Recent Discussions
AIP Webinar Recordings
Below are the links to the recordings of the AIP webinar sessions.
AIP Unified Labeling webinar recording: May 23, 7:00 AM PT / 10:00 AM ET / 2:00 PM GMT Unified Labeling in AIP
Feedback https://aka.ms/AIP-UL-Webinar-Feedback
Slide deck Attached below
AIP 6 Part Series:
NOTE: We are currently experiencing a problem with many of these recordings. The links that do not work have been temporarily removed until the problem is resolved. We are working to resolve the problem as quickly as we can. Thanks for your patience. Recordings of most of the sessions can be found at https://aka.ms/SecurityCommunityFiles.
Update: Several people requested the slide decks, so we have attached them.
If you were unable to join us live, but have questions about something covered in the webinar, you can ask them at https://www.yammer.com/askipteam. To ensure you hear about future AIP webinars and other developments, make sure you've joined our community by going to https://aka.ms/SecurityCommunity. We hope you'll join us!
Azure ATP Webinar Recordings
Below are the links to the Azure ATP webinar recordings.
Time & Date | Topic | Link to the recording
July 15, 8:00 AM PT / 11:00 AM ET / 15:00 UTC | Detections part 2 of 2 | MP4 YouTube
June 24, 8:00 AM PT / 11:00 AM ET / 15:00 UTC | Unified SecOps Portal | MP4 YouTube
April 29, 8:00 AM PT / 11:00 AM ET / 15:00 UTC | Detections part 1 of 2 | MP4 YouTube
The slide decks can be found in the same folders as the MP4 files at https://aka.ms/SecurityCommunityFiles. You can sign up for forthcoming webinars at https://aka.ms/AATPWebinar.
17K Views, 26 likes, 15 Comments
Announcement: Office 365 Secure Score Released to Public Preview
Microsoft is pleased to announce the preview availability of a new security analytics service called the Office 365 Secure Score. The Secure Score is a security analytics tool that will help you understand what you have done to reduce the risk to your data in Office 365, and show you what you can do to further reduce that risk. We think of it as a credit score for security. Our approach to this experience was very simple. First, we created a full inventory of all the security configurations and behaviors that our customers can do to mitigate risks to their data in Office 365 (there are about 77 total things that we identified). Then, we evaluated the extent to which each of those controls mitigated a specific set of risks and awarded the control some points. More points means a more effective control for that risk. Lastly, we measure the extent to which your service has adopted the recommended controls, add up your points, and present it as a single score. The core idea is that it is useful to rationalize and contextualize all of your cloud security configuration and behavioral options into one simple, analytical framework, and to make it very easy for you to take incremental action to improve your score over time. Rather than constructing a model with findings slotted into critical, moderate, or low severity, we wanted to give you a non-reactive way to evaluate your risk and make incremental changes over time that add up to a very effective risk mitigation plan. The Office 365 Secure Score is a preview experience, so you may find issues, and you will note that not all of the controls are being measured. Please share any issues on the Office Network Group for Security. You can access the Secure Score at https://securescore.office.com. The Secure Score does not express an absolute measure of how likely you are to get breached. It expresses the extent to which you have adopted controls which can offset the risk of being breached. 
No service can guarantee that you will not be breached, and the Secure Score should not be interpreted as a guarantee in any way.
Your Secure Score Summary
The first, most important piece of the Secure Score experience is the Score Summary. This panel gives you your current Secure Score, and the total number of points that are available to you, given your subscription level, the date that your score was measured, as well as a simple pie chart of your score. The denominator of your score is not intended to be a goal number to achieve. The full set of controls includes several that are very aggressive and will potentially have an adverse impact on your users’ productivity. Your goal should be to optimize your action to take every possible risk mitigating action while preserving your users’ productivity.
As mentioned, the Office 365 Secure Score is in a preview release. Over the coming months you will see us continue to add new controls, new measurements, and improvements to the remediation experiences. If you like what you see, please share with your network. If you see something we can improve, please share it with us on the Office Network Group for Security. We’re looking forward to seeing your scores go up, and making the Secure Score experience as useful, simple, and easy as it can be.
Read More Here: https://blogs.technet.microsoft.com/office365security/new-security-analytics-service-finding-and-fixing-risk-in-office-365/
Solved, 55K Views, 25 likes, 72 Comments
Join Our Security Community
We want you to speak directly to our engineering teams. We believe that the best way to improve our security products is by having no barriers between you and the people that create them. That's why we need your participation in our security community. As part of our community you can influence our products and get early access to changes by participating in private previews, giving feedback, requesting features, reviewing product roadmaps, joining webinars and calls, or attending in-person events.
Join Us
To join our community, click here, and then click the join button and the heart icons of the groups you are interested in, as pictured below.
Additional Security Groups
Here's a list of other security-related groups you may want to join.
Azure
Azure Security Center
Azure Security and Identity
Azure Sentinel
Enterprise Mobility + Security
Azure Advanced Threat Protection and ATA
Azure Information Protection
Microsoft Cloud App Security
Internet of Things
Azure Security Center for IoT
Microsoft Graph Security API
Security, Privacy & Compliance.
Windows Defender Advanced Threat Protection
Find Us on LinkedIn
We have a general discussion group on LinkedIn called the Microsoft Security Community, where I announce highlights from this site. Please join the group and feel free to connect with me.
Webinars and Calls
Several of our product teams hold regular webinars or calls where they introduce the product, do a deep dive, preview forthcoming features, gather feedback, and answer questions.
Registration links are posted below:
Product | Next Webinar | Recordings of Past Webinars
Azure Security Center for IoT | 8/5/2019: Introduction | https://aka.ms/ASCIoTRecordings
Azure Advanced Threat Protection | TBD | https://aka.ms/AATPRecordings
Azure Sentinel | TBD | http://aka.ms/AzureSentinelRecordings
Azure Information Protection | TBD | https://aka.ms/AIPRecordings
Microsoft Cloud App Security | TBD | https://aka.ms/MCASRecordings
Security Intelligence Report | TBD | https://aka.ms/SIRRecordings
Customer Advisory Council (CAC)
We periodically select customers to be part of our Customer Advisory Council (CAC). We form a close relationship with these organizations, inviting them to exclusive, in-person events and giving them access to non-public roadmaps and information. CAC members give in-depth feedback on our products and consequently exert a great deal of influence on our plans, priorities, and designs. Part of our criteria for choosing CAC members is how active they are in this community. If you would like to be part of our CAC, join our community, participate heavily, and then reach out to me.
Submit Feature Requests
In addition to engaging us in the ways listed above, you can also submit and vote on feature requests at https://microsoftsecurity.uservoice.com. We hope to hear from you soon!
32K Views, 21 likes, 12 Comments
Join Our Security Community
We want you to speak directly to our engineering teams. We believe that the best way to improve our security products is by having no filter between you and the people that create them. That's why we need your participation in our security community. As part of our community you can influence our products and get early access to changes by participating in private previews, giving feedback, requesting features, reviewing product roadmaps, joining conference call discussions, or attending in-person events.
Join Us
To join our community, click here, and then click the join button and the heart icons of the groups you are interested in, as pictured below.
Additional Security Groups
Here's a list of other security-related groups you may want to join.
Azure
Azure Security Center
Azure Security and Identity
Enterprise Mobility + Security
Azure Advanced Threat Protection and ATA
Azure Information Protection
Microsoft Cloud App Security
Microsoft Graph Security API
Security, Privacy & Compliance.
Windows Defender Advanced Threat Protection
Find Us on LinkedIn
We have a general discussion group on LinkedIn called the Microsoft Security Community, where I announce highlights from this site. Please join the group and feel free to connect with me.
Customer Advisory Board (CAB)
We periodically select customers to be part of our Customer Advisory Board (CAB). We form a close relationship with these organizations, inviting them to exclusive, in-person events and giving them access to non-public roadmaps and information. CAB members give in-depth feedback on our products and consequently exert a great deal of influence on our plans, priorities, and designs. Part of our criteria for choosing CAB members is how active they are in this community. If you would like to be part of our CAB, join our community, participate heavily, and then reach out to me. If you are a member, you can find our private CAB group here.
Note that in order to access this group, you will first have to join our public groups using the instructions above, and then contact us to be added to the private access list.
Conference Calls
Several of our product teams hold regular conference calls where they preview forthcoming features, gather feedback, and host discussions. Many of these allow you to join private previews. Meeting invitations are posted on the product spaces within the communities. Contact me if you would like to join the calls and cannot find what you are looking for.
Submit Feature Requests
In addition to engaging us in the ways listed above, you can also submit and vote on feature requests at https://microsoftsecurity.uservoice.com. We hope to hear from you soon!
20K Views, 16 likes, 6 Comments
RSS feeds to security blogs?
Hello,
After the update of blogs here I no longer see any RSS feeds or links. Where can those RSS feeds be found now? It was the only newsfeed where blogs could be aggregated. Perhaps I'm just blind :) but I can't find the new RSS feeds. Thank you!
Previously (before this week's update) the links to those RSS feeds were as follows:
https://techcommunity.microsoft.com/gxcuf89792/rss/board?board.id=MicrosoftSecurityandCompliance
https://techcommunity.microsoft.com/gxcuf89792/rss/board?board.id=Identity
https://techcommunity.microsoft.com/gxcuf89792/rss/board?board.id=CoreInfrastructureandSecurityBlog
https://techcommunity.microsoft.com/gxcuf89792/rss/board?board.id=AzureNetworkSecurityBlog
https://techcommunity.microsoft.com/gxcuf89792/rss/board?board.id=IdentityStandards
https://techcommunity.microsoft.com/gxcuf89792/rss/board?board.id=MicrosoftThreatProtectionBlog
https://techcommunity.microsoft.com/gxcuf89792/rss/board?board.id=MicrosoftDefenderCloudBlog
https://techcommunity.microsoft.com/gxcuf89792/rss/board?board.id=MicrosoftDefenderATPBlog
https://techcommunity.microsoft.com/gxcuf89792/rss/board?board.id=MicrosoftDefenderIoTBlog
https://techcommunity.microsoft.com/gxcuf89792/rss/board?board.id=DefenderExternalAttackSurfaceMgmtBlog
https://techcommunity.microsoft.com/gxcuf89792/rss/board?board.id=Vulnerability-Management
https://techcommunity.microsoft.com/gxcuf89792/rss/board?board.id=DefenderThreatIntelligence
https://techcommunity.microsoft.com/gxcuf89792/rss/board?board.id=MicrosoftSecurityExperts
https://techcommunity.microsoft.com/gxcuf89792/rss/board?board.id=Microsoft-Security-Baselines
https://techcommunity.microsoft.com/gxcuf89792/rss/board?board.id=MicrosoftSentinelBlog
https://techcommunity.microsoft.com/gxcuf89792/rss/board?board.id=MicrosoftDefenderforOffice365Blog
980 Views, 12 likes, 4 Comments
This was my preparation for the exam Microsoft Certified: Cybersecurity Architect Expert (SC-100)!
Dear Microsoft 365 Security and Azure Security Friends,
When I first read about this certification I was immediately excited! But at the same time I had a lot of respect, because it is an expert certification. I quickly started collecting information. The first thing I learned was that it takes a so-called prerequisite exam to become a Microsoft Certified: Cybersecurity Architect Expert certification.
The following prerequisite exams are available (only one of these exams must be passed):
Microsoft Certified: Security Operations Analyst Associate (SC-200) https://docs.microsoft.com/en-us/learn/certifications/security-operations-analyst/
Microsoft Certified: Identity and Access Administrator Associate (SC-300) https://docs.microsoft.com/en-us/learn/certifications/identity-and-access-administrator/
Microsoft Certified: Azure Security Engineer Associate (AZ-500) https://docs.microsoft.com/en-us/learn/certifications/azure-security-engineer/
Microsoft 365 Certified: Security Administrator Associate (MS-500) https://docs.microsoft.com/en-us/learn/certifications/m365-security-administrator/
I have taken all these prerequisite exams. The two exams AZ-500 and MS-500 helped me the most in preparing for the SC-100 (this is certainly not the case for everyone). In this SC-100 exam you will be quizzed on topics in Microsoft Sentinel, Microsoft Defender for Cloud, Microsoft 365 Defender for Cloud Apps (and all other Defender products), Azure Policy, Azure landing zone, etc. This spectrum is huge, please take enough time to "explore" these "portals" deeply. You don't have to have the technical knowledge down to the last detail. No, not at all. In this exam it is important to use all the features and products with the right strategy. This was among other things my way to success!
Now to my preparations for the exam:
1. First of all, I looked at the Exam Topics to get a first impression of the scope of topics.
https://docs.microsoft.com/en-us/learn/certifications/cybersecurity-architect-expert/
Please take a close look at the skills assessed: https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RWVbXN
2. So that I can prepare for an exam I need an Azure test environment (this is indispensable for me). You can sign up for a free trial here. https://azure.microsoft.com/en-us/free/
Next, I set up a Microsoft 365 test environment. You can sign up for a free trial here. https://www.microsoft.com/en-us/microsoft-365/business/compare-all-microsoft-365-business-products
I chose the "Microsoft 365 Business Premium" plan for my testing. I have also registered several free trials to test the various Defender products.
3. Now it goes to the Microsoft Learn content. These learn paths (as you can see below, all 4) I have worked through completely and "mapped"/reconfigured as much as possible in my test environment.
https://docs.microsoft.com/en-us/learn/paths/sc-100-design-zero-trust-strategy-architecture/
https://docs.microsoft.com/en-us/learn/paths/sc-100-evaluate-governance-risk-compliance/
https://docs.microsoft.com/en-us/learn/paths/sc-100-design-security-for-infrastructure/
https://docs.microsoft.com/en-us/learn/paths/sc-100-design-strategy-for-data-applications/
4. Register for the exam early. This creates some pressure and you stay motivated. https://docs.microsoft.com/en-us/learn/certifications/cybersecurity-architect-expert/
5. Please also watch the video of John Savill, it is very helpful! https://youtu.be/2Qu5gQjNQh4
6. The Exam Ref for the SC-200 exam was also very supportive. https://www.microsoftpressstore.com/store/exam-ref-sc-200-microsoft-security-operations-analyst-9780137666720
7. Further I have summarized various links that have also helped me a lot. Sorted by Functional Group.
Design a Zero Trust strategy and architecture: https://docs.microsoft.com/en-us/security/cybersecurity-reference-architecture/mcra https://docs.microsoft.com/en-us/azure/cloud-adoption-framework/secure/security-governance https://docs.microsoft.com/en-us/azure/architecture/framework/security/monitor-audit https://docs.microsoft.com/en-us/security/benchmark/azure/security-control-logging-monitoring https://docs.microsoft.com/en-us/azure/security/fundamentals/log-audit https://docs.microsoft.com/en-us/azure/architecture/framework/security/design-network-connectivity https://docs.microsoft.com/en-us/azure/architecture/framework/security/design-network-segmentation https://docs.microsoft.com/en-us/security/zero-trust/deploy/infrastructure https://docs.microsoft.com/en-us/security/zero-trust/integrate/infrastructure https://docs.microsoft.com/en-us/azure/cloud-adoption-framework/strategy/define-security-strategy https://docs.microsoft.com/en-us/azure/cloud-adoption-framework/secure/business-resilience https://docs.microsoft.com/en-us/azure/cloud-adoption-framework/strategy/technical-considerations/ https://docs.microsoft.com/en-us/azure/cloud-adoption-framework/organize/ https://docs.microsoft.com/en-us/azure/security/fundamentals/operational-checklist https://azure.microsoft.com/en-us/services/defender-for-cloud/#features https://docs.microsoft.com/en-us/azure/sentinel/overview https://docs.microsoft.com/en-us/azure/defender-for-cloud/workflow-automation https://docs.microsoft.com/en-us/security/compass/incident-response-overview https://docs.microsoft.com/en-us/security/compass/incident-response-planning https://docs.microsoft.com/en-us/security/compass/incident-response-process https://docs.microsoft.com/en-us/azure/cloud-adoption-framework/secure/security-operations https://docs.microsoft.com/en-us/security/compass/security-operations https://docs.microsoft.com/en-us/azure/cloud-adoption-framework/ready/azure-setup-guide/organize-resources 
https://docs.microsoft.com/en-us/azure/cloud-adoption-framework/ready/azure-setup-guide/manage-access https://docs.microsoft.com/en-us/azure/cloud-adoption-framework/ready/landing-zone/design-area/identity-access https://docs.microsoft.com/en-us/azure/security/fundamentals/identity-management-best-practices https://docs.microsoft.com/en-us/azure/active-directory/external-identities/external-identities-overview https://docs.microsoft.com/en-us/azure/active-directory/authentication/concept-authentication-methods https://docs.microsoft.com/en-us/microsoft-365/education/deploy/design-credential-authentication-strategies https://docs.microsoft.com/en-us/azure/active-directory/hybrid/choose-ad-authn https://docs.microsoft.com/en-us/azure/architecture/framework/security/design-identity-authentication https://docs.microsoft.com/en-us/azure/architecture/framework/security/design-identity-authorization https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/overview https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/plan-conditional-access https://docs.microsoft.com/en-us/azure/architecture/guide/security/conditional-access-zero-trust https://docs.microsoft.com/en-us/azure/active-directory/roles/best-practices https://docs.microsoft.com/en-us/azure/active-directory/governance/entitlement-management-delegate https://docs.microsoft.com/en-us/azure/active-directory/roles/groups-concept https://docs.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-configure https://docs.microsoft.com/en-us/security/compass/identity https://docs.microsoft.com/en-us/azure/active-directory/governance/entitlement-management-overview https://docs.microsoft.com/en-us/azure/active-directory/governance/entitlement-management-delegate https://docs.microsoft.com/en-us/microsoft-identity-manager/pam/privileged-identity-management-for-active-directory-domain-services 
https://docs.microsoft.com/en-us/microsoft-identity-manager/pam/principles-of-operation https://docs.microsoft.com/en-us/azure/active-directory/roles/security-planning Evaluate Governance Risk Compliance (GRC) technical strategies and security operations strategies: https://docs.microsoft.com/en-us/azure/cloud-adoption-framework/govern/policy-compliance/regulatory-compliance https://docs.microsoft.com/en-us/azure/security/fundamentals/technical-capabilities https://docs.microsoft.com/en-us/security/compass/governance https://docs.microsoft.com/en-us/azure/defender-for-cloud/regulatory-compliance-dashboard https://docs.microsoft.com/en-us/microsoft-365/compliance/compliance-manager?view=o365-worldwide https://docs.microsoft.com/en-us/microsoft-365/compliance/compliance-score-calculation?view=o365-worldwide https://docs.microsoft.com/en-us/azure/defender-for-cloud/secure-score-security-controls https://docs.microsoft.com/en-us/azure/governance/policy/overview https://docs.microsoft.com/en-us/azure/governance/policy/tutorials/create-and-manage https://azure.microsoft.com/en-us/global-infrastructure/data-residency/ https://azure.microsoft.com/en-us/resources/achieving-compliant-data-residency-and-security-with-azure/ https://azure.microsoft.com/en-us/overview/trusted-cloud/privacy/ https://azure.microsoft.com/en-us/blog/10-recommendations-for-cloud-privacy-and-security-with-ponemon-research/ https://docs.microsoft.com/en-us/security/benchmark/azure/introduction https://docs.microsoft.com/en-us/azure/defender-for-cloud/update-regulatory-compliance-packages https://docs.microsoft.com/en-us/azure/defender-for-cloud/regulatory-compliance-dashboard https://docs.microsoft.com/en-us/azure/defender-for-cloud/secure-score-access-and-track https://docs.microsoft.com/en-us/azure/defender-for-cloud/enhanced-security-features-overview https://docs.microsoft.com/en-us/azure/architecture/framework/security/design-governance-landing-zone 
https://docs.microsoft.com/en-us/azure/cloud-adoption-framework/ready/considerations/landing-zone-security https://docs.microsoft.com/en-us/azure/cloud-adoption-framework/ready/landing-zone/design-area/security https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/office-365-ti?view=o365-worldwide https://docs.microsoft.com/en-us/microsoft-365/compliance/insider-risk-management?view=o365-worldwide https://techcommunity.microsoft.com/t5/security-compliance-and-identity/reduce-risk-across-your-environments-with-the-latest-threat-and/ba-p/2902691 Design security for infrastructure: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-security-configuration-framework/windows-security-baselines https://docs.microsoft.com/en-us/windows-server/security/security-and-assurance https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/minimum-requirements?view=o365-worldwide https://docs.microsoft.com/en-us/mem/intune/protect/security-baselines https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/plan/security-best-practices/best-practices-for-securing-active-directory https://docs.microsoft.com/en-us/azure/active-directory-domain-services/secure-your-domain https://docs.microsoft.com/en-us/azure/key-vault/general/about-keys-secrets-certificates https://docs.microsoft.com/en-us/azure/security/fundamentals/management https://docs.microsoft.com/en-us/security/benchmark/azure/baselines/cloud-services-security-baseline https://azure.microsoft.com/en-us/overview/iot/security/ https://docs.microsoft.com/en-us/azure/azure-sql/database/security-overview?view=azuresql https://docs.microsoft.com/en-us/azure/azure-sql/database/security-best-practice?view=azuresql https://docs.microsoft.com/en-us/security/benchmark/azure/baselines/sql-database-security-baseline https://docs.microsoft.com/en-us/azure/cosmos-db/database-security?tabs=sql-api 
https://docs.microsoft.com/en-us/security/benchmark/azure/baselines/synapse-analytics-security-baseline https://docs.microsoft.com/en-us/azure/app-service/overview-security https://docs.microsoft.com/en-us/azure/app-service/security-recommendations https://docs.microsoft.com/en-us/security/benchmark/azure/baselines/app-service-security-baseline https://docs.microsoft.com/en-us/security/benchmark/azure/baselines/storage-security-baseline https://docs.microsoft.com/en-us/security/benchmark/azure/baselines/container-instances-security-baseline https://docs.microsoft.com/en-us/security/benchmark/azure/baselines/container-registry-security-baseline https://docs.microsoft.com/en-us/security/benchmark/azure/baselines/aks-security-baseline https://docs.microsoft.com/en-us/azure/aks/concepts-security https://docs.microsoft.com/en-us/azure/aks/operator-best-practices-cluster-security?tabs=azure-cli https://docs.microsoft.com/en-us/azure/architecture/framework/services/compute/azure-kubernetes-service/azure-kubernetes-service Design a strategy for data and applications: https://docs.microsoft.com/en-us/azure/security/develop/threat-modeling-tool-mitigations https://docs.microsoft.com/en-us/azure/architecture/framework/security/design-threat-model https://docs.microsoft.com/en-us/compliance/assurance/assurance-security-development-and-operation https://docs.microsoft.com/en-us/azure/security/develop/secure-design https://docs.microsoft.com/en-us/azure/defender-for-cloud/defender-for-app-service-introduction https://docs.microsoft.com/en-us/azure/architecture/framework/security/resilience https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-governance-strategy https://docs.microsoft.com/en-us/azure/architecture/data-guide/scenarios/securing-data-solutions https://docs.microsoft.com/en-us/azure/architecture/framework/security/design-storage https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-data-protection 
https://docs.microsoft.com/en-us/azure/security/fundamentals/encryption-overview
https://docs.microsoft.com/en-us/azure/security/fundamentals/data-encryption-best-practices
https://docs.microsoft.com/en-us/azure/security/fundamentals/encryption-atrest
https://docs.microsoft.com/en-us/azure/architecture/framework/security/design-storage-encryption
8. You can find a list of all the links here: https://github.com/tomwechsler/Microsoft_Cloud_Security/blob/main/SC-100/Links.md
I know you've probably read and heard this many times: read the exam questions slowly and accurately. Well, that was the key to success for me. It's the details that make the difference between success and failure. Let me give you an example at this point. You want to make a business app available. The authentication should be done by each person with his own LinkedIn account. Which variant of Azure Active Directory do you use for this? At this point you should know the different types of Azure Active Directory.
One final tip: When you have learned something new, try to explain what you have learned to another person (whether or not they know your subject). If you can explain it in your own words, you understand the subject. That is exactly how I do it, except that I do not explain it to another person, but record a video for YouTube!
I hope this information helps you and that you successfully pass the exam. I wish you success!
Kind regards, Tom Wechsler
P.S. All scripts (#PowerShell, Azure CLI, #Terraform, #ARM) that I use can be found on github! https://github.com/tomwechsler
Partners cannot access Security and Compliance Center
Partners haven't been able to access the Security and Compliance center on behalf of their clients for almost 18 months now. Last we heard on this was from Scott Landry back in July of 2019, but it's been silence since then. Is anyone on the Security and Compliance team working with the Microsoft Partner Center team on this?? This is the one item that's keeping us from being able to exclusively work from our Delegated Admin accounts. As it stands now we still have to share a generic global admin account with all our employees just so they can manage certain aspects of our client's Office 365 subscription.
https://office365.uservoice.com/forums/289138-office-365-security-compliance/suggestions/34423372-allow-partners-to-access-the-security-and-complian
14K Views, 10 likes, 10 Comments
Microsoft Security Product Reviews on Gartner Peer Insights: Give product feedback & get rewarded!
We love hearing more about our customers’ experience with our products! We’re currently working on growing our product reviews of Microsoft Security products on Gartner Peer Insights. We would love for you to participate and share your thoughts, feedback, and experiences using Microsoft Security products to help others in their buying process.
To provide feedback on the capabilities of the below Microsoft Security products, please click on the below links. You will need to first log in to your Gartner Peer Insights account or take 30 seconds to create a free account.
Azure Active Directory
Microsoft Sentinel
Microsoft Defender for Endpoint
Once you have completed your review, GPI will prompt you to choose a gift card option. As soon as your review is approved, the card will be made available to you digitally.
- Offer good only for those who submit a product review on the above-mentioned site and provide confirmation.
- Limit one per person
- Offer is non-transferable and cannot be combined with any other offer
- This offer runs through June 30, 2023, or while supplies last, and is not redeemable for cash.
- Taxes, if any, are the sole responsibility of the recipient.
- Any gift returned as non-deliverable will not be re-sent
- Microsoft reserves the right to cancel, change, or suspend this offer at any time without notice
- This offer does not apply to customers in Cuba, Iran, North Korea, Sudan, Syria, Region of Crimea, Russia, and China.
- Only customers are eligible to participate. Microsoft partners and MVPs are not eligible.
- Please see Gartner’s Community Guidelines for more information
Privacy Statement: Respondent’s information will only be used for the purpose of mailing the gifts if they are one of the recipients. Microsoft Privacy Statement: https://go.microsoft.com/fwlink/?LinkId=521839.
10K Views, 8 likes, 4 Comments
Enriched NTLM authentication data using Windows Event 8004
Have you previously experienced NTLM authentication activities that came from unknown devices, such as Workstation or MSTSC? Would you like to discover the actual server being accessed inside the network? This information is now available in Azure ATP!
Starting from Version 2.96, Azure ATP sensors parse Windows event 8004 for NTLM authentications. When NTLM auditing is enabled and Windows event 8004 is logged, Azure ATP sensors now automatically read the event and enrich your NTLM authentication activities display with the accessed server data.
New Resource Access over NTLM activity is now available, showing the source user, source device and the accessed resource:
Joye Parsons (1) is accessing CLIENT2 from W10-000100 device over NTLM.
Enriched Failed log on activities providing the destination computer the user attempted, but failed to access:
Joye Parsons (1) failing to log on to CLIENT2 from W10-000100 device over NTLM.
In a future release, this data will also be available directly in authentication-based Azure ATP security alerts such as Brute Force and Account Enumeration. Stay tuned for more updates. As always, your feedback and questions are welcome!
63K Views, 7 likes, 10 Comments
Announcing the release of Threat Intelligence and Advanced Data Governance, plus significant...
Announcing the release of Threat Intelligence and Advanced Data Governance, plus significant updates to Advanced Threat Protection
Today, the Office 365 Team is pleased to announce several enhancements that bolster Office 365’s security and compliance capabilities. With the launch of Office 365 Threat Intelligence, the Team is enriching security in Office 365 to help customers stay ahead of the evolving threat landscape. Today, they will also be introducing a new reporting interface to improve the customer experience for Advanced Threat Protection (ATP) and extending the ATP Safe Links feature to Word, Excel and PowerPoint for Office 365 ProPlus desktop clients. Office 365 Advanced Data Governance also launches today, providing customers with robust compliance capabilities. A new policy management interface for Data Loss Protection (DLP) helps Office 365 customers remain compliant and in control of their data.
The enhancements include:
- Enhancing threat protection—a path to proactive cyber-defense with Office 365 Threat Intelligence
- New Office 365 Advanced Threat Protection (ATP) reporting interface
- Extending ATP Safe Links to Office 365 ProPlus desktop clients
- Ensuring compliance—why Office 365 Advanced Data Governance matters
- Enhanced Office 365 Data Loss Prevention (DLP) management experience
Read the full announcement on Office Blogs.
Solved, 7.2K Views, 7 likes, 5 Comments
Cybersecurity Month Tech Community Giveaway!
Hey everyone! October is Cybersecurity Month and we wanted to celebrate by giving away some awesome Microsoft Swag to 20 lucky Tech Community members as a thank you for supporting this community. All you must do to enter is share our registration link to your favorite social media platform (Twitter, LinkedIn, Reddit, etc), take a screenshot and post down below for proof, and send an email with the screenshot of your post to bweenig@microsoft.com. At the end of October, we will be selecting 20 responders at random to receive some exclusive Microsoft swag. Good luck and thanks again!

9.4K Views | 7 likes | 50 Comments

How to: Enabling MFA for Active Directory Domain Admins with Passwordless Authentication
Administer on premise Active Directory Using Azure Passwordless Authentication removing Domain Admins passwords

Hello Guys,

I am here just to demonstrate what is technically possible today (Proof of Concept):

- Configure a modern MFA solution to access on prem Windows 10 PC
- Use that solution to protect privileged accounts passwords
- Eradicate from the domain the password presence for those privileged accounts (make it impossible to use a password to log on to the domain, to prevent some kind of password attacks)
- Have the ability to use multiple PAWs (privileged access workstation) with the same MFA credential
- Have only one identity with one strong credential
- Same credential can be used on prem and in cloud (if needed)
- Connect to Domain Controller through RDP from the PAW using SSO (Single Sign On)
- Obtain the above with a sort of simplicity and costs control

I am not here to discuss if this document in any parts adheres to all principles and best practices of a secure administration environment, I just want to show a feature as a proof of concept. It’s up to you to integrate this work into your security posture and evaluate impacts. No direct or indirect guarantee is given, and this cannot be considered official documentation. The content is provided “As Is”.

Have a deeper look at the above points:

Many customers asked me, after they have used Azure/Office 365 MFA: is it possible to use something like that to log on to the domain/on prem resources. The solution is present today: the use of a security key (FIDO2): Passwordless security key sign-in to on-premises resources - Azure Active Directory | Microsoft Docs. Please have a look also at Plan a passwordless authentication deployment with Azure AD | Microsoft Docs.
I wanted to demonstrate that this solution can also protect the Domain Admins group to protect high privileged accounts (an important notice about this is present in this document: FAQs for hybrid FIDO2 security key deployment - Azure Active Directory | Microsoft Docs – “FIDO2 security key sign-in isn't working for my Domain Admin or other high privilege accounts. Why?”).

After having substituted the password with one MFA credential (private key + primary factor) (more information here: Azure Active Directory passwordless sign-in | Microsoft Docs) we can configure a way to make the password not necessary for domain administration, very long and complex, and disabled: Passwordless Strategy - Microsoft 365 Security | Microsoft Docs

With other MFA tools (e.g. Windows Hello for Business), if we want to use different PAWs (secured workstations from which the Administrator connects with privileged accounts: Why are privileged access devices important | Microsoft Docs) we need to configure and enroll the solution machine per machine (create different private keys, one for every Windows desktop). With the solution described below the enrollment happens only once (the private key is only one per identity and is portable and only present inside the USB FIDO key) and is potentially usable on all secure desktops/PAWs in the domain.

The dream is: to have one identity and one strong credential: this credential (private key installed in the FIDO physical key) is protected by a second factor (what you know (PIN) or what you are (biometric)), it is portable and usable to consume services and applications on premises and in cloud

To connect using RDP to another/third system after this kind of strong authentication is performed on the physical PC a password is needed (but we really want to eradicate the use of a password)….So..
We can use a Windows 10 / Windows 2016 and later feature (Remote Credential Guard: Protect Remote Desktop credentials with Windows Defender Remote Credential Guard (Windows 10) - Microsoft 365 Security | Microsoft Docs) to remove this limitation.

If you have a certain hybrid infrastructure already in place (What is hybrid identity with Azure Active Directory? | Microsoft Docs, Configure hybrid Azure Active Directory join for managed domains | Microsoft Docs, etc.), the activation of this solution is simple and there are no important added costs (a FIDO key costs around 20 / 30 euros)

The solution is based on 3 important features: AzureAD/Fido Keys, Remote Credential Guard and primarily Active Directory SCRIL Feature

[ https://docs.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/passwordless-strategy#transition-into-a-passwordless-deployment-step-3 :

"...SCRIL setting for a user on Active Directory Users and Computers. When you configure a user account for SCRIL, Active Directory changes the affected user's password to a random 128 bits of data. Additionally, domain controllers hosting the user account do not allow the user to sign-in interactively with a password. Also, users will no longer be troubled with needing to change their password when it expires, because passwords for SCRIL users in domains with a Windows Server 2012 R2 or early domain functional level do not expire. The users are effectively passwordless because:

- they do not know their password.
- their password is 128 random bits of data and is likely to include non-typable characters.
- the user is not asked to change their password
- domain controllers do not allow passwords for interactive authentication ..." ]

Chapter 1 – Enable Passwordless authentication and create your key

Enable the use of FIDO Keys for Passwordless authentication.
In Azure AD \ Security \ Authentication methods, enable the use of a security key for a specific group and set the key settings in accordance with the HW provider of the key (in my case Force Attestation and Key Restriction set to off).

Confirm Hybrid Device Join. Confirm your Windows 10 2004+ PCs are Hybrid Device Joined.

Confirm users and all involved groups are hybrid. Confirm all involved users or groups are correctly replicated by AD Connect, have Azure Active Directory properly configured and login in cloud works correctly

Implement Kerberos Server to foster on prem SSO (Single Sign On) for on prem resources: follow this guidance Passwordless security key sign-in to on-premises resources - Azure Active Directory | Microsoft Docs

Enroll the key. Please don’t use Incognito Web Mode (sign out already connected users and use “switch to a different account”). If errors come up during enrollment, check if any user is already signed into the browser (in the new Edge use “Browse as Guest”, which is different from “Incognito Mode”).

- Login to Office.com with the user you want to provide the USB KEY to and reach the My Account page
- In the My Account page open Security Info and initialize the USB Key. https://mysignins.microsoft.com/security-info
- If not completed before, enable MFA authentication by using a phone (SMS) or Authenticator App (in this case the user was not already provided with MFA, so the system automatically makes you enroll the authenticator app on your phone)
- Now, because you have an MFA tool, you can create/enroll a security key: add method / USB Key.
- The browser challenges you to insert a key.. to inject your identity into it
- Create a new PIN!
- Confirm touching the key
- Name the key
- Done - security Key is enrolled with your identity

Perform an Office365 Passwordless Authentication

Verify you are able to sign on to O365 using the Key w/o the use of a password.
Please use Microsoft Edge, if already logged in click the right corner and “browse as a guest”. Please remember to click on “Sign in Options” to trigger key authentication. Well done: you are logged in to the cloud Passwordless!

Chapter 2 – Enable on prem multifactor login

Deploy a GPO – Group Policy Object – to enable FIDO2 on prem login with Windows 10 2004+. In your on prem environment we can enable the use of the USB key credential provider (Windows has multiple credential providers: password, usb key, smartcard, etc.). Enable and link this setting to your Windows 10 2004+ machines. Restart the involved machines.

Now you will see a new icon to login to the PC. Clicking on sign in options you can use this new credential provider – FIDO security key. Insert the USB key, type the PIN… On some FIDO Keys you can avoid the PIN with biometric (fingerprint). You can use the same identity/credential on all the PCs with the FIDO credential provider enabled. Remember that currently for on prem sign on only one user per key is available (you can’t have multiple identities on the same USB key).

- Please note that this kind of authentication is recognized by Azure/O365 cloud as one already claimed MFA so when you open your preferred application the connection is in SSO (you don’t have to re-authenticate or perform another strong auth).
- Please note that with the same key you can login to the cloud applications using MFA from external computers w/o any modifications (like kiosks, byod computers, etc).
- Please note that you have access to all on prem services because the Kerberos server we installed above is useful to foster the obtention of Kerberos tickets for on prem AD service consumption

Chapter 3 – Use FIDO KEYS to protect privileged users (Domain Admins) and De-materialize their password.

Now we are going to enable a FIDO key for the Domain Admin or configure FIDO KEYS to work with privileged users.
The default security policy doesn't grant Azure AD permission to sign high privilege accounts on to on-premises resources. To unblock the accounts, use Active Directory Users and Computers to modify the msDS-NeverRevealGroup property of the Azure AD Kerberos Computer object (e.g. CN=AzureADKerberos,OU=Domain Controllers,<domain-DN>).

Remove all privileged groups you want to use with FIDO KEYS. Consider that one user might be a member of different groups, so remove all the groups the wanted user is a member of. I removed all groups with the exception of Domain Controllers ..

- Make the test user a member of the Domain Admins group
- Wait AD Connect Sync Time (normally at least 30 min)
- Now enroll the FIDO USB Key for the privileged account following Chapter 1 of this guide
- Now test the Login with the Domain Admin using the FIDO KEY and check the possibility to be authenticated to on prem services (e.g. Fileshares, MMC - ADUC Consoles, etc.). Try a high privilege action like creating a new user….

Now that we have one alternative way to Sign In on prem and in cloud (instead of password) we can work on password eradication. Obviously, every application we want to use must not use passwords (work in SSO with AD or Azure AD). This is not a problem for privileged accounts because these should not have any application access but only access to administrative consoles

We will enable the SCRIL policy (Smart Card is required for interactive logons) for the privileged user: Smart Card is required for interactive logon = the user password is reset and made random and complex, unknown by humanity, and the use of the password for interactive login is disabled

Test you can’t access with password anymore

To complete and strengthen the password eradication we want to prevent the use of the password also for network authentications using the NTLM protocol, so we are going to make the user a member of the “protected users” group: Protected Users Security Group | Microsoft Docs.
This is because if a bad guy resets that user’s password, he/she might use the NTLM protocol to log on using the password, bypassing interactive log on. Protected Users disables the entire usability of the NTLM protocol, which is not needed for common AD administration.

If you don’t want to disable the NTLM protocol and if you have Domain Functional Level 2016 you can also enable NTLM rolling to make the NTLM password hash cycle every login and improve the password eradication: What's new in Credential Protection | Microsoft Docs (Rolling public key only user's NTLM secrets)

Probably you want to use that user to log in to privileged systems with Remote Desktop. By default, Remote Desktop Protocol requests the use of passwords … Here we don’t have a password to write because the password is unknown by humanity….. so … how to?

The simplest way to solve the above problem is to use the Remote Credential Guard feature if you have the needed requirements (..Windows 10, version 1607 or Windows Server 2016.. or above): What's new in Credential Protection | Microsoft Docs

To enable it on the server we want to connect to, just add this registry key using the example command

reg add HKLM\SYSTEM\CurrentControlSet\Control\Lsa /v DisableRestrictedAdmin /d 0 /t REG_DWORD

From the client where we used the FIDO login, just run RDP with the parameter /RemoteGuard

Now also the RDP remote authentication performs well without passwords!!! Now we signed in to a Domain Controller using an MFA key and it is no longer possible to use a password for domain administration.

Update1: using a temporary access password it might be possible to never assign even a beginning password to a Domain Admin, nor need a phone authentication.
Configure a Temporary Access Pass in Azure AD to register Passwordless authentication methods | Microsoft Docs

As detailed above, create a Domain Admin on prem, immediately enable SCRIL and Protected Users, wait AD connect sync time, create a temporary password for that admin user (the temporary password can only be used to enable an MFA credential w/o using a Phone and w/o the risk of someone else accessing applications during the configuration phase).

We recommend maintaining Azure Global Admins and Active Directory Domain Admins identities separately, so don't make synced Domain Admins members of the Azure Global Admins role.

130K Views | 7 likes | 18 Comments

What is Azure Information Protection?
This newly released video nicely explains the benefits of Azure Information Protection and I thought it was worth sharing: Microsoft Azure Information Protection - Learn the key benefits of using Azure Information Protection for your data protection needs.

4.9K Views | 6 likes | 2 Comments

Compliance Feedback Hubs
Hey all! The Information Protection and Compliance team is ramping up usage of a new platform for collecting customer feedback for MIP, DLP, and our other solutions. We know that all these topics are very popular for questions on the SCI Community so hopefully these will be very useful to all of you! The feedback portal links for MIP and DLP are:

- https://aka.ms/MIP/Feedback
- https://aka.ms/DLP/Feedback
- https://aka.ms/CC/Feedback
- https://aka.ms/IRM/Feedback

Please use these links to submit and vote on feedback directly using the links above so we can assess the true impact of each of these requests. Thank you very much!

25K Views | 6 likes | 13 Comments

Azure Information Protection - Label Classification and Definition | Multiple Languages Walkthrough
Howdy Guys,

The Azure Information Protection service now supports different language packs for the AIP Label classification and Protection classification details within the Office clients and AIP client with Windows. This is all being managed through the Azure Information Protection Policy. More information on what the AIP Policy is can be found here: https://docs.microsoft.com/en-us/information-protection/deploy-use/configure-policy-default

I'm writing this to offer a step-by-step guide about the configuration of the Office suite and the Windows operating system. I'll be using Office 2016 and Windows 10. The test language will be French (France) "fr-FR". The default language will be English (US) "en-US".

Very important: Before continuing, please make sure you're done with your AIP Labels before proceeding to spend time creating these new language policies. Every time you change your labels or other settings you will have to update their translations.

Here's a list of everything we'll be going over:

- Setting up the Azure Information Protection service for a supported language
- The Windows requirements and configuration for the AIP Client
- The Office requirements and configuration for the AIP Client

Starting with the policy update

- Go to portal.azure.com
- Click on "More Services"
- Search for "Azure Information Protection"
- Click on "Azure Information Protection"

Right now you'll be viewing your AIP Policy. You'll notice under the "Azure Information Protection - Global Policy" that there are a few options. Under "Manage," you'll find "Languages."

- Click on "Languages."
- If you don't see any languages on the "Supported Language Menu," find the "+ Add a new language for translation" button and click to add a new language ( Picture Below )
- In this example, we'll be adding in the language "French (France)"
- Click on "French (France)" (A check box will be selected next to the name)
- Click "OK"
- You should be back at your main Language menu
- Click "French (France)" (Check box)
- Click "Export"

*Additional tip, you can export more than 1 language at a time.

- The exported file should be called "Exported Localizations.zip," save this file to a location you'd prefer
- Extract the folder
- You'll see the newly exported "fr-FR.xml" file
- Open the .xml in your favorite text editor tool. You'll see the following information >

Note: At the top you'll see "fr-FR," which is the identifier for the AIP service to know what language is being configured. You'll see both the "defaultText" and the "LocalizedText" being brought to your attention. DO NOT change the "defaultText". The only modifications required are for the "LocalizedText".

I'll be using Bing Translate for this test and I'll be modifying all the information above. Specifically, the "Sensitivity, Sensitivity Information, Confidential Label, and the Confidential Label classification information."

*Additional Information: Your information may look a little different than mine, as the names of your labels and the definition could be different. Please feel free to modify the whole template in the language you're testing and setting up for the first time. In my test I'll be showing only 2 changes to show the difference visually.
After modifications it should look like the following >

- Now save your changes to the .xml file
- Compress the .xml file ( Not the folder ) to a new .zip file
- Go back to your "Azure Information protection - Language" portal
- Uncheck the language we just exported
- You'll now see the "Import" button is now accessible
- Click on Import
- Click on the fr-FR.zip you just compressed
- You'll see "Importing…"
- After it's completed you'll see "Import completed successfully. Click Publish to deploy changes to all users" >
- Publish changes
- Confirm "Yes"

*Additional information: If you don't zip the file, it'll give you an error: "Only .zip files are allowed"

We've completed the updating of the policy for fr-FR, now to see our work. We're going to start with the operating system for the Azure Information Protection client.

Azure Information Protection client | Windows 10

In order for the AIP Client to find the language to use within the explorer window, it'll be looking for the local operating system language pack. These are the steps required for configuring the AIP client outside of Office.

If you haven't done so already, download and install the AIP Client: http://www.microsoft.com/en-us/download/details.aspx?id=53018

Before setting up the language, set up your test scenario

- Go to your desktop
- Right click on your desktop
- Click "New" "Text Document"

If you'd like to walk through the test in English

- Right click on the "New Text Document.txt"
- Click "Classify and Protect" with the AIP client
- Login if prompted
- View your current label classification in English

Now continuing forward with the OS configuration for the AIP client.
- Go to your Windows 10 workstation
- Click on the start menu on Windows 10
- Type in "Region & language settings," Select it
- Click on the "Add Language," under "Languages"
- In the search bar type in "French"
- Click on "French"
- Click on "French (France)"
- Wait for the language pack to turn to show "Language pack available"
- Click on "Français (France)"
- Click on "Options" >
- Click on "Download" under the download language pack
- Wait for the language pack to install.

Now that the language pack is installed, we'll need to change the default language of the OS over to French, changing the keyboard language isn't the same test. Still at the same screen as before

- Click the back arrow to go back to the region and language settings home page
- Click on "Français (France)"
- Select "Set As Default"
- Go to your start menu to log out

After we sign back in, we'll be seeing the OS in French, please feel free to use my steps to navigate if you're unfamiliar with the language.

- Sign back into the operating system with the same user ( If you have issues with the password, on the bottom right you can change the keyboard to English )
- Going back to our earlier test right click on that "New Text Document.txt"
- Click on "Classer et protéger"
- You will now see the new configuration we applied earlier in fr-FR

My visual example >

If these steps were followed, you should be seeing your newly updated AIP policy with the language pack you've added to the AIP service. Next we'll be talking about the Office requirements. If you're wanting to test this the same way without the whole OS changed, you can walk through these steps.

- Click on the bottom right where you might see "FRA or ENG" for the keyboard language
- Click on "Préférences linguistiques"
- Click on "English (US)"
- Click on "Définir comme valeur par défaut"
- Right click on the start menu
- Click on "Arrêt ou déconnexion"
- Click on "Se Déconnecter"

You'll be back at your login menu of the OS.
If for some reason you're not seeing the language change you can check the following

- Are you on the same language on the OS that you've updated? It is very specific, like I mentioned earlier we modified fr-FR on the OS and the AIP Policy.
- Is your policy updating correctly? You can refresh your policy by closing the AIP client > Open %Localappdata%\Microsoft\MSIP > Delete the Policy.msip > Attempt the test again.
- Did you confirm that you published the language pack after uploading it? Go back to the azure.portal.com to confirm that the update was published, if it wasn't you'll see a notification that a change is pending.

Azure Information Protection | Office 2016

The Azure Information Protection client add-on for Office is looking at Office for what language to use for the language configuration. You'll have to install the Office suite with the supported language you're wanting to support. With our example, I'm going to walk through the add-on installation of Office 2016 with Office 365 and what's required to use the AIP client in the fr-FR language.

I'm going to continue this installation with the expectation that you've already installed Office 2016 CTR (en-US) on your workstation. Please note, this is a walkthrough for the O365 experience, an MSI package or enterprise package will have a different setup requirement.

- Sign-in to office.com
- At the top right, you'll see "Install Office 2016"
- Click on the "Other installs" under it.
- You'll see the installation configuration page for Office 365, near the middle of the page you'll see the language drop down bar
- Change the language to "Français (France)"
- Install (Please use the same version already installed on the workstation, aka 32bit vs 64bit)

After the installation has taken place, we're going to check to see if the installation worked successfully.

- Start Word
- Click on "Blank Document"
- You'll see that the AIP client is currently configured for the en-US language.
We're going to change the language to French

- Click on "File"
- At the bottom "Options"
- Click on "Language"

At this point you should see 2 installations of Office installed. Both English (US) and French (France). Example below >

To test the Office client

- Change the "Display Language" from "Match Microsoft Windows <Default>" to "French [Français]"
- Close all Office applications
- Open Word

You should now see the same test we saw with the Windows OS test. Here is an example >

To change this back to the default configuration

- Click on "Fichier"
- Click on "Options"
- Click on "Langue"
- Click on "Identique à Microsoft Windows"
- Click below it "Définir par défaut"
- Click OK
- Close Office
- Open Word

It'll be back to the language of the OS and default settings of Office. We've now successfully set up and configured the AIP service, the Windows OS and the Office application to understand the fr-FR configuration we've applied for the AIP client.

Secure Score - Using old Azure AD portal security report actions
I was wondering, is Secure Score being updated to use the new Azure AD portal security reports? At the moment these actions are recommended and most of them are from the old Azure AD portal:

- Review signs-ins after multiple failures report weekly (Being Retired)
- Review sign-ins from unknown sources report weekly
- Review signs-ins from multiple geographies report weekly (Being Retired)
- Review sign-in devices report weekly

With two of these reports being retired in the future and much of these being consolidated in the new Azure portal with fewer reports and risk event types, will Secure Score be switched over to make use of these? Thanks in advance if anyone knows!

Solved | 4.6K Views | 5 likes | 15 Comments
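For the post "How to: Enabling MFA for Active Directory Domain Admins with Passwordless Authentication" in the list above, a read-only check of the end state it describes (SCRIL and Protected Users on every Domain Admin, the msDS-NeverRevealGroup contents of the AzureADKerberos object, and the DisableRestrictedAdmin value on an RDP target). This is an added example, not code from that post or from Microsoft; the function names are this example's own, and it assumes the RSAT ActiveDirectory module and an account allowed to read the directory.

```powershell
#Requires -Modules ActiveDirectory
# Added example (not from the post): read-only audit of the settings the
# how-to configures. Function names are hypothetical, chosen for this example.

function Get-PrivilegedPasswordlessState {
    param([string]$PrivilegedGroup = 'Domain Admins')

    # Direct members of Protected Users only: a deliberately conservative check.
    $protectedDns = @(Get-ADGroupMember -Identity 'Protected Users' |
        Select-Object -ExpandProperty distinguishedName)

    # Recursive, so admins who get the privilege through a nested group are included.
    Get-ADGroupMember -Identity $PrivilegedGroup -Recursive |
        Where-Object { $_.objectClass -eq 'user' } |
        ForEach-Object {
            $u = Get-ADUser -Identity $_.distinguishedName `
                -Properties SmartcardLogonRequired, PasswordLastSet
            [pscustomobject]@{
                SamAccountName   = $u.SamAccountName
                Enabled          = $u.Enabled
                # SCRIL = "Smart card is required for interactive logon"
                Scril            = [bool]$u.SmartcardLogonRequired
                InProtectedUsers = $protectedDns -contains $u.DistinguishedName
                PasswordLastSet  = $u.PasswordLastSet
            }
        }
}

function Get-NeverRevealGroups {
    # The Azure AD Kerberos computer object named in the post.
    $krb = Get-ADComputer -Filter "Name -eq 'AzureADKerberos'" `
        -Properties 'msDS-NeverRevealGroup'
    if (-not $krb) {
        Write-Warning 'AzureADKerberos computer object not found.'
        return
    }
    # Groups still listed here cannot sign in on prem with a FIDO2 key.
    foreach ($dn in $krb.'msDS-NeverRevealGroup') {
        (Get-ADObject -Identity $dn).Name
    }
}

function Test-RestrictedAdminAllowed {
    # Local check of the value the post sets with 'reg add' on the RDP target.
    $p = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' `
        -Name DisableRestrictedAdmin -ErrorAction SilentlyContinue
    return ($null -ne $p -and $p.DisableRestrictedAdmin -eq 0)
}

$state = Get-PrivilegedPasswordlessState
$state | Format-Table -AutoSize | Out-Host

# An enabled admin missing either control can still authenticate with a password:
# interactively without SCRIL, or over NTLM without Protected Users.
$gaps = $state | Where-Object { $_.Enabled -and -not ($_.Scril -and $_.InProtectedUsers) }
foreach ($g in $gaps) {
    Write-Warning ("{0}: SCRIL={1}, ProtectedUsers={2}" -f `
        $g.SamAccountName, $g.Scril, $g.InProtectedUsers)
}

'Groups still in msDS-NeverRevealGroup:'
Get-NeverRevealGroups
"DisableRestrictedAdmin = 0 on this host: $(Test-RestrictedAdminAllowed)"
```

Run the registry check on the server that receives the RDP connection; the directory checks can run from any domain-joined admin workstation.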
Events
Recent Blogs
- Part 1: What Is Cyber Resiliency and How Do I Get It? Recently I was on a call with some Security leaders who were interested in how we at Microsoft could help them with cyber resiliency. But when ...
  Mar 10, 2025 | 217 Views | 2 likes | 0 Comments
- When managing identities across multiple tenants, organizations often face a crucial decision: should they choose ADSS (Active Directory Synchronization Service) Tenant Sync or Entra Native Cross-Ten...
  Mar 06, 2025 | 418 Views | 0 likes | 0 Comments