Many of my customers move to the cloud in the last recent years. This means for existing environments a start of a journey away from on-prem system going forward to cloud environments. We all know a journey starts with preperation and needs different steps and is always not a good idea to work on all systems together. But on the other hand, same system still exists in there old way and use sometimes old, unsecure protocols for communication and authentication.
To adress this issues Microsoft announce Septemper 2019 in a blog article “Improving security” the disabling of support for Basic authentication for the protocols like EWS, POP, IMAP and Remote Powershell. After the plan the corona crisis came up and Microsote decided to postpone the disabling of the noted protocols.
In September 2021 Microsoft released new information about this in the article “Basic authentication and Exchange Online” including some updated information. Microsoft will disable basic authentication beginning 1st of October 2022 for all protocols except SMTP auth. This means the following protocols will be disabled:
The full event month of September is slowly coming to an end and what better way to end it than with a great Azure conference? I´m really happy to announce that I will speak at the Experts Live Netherlands. The Experts Live Netherlands is one of the biggest Experts Live conferences next to Experts Live Europe and celebrates its 10th anniversary this year.
After 8 Months of planning the Cloud Identity Summit 2022 is over and I can say it was really a pleasure to help to organize this great Community event from my perspective. Four years ago Thomas Naunheim come up with the Idea to create a event focus on Identity for the Community. We discuss this in our Azure Bonn Orga Team and finally the Cloud Identity Summit was born. At the end of 2019 we plan the first edition for 2020 as a in-person event, but things changed and we changed the format to an virtual event and this also for 2021.
Back in february we start planning for the 3rd edition 2022 and we decided to go back to our original idea to hold it as a in-person event, but with the experience of two virtual events we move it to an hybrid event. Yesterday was our 1st Cloud Identity Summit 2022 as hybrid edition and I can say, I was really exited about it. Why?
I took the Microsoft Cybersecurity Beta exam #SC100 and got yesterday the confirmation that I passed the exam. This is great news for me as it confirms that I am gaining a better and better knowledge in Azure Security topics.
In this article I will introduce the exam, how to get the Microsoft Cybersecurity Architect Expert award and which materials I used to prepare for the exam.
I am pleased to have received an invitation to speak at the upcoming Scottish Summit 2021. The Scottish Summit was estabhlished in 2020. This year the conference is becoming an online-only conference and will be streamed on all social media channels. The conference itself is growing into a really big conference with many parallel tracks with different language. The main conference starts on Saturday 27/02/21 and there will be many sessions on Microsoft Cloud services (like Azure, M365 and so on).
Azure Governance is an important topic for any customer using cloud resources. In my session, I will show the power of Azure Policy and Azure Security Center to define guardrails for your Azure environment and bring it into a compliant and secure state. I will go live with my session at Saturday 27/02/21 starting 1PM. If you are interested in how Azure Policy and Azure Security Center work together and how these services are handled, please feel free to join my session and ask questions.
Over the past few months, I have conducted many customer workshops, designed and implemented Landing Zones, and migrated or placed VMs into Azure. One of the most common customer questions has been about best practices for Azure VMs to maximize performance and efficiency, minimize costs, increase security, and reduce management overhead. This article is based on my real-world experience and recommendations based on several Azure projects.
In the past Thomas Naunheim and I do a lot of architecture and designing prinicple for integrating Azure in company environments. We have the idea to create a Azure Governance Best Practices session in the last couple of months to give the community our insights and best practices for Starting/Integrating Azure environments. The goal is to give you insights, where you can find the best documentations to start with a Cloud journey and which technical Azure features help to bring and hold your environment in an compliant and secure state.
The session contains the following topics:
Cloud Adoption Framework
Insights about Azure Policies and Azure Security Center
Azure Enterprise Scale architecture
Identity and Access Management
We are exited to hold the session at the GermanyClouds Meetup on november 26. Did you interested in this topics or you are in the beginning or implementig phase, join us. We will happy to see you there and get your questions.
Microsoft has changed the #AzureBastion minimum subnet size from /27 to /26. Installed #Azure Bastion are unaffected, but new deployments require the new subnet size. Please remember this. https://docs.microsoft.com/en-us/azure/bastion/bastion-faq#subnet
Update – 12/2020
Azure Bastion is now available in West Germany Central.
Azure Bastion is a service to avoid deployment own Jumphosts and reach Azure VMs over the Management Ports (SSH and RDP) in a secure way without the need to assign Public IPs directly to Azure VMs.
Azure Bastion got a really big improvement and now supports Azure VNET Peering. This includes all VNET peering models, inside a single subscription and VNET peering across different subscriptions.
Our 1st IdentitySummit is over and we had a amazing Summit with our powerfull Speakers and our attendees.
We (Azure Bonn Orga Team) started planning the Summit in March 2020. The Orga Team from the AzureBonn Meetup consists of Melanie Eibl, Thomas Naunheim and René de la Motte. The idea came from Thomas (our Identity Expert) and we can say that was a wonderful idea.
We meet together at the Debeka Innovation Center (DICE) in Koblenz to organize and streaming all the sessions from one central place. The current Corona situation has unfortunately not made a complete live event possible, so we have met under the rules in force to ensure a smooth process and bring a little live feeling.
Now after 6 session in 2 parallel Tracks we can say it was worth every minute of planning – Why?
The answer is simple: First of all because of our great speakers. Each session was planned with a minimum of 300, and each session went deep into the relevant topics, showing what needs to be considered, the pitfalls and best practices available.
I´ve updated the article because the actual sign-in query only logs all login attempts of the break glass account (successfully, unsuccessfully, etc.) . I added the different IDs so that you can setup the alert mail based on a indivudal filter. Thank you goes out to Eric Soldierer for this note. I also updated some changed services that had left their preview status.
In the past I do a lot of Azure Governance workshop and one interesting topic is how to handle the Break Glass Account. Before we going deeper, first we take a look was is the Break Glass Account. For each Administrator role in Azure or Office365 is it best practice to use MFA to secure the account and get a better security for the Tenant. To realize this, normally we use Conditional Access and create a rule, that every Admin require MFA for login. But what can we do, when:
the MFA service is down
we create a Conditinal Access that with a wrong rule set and lost sign-in access
we do not regulary update our control list and the admin account goes lost
For this cases we need a Break glass account, an additional account with a high security password, to enter the Tenant in an emergeny case. For this account, there are some recommendations:
only use a generic account
create a complex password with more than 16 characters
for compliance reason divide the password into two parts
save each part in a different location
create a security group that contains the break glass accounts
create two break glass accounts with no standard username like breakglass@ or emergency
use the Tenant name for the account
do not use a custom domain name
in futher it will be possible to use FIDO2 security key for break glass (right now is in preview and not recommended for such critical scenario)
Now we can discuss in some ways a security gap – a service account with Global admin rights that do not require MFA for login. Now you see, why it is so important to monitor this accounts and get notified when they will be used for login.