Episode Transcript
0:12
Hey there and welcome back to another episode of Ctrl+Alt+Azure. This is a show where we talk about all things Microsoft technology. I'm Tobias and I'm back with you. What's up?

0:25
Hey Toby, I'm gearing up for the MVP Summit. That takes place in late March in Redmond and usually no friction on this. It would be business as usual. But for me, it's been five or six years since I last went to the US. I think I've forgotten everything about long-distance travel. So I frequently travel in Europe. It doesn't require any sort of planning really. You pick up your stuff and you go. You don't even need your passport because you have the national ID card, which is enough. But now my travel adapters are collecting dust. I haven't purchased an eSIM for the phone so that I could get mobile data access while I'm in the US, and I'm not used to jet lag anymore. So before COVID, I went to the US even six times a year. It was business as usual. Now once a decade for me feels like a massive effort.

1:22
Yeah, I hear you. Well, I hope you have a good time at the MVP Summit. I do miss hanging out at the summit, meeting up with all the MVP peers. I was also an MVP for many years in my past life. So I'm glad they brought that back now, you know, post-COVID, so hopefully you'll get some good times over there. For me, you know, last week it feels like spring really reached us kind of big time over the weekend. We spent some time in the garden with the family, tidying up some of the bits and pieces to prepare for the new season, kind of all the seeds that we usually plant, we now planted them indoors, and I managed to clear out most of the greenhouse over the weekend, and I found all my Raspberry Pi devices and my, most, you know, the sensors in the soil to check the moisture and temperature and, you know, brightness and UV levels and all these kind of things. So I'm preparing that as well, so I can put those into the pots as soon as I can move them out into the greenhouse. So now I think we're ready for the planting season, you know, let the fruits, veggies and herbs thrive once more.
2:37
Sounds awesome. We are not that far ahead with spring here in Finland. I don't live that far away from you, but I live further up north, so it still feels a little bit like winter here in Helsinki. So today we are talking about securing Microsoft Entra. This is based on the fact that Microsoft released a pretty awesome guidance last month in February 2025 on configuring increased security capabilities for Entra. And for me, I've been working with Azure Active Directory and Entra ID for longer than I can remember, and before that obviously mainly on Active Directory. So I usually trust everybody else knows everything about Entra and its capabilities. There's nothing new to find, but it's also a bit educating for me to sort of go back to the basics to see, did I miss something? Has something changed since I learned this in 2014 or whatever? So we're refreshing a bit on our knowledge and the recommendations as of 2025. But Toby, do you feel with Entra? Do you feel you have any gaps in your knowledge? Or if somebody asks you a question on anything in Entra, is that always something you sort of know already? Or all news for you?

3:59
I think that's a great question. And anyone who says, no, I know everything already, is probably not self-aware enough, I would say. There are so many things to be aware of. And you can always be educated and educate yourself on new capabilities, features, how to best configure things. For me, I used to operate and manage what was then called Azure Active Directory, but today Entra, you know, for organizations. Back then, I was pretty well versed in where to find things, which cmdlets I should run to enable or disable specific things, you know, setting up all the conditional access policies and, you know, figuring out the sensitive users and risky users, like all the things you would usually do from a security perspective, but also from a kind of organizational management perspective. Today, I'm not doing that in my daily job, so I am pretty disconnected from Entra management. So back to the question, any gaps in my knowledge for Entra? Yep, you know, I would have to rely on the documentation and go back and say, all right, where do we start? Which I think is great because that kind of segues into the things we're going to talk about today.

5:19
Yeah, yeah, for me, it's the same. I don't really actively operate a lot of production Entra environments. I'm often brought in to troubleshoot something or figure something out like, hey, we have this, let's say, an enterprise application and it's doing authentication in there and we can see this in the logs. What should we do with this then? And that sort of ties into Entra, but at the same time, it's something which is more business related than strictly something you would configure in Entra. So for me, I feel the configuration aspects of Entra are fairly well known, and I feel at home with those, but each time you add the customer and the business context, it becomes a little bit messier and you sort of need to go back to the higher philosophy of what was thought out when this was designed for this particular business. So let's take a look at what the guidance includes.
6:22
The guide is available on Microsoft Learn. You can see the link in the show notes, and it's divided in five main topics. Let's walk through all of these one at a time. And the first one is privileged access. And for me, privileged access used to mean the domain admin account, that was back in the day before cloud. And for now, obviously, any type of an account can be privileged, depending on what roles and permissions it has. But the main guidance here is that privileged accounts should aim to be cloud native. And what this means is that if you synchronize any of your accounts from an on-premises source, Active Directory or some other directory, those permissions might be converted to privileged accounts in the cloud. And if they get compromised in the on-premises, they will then also be compromised in the cloud. For me, this always brings me back to Active Directory Federation Services that we were busy creating 15 years ago. Thankfully, not that often any longer. Would you agree on this assessment that privileged accounts should be cloud native and you should really protect the high permission accounts in on-premises as well, but you should separate those two?

7:39
Yeah, I think that sounds reasonable. And when we talk about securing identity, securing the perimeter, we always talk about separation of intent and separation of duties and separation of roles. So I think this is definitely a step in the right direction. What you said there is like if you compromise an account on on-prem and that's directly sent to the cloud, that compromise can move into your cloud, which is similar to if someone paints your data or manipulates your data and that replicates across different regions, then you have broken or incorrect or malicious data replicated across regions. Kind of the same thing here. And I know with privileged access, another thing that you have to think about is like ensuring you have these phishing-resistant kind of authentication methods. I know in the past couple years we talked about security defaults to enable that, and then you got MFA, or you roll out conditional access and then you can require a bunch of things. Microsoft has made, you know, a lot of investments and push towards passwordless as much as possible using like these hardware keys, you know, there's the keys you can scan with your fingerprint or touch the keys and you have a sign-in method that way. So anything that is not your mobile phone, essentially. I'm even getting that not just from, you know, authentication providers or the big authentication providers, but also for some of the services that I subscribe to in my personal life or professional services. They also now require you to have a more sophisticated multi-factor authentication method than SMS or call, because they say now that you need a hardware key or you need an app on a different device so you can identify with bioscans or whatever, but we will not send phone calls or text messages anymore for your MFA codes because that's been abused and you can do the SIM card phishing and SIM card hijacking and all these kind of things. So if you're a sophisticated attacker, that becomes a pretty easy target. So long story short, yeah, privileged access important to secure, also make sure you have phishing-resistant authentication methods, which then includes passwordless and the FIDO2 keys, and you have Windows Hello for Business and things like that.

10:10
And perhaps if passwordless fails, perhaps too modern or too complex to roll out right now, start by disabling text message based MFA and the phone call option. Once you eliminate those two, then you can start focusing on something more modern.
10:31
Obviously, Authenticator is great, but for privileged high access, high permission accounts, you need to go for FIDO2, physical keys, Windows Hello for Business, or certificate-based authentication. The next topic is Credential Management. And I think the guide on purpose tries to keep this quite clean. It doesn't go end-to-end on all possible things you have to factor in, because that guidance is already, I believe, in the Cloud Adoption Framework, the Well-Architected Framework, and the specific Entra guidance. This is more of a good approach on what you should know about credential management and overall ensure you have strong authentication methods configured for both your users and your privileged access accounts. Again, SMS, meaning text-based authentication, and phone calls should be eventually retired. Have a look in your sign-in logs if anybody's even using those; if they are, instruct them to use something else, disable that one. The next one, I feel, is trivial to configure, but often problematic, especially in smaller organizations: blocking legacy authentication. So basic authentication for emails like POP3 and IMAP and SMTP, quite widely used because people are using legacy email clients on phones, they rely on these. And if you just go and block it, then it will break something for the people who rely on the services. And that might be the CEO of the company who cannot access emails now when they're traveling. So again, this boils back down to conditional access policies and MFA. Anything else you would highlight from the Credential Management aspect?

12:24
I think one thing that comes to mind when we talk about credential management, you know, whether this is in the cloud or if this is on your personal device or something else, is password managers or a centralized password kind of management service for securing admin secrets. So there is a bunch of different things that you should probably think about in doing that. And you also use probably key vaults, you have your app secrets, you have your certificates, you have your different keys, and all these things. And there's a life cycle type to all of this. So it's not just, you know, one thing that I discovered so many times over the years before joining Microsoft, I was working with different customers and different companies. And one thing that was very clear was people had the sense of security because they deployed a key vault and they put everything as secrets. They put everything as strings as secrets and then they never rotated those secrets. They had sometimes to copy it to a developer machine, sometimes to copy it to, you know, a notebook somewhere, sometimes they copied it and sent it to the web browser and tried an API call, you know, it all over the place. And then, you know, there's this showcasing really bad practices, not good practices, but I want to emphasize that this does happen and that still does happen. So credential management is important, but also having that kind of centralized, like a key vault, a centralized option, or if it's for a password, like a centralized password management service where you rotate secrets, you rotate passwords, you make sure you cannot reuse them, you make sure that they are frequently updated, and if it's certificates and keys for your systems, if you implement an auto-rolling function that can kind of roll those over, you know, implement new certificates, new encryption keys and these kind of things, that's great because then you solve that problem. So there's a, you know, there's a long line of things to think about when it comes to credential management. And if we keep it just within, you know, Entra, you know, there's, there's probably a good, I think there's links in that document as well. And there's probably a good set of recommendations where you can go in and say, when you manage your credentials in Entra, here's the kind of recommendations we have for that. So yeah, for me.
15:00
This is something that historically showcased a weakness in most of the kind of security audits we did with organizations that I was part of, where credential management was for hygiene. You know, that is where the security posture of many organizations kind of went down.

15:16
Yeah, I agree on that one. And you mentioned the sort of centralized password management service. So this applies both to individual people, your employees, your admins, and perhaps for some of the services where you maybe have a break glass account or some sort of secrets you need to be rapidly able to access. They might be in Key Vault, or you would typically use a commercial option as well that you could run on your phone and desktop as well. So the next category is application management. Again, trivial to say. Please manage your applications. Everybody's managing their applications, but disabling and monitoring for inactive service principals, ensuring that nobody can consent for the whole company in terms of Microsoft Graph permissions, knowing what your admins should be monitoring and reacting to those. And some things that I usually do not see companies doing is removing excessive permissions, for example from service principals. Once they are granted, then typically they are quite static. So somebody needs to go perhaps on a bimonthly basis or twice a year to go through what do we have? Are they still used? Are the permissions correct? Did somebody accidentally grant it too much for something we are no longer using? Are the secrets for those service principals, are we rotating those? So small things, but somebody needs to have these review sessions to understand what is going on in there. You could automate plenty of this, but often you need the manual view and manual reporting so that you can then raise the issues: should we clean this up, is this still relevant? You might have 500 people relying on those different service principals and you don't know them intimately on how they're used. So you need to have these review sessions to understand what is going on in there. Toby, I know you have plenty of experience on this area as well. Any sort of vision you can share here as well?

17:29
Yeah, I think it circles back to the same kind of points we talked about just before, make sure you have a life cycle implemented, not just, hey, we're gonna cycle secrets every X days, but actually enforce that. There's, or there used to be, I haven't tried it in a while, but if I find it after this recording I'll put it in the show notes, so go take a look right now and you might see it there. There used to be a workbook that you could have for Azure Monitor or for Defender for Cloud that would make queries and say, here's all the app registrations being actively used. Here's the consent flow. Here's people consenting to these apps. Here's the different secrets or whatever things that you could visualize. That way you get an understanding saying, okay, we have these accounts, they are actively being used. We have these applications, they're actively being used. And then this way you could start painting a picture about what is active, what is inactive. And then from there just, you know, cut access or disable the inactive accounts or the inactive applications in Entra right away. And then you of course need to have the, again, coming back to life cycle management. And when it comes to applications that have secrets, one thing to also consider is moving to managed identity. So instead, if that's possible, sometimes you're going to have to have an Entra ID app or an Entra app and you have to set it up and you have to have application or user permissions for whatever reason and it has to be a certain way, sometimes you can configure managed identity and say, hey, this application should be able to retrieve this and that information from this and that app. If you can, always use managed identity because that means you don't need to have a secret. If you do need to have a secret, you probably should put it in a key vault. You should not have it anywhere else. And if it's a production system, and again, this is something I've seen in the wild so many times. People go into their key vault and they copy a secret to their dev machine or troubleshoot and they use Postman or some other kind of tool where you send tokens back and forth, and all of a sudden you're sending secrets that should be inside of a key vault and never read by a human or another system. It should just be read by the kind of deployed services you have in Azure. But you know there's a human in the loop and they want to try something out or debug or do something else and they copy this secret and voila, it's on a clipboard somewhere. And some people might know, some people might not know, that a clipboard on Windows 11, if you push the Windows key and V, you will get the history of all the clips you've done. So if you've copied a password or secret today, it's going to be in your clipboard, so if anyone dumps your clipboard, voila, secret spilled. So it's not just that you have it in the clipboard right now. It's just the fact that you did copy it sometime during the day today, and voila, you spill the secret.
20:30
So obviously we're not going into the entire, like, downstream what can happen with compromised information on your machine. But this comes back to what we talked about, credential hygiene. And this goes for applications, for managing your applications. Make sure you have a life cycle configured. If there's any kind of privileged built-in roles, make sure you audit them. Make sure you audit how your applications are being used and what application permissions are being used and how that's being used as well. And what you see mentioned there always raises like a red flag for me, when someone says, hey, our app is going to require application permissions. We're going to need to read your entire directory in read, like global read account. We're going to have access to everything you have. That brings a flag to me saying, well, if you can prove how you operate? Like, are you SOC 2 Type 2 certified? Are you ISO 27001 certified? Are you HIPAA certified? Are you following any of the other certifications? And have you been audited by a third-party auditor? And can you ensure that all encryption keys are rotated? And no human can read any of the data in the databases and so on and so on? Because again, that's a problem with many service providers or SaaS companies or other companies. They built something. But there's always someone on the back end that can just kind of open the SQL server and look at everything in plain text. And if they collected all the information from your business, well, guess what? Your business data is now in plain text in someone else's database. And that does happen. That's not just a risk that can happen. That does happen with companies already today. So if someone says, I know I'm just ranting now, if someone says, hey, this app is going to need application permission, you're going to need admin consent or a high privilege consent app because we need access to all this information, think not once or twice. Think a few more times. Take it back to your SOC team or take it back to your security advisors internally, maybe your CISO, and say, hey, here's a thing, they want access to all this data, what's our risk? Are we risk averse here? Do we want to take the risk? Is that a company we trust? Who's asking for the data? What data are they asking for? Because that is a single click where you just say, I consent to this, and then all that tenant information is now accessible from a random application that you may or may not trust. So that's important.

23:06
That is solid advice. I'm always smiling or screaming a little bit if I'm in a screen sharing session with somebody and they open a VDI platform and you can see a password.txt on the desktop, because it's easier to have them there than going back and forth between the password management systems and key vaults. So the world is definitely not ready for something like having passwordless and certificate-based authentication everywhere. It's a little bit too cumbersome a lot of the times and you have to rely on secrets and passwords at times. The second to last category is external collaboration, meaning guest accounts and guest access. So your guests shouldn't be able to invite other guests, that's a given, but you have to configure for that. And if you can, meaning if you have Entra ID P2 and/or the governance add-on, then utilize access packages and access reviews so that you have some sort of orchestration and governance over who has access to where externally and what can they do. And one small thing that I typically like to add is that when we invite guests we require MFA. So we could trust their existing MFA challenge that they've already probably provided for their Entra if they use one, but I'm also typically enforcing an additional MFA. And that, again, no text messages, no phone calls. Obviously for guests you cannot say, we require you to use FIDO2, because I would have to provide that for them. But it's more like, well, we'd like you to use Microsoft Authenticator. And again, they're guests, they typically don't have admin access, but we want to control what sort of access they have on that one. So the external collaboration is relatively simple in that sense. The last bit is monitoring, and Toby, I know you've been exposed to a lot of monitoring in your life. Any top of mind guidance from the Microsoft guidance you would highlight here?

25:10
Yeah, I think just looking at this guidance, like monitoring, we could probably have five episodes just talking about monitoring because it's a pretty big topic. Looking at the scope of this guidance that we're talking about now within the kind of fundamentals, I think enabling diagnostic settings, so they're configured for all Microsoft Entra logs, is going to be important. You can do that with the kind of diagnostic settings for Entra. You can also integrate Microsoft Entra logs with Azure Monitor, which is something I definitely recommend, because then you can get those logs flowing into Azure Monitor, where you probably have your kind of single pane of glass for most of the monitoring needs in Azure. You can of course stream Microsoft Entra logs to an event hub as well. So if you want to get these logs into a different format, if you want to get them into a different system, if you want to visualize them somehow, if you want to tie them to whatever, then from an event hub you can do that. So that's one. Make sure that diagnostic settings are configured for all the Microsoft Entra logs, because that way, you know, if they're not regularly kind of archived or sent to your SIEM tool for querying, how will you ever know if there's malicious activity? How will you ever know if there are anomalies in the daily operations? You will not know because you don't have the data.
26:41
But if you do enable diagnostic settings and you do enable these things to flow into your security information and event management, or SIEM, system, that's where you will find the anomalies. That's where you will find the risky sign-ins. That's where you will find all these kind of things. So the more data you have, the more informed decisions you can take on a lot of these things and also find things happening a lot quicker. So that's one. The other is no legacy authentication sign-in activity. So making sure that you monitor for legacy authentication, making sure that there is no legacy authentication sign-in activity, because when that does happen it can be for one of many reasons. One reason is that you did not disable it and, you know, there's a bunch of accounts signing in with the, you know, kind of legacy authentication mechanisms. Another angle, and you know I worked with penetration testing and a bunch of that stuff in my old days as well, another venue is that it's very common for attackers to use kind of legacy authentication that does not require MFA or, you know, doesn't support it. Again, you mentioned SMTP and IMAP and other kind of protocols, so if you do need to have them enabled in your organization because you can't simply shut down all the legacy systems because your business would not thrive, it would maybe break. Still, you need to monitor for legacy authentication sign-in activity and then you can stay on top of it and say, well, these are trusted, and now we're getting it from an IP outside of our range or now we're getting it from a strange application or, you know, again, without that monitoring, you just don't know. Those are the two top of mind from there. Anything else top of your mind?

28:33
No, I think monitoring, it's often on a fairly okay level that I'm seeing. But as you mentioned, the diagnostic settings, you should really have that nailed down across all the services. So utilize Azure policies for that one. Make sure you're getting all the possible logs you can. It's easier to troubleshoot and monitor things later on. It's a good guidance.
29:00
It's fairly easy to read, just five main categories. And the sort of stuff you have in there, I feel it's easy for anybody regardless of their experience level. It's easy to digest and implement as well. So if you haven't had a look on the guidance, have a look, it's in the show notes. Start applying those recommendations from the guidance. All right, the last bit before wrapping up the show, the unexpected question. Toby, do you have a question for me?

29:37
I do have a question, and the other day, you know, my wife accidentally broke the glass of her smartphone, so we had to go into a shop, and I found one of these foldable phones from, I don't know, Samsung or whoever does it, and I'm like, whoa, I want one of these. And I took a look and then I'm like, this is pretty useless, what am I going to do with this? And I took a look at, I've not been in a phone shop for like five years because I just ordered. Every three, four years, I order a phone online, I very seldom change my device. But it was fun being in the store and, you know, try the device. Anyway, my question that came out of that is, if you could add one completely useless feature to a modern smartphone, what would that be?

30:20
Well, obviously a phone would be something I could use. I've been looking at those, they're too costly, too sort of exotic right now. Perhaps one day I'll have one, but for now, no. But something completely useless, it would be useful for me, useless for everybody else. My kids' phones, I would want to have like a remote trigger five minutes before dinner is ready. It would flash their screens in red: dinner will be ready in five minutes. And then 30 seconds before I'm expecting them to sit down for dinner, it would just blank out the screen and they would be forced to come. Now I'm yelling at them once, hey, dinner is ready. Yeah, yeah, just after this game. And then I'm thinking, should I go to my UniFi gateway and just block all that traffic? Well, maybe that's too harsh. I'll give them five more minutes. And eventually it's 15 minutes since I first asked them. And I fully get it. I was the same. I'm still sometimes the same. But that would be the useless feature. Flash the screen furiously and then just blank the screen and mute everything. Then they would come to me, hey, there's something wrong with my phone. Well, I'll fix it. Let's have dinner first.

31:36
I think that's a healthy reflection, but I also like that you're the global admin in your house. So you can just pull the plug and say, well, oops, internet no longer works. So the games just kind of are on pause now. So we can eat potatoes meanwhile.

31:48
Exactly.

31:51
All right, thanks for tuning in. See you next week.

31:53
All right, see you then. Fairy