Updated CIAOPS PowerShell course

I am pleased to announce that I have updated my online PowerShell course for Microsoft 365. A lot has changed in recent times so I’ve been through the content and updated it as well as add lots more lessons and resources. The only thing that hasn’t changed is the price. That remains at US$39!

You can view the course content and sign up here:

https://www.ciaopsacademy.com/p/powershell-for-microsoft-365

Of course, if you are eligible CIAOPS Patron, you’ll also get immediate access to the course for free as part of your benefits.

The idea with the course is not to give you a deep dive into all the workings of PowerShell. It is designed to get you up and running using PowerShell with Microsoft 365 as quickly as possible. No pre-existing knowledge is assumed. I’m aiming to bring out more advanced courses, but this course is the foundation on which courses will be built.

As I have said many times here, PowerShell is a KEY skill for any IT Pro going forward in the Microsoft Cloud space. It allows you to do things faster and more consistently, just to name two benefits. If you haven’t taken the step to learning PowerShell then invest in yourself and you future and do so!

Need to Know podcast–Episode 249

FAQ podcasts are shorter and more focused on a particular topic. In this episode I speak about what Office 365 Alerts is and provide some best practice suggestions.

This episode was recorded using Microsoft Teams and produced with Camtasia 2020

Take a listen and let us know what you think – feedback@needtoknow.cloud

You can listen directly to this episode at:

https://ciaops.podbean.com/e/episode-249-azure-information-protection/

Subscribe via iTunes at:

https://itunes.apple.com/au/podcast/ciaops-need-to-know-podcasts/id406891445?mt=2

The podcast is also available on Stitcher at:

http://www.stitcher.com/podcast/ciaops/need-to-know-podcast?refid=stpr

Don’t forget to give the show a rating as well as send us any feedback or suggestions you may have for the show.

Resources

FAQ 14

CIAOPS Patron Community

Azure Information Protection

@directorcia

Announcing the CIAOPS Azure Sentinel online course

If you want to get started with Azure Sentinel and don;t know quite where, then I have created an online course just for you.

You’ll find it here:

https://www.ciaopsacademy.com/p/getting-started-with-azure-sentinel/

Azure Sentinel is a cloud based security information and event management (SEIM) tool that you can easily connect to various data sources, both on premises and in the cloud. Once events are flowing you can then use Sentinel to analyse and report on those events quickly and easily as well as take automated actions if desired.

This course is aimed at helping you get up and running with Azure Sentinel quickly by introducing you to its main features and then showing you how to configure the most important settings to get it working for business.

If you want to quickly and easily ingest security logging data, analyse, report and act on that then Azure Sentinel is for you and this course will show you how to get up and running quickly. Inside you’ll find video tutorials, references, best practices, how-to’s and more.

I’ll continue to add more material to the course but once you sign up you’ll always have access to all the content.

Look out for more online courses coming soon.

Determining legacy authentication usage

I’ve spoken previously about the need to eliminate basic authentication from your environment:

Disable basic auth to improve Office 365 security

The unfortunate reality is that some legacy applications could be using and can ONLY use legacy auth! So, you don’t want to necessarily disable it across your tenant without first understand who or what maybe using legacy auth.

One way you can see this is by navigating to your Azure Active Directory in the Azure portal for your tenant. You then need to select the Sign-ins options on the left under the Monitoring heading towards the bottom as shown above. You should then see a list of events display on the right. At the top of this pane select the Columns menu item.

From the pane that appears from the right ensure you have the option Client app selected, as shown above.

Next, select the Add filters button at the top of the list of events as shown above. From the list that appears select Client app and then the Apply button at the bottom.

A Client app option should now appear at the top of the list as shown. It will typically show None Selected.

Select the new Client app button and a list of items will be displayed as shown above. From this list, select all the items under the Legacy Authentication Clients heading.

When you now click away, the list of events should be filtered to only those events that match the use of Legacy Authentication. You can select any of these to get more information about the event including who or what generated this.

Armed with this knowledge you can now start working whether upgrades or additional configuration is required in your environment to minimise the attack surface area of Legacy Authentication in your environment.

Protecting your Microsoft 365 environment using Azure AD Privileged Identity Management (PIM)

If you are managing a Microsoft 365 environment my recommendation is to do so using a Microsoft 365 E5 SKU, no matter what else in in that tenant. The reason for having at least one Microsoft 365 E5 SKU in your environment is that it provides a wealth of additional features that directly benefit administrators. One of these is Azure AD Privileged Identity Management (PIM).

In a nutshell, PIM allows you to do just-in-time (JIT) role escalation. This means that users can be given the permissions they need to do things, only when the need them. It means that you don’t need to have users with standing global administrator access, they can be escalated only when they actually need those privileges. Standing elevated privileges is something that you should be looking to minimise or eliminate in your environment so that if an account does get compromised it won’t have access to the ‘family jewels’. PIM is also a way to potentially minimise the threat of a ‘rogue administrator’ given that it can have an approval process tied to it as well. Most important, all PIM actions are audited in detail which is always handy to have.

PIM is a feature of Azure AD P2 and as mentioned, included in Microsoft 365 E5. Best practice is to ensure you have an ‘emergency break-glass’ administration account tucked away as a backup before you start restricting existing administrators with PIM. Once you have both the license and a ‘get out of jail’ account you are ready to use PIM.

A good example to help you understand the benefits of PIM is to illustrate how I use it myself in my own production environment. The account that I use for my day to day work used to be a global administrator but best practices dictates that it really shouldn’t be. However, given the number of browser sessions I have open already I didn’t want to add yet another one to be checking administrative tenant level ‘stuff’. PIM to rescue! With PIM, my account can stay as a member account by default and I can escalate it to be a global administrator as needed.

One of the things I like to check is Microsoft Cloud App Security for my tenant. As you can see above, by default, I now have no privileges.

To elevate my privileges I follow this process:

Activate my Azure resource roles in Privileged Identity Management

This means that I login to the Azure Portal and then navigate to Azure AD roles in PIM as shown above. Here I can see that I can activate the Global administrator role by selecting the Activate link as shown.

When I do this a dialog box appears and my credentials are verified. You can enable the requirement to again prompt for MFA during this validation process if you wish. That means, even if I am already logged in successfully, I need to complete an MFA challenge again to proceed.

I can now select the time required to complete my work up to a pre-defined Duration limit. Here I’m going to select the full 8 hours for a full work day at my desk. I also need to provide a Reason for elevation. This information will be recorded and held with the auditing information. This means I can track when and why I elevated.

When complete, I press the Activate button at the bottom of the page to continue.

The activation request is then processed according to pre-define rules. In my case, I have elected to have automatic approvals but you can refer approvals to a third party if you wish for greater protection.

In about 30 seconds my activation is complete and if I now look in the Active roles area of the console I see that I am indeed a global administrator.

If I now refresh my Microsoft Cloud App Security page, you see that I can get access as a normal administrator. This is also the same with all the other administrator areas in the tenant thanks to undergoing the elevation to a Global Administrator thanks to PIM.

The good thing is now I can work using my normal account, check and monitor what I need to without using a different account. I can also rest easy that after the 8 hour time limit my account will again be de-activated back to being a member user. Thus, at the end of the day, I simply shut down and the account will automatically be de-activated for me without me needing to remember to do it. I can of course, manually de-activate the account at any time if I wish, say if I needed to go out somewhere. It is also easy enough for me to re-activate again if I need to do any additional work.

What I also like is the audit logging as shown above. Having it all in one place in the PIM console makes it easy for me to verify what has been happening with the process over time.

So in summary, I am using PIM to elevate my normal work account to an escalated level as needed during the day. This means that I don’t have to maintain standing administrator access for the account but I still have the convenience of using it to perform administrator roles as needed.

To set this up for yourself, you’ll need M365 E5 or Azure AD P2 as well as a ‘break-glass’ account. Then you’ll need to configure the roles you wish to escalate to via:

Configure Azure resource role settings in PIM

You can get quite granular here if you wish, but my advice is that you keep it simple to start with and go from there. For me, I just wanted the simple process of becoming a ‘normal’ global administrator.

You can have multiple roles, with different access for different users if you wish. In my case, I’m just focusing on the role of the tenant administrator. As I said, you can also have approvals sent to a third party or parties if you want for an extra level of protection if desired. There lots of settings you can customise with PIM.

Using PIM now gives me extra level of protection when it comes to administration rights. It means my production user isn’t a global administrator by default. I can however, use that same account as a global administrator, by going through a simple automated escalation process that requires MFA for greater security. Additional benefits include that I get great auditing and tracking, I can manually de-activate those rights at any point and those rights will also be automatically de-activated for me after a specified time limit and I also get alerting.

If you want to make your Microsoft 365 environment, especially you administrator logins, more secure then I suggest you take a look at PIM. Even for a small environment like mine, it is great value.

Create a Bing Custom Search

I detailed in a previous article how I had created a custom search:

A dedicated Microsoft Cloud Search Engine

The benefits were that I could target it to a specific set of URL’s to search through when producing a result. It also eliminated many of the commercial elements you see in common search engines. This makes it much cleaner and faster.

The good news is that you too can easily go and create your own custom search. Before you do so however, you will need to have an Azure subscription as there are generally costs that are incurred depending on the functionality you desire. the Custom Search capability is found under Cognitive Services in Azure. However, the easiest way to start creating your own custom search is to visit:

https://www.customsearch.ai/

and sign in with your tenant credentials.

You’ll come to the above screen first. Simply select I agree and then the Agree button below to continue.

You can go through he Welcome messages if you wish.

Next, select the Create new instance button at the bottom of the page.

Give your instance a name (here Demo) and select Ok.

You’ll then end up on the above page where you can input the URLs you wish to have be part of your custom search.

Just keep adding the URL’s you desire. As you do you’ll notice a yellow banner appear at the top of the page as shown above. This is a reminder that you need to Publish your results for them to be visible to others.

When you do elect to publish you will see the above dialog. Press the Publish button to continue.

You should begreeted with a successful result, as shown above. You can return and keep editing the environment or you can select the Go to production environment option.

In the production environment, if you now select the Host UI menu option on the left, the windows on the right will show you a dialog box towards the button as shown above. Copy this URL.

If you Paste this URL into a new browser window, you should see your custom search engine as shown above.

Pretty easy to get going right?

If you navigate to the Azure portal and search for Cognitive services you should see your new Bing CustomSearch as shown above, along with any other services that utilise Cognitive Services (here a Q and A bot).

You can go in here and customise different aspects of your Custom Search, which I’ll cover off in up coming articles. However, hopefully, you see how easy it is to get started creating a Custom Search in Azure. Remember, you can always test out what I have created using this here:

https://bit.ly/ciasearch

Need to Know podcast–Episode 244

Sarah Young from Microsoft joins us again to talk about Azure Sentinel. We run through what it is and why you should be using it to protect your IT environments. Brenton joins us as well to cover off the latest news and certifications he has achieved. Listen in for all the details.

This episode was recorded using Microsoft Teams and produced with Camtasia 2020

Take a listen and let us know what you think – feedback@needtoknow.cloud

You can listen directly to this episode at:

https://ciaops.podbean.com/e/episode-244-sarah-young/

Subscribe via iTunes at:

https://itunes.apple.com/au/podcast/ciaops-need-to-know-podcasts/id406891445?mt=2

The podcast is also available on Stitcher at:

http://www.stitcher.com/podcast/ciaops/need-to-know-podcast?refid=stpr

Don’t forget to give the show a rating as well as send us any feedback or suggestions you may have for the show.

Resources

Sarah Young

@contactbrenton

@directorcia

L400 Sentinel Ninja Training

MS Tech Community Sentinel blog

Sentinel GitHub repo

Sentinel documentation

MS Security Community webinars

Defender ATP for Linux now GA

Defender ATP for Android

OneDrive Roadmap Roundup – May 2020

PowerPoint Live is now generally available

What’s New: Livestream for Azure Sentinel is now released for General Availability

Azure responds to COVID-19

20 updates for Microsoft Teams for Education, including 7×7 video and Breakout Rooms

Outlook for Windows: Signature cloud settings

An easier way to connect using PowerShell

If you visit my Office 365 GitHub repository, you’ll find a whole of scripts there you can use for free. A subset of those scripts are designed to make connecting to the various Microsoft Cloud service easier. For example the script:

https://github.com/directorcia/Office365/blob/master/o365-connect-exov2.ps1

allows you to easily connect to Exchange Online using the version 2 module.

While all of this helps, it can still be a bit trickly for people to know what to run when to get connected. So, with that in mind I have created this script:

https://github.com/directorcia/Office365/blob/master/c.ps1

which when run by simply typing

.\c.ps1

in the PowerShell command line

will now pop up a dialog as shown above and allow you to select which service which wish to connect to.

Even better, you can also select multiple services in this same window. You simply use the CTRL and SHIFT keys to select multiple item, just as you do in any Windows desktop application (like Windows Explorer for files say).

After you have made your selection, those individual service connection scripts will be run.

Of course, the assumption is that you have all of my scripts (including the individual connection scripts) in the same directory. If not, then the connections will not be made. However, if you have ‘cloned’ what I have into a single location on your machine, then you should be all good.

I also created this short script:

https://github.com/directorcia/Office365/blob/master/r.ps1

which you can run at the PowerShell command prompt via:

.\r.ps1

to remove any currently loaded PowerShell sessions as well, quickly and easily.

Hopefully, this new ‘master connection’ script will make it easier for people to connect to the Microsoft Cloud services they need.

Make you you check back regularly to my Github repository for any updates and additions