Configure Azure Lighthouse

Azure Lighthouse:

“enables cross- and multi-tenant management, allowing for higher automation, scalability, and enhanced governance across resources and tenants.”

In essence, it allows you to manage multiple ‘client’ Azure tenants from a single ‘master’ tenant. There is no cost for Azure Lighthouse and it is simple to enable. However, I would caution you to pay close attention to the permissions you assign the ‘master’ tenant inside the ‘client’ tenants and follow the best practice of least privilege security.

You are going to need a few things before you start configuring Azure Lighthouse.

1. A ‘master’ Azure tenant with a paid subscription

2. ‘Client’ Azure tenants with a paid subscription in each

3. For each ‘client’ Azure tenant you will require a login to that tenant that has the Owner built-in role for the subscription being onboarded. Typically, there is only one subscription in an Azure tenant and the initial administrator has that role. You will use this user, inside each ‘client’ tenant, to permit access from the ‘master’ tenant.

4. The Tenant ID of the ‘master’ tenant.

image

You will find that on the front page of the Azure Active Directory blade in the ‘master’ Azure tenant portal as shown above.

5. The Object ID for the controlling entity (user or group) in the ‘master’ Azure tenant. This is basically the individual user or Azure AD security group who you wish to give access rights to the ‘client’ Azure tenants.

image

You will find the Object ID on the front page of that item in Azure AD as shown above. The above example shows this for a single user.

image

The above example is for a group.

6. You now need to decide what permissions you will give this Object ID from the ‘master’ Azure tenant inside the ‘client’ tenants. You can find all the IDs for Azure built-in roles here:

https://docs.microsoft.com/en-us/azure/role-based-access-control/built-in-roles

So, if you want the ‘master’ tenant Object ID to have effectively full rights inside the ‘client’ Azure tenants use:

Contributor – ID = b24988ac-6180-42a0-ab88-20f7382dd24c

Remember, best practice is to follow least privilege and as such if you just want to view Azure Sentinel information in the ‘client’ Azure tenant use:

Azure Sentinel Reader – ID = 8d289c81-5878-46d4-8554-54e1e3d8b5cb

but as I said, be very, very careful about the rights you assign the ‘master’ Object ID inside the ‘client’ tenants.

Once you have all the above information, you’ll need to login to the ‘client’ Azure tenant with the user account in step 3 above (i.e. an owner of the ‘client’ Azure tenant).

In the same browser session open a new tab and navigate to:

https://github.com/Azure/Azure-Lighthouse-samples/

and select the Auto-deployment button in the first row as shown:

image

A custom deployment template should launch

image

and look like the above. Here, select the Subscription and Region appropriate in the ‘client’ Azure tenant. You can put any custom text you wish into the Msp Offer Name and Msp Offer Description field.

Into the Managed by Tenant Id field enter the value you recorded in step 4 above (i.e. the Tenant ID of the ‘master’ Azure tenant).

The Authorizations field needs to be in the format of:

[{"principalId":"ee8f6d35-15f2-4252-b1b8-591358e8a244","roleDefinitionId":"acdd72a7-3385-48ef-bd42-f606fba81ae7","principalIdDisplayName":"PIM_Group"},{"principalId":"ee8f6d35-15f2-4252-b1b8-591358e8a244","roleDefinitionId":"91c1777a-f3dc-4fae-b103-61d183457e46","principalIdDisplayName":"PIM_Group"}]

where the principalId field is the value you obtained in step 5 above (i.e. who in the ‘master’ Azure tenant you want to have rights in the ‘client’ Azure tenant) and roleDefinitionId is the value obtained in step 6 above (i.e. what permissions you want to give inside the ‘client’ Azure tenant). You can assign the principalIdDisplayName field any meaningful text you wish.

As you can see from the example, you can chain multiple permission assignments together. So in this example, let’s say that I want to assign my one user full Contributor rights and a security group only Azure Sentinel Reader rights. The entry would then look like:

[{"principalId":"b75e7296-a058-4000-0000-000000000000","roleDefinitionId":"b24988ac-6180-42a0-ab88-20f7382dd24c","principalIdDisplayName":"User_contributor"},{"principalId":"8d3a5c5a-0d1e-4639-0000-000000000000","roleDefinitionId":"8d289c81-5878-46d4-8554-54e1e3d8b5cb","principalIdDisplayName":"Group_Sentinel_reader"}]

It is very, very important that you get the formatting of the Authorizations field correct. I suggest you compose it in something like Notepad (with word wrap = off) and paste it in. If you see any errors during deployment, double check you have this field EXACTLY correct!
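As an added example (not code from the original post or from the Azure-Lighthouse-samples repository), here is a small Python helper that builds the Authorizations value from Object IDs and role names, and lints a value you are about to paste for the smart-quote and formatting slips that cause the deployment errors mentioned above. The role-name lookup and the BROAD_ROLES flag are this example's own assumptions; the two role IDs are the ones quoted in the post.

```python
import json
import re
import uuid

# Role definition IDs quoted in the post; extend from the built-in roles page.
BUILTIN_ROLES = {
    "Contributor": "b24988ac-6180-42a0-ab88-20f7382dd24c",
    "Azure Sentinel Reader": "8d289c81-5878-46d4-8554-54e1e3d8b5cb",
}
# Roles the post describes as "effectively full rights" in the client tenant (assumption).
BROAD_ROLES = {"Contributor"}
SMART_QUOTES = re.compile("[\u201c\u201d\u2033\u2018\u2019]")


def build_authorizations(assignments):
    """assignments: (principal object ID, role name, display name) tuples.
    Returns the compact single-line JSON the Authorizations field expects."""
    auths = []
    for principal_id, role_name, display_name in assignments:
        if role_name not in BUILTIN_ROLES:
            raise ValueError(f"unknown role: {role_name}")
        auths.append({
            "principalId": str(uuid.UUID(principal_id)),  # raises on a malformed GUID
            "roleDefinitionId": BUILTIN_ROLES[role_name],
            "principalIdDisplayName": display_name,
        })
    return json.dumps(auths, separators=(",", ":"))


def lint_authorizations(text):
    """Check a value about to be pasted into the template. Returns a list of
    findings; an empty list means the field is well formed and least-privilege."""
    if SMART_QUOTES.search(text):
        return ["smart quotes present; the template needs straight \" quotes"]
    try:
        auths = json.loads(text)
    except json.JSONDecodeError as exc:
        return [f"not valid JSON: {exc.msg} at offset {exc.pos}"]
    role_by_id = {v: k for k, v in BUILTIN_ROLES.items()}
    findings = []
    for i, entry in enumerate(auths):
        if not isinstance(entry, dict):
            findings.append(f"entry {i}: not an object")
            continue
        for key in ("principalId", "roleDefinitionId", "principalIdDisplayName"):
            if key not in entry:
                findings.append(f"entry {i}: missing {key}")
        for key in ("principalId", "roleDefinitionId"):
            try:
                uuid.UUID(str(entry.get(key, "")))
            except ValueError:
                findings.append(f"entry {i}: {key} is not a GUID")
        role = role_by_id.get(entry.get("roleDefinitionId"))
        if role in BROAD_ROLES:
            findings.append(f"entry {i}: grants {role}; confirm least privilege")
    return findings
```

Run the linter over the exact text you intend to paste; a Contributor finding is a prompt to re-check the least-privilege point made earlier, not an error.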

image

Once you have entered all the information, select the Review + create button at the bottom of the screen.

Your options will then be validated, and if passed, select the Create button at the bottom of the screen.

image

You should then see the deployment commence as shown above. The deployment will take a few minutes to complete, after which it takes at least another 15 minutes for the Azure Lighthouse configuration to appear in the ‘master’ and ‘client’ tenants, so be patient.

image

After the 15 minutes, navigate to Azure Lighthouse in the ‘client’ tenant and look at Service provider offers as seen above. This basically tells you that this ‘client’ tenant has a single delegation (i.e. it is connected to one ‘master’ Azure tenant).

image

Now head over to the ‘master’ Azure tenant and view Azure Lighthouse there, but look at the My customers then Customers option as seen above. Here you should see the ‘client’ Azure tenant just added to the current ‘master’ Azure tenant. Again remember, this takes around 15 minutes to appear once configured.

Congratulations, you have successfully used Azure Lighthouse to link a ‘client’ Azure tenant to a ‘master’ Azure tenant. Look out for upcoming articles on what you can now do once you have enabled Azure Lighthouse.

Register your interest for a hands on, deep dive Microsoft 365 Security event


If you are interested in attending a hands-on, in-person, 2-day deep dive event into Microsoft Security including:

– Exchange Online

– Windows 10 hardening

– Effective incident monitoring

– Identity security

– Data protection

and more, then I encourage you to register your interest now for CIAOPS Secwerks 1 in Melbourne CBD over 2 days, Thursday the 5th and Friday the 6th of August 2021. I expect demand to be extremely high for this event and I will have more to share when I have confirmed all the details. However, feel free to reach out to me if you want more information. Please register your interest here to be kept up to date with the event:

http://bit.ly/ciaopsroi

The theme of this event will be to help you understand all the technologies that the Microsoft Cloud provides, how to configure them appropriately and get your Microsoft Secure Score above 80%. The material covered will be technical and will cover all the basics but then extend beyond Level 400. The course is specifically designed for those who need to provide security for environments connected to Microsoft 365.

I hope to see you there.

Need to Know podcast–Episode 267

I speak with Aaron Dinnage from Microsoft, who is the author of the great licensing resource Microsoft 365 maps. Aaron shares the history of this project and what it takes to update it every month. We also get some great insights and suggestions when it comes to Microsoft 365 licensing.

This episode was recorded using Microsoft Teams and produced with Camtasia 2020.

Brought to you by www.ciaopspatron.com

Take a listen and let us know what you think – feedback@needtoknow.cloud

You can listen directly to this episode at:

https://ciaops.podbean.com/e/episode-267-aaron-dinnage/

Subscribe via iTunes at:

https://itunes.apple.com/au/podcast/ciaops-need-to-know-podcasts/id406891445?mt=2

The podcast is also available on Stitcher at:

http://www.stitcher.com/podcast/ciaops/need-to-know-podcast?refid=stpr

Don’t forget to give the show a rating as well as send us any feedback or suggestions you may have for the show.

Resources

Aaron Dinnage – Linkedin, Twitter

https://m365maps.com/

https://m365maps.com/guide.htm

Office 365 Platform Service Descriptions

Microsoft Teams now brings family and friends together to call, chat, and make plans

OneDrive Roadmap Roundup

Announcing Public Preview of OneDrive Sync Admin Reports

New Azure AD Capabilities for Conditional Access and Azure VMs

Introducing Webinars in Microsoft Teams: Easy, professional webinars to engage customers

A fluent new look for the Azure icon

Business email compromise: How Microsoft is combating this costly threat

Forrester names Microsoft a Leader in the 2021 Enterprise Email Security Wave

Connect to SharePoint PnP using PowerShell

The SharePoint PnP module is a handy way to get access to more granular aspects of SharePoint Online that the standard administration modules don’t expose. You’ll find more details about the module here:

PnP PowerShell

image

I’ve created a free script to allow you to connect to SharePoint Online PnP that supports MFA logins. You’ll find the script here:

https://github.com/directorcia/Office365/blob/master/o365-connect-pnp.ps1

When you run this script it will firstly connect to Microsoft Online so it can determine the correct name of your tenant. Next, it will use this to connect to the SharePoint Online administration service to determine all the SharePoint sites you have in your tenant. It will then allow you to select from a list of all these sites, after which it will connect to your selection using SharePoint PnP.

image

The first time a connection is made to SharePoint PnP it will require you to accept a swag of permissions as shown above. These are required to allow SharePoint PnP to perform its administration role, so you’ll need to accept them. You’ll only need to do this once for each user that needs to use SharePoint PnP PowerShell.

Once connected you can perform any of the SharePoint PnP commands:

SharePoint PnP commands documentation

The case of the missing Azure Sentinel ingested data

image

Recently, I have seen my Azure Sentinel overview look like the above. I was puzzled why I had so many hours without any data being ingested. In short, it turned out that I had exceeded my storage tier capacity. Here’s where to look if you see something similar.

image

From the menu on the left of the Azure Sentinel workspace scroll to the bottom and select Settings as shown. Then from the pane that appears on the right select Workspace settings at the top as shown.

image

This will take you to the Azure Log Analytics workspace that underpins Sentinel. From the menu on the left here select Usage and estimated costs. Note what is highlighted on the right under the Free pricing tier I was using:

(The log data ingestion includes the 500 MB/VM/day data allowances from Azure Security Center.)

That is the limit for my current tier. Any data over that quota was simply not being ingested, and no ingested data means nothing recorded in the Sentinel overview report.

image

If you select the Daily cap button at the top of the page, more information appears on the right as shown.

image

The two important things to note are that the daily volume cap is 0.5 GB/day and that the limit is reset at 2am UTC (12pm Sydney time).

image

When I checked the Workspace Pricing tier details, shown above, there is indeed a daily cap of 512MB.

image

Then when I looked at the overview report in Sentinel I could see that data did indeed start being ingested again at 12pm local time (2am UTC) as expected.

image

So the next question was, how much is it going to cost me to avoid this situation and ingest all my data? Looking at the Pay-as-you-go pricing tier I see the estimated cost per month would only be AU$4.79. Easy choice. SELECT.

image

The important thing to remember with this ingested data is that you always get the initial 512MB per day free. Above that, no data is captured unless you upgrade your pricing tier. But then you’ll only pay for the amount above the 512MB per day, which in my case was only about 34MB per day on average.
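To make the cap behaviour described above concrete, here is an added Python model (not from the original post) that applies a 512 MB daily cap with a 2am UTC reset to hourly ingestion figures, reports what would be silently dropped in each window, and works out the average overage that Pay-as-you-go would bill for. The sample readings and the fixed AEST offset used for the Sydney reset time are constructed assumptions.

```python
from datetime import datetime, timedelta, timezone

DAILY_CAP_MB = 512.0   # free-tier cap from the post (shown in the portal as 0.5 GB/day)
RESET_HOUR_UTC = 2     # the cap resets at 2am UTC
AEST = timezone(timedelta(hours=10), "AEST")  # constructed: Sydney offset outside DST


def cap_window_start(ts_utc):
    """The 02:00 UTC instant that opens the cap window containing ts_utc."""
    start = ts_utc.replace(hour=RESET_HOUR_UTC, minute=0, second=0, microsecond=0)
    return start - timedelta(days=1) if ts_utc < start else start


def apply_daily_cap(records, cap_mb=DAILY_CAP_MB):
    """records: (UTC datetime, MB) pairs in time order.
    Models the hard cap: once a window's ingested total reaches cap_mb,
    everything else offered in that window is dropped until the next reset.
    Returns {window_start: {"offered", "ingested", "dropped"}} in MB."""
    windows = {}
    for ts, mb in records:
        w = windows.setdefault(cap_window_start(ts),
                               {"offered": 0.0, "ingested": 0.0, "dropped": 0.0})
        taken = min(mb, max(cap_mb - w["ingested"], 0.0))
        w["offered"] += mb
        w["ingested"] += taken
        w["dropped"] += mb - taken
    return windows


def average_overage_mb(windows, cap_mb=DAILY_CAP_MB):
    """Average MB/day above the free allowance: the volume Pay-as-you-go bills for."""
    if not windows:
        return 0.0
    return sum(max(w["offered"] - cap_mb, 0.0) for w in windows.values()) / len(windows)


def next_reset_local(now_utc_iso, tz=AEST):
    """ISO timestamp of the next reset in local time (2am UTC is 12pm Sydney)."""
    now = datetime.fromisoformat(now_utc_iso)
    return (cap_window_start(now) + timedelta(days=1)).astimezone(tz).isoformat()


# Constructed sample: one full cap window of hourly readings at 22.75 MB each,
# 546 MB offered against the 512 MB cap (34 MB over, like the post's average).
SAMPLE = [(datetime(2021, 4, 20, 2, tzinfo=timezone.utc) + timedelta(hours=h), 22.75)
          for h in range(24)]

if __name__ == "__main__":
    result = apply_daily_cap(SAMPLE)
    for start, w in sorted(result.items()):
        print(start.isoformat(), w)
    print("average overage MB/day:", average_overage_mb(result))
    print("next reset in Sydney:", next_reset_local("2021-04-20T12:00:00+00:00"))
```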

image

A good way to keep track of this sort of data, before it becomes an issue as it did for me, is to use the Workspace usage report workbook, which you can access from the Sentinel console as shown above.

image

Here you’ll see everything you need to keep on top of this total data you are ingesting and where it is coming from.

The reason I’m ingesting so much data is that I’m pulling security events from local devices. Most Microsoft cloud services include free ingestion, which is the place you should start. However, I had added a number of demo devices to my tenant which pushed me over the free 512MB limit. Most people should be able to stay well below this quota by default, at least to start with. However, if you ever need to upgrade, like I have, it’s still cheap for what it provides!

All the Defenders–Updated


A while back I wrote an article on All the Microsoft Defender products. It’s now time to update that since much has changed in that short time period.

Microsoft unfortunately has quite a few products under the ‘Defender’ banner, which I see causing confusion out there. Most believe that ‘Defender’ is only an anti-virus solution, but that could not be further from the case. Hopefully, I can show you here how broad the ‘Defender’ brand is and give you a basic idea of what each ‘Defender’ product is.

To start off with there are products that are considered ‘Windows Defender’ products, although I see the Windows and Microsoft brands intermingled regularly. Here is a list of specific ‘Windows Defender’ products, typically tied to Windows 10 devices, and typically only available with Windows 10 Enterprise, but not always:

Windows Defender Application Control – WDAC was introduced with Windows 10 and allows organizations to control what drivers and applications are allowed to run on their Windows 10 clients.

Windows Defender Firewall – By providing host-based, two-way network traffic filtering for a device, Windows Defender Firewall blocks unauthorized network traffic flowing into or out of the local device.

Windows Defender Exploit Guard – Automatically applies a number of exploit mitigation techniques to operating system processes and apps.

The four components of Windows Defender Exploit Guard are:

  • Attack Surface Reduction (ASR): A set of controls that enterprises can enable to prevent malware from getting on the machine by blocking Office-, script-, and email-based threats
  • Network protection: Protects the endpoint against web-based threats by blocking any outbound process on the device to untrusted hosts/IP through Windows Defender SmartScreen
  • Controlled folder access: Protects sensitive data from ransomware by blocking untrusted processes from accessing your protected folders
  • Exploit protection: A set of exploit mitigations (replacing EMET) that can be easily configured to protect your system and applications

Windows Defender Credential Guard – Uses virtualization-based security to isolate secrets so that only privileged system software can access them.

Windows Defender System Guard – Reorganizes the existing Windows 10 system integrity features under one roof and sets up the next set of investments in Windows security. It’s designed to make these security guarantees:

  • Protect and maintain the integrity of the system as it starts up

  • Validate that system integrity has truly been maintained through local and remote attestation

In contrast, here are the ‘Microsoft Defender’ products many of which have been re-branded lately:

image

Microsoft 365 Defender – (the overarching service which includes the other Defender services) is a unified pre- and post-breach enterprise defense suite that natively coordinates detection, prevention, investigation, and response across endpoints, identities, email, and applications to provide integrated protection against sophisticated attacks.

Microsoft Defender for Office 365 – (previously Office 365 ATP) Safeguards your organization against malicious threats posed by email messages, links (URLs), and collaboration tools.

Microsoft Defender for Identity – (previously Azure ATP) Cloud-based security solution that leverages your on-premises Active Directory signals to identify, detect, and investigate advanced threats, compromised identities, and malicious insider actions directed at your organization.

Azure Defender – (previously Azure Security Center) Provides security alerts and advanced threat protection for virtual machines, SQL databases, containers, web applications, your network, and more. It includes:

Microsoft Defender for Endpoint – (previously Defender ATP) an enterprise endpoint security platform designed to help enterprise networks prevent, detect, investigate, and respond to advanced threats especially on user devices like desktops, laptops and mobiles.

Microsoft Defender SmartScreen – protects against phishing or malware websites and applications, and the downloading of potentially malicious files.

Microsoft Defender Antivirus – Brings together machine learning, big-data analysis, in-depth threat resistance research, and the Microsoft cloud infrastructure to protect devices in your organization.

Microsoft Defender Application Guard – helps to isolate enterprise-defined untrusted sites, protecting your company while your employees browse the Internet.

Microsoft Defender Security Center – is the portal where you can access Microsoft Defender Advanced Threat Protection capabilities. It gives enterprise security operations teams a single pane of glass experience to help secure networks.

Microsoft Defender Browser Protection – a browser extension for non-Microsoft browsers that helps protect you against online threats, such as links in phishing emails and websites designed to trick you into downloading and installing malicious software that can harm your computer.

So, as you can see, there are quite a lot of ‘Defender’ products out there from Microsoft. How and when you get each of these varies greatly, as do their capabilities, although most will integrate together. That, however, is beyond the scope of this article but may be something I explore in upcoming articles.

For now, just be careful to investigate what is actually meant when it says ‘Defender’ in the Microsoft space!