CIA Brief – 231104

Here’s all the Microsoft Cloud news I have come across this week.

Microsoft Defender Monthly news – November 2023 – https://techcommunity.microsoft.com/t5/microsoft-365-defender-blog/monthly-news-november-2023/ba-p/3970796

Microsoft Entra ID Governance licensing for business guests – https://techcommunity.microsoft.com/t5/microsoft-entra-azure-ad-blog/microsoft-entra-id-governance-licensing-for-business-guests/ba-p/3575579

Copilot in Outlook | Manage your inbox –

https://www.youtube.com/watch?v=PSTSOyBccnY

Copilot in Word | Locate key information –

https://www.youtube.com/watch?v=hxc5t3AfpKo

Copilot in Word | Transform a document –

https://www.youtube.com/watch?v=Tx0IbvgI4NA

Announcing Microsoft Secure Future Initiative to advance security engineering –

https://www.microsoft.com/en-us/security/blog/2023/11/02/announcing-microsoft-secure-future-initiative-to-advance-security-engineering/

Copilot in Excel | Be more analytical –

https://www.youtube.com/watch?v=9K5EptYm-B4

Copilot in Word | Gain focus time –

https://www.youtube.com/watch?v=KzOxnZBDbwQ

Latest updates to Microsoft 365 Migration Manager –

https://www.youtube.com/watch?v=C-MbzTrZJ0A

A new world of security: Microsoft’s Secure Future Initiative –

https://blogs.microsoft.com/on-the-issues/2023/11/02/secure-future-initiative-sfi-cybersecurity-cyberattacks/

Copilot for work –

https://www.microsoft.com/en-us/microsoft-365/copilot-for-work

HDFC Bank uses the Microsoft Power Platform to lead digital transformation –

https://www.youtube.com/watch?v=seD7BapZeMA

Copilot in Excel | Identify key insights –

https://www.youtube.com/watch?v=OmbIJv0WY0I

Copilot in Word | Get a head start –

https://www.youtube.com/watch?v=H5tDkC2dOj8

Microsoft 365 Business Premium now comes with 100 print jobs per user –

[MC682087 · Published Oct 17, 2023]: Organizations with Microsoft 365 Business Premium licenses will receive one hundred (100) print jobs per license per month starting on November 14, 2023. Today, Microsoft 365 Business Premium customers receive five (5) print jobs per license per month. These print jobs are refreshed every month and are pooled, so all licensed employees can use them. This change is similar to the April 2023 extension of print jobs per license for Microsoft 365 E3 and E5 organizations.

OneDrive Quickstart Guide –

https://adoption.microsoft.com/files/onedrive/Microsoft-OneDrive-quick-start-guide.pdf

Microsoft Security Copilot Demo: Defend at Machine Speed –

https://www.youtube.com/watch?v=psWW3g1CJvY

Storing data for thousands of years | Microsoft Project Silica – https://www.youtube.com/watch?v=-rfEYd4NGQg

What’s new for IT pros in Windows 11, version 23H2 –

https://techcommunity.microsoft.com/t5/windows-it-pro-blog/what-s-new-for-it-pros-in-windows-11-version-23h2/ba-p/3967814

The Defender’s Watch: Disrupting Attacks in Real Time – https://info.microsoft.com/ww-thankyou-the-defenders-watch-episode-4.html?LCID=EN-US

Windows passwordless experience expands – https://techcommunity.microsoft.com/t5/windows-it-pro-blog/windows-passwordless-experience-expands/ba-p/3962005

What’s new in Microsoft Intune (2310) October edition – https://techcommunity.microsoft.com/t5/microsoft-intune-blog/what-s-new-in-microsoft-intune-2310-october-edition/ba-p/3964074

If you found this valuable, then I’d appreciate a ‘like’. This helps me know that people enjoy what I have created. If you have any feedback or suggestions around this, I’m all ears.

Watch out for the next CIA Brief next week.

Create a new Azure Key Vault

Given that a number of upcoming articles will discuss Azure Key Vaults, I thought a good place to start was to show you how to set one up. It is pretty easy, so let’s do it!

image

You’ll need a paid Azure subscription and administrator access to your Azure portal.

In the Azure portal, search for Key Vaults as shown and select Key Vaults from the results.

image

Then select the option to Create a new vault as shown above.

image

Complete the details for the vault, including:

– Azure subscription

– Resource group

– Key vault name

– Region

– Pricing tier

Most of the other options can be left at their defaults. Select the Next button at the bottom of the window to continue.

image

In this case the default Permissions model of Azure role-based access control is the desired setting.

Generally, no further changes are required. Select Next at the bottom of the window to continue.

image

Typically, no changes need to be made here as we will want this new vault to be available publicly via something like PowerShell. However, you can make whatever changes you desire and select the Next button at the bottom of the screen to continue.

image

Add tags if you wish and then select the Next button at the bottom of the window.

image

Review the settings you have made and select the Create button.

image

You should now see the new vault being provisioned as shown above.

image

When the provisioning completes, you can select the option to view the result as shown above.

image

You can return to your new vault at any time by navigating to Key Vaults in the Azure portal where you should see the vault just created as shown above.

image

I’d also suggest you check some permissions before you leave. Open the newly created vault and select Secrets from the menu on the left. If you see the banner across the top, as shown above, that reads This operation is not allowed by RBAC, then you’ll probably need to change some permissions.

image

Navigate to the Access Control (IAM) option from the menu on the left as shown above. Then on the right select +Add.

image

From the menu that appears select the Add role assignment as shown above.

image

Locate and select the Key Vault Administrator job function role as shown.

Select Next at the bottom of the screen to continue.

image

Click the +Select members hyperlink as shown above.

From the window that appears on the right, search for the user whom you want to have rights over the vault (typically the same user that is currently logged in). Press the Select button at the bottom of the window to continue.

image

The selected user(s) should now appear under the Members section as shown above.

Press the Next button to continue.

image

Select the Review + assign button at the bottom of the screen to complete the process.

image

If you now return to the Secrets area that displayed the original RBAC warning, after a minute or two, you should see that the message is no longer displayed. The user that you just added now has administrative rights to the vault.

If you want to learn more about what Azure Key Vaults are all about take a look at:

Azure Key Vault basic concepts

However, in essence they are the go-to place to store stuff you want kept secure, like configuration details, including passwords, and then access them programmatically.

CIA Brief is coming

For a long while I used Power Automate to push out interesting stories around the Microsoft Cloud I found to Twitter (X now). Unfortunately, X changed the pricing of their API which made it prohibitively expensive to continue with this approach.

Given this, I’ve been thinking about what would be a suitable replacement. I initially considered an email list, as that is what all the cool kids do, but I also needed a process that was simple and easy for me, especially if I was going to do something weekly. The problem using a bulk email system like Mailchimp, is that I would need to format each blast using the Mailchimp website as well as send it from there. If I planned to do a weekly update of links I have found, that becomes time consuming and inconvenient, especially if I’m travelling.

Another reason I have not opted for an email list is that I am already on plenty that send updates weekly and honestly I don’t find that it is a very effective mechanism. Yes, I do read them all and yes, they provide value but I tend to put off reading them and deal with more important things in my inbox. I kind of need to be in the ‘mood’ to sit there and read through all the information and if I’m not then they tend to ‘backup’ as a to-do item.

I also considered doing a video update and posting it on YouTube as many others do. The downside to this method is it is a huge amount of work behind the scenes. My experience is also that a video of a whole bunch of screen shots or text really doesn’t appeal to people because when I tried it a while back by posting my podcasts with this content, the number of views simply didn’t reach acceptable minimums for the amount of invested effort.

Thus, I ruled out setting up an email list or using a video update, as well as a few other methods, and instead have favoured posting the information here on my blog. The benefit of this is that it will be easy for me to quickly copy, paste and post the collection of stuff I find weekly. For those that do want emails there is the option to subscribe to my blog via email if you wish. The blog method however means you can simply read the post without having to give up your email if you choose and not have additional emails in your inbox, which is always a good thing. I also like that it will be searchable and publicly available.

I have created a tag on my blog called ‘CIA Brief’ which allows you to filter by just that tag. For example the feed will be:

https://blog.ciaops.com/tag/CIA-Brief/

That means you can simply follow the items I post with this tag to get the list of information I plan to post.

image

The ask I have of those that find value in the CIA Brief is to Like the post, as shown above at the bottom of each post. This way I know that the information is of value to people and provides an incentive for me to continue producing it. If you can Like each CIA Brief you see that would be very much appreciated.

Of course, I also welcome your feedback about how to make this concept even more valuable to people. I want something that is quick and easy to view on a weekly basis that will keep you up to date with the Microsoft Cloud. If you have any suggestions or feedback then I’m all ears.

That is the why and wherefores done. Stay tuned for the first CIA brief at the end of this week.

CIAOPS Need to Know Microsoft 365 Webinar – October

Join me for the free monthly CIAOPS Need to Know webinar. Along with all the Microsoft Cloud news we’ll be taking a look at OneDrive for Business.

Shortly after registering you should receive an automated email from Microsoft Teams confirming your registration, including all the event details as well as a calendar invite.

You can register for the regular monthly webinar here:

October Webinar Registrations

(If you are having issues with the above link copy and paste – https://bit.ly/n2k2310)

The details are:

CIAOPS Need to Know Webinar – October 2023
Tuesday 31st of October 2023
11.00am – 12.00am Sydney Time

All sessions are recorded and posted to the CIAOPS Academy.

The CIAOPS Need to Know Webinars are free to attend but if you want to receive the recording of the session you need to sign up as a CIAOPS patron which you can do here:

http://www.ciaopspatron.com

or purchase them individually at:

http://www.ciaopsacademy.com/

Also feel free at any stage to email me directly via director@ciaops.com with your webinar topic suggestions.

I’d also appreciate you sharing information about this webinar with anyone you feel may benefit from the session and I look forward to seeing you there.

Monitoring a break glass account with Sentinel

In a previous article I covered off how to use Defender for Cloud Apps to monitor a break glass account. Typically, the alerts generated there will feed into Sentinel, however it is possible to configure Sentinel to perform a similar role.

The starting point is to use a KQL query like this:

SigninLogs
| where UserPrincipalName == "breakglass@domain.com"
| where OperationName == "Sign-in activity"
| project TimeGenerated, UserPrincipalName, ClientAppUsed, LocationDetails

image

If you run that query manually you’ll see a result like that shown above. You will however also notice a New alert rule option in the top right of the window.

image

Selecting this will reveal two choices as shown above. Select Create Microsoft Sentinel alert to continue.

image

Make the appropriate settings in the General page, like those shown above, and continue.

image

Here there are a number of settings you can select but you will probably want to adjust how often the query is run as shown above. The important point to remember is that, as Azure is a consumption based billing model, there is a (very, very small) charge every time the query is run. Thus, the more often it runs the more it will cost.

When you have completed this section, move onto the Incident settings.

image

Here it is important to ensure that the option to Create incidents is Enabled as shown above.

Make any additional adjustments and move to Automated response.

image

Here you can enable any automation action you wish by selecting from those already created, as shown above. You can always add additional automation later if desired.

image

Finally, review and create the alert.

image

Verify that the alert you just created now appears in the list of Analytic rules for your environment as shown above.

image

If you now test this by logging in as your breakglass account you should see an incident generated as shown above. Once again, it is important to remember that this incident doesn’t appear immediately. It will appear in a time period based on how often you set the alert to check.

Another important thing to remember is that by default, the incident will not send an email notification of the alert. You can configure that a variety of different ways if you wish, which I won’t cover here.

The difference with using Sentinel for custom alerts is that the billing is consumption based, but you have a lot more flexibility in how you configure the actual alerts as well as any automated response if desired. I would also say that Sentinel has more power around actually analysing signals as well, which is handy to protect your breakglass account.
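The starting query in this article matches the UPN case-sensitively and reads only the interactive SigninLogs table. The following is an added example, not part of the original article: it matches the UPN case-insensitively, also covers non-interactive sign-ins, and labels failed attempts. The two sample tables and every row in them are constructed stand-ins so the query runs in any workspace; breakglass@domain.com is the article's placeholder account.

```kusto
// Added example. SampleSigninLogs and SampleNonInteractive are constructed stand-ins
// for SigninLogs and AADNonInteractiveUserSignInLogs; all rows are made-up sample data
// using documentation IP ranges.
let BreakGlassUpn = "breakglass@domain.com";   // the article's placeholder account
let SampleSigninLogs = datatable(TimeGenerated:datetime, UserPrincipalName:string,
                                 ResultType:string, IPAddress:string,
                                 AppDisplayName:string, ClientAppUsed:string)
[
    // Successful sign-in, UPN recorded with different casing
    datetime(2023-10-20 01:02:03), "BreakGlass@domain.com", "0",     "203.0.113.10", "Azure Portal", "Browser",
    // Failed attempt against the break glass account (non-zero ResultType)
    datetime(2023-10-20 01:05:00), "breakglass@domain.com", "50126", "198.51.100.7", "Azure Portal", "Browser",
    // Unrelated user, must not match
    datetime(2023-10-20 01:06:00), "alice@domain.com",      "0",     "203.0.113.10", "Office 365",   "Browser"
];
let SampleNonInteractive = datatable(TimeGenerated:datetime, UserPrincipalName:string,
                                     ResultType:string, IPAddress:string,
                                     AppDisplayName:string, ClientAppUsed:string)
[
    // Token activity on behalf of the account, never written to SigninLogs
    datetime(2023-10-20 01:30:00), "breakglass@domain.com", "0", "203.0.113.10", "Microsoft Azure PowerShell", "Mobile Apps and Desktop clients"
];
union
    (SampleSigninLogs     | extend SignInKind = "Interactive"),
    (SampleNonInteractive | extend SignInKind = "NonInteractive")
// =~ is the case-insensitive string comparison; == would miss the first row
| where UserPrincipalName =~ BreakGlassUpn
// ResultType "0" is a successful sign-in; anything else is an error code
| extend Outcome = iff(ResultType == "0", "Success", "Failure")
| project TimeGenerated, SignInKind, UserPrincipalName, Outcome, ResultType,
          IPAddress, AppDisplayName, ClientAppUsed
| order by TimeGenerated asc
```

To run it against real data, replace the two sample tables with SigninLogs and AADNonInteractiveUserSignInLogs; the second table is only populated if non-interactive sign-in logs are being sent to the workspace.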



Monitoring a break glass account with Defender for Cloud Apps

It is a very good thing to have a breakglass account in your environment. I have spoken about this in depth in an episode of my podcast:

Need to Know podcast – Episode 310

The challenge can be ensuring you know if and when this account is used because it typically has less protection associated with it than normal accounts in the environment.

One way to achieve this is to use Defender for Cloud Apps, which can be found by navigating to:

https://security.microsoft.com

to generate alerts when the account logs into the environment.

image

On the left hand menu of the Microsoft Security Center for your tenant expand the Policies option under the Cloud apps heading, and select the Policy management item.

Now select the +Create policy menu item on the right as shown above.

image

From the drop down that appears, select Activity policy as shown above.

image

Give the new policy a Name and Description. Select the Policy severity and the Category.

Select the option to Act on: Single activity.

In the Activities matching all of the following select:

Activity Type equals Log on

then add another filter and select:

User Name equals breakglassaccount@domain.com as Any role

as shown above. This in essence will trigger an alert whenever the breakglass account logs into the environment.

image

Configure the Alerts and Governance actions to suit your requirements. At a minimum you probably want the alert to be emailed to an external address. You can also build a Power Automate Flow from this if you wish.

Save the new policy.

image

Locate the policy just created in the list (you can sort using the Modified column if necessary). Select the ellipsis (three dots) to the right of the policy entry and from the menu that appears, select View all matches as shown above.

Ensure you test the policy by logging into your breakglass account.

image

This will now show all the matches in your environment as shown above. It is also recommended that you Save as so you can easily return to these results if needed in the Activity log.

image

If you have also set up Sentinel, the alert should also flow into here as shown above. More automation and alert options are available here if needed.

The most important thing to remember is that any alert generated by the login of your breakglass account will NOT be immediate! It should however appear within a few minutes of the action taking place and then a little while after in Sentinel as it flows through the logging process.

There is more that can be done with this process, but this should get you started protecting your breakglass account.

Copilot appearance for SMB will require patience

Microsoft has announced that Copilot will be available on November the 1st 2023. Unfortunately, Microsoft is only targeting the initial release at enterprises as revealed in a document titled:

Microsoft 365 Copilot General Availability FAQ for partners. In essence it says:

Availability will be worldwide, in the public clouds, and customers will be able to transact via the EA/EAS/MCA-E channels.

The document also addresses the question:

Why are we not making the SKU available in Direct and CSP channels?

Microsoft 365 Copilot is an amazing new technology, but we are all learning together. To ensure a smooth integration process, we’ve decided to start by introducing it to our Enterprise and SMC-Corporate customers via EA/EAS/MCA-E.

There will also be minimum purchase requirements, also highlighted in the document:

Is there a minimum number of seats customers should buy?

Yes, customers must buy at least 300 seats of Microsoft 365 Copilot.

It is disappointing to see many claim, even some well respected identities in the SMB space, that Microsoft is not delivering Copilot to SMB. The reality is that the SMB space has always had to wait for technologies to trickle down and Copilot will be no different.

As I understand it, Copilot and AI in general, places a lot more load on the back end servers and much of this cannot be cached like normal searching can. Also, Microsoft doesn’t have a true indication of the load users will place on cloud infrastructure when it starts to be used in production. They therefore want to bring this load on in a controlled manner to avoid failure, which would not be good or profitable for a new service like Copilot.

Thus, there are many technical and business reasons for limiting the roll out of Copilot to the customers. There is significant demand in all areas for the technology but it needs to both prove itself and pay its way before it is widely adopted. That means that those in SMB are going to wait a little longer before it becomes available as a direct purchase. It does not mean that Microsoft won’t be delivering to all audiences, it just means people will need to be patient.

I would point you back to the features that have been added to Microsoft Business Premium over time. At the release of this product it didn’t include technologies like Entra ID P1 or Defender for Business. However, they did come to the product. Perhaps they didn’t arrive as soon as people would have liked but they did arrive and we are reaping the benefits today.

There is no doubt that the demand for Copilot is significant. There is no doubt that it will benefit the SMB market. However, it is incorrect to say Copilot will not be available for the SMB market. It will just require a little patience for it to become available, which to be honest is probably a good thing to let others work the kinks out.