Wednesday, 31 August 2022

Your file server in the cloud - What is Azure Files?

Azure Files provides fully managed file shares in the cloud, accessible via SMB as well as via NFS.

Azure Files offers all the features expected of a modern file server: encryption in transit and at rest, soft delete, backup and recovery, and monitoring by Microsoft Defender for Storage. A search capability can also be implemented via Azure Cognitive Search and the Azure Files indexer. This makes the solution an interesting alternative to the classic file server located in a data center.
SMB file shares in Azure Files can be accessed from Windows, Linux, and macOS clients. NFS shares are available for access from Linux or macOS clients. SMB file shares in Azure Files can also be cached on Windows servers in your own data center using Azure File Sync, which ensures fast access to large files.

Key benefits

  • Shared access: Azure Files supports both the SMB and NFS standard protocols. This makes it easy to replace local file servers with Azure Files without worrying about application compatibility.
  • Complete management: Azure Files can be set up without having to worry about hardware or operating systems. Security upgrades and hardware failures are no longer an ongoing concern.
  • Scripts and tools: PowerShell cmdlets and the Azure CLI can be used to manage Azure Files. The Azure Portal or Azure Storage Explorer can also be used for management.
  • Resilience: Azure Files is designed from the ground up as a highly available solution. Unlike on-premises file servers, fail-safe power or networking is not something you have to provide yourself.
  • Access via code: Applications running in Azure can access data in Azure Files via file system I/O APIs. Developers can therefore use their existing code and skills to migrate existing applications. In addition to file system I/O APIs, the Azure Storage client libraries or the Azure Storage REST API can also be used.

Typical use cases of Azure Files

  • Replace or extend local file servers: Azure Files can replace or extend local file servers or NAS systems. Common operating systems such as Windows, macOS, and Linux can mount Azure Files directly. SMB file shares in Azure can be replicated to Windows servers (either on-premises or in the cloud) via Azure File Sync to provide high-performance, distributed caching of large files at the point of use. With the current release of Azure Files AD authentication, SMB file shares in Azure can continue to use the on-premises AD instance for access control.
  • Lift & Shift Applications: Azure Files simplifies Lift & Shift projects to the cloud for applications where file shares are expected to store data. Azure Files enables not only the classic Lift & Shift scenario, where both the application and its associated data are moved to Azure, but also the Lift & Shift hybrid scenario, where the application data is moved to Azure Files and the application continues to run locally.

Indexer in Azure - Cognitive Search for Azure Files

An indexer in Azure Cognitive Search is a crawler that extracts content from cloud data sources and creates a search index using field-to-field mappings between source data and a search index. This approach is also known as the "pull model" because the search service retrieves data without writing any code. Indexers can be run on demand or on a schedule for regular data updates.

Besides common file formats such as the Microsoft Office formats and PDF, the following formats are also supported by the indexer: CSV, EML, EPUB, GZ, HTML, JSON, KML, ODT, ODS, ODP, TXT, RTF, XML, ZIP.

Microsoft Defender for Storage & Azure Files

Microsoft introduced protection for Azure Storage covering Azure Files and the Azure Data Lake Storage Gen2 API in 2020. Advanced Threat Protection for Azure Storage provides an additional layer of security intelligence that raises alerts when unusual and potentially malicious activity is detected.
These security alerts are integrated with Azure Security Center and are also emailed to subscription administrators. They include details about the suspicious activity and recommendations on how to investigate and remediate the threat.

Wednesday, 30 March 2022

Microsoft Sentinel for Teams

Microsoft Sentinel can be used to monitor Teams via the Microsoft Teams workbook or the Office 365 workbook. The integration is based on the OfficeActivity data type, that is, on the Microsoft Teams logs in M365.
In the Microsoft Sentinel Content Hub, the template "Microsoft Sentinel for Teams" is now also available as a preview. The template installs 2 analytics rules, 7 hunting queries and 2 playbooks with which Teams can be monitored and the logs can be filtered for threats.
The installation is dialog-driven and quite simple. When the deployment has completed successfully, the following page is displayed with an overview of what was installed.

What is deployed?

Analytics

Analytics rules define how threats are detected. The template creates two rules for Microsoft Teams:
  • External user added and removed in short timeframe: This rule flags when external users are added to a Team and then removed again within an hour.
  • Multiple Teams deleted by a single user: This rule flags when a single user deletes multiple Teams within one hour.
These analytics rules are created in disabled mode and can be enabled and customized in the analytics rules gallery in Sentinel:

Hunting Queries

Microsoft Sentinel provides queries to search for threats in the connected data sources. This enables targeted searches for suspicious behavior or unusual activity. The template installs the following hunting queries with a focus on Microsoft Teams:
  • External user from a new organization added to Teams: This query identifies external users that have been added to Teams where the user's domain has not been seen before.
  • Multiple Teams deleted by a single user: This query shows when multiple Teams have been deleted by a single user within a short period of time.
  • Bots added to multiple Teams: This query helps identify bots that have been added to multiple Teams in a short period of time.
  • User made owner of multiple Teams: This query identifies users who have been made owners of multiple Teams.
  • Previously unseen bot or application added to Teams: This query identifies new, and possibly unapproved, applications or bots added to Teams.
  • Files uploaded to Teams and access summary: This query shows files uploaded to SharePoint via a Teams chat and summarizes the users and IP addresses that accessed those files. This allows anomalous file sharing patterns to be identified.
  • User added to Team and immediately uploads file: This query identifies users who were added to a Team or chat and uploaded a file via chat within one minute of being added. This can be an indicator of suspicious activity.
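As an added illustration, not part of the original post or of the Sentinel content template, the two analytics rules above (external user added and removed within an hour; multiple Teams deleted by one user within an hour) written as plain detection logic over constructed Teams audit records. The field names follow Sentinel's OfficeActivity table; the sample events, the one-hour window and the threshold of three deletions are assumptions for this example.

```python
from datetime import datetime, timedelta

# Constructed Teams audit records in the shape of Sentinel's OfficeActivity table
# (OfficeWorkload "MicrosoftTeams"); not real tenant data.
EXT = "mallory_outlook.example#EXT#@contoso.example"
SAMPLE_EVENTS = [
    {"TimeGenerated": "2022-03-30T08:00:00Z", "Operation": "MemberAdded", "UserId": "alice@contoso.example",
     "TeamName": "Project X", "Member": EXT},
    {"TimeGenerated": "2022-03-30T08:05:00Z", "Operation": "MemberAdded", "UserId": "alice@contoso.example",
     "TeamName": "Project X", "Member": "dave@contoso.example"},       # internal user, out of scope
    {"TimeGenerated": "2022-03-30T08:20:00Z", "Operation": "MemberRemoved", "UserId": "alice@contoso.example",
     "TeamName": "Project X", "Member": EXT},                          # removed 20 min after being added
    {"TimeGenerated": "2022-03-30T09:00:00Z", "Operation": "TeamDeleted", "UserId": "bob@contoso.example", "TeamName": "Old 1"},
    {"TimeGenerated": "2022-03-30T09:10:00Z", "Operation": "TeamDeleted", "UserId": "bob@contoso.example", "TeamName": "Old 2"},
    {"TimeGenerated": "2022-03-30T09:40:00Z", "Operation": "TeamDeleted", "UserId": "bob@contoso.example", "TeamName": "Old 3"},
    {"TimeGenerated": "2022-03-30T10:00:00Z", "Operation": "TeamDeleted", "UserId": "carol@contoso.example", "TeamName": "Legacy A"},
    {"TimeGenerated": "2022-03-30T15:00:00Z", "Operation": "TeamDeleted", "UserId": "carol@contoso.example", "TeamName": "Legacy B"},
]

def _ts(event):
    return datetime.fromisoformat(event["TimeGenerated"].replace("Z", "+00:00"))

def external_added_then_removed(events, window=timedelta(hours=1)):
    """Rule 1: an external user is added to a Team and removed again within `window`."""
    added, findings = {}, []
    for e in sorted(events, key=_ts):
        key = (e["TeamName"], e.get("Member"))
        if e["Operation"] == "MemberAdded" and "#EXT#" in e["Member"]:   # B2B guest UPNs carry "#EXT#"
            added[key] = _ts(e)
        elif e["Operation"] == "MemberRemoved" and key in added:
            if _ts(e) - added.pop(key) <= window:
                findings.append({"team": e["TeamName"], "member": e["Member"], "by": e["UserId"]})
    return findings

def multiple_teams_deleted(events, threshold=3, window=timedelta(hours=1)):
    """Rule 2: one user deletes at least `threshold` Teams inside any `window`-long span."""
    per_user = {}
    for e in events:
        if e["Operation"] == "TeamDeleted":
            per_user.setdefault(e["UserId"], []).append((_ts(e), e["TeamName"]))
    findings = []
    for user, deletions in per_user.items():
        deletions.sort()
        for i in range(len(deletions)):            # sliding window over this user's deletions
            j = i
            while j < len(deletions) and deletions[j][0] - deletions[i][0] <= window:
                j += 1
            if j - i >= threshold:
                findings.append({"user": user, "count": j - i, "teams": [t for _, t in deletions[i:j]]})
                break                               # one alert per user is enough
    return findings
```

Run against real data, the same logic corresponds to filtering OfficeActivity on OfficeWorkload, Operation and UserId and summarizing per user and time bin in KQL.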

Playbooks

Playbooks are collections of procedures that can be executed in response to an alert or incident. A playbook can be used to automate actions when certain alerts or incidents are detected.
A sticking point in the "Playbook" setup step, as seen in the screenshot, is that a user must be added here who has the right to connect to the Teams API.

Consent must be granted for this user. A simple way to do this is described here: https://docs.microsoft.com/en-us/graph/auth-v2-user#consent-experience The user that you want to use logs in and grants consent. The fact that the page you are then redirected to is empty is irrelevant.
The following playbooks are deployed:
  • IdentityProtection-TeamsBotResponse
  • Post-Message-Teams

Sunday, 27 March 2022

Microsoft Teams Shared Channels

Shared Channels will be rolled out as a public preview in the coming weeks. This is a new channel type in addition to the existing standard and private channels. Shared Channels allow collaboration with external users without requiring the user to switch tenants:
Shared Channels can be configured via Teams policies as follows:
Shared Channels are based on Azure AD B2B Direct Connect. This Azure AD feature enables collaboration with external users without adding them as B2B guests in Azure AD. To use Shared Channels between tenants, both sides must configure B2B Direct Connect policies, because the feature is disabled by default. Administrators can grant, restrict, or revoke access for external users at the individual, group, or tenant level:
More details about cross-tenant access settings: Cross-tenant access settings in Azure AD

A separate SharePoint site collection is created for each shared channel, just as for each private channel. Conditional Access policies for SharePoint therefore also affect Shared Channels and the co-authoring of documents in these channels.

Thursday, 24 February 2022

Graph Insights Adjustments

Microsoft Viva is taking over the functionality of My Analytics and Workplace Analytics step by step, and there is also a lot going on in the backend. The MeetingInsights and ItemInsights endpoints have been customizable for some time, and now the PeopleInsights endpoint can be configured as well. This affects the following areas:
  • Profile cards
  • User profile in Delve
  • The list of relevant people / the "works with" overview
I have already posted about the options to customize MeetingInsights and ItemInsights in the article "My Analytics, Workplace Analytics & Delve - or from the backend perspective Office Graph & Microsoft Graph".

Customize Insights

ItemInsights as well as PeopleInsights can now be customized. The respective endpoint can be disabled completely, or enabled / disabled for a specific Azure AD group. The third category, MeetingInsights, can only be enabled or disabled globally.
Details on ItemInsights and MeetingInsights: Customizing item insights privacy in Microsoft Graph

Customize PeopleInsights

PeopleInsights show relationships between people. They are derived from public signals such as shared Microsoft 365 Groups / Teams or shared Exchange distribution lists. This data is displayed in Delve and on the profile cards in Microsoft 365 and can be queried via the API:
By default, this feature is enabled in a Microsoft 365 tenant. The following options are available for customization:
  • Disable PeopleInsights for all users:
PATCH, beta:
{
  "isEnabledInOrganization": false
}

  • Disable PeopleInsights for an Azure AD group by additionally using the disabledForGroup parameter:
PATCH, beta:
{
  "isEnabledInOrganization": false,
  "disabledForGroup": "f742839d-2321479-4de9-9616-e61877675c88c"
}

To do this with Microsoft Graph Explorer, for example, the following steps are performed:

  • Open Graph Explorer and log in: https://developer.microsoft.com/en-us/graph/graph-explorer
  • GET, beta: https://graph.microsoft.com/beta/organization returns the organizationId that is needed in the next step:

  • Get the current settings:
GET, beta: https://graph.microsoft.com/beta/organization/{organizationId}/settings/peopleInsights
  • Customize the settings as needed:
PATCH, beta:
{
  "isEnabledInOrganization": false,
  "disabledForGroup": "f953948d-3423-4ac7-9616-d6187975c00c"
}


Effect: No more users are displayed in the "works with" section:

Important:
  • The settings for PeopleInsights are currently only available in BETA.
  • The update process does not check whether the Azure AD group exists. If the group does not exist, nothing changes for any user.
  • It can take up to 24 hours for insightsSettings adjustments to take effect, or longer in the BETA version.
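The same PATCH as above, wrapped in a small helper that adds the guards the endpoint itself does not provide (an added example, not code from the article or from Microsoft): the group id is checked for shape, the group is looked up before it is referenced, and the setting is read back afterwards. The `call(method, url, body)` transport signature and the in-memory `FakeGraph` are assumptions made so the example runs offline; a real transport would wrap requests or msal with a bearer token.

```python
import re

GRAPH_BETA = "https://graph.microsoft.com/beta"
OBJECT_ID = re.compile(r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", re.I)

def set_people_insights(call, organization_id, enabled, disabled_for_group=None):
    """Apply the peopleInsights PATCH from the article with two extra guards: the group id
    must be well formed and the group must exist, since Graph does not verify this itself.
    `call(method, url, body)` is the assumed transport and returns (http_status, json_dict)."""
    body = {"isEnabledInOrganization": enabled}
    if disabled_for_group is not None:
        if not OBJECT_ID.match(disabled_for_group):
            raise ValueError(f"not a well-formed object id: {disabled_for_group}")
        status, _ = call("GET", f"{GRAPH_BETA}/groups/{disabled_for_group}", None)
        if status != 200:
            # The PATCH is accepted for an unknown group and then changes nothing; fail loudly instead.
            raise LookupError(f"group {disabled_for_group} not found (HTTP {status})")
        body["disabledForGroup"] = disabled_for_group
    url = f"{GRAPH_BETA}/organization/{organization_id}/settings/peopleInsights"
    status, _ = call("PATCH", url, body)
    if status not in (200, 204):
        raise RuntimeError(f"PATCH failed with HTTP {status}")
    # Read the stored setting back; the visible effect on profile cards may still take up to a day.
    _, settings = call("GET", url, None)
    return settings

class FakeGraph:
    """In-memory stand-in for the two Graph endpoints used above (constructed for this example)."""
    def __init__(self, known_groups):
        self.known_groups = set(known_groups)
        self.settings = {"isEnabledInOrganization": True, "disabledForGroup": ""}
        self.calls = []          # (method, url) trace, useful for assertions

    def __call__(self, method, url, body):
        self.calls.append((method, url))
        if "/groups/" in url:
            group_id = url.rsplit("/", 1)[-1]
            return (200, {"id": group_id}) if group_id in self.known_groups else (404, {})
        if method == "PATCH":
            self.settings.update(body)
        return 200, dict(self.settings)
```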

Monday, 21 February 2022

Cross-tenant access settings in Azure AD

Using Azure AD to provide access to resources in another tenant is not new. The Azure B2C and B2B features have been available for several years. Now Microsoft has released the Cross-tenant access settings feature as a preview. It allows default settings as well as settings per tenant, for tenants that are accessed as a guest user and for tenants from which guests access your own environment:

In addition, there is the option to accept multifactor authentication that has already been performed when signing in to the other Azure AD. Another option relates to the state of the device used, which can then be evaluated in a Conditional Access policy, for example. Both the "Compliant device" state and the "Hybrid Azure AD joined" state can be trusted:

Overview Cross-tenant access with Azure AD External Identities

Using cross-tenant access settings you can define default settings for your environment as well as settings per tenant from which access is made. So if you work with partners or selected customers on a regular basis, you can configure explicit rules for B2B collaboration - External users and groups, B2B collaboration - Applications and Trust settings for inbound and outbound access:
The following applies:
  • The default settings apply to all external Azure AD tenants that are not listed in the Organizational settings tab. These default settings can be changed, but not deleted.
  • For access that is not authenticated via an Azure AD, the settings under "Edit or view collaboration restrictions" apply.

Configure cross-tenant access settings

The default settings for inbound and outbound access can be set for B2B collaboration - External users and groups, B2B collaboration - Applications and Trust settings. These values then apply to all tenants that are not explicitly registered:
On the Organizational settings tab, explicit tenants can be added via Add organization:
These can then either inherit the default settings or get explicit settings:
The following settings can be configured for each tenant:
  • Select explicit external users and groups:

  • Select applications:

  • Settings for MFA and device

Reporting

Reports on access from other tenants can be created both via PowerShell and via the "Monitoring" tab in Azure AD.

Example via PowerShell for cross-tenant sign-in activity (Get-MSIDCrossTenantAccessActivity comes from the MSIdentityTools module):
  • Get-MSIDCrossTenantAccessActivity -SummaryStats -ResolveTenantId
Example via PowerShell for the sign-in logs (Microsoft Graph PowerShell; replace the placeholder with your own tenant id):
Get-MgAuditLogSignIn `
    -Filter "ResourceTenantID ne '<your tenant id>'" `
    -All |
    Group-Object ResourceTenantId, AppDisplayName, UserPrincipalName |
    Select-Object Count, @{n='Ext TenantID/App User Pair'; e={$_.Name}}

Source and more details:  Identify inbound and outbound sign-ins

Cross-tenant access activity workbook:
This workbook is available in Azure AD under "Monitoring" and provides reports that can be filtered by the following values:
  • Time range (up to 90 days)
  • External tenant ID
  • User principal name
  • Application
  • Status of the sign-in (success or failure)

Tuesday, 15 February 2022

Restrict Microsoft Teams Copy & Paste

There can be different reasons to restrict the copy & paste feature in Teams.
For example, it can prevent users from copying content from Teams chats and posting it in other apps. In general, it is important to consider whether the restriction should apply to the web version of Microsoft Teams or to the Teams client/app. Both can be restricted, but different solutions are used in each case:
A common scenario is to restrict the copy & paste feature for guest users. This can also increase security on unmanaged devices, for example in the case of guest users or a bring-your-own-device strategy.
To implement this scenario for browser access, a Conditional Access policy is created that only affects guest users or selected users or groups, and from which Azure AD joined devices can be excluded.
If the Teams client / Teams app is used for access, an App Protection Policy in Endpoint Manager must be used. This policy can then be restricted to "unmanaged" devices, for example.

Restrict copy & paste when accessing via the browser

When accessing via the browser, the request is redirected by a Conditional Access policy to Defender for Cloud Apps, using the "Use Conditional Access App Control" setting:

The conditional access rule can be restricted to guests or specific groups from Azure AD, for example:

A rule must then be created in Defender for Cloud Apps that prevents the copy & paste capability:

As the screenshot shows, the following other capabilities can also be restricted:
  • Print
  • Send item
  • Send Teams message
In the "Session control type" section of the policy, you can see that uploads or downloads can also be restricted in this way. A separate policy must be created for this, since the "Session control type" section only allows a single filter.
The user now receives the following notification when trying to copy data from a Teams chat:

Restrict copy & paste when accessing via Teams client / Teams app

App Protection Policies are used when accessing via the client / app. This is a feature of Microsoft Endpoint Manager. For the scenario of restricting access from unmanaged devices, the "Unmanaged" option is selected for the device type in the policy. In the "Apps" section of the policy, the applications affected by the policy are defined. As the screenshot shows, the same policy can also cover additional apps, such as Microsoft Planner:

In the section "Data protection" the setting "Restrict cut, copy, and paste between other apps" is available:

The user will now see this message when trying to copy data from a Teams chat and post it in WhatsApp, for example:

The following additional settings can be configured in the App Protection Policy:
  • Backup org data to Android backup services
  • Send org data to other apps
  • Receive data from other apps
  • Screen capture
  • Printing org data
  • Restrict web content transfer with other apps