All my posts
Defender for Podcast: new season! Guest Carlo Mauceli (S02E01)
After a brief behind-the-scenes look a few days ago, here we are: Defender for Podcast, new season! This year brings some new features: new locations and guests! And, speaking of guests, we couldn’t have started better: Carlo Mauceli joins us for this first episode!
What did we talk about?
🎯 Geopolitics and the use of cyberattacks in war scenarios
🎯 Evolution of attack tactics through Artificial Intelligence
🎯 The black market where anyone can become a hacker
CrowdStrike: Microsoft releases a repair tool to expedite the recovery process
As a follow-up to the CrowdStrike Falcon agent issue impacting Windows clients and servers, Microsoft released a USB tool to help IT Admins expedite the repair process.
The signed Microsoft Recovery Tool can be found in the Microsoft Download Center:
➡️ New Recovery Tool to help with CrowdStrike issue impacting Windows endpoints
The steps to use the tool are detailed in the article linked above.
Your IT Specialist,
Riccardo
First Impressions of The Lab Experience
After reaching the first milestone of our lab, it’s time to do a little recap. Below is the complete list of the first videos in the “The Lab” series, from creating the Active Directory forest to the first Windows Entra Joined client and its behavior in an on-premises environment.
📺 The LAB - Episode 0 - Introduction to the Lab
📺 The LAB - Episode 1 - Creating an Active Directory Forest and Setting Up a Domain Controller
The Lab - Episode 5 - SSO on On-Premises Resources with a Windows Entra Joined PC
Today we see the first concrete result of building our hybrid lab, which is inspired by modern management of identities and devices: we will test together whether a Windows Entra Joined PC can access an on-premises resource, specifically a file server, with single sign-on.
Will it work? You’ll see in the video :)
Video
You can find the full video below, or you can continue reading the article.
SSO on On-Premises Resources with a Windows Entra Joined PC
Introduction
IT specialists, hello everyone!
Defender for Podcast - Episode 7 - Passkey the Future of Identity
🚨 If, like me, you’ve had intense weeks and missed the latest episode of Defender for Podcast, don’t worry, here’s all the info you need.
Spoiler: we talk about passwordless and, above all, Passkey!
In particular:
Multi-factor authentication is not perfect, what are the risks and issues?
Microsoft Authenticator
FIDO2 keys
Certificate-based authentication
Passkey
Lots to discuss, plenty of useful information, and a pinch of fun (don’t miss the “Goat dance”).
The Lab - Episode 4 - Install and configure Microsoft Entra Connect
Hello IT specialists! We are finally at a turning point in creating our hybrid lab, which until now has been hardly hybrid at all, since we created an AD forest and installed a Certification Authority, all on-prem components.
Video
Find the full video below, or you can continue reading the article.
Installing and Configuring Microsoft Entra Connect
Today, we prepare our environment for the installation, configuration, and activation of Entra Connect. Yes, we are finally hybridizing our environment, synchronizing identities with Entra ID.
Defender for Podcast - Episode 5 - Copilot for Security Has Arrived!
🚨 New episode of Copilot for Pod… oops… no… sorry, I meant Defender for Podcast! 🤣 With all these Copilots, I’m getting a bit carried away!
Caught up in a frenzy of memes and various quotes (absolute gems not to be missed), Marco Moioli (henceforth known as Mar-Copilot) and I couldn’t miss the opportunity to talk about the current star: Copilot for Security! We’ll explore what it is, how it integrates with various Microsoft products, and, most importantly, share our impressions on the significant value this product brings.
The Lab - Episode 3 - Implementing LDAPS in Active Directory on-premises
Every forest and Active Directory domain should have LDAPS implemented, but in very few cases is it actually implemented. The topic can be intimidating because it involves certificates, but once you understand some basic concepts, it’s easier to tame than it seems. Let’s see how to implement it!
Video
You can find the entire video below, or you can continue reading the article.
Article
With all this talk about the cloud, I realized that I have neglected our beloved Active Directory!
The Lab - Episode 2 - Installing an Enterprise Certification Authority
IT Specialists, hello everyone! Today a very fast but fundamental video: we add the second piece of the lab, putting a Certification Authority on track.
Video
Find the entire video below, or you can continue reading the article.
Why is a Certification Authority useful in the lab?
Here’s why a Certification Authority can be useful in the lab:
Because a CA is always useful, regardless. 😊
Because I want to implement LDAPS on Active Directory right away (and the next video will talk about this).
The Lab - Episode 1 - Creating a New Active Directory Forest
IT Specialists, hello everyone! Finally, we are truly getting our hands dirty in this lab: today, we create the on-premises Active Directory forest (and domain) needed for our hybrid environment.
Video
Find the entire video below, or you can continue reading the article.
Before We Begin
Just a couple of observations.
First observation: as mentioned in the previous video, what I will show you in building the lab will be seen more from the perspective of identity (users and devices) and their security.
The Lab - Episode 0 - Introduction to the Lab
IT Specialists, hello everyone! It’s been a while since we last met on video, but despite that, during these months of absence, I’ve been scheming in the shadows, advancing other projects and initiatives, the results of which you will see on my channels and the Microsoft Security Italian Users Group community. 😉
But enough chit-chat, this is neither the video nor the right occasion to tell you the why, the how, etc.
Security: what's new in Microsoft Intune (Release 2312)
Waiting for “good news” at the beginning of 2024, let’s review the latest updates from Intune (release 2312), especially those that catch our attention from a security perspective:
Edge Security baselines updated to v117
Support for new variables {{username}} {{devicename}} in non-compliance communication emails
New visualization in the reporting of the Defender for Endpoint connector
New settings in Antivirus policies (RandomizeScheduledTaskTimes and SchedulerRandomizationTime)
New status metric for Microsoft Tunnel (TLS certificate revocation)
Of course, these are just some of the updates.
eBook: Microsoft Sentinel SOC 101
It’s true, I neglected “Resource Friday” for a while: why? The spirit of the column was to find you a free “resource”, precisely that, to download or use in the realm of our beloved Microsoft technologies. In recent years, however, the ways in which content is consumed have changed a lot, decisively shifting towards other platforms and formats (video, social media, etc.). Moreover, the speed at which product updates and new features arrive, in some cases, quickly renders an eBook obsolete.
Free eBook: Azure Defenses for Ransomware Attacks
📢 Free-resource-friday! Azure Defenses for Ransomware Attacks. Today, I’ve gathered for you a highly informative (and free) eBook that discusses the tools available in Azure to counter a Ransomware attack. Almost mandatory reading in these times!
📌 Bonus tip: Don’t miss the plethora of links to documents and resources in the “Additional Resources” slide!
📖 Here’s where you can download it:
➡️ Azure Defenses for Ransomware Attacks
Your IT Specialist, Riccardo
Microsoft Entra ID Protection: what is Risk in Entra ID?
In a Zero Trust Security approach, where identity is a fundamental element, the security of authentications can be measured to some extent based on the so-called “signals.” Analyzing these signals provides a level of “risk” for a particular user when authenticating to Microsoft 365 services. Today, I’ll tell you about Microsoft Entra Identity Protection and what the concept of “risk” means.
As always, before diving headfirst into this “risky” journey (pun intended 🤣), we need to introduce another concept: you need to understand what signals are.
What's New in Conditional Access: Templates and a New Overview Available
Fresh news in the Microsoft Entra ID realm: templates and a brand new overview are now publicly available. Let’s start with the templates.
Template
Conditional Access policies are a powerful tool that offers a high degree of customization and granularity. That’s why it can sometimes be less intuitive to know where to begin when it comes to implementing a particular policy for a specific situation.
The availability of templates helps in this regard by providing ready-to-use tools for specific situations, making it easier to implement a conditional access criterion.
The Lab Series: Installing Azure AD Application Proxy
As anticipated a few days ago, today we begin a series of short video clips, lasting no more than a couple of minutes, where I demonstrate activities and procedures that most people take for granted but, for various reasons, may not be so straightforward.
Welcome to “The Lab Series”!
Today, we have a quick-and-dirty procedure for installing the Azure AD Application Proxy connector.
Useful documentation for further reference:
📄 Tutorial: Add an on-premises application for remote access through Application Proxy in Azure Active Directory
FIDO2 Key Authentication demo in Microsoft 365 on Safari iOS
🎥💊 Video Pill News: FIDO2 key support on Safari iOS!
The key used in this video is a FEITIAN, iePass K44 model, with dual interfaces: USB-C and Lightning.
I hope that FIDO2 key support arrives soon for Microsoft apps on iOS!
Riccardo
macOS Single Sign-On on Azure AD
About 2 years ago (June 2021), I had fun experimenting with a new feature that was in preview: macOS Single Sign-On (SSO) for Azure AD on Microsoft 365 applications and services.
⚠️ Update as of June 1, 2023
The “Microsoft Azure AD” plug-in is finally in General Availability and is ready to use in production environments!
You might be wondering, “What on earth is it for?”
This feature allows you to authenticate yourself and your fantastic Mac more easily to Microsoft 365 services and applications without repeated credential prompts, making the user experience even smoother and seamless.
Convert ObjectID to SID in Azure AD and vice versa
Friday resource! If you’re tinkering with Local Groups Membership policies in Intune and (like me) have cursed a bit while converting group/role ObjectIDs to SIDs and vice versa, here’s a website that does it online instantly and conveniently.
🔹 ObjectId ➡️ SID
🔹 SID ➡️ ObjectId
I’d love to tag the author of this wonderful utility (Erik Engberg) here, but from what I’ve seen, they’re not on LinkedIn. If I’m mistaken and someone knows their exact profile, please let me know so I can give them proper thanks.
Windows Hello for Business is the MFA for Windows login!
Why Windows Hello for Business is the Multi-Factor Authentication for Windows login and how to configure it via Intune in Azure AD Kerberos Cloud Trust mode, through the Settings Catalog.
Below is the documentation I refer to in the video:
📄 Windows Hello for Business Overview
📄 How Windows Hello for Business works in Windows Devices
📄 Windows Hello for Business and Authentication
📄 Cloud Kerberos trust deployment
📄 Enable passwordless security key sign-in to on-premises resources by using Azure AD
Have you implemented Windows Hello for Business?
Configuring BitLocker via Intune using the Settings Catalog
A few days ago, I came across a very interesting article from the Intune Customer Success Team. The article discusses how to configure BitLocker through the Intune Settings Catalog. This piqued my curiosity because, considering the Settings Catalog, there are now three different ways to deploy BitLocker from Intune.
I wanted to understand the advantages of using the Settings Catalog compared to the already available methods. Here’s my experience!
⚠️ As mentioned in the video: the settings you see were done for purely educational and illustrative purposes.
Azure Virtual Desktop: Single Sign-On to Azure AD
It took me a while to make this video, but finally, here I am: Azure Virtual Desktop Single Sign-On to Azure AD.
One of the main “criticisms” always directed at AVD is the double authentication, which many consider a hassle. With Single Sign-On, the process becomes smoother, and the required authentications decrease.
Could I have just shown you the simple SSO?
Clearly NO, so I even included a FIDO2 security key in it!
Temporary Access Pass in Azure AD
📺 New video: Today I’ll tell you about Temporary Access Pass in Azure AD and how it can be useful in specific situations.
☑️ Onboarding a user to register a passwordless authentication method
☑️ Recovery of a lost or unusable passwordless access
☑️ Initialization of a Windows Autopilot device
☑️ Joining a device to Azure AD
☑️ Initial setup of Windows Hello for Business
All the details in the video!