Welcome to Episode 382 of the Microsoft Cloud IT Pro Podcast. In this episode, we dive into three essential tools for safeguarding your organization in the cloud-first world: Security Defaults in Microsoft Entra ID, Conditional Access Policies, and Microsoft Secure Score. Join us as we talk through and rationalize each solution, including when and why you might want to use each depending on your maturity with the Microsoft Cloud.
Whether you’re an IT administrator, security professional, or just someone keen on understanding how to secure your digital workspace, this episode is packed with valuable insights and practical tips to help you leverage these security tools. Tune in to stay ahead of the curve and ensure your organization is protected against the evolving threat landscape!
Like what you hear and want to support the show? Check out our membership options.
Show Notes
Security defaults in Microsoft Entra ID
Microsoft Secure Future Initiative
Every Microsoft employee is now being judged on their security work
What is Conditional Access?
Conditional Access policy templates
Episode 256 – Conditional Access All The Things?
Microsoft security portals and admin centers
Track your Microsoft Secure Score history and meet goals
Assess your security posture with Microsoft Secure Score
About the sponsors
Would you like to become the irreplaceable Microsoft 365 resource for your organization? Let us know!
Mark as Played
Transcript
Episode Transcript
Available transcripts are automatically generated. Complete accuracy is not guaranteed.
(00:03):
Welcome to episode
382 of the Microsoft Cloud IT Pro Podcast,
recorded live on August 9, 2024.
This is a show about Microsoft 365
and Azure from the perspective of IT pros
and end users, where we discuss the topic
or recent news and how it relates to
you. Today, we start diving into tools for
safeguarding your organization in the cloud first world,
(00:27):
talking about some of the pros and cons
as well as when you might want to
use some of these various tools. We start
off talking about security defaults in Microsoft EntraID
before moving into conditional access.
We wrap up the episode discussing
Secure Score in Microsoft Defender XDR.
(00:47):
Should we talk about something Microsoft 365 related?
Let's get into it. M 365
day. It Maybe a little bit of Azure.
We'll see what we can work in. This
might be a little bit
of Entra stuff, which as we have discussed
multiple times spans
both Entra or both Microsoft 365
and Azure. But this came from
(01:10):
kinda some things that people have brought up,
questions that have been asked, and it was
around security. And I think the specific question,
if I go pull it up, was
somebody asked more how do you would or
how would you how do you how to
evaluate new tenants,
evaluate
security
(01:31):
resources out there to get statuses on your
tenant.
Like, I went and stood up a brand
new tenant, again, whether it be Azure or
Microsoft 365, I have a brand new Entra.
Where do I go from here from a
security perspective? It's the gist of the question.
It's an interesting question, right, especially in split
brained land where, like you said, Entra comprises
(01:54):
functionality
across both the M365
stack and Azure as well.
Yeah. So security is like a far ranging
topic, and I would preface all this with
I am by no means a security expert.
But that being said, like, there's a bunch
of tools out there that are available
to us mere mortals
(02:16):
to help us rationalize
current configuration.
Hey. How does stuff look today? And then
maybe for folks like me who aren't experts,
what are some logical defaults
or some things that I should think about
going and configuring
to improve the posture
of the security configuration
of my tenant.
(02:37):
And to a certain degree, not even just
my tenant, like, the users who interact with
my tenant because users who interact with my
tenant could be in my tenant, or they
could be guest accounts or other things that
are coming in to
interact across SharePoint and other workloads like that.
We talked before. We are going to I'm
not gonna commit to a time, but we
are gonna try to keep these somewhat
(02:59):
time boxed. So this very well may turn
into a multipart episode too. To your point,
this is
a very broad topic across everything. So I
think from my perspective,
where I first start, new clients come to
me, and this one is m 365, but
it does touch Azure is I have a
new tenant. I stood up Microsoft 365.
(03:20):
I stood up Azure. I now have Entra.
What do I do? And the first thing,
and this is a newer one, is
by default now, everybody has security defaults
that are enabled in your tenant.
These are also I don't have these been
turned on by an old tenant yet? I
don't I can't remember, and I don't see
the timeline on here of when Microsoft was
(03:43):
gonna force these on.
These should be turned on
in existing tenants as well. So
at this point, if you have a tenant
that was created after
2019,
give or take. Like, it it was late
2019, early 2020 when a lot of this
stuff rolled out
(04:04):
as far as security defaults. So if you
had, like, a new m 365
environment that came up, o 365,
you set up a new Azure subscription and
a new entry ID tenant or Azure AD
tenant as they were called back then,
then you should have some permutation
of this.
Like many things that Microsoft does, I think
(04:25):
if you have an established tenancy and you
were somebody who, like, looked after it, you
were probably somebody who's decided to, like, slow
roll it, or maybe you blocked it for
a while.
So
it it could be in, like, various states
within
your
own tenant configuration
today.
But it's actually it it's pretty easy to
(04:47):
look. So you can hop into the entry
ID admin center.
You have to have a role that is
at least a security administrator.
And then if you go into
the identity blade and just the kind of
overview of
your entry
tenant your entry ID tenant,
The properties for it, they just have a
(05:08):
little, basically, am I enabled or am I
disabled for security defaults
that you can go ahead and flip through.
And, like I said, I think,
my approach to to this stuff back when
I always used to do it was to
slow roll it and say, oh, yeah. Microsoft
gave me an easy button, but I might
wanna turn that on a little bit more
(05:29):
piecemeal rather than stepping in and having everything
all at once, like requiring all users to
enroll in MFA, requiring all my admins to
do MFA,
and all the blocking legacy authentication protocols, a
lot of stuff, and, like, doing all those
permutations at once, sometimes you wanna slow roll
those and do them yourself. And if you
are of that, like, kinda person, right, okay,
(05:52):
that's your approach, nothing wrong with it, I
think this even that the security defaults are
there and documented, like, it's another thing to
go and look at and say, k, what's
my posture? Where am I at? Maybe I
haven't turned it all on, but do I
have a plan? Am I aligned to best
practices? Those kinds of things. Yeah. The one
thing I would say though so this is
my biggest
(06:12):
I would say my biggest gripe with security
default is you can't slow roll it. You
cannot. It is
either on or off, and I get why
Microsoft did this. Like, you had a bunch
of old legacy tenants and new tenants that
were getting stood up that people were not
doing any sort of security with. And
this has a lot of those basic controls
you said. So if you turn this on
(06:33):
or if it is on, what security default
is requiring
MFA for all users, it's requiring
or to register for MFA, it's requiring admins
to do MFA, multifactor authentication.
It's requiring users to do MFA
when necessary.
So it's not all the time like, this
is gonna probably be tied to certain risks
(06:55):
or certain conditions that they're triggering. You don't
really have any control over it. Microsoft decides
when necessary is and isn't. Like you said,
it blocks legacy authentication,
and it protects privileged activities
like access to the Azure portal. So you
turn it on, it's gonna do all those
things. You turn it off, it's not gonna
do any of those. But there's nothing bad
in here.
There's the degrees of maturity
(07:17):
with
your comfort with an environment. So I would
go to you, and I would say, hey,
Ben. Help me out with the configuration
of my AD sorry, enter ID tenant. And
you go, sure. Gotcha. Been doing this for
years years. I know where all the knobs
and levers are. Let's go turn them. What
kind of customer are you? Oh, I see
you've got I see you have premium licenses
(07:39):
for entry ID. Like, you have a mix
of p ones, p twos. Maybe you're all
p twos, all p ones, whatever it is.
So you're immediately gonna clue into
the world of
I know what's available to you and
where you can really lean into
the complexity
of that organization's requirements and where they wanna
(08:02):
land. Because they're licensed for it, you'll have
access to things like conditional access
and CA policies and
all the power that comes along with those.
And on the flip side,
there are people out there who just go
and sign up for new GoDaddy tenants,
and, yeah, they're Don't do that. No. Don't
(08:22):
do it. Nobody. Don't do it. But people
do it. Okay. But people do. And for
those people who do it, like, they're not
the most
they're not the deepest into the ecosystem. Right?
They they don't have that same level of
maturity. They don't carry the licenses,
particularly for some of the more advanced features
in things like conditional access.
So in that world, security defaults is nice
(08:45):
because,
yeah, it can cause some pain.
We can argue how much the pain's worth
it, but it immediately puts your posture in
a place where you're at least covered for
the vast majority of the basics
for free, and you didn't have to do
anything and go with it.
Again, if you're a customer out there or
(09:06):
you're an administrator, developer, whatever it is, and
you're looking at this and you go, I
know my way around this. I'm gonna script
it out, or I'm gonna click next next
next,
and I'm really gonna dial it in. Security
defaults isn't for you. So, in that case,
you can just use the documentation
for security defaults as, hey, what are the
things that I should think about doing within
my environment?
(09:27):
Should I require all users to register for
MFA?
I might look at that and say, yeah.
All users, but not really all users because
you're gonna have a segment of users that,
you might not want to be eligible for
MFA today based on your organizational constraints, maybe
like a break glass account or something like
that. Right? Like, you you have the exceptions,
(09:48):
and you know how to
drive into those
and configure those kinds of things. But for
those that require the easy button or for
those that are net new, I really don't
think there's anything wrong with having the easy
button enabled by default, especially as long as
you can come back and upgrade later
or you can disable it. But at least
at that point, it's a conscientious decision on
(10:10):
your part as a customer to come in
and do it. So I can totally see
where, like, as a service provider on the
Microsoft side, they're saying, like, hey, we want
you to be in the best default posture
that you can be. And that's often at
the expense of
a little bit of pain
and a little bit of friction because for
better or worse, like, all these things, like
(10:32):
turning on MFA
and having all the authentication methods and locking
users down to things like just certain authenticator
apps and things like that.
It's it is necessary,
which is sad when that's a conversation for
another day. I agree. 100%. All of these
are good things to have, and to the
pain point, it's not nearly as painful as
(10:52):
it used to be. I would say 3
years ago, the legacy authentication
would really bite people. They'd go toggle this
on and all of a sudden a whole
bunch of stuff would break because they were
still running old Office clients or they were
still using app passwords, that type of stuff.
But I am glad they have this as
a default state. There's a few times that
I've been in a few situations where I'm
(11:13):
like, you know what? I wish I could
toggle, like, one of these off where it
is. It's a small business. They don't wanna
go pay for conditional access, but you run
into
those weird one off scenarios
where
legacy authentication is causing an issue.
That's probably the biggest one. But, again, over
the last 3 years, as everybody has gone
(11:34):
away from legacy auth, this is absolutely
a good thing to have in place by
default.
The only other thing I would say with
this is I still see some people that
have this
auth. They're like, I'm doing, like, the per
user MFA, like, the old school per user
MFA, and we've talked about that being legacy.
That is going to go away at some
point in time. So if you're still relying
(11:54):
on that to turn off MFA in certain
situations
and leaving security defaults off, 1, security defaults
gives you a lot more production than just
that legacy MFA, and 2, that is gonna
go away. I think folks should be prepared
for stuff to
start getting dialed in and change more rapidly
as well. If you go out and you
(12:15):
just look at the news
for
security incidents
across Microsoft,
Azure, Google,
like, the these things definitely exist, right? They're
out there. And then you consider, like, the
spread and what's going on between having to
protect cloud resources,
protect local machines,
(12:36):
and all these kinds of things,
it's in the service provider's best interest to,
like, really start to dial things in
and lock things down.
If I was a Microsoft customer, I would
go out and look at things like the
Secure Future initiative,
which has been publicly talked about, but, hey,
(12:57):
these these are some thoughts and approaches and
ways that we are going to align
to
being the most secure that we can be.
And I'm a Microsoft employee. That bubbles back
to me, actually. So one of the things
that was publicly reported last week,
I think I saw an article on The
Verge about it, was
(13:18):
that as a Microsoft employee,
I am going
to have a
specific item on, like, my my annual assessments.
I'm gonna I'm gonna have a core priority
that basically aligns to saying, what did Scott
do to contribute to the overall security of
Microsoft?
So now it's if it wasn't part of
(13:39):
my job, and it was part of my
job, but now it's it's really there. It's
front and center, and it's effectively, like, priority
0. Right? I need to get in, and
I need to do these things. And as
every employee is doing that across every part
of the stack,
I think you're gonna see an acceleration
in not only the features that are available
to you, and this is just my hunch.
(14:00):
Right? As we all lean into it, like,
you'll see an acceleration in the features that
are available, but you'll also probably see an
acceleration
in application of those features, timelines for implementing
those features, things like that, because there's gonna
be a rapid desire not only to move,
like, internal workloads away from an unsecure posture,
(14:21):
but also to move customers that way. And
we'll learn a bunch as we're moving internal
stuff that way, and then that'll eventually
disseminate out to the rest of the world.
But
when you're looking at this stuff,
I I think just to give you the
perspective of, hey, somebody who works at Microsoft,
like, literally part of my job now. And
so when I say I'm not a security
(14:41):
expert, I gotta become one at least in
some ways for like the things I own
and the things that
I'm accountable for
so that I can move that forward because
it's gonna be something that
directly
ties back to my performance at work. Yeah.
And with that, it wouldn't surprise me. Like,
they have guidance now for how to turn
off security defaults, so you can still go
(15:03):
in and disable it. You mentioned if you
don't wanna do security defaults, the next logical
step is conditional access.
It would not surprise me to see them
get to a point where if you turn
off security defaults,
you either, a, need to go implement certain
conditional access policies
within x amount of days to not have
(15:26):
security defaults turned back on, or even when
you turn it off, it goes and automatically
creates some conditional access policies
to
mirror what security defaults did just because you
don't wanna find yourself in that state where
you're completely
unsecured. And they already give you guidance, they
just don't necessarily
force you into it yet. It'll be interesting
(15:47):
to see if they move in that direction.
But you wanna go to conditional access. This
is where I tend to go. I tell
most of my customers,
don't tell Microsoft this, Scott. I think the
price of EntraID
plan 1 is worth it just for conditional
access and what you can do. And I
think we've done whole episodes on that, but
(16:08):
it is an EntraID
p one
SKU, so you have to license everybody for
EntraID p one to do conditional access. But
then you get all the customization,
you can tweak it, and you can even
make it more secure. If you want to
just make that step and you're like, you
know what? I've had security defaults. I haven't
done conditional access yet,
(16:30):
but I wanna move in that direction, Microsoft
does provide your security foundations
category
of
templates in conditional access. So, essentially, you can
go into Entra, go to security
I think it's under secure or protection and
then security and conditional access, Select templates and
they have categories,
(16:50):
and one of those is secure foundation, and
it has a template for all of those
conditional access policies
that that security defaults implements. You can go
click through and just deploy all
what 7 templates it looks like in conditional
access to
replicate security defaults within your tenant. So this
(17:12):
is one that again, if you're not doing
security defaults, absolutely go do this. This is
a nice first step for anybody that wants
to move in that direction and wants to
see how do these conditional access policies work.
Use this template or, frankly, any of the
templates in there to start creating those policies
and
get those in place instead and see what
(17:33):
they look like, how those settings look, that
type of stuff. It's all well documented.
Right? So the other thing is
even if you didn't wanna use the template,
you can technically go spin this stuff up
yourself,
and next next your way through it or
use the various automation tooling and things like
that to get it to where it needs
to be. There's a lot you can do
with conditional access. We can do a whole
(17:54):
episode on that if we haven't. I'm pretty
sure we have. I've done YouTube videos on
it.
Do you feel overwhelmed by trying to manage
your Office 365
environment? Are you facing unexpected issues that disrupt
your company's productivity? IntelliJunk is here to help.
Much like you take your car to the
mechanic that has specialized knowledge on how to
(18:15):
best keep your car running, Intelligent helps you
with your Microsoft cloud environment because that's their
expertise.
Intelligent keeps up with the latest updates in
the Microsoft cloud to help keep your business
running smoothly and ahead of the curve. Whether
you are a small organization with just a
few users, up to
1000 employees,
they want to partner with you to implement
(18:36):
and administer your Microsoft Cloud technology.
Visit them at inteligink.com/podcast.
That's intell
ing.com/podcast
for more information or to schedule a 30
minute call to get started with them today.
Remember, IntelliJ focuses on the Microsoft cloud, so
(18:58):
you can focus on your business.
What you would do next. So so you
either did security defaults, you've done conditional access,
you have
base I would say that's base
authentication
security. Right? You're protecting your user accounts and
how they're logging in with those 2, but
there's a lot more to security
(19:20):
than just go in and turn on security
defaults or turn on conditional access policies. There's
just a hint or a hair or more
to that. Yeah. And if you're we're going
going back to the question
a little bit is how to evaluate new
tenant security, eval, resources, tools. I'm thinking, given
the time, maybe we do a third a
(19:40):
second one on tools.
The next place I go before I would
even go implement tools or look at tools
is I head over to
the security center that you have in Microsoft
365.
Security.microsoft
dotcom. If you go to admin.microsoft.com
and go to security there, underneath,
they keep changing the navigation around in here.
(20:03):
I think it is under
where did they move it? They moved it
under some place in there. You can go
search for it. Is you have your secure
score. And every time I need it, I'm
able to find it, exposure management.
There it is. So if you stand out
exposure management, you can look at your secure
score, and this gives you an overview
of
(20:24):
your security posture and your tenant. So it'll
give you some score.
My score is 53.73%.
I have achieved
748.99
out of a possible 1394
points. I don't know about you, Scott. I
have never seen anybody get this to a
100. So if you go in here, I
think new tenants start out
(20:47):
somewhere in the 40 to 50%
range
if you don't do anything. I continue to
not like Secure Score. I wish it was
more like Azure Advisor recommendations.
K. Here's the set of things that you
should consider doing kinda thing. But the way
it's presented as, like, a hard number with
a percentage, it really makes you feel like
you should get to a 100%,
(21:09):
and
I don't believe that's the intention behind it.
Like, I've never run into anybody who thinks
it's that way
nor have I met anyone who's ever gotten
a 10 to 100. If you ever have,
hey, give us a call. Come on the
show. We'd love to have you. Well, walk
us through, like, how many prompts your users
go through every time they, like, click a
(21:30):
button. So the intent isn't to get you
to a 100%, but it's in in intended
to get you to
incrementally
approve or improve your posture over time because
there could be, like, new rules that are
added.
There could be new metrics that are evaluated,
things like that. So as long as you're
comfortable with it, like, it turns out that,
like, your score of
(21:50):
53.73%,
that could actually be your version of a
100. Right? K. We're comfortable. We're ready. We're
good to go.
For somebody else, it could be 60. For
somebody else, it could be 40.
50 feels like an actually, like, a pretty
good number, like, in the model for what's
out there.
But, yeah, you're not gonna get to a
(22:11):
100, nor do I believe the intent is
to get you to a 100. Yeah. And
that's the way I tell clients to look
at it too is within the secure score,
you get an overview, but you also get
a history. So I can see that my
historic
score over the last
I don't know. I'm looking at the last
3 months
has increased 2.19%.
So my security has gotten incrementally better. There
(22:33):
are times it's decreased, there are times it's
increased,
but I treat it more as, am I
getting better or worse at security?
Not, am I getting up to a 100%
when I'm looking at the score. To your
point about the adviser, what I like about
Secure Score is it comes up with that
score based on a list of recommended actions.
(22:54):
So if I look at mine, I actually
have I should go look at this. I
have actions to review 7 are
regressed. So something has regressed in my tenant,
whether something got turned off or a
policy that was applying to devices,
a device got removed from it. Somehow, there's
something that regressed, and then I have a
(23:16):
126
actions to address. And, again, I would say
the dangerous is people look at it and
they're like, oh, I got a 126
things I need to fix in my tenant.
No. There's a 126
recommended actions
that you can go look at, ranging from
things like blocking JavaScript or VB scripts from
launching
downloaded
(23:36):
executable
content
to blocking office applications from creating executable
content,
unsigned processes running on USBs,
disabling basic authentication for the winrm
client.
Like, there's a whole bunch of things. And
to your point, Scott, I treat this as
(23:57):
okay. Let's go look at this.
It does give you
a percentage. If you go do this,
your score is going to increase by
0.57%,
by 0.65%.
The other thing to call out is your
score is different than my score, which is
different from the next person's score. And even
to, like, the degree of, k, here's your
(24:18):
max score and how your percentage is configured
and things like that. Because one of the
things that strikes me as I look at
yours, you talked about, okay, maybe the default
score being someplace in, like, the forties for
a new tenant. You're not a new tenant,
and you have a bunch of stuff lit
up. Like, you have things related to devices
in here. So because Secure Score
(24:38):
technically falls under Defender, and it's part of
the whole, like, Defender XDR
suite thing that's going on, So you're seeing
a bunch of things that are potentially applicable,
not just to where we started off with
entry ID
and just access policies
around identity.
Now we've extended into the world of
(24:59):
devices and device specific configuration
and the the behaviors of my users that
are out there. And then this takes us
back to the same conversation we had with
secure defaults versus CA policies and things like
you might be able to turn it all
on, you might not be able to turn
it all on, or it at least points
you in a direction where you wanna go.
(25:20):
Oh,
I thought about Office Mac this is legit.
The last time I thought about Office Macros
was probably 2 plus years ago,
but maybe seeing it on there is enough
to, like, just light up an admin's brain
and say, oh, we should go reevaluate that
and see if we can improve
improve our posture there and move things forward.
Or maybe you wanna look at these things
(25:42):
by their categories
and where they sit, and these things are
categorical.
Like, even if you look down what you
have on the screen right now, it's Exchange
Online, it's Teams,
it's Office. It's very workload centric,
so you can go in and choose, I
I guess, workload or solution or scenario, like,
depending on how you slice it. So if
(26:03):
you wanted to come in and you wanted
to just do, like, the secure score equivalents
for identity, you could absolutely dial into just
enter ID and the things that are going
on there. Yep. And that's 100%
what I do. Like, I've looked down this
list and I treat it as a checklist,
but what you mentioned is a prompt for,
oh, yeah. I didn't think about this. I
(26:23):
didn't think about turning on customer lockbox feature,
or I didn't think about
dial in users
bypassing the meeting lobby because I do a
bunch of Teams meetings. This does let you
sort filtered group by scores, by how you
can improve it, by the status, if you've
actually addressed it or not, categories for it,
(26:44):
identity versus apps,
products, devices,
all of that.
And the other thing I would say too
about this, Scott,
is this tries to automate it. It tries
to look at your configuration
and say,
yeah, you've done this or you haven't done
this. But there's things like configuring VPN integration
(27:04):
or
especially when you get into some of the
devices,
disabling machine account password changes.
This,
in so much as it can automate it,
it depends on you using Microsoft 365
for everything.
Just a little bit. Yeah. If you're using
AirWatch for device management
or one of the other third parties,
(27:25):
if you're using
Sophos, I was talking to somebody the other
day using Sophos for endpoint management, There may
be some of this stuff that you've already
addressed via a third party tool that your
Secure Score just doesn't know about. So they
do give you the option to also manually
go in and say it's addressed
or, again, your percentage, it's a guideline. It
(27:45):
may not know everything that you have done,
especially if you've done it in ways outside
of managing it within the Microsoft 365 ecosystem.
Yeah. You almost want the button like, I'm
never gonna do this. Don't evaluate me on
it.
Yeah. There are some in here I look
at. It's black USB devices from working on
your endpoints. I'm like, no. I'm not ever
gonna completely disable USB on all my endpoints.
(28:08):
Some people may. Some places, it's a requirement.
Mine, it's not. So it's a security risk
I'm willing to accept even though it lowers
my secure score. But this is
after I look at security defaults and conditional
access, the next place
I would go from evaluating a tenant is
just almost working through this with a client.
What of these do you care about? Or
(28:29):
I tell a client, go look through this
list. What of these do you care about?
What of these do you wanna know more
about? Which ones of these are you like,
yeah, we've already taken care of that? But
using it as a starting checklist
for
what are some other security things I should
be thinking about or addressing within
(28:49):
my Microsoft 365 tenant. All of this just
lets you widen the net. So where should
you start? Arguably, identity 100% of the time,
right? It's your first gateway into all of
these things, like,
you're not using Teams
until you're logging in through enter ID, full
stop. So start on the identity side, and
then this approach of, hey, let's go in
(29:11):
and cast a wider net and see what
else is out there. Like, the I'm gonna
throw a pebble into the pond and see
how many ripples it creates kinda thing,
and you can start to
do that this way. So, great, I've got
the identity thing. Oh, it turns out that
security score tells me more about identity
than even just the security defaults did
(29:33):
or than some of the stuff that maybe
I saw while I was clicking around in
conditional access or reading the docs. Great. Those
are other things I can look at. Now
I just looked at identity. What do I
wanna look at next? Do I wanna look
at my cloud hosted workloads like Teams and
Exchange and SharePoint?
Or do I wanna look at
desktops
and devices that that that exist out there?
(29:54):
And you can start to
just keep searching, right? And every layer you
peel back, you you find a new thing,
and it gives you more work to do.
And like I said, if there's somebody out
there and you're listening to this and you're
like, I've gotten a tenant to a 100%,
I wanna hear about it. I wanna hear
if anybody's even gotten it to 90. I
won't even set the bar at a 100.
90%,
I would love to hear about it. 90%.
(30:15):
Let us know. We have a contact form.
You just go to msclouditpropodcast.comormsclouditpro.com.
I think we redirect these days, and just
hit the contact form, let us know. If
you're a member, come ping us in Discord.
We'd love to have you on and participate
in real time. We can make it happen.
Ben and I are curious. Absolutely.
(30:36):
With that, should we wrap it up and
continue
our discussion next time
on evaluating
security, whether it be Azure, whether it be
third party tools, whether it be some other
random security thing we think of? I think
next time, because because we did the research
on it, we should talk about tools next
time and ways to and I consider, like,
Secure Score a tool. Right? Like, you browse
(30:58):
to this website, you've pulled it up, it's
giving you some actionable information. There's a bunch
of other ways to get at this data
as well
through
the API surface that's available
in Entra, including our friend, the Microsoft Graph.
So we can talk about some tools and
some ways to interrogate
and visualize
(31:18):
tenant configurations
through some of the stuff that's out there.
We can also talk about tools and ways
to, like, break into your environments and things
like that, so, like, vulnerability testing for these
environments. Perfect. Sounds like a plan. Thanks, Scott.
With that, go enjoy your, hopefully,
your hurricane free, hopefully, a nice weather weekend.
I'm going to Denver this weekend, so I
(31:39):
got a concert at Red Rocks that I
gotta get to. I'm jealous. I'm staying in
Florida this weekend where it is currently feels
like a 112 degrees outside. So I'm gonna
go outside and play pickleball because somehow in
my mind, that's a great idea. I was
in Denver last week for another concert, and
it was 98 degrees Fahrenheit, and there were
forest fires. So don't feel bad for me.
(31:59):
Alright. I won't. Sounds good. Well, enjoy. Hopefully,
you have better weather this weekend, and we
will talk to you again soon. Alright. Thanks,
Ben. Alright. Thanks, Scott.
If you enjoyed the podcast, go leave us
a 5 star rating in iTunes. It helps
to get the word out so more IT
pros can learn about Office 365
and Azure.
If you have any questions you want us
(32:20):
to address on the show, or feedback about
the show, feel free to reach out via
our website,
Twitter, or Facebook.
Thanks again for listening, and have a great
day.
Welcome to episode
382 of the Microsoft Cloud IT Pro Podcast,
recorded live on August 9, 2024.
This is a show about Microsoft 365
and Azure from the perspective of IT pros
and end users, where we discuss the topic
or recent news and how it relates to
you. Today, we start diving into tools for
safeguarding your organization in the cloud first world,
(00:27):
talking about some of the pros and cons
as well as when you might want to
use some of these various tools. We start
off talking about security defaults in Microsoft EntraID
before moving into conditional access.
We wrap up the episode discussing
Secure Score in Microsoft Defender XDR.
(00:47):
Should we talk about something Microsoft 365 related?
Let's get into it. M 365
day. It Maybe a little bit of Azure.
We'll see what we can work in. This
might be a little bit
of Entra stuff, which as we have discussed
multiple times spans
both Entra or both Microsoft 365
and Azure. But this came from
(01:10):
kinda some things that people have brought up,
questions that have been asked, and it was
around security. And I think the specific question,
if I go pull it up, was
somebody asked more how do you would or
how would you how do you how to
evaluate new tenants,
evaluate
security
(01:31):
resources out there to get statuses on your
tenant.
Like, I went and stood up a brand
new tenant, again, whether it be Azure or
Microsoft 365, I have a brand new Entra.
Where do I go from here from a
security perspective? It's the gist of the question.
It's an interesting question, right, especially in split
brained land where, like you said, Entra comprises
(01:54):
functionality
across both the M365
stack and Azure as well.
Yeah. So security is like a far ranging
topic, and I would preface all this with
I am by no means a security expert.
But that being said, like, there's a bunch
of tools out there that are available
to us mere mortals
(02:16):
to help us rationalize
current configuration.
Hey. How does stuff look today? And then
maybe for folks like me who aren't experts,
what are some logical defaults
or some things that I should think about
going and configuring
to improve the posture
of the security configuration
of my tenant.
(02:37):
And to a certain degree, not even just
my tenant, like, the users who interact with
my tenant because users who interact with my
tenant could be in my tenant, or they
could be guest accounts or other things that
are coming in to
interact across SharePoint and other workloads like that.
We talked before. We are going to I'm
not gonna commit to a time, but we
are gonna try to keep these somewhat
(02:59):
time boxed. So this very well may turn
into a multipart episode too. To your point,
this is
a very broad topic across everything. So I
think from my perspective,
where I first start, new clients come to
me, and this one is m 365, but
it does touch Azure is I have a
new tenant. I stood up Microsoft 365.
(03:20):
I stood up Azure. I now have Entra.
What do I do? And the first thing,
and this is a newer one, is
by default now, everybody has security defaults
that are enabled in your tenant.
These are also I don't have these been
turned on by an old tenant yet? I
don't I can't remember, and I don't see
the timeline on here of when Microsoft was
(03:43):
gonna force these on.
These should be turned on
in existing tenants as well. So
at this point, if you have a tenant
that was created after
2019,
give or take. Like, it it was late
2019, early 2020 when a lot of this
stuff rolled out
(04:04):
as far as security defaults. So if you
had, like, a new m 365
environment that came up, o 365,
you set up a new Azure subscription and
a new entry ID tenant or Azure AD
tenant as they were called back then,
then you should have some permutation
of this.
Like many things that Microsoft does, I think
(04:25):
if you have an established tenancy and you
were somebody who, like, looked after it, you
were probably somebody who's decided to, like, slow
roll it, or maybe you blocked it for
a while.
So
it it could be in, like, various states
within
your
own tenant configuration
today.
But it's actually it it's pretty easy to
(04:47):
look. So you can hop into the entry
ID admin center.
You have to have a role that is
at least a security administrator.
And then if you go into
the identity blade and just the kind of
overview of
your entry
tenant your entry ID tenant,
The properties for it, they just have a
(05:08):
little, basically, am I enabled or am I
disabled for security defaults
that you can go ahead and flip through.
And, like I said, I think,
my approach to to this stuff back when
I always used to do it was to
slow roll it and say, oh, yeah. Microsoft
gave me an easy button, but I might
wanna turn that on a little bit more
(05:29):
piecemeal rather than stepping in and having everything
all at once, like requiring all users to
enroll in MFA, requiring all my admins to
do MFA,
and all the blocking legacy authentication protocols, a
lot of stuff, and, like, doing all those
permutations at once, sometimes you wanna slow roll
those and do them yourself. And if you
are of that, like, kinda person, right, okay,
(05:52):
that's your approach, nothing wrong with it, I
think this even that the security defaults are
there and documented, like, it's another thing to
go and look at and say, k, what's
my posture? Where am I at? Maybe I
haven't turned it all on, but do I
have a plan? Am I aligned to best
practices? Those kinds of things. Yeah. The one
thing I would say though so this is
my biggest
(06:12):
I would say my biggest gripe with security
default is you can't slow roll it. You
cannot. It is
either on or off, and I get why
Microsoft did this. Like, you had a bunch
of old legacy tenants and new tenants that
were getting stood up that people were not
doing any sort of security with. And
this has a lot of those basic controls
you said. So if you turn this on
(06:33):
or if it is on, what security default
is requiring
MFA for all users, it's requiring
or to register for MFA, it's requiring admins
to do MFA, multifactor authentication.
It's requiring users to do MFA
when necessary.
So it's not all the time like, this
is gonna probably be tied to certain risks
(06:55):
or certain conditions that they're triggering. You don't
really have any control over it. Microsoft decides
when necessary is and isn't. Like you said,
it blocks legacy authentication,
and it protects privileged activities
like access to the Azure portal. So you
turn it on, it's gonna do all those
things. You turn it off, it's not gonna
do any of those. But there's nothing bad
in here.
There's the degrees of maturity
(07:17):
with
your comfort with an environment. So I would
go to you, and I would say, hey,
Ben. Help me out with the configuration
of my AD sorry, enter ID tenant. And
you go, sure. Gotcha. Been doing this for
years years. I know where all the knobs
and levers are. Let's go turn them. What
kind of customer are you? Oh, I see
you've got I see you have premium licenses
(07:39):
for entry ID. Like, you have a mix
of p ones, p twos. Maybe you're all
p twos, all p ones, whatever it is.
So you're immediately gonna clue into
the world of
I know what's available to you and
where you can really lean into
the complexity
of that organization's requirements and where they wanna
(08:02):
land. Because they're licensed for it, you'll have
access to things like conditional access
and CA policies and
all the power that comes along with those.
And on the flip side,
there are people out there who just go
and sign up for new GoDaddy tenants,
and, yeah, they're Don't do that. No. Don't
(08:22):
do it. Nobody. Don't do it. But people
do it. Okay. But people do. And for
those people who do it, like, they're not
the most
they're not the deepest into the ecosystem. Right?
They they don't have that same level of
maturity. They don't carry the licenses,
particularly for some of the more advanced features
in things like conditional access.
So in that world, security defaults is nice
(08:45):
because,
yeah, it can cause some pain.
We can argue how much the pain's worth
it, but it immediately puts your posture in
a place where you're at least covered for
the vast majority of the basics
for free, and you didn't have to do
anything and go with it.
Again, if you're a customer out there or
(09:06):
you're an administrator, developer, whatever it is, and
you're looking at this and you go, I
know my way around this. I'm gonna script
it out, or I'm gonna click next next
next,
and I'm really gonna dial it in. Security
defaults isn't for you. So, in that case,
you can just use the documentation
for security defaults as, hey, what are the
things that I should think about doing within
my environment?
(09:27):
Should I require all users to register for
MFA?
I might look at that and say, yeah.
All users, but not really all users because
you're gonna have a segment of users that,
you might not want to be eligible for
MFA today based on your organizational constraints, maybe
like a break glass account or something like
that. Right? Like, you you have the exceptions,
(09:48):
and you know how to
drive into those
and configure those kinds of things. But for
those that require the easy button or for
those that are net new, I really don't
think there's anything wrong with having the easy
button enabled by default, especially as long as
you can come back and upgrade later
or you can disable it. But at least
at that point, it's a conscientious decision on
(10:10):
your part as a customer to come in
and do it. So I can totally see
where, like, as a service provider on the
Microsoft side, they're saying, like, hey, we want
you to be in the best default posture
that you can be. And that's often at
the expense of
a little bit of pain
and a little bit of friction because for
better or worse, like, all these things, like
(10:32):
turning on MFA
and having all the authentication methods and locking
users down to things like just certain authenticator
apps and things like that.
It's it is necessary,
which is sad when that's a conversation for
another day. I agree. 100%. All of these
are good things to have, and to the
pain point, it's not nearly as painful as
(10:52):
it used to be. I would say 3
years ago, the legacy authentication
would really bite people. They'd go toggle this
on and all of a sudden a whole
bunch of stuff would break because they were
still running old Office clients or they were
still using app passwords, that type of stuff.
But I am glad they have this as
a default state. There's a few times that
I've been in a few situations where I'm
(11:13):
like, you know what? I wish I could
toggle, like, one of these off where it
is. It's a small business. They don't wanna
go pay for conditional access, but you run
into
those weird one off scenarios
where
legacy authentication is causing an issue.
That's probably the biggest one. But, again, over
the last 3 years, as everybody has gone
(11:34):
away from legacy auth, this is absolutely
a good thing to have in place by
default.
The only other thing I would say with
this is I still see some people that
have this
auth. They're like, I'm doing, like, the per
user MFA, like, the old school per user
MFA, and we've talked about that being legacy.
That is going to go away at some
point in time. So if you're still relying
(11:54):
on that to turn off MFA in certain
situations
and leaving security defaults off, 1, security defaults
gives you a lot more production than just
that legacy MFA, and 2, that is gonna
go away. I think folks should be prepared
for stuff to
start getting dialed in and change more rapidly
as well. If you go out and you
(12:15):
just look at the news
for
security incidents
across Microsoft,
Azure, Google,
like, the these things definitely exist, right? They're
out there. And then you consider, like, the
spread and what's going on between having to
protect cloud resources,
protect local machines,
(12:36):
and all these kinds of things,
it's in the service provider's best interest to,
like, really start to dial things in
and lock things down.
If I was a Microsoft customer, I would
go out and look at things like the
Secure Future initiative,
which has been publicly talked about, but, hey,
(12:57):
these these are some thoughts and approaches and
ways that we are going to align
to
being the most secure that we can be.
And I'm a Microsoft employee. That bubbles back
to me, actually. So one of the things
that was publicly reported last week,
I think I saw an article on The
Verge about it, was
(13:18):
that as a Microsoft employee,
I am going
to have a
specific item on, like, my my annual assessments.
I'm gonna I'm gonna have a core priority
that basically aligns to saying, what did Scott
do to contribute to the overall security of
Microsoft?
So now it's if it wasn't part of
(13:39):
my job, and it was part of my
job, but now it's it's really there. It's
front and center, and it's effectively, like, priority
0. Right? I need to get in, and
I need to do these things. And as
every employee is doing that across every part
of the stack,
I think you're gonna see an acceleration
in not only the features that are available
to you, and this is just my hunch.
(14:00):
Right? As we all lean into it, like,
you'll see an acceleration in the features that
are available, but you'll also probably see an
acceleration
in application of those features, timelines for implementing
those features, things like that, because there's gonna
be a rapid desire not only to move,
like, internal workloads away from an unsecure posture,
(14:21):
but also to move customers that way. And
we'll learn a bunch as we're moving internal
stuff that way, and then that'll eventually
disseminate out to the rest of the world.
But
when you're looking at this stuff,
I I think just to give you the
perspective of, hey, somebody who works at Microsoft,
like, literally part of my job now. And
so when I say I'm not a security
(14:41):
expert, I gotta become one at least in
some ways for like the things I own
and the things that
I'm accountable for
so that I can move that forward because
it's gonna be something that
directly
ties back to my performance at work. Yeah.
And with that, it wouldn't surprise me. Like,
they have guidance now for how to turn
off security defaults, so you can still go
(15:03):
in and disable it. You mentioned if you
don't wanna do security defaults, the next logical
step is conditional access.
It would not surprise me to see them
get to a point where if you turn
off security defaults,
you either, a, need to go implement certain
conditional access policies
within x amount of days to not have
(15:26):
security defaults turned back on, or even when
you turn it off, it goes and automatically
creates some conditional access policies
to
mirror what security defaults did just because you
don't wanna find yourself in that state where
you're completely
unsecured. And they already give you guidance, they
just don't necessarily
force you into it yet. It'll be interesting
(15:47):
to see if they move in that direction.
But you wanna go to conditional access. This
is where I tend to go. I tell
most of my customers,
don't tell Microsoft this, Scott. I think the
price of EntraID
plan 1 is worth it just for conditional
access and what you can do. And I
think we've done whole episodes on that, but
(16:08):
it is an EntraID
p one
SKU, so you have to license everybody for
EntraID p one to do conditional access. But
then you get all the customization,
you can tweak it, and you can even
make it more secure. If you want to
just make that step and you're like, you
know what? I've had security defaults. I haven't
done conditional access yet,
(16:30):
but I wanna move in that direction, Microsoft
does provide your security foundations
category
of
templates in conditional access. So, essentially, you can
go into Entra, go to security
I think it's under secure or protection and
then security and conditional access, Select templates and
they have categories,
(16:50):
and one of those is secure foundation, and
it has a template for all of those
conditional access policies
that that security defaults implements. You can go
click through and just deploy all
what 7 templates it looks like in conditional
access to
replicate security defaults within your tenant. So this
(17:12):
is one that again, if you're not doing
security defaults, absolutely go do this. This is
a nice first step for anybody that wants
to move in that direction and wants to
see how do these conditional access policies work.
Use this template or, frankly, any of the
templates in there to start creating those policies
and
get those in place instead and see what
(17:33):
they look like, how those settings look, that
type of stuff. It's all well documented.
Right? So the other thing is
even if you didn't wanna use the template,
you can technically go spin this stuff up
yourself,
and next next your way through it or
use the various automation tooling and things like
that to get it to where it needs
to be. There's a lot you can do
with conditional access. We can do a whole
(17:54):
episode on that if we haven't. I'm pretty
sure we have. I've done YouTube videos on
it.
Do you feel overwhelmed by trying to manage
your Office 365
environment? Are you facing unexpected issues that disrupt
your company's productivity? IntelliJunk is here to help.
Much like you take your car to the
mechanic that has specialized knowledge on how to
(18:15):
best keep your car running, Intelligent helps you
with your Microsoft cloud environment because that's their
expertise.
Intelligent keeps up with the latest updates in
the Microsoft cloud to help keep your business
running smoothly and ahead of the curve. Whether
you are a small organization with just a
few users, up to
1000 employees,
they want to partner with you to implement
(18:36):
and administer your Microsoft Cloud technology.
Visit them at inteligink.com/podcast.
That's intell
ing.com/podcast
for more information or to schedule a 30
minute call to get started with them today.
Remember, IntelliJ focuses on the Microsoft cloud, so
(18:58):
you can focus on your business.
What you would do next. So so you
either did security defaults, you've done conditional access,
you have
base I would say that's base
authentication
security. Right? You're protecting your user accounts and
how they're logging in with those 2, but
there's a lot more to security
(19:20):
than just go in and turn on security
defaults or turn on conditional access policies. There's
just a hint or a hair or more
to that. Yeah. And if you're we're going
going back to the question
a little bit is how to evaluate new
tenant security, eval, resources, tools. I'm thinking, given
the time, maybe we do a third a
(19:40):
second one on tools.
The next place I go before I would
even go implement tools or look at tools
is I head over to
the security center that you have in Microsoft
365.
Security.microsoft
dotcom. If you go to admin.microsoft.com
and go to security there, underneath,
they keep changing the navigation around in here.
(20:03):
I think it is under
where did they move it? They moved it
under some place in there. You can go
search for it. Is you have your secure
score. And every time I need it, I'm
able to find it, exposure management.
There it is. So if you stand out
exposure management, you can look at your secure
score, and this gives you an overview
of
(20:24):
your security posture and your tenant. So it'll
give you some score.
My score is 53.73%.
I have achieved
748.99
out of a possible 1394
points. I don't know about you, Scott. I
have never seen anybody get this to a
100. So if you go in here, I
think new tenants start out
(20:47):
somewhere in the 40 to 50%
range
if you don't do anything. I continue to
not like Secure Score. I wish it was
more like Azure Advisor recommendations.
K. Here's the set of things that you
should consider doing kinda thing. But the way
it's presented as, like, a hard number with
a percentage, it really makes you feel like
you should get to a 100%,
(21:09):
and
I don't believe that's the intention behind it.
Like, I've never run into anybody who thinks
it's that way
nor have I met anyone who's ever gotten
a 10 to 100. If you ever have,
hey, give us a call. Come on the
show. We'd love to have you. Well, walk
us through, like, how many prompts your users
go through every time they, like, click a
(21:30):
button. So the intent isn't to get you
to a 100%, but it's in in intended
to get you to
incrementally
approve or improve your posture over time because
there could be, like, new rules that are
added.
There could be new metrics that are evaluated,
things like that. So as long as you're
comfortable with it, like, it turns out that,
like, your score of
(21:50):
53.73%,
that could actually be your version of a
100. Right? K. We're comfortable. We're ready. We're
good to go.
For somebody else, it could be 60. For
somebody else, it could be 40.
50 feels like an actually, like, a pretty
good number, like, in the model for what's
out there.
But, yeah, you're not gonna get to a
(22:11):
100, nor do I believe the intent is
to get you to a 100. Yeah. And
that's the way I tell clients to look
at it too is within the secure score,
you get an overview, but you also get
a history. So I can see that my
historic
score over the last
I don't know. I'm looking at the last
3 months
has increased 2.19%.
So my security has gotten incrementally better. There
(22:33):
are times it's decreased, there are times it's
increased,
but I treat it more as, am I
getting better or worse at security?
Not, am I getting up to a 100%
when I'm looking at the score. To your
point about the adviser, what I like about
Secure Score is it comes up with that
score based on a list of recommended actions.
(22:54):
So if I look at mine, I actually
have I should go look at this. I
have actions to review 7 are
regressed. So something has regressed in my tenant,
whether something got turned off or a
policy that was applying to devices,
a device got removed from it. Somehow, there's
something that regressed, and then I have a
(23:16):
126
actions to address. And, again, I would say
the dangerous is people look at it and
they're like, oh, I got a 126
things I need to fix in my tenant.
No. There's a 126
recommended actions
that you can go look at, ranging from
things like blocking JavaScript or VB scripts from
launching
downloaded
(23:36):
executable
content
to blocking office applications from creating executable
content,
unsigned processes running on USBs,
disabling basic authentication for the winrm
client.
Like, there's a whole bunch of things. And
to your point, Scott, I treat this as
(23:57):
okay. Let's go look at this.
It does give you
a percentage. If you go do this,
your score is going to increase by
0.57%,
by 0.65%.
The other thing to call out is your
score is different than my score, which is
different from the next person's score. And even
to, like, the degree of, k, here's your
(24:18):
max score and how your percentage is configured
and things like that. Because one of the
things that strikes me as I look at
yours, you talked about, okay, maybe the default
score being someplace in, like, the forties for
a new tenant. You're not a new tenant,
and you have a bunch of stuff lit
up. Like, you have things related to devices
in here. So because Secure Score
(24:38):
technically falls under Defender, and it's part of
the whole, like, Defender XDR
suite thing that's going on, So you're seeing
a bunch of things that are potentially applicable,
not just to where we started off with
entry ID
and just access policies
around identity.
Now we've extended into the world of
(24:59):
devices and device specific configuration
and the the behaviors of my users that
are out there. And then this takes us
back to the same conversation we had with
secure defaults versus CA policies and things like
you might be able to turn it all
on, you might not be able to turn
it all on, or it at least points
you in a direction where you wanna go.
(25:20):
Oh,
I thought about Office Mac this is legit.
The last time I thought about Office Macros
was probably 2 plus years ago,
but maybe seeing it on there is enough
to, like, just light up an admin's brain
and say, oh, we should go reevaluate that
and see if we can improve
improve our posture there and move things forward.
Or maybe you wanna look at these things
(25:42):
by their categories
and where they sit, and these things are
categorical.
Like, even if you look down what you
have on the screen right now, it's Exchange
Online, it's Teams,
it's Office. It's very workload centric,
so you can go in and choose, I
I guess, workload or solution or scenario, like,
depending on how you slice it. So if
(26:03):
you wanted to come in and you wanted
to just do, like, the secure score equivalents
for identity, you could absolutely dial into just
enter ID and the things that are going
on there. Yep. And that's 100%
what I do. Like, I've looked down this
list and I treat it as a checklist,
but what you mentioned is a prompt for,
oh, yeah. I didn't think about this. I
(26:23):
didn't think about turning on customer lockbox feature,
or I didn't think about
dial in users
bypassing the meeting lobby because I do a
bunch of Teams meetings. This does let you
sort filtered group by scores, by how you
can improve it, by the status, if you've
actually addressed it or not, categories for it,
(26:44):
identity versus apps,
products, devices,
all of that.
And the other thing I would say too
about this, Scott,
is this tries to automate it. It tries
to look at your configuration
and say,
yeah, you've done this or you haven't done
this. But there's things like configuring VPN integration
(27:04):
or
especially when you get into some of the
devices,
disabling machine account password changes.
This,
in so much as it can automate it,
it depends on you using Microsoft 365
for everything.
Just a little bit. Yeah. If you're using
AirWatch for device management
or one of the other third parties,
(27:25):
if you're using
Sophos, I was talking to somebody the other
day using Sophos for endpoint management, There may
be some of this stuff that you've already
addressed via a third party tool that your
Secure Score just doesn't know about. So they
do give you the option to also manually
go in and say it's addressed
or, again, your percentage, it's a guideline. It
(27:45):
may not know everything that you have done,
especially if you've done it in ways outside
of managing it within the Microsoft 365 ecosystem.
Yeah. You almost want the button like, I'm
never gonna do this. Don't evaluate me on
it.
Yeah. There are some in here I look
at. It's black USB devices from working on
your endpoints. I'm like, no. I'm not ever
gonna completely disable USB on all my endpoints.
(28:08):
Some people may. Some places, it's a requirement.
Mine, it's not. So it's a security risk
I'm willing to accept even though it lowers
my secure score. But this is
after I look at security defaults and conditional
access, the next place
I would go from evaluating a tenant is
just almost working through this with a client.
What of these do you care about? Or
(28:29):
I tell a client, go look through this
list. What of these do you care about?
What of these do you wanna know more
about? Which ones of these are you like,
yeah, we've already taken care of that? But
using it as a starting checklist
for
what are some other security things I should
be thinking about or addressing within
(28:49):
my Microsoft 365 tenant. All of this just
lets you widen the net. So where should
you start? Arguably, identity 100% of the time,
right? It's your first gateway into all of
these things, like,
you're not using Teams
until you're logging in through enter ID, full
stop. So start on the identity side, and
then this approach of, hey, let's go in
(29:11):
and cast a wider net and see what
else is out there. Like, the I'm gonna
throw a pebble into the pond and see
how many ripples it creates kinda thing,
and you can start to
do that this way. So, great, I've got
the identity thing. Oh, it turns out that
security score tells me more about identity
than even just the security defaults did
(29:33):
or than some of the stuff that maybe
I saw while I was clicking around in
conditional access or reading the docs. Great. Those
are other things I can look at. Now
I just looked at identity. What do I
wanna look at next? Do I wanna look
at my cloud hosted workloads like Teams and
Exchange and SharePoint?
Or do I wanna look at
desktops
and devices that that that exist out there?
(29:54):
And you can start to
just keep searching, right? And every layer you
peel back, you you find a new thing,
and it gives you more work to do.
And like I said, if there's somebody out
there and you're listening to this and you're
like, I've gotten a tenant to a 100%,
I wanna hear about it. I wanna hear
if anybody's even gotten it to 90. I
won't even set the bar at a 100.
90%,
I would love to hear about it. 90%.
(30:15):
Let us know. We have a contact form.
You just go to msclouditpropodcast.comormsclouditpro.com.
I think we redirect these days, and just
hit the contact form, let us know. If
you're a member, come ping us in Discord.
We'd love to have you on and participate
in real time. We can make it happen.
Ben and I are curious. Absolutely.
(30:36):
With that, should we wrap it up and
continue
our discussion next time
on evaluating
security, whether it be Azure, whether it be
third party tools, whether it be some other
random security thing we think of? I think
next time, because because we did the research
on it, we should talk about tools next
time and ways to and I consider, like,
Secure Score a tool. Right? Like, you browse
(30:58):
to this website, you've pulled it up, it's
giving you some actionable information. There's a bunch
of other ways to get at this data
as well
through
the API surface that's available
in Entra, including our friend, the Microsoft Graph.
So we can talk about some tools and
some ways to interrogate
and visualize
(31:18):
tenant configurations
through some of the stuff that's out there.
We can also talk about tools and ways
to, like, break into your environments and things
like that, so, like, vulnerability testing for these
environments. Perfect. Sounds like a plan. Thanks, Scott.
With that, go enjoy your, hopefully,
your hurricane free, hopefully, a nice weather weekend.
I'm going to Denver this weekend, so I
(31:39):
got a concert at Red Rocks that I
gotta get to. I'm jealous. I'm staying in
Florida this weekend where it is currently feels
like a 112 degrees outside. So I'm gonna
go outside and play pickleball because somehow in
my mind, that's a great idea. I was
in Denver last week for another concert, and
it was 98 degrees Fahrenheit, and there were
forest fires. So don't feel bad for me.
(31:59):
Alright. I won't. Sounds good. Well, enjoy. Hopefully,
you have better weather this weekend, and we
will talk to you again soon. Alright. Thanks,
Ben. Alright. Thanks, Scott.
If you enjoyed the podcast, go leave us
a 5 star rating in iTunes. It helps
to get the word out so more IT
pros can learn about Office 365
and Azure.
If you have any questions you want us
(32:20):
to address on the show, or feedback about
the show, feel free to reach out via
our website,
Twitter, or Facebook.
Thanks again for listening, and have a great
day.
Popular Podcasts
On Purpose with Jay Shetty
I’m Jay Shetty host of On Purpose the worlds #1 Mental Health podcast and I’m so grateful you found us. I started this podcast 5 years ago to invite you into conversations and workshops that are designed to help make you happier, healthier and more healed. I believe that when you (yes you) feel seen, heard and understood you’re able to deal with relationship struggles, work challenges and life’s ups and downs with more ease and grace. I interview experts, celebrities, thought leaders and athletes so that we can grow our mindset, build better habits and uncover a side of them we’ve never seen before. New episodes every Monday and Friday. Your support means the world to me and I don’t take it for granted — click the follow button and leave a review to help us spread the love with On Purpose. I can’t wait for you to listen to your first or 500th episode!
Stuff You Should Know
If you've ever wanted to know about champagne, satanism, the Stonewall Uprising, chaos theory, LSD, El Nino, true crime and Rosa Parks, then look no further. Josh and Chuck have you covered.
Dateline NBC
Current and classic episodes, featuring compelling true-crime mysteries, powerful documentaries and in-depth investigations. Follow now to get the latest episodes of Dateline NBC completely free, or subscribe to Dateline Premium for ad-free listening and exclusive bonus content: DatelinePremium.com