Episode Transcript
Available transcripts are automatically generated. Complete accuracy is not guaranteed.
(00:03):
Welcome to episode 401 of the Microsoft Cloud
IT Pro podcast
recorded live 05/02/2025.
This is a show about Microsoft 365
and Azure from the perspective of IT
pros and end users, where we discuss a
topic or recent news and how it relates
to you. This week, Ben and Scott are
back to Microsoft 365 security.
(00:26):
In this episode,
It's been
It's been so long since we've done this.
We've had, like, weird scheduling issues, and I've
(00:47):
been gone, and
I've been gone, and, I mean, that's pretty
much it. We had some interviews. Like, we
had some interviews from the MVP summit that
took us away from this live. Hopefully, maybe
we say this when we're back on schedule,
but with summer coming, who knows? We'll
we'll see where it goes. Real life always
tends to get in the way. Yeah.
So it does. Alright. Well, today's topic. Well,
(01:09):
today's topic. If you're live, you can see
it on the screen. If you're not live,
you should come join us in Discord. Join
the membership in Discord and come join us.
Today's topic, though, is zero trust and primarily
around Microsoft 365. Like, we could
maybe take this and extrapolate this out to
Azure.
Some of this would
kind of apply to Azure too, but primarily
(01:30):
Microsoft 365. And
I can't take a ton of credit. I
can't take a ton of credit for this.
Just say that. So Jelisk and I have
done a presentation around this a couple times
now. We did one down in Orlando
at CollabCon.
We just did it this past weekend that
feels like forever ago for Microsoft 365
(01:50):
Community Days up in Philly, which is not
really Philly Philly. It's just close. I didn't
realize how far outside of Philly it was
till I got there and got an Uber.
It's like, oh, Malvern is like sort of
Philly, but not really Philly. It's out there
a little bit.
If you're if you're doing if you're doing
Malvern, you're, like, yeah, an hour outside Philly
with traffic. So, yeah, we decided Scott, I
(02:12):
would just talk about zero trust. It'll be
interesting because I've done this with Jay, Scott,
to get your take on some of this
as well with your thoughts around Zero Trust
and implementing Zero Trust in Microsoft 365.
We'll put a bunch of links in
the chat. There's some tools too. I actually
really wanna turn this into a workshop. So
we'll see. I have a whole Zero Trust
(02:32):
workshop submitted to a couple
conferences along with Jay to see if we
can turn this into a, like, eight hour
workshop all in Zero Trust. We'll keep you
updated. If it turns into one, which conference
to go to to see the workshop version
of this? I think it's an interesting topic,
and there's a lot of knobs and levers,
particularly across
Microsoft 365. So it's it's kinda
(02:54):
easy to hop in at the front end,
I think, and talk about,
zero trust identity. What are the principles
that you let into your directory,
non person accounts versus per person accounts,
all those things like that.
But it could also be devices
in your environment, like how do those connect,
how do those come in.
(03:15):
Once you've got all those identities out there
well and and devices and things, then there's
an endpoint component. And, well, zero trust from
how you manage your endpoints from the perspective
of maybe, like, your own endpoints versus,
maybe a BYOD for, like, a partner or
a contractor
who comes into your environment, things like that.
(03:36):
All the applications, all the data,
not the infrastructure so much. Right? Like, Microsoft
takes care of a bunch of that stuff
for you. Right. But certainly, the networking aspects
of it as well, I think, are
interesting. Like, we talk a lot about, like,
clients and endpoints and how they connect, and
are they Internet bound versus private traffic?
Where does all that fall out? And then,
(03:57):
ultimately, like, once you make these decisions about
how your environment's gonna look and and how
it's gonna be structured, well, then you gotta
go put it all together.
So how do you automate that? How do
you script things out? What are the API
surfaces available to you? How do you ensure
compliance within
with within a given part of the substrate,
like, be it, like, M365
(04:18):
holistically?
Maybe it's Exchange. Maybe you'd like you said,
maybe you do some stuff over in Azure,
and you're trying to figure out, like, the
application of policy
and and how all that meets up with
those same identities, same endpoints, and and everything
along the way.
It's kinda funny how much of it, if
if you look across the stack, like, even
though it's very technology focused on M365,
(04:39):
like, a lot of stuff decomposes
back to
the artist formerly known as Azure Active
Directory, Entra ID.
We with the
common constructs that are in there for authn
and and authz, particularly around, like,
conditional access.
Some of the endpoint control with, like, Entra ID
plus Intune. Like, we start to get back
(05:00):
into that whole suite of services things and
everything that's there. So
I I'm curious where you start the zero
trust
conversation
with
your customers. Like, I know you did this
conference talk, but it's all based on your
lived reality, right, as as a consultant and
somebody who's out there kinda doing this day
to day with customers. So
(05:21):
where do you start that conversation
given
the broad swath and and just kinda the
surface area
of a
of of a SaaS suite like M365
plus the components of Azure and
things that come into it. Plus. Yeah. And
I think where I tend to start is
actually where we do start when we do
this presentation as well is more with the
(05:44):
Entra, and you mentioned it, like the Entra
ID, Azure AD,
really the identity side of it because
as you mentioned, like, when you think about
zero trust and we even we even think
about this when I talk to clients. When
clients used to do zero trust and I'm
gonna define, I should define zero trust. So
when we talk about this too We should.
(06:05):
We should take a step back. Is defining
zero trust. Right? Zero trust a lot of
times is assuming a breach. Right? Like assuming
somebody is gonna get in. Not if somebody
gets in, but when somebody is in or
assuming that somebody is gonna get into your
environment and making sure that when they do
get in, there's least privilege. Like, there's barriers
between things. I was even talking to my
kids about it the other day, and I'm
(06:26):
like, zero trust is like not if someone
got into your house, they could go everywhere.
Zero trust is almost like you lock every
door in your house so that when somebody
gets in one door, there's a whole bunch
of other doors to get through. Assume that
somebody is gonna get in. Don't give them
free rein of everything, but then give them
least privilege,
once they do get in. So make sure
(06:47):
that once you get through one door, there's
another door to get through and another door
to get through and another door to get
to, and it's just not a trust that's
there because you got in the door. And
then actually verifying, like, every step of the
process, verifying that someone is who they said
they are, verifying
that they should have access, verifying that they're
coming from the proper device. So
(07:08):
that's how I kind of frame up that
would be my my rough definition of zero
trust is assume that there's a breach, assume
somebody's in, least privilege, don't just give everybody
access to everything, and then verify
everything that they're doing what they should, they
are who they said, they're coming from where
they're supposed to be, all those things. Anything
you'd wanna add to that? No. No. I
(07:29):
think that sums it up. The the the
verify component's always a fun one. Right? Like,
customers often, like, say they
want this level of observability,
but then they find out that it costs
money to enable logs or to store logs
or to query logs and and and where
all that manifests. So I think as you're
thinking about it as a customer, like, part
of it is,
(07:49):
what are the general principles that you wanna
adopt? What does that look like within your
organization,
your users, your applications,
all all those kinds of things? But then,
yeah, like, also, what's reality for you? Like,
what
it's super easy with this stuff to talk
art of the possible because, like, really a
ton's possible, and it's been enabled within these
(08:10):
suites of tooling.
That said, they are tools that you have
to adopt. So there's art of the possible,
and then there's art of the real.
What is real for you both in context
of technologies you're comfortable managing
to the degree you're going to automate this
stuff, spin it up, make sure that you're
adhering to your own compliance principles, all that.
Like, yeah, that's great. But then also, like,
(08:31):
just what what can you stomach to turn
on? Because if you're an M365
customer today at some kind of base
licensing
construct, then all of a sudden you go
from
zero to a hundred miles per hour, kilometers
per hour, whatever you wanna do, like you're
ramping really fast, and you're gonna find that
some of those things kind of run away
from you and potentially sour your taste on
it
(08:52):
versus coming back and focusing on, like, your
core principles, what's what's the business need, and
and how does all that manifest for you?
Yeah. And I think going back to why
I started with identity, Zero Trust,
in some respects,
it I would say customers didn't always do
it well even internally. You would have, like,
your DMZs and your your internal networks. Maybe
(09:12):
you'd have, like, your barrier. You'd have your
firewalls in and you'd poke a hole in
to let VPN in, all those types of
things. But when it was on prem days,
I felt like network got treated a lot
as the zero trust boundary, whether it was
firewalls between subnets or different vnets and opening
ports here,
setting up air gaps here and there. The
(09:33):
cloud changes all of that in that now
I can really get to Microsoft 365
from anywhere. I don't have a network
boundary I can set up because Microsoft
owns a lot of that infrastructure.
And, really, the way into Microsoft 365
now and into an environment
is going through
a user sign in, whether it's a service
principal, whether it's a user. So that's why
(09:54):
a lot of times it starts with
identity. Like, who are you? Should you be
allowed in? And what are you doing at
that gateway of
the user's login? Setting up MFA
for all of your users. What are you
doing around
passwords
for your users? What are you doing around,
like, the legacy authentication? Some of those things
(10:16):
that
going back to the cost
at a
entry level
is setting up those security defaults that I
think are now enabled by every new tenant.
A lot of tenants that didn't have them
on, they're getting turned on for them. But
at a base level, if you're not gonna
go out and pay for extra Entra licenses,
you're just doing Microsoft 365 Business
(10:36):
Basic or Business Standard
or any one plan, having those security defaults
on that set up some of those initial
barriers
just on identity. And then from there, you
can continue to build out around if you
wanna do MFA and if you wanna do
phishing resistant MFA
based on that feature level. And that's also
where you go start thinking through the least
(10:57):
privilege. I'm not gonna give everybody global admin
rights. As much as the CEO wants to
be able to get into everything and see
everything, the CEO does not need to be
a global admin in my tenant. What do
you mean?
Your exchange admin. Yeah. Your exchange admin does
not necessarily have to be a global admin.
And to give companies credit, I'm seeing companies
(11:18):
do a lot better job at this. I'm
also trying to do a better job at
it even as a consultant. It's easy for
me. Someone says, hey, Ben. We need you
to help me with Microsoft 365.
Well, just give me a global admin. That's
easiest. No. That should not be my approach.
My approach should be, well, I'm helping you
with SharePoint and Exchange and Intune. Give me
SharePoint, Exchange, and Intune admin rights. Don't give
me global admin. Even though it's a little
(11:39):
bit more work, maybe I have to go
back and ask for extra credentials later. But
really from that perspective,
starting off with that least
permissive
for those different roles. And some of them,
like even Teams, has like four or five
different admin roles within Teams that you can
be assigned. That goes back to how customers
(12:00):
rationalize these things, right, and like how they
grok the knobs and levers themselves. I I
will say, like, I it's a complex stack
that said I think Microsoft has done a
better job at publishing guidance and being potentially
a little bit more prescriptive.
Like, today, like, if you went out in
a zero trust environment, we talk about, like,
global admins and, like, break glass accounts, things
(12:20):
like that.
That used to be, like, super fuzzy. Like,
sure, you should have a break glass account,
but what does that mean? How do you
secure it? Like, what does MFA look like
in context of a world like that? Like,
how do you store that YubiKey for what's
effectively not a person? Like, you and I
are working together. Does YubiKey go to your
house? Where do you store it at your
house? But then what happens if I know
(12:41):
the username and password? Like, how do we
coordinate that and get it back together? So
Microsoft's done a much better job, I think,
about kind of publishing prescriptive guidance there at,
like, the click stops as they exist
within the licensing suites. It still gets a
little bit confusing, especially when you start to,
like, cross the streams between these things. I
I I do think it's a little bit
easier to live in the world of, say,
(13:02):
like, just Entra ID,
and what comes to you with your Entra ID
premium licensing, maybe like a P1 versus
a P2 kinda thing, versus what happens
with M365 plus Entra plus
Intune
plus I I don't know. Maybe you're doing,
like, global secure access for your applications, and
you're combining the endpoints and more client flows
(13:23):
in there and things like that. Like, you
as a customer can kinda ramp the complexity
infinitely.
And
I do see at some point, like, customers
kinda bottom out on they just can't figure
it out anymore
because they finally hit, like, the sweet spot
for, like, that permutation
or that set set of decisions in their
environment where they're like,
I'm off the beaten path. And then you
gotta know kinda holistically how it all works
(13:44):
together, and and that's still very hard to
do. Yes. That's why I'm here, Scott. If
you have trouble putting it all together, call
me. Shameless self plug, self promotion in the
middle of the podcast. Yeah. So I think
that's where I always start with identity. From
there, we're gonna run out of time, Scott.
I gotta talk fast. Did I mention this
was an hour long presentation?
No. I think from identity, the next one
(14:06):
I tend to move to when I'm working
with customers as well is
and these two are, like I would say
these two are step one and step two.
After these two,
you can kinda move a few different directions,
but my next one is always endpoints,
Primarily because when I'm logging
in as somebody, I have to be logging
in as somebody from some device.
(14:28):
So
how do I know that
this identity, this person logging in, going back
to even the least permissive here isn't necessarily
just about roles, but it could be least
permissive in terms of devices that I'm allowed
to log in to my tenant from. Or
going back to the assume breach, assume that
every device that tries to log in to
(14:50):
my tenant is not a safe device.
So thinking through how am I verifying that
the phone that somebody logs into my tenant
from, the laptop, the desktop,
the tablets,
whatever that may be, how do I verify
that device? How do I make sure that
device is safe?
(15:12):
How am I thinking about those endpoints that
users are logging in from when they come
to my tenant. Because again, now I don't
necessarily
have the network.
A lot of people used to take the
approach of this device is plugged into my
local network. They're inside my firewall. I'm gonna
trust it. I don't have a firewall anymore.
There's some ways we can kinda
(15:33):
you can look at that. You can kinda
pseudo make a firewall, but I think it
comes into a lot more now. What are
you doing for corporate devices versus BYOD devices?
One thing I think about is
it's this is a newer approach I've started
taking, and people can yell at me for
saying, you should have thought of this sooner,
you should have done this sooner, is a
(15:54):
lot of clients are still focused on kind
of that inside my network, and they're looking
at device
trust. It's the trust type in
conditional access, but it's is this device joined
to my Entra ID, or is it hybrid
joined? Is it joined to AD? Should I
really be looking at, was this device able
to be joined to my active directory, or
(16:14):
should I be doing things like compliance? Is
this device compliant? Has the drive been encrypted?
Is the antivirus up to date? Is the
patching up to date? Are they running a
certain version of the OS? And not necessarily
thinking through, oh, they were able to join
this device to my domain so it's trusted
and it's safe, but
more, does this device
meet the level of compliance,
(16:37):
which could be that security construct that I'm
going to allow it in? And maybe that
trust type is a part of that, but
I don't think that should be the whole
picture when you're starting to talk zero trust.
No. The other thing you have to think
about is
the
the the experience of those devices.
So how do you make it, like, friction
free?
(16:58):
You don't want potentially your
I don't know. Maybe you do, maybe you
don't. But you may maybe you don't want
your user, like, pinning in on every boot
of a device given the class of the
device. Right? Like, is this my Yep. Everyday
laptop versus maybe, like, my admin workstation or
things like that? So what are those profiles?
How do those come together?
And
then the other thing that happens here is
(17:21):
the
intersection
of your environment, your policies,
and
application of those policies across managed and unmanaged
devices.
Shout out to Pirate in the chat. Like,
he's going just where like, I was thinking
so you have this world now of potentially
thinking about, like, do you do
full device management?
(17:41):
Is MAM a possibility in your environment? Like,
like, doing some kind of, like, application management
level kinda thing. Like, what does that look
like for you, and and how do you
compose?
Which ultimately bleeds back again to, like, your
corporate construct plus
user experience. Right? Like, like, practically, example, like,
I live in a world where I can't
access
(18:02):
my work stuff through an unmanaged device.
At the same time, my employer does my
employer doesn't buy me, like, a phone. So
I have a very, like, conscious decision to
make of, do I join my personal phone
and and let my employer manage a personal
device where it's still a
managed? Like, so you have to navigate a
bunch of that stuff as well just in
your policy and and thinking about how it
(18:24):
comes together for your users. Yeah.
Do you feel overwhelmed by trying to manage
your Office 365 environment? Are you
facing unexpected issues that disrupt your company's productivity?
Intelligink is here to help. Much like you
take your car to the mechanic that has
specialized knowledge on how to best keep your
car running, Intelligink helps you with your Microsoft
(18:46):
cloud environment because that's their expertise.
Intelligink keeps up with the latest updates in
the Microsoft cloud to help keep your business
running smoothly and ahead of the curve. Whether
you are a small organization with just a
few users up to an organization of several
thousand employees,
they want to partner with you to implement
and administer your Microsoft cloud technology.
(19:07):
Visit them at inteliginc.com/podcast.
That's intelligink.com/podcast
for more information or to schedule a thirty
minute call to get started with them today.
Remember, Intelligink focuses on the Microsoft cloud so
you can focus on your business.
(19:30):
Because this is audio, it's gonna be hard
to visualize. But when we talk through this,
sometimes too, we'll even draw a grid where
you maybe have, like, upper left corner is
a managed device
that's on the corporate domain,
that is going to be
the level of hoops you have to jump
through. It's going to be a much more
(19:50):
trusted device than maybe, like, down in the
bottom right is a BYOD device that isn't
joined to your domain, that isn't managed,
and thinking through
what level of access to your point, what
level of access are you gonna give these
different types of devices in your domain or
your user experience? What level of authentication do
they have to go through? This is an
(20:10):
unmanaged device. They're logging in from not a
known location.
I'm gonna
force a phishing resistant MFA, and they're only
gonna get browser based access. Whereas something that's
joined to the domain, it's enrolled in Intune,
it's a compliant device,
maybe I relax my MFA requirements a little
bit where it's not necessarily phishing resistant or
(20:34):
maybe it's even corporate joined on the network
compliant into managed. I'm gonna allow maybe you
do allow those to bypass MFA if they
reach a certain level there. So it's not
even like that one size fits all, but
it's here's this matrix of all these different
scenarios that I can encounter with my devices.
What level of trust and confidence do I
(20:56):
have in the safety of that device, and
what am I gonna allow based on that?
So I think that's that's kind of that
next step is devices.
And thinking through all of that, I think
some of it does, like you said, tie
into your licensing. How much licensing do you
have for things like Autopilot,
for Intune, for
different levels because there is a cost to
(21:16):
these different features in Microsoft 365.
There is a cost. There's there's
a operational cost, like the human cost of
just turn it on, your users have to
interact with it, and then there's the dreaded
licensing cost,
which which also sits there as well. So
where do you wanna go from there? Choose
your own adventure, Scott. Identity and device are,
(21:36):
I would say, a couple of my core
ones. There's other things to think about. Why
don't we talk about networking while we're here?
So I I always find the networking aspects
of, like, a SaaS surface, like,
public endpoints connect to over the Internet,
clients over the Internet, and then all the
ways customers try and fight it. And they're
like, how can I privatize my traffic to
(21:57):
to SharePoint online? Like, well, a, do you
wanna do that? B, no, you actually don't
wanna do that. But, yeah, let's keep hearing
you talk about how you wanna do it.
So so so networking's a good one. Why
don't we go there next? Alright. So networking
is like you said, it's interesting because you're
in
the cloud. It's a SaaS space. There's a
couple things I think about when I start
(22:17):
going down the networking path. This one, very
much licensing comes into play. One thing you
can do is
there are ways within conditional access to
set up trusted networks. So you can either
set it up based on
IP address.
So you can go in and define IP
addresses. These are the public IP addresses that
(22:38):
are for my office.
I have my public IP addresses that are
from my home network. You may have public
IP addresses from different satellite locations that you
can define. You can also go in and
Microsoft gives you the ability to pick country
based trust. So I'm gonna trust IP addresses
that we're pretty sure, and this is not
(22:59):
a you can be 100% sure all the
time, IP addresses coming from the US, or
here's IP addresses coming from Europe or Africa
or South America, different regional locations. Microsoft does
have predefined network locations there where you can
go in and actually
block or allow,
maybe block everything and then set exclusions for
(23:21):
allowing, however you wanna do it to
set up different
policies on logging into your environment
based on which IP address you're coming from.
So I think that's kind of the most
basic one. That one is still conditional
access, so it's still gonna be your Entra
P1 as minimum for that. The other
interesting one that's coming into play more and
(23:43):
more with networking in these conversations
is the global secure access.
This is an add on to even Entra
P2, but there's a lot of stuff,
and there's getting to be more and more
stuff you can do with Global Secure Access.
And there's different components to it. So there's
the whole Microsoft 365 aspect, Global
Secure Access to Microsoft 365 where
(24:05):
it is I don't wanna say it's a
VPN because it's it shows up as a
VPN, though. I will say that. It kinda
shows up as a VPN. You put a
client on your desktop.
You
do it through
Defender for Endpoint on your mobile devices,
and then it does show up as a
VPN connection on my phone. But it tunnels
that traffic then, encrypts that traffic from your
(24:26):
device
straight to Microsoft 365.
Because of that, it also gives you some
ability to do, like, some additional logging on
that network traffic between your end user devices
and Microsoft 365. This is not
out for everything yet. Like, ironically enough, I
can't put it on my Surface device because
there's not an ARM client available for it.
(24:46):
It has to be x64. You can
do it in macOS. You can do it
in mobile. I think iOS and Android are
both out there now.
But you can do that for Microsoft 365
traffic, but you can also do
this. They also have an Internet,
aspect of Global Secure Access and a private
aspect of Global Secure Access where I can
now send all my Internet traffic over Global
Secure Access to do
(25:08):
web protection, web filtering, web monitoring
of Internet access. And it's interesting, like, I'll
see it in mine where I get a
lot of my web requests now routed through
a proxy if I have Global Secure Access
enabled on my desktop.
The private one gives you the ability to
use Microsoft 365, the
private
(25:28):
connection in Global Secure Access,
to create a tunnel from your endpoints back
to your on premises network to access web
applications
on premises. So this is all built into
Entra and add on to Entra for
starting to do more of that managing of
the network, creating
secure tunnels to different locations, web filtering,
(25:49):
and
some of that additional monitoring of all that
network traffic. Yeah. Quite a bit to think
about on that one. It is. And we
could spend the entire time on that, but
It's a weird one. Like, I don't know.
Even if when you go down, like, the
filtering path, there's the things that you can
do as part of
Intune, Entra, and then, like, there's the whole,
(26:10):
like, I actually deployed my app, and what
does that look like? Like, does that app
live in Azure? Does it have a firewall
in front of it? Maybe it has, like,
a front door
or,
like, an application gateway, like, all all that
kind of stuff that just manifests as well.
I think another one that this kinda ties
into networking
I'm gonna go into apps a little bit
(26:30):
because there's a few different components to apps.
There's the applications
that
you use for work, deploying apps to your
endpoint, apps that are installed on your endpoints,
all the app management in Intune. We talked
about it in the chat a little bit.
You mentioned it earlier, Scott, the MAM, the
mobile application management,
managing those apps. But there's also Defender for
Cloud
(26:51):
that isn't necessarily networking, but it does help
watch for different shadow IT. People going out
using ChatGPT,
like, are people actually taking sensitive information
from my environment,
copying and pasting it, throwing it into ChatGPT.
Oh, oh, this is networking. Can I go
back to networking?
(27:12):
This is networking and data. I'll save it
for data. We'll save that when we talk
about data. I thought you were gonna ask,
and I was gonna say, like, yes. Your
your users are taking private data to ChatGPT.
100%
there. Yes. And if not ChatGPT, they're taking
it to Claude or Copilot or Gemini or
someplace where you don't think it should be.
Where you don't think. Yeah. And that's something
that Defender for Cloud can help for. Again,
(27:34):
I'm gonna keep saying it just to remind
people, although I think they already know it.
There is cost for Defender for Cloud. This
is another one that is like a security
E5 or Microsoft 365 E5.
But I know that
there's, like, 400
some third party AI services that are all
in Defender for Cloud already that if you
(27:54):
go ramp this up, you have the ability
to go in and block those to see
what are all the AI services that my
employees are using, where are they copying and
pasting data, there's some DLP stuff, being able
to
monitor
where people are putting files, which again, kinda
apps, kinda data, kinda networking,
(28:15):
but another part of that zero trust of
making sure that your employees are keeping data
where it's supposed to be kept, not putting
data where it's supposed to not putting data
where it's not supposed to be, that someone
that got into your environment isn't exfiltrating
data
through some of those other services.
And, again, a little bit of that verifying,
(28:36):
a little bit of that monitoring when it
comes to apps. And
I get so much to talk about here
because then you do get into all the
installed apps, keeping data safe in the apps
through, like, the mobile application management. So you
want me to keep going, see how close
we can keep this to a reasonable time
episode? I mean, you're doing pretty good. Alright.
All you got left in your talk is
(28:57):
data. Well, then then logs, but, we we
could always talk logs at a different time.
And data's the other one, is
looking
at,
like, how are you securing your data? This
is one too that has come up a
lot with Copilot, and we mentioned this in
some of the times when we've talked about
AI is some of that data security posture
management, the DSPM.
(29:18):
How are we protecting
sensitive information within
the company?
How are we thinking about
AI activity and what data AI can get
to? Are we putting
sensitive
sensitivity labels on our content and being aware
of what types of sensitive data may be
located in those various
places within,
(29:38):
our organization? I was I can't remember if
I've told this story before. If I have,
you get to hear it again. Working with
one company where we were trying to get
ready for Copilot, we were looking at sharing
links.
They had, like, 20,000 links that was shared
with the entire company. But then we were
also looking at sensitive information. I'm like, did
you know, like, you have all these Social
(29:58):
Security numbers over in the SharePoint site here?
Like, Purview picked them up, and I it
took me, like, five minutes. I was able
to go in
through Purview,
go to the Content Explorer, pull up some
social Social Security numbers. I was like, are
these false positives? Clicked on a couple of
them and was like, nope. Those are actually
those are actually
(30:19):
Social Security numbers, and it took me, like,
five minutes to find them. And I brought
it up to the company. They're like, oh,
our policy says no Social Security numbers are
allowed in SharePoint.
Yeah. That's what your policy says. You didn't
block it, though, so here we are. Right.
So what are you doing from that perspective
to
not just
set a policy of that or make that
your policy, but to go through and verify
(30:41):
that people are following the policy
and or if you do allow that in
there that it's being properly labeled and categorized
so you can put DLP policies in place
to prevent that exfiltration of that data, to
prevent it being inadvertently
shared with somebody it shouldn't be. And this
was a new one. I I was gonna
mention that I don't know how it's done.
(31:02):
I'll find the blog post to it in
the YouTube video and put it in the
chat. There is I think it was just
last week. It was about a week ago.
Microsoft announced
network level
DLP
coming to Microsoft three sixty five. So actually
being able to, like, pick up if I
copy and paste a Social Security number from
my machine into a website,
(31:24):
the picking it up in my network traffic
that I'm copying and pasting sensitive information or
that sensitive information is going from my device
somewhere. No they didn't announce how they're doing
it. I don't know if this is gonna
be part of Global Secure Access or part
of Microsoft Defender,
but there is absolutely,
like, that level of data security coming as
(31:47):
well from a DLP perspective, sensitive information.
So that's gonna be really cool to see
where that goes because that is questions that
come up. We'll see when it comes, how
it comes, what the cost is when it
comes, etcetera. I hadn't heard about that. Oh,
Pirate posted that. Browser Network. Yeah. I think
that's the one, Pirate, without actually looking at
that article that looks because it was on
(32:08):
Microsoft Mechanics where they posted that video and
that article about doing network browser based DLP.
It's okay, Scott. It's only a week old.
You're excused for not knowing it. Whew. That's
good. And I think kind of what brings
us all together too is I've mentioned it
a few times. We've talked about it. I
will never back down from my statement that
(32:28):
conditional access is worth the cost of Entra ID
plan one if all you got with that
is conditional access. But to me that's really
like the bow that ties all of this
together, is going in and setting up a
lot of those conditional access policies, looking at
who you are, what identity you're logging in
with,
are you coming in as an admin, are
(32:49):
you coming in with a service principal, so
that identity aspect of it. And then looking
at all those different signals from your devices,
looking at different properties of the device, different
trust types, compliance of the device.
That's where you can go set up your
network level. What network am I coming in?
What IP address am I coming in from?
What applications am not only am I accessing
(33:09):
in Microsoft three sixty five, but what applications
am I using to access my data in
Microsoft three sixty five?
Setting up all those conditional access policies to
help you segment out how users are allowed
into your environment, where they're allowed in from,
all of that. There's a lot to think
about in that one. There's absolutely a ton
to think about. There's a reason you can
(33:30):
create hundreds and hundreds of conditional access policies,
Scott. I still wanna see a tenant that
has hundreds of them.
I haven't. No? I have heard of tenants
hitting the limit. Did you know there's a
limit to conditional access policies? I probably
work for one of those companies that's at
the limit. You probably do. I think it's
995
is the number of conditional access policies you
(33:51):
can have. That's what I thought. Pirate said
we've had the conversation before. So, anyways,
and then the last
I can do logs and signals. We talked
about the verification aspect of this too,
being alerted.
There's a lot of verification you can do,
but I would say a lot of it
does cost money, whether it's spinning up Sentinel
(34:11):
or another
SIEM to capture all these logs, be able
to query all these logs,
set alerts on these logs,
take automated actions based on them. Maybe you
want to be able to peruse your logs
or ask questions about it with
Security Copilot or some other
AI
tool based on where all these logs are
(34:33):
being captured.
But not just setting up all these controls
and then not ever keeping an eye on
what people are doing or
what's going on in your environment. So you
could go set all of this up. Someone
finds a way around it. Someone finds a
way around our backdoor. We're all human. We're
not perfect. We're gonna miss something. We're gonna
make mistakes. So do you have that logging,
(34:54):
that signaling, that alerting set up so that
if something does go wrong or if you
need to go back and look at what
somebody did, you have that ability
to go in and look at it, adjust
it, make changes to your security
based on what may come out of some
of that logging, that signaling, and that alerting.
(35:14):
What may come out of it? Good luck
interpreting it most of us. What may come
out of it? Okay. That's the other thing
is like, yeah, like, what may come out
of it? Now now go interpret it. Good
luck. Yeah. That's what Security Copilot's for, Scott.
Or Copilot for security. Security Copilot? Which one
is it? Something like that. One of those.
So there is an assessment.
Pirate mentioned it before. We'll put a link
to this in the chat too.
(35:35):
There is a Zero Trust workshop out there
that Microsoft has. Oh, you're not gonna be
able to see it in that window though
if I put it in the chat. We've
just had one window up in the one
browser window up. But a whole zero trust
workshop around identity
devices, and part of that workshop, they do
have a an assessment tool as well, a
PowerShell script that you can go run on
(35:56):
your environment
that will give you
some of that configuration
of how close are you to Zero Trust.
There's some other tools in here to help
you work through implementing Zero Trust. So this
is another good resource. I think this workshop
is easily a day long, if not a
multi day
workshop, if you were going to
(36:17):
work through it with somebody. Again, there's tools
in here you can take and run in your
own environment to see where you stack up,
what you should think think about, configurations you
may need to make, again, based on what
licenses you have, what's available for you to
actually go turn on and light up. Yeah.
What's the scope of that workshop? So is
it all things Microsoft?
(36:37):
It it looks like it's pretty expansive. Like
Yes. I'm pretty sure this one will look
at all things
Microsoft. I should go find
where this is. I mean, it's yeah. Like,
you have DevSecOps
in here. You've got identity
devices.
That's talking about the Intune data warehouse.
What else in here? Conditional launch. There's stuff
(37:00):
around backing up to iCloud.
Yeah. Here's ARM provisioning,
RBAC stuff,
VPN tunnel. Someone asked me too, VPN tunnel
versus global secure access. I think they're both
in there. It wouldn't surprise me if the
VPN tunnel goes away. Yeah. All the stuff
around Samsung
AR, VR devices.
(37:20):
This is I don't is this I don't
even know what this is. A hundred and
twenty,
fifty, seventy, 80. Just keeps going. 89
different
steps, I guess, just in the devices section
that are things for you to think about
with devices. But, yeah, DevOps, I bet this
is Defender. Yeah. Implement Defender for servers.
(37:41):
So this is 100%,
like, all things
Microsoft cloud
from servers to Azure to ARM provisioning to
GitHub,
CodeQL is a part of this,
Azure DevOps is a part of this,
Defender for DevOps.
All of it. You could spend a long
time on this, Scott. All the things. Everything
(38:02):
is here. Just a couple of days. Easy
peasy. Yeah. Just blow through it all quick.
In and out. And then you get a
nice pretty docs that you need to go
implement.
Exactly.
Or call Ben, and Ben will help you
implement. I'm full of shameless self promotion today.
Yeah. You're doing a good job. Thanks. Appreciate
it. Alright. Anything else? It is 5PM
Eastern Time on a Friday. And I think
that takes us on a whirlwind tour of
(38:23):
Zero Trust. That was. And if I have
a workshop at a conference,
I will self promote that as well.
You just gotta score one, man. That's it.
Easy peasy. No sweat. We'll get it. We'll
get it nailed out. So well, thanks, Scott.
Appreciate it. Enjoy your weekend. Enjoy the rest
of your day. You too. And we will
talk to you again soon. Thanks, Ben.
(38:45):
If you enjoyed the podcast, go leave us
a five star rating in iTunes. It helps
to get the word out so more IT
pros can learn about Office three sixty five
and Azure.
If you have any questions you want us
to address on the show, or feedback about
the show, feel free to reach out via
our website, Twitter, or Facebook.
Thanks again for listening, and have a great
day.