
November 22, 2024 36 mins

In this episode, Michael, Sarah, and Mark talk to Merill Fernando about a set of open source tools he and his team have developed to help people understand their Azure and Entra ID security postures.

We also cover news about Fabric, TLS 1.0 and 1.1 retirement, Microsoft Ignite, FIDO2, Confidential Containers on Azure Red Hat OpenShift, and various Zero Trust news.

https://aka.ms/azsecpod


Episode Transcript

Available transcripts are automatically generated. Complete accuracy is not guaranteed.
(00:00):
Welcome to the Azure Security Podcast, where we discuss topics relating to security, privacy,

(00:09):
reliability and compliance on the Microsoft Cloud Platform.
Hey, everybody.
Welcome to episode 105.
This week is myself, Michael, with Mark and Sarah.
And our guest this week is Merill Fernando.
He's here to talk to us about Entra ID and some of the tooling that he's
worked on over the years.
But before we get to our guest, let's take a little lap around the news.

(00:32):
Sarah, why don't you kick things off?
Well, it'll depend when you edit this.
But at the time we're recording this, it is next week, it is Microsoft Ignite.
So depending on when you listen to this, that might have already happened.
If it has already happened, then we will upload lots of sessions on YouTube so you can watch

(00:52):
them later.
If it hasn't happened, then of course, remember that the in-person tickets are sold out, but
you can still watch the live stream for free.
For better or worse, you'll get to watch me doing some of the interstitial programming.
That's what it's called, the bits in between the exciting bits.
But I get to interview some cool people.
So of course, go check out Ignite.

(01:14):
And if this is post-Ignite, which is the 18th to 22nd of November 2024, you can go and catch
up on sessions online.
And of course, there's lots of announcements about things.
That's all I can say.
So go and check that out.
So that's my first one.
That's taking up a lot of my time at the moment, pretty much every waking hour, actually.

(01:37):
Then next up, we have support for FIDO2 authentication.
In fact, our guest probably knows more about that than I do.
But we're of course supporting passkeys for passwordless authentication.
We're all trying to move there and non-phishable creds.
So of course, the more you can use that, the better.

(01:59):
And then finally, last but not least for me, confidential containers are now in public
preview on Azure Red Hat OpenShift.
So we love a confidential container because it means that it's cloud-native confidential
computing and there's a trusted execution environment.
So you can have everything nice and secure and it runs in its own little enclave, I believe

(02:20):
is the correct word.
So go check that out.
If that's something you're interested in using.
And that's me done for the news.
All right.
I have a few items.
The first one is there's now REST endpoints, REST APIs for managing private endpoints in
Fabric.
This allows you ultimately to help sort of automate and streamline workflows because

(02:44):
now you have access to these APIs, which historically you didn't have.
Next one is Application Insights, Availability Tests.
TLS 1.0 and 1.1 are being retired.
This will take effect, I believe, March the 1st, 2025.
So you do have plenty of time.
But at the end of the day, that day is going to creep up on you.

(03:05):
And if you're not ready for it, then any client code that you have that's not using TLS 1.2
or 1.3 is going to break.
There's no fallback at that point.
And in fact, there's going to be a note as well because there's another item, which is
just an overarching update on the retirement of TLS 1.0 and 1.1 across various Azure services.
Again, this is something that you're going to see across every single Azure service.

(03:29):
So you really need to start working on all your clients, verify that your client code
is using TLS 1.2 and above.
What that really means from a programmatic perspective is make sure you're not hard coding
things like TLS 1.0 and 1.1, or you're using, for example, really, really old runtimes
or really old versions of browsers or operating systems or mobile operating systems that don't

(03:51):
support TLS 1.2 and 1.3.
The original announcement for this was actually made in November the 10th, 2023, so a year
ago.
So I'll give you a list or a link to a page that just has some updated information about
how you can make sure that you're ready for this transition.
I think the overarching transition is going to be end of August 2025.

(04:12):
But again, things in the rear vision mirror are closer than they seem.
So yeah, don't do nothing about this.
When the time comes, stuff's just not going to work.
Okay, that's all I have in the area of news.
So in my world, kind of piggybacking off of what Sarah was talking about, I will be at

(04:33):
Ignite as well.
So I'm going to be speaking on the Friday there.
I'm going to be talking about the top 10 Zero Trust controls that you can implement today.
So I'm very much focused on actionable guidance for Zero Trust there.
And I'm going to be sharing the stage actually with someone from NIST, Murugiah Souppaya, as
well as with one of our customers from a large Swedish bank.

(04:56):
So really excited to be presenting with Murugiah and Ulf and talking through what they've learned
on their Zero Trust journey and their actionable tips as well.
The other thing that happened recently was I spoke at the Open Group Conference in Houston,
Texas.
And we kind of unveiled our vision for what we're setting out to solve with those security

(05:22):
standards.
For those that aren't aware, I'm the security forum chair for the Open Group.
So help guide and steward those standards and figure out what we need to be doing there
and all that kind of stuff.
And very interesting kind of a different role for me to be working through that.
And I figured, hey, if I'm in the role, I might as well do something good with it.

(05:44):
And so we're working on filling the gaps, building on existing standards, kind of connecting
the dots and addressing some of the things that just aren't addressed or aren't addressed
well in industry.
So things like mapping it to the defenders to the attackers activity, defining the security
roles in sort of a relatable kind of normal way, just connecting the dots between a whole

(06:06):
lot of things.
So got some exciting stuff.
We'll have some webinars that we'll be doing here in the next couple of months probably
to kind of reprise that on a live broadcast medium.
So that's the main stuff.
And I'll throw in a few links to some of the existing Open Group standards for folks to
check out.
But that's all I've got.
So now we're going to move on to our guest, Merill Fernando, who is a principal product

(06:30):
manager in Entra.
He also lives in the same town as me, but ironically, when we're recording this, he's
actually in Sydney.
So Merill, welcome.
Do you want to tell us, well, quickly introduce yourself to our listeners and tell us a bit
about yourself.
Thanks a lot, Sarah.
So I'm super excited to be here as a guest.

(06:52):
My name is Merill Fernando.
I'm a CXP, or customer experience, principal product manager in the Microsoft Entra team.
And I love building tools and helping the community and connecting folks in the community
in cybersecurity.
And I spend way more time than I should on LinkedIn and Twitter and Bluesky and all

(07:19):
the social media accounts.
That's me.
So while we're talking about what we're going to talk about on this episode, one thing that
became abundantly obvious is that you've worked on a lot of tools over the years.
So we're going to talk about some of those tools.
So let's just get started with the first of those tools, which is Maester.
So my first question is, what on earth is Maester and what does it do?

(07:43):
Thanks.
Yes.
So I'll tell you a story because that's how I like to introduce all these different tools.
They always start with some story.
So with Maester, I was helping a customer.
They were going through troubleshooting some conditional access policy, and we were trying
to work through that.
And while we were looking at that, we just realized that they had a CA policy.

(08:04):
They had targeted for a group, like all the guests in their tenant.
And that group, they had a policy which said guests need to sign in every day because they
could be coming in from unmanaged devices and their tokens could be stolen and they
needed to secure it.
So they had created this policy and they thought it was all good and their tenant was secured.

(08:27):
But about 10 months ago, someone had gone in and either they deleted the group or they
just cleared out all the users in that group.
So this policy was sitting there.
They thought the policy was working, but there was no protection for them.
The guests were happily signing in and staying on with long-lived tokens, which could be
stolen as we know, and people could be replaying them and their tenant was not secure.

(08:51):
So this got me thinking about how I can bring some of my DevOps, SecDevOps practices to
identity and move the industry forward in applying SecDevOps practices to identity and
things like the control plane and conditional access.
So I got together with a few MVPs: Fabian, who had created something for Sentinel based

(09:15):
on the PowerShell Pester testing framework,
and Thomas, another MVP in Germany, who did a lot of Entra config settings, like
how to harden your environment.
So we got together and we built out Maester, which is like a PowerShell based test automation
framework.
We started with Entra, but it's like we launched in March last year.

(09:37):
It's grown so much that we have people contributing.
We have like 50, 60 plus contributors, about 200 plus checks.
People have written ready-made checks.
I built it for writing tests for your own config, but people have started plugging in
like the CISA tests for Exchange, for Azure, for Intune.

(09:58):
And so it's become this huge open source framework and folks are starting to use it in really
new and innovative ways to make sure their cloud config is what they think it is.
But not hoping that no one went in and made a change that they don't know about.
So that's Maester.
So, Merill, I do have to ask, where does the word Maester even come from?

(10:19):
Cool.
Yes.
So Maester comes from the Game of Thrones.
And for those who watched the show or read the books know that Maesters in the Game of
Thrones world, they were the learned people, the wisest folks.
That's who people went to to get advice.
And they lived in this tower with a light, with a fire that always kept burning and they

(10:44):
held all the knowledge.
So I needed something that I could get the domain on and something that people could
easily remember.
So yeah, all of that combination came together.
I didn't want to name it Microsoft Cloud Security Test Automation Framework, which would have
been the typical name.

(11:04):
So we just came up with Maester for that.
I may actually be the only person in the world who has not seen Game of Thrones or read the
books, but it is what it is, I guess.
So Michael, you're not alone in not having seen or read Game of Thrones.
So you have company, so at least two of us on this podcast share that.

(11:25):
So something that's near and dear to my heart is I really love the work that your team has
done on the Zero Trust workshop that recently was announced and released publicly.
So can you tell our folks about that?
Yes, absolutely.
So the team that I'm in, I'm part of the Entra product group and we focus on Entra and we
help customers deploy Entra, secure Entra, harden it, you know, what are the right conditional

(11:50):
access policies, what they need to do and how they can plan out.
Because a lot of our customers don't know how like they've got Entra when they got M365.
They don't really, they haven't really done the work to go through and look at how they've
deployed, whether they've deployed all of the features that are there.
Like my day job is literally getting folks to deploy and use the features they've already

(12:14):
paid for and secure their tenant.
So I'm from the Entra team and we have counterparts in the Intune team, in Defender, in Purview,
like the whole of the security org.
Our day job is helping a lot of our customers deploy things.
And what we found out over time is we had a lot of knowledge in what someone needs to

(12:36):
do.
Like we could go through and ask questions and then come up and say, okay, you need to
do this first before you can do this.
For example, if you want to do like device compliance checks in conditional access, then
you first need to do hybrid join or Entra join.
And then, you know, you might not have configured the Connect Sync properly.
So you need to do that first if the devices are not being synced.

(12:59):
So there's a sequence to do things.
And we knew it.
We could just explain it to people.
But most folks didn't know where they should start.
And Zero Trust has always been people sell it as, you know, just deploy this one product
and you have Zero Trust.
But it's like a more holistic thing that you would need to do, especially the Microsoft

(13:20):
Security Suite.
We have so much.
And folks don't know where they should begin.
So that's how we came up with this idea of let's help people and make it really short
and succinct and give them a blueprint.
Let's help them assess and give them a roadmap for the next like two to three years on how

(13:42):
they can be well deployed with a proper Zero Trust framework across all of the products.
And so that's how we got together and started brainstorming ways how we can do this.
And we really wanted to scale it like it was not scalable with me doing like two or three
customers at a time.
We wanted it to help our whole industry move forward in adopting these practices.

(14:08):
So the Zero Trust workshop, we just launched it last week.
And there are lots of options people can self-serve and go through the workshops.
We do like one to two hour workshops with each pillar in Zero Trust.
Right now it's launched with identity devices and data.
And we plan to add the others in.

(14:29):
So it could be a self-service thing.
It could be you could bring in a Microsoft partner who we trained on and they can help
guide you through.
It can be through our teams like Microsoft FastTrack, etc.
You can reach out to Microsoft account team and they can help you with that.
And for our own customers who we manage, we run these as well with them.

(14:49):
So at the end of these workshops, they get like a ready-made customized map of what they
should do.
It's broken down into first, then next and sort of guides them.
So they have it's really useful.
Some of my customers got like funding from their stakeholders by showing this.

(15:10):
And they were able to then actually go ahead and implement it over the next two years.
So we've been running this in private preview for about two years and refining it with like
70 plus large customers who gave us a lot of feedback.
And it's a continuous like it's a living thing that we're building.

(15:30):
And we're going to keep on evolving this as new threats come on board and we have new
features and so on.
So that's aka.ms/ztworkshop.
If I can add on there, one of the things that just always fascinates me about security,
because we also have a set of workshops that we deliver through our unified around the

(15:51):
security adoption framework or SAF.
And those generally hang out at the architecture level and at the program and metrics and
success and architecture and how it all fits together kind of thing.
But then there was this entire layer that we missed that your team did a great job on
sort of, okay, what are the technical features and capabilities that need to be turned on?
And then of course there's the how to actually turn them on.

(16:11):
And it's just one of the things that I'm always amazed at is just how complex security is
because there's so many different people that need to be doing those jobs.
And that doesn't even get into all the business teams and all the other things that
need to happen as well.
So it's just it's always amazing to me how much needs to get done and how important it is
to have those prescriptive first, next, later kind of checklists for those different

(16:35):
abstraction levels and roles.
Yeah, one of the key things we do in the workshop, we ask that they bring all the stakeholders.
Like when you're doing zero trust, it can't be just identity.
So even though we might be doing an identity workshop, it can't be just the identity folks.
You need the devices, folks, because you need to protect the device they're coming in from.
You need the SIEM and the SOC team.

(16:58):
You need the architects in there.
And a lot of the times we notice that this was the first time that all of them sat in one room.
Because you end up with a lot of folks working in silos, especially in large enterprises.
And half of the time it's mostly folks talking to each other for the very first time

(17:19):
and collaborating and thinking about what their overall security posture should be
and what's the best way to do that.
So it's a very complex process.
It's all if you're in mining versus education or in fintech, you have different challenges
and the priorities and what you consider as your zero trust baseline differs.

(17:40):
But yeah, this bringing of all of the folks together is a thing that I learned has not been happening quite a lot.
And the workshops are really powerful when you can bring all of those key stakeholders and those different teams together
to go through what zero trust means for them and then help them look at what their gaps are in where they stand today.

(18:03):
Yeah, we see the same thing.
It's so important to break the silos apart.
There's almost like a joke in there around the one thing that we all have in common is that we don't talk to each other.
But yeah, we see that dynamic a lot and it's just amazing how much magic happens
when people start talking to each other about, hey, how do we drive this outcome
that requires your expertise, my expertise, and each of the tools that we manage and technology and whatnot.

(18:28):
All right, so a couple of other tools that you have, Merill.
The first one is, I don't know if these two are related or if they're sort of back to back or whatever,
but Graph X-Ray and Graph Permissions Explorer.
What problem are you trying to solve with those and how you go about it?
Yes, Graph X-Ray is a tool.
It's a Chrome extension.
You can think of it like Fiddler for Microsoft Graph.

(18:52):
You can run Fiddler to see what's happening behind the scenes.
So when you go to the portal and when you click on different things,
you can, you know, you do something, right?
So my struggle I had was I was writing PowerShell scripts and I would go and create a group,
like a dynamic group, or I would go and create a conditional access policy

(19:14):
or going to Intune and configure whole compliance policy and so on.
And then I knew how to do it in the UI, but then to write the script took me a while.
And we didn't have ChatGPT like a few years back,
but even that I had to tell it, you know, describe all of what I wanted to do even today.
So I knew how to do things in the UI and I wanted to get to the code as soon as possible

(19:38):
from that point.
And it took a while to go search the docs and find out the API and find out the parameters I needed to pass
and would take me like half an hour to an hour to figure out like how to do something.
So with Graph X-Ray, it's an extension you install and you just do the action in the portal.
And if the portal is, you know, using Graph X-Ray,

(20:02):
it'll give you the PowerShell command for the action that you just did.
So if I created a dynamic group, it'll give you the exact command for doing that.
It also supports multiple languages: C#, JavaScript, Go.
So you can just flick through and get to the code just from the portal itself.
So it helps quite a lot when it comes to DevOps and automation

(20:27):
and you need to create like a hundred access packages. You can do one and use Graph X-Ray
to see what's happening behind the scenes.
So it's more like a DevOps tooling that I built to help in that.
It came out as part of like a hackathon we did about three, three, four years ago.
Graph Permissions is a website that I built.

(20:52):
The problem I was trying to solve there is the docs in the Microsoft docs for the Graph APIs
are all focused for developers. So you can go find out an API like
create a conditional access policy
or some other config in Graph, maybe create a Microsoft Teams site.
But you couldn't find out, like if I give something permission like

(21:17):
Sites.Read.All, what is it that a developer can do?
Like what are all the APIs they have access to? So I had a security architect come and ask me,
hey, someone's asking me for this permission, which is Files.ReadWrite.All
or Directory.Read.All. What am I actually giving them when I give them this access?
And the answer that I had to give him was you need to go through search for this and look at all the

(21:42):
APIs and any of those APIs, what they can call.
So this got me thinking and then I sort of wrote a script that
parsed all the markdown files in GitHub for Microsoft Graph.
And then I created a page which says, okay, if it's Sites.Read.All, these are all
the APIs that someone can call. So it's sort of like a different view into the

(22:07):
Graph permission. So it's been really useful for a lot of the cybersecurity teams and the architects
to really know what permission, what the permission does and
what it is that they're doing when they're consenting to an access permission in the tenant.
You know, what are the things that developer can do? Are they the least privileged
permissions that they can have if they need to? So this was just a stopgap

(22:32):
that the product team is looking into having this built into our
tools itself so it will make it easier. So for now, the site lets you
find out whether you're giving a big scary permission or
is it the right fit for what the app is trying to do?
I'm really glad that you brought that up about least privilege. So you do actually

(22:57):
find things that could be violations of least privilege because right now, this is something that
we're heavily focused on as you're in general, especially under the
if you look at the Zero Trust, sort of the three pillars of Zero Trust at Microsoft, one of them is
least privilege. And we're certainly spending a lot of time looking at applications and looking at
privileges that they've been assigned. So this could be used as a tool, as a general tool, to start

(23:22):
saying, okay, you know, what does our set of permissions look like
across the whole of our Azure environment? I mean, could you use the tool for that? I mean, is it designed for that?
Or is it really something that requires a little bit of interpretation?
This is a little bit of interpretation and this one is only focused on graph permissions, so not really
the Azure graph, which is a slightly different

(23:47):
API endpoint to the next one. Okay, okay. All right. Yeah, that makes sense.
Yeah, we're still reviewing graph permissions as well.
So, okay, that's cool. So the next tool is
ID Power Toys. What on earth is that?
The key part of this tool is something I call the conditional access visualizer.

(24:12):
So we have a really good blade UI to create conditional access policies
and it's really easy to create them. But when you want to understand
what your security config is in your conditional access settings,
you know, it's the gateway to all of your Microsoft environment,
right? Like whether you're going into Azure or into Graph or into any of the apps that you have

(24:37):
set up, the conditional access policies are the gateway and they define
whether you do MFA or not, who is excluded and what's happening.
I was helping a customer troubleshoot a conditional access another time and it was
really hard to figure out what the policies were doing because you have to click
about six times or seven times to get an idea of what one policy is doing.

(25:02):
And conditional access is a combination of all of the policies put together.
So it is really hard to figure out what exactly is happening in this
customer's config when it came to conditional access.
So that got me thinking about like how can I visualize it? Like people
might know me from my posts on LinkedIn and so on. I try to always make it simple and easier

(25:27):
to understand with sort of a very visual way. And that got me thinking and I came
up with this whole way to export it into PowerPoint where you get a visual view of
the whole CA policy in one deck, in one slide, and then all of the
CA policies put together so you can quickly scroll through and see,
okay, I like print them up, put them up on a wall, and you can see

(25:52):
what is happening in your tenant, what's configured, who is excluded from
policies, what's included. And it's been quite popular with a lot of
folks to help as they have 50, 100 policies to know
what's really happening in their security landscape.
It's with identity, we see identity as a new control plane, conditional

(26:17):
access policies are the way to get there, and this was just my contribution to make it
a lot easier to visualize what's happening in your settings.
So, Merill, I know because I have seen you post about it on
socials and you have tagged me many times, thank you, that you also
have a newsletter that you like to, that you send out

(26:42):
pretty regularly. Do you want to tell the folks who are listening about that?
Yes, yeah, absolutely. So, like I'm working at Microsoft and I read all of the
internal things and I'm across what Entra does, but even I struggle with all of the
different, just in my product, in Entra, all of the different features and new
things that come out. And I read a lot of what

(27:07):
MVPs and the folks who write about Entra and the different features.
I love reading that because these folks are in the forefront and they're deploying things,
they come across issues and they are thankfully sharing their knowledge of,
I came across this, this is how I fixed it, or this is a better way to do it, and so on.
And this, like that knowledge and experience is not something that I as one person

(27:32):
can gain from what I do in my day job with the few customers I help.
So, it helps really to scale your knowledge and I spend a lot of time
reading and staying up to date and all of that. And I was collecting all these links
and then I thought, I'm sure others would find this useful as well. And I'm a huge
fan of Hacker News. There's this Hacker News newsletter which just sends you

(27:57):
a weekly list of links of interesting things and every week I'll just scan it in
five, ten minutes and click on things that interest me. So, I was like, let me do this
because the community, we need one place to go in and read about
what happened this week in Entra. So, that's how it started. I started putting
it together and sending it out, like I started last year. We have like

(28:22):
70 plus issues out right now. So, every week I send out
on Sunday for me in Australia, a newsletter that lists, like these are
the new features that Microsoft officially announced. These are all the things that
the community created and shared about Entra and then I summarize some of my
LinkedIn posts and things that I've shared as well. So, just a way to share

(28:47):
like, hey, this new podcast came in about Entra, this new
toolkit, someone released a new tool or a red team tool or a blue team tool
and I just sort of summarize that and send through. And yeah, it's become
quite popular there. We have like more than 11,000 plus subscribers and I get my son
to help me out with it. So, I get to spend some time with him as well.

(29:12):
So, it's been a really fun experiment. I didn't think I could
keep it up, but yeah, we've been doing it for about a year plus now and one of my highlights
for the week is creating that and sending it out.
Yeah, and we'll pop in the show notes how you can go and subscribe to Merill's newsletter
there if you want to. Yeah, we'll add links to all the tools that we've spoken about so far as well.

(29:37):
And there's other tools as well, so you'll see other tools that are up there. On the newsletter thing,
you've made a phrase that I use a lot, which I'm a big fan of. But back in the day when I
first started at Microsoft, I worked on the C++ compiler for Windows
developers basically, back when everyone knew what a message pump was in Windows.
Because I had access to a lot of latest updates to the compiler,

(30:02):
latest updates to Windows, tips and tricks from the SDK, all that sort of good stuff.
It was really appreciated by the development community.
Never underestimate how something that you think may be simple and quite straightforward to put together.
Never underestimate how useful that is to other people. So, yeah, I applaud you a lot
for doing the newsletter. I know that a lot of people will find that of use.

(30:27):
Thanks. It's a fun part of my weekend. I learn more than,
like I learned so much more from all the MVPs and the folks who share content.
They give their time freely to help us
as a community, as an industry to be better and help improve
our products as well. So I'm super grateful for all of the time

(30:52):
and effort folks put into all of this. And even like, you know, talk going out
and giving out presentations on all these different various topics.
So I just want them to be highlighted.
So this is my way of giving back. So, Merill, what does
a typical day, this is something we started asking our guests, what does a typical day look

(31:17):
like for Merill when you're at work? What do you get up to? Yes, yeah.
So I'm remote. I'm in Australia and I'm like 100% remote.
So it starts with we are in different time zones.
So I'm in Australia and a lot of my team are in Redmond and
actually spread across the globe. So my days usually start really early in the morning and

(31:42):
I have lots of meetings with teams learning about what are the new features
that we are building, talking with different feature PMs and so on.
So most of that happens during the day, during my early morning.
And then I get to, luckily for me, I work on the Zero Trust workshop
these days. We are building some cool assessments. So I get to write

(32:07):
a lot of PowerShell and a lot of scripts and go through, look at different settings
and try and I sort of get to hack things and build out
all these things. So I do that for much of the day.
We might be working on some new feature that I might be involved in. The last
one I was involved in was this Entra external auth method, which was really fun.

(32:32):
We brought in this integration from other vendors like RSA
and Ping Identity and integrating those with Entra in a plugin model.
So I would sometimes work on features. So we would work on reviewing specs.
And I bring the customer lens. I'm sort of the voice of the customer inside
Microsoft. And I call out saying, hey, this won't work with customers.

(32:57):
We should be doing this. And I look at ways on how we can improve those.
I do spend a lot of time on different forums helping, you know, just replying to the comments
people post and ask advice on. Then I do have in Kenya,
some of our team are based in Kenya where they do a lot of the graph and the PowerShell
work. So evening my time, I do get to sync up with them a few times.

(33:22):
And I love working at Microsoft because I get to do all this
while I'm at home. So I can go drop my four kids, drop them in school in the morning.
Then I go out for like long walks in the middle of the day with my wife.
And it's an amazing life and culture at Microsoft. And I really
love this lifestyle. For me, it's like

(33:47):
I'm in retirement. It's like doing the thing I enjoy the most and I get paid for it as well.
You can't ask for anything better than that.
That's fantastic. What would you like to leave our listeners with as sort of a final thought?
Yeah. So something we've been telling folks quite a lot is,
you know, do MFA. It's amazing the number of people who we still have tried to convince

(34:12):
to do MFA and do MFA everywhere. And now you would have noticed
that Azure has started enforcing MFA for any access into Azure.
I would say for everyone listening in, don't wait till Microsoft starts enforcing
for M365, for Entra, for the security portals.
Just do that now for yourself while the Azure MFA

(34:37):
enforcement is rolling out. I know a lot of orgs have delayed it.
They had the option to push it back by three months. It's going to come for everything.
So try to plan and do this as a once effort
across your org and focus on getting that messaging out to
your stakeholders and then to everyone else to say, let's just roll out MFA

(35:02):
for everyone. Don't have exceptions. It's not your trust when you do that.
And yeah, so that's the one message is, get ready for
MFA and do it all in one go for all of your users,
for all of the apps, so you don't need to do a thousand cuts and just do it
one at a time as Microsoft is enforcing it, if you can, if you have that

(35:27):
luxury. I think everyone who's been on that even touches
Entra ID or touches identity or authentication and authorization,
their final thought has always been use MFA.
So there must be some credence to it, right? If everyone's saying it. I agree 100%.
I also think it's great that you're taking walks with your wife every day.

(35:52):
I do the same, but that's mainly because the doctor told me I had to, but that's a whole
other discussion. Anyway, let's bring this episode to an end. Meryl, thank you so
much for joining us this week. This has actually been a really, for me anyway,
I've learned a lot. I'm certainly going to dig into some of these tools. I'll be frank, my
knowledge of Entra ID is not the best. I know the basics of it, but when it

(36:17):
comes to anything beyond the veneer of Entra ID, that's when I start to get lost.
I'll start to dig around with some of those tools. Alright, so again, thank you for joining us this week
and to all our listeners out there, we hope you found this episode of use. Stay safe
and we'll see you next time. Thanks for listening to the Azure Security Podcast. You can find show notes
and other resources at our website azsecuritypodcast.net.

(36:42):
If you have any questions, please find us on Twitter at AzureSecPod.
Background music is from ccmixter.com and licensed under the Creative Commons license.