Skip to main content

Lessons learned while implementing Azure AD Privileged Identity Management (PIM)

In this blogpost I will share my experiences with implementing Azure AD Privileged Identity Management (PIM).  PIM is a service that enables you to manage, control, and monitor access to important resources in your Azure environment. These resources include resources in Azure AD, Azure, and other Microsoft Online Services like Exchange Online, SharePoint Online or Microsoft Intune. 

PIM provides the following functionality: 

  • Just-in-time privileged access to Azure AD and Azure resources 
  • Assign time-bound access to resources using start and end dates 
  • Require approval to activate privileged roles 
  • Enforce multi-factor authentication to activate any role 
  • Use justification to understand why users activate 
  • Get notifications when privileged roles are activated 
  • Conduct access reviews to ensure users still need roles 
  • Download audit history for internal or external audit 

This article will cover the following topics:

Note: This post reflects the status of Azure AD Privileged Identity Management as of March 24th 2020. Functionality may change, even right after this post has been published.

Read More

Announcing WMUG_NL Saturday, on March 28 2020

On Saturday March 28th, 2020 the Windows Management User Group Netherlands (WMUG_NL) will organize a full Saturday with Workshops. Together with Peter Daalmans I will host a workshop on the topic of Conditional Access, the workshop partly be based on the blog articles I wrote about the subject earlier this year. Also Adnan Hendricks will host a session on Threat Hunting, which will be very interesting as well.

Also this year Fast Lane, a learning solutions provider located in Utrecht is hosting the location and providing us with food and drinks. See: Windows Management User Group Netherlands – WMUG Saturday 2020 on Meetup if you want to join us. Attending is free, the only thing you need to do is RSVP on the Meetup page, so that we know you are coming.

Windows Management User Group Netherlands
Read More

Speaking at RDW Techday on April 1st 2020

On Wednesday April 1st, I have the opportunity to present at the RDW Techday. RDW Techday is a community event organized by the RDW, the goal is to stimulate knowledge sharing within the company and between companies in the same region. I had the pleasure to present at earlier events already and received some really positive feedback.

RDW is the Netherlands Vehicle Authority in the mobility chain. RDW has developed extensive expertise through its years of experience in executing its statutory and assigned tasks. Tasks in the area of the licensing of vehicles and vehicle parts, supervision and enforcement, registration, information provision and issuing documents.

Read More

License requirements for administering Microsoft 365 services

Microsoft licensing is tough and vague but something we must deal with while implementing our solutions. I’m also aware that some of the features I describe on my blog are only available in the most expensive licensing options Microsoft provides, making some of the features I describe not usable for some of my readers.

If you administer Microsoft 365 services like Azure Active Directory (AzureAD), Exchange Online (EXO), SharePoint Online (SPO), Intune and many other products the license requirements for your administrative accounts are extra vague. I’ve asked Microsoft in December last year to clarify this, but until now no response was given.

There is some fragmented information available in the Microsoft documentation, that in combination with some other information to be found on the internet, like on twitter concludes that the license requirements are indeed very vague and could really use some official documentation from Microsoft to clear things up.

One thing in known, is that when asked about licensing requirements for the online services provided by Microsoft the statement returned is: “When the user benefits from the service, a license is required”

So let’s see what I found available online and see if it makes sense in some way…

Read More

Microsoft is going to disable basic/legacy authentication for Exchange Online. What does that actually mean and does that impact me?

On March 7, 2018 the Microsoft Exchange Team announced that on October 13, 2020 it would stop the support for Basic Authentication (also called Legacy authentication) for Exchange Web Services (EWS) in Exchange Online (EXO), the version of Exchange offered as a service part of Office 365. EWS is a web service which can be used by client applications to access the EXO environment. The team also announced that EWS would not receive any feature updates anymore, and suggests customers to transition towards using Microsoft Graph to access EXO.

One and a half year later, on November 20, 2019 the Exchange Team also announced to stop supporting Basic Authentication for Exchange ActiveSync (EAS), Post Office Protocol (POP), Internet Message Access Protocol (IMAP) and Remote PowerShell on October 13 2020 as well. Authenticated Simple Mail Transfer Protocol (SMTP) will stay supported when used with Basic Authentication.

Instead of supporting Basic/Legacy authentication Microsoft will move towards only supporting Modern Authentication for most of the methods used to connect to Exchange Online.

Read More

A guide to implementing Applocker on your Modern Workplace

At our last Windows Management User Group Netherlands meeting, we had the honor to have Sami Laiho, one of the world’s leading professionals in the Windows OS and Security flying over to the Netherlands and present for our user group. In his presentation titled: “Securing Windows in 2020 and forward”, Sami made us aware that by implementing some simple Applocker policies on our Modern Workplace and by making sure that the user working on the device has no admin rights, we can seriously improve our security. In his presentation Sami referred to a quote from Mikko Hyppönen (Chief Research Officer at F-Secure): “Make your security better than your neighbours”.

In this blogpost I will share my experience with implementing Applocker policy within my own tenant, and how I started to use these principles myself which eventually led by removing my account from the local administrator group.

Disclaimer: This blogpost provides a very simplistic way of enabling Applocker policies, in the real world there are some caveats which must be addressed when implementing Applocker. I will address  those caveats later in this post as well.

Read More

Stopping automatic email forwarding in your Exchange Online environment in a controlled way

Working as a modern workplace consultant also means that sometimes you have to go deep into Exchange Online options in order to make sure that (sensitive) data of your customer doesn’t leave the organization without the proper security measurements taken. In the Microsoft documentation titled: “Best practices for configuring EOP and Office 365 ATP“, the recommended settings for both Standard and Strict states that Auto-forwarding to external domains should be disallowed or monitored at least.

Automatic email forwarding is one of the possible and still most common way (sensitive) company data might leave the organization. Giving the users the ability to automatically forward emails using either mailbox forwarding or message rules to users outside the organization in that case can be very risky. I’ve seen many cases where corporate email accounts were configured to automatically forward all email to personal gmail.com or hotmail.com accounts. Also still enabled mailboxes which forward mail to users personal accounts while the user doesn’t work at the company anymore is common practice. 

It’s also commonly known that if a user somehow gets compromised, hackers usually put a forward on the mailbox of the user in order to gain knowledge about the user in order further continue with their attack methods, or to retrieve sensitive company data for their own gains.

Read More

Challenges while managing administrative privileges on your Azure AD joined Windows 10 devices

By default, on Windows 10 devices which are Azure AD joined, the user performing the join is added to the Local Administrator group. Besides the user and the local administrator (which is disabled by default), two other SIDs are added without any friendly name which explain who they are. So where are those SIDs coming from?

It is possible to make the user a normal user while enrolling the device, but then you have to create a Deployment Profile and use Windows Autopilot. See: Configure Autopilot profiles or use Bulk enrollment. See: Bulk enrollment for Windows devices

Note: This post reflects the status of Azure AD local administrative privileges as of February 11th 2020. Functionality may change, even right after this post has been published.

Read More

Did you already modify your Azure AD consent defaults settings? Here is why you should

As you may know, it’s possible for your users to sign-in to SaaS based applications using their Azure AD account. By doing this, a Single Sign On (SSO) experience is created for the user. Before this SSO for an SaaS based application is possible though, the user needs to accept (a) permission request(s) from the application allowing the application to access the users data on its users behalf, even when the user is not using the application.

Added February 11th: Erik Loef pointed me to the following two interesting articles detailing on how oAuth can be used to exploit Office 365 environments. See:

Shining a Light on OAuth Abuse with PwnAuth
Introducing the Office 365 Attack Toolkit

TL;DR; – Disable user app consent, and enable admin consent requests as soon as possible!

Note: This post reflects the status of Admin consent as of February 9th 2020. Functionality may change, even right after this post has been published.

Read More

Blocking access to Cloud apps by integrating Microsoft Cloud App Security with Microsoft Defender Advanced Threat Protection

Microsoft has quietly introduced the option to automatically block connections to unsanctioned cloud apps from the Microsoft Cloud App Security (MCAS) console. This is accomplished by integrating MCAS with Microsoft Defender Advanced Threat Protection (MDATP).

Based on the information available in Cloud App Security, the app’s domains are used to create domain indicators in the Microsoft Defender ATP portal. Within Windows Defender the Exploit Guard Network Policy option is used to block the access to the URLs. This will eventually result in the following notification sent to the user.

Windows 10 Notification

In this blog post I will explain how to setup this functionality when Microsoft Intune is used and what the behavior is within Windows 10. This assumes that you are licensed for both MCAS and MDATP, in my case by using a Microsoft365 E5 license.

Read More