Hi Viva Goals community,

I have a question related to closing and scoring OKRs.

When I go to close an Objective (blue bullseye icon) or Key Result (purple speedometer), I am given the option to adjust the score if desired.  However, when I go to close an Initiative (green calendar), the Close dialogue box does not have the Score line that allows me to adjust the score – I am forced to take the score that is auto-calculated by Viva Goals.

1) Can people confirm that this is the case for them as well?

2) If this is indeed the case, can anyone from Microsoft or otherwise help me understand why the score adjustment feature is not available on Initiatives?
3) Is there any plan to change this for Initiatives in the future?

Thanks everyone!

Evan

​Hi Viva Goals community, I have a question related to closing and scoring OKRs. When I go to close an Objective (blue bullseye icon) or Key Result (purple speedometer), I am given the option to adjust the score if desired.  However, when I go to close an Initiative (green calendar), the Close dialogue box does not have the Score line that allows me to adjust the score – I am forced to take the score that is auto-calculated by Viva Goals. 1) Can people confirm that this is the case for them as well?2) If this is indeed the case, can anyone from Microsoft or otherwise help me understand why the score adjustment feature is not available on Initiatives?3) Is there any plan to change this for Initiatives in the future? Thanks everyone! Evan  Read More

​

I have Parameter Field (type boolean) and a default value =True.

When I pass the parameter by url (= 0) it still shows it as True, how to prevent that behaviour.

(Default value is needed)

https://learn.microsoft.com/en-us/sql/reporting-services/pass-a-report-parameter-within-a-url?view=sql-server-ver16

​I have Parameter Field (type boolean) and a default value =True.When I pass the parameter by url (= 0) it still shows it as True, how to prevent that behaviour.(Default value is needed) https://learn.microsoft.com/en-us/sql/reporting-services/pass-a-report-parameter-within-a-url?view=sql-server-ver16  Read More

​

We’re excited to share a summary of the Azure Database for MySQL – Flexible Server announcements from last month, as well as the latest roadmap of upcoming features!

August 2024 Live webinar

These updates and the latest roadmap are also covered in our Monthly Live Webinar on YouTube (Click here to subscribe to our YouTube channel!), which streams the second Wednesday of every month, at 7:30 AM Pacific time. Below is a link to the session recording of the live webinar we delivered last week:

July 2024 updates and announcements

Major Version Upgrades for Azure Database for MySQL flexible servers in the Burstable service tier (General Availability)

You can now perform major version upgrades directly on flexible servers based on the Burstable service tier by using the Azure portal, and with just a few clicks! This feature release removes a previous limitation – the need to manually upgrade to General Purpose or Business Critical tiers, perform the version upgrade, and then downgrade the servers. The key benefits of this functionality include a seamless upgrade process, enhanced reliability, and effective cost management.

Learn more: Announcement Blog | Documentation | Demo video

Azure Key Vault Managed HSM (Hardware Security Module) support for customer managed keys (CMK) (General Availability)

Azure Key Vault Managed HSM (Hardware Security Module) is a fully managed, highly available, single-tenant, standards-compliant cloud service that enables you to safeguard cryptographic keys for your cloud applications, using FIPS 140-2 Level 3 validated HSMs.  It ensures your data is stored and processed only within the region that hosts the HSM, ensuring data residency. With the latest feature update, you can now use your own HSM-backed encryption keys to protect your data at rest in MySQL – Flexible Server instances. You can generate HSM-backed keys and import the encryption keys from a physical on-premises HSM using CMK’s bring your own key (BYOK) feature while maintaining full control over the keys.

Learn more: Announcement Blog | Documentation | Demo video

Support for up to 8TB in a single table file (General Availability)

We are excited to announce that Azure Database for MySQL – Flexible Server now supports up to 8TB in a single table file! Previously, the service supported up to 4TB in a single table file. This increase in storage capacity reduces the need for table partitioning and simplifies database management. Additionally, the increased storage limit allows customers to scale their tables more efficiently without compromising performance.

Learn more: Documentation

Latest feature roadmap

Feature

Description

Release status

Coming soon! 
(Tentative*)

On-demand backup and export

This feature provides you with the ability to export at-moment physical backup of the server to an Azure storage account (Azure blob storage) using an Azure CLI command.  After export, these backups can be used for data recovery, migration, data redundancy and availability, or auditing. Learn more.

Public Preview

General Availability 

in Q3 CY24

Flexible maintenance options

Building upon our existing system-managed and custom-managed maintenance windows, the following new flexible maintenance options aim to elevate user convenience and operational flexibility in server maintenance: 

Reschedule window: Tailor maintenance schedules to suit your business rhythm. 

On-demand maintenance: Instantly initiate maintenance activities using the Reschedule now option.  

Learn more.

Public Preview

General Availability 

in Q3 CY24

Virtual Canary

The Virtual Canary feature is an exciting solution for Azure MySQL users who prioritize staying at the forefront of technology by making sure that their servers always run the most current version. Servers opted in for virtual canary receive maintenance updates earlier in advance. You can also take advantage of the feature as an opportunity to perform an additional layer of update testing on your dev, test, or staging servers to help avoid workload-specific issues like application-level compatibility issues. The feature thus offers an efficient way to manage updates, align testing and production environments, and maintain operational stability with minimal disruption. 

–

Public Preview

in Q3 CY24

Near-zero downtime maintenance for HA servers

This feature is designed to substantially reduce maintenance downtime for HA-enabled servers, ensuring that in most cases, maintenance downtime is expected to be between 40 to 60 seconds. This capability is pivotal for businesses that demand high availability and minimal interruption in their database operations. Learn more.

Public Preview

General Availability 

in Q4 CY24

MySQL Discovery & Assessment in Azure Migrate

With this functionality, you can use Azure Migrate to discover MySQL servers in your environment, assess them by identifying their compatibility for moving to Azure Database for MySQL, and receive compute and storage SKU recommendations along with their costs. Learn more.

Private Preview

Public Preview

in Q4 CY24

Long Term Retention of Backups

Previously with Azure Database for MySQL, you could retain automated backups and on-demand backups for up to 35 days. With Long Term Retention, you can now retain the backups up to 10 years, further accommodating your audit and compliance needs. Learn more.

Public Preview

General Availability
in Q4 CY24

Error Logs (in Server Logs)

This feature allows you to maintain MySQL error log files under Server logs and download them for up to seven days. These error logs can help you efficiently identify and troubleshoot performance and reliability issues, and proactively detect and respond to unauthorized access attempts, failed login attempts, and other security-related events. Learn more.

Public Preview

General Availability
in Q4 CY24

CMK-enabled support for Accelerated Logs

Accelerated Logs, available with the Business Critical service tier and designed for mission-critical workloads, is a feature provides an increase in throughput of up to two times (2x) for your applications at no additional cost. The feature will soon be supported on servers that have Customer Managed Keys (CMK) enabled.

–

General Availability

in Q4 CY24

*The roadmap features and dates are tentative and subject to change. Please stay tuned for continuous updates.

Conclusion

As we continue to work on new features and functionalities, your feedback is very critical for our improvement. If you wish to enroll in Private Preview for any of the above features, or if you have any suggestions for or queries about our service, email us at AskAzureDBforMySQL@service.microsoft.com.

To learn more about what’s new with Flexible Server, see What’s new in Azure Database for MySQL – Flexible Server. Stay tuned for more updates and announcements by following us on social media: YouTube | LinkedIn | X.

​Microsoft Tech Community – Latest Blogs –Read More 

Hello,

I am using same template for my documents about 3 years. I am using horizontal line in header and footer. By using that i didn’t need to uncheck link to previous while transitioning portrait to landscape. I think with a new update it starts to not working. It still showing no problem in word document but after creating PDF lines are shortened. 

I checked older documents with no problem, but if i create pdf from these documents i will have same problem which occurs recently. 

I am using Office 365, Windows 11 and also using Adobe PDF (but checked with MS edge too). Also tried to do it other 3 or 4 others computers where same problem exist. 

Shortly i think, problems comes from new update of Office 365. Any solution will be appreciated. Sample files added link below.

Files: Help

​Hello, I am using same template for my documents about 3 years. I am using horizontal line in header and footer. By using that i didn’t need to uncheck link to previous while transitioning portrait to landscape. I think with a new update it starts to not working. It still showing no problem in word document but after creating PDF lines are shortened.  I checked older documents with no problem, but if i create pdf from these documents i will have same problem which occurs recently.  I am using Office 365, Windows 11 and also using Adobe PDF (but checked with MS edge too). Also tried to do it other 3 or 4 others computers where same problem exist.  Shortly i think, problems comes from new update of Office 365. Any solution will be appreciated. Sample files added link below. Files: Help  Read More

​

This is a step-by-step guided walkthrough of the extended report experience.

Prerequisites

License requirements for Microsoft Purview Information Protection depend on the scenarios and features you use. To understand your licensing requirements and options for Microsoft Purview Information Protection, see the Information Protection sections from Microsoft 365 guidance for security & compliance and the related PDF download for feature-level licensing requirements.
Before you start, all endpoint interaction with Sensitive content is already being included in the audit logging with Endpoint DLP enabled. For Microsoft 365 SharePoint, OneDrive Exchange, Teams you can enable policies that generate events but not incidents for important sensitive information types.
Install Power BI Desktop to make use of the templates Downloads | Microsoft Power BI

Step-by-step guided walkthrough

In this guide, we will provide high-level steps to get started using the new tooling.

Get the latest version of the report that you are interested in from here. In this case we will show the Board report.
Open the report if Power BI Desktop is installed it should look like this.

You may have to approve the use of ArcGIS Maps if that has not been done before.

You must authenticate with https://api.security.microsoft.com, select Organizational account, and sign in. Then click Connect.

You will also have to authenticate with httpps://api.security.microsoft.com/api/advancedhunting, select Organizational account, and sign in. Then click Connect.

The system will start to collect the information from the built-in queries. Please note that this can take quite some time in larger environments.

When the load completes you should see something like this, in the Legal and Compliance tab. The report provides details on all content that is matching, built-in, and custom Sensitivity types, or any that have been touched by any of the compromised User accounts or Devices in the red box. The report needs to be updated.

7.1 All the reports have diagrams to measure KPI’s that measure the progress of improvement projects. Sample above is in the grey box, where it is measured based on how much sensitive content is accessed by compromised users or devices. This should be adjusted to be based on what resonates with your key objectives.

7.2 The green boxes used for the KPI measurements come from MaxDataSensitiveRisk, MaxDataDevice, MaxDataUser. You can either add a new value or update the current value.

7.2.1 To update the current value by selecting Transform data.

7.2.2 Select Goals, click on the flywheel for Source.

7.2.3 You can now update the values that are stored in the template. If you want to use a different value, you can click the + sign to add additional columns.

7.2.4 When you have made the modifications click Close & Apply.

7.3 Update the blue box high-level description to match the content or replace it with something automatically generated by Copilot, https://learn.microsoft.com/en-us/power-bi/create-reports/copilot-introduction.

7.4 Based on the organization’s requirements filter to only the required Sensitive information types.

7.5 The last part that you may want to update is the incident diagrams. By default, they show the severity and type of attack for incidents linked to access to sensitive data. You may want to map this to incident Tags or other fields based on your requirements.

The Trust & Reputation got a similar build as the Legal and compliance scorecard. Update it based on the requirements for your use case. The initial idea for this report is to show privacy-related data. The impact of having customer data leaking is devastating for the Trust customers have for the organization. Other reputational data points should be added as needed.

The Company & Shareholder Value contains some more information. The goal is to customize this to be bound to the organization’s secrets. Secret drawings, source code, internal financial results dashboards, supply chains, product development and other sensitive information. You may want to filter down to EDM, Fingerprint type SITs and specific trainable classifiers for this report.

9.1 To receive the accurate mapping of the labelled content you need to update the MIPLabel table with your label names and GUIDs.

9.1.2 Select Transform data.

9.1.3 Select MIPLabel, click on the flywheel for Source.

9.1.4 Connect to SCC PowerShell (Connect-IPPSsession)

-Run get-label | select immutableid, DisplayName

-Copy the Output

 9.1.5 You can now update the values that are stored in the template. This ensures that the name mapping of labels works as expected.

9.1.6 The next step is to update the Access to mission-critical systems from compromised devices. Select the SensitiveSystems query. Then click Advanced Editor

9.1.7 Update the list of URLs that contain a system that has high business impact if an attacker has been accessing it. It is important to only use single quotes. Right now, there is no straightforward way to capture the URLs, so we need to do it manually. Once complete click Done.

9.1.8 When completed, click Close & Apply

If the previous steps have been completed the tab for operational scope should be ok. This view provides the organization with information about where Sensitive information is processed. This can help the organization to identify from where the content is being processed by which legal entity and function etc…. Failing this may in fact directly impact if an organization is allowed to operate in a specific market or not. Not knowing this have impact on restructuring the company and other actions to keep the company competitive.

10.1 We have one additional tab that does this based on Sensitivity labels. Called Operational Scope Classified Content.

11. The KPI tabs are more condensed and should be customized to fit with the context of the organization and the leaders to which the information is presented. The key thing is to communicate the information in a context that resonates.

11.1 You will want to update the incident view highlighted in red, switch it to something that works with the audience, it may be one of the Tags or other detail. You also want to be very deliberate about which incidents should generate the data to be shown in this dashboard. One way is to use tags, you may elect to only show incidents that are tagged with PossibleBoard as an example. This may enhance the communication between security teams and the board. By bringing awareness to the analysts the importance of their work and direct correlation with organizational leadership.

11.2 In this sample we have Credit Card in Focus and End user Identifiable, you should replace this with regulator names and the associated sensitive information types. Like SEC, FDA, FCC, NTIA, FCA etc. change the name and update the sensitive information filter.

Additional reports that come with this package

We are shipping a few additional reports that can be used to gain further insights. The Project sample provides this view for label usage. You can modify the targets similarly to you did for the board report.

One additional tip for this report is that you can,

Configure the “Maximum value” to be your target value, create the value in the Goals table.
Set the “Target value” to the value you had over the past period 275 in the case above.

While the incident sample will provide views like this. The incident reporting and progress view provides insights into the analyst process. It provides the overall efficiency metrics and measures to gauge the performance. It provides incident operations over time by different criteria, like severity, mean time to triage, mean time to resolve, DLP Policy, and more. You should customize this view to work with your practices.

The Incident view is by default 6 months while the event data is from the past 30 days. To increase the event data beyond 30 days you can use Microsoft Sentinel. If you on the other hand want to reduce the Incident window you can follow these steps.

Go to transform data
Select the Incident table, view settings by default you will see.

Update this to 30 days by updating the value to this as an example.

4. = OData.Feed(“https://api.security.microsoft.com/api/incidents?$filter=lastUpdateTime gt ” & Date.ToText(Date.AddDays(Date.From(DateTime.LocalNow()),-30), “yyyy-MM-dd”) , null, [Implementation=”2.0″])

The report also has a per workload detailed view like this sample for Exchange Online. The report contains Exchange, SharePoint, OneDrive for Business, Endpoint, Teams and OCR.

Additional configuration to be made

This is required to capture sensitive information that is transferred in Exchange Online or SharePoint Online. Setup captures all DLP policies that do not have any action or raise any alerts. This is also important for the Copilot for Security functionality to work correctly.

Create a custom policy.

Name the policy based on your naming standard and provide a description of the policy.

Select the workloads from where you want to capture sensitive data usage. For devices there is no need, devices are capturing all the sensitive data processing by default. 

Click next.

Click Create rule.

Provide a rule name and click Add condition, then click Content Contains

Then click Sensitive info types, and select all the relevant Sensitive information types that you would like to capture for both internal and external processing. Note, do focus on the sensitive information types that are key to your operations (max 125 per rule). Then click Add, you can add your own custom SITs or make use of the built in SITs.

If you want any other conditions to be true for generating signals like external communications add that condition. Next, ensure that no Action, User notifications, Incident reports or Use email incident reports… are turned on. They should all be turned off.

Setup the Power BI online view

Providing an online view of the data has several benefits. You can delegate access to the dashboard without delegating permissions to the underlying data set. You can also create queries that only show information for a specific division or market and only present that information to that specific market. You can set up a scheduled refresh to refresh the data without having to upload it again.

Follow these steps to set up the integration https://learn.microsoft.com/en-us/azure/sentinel/powerbi#create-a-power-bi-online-workspace.

Posts part of this series

Cyber Security in a context that allows your organization to achieve more
https://techcommunity.microsoft.com/t5/security-compliance-and-identity/cyber-security-in-a-context-that-allows-your-organization-to/ba-p/4120041
Security for Copilot Data Security Analyst plugin https://techcommunity.microsoft.com/t5/security-compliance-and-identity/learn-how-to-customize-and-optimize-copilot-for-security-with/ba-p/4120147 
Guided walkthrough of the Microsoft Purview extended report experience https://techcommunity.microsoft.com/t5/security-compliance-and-identity/guided-walkthrough-of-the-microsoft-purview-extended-report/ba-p/4121083 

​Microsoft Tech Community – Latest Blogs –Read More 

I created several tags in the Asset Rule Management on Aug13th and 14th that have not run yet. How often do the UI tags get applied?

​I created several tags in the Asset Rule Management on Aug13th and 14th that have not run yet. How often do the UI tags get applied?  Read More

​

Hello Everyone,

I want to create an Entra Dynamic Group that will that will look for the Department and the Description attribute.  I have sync’d the “description (group)” and “description (user)” Directory extensions via our AAD Connect but the rule builder still won’t pick up on it.

After sync’ing the attributes I go into Entra -> Groups -> Create New -> select Dynamic.  While building the rule I click the Get Custom Extension Properties button and enter the App ID of my Tenant Schema app.  After this I can see the “extension_<AppID>_description Property to select from.  

However when I put in a matching value the rule validator does not pick up on it.

Microsoft Entra Connect Sync: Directory extensions – Microsoft Entra ID | Microsoft Learn

Is there anything I am missing?

Ultimately I would like to simply create an EXO Dynamic Group that can filter on these, but I cannot find away. 

Thanks for any input.

​Hello Everyone, I want to create an Entra Dynamic Group that will that will look for the Department and the Description attribute.  I have sync’d the “description (group)” and “description (user)” Directory extensions via our AAD Connect but the rule builder still won’t pick up on it. After sync’ing the attributes I go into Entra -> Groups -> Create New -> select Dynamic.  While building the rule I click the Get Custom Extension Properties button and enter the App ID of my Tenant Schema app.  After this I can see the “extension_<AppID>_description Property to select from.   However when I put in a matching value the rule validator does not pick up on it. Microsoft Entra Connect Sync: Directory extensions – Microsoft Entra ID | Microsoft Learn Is there anything I am missing? Ultimately I would like to simply create an EXO Dynamic Group that can filter on these, but I cannot find away.  Thanks for any input.  Read More

​

This is a step-by-step guided walkthrough of how to use the custom Copilot for Security pack for Microsoft Data Security and how it can empower your organization to understand the cyber security risks in a context that allows them to achieve more. By focusing on the information and organizational context to reflect the real impact/value of investments and incidents in cyber. We are working to add this to our native toolset as well, we will update once ready.

Prerequisites

License requirements for Microsoft Purview Information Protection depend on the scenarios and features you use. To understand your licensing requirements and options for Microsoft Purview Information Protection, see the Information Protection sections from Microsoft 365 guidance for security & compliance and the related PDF download for feature-level licensing requirements. You also need to be licensed for Microsoft Copilot for Security, more information here.
Consider setting up Azure AI Search to ingest policy documents, so that they can be part of the process.

Step-by-step guided walkthrough

In this guide we will provide high-level steps to get started using the new tooling. We will start by adding the custom plugin.

Go to securitycopilot.microsoft.com
Download the DataSecurityAnalyst.yml file from here.
Select the plugins icon down in the left corner.

Under Custom upload, select upload plugin.

Select the Copilot for Security plugin and upload the DataSecurityAnalyst.yml file.

Click Add
Under Custom you will now see the plug-in

 The custom package contains the following prompts

 Under DLP you will find this if you type /DLP

Under Sensitive you will find this if you type sensitive

Let us get started using this together with the Copilot for Security capabilities

Anomalies detection sample.
Access to sensitive information by compromised accounts.
Document accessed by possible compromised accounts.
CVE or proximity to ISP/IPTags.
Tune Exchange DLP policies sample.
Purview unlabelled operations.
Applications accessing sensitive content.
Hosts that are internet accessible accessing sensitive content
Exchange incident sample prompt book.
SharePoint sample prompt book.

Anomalies detection sample

The DLP anomaly is checking data from the past 30 days and inspect on a 30m interval for possible anomalies. Using a timeseries decomposition model.

The sensitivity content anomaly is using a slightly different model due to the amount of data. It is based on the diffpatterns function that compares week 3,4 with week 1,2.

Access to sensitive information by compromised accounts.

This example is checking the alerts reported against users with sensitive information that they have accessed.

Who has accessed a Sensitive e-mail and from where?

We allow for organizations to input message subject or message Id to identify who has opened a message. Note this only works for internal recipients.

You can also ask the plugin to list any emails classified as Sensitive being accessed from a specific network or affected of a specific CVE.

Document accessed by possible compromised accounts.

You can use the plugin to check if compromised accounts have been accessing a specific document.

CVE or proximity to ISP/IPTags

This is a sample where you can check how much sensitive information that is exposed to a CVE as an example. You can pivot this based on ISP as well.

Tune Exchange DLP policies sample.

If you want to tune your Exchange, Teams, SharePoint, Endpoint or OCR rules and policies you can ask Copilot for Security for suggestions.

Purview unlabelled operations

How many of the operations in your different departments are unlabelled?  Are any of the departments standing out?

In this context you can also use Copilot for Security to deliver recommendations and highlight what the benefit of sensitivity labels are bringing.

Applications accessing sensitive content.

What applications have been used to access sensitive content? The plugin supports asking for applications being used to access sensitive content. This can be a fairly long list of applications, you can add filters in the code to filter out common applications.

If you want to zoom into what type of content a specific application is accessing.

What type of network connectivity has been made from this application?

Or what if you get concerned about the process that has been used and want to validate the SHA256?

Hosts that are internet accessible accessing sensitive content

Another threat vector could be that some of your devices are accessible to the Internet and sensitive content is being processed. Check for processing of secrets and other sensitive information.

Promptbooks

Promptbooks are a valuable resource for accomplishing specific security-related tasks. Consider them as a way to practically implement your standard operating procedure (SOP) for certain incidents. By following the SOP, you can identify the various dimensions in an incident in a standardized way and summarize the outcome. For more information on prompt books please see this documentation.

Exchange incident sample prompt book

Note: The above detail is currently only available using Sentinel, we are working on Defender integration.

SharePoint sample prompt book

Posts part of this series

Cyber Security in a context that allows your organization to achieve more
https://techcommunity.microsoft.com/t5/security-compliance-and-identity/cyber-security-in-a-context-that-allows-your-organization-to/ba-p/4120041
Guided walkthrough of the Microsoft Purview extended report experience https://techcommunity.microsoft.com/t5/security-compliance-and-identity/guided-walkthrough-of-the-microsoft-purview-extended-report/ba-p/4121083 
How to build the Microsoft Purview extended report experience https://techcommunity.microsoft.com/t5/security-compliance-and-identity/how-to-build-the-microsoft-purview-extended-report-experience/ba-p/4122028 

​Microsoft Tech Community – Latest Blogs –Read More 

Hello,

Our customer requested that to provide a solution for Azure DR. I am not sure how to accomplish this.

Anyone, please help.

Seaniro: 

Primary Site 

West Europe – Qatar Central

Secondery site 

West Europe to  North Europe  

and all are IAAS VM’s 

​Hello, Our customer requested that to provide a solution for Azure DR. I am not sure how to accomplish this.Anyone, please help. Seaniro: Primary Site West Europe – Qatar CentralSecondery site West Europe to  North Europe  and all are IAAS VM’s       Read More

​

Cloud computing has revolutionized the way businesses operate, with many organizations shifting their business-critical services and workloads to the cloud. This transition, and the massive growth of cloud environments, has led to a surge in security issues in need of addressing. Consequently, the need for contextual and differentiated security strategies is becoming a necessity. Organizations need solutions that allow them to detect, prioritize, and address security issues, based on their business-criticality and overall importance to the organization. Identifying an organization’s business-critical assets serves as the foundation to these solutions.

Microsoft is pleased to announce the release of a new set of critical cloud assets classification capability in the critical asset management and protection experience, as part of Microsoft Security Exposure Management solution, and Cloud Security Posture Management (CSPM) in Microsoft Defender for Cloud (MDC). This capability enables organizations to identify additional business-critical assets in the cloud, thereby allowing security administrators and the security operations center (SOC) teams to efficiently, accurately, and proactively prioritize to address various security issues affecting critical assets that may arise within their cloud environments.

Learn more how to get started with Critical Asset Management and Protection in Exposure Management and Microsoft Defender for Cloud: Critical Asset Protection with Microsoft Security Exposure Management, Critical assets protection (Preview) – Microsoft Defender for Cloud

Critical Asset Management experience in Microsoft Defender XDR

Criticality classification methodology

Over the past few months, we, at Microsoft, have conducted extensive research with several key objectives:

Understand and identify the factors that signify a cloud asset’s importance relative to others.
Analyze how the structure and design of a cloud environment can aid in detecting its most critical assets.
Accurately and comprehensively identify a broad spectrum of critical assets, including cloud identities and resources.

As a result, we are announcing the release of a new set of pre-defined classifications for critical cloud assets, encompassing a wide range of asset types, from cloud resources, to identities with privileged permissions on cloud resources. With this release, the total number of business-critical classifications has expanded to 49 for cloud identities and 8 for cloud resources, further empowering users to focus on what matters most in their cloud environments.

In the following sections, we will briefly discuss some of these new classifications, both for cloud-based identities and cloud-based resources, their integration into our products, their objectives, and unique features.

Identities

In cloud environments, it is essential to distinguish between the various role-based access control (RBAC) services, such as Microsoft Entra ID and Azure RBAC. Each service has unique permissions and scopes, necessitating a tailored approach to business-criticality classification.
We will go through examples of new business-critical rules classifying identities with assigned roles both in Microsoft Entra and Azure RBAC:

Microsoft Entra

The Microsoft Entra service is an identity and access management solution in which administrators or non-administrators can be assigned a wide range of built-in or custom roles to allow management of Microsoft Entra resources.

Examples of new business-criticality rules classifying identities assigned with a specific Microsoft Entra built-in role:

Classification: “Exchange Administrator”
Default Criticality Level: “High”

‘Exchange Administrator’ classification in Critical Asset Management in Microsoft Defender XDR

This rule applies to identities assigned with the Microsoft Entra Exchange Administrator built-in role.

Identities assigned this role have strong capabilities and control over the Exchange product, with access to sensitive information through the Exchange Admin Center, and more.

Classification: “Conditional Access Administrator”
Default Criticality Level: “High”

‘Conditional Access Administrator’ classification in Critical Asset Management in Microsoft Defender XDR

This rule applies to identities assigned with the Microsoft Entra Conditional Access Administrator built-in role.
Identities assigned this role are deemed to be of high importance, as it grants the ability to manage Microsoft Entra Conditional Access settings.

Azure RBAC

Azure role-based access control (Azure RBAC) is a system that provides fine-grained access management of Azure resources that helps you manage who has access to Azure resources, what they can do with those resources, and what areas they have access to. The way you control access to resources using Azure RBAC is to assign Azure roles.

Example of a new criticality rule classifying identities assigned with specific Azure RBAC roles:

Classification: “Identities with Privileged Azure Role”
Default Criticality Level: “High”

‘Identities with Privileged Azure Role’ classification in Critical Asset Management in Microsoft Defender XDR

This rule applies to identities assigned with an Azure privileged built-in or custom role.
Assets criticality classification within the Azure RBAC system necessitates consideration of different parameters, such as the role assigned to the identity, the scope in which the role takes effect, and the contextual business-criticality that lies within this scope.

Thus, this rule classifies identities which have a privileged action-permission assigned over an Azure subscription scope, in which a critical asset resides, thereby utilizing contextual and differential security measures. This provides the customer with a cutting-edge criticality classification technique for both Azure built-in roles, and custom roles, in which the classification accurately adapts to dynamic changes inside the customer environment, ensuring a more accurate reflection of criticality.

List of pre-defined criticality classifications for identities in Microsoft Security Exposure Management

Cloud resources

A cloud environment is a complex network of interconnected and isolated assets, allowing a remarkable amount of environment structure possibilities, asset configurations, and resource-identity interconnections. This flexibility provides users with significant value, particularly when designing environments around business-critical assets and configuring them to meet specific requirements.

We will present three examples of the new predefined criticality classifications as part of our release, that will illustrate innovative approaches to identifying business-critical assets.

Azure Virtual Machines

Examples of new criticality rules classifying Azure Virtual Machines:

Classification: “Azure Virtual Machine with High Availability and Performance”
Default Criticality Level: “Low”

‘Azure Virtual Machine with High Availability and Performance’ classification in Critical Asset Management in Microsoft Defender XDR

Compute resources are the cornerstone of cloud environments, supporting production services, business-critical workloads, and more. These assets are created with a desired purpose, and upon creation, the user is presented with several types of configurations options, allowing the asset to meet its specific requirements and performance thresholds.

As a result, an Azure Virtual Machine configured with an availability set, indicates that the machine is designed to withstand faults and outages, while a machine equipped with a premium Azure storage, indicates that the machine should withstand heavy workloads requiring low-latency and high-performance. Machines equipped with both are often deemed to be business-critical.

Classification: “Azure Virtual Machine with a Critical User Signed In”
Default Criticality Level: “High”

‘Azure Virtual Machine with a Critical User Signed In’ classification in Critical Asset Management in Microsoft Defender XDR

Resource-user interconnections within a cloud environment enable the creation of efficient, well-maintained, and least privilege-based systems. These connections can be established to facilitate interaction between resources, enabling single sign-on (SSO) for associated identities and workstations, and more.

When a user with a high or very high criticality level has an active session in the resource, the resource can perform tasks within the user’s scoped permissions. However, if an attacker compromises the machine, they could assume the identity of the signed-in user and execute malicious operations.

Azure Key Vault

Example of a new criticality rule classifying Azure Key Vaults:

Classification: “Azure Key Vaults with Many Connected Identities”
Default Criticality Level: “High”

‘Azure Key Vaults with Many Connected Identities’ classification in Critical Asset Management in Microsoft Defender XDR

Through the complex environments of cloud computing, where different kinds of assets interact and perform different tasks, lies authentication and authorization, supported by the invaluable currency of secrets. Therefore, studying the structure of the environment and how the key management solutions inside it are built is essential to detect business-critical assets.

Azure Key Vault is an indispensable solution when it comes to key, secrets, and certificate management. It is widely used by both business-critical and non-critical processes inside environments, where it plays an integral role in the smoothness and robustness of these processes.

An Azure Key Vault whose role is critical within a business-critical workload, such as a production service, could be used by a high number of different identities compared to other key vaults in the organization, thus in case of disruption or compromise, could have adverse effects on the integrity of the service.

List of pre-defined criticality classifications for cloud resources in Exposure Management

Protecting the crown jewels of your cloud environment

The critical asset protection, identification, and management, lies in the heart of Exposure Management and Defender Cloud Security Posture Management (CSPM) products, enriching and enhancing the experience by providing the customer with an opportunity to create their own custom business-criticality classifications and use Microsoft’s predefined ones.

Protecting your cloud crown jewels is of utmost importance, thus staying on top of best practices is crucial, some of our best practice recommendations:

Thoroughly enabling protections in business-critical cloud environments.
Detecting, monitoring, and auditing critical assets inside the environments, by utilizing both pre-defined and custom classifications.
Prioritizing and executing the remediation and mitigation of active attack paths, security issues, and security incidents relating to existing critical assets.
Following the principle of least privilege by removing any permissions assigned to overprivileged identities, such identities could be identified inside the critical asset management experience in Microsoft Security Exposure Management.

Conclusion

In the rapidly growing and evolving world of cloud computing, the increasing volume of security issues underscores the need of contextual and differentiated security solutions to allow customers to effectively identify, prioritize, and address security issues, thereby the capability of identifying organizations’ critical assets is of utmost importance.

Not all assets are created equal, assets of importance could be in the form of a highly privileged user, an Azure Key Vault facilitating authentication to many identities, or a virtual machine created with high availability and performance requirements for production services.

Protecting customers’ most valuable assets is one of Microsoft’s top priorities. We are pleased to announce a new set of business-critical cloud asset classifications, as part of Microsoft Defender for Cloud and Microsoft Security Exposure Management solutions.

Learn more

Microsoft Security Exposure Management

Start with Exposure Management Documentation, Product website, blogs
Critical Asset Management documentation
Critical Asset Protection and how to get started in Microsoft Security Exposure Management blog post
List of Microsoft’s predefined criticality classifications: Link
Microsoft Security Exposure Management what’s new page

Microsoft Defender for Cloud

Microsoft Defender for Cloud (MDC) plans
Microsoft’s Cloud Security Posture Management (CSPM) documentation
Critical Asset Protection in Microsoft Defender for Cloud (MDC) documentation

​Microsoft Tech Community – Latest Blogs –Read More