Microsoft Learn for Organizations: Jump-start team technical training
It’s no surprise that organizations, teams, and individuals all need technical expertise to succeed. Since today’s teams have limited time to build new skills for their key projects, there’s an increasing demand for technical training that can be covered in self-directed, always-on, digital resources—outside of the classroom. To help meet these team skill-building needs, we’re happy to announce Microsoft Learn for Organizations—a faster, more focused way to help close skill gaps and drive business success across your organization. This valuable resource features curated collections that help take the guesswork out of learning journeys so learners can apply new skills to quickly unblock projects. And this is just the beginning. We’ll make regular updates to include the latest technology and skills, adding collections, features, and more.
What is Microsoft Learn for Organizations?
Microsoft Learn for Organizations serves as the front door to all that Microsoft Learn offers for learners engaged in team training. It’s your trusted source to get your teams skilled up and ready to power AI transformation with the Microsoft Cloud. Its focus is on streamlining what it takes for teams to gain technical skills to meet project and business goals. Resources include:
AI skill-building resources.
Curated collections (for organization leaders and for learners) that link to:
Learning paths and other self-paced content.
On-demand videos and events.
Gamified learning opportunities and skills challenges.
Instructor-led training (ILT) with Training Services Partners (TSPs) to help learners gain tech skills that translate from the classroom to the workplace.
Credentials, including Microsoft Certifications and Microsoft Applied Skills.
Success stories that explore how organizations achieve and benefit from a culture of learning.
Connections to a global community of learners and experts to help broaden expertise.
Which collections are available?
Microsoft Learn for Organizations includes a number of self-paced collections to help jump-start team training and skill up your teams for success. The initial collections include:
Build and modernize with AI. Help accelerate the benefits of AI at your organization by training everyone on this transformational technology.
Accelerate developer productivity. Equip yourself with essential skills to harness transformative AI tools, fostering innovation and accelerating developer productivity.
Get started with organizational skilling. Explore skill-building resources that you can use to start creating a learning culture within your organization.
Migrate and secure Windows Server and SQL Server workloads. Build the skills to guide your organization’s migration to the cloud with a wide variety of training options for Azure.
Migrate enterprise apps. Discover an extensive array of resources designed to help your organization efficiently migrate enterprise applications at scale.
Migrate SAP. Find out how to support your organization’s SAP migration efforts with a selection of skill-building resources.
Power business decisions with cloud-scale analytics. Uncover the potential of cloud-scale analytics to transform data into actionable insights at enterprise scale.
Transform your organization with skills for business professionals. Find out how to strategically apply Microsoft solutions across your organization, using training to empower business users and leaders.
Who can benefit from this new skill-building resource?
This exciting new self-service resource is for all organizations—for-profit or nonprofit, large or small—that want to train their teams and get the most value from their investment in Microsoft products, solutions, and technologies. It can benefit:
Team leaders who need to upskill team members to unblock key tech projects.
Learning managers who are focused on employee development to help meet organizational goals.
Anyone involved in coordinating training programs (formal or informal) who is interested in reducing barriers to technical skill-building.
All learners, especially those who need to accelerate project outcomes with tailored training to fit their learning styles and their demanding schedules, along with a way to certify and validate their newly gained skills.
Ready to jump-start your team training and help close skill gaps?
When you train your teams, develop a learning culture, and promote continuous learning development, it’s good not only for team members but also for your business. Closing tech skill gaps is one of the best ways for individuals to meet their professional goals and for organizations to meet their business goals—it’s a win-win.
Microsoft Learn offers expert and engaging learning experiences that are relevant to real-world challenges that your team members face every day. And Microsoft Learn for Organizations meets your team members wherever they are in their learning journey, to help them gain the technical expertise they need to thrive, demonstrate their expertise through industry-standard credentials, and validate that their skills remain top-notch.
Go to Microsoft Learn for Organizations, explore the collections and other resources, share them with your colleagues, and join the community. Stay tuned for more details as we evolve Microsoft Learn for Organizations to help ensure that your teams can keep up with changing roles and responsibilities, take their skills and projects to the next level, and help drive project and organizational success.
Microsoft Tech Community – Latest Blogs –Read More
Retirement of RBAC Application Impersonation in Exchange Online
Today we are announcing that we will begin blocking the assignment of the ApplicationImpersonation role in Exchange Online to accounts starting in May 2024, and that in February 2025, we will completely remove this role and its feature set from Exchange Online.
Modernizing Application Access
Historically, when you needed to grant an application access to more than its own mailbox in your Exchange organization using Exchange Web Services (EWS), you had limited options.
Simple delegation worked for one-to-one and even some one-to-few scenarios, but when you needed to grant access to many mailboxes, Impersonation was the way to go. Impersonation provided easy and broad access to many mailboxes, but limited options for scoping resources for access, and limited visibility outside of Exchange.
Today, the Microsoft identity platform / application model is the standard way to build apps that integrate with your data in the Microsoft cloud. Registering your app in Microsoft Entra simplifies deployment and adoption, makes permissions clearly visible, and helps to standardize your integrated applications.
How Does This Affect Me?
All apps must have an App Registration, and when using Application permissions (not Delegated), the app must use a secure credential for access.
When using EWS, you still grant the full_access_as_app Application permission, which provides the same level of mailbox access as ApplicationImpersonation. You can use an Application Access Policy to restrict the resources the application can access. You can also use RBAC for Apps to restrict the resources it can access.
Better yet, use Graph, as EWS is going away!
How Do I Find Accounts Using This Type of Access and What Actions Should I Take?
Use Exchange Online PowerShell to check for accounts that have been assigned the ApplicationImpersonation role:
Get-ManagementRoleAssignment -Role ApplicationImpersonation -GetEffectiveUsers
For EWS applications requiring one-to-many mailbox access, ensure the application is configured properly with OAuth to use app-only access.
Implement resource-scoped access using Application Access Policies or Role Based Access Control for Applications in Exchange Online to control mailbox access as needed for your scenario.
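The inventory step above, followed by scoping the replacement app registration with an Application Access Policy, as an added Exchange Online PowerShell example (not part of the Exchange Online Team's post); the app ID, the mail-enabled security group and the test mailboxes are placeholders to replace:

```powershell
# Added example: inventory ApplicationImpersonation assignments, then restrict the
# replacement app registration to only the mailboxes it needs.
# Assumes the Exchange Online PowerShell module and an admin with rights to manage
# application access policies; all IDs and addresses below are placeholders.

Connect-ExchangeOnline

# 1. Who still holds the retiring role? Keep this list for the migration tracker.
$impersonators = Get-ManagementRoleAssignment -Role ApplicationImpersonation -GetEffectiveUsers |
    Select-Object EffectiveUserName, RoleAssigneeName, CustomRecipientWriteScope, WhenCreated
$impersonators | Format-Table -AutoSize

# 2. An app holding full_access_as_app (or Graph application permissions) can reach every
#    mailbox by default. Limit it to a mail-enabled security group that contains only the
#    mailboxes the integration actually serves.
$appId      = '00000000-0000-0000-0000-000000000000'      # placeholder: Entra application (client) ID
$scopeGroup = 'ews-app-allowed-mailboxes@contoso.example'  # placeholder: mail-enabled security group

New-ApplicationAccessPolicy -AppId $appId -PolicyScopeGroupId $scopeGroup `
    -AccessRight RestrictAccess `
    -Description 'Replaces ApplicationImpersonation: app may only access group members'

# 3. Verify the scope: a member of the group is granted, a non-member is denied.
#    AccessCheckResult should read Granted for the first call and Denied for the second.
Test-ApplicationAccessPolicy -Identity 'in-scope-user@contoso.example'     -AppId $appId
Test-ApplicationAccessPolicy -Identity 'out-of-scope-user@contoso.example' -AppId $appId
```

Re-run the first query after February 2025 expectations are met in your tenant to confirm the list is empty before the role is removed.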
The Exchange Online Team
Welcome to the Microsoft Defender Experts Ninja Hub
We’re excited to announce our Microsoft Defender Experts Ninja Hub. We have compiled document guides, videos, and other resources to help you get familiar with our Defender Experts services and stay up to date on the latest from the Defender Experts team.
We’ll update this post as we add resources, so make sure to bookmark this page: https://aka.ms/DefenderExpertsNinjaHub
Microsoft Defender Experts for XDR
Microsoft Defender Experts for XDR is a managed extended detection and response (MXDR) service that triages, investigates, and responds to incidents for you to help stop cyberattackers and prevent future compromise. Defender Experts for XDR delivers human expertise to security teams quickly to help address coverage gaps and augment their overall security operations. The documentation links below provide more information on the service, requirements, and FAQs:
What is Microsoft Defender Experts for XDR offering | Microsoft Learn
Before you begin using Defender Experts for XDR | Microsoft Learn
Get started with Microsoft Defender Experts for XDR | Microsoft Learn
How to use the Microsoft Defender Experts for XDR service | Microsoft Learn
Communicating with Microsoft Defender Experts | Microsoft Learn
How to search the audit logs for actions performed by Defender Experts | Microsoft Learn
Additional information related to Defender Experts for XDR | Microsoft Learn
FAQs related to Microsoft Defender Experts for XDR | Microsoft Learn
Microsoft Defender Experts for Hunting
Microsoft Defender Experts for Hunting proactively looks for threats 24/7/365 using unparalleled visibility of cross-domain telemetry and leading threat intelligence to extend your team’s threat hunting capabilities and improve overall SOC response. The documentation links below provide more information on the service, requirements, and reporting:
What is Microsoft Defender Experts for Hunting offering | Microsoft Learn
Key infrastructure requirements for Microsoft Defender Experts for Hunting | Microsoft Learn
How to subscribe to Microsoft Defender Experts for Hunting | Microsoft Learn
Understand the Defender Experts for Hunting report in Microsoft Defender XDR | Microsoft Learn
Ninja Show episodes featuring Defender Experts
Season 5, Episode 5: Improve your security posture with Microsoft Defender Experts for XDR
Season 3, Episode 4: Defender Experts for Hunting Overview
On-demand event sessions featuring Defender Experts
Microsoft Security Tech Accelerator 2023: Defender Experts in-depth: Running a Modern SOC in the age of LLMs
Microsoft Ignite 2023: Jumpstart your SOC with Microsoft Defender Experts for XDR
Microsoft Webinar: Revolutionize Managed XDR with Microsoft
Microsoft Ignite 2022: Introducing Microsoft Defender Experts for Hunting
Defender Experts videos
Explainer Video: Microsoft Defender Experts for XDR
Explainer Video: Microsoft Defender Experts for Hunting
Video: Adversary in the Middle Hunting Story
Deep dives from the Microsoft Security blog featuring Defender Experts
Microsoft Copilot for Security provides immediate impact for the Microsoft Defender Experts team
Detecting and mitigating a multi-stage AiTM phishing and BEC campaign
Looking for the ‘Sliver’ lining: Hunting for emerging command-and-control frameworks
One way Microsoft Defender Experts for Hunting prioritizes customer defense
Podcasts
Microsoft Security Insights Show Episode 181: Brian Hooper and Phoebe Rogers: A day in the life of a Defender Experts for XDR analyst
Microsoft Security Insights Show Episode 168: Steve Lee, Defender Experts
To learn more about Defender Experts, click here.
Migrating an Azure SQL DB to a SQL MI by utilizing SqlPackage/ADF
Scenario:
We have an Azure SQL DB that needs to be migrated to a SQL MI.
Problem:
At the time of writing this article, the Azure portal doesn't provide a graphical interface to perform such a migration. The problem becomes more complicated with bigger databases (>100 or 150 GB).
Solution:
If the DB size is more than 300 GB, the only logical option at this time is to break the original DB into a few parts and take an export dump of each part via SqlPackage.
However, if the DB size is smaller, up to 150 GB, we may try two techniques: SqlPackage or Azure Data Factory (ADF). Each technique may need to be tweaked depending on the data size and schema complexity.
SqlPackage: at this moment, SqlPackage is the most straightforward way of migrating an Azure SQL DB to a SQL MI, but for bigger DBs (>250 GB) it can run into issues like timeouts or very slow progress that ultimately lead to errors. A slightly modified command, with the timeouts raised, extraction verification disabled, and table data spilled uncompressed to a temp disk, may help even for bigger DBs between 100 and 200 GB (tweak the command below as necessary):
sqlpackage.exe /Action:Export /TargetFile:"E:\Backup\dbexporttest.bacpac" /SourceDatabaseName:dbexporttest_new /SourceServerName:"dbexp-tst-sql-server.database.windows.net" /SourceUser:"sysadminmdA" /SourcePassword:"********" /Diagnostics:True /p:LongRunningCommandTimeout=0 /p:CommandTimeout=2000000 /p:DatabaseLockTimeout=-1 /p:VerifyExtraction=False /p:CompressionOption=NotCompressed /p:TempDirectoryForTableData="M:\dbexporttesttemp" /DiagnosticsFile:"M:\dbexporttest2024.txt"
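The export above wrapped in a script together with the matching import into the SQL MI, as an added example (not from the original post); the source server and database names reuse the post's values, while the MI host name, paths, log file names and the credential prompt are assumptions:

```powershell
# Added example: export the Azure SQL DB to a .bacpac with the tuned timeouts from the post,
# then import it into the SQL MI. Assumes sqlpackage.exe is on PATH and that the same SQL
# login works on both servers (placeholders otherwise).
$sourceServer = 'dbexp-tst-sql-server.database.windows.net'
$sourceDb     = 'dbexporttest_new'
$targetServer = 'arsenal.xxxx.database.windows.net'   # SQL MI host from the post (placeholder)
$bacpac       = 'E:\Backup\dbexporttest.bacpac'
$tempDir      = 'M:\dbexporttesttemp'

# Prompt for the login instead of hard-coding the password in the script file.
$cred     = Get-Credential -Message 'SQL login used for both source and target'
$plainPwd = $cred.GetNetworkCredential().Password

# Export: no command timeouts, no lock timeout, skip post-extraction verification,
# uncompressed table data written to a fast temp disk.
$exportArgs = @(
    '/Action:Export', "/TargetFile:$bacpac",
    "/SourceServerName:$sourceServer", "/SourceDatabaseName:$sourceDb",
    "/SourceUser:$($cred.UserName)", "/SourcePassword:$plainPwd",
    '/p:LongRunningCommandTimeout=0', '/p:CommandTimeout=2000000',
    '/p:DatabaseLockTimeout=-1', '/p:VerifyExtraction=False',
    '/p:CompressionOption=NotCompressed', "/p:TempDirectoryForTableData=$tempDir",
    '/Diagnostics:True', '/DiagnosticsFile:M:\dbexport-export.log'   # assumed log path
)
& sqlpackage.exe @exportArgs
if ($LASTEXITCODE -ne 0) { throw "Export failed with exit code $LASTEXITCODE" }

# Import into the MI with the same long timeouts; the import creates the target database.
$importArgs = @(
    '/Action:Import', "/SourceFile:$bacpac",
    "/TargetServerName:$targetServer", "/TargetDatabaseName:$sourceDb",
    "/TargetUser:$($cred.UserName)", "/TargetPassword:$plainPwd",
    '/p:LongRunningCommandTimeout=0', '/p:CommandTimeout=2000000',
    '/p:DatabaseLockTimeout=-1',
    '/Diagnostics:True', '/DiagnosticsFile:M:\dbexport-import.log'   # assumed log path
)
& sqlpackage.exe @importArgs
if ($LASTEXITCODE -ne 0) { throw "Import failed with exit code $LASTEXITCODE" }
```

The password is still passed on the sqlpackage command line and therefore visible to local process listings while the job runs, so run this from a locked-down jump host rather than a shared machine.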
Azure Data Factory (ADF)- Here’s how this can be attempted via ADF:
Target SQL MI- arsenal.xxxx.database.windows.net
Source Azure SQL DB- yyy.database.windows.net,1433
1) Here are the tables in the Source DB:
2) Here's the target DB with no tables:
3) Create a new pipeline in Data Studio and drag the Copy Data task to the design page as shown below:
4) Click on the source, then Open (pencil icon), then click again on Edit (pencil icon); that opens the edit linked service section as shown below. Fill in the Source Azure SQL DB details and hit Test connection to ensure the linked service can connect to the Source Azure SQL DB.
5) Ensure that the check box below is checked (on the Source Azure SQL DB Networking tab) so that the ADF pipeline can connect to the Azure SQL DB. (If your setup prefers higher security and uses a Private Endpoint, set that up in the Source and Target linked services accordingly.)
6) Now click on the sink and hit the pencil icon on the right to open the Sink section:
7) Now enter the details of the Target SQL MI as shown below:
8) To ensure the linked service can connect to the target SQL MI, make the following changes in the SQL MI NSG as shown below. (Ensure that your laptop IP is allowed; make other changes as necessary.)
9) Ensure the source and target are mapped as shown below. (For the demo I only chose one table, and I had created the empty table in the target for simplicity. You may also use the query option to choose specific or all tables in a schema to perform the migration in batches.)
10) Now validate the pipeline to ensure no errors are found:
Now hit Publish at the top to publish the changes:
11) Now hit Trigger now at the top to trigger the pipeline as shown below (if the pipeline wasn't triggered in the step above):
12) The target MI now contains the table from the source along with the source data, as shown below:
References:
Sqlpackage-
https://learn.microsoft.com/en-us/sql/tools/sqlpackage/sqlpackage?view=sql-server-ver16
SqlPackage Export – SQL Server | Microsoft Learn
Azure Data Factory–
Copy data in bulk using Azure portal – Azure Data Factory | Microsoft Learn
Copy and transform data in Azure SQL Database – Azure Data Factory & Azure Synapse | Microsoft Learn
Enable Change Tracking service for Arc Onboarded machines (Windows and Linux)
Azure Arc simplifies governance and management by delivering a consistent way to manage your entire environment together by projecting your existing multicloud/non-Azure and on-premises resources into Azure Resource Manager.
Azure Arc has benefited multiple customers by simplifying governance and management: it delivers a consistent multi-cloud and on-premises management platform with capabilities such as patch management using Azure Update Manager, security using Defender for Cloud, standardized role-based access control (RBAC), Change Tracking, and more, for resource types hosted outside of Azure such as servers, Kubernetes, and SQL Server. Today, we will discuss and enable the Change Tracking service for Arc-onboarded devices. To learn more about Azure Arc benefits and the onboarding process, refer to the link here.
Let’s look at what the change tracking service does before we activate it.
The Change Tracking and Inventory service tracks changes to files, the registry, Windows software, Linux software (software inventory), and services and daemons. It also supports recursion, which lets you specify wildcards to simplify tracking across directories.
Let’s understand how to enable Change tracking and Inventory feature for Arc Onboarded device.
Note: Please make sure that the arc machines are registered, and their status is shown as connected before you turn on the feature, as seen below.
Go to Azure Policy, then Definitions, and filter the category by Change Tracking and Inventory. You need to enable all the built-in policies present in the Enable Change Tracking and Inventory for Arc-enabled virtual machines initiative, for Arc-enabled Windows and Linux devices respectively.
1. Assign the Configure Windows Arc-enabled machines to install AMA for ChangeTracking and Inventory built-in policy (scope it to the subscription of the Arc-onboarded device). Make sure you have unchecked the parameter, verify the effect is DeployIfNotExists, and create a remediation task. This ensures existing resources can be updated via the remediation task after the policy is assigned. Similarly, assign the Configure Linux Arc-enabled machines to install AMA for ChangeTracking and Inventory built-in policy for Arc-onboarded Linux devices. Once configured using Azure Policy, the Arc machine will have the AMA agent deployed.
2. Assign the Configure Change Tracking Extension for Windows Arc machines built-in policy (scope it to the subscription of the Arc-onboarded device). Follow the same steps as mentioned in point 1. Similarly, assign the Configure Change Tracking Extension for Linux Arc machines built-in policy for Arc-onboarded Linux devices. Once configured using Azure Policy, the Arc machine will have the Change Tracking extension deployed.
Create data collection rule.
a. Download the CtDcrCreation.json file. Go to the Azure portal and, in the search box, enter Deploy a custom template. On the Custom deployment page, under Select a template, select Build your own template in the editor. In Edit template, select Load file to upload the CtDcrCreation.json file, or just copy the JSON and paste it into the template, then select Save.
b. On the Custom deployment > Basics tab, provide the Subscription and Resource group where you want to deploy the Data Collection Rule. The Data Collection Rule Name is optional. Provide the Workspace Resource ID of the Log Analytics workspace (you will find the workspace ID on the overview page of the Log Analytics workspace).
c. Select Review + create > Create to initiate the deployment of CtDcrCreation. After the deployment is complete, select CtDcr-Deployment to see the DCR name. Go to the newly created Data Collection Rule (DCR) named Microsoft Ct-DCR, click on JSON view, and copy the Resource ID.
d. Go to Azure Policy and assign the [Preview]: Configure Windows Arc-enabled machines to be associated with a Data Collection Rule for ChangeTracking and Inventory built-in policy (scope it to the subscription of the Arc-onboarded device). Make sure you have enabled the parameter, paste the Resource ID captured above, and create a remediation task. Similarly, assign the Configure Linux Arc-enabled machines to be associated with a Data Collection Rule for ChangeTracking and Inventory built-in policy for Arc-onboarded Linux devices. Once configured using Azure Policy, the Arc machine will be associated with the Data Collection Rule.
After all the policies are configured and deployed, go to the Arc device and you will see that Change Tracking and Inventory is enabled.
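A verification pass over every Arc-enabled machine, as an added example (not from the original post), that checks the end state the policies above are meant to produce: both extensions installed and the DCR associated. It assumes the Az.ConnectedMachine and Az.Monitor modules; the DCR resource ID is a placeholder and the extension names are assumptions based on the agents these policies deploy.

```powershell
# Added example: report which Arc-enabled machines still lack the Azure Monitor Agent,
# the Change Tracking extension, or the Change Tracking DCR association, so remediation
# gaps are visible before relying on the change data. Placeholders marked inline.
Connect-AzAccount | Out-Null

# Extension names expected per OS (assumed from the policies' deployments; adjust if needed).
$expected = @{
    Windows = @('AzureMonitorWindowsAgent', 'ChangeTracking-Windows')
    Linux   = @('AzureMonitorLinuxAgent',   'ChangeTracking-Linux')
}
# Resource ID copied from the DCR's JSON view (placeholder).
$dcrId = '/subscriptions/<sub-id>/resourceGroups/<rg>/providers/Microsoft.Insights/dataCollectionRules/<dcr-name>'

$report = foreach ($m in Get-AzConnectedMachine) {
    $rg  = ($m.Id -split '/')[4]                     # resource group parsed from the ARM ID
    $ext = Get-AzConnectedMachineExtension -ResourceGroupName $rg -MachineName $m.Name
    $installed = $ext | Where-Object ProvisioningState -eq 'Succeeded' | ForEach-Object Name
    $missing   = $expected[$m.OSType] | Where-Object { $_ -notin $installed }
    $hasDcr    = Get-AzDataCollectionRuleAssociation -TargetResourceId $m.Id |
                 Where-Object { $_.DataCollectionRuleId -eq $dcrId }
    [pscustomobject]@{
        Machine   = $m.Name
        OS        = $m.OSType
        Status    = $m.Status                         # must be Connected for policy to act
        Missing   = ($missing -join ',')
        DcrLinked = [bool]$hasDcr
        Ready     = ($m.Status -eq 'Connected' -and -not $missing -and [bool]$hasDcr)
    }
}
$report | Format-Table -AutoSize
# Machines that still need a remediation task (or reconnecting) before Change Tracking works:
$report | Where-Object { -not $_.Ready }
```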
Securing your Azure Networks with AVNM Security Admin Rules and VNet Flow Logs
Introduction
Organizations adopting Microsoft Azure strive for a balance between providing application teams with the freedom to innovate while maintaining the security posture of the organization. Azure Virtual Network Manager provides Security Admin Rules to help achieve that goal. Security Admin Rules allow an organization to centrally manage the network security of its virtual networks to maintain compliance with its policies while giving business units the option to manage the network security of their individual workloads.
Before we dive into how Security Admin Rules work, let’s first do a refresher of the basics of Azure Virtual Network Manager.
Azure Virtual Network Manager Foundations
An Azure Virtual Network Manager instance (Network Manager) is deployed to a region. The scope of management of a Network Manager is determined by a combination of its resource scope and its functional scope.
The resource scope represents the subscription or subscriptions a Network Manager can manage. Resource scopes can include management groups to manage groups of subscriptions or it can be configured to manage individual subscriptions. The image below provides an example of how an organization could configure the resource scope of a Network Manager.
The functional scope determines which types of configurations the Network Manager will support. Today, there are two functional scopes for management of virtual networks: Connectivity and Security Admin. Connectivity Configurations are used to manage the desired topology of virtual networks’ connectivity and Security Admin Configurations are used to manage the network security of virtual networks across an organization’s Azure estate. You can apply multiple Network Managers to the same resource scope only if the functional scope is different.
Virtual networks that are within the resource scope of the Network Manager can be added into a logical grouping referred to as a Network Group. Network Groups contain one or more virtual networks and are used by applying a Connectivity or Security Admin Configuration to one or more Network Groups (hence to multiple virtual networks). Virtual networks are added to Network Groups manually or dynamically. When added dynamically through the use of Azure Policy, virtual networks can be conditionally added to Network Groups, automatically connecting or securing those virtual networks depending on the configurations deployed to the Network Group. Connectivity and Security Admin Configurations are only applied to virtual networks that are both within the resource scope and members of a Network Group that is targeted by a configuration.
A Connectivity Configuration enforces either a mesh or hub and spoke network topology across one or more Network Groups. In a mesh topology, all virtual networks are connected to each other. In a hub and spoke topology, all virtual networks are connected as spokes to a hub virtual network and can optionally be connected with each other within their respective network groups.
A Security Admin Configuration contains one or more security admin rule collections. Each rule collection contains one or more security admin rules. Network Groups are associated to one or more rule collections, which apply the security admin rules to the member virtual networks of its associated Network Group(s).
Security Admin Rules are similar to Network Security Group security rules in that they operate at layer 4 of the OSI model and support 5-tuple rules. Security Admin Rules differ in that they support the AlwaysAllow action in addition to Allow or Deny, and are applied on virtual networks. I will demonstrate a variety of scenarios using Security Admin Rules in this blog.
In order for a configuration to be applied to a virtual network, the configuration must be deployed to the region the virtual network is in. Per Network Manager instance, a single Security Admin Configuration and multiple Connectivity Configurations can be deployed per region.
Security Admin Rules and Network Security Groups
The key benefit of Security Admin Rules is that they are processed before the rules within a Network Security Group, because they are evaluated at the virtual network level rather than at the subnet or network interface level like a Network Security Group. This gives an organization the ability to establish a core set of “guardrail” rules while giving application teams freedom to configure Network Security Groups to their own requirements.
The visual below illustrates how Security Admin Rules work with Network Security Group security rules. If a Security Admin Rule uses the Allow action, the traffic is passed on to downstream Network Security Groups where it can be allowed or denied as needed. When a Security Admin Rule uses a Deny action, the traffic is denied at the Security Admin Rule even if the Network Security Group allows the traffic. Security Admin Rules using the AlwaysAllow action will allow the traffic even if the Network Security Group denies the traffic.
Practical use cases include:
Protecting high-risk ports by default for all new and existing virtual networks.
Ensuring critical infrastructure services traffic such as DNS and Windows Active Directory can’t be mistakenly blocked.
Ensuring security signals from applications and virtual machines cannot be blocked when being delivered to a security information and event management (SIEM) solution.
Providing support for SSH and RDP traffic to application teams while limiting the source of that traffic to a secure enclave of jump servers.
Allowing traffic from trusted boundaries by default unless application teams deny it.
Lab Environment
For the demonstrations included in this blog post, the lab environment below was utilized. The virtual network named vnetmgmt74188 contains two virtual machines. The machine named vm1mgmt74188 emulated a trusted machine and the other machine named vm2mgmt74188 emulated an untrusted machine.
The other three virtual networks emulated application team virtual networks. The network named vnets-r174188 emulated a virtual network with a workload storing or processing sensitive data, vnetp-r174188 emulated a production virtual network, and vnetnp-r174188 emulated a non-production virtual network.
Each virtual network contained a single virtual machine running a web server that was secured by a Network Security Group associated to the subnet.
AlwaysAllow Demonstration
In this scenario, the organization’s Central IT team must ensure that network traffic from production workloads to critical infrastructure services cannot be mistakenly blocked by a misconfiguration of a Network Security Group. DNS is considered a critical infrastructure service for the organization and is provided by a 3rd-party DNS service hosted at 1.1.1.1.
The scenario goal is pictured below:
The Network Security Group configured by an application team has mistakenly been configured to block DNS traffic to the organization’s preferred DNS service, as seen in the image below.
When a DNS lookup is performed on the production virtual machine directed to the DNS service, the request times out due to it being blocked by the security rule configured in the Network Security Group.
The Central IT team creates an instance of Azure Virtual Network Manager and sets its resource scope to a management group that all of the application team subscriptions are children of. It then creates a new Security Admin Configuration and adds a rule collection. The rule collection is associated with a Network Group that uses Azure Policy to automatically manage its membership based on virtual networks containing the tag environment=production. Contained in this rule collection is a Security Admin Rule, which uses the AlwaysAllow action to allow outbound DNS traffic destined to the organization’s DNS service.
The Central IT team creates a new Azure Policy definition that applies to any virtual networks with the tag environment=production. The Azure Policy is assigned to the same management group the Network Manager is scoped to.
"policyRule": {
  "if": {
    "allOf": [
      {
        "field": "type",
        "equals": "Microsoft.Network/virtualNetworks"
      },
      {
        "allOf": [
          {
            "field": "tags['environment']",
            "equals": "production"
          }
        ]
      }
    ]
  },
  "then": {
    "effect": "addToNetworkGroup",
    "details": {
      "networkGroupId": "/subscriptions/XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX/resourceGroups/rg-demo-avnm-mgmt74188/providers/Microsoft.Network/networkManagers/avnm-central74188/networkGroups/ng-prod"
    }
  }
}
After Azure Policy is assigned and policy evaluation takes place, the production virtual network is dynamically added into this Network Group.
The Central IT team deploys the Security Admin Configuration to the desired Azure region. A short time later, DNS queries to the organization’s DNS service running at 1.1.1.1 are successful, demonstrating the Security Admin Rule with the AlwaysAllow action is indeed allowing the traffic.
Deny Demonstration
In this scenario, the organization has a requirement to ensure all web-based communication with production workloads that store or process sensitive data is encrypted. Production workloads that do not store or process sensitive data do not have this requirement and it should not be enforced on those workloads.
The scenario goal is pictured below.
A Network Security Group has been configured by the application team to allow HTTP to a production workload storing sensitive data, which does not align with the organization’s security policy.
Running curl against the virtual machine from one of the demonstration machines successfully returns the “Hello World” webpage, indicating the Network Security Group is allowing HTTP traffic.
The Central IT team does not need to create another Security Admin Configuration to satisfy this requirement. Instead, it uses the existing Security Admin Configuration and creates a new rule collection that will block this unencrypted network flow. It is associated with another Network Group that uses Azure Policy to automatically manage its membership based on virtual networks containing the tags environment=production and classification=sensitive. Contained in the rule collection is a Security Admin Rule, which uses the Deny action to block HTTP traffic.
The Central IT team creates a new Azure Policy definition that applies to any virtual networks with the tags environment=production and classification=sensitive. The Azure Policy is assigned to the same management group the Network Manager is scoped to.
"policyRule": {
  "if": {
    "allOf": [
      {
        "field": "type",
        "equals": "Microsoft.Network/virtualNetworks"
      },
      {
        "allOf": [
          {
            "field": "tags['environment']",
            "equals": "production"
          },
          {
            "field": "tags['classification']",
            "equals": "sensitive"
          }
        ]
      }
    ]
  },
  "then": {
    "effect": "addToNetworkGroup",
    "details": {
      "networkGroupId": "/subscriptions/XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX/resourceGroups/rg-demo-avnm-mgmt74188/providers/Microsoft.Network/networkManagers/avnm-central74188/networkGroups/ng-sensitive"
    }
  }
}
After Azure Policy is assigned and policy evaluation takes place, the production virtual network containing sensitive workloads is dynamically added into this Network Group.
The Central IT team re-deploys the Security Admin Configuration to the desired Azure region. A short time later, HTTP requests made with curl from the demonstration virtual machine time out because the connection is blocked, demonstrating that the Security Admin Rule with the Deny action blocks the traffic.
Allow Demonstration
In this scenario, the organization must ensure that remote access to both production and non-production workloads is supported, but only when coming from a trusted enclave of jump servers. The Central IT team should allow application teams to determine if this type of access is needed for their workload. The application team has determined that this traffic is not required for their Production Workload A, but should be supported for their Non-Production Workload B.
The scenario goals are pictured below.
The Central IT team can use the existing Security Admin Configuration to satisfy these requirements. It will add additional rules to the existing production rule collection. A Security Admin Rule with the Allow action will allow SSH traffic from the trusted security enclave, while a lower-priority rule will deny SSH from all sources. A new rule collection for non-production will be created and associated with a new Network Group that uses Azure Policy to automatically manage its membership based on virtual networks containing the tag environment=nonproduction. This rule collection will contain the same two new rules as the production rule collection.
The Central IT team creates a new Azure Policy definition that applies to any virtual networks with the tag environment=nonproduction. The Azure Policy is assigned to the same management group the Network Manager is scoped to.
"policyRule": {
  "if": {
    "allOf": [
      {
        "field": "type",
        "equals": "Microsoft.Network/virtualNetworks"
      },
      {
        "allOf": [
          {
            "field": "tags['environment']",
            "equals": "nonproduction"
          }
        ]
      }
    ]
  },
  "then": {
    "effect": "addToNetworkGroup",
    "details": {
      "networkGroupId": "/subscriptions/XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX/resourceGroups/rg-demo-avnm-mgmt74188/providers/Microsoft.Network/networkManagers/avnm-central74188/networkGroups/ng-nonprod"
    }
  }
}
After Azure Policy is assigned and policy evaluation takes place, the non-production virtual networks are dynamically added into the Network Group.
The Central IT team re-deploys the Security Admin Configuration to the desired Azure region.
The application team configured the Network Security Group protecting Production Workload A to block all SSH traffic.
Attempts to SSH from a virtual machine in a trusted enclave to Production Workload A time out because it is denied by the Network Security Group. This demonstrates how the traffic must be allowed by both the Network Security Group and the Security Admin Rule when the Allow action is used.
The application team configured the Network Security Group protecting Non-Production Workload A to allow SSH traffic from all sources.
Attempts to SSH from an untrusted virtual machine to Non-Production Workload A time out because the untrusted virtual machine is not a source included in the Security Admin Rule with the Allow action. It is instead matched to the lower-priority Deny rule, which causes the traffic to be blocked.
Attempts to SSH from a trusted virtual machine to Non-Production Workload A are successful because it matches the Security Admin Rule with the Allow action and is allowed by the Network Security Group.
Multiple Azure Virtual Network Managers
In this scenario, one of the organization’s business units has requested an Azure Virtual Network Manager instance to use to manage their subscriptions. Central IT must maintain their instance to ensure compliance with organizational security policy.
Azure Virtual Network Manager supports multiple instances as long as those Network Managers are applied at different scopes. In the scenario above, Central IT would set the resource scope of their instance higher up in the management group structure than where the business unit would assign its resource scope.
The architecture is pictured below.
The business unit builds an instance with a Security Admin Configuration containing a rule collection that applies to a new Network Group in the Network Manager for virtual networks running non-production workloads. The Network Group will use Azure Policy to automatically manage its membership based on the virtual networks with the tag environment=nonproduction. The policy uses logic similar to the policy seen earlier.
The rule collection contains a single Security Admin Rule that has been mistakenly configured with the AlwaysAllow action to allow all inbound SSH traffic even if the Network Security Group is configured to block it.
The application team deploys the Security Admin Configuration to the relevant Azure regions.
An attacker attempts to SSH into a non-production workload from an untrusted machine. The traffic is denied and the attacker is prevented from establishing the session.
The connection fails because, when multiple Network Managers apply to a virtual network and Security Admin Rules from the two instances conflict, the rule from the higher-scope Network Manager is applied. In this scenario, the Central IT instance is applied at a higher management scope than the business unit instance, so the traffic is blocked because its source is an untrusted machine.
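The rule actions and the higher-scope-wins behaviour shown in the Deny, Allow and multiple-manager scenarios above can be modelled in a few lines. The following Python is an added example and is not Azure's evaluation code; it assumes the rule collections that apply to one virtual network are flattened into one list per Network Manager, that the lowest priority number is evaluated first, and that the manager with the smallest management-group depth decides when more than one has a matching rule. The manager names, rule names and addresses are constructed for the example.

```python
"""Model of how Security Admin Rules and Network Security Groups combine.

Added example, not Azure's evaluation code. Assumptions: the rule collections that
apply to one virtual network are flattened into one list per Network Manager; the
lowest priority number is evaluated first; AlwaysAllow and Deny are final; Allow
hands the flow to the NSG; when several Network Managers have a matching rule, the
one with the smallest scope depth (highest management-group scope) decides.
Manager names, rule names and addresses below are constructed.
"""
from dataclasses import dataclass
from enum import Enum
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


class Action(Enum):
    ALWAYS_ALLOW = "AlwaysAllow"   # allowed even if the NSG blocks the flow
    ALLOW = "Allow"                # allowed only if the NSG also allows the flow
    DENY = "Deny"                  # blocked regardless of the NSG


@dataclass(frozen=True)
class Rule:
    name: str
    priority: int                  # lower number = evaluated first
    action: Action
    dst_port: int
    sources: Tuple[str, ...]       # source CIDRs; "0.0.0.0/0" means any source

    def matches(self, src_ip: str, dst_port: int) -> bool:
        return dst_port == self.dst_port and any(
            ip_address(src_ip) in ip_network(cidr) for cidr in self.sources)


@dataclass(frozen=True)
class NetworkManager:
    name: str
    scope_depth: int               # 0 = root management group; larger = narrower scope
    rules: Tuple[Rule, ...]

    def first_match(self, src_ip: str, dst_port: int) -> Optional[Rule]:
        for rule in sorted(self.rules, key=lambda r: r.priority):
            if rule.matches(src_ip, dst_port):
                return rule
        return None


@dataclass(frozen=True)
class Verdict:
    allowed: bool
    decided_by: str                # "<manager>/<rule>" or "NSG"


def evaluate(managers: List[NetworkManager], nsg_allows: bool,
             src_ip: str, dst_port: int) -> Verdict:
    """Security Admin Rules run before the NSG; the NSG decides only after an
    Allow or when no admin rule matches the flow."""
    matches = [(m, m.first_match(src_ip, dst_port)) for m in managers]
    matches = [(m, r) for m, r in matches if r is not None]
    if matches:
        # On a conflict between instances the higher-scope manager's rule applies.
        mgr, rule = min(matches, key=lambda mr: mr[0].scope_depth)
        if rule.action is Action.ALWAYS_ALLOW:
            return Verdict(True, f"{mgr.name}/{rule.name}")
        if rule.action is Action.DENY:
            return Verdict(False, f"{mgr.name}/{rule.name}")
    return Verdict(nsg_allows, "NSG")


TRUSTED_ENCLAVE = "10.100.0.0/24"      # constructed jump-server range
ANY = "0.0.0.0/0"

# Central IT instance at the top of the management-group tree: the production SSH
# rules plus the HTTP deny from the sensitive-data rule collection.
CENTRAL_IT = NetworkManager("avnm-central", 0, (
    Rule("allow-ssh-trusted", 100, Action.ALLOW, 22, (TRUSTED_ENCLAVE,)),
    Rule("deny-ssh-all", 200, Action.DENY, 22, (ANY,)),
    Rule("deny-http", 110, Action.DENY, 80, (ANY,)),
))

# Business-unit instance scoped lower down, carrying the mistaken AlwaysAllow rule.
BUSINESS_UNIT = NetworkManager("avnm-bu", 2, (
    Rule("always-allow-ssh", 100, Action.ALWAYS_ALLOW, 22, (ANY,)),
))

if __name__ == "__main__":
    both = [CENTRAL_IT, BUSINESS_UNIT]
    print(evaluate(both, False, "10.100.0.4", 22))      # trusted source, NSG blocks: NSG denies
    print(evaluate(both, True, "203.0.113.10", 22))     # untrusted source: Central IT deny wins
    print(evaluate([BUSINESS_UNIT], False, "203.0.113.10", 22))  # BU alone: NSG bypassed
```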
Virtual Network Flow Logs and Azure Virtual Network Manager Security Admin Rules
Organizations frequently have the requirement to log when network traffic is allowed or denied, both to satisfy regulatory requirements and to assist with troubleshooting in day-to-day operations. Traffic that is processed by an Azure Virtual Network Manager Security Admin Rule can be logged using VNet Flow Logs. VNet Flow Logs are a feature of Network Watcher and log information about the IP traffic coming in and out of a virtual network for supported workloads. This includes IP traffic processed by Network Security Groups and Security Admin Rules. It also supports evaluating the encryption status of network traffic in scenarios where virtual network encryption is used.
In this scenario we will explore how to use VNet Flow Logs to determine whether traffic is being blocked by a Security Admin Rule or by a Network Security Group.
VNet Flow Logs must be enabled on each virtual network. As of the date of this post, VNet Flow Logs are in Public Preview and available in a limited set of regions. Once onboarded into the preview, the VNet Flow Log must be configured on the virtual network. The logs are delivered to an Azure Storage Account in this demonstration but can also be delivered to Network Watcher Traffic Analytics to provide additional insights around risky flows and top talkers.
In the command below, the production virtual network is enabled for VNet Flow Logs.
After the VNet Flow Logs are enabled, an attempt is made to establish an SSH connection to a workload in the production virtual network from one of the jump hosts in the trusted enclave. The SSH connection times out because it is blocked by either a Security Admin Rule or a Network Security Group.
Let’s explore how VNet Flow Logs can be used to determine which type of rule is blocking the traffic.
Within the Azure Storage Account a new container has been created named insights-logs-flowlogflowevent. This is the container where VNet Flow Logs are stored.
The latest VNet Flow Log is downloaded from the Azure Storage Account and reviewed. Searching for the jump server’s IP identifies a flow record for the virtual network the workload is in, at the time the SSH connection was attempted. The aclId property indicates the resource that evaluated the flow. In this case we see that it is a Network Security Group named nsgp-pri-r169341. The rule property indicates the name of the security rule that evaluated the traffic, which was named block-all. In the flowTuples array, the highlighted record indicates the SSH traffic from the trusted jump server was denied.
Let’s look at another scenario where the application team is having issues running load tests against their production application.
The latest VNet Flow Log is again downloaded from the Azure Storage Account. A search for the IP address used by the load testing service identifies a flow record for the virtual network the workload is in at the time the testing was performed. Here the aclId property indicates that the Network Manager Security Admin Configuration, with a rule collection named rc-prod, evaluated the traffic. The traffic from the load testing service was denied by a rule named DenyHttp.
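The lookup performed by hand above (find the flows from the jump server or the load-testing service, read aclId and rule, and check the flow tuple's state) can be scripted. The following Python is an added example, not part of the original post; the record layout, the 13-field flow-tuple order with the flow state in the eighth field and "D" meaning denied, and the resource IDs in the sample are assumptions and constructed values modelled on the VNet Flow Log schema.

```python
"""Find denied flows in a VNet Flow Log and report whether a Network Security
Group or a Network Manager rule collection evaluated them.

Added example, not part of the original post. The record layout and the flow-tuple
field order are assumptions modelled on the Network Watcher VNet Flow Log schema;
the records, addresses and resource IDs below are constructed for this example.
"""
import json
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample (subscription id is a placeholder): one NSG with a block-all
# rule and an allow-https rule, and one Network Manager rule collection rc-prod.
SUB = ("/subscriptions/00000000-0000-0000-0000-000000000000"
       "/resourceGroups/rg-demo/providers/Microsoft.Network")
SAMPLE_FLOW_LOG = json.dumps({"records": [{
    "time": "2024-02-20T10:15:03.0000000Z",
    "category": "FlowLogFlowEvent",
    "targetResourceID": f"{SUB}/virtualNetworks/vnet-prod",
    "flowRecords": {"flows": [
        {"aclId": f"{SUB}/networkSecurityGroups/nsg-example",
         "flowGroups": [
             # jump server 10.100.0.4 -> workload 10.10.0.5, TCP/22 inbound, state D
             {"rule": "block-all", "flowTuples": [
                 "1708424103000,10.100.0.4,10.10.0.5,52144,22,6,I,D,NX,0,0,0,0"]},
             # same workload, TCP/443 inbound, state B (flow began, i.e. allowed)
             {"rule": "allow-https", "flowTuples": [
                 "1708424111000,20.50.60.70,10.10.0.5,40023,443,6,I,B,NX,3,180,2,120"]},
         ]},
        {"aclId": f"{SUB}/networkManagers/avnm-example/securityAdminConfigurations"
                  "/sac-example/ruleCollections/rc-prod",
         "flowGroups": [
             # load-testing service 20.50.60.70 -> workload, TCP/80 inbound, state D
             {"rule": "DenyHttp", "flowTuples": [
                 "1708424110000,20.50.60.70,10.10.0.5,40022,80,6,I,D,NX,0,0,0,0"]},
         ]},
    ]},
}]})


@dataclass(frozen=True)
class DeniedFlow:
    time_ms: int
    src_ip: str
    dst_ip: str
    dst_port: int
    direction: str        # I = inbound, O = outbound
    evaluator: str        # NetworkSecurityGroup | NetworkManagerRuleCollection | Unknown
    evaluator_name: str   # last path segment of aclId, e.g. nsg-example or rc-prod
    rule: str


def classify_acl(acl_id: str) -> str:
    """Tell an NSG resource id from a Network Manager rule-collection id by its path."""
    if "/networkSecurityGroups/" in acl_id:
        return "NetworkSecurityGroup"
    if "/networkManagers/" in acl_id:
        return "NetworkManagerRuleCollection"
    return "Unknown"


def denied_flows(flow_log_json: str, source_ip: Optional[str] = None) -> List[DeniedFlow]:
    """Return every flow tuple whose state is D, optionally only those from source_ip."""
    found: List[DeniedFlow] = []
    for record in json.loads(flow_log_json).get("records", []):
        for flow in record.get("flowRecords", {}).get("flows", []):
            acl_id = flow.get("aclId", "")
            for group in flow.get("flowGroups", []):
                for tup in group.get("flowTuples", []):
                    f = tup.split(",")
                    if len(f) < 8:
                        continue  # malformed tuple: skip it rather than abort the scan
                    if f[7] != "D" or (source_ip and f[1] != source_ip):
                        continue
                    found.append(DeniedFlow(int(f[0]), f[1], f[2], int(f[4]), f[6],
                                            classify_acl(acl_id),
                                            acl_id.rsplit("/", 1)[-1],
                                            group.get("rule", "")))
    return found


if __name__ == "__main__":
    for d in denied_flows(SAMPLE_FLOW_LOG):
        print(f"{d.src_ip} -> {d.dst_ip}:{d.dst_port} denied by "
              f"{d.evaluator} {d.evaluator_name}, rule {d.rule}")
```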
Putting It All Together
In this blog post, you’ve seen how Azure Virtual Network Manager Security Admin Rules, Network Security Groups, and VNet Flow Logs work together to enable organizations to secure their Azure estate. With Security Admin Rules, Central IT can install guardrails to ensure its organizational network security controls are enforced while giving application teams the flexibility to manage the network security of their applications using Network Security Groups. VNet Flow Logs give the entire organization centralized visibility into how traffic is evaluated and processed across these products. This approach provides the network security and visibility organizations need without sacrificing agility.
Microsoft Tech Community – Latest Blogs –Read More
Introducing Microsoft Entra License Utilization Insights
Over 800,000 organizations rely on Microsoft Entra to navigate the ever-changing threat landscape, ensuring their security while enhancing the productivity of their end users. Customers have frequently expressed their desire for greater transparency into their Entra usage, with licensing being a particularly popular request. Today, we’re excited to announce the public preview of Microsoft Entra license utilization portal, a new feature that enables customers to optimize their Entra ID Premium licenses by providing insights into the current usage of premium features.
In this post, we’ll provide an overview of Entra ID license utilization, including what it is, how it works, and how you can optimize your license to get the most out of your Entra ID Premium Licenses.
The Entra ID License utilization portal allows you to see how many Entra ID P1 and P2 licenses you have and the usage of the key features corresponding to the license type. We’re thrilled that Conditional Access and risk-based Conditional Access usage are available as part of the public preview, and this will be expanded to include usage of other SKUs and corresponding features at general availability. This perspective is an initial stride towards empowering you to understand your license count and the value you extract from your Entra license. It also aids in addressing any over-usage issues that might emerge in your tenants.
Try the public preview
The license utilization & insights portal is available under the “Usage & Insights” blade.
This portal provides you with insights into the top features you’re using that correspond with your Entra ID Premium P1 and P2 licenses (as applicable). You can leverage these insights to secure and govern your users while ensuring you comply with the licensing terms and conditions. Here is a screenshot of the feature usage view you can see in the Entra portal:
What’s next?
We’ll continue to extend this transparency into Entra usage and would love to hear your feedback on this new capability, as well as what would be most useful to you.
Shobhit Sahay
Learn more about Microsoft Entra:
See recent Microsoft Entra blogs
Dive into Microsoft Entra technical documentation
Join the conversation on the Microsoft Entra discussion space and Twitter
Learn more about Microsoft Security
Microsoft Secure 2024: Showcasing new generative AI cybersecurity features to help you defend
AI, in the wrong hands, fuels sophisticated attacks exploiting system vulnerabilities. In the right hands, it empowers defenders, giving organizations a decisive advantage.
Security practitioners – don’t miss Microsoft Secure on March 13, 2024. Join us for a two-hour digital event from 9:00 AM to 11:00 AM PST where our experts share insights, practices, and most importantly—new technology—to safeguard your organization.
Through the security keynote and demos, you’ll gain product knowledge and discover new offerings from the Microsoft Security portfolio, including AI for security, securing AI, and exposure management.
Here’s a sneak peek of what you can expect from this event:
Security keynote: The future of security is here
We’ll kick off at 9:00 AM PST with an announcement-packed keynote from Vasu Jakkal, CVP, Microsoft Security Business and Charlie Bell, EVP, Security Engineering. They will share how Microsoft is innovating to help you stay ahead of the curve.
One of the highlights of the keynote will be new customizable features in Microsoft Copilot for Security and new ways to try it. Use Copilot for Security to automate and optimize your security workflows, reduce alert fatigue, and enhance your threat intelligence.
Plus, Vasu and Charlie will share more product innovations in exposure management, as well as across Microsoft Purview, Microsoft Defender, and Microsoft Entra to help you secure and govern AI.
Breakout/demo sessions: Dive deeper into the security topics that matter to you
After the keynote, join three informative demo sessions to gain a deeper understanding of the latest security innovations from Microsoft. Below are the topics:
9:30 – 10:00 PST | Microsoft Copilot for Security: Tailoring defense with AI
In this session, you’ll see Microsoft Copilot for Security in action and learn how to initiate it and use its customizable features to fit your security needs. You’ll also get tips and tricks on how to leverage Copilot’s AI capabilities to enhance your security posture and performance.
10:00 – 10:30 PST | Secure and govern AI to enable responsible adoption
In this session, you’ll learn how to leverage Microsoft built-in security and compliance controls in ensuring AI helps with challenges such as preventing oversharing, data leaks, and misuse.
10:30 – 11:00 PST | Stay ahead of threats with proactive posture management
In this session, you’ll learn how to detect, disrupt, and prevent threats in near real-time with Microsoft’s security operations platform.
Don’t miss this opportunity to learn, connect, and grow
Microsoft Secure 2024 is more than just an event—it’s an opportunity to be the first to see what we’re building to help you secure your organization. Whether you are new to security or a seasoned professional, you’ll find something valuable and relevant to help you take your security to the next level.
So don’t wait. Register today and join us on March 13, 2024 from 9:00 AM – 11:00 AM PST, for the ultimate AI security showcase.
Want more after Secure?
Practitioners can also join the Microsoft Secure Tech Accelerator post-event right here on Tech Community on April 3, 2024. The one-day live event gives you deeper technical information on implementation and a chance to ask our team questions. Learn more, RSVP, and build your schedule.
And if you’re attending RSA Conference 2024 in San Francisco, join us for Pre-Day on May 5, 2024 to connect with our product experts in person about the announcements at Microsoft Secure and more announcements at RSA Conference.
Accelerate developer onboarding with the configuration-as-code customization in Microsoft Dev Box
As developers, we all know how long and tedious it can be to onboard to a new project. We have heard feedback from customers that it can take as long as 3-5 days to get a dev workstation up and running once a machine is in hand. Manual setup of dev environments can be error-prone, time consuming (involving many readmes), and a real point of frustration. The good news is that it doesn’t have to be this way.
Instead of waiting to get into the flow and do meaningful work, developers should be able to spend most of their time focused on their code. At Microsoft, we want to make the dev experience better, and one way to do this is by automating setup of developer environments on Microsoft Dev Box with a configuration-as-code model. Today, I am excited to announce that the Microsoft Dev Box configuration-as-code customization feature is now in preview.
Configuration-as-code customization overview
Dev Box provides developers with on-demand access to cloud-based workstations that can be preconfigured by dev teams for different projects, cutting developer onboarding times from days to minutes. Now, you can use customization in Microsoft Dev Box to take your workstation the last mile and get a more fully personalized and ready-to-code machine. Dev Box uses VM images to define its ready-to-code dev boxes, and config-as-code customization features build on top of these base images. This enables developers to create custom configurations for their team or themselves that automate common setup and onboarding tasks as code. As a result, the process of defining what you need on a dev box can be as easy as submitting a code change.
But customization doesn’t only help streamline dev workflows. It also frees up platform engineers and IT admins from custom image management. And while they don’t need to be involved in dev box customization, admins still control the guardrails in which developers operate, as well as the components they can use in their configurations. It’s this combination of capabilities that helps teams ensure dev boxes meet the unique needs of the project team as well as the compliance requirements of their organization. Read on to learn about how Dev Box customization makes this paradigm of self-service with guardrails achievable.
Creating your first customized Dev Box
Tasks are the reusable ingredients you can use to author your configuration, and platform admin teams can choose which tasks are available to their developers by defining a Catalog of tasks. A Catalog is a Git repository attached to your dev center and can be hosted in GitHub or Azure DevOps (AzDO). In this case, we’re going to provide a GitHub repository with a standard set of default Tasks to help you get started with the quick start catalog option, which provides four tasks: winget, git-clone, choco, and a generic PowerShell task.
All platform engineers have to do to set up a catalog for their developers is:
Go to the Azure portal, and navigate to your dev center.
In the left menu under Environment configuration, select Catalogs, and then select Add.
In Add catalog, pick “Microsoft’s quick start catalog” and “Dev box customization tasks” as the quick start catalog type. Then, select Add:
In Catalogs for the dev center, verify that your catalog appears. If the connection is successful, Status is Connected.
The dev team now has a catalog of tasks they can use as building blocks to customize their dev boxes.
Now developers can author a dev box configuration by creating a Dev Box customization yaml, the new file format you’ll use to customize your dev box. To try this out, you can download an example yaml configuration from our examples repository. This example configuration installs VS Code and clones down the OrchardCore .NET web app repo to your dev box. To create a dev box with this configuration, sign into the Microsoft Dev Box developer portal and use the “Add customizations from file” button to select this file.
Your dev box will be created with your base image, and the customizations you specify will be applied on top of it.
Storing configurations alongside your code in Azure DevOps
Team or project leads can streamline onboarding onto a codebase by committing their Dev Box configuration as a workload.yaml to their team’s codebase in AzDO. This file will contain all the steps (packages) required to work on it, and make it that much easier for their developers to get started. All developers need to do then is paste in the clone URL of this repository when creating a dev box, and the service will fetch the AzDO repository and apply the configurations defined in that repository’s workload.yaml. With only a few clicks, the team now has access to a ready-to-code dev box.
For this flow, we are using AzDO repositories, but stay tuned for GitHub support coming soon!
Authoring Dev Box configurations
The core of a file is the tasks section—this is where you’ll specify additional software to install and which settings to apply when creating a new VM.
With the Dev Box VS Code extension, writing, testing, and iterating on your configurations from your Dev Box are as easy as hitting F5. There’s no need to create a new Dev Box each time you want to test out a configuration. You can just download the extension from the VS Marketplace. From there, you can use the command palette to understand what tasks are available to you (from catalogs of Tasks attached to your dev center), and copy over snippets to, say, a devbox.yaml. You can execute this yaml configuration on your Dev Box by hitting F5, or by using the command palette (Dev Box: apply configuration).
Using secrets from Azure Key Vault in your configuration
But that’s not all. You can also use secrets, such as personal access tokens, from Azure Key Vault in your yaml configurations to clone private repositories (with the git-clone task), or with any custom task you author that requires an access token. First, make sure to give your dev center project’s managed identity the Secrets User role on your key vault. Be sure to also grant the Secrets User role to each user or user group who should be able to consume this secret during the customization of a dev box. You can now reference this secret in your yaml configuration in this format, using the git-clone task as an example:
If you wish to clone a private AzDO repository, you don’t need to configure a secret in Key Vault. Instead, you can use {{ado://devdiv}}, and this will fetch a PAT on your behalf when creating a Dev Box.
If your organization’s policies require you to keep your Key Vault private from the internet, you can set your Key Vault to allow trusted Microsoft services to bypass your firewall rule.
Creating Tasks and Catalogs to meet compliance needs
Of course, config-as-code customization not only gives developers flexibility to define their dev box configurations. It also gives admins a way to enforce guardrails on these config files and meet their unique needs of the enterprise by defining what can be used in these configurations. Think of it as pre-assembling the sets of available building blocks that teams can use to build their dev box VMs.
Platform engineers have a couple of options for setting up these building blocks. First, they can create their own repository of tasks in AzDO or GitHub and attach it to a dev center, use the Quickstart catalog, or create their own private fork of the Quickstart repository (microsoft/devcenter-catalog (github.com)).
Second, platform engineers and admins can create their own Tasks using any existing PowerShell scripts they have at their enterprise: all they need to do is create a task.yaml file for a given PowerShell script, and commit both the PowerShell script and the task.yaml annotating it to the repository that defines your catalog of tasks. For example, this task.yaml calls the PowerShell script “MyScript.ps1”, and declares parameters that should be passed to MyScript.ps1 from the devbox.yaml that uses this task:
For more examples of Tasks, check out our Quickstart catalog repository: devcenter-catalog/Tasks at main · microsoft/devcenter-catalog (github.com)
Using the WinGet Config to customize your dev box
Last year, the Windows team announced the WinGet Configuration, a config file designed to consolidate manual machine setup and project onboarding into a single command that is reliable and repeatable. WinGet Configuration enables you to take the same config-as-code approach to define the unique sets of software and configuration settings required to get your Windows environment in a ready-to-code state for repos that you work on. These configuration files can also be used to set up a VM in Microsoft Dev Box, by leveraging a WinGet task that we include with the default set of setupTasks mentioned earlier. This is one more way that dev teams can use customizations to combine tasks and get the right configuration for their unique needs.
Want to learn more?
Check out our demo of Dev Box customizations that walks you through the process of how to create a ready-to-code environment.
Customize your first dev box today
Dev Box GA’ed in July 2023, and the Dev Box customization feature is now in preview. We’re excited to open it up to the wider developer community and see how customizations can give you quick access to the exact tools and configurations you need to start coding. If you’re new to Dev Box, start a proof of concept today! Follow our Getting Started instructions and set up your instance to try out the new Customizations capabilities. We look forward to hearing about it.
Additional Microsoft Dev Box resources: https://aka.ms/DevBox/Resources
What’s new in MSIX: February 2024
A new version of the MSIX Packaging Tool (v1.2023.1212.0) is now available. You can download it from the Microsoft Store. This release has new enhancements in the Package Analyzer and PSF-MPT Integration. These additions aim to make conversions efficient for IT pros.
There are also enhancements to developer features to support App Attach workflows with MSIX Azure DevOps App Attach extension.
Features in general availability
ADO App Attach extension
Previously we introduced the App Attach Toolkit for Visual Studio to streamline developer workflow. This allows you to create VHD(x) images, test them locally, and publish them to your Azure Virtual Desktop (AVD) host pool, all from within Visual Studio.
Your feedback has been heard about making this available through the automated pipeline. We’re excited to announce the Azure DevOps App Attach extension that allows you to create App Attach ready packages from your existing build and deployment pipelines. Here is a step-by-step guide to get you started:
Download the latest version of MSIX Packaging extension and add it to your pipeline.
Add the task “Publish MSIX app attach package to AVD” to publish MSIX applications to AVD.
Provide the required parameters and run the pipeline.
Now, you can effortlessly create VHD(x) images and publish them directly to your AVD host pool, all from within your ADO pipeline.
Package Analyzer enhancement: Automated Accelerator generation
Accelerators simplify the repackaging process for applications. With this release, all the fixes that Package Analyzer detects are auto included in the Accelerator template. Of course, you can customize the template file as needed after it’s generated.
You can also create your own Accelerators using the MSIX Packaging tool.
Want to share feedback around Accelerators? Share your thoughts with us in the comment section of this post!
MPT-PSF fixup enhancements
Support for deletion markers
App-V 5.1 packages can directly be packaged to MSIX using the MSIX Packaging tool and the addition of deletion markers enhances this conversion experience. You can now use deletion markers to specify registry keys or values that you want to delete from the virtualized registry location. This helps clean up any unwanted or obsolete registry entries that may affect your app performance or functionality.
Desktop shortcuts
We announced the support for desktop shortcuts in our November blog post. With the latest version of MSIX Packaging tool, the tool detects existing desktop shortcuts during the conversion process. The latest WinAppSDK 1.4.2 is installed by the tool and it automatically adds the desktop7:Shortcut extensions in that manifest.
Frequently asked questions
How can I get access to the Insiders Program?
You can sign up for the program from this document.
Will MSIX be good enough to replace App-V?
Today, many of the App-V packages can be repackaged using MSIX Packaging Tool.
How is Microsoft getting developers to use MSIX as standard installer?
Applications are in various stages of their lifecycle. MSIX allows app developers to provide guaranteed installations, clean uninstalls, optimized upgrade experience, and a better security posture. We’re seeing a consistent rise in usage and satisfaction of MSIX from developers.
What about package customization with MSIX packaging tool?
Package customizations are currently in backlog.
While these are all the features that we’re announcing today, it’s only possible through the feedback of community members who support shaping the future of MSIX. Please do continue to provide your inputs via the Feedback Hub. If you have a feature ask, you can submit ideas in the MSIX Tech Community. If you’re interested in checking out the new features, join the MSIX Packaging Tool Insider Program today!
Thank you for your interest in MSIX!
Continue the conversation. Find best practices. Bookmark the Windows Tech Community, then follow us @MSWindowsITPro on X/Twitter. Looking for support? Visit Windows on Microsoft Q&A.
Join Microsoft’s AI Communities: Empower Your AI Learning Journey
Inspiring Students to Join AI Communities at Microsoft
Achieving your AI learning goals is not a solitary journey. It’s a path best walked with others who share your passion and curiosity. At Microsoft, we have a variety of communities designed to connect and engage learners and technical experts for inspiration, resources, and networking. Here are some of them:
Achieve your AI learning goals with the help of our community
Connect and engage with other learners and technical experts for inspiration, resources, and networking.
AI for Everyone Learning Room
This is a dedicated and safe environment where you can skill up on AI with the help of experts and peers. Dive deep into topic-specific questions via asynchronous discussions and virtual sessions. It’s a great place to start your AI journey.
Azure AI Discord
Want to connect and chat with other developers about AI on Azure? The Azure AI Discord is the place to be. It’s a vibrant community where you can discuss, learn, and grow.
AI & ML Tech Community
This community is all about connecting with others to find answers, ask questions, and build skills to help empower your AI transformation with the Microsoft Cloud. It's a hub of knowledge and expertise that's waiting for you.
Global AI Community
Discover AI communities worldwide, engage with peers who share similar interests, stay updated with weekly news, or establish your own user group. The Global AI community is a network of AI enthusiasts from all over the world.
Welcome to the Microsoft Defender Experts Ninja Hub
We’re excited to announce our Microsoft Defender Experts Ninja Hub. We have compiled document guides, videos, and other resources to help you get familiar with our Defender Experts services and stay up to date on the latest from the Defender Experts team.
We’ll update this post as we add resources, so make sure to bookmark this page: https://aka.ms/DefenderExpertsNinjaHub
Microsoft Defender Experts for XDR
Microsoft Defender Experts for XDR is a managed extended detection and response (MXDR) service that triages, investigates, and responds to incidents for you to help stop cyberattackers and prevent future compromise. Defender Experts for XDR delivers human expertise to security teams quickly to help address coverage gaps and augment their overall security operations. The documentation links below provide more information on the service, requirements, and FAQs:
What is Microsoft Defender Experts for XDR offering | Microsoft Learn
Before you begin using Defender Experts for XDR | Microsoft Learn
Get started with Microsoft Defender Experts for XDR | Microsoft Learn
How to use the Microsoft Defender Experts for XDR service | Microsoft Learn
Communicating with Microsoft Defender Experts | Microsoft Learn
How to search the audit logs for actions performed by Defender Experts | Microsoft Learn
Additional information related to Defender Experts for XDR | Microsoft Learn
FAQs related to Microsoft Defender Experts for XDR | Microsoft Learn
Microsoft Defender Experts for Hunting
Microsoft Defender Experts for Hunting proactively looks for threats 24/7/365 using unparalleled visibility of cross-domain telemetry and leading threat intelligence to extend your team’s threat hunting capabilities and improve overall SOC response. The documentation links below provide more information on the service, requirements, and reporting:
What is Microsoft Defender Experts for Hunting offering | Microsoft Learn
Key infrastructure requirements for Microsoft Defender Experts for Hunting | Microsoft Learn
How to subscribe to Microsoft Defender Experts for Hunting | Microsoft Learn
Understand the Defender Experts for Hunting report in Microsoft Defender XDR | Microsoft Learn
Ninja Show episodes featuring Defender Experts
Season 5, Episode 5: Improve your security posture with Microsoft Defender Experts for XDR
Season 3, Episode 4: Defender Experts for Hunting Overview
On-demand event sessions featuring Defender Experts
Microsoft Security Tech Accelerator 2023: Defender Experts in-depth: Running a Modern SOC in the age of LLMs
Microsoft Ignite 2023: Jumpstart your SOC with Microsoft Defender Experts for XDR
Microsoft Webinar: Revolutionize Managed XDR with Microsoft
Microsoft Ignite 2022: Introducing Microsoft Defender Experts for Hunting
Defender Experts videos
Explainer Video: Microsoft Defender Experts for XDR
Explainer Video: Microsoft Defender Experts for Hunting
Video: Adversary in the Middle Hunting Story
Deep dives from the Microsoft Security blog featuring Defender Experts
Microsoft Copilot for Security provides immediate impact for the Microsoft Defender Experts team
Detecting and mitigating a multi-stage AiTM phishing and BEC campaign
Looking for the ‘Sliver’ lining: Hunting for emerging command-and-control frameworks
One way Microsoft Defender Experts for Hunting prioritizes customer defense
Podcasts
Microsoft Security Insights Show Episode 181: Brian Hooper and Phoebe Rogers: A day in the life of a Defender Experts for XDR analyst
Microsoft Security Insights Show Episode 168: Steve Lee, Defender Experts
To learn more about Defender Experts, click here.
Defender for Cloud deployment in AWS/GCP – Agents, Resources, IAM and Cleanup options
Objective of the article
The purpose of this article is to provide organizations with a comprehensive understanding of all the agents and resources deployed as part of Defender for Server, Defender for Container, Defender for SQL in their AWS/GCP environment by Defender for Cloud. The article aims to guide organizations on the impact of Defender for Cloud on their environment and what they need to remove when switching Defender for Cloud plans on the security connector. Where possible this article should avoid duplicating information that is already available on Microsoft Learn and focus on providing information that is not publicly available or documented on Microsoft Learn.
Introduction:
Have you ever wondered about the agents, extensions, resources and roles deployed as part of Defender for Server, Defender for Container, Defender for SQL on your AWS or GCP workloads? Have you ever needed to update the selection of Defender for Cloud plans on a security connector for your AWS or GCP environment? This article provides you with a comprehensive understanding of the impact of agents and resources on your environment and guides you on what can be removed when updating the Defender for Cloud plans on a desired security connector.
The following table summarizes Microsoft agents and extensions for CWPP:

| Agent | Defender for Servers | Defender for Containers | Defender for SQL on Machines |
|---|---|---|---|
| Azure Arc Agent | ✔ | ✔ | ✔ |
| Microsoft Defender for Endpoint extension | ✔ | | |
| Log Analytics or Azure Monitor Agent extension | ✔ (*in deprecation process) | | ✔ |
| Defender Sensor | | ✔ | |
| Azure Policy for Kubernetes | | ✔ | |
| SQL servers on machines | | | ✔ |
Let's review the list of agents, resources and roles per plan, together with the cleanup options.
Defender for Server – AWS:

| Resource | Type | Creation Phase | Offboarding |
|---|---|---|---|
| MDE – The Microsoft Defender for Endpoint agent provides comprehensive endpoint detection and response (EDR) capabilities | Agent | Post connector creation | For Windows servers instructions: Offboard Windows servers. For non-Windows servers instructions: Offboard non-Windows servers |
| Azure Arc – AWS machines connect to Azure using Azure Arc | Agent | Post connector creation | |
| SSM – SSM Agent is mandatory for Arc onboarding | Agent | Post connector creation | Some customers rely on SSM Agent for other purposes, so please check it before removal. For removal instructions please check the AWS guide |
| DefenderForCloud-DefenderForServers; DefenderForCloud-ArcAutoProvisioning; DefenderForCloud-AgentlessScanner | IAM – role | Script creation | The role name is customizable; it is saved within the created connector. The policies associated with the role name should be removed too. For removal instructions please check the AWS guide |
Defender for Server – GCP:

| Resource | Type | Creation Phase | Offboarding |
|---|---|---|---|
| MDE – The Microsoft Defender for Endpoint agent provides comprehensive endpoint detection and response (EDR) capabilities | Agent | Post connector creation | For Windows servers instructions: Offboard Windows servers. For non-Windows servers instructions: Offboard non-Windows servers |
| Azure Arc – GCP machines connect to Azure using Azure Arc | Agent | Post connector creation | |
| microsoft-defender-for-servers | IAM – service account | Script creation | The service account is customizable; it is saved within the created connector. For removal instructions please check the GCP guide |
| defender-for-servers | IAM – role | Script creation | The role name is customizable; it is saved within the created connector. For removal instructions please check the GCP guide |
| OIDC – defender-for-servers | IAM – workload identity pool | Script creation | For removal instructions please check the GCP guide |
*Defender for Servers P2 requires the Microsoft Monitoring Agent (MMA, also called the Log Analytics agent) and/or the Azure Monitor Agent (AMA) for some features. Because MMA is in its deprecation phase, please follow these articles for details and offboarding options:
https://learn.microsoft.com/en-us/azure/defender-for-cloud/upcoming-changes#defender-for-servers
AMA removal: Manage Azure Monitor Agent – Azure Monitor | Microsoft Learn
MMA removal: Manage the Azure Log Analytics agent – Azure Monitor | Microsoft Learn
For MMA, please make sure the legacy solutions are removed from the Log Analytics workspace.
Defender for Container – AWS:

| Offering | Resource | Type | Creation Phase | Offboarding |
|---|---|---|---|---|
| Run-time threat protection | Azure Arc-enabled Kubernetes – Connects your EKS clusters to Azure and onboards the Defender sensor | Agent deployed on a single node | Post connector creation | You can remove Azure Arc-enabled Kubernetes via Azure CLI or Azure PowerShell: Cleanup Azure Arc-enabled Kubernetes. Running this command will delete all Arc-related resources, including extensions |
| Run-time threat protection | Defender Sensor | Sensor deployed on each node | Post connector creation | You can remove the Defender sensor using the Azure portal, Azure CLI, or REST API: Remove the Defender sensor |
| Run-time threat protection | Azure Policy for Kubernetes – Extends Gatekeeper v3 | Extension deployed on one single node | Post connector creation | You can remove Defender extensions using the Azure portal, Azure CLI, or REST API: Remove the Defender agent |
| Agentless threat protection | S3 | | Post connector creation | Delete the S3 bucket with ARN: arn:aws:s3:::azuredefender-{AwsRegion}-{AwsAccountId}-{ClusterName}. For removal instructions please check the AWS guide |
| Agentless threat protection | SQS | | Post connector creation | Delete the queue with ARN: arn:aws:sqs:{AwsRegion}:{AwsAccountId}:azuredefender-{ClusterName}. For removal instructions please check the AWS guide |
| Agentless threat protection | Kinesis Data Firehose (Amazon Kinesis Data Streams) | | Post connector creation | Delete the stream with ARN: arn:aws:firehose:{AwsRegion}:{AwsAccountId}:deliverystream/azuredefender-{ClusterName}. For removal instructions please check the AWS guide |
| Agentless threat protection | DefenderForCloud-DataCollection; DefenderForCloud-Containers-K8s-cloudwatch-to-kinesis; DefenderForCloud-Containers-K8s-kinesis-to-s3 | IAM – role | Script creation | The role name is customizable; it is saved within the created connector. The policies associated with the role name should be removed too. For removal instructions please check the AWS guide |
| Agentless Container Vulnerability Assessment | MDCContainersImageAssessmentRole | IAM – role | Script creation | The role name is customizable; it is saved within the created connector. The policies associated with the role name should be removed too. For removal instructions please check the AWS guide |
| Agentless discovery for Kubernetes | MDCContainersAgentlessDiscoveryK8sRole | IAM – role | Script creation | The role name is customizable; it is saved within the created connector. The policies associated with the role name should be removed too. For removal instructions please check the AWS guide |
Defender for Container – GCP:

| Offering | Resource | Type | Creation Phase | Offboarding |
|---|---|---|---|---|
| Run-time threat protection | Azure Arc-enabled Kubernetes – Connects your GKE clusters to Azure and onboards the Defender sensor | Agent deployed on a single node | Post creation | You can remove Azure Arc-enabled Kubernetes via Azure CLI or Azure PowerShell: Cleanup Azure Arc-enabled Kubernetes. Running this command will delete all Arc-related resources, including extensions |
| Run-time threat protection | Defender Sensor | Sensor deployed on each node | Post connector creation | You can remove the Defender sensor using the Azure portal, Azure CLI, or REST API: Remove the Defender sensor |
| Run-time threat protection | Azure Policy for Kubernetes – Extends Gatekeeper v3 | Extension deployed on one single node | Post connector creation | You can remove Defender extensions using the Azure portal, Azure CLI, or REST API: Remove the Defender agent |
| Run-time threat protection (AuditLogs) | container.googleapis.com | Enable API | Script creation | Please note, it might be used by other solutions. For removal instructions please check the GCP guide |
| Run-time threat protection (AuditLogs) | logging.googleapis.com | Enable API | Script creation | Please note, it might be used by other solutions. For removal instructions please check the GCP guide |
| Run-time threat protection (AuditLogs) | Data Access audit logs configuration | Settings | Script creation | Please note, it might be used by other solutions. Name of the component to disable: Kubernetes Engine API. For removal instructions please check the GCP guide |
| Run-time threat protection (AuditLogs) | Pub/Sub Topic | | Post creation | For each cluster in a project a topic is created with the prefix “MicrosoftDefender-”. For removal instructions please check the GCP guide |
| Run-time threat protection (AuditLogs) | Pub/Sub Subscription | | Post creation | For each cluster in a project a subscription is created with the prefix “MicrosoftDefender”. For removal instructions please check the GCP guide |
| Run-time threat protection (AuditLogs) | SINK – log route | | Post creation | For removal instructions please check the GCP guide |
| Run-time threat protection (AuditLogs) | microsoft-defender-containers; ms-defender-containers-stream | IAM – service account | Script creation | The service account is customizable; it is saved within the created connector. For removal instructions please check the GCP guide |
| Run-time threat protection (AuditLogs) | MicrosoftDefenderContainersDataCollectionRole; MicrosoftDefenderContainersRole | IAM – role | Script creation | The role name is customizable; it is saved within the created connector. For removal instructions please check the GCP guide |
| Run-time threat protection (AuditLogs) | OIDC – containers | IAM – workload identity provider | Script creation | For removal instructions please check the GCP guide |
| Agentless discovery for Kubernetes | containers | IAM – workload identity pool | Script creation | Please note, this identity is used by the DCSPM plan as well. For removal instructions please check the GCP guide |
| Agentless discovery for Kubernetes | mdc-containers-k8s-operator | IAM – service account | Script creation | The service account is customizable; it is saved within the created connector. For removal instructions please check the GCP guide |
| Agentless Container Vulnerability Assessment | containers | IAM – workload identity pool | Script creation | Please note, this identity is used by the DCSPM plan as well. For removal instructions please check the GCP guide |
| Agentless Container Vulnerability Assessment | mdc-containers-artifact-assess | IAM – service account | Script creation | The service account is customizable; it is saved within the created connector. For removal instructions please check the GCP guide |
Defender for SQL – AWS:

| Resource | Type | Creation Phase | Offboarding |
|---|---|---|---|
| Defender Agent | Agent | Post connector creation | Removed automatically on plan change. Removal can also be done via the Azure portal in the extensions tab |
| Azure Monitor Agent for SQL server – Collects security-related configuration information and event logs from machines | Agent | Post connector creation | Azure Monitor Agent offboarding: Uninstall AMA |
| Azure Arc – AWS machines connect to Azure using Azure Arc | Agent | Post connector creation | Uninstall Azure Arc. Please remove Arc only after the Defender agent has been removed |
| DefenderForCloud-ArcAutoProvisioning | IAM – role | Script creation | The role name is customizable; it is saved within the created connector. The policies associated with the role name should be removed too. For removal instructions please check the AWS guide |
Defender for SQL – GCP:

| Resource | Type | Creation Phase | Offboarding |
|---|---|---|---|
| Defender Agent | Agent | Post connector creation | Removed automatically on plan change. Removal can also be done via the Azure portal in the extensions tab |
| Azure Monitor Agent for SQL server – Collects security-related configuration information and event logs from machines | Agent | Post connector creation | Azure Monitor Agent offboarding: Uninstall AMA |
| Azure Arc – GCP machines connect to Azure using Azure Arc | Agent | Post connector creation | Uninstall Azure Arc. Please remove Arc only after the Defender agent has been removed |
| microsoft-databases-arc-ap | IAM – service account | Script creation | The service account is customizable; it is saved within the created connector. For removal instructions please check the GCP guide |
| defender-for-databases-arc-ap | IAM – role | Script creation | The role name is customizable; it is saved within the created connector. For removal instructions please check the GCP guide |
| OIDC – defender-for-databases-arc-ap | IAM – workload identity pool | Script creation | Delete: defender-for-databases-arc-ap. For removal instructions please check the GCP guide |
Note: The Microsoft Monitoring Agent (MMA) is being deprecated in August 2024. As a result, the Azure Monitor Agent (AMA) is used instead; for customers that still use MMA, the removal option is:
Manage the Azure Log Analytics agent – Azure Monitor | Microsoft Learn
Please make sure the legacy solutions are removed from the Log Analytics workspace.
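To make the offboarding caveats from the AWS tables above checkable, here is an added Python example (not Microsoft's tooling): it builds a removal checklist from the plans being disabled, keeps resources that a still-enabled plan shares (the Arc auto-provisioning role, the Azure Arc agent), orders the agent removals as the tables require, and diffs the checklist against an inventory. The role names are the article's defaults and can be overridden (they are customizable at connector creation); the account id, region, cluster name and inventory in the demo are constructed placeholders.

```python
"""Residue check for Defender for Cloud CWPP resources in an AWS account.

Added example, not Microsoft's tooling. Role names and ARN patterns come from
the article's AWS tables; everything in the demo block is constructed sample data.
"""
from __future__ import annotations

# IAM roles per plan, as listed in the article's AWS tables (default names).
DEFAULT_ROLES: dict[str, set[str]] = {
    "servers": {
        "DefenderForCloud-DefenderForServers",
        "DefenderForCloud-ArcAutoProvisioning",
        "DefenderForCloud-AgentlessScanner",
    },
    "containers": {
        "DefenderForCloud-DataCollection",
        "DefenderForCloud-Containers-K8s-cloudwatch-to-kinesis",
        "DefenderForCloud-Containers-K8s-kinesis-to-s3",
        "MDCContainersImageAssessmentRole",
        "MDCContainersAgentlessDiscoveryK8sRole",
    },
    # Shared with Defender for Servers, so it must survive if that plan stays on.
    "sql": {"DefenderForCloud-ArcAutoProvisioning"},
}

ARC_AGENT = "Azure Arc"

# Machine-side components per plan, in removal order. The tables say to remove
# Arc only after the Defender agent, and to review SSM rather than just remove it.
AGENT_REMOVAL_ORDER: dict[str, list[str]] = {
    "servers": ["MDE", ARC_AGENT, "SSM (review: other tooling may depend on it)"],
    "containers": ["Defender Sensor", "Azure Policy for Kubernetes", "Azure Arc-enabled Kubernetes"],
    "sql": ["Defender Agent", "Azure Monitor Agent", ARC_AGENT],
}


def container_data_plane_arns(region: str, account_id: str, cluster: str) -> set[str]:
    """Per-cluster S3 bucket, SQS queue and Firehose stream ARNs (article's patterns)."""
    return {
        f"arn:aws:s3:::azuredefender-{region}-{account_id}-{cluster}",
        f"arn:aws:sqs:{region}:{account_id}:azuredefender-{cluster}",
        f"arn:aws:firehose:{region}:{account_id}:deliverystream/azuredefender-{cluster}",
    }


def expected_removals(
    disabled: set[str],
    still_enabled: set[str],
    region: str,
    account_id: str,
    clusters: list[str],
    roles: dict[str, set[str]] | None = None,
) -> dict[str, set[str]]:
    """Roles and ARNs that should no longer exist once `disabled` plans are turned off."""
    roles = roles or DEFAULT_ROLES
    candidate = set().union(*(roles[p] for p in disabled))
    keep = set().union(*(roles[p] for p in still_enabled))  # shared with a live plan
    arns: set[str] = set()
    if "containers" in disabled:
        for cluster in clusters:
            arns |= container_data_plane_arns(region, account_id, cluster)
    return {"roles": candidate - keep, "shared_roles_kept": candidate & keep, "arns": arns}


def agent_removal_plan(disabled: set[str], still_enabled: set[str]) -> dict[str, list[str]]:
    """Ordered agent removal steps per disabled plan; Arc stays while another plan needs it."""
    arc_needed = any(ARC_AGENT in AGENT_REMOVAL_ORDER[p] for p in still_enabled)
    return {
        p: [s for s in AGENT_REMOVAL_ORDER[p] if not (s == ARC_AGENT and arc_needed)]
        for p in sorted(disabled)
    }


def find_leftovers(
    expected: dict[str, set[str]], existing_roles: set[str], existing_arns: set[str]
) -> dict[str, set[str]]:
    """Diff the checklist against an inventory (e.g. output of `aws iam list-roles`)."""
    return {
        "roles": expected["roles"] & existing_roles,
        "arns": expected["arns"] & existing_arns,
    }


if __name__ == "__main__":
    # Constructed demo: SQL and Containers disabled, Servers kept, one EKS cluster.
    account, region = "123456789012", "us-east-1"  # placeholder account id
    expected = expected_removals({"sql", "containers"}, {"servers"}, region, account, ["prod-eks"])
    inventory_roles = {"DefenderForCloud-ArcAutoProvisioning", "MDCContainersImageAssessmentRole"}
    inventory_arns = {f"arn:aws:s3:::azuredefender-{region}-{account}-prod-eks"}
    print("agent plan:", agent_removal_plan({"sql", "containers"}, {"servers"}))
    print("leftovers:", find_leftovers(expected, inventory_roles, inventory_arns))
```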
Conclusion: In this article, we have provided a comprehensive overview of all the agents, extensions, and resources deployed as part of Defender for Servers, Defender for Containers and Defender for SQL on AWS/GCP workloads. We have also presented detailed clean-up options for organizations looking to switch their Defender for Cloud plans. While our focus has been on Cloud Workload Protection Plans (CWPP), it is important to note that resources deployed by Cloud Security Posture Management (CSPM) plans are not listed here. As the solution and its features continue to evolve, the resources deployed or impacted by Defender for Cloud may vary between versions. We hope this article serves as a valuable resource for organizations looking to better understand the impact of Defender for Cloud on their AWS/GCP environment.
Acknowledgements
Special thanks to Bojan Magusic for the great partnership and technical review.
Reviewed by:
Lior Arviv, Senior Program Manager
Aviv Mor, Principal PM Manager
Ido Keshet, Principal PM Manager
Maya Herskovic, Senior PM Manager
Bojan Magusic, Product Manager 2
On Your Data is now Generally Available in Azure OpenAI Service
We’re thrilled to announce the much-anticipated Azure OpenAI Service On Your Data is now generally available! The groundbreaking feature empowers you to leverage the power of OpenAI models, such as GPT-4, directly on your data with enterprise-grade security on Azure. This cutting-edge capability transforms the way you connect, interact, and ground your data, with greater accuracy and speed through a user-friendly conversational experience. You can rapidly create personalized copilots with your data to enhance user comprehension, expedite task completion, and aid decision-making.
Unleashing the Power of Your Data
Azure OpenAI Service On Your Data empowers you to unlock the full potential of your data effortlessly with enterprise-grade security. By directly running OpenAI models on your data, the requirement for extensive training is eliminated. Leveraging advanced AI capabilities such as GPT-4 allows you to streamline communication, enhance customer service, and increase productivity throughout your organization.
With Azure OpenAI Service On Your Data, you can achieve superior quality AI responses out-of-the-box as we have implemented precision prompt engineering and tuned various components such as intent extraction, search retrieval, filtering and re-ranking, data ingestion to deliver accurate, concise, and coherent responses optimized for each model.
Capabilities Generally Available
Below is a range of general availability capabilities:
Enhanced Security for Enterprise: Access your private Azure resources on both Azure OpenAI Studio and APIs with private endpoints and VPN enabled for Azure AI Search, Azure OpenAI, and Azure Blob Storage (preview). With document-level access control, responses can be generated based on the documents a user can access.
Expanded Data Sources:
Customizable Responses and Parameters: Tailor your chat experience by limiting response and custom parameters, such as the strictness and number of documents retrieved.
Azure AI Vector and Hybrid Search: Achieve more precise data retrieval with vector or hybrid search from Azure AI Search, refining the insights you gather from your data.
Semantic Search as a Default: Enjoy more context-aware and relevant results using the Semantic Search by default.
OpenAI Models Availability: Get access to OpenAI GPT-35-Turbo, GPT-35-Turbo-16k, GPT-4, GPT-4-32k models.
Private Endpoints & VPNs:
Document-level Access Control: Boost security by limiting access to documents based on Microsoft Entra ID when generating responses.
Effortless and Swift Deployment: Seamless and rapid deployment to a web application or a copilot in the Copilot Studio (preview).
Search Filter (API): Customize your searches and add context with the retrieval augmented generation (RAG) model on specific parts of our API.
Updated SDK: Streamline integration with your systems using our improved SDK, harnessing the power of Azure OpenAI On Your Data.
Supported File Types: .txt, .pdf, .docx, .pptx, .md, .html
Customer Use Case and Benefits
Azure OpenAI Service On Your Data offers multiple customer benefits. It boosts productivity in both B2C and B2B interactions, enables data analysis for insights and industry knowledge, and positively influences productivity, cost savings, and decision-making. This can contribute to your business thriving in today’s dynamic market.
Built on Azure OpenAI Service, Young Williams’ Priya bot transforms customer service and case management within government agencies. Priya provides round-the-clock assistance, addressing inquiries with realism and empathy, effectively reducing the burden on busy call centers while maintaining seamless human-like interaction. Try Priya firsthand.
“I’m thrilled about the partnerships we have with multiple states where we leveraged the On Your Data feature of Azure OpenAI Service. The Priya bot is changing how public agencies serve citizens, offering round-the-clock, empathetic assistance and easing call center loads. This collaboration highlights the impact of generative AI in improving government responsiveness and efficiency. We’re excited to keep pushing the boundaries of public service innovation.” – Rob Wells, CEO of Young Williams
Priya by Young Williams for the State of Louisiana
Kick-start Your Journey with Azure OpenAI Service On Your Data
Begin your venture with Azure OpenAI Service On Your Data – a groundbreaking technology designed to revolutionize how you connect and interact with your enterprise data. Transition your data insights into a powerful lever to boost your business performance. Utilize the compelling force of conversational AI with Azure OpenAI Service. Join us in this journey and start experiencing the transformative benefits for your business today.
Resources
Documentation for Azure OpenAI Service On Your Data
QuickStart (API, SDK, Azure OpenAI Studio)
Apply for access to Azure OpenAI Service
Microsoft Tech Community – Latest Blogs –Read More
Monitoring Kubernetes Clusters, Image Build Environment and Container Registries with Sentinel
A guide to using Microsoft Sentinel for monitoring the security of your containerized applications and orchestration platforms.
Part 1 of 3 part series about security monitoring of your Kubernetes Clusters and CI/CD pipelines by @singhabhi and @Umesh_Nagdev
Introduction
Microsoft Sentinel is a cloud-native security information and event management (SIEM) platform that provides comprehensive threat detection and response capabilities across your hybrid environment. Microsoft Sentinel can help you monitor and protect your containerized applications by collecting and analyzing data from various sources, such as Kubernetes clusters, image build environment, and container registries. In this document, you will learn how to use Microsoft Sentinel to monitor your containerized applications and respond to potential threats.
Prerequisites
Before you start, you need to have the following:
An Azure subscription. If you don’t have one, you can create one for free here
A Microsoft Sentinel workspace. If you don’t have one, you can create one by following the steps here
A Kubernetes cluster. You can use any Kubernetes cluster, such as Azure Kubernetes Service (AKS)
An image build environment. You can use any image build tool, such as Azure DevOps, GitHub Actions, or Docker Hub
A container registry. You can use any container registry, such as Azure Container Registry (ACR) or an on-premises registry
Type of Logs to monitor in Kubernetes
We will discuss the log sources and corresponding use cases in Part 2 of this blog series.
Kubernetes Audit Logs – Detailed audit trail of user and system actions like API requests, authentication, authorization etc.
Kubernetes Controller Manager Logs – Internal operations of Kubernetes controller processes.
Kubernetes Scheduler Logs – Details of pod scheduling decisions and events.
Kubelet Logs – Node level operations and container lifecycle events.
Kubernetes API Server Logs – All API requests and responses.
etcd Logs – Changes to cluster configuration and state stored in etcd.
Container Runtime Logs (Docker, containerd etc.) – Logs from the container runtimes on each node.
Ingress Controller Logs (nginx etc.) – Access logs for traffic entering the cluster.
Cluster Network Logs – Logs from cluster networking plugins like Calico, Flannel etc.
Workload Logs – Logs emitted by the applications and services running in pods.
Node OS Logs – Traditional OS and security logs for insight into host events.
Monitoring System Logs – Logs from Prometheus, Elastic etc. for availability issues.
CI/CD Pipeline Logs – Build logs for container images, to check for anomalies.
Figure 1. Log sources to monitor for Kubernetes
Connectors
To enable Microsoft Sentinel to collect and analyze data from your containerized applications, you need to configure the following data connectors:
Azure Kubernetes Service (AKS) connector. This connector allows you to collect Kubernetes audit logs and events from your Kubernetes cluster. To configure this connector, follow the steps at https://learn.microsoft.com/en-us/azure/sentinel/data-connectors/azure-kubernetes-service-aks
Microsoft Defender for Cloud connector. This connector allows you to ingest security alerts related to your pods and nodes, image vulnerability scan results, and recommendations for your Kubernetes cluster.
GitHub connector. If you are using a non-Microsoft code scanning solution, you can ingest the scan data using the built-in data connector for GitHub events. This connector also allows you to bring in GitHub audit data that contains security events: https://docs.github.com/en/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/reviewing-the-audit-log-for-your-organization#exporting-the-audit-log
Use Workbooks and Analytics
After you configure the data connectors, you can use the following workbooks and analytics to monitor and investigate your containerized applications:
Kubernetes Monitoring. This workbook provides an overview of your Kubernetes cluster, such as node status, pod status, deployment status, and network activity. To access this workbook, go to Microsoft Sentinel > Workbooks > Templates > Kubernetes Monitoring.
Container Registry Monitoring. This workbook provides an overview of your container registry, such as image push and pull events, image vulnerabilities, and image anomalies. To access this workbook, go to Microsoft Sentinel > Workbooks > Templates > Container Registry Monitoring.
Image Build Monitoring. This workbook provides an overview of your image build environment, such as build status, build duration, build errors, and build anomalies. To access this workbook, go to Microsoft Sentinel > Workbooks > Templates > Image Build Monitoring.
Kubernetes Threat Detection. This analytic rule detects suspicious activities on your Kubernetes cluster, such as unauthorized access, privilege escalation, and malicious commands. To enable this rule, go to Microsoft Sentinel > Analytics > Rule templates > Kubernetes Threat Detection.
Container Registry Threat Detection. This analytic rule detects suspicious activities on your container registry, such as unauthorized access, image tampering, and image theft. To enable this rule, go to Microsoft Sentinel > Analytics > Rule templates > Container Registry Threat Detection.
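The rule descriptions above name unauthorized access, privilege escalation and command execution as the behaviours to look for in Kubernetes audit logs. As an added example, which is not part of the original post and not one of the Sentinel rule templates, the following Python script applies three such checks to a constructed batch of audit events in the audit.k8s.io/v1 Event shape (the format the API server emits and the AKS connector forwards), delivered here as JSON lines. The users, IPs, namespaces and audit IDs in the sample are made up.

```python
import json
from collections import Counter
from typing import Dict, Iterator, List

# Constructed sample batch in the audit.k8s.io/v1 Event shape, one JSON object per line.
# Users, IPs, namespaces and audit IDs are made up for this example.
SAMPLE_AUDIT_LOG = r'''
{"kind":"Event","apiVersion":"audit.k8s.io/v1","auditID":"a1","stage":"ResponseComplete","verb":"get","user":{"username":"alice"},"sourceIPs":["10.0.0.10"],"objectRef":{"resource":"pods","namespace":"shop","name":"web-0"},"responseStatus":{"code":200}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","auditID":"a2","stage":"ResponseComplete","verb":"create","user":{"username":"system:serviceaccount:shop:web"},"sourceIPs":["10.0.1.7"],"objectRef":{"resource":"pods","namespace":"shop","name":"web-0","subresource":"exec"},"responseStatus":{"code":101}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","auditID":"a3","stage":"ResponseComplete","verb":"list","user":{"username":"system:serviceaccount:shop:web"},"sourceIPs":["10.0.1.7"],"objectRef":{"resource":"secrets","namespace":"kube-system"},"responseStatus":{"code":403}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","auditID":"a4","stage":"ResponseComplete","verb":"create","user":{"username":"bob"},"sourceIPs":["203.0.113.9"],"objectRef":{"resource":"clusterrolebindings","name":"debug-admin"},"requestObject":{"roleRef":{"kind":"ClusterRole","name":"cluster-admin"},"subjects":[{"kind":"ServiceAccount","name":"web","namespace":"shop"}]},"responseStatus":{"code":201}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","auditID":"a5","stage":"ResponseComplete","verb":"create","user":{"username":"ci-deployer"},"sourceIPs":["10.0.2.2"],"objectRef":{"resource":"deployments","namespace":"shop","name":"web"},"responseStatus":{"code":201}}
'''


def parse_audit_log(text: str) -> Iterator[Dict]:
    """Yield completed audit events, skipping blank or malformed lines (e.g. a cut line from a rotated file)."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # do not abort the whole batch over one bad line
        # Only the ResponseComplete stage carries the final response code.
        if event.get("kind") == "Event" and event.get("stage", "ResponseComplete") == "ResponseComplete":
            yield event


def _finding(event: Dict, rule: str, detail: str) -> Dict:
    return {
        "auditID": event.get("auditID"),
        "rule": rule,
        "user": (event.get("user") or {}).get("username", "<unknown>"),
        "sourceIP": (event.get("sourceIPs") or ["<unknown>"])[0],
        "detail": detail,
    }


def classify(event: Dict) -> List[Dict]:
    """Apply the three detections to one event; an event may match more than one rule."""
    findings = []
    ref = event.get("objectRef") or {}
    verb = event.get("verb")
    code = (event.get("responseStatus") or {}).get("code")
    resource = ref.get("resource")
    target = "/".join(p for p in (ref.get("namespace"), resource, ref.get("name")) if p)

    # 1. Unauthorized access: the API server refused the request (authn or authz failure).
    if code in (401, 403):
        findings.append(_finding(event, "unauthorized_access", f"{verb} {target} denied ({code})"))
    # 2. Command execution inside a container: exec/attach subresource of a pod.
    if resource == "pods" and ref.get("subresource") in ("exec", "attach") and verb == "create":
        findings.append(_finding(event, "pod_exec", f"{ref.get('subresource')} into {target}"))
    # 3. Privilege escalation: a binding that grants cluster-admin.
    if resource in ("clusterrolebindings", "rolebindings") and verb in ("create", "update", "patch"):
        role = ((event.get("requestObject") or {}).get("roleRef") or {}).get("name")
        if role == "cluster-admin":
            findings.append(_finding(event, "privilege_escalation", f"{verb} {target} bound to cluster-admin"))
    return findings


def analyze_audit_log(text: str) -> List[Dict]:
    findings: List[Dict] = []
    for event in parse_audit_log(text):
        findings.extend(classify(event))
    return findings


def summarize(findings: List[Dict]) -> Dict[str, int]:
    """Count findings per rule, the shape a workbook tile or alert grouping would use."""
    return dict(Counter(f["rule"] for f in findings))


if __name__ == "__main__":
    results = analyze_audit_log(SAMPLE_AUDIT_LOG)
    for f in results:
        print(f"[{f['rule']}] auditID={f['auditID']} user={f['user']} src={f['sourceIP']} {f['detail']}")
    print(summarize(results))
```

The three conditions (denied responses, pod exec/attach, bindings to cluster-admin) translate directly into a scheduled KQL analytic rule over the ingested audit events; keeping the service account and source IP in every finding is what lets an investigation pivot from the alert back to the workload, as in the sample, where the same service account that was denied access to secrets also opened an exec session.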
Conclusion
In this document, you learned how to use Microsoft Sentinel to monitor and protect your containerized applications by collecting and analyzing data from Kubernetes clusters, image build environments, and container registries. You also learned how to use workbooks and analytics to gain insights and detect threats against your containerized applications. For more information on Microsoft Sentinel, visit https://azure.microsoft.com/en-us/products/microsoft-sentinel/
Defender for Cloud deployment in AWS/GCP – Agents, Resources, IAM and Cleanup options
Objective of the article
The purpose of this article is to provide organizations with a comprehensive understanding of all the agents and resources deployed as part of Defender for Server, Defender for Container, Defender for SQL in their AWS/GCP environment by Defender for Cloud. The article aims to guide organizations on the impact of Defender for Cloud on their environment and what they need to remove when switching Defender for Cloud plans on the security connector. Where possible this article should avoid duplicating information that is already available on Microsoft Learn and focus on providing information that is not publicly available or documented on Microsoft Learn.
Introduction:
Have you ever wondered about the agents, extensions, resources and roles deployed as part of Defender for Server, Defender for Container, Defender for SQL on your AWS or GCP workloads? Have you ever needed to update the selection of Defender for Cloud plans on a security connector for your AWS or GCP environment? This article provides you with a comprehensive understanding of the impact of agents and resources on your environment and guides you on what can be removed when updating the Defender for Cloud plans on a desired security connector.
The following table summarizes Microsoft agents and extensions for CWPP:
| Agent | Defender for Servers | Defender for Containers | Defender for SQL on Machines |
| --- | --- | --- | --- |
| Azure Arc Agent | ✔ | ✔ | ✔ |
| Microsoft Defender for Endpoint extension | ✔ | | |
| Log Analytics or Azure Monitor Agent extension | ✔ * | | ✔ |
| Defender Sensor | | ✔ | |
| Azure Policy for Kubernetes | | ✔ | |
| SQL servers on machines | | | ✔ |

* In deprecation process
Let’s review the list of agents, resources and roles per plan, together with the cleanup options.
Defender for Server – AWS:
| Resource | Type | Creation Phase | Offboarding |
| --- | --- | --- | --- |
| MDE – The Microsoft Defender for Endpoint agent provides comprehensive endpoint detection and response (EDR) capabilities | Agent | Post connector creation | For Windows servers: Offboard Windows servers. For non-Windows servers: Offboard non-Windows servers |
| Azure Arc – AWS machines connect to Azure using Azure Arc | Agent | Post connector creation | |
| SSM – The SSM Agent is mandatory for Arc onboarding | Agent | Post connector creation | Some customers rely on the SSM Agent for other purposes, so please check before removing it. For removal instructions, please check the AWS guide |
| DefenderForCloud-DefenderForServers; DefenderForCloud-ArcAutoProvisioning; DefenderForCloud-AgentlessScanner | IAM – role | Script creation | The role name is customizable; it is saved within the created connector. The policies associated with the role should be removed too. For removal instructions, please check the AWS guide |
Defender for Server – GCP:
| Resource | Type | Creation Phase | Offboarding |
| --- | --- | --- | --- |
| MDE – The Microsoft Defender for Endpoint agent provides comprehensive endpoint detection and response (EDR) capabilities | Agent | Post connector creation | For Windows servers: Offboard Windows servers. For non-Windows servers: Offboard non-Windows servers |
| Azure Arc – GCP machines connect to Azure using Azure Arc | Agent | Post connector creation | |
| microsoft-defender-for-servers | IAM – service account | Script creation | The service account is customizable; it is saved within the created connector. For removal instructions, please check the GCP guide |
| defender-for-servers | IAM – role | Script creation | The role name is customizable; it is saved within the created connector. For removal instructions, please check the GCP guide |
| OIDC – defender-for-servers | IAM – workload identity pool | Script creation | For removal instructions, please check the GCP guide |
*Defender for Servers P2 requires the Microsoft Monitoring Agent (MMA, or Log Analytics agent) and/or the Azure Monitor Agent (AMA) for some features. Since these agents are being deprecated, please follow these articles for details and offboarding options:
https://learn.microsoft.com/en-us/azure/defender-for-cloud/upcoming-changes#defender-for-servers
AMA removal: Manage Azure Monitor Agent – Azure Monitor | Microsoft Learn
MMA removal: Manage the Azure Log Analytics agent – Azure Monitor | Microsoft Learn
For MMA, please make sure Legacy solutions are removed from Log analytics workspace.
Defender for Container – AWS:
| Offering | Resource | Type | Creation Phase | Offboarding |
| --- | --- | --- | --- | --- |
| Run-time threat protection | Azure Arc-enabled Kubernetes – connects your EKS clusters to Azure and onboards the Defender sensor | Agent deployed on a single node | Post connector creation | You can remove Azure Arc-enabled Kubernetes via Azure CLI or Azure PowerShell: Cleanup Azure Arc-enabled Kubernetes. Running this command will delete all Arc-related resources, including extensions |
| | Defender Sensor | Sensor deployed on each node | Post connector creation | You can remove the Defender sensor using the Azure portal, Azure CLI, or REST API: Remove the Defender sensor |
| | Azure Policy for Kubernetes – extends Gatekeeper v3 | Extension deployed on a single node | Post connector creation | You can remove Defender extensions using the Azure portal, Azure CLI, or REST API: Remove the Defender agent |
| Agentless threat protection | S3 | | Post connector creation | Delete the S3 bucket with ARN: arn:aws:s3:::azuredefender-{AwsRegion}-{AwsAccountId}-{ClusterName}. For removal instructions, please check the AWS guide |
| | SQS | | Post connector creation | Delete the queue with ARN: arn:aws:sqs:{AwsRegion}:{AwsAccountId}:azuredefender-{ClusterName}. For removal instructions, please check the AWS guide |
| | Kinesis Data Firehose (Amazon Kinesis Data Streams) | | Post connector creation | Delete the stream with ARN: arn:aws:firehose:{AwsRegion}:{AwsAccountId}:deliverystream/azuredefender-{ClusterName}. For removal instructions, please check the AWS guide |
| | DefenderForCloud-DataCollection; DefenderForCloud-Containers-K8s-cloudwatch-to-kinesis; DefenderForCloud-Containers-K8s-kinesis-to-s3 | IAM – role | Script creation | The role name is customizable; it is saved within the created connector. The policies associated with the role should be removed too. For removal instructions, please check the AWS guide |
| Agentless Container Vulnerability Assessment | MDCContainersImageAssessmentRole | IAM – role | Script creation | The role name is customizable; it is saved within the created connector. The policies associated with the role should be removed too. For removal instructions, please check the AWS guide |
| Agentless discovery for Kubernetes | MDCContainersAgentlessDiscoveryK8sRole | IAM – role | Script creation | The role name is customizable; it is saved within the created connector. The policies associated with the role should be removed too. For removal instructions, please check the AWS guide |
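The ARN patterns and role names in this table are enough to verify that a disconnected cluster left nothing behind in the account. As an added example, not code from the article or from Microsoft, the following Python script fills the article's templates for one connector and checks them against an account inventory. The inventory, the IAM roles and the attached policy name are constructed sample data standing in for what you would export with the AWS CLI (the account ID 111122223333 is the AWS documentation placeholder). Because the role names are customizable, pass the names saved on your connector instead of the defaults. The azuredefender-* sweep at the end goes beyond the table on purpose: it also catches pipeline objects belonging to clusters whose connector was already deleted, so the cluster name is no longer at hand.

```python
import re
from typing import Dict, List

# ARN naming patterns from the article's Defender for Containers (AWS) table.
# {AwsRegion}, {AwsAccountId} and {ClusterName} are filled in per connector.
ARN_TEMPLATES = {
    "S3 bucket": "arn:aws:s3:::azuredefender-{AwsRegion}-{AwsAccountId}-{ClusterName}",
    "SQS queue": "arn:aws:sqs:{AwsRegion}:{AwsAccountId}:azuredefender-{ClusterName}",
    "Kinesis Firehose stream": "arn:aws:firehose:{AwsRegion}:{AwsAccountId}:deliverystream/azuredefender-{ClusterName}",
}

# Default IAM role names from the article. They are customizable, so override them
# with the names stored on your connector when they differ.
DEFAULT_ROLE_NAMES = [
    "DefenderForCloud-DataCollection",
    "DefenderForCloud-Containers-K8s-cloudwatch-to-kinesis",
    "DefenderForCloud-Containers-K8s-kinesis-to-s3",
    "MDCContainersImageAssessmentRole",
    "MDCContainersAgentlessDiscoveryK8sRole",
]

# Constructed inventory: what a listing of buckets, queues and delivery streams in the
# account might look like once converted to ARNs. Names are made up; 111122223333 is
# the AWS documentation placeholder account ID.
SAMPLE_INVENTORY_ARNS = [
    "arn:aws:s3:::azuredefender-us-east-1-111122223333-prod-eks",
    "arn:aws:s3:::company-app-logs",
    "arn:aws:sqs:us-east-1:111122223333:azuredefender-prod-eks",
    "arn:aws:sqs:us-east-1:111122223333:orders",
    "arn:aws:firehose:us-east-1:111122223333:deliverystream/azuredefender-staging-eks",
]

# Constructed IAM role listing with attached policy names (policy name is made up).
SAMPLE_IAM_ROLES = [
    {"RoleName": "DefenderForCloud-Containers-K8s-kinesis-to-s3",
     "AttachedPolicies": ["DefenderForCloud-Containers-K8s-kinesis-to-s3-policy"]},
    {"RoleName": "AppDeployRole", "AttachedPolicies": ["AmazonS3ReadOnlyAccess"]},
]


def expected_arns(region: str, account_id: str, cluster_name: str) -> Dict[str, str]:
    """Fill the article's ARN templates for one connector."""
    return {kind: tmpl.format(AwsRegion=region, AwsAccountId=account_id, ClusterName=cluster_name)
            for kind, tmpl in ARN_TEMPLATES.items()}


def find_leftovers(region: str, account_id: str, cluster_name: str,
                   inventory_arns: List[str], iam_roles: List[Dict],
                   role_names: List[str] = DEFAULT_ROLE_NAMES) -> List[Dict]:
    """Return the resources the article says to delete that still exist in the account."""
    leftovers: List[Dict] = []
    present = set(inventory_arns)
    for kind, arn in expected_arns(region, account_id, cluster_name).items():
        if arn in present:
            leftovers.append({"kind": kind, "identifier": arn, "action": "delete"})
    wanted = set(role_names)
    for role in iam_roles:
        if role["RoleName"] in wanted:
            # The article notes the policies attached to the role must go as well.
            leftovers.append({"kind": "IAM role", "identifier": role["RoleName"],
                              "action": "detach policies, then delete role",
                              "policies": list(role.get("AttachedPolicies", []))})
    return leftovers


# Broader sweep: any azuredefender-* bucket, queue or delivery stream, whatever the cluster.
AZUREDEFENDER_RE = re.compile(r"^arn:aws:(s3|sqs|firehose):[^:]*:[^:]*:(deliverystream/)?azuredefender-")


def sweep_azuredefender(inventory_arns: List[str]) -> List[str]:
    """Find pipeline objects even for clusters whose connector (and cluster name) is gone."""
    return sorted(a for a in inventory_arns if AZUREDEFENDER_RE.match(a))


if __name__ == "__main__":
    for item in find_leftovers("us-east-1", "111122223333", "prod-eks", SAMPLE_INVENTORY_ARNS, SAMPLE_IAM_ROLES):
        print(f"{item['kind']}: {item['identifier']} -> {item['action']}")
    print("azuredefender-* objects in account:", sweep_azuredefender(SAMPLE_INVENTORY_ARNS))
```

In the sample the per-connector check finds the prod-eks bucket, queue and one IAM role, while the sweep additionally surfaces a delivery stream for a staging cluster that no connector references any more; that second kind of leftover is the one an ARN-by-ARN check will never report.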
Defender for Container – GCP:
| Offering | Resource | Type | Creation Phase | Offboarding |
| --- | --- | --- | --- | --- |
| Run-time threat protection | Azure Arc-enabled Kubernetes – connects your GKE clusters to Azure and onboards the Defender sensor | Agent deployed on a single node | Post creation | You can remove Azure Arc-enabled Kubernetes via Azure CLI or Azure PowerShell: Cleanup Azure Arc-enabled Kubernetes. Running this command will delete all Arc-related resources, including extensions |
| | Defender Sensor | Sensor deployed on each node | Post connector creation | You can remove the Defender sensor using the Azure portal, Azure CLI, or REST API: Remove the Defender sensor |
| | Azure Policy for Kubernetes – extends Gatekeeper v3 | Extension deployed on a single node | Post connector creation | You can remove Defender extensions using the Azure portal, Azure CLI, or REST API: Remove the Defender agent |
| Run-time threat protection (AuditLogs) | Container.googleapis.com | Enable API | Script creation | Please note that it might be used by other solutions. For removal instructions, please check the GCP guide |
| | logging.googleapis.com | Enable API | Script creation | Please note that it might be used by other solutions. For removal instructions, please check the GCP guide |
| | Data Access audit logs configuration | Settings | Script creation | Please note that it might be used by other solutions. Name of the component to disable: Kubernetes Engine API. For removal instructions, please check the GCP guide |
| | Pub/Sub Topic | | Post creation | For each cluster in a project, a topic is created with the prefix “MicrosoftDefender-”. For removal instructions, please check the GCP guide |
| | Pub/Sub Subscription | | Post creation | For each cluster in a project, a subscription is created with the prefix “MicrosoftDefender”. For removal instructions, please check the GCP guide |
| | SINK – log route | | Post creation | For removal instructions, please check the GCP guide |
| | microsoft-defender-containers; ms-defender-containers-stream | IAM – service account | Script creation | The service account is customizable; it is saved within the created connector. For removal instructions, please check the GCP guide |
| | MicrosoftDefenderContainersDataCollectionRole; MicrosoftDefenderContainersRole | IAM – role | Script creation | The role name is customizable; it is saved within the created connector. For removal instructions, please check the GCP guide |
| | OIDC – containers | IAM – workload identity provider | Script creation | For removal instructions, please check the GCP guide |
| Agentless discovery for Kubernetes | containers | IAM – workload identity pool | Script creation | Please note that this identity is used by the DCSPM plan as well. For removal instructions, please check the GCP guide |
| | mdc-containers-k8s-operator | IAM – service account | Script creation | The service account is customizable; it is saved within the created connector. For removal instructions, please check the GCP guide |
| Agentless Container Vulnerability Assessment | containers | IAM – workload identity pool | Script creation | Please note that this identity is used by the DCSPM plan as well. For removal instructions, please check the GCP guide |
| | mdc-containers-artifact-assess | IAM – service account | Script creation | The service account is customizable; it is saved within the created connector. For removal instructions, please check the GCP guide |
Defender for SQL- AWS:
| Resource | Type | Creation Phase | Offboarding |
| --- | --- | --- | --- |
| Defender Agent | Agent | Post connector creation | Removed automatically on plan change. Removal can also be done via the Azure portal in the Extensions tab |
| Azure Monitor Agent for SQL Server – collects security-related configuration information and event logs from machines | Agent | Post connector creation | Azure Monitor Agent offboarding: Uninstall AMA |
| Azure Arc – AWS machines connect to Azure using Azure Arc | Agent | Post connector creation | Uninstall Azure Arc. Please remove Arc only after the Defender agent has been removed |
| DefenderForCloud-ArcAutoProvisioning | IAM – role | Script creation | The role name is customizable; it is saved within the created connector. The policies associated with the role should be removed too. For removal instructions, please check the AWS guide |
Defender for SQL- GCP:
| Resource | Type | Creation Phase | Offboarding |
| --- | --- | --- | --- |
| Defender Agent | Agent | Post connector creation | Removed automatically on plan change. Removal can also be done via the Azure portal in the Extensions tab |
| Azure Monitor Agent for SQL Server – collects security-related configuration information and event logs from machines | Agent | Post connector creation | Azure Monitor Agent offboarding: Uninstall AMA |
| Azure Arc – GCP machines connect to Azure using Azure Arc | Agent | Post connector creation | Uninstall Azure Arc. Please remove Arc only after the Defender agent has been removed |
| microsoft-databases-arc-ap | IAM – service account | Script creation | The service account is customizable; it is saved within the created connector. For removal instructions, please check the GCP guide |
| defender-for-databases-arc-ap | IAM – role | Script creation | The role name is customizable; it is saved within the created connector. For removal instructions, please check the GCP guide |
| OIDC – defender-for-databases-arc-ap | IAM – workload identity pool | Script creation | Delete: defender-for-databases-arc-ap. For removal instructions, please check the GCP guide |
Note: The Microsoft Monitoring Agent (MMA) is being deprecated in August 2024. As a result, the Azure Monitor Agent (AMA) is used instead; for customers that still use MMA, the removal option is:
Manage the Azure Log Analytics agent – Azure Monitor | Microsoft Learn
Please make sure legacy solutions are removed from the Log Analytics workspace.
Conclusion: In this article, we have provided a comprehensive overview of all the agents, extensions, and resources deployed as part of Defender for Servers, Defender for Containers and Defender for SQL on AWS/GCP workloads. We have also presented detailed clean-up options for organizations looking to switch their Defender for Cloud plans. While our focus has been on Cloud Workload Protection Plans (CWPP), it is important to note that resources deployed by Cloud Security Posture Management (CSPM) plans are not listed here. As the solution and its features continue to evolve, the resources deployed or impacted by Defender for Cloud may vary between versions. We hope this article serves as a valuable resource for organizations looking to better understand the impact of Defender for Cloud on their AWS/GCP environment.
Acknowledgements
Special thanks to Bojan Magusic for the great partnership and technical review.
Reviewed by:
Lior Arviv, Senior Program Manager
Aviv Mor, Principal PM Manager
Ido Keshet, Principal PM Manager
Maya Herskovic, Senior PM Manager
Bojan Magusic, Product Manager 2