Tag Archives: microsoft
MVP’s Favorite Content: CAE, Surface, M365, Semantic Kernel
In this blog series dedicated to Microsoft’s technical articles, we’ll highlight our MVPs’ favorite article along with their personal insights.
Florian Salzmann, Enterprise Mobility MVP, Switzerland
“Token theft is a real issue and unfortunately I have seen many cases where tokens have been used to break into a Microsoft 365 / Azure tenant.
That’s why it’s so important to secure our administrative logins as much as possible. With the “Strictly enforce location policies” feature, which is still in preview, token theft is much more difficult. If the IP is not trusted, the token is immediately revoked.
I have had my eye on this feature for a while now and had to try it out. I check the article regularly to see if there is any news or hints for its GA.”
*Relevant Blog: Strictly Enforce Location Policies in Entra ID: A Gift of Secure Access | scloud
Tomokazu Kizawa, Windows and Devices MVP, Japan
New Surface devices bring more value to business | Microsoft Devices Blog (windows.com)
“Surface represents a “pace car” showing what a Windows PC should be, as envisioned by Microsoft. Moreover, it’s a premium PC that offers users the Windows experience. Particularly, the newly announced Surface Laptop Studio 2, equipped with Intel’s NPU, stands as a pioneering “AI PC.” It’s a significant computer leading the way in this field. Additionally, the Surface Laptop Go 3 and Surface Go 4, as more affordable versions, hold an important position, being widely applicable in business scenarios. This content excellently captures the essence and key selling points of the Surface.”
*Relevant Blog: The Apple Connect: Bridging Identity Services with SSO (intuneirl.com)
Masayuki Mokudai (もくだいさん), M365 MVP, Japan
Microsoft 365 productivity illustrations | Microsoft Learn
“This content is recommended if you explore a comprehensive understanding of the architecture of each service in Microsoft 365. Among them, the architecture of “Teams and related productivity services” is particularly helpful for understanding how data is not stored in Teams but is instead distributed across various services in M365. Please also refer to my material from the MICROSOFT 365 VIRTUAL MARATHON 2022, where I explained the “Groups in Microsoft 365 for IT Architects” section.”
*Relevant Article: Microsoft 365 グループ 生まれた経緯とそのコントロール MICROSOFT 365 VIRTUAL MARATHON 2022 | ドクセル (docswell.com)
Tomomitsu Kusaba, Developer Technologies MVP, Japan
Create AI agents with Semantic Kernel | Microsoft Learn
“AI generation has been attracting a lot of attention lately, and among these, the Semantic Kernel, which forms the core of the Copilot Stack, is a noteworthy SDK because it is the enterprise-ready language, C#.”
*Relevant Blog:
– Semantic KernelのFunctionを自動的に選択して回答を返すSemantic Kernel1.0.1正式版 (zenn.dev)
– Semantic Kernelを使って天気を取得してみる (zenn.dev)
*Relevant Event and Video:
– .NETラボ 勉強会 2024年1月 – connpass
– SemanticKernelの始め方 – YouTube
Microsoft Tech Community – Latest Blogs –Read More
Graph API integration for SaaS developers
Many applications integrate with Microsoft Graph APIs to enrich their functionality with user data or provide additional features on top of Office 365 or Azure services.
Some best practices can be leveraged to efficiently consume data from Microsoft Graph. This sample shows how to use delta tokens to retrieve a change set, in combination with subscriptions/webhooks, to get notified when a delta token should be used to get the latest changes without pulling the whole set of data each time.
Understanding Graph API throttling
Throttling limits prevent excessive use that could potentially impact service availability. Most services apply limits to ensure optimal performance and reliability. Microsoft Graph API applies a multilayered throttling approach with service-specific limits.
Common reasons for throttling include:
High Request Volume: Exceeding the rate limit by sending numerous requests in a short time.
Resource-Intensive Queries: Throttling may occur with complex or large data requests.
Tenant and Service-Level Limits: Throttling can affect both individual tenants and the overall service, especially in multi-tenant environments like Entra applications.
Service-wide Demand: Increased demand on Microsoft Graph can result in service-wide throttling.
Handling limitations
Handling limitations is crucial. Throttling applies to service principals or Enterprise Applications, automatically created during App Registration in the Azure portal or manually using Azure CLI/Graph API. The universal limitation for all applications is 130,000 requests per 10 seconds per app across all tenants. Services may have distinct limitations, such as combined limits for app registrations or specific limits for individual apps in separate tenants.
Throttling is inevitable due to various limitations at different levels. Requests vary in cost, with read operations being less demanding than writes.
Using OData correctly to query Microsoft Graph can significantly reduce the number of requests and the amount of traffic. The $expand operator fetches related data in the same call, which reduces the number of requests, but it must be used carefully because it can significantly increase data transfer. It can be combined with $select, $top, or $skip to project data and/or paginate.
Batching is another way to reduce the number of requests: instead of sending a separate request for each operation, you can combine several operations into a single $batch request.
Limiting data fields in results
Microsoft Graph responses include a default set of properties when no properties are specified. If you only need specific properties like display name and email address, using the $select parameter with a comma-delimited list optimizes the request and speeds up the response:
https://graph.microsoft.com/v1.0/users?$select=id,givenName,surname
Limit the number of returned results
The $top parameter enables you to limit the response to only include a specific number of records.
https://graph.microsoft.com/v1.0/users?$top=50
When it actually happens
How do you know you are throttled? It can easily be done by inspecting the HTTP status code in the response. The status code 429 indicates too many requests and is how Microsoft Graph tells the client their requests are being throttled. Graph SDK provides retry handlers, which will retry if throttled – a common pattern in most SDKs. Graph SDK is available for most of the popular programming languages including C#, Java, Python, JS, PowerShell, Go, and PHP. In our sample, we utilized Graph SDK to take advantage of built-in capabilities for retries and exponential back-off. Here is an example of specifying retry policy:
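    // Requires: using Microsoft.Kiota.Http.HttpClientLibrary.Middleware.Options;
    var retryHandlerOption = new RetryHandlerOption
    {
        // Upper bound on the number of retries for this request.
        MaxRetry = 7,
        // Always allow the retry; return false here to stop retrying for specific responses.
        ShouldRetry = (delay, attempt, message) => true
    };
    // Attach the option to this one request only.
    var user = await graphClient.Me.GetAsync(requestConfiguration => requestConfiguration.Options.Add(retryHandlerOption));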
However, if there is a need to interact with Graph API directly, you have to implement inspection of the HTTP header Retry-After, logic for retries, and exponential backoff logic yourself.
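An added example (not code from the original post or from the Graph SDK) of the logic a client calling Graph directly has to supply: read Retry-After on a throttled response and fall back to exponential backoff with jitter when the header is missing. The Response type, the send callable and the scripted responses are constructed for illustration, and treating 503 and 504 as retryable alongside 429 is an assumption.

```python
import random
import time
from dataclasses import dataclass, field
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

# 429 is the throttling status named in the text; 503/504 are an assumption here.
RETRYABLE = {429, 503, 504}


@dataclass
class Response:
    """Constructed stand-in for an HTTP response, so the example runs offline."""
    status: int
    headers: dict = field(default_factory=dict)
    body: str = ""


def parse_retry_after(value, now=None):
    """Return the wait the server asked for in seconds, or None if absent/unparseable.

    Retry-After carries either delta-seconds ("12") or an HTTP-date.
    """
    if value is None:
        return None
    value = value.strip()
    if value.isdigit():
        return float(value)
    try:
        when = parsedate_to_datetime(value)
    except (TypeError, ValueError):
        return None
    if when.tzinfo is None:
        when = when.replace(tzinfo=timezone.utc)
    now = now or datetime.now(timezone.utc)
    return max(0.0, (when - now).total_seconds())


def backoff_delay(attempt, base=1.0, cap=60.0, rng=random.random):
    """Exponential backoff with full jitter: uniform in [0, min(cap, base * 2**attempt))."""
    return rng() * min(cap, base * (2 ** attempt))


def send_with_retry(send, max_retries=7, base=1.0, cap=60.0,
                    sleep=time.sleep, rng=random.random):
    """Call send() until it returns a non-retryable status or retries run out.

    Returns (last_response, waits), where waits lists the delays that were slept.
    """
    waits = []
    for attempt in range(max_retries + 1):
        resp = send()
        if resp.status not in RETRYABLE or attempt == max_retries:
            return resp, waits
        # Header names are case-insensitive; normalise before the lookup.
        headers = {k.lower(): v for k, v in resp.headers.items()}
        server_wait = parse_retry_after(headers.get("retry-after"))
        # Honour the server's hint when present; retrying sooner only extends throttling.
        delay = server_wait if server_wait is not None else backoff_delay(attempt, base, cap, rng)
        waits.append(delay)
        sleep(delay)


def demo():
    """Constructed scenario: throttled twice (once with a hint, once without), then 200."""
    script = iter([
        Response(429, {"Retry-After": "3"}),
        Response(429),
        Response(200, body='{"displayName": "Ada"}'),
    ])
    # sleep is a no-op and rng is fixed so the run is instant and repeatable.
    return send_with_retry(lambda: next(script), sleep=lambda s: None, rng=lambda: 0.5)


if __name__ == "__main__":
    response, waits = demo()
    print(response.status, waits)
```

In a real client, send would wrap the authenticated HTTP call; a cap on total wait time is worth adding so a long throttling window surfaces as an error instead of a stalled job.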
Graph API shadowing sample for users & groups
Now that you have gained a better understanding of what can be done to avoid throttling, it’s a good time to have a look at the sample we have created to showcase how to implement best practices for dealing with throttling.
In this sample, we synchronize users and groups from Graph API into our SaaS app local storage (Cosmos DB in our case). Users and groups are synchronized from customers’ tenants (Azure AD) into SaaS solution.
Overall architecture
In our sample, Azure Durable Functions are used to persist delta tokens and subscriptions for each tenant. Cosmos DB persists the retrieved data, using a partitioning key composed of tenant ID (the customer tenant) and OData type (user or group in this sample).
This sample follows the main design principles when working with Graph, such as utilizing delta queries for getting change sets/deltas, as well as utilizing subscription webhooks to provide reactive functionality for scheduling the use of the delta token.
Although this sample is for user and group objects, it can be applied to many other Graph API resources.
In summary, the main principle is to use OData delta tokens in conjunction with subscription (webhook) notifications. When a notification arrives for a tenant, it’s registered for ‘later’ processing. A scheduled background job for the registered tenants then runs using the delta tokens. This approach reduces the calls to Graph, only using delta tokens, and not calling Graph on every subscription triggered.
Let’s understand the principles of delta queries and change notifications in more detail.
Delta queries running on schedule
In our scenario, the application is polling Microsoft Graph at scheduled intervals, such as 6 or 12 hours. Typically this strategy is used to keep the application’s local data store in sync with data exposed in Microsoft Graph.
One way to mitigate throttling when polling Microsoft Graph for large data sets is to use the delta query feature of Microsoft Graph. Delta query, also known as “change tracking”, allows developers to request only data that has been added, updated, or deleted since the last request. This pattern reduces the amount of data the application requests, which reduces the cost of each request and, as such, likely limits the chances of the requests being throttled.
Delta query works using the concept of a state token. An application will issue an initial request to Microsoft Graph the same way it normally does, except it will include the delta function in the request.
Microsoft Graph will respond with the requested data as normal, except the last page of data will include an extra property deltaLink. This contains the endpoint with the state token of the delta query.
To request the changes that happened in the resulting data set since the previous query was submitted, the application calls the endpoint from the previous response’s deltaLink property. This tells Microsoft Graph to execute the same query, but only return the items that have changed since the first request, as indicated by the state token included in the deltaLink property. The last page of results on this second request will include a new deltaLink property value that can be used for the next request, and so on.
A more detailed explanation of working with deltaLinks is available here: Get incremental changes for users – Microsoft Graph | Microsoft Learn.
Combine delta query with change notifications
An application can subscribe to be notified when a specific resource changes, such as the users. In this case, when a user is added, updated, or deleted, the application is notified of something changed in the users endpoint by Microsoft Graph via an HTTP POST. The application can then use the delta query to request all changes since the last time it made the request.
Keep in mind that to receive notifications, you have to create a subscription for the resource (users and groups in this case). When creating a subscription, you need to submit the webhook URL as well as the expiry date, and you need a process for prolonging the expiry date of the subscription.
Using this strategy, applications can nearly eliminate the need to frequently poll Microsoft Graph and process those changes to keep a local data store in sync, greatly reducing the chances for their requests to be throttled.
Recommendation: schedule one Delta Query request on a long interval
Webhooks do not have guaranteed delivery. To ensure no changes are missed, it’s recommended to schedule at least one long-interval delta query request and not rely entirely on the subscription notifications to request changes from the Microsoft Graph resource. This will return all changed data that can be processed by the application in case a change notification is missed.
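The flow described in this section, as an added example that is not taken from the Azure-Samples/MicrosoftGraphShadow code: notifications only mark a tenant for later processing, a scheduled job follows @odata.nextLink pages until @odata.deltaLink, and a full sweep covers missed notifications. FakeGraph, the tenant id and the token values are constructed; the host check on followed links is an added precaution and assumes the global graph.microsoft.com endpoint.

```python
from urllib.parse import urlsplit

GRAPH_HOST = "graph.microsoft.com"   # assumption: global cloud endpoint
USERS_DELTA = "https://graph.microsoft.com/v1.0/users/delta"


def run_delta_query(get, url):
    """Follow @odata.nextLink pages until the page that carries @odata.deltaLink.

    get(url) returns the parsed JSON page. Returns (changes, delta_link).
    """
    changes = []
    while True:
        # Links come from response bodies; only follow them to the Graph host,
        # because the bearer token travels with every request.
        parts = urlsplit(url)
        if parts.scheme != "https" or parts.hostname != GRAPH_HOST:
            raise ValueError(f"refusing to follow link to {url!r}")
        page = get(url)
        changes.extend(page.get("value", []))
        if "@odata.deltaLink" in page:
            return changes, page["@odata.deltaLink"]
        url = page["@odata.nextLink"]


class TenantShadow:
    """Local copy of one tenant's users plus the state token for the next delta."""

    def __init__(self):
        self.users = {}
        self.delta_link = None

    def apply(self, changes):
        for item in changes:
            if "@removed" in item:
                self.users.pop(item["id"], None)
            else:
                # A delta entry may carry only the changed properties: merge it.
                self.users.setdefault(item["id"], {}).update(item)


class DeltaScheduler:
    """Notifications mark a tenant dirty; only the scheduled job calls Graph."""

    def __init__(self, clients):
        self.clients = clients                       # tenant_id -> get(url) callable
        self.shadows = {t: TenantShadow() for t in clients}
        self.dirty = set(clients)                    # every tenant needs an initial sync

    def on_notification(self, tenant_id):
        # Webhook handler: record and return quickly, no call to Graph here.
        if tenant_id in self.shadows:
            self.dirty.add(tenant_id)

    def run(self, full_sweep=False):
        """Sync dirty tenants; full_sweep=True is the long-interval safety net
        for tenants whose notification was never delivered."""
        todo = set(self.shadows) if full_sweep else set(self.dirty)
        for tenant_id in sorted(todo):
            shadow = self.shadows[tenant_id]
            start = shadow.delta_link or USERS_DELTA
            changes, shadow.delta_link = run_delta_query(self.clients[tenant_id], start)
            shadow.apply(changes)
            self.dirty.discard(tenant_id)
        return sorted(todo)


class FakeGraph:
    """Constructed offline stand-in for Graph: URL -> canned JSON page."""

    def __init__(self, pages):
        self.pages = pages
        self.calls = 0

    def __call__(self, url):
        self.calls += 1
        return self.pages[url]


def demo():
    graph = FakeGraph({
        USERS_DELTA: {"value": [{"id": "u1", "displayName": "Ada"}],
                      "@odata.nextLink": USERS_DELTA + "?$skiptoken=p2"},
        USERS_DELTA + "?$skiptoken=p2": {"value": [{"id": "u2", "displayName": "Bob"}],
                                         "@odata.deltaLink": USERS_DELTA + "?$deltatoken=t1"},
        USERS_DELTA + "?$deltatoken=t1": {"value": [{"id": "u2", "@removed": {"reason": "deleted"}},
                                                    {"id": "u1", "jobTitle": "CTO"}],
                                          "@odata.deltaLink": USERS_DELTA + "?$deltatoken=t2"},
        USERS_DELTA + "?$deltatoken=t2": {"value": [],
                                          "@odata.deltaLink": USERS_DELTA + "?$deltatoken=t2"},
    })
    sched = DeltaScheduler({"tenant-a": graph})
    sched.run()                          # initial sync: two pages, two calls
    for _ in range(3):                   # three notifications collapse into one delta call
        sched.on_notification("tenant-a")
    sched.run()
    idle = sched.run()                   # nothing dirty: no Graph call at all
    sched.run(full_sweep=True)           # safety-net sweep: one call, no changes
    return sched.shadows["tenant-a"].users, graph.calls, idle
```

Persisting delta_link only after apply() has succeeded keeps a crash from skipping a change set, since the old link can be replayed.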
Conclusion
Navigating the intricacies of Microsoft Graph services requires a thoughtful approach to limitations and optimizations. Understanding the nuances of throttling, selecting relevant data through parameters like $select, implementing effective retry strategies, and utilizing delta queries in combination with change notifications contribute to a smoother experience. As you delve into the realm of Microsoft Graph, keeping these considerations in mind will not only enhance the efficiency of your applications but also ensure a more robust and resilient interaction with the diverse functionalities provided by this powerful platform. Make sure to check out the sample for a deeper understanding of how to implement the main design principles to deal with Graph API throttling: Azure-Samples/MicrosoftGraphShadow
Credits
Primary authors
Henrik Westergaard Hansen, Principal Customer Engineer Henrik Westergaard Hansen | LinkedIn
Kostina Irina, Customer Engineer Irina Kostina | LinkedIn
Reviewers
Chat GPT 3.5 ChatGPT (openai.com)
Build your Web Apps faster with the Azure Cache for Redis: Quick Start Template
Are you a developer looking to quickly and securely spin up a Webapp with a database and cache? Look no further than the Azure Cache for Redis Quick Start Template, now available in the Azure Marketplace. This template allows developers to work across various databases and languages of their choice, making it easier than ever to get started.
The Quick Start Template is compatible with several popular programming languages, including **Java, .NET, Python, Go, PHP, and Node.js**. It also works with a variety of data services, such as **Azure SQL, Azure PostgreSQL, Azure MySQL, and Azure Cosmos DB for MongoDB**.
Azure Cache for Redis is a first-party service that fully manages caching solutions based on open-source Redis, an in-memory data store that is commonly used for caching, message brokering, session management, and real-time data processing. The Quick Start Template lets you quickly and securely deploy an Azure Cache for Redis instance and connect it with your Webapp.
But that’s not all – the Azure Cache for Redis also offers several advanced features, such as data persistence, clustering, load balancing, and geo-replication, which make it easy to scale and deploy Redis-based solutions across multiple regions and data centers. Azure Cache for Redis can be used effectively with other Azure services, such as Azure App Service, Azure Kubernetes Service, Azure Functions, and Azure Logic Apps, enabling developers to easily incorporate caching into their applications without having to manage infrastructure or worry about scalability and availability.
And if you’re interested in learning more about the Azure Cache for Redis Quick Start Template, be sure to check out the upcoming Open at Microsoft episode that is all about this quick start template. The episode is hosted by Ricky Diep, Product Marketing Manager, and Catherine Wang, Senior Product Manager, and it’s a great opportunity to see the template in action and learn from the experts. In the episode, there will be a demo showcasing how Catherine quickly spun up a Python web app for restaurant reviews using Azure Cache for Redis with PostgreSQL.
In addition to its ease of use and advanced features, the Azure Cache for Redis Quick Start Template has several practical use cases that can enhance the performance and functionality of your web applications. For example:
Session Store: Storing user session data in Azure Cache for Redis can enhance web application performance by reducing the database server load, particularly beneficial for high-traffic or complex session data.
Message Broker: Azure Cache for Redis can also serve as a message queue broker for background processing tasks, allowing web applications to offload time-consuming tasks to background workers while maintaining reliability and scalability.
Distributed Caching: Implementing leaderboards, counters, or other real-time ranking systems can be achieved efficiently using Azure Cache for Redis, ensuring fast and accurate updates.
Content Cache: For web applications serving dynamic content, you can cache HTML fragments, page components, or entire rendered pages in Azure Cache for Redis. This approach can help offload the web server and reduce the generation time of dynamic content.
Cache-Aside is ideal for storing frequently accessed data like product catalogs, user profiles, or configuration settings. By caching this data in Azure Cache for Redis, you can reduce the latency associated with database queries. The Cache-Aside pattern is a smart caching strategy where the application itself is responsible for managing the cache. When a request for data arrives, the application first checks the cache. If the cache doesn’t contain the required data, the application retrieves the data from the primary data store, such as a database, and stores it in the cache for future use. This can improve performance and help maintain consistency between data held in the cache and data in the underlying data store.
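The Cache-Aside flow described above, as an added example that is not part of the Quick Start Template: read through the cache, load from the primary store on a miss, and evict on write so the next read reloads. FakeRedis is a constructed in-memory stand-in that reuses the redis-py method names get, setex and delete; ProfileStore, the key format and the TTL are assumptions.

```python
import json
import time


class FakeRedis:
    """In-memory stand-in using the redis-py method names get/setex/delete,
    so the example runs without a server (constructed for illustration)."""

    def __init__(self, clock=time.monotonic):
        self._data = {}
        self._clock = clock

    def get(self, key):
        entry = self._data.get(key)
        if entry is None:
            return None
        value, expires_at = entry
        if expires_at <= self._clock():
            del self._data[key]          # expired: behave like a miss
            return None
        return value

    def setex(self, key, ttl_seconds, value):
        self._data[key] = (value, self._clock() + ttl_seconds)

    def delete(self, key):
        return 1 if self._data.pop(key, None) is not None else 0


class ProfileStore:
    """Cache-aside: the application, not the cache, decides when to load and evict."""

    def __init__(self, db, cache, ttl_seconds=300):
        self.db = db                     # a dict stands in for the primary database
        self.cache = cache
        self.ttl = ttl_seconds
        self.db_reads = 0

    @staticmethod
    def _key(user_id):
        return f"profile:{user_id}"

    def get(self, user_id):
        cached = self.cache.get(self._key(user_id))
        if cached is not None:
            return json.loads(cached)    # hit: no database round trip
        self.db_reads += 1
        profile = self.db.get(user_id)
        if profile is not None:
            # Populate on miss; the TTL bounds how long a stale copy can live.
            self.cache.setex(self._key(user_id), self.ttl, json.dumps(profile))
        return profile

    def update(self, user_id, profile):
        self.db[user_id] = profile                  # write the source of truth first
        self.cache.delete(self._key(user_id))       # then evict the cached copy


def demo():
    now = [0.0]                                     # controllable clock for the TTL
    cache = FakeRedis(clock=lambda: now[0])
    store = ProfileStore({"42": {"name": "Ada"}}, cache, ttl_seconds=300)
    first = store.get("42")                         # miss, loaded from the database
    second = store.get("42")                        # hit
    store.update("42", {"name": "Ada L."})
    after_write = store.get("42")                   # miss again because of the eviction
    now[0] = 301.0
    after_ttl = store.get("42")                     # entry expired, reloaded
    return first, second, after_write, after_ttl, store.db_reads
```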
So why wait? Head over to the Azure Marketplace and try out the Azure Cache for Redis Quick Start Template today!
Resources
Learn More on Quick Deploy Template
Learn More on Azure Cache for Redis
Watch the Open at Microsoft Video
Released: SCOM Management Packs for SQL Server, RS, AS (7.4.0.0)
Updates to SQL Server, SQL Server Dashboards, Reporting Services, and Analysis Services Management Packs are available (7.4.0.0). You can download the MPs from the links below. The majority of the changes are based on your direct feedback. Thank you.
Download Microsoft System Center Management Pack for SQL Server
Download Microsoft System Center Management Pack for SQL Server Dashboards
Download Microsoft System Center Management Pack for SQL Server Analysis Services
Download Microsoft System Center Management Pack for SQL Server Reporting Services
There are a lot of new features as well as some bug fixes in these MPs. You can find the full list by following the links below. Some of the bigger additions are:
For SQL MP
Added support for custom management server resource pools for agentless monitoring mode
Added new “SQL Connection Encryption Certificate Status” monitor for SQL Server on Linux, which targets DB Engine and checks if the server’s TLS certificate is valid
For AS MP
Added nine new performance collection rules
Improved the memory-related instance monitoring workflows
For RS MP
Added new “Securables Configuration Status” monitors
Improved accessibility for the Summary Dashboard view and Monitoring Wizard template
Updated the “Product Version Compliance” monitor with the most recent version of public updates for SQL Server
The operations guides for the SQL Server family of management packs live on learn.microsoft.com. The link to the operations guide for each MP can be found on the MP download page. Here are the links that show what’s new in these MPs:
Features and Enhancements in Management Pack for SQL Server
Features and Enhancements in Management Pack for SQL Server Dashboards
Features and Enhancements in Management Pack for SQL Server Analysis Services
Features and Enhancements in Management Pack for SQL Server Reporting Services
Autogen: Microsoft’s Open-Source Tool for Streamlining Development
Today, we’re going to dive into an exciting tool from Microsoft Research called Autogen.
What is Autogen?
Autogen is an open-source project by Microsoft, designed to simplify the process of creating and maintaining libraries of data structures and routines. It’s a powerful tool that can significantly speed up your development process.
Why Autogen?
Autogen is incredibly versatile and can be used in a variety of programming projects. It’s especially useful when you’re dealing with large codebases or complex data structures. With Autogen, you can automate repetitive tasks, reduce errors, and ensure consistency across your project.
Getting Started with Autogen
To get started with Autogen, visit the official Autogen GitHub page: microsoft/autogen: Enable Next-Gen Large Language Model Applications. Join our Discord: https://discord.gg/pAbnFJrkgZ (github.com)
Here, you’ll find comprehensive documentation, installation instructions, and a wealth of examples to help you understand how to use Autogen effectively.
AutoGen is a framework that enables development of large language model (LLM) applications using multiple agents that can converse with each other to solve tasks. AutoGen agents are customizable, conversable, and seamlessly allow human participation. They can operate in various modes that employ combinations of LLMs, human inputs, and tools.
AutoGen is useful for technical students because:
It simplifies the orchestration, automation, and optimization of complex LLM workflows, such as code-based question answering, retrieval-augmented generation, and conversational AI.
It offers a collection of examples spanning a wide range of applications from various domains and complexities.
It supports enhanced LLM inference APIs, which can be used to improve inference performance and reduce cost.
It leverages the strongest capabilities of the most advanced LLMs, like GPT-4, while addressing their limitations by integrating with humans and tools and having conversations between multiple agents via automated chat.
To get started with AutoGen, you need to:
Install AutoGen: You can use AutoGen from Codespaces or Docker or locally with pip by running pip install pyautogen. You also need to install Docker and the python docker package for code execution. See Installation for more details.
Create Agents: AutoGen provides customizable and conversable agents that can integrate LLMs, tools, and humans. You can create different types of agents, such as AssistantAgent, UserProxyAgent, HumanAgent, etc. See Agents for more details.
Initiate Chat: You can initiate a chat between two or more agents by calling the initiate_chat method on one of the agents. You can also specify the message, the task, and the conversation mode. See Chat for more details.
Build Applications: You can use AutoGen to build a wide range of applications from various domains and complexities, such as code generation, data analysis, summarization, etc. See Applications for some examples.
Conclusion
Autogen is a powerful tool that can greatly enhance your coding experience. Whether you’re a beginner just starting out or an experienced developer looking for ways to improve your workflow, Autogen has something to offer. So why wait? Dive into Autogen today and discover a new way of coding! You can also check out the Quickstart guide and the Documentation for more information.
Identifying drift in ML models: Best practices for generating consistent, reliable responses
Addressing the challenges of model drift is crucial for successful deployments of reliable, production-ready machine learning models. Explore insights into monitoring and mitigating model drift, with strategic recommendations to enhance the accuracy and longevity of machine learning models in real-world applications.
Key Challenges
Complexity in monitoring model drift
Models naturally drift from their original input parameters and over time produce unwanted results once deployed. Inaccurate or outdated models due to drift can lead to suboptimal decision-making and pose potential business risk. To ensure accuracy throughout a model’s lifecycle, teams need a strategy for monitoring their model deployment with automated tooling and processes in place.
Interpreting and addressing the causes of model drift
Drift can be gradual or abrupt, and it can be challenging to identify and subsequently address. If not mitigated, it can worsen, increasing the negative business impact. Determining the cause of the drift is crucial for implementing effective corrective measures. Learning from what is working and not working will allow teams to pivot and correct when needed.
Evaluating the quality of training data
If the data used for training a model is of inadequate quality, the model may not be able to accurately interpret it. This can lead to changes in the data, which translate into model drift. To mitigate this, teams need to ensure that training data for models is of high quality and is a representative sample of the data.
Recommendations
As a team identifying model drift, you should keep the following in mind:
Early detection of model drift is crucial for timely corrective actions. Monitoring allows for real-time tracking of model performance, enabling teams to identify and respond to drift promptly. Establish a robust system for automated monitoring of machine learning models in production. Regularly monitor model outputs and implement automated alerts for detecting drift early on.
Retraining models with fresh, relevant data is essential for preventing and mitigating model drift. Continuous retraining ensures that the model stays accurate and adapts to changes in the data distribution over time. Develop a continuous retraining strategy for models, incorporating new and high-quality data. Use reliable data sources that are representative of real-world scenarios and free from inconsistencies, errors, biases, and ethical challenges.
Automating the lifecycle of machine learning models enhances operational efficiency and reduces the risk of human error, enabling teams to respond to model drift in a timely manner. Adopt MLOps practices to implement end-to-end automation for model management, including monitoring, retraining, and deployment. Leverage the techniques that MLOps tools provide to streamline operational management.
Understanding and identifying model drift
Teams building data-driven solutions actively explore ways to harness the power of their data through the development of machine learning (ML) models. However, teams are challenged by the outputs of their models over time, which results in many of these solutions never making it into production.
For ML models to become an integral part of applications developed by any organization, it is essential to detect when an ML model drifts away from acceptable operation.
Model drift is not a technology problem; it is a change in the context of data that can be effectively managed by implementing effective analysis of the data that models are trained on. This leads teams to ask, “What are the most effective methods for detecting drift in ML models?”
This article explores the key focus areas for identifying model drift where ISVs and Digital Natives can make improvements to deliver accurate ML models.
Understanding model drift and how it occurs
Drift is a concept in ML models where their performance, when deployed in production environments, slowly degrades over time. There are two distinct types of model drift: concept drift and data drift.
Concept drift occurs when the purpose of the original model changes over time and is recognized in four varieties: sudden drift, gradual drift, incremental drift, and recurring concepts.
Sudden drift occurs when a notable change that has not yet been observed happens in a brief period, for example, the impact of a global pandemic. Gradual drift is the opposite, occurring when a change has happened slowly over time, and this is observed in predictive models based on historical data. Incremental drift occurs when the change is not continuous, such as predicting sales of a specific product that changes in the future. Finally, recurring concepts are repeating patterns, for example seasonal sales of products such as winter coats, where the model needs regular retraining to account for this occurrence.
Data drift, on the other hand, occurs when the distribution of the input data changes over time. For example, consider an ML model that predicts the likelihood of customers purchasing a product based on their age and income. If the distribution of ages and incomes of customers changes significantly over time, the model will no longer be able to predict the likelihood of a purchase accurately.
It is important to understand the difference between these two types of drift because they require different approaches to address them.
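An added example, not from the original article: one way to detect the data drift described above for the age/income purchase model, by computing the Population Stability Index (PSI) of each input feature against the training baseline. The choice of PSI, the 0.10/0.25 thresholds, the function names and the synthetic customer data are all assumptions introduced here.

```python
"""Per-feature data-drift check using the Population Stability Index (PSI)."""
import math
import random
from bisect import bisect_right

# Rule-of-thumb PSI cut-offs (an assumption; tune them per model).
PSI_WARN = 0.10
PSI_ALERT = 0.25


def quantile_edges(baseline, bins=10):
    """Interior bin edges at baseline quantiles, so each bin holds ~1/bins of training data."""
    ordered = sorted(baseline)
    edges = []
    for i in range(1, bins):
        edge = ordered[(i * len(ordered)) // bins]
        if not edges or edge > edges[-1]:  # ties in the data would repeat an edge
            edges.append(edge)
    return edges


def bin_shares(values, edges, eps=1e-4):
    """Share of values per bin, floored at eps so an empty bin never yields log(0)."""
    counts = [0] * (len(edges) + 1)
    for value in values:
        counts[bisect_right(edges, value)] += 1
    return [max(count / len(values), eps) for count in counts]


def psi(baseline, current, bins=10):
    """PSI = sum over bins of (actual - expected) * ln(actual / expected)."""
    edges = quantile_edges(baseline, bins)
    expected = bin_shares(baseline, edges)
    actual = bin_shares(current, edges)
    return sum((a - e) * math.log(a / e) for a, e in zip(actual, expected))


def classify(score):
    if score >= PSI_ALERT:
        return "alert"
    if score >= PSI_WARN:
        return "warn"
    return "ok"


def drift_report(baseline_rows, current_rows, features):
    """Map each feature name to (rounded PSI, status) so an alerting job can act on it."""
    report = {}
    for name in features:
        score = psi([row[name] for row in baseline_rows],
                    [row[name] for row in current_rows])
        report[name] = (round(score, 3), classify(score))
    return report


def sample_customers(rng, n, age_mean, income_mean):
    """Constructed sample data, not real customer records."""
    return [{"age": rng.gauss(age_mean, 8.0),
             "income": rng.gauss(income_mean, 12000.0)} for _ in range(n)]


def demo():
    """Compare the training baseline with an unchanged and an older customer population."""
    rng = random.Random(7)
    training = sample_customers(rng, 5000, 40, 60000)
    same_population = sample_customers(rng, 5000, 40, 60000)
    older_customers = sample_customers(rng, 5000, 50, 60000)
    features = ["age", "income"]
    return (drift_report(training, same_population, features),
            drift_report(training, older_customers, features))


if __name__ == "__main__":
    stable, shifted = demo()
    print("unchanged population:", stable)
    print("older population:    ", shifted)
```

Because the check looks only at inputs, it catches data drift without needing labelled outcomes; concept drift still requires tracking prediction quality against ground truth.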
Importance of high-quality, responsible training data
High-quality training data is critical to the success of a deployed, production ML model. Collecting such data requires careful consideration of the data sources and their quality. To prevent model drift, it is important to use high-quality training data that is representative of the data that the model will encounter in the real world. This can help to ensure that the model is robust to changes in the data distribution and can generalize well to new data.
Choose reliable data sources for your model’s purpose
Select data sources that are representative of the data that the model will encounter in the real world. This ensures that the model is robust to changes in the data distribution and can generalize well to new data.
Ensure that the data sources are free from inconsistencies and errors, as well as avoiding biases and ethical challenges. Low-quality data can have a significant impact on data drift, leading to the model’s accuracy degrading over time.
Retrain models with new and updated data as it arises
Retraining an ML model with new, high-quality data is a key step in preventing model drift, ensuring that it remains accurate and dependable over time.
It is important to note that retraining a model with new data is not a one-time process. As the data distribution changes over time, it is important to continuously monitor the model’s performance with tooling and retrain when necessary.
Choosing tools and techniques for identifying and addressing model drift
There are various tools and techniques that can be used to identify and address model drift. Azure provides several technologies that can help with this, including Azure Machine Learning, which provides tools for monitoring and managing model drift. These tools can help to detect drift early and provide actionable insights to address it.
Knowing that there is a drift in a model’s outputs is only part of the solution. With regular, automated monitoring in place to detect drift, develop a process for conducting a root cause analysis of the drift when it is detected. Insights into what is causing the drift will enable you to act, such as by retraining the model with new data.
As you establish these practices, automating the end-to-end monitoring, retraining, and deployment of new models will provide you with effective operational management of your ML models.
Conclusion
Addressing model drift is critical for the successful deployment and longevity of machine learning models in production. Recognizing the importance of distinguishing between concept drift and data drift, while leveraging tools and techniques for monitoring and addressing drift, is crucial.
As ML models become integral to applications developed by ISVs and Digital Natives, a proactive approach to understanding and managing model drift will contribute to the sustained success of these data-driven solutions.
Further Reading
Machine Learning Monitoring: Why You Should Care About Data and Concept Drift | Evidently AI
Data quality considerations – Cloud Adoption Framework | Microsoft Learn
Data Validation at Scale with Azure Synapse – Microsoft Community Hub
MLOps: Machine learning model management – Azure Machine Learning | Microsoft Learn
Model monitoring with Azure Machine Learning | Microsoft Learn
Microsoft Tech Community – Latest Blogs –Read More
Released: SCOM Management Packs for SQL Server, RS, AS (7.4.0.0)
Updates to SQL Server, SQL Server Dashboards, Reporting Services, and Analysis Services Management Packs are available (7.4.0.0). You can download the MPs from the links below. The majority of the changes are based on your direct feedback. Thank you.
Download Microsoft System Center Management Pack for SQL Server
Download Microsoft System Center Management Pack for SQL Server Dashboards
Download Microsoft System Center Management Pack for SQL Server Analysis Services
Download Microsoft System Center Management Pack for SQL Server Reporting Services
There are a lot of new features as well as some bug fixes in these MPs. You can find the full list by following the links below. Some of the bigger additions are:
For SQL MP
Added support for custom management server resource pools for agentless monitoring mode
Added new “SQL Connection Encryption Certificate Status” monitor for SQL Server on Linux, which targets DB Engine and checks if the server’s TLS certificate is valid
For AS MP
Added nine new performance collection rules
Improved the memory-related instance monitoring workflows
For RS MP
Added new “Securables Configuration Status” monitors
Improved accessibility for the Summary Dashboard view and Monitoring Wizard template
Updated the “Product Version Compliance” monitor with the most recent version of public updates for SQL Server
The operations guides for the SQL Server family of management packs live on learn.microsoft.com. The link to the operations guide for each MP can be found on the MP download page. Here are the links that show what’s new in these MPs:
Features and Enhancements in Management Pack for SQL Server
Features and Enhancements in Management Pack for SQL Server Dashboards
Features and Enhancements in Management Pack for SQL Server Analysis Services
Features and Enhancements in Management Pack for SQL Server Reporting Services
Identifying drift in AI models: Best practices for generating consistent, reliable responses
Addressing the challenges of model drift is crucial for successful deployments of reliable, production-ready machine learning models. Explore insights into monitoring and mitigating model drift, with strategic recommendations to enhance the accuracy and longevity of machine learning models in real-world applications.
Key Challenges
Complexity in monitoring model drift
AI models naturally drift from their original input parameters and over time produce unwanted results once deployed. Inaccurate or outdated models due to drift can lead to suboptimal decision-making and pose potential business risk. To ensure accuracy throughout a model’s lifecycle, teams need a strategy for monitoring their model deployment with automated tooling and processes in place.
Interpreting and addressing the causes of model drift
Drift can be gradual or abrupt, and it can be challenging to identify and subsequently address. If not mitigated, it can progress further, increasing the negative business impact. Determining the cause of the drift is crucial for implementing effective corrective measures. Learning from what is working and not working will allow teams to pivot and correct when needed.
Evaluating the quality of training data
If the data used for training a model is of inadequate quality, the model may not be able to accurately interpret it. This can lead to changes in the data, which translate into model drift. To mitigate this, teams need to ensure that training data is high quality and a representative sample of the data.
Recommendations
As a team identifying model drift, you should:
Early detection of model drift is crucial for timely corrective actions. Monitoring allows for real-time tracking of model performance, enabling teams to identify and respond to drift promptly. Establish a robust system for automated monitoring of machine learning models in production. Regularly monitor model outputs and implement automated alerts for detecting drift early on.
Retraining models with fresh, relevant data is essential for preventing and mitigating model drift. Continuous retraining ensures that the model stays accurate and adapts to changes in the data distribution over time. Develop a continuous retraining strategy for models, incorporating new and high-quality data. Use reliable data sources that are representative of real-world scenarios and free from inconsistencies, errors, biases, and ethical challenges.
Automating the lifecycle of machine learning models enhances operational efficiency and reduces the risk of human error, enabling teams to respond to model drift in a timely manner. Adopt MLOps practices to implement end-to-end automation for model management, including monitoring, retraining, and deployment. Leverage MLOps tools and techniques to streamline operational management.
Understanding and identifying model drift
Teams building data-driven solutions actively explore ways to harness the power of their data through the development of machine learning (ML) models. However, the challenges teams face with the outputs of their models over time result in many of these solutions never making it into production.
For ML models to become an integral part of applications developed by any organization, it is essential to detect when an ML model drifts away from acceptable operation.
Model drift is not a technology problem; it is a change in the context of data that can be managed through effective analysis of the data that models are trained on. This leads teams to ask, “What are the most effective methods for detecting drift in ML models?”
This article explores the key focus areas for identifying model drift where ISVs and Digital Natives can make improvements to deliver accurate ML models.
Understanding model drift and how it occurs
Drift is a concept in ML models where their performance, when deployed in production environments, slowly degrades over time. There are two distinct types of model drift: concept drift and data drift.
Concept drift occurs when the purpose of the original model changes over time and is recognized in four varieties: sudden drift, gradual drift, incremental drift, and recurring concepts.
Sudden drift occurs when a notable change that has not yet been observed happens in a brief period, for example, the impact of a global pandemic. Gradual drift is the opposite, occurring when a change has happened slowly over time, and this is observed in predictive models based on historical data. Incremental drift occurs when the change is not continuous, such as predicting sales of a specific product that changes in the future. Finally, recurring concepts are repeating patterns, for example seasonal sales of products such as winter coats, where the model needs regular retraining to account for this occurrence.
Data drift, on the other hand, occurs when the distribution of the input data changes over time. For example, consider an ML model that predicts the likelihood of customers purchasing a product based on their age and income. If the distribution of ages and incomes of customers changes significantly over time, the model will no longer be able to predict the likelihood of a purchase accurately.
It is important to understand the difference between these two types of drift because they require different approaches to address them.
Importance of high-quality, responsible training data
High-quality training data is critical to the success of a deployed, production AI model. Collecting such data requires careful consideration of the data sources and their quality. To prevent model drift, it is important to use high-quality training data that is representative of the data that the model will encounter in the real world. This can help to ensure that the model is robust to changes in the data distribution and can generalize well to new data.
Choose reliable data sources for your model’s purpose
Select data sources that are representative of the data that the model will encounter in the real world. This ensures that the model is robust to changes in the data distribution and can generalize well to new data.
Ensure that the data sources are free from inconsistencies and errors, as well as avoiding biases and ethical challenges. Low-quality data can have a significant impact on data drift, leading to the model’s accuracy degrading over time.
Retrain models with new and updated data as it arises
Retraining an AI model with new, high-quality data is a key step in preventing model drift, ensuring that it remains accurate and dependable over time.
It is important to note that retraining a model with new data is not a one-time process. As the data distribution changes over time, it is important to continuously monitor the model’s performance with tooling and retrain when necessary.
Choosing tools and techniques for identifying and addressing model drift
There are various tools and techniques that can be used to identify and address model drift. Azure provides several technologies that can help with this, including Azure Machine Learning, which provides tools for monitoring and managing model drift. These tools can help to detect drift early and provide actionable insights to address it.
Knowing that there is a drift in a model’s outputs is only part of the solution. With regular, automated monitoring in place to detect drift, develop a process for conducting a root cause analysis of the drift when it is detected. Insights into what is causing the drift will enable you to act, such as by retraining the model with new data.
As you establish these practices, automating the end-to-end monitoring, retraining, and deployment of new models will provide you with effective operational management of your ML models.
Conclusion
Addressing model drift is critical for the successful deployment and longevity of machine learning models in production. Recognizing the importance of distinguishing between concept drift and data drift, while leveraging tools and techniques for monitoring and addressing drift, is crucial.
As AI models become integral to applications developed by ISVs and Digital Natives, a proactive approach to understanding and managing model drift will contribute to the sustained success of these data-driven solutions.
Further Reading
Machine Learning Monitoring: Why You Should Care About Data and Concept Drift | Evidently AI
Data quality considerations – Cloud Adoption Framework | Microsoft Learn
Data Validation at Scale with Azure Synapse – Microsoft Community Hub
MLOps: Machine learning model management – Azure Machine Learning | Microsoft Learn
Model monitoring with Azure Machine Learning | Microsoft Learn
Defender Experts’ recommendations for impactful security posture management
Introduction
The Microsoft Defender Experts for XDR service provides value to customers from both a proactive and reactive perspective. Proactively, we provide guidance to customers on overall security posture improvements and perform threat hunting to surface malicious activity in their environments. Simultaneously, our team reactively investigates and responds to incidents that occur in customer environments on their behalf. Working with both sides of the security equation, Defender Experts for XDR is uniquely positioned to understand the value of security controls and configurations in terms of their impact on the rate and severity of actual customer incidents.
While the basics of security hygiene, such as patching, inventory, security baselining, and least privilege delegations are undeniably important, once those bases are covered there are many more specific controls that receive less attention but can be critical in mitigating the frequency and impact of future incidents. Leveraging our experience helping customers protect themselves, we’re thrilled to share some of the security controls and configurations we find most impactful in the real world.
Top Configuration Recommendations
Listed below, in no particular order, are the top configuration recommendations from Defender Experts for XDR.
Microsoft Defender for Office
——————————————————————————————————–
Restrict user ability to release emails from quarantine
The Exchange Online Protection (EOP) quarantine is leveraged widely to prevent suspicious emails from being delivered to user inboxes without entirely deleting them. Emails that match the anti-malware, anti-phishing, and anti-spam policies configured within a given tenant will most often be sent to quarantine. This protection is significantly curtailed when end users have the capability to indiscriminately release their own emails from quarantine. Our team has investigated an unfortunate number of incidents resulting from users searching out phishing emails that were quarantined, releasing them, and promptly compromising their own account. A full access permissions group in a quarantine policy permits this to happen and is strongly discouraged.
Fortunately, regardless of the quarantine policy applied, users can’t release their own messages that were quarantined as malware or high confidence phishing – they can only request their release. But for all other emails detected as phishing, one of the following permissions groups must be applied in order to prevent unrestricted quarantine release.
Limited access permissions group
This is the recommended permissions group for most environments that are not highly restricted. Limited access permits the user to preview quarantined messages (with hyperlinks disabled), view their headers, and request their release (in addition to deleting the email or blocking the sender).
No access is the most restrictive permissions group that can be applied to a quarantine policy. The default quarantine policy AdminOnlyAccessPolicy uses this permissions group. When this is configured, the most that a user could do with a quarantined message is view the email headers.
Implementation
Within the Microsoft Defender portal under Quarantine policy, create a new policy leveraging Limited access, No access, or Specific access with the action “Allow recipients to request a message to be released from quarantine.” Then apply this quarantine policy to your anti-phishing, anti-spam, and anti-malware policies.
Quarantine policies | Step 1 Create quarantine policies | Microsoft Learn
Quarantine policies | Anatomy of a quarantine policy | Microsoft Learn
Microsoft Defender for Endpoint
——————————————————————————————————-
Enable tamper protection
Tamper protection is a critical feature of Defender for Endpoint that protects security settings from being changed. When enabled, tamper protection prevents other key components of Defender for Endpoint, including virus and threat protection, antivirus (AV), real-time protection, automatic remediation, and tamper protection itself, from being disabled. If these security features can be disabled by an attacker, then their value is nullified. Once an attacker has compromised a device, it is commonly part of their attack chain to disable any security services running on the device, thereby enabling more severe and destructive follow-on actions. This activity has been observed in Cypherpunk, DarkSide, and Ryuk ransomware operations among many others. Every supported device onboarded with Defender for Endpoint should have tamper protection enabled. It is also advisable to seriously investigate any incidents involving attempted tampering, as they often point to ongoing compromise.
Implementation
Enable tamper protection via the Defender Portal, Intune, or Configuration Manager.
Protect security settings with tamper protection | Microsoft Learn
Enable network protection in block mode
Network protection is a Defender for Endpoint feature that leverages and extends Microsoft Edge SmartScreen to protect Windows, Linux, and macOS devices. SmartScreen, when in block mode, prevents network connections from the Edge browser to known malicious websites. When network protection is enabled in block mode, these malicious connections will also be blocked from all other supported browsers (Chrome, Firefox, Brave, Opera, etc.) and non-browser applications. The default blocklist leverages Microsoft’s extensive threat intelligence resources to protect users across all customer environments from unintentionally visiting malicious websites. Furthermore, custom indicators can be configured within a given tenant to block network connections to additional undesired domains, IPs, and URLs.
If network protection is not enabled, or not in block mode, users are vulnerable to visiting websites that are known to be malicious. This is a very common occurrence in Defender Experts for XDR investigations, resulting in malware infections, credential compromise, or other malicious activity. The Microsoft Threat Intelligence community has already done the work to provide the threat intel, so why not leverage it to protect your organization?
Implementation
Network protection can be enabled via PowerShell, MDM, Group Policy, or Microsoft Configuration Manager.
Turn on network protection | Microsoft Learn
Block untrusted and unsigned processes that run from USB
This is an Attack Surface Reduction (ASR) rule that is prebuilt within Microsoft Defender Antivirus to help prevent USB malware. When enabled in block mode, this rule prevents the execution of unsigned or untrusted executables (.exe, .dll, .scr, .ps, .vbs, .js, etc.) that are either present on mounted removable media (e.g., USB or SD card) or that were copied to disk from removable media. For some organizations, USB malware is quite rare. But for organizations with a large, distributed set of end users, or organizations with a large quantity of bring your own device (BYOD) users, this can become a constant challenge. China-based nation-state group Twill Typhoon is known to utilize removable devices containing malicious executables to infect victims, and the LemonDuck and LemonCat mining malware also spread using this technique, among others. Enabling this rule in block mode can be very effective at preventing these types of damaging USB malware.
Implementation
Ensure that Microsoft Defender Antivirus is turned on and Real-Time Protection and Tamper Protection are enabled. Then, enable the rule via Defender for Endpoint security settings management, MEM, Group Policy, or MDM.
Block untrusted and unsigned processes that run from USB | Microsoft Learn
Block JavaScript or VBScript from launching downloaded executable content
This ASR rule detects attempts by JavaScript or VBScript to launch executables downloaded from the internet and blocks them from executing if enabled in block mode. This prevents a pattern of activity known to be utilized by multiple common types of malware. The FakeUpdates/SocGholish malware in particular leverages a JavaScript backdoor to download and/or launch its payload. FakeUpdates remains relatively prevalent (Manatee Tempest – from FakeUpdates to ransomware), infecting devices via drive-by downloads from malvertising (malicious advertising), SEO poisoning, and more. Russian state-sponsored threat actor Midnight Blizzard has also been observed utilizing phishing emails containing HTML attachments embedded with the EnvyScout JS dropper to compromise victims.
Some organizations may utilize legitimate line-of-business applications that exhibit this same behavior, so it is recommended to test this rule in audit mode prior to fully enabling in block mode. Refer to the Demystifying attack surface reduction rules blog series for more information on the transition from auditing to blocking.
Implementation
Ensure that Microsoft Defender Antivirus is turned on and Real-Time Protection and Tamper Protection are enabled. Then, enable the rule via Defender for Endpoint security settings management, MEM, Group Policy, or MDM.
Block JavaScript or VBScript from launching downloaded executable content | Microsoft Learn
Block Office applications from creating executable content
This ASR rule detects attempts by Office applications (Word, Excel, and PowerPoint) to execute files written to disk, and execution of untrusted files saved by Office macros. In block mode, this rule prevents these executions. Office files have long been utilized to deliver and/or run malicious code, and unfortunately this remains a successful initial access vector into many organizations with insufficient protections. Emotet, Trickbot, Hancitor, and ZLoader malware are all frequently delivered via phishing emails that either directly attach or link to these types of malicious Office files. Individual threat actors including Iran-based nation-state group Mint Sandstorm, China-based nation-state group Canary Typhoon, and Vietnam-based nation-state group Canvas Cyclone, among others, have been known to utilize these methods as well.
Implementation
Ensure that Microsoft Defender Antivirus is turned on and Real-Time Protection and Tamper Protection are enabled. Then, enable the rule via Defender for Endpoint security settings management, MEM, Group Policy, or MDM.
Block Office applications from creating executable content | Microsoft Learn
Block executable content from email client and webmail
This ASR rule detects executable files and scripts attempting to run directly from Microsoft Outlook, outlook.com, or other common webmail services. When enabled in block mode, these executions will be prevented. More sophisticated threat actors and Phishing-as-a-Service (PhaaS) providers have pivoted away from this technique, but this control provides valuable protection against the low-sophistication phishing attacks that can be just as damaging. Given that phishing is one of the most prevalent initial access vectors we see today, any controls that can be applied to reduce the frequency or severity of successful phishing, without disrupting business, should be.
Implementation
Ensure that Microsoft Defender Antivirus is turned on and Real-Time Protection and Tamper Protection are enabled. Then, enable the rule via Defender for Endpoint security settings management, MEM, Group Policy, or MDM.
Block executable content from email client and webmail | Microsoft Learn
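The Defender for Endpoint settings recommended above (tamper protection, network protection in block mode, and the four ASR rules) can be checked per device. The read-only audit below is an added example, not code from the original post or from Microsoft; the function name Test-EndpointPosture and the sample objects are constructed for illustration, and the rule GUIDs are the ones listed in Microsoft's ASR rules reference.

```powershell
# Added example: audit one Windows device against the endpoint recommendations above.
# Read-only. On a live host it consumes Get-MpComputerStatus and Get-MpPreference
# from the built-in Defender module; nothing is changed on the device.

# The four ASR rules named in this section, keyed by their published GUIDs.
$AsrRules = [ordered]@{
    'b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4' = 'Block untrusted and unsigned processes that run from USB'
    'd3e037e1-3eb8-44c8-a917-57927947596d' = 'Block JavaScript or VBScript from launching downloaded executable content'
    '3b576869-a4ec-4529-8536-b80a7769e899' = 'Block Office applications from creating executable content'
    'be9ba2d9-53ea-4cdc-84e5-9b1eeee46550' = 'Block executable content from email client and webmail'
}
# Numeric states as reported by Get-MpPreference (-1 is this script's marker for "rule absent").
$AsrState = @{ -1 = 'Not configured'; 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }
$NpState  = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit' }

function Test-EndpointPosture {
    param(
        [Parameter(Mandatory)] $Status,      # output of Get-MpComputerStatus
        [Parameter(Mandatory)] $Preference   # output of Get-MpPreference
    )

    # Prerequisites named in every ASR "Implementation" step, plus tamper protection.
    $prereqs = [ordered]@{
        'Microsoft Defender Antivirus' = [bool]$Status.AntivirusEnabled
        'Real-time protection'         = [bool]$Status.RealTimeProtectionEnabled
        'Tamper protection'            = [bool]$Status.IsTamperProtected
    }
    foreach ($name in $prereqs.Keys) {
        [pscustomobject]@{
            Control   = $name
            State     = $(if ($prereqs[$name]) { 'Enabled' } else { 'Disabled' })
            Compliant = $prereqs[$name]
        }
    }

    # Network protection only blocks when the state is 1; audit mode (2) logs without blocking.
    $np = [int]$Preference.EnableNetworkProtection
    [pscustomobject]@{
        Control   = 'Network protection'
        State     = $(if ($NpState.ContainsKey($np)) { $NpState[$np] } else { "Unknown ($np)" })
        Compliant = ($np -eq 1)
    }

    # ASR rules are stored as two parallel arrays: rule GUIDs and their actions.
    $ids     = @($Preference.AttackSurfaceReductionRules_Ids)
    $actions = @($Preference.AttackSurfaceReductionRules_Actions)
    foreach ($guid in $AsrRules.Keys) {
        $state = -1
        for ($i = 0; $i -lt $ids.Count; $i++) {
            # -eq on strings is case-insensitive, so GUID casing does not matter.
            if ($ids[$i] -eq $guid) { $state = [int]$actions[$i]; break }
        }
        [pscustomobject]@{
            Control   = "ASR: $($AsrRules[$guid])"
            State     = $(if ($AsrState.ContainsKey($state)) { $AsrState[$state] } else { "Unknown ($state)" })
            Compliant = ($state -eq 1)
        }
    }
}

# Live run on a Windows device with the Defender module:
#   Test-EndpointPosture -Status (Get-MpComputerStatus) -Preference (Get-MpPreference) |
#       Format-Table -AutoSize
#
# Moving a non-compliant setting forward (elevated session; staged through audit mode first,
# as the post recommends for rules that may affect line-of-business applications):
#   Set-MpPreference -EnableNetworkProtection Enabled
#   Add-MpPreference -AttackSurfaceReductionRules_Ids <rule GUID> -AttackSurfaceReductionRules_Actions AuditMode

# Constructed sample input so the function can be exercised on any host with PowerShell.
$sampleStatus = [pscustomobject]@{
    AntivirusEnabled          = $true
    RealTimeProtectionEnabled = $true
    IsTamperProtected         = $false
}
$samplePreference = [pscustomobject]@{
    EnableNetworkProtection             = 2
    AttackSurfaceReductionRules_Ids     = @('B2B3F03D-6A65-4F7B-A9C7-1C7EF74A9BA4',
                                            'd3e037e1-3eb8-44c8-a917-57927947596d')
    AttackSurfaceReductionRules_Actions = @(1, 2)
}

Test-EndpointPosture -Status $sampleStatus -Preference $samplePreference |
    Format-Table -AutoSize
```

With the constructed sample, only the antivirus, real-time protection and USB rule rows report as compliant; tamper protection is off, network protection and the JavaScript/VBScript rule are still in audit mode, and the two remaining rules are not configured.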
Microsoft Entra ID
——————————————————————————————————-
Ensure multifactor authentication (MFA) is enabled for all users in administrative roles in Entra ID
For a long time, MFA was heralded as the ultimate impenetrable line of defense against account compromise. While we know now that there are many ways to bypass it such as cookie/token theft, SIM swapping, social engineering, etc., MFA remains a valuable control for defense in depth. All administrative user accounts should require MFA, but there are a few critical roles in particular that should be prioritized for this control:
The global admin role has the most powerful overall permissions within a tenant and should be protected accordingly.
The power of the billing admin is less widely known, but it can in fact take over a tenant from anyone, including the global admin! With the power to move subscriptions to an associated billing tenant, the billing admin could transfer subscriptions to a tenant where they hold global admin, giving them complete control.
Implementation
Within Entra ID, create a Conditional Access policy that applies to administrative roles requiring MFA on all cloud applications.
Require MFA for administrators with Conditional Access – Microsoft Entra ID | Microsoft Learn
Require MFA for self-service password reset (SSPR)
Self-service password reset enables users to reset their own password without needing to go through a help desk. When performing a password reset, users should be required to robustly verify their identity in order to prevent potential account takeover. SSPR permits four types of authentication methods, which include email and mobile phone. A determined attacker can typically gain access to one of these methods with relative ease. Octo Tempest has been known to take over accounts via SSPR using access to user phones acquired through SIM swapping, among other methods. Requiring two authentication methods in order to complete SSPR might not stop every attacker, but it does introduce an additional defensive layer to the process that could make all the difference.
Implementation
Within Entra ID under password reset, set authentication methods to two.
Select authentication methods and registration options – Microsoft Entra ID | Microsoft Learn
Microsoft Defender for Identity
——————————————————————————————————-
Set a honeytoken account
A honeytoken account works like a security alarm; it is a dormant account with no legitimate business purpose, so any activity that occurs on the account generates an alert. This facilitates the identification of attacker activity that may otherwise have gone unnoticed. A honeytoken is a very simple and effective detective control, and can be leveraged in multiple different ways as described in Deceptive defense: best practices for identity based honeytokens in Microsoft Defender for Identity. While attack prevention is preferable to retroactive detection, these days it is not reasonable to expect that an organization will avoid being breached. It is vital to be prepared to detect attacks that get past the outer layer of defense in order to mitigate their impact.
Implementation
Create or repurpose an account with no business purpose, and ensure its privileges are removed. Tag this account as a honeytoken within the Defender portal under Settings > Identities > Honeytoken.
Entity tags in Microsoft Defender for Identity – Microsoft Defender for Identity | Microsoft Learn
Conclusion
Every organization can take actions to improve their security posture, but the sheer volume of control recommendations can sometimes overwhelm organizations into inaction. Through this blog post, the Defender Experts for XDR team has aimed to provide a discrete list of configurations and controls that we have observed to be impactful through our daily work with Microsoft customers. We hope that these recommendations will be implemented, or at least considered, for the protection of your organization as well.
If you’re interested in learning more about Defender Experts for XDR, visit the Microsoft Defender Experts for XDR web page or the Defender Experts for XDR docs page.
Microsoft Tech Community – Latest Blogs –Read More
Defender Experts’ recommendations for impactful security posture management
Introduction
The Microsoft Defender Experts for XDR service provides value to customers from both a proactive and reactive perspective. Proactively, we provide guidance to customers on overall security posture improvements and perform threat hunting to surface malicious activity in their environments. Simultaneously, our team reactively investigates and responds to incidents that occur in customer environments on their behalf. Working with both sides of the security equation, Defender Experts for XDR is uniquely positioned to understand the value of security controls and configurations in terms of their impact on the rate and severity of actual customer incidents.
While the basics of security hygiene, such as patching, inventory, security baselining, and least privilege delegations are undeniably important, once those bases are covered there are many more specific controls that receive less attention but can be critical in mitigating the frequency and impact of future incidents. Leveraging our experience helping customers protect themselves, we’re thrilled to share some of the security controls and configurations we find most impactful in the real world.
Top Configuration Recommendations
Listed below, in no particular order, are the top configuration recommendations from Defender Experts for XDR.
Microsoft Defender for Office
——————————————————————————————————–
Restrict user ability to release emails from quarantine
The Exchange Online Protection (EOP) quarantine is leveraged widely to prevent suspicious emails from being delivered to user inboxes without entirely deleting them. Emails that match the anti-malware, anti-phishing, and anti-spam policies configured within a given tenant will most often be sent to quarantine. This protection is significantly curtailed when end users have the capability to indiscriminately release their own emails from quarantine. Our team has investigated an unfortunate number of incidents resulting from users searching out phishing emails that were quarantined, releasing them, and promptly compromising their own account. A full access permissions group in a quarantine policy permits this to happen and is strongly discouraged.
Fortunately, regardless of the quarantine policy applied, users can’t release their own messages that were quarantined as malware or high confidence phishing – they can only request their release. But for all other emails detected as phishing, one of the following permissions groups must be applied in order to prevent unrestricted quarantine release.
Limited access permissions group
This is the recommended permissions group for most environments that are not highly restricted. Limited access permits the user to preview quarantined messages (with hyperlinks disabled), view their headers, and request their release (in addition to deleting the email or blocking the sender).
No access is the most restrictive permissions group that can be applied to a quarantine policy. The default quarantine policy AdminOnlyAccessPolicy uses this permissions group. When this is configured, the most that a user could do with a quarantined message is view the email headers.
Implementation
Within the Microsoft Defender portal under Quarantine policy, create a new policy leveraging Limited access, No access, or Specific access with the action “Allow recipients to request a message to be released from quarantine.” Then apply this quarantine policy to your anti-phishing, anti-spam, and anti-malware policies.
Quarantine policies | Step 1 Create quarantine policies | Microsoft Learn
Quarantine policies | Anatomy of a quarantine policy | Microsoft Learn
Microsoft Defender for Endpoint
——————————————————————————————————-
Enable tamper protection
Tamper protection is a critical feature of Defender for Endpoint that protects security settings from being changed. When enabled, tamper protection prevents other key components of Defender for Endpoint, including virus and threat protection, antivirus (AV), real-time protection, automatic remediation, and tamper protection itself, from being disabled. If these security features can be disabled by an attacker, then their value is nullified. Once an attacker has compromised a device, it is commonly part of their attack chain to disable any security services running on the device, thereby enabling more severe and destructive follow-on actions. This activity has been observed in Cypherpunk, DarkSide, and Ryuk ransomware operations among many others. Every supported device onboarded with Defender for Endpoint should have tamper protection enabled. It is also advisable to seriously investigate any incidents involving attempted tampering, as they often point to ongoing compromise.
Implementation
Enable tamper protection via the Defender Portal, Intune, or Configuration Manager.
Protect security settings with tamper protection | Microsoft Learn
Enable network protection in block mode
Network protection is a Defender for Endpoint feature that leverages and extends Microsoft Edge SmartScreen to protect Windows, Linux, and macOs devices. SmartScreen, when in block mode, prevents network connections from the Edge browser to known malicious websites. When network protection is enabled in block mode, these malicious connections will also be blocked from all other supported browsers (Chrome, Firefox, Brave, and Opera, etc.) and non-browser applications. The default blocklist leverages Microsoft’s extensive threat intelligence resources to protect users across all customer environments from unintentionally visiting malicious websites. Furthermore, custom indicators can be configured within a given tenant to block network connections to additional undesired domains, Ips, and URLs.
If network protection is not enabled, or not in block mode, users are vulnerable to visiting websites that are known to be malicious. This is a very common occurrence in Defender Experts for XDR investigations, resulting in malware infections, credential compromise, or other malicious activity. The Microsoft Threat Intelligence community has already done the work to provide the threat intel, so why not leverage it to protect your organization?
Implementation
Network protection can be enabled via PowerShell, MDM, Group Policy, or Microsoft Configuration Manager.
Turn on network protection | Microsoft Learn
Block untrusted and unsigned processes that run from USB
This is an Attack Surface Reduction (ASR) rule that is prebuilt within Microsoft Defender Antivirus to help prevent USB malware. When enabled in block mode, this rule prevents the execution of unsigned or untrusted executables (.exe, .dll, .scr, .ps, .vbs, .js, etc.) that are either present on mounted removable media (e.g., USB or SD card) or that were copied to disk from removable media. For some organizations, USB malware is quite rare. But for organizations with a large, distributed set of end users, or organizations with a large quantity of bring your own device (BYOD) users, this can become a constant challenge. China-based nation-state group Twill Typhoon is known to utilize removable devices containing malicious executables to infect victims, and the LemonDuck and LemonCat mining malware also spread this using this technique, among others. Enabling this rule in block mode can be very effective at preventing these types of damaging USB malware.
Implementation
Ensure that Microsoft Defender Antivirus is turned on and Real-Time Protection and Tamper Protection are enabled. Then, enable the rule via Defender for Endpoint security settings management, MEM, Group Policy, or MDM.
Block untrusted and unsigned processes that run from USB | Microsoft Learn
Block JavaScript or VBScript from launching downloaded executable content
This ASR rule detects attempts by JavaScript or VBScript to launch executables downloaded from the internet and blocks them from executing if enabled in block mode. This prevents a pattern of activity known to be utilized by multiple common types of malware. The FakeUpdates/SocGholish malware in particular leverages a JavaScript backdoor to download and/or launch its payload. FakeUpdates remains relatively prevalent (Manatee Tempest – from FakeUpdates to ransomware), infecting devices via drive-by downloads from malvertising (malicious advertising), SEO poisoning, and more. Russian state-sponsored threat actor Midnight Blizzard has also been observed utilizing phishing emails containing HTML attachments embedded with the EnvyScout JS dropper to compromise victims.
Some organizations may utilize legitimate line-of-business applications that exhibit this same behavior, so it is recommended to test this rule in audit mode prior to fully enabling in block mode. Refer to the Demystifying attack surface reduction rules blog series for more information on the transition from auditing to blocking.
Implementation
Ensure that Microsoft Defender Antivirus is turned on and Real-Time Protection and Tamper Protection are enabled. Then, enable the rule via Defender for Endpoint security settings management, MEM, Group Policy, or MDM.
Block JavaScript or VBScript from launching downloaded executable content | Microsoft Learn
Block Office applications from creating executable content
This ASR rule detects attempts by Office applications (Word, Excel, and PowerPoint) to execute files written to disk, and execution of untrusted files saved by Office macros. In block mode, this rule prevents these executions. Office files have long been utilized to deliver and/or run malicious code, and unfortunately this remains a successful initial access vector into many organizations with insufficient protections. Emotet, Trickbot, Hancitor, and ZLoader malware are all frequently delivered via phishing emails that either directly attach or link to these types of malicious Office files. Individual threat actors including Iran-based nation-state group Mint Sandstorm, China-based nation-state group Canary Typhoon, and Vietnam-based nation-state group Canvas Cyclone, among others, have been known to utilize these methods as well.
Implementation
Ensure that Microsoft Defender Antivirus is turned on and Real-Time Protection and Tamper Protection are enabled. Then, enable the rule via Defender for Endpoint security settings management, MEM, Group Policy, or MDM.
Block Office applications from creating executable content | Microsoft Learn
Block executable content from email client and webmail
This ASR rule detects executable files and scripts attempting to run directly from Microsoft Outlook, outlook.com, or other common webmail services. When enabled in block mode, these executions will be prevented. More sophisticated threat actors and Phishing-as-a-Service (PhaaS) providers have pivoted away from this technique, but this control provides valuable protection against the low-sophistication phishing attacks that can be just as damaging. Given that phishing is one of the most prevalent initial access vectors we see today, any controls that can be applied to reduce the frequency or severity of successful phishing, without disrupting business, should be.
Implementation
Ensure that Microsoft Defender Antivirus is turned on and Real-Time Protection and Tamper Protection are enabled. Then, enable the rule via Defender for Endpoint security settings management, MEM, Group Policy, or MDM.
Block executable content from email client and webmail | Microsoft Learn
Microsoft Entra ID
——————————————————————————————————-
Ensure multifactor authentication (MFA) is enabled for all users in administrative roles in Entra ID
For a long time, MFA was heralded as the ultimate impenetrable line of defense against account compromise. While we know now that there are many ways to bypass it such as cookie/token theft, SIM swapping, social engineering, etc., MFA remains a valuable control for defense in depth. All administrative user accounts should require MFA, but there are a few critical roles in particular that should be prioritized for this control:
The global admin role has the most powerful overall permissions within a tenant and should be protected accordingly.
The power of the billing admin is less widely known, but it can in fact take over a tenant from anyone, including the global admin! With the power to move subscriptions to an associated billing tenant, the billing admin could transfer subscriptions to a tenant where they hold global admin, giving them complete control.
Implementation
Within Entra ID, create a Conditional Access policy that applies to administrative roles requiring MFA on all cloud applications.
Require MFA for administrators with Conditional Access – Microsoft Entra ID | Microsoft Learn
Require MFA for self-service password reset (SSPR)
Self-service password reset enables users to reset their own password without needing to go through a help desk. When performing a password reset, users should be required to robustly verify their identity in order to prevent potential account takeover. SSPR permits four types of authentication methods, which includes email and mobile phone. A determined attacker can typically gain access to one of these methods with relative ease. Octo Tempest has been known to take over accounts via SSPR using access to user phones acquired through SIM swapping, among other methods. Requiring two authentication methods in order to complete SSPR might not stop every attacker, but it does introduce an additional defensive layer to the process that could make all the difference.
Implementation
Within Entra ID under password reset, set authentication methods to two.
Select authentication methods and registration options – Microsoft Entra ID | Microsoft Learn
Microsoft Defender for Identity
——————————————————————————————————-
Set a honeytoken account
A honeytoken account works like a security alarm; it is a dormant account with no legitimate business purpose, so any activity that occurs on the account generates an alert. This facilitates the identification of attacker activity that may otherwise have gone unnoticed. A honeytoken is a very simple and effective detective control, and can be leveraged in multiple different ways as described in Deceptive defense: best practices for identity based honeytokens in Microsoft Defender for Identity. While attack prevention is preferable to retroactive detection, these days it is not reasonable to expect that an organization will avoid being breached. It is vital to be prepared to detect attacks that get past the outer layer of defense in order to mitigate their impact.
Implementation
Create or repurpose an account with no business purpose, and ensure its privileges are removed. Tag this account as a honeytoken within the Defender portal under Settings > Identities > Honeytoken.
Entity tags in Microsoft Defender for Identity – Microsoft Defender for Identity | Microsoft Learn
Conclusion
Every organization can take actions to improve their security posture, but the sheer volume of control recommendations can sometimes overwhelm organizations into inaction. Through this blog post, the Defender Experts for XDR team has aimed to provide a discrete list of configurations and controls that we have observed to be impactful through our daily work with Microsoft customers. We hope that these recommendations will be implemented, or at least considered, for the protection of your organization as well.
If you’re interested in learning more about Defender Experts for XDR, visit the Microsoft Defender Experts for XDR web page or the Defender Experts for XDR docs page.
Microsoft Tech Community – Latest Blogs –Read More
Defender Experts’ recommendations for impactful security posture management
Introduction
The Microsoft Defender Experts for XDR service provides value to customers from both a proactive and reactive perspective. Proactively, we provide guidance to customers on overall security posture improvements and perform threat hunting to surface malicious activity in their environments. Simultaneously, our team reactively investigates and responds to incidents that occur in customer environments on their behalf. Working with both sides of the security equation, Defender Experts for XDR is uniquely positioned to understand the value of security controls and configurations in terms of their impact on the rate and severity of actual customer incidents.
While the basics of security hygiene, such as patching, inventory, security baselining, and least privilege delegations are undeniably important, once those bases are covered there are many more specific controls that receive less attention but can be critical in mitigating the frequency and impact of future incidents. Leveraging our experience helping customers protect themselves, we’re thrilled to share some of the security controls and configurations we find most impactful in the real world.
Top Configuration Recommendations
Listed below, in no particular order, are the top configuration recommendations from Defender Experts for XDR.
Microsoft Defender for Office
——————————————————————————————————–
Restrict user ability to release emails from quarantine
The Exchange Online Protection (EOP) quarantine is leveraged widely to prevent suspicious emails from being delivered to user inboxes without entirely deleting them. Emails that match the anti-malware, anti-phishing, and anti-spam policies configured within a given tenant will most often be sent to quarantine. This protection is significantly curtailed when end users have the capability to indiscriminately release their own emails from quarantine. Our team has investigated an unfortunate number of incidents resulting from users searching out phishing emails that were quarantined, releasing them, and promptly compromising their own account. A full access permissions group in a quarantine policy permits this to happen and is strongly discouraged.
Fortunately, regardless of the quarantine policy applied, users can’t release their own messages that were quarantined as malware or high confidence phishing – they can only request their release. But for all other emails detected as phishing, one of the following permissions groups must be applied in order to prevent unrestricted quarantine release.
Limited access permissions group
This is the recommended permissions group for most environments that are not highly restricted. Limited access permits the user to preview quarantined messages (with hyperlinks disabled), view their headers, and request their release (in addition to deleting the email or blocking the sender).
No access is the most restrictive permissions group that can be applied to a quarantine policy. The default quarantine policy AdminOnlyAccessPolicy uses this permissions group. When this is configured, the most that a user could do with a quarantined message is view the email headers.
Implementation
Within the Microsoft Defender portal under Quarantine policy, create a new policy leveraging Limited access, No access, or Specific access with the action “Allow recipients to request a message to be released from quarantine.” Then apply this quarantine policy to your anti-phishing, anti-spam, and anti-malware policies.
Quarantine policies | Step 1 Create quarantine policies | Microsoft Learn
Quarantine policies | Anatomy of a quarantine policy | Microsoft Learn
Microsoft Defender for Endpoint
——————————————————————————————————-
Enable tamper protection
Tamper protection is a critical feature of Defender for Endpoint that protects security settings from being changed. When enabled, tamper protection prevents other key components of Defender for Endpoint, including virus and threat protection, antivirus (AV), real-time protection, automatic remediation, and tamper protection itself, from being disabled. If these security features can be disabled by an attacker, then their value is nullified. Once an attacker has compromised a device, it is commonly part of their attack chain to disable any security services running on the device, thereby enabling more severe and destructive follow-on actions. This activity has been observed in Cypherpunk, DarkSide, and Ryuk ransomware operations among many others. Every supported device onboarded with Defender for Endpoint should have tamper protection enabled. It is also advisable to seriously investigate any incidents involving attempted tampering, as they often point to ongoing compromise.
Implementation
Enable tamper protection via the Defender Portal, Intune, or Configuration Manager.
Protect security settings with tamper protection | Microsoft Learn
Enable network protection in block mode
Network protection is a Defender for Endpoint feature that leverages and extends Microsoft Edge SmartScreen to protect Windows, Linux, and macOs devices. SmartScreen, when in block mode, prevents network connections from the Edge browser to known malicious websites. When network protection is enabled in block mode, these malicious connections will also be blocked from all other supported browsers (Chrome, Firefox, Brave, and Opera, etc.) and non-browser applications. The default blocklist leverages Microsoft’s extensive threat intelligence resources to protect users across all customer environments from unintentionally visiting malicious websites. Furthermore, custom indicators can be configured within a given tenant to block network connections to additional undesired domains, Ips, and URLs.
If network protection is not enabled, or not in block mode, users are vulnerable to visiting websites that are known to be malicious. This is a very common occurrence in Defender Experts for XDR investigations, resulting in malware infections, credential compromise, or other malicious activity. The Microsoft Threat Intelligence community has already done the work to provide the threat intel, so why not leverage it to protect your organization?
Implementation
Network protection can be enabled via PowerShell, MDM, Group Policy, or Microsoft Configuration Manager.
Turn on network protection | Microsoft Learn
Block untrusted and unsigned processes that run from USB
This is an Attack Surface Reduction (ASR) rule that is prebuilt within Microsoft Defender Antivirus to help prevent USB malware. When enabled in block mode, this rule prevents the execution of unsigned or untrusted executables (.exe, .dll, .scr, .ps, .vbs, .js, etc.) that are either present on mounted removable media (e.g., USB or SD card) or that were copied to disk from removable media. For some organizations, USB malware is quite rare. But for organizations with a large, distributed set of end users, or organizations with a large quantity of bring your own device (BYOD) users, this can become a constant challenge. China-based nation-state group Twill Typhoon is known to utilize removable devices containing malicious executables to infect victims, and the LemonDuck and LemonCat mining malware also spread using this technique, among others. Enabling this rule in block mode can be very effective at preventing these types of damaging USB malware.
Implementation
Ensure that Microsoft Defender Antivirus is turned on and Real-Time Protection and Tamper Protection are enabled. Then, enable the rule via Defender for Endpoint security settings management, MEM, Group Policy, or MDM.
Block untrusted and unsigned processes that run from USB | Microsoft Learn
Block JavaScript or VBScript from launching downloaded executable content
This ASR rule detects attempts by JavaScript or VBScript to launch executables downloaded from the internet and blocks them from executing if enabled in block mode. This prevents a pattern of activity known to be utilized by multiple common types of malware. The FakeUpdates/SocGholish malware in particular leverages a JavaScript backdoor to download and/or launch its payload. FakeUpdates remains relatively prevalent (Manatee Tempest – from FakeUpdates to ransomware), infecting devices via drive-by downloads from malvertising (malicious advertising), SEO poisoning, and more. Russian state-sponsored threat actor Midnight Blizzard has also been observed utilizing phishing emails containing HTML attachments embedded with the EnvyScout JS dropper to compromise victims.
Some organizations may utilize legitimate line-of-business applications that exhibit this same behavior, so it is recommended to test this rule in audit mode prior to fully enabling in block mode. Refer to the Demystifying attack surface reduction rules blog series for more information on the transition from auditing to blocking.
Implementation
Ensure that Microsoft Defender Antivirus is turned on and Real-Time Protection and Tamper Protection are enabled. Then, enable the rule via Defender for Endpoint security settings management, MEM, Group Policy, or MDM.
Block JavaScript or VBScript from launching downloaded executable content | Microsoft Learn
Block Office applications from creating executable content
This ASR rule detects attempts by Office applications (Word, Excel, and PowerPoint) to execute files written to disk, and execution of untrusted files saved by Office macros. In block mode, this rule prevents these executions. Office files have long been utilized to deliver and/or run malicious code, and unfortunately this remains a successful initial access vector into many organizations with insufficient protections. Emotet, Trickbot, Hancitor, and ZLoader malware are all frequently delivered via phishing emails that either directly attach or link to these types of malicious Office files. Individual threat actors including Iran-based nation-state group Mint Sandstorm, China-based nation-state group Canary Typhoon, and Vietnam-based nation-state group Canvas Cyclone, among others, have been known to utilize these methods as well.
Implementation
Ensure that Microsoft Defender Antivirus is turned on and Real-Time Protection and Tamper Protection are enabled. Then, enable the rule via Defender for Endpoint security settings management, MEM, Group Policy, or MDM.
Block Office applications from creating executable content | Microsoft Learn
Block executable content from email client and webmail
This ASR rule detects executable files and scripts attempting to run directly from Microsoft Outlook, outlook.com, or other common webmail services. When enabled in block mode, these executions will be prevented. More sophisticated threat actors and Phishing-as-a-Service (PhaaS) providers have pivoted away from this technique, but this control provides valuable protection against the low-sophistication phishing attacks that can be just as damaging. Given that phishing is one of the most prevalent initial access vectors we see today, any controls that can be applied to reduce the frequency or severity of successful phishing, without disrupting business, should be.
Implementation
Ensure that Microsoft Defender Antivirus is turned on and Real-Time Protection and Tamper Protection are enabled. Then, enable the rule via Defender for Endpoint security settings management, MEM, Group Policy, or MDM.
Block executable content from email client and webmail | Microsoft Learn
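The Defender for Endpoint recommendations above (tamper protection, network protection in block mode, and the four ASR rules) can be verified on a single Windows device with the built-in Defender PowerShell cmdlets. The script below is an added example, not part of the original post: the function name `Get-DefenderPostureReport` is hypothetical, the rule GUIDs are those published in Microsoft's ASR rules reference, and the numeric state values (0 disabled, 1 block, 2 audit, 6 warn) are the ones Defender reports.

```powershell
# Added example: local check of the Defender for Endpoint settings discussed above.
# Run in an elevated PowerShell session on a device with Microsoft Defender Antivirus.

# ASR rules recommended in this post, keyed by GUID (from Microsoft's ASR rules reference).
$AsrRules = [ordered]@{
    'b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4' = 'Block untrusted and unsigned processes that run from USB'
    'd3e037e1-3eb8-44c8-a917-57927947596d' = 'Block JavaScript or VBScript from launching downloaded executable content'
    '3b576869-a4ec-4529-8536-b80a7769e899' = 'Block Office applications from creating executable content'
    'be9ba2d9-53ea-4cdc-84e5-9b1eeee46550' = 'Block executable content from email client and webmail'
}

# Numeric values Defender stores for ASR rule actions and for network protection.
$AsrActionName         = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }
$NetworkProtectionName = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit' }

function Get-DefenderPostureReport {
    $status = Get-MpComputerStatus   # runtime state (AV, real-time, tamper protection)
    $pref   = Get-MpPreference       # configured preferences (network protection, ASR)
    $report = [System.Collections.Generic.List[object]]::new()

    # Prerequisites named in every "Implementation" step: AV on, real-time and tamper protection on.
    $checks = [ordered]@{
        'Microsoft Defender Antivirus' = [bool]$status.AntivirusEnabled
        'Real-time protection'         = [bool]$status.RealTimeProtectionEnabled
        'Tamper protection'            = [bool]$status.IsTamperProtected
    }
    foreach ($name in $checks.Keys) {
        $state = if ($checks[$name]) { 'Enabled' } else { 'Disabled' }
        $report.Add([pscustomobject]@{ Control = $name; State = $state; Compliant = $checks[$name] })
    }

    # Network protection only blocks when the value is 1; audit mode (2) logs but allows.
    $np     = [int]$pref.EnableNetworkProtection
    $npName = $NetworkProtectionName[$np]
    if (-not $npName) { $npName = "Unknown ($np)" }
    $report.Add([pscustomobject]@{ Control = 'Network protection'; State = $npName; Compliant = ($np -eq 1) })

    # Pair each configured ASR rule ID with its action; both arrays are $null when no rule is set.
    $configured = @{}
    $ids     = @($pref.AttackSurfaceReductionRules_Ids)
    $actions = @($pref.AttackSurfaceReductionRules_Actions)
    for ($i = 0; $i -lt $ids.Count; $i++) {
        if ($ids[$i]) { $configured[$ids[$i].ToLower()] = [int]$actions[$i] }
    }

    foreach ($id in $AsrRules.Keys) {
        if ($configured.ContainsKey($id)) {
            $action = $configured[$id]
            $state  = $AsrActionName[$action]
            if (-not $state) { $state = "Unknown ($action)" }
        } else {
            $action = 0
            $state  = 'Not configured'
        }
        # Only block mode (1) satisfies the recommendation; audit is a testing stage.
        $report.Add([pscustomobject]@{
            Control   = "ASR: $($AsrRules[$id])"
            State     = $state
            Compliant = ($action -eq 1)
        })
    }
    return $report
}

Get-DefenderPostureReport | Format-Table -AutoSize -Wrap
```

A rule reported as Audit is the expected intermediate state while testing for line-of-business impact, as recommended for the JavaScript/VBScript rule; the report marks it non-compliant only because it is not yet blocking.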
Microsoft Entra ID
——————————————————————————————————-
Ensure multifactor authentication (MFA) is enabled for all users in administrative roles in Entra ID
For a long time, MFA was heralded as the ultimate impenetrable line of defense against account compromise. While we know now that there are many ways to bypass it such as cookie/token theft, SIM swapping, social engineering, etc., MFA remains a valuable control for defense in depth. All administrative user accounts should require MFA, but there are a few critical roles in particular that should be prioritized for this control:
The global admin role has the most powerful overall permissions within a tenant and should be protected accordingly.
The power of the billing admin is less widely known, but it can in fact take over a tenant from anyone, including the global admin! With the power to move subscriptions to an associated billing tenant, the billing admin could transfer subscriptions to a tenant where they hold global admin, giving them complete control.
Implementation
Within Entra ID, create a Conditional Access policy that applies to administrative roles requiring MFA on all cloud applications.
Require MFA for administrators with Conditional Access – Microsoft Entra ID | Microsoft Learn
Require MFA for self-service password reset (SSPR)
Self-service password reset enables users to reset their own password without needing to go through a help desk. When performing a password reset, users should be required to robustly verify their identity in order to prevent potential account takeover. SSPR permits four types of authentication methods, which include email and mobile phone. A determined attacker can typically gain access to one of these methods with relative ease. Octo Tempest has been known to take over accounts via SSPR using access to user phones acquired through SIM swapping, among other methods. Requiring two authentication methods in order to complete SSPR might not stop every attacker, but it does introduce an additional defensive layer to the process that could make all the difference.
Implementation
Within Entra ID under password reset, set authentication methods to two.
Select authentication methods and registration options – Microsoft Entra ID | Microsoft Learn
Microsoft Defender for Identity
——————————————————————————————————-
Set a honeytoken account
A honeytoken account works like a security alarm; it is a dormant account with no legitimate business purpose, so any activity that occurs on the account generates an alert. This facilitates the identification of attacker activity that may otherwise have gone unnoticed. A honeytoken is a very simple and effective detective control, and can be leveraged in multiple different ways as described in Deceptive defense: best practices for identity based honeytokens in Microsoft Defender for Identity. While attack prevention is preferable to retroactive detection, these days it is not reasonable to expect that an organization will avoid being breached. It is vital to be prepared to detect attacks that get past the outer layer of defense in order to mitigate their impact.
Implementation
Create or repurpose an account with no business purpose, and ensure its privileges are removed. Tag this account as a honeytoken within the Defender portal under Settings > Identities > Honeytoken.
Entity tags in Microsoft Defender for Identity – Microsoft Defender for Identity | Microsoft Learn
Conclusion
Every organization can take actions to improve their security posture, but the sheer volume of control recommendations can sometimes overwhelm organizations into inaction. Through this blog post, the Defender Experts for XDR team has aimed to provide a discrete list of configurations and controls that we have observed to be impactful through our daily work with Microsoft customers. We hope that these recommendations will be implemented, or at least considered, for the protection of your organization as well.
If you’re interested in learning more about Defender Experts for XDR, visit the Microsoft Defender Experts for XDR web page or the Defender Experts for XDR docs page.
Defender Experts’ recommendations for impactful security posture management
Introduction
The Microsoft Defender Experts for XDR service provides value to customers from both a proactive and reactive perspective. Proactively, we provide guidance to customers on overall security posture improvements and perform threat hunting to surface malicious activity in their environments. Simultaneously, our team reactively investigates and responds to incidents that occur in customer environments on their behalf. Working with both sides of the security equation, Defender Experts for XDR is uniquely positioned to understand the value of security controls and configurations in terms of their impact on the rate and severity of actual customer incidents.
While the basics of security hygiene, such as patching, inventory, security baselining, and least privilege delegations are undeniably important, once those bases are covered there are many more specific controls that receive less attention but can be critical in mitigating the frequency and impact of future incidents. Leveraging our experience helping customers protect themselves, we’re thrilled to share some of the security controls and configurations we find most impactful in the real world.
Top Configuration Recommendations
Listed below, in no particular order, are the top configuration recommendations from Defender Experts for XDR.
Microsoft Defender for Office
——————————————————————————————————–
Restrict user ability to release emails from quarantine
The Exchange Online Protection (EOP) quarantine is leveraged widely to prevent suspicious emails from being delivered to user inboxes without entirely deleting them. Emails that match the anti-malware, anti-phishing, and anti-spam policies configured within a given tenant will most often be sent to quarantine. This protection is significantly curtailed when end users have the capability to indiscriminately release their own emails from quarantine. Our team has investigated an unfortunate number of incidents resulting from users searching out phishing emails that were quarantined, releasing them, and promptly compromising their own account. A full access permissions group in a quarantine policy permits this to happen and is strongly discouraged.
Fortunately, regardless of the quarantine policy applied, users can’t release their own messages that were quarantined as malware or high confidence phishing – they can only request their release. But for all other emails detected as phishing, one of the following permissions groups must be applied in order to prevent unrestricted quarantine release.
Limited access permissions group
This is the recommended permissions group for most environments that are not highly restricted. Limited access permits the user to preview quarantined messages (with hyperlinks disabled), view their headers, and request their release (in addition to deleting the email or blocking the sender).
No access is the most restrictive permissions group that can be applied to a quarantine policy. The default quarantine policy AdminOnlyAccessPolicy uses this permissions group. When this is configured, the most that a user could do with a quarantined message is view the email headers.
Implementation
Within the Microsoft Defender portal under Quarantine policy, create a new policy leveraging Limited access, No access, or Specific access with the action “Allow recipients to request a message to be released from quarantine.” Then apply this quarantine policy to your anti-phishing, anti-spam, and anti-malware policies.
Quarantine policies | Step 1 Create quarantine policies | Microsoft Learn
Quarantine policies | Anatomy of a quarantine policy | Microsoft Learn
Microsoft Defender for Endpoint
——————————————————————————————————-
Enable tamper protection
Tamper protection is a critical feature of Defender for Endpoint that protects security settings from being changed. When enabled, tamper protection prevents other key components of Defender for Endpoint, including virus and threat protection, antivirus (AV), real-time protection, automatic remediation, and tamper protection itself, from being disabled. If these security features can be disabled by an attacker, then their value is nullified. Once an attacker has compromised a device, it is commonly part of their attack chain to disable any security services running on the device, thereby enabling more severe and destructive follow-on actions. This activity has been observed in Cypherpunk, DarkSide, and Ryuk ransomware operations among many others. Every supported device onboarded with Defender for Endpoint should have tamper protection enabled. It is also advisable to seriously investigate any incidents involving attempted tampering, as they often point to ongoing compromise.
Implementation
Enable tamper protection via the Defender Portal, Intune, or Configuration Manager.
Protect security settings with tamper protection | Microsoft Learn
Enable network protection in block mode
Network protection is a Defender for Endpoint feature that leverages and extends Microsoft Edge SmartScreen to protect Windows, Linux, and macOs devices. SmartScreen, when in block mode, prevents network connections from the Edge browser to known malicious websites. When network protection is enabled in block mode, these malicious connections will also be blocked from all other supported browsers (Chrome, Firefox, Brave, and Opera, etc.) and non-browser applications. The default blocklist leverages Microsoft’s extensive threat intelligence resources to protect users across all customer environments from unintentionally visiting malicious websites. Furthermore, custom indicators can be configured within a given tenant to block network connections to additional undesired domains, Ips, and URLs.
If network protection is not enabled, or not in block mode, users are vulnerable to visiting websites that are known to be malicious. This is a very common occurrence in Defender Experts for XDR investigations, resulting in malware infections, credential compromise, or other malicious activity. The Microsoft Threat Intelligence community has already done the work to provide the threat intel, so why not leverage it to protect your organization?
Implementation
Network protection can be enabled via PowerShell, MDM, Group Policy, or Microsoft Configuration Manager.
Turn on network protection | Microsoft Learn
Block untrusted and unsigned processes that run from USB
This is an Attack Surface Reduction (ASR) rule that is prebuilt within Microsoft Defender Antivirus to help prevent USB malware. When enabled in block mode, this rule prevents the execution of unsigned or untrusted executables (.exe, .dll, .scr, .ps, .vbs, .js, etc.) that are either present on mounted removable media (e.g., USB or SD card) or that were copied to disk from removable media. For some organizations, USB malware is quite rare. But for organizations with a large, distributed set of end users, or organizations with a large quantity of bring your own device (BYOD) users, this can become a constant challenge. China-based nation-state group Twill Typhoon is known to utilize removable devices containing malicious executables to infect victims, and the LemonDuck and LemonCat mining malware also spread using this technique, among others. Enabling this rule in block mode can be very effective at preventing these types of damaging USB malware.
Implementation
Ensure that Microsoft Defender Antivirus is turned on and Real-Time Protection and Tamper Protection are enabled. Then, enable the rule via Defender for Endpoint security settings management, MEM, Group Policy, or MDM.
Block untrusted and unsigned processes that run from USB | Microsoft Learn
Block JavaScript or VBScript from launching downloaded executable content
This ASR rule detects attempts by JavaScript or VBScript to launch executables downloaded from the internet and blocks them from executing if enabled in block mode. This prevents a pattern of activity known to be utilized by multiple common types of malware. The FakeUpdates/SocGholish malware in particular leverages a JavaScript backdoor to download and/or launch its payload. FakeUpdates remains relatively prevalent (Manatee Tempest – from FakeUpdates to ransomware), infecting devices via drive-by downloads from malvertising (malicious advertising), SEO poisoning, and more. Russian state-sponsored threat actor Midnight Blizzard has also been observed utilizing phishing emails containing HTML attachments embedded with the EnvyScout JS dropper to compromise victims.
Some organizations may utilize legitimate line-of-business applications that exhibit this same behavior, so it is recommended to test this rule in audit mode prior to fully enabling in block mode. Refer to the Demystifying attack surface reduction rules blog series for more information on the transition from auditing to blocking.
Implementation
Ensure that Microsoft Defender Antivirus is turned on and Real-Time Protection and Tamper Protection are enabled. Then, enable the rule via Defender for Endpoint security settings management, MEM, Group Policy, or MDM.
Block JavaScript or VBScript from launching downloaded executable content | Microsoft Learn
Block Office applications from creating executable content
This ASR rule detects attempts by Office applications (Word, Excel, and PowerPoint) to execute files written to disk, and execution of untrusted files saved by Office macros. In block mode, this rule prevents these executions. Office files have long been utilized to deliver and/or run malicious code, and unfortunately this remains a successful initial access vector into many organizations with insufficient protections. Emotet, Trickbot, Hancitor, and ZLoader malware are all frequently delivered via phishing emails that either directly attach or link to these types of malicious Office files. Individual threat actors including Iran-based nation-state group Mint Sandstorm, China-based nation-state group Canary Typhoon, and Vietnam-based nation-state group Canvas Cyclone, among others, have been known to utilize these methods as well.
Implementation
Ensure that Microsoft Defender Antivirus is turned on and Real-Time Protection and Tamper Protection are enabled. Then, enable the rule via Defender for Endpoint security settings management, MEM, Group Policy, or MDM.
Block Office applications from creating executable content | Microsoft Learn
Block executable content from email client and webmail
This ASR rule detects executable files and scripts attempting to run directly from Microsoft Outlook, outlook.com, or other common webmail services. When enabled in block mode, these executions will be prevented. More sophisticated threat actors and Phishing-as-a-Service (PhaaS) providers have pivoted away from this technique, but this control provides valuable protection against the low-sophistication phishing attacks that can be just as damaging. Given that phishing is one of the most prevalent initial access vectors we see today, any controls that can be applied to reduce the frequency or severity of successful phishing, without disrupting business, should be.
Implementation
Ensure that Microsoft Defender Antivirus is turned on and Real-Time Protection and Tamper Protection are enabled. Then, enable the rule via Defender for Endpoint security settings management, MEM, Group Policy, or MDM.
Block executable content from email client and webmail | Microsoft Learn
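The following PowerShell audit is an added example, not part of the original article. It reads the local Defender configuration with the built-in Get-MpPreference and Get-MpComputerStatus cmdlets and reports whether tamper protection, real-time protection, network protection, and the four ASR rules above are in block mode. The rule GUIDs are the ones Microsoft documents for these rules; the variable names and the report layout are assumptions of the example.

```powershell
# Added example: run in an elevated PowerShell session on a Windows device.
# ASR rule GUIDs (from Microsoft's ASR rule reference) mapped to the rule names used above.
$asrRules = [ordered]@{
    'b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4' = 'Block untrusted and unsigned processes that run from USB'
    'd3e037e1-3eb8-44c8-a917-57927947596d' = 'Block JavaScript or VBScript from launching downloaded executable content'
    '3b576869-a4ec-4529-8536-b80a7769e899' = 'Block Office applications from creating executable content'
    'be9ba2d9-53ea-4cdc-84e5-9b1eeee46550' = 'Block executable content from email client and webmail'
}
# Numeric action values as stored by Defender.
$modeNames = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }

$pref   = Get-MpPreference
$status = Get-MpComputerStatus

# Ids and Actions are parallel arrays; both are $null when no rule is configured.
$configured = @{}
if ($null -ne $pref.AttackSurfaceReductionRules_Ids) {
    $ids     = @($pref.AttackSurfaceReductionRules_Ids)
    $actions = @($pref.AttackSurfaceReductionRules_Actions)
    for ($i = 0; $i -lt $ids.Count; $i++) {
        $configured[$ids[$i].ToLower()] = [int]$actions[$i]
    }
}

$report = @(
    # Prerequisites named in each "Implementation" paragraph.
    [pscustomobject]@{ Control = 'Tamper protection';    Mode = "$($status.IsTamperProtected)";        Compliant = [bool]$status.IsTamperProtected }
    [pscustomobject]@{ Control = 'Real-time protection'; Mode = "$($status.RealTimeProtectionEnabled)"; Compliant = [bool]$status.RealTimeProtectionEnabled }
    # EnableNetworkProtection: 0 = disabled, 1 = block, 2 = audit.
    [pscustomobject]@{ Control = 'Network protection';   Mode = $modeNames[[int]$pref.EnableNetworkProtection]; Compliant = ([int]$pref.EnableNetworkProtection -eq 1) }
)
$report += foreach ($id in $asrRules.Keys) {
    $mode = if ($configured.ContainsKey($id)) { $configured[$id] } else { 0 }
    [pscustomobject]@{ Control = $asrRules[$id]; Mode = $modeNames[$mode]; Compliant = ($mode -eq 1) }
}

$report | Format-Table -AutoSize -Wrap
$gaps = @($report | Where-Object { -not $_.Compliant })
if ($gaps.Count) { Write-Warning "$($gaps.Count) control(s) are not in block mode on $env:COMPUTERNAME." }
```

A rule reported as Audit is expected while a rule is still being tested, as recommended above for the JavaScript/VBScript rule. The script reads only the local effective configuration and changes nothing.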
Microsoft Entra ID
——————————————————————————————————-
Ensure multifactor authentication (MFA) is enabled for all users in administrative roles in Entra ID
For a long time, MFA was heralded as the ultimate impenetrable line of defense against account compromise. While we know now that there are many ways to bypass it such as cookie/token theft, SIM swapping, social engineering, etc., MFA remains a valuable control for defense in depth. All administrative user accounts should require MFA, but there are a few critical roles in particular that should be prioritized for this control:
The global admin role has the most powerful overall permissions within a tenant and should be protected accordingly.
The power of the billing admin is less widely known, but it can in fact take over a tenant from anyone, including the global admin! With the power to move subscriptions to an associated billing tenant, the billing admin could transfer subscriptions to a tenant where they hold global admin, giving them complete control.
Implementation
Within Entra ID, create a Conditional Access policy that applies to administrative roles requiring MFA on all cloud applications.
Require MFA for administrators with Conditional Access – Microsoft Entra ID | Microsoft Learn
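As an added example (not from the original article), the Microsoft Graph PowerShell script below checks whether an enabled Conditional Access policy already requires MFA for the two roles prioritized above on all cloud apps, and creates a report-only policy for any role that is not covered. It assumes the Microsoft.Graph.Identity.SignIns module and sufficient permissions; the display name is hypothetical, and the role template IDs are the documented built-in IDs for Global Administrator and Billing Administrator.

```powershell
# Added example. Requires the Microsoft.Graph.Identity.SignIns module.
Connect-MgGraph -Scopes 'Policy.Read.All', 'Policy.ReadWrite.ConditionalAccess', 'Application.Read.All'

# Built-in Entra role template IDs for the two roles the article prioritizes.
$roles = @{
    'Global Administrator'  = '62e90394-69f5-4237-9190-012177145e10'
    'Billing Administrator' = 'b0f54661-2d74-4c50-afa3-1ec803f12efe'
}

$policies = Get-MgIdentityConditionalAccessPolicy -All

# Heuristic coverage check: only policies that name the role explicitly are counted.
# Policies scoped to all users, policies using an authentication strength instead of
# the built-in "mfa" control, and user exclusions are not evaluated here.
$uncovered = foreach ($name in $roles.Keys) {
    $covering = $policies | Where-Object {
        $_.State -eq 'enabled' -and
        $_.Conditions.Users.IncludeRoles -contains $roles[$name] -and
        $_.Conditions.Applications.IncludeApplications -contains 'All' -and
        $_.GrantControls.BuiltInControls -contains 'mfa'
    }
    if (-not $covering) { $name }
}

if ($uncovered) {
    Write-Warning "No enabled role-targeted MFA policy found for: $($uncovered -join ', ')"
    $body = @{
        displayName   = 'Require MFA for admin roles (report-only, example)'  # hypothetical name
        # Report-only: sign-ins are evaluated and logged, nothing is enforced yet.
        state         = 'enabledForReportingButNotEnforced'
        conditions    = @{
            users          = @{ includeRoles = @($uncovered | ForEach-Object { $roles[$_] }) }
            applications   = @{ includeApplications = @('All') }
            clientAppTypes = @('all')
        }
        grantControls = @{ operator = 'OR'; builtInControls = @('mfa') }
    }
    New-MgIdentityConditionalAccessPolicy -BodyParameter $body
} else {
    Write-Output 'Both roles are covered by an enabled MFA policy.'
}
```

The policy is created in report-only state so its effect can be reviewed in the sign-in logs before the state is switched to enabled.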
Require MFA for self-service password reset (SSPR)
Self-service password reset enables users to reset their own password without needing to go through a help desk. When performing a password reset, users should be required to robustly verify their identity in order to prevent potential account takeover. SSPR permits four types of authentication methods, which include email and mobile phone. A determined attacker can typically gain access to one of these methods with relative ease. Octo Tempest has been known to take over accounts via SSPR using access to user phones acquired through SIM swapping, among other methods. Requiring two authentication methods in order to complete SSPR might not stop every attacker, but it does introduce an additional defensive layer to the process that could make all the difference.
Implementation
Within Entra ID under password reset, set authentication methods to two.
Select authentication methods and registration options – Microsoft Entra ID | Microsoft Learn
Microsoft Defender for Identity
——————————————————————————————————-
Set a honeytoken account
A honeytoken account works like a security alarm; it is a dormant account with no legitimate business purpose, so any activity that occurs on the account generates an alert. This facilitates the identification of attacker activity that may otherwise have gone unnoticed. A honeytoken is a very simple and effective detective control, and can be leveraged in multiple different ways as described in Deceptive defense: best practices for identity based honeytokens in Microsoft Defender for Identity. While attack prevention is preferable to retroactive detection, these days it is not reasonable to expect that an organization will avoid being breached. It is vital to be prepared to detect attacks that get past the outer layer of defense in order to mitigate their impact.
Implementation
Create or repurpose an account with no business purpose, and ensure its privileges are removed. Tag this account as a honeytoken within the Defender portal under Settings > Identities > Honeytoken.
Entity tags in Microsoft Defender for Identity – Microsoft Defender for Identity | Microsoft Learn
Conclusion
Every organization can take actions to improve their security posture, but the sheer volume of control recommendations can sometimes overwhelm organizations into inaction. Through this blog post, the Defender Experts for XDR team has aimed to provide a discrete list of configurations and controls that we have observed to be impactful through our daily work with Microsoft customers. We hope that these recommendations will be implemented, or at least considered, for the protection of your organization as well.
If you’re interested in learning more about Defender Experts for XDR, visit the Microsoft Defender Experts for XDR web page or the Defender Experts for XDR docs page.