Tag Archives: microsoft
Behind the Scenes: Creating a more accessible future with Peter Wu
Hey Microsoft 365 Insiders,
As we approach Global Accessibility Awareness Day, we’re proud to share a behind-the-scenes look with Peter Wu, Principal Software Engineer at Microsoft. Peter’s tech journey and passion for creating accessible technology are truly inspiring.
Read the full story: Behind the Scenes: Creating a more accessible future with Peter Wu
Social posts:
X: https://twitter.com/Msft365Insider/status/1788237428718727360
LinkedIn: https://www.linkedin.com/feed/update/urn:li:activity:7194003125429571585/
Threads: https://www.threads.net/@msft365insider/post/C6tqGYcBYeL
Thanks!
Perry Sjogren
Microsoft 365 Insider Social Media Manager
Become a Microsoft 365 Insider and gain exclusive access to new features and help shape the future of Microsoft 365. Join Now: Windows | Mac | iOS | Android
Hey Microsoft 365 Insiders,
As we approach Global Accessibility Awareness Day, we’re proud to share a behind-the-scenes look with Peter Wu, Principal Software Engineer at Microsoft. Peter’s tech journey and passion for creating accessible technology are truly inspiring.
Read the full story: Behind the Scenes: Creating a more accessible future with Peter Wu
Social posts:
X: https://twitter.com/Msft365Insider/status/1788237428718727360
LinkedIn: https://www.linkedin.com/feed/update/urn:li:activity:7194003125429571585/
Threads: https://www.threads.net/@msft365insider/post/C6tqGYcBYeL
Thanks!
Perry Sjogren
Microsoft 365 Insider Social Media Manager
Become a Microsoft 365 Insider and gain exclusive access to new features and help shape the future of Microsoft 365. Join Now: Windows | Mac | iOS | Android Read More
Where is the “Save” button/link to periodically save while making a post here?
Hi!
I tried to “label” this post as “Microsoft Forums” but it wouldn’t accept a custom tag. This is a simple question about creating a post here in the forums, as opposed to being about Excel. 🙂
——————-
When creating a post here, I always get a message that says:
“Your content was last saved to auto recover at XX (time). Please save your document, using the save button, regularly to avoid data loss.”
Does anyone know where that “Save” button is? I cannot find it anywhere, lol.
Thank you!!
Hi! I tried to “label” this post as “Microsoft Forums” but it wouldn’t accept a custom tag. This is a simple question about creating a post here in the forums, as opposed to being about Excel. :)——————- When creating a post here, I always get a message that says: “Your content was last saved to auto recover at XX (time). Please save your document, using the save button, regularly to avoid data loss.” Does anyone know where that “Save” button is? I cannot find it anywhere, lol. Thank you!! Read More
New Blog | Export DLP Policies, Rules and Settings using PowerShell
This blog outlines the steps to export the DLP policies, rules and settings in bulk.
Here’s a summary of the items covered:
Exporting DLP policies, rules and settings: The document explains how to use PowerShell cmdlets to export the DLP policies, rules and settings in bulk from the Security and Compliance Center PowerShell.
Viewing the value of switches: The document shows how to view the value of switches that are parsed by the cmdlets, such as the groups or users that are scoped or excluded from a policy.
Exporting as a CSV file: The document provides examples of how to export the policy scoping or exclusion details as a CSV file by using the Select -ExpandProperty parameter.
Exporting as a JSON file: The document demonstrates how to export all the policies and their attributes or sub-attributes as a JSON file by using the ConvertTo-Json cmdlet.
Read the full post here: Export DLP Policies, Rules and Settings using PowerShell
By Priyanka Agarwal
This blog outlines the steps to export the DLP policies, rules and settings in bulk.
Here’s a summary of the items covered:
Exporting DLP policies, rules and settings: The document explains how to use PowerShell cmdlets to export the DLP policies, rules and settings in bulk from the Security and Compliance Center PowerShell.
Viewing the value of switches: The document shows how to view the value of switches that are parsed by the cmdlets, such as the groups or users that are scoped or excluded from a policy.
Exporting as a CSV file: The document provides examples of how to export the policy scoping or exclusion details as a CSV file by using the Select -ExpandProperty parameter.
Exporting as a JSON file: The document demonstrates how to export all the policies and their attributes or sub-attributes as a JSON file by using the ConvertTo-Json cmdlet.
Read the full post here: Export DLP Policies, Rules and Settings using PowerShell
New Blog | Tenant health transparency and observability
By Igor Sakhnov
In previous resilience blog posts, we’ve shared updates about the continuous improvements we’re making to resilience and reliability, including our most recent update on regionally isolated authentication endpoints and an announcement last year of our industry-leading and first of its kind backup authentication service. These and other innovations behind the scenes enable us to deliver consistently very high rates of availability globally each month.
In this post, we’ll outline what we’re doing to help customers see how available and resilient Microsoft Entra really is for them, to not only hold us accountable when issues arise, but also better understand what actions to take within their tenant to improve its health. At the global level, you see it in the form of retrospective SLA reporting, which shows authentication availability exceeding our 4 9s promise (launched in spring 2021) by a wide margin and reaching 5 9s in most months. But it becomes more compelling and actionable at the tenant level: what is the uptime experience of my users on my organization’s apps and devices? Is my tenant handling surges in sign-in demand?
We often hear from customers about the effect on resilience insights when they move to the cloud. In the on-prem world, identity health monitoring occurred onsite and with tight control; operational awareness happened entirely within a company’s first-party IT department. Now, we need to achieve that same transparency or better in an outsourced, cloud-based identity service and with a federated set of dependencies.
Read the full post here: Tenant health transparency and observability
By Igor Sakhnov
In previous resilience blog posts, we’ve shared updates about the continuous improvements we’re making to resilience and reliability, including our most recent update on regionally isolated authentication endpoints and an announcement last year of our industry-leading and first of its kind backup authentication service. These and other innovations behind the scenes enable us to deliver consistently very high rates of availability globally each month.
In this post, we’ll outline what we’re doing to help customers see how available and resilient Microsoft Entra really is for them, to not only hold us accountable when issues arise, but also better understand what actions to take within their tenant to improve its health. At the global level, you see it in the form of retrospective SLA reporting, which shows authentication availability exceeding our 4 9s promise (launched in spring 2021) by a wide margin and reaching 5 9s in most months. But it becomes more compelling and actionable at the tenant level: what is the uptime experience of my users on my organization’s apps and devices? Is my tenant handling surges in sign-in demand?
We often hear from customers about the effect on resilience insights when they move to the cloud. In the on-prem world, identity health monitoring occurred onsite and with tight control; operational awareness happened entirely within a company’s first-party IT department. Now, we need to achieve that same transparency or better in an outsourced, cloud-based identity service and with a federated set of dependencies.
Read the full post here: Tenant health transparency and observability
New Blog | Vulnerability Assessment with Defender for Servers, by Defender Vulnerability Management
By Shahar Bahat
Microsoft Defender for Cloud is a comprehensive multicloud application protection platform (CNAPP) meticulously designed to safeguard your cloud-based applications from every angle, covering the entire journey from code to cloud. A pivotal aspect of cloud security involves the continuous monitoring and management of emerging vulnerabilities across your cloud workloads. By implementing strong vulnerability management practices, organizations can enhance their security posture, minimize the attack surface, and reinforce defenses against potential security breaches.
We’re excited to share that starting May 1st, we are introducing unified vulnerability assessment, and as a part of this Defender for Cloud will now exclusively offer Microsoft Defender Vulnerability Management as its primary scanner across servers and containers, as we shared in our previous recent blogs (1, 2). This strategic transition equips security administrators with access to Microsoft’s unparalleled threat intelligence, advanced breach likelihood predictions. This integration offers security administrators a centralized vulnerability scanner, serving as a unified engine for all workloads spanning cloud, on-premises, and hybrid environments. This enables a seamless and precise risk assessment process. Equipped with these functionalities, security teams can proficiently detect, evaluate, prioritize, and address vulnerabilities, effectively overseeing an extended attack surface and strengthening the overall posture against cloud risks.
Read the full post here: Vulnerability Assessment with Defender for Servers, Powered by Defender Vulnerability Management
By Shahar Bahat
Microsoft Defender for Cloud is a comprehensive multicloud application protection platform (CNAPP) meticulously designed to safeguard your cloud-based applications from every angle, covering the entire journey from code to cloud. A pivotal aspect of cloud security involves the continuous monitoring and management of emerging vulnerabilities across your cloud workloads. By implementing strong vulnerability management practices, organizations can enhance their security posture, minimize the attack surface, and reinforce defenses against potential security breaches.
We’re excited to share that starting May 1st, we are introducing unified vulnerability assessment, and as a part of this Defender for Cloud will now exclusively offer Microsoft Defender Vulnerability Management as its primary scanner across servers and containers, as we shared in our previous recent blogs (1, 2). This strategic transition equips security administrators with access to Microsoft’s unparalleled threat intelligence, advanced breach likelihood predictions. This integration offers security administrators a centralized vulnerability scanner, serving as a unified engine for all workloads spanning cloud, on-premises, and hybrid environments. This enables a seamless and precise risk assessment process. Equipped with these functionalities, security teams can proficiently detect, evaluate, prioritize, and address vulnerabilities, effectively overseeing an extended attack surface and strengthening the overall posture against cloud risks.
Read the full post here: Vulnerability Assessment with Defender for Servers, Powered by Defender Vulnerability Management
Announcing Windows Server Preview Build 26212
Announcing Windows Server Preview Build 26212
Hello Windows Server Insiders!
Today we are pleased to release a new build of the next Windows Server Long-Term Servicing Channel (LTSC) Preview that contains both the Desktop Experience and Server Core installation options for Datacenter and Standard editions, Annual Channel for Container Host and Azure Edition (for VM evaluation only). Branding has been updated for the upcoming release, Windows Server 2025 in this preview – when reporting issues please refer to Windows Server 2025 preview. If you signed up for Server Flighting, you should receive this new build automatically.
What’s New
[NEW] Delegated Managed Service Accounts (dMSA)
A new account type known as delegated Managed Service Account (dMSA) is now available that allows migration from a traditional service account to a machine account with managed and fully randomized keys, while disabling original service account passwords.
Authentication for dMSA is linked to the device identity, which means that only specified machine identities mapped in AD can access the account. Using dMSA helps to prevent harvesting credentials using a compromised account (kerberoasting), which is a common issue with traditional service accounts.
To learn more about dMSA, visit https://learn.microsoft.com/en-us/windows-server/security/delegated-managed-service-accounts/delegated-managed-service-accounts-overview.
[NEW] More Server Message Block (SMB) protocol changes.
Starting with Build 26097 and higher, we are introducing the following Server Message Block (SMB) protocol changes for QUIC, signing, and encryption:
SMB over QUIC client and server disable: Administrators can now disable the SMB over QUIC client and SMB over QUIC server options with Group Policy and PowerShell.
SMB over QUIC client and server connection auditing: Successful SMB over QUIC client and SMB over QUIC server connection events are now written to the event log to include the QUIC transport.
SMB signing and encryption auditing: Administrators can now enable auditing of the SMB server and client for support of SMB signing and encryption. This shows if a third-party client or server doesn’t support SMB encryption or signing. You can configure these settings with PowerShell and Group Policy.
For details on configuring these new settings, review https://aka.ms/SMB74MDNP.
For more information on SMB over QUIC in Windows and Windows Server Insider Preview builds, review https://aka.ms/SMBoverQUICServer and https://aka.ms/SmbOverQuicCAC.
For more information on SMB signing and encryption in Windows and Windows Server Insider Preview builds, review https://aka.ms/SmbSigningRequired and https://aka.ms/SmbClientEncrypt.
Windows Server Flighting is here!!
If you signed up for Server Flighting, you should receive this new build automatically later today.
For more information, see Welcome to Windows Insider flighting on Windows Server – Microsoft Community Hub
The new Feedback Hub app is now available for Server Desktop users!
The app should automatically update with the latest version, but if it does not, simply Check for updates in the app’s settings tab.
Known Issues
Upgrade does not complete: Some users may experience an issue when upgrading where the download process does not progress beyond 0%. If you encounter this issue, please upgrade to this newer build using the ISO media download option. Download Windows Server Insider Preview (microsoft.com)
VMs created using ISO media may not boot: Some users may encounter boot issues when creating Gen 2 VMs using this build (26063) and attempting to set the DVD ISO as boot preference. The new VM is unable to boot through the ISO and skips to subsequent boot options. This will be addressed in a future release.
Access denied error when using Diskpart –> Clean Image on Winpe.vhdx VMs created using WinPE: Create bootable media | Microsoft Learn. We are working to resolve this issue and expect to have it fixed in the next preview release.
Download Windows Server Insider Preview (microsoft.com)
Flighting: The label for this flight may incorrectly reference Windows 11. However, when selected, the package installed is the Windows Server update. Please ignore the label and proceed with installing your flight. This issue will be addressed in a future release.
Setup: Some users may experience overlapping rectangle voids following mouse clicks during “OOBE” setup. This is a graphics rendering issue and will not prevent setup from completing. This issue will be addressed in a future release.
WinPE – Powershell Scripts: Applying the WinPE-Powershell optional component does not properly install Powershell in WinPE. As a result, Powershell cmdlets will fail. Customers who are dependent on Powershell in WinPE should not use this build.
If you are validating upgrades from Windows Server 2019 or 2022, we do not recommend that you use this build as intermittent upgrade failures have been identified for this build.
This build has an issue where archiving eventlogs with “wevetutil al” command causes the Windows Event Log service to crash, and the archive operation to fail. The service must be restarted by executing “Start-Service EventLog” from an administrative command line prompt.
If you have Secure Launch/DRTM code path enabled, we do not recommend that you install this build.
Available Downloads
Downloads to certain countries may not be available. See Microsoft suspends new sales in Russia – Microsoft On the Issues
Windows Server Long-Term Servicing Channel Preview in ISO format in 18 languages, and in VHDX format in English only.
Windows Server Datacenter Azure Edition Preview in ISO and VHDX format, English only.
Microsoft Server Languages and Optional Features Preview
Keys: Keys are valid for preview builds only
Server Standard: MFY9F-XBN2F-TYFMP-CCV49-RMYVH
Datacenter: 2KNJJ-33Y9H-2GXGX-KMQWH-G6H67
Azure Edition does not accept a key
Symbols: available on the public symbol server – see Using the Microsoft Symbol Server.
Expiration: This Windows Server Preview will expire September 15, 2024.
How to Download
Registered Insiders may navigate directly to the Windows Server Insider Preview download page. If you have not yet registered as an Insider, see GETTING STARTED WITH SERVER on the Windows Insiders for Business portal.
We value your feedback!
The most important part of the release cycle is to hear what’s working and what needs to be improved, so your feedback is extremely valued. Beginning with Insider build 26063, please use the new Feedback Hub app for Windows Server if you are running a Desktop version of Server. If you are using a Core edition, or if you are unable to use the Feedback Hub app, you can use your registered Windows 10 or Windows 11 Insider device and use the Feedback Hub application. In the app, choose the Windows Server category and then the appropriate subcategory for your feedback. In the title of the Feedback, please indicate the build number you are providing feedback on as shown below to ensure that your issue is attributed to the right version:
[Server #####] Title of my feedback
See Give Feedback on Windows Server via Feedback Hub for specifics. The Windows Server Insiders space on the Microsoft Tech Communities supports preview builds of the next version of Windows Server. Use the forum to collaborate, share and learn from experts. For versions that have been released to general availability in market, try the Windows Server for IT Pro forum or contact Support for Business.
Diagnostic and Usage Information
Microsoft collects this information over the internet to help keep Windows secure and up to date, troubleshoot problems, and make product improvements. Microsoft server operating systems can be configured to turn diagnostic data off, send Required diagnostic data, or send Optional diagnostic data. During previews, Microsoft asks that you change the default setting to Optional to provide the best automatic feedback and help us improve the final product.
Administrators can change the level of information collection through Settings. For details, see http://aka.ms/winserverdata. Also see the Microsoft Privacy Statement.
Terms of Use
This is pre-release software – it is provided for use “as-is” and is not supported in production environments. Users are responsible for installing any updates that may be made available from Windows Update. All pre-release software made available to you via the Windows Server Insider program is governed by the Insider Terms of Use.
Announcing Windows Server Preview Build 26212
Hello Windows Server Insiders!
Today we are pleased to release a new build of the next Windows Server Long-Term Servicing Channel (LTSC) Preview that contains both the Desktop Experience and Server Core installation options for Datacenter and Standard editions, Annual Channel for Container Host and Azure Edition (for VM evaluation only). Branding has been updated for the upcoming release, Windows Server 2025 in this preview – when reporting issues please refer to Windows Server 2025 preview. If you signed up for Server Flighting, you should receive this new build automatically.
What’s New
[NEW] Delegated Managed Service Accounts (dMSA)
A new account type known as delegated Managed Service Account (dMSA) is now available that allows migration from a traditional service account to a machine account with managed and fully randomized keys, while disabling original service account passwords.
Authentication for dMSA is linked to the device identity, which means that only specified machine identities mapped in AD can access the account. Using dMSA helps to prevent harvesting credentials using a compromised account (kerberoasting), which is a common issue with traditional service accounts.
To learn more about dMSA, visit https://learn.microsoft.com/en-us/windows-server/security/delegated-managed-service-accounts/delegated-managed-service-accounts-overview.
[NEW] More Server Message Block (SMB) protocol changes.
Starting with Build 26097 and higher, we are introducing the following Server Message Block (SMB) protocol changes for QUIC, signing, and encryption:
SMB over QUIC client and server disable: Administrators can now disable the SMB over QUIC client and SMB over QUIC server options with Group Policy and PowerShell.
SMB over QUIC client and server connection auditing: Successful SMB over QUIC client and SMB over QUIC server connection events are now written to the event log to include the QUIC transport.
SMB signing and encryption auditing: Administrators can now enable auditing of the SMB server and client for support of SMB signing and encryption. This shows if a third-party client or server doesn’t support SMB encryption or signing. You can configure these settings with PowerShell and Group Policy.
For details on configuring these new settings, review https://aka.ms/SMB74MDNP.
For more information on SMB over QUIC in Windows and Windows Server Insider Preview builds, review https://aka.ms/SMBoverQUICServer and https://aka.ms/SmbOverQuicCAC.
For more information on SMB signing and encryption in Windows and Windows Server Insider Preview builds, review https://aka.ms/SmbSigningRequired and https://aka.ms/SmbClientEncrypt.
Windows Server Flighting is here!!
If you signed up for Server Flighting, you should receive this new build automatically later today.
For more information, see Welcome to Windows Insider flighting on Windows Server – Microsoft Community Hub
The new Feedback Hub app is now available for Server Desktop users!
The app should automatically update with the latest version, but if it does not, simply Check for updates in the app’s settings tab.
Known Issues
Upgrade does not complete: Some users may experience an issue when upgrading where the download process does not progress beyond 0%. If you encounter this issue, please upgrade to this newer build using the ISO media download option. Download Windows Server Insider Preview (microsoft.com)
VMs created using ISO media may not boot: Some users may encounter boot issues when creating Gen 2 VMs using this build (26063) and attempting to set the DVD ISO as boot preference. The new VM is unable to boot through the ISO and skips to subsequent boot options. This will be addressed in a future release.
Access denied error when using Diskpart –> Clean Image on Winpe.vhdx VMs created using WinPE: Create bootable media | Microsoft Learn. We are working to resolve this issue and expect to have it fixed in the next preview release.
Download Windows Server Insider Preview (microsoft.com)
Flighting: The label for this flight may incorrectly reference Windows 11. However, when selected, the package installed is the Windows Server update. Please ignore the label and proceed with installing your flight. This issue will be addressed in a future release.
Setup: Some users may experience overlapping rectangle voids following mouse clicks during “OOBE” setup. This is a graphics rendering issue and will not prevent setup from completing. This issue will be addressed in a future release.
WinPE – Powershell Scripts: Applying the WinPE-Powershell optional component does not properly install Powershell in WinPE. As a result, Powershell cmdlets will fail. Customers who are dependent on Powershell in WinPE should not use this build.
If you are validating upgrades from Windows Server 2019 or 2022, we do not recommend that you use this build as intermittent upgrade failures have been identified for this build.
This build has an issue where archiving eventlogs with “wevetutil al” command causes the Windows Event Log service to crash, and the archive operation to fail. The service must be restarted by executing “Start-Service EventLog” from an administrative command line prompt.
If you have Secure Launch/DRTM code path enabled, we do not recommend that you install this build.
Available Downloads
Downloads to certain countries may not be available. See Microsoft suspends new sales in Russia – Microsoft On the Issues
Windows Server Long-Term Servicing Channel Preview in ISO format in 18 languages, and in VHDX format in English only.
Windows Server Datacenter Azure Edition Preview in ISO and VHDX format, English only.
Microsoft Server Languages and Optional Features Preview
Keys: Keys are valid for preview builds only
Server Standard: MFY9F-XBN2F-TYFMP-CCV49-RMYVH
Datacenter: 2KNJJ-33Y9H-2GXGX-KMQWH-G6H67
Azure Edition does not accept a key
Symbols: available on the public symbol server – see Using the Microsoft Symbol Server.
Expiration: This Windows Server Preview will expire September 15, 2024.
How to Download
Registered Insiders may navigate directly to the Windows Server Insider Preview download page. If you have not yet registered as an Insider, see GETTING STARTED WITH SERVER on the Windows Insiders for Business portal.
We value your feedback!
The most important part of the release cycle is to hear what’s working and what needs to be improved, so your feedback is extremely valued. Beginning with Insider build 26063, please use the new Feedback Hub app for Windows Server if you are running a Desktop version of Server. If you are using a Core edition, or if you are unable to use the Feedback Hub app, you can use your registered Windows 10 or Windows 11 Insider device and use the Feedback Hub application. In the app, choose the Windows Server category and then the appropriate subcategory for your feedback. In the title of the Feedback, please indicate the build number you are providing feedback on as shown below to ensure that your issue is attributed to the right version:
[Server #####] Title of my feedback
See Give Feedback on Windows Server via Feedback Hub for specifics. The Windows Server Insiders space on the Microsoft Tech Communities supports preview builds of the next version of Windows Server. Use the forum to collaborate, share and learn from experts. For versions that have been released to general availability in market, try the Windows Server for IT Pro forum or contact Support for Business.
Diagnostic and Usage Information
Microsoft collects this information over the internet to help keep Windows secure and up to date, troubleshoot problems, and make product improvements. Microsoft server operating systems can be configured to turn diagnostic data off, send Required diagnostic data, or send Optional diagnostic data. During previews, Microsoft asks that you change the default setting to Optional to provide the best automatic feedback and help us improve the final product.
Administrators can change the level of information collection through Settings. For details, see http://aka.ms/winserverdata. Also see the Microsoft Privacy Statement.
Terms of Use
This is pre-release software – it is provided for use “as-is” and is not supported in production environments. Users are responsible for installing any updates that may be made available from Windows Update. All pre-release software made available to you via the Windows Server Insider program is governed by the Insider Terms of Use. Read More
Goodbye Planner
Just checked out the new Planner, it changed my board categories to something I don’t want, I hate it. No useful features like “@”mentions for the comments, Trello has had that feature for a decade. Why don’t we have the flexibility to use it as we see fit? Leaving this stuff up to developers will never be a good fit.
Just checked out the new Planner, it changed my board categories to something I don’t want, I hate it. No useful features like “@”mentions for the comments, Trello has had that feature for a decade. Why don’t we have the flexibility to use it as we see fit? Leaving this stuff up to developers will never be a good fit. Read More
Revolutionizing hyperscale application delivery and security: The New Azure Front Door edge platform
Prologue – The creation of a new proxy with Linux, Rust, and OSS
In this introductory blog to the new Azure Front Door next generation platform, we will go over the motivations, design choices and learnings from this undertaking which helped us successfully achieve massive gains in scalability, security and resiliency.
Introduction
Azure Front Door is a global, scalable, and secure entry point for caching and acceleration of your web content. It offers a range of features such as load balancing, caching, web application firewall, and a rich rules engine for request transformation. Azure Front Door operates at the edge of Microsoft’s global network and handles trillions of requests per day from millions of clients around the world.
Azure Front Door, originally built upon a Windows-based proxy, has been a critical component in serving and protecting traffic for Microsoft’s core internet services. As the commercial offering of Azure Front Door expanded, and with the ever-evolving landscape of security and application delivery, we recognized the need for a new platform. This new platform would address the growing demands of scale, performance, cost-effectiveness, and innovation, ensuring we are able to meet the challenging scale and security demands from our largest enterprise customers. For our next-generation Azure Front Door platform, we opted to build it on Linux and embrace the open-source software community. The new edge platform was designed to incorporate learnings from the previous proxy implementation, while allowing us to accelerate innovation and deliver enhanced value to our customers. We will delve into the key design and development decisions that shaped the next generation proxy, and a modern edge platform that meets innovation, resiliency, scale and performance requirements of Azure and Microsoft customers.
Why Linux and Open Source?
A key choice that we made during the development of the new proxy platform was to use Linux as the operating system for the proxy. Linux offers a mature and stable platform for running high-performance network applications and it has a rich ecosystem of tools and libraries for network programming which allows us to leverage the expertise and experience of the open-source community.
Another reason for choosing Linux was that it offers a vibrant ecosystem with containers and Kubernetes for deploying and managing the proxy instances. The use of containers and Kubernetes offer many benefits for cloud-native applications, such as faster and easier deployment, scaling, and updates, as well as better resource utilization and isolation. By using containers and Kubernetes, we were also able to take advantage of the existing infrastructure and tooling that Microsoft has built for running Linux-based services on Azure.
The next decision that we made was to use open-source software as the basis of the platform. We selected high-quality and widely used open-source software for tasks like TLS termination, caching, and basic HTTP proxying capabilities. By using existing and reliable open-source software as the foundation of the new edge platform, we can concentrate on developing the features and capabilities that are unique to Azure Front Door. We also gain from continuous development and enhancement by the open-source community.
How did we build the next generation proxy?
While open-source software provides a solid foundation for the new proxy, it does not cover all the features and capabilities that we need for Azure Front Door. Azure Front Door is a multi-tenant service that supports many custom proxy features that are not supported by any open-source proxy. Building the proxy from scratch was faced with multiple design challenges but in this blog we will focus on the top two that helped build the foundation of the new proxy. We will discuss other aspects such as resilient architecture and protection features in later parts of this blog series.
Challenge 1: Multi-Tenancy
The first major challenge in developing Azure Front Door as a multi-tenant service was ensuring that the proxy could efficiently manage the configurations of hundreds of thousands of tenants, far surpassing the few hundred tenants typically supported by most open-source proxies. Each tenant’s configuration dictates how the proxy handles their HTTP traffic, making the configuration lookup an extremely critical aspect of the system. This requires all tenant configurations to be loaded into memory for high performance.
Processing configuration for hundreds of thousands of tenants means that the system needs to handle hundreds of config updates every second which requires dynamic updates to the data path without disrupting any packets. To address this, Azure Front Door adopted a binary configuration format which supports zero-copy deserialization and ensures fast lookup times. This choice is crucial not only for efficiently managing current tenant configurations but also for scaling up to accommodate future growth, potentially increasing the customer base tenfold. Additionally, to handle dynamic updates to the customer configuration delivered by the Azure Front Door’s configuration pipeline, a custom module was developed to asynchronously monitor and update the config in-memory.
Challenge 2: Customer business logic
One of the most widely adopted features of Azure Front Door is our Rules Engine, which allows our customers to set up custom rules tailored for their traffic. To build the proxy from scratch means that we must enable this extremely powerful use case in the open-source proxy, which brings us to our second challenge. Rather than creating fixed modules for each rule, we chose to innovate.
We developed a new domain-specific language (DSL) named AXE (Arbitrary eXecution Engine), specifically designed to add and evolve data plane capabilities swiftly. AXE is declarative and expressive, enabling the definition and execution of data plane processing logic in a structured yet flexible manner. It represents the rules as a directed acyclic graph (DAG), where each node signifies an operation or condition, and each edge denotes data or control flow. This allows AXE to support a vast array of operations and conditions, including:
Manipulating headers, cookies, and query parameters
Regex processing
URL rewriting
Filtering and transforming requests and responses
Invoking external services
These capabilities are integrated at various phases of the request processing cycle, such as parsing, routing, filtering, and logging.
AXE is implemented as a custom module in the new proxy, where it interprets and executes AXE scripts for each incoming request. The module is built on a fast, lightweight interpreter that operates in a secure, sandboxed environment, granting access to necessary proxy variables and functions. It also supports asynchronous and non-blocking operations, vital for non-disruptive external service interactions and timely processing.
This innovative approach to building and integrating the Rules Engine using AXE ensures that Azure Front Door remains a cutting-edge solution, capable of meeting and exceeding the dynamic requirements of our customers. Though AXE was developed for supporting Rules Engine feature of Azure Front Door, it was so flexible that we use it to power our WAF module now.
Why Rust?
Another important decision that we made while building the next generation proxy was to write new code in Rust, a modern and safe systems programming language. All the components we mentioned in the section above are either written in Rust or being actively rewritten in Rust. Rust is a language that offers high performance, reliability, and productivity, and it is gaining popularity and adoption in the network programming community. Rust has several features and benefits that make it a great choice for the next generation proxy, such as:
Rust has a powerful and expressive type system that helps us write correct and robust code. Rust enforces strict rules and performs all checks at compile time to prevent common errors and bugs, such as memory leaks, buffer overflows, null pointer exceptions, and data races. Rust also supports advanced features found in modern high-level languages such as generics, traits, and macros, that allow us to write generic and reusable code.
Rust has a concise and consistent syntax that avoids unnecessary boilerplate and encourages common conventions and best practices. Rust also has a rich and standard library that provides a wide range of useful and high-quality functionality with an emphasis on safety and performance, such as collections, iterators, string manipulation, error handling, networking, threading, and asynchronous execution abstractions.
Rust has a strong and vibrant community that supports and contributes to the language and its ecosystem. It has a large and growing number of users and developers who share their feedback, experience, and knowledge through various channels, such as forums, blogs, podcasts, and conferences. Rust also has a thriving and diverse ecosystem of tools and libraries that enhance and extend the language and its capabilities, such as IDEs, debuggers, test frameworks, web frameworks, network libraries, and AI/ML libraries.
We used Rust to write most of the new code for the proxy. By using Rust, we were able to write highly performant and reliable code for the proxy, while also improving our development velocity by leveraging existing Rust libraries. Rust helped us avoid many errors and bugs that could have compromised the security and stability of the proxy, and it also made our code more readable and maintainable.
Conclusion
The Azure Front Door team embarked on this journey to overhaul the entire platform a few years ago by rewriting the proxy and changing the infrastructure hosting the proxy. This effort enabled us to increase our density and throughput by more than double along with significant enhancements to our resiliency and scalability. We have successfully completed the transition of Azure Front Door customers from the old platform to the new one without any disruption. This challenging task was like changing the wings of a plane while it is airborne.
In this blog post, we shared some of the design and development challenges and decisions that we made while building the next generation edge platform for Azure Front Door that is based on Linux and uses Rust and OSS to extend and customize its functionality. We will share more details about AXE and other data plane and infrastructure innovations in later posts.
If you want to work with us and help us make the internet better and safer, we have some great opportunities for you. Azure Front Door team is looking to hire more engineers in different locations, such as USA, Australia, and Ireland. You can see more details and apply online at the Microsoft careers website. We hope to hear from you and welcome you to our team.
Microsoft Tech Community – Latest Blogs –Read More
The 2024 Work Trend Index is now available
Every year Microsoft releases the Work Trend Index report – a report that collects data from over 30,000 people across over 30 countries via global plus industry-spanning surveys, observational studies and labor trends from the LinkedIn Economic Graph. It provides an unparalleled view into some of the most important trends underway now, and gives us a glimpse into the future of work. The latest report dropped today. Check it out now!
Microsoft Tech Community – Latest Blogs –Read More
Does anyone know if Microsoft Dynamics Sequences are in the On Premises Version of Dynamics 365 CE ?
We have an enterprise customer that uses Dynamics 365 CE On Premises (2104 9.1.18.22) and wishes to use Sequences (not all the customer Insights, but just sequences) and is asking if there is something they need to install to get it for the On Premises version
We have an enterprise customer that uses Dynamics 365 CE On Premises (2104 9.1.18.22) and wishes to use Sequences (not all the customer Insights, but just sequences) and is asking if there is something they need to install to get it for the On Premises version Read More
No licenses or products showing on my newly created standard business account
Yesterday, more than a day and a half from now, I created a Microsoft 365 business standard account, started the one month free trial. “bought” it for 3 accounts. Linked it to my domain. Then i started noticing some issues:
– I couldn’t log in to outlook, it said error 500, too many redirections.
– I tried to create two accounts for my two workers, but no licenses were showing. I created their accounts without licenses, then I checked the licenses list and product list and they are both empty. Maybe I’m doing something wrong, but I expected to see there the apps that are “included” with the subscription. I think that’s also why I can’t log in to outlook.
– I can’t go into “my sign ins or security information” , they both go to a blank page.
– And I thought the process of linking my domain to Microsoft 365 was done, because it said “the configuration is completed”, but whenever I check on “domains”, the domain shows in state “configuration incomplete”, then after clicking on that domain and into “continue configuration “, it goes again to “configuration is complete” (but in domains, still it shows “configuration incomplete”.
I called support yesterday, but got no response on any of the 3 tries. Today I got a response, they told me they raised a ticket with my issues, but even though they say it could take from 30 minutes to a full day, it’s been almost 18 hours and still I got no response. I’m inclined to not trust the help service because the responder kept telling me a notification would be sent to my email even after I explained to him multiple times that one of the things that wasn’t working was outlook.
Yesterday, more than a day and a half from now, I created a Microsoft 365 business standard account, started the one month free trial. “bought” it for 3 accounts. Linked it to my domain. Then i started noticing some issues: – I couldn’t log in to outlook, it said error 500, too many redirections. – I tried to create two accounts for my two workers, but no licenses were showing. I created their accounts without licenses, then I checked the licenses list and product list and they are both empty. Maybe I’m doing something wrong, but I expected to see there the apps that are “included” with the subscription. I think that’s also why I can’t log in to outlook. – I can’t go into “my sign ins or security information” , they both go to a blank page. – And I thought the process of linking my domain to Microsoft 365 was done, because it said “the configuration is completed”, but whenever I check on “domains”, the domain shows in state “configuration incomplete”, then after clicking on that domain and into “continue configuration “, it goes again to “configuration is complete” (but in domains, still it shows “configuration incomplete”. I called support yesterday, but got no response on any of the 3 tries. Today I got a response, they told me they raised a ticket with my issues, but even though they say it could take from 30 minutes to a full day, it’s been almost 18 hours and still I got no response. I’m inclined to not trust the help service because the responder kept telling me a notification would be sent to my email even after I explained to him multiple times that one of the things that wasn’t working was outlook. Read More
May Modern Work & Security Partner Community Call
Thank you for joining us for the May Modern Work & Security Partner Community Call.
Our next call will be on Friday 07th June. You can add these sessions to your diary via the link: https://aka.ms/MWAddToCalendar
For those of you who were unable to attend, you can find the slides attached to this post and the recording will be available on demand within the next week HERE Read More
We couldn’t retrieve the updated values from a linked Excel workbook
Hello, good morning,
I hope you’re doing well.
I have the following issue. I’m trying to link 2 Excel workbooks within a Microsoft Teams group, but when someone else accesses the workbook, the following message appears: no pudimos obtener los valores actualizados de un libro vinculado excel, which translates to We couldn’t retrieve the updated values from a linked Excel workbook. Instead of the data, #¡REF! is displayed. I don’t know what to do about it; I would greatly appreciate any help with this issue.
Thank you very much!
Hello, good morning, I hope you’re doing well. I have the following issue. I’m trying to link 2 Excel workbooks within a Microsoft Teams group, but when someone else accesses the workbook, the following message appears: no pudimos obtener los valores actualizados de un libro vinculado excel, which translates to We couldn’t retrieve the updated values from a linked Excel workbook. Instead of the data, #¡REF! is displayed. I don’t know what to do about it; I would greatly appreciate any help with this issue. Thank you very much! Read More
NEW ILT Copilot Executive Challenge Coming to you this Friday! 5/10
Release Date: May 10th, 2024
(This course will be included in the newest title plan coming out this Friday)
MS-4008: Copilot for Microsoft
365 Interactive Experience for Executives
_____________________________________________________________________________________________
MS-4008 ‘Copilot for Microsoft 365 Interactive Experience for Executives,’ will launch on May 10th. MS-4008 is a 60-minute interactive course that is tailored for executive-level professionals and business leaders aiming to augment their strategic and operational capabilities using AI. It’s ideal for those leaders looking to maximize the benefits of Microsoft Copilot within Microsoft 365 to enhance productivity, decision-making, and organizational impact.
Course Overview:
Learn how Microsoft Copilot for Microsoft 365 can transform workplace productivity and spur innovation. This course provides practical insights into creating contextual prompts for Copilot and features engaging exercises that showcase its application in everyday workflows.
What’s Included:
Introduction to Copilot for Microsoft 365: Understand the capabilities, functionality, and security features of Copilot. Gain a foundational knowledge of its impact on business operations.
Hands-on Demonstrations: Experience the versatility of Copilot through demonstrations that emphasize its integration into business workflows.
Interactive Experience: Engage in hands-on sessions that demonstrate Copilot’s practical uses in real-time scenarios.
This course offers a thorough exploration of Microsoft Copilot, illustrating its potential to streamline operations and boost productivity across your workforce.
Release Date: May 10th, 2024
(This course will be included in the newest title plan coming out this Friday)
MS-4008: Copilot for Microsoft
365 Interactive Experience for Executives
_____________________________________________________________________________________________
MS-4008 ‘Copilot for Microsoft 365 Interactive Experience for Executives,’ will launch on May 10th. MS-4008 is a 60-minute interactive course that is tailored for executive-level professionals and business leaders aiming to augment their strategic and operational capabilities using AI. It’s ideal for those leaders looking to maximize the benefits of Microsoft Copilot within Microsoft 365 to enhance productivity, decision-making, and organizational impact.
Course Overview:
Learn how Microsoft Copilot for Microsoft 365 can transform workplace productivity and spur innovation. This course provides practical insights into creating contextual prompts for Copilot and features engaging exercises that showcase its application in everyday workflows.
What’s Included:
Introduction to Copilot for Microsoft 365: Understand the capabilities, functionality, and security features of Copilot. Gain a foundational knowledge of its impact on business operations.
Hands-on Demonstrations: Experience the versatility of Copilot through demonstrations that emphasize its integration into business workflows.
Interactive Experience: Engage in hands-on sessions that demonstrate Copilot’s practical uses in real-time scenarios.
This course offers a thorough exploration of Microsoft Copilot, illustrating its potential to streamline operations and boost productivity across your workforce. Read More
ISSUES WITH GUESST ACCOUNT IN TEAMS
Hello
Please i need your help on this issue.
When they try to log in, they are prompted to use a password instead of the authentication number they were previously using.
Here is the issue this user is showing in the system and can not be added to teams as a guest contact.
It is already strange that they show up twice with different emails.
I have deleted the two guest accounts from Microsoft Entra portal.
The user is not showing in there as well.
Last I search Active Directory and nothing was there either.
However when trying to add them to teams as a guest it will not allow saying the user is already added. It also asks for the password for the user to log in.
Normally when adding someone to teams as a guest contact they just use the ID Verification number that Microsoft emails to them but that is not the case for this user
Hello Please i need your help on this issue. When they try to log in, they are prompted to use a password instead of the authentication number they were previously using. Here is the issue this user is showing in the system and can not be added to teams as a guest contact.It is already strange that they show up twice with different emails. I have deleted the two guest accounts from Microsoft Entra portal. The user is not showing in there as well.Last I search Active Directory and nothing was there either. However when trying to add them to teams as a guest it will not allow saying the user is already added. It also asks for the password for the user to log in. Normally when adding someone to teams as a guest contact they just use the ID Verification number that Microsoft emails to them but that is not the case for this user Read More
Port forwarding in Azure front door standard tier
There is one on prem web application which working on domainname.com:7071 now we are migrating this app to azure and using web app + front door. Client want to include port in URL, don’t want to migrate without port in URL. How can I achieve this in the front door? As per my reacherch front door is working on 443/80 port only.
There is one on prem web application which working on domainname.com:7071 now we are migrating this app to azure and using web app + front door. Client want to include port in URL, don’t want to migrate without port in URL. How can I achieve this in the front door? As per my reacherch front door is working on 443/80 port only. Read More
how to….copy column layout from one folder to all other email folders.
I’ve done this before but am unable to find the correct navigation to do it again.
I have selected specific columns, in a specific order, for my email display in my primary inbox.
I want to propagate that column selection/order to all other folders.
Every step-by-step I’ve found online hits a step that doesn’t work.
I’m running Outlook as part of MS 365.
I’ve been using Outlook for over 30 years, but it keeps changing in many ways that make online answers not work. And MS help didn’t understand my question, despite multiple re-phrasing.
I’ve done this before but am unable to find the correct navigation to do it again.I have selected specific columns, in a specific order, for my email display in my primary inbox.I want to propagate that column selection/order to all other folders. Every step-by-step I’ve found online hits a step that doesn’t work.I’m running Outlook as part of MS 365. I’ve been using Outlook for over 30 years, but it keeps changing in many ways that make online answers not work. And MS help didn’t understand my question, despite multiple re-phrasing. Read More
New Blog | Empower multiple teams and prioritize investigations with Insider Risk Management
Your data is a prime target in most security incidents. But when an incident occurs, do you have the information you need to prioritize incidents and contain them based on the importance of the data itself?
With insider incidents becoming a bigger concern each year and 74% of organizations saying these occurrences have become more frequent[1], detecting insider risks is now a vital part of safeguarding digital landscapes. Microsoft Purview Insider Risk Management is used by organizations across the world to correlate various signals to identify potential insider risks while ensuring user privacy by design, but it can also be used to detect data security risks coming from external attackers. The past year saw a dramatic surge in identity attacks, with an average of 4,000 password attacks per second. Some of these attacks are successful in compromising user credentials, enabling the attacker to persist in the organization’s systems as an insider, having access to sensitive data.
That is why besides data security and data compliance teams, SOC (security operations center) teams also play a pivotal role in safeguarding organizations’ data against a myriad of threats, coming from both Insiders and external attackers. However, security admins are challenged in a fragmented tooling landscape, requiring these professionals to often analyze repeated alerts and to manually correlate insights across solutions, restricting visibility on risky data and users involved in an incident. With customers that employ more security tools experiencing 2.8x more data security incidents[2], it is crucial that security teams have access to integrated solutions across their data landscape to help them triage and prioritize incidents with broader context for their investigations.
Microsoft Purview Insider Risk Management correlates various signals, such as unusual access patterns and data exfiltration, to identify potential malicious or inadvertent insider risks, including IP theft, data leakage, and security violations. Insider Risk Management enables customers to create data handling policies based on their own internal policies, governance, and organizational requirements. Built with privacy by design, users are pseudonymized by default, and role-based access controls and audit logs are in place to help ensure user-level privacy.
Empowering SOC teams to better investigate insider risks
Today, we are excited to announce the public preview of Insider Risk Management context on the Microsoft Defender XDR user entity page. With this update, SOC analysts with the required customer-determined permissions can access an insider risk summary of user exfiltration activities that may lead to potential data security incidents, as a part of the user entity investigation experience in Microsoft Defender. This feature can help SOC analysts gain data security context for a specific user, prioritize incidents, and make more informed decisions on responses to potential incidents.
When looking into an occurrence in Microsoft Defender’s Incidents view, the security analyst now can dig further into an incident’s source. In the following example, a multi-stage attack stole an employee’s credentials, followed by exfiltration activities that triggered multiple data loss prevention (DLP) alerts, such as sharing payment cards information externally.
Read the full post here: Empower multiple teams and prioritize investigations with Insider Risk Management
By Nathalia Borges
Your data is a prime target in most security incidents. But when an incident occurs, do you have the information you need to prioritize incidents and contain them based on the importance of the data itself?
With insider incidents becoming a bigger concern each year and 74% of organizations saying these occurrences have become more frequent[1], detecting insider risks is now a vital part of safeguarding digital landscapes. Microsoft Purview Insider Risk Management is used by organizations across the world to correlate various signals to identify potential insider risks while ensuring user privacy by design, but it can also be used to detect data security risks coming from external attackers. The past year saw a dramatic surge in identity attacks, with an average of 4,000 password attacks per second. Some of these attacks are successful in compromising user credentials, enabling the attacker to persist in the organization’s systems as an insider, having access to sensitive data.
That is why besides data security and data compliance teams, SOC (security operations center) teams also play a pivotal role in safeguarding organizations’ data against a myriad of threats, coming from both Insiders and external attackers. However, security admins are challenged in a fragmented tooling landscape, requiring these professionals to often analyze repeated alerts and to manually correlate insights across solutions, restricting visibility on risky data and users involved in an incident. With customers that employ more security tools experiencing 2.8x more data security incidents[2], it is crucial that security teams have access to integrated solutions across their data landscape to help them triage and prioritize incidents with broader context for their investigations.
Microsoft Purview Insider Risk Management correlates various signals, such as unusual access patterns and data exfiltration, to identify potential malicious or inadvertent insider risks, including IP theft, data leakage, and security violations. Insider Risk Management enables customers to create data handling policies based on their own internal policies, governance, and organizational requirements. Built with privacy by design, users are pseudonymized by default, and role-based access controls and audit logs are in place to help ensure user-level privacy.
Empowering SOC teams to better investigate insider risks
Today, we are excited to announce the public preview of Insider Risk Management context on the Microsoft Defender XDR user entity page. With this update, SOC analysts with the required customer-determined permissions can access an insider risk summary of user exfiltration activities that may lead to potential data security incidents, as a part of the user entity investigation experience in Microsoft Defender. This feature can help SOC analysts gain data security context for a specific user, prioritize incidents, and make more informed decisions on responses to potential incidents.
When looking into an occurrence in Microsoft Defender’s Incidents view, the security analyst now can dig further into an incident’s source. In the following example, a multi-stage attack stole an employee’s credentials, followed by exfiltration activities that triggered multiple data loss prevention (DLP) alerts, such as sharing payment cards information externally.
Figure 1: Incident in Microsoft Defender showing a user’s Insider Risk Level
Read the full post here: Empower multiple teams and prioritize investigations with Insider Risk Management
New Blog | Secure your AI transformation with Microsoft Security
Generative AI is reshaping business today for every individual, every team, and every industry. Organizations engage with GenAI in a variety of ways – from purchasing and using finished GenAI apps to developing, deploying, and operating custom-built GenAI apps.
GenAI broadens the attack surface of applications through prompts, training data, models, and more – thereby effectively changing the threat landscape with new risks such as direct or indirect prompt injection attacks, data leakage, and data oversharing.
In March this year, we shared how Microsoft Security helps organizations discover, protect, and govern the use of GenAI apps like Copilot for M365. Today, we’re thrilled to introduce additional capabilities for that scenario and new capabilities to secure and govern the development, deployment, and runtime of custom-built GenAI apps.
With these new innovations, Microsoft Security is at the forefront of AI security to support our customers on their AI journey by being the first security solution provider to offer threat protection for AI workloads and providing comprehensive security to secure and govern AI usage and applications.
Secure and govern GenAI you build:
Discover new AI attack surfaces with AI security posture management (AI-SPM) in Microsoft Defender for Cloud for AI apps using Azure OpenAI Service, Azure Machine Learning, and Amazon Bedrock
Protect your AI apps using Azure OpenAI in runtime with threat protection for AI workloads in Microsoft Defender for Cloud, the first cloud-native application protection platform (CNAPP) to provide runtime protection for enterprise-built AI apps using Azure OpenAI Service
Secure and govern GenAI you use:
Discover and mitigate data security and compliance risks with Microsoft Purview AI Hub, now offering new insights, including visibility into unlabeled data and SharePoint sites that are referenced by Copilot for M365 and non-compliant usage such as regulatory collusion, money laundering, and targeted harassment for M365 interactions
Govern AI use to comply with regulatory requirements with 4 new AI compliance assessments in Microsoft Purview Compliance Manager
Discover new AI attack surfaces
As organizations embrace GenAI, many accelerate adoption with pre-built GenAI applications while others choose to develop GenAI applications in-house, tailored to their unique use cases, security controls and compliance requirements. Organizations from all industries are racing to transform their applications with AI, with over half of Fortune 500 companies using Azure OpenAI.
With all the new components of AI workloads such as models, SDKs, training, and grounding data – the visibility into understanding all the configurations of these new components and the risks associated with them is more important than ever.
With new AI security posture management (AI-SPM) capabilities in Microsoft Defender for Cloud, security admins can continuously discover and inventory their organization’s AI components across Azure OpenAI Service, Azure Machine Learning, and Amazon Bedrock – including models, SDKs, and data – as well as sensitive data used in grounding, training, and fine tuning LLMs. Admins can find vulnerabilities, identify exploitable attack paths, and easily remediate risks to get ahead of active threats.
Read the full post here: Secure your AI transformation with Microsoft Security
By Daniela Villarreal
Generative AI is reshaping business today for every individual, every team, and every industry. Organizations engage with GenAI in a variety of ways – from purchasing and using finished GenAI apps to developing, deploying, and operating custom-built GenAI apps.
GenAI broadens the attack surface of applications through prompts, training data, models, and more – thereby effectively changing the threat landscape with new risks such as direct or indirect prompt injection attacks, data leakage, and data oversharing.
In March this year, we shared how Microsoft Security helps organizations discover, protect, and govern the use of GenAI apps like Copilot for M365. Today, we’re thrilled to introduce additional capabilities for that scenario and new capabilities to secure and govern the development, deployment, and runtime of custom-built GenAI apps.
With these new innovations, Microsoft Security is at the forefront of AI security to support our customers on their AI journey by being the first security solution provider to offer threat protection for AI workloads and providing comprehensive security to secure and govern AI usage and applications.
Secure and govern GenAI you build:
Discover new AI attack surfaces with AI security posture management (AI-SPM) in Microsoft Defender for Cloud for AI apps using Azure OpenAI Service, Azure Machine Learning, and Amazon Bedrock
Protect your AI apps using Azure OpenAI in runtime with threat protection for AI workloads in Microsoft Defender for Cloud, the first cloud-native application protection platform (CNAPP) to provide runtime protection for enterprise-built AI apps using Azure OpenAI Service
Secure and govern GenAI you use:
Discover and mitigate data security and compliance risks with Microsoft Purview AI Hub, now offering new insights, including visibility into unlabeled data and SharePoint sites that are referenced by Copilot for M365 and non-compliant usage such as regulatory collusion, money laundering, and targeted harassment for M365 interactions
Govern AI use to comply with regulatory requirements with 4 new AI compliance assessments in Microsoft Purview Compliance Manager
Discover new AI attack surfaces
As organizations embrace GenAI, many accelerate adoption with pre-built GenAI applications while others choose to develop GenAI applications in-house, tailored to their unique use cases, security controls and compliance requirements. Organizations from all industries are racing to transform their applications with AI, with over half of Fortune 500 companies using Azure OpenAI.
With all the new components of AI workloads such as models, SDKs, training, and grounding data – the visibility into understanding all the configurations of these new components and the risks associated with them is more important than ever.
With new AI security posture management (AI-SPM) capabilities in Microsoft Defender for Cloud, security admins can continuously discover and inventory their organization’s AI components across Azure OpenAI Service, Azure Machine Learning, and Amazon Bedrock – including models, SDKs, and data – as well as sensitive data used in grounding, training, and fine tuning LLMs. Admins can find vulnerabilities, identify exploitable attack paths, and easily remediate risks to get ahead of active threats.
Figure 1: Attack path analysis in Defender for Cloud identifies an indirect risk to an Azure OpenAI resource where an attacker can exploit vulnerabilities via an internet exposed VM to potentially gain access and control of the AI resource, model deployments, and data.
Read the full post here: Secure your AI transformation with Microsoft Security
Standardize your customer configurations in Microsoft 365 Lighthouse
Default baseline tasks keep users secure and productive
We’re excited to continue enhancing our default baseline in Microsoft 365 Lighthouse to provide a set of tasks that help Managed Service Providers (MSPs) secure users, devices, and data in their customer tenants to ensure customers remain secure and productive in a scalable way.
This post introduces tasks we added to our default baseline that are focused on several key areas, including new areas like user education and Microsoft Teams.
To learn more about the benefits of using baselines, check out the webinar on May 22, 2024: Unlock efficiency and scale with Microsoft 365 Lighthouse.
Keep your devices secure and updated with a Windows Feature Update policy
To keep Windows devices secure and updated, users need the latest security updates. Our Windows Update deployment task standardizes deployment windows, deployment rings, and update behavior. This helps you apply updates quickly and consistently. Our drift and variance detection and alerts notify you of any policy changes that could pose a security risk.
Protect company data by using a OneDrive policy
Setting up a policy for OneDrive configuration helps keep user and company data secure and provides the ability to view the status of the OneDrive sync client. The ability to view when a OneDrive client is no longer syncing or in a healthy state can help prevent data loss and maintain continuity for user data.
Configure SSPR to allow users to reset their own passwords
Self-service password reset (SSPR) gives users the ability to change or reset their password, with no administrator or help desk involvement. This ability reduces help desk calls and loss of productivity when a user can’t sign in to their device or an application.
Configure Viva Learning paths for user education
Help users onboard to Microsoft 365 and learn about features and functionality with Viva Learning paths. The set of courses included in this task also help educate users on best practices for safety and security.
Baseline tasks focused on Microsoft Teams
We’ve also added several tasks focused on Microsoft Teams. From disabling anonymous access to Teams meetings, to turning on Safe Attachments for Teams, OneDrive, and SharePoint, this set of tasks helps ensure that your customers’ productivity suite is properly configured and secure.
ASR policies and Windows Update tasks
Lastly, we’ve added several tasks focused on keeping endpoints up to date and secure. From configuration of an attack surface reduction (ASR) policy, to enabling cloud updates for Microsoft 365 apps to ensure apps are on the latest security and feature updates, we’ve made it even easier to ensure all your managed endpoints are protected and in a consistent state across your customer tenants.
Start using Microsoft 365 Lighthouse to configure your managed tenants today
These tasks are just a sampling of the deployment tasks available as part of the Microsoft 365 Lighthouse default baseline. We continue to expand into new areas to ensure that your customer tenants are securely configured to enhance productivity and usability.
To learn more about Microsoft 365 and the default baseline, check out these resources:
Start using Microsoft 365 Lighthouse
Check out default baselines in Microsoft 365 Lighthouse
Sign up for Microsoft 365 Lighthouse | Microsoft Learn
Overview of Microsoft 365 Lighthouse | Microsoft Learn
Microsoft Tech Community – Latest Blogs –Read More