Monday, August 26, 2019

Privileged Identity Management – Custom Roles

As I have mentioned earlier, I believe and hope that Microsoft will keep implementing more and more self-service features in Azure.

This is because I believe that automation and self-service are key components of a secure infrastructure, simply because manual processes are often bypassed or not followed correctly, either because the process is poorly described or implemented, or because it is easier not to follow it.

Automated processes do the job exactly as well as they are programmed to, every time!

From that perspective, Microsoft's release of custom roles in Azure AD Privileged Identity Management is a great new feature.

As always, it is not quite there yet, but I hope that they will evolve this feature to meet my expectations.

As you will know if you have read earlier posts, Privileged Identity Management is a feature that allows privileges to be added dynamically to various types of administrative roles.

With the new release it is now also possible to create custom roles in Azure AD that can be controlled in Privileged Identity Management.

There are three steps to this: creating the role in Azure AD, adjusting the settings for the custom role in PIM, and assigning members.


Creating the role in Azure AD:

Creating a custom role is a fairly simple procedure.


Locate Roles and administrators under Azure Active Directory and choose New custom role at the top.


Name the role.


Add the permissions.


And create the custom role.


As I wrote, it is fairly simple. After a sync the role will be available in PIM; in my tests this takes a little time, so be patient.


Adjusting the settings:

First locate Custom roles in PIM under Manage.


Under Manage, select Settings and then select the role you wish to configure.


Click Edit at the top and set the settings as desired.


Assigning members:

Under Manage, select Roles; your custom role should now be listed. Select the custom role and click Add member.


This brings up the following dialog, where you can select the directory, custom role, members and settings.


After choosing the settings I want, I can now see the new custom role under My roles.


Selecting Activate, I get the normal PIM activation window.
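
The three steps above scripted with the AzureADPreview PowerShell module, as an added example that is not from the original post. The role name, the two permissions, the user UPN and the 90-day end date are assumptions; step 2 (the PIM role settings) is left to the portal as shown above, and the poll loop is there because the role only shows up in PIM after a sync.

```powershell
# Added example, not from the original post. Requires the AzureADPreview module and Connect-AzureAD.
$roleName = "Application Registration Support"          # assumed custom role name
$allowedActions = @(                                      # assumed permission set for the role
    "microsoft.directory/applications/basic/update",
    "microsoft.directory/applications/credentials/update"
)
$rolePermissions = @{ allowedResourceActions = $allowedActions }

# Step 1: create the custom role in Azure AD (the "New custom role" wizard in the post).
$templateId = (New-Guid).Guid
$role = New-AzureADMSRoleDefinition -DisplayName $roleName `
            -Description "Custom role controlled by PIM (least privilege for app support)" `
            -RolePermissions $rolePermissions -TemplateId $templateId -IsEnabled $true
Write-Host "Created role definition $($role.Id)"

# The role appears in PIM only after a sync, so poll for it instead of guessing the delay.
$tenantId = (Get-AzureADTenantDetail).ObjectId            # for aadRoles the ResourceId is the tenant id
$pimRole = $null
for ($i = 0; $i -lt 30 -and -not $pimRole; $i++) {
    $pimRole = Get-AzureADMSPrivilegedRoleDefinition -ProviderId "aadRoles" -ResourceId $tenantId `
                   -Filter "DisplayName eq '$roleName'"
    if (-not $pimRole) { Start-Sleep -Seconds 30 }
}
if (-not $pimRole) { throw "Custom role '$roleName' has not appeared in PIM yet; retry later" }

# Step 3: make a user eligible (not permanently active) for the role, with an end date.
# This is what the "Add member" dialog in the post does.
$user = Get-AzureADUser -ObjectId "app.support@contoso.example"   # assumed UPN
$schedule = New-Object Microsoft.Open.MSGraph.Model.AzureADMSPrivilegedSchedule
$schedule.Type          = "Once"
$schedule.StartDateTime = (Get-Date).ToUniversalTime().ToString("yyyy-MM-ddTHH:mm:ss.fffZ")
$schedule.EndDateTime   = (Get-Date).ToUniversalTime().AddDays(90).ToString("yyyy-MM-ddTHH:mm:ss.fffZ")

Open-AzureADMSPrivilegedRoleAssignmentRequest -ProviderId "aadRoles" -ResourceId $tenantId `
    -RoleDefinitionId $pimRole.Id -SubjectId $user.ObjectId -Type "AdminAdd" `
    -AssignmentState "Eligible" -Schedule $schedule -Reason "Eligible assignment for app support"
```

The user then activates the role through the same PIM activation window shown above; nothing in the script grants a permanent active assignment.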


Conclusion

As mentioned, I am a big fan of automation when it comes to security management, and this feature is right up my alley.

Note that it is a preview, so test it out, but I wouldn't recommend building any new business processes on it yet.


As always, if you would like a live demo or have any questions, feel free to reach out to us at Mindcore.

Monday, August 12, 2019

Microsoft Defender ATP

This time we will take a closer look at how easy it is to onboard clients into Microsoft Defender Advanced Threat Protection with System Center Configuration Manager.

First we go to the Microsoft Defender Security Center: https://securitycenter.windows.com/

On this page we select Settings – Onboarding – Windows 10 – System Center Configuration Manager (current branch) version 1606 and later, and then Download package.

Extract the downloaded ZIP file to get an onboarding file like this.

Now go to the SCCM console – Assets and Compliance – Endpoint Protection – Microsoft Defender ATP Policies, and then select Create Microsoft Defender ATP Policy.

Name the policy and select Onboarding.

Select Browse.

Select the extracted onboarding file.

With the file selected click Next.

Select the settings according to your own needs.

Select Next.

Select Close.

Now let's deploy the policy by selecting the policy we just created in SCCM and then Deploy.

Select the collection used for your Microsoft Defender ATP devices; in this example a specific collection is used that holds devices running Windows 10 that also have an active ATP license.

After deployment it will show up on the client as a configuration baseline, and we can speed up onboarding by forcing an evaluation with Evaluate.

Status will then change to Compliant.

Once onboarded, you will be able to see the computer in the Machine list in the portal.

We can also see the onboarding status in the SCCM console, in the Monitoring node.

On the client we can follow the onboarding in the event log Applications and Services Logs – Microsoft – Windows – SENSE.

Once onboarded, the client will have a running service called Windows Defender Advanced Threat Protection Service.
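
An added example (not from the original post) that verifies the onboarding on the client itself: it checks the service and the SENSE event log mentioned above, plus the onboarding state the onboarding package writes to the registry. Run it in an elevated PowerShell session on the onboarded Windows 10 device; the function name is my own.

```powershell
# Added example, not from the original post. Run elevated on the Windows 10 client.
function Test-MdatpOnboarding {
    $result = [ordered]@{}

    # The post's final check: the "Windows Defender Advanced Threat Protection Service" (service name Sense).
    $svc = Get-Service -Name "Sense" -ErrorAction SilentlyContinue
    $result.SenseService = if ($svc) { $svc.Status.ToString() } else { "not installed" }

    # Onboarding state written by the onboarding package (1 = onboarded).
    $statusKey = "HKLM:\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status"
    $state = (Get-ItemProperty -Path $statusKey -ErrorAction SilentlyContinue).OnboardingState
    $result.OnboardingState = if ($null -eq $state) { "missing" } else { $state }

    # The SENSE operational log the post follows in Event Viewer; newest entries first, first line only.
    $result.RecentSenseEvents = Get-WinEvent -LogName "Microsoft-Windows-SENSE/Operational" `
            -MaxEvents 10 -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, @{ n = "Message"; e = { ($_.Message -split "`n")[0] } }

    # Onboarded only when the service runs AND the package has recorded state 1.
    $result.Onboarded = ($result.SenseService -eq "Running") -and ($state -eq 1)
    [pscustomobject]$result
}

$check = Test-MdatpOnboarding
$check | Format-List SenseService, OnboardingState, Onboarded
$check.RecentSenseEvents | Format-Table -AutoSize
```

A device that shows Compliant in SCCM but Onboarded = False here is worth a look in the SENSE log before you trust the portal's machine list.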

For this test we will simply try to isolate the computer from the portal, just to see that we are connected as expected.

First open the client by clicking on the client name.

Then we select Isolate machine.

Allow Outlook, Teams and Skype for Business communication if needed, enter a comment about why we want to isolate the computer, and then select Confirm.

We will then see the action; you can just close this unless you need to cancel the action.

Soon after, the client is unable to reach the Office 365 portal.

Back in the portal we can allow connections again by selecting Release from isolation.

Again we comment on why we now allow connections to the machine and select Confirm.

Again we just close the message from the Action Center.

And the client can once again access the Office 365 portal.

The level of information and the overview is impressive, and if you have access to the licenses for Microsoft Defender ATP, there is no reason not to get started. Now test it yourself.

Monday, August 5, 2019

Azure Bastion

Since we now have Azure Bastion in preview, it's time to take a closer look.

Azure Bastion allows us to have private RDP and SSH access to our virtual machines from an HTML5 web browser over SSL.

We can do this without using a public IP address on the VM.

Today we often connect to our virtual machines either by exposing them to the public Internet or by deploying a jump host/server.

For this test we will use the following test setup.

First go to https://aka.ms/BastionHost, select All services and search for Bastion; then we can add Bastions to our favorites.

Select Bastions from our favorites.

Select Create Bastion.

Let's create a new resource group for this test.

Name the resource group.

Name the bastion instance, select a region and then create a new virtual network.

We need to create a subnet for our VMs and a dedicated subnet with the name AzureBastionSubnet.

I will choose 10.10.100.0/24 for the AzureBastionSubnet and 10.10.10.0/24 for the VM subnet (LabSubnet).

We then select the AzureBastionSubnet as the subnet and create a new public IP address; finally we click Review + create.

Select Create.

Deployment will then start, and we will have to wait until it is complete.

Deployment is now complete.

In order for this test to work we also need to deploy a virtual machine. Go to Virtual machines and select Create virtual machine.

We select our subscription and the resource group we already created, then we give the VM a name and select the region, image and size.

We will use our newly created virtual network and VM subnet, and no public IP.

And then create the virtual machine.

Deployment will then start, and again we will have to wait until deployment is complete.

Deployment is now complete; select Go to resource.

The VM has no public IP, as shown. Select Connect.

It will automatically open the Bastion tab; enter the username and password and connect.

You will need to allow pop-ups from Azure.

And we are connected to the VM.
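
The same lab built with the Az PowerShell module instead of the portal, as an added example that is not part of the original post. The two subnet ranges are the ones from the post; the resource group, region, VNet, VM and image names are assumptions, and New-AzBastion needs an Az.Network version that includes Bastion.

```powershell
# Added example, not from the original post. Requires the Az module and Connect-AzAccount.
$rg       = "rg-bastion-lab"       # assumed resource group name
$location = "westeurope"           # assumed region
$vnetName = "vnet-bastion-lab"     # assumed VNet name

New-AzResourceGroup -Name $rg -Location $location | Out-Null

# Bastion requires a subnet literally named AzureBastionSubnet; the post uses /24 for it.
$bastionSubnet = New-AzVirtualNetworkSubnetConfig -Name "AzureBastionSubnet" -AddressPrefix "10.10.100.0/24"
$labSubnet     = New-AzVirtualNetworkSubnetConfig -Name "LabSubnet"          -AddressPrefix "10.10.10.0/24"
$vnet = New-AzVirtualNetwork -ResourceGroupName $rg -Location $location -Name $vnetName `
            -AddressPrefix "10.10.0.0/16" -Subnet $bastionSubnet, $labSubnet

# The only public IP in this design belongs to the Bastion host (Standard SKU, static).
$pip = New-AzPublicIpAddress -ResourceGroupName $rg -Location $location -Name "pip-bastion" `
            -AllocationMethod Static -Sku Standard
New-AzBastion -ResourceGroupName $rg -Name "bastion-lab" -PublicIpAddress $pip -VirtualNetwork $vnet

# The VM gets a NIC in LabSubnet with no public IP at all: RDP/SSH only reach it through Bastion.
$vnet   = Get-AzVirtualNetwork -ResourceGroupName $rg -Name $vnetName
$subnet = Get-AzVirtualNetworkSubnetConfig -Name "LabSubnet" -VirtualNetwork $vnet
$nic = New-AzNetworkInterface -ResourceGroupName $rg -Location $location -Name "nic-lab-vm01" -SubnetId $subnet.Id

$cred = Get-Credential -Message "Local administrator account for the lab VM"
$vm = New-AzVMConfig -VMName "lab-vm01" -VMSize "Standard_B2s" |
      Set-AzVMOperatingSystem -Windows -ComputerName "lab-vm01" -Credential $cred |
      Set-AzVMSourceImage -PublisherName "MicrosoftWindowsServer" -Offer "WindowsServer" `
          -Skus "2019-Datacenter" -Version "latest" |
      Add-AzVMNetworkInterface -Id $nic.Id
New-AzVM -ResourceGroupName $rg -Location $location -VM $vm

# Verify the design goal from the post: the VM's NIC has no public IP attached.
(Get-AzNetworkInterface -ResourceGroupName $rg -Name "nic-lab-vm01").IpConfigurations |
    Select-Object Name, PrivateIpAddress,
        @{ n = "PublicIp"; e = { if ($_.PublicIpAddress) { "ATTACHED" } else { "none" } } }
```

The final query is the check worth repeating after any later change to the VM: a public IP showing up on the NIC means the Bastion-only access path has been bypassed.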

For browsers that support the advanced Clipboard API, you will be able to copy and paste, but only text; the browser might prompt you to allow access.

For other browsers, you can use the Bastion clipboard tool.

Now test it in your own environment.