This article is contributed. See the original author and article here.
By Erin Boris, Idan Basre and Yoann Mallet
One of the latest app connectors to be added to Microsoft Defender for Cloud Apps is for Smartsheet.
As we have in the past for other protected apps, we would like to share a few examples of how to use it to secure your Smartsheet deployment.
Why Connect Smartsheet?
As with other apps, connecting Smartsheet to Defender for Cloud Apps allows you to leverage some of the built-in features of your favorite CASB, such as:
Benefit
Description
Policy or template
Threat and Anomaly Detection
Detect cloud threats, compromised accounts, and malicious insiders
The following built-in Threat detection policies automatically apply when Defender for Cloud Apps is connected to Smartsheet:
Use the audit trail of activities for forensic investigations
Leverage Advanced Hunting Queries as part of the Microsoft 365 Defender Portal to audit the use of Smartsheet and create policies
How to connect Smartsheet?
Let’s start with connecting Smartsheet.
Detailed instructions are available here, and if you prefer our video, check it out below:
Leverage Microsoft Defender for Cloud Apps with Smartsheet
The best way to get quick value from Defender for Cloud Apps when protecting Smartsheet, is to use the Advanced Hunting feature in the Microsoft 365 Defender portal.
If you have not used that portal just yet, simply visit http://security.microsoft.com and you will be redirected to it.
Once there browse to advanced hunting. This will enable you to write your own KQL queries to gather relevant information from the Defender for Cloud Apps activity logs.
Here are two relevant examples:
Scenario 1: New user invited, has an external email address
Having a new user invited to Smartsheet with an external email address may be suspicious. In order to detect this, you can leverage the following KQL Query:
CloudAppEvents
| where Application == "Smartsheet"
|extend a=parse_json(RawEventData).additionalDetails
|extend email=a.emailAddress
| where ActionType == "User Accept Invite"
and email !contains "contoso.com"
| project Timestamp,Application, AccountDisplayName, ActionType,email
Below is an example of the result of that query in Advanced Hunting:
This can potentially help you detect any attempt to exfiltrate data or identify a malicious user enabling an external account.
Another option to view all accounts with external email addresses that currently have access to Smartsheet, is from the API connector properties in Defender for Cloud Apps.
A filter can be used to see all external accounts that have accepted an invitation.
Scenario 2: File sent as attachment to external email address
When files are sent as an attachment from Smartsheet directly, to an external email address, this can be a sign of data exfiltration.
In order to identify such activities, you can leverage the following KQL Query:
CloudAppEvents
| where Application == "Smartsheet"
|extend a=parse_json(RawEventData).additionalDetails
|extend Recipient=a.recipientEmail
| where ActionType =="Sheet Send As Attachment"
and Recipient !contains "contoso.com"
| project Timestamp,Application, AccountDisplayName, ActionType,Recipient
Creating alerts from these queries
In addition to detecting these actions, Microsoft 365 Defender also allows you to create your own custom detections, and identify when these occur in near real-time, as described here.
As you can imagine, when using such powerful queries, the sky is the limit! Feel free to share any relevant KQL query you have identified for Smartsheet in the comments below.
Resources:
For more information about the features discussed in this article, please read:
We welcome your feedback or relevant use cases and requirements for this pillar of Cloud App Security by emailing CASFeedback@microsoft.com and mentioning the area or pillar in Cloud App Security you wish to discuss.
Learn more
For further information on how your organization can benefit from Microsoft Cloud App Security, connect with us at the links below:
This article is contributed. See the original author and article here.
The two billion frontline workers, which represent 80 percent of the world’s workforce, have weathered risk, exhaustion, and ongoing disruption throughout the pandemic. From shutdowns to new safety protocols to increased workloads and dwindling inventory, the frontline is constantly facing challenges. Today we are releasing a set of technology innovations and partnerships to reduce stress on the frontline and empower the way they work and interact.
This article is contributed. See the original author and article here.
At Microsoft Ignite, Microsoft Dynamics 365 Marketing announced a range of new AI features. We strongly believe in the power of AI to help businesses and their customers grow. We also recognize that these new technologies have the potential for misuse and harm.
That’s why in Dynamics 365 Marketing, we are taking an intentional and rigorous approach to upholding Microsoft’s responsible AI principles. AI requires scrutiny, thoughtfulness, and research to first understand potential impacts on people and society, and then seek solutions that mitigate harm.
As Satya Nadella says, Microsoft runs on trust. And trust must be earned in the short term as well as the long term. In Dynamics 365 Marketing, we see responsible AI as an opportunity to demonstrate trustworthiness as well as a path for innovationa way to minimize harm and expand our capacity to provide useful and delightful experiences for our customers and their customers.
Let’s take a closer look at some of the work we’re doing on a new AI feature called Content ideas.
What is Content ideas and how does it work?
The Content ideas feature in Dynamics 365 Marketing helps marketers get inspiration for emails and create their best content faster. Marketers can type in a few key points, and Content ideas will generate original content based on those key points. Under the hood, Content ideas also references the customer’s past marketing emails so it can generate ideas that are similar in tone, structure, and style. This is a powerful advancement I’m very excited about, where marketers never have to start from a blank slate when writing content.
The AI technology behind this feature is a large language model called GPT-3, developed by OpenAI and currently available in an invite-only preview as part of Microsoft’s Azure OpenAI Service as well as through OpenAI’s API. GPT-3 can perform a wide range of natural language tasks, including summarizing text, analyzing text for sentiment, andas it’s applied in Content ideasgenerating original text that looks like a human wrote it. GPT-3 is one of the leading examples of the type of AI model the industry is moving toward, rapidly accelerating AI capabilities that bring value to customers.
But large language models such as GPT-3 come with risks, including generating content that isn’t factual or content that reflects the biases of the dataset used for trainingwhich, in the case of GPT-3, was approximately 45TB of text from the internet. To mitigate such risks, OpenAI and Microsoft are committed to helping customers identify potential safety issues that could arise from using GPT-3 and providing best practices for safety. And at Microsoft, as we incorporate these kinds of technologies into our products, we’re also investing deep thought into how risks might show up for our customers in our specific scenarios, and how we can address those challenges.
Here, we’ll zoom in on one area we’re looking at closely for Content ideas: the user experience (UX).
UX questions for a responsible AI approach
Dynamics 365 Marketing has focused on human-centered research to deeply understand the needs and aspirations of marketing content creators, as well as explorations in UI design and data science, to translate responsible AI principles into a powerful UX that elevates and empowers human expertise.
As Charles Lamanna, Corporate Vice President of our Business Applications and Platform says, “An emerging technology like GPT-3 is such an exciting breakthrough in innovation. I’m proud of products like Dynamics 365 Marketing, where teams are working across engineering and design to intentionally think about how we responsibly bring AI to our customers.”
Early research leads us to these key questions:
1. How might we build transparency around how Content ideas works, so people can use the feature to meet their specific needs?
Setting clear expectations about Content ideas’ capabilities and limitations is essential, both to help people achieve their goals and to prevent people from using it in a way that isn’t intended. The more people understand how GPT-3 uses their key points to generate original content, the easier it is for them to craft key points that will get them helpful suggestions. In the current UX for Content ideas, we offer a “Learn more” panel from multiple points during onboarding. This panel is structured similar to a FAQ, addressing top questions about what the feature does and how the technology works. We’re also using design principles such as progressive disclosure to give people relevant information at just the moment they need it. For example, after marketers have submitted their key points and are waiting for Content ideas to generate suggestions, the loading screen sets expectations around potentially seeing unexpected results and offers tips for what to do next if none of the suggestions are a good fit. We’re continuing to explore ways to help people better understand how their choices affect the system outputs.
2. Once people understand how the technology works, how might we give people more control over the system?
A foundational pillar in human-AI collaboration is making sure people have meaningful oversight and control. The right amount of control helps people make the system work for their goals and context, and helps them build confidence in the system. With Content ideas, we want to empower content creators’ expertise and give them the right levers and buttons so they can use the system in ways that work for them, while automating parts of the process that don’t require human judgment. For example, we frame the feature as a brainstorming and writing partner, rather than a magical tool that does all the writing for you. In the end, the author is in chargeContent ideas makes suggestions that they can choose to use, edit, or ignore. Our research has also shown that content creators want more granular control over generated suggestions, such as being able to copy and paste smaller sections from different suggestions, and the ability to instruct the system on additional attributes such as audience and tone. We’re exploring how to integrate these potential interactions and others along these lines.
3. Once people understand how the technology works and how they can influence it, how might we help them understand their accountability and feel confident about their responsibility for the final content?
Large pre-trained language models like GPT-3 are general purpose and don’t always produce perfectly accurate results, particularly for tasks that require specific knowledge like the latest pricing data for a product. This means that even with detailed key points to start with, Content ideas might include color variations, prices, or sale dates that could look realistic but might not be correct. We want to make sure content creators feel confident in their responsibility as final owners of the content, making sure they have robust opportunities throughout the experience to check for accuracy and edit as appropriate. Additionally, in our “Learn more” panel, we directly answer the question, “Can I use the suggestions word for word?” (The short answer: Yes, as long as you review carefully for accuracy and appropriateness.) As we move forward, we’re exploring ideas such as a reminder to check for accuracy before someone adds a suggestion to their draft, or a feature to flag details that might benefit from a close read.
4. How might we measure the success of our UX to capture how well we are building trust, supporting creativity, and empowering user confidence in using Content ideas to meet their goals?
Success in UX is often measured by things like: Were we able to help someone accomplish a task more quickly? Was the task done at a higher quality? And are people satisfied with the result? Content ideas invites us to consider additional ways in which people might have a successful experience. For example, since the feature can offer a range of possible ideas for a content creator to consider, if someone is looking for multiple avenues of inspiration, creativity might look like generating many ideas and then building new ideas from thererather than copying and pasting a single idea. In our research for Content ideas, we’re considering how to qualitatively assess people’s experiencessuch as how much they felt that the feature helped them become more creative, and how confident they were over having control over the final textso that we have a more holistic understanding of where we can improve the experience to support a range of user goals. We’re also exploring ways of gathering feedback in the UI to help us understand the usefulness of generated ideas.
These are hard questions, and we don’t have all the answers yet. But we are committed to developing solutions that minimize harm and empower human expertise, while always providing our customers and our users an amazing experience. Ultimately the goal is to build high-quality experiences that establish appropriate trust, bringing sustainable value to people and businesses. We’re educating ourselves and trying to learn quickly so that we can achieve this vision for our future and yours. I’m proud that Content ideas is one of many areas Microsoft is looking at when it comes to responsibly implementing AI technologies like GPT-3, such as the recently launched Ten Guidelines for Product Leaders to Implement AI Responsibly and the new responsible AI dashboard.
And to learn more about how your organization can elevate your customer experiences, visit the Dynamics 365 Marketing webpage and sign up for a free Dynamics 365 Marketing trial to explore real-time customer journey orchestration and the other rich capabilities offered in Dynamics 365 Marketing.
This article is contributed. See the original author and article here.
I have been on a journey to explore Azure IoT and push the thousands of events that flow through my local MQTT broker (Mosquitto) into Azure IoT.
After my last post in using the Azure IoT SDK for Python conjunction with Paho MQTT I thought my work here was complete. But I have just recently been made aware that there is native support for various Arduino devices by Microsoft and Espressif. How awesome is that!
Before you get too excited given the requirements of such libraries, this is not going to work on your Arduino Uno, Arduino Mega 2560 and so on. Support for Azure IoT Hub is (for now) reserved for the newer generation of boards from Espressif (ESP32, ESP8266) and the Realtek Ameba D. These boards can contain megabytes, not kilobytes of RAM, multi-core CPU’s and are able to load in a TCP/IP stack, MQTT and so on.
If there is a theme for my house, it is bookended with reliability, and with that, it’s time to put my rack-mounted Raspberry Pi away and adopt a microcontroller. A Raspberry Pi, as great as it is, is an SBC (Single Board Computer) that needs to be updated, watered and fed. It uses a file system, a flash memory subsystem. How does this bode for reliability, and have you ever had a corrupt file system on a microcontroller?
Like any good, opinionated architect, I would urge you to stop, put away your Raspberry Pi’s and take a different approach: a microcontroller.
Today, I leverage around 30 outputs on an Arduino Mega 2560 with an Ethernet and PoE shield using MQTT (The pub/sub client library) but it’s time to modernise, and given my love of ESP devices with Tasmota, I decided to purchase an ESP32 for this very task.In this post I will illustrate how to build a bridge from Mosquitto MQTT into Azure IoT Hub using this ESP32 device.
I covered in a prior post why I am going down this path of publishing telemetry to Azure IoT Hub, along with the several ways I have illustrated how one can go about achieving this goal. From direct connection to Azure IoT Hub (via MQTT and SAS tokens) through to Azure IoT Edge running locally with MQTT and finally the SDK’s.I have been able to achieve my goals with varying levels of success but have a few concerns on the approaches I have tried thus far.
Direct-Connection to Azure IoT Hub introduces latency to the cloud.
Authentication, from SAS tokens to X509 certificates: it’s not anonymous and some of my tiny devices (Tasmota) dont bode well.
Topic structure: it is defined (devices/{DeviceID}/messsages/events/) and not free form. It means reconfiguration, which isn’t hard, but a lot of friction.
Reliability: all solutions thus far have relied on a OS which require patching, updating and are even whilst small an administrative burden.
My goals for building a solution
No reconfiguration of any of my MQTT devices (Home Assistant, PLC, Arduino Mega 2560, ~75 Tasmota devices).
Bridge my existing MQTT broker (Mosquitto) in to Azure IoT.
Run on microcontroller, as I want to be reliable.
Pretty lofty goals, you may even say I am being lazy, but the reality is I want a low friction away to derive operational intelligence from the many thousands of events each day (read below, it’s over 10K per day!)
What we are going to build
To overcome, the limitations described above we are going to use an ESP32 microcontroller with C++ code with a libraries. Just incase you are not familar, let me introduce you to the ESP32.
ESP32
Where do I start? What is not love about this SOC? The ESP32 is a modern, powerful Arduino compliant microcontroller that power many devices from my irrigation controller (Opensprinkler) through to my kids learning robot (MBot) they are either using an ESP32 or an older derivative such as an ESP8266. Today I am using this as a software bridge but there is a plethora of I/O and support for PWM, I2c and more which make them a versatile all rounder.
The ESP32 is a series of low-cost, low-power system on a chipmicrocontrollers with integrated Wi-Fi and dual-mode Bluetooth. The ESP32 series employs either a Tensilica Xtensa LX6 microprocessor in both dual-core and single-core variations, Xtensa LX7 dual-core microprocessor or a single-coreRISC-V microprocessor and includes built-in antenna switches, RF balun, power amplifier, low-noise receive amplifier, filters, and power-management modules. ESP32 is created and developed by Espressif Systems, a Shanghai-based Chinese company, and is manufactured by TSMC using their 40 nm process. It is a successor to the ESP8266 microcontroller.
See the steps below as I tease out this solution or my GitHub repo for the full Arduino sketch. To give you a better understanding on how this works I will break it down in to the logical steps below required to receive messages from Mosquitto over MQTT using
‘PubSubClient’ and to then re-publish them in to Azure IoT Hub using the ‘Esp32MQTTClient’.
Step 1 – Arduino IDE – Add ESP32 to the Board Manager
The Arduino IDE does not know about the ESP32 so the very first step we need to do leverage the the Arduino IDE’s ‘Board Manager’ capability to provide support for the ESP32. In the Arduino IDE, open ‘Preferences’ and enter in one of the following URL’s
Open ‘Boards Manager’ from ‘Tools’ > ‘Board’ menu. Search for an install ‘ESP32’. Select your specific ESP32 board from the menu post installation.
Restart the Arduino IDE.
Step 2 – We Need A Library – PubSubClient
Whilst we now have support for the ESP32, we need to add a library that will allow us to subscribe to and receive MQTT messages from our Mosquitto broker. For this very purpose we need a MQTT library. There are many but I have used ‘PubSubClient’ in the past on other projects without any issues. To install, ‘Tools’ > ‘Manage Libraries’ > ‘PubSubClient’
Step 3 – Author Some Code (Libraries and Variables)
After validating your board is working (I would suggest uploading a Blink sketch) we can start coding. This example is based off the ‘Examples > ESP32 Azure IoT Arduino > Simple MQTT’;
We need to include some libraries, we will be using the Wi-Fi (for connectivity), PubSubClient (for Mosquitto MQTT) and the ESP32MQTTClient (for Azure IoT Hub).
Regarding Azure IoT Hub you will need to define your connection string. This post does not cover creating an IoT Hub or creating a device and assumed you have created this prior. See Use the Azure portal to create an IoT Hub | Microsoft Docs for more information on creating an Azure IoT Hub, adding a device and obtaining a device connection string.
Step 4 – Author Some Code (Setup Function: Connect to Wi-Fi , Azure and Mosquitto MQTT)
Our ‘setup’ function will establish connection to our LAN via Wi-Fi and then connect in to Azure where as the ‘MQTTConnect’ function not only connects to our local MQTT broker, but it defines the MQTT topics to subscribe to. You can subscribe to multiple MQTT topics by having multiple subscribe lines. You can also use MQTT wildcard filters to match events using fewer subscriptions.
Plus sign (+): It is a single level wildcard that matches any name for a specific topic level. We can use this wildcard instead of specifying a name for any topic level in the topic filter.
Hash (#): It is a multi level wildcard that we can use only at the end of the topic filter, as the last level and matches any topic whose first levels are the same as the topic levels specified at the left-hand side of the # symbol.
The serial monitor is handy in debugging any issues either with Wi-Fi or connecting in to Azure IoT Hub.
client.on_message = on_message
void setup() {
//Set baud rate
Serial.begin(115200);
WiFi.begin(ssid, password);
while (WiFi.status() != WL_CONNECTED) {
delay(500);
Serial.println("ESP32 : Connecting to WiFi...");
}
Serial.println("ESP32 : WiFi connected");
Serial.println("ESP32 : IP address: ");
Serial.println(WiFi.localIP());
//Set MQTT details
client.setServer(mqttServer, mqttPort);
client.setCallback(callback);
//Connect to Azure IOT
if (!Esp32MQTTClient_Init((const uint8_t*)connectionString))
{
hasIoTHub = false;
Serial.println("Azure IoT Hub : Initializing IoT hub failed.");
return;
}
hasIoTHub = true;
}
void MQTTConnect() {
// Loop until we're reconnected
while (!client.connected()) {
Serial.print("MQTT : Attempting MQTT connection...");
// Attempt to connect
if (client.connect("ESP32Client")) {
Serial.println("MQTT : Connected");
// Once connected, publish an announcement...
client.publish("stat/ESP32/IP_Address","Your IP Address");
//Subscribe to topics, one topic per line.
client.subscribe("stat/+/POWER");
} else {
Serial.print("MQTT : Failed to connect to MQTT , rc=");
Serial.print(client.state());
Serial.println("MQTT : Trying again to connect to MQTT in 5 seconds");
// Wait 5 seconds before retrying
delay(5000);
}
}
}
Step 4 – Author Some Code (MQTT Call Back & Publish To Azure)
After the setup functions we now need to create a function that will listen for incoming MQTT messages that match our subscription (callback), extract the topic and payload before massaging this data and sending to Azure via another function (AzureIoTHub).
void callback(char* topic, byte* payload, unsigned int length) {
MQTTTopic = String(topic);
MQTTPayload = "";
for (int i = 0; i < length; i++) {
// Serial.print((char)payload[i]); - Use for debugging
MQTTPayload = String(MQTTPayload + (char)payload[i]);
}
}
void AzureIoTHub() {
if (hasIoTHub)
{
String tempString;
tempString = "{" + MQTTTopic + ":" + MQTTPayload + "}";
if (Esp32MQTTClient_SendEvent(tempString.c_str()))
{
Serial.println("Azure IoT Hub : Sending data to Azure IoT Hub succeed");
}
else
{
Serial.println("Azure IoT Hub : Failure...");
}
MQTTPayload = "";
MQTTTopic = "";
}
}
Step 5 – Author Some Code (Our Main Loop)
The main loop is leveraging all of these functions and its logic can be best sumarised in to a few points. Connect to MQTT if there is no connection
If there is a MQTT Topic/Message which was decoded via our ‘callback’ function send this to Azure IoT Hub and re-connect if there is no connection.
void loop() {
//Connect to MQTT and reconnect if connection drops
if (!client.connected()) {
MQTTConnect();
}
//Respond to messages received
if (MQTTTopic != "") {
Serial.println("MQTT : Topic is [" + MQTTTopic +"]");
Serial.println("MQTT : Payload is [" + MQTTPayload + "]");
AzureIoTHub();
}
client.loop();
}
Pulling It All Together
Here is a complete copy of the above, plus a bit more. You could cut and paste the below or clone my GitHub repository.
#include <WiFi.h>
#include <PubSubClient.h>
#include "Esp32MQTTClient.h"
const char* ssid = "****";
const char* password = "****";
const char* mqttServer = "****";
const int mqttPort = 1883;
String MQTTTopic;
String MQTTPayload;
//Azure IOT Hub Setup
static const char* connectionString = "****";
static bool hasIoTHub = false;
WiFiClient espClient;
PubSubClient client(espClient);
void callback(char* topic, byte* payload, unsigned int length) {
MQTTTopic = String(topic);
MQTTPayload = "";
for (int i = 0; i < length; i++) {
// Serial.print((char)payload[i]); - Use for debugging
MQTTPayload = String(MQTTPayload + (char)payload[i]);
}
}
void MQTTConnect() {
// Loop until we're reconnected
while (!client.connected()) {
Serial.print("MQTT : Attempting MQTT connection...");
// Attempt to connect
if (client.connect("ESP32Client")) {
Serial.println("MQTT : Connected");
// Once connected, publish an announcement...
client.publish("stat/ESP32/IP_Address","Your IP Address");
//Subscribe to topics, one topic per line.
client.subscribe("stat/+/POWER");
} else {
Serial.print("MQTT : Failed to connect to MQTT , rc=");
Serial.print(client.state());
Serial.println("MQTT : Trying again to connect to MQTT in 5 seconds");
// Wait 5 seconds before retrying
delay(5000);
}
}
}
void setup() {
//Set baud rate
Serial.begin(115200);
WiFi.begin(ssid, password);
while (WiFi.status() != WL_CONNECTED) {
delay(500);
Serial.println("ESP32 : Connecting to WiFi...");
}
Serial.println("ESP32 : WiFi connected");
Serial.println("ESP32 : IP address: ");
Serial.println(WiFi.localIP());
//Set MQTT details
client.setServer(mqttServer, mqttPort);
client.setCallback(callback);
//Connect to Azure IOT
if (!Esp32MQTTClient_Init((const uint8_t*)connectionString))
{
hasIoTHub = false;
Serial.println("Azure IoT Hub : Initializing IoT hub failed.");
return;
}
hasIoTHub = true;
}
void loop() {
//Connect to MQTT and reconnect if connection drops
if (!client.connected()) {
MQTTConnect();
}
//Respond to messages received
if (MQTTTopic != "") {
Serial.println("MQTT : Topic is [" + MQTTTopic +"]");
Serial.println("MQTT : Payload is [" + MQTTPayload + "]");
AzureIoTHub();
}
client.loop();
}
void AzureIoTHub() {
if (hasIoTHub)
{
String tempString;
tempString = "{" + MQTTTopic + ":" + MQTTPayload + "}";
if (Esp32MQTTClient_SendEvent(tempString.c_str()))
{
Serial.println("Azure IoT Hub : Sending data to Azure IoT Hub succeed");
}
else
{
Serial.println("Azure IoT Hub : Failure...");
}
MQTTPayload = "";
MQTTTopic = "";
}
}
Seeing This In Action
Lets drop to a video to see this in working end-to-end, to validate messages are flowing in to Azure IoT Hub I can use the Azure CLI (AZ-CLI) to monitor the output coupled with the Arduino Serial monitor.
After 24 hours of running, we can see I have published 10.52K of messages in to Azure IoT Hub and there are certain ebbs and flows that occur in my house.
24 hour period of messages flowing in to Azure IoT Hub
Conclusion
There are many ways to skin this code cat. My requirements was to publish messages in to Azure and we have been able to achieve this via different ways (I am sure there is more). Automation is a journey, which path will you take?
We illustrated a transparent side-car approach that will listen to an existing broker, on topics you desire and push these in to Azure IoT, all without making any configuration changes (the most important thing for my implementation). This method runs on a microcontroller, consumes less than 5w of power and just works.
Are there any draw backs? Sure there are. Right now this is one way in direction (simplex) and allows me to push messages in to Azure IoT but not receive messages back.
Personally, I like this approach, it combines the elegance of a SDK as it’s my code and couples the reliability of a microcontroller. It’s my code, my choices on what I do, but I do understand this is not for everyone. We now have my messages, my events, in Azure and it’s time to make some friends and learn how to derive operational intelligence from visualizations through to machine learning and beyond.
This article is contributed. See the original author and article here.
Howdy folks,
We’re thrilled to announce the General Availability (GA) of Continuous Access Evaluation (CAE) as part of the overall Azure AD Zero Trust Session Management portfolio!
CAE introduces real-time enforcement of account lifecycle events and policies, including:
Account revocation
Account disablement/deletion
Password change
User location change
User risk increase
On receiving such events, app sessions are immediately interrupted and users are redirected back to Azure AD to reauthenticate or reevaluate policy. With CAE, we have introduced a new concept of Zero Trust authentication session management that is built on the foundation of Zero Trust principles–Verify Explicitly and Assume Breach. With the Zero Trust approach, the authentication session lifespan now depends on session integrity rather than on a predefined duration. This work is consistent with an industry effort called Shared Signals and Events, and we’re proud to be the first company in the group with a generally available implementation of continuous access!
In fact, we’re so excited about CAE that we auto-enabled it for all tenants. Azure AD Premium 1 customers can make configuration changes or disable CAE in a session blade of Conditional Access.
Session blade of CAE for customizing configurations
With this GA, you’ll be more secure and resilient because the real-time enforcement of policies can safely extend session duration. In case of any Azure AD outages, users with CAE sessions can ride out these outages without ever noticing them.
“With CAE, gone are the days where we are waiting for the session to be revoked or the user to be reauthenticated for critical services like Exchange Online and SharePoint Online. If we ever had a security incident pop with a user identity, knowing that the token can be revoked instantly, is confidence inspiring. Further, the long default session lifetime with CAE is another benefit we welcome, particularly from the perspective of additional resilience to potential outages.”
— BRIDGEWATER
CAE has been one of our most popular preview features and has already been deployed successfully by thousands of customers across millions of users. You can learn more about CAE here, including a full list of apps that support CAE today.
As always, we’d love to hear any feedback or suggestions you have. Let us know what you think in the comments below or on the Azure AD feedback forum.
Recent Comments