Built-in vulnerability assessment for VMs in Azure Security Center

by Scott Muniz | Aug 10, 2020 | Alerts, Microsoft, Technology, Uncategorized

This article is contributed. See the original author and article here.

What is the built-in vulnerability assessment tool in Azure Security Center?

If you’re using Security Center’s standard tier for VMs, you can quickly deploy a vulnerability assessment solution powered by Qualys with no additional configuration or extra costs.

Qualys’s scanner is the leading tool for identifying vulnerabilities in your Azure virtual machines. Once this integration is enabled, Qualys continually assesses all the installed applications on a virtual machine to find vulnerabilities and presents its findings in the Security Center console. This offering is available to all commercial Azure customers that have enabled Azure Security Center standard pricing tier for VMs. In this post, I will focus on vulnerability scanning of virtual machines, although standard tier also offers scanning for both containers and container registries – learn more here.

How does the integration work?

Our integrated vulnerability scanner is based on 5 different stages: from discovery to findings.

[1] Discovery – To make this integration work, a policy named “vulnerability assessment should be enabled on virtual machines” which is part of the “ASC default” initiative must be enabled. Upon Azure Policy evaluation, we get the compliance data to identify potential and supported virtual machines which don’t have a vulnerability assessment solution deployed. Based on the result, we propagate the data into the recommendation so you can see all relevant virtual machines. Based on compliance data, we categorize the virtual machines as one of the following:

• “healthy” – VMs that have the extension installed and report data.
• “unhealthy” – VMs which could support the extension, but which currently don’t have it.
• “not applicable” – Where the OS type/image is not supported (for example, a virtual machine running Network Virtual Appliance (NVA), Databricks/AKS instances or Classic VMs).

[2] Deployment – This is the step where you can enable the integrated ASC vulnerability scanner by deploying the extension on your selected virtual machine/s either by using ASC console and quick fix button, or by using an automated method (see a reference below for deployment at scale).

Prerequisites for deploying the extension:

1. Running VM with a supported operating system version as mentioned here.
2. Azure VM agent installed and in healthy state.
3. Log Analytics agent installed (formerly known as the Microsoft Monitoring Agent).
4. To install using the quick fix option, you’ll need write permissions for any VM on which you want to deploy the extension. Like any other extension, this one runs on top of the Azure Virtual Machine agent.

Once all prerequisites are met, you should use our newly and consolidated recommendation “A vulnerability assessment solution should be enabled on your virtual machines”. In this recommendation, you can choose to deploy ASC integrated vulnerability scanner or 3^rd party scanner (BYOL).

This recommendation installs the extension on unhealthy machines. Review the heathy and not applicable lists too.

Once the extension is deployed, you can see if it exists, by navigating to the VM page of the Azure portal, and selecting “extensions”:

• On Windows, the extension is called “WindowsAgent.AzureSecurityCenter” and the provider name is “Qualys”
• On Linux, the extension is called LinuxAgent.AzureSecurityCenter and the provider name is “Qualys”

Like the Log Analytics agent itself and all other Azure extensions, minor updates of the vulnerability scanner may automatically happen in the background; the VA agent is self-healing and self-updating to counter common issues. All agents and extensions are tested extensively before being automatically deployed. On a virtual machine (on Windows for example), you will see a process QualysAgent.exe and service “Qualys Cloud Agent” running:

When deploying a vulnerability assessment solution, Security Center previously performed a validation check before deploying. The check was to confirm a marketplace SKU of the destination virtual machine.
Recently, the check was removed and you can now deploy vulnerability assessment tools to ‘custom’ Windows and Linux machines. Custom images are ones that you’ve modified from the marketplace defaults.

[3] Scan – The gathered data collected by the agent includes many things for the baseline snapshot like network posture, operating system version, open ports, installed software, registry info, what patches are installed, environment variables, and metadata associated with files. The agent stores a snapshot on the agent host to quickly determine differences to the host metadata it collects. Such scans occur every 4 hours and are performed per VM, where artifacts are collected and sent for analysis to the Qualys Cloud service in the defined region. For virtual machines created within European regions, the gathered information is sent securely to Qualys Cloud Service in the Netherlands. For all non-EU resources, data is sent for processing in the Qualys Cloud Service in the US.

The sent artifacts are considered as metadata and the same as the ones collected by Qualys’ standalone cloud agent – Microsoft doesn’t share customer details or any sensitive data with Qualys.

[4] Analysis – Qualys analyzes the metadata, registry keys, and other information and builds the findings per VM. Findings are sent to Azure Security Center matching customer’s ID and are removed from the Qualys Cloud.

[5] Findings – You can monitor vulnerabilities on your virtual machines as discovered by the ASC vulnerability scanner using a recommendation named “Vulnerabilities in virtual machines should be remediated” found under the recommendations list. This recommendation is divided to the affected resources and security checks (also known as nested recommendations or sub-assessments).

On the affected resources section, you will find virtual machines categorized as unhealthy, healthy, and not applicable. The section named “Security Checks” shows the vulnerabilities found on the unhealthy resource. Findings are categorized by severity (high, medium, and low). Below, you can see the matching between ASC severity on the left and Qualys’ severities on the right:

If you are looking for a specific vulnerability, you can use the search field to filter the items based on ID or security check title. Selecting a security check, will open a window containing the vulnerability name, description, the impact on your resources, severity, if this could be resolved by applying patch, the CVSS base score (when the highest is the most severe one), relevant CVEs. Then, you will also find the threat, remediation steps, additional references (if applicable) and the affected resource. Once you remediate the vulnerability on the affected resource, it will be removed from the recommendation page.

Deployment at scale

If you have large number of virtual machines and would like to automate deployment at scale of the ASC integrated scanner, we’ve got you covered! There are several ways to accomplish such deployment based on your business requirements. Some customers prefer to automate deployment by executing an ARM template, others prefer automation using Azure Automation or Azure Logic Apps and others by using Azure Policy for both automation and compliance. For all these scenarios and even beyond, we encourage you to visit our ASC GitHub community repository. There, you can find scripts, automations and other useful resources you can leverage throughout your ASC deployment. Some of the methods will deploy the extension on new machines, others cover existing ones as well. There are other scenarios where customers prefer to make API calls to trigger an installation. This is also possible by executing a PUT call to one of our REST APIs, passing the resource ID to the URL. You can also decide to combine multiple approaches.

• ARM Deployment – This method is available on the “view recommendation logic” if you decide to remediate unhealthy resources using Azure portal. The automatic recommendation script content includes the relevant ARM template you can leverage for your automation.
• DeployIfNotExists policy definition – We recently added a custom Azure Policy definition which can easily be deployed into your Azure environment and assigned at the relevant scope (resource group/subscription/management group).
• PowerShell Script – This script can be used to deploy the extension for all unhealthy virtual machines and can be automated using Azure Automation for installation on new resources. The script finds all unhealthy machines discovered by the recommendation and executes an ARM call as mentioned in the first bullet.
• Azure Logic Apps – This sample leverages another functionality available as part of Security Center’s standard tier: workflow automation. Once a new security recommendation is generated for a resource, a trigger calls a Logic App to install the agent.
• REST API – Calling an API for agent deployment is available as well. Perform a PUT request for the following URL by adding the relevant resource ID: 

  https://management.azure.com/resourceId/providers/Microsoft.Security/serverVulnerabilityAssessments/default?api-Version=2015-06-01-preview​

Troubleshooting

Below you will find a checklist for your initial troubleshooting if you experience issues related to the ASC vulnerability scanner:

• Are you running a supported OS version? Use the following list to quickly identify if your VMs are running a supported operating system version.
• Is the extension successfully deployed? Monitor VA extension health across subscriptions using Azure Resource Graph (ARG). ARG becomes handy if you want to validate the extension status across subscriptions is heathy for both Linux and Windows machines. Use the following query:

where type == "microsoft.compute/virtualmachines/extensions"
| where name matches regex "AzureSecurityCenter"
| extend ExtensionStatus = tostring(properties.provisioningState), 
        ExtensionVersion = properties.typeHandlerVersion,
        ResourceId = id, 
        ExtensionName = name, 
        Region = location, 
        ResourceGroup = resourceGroup
| project ResourceId, ExtensionName, Region, ResourceGroup, ExtensionStatus, ExtensionVersion

              Results can be exported into CSV or used to build an Azure Monitor workbook.

• Is the service running? On Windows VMs, make sure “Qualys Cloud Agent” is running. On Linux, run the command sudo service qualys-cloud-agent
• Unable to communicate with Qualys? To communicate with the Qualys Cloud, the agent host should reach the service platform over HTTPS port 443 for the following IP addresses:
  • 64.39.104.113
  • 154.59.121.74

Check network access and ensure to accept the platform URL listed.

• Looking for logs? Both agent and extension logs can be used during troubleshooting. However, Windows and Linux logs can be found in different places. Here are the paths:

Windows:

• Qualys extension:
  • C:Qualys.WindowsAgent.AzureSecurityCenter
  • C:WindowsAzureLogsPluginsQualys.WindowsAgent.AzureSecurityCenter
• Qualys agent:
  • %ProgramData%QualysQualysAgent

Linux:

• Qualys extension:
  • /var/log/azure/Qualys.LinuxAgent.AzureSecurityCenter
• Qualys agent:
  • /var/log/qualys/qualys-cloud-agent.log

Advanced scenarios

Qualys assessment and sub-assessments (security checks) are stored and available for query in Azure Resource Graph (ARG) as well as through the API. A great example for that is available in this blog post. Moreover, you can also build and customize your own dashboards using Azure Monitor workbooks and create such dashboard for more insights. You can easily deploy a Qualys dashboard leveraging ARG queries and workbooks which is available . Soon, you will be able to use Continuous Export feature to send nested recommendations for Qualys into Event Hub or Log Analytics workspaces.

On the roadmap

• Availability for non-Azure virtual machines
• Support for proxy configuration
• Filtering vulnerability assessment findings by different criteria (e.g. exclude all low severity findings / exclude non-patchable findings / excluded by CVE / and more)
• More items are work in progress.

Frequently asked questions

Question: Does the built-in integration support both Azure VMs and non-Azure VMs?
Answer: Our current integration only supports Azure VMs. As mentioned in the roadmap section, we do have plans to support non-Azure virtual machines in the future.

Question: Does the built-in vulnerability assessment as part of standard pricing tier also integrate into the Qualys Dashboard offering?
Answer: Vulnerability assessments performed by our built-in integration is only available through Azure portal and Azure Resource Graph.

Question: Is it possible to initiate a manual/on-demand scan?
Answer: Scan on Demand is a single use execution that is initiated manually on the VM itself, using locally or remotely executed scripts or GPO, or from software distribution tools at the end of a patch deployment job. To do so, the following command will trigger an on-demand metadata sync:

REG ADD HKLMSOFTWAREQualysQualysAgentScanOnDemandVulnerability /v "ScanOnDemand" /t REG_DWORD /d "1" /f

Question: I purchased a separate Qualys/Rapid 7 license, which recommendation should I use?

Answer: We provide additional method for customers who have purchased VA scanner separately and do not use the integrated solution. To enable 3^rd-party integration, use “A vulnerability assessment solution should be enabled on your virtual machines” – this recommendation appears for both standard and free tiers. Then, select “Configure a new third-party vulnerability scanner (BYOL – requires a separate license)”. For this kind of integration, you’ll need to purchase a license for your chosen solution separately. Supported solutions report vulnerability data to the partner’s management platform. In turn, that platform provides vulnerability and health monitoring data back to Security Center.

Question: Can I combine two Qualys installation approaches so that the same VM has both the integrated scanner and the BYOL agent installed?

Answer: No, this is not supported. You can’t combine additional deployment approaches of VA while using the built-in VA capabilities provided by ASC.

In the next blog posts, we will discuss on how you can leverage integration for container and container registry images. Stay tuned!

Reviewers:

• Melvyn Mildiner – Senior Content Developer
• Ben Kliger – Senior PM Manager
• Aviv Mor – Senior Program Manager
• Nomi Gorovoy – Software Engineer

Secure your Calls- Monitoring Microsoft TEAMS CallRecords Activity Logs using Azure Sentinel

by Scott Muniz | Aug 8, 2020 | Alerts, Microsoft, Technology, Uncategorized

This article is contributed. See the original author and article here.

This blog is authored and technically implemented by @Hesham Saad with hearty thanks to our collaborator and use-cases executive mind brain @yazanouf 

Before we dig deep on monitoring TEAMS CallRecords Activity Logs, please have a look at “Protecting your Teams with Azure Sentinel” blog post by @Pete Bryan on how to ingest TEAMS management logs into Azure Sentinel via the O365 Management Activity API

Collecting TEAMS CallRecords Activity Data 

This section we will go into details on how to ingest TEAMS CallRecords activity logs into Azure Sentinel via the Microsoft Graph API and mainly leveraging CallRecords API which is a Graph webhook API that will give access to the Calls activity logs. SOC team can subscribe to changes to CallRecords via Azure Sentinel and using the Microsoft Graph webhook subscriptions capability, allowing them to build near-real-time reports from the data or to alert on specific scenarios , use cases which mentioned above.

Technically you can use the call records APIs to subscribe to call records and look up call records by IDs, the call records API is defined in the OData sub-namespace, microsoft.graph.callRecords.

So, what are the key resources types returned by the API ?

The callRecord entity represents a single peer-to-peer call or a group call between multiple participants, sometimes referred to as an online meeting.  A peer-to-peer call contains a single session between the two participants in the call. Group calls contain one or more session entities. In a group call, each session is between the participant and a service endpoint. Each session contains one or more segment entities. A segment represents a media link between two endpoints. For most calls, only one segment will be present for each session, however sometimes there may be one or more intermediate endpoints. For more details click here

Below is the main architecture diagram including the components to deploy Teams CallRecords Activity Logs Connector:

Deployment steps:

Register an App 

Create and register Azure AD APP to handle the authentication and authorization to collect data from the Graph API. Here are the steps – navigate to the Azure Active Directory blade of your Azure portal and follow the steps below: 

1. Click on ‘App Registrations’  
2. Select ‘New Registration’  
3. Give it a name and click Register.  
4. Click ‘API Permissions’ blade.  
5. Click ‘Add a Permission’.  
6. Click ‘Microsoft Graph’.  
7. Click ‘Application Permissions’.  
8. Search for ‘CallRecords’, Check CallRecords.Read.All. Also, Search for ‘Directory’ and Check Directory.ReadWrite.All and ‘Click ‘Add permissions’.  
9. Click ‘grant admin consent’. 
10. Click ‘Certificates and Secrets’.  
11. Click ‘New Client Secret’  
12. Enter a description, select ‘never’. Click ‘Add’.  
13. Note– Click copy next to the new secret and store it somewhere temporarily. You cannot come back to get the secret once you leave the blade.  
14. Copy the client Id from the application properties and store it.  
15. Copy the tenant Id from the main Azure Active Directory blade and store it.  

Deploy a Logic App 

Last step is to collect the CallRecords activity data and ingest it into Azure Sentinel via a Logic App.

Navigate to Azure Sentinel workspace, click at Playbooks blade and follow the steps below: 

1. Click on ‘Add Playbook’  
2. Select ‘Resource Group’, type a name to your logic app for example ‘TeamsCalls-SecurityGraphAPI’ and toggle on ‘Log Analytics’
3. Click ‘Review + Create’ then ‘Create’
4. Open your new logic app ‘TeamsCalls-SecurityGraphAPI’
5. Under ‘Logic app designer’, add the following steps:
   1. Add ‘Recurrence’ step and set the value to 10 minute for example
   2. Add ‘HTTP’ step to create CallRecords subscriptions, creating a subscriptions will subscribe a listener application to receive change notifications when the requested type of changes occur to the specified resource in Microsoft Graph, for more details on Create Subscriptions via Microsoft Graph API
      1. Method: POST
      2. URI: https://graph.microsoft.com/beta/subscriptions
      3. Body, note that you can edit ‘changeType’ value with ‘created,updated’ for example, ‘notificationUrl’ is the subscription notification endpoint for more details on notificationUrl

         1. {
              "changeType": "created",
              "clientState": "secretClientValue",
              "expirationDateTime": "2022-11-20T18:23:45.9356913Z",
              "latestSupportedTlsVersion": "v1_2",
              "notificationUrl": "https://outlook.office.com/webhook/3ec886e9-86ef-4c86-bfff-2d0321f3313e@2006d214-5f91-4166-8d92-95f5e3ad9ec6/IncomingWebhook/9c6e121ed--x-x-x-x99939f71721fcbcc7/03c99422-50b0-x-x-x-ea-a00e-2b0b-x-x-x-12d5",
              "resource": "/communications/callRecords"
            }

      4. Authentication Type: Active Directory OAuth
      5. Tenant: with Tenant ID copied above
      6. Audience: https://graph.microsoft.com
      7. Client ID: with Client ID copied above
      8. Credential Type: Secret
      9. Secret: with Secret value copied above
   3. Add ‘HTTP’ step to list all subscriptions:
      1. Method: GET
      2. URI: https://graph.microsoft.com/v1.0/subscriptions
      3. Authentication Type: Active Directory OAuth
      4. Tenant: with Tenant ID copied above
      5. Audience: https://graph.microsoft.com
      6. Client ID: with Client ID copied above
      7. Credential Type: Secret
      8. Secret: with Secret value copied above
   4. If you want to get all sessions details per specific call record session ID follow the below steps, noting that the below example is for a single CallRecord Session ID for the sake of demonstration and hence we added a variable item, you can simply add a loop step to get all sessions IDs from the created CallRecords subscription step:
      1. Method: GET
      2. URI: https://graph.microsoft.com/beta/communications/callRecords/@{variables(‘TEAMSCallRecordsID’)}/sessions
      3. Authentication Type: Active Directory OAuth
      4. Tenant: with Tenant ID copied above
      5. Audience: https://graph.microsoft.com
      6. Client ID: with Client ID copied above
      7. Credential Type: Secret
      8. Secret: with Secret value copied above
   5. Add ‘Send TEAMS CallRecords Data to Azure Sentinel LA-Workspace’ step, after doing the connection successfully via your Azure Sentinel Workspace ID & Primary key:
      1. JSON Request Body: Body
      2. Custom Log Name: TEAMSGraphCallRecords

The complete Playbook code view have been uploaded to github repo as well, please click here for more details and check out the readme section.

Monitoring TEAMS CallRecords Activity

When the Playbook run successfully, it will create a new custom log table ‘TEAMSGraphCallRecords_CL’ that will have the CallRecords activity logs, you might wait for a few minutes till the new CL table been created and the CallRecords activity logs been ingested.

Navigate to Azure Sentinel workspace, click at Logs blade and follow the steps below: 

1. Tables > Group by: Solution > Custom Logs: TEAMSGraphCallRecords_CL
2. Below are the list of main attributes that have been ingested:
   1. TimeGenerated
   2. Type_s: groupCall
   3. modalities_s: Audio, Video, ScreenSharing, VideoBasedScreenSharing
   4. LastModifiedDateTime
   5. StartDateTime, endDateTime
   6. joinWebUrl_s
   7. organizer_user_displayname_s
   8. participants_s
   9. sessions_odata_context_s
3. As you can see from the results below we get the complete TEAMS CallRecords activity logs.

Parsing the Data 

Before building any detections or hunting queries on the ingested TEAMS CallRecords Activity data we can parse and normalize the data via a KQL Function to make it easier to use:

The parsing function have been uploaded as well to the github repo.

Part (2): we will share a couple of hunting queries and upload them to github, it’s worth to explore Microsoft Graph API as there are other TEAMS related APIs logs that can be ingested based on the requirements and use cases:

• TeamsActivity: 
  • Read all users’ teamwork activity feed
• TeamsAppInstallation:
  • Read installed Teams apps for all chats
  • Read installed Teams apps for all teams
  • Read installed Teams apps for all users
• TeamsApp
  • Read all users’ installed Teams apps

…etc

We will be continuing to develop detections and hunting queries for Microsoft 365 solutions data over time so make sure you keep an eye on GitHub.  As always if you have your own ideas for queries or detections please feel free to contribute to the Azure Sentinel community. 

Azure Cache for Redis TLS versions

by Scott Muniz | Aug 7, 2020 | Alerts, Microsoft, Technology, Uncategorized

This article is contributed. See the original author and article here.

Set-AzRedisCache -Name <YourRedisName> -MinimumTlsVersion "1.2"

param(
[Parameter(Mandatory=$true)]
[string]$redisCacheName,
[Parameter(Mandatory=$false)]
[string]$dnsSuffix = ".redis.cache.windows.net",
[Parameter(Mandatory=$false)]
[int]$connectionPort = 6380,
[Parameter(Mandatory=$false)]
[int]$timeoutMS = 2000
)
$redisEndpoint = "$redisCacheName$dnsSuffix"
$protocols = @(
    [System.Security.Authentication.SslProtocols]::Tls,
    [System.Security.Authentication.SslProtocols]::Tls11,
    [System.Security.Authentication.SslProtocols]::Tls12
)
$protocols | % {
    $ver = $_
    $tcpClientSocket = New-Object Net.Sockets.TcpClient($redisEndpoint, $connectionPort )
    if(!$tcpClientSocket)
    {
        Write-Error "$ver- Error Opening Connection: $port on $computername Unreachable"
        exit 1;
    }
    else
    {
        $tcpstream = $tcpClientSocket.GetStream()
        $sslStream = New-Object System.Net.Security.SslStream($tcpstream,$false)
        $sslStream.ReadTimeout = $timeoutMS
        $sslStream.WriteTimeout = $timeoutMS
        try
        {
            $sslStream.AuthenticateAsClient($redisEndpoint, $null, $ver, $false)
            Write-Host "$ver Enabled"
        }
        catch [System.IO.IOException]
        {
            Write-Host "$ver Disabled"
        }
        catch
        {
            Write-Error "Unexpected exception $_"
        }
    }
}

Risky Business in Azure AD…

by Scott Muniz | Aug 7, 2020 | Alerts, Microsoft, Technology, Uncategorized

This article is contributed. See the original author and article here.

Hi all, Zoheb here publishing on behalf of a guest author, Morne Naude. So without further ado…

Hi Everyone,

Morne here again and welcome to the first blog in our series on Azure Active Directory Security where we will be sharing all details on how we helped our SMC customers reduce the attack vector by enabling Identity Protection in Azure.

If you have not read our introductory blog covering the entire background on our SMC Delivery Methodology, please do give it a read now before continuing here.

How Microsoft Mission Critical Team Helped Secure AAD

If an Electron Can Be in Two Places at Once, Why Can’t You …

Well you can’t PERIOD

We refer to this as Atypical travel “Sign in from an atypical location based on the user’s recent sign-ins.“ or Unfamiliar sign-in properties “Sign in with properties we’ve not seen recently for the given user.”

Before we get on to more details on how we helped our SMC customer, here is some background information on Identity Protection & Risky Sign ins which may help you understand the subject better.

What is Azure Active Directory Identity Protection?

Identity Protection is a tool that allows organizations to accomplish three key tasks:

• Automate the detection and remediation of identity-based risks.
• Investigate risks using data in the portal.
• Export risk detection data to third-party utilities for further analysis.

Identity Protection uses the learnings Microsoft has acquired from their position in organizations with Azure AD, the consumer space with Microsoft Accounts, and in gaming with Xbox to protect your users. Microsoft analyses 6.5 trillion signals per day to identify and protect customers from threats.

This is but a few examples of risk types Azure identity protection use in its classifications.

Risk Classification

Coming back to our customers’ pain areas, we were detecting a high number of Risky Sign ins every day across the organization, we spotted these during the Azure AD Assessments as well as observations from the Risky Sign in logs.

Working with the Mission Critical team gives our customers the ultimate personalized support experience from a designated team that:

1. Knows you and knows what your solution means to your enterprise
2. Works relentlessly to find every efficiency to help you get ahead and stay ahead
3. Advocates for you and helps ensure get you the precise guidance you need.

Knowing the customer well helped us understand the extent of the problem, to work closely with their Identity team and recommend improvements to them.

There were various attack trends observed from Azure AD Connect Health related to Password spray, Breach replay, Phishing etc. on Azure and it was an urgent need of the hour to get into a better security posture.

After speaking with the messaging team, we realized that few of the Risky users had strange Mailbox rules created and were spamming multiple users in the organization (more details to come in one of our following blogs).

If you are interested to read more about Forms Injection Attacks on emails please see: https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/detect-and-remediate-outlook-rules-forms-attack?view=o365-worldwide

Our customer had no policy/process configured to tackle this issue, they only had Multi Factor Authentication (MFA) in place for Global Admins.

Policies

We suggested to enable User Risk as well as Sign-in Risk policies for users deemed as “high-risk”, below are some details on how it was enabled for our customer.

• Sign-in risk policy

Identity Protection analyses signals from each sign-in, both real-time and offline, and calculates a risk score based on the probability that the sign-in wasn’t performed by the user. Administrators can decide based on this risk score signal to enforce organizational requirements. Administrators can choose to block access, allow access, or allow access but require multi-factor authentication.

We enabled Sign in risk Policy to force “MFA” for all “High Risk” users as per configuration below.

• User risk Policy

Identity Protection can calculate what it believes is normal for a user’s behaviour and use that to base decisions for their risk. User risk is a calculation of probability that an identity has been compromised. Administrators can decide based on this risk score signal to enforce organizational requirements.

Considering the circumstances, we suggested to our customer to implement below User Risk policy, this policy would ensure that if there is any “High Risk” user he will be required to change Password as per configuration below.

So, these two policies ensured all the Risky Sign in users are forced to use MFA and change their passwords.

Notification for Risky users

Our customer has Azure AD P2 licensing, so we could leverage the full set of Identity protection features.

We configured the users at risk email in the Azure portal under Azure Active Directory > Security > Identity Protection > Users at risk detected alerts.

By default, recipients include all Global Admins. Global Admins can also add other Global Admins, Security Admins, Security Readers as recipients.

Optionally you can Add additional emails to receive alert notifications; this feature is a preview and users defined must have the appropriate permissions to view the linked reports in the Azure portal. We included members of the Identity and Security teams as well. 

The weekly digest email contains a summary of new risk detections, such as:

• New risky users detected
• New risky sign-ins detected (in real-time)
• Links to the related reports in Identity Protection

This resulted in a drastic reduction in the number of risky users and risky sign-ins. Additionally we helped implement a process of investigation and remediation of these at- risk accounts from the service desk to the internal security department. Currently the business is in the process of including Medium based at-risk accounts into the above policies.

NOTE: The features and guidelines implemented in this case were specific to this customer’s requirements and environment, so this is not a “General” guideline to enable any of the mentioned features.

Hope this helps,

Morne

Azure Advocates Weekly Roundup – Follow Us : we are everywhere!

by Scott Muniz | Aug 7, 2020 | Alerts, Microsoft, Technology, Uncategorized

This article is contributed. See the original author and article here.

August is already a week over, can you believe it? That doesn’t stop this team they’re everywhere doing great things to make the experience better for you in the docs, product and services. Have some feedback? Comment on their posts, contact them on twitter or wherever you see them engaging.

Cloud Advocates List on Microsoft Docs

Azure Cloud Adviocates Twitter List

Follow @azureadvocates on Twitter

Content Round Up

WebAssembly, your browsers sandbox
Aaron Powell

We’ve been doing web development for 30+ years and in all that time have you ever stopped to think, “This SPA needs more C++”? Well thanks to the power of WebAssembly you can finally bring C, C++, Rust, Go and other high level languages to the browser.

MS Dev Twitch Stream: Build a Virtual Reality Snake Game with JavaScript! – Aug 5th
Cassie Breviu

Azure Monitor for Azure Arc enabled servers
Thomas Maurer

Docker, FROM scratch
Aaron Powell

HobbyHack Augmented Reality on the Web Workshop Video
Aysegul Yonet

Assess AWS VMs with Azure Migrate
Sarah Lean

ITOpsTalk Blog: Step-by-Step: Traditional Windows Cluster setup in Azure
Pierre Roman

Blog/ Setting-up Visual Studio Codespaces for .NET Core (EN)
Justin Yoo

Since April 2020 Visual Studio Codespaces has been generally available. In addition to that, GitHub Codespaces has been provided as a private preview. Both are very similar to each other in terms of their usage. There are differences between both, though, discussed from this post. Throughout this post, I’m going to focus on the .NET Core application development.

Add ISO DVD Drive to a Hyper-V VM using PowerShell
Thomas Maurer

State of the Art in Automated Machine Learning
Francesca Lazzeri

• Automated Machine Learning (AutoML) is important because it allows data scientists to save time and resources, delivering business value faster and more efficiently
• AutoML is not likely to remove the need for a “human in the loop” for industry-specific knowledge and translating the business problem into a machine learning problem
• Some important research topics in the area are feature engineering, model transparency, and addressing bias
• There are several commercial and open-source AutoML solutions available now for automating different parts of the machine learning process
• Some limitations of AutoML are the amount of computational resources required and the needs of domain-specific applications

Building & Debugging Microservices faster using Kubernetes and Visual Studio
Shayne Boyer

Video: Assess AWS VMs with Azure Migrate
Sarah Lean

Let’s Talk About Azure AD and Microsoft Identity Platform
Matt Soucoup

Authenticate a ASP.NET Core Web App With Microsoft.Identity.Web
Matt Soucoup