Securing access to any resource, anywhere

Securing access to any resource, anywhere

This article is contributed. See the original author and article here.

Zero Trust has become the industry standard for safeguarding your entire digital estate. Central to Zero Trust is securing identity and access, which is essential for protecting resources, enforcing security policies, and ensuring compliance in today’s dynamic digital landscape.


 


With Microsoft Entra, we help our customers create a trust fabric that securely connects any trustworthy identity with anything, anywhere. Driven by the adoption of multicloud strategies in the era of AI, customers are encountering more challenges in securing access, not just across multiple public and private clouds, but also for business apps and on-premises resources. Unlike securing access for humans or within a single environment, where customers have established methods to address challenges, securing access anywhere is more complicated due to the dynamic nature of today’s digital estate and tools to address emerging challenges need further development. To support our customers, we unveiled our vision for securing access in any cloud at this year’s RSA conference. Today, we’re excited to dive deeper into our future investment aimed at securing access to cloud resources from any identity across diverse cloud environments.  


 


Managing multicloud complexity in a rapidly evolving digital environment


 


Organizations are grappling with substantial challenges in navigating cloud access complexities, often citing issues like fragmented role-based access control (RBAC) systems, and compliance violations. These challenges are compounded by the growing use of cloud services from various cloud service providers.  There have been links to several notable breaches attributed to over-permissioned identities. Our customer engagements reveal that organizations are currently using 7 to 8 products, including privileged access management (PAM) and identity governance and administration (IGA) solutions to tackle multicloud access challenges. Despite their efforts, such as toggling across multiple solutions and increasing their workforce, many organizations still struggle to achieve full visibility into their cloud access.


 


Our 2024 State of Multicloud Security Risk Report underscores these ongoing challenges arising from over-permissioned human and workload identities. Analysis of past year usage data from Microsoft Entra Permissions Management confirms that the complexities in multicloud environments primarily stem from rapid identity growth and over-provisioned permissions (learn more), including:   


 



  • Over 51,000 permissions that can be granted to identities – 50% of which are identified as high-risk permissions.

  • Only 2% of those 51,000 permissions were used.

  • Of the 209M identities discovered, more than 50% are identified as super identities that have all permissions to access all resources.   


 


Figure 1: 2024 State of Multicloud Security Risk key findingsFigure 1: 2024 State of Multicloud Security Risk key findings


 


 


Introducing our vision for cloud access management: Building a converged platform


 


Today, I’m excited to expand on our vision for cloud access management.


 


As businesses expand, organizations inevitably face challenges of overprovisioning at various levels. Initially, this manifests as granting more access to accommodate growing teams and workloads and can lead to overlapping access privileges. To address these issues, organizations must proactively identify vulnerabilities in identities and permissions and respond swiftly and, eventually, automatically. There’s a pressing need for a new solution that empowers all identities to access resources in any cloud securely while adhering to least-privileged permissions.


 


To address this critical need, we’re developing a converged platform that encompasses a comprehensive set of capabilities. This upcoming platform is designed to streamline the journey from risk discovery to remediation for secure access to any cloud resource whenever deviations occur, offering:  


 



  • Visibility: Gain insights into all identities and permissions assigned and used and detect risky permissions.

  • Risk remediation: Remediate risky permissions with recommendations.

  • Granular controls: Grant the right privileges for role-specific durations.

  • Automated governance: Implement continuous compliance through automated policies. 


 


Figure 2: How to secure access from any identity across multiple cloudsFigure 2: How to secure access from any identity across multiple clouds


 


Our journey to secure access to resources in any cloud is advancing by building upon our industry-leading Microsoft Entra products:  


 



  • Permissions Management (CIEM) for delivering visibility into identities, permissions, and usage.

  • Privileged Identity Management (PAM) for enforcing least-privileged controls for both human and workload identities.

  • ID Governance (IGA) for automating identity lifecycle and access workflows regardless of origin or usage.

  • Workload ID (IAM for workloads) for offering customized authorization policies for workload identities. 


 


Figure 3: Convergence of four critical areasFigure 3: Convergence of four critical areas


 


Additionally, as part of our continuous Copilot journey, we’re leveraging AI/ML to enhance all the technologies within the cloud access management platform. This enables organizations to uncover risks that are otherwise challenging to detect manually, identify the most significant risks, propose impactful remediations, and recommend usage-based custom roles and policies for any identity as the platform adoption grows. It will help simplify cloud access management and provide more effective ways to secure cloud environments for organizations.


 


 


Our commitment


 


At Microsoft, we’re committed to bringing this vision to life for our customers through the advancement and innovation of our newly converged platform, designed to secure access to resources in any cloud. Additionally, this vision extends to securing access to resources anywhere, including on-premises and business apps. Our goal is to help our customers enhance their security for any access to any resource in the era of AI and robust workload identities. 


 


We look forward to collaborating with the community to realize this vision, empowering every organization to implement least-privileged access and permissions across all identities in multicloud and hybrid environments. We’ll keep you posted on our progress towards this vision. Until our next update, we invite you to explore our products that form the foundation of our cloud access management vision. Learn more about Microsoft Entra ID Governance and Permissions Management.


 


Thank you,


Joseph Dadzie


Partner Director of Product Management


LinkedIn   


Twitter   


 


 


Read more on this topic



 


Learn more about Microsoft Entra  


Prevent identity attacks, ensure least privilege access, unify access controls, and improve the experience for users with comprehensive identity and network access solutions across on-premises and clouds. 



 

MGDC for SharePoint: New, Updated and Upcoming Datasets

MGDC for SharePoint: New, Updated and Upcoming Datasets

This article is contributed. See the original author and article here.

In this post, I’ll cover some exciting news on Microsoft Graph Data Connect for SharePoint as of May 2024. This feature delivers rich data assets to SharePoint and OneDrive tenants. If you’re new to MGDC for SharePoint, start by reviewing this post: https://aka.ms/SharePointData.


 


JoseBarreto_0-1716565627619.jpeg


 


 


TL;DR


 


We have been busy updating our existing SharePoint datasets in MGDC and adding new ones. You can see the full list at https://aka.ms/SharePointDatasets.


 


We have updated our 3 publicly available datasets, just published 1 new dataset and will deliver 3 new datasets in the next few months. Here are some details…


New and Upcoming Datasets


 


The new SharePoint File Actions dataset was released in May 2024. This dataset delivers one object for each file accessed, deleted, downloaded, modified, moved, renamed, or uploaded. This helps you understand how documents are being used in detail. This dataset is now publicly available, billed through Azure at the regular MGDC rate.


 


The new OneDrive Sync Health datasets include information on devices running OneDrive for Business. This includes a dataset with one object for every Sync-enabled device in the tenant and a dataset with details on errors faced by these devices. They were announced by the Sync team at the Microsoft 365 Conference. Sync Health and Sync Errors are in private preview. They will be publicly available by the end of June. This was a joint project between SharePoint, OneDrive Sync and MGDC.


 


The SharePoint Files dataset includes information about files in SharePoint and OneDrive. This delivers one object for every file in the tenant stored in a SharePoint document library, including OneDrives. The Files dataset is in private preview, with Public ETA expected in a few months.


 


Updated datasets


 


Archimedes also added columns to the existing Sites, Groups and Permissions datasets.


 


For SharePoint Sites, our most popular dataset, we added several new properties. Here’s the list:


 



  • ArchiveState: The archive state of the site: None, Archiving, Archived, or Reactivating

  • RootWeb.Configuration: Root web template configuration id

  • RecycleBinItemCount: Number of items in the recycle bin

  • RecycleBinItemSize: Size of the items in the recycle bin

  • SecondStageRecycleBinStorageUsage: Size of the items in the second stage recycle bin

  • IsCommunicationSite: Indicates that the site is a communication site

  • IsOneDrive: Indicates that the site is a OneDrive

  • IsExternalSharingEnabled: Indicates if the site is configured to enable external sharing

  • SiteConnectedToPrivateGroup: Indicates if a site is connected to Private Group

  • Privacy: Privacy of the site: Private or Public. Applies only to team sites

  • Owner.UPN: User Principal Name for the owner of the site

  • SecondaryContact.UPN: User Principal Name for the secondary contact for the site

  • LastUserAccessDate: Last access by a real user for the site (in UTC)


 


That last column is very useful to identify sites that have been inactive for a long time.


For Groups, we introduced a new TypeV2 property for owners and members, to specify the type of user. The old Type property can contain User, SecurityGroup or SharePointGroup, while the new TypeV2 can be InternalUser, ExternalUser, B2BUser, SecurityGroup and SharePointGroup.


 


For the SharePoint Permissions dataset, we added the following columns:


 



  • SharedWith.TypeV2: Expands User types to InternalUser, ExternalUser and B2Buser, as described in the Groups section above

  • SharedWith.UPN: User Principal Name of sharing recipient

  • SharedWith.AadObjectId: AAD Object Id of sharing recipient. Blank if this is not an AAD object.

  • SharedWith.UserCount: Unique user count for this sharing recipient. For groups, this is the number of users in the group, including nested groups. For users, this is always 1. It will be blank if the group is empty or if the count is unavailable

  • TotalUserCount: Unique user count for this entire permission. This will be blank if the count is zero or unavailable

  • ShareCreatedBy.UPN: User Principal Name of user who created the sharing link

  • ShareLastModifiedBy.UPN: User Principal Name of user who modified the sharing link


 


The two new user count columns are a major improvement here. They do group expansion, so you can have the total number of users impacted by the permissions, including nested groups, without having to pull the SharePoint Groups and AAD Groups datasets. You can now detect oversharing using only the Permissions dataset.


 


General improvements


 


MGDC for SharePoint also improved the overall infrastructure for analytics, including:


 



  • Filtering datasets: Downloading only rows that match specific site ids or template id. See details at How can I filter rows on a dataset?

  • Dataset sampling: Get a small sample of the dataset and an full object count without pulling the entire dataset. See details at How can I sample or estimate the number objects in a dataset?

  • Improved messages: Better error messages, including when dates are out of range, or when a region has no SharePoint data.

  • Guidance: Improved documentation, including updated step-by-step guides and schema docs. We also have a new Official MGDC for SharePoint blog in Tech Community with information like useful links and frequently asked questions. Since you’re reading this on the blog, I imagine you already knew about that one :-).


 


Conclusion


 


These are the main improvements to Microsoft Graph Data Connect for SharePoint in the last few months. I hope these changes will improve the feature for your analytics scenarios. We are busy cooking up more improvements and will share them here in the blog as they become available.

Microsoft Outlook introduces SMS on Outlook Lite

Microsoft Outlook introduces SMS on Outlook Lite

This article is contributed. See the original author and article here.

Since its launch in 2022, Outlook Lite has provided a way to enjoy the key features of Outlook in a small download size for low-resource phones. We are continuously looking for ways to meet the communication needs of our core users. Now, we are excited to bring SMS on Outlook Lite to users worldwide. With SMS on Outlook Lite, you can enjoy the convenience and security of sending and receiving SMS messages from your Outlook Lite app. SMS is integrated with your email, calendar, and contacts, so you can stay in touch with your contacts in one app.


 


SMS on Outlook Lite is now available in the latest version of the app, which you can download from the Google Play Store


 


How to get started with SMS on Outlook Lite?


Getting started with SMS on Outlook Lite is easy and fast. Just follow these steps:


 


1. Download Outlook Lite from the Google Play Store (here). If you already have Outlook Lite, make sure you update to the latest version.


2. Open Outlook Lite and click on the bottom tab icon named “SMS”


3. Give required permissions to activate SMS.


4. That’s it! You can now send and receive SMS messages from Outlook Lite.


 


Keerthana_AK_0-1710839794868.png


 


What’s next for SMS on Outlook Lite? 


We are working on adding more features and improvements to SMS on Outlook Lite, such as: 



  • Tighter integration with Email, Calendar and Contacts 

  • Cloud backup of messages 

  • Enhanced Security features.


We would love to hear your feedback and suggestions on SMS on Outlook Lite. You can contact us through the app, or by leaving a comment on this blog post.


 


Thank you for using Outlook Lite! 


 

Challenges in Uploading Files Over 2GB via HTTP Protocol in IIS Web Server

Challenges in Uploading Files Over 2GB via HTTP Protocol in IIS Web Server

This article is contributed. See the original author and article here.

Recently, I had worked on a case where customer`s ask was to upload a file larger than 2gb into the IIS hosted web application.


 


In my case, customer had a normal Asp.net Framework 4.6 application and when they were trying to perform the upload operation of more than 2gb zip file(the extension did not matter…we tested it with .7z and .zip both and it had failed) and somehow on the browser page, we got a Bad request and when I checked the HAR file, i could see a 400 status code.


 


Next, I checked the application configurations…like:


 


 

system.webServer/security/requestFiltering/requestLimits/maxAllowedContentLength 

system.web/httpRuntime/executionTimeout

system.web/httpRuntime/maxRequestLength

 


 


but these values were already configured for the higher number.


 


Articles for references:


HttpRuntime.ExecutionTimeout 


MaxAllowedContentLength 
Request Filtering  


HttpRuntime.maxRequestLength 


 


Also, we checked the App Pool Managed Pipeline Mode, and the interesting part was that we got different error for both the modes.


 


I was able to recreate this scenario in my lab machine for a sample asp.net framework web application and I had captured FREB logs (Failed request tracing logs) for the site for both the scenarios these were the differences I noticed:


 



  • In both the cases, I was able to upload only 2gb file size. 

  • In Integrated Mode, when I tried to upload a 4gb file, I could see this error under the FREB log: ” 

     400 Bad request-Asp.net detected invalid characters in the Url”. So, I tried to increase the value of “maxAllowedContentLength” to the maximum supported value, which is 4gb but still it failed, and it seems that webengine code (webengine4!MgdGetRequestBasics) doesn’t support more than 2 GB content-length.



  • Next, in Classic Mode, when I tried to upload a 4gb file, i got this error under FREB log : “413.1 -request entity too large error”. So, in this case also, I increased the value of “maxAllowedContentLength” to 4gb, but it failed. We did not see any error under FREB log…it was also 200 status code but the file did not upload.


So, the conclusion is that either you keep the application pipeline mode as Integrated or Classic, you would only be able to upload a 2gb file for your web application hosted on IIS.


 


If you would like to perform a larger file upload operation, HTTP protocol isn’t the right one. You need to switch to webDav feature, or use FTP protocol that is meant to perform the file upload/download operation without any size limit or you can keep using Http protocol but  you need to send the data packets as small chunks from client to the server side and then on the server side code, you need to bundle all the chunked packets together for the file upload operation.


 


Also, note that even if you think moving to latest windows server would fix it…that’s not going to help here. This behavior will be same for all the supported IIS across all the versions of supported windows server.



Hope this article helps everyone. :smile:


 


 


 


 


 


 


 


 

Explore Cloud Computing with the New “Azure for Students” Module!

Explore Cloud Computing with the New “Azure for Students” Module!

This article is contributed. See the original author and article here.

I’m really excited to share a new module that I developed by working with the Microsoft Learn Team: “Introduction to Azure for students.” As students, we often encounter numerous tech challenges, from managing projects and assignments to exploring new fields like AI and data science. This module is designed to help you tackle these challenges head-on by diving into the fascinating world of cloud computing with Azure.


 


Designer.jpeg


 


 


Why Cloud Computing?


 


Cloud computing might sound complex, but it’s simpler than you think. Imagine it as a giant library where you can borrow books whenever you need them, without the hassle of buying or storing them. Similarly, cloud computing lets you use computing resources whenever you need them, without owning or maintaining the hardware and software. It’s flexible, easy, and often more affordable.
a4770c3e0fd64906e73172c385edbc59.jpg


 


 


What You’ll Learn


 


In this module, you’ll discover:


 



  • Core Concepts of Cloud Computing: Learn the basics and understand what cloud computing is all about.

  • Azure in Action: Explore real-world scenarios to see how Azure is used in various fields, from student projects to professional healthcare.

  • Getting Started with Azure: Find out about the tools and services that will help you begin your Azure journey.


 


Why Azure Cloud?


 


Azure is Microsoft’s cloud platform, offering over 200 products and services. Whether you’re into AI, app development, data science, or machine learning, Azure has it all. Here’s how Azure can help you as a student:


 



  • Access Powerful Tools: Utilize advanced tools and services without the need for expensive hardware.

  • Scalability: Easily scale your resources up or down based on your project needs.

  • Cost-Effective: Pay only for the resources you use and take advantage of free services and a $100 Azure credit with the Azure for Students offer.


 


How Azure Can Help with College Projects?


 


Imagine you’re working on a complex college project that involves data analysis and collaboration with classmates. With Azure, you can set up a virtual environment where everyone can work together seamlessly, share resources, and analyze data in real-time. Need to develop a mobile app for your project? Azure provides all the necessary tools and platforms to build, test, and deploy your app efficiently.


 


Special Offer for Students!


 


Being a student usually means living on a budget. Good news—Microsoft’s got your back with Azure for Students! Get a $100 Azure credit and access a sea of free services. Learning has never been so cost-effective and fun! Learn more about the Azure for Students offer.


 


1703521221247.jpg


 


 


What are you waiting for? Start learning cloud today by going through the module with hands-on experience by claiming the Azure for Students offer. Whether you’re working on a school project, developing an app, or just curious about the cloud, this module will provide you with the foundation to succeed.


Ready to get started? Sign up on Microsoft Learn to save your progress and take the first step towards an exciting career in cloud computing!

Simplify Your Azure Kubernetes Service Connection Configuration with Service Connector

Simplify Your Azure Kubernetes Service Connection Configuration with Service Connector

This article is contributed. See the original author and article here.

Workloads deployed on an Azure Kubernetes Service (AKS) cluster often need to access Azure backing resources, such as Azure Key Vault, databases, or AI services like Azure OpenAI Service. Users are required to manually configure Microsoft Entra Workload ID or Managed Identities so their AKS workloads can securely access these protected resources.


The Service Connector integration greatly simplifies the connection configuration experience for AKS workloads and Azure backing services. Service Connector takes care of authentication and network configurations securely and follows Azure best practices, so you can focus on your application code without worrying about your infrastructure connectivity.


CocoWang_0-1716567353560.png


Service Connector Action Breakdown


 


Before, in order to connect from AKS pods to a private Azure backing services using workload identity, users needed to perform the following actions manually:



  1. Create a managed identity

  2. Retrieve the OIDC issuer URL

  3. Create Kubernetes service account

  4. Establish federated identity credential trust

  5. Grant permissions to access Azure Services

  6. Deploy the application


Now, Service Connector performs steps 2 to 5 automatically. Additionally, for Azure services without public access, Service Connector creates private connection components such as private link, private endpoint, DNS record,


You can create a connection in the Service Connection blade within AKS.


CocoWang_0-1716567897332.png


 


Click create and select the target service, authentication method, and networking rule. The connection will then be automatically set up. Here are a few helpful links to for you to learn more about Service Connector.