Year: 2019

Azure Authentication, Identity, and Access Management Best Practices (The Series)

Carlos A Lopez (Twitter: @CLopezDC) Cloud Security, Exchange, Exchange Online, Hybrid Migration, Microsoft Security, Office365

Over the years, I have seen how authentication processes have been evolving into what it is and what we know today. My clients already in the cloud or looking into adopting the cloud are constantly asking me about the “Best Practices” to secure their Microsoft cloud adoption. This is why I have decided to write this blog post series of Microsoft Cloud authentication, Identity and Access Management.

Network firewalls used to be considered the perimeter defense of the network. But with cloud services, that perimeters keep getting more porous, and that perimeter defense can’t be as effective as it was before the explosion of BYOD devices and cloud applications.

Today, enterprises are starting to understand that identity needs to be the primary perimeter for security. This is a shift from the traditional focus on network security. Azure Active Directory (Azure AD) is the Azure solution for identity and access management. Azure AD is a multitenant, cloud-based directory and identity management service from Microsoft. It combines core directory services, application access management, and identity protection into a single solution.

Best Practice

  1. Centralized Identity Management (Best Practice 1/10)
  2. Enable single sign-on for the Microsoft Cloud (Best Practice 2/10)
  3. Enable Conditional Access (Best Practice 3/10)
  4. Enable self-service Password reset with Azure AD Premium (Best Practice 4/10)
  5. Enable Conditional Access for cloud access. (Best Practice 5/10)
  6. Enforce multi-factor verification for users (Best Practice 6/10)
  7. Use role-based access control (Best Practice 7/10)
  8. Turn on Azure AD Privileged Identity Management (Best Practice 8/10)
  9. Define at least two emergency access accounts. (Best Practice 9/10)
  10. Ensure all critical admin roles have a separate account for administrative tasks (Best Practice 10/10)

Exchange Online Multi-Geo for data at-rest

Carlos A Lopez (Twitter: @CLopezDC) Azure, Exchange Online, Office365

Multinational companies with offices around the world often have a need to store their employee data at-rest in specific regions, in order to meet their data residency requirements. Multi-Geo enables a single Office 365 tenant to span across multiple Office 365 datacenter geographies (geos), which gives you the ability to store Exchange data, at-rest, on a per-user basis, in your chosen geos. The two main consideration are the following:

  1. Multi-Geo is currently available to customers with a minimum of 2,500 Office 365 services subscriptions and will have to be directly requested to Microsoft.
  2. The only available Geos are: Australia, Asia Pacific, Canada, European Union, France, India, Japan, Korea, United Kingdom, and United States.

New Windows Server 2019 challenges – Change Adapter Options

Carlos A Lopez (Twitter: @CLopezDC) Azure, Backup, Windows Server, Windows Server 2019

After installing my new Windows 2019 server for an Azure Backup Server, I noticed that I now longer have access to neither the Network Card settings nor the MMC console. I was getting a message”

Win2019 Error
Windows cannot access the specified device, path or file. You may not have the appropriate permissions to access the item.

After little research I found that the solution was a simple one.

  1. Elevated the command prompt (CMD) and run gpedit.msc
  2. Navigate to Computer Configuration
  3. Windows Settings -> Security Settings -> Local Policies -> Security Options
  4. Enable “User Account Control: Admin Approval Mode for the Built-in Administrator account”
  5. Reboot the server and try again.