Tools to drive your Zero Trust implementation

Today, someone said on a call that implementing a zero-trust model was as difficult as learning a new language and that they did not know where to start.

I am trying to describe the areas and provide my peers with ideas on where to start with the basics of zero-trust. As you assess your Zero Trust readiness and plan the changes to improve protection across identities, devices, applications, data, infrastructure, and networks, CIOs and IT personnel should consider these key areas to help drive the Zero Trust implementation more effectively.

  1. Strong authentication: Ensure strong multi-factor authentication and session risk detection as the backbone of your access strategy to minimize the risk of identity compromise.
  2. Policy-based adaptive access: Define acceptable access policies for your resources and enforce them with a consistent security policy engine that provides both governance and insight into variances.
  3. Micro-segmentation: Move beyond a simple centralized network-based perimeter to comprehensive and distributed segmentation using software-defined micro-perimeters.
  4. Automation: Invest in automated alerting and remediation to reduce your mean time to respond (MTTR) to attacks.
  5. Intelligence and AI: Utilize cloud intelligence and all available signals to detect and respond to access anomalies in real time.
  6. Data classification and protection: Discover, classify, protect, and monitor sensitive data to minimize exposure from malicious or accidental exfiltration.

Microsoft Ignite 2019 – Exchange Online Announcements

I had the opportunity to attend the Microsoft Ignite conference in Orlando, Florida last week. I had an amazing time connecting with old friends and making new ones too. I enjoyed talking with other attendees, Microsoft staff and MVPs, and vendors about the value and impact of Microsoft365, Azure and other Microsoft services in our daily life.

Coming from an Exchange/Messaging background, it was a little difficult to realize that the Microsoft Exchange product has reached its maturity level and the focus has been diverted into other directions, especially Azure and Security. However, the Microsoft Exchange Team managed to put on several amazing breakout sessions with very important announcements that will bring benefits to end users and administrators.

Exchange Online Email Enhancements for End Users

  • Support for Plus Addressing

Now you can have addresses such as carlos+otherusers@m365talks.com

  • Send from proxy address (alias)

The ability to send from an SMTP proxy address (alias) and have that address preserved in the recipient’s FROM and REPLY TO is one of those enhancements. (Pretty cool feature)

  • Message Recall in Exchange Online

This one is the best feature released. The current Message Recall feature is client-based, and only Outlook for Windows supports it today. The sender needs to use Outlook to recall a message, and the recipient needs to use Outlook for the recall to work. But because M365 hosts millions of mailboxes, Microsoft is now able to implement a cloud-based message recall in the Office 365 datacenters that will recall the message directly from Office 365 mailboxes. It won’t matter which email client the recipient uses to sync with their Office 365 mailbox.

  • Reply-All Storm Protection

For an organization in Office 365, Microsoft will identify what looks like it might be a Reply-All storm conversation. A temporary block will then prevent anyone from replying to all members of the conversation, sending a bounce message (NDR) back to anyone who tries. So, when Exchange Online detects what looks like it might be a Reply-All storm, anyone who subsequently attempts to reply to everyone will get an NDR back instead.

 

Some of the announcements about email enhancements for Admins

  • Modern Exchange Admin Center (EAC) Portal

Updated to look like all other Office365 admin portals

  • Customizable Recipient Limits

The setting can be found in EAC > Recipients > Mailboxes > Mailbox Features > Mail Flow, and once made available in the first part of 2020, admins will be able to customize the Recipient Limit from 1 to 1000 for individual mailboxes.

Example: Set-Mailbox clopez@m365talks.com -RecipientLimits 20

  • Securing SMTP Auth Submissions

Organizations required to use MFA, Conditional Access, sign-in risk policies, and modern authentication have compliance challenges, especially with printers, scanners, or SMTP relays that do not support modern authentication. To help reduce the potential for exploiting the less secure SMTP authenticated submission protocol, last year the Exchange Team introduced the ability to disable SMTP authenticated submission for both your organization and for individual mailboxes via Remote PowerShell cmdlets.
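One way to apply the organization-wide and per-mailbox SMTP AUTH settings described above, shown as an added example that is not part of the original post. It assumes the ExchangeOnlineManagement module is installed; the two device mailbox addresses are hypothetical placeholders.

```powershell
# Added example: disable SMTP AUTH tenant-wide, keep it only for approved device mailboxes.
# Assumes the ExchangeOnlineManagement module and an Exchange administrator role.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline

# Hypothetical mailboxes used by devices that cannot do modern authentication.
$approved = @('scanner01@example.com', 'relay01@example.com')

# 1. Record the current organization-wide value before changing anything.
Get-TransportConfig | Format-List SmtpClientAuthenticationDisabled

# 2. Find mailboxes that explicitly allow SMTP AUTH.
#    An empty value means the mailbox inherits the organization setting,
#    so only an explicit $false is an override worth reviewing.
$overrides = Get-CASMailbox -ResultSize Unlimited |
    Where-Object { $_.SmtpClientAuthenticationDisabled -eq $false }

# 3. Separate overrides that are not on the approved list.
$unexpected = $overrides |
    Where-Object { $approved -notcontains [string]$_.PrimarySmtpAddress }
$unexpected | Select-Object PrimarySmtpAddress, SmtpClientAuthenticationDisabled

# 4. Disable SMTP AUTH for the whole organization.
Set-TransportConfig -SmtpClientAuthenticationDisabled $true

# 5. Explicitly allow it for the approved device mailboxes only.
foreach ($address in $approved) {
    Set-CASMailbox -Identity $address -SmtpClientAuthenticationDisabled $false
}

# 6. After review, reset unexpected overrides so they inherit the
#    organization setting again ($null removes the per-mailbox value).
foreach ($mailbox in $unexpected) {
    Set-CASMailbox -Identity $mailbox.Identity -SmtpClientAuthenticationDisabled $null
}

# 7. Verify: only the approved mailboxes should be listed now.
Get-CASMailbox -ResultSize Unlimited |
    Where-Object { $_.SmtpClientAuthenticationDisabled -eq $false } |
    Select-Object PrimarySmtpAddress
```

A per-mailbox value takes precedence over the organization setting, which is why step 6 clears stale overrides instead of leaving them in place.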

Directory Requirement for Exchange Hybrid Using Okta SSO

This week I have been supporting a client that already has an Office365 tenant with accounts synchronized using Okta Universal Sync. The client would like to migrate the mailboxes and establish an Exchange Hybrid. The client requested to avoid using AADConnect and to keep using Okta Universal Sync, but there are some considerations we need to take into account.

  1. Microsoft does not support an Exchange Hybrid deployment that does not have AADConnect (DirSync legacy) to synchronize the AD objects.
  2. Okta does not recommend using the Okta Universal Sync if there is a hybrid Exchange.
  3. Okta can still be used as the authentication/federation platform.

From Okta Documentation (Okta Office 365 Deployment Guide)

“It is important to note that if another technology is performing the synchronization of accounts to Office 365, and Okta is handling the federation for authentication, you need to ensure the Okta account usernames match the Office 365 usernames. This can easily be configured in Okta using Universal Directory attribute expression, this is described later in this document. During migration to Office 365, some organizations find the need to instantiate an Exchange Hybrid configuration. In doing so, it is likely that you have one of Microsoft’s technologies performing part of the directory synchronization, DirSync, AADConnect or Forefront Identity Manager (FIM). Whilst in these Hybrid deployments, Okta cannot replace the need for these tools and instead can be used directly alongside for single sign-on and role and license management.”