
You Moved to Office 365, Now What?

BSides Charm · 2019 · 52:58 · 17 views · Published 2021-05
About this talk
Sean Metcalf explores security in Microsoft's cloud environment, covering how Office 365 and Azure AD are attacked, key security controls, and mitigation strategies. The talk addresses logging configuration, admin account protection, federation server hardening, password policies, and best practices for securing cloud deployments.
You Moved to Office 365, Now What? Microsoft's Office 365 boasts 90% of the Fortune 500 leveraging the simplified email and collaboration services. The benefits of the cloud are numerous, but is it secure or just "good enough"? This session explores how the Microsoft cloud is attacked, Microsoft Cloud (Office 365 & Azure AD) key security controls, how to mitigate common threats, and how to protect users and data.

Presenter: Sean Metcalf (@PyroTek3). Sean Metcalf is founder and principal consultant at Trimarc (www.TrimarcSecurity.com), a professional services company which focuses on improving enterprise security. He is one of about 100 people in the world who holds the Microsoft Certified Master Directory Services (MCM) certification, is a Microsoft MVP, and has presented on Active Directory attack and defense at Black Hat, BSides, DEF CON, DerbyCon, Microsoft BlueHat, Shakacon and Walmart Sp4rkCon security conferences. He currently provides security consulting services to customers and regularly posts interesting Active Directory security information on his blog, ADSecurity.org.
Transcript [en]

all right i think we're ready to go how's everyone doing today a little tired after lunch yeah it's good we good for video all right great good afternoon this is you've moved to office 365. now what i'm put this together because this is a question that i've heard many times we're going to office 365 we moved to office 365. we really haven't looked at anything there our cio said we're going into this figure it out so what am i supposed to do with that so i'm sean metcalf founder of trimark also a microsoft certified master in active directory this is not an act directory talk it's an azure active directory talk microsoft mvp once again and speaker of

many conferences i this is my fifth time speaking of b-sides baltimore besides charm and i'm excited to say that i spoke for the first time at a conference at the first besides charm so i'm happy to be back again and hopefully you've heard of 80security.org we're working to get some more or actually get some microsoft cloud content into that site as well so there's a lot that i'm going to be talking about uh what's the cloud attacking the cloud auditing administration some security controls controlling the access of who can who can connect to it some password insights tuning up your your cloud security testing those defenses actually i move that to the end because i had so much other stuff i

wanted to talk about and then we're going to do some best practices and wrap up so a few weeks ago i tweeted out hey i'm doing this talk what do you want to hear about and a bunch of people responded and it was very interesting the responses i got so i figured i'd categorize them and put them up for you and it seemed like one of the biggest concerns that people have around officer 65 is logging what does it mean how do you configure it and the security features and controls which is perfect because i'm talking about these things so just ignore everything else to the right because i kind of touch on that but not

so much all right so the microsoft cloud you sign up for office 365 guess what the first one in gets global admin so whoever set up the microsoft cloud for you office 365 they are your global admin for your organization it may be someone in accounting and maybe someone in finance and maybe someone in contracting or it may be the executive assistant into the person who runs the company uh you might want to look into that so you can figure your azure ad connect to synchronize your users and groups you're going to go ahead and set that up maybe you'll enable the password hash sync which we'll talk about a little bit later you're going to move your microsoft mail

over to exchange online and keep one of your exchange servers on-prem for management keep in mind that if there were any issues with the way that exchange permissions were configured before just because you moved to the cloud they're still there you still have a hybrid exchange server on-prem so if an attacker compromises that exchange server they can do all the fun exchange stuff to compromise 80. so then you're going to update your mail flow and say okay no longer send it to my company.court but you're going to send it to microsoft's office 365 mx records or some other security company that has a email security control send to them and then you'll get it into your

office 365 environment and you're done right everything's great the cloud is rainbows and clouds and it's just magic everything works all the security is handled for you by microsoft because that's what you've been told right okay sorry about the microsoft joke i apologize at least it's only one but we've heard this the cloud is more secure because fill in the blank spends millions every year on cloud security it's got to be millions of dollars flowing into it amazon microsoft google they're all putting tons of money into the cloud why because they realize that this is how they're going to make revenue numbers and they will because the subscription model is adobe proved is very profitable the problem is

that we're not used to a cloud we're used to something a little more like this well maybe from like 20 years ago i apologize i'm not great at vizio so we have our internet we have our dmz and we have a router that kind of protects everything maybe a firewall if we're a little more advanced but this is well understood we we know how to secure our on-prem environment well not everyone but we're getting there right we have security uh boxes on our perimeter we have firewalls we have web content filtering we've got edr everywhere we've got all sorts of security tools and blinky boxes so we have a pretty good idea of what it

means when we configure a host-based firewall on our server which of course we don't do because we have a perimeter firewall the cloud is quite different because we've moved from the situation where we have a perimeter or maybe we don't but we have some sort of control that someone has to move through to get from the internet into our environment to get to our services and hopefully there's some documented way that that happens the cloud is a bit different because we're talking about anywhere access to these services from anywhere in the world it's not like if you're in the us and you join office 365 then microsoft is going to know that xyz corp is only accessing their cloud resources

their mail and everything else from their xyz corp environment no attackers know the cloud better than we do we're learning this we're figuring this out especially if it's been dropped in your lap and the cio says guess what we're moving officer 65 next week or maybe by the end of the month or maybe by the end of the year we've worked with customers that two three years ago were never cloud not happening never doing it guess what they're in the cloud today or they're moving to the cloud this year because from the perspective of this your executives in the organization they have heard all of the talk about the cloud and how it's cheaper and it's better and

it's more efficient and so they're moving toward no matter what so it's the train is happening the train is moving down the road the problem is that the cloud changes rapidly every three to six months every week microsoft sends out another email here's the things that have changed and we can't keep up with that because it's confusing it's difficult to find information things keep changing well attackers are way ahead of us when it comes to the cloud so we're going to talk about some of these statistics and and how we can help solve this problem azure active directory is what you get when you move to office 365 and these numbers have gone up rapidly

over the years we're talking a large number of organizations 90 of the fortune 500 are in office 365. and i'm pretty sure that number is pretty consistent as you spread out to the fortune 1000 just about every company that we work with is in office 365 or another cloud similar environment or planning to go there so what is the cloud active directory this azure active directory well you have on-prem ad and you have this azure id they are not the same thing at all azure ad is like 60 to 70 of what your on-prem ads so you're not able to take that knowledge you already have your on-prem ad and ported over to azure 80.

it's very different these lines do not align at all authentication is different management is different you don't have ntlm or kerberosoft you don't have ldap you don't have group policy all that is gone that is not in azure ad there are other hosted type offers for that which are effectively an 80 in the cloud but that's not what azure id is so one of the things we hear a lot from organizations is well we're going to move from our on-prem ad to azure 80. now mike we'll slow down let's let's talk about what that means because you don't get group policy and you're not going to be able to support your applications in the cloud in azure

80 like you do today the biggest issue is that the attackers absolutely love the cloud microsoft has posted some statistics from their ignite conference in 2018 saying that most of the data breaches involve weak default or stolen passwords and they blocked over a billion authentication requests in august of last year that they identified as malicious that's just what they blocked there's a lot of others that got through because of problems like this the passwords that we hated on-prem still followed us into the cloud and continue to be a problem and there's been a huge increase of these attacks against accounts in the cloud why because it's easy i can password spray the cloud all day

long who's gonna notice who's gonna block that i will talk about that also this got so bad last year that the us cert actually posted a bulletin in march and said brute force attacks conducted by cyber actors attackers are going after the cloud they're going to go after your company if they realize you're in the cloud and guess what they're going to know you're in the cloud from what your mx record from that ms number that is a dns text record on your on your dns it's easy to figure out who's in the cloud and which services they're using microsoft published a cloud attack timeline and one of the things that this is very is very common through this is they

password spray get access to an account often an admin account and then leverage those credentials in order to spread and get and pull data they may download the data or they may be able to reconnect to it while it's in the cloud without downloading it shift it over somewhere else and then pull it down from that later once they've dropped their access the other thing that attackers love doing is changing permissions on mailboxes which almost no one ever notices but that means that a regular user in your environment can be configured with full exchange admin privileges on the mailboxes themselves not the groups themselves same thing with on-prem it's the same issue as on-prem we just have a better understanding of

the issues on-prem how to monitor for that how to log for that how to detect it how to alert on it and there's password spray so with a tool called male sniper which is primarily an exchange recon tool which can also pull exchange mail which is published by daft hack has a wonderful password spray capability against the microsoft cloud so that's what i use and i run it against the ola url for office 365. and i had some problems doing that and i'm like oh okay well maybe maybe there's some security controls that i can figure that block this well there's this thing called ews exchange web services which has been around for quite a while

and provides tremendous capability i believe most of the applications that leverage exchange or talk to exchange use ews in some capability or another and there's a lot of interesting things here where you can just use ews and pull data out of a mailbox so let's go ahead and password spray office 365 using ews and we kick it off and it looks like it's running pretty well and then we get some passwords and we find out that some of our users have pretty bad passwords some are 2018 exclamation point password password etc and so when we look at this we can see who the user is and what their password is let's get saved to a file

so we can leverage this later if we need to we can look at the logging for this in office 365 and we can see that at the bottom there was a failure for leia here and up at the top there was a success which is interesting because she can type a lot faster than i can between these two entering the passwords as well as all these other failures if we dig into this we can see that they came from the same ip address now of course an attacker who's layered across multiple other other ones but it's one of those things that we can notice that when there's a failure and then a success for the same

account after a number of other failures this looks kind of weird maybe we should look into that maybe we should ask leia hey did you log on successfully today oh yeah this morning at 9am okay well this is at 10 30. that's kind of weird and we can look at these logs and we can see that it was specifically from other clients older office clients this points to what is called legacy authentication this is the original authentication that microsoft had when they first stood up their cloud since then they switched over to the 8 owl which are their azure active directory authentication library which has the ability to support multi-factor authentication and some stronger authentication methods

that's what outlook 2013 and newer support but if you have things like pop imap things like that don't support that which means everyone in this room unless you you've explicitly turned off legacy authentication and you're in office 365 you have this problem the other thing we can see is obviously invalid username and password attempted so how do we look for this how do we detect this let's talk about cloud auditing and it's funny because i picked out this picture i thought this was really cute yeah it's it's a joke on the logs yeah sean very funny but not as easy as it used to be rings true because in the cloud you can't easily configure what the

audit configuration is or the logging settings are for how microsoft has things configured they're either going to turn things on or turn things off and a lot of times these things are turned off by default so if we look at this table that i put together user activity and admin activity enabled by default no so you as the user of office 365 congratulations you just joined on friday you do not have any auditing enabled for user and admin activity you probably also don't have any mailbox auditing enabled by default because microsoft didn't turn that on either side note last year in june microsoft put out a bulletin said hey by the way we're going to be turning us on

over time over certain tenants over time we're taking care of it i created a tenant office 365 account for testing i think it was september october and this was not turned on so your mileage may vary on mailbox auditing i also put this together because i wanted to show the retention times so when you're talking about certain types of logons you're looking at seven days or 30 days maybe it all depends on what your subscriptions are and how your your actual tenant is configured is anyone confused yet because i'm already confused and i'm up here talking about it this is challenging i had to go through several different documents to put together this table to map

out what the auditing actually looks like because it is confusing and then the retention types vary based on what your subscription levels are so let's talk about enabling user and admin activity auditing because that jumps out at me yes absolutely we need to do that so we can go to this page audit log search we want to search for something because we saw something that was weird or someone said hey this doesn't look right can you look at this and we go here and go turn on auditing what do you mean i gotta turn on auditing okay let's turn that on great all right we turned it on now it says wait a few hours

okay sure but that means we have no data to look at if there was anything that was unusual now mailbox auditing let's go to that web page oh wait there isn't one we cannot go to a web page to enable mailbox auditing but at least powershell is our friend the fun thing about this is we have to write it we have to write a powershell query to get the auditing and to see the things are turned off which we probably already knew and then we have to actually flip the bit to turn that on and then depending on what we want actually to be configured because these things are not turned on by default so what does this mean let's

say we go through we turn on all the mailbox auditing great then we bring in a bunch of interns and new hires in the summer because our company has grown by 20 percent guess what they don't have mailbox auditing enabled we have to go and do the same exact thing again which means you're probably going to have to have a script or something that is just regularly doing this on your hybrid exchange server that one exchange server you still have on-prem to make sure that your mailbox auditing is enabled and configured challenge number two you have all this auditing you've configured in the cloud we have an on-prem sim so let's say we're doctor strange and

we're going to use the dark arts this is not the first end game reference i'm going to do this talk totally kidding uh so you have to have some understanding of magic basically to get these logs in your sim and i'm not joking this is microsoft's reference on how to get the logging into your sim and i apologize that it's so small but there are one two three four five six seven eight different reference points here unfortunately this is out of scope because i can't go through eight different reference points and it's also going to vary depending on your sim vendor because microsoft provides some audit logs in ceph format cef format and others you

have to pull from the api and then there's this other weird thing where if you have office 365 atp you've got to make sure that your global admin or your security administrator who's assigned for the security and compliance center can get this configured and then you also have to make sure it's turned on so there's a lot of confusing confusion around this and microsoft has not simplified this we've gone from the situation where there was not unified auditing years ago where exchange had its logs and office 365 say azure ad had its logs and then sharepoint had its logs well he unified all that so now there's one central component for logs kind of there's still azure id logs

there's still exchange logs there's still sharepoint logs just easier to get to them well maybe not so as we go after these logs we try to pull them into our sim my best advice for you unfortunately is to talk to your sim vendor because i don't have a good answer for that um your sim vendor has worked on this especially the big ones have worked with microsoft to pull this data and make sure they get it in then the next part is to compare what you have in your logging that you can see in office 365 with what you're getting out of your sim to make sure that they match and that you're getting the data you

need the other problem microsoft had is as of about a year and a half two years ago there were pretty much three different log aggregators within azure that you could send logs into and then microsoft tried to simplify with this with oms which is really more for like your on-prem server loads or your azure loads and finally microsoft threw up their hands and said you know what we hear you this is a problem we're going to call this sentinel and so about two months ago microsoft released what i term splunk in the cloud which effectively gives you a lot of things you really want like a cloud native sim it aggregates from different sources the

cloud and your on-prem environment pull that data in and then microsoft's analytics is going through and looking at things that are unusual and highlighting and elevating things to uh to show you that there's there's a problem and so there's this is right off the website at the bottom so i'm not going to read that but what's nice about it is there's these automatic data connectors you can go in and click and click on connect and import it in so for office 365 logs those import very easily and there's not a data ingestion cost with that right now azure sentinel is in preview so they haven't announced what the costs are but i have some ingestion costs that i

pull together based on what is on their website today so this is what the overview looks like you have your view of what your event load is this little spike here is that there was an alert you can configure different alerts or alerting uh queries that can then show up and you can build the cases out of those and then track them down one of the things that i really like that microsoft did here is we have github so basically they said here here's a place in the azure sentinel github where you can create and publish and update and do push requests for azure sentinel detections and so there's a simplified place where it's just

there you can go and look to see what the query is you can copy and paste it into the query window within azure sentinel and get that information in order to start getting detections so once you have those um sorted in then you have something like this it'd be great if microsoft had a thing that said okay show me the ones from github and then you can check each one and then have them import it so it's preview we'll see maybe we can get that i'll talk to someone but there's also hunting there's also a number of hunting uh queries that are built into the azure sentinel github as well now i'm not here to sell azure azure

sentinel so if you're happy with what you have that's great i don't work for microsoft but i want to show you that if you have you're going into office 365 and you don't have a sim on prem today this is an option you definitely want to look at because you're going to have a really hard time trying to figure out or detect any attacks quite frankly i don't think you're going to detect anything without some sort of simplified uh single pane of glass as everyone says to look at to see what that is so let's do some password spraying again so i run through do some password spraying against my my office 365 tenant and

look azure sentinel detected that i create it in a matter of i don't know 30 minutes without knowing anything about the query language which is what kesto cousteau thank you uh i like kesto and so without knowing anything about it never using it before it auto-completed and then i was able to pull things directly from the event itself and say i want this in here and i was able to create alert that identified my lab testing password spray detection again the spike again showing that there's there's cases there's alerts that are here and so if i dig into that i have some more information that i can look at i can look at the ip address i can look

at some of the other information around it but when i say this was a simple query this is a really simple query i did not really write this i just clicked into it and these different components showed up and it didn't take long at all and unlike some of the big sim vendors that talk about yeah yeah you know you have to build your own and there's a community it's in the community i've looked around these community sites and i find it very difficult to find any kind of detection queries to help me along these along this road so when we look at what this looks when we dig into this and look at it we can

see all the different fields that we really care about and we can see the older office client we can see the ip address and we can see who the user is and then we can do some additional correlation again i put this together really simply we can do additional correlation to so that it could jump out and go yeah no kidding this is actually a password attack and was successful so we can have one that shows password attacks from an ip address or multiple ip address in the same range or we could say here's a password that was attempted multiple times with this with this old client this legacy client and then it was successful

so that way we have a good idea of what's happening so again no pricing listed as of yet but the data ingestion rates that i saw for log analytics is published they say the first five gigs are free because the first one is always free and then uh there's a little bit per per gigabyte and then for holding onto that data it costs a little bit less so that way you can actually maintain it not to be outdone around the same time google's chronicle released backstory and said hey by the way we're not going to charge any data ingestion send it all in here and then we're going to use all of our magic that we built up over the

years in google type stuff and we're going to show you what these attacks look like so i couldn't really get any information beyond a video so i did a screenshot from the video to make my slide look really nice but they say it's designed for multi-petabyte analytics so we'll see what that looks like again your mileage may vary it's the cloud it will probably have changed now as i'm talking and i'm sure there's more data up there as well but one of the most important things we need to do is protect our cloud administrators according to microsoft only a certain percentage of all office 365 azure ad admin accounts require mfa for someone who i haven't talked to

already about this throw out some numbers 35 35. [Music] four and a half one one point eight percent one point eight percent of all admin accounts in office 365 that have highly privileged rights have mfa required so if you take away anything from this weekend and you're in office 365 please go back to work on monday and say guess what we need to do because password spraying is a real issue and it can be done from anywhere in the world and all it takes is one account it could be an exchange admin account now they have access to all your email including executive email and then they can get access to other things so we can run a powershell script like

this to go through and basically find our cloud admins and go ahead and require them to have mfa but i like doing things the easy way and microsoft has what are called baseline policies now in preview and one of them is cloud administration which is if you're a cloud administrator meaning that you're a member of one of these groups global admin exchange admin sharepoint admin etc it requires mfa once your account is in that you have to have mfa to off this is like the easy button and the best thing about this is while conditional access policies require azure 80 p1 for your users this is included so i'm very happy that microsoft is doing this because i've

been yelling at them for years now about these things as they come out we need these baseline protections you're in office 365 you're already paying microsoft a lot of money we should have baseline security that comes with that automatically and this is one of the things that they're doing to make sure make sure that that's available the problem is like all things cloud how do you discover this how do you find it i have not seen any cloud web admin uh cloud service web admin console that is truly intuitive and i see a lot of people nodding ahead so i i guess i guess that was the right thing to say so one of the

things microsoft talks about is you have a breakglass admin account that is excluded from policies that require mfa and conditional access so that way if i don't know hypothetically microsoft's entirely entire mfa system goes down for like a day you're still able to do some admin type stuff hypothetically but it's only for emergencies it uses a strong password you max it out at 16 characters which you may be able to do more we'll talk about that later but all the others have strong security controls and the password for this ideally is long complex completely random stored in a safe no one has access to it maybe a two key scenario but the idea is that you have that break

glass account just in case everything goes sideways because if you lock yourself out from office 365 you're gonna have a bad day so there's azure ad privileged identity management and so this is effectively temporal group access and management so the whole concept behind this is a wonderful one which is we're all here in b-sides it's the weekend none of us require at this moment i don't see many laptops so none of us require at this moment the ability to administer your office 365 or cloud environment so there's no reason for you to be in global admin there's no reason for you to be an exchange admin so the whole purpose and concept behind this is a workflow

you get in the morning i need this right i request it it goes through an approval process maybe it's auto approved maybe one person has to click approve maybe two people have to click approve for global admin and then it just works you're in and so there's certain groups that this can be set up for right off the bat automatically just as you enable it and we can have permanently assigned accounts in here that are just well understood they're already assigned they never remove they never they they never uh get updated but we can set up set up accounts that are eligible so we have darth vader here is eligible for two different groups so that means

that he can go in and request it or you know force choke someone else to request approve it or whatever so but we have that ability to control who has access and when they have access because again keep in mind that office 365 all your cloud services are accessible 24 7 from everywhere in the world by default and that's what we've moved to we've moved from our exchange on-prem environment our ad identity management on-prem to the cloud environment which is accessible from everywhere in the world and by default when you move into office 365 that is your reality you are going to be password spray we worked with customers that were password sprayed and those accounts were compromised and

then it led to other accounts getting compromised to the point where email was accessed and other bad things happen but that's for another time so let's talk about the cloud security controls there's a there's a number of security controls that can be configured gratefully accepted when we go to our cloud security controls i put together a table just real quick of some of the top ones that most people are interested in and what the subscriptions are that are required for them i think one of the confusing things is that a lot of people are thinking that mfa requires subscription when you're in office 365. i can't get mfa for my users because that would cost extra money

based on the way microsoft has has everything written your office 365 users can use the microsoft authenticator or sms text message as a secondary factor for that for users to authenticate please use the microsoft authenticator app it works very well the user types in the username and password they click login if you have it set up this way which i like they get a little push approve deny all you have to do is click on approve it makes it very easy you don't have to type in any codes but if you need something that's going to cover adfs if you need something that's going to cover additional federation type components you're looking at that second item which

is Azure Multi-Factor Authentication, or the MFA Server as it's often referred to. Conditional Access: Azure AD P1. PIM is Azure AD P2, so that costs extra money. "Sean, I don't want to spend extra money for PIM, for that ability to have temporal access for my admins." You only have to configure this for those admins, so it's worth it, because you have additional protection and you can reduce the amount of accounts that are in these groups. You can have a pre-approved list of who's allowed to go into those groups and control when they go in and out. And then Azure AD Password Protection, which I'll talk about in a little bit, is an on-prem password control

feature, and your Azure Identity Protection, which I'll cover in a bit, as well as Azure ATP, which is effectively Microsoft ATA but the cloud-ish version of that. But one of the things that I hear from customers a lot that confuses them is, "Well, I have Office 365 E5, Enterprise 5, I have everything." No, you don't. If you want everything, you're going to have Office 365 E5 and then you're going to add the Enterprise Mobility and Security E5 suite, because that enterprise level will give you Azure AD Premium P2, which gives you all of the other stuff. And I have another slide which covers the differences between this, so we'll get to that.

So when we go into our Azure AD console, again, this looks very different than ADUC, or Active Directory Users and Computers. This is not Active Directory. We notice that there's other capabilities down here, so if we click through this, one of those is Azure Identity Protection, which is included with Azure AD Premium P2. You have to install this through the Azure Marketplace, which I think is annoying, and I provided feedback on it. Thank you. But it's a dashboard that covers your identity risk, and so you can provide automatic remediation of what a risky sign-in is. So the dashboard looks a little like this. So you have identification of users that are logging in, where

they're coming from, and what Microsoft identifies as a risky sign-on. A lot of the time this has to do with anonymous login, login over VPN, something like that. But we can configure these risk-based policies based on what our tolerance is within our company or our organization, and the risk level that we configure determines the action. We can force a password change; we basically say you can't log on through this method, it's too risky, you need to change your password because we think your account is compromised. So all other logins are blocked until the user performs what is an expected or normal login, which might be they go into the office and log in from there,

or they connect in to the corporate VPN. And then in some situations it'll notice that you're connecting from here all the time, and then you go to Europe. That looks weird; okay, you need MFA now, whereas before you didn't have to. So again, anonymous IP, unfamiliar location: we can configure the sign-in risk here, and then what the action is for the sign-in risk policy, and this is for the sign-in method at that moment. Then there's the remediation policy, which is: what are the chances that this user account is actually compromised? What if I see five logins from 20 different locations around the world within a 30-minute window? I'm just making this up, I don't know what their

threshold is, okay, don't quote me on that, but something like that is unusual, because most people don't travel that frequently. So if that happens, Microsoft's going to go, "That looks a little unusual, maybe we're going to block access to this account for everything except for what the expected authentication is." Maybe that person's sitting at their desk in the office and all this other stuff is happening outside of that. So we can enable this and then require these users, when they sign into a non-risky session, to perform an MFA registration. Preferably we've already pre-registered them so that we have that ability, or we've already configured the environment for self-service password reset, so that

way when they come in we go, "Wait a second, you look compromised. When you come in through this other known, normal method, we're going to force you to change your password through this method that we've already pre-established." So there's ways to make sure that the user can handle this kind of on their own and the system just kind of solves it for us. But ultimately what we're talking about is controlling the access and how these things are configured, because things like this just don't work unless you like following the rules, I guess. So one of the big things that Microsoft put together in the past couple of years is Conditional Access, and effectively this is "if this, then that."

If this happens, then we do this: if this user of a certain group authenticates a certain way from a certain place, then they're allowed to have access to this service from whatever network they're coming from. It does require Azure AD P1, but we have a lot of flexibility in how we can control who accesses what. This is effectively the Microsoft cloud identity firewall, which enables the control that a lot of organizations want and need, because when we look at the Microsoft graphic here, there's a number of conditions that we have. We can require that they don't need to auth using MFA when they're coming in on their Azure AD joined computer, which by the way can be joined

to your on-prem AD and Azure AD joined, but if they're coming from anything else, yeah, you've got to MFA all the time. We can do a lot of that through Conditional Access. And as I mentioned, these baseline protection policies that Microsoft's rolling out now, with the first one being "require MFA for admins", we can set these up and say, okay, once you shift from preview to GA, go ahead and apply them just the way I have them configured. And so these are available for everyone. One thing I'm really, really hoping: please, Microsoft, provide the ability to disable legacy authentication through a baseline policy, because that would be awesome, so that way we don't have to pay for

Azure AD P1 for our users for something that I feel should be baked in. Did someone say legacy authentication? Okay, great, let's talk about that. Nearly 100 percent of password spray attacks that Microsoft sees are from legacy authentication, and blocking legacy authentication reduces the compromise rate by 66%. Why isn't it 100? Because people are using really bad passwords still. Legacy versus modern authentication: this is legacy. We need to get rid of this: Office 2010 and older, 2013 prior to this patch, which, let's see, it's 2019 now, yeah, it should have that patch, that's on your network, and the older PowerShell modules that were available for managing Azure and Office 365 and Exchange that don't

support MFA. We should get rid of those as well and use the newer ones, because they support MFA, they support those ADAL libraries, and even on your Apple device you can configure the Mail app to do MFA through modern auth. So there's really no excuses. So I love this slide from Ignite, so I'm just going to keep that up there and put it in my slide deck and really cheat about it, because I couldn't figure out a better way to show this. This is how you tell if you have legacy auth in your environment: you look at your user sign-ins filtered by client app, and then you're looking for any of these

that I've already listed, and then there's other clients that show SharePoint, Exchange Web Services, and you can export and download these sign-in logs, sort by the client app, and identify the top offenders. So before you enable a Conditional Access policy that says "block all legacy", the big question is, what legacy do I have? Do I even have it? Yeah, you do, and I bet you most of that authentication traffic is coming from password sprayers. So we can disable it through Conditional Access by going through this process, which I'm not going to cover, because fingers crossed Microsoft's going to release a baseline policy like soon. I don't know anything, I'm just hoping, but yeah, it's in the slide deck if you

want to go through it. There's not a lot of good tutorials; there's probably one that goes through it, so maybe I'll do a blog post on it soon. The other thing that we can do is we can disable service access for things that we know that users don't need access to, and one that jumps out at everyone is EWS, right? Of course, if you don't have Exchange ActiveSync and you're not using IMAP or POP, disable those, absolutely. Who needs those? But the problem with disabling EWS is that there could be an Office 365 component or third-party add-in that your company, your organization, uses that leverages EWS. So if you're going to go through and

just turn off EWS for your users, definitely test this out to make sure that you're not shutting them off from an application they actually need. And then in Azure AD Connect Health for ADFS there's the risky IPs that you can see, and it can basically adjust how it handles authentications, because one of the things that a lot of people who don't work with ADFS don't understand is your Active Directory Federation Server, your federation server from Microsoft, is effectively exposed to the internet. It has to be in order to receive federation requests, and so when it gets that federation request it's proxied back to your ADFS server, which is going to then provide a token in order to provide access to that

application or that system. So a lot of times organizations are getting password sprayed against their ADFS server. Because how do you stop that? Well, let's get into that. You want to move up to 2016 or 2019 on your ADFS servers. There's some basic support for this in 2012 R2, but it doesn't work so well, not at all. So we want to update those to 2016, or even preferably 2019. I'd caution those who want to jump right to 2019 because it's fairly new, and new isn't always the best thing to do for, I don't know, you like your federation server that provides access to all of your cloud stuff. But there is enhanced protection against these password spray lockouts that

would occur. We had a customer that had an issue where their accounts were getting locked out constantly, and they're like, "We don't understand what's happening," and they were getting password sprayed from the internet, somewhere in Europe somewhere, and all of their accounts were getting locked out. Through this we have the ability to control that and have kind of the smart lockout mode, which is basically the system tracks the valid user, where they usually authenticate from normally, and then where all these other ones that are bad passwords are coming from, and then has two different methods for when the attacker is attempting password spraying, which are always failed logons: those just get blocked kind of automatically and

over on the side, and don't affect the valid user. And then at the bottom I've gone ahead and extracted this best practice configuration PowerShell script that configures ADFS 2016 exactly how you would want it to be configured, and the link at the bottom here explains how to do that. So we want to have some password insight into what's going on in our environment. One of the things that Microsoft made available is password hash sync. So what is this? Through Azure AD Connect we have the ability to take a hash of our on-prem AD password hash for our users that we want to synchronize, and synchronize that password up to our Azure AD environment. They can't be reversed, so

that's good. The problem is now our users that are in Office 365, that are synced, can be password sprayed from the internet, and please, please, please don't have a situation where your VPN isn't MFA protected, because now you're providing access from your cloud in through your VPN to your internal network. I'm not saying that's ever happened. But the thing about this is it provides the users the ability to authenticate directly to Office 365 without having to come back directly to your on-prem environment, or even through ADFS. In some environments they're like, "I don't want to manage ADFS," and trust me, I understand your concern about that. So this is a valid method to go through and not have to have ADFS,

where users can log on directly to Office 365 as well as your on-prem environment. But we want to make sure that we protect these accounts with MFA if that's what we're doing, because we're using whatever bad passwords we have on-prem and pushing them up to our cloud. And then Azure AD has its own smart lockout, which is doing its own method of identifying and locking out attackers to try to prevent password spraying. Microsoft's working on this; they've recognized it as an issue. But if you want to stop password spraying yourself, ensure all users have MFA configured on their accounts and it's required. Microsoft extended the ability of this Azure AD Password Protection, which is currently configured in Azure AD, for

with a global banned password list, which Microsoft won't publish because they don't want people to avoid it, for all users, so that's automatic; you get that with Office 365. The custom banned password list: you need Azure AD P1 in order to put in things that you don't want users to use. So if you live in this area, they may have Orioles, they may have Ravens, things like that in their password. Then dynamic banned passwords basically runs through this algorithm where it checks for letter substitution, fuzzy matching, so shorter versions of bad passwords are banned passwords, like "password" without the "d", "1234", substring matching, and then there's scoring. So basically

everything that you do that improves that password gets another point; anything below five gets blocked automatically. And Microsoft extended this from Azure AD to your on-prem environment, but you have to have Azure AD P1 in order to do that. But this builds on the whole concept of a password filter that we've known about for years. We never really used it unless you're in the government, because a lot of times this would cause performance issues, because a password filter that you may be getting from a random company interacts with LSASS on your DC. Well, that's fun. You have to have DCs running 2012 or newer, and they have to use SYSVOL with DFSR replication, but you effectively deploy this agent to

your DCs, which is that password filter, and then you can use one or two proxy servers, because your DCs shouldn't be connecting to the internet. The proxy servers are going to automatically download and update this password data from Azure AD and put it in SYSVOL as if it was a Group Policy. It's going to replicate automatically, and then the DCs are just going to look at that data to figure out what the passwords are that users are attempting and whether or not they should be blocked. You have the ability to audit this initially or just block them, and setup's not that difficult. This is what the custom smart lockout looks like. You configure

this in Azure AD and the settings filter down to your on-prem AD through that environment. So the architecture is pretty simple. Again, you have your member server that's running that proxy system; it's going to update that SYSVOL, again, it looks like a Group Policy or a policy object on there. The DCs themselves are going to pull that data, and then when a user attempts to log on with "password1234", it'll get audited that they tried to do that, or it'll get blocked, depending on what you've configured. So furthering this conversation about what you can do on-prem when you have Office 365 is your Azure ATP, which is effectively Microsoft Advanced Threat Analytics,

ATA, just with the cloud server components. You install the sensor agent on your DCs and it sends the data to the cloud; that's simply what it is. And if you have ATA on-prem, you just imagine this little cloud here is in your data center, and that's just your ATA server. So Microsoft has provided what they call, what I call, a tune-up through Secure Score, and they've been evolving this and working on it, and the whole concept is so that executives can see and do a comparison between where you are and where others are in your industry. And so as part of this there are certain recommendations that they have, like using MFA. Sorry, I'm having trouble reading that

too. Having MFA, or something like blocking clients from automatically forwarding mail to another system, which is something that attackers like to do. So what's nice about Secure Score is you can go in here and configure this fairly easily, look to see what the impact is for the users, but you can click on this button at the bottom and it will go ahead and implement this for you. Unfortunately Microsoft hasn't extended this to all of them, or to many of them, so there's still a lot of manual things here, which includes, by the way, "turn on Exchange auditing". Like, thanks, Microsoft. Wish there was an easier way to do that other than using Exchange and

running that every so often. So I went through the Secure Scores, picked out the highest priority items, bolded the ones that I thought were most important, and then the ones in italics are the ones that will cost extra on top of your standard Office 365 subscription. But this will increase your score, which ultimately doesn't mean a whole lot, but some of these are very important and some of these do matter. There are some other things that have lower scores; there's things that aren't scored at all that are important as well. So Secure Score is one of those things that Microsoft keeps evolving, and it's a good way to have a standard benchmark of, like, where you are versus others, but

it's not the be-all or end-all of where you are and where you land for the security of your Office 365. And then there's Identity Secure Score, which I believe Microsoft's rolling into the Secure Score, which they renamed to Microsoft Secure Score. So Cloud App Security is really cool. This is a way for you to actually monitor interactions with your cloud applications. So one of the interesting things about that is I do a training with Jared Haight, and we were sharing slides through Teams, and he hadn't accessed the slides at all, and then all of a sudden he started downloading them, and I got a bunch of alerts through this Cloud App Security

component that said this is unusual: this external user is downloading a bunch of files, where I've never seen this before. What was really nice about that is I didn't have to configure anything. The alerts just showed up in the dashboard, they showed up in this console, but I also got email alerts about them. So there are some extensions, some additional things that can be done here along those lines. Yes, but what does it cost? The problem is that with the cloud all this costs money, right? It's a subscription model, and it gets a little tricky. So these slides will be here for reference, so I'm going to go through these a little bit

fast, because I don't want to bore you with licensing details, but effectively most organizations are going to be E3, $20 per user per month, because you get your mail through Office 365 and a version of Office to install and run, and then E5 adds that. This is, again, what a lot of people think, "I have everything," because you do have everything within this, but there's more. Azure Active Directory options: P1, which is about $6 per user monthly, and P2, $9 per user monthly. Really, P2 is primarily for PIM, so for your admins. But this à la carte process gets expensive, so Microsoft recognized that, and they say Enterprise Mobility and Security E3 gives you Azure AD P1 plus Intune

and a couple of other things, and then E5 gives you kind of everything else, I would say, that most organizations are looking for. So when you add all this up it's not cheap. We're looking at about $26 to $50 per user per month when you're talking about additional security controls, depending on what your level of risk is and your concern is with what you expose in your cloud and the data that you're protecting. A lot of organizations need this, and need this level of security and configuration. And so I am almost out of time, but I do want to have a quick moment of mini celebration, because I tweeted out about a year and a half ago,

"Hey, can we get more than 16 characters in Office 365 or in Azure AD?" And then I happened to notice when I was doing my passwords frank testing, this says 256. Well, that's interesting. Looks like something's happening behind the scenes. So when I went in to change the password, it said it can't be longer than 16 characters. So they haven't announced anything about this, but my guess is that this is getting changed under the covers, and once everything is there and tested, they will deploy this and everyone will know about it. So very happy to say it looks like it's coming, finally. So I've got some cloud security best practices. This covers everything that I've talked about

along with a couple of other pointers here and there, as well as protecting your admin accounts. The basics are the same: you want to ensure you have least privilege, protect who has the access as well as who has the rights. So in summary, the cloud isn't inherently secure. There's a lot of security features that definitely need to be evaluated, especially based on your risk tolerance and data protection requirements. These security controls need to be researched, tested, and implemented; you definitely test before implementing. Don't deploy something to every admin account; make sure you have a global admin that's not affected by this. And security in the cloud may cost extra. Probably one of the most important

parts of this talk is that these features change regularly, and this talk is probably already out of date. But thank you very much for your time. That has been mine.
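The banned-password evaluation the talk walks through (undo letter substitutions, fuzzy and substring matching against the banned list, then score and block anything below five points), as an added Python example that is not Microsoft's code and not part of the talk. The banned list and the substitution table are constructed for the demo, since the real global list is unpublished and the real substitution rules are only partly documented.

```python
"""Illustrative reimplementation of the Azure AD Password Protection
evaluation steps described in the talk.  Added example, not Microsoft's
code; the banned list and substitution table below are constructed."""
from __future__ import annotations

# Constructed subset of letter substitutions undone during normalization.
SUBSTITUTIONS = str.maketrans({"0": "o", "1": "l", "$": "s", "@": "a",
                               "3": "e", "4": "a", "5": "s", "7": "t"})

# Constructed banned list: a few global-style terms plus tenant-specific
# custom terms (the talk's Orioles/Ravens example).
BANNED = ["password", "qwerty", "letmein", "welcome", "orioles", "ravens"]

MIN_SCORE = 5  # the talk: "anything below five gets blocked"


def normalize(password: str) -> str:
    """Lowercase and undo common letter substitutions (P@ssw0rd -> password)."""
    return password.lower().translate(SUBSTITUTIONS)


def within_one_edit(a: str, b: str) -> bool:
    """Fuzzy match: true when a and b differ by at most one edit."""
    if abs(len(a) - len(b)) > 1:
        return False
    i = j = edits = 0
    while i < len(a) and j < len(b):
        if a[i] == b[j]:
            i += 1
            j += 1
            continue
        edits += 1
        if edits > 1:
            return False
        if len(a) > len(b):
            i += 1          # skip an extra char in a
        elif len(b) > len(a):
            j += 1          # skip an extra char in b
        else:
            i += 1          # substitution
            j += 1
    return edits + (len(a) - i) + (len(b) - j) <= 1


def score(password: str, banned: list[str] = BANNED) -> tuple[int, list[str]]:
    """Each banned term found counts one point, each remaining character one
    point.  Returns (score, matched_terms)."""
    norm = normalize(password)
    matched: list[str] = []
    remaining = norm
    for term in sorted(banned, key=len, reverse=True):   # substring matching
        if term in remaining:
            matched.append(term)
            remaining = remaining.replace(term, "")
    if not matched:                                      # fuzzy matching
        for term in banned:
            if within_one_edit(norm, term):              # e.g. "passwor"
                matched.append(term)
                remaining = ""
                break
    return len(matched) + len(remaining), matched


def is_blocked(password: str, banned: list[str] = BANNED) -> bool:
    """True when the password would be rejected under the scoring rule."""
    return score(password, banned)[0] < MIN_SCORE
```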