Tag Archives: Azure Security

Allgemein, Azure, Azure Active Directory, Azure Governance, Azure Security, Cloud, Community, Meetup, Microsoft

Speaking with Thomas Naunheim at GermanyClouds Meetup about Azure Governance Best Practices

2020-11-26 Gregor Reimling Leave a comment

In the past Thomas Naunheim and I do a lot of architecture and designing prinicple for integrating Azure in company environments. We have the idea to create a Azure Governance Best Practices session in the last couple of months to give the community our insights and best practices for Starting/Integrating Azure environments. The goal is to give you insights, where you can find the best documentations to start with a Cloud journey and which technical Azure features help to bring and hold your environment in an compliant and secure state.

The session contains the following topics:

Cloud Adoption Framework
Well-architecture Framework
Insights about Azure Policies and Azure Security Center
Azure Enterprise Scale architecture
Azure Ops
Identity and Access Management

We are exited to hold the session at the GermanyClouds Meetup on november 26. Did you interested in this topics or you are in the beginning or implementig phase, join us. We will happy to see you there and get your questions.

The session will not been recorded.

Allgemein, Azure, Azure Bastion, Azure Network, Azure Security, Cloud, Microsoft

Azure Bastion now supports VNET Peering

2020-11-15 Gregor Reimling 8 Comments

Update 2 on 01/12/2021

Microsoft has changed the #AzureBastion minimum subnet size from /27 to /26. Installed #Azure Bastion are unaffected, but new deployments require the new subnet size. Please remember this. https://docs.microsoft.com/en-us/azure/bastion/bastion-faq#subnet

Update – 12/2020

Azure Bastion is now available in West Germany Central.

Azure Bastion is a service to avoid deployment own Jumphosts and reach Azure VMs over the Management Ports (SSH and RDP) in a secure way without the need to assign Public IPs directly to Azure VMs.

Azure Bastion got a really big improvement and now supports Azure VNET Peering. This includes all VNET peering models, inside a single subscription and VNET peering across different subscriptions.

Continue reading →

Allgemein, Azure, Azure Active Directory, Azure Governance, Azure Security, Cloud, Community, Events, Meetup, Microsoft

IdentitySummit 2020 is over – Thank you

2020-10-30 Gregor Reimling Leave a comment

Our 1st IdentitySummit is over and we had a amazing Summit with our powerfull Speakers and our attendees.

We (Azure Bonn Orga Team) started planning the Summit in March 2020. The Orga Team from the AzureBonn Meetup consists of Melanie Eibl, Thomas Naunheim and René de la Motte. The idea came from Thomas (our Identity Expert) and we can say that was a wonderful idea.

We meet together at the Debeka Innovation Center (DICE) in Koblenz to organize and streaming all the sessions from one central place. The current Corona situation has unfortunately not made a complete live event possible, so we have met under the rules in force to ensure a smooth process and bring a little live feeling.

Now after 6 session in 2 parallel Tracks we can say it was worth every minute of planning – Why?

The answer is simple: First of all because of our great speakers. Each session was planned with a minimum of 300, and each session went deep into the relevant topics, showing what needs to be considered, the pitfalls and best practices available.

Continue reading →

Allgemein, Azure, Azure Active Directory, Azure Monitor, Azure Security, Cloud, Microsoft

Howto setup and monitor Break Glass Accounts in your Tenant

2020-07-31 Gregor Reimling 4 Comments

09/07/2024 – Update 2

Microsoft enforce since 1st of July 2024 the need for Multifactor Authentication if a account access the Azure Portal. This also affects Break Glass accounts when the will use to access the Azure Portal. To reflect this new requirements classic Breakglass Accounts which only have a password enabled for login will won`t work after the rollout.

Microsoft recommend to use FIDO2 or certificate based authentication for these accounts. I`ve updated the article to enable FIDO2 for Breakglass accounts.

19/01/2022 – Update 1

I´ve updated the article because the actual sign-in query only logs all login attempts of the break glass account (successfully, unsuccessfully, etc.) . I added the different IDs so that you can setup the alert mail based on a indivudal filter. Thank you goes out to Eric Soldierer for this note. I also updated some changed services that had left their preview status.

In the past I do a lot of Azure Governance workshop and one interesting topic is how to handle the Break Glass Account. Before we going deeper, first we take a look was is the Break Glass Account. For each Administrator role in Azure or Office365 is it best practice to use MFA to secure the account and get a better security for the Tenant. To realize this, normally we use Conditional Access and create a rule, that every Admin require MFA for login. But what can we do, when:

the MFA service is down
we create a Conditinal Access that with a wrong rule set and lost sign-in access
we do not regulary update our control list and the admin account goes lost

For this cases we need a Break glass account, an additional account with a high security password, to enter the Tenant in an emergeny case. For this account, there are some recommendations:

only use a generic account
create a complex password with more than 16 characters
use a seperate FIDO2 key for every breakglass account
up to 256 characters possible – the limit of 16 character is removed
for compliance reason divide the password into two parts
save each part in a different location
create a security group that contains the break glass accounts
create two break glass accounts with no standard username like breakglass@ or emergency
use the Tenant name for the account
do not use a custom domain name
~~in futher it will be possible to use FIDO2 security key for break glass (right now is in preview and not recommended for such critical scenario)~~

~~Now we can discuss in some ways a security gap – a service account with Global admin rights that do not require MFA for login~~. The use of a generic name can be a risk and the usage of this account most be transparenet for every tenant admin. Now you see, why it is so important to monitor this accounts and get notified when they will be used for login.

Continue reading →

Allgemein, Azure, Azure Network, Azure Security, Cloud, Microsoft

Connect and Secure Azure PaaS services to Virtual Networks with Private Link

2020-06-10 Gregor Reimling 2 Comments

Azure allows to use IaaS and PaaS solution together over the same network. But all Azure PaaS services using a public interface for connection. When configure the PaaS firewall to allow traffic only from internal VNETs the public interface still exists. With Azure Private Link there is a new service to disable the public interface and add a private endpoint to secure connect to PaaS from your own VNET.

When configuring the internal service Firewall to block all traffic from outside the VNET, the Firewall make a mapping from internal VNET traffic to the Public IP and block all other IP- Adress ranges – and here comes the new Azure Service Private Link into play. This blog post will cover how Private Link works and how to configure this service for your environment including own DNS solution to get a complete private based Azure VNET.

Continue reading →

Allgemein, Azure, Cloud, Community, Microsoft

Speaking at the ESPC AzureWeek about Azure Policy with Azure Security Center

2020-05-22 Gregor Reimling Leave a comment

This is a challenging time for everyone and I hope you are well. Many community conferences cancelled or moved to an online event. The online events give the oppurtunity to learn and discuss in an different way. The European Sharepoint Conference (ESPC) Team has announced the Azure Week between 25.05. – 29.05.20 as a webinar week.

The Azure Week has an great lineup with very useful sessions. Thomas Maurer open the week with a session about Modern Azure Cloud operations for IT Ops and I have the pleasure to close the week with a session about Azure Policy with Azure Security Center.

In this session we will dive into the many aspects of Azure Policy and Azure Security Center and see how they work together.

Continue reading →

Allgemein, Azure, Azure Active Directory, Azure Security, Certifications, Cloud, Microsoft, Windows Server

How I pass the Azure Security Exam Az-500

2020-04-17 Gregor Reimling 13 Comments

In the past I have taken several Azure exams, and yesterday I took the Azure Security exam Az-500. I am really glad that I passed the exam. In this article I will give you a brief overview of the topics I saw in the exam and what materials I used to prepare for the exam. I can say directly that the best way to succeed in the exam is practice.

Continue reading →

Allgemein, Azure, Azure Bastion, Azure Network, Cloud, Microsoft, Remotedesktop, Windows 10, Windows Client OS, Windows Server, Windows Server 2016, Windows Server 2019

Azure Bastion – Secure Access Azure VMs via SSH/RDP without Public IP or Jumphosts

2020-01-10 Gregor Reimling 6 Comments

Update 5 on 01/12/2021

Update 4 on 14/07/2021

Microsoft has announced a new Azure Bastion Standard SKU as part of the ongoing Microsoft Inspire 2021. The difference between Basic and Standard SKU and the deployment process are summarized in this article.

Update 3 on 16/05/2021

VNET peering support for Azure Bastion is now GA

Update 2 on 26/04/2021

I updated the article based on the latest information around Azure Bastion. One big announcement is the support for peered VNETs for Azure Bastion – this is also integrated in this article. Please feel free to share and comment 🙂

Azure Bastion is a new service to reaches Azure VMs in a secure way without needing a Jump host in the same VNET or to publish an Public IP for a VM. Many customers using Public IPs to reach VMs (Windows and Linux) in Test and Dev environment. Please avoid managing Azure VMs over a Public IP, this is unsecure – use Azure Bastion.

~~Azure Bastion is in public preview since end of June 2019~~. Azure Bastion is General Available (since Microsoft Ignite 2019) and many limitations are gone. This article will short introduce the service, the new features and how easy is it to enroll the service in the environment to reach Azure VMs (Windows or Linux) over a secure way.

Continue reading →

Allgemein, Azure, Azure Stack, Cloud, Microsoft

MSIgnite 2019 Azure News and Announcements Part 2

2019-11-18 Gregor Reimling Leave a comment

There are many new features and enhancements announced for Azure from the last Microsoft Ignite. I have written about many of them in the 1st part of this Article. This article will focus of the missed announcement in the first article.

Keep in mind our Meetup appointments in the next week in Thueringen and Cologne/Bonn.

Continue reading →

Allgemein, Azure, Azure Active Directory, Azure Security, Cloud, Microsoft

Setup Passwordless login Für Azure & Microsoft365 mit yubico 5 und FIDO2

2019-10-02 Gregor Reimling 2 Comments

Vor einigen Wochen hat Yubico zahlreiche Passwordless-Kits kostenlos zur Verfügung gestellt. Um weitere Menschen von den zahlreichen Vorteilen des Passwordless Logins mit dem integrierten FIDO (Fast IDentity Online) Standard, in Yubico Devices, zu überzeugen. Vor ein paar Tagen habe ich mein Starterpaket erhalten – an dieser Stelle vielen Dank für die Zusendung. Das Starterpaket enthielt direkt 2 Keys den YubiKey 5 NFC (USB + NFC) und den YubiKey 5C (USB Type-C). Direkt nach dem Erhalt habe ich mit der Einrichtung begonnen – die sich sehr einfach gestaltet.

Dieser Artikel stellt die Voraussetzungen und die Konfiguration des Azure Active Directorys vor, um die Kennwortlose (Passwordless) Funktion zu nutzen.

Continue reading →

09/07/2024 – Update 2

19/01/2022 – Update 1

Public & Hybrid Cloud