Tag: Azure

Improve your Azure Multi-Factor Authentication Notifications

Recently, Uber appeared to have been hacked through what is called an MFA fatigue attack: the attacker repeatedly sent MFA push requests to an end user, hoping they would eventually approve one by accident or out of annoyance. Microsoft offers several settings you can configure and enable for your end users to help prevent MFA fatigue attacks. Traditionally, MFA notifications are push notifications where the user can either approve or deny the request. One improvement has been multiple-choice number prompts, where the end user must pick, from four options, the number presented on the screen they are signing in on. The problem is that this still leaves a 1 in 4 chance that an accidental selection results in unauthorized access.
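The settings described above can be turned on without the portal. The following is an added example, not code from the original post: it uses the Microsoft Graph PowerShell SDK to require number matching and to show the requesting app and approximate sign-in location on every Microsoft Authenticator push, then reads the configuration back. It assumes the Microsoft.Graph module is installed and that the caller can consent to Policy.ReadWrite.AuthenticationMethod; the beta endpoint is used because the featureSettings properties were exposed there first.

```powershell
# Added example (not from the original post): harden Microsoft Authenticator
# push notifications against MFA fatigue via Microsoft Graph.
# Assumptions: Microsoft.Graph SDK installed; caller holds
# Policy.ReadWrite.AuthenticationMethod; beta endpoint for featureSettings.

Connect-MgGraph -Scopes 'Policy.ReadWrite.AuthenticationMethod'

$uri = 'https://graph.microsoft.com/beta/policies/authenticationMethodsPolicy/authenticationMethodConfigurations/microsoftAuthenticator'

# Each feature is an authenticationMethodFeatureConfiguration: a state plus an
# include target. targetType 'group' with id 'all_users' scopes it to everyone.
$allUsers      = @{ targetType = 'group'; id = 'all_users' }
$enabledForAll = @{ state = 'enabled'; includeTarget = $allUsers }

$body = @{
    '@odata.type'   = '#microsoft.graph.microsoftAuthenticatorAuthenticationMethodConfiguration'
    featureSettings = @{
        # User must type the number shown on the sign-in screen into the app,
        # so a blind "Approve" tap on an unsolicited prompt cannot succeed.
        numberMatchingRequiredState             = $enabledForAll
        # Show which application triggered the prompt.
        displayAppInformationRequiredState      = $enabledForAll
        # Show the approximate location (from the sign-in IP) of the request.
        displayLocationInformationRequiredState = $enabledForAll
    }
}

Invoke-MgGraphRequest -Method PATCH -Uri $uri -ContentType 'application/json' `
    -Body ($body | ConvertTo-Json -Depth 10)

# Read it back: every feature should now report 'enabled' for 'all_users'.
$cfg = Invoke-MgGraphRequest -Method GET -Uri $uri
$cfg.featureSettings.GetEnumerator() | ForEach-Object {
    '{0,-42} {1,-8} {2}' -f $_.Key, $_.Value.state, $_.Value.includeTarget.id
}
```

Number matching has been enforced by Microsoft for all tenants since May 2023, so in a current tenant the first setting is already in effect; the two context settings are still opt-in and are what gives a user the information needed to recognise, and report, a prompt they did not trigger.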

Configure Fraud Alerts

Fraud Alerts let your users report a two-step verification request that they did not initiate and, if you enable the corresponding option, automatically block the reporting user's account from signing in until an administrator unblocks it.

Go to the Azure … Continue...

Block Outdated Operating Systems with Microsoft Defender for Cloud Apps (Cloud App Security)

In this write-up I will be configuring Microsoft Defender for Cloud Apps (formerly Cloud App Security) and Conditional Access to block outdated operating systems from accessing Microsoft 365 services within my tenant.

Licensing

The first thing to figure out is licensing. You must have a license that enables "Microsoft Defender for Cloud Apps Discovery" and not "Microsoft Defender for Cloud Apps." At the time of writing, the EM+S E5 SKU will not work but the Microsoft 365 E5 Security SKU will. You will also need an Azure Active Directory Premium P2 license.

Setting up Conditional Access

Once we have the proper licensing, we need to route application sessions to Microsoft Defender for Cloud Apps. In the Azure Portal, go to Conditional Access and create a new policy.

Assignments

In my assignments, I selected all users and excluded my break-glass account.

Cloud Apps or Actions

Next, I selected the Office … Continue...
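The same policy can be created from PowerShell. The following is an added example, not code from the original post: it builds the Conditional Access policy with the Microsoft Graph PowerShell SDK, excludes the break-glass account, and hands the browser session to Defender for Cloud Apps, where the outdated-OS condition is then defined. It assumes the Microsoft.Graph module is installed, that the caller can consent to Policy.ReadWrite.ConditionalAccess and Application.Read.All, and that the "Office 365" app group is the one the author selected (the excerpt is cut off at "Office"); the break-glass object ID is a placeholder.

```powershell
# Added example (not from the original post): Conditional Access policy that
# routes Office 365 browser sessions through Defender for Cloud Apps.
# Assumptions: Microsoft.Graph SDK installed; caller holds
# Policy.ReadWrite.ConditionalAccess + Application.Read.All; 'Office365' is
# assumed as the selected app group; $breakGlassId is a placeholder.

Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Application.Read.All'

$breakGlassId = '00000000-0000-0000-0000-000000000000'  # placeholder: object ID of your emergency-access account

$policy = @{
    displayName = 'CA - Route Office 365 sessions to Defender for Cloud Apps'
    # Start in report-only: sign-in logs show what WOULD happen before anyone is blocked.
    state       = 'enabledForReportingButNotEnforced'
    conditions  = @{
        users = @{
            includeUsers = @('All')
            excludeUsers = @($breakGlassId)       # never gate the break-glass account
        }
        applications = @{
            includeApplications = @('Office365')  # the Office 365 app group
        }
        clientAppTypes = @('browser')             # session controls apply to browser sessions
    }
    sessionControls = @{
        cloudAppSecurity = @{
            isEnabled            = $true
            # 'mcasConfigured' defers to the access/session policies defined in
            # Defender for Cloud Apps, which is where the OS-version check lives.
            # Alternatives are 'monitorOnly' and 'blockDownloads'.
            cloudAppSecurityType = 'mcasConfigured'
        }
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy

# Verify the exclusion and the session control before flipping state to 'enabled'.
Get-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id |
    Select-Object DisplayName, State,
        @{ n = 'ExcludedUsers';  e = { $_.Conditions.Users.ExcludeUsers -join ',' } },
        @{ n = 'SessionControl'; e = { $_.SessionControls.CloudAppSecurity.CloudAppSecurityType } }

# Once report-only results in the sign-in logs look right:
# Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id -BodyParameter @{ state = 'enabled' }
```

Leaving the policy in report-only for a few days and reviewing the Conditional Access tab in the sign-in logs is the check that catches a mis-scoped policy before it locks people out; the break-glass exclusion is what gets you back in if it does.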

Connect to Exchange Online PowerShell with an Azure Managed Identity

Recently the Exchange Online PowerShell module gained support for connecting to Exchange Online with a managed identity. The module has three relevant parameters:

  1. ManagedIdentity
  2. ManagedIdentityAccountId
  3. Organization

When using the ManagedIdentity switch you must also supply the Organization parameter, which is the tenant's initial ".onmicrosoft.com" domain. ManagedIdentityAccountId is only needed for a user-assigned identity, where it takes that identity's client (application) ID; a system-assigned identity needs nothing more than the switch.

What You Will Need

  • PowerShell
  • Az PowerShell Module (Install-Module Az)
  • The Microsoft Graph SDK (Install-Module Microsoft.Graph)

Create the Managed Identity, Permissions, and Runbook

Connect to Azure

The first thing we must do is connect to Azure using the Az module. Open a PowerShell window and run:

Connect-AzAccount

Create a Resource Group

Once connected, we need to create a Resource Group to house everything. In my example I will create a new Resource Group in the Central US region.

$rgname = "rg-exchangeautomation"
$location = "centralus"
New-AzResourceGroup -Name $rgname -Location $location

Create the Automation Account

Next, we need to create the Automation Account that runs … Continue...
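The excerpt stops at the Automation Account; the rest of the setup is the part that is easy to get wrong. The following is an added example, not code from the original post: it creates the Automation Account with a system-assigned managed identity, grants that identity the Exchange.ManageAsApp application role on the Office 365 Exchange Online service principal, adds it to an Exchange admin directory role, and imports a runbook that connects with -ManagedIdentity. It assumes the Az and Microsoft.Graph modules are installed and connected with sufficient rights, that the ExchangeOnlineManagement module has been added to the Automation Account, and uses $rgname and $location from the post; the account name and the onmicrosoft.com domain are placeholders.

```powershell
# Added example (not from the original post): finish the managed-identity setup
# and connect to Exchange Online from a runbook.
# Assumptions: Az (Az.Automation 1.7.0+) and Microsoft.Graph installed;
# Connect-AzAccount already done; account name and tenant domain are placeholders.

$rgname   = 'rg-exchangeautomation'
$location = 'centralus'
$aaName   = 'aa-exchangeautomation'   # assumed name

# 1. Automation Account with a system-assigned managed identity.
$aa         = New-AzAutomationAccount -ResourceGroupName $rgname -Name $aaName -Location $location -AssignSystemIdentity
$miObjectId = $aa.Identity.PrincipalId

# 2. Grant the identity Exchange.ManageAsApp on the well-known
#    "Office 365 Exchange Online" first-party application.
Connect-MgGraph -Scopes 'AppRoleAssignment.ReadWrite.All', 'RoleManagement.ReadWrite.Directory', 'Application.Read.All'
$exoSp = Get-MgServicePrincipal -Filter "appId eq '00000002-0000-0ff1-ce00-000000000000'"
$role  = $exoSp.AppRoles | Where-Object Value -eq 'Exchange.ManageAsApp'
New-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $miObjectId `
    -PrincipalId $miObjectId -ResourceId $exoSp.Id -AppRoleId $role.Id | Out-Null

# 3. App-only Exchange access also needs an Exchange admin directory role.
#    Pick the least-privileged one that covers the runbook: 'Exchange Recipient
#    Administrator' for mailbox/recipient work, 'Exchange Administrator' only if
#    you really need organization-wide settings.
$roleName = 'Exchange Recipient Administrator'
$dirRole  = Get-MgDirectoryRole -Filter "displayName eq '$roleName'"
if (-not $dirRole) {
    # The role has never been used in this tenant; activate it from its template.
    $tmpl    = Get-MgDirectoryRoleTemplate | Where-Object DisplayName -eq $roleName
    $dirRole = New-MgDirectoryRole -RoleTemplateId $tmpl.Id
}
New-MgDirectoryRoleMemberByRef -DirectoryRoleId $dirRole.Id `
    -BodyParameter @{ '@odata.id' = "https://graph.microsoft.com/v1.0/directoryObjects/$miObjectId" }

# 4. Runbook body. -ManagedIdentity alone uses the system-assigned identity;
#    add -ManagedIdentityAccountId <clientId> for a user-assigned one.
#    Replace contoso.onmicrosoft.com with your tenant's initial domain.
$runbook = @'
Connect-ExchangeOnline -ManagedIdentity -Organization 'contoso.onmicrosoft.com'
Get-AcceptedDomain | Select-Object DomainName, Default
Disconnect-ExchangeOnline -Confirm:$false
'@
$path = Join-Path $env:TEMP 'Get-ExoAcceptedDomains.ps1'
Set-Content -Path $path -Value $runbook
Import-AzAutomationRunbook -ResourceGroupName $rgname -AutomationAccountName $aaName `
    -Name 'Get-ExoAcceptedDomains' -Type PowerShell -Path $path -Published
```

If the first job fails with an authorization error, wait a few minutes and retry: the app role assignment and directory role membership take time to replicate to Exchange Online. Note that steps 2 and 3 are exactly the grants an attacker who compromises the Automation Account inherits, which is why the directory role should be the narrowest one the runbook can work with.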

Creating a Microsoft 365 Automated Off-boarding Process with SharePoint, Graph API, and PowerShell

In this write-up I will be creating a basic off-boarding automation that uses SharePoint as the front end, and PowerShell, the Graph API, and Azure Runbooks as the back end. HR inputs the user's UPN or e-mail address, the off-boarding date/time, and a forwarding address for their mail. Once the off-boarding datetime is within one hour, the automation checks that the user exists in Azure AD, that the forwarding user exists in Azure AD, and documents in SharePoint the user's e-mail address, every license, and every group membership. After that, it proceeds with the off-boarding: it removes all licenses from the user, removes all group memberships, and forwards e-mail to the forwarding user. It logs everything back to SharePoint so the run can be reviewed.

Off-Boarding Stages

Pending

In Pending we have just submitted our user and the automation has not seen it, or it … Continue...
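The validate, snapshot, then remove sequence described above is the heart of the automation. The following is an added example, not code from the original post: a single PowerShell function that does that sequence with the Microsoft Graph SDK and Exchange Online module, returning the snapshot record (the data the post writes to SharePoint) and supporting a dry run. It assumes the caller is already connected with Connect-MgGraph (User.ReadWrite.All, Group.ReadWrite.All, Directory.Read.All) and Connect-ExchangeOnline; the sample UPNs in the usage line are placeholders.

```powershell
# Added example (not from the original post): validate -> snapshot -> remove
# for one user. Assumes Connect-MgGraph and Connect-ExchangeOnline are done.

function Invoke-UserOffboarding {
    param(
        [Parameter(Mandatory)] [string] $UserPrincipalName,
        [Parameter(Mandatory)] [string] $ForwardTo,
        [switch] $WhatIf   # snapshot only, change nothing
    )

    # 1. Validate both accounts before touching anything.
    $user = Get-MgUser -UserId $UserPrincipalName -Property Id,UserPrincipalName,Mail,AccountEnabled -ErrorAction Stop
    $fwd  = Get-MgUser -UserId $ForwardTo -Property Id,UserPrincipalName,Mail,AccountEnabled -ErrorAction Stop
    if ($user.Id -eq $fwd.Id)   { throw 'User and forwarding address are the same account.' }
    if (-not $fwd.AccountEnabled) { throw "Forwarding user $ForwardTo is disabled; refusing to forward mail into a dead mailbox." }

    # 2. Snapshot what is about to be removed; this is what gets logged.
    $licenses = Get-MgUserLicenseDetail -UserId $user.Id
    $groups   = Get-MgUserMemberOf -UserId $user.Id -All |
        Where-Object { $_.AdditionalProperties['@odata.type'] -eq '#microsoft.graph.group' }

    $record = [ordered]@{
        User          = $user.UserPrincipalName
        Mail          = $user.Mail
        ForwardedTo   = $fwd.UserPrincipalName
        Licenses      = @($licenses.SkuPartNumber)
        Groups        = @($groups | ForEach-Object { $_.AdditionalProperties['displayName'] })
        SkippedGroups = @()
        TimestampUtc  = (Get-Date).ToUniversalTime().ToString('o')
    }
    if ($WhatIf) { return [pscustomobject]$record }

    # 3. Remove every license in one call so a failure cannot leave a half-licensed account.
    if ($licenses) {
        Set-MgUserLicense -UserId $user.Id -AddLicenses @() -RemoveLicenses @($licenses.SkuId) | Out-Null
    }

    # 4. Remove group memberships. Dynamic groups manage their own members, and
    #    Exchange-managed groups (distribution lists, mail-enabled security
    #    groups) reject removal through Graph; record those instead of failing.
    foreach ($g in $groups) {
        $p = $g.AdditionalProperties
        $isDynamic         = $p['groupTypes'] -contains 'DynamicMembership'
        $isExchangeManaged = $p['mailEnabled'] -and ($p['groupTypes'] -notcontains 'Unified')
        if ($isDynamic -or $isExchangeManaged) {
            $record.SkippedGroups += $p['displayName']
            continue
        }
        Remove-MgGroupMemberByRef -GroupId $g.Id -DirectoryObjectId $user.Id
    }

    # 5. Forward mail without keeping a copy in the departed user's mailbox.
    Set-Mailbox -Identity $user.UserPrincipalName -ForwardingAddress $fwd.UserPrincipalName -DeliverToMailboxAndForward $false

    return [pscustomobject]$record
}

# Dry run first (placeholder addresses); drop -WhatIf to execute.
Invoke-UserOffboarding -UserPrincipalName 'jdoe@contoso.com' -ForwardTo 'manager@contoso.com' -WhatIf
```

The skipped distribution lists still need removal with Remove-DistributionGroupMember in Exchange Online, and the record's SkippedGroups field is what tells the reviewer that happened; an off-boarding log that silently omits failed removals is worse than none.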

In-Depth Look at Azure Bicep Syntax

If you have not checked out my other series, “Getting Started with Bicep” then I would highly suggest starting there so you can familiarize yourself with Azure Bicep including some basic syntax and how to write your first template. This article will walk you through more advanced syntax topics including output variables, loops and more!

Comments

Comments in code help you or others figure out what something may do or why it’s there in the first place. While it does not replace full documentation, it is a great way to get a picture of what your code does.

Single Line Comment

You can comment out a single line of Bicep code by prefixing it with '//'. In the example below you can see my comment added to the tagging resource that we will go over next!

Multi-line Comments

Instead of adding ‘//’ to every line you want to comment … Continue...

Getting Started With Bicep: Compiling, Deploying, and Decompiling

In the first post of the 'Getting Started with Bicep' series we learned what Azure Bicep is, how to install it, and how to begin working with it. Next, we learned how to create our first Bicep template, how to use parameters and variables, and which data types there are. Now, in this section, we will learn how to compile our Bicep templates and deploy them to Azure.

Compile Bicep to ARM

The first thing we need to do is compile, or more precisely transpile, our Bicep code to an ARM (JSON) template. (Transpiling is the specific term for transforming source code written in one language into another language at a similar level of abstraction.) Once compiled, the resulting ARM (JSON) template is what gets deployed to Microsoft Azure.

From our previous post on ‘Getting Started with Bicep: Building your First Bicep Template‘ we created a basic Bicep … Continue...

Getting Started with Bicep: Building Your First Bicep Template

In the first section, Getting Started with Bicep, an ARM DSL for Azure, we went through what Azure Bicep is and how to install Bicep on your machine. Now, we will learn how to build our first Bicep template.

Bicep Declaration Overview

First, let's look at a Bicep declaration in its basic form:

The resource keyword indicates the start of the declaration of a new Azure resource to deploy.

Next, we have the Symbolic Name (in my example: stgact), which is an identifier within the Azure Bicep file. This will allow you to get the properties from the declared resource to be used in other resources elsewhere. Keep in mind, this is not the name of the Azure resource that is deployed.

Following the Symbolic Name, we have the Resource Provider.

Next, we have the Resource Type; this is the Azure Resource Type name for the resource … Continue...
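The three Bicep posts excerpted above (comment syntax, compiling and deploying, and the anatomy of a resource declaration) fit into one round trip. The following is an added example, not code from the original posts: a PowerShell script that writes a small Bicep template using both comment styles and the symbolic name stgact from the post, compiles it to ARM JSON with the Bicep CLI, previews and runs the deployment with Az.Resources, and decompiles the JSON back to Bicep. It assumes the Bicep CLI is on PATH, the Az module is installed and connected, and that the resource group named in $rgName already exists; the group name is a placeholder. The storage account settings are the hardened defaults a template should carry (HTTPS only, TLS 1.2, no anonymous blob access).

```powershell
# Added example (not from the original posts): write, build, what-if, deploy
# and decompile one Bicep template. Assumes Bicep CLI on PATH, Az.Resources
# installed, Connect-AzAccount done, and an existing resource group.

$rgName = 'rg-bicep-demo'   # placeholder: must already exist
$work   = Join-Path $env:TEMP 'bicep-demo'
New-Item -ItemType Directory -Path $work -Force | Out-Null

# The template. '//' starts a single-line comment, '/* ... */' a multi-line one.
$bicep = @'
// Parameters are the template's inputs; the decorator restricts allowed values.
@allowed([ 'Standard_LRS', 'Standard_ZRS' ])
param skuName string = 'Standard_LRS'
param location string = resourceGroup().location

/*
  Variables are computed once. uniqueString() derives a stable 13-character
  hash from the resource group id, so the globally unique name is
  deterministic for a given resource group.
*/
var storageName = 'stg${uniqueString(resourceGroup().id)}'

// resource <symbolicName> '<Provider>/<Type>@<apiVersion>' = { ... }
// 'stgact' is only an identifier inside this file; 'name' is the Azure resource name.
resource stgact 'Microsoft.Storage/storageAccounts@2022-09-01' = {
  name: storageName
  location: location
  sku: { name: skuName }
  kind: 'StorageV2'
  properties: {
    supportsHttpsTrafficOnly: true   // no plaintext access
    minimumTlsVersion: 'TLS1_2'
    allowBlobPublicAccess: false     // no anonymous blob or container access
  }
}

// Outputs return values to the deployment caller (or to a parent module).
output blobEndpoint string = stgact.properties.primaryEndpoints.blob
'@
$bicepPath = Join-Path $work 'main.bicep'
$jsonPath  = Join-Path $work 'main.json'
Set-Content -Path $bicepPath -Value $bicep

# 1. Compile (transpile) Bicep -> ARM JSON.
bicep build $bicepPath --outfile $jsonPath

# 2. Preview. New-AzResourceGroupDeployment accepts the .bicep file directly when
#    the Bicep CLI is installed, and exposes template parameters as cmdlet parameters.
New-AzResourceGroupDeployment -ResourceGroupName $rgName -TemplateFile $bicepPath -skuName 'Standard_LRS' -WhatIf

# 3. Deploy and read the output.
$deploy = New-AzResourceGroupDeployment -ResourceGroupName $rgName -TemplateFile $bicepPath -skuName 'Standard_LRS'
$deploy.Outputs['blobEndpoint'].Value

# 4. Decompile the generated ARM JSON back to Bicep and compare with the source.
$roundTrip = Join-Path $work 'roundtrip.bicep'
bicep decompile $jsonPath --outfile $roundTrip
Get-Content $roundTrip
```

The decompiled file will not be byte-identical to the source: comments are lost in the JSON, and the symbolic name comes back as a generated identifier, which is a useful reminder that comments and symbolic names exist only for the reader of the Bicep file, not for Azure.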

Getting Started with Bicep, an ARM DSL for Azure

Note: This is one part of a several part blog series that goes through Azure Bicep

What is Azure Bicep

Bicep is a Domain Specific Language or DSL, for deploying Azure resources in a declarative manner. It ‘aims to drastically simplify the authoring experience with a cleaner syntax and better support for modularity and code re-use. Bicep is a transparent abstraction over ARM and ARM templates, which means anything that can be done in an ARM Template can be done in Bicep.’1

Bicep moves away from the JSON syntax used by ARM Templates to something similar to HCL in Terraform. The end result is a syntax that is easier to both read and write. Bicep code is converted into ARM Template code (JSON), and then the resulting ARM Template code (JSON) is used to deploy your Azure resources.

One of the key benefits of Bicep over another DSL like … Continue...

Get Early Voting Locations, Drop Off Ballot Sites, and Election Polling Places with PowerShell

The 2020 Election is happening on November 3rd, and many people have been lining up to vote early due to COVID-19. Now using PowerShell, you can get your registered polling places based on your address, all early voting locations around you, and drop off ballot locations. All of the information is retrieved using Google’s Civic Information API.

Features

Early Voting Locations

To get early voting locations you can use Get-EarlyVotingPlaces or Get-EarlyPollingPlaces. It returns as many results as the API provides and shows you each location's start date, name, polling hours for each day, address, city, state, and ZIP code.

Ballot Drop Off Locations

If you have a mail-in ballot, you can look up drop-off locations by using Get-BallotDropOffLocations or Get-DropOffBallotLocations. Note: Not all states publish this data. You will get a maximum of 10 results back and it will show you the start … Continue...

Text your Azure Infrastructure with Serverless Computing and PowerShell

Due to COVID-19 and social distancing, I have found myself camping a lot more than in previous years. One problem that has come with it is the high probability of being somewhere with no or poor cell phone data service. Coupled with my incredibly poor memory, I have often forgotten to turn off servers in my dev or test environment to save on cost until I'm out in the woods. I also wanted the ability to use Google Voice, as well as Siri in my car or even at home, to turn off, turn on, or check the status of my servers in my Azure tenants. This has even come in handy when I didn't have my phone on me and had to use my wife's phone to turn some servers in my tenant on or off. (I set it to only accept messages from my phone … Continue...