Tag: Security

Information security related article

High level overview of Azure Policies/Initiatives

This is a quick introduction and testament to my experience using Azure Policy within the Azure portal.

What problems do Azure Policies solve for our organizations security?

Azure policies allow us to future proof and audit our Azure resources for vulnerable configurations. There are a few parameters/effects that allow us to either “audit”or “deny” configurations we don’t want taking place unknowingly or maliciously. Additionally we can also leave an effect in “disabled” mode.

For instance we can use a “deny” effect with the policy definition called “Storage account public access should be disallowed” and this stops anyone from creating a blob storage account with public access BUT it will not remediate already configured resources, that is another matter.

How/when/where can you apply the policies?

Use Initiatives to group multiple definitions or directly apply a single definition.

Additionally you can apply policies via Defender for Cloud’s “Regulatory Compliance” blade which for the most part are just canned initiatives with various definitions pertaining to a compliance standard ie; SOC2.

My strategy to using the Compliance based standard Initiatives is to deploy those you care about across your subscriptions/Management groups/Tenant since they deploy in an audit mode(Although you should confirm this by checking all the definitions). This will give you an idea about how vulnerable your environment is based on the standard. From this point to deny resources I’ve found the best method is use your own custom initiative via the Azure Policy blade because this will avoid confusing parameters within the standards based initiatives which are set to target on a larger scope. With your custom initiatives you lower the scope to say one test subscription. This will reduce the impact of a policy that could break something unintentionally.

Additionally using your own initiatives can slowly incorporate definitions for controls you’d like to roll out at your convenience and keep things ordered and clutter free.

How can you remediate vulnerable resources?

This is possible with definitions that use that allow for the “DeployifNotExists” effect value. The initiative itself will create a system identity that can be used to apply the changes across resources.

This is just an overview to better understand the options available from a high level perspective. Before deploying any changes as always a test subscription or resource group should be used to verify things will work as expected.

App-only Authentication for Exchange Online w/Powershell

A modern authentication alternative to using service accounts in your Azure Active directory environment that may otherwise have to bypass basic authentication protections in order to perform unattended scripting operations.

Pros:

  • Not needing to bypass the Modern Authentication enforcement in your Conditional access policies or MS365 settings.

Cons:

  • Anyone with the certificate and application information could possibly authenticate to your exchange environment so the certificate should be highly guarded.

Checking if you have accounts on different Authentication profiles that are bypassing the security defaults. Powershell commands:

# Connect to Exchange 
Import-Module -Name ExchangeOnlineManagement
Connect-ExchangeOnline

# Get all policies
Get-AuthenticationPolicy | Format-Table -Auto Name

# Get a particular users policy
 get-user -Identity service_acct | select AuthenticationPolicy

 # Set a particular users policy
  Set-User -Identity service_acct -AuthenticationPolicy "Block Basic Auth"

DISCLAIMER: Please follow your own security protocols. This is just a demo.

Demo video on setting up an Azure Automation runbook to use a registered application.

This starts from building the automation account to finally executing a script that will connect to Exchange Online and perform commands.

https://youtu.be/AMiVCqUfkb0
  • REF: https://docs.microsoft.com/en-us/powershell/exchange/app-only-auth-powershell-v2?view=exchange-ps#set-up-app-only-authentication
  • REF: https://docs.microsoft.com/en-us/exchange/clients-and-mobile-in-exchange-online/disable-basic-authentication-in-exchange-online#create-and-apply-authentication-policies