Episode 178 – Securing remote work using M365

In Episode 178, Ben and Scott dive into what you should think about when securing Microsoft 365 at a high level and run down the areas you’ll want to focus on first.

- [Ben] Welcome to Episode 178 of the Microsoft Cloud IT Pro podcast, recorded live on May 15, 2020. This is a show about Microsoft 365 and Azure from the perspective of IT pros and end users, where we discuss the topic or recent news and how it relates to you. In this episode, Scott and Ben take a high-level approach and run down what you should consider when securing your Microsoft 365 environment, based on recently published recommendations from Microsoft.

- [Scott] Mic check one, two, three.

- [Ben] Mic sir?

- [Scott] Sure.

- [Ben] Are we checking for Mic?

- [Scott] Why not, let's do it.

- [Ben] We're gonna get zoom bombed by mic.

- [Scott] That's how your week's gone, huh? I say my, I say mic check and you're gonna make mic jokes.

- [Ben] I'm gonna make mic jokes. You know what I got a lot of sleep last night after not sleeping the night before. So that may affect my sense of humor.

- [Scott] So either way you would have been grogging out of it. Love it.

- [Ben] Yeah, pretty much. However, I did make an upgrade to our home network today.

- [Scott] Oh, yeah?

- [Ben] Yes, I now have.

- [Scott] You renamed the WiFi from "FBI surveillance van" to "stay away, there's COVID."

- [Ben] No, but that would be kind of funny. I now have redundant internet coming to our house. It was even more nerdy than renaming the WiFi.

- [Scott] Oh, cool. So you run everything into a router that's gonna support that failover for you then?

- [Ben] Yep, I have a UniFi USG, and it has a LAN. Well, so it has a LAN and WAN, and then a LAN slash WAN. So you can use it for whatever you want to. So right now it is set up as two LANs and I have an AT&T going into one WAN, Comcast going into another LAN. And if one of them drops, it automatically fails over.

- [Scott] Perfect, can you bond those connections together and use them both at the same time? Or is one just strictly there for failover?

- [Ben] So technically, I could.

- [Scott] Technically.

- [Ben] Technically I could do.

- [Scott] I could have even more bandwidth. Like I can see you like the Infinity Gauntlet in your hand, you're just squeezing.

- [Ben] Yeah, I could do lots of things. So I did test it, I actually like reached over and just turned off my Comcast modem. And AT&T picked right up and turned it back on, it flipped over, I could see it in all the logs where it switches your primary WAN connection, however, what I think I'm going to do. So Dan Patrick, over at CES Alliance wrote an article about this on the Build Five Nines site. And he and I were actually talking about this and trying to figure out some of the routing, I think I'm going to stick a bunch of my family and streaming devices on one WAN connection, and keep the other one for work stuff now as all of that-

- [Scott] Gotcha.

- [Ben] All right?

- [Scott] Well, yeah, you might wanna just like separate them and keep them all on one and potentially do the failover thing, right? 'Cause then if you put one on one and one on the other, if one goes down then stuff.

- [Ben] So I think, and I need to go through Dan's article and probably talk to him a little bit more about how he did it, is you can do both, where it still works as a failover. And you can have them on both VNets. So it's essentially like two VNets that, you can do policy based routing, but then it still will fail over when it fails over. I need to dig through all of it a little more.

- [Scott] Gotcha. Yeah, it's a little bit of a setup to do what he was doing. 'Cause yes, he was doing a couple things with like policy based routing on his USG user.

- [Ben] Yes, exactly. So I'm gonna go through that. I may try to do that because it would also help with my other problem is that Xfinity limits you to so much bandwidth a month.

- [Scott] Not right now, they don't.

- [Ben] Not right now they don't. But when they do go back, so I've been paying for extra because I have a tendency to go over my allocated bandwidth.

- [Scott] I do the same thing you do. Yeah, we're limited to one terabyte and everybody says, how do you go through a terabyte? Well, try having two kids at home who are streaming everything all the time. My job requires streaming like, what was I doing today? Oh, yeah, just doing some deployments and trying to test them locally meant downloading, not just a bunch of ISOs and doing installs, but full VHDs for environments. So those really don't like zip up and compress very well. So it's easy to blow through 20 gigs in a small download. And then you kind of do that every day a couple times. And it adds up quick.

- [Ben] Yeah. So see, what you can do is you can get redundant internet. Because now you're paying almost the exact same amount. And it's like five or $10 more to have a second internet connection. Technically, now, instead of paying $50 for unlimited, I just have two of them, and I have two terabytes, which I don't know that I've ever gone over two terabytes.

- [Scott] Only if you split your traffic the right way.

- [Ben] Right, so that comes back into some of those policy based, if I can split all my streaming over one, and all my work over another, I might be able to get away with dropping my unlimited internet and putting that money towards my redundant internet.

- [Scott] Interesting. I guess that works if you live in one of those magical places, so people internationally are laughing at us 'cause they're like, what do you mean magical place? Well, one of those magical places where you can have two internet providers. The neighborhood I live in is one of those magical places where it is Comcast or Bust.

- [Ben] I'm sorry.

- [Scott] Oh, well, I could get AT&T like DSL, but it's really, really, really slow. It's not worth it. I miss my days at firehouse, let's put it that way.

- [Ben] Fair enough. I like my Comcast, so I have the Comcast one gig. That's my main one. And that also helps you go over your internet in a hurry when you can transfer data at a gigabit per second. You can blow through a terabyte really quickly. And then my AT&T is like 50 Megs, so that is most definitely my backup. And I don't know if it'll work for streaming, we'll have to see. But that is my non-Cloud related not news for the week.

- [Scott] Good for you. I'm glad you're geeking out in all the right ways over there.

- [Ben] Yes, I do. Outlook add-ins are a great way to improve productivity and save time in the workplace. And Sperry Software has all the add-ins you'll ever need. The Save as PDF add-in is a best seller, and is great for project backups, legal discovery and more. This add-in saves the email and attachments as PDF files. It's easy to download, easy to install, and Sperry Software's unparalleled customer service is always ready to help. Download a free trial at SperrySoftware.com, S-P-E-R-R-Y-S-O-F-T-W-A-R-E.com, and see for yourself how great Save as PDF is. Listeners can get 20% off their order today by entering the code Cloud IT. That's Cloud IT, C-L-O-U-D-I-T, all one word at checkout. Sperry Software: work in email, not on email. So should we get on to our topic or do you have any not news you wanna talk about? Any Build sessions we should pay attention to now that the schedule's out?

- [Scott] So I haven't looked at the schedule for Build, but I did go through my Build attendee box and hang my lanyard up with all my other lanyards. I think there's gonna be in general, I think Build will be a little bit more developer oriented this year. It looks like it has less kind of market texture sessions. Like certainly there's the keynote and things in the beginning. But there's a pretty wide variety of sessions out there, wait, I think I saw in the catalog, they even have a couple of sessions on, like, dedicated to Rust. They're going in a certain way. If you are signed up for Build, awesome, go take a look at the catalog. If you are not signed up for Build, go register and put that in and or go view any of the videos or things afterwards. It looks like they're limiting session registrations. So some sessions are filling up, which I find funny.

- [Ben] You know what I just realized, Build's gonna be over by the time people hear this, I think.

- [Scott] Yeah, well, well they can go watch the video soon.

- [Ben] Go watch the videos.

- [Scott] They will all be recorded.

- [Ben] Yes, if you're listening to this sorry you missed Build go find videos.

- [Scott] It'll come back around again. It'll be there someday.

- [Ben] Yes exactly. I did not get a Build box, I was not on the, I was not quick enough, I was too slow. Because it looks like they only sent those out to like the first few thousand attendees. I don't know how many the first few thousand is, but I was most definitely not in the box list. And I think I've seen some others that were not in the box list as well.

- [Scott] Gotcha. Yeah, I was so it was a, what was it? It was like a bamboo lunch box. It was some stickers, some socks, a lanyard and kind of a welcome to, oh welcome to Build card so.

- [Ben] Got it.

- [Scott] So it was a nice thing to get. But it's not like you're missing out on a free Surface Go or something like that.

- [Ben] Well, I kind of wanted the socks. But other than that, I'm fine. However, if you are listening to this, and you missed out on the Build box and you want swag, let us know via Twitter or Facebook or some way, go to the podcast, leave a comment. Because we have a ton of stickers that we don't have anywhere to give out because life has been canceled. And we will send you stickers because I have like 500 of them in my office and nowhere to go with them. So it's not Build swag, but we have swag, if you want it, let us know, we'll send it to you. Shameless self promotion of the podcast and our stickers.

- [Scott] Gotta do what you got to do.

- [Ben] Hey, it is what it is. All right, so our topic today, we previewed this topic last week. We said we would talk about it, so we probably should.

- [Scott] Okay.

- [Scott] Let's do it.

- [Ben] It's Friday afternoon. It's been a lot of time inside our practical guide. So this is all coming from one article that you sent me that I have not read yet because I am way behind on my RSS blog reading, or I just didn't see this. But this is a practical guide to securing remote work using Microsoft 365 business premium. So last week, we had kind of talked about, hey, Microsoft 365 business premium is not as bad as those business plans used to be, it's probably worth going out looking into, definitely a better service than it used to be with some of the changes, improvements, services they've added. And now there's this practical guide that gives you a whole bunch of recommendations, configurations, things to do to help secure that, especially in this world of remote work. So we said, we'll kind of talk through this if you wanna go out and buy Microsoft 365 business premium, you have under 300 users, and you wanna know the best way to secure it. Here is some practical guidance from an article and from the mouths of Scott and Ben, and we'll see if we agree with this whole article. You know, I think guidance is good. You always have to pick what you're going to implement there. I see a lot of folks who get very frustrated when service providers like Microsoft come in, and not sometimes only say, here's some guidance for you, but they potentially implement that guidance automatically. So maybe like turning on MFA for your accounts or things like that.

- [Ben] Or security defaults.

- [Scott] Or security defaults, what used to be baselines, yes, all those kinds of things. I think it's nice. Well, it's easy to fall into the trap of saying they keep turning this stuff on. So I'm just gonna ignore it and kind of go to the side, versus hey, they keep turning this stuff on, do I need to use all of it? Or should I maybe actually be using just some of it? Like, let me take a look at some of the things they're doing and see what needs to happen along the way, because your situation is gonna be different than mine. So when we break down some of the features, it's very much and it depends, or situational kind of choice for us to see where we wanna land out.

- [Ben] Right. So this article kind of walks you through, and this article does that a little bit too. It helps you think through some of it. So the first part has some of these steps and actually enabling it. There's seven steps that it walks through in terms of, like setting up your tenant, identity protection, email protection, information protection, Teams security, devices and remote access. But then as you go down, it also says so as you go through these phases, different companies, different SMBs, in this case, because we're gonna be primarily looking at under 300 users due to the license constraints, fall into typically two common scenarios, although there's probably people that fall somewhere in the middle of this, they want certain features, they don't want others, maybe compliance. But they have a normal scenario, which they consider a typical business that wants to enable secure remote work, balance kind of ease of use with security, and then a high risk for somebody that is really trying to maximize security, maybe they have HIPAA compliance needs or other regulatory requirements, that cause them to need to be significantly more secure than they are normally or than they are by default. So it gives different settings and different things to think about in these two different scenarios. And like you said, you could fall somewhere in the middle, you don't necessarily need all of these, it's gonna guide you through what Microsoft might think you need, given one of those two scenarios.

- [Scott] And these aren't the only two scenarios that are out there. So I would also encourage anyone who's interested in security guidance for Office 365, or Microsoft 365. Maybe you're listening to this and saying, well, it's great that they enable these features for Microsoft 365 business premium, but I might not have all these features just with my Office 365 E3 or E1 or F1, whatever it is. They actually do publish way, they publish deeper guidance, and I wanna say it's way better. But it's much deeper guidance out there, for different types of organizations. So one of the ones that I like to go to for security guidance is one that's for political campaigns. So if you think about political campaigns, they're typically going to have not the most computer savvy types of folks who are gonna be your most high risk targets. Their job isn't to use computers, their job is to be politicians. And, you know, hopefully, most forward a little bit.

- [Ben] The ways we could go with this discussion right now.

- [Scott] I understand that, but I look at things like that. Like, it doesn't matter if you're a politician, or you are someone who works in the HR department at your organization, like you're probably not a computing expert there either. And especially with the tools that we give you with email, and SharePoint, and Exchange, and Teams on the back end, and Yammer and all these other things. So I think a lot of those guides are super helpful as well, so I'll make sure I put a link to that guidance out there. Like I think everybody should look at the one that's guidance for political campaigns and non-profits. Like take those two and go through them and take a look at what's in there. And I bet no matter what your organization is, even if you're not a political campaign, like if you are an enterprise, a small business, a medium business, you will find some actionable guidance in there.

- [Ben] Yeah, well, I think that's a boat a lot of SMBs find themselves in. And I've had some clients too, that are not the 300. But they're five, 10, 15 employees, kind of like you said, they're not all computer savvy. They're not necessarily focused on security. Some of them may even be dealing with HIPAA stuff, you think about like a small dentist office or doctor's office or something like that, that these are gonna be really good guides for them to go through or to have someone sit down and go through with them, to really help secure their Office 365 environment, especially given the current state of things with everybody working remotely, working from home, maybe working on their own devices at home, there's a lot of things to still think about and consider for those types of companies.

- [Scott] Just a few.

- [Ben] So should we start working our way kind of through this article and talk through some of the things that they recommend?

- [Scott] Yeah, let's do it.

- [Ben] All right, so the first area, setting up your tenant, most people have probably already gone through this, they have one set up, if they don't, these are things you can think about setting up, or settings that if you do have it, you may wanna go in and think about going in and configuring. So these are gonna be tasks that are typically done when you set up a new tenant, things that you think about then. Again, you might go through and change them. So this one when it comes to recommended settings for normal versus high risk, there actually is no difference. All of these sections are going to give you a table, and at the top, they have the task, and then a column for normal and high, and then underneath they have an explanation of what you should do. So setting up the tenant, at least when it comes to just that initial setup, it talks about deciding between like hybrid and Cloud only. This one is really gonna depend not so much on if you should set it up or not. But if you have on-prem AD or not. I would argue, no matter who you are, if you have on-prem ID, or on-prem AD, you should be setting up hybrid, you should be using Azure AD Connect and syncing your tenant or your users up there. If you don't have a current AD on-prem environment, and you don't ever have plans for one or need one, there's no reason to do hybrid. So this one essentially says do hybrid, do Azure AD Connect. Yeah, as long as you have an on-prem AD controller, do it, do password hash synchronization, enable Single Sign-On, use your user principal name for your primary attribute, set up password writeback, so you can do your password resets in the Cloud. If you're gonna migrate email, you can think about that. And then set up your DNS based on what you're gonna use it for. That one is pretty straightforward in terms of setting up your tenant. And I think I don't have a whole lot on that, that I would say, think about other than do you have an on-prem domain controller or not?

- [Scott] Yeah, I think one consideration there is lots of people tend to read Microsoft's documentation, and especially in areas like hybrid identity. So you'll walk down that path, you'll say, great, I have on-prem AD, I'm gonna do AD Connect. And I'm never gonna do Cloud identities for anything. Just make sure you leave yourself that Cloud identity for a break glass account, or like emergency access to your environment. So don't lock yourself all the way out of your tenant by doing something crazy along the way. But most of it's pretty straightforward. And AD Connect is about as next, next, next of an implementation as you can get these days. So especially if you just need it in its default state to get you up and going, and get your on-prem identity into Azure Active Directory, and then being able to consume those entities, so those users and groups, directly within your M365 services or your Azure services, or other services.

- [Ben] And the other thing I would say is, so this gets kind of goofy. I don't know if this gets outside of SMB or not. But as you get further down through this article, it does talk about like Windows Virtual Desktop, for doing remote access, RDP into those terminals using the virtual desktop. If you think you're going to go that route, which is like way down in the document, you may actually want to set up an AD controller, or an AD server in Azure. So just because you may be Cloud only, doesn't mean you don't want that domain controller up in Azure, especially if you are going to do Windows Virtual Desktop, because right now some type of domain controller, either Azure AD Domain Services or a standard domain controller, is required. Truth be told, a standard AD controller is cheaper and it was. And is required.

- [Ben] And is required, while you can do it with Azure AD Directory Services. But that one gets more expensive. And it's not quite as straightforward when it comes to setting things up, in my opinion, as just throw up a domain controller and sync. Throw up a domain controller, cheap VM in Azure, sync it up to Azure AD with Azure AD Connect. And then you could do Windows Virtual Desktop and some other things as well.

- [Scott] Yeah, your possibilities certainly start to open up.

- [Ben] Yeah, I actually have that running in my environment.

- [Scott] Once you give yourself some of that flexibility.

- [Ben] I'm just one person and I have it set up so I can play with stuff, test stuff out, use it for different things. So kind of once you have that set up, it goes through some of the identity protection. This gets into what you said, plan for admin access, who's that admin gonna be? Like you said, do a Cloud account. Don't do all synced accounts. Set up some dedicated admin accounts. Don't make all your users admins. The one difference they have here is going security defaults versus conditional access for normal versus high risk. I would do conditional access for everybody. I don't like security defaults, in 100% transparency.

- [Scott] If you're licensed for conditional access, it's going to give you the most flexibility. And flexibility in this case is gonna be really, really key to getting you going. And kind of being agile as you approach your implementation of zero trust and identity security within there.

- [Ben] And if you're talking Microsoft 365 premium, you're gonna have conditional access, because it's now included with all your Microsoft 365 business premium subscriptions. So I've seen people saying, hey, I wanna do MFA. Why is it only letting me do the app? And a lot of people didn't realize or didn't catch that when security defaults became the new default, that doesn't allow MFA with anything except the authenticator app from Microsoft. So that in itself is a reason to go to conditional access, because how many times does the app not work, you're in a spot where your phone's not giving you a push notification, if you just wanna be able to log in with a text message, or you need to give somebody else the text message, for some reason, to be able to log in as you and take a look at something. Not a best security practice, but let's face it, it happens where you need to give somebody the code so they can log in with your account for whatever reason, they're getting a text message, you wanna be able to pull a code off their phone, all of that you can do with conditional access; with security defaults, you're locked into that app.

- [Scott] Yeah, we'll just leave it as friends don't let friends do security defaults, if they have better options.

- [Ben] Yes, absolutely.

- [Scott] I think the thing there is really you're talking about kind of a range of functionality and the options that are in front of you. So depending on your licensing, should you wanna put yourself in a better posture, there is an option out there for you. It's just, it's like everything else. It has constraints and considerations. So are those gonna drive the right behaviors, or allow you to continue to do business the way you wanna do business? If the answer is no, then don't implement.

- [Ben] Yep, absolutely.

- [Scott] That's part about Cloud. Being really straightforward and self aware as you assess features.

- [Ben] Did you just use Cloud and straightforward in the same sentence?

- [Scott] I did.

- [Ben] It used to be.

- [Scott] Oh, come on, it still is.

- [Ben] Once upon a time. Okay, so what about email protection? Any thoughts on this one?

- [Scott] I think for most customers, like if you're looking at M365, hopefully you're looking at migrating the majority of your email traffic and mailboxes, and underlying workloads that are supported by those, up to Exchange Online. I think you get everything into Exchange Online and it just makes your life easier. Whether it's storage, having access to potentially EOP or other types of filtering technologies that are up there. You can do like native Office 365 quarantine, you can still use other third party quarantine services if you want to, like if Proofpoint's your thing, then go ahead and do that. It's still super flexible for you. But I think it just gives you a lot more agility when it comes to kind of, if anything, even outside the security, just mailbox management, 'cause you're not managing those on-prem Exchange environments anymore and worrying about how much space did I consume? Am I backing everything up the right way? Did we actually test our backups and restore, and all that just kind of falls to Microsoft, which gives you some more time in your day to do the important things. You just have to be aware again, of kind of like quirks of Office 365. And maybe the way like Microsoft automatically trusts other Office 365 tenants. So you might see weird spam in weird places, maybe you've got to configure some additional transport rules, but that's all pretty doable, and really, honestly, well baked and well known at this point.

- [Ben] Yeah, and this one does have a lot of different settings that they have different recommendations for based on your normal and high risk. Some of their normal ones, I would take the high risk approach when it comes to some of those things like your DKIM and your SPF. I like my email secure. I feel like when you talk to different companies, that's the way most people get in, whether it's ransomware or getting user information or getting bank accounts. It is usually not because they guess your password. Well, that does happen. It is usually somehow through email that I feel like you hear about these breaches starting, or that's where the information initially comes out. So my opinion when it comes to email is, I would probably go with some of the high risk scenario settings or all of the high risk scenario settings no matter what boat you're in, because that does tend to be a point of data leakage.

- [Scott] I think one thing to consider there is, lots of people look at maybe some defaults that are here. So like enable a transport rule to block auto forwarded email. Like, all right, that gets you a little bit of the way there. But let's be honest, transport rules are way more powerful than that. I recommend if you're looking, Microsoft doesn't give like great recommendations for default transport rules or like things you should think about implementing on top of that. Thankfully, we have fun folks on the internet, like SwiftOnSecurity, who have authored like GitHub repos that are full of just really awesome anti-phishing exchange transport rules, that you can go and implement. And you do that plus quarantine. And you're in just an awesome place for kind of cutting down on all the noise that comes through in your life and hopefully making everything better for those users along the way. Right, the more that you can filter out and be sure that it's gone, the less you need to be in front of your users all the time going don't get phished.

- [Ben] Yep, absolutely. Yeah, there's, spend a lot of time on the email security is kind of what would come out of that. We'll put some links to some of that in the show notes as well. As IT professionals in the Cloud era, sometimes it feels like we don't speak the same language as the rest of the organization. So when stakeholders from finance or other departments start asking about a specific project or team's Azure costs, they don't always realize how much work is involved in obtaining that information. Sifting through cluttered CSVs and a complex mess of metadata, in order to manually create custom views and reports. It's a real headache. On top of helping you understand and reduce your organization's overall Azure spend, ShareGate Overcast lets you group resources into meaningful cost hubs and map them to real world business scenarios. This way you can track costs in the way that makes most sense with your corporate structure, whether it's by product, business unit, team or otherwise. It's a flexible, intuitive and business friendly way of tracking Azure infrastructure costs. And it's only available in ShareGate Overcast. Find out more on sharegate.com slash IT Pro. So the other area that's kind of along the same lines with email security is your information governance, especially if you're starting to put documents up in SharePoint, you have documents in your Teams files, which, newsflash, is also SharePoint, if people have missed that. So if you have files in SharePoint, even through emails, that information governance policies, some of the recommendations here, apply to all of the content. Some of it applies to Teams conversations, to, like we said, files, data in SharePoint, emails going out. This is when you're gonna start looking at setting up some of that data loss prevention. And they do have recommended default policies for data loss prevention. And if you do need to go to that other level where you need to start putting things like HIPAA in place, or GLBA, or CCPA, although CCPA doesn't really apply to data loss prevention, PII, all of that type of stuff. There are a lot of pre-configured data classification types that are out there in Office 365, that you can configure to help keep that data from leaking out. So this isn't about a hacker getting in, or somebody sending you a hacking email, as much as it is making sure you're not compromising information that you hold, whether it be on employees, or patients or anybody else. But protecting that with some of the data loss prevention, you have email encryption, so you can send encrypted email based on subject lines, based on auto detected information using something like sensitivity labels in Office 365. There's retention policies that can get put in place if you're in one of those companies where a law office or CPA where certain data has to be retained for seven years, or if you as a company didn't retain your financial data for seven years, and you wanna put those retention policies on data, you can set up retention policies, sensitivity labels, again, to classify data as a certain type of information, whether using some of those default sensitivity labels or creating your own, to really help categorize content that's within your Office 365 environment. And then apply policies to it to help ensure that that data is being handled properly.

- [Scott] There's way more to dig into on that one. I always think some of the compliance features that come up along the way, particularly once you get into like Microsoft Information Protection, it looks just like a race car zooming off into the distance, and you're kind of standing there going like, whoa, I can't see any, I can't see it anymore. And it's also an area that's rapidly changing. So the one thing I think, like when it comes to information governance, it's always a good idea to just do the KISS thing. Like, really keep it simple. Start small, and if you see something you don't understand or you don't know about, or you don't think it's helpful, like, just skip that for now. That's okay. Not a problem. Easy enough, you can always come back and do it later, or you can wait until there's more guidance out there. I think today, if you went and read, like the documentation for how to implement, like auto classification with sensitivity labels, you'd go cross-eyed and just bang your head against the desk for a while. And good luck if you can actually get it done.

- [Ben] Yeah, and maybe it's my background. But even going through this, I would consider this one, of all of their recommendations, the most complex and the most time consuming to properly set up and configure. Like if I had to go implement this for a company, this would probably be the first one of all of these that I would go look for somebody that's an expert in information governance, taxonomies, content management to help me with, because this topic, if you like, more than the others, tends to involve different things with legal departments, with HR departments, understanding laws and regulations, and all of that. This is not a simple topic in my mind, or as simple as all of the other security topics discussed. And like you said, if you're gonna do it, definitely start simple and keep it simple. Even if it's just starting by encrypting email and giving users the option to throw something into the subject, confidential, whatever, and encrypt email with certain information in it.

- [Scott] Yeah, I think it's a hard area to get into. Like I said, the guidance there is rough in the Docs. And if you think about a customer implementation for just about all these other areas, we could say, hey, if you have enough seats, go and do FastTrack or something like that, like there would be somebody at Microsoft who could help you even from a first-party vendor perspective. For all the time that MIP and information protection and all these features have been out, Microsoft still has not GA'd a compliance offering within FastTrack. Like they're getting ready to do it now. But it's been out for a few years in the field as a feature. So I think even from that side, finding something outside of Docs or actual information, you're gonna be stuck with either blogs or consultants. And if that's not your thing, then just wait a while. It'll come eventually. Hopefully.

- [Ben] And if you love it.

- [Scott] I'm just hoping it will.

- [Ben] If you wanna get a little bit more of a complete story, I would say it is by no means in depth, but we did have that podcast interview we did back at Ignite in September, where we kind of talked through the roadmap, 'cause this product has changed names. Its functionality has evolved. We have a whole podcast just on the whole AIP, MIP, whatever the first letter is, IP, roadmap story, where this is all going, how it's all evolved, and a few more details about some of this stuff. So we'll link to that one in the show notes as well. The article keeps going, Scott. Well, there's a lot more there. You still got Teams, you got Device Management, you've got access to other apps.

- [Ben] Access to other apps. We should at least do Teams and Device Management, or we're gonna lose our reputation for a nice 30-minute podcast. But security is important. Configuring Teams security. So some of this ties into your information governance, because you're gonna have the DLP, and it ties into SharePoint security. But there's also different things you want to think about with Teams security. And there's a couple I wanna call out on this list in particular. One is third-party Cloud Storage. This is one a lot of people don't realize, is that by default in your Teams environment, if users go to Files and add storage, they can add Google Drive, Box, Dropbox, and Citrix ShareFile. And I think I saw Egnyte is coming, not Ignite the conference, but Egnyte, like E-G-N-Y-T-E I think.

- [Scott] Yes yep, that's gonna be a new one.

- [Ben] Those are all coming. And anybody in your organization by default can add those to a Team, sign up with an account, and all of a sudden you could start ending up with files in one of these third-party services and not necessarily be aware of it. Microsoft does give you the option to go in and turn all of these third-party Cloud Storage options off within your Teams environment so users can't add them. That is one where their recommended setting for a normal scenario is to leave it as default and let people do that. I would argue that that one should maybe even be off by default, because now all of a sudden you start having that information, data leakage, into other services, especially if you're trying to get into the whole Office 365 ecosystem, do the DLP, set up the security. That's a big one, in my opinion, in this list of recommendations.

- [Scott] I'm with you there, I don't think you enable that one by default, especially if you don't understand what Cloud Storage services are being used within your organization. Now if there is any question where you can't walk in and say, yes, people are using Dropbox or Google Drive, or anything else, then you don't wanna just let them arbitrarily add that to Teams, and then have that option there where they can easily have exfiltration of your company's data out to those services. It's not that you still can't have that, because obviously they can open a web browser, they can drag and drop into Google Drive or whatever it is, but you're at least making them go through the extra hurdle of doing that until you can implement some of those other solutions, maybe like a CASB, or something like that.

- [Ben] Yep, a couple other ones you may wanna think about is Guest Access, if you're gonna allow your users to invite guests into your Teams environment. Teams creation by users, are users allowed to create Teams on their own. If you're doing Office or Microsoft 365 Business Premium, you're gonna have EMS, which means you have Azure AD Premium, which means you can go limit group creation, which would in turn limit Teams creation, so not anybody could do that. External chat, if you're gonna allow users to chat with other Teams users, external users, external Skype commercial users. And then you do have a bunch of policies you can go configure as well around what people are allowed to do in Teams, in terms of what types of messages they can use, what types of add-ins they're allowed to use. Different settings there, but I think some of the users creating Teams, third-party Cloud Storage, and possibly external chat are some of the bigger ones there that you probably wanna think about going in and configuring when you're getting going.

- [Scott] Yeah, I think they're the most light touch too. When you get into the messaging policies, there's so many of them. And I think it's easy to get lost in the sea of configuration options that's available to you. And then once you go down the path of customizing messaging policies and meeting policies and settings and things like that around them, all of a sudden you're off the beaten path. So you might not get Microsoft's defaults in the future. You have to pay attention when new defaults come, or those features that you want or don't want, which accounts do you apply them to? It's a lot more operational overhead for you.

- [Ben] Exactly. And then if you are using Teams, and there's files involved, there's the whole SharePoint side to think about too, with the files in SharePoint. Device security, this one can also be very complicated depending on what you wanna do with devices. I think there's some simpler things you can do there, especially with some of the MAM policies that we've talked about before. It's been a while, but there's a lot of things you can do around managing devices, without, sounds funny, managing devices without actually managing devices, and more managing the data and the apps that are on those devices.

- [Scott] Yeah, well, I mean, we've talked about that in the past. I think it's all about your posture and, are you BYOD, like, how do you view that for your organization? And where do you wanna be, heavy handed or not heavy handed within there?

- [Ben] Yep, sorry. And it's not MAM anymore. Don't look for MAM, look for app protection policies. And if you want the acronym for app protection policies, that's APP.

- [Scott] Yes, why would it be called the same thing that all the other vendors call it? That would be too easy?

- [Ben] Yeah, I mean, you do have Intune. So if you do wanna do the whole full-blown Device Management, you can use Intune. You can do Device Management. Most of the time, like we said, app protection policies and conditional access combined can do a lot to really help secure your data when it comes to different devices, mobile devices, that type of stuff. So that's always where I start with clients. When I start looking at that, it's those app protection policies and conditional access.

- [Scott] Yeah, I mean, they're easy to get going with. Like, they're nice, they're consumable, and to a certain degree, you can next, next, next your way through a lot of those.

- [Ben] Yep, absolutely. And then the last step they have in here is securing access to other apps. I would say this one also gets a little bit more complex. They start talking about split tunneling your VPN, setting up single sign-on with third-party apps, standing up Windows Virtual Desktop. These are gonna be a little bit more complicated. Some things may be a little bit more costly, something like Windows Virtual Desktop. While the licenses are free for Windows and the apps, you're still gonna have to go start setting up Azure, paying for VMs, that type of stuff. I will say, though, that Windows Virtual Desktop, in terms of configuration and standing up, is relatively simple. I've done it in about four or five hours. I actually have one set up right now that I was gonna use for a demo that has like five different test users. They can all log in, they can get into different desktops, use Office 365, use Teams. It's a nice solution if you're a small business looking for a VDI-type solution.

- [Scott] Yeah, I mean, it's turnkey, and if you're getting into it today, you're getting into the new version of it, so you don't have to migrate, which is nice.

- [Ben] Yes, and you can actually configure it in the UI, instead of having stuff that's only visible within PowerShell.

- [Scott] Well, isn't that nice.

- [Ben] I like nice GUIs. But yeah, the Azure AD single sign-on, with those small business plans, you're going to have that option. There's usually some configuration that goes in there, and sometimes it's also how you're licensed with those third-party apps, and if those third-party apps support Azure AD single sign-on. A lot of them do, I think there's over 3,000 Cloud apps or other apps that are listed in Azure that support single sign-on, but for some of those you do have to upgrade to higher licensing levels for those other Cloud apps in order for them to support single sign-on. So it's not just, I have Azure AD single sign-on capability, so I can go do this with all the other apps. It's, do those other apps support it, am I licensed for it in those other apps as well.

- [Scott] Yes, yeah, it's a little bit of a rabbit hole, that one.

- [Ben] Yep. So that hits all of the topics in this article. Again, definitely go check it out if you're looking to enhance your security posture, you wanna know if you're following some of the recommendations. Let us know if you have any questions about it, 'cause that was a high-level overview of all of them. And with that, we didn't do too bad, Scott?

- [Scott] No you did good. I don't know how I did. But you did great.

- [Ben] You did fine. I don't think I have anything else. We can wrap it up at 45-ish minutes.

- [Scott] Excellent. Thanks Ben.

- [Ben] All right. Thank you, Scott, go enjoy your day, enjoy your weekend. As always, stay healthy, and we'll talk to you next week.

- [Scott] Have a good one.

- [Ben] If you enjoyed the podcast, go leave us a 5-star rating in iTunes. It helps to get the word out so more IT pros can learn about Office 365 and Azure. If you have any questions you want us to address on the show, or feedback about the show, feel free to reach out via our website, Twitter or Facebook. Thanks again for listening, and have a great day.


Episode 176 – April Showers Bring May Microsoft 365 Updates


In Episode 176, Ben and Scott dive into the April announcements around feature updates to Microsoft Teams, Microsoft Threat Protection, and Azure Active Directory.

- Welcome to Episode 176 of the Microsoft Cloud IT Pro Podcast, recorded live on May 1, 2020. This is the show about Microsoft 365 and Azure from the perspective of IT pros and end users. Where we discuss a topic or recent news and how it relates to you. In this episode, Scott and Ben discuss some of the recent news from the month of April, including some upcoming conferences, Azure AD Security, and Microsoft Teams.

- I feel like April was never going to end.

- Well, it has, I mean, it still might not have, but officially on the calendar it has. In our brains and collective consciousness it may have not.

- Yes, but the good news is, at least here in Florida, we are slowly starting to open back up. The question is, are you going to go out and do anything, now that it's opened back up?

- Well, we chose to open on our day of highest deaths. So my personal approach is to stay home a little bit while longer.

- You've already had it, you're immune.

- We'll see, I'm thinking about paying the 120 bucks to get the test, just to find out.

- Just to find out if you had it or not?

- Yeah, some of the labs are starting to get it. So Quest has one.

- Got it, interesting.

- And less little antibody test.

- I saw the mall, Town Center, is going to open Monday, I think is what I saw. So yeah, stores, restaurants, I think they said are gonna open, but they have to be at 20% capacity, I think it was, or 25% capacity.

- Yep, 25 here.

- So, we'll see. We haven't gone out and done a whole lot. We've started to see a few more people. I'm getting kind of stir-crazy and I don't know, like, I feel like we've flattened the curve, and we don't need to talk about this too long 'cause we have other topics to talk about. But it's like, at what point in time do you just have to start going out? Because obviously vaccines are gonna be a long way off. It feels like the curve is starting to flatten out. So I'm kind of getting close to that approach of, "All right, it's time to start getting out, seeing some people, doing some normal activities again." So yeah, my two cents.

- Slowly but surely, like get back out, see family, things like that, where you can and where it makes sense.

- And that's what we did. My wife's family came over the other day and they didn't even come inside. We actually just sat outside at the picnic tables, in the park next to our house. And it was her sister's birthday, so it was fun. It was fun to see them, we hadn't seen them in like a month. So all good, but there's some other events coming up now too, that are free. So there's some silver lining in all of this. There are some free events coming up that people can participate in.

- Nice, what type of free events are coming?

- Yes, what type of free events? So as an IT pro and as an IT pro-ish podcast, one may or may not appeal to a bunch of our audience, but Build. I have never been to a Build. This year I'm going to Build, Scott, virtually, because it's free and it's virtual. So that is one of the events coming up. I think you registered for it the other day. I registered for it last night. So I am going to try to keep up with some of the sessions. Sometimes there's some interesting things that come out of Build, especially around Visual Studio Code or some of the PowerShell or source control stuff that I use with my PowerShell. There's always stuff that comes out around Azure and things that, well, we may not go build applications, they still can be applicable to IT pros in terms of how you manage what developers may try to do to your environment based on new capabilities being released. So even though I'm not a developer, I still try to keep track of some of those developer-ish type conferences.

- Yeah, so I think there's some exciting things that they have planned this year, if anything, just in the delivery model that they're going to use for it. So not only is registration open, and certainly you should go register because it is a free event. I think there's some constraints there for a lot of us. Like one of the things I love about going to conferences isn't just the networking. Like, that's certainly valuable. But if you are going to go to sessions, you're there and it's much easier to go and not be distracted by work. So I think lots of people are gonna be potentially competing with work over May 19 and 20 while this goes on, but it's gonna be a 48-hour event and it's gonna be running for 48 hours straight, which means you're going to have coverage in geographies which would typically feel like they would have to miss out on an event like this, just due to time of day. So if you think about folks over in Australia, and APAC, and certainly Europe and things like that, everybody is going to be able to get in on the fun.

- Yeah, it should be good. And there's another one coming up that will be short. Let me think, it'll be the day after this recording goes live. Office 365 Nashville is doing a virtual one. So Daniel Glenn is kinda spearheading that one, and that one is going to be on May 8. So this episode should come out May 7. I think registration will still be open, but it's a free virtual event that you can go sign up for. I'm actually speaking at that one, because it was virtual and that enabled me to speak at that one. So that one's coming up, we'll put a link in for that one if you wanna go register there. And then there's also one that Joel Oleson is doing. I can't remember the name of it right now, but we'll put it in the show notes.

- Yeah, M365 something or other.

- Yeah, it was gonna be like the Virtual Olympics, and then they ran into some trademark issues, because apparently Olympics is trademarked. Imagine that, who saw that one coming? Marathon, Virtual Marathon, I think is what it is. But it's another Microsoft 365 free Virtual Marathon. I think that one's like 36 hours straight. And I've seen, like, he's trying to get 900 live sessions over the course of 36 hours.

- That's gonna be quite a bit.

- Yes, we will find the link for that and put that in the show notes as well.

- Outlook add-ins are a great way to improve productivity and save time in the workplace. And Sperry Software has all the add-ins you'll ever need. The Save As PDF add-in is a best seller and is great for project backups, legal discovery, and more. This add-in saves the email and attachments as PDF files. It's easy to download, easy to install, and Sperry Software's unparalleled customer service is always ready to help. Download a free trial at SperrySoftware.com. S-P-E-R-R-Y-S-O-F-T-W-A-R-E.com and see for yourself how great Save As PDF is. Listeners can get 20% off their order today by entering the code cloudIT. That's cloudIT, C-L-O-U-D-I-T all one word at checkout. Sperry Software, work in email, not on email.

- Those are all the events I have. Do you have any other ones that I didn't think of?

- No, we did just have the Virtual Azure Global Bootcamp, which passed. But lots of these sessions for that were recorded. So if anybody did miss the 2020 Azure Virtual Bootcamp, just hop on YouTube and search around for some of those videos and things that came out from all the wonderful speakers who put their time into it.

- All right, sounds good. Yeah, we didn't do much here because it was all virtual. So who knows, if they do kind of an in-person one later this year, maybe we'll try to jump on, maybe we'll just have to wait for round two and come back to it in 2021.

- It'll still be there.

- Yep, it will. Hopefully I'll be in person again. So there was also some news that came out these past few weeks, different things around Azure, some Office 365 stuff, some Azure AD stuff, some that spans all of them, like Windows Virtual Desktop. So we decided we'd just dive into some of these news articles, the news announcements that have come out over the last few days. Take your pick. Which one would you like to start with?

- Let's see, I always like the identity stuff. I think they've done some good things there for customers, especially as some of the licensing has opened up, like bringing Azure AD Premium P1 to the Microsoft 365 Business SKU and things like that. And they're starting to open up the platform more and more for all customers. Which is always nice to see, especially in these times when everyone is working at home or remotely, or, if anything, just on the go more than they are. I think that whole Zero Trust model around identity and securing your identities and gating your access to all these resources is super important. So one of the things they've done there is they've extended the ability to use Azure AD single sign-on for an unlimited number of cloud apps at no extra cost. And that's across every SKU. So in the past, you would have been limited in the number of cloud apps that you could add to a user, and then also the number that you could potentially perform SSO against your Azure Active Directory with. So this is using SSO with Azure AD, whether you're federated or unfederated. And like I said, it's available across all of the pricing tiers or SKUs of Azure AD, even Azure Active Directory Free.

- Perfect, 'cause this used to be, I think the limit used to be 10, right? I think it was 10 apps.

- 10 apps, yeah, but you were even limited within SKUs by how many apps you could have, and some could have 10 cloud apps, but not SSO. And others could have 10 cloud apps with SSO. So now it's just open across the board, which is much nicer. I mean, it's more consumable. So you make those things more readily available and hopefully people actually use them. You know, that would be the next step, is going out and getting folks to light up that feature and actually turn some of that stuff on.

- Well, and this is for apps that are not native Office 365 apps. If you're doing third-party apps or developing your own apps, this applies to those apps. Before, it was like all the included apps were kind of excluded from those limits. They were all considered bundled in, but this is other apps that you set up SSO with, set up SAML authentication with, whatever you might be doing.

- I mean, it's interesting. Like you talked about the Azure AD Premium coming to Business and some of that, well, I get that some of these features cost Microsoft more money to let users use because of resources and whatever, but by giving these to everybody, it's also helping Microsoft. Because the more people that roll this type of stuff out, the more secure the Cloud platform is gonna be. Because if everybody on Office 365 and Azure AD is using MFA, it's going to help Microsoft from a security perspective protect their own platform by kind of minimizing their footprint, minimizing the security risks, by rolling these out to everybody and including them with all the plans.

- I also think it makes some of the security services more valuable. So if you look at the way Microsoft approaches machine learning for a couple of their different security products, if you think about risk-based sign-on with conditional access through Identity Protection, and even some of the features inside security products like the Microsoft Threat Protection suite or Azure Sentinel, things like that, they rely on signals. And the more signals there are, the better those services are going to become for everybody. In some cases, yes, it's probably a little bit of loss on the money side, but it's potentially a gain in the features that you can offer in some of those other suite products that kind of build on top of everything that's there and make those true differentiators across the market.

- Yeah, there was another security... We'll keep moving on through the news. There was another security feature that there was a change to this past week. And that was, Microsoft Threat Protection is now gonna automatically be turned on for any eligible license holders effective June 1 of 2020. So approximately exactly one month from the day we're recording this. If you are licensed for Microsoft Threat Protection, which, this isn't gonna be your lower SKU. So this is going to be Microsoft 365 E5, Microsoft 365 E5 Security, Windows 10 Enterprise E5, EMS E5, Office 365 E5. Are you getting the pattern here?

- Yes.

- And then some of those other plans like Microsoft Defender Advanced Threat Protection, Azure Advanced Threat Protection, Cloud App Security, and then Office 365 Advanced Threat Protection Plan 2.

- Some of those are interesting, though. The E5s make total sense, but some of those, like Azure ATP, was just a sub-SKU of... 'Cause MTP is more of an overall, an overarching licensing suite that helps you bring alignment with unified reporting and some other things in there. But Azure ATP or Cloud App Security, MCAS, that Microsoft CASB, those were both just individual parts of that suite. Now they're saying, "Hey, if you purchase one part of the suite, we'll give you the rest of it." So now they're saying if you have Cloud App Security and that's all you've done, you're gonna go ahead and enable some other features. Like you'll get features in Office 365 ATP and in Azure ATP without having to do anything. Which simplifies that whole licensing thing.

- I was gonna say, just reading through this list, really reading through that list as I was listening to myself say it out loud, I'm like, "Their naming and their licensing is getting completely out of control." The fact that you have Microsoft Defender Advanced Threat Protection, Azure Advanced Threat Protection, Office 365 Advanced Threat Protection Plan 2, it is getting really hard to keep track of all of these SKUs and what's in these SKUs, and how these SKUs impact other SKUs, and all of that.

- Yeah, did you see the one about Planner going away and being renamed, Tasks, but it's gonna be renamed six other things along the way.

- I didn't see the six other things, but I did see that that is gonna be Tasks now.

- Yes, so as we roll out the Tasks experience on Teams desktop clients, the app will initially appear as Planner to users. The name will then temporarily change to Tasks by Planner and To-Do, and later on, it will be renamed to Tasks. I think it's the first time I've ever seen an announcement with all of the product renames in one place.

- Which I don't know why it wasn't Tasks originally because you know what the URL for Planner is, don't you?

- Yes.

- It's tasks.office.com. I mean, Tasks would have probably made sense right out of the gate. I don't know, but now people are gonna be, "Did you add it to Tasks?" And it's going to be, "Well, which Tasks? My Outlook Tasks, which then go to To-Do, which To-Do also pulls from Planner, which is now gonna be Tasks." Or you have your Tasks in OneNote. Like, I get naming things after what they do. But if you're gonna name something after what it does, you can't have five or six or seven or eight things that all do the same thing and name them all the same thing.

- A task is a task, is a task, is a task, except when it's not a task.

- And that's only when it's in the Task app or one of the several Task apps.

- Nice and easy, right?

- That add-in, 'cause I know, that add-in that I talked to you about earlier, it just crashed again. I've been having problems with Edge on macOS. Anybody else who's had problems with the... I'm running the Canary build. That's probably my problem.

- Yeah, Canary's had some weirdness going on lately.

- Yes, especially on macOS. But that being said, I just lost all of my notes, 'cause not only does Canary crash, it will not allow me to reopen it until I restart my computer.

- It's a feature.

- Something like that. So yes, I will pull up some more links, but I am flying blind right now in terms of what I was gonna talk about. So Microsoft Defender Advanced Threat Protection, that announcement was made. What is Microsoft Defender Advanced Threat Protection? We talked about how it's gonna be turned on, but we haven't actually mentioned what it is.

- I'll be darned if I know at this point. It's gotten kinda crazy out there with some of that stuff, especially when you consider some of the Defender Threat Protection capabilities and how they integrate maybe with Intune and device management, and what you can push down on that side. That is a product that I too am waiting for clarity on.

- You would like to know what it does? So I have it running on my Mac, 'cause they do have the whole antivirus endpoint.

- Well, you have the AV component running on your Mac, but really it's more about that Cloud-based management and kind of all the other things that go into it.

- Yes, all of that as well. I lost all my articles, I'm trying to pull these all up while I'm talking. So yes, but it is going to be enabled. It's going to be on, and it does, like you said, vary. So there's a whole Microsoft... Well, then you have Windows Defender Advanced Threat Protection too that ties into it. That's based on your SKU of Windows that you're running. There are a whole bunch of things that go into it. We'll just put links in the show notes about Microsoft Defender Advanced Threat Protection and let you guys go check out all of the capabilities that are now going to be enabled by default. Because I think Safe Links, Safe Attachments, they all fall under that umbrella too, don't they?

- They should, as far as I know. But who actually knows at this point?

- Maybe we should try to find somebody from the Microsoft Defender Advanced Threat Protection team to explain it all to us.

- We should. We've had MIP folks on before, because for MTP and kind of that overall fish in there, 'cause it is interesting where it's been going. And once you do get in there and light all those products up, some of the new things that have happened over in security.office.com, particularly when it comes to incident hunting, they are really cool.

- Yeah, we should. So if anybody that's listening is from that team, or knows somebody on that team that they can put us in touch with, we'll go out and see if we can dig up somebody. But yeah, if somebody knows and wants to send them our way or make an introduction, we'll get them on the show and we'll talk about it.

- Just that easy.

- As IT professionals in the Cloud era, sometimes it feels like we don't speak the same language as the rest of the organization. So when stakeholders from finance or other departments start asking about a specific project or Team's Azure costs, they don't always realize how much work is involved in obtaining that information. Sifting through cluttered CSVs and a complex, massive metadata in order to manually create custom views and reports. It's a real headache. On top of helping you understand and reduce your organization's overall Azure spend, ShareGate Overcast lets you group resources into meaningful cost hubs and map them to real world business scenarios. This way you can track costs in the way that makes most sense with your corporate structure. Whether it's by product, business unit, team or otherwise. It's a flexible, intuitive, and business-friendly way of tracking Azure infrastructure costs. And it's only available in ShareGate Overcast. Find out more on sharegate.com/itpro.

- So Teams. Teams has had an endless stream of new announcements and features. I feel like everybody started using it and all of a sudden they wanted all these features. Microsoft, it's like they prioritized a bunch of features all of a sudden.

- Huh? How did that happen?

- I don't know. I don't know why.

- When you have 44% usage growth in one month and then in the next calendar month, you go up another 70% over what was your new 100%. It gets interesting fast.

- Yes, and all of a sudden, like UserVoice. It's like, "Hey, this UserVoice went from, "like 100 votes to 10,000 votes "because all of a sudden everybody's using it "and wants these features." I don't know if there's actually a feature that did that, but it wouldn't surprise me.

- So good news, drum roll, you now get more than four by four in a Teams meeting. You get, I mean not four by four. Wouldn't four by four be nice? You now get more than two by two. You now get three by three. We went from seeing four users at once, Scott, to seeing nine.

- Yeah, you did and you can still pin people too. So when you go into those classrooms or you know, if you're a teacher out there and things like that, you can still just right-click and pin and get the big face in front of you. So you can do "The Brady Bunch" view of the world or you can go to a number nine. Coming to a tenant near you. I mean, Brandy it's not the, what can you do on Zoom? Can you do 50?

- Sorry, three by three.

- What can you do on Zoom? I think you can do 50 on one screen in Zoom.

- It goes up...

- Significantly higher.

- It goes up quite a bit, yeah.

- But I did see Microsoft is planning to bring more. I won't lie, I thought they were gonna go up higher than just two by two to three by three. I thought they said they were gonna try to do it so you could see everybody at once. But right now you can put 250 people in a Teams meeting. Can you imagine 250 people looking at all of them at once? It'd be like little thumbnails on most people's monitors.

- It would be like a Zoom meeting. That's what it would be like.

- Yeah, they also increased another feature. In that article was, they increased the number of participants that can take place in a live meeting. So live meetings, we used to have a limit of 10,000 people for a live meeting. They have doubled that to now allowing you to have 20,000 participants in a Teams live meeting.

- Yes, they have. Limits continue to rise there. It's an interesting one.

- Well, because that takes a lot of resources. Like I thought they were hurting for resources, unless they've kind of gotten a little bit of a handle on that. I was surprised to see that big of a jump in the live meeting attendees.

- Resource availability has actually gotten quite a bit better. So not just for Teams things, but I'm even seeing in Azure, some of the restrictions are starting to be lifted, which is very nice.

- Yes, absolutely. It's nice to be able to start using some of this stuff to its full potential again.

- It's like all of a sudden I can create Azure SQL databases. I finally found one of my articles again.

- What else was there? Simultaneous people raising hands is coming. So you're gonna be able to raise hand. Well, before we do raise hands, just on the limit thing, that is a temporary raise.

- Was that a temporary one?

- Yes. The defaults will raise until July 1st.

- Yes.

- And then in August they're going to officially make some changes. So they call out the 20,000 number, but they might settle on something else, you know, after that, if they see that there's huge uptake to the 20,000 number and all that.

- Yeah, it'll be interesting to see, once all of this is done, how it changes companies' views on remote work. Or if people tend to work remotely more, if everybody's gonna be so tired of working remotely, everybody's gonna wanna go to the office. Shall be interesting.

- I don't know, do you want to go to the office? I don't feel like I do. I'm good staying right where I am.

- I've been right where I am for the last, like 12 years anyways. So hasn't changed a whole lot for me. Background effect was interesting. This one just makes me laugh 'cause they announced background effects which you used to be able to blur, now you can add pictures and I think it was the, like they did this well, they really seating they're like, "We're not gonna allow you "to put your own custom pictures in, for governance reasons." Obviously, you never know what certain people may upload as a background image. I think that day they released this, all these articles came out about how you could just go into a certain directory on your computer and add your own custom images and have them in Teams. It took less than eight hours from when it was live to when, even though they didn't give you the option to do it in the browser, they made it really easy to do by just going to a certain path in your file system, on your C-Drive and adding pictures there.

- Yeah, I've been having a bunch of fun with that one. Made my wife the envy of all her friends at school.

- Have you seen the articles about people that took, like a screenshot or a picture of them sitting in their office and then they put that as their background picture and they're not actually at the meeting. It's just their picture.

- Yeah, that's a thing that has happened as well. You give somebody a tool and they will absolutely take advantage of it.

- That, they will. Call recording, I mean there's a bunch we'll link to in the show notes. There were some updates around devices, a few meeting control changes. Most of the other ones were small. You can do things like put system audio now into a live meeting. So if you wanna play a video and feed that audio back into your live meeting to send it out to everybody, you can do that. But I think that kind of hits some of the big Teams announcements that came out in the month of April.

- Yeah, that'll probably wrap up most of them, like you said, a lot of that stuff is just roadmap anyway. So it'll be filtering out. The nice thing is they've been filtering out much quicker, like you brought up.

- Any other news topics you want to cover today before we wrap up?

- Well, since we're talking about end user things, I think a good one to talk about might be some impacts to how end users interact with Azure AD. So there's a couple new experiences that are coming. So all of the new "My URLs" of Azure AD have lit up. So if you've ever pushed out things like My Apps to your users, there's gonna be a new URL and effectively a new UI coming to that. So myapplications.microsoft.com is live today and ready to go. So it's kind of like My Apps, but it lets you group your applications by workspaces. They've simplified access management requests. So things that might come through Privileged Identity Management are now gonna be consolidated and available at myaccess.microsoft.com. Sign-in information is consolidated at My Sign-ins. That one's actually been out there and kicking around a while. And there's also the new myworkaccount.microsoft.com, which brings forward kind of what would have been your account portal inside of M365 or O365. So you roll that out, that's all the new look and feel. And then you've also got the new MFA, SSPR consolidated sign-in experience and things like that. So if you have some downtime and you're at a help desk or, you know, you're working with your end user community, now's a good time to update some of your documentation, because now that the URLs are all out there and all live, you can go ahead and get up to date screenshots and everything you might need.

- Yeah, these are nice. The, My Applications one, there's My Groups where I can do groups and...

- So My Applications is an interesting one. That's a UI that's going to be surfaced in two places. So it's going to be at myapplications.microsoft.com. And then you can also go into office.com into the app launcher and you could get to all your apps there. So the UI there is going to stay almost the same as it is today. But when you go into All Applications, you're gonna have access to that same grouping concept with the workspaces.

- Got it, well, it looks like when you go start doing the groups that actually takes you over to your, it's a URL under youraccount.activedirectory.windowsazure.com

- Makes total sense, right?

- Yeah, it's kind of like the number of admin portals.

- Just a few of those.

- I forgot how many different Office 365 tenants I'm a member of, because on that My Applications tool lets you go, you can do a drop down and look at all of the organizations. So you can jump to see all of your apps between all the different tenants you're a part of. My list got rather long.

- It does creep up.

- How many you are in, you go through and look at it and you're like, "Oh, they never actually removed me. "I'm still a guest in their tenants somewhere, or?" Those are some good URLs to know about to bookmark.

- I have quite a few of those kicking around.

- Well, since we had a longer one last week, should we wrap this one up sort of on time?

- All right, just for giggles let's do it.

- Let's do it. We can go back and do some more real work.

- Yes, it's ARM Template Friday.

- All right, I'm going to go play with Azure. I've been playing with Azure more. I've been playing with Windows Virtual Desktop and domain controllers and IaaS, so I'm going to go back and play in Azure some more this afternoon.

- All right, sounds like a plan.

- All right, go enjoy your afternoon, don't work too hard and we will talk to you again next week, Scott.

- Thanks Ben.

- If you enjoyed the podcast, go leave us a five star rating in iTunes. It helps to get the word out so more IT pros can learn about Office 365 and Azure. If you have any questions you want us to address on the show or feedback about the show, feel free to reach out via our website, Twitter or Facebook. Thanks again for listening and have a great day.

Episode 175 – File Shares for Clients in the Cloud with Azure Files

In Episode 175, Ben and Scott talk about using Azure Files as a remote file share in the cloud for client devices and the things you’ll want to think about to get everything up and running.

- Welcome to Episode 175 of the Microsoft Cloud IT Pro Podcast recorded live on April 24, 2020. This is a show about Microsoft 365 and Azure from the perspective of IT pros and end users, where we discuss the topic or recent news and how it relates to you. In this episode, Ben and Scott discuss Azure file shares for client devices, domain controllers, Azure AD networking and other cloud services and how they all fit together.

- The thunder is never done, all the tornadoes rolling through. It was nasty last night.

- You know what? I did not hear a thing. I may or may not have been up until like, 2:30 the night before working on stuff and then I crawled in bed at like 12:30 last night. I was so tired, I passed out and I woke up when one of my kids came in our bedroom at some time, 4:00 a.m. and my wife was like, "Did the thunder wake them up?" I was like, "Was it thundering?" I never heard a thing.

- Man, corona times have not been kind to my sleep schedule. It's turned into like, aah, let's watch a movie, and then the movie's over and it's aah, maybe I would like just one TV show, or let me read this book for a little while or whatever it happens to be. So I think last night, I was up until... Last night, I was late, it was 3:00 a.m., hence my coffee brewing slowly this morning. So I heard that whole storm all through and the whole thing. I was sitting in my kitchen, it was awesome coming through, it was a good one. I like a good storm.

- So I woke up and I was actually bummed it didn't wake me up 'cause I'm the same way, I love a good thunderstorm, especially at night. For whatever reason, those night thunderstorms and the lightning lights up the whole house and the thunder just rolls. I don't know, it's cathartic for some strange reason, as long as there's not a tornado blowing my house down.

- Yeah, well, there's that whole thing, but it was definitely a good thunder and lightning storm and it was tornadoes and stuff farther to the north, but not so much for us. So, it was just a good rain event.

- Yes, I will say not growing up in Jacksonville, I have been impressed with the geographic surrounding of Jacksonville and how it seems to deter most storms from hitting us. Like we never really seem to get tornadoes or really bad storms from the west because of the river and because we're sitting just down low enough. I think the Gulf of Mexico messes up a lot of them and then the way Jacksonville's kind of set in on the coast if you're going up the Florida coast and up in the Georgia and South Carolina, it seems to deter any hurricanes from really having a direct hit on Jacksonville.

- Yes, it is the farthest point west on the East Coast. Like when you think about that dip in, so it's not just Florida to Georgia and all that, like pull out a map and look all the way up, it is the farthest point west, from Maine all the way down to us.

- What about the Keys? Don't the Keys loop back into the west?

- They do, but they're sitting actually like--

- They're just sitting in the middle of the ocean.

- They are, right? But they're all the way down at that eastern tip of Florida is, think about like going down to Miami and you're pretty much a straight line down to the Keys from there. So they are still farther east than we are, but as a chain of islands, they stretch pretty far over, but at that point, they're underwater anyway.

- Got it.

- So as a landmass with two big bodies of water like you talked about, between the ocean and the river, being a pretty substantial river, but at least nice and wide, it's good enough to pick up a lot of the weather that comes through here.

- I remember that growing up in Michigan too. I mean, like Michigan is significantly bigger than the river but Michigan was spared at least a lot of the bad thunderstorms and tornadoes and all of that because of like Michigan. They would hit Wisconsin, the lake would break it all up before it hit Michigan. I went and spent a week in Wisconsin. It was like tornadoes every day. Don't go to Wisconsin.

- Don't go to--

- Sorry to anybody that's from Wisconsin that's listening. I much prefer Michigan to Wisconsin.

- You're gonna start a fight or something.

- Probably. I have some good stories about Wisconsin and Michigan, but we don't need to talk about those today.

- As IT professionals in the cloud era, sometimes it feels like we don't speak the same language as the rest of the organization. So when stakeholders from finance or other departments start asking about a specific project or team's Azure costs, they don't always realize how much work is involved in obtaining that information, sifting through cluttered CSVs and a complex mess of metadata in order to manually create custom views and reports. It's a real headache. On top of helping you understand and reduce your organization's overall Azure spend, ShareGate Overcast lets you group resources into meaningful cost hubs and map them to real world business scenarios. This way you can track costs in the way that makes most sense with your corporate structure, whether it's by product, business unit, team or otherwise. It's a flexible, intuitive and business friendly way of tracking Azure infrastructure costs and it's only available in ShareGate Overcast. Find out more on sharegate.com/itpro.

- Should we talk about what I was staying up late playing with today?

- Yeah, it sounds like you were staying up late doing things that I was not. While I was watching, crappy movies and contributing to Netflix viewing hours, you were doing real work, supposedly.

- Well, so supposedly 'cause it all started with a client question which led to me playing with this, with my own domain and Azure tenants 'cause I don't wanna break anything. So, to set this up, Azure Files with... So Azure Files has been able to do SMB for a while. You can use the like storage account name and the private key to actually map a network drive to Azure Files, all of this. They have recently and I think it's still certain aspects of this are still in preview.

- Yes, they are.

- They rolled out the ability to do Azure Files over SMB, leveraging either Active Directory or Active Directory Domain Services to authenticate users to the file shares, rather than using a storage name and a key so that all of those NTFS type permissions can be used or supported through a mapped Azure file share. But there are a ton of restrictions and requirements and prerequisites around doing that, which could lead to the question that we were actually debating before we started recording of should you actually do this and if you do this, what all do you need to think about? Because this has led me down a massive rabbit hole of VNets and DNS and AD and AD DS and all of that.

- Yes and you're leveraging preview services, which is even, well preview functionality I guess, which makes it even more interesting. So, when you initially came and you had asked me the question of, okay, I'm trying to stand up a file share and I'm doing the domain authentication thing and it's really a pain and in the back of my head, I'm thinking isn't that relatively new and probably in preview and my first question back would be, well, why do the preview functionality, right? Especially, if it's for a customer. Like typically, we don't wanna take customers into preview stuff, even if it's public preview, because if we just consider Azure life cycle, there's no guarantee that a preview service ever actually goes GA'd. So obviously, Azure Files is GA'd and all that kind of stuff and it's sitting there ready to go, but Microsoft could look at this feature where they're doing SMB file shares with AD, with Azure AD rather, and with on-prem AD and they can say like, "Yeah, I don't wanna do on-prem AD anymore, "I'm only gonna do AD "because that's an easier scenario to support."

- Well, but it's not just AAD, it's AAD DS. It doesn't support AAD.

- Yeah.

- Remember? We gotta clarify these two.

- I get my storage confused because there actually are parts of storage, like blobs and containers, which do support Azure Active Directory for role based access controls and things. So you can totally do AAD authentication there. Anybody who thinks Azure Storage isn't a confusing service, being that it's a storage account, but it's not just a storage, it's blobs, it's files, it's tables, it's queues, it's disks, it's--

- Right, it's got sub services.

- It's static websites, it's like 10 other different things, it's amazing.

- Azure Files are gonna be like the Teams of Office 365 or everything's just gonna get sucked into the storage vortex.

- Well, if you think about it, storage is kind of important, right? In the grand scheme of things and the overall fabric because what is Azure? It's a bunch of hosts who are running hypervisors and it's a bunch of file servers that are pulling configuration off of storage controllers and things like that, right? So, at the end of the day, storage is what makes--

- Storage is important.

- It makes the world go round.

- Which is digressing. So, this whole storage authentication thing, I'm not gonna say it's just Azure AD DS. Should I go through the prerequisites and what I found and then we can keep talking through this scenario?

- Sure, just to lay out the scenario, what you're trying to do is you're trying to stand up a file share in Azure that is available to clients, not to other servers that exist out there.

- Yeah, so you're not going to a server.

- But to individual clients and you require per user authentication from each of those clients to the file share, right? Okay.

- Right. So, scenario being client does not want to use SharePoint or OneDrive because they don't want to deal with the whole sync thing and Files On-Demand thing and having to access the browser and maybe not being able to sync all their files based on hard drive sizes and all that. They like traditional file shares on-premises, but they want to be in the cloud, they wanna be able to work from anywhere. So, said client wants to be able to go to Starbucks or go home or be in the office and be able to map to their network drive the same way they would if they're on-premises, and they're not a huge client, so they actually don't have a current VPN to get to their on-premises server from off premises. They can't VPN into their office. Internet connection is okay, but it's not like a large enterprise network that has Cisco, has VPN, has all of that stood up. So they were like, well, what if we just move everything to the cloud and we can map this network drive from anywhere using our traditional AD usernames for securing all of this across all of our users?

- I always love when customers come up with their technical solution, right? Like they have a business problem they're trying to solve. The technology that solves that problem really shouldn't matter as long as it aligns to the business outcome. So, what is the process, the workflow or the outcome that we're trying to solve and then you can backfill technology around that. They're going backwards. They're coming to you with the technology and saying, "Hey, make this work." And then--

- Yes, because I had spent some time with them. We looked at SharePoint for maybe six or seven months and ultimately the decision was, we don't wanna use SharePoint. We want to use Azure Files. So, I was tasked with figuring out can this be possible, does this work, especially given some of these new features combined with preview? So for this all to work, you do still require Azure AD, but it also requires either an on-premises AD server or Azure Active Directory DS or Domain Services. So you have to have one of those two synced with your Azure AD and have your users synced in both places and then you can go configure this file share for either Active Directory authentication or Azure Active Directory DS authentication, but it's still also using Azure AD in the background.

- Correct.

- And the problem we started running into, well, the first problem we ran into is SMB 3.0, which Azure Files uses, goes over port 445.

- It does.

- Almost every ISP blocks port 445.

- They do, true story.

- So, first problem was okay, we need VPN for it, which we can talk about that more later and then we got VPN setup, we started testing this and there's a bunch of prerequisites. Your machines either have to be Hybrid Azure AD joined or they have to be AD joined, but once you get all this set up and configured, when you go to authenticate to map your network drive, your computer, even though it's using Azure AD synced with AD Domain Services or AD, it like, reaches out, but then it's like, oh, I also still have to use Domain Services or Azure AD. So it requires access to both Azure AD using new UPN and Azure AD, but then it like takes a side route and goes and has to ping to your domain server or your Azure Active Directory Domain Services server to actually do the verification for your map network drive, which means that if you're at home or if you're somewhere not in your local network or anywhere for that matter, you have to be able to properly authenticate against either a domain controller or Azure AD Domain Services wherever you are, which means that it has to either go over that same VPN that you can use to bypass the port 445 rule or it just has to be a publicly available domain controller, which we all know is a bad idea.

- Yeah, almost kind of like gives you the sense of that as you talk through it and the requirements, that while it works with clients like Mac and Windows, like it works with Windows 10 and generic SMB mounts and totally doable with a Mac and things like that. It's almost like they're not meant to be used that way.

- Yeah, yeah.

- Back to that shoehorning functionality.

- Yes, exactly. But, what fun would life be if I didn't try to shoehorn in some functionality that wasn't meant to be using preview features?

- Oh boy.

- I like to live life on the edge.

- Yes, it's a fun world you live in. So you have a number of problems or technical blockers that you need to solve along the way there. You need to configure identity in the cloud. So, some type of probably replication and resiliency on the domain side of things.

- Because the first question there is, do you do a server, running Active Directory in the cloud and replicate or do you use Azure AD DS? You need something in the cloud.

- Yes, so there's that piece and that's certainly its own can of worms and decision matrix right there. And then, you also need a VPN, as you said. So, where does that VPN endpoint live and how are your clients going to connect to that VPN? I'd imagine maybe one of the first inclinations is, you might think in the back of your head, well, I have clients, let me connect the clients through Point-to-Site VPNs and just hook them straight up to the gateway. There's some limitations to Point-to-Site VPNs depending on the size of your customer. There are limits to the number of connections that you can have going in at any given time, which could be a limiting factor for you there. And then once you're into the VPN, there's all the routing and network security and other things that need to come into play for that client to not only talk to the DC itself, but to be able to get back to Azure Files and do all that fun stuff.

- Yes. I think you covered the biggest ones that I've encountered so far.

- Yeah, those would be most of them. So let's break some of those down 'cause I think it's an interesting conversation just based on some of the paths you went down and some of the things that potentially broke, and we can probably talk through why they broke or why they work that way, and maybe we'll leave like the whole decision about should you attach clients to Azure Files up in the air.

- So, first problem was domain controller, do I go the Azure AD DS route or do I put another server up in Azure that's just a Server 2016, I think Server 2019 is out there, stand it up as another domain controller and do domain replication from on-premises to the cloud.

- Yep, well, I might ask myself another question first. So, is your customer going to have more than 128 connections at any given time, like, are there more than 128 clients that need to connect to this file share?

- And that would be a no. This is like 10 or 12 users connecting occasionally because most of the time they're in the office, which also brought up that Azure File Sync, could come into this at some point in time. They want to be able to connect to the cloud as their backup option.

- Got you.

- If they're not in the office. Something like when this whole last month happened and all of a sudden, nobody can get to their file shares unless they're in the office because they have no VPN.

- Gotcha, gotcha. All right, so that makes more sense. That's all good. Once we get through this whole thing, I might spin it on you and ask you why you didn't go another way with it 'cause I'm coming up with some other ideas as we talk through it.

- We'll see, that's good 'cause I could use... I always like more ideas. All right, so connections aren't a problem.

- So we need a VPN and we know we're going to be under the limits for Point-to-Site VPNs and standing all that. So we're good there, so we know we're gonna need a VNet and we're at least gonna need a VPN to connect to. And now, like you said, we need to figure out what domain or directory service are we going to leverage. Are we gonna leverage Azure Active Directory Domain Services, which is AD DS, but it's a projection of your Azure AD into a pair of managed domain controllers. So DCs that you don't RDP into, but you do have access to hook up with things like, a doc and all your tooling that you use today to manage Active Directory. So that's one path you can go down. So don't pay for servers, but pay for the service and the projection and the resiliency and SLA and everything comes with that or stand up your own and manage your own.

- Yep, which standing up and managing your own is definitely cheaper. I looked at Azure AD DS and I think it starts around $140 a month. It's a set fixed price 'cause obviously, this isn't a service that you can spin up and spin down, it's just always running. So it starts at 140 and goes up from there based on... I can't even remember, I think it was based on number of users and there's some functionality that's included in different levels, but it's not cheap considering you can stand up a whole server for like 50 or 60 bucks and AD is not a process intensive service on a Windows Server, but you are left with managing a Windows Server and you don't necessarily have HA.

- Well, you do have HA, so they are redundant pairs.

- Well, not in the DS, not if you spin up your own server, unless you spin up two servers.

- Not if you spin up your own. All right, yeah, so if you do AD DS, it is a redundant pair, but if you do your own server, then it's on you to figure all that out and then come up with your resiliency model, are you going to use single instance VMs with premium disk to get some type of SLA at least at the VM level? Are you gonna do availability sets? Are you gonna do zones? What does that look like and how many do you actually need?

- Yep, exactly. And then you're doing all your own patching and server management and if that server crashes and all that.

- Yeah, you're living in IaaS land for sure.

- Yep, so I asked about... And then I was talking to you a little bit the other day and I said okay, so what does that migration path look like? Let's say I have AD on-prem, I want to go all cloud only. So I'm doing AD on-prem Hybrid with Azure AD to sync all my users up, but now I'm getting rid of all my on-prem servers. So maybe I just wanna go Azure AD DS and deprovision my on-prem AD. Is that a migration path or what does that look like to go cloud only with Azure AD and Azure AD DS and then deprovision that Hybrid Azure AD Connect service and my on-prem AD server?

- Yes, it doesn't eliminate the VPN problem and having to connect to the DCs 'cause you still have that client authentication issue to get over.

- Right, and you still need your VPN for your port 445 going into another topic. So, there's no way to get around this VPN issue.

- You do, so all that stuff stays. Really what you've done is you shifted your... At that point, you've shifted your DCs from on-prem to Azure just inside of IaaS. But you've still got the hookups and the connectivity and all the other things that come in. So I'd be worried about a couple things in there in general, by saying my DCs are only gonna live in the cloud. Since you said your users are theoretically, in normal times, in the office the majority of the time, I would want them talking to the most network close authentication service that they could. And then maybe if they were going into something like Windows Virtual Desktop or something like that up in Azure, then okay, there's your kind of file share, and you're all set and ready to go and you've got your DCs up in Azure. But if you really wanted to get rid of them, you would do AD Connect. So you would do your hybrid identity, and do all your projections from on-prem to AD. And you could configure AD DS at any point in here, 'cause that's just a projection from your Azure AD. And then once all your identities are there, and all the things that you need to do, 'cause all AD Connect is gonna do is synchronize users, groups, and kind of some limited, in the grand scheme of things, metadata up, it's not synchronizing your computers that are joined to the domain. So that's a whole nother issue that you'd have to solve. But you could take AD Connect, and then once everything's up there, users and groups, just rip AD Connect down, get everything, all the synchronization going into the new domain, rejoin all the computers to the new domain that lives up in Azure, 'cause they've got to get back in there, right? You're probably still gonna wanna manage them with GPOs and things like that. So all that gets in place and then stand down the on-prem DCs. Now I think one of the issues there is AD DS was not a real replica of your on-prem domain. So it's not all the same FSMO roles and everything else. If you don't catch everything, there's potential that you leave something behind. You'd almost want, like if this is really for backup, maybe a redundant pair of read only DCs or something like that up in Azure, that are ready to go, that somebody could hook up to through that VPN on a Point-to-Site perspective. And they'd authenticate to the most network close DC. Or if they were on-prem, they'd still be able to authenticate to the one that's there. Best of both worlds maybe.

- Yeah, so it's not really a migration from AD to AD DS. It's more of a let's go have all three of them running. And then let's just remove one and make sure that you manually copied, rebuilt, did everything in Azure AD DS that you had in your on-prem DS.

- Yap, you've just got to be very cognizant of the limitations of AD DS as a projection from Azure AD, it's not the same exact type of thing. So yes, it lets you join computers and servers to domain. Yes, it has GPOs. But it doesn't have all the functionality that you're gonna get in your on-prem AD. And especially when I think about client management, you're probably doing GPOs that rely on things like ADMX templates. Maybe you're managing Office client installs, or I'm sorry, Microsoft 365 Apps for enterprise 'cause you haven't moved--

- I just wanted to say, I was trying to figure out how to get you to say that this episode.

- I had to say it twice this week in a presentation and it feels really dirty, like what, just Office Pro Plus people.

- That's a mouthful.

- It is. But you still have management that you need to do there. So then do you look downstream of saying, well do I move over to cloud policy or some other type of service, which, arguably--

- Like what it's been up into, right?

- Right, there's all these options out there. But all you wanted was a file share. And now all of a sudden, you have this technical implementation and the spread of things that operationally is turning into a little bit of a nightmare, who's gonna maintain all this stuff and keep it patched and up to date and ready to go and write all the guides for what do we do when the VPN is down and everything else that comes along the way. So that's kind of AD DS, I think when you weigh the two out in a lot of scenarios, AD DS has a place. It's quite often the path of least resistance when I think about like friction and time to implementation to just stand up new DCs. As you said, they're often cheaper to run, they can run on lower cost hardware and lower cost VM sizes, you might wanna upsize them while you're kind of configuring everything the first time and then scale them down a little bit later once everything's up and running. But it tends to be a known path, where AD DS can still have some pain points, especially if you haven't worked with it before. And you haven't really taken the time to dig through all the documentation and the FAQs and things like that.

- Yeah, I feel like going through all of this as I was digging around with it and playing with it. AD DS serves a purpose a lot more when you're gonna keep all your existing on-prem domain controllers. And Azure AD DS is simply a way to extend your Active Directory to the cloud in order to do just LDAP authentication against a cloud service without standing up another VM in the cloud.

- Yep, that seems to be what I'm seeing. I've actually used it. I've seen it used in some creative ways. And I had a customer that we ended up going down the AD DS path for, just based on how they were set up. So they were a customer who had a number of disconnected domains on-prem, that didn't have trusts or anything like that in place. So they couldn't stand up AD Connect once and have everything routed through from all these domains, user at Contoso, user at Fabrikam, all those kinds of things into AD at the same time, but relying on some of that functionality that you have where you can do the disconnected domain sync now. And you can bring all those disparate domains for those M&A scenarios into Azure AD. And what they were able to do was they were able to take six different disparate domains and user namespaces, all those user UPNs, get them all syncing into Azure AD, which was something they didn't have access to, they couldn't put them all in the same resource domain or user domain or things on-prem. And then they were running a lot of their shared services in Azure. So every server that they stood up in Azure was joined to that AD DS instance, it wasn't joined back to company one's AD or company two's AD or company three's. And that way, if I was a user from company one, or company three, or company five, I could log into the servers in Azure to do operations and management, and run my applications. And I was able to authenticate through and do all the things that I needed to do, 'cause servers still need, like this classic auth, Kerberos or NTLM, and all that good stuff. There are use cases for it. I think you just need to understand what your use cases are. If you're just looking at AD DS and saying, alright, this is gonna be a rip and replace, replacement for my existing Domain Services. Quite often, I don't think that's exactly the case today. Give it time and it'll probably get there. It's just not there today.

- And we don't currently know when it'll get there because it has been a slow deployment or rollout.

- It has some quirks to it. I've seen AD DS deployments where you go and you stand it up the first time and you go to do your sync. And it doesn't matter if you have five users in your Azure AD or you have 25,000. You'll just hit the sync button, and you might come back like 48 hours later, and it hasn't started syncing yet. And then you go, oh, what do I do? How do I fix that? The answer is you don't, you call support and hang on the phone.

- And wait a long time. Interesting.

- All right, so you go down that path and I think you weigh the two out, you probably look at DCs.

- Yep, and that's kind of, as I've played with it, and looked at it. And as we talked about it the other day, and even based on what I've seen, you have pretty much convinced me that if we go down this route, that is the way to go in this particular case, which leads to question two. But based on time, we should probably do question two next time, or should we keep going and have a really long episode? Let's keep going, it's corona times.

- Okay, yeah, nobody's listening. Nobody's driving anywhere to listen to the podcast, our numbers have actually dropped. It's kind of interesting. And I've seen that side tangent, kind of across the board. I'm in a few different podcast groups and all of that and people are saying, overall podcast numbers seem to have declined because nobody's commuting anymore. And that's when everybody listens to podcasts.

- Yeah, I'm finding as a rabid podcast listener. I mean, I subscribe to a lot of podcasts and listen to a lot of things. I'm just falling behind. It's the drain of the times that catches up with you. So where I might have gone and been done with work and just tried to decompress for 30 minutes. Now it's turned into kids are at home, everybody's at home, things are going on, and all of a sudden there's that other Zoom invite for like a happy hour and you haven't talked to people in weeks 'cause you're quarantined and you're like, aah I gotta get like, you're self isolating or whatever it is, you just have all these other competing things going on. And I am falling behind on all sorts of things which I intend to listen to at some point. It's just gonna take me a while to get there.

- Yep.

- Outlook Add-ins are a great way to improve productivity and save time in the workplace and Sperry Software has all the Add-ins you'll ever need. The Save as PDF add-in is a best seller and is great for project backups, legal discovery and more. This Add-in saves the email and attachments as PDF files. It's easy to download, easy to install and Sperry Software's unparalleled customer service is always ready to help. Download a free trial at sperrysoftware.com, sperrysoftware.com and see for yourself how great Save as PDF is. Listeners can get 20% off their order today by entering the code Cloud IT. That's Cloud IT, C-L-O-U-D-I-T all one word at checkout. Sperry Software: work in email, not on email.

- Okay, so after that side topic, after that brief commercial on podcast listenership, tidbit of random information. So let's just say for argument's sake, we've decided we're gonna put our DC in the cloud, Azure, it's a server, we're doing IaaS, we're gonna stand up a brand new domain controller up there. Now I have all my machines that are still on-prem. And I am going to, again, for argument's sake, because we wanna shift to this whole cloud only model, we are going to replicate AD for now, but eventually that on-premises domain controller is gonna get deprecated, removed. So our only domain controller is gonna be in the cloud, but I still want to be able to join machines to it. I still need to authenticate against it for something like Azure file shares and the scenario we talked about. Now I have a whole other set of problems or challenges, I won't call them problems, challenges or things to think about, because I have to be able to connect to it to go into my computer, my settings, join domain, and then actually reach out to that domain controller, especially in the case which my own tenant is in this case where I wanted my domain to sync up to Azure AD properly. So my UPN suffix is intelligent.com, which is also my website, which also has public DNS records. So DNS resolution can be a little challenging because I need intelligent.com to resolve to my internal domain controllers, as well as to my external domain controllers if I wanna hit my website, and all of that, going over this VPN connection to hit my DC.

- Yes.

- Does that make sense?

- It does. Basically, if you wanna be able to authenticate to the DC, you have to be hooked up to the network. And that means you need all the routing and name resolution and other things in place.

- Yes. So I am partway through that. I think I might have it figured out, but we had to record a podcast. So I'll go back to it today. But essentially, same type of thing. I'm using the same VPN gateway because I needed that VPN gateway anyways, for my Azure file shares over SMB. And what I was struggling with last night was to get all of my DNS settings set up properly. So I could join a Windows 10 machine that's running as a VM on my laptop, connected over VPN, to this domain controller sitting up in Azure and then leverage the DNS in Azure so that I actually hit that instead of going out and trying to hit my public website when I tried to join the domain. So my DC up there has, oh, and to top this all off. Don't ask the story behind this. I have two virtual networks that I have peered in Azure AD. And my domain controller sits in one virtual network and my VPN gateway sits in another virtual network. So I'm connecting to VPN, connecting to the virtual network in Azure, going over the peering connection between one virtual network to the other virtual network in order to hit my domain controller sitting in said network.

- Yap, so you got a hub spoke.

- Because I like to make things complicated.

- You're trying to make your 12th person entity the largest enterprise in the world.

- Well, this is just my personal, this is a one person entity. This is me right now.

- You and all the voices in your head that told you this would be a good idea to go down this path. Yeah, some interesting things start to happen along the way there I think, as you discovered, particularly with name resolution, when you have a VNet in Azure, there's kinda three DNS models that you can go with, you can do Azure provided DNS, which gives you resolution within the VNet itself. So I stand up VM one and VM two. And I can ping VM one and VM two, and they'll resolve by name, and all those kinds of things, I can do and I slick ups and CM, and I can actually pull their private IPs and I'm all good. Sometimes you don't wanna do that. And you wanna do, bring your own DNS. So you do BYOD DNS, and you take your VNet, and you set your VNet settings to say, no, this is my DNS server. That way, when clients query the VNet for DNS, it's going to point them back to your domain controller, and go like, oh, why are we doing this VNet level, because remember that's where all your network configuration is driven from, you really don't make changes to the NICs on VMs in Azure, you make changes to the configuration of the virtual NIC outside and then that's projected down to your virtual machine, or your virtual machine gets its configuration from there. So you've got to have that resolution end-to-end. So peering is kind of interesting, because you've also got peering with a VPN gateway. So now you need to allow gateway transit on one end, but not the other end. And you need to make sure that your potential routing and things are in place, you might need UDR at some point, depending on how else you wanna shift traffic around in there. You get all that up and running, I bet your primary VNet, you were going in and saying like, "Oh, this is great. I'm gonna set it to my custom DNS." And if you stood up VM one next to DC one, they would totally resolve and they do what they need to do. But you introduced that VNet peer. Which then makes resolution a little bit weirder 'cause your client, so you're hooked up on that Point-to-Site VPN or Site-to-Site, whatever you're using. So your client now, where is it pulling its DNS from, it's pulling its DNS from the same VNet as the VPN gateway, which most of us I think, would just leave in Azure provided DNS by default. Because it's just a hub, right? It's sitting there doing what it needs to do, let it do it.

- Right, which is what I did.

- Yap, you might see the VM on the other side, but it's gonna resolve as the internal name with the cloudapp.net, and all that, and not as the proper NetBIOS name that you're gonna need to join the network. So probably some more configuration to do where now you take the peered network, or the hub rather, which also needs to have its DNS configuration updated, so that it pulls its DNS from the DC over in the spoke.

- Yeah, and that was the hint that we found for anybody that finds themselves in a wonky scenario such as myself. I was going out and pinging it and I was like, well, when I do an nslookup, and I'm looking for my domain controller, it's coming back with this internal.cloudapp.net, not my domain and you were like, I bet your DNS was wonky in that VNet that you have your gateway in. And lo and behold, it was.

- Yep, so that's one option is go down that path. The other option is, if you're just doing this for POC, you can't use a hosts file because of the whole SRV record thing, the service records, but you can use an LMHOSTS file to go ahead and point to your DCs. It's a pain in the proverbial rear end to set it up. But you can do it. I think the other thing to think about is identity is really a core service. It's typically, maybe when you just look at kinda your topological design and you're thinking about how to approach that with your customer, your identity, your firewall, your logging and management. Those are all core services, right, or shared services. They're not really application or kind of segment specific. So something like your DC may not actually be living in a spoke in your final configuration, it might be closer in the hub anyway, which will make things a little bit easier.

- Yes, in theory, had I done this properly, and I didn't already have some of these VNets configured and I was paying attention to what I was doing at 2:00 a.m. the other night, I would have just put my gateway in the same VNet with my domain controller instead of in a separate one. And at this point in time now, it's just can I actually do this? Realistically, I should probably just go delete my gateway and go stand it up in my other VNet and save myself some hours. But again, I get into this and I look at this as learning and figuring this out. And how does this all work together? And can I get it to work? Not necessarily, is this the way I should do it?

- Absolutely, I'm not saying you shouldn't try things out.

- Yes, but I wholeheartedly agree with you.

- I just wanna make sure we have the conversation in case somebody actually does end up listening to this and they go, "Oh, those people are going down some crazy path." Or somebody looks at it and they're like, "Hey, they sound like they know what they're talking about. Maybe I should go do that." I always like to talk about the other ways you can do it too.

- Yes, don't do it the way I did it unless you have a very specific reason other than it was 2:00 a.m. and I created my gateway in the wrong subnet and I wanted to experiment with it.

- Alright, so DC up, client connects and VPNs there. Theoretically, you can just hook up to files now.

- Theoretically, I think, oh, so Azure Files now gets really weird. Should I talk about Azure Files in the security there?

- Absolutely.

- So as they rolled all this out now, we can connect, we're gonna assume that you can... So first thing you should do with Azure Files is once you get all of this figured out, go connect with the storage account and the key to make sure you can actually connect, that your routing is going properly. Because at this point in time, assuming you're connected to VPN, you have your network set up right. Download the VPN client to, this is another thing. There's a VPN client that does an executable that goes and sets up the whole network and the routing and everything in your Windows 10 machines. Don't touch that until your network is all configured. Because what that executable is doing is downloading a configuration file, making a bunch of changes. If you change your network, your VPN client doesn't get that change. And you actually have to just disconnect, remove that VPN connection, go download it again, go set it up again, and get all those network changes. So we're gonna assume all of that took place. I can connect with a storage account name and key. But now I wanna connect using my username instead of that storage account key so I can leverage all the normal NTFS file permissions and permission folders in this Azure file share differently and all of that stuff. So first, the machine you do all this from has to be domain joined and there's some certain PowerShell scripts you have to go run to actually set up your file share in Azure to be able to authenticate against AD. And those do have to be run from a domain controller, so you go run those scripts. Now your Azure Files are set to authenticate with an AD server. And there are a couple levels of permissions that you need to set and the documentation does walk through all this, but you have to set the RBAC permissions on the file share itself. There are three permissions in RBAC for SMB, specifically, an SMB, I think it's an SMB file reader, an SMB file contributor, and an SMB... It's like, it's not advanced contributor, it's something else, but it's another level up from contributor. So the first thing you have to do is go in set these RBAC permissions. This is gonna look against Azure AD for these RBAC permissions, which is why you have to have everything synchronized together. That does not give you access to the file shares, that just gives you that RBAC permission to leverage the Azure service. Now you can go mount it, again with that primary key and your storage account name, and then right click in Windows and go into the properties in security, and then start setting the security on the shares and the folders and the files looking back against your domain controller. So there's both of those permissions that have to be set. And then once all of that is done, assuming whatever client you're connecting to can connect to both Azure AD and to your domain controller. You can go in and do a typical net use, point it to the Azure file share, you can do a /user and throw in your UPN from Azure AD, or you can just do the net use and it'll prompt you for a username and password. Type all that in and in theory, you have a mapped network drive that's using your typical permissions coming from a domain controller.

- Mm-hmm, in theory.

- In theory, again, taking all those prerequisites and everything we just talked about being configured perfectly for that to even work.

- Yes.

- And there you have it. And there was something else I had to do. I'd have to dig through it. But I did also have to create a private endpoint for my Azure Files. And I can't remember at what point in time they hit that and why I had to do that.

- Why would you want, why?

- 'Cause it's a private endpoint that points to a private IP for my... maybe I didn't need this. This may have been one of my testings. When I was trying to play with everything. I don't think I actually need this.

- So I don't think you would, off the top of my head, you could connect across the public endpoint and do things that way. The private endpoint would arguably be more secure for you, especially 'cause you're VPNing in, that way you're VPNing in. And when they go to connect to the file share, they're actually connecting through the private endpoint. And they're routing straight into the storage service. And even though the public FQDN is still there, nobody can connect to it that way, they can only come through the private endpoint.

- I think this was when all of my testing was going on to try to figure out how all these configurations worked. I think I created this. And yeah, as we're talking about it, looking at it, I don't think I actually need it anymore.

- Hey, look, you simplified things, while making it--

- I simplified things or got rid of a private endpoint connected to a storage account. That yes, that in theory would all work and that would provide you a way to actually be anywhere, as long as you connected to the VPN first, you could go mount these file shares as a user instead of using that primary storage key. And then one thing this client had talked about is, they're like, well, when I'm on-premises, then can I speed up my connection? Because now inevitably, you're going over the internet, you're connecting to a file share. And if you're pulling 100 meg, 200 meg files back and forth over a VPN connection to an Azure file share. It's not gonna be nearly as quick.

- Especially a Point-to-Site connection.

- Yes, especially a Point-to-Site connection. It's not gonna be nearly as quick as if you're just pulling it off your local server. So then they were like, "What can we do, like the Azure File Sync?" So you can have a cached copy locally in the office and use this as kind of a backup emergency option. If we wanna get to those files from externally. And also if you're doing Azure File Sync, it does give you some of that DR type scenario where our office catches fire, we lose our server. And now we, again we have this backup option, we have all of our files up in Azure Files where we can get to them, restore them, do all that if the need arises.

- Mm hmm, it would be there. And it would all be very nifty. Lots of moving parts.

- Yes, that is the biggest thing I took away from this is, this is not, I come from the Office 365 side, this is not stand up an Azure or a SharePoint site and do a sync. There's a lot of moving parts, a lot of routing, a lot of networking. There's a lot of stuff to figure out and take into consideration if you wanna go this route. So you said you had one other thing too, that you were gonna throw out there as why didn't you just do this? What are your thoughts on this whole configuration setup other than SharePoint being a lot easier?

- SharePoint would have been easier, you should have just convinced them to go that way. And if SharePoint wasn't their thing, there's lots of other file storage services out there. Like, I don't know, Box or Dropbox. Pick one of those--

- ShareFile or yes.

- Yeah, if files is your thing, and per user authentication is your thing. And you want it to be resilient and live in the cloud. Here you go. There's the right tool for the right job.

- Right, we had an episode a while back about that. About picking the right tools, specifically when it comes to cloud storage.

- Yeah, so I think one of the other things to maybe think about is, you're doing this as a one off scenario. And you're doing it for the time when those users need to be away from the office and kinda have that remote connectivity through. I think another thing to think about would be what if you didn't have the VPN, and you didn't have that whole client setup piece, and maybe you didn't do Azure Files. You just went with a traditional set of DCs and a replicated file share that lived in the cloud. So say you did like DFSR or something like that over a Site-to-Site VPN connection from the office, you have your clients rather than coming across a VPN and dealing with that headache, maybe just stand up like Windows Virtual Desktop or RDS services, and something like that, and have them connect to that service when they need to. So okay, you need to go to the cloud, you're remote, here's your desktop in the cloud, it can talk to all the things you need to talk to, without all those routing issues and everything else that you've kind of run into along the way with ports and protocols. 'Cause then it's just a 443 connection. And anybody can do that. And you'd have more control over sizing, latency, performance, I think you'd have some better client controls there 'cause you'd already have the DCs in Azure, you'd still have AD, but it might let you even move away from Azure Files, which you might not need in this scenario and just have, like you said, like a regular file share running up there, and maybe make it a little bit better like that customer unset file share on their DC say, "Hey, we're going to Azure, we can make it better." But you really don't need a PaaS service, like we can live in IaaS and it's a known quantity.

- What if you just did Windows Virtual Desktop, so same thing you're talking about, Windows Virtual Desktop, DC sitting in Azure, again, now, you're not dealing with VPN, you're not dealing with network 'cause you're all sitting on the internal Azure network. And you just did Azure file shares with Windows Virtual Desktop and a DC in Azure, because like you said, now you're not dealing with port 445. Everything is in the same VNet, you don't have any routing issues. You can join your Windows Virtual Desktop to your domain, Azure file shares should work, significantly easier. And you could also go that route. You're not gonna have the latency there. Because again, you're going over all that internal network at this point in time.

- Yeah, I mean, it depends on how you're gonna use it, right? Do you need that per user authentication, that's probably the biggest thing in there. And just based on the path you're going down with per user authentication and the way it is today being a preview, back to that lifecycle thing, it might be easier to go with a known quantity, and say, this is gonna be supported and ready to go. Especially, I'd imagine you're looking at something like this for a customer because of the time that we're in. They're coming up with some specific needs based on what's going on today. And we don't know how long what's going on today is gonna go on. And sometimes that roadmap for Azure Files is a little murky. So you might have some other options in there that potentially simplify things or maybe give you some other cost levers or controls.

- Yep, and we did start going down that path, or at least having some of those initial conversations about maybe you do leverage Windows Virtual Desktop for everything because at that point in time, now every computer in the office is essentially just a thin client. It's a terminal, can even be an iPad. With those nifty new keyboards and mice that are hopefully coming today via UPS. And your office computer could just be pretty much anything at this point in time, because you're just connecting to Windows Virtual Desktop and doing everything in the cloud.

- I think it depends on how you look at it. I was maybe thinking of it more as your file share scenario where it's a backup. So maybe you have a limited size host pool. But because it lives in Azure, it can scale when it needs to. So it's not a problem that it's only, I forgot, maybe one available desktop host sitting there. Because it's gonna be able to scale from one to 12 on demand as users are coming in and out versus having 12 or however many you need running all the time. And then it truly is that backup scenario.

- Yeah, and that's kind of one of those key differentiators is I think this might start as a backup and then turn into maybe this is our everyday functionality, or everyday scenario, we'll just kinda have to see where this goes. But it has been a very interesting exercise on my part to figure all this out.

- Yeah, it's always fun to play with new stuff. Welcome to Azure.

- Yes, thanks. I've actually been doing a little bit more Azure stuff. I have a couple other projects that are tied all into Azure IaaS, it's bringing me back to my roots as a system admin and dealing with servers and racks. Only some of it's a little bit more abstract now.

- It's all just in a JSON file someplace.

- Yes, I did not have like these predefined Azure DNS things before to figure out crazy VPN routes and VNet peerings.

- Yeah, but now you've done it--

- It can't work over a peer.

- You'll never forget.

- That's the theory. That's the hope, the plan. All that. All right, well, thanks for this extended episode.

- Yeah, no, thank you. It's fun.

- It was. And we have lots more stuff that we can talk about. We actually have like three or four topics today. So we've got lots more fun stuff coming in the future. So go enjoy your cloudy day while you sit inside in social isolation. Don't work too hard. Go take a walk on the beach. Have you gotten out there yet? Have you gone out and taken a walk on the beach?

- I have not gone to the beach yet. It's been a week. We're going out on the boat this weekend. So that's the plan.

- Nice. That sounds nice and relaxing.

- Yeah, all right, man. Well, until next week.

- All right, enjoy.

- If you enjoyed the podcast, go leave us a five star rating in iTunes. It helps to get the word out, so more IT pros can learn about Office 365 and Azure. If you have any questions you want us to address on the show or feedback about the show. Feel free to reach out via our website, Twitter or Facebook. Thanks again for listening and have a great day.