Microsoft recently announced that from 1st September 2022, they will stop supporting Version 1 of Azure AD Connect.
Azure AD Connect is a tool provided by Microsoft to synchronise Windows Server Active Directory environments with Azure AD. All version 1 installations of Azure AD Connect will stop working 12 months from the date they are superseded by a newer version.
We advise all customers running Version 1 to upgrade as soon as possible to avoid any potential disruption.
Is the upgrade essential?
If you do not upgrade and continue to run a retired version of Azure AD Connect, it may unexpectedly stop working. You also might not have the latest security fixes, performance improvements, troubleshooting diagnostics tools, and service enhancements.
Cobweb can complete the upgrade to Version 2 for you through our Professional Services team who will conduct a discovery to determine the upgrade path options and recommend a course of action.
Alternatively, you may choose to carry out the upgrade internally.
To ensure you are not impacted by this change, you should implement a plan to have your existing installation of Azure AD Connect upgraded to version 2 as soon as possible.
Perform an initial discovery of the existing Azure AD Connect version and configuration
Provide recommendations on the options available for delivery of Azure AD Connect version 2
Advise on new Windows Server hardware or software required to support Azure AD Connect version 2
Perform the upgrade with support from the appropriate IT or Support teams where required.
To find out more information, book an upgrade or for any other Azure-related enquiry please fill in our contact form.
Security is always high on the agenda for any IT Administrator. New vulnerabilities and threats are identified every day, with Microsoft reporting a rapid rise in cybercrime in the past year.
With this in mind, it is important to keep your Azure environment secured to protect your business from threats, vulnerabilities, and data breaches. Microsoft considers security a shared responsibility between itself and its Azure customers.
Microsoft is responsible for the physical security of its Azure datacentres. Access is only granted if there is a valid business justification, and only to the specific area of the datacentre required. The entire facility perimeter consists of a high steel or concrete wall, with a single access point that all staff and visitors must go through. Once inside, two-factor authentication with biometrics must be completed to move through each area of the building. Cameras and security staff are posted all around the building, inside and out, and full metal body scans must be completed when entering and exiting the building.
For your Azure platform the responsibility is shared, and so Microsoft provides the tools needed to help secure your virtual infrastructure, the primary one being Microsoft Defender for Cloud.
Microsoft Defender for Cloud is designed to help you understand and improve the overall security posture of your environment.
The tool continuously scans every Azure resource you deploy to assess the resource configuration, identifying risks and providing security hardening recommendations such as the ones shown below.
You can drill down into each recommendation, which provides a detailed justification, a list of relevant resources associated, and the remediation steps. For many of the recommendations, the tool can automatically perform the remediation task for you.
The recommendations are organised into three colour coded categories, helping you identify the most severe and critical security issues in your environment.
There are some platform designs the tool cannot account for, so each recommendation needs to be considered to ensure it is appropriate for your individual needs.
These factors include the type of workload (whether the resources being assessed are running in a dev/test environment or a mission-critical one) and whether there are any cost implications of configuring the recommended changes.
If implementation is not required, the recommendations can be overridden so you are no longer alerted about them.
Another important feature of Microsoft Defender for Cloud is the real time threat intelligence capability.
Microsoft’s dedicated Cyber Security teams, comprising thousands of security experts located across 70 countries, leverage Artificial Intelligence (AI) to monitor billions of signals across the Azure ecosystem every day to identify vulnerabilities, detect threats, and prevent attacks. Microsoft Defender for Cloud taps into this telemetry to help protect your workloads and provides security alerts notifying you of any potential threats.
These alerts are arranged by severity, with the highest meaning there is a high probability your environment is compromised and must be investigated as a priority, and the lowest meaning there is potential suspicious activity.
Defender for Cloud Threat Intelligence also includes anomaly detection, which is specific to your deployment. Using machine learning, it creates a baseline of normal behavioural patterns in your environment, and any activity determined to fall outside these conditions will trigger a security alert.
Other features of Defender for Cloud include analysing your resources for compliance with industry and regulatory standards, such as ISO 27001, and Azure Firewall Manager to protect your infrastructure.
Ensuring your Azure platform is secure is a shared responsibility between Microsoft and you, with Microsoft giving you the necessary tools and information required to help achieve this.
To learn more, or if you would like assistance digesting and interpreting the information provided by Microsoft Defender for Cloud in your environment contact us (firstname.lastname@example.org) who will be happy to put you in touch with a member of the Cobweb Azure team.
When creating a landing zone for your new Azure resources do you have to repeat the same set of configurations on your Azure subscriptions each time? For example:
Do you create the same Resource Groups and Azure resources (such as VNETs, Subnets, Recovery Services Vaults, etc.)?
Do you have to apply the same Role Based Access Control (RBAC) permissions to the Subscription or Resource Groups?
Do you have to apply the same Azure Policies to each subscription to meet a regulatory compliance or company policy? For example, apply policies to restrict deployments to approved Azure regions, VM sizes etc.
Have you wondered if there was a better way to complete this repeatable configuration? There is and it’s called Azure Blueprints.
Azure Blueprints is a Microsoft governance tool which works with Azure Policy and Azure Resource Manager (ARM) templates to define a set of Azure configurations. An Azure Blueprint can be used to expedite the deployment and build of an environment to a particular set of standards, in a repeatable way.
With Azure Blueprint you can deploy the following artifacts:
Apply subscription permissions with Role Based Access Control (RBAC).
Launch Azure Resource Manager (ARM) templates to deploy Azure resources.
Apply Azure Policies and Initiatives to lock down the subscription.
Once a Blueprint has been built and tested it can be exported and redeployed to each new subscription in your organisation.
At the time of writing Azure Blueprints is in Preview and is expected to be released into general availability shortly.
How do Blueprints work?
The Azure Blueprint package can be built from the Azure Portal and applied to a specific subscription or to Azure Management Groups, including multiple subscriptions. Each Azure Blueprint package contains a group of artifacts; an artifact defines the deployment parameters for one of Policy, Role, ARM template or Resource Group.
During the build process a Blueprint will go through the following stages:
Stage 1 – Draft
Once a Blueprint has been built or changed, the Blueprint is saved as a Draft version.
Stage 2 – Published
Once the Draft version is complete the Blueprint is Published. This requires a version number and change note to be added to the Blueprint. Azure always defaults to the latest version of the Blueprint.
Stage 3 – Assigned
Once the Blueprint has been published it is ready to be assigned to either a subscription or Management Group. During the assignment process, it is possible to apply a lock to the deployed resources. There are three possible locks for an assignment:
Don’t Lock – Deployed resources can be deleted.
Do Not Delete – Deployed resources cannot be deleted, even by subscription owners; they can be modified.
Read only – Deployed resources cannot be deleted or modified, even by subscription owners.
Once the Blueprint has deployed the specified resources, permissions, and policies, the Assigned Blueprints section will show the latest version of the Blueprint.
If Azure Policies have been defined in the Blueprint, the specific policies are shown in the Azure Policy section of the Azure Portal. Using the Azure Policy portal, we can see which resources are compliant or not. Azure Policy will be discussed in a future blog.
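The same Draft, Published and Assigned lifecycle can be driven from Azure PowerShell with the Az.Blueprint module; the script below is an added example, not part of the original post. It assumes Az.Blueprint is installed and you are signed in, that a blueprint definition (blueprint.json plus an artifacts folder) already exists at .\landing-zone, and that the subscription ID, names and the allowedLocations parameter are placeholders you replace with your own.

```powershell
# Added example (not from the original post): Draft -> Published -> Assigned
# using the Az.Blueprint module. Assumptions: Az.Blueprint installed, already
# signed in with Connect-AzAccount, and a blueprint folder at .\landing-zone
# containing blueprint.json and an artifacts\ subfolder. All IDs/names below
# are placeholders.

$subscriptionId = '00000000-0000-0000-0000-000000000000'   # placeholder
$blueprintName  = 'landing-zone-baseline'
$location       = 'uksouth'

# Stage 1 - Draft: importing the definition and its artifacts creates (or
# updates) the blueprint in Draft state. Nothing is deployed yet.
Import-AzBlueprintWithArtifact -Name $blueprintName `
    -SubscriptionId $subscriptionId `
    -InputPath '.\landing-zone' -Force

$draft = Get-AzBlueprint -SubscriptionId $subscriptionId -Name $blueprintName

# Stage 2 - Published: a version number and change note are required, just
# as in the portal. Published versions are immutable.
Publish-AzBlueprint -Blueprint $draft -Version '1.0' `
    -ChangeNote 'Initial baseline: RBAC, region policy, hub VNet'

# Azure defaults to the latest published version when assigning.
$published = Get-AzBlueprint -SubscriptionId $subscriptionId `
    -Name $blueprintName -LatestPublished

# Stage 3 - Assigned: deploy to the subscription. -Lock maps to the three
# options in the text: None (Don't Lock), AllResourcesDoNotDelete (Do Not
# Delete) and AllResourcesReadOnly (Read only). Do Not Delete lets owners
# tune resources while preventing removal of the guardrails.
$assignment = New-AzBlueprintAssignment -Name "$blueprintName-assignment" `
    -Blueprint $published `
    -SubscriptionId $subscriptionId `
    -Location $location `
    -Lock AllResourcesDoNotDelete `
    -Parameter @{ allowedLocations = @('uksouth', 'ukwest') }  # keys must match blueprint.json parameters

# Provisioning state is what the "Assigned Blueprints" section reports.
Get-AzBlueprintAssignment -SubscriptionId $subscriptionId -Name $assignment.Name |
    Select-Object Name, ProvisioningState

# Export the published definition so it can be redeployed to other subscriptions.
Export-AzBlueprintWithArtifact -Blueprint $published -OutputPath '.\exported' -Force
```

Assigning with -Lock AllResourcesReadOnly instead gives the "Read only" behaviour described above; the lock is enforced by Azure even against subscription owners, so choose it before assignment rather than relying on RBAC alone.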
Azure Blueprints will save you time when deploying your Azure landing zones and ensure your environment meets defined standards for a consistent approach when setting up Azure subscriptions.
If you would like more information on how to use Azure Blueprints for your deployments, please contact email@example.com for a demonstration and walk-through.