Azure VMware Solution using a public IP down to the NSX-T Edge; configure SNAT, No-SNAT & DNAT

Azure VMware Solution using a public IP down to the NSX-T Edge; configure SNAT, No-SNAT & DNAT

by | Jun 14, 2024 | Technology

This article is contributed. See the original author and article here.

Azure VMware Solution


How To Series: Configuring NSX-T SNAT, No-SNAT & DNAT rules


 


Overview


Requirements


Lab Environment


NAT Rules


Kusto for NSX-T NAT Rule Logs


 


Overview


Many Azure VMware Solution customers are new to NSX-T and for a use requiring connecting directly to the internet through and Azure Public IP, then understanding how and when to use NAT functionality is a must have skillset.  This This blog uses an example to walk through the configuration of NSX-T NAT rules to enable access from AVS guest VMs to VMs and services on-premises, in Azure and the Internet.


For this lab, ExpressRoute connections to Azure (vWAN) and to on-premises have been provisioned. 


 


Requirements



  • Internet Connectivity has been set to “Connect using Public IP down to the NSX-T Edge” via the Azure Portal.

  • Cloudadmin (or equivalent role) to the Azure VMware Solution NSX-T console.

  • Azure VMware Solution diagnostics enabled and  log analytics workspace to store the logs configured.


FastTrack_Mark_0-1714935522961.png


 


Figure 1: Log Analytics diagnostics for Azure VMware Solution 


 



  • Check that you have set the ‘Configure the AVS SDDC to connect using Public IP down to the NSX-T Edge’ in the Internet connectivity under the menu item ‘Workload networking/Internet connectivity’ option.

  • Create (using the +Add button)  4 Public IPs


FastTrack_Mark_3-1714941202399.png


Figure 2: Setting up the NSX-T public IP and four Internet IPs.


 


 


Lab Environment


There are four routes that will be explored in this lab.  Each route requires specific configuration of the NSX-T NAT rules.  Logs generated by the NAT rules are stored in a log analytics workspace. 



  • From AVS guest VM’s to the public Internet

  • From AVS guest VM’s to Azure native 

  • From AVS guest VM’s to the on-premises environment

  • From the public Internet to a specific VM guest server.


This lab does not incorporate NSX-T Firewall settings; the NAT rules are used for routing, not for traffic restrictions or filtering.  Note that AVS workloads are a range of IP addresses in the 192.168.0.0/24 network range, Azure native IP addresses are 10.5.4.0/22, and the on-premise environment is 172.21.86.0/24 and 192.168.87.0/24


 


FastTrack_Mark_2-1714935783732.png


Figure 3: NSX-T Public IP NAT rules lab.



NAT Rules


SNAT rules are used to allow access to the Internet from virtual machines and NVAs running in the Azure VMware Solution.


No-SNAT rules are used to allow access to on-premises and Azure native services from VMs running in the Azure VMware Solution.


DNAT rules are used to allow access from the Internet to VM’s running in the Azure VMware Solution.


 


Create a SNAT rule:


Source Network Address Translation (source-nat or SNAT) allows traffic from a private network to go out to the Internet. First let’s make sure that the DNS service can reach the default DNS server 1.1.1.1.  When first logging into the NSX-T interface, first log into NSX-T, alarms will be present because the DNS service is unable to reach the upstream DNS servers at 1.1.1.1.


FastTrack_Mark_0-1715055879854.png


Figure 4:  Alarms showing DNS service 1.1.1.1 is unreachable.


 


In this scenario, we want the application servers AppServer-01 and AppServer-02 to be able to access the Internet.


From the NSX-T console select Networking / NAT / Tier-1 Gateway and click on “ADD NAT RULE”


FastTrack_Mark_0-1714938165574.png


Figure 4: Create a SNAT rule


 


Add Name ‘AppServers via HTTP’, select SNAT as the action (default) and enter the two IP addresses of the AppServers (192.168.103.10, 192.168.103.11).  This means the rule only applies to these two IP addresses. Next leave the Destination IP|Port as blank (ie any IP is allowed).  In the translated IP|Port, use the first available public IP (20.95.39.0), or you can fill it in with any of the public IPs created when you configured the portal for NSX-T public IP.  Use a specific IP if you need to enable a partner or customer to add the site/service to a Whitelist.  If you have multiple rules, select a priority to ensure this rule is hit in the correct order.  Note, the lower the number, the higher the priority.  So a rule with priority 10 will be checked before a rule with priority 20.  Enter a description, then click save.


 


FastTrack_Mark_1-1714938333183.png


Figure 5:  Filling the the SNAT rule parameters


 


At this point you will be able to access the Internet from the two AppServers.


Create a No-SNAT rule:


A No-SNAT rule prevents the translation of the internal IP address of packets sent from an AVS SDDC to other networks internal to the organization or otherwise outside of the SDDC environment.  This is important when using the “Connect using Public IP down to the NSX-T Edge” option in the Azure portal because without No-SNAT rules, you will not be able to access Azure or on-premises resources from workloads running in AVS.


In this simple lab environment, the Azure environment contains RFC 1918 addresses 10.X.X.X/8  and the on-premises environment contains 172.21.x.x/16 addresses.   Due to the nature of NAT/SNAT, connectivity from Azure and on-premises network into the 192.168.0.0/22 address exists, however outbound initiated connectivity from AVS workloads  does not.


From the NSX-T console select Networking / NAT / Tier-1 Gateway and click on “ADD NAT RULE”


 

FastTrack_Mark_0-1714940644364.png


Figure 6: Creating a No-SNAT rule


 


This demo configuration is very open, in production you would likely identify specific vNets where you require access, not the entire 10.0.0.0/8 supernet. 


Click on “ADD NAT RULE” and enter the NAT rule Name “Access Azure from AVS”, change the Action to “No-SNAT”.  Set the Source IP to 192.168.96.0/20  (this will cover all of the 192.168.x.x addresses in our lab environment), set the Destination IP|Port to 10.0.0.0/8  and leave the Translated IP|Port empty.   Enter a Description “Enable access from AVS without SNAT. (No-SNAT)”


FastTrack_Mark_2-1714940770649.png Figure 7: No-SNAT rules parameters


 


Create a DNAT rule:


Destination network address translation (DNAT), it is a technique for transparently changing the destination IP address of a routed packet and performing the inverse function for any replies. In this use case, we will create a DNAT rule that enables access to a virtual machine running in the Azure VMware Solution through a public IP address created when you enable the “Connect using Public IP down to the NSX-T Edge” option in the Azure Portal; here you can see we have configured 4 IP public addresses (20.95.39.0 to 20.95.39.3).


 


Create a DNAT rule that allows access on port 80 to the web server running in VLAN-2 with IP address 192.168.101.10.


We are going to assign it a public facing IP address of 20.95.39.1 from the pool of IP’s defined in the screenshot above.


From the NSX-T console select Networking / NAT / Tier-1 Gateway and click on “ADD NAT RULE”


 


FastTrack_Mark_4-1714941385688.png


Figure 8:  Creating a NAT rule to support DNAT.


 


Add in the parameters as described, and enable logging.


FastTrack_Mark_5-1714941479865.png


Figure 9:  Adding the DNAP rule parameters


 


At this point,  go to a web browser and enter http://publicIPselected  and you will see the web site running on your webserver.


 


Tips & Tricks


If access is blocked, check that any NSX-T Distributed firewall rules in place are configured to allow traffic from the Internet to the webserver/service.


 


 


 

Microsoft Fabric: A Must-learn Solution for Informed Data Professionals

Microsoft Fabric: A Must-learn Solution for Informed Data Professionals

by | Jun 13, 2024 | Technology

This article is contributed. See the original author and article here.

As a seasoned data aficionado and SQL expert with three decades of experience, I’ve navigated the Microsoft data product universe from SQL Server to Azure Synapse Analytics to Power BI—and all the data software and solutions in between. I’ve also witnessed the evolution of extract, transform, and load (ETL)/extract, load, and transform (ELT) operations, transforming raw data into actionable business gold to tackle industries’ most time-sensitive and intricate challenges.


 


Data was good—until it wasn’t. As data volumes exploded, it became very clear that efficient, real-time insights required data sharing and collaboration across organizations’ data silos and data roles (data engineers, scientists, and analysts). However, this proved to be easier said than done. Piecing together disparate services and storage systems is a complex, time-consuming task, further complicated by security and compliance concerns, so it’s a tall order, to say the least.


 


With the growing need for a centralized, unified, compliant solution for all data-related needs, Microsoft Fabric arrived on the scene, ready to store, secure, scale, collaborate, model, query, update, enrich, analyze, report, and create dashboards, to manage all of our multifaceted data challenges.


 


What is Microsoft Fabric?


Fabric is a unified analytics solution that delivers an integrated and simplified experience for all analytics workloads and users on an enterprise-grade data foundation with pervasive data governance, greatly simplifying data management. As an integrated software as a service (SaaS) solution, it ingests, stores, processes, and analyzes data in a single environment without the complex and time-consuming need for provisioning. It supports some of the most familiar data languages, like T-SQL, PySpark, Scala, SparkR, and others, and it accommodates all data roles. From streaming data to collaboration, Fabric is your go-to, centralized, end-to-end, AI-powered analytics platform for handling any type of data and efficiently managing your data estate.


 


OneLake, considered to be the OneDrive for your data, is a single open-format repository in Fabric—a unified, logical data lake for your whole organization. It accepts any data at any speed, whether batch or streaming, and is accessible by all analytics engines on the platform, eliminating the need for data movement or duplication.


 


madisonmast_0-1717442128084.png


Figure 1. Diagram of different experiences all accessing the same OneLake data storage. (Source: What is Microsoft Fabric?)


 


Microsoft Fabric experiences



  • Data Engineering makes the most of the top-tier Spark platform for large-scale data transformation and democratization, integrating with Data Factory for efficient scheduling and orchestration.

  • Data Factory merges with Power Query Online, offering over 200 native connectors for diverse data sources, both on premises and in the cloud.

  • Data Science enables seamless building, deployment, and operationalization of machine learning models, enriching organizational data with predictive insights.

  • Power BI is a leading business intelligence platform, helping to ensure quick and intuitive access to all data in Fabric for better informed data-driven decisions.

  • Real-Time Analytics simplifies integration, efficiently handling and analyzing high volumes of data and offering powerful analytical capabilities.

  • Synapse Data Warehouse delivers superior SQL performance and scale, separating compute from storage for independent scaling and natively storing data in the open Delta Lake format.


 


madisonmast_1-1717442128091.png


Figure 2. Experiences available in Microsoft Fabric.


 


Something for everyone


Imagine having the power to create your own data lakehouse or data warehouse in a matter of seconds. (Check out the Microsoft Fabric decision guide: Choose a data store.) That’s what Fabric, a SaaS platform, offers you. It allows you to centralize your data into OneLake by using common data methods, like Dataflow Gen2, data pipelines, Spark Notebooks, or T-SQL. (Explore the Microsoft Fabric decision guide: Copy activity, dataflow, or Spark.)


 


Data lakehouse


madisonmast_2-1717442128094.png


 


Figure 3. Diagram of a data lakehouse, displaying the folder structure of a data lake and the relational capabilities of a data warehouse. (Source: Explore the Microsoft Fabric lakehouse)


 


Whether you choose a data lakehouse or a data warehouse, you have easy access to robust querying and transaction capabilities. Fabric is the one-stop shop for all your data tasks across your data estate.


 


Here’s a snapshot



  • OneLake is the single source of truth for your organization’s data.

  • Data Warehouse is a traditional data warehouse that supports full transactional T-SQL capabilities like an enterprise data warehouse. It’s especially useful for industries like e-commerce, retail, healthcare, and others that need advanced analytics for large datasets.

  • Data lakehouse is a one-size-fits-all solution for storing, managing, and analyzing any type of data. It’s also ideal for real-time data processing with live analysis.

  • Copilot in Fabric brings generative AI features with new ways to transform and analyze data, generate insights, and create visualizations and reports:


    • Data Engineering and Data Science. Copilot streamlines your workflow with intelligent code completion, code suggestions, automation of routine tasks, and industry-standard code templates.

    • Data Factory. Whether you’re a citizen integrator or a professional data wrangler, Copilot is your ally. It offers intelligent code generation and explanations to simplify your data transformation.

    • Power BI. Simply describe your data insights needs or queries, and Copilot can analyze and present the relevant data in a visually compelling report, instantly transforming your data into actionable insights.



 


How to get started with Microsoft Fabric



  1. Sign up for a free Microsoft Fabric trial, and test it out.

  2. For resources to help you skill up on Microsoft Fabric, check out the Microsoft Fabric Career Hub, where you can find the Microsoft Cloud Skills Challenge | 30 Days to Learn It and become eligible for 50% off a Microsoft Certification exam.

  3. Review Course DP-600: Microsoft Fabric Analytics Engineer, and complete the lab exercises for each module. Plus, get more interactive practice with our end-to-end Microsoft Fabric tutorials.

  4. To help prepare you for Exam DP-600: Implementing Analytics Solutions Using Microsoft Fabric, watch the recorded Exam Cram for DP-600 sessions, with me as your host.

  5. For detailed information on specific topics to be covered on the exam, watch the Exam Readiness Zone DP-600 videos.

  6. To hone your test-taking skills and learn the types of questions you can expect on the exam, take the free Practice Assessment for Exam DP-600.

  7. Pass the Certification exam, and earn the Microsoft Certified: Fabric Analytics Engineer Associate Certification.


 


madisonmast_3-1717442128105.png


Figure 4. Steps in the Fabric Analytics Engineer Associate Certification journey. (Source: Microsoft Fabric Career Hub)


 


Consider earning a Microsoft Applied Skills credential


If you’re not quite ready to earn the Fabric Analytics Engineer Associate Certification, why not start with an Applied Skills credential? These are project-based credentials that focus on a specific skill rather than on a broad role. You can complete the online assessment in just two hours, whenever you’re ready.


Two Applied Skills scenarios that validate Microsoft Fabric skills are Implement a data warehouse in Microsoft Fabric and Implement a lakehouse in Microsoft Fabric. Both equip you with foundational Microsoft Fabric skills.


madisonmast_4-1717442128107.png


Figure 5. Applied Skills scenarios for Microsoft Fabric.


 


For more on Applied Skills credentials, read my blog post Real skills for real-time results with Microsoft Applied Skills credentials.


 


Meet Barbara Andrews, Microsoft Learn expert 


Barbara Andrews began her professional career as an accountant but soon discovered that she loves technology and has a passion for learning and teaching. She has worked with almost every on-premises Microsoft server technology (except Exchange Server) and has worked her way through many Azure services. As a Microsoft Technical Trainer, Barbara specializes in Azure infrastructure, data, and AI. She has a passion for helping working professionals and career changers build skills and pursue their dream careers, and she has upskilled more than 20,000 students, both online and in person.


 


Learn more about Barbara Andrews.

How to achieve cloud-native endpoint management with Microsoft Intune

How to achieve cloud-native endpoint management with Microsoft Intune

by | Jun 12, 2024 | AI, Business, Microsoft 365, Technology

This article is contributed. See the original author and article here.

In this post, we’re focusing on what it really takes for organizations to become fully cloud-native in endpoint management—from the strategic leadership to the tactical execution.

The post How to achieve cloud-native endpoint management with Microsoft Intune appeared first on Microsoft 365 Blog.

Brought to you by Dr. Ware, Microsoft Office 365 Silver Partner, Charleston SC.

Effective strategies for conducting Mass Password Resets during cybersecurity incidents

by | Jun 11, 2024 | Technology

This article is contributed. See the original author and article here.

You’re in the middle of a cyber incident, and you know certain accounts have been compromised, but you are not certain of the full extent of the Threat Actor’s impact. What do you do? Oftentimes, Microsoft Incident Response will recommend a mass password reset. This helps you regain control of your identity plane, deny other avenues of access, and disrupt any persistence the attacker may have established in your environment. However, and especially for larger organizations, navigating mass password resets can be a complex task. In this blog post, we’ll discuss the practical challenges of performing a mass password reset, how to prepare to carry one out, and best practices in performing them.


 


Identifying the need for a mass password reset


 


A mass password reset is not always required, but it is important to identify the circumstances under which it is. Some considerations for when a mass password reset is the best course of action include:



  • Active Directory database exfiltration: When there is evidence of Active Directory Domain Services (AD DS) database exfiltration by a suspected threat actor.

  • Active Directory database staging: When there is evidence of AD DS database staging with intent to exfiltrate by a suspected threat actor.

  • Compromised privileged identities: When a threat actor has compromised credentials belonging to one or more privileged groups such as Domain Admins, Enterprise Admins, or built-in Administrators.

  • Attacker-in-the-Middle: When there is evidence of an Attacker-in-the-Middle (AiTM) attack or other threat-actor-introduced proxy services which may have gathered user credentials.

  • Cloud or third-party identity platform compromise: When there is evidence of a compromise on an authoritative Identify platform such as Microsoft Entra Connect, AD FS, RADIUS (Remote Authentication Dial In User Service) Servers, or 3rd party identity solutions.

  • Ransomware deployment: When a threat actor has been able to successfully deploy ransomware by compromising accounts belonging to privileged Active Directory (AD) groups.

  • Privileged credentials exposed in Business Email Compromise (BEC): When a BEC has exposed privileged credentials in emails.

  • Privileged credentials exposed in exfiltrated data: When data exfiltrated from productivity and collaboration tools (such as OneDrive or SharePoint) has exposed privileged credentials.

  • Privileged credentials exposed in code: When privileged credentials have been exposed in an online code or source control repository.

  • Attribution to nation state or Advanced Persistent Threat (APT): When an attack has been attributed to an APT or nation state.


 


Organizational challenges and scenarios


 


Almost all organizations have remote users: many have hybrid users, and some have entirely remote workforces. This means that every organization has unique requirements and considerations for when a mass password reset is required. In this section, we will consider some of those requirements and how organizations can best prepare and respond if the need arises. Scenarios to consider include:



  • Local users: Users primarily onsite with line of sight to a domain controller.

  • Remote users: Users who primarily use VPN (virtual private networks) or have hybrid identities.

  • Administrative controls: Whether password resets are driven by administrators or end-users.

  • Service account management: Considerations for service accounts, which often have never-expiring passwords.

  • Privileged identities: Special considerations for managing privileged cloud and on-premises accounts.


 


Users onsite with direct access to domain controllers


 


This scenario is the least complicated one: if all users are primarily onsite with line of sight to a domain controller, then a simple flag on every user account to require the user to change password at next logon can be used to enforce the password change. Users can be given a deadline and informed they are required to change their passwords by the deadline, and, if they fail to do so, their accounts will be disabled. Several PowerShell scripts are available online that allow for enumeration of users in specific organizational units (OUs) and manipulating the “User must change password at next logon” flag to facilitate a gradual password reset rollout so an organization’s helpdesk is not inundated. When the users arrive in the office and attempt to log on, a message will prompt them to change their passwords.


 


Gradual, but expedited expiration of passwords using Fine Grained Password Policies (FGPP) and the progressive reduction of password age through domain policy modifications offer alternative methods for enforcing a mass password reset for domain users. However, a significant drawback to this approach is the potential for a threat actor to remain within an authenticated session until a logon event triggers the password reset. When considering this method, it’s important to balance the urgency of credential changes with the need to provide users with a grace period. Since many organizations have a portion of their workforce operating remotely, this strategy is often employed as part of a broader series of steps designed to secure all user accounts across various scenarios.



Remote users who use VPN to access the environment


 


This scenario is more common when most users are primarily remote, or there is a mix of remote and onsite users. In this scenario, users rely on authentication mechanisms separate from their domain password; for example, certificate-based authentication. Once the users are authenticated using the VPN solution, they can be treated like the previous scenario since they will have line of sight to a domain controller.


 


An important consideration for remote users is whether you will execute an administratively managed password reset (which is where an admin resets credentials for users and relies on users to use self-service password reset (SSPR) to regain access) or allow users to change their credentials gracefully on their own.


This scenario becomes more challenging when the VPN solution relies on the domain password as one (or the primary) factor for authentication and the VPN solution does not support a password reset during the sign-in flow. In such a scenario, if the organization has been set up for SSPR before the incident occurs, it makes the password reset process much easier to handle. If an organization does not have SSPR capabilities, a mass password reset will require some manual intervention. This could take the form of users having to call in to the help desk or attend a centralized location that has been set up for this purpose, provide verification of their identity over voice, video, or in person, and then have their password manually reset.


 


Alternatively, for VPN solutions that do not support a password reset during the authentication flow, you may wish to consider migrating the authentication source of your VPN solution to Microsoft Entra ID either temporarily to allow the session to be interrupted with a password reset, or permanently to gain the benefit of additional Microsoft Entra ID features like Conditional Access policies.


 


Users primarily remote with hybrid (on-premises) identities


 


With hybrid identities, an organization’s identities (users and computers) are already synchronized to Microsoft Entra ID. In this scenario, line of sight to a domain controller is not a requirement to orchestrate a mass password reset. Microsoft Entra ID supports flagging users to reset their credentials at next sign-in, similar to on-premises Active Directory.

Admins can use Microsoft Graph to set the user attribute either to “forceChangePasswordNextSignIn” or “forceChangePasswordNextSignInWithMfa” on the desired users to interrupt their next sign-in and allow them to change their password gracefully. If the password writeback feature is enabled in Microsoft Entra ID and the organization’s users are enabled for SSPR, then a password reset via either the MyAccount portal or SSPR portal will ensure that the newly reset password is synchronized back on-premises. If password writeback and SSPR are already enabled, this is the scenario with the fastest route to threat actor removal and least amount of manual work. There are some scenarios where an organization may not want to use SSPR, which we will discuss later in this post.


 


Considerations for service accounts


 


Service accounts with their never-expiring passwords and traditionally overprivileged nature tend to be the bane of any Active Directory administrator’s existence. This is particularly problematic when a mass password reset must be performed and little-to-no inventory exists that maps applications to service accounts. An effort should be made to inventory all service accounts and their associated services and applications. Where possible, service accounts should be migrated to Group Managed Service Accounts (gMSA). This has the dual advantage of making service accounts more manageable and removing the manual overhead associated with service accounts. This is also a great opportunity to “right size” the service accounts that tend to be traditionally overprivileged.


 


Considerations for privileged identities


 


All privileged cloud accounts should have phishing-resistant MFA enforced. Also, it is strongly advised to use Just in Time (JIT) administration methods, for example Microsoft Entra ID Privileged Identity Management (PIM). In addition, there should exist a clear separation of on-premises and cloud administration with separate identities for each realm. Identities belonging to the privileged on-premises AD DS groups should not be synchronized to Microsoft Entra ID. Conversely, all privileged cloud roles should be held by cloud native identities and must not be synchronized from AD DS. Most organizations will choose to manually reset any privileged credentials for a high level of assurance and control. It is important to verify when passwords were reset with PowerShell or Microsoft Graph; otherwise, it is very likely that some accounts may be missed.


 


Assurance and control considerations for a mass password reset


 


As we’ve detailed, there are several different scenarios that necessitate a mass password reset. This means that there are different levels of control or assurance an organization might require while performing a mass password reset. When SSPR mechanisms can be reliably used to provide assurance, organizations can use that feature to accelerate a mass password reset.


 


However, there are situations where an organization may not want to use the existing SSPR solution. For example, when an advanced threat actor has abused the organization’s SSPR system, or where there is actual evidence of AD DS database exfiltration. In such a scenario the organization would likely not choose to use that mechanism to enforce the mass password reset because the threat actor could re-establish initial access or persistence via SSPR.


 


Where an organization seeks a high degree of control and assurance for a mass password reset there will, unfortunately, be an element of manual intervention. However, with preparedness ahead of time, Microsoft Entra ID features such as a Temporary Access Pass, when combined with Conditional Access policies, can be used to automate some aspects of assurance and control. In any event where a high degree of assurance and control is desired, some level of manual intervention to verify users’ physical identities and the issuance of such temporary access passes is inevitable. In a subsequent post we will examine different Microsoft Entra ID features that can be used to accomplish this.


 


Conclusion and next steps


 


There are several variables and considerations for a mass password reset, and there is no one-size-fits-all solution. However, we can, with adequate preparedness, make this process less onerous and more manageable for organizations.


 


We recommend exploring other blogs from Microsoft Incident Response for expert guidance and tailored solutions to improve your incident response capabilities. Additionally, consider the benefits of Microsoft Entra ID for advanced identity and access management, which can strengthen your defenses against identity-related breaches.

NIST CSF 2.0 – Protect (PR) – Applications for Microsoft 365 (Part 1)

NIST CSF 2.0 – Protect (PR) – Applications for Microsoft 365 (Part 1)

by | Jun 10, 2024 | Technology

This article is contributed. See the original author and article here.

shawnrosco_0-1717968678915.png


 


The National Institute of Standards and Technology (NIST) published the first version of its Cybersecurity Framework (CSF) in 2014. Ten years later NIST released the second iteration of CSF, entitled NIST CSF 2.0. Microsoft and its partners have supported organizations in implementing the original CSF guidance, going as far as building and enhancing an assessment in Microsoft Purview Compliance Manager since 2018. This blog and series will look to apply NIST CSF 2.0 to Microsoft 365 and discuss changes from the previous publication.


 


It is somewhat improper to look at any particular CSF Functions in a vacuum or singular vantage point. NIST CSWP 29 (the primary document) illustrates and describes CSF Functions as “a wheel because all of the Functions relate to one another. For example, an organization will categorize assets under IDENTIFY and take steps to secure those assets under PROTECT. Investments in planning and testing in the GOVERN and IDENTIFY Functions will support timely detection of unexpected events in the DETECT Function, as well as enabling incident response and recovery actions for cybersecurity incidents in the RESPOND and RECOVER Functions. GOVERN is in the center of the wheel because it informs how an organization will implement the other five Functions.”


 


NIST CSF 2.0 WheelNIST CSF 2.0 Wheel


 


Therefore, despite the blog title, there will be occasional references to other CSF Functions and Categories, as well as future blogs covering other Functions. This discussion will also endeavor to focus primarily on Microsoft 365 but venture into Azure topics periodically by the nature of each solution. This blog or any subsequent blogs in the series will not be an exhaustive review of all possible applications of NIST CSF 2.0, nor exhaustive of the technologies mentioned and their abilities to manage cybersecurity risks.


 


As a final caveat, Amy Adams in Talladega Nights once spoke of one of the most talented individuals behind a wheel this way, “Ricky Bobby is not a thinker. Ricky Bobby is a driver.” I want to believe I might be the latter.


 


NIST CSF 2.0 – Protect (PR)


PR as a function is intended to cover “safeguards to manage the organization’s cybersecurity risks” and contains five Categories. The prior CSF publication included six categories, but two were significantly edited and renamed. PR.MA: Maintenance for example was mostly removed with remnants found elsewhere. Let’s first dive into PR.AA. NOTE: Text in green are excerpts from CSF documentation.


 


Identity Management, Authentication, and Access Control (PR.AA): Access to physical and logical assets is limited to authorized users, services, and hardware and managed commensurate with the assessed risk of unauthorized access


 


Identity and access are not just about directories and networks. Organizations of all sizes and industries are challenged with controlling access to digital estates that are often complex and boundaryless because of accelerated technology adoption. Microsoft Entra’s family of solutions shown below employs a variety of measures to manage access to resources limited to authorized users, services, and hardware.


shawnrosco_2-1717968678930.png


 


To meet the spirit of NIST CSF 2.0 PR.AA and a multitude of organizational scenarios, access decisions will need to be based upon periodic and real-time risk assessment. Automated and agile solutions are also necessitated for IT and security teams to avoid the manual processes traditionally associated with granting and managing access rights. Lastly, organizations will need to begin implementing some of the latest phishing-resistant multifactor authentication approaches using FIDO2 security keys, passkey technology, and/or certificate-based authentication to meet the barrage of sophisticated identity threats.


 


PR.AA-01: Identities and credentials for authorized users, services, and hardware are managed by the organization


 


Microsoft Entra ID (fka Azure Active Directory) can serve firstly as the management solution of identities and credentials for “authorized users” in Microsoft 365, along with other infrastructure and platforms. In the Entra ID admin center, you can create and manage user accounts, different types of groups (e.g., security groups, distribution groups), and memberships to groups for enhanced access permissions and group-based policies.


 


Additionally, Microsoft Entra ID Governance comes with Microsoft Entra ID P2 and enables entitlement management, a feature for managing identity and access lifecycle at scale, automating workflows, assignments, reviews, and expirations. Entitlement management is able to bundle together an “access package” consisting of resources like groups, applications, and SharePoint Online site access that users need to perform their tasks or projects. These access packages can be bound to a department, role type, internal vs external user, newly onboarded employees, etc. Lastly, organizations can automate the creation and removal of identities based on employment status, integrating with HCM or HR systems for efficient governance.


 


Management of “credentials of authorized users” can also include the management of a self-service password reset (SSPR) process for users. Microsoft Entra’s SSPR allows users to change or reset their password without administrator intervention but reliant on thoughtful policy. This feature is designed to reduce help desk calls and improve productivity by enabling users to unblock themselves if they forget their password or get locked out of their account. Administrators can configure the number of methods required for password reset or unlock, and users are prompted to confirm their registered information periodically.


 


Microsoft Entra External ID also enables internal users to collaborate with external users (guests) by inviting them to your organization, managing guest accounts in the Microsoft Entra admin center or by PowerShell, and ensuring they have appropriate access while maintaining control over your resources. External ID B2B collaboration is particularly useful for inviting external business partners to access apps and resources using their own credentials. This eliminates the need for managing new credentials, as guests authenticate with their home organization or identity provider. However, it is important to document and enforce least privilege per PR.AA-05 below for these users.


 


Lastly, Microsoft Entra ID allows for central management of device identities and monitoring, with features like viewing total, stale, noncompliant, and unmanaged devices. By registering and joining devices to Entra ID, organizations can enable Seamless Sign-on to both cloud-based and on-premises resources.


 


shawnrosco_3-1717968678943.png


 


Cross-Function Tip: PR.AA-01 could be included in your organization’s plan for the Detect (DE) Function and Continuous Monitoring (DE.CM) Category. Changes and actions taken by administrators in the management process can be “adverse events” resulting from malicious lateral movement or compromised identities.


 


PR.AA-02: Identities are proofed and bound to credentials based on the context of interactions


 


Microsoft Entra ID Conditional Access policies can further prove the authenticity of an authorized user and their access activity, and dynamically adjust the bounds of that identity based upon various conditions. A Conditional Access policy can analyze details of a session or authentication attempt based upon conditions such as the network or location of the session, and the current identity risk of a user (leaked credentials, signs of a password spray attack, etc.) Microsoft Entra also uses industry standard continuous access evaluation (CAE) with token protection features to verify identities and assess based upon context.


 


shawnrosco_4-1717968678951.png


 


During the device registration process in your organization, the user’s identity is also bound to the device based upon Microsoft Entra ID policies. Enrolled Windows devices, for example, will have an encrypted session key issued by Microsoft Entra that ensures token requests are not tampered with when a device is accessed, and subsequently Microsoft 365 applications. Other Microsoft Entra ID mechanisms are in place to prove and bound identities within device interactions, as well as prevent various types of credential theft. You can read more about them here.


 


For high-risk actions, organizations can require a step up proof of identity in real-time using Microsoft Entra Verified ID


 


PR.AA-03: Users, services, and hardware are authenticated


 


Starting in 2019, Microsoft provides on-by-default multifactor authentication in all new Microsoft 365 tenants. This can be reviewed and controlled in the Microsoft Entra admin center. In addition, Microsoft started automatically rolling out “Microsoft-managed” Conditional Access policies that force an MFA action when an admin signs into the Microsoft 365 admin portal, and when any user attempts a high-risk sign-in.


 


You can view the policies and their impact using the new policy view user experience in Microsoft Entra. Within the portal, administrators can also review a policy summary, alerts, recommended actions, and an impact summary. Administrators can also create their own custom policies focused on certain users, groups, or roles if scenarios are not covered by the default policies automatically deployed. It is possible to clone a policy and then make changes to an existing templated policy as well to suit these needs.


 


Cross-Function Tip: PR.AA-03 can be included in your organization’s plan for the Detect (DE) Function and Continuous Monitoring (DE.CM) Category. Security teams can monitor authentication events using sign-in and audit logs with Microsoft Sentinel and reason over them with support from Microsoft Copilot for Security.


 


PR.AA-04: Identity assertions are protected, conveyed, and verified


 


For those less familiar with the term “identity assertion(s)”, NIST 800-63C Digital Identity Guidelines gives an explanation of this requirement in greater detail. You can define Microsoft Entra ID as an Identity Provider or IdP that can convey an assertion to a Relying Party (RP), and these “assertions are statements that contain information about a subscriber”. The RP “uses the information in the assertion to identify the subscriber and make authorization decisions about their access to resources controlled by the RP.” In other instances, Microsoft Entra ID could be considered an RP when receiving assertions from an external IdP to grant guest access to Microsoft 365.


 


Organizations can, as a part of Microsoft Entra ID P1 and P2, configure Microsoft Entra SAML token encryption with RP apps that support SAML assertions. This encryption ensures that the content of the token cannot be intercepted easily, and personal or corporate data remains secure. OpenID Connect (OIDC) alternatively is another method to enable single sign-on with an OAuth-enabled RP app by exchanging ID tokens issued by Microsoft Entra authentication servers. An organization can register an app in the Microsoft Entra admin center to configure both federated SSO scenarios (and others) for conveying, protecting and verifying identity assertions. It’s important to note that even without token encryption, Microsoft Entra ID already requires encrypted HTTPS/TLS channels for token exchanges, adding a layer of security.


 


As mentioned in PR.AA-01, eternal IdPs or external Microsoft 365 tenants can convey identity assertions to an organization through External ID. A simple invitation and redemption process lets an external party use their own credentials (via their own IdP) to access your company’s resources as the RP. Once the guest redeems their invitation or completes sign-up, they’re represented in your directory as a user object. Below is a sample flow aligned to B2B collaboration guidance, and gates 1-4 & 6 can be configured as allowable or not.


 


shawnrosco_5-1717968678957.png


 


Cross-Function Tip: PR.AA-04 can be included in your organization’s plan for the Govern (GV) Function and Cybersecurity Supply Chain Risk Management (GV.SC) Category. As an organization works with various partners and suppliers, it’s important to ensure “supply chain risk management is integrated into cybersecurity and enterprise risk management”. Compromised identities from a supplier can directly impact external access and identity assertions for example.


 


PR.AA-05: Access permissions, entitlements, and authorizations are defined in a policy, managed, enforced, and reviewed, and incorporate the principles of least privilege and separation of duties


 


Beyond identity, credential and authentication management covered in other AA subcategories, this subcategory can necessitate more robust written and technical policies. A solution to consider first is role-based access control (RBAC) enabled by Microsoft Intune and Microsoft Entra, which helps your organization manage who has access to internal resources and what they can do with those resources. By assigning roles to your users, you can limit what they can see and change. A built-In or custom role defines the set of permissions granted to users assigned to that role. Organizations can manage role assignments following least privilege principles to define which users are assigned to the role, resources they can see, and resources they can change.


 


With Microsoft Entra ID P2, Microsoft Privileged Identity Management (PIM) also allows an organization to manage, enforce, review, and incorporate least privilege and separation of duties for important administrative roles and entitlements. PIM supports a similar degree of control with groups and the associated entitlements and authorizations in Microsoft 365. From a management perspective, an approval process can be enforced to justify an elevation of a user/identity to a more privileged role and documented within PIM for later review if necessary.


 


Access to critical assets like sensitive data or information in Microsoft 365 may be authorize to users that do not have elevated administrative roles discussed in the previous paragraph. A user may be an analyst within a financial department, a human resources coordinator, or a junior engineer for a research and development project. Users in these roles may not have entitlements to export large quantities of data or grant entitlements to other users but are equally governed by defined written policies and technical policies administered in Microsoft Purview and Microsoft Entra.


An organization can develop Microsoft Purview sensitivity labels to manage and enforce access authorizations for files, emails, and meetings across Microsoft 365: SharePoint, Teams, PowerBI, OneDrive and more. Label policies can then restrict which users or groups of users have authorization to access the labeled content.  


 


PR.AA-06: Physical access to assets is managed, monitored, and enforced commensurate with risk


 


From a Microsoft 365 perspective, there is physical access to two different types of assets:



  1. Physical compute resources (such as servers) and networking components at Azure datacenters across the globe

  2. Endpoints (laptop, mobile device, etc.)


According to the shared responsibility model in the cloud, a PaaS and SaaS offering like Microsoft 365 and it’s comprised solutions alleviate the responsibility of managing monitoring or enforcing access control to physical assets hosted in the Azure data center.


 


shawnrosco_6-1717968678965.png


 


Azure datacenters deploy several safeguards to project physical assets, such as: video surveillance, perimeter fencing, 24×7 security officer postings with background checked personnel, locked server racks and server floors, integrated alarm systems, time and area-bound access granted through a protected ticketing system, and multi-factor access control including biometric scanning. As mentioned in the Category description of PR.AA, “logical access” to Microsoft 365 infrastructure, including customer data, is prohibited from within Microsoft datacenters. For more information about physical access security or to geek out on granular details like the material used to construct perimeter fences (spoiler – it’s steel and concrete), here is your muse.


 


Beyond the datacenter – laptops, mobile devices, and other endpoints can be considered a physical asset in the sense that unfettered physical access to them could create risk for an organization. The Protect (PR) Function at the highest level is defined as “safeguards to manage the organization’s cybersecurity risks”. Safeguarding endpoints as a physical asset, however, cannot be protected by fences and video surveillance realistically as you would a data center physical asset. Therefore, it is important to evoke other Categories, like Awareness and Training (PR.AT) and Data Security (PR.DS), within the PR Function to train employees to safeguard their endpoints and avoid negative impacts of a lost or stolen device. Organizations can also document this risk in your Organizational Profile and/or System Security plan.


 


Cross-Function Tip: The Identify (ID) Function contains a Category for Asset Management (ID.AM) that pertains to an organization’s strategy for inventorying and managing physical assets like endpoints. The lifecycle of a hardware component can include wiping and recommissioning/decommissioning previously used devices, as well as a process of remote wiping a lost or stolen machine using Microsoft Intune. Much of ID.AM pertaining to servers and network-related physical assets are managed at the Microsoft datacenter for Microsoft 365 tenants.


“You gotta learn to drive with the fear”


In this blog we covered all of the PR.AA Subcategories, where they apply to Microsoft 365, and how Microsoft solutions address each applicable element. This coverage is not comprehensive of all risk or all strategies; yet, the intent is to prime your organization’s approach. Subsequent blogs will explore other Categories within the Protect Function shown below.


 


NIST CSF 2.0 Protect (PR) CategoriesNIST CSF 2.0 Protect (PR) Categories


 


Organizations establishing or reviewing their risk management practices can appreciate the importance of awareness. A proper identity and access control strategy starts by being risk informed, even if the risks presently outweigh the mitigations. Let’s press into the risk to grow as organizations and security practitioners.


 


Reese Bobby offered sage wisdom to his son Ricky in the theatrical number, Talladega Nights, “You gotta learn to drive with the fear. And there ain’t nothing more frightening than driving with a live cougar in the car.” Drive with the fear. Drive with a live cougar in the car.