In what follows we discuss the interplay between Microsoft Entra (Azure AD; PIM) and Microsoft Purview. The aim is to present the possibilities of leveraging PAM to deploy labels, policies and similar items to mail-enabled groups (an M365 Group for this post).
Please do not see this as a limitation, rather, the possibility to use this tech in scenarios that require a mail-enabled group to be assigned for example, when assigning super users, creating test DLP policies, etc., or in this case deploying labels like a hero! TBH the possibilities are endless.
Recently reorganized, enter Microsoft Entra (refer to the launch post under the link), now defined as the product family encompassing all of Microsoft's identity and access capabilities. This family now comprises the following three products (two of which are new):
The products in the Entra family will help provide secure access to everything for everyone, by providing identity and access management, cloud infrastructure entitlement management, and identity verification.
Microsoft Entra will verify all types of identities and secure, manage, and govern their access to any resource. The new Microsoft Entra product family will:
Protect access to any app or resource for any user.
Secure and verify every identity across hybrid and multi-cloud environments.
Discover and govern permissions in multi-cloud environments.
Simplify the user experience with real-time intelligent access decisions.
The specific part of Entra we will use for this solution is Azure AD, and more specifically PIM (Privileged Identity Management). To be clear, one of the pivotal parts of this solution utilizes a feature called “Privileged Access Groups”, which is still in preview at the time of writing this post.
Double Key Encryption, or DKE, is a method of protecting data above anything else. As the name alludes, it uses two keys together to protect the content: one key is held by Microsoft (they protect it!) and the other is held purely by the customer (who, by extension, is responsible for protecting that key!). The DKE mechanism piggybacks on the Azure Purview label set and, when configured correctly, allows a label to apply DKE protection to the data it labels.
Many enterprise IT departments these days are afraid of golden ticket or pass-the-ticket attacks, which is good, because privilege escalation and privileged account exploitation are at the center of cyber attacks as we see them. Attackers crash through the network perimeter, hijack credentials and use them to move laterally throughout the network, taking additional credentials and escalating privileges along the way to accomplish their goals. In this blog series we will have a look at Kerberos golden ticket and silver ticket attacks. I’ll try my best to explain how they work and how Azure ATP / Advanced Threat Analytics can help to detect them.
With the acquisition of Secure Islands in November 2015, Microsoft announced (June 2016) a new product called Azure Information Protection. This new service builds on the newly adopted document and file labeling and the already existing Azure Rights Management service (Azure RMS). With AIP you can classify, protect and encrypt content from the beginning and throughout its lifecycle. Furthermore, you can define by whom mails or files can be opened, set an expiration date, and revoke access to files that have already been sent. But more on the details later. Since October 4, 2016 Azure Information Protection is GA, and it’s time for us to have a look at what’s behind it.
In many Windows 10 or MDM workshops, we come back to the point where we discuss how clients or devices will be connected with our on-premises environment in the future. Of course, we then talk about Azure Active Directory. Reason enough to deal with it here once.
In general I can tell you that all Microsoft Online Services handle authentication via Azure AD (AAD). So whether you are using O365 (Exchange Online, SharePoint Online, etc.) or services from Azure (OMS, Azure Remote Apps, etc.), the authentication process is always handled via Azure AD.