“If we play our cards right, the next decade could be some of the best 10 years ever in human history”, says Stanford Professor Erik Brynjolfsson.

Check out the WorkLab podcast to learn how AI can help create a whole new world of careers and economic opportunity.

Microsoft focuses heavily on both the security of our cloud and providing our customers with the security controls they need to protect their cloud workloads.

As a leader in cybersecurity, we embrace our responsibility to make the world a safer place. This is reflected in our comprehensive approach to ransomware prevention and detection in our security framework, designs, products, legal efforts, industry partnerships, and services.

This eBook provides our customers with guidance on how to leverage our Azure cloud native controls to optimize their defenses against ransomware attacks.

Windows Server 2012/R2 is end of life in less than 2 weeks at the time of this post.

Additionally, for those looking for “MAK Keys” to enable “Extended Security Updates” (ESUs) as was done with Windows Server 2008, they are not available.

Q: But what about Microsoft’s documentation that implies I can still get a MAK key?

The language used referencing the availability of MAK keys was for Windows Server 2008.  Today, there are no “Extended Security Update” SKUs to purchase from the commercial price list used by resellers on behalf of  customers with Enterprise Agreements or Select.

In English, there’s no “Extended Security Updates” to buy from your reseller to put on your Microsoft contract.  Go ahead.  Ask them.

Q: So what does one do if your Windows Server 2012 VMs/Servers have no direct connection to Azure Arc?

Customers need to set up a proxy gateway, enabling your servers to specifically communicate with Azure Arc.  If you do not have one established, you’ll need to get one working before October 10, 2023.

Review the following for a brief summary.

Posted by: kurtsh | September 29, 2023

INFO: Azure Arc for SQL for “Server/CAL” licensing

This came up recently, and I thought it warranted posting a note:

Customers that are licensed for SQL Server via the legacy “Server/CAL” licensing are unfortunately not eligible for the majority of the listed in-box benefits of “Azure Arc for SQL”.

WHAT SQL SERVER/CAL LICENSED CUSTOMERS CAN & CAN’T DO WITH AZURE ARC FOR SQL
As shown in the Azure Arc for SQL Server docs:
(https://learn.microsoft.com/en-us/sql/sql-server/azure-arc/manage-configuration?view=sql-server-ver16&tabs=azure#license-types)

SQL Server/CAL licensed customers can use the following:

  1. Connect to Azure
  2. SQL Server Inventory
  3. Entra ID Authentication
  4. Defender for Cloud
    (Requires subscription)
  5. Govern through Microsoft Purview
    (Requires subscription)

SQL Server/CAL licensed customers cannot use the following:

  1. Best Practices Assessment
  2. Detailed Database Inventory
  3. Automated Backups
  4. Automated Patching

Azure Arc for SQL is largely a solution for SQL Servers licensed “per Core”.

For a limited time – September 1, 2023 – November 30, 2023 – you can save up to 50% compared to pay-as-you-go pricing when you purchase one-year Azure Reserved Virtual Machine (VM) Instances for Dv3s VMs in the Azure US West region.

For any EA, PAYGO or MCA customer, simply purchase a one-year term for Azure Reserved Virtual Machine Instances for qualified Dv3s instances in the US West region to take advantage of this offer.  The offer applies to any of the following VM series:

  • D2v3
  • D4v3
  • D8v3
  • D16v3
  • D32v3
  • D48v3
  • D64v3

For further details, visit:

Posted by: kurtsh | September 26, 2023

RELEASE: Surface Announcements from Sept 2023

This is a wrap up of what was launched at the recent Microsoft event – some on stage & some backstage.

Surface Laptop Studio 2
The most powerful Surface ever built.

  • More choices for connectivity with 2x Thunderbolt 4 USB-C®, USB-A and microSD reader
  • Faster DDR5X RAM with up to 64GB configurations
  • Over 2X the power with the latest 13th Gen Intel® processors and cutting-edge GPUs from NVIDIA® with more vRAM
  • New Wide-FOV camera & NPU bringing AI Windows Studio Effects to x86 for the 1st time
  • More accessible haptic touchpad

Learn More about Surface Laptop Studio 2>


Surface Laptop Go 3
Go faster. With up to 32% more power.

  • ~35% faster with Intel Core i5 processors and longer battery life
  • 12.4” PixelSense touchscreen for intuitive and natural interaction
  • Increased RAM and storage options that offer more space for important apps
  • Lightweight at only 2.48 lb

Learn More about Surface Laptop Go 3>


Surface Go 4
The most secure Surface Go ever.

  • New Intel® processor N200 with 50% increase CPU, 50% increase GPU performance, and faster memory for snappy multitasking
  • Ultra-portable and versatile at just 1.2 lb with tablet to laptop flexibility
  • Touch and pen enhancements in Windows and Microsoft 365 for more natural interaction

Learn More about Surface Go 4>


Surface Hub 3
Bridging Workforce Collaboration with Microsoft Teams Rooms

  • New hybrid work scenarios with Portrait Mode: new 50” Surface Hubs will support Portrait Mode and snap rotation, allowing you to use the device in different
  • Increased compute and improved graphics: enable faster multi-tasking and support for line-of-business applications with the latest Intel® processors and NVIDIA® GPUs
  • Streamlined management & support: use the same tools to manage Hub as your other meeting room devices, such as Microsoft Endpoint Manager and Microsoft 365 Admin Center.

Learn more about Surface Hub 3>

Posted by: kurtsh | September 22, 2023

HOWTO: Replace an on-prem file server with Azure Files

Complete the steps below in order to enable Active Directory for all shares in this storage account. Watch the video below for an end-to-end walkthrough.

Video tutorial on enabling identity-based access
Watch the video below for an end-to-end walkthrough of how to configure on-premises Active Directory to enable identity-based access to all file shares in this storage account, as documented at “Overview – On-premises AD DS authentication to Azure file shares”.

  • Replace an on-premises file server with Azure file shares
    An end-to-end demo and description of the various Azure file share features that enable an IT Admin to understand and configure identity-based authentication "AD authentication", networking, private endpoint and other features of an Azure file share.
    https://youtu.be/a-Twfus0HWE
Posted by: kurtsh | September 21, 2023

INFO: Muting your microphone in Microsoft Teams

Did you know that in Windows 11 you can hit WIN-ALT-K to MUTE your microphone for any app that leverages the Taskbar Mute button ("Call Mute"), like Microsoft Teams? (As of Windows 11 version 22H2)

Alternatively, there’s a more comprehensive tool within Windows PowerToys that accomplishes the same thing and supports Windows 10 called “Video Conference Mute”:

#microsofteams #teams #powertoys #keyboardshortcuts #windows #windows11 #mute

Posted by: kurtsh | September 20, 2023

INFO: Staying on top of Microsoft 365 / Office 365 Updates

The July 2023 announcement around the coming Azure AD Multi-factor Authentication “registration campaign” that will be pushed to end users on Sept 25th, 2023 to have them register for Microsoft Authenticator app-based MFA… caught several Microsoft 365 Admins I’ve talked to by surprise.  The only reason they were alerted to the campaign was because there was a last minute email that was sent directly to M365 Admins.

WAYS TO STAY UP TO DATE WITH MESSAGE CENTER
The announcement was made in the Microsoft 365 Message Center and underlines the importance of reviewing alerts posted there.  The following are best practices, as a Microsoft 365 Admin, for staying up to date with Message Center notices.

THE “OFFICE 365 UPDATE SCOUT” POST
A very good summary of these techniques and more is available at:

Posted by: kurtsh | September 19, 2023

HOWTO: Disable Azure AD MFA Registration Campaign

Recently, folks using Azure AD Multi-factor Authentication (MFA) have started receiving “last chance” emails (like that in the snapshot to the left) about the Authenticator App Registration Campaign that is being launched on all Microsoft-managed Azure AD tenants starting Sept 15th. (Note: This date has since been pushed out to Sept 25th – see below)

WHAT IS THIS?
This is an urgent initiative to drive Azure AD users to transition from SMS/Voice-based Multi-factor Authentication to Microsoft Authenticator app-based MFA.

These telephony-based methods of MFA can be circumvented through SIM-swapping and other techniques bad actors use. The frequency of breaches led by the fallibility of SMS/Voice MFA has been increasing throughout the world, and it is considered a trending threat to identities such as those in Azure AD tenants.

WHEN DID THIS GET ANNOUNCED?
This Microsoft Authenticator “registration campaign” to drive users to move off of SMS/Voice MFA was announced in the Message Center (MC650420) back in July.

It has since been UPDATED on Sept 18th, 2023 to announce that the registration campaign will launch from Sept 25th to Oct 20th. (Changed from Sept 15th)

Here’s the current Message Center message:

(Updated) Changes to the registration campaign feature in Microsoft Entra (previously Azure Active Directory)

MC650420 · Published Jul 20, 2023 · Last updated Sep 18, 2023

MAJOR UPDATE | ADMIN IMPACT | NEW FEATURE | USER IMPACT

Message Summary

Updated September 18, 2023: Deployment will begin September 25th and will run to October 20th. These dates replace the dates mentioned in the email "We’re enabling a stronger form of multifactor authentication beginning September 15, 2023" that you might have received. We apologize for the inconvenience.

Publicly switched telephone networks (PSTN) such as SMS and voice authentication are the weakest forms of MFA. To help your users move away from these less secure MFA methods we are introducing changes to the Microsoft managed state of the registration campaign (aka Nudge) feature in Microsoft Entra (previously Azure Active Directory).

When this will happen:

Starting late September 2023 and expect to complete by late October 2023.

How this affects your organization:

Users in your organization who are relying on PSTN (SMS and/or voice) for MFA will be prompted to use the Microsoft Authenticator app. Users can skip this prompt for a maximum of 3 times, after which registration of the app will be required by default. Note: admins can decide if they want to opt out of the “limited” 3 snooze configuration or give their end users the ability to snooze indefinitely.

What you can do to prepare:

We urge you to motivate your users to immediately stop using SMS and voice for MFA. You can take advantage of several new admin levers to achieve this such as system-preferred MFA and Microsoft Authenticator Lite, in addition to registration campaign. However, if some of your users require more time you can exempt them for now. Sign in as Global Administrator or Authentication Policy Administrator and go to Microsoft Entra > Identity > Protection > Authentication methods > Registration campaign and exclude these user groups.

Stay alert, stay secure!

Microsoft Identity & Network access (IDNA) product group

HOW DO I DISABLE THIS FOR OUR TENANT?
For folks that have situations that prevent the mandated use of Authenticator apps (Union rules, lack of phones, etc.), I wrote up some instructions on how to disable the MFA/Microsoft Authenticator App registration campaign for all users:

  1. Go to https://entra.microsoft.com/
  2. Go to Identity –> “Protection”
  3. Click “Authentication Methods”
  4. Click “Registration Campaign”
  5. Click “Edit”
  6. Set the State drop down from “Microsoft Managed” to “Disabled”
  7. Click “Save”
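
The same setting can be changed through Microsoft Graph instead of the portal. The sketch below is an added example, not part of the original post: it builds the PATCH body from the tenant's current policy so existing include/exclude targets are preserved, and it also covers the narrower option the Message Center notice describes (excluding a group rather than disabling the campaign for everyone). It assumes the Graph v1.0 `authenticationMethodsPolicy` endpoint, where the portal's “Microsoft Managed” state appears as `default`; the sample policy and the group ID are constructed placeholders.

```python
import copy
import json
import urllib.request

GRAPH_URL = "https://graph.microsoft.com/v1.0/policies/authenticationMethodsPolicy"
PLACEHOLDER_GROUP = "00000000-0000-0000-0000-000000000000"  # placeholder group object ID

# Constructed sample of the relevant part of a GET response (not from a real tenant).
SAMPLE_POLICY = {"registrationEnforcement": {"authenticationMethodsRegistrationCampaign": {
    "snoozeDurationInDays": 1,
    "state": "default",  # shown in the portal as "Microsoft Managed"
    "excludeTargets": [],
    "includeTargets": [{"id": "all_users", "targetType": "group",
                        "targetedAuthenticationMethod": "microsoftAuthenticator"}],
}}}


def campaign_of(policy):
    """Return the registration campaign object inside a policy document."""
    return policy["registrationEnforcement"]["authenticationMethodsRegistrationCampaign"]


def build_patch(policy, state=None, exclude_group_id=None):
    """Build a PATCH body that changes only what was asked and keeps existing targets."""
    campaign = copy.deepcopy(campaign_of(policy))  # never mutate the fetched policy
    if state is not None:
        if state not in ("default", "enabled", "disabled"):
            raise ValueError(f"unknown state: {state}")
        campaign["state"] = state
    if exclude_group_id is not None:
        target = {"id": exclude_group_id, "targetType": "group"}
        if target not in campaign["excludeTargets"]:  # idempotent: no duplicate entries
            campaign["excludeTargets"].append(target)
    return {"registrationEnforcement": {"authenticationMethodsRegistrationCampaign": campaign}}


def apply_patch(body, token):
    """Send the body to Graph; the token needs Policy.ReadWrite.AuthenticationMethod."""
    req = urllib.request.Request(
        GRAPH_URL, data=json.dumps(body).encode(), method="PATCH",
        headers={"Authorization": f"Bearer {token}", "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return resp.status  # HTTP status of the response


if __name__ == "__main__":
    # Tenant-wide disable, as in the portal steps above (printed, not sent).
    print(json.dumps(build_patch(SAMPLE_POLICY, state="disabled"), indent=2))
    # Narrower alternative: keep the campaign, exempt one group.
    print(json.dumps(build_patch(SAMPLE_POLICY, exclude_group_id=PLACEHOLDER_GROUP), indent=2))
```
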

ALTERNATIVES TO DEPLOYING THE AUTHENTICATOR APP FOR MFA
Organizations need to transition from SMS/Voice MFA – not just because it puts your organization at risk, but because Microsoft will be pulling the plug on the service in the future.

So what does one do?  The answer for many organizations is either Windows Hello for Business or FIDO2 keys – like those from Yubico.  These devices are durable, portable, and act like the keys to the ignition of your PC.
