Posted by: kurtsh | September 19, 2023

HOWTO: Disable Azure AD MFA Registration Campaign

Recently, folks using Azure AD Multi-factor Authentication (MFA) have started receiving “last chance” emails (like that in the snapshot to the left) about the Authenticator App Registration Campaign that is being launched on all Microsoft-managed Azure AD tenants starting Sept 15th. (Note: This date has since been pushed out to Sept 25th – see below)

WHAT IS THIS?
This is an urgent initiative to drive Azure AD users to transition from SMS/Voice-based Multi-factor Authentication to Microsoft Authenticator app-based MFA. 

These telephony-based methods of MFA can be circumvented through SIM-swapping and other techniques bad actors use. The frequency of breaches led by the fallibility of SMS/Voice MFA has been increasing throughout the world and it is considered a trending threat to identities such as those in Azure AD tenants.

WHEN DID THIS GET ANNOUNCED?
This Microsoft Authenticator “registration campaign” to drive users to move off of SMS/Voice MFA was announced in the Message Center (MC650420) back in July.

It has since been UPDATED on Sept 18th, 2023 to announce that the registration campaign will launch from Sept 25th to Oct 20th. (Changed from Sept 15th)

Here’s the current Message Center message:

(Updated) Changes to the registration campaign feature in Microsoft Entra (previously Azure Active Directory)

MC650420 · Published Jul 20, 2023 · Last updated Sep 18, 2023

MAJOR UPDATE | ADMIN IMPACT | NEW FEATURE | USER IMPACT

Message Summary

Updated September 18, 2023: Deployment will begin September 25th and will run to October 20th. These dates replace the dates mentioned in the email "We’re enabling a stronger form of multifactor authentication beginning September 15, 2023" that you might have received. We apologize for the inconvenience.

Publicly switched telephone networks (PSTN) such as SMS and voice authentication are the weakest forms of MFA. To help your users move away from these less secure MFA methods we are introducing changes to the Microsoft managed state of the registration campaign (aka Nudge) feature in Microsoft Entra (previously Azure Active Directory).

When this will happen:

Starting late September 2023 and expect to complete by late October 2023.

How this affects your organization:

Users in your organization who are relying on PSTN (SMS and/or voice) for MFA will be prompted to use the Microsoft Authenticator app. Users can skip this prompt for a maximum of 3 times, after which registration of the app will be required by default. Note: admins can decide if they want to opt out of the “limited” 3 snooze configuration or give their end users the ability to snooze indefinitely.

What you can do to prepare:

We urge you to motivate your users to immediately stop using SMS and voice for MFA. You can take advantage of several new admin levers to achieve this such as system-preferred MFA and Microsoft Authenticator Lite, in addition to registration campaign. However, if some of your users require more time you can exempt them for now. Sign in as Global Administrator or Authentication Policy Administrator and go to Microsoft Entra > Identity > Protection > Authentication methods > Registration campaign and exclude these user groups.

Stay alert, stay secure!

Microsoft Identity & Network access (IDNA) product group

HOW DO I DISABLE THIS FOR OUR TENANT?
For folks that have situations that prevent the mandated use of Authenticator apps (Union rules, lack of phones, etc.)  I wrote up some instructions on how to disable the MFA/Microsoft Authenticator App registration campaign for all users:

  1. Go to https://entra.microsoft.com/
  2. Go to Identity –> “Protection”
  3. Click “Authentication Methods”
  4. Click “Registration Campaign”
  5. Click “Edit”
  6. Set the State drop down from “Microsoft Managed” to “Disabled”
  7. Click “Save”
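
The same change scripted against Microsoft Graph, as an added example that is not part of the original post: it reads the registration campaign, then either sets it to disabled for the whole tenant (the result of steps 1 to 7) or adds one group to the exclusions, as the Message Center text suggests. It assumes the Microsoft Graph PowerShell SDK is installed; the `-Action` and `-GroupId` parameters and the all-zero group ID are placeholders of this example.

```powershell
# Added example, not from the original post. Assumes the Microsoft Graph
# PowerShell SDK and a Global Administrator or Authentication Policy
# Administrator account (the roles named in the Message Center text).
param(
    [ValidateSet('Report', 'Disable', 'ExcludeGroup')]
    [string]$Action = 'Report',
    # Placeholder object ID of the group to exempt; replace before use.
    [string]$GroupId = '00000000-0000-0000-0000-000000000000'
)

$uri = 'https://graph.microsoft.com/v1.0/policies/authenticationMethodsPolicy'
Connect-MgGraph -Scopes 'Policy.ReadWrite.AuthenticationMethod'

function Get-Campaign {
    # The campaign settings sit under registrationEnforcement in the policy.
    $policy = Invoke-MgGraphRequest -Method GET -Uri $uri
    $policy.registrationEnforcement.authenticationMethodsRegistrationCampaign
}

function Show-Campaign($Campaign, [string]$Label) {
    # The API value "default" is what the portal shows as "Microsoft Managed".
    $excluded = foreach ($t in $Campaign.excludeTargets) { "$($t.targetType):$($t.id)" }
    Write-Host ("{0}: state={1}, snoozeDurationInDays={2}, excluded=[{3}]" -f
        $Label, $Campaign.state, $Campaign.snoozeDurationInDays, ($excluded -join ', '))
}

$campaign = Get-Campaign
Show-Campaign $campaign 'Current'

switch ($Action) {
    'Disable' {
        # Same effect as step 6: turns the nudge off for every user.
        $campaign.state = 'disabled'
    }
    'ExcludeGroup' {
        # Narrower option from the Message Center text: exempt one group only.
        $ids = foreach ($t in $campaign.excludeTargets) { $t.id }
        if ($ids -notcontains $GroupId) {
            $campaign.excludeTargets = @($campaign.excludeTargets) +
                @{ id = $GroupId; targetType = 'group' }
        }
    }
}

if ($Action -ne 'Report') {
    # Send the whole campaign object back so existing targets are preserved.
    $body = @{ registrationEnforcement = @{
        authenticationMethodsRegistrationCampaign = $campaign } } |
        ConvertTo-Json -Depth 10
    Invoke-MgGraphRequest -Method PATCH -Uri $uri -Body $body -ContentType 'application/json'
    Show-Campaign (Get-Campaign) 'Updated'
}
```

Run it with no arguments first to record the current state and exclusions before changing anything.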

ALTERNATIVES TO DEPLOYING THE AUTHENTICATOR APP FOR MFA
Organizations need to transition from SMS/Voice MFA – not just because it puts your organization at risk, but because Microsoft will be pulling the plug on the service in the future.

So what does one do?  The answer for many organizations is either Windows Hello for Business or FIDO2 keys – like those from Yubico.  These devices are durable, portable, and act like the keys to the ignition of your PC.

Posted by: kurtsh | September 15, 2023

NEWS: Introducing "Oracle Database@Azure"


Today’s Microsoft enterprise customers are looking to accelerate their migration to the cloud so they can modernize their IT environments and take advantage of Azure infrastructure, tooling, and services. Oracle customers are looking for:

  • PERFORMANCE: The highest level of Oracle database performance, scale, and availability, as well as feature and pricing parity
  • SECURITY: The simplicity, security, and latency of a single operating environment (datacenter) within Azure
  • APP & AI SERVICES: The ability to build new cloud native applications using OCI and Azure technologies, including Azure’s best-in-class AI services
  • SUPPORT: The assurance of an architecture that is tested and supported by two of the most trusted names in the cloud

NATIVE ORACLE DATABASE SERVICES IN MICROSOFT AZURE
That’s why we are expanding our partnership with Oracle, enabling Oracle’s 430,000 customers[i] to apply the unique services of the Microsoft cloud to Oracle’s mission-critical databases through a new service, “Oracle Database@Azure”.

Oracle Database@Azure delivers all the performance, scale, and workload availability advantages of Oracle Database on OCI with the security, flexibility, and best-in-class services of Microsoft Azure, including best-in-class AI services like Azure OpenAI. This combination provides customers with more flexibility regarding where they run their workloads. It also provides a streamlined environment that simplifies cloud purchasing and management between Oracle Database and Azure services.

With this new offering, Azure is the only cloud provider other than Oracle Cloud Infrastructure to host Oracle services, including Oracle Exadata Database Service and Oracle Autonomous Database on Oracle Cloud Infrastructure in Azure datacenters.


Our deep partnership with Oracle continues to focus on reducing the common hurdles customers face when migrating workloads to the public cloud. Oracle Database@Azure is our new offering to bring Oracle Database services inside Azure. With the ability for customers to migrate Oracle databases “as is” to OCI and deploy them in Azure alongside their current workloads in the Microsoft Cloud, organizations can create new solutions and further competitive differentiation.

VIDEO: Watch Oracle Chairman & CTO, Larry Ellison & Microsoft CEO Satya Nadella talk with Alysa Taylor, Microsoft CVP of Azure & Industry about this revolutionary new offering from Oracle & Microsoft.

(Fun Fact: This is the first time Larry Ellison has ever set foot on Microsoft’s campus.)

—————————-

For more information, on this exciting new announcement, please visit:

  • Azure.com/oracle: “Migration and modernization for Oracle workloads”
  • Oracle.com/azure: “Oracle and Microsoft expand partnership to deliver Oracle database services on Oracle Cloud Infrastructure in Microsoft Azure”
  • Partnership news page: “Accelerating cloud transformation with Microsoft and Oracle”
  • Press release: “Microsoft and Oracle expand partnership to deliver Oracle Database Services on Oracle Cloud Infrastructure in Microsoft Azure”
  • Announcement blog: “Microsoft expands partnership with Oracle to bring customers’ mission-critical database workloads to Azure”

Large organizations frequently provision a singular instance of Azure OpenAI Service that is shared across multiple internal departments. This shared use necessitates an efficient mechanism for allocating costs to each business unit or consumer, based on the number of tokens consumed.

This article delves into how chargeback is calculated for each business unit based on their token usage.

Posted by: kurtsh | September 13, 2023

RELEASE: “Semantic Index” for Microsoft 365 Copilot

To help every customer get AI-ready, we’re rolling out Semantic Index for Copilot, which connects you with your organization’s most relevant and actionable information.

Semantic Index for Copilot is a sophisticated map of your user and company data. For example, when you ask it about the “March Sales Report,” it doesn’t simply look for documents with those words in the file name or body. Instead, it understands that “sales reports are produced by Kelly on the finance team and created in Excel.”

And it uses that conceptual understanding to determine your intent and help you find what you need. The Semantic Index for Copilot is critical to getting relevant, actionable responses to prompts in Microsoft 365 Copilot. And it enhances enterprise search results for E3 and E5 customers—whether they are using Copilot or not.

Learn more about this new capability in Microsoft 365 E3 and E5:

https://msft.it/60499jBCt

#Microsoft365

<stolen from Samir Saini>

Attention State, County, Local Government IT Innovators! September has arrived, and I’m thrilled to share my lineup of the Top 5 Must-Attend Microsoft virtual training & learning events for you. Get ready to supercharge your digital transformation journey with the Microsoft Cloud!

🔒 9/5 – CYBERSECURITY – Protect Data and Mitigate Risk: https://mktoevents.com/Microsoft+Event/405792/157-GQE-382 Learn how to secure data and reduce risks with Microsoft Purview Information Protection and risk mgmt. solutions. Explore how to manage data protection policies across your organization and protect your people and data against cyberthreats.

☁ 9/7 – INFRASTRUCTURE – Modernize Your Infrastructure and Workloads https://msevents.microsoft.com/event?id=2286485869
Learn about the benefits of migrating and modernizing your workloads in the Azure cloud or in an hybrid cloud environment to strengthen reliability and security and accelerate innovation!

🤖 9/14 – GENERATIVE AI – The Future of Work with AI! https://msevents.microsoft.com/event?id=1453252446
Learn about our Azure OpenAI service, how to fine-tune language models to your specific needs across a variety of use cases, from summarization to content and code generation…and so much more!

💻 9/19 – MODERN WORK – Evolving Work with Windows in the Cloud https://msevents.microsoft.com/event?id=4226906705
Learn about the evolution of Windows, including our Windows 365 Cloud PC offering and Azure Virtual Desktop, and how these solutions are helping to manage hybrid work setups while safeguarding data across devices.

⚙ 9/21 – LOW-CODE/NO CODE – Power Platform & Copilot https://msevents.microsoft.com/event?id=4046052840
Learn more about the Power Platform with Azure, helping you do more with less by modernizing legacy apps, building new ones, automating manual processes, or generating insights for anyone in our organization.

Posted by: kurtsh | September 1, 2023

RELEASE: Azure OpenAI Service for Government

Microsoft continues to develop and advance cloud services to meet the full spectrum of government needs while complying with United States regulatory standards for classification and security. The latest of these tools, generative AI capabilities through Microsoft Azure OpenAI Service, can help government agencies improve efficiency, enhance productivity, and unlock new insights from their data.

Many agencies require a higher level of security given the sensitivity of government data. Microsoft Azure Government provides the stringent security and compliance standards they need to meet government requirements for sensitive data.

Currently, large language models that power generative AI tools live in the commercial cloud. For government customers, Microsoft has developed a new architecture that enables government agencies to securely access the large language models in the commercial environment from Azure Government allowing those users to maintain the stringent security requirements necessary for government cloud operations.

If you’re an Azure Government customer (United States federal, state, and local government or their partners), you now have the opportunity to use the Microsoft Azure OpenAI Service through purpose-built, AI-optimized infrastructure providing access to OpenAI’s advanced generative models.

Read the full article at:

BLOG: Unlock new insights with Azure OpenAI Service for government

https://azure.microsoft.com/en-us/blog/unlock-new-insights-with-azure-openai-service-for-government/

Wanna get off of Group Policy & on-prem configuration policy management?

Is your GP a mess & are you constantly running GPResults cuz you don’t know how GPOs are going to impact your users & devices?

Are you looking to move to cloud-based Intune policy to eliminate the need for corpnet or VPN connectivity to apply policies?

The Group Policy analytics tool can help you overcome these challenges by providing:

  • A detailed report for each GPO that shows you the settings, conflicts, usage, and Intune equivalent policy (if one exists).
  • A migration tool that lets you export your GPO settings to Intune policies and apply them to your devices.

You can use Group Policy analytics to import, analyze, and migrate GPOs and their settings.  Read about it and the “Group Policy Migration Readiness” report here:

Are you looking for:

  1. SUPERVISION: Directly-supervised case during Critical Situations & issues of the highest severity
  2. ESCALATION: Managed escalation for matters that increase in urgency or need increased attention
  3. SECURITY 911: Immediate assistance during breaches, compromises, ransomware, DDOS attacks & other cybersecurity incidents
  4. RESPONSE TIMES: Documented & defined Service Response Times
  5. ADVISORY: Expert technical assistance & guidance for deployments, configurations
  6. TROUBLESHOOTING: 24/7 technical support for all cloud & software product solutions from Microsoft
  7. TRAINING: Unique, one-of-a-kind workshops from a catalog of over 500 course offerings, available in-person or virtually from experienced support engineers
  8. ENHANCED SUPPORT: Access more than 8 add-on support services for differing needs including
        1. Designated Engineering
        2. Mission Critical Support
        3. Enhanced Response
        4. Developer Support
        5. Office 365 Engineering Direct
  9. ENGINEERING ACCESS: Cases may be escalated to product engineering for review when the issue is confirmed to be a product issue by support
  10. CHANGE REQUESTS: “Design change requests” may be submitted to engineering for missing functionality
  11. ROOT CAUSE: Analysis reports are generated to share with exec management to understand root cause & what is being done to prevent the issue from happening in the future
  12. PROACTIVE ASSISTANCE: Accelerate the progress of IT staff-led Microsoft projects with expert support engineering assistance through a catalog of over 1000+ Unified Proactive offerings.

If this sounds like what you’re interested in, you’re looking to enroll in Microsoft Unified Enterprise Support.  Support agreements start at $50K for existing Microsoft customers with Master Business Agreements.

Contact your Microsoft Account Executive to be put in touch with a Microsoft Services Executive to discuss Unified Enterprise Support.

Read more about Unified Enterprise support below.

Posted by: kurtsh | August 23, 2023

EVENT: “Surface Event” – Sept 21, 2023

Coming Sept 21, 2023:

"…my sources say to expect a new Surface Laptop Studio 2, Surface Laptop Go 3, and Surface Go 4 for the main highlights."

Posted by: kurtsh | August 23, 2023

DOWNLOAD: Azure Governance Visualizer (AzGovViz)

Azure Governance Visualizer (AzGovViz) is a PowerShell script that iterates through an Azure tenant’s management group hierarchy down to the subscription level. You can run the script either for your Tenant Root Group or any other Management Group.

By polling Azure ARM, Storage and Microsoft Graph APIs, the script captures data from the most relevant Azure governance capabilities such as:

  • Azure Policy
  • Azure role-based access control (Azure RBAC)
  • Azure Blueprints

From the collected data, the visualizer shows your hierarchy map, creates a tenant summary, and builds granular scope insights about your management groups and subscriptions.

Do you want to get granular insights on your technical Azure Governance implementation? – document it in CSV, HTML, Markdown and JSON? Azure Governance Visualizer is a PowerShell based script that iterates your Azure Tenant´s Management Group hierarchy down to Subscription level. It captures most relevant Azure governance capabilities such as Azure Policy, RBAC and Blueprints and a lot more. From the collected data Azure Governance Visualizer provides visibility on your HierarchyMap, creates a TenantSummary, creates DefinitionInsights and builds granular ScopeInsights on Management Groups and Subscriptions. The technical requirements as well as the required permissions are minimal.

The visualizer provides a holistic overview of your technical Azure Governance implementation by connecting the dots.
