Tuesday, February 22, 2022

This is a continuation of a series of articles on Azure services from an operational engineering perspective, with the most recent introduction to Microsoft Intune with the link here. The previous article mentioned Microsoft Intune with its broad offerings and common ways to use them. This article discusses device management with Intune specifically.

Microsoft Intune is a cloud-based service that manages devices and their applications. These devices can include mobile phones, tablets, and notebooks. It can help configure specific policies to control applications. It allows people in the organization to use their devices for school or work. The data stays protected, and the organizational data can be isolated from the personal data on the same device. It is part of Microsoft’s Enterprise Mobility + Security (EMS) suite. It integrates with Azure Active Directory to control who has access and what they can access, and with Azure Information Protection for data protection.

Device management is a key task for the Intune administrator. It enables organizations to protect and secure their resources and data across different devices. A device management provider can ensure that only authorized users get access to the devices and their applications.

Intune offers mobile device management and mobile application management. Some key tasks for such management include: 1) supporting diverse mobile platforms and their ecosystems, 2) ensuring devices and applications are compliant with the organization's security requirements, 3) creating policies that keep organization data safe on organization-owned and personal devices, 4) using a single solution to enforce policies, and 5) protecting the company’s information by controlling the way data is used.

Intune works seamlessly with on-premises solutions for mobile device and application management. Many organizations use an on-premises Configuration Manager to manage devices, and it can be cloud-attached to Microsoft Intune. The benefits of Intune and the cloud include conditional access, running remote actions, using Windows Autopilot, and more. Microsoft Endpoint Manager is a solution platform that unifies several services. It includes Microsoft Intune for cloud-based device management and Configuration Manager with Intune for cloud-attached device management. The option to ‘co-manage’ with Configuration Manager and Intune is just right for leveraging the cloud to manage devices in the field. There is also an option for Endpoint Manager tenant attach, where the devices are uploaded to the Endpoint Manager admin center without enabling auto-management or switching to Intune.

Intune also integrates with other services to extend security and protection. Microsoft 365 is a key component that simplifies common IT tasks, and it works with Intune, Azure Active Directory, and more. Windows Defender includes many security features to help protect Windows client devices. Together with Intune, it enables Windows Defender SmartScreen to look for suspicious activities. With Microsoft Defender for Endpoint, it helps prevent security breaches on mobile devices. Conditional access is a feature of Azure Active Directory; together with Intune, it makes sure only compliant devices are allowed access to email and other applications.

The choice of approach for managing devices and applications depends on the organization and its requirements. Some features are built into Intune and help with managing those devices. Another approach helps manage the applications on those devices. There is also a combination that can do both.

The device management admin center offers many capabilities that allow administrators to enroll devices, set device compliance, manage devices, manage applications, manage iOS eBooks, install Exchange, manage roles, manage Windows client updates, manage software updates, manage Azure Active Directory, manage users, groups and members, and troubleshoot. Microsoft Intune offers a planning guide to get started.


Monday, February 21, 2022

This is a continuation of a series of articles on Azure services from an operational engineering perspective, with the most recent introduction of Microsoft Graph with the link here. The previous articles discussed Microsoft Graph, its connectors, and Data Connect. This article discusses Intune. The Microsoft Graph API for Intune enables programmatic access to Intune information for a tenant. The API performs the same Intune operations as those available via the portal; Intune just behaves like another service that provides data into the Graph API.

Microsoft Intune is a cloud-based service that manages devices and their applications. These devices can include mobile phones, tablets, and notebooks. It can help configure specific policies to control applications. It allows people in the organization to use their devices for school or work. The data stays protected, and the organizational data can be isolated from the personal data on the same device. It is part of Microsoft’s Enterprise Mobility + Security (EMS) suite. It integrates with Azure Active Directory to control who has access and what they can access, and with Azure Information Protection for data protection.

Since it is a cloud service, it can work directly with clients over the internet or be co-managed with Configuration Manager and Intune. Rules and configuration settings can be set on personal and organization-owned devices to access data and networks. Authenticated applications can be deployed on devices. Company information can be protected by controlling the way users access and share information. Devices and applications can be made compliant with the security requirements. Users must opt into management with Intune on their devices, and they can opt in for partial or full control by organization administrators. These administrators can add and assign mobile apps to user groups and devices; configure apps to start or run with specific settings enabled and update existing apps already on the device; see reports on which apps are used and track their usage; and do a selective wipe by removing only organization data from apps. App protection policies include using Azure AD identity to isolate organization data from personal data, helping secure access on personal devices, and enrolling devices.

Intune makes use of app protection policies and device compliance policies to protect data. It also uses profiles and configuration policies to protect data. It uses applications and application configuration policies to manage applications. It saves the device compliance results to Active Directory for conditional access. It uses groups from Active Directory to regulate all the activities it performs for users. The authentication and authorization helper libraries that work with Active Directory are used by SaaS applications and Office 365 to integrate with application stores and device experiences. In a way, Intune works like a collection of microservices instead of a monolithic control and state-reconciliation plane. End-user devices make use of Network Access Control partner, Mobile Threat Defense connector, and Telecom Expense Management routines to connect with the microservices that protect data and configure devices.

Microsoft Intune includes settings and features that can be enabled or disabled on different devices within the organization. These are added to configuration profiles that can be created for different devices and different platforms, and Intune can be used to assign a profile to devices. Configuration profiles help complete several tasks, such as blocking ActiveX controls in Microsoft Edge, allowing users to AirPrint to specific printers, allowing or denying access to Bluetooth, giving access to corporate networks, managing software updates, or running as a dedicated kiosk device. There are a few cloud-based artifacts that administrators can leverage for this purpose. They include administrative templates, which are hundreds of settings that give administrators a simplified view of settings; group policy analytics, which analyzes on-premises GPOs and shows which policy settings are supported; and custom settings, which extend the built-in settings when they don’t suffice. Software updates are delivered through delivery optimization. They also include derived credentials, which can be included with profiles to connect to VPN and Wi-Fi.

Sunday, February 20, 2022

 

DNS Domain Ownership enforcement:


Problem statement:

Domain Name Service (DNS) records are registered with an authority in a network to allow hosts to be reached by their names. The records map names to IP addresses that can be resolved in the network. A hierarchy of domain name servers can translate external traffic to network hosts. This enables users to reach websites and organizational resources from the internet or intranet respectively. When these records are created, they are new instances and do not affect the existing records. If they are untouched, they resolve to specific hosts that can be reached and do not interfere with the security or usage of existing hosts. However, an unintended or hostile update to a record can take down the reachability of critical business resources. This article explores the need for DNS security and the ways to perform updates securely: whether to rely on features specific to a DNS server or to streamline and harden the process surrounding the use of DNS servers and the associated network.

Solution:

The API-based approach will chain an ownership resource to each DNS record so that all changes can be authenticated, authorized, and audited. These include:

2) the integration between the ticketing framework and the message queues 

In this case, each record on the DNS server has an owner associated with the workflow that generated the record. All actions taken on the records are logged against this resource. The API is as follows:

Create resourceowner                         POST    /rest/api/2/resourceowner
Get resourceowner                            GET     /rest/api/2/resourceowner/{resourceownerIdOrKey}
Delete resourceowner                         DELETE  /rest/api/2/resourceowner/{resourceownerIdOrKey}
Edit resourceowner                           PUT     /rest/api/2/resourceowner/{resourceownerIdOrKey}
Assign                                       PUT     /rest/api/2/resourceowner/{resourceownerIdOrKey}/record
Get records                                  GET     /rest/api/2/resourceowner/{resourceownerIdOrKey}/record
Add record                                   POST    /rest/api/2/resourceowner/{resourceownerIdOrKey}/record
Update record                                PUT     /rest/api/2/resourceowner/{resourceownerIdOrKey}/record/{id}
Delete record                                DELETE  /rest/api/2/resourceowner/{resourceownerIdOrKey}/record/{id}
Notify                                       POST    /rest/api/2/resourceowner/{resourceownerIdOrKey}/notify
Create or update remote resourceowner link   POST    /rest/api/2/resourceowner/{resourceownerIdOrKey}/remotelink
Get resourceowner watchers                   GET     /rest/api/2/resourceowner/{resourceownerIdOrKey}/watchers
Add watcher                                  POST    /rest/api/2/resourceowner/{resourceownerIdOrKey}/watchers
Remove watcher                               DELETE  /rest/api/2/resourceowner/{resourceownerIdOrKey}/watchers
Get create resourceowner meta                GET     /rest/api/2/resourceowner/createmeta
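The following is an added example, not code from the article: an in-memory model of the ownership-chained record API listed above. Every DNS record is bound to a resourceowner (the workflow that created it), each mutating call names a caller identity, the call is authorized against the owner before anything changes, and every attempt, allowed or denied, lands in an audit log. The class and method names, the caller identities (ticket-workflow, someone-else, netops-oncall) and the record values are assumptions made for illustration.

```python
"""Added example: ownership-chained DNS record store with authorization and
audit. The names OwnershipService, ResourceOwner and the sample callers are
hypothetical; the REST paths in the comments are the ones listed above."""
from dataclasses import dataclass, field
from datetime import datetime, timezone
import ipaddress
import itertools


class Forbidden(Exception):
    """Raised when the caller is not the principal behind the resourceowner."""


@dataclass
class ResourceOwner:
    key: str                                      # e.g. the ticket / workflow id
    principal: str                                # identity allowed to change its records
    watchers: set = field(default_factory=set)    # identities notified on change
    records: dict = field(default_factory=dict)   # record id -> (name, type, value)


class OwnershipService:
    def __init__(self):
        self._owners = {}
        self._ids = itertools.count(1)
        self.audit = []          # one entry per attempted action, allowed or denied

    def _log(self, caller, action, owner_key, detail, allowed):
        self.audit.append({"ts": datetime.now(timezone.utc).isoformat(), "caller": caller,
                           "action": action, "owner": owner_key, "detail": detail,
                           "allowed": allowed})

    def _authorize(self, caller, owner_key, action, detail):
        """Deny-by-default: only the owner's principal may mutate its records."""
        owner = self._owners.get(owner_key)
        if owner is None or owner.principal != caller:
            self._log(caller, action, owner_key, detail, False)
            raise Forbidden(f"{caller} may not {action} on {owner_key}")
        self._log(caller, action, owner_key, detail, True)
        return owner

    # POST /rest/api/2/resourceowner
    def create_owner(self, caller, key):
        self._owners[key] = ResourceOwner(key=key, principal=caller)
        self._log(caller, "create_owner", key, key, True)
        return self._owners[key]

    # POST /rest/api/2/resourceowner/{key}/record
    def add_record(self, caller, owner_key, name, rtype, value):
        owner = self._authorize(caller, owner_key, "add_record", f"{name} {rtype} {value}")
        if rtype in ("A", "AAAA"):
            ipaddress.ip_address(value)          # reject malformed addresses early
        rid = next(self._ids)
        owner.records[rid] = (name, rtype, value)
        return rid

    # PUT /rest/api/2/resourceowner/{key}/record/{id}
    def update_record(self, caller, owner_key, rid, value):
        owner = self._authorize(caller, owner_key, "update_record", f"{rid} -> {value}")
        name, rtype, _ = owner.records[rid]
        if rtype in ("A", "AAAA"):
            ipaddress.ip_address(value)
        owner.records[rid] = (name, rtype, value)
        return owner.records[rid]

    # DELETE /rest/api/2/resourceowner/{key}/record/{id}
    def delete_record(self, caller, owner_key, rid):
        owner = self._authorize(caller, owner_key, "delete_record", str(rid))
        return owner.records.pop(rid)

    # GET /rest/api/2/resourceowner/{key}/record (reads are not owner-restricted here)
    def get_records(self, owner_key):
        return dict(self._owners[owner_key].records)

    # POST /rest/api/2/resourceowner/{key}/watchers
    def add_watcher(self, caller, owner_key, watcher):
        self._authorize(caller, owner_key, "add_watcher", watcher).watchers.add(watcher)

    # POST /rest/api/2/resourceowner/{key}/notify: who must hear about a change
    def notify_targets(self, owner_key):
        owner = self._owners[owner_key]
        return {owner.principal} | owner.watchers

    def denied_actions(self):
        return [e for e in self.audit if not e["allowed"]]


def demo():
    """Constructed walk-through: a ticket workflow owns a record, a different
    caller's update is refused and shows up in the audit log."""
    svc = OwnershipService()
    svc.create_owner("ticket-workflow", "TICKET-123")
    rid = svc.add_record("ticket-workflow", "TICKET-123", "app.example.test", "A", "10.0.0.5")
    svc.add_watcher("ticket-workflow", "TICKET-123", "netops-oncall")
    try:
        svc.update_record("someone-else", "TICKET-123", rid, "198.51.100.9")
    except Forbidden:
        pass                                     # denied and logged
    svc.update_record("ticket-workflow", "TICKET-123", rid, "10.0.0.6")
    return svc, rid


if __name__ == "__main__":
    service, record_id = demo()
    print(service.get_records("TICKET-123"))
    print("denied:", [(e["caller"], e["action"]) for e in service.denied_actions()])
```

The point a reviewer would check is that authorization happens inside every mutating path rather than at the HTTP layer alone, and that the denied attempt is recorded with the same detail as an allowed one; the notify targets (owner plus watchers) are what the `/notify` endpoint would fan out to after a change.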

Conclusion:

Some solutions involve recurring best-practice patterns, such as an automation framework that enables background processing with the help of a persistence layer, a message queue, and a synchronous full-stack service model. Others require general-purpose but predefined groupings of cloud service resources. Organizations will find they do not need to repeat the discovery and implementation of DNS record owner security.

Saturday, February 19, 2022

DNS record updates

Problem statement: 

Domain Name Service (DNS) records are registered with an authority in a network to allow hosts to be reached by their names. The records map names to IP addresses that can be resolved in the network. A hierarchy of domain name servers can translate external traffic to network hosts. This enables users to reach websites and organizational resources from the internet or intranet respectively. When these records are created, they are new instances and do not affect the existing records. If they are untouched, they resolve to specific hosts that can be reached and do not interfere with the security or usage of existing hosts. However, an unintended or hostile update to a record can take down the reachability of critical business resources. This article explores the need for DNS security and the ways to perform updates securely: whether to rely on features specific to a DNS server or to streamline and harden the process surrounding the use of DNS servers and the associated network.

Solution: 

The original DNS protocol for external name servers has the following limitations: 

1. Complex management: Manually introduced misconfigurations of name servers occur occasionally because of the complexity of managing them. A syntax error in a zone data file might go unnoticed and will render that name server unable to load that zone, so it returns either old data or no data. If the syntax error is in the name server’s configuration file, it will prevent the name server from starting.

2. Attack vulnerabilities: If administrators do not take the simple precaution of configuring their forwarders to process recursive queries only from internal IP addresses, it might lead to a cache-poisoning attack, where an attacker induces the name server to cache fabricated data.

This can have a significant impact on e-commerce, because an attacker could redirect traffic intended for, say, a bank’s website to a web server with a replica of the site’s content and steal account numbers and passwords.

3. Difficult upgrades: Upgrading to a new version of the name server is not just a simple software update. It might involve downloading new source code, compiling, testing, and installing, in many cases without an upgrade advisor or migration path. If this task becomes an onus, administrators will tend to put it off. This can manifest as a delayed impact on businesses.

For example, a patch was released for the Lion worm, but months afterwards the worm continued to infect name servers around the internet.

4. Ever-growing attack options: One of the biggest challenges for IT organizations is the ever-increasing number of DNS attacks and their types. The well-known attacks include: 1) TCP SYN flood attacks, where connections are orphaned by flooding DNS servers with TCP connection requests until the target machine fails; 2) UDP flood attacks, where a large number of UDP packets sent to a random port on a target server causes it to fail; 3) LAND attacks, where a spoofed TCP or UDP packet carrying the target host’s address and an open port as both the source and the destination causes the machine to reply to itself continuously; 4) cache-poisoning attacks, where legitimate requests are sent to a malicious website; and 5) proxy attacks, where a machine that has penetrated the network routes legitimate requests to malicious websites.
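The first limitation above is a zone-file syntax error that goes unnoticed until the name server refuses to load the zone. The following is an added example, not from the article, of the pre-load check an operations team can run in the change pipeline before a zone is pushed: it parses the common master-file record forms (owner, optional TTL, optional class, type, rdata), validates A/AAAA addresses, CNAME/NS targets and MX fields, and flags an owner that mixes CNAME with other data. The zone text is constructed, the function name `check_zone` is hypothetical, and the parser deliberately does not handle parenthesised multi-line records such as SOA.

```python
"""Added example: a lightweight pre-load validator for zone data fragments.
check_zone() is a hypothetical helper; SAMPLE_ZONE is constructed for the
demo and deliberately contains several errors."""
import ipaddress
import re

LABEL = r"[A-Za-z0-9_](?:[A-Za-z0-9_-]{0,61}[A-Za-z0-9_])?"
NAME_RE = re.compile(rf"^(?:@|(?:{LABEL}\.)*{LABEL}\.?)$")
KNOWN_TYPES = {"A", "AAAA", "CNAME", "NS", "MX", "TXT"}


def _strip_comment(line):
    """Drop a ';' comment, but not a ';' inside a quoted TXT string."""
    out, quoted = [], False
    for ch in line:
        if ch == '"':
            quoted = not quoted
        if ch == ";" and not quoted:
            break
        out.append(ch)
    return "".join(out).strip()


def _is_ip(value, version):
    try:
        return ipaddress.ip_address(value).version == version
    except ValueError:
        return False


def check_zone(text):
    """Return [(line_no, message), ...]; an empty list means every check passed.
    Line 0 marks zone-wide problems that belong to no single line."""
    problems, types_by_owner, last_owner = [], {}, None
    for no, raw in enumerate(text.splitlines(), 1):
        line = _strip_comment(raw)
        if not line or line.startswith("$"):          # blank, comment, $ORIGIN/$TTL
            continue
        fields = line.split()
        inherited = raw[:1].isspace()                 # leading blank: reuse previous owner
        if inherited and last_owner is None:
            problems.append((no, "owner name omitted but there is no previous record"))
            continue
        if len(fields) < (2 if inherited else 3):
            problems.append((no, "too few fields for a resource record"))
            continue
        owner = last_owner if inherited else fields.pop(0)
        if not NAME_RE.match(owner):
            problems.append((no, f"invalid owner name {owner!r}"))
        last_owner = owner
        if fields[0].isdigit():                       # optional TTL
            if int(fields.pop(0)) > 2**31 - 1:
                problems.append((no, "TTL exceeds the RFC 2181 maximum"))
        if fields and fields[0].upper() == "IN":      # optional class
            fields.pop(0)
        if not fields:
            problems.append((no, "missing record type"))
            continue
        rtype, rdata = fields[0].upper(), fields[1:]
        if rtype not in KNOWN_TYPES:
            problems.append((no, f"unknown or unsupported type {rtype!r}"))
            continue
        if rtype == "A" and not (len(rdata) == 1 and _is_ip(rdata[0], 4)):
            problems.append((no, "A record needs exactly one IPv4 address"))
        elif rtype == "AAAA" and not (len(rdata) == 1 and _is_ip(rdata[0], 6)):
            problems.append((no, "AAAA record needs exactly one IPv6 address"))
        elif rtype in ("CNAME", "NS") and not (len(rdata) == 1 and NAME_RE.match(rdata[0])):
            problems.append((no, f"{rtype} record needs exactly one target name"))
        elif rtype == "MX" and not (len(rdata) == 2 and rdata[0].isdigit()):
            problems.append((no, "MX record needs <preference> <exchange>"))
        types_by_owner.setdefault(owner, set()).add(rtype)
    # RFC 1034 section 3.6.2: an owner with a CNAME may carry no other record type
    for owner, types in types_by_owner.items():
        if "CNAME" in types and len(types) > 1:
            problems.append((0, f"{owner!r} mixes CNAME with {sorted(types - {'CNAME'})}"))
    return problems


# Constructed zone fragment; lines 5, 8 and 9 are broken and 'alias' mixes CNAME with A.
SAMPLE_ZONE = """\
$ORIGIN example.test.
$TTL 3600
www       IN A     192.0.2.10
          IN AAAA  2001:db8::10        ; owner inherited from the line above
mail      IN A     192.0.2.256         ; octet out of range
alias     IN CNAME www
alias     IN A     192.0.2.11          ; CNAME and other data at one owner
broken    IN A                         ; missing rdata
bad-      IN A     192.0.2.12          ; label must not end with '-'
@         IN MX    10 mail
@         IN TXT   "v=spf1 -all ; not a comment"
"""

if __name__ == "__main__":
    for line_no, msg in check_zone(SAMPLE_ZONE):
        print(f"line {line_no}: {msg}")
```

Running the check as a gate in the same workflow that files the DNS change turns the "unnoticed syntax error" failure mode into a rejected change request; for production use, loading the zone into a throwaway name server instance and querying it is the stronger check, since it exercises the real parser.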

Friday, February 18, 2022

 

This is a continuation of a series of articles on Azure services from an operational engineering perspective, with the most recent introduction of Microsoft Graph with the link here. The previous articles discussed Microsoft Graph, its connectors, and Data Connect. This article introduces Intune. The Microsoft Graph API for Intune enables programmatic access to Intune information for a tenant. The API performs the same Intune operations as those available via the portal; Intune just behaves like another service that provides data into the Graph API.

Microsoft Intune is a cloud-based service that manages devices and their applications. These devices can include mobile phones, tablets, and notebooks. It can help configure specific policies to control applications. It allows people in the organization to use their devices for school or work. The data stays protected, and the organizational data can be isolated from the personal data on the same device. It is part of Microsoft’s Enterprise Mobility + Security (EMS) suite. It integrates with Azure Active Directory to control who has access and what they can access, and with Azure Information Protection for data protection.

Since it is a cloud service, it can work directly with clients over the internet or be co-managed with Configuration Manager and Intune. Rules and configuration settings can be set on personal and organization-owned devices to access data and networks. Authenticated applications can be deployed on devices. Company information can be protected by controlling the way users access and share information. Devices and applications can be made compliant with the security requirements. Users must opt into management with Intune on their devices, and they can opt in for partial or full control by organization administrators. These administrators can add and assign mobile apps to user groups and devices; configure apps to start or run with specific settings enabled and update existing apps already on the device; see reports on which apps are used and track their usage; and do a selective wipe by removing only organization data from apps. App protection policies include using Azure AD identity to isolate organization data from personal data, helping secure access on personal devices, and enrolling devices.

Intune makes use of app protection policies and device compliance policies to protect data. It also uses profiles and configuration policies to protect data. It uses applications and application configuration policies to manage applications. It saves the device compliance results to Active Directory for conditional access. It uses groups from Active Directory to regulate all the activities it performs for users. The authentication and authorization helper libraries that work with Active Directory are used by SaaS applications and Office 365 to integrate with application stores and device experiences. In a way, Intune works like a collection of microservices instead of a monolithic control and state-reconciliation plane. End-user devices make use of Network Access Control partner, Mobile Threat Defense connector, and Telecom Expense Management routines to connect with the microservices that protect data and configure devices.
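Both this post and the February 21 post above describe the Microsoft Graph API for Intune as programmatic access to the same information the portal shows. The following is an added example, not code from the articles or from Microsoft, of the report an operations engineer typically builds first from it: page through the tenant's managed devices and summarize compliance, including devices whose last check-in is stale (a device that never syncs can carry a stale "compliant" verdict into conditional access). The endpoint `deviceManagement/managedDevices` and the properties `deviceName`, `complianceState` and `lastSyncDateTime` are the documented Graph v1.0 names; the `fetch_json` callback, the `graph_fetcher` helper, the token handling and the two sample response pages are constructed so that the example runs offline.

```python
"""Added example: Intune managed-device compliance summary over Microsoft Graph.
graph_fetcher(), iter_managed_devices() and compliance_summary() are
hypothetical helper names; SAMPLE_PAGES is a constructed stand-in for two
pages of the real API response."""
import json
import urllib.request
from datetime import datetime, timedelta, timezone

GRAPH = "https://graph.microsoft.com/v1.0"
SELECT = ("id", "deviceName", "complianceState", "operatingSystem", "lastSyncDateTime")
FIRST_PAGE = f"{GRAPH}/deviceManagement/managedDevices?$select={','.join(SELECT)}"


def graph_fetcher(access_token):
    """Return fetch_json(url): a GET with a bearer token. Acquiring the token
    (MSAL, managed identity, ...) is outside this example."""
    def fetch_json(url):
        req = urllib.request.Request(url, headers={"Authorization": f"Bearer {access_token}"})
        with urllib.request.urlopen(req) as resp:
            return json.load(resp)
    return fetch_json


def iter_managed_devices(fetch_json):
    """Yield every managed device, following @odata.nextLink across pages."""
    url = FIRST_PAGE
    while url:
        body = fetch_json(url)
        yield from body.get("value", [])
        url = body.get("@odata.nextLink")        # absent on the last page


def compliance_summary(devices, now, stale_after=timedelta(days=7)):
    """Count devices per complianceState and list the non-compliant ones and
    those that have not synced within stale_after."""
    counts, noncompliant, stale = {}, [], []
    for d in devices:
        state = d.get("complianceState", "unknown")
        counts[state] = counts.get(state, 0) + 1
        if state != "compliant":
            noncompliant.append(d["deviceName"])
        last = d.get("lastSyncDateTime")
        if last and now - datetime.fromisoformat(last.replace("Z", "+00:00")) > stale_after:
            stale.append(d["deviceName"])
    return {"counts": counts, "noncompliant": sorted(noncompliant), "stale": sorted(stale)}


# Constructed sample: two pages shaped like the Graph response, keyed by URL.
_PAGE2 = f"{GRAPH}/deviceManagement/managedDevices?$skiptoken=CONSTRUCTED-TOKEN"
SAMPLE_PAGES = {
    FIRST_PAGE: {
        "value": [
            {"id": "d1", "deviceName": "LAPTOP-01", "complianceState": "compliant",
             "operatingSystem": "Windows", "lastSyncDateTime": "2022-02-17T09:00:00Z"},
            {"id": "d2", "deviceName": "PHONE-07", "complianceState": "noncompliant",
             "operatingSystem": "iOS", "lastSyncDateTime": "2022-02-18T08:30:00Z"},
        ],
        "@odata.nextLink": _PAGE2,
    },
    _PAGE2: {
        "value": [
            {"id": "d3", "deviceName": "TABLET-03", "complianceState": "inGracePeriod",
             "operatingSystem": "Android", "lastSyncDateTime": "2022-01-20T12:00:00Z"},
        ],
    },
}


def sample_fetch(url):
    """Offline stand-in for graph_fetcher(token)."""
    return SAMPLE_PAGES[url]


def demo():
    now = datetime(2022, 2, 18, 12, 0, tzinfo=timezone.utc)   # fixed clock for the sample
    return compliance_summary(iter_managed_devices(sample_fetch), now)


if __name__ == "__main__":
    print(demo())
```

Against a real tenant, replace `sample_fetch` with `graph_fetcher(token)` for an application that has been granted the Intune device-read permission; the paging loop is the part people most often get wrong, since the first page looks complete on a small tenant and silently truncates on a large one.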

The technology behind software updates and push notifications is not new. The benefits of synchronization over an always-online solution are quite clear: reduced data transfer over the network, reduced load on the enterprise server, faster data access, and increased control over data availability. But it is less understood that there are different types of synchronization depending on the type of data. For example, synchronization may be initiated for personal information management (PIM) data such as email and calendar entries, as opposed to application files. The latter can be considered artifacts that artifact-independent synchronization services can refresh. Several such products are available, and they do not require user involvement for a refresh. This means one or more files and applications can be set up for synchronization on remote devices, although these are usually one-way transfers.

Data synchronization, on the other hand, performs a bidirectional exchange, and sometimes a transformation, between two data stores. This is the focus area of this article. The server data store is usually larger because it holds data for more than one user, and the local data store is usually limited by the size of the mobile device. The data transfer occurs over a synchronization middleware or layer. The middleware is set up on the server, while the layer is hosted on the client. This is the most common way for smart applications to access corporate data.

Synchronization might be treated as a web service with the usual three tiers comprising the client, the middle tier, and enterprise data. When the data is synchronized between an enterprise server and a persistent data store on the client, a modular layer on the client can provide a simple, easy-to-use client API to control the process with little or no interaction from the client application. This layer may just need to be written or rewritten natively for the host, depending on whether the client is a mobile phone, laptop, or some other such device. With a simple invocation of the synchronization layer, a client application can expect the data in the local store to be refreshed.

The synchronization middleware resides on the server, and this is where the bulk of the synchronization logic is written. There can be more than one data store behind the middleware on the server side and more than one client on the client side. Typical features of this server-side implementation include data scoping, conflict detection and resolution, data transformation, data compression, and security. These features are maintained along with server performance and scalability. Two common forms of synchronization middleware are a standalone server application and a servlet running in a servlet engine. The standalone server is more tightly coupled to the operating system and provides better performance for large data. The J2EE application servers rely on an outside servlet engine and are better suited for high-volume, low-payload data changes.

The last part of this synchronization solution is the data backend. While it is typically internal to the synchronization server, it is called out because it might involve more than one data store, technology, and access mechanism, such as object-relational mapping.
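The paragraphs above name the server-side features of the synchronization middleware (data scoping, conflict detection and resolution) without showing how they fit together. The following is an added example, not from the article, of a minimal two-phase sync: the client pushes its local edits, a conflict is detected when the server's version of an item moved since the client last saw it and resolved by a policy (latest logical timestamp wins, or server always wins), an edit to an item outside the client's scope is refused, and the client then pulls the server changes within its scope since its last sequence number. The store classes, the `synchronize` function, the owners `u1`/`u2` and the item values are assumptions made for illustration.

```python
"""Added example: bidirectional sync with scoping and conflict resolution.
ServerStore, ClientStore and synchronize() are hypothetical names; the demo
data (owners u1/u2, contact and note items) is constructed."""
from dataclasses import dataclass


@dataclass
class Item:
    key: str
    value: str
    version: int      # server-assigned sequence number at the time of the last write
    owner: str        # data scoping: a client only ever sees its own owner's items
    modified: int     # logical timestamp supplied by the writer, used to settle conflicts


class ServerStore:
    def __init__(self):
        self.items, self.changes, self.seq = {}, [], 0

    def put(self, key, value, owner, modified):
        self.seq += 1
        self.items[key] = Item(key, value, self.seq, owner, modified)
        self.changes.append((self.seq, key))          # change log for incremental pulls
        return self.items[key]

    def changed_since(self, seq, owner):
        keys = {k for s, k in self.changes if s > seq}
        return [self.items[k] for k in keys if self.items[k].owner == owner]


class ClientStore:
    def __init__(self, owner):
        self.owner = owner
        self.items = {}       # key -> Item as last received from the server
        self.dirty = {}       # key -> (new value, modified) edited locally since last sync
        self.last_seq = 0

    def edit(self, key, value, modified):
        self.dirty[key] = (value, modified)


def synchronize(client, server, policy="latest"):
    """Phase 1 pushes local edits (refusing out-of-scope keys and settling
    conflicts); phase 2 pulls the server's changes in this client's scope."""
    report = {"pushed": [], "conflicts": [], "denied": [], "pulled": []}
    for key, (value, modified) in list(client.dirty.items()):
        current = server.items.get(key)
        if current and current.owner != client.owner:
            report["denied"].append(key)                 # not this client's data
            client.dirty.pop(key)
            continue
        base_version = client.items[key].version if key in client.items else 0
        if current and current.version != base_version:  # server moved on since our base
            if policy == "server" or (policy == "latest" and current.modified >= modified):
                report["conflicts"].append((key, "kept server"))
                client.dirty.pop(key)                    # drop local edit; pull refreshes it
                continue
            report["conflicts"].append((key, "kept client"))
        server.put(key, value, client.owner, modified)
        report["pushed"].append(key)
        client.dirty.pop(key)
    for item in sorted(server.changed_since(client.last_seq, client.owner),
                       key=lambda i: i.version):
        client.items[item.key] = item
        report["pulled"].append(item.key)
    client.last_seq = server.seq
    return report


def demo():
    server = ServerStore()
    server.put("contact:1", "alice@old.example", "u1", modified=100)
    server.put("contact:9", "bob@other.example", "u2", modified=100)   # another user's data
    client = ClientStore("u1")
    first = synchronize(client, server)                                  # initial pull
    server.put("contact:1", "alice@server.example", "u1", modified=200)  # edit from another device
    client.edit("contact:1", "alice@client.example", modified=150)       # older local edit: conflict
    client.edit("note:1", "call back on Monday", modified=160)           # brand-new item
    client.edit("contact:9", "tamper", modified=170)                     # outside u1's scope
    second = synchronize(client, server, policy="latest")
    return client, server, first, second


if __name__ == "__main__":
    c, s, r1, r2 = demo()
    print(r1)
    print(r2)
    print({k: v.value for k, v in c.items.items()})
```

The scoping check runs before the conflict check on purpose: a client must never be able to overwrite another owner's item even when its local copy looks "newer", and the refusal is reported so the client layer can surface it rather than retry forever.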

 

Thursday, February 17, 2022

Microsoft Graph

This is a continuation of a series of articles on Azure services from an operational engineering perspective, with the most recent introduction of this topic with the link here. The previous article discussed the Microsoft Graph Data Connect used with Microsoft Graph. This article discusses the best practices for using Microsoft Teams activity feed notifications. Microsoft Graph enables integration with the best of Microsoft 365, Windows 10, and the Enterprise Mobility and Security services in Microsoft 365, using REST APIs and client libraries.

Microsoft Graph provides a unified programmability model by consolidating multiple APIs into one. As Microsoft’s cloud services have evolved, the APIs to reference them have also changed. Originally, as cloud services like Exchange Online, SharePoint, OneDrive, and others evolved, an API to access each service was launched too. The list of SDKs and REST APIs for these services kept growing for developers who needed to access content. Each endpoint also required access tokens and returned status codes that were unique to each individual service. Microsoft Graph brought a consistent, simplified way to interact with these services.

This article covers the best practices for using Microsoft Teams activity feed notifications in Microsoft Graph which apply to:

- Creating call-to-action notifications

- Requesting responses to notifications

- Creating notifications about external events

Microsoft Teams displays notifications in both activity feed and toast formats. Users can receive notifications from multiple sources across chats, channels, meetings, or other applications. It is recommended that the content of a notification feed item or toast be localized, and the application must also be localized for this purpose. Appropriate titles and descriptions must be provided for the notified activity types. Short titles such as @mention or Announcements are preferable. Notifications should be filtered to show only what is relevant to the user. Promotional notifications must be avoided. Notifications from messages and those coming from activity feed notifications can be redundant; those duplicates must be removed. The text preview section in notifications can be used so that the user can take the necessary action. A period at the end of the notification title is not required, and omitting it is consistent with the titles that Teams generates. The relationship between the notification and the content must be clear to the user. The feed experience should be self-contained. The application should not send more than ten notifications per minute, per user. The load time of the application should not negatively affect the experience for the users. The user must be informed about the notification’s storage period.

Either activity feed notifications or bot framework messages can be used, but they should not be used together. Activity feed notifications must appear in the Teams activity feed so that the user can conveniently take action. A notification can include links to other locations, but the user must be able to understand the notification and follow the link to the source. The corresponding API lets the application send notifications for each notification type. Delegated notifications create a better notification experience. These can be delegated or application-only calls: the sender of the notification appears as the user who initiated it in delegated calls, but appears as the application in application-only calls.

Bot framework messages are delivered as chat or channel messages and are triggered by @mentioning the user's name. This inlining of an alert as a chat or channel message is required for the purpose of broadcasting to all channel members. These are some of the best practices to use with such notifications.
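Several of the best practices above are mechanical enough to enforce in code before a notification is sent: no more than ten notifications per minute per user, no trailing period on the title, and no duplicate notifications about the same activity. The following is an added example, not from the article or from Microsoft, of a small policy wrapper that applies those rules and builds the request body for the Graph `sendActivityNotification` call (the body shape with `topic`, `activityType`, `previewText` and `templateParameters` is the documented one). The class name `ActivityFeedPolicy`, the injectable clock, the five-minute de-duplication window, the `taskAssigned` activity type and the placeholder topic URLs are assumptions made for the demo; sending the request and acquiring a token are outside the example.

```python
"""Added example: client-side policy for Teams activity feed notifications.
ActivityFeedPolicy is a hypothetical helper; the demo clock, user id and
topic URLs are constructed placeholders."""
import time
from collections import defaultdict, deque

MAX_PER_MINUTE = 10          # the per-user rate guideline from the post
DEDUPE_WINDOW_SECONDS = 300  # assumed window for suppressing repeats of one activity


class ActivityFeedPolicy:
    def __init__(self, clock=time.time):
        self.clock = clock
        self.sent = defaultdict(deque)   # user id -> timestamps of sends in the last minute
        self.recent = {}                 # (user, activityType, topic) -> time last sent

    @staticmethod
    def normalize_title(title):
        """Collapse whitespace and drop a trailing period, matching Teams' own titles."""
        title = " ".join(title.split())
        return title[:-1] if title.endswith(".") else title

    def _within_rate(self, user_id, now):
        window = self.sent[user_id]
        while window and now - window[0] >= 60:
            window.popleft()             # slide the one-minute window
        return len(window) < MAX_PER_MINUTE

    def build(self, user_id, activity_type, topic_url, preview, title):
        """Return (decision, payload). decision is 'send', 'rate_limited' or
        'duplicate'; payload is the sendActivityNotification body or None."""
        now = self.clock()
        key = (user_id, activity_type, topic_url)
        if key in self.recent and now - self.recent[key] < DEDUPE_WINDOW_SECONDS:
            return "duplicate", None
        if not self._within_rate(user_id, now):
            return "rate_limited", None
        self.sent[user_id].append(now)
        self.recent[key] = now
        payload = {
            "topic": {"source": "entityUrl", "value": topic_url},
            "activityType": activity_type,
            "previewText": {"content": preview},
            "templateParameters": [{"name": "title", "value": self.normalize_title(title)}],
        }
        return "send", payload


def demo():
    """Constructed run with a fake clock: ten sends succeed, the eleventh within
    the minute is rate-limited, a repeat of the first topic is a duplicate, and
    a fresh topic two minutes later goes through with its title normalized."""
    clock = [0.0]
    policy = ActivityFeedPolicy(clock=lambda: clock[0])
    topic = "https://graph.microsoft.com/v1.0/PLACEHOLDER-ENTITY/{}"   # placeholder URLs
    decisions = []
    for i in range(11):
        decision, _ = policy.build("USER-ID-PLACEHOLDER", "taskAssigned", topic.format(i),
                                   "A task was assigned to you", "New task.")
        decisions.append(decision)
        clock[0] += 1
    duplicate, _ = policy.build("USER-ID-PLACEHOLDER", "taskAssigned", topic.format(0),
                                "A task was assigned to you", "New task.")
    clock[0] += 120
    later, payload = policy.build("USER-ID-PLACEHOLDER", "taskAssigned", topic.format(99),
                                  "A task was assigned to you", "Review  the plan.")
    return decisions, duplicate, later, payload


if __name__ == "__main__":
    print(demo())
```

The payload is what would be POSTed to `/users/{id}/teamwork/sendActivityNotification`; keeping the rate and de-duplication state on the sending side means a misbehaving upstream event source cannot flood a user's feed even if Graph accepts every call.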

 

Wednesday, February 16, 2022

Microsoft Graph

This is a continuation of a series of articles on Azure services from an operational engineering perspective, with the most recent introduction of this topic with the link here. The previous article discussed the Microsoft Graph Data Connect used with Microsoft Graph. This article discusses known limitations and workarounds. Microsoft Graph enables integration with the best of Microsoft 365, Windows 10, and the Enterprise Mobility and Security services in Microsoft 365, using REST APIs and client libraries.

Microsoft Graph provides a unified programmability model by consolidating multiple APIs into one. As Microsoft’s cloud services have evolved, the APIs to reference them have also changed. Originally, as cloud services like Exchange Online, SharePoint, OneDrive, and others evolved, an API to access each service was launched too. The list of SDKs and REST APIs for these services kept growing for developers who needed to access content. Each endpoint also required access tokens and returned status codes that were unique to each individual service. Microsoft Graph brought a consistent, simplified way to interact with these services.

Some limitations apply to the application and servicePrincipal resources. Some application properties will not be available. Only multi-tenant applications can be registered. Azure Active Directory users can register applications and add additional owners. Support for the OpenID Connect and OAuth protocols has limitations. Policy assignments to an application fail. Operations on ownedObjects that require appId fail. The best resolution for these limitations is to wait for the changes being made to the application and servicePrincipal roles.

Cloud solution providers must acquire tokens from Azure AD v1 endpoints because Azure AD v2 is not supported for their applications. These include usages of those applications for their partner managed customers.

The pre-consent for CSP applications does not work in some customer tenants. This manifests as errors issuing tokens when an application uses delegated permissions, or as an access-denied error when using Microsoft Graph after an application acquires a token with application permissions. The suggested workaround involves opening an Azure AD PowerShell session, connecting to the customer tenant, downloading and installing Azure AD PowerShell v2, and then creating the Microsoft Graph service principal.

Other forms of identity-related limitations include conditional access policies requiring consent to permissions. The ClaimsMappingPolicy API might require consent to both Policy.Read.All and Policy.ReadWrite.ConditionalAccess for the List operation on the /policies/claimsMappingPolicies and /policies/claimsMappingPolicies/{id} objects. If there are no such objects available to retrieve in a List operation, either permission is sufficient to call the methods. If there are claimsMappingPolicy objects, the app must consent to both permissions.