Microsoft

At the February Microsoft 365 Security & Compliance user group, Eric Woodruff (@msft_hiker), author of Eric On Identity, gave an excellent presentation on the topic of passwordless authentication. This struck a chord with my recent experience in the field, particularly in terms of the new Authentication Strengths feature in Azure AD. This post is based on my Q&A with Eric and feedback I submitted to the Azure AD team (thanks to the brilliant @merill for that) and sets it in a wider picture, namely that we’re making better technology than we’re using; there seems to be a gap in terms of getting the security we know we need into widespread practice....

I’ve put this post together as an update for a number of schools who have asked me how we’re going on our Private Preview of MCC and will try to keep it generally updated on our progress. I’ll start with a bit of background though, for anyone new to this. You had me at DOINC The best product acronym Microsoft ever devised was DOINC, for the Delivery Optimisation In-Network Cache. This was a service that would store local copies of Windows and Office apps and updates so that client devices could access a fast, consistently-connected local copy rather than downloading from peers or over the Internet....

Microsoft made a decision to force what they consider to be insecure certificate bindings out of use, placing my great little workaround for modernising NPS onto life support. When their planned changes kick in, my own fleet of Azure AD-joined devices will be kicked out. Third-party products exist which solve this problem by operating independently of AD, however in a cash-strapped education context they aren’t financially viable against the negligible cost of running NPS....

I’ve been tacking in the direction of cybersecurity in recent years and specifically within the Microsoft 365 suite. I took the Security Administrator track on my Enterprise Admin certification and didn’t find that too difficult as it was grounded in my day-to-day. This one was pushing the boat out as it’s more Azure-based and honestly I wasn’t expecting to pass first time, but it fairly soaked up these dull days between Christmas and New Year!...

Schools can hardly be the only organisations with legacy applications in regular use for vital ’line-of-business’ functions. Hopefully for the most part these are visible to IT, securely contained and have an end-of-life date with a succession plan rather than being adopted through choice into a modern desktop environment. A while ago I encountered a nasty and unavoidable case of the latter and had to figure out a solution. The application I was tasked to deploy was for processing sensitive financial data on our most heavily-secured devices and relied on Internet Explorer and Java....

In a masterful stroke of irony, within days of me sharing my solution for NPS RADIUS with AADJ devices, itself made necessary because Microsoft doesn’t consider the needs of their cloud-first customers, they made a major change to how certificates work in Active Directory in KB5014754 without considering the needs of their cloud-first customers. This change breaks the mechanism my solution relies on to operate and while there is a workaround, it is only viable until the change kicks in....

Delighted that the Microsoft education team gave me the opportunity to present some of my recent work to their top schools around the country and thankful for the great encouragement from those that attended. Honestly, the education community is just brilliant – and I’m proud to be a part of it!

Microsoft’s Network Policy Server (NPS) has been running network authentication in the enterprise for decades but is now out of the loop when it comes to a modern cloud-first infrastructure. Using an inventive approach, I show that it is possible to overcome its recalcitrance and get it authenticating Azure AD-joined (AADJ) as well as on-prem AD clients. This is the long-form writeup of the project I presented at Microsoft’s Australia-wide Surface Gold & Lighthouse Virtual Event in May 2022....