I'm co-presenting at Whitehall Media’s Identity Management Europe event

Speaking

On October 2nd, 2024, Whitehall Media organizes its Identity Management Europe event (idmeuropeoct2024, #wmidm) at Van der Valk Hotel in Utrecht.

Raymond and I are excited to be invited, as the IT Bros, to present at this event as identity architects and share our unique view on passwordless authentication.

About Whitehall Media

Whitehall Media is a leading provider of strategic enterprise-level technology events.

Founded in 2006 and based in Manchester, in the United Kingdom, Whitehall Media Ltd. delivers high-quality, content-focused conferences. Its 2024 event line-up features events on cyber security, identity management and risk management.

 

About IDM Europe

Identity Management Europe is a recurring event on Identity and Access Management. Whitehall Media hosts this year’s annual IDM Europe event at Van der Valk hotel Utrecht in Utrecht, the Netherlands on October 2nd, 2024.

The focus of this year’s all-day event is on providing frictionless digital experiences, increasing the value of IAM-centric initiatives, managing different levels of privilege, the role of context-based identity in security, bridging the CIAM-SSID gap, and using blockchain to secure third-party relationships.

The program features speakers from vendors, systems integrators, practitioners at large organizations and independent experts, and offers a keynote by Robert Garskamp, 15-minute sessions, 45-minute seminars, panel discussions and plenty of opportunities to network.

Other Whitehall Media events on identity management are IDM UK, IDM Nordics and IDM DACH for their respective geographical regions.

About our session

Raymond and I will be presenting a 15-minute session:

A Life without Passwords: Dream or Reality?

15:35-15:50 CEST

“Users should never have to deal with passwords in their day-to-day lives.”

– Sander Berkouwer

The early days of multi-user IT brought us passwords. However, we can safely conclude password-based authentication doesn’t cut it anymore. Recent research showed 81% of hacking-related breaches leveraged either stolen or weak passwords and 20% of support costs for enterprise IT departments are about forgotten passwords… Nobody loves multi-factor authentication either, because it’s complicated to implement and difficult to use.

 

Join us!

If you have a registration code, you can register for IDM Europe and join the incredible line-up!

Note:
Registration is subject to Whitehall Media’s Privacy Notice and Terms & Conditions.

 


Join Raymond and me as we discuss “UnOauthorized” with Eric Woodruff

UnOauthorized

Birds of a feather flock together. So, when fellow Security MVP and Identity nerd Eric Woodruff visited our home country, Raymond Comvalius and I didn’t hesitate to offer him a pancake ‘breakfast’ to chat about all things Entra. Lunch and a laid-back conversation on Raymond’s couch unearthed some valuable discussion for us Identity & Security nerds.

One thing to note is that, mere days before our couch chat, Eric on Identity presented on the secret sauce in some first-party Entra ID applications that allowed users to perform privileged actions in the Microsoft 365 back-end, without any indication of these privileges in these applications’ OAuth scopes.

 

About “UnOauthorized”

Eric poked around and discovered that:

  • Microsoft’s own Device Registration Service could modify privileged role memberships, thus could add and remove Global Administrators.
  • Microsoft’s Viva Engage (or Yammer as it was previously called) could delete and permanently delete privileged users, including – you guessed it – Global Administrators.
  • Microsoft Rights Management Services could create users.

Eric discovered these vulnerabilities while working in his role as a Senior Security Researcher at Semperis. As Semperis is a known ‘force for good’ in the Identity space, Eric responsibly disclosed these vulnerabilities, and Microsoft addressed them to make sure they would not cause organizations’ access control models to collapse like a house of cards. We sat down and discussed these topics close to our hearts.

Here are a few discussion topics from the interview:

Microsoft didn’t issue a CVE to the vulnerabilities Eric discovered

Interestingly, Eric disclosed his findings to Microsoft in the first half of 2024. At that time, Microsoft hadn’t decided to issue CVEs for vulnerabilities in their cloud services. We talked about the impact of that. While it made it slightly harder for Eric to discuss his findings with other security researchers, as he didn’t get clear CVE-2024-xxxx numbers for his findings, he did buy a new washer and dryer from Microsoft’s bounty reward. 😊

Typical misconfigurations of applications in Entra

As a leading Community Contributor for ENow Software’s free AppGov Score and Application Governance Accelerator solution, Enterprise Applications and Application Registrations in Entra are close to my heart. Eric received a lot of questions on whether the “UnOauthorized” attack vector would work with third-party applications. While this specific vulnerability does not, third-party apps are affected by other vulnerabilities, and we discussed how immature the general knowledge of Entra applications still is, including:

  • API permissions and roles that allow elevation to Global Administrator permissions
  • Using out-of-date authentication libraries
  • Still using the deprecated Windows Azure Active Directory API

These can really ruin an Entra admin’s day when exploited.

From a community point of view, we shared a lot of actionable insights. For first-party Entra applications, Microsoft is the only organization able to address vulnerabilities, but for third-party applications we all agreed that an ecosystem push is required.

Ownership of Entra app management in organizations

We also discussed who in organizations might ‘own the problem’ of Entra application security. In most organizations, it’s unclear. Eric agreed that many attendees of his Black Hat session might struggle with that question when they get home and try to prioritize Entra application security over other security issues.

The role of backup and restore in Entra app management

As Semperis provides an Entra backup and restore solution, we discussed the scarcity of Entra application restore options and how that possibly inhibits admins from actioning and addressing misconfigurations in their Entra applications. Without a way to ‘undo’ changes to applications, would you feel comfortable changing apps to conform to the ideal standard? Maybe. Maybe, not. It likely depends on the size of your team, your risk tolerance and other factors.

 

Watch the ‘UnOauthorized’ interview now

UnOauthorized on Youtube

The video of our conversation is now available for free – grab your drink of choice and have a watch. It provides an insightful snapshot of Entra application security today, ways forward and the typical roadblocks we might encounter when trying to change the world – or at least Entra applications – for the better.


I’m speaking at NT Konferenca 2024

NT Konferenca 2024

I’m proud to announce that for the sixth year in a row, I’m invited to speak at NT Konferenca in Slovenia. I’ll be presenting two break-out sessions.

 

About NT Konferenca

NT Konferenca is the biggest Slovenian technological conference. NT Konferenca is not just about IT trends and solutions. It is also about the ways to include them in everyday business processes and how to effectively use them in business challenges to reach objectives in a more rapid, time-efficient and affordable way.

The 29th NT Konferenca event takes place from September 23rd to September 25th, 2024, in Grand Hotel Bernardin in Portorož, along Slovenia’s coastline. With fantastic speakers, many I call friends, like Ljubo Brodaric, Slavko Kukrika, Tomislav Lulic, Paula Januszkiewicz, Barbara Forbes and Aleksandar Nikolic, the 2024 edition of NTK shapes up to be another fantastic event.

 

About my sessions

I’ll present two 45-minute sessions:

You can't do Zero Trust with AD FS. Here's how to leave it behind

Tech, level 300

Active Directory Federation Services (AD FS) has long been considered the best way to authenticate to the Microsoft Cloud in Hybrid Identity scenarios.

However, AD FS does not adhere to Zero Trust principles, and it's a pain to maintain and secure. If you don't need the functionality that AD FS offers, you can go all-in on Zero Trust by leaving AD FS behind.

I show you what to look for, how to make the right decisions and how to tell your boss. I also show you how to migrate off AD FS and how to properly decommission your AD FS deployment to make sure nothing is left behind that reminds you of your organization's AD FS past.

 

Five Do's and Don'ts for your Entra ID!

Tech, level 300

With Microsoft's focus on Defender for * and Entra Premium P2 features, you might start to believe that you can't be successful in your identity and zero trust journeys when you don't have these products and licenses. The opposite is true: without doing the basics in your Azure AD tenant, all these advanced products don't perform as well as you'd think…

After numerous Entra ID security assessments, I have identified the basics that most organizations seem to have forgotten. Without these basic measures, their Azure and Microsoft 365 services are at risk in terms of security, privacy, and productivity. For most organizations applying these basics is trivial and relatively easy to start with.

Come to this session to learn at least five Do's and five Don'ts for your Entra ID tenant!

 

Join us!

Tickets are limited, but still available for NT Konferenca.
Register here and join me for these sessions.

Further reading

I'm speaking at NT Konferenca 2023
I’m presenting at NT Konferenca 2022
I'm speaking at NT Konferenca 2021
I’m speaking at the 2020 NT Konferenca
I’m speaking at NT Konferenca 2019


What's New in Entra ID for August 2024

Entra ID

Entra ID, previously known as Azure AD, is Microsoft's Identity Management-as-a-Service solution, offering seamless access, easy collaboration, efficiency in IT processes and improved security and compliance. In its Release Notes for Entra ID and in the Message Center, Microsoft communicated the following planned, new and changed functionality for Entra ID for August 2024:

 

What's Planned

Upcoming MFA Enforcement on Microsoft Entra admin center

Service category: MFA
Product capability: Identity Security & Protection

As part of Microsoft’s commitment to providing organizations with the highest level of security, Microsoft previously announced that Microsoft will require multi-factor authentication (MFA) for users signing into the Azure portal, the Entra admin center and Intune admin center.

This change will be rolled out in phases, allowing organizations time to plan their implementation. Starting October 15, 2024, MFA will be required to sign in, but won’t be required yet for the Azure Command Line Interface, Azure PowerShell, Azure mobile app, and Infrastructure as Code (IaC) tools.

 

Add sign-in method picker user experience update on the My Security Info page

Service category: MFA
Product capability: End User Experiences

Starting late August 2024, the Add sign-in method dialog on the My Security Info page of the My Sign-ins portal will be updated with improved sign-in method descriptions, and a modern look and feel. With this change, when people select Add sign-in method, they'll initially be recommended to register the strongest method available to them which is allowed by organizational authentication method policy. People can select Show more options and choose from all available sign-in methods allowed by their organization’s policy.

 

Migrate to the Authentication methods policy

Service category: MFA
Product capability: User Authentication

On September 30th, 2025, Microsoft is retiring the ability to manage authentication methods in the legacy Multifactor Authentication (MFA) and Self-Service Password Reset (SSPR) policies in Entra ID.

Organizations should migrate their methods to the converged authentication methods policy where methods can be managed centrally for all authentication scenarios including passwordless, multi-factor authentication and self-service password reset.

 

User admin and license admin roles are enabled to manage self-service license requests in the Microsoft 365 admin center

Service category: License assignment
Product capability: User administration

User admin and License admin roles in the Microsoft 365 admin center will be enabled to manage self-service license requests, with rollout starting early September 2024 and expected completion by mid-September 2024. Admins should familiarize themselves with the licensing process.

 

Enforce policy approval settings for admins

Service category: Entitlement Management
Product capability: Entitlement Management

Starting August 26, 2024, changes to Entitlement Management enforce approval settings for Global Administrators and Identity Governance Administrators, preventing them from bypassing access package policy approvals.

No action is needed from your organization as this is an automatic update.

 

Provisioning UX Updates

Service category: Provisioning
Product capability: Outbound to SaaS Applications

Microsoft starts releasing user experience updates for application provisioning, HR provisioning, and cross-tenant synchronization in October 2024. This includes:

  • A new overview page
  • User experience to configure connectivity to your application
  • A new create provisioning experience.

The new experiences include all functionality available to admins today, and no action is required.

 

What’s Deferred

Changes to My Groups Admin Controls

Service category: Group Management
Product capability: AuthZ/Access Delegation

In October 2023, Microsoft shared that, starting June 2024, the existing Self Service Group Management (SSGM) and Restrict user ability to access groups features in the My Groups setting in the Microsoft Entra Admin Center would be retired. These changes are under review and will not take place as originally planned. A new deprecation date will be announced in the future.

 

What's New

Face Check with Entra Verified ID Generally Available

Service category: Identity verification
Product capability: Verified ID

Face Check is a privacy-respecting facial matching feature for high-assurance identity verifications and the first premium capability of Microsoft Entra Verified ID.

Powered by Azure AI services, Face Check adds a critical layer of trust by matching a person’s real-time selfie and the photo on their passport or driver’s license. By sharing only match results and not any sensitive identity data, Face Check strengthens an organization’s identity verification while protecting privacy.

 

Device based conditional access to M365/Azure resources on Red Hat Enterprise Linux Generally Available

Service category: Conditional Access
Product capability: SSO

Since October 2022, people using Ubuntu Desktop 20.04 LTS & Ubuntu 22.04 LTS with Microsoft Edge browsers could register their devices with Entra ID, enroll into Intune management, and securely access corporate resources using device-based Conditional Access policies.

Now, Entra ID extends support to Red Hat Enterprise Linux 8.x and 9.x (LTS) which makes these capabilities possible:

  • Entra ID registration and Entra ID enrollment of devices with Red Hat Enterprise Linux
  • Conditional Access policies protecting web applications via Microsoft Edge
  • Standard Intune compliance policies
  • Support for Bash scripts with custom compliance policies
  • Package Manager now supports RHEL RPM packages in addition to Debian DEB packages

 

Enable, Disable, and Delete synchronized users accounts with Lifecycle Workflows Generally Available

Service category: Lifecycle Workflows
Product capability: Identity Lifecycle Management

Lifecycle Workflows is now able to enable, disable, and delete user accounts which are synchronized from Active Directory to Microsoft Entra. This allows organizations to complete the employee offboarding process by deleting the user account after a retention period.

 

Configure Lifecycle Workflow Scope Using Custom Security Attributes Generally Available

Service category: Lifecycle Workflows
Product capability: Identity Lifecycle Management

Organizations can now leverage their confidential HR data stored in custom security attributes, in addition to other attributes to define the scope of their workflows in Lifecycle Workflows for automating joiner, mover, and leaver (JML) scenarios.

 

Workflow History Insights in Lifecycle Workflows Generally Available

Service category: Lifecycle Workflows
Product capability: Identity Lifecycle Management

With this feature, organizations can now monitor workflow health, and get insights across all their workflows in Lifecycle Workflows including viewing workflow processing data across workflows, tasks, and workflow categories.

 

Configure custom workflows to run mover tasks when a user's job profile changes Generally Available

Service category: Lifecycle Workflows
Product capability: Identity Lifecycle Management

Lifecycle Workflows now supports triggering workflows based on job change events, like changes to an employee's department, job role, or location, and executing them on the workflow schedule. With this feature, organizations can leverage new workflow triggers to create custom workflows that execute tasks associated with people moving within the organization, including:

  • Trigger workflows when a specified attribute changes
  • Trigger workflows when a user account is added or removed from a group's membership
  • Tasks to notify a person’s manager about a move
  • Task to assign licenses or remove selected licenses from a user account

 

Microsoft Entra ID FIDO2 provisioning APIs Public Preview

Service category: MFA
Product capability: Identity Security & Protection

Microsoft Entra ID now supports FIDO2 provisioning via Graph API, allowing organizations to pre-provision security keys (passkeys) for people in the organization. These new APIs can simplify user onboarding and provide seamless phishing-resistant authentication on day one.

 

What's Changed

Restricted permissions on Directory Synchronization Accounts (DSA) role in Microsoft Entra Connect Sync and Microsoft Entra Cloud Sync

Service category: Provisioning
Product capability: Entra Connect

As part of ongoing security hardening, Microsoft has removed unused permissions from the privileged Directory Synchronization Accounts role. This role is exclusively used by Microsoft Entra Connect Sync and Microsoft Entra Cloud Sync to synchronize Active Directory objects with Microsoft Entra ID. There's no action required by organizations to benefit from this hardening.


On-premises Identity-related updates and fixes for August 2024

Windows Server

Even though Microsoft’s Identity focus moves towards the cloud, Windows Server 2016, Windows Server 2019 and Windows Server 2022 still receive updates to improve the experiences and security of Microsoft’s on-premises powerhouses.

This is the list of Identity-related updates and fixes we saw for August 2024:

 

Windows Server 2016

We observed the following update for Windows Server 2016:

KB5041773 August 13, 2024

The August 13, 2024, update for Windows Server 2016 (KB5041773), updating the OS build number to 14393.7259, is a monthly cumulative update. It includes the following Identity-related improvements:

  • This update removes the NetJoinLegacyAccountReuse registry key in the context of the Domain join hardening changes as described in KB5020276. The hardening behavior will persist regardless of the key setting.
  • This update hardens Windows DNS server security to address the Windows DNS Spoofing Vulnerability detailed in CVE-2024-37968. If the configurations of domains are not up to date, admins might get the SERVFAIL error or time out.

 

Windows Server 2019

We observed the following update for Windows Server 2019:

KB5041578 August 13, 2024

The August 13, 2024, update for Windows Server 2019 (KB5041578), updating the OS build number to 17763.6189, is a monthly cumulative update. It includes the following Identity-related improvements:

  • This update addresses a security feature bypass vulnerability in Protected Process Light (PPL). After installing this update, LSA Protection (RunAsPPL) can no longer be bypassed.
  • This update removes the NetJoinLegacyAccountReuse registry key in the context of the Domain join hardening changes as described in KB5020276. The hardening behavior will persist regardless of the key setting.
  • This update hardens Windows DNS server security to address the Windows DNS Spoofing Vulnerability detailed in CVE-2024-37968. If the configurations of domains are not up to date, admins might get the SERVFAIL error or time out.

 

Windows Server 2022

We observed the following update for Windows Server 2022:

KB5041160 August 13, 2024

The August 13, 2024, update for Windows Server 2022 (KB5041160), updating the OS build number to 20348.2655, is a monthly cumulative update. It includes the following Identity-related improvements:

  • This update addresses a security feature bypass vulnerability in Protected Process Light (PPL). After installing this update, LSA Protection (RunAsPPL) can no longer be bypassed.
  • This update removes the NetJoinLegacyAccountReuse registry key in the context of the Domain join hardening changes as described in KB5020276. The hardening behavior will persist regardless of the key setting.
  • This update hardens Windows DNS server security to address the Windows DNS Spoofing Vulnerability detailed in CVE-2024-37968. If the configurations of domains are not up to date, admins might get the SERVFAIL error or time out.

What's New in Veeam Backup and Replication v12.2 for Identity Admins

Veeam Backup & Replication

Today, Veeam released v12.2.0.334 of its Backup and Replication (VBR) core product and v12.2.0.4093 of Veeam ONE. Veeam also introduced v6.2 of the Veeam Agent for Windows and the Veeam Agent for Linux. Additionally, the latest version of Veeam Backup for Nutanix AHV is v6 as of today.

The focus of these releases is on new workload support, both in the datacenter and in the cloud, but these releases also offer various other features and enhancements. Not every feature is as interesting as the others, so I decided to provide you with the five features that sparked my interest as an Identity admin:

New built-in role: Security Administrator

The Security Administrator role is new for Veeam Backup and Replication v12.2. This new role is tailored towards security teams, enabling organizations to delegate certain sensitive tasks, such as managing saved credentials, backup encryption passwords and four-eyes authorization requests, without providing the ability to manage other backup server settings, backups and restores.

By empowering designated personnel to perform these functions, organizations can ensure internal compliance with security best practices such as zero trust.

 

New built-in role: Incident API Operator

The Incident API Operator role is new for Veeam Backup and Replication v12.2. This user role is designed exclusively for interaction with the Veeam Incident API REST endpoint.

It’s ideal for automated systems or users who only need to create or manage incidents without having broader access to the backup server, which enhances the overall security posture by adhering to the principle of least privilege.

 

Additional LSASS and NetBIOS checks in the Security & Compliance Analyzer

In Veeam’s ongoing effort to bolster security, they have expanded the analyzer’s checks to include the LSASS and NetBIOS configuration on the network interfaces of the backup server.

These enhancements ensure your system adheres to best practices for protecting credentials in memory, securing against unauthorized access, and managing legacy network protocols.

 

Gmail and Microsoft 365 support email notifications for Veeam Backup for Nutanix v6

V12.1 brought these notification options for Veeam Explorers, in addition to basic SMTP servers. This change did not find its way to the then-current version of Veeam Backup for Nutanix, but it has now!

In addition to basic SMTP servers, v6 now supports Google Gmail and Microsoft 365 with their OAuth 2.0 protocol-based secure authorization and access-token-based authentication.

 

Database authentication for Oracle

The Veeam Plug-in for Oracle RMAN integrates Oracle Recovery Manager (RMAN) with Veeam Backup & Replication. It enables application consistent backup and recovery operations for Oracle databases, ensuring flexible recovery options to minimize downtime and maximize data integrity.

This plug-in now supports database authentication in both standalone and managed modes. This capability is particularly beneficial for Oracle environments where OS authentication is disabled.

In addition to enhanced authentication capabilities, it also improves Oracle Real Application Clusters (RAC) processing because the previous requirement of adding the grid user to the oradba group is no longer necessary.


Entra ID Application Security – A Complex Problem with a Community Solution

Microsoft Entra ID

Application governance in Entra is a hot topic these days, especially in the context of zero trust, where we aim for least-privilege access in terms of Graph API permissions, explicitly verify the identities of publishers and people in our organizations and assume breach. Many organizations are decommissioning Active Directory Federation Services (AD FS) and switching to Entra ID to authenticate and authorize their Software as a Service (SaaS) and homegrown web applications. Their business cases are clear:

  • Reduce costs, complexity and (in most cases) systems running legacy versions of Windows Server.
  • Gain the automatic scale and flexibility to meet the organizational needs towards Software as a Service (SaaS) apps.
  • Gain identity detection and threat response features that are an integral part of Entra licenses.
  • Improve the user experience for people who work in other geographies than the one(s) where AD FS is hosted.
  • Provide self-service password reset and password-less authentication options.

Managing Entra ID is not for the faint of heart. Microsoft services change far more regularly than the Windows Server operating systems did. Documentation lags. Certifications need yearly upkeeping. Settings need to be managed in several portals and can be ridiculously complex to manage at scale.

One particularly complex area of Entra ID is application management. The new model, based on service principals, API permissions and settings for modern authentication protocols, is nothing like providing access to an application in the world of Active Directory. This is for a good reason, as today’s Internet-connected world requires more secure settings and protocols.

Applications in Entra are mostly misunderstood and they tend to be a blind spot that many organizations have not yet illuminated. Heck, even Microsoft doesn’t get their applications or administrative roles right, resulting in the mailboxes of their top brass getting compromised and thousands of Entra tenants getting compromised monthly.

 

It's an ecosystem

I’ve worked with many organizations to address their Entra application governance issues. These organizations were able to limit the permissions on their enterprise applications and application registrations, but for some applications, we must move up the supply chain. Examining our results led to three distinct discoveries:

Assigning least administrative permissions for 3rd party applications sometimes fails

Certain API permission combinations and privileged roles allow Entra ID applications to be abused to ultimately gain Global Administrator privileges. Removing high-risk permissions from such an app obviously limits the functionality that uses these permissions, but may also break the application outright when it checks for the permissions during startup or at run time…

Veeam’s Backup for Microsoft 365 v7 solution is a prime example. It shows up in several reports for several of its traits. The immediate issue is that the combination of the Cloud Application Administrator role (assigned to its enterprise application) and the EWS.AccessAsUser.All and EWS.full_access_as_app permissions (assigned to the app registration) allows it to be abused to gain Global Administrator privileges in a supply chain attack.

I brought it to the attention of the people at Veeam. Mike Resseler, Director of Product Management at Veeam, has indicated that they are working on applying the principle of least administrative privilege further in their software. It takes time.

Some applications still use the Windows Azure Active Directory API

Another issue that we see with 3rd party solutions is their insistence on using the User.Read.All permission of the now deprecated Windows Azure Active Directory API, instead of the Microsoft Graph API permissions, to read Entra objects.

While existing Entra apps can continue to address the Windows Azure Active Directory API without problems, applications that are newly onboarded since June 30th, 2024, receive HTTP 403 errors, unless specifically configured.

Access through the Windows Azure Active Directory API is primarily used to support people picker functionality in apps. Breaking this access can have a severe impact on the applications that rely on it. Yet, roughly one in eight applications typically still uses User.Read.All permissions on the Windows Azure Active Directory API. We typically encounter these situations because:

  • Microsoft’s communications may not have reached these vendors.
  • Vendors may not know how to address this issue.
  • Customers may be stuck with older versions of the apps or earlier iterations of permission sets.

All these situations require interaction with the vendor to resolve. This takes time.

Some vendors don’t follow the principle of least privilege access

While User.Read.All feels like the least privilege to support people picker functionality, it might not be. In January 2024, Microsoft made the User.ReadBasic.All permission available for both delegated and app-only access. This specific API permission provides the userPrincipalName, displayName, first and last name, email address, and photo for the people in your organization. In most cases, this limited access to people’s information should suffice.

The least-privilege User.ReadBasic.All permission has been available for over half a year. Yet, I have only seen a handful of ISVs use it… You guessed it: it takes time.
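To turn the three discoveries above into something an admin can run against an export of their own tenant, here is an added example in Python. It is my own illustration, not code from this post, from ENow or from Veeam. It audits application objects for references to the deprecated Windows Azure Active Directory API, for User.Read.All where User.ReadBasic.All may suffice, and for privileged directory roles held by an app's service principal. It assumes the export is shaped like Microsoft Graph application objects (appId, displayName, requiredResourceAccess) plus a pre-resolved map of directory roles per appId; the two resource appIds are the real, well-known ids of Azure AD Graph and Microsoft Graph, and every other GUID, app name and role assignment is a constructed placeholder.

```python
"""Audit an Entra ID app export for three supply-chain findings.

Added example; not code from the original post, ENow or Veeam. The export is
assumed to mirror Microsoft Graph `application` objects and a pre-resolved
role map keyed by appId. Only the two resource appIds below are real; all
other GUIDs, names and role assignments are constructed placeholders.
"""
from dataclasses import dataclass

AAD_GRAPH_APP_ID = "00000002-0000-0000-c000-000000000000"  # Windows Azure Active Directory API (deprecated)
MS_GRAPH_APP_ID = "00000003-0000-0000-c000-000000000000"   # Microsoft Graph

# (resourceAppId, type, permission id) -> permission name. In a real tenant this
# map comes from the resource service principal's oauth2PermissionScopes ("Scope",
# delegated) and appRoles ("Role", app-only); the permission ids here are constructed.
PERMISSION_NAMES = {
    (MS_GRAPH_APP_ID, "Scope", "11111111-0000-0000-0000-000000000001"): "User.Read.All",
    (MS_GRAPH_APP_ID, "Scope", "11111111-0000-0000-0000-000000000002"): "User.ReadBasic.All",
    (MS_GRAPH_APP_ID, "Role", "11111111-0000-0000-0000-000000000003"): "User.Read.All",
    (AAD_GRAPH_APP_ID, "Scope", "22222222-0000-0000-0000-000000000001"): "User.Read.All",
}

# Directory roles the post names as enabling escalation when held by an app's
# service principal (assumption: any of these on a service principal is a finding).
PRIVILEGED_ROLES = {"Cloud Application Administrator", "Global Administrator"}

# Permissions for which the post names a narrower alternative.
NARROWER_ALTERNATIVE = {"User.Read.All": "User.ReadBasic.All"}


@dataclass(frozen=True)
class Finding:
    app: str
    kind: str     # "legacy-api", "over-privileged" or "privileged-role"
    detail: str


def permission_name(resource_app_id: str, ptype: str, pid: str) -> str:
    """Resolve a resourceAccess entry to a readable name, or mark it unknown."""
    return PERMISSION_NAMES.get((resource_app_id, ptype, pid), f"<unknown {pid}>")


def audit_application(app: dict, roles_by_app_id: dict) -> list:
    """Return the findings for one application object."""
    name = app["displayName"]
    findings = []
    for rra in app.get("requiredResourceAccess", []):
        rid = rra["resourceAppId"]
        for access in rra.get("resourceAccess", []):
            pname = permission_name(rid, access["type"], access["id"])
            if rid == AAD_GRAPH_APP_ID:
                # Any permission on the legacy API is a finding, whatever its name.
                findings.append(Finding(name, "legacy-api",
                    f"{access['type']} {pname} on the deprecated Windows Azure Active Directory API"))
            elif rid == MS_GRAPH_APP_ID and pname in NARROWER_ALTERNATIVE:
                findings.append(Finding(name, "over-privileged",
                    f"{access['type']} {pname}; {NARROWER_ALTERNATIVE[pname]} may suffice"))
    # Privileged role on the app's service principal (roles pre-resolved to appId).
    risky = roles_by_app_id.get(app["appId"], set()) & PRIVILEGED_ROLES
    if risky:
        findings.append(Finding(name, "privileged-role",
            f"service principal holds {', '.join(sorted(risky))}"))
    return findings


def audit_tenant(apps: list, roles_by_app_id: dict) -> list:
    """Run the audit over every application and return all findings."""
    return [f for app in apps for f in audit_application(app, roles_by_app_id)]


# Constructed sample export: three apps, one illustrating each case.
SAMPLE_APPLICATIONS = [
    {"displayName": "Backup suite (constructed)", "appId": "aaaaaaaa-0000-0000-0000-000000000001",
     "requiredResourceAccess": [{"resourceAppId": MS_GRAPH_APP_ID,
         "resourceAccess": [{"id": "11111111-0000-0000-0000-000000000003", "type": "Role"}]}]},
    {"displayName": "Legacy people picker (constructed)", "appId": "aaaaaaaa-0000-0000-0000-000000000002",
     "requiredResourceAccess": [{"resourceAppId": AAD_GRAPH_APP_ID,
         "resourceAccess": [{"id": "22222222-0000-0000-0000-000000000001", "type": "Scope"}]}]},
    {"displayName": "Tidy directory reader (constructed)", "appId": "aaaaaaaa-0000-0000-0000-000000000003",
     "requiredResourceAccess": [{"resourceAppId": MS_GRAPH_APP_ID,
         "resourceAccess": [{"id": "11111111-0000-0000-0000-000000000002", "type": "Scope"}]}]},
]
# Constructed: directory roles held by each app's service principal, keyed by appId.
SAMPLE_ROLES = {"aaaaaaaa-0000-0000-0000-000000000001": {"Cloud Application Administrator"}}

if __name__ == "__main__":
    for f in audit_tenant(SAMPLE_APPLICATIONS, SAMPLE_ROLES):
        print(f"[{f.kind}] {f.app}: {f.detail}")
```

In a real tenant the permission-name map is built from the Microsoft Graph and Azure AD Graph service principals, and the role map from directory role memberships resolved to each service principal's appId. Treat the output as advisory: as noted above, removing a permission can break an app that checks for it at startup, so the findings are a to-do list for the vendor conversation rather than a remediation script.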

 

Imagine…

To paraphrase John Lennon’s inspiring song…

Imagine there's no app misconfigs. It isn't hard to do.
Nothing to kill or die for. And no breaches too.
Imagine all the vendors sharing all that’s good…

I am imagining this. I believe in working with application vendors and getting them to embrace recommended practices. It takes time and requires endurance and a community commitment to improving security at each step.

 

Community-based resources

I have been working with ENow Software to create, maintain, and expand their Application Governance solutions for the past few years. One of my guiding principles was that our insights into Entra application management should be included in free resources for everyone. We’ve delivered on that promise with several Community resources for organizations to start moving towards a more secure future:

  1. Community Forum for Application Security

Application governance and security are newer initiatives for many organizations. Many organizations do not have an internal expert in this area. In fact, many organizations are still figuring out who should even own this responsibility. The AppGov Community Forum is a free site moderated by Microsoft Identity & Security MVPs, like me, who will answer your Entra ID application questions and curiosities. Identity admins, developers, and other professionals can share their experiences, hear how others are solving the problem, and escalate application issues to vendors using our community networks.

  2. AppGov Score – the free Application Governance Scorecard

Not sure where to start? This scorecard and assessment can be a logical first step. To improve anything, you must first know your current state. AppGov Score scans your Entra ID applications and grades the security of your Enterprise Applications, Application Registrations and Tenant Settings. The Hunting Analysis shows whether your apps are at risk of exploitation by known attackers and where permission gaps exist.

  3. Rich Entra ID Application Security Blog Site

In addition to the Community Site and AppGov Score, ENow works with several Microsoft MVPs to publish quality blog content each week. Their blogs include practical how-to tips that explain what the risks are and how to solve them. Here are a few recent titles for reference:

Note:
ENow’s Application Governance solution is completely separate from the Microsoft Application Governance feature and does not require expensive Microsoft licenses. In the same way, ENow’s AppGov Score is completely different from Microsoft’s Identity Secure Score.

With the information from the scorecard, admins can fiddle around with their favorite scripting or development tools to pinpoint and remediate the surfaced misconfigurations. Alternatively, they can upgrade to the paid App Governance Accelerator to get this information at their fingertips and continuously track progress, set alerts, and address recurring situations through automated workflows.

Join us!

If you have any questions on Entra applications, ask them on ENow’s Application Governance Community. With several other Microsoft Most Valuable Professionals (MVPs), we’re monitoring the forum to get you the best Entra ID app security guidance going forward.

You may say I'm a dreamer, but I'm not the only one.
I hope someday you'll join us, and the ecosystem will be as one…


VMware addresses ‘ESX Admins’ authentication bypass vulnerability (CVE-2024-37085) in ESXi 8.0 Update 3

Today, Broadcom issued a second update to VMSA-2024-0013 for VMware ESXi, specifically to address the vulnerability CVE-2024-37085. This vulnerability, with a CVSSv3 base score of 6.8 out of 10 (Moderate), allowed an adversary with sufficient Active Directory permissions to gain full access to ESXi hosts.

About the vulnerability

For an adversary to abuse this vulnerability:

  • The ESXi host(s) need to be configured with default settings;
  • The ESXi host(s) need to be configured to use Active Directory for user management, and;
  • The adversary needs sufficient permissions in Active Directory Domain Services to either:
    • recreate the ‘ESX Admins’ group after it was deleted or renamed, or
    • add one or more accounts to the ‘ESX Admins’ group.

If the above three conditions are met, and the Active Directory permissions pertain to the same Active Directory domain the ESXi host(s) are configured to use, the adversary gains full access to the ESXi host(s).

Edan Zwick, Danielle Kuznets Nohi, and Meitar Pinto from Microsoft reported this issue to Broadcom.

About the fix

Broadcom VMware addressed the vulnerability in ESXi version 8.0 Update 3, ISO Build 24022510, released on June 25th, 2024.

Broadcom VMware did not address the vulnerability in ESXi version 7.0 and has no patch planned for this version, even though Broadcom extended support for it to October 2025 (was: April 2025). For version 7.0 of ESXi, Broadcom offers a workaround for ESXi hosts already configured for Active Directory user management.

This workaround entails removing the default access for the ‘ESX Admins’ group to ESXi hosts, using the following esxcli command:

esxcli system permission unset -i 'DOMAIN\esx^admins' --group

Replace DOMAIN with the sAMAccountName of the Active Directory domain the ESXi host is configured to for user management.

This setting takes effect within a minute. A reboot is not required.
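
As an added example, not code from the original post or from Broadcom/VMware, the following VMware PowerCLI script reports, for every ESXi host in a vCenter inventory, whether the host is joined to Active Directory, whether the ‘ESX Admins’ group still holds the default Admin permission, and whether the host already runs the fixed 8.0 Update 3 build named above. The vCenter name is a placeholder; the advanced setting Config.HostAgent.plugins.hostsvc.esxAdminsGroup is the standard ESXi setting that holds the group name and is only read here, and the build comparison assumes the ISO build number given in this post.

```powershell
# Added example, not code from the original post or from Broadcom/VMware: report,
# for every ESXi host in a vCenter inventory, whether the Active Directory
# 'ESX Admins' group still holds the default Admin permission, i.e. whether a
# host still needs the fixed build or the esxcli workaround. Requires PowerCLI.
# Assumptions: $vcenter is a placeholder name, and the fixed build number is
# the ESXi 8.0 Update 3 ISO build named in the post (24022510).
$vcenter    = 'vcenter.example.internal'   # placeholder, replace with your vCenter Server
$fixedBuild = 24022510                     # ESXi 8.0 Update 3 ISO build
Connect-VIServer -Server $vcenter | Out-Null

$report = foreach ($vmhost in Get-VMHost) {
    # Active Directory membership of the host; hosts that are not joined cannot be affected.
    $auth = Get-VMHostAuthentication -VMHost $vmhost

    # Advanced setting that names the AD group granted default Admin access (read only).
    $groupSetting = Get-AdvancedSetting -Entity $vmhost -Name 'Config.HostAgent.plugins.hostsvc.esxAdminsGroup'

    # Effective host permissions, as 'esxcli system permission list' shows them.
    $esxcli     = Get-EsxCli -VMHost $vmhost -V2
    $adminGrant = $esxcli.system.permission.list.Invoke() |
        Where-Object { $_.IsGroup -eq 'true' -and $_.Principal -like '*\esx admins' -and $_.Role -eq 'Admin' }

    $patched = ($vmhost.Version -like '8.0*') -and ([int]$vmhost.Build -ge $fixedBuild)
    $status  = if (-not $auth.Domain)     { 'not joined to Active Directory' }
               elseif (-not $adminGrant)  { 'ESX Admins has no Admin permission' }
               elseif ($patched)          { 'ESX Admins has Admin; fixed build installed' }
               else                       { 'ESX Admins has Admin on unfixed build: apply workaround' }

    [pscustomobject]@{
        Host           = $vmhost.Name
        Version        = $vmhost.Version
        Build          = $vmhost.Build
        ADDomain       = $auth.Domain
        EsxAdminsGroup = $groupSetting.Value
        Status         = $status
    }
}
$report | Sort-Object Status, Host | Format-Table -AutoSize

# For a host reported as 'apply workaround', the command from the advisory is run
# on that host:
#   esxcli system permission unset -i 'DOMAIN\esx^admins' --group
# with DOMAIN replaced by the Active Directory domain the host is joined to.
```

Running the report again a minute after applying the workaround should move the affected 7.0 hosts to ‘ESX Admins has no Admin permission’, which matches the post's note that the change takes effect without a reboot.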

Concluding

Please install the updates for the version(s) of ESXi in use within your organization, as mentioned above and in the advisory for VMSA-2024-0013.

If this is not feasible, apply the workaround.


VMware vSphere 8.0 Update 3 adds federation support for four Identity Providers

On June 25th, 2024, Broadcom made vSphere 8.0 Update 3 generally available.

In the details of the Release Notes for vSphere 8.0 Update 3 and ESXi 8.0 Update 3, Broadcom announces PingFederate support in vSphere Identity Federation. This is a huge update for Identity and Access admins using VMware's virtualization platform, as it broadens their options to provide single sign-on (SSO) and multi-factor authentication (MFA) for accessing vCenter Server.

About vSphere Identity Federation

vSphere Identity Federation provides support for federated authentication to sign in to vCenter Server. With vSphere Identity Federation configured, sign-ins are redirected to an identity provider (IdP), based on the OpenID Connect protocol. From a vSphere perspective, this identity provider is designated as an external provider.

In the world of federation and modern authentication, access is granted based on claims exchanged between the Identity Provider (IdP) and the relying party. The claims token, containing claim types and their values, as well as the claim issuance rules, are defined by the admin of the IdP. vCenter Server acts as a relying party and accepts these claims because of the certificate-based trust set up between vSphere and the IdP.

With subsequent releases of vSphere 7 and 8, VMware has been adding more ways to introduce modern authentication to vSphere.

Why use vSphere Identity Federation?

vSphere Identity Federation provides:

  • Single sign-on (SSO) with existing federated infrastructure and applications.
  • Multi-factor authentication (MFA) and other authentication assurance mechanisms.
  • Strict separation of datacenter security from identity, because vCenter Server never handles the user’s credentials.

However, there are a couple of caveats that you should be aware of.

Supported Federation providers

The following federation providers are now supported with vSphere Identity Federation:

  • Microsoft Active Directory Federation Services (AD FS), since vSphere 7.0
  • Okta, since vSphere 8.0 Update 1
  • Microsoft Entra ID, since vSphere 8.0 Update 2
  • PingFederate, since vSphere 8.0 Update 3

Concluding

Building a straightforward and secure vSphere delegation model has been on the mind of many vSphere admins throughout the years. vSphere Identity Federation is a logical building block towards this lofty goal.

Further reading

vSphere 7’s vCenter Server Identity Provider Federation feature allows for MFA
Ten Things You should know about vCenter Identity Provider Federation
Building a straight-forward vSphere delegation model for running virtual Domain Controllers safely


What's New in Entra ID for July 2024

Microsoft Entra ID

Entra ID, previously known as Azure AD, is Microsoft's Identity Management-as-a-Service solution, offering seamless access, easy collaboration, efficiency in IT processes, and improved security and compliance. In its Release Notes for Entra ID, Microsoft communicated the following planned, new and changed functionality for Entra ID for July 2024:

What's Planned

New SAML applications can't receive tokens through OAuth2/OIDC protocols Generally Available

Service category: Enterprise Apps
Product capability: Developer Experience

Starting late September 2024, applications indicated as 'SAML' applications (via the 'preferredSingleSignOnMode' property of the service principal) can't be issued JWT tokens. This means they can't be the resource application in OIDC, OAuth2.0, or other protocols using JWTs. This change will only affect SAML applications attempting to take a new dependency on JWT-based protocols; existing SAML applications already using these flows won't be affected. This will improve the security of apps.

What's New

Active Directory Federation Services (AD FS) Application Migration Wizard Generally Available

Service category: AD FS Application Migration
Product capability: Platform

The Active Directory Federation Services (AD FS) application migration wizard allows admins to quickly identify which AD FS relying party applications are compatible with being migrated to Microsoft Entra ID. The tool shows the migration readiness of each application, highlights issues and the suggested actions to remediate, guides the admin through preparing an individual application for migration, and configuring their new Microsoft Entra application.

Insider Risk condition in Conditional Access Generally Available

Service category: Conditional Access
Product capability: Identity Security & Protection

The Insider Risk condition in Conditional Access is a new feature that leverages signals from Microsoft Purview's Adaptive Protection capability to enhance the detection and automatic mitigation of insider threats. This integration allows organizations to more effectively manage and respond to potential insider risks by using advanced analytics and real-time data.

This is a premium feature and requires an Entra P2 license.

Adversary in the Middle detection alert Generally Available

Service category: Identity Protection
Product capability: Identity Security & Protection

The Adversary in the Middle (AitM) detection in Identity Protection will be triggered on a user account that has been compromised by an adversary that has intercepted the user's credentials, including tokens that were issued to the user. The risk is identified through Microsoft 365 Defender and will flag the user with High risk to trigger the configured Conditional Access policy.

New Federated Apps available in Microsoft Entra Application gallery Generally Available

Service category: Enterprise Apps
Product capability: 3rd Party Integration

In July 2024, Microsoft added the following new applications in the Entra Application Gallery with Federation support:

  1. Fullstory SAML
  2. LSEG Workspace

What's Changed

Easy authentication with Azure App Service and Microsoft Entra External ID Generally Available

Service category: B2C – Consumer Identity Management
Product capability: B2B/B2C

This feature offers an improved experience when using Microsoft Entra External ID as an identity provider for Azure App Service’s built-in authentication, simplifying the process of configuring authentication and authorization for external-facing apps. Admins can complete initial configuration directly from the App Service authentication setup without switching into the external tenant.
