Entra ID Application Security – A Complex Problem with a Community Solution

Reading Time: 5 minutes

Microsoft Entra ID

Application governance in Entra is a hot topic these days, especially in the context of zero trust, where we aim for least-privilege access in terms of Graph API permissions, explicitly verify the identities of publishers and people in our organizations and assume breach. Many organizations are decommissioning Active Directory Federation Services (AD FS) and switching to Entra ID to authenticate and authorize their Software as a Service (SaaS) and homegrown web applications. Their business cases are clear:

  • Reduce costs, complexity and (in most cases) systems running legacy versions of Windows Server.
  • Gain the automatic scale and flexibility to meet the organizational needs towards Software as a Service (SaaS) apps.
  • Gain identity detection and threat response features that are an integral part of Entra licenses.
  • Improve the user experience for people who work in other geographies than the one(s) where AD FS is hosted.
  • Provide self-service password reset and password-less authentication options.

Managing Entra ID is not for the faint of heart. Microsoft services change far more regularly than the Windows Server operating systems did. Documentation lags. Certifications need yearly upkeep. Settings need to be managed in several portals and can be ridiculously complex to manage at scale.

One particularly complex area of Entra ID is application management. The new model, based on service principals, API permissions and settings for modern authentication protocols, is nothing like providing access to an application in the world of Active Directory. This is for a good reason, as today’s Internet-connected world requires more secure settings and protocols.

Applications in Entra are mostly misunderstood and they tend to be a blind spot that many organizations have not yet illuminated. Heck, even Microsoft doesn’t get their applications or administrative roles right, resulting in the mailboxes of their top brass getting compromised and thousands of Entra tenants getting compromised monthly.

 

It's an ecosystem

I’ve worked with many organizations to address their Entra application governance issues. These organizations were able to limit the permissions on their enterprise applications and application registrations, but for some applications, we must move up the supply chain. Examining our results led to three distinct discoveries:

Assigning least administrative permissions for 3rd party applications sometimes fails

Certain API permission combinations and privileged roles allow Entra ID applications to be abused to ultimately gain global administrator privileges. Removing high-risk permissions from such an application obviously limits the functionality that relies on these permissions, but may also break the application outright when it checks for the permissions during startup or at run time.

Veeam’s Backup for Microsoft 365 v7 solution is a prime example. It shows up in several reports for several of its traits. The immediate issue is that the combination of the Cloud Application Administrator role (assigned to its enterprise application) with the EWS.AccessAsUser.All and EWS.full_access_as_app permissions (assigned to the app registration) allows it to be abused to gain global administrator privileges in a supply chain attack.

I brought it to the attention of the people at Veeam. Mike Resseler, Director of Product Management at Veeam, has indicated that they are working on applying the principle of least administrative privilege further in their software. It takes time.

Some applications still use the Windows Azure Active Directory API

Another issue that we see with 3rd party solutions is the continued use of the now deprecated Windows Azure Active Directory API User.Read.All permission, instead of the Microsoft Graph API permissions, to read Entra objects.

While existing Entra apps can continue to address the Windows Azure Active Directory API without problems, applications that are newly onboarded since June 30th, 2024, receive HTTP 403 errors, unless specifically configured.

The access through the Windows Azure Active Directory API is primarily used to support people picker functionality in apps. Breaking this access can have a severe impact on applications that rely on it. Yet, roughly one in eight applications typically still uses User.Read.All permissions on the Windows Azure Active Directory API. We typically encounter these situations for the following reasons:

  • Microsoft’s communications may not have reached these vendors.
  • Vendors may not know how to address this issue.
  • Customers may be stuck with older versions of the apps or earlier iterations of permission sets.

All these situations require interaction with the vendor to resolve. This takes time.

Some vendors don’t follow the principle of least privilege access

While User.Read.All feels like the least privilege to support people picker functionality, it might not be. In January 2024, Microsoft made the User.BasicRead.All permission available for both delegated and app-only access. This specific API permission provides information on the userPrincipalName, displayName, first and last name, email address, and photo for the people in your organization. In most cases, this limited access to people’s information should suffice.

The least-privilege User.BasicRead.All permission has been available for over half a year. Yet, I have only seen a handful of ISVs use it… You guessed it: it takes time.
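The three discoveries above can be turned into an automated check. The following is an added example, not ENow's, Veeam's or Microsoft's code: it audits a constructed, simplified application inventory (permissions by name rather than by GUID as the Graph schema has them) for the role-plus-EWS combination, lingering Windows Azure Active Directory API permissions, and User.Read.All where User.BasicRead.All may suffice. The resource app IDs are the well-known first-party values and are assumed, not taken from the post.

```python
"""Audit a constructed Entra ID application inventory for the three findings
discussed in the post. Added example; it does not call the Graph API."""
from __future__ import annotations
from dataclasses import dataclass, field

# Well-known first-party resource app IDs (assumed; not taken from the post).
AAD_GRAPH_APP_ID = "00000002-0000-0000-c000-000000000000"   # legacy Azure AD Graph
MS_GRAPH_APP_ID = "00000003-0000-0000-c000-000000000000"    # Microsoft Graph
EXCHANGE_APP_ID = "00000002-0000-0ff1-ce00-000000000000"    # Office 365 Exchange Online

# The combination the post calls out: a directory role on the service principal
# plus broad EWS permissions on the app registration.
HIGH_RISK_ROLES = {"Cloud Application Administrator"}
HIGH_RISK_EWS = {"EWS.AccessAsUser.All", "EWS.full_access_as_app"}


@dataclass
class Permission:
    resource_app_id: str   # which API the permission is granted on
    name: str              # permission value, e.g. "User.Read.All"
    kind: str              # "Application" (app-only) or "Delegated"


@dataclass
class EntraApp:
    display_name: str
    # Directory roles assigned to the enterprise application (service principal).
    directory_roles: set[str] = field(default_factory=set)
    # API permissions granted to the application registration.
    permissions: list[Permission] = field(default_factory=list)


def audit_app(app: EntraApp) -> list[tuple[str, str]]:
    """Return (severity, message) findings for one application."""
    findings: list[tuple[str, str]] = []
    names = {p.name for p in app.permissions}
    roles = app.directory_roles & HIGH_RISK_ROLES
    ews = names & HIGH_RISK_EWS
    if roles and ews:   # role alone or EWS alone is not the escalation combination
        findings.append(("high", f"privilege-escalation path: role(s) {sorted(roles)} "
                                 f"combined with {sorted(ews)}"))
    for p in app.permissions:
        if p.resource_app_id == AAD_GRAPH_APP_ID:
            findings.append(("medium", f"legacy Azure AD Graph permission {p.name} "
                                       f"({p.kind}); move to the Microsoft Graph equivalent"))
        elif p.resource_app_id == MS_GRAPH_APP_ID and p.name == "User.Read.All":
            findings.append(("low", f"User.Read.All ({p.kind}) on Microsoft Graph; "
                                    "check whether User.BasicRead.All suffices"))
    return findings


def audit_inventory(apps: list[EntraApp]) -> dict[str, list[tuple[str, str]]]:
    """Map each app that has findings to its findings; clean apps are omitted."""
    return {a.display_name: f for a in apps if (f := audit_app(a))}


def sample_inventory() -> list[EntraApp]:
    """Constructed inventory modelled on the situations described in the post."""
    return [
        EntraApp("Backup app (constructed)",
                 directory_roles={"Cloud Application Administrator"},
                 permissions=[Permission(EXCHANGE_APP_ID, "EWS.AccessAsUser.All", "Delegated"),
                              Permission(EXCHANGE_APP_ID, "EWS.full_access_as_app", "Application")]),
        EntraApp("People picker app (constructed)",
                 permissions=[Permission(AAD_GRAPH_APP_ID, "User.Read.All", "Delegated")]),
        EntraApp("Directory viewer (constructed)",
                 permissions=[Permission(MS_GRAPH_APP_ID, "User.Read.All", "Application")]),
        EntraApp("Least-privilege app (constructed)",
                 permissions=[Permission(MS_GRAPH_APP_ID, "User.BasicRead.All", "Application")]),
    ]


if __name__ == "__main__":
    for name, findings in audit_inventory(sample_inventory()).items():
        for severity, message in findings:
            print(f"[{severity:6}] {name}: {message}")
```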

 

Imagine…

To paraphrase John Lennon’s inspiring song…

Imagine there's no app misconfigs. It isn't hard to do.
Nothing to kill or die for. And no breaches too.
Imagine all the vendors sharing all that’s good…

I am imagining this. I believe in working with application vendors and getting them to embrace recommended practices. It takes time and requires endurance and a community commitment to improving security at each step.

 

Community-based resources

I have been working with ENow Software to create, maintain, and expand their Application Governance solutions for the past few years. One of my guiding principles was that our insights into Entra application management should be included in free resources for everyone. We’ve delivered on that promise with several Community resources for organizations to start moving towards a more secure future:

  1. Community Forum for Application Security

Application governance and security are newer initiatives for many organizations. Many organizations do not have an internal expert in this area. In fact, many organizations are still figuring out who should even own this responsibility. The AppGov Community Forum is a free site moderated by Microsoft Identity & Security MVPs, like me, who will answer your Entra ID application questions and curiosities. Identity admins, developers, and other professionals can share their experiences, hear how others are solving the problem, and escalate application issues to vendors using our community networks.

  2. AppGov Score – the free Application Governance Scorecard

Not sure where to start? This scorecard and assessment can be a logical first step. To improve anything, you must first know your current state. AppGov Score will scan your Entra ID applications and grade the security of your Enterprise Applications, Application Registrations and Tenant Settings. The Hunting Analysis will show whether your apps are at risk from known attacker techniques and permission gaps.

  3. Rich Entra ID Application Security Blog Site

In addition to the Community Site and AppGov Score, ENow works with several Microsoft MVPs to publish quality blog content each week. Their blogs include practical how-to tips that explain what the risks are and how to solve them. Here are a few recent titles for reference:

Note:
ENow’s Application Governance solution is completely separate from the Microsoft Application Governance feature and does not require expensive Microsoft licenses. In the same way, ENow’s AppGov Score is completely different from Microsoft’s Identity Secure Score.

With the information from the scorecard, admins can fiddle around with their favorite scripting or development tools to pinpoint and remediate the surfaced misconfigurations. Alternatively, they can upgrade to the paid App Governance Accelerator to get this information at their fingertips and continuously track progress, set alerts, and address recurring situations through automated workflows.

 

Join us!

If you have any questions on Entra applications, ask them on ENow’s Application Governance Community. With several other Microsoft Most Valuable Professionals (MVPs), we’re monitoring the forum to get you the best Entra ID app security guidance going forward.

You may say I'm a dreamer, but I'm not the only one.
I hope someday you'll join us, and the ecosystem will be as one…


VMware addresses ‘ESX Admins’ authentication bypass vulnerability (CVE-2024-37085) in ESXi 8.0 Update 3

Reading Time: 2 minutes

Today, Broadcom issued a second update to VMSA-2024-0013 for VMware ESXi, specifically to address the vulnerability CVE-2024-37085. This vulnerability, with a CVSSv3 base score of 6.8 out of 10 (Moderate), allowed an adversary with sufficient Active Directory permissions to gain full access to ESXi hosts.

 

About the vulnerability

For an adversary to abuse this vulnerability:

  • The ESXi host(s) need to be configured with default settings;
  • The ESXi host(s) need to be configured to use Active Directory for user management; and
  • The adversary needs to have sufficient permissions in Active Directory Domain Services to either:
    • recreate the ‘ESX Admins’ group when it was previously deleted or renamed, or
    • add one or more accounts to the ‘ESX Admins’ group.

If the above three conditions are met, and the Active Directory permissions are in the same Active Directory domain that the ESXi host(s) are configured to use, the adversary gains full access to the ESXi host(s).
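Every precondition above leaves a trace in the Security log of the domain controllers of the domain the ESXi hosts use: the group being (re)created, an account being renamed to that name, or a member being added. The following added detection example (not Broadcom's or Microsoft's code) flags those events over a constructed list of dicts carrying a few Security-log fields; the event IDs are the standard group-lifecycle IDs, the `TargetDomainName` match against the ESXi hosts' domain is the "same Active Directory" check from the paragraph above, and the case-insensitive name match is a choice of this example.

```python
"""Flag Active Directory changes that would satisfy the 'ESX Admins' precondition.
Added example; events are constructed dicts, not a real EVTX parse."""
from __future__ import annotations

# Security event IDs for group lifecycle changes (global / local / universal variants).
GROUP_CREATED = {4727, 4731, 4754}
MEMBER_ADDED = {4728, 4732, 4756}
ACCOUNT_RENAMED = {4781}             # "The name of an account was changed"
WATCHED_GROUP = "esx admins"         # compared case-insensitively (a choice of this example)


def _norm(value: str | None) -> str:
    return (value or "").strip().lower()


def classify(event: dict, esxi_domain: str) -> str | None:
    """Return the kind of alert this event raises, or None if it is irrelevant."""
    if _norm(event.get("TargetDomainName")) != _norm(esxi_domain):
        return None   # a same-named group in another domain is not the one ESXi trusts
    eid = int(event["EventID"])
    if eid in GROUP_CREATED and _norm(event.get("TargetUserName")) == WATCHED_GROUP:
        return "group-created"
    if eid in MEMBER_ADDED and _norm(event.get("TargetUserName")) == WATCHED_GROUP:
        return "member-added"
    if eid in ACCOUNT_RENAMED and _norm(event.get("NewTargetUserName")) == WATCHED_GROUP:
        return "renamed-to-group"
    return None


def find_alerts(events: list[dict], esxi_domain: str) -> list[dict]:
    """Collect alerts with who did what, ready for a SIEM rule or a ticket."""
    alerts = []
    for e in events:
        kind = classify(e, esxi_domain)
        if kind:
            alerts.append({"time": e["TimeCreated"], "kind": kind,
                           "actor": e.get("SubjectUserName"),
                           "member": e.get("MemberName")})
    return alerts


def sample_events() -> list[dict]:
    """Constructed events; field names follow the Security log, values are made up."""
    return [
        {"TimeCreated": "2024-07-30T08:00:01Z", "EventID": 4727, "SubjectUserName": "jdoe",
         "TargetUserName": "ESX Admins", "TargetDomainName": "CORP"},
        {"TimeCreated": "2024-07-30T08:00:07Z", "EventID": 4728, "SubjectUserName": "jdoe",
         "TargetUserName": "ESX Admins", "TargetDomainName": "CORP",
         "MemberName": "CN=jdoe,CN=Users,DC=corp,DC=example"},
        {"TimeCreated": "2024-07-30T08:01:00Z", "EventID": 4781, "SubjectUserName": "jdoe",
         "OldTargetUserName": "Temp Group", "NewTargetUserName": "esx admins",
         "TargetDomainName": "CORP"},
        {"TimeCreated": "2024-07-30T08:02:00Z", "EventID": 4728, "SubjectUserName": "svc-hr",
         "TargetUserName": "HR Staff", "TargetDomainName": "CORP",
         "MemberName": "CN=asmith,CN=Users,DC=corp,DC=example"},
        {"TimeCreated": "2024-07-30T08:03:00Z", "EventID": 4727, "SubjectUserName": "lab-admin",
         "TargetUserName": "ESX Admins", "TargetDomainName": "LAB"},
    ]


if __name__ == "__main__":
    for alert in find_alerts(sample_events(), "CORP"):
        print(alert)
```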

Edan Zwick, Danielle Kuznets Nohi, and Meitar Pinto from Microsoft reported this issue to Broadcom.

 

About the fix

Broadcom VMware addressed the vulnerability in ESXi version 8.0 Update 3 ISO Build 24022510, released on June 25th, 2024.

Broadcom VMware did not address the vulnerability in ESXi version 7.0 and has no patch planned for these versions, even though Broadcom extended support on these versions to October 2025 (was: April 2025). For version 7.0 of ESXi, Broadcom offers a workaround for ESXi hosts already configured for Active Directory user management.

This workaround entails removing the default access for the ‘ESX Admins’ group to ESXi hosts, using the following esxcli command:

esxcli system permission unset -i 'DOMAIN\esx^admins' --group

Replace DOMAIN with the sAMAccountName of the Active Directory domain the ESXi host is configured to for user management.

These settings take effect within a minute. A reboot is not required.

 

Concluding

Please install the updates for the version(s) of ESXi in use within your organization, as mentioned above and in the advisory for VMSA-2024-0013.

If this is not feasible, apply the workaround.


VMware vSphere 8.0 Update 3 adds federation support for four Identity Providers

Reading Time: 2 minutes

On June 25th, 2024, Broadcom made vSphere 8.0 Update 3 generally available.

In the details of the Release Notes for vSphere 8.0 Update 3 and ESXi 8.0 Update 3, Broadcom announces PingFederate Support in vSphere Identity Federation. This is a huge update for Identity and Access admins using VMware's virtualization platform as it broadens their options to provide single sign-on (SSO) and multi-factor authentication (MFA) for accessing vCenter Server.

 

About vSphere Identity Federation

vSphere Identity Federation provides support for federated authentication to sign in to vCenter Server. With vSphere Identity Federation configured, sign-ins are redirected to an identity provider (IdP), based on the OpenID Connect protocol. From a vSphere perspective, this identity provider is designated as an external provider.

In the world of federation and modern authentication, access is granted based on claims that are exchanged between the Identity Provider (IdP) and the relying party. The claims token, containing claim types and values for these claim types, as well as the claims issuance rules, is defined by the admin of the IdP. vCenter Server acts as a relying party and accepts the claims because of the certificate-based trust set up between vSphere and the IdP.

With subsequent releases of vSphere 7 and 8, VMware has been adding more ways to introduce modern authentication to vSphere.

 

Why use vSphere Identity Federation?

vSphere Identity Federation provides:

  • Single Sign-On (SSO) access with existing federated infrastructure and applications.
  • Multi-factor authentication (MFA) and other authentication assurance mechanisms.
  • Strict separation of datacenter security from identity, because vCenter Server never handles the user’s credentials.

However, there are a couple of caveats that you should be aware of.

 

Supported Federation providers

The following federation providers are now supported with vSphere Identity Federation:

  • Microsoft Active Directory Federation Services (AD FS)
    (since vSphere 7.0)
  • Okta
    (since vSphere 8.0 Update 1)
  • Microsoft Entra ID
    (since vSphere 8.0 Update 2)
  • PingFederate
    (since vSphere 8.0 Update 3)

 

Concluding

Building a straightforward and secure vSphere delegation model has been on the mind of many vSphere admins throughout the years. vSphere Identity Federation is a logical building block towards this lofty goal.

Further reading

vSphere 7’s vCenter Server Identity Provider Federation feature allows for MFA
Ten Things You should know about vCenter Identity Provider Federation
Building a straight-forward vSphere delegation model for running virtual Domain Controllers safely


What's New in Entra ID for July 2024

Reading Time: 2 minutes

Microsoft Entra ID

Entra ID, previously known as Azure AD, is Microsoft's Identity Management-as-a-Service solution, offering seamless access, easy collaboration, efficiency in IT processes and improved security and compliance. In its Release Notes for Entra ID, Microsoft communicated the following planned, new and changed functionality for Entra ID for July 2024:

 

What's Planned

New SAML applications can't receive tokens through OAuth2/OIDC protocols Generally Available

Service category: Enterprise Apps
Product capability: Developer Experience

Starting late September 2024, applications indicated as 'SAML' applications (via the 'preferredSingleSignOnMode' property of the service principal) can't be issued JWT tokens. This means they can't be the resource application in OIDC, OAuth2.0, or other protocols using JWTs. This change will only affect SAML applications attempting to take a new dependency on JWT-based protocols; existing SAML applications already using these flows won't be affected. This will improve the security of apps.

 

What's New

Active Directory Federation Services (AD FS) Application Migration Wizard Generally Available

Service category: AD FS Application Migration
Product capability: Platform

The Active Directory Federation Services (AD FS) application migration wizard allows admins to quickly identify which AD FS relying party applications are compatible with being migrated to Microsoft Entra ID. The tool shows the migration readiness of each application, highlights issues and the suggested actions to remediate, guides the admin through preparing an individual application for migration, and configuring their new Microsoft Entra application.

 

Insider Risk condition in Conditional Access Generally Available

Service category: Conditional Access
Product capability: Identity Security & Protection

The Insider Risk condition in Conditional Access is a new feature that leverages signals from Microsoft Purview's Adaptive Protection capability to enhance the detection and automatic mitigation of insider threats. This integration allows organizations to more effectively manage and respond to potential insider risks by using advanced analytics and real-time data.

This is a premium feature and requires an Entra P2 license.

 

Adversary in the Middle detection alert Generally Available

Service category: Identity Protection
Product capability: Identity Security & Protection

The Adversary in the Middle (AitM) detection in Identity Protection will be triggered on a user account that has been compromised by an adversary that has intercepted the user's credentials, including tokens that were issued to the user. The risk is identified through Microsoft 365 Defender and will flag the user with High risk to trigger the configured Conditional Access policy.

 

New Federated Apps available in Microsoft Entra Application gallery Generally Available

Service category: Enterprise Apps
Product capability: 3rd Party Integration

In July 2024, Microsoft added the following new applications in the Entra Application Gallery with Federation support:

  1. Fullstory SAML
  2. LSEG Workspace

 

What's Changed

Easy authentication with Azure App Service and Microsoft Entra External ID Generally Available

Service category: B2C – Consumer Identity Management
Product capability: B2B/B2C

This feature offers an improved experience when using Microsoft Entra External ID as an identity provider for Azure App Service’s built-in authentication, simplifying the process of configuring authentication and authorization for external-facing apps. Admins can complete initial configuration directly from the App Service authentication setup without switching into the external tenant.


On-premises Identity-related updates and fixes for July 2024

Reading Time: 2 minutes

Windows Server

Even though Microsoft’s Identity focus moves towards the cloud, Windows Server 2016, Windows Server 2019 and Windows Server 2022 still receive updates to improve the experiences and security of Microsoft’s on-premises powerhouses.

This is the list of Identity-related updates and fixes we saw for July 2024:

 

Windows Server 2016

We observed the following update for Windows Server 2016:

The July 9, 2024, update for Windows Server 2016 (KB5040434), updating the OS build number to 14393.7159, is a monthly cumulative update. It includes one Identity-related improvement.

This update addresses a security vulnerability in the Remote Authentication Dial-In User Service (RADIUS) protocol. Because of weak integrity checks in MD5, an attacker might tamper with packets to gain unauthorized access. This vulnerability makes User Datagram Protocol (UDP)-based RADIUS traffic over the Internet nonsecure against packet forgery or modification during transit. For more information about this vulnerability, see CVE-2024-3596.

 

Windows Server 2019

We observed the following update for Windows Server 2019:

KB5040430 July 9, 2024

The July 9, 2024, update for Windows Server 2019 (KB5040430), updating the OS build number to 17763.6054, is a monthly cumulative update. It includes the following Identity-related improvements:

  • This update addresses an issue with Windows Local Administrator Password Solution (LAPS). Its Post Authentication Actions (PAA) do not occur at the end of the grace period. Instead, they occur at restart.
  • This update addresses a security vulnerability in the Remote Authentication Dial-In User Service (RADIUS) protocol. Because of weak integrity checks in MD5, an attacker might tamper with packets to gain unauthorized access. This vulnerability makes User Datagram Protocol (UDP)-based RADIUS traffic over the Internet nonsecure against packet forgery or modification during transit. For more information about this vulnerability, see CVE-2024-3596.

 

Windows Server 2022

We observed the following update for Windows Server 2022:

KB5040437 July 9, 2024

The July 9, 2024, update for Windows Server 2022 (KB5040437), updating the OS build number to 20348.2582, is a monthly cumulative update. It includes the following Identity-related improvements:

  • This update addresses an issue with Windows Local Administrator Password Solution (LAPS). Its Post Authentication Actions (PAA) do not occur at the end of the grace period. Instead, they occur at restart.
  • This update addresses a security vulnerability in the Remote Authentication Dial-In User Service (RADIUS) protocol. Because of weak integrity checks in MD5, an attacker might tamper with packets to gain unauthorized access. This vulnerability makes User Datagram Protocol (UDP)-based RADIUS traffic over the Internet nonsecure against packet forgery or modification during transit. For more information about this vulnerability, see CVE-2024-3596.

Sympathy for the devil, empathy for the Identity professional

Reading Time: 5 minutes

Sympathy for the Devil (Nicolas Cage)

Working with Microsoft-focused identity admins, I noticed a couple of common themes among these fellow identity people that make them feel they can't make any right decisions anymore, that they've somehow got stuck, and that they're miserable all the time… In their minds, a perfect storm is raging.

Identity professionals in this state are experienced as non-productive, perhaps even as 'the devil'. However, the strongest feeling I have for their situation is empathy.

I can also see some clear paths forward… even ones that don't require copious amounts of caffeine, alcohol or other (non-) stimulants.

 

Accelerating change is overwhelming?

Especially in the Identity space, change is ever accelerating. For some people, the speed of change is becoming unbearable. When you spend over 50% of your working time keeping up with product releases, product changes and product renames, it can overwhelm. Especially when, in the first years of your career, Microsoft's identity changes only meant a new version of Active Directory roughly every three years…

Because Identity touches everything, identity admins also feel they need to remain generalists of some sort, keeping up to date with not just Microsoft Entra ID-related news, but also Azure- , Microsoft 365- and Dynamics 365-related news, along with all the possibilities of cloud and hybrid management opportunities for devices and Windows Server installations… and maintain the necessary certifications, of course.

The facts are:

Nobody expects you to know everything

In a slide deck a couple of years ago, Sami Laiho pointed out that there are only perhaps 100 people worldwide who know almost everything about Windows. He did not consider himself as one of these people, although everyone I know points to him for answers.

There is no shame in saying 'I don't know'.

There's no shame in seeking help

Seeking help and asking for feedback is a skill. Not everyone possesses this skill. Those to whom this skill comes naturally feel it's a sign of strength. They don't hold back from asking 'stupid questions' to get unstuck and be the best versions of themselves.

Microsoft certifications don't define your worth

Within Microsoft partners, certifications held by employees define partnership levels. Managers in these organizations emphasize certifications not just in your best interest, but also in the best interest of the Microsoft Partner Network (MPN).

If your manager wants you to achieve additional Microsoft certifications, make sure you are compensated in time and/or money.

 

Fear of failure (atychiphobia)?

The technologies that haven't been renamed from Azure AD to Entra and Entra ID offer a peek into Microsoft's decisions regarding the futures of these services and products. When you're currently relying on Azure MFA Server, Azure AD B2C, the Windows Azure AD Connector for Forefront Identity Manager or the Azure AD Content Pack for Power BI, your organization relies on services and products Microsoft is actively discontinuing or is about to announce it will discontinue.

As an early adopter of many Microsoft identity products and services, it might feel like you are getting burned. For many Microsoft Identity professionals it has led to the conclusion that they will never ever embrace public preview features and/or insider releases again. That might be a healthy stance. However, some identity admins feel blocked from even embracing generally available features and RTM releases of Windows Server. Entra ID Domain Services runs the Windows Server 2012 R2 functional level, but when you as an admin still run Windows Server 2012 R2 in your own datacenter, you're the proverbial dead man walking…

The facts are:

Failure doesn't exist

You just tried your hand at your first attempt. That's all. There's always the second attempt to get it right. Or a third. Only after many attempts can you start to see that it's impossible. And because you tried it in three different ways, the problem isn't you.

Cleaning up pays dividends

Many IT professionals feel buried in technical debt. You can't make many wrong decisions when you remove technical debt as a priority. From my experience, cleaning up outdated and stale technologies, objects, applications, services, systems and processes has always been more beneficial to the organization than simply deploying additional stuff. Also, it made new implementations more straightforward.

 

Taking everything too seriously?

I come across admins that have a harder time coming up with new Domain Controller names than names for their children. I kid you not.

The facts are:

Technology is only temporary

That Domain Controller you are deploying is only around for a couple of years, people. Then, we transition it to a fresh Domain Controller running a newer version of Windows Server, or we decommission it. I'm not saying you can go all out on Domain Controller names (it helps to be able to distinguish between Domain Controllers and the other mere mortal hosts on the network), but you don't have to fold your mind into a pretzel to come up with a name or naming convention that suits your organization for thousands of years to come.

It's a marathon, not a sprint

Don't fret about your job. Don't blow yourself up by trying to do everything. IT remains work that is performed by humans. For years to come this will remain true.

As we as IT Professionals gain experience, we increasingly offer common sense-based value, still outpacing ongoing automation initiatives.

 

Are you sure your brain isn't playing tricks on you?

'Happiness in intelligent people is the rarest thing I know.'
– Ernest Hemingway

Our minds are complex. Undeniably, a larger percentage of people working in IT than people not working in IT have attention deficit hyperactivity disorder (ADHD) or attention deficit disorder (ADD), either diagnosed or not. This condition has certain effects.

The facts are:

People with AD(H)D typically assume responsibility

People with AD(H)D typically like to do what they feel they're good at. They'll try to do that as much as possible to avoid other tedious or uninteresting work. When that suddenly doesn't feel like something they're good at, it feels like they won't ever be happy again in their work. It's the AD(H)D brain playing tricks. Luckily, it's easy to spot: just like in the thinking of adolescents, the mind deals in absolutes like 'everything', 'nothing', 'never', 'always' and 'all the time' when playing tricks. Ignore your mind when it serves up that kind of language.

People with AD(H)D feel guilty

When people are told from a very young age that they need to change to fit in, e.g. sit still in class and pay attention for hours on end, it instills a negative self-awareness and a negative self-image. It's always them (see the previous item). Given this mindset, it's admirable that people get anything done at all, yet they pull it off. That should be something they are proud of, but it too, it seems, gets lost in a sea of negativity, blame and guilt. You are good enough.

 

Keep up the good work!

You got this. 💪


The Recording of our '265 Days of Alarming Entra ID Application Discoveries' webinar is now available on-demand

Reading Time: < 1 minute

265 Days

On July 10th, 2024, Nicolas Blank, Alistair Pugin and I recorded a 1-hour webinar on the alarming discoveries we made while using ENow Software's Application Governance Accelerator.

The recording of this webinar is now available on-demand.


Why backing up and restoring Entra ID with Veeam is a big thing

Reading Time: 3 minutes

Veeam plans to backup and restore Entra ID

During the Opening Keynote of VeeamON 2024 in Fort Lauderdale from June 3rd, 2024, to June 5th, 2024, Anton Gostev, Chief Product Officer at Veeam announced providing data resilience for several new platforms, including Entra ID (previously known as Azure AD).

As a Veeam Vanguard, I have had many discussions with Veeam leadership stressing the importance of backing up and restoring objects in Entra ID. I’m glad to see that Veeam is now building this capability.

 

Why Entra ID backup and restore matters

Veeam already offers backing up and restoring data in Microsoft 365, both through self-managed instances of Veeam Backup for Microsoft 365 and through the Veeam Data Cloud for Microsoft 365 service. Veeam also offers backing up and restoring resources in Microsoft Azure, through Veeam Backup for Azure.

For some restoration actions, however, merely being able to back up and restore data from Microsoft 365 and Azure is insufficient. For these actions, objects in Entra ID and specific attributes of these objects are required to restore resources and re-attach them to their rightful owner.

The Hybrid Identity scenario

When organizations operate Hybrid Identity environments, consisting in most cases of Active Directory, Entra ID (previously known as Azure AD) and Entra Connect Sync (previously known as Azure AD Connect), it’s critical for security and compliance purposes that they can ensure the availability and integrity of both on-premises Active Directory as well as Entra ID.

Regardless of the Hybrid Identity configuration, some attributes and some objects are not synchronized or synced back. Typical user attributes include strong authentication settings. Typical group attributes include memberships and dynamic group definitions. Entra-joined devices live in Entra ID only. Conditional Access policy definitions live in Entra ID only. When a user account is disabled in Active Directory on-premises, all the Teams memberships for the corresponding user object in Entra ID are irrevocably removed at that time.

Without the ability to back up and restore objects and attributes in Microsoft Entra ID, this information is lost forever when removed, inadvertently changed or improperly managed. As Entra ID provides authentication and authorization to all Microsoft 365, Dynamics 365 and Azure resources, this is increasingly seen as an unacceptable risk.

Cloud-only scenario

For organizations that merely have cloud-only objects and attributes that aren’t synchronized to an on-premises Identity store, the availability and integrity of objects and attributes in Entra ID is even more critical. When Entra ID is unavailable, all sign-ins stop and thus all access stops.

 

What Veeam plans to offer…

From the previews shown at VeeamON 2024, it seems that Veeam is joining the ranks of Quest, Commvault, Zoho, Avepoint, Keepit, Semperis and Rubrik in offering backup and restore for the following objects in an Entra ID tenant:

  • Users
  • Groups
  • Privileged roles
  • Administrative Units (AUs)
  • Service principals (application registrations and enterprise applications)

Furthermore, Veeam offers backing up the sign-in logs and audit logs of your organization.

Depending on the Entra licensing, organizations may only have (immutable) access to the sign-in logs and audit logs for 30 days, after which they are irrevocably deleted by Microsoft. With Veeam, these logs can be protected for years, if need be.

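The two points above (cloud-only objects that no on-premises store holds, and logs that disappear after the retention window) can be illustrated with a read-only export. The script below is an added example, not code from this post or from Veeam: it uses the Microsoft Graph PowerShell SDK to write the cloud-only object types named earlier (Conditional Access policies, devices, administrative units, applications and service principals), users and groups with their memberships, activated directory roles with their members, and the sign-in and audit logs still available to JSON files. It assumes the Microsoft.Graph module is installed, that the signed-in account holds a read-only role such as Global Reader that can consent to the listed scopes, and that the output folder path is a placeholder you replace.

```powershell
# Added example (not from the post or from Veeam): export cloud-only Entra ID
# objects and the last 30 days of logs to JSON with the Microsoft Graph PowerShell SDK.
# Assumes the Microsoft.Graph module is installed and the signed-in account holds a
# read-only role (for example Global Reader). The output path is an assumed placeholder.
param(
    [string]$OutputRoot = 'C:\EntraExport'   # assumed placeholder path
)

# Read-only Graph scopes covering every object type exported below
$scopes = @(
    'Directory.Read.All', 'Policy.Read.All', 'Group.Read.All', 'Device.Read.All',
    'Application.Read.All', 'RoleManagement.Read.Directory',
    'AdministrativeUnit.Read.All', 'AuditLog.Read.All'
)
Connect-MgGraph -Scopes $scopes -NoWelcome

# One time-stamped folder per run, so successive exports never overwrite each other
$stamp  = Get-Date -Format 'yyyyMMdd-HHmmss'
$target = Join-Path $OutputRoot $stamp
New-Item -ItemType Directory -Path $target -Force | Out-Null

function Export-Set {
    param([string]$Name, [object[]]$Items)
    $path = Join-Path $target "$Name.json"
    # -Depth 10 keeps nested settings (e.g. Conditional Access conditions) intact
    $Items | ConvertTo-Json -Depth 10 | Set-Content -Path $path -Encoding UTF8
    Write-Host ("{0,-24} {1,6} objects" -f $Name, @($Items).Count)
}

# Objects that exist only in Entra ID and are never written back to on-premises AD
Export-Set 'conditionalAccessPolicies' (Get-MgIdentityConditionalAccessPolicy -All)
Export-Set 'devices'                   (Get-MgDevice -All)
Export-Set 'administrativeUnits'       (Get-MgDirectoryAdministrativeUnit -All)
Export-Set 'applications'              (Get-MgApplication -All)
Export-Set 'servicePrincipals'         (Get-MgServicePrincipal -All)

# Users and groups; group memberships are captured explicitly because they are
# among the attributes that are not synchronized back to Active Directory
Export-Set 'users' (Get-MgUser -All -Property Id,UserPrincipalName,DisplayName,AccountEnabled,OnPremisesSyncEnabled)
$groups = Get-MgGroup -All
Export-Set 'groups' $groups
$memberships = foreach ($g in $groups) {
    foreach ($m in (Get-MgGroupMember -GroupId $g.Id -All)) {
        [pscustomobject]@{ GroupId = $g.Id; GroupName = $g.DisplayName; MemberId = $m.Id }
    }
}
Export-Set 'groupMemberships' $memberships

# Activated directory roles and their members (the privileged role assignments)
$roleMembers = foreach ($r in (Get-MgDirectoryRole -All)) {
    foreach ($m in (Get-MgDirectoryRoleMember -DirectoryRoleId $r.Id -All)) {
        [pscustomobject]@{ Role = $r.DisplayName; MemberId = $m.Id }
    }
}
Export-Set 'directoryRoleMembers' $roleMembers

# Sign-in and audit logs: pull everything still available (30 days on lower SKUs)
$since = (Get-Date).AddDays(-30).ToUniversalTime().ToString('yyyy-MM-ddTHH:mm:ssZ')
Export-Set 'signIns'   (Get-MgAuditLogSignIn -All -Filter "createdDateTime ge $since")
Export-Set 'auditLogs' (Get-MgAuditLogDirectoryAudit -All -Filter "activityDateTime ge $since")

Disconnect-MgGraph | Out-Null
```

Run it on a schedule shorter than your log retention window and keep the output folders on storage that follows the 3-2-1 rule discussed later in the post; the JSON is a point-in-time record for investigations and for rebuilding settings by hand, not a restore mechanism for deleted objects, which is the gap the backup products named above aim to close.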

… as part of Veeam Backup and Replication

These capabilities will be part of a future version of Veeam Backup and Replication (VBR).

This makes sense, as the two Veeam products that back up Microsoft 365 and Azure seamlessly integrate with VBR – although running both Veeam Backup for Microsoft 365 and Veeam Backup and Replication on the same Windows host can be tricky.

As Entra ID provides the identity and access management platform for both Microsoft 365 and Azure, being able to restore user objects, groups, etc. that govern this access, from the central Veeam Backup and Replication makes sense.

However, when an organization has only adopted Veeam Backup for Microsoft 365 or Veeam Backup for Azure, it makes less sense, as the infrastructure must now be augmented with Veeam Backup and Replication. The question for these organizations, of course, is how they would follow the 3-2-1 rule with these point solutions without Veeam Backup and Replication…


Looking forward

I’m looking forward to backing up and restoring Entra ID objects and their attributes with my favorite backup and replication solution!

Veeam aims to publicly release the first version of this capability in Q4 2024.

Further reading

VeeamOn 24 – Day 1 Keynote Announcements – Ready, Set, Virtual! (readysetvirtual.com)
VeeamON 2024 Recap – Original-Network.com
Exciting Announcements at VeeamON 2024: New Hypervisors and Workloads | Nothing a Jameson can't fix (nicostein.com)


I’m a 2024-2025 Microsoft MVP

Reading Time: < 1 minute

Microsoft Most Valuable Professional

Today, I received an e-mail message from Microsoft congratulating me on being accepted to the Microsoft MVP program.

Microsoft is pleased to welcome me back to the Microsoft Most Valuable Professionals (MVP) program in recognition of my outstanding contributions to the community in the following technical areas:

  • Identity & Access
  • Windows

It’s an honor to be part of this wonderful group of people helping others and closing the feedback circle with Microsoft, especially for the situations in which people use Microsoft products in ways and social circumstances that Microsoft had never imagined for these products, systems and services.

Thank you!


On-premises Identity-related updates and fixes for June 2024

Reading Time: 2 minutes

Windows Server

Even though Microsoft’s Identity focus moves towards the cloud, Windows Server 2016, Windows Server 2019 and Windows Server 2022 still receive updates to improve the experiences and security of Microsoft’s on-premises powerhouses.

This is the list of Identity-related updates and fixes we saw for June 2024:


Windows Server 2016

We observed the following update for Windows Server 2016:

KB5039214 June 11, 2024

The June 11, 2024, update for Windows Server 2016 (KB5039214), updating the OS build number to 14393.7070, is a monthly cumulative update. It includes the following Identity-related improvements:

  • This update addresses an issue in which lsass.exe stops responding after you install the April 2024 security updates on Windows servers.
  • This update addresses an issue in which lsass.exe leaks memory during a Local Security Authority (Domain Policy) Remote Protocol (LSARPC) call.


Windows Server 2019

We observed the following update for Windows Server 2019:

KB5039217 June 11, 2024

The June 11, 2024, update for Windows Server 2019 (KB5039217), updating the OS build number to 17763.5936, is a monthly cumulative update. It includes the following Identity-related improvements:

  • This update addresses an issue in which lsass.exe stops responding after you install the April 2024 security updates on Windows servers.
  • This update addresses an issue in which lsass.exe leaks memory during a Local Security Authority (Domain Policy) Remote Protocol (LSARPC) call.


Windows Server 2022

We observed the following update for Windows Server 2022:

KB5039227 June 11, 2024

The June 11, 2024, update for Windows Server 2022 (KB5039227), updating the OS build number to 20348.2527, is a monthly cumulative update. It includes the following Identity-related improvements:

  • This update turns on the client certificate authentication feature for Server Message Block (SMB) over Quick UDP Internet Connections (QUIC). Admins can use it to restrict which clients can access SMB over QUIC servers.
  • This update addresses an issue in which lsass.exe stops responding after you install the April 2024 security updates on Windows servers.
  • This update addresses an issue in which dsamain.exe stops responding when the Knowledge Consistency Checker (KCC) runs evaluations.
  • This update addresses an issue in which lsass.exe leaks memory during a Local Security Authority (Domain Policy) Remote Protocol (LSARPC) call.


KB5041054 June 20, 2024

The June 20, 2024, update for Windows Server 2022 (KB5041054), updating the OS build number to 20348.2529, is an out-of-band update. It does not include Identity-related improvements.

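Because the lsass.exe hang and memory leak fixed this month are exactly the kind of defect that takes a domain controller offline, it is worth verifying that every server actually reached the June 2024 build. The script below is an added example, not code from this post or from Microsoft: it reads the OS build and update build revision (UBR) from the registry, compares them with the June 2024 build numbers listed above for each Windows Server version, and separately asks Get-HotFix whether the corresponding KB is in the installed-update inventory. The build and KB numbers come from the post; the table layout and function name are assumptions.

```powershell
# Added example (not from the post or from Microsoft): report whether this host is at
# or above the June 2024 cumulative-update build for its Windows Server version.
# Build numbers and KB ids are the ones listed in the post; the table is an assumption.
$expected = @{
    '14393' = @{ Name = 'Windows Server 2016'; Ubr = 7070; KB = 'KB5039214' }
    '17763' = @{ Name = 'Windows Server 2019'; Ubr = 5936; KB = 'KB5039217' }
    '20348' = @{ Name = 'Windows Server 2022'; Ubr = 2527; KB = 'KB5039227' }
}

function Get-JuneUpdateStatus {
    # Build number and UBR (update build revision) live in the registry on every host
    $cv    = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    $build = [string]$cv.CurrentBuildNumber
    $ubr   = [int]$cv.UBR

    if (-not $expected.ContainsKey($build)) {
        return [pscustomobject]@{
            Host   = $env:COMPUTERNAME
            Build  = "$build.$ubr"
            Status = 'Version not covered by the June 2024 list'
        }
    }

    $e = $expected[$build]
    # Get-HotFix queries the installed-update inventory; a later cumulative update
    # (for example the June 20 out-of-band KB5041054 on Server 2022) can replace the
    # June 11 entry there, so the build comparison below is the authoritative check.
    $hotfix = Get-HotFix -Id $e.KB -ErrorAction SilentlyContinue

    [pscustomobject]@{
        Host        = $env:COMPUTERNAME
        OS          = $e.Name
        Build       = "$build.$ubr"
        Expected    = "$build.$($e.Ubr)"
        KBInstalled = [bool]$hotfix
        Status      = if ($ubr -ge $e.Ubr) { 'At or above the June 2024 level' }
                      else                 { 'Missing the June 2024 cumulative update' }
    }
}

Get-JuneUpdateStatus | Format-List
```

To check a fleet rather than the local host, wrap the function in Invoke-Command against your domain controllers and collect the objects; a Status of "Missing" on a server whose UBR is far below the expected value usually means Windows Update has been failing silently for more than one month, which is worth an alert of its own.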
