Category: Skype for Business

August 7th, 2020 by Author

So how often do you check for PowerShell module updates? My guess would be not at all, as it's hard to keep up to date and ensure you have the latest and greatest module versions available.

So as an example I have two modules installed on my client device which I have updated for a while.

Check out my Get-InstalledModuleUpdate script, available on GitHub, which is aimed at helping in this situation. It puts all the installed modules into an array and checks for the latest versions available on the PowerShell Gallery.
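The same check, written as an added example for this post (it is not the author's Get-InstalledModuleUpdate script): it assumes PowerShellGet (Get-InstalledModule and Find-Module) is present and that the PSGallery repository is reachable.

```powershell
# Added example, not the author's Get-InstalledModuleUpdate script. It lists each module
# installed through PowerShellGet and compares its version with the newest release on the
# PowerShell Gallery. Assumes PowerShellGet (Get-InstalledModule / Find-Module) is present
# and that the machine can reach the PSGallery repository.
function Get-ModuleUpdateReport {
    [CmdletBinding()]
    param(
        # Optional wildcard filter, e.g. 'Microsoft*' (default: every installed module)
        [string]$Name = '*'
    )

    # Get-InstalledModule returns the newest installed version of each module by default
    $installed = Get-InstalledModule -Name $Name -ErrorAction SilentlyContinue

    foreach ($module in $installed) {
        # '-as [version]' yields $null instead of throwing on prerelease strings like 1.2.0-beta
        $current = $module.Version -as [version]

        # One gallery lookup per module. Modules installed from a private repository are still
        # compared against PSGallery here; a module that is not published there yields $null.
        $galleryModule = Find-Module -Name $module.Name -Repository PSGallery -ErrorAction SilentlyContinue
        $latest = if ($galleryModule) { $galleryModule.Version -as [version] } else { $null }

        [pscustomobject]@{
            Name             = $module.Name
            InstalledVersion = $module.Version
            GalleryVersion   = $(if ($galleryModule) { $galleryModule.Version } else { 'not on PSGallery' })
            UpdateAvailable  = ($null -ne $latest -and $null -ne $current -and $latest -gt $current)
        }
    }
}

# Report first; only update modules that are actually behind, and confirm each one.
$report = Get-ModuleUpdateReport
$report | Sort-Object UpdateAvailable -Descending | Format-Table -AutoSize

$report | Where-Object UpdateAvailable | ForEach-Object {
    Update-Module -Name $_.Name -Confirm
}
```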

The Author – Blogabout.Cloud

Posted in Skype for Business

August 7th, 2020 by Tobie Fysh

Survivable Branch Appliances are a pretty common device in multi-site companies that need local breakout for calls or need to have the ability to make calls when the connection to the Front End pool of Skype for Business servers is unavailable (WAN outage, etc).

When patching these, this question comes up at least every 3 months:

“I’ve applied all the Windows Updates that Sonus say my SBA needs however it’s still showing as needing updates in WSUS”


“We’ve had a vulnerability scan and loads of updates are missing from all of our SBAs”

So what gives?

This comes down to past decisions from Microsoft and Sonus...

In the dim and distant past, Microsoft used to release multiple updates every Patch Tuesday. You could choose if you wanted to install update X for GDI+ but not update Y for TrueType fonts. That meant that other software companies could say:

“Yea – we found an issue with Contoso Magic Application and KB938464 so if you want to use our software to do your business critical function don’t install that update…..

……honest – we’ll release an update to fix this in our application at some point”

And you as an administrator would be told from the business that you can’t install that update as they need Contoso Magic Application to just work.

So how does this relate to SBAs?

Each month Sonus looked at the updates available and then at the profile of the SBA with the Sonus hardened config on there and said:

“okay, so update X and Y we need, but update Z is for part of Windows that is not exposed to the network with our hardening so therefore no need to install it”

Thus inside the PKG file you download from Sonus you have a list of updates that are allowed and only those would get installed.

Then things changed

Microsoft got bored of having to support a Swiss cheese deployment of Windows, so in October 2016 they started to release a single monthly update for the OS. I believe that this is in part to do with this statistic I picked up from Henk van Roest, who stated “30% of support calls to Microsoft are fixed by applying updates that are already available”. You could no longer pick and choose which updates to install: you either installed this month's updates or you didn't.

Sonus still release a PKG each month that contains this monthly update. However, they have not gone back and subsequently authorised the updates that came out prior to October 2016.

Where does this leave you as an Administrator?

The reason for applying updates from the Sonus PKG file is to ensure that the SBA stays in Appliance Mode. Appliance Mode means that the SBA call paths are supported by Sonus. However, you will not be able to install all Windows Updates that are offered by WSUS and thus may fall down on an audit. So, you have a choice:

  • Stay in Appliance Mode - only apply PKG files from Sonus
  • Apply all updates - keep off those audit reports

The choice is yours!


August 7th, 2020 by Author

This week Microsoft has announced the final release of the security configuration baseline settings for Windows 10 and Windows Server version 2004. This version sees 1 additional policy and 1 policy removed. Microsoft has also made 2 recommendations that organizations might find worth considering.

Download the Microsoft Security Compliance Toolkit that allows you to test the recommended configurations, and customize/implement as appropriate.

Notable changes are as follows:

LDAP Channel Binding Requirements (policy updated)

In the Windows Server version 1809 Domain Controller baseline we created and enabled a new custom MS Security Guide setting called Extended Protection for LDAP Authentication (Domain Controllers only) based on the values provided here. This setting is now provided as part of Windows and no longer requires a custom ADMX. An announcement was made in March of this year and now all supported Active Directory domain controllers can configure this policy. The value will remain the same in our baseline, but the setting has moved to the new location. We are deprecating our custom setting. The new setting location is: Security Settings\Local Policies\Security Options\Domain controller: LDAP server channel binding token requirements.

Note: this new policy requires the March 10, 2020 security update. (We assume that, as security conscious baseline users, you are patching!) Details of that patch are here.

Microsoft Defender Antivirus File Hash (worth considering)

Microsoft Defender Antivirus continues to enable new features to better protect consumers and enterprises alike. As part of this journey Windows has a new setting to compute file hashes for every executable file that is scanned, if it wasn't previously computed. You can find this new setting here: Computer Configuration\Administrative Templates\Windows Components\Microsoft Defender Antivirus\MpEngine\Enable file hash computation feature.

You should consider using this feature to improve blocking for custom indicators in Microsoft Defender Advanced Threat Protection (MDATP). This new feature forces the engine to compute the full file hash for all executable files that are scanned. This can have a performance cost, which we minimize by only generating hashes on first sight. The scenarios where you may want to test more thoroughly for performance include devices where you frequently create new executable content (for example, developers) or where you install or update applications extremely frequently.

Because this setting is less helpful for customers who are not using MDATP, we have not added it to the baseline, but we felt it was potentially impactful enough to call out. If you choose to enable this setting, we recommend throttling the deployment to ensure you measure the impact on your users' machines.

Account Password Length (worth considering)

In the Windows 10 1903 security baselines we announced the removal of the account password expiration policy. We continue to invest in improving this experience. With Windows 10 2004, two new security settings have been added for password policies: 'Minimum password length audit' and 'Relax minimum password length limits'. These new settings can be found under Account Policies\Password Policy.

Previously, you could not require passwords/phrases greater than 14 characters. Now you can! Being able to require a length of more than 14 characters (maximum of 128) can help better secure your environment until you can fully implement a multi-factor authentication strategy. Our vision remains unchanged in achieving a password-less future, but we also recognize that this takes time to fully implement across both your users and your existing applications and systems.

You should be cautious with this new setting because it can potentially cause compatibility issues with existing systems and processes. That's why we introduced the 'Minimum password length audit' setting, so you can see what will happen if you increase your password/phrase length. With auditing you can set your limit anywhere between 1 and 128. Three new events are also created as part of this setting and will be logged as new SAM events in the System event log: one event for awareness, one for configuration, and one for error.

This setting will not be added to the baseline as the minimum password length should be audited before broad enforcement due to the risk of application compatibility issues. However, we urge organizations to consider these two settings. Additional details about these new settings will be found here, once the new article gets published in the coming days.

(NOTE: As of today the link is not yet live, we are actively working to ensure it gets posted soon!)

As a reminder, length alone is not always the best predictor of password strength, so we strongly recommend considering solutions such as the on-premise Azure Active Directory Password Protection which does sub-string matching using a dictionary of known weak terms, and rejects passwords that don't meet a certain score.

Turn on Behavior Monitoring (policy removed)

In keeping with our principles of criteria for baseline inclusion we have found that the following setting does not need to be enforced; there is no UI path to the setting, you must be a privileged account to make the change, and lastly we do not feel a misinformed Admin would change this setting. Based on these principles we are removing Computer Configuration\Administrative Templates\Windows Components\Microsoft Defender Antivirus\Real-time Protection\Turn on behavior monitoring.
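A quick posture check for the four settings above, added here as an example (it is not Microsoft's baseline tooling). It assumes the registry locations the policies write to (NTDS\Parameters for LDAP channel binding, Control\SAM for the password-length settings), the Get-MpPreference cmdlet for the two Defender settings, and the Microsoft-Windows-Directory-Services-SAM event provider; verify each against the Security Compliance Toolkit for your build.

```powershell
# Added example, not Microsoft's baseline tooling. It reads the settings discussed above from a
# Windows 10 / Windows Server version 2004 machine and reports whether each one matches the
# baseline advice. Registry locations and the SAM event provider name are this example's
# assumptions about where the policies land; confirm them before relying on the output.
function Get-RegistryDword {
    param([string]$Path, [string]$Name)
    # $null means the key or value is absent, i.e. the policy is Not Configured
    try { [int](Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name } catch { $null }
}

function New-Finding {
    param([string]$Setting, $Value, [string]$Status)
    [pscustomobject]@{ Setting = $Setting; Value = $Value; Status = $Status }
}

function Test-Baseline2004Settings {
    [CmdletBinding()]
    param()

    # 1. LDAP channel binding token requirements (domain controllers only).
    #    0 = Never, 1 = When supported, 2 = Always. The NTDS key exists only on a DC.
    $ldap = Get-RegistryDword 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters' 'LdapEnforceChannelBinding'
    $ldapValue  = if ($null -eq $ldap) { 'Not configured (or not a DC)' } else { @('Never', 'When supported', 'Always')[$ldap] }
    $ldapStatus = if ($null -eq $ldap) { 'N/A' } elseif ($ldap -ge 1) { 'OK' } else { 'Review: channel binding not required' }
    New-Finding -Setting 'Domain controller: LDAP server channel binding token requirements' -Value $ldapValue -Status $ldapStatus

    # 2. and 4. Defender settings. Get-MpPreference reports the effective values, including any GPO.
    $mp = Get-MpPreference -ErrorAction SilentlyContinue
    if ($mp) {
        # Worth considering for MDATP customers: hash each executable on first sight
        New-Finding -Setting 'Microsoft Defender Antivirus: Enable file hash computation feature' `
            -Value $mp.EnableFileHashComputation `
            -Status $(if ($mp.EnableFileHashComputation) { 'Enabled (throttle rollout, watch performance)' } else { 'Info: disabled; consider if using MDATP' })

        # Removed from the baseline, but behavior monitoring should still be on (it is the default)
        New-Finding -Setting 'Microsoft Defender Antivirus: Turn on behavior monitoring' `
            -Value (-not $mp.DisableBehaviorMonitoring) `
            -Status $(if ($mp.DisableBehaviorMonitoring) { 'Review: behavior monitoring is off' } else { 'OK' })
    }

    # 3. Password length settings written by Account Policies\Password Policy (SAM registry key)
    $sam   = 'HKLM:\SYSTEM\CurrentControlSet\Control\SAM'
    $audit = Get-RegistryDword $sam 'MinimumPasswordLengthAudit'
    $relax = Get-RegistryDword $sam 'RelaxMinimumPasswordLengthLimits'
    New-Finding -Setting 'Minimum password length audit' -Value $audit `
        -Status $(if ($null -eq $audit) { 'Info: not configured; audit before enforcing a longer minimum' } else { "OK: auditing at $audit" })
    New-Finding -Setting 'Relax minimum password length limits' -Value ($relax -eq 1) `
        -Status $(if ($relax -eq 1 -and $null -eq $audit) { 'Review: limits relaxed without auditing first' }
                  elseif ($relax -eq 1) { 'Enabled' } else { 'Not enabled (14-character ceiling applies)' })

    # The new SAM events land in the System log. The provider name is an assumption (the one SAM
    # uses for its other System-log events); this counts all of its events from the last 7 days.
    $events = Get-WinEvent -FilterHashtable @{
        LogName = 'System'; ProviderName = 'Microsoft-Windows-Directory-Services-SAM'; StartTime = (Get-Date).AddDays(-7)
    } -ErrorAction SilentlyContinue
    New-Finding -Setting 'SAM events in System log (last 7 days)' -Value @($events).Count -Status 'Info: inspect for password-length audit events'
}

Test-Baseline2004Settings | Format-Table -AutoSize -Wrap
```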

The Author – Blogabout.Cloud


August 7th, 2020 by Tom Arbuthnot

A long-asked-for API feature: the ability to programmatically collect the PSTN call records and charges from Microsoft Teams, e.g. the phone bill. Up until now you have only been able to get this by exporting it from the Teams Admin Center into Excel, but now, in beta, you can collect these records from Microsoft Graph.

It forms part of the call records API: callRecord: getPstnCalls

You can expect to see lots of call reporting/bill generation products to use this API to collect this information for billing. Many large organisations cross charge their telephony costs by country or department.

This is something Modality Systems (who I work for) have been doing for some time in a somewhat bespoke way for large enterprises by programmatically exporting the Excel file from the Teams Admin Center (basically making automated website calls) into SQL then into Power BI, but the API will provide a much more robust and supportable method to export the data from Microsoft.

APIs under /beta in Microsoft Graph are subject to change. Use of these APIs in production applications is not supported, but hopefully, this will come out of beta too. I will update the blog when it is out of beta.

This will cover any PSTN call scenario:

  • Microsoft PSTN Audio Conferencing
  • Microsoft Calling Plans
  • Microsoft Communications Credits
  • Microsoft Call Queues and Auto Attendants (the PSTN legs)
  • Direct Routing (though with no charges/costs since that information is not held by Microsoft)

Lee Ford at Symity was very fast in producing a PowerShell script to collect the call records from the API. You can check out his work here. Thanks Lee!



The API will give you the following for each record:

pstnCallLogRow resource type

Property (Type): Description
id (String): Unique call identifier. GUID.
callId (String): Call identifier. Not guaranteed to be unique.
userId (String): Calling user's ID in Graph. GUID. This and other user info will be null/empty for bot call types (ucap_in, ucap_out).
userPrincipalName (String): UserPrincipalName (sign-in name) in Azure Active Directory. This is usually the same as the user's SIP address and can be the same as the user's e-mail address.
userDisplayName (String): Display name of the user.
startDateTime (DateTimeOffset): Call start time.
endDateTime (DateTimeOffset): Call end time.
duration (Int32): How long the call was connected, in seconds.
charge (Double): Amount of money or cost of the call that is charged to your account.
callType (String): Whether the call was a PSTN outbound or inbound call and the type of call, such as a call placed by a user or an audio conference.
currency (String): Type of currency used to calculate the cost of the call (ISO 4217).
calleeNumber (String): The number dialed in E.164 format.
usageCountryCode (String): Country code of the user, ISO 3166-1.
tenantCountryCode (String): Country code of the tenant, ISO 3166-1.
connectionCharge (Double): Connection fee price.
callerNumber (String): Number that received the call for inbound calls or the number dialed for outbound calls. E.164 format.
destinationContext (String): Whether the call was domestic (within a country or region) or international (outside a country or region) based on the user's location.
destinationName (String): Country or region dialed.
conferenceId (String): ID of the audio conference.
licenseCapability (String): The license used for the call.
inventoryType (String): User's phone number type, such as a service or toll-free number.
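Pulling those rows and turning them into the per-country cross-charge summary the post mentions, as an added example (not Lee Ford's script and not Microsoft sample code). It assumes $AccessToken holds a Graph token for an app granted CallRecords.Read.All, the permission the beta endpoint asked for at the time, and that the date range stays within the API's cap (90 days when this was written).

```powershell
# Added example, not Lee Ford's script or Microsoft sample code. Pages through the beta
# getPstnCalls rows for a date range and summarises charges the way a cross-charge report would.
# Assumes $AccessToken holds a Graph token for an app granted CallRecords.Read.All.
function Get-PstnCallRecords {
    param(
        [Parameter(Mandatory)] [string]$AccessToken,
        [Parameter(Mandatory)] [datetime]$From,
        [Parameter(Mandatory)] [datetime]$To
    )
    # The documented call uses plain dates; the beta API capped the range (90 days when written)
    $fromDate = $From.ToString('yyyy-MM-dd')
    $toDate   = $To.ToString('yyyy-MM-dd')
    $uri = "https://graph.microsoft.com/beta/communications/callRecords/getPstnCalls(fromDateTime=$fromDate,toDateTime=$toDate)"
    $headers = @{ Authorization = "Bearer $AccessToken" }

    # Graph returns the rows in pages; keep following @odata.nextLink until it is absent
    while ($uri) {
        $page = Invoke-RestMethod -Uri $uri -Headers $headers -Method Get
        foreach ($row in $page.value) { $row }
        $uri = $page.'@odata.nextLink'
    }
}

function Get-PstnChargeSummary {
    param([Parameter(Mandatory)] [object[]]$Records)
    # Group on the dimensions finance teams typically cross-charge on. Direct Routing rows carry
    # no charge (Microsoft does not hold that cost), so the [double] cast turns $null into 0.
    $Records |
        Group-Object -Property usageCountryCode, currency, destinationContext |
        ForEach-Object {
            $grp = $_.Group
            $seconds = ($grp | ForEach-Object { [double]$_.duration } | Measure-Object -Sum).Sum
            $charge  = ($grp | ForEach-Object { [double]$_.charge + [double]$_.connectionCharge } | Measure-Object -Sum).Sum
            [pscustomobject]@{
                UsageCountryCode   = $grp[0].usageCountryCode
                Currency           = $grp[0].currency
                DestinationContext = $grp[0].destinationContext
                Calls              = $grp.Count
                Minutes            = [math]::Round($seconds / 60, 1)
                TotalCharge        = [math]::Round($charge, 2)
            }
        }
}

# Constructed usage: the last 30 days, raw rows kept for the billing system, totals on screen.
# $AccessToken must be set beforehand (token acquisition is outside this example).
$records = @(Get-PstnCallRecords -AccessToken $AccessToken -From (Get-Date).AddDays(-30) -To (Get-Date))
$records | Export-Csv -Path .\pstn-calls.csv -NoTypeInformation
if ($records.Count -gt 0) {
    Get-PstnChargeSummary -Records $records | Sort-Object TotalCharge -Descending | Format-Table -AutoSize
}
```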


August 6th, 2020 by Tom

Disclaimer: Logitech kindly sent me this headset, enabling me to write this review. This post may contain affiliate links.

Overnight, without warning, many of us were working at home. Not just “sometimes working at home”, not “working at home when not travelling”, not even “working at home when everyone else is out”, but proper, alongside everyone else in the home, all trying to get along, working at home.

As we cleared our desks, grabbed what we thought we’d need for – well, we didn’t really know, I guessed maybe a month (!!) – and headed home, likely one of the things we made sure we had was our headset. Little did we know, back in March, that we’d be using it so much for so long.

Why a good headset is even more important today than ever

A good quality headset has always been an important part of a successful UC strategy, and we are lucky to have plenty of choice. However, right now I think having a decent headset and webcam are critical components of your setup. Why? Because these two devices are the means by which 100% of your interaction happens. Your co-workers, your partners, your customers: they all experience you through these two devices.

If you are to bring your best self to a meeting, be taken seriously and land your point – then in 2020, more so than ever, you need to consider what devices you are using and whether they are helping you to achieve those goals.

What is a Lockdown Headset?

There’s something else. The requirements for a headset in lockdown are different from working in an office.

Way, way different.

In an office:

  • dedicated desk space, charging dock on hand
  • plenty of time between uses for charging
  • background office noise

In lockdown:

  • sometimes at a desk, sometimes in the lounge, sometimes in the kitchen, depending on what everyone else is doing. Can’t rely on the charging dock being there
  • Up to 8 hours a day solid use
  • Sporadic charging due to having to go from “working” to “home” and not having time to charge
  • still plenty of background noise
  • causing annoyance to other people in the house because your active noise cancelling means you’re shouting during calls
  • having to “share” your device with small people who want to try it on without respecting it like you do

It’s a harsher environment than the average office. A headset that’s right for the office might turn out to be a problem in lockdown. Unfortunately, none of us got the choice when it happened. We grabbed what we had, and headed home.

Logitech Zone Wireless

It’s against this backdrop that I review the Logitech Zone Wireless headset, because I feel like that’s the reality for many people today.

This is a Bluetooth headset, which comes with a USB dongle. You can pair with multiple devices (your computer and your phone) – well, up to 8 devices, with 2 connected at any time.

It’s a boom headset – which I like. Boom-less headsets might look cool, but the microphone quality is never as good, sorry.

In many respects it does everything you’d expect a Microsoft Teams certified headset to do. I’m going to concentrate here on the things that are different.


I can happily wear this headset for 12 hours at a time. I have done, on multiple occasions in the last couple of weeks. The headband expands with a slider, it doesn’t have “clicking” set points – meaning you can get it exactly right. The ear pads are made of something like leather (but they don’t smell like leather so I guess not) and are padded for comfort. They’re quite large (7cm across) which I think helps with the comfort. Here are two photos: first the stock photo from Logitech’s website, and then my photo of the unit I have:

My own workflow is to have them connected to both computer and phone, and then listen to music from my phone when I need to concentrate in between calls I run on my computer. Right now I’m listening to the Calm app, trying to de-stress. The sound is immersive, all I can hear are the birds singing, the water in the background and the soothing voice instructing me to concentrate on my breathing….

Interestingly, the boom for this headset is on the left, not on the right. I’m not sure if this is usual or not – but for the longest time I was wearing it the wrong way around. It doesn’t really matter, other than it seems to be slightly uncomfortable after several hours when you’re wearing it like that. This is NOT super obvious – there are left/right markings on the inside of the headband, but they don’t stand out. I thought maybe it was just me, but even Logitech’s stock product shots appear to show them with the boom extended for wearing the “wrong” way around:

Maybe how you wear them doesn't matter, other than to affect the audio channels? This would seem to be the case actually, given that the boom does extend both ways.


The on-headset buttons are what you’d expect: volume, on/off/pair, ANC, and the Microsoft Teams button. The Teams button is actually configurable via the Logi Tune app, meaning you can map single press, double press and long press to different actions.

I have mapped the double press action to the “Headset status report” which tells me the battery state. This is really useful when I’ve finished the call and had to run to do something, putting the headset down and then forgetting about it, only coming back to it 2 mins before another call hours later.

Also worth noting is that you can configure the sleep settings via the app as well – meaning that if you do leave it on, it won’t drain the battery overnight.

All the buttons are touch-press buttons. Personally, I tend to prefer toggle switches because it’s more obvious what the current state is. Also, I find combining the power on/off button with the pairing button confusing – I sometimes hold the power button too long when I’m turning on or off and end up putting the device into pairing mode.


Some headsets feel like you have to handle them with kid gloves. This isn’t one of them. It feels sturdy, with metal arms and a firmness to it. The wires for each side are unusually on the outside of the sides of the headband, not integrated into it. I guess that this actually makes it stronger. It’s not unpleasant to look at, but it might take some getting used to (although, once it’s on you don’t see it!).

It’s successfully withstood some fairly robust handling from the smallest member of the house, who loves pretending to “work like Daddy”…

Battery & Charging

The battery life is great. It’s advertised as 14 hours talk or music (with ANC on). I’ve not tried that but I’ve used it solidly for 6 hours already today on back-to-back calls, and the battery is at 70% with the status telling me “8 hours left”.

One really interesting thing about this headset is that you can charge it wirelessly, using any Qi charger. This has been a huge win for me in lockdown – we already have a number of wireless chargers around the house, so I can take calls from multiple places and then leave my headset there overnight rather than taking it back to my study to charge it. It sounds like a silly thing, but my study is next door to the nursery and so there are very definite “no-entry” times if I don’t want to be responsible for ruining a good night’s sleep…

The charging point is the ear piece that doesn’t have the boom. All the photos show the headset charging whilst folded up, like this:

However, I found it easier to just place it onto the charger un-folded, like this:

That way, it’s ready for use and I can just grab it and put it on.

This has been a bit of a game-changer for me. I can add more headset charging points anywhere I like, for relatively little money by using standard Qi chargers. Note though, that by default the wireless charger isn’t included – only a USB cable for charging. Qi chargers aren’t expensive, just letting you know. 🙂

Microphone / ANC

I recorded a short video using the Logitech Zone Wireless headset as the audio input source, both in a quiet room and with noisy cafe background sounds. Hopefully this will help you get a feel for how it sounds and how the Active Noise Cancelling works:

Other Stuff

The Logi Tune also has an option to adjust Sidetone. This controls how much of your own voice you hear through the headset. Not all headsets with ANC have this, but they should. Without Sidetone, you can’t hear yourself properly and are way more prone to shouting. In the office this just gets you a reputation. At home, this gets you yelled at. 🙂

By cranking the Sidetone right up I can make sure that I don’t raise my voice too much, and disturb everyone else. It’s a silly, small thing – but when everyone is living within the same four walls, stuff like that really does make a difference.


I like this headset. It’s become my daily driver throughout lockdown. It’s not failed me yet: I’ve never found it without charge and I’ve not had to plug it in during a call. Given how much I’ve been on Microsoft Teams in the past few weeks: that’s a real achievement. Personally, the On/Off/Pair button still annoys me – but I’ve got around that by just keeping it on all the time and putting it on the wireless charger when I’m not using it. If you’re after a solid workhorse that will make you sound good, then you should definitely consider the Logitech Zone Wireless headset.


August 6th, 2020 by johnacook


August 6th, 2020 by Jim Flack

Digital transformation, cloud computing, and a sophisticated threat landscape are forcing everyone to rethink the functions of each role on their security teams, from Chief Information Security Officers (CISOs) to practitioners.

With billions of people around the globe working from home, changes to the daily practice of cybersecurity are accelerating. Organizations are shifting from defending a traditional network perimeter (keeping business assets in a safe place) to more effective zero trust strategies (protect users, data, and business assets where they are). This transformation brings technology changes and also opens up questions of what people’s roles and responsibilities will look like in this new world.

At the same time, continuous delivery models are requiring security teams to engage more closely during business planning and application development to effectively manage cyber risks (vs. the traditional ‘arms-length’ security approaches). This requires security professionals to better understand the business context and to collaborate more closely with stakeholders outside of security.

In this new world, traditional job descriptions and security tools won’t set your team up for success. Leaders must create role clarity in this transformation to help their teams navigate uncertainty. This will reduce distractions and stress, as well as help people focus on the important tasks that make the whole team shine.

While each organization and each person will have a unique journey, we have seen common patterns for successfully transforming roles and responsibilities. To help security leaders and practitioners plan for this transformation, Microsoft has defined common security functions, how they are evolving, and key relationships. In this blog, we’ll provide a summary of our recommendations to help you get started.

Security roles must evolve to confront today’s challenges

Security functions represent the human portion of a cybersecurity system. They are the tasks and duties that members of your team perform to help secure the organization. Depending on your company size and culture, individuals may be responsible for a single function or multiple functions; in some cases, multiple people might be assigned to a single function as a team.

High performing security teams understand their individual roles, but also see themselves as a larger team working together to defend against adversaries (see Figure 1). The following functions represent a fully populated enterprise security team, which may be aspirational for some organizations. Organizations often need to prioritize where to invest first based on their risk profile, available resources, and needs.

An image showing each function works as part of a whole security team, within the organization, which is part of a larger security community defending against the same adversaries.

Figure 1: Each function works as part of a whole security team within the organization, which is part of a larger security community defending against the same adversaries.

Policy and standards

This team develops, approves, and publishes security policy and standards to guide security decisions within the organization and inspire change. This team must take into account cloud platforms, DevOps processes and tools, and relevant regulations, among other factors. Read more about security policy and standards function.

Security operations center (SOC)

A security operations center (SOC) detects, responds to, and remediates active attacks on enterprise assets. SOCs are currently undergoing significant change, including an elevation of the function to business risk management, changes in the types of metrics tracked, new technologies, and a greater emphasis on threat hunting. Read more about the SOC function.

Security architecture

Security architecture translates the organization’s business and assurance goals into a security vision, providing documentation and diagrams to guide technical security decisions. A modern architecture function needs to consider continuous delivery, identity-centric security solutions for cloud assets, cloud-based security solutions, and more. Read more about the security architecture function.

Security compliance management

The objective of cloud security compliance management is to ensure that the organization is compliant with regulatory requirements and internal policies. As you modernize this function, consider the role that cloud providers play in compliance status, how you link compliance to risk management, and cloud-based compliance tools. Read more about the security compliance management function.

People security

People security protects the organization from inadvertent human mistakes and malicious insider actions. The cloud and changing threat landscape require this function to consider how to effectively engage employees in security, organizational culture change, and identification of insider threats. Read more about the people security function.

Application security and DevSecOps

The objective of application security and DevSecOps is to integrate security assurances into development processes and custom line of business applications.

Cloud services and APIs have enabled a faster delivery cadence and influenced the creation of the DevOps team model, driving a number of changes. The biggest change we see is the integration of security into the development process, which requires culture and process adjustments as each specialty adopt the best of each other’s culture. This function must also adopt an agile mindset and stay up to date on new tools and technologies. Read more about the application security and DevSecOps function.

Data security

The main objective for a data security team is to provide security protections and monitoring for sensitive enterprise data in any format or location. New regulations and data loss prevention models are influencing the evolution of this function, and the sheer volume of data being stored on numerous devices and cloud services has also had a significant impact. Read more about the data security function.

Infrastructure and endpoint security

The infrastructure and endpoint security function is responsible for security protection to the data center infrastructure, network components, and user endpoint devices. Software-defined datacenters and other cloud technologies are helping solve longstanding data center security challenges, and cloud services are transforming the security of user endpoint devices. Read more about the infrastructure and endpoint security function.

Identity and keys

The main objective of a security team working on identity management, is to provide authentication and authorization of humans, services, devices, and applications. Key and certification management provides secure distribution and access to key material for cryptographic operations (which often support similar outcomes as identity management).

One of the big changes is that identity and key/certification management disciplines are coming closer together as they both provide assurances on the identity of entities and enable secure communications. This function also plays a significant role in modernizing security by establishing an identity-based perimeter that is a keystone of a zero-trust access control strategy. Read more about the identity and keys function.

Threat intelligence

Security threat intelligence provides context and actionable insights on active attacks and potential threats to empower organizational leaders and security teams to make better (data-driven) decisions. Threat intelligence usually grows from a technical scope into servicing the larger organization with strategic, tactical, and operational (technical) threat intelligence. Read more about the threat intelligence function.

Posture management

Posture management builds on existing functions like vulnerability management and focuses on continuously monitoring and improving the security posture of the organization. Posture management is typically one of the largest changes because it supports decisions in many other functions using information that only recently became available because of the heavy instrumentation of cloud technology. This function includes zero-trust based access controls, real-time risk scoring, threat and vulnerability management, and threat modeling, among others. Read more about the posture management function.

Incident preparation

The primary objective for the incident preparation function is to build process maturity and muscle memory for responding to major incidents throughout the organization, including security teams, executive leadership, and many others outside of security. These practice exercises have become powerful tools to ensure stakeholders are informed and familiar with their role in a major security incident. Read more about the incident preparation function.

Looking forward

In the beginning of the journey, clarity is critical to shine a light on the path forward and the journey ahead. As you walk the path, healthy doses of empathy and continuous learning are key to maintaining forward momentum. Organizations should invest in both formal training and supporting self-directed exploration to ensure people get the knowledge they need and have the confidence to take the risks required to transform.

In addition to the cloud security functions guidance, Microsoft has also invested in training and documentation to help with your journey—see the CISO Workshop, Microsoft Security Best Practices,  recommendations for defining a security strategy, and security documentation site.

To learn more about Microsoft Security solutions visit our website.  Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

The post How to organize your security team: The evolution of cybersecurity roles and responsibilities appeared first on Microsoft Security.

Posted in Skype for Business

August 6th, 2020 by Jim Flack

Not long ago when I spoke with customers about Zero Trust, our conversations focused on discussing the principles, defining scope, or sharing our own IT organization’s journey. Zero Trust was something interesting to learn about, and most organizations were very much in the exploratory phase. As COVID-19 forced organizations across the world to send their workforce home, organizations rapidly focused on Zero Trust approaches to alleviate challenges of enabling and securing remote work. Using Zero Trust to secure users, data, and devices (wherever they may be) has changed from optional to a business imperative overnight.

Companies found that traditional security models required bringing users and data to ‘safe’ network places, which doesn’t scale and doesn’t provide the needed visibility. Employees are getting their work done any way they can– using personal devices, sharing data through new services, and collaborating outside the confines of traditional protections of the corporate network. Earlier adopters of Zero Trust approaches were able to adapt quickly, but many others instantly faced an expanded attack surface area and new security challenges they were not fully prepared for.

At Microsoft, we have been helping customers navigate these challenges by sharing our learnings and building controls, tools, and practices to enable daily application of Zero Trust principles. We have been focusing on providing organization quick wins that close critical gaps today and laying a strong foundation of Zero Trust expertise and technology to build on in the future.

Today and in my presentation at Blackhat 2020, I’d like to share some insights we’ve learned through this journey to help you with yours:

1. Start with strong authentication

Many customers I meet with share that trying to figure out where to start their Zero Trust journey is a major challenge. I always recommend starting with multi-factor authentication (MFA). Verifying a user’s identity with strong authentication before granting them access to corporate resources is the most effective step to quickly improve security. Our studies have shown that accounts secured with MFA are 99.9% less likely to be compromised. Strong authentication not strengthens your overall security posture and minimizes risk, it lays a strong foundation to build on—such as securely connecting employees to apps with single sign-on (SSO) experiences, controlling access to resources with adaptive access policies, and more.

2. Endpoint visibility is critical and getting more challenging

In a Zero Trust security model, we want to have visibility into any and all endpoints accessing the corporate network so we can only allow healthy and compliant devices to access corporate resources. Device security posture and compliance should be used in your access policies to restrict access from vulnerable and compromised devices. This not only helps strengthen security and minimize risk, but also enables you to improve your employees’ productivity by supporting more device types and experiences. In a recent Microsoft study, more than 50% of organizations reported seeing a greater variety of endpoint platforms because of supporting remote work.

3. Apps and data are primary attack surfaces

With employees increasingly accessing corporate data on new devices and collaborating in new ways, most security teams are seeing that their application and data security tools aren’t giving them the visibility and control they need. This de facto expansion of the enterprise attack surface makes it critical to discover the cloud apps in use, assess them for risk, and apply policy controls to ensure that data isn’t leaking through these applications. Finally, make sure the sensitive data in these apps is protected wherever it travels or lives by automatically classifying, labeling, and applying protection to files.

3. Integrated solutions are more critical than ever

CISOs reported in a recent Microsoft study that Threat Protection is now a higher priority for them. With an increasing attack surface area and velocity, integrated threat protection solutions can now share signals across detection, prevention, investigation, and response. While most organizations already use threat protection tools, most don’t share signals or support end-to-end workflows. Because most attacks involve multiple users, endpoints, app, data, and networks, it’s imperative for tools to work together to deliver streamlined experience and end-to-end automation. Look for opportunities to integrate your threat protection solutions to remove manual tasks, process friction, and the morael issues they generate.

5. Zero Trust improves end-user experience

Security leaders are often challenged to balance security and a more streamlined end-user experience. Fortunately, Zero Trust enables both at the same time because security is built around the users and business assets, rather than the other way around. Instead of users signing in multiple times, dealing with VPN bandwidth constraints, and working only from corporate devices, Zero Trust enables users to access their content and apps from virtually any device and location securely.

To listen to my presentation on Zero Trust at Blackhat register here. Check out the Microsoft Zero Trust Maturity Model vision paper (click to download) detailing the core principles of Zero Trust, and our maturity model, which breaks down the top-level requirements across each of the six foundational elements.

We’re also publishing deployment guides for each of the foundational elements.  Read the latest guides for IdentitiesDevices, and Networking. Look out for additional guides in the Microsoft Security blog.

Learn more about Zero Trust and Microsoft Security.

Also, bookmark the Security blog to keep up with our expert coverage on security matters. And follow us at @MSFTSecurityfor the latest news and updates on cybersecurity.


The post Zero Trust: From security option to business imperative overnight appeared first on Microsoft Security.

Posted in Skype for Business

August 6th, 2020 by Alex Simons (AZURE)

Howdy folks,


Today, we’re announcing the general availability of user provisioning from SAP SuccessFactors to Azure AD. In addition, SAP and Microsoft have been working closely together to enhance existing integrations between Azure AD and SAP Cloud Identity Services of the SAP Cloud Platform, making it easier to manage and secure your SAP applications.


User provisioning from SAP SuccessFactors to Azure AD is now generally available

With the integration between Azure AD and SAP SuccessFactors, you can now automate user access to applications and resources so that a new hire can be up and running with full access to the necessary applications on day one. The integration also helps you reduce dependencies on IT helpdesk for on-boarding and off-boarding tasks.

Thanks to your feedback on our public preview, we’ve added these new capabilities:

  • With enhanced attribute support, you can now include any SAP SuccessFactors Employee Central attributes associated with Person, Employment and Foundation objects in your provisioning rules and attribute mapping.
  • Using flexible mapping rules, you can now handle different HR scenarios such as worker conversion, rehire, concurrent assignment, and global assignment.
  • In addition to email, we now support writeback of phone numbers, username, and login method from Azure AD to SAP SuccessFactors.


We’d like to say a special thank you to SAP SuccessFactors team who helped us enhance the integration. Here’s what they had to say:

“Enabling end-to-end user lifecycle management is critical. The Azure AD and SAP SuccessFactors integration will help streamline HR and IT processes to help our joint customers save time, improve security, and enable employee productivity.“ – Lara Albert, VP, Solution Marketing, SAP SuccessFactors


We’d like to also thank our preview customers and partners who provided great feedback on different aspects of this integration! Here’s what one of our system integrator partners, Olikka, had to say:


“Inbound provisioning from SAP SuccessFactors to Azure AD and on-premises Active Directory has helped us reduce the time customers need to spend on-boarding/off-boarding and adjusting access through the employee lifecycle. The integration that Microsoft has delivered means that we can avoid building complex custom connectors and managing on-premises infrastructure. This enables Olikka to get the customer up and running quickly while leveraging their existing Azure AD subscription.” – Chris Friday, Senior Project Consultant, Olikka




Using Azure AD to manage and secure your SAP applications

Our new provisioning integration between Azure AD and SAP Cloud Identity Services allows you to spend less time creating or managing accounts for individual SAP applications. With this integration, you can now use Azure AD to automatically provision user accounts for SAP Analytics Cloud. In the coming months, we will expand this support to additional SAP applications like SAP S/4HANA, SAP Fieldglass, and SAP Marketing Cloud.




We’re also enabling One-click SSO to simplify the configuration and setup of single sign-on with SAP Cloud Identity Services. One-click SSO allows you to quickly setup single sign-on between Azure AD and SAP Cloud Platform without needing to copy and paste values from different admin portals.


Learn more

User provisioning from SAP SuccessFactors to Azure AD requires an Azure AD P1 license, all other features referenced in this blog are available across all licensing tiers. To get started with these integrations, read our SAP identity integration documentation.


SAP Cloud Platform is also available on Azure regions around the globe to complement your SAP S/4HANA on Azure implementations, providing low latency and ease of integration. Learn more about SAP solutions on Azure at and explore our SAP on Azure use cases to get started.


Together, our integrations with SAP allow you to manage and protect access to all your critical SAP landscape. As always, we’d love to hear any feedback or suggestions you may have. Please let us know what you think in the comments below or on the Azure AD feedback forum.

Best regards,

Alex Simons (@Alex_A_Simons)

Corporate VP of Program Management

Microsoft Identity Division


Learn more about Microsoft identity:

Posted in Skype for Business