Fortifying Your Microsoft 365 Environment: Mastering Identity, Access, and Threat Protection

In this insightful webinar, Ben Love, the Managing Director and Founder of Grassroots IT, collaborates with Senior Engineer, Cameron Fairfull to explore the often-overlooked features of Microsoft 365. They delve into identity access management and threat protection, showcasing how these powerful tools can enhance your organisation’s security posture.

Executive Briefing Webinar

Join our presenters, Cameron Fairfull and Ben Love, for an informative webinar where they will explore the critical aspects of identity and access management, threat protection, and best practices for configuring and managing Microsoft 365 security settings.

In this Webinar
  • Identity and Access Management

Learn how Microsoft Entra ID, Multi-Factor Authentication (MFA), and Conditional Access policies work together to secure authentication, authorization, and control access to sensitive data.

  • Threat Protection 

Discover how Microsoft Defender for Office 365, Safe Links, Safe Attachments, and Microsoft Defender for Endpoint protect your organization against various threats, including email-based attacks and advanced threats across devices. 

  • Best Practices and Real-World Scenarios

Gain valuable insights into best practices for configuring and managing Microsoft 365 security settings, learn from real-world examples of successful implementations, and receive guidance on developing a holistic security strategy.

Additional Resources

The following additional resources are mentioned or referenced in the webinar.

Cameron Fairfull
Managing Services Lead
About Cameron Fairfull

Cameron is a valued member of the Grassroots IT team, offering a wealth of experience gained from his tenure at notable organizations including Dick Smith, Arnott’s, and Coca-Cola. As a seasoned Senior Engineer, Cameron’s expertise in Cybersecurity, Project Delivery, and Internal System Administration makes him the go-to person when techs find themselves stuck on complex issues. His knowledge base offers a treasure trove of solutions, helping clients maintain or improve their overall cybersecurity and enhance their systems through upgrades or improvements via projects.

Ben Love
Managing Director
About Ben Love

Ben is a highly experienced technology and business professional with over 25 years’ experience in the field. Prior to founding Grassroots IT in 2005 he served in various roles including Systems Administration, Software Development, Solutions Architecture and IT Management. With his deep understanding of technology and proven business know-how, Ben is a respected and insightful leader.

In addition to serving as Grassroots IT’s Managing Director, Ben is an ultra-marathon runner, coaches and mentors entrepreneurs across a range of industries and serves on the board of Entrepreneurs Organization.

Transcript

Ben Love [00:00:01]:
All right, good morning, everybody, and welcome to today’s webinar. My name is Ben Love. I’m the managing director and founder of Grassroots IT, and I’m joined today by Cameron Fairfull, senior engineer at Grassroots IT. Good morning, Cameron.

Cameron Fairfull [00:00:14]:
Morning, Ben. Morning, everybody.

Ben Love [00:00:17]:
So today we are going to be exploring a part of Microsoft 365. So Microsoft 365, as we all know, is, is vast. There is a lot under the hood there. And specifically the point of today’s webinar too, is that a lot of the stuff that’s under the hood there you may and probably do already have access to as part of whatever licensing you have in place, or it’s a very small and minor upgrade to add the licensing that you need to get some very sophisticated features. So today is really just about exploring what some of those features are and what you can do with them, what the business benefits are for you, so that you know what you have access to and you can choose what to do with that in your organisation. So specifically today we’re going to be exploring identity access management and threat protection. And we do have some other webinars coming in this same series later this year, exploring some of the other parts of Microsoft 365 that you may not really know all that much about just yet. So, Cameron, let’s kick on, shall we? What’s next?

Cameron Fairfull [00:01:26]:
Yeah, absolutely. So the first part that I would like to start with is actually where you start when you’re trying to log into Microsoft, and that is Microsoft Entra ID. So Entra ID is the entry point whenever somebody is trying to log into their Microsoft 365 account. And it handles quite a number of different things within Microsoft 365. The biggest of those are obviously users and groups, but you can also handle app registration and enterprise apps, devices, password resets, et cetera. So Entra ID allows you to really govern everything that you need to for all of your users. It allows you to make sure that the users have the right access to the right resources and that you are able to manage the user access, access to all of those resources. There’s a number of different ways that you can manage that.

Cameron Fairfull [00:02:35]:
And that is as simple as somebody going in and clicking and adding the user access as needed, right through to automating that access as you need to.

Ben Love [00:02:50]:
So in layman’s terms, Cameron, is Microsoft Entra ID where usernames and passwords are set up and stored and created?

Cameron Fairfull [00:03:00]:
Absolutely.

Ben Love [00:03:01]:
Okay. So when someone tries to, when one of your users tries to log on to something to do with Microsoft 365, essentially the first point is they’re coming back here into the Microsoft Entra ID to make sure that their username and password are correct, for starters, and also to validate what it is within Microsoft 365 they’re allowed to have access to.

Cameron Fairfull [00:03:24]:
Yeah, absolutely. So. And Entra ID also handles all of the other checks that a user might need to go through while they’re logging in. So we’ll talk about that more as we work through all of this. So.

Ben Love [00:03:43]:
Very good.

Cameron Fairfull [00:03:44]:
Yeah, so we might move on to the next slide, which is talking specifically about multifactor authentication. Now, I did have a couple of facts that I wanted to kind of drop in here first, and that was on average, it takes a hacker 2 seconds to crack an eleven character numeric password these days, and somewhere under a minute to crack a seven character password that contains alphanumeric characters. So uppercase, lowercase, number, or some special character. That is significantly quicker than it has ever been, purely due to all of the tools that they have available. And that’s one of the reasons why multifactor authentication is so important for your users when they are logging in and trying to access anything within your Microsoft 365 tenant.

Ben Love [00:04:41]:
So the message really is that a username and a password, no matter how strong that password is, is really not enough these days.

Cameron Fairfull [00:04:48]:
No, not at all. Not at all. Once upon a time, absolutely. That was considered the most secure way for anybody to log into a system that needed any sort of authentication, whereas now you need that extra layer of protection purely because it’s so easy for passwords to be guessed. And the problem is, a lot of the time these days, there’s a little bit of password exhaustion where users require username and password for just about every system that they use. And so they start reusing those passwords consistently and they will simply use less complex and easier to guess passwords for the more passwords they need to remember.

Ben Love [00:05:36]:
Multifactor authentication, for us here at Grassroots IT and the way we look at this is multifactor authentication these days is really non-negotiable. It really is simply table stakes for being in the game. And that’s not only on your Microsoft 365 tenant, but it’s everywhere you go. I think we’re all familiar with Internet banking. I don’t think there would be any Internet banking out there anymore that allows you to transfer money around without having to enter in some sort of a multi factor token, a multi factor authentication thing. So we really do consider MFA to be absolute baseline requirement and something that you need to have across all of your platforms and applications.

Cameron Fairfull [00:06:21]:
Yep, absolutely. And multifactor authentication these days is a lot more than just getting like an extra pin or number. There are many different ways that you can do it. So there are, you can use fingerprints, you can use facial recognition, you can use what they call FIDO keys as well, or a passkey. And that’s a physical device that has the specific token on it that allows a user to verify who they are and allow that user to then access the accounts that they need to access. So the three most common factors that anyone will talk about with MFA is something you know, and that’s your username and your password or your pin and something you have. So that’s like a smartphone or again, that, that secure USB key that I was talking about and something that you are. So that’s a fingerprint or facial recognition.

Cameron Fairfull [00:07:25]:
And you can, you can add that multi factor in to various layers across your organization as well. So you don’t just have to have it. When you’re logging in to check your emails online, you can use something like Windows Hello as a multifactor when you are connecting into your computer, when you’re logging in in the morning, you can use a FIDO key to be able to access specific applications. And you are able to add different layers of multi factor authentication as users are authenticating across different areas or trying to access different areas of everything that’s connected within Microsoft 365.

Ben Love [00:08:12]:
Fantastic. Thank you.

Cameron Fairfull [00:08:17]:
And the next part, and this is probably one of the biggest areas now, is conditional access policies. So conditional access policies allow you to control how access is granted to Microsoft 365. For a user, there are a number of checks that a conditional access policy will go through. You can target them specifically at a user or group. You can target them at a specific resource as well. So for instance, you might have one of your line of business apps connected through Entra ID and allow users to use their Microsoft 365 username and password to log into that specific system. So you can target a conditional access policy directly at that particular application if you want them only to be able to log in from certain locations, or you want to set an extra condition on that, such as they can only log in from a device that is considered connected to your network and has all of the appropriate checks and things added to that.

Ben Love [00:09:30]:
So one of the, we’re seeing this in use a lot, for example, with of course the rise of remote work and people working from home. You know, these conditional access policies is somewhere where you can enforce that people can only use company-provided laptops to access the system. This is conditional access policies are where you can say that nobody from Russia is allowed to log onto our systems, things like that.

Cameron Fairfull [00:09:57]:
Yep, session control is another one as well. Session control allows you to control the way that the user is logging in. So you can require that they are only logging in through Microsoft approved apps. So for instance, Edge browser, the Outlook app, on their phone or on their device, any of the Office suite products, et cetera. So it gives you that little bit of extra control as well. You can also elevate the requirements for MFA for a user when they’re logging in based on the systems that they are connecting to as well. So conditional access policies will allow you to specify a base level of MFA so the user can use a code or their authenticator app. Then you can elevate that to the next level.

Cameron Fairfull [00:11:00]:
And this is where you start looking at phishing resistant MFA, and you only allow them to use a code that they have to enter into their authenticator app right through to the very highest level where you require users to have like a security USB key or a FIDO key, or use some sort of biometrics to be able to connect into that specific location that they’re accessing as well.

Ben Love [00:11:32]:
Now Cameron, can I ask, would you see that conditional access is a feature of Microsoft 365 that is getting a lot of uptake that everybody is aware of and everybody is using to its full potential?

Cameron Fairfull [00:11:47]:
It’s starting to. As we progress more into businesses needing to be more mindful about their cybersecurity and how they are managing their cybersecurity, we are seeing a lot more uptake of conditional access policies where they’re blocking access from all countries except for Australia and New Zealand, or they might have an office in Australia and something in Southeast Asia, so they’re limiting sign in to just those particular locations. The other thing that you can do with conditional access as well is use sign in risk. And that’s something that’s really good. That ties in with Entra ID and assessing a user’s login for the risk based aspects of them logging in. So it looks at a number of different signals and decides whether the login is of low risk, which means that it’s a normal login right through to high risk, which means that there’s every chance that that account has been compromised and it can take automated actions on that account as you need it to.

Ben Love [00:12:56]:
Yeah, I see things like any cloud based service, but in this context, obviously Microsoft 365, by the very nature of what it is, it risks giving us a bigger surface area for malicious actors to attack because it is in the cloud. I mean, by design, it’s accessible from anywhere, globally, and from anybody who has obviously got permissions to do so. So things like conditional access policies, to my way of thinking, can massively reduce that potential attack surface that your organization is exposing there by locking it down to, as you say, just a particular country or just particular devices that can log on. I think conditional access is a really powerful feature in Microsoft 365 that really needs to be used more, I think more awareness.

Cameron Fairfull [00:13:51]:
Correct? Absolutely correct. The other benefits as well with conditional access is that you can target specific user groups and specific apps, so you can really refine how those users, or which users are allowed to access things without needing to have a lot of heavy administration in the back end. To maintain access to particular apps and things like that, you can set it once in a, in a particular policy and then it just maintains that access automatically for you.

Ben Love [00:14:30]:
Good stuff.

Cameron Fairfull [00:14:31]:
Yeah. All right, threat protection. So we are going to start looking a little bit more at some of the extra bits and pieces that come with Microsoft on their Defender side of things. So Microsoft Defender will come as standard with a number of different Microsoft licensing SKUs. These start with Microsoft 365 Business Premium and any of your enterprise licensing SKUs as well. So E3, E5, et cetera. And they are very beneficial. And Grassroots has actually seen some great benefit from having some of these implemented.

Cameron Fairfull [00:15:18]:
So the first two that I wanted to talk about are Safe Links and Safe Attachments. So Safe Links is a layer of security that rewrites a link that is incoming in an email message or an Office document, and it passes that link through Microsoft checks whenever somebody clicks on it. So it’s, it’s always a real time check or a time of click check. So that regardless of when the link was received, it will always be checked whenever the user receives it. So if a user receives an email that has a shortened link or something in it that someone sends through, and it’s a legitimate link when it first comes through, but then they go and rewrite that link and change that link to be something that goes to a malicious location, every time the user clicks on that particular link, Office, sorry, Microsoft will check that link and verify that where it’s going, it’s not listed in any of their malicious URLs. And make sure that that user’s not going to be redirected to somewhere that they shouldn’t be going, such as asking them to log in to be able to try and steal their credentials.

Ben Love [00:16:39]:
And look, email is still such a common, if not the most common attack vector for malicious actors. Sending through dodgy emails with a link in there to get you to click on it, which will take you to a dodgy website or somewhere that you don’t want to be. So addressing those links with this Safe Links feature really just protects your users across that major risk point.

Cameron Fairfull [00:17:09]:
Yeah, absolutely. And then Safe Attachments. So this one actually goes through Microsoft’s anti-malware protection in Exchange Online, and it scans the email attachment and looks for any malicious content that may be in the attachment. So, as an example, somebody sends through a, a particular file, it’s got some malicious HTML in it that may be pretending to be a PDF file, for instance, as an invoice or something like that. Safe Attachments will grab that attachment, open that attachment in a sandbox environment. So that’s an environment that is brought up. They look at that particular attachment and then it’s taken down again. And if there’s anything malicious that’s in that particular attachment, it will either remove the attachment from the email but still deliver the email with the note saying that it has removed the attachment, or it will simply not deliver the email based on the type of content that is in the attachment.

Cameron Fairfull [00:18:23]:
There are a couple of different ways that you can deliver emails. So you can, you can set up Safe Attachments so that it will, it will deliver the email almost instantly. And then Microsoft, once they’ve checked the attachment, will then attach the, attach it back to the email once it’s considered safe, or you can have it so that it will complete all of the scanning before it delivers the email. And it really comes down to preference on how you want those safe attachments to be able to be delivered to a user. There’s also some other features. So there is a monitor feature as well. So if Microsoft detect that there is any sort of malicious content that comes in, it will actually look at other emails that have come through as well and see if those messages may contain the same or similar types of malicious attachment. And it will then go and remove those attachments from those emails as well, which is something that is actually very beneficial if there is something that does manage to make it through this first line of checking.

Ben Love [00:19:43]:
Clever stuff.

Cameron Fairfull [00:19:45]:
Absolutely.

Ben Love [00:19:47]:
Now, Cameron, we’re about to launch into the next couple of things here. And these ones we’re going to be talking about, Microsoft Defender. I just want to highlight here for everybody, there are different Microsoft Defenders.

Cameron Fairfull [00:20:00]:
Yes.

Ben Love [00:20:01]:
Okay. So Cameron’s going to go into a bit of detail, but Microsoft has this fantastic habit of just confusing what they name products. So we’re about to talk about two different things, but they’re both called Defender. Cameron.

Cameron Fairfull [00:20:16]:
Yeah, absolutely. So the first one is Defender for Office 365. This was previously known under a different name that many of you may actually know, which is Office 365 Advanced Threat Protection. That is how it first started out. And Defender for Office 365 is purely just looking at all of your Office 365. So your Office apps, your email, et cetera, and seeing if there is anything in there that it needs to be concerned about. It’s its biggest job, obviously, is anti-spam, anti-malware, and anti-phishing. They are the three biggest things that it does.

Cameron Fairfull [00:21:06]:
But there’s also a whole bunch of other threat protection information behind that that it actually, that it actually looks at as well. And they’re some of the, the things that are done kind of in the background and they’re background checks that help the anti-spam and the anti-phishing policies that you might have configured to be able to make sure that where an email is coming from is legitimate or that an email was sent from a legitimate source. So the three big things that it does uses SPF, or sender protection framework; DKIM, which is DomainKeys Identified Mail; and DMARC. And apologies, I cannot remember what the acronym DMARC stands for, but DMARC is essentially a way of quarantining emails that may have come from somewhere that is not covered by those first two areas that I talked about, which is SPF and DKIM. And DMARC, you can configure in a multitude of ways to then take the appropriate steps before the email even gets to Defender for Office 365 and starts putting its own, or looking at the data that’s coming through and putting its own protections on that particular data. So anti-spam, it does exactly what you think it will. It looks at emails that are coming in, it decides, are these emails from bulk sender or are these emails coming in, you know, of a consistent message within them that will, that would be considered spam? So, you know, those emails that you’re coming through that are like, hey, we can quote you on a new website, or would you like us to, you know, send you more information about this? And that’s exactly what anti-spam is all about. It’s looking at the number of people that an email is sent to and the content of that email and deciding whether it should allow it through, whether it should quarantine it, or whether it should just block it altogether. Anti-phishing.

Cameron Fairfull [00:23:30]:
Anti-phishing ties very heavily into your SPF and your DKIM. And that specifically looks at where the emails are coming from and who the email sender is pretending to be. So a perfect example of this is somebody using a Gmail account that is pretending to be Ben, who emails me and says, hey, Cameron, I need you to do this very urgent thing for me. And that’s what anti-phishing is designed to do. It looks at it and it goes, hang on, that wasn’t sent from an allowed location, and it’s pretending to be Ben, who’s part of this organization when it’s not coming from Ben. And it will block that email. And then anti-malware is obviously doing a very similar thing to what Safe Attachments does. And I mentioned this before, anti-malware is the engine behind Safe Attachments.

Cameron Fairfull [00:24:25]:
And it, it specifically looks at anything that’s coming in, whether that be in email, that can be in Microsoft Teams, and it can be in a number of different areas across your Microsoft 365 tenant, even SharePoint actually. And it will determine whether any of the content that has been put up there is malicious. And if need be, it will take that, take that content down or quarantine the email that it may have that malicious content in it, so that a user can then go and look at that email and decide whether it’s something that is legitimate or something that is malicious, and they don’t need to actually see it anymore. So I mentioned earlier that there’s also a few different variations of licensing. And this actually falls under Defender as well. So Defender has two different iterations of licensing. There is Office 365, sorry, Defender for Office 365 Plan 1, and that includes all of your base level prevention. Then there is Defender for Office 365 Plan 2, and that has some additional prevention and detection pieces that come with it.

Cameron Fairfull [00:26:00]:
It allows you to do some additional investigation and response features. It also comes with some attack simulation training and a couple of features that allow you to further interrogate the emails that are coming into your organization and take action against those emails that may have made it through to a mailbox or multiple users’ mailboxes because they initially seemed legitimate, but on further inspection, they were not. And it allows you to go and move those emails out of a user’s mailbox and to their deleted items or into quarantine or something similar to that. And the other piece that it allows you to do is some specific SIEM integrations for automated investigation and remediation if you have more or additional security measures put in place for your tenant. And then the next part of Defender is Defender for Endpoint. And so this is more like your traditional antivirus, but a little bit better. So the base level of Defender for Endpoint will do all of your standard antivirus protections. It now does ransomware protection as well, and it uses the Microsoft machine learning in the background to be able to look at all of the information that is coming from your endpoint and determine whether that is safe or whether it is malicious and something that needs to be prevented or investigated further.

Cameron Fairfull [00:27:49]:
Again, Defender for Endpoint comes in two iterations. For the licensing, there is Defender for Endpoint Plan 1 and Defender for Endpoint Plan 2. And they literally differentiate between the amount of features that you have with your licensing and the application. Defender for Endpoint in Plan 1 or Plan 2 comes with your next generation protection for anti-malware and antivirus. You can do manual response actions so you can send files to quarantine. You can do detections on a device. It will let you do attack surface reduction. And attack surface reduction is something that allows you to harden your devices so it can prevent things from like zero-day attacks.

Cameron Fairfull [00:28:50]:
So they’re an attack that is brand new. Not many people know about, or not many of the security firms know about, and they’re still working out how to protect you against them. But it can see those particular behaviors that might come with some sort of an attack like that. And attack surface reduction will let you reduce the, the actual chance of them being able to do anything malicious on your device. Centralized configuration and management is very handy. So you can do that through the Microsoft Defender portal, or you can do that through Microsoft Intune if you are managing your devices through Intune as well. And it also protects a number of different platforms. So it’s not just Windows devices.

Cameron Fairfull [00:29:42]:
You can also protect macOS, you can protect Apple iOS, so your mobile phones and Android devices as well. And I would actually encourage people to download the Defender app on their actual mobile device and just have a look and see what it can do. It’s actually quite a very handy little application. And then when you look at Defender for Endpoint Plan 2, that extends out some of the features within Defender for Endpoint, and you start looking at your advanced threat protection. Lost the word. But you start looking at some of the advanced threat protection features that you can actually use. So one of those is endpoint detection and response. And that’s just looking at like visibility across your devices and seeing incidents that may have happened and being able to understand what those, those particular incidents did on a device.

Cameron Fairfull [00:30:52]:
And if there’s any sort of breach that may have happened and being able to understand what happened. There are a number of automated investigation or remediation triggers that you can also, you can also configure. And they, they’re both directly through the Defender portal or through Intune, but also through a SIEM as well. If you’ve got something that is ingesting all of that security data and processing it for you, there’s threat analytics as well. So that looks at the current threat landscape and gives you an insight into what may be some of the common attacks that are happening at the moment. I had a look the other day and Microsoft have well over 100 hundred listed at the moment. And then this does require signup. But with Defender for Endpoint Plan 2, you also have access to Microsoft security experts and so you can go directly to Microsoft and ask them to help you when you have a threat that is happening within your environment so that they can then look at all of the signals that are being received by Defender for Endpoint and determine the best way to help protect your environment.

Ben Love [00:32:17]:
Fantastic stuff. Thank you, Cameron.

Cameron Fairfull [00:32:19]:
No worries. I do still have a little bit more to go if you’re interested in hearing it. Yeah, so please do.

Ben Love [00:32:25]:
We have got some cracker questions lining up. By the way, I’m really keen to get into some Q&A, but please, no worries.

Cameron Fairfull [00:32:31]:
So some of the common settings that are available in Defender but go across all of the licensing levels, and these actually tie in really well with looking at things like your Essential Eight alignment and other just basic cybersecurity controls and that’s device control. So you have the ability to manage things like USB devices and removable media, so you can stop users from being able to plug mass storage devices into their computer and download all the information off your SharePoint or out of a team or something that might be considered sensitive or is something that only your business uses so you can stop them from being able to take that. There’s web threat protection and web content filtering as well, application control, and that’s a big one. And that’s allowing only trusted applications to run. So users cannot go and install any application that they wanted to and they would need to go through the process of allowing that application as a trusted application. There is vulnerability management as well. And the vulnerability management again falls under your Essential Eight, where you have visibility of something that might be considered a vulnerability on a device and that doesn’t just stem from your operating system on your computer. That could be an application, it could be something specific that is underlying in an application.

Cameron Fairfull [00:34:14]:
So you install one application and it needs another application to run, but you don’t use that other application, it just sits there and runs as needed. But there might be something found that’s a vulnerability in there that could be a high risk vulnerability that needs to be remediated. So it’s good at giving you visibility of all of that. And then depending on the license level that you have, you can also automate some of the remediation that you need to complete for that. Vulnerability management.

Ben Love [00:34:39]:
Well there’s a lot of, for those people who are already on the Essential Eight journey, there’s a lot of the stuff Cameron’s talking about here, such as application control and vulnerability management and all of those words there that all become quite relevant when you’re, when you’re aligning your organization to the Essential Eight or to any of the other frameworks like the NIST or the CIS. But I know a lot of people here are already looking at the essential.

Cameron Fairfull [00:35:11]:
And that’s it for me. That’s all I have.

Ben Love [00:35:15]:
Fantastic. Thank you, Cameron. So everybody, we will move into some Q&A now if that’s all right. We have had some really quality questions come through in the chat, Cameron, which I’m really actually quite interested to hear your take on. So if it’s all right with you Cameron, I’ll read out these questions and maybe you can help address them for the room.

Cameron Fairfull [00:35:37]:
Yeah, absolutely.

Ben Love [00:35:39]:
So we’ve got a question here from Shane. I think this is a great one, actually. Shane, great way to start: “Not understanding how we could have had Office 365 for years and never heard of Entra ID. Is this something that is switched off by default?”

Cameron Fairfull [00:35:56]:
Well the answer to that is no, it’s switched on by default. Actually, when you are looking at your admin portal for Office 365 and you’re looking at all of your users, it’s just basically a pretty way of showing you Entra ID. You’ve always had Entra ID there. It’s always been that driver for managing all of the user information. It’s just if you’re not looking for it, you won’t find it.

Ben Love [00:36:24]:
Cameron, what about the words Entra ID? Because those words are only new.

Cameron Fairfull [00:36:29]:
They are absolutely only new. So Microsoft changed the name of Azure Active Directory about six months ago, maybe a little bit longer, a little bit.

Ben Love [00:36:39]:
More than that I think. But yeah, very recently.

Cameron Fairfull [00:36:42]:
But very recently to Entra ID so that it wasn’t becoming confused with some of the other Active Directories that are still very much in use across a large number of organizations.

Ben Love [00:36:55]:
Shane, the topic of identity management, which is what Entra ID is all about, is becoming bigger and bigger. It is becoming a very important piece. Microsoft obviously decided that they were going to call it out a little while ago and differentiate it into almost its own product and feature set. And they labeled that Entra ID. But as Cameron said, a lot of the functionality, all of the core stuff, it’s been there all along. It’s just Microsoft have been building out on it quite a lot lately and have of course, given it a snappy new title of Entra. All right, next question here is from Stuart. This is an interesting one, Stuart.

Ben Love [00:37:36]:
Actually, I’m not sure. We’ll have to see whether we can actually understand your question here. One of the difficulties, this is, to quote Stuart: “One of the difficulties with Entra is face recognition and PIN capabilities. We are experiencing users forgetting their password when logging into non-Microsoft SSO-linked products like AlayaCare.” Now, I think I understand that. I wonder if we can take Stuart off mute just for a minute to see if he can just explain that to us because this is a really interesting one that I think is probably worth understanding because. Sorry, Stuart, bear with me. I’m just going through the thing here.

Cameron Fairfull [00:38:22]:
Stuart, I’ve allowed your microphone. You should be able to unmute yourself now.

Speaker C [00:38:30]:
Unmuted. Look out. Unmuted.

Ben Love [00:38:32]:
There we go. Welcome, Stuart. Now, Stuart, we didn’t talk a lot about SSO or single sign in during the webinar, but just for everybody else in the audience, essentially that’s when a non-Microsoft app can be configured to look at your username and passwords in Entra ID as its identification. So there is a single username and password for a user held in Entra ID. And that can authenticate not only people to your Microsoft apps, but to third-party apps as well. Stuart, can you please explain your situation and we’ll see if Cameron’s got some comments.

Speaker C [00:39:06]:
Absolutely. So AlayaCare is a third-party product, Microsoft product housed in downtown AWS Sydney. But we’ve been able to employ Microsoft same sign on into AlayaCare for ease of use. That was in the days when we had an on-site domain on our server. Ever since we worked with you folks to shut down all of our on-site products and move fully into Entra, we get the occasional staff member who, when they click on the icon for AlayaCare, the shortcut, rather fire it up. And we’ve still got it in that no trusted network mode. So every time you log in, it’s going to be asking you the credentials. People sometimes can’t remember their password so they’ve got their username.

Speaker C [00:40:12]:
That’s, that’s easy. That’s their email address because they log on to their laptop maybe using facial recognition or the PIN which is available through Entra. SSO doesn’t always let you ask about that. It wants to know your username, wants to know your password and then our multi-factor authentication.

Ben Love [00:40:40]:
Interesting scenario.

Speaker C [00:40:41]:
There may be a way of forcing it, I don’t know, but that’s what we’re experiencing.

Cameron Fairfull [00:40:48]:
Look Stuart, this is definitely a unique one. I’m going to say it’s probably a combination of things that we could look at for this one: you could set a subset of users to not being able to use Windows Hello or a PIN or facial recognition or something like that when they log into their device and that will force them to use their password every time they log in so there’s less chance of them forgetting it. But on the flip side, there may be some further configuration that we could look at within AlayaCare that would allow a different way for users to authenticate when they are going through that login process. And that’s something, that’s something that you would need to work on with the third-party vendor to understand. The best way for us to be able to make that login process for a user as seamless as possible.

Speaker C [00:41:48]:
We might need to explore it because it actually isn’t anything to do with third party vendors or it’s using the Microsoft authentication broker to log in. But you’re right, it could all be a configuration piece and maybe we can explore that.

Ben Love [00:42:06]:
Yeah, no, that’s a curly one, Stuart. We might take that offline if that’s all right, Stuart.

Speaker C [00:42:11]:
Absolutely. Just saying. I wouldn’t want to turn Windows Hello off because that would be the guaranteed way to get a mutiny across 200 people.

Ben Love [00:42:21]:
For anybody who’s not aware, Windows Hello is a feature in there that lets you use things like fingerprint scanning, facial recognition and actually just a numeric PIN number to log onto your computer rather than having a full password there. It’s another feature, it’s all very secure. It’s integrated into Entra ID. But that’s pretty cool stuff. Look, let’s keep moving through these questions if that’s all right. So Stuart, you actually, we had a second one here. So Cameron, Stuart writes, does locking down to Australian IP addresses using Conditional Access limit Microsoft’s ability to provide support if required?

Cameron Fairfull [00:43:00]:
Well the short answer is no. The longer answer is Microsoft don’t actually have direct access to your tenant. So Microsoft use a feature called Lockbox if they need to directly access your tenant. The way that Microsoft would gain access would be via you contacting support, a support representative reaching out and then them doing some sort of a shared session with you for them to simply see what you are doing within the tenant and then assist you to make whatever changes are needed, rather than Microsoft having direct access to your tenant.

Ben Love [00:43:39]:
Fantastic. Thanks, Cameron. All right, Natasha, Natasha’s question, what level of Microsoft licenses gives access to Safe Links and Safe Attachments?

Cameron Fairfull [00:43:51]:
So you would need Defender for Office 365 Plan 1, which you can get with Microsoft 365 Business Premium and the Microsoft 365 enterprise licensing, which is E3 and E5.

Ben Love [00:44:10]:
So Microsoft 365 Business Premium, I would just encourage everybody to think about that particular plan as the default plan that you should be looking at getting, unless you have a specific use case for getting a larger or a smaller plan. But Business Premium, that’s kind of the sweet spot. That’s got all of the good stuff in it at the right price. Ian, hello there. Ian’s question, if you lock down access to Australian IP domains only, can’t this just be bypassed via a VPN?

Cameron Fairfull [00:44:43]:
Ian, absolutely it can. And we have seen a few of those attacks where the attacker has realized that they have the correct credentials but they’re being blocked by Conditional Access and they simply pivot to using a VPN to then make themselves look like they are in Australia and then try and access that account. There is unfortunately no way around that. The thing that you can do, however, is you can make sure that you’ve got alerting configured so that if there are any sort of logins where the activity is detected as coming from a VPN, you can have some sort of alert triggered that will go to yourself or whoever looks after your IT to say hey, this user account connected via VPN is legitimate.

Ben Love [00:45:41]:
Fantastic. Thank you. And if anybody here is still using VPNs for their own productivity, to VPN back into their own office network or something, please talk to us after this. Okay, it’s time that VPNs are retired. They are a bit of a security concern as far as I’m concerned. All right, next question here. Chris. Hello Chris.

Ben Love [00:46:05]:
Chris, that’s right. Ben, do you have a security audit tool that we can go through all of this and then ensure we are set up properly to defend against the nasty people? Cameron, can we help Chris do a cybersecurity audit on all of this?

Cameron Fairfull [00:46:19]:
Absolutely. So we have a couple of different options available. We can go as far as looking at your alignment to Essential Eight. We can just look at a more higher level cybersecurity audit and just go across everything that you use in your business and see how it aligns with what best practices. Or we can just do a simple audit across your Microsoft 365 tenant and look at all of the common configuration points that Grassroots IT would expect to see configured or enabled to then give you a report and give you some recommendations and some guidance on where to start securing your tenant.

Ben Love [00:47:10]:
Great. Thanks, Cameron. All right, Stuart’s got another question here. Does Defender for Endpoint Plan 1 or 2 present as a viable alternative to the Sophos product that is currently running for them?

Cameron Fairfull [00:47:25]:
I’m a little bit of a Sophos fanboy, unfortunately. I’ve seen the benefits with a teenage son who tries to do silly things on the computer at home and gets blocked because they have Sophos there. And I wouldn’t put that same trust in Defender. I think Defender works well with another antivirus solution that is more mature and more stable, and the two actually work hand in hand together to actually give you that extra level of protection where you can do some of those Defender for Endpoint security configurations that you want to apply directly to a machine, but then also use Sophos for that very specific, the antivirus and ransomware detection and things like that.

Ben Love [00:48:19]:
Fantastic. Thank you. All right, Mithy writes, does the Defender for Endpoint can only. Just trying to interpret this Defender for Endpoint. Can it only be implemented using Intune, or can it be included in one of your security packs? So the Grassroots IT security pack there, I think Mithy is referring to.

Cameron Fairfull [00:48:44]:
So there’s a bit of a combination there. There are some features that do require you to have Intune, and there’s some of the slightly more advanced features like the application control and web controlling, USB devices, et cetera. And then there are some that can be configured just through the Microsoft Defender, the Microsoft Defender portal. So it’s a bit of a combination there, Mithy. And best practice would be to use it through Intune. It’s much more configurable that way.

Ben Love [00:49:22]:
Just as a general comment on Intune, Intune is the way it is all going. So if you do not already have Intune in place, or if you do not already have Intune on your roadmap, I strongly encourage you to at least get it onto the roadmap somewhere because that simply is the direction that all of this is going. All right, Rowan, this is a bit of a philosophical question from Rowan. As big as Microsoft are, is there a risk in centralizing this through the one provider, or do the pros outweigh the cons? Cameron, interested in your position on this one?

Cameron Fairfull [00:49:59]:
I can see both pros and cons. The biggest con is if Microsoft goes offline for whatever reason, hasn’t happened very frequently. But that’s not to say that it can’t happen. And the downside is if your system that you’ve connected through Entra ID only allows access via that particular sign in method, then users can’t log in. The best way to overcome that is to make sure that you have accounts that you can still access a particular system with. Should you not be able to log in via some form of single sign on or same sign on.

Ben Love [00:50:47]:
So what we would refer to as a break glass user account. Yeah. Written on a bit of paper in a sealed envelope in a fireproof safe somewhere.

Cameron Fairfull [00:50:58]:
That’s a post it note on the bottom of the CEO’s.

Ben Love [00:51:02]:
Yeah, silly me. All right, Mithy’s got another question. What is the purpose and the target market for Microsoft Business essential or standard? And if none of those security features are available for these plans.

Cameron Fairfull [00:51:22]:
So they aim at giving you different access or different levels of access, I should say so. Business Essentials is obviously that it’s at the lowest level, it gives you the 365 apps online, it gives you a mailbox, it gives you access to SharePoint, Teams and those sorts of things. Standard obviously gives you a few extra bits. You can download the Office apps and have them installed on your device. But again, they don’t come with those additional add ons that you see with Business Premium that give you all those additional features within Entra ID and the Defender side of Microsoft as well, where you can add on all of those additional security features that you really need these days.

Ben Love [00:52:13]:
Thanks Cameron. And Mithy, I’ll just reiterate what Cameron basically just said there. Yeah, the Microsoft Business Essentials truly is the bare bones stuff to really start getting the security features that in my opinion we just all need should be non negotiable these days. It’s Business Premium is the plan that you need. There’s a lot of cool stuff in Business Premium too, that goes above and beyond just a defensive stance. There’s a lot of good stuff there to, you know, that you really need to make sure you’re taking advantage of what you’re getting in the license there, to make sure you’re maximising that ROI on those licenses as well. All right, that’s the end of our questions. There were some really great questions there.

Ben Love [00:52:56]:
I really appreciate those, Cameron, thank you for your time. You’re an absolute wealth and font of knowledge about all things Microsoft 365 and cybersecurity. So thank you. Thank you again. And of course, if anybody has any further questions, would like to continue the discussion about anything we’ve touched on today. Please, you know where to find us www.grassrootsit.com.au or email us inquiries@grassrootsit.com.au. Thank you all. Have a great day.

Cameron Fairfull [00:53:23]:
Thank you, everybody.
