Category: Uncategorized

Microsoft Cloud Licensing and Cost Summary

Here’s a simple high level guide to navigating Microsoft licensing from a security perspective.

This guide won’t go into the details of ‘why’ you need these licenses, and it won’t discuss the operational costs of implementing these security solutions.

Your main reference for Microsoft enterprise licensing is here!
(don’t worry if you’re not in the US, it will ask you to switch)

On the left hand side of this page is a pdf you should download and really get to know:

Budgeting for security in any organization can be a challenge. Let’s assume you’re taking the leap with Microsoft but you want to work it into your budget.

Consider E5 licenses for a subset of users and E3 for the rest.

This will allow you to optimize the use of the security related features for your critical infrastructure and then grow out to the larger cost of protecting everything.

P1 vs P2

Next look at the P1 vs P2 features. If you have that E5 license then you’re mostly set with the P2 features since they’re included with E5.
If you have E3 then consider adding all of the P2 features until it makes more sense cost-wise to switch to E5. The order in which you add the P2 features will depend on your security priorities.

Don’t shrug off the importance of many of these P2 features. Here are some links to look at for more information:

Additional cost considerations:
  • DDoS protection
  • WAF
  • SIEM – Microsoft Sentinel
  • EASM – External Attack Surface Management

See the link for the Pricing Calculator below to dig into the cost of these additional services.

References:

M365 Licensing (includes everything related to E3, E5, P1, P2, etc.)
Defender for Cloud Pricing
Pricing Calculator – select the ‘Security’ side menu and go from there

Performing a Security Audit on Logic Apps

As DevOps move toward no-code apps in the cloud, there becomes a need for security reviews and controls to prevent risky

This is nothing new, but the need for better security reviews is becoming clear as more people try to rush to get their apps done in the easiest way possible.

Here’s a simple approach to identifying security risks in your logic apps:

  1. Create an architecture diagram of your logic app. This can be a simplified version that just shows the high level logic.
  2. Break down the logic app by it’s components:
  • The individual logic app components – you likely won’t find too many security problems here.
  • all the parameters – don’t hardcode passwords into parameters!
  • connectors – Often the culprit of weak security in logic apps. Really understand what these connectors are communicating with. Don’t allow public access. Limit the roles/permissions.
  • app registrations – another culprit of weak security. If app registrations are needed for your logic apps, be sure permissions are set to their most restrictive settings. avoid read.all readwrite.all settings.
  • managed identities – if possible, use managed identities instead of user accounts for your connectors. Many logic apps don’t yet support managed identities, so those apps will require additional monitor and possibly frequent password/secret changes.

3. Use Resource Locks to prevent changes. If someone tries to turn off resource logs be sure it’s logged and alerted on.

4. Restrict user/admin access to your logic apps. Some apps can have really powerful permissions/access, so you don’t want users to ever have the ability to change logic apps unless they’ve been given specific short-term permissions to do so.

5. LOG EVERYTHING – wherever possible, enable logging within logic apps and connectors. Store logs in a Log Analytics Workspace. Use Azure Monitor alerts ore Microsoft Sentinel to monitor/report/alert on all activities.

6. Perform ‘attack simulations‘. Run your logic apps through test conditions which will trigger your alerts. Validate your alerts work as expected.

7. Build a ‘logic app security audit’ spreadsheet. Use this as a template for repeated audits for future logic app security testing. Use the above ideas as the initial framework for your spreadsheet.

I’m a Microsoft Recognized Community Hero!

I’m very excited to have been recognized by Microsoft as an Azure Community Hero!

Having worked with (not employed by..) Microsoft for several years as a Security Solutions Advisor/Developer, in 2021/22 I began taking on more of a volunteer role finding ways to give back to the community in any ways I could find.

After several months of contributing on the Microsoft Q&A sites I was very surprised to receive this badge(r) of recognition which they title ‘Microsoft Azure Community Hero’.

So I hope you don’t mind me sharing in my happiness for this honor.

Isn’t it cute?

https://jumpnet.enjinx.io/eth/asset/68c0000000000065/183?source=EnjinWallet-1.15.1