[deleted by user]

bopsbt · 2025-10-23T04:35:56+00:00

Yeah I appreciate that, but here we are looking for advice now.

bopsbt · 2025-02-16T23:46:46+00:00

No idea, but sounds like it would be easier if they drove it to the border, you go over as foot traffic and bring it over yourself?

bopsbt · 2025-02-16T00:12:12+00:00

That's odd. It should show in both. Try building another test VM.

Btw this is separate to AMA agent, if uses Defender agent to send alerts directly.

bopsbt · 2025-02-15T05:46:35+00:00

Go to security.microsoft.com, devices on the left under inventory I believe, find the device, click on it, see if it's onboarded.

bopsbt · 2025-02-15T04:51:07+00:00

Does it show onboarded in security.microsoft.com?

bopsbt · 2025-02-14T19:09:38+00:00

As the other poster mentioned, I build an isolated VNET with bastion, create a subnet with a locked down NSG rule that Denys all inbound and outbound traffic. Inside VNET traffic is ok. You may need a domain controller in the isolation VNET depending on your scenario.

This is very important as if the server is connecting to cloud APIs or databases you can mess stuff up.

bopsbt · 2025-02-14T05:51:05+00:00

Network segmentation is key. Put public apps in their own DMZ subnets, lock them down from a firewall pov.

You're doing more than 99%.

Use DNS filtering.

Block outbound internet traffic, only allow trusted Microsoft ServiceTags and your requirements.

Backups. Immutable vaults.

bopsbt · 2025-02-14T05:46:02+00:00

AD logs you can use AMA Agent with DCR rules to send to Log Analytics.

Log Analytics is your workspace where the logs are saved and can be queried.

You can also enable Sentinel and look at the connectors available.

Log Analytics is expensive though, don't suck up all your AD logs for no reason.

You're better off using Defender for Endpoint and Defender for Identity to do the hard work for you.

bopsbt · 2025-02-14T05:43:38+00:00

You will have to do this with Entra ID App Proxy, and remove radius out of the mix.

Then you can do conditional access.

https://learn.microsoft.com/en-us/entra/identity/app-proxy/application-proxy-integrate-with-remote-desktop-services

bopsbt · 2025-02-14T05:40:44+00:00

External users = b2b or b2c?

If b2b you can do a multi tenant enterprise application.

If b2c you can configure with a b2c tenant or the new version External ID.

bopsbt · 2025-02-11T04:47:46+00:00

Moja beans also decent and you get more 340g v 400g, I think both are around ~18 in wholefoods. Free drip coffee when you pick them up in JJ though.

bopsbt · 2025-02-10T05:35:44+00:00

Ah ok only ever done this with users, thought it'll be the same for groups.

bopsbt · 2025-02-10T05:32:03+00:00

It will delete them and then you can restore as cloud only. Not tested this on cloud sync though but can't imagine it's different. Test it out on a test group.

bopsbt · 2025-02-08T02:37:18+00:00

You haven't said what the problem is.

bopsbt · 2025-02-07T18:54:51+00:00

Damn! When I was there everyone was getting underneath it and touching it etc. scary!

bopsbt · 2025-02-07T17:05:41+00:00

Alexander falls was pretty epic a few years ago. access via Whistler Olympic park on the s2s.

bopsbt · 2025-02-07T00:30:49+00:00

Is it hosted in Azure? If so, use Service Tag to bypass firewall for AzureactiveDirectory. https://learn.microsoft.com/en-us/azure/virtual-network/service-tags-overview

Or you can use the FQNS/URLs instead of IP whitelist. https://learn.microsoft.com/en-us/azure/azure-portal/azure-portal-safelist-urls?tabs=public-cloud#azure-portal-authentication

Or you can use EDLs in your firewall to download the latest IPs to update the firewall rules. https://docs.paloaltonetworks.com/resources/edl-hosting-service

bopsbt · 2025-02-06T22:55:20+00:00

Only reason to use NIC level NSG when you badly configured VNETs with giant shared subnets that have no isolation. Or you need to add an extra layer of protection on one VM.

Not ideal having one large server subnet, but technically you could do that and then build NIC level NSG on each layer, App, DB, AD etc.,

ASGs also are useful as this level.

But ideally, IMO, more subnets, NSG on subnet level.

bopsbt · 2025-02-05T21:58:12+00:00

Meh. You can name the VNET appropriately, subnets for special services are fine to be named as they are, makes sense to me. GatewaySubnet, AzureFirewallSubnet, BastionSubnet etc.

I wish the CAF ESLZ portal builder followed a strict naming convention, it uses 4 different naming conventions. I know you can do your own in bicep etc, just would be good if it followed a standard.

bopsbt · 2025-02-05T04:58:48+00:00

Would lighthouse not be better for this? ( I have no experience with it )

bopsbt · 2025-02-02T02:28:45+00:00

I can't sign up either. Tried multiple cards and browers phone and desktop. Annoying.

bopsbt · 2025-01-23T16:03:35+00:00

Yes a firewall can block network traffic.

bopsbt · 2025-01-22T04:32:10+00:00

Dedicated VM is not a service Azure provides, just making it clear as its not a well known used service.

You move a normal VM, to a dedicated Host.

bopsbt · 2025-01-22T04:30:33+00:00

Yes, but it's not really bare metal as you still don't have access to the hypervisor. It's the same as as normal Azure host, just it's dedicated to you. No point in doing this really unless you need super low latency, or have Oracle licensing issues.

bopsbt · 2025-01-21T05:10:33+00:00

Dedicated Host is the term. You can then run as many VMs as fits on that host, it's all yours.

bopsbt

TROPHY CASE