Automating Azure Securely: Microsoft Graph, Identity & Cloud Automation with Ahmed Uzejnovic [MVP]

1
00:00:00,000 --> 00:00:06,000
Hello and welcome to another edition of the M65 podcast. My today guesses Amit

2
00:00:06,000 --> 00:00:11,000
Usinov, I always spelled right and I T. Amit Usinovich.

3
00:00:11,000 --> 00:00:12,000
Yeah.

4
00:00:12,000 --> 00:00:18,000
Okay. Yeah. He is an IT automation and infrastructure specialist from Salzburg

5
00:00:18,000 --> 00:00:23,000
with strong focus on PowerShell, Microsoft Graph, API, Azure Automation

6
00:00:23,000 --> 00:00:28,000
System, Center or Casting in Hybrid Microsoft and Ryan Lens.

7
00:00:28,000 --> 00:00:35,000
Amitus passionate about building automation that actually is all its real world

8
00:00:35,000 --> 00:00:39,000
operational problems, security, real and at scale.

9
00:00:39,000 --> 00:00:45,000
Behind his daily work, he actively share knowledge to blocks, community sessions,

10
00:00:45,000 --> 00:00:48,000
and conference speaker.

11
00:00:48,000 --> 00:00:54,000
Yeah. And in this episode, we will explore secure cloud automation,

12
00:00:54,000 --> 00:00:59,000
Microsoft Graph, identity driven automation, Azure Skipping and how

13
00:00:59,000 --> 00:01:04,000
organization can automate smarter without compromising security.

14
00:01:04,000 --> 00:01:05,000
So, yeah.

15
00:01:05,000 --> 00:01:12,000
How did your journey into automation and infrastructure begin?

16
00:01:12,000 --> 00:01:20,000
It begins when I started working at the company in the local IT support.

17
00:01:20,000 --> 00:01:27,000
Good. So, I was there five years and three years of that I was in the IT support.

18
00:01:27,000 --> 00:01:34,000
And there I've seen many things. So, you have to imagine I have started in the IT

19
00:01:34,000 --> 00:01:39,000
support with school knowledge. So, I come from the school, I teach at

20
00:01:39,000 --> 00:01:45,000
the teaching school and yeah, I started there and learnt so much things.

21
00:01:45,000 --> 00:01:52,000
But I have seen there are so many potential for things, what are easy to automate.

22
00:01:52,000 --> 00:01:58,000
So, because if you have a user on-boarding or you just a living,

23
00:01:58,000 --> 00:02:04,000
you have always the same same problems. So, you're sitting there and you have to use a

24
00:02:04,000 --> 00:02:09,000
living or a decade who has done the user living before.

25
00:02:09,000 --> 00:02:15,000
Something sitting there three or four hours and done 20 user living.

26
00:02:15,000 --> 00:02:23,000
And I started in my desk to automate this.

27
00:02:23,000 --> 00:02:27,000
For support, for support, for step one script, second script.

28
00:02:27,000 --> 00:02:33,000
And then we get some scripts there and it was a little bit better, but it was not

29
00:02:33,000 --> 00:02:42,000
perfect. And then my chef, so my chef said, okay, he knows something,

30
00:02:42,000 --> 00:02:47,000
something, this was my idol, also my ex-boyfriend MVP.

31
00:02:47,000 --> 00:02:54,000
And he comes to us and we have done in I think two or three days the user

32
00:02:54,000 --> 00:03:00,000
living, a file user living and this user living is working in this company as

33
00:03:00,000 --> 00:03:05,000
well today. So, they're working with that. This is really cool.

34
00:03:05,000 --> 00:03:11,000
And this was the start of my journey here. After that, I have started with the user

35
00:03:11,000 --> 00:03:15,000
on-boarding, have done some exchange tasks, some paracuda, firewall,

36
00:03:15,000 --> 00:03:21,000
rule automations and so on. And has seen, okay, there are much,

37
00:03:21,000 --> 00:03:29,000
much, many, much potential and started to look around where I can do this

38
00:03:29,000 --> 00:03:35,000
more than in the local company for the other company where I have only done

39
00:03:35,000 --> 00:03:42,000
automation and started to work with systems and orchestrate the eight

40
00:03:42,000 --> 00:03:45,000
automation, a little bit of power apps, power, automate and so on.

41
00:03:45,000 --> 00:03:49,000
So this was my pick innings here.

42
00:03:49,000 --> 00:03:57,000
And what, why you choose Microsoft technology and

43
00:03:57,000 --> 00:04:02,000
Azure and not, I don't know, other Unix or something.

44
00:04:02,000 --> 00:04:05,000
I think you can also automate a lot in script.

45
00:04:05,000 --> 00:04:11,000
I think it was like, like, it grows so you come there in the company and

46
00:04:11,000 --> 00:04:15,000
the world company is using Microsoft. So you try to automate that,

47
00:04:15,000 --> 00:04:24,000
what you have. And I have, I have also done something with Linux and

48
00:04:24,000 --> 00:04:28,000
Dresperify and these things, but this was all private stuff and

49
00:04:28,000 --> 00:04:34,000
nothing, enterprise related, I would say. And all the enterprise

50
00:04:34,000 --> 00:04:38,000
related, we had only Microsoft and then we started to automate

51
00:04:38,000 --> 00:04:41,000
this Microsoft stuff.

52
00:04:41,000 --> 00:04:46,000
You say you have started, I think, try to do traditional scripting.

53
00:04:46,000 --> 00:04:51,000
And now, yeah, we have, I think, modern cloud automation.

54
00:04:51,000 --> 00:04:56,000
How did it change over the years you working in automation?

55
00:04:56,000 --> 00:05:00,000
So at the beginning, we started only on premise.

56
00:05:00,000 --> 00:05:05,000
So there was no cloud, nothing from other. We had on premise exchange,

57
00:05:05,000 --> 00:05:08,000
on premise files, whereas there were no one drive.

58
00:05:08,000 --> 00:05:12,000
There were no, it was SharePoint, but on premise.

59
00:05:12,000 --> 00:05:17,000
But there were no clouds. So you have to work with this stuff.

60
00:05:17,000 --> 00:05:24,000
And after some, I would say after three or four years, then it started.

61
00:05:24,000 --> 00:05:29,000
There was a agent subscription. Okay, we have an agent subscription in the company,

62
00:05:29,000 --> 00:05:36,000
but nothing else. What did it? And then I have started, okay,

63
00:05:36,000 --> 00:05:41,000
what is Asia? What we can do with Asia? What we have potential to do with Asia?

64
00:05:41,000 --> 00:05:45,000
And find out, okay, there is Asia automation. There is a half-true occurred.

65
00:05:45,000 --> 00:05:50,000
You can connect your cloud workloads with on-premise workloads.

66
00:05:50,000 --> 00:05:57,000
So this was really cool. Later then, there was Asia arc.

67
00:05:57,000 --> 00:06:04,000
Yeah, there were many things. What happened there?

68
00:06:04,000 --> 00:06:13,000
The last thing, the Azure services map, and I think there was a growing over-towel services.

69
00:06:13,000 --> 00:06:17,000
There are also services I never have heard before.

70
00:06:17,000 --> 00:06:20,000
It's a satellite service, and so on. It's really interesting.

71
00:06:20,000 --> 00:06:24,000
How and this ever is going.

72
00:06:24,000 --> 00:06:29,000
Yeah, before, before there was, I have tested something with,

73
00:06:29,000 --> 00:06:34,000
not with AI. It was before AI, some, the face recognition,

74
00:06:34,000 --> 00:06:38,000
APIs, and some, some things, this all was on Asia,

75
00:06:38,000 --> 00:06:41,000
but you have only to try to test it.

76
00:06:41,000 --> 00:06:46,000
It's a little bit, but you have tried it. So I have tried the service,

77
00:06:46,000 --> 00:06:51,000
at registration, credit, small script, and tried the first recognition API.

78
00:06:51,000 --> 00:06:55,000
So it works. So I put it in my face that recognizes me,

79
00:06:55,000 --> 00:06:58,000
but that in the picture with more people, it recognizes more people.

80
00:06:58,000 --> 00:07:04,000
So this was before AI really. And then after I was there,

81
00:07:04,000 --> 00:07:10,000
yeah, this was not about, yeah, I do this all on my song.

82
00:07:10,000 --> 00:07:15,000
But you're working so long in this automation part.

83
00:07:15,000 --> 00:07:19,000
What's, what's, keep you exciting about it?

84
00:07:19,000 --> 00:07:22,000
In automation.

85
00:07:22,000 --> 00:07:23,000
Yeah.

86
00:07:23,000 --> 00:07:24,000
That's really automation part.

87
00:07:24,000 --> 00:07:32,000
So the excited thing is that you can help others to move their workloads

88
00:07:32,000 --> 00:07:36,000
to things what are

89
00:07:36,000 --> 00:07:40,000
educationally or

90
00:07:40,000 --> 00:07:42,000
what's metas more.

91
00:07:42,000 --> 00:07:48,000
So if you have some people, what, I would say,

92
00:07:48,000 --> 00:07:55,000
like I said, at the beginning, the guy who's done the use of boarding every day for two or three hours,

93
00:07:55,000 --> 00:07:57,000
he has more potential.

94
00:07:57,000 --> 00:08:05,000
So my intention is to give people three room to find or to do things,

95
00:08:05,000 --> 00:08:10,000
what are metas more to be creative to, I would say,

96
00:08:10,000 --> 00:08:16,000
when I script is running to hours, in this time, I can do other things.

97
00:08:16,000 --> 00:08:23,000
So learn something new to Asia course or learn something new about it.

98
00:08:23,000 --> 00:08:30,000
Check the new newly, new posts on, on, on Reddit or I don't know.

99
00:08:30,000 --> 00:08:36,000
And only to not do stuff, what, what you don't drink forward.

100
00:08:36,000 --> 00:08:42,000
This is the main focus why I love automation and doing automation.

101
00:08:42,000 --> 00:08:47,000
And the second thing is I always have left automation,

102
00:08:47,000 --> 00:08:50,000
not only in IT perspective.

103
00:08:50,000 --> 00:08:53,000
So I have, and background,

104
00:08:53,000 --> 00:08:59,000
background, also in electrician a little bit.

105
00:08:59,000 --> 00:09:01,000
And electrician automation.

106
00:09:01,000 --> 00:09:05,000
There is also, you can also automate a bunch of stuff.

107
00:09:05,000 --> 00:09:09,000
Also using the Raspberry Pi Arduino and so things.

108
00:09:09,000 --> 00:09:13,000
So it's also a little bit from, from this perspective.

109
00:09:13,000 --> 00:09:15,000
And you can combine that.

110
00:09:15,000 --> 00:09:20,000
So because you are solving a problem, a electrician problem.

111
00:09:20,000 --> 00:09:26,000
Is it the same when you solving a problem in automation or you try to define a process?

112
00:09:26,000 --> 00:09:30,000
So in automation, you need to do processes.

113
00:09:30,000 --> 00:09:34,000
Because if you don't have a good process, you can't get a good automation.

114
00:09:34,000 --> 00:09:37,000
Like if you're in front of reset, if you have shit data, you get the shit process.

115
00:09:37,000 --> 00:09:41,000
So it's, you need good data, you need a good structure.

116
00:09:41,000 --> 00:09:45,000
And then you get the good automation out there.

117
00:09:45,000 --> 00:09:48,000
It's, it's a for dimension here.

118
00:09:48,000 --> 00:09:56,000
Or as well, if I have not, or for if I'm building a house, if I have not a solid underground,

119
00:09:56,000 --> 00:10:00,000
the house will maybe be there two, three or five years.

120
00:10:00,000 --> 00:10:05,000
And then it will, I have to rebuild it.

121
00:10:05,000 --> 00:10:15,000
So always, the cool thing is you need to first think about what I want.

122
00:10:15,000 --> 00:10:26,000
And then sets the, I would say it in English, the group file.

123
00:10:26,000 --> 00:10:33,000
But we need to think what you want and set the main starts that you are stable.

124
00:10:33,000 --> 00:10:41,000
And then take parts to parts to parts, to process, to process, to process.

125
00:10:41,000 --> 00:10:45,000
And then you can scale it.

126
00:10:45,000 --> 00:10:51,000
You don't have one big process with many things out there and nothing is working.

127
00:10:51,000 --> 00:10:52,000
Good.

128
00:10:52,000 --> 00:10:55,000
So try to begin with one small step.

129
00:10:55,000 --> 00:10:58,000
If the small step is working, go to the next one.

130
00:10:58,000 --> 00:11:03,000
And as I have an idea of that, what you want at the end.

131
00:11:03,000 --> 00:11:05,000
So it's not a problem.

132
00:11:05,000 --> 00:11:08,000
If you have all the small script or something, something.

133
00:11:08,000 --> 00:11:12,000
The script is working and the script does this, what it does.

134
00:11:12,000 --> 00:11:20,000
It's not problems only through lines, but it's a part of the big one at the end.

135
00:11:20,000 --> 00:11:27,000
I think when people hear automation, they often think it's a script.

136
00:11:27,000 --> 00:11:30,000
But it's that.

137
00:11:30,000 --> 00:11:37,000
But what did you think do modern clouds automation actually mean today?

138
00:11:37,000 --> 00:11:40,000
Modern cloud automation.

139
00:11:40,000 --> 00:11:43,000
So we have many workloads.

140
00:11:43,000 --> 00:11:45,000
I would say in the cloud.

141
00:11:45,000 --> 00:11:55,000
So clouds are nothing other than on premise systems with many data centers, data outsourced at the center.

142
00:11:55,000 --> 00:12:04,000
So we have to find cloud automation to definition.

143
00:12:04,000 --> 00:12:14,000
So we have many frameworks and we need to connect this framework to get something to work.

144
00:12:14,000 --> 00:12:21,000
So mainly automation is to connect to frameworks or data.

145
00:12:21,000 --> 00:12:26,000
Some data with frameworks to get results out of it.

146
00:12:26,000 --> 00:12:31,000
To move data from one place to other places in them, the main thing.

147
00:12:31,000 --> 00:12:34,000
For example, we have a hrtate base.

148
00:12:34,000 --> 00:12:38,000
And at the other side, we have an active directory.

149
00:12:38,000 --> 00:12:41,000
And then we need somehow.

150
00:12:41,000 --> 00:12:46,000
So the hrtate base cannot natively write data into an active directory.

151
00:12:46,000 --> 00:12:48,000
And they don't know how to do it.

152
00:12:48,000 --> 00:12:52,000
So we need something in the middle.

153
00:12:52,000 --> 00:12:55,000
To get the data from the hrtate base.

154
00:12:55,000 --> 00:13:05,000
And then we have a process that is to set it out to the active directory or other framework.

155
00:13:05,000 --> 00:13:14,000
And this is the definition, not definition, but mainly all processes should work in this order.

156
00:13:14,000 --> 00:13:22,000
But because we have always to get some data and write it at the other point.

157
00:13:22,000 --> 00:13:29,000
And that's one topic, I think, in automation that becomes in the last year, I think, very important.

158
00:13:29,000 --> 00:13:30,000
It's Microsoft Graph.

159
00:13:30,000 --> 00:13:36,000
Can you a little bit tell about Microsoft Graph and why it's becoming so important?

160
00:13:36,000 --> 00:13:43,000
So Microsoft Graph, if you don't know what it is, it is the backend of Asia.

161
00:13:43,000 --> 00:13:49,000
So you can, it's the API backend of Asia.

162
00:13:49,000 --> 00:13:58,000
So you can with Graph, nearly automate or reach all Microsoft services, nearly all Microsoft services, programmatically.

163
00:13:58,000 --> 00:14:03,000
So you don't need as an administrator, you can.

164
00:14:03,000 --> 00:14:11,000
So you can do mainly all things click in the Asia portal.

165
00:14:11,000 --> 00:14:17,000
But it's not recommended for some things for for configurations.

166
00:14:17,000 --> 00:14:22,000
If you have to do more configurations, you can automate that.

167
00:14:22,000 --> 00:14:28,000
Or if you have what you can do.

168
00:14:28,000 --> 00:14:33,000
So if you have to have multiple customers or Asia automation.

169
00:14:33,000 --> 00:14:41,000
I would say Asia automation because you can configure Asia automation as well with the.

170
00:14:41,000 --> 00:14:43,000
As code.

171
00:14:43,000 --> 00:14:49,000
So you write a, you can do it to zero form you put in a script.

172
00:14:49,000 --> 00:14:56,000
And then your Asia automation will be built, will be built like a blueprint.

173
00:14:56,000 --> 00:14:57,000
So you can imagine it.

174
00:14:57,000 --> 00:14:58,000
You have a plan.

175
00:14:58,000 --> 00:15:03,000
Then you import that plan and this plan is in each 10 at the same.

176
00:15:03,000 --> 00:15:08,000
So you can don't we can make any.

177
00:15:08,000 --> 00:15:10,000
Or Fed is here.

178
00:15:10,000 --> 00:15:13,000
So every.

179
00:15:13,000 --> 00:15:15,000
Every tenant will be the same.

180
00:15:15,000 --> 00:15:20,000
If I click that, if I have also a time saving perspective.

181
00:15:20,000 --> 00:15:21,000
So.

182
00:15:21,000 --> 00:15:28,000
Where I deploy a script and deploy that Asia automation account and all resources.

183
00:15:28,000 --> 00:15:31,000
What I need for that is automation accounts.

184
00:15:31,000 --> 00:15:33,000
I finished in some minutes.

185
00:15:33,000 --> 00:15:35,000
And I have a.

186
00:15:35,000 --> 00:15:38,000
A failure rate of zero.

187
00:15:38,000 --> 00:15:43,000
And if I let's do this some consultant or some other IT guy.

188
00:15:43,000 --> 00:15:45,000
You have to do this five times.

189
00:15:45,000 --> 00:15:49,000
And it is possible that you forgot to click or something else here is checklist.

190
00:15:49,000 --> 00:15:56,000
With the at the end here we can use graph API or some power share bottles to automate this.

191
00:15:56,000 --> 00:15:58,000
And this this side.

192
00:15:58,000 --> 00:16:01,000
And sorry, because your question was what is the graph API.

193
00:16:01,000 --> 00:16:03,000
So.

194
00:16:03,000 --> 00:16:08,000
They graph that you can also manage into manage Asia.

195
00:16:08,000 --> 00:16:11,000
Enter ID users manage Asia.

196
00:16:11,000 --> 00:16:13,000
I registrations.

197
00:16:13,000 --> 00:16:15,000
Intro rolls and so on.

198
00:16:15,000 --> 00:16:19,000
Many things you can manage with graph API.

199
00:16:19,000 --> 00:16:20,000
Autopilot.

200
00:16:20,000 --> 00:16:25,000
So you can see you have many things we can do.

201
00:16:25,000 --> 00:16:28,000
And the good thing is.

202
00:16:28,000 --> 00:16:35,000
There is a really easy way to authenticate to a makes you graph API.

203
00:16:35,000 --> 00:16:39,000
It works natively with Asia automation.

204
00:16:39,000 --> 00:16:41,000
And you can add so to this natively.

205
00:16:41,000 --> 00:16:44,000
If Asia functions.

206
00:16:44,000 --> 00:16:46,000
Or other connectors.

207
00:16:46,000 --> 00:16:47,000
But if.

208
00:16:47,000 --> 00:16:50,000
And we can add the use third party.

209
00:16:50,000 --> 00:16:52,000
Third party systems.

210
00:16:52,000 --> 00:17:00,000
But then we like you want from your script on your premium server to access or from your laptop to access.

211
00:17:00,000 --> 00:17:02,000
Asia makes the graph API.

212
00:17:02,000 --> 00:17:05,000
Then you can you need a token.

213
00:17:05,000 --> 00:17:09,000
You need a token to get into the into the session.

214
00:17:09,000 --> 00:17:13,000
You can be achieved with.

215
00:17:13,000 --> 00:17:18,000
And the second, the token can be achieved with.

216
00:17:18,000 --> 00:17:24,000
At registration and at registration has three possibilities to get there.

217
00:17:24,000 --> 00:17:26,000
So we have.

218
00:17:26,000 --> 00:17:27,000
We can get secrets.

219
00:17:27,000 --> 00:17:29,000
We can get.

220
00:17:29,000 --> 00:17:32,000
It's certificate or federal credentials.

221
00:17:32,000 --> 00:17:34,000
Where we can use managed identity.

222
00:17:34,000 --> 00:17:39,820
We can relate to that to the Federalized Conventions and Managed Identity because this is very

223
00:17:39,820 --> 00:17:40,980
interesting.

224
00:17:40,980 --> 00:17:46,680
Eugit, a hybrid worker from Azure Automation and Azure Arc there.

225
00:17:46,680 --> 00:17:58,280
But for the first, we can, with this ap imagination, control what permissions our script have, I

226
00:17:58,280 --> 00:18:00,360
would say, or our ap imagination.

227
00:18:00,360 --> 00:18:04,520
So you can assign the ad-trigger situation, the service principle of the app registration,

228
00:18:04,520 --> 00:18:06,040
Azure roles.

229
00:18:06,040 --> 00:18:14,920
And the Azure roles are on something like user read or enter ID, user read, global reader,

230
00:18:14,920 --> 00:18:23,680
contribute, Azure administrator, global administrator, what's not recommended to you, but you can assign

231
00:18:23,680 --> 00:18:27,920
specific roles for your resources.

232
00:18:27,920 --> 00:18:32,080
Or you can assign application permissions.

233
00:18:32,080 --> 00:18:38,720
So what are the specifics for this draft endpoint?

234
00:18:38,720 --> 00:18:46,040
So if we have a draft endpoint where we want only to read user data.

235
00:18:46,040 --> 00:18:54,620
And then we go to the app registration, go to the RP permissions and add only the permissions

236
00:18:54,620 --> 00:18:56,100
for that.

237
00:18:56,100 --> 00:19:06,620
So in the Maxis documentation, you have it in the Maxis documentation, you have a very good,

238
00:19:06,620 --> 00:19:11,660
I would say, a very good documentation for this draft of the endpoints.

239
00:19:11,660 --> 00:19:13,860
So every endpoint is documented.

240
00:19:13,860 --> 00:19:19,900
And in every endpoint, you can see a table of what permissions you are need and what are

241
00:19:19,900 --> 00:19:23,860
the least privileged permissions.

242
00:19:23,860 --> 00:19:30,940
You should always use the least privileged permissions, because you don't want to,

243
00:19:30,940 --> 00:19:33,940
that your app have more rights than you need it.

244
00:19:33,940 --> 00:19:37,100
You always check that out.

245
00:19:37,100 --> 00:19:46,780
And yeah, I think with the Graph API and the app registration there, we have nearly unlimited

246
00:19:46,780 --> 00:19:50,180
possibilities to automate workloads in Asia.

247
00:19:50,180 --> 00:19:55,140
Okay, let me think about security.

248
00:19:55,140 --> 00:20:03,140
What are organizations still getting wrong about automation security from your process?

249
00:20:03,140 --> 00:20:06,660
They are using secrets hard coded.

250
00:20:06,660 --> 00:20:14,540
Yeah, or passwords or authentication data, what is hard coded.

251
00:20:14,540 --> 00:20:28,540
So they have many scripts and have, okay, the password, I would say the security, the security,

252
00:20:28,540 --> 00:20:34,740
at all, I would say before five or six years before.

253
00:20:34,740 --> 00:20:41,500
It was not that big problem if there is a hard coded secret or a hard code password or something

254
00:20:41,500 --> 00:20:42,500
else.

255
00:20:42,500 --> 00:20:43,500
Okay, it's no problem.

256
00:20:43,500 --> 00:20:51,060
Here is the password, log in there, save it in the text file on the server.

257
00:20:51,060 --> 00:20:57,140
But it has changed in the summer, some last years because there are many attacks.

258
00:20:57,140 --> 00:21:07,660
And the thinking of all that is going deeper and better and the company says understand,

259
00:21:07,660 --> 00:21:12,420
okay, if I get security breach, it costs more.

260
00:21:12,420 --> 00:21:18,620
Then if I get no security breach, so better to invest in security in small things.

261
00:21:18,620 --> 00:21:29,940
So to, because I would say to check what I need to do to don't hard code passwords or secrets

262
00:21:29,940 --> 00:21:31,700
in my scripts.

263
00:21:31,700 --> 00:21:33,980
So that are not big things.

264
00:21:33,980 --> 00:21:40,700
So you can use, for example, if you had an Asia automation environment, if I have a

265
00:21:40,700 --> 00:21:41,700
panic.

266
00:21:41,700 --> 00:21:49,580
So you have the possibility to use variables in Asia automation.

267
00:21:49,580 --> 00:21:53,700
What is as or not the best thing, but better than hard coded.

268
00:21:53,700 --> 00:22:02,340
The second thing is you can use Azure Key Vaults and then get the, from Asia, they manage

269
00:22:02,340 --> 00:22:07,100
identity access to the Asia Key Vaults and then you can access the Asia Key Vaults from

270
00:22:07,100 --> 00:22:12,380
the managed identity, and so from the hybrid worker of chemists.

271
00:22:12,380 --> 00:22:16,100
So you don't need to be in Asia to use the Asia Key Vault already.

272
00:22:16,100 --> 00:22:23,020
If you have an Asia action server, you can join use Asia Key Vault or use some other power

273
00:22:23,020 --> 00:22:25,500
services modules for secrets and so on.

274
00:22:25,500 --> 00:22:28,180
So that is all possible.

275
00:22:28,180 --> 00:22:33,060
It's, and now for the administrator, a little bit annoying, he has to learn how to do that.

276
00:22:33,060 --> 00:22:39,020
It's easier in the password, it's hard coded, seeks to do this there for developing stuff,

277
00:22:39,020 --> 00:22:48,660
but it helps so much if this is not there because if you get a pre-gent test, the password,

278
00:22:48,660 --> 00:22:51,020
hard coded, what should you do?

279
00:22:51,020 --> 00:22:53,660
Nothing, you have a problem.

280
00:22:53,660 --> 00:22:54,980
It's sensitive.

281
00:22:54,980 --> 00:23:00,540
If you get a secret at the beginning, there were many people who have said, "Okay, we have

282
00:23:00,540 --> 00:23:02,980
now a trickestration."

283
00:23:02,980 --> 00:23:07,860
At this abstract, it gets all permissions what we need.

284
00:23:07,860 --> 00:23:09,700
So, okay, I want to automate teams.

285
00:23:09,700 --> 00:23:13,900
I give you all the teams permissions.

286
00:23:13,900 --> 00:23:14,900
Okay, good.

287
00:23:14,900 --> 00:23:21,780
Now we want to automate groups, users, and the thing that is most critical are abstract

288
00:23:21,780 --> 00:23:29,780
restrictions, because you can in the abstract registration, give you permissions to get all

289
00:23:29,780 --> 00:23:31,540
other permissions.

290
00:23:31,540 --> 00:23:35,100
So it's a little bit tricky here.

291
00:23:35,100 --> 00:23:43,140
So you need always to be aware to don't have one abstract registration with many permissions,

292
00:23:43,140 --> 00:23:50,940
because if your secret is reached, then I can, if it's not configured, other, I can access

293
00:23:50,940 --> 00:23:54,300
your tenant from anywhere.

294
00:23:54,300 --> 00:23:59,020
If I have to client ID in the secrets, I can access your tenant.

295
00:23:59,020 --> 00:24:03,580
In the eras, I can also see what's to have when I get the token.

296
00:24:03,580 --> 00:24:07,460
In the token, I see the permissions what the tokens have.

297
00:24:07,460 --> 00:24:12,100
Only the RPK permissions, lots of the roles, but you see that.

298
00:24:12,100 --> 00:24:16,180
And then you can work and you can compromise tenant.

299
00:24:16,180 --> 00:24:19,100
It's not a big problem.

300
00:24:19,100 --> 00:24:26,740
So all because that I say, because of that, I would say, always check how to...

301
00:24:26,740 --> 00:24:32,500
Secure your secrets and your credentials and your data.

302
00:24:32,500 --> 00:24:38,900
So the, say, the invest in KeyWalt is the better thing.

303
00:24:38,900 --> 00:24:47,900
Invest in KeyWalt or other password solution as or for developing and so on.

304
00:24:47,900 --> 00:24:56,660
When you, as you move from on-prem to to to cloud, what surprised you?

305
00:24:56,660 --> 00:25:03,140
Most when you, when you're moving in the cloud or in this automation space.

306
00:25:03,140 --> 00:25:13,380
Sorry, you don't move from, I would say, you let the cloud go down and go up to the cloud.

307
00:25:13,380 --> 00:25:18,580
But let's on-premise go down and go only to the cloud.

308
00:25:18,580 --> 00:25:22,620
You have always a 50/50 thing.

309
00:25:22,620 --> 00:25:27,580
So I don't know many companies who are only on the cloud.

310
00:25:27,580 --> 00:25:36,660
So mainly in that deck region, the companies are in the cloud.

311
00:25:36,660 --> 00:25:40,940
The most of them because of exchange.

312
00:25:40,940 --> 00:25:47,220
They go to the, to the clouds and the other workloads are still on-premise.

313
00:25:47,220 --> 00:25:51,300
And you always working at booth sites.

314
00:25:51,300 --> 00:25:59,740
So from this year, there was nothing, what surprised me or make me, yeah, makes in some things,

315
00:25:59,740 --> 00:26:03,660
make you annoying when you start to, to, to web to the cloud and the graph API and the

316
00:26:03,660 --> 00:26:07,300
automation because there are some new things.

317
00:26:07,300 --> 00:26:11,860
But there was nothing but I say, okay, this is really, really bad or something else.

318
00:26:11,860 --> 00:26:16,460
More, it, it's good because it's better documented than on-premise.

319
00:26:16,460 --> 00:26:18,740
You have better documentation.

320
00:26:18,740 --> 00:26:19,940
You have more people.

321
00:26:19,940 --> 00:26:21,020
What are working with this test?

322
00:26:21,020 --> 00:26:27,100
This is new technology and the technology is developed.

323
00:26:27,100 --> 00:26:35,940
I would say it's, it's not, like systems that are orchestrated that there are, it's, I'm

324
00:26:35,940 --> 00:26:42,300
a chemist product, automation, automation of chemist products and there are still releases.

325
00:26:42,300 --> 00:26:47,220
There are still update from 2022 to 2025.

326
00:26:47,220 --> 00:26:49,380
But there are nothing new in it.

327
00:26:49,380 --> 00:26:55,980
So there are only updates that is checked if there is, it is compatible at that was it.

328
00:26:55,980 --> 00:27:02,420
So there are nothing really new features out there and in the clouds, there are, I would

329
00:27:02,420 --> 00:27:07,420
say, all one new features of.

330
00:27:07,420 --> 00:27:14,580
And when you think in your career, working with graph, what was the most powerful automation

331
00:27:14,580 --> 00:27:16,380
you have ever built?

332
00:27:16,380 --> 00:27:26,380
Whoa, that was a delta sync, like group delta sync.

333
00:27:26,380 --> 00:27:30,940
How, wait, wait, wait, wait, wait, wait, wait, wait, wait, wait, wait, wait, wait, wait, wait,

334
00:27:30,940 --> 00:27:32,460
not the group delta sync.

335
00:27:32,460 --> 00:27:36,460
The most powerful automation.

336
00:27:36,460 --> 00:27:45,020
Wait a second.

337
00:27:45,020 --> 00:27:47,020
No, this was not.

338
00:27:47,020 --> 00:27:48,020
Hard is awesome premise.

339
00:27:48,020 --> 00:27:49,020
What does it count?

340
00:27:49,020 --> 00:27:50,020
What does it count?

341
00:27:50,020 --> 00:27:58,020
I have a customer that what is on premise and has several domains and this was really hard

342
00:27:58,020 --> 00:28:05,740
but an empty forest, but this was some premise in the cloud with Grave API.

343
00:28:05,740 --> 00:28:14,300
And it's, it's hard to say because we're using it, like, like small activities, like web

344
00:28:14,300 --> 00:28:15,300
flow types.

345
00:28:15,300 --> 00:28:24,300
So you don't build one big automation with one, I would say, with only like with groups or

346
00:28:24,300 --> 00:28:27,020
with, with users.

347
00:28:27,020 --> 00:28:37,260
So you create a user, then you update the user as you find, you give the user groups, you

348
00:28:37,260 --> 00:28:39,060
try to, to onboard the user.

349
00:28:39,060 --> 00:28:47,180
So you need always to pick some, some picks, but when I have to, to say what was the power

350
00:28:47,180 --> 00:28:57,700
for the automation, it was a delta sync, it was a delta sync of Microsoft's graph

351
00:28:57,700 --> 00:29:04,300
groups.

352
00:29:04,300 --> 00:29:15,420
And if the groups are changing on premise, we updated it in the directly, this was long

353
00:29:15,420 --> 00:29:16,740
time ago.

354
00:29:16,740 --> 00:29:21,420
Oh, I think you can cut out this.

355
00:29:21,420 --> 00:29:24,340
So, it's okay.

356
00:29:24,340 --> 00:29:30,660
It's very hard because it's, it's very hard because there are many small pieces what we are

357
00:29:30,660 --> 00:29:35,540
using, but we have not one big graph automation there.

358
00:29:35,540 --> 00:29:40,260
So, yeah, this one is also, it's unscripted.

359
00:29:40,260 --> 00:29:43,460
So I think it's, it's, it's, it's, it's quite so.

360
00:29:43,460 --> 00:29:46,740
And then it's more harder on, on, on your side.

361
00:29:46,740 --> 00:29:49,220
I only asked the questions.

362
00:29:49,220 --> 00:29:56,100
But they can you know that tell how important our permission and concert management in graph

363
00:29:56,100 --> 00:30:00,020
based automation is.

364
00:30:00,020 --> 00:30:03,740
So you have permissions.

365
00:30:03,740 --> 00:30:09,180
What's, so you have an app registration and the app registration, like I have explained,

366
00:30:09,180 --> 00:30:11,700
can have permissions.

367
00:30:11,700 --> 00:30:18,780
And when you try to, to access this app registration, you can also access this app registrations.

368
00:30:18,780 --> 00:30:25,020
Um, with your user and then your user get access to this apps.

369
00:30:25,020 --> 00:30:31,340
So and when you have tried it some, or you have something see it, you log in at the, at the

370
00:30:31,340 --> 00:30:39,060
app and then you have to concept to click, okay, concepts give, give this app run, give,

371
00:30:39,060 --> 00:30:41,740
give this app the rights to do something.

372
00:30:41,740 --> 00:30:48,700
So you can use a read or user read, read all or update groups or something else.

373
00:30:48,700 --> 00:30:58,620
And you as administrator have to choose what permissions you use the water that is logging

374
00:30:58,620 --> 00:30:59,940
in half.

375
00:30:59,940 --> 00:31:07,740
So if you give the application too much permissions here, then the end user also has these permissions

376
00:31:07,740 --> 00:31:13,540
and can compromise your tenant or do stuff what they had don't have to do there.

377
00:31:13,540 --> 00:31:22,700
So always be aware if you configure app registration for end users that has only rights for, it's

378
00:31:22,700 --> 00:31:27,380
a dashboard, if it's a dashboard only to for read things.

379
00:31:27,380 --> 00:31:32,500
So reads into data, read device management data and so on.

380
00:31:32,500 --> 00:31:35,780
And not something right or delete permissions.

381
00:31:35,780 --> 00:31:37,820
That's not good.

382
00:31:37,820 --> 00:31:48,940
The other thing is you're back.

383
00:31:48,940 --> 00:31:52,540
So we had a little bit of internet problems.

384
00:31:52,540 --> 00:31:57,940
We have talked how important our permissions and concept management in graph based automation

385
00:31:57,940 --> 00:31:59,420
is.

386
00:31:59,420 --> 00:32:11,300
And so let us go to the next topic and what security practice showed every admin follow

387
00:32:11,300 --> 00:32:15,180
before automation with graph.

388
00:32:15,180 --> 00:32:23,060
What security check this every administrator follow before using age automation, right?

389
00:32:23,060 --> 00:32:25,620
Yeah, automation with graph.

390
00:32:25,620 --> 00:32:26,620
I think.

391
00:32:26,620 --> 00:32:39,940
So before starting with graph, you have to have a solid understanding on how our identity

392
00:32:39,940 --> 00:32:45,540
and role permissions are the permissions works in Asia.

393
00:32:45,540 --> 00:32:53,340
So normally there are the permissions and the roles are out of the box.

394
00:32:53,340 --> 00:32:56,900
So there are a few we have only to use it.

395
00:32:56,900 --> 00:33:03,900
So always now to give least privilege permissions or roles.

396
00:33:03,900 --> 00:33:11,820
So only give this permissions at scale the permissions for use the permissions.

397
00:33:11,820 --> 00:33:17,260
So that you can only do that what I want not more.

398
00:33:17,260 --> 00:33:26,980
Not that this is possible, but always try in the west time time for that that your application

399
00:33:26,980 --> 00:33:33,140
or your scripts can only do that things for this the purpose for it.

400
00:33:33,140 --> 00:33:41,020
So this is the main main thing you have to know here.

401
00:33:41,020 --> 00:33:46,660
And what did you think is graph knowledge become essential for all Microsoft admin

402
00:33:46,660 --> 00:33:49,580
strategies?

403
00:33:49,580 --> 00:34:00,500
I think yes, because if you know graph, you know, as a backend or you know what you can

404
00:34:00,500 --> 00:34:10,300
do with with with the endpoints or with your services.

405
00:34:10,300 --> 00:34:15,060
Imagine you're an engineer administrator.

406
00:34:15,060 --> 00:34:19,660
You're already in the portal and you know, okay, when I click there, then this happens.

407
00:34:19,660 --> 00:34:25,540
When I click there, then I see this, I see these reports and so on.

408
00:34:25,540 --> 00:34:29,980
But you have never a fall list of what can we do.

409
00:34:29,980 --> 00:34:38,620
And then when you get to the graph, graph API, you have a documentation of all endpoints.

410
00:34:38,620 --> 00:34:46,020
And at the end, every click what you are doing manually at the at the Asia front end, it's

411
00:34:46,020 --> 00:34:50,380
nothing other than a HTTP call to the graph API.

412
00:34:50,380 --> 00:34:57,580
And all these are documented in Microsoft learn graph API documentation for Microsoft intune.

413
00:34:57,580 --> 00:35:01,580
You have all managed device and parts there.

414
00:35:01,580 --> 00:35:06,300
And then you can see the in detail.

415
00:35:06,300 --> 00:35:08,700
But I can do with intune.

416
00:35:08,700 --> 00:35:19,060
So if sub customer asked me, okay, can we do this and this and this with graph in intune

417
00:35:19,060 --> 00:35:21,420
or can we do this in intune?

418
00:35:21,420 --> 00:35:28,300
So the first thing what we are doing is open the documentation, check the intune graph documentation

419
00:35:28,300 --> 00:35:33,820
and truth if there are endpoints for it.

420
00:35:33,820 --> 00:35:38,300
And then you can find it mostly there are endpoints.

421
00:35:38,300 --> 00:35:50,180
Sometimes there was something like, this is a good example for reset MFA.

422
00:35:50,180 --> 00:36:03,740
So before there was a MFA or MFA methods, the stronger the cache method.

423
00:36:03,740 --> 00:36:09,980
So there was only one command that it was reset it for more.

424
00:36:09,980 --> 00:36:17,580
And the problem now was that Microsoft has dedicated this this model, this command that

425
00:36:17,580 --> 00:36:21,580
this was not any more possible.

426
00:36:21,580 --> 00:36:24,820
So now we have to create a script.

427
00:36:24,820 --> 00:36:35,860
So this was a make for example, a make of graph script what has reset all this methods,

428
00:36:35,860 --> 00:36:38,060
but not with one endpoint.

429
00:36:38,060 --> 00:36:46,460
So you have to delete each authentication method once at them was one button in the in

430
00:36:46,460 --> 00:36:48,380
make sure of the Asia.

431
00:36:48,380 --> 00:36:53,780
And then you checked with graph X ray graph X ray is a tracker when you click the button,

432
00:36:53,780 --> 00:36:57,380
you can see what the endpoint is triggered at the end.

433
00:36:57,380 --> 00:37:00,100
And there was an endpoint for that.

434
00:37:00,100 --> 00:37:03,620
But it was only used internally.

435
00:37:03,620 --> 00:37:08,220
It looks like there was no documentation for it and you have as or not you are not what

436
00:37:08,220 --> 00:37:10,380
you wasn't able to to trigger the method.

437
00:37:10,380 --> 00:37:11,740
I have tried it.

438
00:37:11,740 --> 00:37:14,180
So it was not possible.

439
00:37:14,180 --> 00:37:21,980
So there might be some, I would say some, some things what you can do with the graph API,

440
00:37:21,980 --> 00:37:26,900
is possible in the in the front end.

441
00:37:26,900 --> 00:37:32,380
But this was the only thing what I've had found until now, all other things are there

442
00:37:32,380 --> 00:37:34,380
possible.

443
00:37:34,380 --> 00:37:39,820
And to come to the to the undercrations with your heads, what was the most powerful automation,

444
00:37:39,820 --> 00:37:47,620
this was a very, the recent MFR was a very powerful automation there because you have

445
00:37:47,620 --> 00:37:54,540
to trigger there are many endpoints and delete all strong authentication.

446
00:37:54,540 --> 00:38:02,540
And you was only able to delete these authentication when the main authentication method was deleted

447
00:38:02,540 --> 00:38:03,540
as last.

448
00:38:03,540 --> 00:38:10,020
So you have to find the other endpoints where you can find out the standard authentication

449
00:38:10,020 --> 00:38:16,260
methods then set the standard authentication methods to the end, delete before other

450
00:38:16,260 --> 00:38:18,100
methods and so on.

451
00:38:18,100 --> 00:38:23,260
So what was the question again?

452
00:38:23,260 --> 00:38:31,980
Yeah, that's just a bit talk more about security automation.

453
00:38:31,980 --> 00:38:38,140
I think it's a little bit a buzzy word actually.

454
00:38:38,140 --> 00:38:45,060
But what do security automation in Azure actually mean in practice?

455
00:38:45,060 --> 00:38:56,700
So it means to have an understanding or a idea of how I run, I will go to Azure automation,

456
00:38:56,700 --> 00:39:08,460
how to run my scripts and how to use secrets, manage the identity, how to use all this security,

457
00:39:08,460 --> 00:39:10,780
related stuff.

458
00:39:10,780 --> 00:39:18,460
So how to manage it, for example, I would say, okay, we have a company, we have Azure

459
00:39:18,460 --> 00:39:25,860
automation, we have cloud, we have identity, Azure, the entry ID.

460
00:39:25,860 --> 00:39:38,100
And now we need to update user data or yeah, so.

461
00:39:38,100 --> 00:39:48,060
But we need to find a way to securely do that from our premise because the data is in

462
00:39:48,060 --> 00:39:52,660
the edge update base, what we have in the on the option system.

463
00:39:52,660 --> 00:40:02,860
So now we have a hybrid worker and this hybrid worker needs, needs rights in direction

464
00:40:02,860 --> 00:40:06,100
of the edge our system, okay.

465
00:40:06,100 --> 00:40:15,460
So it's the first thing where we need maybe credentials or a user what has specific rights

466
00:40:15,460 --> 00:40:17,300
to access the database.

467
00:40:17,300 --> 00:40:24,860
So here we have to think, okay, if I go ahead and say, okay, I have user name, I have a password

468
00:40:24,860 --> 00:40:28,740
and hard code it, this is the first thing what is wrong.

469
00:40:28,740 --> 00:40:37,340
So here I have to think, okay, where I have to save my dad, my secret data.

470
00:40:37,340 --> 00:40:44,620
So if you can use Azure key vault here, you can use the Azure automation, Azure Aborts

471
00:40:44,620 --> 00:40:51,620
or the credentials in Azure automation, it's also possible.

472
00:40:51,620 --> 00:40:59,060
The first thing, second thing, are the permissions on their cloud side.

473
00:40:59,060 --> 00:41:07,420
So I'm like we have discussed already, you have always to don't to use the least privileged

474
00:41:07,420 --> 00:41:08,420
permissions.

475
00:41:08,420 --> 00:41:15,020
So if you already many, many companies have already app registration, then they say, okay,

476
00:41:15,020 --> 00:41:16,820
we have already app registration.

477
00:41:16,820 --> 00:41:19,900
Let us use this app registration for this service.

478
00:41:19,900 --> 00:41:26,220
Let us say, okay, for what is this app registration used?

479
00:41:26,220 --> 00:41:36,100
The most common, the most common answer is for all these automation stuff we have.

480
00:41:36,100 --> 00:41:42,700
So mainly with Ben say, okay, then we have to separate all these automation stuff to

481
00:41:42,700 --> 00:41:51,060
specific doing specific app registrations because that is not a good way to manage that.

482
00:41:51,060 --> 00:41:57,540
So you need for each service your app registration to access it.

483
00:41:57,540 --> 00:42:05,460
If it's more work here, but it's more secure.

484
00:42:05,460 --> 00:42:10,860
So I have one app registration for my user interactions, I had one app registration for

485
00:42:10,860 --> 00:42:18,460
my group interactions for my manage devices interaction for intune interactions and so on.

486
00:42:18,460 --> 00:42:31,460
So always scale that and don't, I would say, don't put all all darker in one thing.

487
00:42:31,460 --> 00:42:34,780
Awesome.

488
00:42:34,780 --> 00:42:40,420
And then we think about trigger automation.

489
00:42:40,420 --> 00:42:50,700
How should organization security trigger automation work lots from your perspective?

490
00:42:50,700 --> 00:42:52,100
Trigger automation.

491
00:42:52,100 --> 00:43:00,780
So if you can trigger automations, you have something in a automation called webhooks and webhooks

492
00:43:00,780 --> 00:43:03,260
can be triggered throughout anywhere.

493
00:43:03,260 --> 00:43:14,740
So you have to know if your webhook, your link for webhook goes in false hands.

494
00:43:14,740 --> 00:43:19,500
In other hands, then this person can always call your rum book.

495
00:43:19,500 --> 00:43:25,900
And if you have configured parameters on your webhook, then you can do stuff with it.

496
00:43:25,900 --> 00:43:28,460
So it's not that good.

497
00:43:28,460 --> 00:43:32,740
If it's a rum book for this trigger, a trigger, a sync or something else, okay?

498
00:43:32,740 --> 00:43:34,580
But it's a webhook.

499
00:43:34,580 --> 00:43:39,820
You have always to know, handle the webhook like a secret.

500
00:43:39,820 --> 00:43:42,820
So it's really important.

501
00:43:42,820 --> 00:43:51,860
And also there's a possibility to run Azure automation workloads with API.

502
00:43:51,860 --> 00:43:58,420
But for that you need as those specific rights to access this API.

503
00:43:58,420 --> 00:44:05,340
So you need as a registration to get the token to authenticate against it or connect to the

504
00:44:05,340 --> 00:44:06,340
Azure account.

505
00:44:06,340 --> 00:44:09,580
And then you are possible to use Azure automation command.

506
00:44:09,580 --> 00:44:12,860
Let's trigger these automations.

507
00:44:12,860 --> 00:44:20,020
And these rights should only have administrators or people who know what they do and always

508
00:44:20,020 --> 00:44:21,940
know what they do.

509
00:44:21,940 --> 00:44:26,060
So it's have always to be a process behind that.

510
00:44:26,060 --> 00:44:31,380
So I would not trigger Azure automation without the process.

511
00:44:31,380 --> 00:44:32,380
Why?

512
00:44:32,380 --> 00:44:37,020
So I need always to know what I'm doing here.

513
00:44:37,020 --> 00:44:50,380
And yes, you have as of the possibility to run the can run the rubbook out of the out of

514
00:44:50,380 --> 00:44:53,900
Azure automation.

515
00:44:53,900 --> 00:44:56,260
But that was it.

516
00:44:56,260 --> 00:45:01,820
And so you can run it over our API or over the webhook.

517
00:45:01,820 --> 00:45:08,820
Managing.

518
00:45:08,820 --> 00:45:16,100
When we think, I think a little bit, I think about my question.

519
00:45:16,100 --> 00:45:23,180
What role do management identities play in reducing risk?

520
00:45:23,180 --> 00:45:32,420
So the good thing about managed identities is that you don't leak any secrets or something

521
00:45:32,420 --> 00:45:33,420
else.

522
00:45:33,420 --> 00:45:35,020
So you don't need a secret.

523
00:45:35,020 --> 00:45:38,420
The password management is done by the actions of itself.

524
00:45:38,420 --> 00:45:43,300
So behind every managed identity, it's a service principle.

525
00:45:43,300 --> 00:45:50,500
And Microsoft wrote that the secrets are the passwords, the extensions of this managed identity.

526
00:45:50,500 --> 00:45:51,780
It is self managed.

527
00:45:51,780 --> 00:45:54,940
So like a group, group managed service account.

528
00:45:54,940 --> 00:46:03,620
So you don't need to think about a secret or the secret will expire or something else.

529
00:46:03,620 --> 00:46:06,180
Or the certificate will expire.

530
00:46:06,180 --> 00:46:14,900
So with the managed identity, you have the possibility to don't have a password.

531
00:46:14,900 --> 00:46:16,740
This is the main thing.

532
00:46:16,740 --> 00:46:20,900
What is for what is the managed identity here?

533
00:46:20,900 --> 00:46:25,620
And it's nothing else of like an on-premise service account.

534
00:46:25,620 --> 00:46:29,540
But you don't have to think about the password.

535
00:46:29,540 --> 00:46:31,420
It's the best thing.

536
00:46:31,420 --> 00:46:34,620
And then you can manage the identity.

537
00:46:34,620 --> 00:46:41,100
You can give him access to your roles, to your services.

538
00:46:41,100 --> 00:46:50,700
And then you can use this managed identity to trigger, to authenticate at the end, to authenticate

539
00:46:50,700 --> 00:46:54,580
and get permissions for your services.

540
00:46:54,580 --> 00:46:55,380
Yeah.

541
00:46:55,380 --> 00:46:59,660
And then you can automate.

542
00:46:59,660 --> 00:47:08,540
So for example, I give the managed identity from Asia Automation Joel, a specific Joel,

543
00:47:08,540 --> 00:47:12,380
for get devices from it you.

544
00:47:12,380 --> 00:47:19,140
And then I can connect my Asia Automation account is connect/identity.

545
00:47:19,140 --> 00:47:27,420
And are possible then I am possible to reach these endpoints, the managed identity inputs.

546
00:47:27,420 --> 00:47:32,740
We've one line of code at that.

547
00:47:32,740 --> 00:47:37,340
And I don't need to achieve a token or something else.

548
00:47:37,340 --> 00:47:40,540
So you can easily out it.

549
00:47:40,540 --> 00:47:51,700
Because you have to think the Asia Cloud is not, you cannot access all things what you

550
00:47:51,700 --> 00:47:53,300
want.

551
00:47:53,300 --> 00:47:55,740
You need always to give you access.

552
00:47:55,740 --> 00:47:57,660
So it is all there.

553
00:47:57,660 --> 00:48:03,340
But you need some identity, what have access to resources, to it or to a service.

554
00:48:03,340 --> 00:48:09,140
So when I start with Asia Automation, I always need to activate the managed identity of Asia

555
00:48:09,140 --> 00:48:13,260
Automation because Asia Automation at the beginning is isolated.

556
00:48:13,260 --> 00:48:19,860
So Asia Automation can do nothing without a managed identity there.

557
00:48:19,860 --> 00:48:23,260
So I have to give your managed identity.

558
00:48:23,260 --> 00:48:30,820
And then I have to give the managed identity rights to Intune or to exchange.

559
00:48:30,820 --> 00:48:39,060
And then I can start with automation where the managed identity already have access.

560
00:48:39,060 --> 00:48:44,540
Without a big deal.

561
00:48:44,540 --> 00:48:53,900
So coming to the next, I have a little bit of a look into Asia groups, energy security groups.

562
00:48:53,900 --> 00:49:01,660
And I have extract the most five keywords, the passwords, I don't know, or we call it.

563
00:49:01,660 --> 00:49:04,900
And you can rank them and say, why?

564
00:49:04,900 --> 00:49:05,900
Okay.

565
00:49:05,900 --> 00:49:12,020
So the keyword, then we have additional conditions like access, public identity management, zero

566
00:49:12,020 --> 00:49:15,260
trust principles and user trainings.

567
00:49:15,260 --> 00:49:19,740
How will you rank them?

568
00:49:19,740 --> 00:49:22,260
Zero trust.

569
00:49:22,260 --> 00:49:24,100
Zero trust.

570
00:49:24,100 --> 00:49:26,620
Zero trust first.

571
00:49:26,620 --> 00:49:32,500
Because I don't want to trust anyone.

572
00:49:32,500 --> 00:49:37,380
I have to know who I have always if you want.

573
00:49:37,380 --> 00:49:41,340
So like you need always a key to come in.

574
00:49:41,340 --> 00:49:44,500
I will never give you a key.

575
00:49:44,500 --> 00:49:46,140
You need always a key.

576
00:49:46,140 --> 00:49:55,100
So this is something like it's the the secure way to secure something.

577
00:49:55,100 --> 00:49:59,140
So you need always to authenticate again.

578
00:49:59,140 --> 00:50:02,380
Cool.

579
00:50:02,380 --> 00:50:07,060
So now to one of my favorite parts in all sessions.

580
00:50:07,060 --> 00:50:12,460
Now look into some some quotes from from the groups.

581
00:50:12,460 --> 00:50:18,140
And I give you the quote and you you give me you say what you're thinking about this

582
00:50:18,140 --> 00:50:19,140
quote.

583
00:50:19,140 --> 00:50:26,980
So the first one is automation without security is just acceleration risk.

584
00:50:26,980 --> 00:50:34,300
Yep, it is this I would say 100% sure.

585
00:50:34,300 --> 00:50:38,300
Yeah, it is identity.

586
00:50:38,300 --> 00:50:39,300
Yeah.

587
00:50:39,300 --> 00:50:40,300
Yeah.

588
00:50:40,300 --> 00:50:41,780
No, no.

589
00:50:41,780 --> 00:50:44,140
I give the words back to you.

590
00:50:44,140 --> 00:50:45,140
Okay.

591
00:50:45,140 --> 00:50:54,420
So because if you don't secure your automation, if you don't secure it, you're maybe on

592
00:50:54,420 --> 00:51:01,420
your laptop or I don't know where, what don't have internet access then I don't need to secure

593
00:51:01,420 --> 00:51:02,420
it.

594
00:51:02,420 --> 00:51:08,700
But if I have internet access and if I am in the clouds, I have all and other users are

595
00:51:08,700 --> 00:51:13,300
using it and then I have data what needs to be protected.

596
00:51:13,300 --> 00:51:19,700
Then I have always to have a security perspective or security mindset here.

597
00:51:19,700 --> 00:51:24,100
Without security mindset, it will go wrong.

598
00:51:24,100 --> 00:51:31,780
People not not in one here or two or three, but it will go wrong at one point.

599
00:51:31,780 --> 00:51:37,020
And the next quote is identity is a new security parameter.

600
00:51:37,020 --> 00:51:38,900
It's not a new security parameter.

601
00:51:38,900 --> 00:51:40,860
It's an old security parameter.

602
00:51:40,860 --> 00:51:44,780
What is older than I?

603
00:51:44,780 --> 00:51:46,780
And I'm not this guy.

604
00:51:46,780 --> 00:51:47,780
Great.

605
00:51:47,780 --> 00:51:53,500
And then the third one Microsoft graph is becoming the operating layer of Microsoft 365.

606
00:51:53,500 --> 00:51:55,700
100% sure.

607
00:51:55,700 --> 00:51:56,700
Yeah.

608
00:51:56,700 --> 00:51:57,700
Okay.

609
00:51:57,700 --> 00:52:06,340
The best automation is the nobody noticed.

610
00:52:06,340 --> 00:52:07,340
It is.

611
00:52:07,340 --> 00:52:08,340
Yeah.

612
00:52:08,340 --> 00:52:14,340
Because you don't know what, but there is something happening, but it's happening.

613
00:52:14,340 --> 00:52:17,420
So yeah, it's the best one.

614
00:52:17,420 --> 00:52:22,620
Cloud automation should reduce complexity, but create more of it.

615
00:52:22,620 --> 00:52:26,500
Or it's 50, 50.

616
00:52:26,500 --> 00:52:28,500
Okay.

617
00:52:28,500 --> 00:52:35,660
Then the nearly last part, it's the rapid fire out.

618
00:52:35,660 --> 00:52:44,060
It's, I say, I give you short questions and you say what you, what first come in your mind.

619
00:52:44,060 --> 00:52:45,060
Okay.

620
00:52:45,060 --> 00:52:47,780
Partial or portal?

621
00:52:47,780 --> 00:52:48,780
Portual.

622
00:52:48,780 --> 00:52:53,460
Favorite Microsoft graph feature?

623
00:52:53,460 --> 00:52:55,500
Mix three.

624
00:52:55,500 --> 00:53:00,100
Most underrated Azure service.

625
00:53:00,100 --> 00:53:07,940
Oh, it's, it's most under Azure service.

626
00:53:07,940 --> 00:53:09,940
Azure monitor.

627
00:53:09,940 --> 00:53:10,940
Okay.

628
00:53:10,940 --> 00:53:16,980
One automation have every adventure to learn.

629
00:53:16,980 --> 00:53:19,980
Automation.

630
00:53:19,980 --> 00:53:21,980
Automated process.

631
00:53:21,980 --> 00:53:22,980
Okay.

632
00:53:22,980 --> 00:53:26,460
Big security mistake and automation.

633
00:53:26,460 --> 00:53:27,980
How code is secrets?

634
00:53:27,980 --> 00:53:28,980
We have it.

635
00:53:28,980 --> 00:53:32,580
And for you, Azure automation or Azure functions.

636
00:53:32,580 --> 00:53:34,620
Azure automation.

637
00:53:34,620 --> 00:53:38,620
Most overused bus cloud passwords.

638
00:53:38,620 --> 00:53:44,180
How is the only one?

639
00:53:44,180 --> 00:53:49,820
And also we got answer.

640
00:53:49,820 --> 00:53:53,060
Most API SDK.

641
00:53:53,060 --> 00:53:56,660
I can rest AP or SDK.

642
00:53:56,660 --> 00:53:58,340
Rest API.

643
00:53:58,340 --> 00:54:02,580
One partial command you use constantly.

644
00:54:02,580 --> 00:54:06,300
Combat from Jason.

645
00:54:06,300 --> 00:54:10,820
Best way to learn Microsoft graph.

646
00:54:10,820 --> 00:54:12,820
Do it.

647
00:54:12,820 --> 00:54:20,380
Copy T or energy during the profits.

648
00:54:20,380 --> 00:54:23,220
I put a full cloud mate.

649
00:54:23,220 --> 00:54:25,380
Hydrate.

650
00:54:25,380 --> 00:54:30,180
One automation task every company shows implement tomorrow.

651
00:54:30,180 --> 00:54:33,420
Of boarding and onboarding.

652
00:54:33,420 --> 00:54:39,260
Most exciting trend and as an identity.

653
00:54:39,260 --> 00:54:50,980
One word describing the future of automation.

654
00:54:50,980 --> 00:54:52,620
Work load.

655
00:54:52,620 --> 00:54:53,620
Cool.

656
00:54:53,620 --> 00:54:55,580
So yeah, thank you for your time.

657
00:54:55,580 --> 00:54:59,220
So you want me to think about this session.

658
00:54:59,220 --> 00:55:02,900
What will you say is it's the key point.

659
00:55:02,900 --> 00:55:06,780
Admins should take from from the session today.

660
00:55:06,780 --> 00:55:14,460
So from the session, the admins should take away when they are writing scripts.

661
00:55:14,460 --> 00:55:22,340
When they are using credentials or using graph secrets at registrations and so on.

662
00:55:22,340 --> 00:55:23,340
Secured.

663
00:55:23,340 --> 00:55:24,340
This fix.

664
00:55:24,340 --> 00:55:26,340
So always.

665
00:55:26,340 --> 00:55:28,620
Have in mind or managed.

666
00:55:28,620 --> 00:55:34,500
Managed entities are secured but always have in mind.

667
00:55:34,500 --> 00:55:41,100
Think of how the attacker would try to compromise you.

668
00:55:41,100 --> 00:55:43,660
So what is that the thing.

669
00:55:43,660 --> 00:55:49,140
So I always think about what.

670
00:55:49,140 --> 00:55:51,780
What what take a technique.

671
00:55:51,780 --> 00:55:54,460
What when he gets this thing what he can do.

672
00:55:54,460 --> 00:55:57,180
So if he can do less, it's better.

673
00:55:57,180 --> 00:55:58,460
Always think of that.

674
00:55:58,460 --> 00:56:03,020
So try to secure things that the attacker can get your daughter.

675
00:56:03,020 --> 00:56:04,020
Awesome.

676
00:56:04,020 --> 00:56:07,100
I say thank you for the session and for your time.

677
00:56:07,100 --> 00:56:09,500
That was a really, really interesting session.

678
00:56:09,500 --> 00:56:11,300
So yeah, thank you so much.

679
00:56:11,300 --> 00:56:14,300
Have a good.