Are your Microsoft solutions’ doors wide open & exposed to security threats?

Discover how you can keep your Microsoft solutions safe. This doesn't just cover Microsoft Dynamics 365 Business Central, CRM and the Power Platform but also Teams, Microsoft 365 (aka Office) and much more. Recently Microsoft have upped their game and introduced brand new security protocols. Not only will they keep your solutions safe but also limit who has access to them. Listen to the episode to understand more about the new security methods and, if you haven't already actioned them, why you need to move fast.


- Welcome to a new edition of "Tecman Talks Dynamics." I'm joined with Liz, Matt, and your first time on the podcast-

- Yep.

- Mark. Do you wanna explain what you do at Tecman, what your title is, first and foremost?

- Yeah, it's Operations Manager, yeah. Work in operations team, which can be a little bit subjective sometimes. But yeah, so we look after the cloud services, I guess.

- Okay, so that's where we're gonna probably change what we normally talk about on our podcast. It is around Business Central, but it's one of those things that spins out from it.

- So it's all things that, if you're gonna run your system in the optimal way and make sure that it's protected and safe and things, there's set up around it that's really important. But that isn't actually directly in the product.

- No, correct.

- And that's things that most customers will have somebody that looks after a lot of this. Some won't, but every customer needs to think about how they manage this side of their admin.

- It's more your traditional IT security.

- It is, yeah.

- And using management.

- Exactly, and if you haven't got that traditional IT role within the business, then how do you make sure that these things are considered and these things are set up and monitored and managed in the right way.

- And we know security's become a really, really hot topic over the last probably five, 10 years.

- Absolutely.

- And it continues to be. And with that Microsoft have, over time, NAV, as it used to be, the vision used to have its own user creation, that was migrated and it became part of our general network. So if I had one user, it would, without my password and credentials, wouldn't allow me to log into Business Central, or NAV and NAV Business Central. But as the security's tightened up what's changed in that model? We have a couple of phrases don't we, that we talk about here, where we've got another bunch of acronyms.

- DAP and GDAP.

- Which we love, GDAP, DAP.

- GDAP, I'm really struggling. DAP and GDAP, yep.

- Yeah, so I guess where this has come from and really is traditionally, as a cloud service provider, where we resell a subscription. When you create a customer relationship, historically it used to inherit the role of administrator, global administrator, or delegated admin privileges.

- So, the relationship as in customer and we as a partner?

- Correct, yeah.

- That's the relationship?

- And so any partner that wants to sell a subscription, be it 365, Office, Power BI, has to have a relationship with a customer, okay? So it's hard to imagine now how it used to be, but even six months ago, 12 months ago, every partner inherited a role of global administrator.

- So they had a huge accounts to do a lot of stuff.

- So yeah, in a customer, where we just supplied their Business Central licences, we had full admin access.

- Yeah, and potentially we could allow any of our staff to inherit that role of delegate admin to all of our customers. And a customer could have three or four different partners, be selling different subscriptions. And all of those partners could be global admins and all of their staff could also be global admins.

- And that's of their Azure tenant. So their cloud based-

- Yeah, the tenancy, and anything with that tenant, so it could be Azure, could be 365, Power BI, Business Central.

- Yep.

- So only, I think it was April last year, April 22, Microsoft announced it, because of partner feedback. And it's only started to be enforced now, but what they're doing is taking the DAP role away and forcing GDAP, to make it more granular. So a Business Central partner can just have d365 admin and the telephony partner can just be Teams app and so on and so, or SharePoint admins.

- Because previously, I guess if we went in to do something, we could impact something that-

- Yeah, absolutely.

- Office and vice versa or could come and make a mistake.

- Yeah, a lot of conflicts of interest going on there. So yeah, anybody could go in and just do it, make a mistake, or not suggesting there's anything untoward, but you know, three or four different partners, all being admins of one customer. And sometimes the customer doesn't even know that, wasn't really aware of it.

- Mm.

- So rightly so, Microsoft listened to a lot of partner feedback and from June this year, enforced on partners to take away their admin role and make it granular. So we've gone through all that. We did that back in May. So now all of our customers, unless they want something different, we've only got the Dynamics 365 admin role.

- So what does that give us then?

- So we can get into the BC admin centre, manage the environments, manage your telemetry, the capacity, table size, all that kind of thing.

- And does that mean every user from Tecman can log into that computer?

- Yeah, we get that control.

- So when a customer said to me the other day, why is every single Tecman person in my user list?

- Yeah, that's different slightly, that's-

- It's not overused though. It's people that we deem-

- Yeah, yeah.

- Support, yeah.

- Support the consultants. It's the developers.

- So when that support, or anybody goes into a customer's Business Central environment, a user gets created, okay. So that's what customers are noticing. Everybody can have that. 'Cause everybody by default is a support admin. So we can all get into the environment. So yeah, that's what customers see a long list now.

- Yeah, but that's never taking one of their paid user licences is it?

- No, no, no.

- That's always-

- it's, they've taken away the, so you can't see their full name now. You'd notice you don't see first name surname. It's just, I think it's Tecman technician you see now.

- Right, it used to just be a whole, just big gooey, didn't it? Yeah, it's just Tecman technician now, you see.

- So, yeah, many customers didn't realise that multiple partners had full control of all the tenants.

- Yeah.

- So yeah, it's much better now. Much, much better way of doing things now. We still see customers come across some other partners who've still got other resellers as full admins, but Microsoft now is starting to pull those. If you-

- Oh, okay.

- If partners don't-

- So if someone switched partners-

- Yeah?

- Do you, is there something that you have to do to remove that privilege or do you switch it from one to the other? Can you have more than one if you wanted to?

- Yeah, you can still have plenty, yeah. Yeah, so we see, so most of our customers will have at least us and another partner because it could be a 365 partner or a Teams partner, SharePoint partner. But they should now have granular access and it's up to the customer really to manage that and monitor that. But really due diligence should be the other partner to relinquish control.

- So I guess there's quite a few where they, they've just got a full user set up called so and so admin or whatever they decide to call it and just give them global admin, and so that remains.

- Yeah, so Microsoft on the 1st of June, well I think it was the start of this year, new relationships were only GDAP only. But then just about now I think they're starting to, tenant by tenant or region by regions enforcing it. So if the partner doesn't do it, Microsoft will just take that role away. So you know, we're seeing customers move across from other partners who've still got, like I said, still got delegate admin. So you know, when we see that, we'll highlight it with a customer. But yeah, I mean worryingly we still see customers with no 2FA policies enforced.

- And so 2FA is?

- Two-factor authentication.

- Which means you would get like a phone-

- Yeah.

- you get an id.

- We all use it in our personal lives but-

- Yeah.

- So again, that's nothing to do with Business Central setup?

- No, no.

- That would all be part of your Azure?

- Yeah, so any customer, with any cloud subscription, be it Teams, 365, Power BI, has a tenant. Customer might not know they've got a tenant, but they have a tenant. Every user who wants to access a cloud service, could be a BC, could be anything. You need to have some credentials. Really, you should have 2FA enforced. So you access that service, you get prompted for a code or a text or a phone call, whatever it is, to validate who you are really, so-

- So our recommendation would be that everybody sets that up and that is the recommendation for, across all service-

- Every cloud service.

- not just Business Central, but-

- Yeah.

- Any product across the whole-

- Correct, and-

- And in terms of setup and things, that's something they should do with their existing kind of modern workplace partner or it's a service that we can offer now, that we can help them set up those.

- Absolutely yeah.

- Those kinds of things.

- New tenants, it's on by default.

- [Liz] Yeah.

- But obviously a lot of what we're seeing is legacy tenants that have been there for years and years and years and-

- So everyone should have a look into that-

- [Mark] 100%.

- and if they don't have it, think about how they get that into place 'cause it's important from a security point of view.

- There's been some more, I guess some more complexity added into it recently, isn't there, with basic authentication going?

- Yeah.

- Service to service kind of authentication. So rather than having, you know, setting up a user, let's say to be the integration to your website, it's now a service to service, and the authentication actually is a lot more secure.

- Yeah.

- But it just takes a bit more set up and kind of understanding of the backend to put that in place and-

- Yeah, I mean 2FA only applies, or MFA as it's also known, only applies to user, interactive user accounts.

- Yeah.

- But yeah, you're right. There's another authentication type, OAuth, which is in most cases, it's a service to a service, not a user to a service. That has its own, you know, concerns around security. You know, somebody really needs to manage that. You know, you've got client secrets. They can expire, you know, they need storing somewhere safe. Certificates, if you don't use client secrets, you use certificates. Well, you know, you need to manage the renewal date to those certificates.

- And actually a lot of the time the services that we're talking about are absolutely key to people's business processes, aren't they? So in terms of things like integration between your website and your ERP, and websites, handheld devices, anything kind of external to Business Central that talks to it. If your security certificate expires or your-

- It stops.

- or you have a, yeah, then everything just stops.

- Yeah.

- So it's really important that somebody is managing that and somebody is understanding how that all fits together and how that works.

- Yeah, absolutely. So you're right about the basic authentication that was deprecated, I'll lose track now, probably October 21 I think.

- Yeah, if you had that, you'd know about it by now.

- Yeah, that's gone.

- Already spoken to, so that's gone.

- Yeah, so anything with Business Central now that has a third party integration, it would use OAuth and that's managed by a service principal or an app registration. That's all part of the tenant. So again, that needs monitoring, maintaining, securing. So yeah, you know, if you're not using Tecman as that primary Azure Active Directory tenant admin, all these things need, you know, at least on the radar. You need to know who looks after this for you. You know, we're seeing now, again, customers coming across from other partners who have got service to service authentication with a secret, that only has a two year maximum lifetime. So if that expires, then something breaks, it's then a chain of events to work out actually, "This is expired now."

- And everything stops usually on a Friday night.

- Yeah, yeah.

- There's nobody available to look at that till Monday mornings, which means all weekend you can't take any web orders.

- [Mark] Yeah.

- You know, it's quite serious. It's quite, there's a massive impact. And that's almost something that each, 'cause they should be doing that, they should be assessing the impact of what would happen if this went wrong. When they think about how they're gonna manage it and the investment they're gonna put into managing it.

- And you talked about those client secrets, putting them somewhere safe. What do you do? Like put 'em in a box under your bed or-

- Azure Key Vault really.

- Is that where you keep your money is it Matt?

- Yes, shh.

- Yeah, Azure Key Vaults really is the place to store secrets, any kind of passwords really. That's probably-

- It sounds quite dramatic doesn't it? It sounds a bit-

- That probably comes more under an Azure service. 'Cause Key Vault is an Azure resource as opposed to tenant management. We're talking about tenant management. But if the customer's got a Key Vault, then that'll be in their Azure subscription.

- Okay.

- Yeah, and with GDAP being introduced, what services did we use to be able to do that suddenly have been removed? You talked about a couple of them-

- Yeah.

- It's certainly high level stuff.

- Yeah, so again, it's hard to imagine how this was six months ago, but you know, if we weren't nominated as a primary tenant admin, we could go and reset a password, create a user, set up 2FA, reset 2FA if a customer loses their phone or breaks their phone. And we used to do that because we could, help people out obviously. We can't now, as much as we'd like to. It's the right thing to do, obviously, 'cause-

- Protects the customer, yeah.

- Yeah, absolutely, yeah, so-

- There's certain things in BC we can't do as well isn't there, without a global admin, in terms of-

- Yeah, yeah, the list is getting smaller. But the outstanding thing now is we can't schedule job queues, we can't create job queues without an internal BCU.

- You could run once can't you, I think if, on a test-

- Yeah.

- So for testing, but we can't, miles of security things.

- Sometimes though I think that that's not necessarily a bad thing. You know, there are a lot of these things they should, the customer should understand what is going on. So actually, us setting up things like that, which could impact performance, it could impact, you know, we don't necessarily understand what time of day these things can run. It's probably better that-

- I think all of them is good practice. It's making customers aware that if there's a problem and they phone you up and expect us to do something, it's not us being awkward. We physically or technically can't do it. Not physically-

- So the message we're trying to get across really is if, you know, you need to at least to tell us who that nominated partner is so we can refer the caller to that partner to get that done. Or if you want us to do it, we can do it for you.

- But it would have to be made.

- Yeah, we need to know about it. And I think, and a lot of the customers probably, possibly aren't aware that this has happened.

- Yeah, so the first time they're gonna try and do something is when they've got a problem and then it's gonna be a long or a more slower response.

- Yeah, I suppose as well for the customers that are migrating from older versions where they might have had it on-premise and it was quite easy to administer and it was kind of very much a self-contained piece of software. It isn't anymore. It's now part of a big-

- Cloud services.

- system of different products.

- But that's always been- It's one of the key benefits we talk about Business Central, it's part of the Microsoft ecosystem. You can utilise this, you get this high level of security, but with it comes extra setup or maintenance and-

- Yeah, it's no longer just a little piece of software on its own. It's part of-

- Yeah, it's not just a software as a subscription, it's a cloud service that we are providing and you know, somebody, can be us, has to manage the, you know, the bigger picture really.

- And obviously Microsoft see a lot of these issues, which is why they're introducing this.

- Yeah.

- If it was a smaller provider, a lot of the time it, you wouldn't get all this protection.

- No.

- And it'd be far worse, the implications of actually somebody getting in or damaging or getting rid of something that shouldn't be there. You did, you mentioned it to me once. It was really interesting. You talked about the two factor authentication where you got a phone and we're waiting for the code to come through. There was this example of, if I lost my phone and I'm the admin at Tecman, what happens then? And that was a genuine issue. And if anyone's lost a phone and you can't get-

- Oh yeah, well if anyone goes out on a Saturday night, leaves the phone in the back of a taxi. Not saying that anyone has done that.

- Everybody here I think.

- What hap- you know, yeah, you know that.

- If you don't have a phone it takes a while to get that set up. If from a business point of view and you needed to make changes, Microsoft have introduced a service I believe? Break-Glass?

- Yeah, Break-Glass, yeah, yeah. So yeah, there's a flip side to having 2FA, you know, if you've got one designated dedicated global admin and you're not relying on a partner, you know, that guy needs to have, or lady, needs to have four weeks holiday and get sick and lose their phone, break that phone and you know, how do you then get your access to your tenant then?

- So how do you then?

- How do you, yeah?

- So there are-

- Ask the one most likely to leave their phone in the back of a taxi.

- I've never done that.

- I mean, really that one person should have a DR, documented. There are ways around it. Microsoft called it the Break-Glass. So when it really does hit the fan, you break that glass and you can get in. There's obviously hoops to jump through 'cause everyone can't do it. But I think it's good to have, you don't wanna have too many global admins, but you know, if you've got a partner you can trust and rely on and also an internal admin, then I think that's a pretty good place to be.

- Yeah, I think with the internal admin for a lot of companies, that would be one person they'd be reliant on, so.

- Yeah.

- And it is making-

- I think to have a little bit of backup to that, which is a company where you're not reliant on one person. There's lots of us that can assist. I think that's probably part of the policy that a customer should have. So most of the time they can be self-sufficient, but there's always that backup if you need it.

- And a good thing with GDAP is you can, 'cause it's granular, you can choose which partners have which-

- Yeah.

- manage which aspects.

- So it gives a bit-

- You don't need-

- It gives a bit.

- Yeah, you don't need to give the keys to the kingdom.

- It gives enough to help out when they need it.

- It's enough to help 'em out, yeah.

- I think it's important though 'cause customers, as they're relying more and more on technology and this transformation we've been talking about for ages to digitise everything. If you're not aware of these problems and you think, "Well the IT person has got their phone," and like you said, but the problem happens when they're on holiday or you would never have thought of, "Well, what's the impact on my business?"

- Yeah.

- And it can be critical, like you said, the certificates expiring. If that stops you taking web orders and it takes you 24 hours or whatever to sort it out what does that do not just on your day's business, but the repeat business. Because "I'm not going back there," you know.

- It's different isn't it? Your DR policy used to be about taking your tape and putting it in, you know, taking it, make sure someone takes it off site at night. That's completely different now. So it probably needs that everyone needs to review those policies and review what they would do in the event of this, and this is why we've introduced a new service to do this because we can't do it as part of our support contract because it's not standard support.

- Yeah.

- Some customers-

- Don't need it.

- Don't need it, 'cause they're covered for that. Some customers need a lot of support. Some customers probably want something in the middle-

- Yeah.

- where they have someone. So to charge everyone as part of the support contract wouldn't be fair. So it's just an initial service that we can now have to help people out as much or as little as they need it.

- There's always a backup, as somebody else, I can do it.

- Yeah, and to just to give a, some advice. We would always recommend that they have somebody internally that understands this.

- Yeah.

- But you know, we're here as as a backup to discuss those ideas.

- And we talked about BC, this is CRM as well, I'm guessing isn't it from-

- Yes, it's any- We've got quite a few CRM users as well that do that.

- Yeah.

- Okay, is there anything else that you think is worth mentioning around any of these changes or things that, examples, scenarios that we haven't covered?

- It's still evolving. It's still, it still changes.

- Well, that's the other thing that's difficult, to manage it internally for customers, isn't it? Is that they can't necessarily keep up to date. It's not their day job.

- [Mark] Yeah.

- It's our day job.

- Yeah.

- So I think we, you know, I hope that we can keep on top of all this stuff and we can push information out.

- Yeah.

- I feel like though, that sometimes people don't read the emails properly that we send out about this because it sounds quite techy. And they might just, "Oh no, I don't wanna, that's not-" But it is important. This is the security of your data and your systems and the impact is so, you know, if we do send something out and you know, people don't understand it or, then come and talk to us and let us explain it.

- Let us explain it because it is, you know-

- Let us explain it because it is, you know, it's the equivalent to going out your warehouse and leaving the door wide open, isn't it?

- Yeah.

- I mean, there is on the website on the Tecman.co.uk, there's a blog about this, I just printed it out so I could just refresh myself, but, "important changes to the Microsoft partner administrative poo- privileges." I'm really struggling-

- Are you alright this morning?

- I've lost my, I left my phone in the taxi last night. But there is a basic overview of what has changed. So we've put that on the blog so that's available. You can speak to your customer engagement manager and they'll help you out, put you in touch with Mark and his team around what this means. So we're trying our best to get that information out. But it is important that customers are aware of it. I know we covered it, I think last year a little bit at the user day. We've got that happening again in October. No doubt there'll be some sessions around that.

- Yeah.

- But we are doing our best to get as much information as we can out and to help and make people aware of what this means. It's nothing scary, but it's just understanding it and putting the-

- Yeah, it's awareness.

- in place.

- That's great, thank you Mark.

- No problem.

- Yes, thanks Mark.

- And the moral of the story, don't leave your phone in the back of the taxi.

- Perfect, okay, well thanks. Thanks everyone for contributing today to the podcast and thanks everyone who has tuned in and, tuned in, is that still a thing now? You don't have a wireless anymore though. Has watched this on YouTube or Spotify or wherever you're getting it from, we appreciate you listening. So thanks again and we'll see you soon on another episode of "Tecman Talks Dynamics".
