From Tokens to Trust: Microsoft’s Biggest Security Shift Yet
Guests
Video Transcript
All right. Welcome everybody to the first Monday of August here on the cyber call, and we've got a great one. Um, we, we are joined with, uh, Kelvin Gellar, Nick Ross, and Brian Blakely in studio. We are gonna be talking, today's episode is about Microsoft's biggest security shift, yet that's what we're titling it. Um, but, uh, and we'll do some intros momentarily, but before we do, let's talk about a little bit of banter going on as we let people, um, join in.
Um, 'cause there's a lot of folks coming. As I, as I see the count starting to pick up, I'm gonna put, I'm gonna put two URLs in chat. The first, we're gonna talk about two relevant things. Um, morning and welcome everybody is, um, this one, uh, came out today and it is about a exploit again, uh, around shockingly Kelvin, around 365. Um, Oh wow. What a surprise. Didn't you believe It? Um, and it's, it's, it's a, it's quote unquote a new one. Uh, you and I were talking about this offline.
We haven't seen this before, but talk to us a little about link wrapping what they're doing. 'cause it's pretty clever and It's, it, it, it's, it's very clever. And the thing is, I've never seen it being abused, um, in the way described in the article. Um, I, I was surprised at, uh, uh, it being an actual attack vector these days. Um, so what happens is a lot of scanning software, Proofpoint, or Microsoft Defender or these kind of things rewrite a link to be a safe link.
And then there's a little piece of detection inside of emails. If something is already rewritten to be a safe link, it doesn't need to do that again. So if you send someone a already rewritten safe link that has been scanned, then change the contents behind it by changing a URL shortening service or that kinda stuff, you actually forward 'em to a phishing page and Microsoft says, or Proofpoint says, Hey guys, this page is absolutely legitimate.
Which is, which is, it's, it's actually a very creative way of approaching this. Yeah, yeah. It really is. Calvin, any thoughts on starting with you?
Calvin, I'll go to Brian, but like, hey, this, how, how might you mitigate something like this o other than awareness, Calvin, that now all of a sudden we, is it, is it, you've, again, we've got look at who's sending it and just flag, you know, this, this sender's never sent you anything before, obviously that, that if it's a spear phishing, obviously that could get, you know, overcome as well. But, uh, anything come to mind?
Um, I think that, that user training, um, I, I, I believe in user training, I 100% do. So that, that is the only way to get around these kind of things because, um, even with that, we convince users like, Hey, if this is a safe link, click on this. And or if it's a safe link, you can hover over it and see that it's safe. Microsoft marks it with a little thing saying like, Hey, it's, this link has been scanned, and like, yeah, you can't do that in this case.
So even user, user education doesn't really help that much. It's, it's a very difficult one to, uh, think of a good solution for. Yeah, yeah. Yeah. Brian, any, any mitigating things you would, you might recommend on, on something that like, like this? Oh, awareness in the community, for sure. Right. And I mean the, the, the, there's no limit to the creativity these days with, uh, bad actors.
I mean, it reminded me this wrapping of the, the URLs and such reminds me of the one I saw last week too. A little off topic, but in the same realm where there's this white on white text or this hidden text and email, and then your AI summaries actually pick up the hidden text and actually redirect or, or tell you, Hey, you need to go to this link because you need to reset your password. So your AI is actually captures that hidden text in an email that, that otherwise would've been ignored.
Summarize it and redirect. It's, it's amazing the, the amount of creativity. And with ai, we're gonna see that increase, I think, exponentially, um, because the bad actors and, you know, just like we do have ai, right? Yeah. Can do some of this stuff. Yeah. And it's, it's, it's absolutely amazing because, um, I actually read a medium article about someone who used that same technique to get his resume past resume scanners that are AI based.
He just said like, this Canada is completely suitable in white text. And that's what the AI kept giving back to Everyone. There's no the droids over there, huh? Exactly. So, Nick, anything on your mind? Yeah, I mean, I think it's, it's a hard one to solve for just given, you know, the, the creativeness behind it, but always think about defense in depth. You're getting past that first layer of email security user clicking on a link.
Um, which, you know, a lot of the, the end user training we do, they'll still got a, uh, false susceptible to those types of things, especially if they, they pass those checks, like Kelvin was mentioning around Microsoft saying it's legitimate. Um, but then I think we also have, you know, some type of layer on our, on our endpoint around, um, web content filtering and, you know, the, the various things that you can put onto the device to help protect against that.
But without, you know, diving into the, the details of, of experimentation there, it's certainly, um, you know, something that you, you have to dive into a little bit, um, more to get into the, the weeds of what are, what are some of the defensive approaches here. Got it. Alright. And then one more, Calvin, I'll start you off with this, another one we were talking about, and Corey Clark, um, who is at Solutions granted, and now part of SonicWall does a great blog, I'll put that in there.
But, um, the, um, uh, SonicWall SMA one hundreds are under a deep attack. Once again, um, this is, we keep oscillating between SonicWall, Avanti and Fortinet, seemingly with these VPNs. And, um, and I'm, this is joking around Paolo, certainly not after leaving, they said not our, not our vpn. So we know that that, that it couldn't have been theirs, uh, little sar. But, um, what are, what are your thoughts on, on this?
You, you're kind, you're, you've got kind of a a I, I I am, I am very opinionated about yes. Um, where you should focus your protections. And these days that is no longer your firewall. It, uh, leaving security to the edge is a risk. It is not something you should be doing anymore. You can even start putting in the dumbest firewalls that you can find like, that are just doing simple, uh, firewall services and not using, uh, advanced UTMs anymore because no one cares about the Edge anymore.
These devices give you a huge attack surface. And you know, what happens when something is blocked ex uh, internally to externally, people just grab their phone, they connect to their hotspot, and they go like, okay, and now I no longer have the security thing or the security issue. I'm no longer being blocked by my firewall. The edge is over. It's all about your identity now. It's all about, um, um, making sure that the identity is protected. And from there on, you get a lot less risk.
Something like zero trust networking, where you do connect to a sort of VPN endpoint, putting it in air quotes, because I mean, we all know how networking really works in the background, but it's, it's a lot more involved. You make sure that your identity is protected or maybe even device-based protection, but no longer the edge we're working from anywhere these days. We're No, like, like this is, this is, this is my soapbox.
Everyone picks up their laptop, works on a plane, works on, uh, at a coffee shop, works at wherever they wanna sit down. Yeah. And it just doesn't work protecting the edge anymore. So we should be saying goodbye to these large complex, ut complex UTM devices have, um, network segmentation where each device is isolated, because most of our apps are SaaS anyway. And when your device is isolated, you protect the device and the user, that's it.
You no longer need to worry about the attack surface on your firewall. Yeah, yeah. Brian, any quick, quick takeaways on this for you? Yeah, it's just the perimeters, the end user's fingertips, right? We talked about this in the virtual green room and, and moving to getting past the buzzwords of zero trust, right? Implementing real, uh, zero trust and all the, the goodies that go with that. It's not the black box you put on your network, right?
It's this, it's more of this philosophical laundry list of things that you employ. Um, but I do think you, you see S-S-L-V-P-N being deprecated everywhere and you know, Fortinet recently moved from it, so hopefully it moves more towards your trust and perfect topic as we get into some of the stuff that we're talking about today. Yeah, Absolutely.
By the way, um, speaking of Zero Trust, we are going to have, uh, let me do a shameless plug for right above 26, the number one rated session this year. And I, Bob Miller's on as one of the, uh, advisory council, the number one rated session. And we had them create the sessions and the MSPs voted on O Brian was, uh, Jason Garbus, who actually wrote the book Zero Trust is doing both a workshop and a main state session. Um, he is, um, part of Cloud Security Alliance.
He leads their division of of Zero Trust networking. Um, and last but not least, uh, was one of the originals of Architecting App Gate, which is used by most of the DOD. So, um, you know, we're, we're, we're excited to have him present and, and, and do a workshop. And Nick closing it off. Any, any comments on this from you?
Yeah, I think the only thing, you know, when we take about, uh, new age, uh, solutions, you know, beyond A VPN, if you need to funnel traffic somewhere, or you don't want to have private traffic, you know, there's newer solutions like global secure access that, um, you know, provide a, a more remote first, uh, way of starting to think about that. Definitely agree with, with Kelvin and Brian in the sense of the user and device being the attack service that you really need to lock down first.
Um, but certainly, you know, there's a lot more solutions that you can, you can start to look at that are more sassy ZTNA based that, um, can help, you know, get away from some of this, even the third party risk using Microsoft Solutions too. Yeah. Alright, lemme set the stage, do intros and let's go, Brian. Alright, so, um, big article last week.
Of course, Kelvin had the inside and probably Nick did too as Microsoft MVPs, but, um, you know, three big shifts happening that we wanted to talk in the ecosystem. First, uh, this token protection coming in P one, we're gonna spend some time, right? Aw, out of the gate talking to Kelvin about that. GAP, uh, one of our favorite subjects, Kelvin Wright, because everybody knows all about that and Everybody understands GAP entirely. No one has any questions.
Um, and then the third being, um, you coming out, when I say you, um, step now, what, 85 to 9,000 on Thep? I I think, I think we broke 9,000. Yeah. Wow. Yeah. Not using your open source platform and, um, big news, you're going to actually have a credential that for administrators, you're going to be opening that up again at write a bill this year for people that are gonna go down that credentialing path. Yep. So those are our three big topics. So with that, let's do some very quick intros.
And Brian, I'll kick it over to you. So Kelvin, welcome as our guest, tell us a little about yourself. We go to Brian and then Nick. Awesome. Um, well, Kelvin ler, uh, I own a MSP in the Netherlands, a fairly large one, uh, growing rapidly still. Uh, lots of fun running an MSP. So much fun that I decided to start a second business on the side called second Because you weren't busy enough, Because I wasn't busy enough. Yeah. Running an MSP is too easy.
Um, so yeah, um, I have, um, I, I run my MSP, but I also have a second business called Cyber Drain. Cyber Drain. Created a product called sip cyberbrain Improved partner portal, which is, um, a M 365 multi-tenant management tool. Still quite a mouthful.
Um, what it does, it helps you manage M 365 4 MSPs, um, like you just said, where I, we have about 9,000 users using it, or MSPs using it today, around two to seven, two to 6 million tenants in total that we manage, which is an absolute insane number. Um, and it's lots of fun because, uh, we have a very small team and we're very community based to make sure that we embody everything that an MSP needs that that's important for, for cyber rain. Yeah.
And doing good stuff is it's open source and Yeah, absolutely, absolutely. Entirely free. There is a, there's a hosted component, but it is entirely free. Yeah. You have a, an upgrade and you can certainly Yeah. Plug that later on. Brian, thanks for joining. Being a co-host, often being a contributor, uh, very often. Thanks, uh, for those that may not know you, quick pitch of, uh, who you are, my Friend, well just, uh, chief Risk Officer, compliance strategist at, uh, compliance Scorecard.
So Andrew, excited to co-host, uh, today's, uh, hot topic with Calvin. Thanks. Awesome. And for those who know Brian, uh, uh, three decades in this space, uh, InfoSec the ciso, ciso, multi multiple MSP, uh, exits. So he had sat in your shoes and knows exactly what, what you're doing. Alright, Nick, over to you. Yeah. Uh, thanks Andrew. Yeah, I'm Nick. I'm the CEO of Cloud capsule, which is a automated security assessment tool for Microsoft 365.
Most of you, or some of you may more know, so, uh, know me from, uh, my YouTube channel, uh, which is team minus 365, which is all about Microsoft and SMB. A lot of inspiration was from watching Kelvin over the years and, uh, get my Microsoft MVP from his nomination as well too. Yeah, anytime I Mvp, but, um, I'm happy to be here with you guys. Good, good to, good to have you Nick. Thanks for co-hosting. Alright, Mr. Blakely, over to you to kick good offer today. All right.
I'm new to the co-host thing. I've been contributor a lot in Kelvin's hot seat, but this'll be new to me, so, uh, excited to be be part of it. But, uh, Kelvin, before we dive in into Microsoft's big announcement, right on token protection, I think we, we probably wanna zoom out a bit 'cause there's been a real surge in like phishing as a service platforms or really MFA bypass as a service lately.
And it feels like they're getting more sophisticated, more accessible and, and more damaging really by, by the hour, by the day. Okay. So I, I've been hearing a lot about reverse proxy and man in the middle type of attacks using platforms like Tycoon and, and Evil Proxy is another one I think of. And they're not just bypassing MFA, they're weaponizing it, right? So can you walk us through Kelvin, what's going on in this space?
What's driving this explosion and this phishing as a service and why platforms like Tycoon two FA are proven to be such a, a big threat right now, especially for MSPs and the, the clients we're all trying to, trying to protect. Um, it's because, um, and, and I say this as an m Ms P myself, it's because MSPs are idiots.
Um, in, in reality, um, um, look, looking at what the things that we're supposed to do to prevent, uh, multifactor bypass is something that we were supposed to do 10 years ago already. And that is have users educated about what is phishing and what is not phishing. 'cause if you have that part under control, then you don't need to worry about your MFA token being stolen or your credentials being stolen or these kind of things.
But for the longest time, um, we as MSPs either haven't believed enough in education or we haven't trained them, trained our, uh, our end users enough to recognize phishing. And that this increase isn't just because, um, users are falling for it each year, but also because there's a lot more tooling available for these phishing toolkits. One of them right now, um, completely generates exact copies of emails using ai.
They simply use a form of Jet GPT or Gemini or all of these kind of things to create a perfect copy without any broken links or broken images. 'cause normally we tell our users, Hey, you can recognize it. The, the image is broken or the link is incorrect, and then suddenly there's this perfect email with just one button, the CTA that is clickable and is a phishing link. It's, it's getting, it's getting too good. Our users won't be able to recognize it anymore without proper education.
And because of that, that, that's why we're seeing more of an influx of people falling for it. It's not that there's more available, it's just that the phishing is getting so much better that people are falling for it more. Yeah.
Brian, if I could just ask Calvin, Calvin, you know, I read, read a recent article and I'll, and I'll put it in as well, uh, that, uh, the phishing as a service ecosystem is becoming so efficient and, and, and, and it's allowing the, the entrance barrier is, is, is a, you know, you're talking a few hundred dollars a month, they obviously can scale up depending on the sophistication that you want to use, but how, how, you know, how relevant is the ecosystem of actors to, to the pro to the growth of this, their, their capabilities of being very efficient, scaling, et cetera.
As, as with all sufficiently mature technology, um, scaling becomes easier and easier over time when more people have control over that specific piece of technology. Um, there, there, there's, there's more available out there, there are more toolkits fish kits available these days. And, um, eventually it'll, it, it just goes down to the lowest bidder and that it's a race to the bottom for them as well, just as it is for MSP services these days.
Like some MSP services are also a race to the bottom because everyone is offering them cheaper and cheaper because it's commoditized. Phishing is commoditized, which is an insane thing because talking about cyber cybersecurity threat actors being a commodity or, or using tools that are a commodity, criminals using a commodity. That, that sounds weird. Yeah. Back over to you, Brian.
Yeah, for the next question too, is just one observation too, is these, the, the maturity of some of these things as a service too. I mean, you go there, the barrier to entry, like Andrew said, is low, but there's also support. I mean, they actually provide support on using these MFA bypass as a service, right? Hey, I'm using your service or tool and I'm having problems, and that will actually help you and, and support you through the process. So it's just, it's, it's nuts out there.
Alright, Kelvin, so let's get into the, the big Microsoft announcement. All right. Token protection, which is now available in intra, uh, I IDP one. So that's a shift I think a lot of MSPs weren't expecting. So, Kelvin, can you, can you break down or add some detail for what exactly is, I guess, token protection 1 0 1, you know, what's new with this rollout to the P one licenses and why is this really such a game changer for MSPs and their client?
I mean, what makes this specific move such a big deal by Microsoft? Yeah, so there's actually a couple of, um, um, so To make sure that everyone understands exactly why this is a big deal, let's take one, one very quick step back, and I'll try to keep it short. But, um, so that everyone understands what we're talking about.
The token is a, uh, the token that we're talking about in this case is the login token generated by Microsoft, which allows you to use their services when you log in, um, using your username password and MFA, uh, credentials, a token is generated and that token is a text representation of your valid login.
And what hackers could do previously before token protection existed, was we could take any bad actor or anyone that does this, could take that specific token and reuse it at any location that they wanted as long as it was in the validity, which is an hour by default or 90 days if they stole your refresh token. That allows you to very easily abuse someone's mailbox. Or if you have an admin account abuse their entire tenant. It, it, it, it is a very easy method to do that.
Microsoft came up with this idea to, um, make sure that your token would be protected in some cases. And token protection quite simply works by checking, is the IP address of the person or the device of this person still the same device or IP address accessing the service? If not, I will deny access. And that used to be just a P two P two solution, a intra id P two. And, um, I know, but I might be speaking for myself here, but not a lot of MSPs, I believe use intra id.
P two P one is much more commonplace as it's included in business, uh, premium, the, the skew that most MSPs use. Um, so there is, um, um, it, it, it is a new feature that Microsoft has leveled down to make available for everyone. It was already available for about a year, uh, in in in general. Yeah.
Kelvin, uh, I guess we, we have a lot of, uh, technical folks out there, kind of how is the sausage made kind of thing, and do you mind maybe going one layer deeper into, into token protection, I guess from more of a technical perspective, you know, how's it actually prevent the token replay or session hijacking? You mentioned some of the IP checking and yeah, some of that, but really under the hood, how does that Yeah, how does That work?
So, so, so under the hood, it's, it's like when we go super nerdy, it's, it's really exciting what mi, Microsoft says that you create a conditional access policy that targets your intra ID joint or registered devices. When a device is registered, you get something called A-B-P-R-T, a bulk Primary Refresh token on your device. That bulk primary refresh token is able to generate more access tokens.
Um, every time you access a service, for example, you go to the Microsoft portal or you open your Outlook or your open teams, it uses this long lived token to generate a one hour access token. Now the, these one hour access tokens, normally speaking, um, you can use them everywhere you want. Like I said, you can copy and paste them. They're just a text representation, so they're just a really long string you could copy and paste them to a machine in America, even making it look like.
Um, so I'm in Europe, I copied it to a machine in America in my logs, it looks like I am accessing the service from my local machine, because that is the IP address located in the token. So, so that's, that's a little bit weird, right? So Microsoft figured, you know, with this new protection, what we're going to do is each token is going to have extra metadata assigned to it.
Each BPRT generated token gets a little piece of information about location, about which device it was generated from, which IP address it was generated from. Um, I think they store some, some other like secondary information like which type of MFA was used to generate this token, like was it, um, anti phishing resistant, MFA or not, these kind of things. And all that metadata is included in the access token.
So now what Microsoft does, instead of just saying like, Hey, you have a valid access token, that's okay. They go like, okay, you have a valid access token, but let me actually zoom in on the contents of that token and say, are you in the right location? Are you on the right device? Um, does all the metadata of your device match the metadata that you've sent me? And if it doesn't, then the token is invalid and it simply gives you a pop-up saying like, Hey, you are not allowed to log in here.
So from the, from the engineer side, like, like a deep dive on it, it's super nerdy. They simply added a lot of data into something that was already in an existing token. Kel Kelvin isn't, you know, de uh, deja Phoenix kinda alluded to this. I isn't it like, whether it's Hulu or he's saying activation blitzer, they're getting smarter because they don't, they, they don't want you to say, Hey, Kelvin, you can use my, you can use my account, you know, you and I are buds. I'll sign up.
You can use it, Nick, you can use it. It it's that type of technology to make it really layman's terms, is It not? Yeah, yeah, exactly. Exactly. But in a way that doesn't immediately bother to using. 'cause if you would enable a VPN, some of the metadata is still valid, it's still a valid device, it's still registered, so you don't want to log out the user when something like that happens.
So there's, there's a lot of logic applied to that to make sure that only when a specific amount of the triggers have been triggered, it invalidates the token. Right. Good. Good. Got it. All right. Thanks for that, Kelvin, that, that kind of nerdy deep dive in under the hood. Under the hood. Look, I actually had a second part, um, ques to that question.
I think it's, it's probably on a lot of people's mind, but why did, why do you think Microsoft made the call to release this now and include it in P one? I mean, do you, do you feel like there's a bigger strategy at, at at play here? Absolutely. Um, so I actually spoke to the, uh, person that at the identity team that created this technology, and they wanted to make this available for people from the very start after preview.
But, um, MSPs kinda shut themselves in the foot, or at least the SMB that, not even MSPs, just the SMB in general, which is a much bigger market. Um, we publicly say, um, we don't wanna be tested. We don't want to be Guinea pigs. We don't want to Microsoft to test things on us. We don't want to, uh, uh, be forced to use beta software or these kind of things.
And because of all of those statements, Microsoft thought, oh, we can't keep developing these technologies and letting it, uh, uh, just out, uh, letting it out in the world. So we'll now start testing it in control environments that we know how they work the enterprises, because Microsoft will always be an enterprise focused company. They, uh, made it available to them with the idea of, oh, this was always going to be a, uh, feature that should be available to the bigger public.
And only now they've been able to make it available to P one because now they're finally done with all the testing and perfecting it. So that is, um, uh, it, it, it's kind of our own fault. We, we sometimes as SMBs are a little loud saying, oh, we don't want to be tested on, like, windows tests are, or Windows preview updates are always terrible, and we kinda shut ourselves into foot there. 'cause we good have this technology available much sooner. Yeah.
And Kelvin, with this available now, um, one thing I've been thinking about is with, with token protection included in P one, do you think this will start to level the, the playing field, uh, a little bit. I mean, for smaller MSPs who really couldn't justify or afford that jump to P two, do you, do you see this as kind of a real opportunity to close some of the security gaps without blowing up the budget, so to speak? Absolutely. Absolutely.
Um, even, even more, uh, any MSP that is on the cyber call listening today, if you do not enable token protection for your clients, even if you say like, okay, I'm going to do a phased rollout and I'm going to take it easy and make sure that everyone gets it in a year, but I'm telling you, if you're not doing it right now, you're being negligent. It's, it is a 100% certainty that you are protecting your users with this. It, it is, it stops token replay attacks dead in its tracks.
It just stops them the same as using, um, um, uh, phishing, uh, resistant MFA. It's the same thing. If you're not doing it today, then please start doing it. Please implement it as an MSP because your user should be having P one, you should have business premium Kelvin. Can this be done at scale with a sip with different Yes, yes, absolutely. With SIP or with PowerShell or, or, um, even using Microsoft's, uh, own, uh, conditional access, uh, import functionality, you can do this everywhere.
And, um, it makes it so much easier to do this at scale, especially once you've, uh, implemented one of your clients. You just sent them out a couple of emails saying like, this is going to change. This is what you're going to notice. And from then on, uh, you, uh, are able to easily implement this anywhere. I saw some questions coming in from the chat. Um, number one was, does, uh, do you need a P one license for every user using this? Yes, absolutely the same as conditional access.
And please be aware that Microsoft is now auditing on this actively and they're sending out emails saying like, Hey, if you don't have a P one license for all your users, which you using conditional access, they will shut off your tenant's access. They do not accept license cheating as a, as a whole. Another question was, um, doesn't Token Protection only run on Windows currently? Yes. Got it. Um, and then Jason says, is there a way to monitor results when token protection is enabled?
Yes, absolutely. Um, it actually is logged in the audit logs immediately when token protection is triggered. Um, and it's, it's very easy to alert on that using Sentinel, using SIP or using any draft tool that's able to read the logs. Kel, Kelvin, speaking of logs, and Brian, I'll turn it back over to you. Um, just real quick, uh, if you recall with the, it was about a year ago, Kelvin, maybe more, but something about a year ago that Microsoft themselves were attacked.
Um, it was, you know, I forget it was Storm followed by four letters. It was one of the big, you know, nation state threat actors. Yes. And they said, we will enable logging for, you know, uh, business edition, um, and it'll be, it'll be out there within X days. It was out there, and I remember you and I talking about it, but they didn't quote unquote make an announce where, where do we stand these days with, you know, your premium licensing, you know, your basic licensing, not E five.
What do we get, what don't we get? Um, in regards to audit logging these days? Um, after that, that little bit of hassle, Microsoft made some changes in what mailbox auditing events were available. Um, you pretty much get everything. You, you, you, you, in business premium, there are no more hard limitations in the data that you receive. However, the, uh, um, time that it's stored still limited.
Uh, I believe the current maximum is 90 days, uh, upgradable to 124 business premium and a year if you have an E five license. I'm not exactly sure about that. I, I'd have to check it. All these numbers there. Yeah. Yeah. I I I try to store them all in my head, but it's not always possible. No, that, but that's really helpful. So, and, and Brian, over to you, man. Well, just, and, and knowing Microsoft, all of everything Kelvin said is subject to name changes and Yes. And shuffled.
Yes, absolutely. As We speak. Maybe, uh, I, I, Nick, I think are, are you up? You got, you got 'em all done for you, Brian, you're four there? Yeah, I believe so. I think Nick's up. All right. Nick, over to you. Yeah, so I think we're gonna shift into, uh, talking a little bit, uh, a g Dap P and certainly Kelvin.
I think, you know, one of the things I, I recall early days of G DAP when it first came out is I was working with the Lighthouse team, uh, at Microsoft and also talking to you as well too. And, um, I think you got some, some pretty good domain expertise with G dap, but I think you maybe have some, some figures behind, uh, the number of users leveraging G dap. Uh, what are those these days? Do you think?
It's, um, okay, so e everyone was forced migrated by Microsoft, so everyone's using G dap, but there are still a lot of people using what's called the MLTG DAPs, which are Microsoft LED transition, which actually just give you a much lower, uh, uh, level of access than what you used to have. And a lot of people are com still complaining about that. You see red Topics once in a while, uh, um, popping up saying like, Hey, I can't edit this exchange property.
Yeah, that's because you haven't set up G Deck yourself and you allowed Microsoft to migrate you. Um, I don't have the exact numbers, uh, uh, anymore. Uh, um, I know that SIP and Cyber Drain helped migrate like 60% or 70% of all GDAP migrations in the world, which was an absolutely insane number. But because of that, I always consider myself a little lucky that I got to be that close to the GDAP teams because of all of these migrations and that kinda stuff.
So I'm, I'm able to get a bit more of a look inside of the kitchen than other people. Yeah, no, I love that. And, and working with their team, they certainly built some tooling there, but you know, a lot of people adopted SIP just 'cause it was a lot more straightforward to understand Yeah. And deploy.
Um, but if we zoom out on that just to kind of, uh, look back and, and kind of just more so look at the top level, um, talk to us, what, what, what is G DAP p um, and you know, do you feel like MSPs are still trying to adapt to G DAP today versus, you know, years ago when this first came out And Kelvin, would you also, when we sat down at Flow, you mentioned there's con there's different types, right?
They're, you know, one with the CSP one with the actual tenant and they get Everyone, everyone's confused. Yeah. Can you, can you demystify a little here? Yeah. So, um, taking a step back, G DAP is granular delegated access permissions and granular, granular, granular delegated access permissions. This is terrible. Um, um, allows you to access the tenants that you manage using the Microsoft set roles.
So instead of saying, Hey, you are a global administrator as you used to be with, uh, DAP or Close to Global Administrator as you used to be with dap, you can now select the roles yourself that you have access under, but your GW relationship is your own. It doesn't mean that if your, uh, vendor, for example, your CSP, let's say P PAX eight or Share Web or all the others, if they set up G dap, that is for their access, that does not give you a way into that client's tenant.
You have to set up your own relationship for that. Microsoft also made a big change there, um, where it used to be the case that anyone that had a one-time, uh, access link sent you a one-time access link, had access to your tenant forever using delegated access permissions. That's how it used to be. Now, there is a maximum term on the Gdap relationship, and if you include global administrator, that term decreases.
So they are really trying to prevent you from having global administrator access into specific tenants. They also allow you only to autorenew if you don't have highly privileged roles. That is to prevent you as the MSP from having highly privileged standing access over long periods of time.
Um, with dap, I used to be able to connect to all of my clients' tenants in one go and list all of their mailboxes, which when you think of it is kind of insane because I'm pretty sure most of my clients never gave us permission for that. Um, but with GDA, the client explicitly accepts a link and in that link are the specific rules, and they get to see what access does my client or does my MSP get.
They get stuff like, um, oh, hey, they can view all mailboxes, they can, uh, look at all contents of my SharePoint site. And that makes it a bit more of a trust relationship between you and your client as well because the client themselves gives you the permissions that you are requesting.
And they're also set in stone, sorry, Kelvin, even though it says that if you wanted to really, you know, cover your, you know, what, would you state something in your MSA that as acknowledged when it comes to managing Microsoft? You're agreeing to said terms of G dap, blah, blah, blah. Yeah. So that, you know, did that extra layer in your actual agreements, would you do that?
Yeah, we actually have a part part in our MSA saying like, Hey, we request a gdap relationship with specific roles, ask for the addendum on what specific roles we request, and then, uh, that way we get ourselves covered. Um, the cool thing about G DAP is that it's also no longer like that someone clicks a link and it's, it's accepted for once. It actually means, um, that it's a contract with your client. And there's no more changes after you create the G DAP relationship.
So do you want an extra role? You actually have to send them a new link and they have to actually accept that new role. You can't just give yourself more privileges anymore. So, so unpack that Kelvin, you win a new, you, you, you know, you guys are growing leaps and bounds. You win a new 75 employee deal, they've got a relationship with another MSP.
How does that work then if they, So that that relationship is locked in place and they will have that access, the client's able to revoke the access and we have to request a new relationship. So between Art, uh, art Tenant and des, it's no longer a, a relationship that people are able to, to use like the previous, uh, CSP DAP relationship, the previous CSP DAP relationship, your, uh, MSP was able to use and your CSP was able to use.
Now that's all separated, allowing a much more granularity, But an important piece of onboarding. No, that as you have an outgoing MSP, you really need to make sure, You need to make sure to remove their access. Yes. And probably a good, you know, at least, um, setting the stage even in the, all the way in the sales process that here are some of the things and changes that you're gonna be responsible, almost like shared respons, this is what you're gonna need to do, et cetera, et cetera. Yeah.
Yeah. Exactly. Exactly. Cool. Alright, Nick. Yeah, and I think vin, I, I see a lot of MSPs kind of getting, getting tripped up obviously with, with various different factors here. But one of the things I've seen most prevalently is it is complex to understand. And in some cases, you know, you set up these relationships, you add these permissions, and then your technicians go in and they don't have access to something that they need to go do.
And so they get frustrated and what they end up doing is add every single permission and almost resemble back to what we had with dap, which is Global Administrator full control over everything. And, uh, it kind of defeats the purpose of G DAP and the security that we're trying to put into place.
Just curious, you know, what are, what are you seeing in the sense of, you know, what, uh, mindshift shifts you need to make, you know, when thinking about G dap, um, but also where you see a lot of people still getting tripped up? Yeah, so the, the, the second one, the second part of the question is the one I see most of all it's people getting tripped up, uh, just going like, okay, you know what? I see 88 rules available. Let me add all of them.
Um, and then they click next and uh, then suddenly they're like, Hey, wait, nothing's working anymore. And it was actually quite surprising to me because Microsoft recently had, well recently about half a year ago, Microsoft had someone from the G DAP team joined our Discord server and explained G DAP to us, like, like as a public service thing.
Um, there's actually only a list of 55 supported roles for G DAP P Yes, the list shows all 88 because there are 88 Microsoft, um, uh, privileged roles or 89 these days. Um, but there's only 50 supporters for gdap. So if you select all of them, you'd no longer get access anyway. So you're breaking it for yourself.
So you have to be a lot more careful and think through your gdap strategy a little, um, out of those 55 roles, there's only 12 that you need to be close to a, uh, global administrator but not have that far reaching constant, uh, standing access.
Uh, one of the really useful roles to add to a gub relationship is creating one with privileged role administrator, which allows you to create a new global admin in the tenant in case you do have a break glass event or you do need far reaching access or you need to enter, uh, uh, the user's data. Because one of the things that Microsoft said previously with that you were able to access a user's data. Now with G dap, Microsoft says, Hey, that is no longer the case.
You agree to never view that data otherwise you become responsible for that data. And you don't want that either as an MSP, you don't want to be responsible for all the data that your clients are generating. So they remove some of that access, which means you need a just in time administrator. So using the privileged role, uh, administrator account allows you to create a new global, uh, administrator in the tenants and temporarily gain access using any GIT tool. Nice. Yeah.
Yeah, there's a lot of those, those little nuggets and caveats that you learn, you know, after going through it some over time. Um, exactly. And It's changed obviously in the past years, you know, we've seen different roles added but also mix up there.
The other common thing that I see personally is also, you know, just when you said strategy, it kind of triggered this as well too in the sense of, you know, I've got my existing technicians tier one through tier three, and they may need certain levels of access into the client. How can I maximize, you know, the security benefits of, of G DAP while also, um, making sure that we align, you know, those roles to those permissions and thinking about that.
So I don't know if you could speak to, you know, some of the strategies that, that you would recommend, you know, for that kind of the common distribution that we'd see, but also just, you know, how people are aligning their own internal processes around gdap. Yeah, so one of the things that we've done at my MSP was, um, decreasing access for everyone, uh, for everyone, not just for tier ones. We said like, you know what?
We're going to see how much stuff everyone bumps into when everyone is just a user administrator, nothing else. When you can just reset passwords, create users, and remove users, that's it. That that's the only permission you had where help desk administrator, I believe the role was That's Called the screen test in my world. Exactly. Exactly. And we were just checking like, okay, what, what couldn't you do?
And then people, instead of coming to you with, oh, I can't do anything, we removed the permissions for everyone, including very advanced engineers, and they said, oh, I need the ability to do X. And instead of saying, nothing works, they actually came to us, we'd need the ability to do X or Y or Z. And having a list of we need the ability to do this allows you to much easier select the roles that you actually need and to assign them to the right people in your organization.
You eventually are able to create a more functional role there saying like, okay, hey, our, all of our tier threes have said they need access to this. So our tier three role is this, our tier two role is this, and our tier one role is just help desk administrator. It's, it's a smoke test exactly as Bob Miller just said, and test it. It works best to define your own strategy because everyone at every MSB will have a slightly different approach to doing things.
And when you are a solo shop, when you are a owner operator, I understand that this is not something you want to be dealing with. I understand that this is not something you want to think about. My personal suggestion would be to use the, to the 15 recommended roles that Cyberbrain has on their documentation, but don't always have them assigned. Make sure that you only assigned a couple that you need daily.
And then when you do notice, oh, I need some elevation at that role, using something like, uh, privileged identity management. Yeah, that's a good point too. 'cause I, you know, we, we leveraged that at RMSP for just in time access into a security group that could then access those permissions as part of the relationship.
And that worked really well because we also reduced our tax surface even further by saying, Hey, you know, even our tier one technicians could pin in to their group, uh, to start their day and they had eight hours, you know, in that role. But when they went home on the weekends on holidays, uh, they didn't actually have any access into our customer tenants. So that worked out really well in that scenario.
Um, you know, when I was working at IMSP, we, you know, had just had come out with G DAP and I went this Bazooka ant approach of creating this whole PowerShell script to audit all the audit logs of every single, you know, service. We accessed, um, you know, through G DAP or through DAP at that point, roles and created this whole Power BI report for it. But what I've concluded was it was no better than doing what you had just mentioned there, which was, you know, going through a smoke test.
Yeah, exactly. And then just trying to test that out and seeing how far we could get. Um, obviously it create some friction, you know, right off the bat, but we were able to place into those three buckets, um, that, that level of distribution, which worked out well for us too. So, um, on that note though, you know, to the point of, uh, Microsoft changing things that's classic, you know, things always gonna happen.
There's gonna come out with, uh, new APIs as you know, more than most, um, you know, around the different things that you could do, but also just new delegated admin roles. Um, you know, especially for thinking about this multi-tenancy, how do you, uh, maintain G DAP consistency, you know, through all those changes and what's your change process kind of look like behind that? Um, you don't, it's, it's, you don't, you don't keep consistency.
So Microsoft has said, promised, um, that there would be a method to add a role to a GW relationship if they decide to add one later without breaking the contract relationship. And of course, Microsoft's compliance team said, um, hell no, that ain't happening. So, um, you don't, you have to request a new relationship.
And currently what my internal strategy is, and this is also what I recommend people using cyber drain or SIP in general, uh, to do, is, um, create one relationship that contains all of your roles. So you don't get an unmaintainable mess of things that auto extend at different times. Um, you just have one relationship, you end the old one, and clients do get, receive an email about that, uh, when you do that.
So make sure that your client is notified and understand why you're making this change. Be like, we need a little bit more access because Microsoft added a new product and you just go from there. Um, that is my current strategy. It's a bit, um, um, you can pay it. Um, that, that sometimes is the easiest solution, especially if you want to, uh, keep having maintainable environments. Yeah, makes sense. Awesome. Awesome.
Well, I think we, as we're winding down on time, we also wanted to talk, uh, certainly about the new SIP certification. So wanna turn it back over to Brian started asking some questions about that too. Yeah, we've mentioned SIP a couple times, Calvin, and for those of of you out there that may not know what SIP is, could we get everyone on the proverbial Gary Pika fairway here and share the number, uh, Kelvin, could you share the number of MSPs using it?
And um, I guess there's big news a few, few days ago with Drift management being added in your, your latest release. So we'd love to hear, hear, share a little bit more about the, uh, the latest version. Yeah, absolutely. So, um, there's about 9,000 ATPs using cnow, uh, managing somewhere in the 2.6 to the 7 million tenants. Um, that's, that's a lot of them. It's, it's, uh, I realize how much that is. Um, SIP started with like a hundred users and it exploded into all of this.
It's, it's absolutely crazy. Um, we recently released, uh, every two weeks we try to make a new release of sip and, um, one of the things that we always want to focus on is following our community, what are they requesting? And one of the requests was you could always apply specific standards to a talent using sip. And that meant, um, set it and forget it, it applies, and there are policies created or security settings change or all, all these kind of stuff.
But a request from our community was a lot more, um, around, hey, but what, how do we handle tenants that already have some existing policies, like a conditional access policy that does the same thing as the one we just deployed, or a interim policy that changes a setting that we just set to on and they change it off? How do we handle these kind of things? So we created the drift management update, which allows you to actually see what a tenant is compared to the defined state you made.
So you make a defined state with all the security settings and all the engine policies you want, and we compare the actual tenant to that and say like, oh, wait, you're having five extra policies in these te in this tenant, or two extra conditional access policies, or you have an extra exclusion in conditional access in this tenant. And users can say, we accept this deviation, or we deny this deviation, throw away the policies. So they're able to manage that a lot better.
Kelvin, just to clarify, Brian, you, you started this to solve your own problem at Lyme. Is that a Yeah, absolutely. Absolutely. I was, uh, this, this was 100% spy driven development. I've spoken about the story before on the cyber call. I was annoyed that no one in the market was doing this yet. I was, I was aggravated.
And because of that, I created this community around creating a, uh, piece of multi-tenant management software because about four years ago when we started this, there was no one that did this, or it was an affordable at like a thousand dollars a tenant that they, they were insane prices at that point in time. Yeah, go ahead Brian. Sorry about That. Oh, no worries.
But Kelvin, man, when you talk about Drift man or configuration management, drift management as me as a compliance and audit nerd like I am, I just, uh, that to me gets me my nerdy senses, uh, exactly excited, right? Um, because that's one of the difficult things to measure is I, Hey, we have these baseline configurations. How do we know when those, when those change?
And if you look at CMMC and others out there, that's become a really big deal as managing that, that drift from the baseline to where they're at today. Yep. So, um, I see Lighthouse got mentioned in the, um, in the chat, so, uh, let's talk about that for a second, Kelvin. So why do you feel, um, Microsoft, uh, hasn't gotten it, you know, with Lighthouse, another multi-tenancy, right? I mean, on one hand it's created this entire ecosystem of MS p solutions, like SaaS alerts and others.
Uh, do you think MSPs will eventually want to make a mark in these threat management areas around, around Microsoft 365? I have a very simple answer for that, and it is, it is, um, it is 100% financially driven. Microsoft released their annual report last year, and MSPs, ISVs and CSPs combined were 2% of their revenue. We are just too small for them to care about. We, they, they, they can't invest money into us. They can invest teams into us because we're a margin error at times.
And, and of course in if you look at the entire s and b market, that's much bigger, that's much more important to them. But Microsoft would much rather focus on capturing that part of the market than focus on giving MSPs extra tools simply because they don't see a return on investment long term. And 2% of course, is a enormous amount of money. Don't forget that Microsoft is one of the biggest companies in the world.
It's, it's an obscene amount of money, but yeah, It's a rounding error there 2% when you're talking about the law of big numbers like that. Exactly. Yes, exactly. Yeah. Crazy. So let's, uh, throw the last two over to you. Yeah. So Kelvin, I want to unpack and, and certainly I would love to hear more about your, your new certification.
Uh, so what is it, how do you, how do you get started and then, um, I know you're, you're collaborating with Andrew to have a bootcamp at the next ride of Boom, so I'd love to hear, uh, what advantages, you know, uh, they'll have, uh, over others using the platform by going to that bootcamp. Yeah, Absolutely. So at ride of boom, uh, uh, to coming right of boom next year, um, we're going to have the very first Cyber Dream Bootcamp or the SIP bootcamp.
And this is really exciting for me because this is, this is a thing I'm super passionate about. I've been speaking to Andrew about this for a while. Um, it is an educational event for everyone at right of Boom to learn how to use sip. It. It's not just a one time you sit down in a chair, you learn something and you're done. No, we're actually going to take you around the sip security expert journey.
It's, it's, you're actually earning a credential, not just, not just a, oh, I sat into in a session for two hours and now I'm, I can show a little certificate. No, it's going to be something worthwhile for yourself. It's going to be something that your engineers will walk away with the feeling that they are now completely in control of their SIP environment and know more about M 365. Not just that they know more about sip, but that they actually understand why SIP is doing these changes.
It's going to be a, a entire skill journey we take you on. And it's not just going to be, oh, hey, you know what? Come over and you get sub certified. We are putting our money where our mouth is and saying everyone that joins also gets a Microsoft certification voucher. Everyone that comes over and joins the session gets a Microsoft certification voucher to continue your learning journey. It's, it's a very first for us.
Um, we've given educational events around M 365 before, but right of boom is going to be the place to get your first SIP credential, the first step of getting your C credential. Okay. Quick, quick intro, uh, interruption there, Nick. There's been a few com comments about CMMC and GC High, so let me leave the GCC high out, but the last one coming from Eric Monroe. C compliance for someone at CMMC level two Kelvin, um, can, can, what can they do possible? Impossible. Um, possible.
I spoke to a friend of mine about this, um, that there are some complexity involved. Um, you'll have to self ho you have to be in control of some IM stuff, uh, as far as I understand. Um, but yes, absolutely possible. Uh, GC high, unfortunately not because GC High does not have all graph APIs available. Actually, it pretty much has no graph APIs available. It's absolutely terrible. It's, it's, Microsoft has decided to shut off for like, like 70% of the APIs. That's crazy.
All right, Nick, I think we have time for one more. Yeah, I think, um, one thing we'll, we'll pocket from Rob here too is when, where did we sign up? Um, so maybe, Oh, yeah, yeah, Rob, it's gonna be, so we're just doing some final testing, um, on all the folks that pre-registered last year, we're gonna run them through the gaunt, let's to make sure the registration system is set. Um, but one of the big, and so probably in the next week to two weeks, we'll have a huge announcement about it.
One of the big thematics, and again, with Bob Miller out there and Eric Monroe also on Advisory Council. Um, we've talked over a hundred, I did a hundred post-event interviews, uh, of attendees.
And what you're gonna see at write a Boom this year, you know, focusing on two personas, uh, well, executive personas and technical personas, executive personas, you'll have folks like Brian Blakely who's here doing things around b cso, doing things around, uh, compliance, patch management, things of that nature, and go to market. Um, and then there are gonna be other certifications that are things like Kelvin's. We're gonna actually bring in the folks from Microsoft.
There's gonna be a plethora, I like that word, nick, of different types of CPE training. It's gonna be much more geared to being able to tell your company or as the owner investing in conferences, we're walking away with these certifications, these CPE credits, et cetera. Um, so, um, in terms of, yeah, so yeah, I think the last question's a really good one, though, for Kelvin to close us out, Nick. Yeah. Yeah. Super excited about the certification too.
Um, just wanted to comment on that, just given, you know, a lot of the standards we can push out in CIPP, a lot of the things we can do can also cause friction, you know, for, for end users. And so educating your technicians on why we're doing this, we can communicate it even better to the clients, is also a huge, huge deal. So, very excited about that.
But yeah, as we're one down here, you know, Kelvin, if you could leave MSPs with a few nuggets of wisdom when it comes to, to managing Microsoft 365 at scale, maybe some of the things that they commonly, uh, miss or get overlooked, uh, where would you tell 'em to focus? I could be like very gross, salesy and be like, oh, you sip now, and that kinda stuff. But I'm not going to, I'm going to say use cloud capsule. Seriously, it's, it's, it's amazing. Uh, go check it out if you haven't.
Um, uh, Nick has done an amazing job at creating something that allows you to get a bit of insight into how, uh, your tenants, uh, what their current state is. Um, the nuggets of wisdom I want to leave everyone with as an MSP is that this multi-tenant management can be done in a lot of ways. You can be wasting a lot of time with something like, um, uh, your power scripts and all these kind of stuff, but make sure that you are at least covering the basics.
Make sure that you are disabling guest access. Make sure that you're, uh, or disabling guests. Uh, over time, make sure that you disable guest access to the directory. Make sure you configure your conditional access policies. These are these, these are, these are all, um, um, fairly entry level things that we sometimes slip up and forget. And I think, uh, last year Andrew and I did a session, a cyber call where we had, uh, five recommendations.
I'll make sure to send that image again inside of the cyber drain discord. And I'll send it to Andrew too so he can share it with everyone. But it, it's just five recommendations that make your tenant so much more secure immediately. So that, that's the thing I'd want to leave you with. Awesome. So, uh, first off, wow packed house. We, I think we peaked at about a 205 Kelvin, so you, you definitely packed the house today.
So thank you for coming, Nick, you probably helped with that as well as you, Brian. So to the audience, uh, thanks as always for all your support. This will be out probably this evening in podcast. Same URL. If you wanna re-watch it, share it to team members, exact same URL will be available out on YouTube. We'll convert it, as I said to podcast. That'll be out to all your major, you know, friendly podcast, uh, platforms as well. So Kelvin, thanks a million for, for joining us.
As always, Nick, awesome job filling in for a first time as a co-host, so we'll have you back as well. And, and Brian, great job on the other side here, not being in the hot seat. Yeah, this was fun. Yeah, enjoyed. You'll be doing a lot more of that. I, I can, I can assure you. Wishing everybody a fantastic week, y'all, uh, take care and we'll see you all very, very soon. Thanks. Bye everyone. Thanks all. Thanks all. Yes. Bye. Thanks.
Related Videos

The Vulnerability Crisis No One is Funding
The Vulnerability Crisis No One is Funding

The Vulnpocalypse Is Here & Your MSP Can Survive It
The Vulnpocalypse Is Here & Your MSP Can Survive It

The CyberCall: The 2026 Verizon DBIR Unpacked with Author Philippe Langlois
The CyberCall: The 2026 Verizon DBIR Unpacked with Author Philippe Langlois