topic Re: Best practice for Entra/Azure Services? in General Topics

Best practice for Entra/Azure Services?

VikingsFan — Wed, 31 Jan 2024 21:27:25 GMT

We currently have a few servers that are being used for Azure/Entra/Intune connector use: Entra Connect, Entra AD Connect, Intune Certificate Connector, etc. While building them out there were so many URLs the server was trying to access we ended up allowing most traffic out without filtering it.

We noticed there are updatable objects for Azure/Entra and would like to use those but there are a ton. Do most people go through each category and only select the US options (assuming you're in the US) and even then I'm not familiar with what categories would be needed for basic Entra/Intune connectivity.

For example... I was going to go through each category and pick out each one of these but then it got to be a bit cumbersome:

Public - Central US
Public - East US
Public - North Central US
Public - South Central US
Public - West Central US
Public - West US

Just looking to see what other places are doing to tackle this issue.

Thanks!

Re: Best practice for Entra/Azure Services?

the_rock — Wed, 31 Jan 2024 22:47:05 GMT

Thats exactly what I did for one customer, based on location. Another client simply wanted cloud services allowed in general.

Best,

Andy

Re: Best practice for Entra/Azure Services?

VikingsFan — Wed, 31 Jan 2024 23:21:58 GMT

Appreciate the response! I was hoping there was an easier/better way than going through the 93 Azure Public Services and then checking off potentially 6 geo locations inside each one... that's a lot of clicking. 😄 It would be nice if CheckPoint had a higher level category like they have for Germany (Azure Germany Services).

Since this will most likely be many, many objects.. I'm guessing these can all go into a network group and then the group applied to the security rule?

Re: Best practice for Entra/Azure Services?

the_rock — Wed, 31 Jan 2024 23:27:29 GMT

I know, I know, lots of clicking in IT world generally haha. Anywho, you are right, you add them, click any, ctrl+a to select all, right click and then select to group them.

I agree with your point. I also wish there were objects that represent say specific region, rather than 10 or 15 of them, but hey, it is what it is...there are way worse things in life : - )

Best,

Andy

Re: Best practice for Entra/Azure Services?

PhoneBoy — Fri, 02 Feb 2024 02:36:53 GMT

Updatable Objects use vendor-provided information to populate.
If the vendor doesn’t provide it at the desired level of granularity (I.e. Microsoft), we can’t.

Re: Best practice for Entra/Azure Services?

VikingsFan — Fri, 02 Feb 2024 20:42:08 GMT

Think I understand. What I was referring to is using exactly what is in the tree list but haven't them pre-grouped by the geolocation. Similar to how China and Germany already have their own top level folder. As it is now, if I wanted only US services, I'll have to go through 93 subfolders and choose up to 6 or 7 US locations under each one. Not sure if you meant the tree structure is exactly how Microsoft sends it and it can't be adjusted.

Not a huge deal and was mainly looking for ideas if there was a better way. Thanks!

Re: Best practice for Entra/Azure Services?

the_rock — Fri, 02 Feb 2024 20:56:18 GMT

I dont believe there is better way sadly, but I could be mistaken : - )

Andy