On the Practical 365 podcast this week, Rich Dean and I tackle a hot topic that’s got the tech world buzzing – Microsoft’s alleged security misstep that may have paved the way for the SolarWinds hack. We also chat with Julian Stephan from Quest Software, who shares some valuable insights on Active Directory modernization.

In Case You Missed It: The AD FS Vulnerability That Could Have Been Prevented

On the show, Rich and I discuss ProPublica’s recent article “Microsoft Chose Profit Over Security and Left U.S. Government Vulnerable to Russian Hack, Whistleblower Says“.

It reveals that back in 2016, a Microsoft cybersecurity expert, Andrew Harris, discovered a critical flaw in Active Directory Federation Services (AD FS). This wasn’t just any old bug – it was a vulnerability that could allow attackers to silently infiltrate cloud systems. In summary, here’s what happened:

  • Harris found the flaw while investigating a breach at a major U.S. tech company.
  • The vulnerability was in AD FS, which millions use for single sign-on to cloud-based programs.
  • Harris warned Microsoft repeatedly, but the company allegedly prioritized securing government cloud contracts over addressing the issue.
  • In 2020, Russian hackers exploited this very flaw in the SolarWinds attack, compromising multiple U.S. federal agencies.

What’s particularly concerning is that after the SolarWinds hack, Microsoft President Brad Smith told Congress that “there was no vulnerability in any Microsoft product or service that was exploited” in the attack.

This revelation raises serious concerns about how large tech companies (certainly not only Microsoft) balance security with business interests, and not to take security claims at face value.

Read more on ProPublica

This Week’s Guest: Julian Stephan Talks AD Modernization

We welcome Julian Stephan from Quest Software to the show. With nearly five years at Quest and over two decades of Microsoft experience under his belt, Julian will be speaking at TEC 2024 in Dallas later this year, and shares his experience with us as we discuss:

  • The nitty-gritty of Active Directory modernization – it’s not just about moving stuff to the cloud, folks.
  • How to juggle identities and devices when you’re making the leap from on-prem AD to Azure AD.
  • The role of security tools like Microsoft Defender for Identity in plugging those pesky vulnerabilities.
  • The constant uphill battle IT pros face in keeping up with the breakneck pace of tech changes.
  • How AI tools and Microsoft Copilot are becoming the IT pro’s new best friends.

Julian also talks to us about some upcoming Practical 365 articles that promise to offer real-world solutions to common AD modernization headaches. If you’re knee-deep in AD modernization, you’ll want to keep an eye out for these.

We’ll be back in two weeks’ time with more Microsoft 365 insights and probably a few more tech world controversies to dissect. Until then, stay secure, and don’t forget to hit that subscribe button on iTunes and Spotify!

About the Author

Steve Goodman

Technology Writer and Chief Editor for AV Content at Practical 365, focused on Microsoft 365. A 12-time Microsoft MVP, author of several technology books and regular Microsoft conference speaker. Steve works at Advania in the UK as Field Chief Technology Officer, advising business and IT on the best way to get the most from Microsoft Cloud technology.

Leave a Reply