Azure Automation Archives - Thrive
https://thrivenextgen.com/category/azure-automation/
NextGen Managed Services Provider. Feed last updated Fri, 11 Mar 2022 18:57:32 +0000.

Balancing Security and Productivity in Microsoft 365 During Times of Crisis – Part 1
https://thrivenextgen.com/balancing-security-and-productivity-in-microsoft-365-during-times-of-crisis-part-1/
Thu, 02 Apr 2020 21:21:01 +0000. Originally published at https://www.timlinenterprises.com/?p=1588.

How Azure Active Directory (Azure AD) Identity Governance can assist your organization in responding quickly to new collaboration needs while maintaining security and governance. 

The sudden onset of the COVID-19 pandemic sent much of the world into a frenzy. With businesses concerned for the safety and wellbeing of their employees and customers, and many governments strongly advising social distancing, the need to ramp up the remote workforce went from a distant goal to a top priority almost overnight. One of the many groups greatly impacted by this new priority is the group of people responsible for collaboration platforms such as Microsoft 365. The need to quickly enable remote workers has made it seem necessary for many groups to ignore or postpone best practices and security considerations in favor of business continuity. Azure AD’s Identity Governance is one set of tools designed to help strike the balance between security and productivity, enabling quick turnaround on required resources while providing checks and balances to mitigate risk.

What is Azure AD Identity Governance? 

Simply put, Azure AD Identity Governance is about “ensuring the right people have the right access at the right time.” More specifically, it is a set of 3 primary tools designed to control and audit access to company resources.   

Entitlement Management is about creating Access Packages to control the scope and duration of access to groups, applications, and SharePoint sites.    

Access Reviews are about auditing access to ensure previously granted permissions are still appropriate and necessary. 

Privileged Identity Management covers the just-in-time elevation of tightly scoped roles to allow users to perform privileged operations when needed while maintaining lower permission levels during their day-to-day job functions.   

These three functions work synergistically to help keep a watchful eye on the collaboration space without impeding productivity. Part 1 of this series will cover Entitlement Management in detail.   

Entitlement Management 

Setting up an Access Package 

The key component of Entitlement Management is the creation of “Access Packages”.  An Access Package is a collection of resources that users can be granted or request access to. Unlike simply adding users directly to Groups, these packages can control the duration, approval process, and periodic reviews of those assignments.   

The first step of creating an Access Package is naming and describing its purpose.  You can also create “Catalogs” to group multiple packages and delegate the administration of them to the appropriate users.

First steps of setting up Access Package.


Next, you determine the Resource Roles that will be part of this package. It can be a combination of Groups/Teams, Applications, and SharePoint sites. In this case, we will grant access to the “COVID-19 Response Team” team in the Member role.

Determining Resource Roles

We’ll then move onto the Request process. Since this team may be made up of external collaborators who are unknown at this time, we’ll select “For users not in your directory”, and we’ll allow “All users (All connected organizations + any new external users)” to request access. 

Request Process

Since we are allowing as-yet-unknown external users, we must require approval (other settings allow you to disable approval). We will set a specific user as the approver, require that a decision is made within 2 days, and require both the requestor and the approver to provide a justification for the access. We’ll enable this access request policy when we are ready to start accepting requests.

Approval Process

Next, we will set the lifecycle of the access being provided. In this case, we will allow for 30 days of access, with the ability to request an extension (which also requires approval). If this was a longer duration or did not expire, we could also tie access to an Access Review, which we’ll cover later.

Expiration Settings

The last page will show a summary of all the choices to allow you to make any desired changes before creating the package.  

Once the package is created, the browser will display a list of all Access Packages the current user has access to. From here, you can use the ellipsis to copy the link used to request access. This link can be emailed, put on a public site, or shared in any other traditional way.

Final Review

Requesting Access

To request access via an Access Package, a user can use the link generated during the creation process. Once they sign in to the Microsoft 365 tenant, they will be presented with the details of the access being requested. The user then selects the package and pushes the “request access” button.

Requesting Access

From there, because we require justification, the user will be presented with an area to provide the reason they are requesting access.

Justification Requirement

They will receive confirmation that their request was submitted.

Request Confirmation

Approving Access

After the request is submitted, the Approver will receive an email with actions to Approve or Deny the request, along with a summary of the information about the request.

Approval Process

Pressing the Approve or deny request button takes you to an Approvals page where you can approve or deny and provide the required justification. 

Approve or Deny

Now that the request has been approved, the user should have access to the Team as a Member.  When the expiration date is reached in 30 days, that access will be revoked unless an extension is requested. 

Summary

Entitlement Management using Access Packages is a great way to govern access to resources such as Teams, SharePoint sites, and Applications, especially when external users are involved or the context of the access is limited to a specific timeframe. Users can request access as needed, owners can be empowered to grant access on demand, and removal of access can be automated to prevent lingering exposure of company information.  

Next up: Access Reviews

Configure periodic, guided reviews of access to resources with suggestions based on login activity and automated resolution based on dispositions. 


The post Balancing Security and Productivity in Microsoft 365 During Times of Crisis – Part 1 appeared first on Thrive.

How To Invite External Users Using Microsoft Flow and Microsoft Graph API
https://thrivenextgen.com/how-to-invite-external-users-using-microsoft-flow-and-microsoft-graph-api/
Wed, 20 Nov 2019 00:39:50 +0000. Originally published at https://www.timlinenterprises.com/?p=1411.

Timlin recently helped a customer automate the creation of new SharePoint site collections designed for external sharing. Prior to our work, the client had a number of manual steps that included completing a PDF form, manually logging and tracking the request, spinning up the site and associated security, and manually inviting the external users.  With the new automated process, the client simply fills out a Power Apps form that allows them to specify email addresses for the external access, and all the remaining steps are fully automated.

When looking for the underlying solution to automate this process, we decided on Microsoft Graph API.  We needed to be able to authenticate with Microsoft Graph API and execute actions against it via Microsoft Flow.  We have used this for many of our solutions, and in this post, we will detail just what is needed to authenticate with Microsoft Graph API and how to use its Invite API to invite guest users to your tenant.

Setting Up an Azure AD App Registration

The main requirement for this process to work is the Azure Active Directory App Registration. This App Registration serves as the authentication handshake between Microsoft Flow and Microsoft Graph API. You will need an elevated level of privilege to create the app registration and assign it the permissions we need in this example.

First, navigate to your Azure Portal (https://portal.azure.com) and click on Azure Active Directory.

If Azure Active Directory is not present in your quick links section, simply search for it and click on it from there. Next, navigate to “App Registrations” on the left-hand navigation menu and then “New Registration”.

You can name this Registration whatever you’d like, leave the rest of the settings as they stand and click “Register”.

Authentication and Permissions for our Azure AD App Registration

Now that we have our App Registration created, we need to set up two things: our App Secret and the required App Permissions.

First, navigate to “Certificates & secrets” and click on “New Client Secret”.

We can call our Secret anything we’d like. In this instance, we’ll just name it “Secret”. The expiration date is up to you, but keep in mind that if you select an expiration date other than “Never”, you will need to update this Secret key down the line in order for your functionality to continue working.

You should now have a Secret key appear. Make sure to copy and save the key somewhere safe as you will only see it this one time.

Next, we need to give our App Registration a single permission called “User.Invite.All”. This gives the App Registration access to invite guest users to our tenant. To do so, navigate to “API Permissions” and click on “Add a Permission”.

In the now visible pop-up menu, click on “Microsoft Graph” followed by “Application permissions”.

If we now search for “User.Invite”, we will see our required permission. Check it off and click “Add permissions”.

Lastly, we need to grant the permission itself to the Application. To do so, click on the “Grant admin consent” button found at the bottom of the screen. If this is greyed out for you, it means that you do not have admin permission on your tenant to execute this action.

Setting Up Our Microsoft Flow

Now that we have our App Registration set up, we can create our Flow that will invite external users to our tenant. Be sure to keep our App Registration open in a separate window/tab as we will need some information from it shortly.

Our Flow consists of only two actions and a trigger. For now, we’ve set this up to be on a manual trigger, but you can always alter this for your needs. The two actions are an “Initialize Variable” action and an “HTTP” action (the HTTP action does appear as a Premium action but is available with appropriate licensing). The Initialize action will simply hold the Graph API invitation’s URL.

Next, our HTTP action will consume our GraphURL variable and build the JSON Body that we will send to the Graph Invite API.

Each property we specified in the Body is detailed below:

  1. Invited User Email Address – The email address of the external user we will be inviting
  2. Invite Redirect URL – The URL the external user will be redirected to once accepting the invitation
  3. Send Invitation Message – If set to false, the user will not receive their invitation email, but they will still be added into Azure AD. If set to true and no Customized Message Body is sent, the default invitation email will be sent to the external user.
  4. Invited User Message Info and Customized Message Body – This allows for you to send a customized invite message to the user. This object is optional.

Next, we need to take care of authentication on this HTTP call. Click on “Show advanced options” to reveal the authentication options.

In your own Flow, replace the first part of the tenant URL with your tenant name. The Client ID can be found in your newly created App Registration on the Overview page.

Next, select “Secret” for “Credential Type” and paste in the Secret you saved from earlier in the field labeled “Secret”.
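The request the Flow’s HTTP action sends can also be reproduced outside of Flow, which is useful for checking the App Registration and its permission before wiring up the automation. The following PowerShell is an added example, not code from the original post or from Timlin: it performs the client-credentials token request that the HTTP action’s “Active Directory OAuth” setting does for you, then posts the same invitation body described above to the Microsoft Graph invitations endpoint. The function names and parameters are this example’s own; the tenant name, client ID, secret, e-mail address and redirect URL are placeholders you replace with your own values.

```powershell
# Added example (not from the original post): the Graph "invitations" request the
# Flow's HTTP action sends, done from PowerShell so the token and the response can be
# inspected. Tenant, client ID, secret and addresses below are placeholders.

function Get-GraphAppToken {
    # Client-credentials grant: the App Registration authenticates as itself, so the
    # User.Invite.All *application* permission (with admin consent) is what authorizes the call.
    param(
        [Parameter(Mandatory)][string]$TenantId,          # e.g. contoso.onmicrosoft.com or the directory (tenant) GUID
        [Parameter(Mandatory)][string]$ClientId,          # Application (client) ID from the App Registration overview
        [Parameter(Mandatory)][securestring]$ClientSecret # the secret created under "Certificates & secrets"
    )
    $body = @{
        client_id     = $ClientId
        client_secret = [System.Net.NetworkCredential]::new('', $ClientSecret).Password
        scope         = 'https://graph.microsoft.com/.default'
        grant_type    = 'client_credentials'
    }
    $resp = Invoke-RestMethod -Method Post `
        -Uri "https://login.microsoftonline.com/$TenantId/oauth2/v2.0/token" `
        -Body $body -ContentType 'application/x-www-form-urlencoded'
    return $resp.access_token
}

function New-GraphGuestInvitation {
    param(
        [Parameter(Mandatory)][string]$AccessToken,
        [Parameter(Mandatory)][string]$InvitedUserEmailAddress,
        [Parameter(Mandatory)][string]$InviteRedirectUrl,   # where the guest lands after redeeming, e.g. the new SharePoint site
        [bool]$SendInvitationMessage = $true,
        [string]$CustomizedMessageBody                      # optional; omit to let Microsoft send its default mail
    )
    # Same properties as the Flow's JSON body; the optional message object is only
    # included when a custom body is supplied.
    $invitation = @{
        invitedUserEmailAddress = $InvitedUserEmailAddress
        inviteRedirectUrl       = $InviteRedirectUrl
        sendInvitationMessage   = $SendInvitationMessage
    }
    if ($CustomizedMessageBody) {
        $invitation.invitedUserMessageInfo = @{ customizedMessageBody = $CustomizedMessageBody }
    }
    $headers = @{ Authorization = "Bearer $AccessToken" }
    Invoke-RestMethod -Method Post -Uri 'https://graph.microsoft.com/v1.0/invitations' `
        -Headers $headers -ContentType 'application/json' `
        -Body ($invitation | ConvertTo-Json -Depth 3)
}

# Usage (placeholders): read the secret interactively rather than hard-coding it in the script
$secret = Read-Host -Prompt 'Client secret' -AsSecureString
$token  = Get-GraphAppToken -TenantId 'contoso.onmicrosoft.com' `
    -ClientId '00000000-0000-0000-0000-000000000000' -ClientSecret $secret
$result = New-GraphGuestInvitation -AccessToken $token `
    -InvitedUserEmailAddress 'partner@example.org' `
    -InviteRedirectUrl 'https://contoso.sharepoint.com/sites/ExternalProject' `
    -CustomizedMessageBody 'You have been given access to the project site.'

# The response carries the new guest object and the invitation state: "PendingAcceptance"
# means the guest now exists in Azure AD but has not yet redeemed the invitation.
"Guest object id: $($result.invitedUser.id)"
"Status:          $($result.status)"
"Redeem URL:      $($result.inviteRedeemUrl)"
```

A 403 from the invitations call with a valid token almost always means the User.Invite.All application permission was added but admin consent was not granted, which is the step the “Grant admin consent” button above takes care of. The redeem URL in the response is what the default invitation e-mail contains; if you set sendInvitationMessage to false you are responsible for delivering it to the guest yourself.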

You’re Finished!

With this, the Flow should be fully configured and ready to go. If you run the Flow, you should be presented with the following email upon completion in the inbox you specified. The user will have a guest user profile generated in your tenant’s Azure Active Directory. Within 5 to 10 minutes after this invitation, the user will also have a SharePoint User Profile created as well.


Let us know if you have any questions on this process or would like us to help you set it up.  

The post How To Invite External Users Using Microsoft Flow and Microsoft Graph API appeared first on Thrive.

Top Takeaways, Announcements, and Moments from Microsoft Ignite 2019
https://thrivenextgen.com/microsoft-ignite-2019-recap/
Mon, 11 Nov 2019 12:00:38 +0000. Originally published at https://www.timlinenterprises.com/?p=1431.

Microsoft Ignite 2019 has come to a close, but we’re recapping all the fun that was had with a round-up of the top takeaways, announcements, and moments at this year’s event in Orlando. 

This year’s attendees were lucky enough to experience first-hand new Microsoft feature announcements, compelling sessions, and inspiring keynote speakers. 

Top Announcements from Microsoft Ignite

  • Autonomous Systems – You can now design and manage autonomous systems across their lifecycle with a comprehensive portfolio of leading-edge technology that you can apply to your real business scenarios. 
  • Microsoft Endpoint Manager – Provides transformative, modern management and security that meets customers where they are and helps them move to the cloud.
  • Microsoft Flow Becomes ‘Power Automate’ – UI flows bring together the rich feature set of API-based digital process automation (DPA) that is available today, with RPA UI-based automation to create a truly end-to-end automation platform.
  • Power Platform Certification – In addition to the existing fundamentals and role-based certification types, Microsoft has added a third certification type: specialty. Specialty certifications validate deep technical skills and the ability to manage industry solutions, including third-party solutions, on or with Microsoft platforms.
  • Teams Announcements – At Ignite, Microsoft announced a variety of new capabilities in Teams to help customers in all industries work in new ways and better respond to the evolving needs of their business.
  • Project Cortex – A new service that uses AI to create a knowledge network that reasons over your organization’s data and automatically organizes it into shared topics like projects and customers.
  • Teams for Virtual Consultation – Healthcare providers can now schedule and conduct B2C virtual consultations through Teams with new Virtual Consults capabilities, and new features like SMS Sign-In and Global Sign-Out make it quick and easy for Firstline workers to securely access Teams from their mobile devices.
  • Edge Announcement – The new Microsoft Edge is built on the Chromium engine, providing best-in-class compatibility with extensions and web sites, providing great support for the latest rendering capabilities, modern web applications, and powerful developer tools across all supported platforms.
  • Updates to Azure Product and Service Offerings – A host of exciting updates about Azure Arc, Azure Stack, Azure Quantum, and Azure Synapse.

Top Takeaways from Microsoft Ignite

  • The Microsoft community is stronger than ever:  Community Central proved to be a popular place for the Microsoft community to gather and connect at this year’s event.
  • The tech industry is truly investing in women in business:  Female power and investment was a huge focus during the 2019 event, with daily sessions regarding women in business and technology, and a successful lunch & learn panel event. In addition, Microsoft is keeping the investment going after the conference — for every Ignite conference evaluation submitted, they are donating $1 to Girls Who Code.

(Embedded Instagram post by Blair Niederhauser, @kcbrunetteintech)

  • Microsoft Azure and the future of cloud computing:  From the Community Central day dedicated to Azure topics to the community whiteboard wall which encouraged people to talk about what Azure means to them, there sure was a lot of buzz about the future of cloud computing.

Top Moments from Microsoft Ignite 2019

Attendees of Microsoft Ignite know how to get social! Here are a few of our favorite photos shared during the week through the #MSIgnite hashtag. 

(Embedded Instagram posts by Daniel Rubino (@daniel_rubino), ShareGate (@sharegatetools), Bexar County IT (@bexarcountyit), Scott Duffy – Azure Trainer (@softwarearchitect.ca), Kyla Mitsunaga (@withwarriors), jon (@jonmedel), Danny (@dannycire), Veritas Technologies LLC (@veritastechllc) and BindTuning (@bindtuningcom))

What were your favorite moments from MS Ignite? Let us know by following us on LinkedIn and starting a conversation with a comment on this post! 

The post Top Takeaways, Announcements, and Moments from Microsoft Ignite 2019 appeared first on Thrive.

Azure Automation – How to Automate Secure Score Metrics
https://thrivenextgen.com/azure-automation-secure-score-metrics/
Tue, 21 Aug 2018 14:00:23 +0000. Originally published at https://www.timlinenterprises.com/?p=848.

Secure Score metrics are an important guideline used to ensure security and performance across your Office 365 tenant. Secure Score analyzes your Office 365 organization’s security based on your regular activities and security settings and assigns a score. Think of it as a credit score for security.

A few tasks in the Secure Score toolbox are repeated tasks of reviewing certain logs within Office 365 and Azure. These tasks are typically repeated on a weekly or monthly basis. In this article, we will discuss how to automate a couple of these review tasks. By the end of this article, you should have a good understanding of how Azure Automation is used and how you can continue to use it to help streamline your Secure Score efforts.

Creating an Automation Application

Our first step in the process is to create an Azure Automation application.

Navigate to your Azure portal (https://portal.azure.com), click on “Create a resource”, search for “Automation” and click on “Create”.

Please note that provisioning a Microsoft Bot, Azure Active Directory Application, App Service, and other Azure resources will result in associated costs. In order to fully understand the associated costs that may incur from following this guide, please refer to the Azure Pricing Calculator which can be found here.

In the configuration menu, give the Automation Account a Name, select the appropriate Subscription based on your tenant, select “Create New” or “Use Existing” Resource group, and then select the appropriate Location. The last option to “Create Azure Run As account” is not necessary in this guide but is something you may want to utilize in the future, so we can leave this set to “Yes”. This account can be used to automate Azure specific functions. These are functions that you can run within the Azure CLI (not functions such as Exchange/MSOL commands). When finished, click on “Create” to create all the required resources.

When all resources have finished provisioning, click on the “Go To Resource” button in the notifications area to go to our new Automation resource or search for it in your resources list.

Once there, navigate to “Runbooks” in the “Process Automation” section.

By default, these resources are provisioned with example runbooks. These runbooks demonstrate the various ways of building an automated function, such as Python, PowerShell, and the Graphical Interface provided by Microsoft. We can ignore all of these examples, but feel free to look at them later on as they provide good insight into everything we can do with Azure Automation.

Creating Our Runbook

While still in the Runbook section, click on the “Add Runbook” button.

In the new menu that appears, click on “Quick Create”. You will need to fill in two values here: the Name of the runbook and the platform or Runbook Type in which we will build it. Type in the name of the runbook that you would like, and select PowerShell as the Runbook type.

Before we jump into the code of the runbook, we need to set up the credentials that we will use for automation. The account that we use will need to be an Exchange Administrator, have the Discovery Management role in Exchange, and not have MFA configured on the account (unfortunately, there is no way to handle this automation on an account with MFA just yet, but this may change in the future). We recommend provisioning a dedicated Azure service account for this functionality. This ensures that you are not using an over-privileged account that is also in use for other things in your tenant.

In the Automation Resource section, scroll down to the Shared Resources section and click on “Credentials”.

Once there, click on “Add a Credential” and fill in all of the required fields. The name can be whatever you’d like it to be; it is how the code will reference this set of credentials. The username and password should belong to an account with the roles defined above, and the username should follow the standard Office 365 sign-in format, such as joesmith@contoso.com.

Coding our Azure Automation Runbook

Navigate back to the runbook you created earlier.

Once there, click on the “Edit” button to edit the code within.

Our first step is to grab the set of credentials we stored in our application earlier. To do so, use the dropdown on the left-hand side for “Assets”, click on “Credentials”, and you should see the credential object you created.

Use the … menu to “Add to Canvas”. This should then give you the PowerShell needed to pull the Credential object. We will also store this as a variable as shown below.

In this article, we will be covering how to automate two Review processes in the Secure Score toolbox. These are mailbox auditing and mailbox forwarding rules. Mailbox auditing needs to be automated as it will only affect users currently in your system. Any users added after this command is run will not have Mailbox Auditing enabled and therefore you will receive no points on Secure Score. The review of Mailbox Forwarding rules is something done weekly, and with this process automated you should always receive the Secure Score points for this task. We will first need to connect our runbook to the necessary areas of Office 365. These will be the ExchangeOnline and MsolService connect prompts. I will be posting the remainder of the code required for this runbook below and will break down what each piece is doing afterwards.

# Pull the credential asset stored in the Automation account (the name must match the asset you created)
$Credentials = Get-AutomationPSCredential -Name 'AutomationCredentialsSecureScore'

# Function: Connect to Exchange Online (remote PowerShell session, Basic auth as described above)
function Connect-ExchangeOnline {
    param(
        [Parameter(Mandatory)]
        [PSCredential]$Creds
    )
    Write-Output "Connecting to Exchange Online"
    Get-PSSession | Remove-PSSession
    $Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://outlook.office365.com/powershell-liveid/ -Credential $Creds -Authentication Basic -AllowRedirection
    # Only import the cmdlets this runbook uses; importing the whole Exchange module is slow
    $Commands = @("Get-MailboxFolderPermission", "Get-MailboxPermission", "Get-InboxRule", "Set-MailboxFolderPermission", "Set-Mailbox", "Get-Mailbox", "Set-CalendarProcessing", "Add-DistributionGroupMember")
    Import-PSSession -Session $Session -DisableNameChecking:$true -AllowClobber:$true -CommandName $Commands | Out-Null
}

# Connect to Exchange Online and to Azure AD (MSOnline)
Connect-ExchangeOnline -Creds $Credentials
Connect-MsolService -Credential $Credentials

# Enable Mailbox Audit for All Users
Write-Output "Enable Mailbox Audit for all Users"
# Capture the mailboxes that still lack auditing so the report can list them, then enable it on exactly those
$mailboxesSetToEnabled = Get-Mailbox -ResultSize Unlimited -Filter {RecipientTypeDetails -eq "UserMailbox" -and AuditEnabled -eq $False}
if ($mailboxesSetToEnabled) {
    $mailboxesSetToEnabled | Set-Mailbox -AuditEnabled $True
}

# Set AuditLogAgeLimit to 1 year
Write-Output "Set Mailbox Audit Log Age Limit for all Users"
Get-Mailbox -ResultSize Unlimited -Filter {RecipientTypeDetails -eq "UserMailbox"} | Set-Mailbox -AuditLogAgeLimit 365

# Get Forwarding Rules
# Enabled, non-guest users only (guest UPNs contain #EXT#)
$allUsers = Get-MsolUser -All -EnabledFilter EnabledOnly |
    Select-Object ObjectID, UserPrincipalName, FirstName, LastName, StrongAuthenticationRequirements, StsRefreshTokensValidFrom, StrongPasswordRequired, LastPasswordChangeTimestamp |
    Where-Object { $_.UserPrincipalName -notlike "*#EXT#*" }
$UserInboxRules = @()
$UserDelegates = @()
foreach ($User in $allUsers) {
    Write-Output "Checking inbox rules and delegates for user: $($User.UserPrincipalName)"
    # Rules that forward, forward as attachment, or redirect. MailboxOwnerId is kept so the report shows whose rule it is.
    # (The original compared a non-existent RedirectsTo property, so redirect rules were never caught.)
    $UserInboxRules += Get-InboxRule -Mailbox $User.UserPrincipalName -ErrorAction SilentlyContinue |
        Select-Object MailboxOwnerId, Name, Description, Enabled, Priority, ForwardTo, ForwardAsAttachmentTo, RedirectTo, DeleteMessage |
        Where-Object { ($_.ForwardTo -ne $null) -or ($_.ForwardAsAttachmentTo -ne $null) -or ($_.RedirectTo -ne $null) }
    # Explicit (non-inherited) permissions granted to someone other than the mailbox owner
    $UserDelegates += Get-MailboxPermission -Identity $User.UserPrincipalName -ErrorAction SilentlyContinue |
        Where-Object { (-not $_.IsInherited) -and ($_.User -notlike "*SELF*") }
}
$SMTPForwarding = Get-Mailbox -ResultSize Unlimited |
    Select-Object DisplayName, ForwardingAddress, ForwardingSMTPAddress, DeliverToMailboxandForward |
    Where-Object { $_.ForwardingSMTPAddress -ne $null }

# Write the three review files with a file-system-safe timestamp in the name.
# Export-Csv produces real CSV; New-Item -Value on an object array only writes the type names.
$timeStamp = Get-Date -Format 'yyyy-MM-dd-HH-mm'
$UserInboxRuleFile = Join-Path $env:TEMP "UserInboxRules$timeStamp.csv"
$UserDelegatesFile = Join-Path $env:TEMP "UserDelegates$timeStamp.csv"
$SMTPFile          = Join-Path $env:TEMP "SMTPForwarding$timeStamp.csv"
$UserInboxRules | Export-Csv -Path $UserInboxRuleFile -NoTypeInformation
$UserDelegates  | Export-Csv -Path $UserDelegatesFile -NoTypeInformation
$SMTPForwarding | Export-Csv -Path $SMTPFile -NoTypeInformation

Write-Output "Sending email"
$ToAddress = 'joesmith@contoso.com'
$FromAddress = 'joesmith@contoso.com'
$smtpserver = 'smtp.office365.com'
$smtpPort = 587
# Attach only the files that were actually written (an empty result set may produce no file)
$Files = @($UserInboxRuleFile, $UserDelegatesFile, $SMTPFile) | Where-Object { Test-Path $_ }
# List the newly audited mailboxes by UPN, one per line, in the HTML body
$enabledList = ($mailboxesSetToEnabled | ForEach-Object { $_.UserPrincipalName }) -join "<br/>"
$mailparam = @{
    To         = $ToAddress
    From       = $FromAddress
    Subject    = "Azure Automated Reporting - Mailbox Forward and Auditing"
    Body       = "<p>Attached you will find the User Inbox Rules, Delegates and SMTP Forwarding Setup review files.<br/>In addition, here are the accounts we have enabled Mailbox Auditing on this week that did not previously have it enabled (if empty, all users currently had Mailbox Auditing configured):</p><p>$enabledList</p>"
    SmtpServer = $smtpserver
    Port       = $smtpPort
    Credential = $Credentials
}
if ($Files) { $mailparam.Attachments = @($Files) }
Send-MailMessage @mailparam -UseSsl -BodyAsHtml

# Close Session
Get-PSSession | Remove-PSSession
Write-Output "Script Completed!"

The first function exists to connect to Exchange Online Management via PowerShell. As we are looking to take care of the Mailbox Auditing as well as Mailbox Forwarding, we give it the commands you see in the $Commands array. We specify the commands for performance reasons as there is no reason to load every single Exchange Admin command here. The next few lines utilize this function as well as the standard Connect-MsolService command to connect to both services using the credentials object we grabbed earlier. Once connected, we first take care of mailbox auditing.

The code between lines 22 and 29 (the “Enable Mailbox Audit for All Users” and “Set AuditLogAgeLimit” sections of the listing above) takes care of Mailbox Auditing. These lines find every user mailbox in the tenant that does not currently have Mailbox Auditing configured, enable auditing on those mailboxes, and set the audit log age limit to 365 days.

Next, we take care of compiling all forwarding rules that are reviewed within Secure Score. Lines 31 to 47 (the “Get Forwarding Rules” section) take care of this task and store all User Inbox Rules, User Delegates and SMTP Forwarding rules in variables we use next. Lines 49 to 87 (from the timestamp through Send-MailMessage) serve the primary purpose of reporting. These lines use the Send-MailMessage cmdlet to send an email to whomever you specify (a group or a single user) so they can review everything this script has done. The body of the email lists all users (if any) that now have Mailbox Auditing configured that did not have it before. In addition, it carries three attachments: the User Inbox Rules, User Delegates and SMTP Forwarding output we stored earlier. Once the code has been implemented, publish the current revision and we are ready to set up our schedule for this runbook.
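The runbook collects every rule that forwards or redirects mail, but the review file is named for forwarding to external domains and nothing in the script actually separates internal targets from external ones, which is the question the Secure Score review asks. The following PowerShell is an added example that is not part of the original runbook or of Timlin’s code: it takes rule objects shaped like the runbook’s Get-InboxRule output (with the MailboxOwnerId property that Get-InboxRule provides) and mailbox objects shaped like its Get-Mailbox output, plus your tenant’s accepted domains, and flags the targets that leave the tenant. The sample rules, the mailbox entries and the domain list are constructed placeholders; the function names are this example’s own.

```powershell
# Added example (not from the original runbook): flag forwarding targets that leave the
# tenant. Inbox rule targets look like '"Display Name" [SMTP:user@domain]' and mailbox
# forwarding addresses look like 'smtp:user@domain'; both are reduced to the bare address.

function Get-ForwardingAddresses {
    # Returns the e-mail addresses found in one or more rule/forwarding target values
    param([object[]]$Targets)
    # Flatten one level: each rule property may itself be an array of targets
    foreach ($t in @($Targets | ForEach-Object { $_ })) {
        if ($null -eq $t) { continue }
        $s = [string]$t
        if ($s -match 'SMTP:([^\]\s>]+)') { $Matches[1].ToLower() }      # "[SMTP:addr]" or "smtp:addr" (-match is case-insensitive)
        elseif ($s -match '^[^@\s]+@[^@\s]+$') { $s.ToLower() }          # already a bare address
    }
}

function Find-ExternalForwarding {
    # Rules:      objects with MailboxOwnerId, Name, ForwardTo, ForwardAsAttachmentTo, RedirectTo
    # Forwarding: objects with DisplayName, ForwardingSMTPAddress (as the runbook exports them)
    param(
        [object[]]$Rules = @(),
        [object[]]$Forwarding = @(),
        [Parameter(Mandatory)][string[]]$InternalDomains   # the tenant's accepted domains (placeholder list in usage below)
    )
    $internal = $InternalDomains | ForEach-Object { $_.ToLower() }
    $findings = @()
    foreach ($r in $Rules) {
        $targets = Get-ForwardingAddresses -Targets @($r.ForwardTo, $r.ForwardAsAttachmentTo, $r.RedirectTo)
        foreach ($addr in $targets) {
            $domain = $addr.Split('@')[-1]
            $findings += [pscustomobject]@{
                Mailbox  = [string]$r.MailboxOwnerId
                Source   = "Inbox rule '$($r.Name)'"
                Target   = $addr
                External = ($internal -notcontains $domain)   # -notcontains is case-insensitive
            }
        }
    }
    foreach ($f in $Forwarding) {
        foreach ($addr in (Get-ForwardingAddresses -Targets $f.ForwardingSMTPAddress)) {
            $domain = $addr.Split('@')[-1]
            $findings += [pscustomobject]@{
                Mailbox  = [string]$f.DisplayName
                Source   = 'Mailbox ForwardingSMTPAddress'
                Target   = $addr
                External = ($internal -notcontains $domain)
            }
        }
    }
    return $findings
}

# Constructed sample data shaped like the runbook's Get-InboxRule / Get-Mailbox output
$sampleRules = @(
    [pscustomobject]@{ MailboxOwnerId = 'alice@contoso.com'; Name = 'Copy to assistant'; ForwardTo = @('"Bob Jones" [SMTP:bob@contoso.com]'); ForwardAsAttachmentTo = $null; RedirectTo = $null }
    [pscustomobject]@{ MailboxOwnerId = 'carol@contoso.com'; Name = 'Invoices'; ForwardTo = $null; ForwardAsAttachmentTo = $null; RedirectTo = @('"carol personal" [SMTP:carol.home@example.net]') }
)
$sampleForwarding = @(
    [pscustomobject]@{ DisplayName = 'Dave Smith'; ForwardingSMTPAddress = 'smtp:dave@partner.example.org' }
)
$report = Find-ExternalForwarding -Rules $sampleRules -Forwarding $sampleForwarding -InternalDomains @('contoso.com', 'contoso.onmicrosoft.com')

# Only the entries that leave the tenant need a reviewer's attention; the rest is noise
$report | Where-Object External | Format-Table Mailbox, Source, Target -AutoSize
```

With the sample data, alice’s rule to bob@contoso.com is reported as internal and drops out of the filtered view, while carol’s redirect to example.net and Dave’s mailbox-level forwarding to partner.example.org are the two rows that remain. In the runbook you would feed $UserInboxRules and $SMTPForwarding to Find-ExternalForwarding and export the External rows as the review file, so the weekly e-mail contains only what a reviewer has to act on.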

Scheduling our Runbook

Navigate to the overview of the current runbook we have been working on. Scroll down to the “Resources” section and click on “Schedules”. From here, click on “Add a schedule” to implement a schedule for this runbook.

Once here, click on “Link a schedule to your runbook”, then on “Create a new schedule” and finally fill in all required fields. We will want this runbook to run weekly, so set a start time in the future, select “Recurring” and have it repeat once each week on the day of your choosing. For the foreseeable future, we won’t want this to expire, so leave the “Set expiration” option set to “No”.

Once this has been completed, the setup of your Azure Automation resource and its runbook will run once a week, take care of a couple of your Secure Score review tasks automatically, and email your administration the report for review.


The post Azure Automation – How to Automate Secure Score Metrics appeared first on Thrive.
