Overview: Constantly improving security on Azure and Office 365 is essential to a lot of companies. Microsoft provides outstanding infrastructure and monitoring, and it is also the company's responsibility to configure and secure O365 and Azure to ensure security while allowing the appropriate liberalisation of services so the business can operate effectively. This post outlines some basic items to look at to optimise the balance between security and your business needs.
I generally go through the infrastructure and write up a report for management in the form of: Finding, Recommendation and Management Comment.
Finding: The company's users log in using their Azure AD accounts, and the credentials page has no customised branding to help users know they are logging into the company's secure resources (SharePoint, email etc.).
Recommendation: In the "Azure Portal", use the "Azure Active Directory" service > "Company Branding" to upload the company logo in banner and square formats and update the colour/theme to match the firm's branding.
Management Comment: We accept the finding and wish to make the changes immediately.
Microsoft provides tooling to help identify improvements; below are two tools you can use to help clarify the current environment so improvements can be recommended.
Work In Progress.
Problem: Using O365 as an Extranet. A basic analysis before starting is a minimal requirement. The existing Extranet will make a lot of the questions fairly easy to clarify. You can cover this in tremendous detail, but to avoid analysis paralysis I recommend a single decision maker, preferably someone who already works on the Extranet. A committee is fine if you have the budget, but it is so hard to guess at the future that my preference is to get the broad strokes right and amend once we are in the weeds. These four points can be answered with the right people in one meeting, or may take months for complex organisations, especially if there is no clear leader to make decisions.
Consideration Points:
1. Who is using the Extranet? Clients, partners, vendors, ... I'll refer to these users as Client Users.
2. How will Client and Company users authenticate? O365 options include ADFS, another federation service (e.g. Ping), Passport/Live, Google, Facebook, ...
3. Self-registration or known, approved Client Users? Try to figure out what the process for onboarding a Client User will be.
4. Client User Profile Usage? Will the Client Users amend content, have the ability to share permissions, or, old school, only read web-published pages (read-only)? Will Client Users have OneDrive, use Teams, or only SharePoint or other O365 applications?
Point 2: O365 authentication. The most basic option is to allow O365 users: as long as a user has an O365 account they can be a Client User. You can also use any Microsoft account for a Client User.
Point 4: Client Usage Profiles. O365 can share a document anonymously via a link within an email. Obviously, this means anyone can potentially access the file. However, as a replacement for attachments in email and wide distribution this is a great step forward, as you can control versions and retract the access at any point. Additionally, the link settings can be customised to control who can use the link. For example, you can set the specific people who get the link, or you can specify that only internal people get the link. Once it is set to "Anyone", the email or link can be forwarded and literally anyone can get access.
Governance: Manage O365 to apply the business's rules so users comply with governance. O365 has an easy, straightforward configuration to make this happen. When configuring sharing governance you need to ensure it is done at the O365 (tenant), SharePoint Admin and Site Admin levels. If any one of these says no external sharing, you can't share, so it is a fairly granular approach. This allows the Extranet and Intranet to live on the same O365 tenant.
Licensing: As a general rule there is no cost for external users; I believe the allowed usage is 5 Client Users for every internal O365 user. Please check with Microsoft, as business scenarios play out differently.
Multi-geo Phase 2 (SPO): SPO & O365 groups coming to GA by 30 March 2019 (confirmed). DLP per satellite geo. Hub sites can span multiple geos. Search works across geos, i.e. everything the user can access across geos is returned.
As of Feb 2019 Microsoft is still using Microsoft Information Protection (MIP) and Azure Information Protection (AIP) interchangeably, as this video from Ignite in Oct 2018 highlights. Today I went to the Ignite tour, and AIP and MIP are being used to mean the same topic, which I'm referring to as AIP in this post.
The screenshot from the Ignite London presentation shows where AIP is today, as presented by Maayan Nasman Rand. The presentation was a good overview of AIP. The big improvement to AIP over the past 3 months is the Analytics/Monitoring; this was not working, and now it's very good, but still in preview.
AIP is getting closer, but I feel the big missing piece is that the encryption used by AIP does not allow SPO to provide previews and, more importantly, search cannot index the data in SPO. Despite this key missing piece, I'd use it on O365 without encryption if I'm in a SharePoint store.
The native applications auto labeling is improving quickly.
The Auto-labeling feature is new and useful.
A few months ago AIP labels were merged into the Security & Compliance Centre. Worth noting: if you had labels in the AIP admin portal, you need to migrate the labels using the "Unified labeling" option, and the policies need to be manually brought into the Security & Compliance Centre.
Auto-labeling is now in the Mac Office suite, and it is also coming to the Office apps on Android and iOS (preview).
The UI ribbon for AIP in Office on Windows has also been updated to a new look.
Microsoft Cloud App Security (MCAS) has scanners to perform labeling (like AIP scanner but also works on SP2013 and SP2016).
The 3rd-party product Adobe Pro does not yet have the ability to update labels, but it's coming soon (Jun 2020?). It uses the same SDK that all developers can use.
The Monitoring/Reporting is actually working; a year back it was flaky, and the UI and findability are much improved.
Overview: I was talking to the board of a company yesterday and they asked me about modern architectures. The diagram below is the most simplistic view I could make of designing an architecture that is technology agnostic.
Overview: In the SaaS Document Management space, Box.com is a competitor to SharePoint Online. A medium-sized client request recently came in to integrate with a client and deliver files into Box.com; as it is something I have not done before, I was eager to see how easy it is.
I merely need to create folders within the client's tenant if needed and drop files into specific folders from a scheduled job that runs every 5 minutes.
Box.com has an API similar to SharePoint CSOM to programmatically work with your Box tenant.
Box.com functionality is specific to Documents so the API is really small and easy to learn.
There are multiple ways to programmatically authenticate to your Box.com tenant; the PoC keeps it simple. The actual implementation must use JWT for the connecting service account.
Implementation Details: Box.com has several ways to programmatically connect and to test the APIs. For my PoC, and for working with the APIs, I used the Developer Token approach. We should switch this over to the JWT OAuth approach.
1. Once your tenant is set up and you have configured your client, generate the Developer Token, which lasts for 1 hour, as shown in the screen above.
2. Create a new C# console project and add the Box C# SDK reference as shown below.
3. You will need to add the Developer Token, Client Secret and ClientId in order to programmatically connect from the console. Below is my app.config (the values are partially masked):

```xml
<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <startup>
    <supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.6.1" />
  </startup>
  <appSettings>
    <add key="ClientId" value="f9y555fiqwqcbv555lst88dmzbxzqa7n"/>
    <add key="ClientSecret" value="CoTT555U7oN555wKF555aPYz5555"/>
    <add key="DeveloperToken" value="TjxJh555ivvW555EE555NTerb555"/>
  </appSettings>
</configuration>
```

4. Connect to your tenant using Box.com's APIs/SDK.
5. Run the console; the output looks as follows:
6. Code the file upload logic:
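Steps 4 and 6 as one console program, added here as an example (it is not the code from the original post): it reads the three settings from the app.config above, connects with the Developer Token via the Box.V2 SDK, creates the target folder under the root if it is missing, and uploads a file into it. The folder name "Incoming" and the local file path are assumptions.

```csharp
using System;
using System.Configuration;
using System.IO;
using System.Threading.Tasks;
using Box.V2;
using Box.V2.Auth;
using Box.V2.Config;
using Box.V2.Models;

class Program
{
    static void Main()
    {
        // Secrets live in app.config (kept out of source control), never in code.
        var clientId = ConfigurationManager.AppSettings["ClientId"];
        var clientSecret = ConfigurationManager.AppSettings["ClientSecret"];
        var devToken = ConfigurationManager.AppSettings["DeveloperToken"];

        var config = new BoxConfig(clientId, clientSecret, new Uri("http://localhost"));
        // A Developer Token is a short-lived access token with no refresh token, so
        // it suits a PoC only; the scheduled service account must use JWT auth instead.
        var session = new OAuthSession(devToken, "NOT_NEEDED", 3600, "bearer");
        var client = new BoxClient(config, session);

        // Assumed target folder and file; "0" is the id of the Box root folder.
        var folderId = GetOrCreateFolderAsync(client, "0", "Incoming").GetAwaiter().GetResult();
        var file = UploadAsync(client, folderId, @"C:\temp\export.csv").GetAwaiter().GetResult();
        Console.WriteLine($"Uploaded {file.Name} (id {file.Id}) into folder {folderId}");
    }

    // Returns the id of the named child folder, creating it if it does not exist.
    static async Task<string> GetOrCreateFolderAsync(BoxClient client, string parentId, string name)
    {
        var items = await client.FoldersManager.GetFolderItemsAsync(parentId, 1000);
        foreach (var item in items.Entries)
            if (item.Type == "folder" && item.Name == name)
                return item.Id;
        var request = new BoxFolderRequest { Name = name, Parent = new BoxRequestEntity { Id = parentId } };
        var folder = await client.FoldersManager.CreateAsync(request);
        return folder.Id;
    }

    // Streams a local file into the given folder and returns the created Box file.
    static async Task<BoxFile> UploadAsync(BoxClient client, string folderId, string localPath)
    {
        var request = new BoxFileRequest { Name = Path.GetFileName(localPath), Parent = new BoxRequestEntity { Id = folderId } };
        using (var stream = File.OpenRead(localPath))
            return await client.FilesManager.UploadAsync(request, stream);
    }
}
```

Uploading a file whose name already exists in the folder fails with a conflict from the API, so a job that re-runs every 5 minutes should check for the existing item or upload a new version instead.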
Overall I think Box.com is a good option if you don't already have O365. It's pretty expensive for a small feature set but it is a valid option for clients.
The search indexing is ridiculously slow, so it is very hard to build search-based solutions using the API.
Overview: Azure has a plethora of options for NoSQL; I used RavenDB and DocumentDB a couple of years back. Both are easy and great tools for the right situation. DocumentDB now falls under CosmosDB as a product at Microsoft. However, I feel that CosmosDB would be anyone's default choice today on Azure, as DocumentDB is really a feature subset of CosmosDB.
CosmosDB: "Azure Cosmos DB is a global distributed, multi-model database (db) that is used in a wide range of applications and use cases. It is a good choice for any serverless application that needs low order-of-millisecond response times, and needs to scale rapidly and globally." CosmosDB is used by Microsoft's Skype, MSN, Xbox, Office 365, Azure products.
Def: CosmosDB is a planet-scalable NoSQL JSON database with multiple API support (including SQL (Core)), with multiple copies/instances around the world (think SQL AOAG).
Encrypted on Azure at Rest and in Motion.
Partitions are managed transparently and users are routed based on geographic location and usage.
One write db and multiple reads. You can set automatic failover so that if the write db is unavailable, one of the read dbs becomes the write db.
Determinant geo-replication: it used to be 1 master and multiple read copies of the data. Not all copies can be written to, and if you have country data-residency rules you can't configure data to be within specific regions, i.e. I can't specify that certain bits of data are only stored in a specific region. You can specify a region/location for a container, but not split a container. (Check! Not a fact.)
Backup and Recovery: point-in-time recovery, and an MS ticket needs to be raised. You can't structure complex backup plans; it is a take-it-or-leave-it approach.
Limited LINQ support
SQL API is very limited compared to SQL relational databases, offering no joins or aggregation capability such as GROUP BY.
Temporal tables don't exist, but there are good auditing options such as the "Change Feed", where all changes can be streamed into an external database/system.
Entity Framework support is limited. Consider a PoC before using.
Consistency (copying data to the other read-only dbs) has 5 options. "Strong" commits to all dbs and acknowledges the state, so it is slower to align, but everyone reads the same data. "Eventual" reads whatever is in the local db you are routed to, which may be stale. The default is "Session". As always, it depends on the requirement.
More Info: NoSQL options - https://www.nebbiatech.com/2017/02/09/exploring-the-nosql-options-on-azure/