Monday, 5 April 2021

Viva Connections, SharePoint HOME, global Navigation and Microsoft Teams

Microsoft Viva Connections is one of the four Viva modules. Announced as the "home site app," Viva Connections for Teams combines SharePoint intranet capabilities with the chat and collaboration features of Microsoft Teams. With Viva Connections, users will see relevant content, sites and news from across the organization right in the Teams app bar.
Viva Connections uses the global navigation links along with personalized content provided by Microsoft Graph. The global navigation is configured in the SharePoint HOME site, so the recommended first step is to set up a SharePoint HOME site in the tenant. Technically, any other modern SharePoint site in the tenant can be used as well.

Setting up the SharePoint HOME site

The HOME site in SharePoint Online must be set up via PowerShell. As of today, there can only be one HOME site in the tenant.
Setting up a HOME site with PowerShell:

  • Connect to SPO: Connect-SPOService -Url https://contoso-admin.sharepoint.com
  • Set up the HOME site: Set-SPOHomeSite -HomeSiteUrl <siteUrl>
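The two commands above, as an added example script that is not part of the original post: it checks whether a HOME site is already configured (there can only be one), verifies the target site is a usable modern site, sets it and reads the setting back. The SharePoint Online Management Shell module and a SharePoint administrator account are assumed; the tenant and site URLs are placeholders.

```powershell
# Added example (not from the original post). Assumes the SharePoint Online
# Management Shell is installed and the account is a SharePoint administrator.
$AdminUrl    = "https://contoso-admin.sharepoint.com"          # placeholder
$HomeSiteUrl = "https://contoso.sharepoint.com/sites/intranet" # placeholder

Import-Module Microsoft.Online.SharePoint.PowerShell
Connect-SPOService -Url $AdminUrl

# Only one HOME site per tenant: show the current one before changing anything.
$current = Get-SPOHomeSite -ErrorAction SilentlyContinue
if ($current) { Write-Host "Current HOME site: $current" }

# The target must be an existing, unlocked modern site.
$site = Get-SPOSite -Identity $HomeSiteUrl -ErrorAction Stop
if ($site.LockState -ne "Unlock") {
    throw "Site $HomeSiteUrl is locked ($($site.LockState)); unlock it first."
}

Set-SPOHomeSite -HomeSiteUrl $HomeSiteUrl

# Read the setting back; Get-SPOHomeSite returns the configured URL.
$after = "$(Get-SPOHomeSite)"
if ($after.TrimEnd('/') -ne $HomeSiteUrl.TrimEnd('/')) {
    throw "HOME site was not set (got '$after')."
}
Write-Host "HOME site is now $after. Users need at least read access to it to see global navigation."
```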

Details are described in the following Microsoft articles:

Configuring Global Navigation

Since the Viva Connections app in Teams integrates the SharePoint intranet with Teams, it makes sense to enable global navigation for the HOME site. However, this is not mandatory: the Viva Connections app in Teams also works with the classic navigation.

Details:
  • As long as global navigation is disabled, the Home icon is associated with the SharePoint home site.
  • Customizing global navigation requires a home site.
  • To enable global navigation, site owner permissions (or higher) are required for the home site.
  • Users need read access (or higher) to the home site to view the global navigation links.
  • Audience targeting can be applied to navigation links in the global navigation.
  • After global navigation is enabled, it may take up to 24 hours to display.
How to enable global navigation on the SharePoint HOME site is described in this Microsoft article: Enable global navigation & configure the global navigation.


Viva Connections

The user account used to create the Viva Connections desktop package requires site owner privileges for the home site in SharePoint. The PowerShell script that creates the app package can be downloaded here: Viva Connections for desktop PowerShell script.
During the setup in PowerShell, the following parameters need to be set:
  • URL of your tenant's home site: Enter the URL of the tenant's home site that begins with "https://". This page becomes the default landing page for Viva Connections.
  • Name: The name of your Viva Connections desktop package, as it should appear in Teams App bar.
  • App short description (80 characters): A short description for your app that will appear in Teams App Catalog.
  • App long description (4000 characters): A long description for your app that will appear in Teams App Catalog.
  • Privacy policy: The privacy policy for custom Teams apps in your organization (must start with https://). If you don't have a separate privacy policy, press Enter and the script will use Microsoft's default SharePoint privacy policy.
  • Terms of use: the terms of use for custom Teams apps in your organization (must start with https://). If you don't have separate terms of use, press Enter and the script uses the default SharePoint terms of use from Microsoft.
  • Company name: Your organization name, visible on the app page in Teams App Catalog in the "Created by" section.
  • Company website: Your organization's public website (must start with https://), which will be linked to your organization's app name on the app page in Teams App Catalog in the "Created By" section.
  • Icons: You must provide two PNG icons that will be used to represent your Viva Connections desktop app in Teams: a 192x192 pixel color icon for the Teams App Catalog and a 32x32 pixel monochrome icon for the Teams App Bar.

Result: Your Viva Connections desktop app has been successfully created! Please find the app manifest in location 'C:\Users\%name%\Desktop', filename 'Viva-Connections'.zip. Please upload this app in Teams Admin Center to proceed:

Upload the Viva Connections desktop package in the Teams Admin Center:

Pin the app to the navigation bar in the Teams client by default for your users:

The user will then see the app in the left bar the next time they launch Teams:


Thursday, 11 February 2021

Microsoft Teams only

When you need to establish home-office workplaces quickly and easily, a Microsoft Teams Only setup is an option. Of course, a planned and coordinated rollout of Office 365 as a whole, including an adoption and training concept, is the preferred approach. Nevertheless, sometimes things simply have to move fast, and then a pragmatic solution is required.

Overview

If the focus is a solution for virtual meetings and collaboration, the planning approach is primarily about not encouraging uncontrolled sprawl in the involved backend systems SharePoint, Exchange and Azure AD. The Microsoft Teams service is built on these services and therefore cannot work without them. This is also reflected in the fact that assigning a Microsoft Teams license technically also includes access to SharePoint.
The services and licenses listed in the "Minimum technical requirements" section are required per user to use Microsoft Teams. The services in parentheses are optional depending on business requirements and deployment scenarios.
Even if Microsoft Teams is only to be used for online meetings, the owner of a Team has further options available. For example, they can create additional channels in a Team or additional SharePoint lists and libraries in the associated SharePoint team site. This applies to users who hold a Teams license, for example because they need to create Teams meetings. To join a Teams meeting on an invitation from another tenant, a user only needs an account in some Azure AD or a Live ID / guest user account.

Minimum technical requirements

Azure Active Directory Account / synchronized identities to Azure Active Directory

Exchange Online / Exchange Hybrid: Details: https://docs.microsoft.com/en-us/microsoftteams/exchange-teams-interact

The SMTP matching option (matching on-premises user accounts to Office 365 user accounts) can be used to merge mailboxes at a later date. This is relevant when users and mailboxes need to be created in Exchange Online in parallel with existing mailboxes on Exchange Server on-premises, for example because Exchange Hybrid cannot be implemented in the short term.

SharePoint Online & OneDrive for Business: Details: https://docs.microsoft.com/en-us/microsoftteams/sharepoint-onedrive-interact

The following is not a general recommendation. The described actions make sense if the goal is to use Microsoft Teams only as an ad hoc solution for online meetings and the like, and not to use any other Office 365 service for now.

  • Restrict users from creating additional SharePoint site collections.
  • Further restriction options in SharePoint Online & OneDrive:
    • Prevent content from being shared anonymously.
    • A Conditional Access policy that only allows access to SharePoint. This prevents services such as Power Apps and Power Automate from being used with SharePoint.
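The two SharePoint Online restrictions listed above, as an added example that is not part of the original post: it records the current tenant settings, hides the "Create site" option and turns off anonymous ("Anyone") links while keeping authenticated guest sharing (which Teams guest access relies on), then prints a before/after comparison. The SharePoint Online Management Shell module and a SharePoint administrator account are assumed; the admin URL is a placeholder.

```powershell
# Added example (not from the original post). Assumes the SharePoint Online
# Management Shell and a SharePoint administrator account.
Connect-SPOService -Url "https://contoso-admin.sharepoint.com"   # placeholder

$before = Get-SPOTenant

# 1) Hide the "Create site" option on the SharePoint start page so users cannot
#    create additional site collections themselves. (Sites created through Teams
#    follow the Microsoft 365 group creation settings in Azure AD instead.)
# 2) ExternalUserSharingOnly disables anonymous "Anyone" links but still allows
#    sharing with authenticated guests. Use Disabled to block external sharing entirely.
Set-SPOTenant -DisplayStartASiteOption $false `
              -SharingCapability ExternalUserSharingOnly

$after = Get-SPOTenant

# Before/after comparison of the two settings that were changed.
$report = foreach ($name in 'DisplayStartASiteOption', 'SharingCapability') {
    [pscustomobject]@{
        Setting = $name
        Before  = $before.$name
        After   = $after.$name
        Changed = "$($before.$name)" -ne "$($after.$name)"
    }
}
$report | Format-Table -AutoSize

# Fail loudly if the hardened values did not stick.
if ($after.DisplayStartASiteOption -or $after.SharingCapability -ne 'ExternalUserSharingOnly') {
    throw "Tenant settings were not applied as expected."
}
```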

Access can be monitored via Microsoft Cloud App Security. Details and examples can be found here: Secure your environment by Conditional Access & App Controls

Licenses / Apps:

The bracketed apps in the following list are not mandatory for working with Microsoft Teams as such. However, the Teams app license itself must be assigned to a user so that the basic Teams functions are available and the client can be used:

Microsoft Teams, (SharePoint & OneDrive), (Exchange Online), (Office for the web), (Microsoft Planner), (Microsoft Stream), (Whiteboard).

If the user is not assigned a SharePoint license, OneDrive for Business is also not available to them. As a result, this user cannot attach files to personal chats. The user will see the following message:

They can still chat with other users.

If the Exchange Online license is missing or no Exchange Hybrid is in use, the calendar is not available in Teams.
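To see in advance which users will hit the limitations described above, the following added example (not from the original post) reports, per licensed user, which Teams-related service plans are enabled and derives the consequences (no SharePoint plan: no chat attachments; no Exchange Online plan: no calendar, ignoring Exchange Hybrid). It uses the AzureAD module; the service plan name patterns are assumptions based on common Microsoft 365 SKUs and should be checked against your own licenses.

```powershell
# Added example (not from the original post). Requires the AzureAD module.
Connect-AzureAD

# Service plan name patterns (assumed; verify with Get-AzureADUserLicenseDetail on a
# known-good user, as names differ between SKUs such as E1 and E3).
$plans = [ordered]@{
    Teams      = '^TEAMS'
    SharePoint = '^SHAREPOINT(STANDARD|ENTERPRISE)'
    Exchange   = '^EXCHANGE_S_'
    OfficeWeb  = '^SHAREPOINTWAC'
    Planner    = '^PROJECTWORKMANAGEMENT'
}

function Get-TeamsPlanStatus {
    param([Parameter(Mandatory)] $User)

    # All service plans of the user's licenses that are not disabled.
    $enabled = Get-AzureADUserLicenseDetail -ObjectId $User.ObjectId |
        ForEach-Object { $_.ServicePlans } |
        Where-Object { $_.ProvisioningStatus -ne 'Disabled' } |
        Select-Object -ExpandProperty ServicePlanName

    $row = [ordered]@{ User = $User.UserPrincipalName }
    foreach ($name in $plans.Keys) {
        $row[$name] = [bool]($enabled | Where-Object { $_ -match $plans[$name] })
    }
    # Consequences described in the post.
    $row['ChatAttachments'] = $row.Teams -and $row.SharePoint
    $row['Calendar']        = $row.Teams -and $row.Exchange   # Exchange Hybrid not considered
    [pscustomobject]$row
}

Get-AzureADUser -All $true |
    Where-Object { $_.AssignedLicenses.Count -gt 0 } |
    ForEach-Object { Get-TeamsPlanStatus -User $_ } |
    Format-Table -AutoSize
```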

Further details and dependencies are described in this Microsoft article: Prerequisites and environmental dependencies for Teams.

Example setup:

Tips

To keep track of Teams usage and keep users engaged, Microsoft already provides some Azure features:

Scripts that generate custom reports can also be created easily with PowerShell. The CLI for Microsoft 365 can be used for this: https://pnp.github.io/cli-microsoft365.


Friday, 1 January 2021

Hello 2021 - what can we expect from you?


This whitepaper summarizes the trends and what we can expect in the IT industry in 2021. Of course, it will still be about new features and options. However, the challenges that companies had and still have to deal with because of COVID-19 also brought topics such as IT security and governance back into focus.

In conclusion, the current challenges have made it clear that the question "What do I get out of a new tool or service and what would it take for me to implement it?" is really only the second question. Question number 1 was and will remain for now: "What do I need as a company to be able to work productively?"

After the ECJ declared the Privacy Shield invalid in the summer of 2020, the topic of GDPR will continue to affect us in 2021.

Details on this and other topics in the free whitepaper Hello 2021 - what can we expect from you?


Friday, 18 December 2020

Hybrid AAD Join with Okta as Identity Provider

Okta (https://www.okta.com) offers access and authentication management capabilities, just as Microsoft does with Azure AD. A current scenario that continues to cause problems is the combination of both solutions: Hybrid AAD Join with Okta as identity provider.

In general, the combination of Azure AD and Okta works. Okta provides various how-to articles, FAQs and whitepapers on this, for example Add Office 365 to Okta or, focusing on hybrid AAD Join with Okta as identity provider, this:

However, there is another option: continue using Okta as identity provider and register devices in Azure AD independently. In the end, this was the solution that worked for us in a customer project, because the following options can only be used when a device is registered in Azure AD:
  • Endpoint Manager / Microsoft Intune
  • Windows Hello for Business
  • Windows Autopilot
  • Conditional Access Policies
  • Etc.

Configure hybrid Azure Active Directory join bypassing Okta

When Okta is used as the identity provider, all authentication requests use the Okta service. This is also true when a device wants to authenticate or tries to join Azure AD.

This Microsoft tutorial describes step by step how to set up a hybrid Azure AD join: Configure hybrid Azure Active Directory join for managed domains

Here are the steps to "Configure hybrid Azure Active Directory join bypassing Okta":

1. Change the Service Connection Point configuration in Azure AD Connect to Azure AD:
2. Set the machine proxy configuration on the Windows 10 device: Windows 10 (1709 and later) tries to complete the hybrid Azure AD join via a scheduled task. This runs in the machine context, so a machine (WinHTTP) proxy is needed. It can be set with netsh winhttp set proxy proxy-server="<proxy>:<port>", or via a GPO in the local Active Directory: https://support.microsoft.com/en-us/help/4494447/use-group-policy-to-apply-winhttp-proxy-settings-to-clients

3. Configure the auto-enrollment Group Policy for a single PC. The necessary change here is to switch the policy from device credentials to user credentials: https://docs.microsoft.com/en-us/windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy#configure-the-auto-enrollment-group-policy-for-a-single-pc
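Step 2 and a check of the result, as an added example that is not part of the original post: it sets the machine-context WinHTTP proxy the join task depends on, triggers the join task instead of waiting for its next scheduled run, and parses dsregcmd /status to report the join state. It is run elevated on the Windows 10 device; the proxy host and port are placeholders.

```powershell
# Added example (not from the original post). Run in an elevated PowerShell on the device.
$Proxy = "proxy.contoso.local:8080"   # placeholder

# The hybrid join task runs as SYSTEM, so the per-user (WinINET) proxy is ignored;
# the WinHTTP proxy is what it uses. "<local>" bypasses the proxy for intranet hosts.
netsh winhttp set proxy proxy-server="$Proxy" bypass-list="<local>"
netsh winhttp show proxy

# Kick off the scheduled task that performs the hybrid Azure AD join.
Start-ScheduledTask -TaskPath "\Microsoft\Windows\Workplace Join\" -TaskName "Automatic-Device-Join"
Start-Sleep -Seconds 30

# Parse the "Key : Value" lines of dsregcmd /status into a hashtable.
$status = @{}
dsregcmd /status | ForEach-Object {
    if ($_ -match '^\s*(\S[^:]*?)\s*:\s*(.*)$') { $status[$matches[1]] = $matches[2].Trim() }
}

[pscustomobject]@{
    DomainJoined  = $status['DomainJoined']    # YES for a hybrid join
    AzureAdJoined = $status['AzureAdJoined']   # YES once the join completed
    TenantName    = $status['TenantName']
    DeviceId      = $status['DeviceId']
}

if ($status['AzureAdJoined'] -ne 'YES') {
    Write-Warning "Not (yet) hybrid Azure AD joined. Check the proxy and the Diagnostic Data section of dsregcmd /status."
}
```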

In the end, Okta is no longer involved when a device joins Azure AD, but it remains the identity provider when a user logs in to Office 365.



Thursday, 17 December 2020

Onetime Passcode Authentication to access Microsoft 365 Group resources

Onetime Passcode authentication via email is an Azure AD feature that is currently still in preview. The preview feature must be activated in Azure AD under User settings -> Manage external collaboration settings:

Starting March 2021, the Onetime Passcode feature will be enabled by default for all new and existing tenants. If the feature should not be available, it must be disabled explicitly.

Users who want to use Onetime Passcode for login must login using a link that contains the Tenant context. For example: https://%tenant name%.sharepoint.com/teams/demo

Direct links to applications and resources also work if they contain the tenant context. Logging in via endpoints that do not contain the tenant context is currently not possible; using https://myapps.microsoft.com or https://portal.azure.com, for example, results in an error.

User experience for Onetime Passcode

When accessing an Office 365 resource, the user is prompted to authenticate. It does not matter whether the access is done via the browser or via an app. If an Onetime Passcode is used for authentication, the dialog looks like this:

Onetime Passcodes are valid for 30 minutes. After that, the passcode is no longer valid and the user must request a new one. Sessions expire after 24 hours.

Access works for services belonging to the Microsoft 365 Group, such as SharePoint, Planner or Teams. Access to PowerBI or Microsoft Stream, for example, did not work at the time this article was written.

Administration / Inviting a guest user via Onetime Passcode

To enable a guest user to log in via the Onetime Passcode feature, they must be created/invited as follows. The guest user is invited in Azure AD, with their email address, to the Microsoft 365 group belonging to the SharePoint site or Microsoft Team:

The user will then receive the following email:


When clicking the link in the mail, the steps described under "User experience for Onetime Passcode" follow. Whether the user logs in with username & password or with the Onetime Passcode option depends on the user / account. The user will receive an email with a Onetime Passcode if:

  • They do not have an Azure AD account.
  • They do not have a Microsoft account (Live ID).

At the time of invitation, there is no way to verify whether the user being invited will use the Onetime Passcode option or not. The option, if enabled in the tenant, is available as a fallback if no other authentication method can be used.

Whether a user will use the Onetime Passcode method can be checked in the user profile details after the first login:
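The invitation flow described in this section, as an added example that is not part of the original post: it invites an external address as a guest with a redirect link that carries the tenant context (the post notes that links without it fail for Onetime Passcode users), adds the guest to the Microsoft 365 group behind the Team or site, and shows the invitation state, which stays pending until the first login decides the authentication method. The AzureAD module is assumed; the address, URL and group name are placeholders.

```powershell
# Added example (not from the original post). Requires the AzureAD module.
Connect-AzureAD

$GuestEmail  = "partner@example.com"                        # placeholder
$GroupName   = "demo"                                       # placeholder
$RedirectUrl = "https://contoso.sharepoint.com/teams/demo"  # tenant-context link (placeholder)

# Send the invitation mail; the link in it points to $RedirectUrl. Logging in via
# https://myapps.microsoft.com instead would fail for a Onetime Passcode user.
$invitation = New-AzureADMSInvitation -InvitedUserEmailAddress $GuestEmail `
                                      -InviteRedirectUrl $RedirectUrl `
                                      -SendInvitationMessage $true
$guestId = $invitation.InvitedUser.Id

# Add the guest to the Microsoft 365 group that owns the Team / SharePoint site.
$group = Get-AzureADMSGroup -Filter "displayName eq '$GroupName'" | Select-Object -First 1
if (-not $group) { throw "Group '$GroupName' not found." }
Add-AzureADGroupMember -ObjectId $group.Id -RefObjectId $guestId

# UserState is PendingAcceptance until the first login. Whether the guest then uses an
# Azure AD account, a Microsoft account or a Onetime Passcode is not known at this point.
Get-AzureADUser -ObjectId $guestId |
    Select-Object DisplayName, Mail, UserType, CreationType, UserState
```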


Wednesday, 16 December 2020

Update on Information Protection, Azure Purview & GDPR

Information Protection

The settings for a Sensitivity Label have changed since Ignite in September 2020. One of the first steps is now to specify whether the label should be used for "Files & Email", for "Groups & Sites" or also for the new Azure Purview integration:

Even if the dialog looks slightly different in detail, no new feature has been added to the "Files & Email" section.

In the "Groups & Sites" area we now have the feature "Control External Sharing for SharePoint Online Sites":

The settings in the label override the settings in the SharePoint Admin Center when the label is assigned to a site.

Note that SharePoint Online caches these settings. If a label is reassigned or updated, it can take up to 24 hours for the changes to take effect. If a label is assigned directly when the site is created, the settings take effect within 15 minutes.

Azure Purview:

Sensitivity labels can now be extended to Azure Purview. This enables labels to be applied to SQL columns and files in Azure Blob Storage.

This is a relevant new function, especially in the context of GDPR, as personal data is usually stored and processed in various IT systems. Details on this: Microsoft Information Protection and Microsoft Azure Purview: Better Together

The function is currently still in preview status and can be activated in the Security Center in the Sensitivity Labels area:

What is Azure Purview?

Azure Purview is a data governance service. The service aggregates data from on-premises systems, multi-cloud scenarios and software-as-a-service (SaaS) applications. The service creates a Purview data map based on this data:

Details: https://azure.microsoft.com/en-us/services/purview/

GDPR

Both features, sensitivity labeling and integration with the Azure Purview service, support the requirements of the GDPR. In parallel to the updates of the technical features, Microsoft has taken action in response to the decisions of the ECJ (Privacy Shield agreement / Schrems II).

In this press release, which is unfortunately only available in German, Microsoft explains the details of the Defending Your Data program and that these efforts will be part of future contracts with enterprise and public sector customers. The two most important details are:

  • Microsoft is committed to challenging any request by a government entity for data from enterprise or public sector customers where there is a legal basis for doing so.

  • Microsoft will compensate customers for financial damages if their data must be released to a government agency in violation of the EU General Data Protection Regulation (EU GDPR).

Details in the press release linked above.


Wednesday, 30 September 2020

Secure your environment by Conditional Access & App Controls

With the Azure AD Conditional Access feature, rules for access to Microsoft Cloud Services and other apps registered in Azure AD can be bound to conditions.

An example rule: when accessing from an unmanaged device, the user is prompted for multi-factor authentication.

With the "Use Conditional Access App Control" option in the Session controls area of Azure AD Conditional Access, advanced scenarios can be set up.

Options:

  • Prevent data exfiltration
  • Protect on download
  • Prevent upload of unlabeled files
  • Block potential malware
  • Monitor user sessions for compliance
  • Block access
  • Block custom activities

Example:

  • Automatically assign a sensitivity label when a file is downloaded.
  • Filter based on regular expressions: "Include files that match a custom expression".
  • Block upload if malware is detected.
  • This is possible because the Cloud App Security service then acts as a proxy for accessing the application:

Setup Conditional Access App Control

The options listed above affect all registered apps under https://portal.cloudappsecurity.com/#/connected-apps?tab=proxy. By default, this list is empty:

To register an app, the wizard can be used in Cloud App Security via Investigate -> Connected Apps -> Conditional Access App Control Apps. Another and much simpler way is to use a conditional access policy as an easy start:

  1. Azure AD Security -> Conditional Access

  2. New Policy

  3. Section "Access controls" -> "Session"

  4. Use "Use Conditional Access App Control"

  5. Use "Use custom policy to set an advanced policy in Cloud App Security"


Configure the policy in the "Users and groups" menus etc. so that it is applied the next time the app to be registered is started. Apps that authenticate via Azure AD are then automatically registered in Cloud App Security under "Conditional Access App Control":

The above method works for the so-called featured apps. In order for this option to work for the Office 365 featured apps, Office 365 must be registered under "Connected Apps" in Cloud App Security:

Once an app is registered, session policies can be created that will take effect when the app is used.

Example: If the user Oliver Hardy tries to download a document from Microsoft Teams (SharePoint) that contains the term "confidential", the download is blocked.

Further scenarios

  • Monitor / block activities based on file conditions like classification label, file name, file size or file extension
  • Apply rules based on malware detection
  • Apply classification label to downloads
  • Block downloads based on conditions
  • Monitor / block activities like Cut/Copy Item, Paste Item, Print Item, Send Item


Impact from the user's perspective

When opening the app, the user is notified that access is monitored by Cloud App Security. The involvement of a proxy can also be recognized from the URL, which now carries the addition access-control.cas.ms:

If the user Oliver Hardy now tries to download a document he gets the following message: