Tuesday, 8 June 2021

Sensitivity Labels & Default sharing link type

You can configure the default sharing link type for SharePoint and OneDrive for Business in the SharePoint Admin Center:

With PowerShell you can now associate a default sharing link type with a sensitivity label.
Suppose you have a label called "TOP SECRET". You could already configure this label to block external sharing on sites to which it is applied:

Now you can fine-tune this further and specify the default sharing link type using PowerShell:
  • Set-Label -Identity 'TOP SECRET' -AdvancedSettings @{DefaultSharingScope="SpecificPeople"}
  • Set-Label -Identity 'TOP SECRET' -AdvancedSettings @{DefaultShareLinkPermission="Edit"}

This feature is now (06/08/2021) in public preview.
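The two cmdlets above, applied in a single call and then read back for verification. This is an added example, not code from the original post; it assumes the ExchangeOnlineManagement module is installed, that the label "TOP SECRET" already exists, and that Get-Label exposes advanced settings in its Settings property as "[key, value]" strings.

```powershell
# Added example: set and verify the default sharing link for a sensitivity label.
# Connect-IPPSSession opens the Security & Compliance PowerShell session in
# which Set-Label and Get-Label are available.
Import-Module ExchangeOnlineManagement
Connect-IPPSSession

$labelName = 'TOP SECRET'   # assumed to exist already

# Both advanced settings can be written in one hashtable.
# DefaultSharingScope accepts SpecificPeople, Organization or Anyone;
# DefaultShareLinkPermission accepts View or Edit.
# "SpecificPeople" is the most restrictive scope: the link only works for the
# people it was created for, so a forwarded link does not widen access.
Set-Label -Identity $labelName -AdvancedSettings @{
    DefaultSharingScope        = 'SpecificPeople'
    DefaultShareLinkPermission = 'Edit'
}

# Read the label back and show only the two keys just written, so the change
# can be confirmed (or spotted during a review of label configuration).
$label = Get-Label -Identity $labelName
$label.Settings |
    Where-Object { $_ -match 'defaultsharingscope|defaultsharelinkpermission' }
```

The per-label defaults only change what the sharing dialog pre-selects for content carrying that label; the tenant-level sharing settings in the SharePoint Admin Center still define the outer limit of what a user can choose.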

Monday, 7 June 2021

Customize Built-In Classifiers

As part of data classification in the Microsoft 365 compliance center you can now customize built-in classifiers (sensitive information types) to meet an organization's needs.
This update includes:

  • Ability to edit custom dictionaries

  • New validation functions, for example:
    • Custom checksum validator
    • Date validator
    • Luhn check (The Luhn algorithm will detect any single-digit error, as well as almost all transpositions of adjacent digits.)
    • Etc.
  • Ability to define Proximity at pattern and element level
Rollout will begin in mid-June and is expected to be complete by mid-July 2021.
For all of you who want to start with custom sensitive information types, this feature is already available: https://docs.microsoft.com/en-us/microsoft-365/compliance/create-a-custom-sensitive-information-type
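What the Luhn check listed above actually does, as an added example (not Microsoft's validator code and not from the original post). It implements the mod-10 checksum and then runs it over constructed sample values to show the two properties claimed in the list, and goes one step further by showing the single adjacent transposition (09 <-> 90) the algorithm cannot catch. The function and sample values are my own.

```powershell
# Added example: Luhn (mod-10) checksum validator.
function Test-LuhnChecksum {
    param([Parameter(Mandatory)][string]$Number)

    # Ignore the separators that typically appear in card-like numbers.
    $digits = $Number -replace '[\s-]', ''
    if ($digits -notmatch '^\d+$') { return $false }

    $sum = 0
    $double = $false
    # Walk from the rightmost digit; every second digit is doubled and, if the
    # result has two digits, reduced by 9 (equivalent to adding its digits).
    for ($i = $digits.Length - 1; $i -ge 0; $i--) {
        $d = [int][string]$digits[$i]
        if ($double) {
            $d *= 2
            if ($d -gt 9) { $d -= 9 }
        }
        $sum += $d
        $double = -not $double
    }
    return ($sum % 10) -eq 0
}

function Show-LuhnChecks {
    # Constructed sample values; 79927398713 is the classic Luhn test value.
    $cases = @(
        @{ Input = '79927398713'; Case = 'valid reference value' }
        @{ Input = '79927398717'; Case = 'single-digit error (3 -> 7)' }
        @{ Input = '79927398731'; Case = 'adjacent transposition (13 -> 31)' }
        @{ Input = '1234905';     Case = 'valid value containing "90"' }
        @{ Input = '1234095';     Case = '"90" -> "09" transposition (not caught)' }
    )
    foreach ($c in $cases) {
        [pscustomobject]@{
            Input  = $c.Input
            Case   = $c.Case
            Passes = Test-LuhnChecksum $c.Input
        }
    }
}

Show-LuhnChecks | Format-Table -AutoSize
```

The first value passes, the single-digit error and the 13/31 transposition fail, and both 1234905 and 1234095 pass: swapping 09 and 90 produces the same checksum. For a sensitive information type this is the point of a checksum validator: it filters out random digit strings that merely match the pattern, which cuts false positives, but it is not proof that a match is a real identifier.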

Sunday, 9 May 2021

Zero Trust (TIC3.0) Workbook & Microsoft Teams

Microsoft provided a powerful new Azure Sentinel Workbook: https://techcommunity.microsoft.com/t5/azure-sentinel/what-s-new-azure-sentinel-zero-trust-tic3-0-workbook/ba-p/2315195

The Zero Trust (TIC3.0) Workbook has two general aspects. On the one hand, it provides a topic-based overview of Microsoft Security & Compliance features:

This "overview" can be filtered and segmented by topics:

The other aspect is that this is not just static content. Wherever possible, the data from the tenant is displayed for the selected topic:

As shown in the screenshot, it is always possible to jump from the Zero Trust (TIC3.0) Workbook to the underlying KQL query in order to evaluate further details.

Whether data can be viewed from the tenant depends on which services are included in Azure Sentinel. Example:

Microsoft Teams & Zero Trust (TIC3.0) Workbook

With the "Unified Communications & Collaboration" filter, the focus of the Workbook is among other things on the Microsoft Teams service. Here, recommendations and details of a Zero Trust strategy are now also displayed as well as data on the tenant:
The Zero Trust (TIC3.0) Workbook can therefore be used to develop an IT security and compliance strategy on the one hand, and on the other hand provides direct data for each topic that is selected.
The focus is not only on the SaaS solutions around Office 365; with the connectors that can be integrated into Azure Sentinel, a comprehensive overall picture is easily possible.

Sunday, 2 May 2021

Showing Azure AD Sign-in locations in a world map

"We need an overview showing from where people are logging on to our Microsoft Cloud environment." This requirement came up as part of a project. The first approach was to use the features that are directly available in Microsoft Cloud solutions:

Azure AD Sign-In Logs:

Here, however, came the request to display this information on a world map, to see visually where the sign-ins came from. Cloud App Security offers this as a standard feature on its dashboard (https://portal.cloudappsecurity.com/#/dashboard).

Cloud App Security:

However, the Cloud App Security feature is not available in all license bundles, and the dashboard can only be filtered by the apps used.


The Azure AD sign-in logs are also available as a workbook template in Azure Sentinel. And this workbook template can be customized / extended:

To add a world map to the standard workbook with the regions from which the accesses occurred, the following steps are necessary:

  • Azure Sentinel -> Workbooks -> Azure AD Sign-in logs -> View saved workbook (see screenshot above).
  • In the upper left pane, select "Edit", then on the "Sign-ins by Location" report select the "Edit" option for that report:
  • In edit mode the button "Add -> Add Query" is available. Into the newly created query, copy the text from the "Sign-ins by Location" query and select "Map" as the visualization:
  • At a minimum, the values for "Location Info using" and "Country/Region field" must be configured in the Map Settings:
  • Result:

The workbook and therefore the map can now be filtered by the following values:
  • TimeRange
  • Apps
  • Users
  • Category (Sign-in Logs / Non interactive sign-in logs)
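The same per-country sign-in data that the map visualizes, pulled directly from the Log Analytics workspace behind Azure Sentinel. This is an added example and not the workbook's own "Sign-ins by Location" query: the KQL text is constructed here, the workspace ID is a placeholder, and the expected-country list is a made-up sample. It assumes the Az.Accounts and Az.OperationalInsights modules.

```powershell
# Added example: per-country sign-in counts from the Sentinel workspace.
Import-Module Az.Accounts, Az.OperationalInsights
Connect-AzAccount

$workspaceId = '<log-analytics-workspace-guid>'   # placeholder, replace with your workspace ID

# Successful sign-ins of the last 7 days grouped by the Location column (the
# ISO country/region code that the map's "Country/Region field" points at).
# The union covers both workbook categories: interactive sign-ins (SigninLogs)
# and non-interactive sign-ins (AADNonInteractiveUserSignInLogs).
# ResultType is a string column, hence the quoted "0".
$kql = @'
union SigninLogs, AADNonInteractiveUserSignInLogs
| where TimeGenerated > ago(7d)
| where ResultType == "0"
| summarize SignIns = count(), Users = dcount(UserPrincipalName) by Location
| order by SignIns desc
'@

$response = Invoke-AzOperationalInsightsQuery -WorkspaceId $workspaceId -Query $kql
$rows = $response.Results

# The table behind the map.
$rows | Format-Table Location, SignIns, Users -AutoSize

# Defender's check the map makes visual: sign-ins from countries where the
# organisation has no users. Constructed sample list; adjust to your tenant.
$expectedCountries = @('DE', 'AT', 'CH')
$unexpected = $rows | Where-Object { $_.Location -notin $expectedCountries }
if ($unexpected) {
    Write-Warning "Successful sign-ins from unexpected countries:"
    $unexpected | Format-Table Location, SignIns, Users -AutoSize
}
```

Running the query outside the workbook is useful when the result should feed something other than a chart, for instance a scheduled report or an analytics rule; the workbook itself is still the quicker way to explore the data interactively.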

Related topics

The Traffic Analytics feature focuses on the following scenarios: https://docs.microsoft.com/en-us/azure/network-watcher/traffic-analytics

  • Visualize network activity across your Azure subscriptions and identify hot spots.
  • Identify security threats to, and secure, your network with information such as open ports, applications attempting internet access, and virtual machines (VMs) connecting to rogue networks.
  • Understand traffic flow patterns across Azure regions and the internet to optimize your network deployment for performance and capacity.
  • Pinpoint network misconfigurations leading to failed connections in your network.

Monday, 5 April 2021

Viva Connections, SharePoint HOME, global Navigation and Microsoft Teams

Microsoft Viva Connections is one of the four Viva modules. Announced as the "home site app," Viva Connections for Teams combines SharePoint intranet capabilities with the chat and collaboration features of Microsoft Teams. With Viva Connections, users will see relevant content, sites and news from across the organization right in the Teams app bar.
Viva Connections uses the global navigation links along with personalized content provided by Microsoft Graph. The global navigation is configured in the SharePoint HOME site. Therefore, the recommended first step is to set up a SharePoint HOME site in the tenant. Technically, any other modern SharePoint site in the tenant can be used as well.

Setting up the SharePoint HOME site

The HOME site in SharePoint Online must be set up via PowerShell. As of today, there can only be one HOME site in the tenant.
Setting up a HOME site with PowerShell:

  • Connect to SPO: Connect-SPOService -Url https://contoso-admin.sharepoint.com
  • Setup Home Site: Set-SPOHomeSite -HomeSiteUrl <siteUrl>

Details are described in the following Microsoft articles:

Configuring Global Navigation

Since the Viva Connections app in Teams integrates the SharePoint intranet with the Teams app, it makes sense to enable global navigation for the HOME site. However, this is not a must. The Viva Connections App in Teams also works with the classic navigation.

  • As long as global navigation is disabled, the Home icon is associated with the SharePoint home site.
  • Customizing global navigation requires a home site.
  • To enable global navigation, site owner permissions (or higher) are required for the home site.
  • Users need read access (or higher) to the home site to view the global navigation links.
  • Audience targeting can be applied to navigation links in the global navigation.
  • After global navigation is enabled, it may take up to 24 hours to display.
How to enable global navigation in the SharePoint HOME site is described in this Microsoft article: Enable global navigation & configure the global navigation.

Viva Connections

The user account used to create the Viva Connections desktop package requires site owner privileges for the home site in SharePoint. The PowerShell script to create the app package can be downloaded here: Viva Connections for desktop PowerShell script.
During the setup in PowerShell, the following parameters need to be set:
  • URL of your tenant's home site: Enter the URL of the tenant's home site that begins with "https://". This page becomes the default landing page for Viva Connections.
  • Name: The name of your Viva Connections desktop package, as it should appear in Teams App bar.
  • App short description (80 characters): A short description for your app that will appear in Teams App Catalog.
  • App long description (4000 characters): A long description for your app that will appear in Teams App Catalog.
  • Privacy policy: The privacy policy for custom Teams apps in your organization (must start with https://). If you don't have a separate privacy policy, press Enter and the script will use Microsoft's default SharePoint privacy policy.
  • Terms of use: the terms of use for custom Teams apps in your organization (must start with https://). If you don't have separate terms of use, press Enter and the script uses the default SharePoint terms of use from Microsoft.
  • Company name: Your organization name, visible on the app page in Teams App Catalog in the "Created by" section.
  • Company website: Your organization's public website (must start with https://), which will be linked to your organization's app name on the app page in Teams App Catalog in the "Created By" section.
  • Icons: You must provide two PNG icons that will be used to represent your Viva Connections desktop app in Teams: a 192x192 pixel color icon for the Teams App Catalog and a 32x32 pixel monochrome icon for the Teams App Bar.

Result: Your Viva Connections desktop app has been successfully created! Please find the app manifest in location 'C:\Users\%name%\Desktop', filename 'Viva-Connections'.zip. Please upload this app in Teams Admin Center to proceed:

Upload the Viva Connections desktop package in the Teams Admin Center:

Pin the app to the navigation bar in the Teams client by default for your users:

The user will then see the app in the left bar the next time Teams is launched:

Thursday, 11 February 2021

Microsoft Teams only

When you need to establish home office workplaces quickly and easily, a Microsoft Teams-only setup is an option. Of course, a planned and coordinated rollout of Office 365 overall, including an adoption and training concept, is the preferred approach. Nevertheless, sometimes it simply has to go fast, and then a pragmatic solution is required.


If the focus is a solution for virtual meetings and collaboration, the planning approach is primarily about not encouraging uncontrolled sprawl in the involved backend systems SharePoint, Exchange and Azure AD. The Microsoft Teams service is built on these services and therefore cannot work without them. This is also reflected in the fact that assigning a Microsoft Teams license technically includes access to SharePoint.
The services and licenses listed in the "Minimum technical requirements" section are required per user to use Microsoft Teams. The services in parentheses are optional depending on business requirements and deployment scenarios.
Even if Microsoft Teams is only to be used for online meetings, the owner of a Team has further options available. For example, they can create additional channels in a Team or create additional SharePoint lists and libraries in the associated SharePoint Team Site. This applies to users who have a Teams license because they need to create Teams meetings, for example. To join a Teams meeting when invited from another tenant, a user only needs an account in an Azure AD or a Microsoft account (Live ID) / guest user.

Minimum technical requirements

Azure Active Directory Account / synchronized identities to Azure Active Directory

Exchange Online / Exchange Hybrid: Details: https://docs.microsoft.com/en-us/microsoftteams/exchange-teams-interact

The SMTP matching option (matching on-premises user accounts to Office 365 user accounts) can be used to merge mailboxes at a later date. This is relevant when users and mailboxes need to be created in Exchange Online in parallel with existing mailboxes in Exchange Server on-premises, for example because Exchange Hybrid cannot be implemented in the short term.

SharePoint Online & OneDrive for Business: Details: https://docs.microsoft.com/en-us/microsoftteams/sharepoint-onedrive-interact

The following is not a general recommendation. The described actions make sense if the goal is to use Microsoft Teams only as an ad hoc solution for online meetings etc. and not to use any other Office 365 service for now.

  • Restrict users from creating additional SharePoint site collections.
  • Further options for restrictions in SharePoint Online & OneDrive:
    • Restrict content from being shared anonymously.
    • Conditional Access policies that only allow access to SharePoint. This prevents services such as Power Apps and Power Automate from being used with SharePoint.
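The tenant-level sharing restrictions from the list above, applied with the SharePoint Online Management Shell and recorded before/after so the change can be reviewed or reverted. This is an added example, not code from the original post; it assumes the Microsoft.Online.SharePoint.PowerShell module and the tenant name "contoso". The site-creation restriction and the Conditional Access policy from the list are configured elsewhere (SharePoint admin center and Azure AD) and are not covered here.

```powershell
# Added example: tenant-wide SharePoint/OneDrive sharing restrictions for a
# Teams-only scenario.
Import-Module Microsoft.Online.SharePoint.PowerShell
Connect-SPOService -Url 'https://contoso-admin.sharepoint.com'   # assumed tenant

# Record the current state first; reviewing the "before" values is also how you
# notice that a tenant has been left on the permissive defaults.
$before = Get-SPOTenant | Select-Object SharingCapability, DefaultSharingLinkType

# Block anonymous "Anyone" links tenant-wide.
#   ExternalUserSharingOnly : authenticated guests can still be invited
#   Disabled                : no external sharing at all
# ExternalUserSharingOnly keeps ad hoc meetings with external participants
# workable while removing unauthenticated links.
Set-SPOTenant -SharingCapability ExternalUserSharingOnly

# Make "specific people" the default link type, so a user who shares a file
# from a chat does not create an organisation-wide link by accident.
Set-SPOTenant -DefaultSharingLinkType Direct

$after = Get-SPOTenant | Select-Object SharingCapability, DefaultSharingLinkType
[pscustomobject]@{
    Before = "$($before.SharingCapability) / $($before.DefaultSharingLinkType)"
    After  = "$($after.SharingCapability) / $($after.DefaultSharingLinkType)"
}
```

Individual sites and labels can only be as permissive as this tenant-wide setting allows, so setting it first gives the Teams-only rollout a ceiling that later site-level or label-level configuration cannot exceed.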

Access is monitored via Microsoft Cloud App Security. Details and examples can be found here: Secure your environment by Conditional Access & App Controls

Licenses / Apps:

The bracketed apps in the following list are not mandatory to work with Microsoft Teams as such. However, the Teams App license as such must be assigned to a user so that the basic Teams functions are available and the client can be used:

Microsoft Teams, (SharePoint & OneDrive), (Exchange Online), (Office for the web), (Microsoft Planner), (Microsoft Stream), (Whiteboard).

If the user is not assigned a SharePoint license, OneDrive for Business is also not available to them. As a result, this user cannot add attachments in personal chats. The user will see the following message:

They can still chat with other users.

If the Exchange Online license is missing or no Exchange Hybrid is in use, the calendar is not available in Teams.

Further details and dependencies are described in this Microsoft article: Prerequisites and environmental dependencies for Teams.

Example setup:


To keep track of Teams usage and keep users themselves engaged, Microsoft is already providing some Azure features:

Scripts to generate custom reports can also be easily created using PowerShell. The CLI for Microsoft 365 can be used for this: https://pnp.github.io/cli-microsoft365.

Friday, 1 January 2021

Hello 2021 - what can we expect from you?


This whitepaper summarizes the trends and what we can expect in the IT industry in 2021. Of course, it will still be about new features and options. However, the challenges that companies had and have to deal with COVID-19 also brought topics such as IT security and governance back into focus.

In conclusion, the current challenges have made it clear that the question "What do I get out of a new tool or service and what would it take for me to implement it?" is really only the second question. Question number 1 was and will remain for now: "What do I need as a company to be able to work productively?"

After the ECJ declared the Privacy Shield invalid in the summer of 2020, the topic of GDPR will continue to affect us in 2021.

Details on this and other topics in the free whitepaper Hello 2021 - what can we expect from you?