Creating unique file permissions with Teams

Microsoft Teams is a really easy way to share files with others. However, the modern concept with Microsoft Teams is that once you are part of the Team then you have the same rights as everyone else. This generally means that all Team members have the ability to read, write, modify and potentially delete files. This is common across all channels in the Team.

One thing that you really don’t want to do is go into the SharePoint back end of the Teams files and modify the default permissions. If you do, you’ll cause a whole lot of problems. We are expecting private channels in Teams very soon but here’s an easy way to overcome the default common sharing options in Teams by creating a separate area with unique permissions and linking that back into the Team.

image

Firstly navigate to your Team.

image

Select the Files tab to the right of Conversations to see all the files for that channel as shown above. These are common files that all Team members have the same rights to.

Select the Open in SharePoint option as shown above.

image

This will take you to the location of those channel files in SharePoint as shown above. This location is typically a subfolder with the name of the channel (here General), in a Document Library called Documents

You will need appropriate permissions to complete the process from here. So you will need to be an admin of the Team or a SharePoint Site owner.

image

In the top right of the screen select the COG then Add an app from the menu that appears as shown.

image

Typically, you’ll select to a new Document Library and give it a name.

image

In this case, a new Document Library called Final Presentations has been created as shown.

image

Once you are at this new location, select the COG again in the top right and this time select Library settings as shown.

image

Select the second option from the second column at the top of the page called Permissions for this document library.

image

Now it is just good ol’ SharePoint permissions configuration.

Typically, you firstly select Stop Inheriting Permissions.

image

In this case, Sales members will be changed from Edit to Read permissions by selecting that group and then the Edit User Permissions button. However, you can configure whatever permissions suit your needs.

image

Make sure you select OK after you have made you changes.

image

Once you have completed the require permissions, you need to return to the Team and link this new location there.

image

Inside the Team, select the channel in which you wish this new location to be linked and select the + icon on the right as shown.

image

From the dialog that appears, select Document Library as shown.

image

You can either navigate or input a direct link here. In this case the destination site, Sales, is selected.

image

You should then see the new location you created (here Final Presentations). Select this and then the Next button.

image

Give the new tab a name, which can be different from the location if you wish, and press Save.

image

You should now see the location you created and any files in there as shown above. These items have permissions governed by those set previously in SharePoint but now they are also displayed and accessible in Teams. The great thing is you can link this new location in multiple places and you can link from locations not even in the current Team. As long as users have permissions, they can see and interact with those files based on those permissions.

Hopefully, that is an easy way to create locations for file with unique permissions but still have them accessible for users via Teams.

Need to Know podcast–Episode 211

Where’s Brenton? Share your thoughts here – http://bit.ly/whereisbj

Microsoft has rolled back it’s recent planned partner changes. we have some new Intune security baseline policies to try (and troubleshoot) and Teams leads Slack in user numbers. I speak with Marc Kean to get the low down on what Azure storage is all about. All this and a lot more on this episode.

This episode was recorded using Microsoft Teams and produced with Camtasia 2019

Take a listen and let us know what you think – feedback@needtoknow.cloud

You can listen directly to this episode at:

https://ciaops.podbean.com/e/episode-211-azure-storage/

Subscribe via iTunes at:

https://itunes.apple.com/au/podcast/ciaops-need-to-know-podcasts/id406891445?mt=2

The podcast is also available on Stitcher at:

http://www.stitcher.com/podcast/ciaops/need-to-know-podcast?refid=stpr

Don’t forget to give the show a rating as well as send us any feedback or suggestions you may have for the show.

Resources

@marckean

@directorcia

Updates to partner program (again)

Microsoft Intune announces security baselines

Exchange Online PowerShell WinRM issue

What is Azure Lighthouse?

Without-enrollment and Outlook for iOS and Android

Teams reaches 13 million active users

Planner and To-Do integration

New PowerApps and Flow licensing

Azure storage

Azure File Sync

Exchange Online PowerShell WinRM issue

image

I went into my PowerShell ISE today, as I always do, and tried to connect to Exchange Online. However, as you can see from the above error message:

Connecting to remote server outlook.office365.com failed with the following error message: The WinRM client cannot process the request.

I couldn’t connect! Why was this I wondered? It was working last time. I then proceeded to waste a good amount of time trying to troubleshoot WinRM errors to no avail. Only at the point of frustration did I actually read more of what the error message actually said:

Basic authentication is currently disabled in the client configuration. Change the client configuration and try the request again.

I then tried to connect to Exchange Online via PowerShell using another machine of mine and received the same error. I then tried a VM in Azure and that worked fine. It was at this point that I started to suspect it was something to do with my Intune policies as the Azure VM was stand alone.

I had just recently implemented the Security Baselines provided by Microsoft.

image

I was working my way through some of the reports of conflicts and misconfigurations by adjust my existing best practices policies to suit. I didn’t appreciate that these Security Baselines actually implement policies that get pushed out to devices! I thought they just compared your settings to what Microsoft recommended as best practice.

image

When I went to the affected workstations and ran the command:

winrm get winrm/config/client/auth

I got the above in which you can see that the Basic auth setting is indeed set to false but that it is set by a GPO. Ok, so where is this GPO I wondered? Given that all the affected machines were Azure AD joined without a local domain controller it meant that the GPO was going to be Intune, as that is where the policies are pushed from in my case.

image

When I repeated that winrm command on a machine that worked I saw the above, Basic = true and no Source=”GPO”.

I then tried in vain to change the GPO locally using PowerShell and the GP console to alter the setting but with no luck.

Suspecting Intune and my policy fiddling, I totally disabled all configuration policies for the device but the problem continued. I then deleted the Security Baseline policies I had created and BAM, everything worked!

Ok, so the problem was the Security Baseline policies, but how? Well, it turns out that these Security Baselines actually do apply an additional policy to your devices once you enable it. Now my question was, where exactly does it do this and can I alter the Security Baseline if desired?

image

Turns out, that the location for what affected me is in the Remote Management section of the MDM Security Baseline policy as shown above.

image

Unfortunately, I had breezed over these options when I first set up the policy using the wizard. You can expand each of the options there and make adjustments if you need! D’Oh!

The lessons here are, firstly that if your implement the MDM Security Baseline or the Microsoft Defender ATP baseline, these will create policies and apply these to your environment. Secondly, you can customise these baselines if you wish, both during the creation process and afterward if you wish. Thirdly, you need to be careful with these policies as they set a lot of settings that you may not seem to immediately come from Intune.

I’ll spend some more time looking at these in detail and reporting back. My own personal best practice policies are pretty close to the Microsoft ones, but it is great that I can do a comparison between them and improve my own.

A frustrating self inflicted issue to resolve but I have learned much in nutting it out and I hope if you have the same issues that this information saves you the time I had to invest to resolve it!

CIAOPS Techwerks 8–Adelaide October 24

bw-car-vehicle

I am happy to announce that Techwerks 8 will be held in Adelaide on Thursday the 24th of October. The course is limited to 15 people and you can sign up and reserve your place now! You reserve a place by completing this form:

http://bit.ly/ciaopsroi

or  sending me an email (director@ciaops.com) expressing your interest.

The content of these all day face to face workshops is driven by the attendees. That means we cover exactly what people want to see and focus on doing hands on, real world scenarios. Attendees can vote on topics they’d like to see covered prior to the day and we continue to target exactly what the small group of attendees wants to see. Thus, this is an excellent way to get really deep into the technology and have all the questions you’ve been dying to know answered. Typically, the event produces a number of best practice take aways for each attendee. A special part of this event will be sessions by MVP Amy Babinchak as well as some other surprise guests.

Recent testimonial – “I just wanted to say a big thank you to Robert for the Brisbane Techworks day. It is such a good format with each attendee asking what matters them and the whole interactive nature of the day. So much better than death by PowerPoint.” – Mike H.

The cost to attend is:




























Patron Level Price Inc GST
Gold Enterprise Free
Gold $ 33
Silver $ 99
Bronze $ 176
Non Patron $ 399


The CIAOPS Techwerks events are run regularly in major Australian capital cities, so if you can’t make this one or you aren’t in Adelaide on that date, stay tuned for more details and announcements soon. If you are interested in signing up please contact me via emails (director@ciaops.com) or complete the form:

http://bit.ly/ciaopsroi

and I can let you know all the details as well as answer any questions you may have about the event.

I hope to see you there.

CIAOPS Need to Know Microsoft 365 Webinar–July

laptop-eyes-technology-computer

It’s been a long time between drinks but the free CIAOPS Need to Know webinars are back. I’ve done a technology refresh, which means I’ll be attempting to use Microsoft Teams Live Events now. Given this is the first public attempt at this I welcome you to come along and watch all the stuff ups and gaffs that are no doubt going to plague me as I try and get the technology to work. It’ll be fun. Come join me and make this rebirth memorable.

You’ll also notice that I’ve re-branded the webinars to Microsoft 365, which means I’ll be looking deeper into this “new” service from Microsoft.

You can register for the regular monthly webinar here:

July Webinar Registrations

The details are:

CIAOPS Need to Know Webinar – July 2019
Thursday 26th of July  2019
11am – 12am Sydney Time

All sessions are recorded and posted to the CIAOPS Academy.

There of course will also be open Q and A so make sure you bring your questions for me and I’ll do my best to answer them.

The CIAOPS Need to Know Webinars are free to attend but if you want to receive the recording of the session you need to sign up as a CIAOPS patron which you can do here:

http://www.ciaopspatron.com

or purchase them individually at:

http://www.ciaopsacademy.com/

Also feel free at any stage to email me directly via director@ciaops.com with your webinar topic suggestions.

I’d also appreciate you sharing information about this webinar with anyone you feel may benefit from the session and I look forward to seeing you there.

Need to Know podcast–Episode 210

Brenton speaks with global Azure black belt Sarah Young about the new Azure Sentinel service. Of course we also update you on all the happenings in the Microsoft Cloud and there has been plenty of late, so listen along to get all the latest and learn about Azure Sentinel.

This episode was recorded using Microsoft Teams and produced with Camtasia 2019

Take a listen and let us know what you think – feedback@needtoknow.cloud

You can listen directly to this episode at:

https://ciaops.podbean.com/e/episode-210-sarah-young/

Subscribe via iTunes at:

https://itunes.apple.com/au/podcast/ciaops-need-to-know-podcasts/id406891445?mt=2

The podcast is also available on Stitcher at:

http://www.stitcher.com/podcast/ciaops/need-to-know-podcast?refid=stpr

Don’t forget to give the show a rating as well as send us any feedback or suggestions you may have for the show.

Resources

Sarah Young

@contactbrenton

@directorcia

Faster, with a modern design, and new features – the new Outlook on the web is here

Tracking failed logins with Cloud App Security

New Azure discount for CSP partners to come live in October

OneDrive Roundup – June 2019

Announcing question and answer in Yammer

First Microsoft Cloud regions in the Middle East now available

Step 10. Detect and investigate security incidents: top 10 actions to secure your environment

All 10 steps

Upload Bitlocker keys to Azure AD

Bitlocker is the Microsoft technology that allows you to full encrypt your Windows PC hard disk. This is a good thing as it provides additional security and protection for that device, especially if that device ever gets lost or stolen. Typically, Bitlocker will use the Trusted Platform Module (TPM) chip on your PC to provide the encryption key for BitLocker. This means that the user doesn’t have to type in a password to unlock their drive for use. Now having an automatically managed key raises a question, what happens if you actually need that key? If everything is automated and I never see the key how can I get access to it if needed? If, say, the original PC died and I wanted to recover the original encrypted drive how would I recover? To do that, you’d need the encryption key.

You can manually backup you BitLocker Recovery key to a file or USB drive however, if your device is Azure AD joined then that Recovery Key should be saved directly into Azure AD. Here’s how you check this.

SNAGHTML1d8570c5

If you are using something Microsoft 365 Business and Intune navigate to Intune inside the Azure portal. Select Devices.

image

Select All Devices.

image

Select the PC in question from the list.

image

Now select the Recovery keys option.

image

On the right you should see the Recovery keys listed. You’ll note here that I don’t see the expected BitLocker Key.

image

If you don’t see the Recovery Key for your device go to that device and open BitLocker management on your PC. Select the option to Back up your recovery key as shown.

image

Then select the option to Save to your cloud account as shown. This should then upload the Recovery Key to Azure AD, provided you have an Azure AD joined machine first of course.

image

If you return to the device in Intune and refresh the display, you should now see the Recovery key for you device as shown above.

image

If you do not have access to the Intune portal, perhaps because you are not an administrator, simply navigate to:

https://account.activedirectory.windowsazure.com

and login with your Microsoft 365/Office 365 credentials and view your profile. You should then see any registered device plus the option to get the BitLocker keys as shown. Remember BitLocker is for Windows devices, not iOS or Android.

Even though Azure AD joined machines should save BitLocker keys automatically, I’d suggest you go and have a look and make sure that they are indeed actually there! Best be sure I say.