Creating a file location with unique permissions in Microsoft Teams

I wrote and article about:

Creating unique file permissions with Microsoft Teams

but I thought I’d also do a video:

https://www.youtube.com/watch?v=13BifpwKTt4

as I do get this question a lot about having a different set of file permissions for users inside a Microsoft Team. Best practice is NOT to alter any of the existing permissions that are provisioned by channel creation. Instead, create a separate area, with the permissions you want, and then link that back into your team.

That provides a lot more flexibility and doesn’t ‘break’ any of the standard settings.

Getting Message Center information into Teams

Recently, I wrote the following article:

Syncing M365 Message Center to Microsoft Planner

which took you through the process of getting Message Center information into Microsoft Planner. as good as that it is, the best place for that information should really be in Teams. The reason? With Teams people can ‘chat’ about the topics which adds far more value for an organisation in my opinion.

The good news is that it is very easy to not only sync messages with Microsoft Planner but also have them displayed in Microsoft Teams. It is all accomplished using Power Automate.

image

Create a new Flow and use the When a new task is created trigger as shown above. You’ll then need to configure this trigger action to point to the same Microsoft Plan into which you have already set up to sync with the Microsoft Message Center.

image

The next action should Get task details as shown above. You’ll need this to actually read the notes from each task, which contains the details of each item from the Message Center.

image

In my case, I save the Description field from the task into a string variable using the Initialize variable action as shown. I then use a number of separate Compose actions to search and replace text inside that variable to tidy up and format the Description field for posting into a Teams chat.

For example I remove the /r/n characters and replace them with the HTML line feed tag </br> using the following expression:

replace(variables(‘description’),decodeUriComponent(‘%0D%0A’),'</br>’)

image

Once I have the Description field formatted the way I want it then I use the Post a message (V3) action as seen above. The Title of the new task from Planner is the subject of the thread and the body is my now nicely formatted Description field, which is the data from the Message Center item.

SNAGHTML210e1093

You can see the result in a channel in Microsoft Teams above. Now others can easily add their reactions, comments and generally collaborate far easier than within Microsoft Planner.

I think having the Message center information delivered to Microsoft Teams make a lot of sense since it is a place more people will be spending more of their time generally. However, getting the Message Center information into Microsoft Teams still requires the sync configuration to a Plan first. However, once that is done, Power Automate allows you to achieve just about anything!

10 years an MVP

MVP_Logo_Horizontal_Preferred_Cyan300_RGB_300ppi

image

I am happy to report that I have been renewed as an MVP for 2021-22. That now makes me a 10 year veteran of the program. I am very proud of that achievement in an ever changing technology environment.

As always, thanks to Microsoft for the recognition, for the last, and every other year. I am proud and honoured to be part of the MVP community and the amazing people there. The MVP community, as always, is an inspiring place to be and a group of individuals who love sharing, learning and helping others. Their influence and interactions continue to help me improve both professionally and personally.

I need to also thank everyone who takes the time to do things like read and comment on my blog, watch my YouTube channel, use my Github repo, attend events where I speak and more. Thanks everyone, I really do appreciate it. It is always good to understand the impact you are having out there.

Going forward, it seems we are in for more uncertain times, and we all know technology will continue to rapidly evolve. The best mindset to use is to look at both of these as a challenge not a burden. I appreciate that maybe difficult but you’d be amazed at what an open minded approach can achieve. Change what you can and be at peace with what you can’t, is a good recipe to strive for.

Once again, thanks to Microsoft for this award. I will continue to work hard to live up to the expectations of program going forward and thanks to everyone else out there who has been part of this journey with me.

Need to Know podcast–Episode 268

In this episode I speak with Ian Mikutel from Microsoft who is Head of Product for Microsoft Whiteboard for Teams & Surface. Ian shares some exciting news about the recently released updates for Microsoft Whiteboard as well as what is coming down the pipeline. I love Microsoft Whiteboard and use it regularly and I’d encourage you to also look at the enhancements it now provides, especially inside Microsoft Teams. of course, there are plenty of updates from the Microsoft Cloud that I’ll share with you. so listen along and let me know what you think.

This episode was recorded using Microsoft Teams and produced with Camtasia 2020.

Brought to you by www.ciaopspatron.com

Take a listen and let us know what you think – feedback@needtoknow.cloud

You can listen directly to this episode at:

https://ciaops.podbean.com/e/episode-268-ian-mikutel/

Subscribe via iTunes at:

https://itunes.apple.com/au/podcast/ciaops-need-to-know-podcasts/id406891445?mt=2

The podcast is also available on Stitcher at:

http://www.stitcher.com/podcast/ciaops/need-to-know-podcast?refid=stpr

Don’t forget to give the show a rating as well as send us any feedback or suggestions you may have for the show.

Resources

Ian Mikutel – Twitter, Linkedin

Microsoft Whiteboard

Meet the new Microsoft Whiteboard designed for Hybrid Work

Microsoft Whiteboard roadmap

CIAOPS Secwerks event

Explore Microsoft 365 extensibility opportunities with the Microsoft 365 Extensibility look book

Bringing Visio to Microsoft 365: Diagramming for everyone

A new, more powerful, and customizable Microsoft Bookings is here

Windows 11 leak reveals new UI, Start menu, and more

Announcing new Microsoft Defender for Endpoint capabilities on Android and iOS

Monitoring Microsoft Security Posture in Azure Sentinel

Behind the scenes of business email compromise: Using cross-domain threat data to disrupt a large BEC campaign

Microsoft acquires ReFirm Labs to enhance IoT security

Say it with Microsoft Dictate

Announcing a more intuitive sharing experience across Microsoft 365 for better collaboration

Using Defender for Endpoint API and Power Automate

I recently detailed:

Using Defender for Endpoint API and PowerShell

to produce this type of output

image

which is all well and good but does lack some flexibility when it comes to output as well as being something you need to manually initiate. There is way to deliver more using Power Automate.

To do this you’ll still need to complete the initial steps from the previous article and create an Azure AD app in the destination tenant and save the access information. This basically allows access to the destination tenant to extract data. However, now, rather than embedding that sensitive information inside a public script and having the credentials ‘in the open’, they can be securely stored in Azure Key Vault. This will provide a secure repository for the Azure AD app credentials while still allowing them to be readily accessible by service like Power Automate. To use Azure Key Vault you will need a paid Azure subscription.

image

In a nutshell, we want to create a basic Flow in Power Automate like that shown above. In this case it is initiated manually but it could just as easily be triggered on a schedule using the Recurrence action in Flow. Next, the required parameters are grabbed from the Azure Key Vault.

image

When you are building this Flow, if you see a dialog like shown above, it means you don’t have a Power Automate license that includes the ability to use Premium connectors like Azure Key Vault and HTTP. Licensing the Power Platform is beyond the scope of this article but, if you see that dialog you’ll probably need to purchase a stand alone license of Power Automate to gain access to the required premium connectors.

image

You construct the HTTP action as shown above, using the parameters from the Azure Key Vault to access the Azure AD app via the API URL:

https://api.securitycenter.microsoft.com/api/machines/SoftwareVulnerabilitiesByMachine

that will return a list of vulnerabilities exactly like the PowerShell script did in JSON format.

image

After parsing the JSON output from the HTTP action that executes the API request, the results are mapped to a simple SharePoint list as shown.

image

Thanks to the magic of SharePoint, you get results that look like the above, which is vulnerabilities by machine, or

image

vulnerabilities by severity above, thanks to the ability to easily sort lists in SharePoint.

You’ll also notice that conditional column formatting has been applied to to highlight the severity. Yet another benefit SharePoint lists provide.

So the basis of all of this is an Azure AD app with the appropriate permissions inside a tenant that you wish to obtain information from. From there you can use an API request using PowerShell or Power Automate or whatever, to pull the desired information. The easily way to format that information is to send the results to SharePoint, as done here, to slice and dice as well as display the information any way you want.

This output could as easily have been sent to Power BI, Power Apps, an email, or any other service in Microsoft 365. That’s the benefit of using the Power Platform and things like Flow to get the information. Now the possibilities are endless.

A few important point to note about this:

1. You are in control of the permissions and credentials for obtaining the information using the API. You are not surrendering or trusting these to a third party to access the source data.

2. Credentials are save in Azure Key vault which ensure they are secure and access is controlled by you.

3. You can use this technique with just about any API to import information. All you need is the API URL and the appropriate permissions inside the Azure AD app.

4. You can extract information from multiple tenants into a single source tenant if you wish, you are not limited to just pulling information from the tenant where the Flow was created.

5. The extracted data can be mapped to any Microsoft 365 service. Here it was to SharePoint as that is the easiest, but it could just as well be sent to any Microsoft 365 service. This provides a huge amount of flexibility.

6. You can modify, enhance, extend, etc the Flow at any stage to suit any changing needs.

7. The Flow and the process it executes lives inside you Microsoft 365 tenant and is subject to all the compliance and security options that Microsoft provides here.

8. You can trigger the data extraction to happen on a scheduled basis of your choice with Flow easily.

I see lots and lots of benefits of using this process to regularly pull information from any tenant on just about anything and report it in what ever way you wish. It puts you in control of the whole process, and most importantly, the security of executing this, which in a world moving to zero trust, is a huge benefit.

Hopefully, this will inside you to start playing around with the possibilities when it comes to API and Power Automate.

Cybercrime reporting poll

pexels-donald-tong-143580

I’ve created an anonymous public poll asking the question:

Are you reporting cybercrime incidents, like ransomware, to government or police authorities?

which is here:

https://forms.office.com/r/mENdwmaXRj

as the results rolling you can see the summary here:

http://bit.ly/ciapoll01

I’m interested to see what people are doing when it comes to reporting incidents to authorities?

Exchange user best practices script

image

I’ve created a new Exchange user best practices summary script which you can find at:

https://github.com/directorcia/Office365/blob/master/o365-mx-usr-all.ps1

The idea with this script is to give you a quick visual summary of your user mailboxes to ensure they conform to best practices.

When you run the script without any command line options you will see the above output. Each row is a user with their name at the end of the line. The entries on the right provide you an indication of settings status. A green dot is for good and a red X is for bad. You will see this creates a matrix of settings for each mailbox. These settings are designated by a letter (currently a through p). These letters correspond to the following settings:

a = Mailbox type: S = Shared, R = Resource, U = User
b = Enabled
c = Inactive
d = Remote PowerShell Enabled
e = Retain Deleted Items for at least 30 days
f = Deliver to Mailbox and Forward
g = Litigation Hold Enabled
h = Archive Mailbox Status
i = Auto-expanding Archive Enabled
j = Hidden From Address Lists Enabled
k = POP Enabled
l = IMAP Enabled
m = EWS Enabled
n = EWS Allow Outlook
o = EWS Allow Mac Outlook
p = Mailbox Audit Enabled

image

If you use the –verbose command line option, you’ll get additional information about the script operation as you see above.

If you use the –debug command line option, a log file of the script process will be created in the parent directory.

If you use the –prompt command line option, the script will wait after each user for you to press ENTER.

If you use the –select command line option, the script will prompt you to select the users you wish to display.

If you also specify any letter from, currently, a through p on the command line, those settings will not be checked by the script. Thus, specifying dhl on the command line will not check or display Remote PowerShell Enabled (setting = d), Archive Mailbox Status (setting = h) or IMAP enabled (setting = l).

Thus:

.\o365-mx-usr-all.ps1 dhl

will display:

image

(note: no d, h or l in the output)

and

.\o365-mx-usr-all.ps1 dhl –select

will display:

image

no d, h or l settings as well as prompting for selection of users to check and display.

The script requires that you are connected to Exchange Online first via PowerShell prior and this can be done using my script:

https://github.com/directorcia/Office365/blob/master/o365-connect-exo.ps1

In summary then, this script when run without any command line options is designed to give you a quick reference to your user mailboxes and whether they have best practice settings enabled. You can also run the script with number of different command line options to create a log, individually select users and settings to test as well as pause after each user if desired.

I’ll continue to update and improve this script over time so make sure you follow my Office 365 GitHub repository, which you can find here:.

https://github.com/directorcia/Office365/

Prevent alerts from DiscoverySearchMailbox

image

When you set up bulk alerting for mailboxes you may end up enabling alerts for system mailboxes like DiscoverySearchMailbox as shown above. This will mean receiving regular alerts about changes to that mailbox by the system. This basically means Exchange Online is performing some expected administrative process on a mailbox, which triggers a configured alert.

To reduce the noise caused by these alerts you can do the following to disable it:

image

Firstly connect to Exchange Online using PowerShell. My script for that is here:

https://github.com/directorcia/Office365/blob/master/o365-connect-exo.ps1

next run the command to find any DiscoverySearchMailbox

get-mailbox -ResultSize unlimited | Where-Object {$_.name -MATCH “Discovery”} | Select-Object alias, displayname, auditenabled

which should give you a result like shown above.

$dsm = get-mailbox -ResultSize unlimited | Where-Object {$_.name -MATCH “Discovery”}

Run the above command to save the mailbox details to a variable. Then run:

set-mailbox -identity $dsm.alias -AuditEnabled $false

to disable auditing for that mailbox.

image

if you now re-run

get-mailbox -ResultSize unlimited | Where-Object {$_.name -MATCH “Discovery”} | Select-Object alias, displayname, auditenabled

you should find that the auditing is now disabled for that mailbox as shown above.