SharePoint Online – Enable External collaboration through B2B extranet Sites

Collaboration, Office 365 July 12, 2019 Leave a comment

On every business operations its crucial to sanction external partners,vendors to collaborate on their quotidian operations. Withal there are cases wherein only business to business collaboration like sharing between two organization is required and remains a vital factor to their business.

To felicitate a classical external collaboration site it was always bit challenging for administrators from SharePoint on premise workloads. Extensive orchestrating is required in terms of provisioning hardware or VM resource, security hardening and getting the access on the firewalls etc..,

With Office 365 B2B there are much more easier ways to roll out this feature to business with no additional server provisioning, no certificate requirement and simple administration. This magnificently reduces the traditional deployment costs. By default we get secure sharing, seamless collaboration and we have much detailed governance and audit reporting.

This article contours the steps involved in planning for an external business sharing in SharePoint online.

Configure External Authentication for Guest Users:

As an initial prerequisite we need to plan for the authentication and management through Azure AD for all the guest users.

At this moment we have the authentication via one-time pass code which will be sent to their email address for the non Microsoft accounts.Enabling one-time passcode feature can be used when external sharing of files,folders,document libraries and sites is done. Currently the one-time passcode is under preview and subsequently will replace the AD-Hoc sharing from onedrive and sharepoint in office 365.

Below are the major key points of enabling the azure B2B:

  1. MFA can be enabled for the B2B Invited Guest Users.
  2. If we have configured Google federation in our Azure AD tenant then the federated users can consume the permissible SharePoint and one drive resources shared with them.
  3. Much granular level of sharing options are present and subject to organization settings.

Follow the below steps to enable the pass code authentication:

login to azure portal – navigate to azure active directory – choose organizational relationship settings – Enable the option Enable Email one-Time Pass code for guests.

There are few other options on controlling the guest users permissions and can be added based on the requirement.

Now we have the one time pass code enabled we would need to enable the integration for SharePoint and one-drive with azure AD to enable this service on these workloads with the below two commands.

Set-SPOTenant -EnableAzureADB2BIntegration $true

Set-SPOTenant -SyncAadB2BManagementPolicy $true

Ensure that the below configuration is set

Having the authentication part configured now we would need to create an extranet site in few clicks.

1) Create an external business-sharing site in SharePoint Online (This site can be used for sharing between the Tenants)

On the Active sites page of the new SharePoint admin center, select Create – – select Other options —

Select More templates

Choose Team site (classic experience).

Here we need to provide a title and name for the site that we are creating.

There are few other options like timezone, admin, storage quota and server resource quota which can be configured based on our requirement.

Now the sharing capability needs to be enabled and there are 2 places where it can be controlled organizational level and site level.

The first step is to enable them at the organizational level

Login to office 365 portal – search for external

Choose the option new and existing guests

There are few other options which can be controlled from the SharePoint admin center

We can further restrict the site collaboration only to few selected domains.

The guest permissions must also be selected based on our business requirement .

Choose the first option which is applicable for the invited guest users. There are other options to limit the sharing option to least permissible users via targeting them to a security group.

Finally navigate to the sites and here we have option to further control the site permissions.

Here we have the option to share new and existing guests.

Now we have configured the org level settings we can test this behavior from site admin side

Navigate to the site with site admin privilege and create a folder with sharing partner.

While sharing a document to the external partner we will be notified with the message info as we see below.

The guest user will receive the invitation email with a link to access the folder.

They need to Enter their Microsoft credentials (the credentials for the account that the invitation was sent to). And User will be challenged for Verification code which will be sent to their email account.

This cool feature helps the admin to accomplish the business requirement with ease of operation , no additional resource cost and providing them with much controlled and tracking them through auditing and reporting of external users.

Microsoft Teams – Manage External and Guest Access communication for users

Microsoft Teams June 25, 2019 Leave a comment

Microsoft Teams becoming an unrivaled communication platform its been adopted by most of the corporate organizations right from small, medium and large scale businesses.

Teams adoption rate have been thriving a lot and there are organizations managing their daily operations and projects completely via better organized Teams and channels.

In this article we will have an overview and the options available to expose Microsoft Teams for communication to the external network and other office 365 organizations.

As an initial prerequisite we must ensure that all the Office 365 URL and IP Ranges are allowed.

Login to Microsoft Teams Admin center portal here we have 2 options.

  1. External Access
  2. Guest Access

For external access the screenshot is pretty much explanatory. The best way is to add only the allowed domains which would block the other external organizations.

We do have an option to toggle the second feature where the Skype for Business online users have the ability to communicate with the Skype Users. But then if all the users are switched to Teams only mode then enabling the latter functionality will not be working.

External access lets our Teams users communicate with allowed domains.
Only the allowed domains in the list can communicate with each other.
They cannot be a member of a Teams or any Channels, however they can initiate peer to peer chats, audio , video calls and can join the meeting initiated from Outlook.

As of now below are the features that will be working between external access domains.

With Guest Access anyone with a business or consumer email account, such as Outlook, Gmail, or others, can participate as a guest in Teams. We can grant them access to our existing teams and channels.

Guest access can be further manipulated based on our business requirements with the below options.

Meeting and messaging choices can be further controlled in guest access.

Once the guest access is enabled the end users can go ahead and add external ids like gmail in their channels like below.

The external guest account will receive a descriptive invite which will provide information about Microsoft Teams.

Note: For all the invited external users a corresponding azure AD account will be created in our Tenant with the user type of Guest.

Few users reported challenge in communicating with allowed federated domains.

While most of the users were able to communicate across federated domains and there were few users experiencing the below error.

On further analysis found that there are two federation policies.

And the affected users were assigned to disabled federation access policies.

After moving them to federation only policy the issue got resolved.

Grant-CsExternalAccessPolicy -Identity “S Hameed” -PolicyName FederationOnly

Thanks & Regards

Sathish Veerapandian

Create Customized App Package for Azure Bot and publish them in Microsoft Teams

Azure Bots, Microsoft Teams June 1, 2019 Leave a comment

In the previous article , we had an overview and example of how to start creating Microsoft Azure Bots and integrate with Teams. Furthermore once the bots are integrated with teams ,we would need to create application package for our Azure Bot, so that we can provide better end user experience.

To interpret further once the azure bot is available to the end users via teams it will not be showing to them as an application (example shown below). Providing them as vanilla format will not be more intriguing to the consumers.

In Microsoft Teams there is an option to create a customized app package for our azure bots. Once we create and publish them, it will be available for end users in the app section. From Microsoft Teams users can search and install them on their Teams Client.

With app studio package admins can create their own customized apps for Microsoft Teams and publish them to individual users, teams and globally to the whole organization. Search and install app studio package from app section in Microsoft Teams.

Once after it is installed , open App Studio and use the Manifest Editor to create the App Package.

Here there are two options:

Create a new app – Used to create our own customized app.

Import an existing app – We can import our own customized existing app.

In this section create a new app is selected since the scope is to create an app for an existing azure bot service.

In the app section provide the information as requested.

App ID is crucial here and it must be the value of the Azure Bots from the setting page of the Azure Bots that we are creating the APP Package. Rest all information is descriptive and can be added easily.

There is an option for customized branding to insert the iconic image of our app which will be shown to the end users while interacting and also the terms of use can be added over here.

Capabilities tab is a vital section as this determines the functionality of the bot. Select only the bot section , add the required information and leave the others with default configuration .In above example existing bot must be selected because the app package is been created for an active bot. Provide them a name and use the option select from one of my existing bots.

The other options have to be chosen very carefully based on your bot functionality. For instance choosing My Bot is a one-way functional only for a bidirectional bot will not provide the message input window to the end users during the interaction.

It is important to note that for a 1:1 bot it needs to be selected only in personal scope. Choosing the other options for a 1:1 bot will create a malfunctioning of the app to the end users.

On a security perspective there are few options to restrict, provide SSO and Device permissions.

Provide the below information for the SSO.

And we have the option to control the device permission which is really great.

Having done all these settings above there is an option to test and distribute the created app package.

The easiest way is to install in our own client before distributing them by choosing the first option install your app in teams for testing.

After installation the app is ready to be launched.

Now on a user experience it provides us a prime look to our Azure Bot and looks appealing.

Its better to change the bot profile icon as well to show the same icon in the chat conversation.

Having tested this app from individual level client , now it is time to publish them to all users. Download them as json file and upload it from a teams client with global admin privilege.

The application must be downloaded from the teams client that was used to create this manifest file. Once after its been downloaded we can see it would have been downloaded them as json file along with the associated PNG files.

This zip file needs to be uploaded from the teams client using the option upload a custom app.

Once logged in with Global Admin Credentials – Navigate to store and use the option – upload a custom app.


There is  2 options to upload for me or my teams and upload for the whole tenant which will make the app be available for all users.

Once after its uploaded , successfully this new app for the azure bot will be available for end users and they can search in the store and install them.

Finally the App can be updated to next version with ease of operations or deleted with the below settings from the Teams client with Global Admin Credentials.

There are much more ways to control this app visibility and user experience on teams client like side loading the apps for easier communication , restricting them only via 3rd party apps etc. We will discuss about these configurations in the next upcoming blog.

Thanks & Regards

Sathish Veerapandian

Create Microsoft Azure Bot and Integrate with Microsoft Teams

Azure Bots, Microsoft Teams May 22, 2019 Leave a comment

As we are heading towards the modern workplace model, we are thriving a lot on reducing the first level of tasks. One of the preferred feasible solution is to create a self-query knowledge base through which the end users can attempt to address their issues on their own before contacting the IT Team. Eventually API integrations with bots can reduce the first level of recurring tasks. Through Microsoft Bot Framework quite a lot of organizations are filling these requirements and increasing the operational excellence values.

In this article we will focus on how to create a bot in Azure and integrate them with Microsoft Teams.

In summary Bot usually comprises of three concepts dialog, channels and state. In my point of view dialog play a fundamental role in the Bot Framework. The dialogues will be organized in a natural sequence based on the input from the user it can respond, skip to next answer or even go in a sequential loop. In the back-end the programs will be configured to respond to the dialogues in a consecutive manner. Currently the underlying solution can be via C# , Node.Js or Rest API

Channels are the medium through which a user can communicate with the bots. There are more than 15 channels at this moment that can be integrated with Azure Bots. There is also an option to run our bot via our own client application using the direct line as our channel.

The Bot state service basically stores and retrieves state data that can be associated with User, conversation or a specific user. The former 2 are fully dependent on this data and state remains a database for them.

Bot Builder remains as a SDK framework which can be on C#, Node.Js or in RestAPI. Bot Service is used to build the bots, develop, test them and finally deploy on Azure.

In order to create a Bot login to Azure Portal and look for Bot service – and create Web app Bot.We require a web app bot because Bot is basically a web service that is exposed to a RestAPI.

Choose Web App Bot and create them

Now we can create a web app bot – provide them a name

Choose the language . In this example node.js is been chosen.

Provide all the basic required information. Here it is strongly recommended to turn on the application insights and this will provide the statistical consumption of the Bot service utilization. This utilization report is definitely required at a later stage to measure the utility of this service. We can select the option auto-create app ID an password. After this we are done with creating the Azure Bot.

We see here something called LUIS App Location. Microsoft uses LUIS(Language Understanding Intelligent Service).It is an AI service used to build natural language into apps, bots and IOT devices. This makes all the end user queries to learn easily and subsequently improve without manual intervention.

Once the validation is successful we can go ahead and create the bot.

The bot have been created and we need to plan, build, test and publish them. There are lot of many ways to create and publish them.

Here i have followed this Microsoft article and is straight forward to create and make your bot up and running with JavaScript.

Once the above is completed we need to deploy the bot in azure. We can follow the steps in this Microsoft Article. Also there are lots of articles available in the internet to make up running first bot in the internet. Here is one example.

Below is an example of hello world bot. This bot will respond hello world for all user input. The below node.js and package.json can also be used for creating the first bot. We need to have all the prerequisites for this on the local PC Visual Studio, Node Js Modules and bot builder modules installed. The Microsoft article linked previously have all the prerequisites and readiness.

Create nodejs and this is the nodejs for helloworld bot.

Install them from nodejs command prompt

Create index.js and below is the indexjs for helloworld bot.

Once after everything is done we can start

Later we can use the same steps mentioned in the Microsoft article to publish them on Azure Bots.

Having followed the above article with the prerequisites , we can test our bot in web chat.

Having tested this once we navigate to channels tab now we have option to integrate our bot with more than 15 channels. Only the web chat will be enabled by default.

Here we will focus on integrating our bot with Teams.

After we click on Microsoft Teams, we will be getting the below option. In our case it will be only messaging channel since the bot which is used here for testing is 1:1 messaging bot.

We need to agree for the terms of service

We could see the Teams added into our channel.

It is time to test our bot in Teams. In-order to test them in teams we need to take the app id from the settings page of the bot.

Once we search with the app ID in teams we would be able to see this bot as a contact in Microsoft Teams and we can also interact with them.

Finally the Bot is up running and integrated with teams the next step is we need to create an app package for this bot and publish in teams. We will look in the next article on how to create a custom app package and publish them on Microsoft Teams.

Thanks

Sathish Veerapandian

Plan and configure Azure Information Protection

Azure, Azure Information Protection April 21, 2019 Leave a comment

Corporate data leakage and losing critical confidential information is been often considered as to be an employee negligence. These days the corporate services are available to all end users from anywhere which makes the employee more productive and work from anywhere. On the flip side if there are no security enforced, for instance a sales officer might leave a confidential customers list on a shared computer in a public place. Its very important for the employers to classify, label and protect their electronic data based on their business models.

Using Microsoft azure information protection will augment and sheild all the office 365 and azure workloads. We have option to enforce the classification or to provide users the option to classify on their own. This article emphases on enabling the Azure Information Protection on Office 365 workloads.

Classify the data based on the Business:

Applying the protection on documents is purely based upon the business model. It varies based on every business deliverable and needs to be identified and defined in the first place.  This is the first approach to start with Classifying the documents. Better to involve every team in this initial phase and gather the sensitive data that’s been transmitted via electronic way. Security team plays a key important role at this point, since they would already have the data classification based on the present business operations.

Identify the target Users:

Based on the cataloguing of the document now we need to create labels which will identify the sensitive documents on the transit. Protection can be enforced if the user has Office 365 E5 license or we can recommend classifying the document if the user has office 365 E3 license.

We can categorize the users based on their daily chores and its very important because a license plays a key role in this decision. For instance, there is no much concern on enforcing Azure Information Protection policies on receptionist account, rather it can be recommended to classify the document based on the key words. In a real scenario for critical document operators like finance, procurement, HR and key persons can go with E5 license and rest can be with E3 licenses.

Decide your tenant key:

By default, Microsoft manages the tenant key, and this is the root keys for the entire organization. 

This key will be used to provide cryptographic security to any objects associated in this domain from users, computers and protecting the documents. If the organization does not have any issues with Microsoft holding the tenant key then we can go with this approach. The tenant key life is automatically recycled by Microsoft to ensure the security.

If there are any regulatory requirements, then there is an additional option called BYOK (bring your own key). Here we use the Azure Key Vault and have 2 options. Either create the Key directly from the Azure Key Vault or create the Key in On Premise, export and then import this key into the key vault.

Deploy the Azure Information Protection Client for Targeted Users:

According to utilize this Azure information protection, service the end users must have this client installed on their PC’s including the Outlook add-in and must be logged in with their Microsoft Azure AD synced account. So ensure that this client is installed on the targeted users PC through group policy. This Azure information protection client is free and doesn’t include any license cost.

Enable Protection activation:

Ensure protection activation is enabled.

Navigate to Azure Information Protection – Protection Activation – Ensure its activated



Create the labels:

Once after gathering the important document types from different business units its better to create the labels based on the keywords.  In below examples we ‘ve created three document category A,B & C.

To create Label – Login to Azure Portal – Click on Azure Information Protection – Navigate to Labels and create label

Now we have the permission

Not Configured – Go with this option only if we need to preserve document with the previously created labels.

Protect – We are enforcing the AIP and going with this newly created label.

Remove protection – Select this option to remove protection if a document or email is protected

We have other options to enforce in the document like document visual marking , footer text and footer font name.

When we select on protect now we need to select our key and have 2 options

Azure Cloud Key – Managed by Microsoft.

HYOK –Key generated from the on-premise certificate authority.

The permissions need to be selected based on our requirement.

Co-owner – Full Access.

Co-Author- Editorial Access.

Reviewer- Editor without change rights.

Viewer – Only view access.

Custom – We can create permissions on our own.

Set the file content expiration which will expire the file after this specific period. So, the file travels with the permission enforced from Azure.

User Defined Permissions:

This option lets users specify who should be granted what authorizations. This can be given to end users to enforce them on outlook , word, excel, PowerPoint and file explorer.

Now we have an option target the users based on group and apply this label. However the best viable option is to create classification polices and add the labels to them.

Create Classification policies:

There are default classification policies and templates which can be used for protecting documents. But it’s always recommended to study the business requirements and create the classification policies based on the business requirements.

We need to navigate to the Azure information protection policy and target users and add this label.

In below example we have created a policy for one region, targeted users .

The created labels can be added here.

Additionally, there is an option to select the default label assigned to these users. There are other significant options which needs to be chosen based on the corporate necessities.

Client behavior:

After the policy is targeted users will see the document category available from the Azure information protection policy applied for the user.

Once the client is installed both on sender and recipient side and authenticated and a document is shared we can see the category based on the classification.

When the end user is not enforced but trying to save a credit card information in the word document a suggestion is triggered from the AIP.

When end users receive a protected document, they can see their permission level.

This is only the internal user experience. The external user experience is totally different where they will receive a welcome email with a notification that they have received a protected message. The moment when they click on the link the users can login with the one-time pass code which will come in a separate email or login with gmail credentials.

To conclude the Azure Information Protection is a remarkable offer from Microsoft which must be implemented after several iterations and careful planning. Also, this is a continuous process where the policies must be revisited and updated regularly as per the local regulatory  and business changes. Moreover, stringent polices should not be applied without proper evaluation since it can deteriorate the normal business operations. While this is just an overview of azure information protection and there are lots of features to explore and implement in any environment after vigilant planning.

Thanks & Regards

Sathish Veerapandian

Office 365- Configure one drive for business file retention policy

Office 365, One Drive for Business April 3, 2019 Leave a comment

Its always better to configure retention for office 365 work loads in order to ensure that the data is available as per the company legal requirements. Usually we pay more attention to Email data and retention policies are applied to all mailboxes, however we might miss out to configure the retention on other work loads.

In this article we will be focusing on the options available to retain the data in one drive for business personal files of an office 365 users.

Essentially we see there are 2 level retention policies available for one drive for business. We will be looking at how to configure them and grant the permission for a delegated assignee when required to access the retained data for a terminated employee.

User Level Retention:

To illustrate if a user resigns ,we remove the license and delete synchronized AD account.If we need to keep the deleted users one drive personal site to stay around for 5 years then we can configure the retention setting on the one drive admin center.

The maximum retention value is 10 years and in below example we are setting them to 2 years from the one drive admin center.

There is a small admonition on applying only this retention policy to the users because this policy is applicable only when the synchronized users are deleted and licenses removed. There could be more odds that a resigned employee can delete the required confidential data before leaving the organization from original location and 2 stages recycle bin.

File Level Retention:

To alleviate the above demeanor we can configure a new retention policy from the security and compliance center only for one drive for business files. As of now we have option to create retention policy based on newly created files and last modified date and time.

Navigate to –
security and compliance -> data governance -> retention ->create new policy -> 

Create retention policy by selecting – When it was created.

When selected we are deciding on a course of action to retain all the newly created files for 5 years. Upon this setting the new files can be preserved up to 10 years.

In the location we choose only one drive because in our case we are targeting only one drive file level retention.

Review and create the policy.

Same as above create a file level retention based on file modification date.

Once the above policy is created files based on created date and modified date will be retained for 5 years.

Where do these files gets stored ?

Based on the above configuration the files that have been modified/newly created will be preserved for 5 years.
During this interval if any attempt of file deletion that comes on above scope will be deleted however a copy of these files will be stored in the preservation hold library which only the admin of the folders and admins can access. After 5 years these files will be permanently purged.

The preservation hold library can be accessed by navigating to the below URL

https://domainname-my.sharepoint.com/personal/username_domain_com/_layouts/15/viewlsts.aspx

Once accessed above url we will get access to preservation hold library

Below options we have for recovery on choosing a required file

By merest chance if the admin tries to delete these files from the Preservation Hold Library it wouldn’t be successful and will throw the below error.

We also need to make a note that all the files which are deleted and getting retained in Preservation hold library will consume the end user one drive quota which we need to think of only for E1 licensed users who have maxed out of their quota.

Transferring ownership of a old resigned employee:

If we need to Transfer access to different user who resigned long back and his files are retained as per retention policy.
There are multiple ways of doing this, however on the below example shows only how to perform this via power-shell.

Connect to SPO

Connect-SPOService -Url https://tenantname.sharepoint.com


Restore Deleted Personal Site of the Resigned user

 Restore-SPODeletedSite -Identity https://tenantname-my.sharepoint.com/personal/username_domain_com

Restore Site to requested user by mentioning his login name

 Set-SPOUser -Site https://tenantname my.sharepoint.com/personal/username_domain_com  -LoginName username@domain.com -IsSiteCollectionAdmin $True

Thanks & Regards

Sathish Veerapandian

Microsoft forms Error – Sorry something went wrong

Azure March 20, 2019 Leave a comment

Recently while accessing Microsoft forms users were getting the error. Sorry, something went wrong.

The issue was reported by all the users even they have required licenses assigned to them.

The forms were enabled for the affected user



Solution:

We’ve to enable the collab DB service from the azure portal which is required for this Microsoft forms.

Navigate to Azure Portal – Access Azure Active Directory – Select Enterprise Applications – Search for CollabDb Service




Navigate to properties – ensure Enabled for users to sign-in is turned on.

Once after enabling the sign-in option on the azure portal this has fixed the issue.

%d bloggers like this: