Wednesday, 27 February 2019

MCAS overview MSIgnite London

Work in progress from MSIgniteTour London
Microsoft Cloud App Security (MCAS) is a cloud access security broker (CASB) that helps manage shadow IT, detect high-risk OAuth apps, and control high-risk user sessions in real time for your Office 365 environment.

Covers:
  1. Azure AD (AAD)
  2. Threat protection
  3. Information protection 
  4. SaaS e.g. box, SPO, ODfB
Shadow IT discovery:
The log collector uses the proxy or proxy logs to find the apps people are using.
It can write back to block app usage at the proxy, so you can see (and stop) people using dodgy SaaS apps. Supports script generation for most devices.

OAuth apps, e.g. against G Suite: attackers use fake apps to get access to user info. MCAS has a risk score for the apps in use, shows all usage, and lets you correct users' access.

O365 apps:
Check all apps against score:

MCAS protects for:
  • Malicious employees
  • Malware & ransomware
  • Rogue applications
  • Compromised accounts


Investigate:
Helps investigate abnormal behaviour, alerts and highlights concerns, and gives insight into user activity.
Can take action such as locking the account or requiring re-login.

File security:
Prevents sensitive info leaking into the cloud; uses the MIP framework, which uses AIP. Shows what is available on the public internet and only the SaaS services under business control. Can also enforce governance on 3rd-party SaaS such as Box.

Block download of data:
Conditional access: a user on an unmanaged device is routed through MCAS. It can calculate risk and decide how they access, e.g. an unmanaged device could force MFA. Lots of controls: boilerplate web access, block, MFA, ...

Multi-geo Phase 2 (SPO): SPO & O365 groups coming March 2019, into GA by 30 March 2019 (confirmed). DLP per satellite geo. Hub sites can span multiple geos. Search works across geos, i.e. everything the user has access to across geos is returned.


Today notes:
  • SC can't be moved between geo locations.
  • Satellite only in 14 core data regions, i.e. can't use China but could use Hong Kong or Singapore.
  • Aimed at tenants of 2500 users or bigger, with a minimum of 5% of users moved.

Tuesday, 26 February 2019

Microsoft Information Protection Update

As of Feb 2019 Microsoft is still using Microsoft Information Protection (MIP) and Azure Information Protection (AIP) interchangeably, as this video from Ignite (Oct 2018) highlights. Today I went to the Ignite tour, and AIP and MIP are being used to mean the same thing, which I'm referring to as AIP in this post.

MIP is a framework that includes AIP, the AIP scanner (file shares and SharePoint on-prem.), DLP (cloud), RMS, Azure Advanced Threat Protection, MCAS (cloud) and Windows Information Protection (integrates with and understands AIP labels). It needs a central portal to monitor from: the "Security and Compliance Centre" (SCC).

The screenshot from the Ignite London presentation shows where AIP is today, as presented by Maayan Nasman Rand. The presentation was a good overview of AIP. The big improvement to AIP over the past 3 months is the Analytics/Monitoring: this was not working and now it's very good, but still in preview.


  • AIP is getting closer, but I feel the big missing piece is that the encryption used by AIP does not allow SPO to provide previews and, more importantly, search cannot index the data in SPO. Despite this key missing piece, I'd use it on O365 without encryption if I'm in a SharePoint store.
  • The native applications auto labelling is improving quickly.
  • The Auto-labeling feature is new and useful.
  • A few months ago AIP labels were merged into the Security & Compliance Centre. Worth noting: if you had labels in AIP admin, you need to migrate the labels using the "Unified labelling" option, and the policies need to be manually brought into the Security & Compliance Centre.
  • Auto-labeling is now in the Mac Office suite and also it is coming to the Office apps in Droid and iOS (preview).
  • AIP is an add-on; new Office and Office for Mac and Android have the AIP plug-in already installed. Applies to all Office products including Outlook, Word, Excel and PowerPoint (PPTX).
  • The UI ribbon for AIP in Office on Windows has also been updated to a new look.
  • Microsoft Cloud App Security (MCAS) has scanners to perform labelling (like the AIP scanner) but also works on G Suite and Box; others are coming.
  • AIP Scanner works on file shares (CIFS) and SP2013 and SP2016 on-prem.
  • The 3rd-party product Adobe Pro does not yet have the ability to update labels, but it's coming soon (Jun 2020?). They use the SDK that all developers can use.
  • The Monitoring/Reporting is actually working; a year back it was flaky, and the UI and find-ability are much improved.
  • A couple of preview screens shown today:



Previous AIP Posts:
AIP - Protect your companies documents (Catching up to Symantec's product quickly)
SharePoint Saturday AIP Notes

Tuesday, 12 February 2019

Using Box.com Programmatically - Part 2

Also see: Part 1 post on Using Box.com

Overview:  The last post outlined programmatic access to Box.  This post does the same but uses the JWT approach, which does not expire the access token.

Steps:
  1. Setup the JWT
  2. Retrieve the config.json file
  3. Program out access as shown below using the .NET SDK for Box.com (the Box.V2 NuGet package; ConfigSettings and Utilities are this project's own helper classes):
        using System;
        using System.IO;
        using Box.V2;
        using Box.V2.Config;
        using Box.V2.JWTAuth;
        using Box.V2.Models;

        private static BoxClient GetAuthenticatedClient()
        {
            try
            {
                IBoxConfig config = null;
                // config.json is downloaded from the Box developer console (step 2) and
                // holds the client ID/secret and the app's encrypted private key.
                using (FileStream fs = new FileStream(ConfigSettings.ConfigFilePath, FileMode.Open))
                {
                    config = BoxConfig.CreateFromJsonFile(fs);
                }
                var jwt = new BoxJWTAuth(config);
                // The SDK signs the JWT assertion and exchanges it for a token for this user
                var userToken = jwt.UserToken(ConfigSettings.UserId);
                return jwt.UserClient(userToken, ConfigSettings.UserId);
            }
            catch (Exception ex)
            {
                Utilities.WriteLog("GetAuthenticatedClient", ex.Message, ex.StackTrace);
            }
            return null;
        }

        var fr = new BoxFolderRequest
        {
            Name = FolderName,
            Description = "Created through code",
            Parent = new BoxRequestEntity { Id = "6665556661" }
        };   // Specify the new folder details
        BoxClient client = GetAuthenticatedClient();   // null if authentication failed (see log)
        var folder = client.FoldersManager.CreateAsync(fr, null).Result;  // Create a new folder

Alternatively create the JWT by hand and don't use the SDK's:
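As an added example (not the post's own code, which was an image) of doing exactly that: build the Box server-auth assertion by hand, sign it with the app's private key and trade it for an access token using only .NET (assumes .NET 5+ for RSA.ImportFromEncryptedPem; the client ID, secret, public key ID, encrypted private key and passphrase are the values from config.json, and the subject ID is your enterprise or app user ID).

```csharp
using System;
using System.Collections.Generic;
using System.Net.Http;
using System.Security.Cryptography;
using System.Text;
using System.Text.Json;
using System.Threading.Tasks;
// Hand-built Box JWT assertion (RS512) exchanged for a token; inputs come from config.json.
static class BoxJwtByHand
{
    const string TokenUrl = "https://api.box.com/oauth2/token";
    static string B64Url(byte[] b) =>   // base64url: URL-safe alphabet, no '=' padding
        Convert.ToBase64String(b).TrimEnd('=').Replace('+', '-').Replace('/', '_');
    // header.claims.signature; Box wants a unique jti and an exp at most 60 s ahead, so both are fresh per call
    public static string BuildAssertion(string clientId, string subjectId, string subType,
        string publicKeyId, string encryptedPrivateKeyPem, string passphrase)
    {
        string header = JsonSerializer.Serialize(new { alg = "RS512", typ = "JWT", kid = publicKeyId });
        string claims = JsonSerializer.Serialize(new
        {
            iss = clientId,          // the app's client ID
            sub = subjectId,         // enterprise ID or app user ID
            box_sub_type = subType,  // "enterprise" or "user"
            aud = TokenUrl,
            jti = Guid.NewGuid().ToString("N") + Guid.NewGuid().ToString("N"),
            exp = DateTimeOffset.UtcNow.AddSeconds(45).ToUnixTimeSeconds()
        });
        string input = B64Url(Encoding.UTF8.GetBytes(header)) + "." + B64Url(Encoding.UTF8.GetBytes(claims));
        using var rsa = RSA.Create();
        rsa.ImportFromEncryptedPem(encryptedPrivateKeyPem, passphrase);  // key stays encrypted at rest
        byte[] sig = rsa.SignData(Encoding.UTF8.GetBytes(input), HashAlgorithmName.SHA512, RSASignaturePadding.Pkcs1);
        return input + "." + B64Url(sig);
    }
    // jwt-bearer grant: the assertion plus the client secret buys a short-lived access token
    public static async Task<string> GetAccessTokenAsync(HttpClient http, string clientId,
        string clientSecret, string assertion)
    {
        var form = new FormUrlEncodedContent(new Dictionary<string, string>
        {
            ["grant_type"] = "urn:ietf:params:oauth:grant-type:jwt-bearer",
            ["client_id"] = clientId, ["client_secret"] = clientSecret, ["assertion"] = assertion,
        });
        using var resp = await http.PostAsync(TokenUrl, form);
        resp.EnsureSuccessStatusCode();
        using var doc = JsonDocument.Parse(await resp.Content.ReadAsStringAsync());
        return doc.RootElement.GetProperty("access_token").GetString();
    }
}
```

The token returned is short-lived; when it expires, build a new assertion (new jti and exp) and call the token endpoint again rather than caching the assertion.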

Simple C# SDK example using a JWT

The below image outlines the Developer console settings I used to get Box.com SDK working for C#

Tip:  Ensure the app has been shared with the folder you are working on, unless your app has enterprise rights, in which case it works anyway.

To see the email address of the app, you can use the following URL: https://paulbeck.app.box.com/app-api/enduserapp/contacts

Friday, 1 February 2019

Modern Architecture - 50,000 foot

Overview:  I was talking to the board of a company yesterday and they asked me about modern architectures.  The diagram below is the most simplistic view I could make of designing an architecture that is technology agnostic.


Friday, 25 January 2019

O365 SharePoint ADFS AAD Authentication in Pictures

SharePoint on-prem. using Active Directory Federation Services (AD FS) 


Sunday, 13 January 2019

Using Box.com Programmatically

Overview:  In the SaaS document management space Box.com is a competitor to SharePoint Online.  A request recently came in from a medium-sized client to integrate with Box.com and deliver files into it; as it is something I have not done before, I was eager to see how easy it is.

Requirement:
  1. I merely need to create folders within the client's tenant if needed and drop files into specific folders from a scheduled job that runs every 5 minutes.
  2. Box.com has an API, similar to SharePoint CSOM, to programmatically work with your Box tenant.
  3. Box.com functionality is specific to documents, so the API is really small and easy to learn.
  4. There are multiple ways to programmatically authenticate to your Box.com tenant; the PoC keeps it simple.  The actual implementation must use JWT for the connecting service account.
Implementation Details:
Box.com has several ways to programmatically connect to and test the APIs.  For my PoC I used the Developer Token approach.  We should switch this over to the JWT OAuth approach, but for the PoC and working with the APIs I used the Developer Token approach.
1. Once your tenant is set up and you have configured your client, set the developer token, which lasts for 1 hour, as shown in the screen above.
2. Create a new C# console and add the Box C# SDK reference as shown below.
3. You will need to add the Developer Token, Client Secret and ClientId in order to programmatically connect from the console.  Below is my app.config (the values shown are dummies).
<?xml version="1.0" encoding="utf-8"?>
<configuration>
    <startup> 
        <supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.6.1" />
    </startup>
  <appSettings>
    <add key="ClientId" value="f9y555fiqwqcbv555lst88dmzbxzqa7n"/>
    <add key="ClientSecret" value="CoTT555U7oN555wKF555aPYz5555"/>
    <add key="DeveloperToken" value="TjxJh555ivvW555EE555NTerb555"/>
  </appSettings>
4. Connect to your tenant using Box.com's APIs/SDK.

5. Run the Console and the console looks as follows:
6. Code the file upload logic:
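As an added example (not the post's own code, which was an image) covering steps 3 to 6 end to end: read the three app.config keys above, build a BoxClient from the developer token, make sure the target folder exists, and upload a file into it. Assumes the Box.V2 NuGet package and a reference to System.Configuration; the folder name and file path are illustrative.

```csharp
using System;
using System.Configuration;
using System.IO;
using System.Linq;
using System.Threading.Tasks;
using Box.V2;
using Box.V2.Auth;
using Box.V2.Config;
using Box.V2.Models;
// Developer-token PoC: client from app.config, folder created on demand, file dropped into it.
static class BoxDevTokenUpload
{
    public static BoxClient GetClient()
    {
        var settings = ConfigurationManager.AppSettings;
        var config = new BoxConfig(settings["ClientId"], settings["ClientSecret"], new Uri("http://localhost"));
        // A developer token is a pre-issued bearer token (about 1 hour, no refresh token),
        // so the session is built directly instead of running the OAuth flow.
        var session = new OAuthSession(settings["DeveloperToken"], "NOT_NEEDED", 3600, "bearer");
        return new BoxClient(config, session);
    }
    // Returns the ID of the folder named folderName under parentId, creating it if missing.
    public static async Task<string> EnsureFolderAsync(BoxClient client, string parentId, string folderName)
    {
        BoxCollection<BoxItem> items = await client.FoldersManager.GetFolderItemsAsync(parentId, 1000);
        BoxItem existing = items.Entries.FirstOrDefault(i => i.Type == "folder" && i.Name == folderName);
        if (existing != null) return existing.Id;
        var req = new BoxFolderRequest { Name = folderName, Parent = new BoxRequestEntity { Id = parentId } };
        BoxFolder created = await client.FoldersManager.CreateAsync(req);
        return created.Id;
    }
    // Uploads a local file into the folder; Box rejects a duplicate file name in the same folder.
    public static async Task<BoxFile> UploadAsync(BoxClient client, string folderId, string path)
    {
        var req = new BoxFileRequest { Name = Path.GetFileName(path), Parent = new BoxRequestEntity { Id = folderId } };
        using (FileStream fs = File.OpenRead(path))
            return await client.FilesManager.UploadAsync(req, fs);
    }
    static async Task Main()
    {
        BoxClient client = GetClient();
        string folderId = await EnsureFolderAsync(client, "0", "Inbound");   // "0" is the root folder
        BoxFile uploaded = await UploadAsync(client, folderId, @"C:\temp\report.pdf");   // illustrative path
        Console.WriteLine($"Uploaded {uploaded.Name} as id {uploaded.Id}");
    }
}
```

Once the developer token expires the SDK cannot refresh it, so every call fails with 401 until a new token is pasted into app.config; that is the reason the JWT approach in Part 2 is the one to use for the scheduled job.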

Final Thoughts:
  • Overall I think Box.com is a good option if you don't already have O365.  It's pretty expensive for a small feature set, but it is a valid option for clients.
  • The search indexing is ridiculously slow, so it is very hard to build search-based solutions using the API.
In Part 2 of using Box.com programmatically, I discuss using JWT for access.