SkyNorth

Create Azure Bot Registrations with Azure CLI

Wed, 02 Jan 2019 20:31:22 Z

There's a lot to decipher when looking at automating the creation of Bot Channel Registrations within Azure. At the time of this writing, the Azure CLI has the most complete set of automation options and the fastest time to value. This sample deploys a Bot Channel, and then configures it to be used with Microsoft Teams, but can also be used for configuring Facebook, web chat, and other channels.

Here it is, enjoy!

https://github.com/SkyNorth/Automation/blob/master/Azure/Bots/New-AzureBotRegistration.ps1

Silver DevOps Competency

Wed, 07 Nov 2018 19:03:43 Z

We are very excited to announce that we have achieved the Silver competency in DevOps!

DevOps starts with culture - something we are very passionate about at SkyNorth. We believe it is critical to learn from your failures - to experiment and fail fast. To reduce handoffs and increase autonomy. Let's move away from "if it's not broke, don't fix it" , and adopt a "constant beta/continuous improvement" mindset. Technology evolves so fast, we need to change our way of thinking to keep up and do more with less.

The Admins guide to securing your Office 365 data

Wed, 17 Oct 2018 02:05:06 Z

During my time at Microsoft and SkyNorth, one of the hottest cloud migration topics we have with clients, is around access and data security.

While most companies believe their on-premises data is secure, we’ve found it is usually at higher risk then data stored in a correctly configured Office 365 tenant. If you can properly answer the four primary concerns of the public cloud, O365 solutions will increase your security and flexibility.

How do we limit and control access?
How to ensure it’s the correct person?
How do we secure our data?
How do we secure our devices?

Out of the box, O365 cloud identities are accessible everywhere via internet, and secured with only username and password. This appears sketchy at best, until you start looking at all the built-in features that O365 & Azure Active Directory offer. When developing your O365 access policies you need to put together a plan that focuses on the 3 core areas.

The Who and Where
The What
The How

Please keep in mind, some of these technologies cross boundaries and can be used in conjunction with other features to maximize your cloud security strategy. If you haven't seen the Microsoft Identity and Device Access article. it is a must read (after you finish reading my blog post).

The Who and Where

Do you know who is accessing your cloud services, and where they are logging in from?

Option 1 - ADFS Server
- Pros
  - Many people already have this infrastructure in place from past SSO requirements
  - Uses Microsoft technologies
- Cons
  - Requires a lot of extra infrastructure and setup (ADFS, Proxy, x2 for HA)
  - Limited Options
  - This has became the 'outdated' way of providing a secured Single Sign-On solution
- Extras
  - Limiting Access to Office 365 Services Based on the Location of the Client
Option 2 - Conditional Access
- Pros
  - Extremely configurable and stackable rules
  - Tied to your cloud login
  - Available to all Azure Applications and internal apps that are published via Azure Application Proxy
- Cons
  - Requires Azure AD Premium Plan 1
- Extras
  - Limit logins based on the following policies
  - Allows you to limited login based on the following
    - Select Users
    - Trusted IP Range
    - Trusted Applications
    - Browser or Client Application
    - Device Platforms
    - Device Compliance (Requires Intune)
    - Login Risk (Requires Azure Active Directory Premium Plan 2)
    - Allows SharePointusers to only have READ access via Browser session, and others WRITE/EDIT via controlled Application

How do we ensure it’s the correct person?

Option 1 - Multi-Factor Authentication (MFA)
- Pros
  - Helps ensure the person is who they say they are
  - Easy to use and configure
  - Available for on-prem applications, rdp, and VPN via MFA Server
- Cons
  - Limited to call/text or mobile application
- Extras
  - A second form of user identification such as a phone call, email, or mobile app

Option 2 - ADFS Server 2016 – MFA First
- Pros
  - Skews attempts to brute-force login attempts
  - Validates the users device before the username/password
- Cons
  - Requires a lot of extra infrastructure and setup (ADFS, Proxy, x2 for HA)
- Extras
  - ADFS 2016 allows you to prompt for device MFA first, ensuring no password is passed to the session until the first factor has been passed
Option 3 - Password-free Login
- Pros
  - Very secure
  - Easy to use
  - No passwords to remember
  - Corporate Credentials are not passed through the session
  - Only devices with an approved certificate/key will be allowed access
- Cons
  - Certificate Based requires infrastructure and setup (ADFS, Proxy, x2 for HA)
  - Authenticator/Hardware Key have limited support at this time
- Extras
  - ADFS: Certificate Authentication with Azure AD & Office 365
- - Windows Hello for Business
  - Why a PIN is better than a password
  - Can Use Biometrics as a form of PC Authentication
    - Fingerprint
    - Facial recognition
  - Microsoft Authenticator App
    - Password-less phone sign-in with the Microsoft Authenticator app (public preview)

The What?

What data are people accessing and how do we secure it?

Option 1 - SharePoint Site Permissions
- Pros
  - Highly customizable at different SharePoint levels (Site/Web/Library/Item)
  - Have remained the same with all versions of SharePoint
- Cons
  - Can get complicated with breaking inheritance
  - Auditing/Ensuring users are correctly setting permissions
- Extras
  - Understanding permission levels in SharePoint
Option 2 - External Sharing Settings
- Pros
  - Allow or prevent external users from accessing your SPO data
- Cons
  - A misconfigured policy could mean bad news for your company
  - It's not meant for every type of business or scenario
- Extras
  - Manage external sharing for your SharePoint Online environment.
Option 3 - Tenant Restrictions
- Pros
  - Increased security
- Cons
  - Makes external collaboration difficult
- Extras
  - Use Tenant Restrictions to manage access to SaaS cloud applications
    - Prevent your users from accessing other data
    - This is handled via proxy server and HTTP Headers that identify and prevent external access
Option 4 - Azure Rights Management / Azure Information Protection
- Pros
  - Increased data security
  - Available to many data formats
  - Set up on the SPO library or global rules via Azure
  - Labeling Support for O365 Data Classification
- Cons
  - Multiple setup/config areas that do not span a broad spectrum of services
  - Typically requires an internet connection to pass ACL validation
- Extras
  - Protect SharePoint libraries to prevent read/write/edit/print/etc.
    - Enabled on the document library or list level.
  - Protect files with Azure Information Protection
    - Gives you the option to classify, encrypt, and secure your data at a local level
      - For use with O365 documents, as well as on-prem file storage
      - Uses Azure RMS to encrypt and secure access
Option 5 - Data Loss Prevention
- Pros
  - Easy to configure rules
  - Used for SharePoint/OneDrive/Exchange
- Cons
  - Other similar methods make it confusing to determine the best use
    - AIP / Transport Rules / Classification & Labels
- Extras
  - Overview of data loss prevention policies
    - Searches through your existing data to find matches that may need protection
- - - Create a DLP query to identify what sensitive information now exists in your site collections.
    - Create a DLP policy to monitor and automatically protect sensitive information in your site collections.

The How?

How are people accessing cloud services, and how do we secure it?

Option 1 - Azure AD Device Registration / Workplace Join
- Pros
  - Identifies what users and devices are using cloud services
  - Configure MFA for first-time registration
  - Allows easy SSO access to all of your apps
- Cons
  - There isn't much security you can place around the device without extras
  - MFA Conditional Access rules are met with registered devices so you will not receive a call/text
- Extras
  - Azure AD Device Registration
Option 2 - Azure AD Joined Device
- Pros
  - Same as Option 1
  - Azure AD Bitlocker Recovery
  - PIN Sign-In
  - Enterprise State Roaming Features
  - Automatic MDM Enrollment (With AAD Premium P1)
- Cons
  - On-premises domain access would typically require VPN client
  - There isn't much security you can place around the device without extras
Option 3 - O365 Mobile Device Management (MDM)
- Pros
  - Comes with O365 E3
- Cons
  - Limited control
- Extras
  - Provides Selective Wipe and removal of certain data
  - Set up O365 MDM
Option 4 - Microsoft Intune
- Pros
  - Highly configurable
  - Tied with your cloud identity and your device
  - Can manage Windows/iOS/Android Devices (limited MAC OSx Support)
- Cons
  - Requires Intune or EM+S subscription
- Extras
  - What is Intune?
  - Contains Mobile Application Management policies (MAM)
    - Prevent Cut/Copy/Paste
    - Prevent SaveAs
    - Require a PIN for specific Mobile Apps
    - *With or without device enrollment*
  - Selective or Full Wipes of the device
  - Manages device compliance settings
    - Encryption/Password Rules/Etc.
  - Manages device configuration settings
    - Blocks to cameras, screen shots, USB ports, and tons more
  - Conditional Access via Compliance Policy and Device Registration
    - Allow only ‘domain joined’ devices to access cloud data

I hope I've made an extremely complex topic a little easier for everyone to understand. Like I mentioned above, there isn't a single solution that you should decide on for all business & security scenarios. You may need to mix-and-match and you may also need to use features I didn't even mention here. If you find yourself in a confusing situation and need help finding the best approach please feel free to reach out to SkyNorth!

Need Help?

Be sure to contact SkyNorth Software today for an O365 Data Security Assessment or any of your data security needs!

What is our Data Security Assessment?

It’s a comprehensive technology and process review for how you handle data security within your organization.

How much does it cost?

It’s FREE! Out introductory package is completely free and includes a 1-hour finding call with self-help documentation. If you’d like to have a more comprehensive review or added support, you can look at our PREMIUM or PREMIUM – WITH SUPPORT options on our website.

Copy Azure Blobs with Data Factory Event Trigger

Fri, 05 Oct 2018 16:11:11 Z

NOTE: This article applies to version 2 of Data Factory. The integration described in this article depends on Azure Event Grid. Make sure that your subscription is registered with the Event Grid resource provider. For more info, see Resource providers and types.

Overview

This article builds on the concepts described in Copy Activity in Azure Data Factory. We will be using an event trigger to copy blobs between Azure Storage accounts.

There are scenarios where you need to copy blobs between storage accounts. It could be for another layer of redundancy, or simple to move to a lower tiered storage account for cost optimization. In this article, we will show you how to copy blobs immediately after they are created using Data Factory event triggers.

Prerequisites

1.) Azure Data Factory version
2.) Azure storage accounts for source and destination. Each storage has a container called backups
3.) Event Grid enabled as a resource provider on your Azure subscription

This is what our resource group looks like:
NOTE: The storage accounts are in the same location to prevent egress charges

Create Linked Storage Accounts

NOTE: Datasets and linked services are described in depth at Datasets and linked services in Azure Data Factory.

In this demo we will use two storage accounts named dfcopyeventsource and dfcopyeventdestination.

Create linked services for both storage accounts in Data Factory under the connections tab. For simplicity we will just use the storage account account key for authentication. We will just add a _ls suffix to these so we they are linked services later.

Select "Use account key" for authentication method

Both storage accounts are now linked.

Create Datasets

Now we will create a Dataset for each storage account with _ds as a suffix. For simplicity, use binary copy. Be sure to add the path backups.

Publish the Datasets

Create Pipeline

Now we will create a Pipeline and add the Copy Data activity. Our pipeline is called copy_blob_pipeline.

Drag the Copy Data activity onto the canvas.
1.) Name it Copy Data Activity
2.) Select source Dataset
3.) Select destination Dataset (sink)

Testing Pipeline

Publish all resources and your Pipeline should be ready to test. We will add event triggers after confirming the copy data activity works as expected.

Take the following steps to test the Pipeline

1.) Upload test data to source storage account
2.) In Data Factory, click the Debug button
3.) Verify the pipeline finishes without error and the data was moved to the destination

Adding Event Trigger

We will be adding a Blob Created event trigger to the copy_blob_pipeline. It will watch the source storage account under the backups container for new blobs, and then copy only the new blobs to the destination storage account. To accomplish this, we need to parameterize our Pipeline and source Dataset. The event trigger will inject information about the blob into our parameters at runtime.

Parameterize Pipeline

Edit the copy_blob_pipeline and add two parameters:
1.) sourceFolder
2.) sourceFile

Add Event Trigger with Parameters

We'll create the event trigger and configure it to inject the new blob sourceFolder and sourceFile into the pipeline parameters we just created.

Parameterize Source Dataset

The final step is to parameterize the source Dataset dfcopyeventsource_ds. On the Connection tab, add @pipeline().parameters.sourceFolder and @pipeline().parameters.sourceFile to their respective input boxes.

Testing Trigger

Publish All and the Event Trigger will be live and watching the source storage account. Upload a file to the source and then view the monitoring tab to validate the pipeline executed without issues. If all is configured correctly, the blob will be copied to the destination storage account.