by Contributed | Jan 9, 2021 | Technology
This article is contributed. See the original author and article here.
We can use Azure DevOps to perform all the policy operations: create and assign policies and initiatives, remediate non-compliant resources, and check compliance status.
Steps to set up the environment for policy operations
- Log in to your Azure DevOps organization, select Releases as shown below, click on New and select New Release Pipeline.

- This will open a pop-up window and will ask to select a template.

- Select Azure Policy Deployment and Click on Apply

- After selecting the template, a small pop-up window shows the stage details of this release pipeline. Close this window and proceed with the next step.

- Before configuring the tasks of the stage, make sure you have set up a service connection that integrates your Azure DevOps organization with your Azure subscription. A service connection is how the pipeline authenticates to your Microsoft Azure subscription (or to a different build server or file server, an online continuous integration environment, or services installed on remote computers).
Please refer to the Microsoft article below for the step-by-step process to set up the service connection.
https://docs.microsoft.com/en-us/azure/devops/pipelines/library/service-endpoints?view=azure-devops&tabs=yaml
Once the service connection is set up, it can be viewed and updated as shown below:

- Click on the Stage 1 - Tasks option as highlighted below. We do not need to add or update artifacts, as this article does not use a GitHub repository for the policy operations; leave it as it is.
The names of the pipeline, stage, agent and tasks can be updated as convenient.

- Once we click, we see the stage details and the tasks in the hierarchy, as in the snippet below:
Stage Name – Stage 1
Tasks – Create Azure Policy and Assign Azure Policy

- Select any task. Here we have selected the first task, Create Azure Policy. Since we are using Azure PowerShell as the backend script, select the appropriate task version: the task version determines the PowerShell version, and the version required may vary depending on the cmdlets used. It is always recommended to use the latest version.
Choose Azure Resource Manager as the Azure connection type. If you have access to multiple Azure subscriptions through the service connection, you may choose any one of them; it will be used as the scope for this policy creation and assignment.
Choose Inline Script as the script type, since we are providing the PowerShell script inline. Script File Path can be used instead when a repository such as GitHub is the source of the files.

- Copy the PowerShell code below into the Inline Script block. Update the highlighted/bold values as required and add your policy in JSON format, as in the example below. The cmdlet call must be a single statement; the policy rule itself is a single-quoted string and may span several lines.
# Creates the policy definition in the subscription selected for the task.
$definition = New-AzPolicyDefinition -Name 'denyCoolTiering2' -DisplayName 'denyCoolTiering2' -Description 'Deny cool access tiering for storage' -Policy '{
    "if": {
        "allOf": [
            {
                "field": "type",
                "equals": "Microsoft.Storage/storageAccounts"
            },
            {
                "field": "kind",
                "equals": "BlobStorage"
            },
            {
                "field": "Microsoft.Storage/storageAccounts/accessTier",
                "equals": "cool"
            }
        ]
    },
    "then": {
        "effect": "deny"
    }
}'

- Similarly, update the inline script of the second task, Assign Azure Policy. Use the code below as a reference and update the bold/highlighted values with the details of your own policy as defined in the target subscription.
# Looks up the definition created by the first task by its display name.
$definition = Get-AzPolicyDefinition | Where-Object { $_.Properties.DisplayName -eq 'denyCoolTiering2' }
if (-not $definition) { throw "Policy definition 'denyCoolTiering2' was not found in the current subscription" }
# Without -Scope, the assignment is created at the subscription of the current Azure context.
New-AzPolicyAssignment -Name "denyCoolTiering2" -DisplayName "denyCoolTiering2" -PolicyDefinition $definition

- After updating both tasks, click on Save; a new pop-up window appears. Select the folder (if you have a folder hierarchy), add your comments (optional) and click OK.

- Now click on “Create a New Release”; another window pops up. Click on “Create” and proceed.


Once you click on create, you will get to see a message like in the below snippet that “Release has been created”.

- Click on the message link “Release has been created”; it shows the progress of all the tasks in the stage.
The status starts at Queued, moves to In Progress and then to Succeeded. If there is a syntax or runtime error, the task ends with a Failed status; click on the status to see the error or failure reason.


If we click on the Succeeded link in the stage, we see the status of each step performed by the agent; clicking on the succeeded status of an individual step shows its operation logs (refer to the snippet below).



- Likewise, we can create additional stages in the same release, additional tasks in the same stage, or a new release for other policy operations such as compliance check and remediation (refer to the snippets below). The steps remain the same; only the inline script needs to be updated.
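As an added example (not code from the original article), the following inline script could be used in a "Compliance Check and Remediate" task. It assumes the Azure PowerShell task has already authenticated through the service connection, that the assignment name is the one created in the steps above, and that the Az.PolicyInsights module is available on the agent; $triggerScan is a variable of this script only. The ##vso logging commands surface each finding in the release log and pass the count on to later tasks.

```powershell
# Added example, not part of the original article.
$assignmentName = 'denyCoolTiering2'
$triggerScan    = $true   # an on-demand evaluation can take several minutes

$subscriptionId = (Get-AzContext).Subscription.Id
$scope = "/subscriptions/$subscriptionId"

$assignment = Get-AzPolicyAssignment -Name $assignmentName -Scope $scope -ErrorAction SilentlyContinue
if (-not $assignment) {
    Write-Host "##vso[task.logissue type=error]Policy assignment '$assignmentName' not found at $scope"
    Write-Host "##vso[task.complete result=Failed;]"
    return
}

# Policy states come from the periodic evaluation; trigger one so the check uses fresh data.
if ($triggerScan) { Start-AzPolicyComplianceScan -PassThru | Out-Null }

# Latest state of every resource evaluated against this assignment that is non-compliant.
$nonCompliant = @(Get-AzPolicyState -PolicyAssignmentName $assignmentName `
    -Filter "ComplianceState eq 'NonCompliant'")

foreach ($state in $nonCompliant) {
    # Each finding becomes a warning annotation in the release log.
    Write-Host "##vso[task.logissue type=warning]Non-compliant: $($state.ResourceId)"
}
# Makes the count available to later tasks as the output variable NonCompliantCount.
Write-Host "##vso[task.setvariable variable=NonCompliantCount;isOutput=true]$($nonCompliant.Count)"

# Only deployIfNotExists and modify effects can be remediated. A deny effect (as in the
# policy above) blocks new non-compliant resources but does not change existing ones.
$definition = Get-AzPolicyDefinition -Id $assignment.Properties.PolicyDefinitionId
$effect = [string]$definition.Properties.PolicyRule.then.effect
if ($nonCompliant.Count -gt 0 -and $effect -in @('deployIfNotExists', 'modify')) {
    $taskName = "remediate-$assignmentName-$(Get-Date -Format 'yyyyMMddHHmmss')"
    Start-AzPolicyRemediation -Name $taskName -PolicyAssignmentId $assignment.PolicyAssignmentId | Out-Null
    Write-Host "Started remediation task $taskName"
}
elseif ($nonCompliant.Count -gt 0) {
    Write-Host "$($nonCompliant.Count) non-compliant resource(s); effect '$effect' requires manual follow-up"
    Write-Host "##vso[task.complete result=SucceededWithIssues;]"
}
else {
    Write-Host "All evaluated resources are compliant with '$assignmentName'"
}
```

If the definition's effect is parameterized (for example "[parameters('effect')]"), the string comparison does not match and the script falls through to the manual follow-up branch, which is the safe default.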


Notes:
- In the case of assigning a DINE (deployIfNotExists) policy, make sure the managed identity has completed replication through Azure Active Directory before it is granted the needed roles, as per the documentation here: Remediate non-compliant resources – Azure Policy | Microsoft Docs. Otherwise the remediation tasks will fail due to missing permissions.
- You may encounter the errors below while executing the script in the pipeline.
- The service principal (SPN) used by Azure DevOps to connect to your Azure subscription requires the Owner role; you may get this error when the SPN holds a lesser role than Owner.

By default, the SPN created by Azure DevOps to connect to your Azure subscription is assigned the Contributor role. Updating the assignment of security roles on a resource group requires the Owner role. Ensure that the SPN used by Azure DevOps has the Owner role assigned at the subscription level; this is done through the Access control (IAM) blade for the subscription:

- The same SPN also requires Read directory data permissions to your Azure AD.

Steps to grant Azure AD permissions:
By default, the SPN created by Azure DevOps is only granted the sign-in and read user profile permissions against Azure AD. We now need to grant the SPN the additional read directory data permission.
- Go to Azure AD -> App Registrations.
- Select the SPN that Azure DevOps uses

- Select API permission and then click on ‘Add a permission’

- Select Azure Active Directory Graph from the list

- Select Application permissions.

- Select Directory.Read.All permission from the list and click on Add permissions.

- Click on ‘Grant admin consent for Directory’.

Once the permission is granted and its status shows green, try deploying the policy through Azure DevOps again; it should work.
- Creating and assigning policy initiatives:
In the case of creating and assigning policy initiatives, steps 1-13 above remain the same except for the sample code in steps 9 and 10. Update the scripts as below:
Creating a policy initiative (replace the code at step 9):
$jsonPolicysetdefinition = @"
[ {
"policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/ea3f2387-9b95-492a-a190-fcdc54f7b070",
"parameters": {
"tagName": {
"value": "[parameters('tags')]"
}
}
},
{
"policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/a08ec900-254a-4555-9bf5-e42af04b5c5c",
"parameters": {
"listOfResourceTypesAllowed": {
"value": "[parameters('resourceTypes')]"
}
}
}
]"@
$jsonPolicydefinitionparameter = @"
{
"tags": {
"type": "String"
},
"resourceTypes": {
"type": "Array"
}
}"@
$Initiative = New-AzPolicySetDefinition -Name 'PolicyInitiativeTest' -PolicyDefinition $jsonPolicysetdefinition -Parameter $jsonPolicydefinitionparameter -SubscriptionId 'abcd-e44e-4a99-a89c-45be63c6a8ad'
Write-Host $Initiative.PolicySetDefinitionId
# Property access inside a double-quoted string needs $( ), otherwise only $Initiative is expanded.
Write-Host "##vso[task.setvariable variable=Initiative;isSecret=false;isOutput=true;]$($Initiative.PolicySetDefinitionId)"
Assigning the policy initiative (replace the code at step 10):
$jsonPolicyassignmentparameter = @"
{
"tags": {
"value": "AnotherTag"
},
"resourceTypes": {
"value": [
"microsoft.devtestlab/labs/costs",
"microsoft.media/mediaservices/streamingpolicies",
"microsoft.security/iotsecuritysolutions/iotalerts",
"microsoft.security/iotsecuritysolutions/analyticsmodels/aggregatedrecommendations",
"microsoft.sql/managedinstances/metricdefinitions",
"microsoft.sql/managedinstances/databases/vulnerabilityassessments/rules/baselines",
"microsoft.sql/managedinstances/databases/backupshorttermretentionpolicies"
]
}
}"@
$Policy = Get-AzPolicySetDefinition -Name 'PolicyInitiativeTest'
$remediationID = New-AzPolicyAssignment -Name 'PolicyInitiativeAssignment' -Scope '/subscriptions/abcd-e44e-4a99-a89c-45be63c6a8ad' -PolicySetDefinition $Policy -PolicyParameter $jsonPolicyassignmentparameter -Location 'eastus' -AssignIdentity
$roleDefId = Get-AzRoleDefinition 'Contributor'
New-AzRoleAssignment -Scope '/subscriptions/abcd-e44e-4a99-a89c-45be63c6a8ad' -ObjectId $remediationID.Identity.PrincipalId -RoleDefinitionId $roleDefId.Id
# One remediation task per policy in the initiative. This task runs in its own PowerShell
# session, so the initiative is read from $Policy rather than from the $Initiative variable
# of step 9; double quotes are required for $i to expand in the task name.
for ($i = 0; $i -lt $Policy.Properties.PolicyDefinitions.Length; $i++) {
    Start-AzPolicyRemediation -Name "$i Initiative" -PolicyAssignmentId $remediationID.PolicyAssignmentId -PolicyDefinitionReferenceId $Policy.Properties.PolicyDefinitions[$i].policyDefinitionReferenceId
}
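The note above warns that the role assignment and remediation fail when the managed identity has not yet replicated through Azure AD. As an added example (not the article's own script), the following variant of the step-10 task polls for the identity before granting the role, grants it only once so the release can be re-run, and tolerates initiative members whose effect cannot be remediated. It assumes the initiative 'PolicyInitiativeTest' from step 9 exists and that the task runs in the target subscription's context; the parameter JSON is a shortened copy of the one above, and the timeout and task names are choices of this example.

```powershell
# Added example, not part of the original article.
$subscriptionId = (Get-AzContext).Subscription.Id
$scope = "/subscriptions/$subscriptionId"

# Assignment parameters (shortened copy of the JSON shown in the step above).
$jsonPolicyassignmentparameter = @"
{
  "tags": { "value": "AnotherTag" },
  "resourceTypes": {
    "value": [
      "microsoft.devtestlab/labs/costs",
      "microsoft.media/mediaservices/streamingpolicies"
    ]
  }
}
"@

$initiative = Get-AzPolicySetDefinition -Name 'PolicyInitiativeTest'
if (-not $initiative) { throw "Initiative 'PolicyInitiativeTest' not found" }

$assignment = New-AzPolicyAssignment -Name 'PolicyInitiativeAssignment' -Scope $scope `
    -PolicySetDefinition $initiative -PolicyParameter $jsonPolicyassignmentparameter `
    -Location 'eastus' -AssignIdentity
$principalId = $assignment.Identity.PrincipalId

# The system-assigned identity becomes visible in Azure AD only after replication;
# granting a role before that fails with a principal-not-found error.
$deadline = (Get-Date).AddMinutes(5)
do {
    $sp = Get-AzADServicePrincipal -ObjectId $principalId -ErrorAction SilentlyContinue
    if (-not $sp) { Start-Sleep -Seconds 15 }
} until ($sp -or (Get-Date) -gt $deadline)
if (-not $sp) { throw "Managed identity $principalId not visible in Azure AD after 5 minutes" }

# Grant Contributor (the role used in the step above) only if it is not already present,
# so re-running the release does not fail on a duplicate role assignment.
$existing = Get-AzRoleAssignment -ObjectId $principalId -Scope $scope `
    -RoleDefinitionName 'Contributor' -ErrorAction SilentlyContinue
if (-not $existing) {
    New-AzRoleAssignment -ObjectId $principalId -Scope $scope -RoleDefinitionName 'Contributor' | Out-Null
}

# One remediation task per initiative member. Members with deny or audit effects have
# nothing to remediate and are rejected by the service; report them instead of failing.
foreach ($ref in $initiative.Properties.PolicyDefinitions) {
    $refId = $ref.policyDefinitionReferenceId
    try {
        Start-AzPolicyRemediation -Name "rem-$refId" -PolicyAssignmentId $assignment.PolicyAssignmentId `
            -PolicyDefinitionReferenceId $refId -ErrorAction Stop | Out-Null
        Write-Host "Remediation started for $refId"
    }
    catch {
        Write-Host "##vso[task.logissue type=warning]No remediation for ${refId}: $($_.Exception.Message)"
    }
}
```

The role granted here is the Contributor role used in the article; in practice, grant the identity only the roles listed in the initiative's deployIfNotExists or modify definitions, which is the least privilege the remediation needs.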
by Contributed | Jan 8, 2021 | Technology
Welcome back after the holiday break! Together, let’s make 2021 our best IoT year yet!
If you are still trying to decide on your New Year’s resolutions, consider the options below. Pick one or more and make it happen!
- Learn something new about IoT:
- Keep up with new IoT updates:
- Share what you know about IoT with your local user group, youth organization, and/or school
The New Year is a perfect opportunity to re-focus. Hopefully, one or more of these resolutions caught your eye. Now that you have your goals in mind, take a few minutes to make your plan. Add a placeholder to your calendar to make time or add a To Do list task as a reminder. Remember that small changes can bring big rewards if you commit. Consistency and follow-through are key.
Best of luck to you in this new year! I’d love to hear whether you found this list helpful, if you plan to do any of these items, or if you already had some of these on your own list.
Did I miss anything noteworthy? Do you have other IoT-related resolutions that you want to share?
by Contributed | Jan 8, 2021 | Technology
News this week includes:
Attack simulation training in Microsoft Defender for Office 365 now Generally Available
IoT is now Generally Available as a solution covered by FastTrack for Azure to eligible customers
Announcing new H5P and OneNote integration to help bring interactive content to life
Shawn is our member of the week and a fantastic contributor in the Microsoft Edge Insider community.
View the Weekly Roundup for Jan 4-8th in Sway and attached PDF document.
https://sway.office.com/s/Q64u3T42X0ryrbJz/embed
by Contributed | Jan 8, 2021 | Technology
This article was written by Microsoft Mixed Reality Program Manager for Diversity, Equity and Inclusion as part of our Humans of Mixed Reality Guest Blogger Series. Dr. Dalya Perez shares her personal career journey in technology, and how she came to discover and love the mixed reality space.
To my fellow Mixed Reality community members, my name is Dr. Dalya Perez. I am the Microsoft Mixed Reality inaugural Program Manager for Diversity, Equity, and Inclusion. Like so many others, I began a new role recently amidst remote onboarding, racial justice uprisings, and a global pandemic, all while juggling the last month of a PhD program, dissertation, parenting a toddler and a tween, and tag-teaming work from home strategies with my beloved spouse in our cozy home. To say the least, it has been a heck of a transition, but I’m beyond happy to be here with all of you doing D&I in this moment in history. Thank you sincerely for welcoming me, and I look forward to meeting you if I haven’t yet.
Background

Pictured above: Dr. Dalya Perez
I come from humble beginnings. I am the daughter of a Jewish Egyptian refugee mother and a Filipino immigrant father, and a first-generation undergrad/grad/PhD in my family. I grew up in Bothell, Washington, just up the road from Microsoft’s Redmond campus, yet never visited until my interview last year. I grew up in a multi-ethnic-racial community, constantly navigating and code-switching between middle-class white suburbia at school, Ashkenazi-centric synagogue culture, Catholic Filipino family, to name a few. Our home was full of relatives, grandparents, and foods from across the oceans. I grew up grappling with those questions of “what are you?”, “where are you from?”, “why does your food smell weird?” – all while trying to figure out how and where I belong.

Pictured above: Dalya’s parents Josee and Mel Perez circa 1969
Career Beginnings
Diversity, equity, and inclusion have been deeply ingrained and interwoven across my personal, academic, and professional journeys. From my early career working in Latinx health clinics, to being the Executive Director of an LGBTQIA+ youth organization, I began my career with grassroots community organization. As a critical race scholar, I dedicated myself to studying educational leadership and policy and to implementing design-based interventions that bring about remediation and close equity disparities for underrepresented communities. In my last team, the Brotherhood Initiative, I was a founding member of a research project that aimed to bridge the graduation gap for men of color in higher education. I am proud to say that we were successful in graduating the first cohort with a 99% graduation rate. The key to this success was getting critical stakeholders across divisions and roles to collaborate. I believe that building collaborative relationships between people who view the problem space from different, unique vantage points is critical to designing strong D&I programs in all industries, but especially in tech.

Pictured above: University of Washington’s Brotherhood Initiative
My career at Microsoft
Joining Microsoft has taught me that cultural and systemic norms that have excluded historically marginalized groups from tech are the same and, in some cases, adjacent to the structural inequity in public sectors: educational pipelines, hiring biases, and the need for cultural competence to name a few. I am thrilled to be able to work somewhere with such potency of groundbreaking technology like mixed reality and being able to play a role where I can pair this with transformational change, access, and equitable policies for Black, Latinx, women, and many more communities historically underrepresented in tech. There’s work to do and we are lucky to be in a company and team with executive leadership all in for D&I. The alignment from the top down and bottom up is incredible.
As we cross into 2021, I know we still have a long road of navigating the pandemic. That said, we’re also going into this new year with a stronger sense of confidence and resilience in working remotely, parenting, home-schooling. With the incredible technology which enables us to do this work and be a team, to be flexible, adaptable…. I’m amazed at what we have been able to do. From my family to yours, wishing you a happy new year, wellness, and patience as we forge ahead into the unknown.
My number one priority in my first year has been to meet as many people on our team as possible and learn about your D&I journey. How do you use your tech superpowers in mixed reality to drive positive impact in your local company? Remember that D&I work is about relationships and community – we all have a story, and we all have a part in D&I work. Better yet, we have the tech tools to truly create change.
If you have ideas on how we can use mixed reality to promote inclusion and accessibility for all, please reach out. I look forward to building up this Mixed Reality Community as a safe space for all to learn, grow and become better humans.

Pictured above: Dalya, husband Brian, and kids Amiel (2) & Carlos (10)
#MixedReality #CareerJourney
by Contributed | Jan 8, 2021 | Technology

The change from using Microsoft Stream to OneDrive for Business and Microsoft SharePoint for meeting recordings will be a phased approach. While GCC customers can opt out starting October 5, they are unable to opt in (this feature will be rolled out to all GCC customers starting January 11, 2021, unless they’ve opted out).
Starting on January 11, 2021 all new Teams meeting recordings for GCC customers will be saved to OneDrive for Business and SharePoint unless you delay this change by modifying your organization’s Teams Meeting policies and explicitly setting them to Stream.
If you’ve opted-out but are ready to turn on this feature, you may do so by setting your Teams Meeting Policy explicitly to OneDrive for Business.
Starting on March 1st, 2021, no new meeting recordings will be saved to Microsoft Stream (Classic); instead, all customers will automatically have their meeting recordings saved to OneDrive for Business and SharePoint even if they’ve changed their Teams meeting policies to Stream.
We recommend that customers roll this feature out before this date so that they can control the timing of the release.
Microsoft Teams has a new method for saving meeting recordings. As the first phase of a transition from classic Microsoft Stream to the new Stream, this method stores recordings on Microsoft OneDrive for Business and SharePoint in Microsoft 365 and offers many benefits.
Benefits of using OneDrive for Business and SharePoint for storing recordings:
- Retention policies for Teams meeting recording
- Benefit from OneDrive for Business and SharePoint information governance
- Easy to set permissions and sharing
- Share recordings with guests (external users) with explicit share only
- Request access flow
- Provide OneDrive for Business and SharePoint shared links
- Increased quota
- Meeting recordings are available faster
- Bring your own key (BYOK) support
Caveats to consider:
- There will be English-only closed captions (meeting transcription is not yet available in GCC)
- You can control with whom you share the recording, but you won’t be able to block people with shared access from downloading the recording.
- You’ll not get an email when the recording finishes saving, but the recording will appear in the meeting chat once it’s finished. This will happen much quicker than it did in Stream previously
Administration and configuration
What you need to do to prepare
The meeting recording option is a setting at the Teams policy level. The following example shows how to set the Global policy. Make sure that you set the meeting recording option for the policy or policies that you have assigned to your users. If some of your users have a per-organizer or per-user policy assigned, you must set this option on that policy as well if you want them to store their meeting recordings in OneDrive for Business and SharePoint.
Teams meeting policy changes take a while to propagate. Check back after a few hours of setting it, then sign out and sign in again.
- Install Skype For Business Online PowerShell. Note: Skype for Business Online Connector is currently part of the latest Teams PowerShell module. If you’re using the latest Teams PowerShell public release, you don’t need to install the Skype for Business Online Connector. See Manage Skype for Business Online with PowerShell.
a. Download Skype for Business Online PowerShell.
b. Follow the prompts to install it.
c. Restart your machine.
- Launch PowerShell as an admin.
- Import the SkypeOnline Connector and sign in as a Teams admin, then run the following PowerShell cmdlets:
Import-Module SkypeOnlineConnector
$sfbSession = New-CsOnlineSession
Import-PSSession $sfbSession
Use Set-CsTeamsMeetingPolicy to set a Teams meeting policy to transition from Stream storage to OneDrive for Business and SharePoint:
Set-CsTeamsMeetingPolicy -Identity Global -RecordingStorageMode "OneDriveForBusiness"
Opting out of OneDrive for Business and SharePoint to continue using Stream
Even if a policy says it is set to Stream, it might not be set. Typically, if the policy is not set, then the default setting is Stream. However, with this new change, if you want to opt-out of using SharePoint or OneDrive for Business, then you must reset the policy to Stream to ensure that Stream is the default.
To configure the above, you will need to use PowerShell.
- Launch PowerShell as an admin.
- Import the SkypeOnline Connector and sign in as a Teams admin, then run the following PowerShell cmdlets:
Import-Module SkypeOnlineConnector
$sfbSession = New-CsOnlineSession
Import-PSSession $sfbSession
Set-CsTeamsMeetingPolicy -Identity Global -RecordingStorageMode "Stream"
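The section above stresses that the option must be set on every policy actually assigned to users, and that an unset value behaves as Stream. As an added example (not part of the original article), the script below lists the RecordingStorageMode of every Teams meeting policy in the tenant, names the ones that will still land in Stream, and only changes them when run with -Apply. It assumes the Skype for Business Online session has already been imported as shown above; -Apply is a switch of this script, not a parameter of the Teams cmdlets.

```powershell
# Added example, not part of the original article.
param([switch]$Apply)

# Every meeting policy, including Global and any custom per-user policies.
$policies = Get-CsTeamsMeetingPolicy | Select-Object Identity, RecordingStorageMode
Write-Host ($policies | Format-Table -AutoSize | Out-String)

# Anything not explicitly OneDriveForBusiness still records to Stream, including an unset value.
$onStream = @($policies | Where-Object { $_.RecordingStorageMode -ne 'OneDriveForBusiness' })
if ($onStream.Count -eq 0) {
    Write-Host 'All meeting policies already store recordings in OneDrive for Business.'
    return
}

foreach ($p in $onStream) {
    $current = if ($p.RecordingStorageMode) { $p.RecordingStorageMode } else { '(not set, defaults to Stream)' }
    Write-Host "$($p.Identity): $current"
    if ($Apply) {
        try {
            # Identity values such as "Tag:MyPolicy" are accepted as returned by Get-CsTeamsMeetingPolicy.
            Set-CsTeamsMeetingPolicy -Identity $p.Identity -RecordingStorageMode 'OneDriveForBusiness' -ErrorAction Stop
            Write-Host "  -> set to OneDriveForBusiness"
        }
        catch {
            Write-Warning "  could not update $($p.Identity): $($_.Exception.Message)"
        }
    }
}
if (-not $Apply) { Write-Host 'Dry run only; re-run with -Apply to change the policies listed above.' }
```

Run it once without -Apply to review the list, then with -Apply. Policy changes take a while to propagate, so re-run the audit after a few hours to confirm the values took effect.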
Permissions or role-based access
We recommend that the recipient is required to be a logged-in user when sharing Teams Meeting Recordings.
Select the People in (Your Organization) option when you share the file as documented in Share SharePoint files or folders. External sharing is not designed for the distribution of large files or a large number of files.
| Meeting type | Who clicked on Record? | Where does the recording land? | Who has access? R/W, R, or sharing |
|---|---|---|---|
| 1:1 call with internal parties | Caller | Caller’s OneDrive for Business account | Caller is owner and has full rights. Callee (if in the same tenant) has read-only access. No sharing access. Callee (if in a different tenant) has no access. Caller must share it to the Callee. |
| 1:1 call with internal parties | Callee | Callee’s OneDrive for Business account | Callee is owner and has full rights. Caller (if in the same tenant) has read-only access. No sharing access. Caller (if in a different tenant) has no access. Callee must share it to the Caller. |
| 1:1 call with an external call | Caller | Caller’s OneDrive for Business account | Caller is owner and has full rights. Callee has no access. Caller must share it to the Callee. |
| 1:1 call with an external call | Callee | Callee’s OneDrive for Business account | Callee is owner and has full rights. Caller has no access. Callee must share it to the Caller. |
| Group call | Any member of the call | Member who clicked on Record’s OneDrive for Business account | Member who clicked on Record has full rights. Other members from the same tenant have Read rights. Other members from a different tenant have no rights to it. |
| Adhoc/Scheduled meeting | Organizer | Organizer’s OneDrive for Business account | Organizer has full rights to the recording. All other members of the meeting have read access. |
| Adhoc/Scheduled meeting | Other meeting member | Member who clicked on Record | Member who clicked on Record has full rights to the recording. Organizer has edit rights and can share. All other members have read access. |
| Adhoc/Scheduled meeting with external users | Organizer | Organizer’s OneDrive for Business account | Organizer has full rights to the recording. All other members of the meeting from the same tenant as the organizer have read access. All other external members have no access, and the Organizer must share it to them. |
| Adhoc/Scheduled meeting with external users | Other meeting member | Member who clicked on Record | Member who clicked on Record has full rights to the recording. Organizer has edit rights and can share. All other members of the meeting from the same tenant as the organizer have read access. All other external members have no access, and the Organizer must share it to them. |
| Channel meeting | Channel Member | Teams’ SharePoint location for that channel | Member who clicked on Record has edit rights to the recording. Every other member’s permissions are based off of the Channel SharePoint permissions. |
Frequently Asked Questions
Where will the meeting recording be stored?
- For non-Channel meetings, the recording is stored in a folder named Recordings that is at the top level of the OneDrive for Business that belongs to the person who started the meeting recording. Example:
recorder’s OneDrive for Business/Recordings
- For Channel meetings, the recording is stored in the Teams site documentation library in a folder named Recordings. Example:
Teams name – Channel name/Documents/Recordings
How do I handle recordings from former employees?
Since videos are just like any other file in OneDrive for Business and SharePoint, handling ownership and retention after an employee leaves will follow the normal OneDrive for Business and SharePoint process.
Who has the permissions to view the meeting recording?
- For non-Channel meetings, all meeting invitees, except for external users, will automatically get a personally shared link. External users will need to be explicitly added to the shared list by the meeting organizer or the person who started the meeting recording.
- For Channel meetings, permissions are inherited from the owners and members list in the channel.
How can I manage transcripts?
Transcription of recorded Teams meetings in GCC is not yet available. This article will be updated to discuss managing transcripts once the feature ships to GCC.
How will my storage quota be impacted?
Teams meeting recording files live in OneDrive for Business and SharePoint and are included in your quota for those services. See SharePoint quota and OneDrive for Business quota.
You get more storage with OneDrive for Business compared with Stream and more fungible storage with SharePoint.
How can I play a Teams meeting recording?
Your video will play on the video player of OneDrive for Business or SharePoint depending on where you access the file.
If you plan on deprecating adding to Stream, will existing videos stay as is and for how long?
Stream as a platform will not be deprecated in the near future. The videos that currently live in Stream will remain there until we start migrating. Upon migration, those videos will be migrated to OneDrive for Business or SharePoint as well. Check Stream classic migration for more information.
How do I apply a retention label?
See How to auto-apply a retention label.
How do I assign policies to my users in Microsoft Teams and which policies take precedence?
See Which policy takes precedence?.
Quick Links
Read additional documentation here.
Watch “Meeting Recording” on our Microsoft 365 YouTube Channel for more information here:
https://www.youtube-nocookie.com/embed/8iol0KfCeL8