by Contributed | Jul 1, 2021 | Technology
This article is contributed. See the original author and article here.
Howdy folks,
I’m excited to share the latest Azure Active Directory provisioning capabilities to help you with your user lifecycle and directory management needs.
Automate provisioning users from Azure AD into on-premises applications
Azure AD now supports provisioning into on-premises applications, and we have a preview that we’re excited for you to deploy and share your feedback.
You must have an Azure AD Premium P1 or P2 tenant and an on-premises application that uses SQL as a data store or supports SCIM. You can request an invitation to the preview here. We plan to remove the invitation requirement in the coming months and add support for provisioning users into LDAP directories (excluding AD DS).
For those customers who have previously deployed Microsoft Identity Manager (MIM), you can reuse your existing connectors and configuration without needing a full MIM deployment. And for those customers building new applications, you can use our SCIM reference code to stand up a SCIM endpoint and easily provision users into your application, whether it’s on-premises or in the cloud.

More apps with pre-built user provisioning connectors
The Azure AD service now supports more than 200 provisioning connectors! Check out the growing list of applications here. Don’t see an app you’re looking for? Ask your application vendors to support the SCIM standard and onboard to the Azure AD application gallery. We’ll work with the ISV to quickly onboard.

New app integration wizard available in the Microsoft 365 admin center
To help more admins connect third-party apps to Azure AD, we’ve launched a new app integration wizard in the Microsoft 365 admin center. The app integration wizard makes it easier to connect apps in our app gallery to Azure AD by taking admins through a guided configuration experience for setting up single sign-on. Once applications have been set up for single sign-on, admins can then automate user provisioning using the hundreds of pre-built provisioning connectors.

Provisioning logs are now generally available
Monitor and troubleshoot your provisioning deployment with the provisioning logs using the UI, API, or by exporting the data as a CSV. You can also build custom dashboards, alerts, and queries on the data using our Azure Monitor integration.

Simplify building and testing expressions
Azure AD’s provisioning service allows you to transform data prior to exporting it into a target system. In order to make it easier to build and test the expressions used to transform data, we’ve built an expression builder that is now available in public preview. Learn more about it here, or visit our tips for general guidance on writing expressions.

HR-driven provision updates for international assignments, gig economy workers, and cross-domain manager references
- In large multi-national corporations, employees may temporarily work in international locations and return to their home base after the assignment is over. Typically HR creates a new user profile corresponding to this assignment, so we have updated our user provisioning integrations with Workday and SuccessFactors to support retrieval of international assignment data.
- In today’s gig economy, we see a rise in conversion scenarios, wherein a full-time worker converts to a contingent worker or vice versa. When this happens, HR teams that use Workday deactivate the previous employment record and create a new employment record that usually retains the previous employee ID. Classically, handling this scenario required manual intervention or creation of two separate Workday provisioning jobs to process full-time employees and contingent workers. With a recent update to our Workday integration, you can seamlessly handle this scenario so that the active employment record in Workday always takes over the ownership of the corresponding identity.
- If you are integrating HR provisioning with multiple on-premises Active Directory (AD) domains, you may come across scenarios where the user is part of one AD domain and the user’s manager is part of another AD domain. Such cross-domain manager references can now be resolved with a recent update and you can also search for duplicate UPNs / samAccountName values across multiple domains. Learn more in our cloud HR planning guide.
A new version of Azure AD Connect sync is available
The latest version of Azure AD Connect sync has added the following capabilities:
- Support for selective password hash synchronization
- A new Single Object Sync cmdlet helps you troubleshoot your Azure AD Connect sync configuration
- Default to the V2 endpoint, which provides improved performance and allows for syncing of groups with more than 50,000 members.
- A new built-in role, the Hybrid Identity Administrator, can be used for admins that are responsible for configuring the service.
Azure AD Connect cloud sync updated agent
With agent version 1.1.359, Azure AD Connect cloud sync admins can now use gMSA cmdlets to set and reset their gMSA permissions at a granular level. In addition, the limit of syncing members using group scope filtering has increased to 50,000 members. For more details on agent updates, including bug fixes, check out the version history.
As always, we’d love to hear your feedback or suggestions in the comments or on Twitter (@AzureAD).
Best regards,
Alex Simons (@Alex_A_Simons)
Corporate VP of Program Management
Microsoft Identity Division
by Contributed | Jul 1, 2021 | Technology
By Lothar Zeitler – Senior Program Manager | Microsoft Endpoint Manager – Intune
Mobile devices have become powerful enough to support various computationally intensive tasks. To help manage more complex projects, Samsung offers Samsung DeX, which creates a desktop experience for mobile users. With Samsung DeX, you can use mobile apps in desktop mode and work from your phone or tablet in a PC-like user interface. Samsung DeX is available on premium models. For more information and a list of supported devices, go to Samsung DeX (link to Samsung.com).
The Samsung DeX platform is an extension of Android Nougat’s multi-window mode, which means that you can use almost any Android application in desktop mode on a supported device. However, to optimize desktop/DeX performance, developers might need to customize their application (see Optimizing your app on the Samsung website). Note that both application and device policies implemented with Intune will continue to work with DeX without modification.
To use Samsung DeX, you simply connect a USB-C to HDMI cable to an external monitor. The DeX interface then appears on the screen via the video stream. You can also connect a mouse and keyboard to the mobile device via Bluetooth. Samsung DeX is also available as a desktop (host) application for Windows and macOS, which allows you to work simultaneously between your mobile device and your computer.
IT administrators who manage mobile devices with Microsoft Intune can use the service to manage Samsung DeX configurations. In this article, we will explain how to set up and configure DeX for managed Samsung devices in Intune.
Set up device management in Intune
First, you will need to create an enrollment profile and set up a device group for Samsung devices that are corporate-owned with a work profile. For detailed instructions, see Corporate-Owned devices with a Work Profile.
An example enrollment profile for “Corporate-owned devices with a work profile” looks like this:
Example enrollment profile for “Corporate-owned devices with a work profile”.
Next, we create a new device group to add all Samsung models with the same enrollment profile dynamically. We will use this dynamic group to assign policies, apps, and configurations, including the DeX configuration, to each new device that belongs to that group. We used the same enrollment profile name “Samsung COPE Test for DeX OEMConfig” for our device group. When you create this new group, make sure to select “Dynamic Device” in the Membership type field.
Example dynamic device group for DeX devices.
As a membership criterion for the group, we use the name of the enrollment profile. We define the rule criteria under Dynamic device members > Add a dynamic query. Under Property, we select enrollmentProfileName, then under Operator, select Equals, and under Value, we enter the profile name “Samsung COPE Test for DeX OEMConfig.”
Example dynamic device query for the “Samsung COPE Test for DeX OEMConfig” profile.
Now, all devices that are enrolled with this profile in Intune automatically become members of our group.
Configure Samsung DeX settings
OEMConfig is an Android standard that we use to add, create, and customize OEM-specific settings, including DeX settings, for Android Enterprise devices. OEMConfig configuration settings are delivered to a device via an OEMConfig app. This section explains how to add an OEMConfig app and then create an OEMConfig profile.
Add the Knox Service Plugin app
Samsung offers the Knox Service Plugin (KSP) to help IT admins create and push app configurations to managed devices. To apply an OEMConfig configuration to a Samsung device, the KSP app must be installed first. The KSP app is available in Google Play and can be automatically deployed to devices using Intune.
In the Microsoft Endpoint Manager admin center, add the KSP app via the Managed Google Play Store. For detailed instructions, see Add and assign Managed Google Play apps to Android Enterprise devices.
Adding the “Knox Service Plugin” via the Managed Google Play Store.
Once the KSP app is visible in the apps list in Intune, you can assign it to the device group. Navigate to Apps > Knox Service Plugin > Properties > Assignments (select Edit).
Adding a new app assignment for the Knox Service Plugin app.
On the Edit application page under the Required option, we add the same device group we created earlier: “Samsung COPE Test for DeX OEMConfig.” This will enforce a mandatory install of the app on any device in the group. For detailed instructions, see Assign apps to groups with Microsoft Intune.
After a device is enrolled using the QR code and the applicable profile, the KSP app is automatically installed. Once installed, the OEMConfig policy will be assigned to the device.
Create and assign an OEMConfig policy
We typically use OEMConfig to configure settings that aren’t built into Intune, and the available settings depend on what the original equipment manufacturer (OEM) includes in their OEMConfig app. For detailed information on OEMConfig policies, see Use and manage Android Enterprise devices with OEMConfig in Microsoft Intune.
First, we need to create an Android Enterprise configuration profile with the type OEMConfig.
Creating a new Android Enterprise OEMConfig configuration policy.
We continue to use the same name as the enrollment profile for the OEMConfig profile: “Samsung COPE Test for DeX OEMConfig,” and then select the Knox Service Plugin as the OEMConfig app, which means it is the designated app to deploy the OEMConfig profile to devices.
Assigning the Knox Service Plugin to the newly created OEMConfig profile.
On the Configuration settings page, we search for DeX settings (select the Locate search link). This will show us all available DeX settings that we might want to configure later. You can configure additional settings in the profile, beyond the DeX configuration. There are different parameters and options for each item in the profile configuration settings.
Clicking on the “Locate” search link to show all available DeX settings.
In our example scenario, we want to use the DeX for Windows application to display the DeX interface on the PC when connecting the device, and we also want to use the PC keyboard and mouse. With this setup, a user can easily copy data between a PC and DeX device. You can allow or block the direction of data flow, i.e., PC → DeX or DeX → PC, under Configure file transfer settings, as shown below.
Example of all available DeX customization options with the “Configure file transfer settings” highlighted.
As a next step, we want to configure the connection settings and use a custom background picture.
We now create an OEMConfig policy called “Samsung COPE Test for DeX OEMConfig.” First, we define a profile name, “DeX Config.” For our example, we will also add a Knox license key for the E-FOTA service.
Creating a new OEMConfig policy named “Samsung COPE Test for DeX OEMConfig”.
The DeX customization profile (Premium) item takes us to the list of configuration options for DeX. First, we set the Auto-start DeX on HDMI connection to True, which will configure DeX to start automatically when an HDMI connection is established. We also set the Enable Mouse Cursor Flow option to True, which will enable mouse movements between the connected screen and the DeX device.
Configured settings under the “DeX customization profile (Premium)” setting.
Next, we will set a custom wallpaper image that will show when a device is in DeX mode. Under Set DeX Wallpaper, we select a Web URL for the Wallpaper Image, enter the image’s URL, and then choose where the wallpaper should be applied (option: Which Wallpaper to setup? All, On lock screen, or Not configured).
Configuring a custom wallpaper image that will show when a device is in DeX mode.
Note: To edit previous KSP configuration settings, select the ellipses next to an item (…).
To edit previous KSP configuration settings, select the “ellipses” button next to an item.
Once the DeX configuration is complete, we select Next twice. Then, under Add Groups, select the group “Samsung COPE Test for DeX OEMConfig” that we previously created.
Assigning a group under a new OEMConfig profile.
On the summary page, review the settings and select Create to create the profile.
Summary page of a new OEMConfig profile.
The configuration is now ready to use. When you connect a DeX device, a connection dialog appears.
Connection dialog example when connecting a new DeX device to your device.
Select Start Now to establish a connection to the external device or screen and start the DeX interface.
Wallpaper configuration example from a recently connected DeX device that received the configured OEMConfig.
Note: The wallpaper configuration in the OEMConfig, like other settings, is dynamic. When you change the image source in the settings, the wallpaper will change.
Note: If you want to use the DeX host application, you must first install the software on the PC. When a DeX device connects to the PC, the DeX icon will appear in the tray.
Example of the DeX icon in the Windows system tray when a DeX device connects to the PC.
Tips for using OEMConfig and DeX
When using OEMConfig and DeX, there are a few considerations and practices to keep in mind.
OEMConfig variations
OEMConfig is a functionality that is available as part of Android Enterprise. Almost all OEMs provide an app to support device-specific configurations. However, the set of options varies from OEM to OEM.
Debug mode
Samsung has an optional OEMConfig setting for debug mode. In debug mode, the KSP app remains visible and active on the device to facilitate troubleshooting.
| KSP Debug Mode | KSP Configuration | KSP Profile |
| --- | --- | --- |
| Screenshot of the Knox Service Plugin in Debug Mode on a DeX device. | Screenshot of the Knox Service Plugin and configurations applied on a DeX device. | Screenshot of the Knox Service Plugin and configured settings on a DeX device. |
Error messages
OEMConfig error messages are displayed in the Microsoft Endpoint Manager admin center. Select Devices > All devices, choose the device from the list, and then go to App Configuration.
Screenshot of the “App configuration” blade in the Microsoft Endpoint Manager admin center.
Note: The error messages in the admin center are identical to the messages created by the KSP app. You can find a list of error messages in the Samsung Knox documentation.
Device-wide policies
You can apply some DeX policies to all users on the device, regardless of work profile and personal settings. You’ll find these settings under the Knox Service Plugin settings, as shown below.
Screenshot of a sample OEMConfig and highlighted example of the “Device-wide policies” that can be targeted to DeX devices.
Expand this section to find the device-wide DeX policies.
Screenshot of a sample OEMConfig and an expanded “DeX policy” section to find device-wide policies.
Now that you have a better understanding of how to manage Samsung DeX devices in Microsoft Intune, you can help your company take advantage of this technology. If you have any questions, reply to this post or reach out to @IntuneSuppTeam on Twitter.
by Contributed | Jul 1, 2021 | Technology
Whether it’s for reporting or offloading queries from production, there are things you need to keep in mind when using a Geo Replicated Azure SQL Database Readable Secondary. Discuss with MVP Monica Rathbun the challenges when it comes to performance tuning, what to keep in mind, and what to expect.
Watch on Data Exposed
by Contributed | Jul 1, 2021 | Technology
Your feedback informs us on what you want added, improved, and enhanced in Project for the web. As you may be aware, UserVoice will be retired at the end of June 2021. We value your input and want to keep the momentum of our conversations going. Please continue to provide us your suggestions either within the app or in the comment section below.
The updates for June are as follows:
New Features
- Choice Custom Fields: Create custom fields that allow you to quickly choose from several pre-set options. To learn more about these new fields, check out our blog post here.

- Filter by Progress States: Filter your projects so you can see only your Not started, In progress or Completed tasks. Hide tasks that aren’t applicable to your work right now!

- Filter on the Board & Timeline: Quickly find your tasks by filtering your tasks on Board & Timeline by keyword or assignee.
- Import from Project desktop: Users can import .mpp files from Project desktop to Project for the web. This functionality is available to all users, and you can learn more about how to use this feature by reading our blog post here.
- Project Power BI Template App: The Project Power BI Template is now available as an app accessible from Power BI or on App Source (Microsoft Project for the Web).

- Copy link to task improvements: When you copy a link to your task, the link will be shown with the task name as the URL.
Upcoming Features
- Assign tasks to non-group members: Assign tasks to add anyone in your organization to your project automatically.
- Rollup Custom Fields: Add summary, average, max, or minimum calculations to your numeric custom fields. See the rollup value of all your subtasks in your summary task field.
Microsoft Project Trivia!
Last Month:
- Question: In project management, milestones often represent significant events that happen during the project process. How can you create milestones in Project for the web?
- Answer: You can create a milestone by setting your task’s duration to 0 days.
This Month:
- Question: Users of Project for the web can use the Board view as a Kanban Board for work management. What language does the word Kanban originate from, and what does it mean in that language?
by Grace Finlay | Jul 1, 2021 | Marketing, Tips and Tricks
Email marketing is one of the top advertising channels. For every dollar you pay, you expect to receive a significant return on your investment. However, have you yet to achieve a high Return On Investment (ROI) from your email marketing efforts? If so, here are some tips to get on the right track to achieve high sales figures and big profits.
One crucial factor that plays an essential role in all email marketing strategies is the subject line. The subject line is one of the first things recipients see when your email arrives in their inboxes. Thus, your subject line must be catchy, attractive, and personalized to make sure that your emails stand out from the crowd. However, before you get into subject line personalization, you must understand the benefits of doing so. This article will provide you with valuable tips that will help you personalize your emails and achieve high marketing conversion rates.
Personalization is the best way to differentiate your brand from the rest. Studies have shown that email marketing strategies that focus on offering customers personalization achieved better results and achieved higher levels of response and engagement. In fact, a recent study revealed that email marketing strategies that provide customers personalization gained twice the response rate as those which did not. So, in this case, personalization is not only about making your emails stand out from the crowd, but it is also about convincing your customers to give your emails a second look.
Personalization is also an important email marketing strategy to counter the “spam” problem. Studies show that spam messages often receive the worst open rates of any email marketing strategy. Therefore, you must take steps to ensure that your emails don’t end up in the spam folder. The easiest way to do this is to personalize your email marketing strategies.
Another email marketing strategy that many companies overlook is designing sponsorship email campaigns. Typically, sponsorship email campaigns are characterized by text-based content. However, plain text proves to be much more effective than the typical image-based email copy. A plain text sponsorship email campaign is often more compelling for your target audience because text is more informative and unique than the average image-based email copy. Furthermore, the text is more customizable, allowing you to design email copy that is specific to your target audience. Finally, one can enhance email campaigns designed for mobile devices with custom graphics and images. One reason why mobile email campaigns are much more successful is that these devices are easier to access and use on a regular basis. Because of this, you must invest time in ensuring that your email designs are accessible across all different types of mobile devices. By investing time and effort into making sure that your email campaigns are accessible across various mobile devices, you will be able to enjoy a higher level of revenue per customer.
by Contributed | Jul 1, 2021 | Technology
The pandemic has permanently changed how organizations of all sizes work. A substantial increase in hybrid and remote work has presented new compliance challenges, and organizations have responded by growing their compliance functions. A recent study shows that there were 257 average daily regulatory alerts across 190 countries in 2020, and keeping up with regulatory changes continues to be the top compliance challenge[1].
To help organizations simplify compliance and reduce risk, we built Microsoft Compliance Manager, generally available since September 2020. Compliance Manager translates complex regulatory requirements into specific recommended actions and makes them available through premium assessment templates, covering over 300 regulations and standards. By leveraging the universal mapping of actions and controls, premium assessment templates allow customers to comply with several requirements across multiple regulations or standards with one action, providing an efficient solution to manage overlapping compliance requirements. Premium assessment templates along with built-in workflows and continuous compliance updates allow organizations to constantly assess, monitor, and improve their compliance posture.
To meet customers where they are in their compliance journey, we are excited to announce that Compliance Manager premium assessment templates will no longer require a Microsoft 365 E5 or Office 365 E5 license as a prerequisite. This update enables all enterprise customers to assess compliance with the regulations most relevant to them and meet their unique compliance needs. Starting July 1st, 2021, all Enterprise customers, both commercial and government, can purchase premium assessment templates as long as they have any Microsoft 365 or Office 365 subscription. Customers who have already purchased a premium assessment template or are using the default templates included with their subscription will not experience any disruption or change. Customers with Microsoft 365 E1/E3 or Office 365 E1/E3 subscriptions will now be able to see the list of 300+ premium assessment templates in their tenants. The capability to create a new template, customize an existing template, or add customized actions to a given template will continue to require a Microsoft 365 E5 or Office 365 E5 subscription.
We look forward to hearing your feedback.
Get Started
Navigate to the Microsoft 365 compliance center or sign up for a Microsoft 365 E5 Compliance trial to get started with Compliance Manager premium assessments today! Compliance Manager premium assessment SKUs can be purchased in Microsoft admin center.
Learn more:
- Compliance Manager licensing details.
- List of premium assessment templates here.
- Learn more about Compliance Manager here.
Shilpa Bothra,
Product Marketing Manager
On behalf of the Compliance Manager team.
[1] Cost of Compliance, 2021, Thomson Reuters
by Contributed | Jul 1, 2021 | Technology
It’s been nearly two years since we first announced the July 31, 2021 retirement of Skype for Business Online. Hundreds of upgrade workshops and millions of successful Skype for Business Online to Teams transitions later, we’re closing in on this significant milestone.
With a month before service retirement, we encourage remaining Skype for Business Online customers to continue transitioning users and workloads to Teams. Here’s some additional guidance to help ensure a successful journey to Teams:
Microsoft-assisted Upgrades to Teams
Organizations that have not yet upgraded to Teams Only will be scheduled for Microsoft assisted upgrades to Teams to help with last-mile technical elements of the transition. Scheduling notifications are sent to tenant admins within the Microsoft 365 Message Center and Teams admin center 90 days before the date of the assisted upgrade. Even after scheduling, customers may still self-upgrade prior to the assisted upgrade date to better control the timing of their upgrade experience.
Assisted upgrades will begin in August 2021 with tenant-specific dates shared in the scheduling notifications mentioned above. Organizations that are scheduled for assisted upgrades after July 31, 2021 will be able to use Skype for Business Online until their upgrade is complete.
The assisted upgrade experience will differ slightly depending on whether organizations have a Skype for Business Online-only or a Skype for Business Online with hybrid environment.
- Skype for Business Online-only: The assisted upgrade process will apply the TeamsUpgradeOverridePolicy policy to the tenant. When this policy is applied, all Skype for Business Online users will be placed in Teams Only mode.
- Skype for Business Online users in hybrid environment: The assisted upgrade will only switch Skype for Business Online users to Teams Only mode if they’re not already in that mode. Skype for Business Server users won’t be impacted by the assisted upgrade process and will remain on-premises.
The duration of the upgrade will vary by volume of users and the characteristics of the deployment. In most cases, users within a tenant will be upgraded within 24 hours of the start of the upgrade. During this time, end users will still have access to Skype for Business Online functionality. Once the upgrade has completed and users sign out of Skype for Business Online, they’ll start using Teams for messaging, meetings, and calling. Post-upgrade, all new online users will be added in Teams Only mode.
Learn more about the post-upgrade experience.
Migrating Skype for Business Online Meetings and Contacts to Teams
Regardless of whether an organization manages all aspects of the upgrade or uses the assisted process, our guidance includes steps to ensure meetings and contacts are successfully migrated from Skype for Business Online to Teams.
- Migrating Meetings Data to Teams: It’s important for customers with Skype for Business Online-only deployments to use the Meeting Migration Service (MMS) to migrate existing Skype for Business Online meetings to Teams meetings prior to the assisted upgrade date to avoid the potential for data loss. Learn more about how MMS works.
- Migrating Contacts to Teams: Existing contacts from Skype for Business Online including federated (but no distribution lists) will be migrated when users log into Teams for the first time. Users must take this step within 90 days of the completed upgrade.
Got that. What else?
Here are a few other things to know about the retirement of Skype for Business Online:
We’re here to help
The following upgrade resources are available to help enable a successful transition to Teams and prepare for the retirement of Skype for Business Online:
Organizations that have completed their transitions can attest to the transformational benefits Teams brings. And while the retirement of Skype for Business Online has us a little nostalgic, we can’t be more excited about how Teams helps our customers accomplish more across work, school, and life.
See you in Teams!
by Contributed | Jul 1, 2021 | Technology
Why?
In April, I showed how to unpack and repack Power Apps .msapp files of Canvas Apps in the blog post Power Apps Source Code file editing for Canvas Apps (microsoft.com). Using this functionality, we can view and edit the source code of Canvas Apps. In a recent announcement (Canvas source code tool integrated with Power Platform CLI | Microsoft Power Apps), Microsoft announced that the same functionalities are now available within the Power Platform VS Code Extension of Visual Studio Code!

This means that after installing this extension, we can do the same unpacking and packing without leaving Visual Studio Code.
What?
This post will show how easy it is to use Visual Studio Code so we can unpack and (re)pack .msapp files of Canvas Apps:

How?
1) First install the Power Platform VS Code Extension in your Visual Studio Code Client using the Visual Studio Marketplace (Power Platform VS Code Extension – Visual Studio Marketplace).

2) After installing the extension, a computer restart may be required. From this moment on, we can run commands from within Visual Studio Code using the built-in Terminal.
In my example I saved the text file with commands as a PowerShell file (.ps1). In this type of file, shortcuts like F8 can be used to run selected commands:

Notice the improved commands where referencing (input and output) files is much easier now!

In the Marketplace screenshot above, you can see that the extension is in Preview at the moment.
Please be aware of this and read the announcement link above on how to report issues.
Originally published at Power Apps: source code edit for Canvas Apps in Visual Studio Code » Knowhere365
by Scott Muniz | Jul 1, 2021 | Security, Technology
The National Security Agency (NSA), Cybersecurity and Infrastructure Security Agency (CISA), Federal Bureau of Investigation (FBI), and the UK’s National Cyber Security Centre (NCSC) have released Joint Cybersecurity Advisory (CSA): Russian GRU Conducting Global Brute Force Campaign to Compromise Enterprise and Cloud Environments.
The CSA provides details on the campaign, which is being conducted by the Russian General Staff Main Intelligence Directorate (GRU) 85th Main Special Service Center (GTsSS). The campaign uses a Kubernetes® cluster in brute force access attempts against the enterprise and cloud environments of government and private sector targets worldwide. After obtaining credentials via brute force, the GTsSS uses a variety of known vulnerabilities for further network access via remote code execution and lateral movement.
CISA strongly encourages users and administrators to review the Joint CSA for GTsSS tactics, techniques, and procedures, as well as mitigation strategies.
by Contributed | Jul 1, 2021 | Technology
ADF does not directly support copying a folder or multiple files from SharePoint Online, but there are workarounds to achieve this. Two additional steps are needed compared to a single-file copy:
- Get the list of files:
  - The user can maintain the file names in a text file manually, OR
  - Use a Web Activity to call the SharePoint REST API to get the list of files.
- Use a ForEach Activity to loop over the list of relative file names and pass each file name to the Copy Activity (the Base URL changes a bit compared to a single-file copy).

Below is what the pipeline flow looks like:
- Web1 – Get the access token from SPO
- Web2 – Get the list of files from the SPO folder
- ForEach1 – Loop over the list of file names
- Copy1 – Copy data with the HTTP connector as source


Step 1:
Grab Access token from SPO
Copying a file from SharePoint Online uses AAD/service principal authentication and the SharePoint API to retrieve files.
- Register SharePoint Application and Grant permission – https://docs.microsoft.com/en-us/azure/storage/common/storage-auth-aad-app?tabs=dotnet#register-your-application-with-an-azure-ad-tenant
a) Register AAD Application
- On Azure Portal, go to AAD app registration page: https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/RegisteredApps
- New Registration -> Enter your App name
- Go to “Certificates & secrets” and create a new client secret; you can set the expiry to 1Y/2Y/Never

b) Grant SharePoint site permission to your registered App (need site owner permission on SharePoint)

Full details on how to register the app and grant permissions are in the prerequisites here – https://docs.microsoft.com/en-us/azure/data-factory/connector-sharepoint-online-list#prerequisites
c) Create an ADF Pipeline. Start by creating a Web Activity to get the access token
Headers:
- Content-Type: application/x-www-form-urlencoded
Body:
- grant_type=client_credentials&client_id=[Client-ID]@[Tenant-ID]&client_secret=[Client-Secret]&resource=00000003-0000-0ff1-ce00-000000000000/[Tenant-Name].sharepoint.com@[Tenant-ID]
Run a debug run to check that the activity succeeds, and check the activity output to confirm that it returns the access token in the payload. You can also use the Postman client to check that the token is valid.

Step 2:
Get the list of Files
- Create another Web Activity to get the list of files
Headers:
- Authorization: @{concat('Bearer ', activity('WebActivity1Name').output.access_token)}
- Accept: application/json
Run a debug run to check that the activity succeeds and that its output shows the list of files under the folder.

Step 3:
Loop the list of relative file names
- Create a ForEach Activity with inner Copy activity
- Items: @activity('WebActivity2Name').output.value



Step 4:
Create Copy activity
- New dataset -> HTTP -> Binary type:
a) HTTP linked service
b) Configure copy activity HTTP source
Dataset properties:
- Name: RelativeURL (Any name)
- Value: @{item().ServerRelativeUrl}
- Request method: GET
- Additional header: "Authorization: Bearer <accessToken>" (accessToken is generated in Step 1)
Tip: You can test first with a static access token taken from the previous Web activity output. You can also use an expression (add dynamic content): @{concat('Authorization: Bearer ', activity('WebActivityName').output.access_token)}

c) Configure Linked Service properties
- Name: FileName (Any Name)
- Value: @dataset().RelativeURL


2. Create Copy sink as below

Successful pipeline run as follows:

Thanks to @Jijo Puthooran for helping me in authoring this blog.
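
The requests that Web1, Web2, ForEach1 and Copy1 exchange can be sketched offline. This is an added example, not code from the original post: the function names, the `contoso`/`demo` tenant and site, and the sample payloads are constructed, and the `GetFileByServerRelativeUrl(...)/$value` download URL is an assumption taken from Microsoft's SharePoint connector documentation, not from this page. It form-encodes the Step 1 body, so a client secret containing `&`, `=` or `+` cannot split or alter the fields, and it rejects any returned path outside the folder that was listed before building a download URL.

```python
# Added example: offline sketch of the Web1 -> Web2 -> ForEach1 -> Copy1 requests.
import json
from urllib.parse import quote, urlencode

SPO_PRINCIPAL = "00000003-0000-0ff1-ce00-000000000000"  # resource id from Step 1

def token_request_body(client_id, tenant_id, tenant_name, client_secret):
    """Step 1 body. urlencode() escapes '&', '=', '+' that a secret may contain."""
    return urlencode({
        "grant_type": "client_credentials",
        "client_id": f"{client_id}@{tenant_id}",
        "client_secret": client_secret,
        "resource": f"{SPO_PRINCIPAL}/{tenant_name}.sharepoint.com@{tenant_id}",
    })

def auth_header(token_payload):
    """Mirror of the concat('Bearer ', ...output.access_token) expression."""
    return "Bearer " + json.loads(token_payload)["access_token"]

def odata_literal(path):
    """Quote a path for an OData call: double single quotes, then percent-encode."""
    return "'" + quote(path.replace("'", "''"), safe="/") + "'"

def file_urls(list_payload, site_url, folder):
    """Steps 2-4: map the Web2 'value' array to one download URL per file,
    refusing any entry that is not inside the folder that was listed."""
    prefix = folder.rstrip("/") + "/"
    urls = []
    for item in json.loads(list_payload)["value"]:
        rel = item["ServerRelativeUrl"]
        if not rel.startswith(prefix) or ".." in rel.split("/"):
            raise ValueError(f"unexpected path in file list: {rel!r}")
        # Assumed endpoint shape (Microsoft connector docs, not shown on this page).
        urls.append(f"{site_url}/_api/web/GetFileByServerRelativeUrl({odata_literal(rel)})/$value")
    return urls

# Constructed sample payloads; tenant, site and token values are placeholders.
SAMPLE_TOKEN = json.dumps({"token_type": "Bearer", "access_token": "<constructed-token>"})
SAMPLE_LIST = json.dumps({"value": [
    {"Name": "a.csv", "ServerRelativeUrl": "/sites/demo/Shared Documents/in/a.csv"},
    {"Name": "O'Brien.csv", "ServerRelativeUrl": "/sites/demo/Shared Documents/in/O'Brien.csv"},
]})

if __name__ == "__main__":
    for url in file_urls(SAMPLE_LIST, "https://contoso.sharepoint.com/sites/demo",
                         "/sites/demo/Shared Documents/in"):
        print(url)
```

The prefix check is case-sensitive, so pass the folder exactly as SharePoint returns it in `ServerRelativeUrl`.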