Migrating Your DataCenter to Azure

One of the last tasks in my CTO tenure at ShareSquared was to move us fully to Azure. Like many SoCal organizations, we had a data center location in Los Angeles with a couple of racks of equipment.

This included several large machines for running our virtual environments with SharePoint and 3rd party products.  As part of a separate goal, I was able to get ShareSquared to Gold Cloud Partner status, which gave us $12K in yearly spend for an Azure subscription.  This meant we could do many of the things we were doing in the data center via IaaS in Azure.

The data center included the following:

  • Forefront TMG as the data center firewall
  • Domain Controllers
  • ADFS (serving our O365 logins)
  • Misc servers to support development (SharePoint, SQL Server, TFS, etc)

Moving the Domain Controller:

We wanted to have a backup strategy in case we ended up needing to fail back to ADFS.  The only way that would work is to have a domain controller in Azure with ADFS enabled.  There are some issues with doing this, of course.  The first is that you can’t simply turn one of your current domain controllers into a VHD and upload it.  Azure VMs need lots of “agents” to support all that fancy security and configuration.  Therefore, I had to build a DC in the Azure tenant, which meant I had to create a VPN from our data center to the Azure VM.

Creating a VPN connection to Azure isn’t totally straightforward, but luckily Apple iOS had already forced me to move to L2TP and SSL VPN endpoints.  Unfortunately, Azure only supports SSL VPN connections directly from the VMs.

Setting up the VPN:

Forefront TMG was our gateway firewall.  TMG has many cool features even for how old it is.  Originally I wanted the VPN traffic to go straight to the DC with RAS, but that proved to be difficult with the whole SSL VPN configuration.  If I had been able to use L2TP or PPTP then life would have been a breeze.  But it’s not, so I had to fall back to an SSL VPN that terminated at the Forefront device.  The TMG software is very flexible, probably too much so.  After some serious testing/configuring, I was able to set up and connect to the SSL VPN from the Azure VM.  Unfortunately, TMG puts everything into “virtual networks”, so I ended up having to create firewall rules between VPN clients, the local network and the internet for every possible path; that took the most time of the entire migration.

Creating the Domain Controller and Moving the Roles

Once the VPN was working and all the firewall allow rules were set up, I was able to promote the Azure VM to a DC.  Once that was done I was able to move all the DC roles to the Azure VM.
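The promotion and role transfer described above, as an added PowerShell example (not the post’s own scripts). It assumes the Azure VM is named AZ-DC01, the domain is corp.example.com, the VNet address space is 10.1.0.0/16, the on-prem site is still Default-First-Site-Name and the new AD site is called Azure-WestUS; all of those are placeholders.

```powershell
# Added example, not from the original post. Placeholders: corp.example.com,
# AZ-DC01, 10.1.0.0/16, Default-First-Site-Name, Azure-WestUS.

# --- Step 1: on an existing on-premises DC, give the VNet its own AD site,
# subnet and site link so replication partners and client logons are chosen
# sensibly instead of every Azure client hairpinning over the VPN.
New-ADReplicationSite -Name 'Azure-WestUS'
New-ADReplicationSubnet -Name '10.1.0.0/16' -Site 'Azure-WestUS'
New-ADReplicationSiteLink -Name 'OnPrem-Azure' `
    -SitesIncluded 'Default-First-Site-Name', 'Azure-WestUS' `
    -Cost 100 -ReplicationFrequencyInMinutes 15

# --- Step 2: on the Azure VM. It must already reach the on-prem DCs over the
# VPN, with the NIC's DNS servers pointed at them, or the promotion fails on
# locating a domain controller.
Install-WindowsFeature AD-Domain-Services -IncludeManagementTools
Install-ADDSDomainController `
    -DomainName 'corp.example.com' `
    -SiteName 'Azure-WestUS' `
    -InstallDns `
    -Credential (Get-Credential -Message 'Domain Admin used for the promotion') `
    -SafeModeAdministratorPassword (Read-Host -AsSecureString 'DSRM password') `
    -Force                                   # reboots when finished

# --- Step 3: after the reboot, transfer (not seize) all five FSMO roles.
# Seizing is only for role holders that are gone for good; the on-prem DCs are
# still online here, and seizing while they are up causes duplicate role holders.
Move-ADDirectoryServerOperationMasterRole -Identity 'AZ-DC01' `
    -OperationMasterRole SchemaMaster, DomainNamingMaster, PDCEmulator, RIDMaster, InfrastructureMaster `
    -Confirm:$false

# --- Step 4: verify before touching the on-prem DCs. All five roles should read
# AZ-DC01 and replsummary should show zero failures; if not, do not demote anything.
Get-ADForest | Select-Object SchemaMaster, DomainNamingMaster
Get-ADDomain | Select-Object PDCEmulator, RIDMaster, InfrastructureMaster
repadmin /replsummary
repadmin /showrepl AZ-DC01
```

The PDC emulator is the domain’s authoritative time source, so once it lands on the Azure VM that VM should be configured to sync time externally rather than from the Hyper-V host clock; checking `w32tm /query /source` on it after the transfer is a cheap sanity check.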

I also installed the Azure AD Connect client and had it take over as the primary replication services.

Unfortunately, running a DC in Azure comes at some price when you don’t do things quite right; hey, you live and learn!  What I will simply say is…

  1. Understand how to do an authoritative SYSVOL restore (the D4/D2 BurFlags method for FRS, msDFSR-Options for DFSR) aka DFS sucks
  2. Back up your SYSVOL in case you need it later – for us this wasn’t as important, as we didn’t need to apply GPOs or run any login scripts anymore
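Both points above in one added PowerShell example (not from the post): back up SYSVOL from the copy you trust, then run the documented msDFSR-Options authoritative restore for a DFSR-replicated SYSVOL. AZ-DC01 is the assumed authoritative DC and C:\SysvolBackup the assumed backup path; the other DCs are discovered from the domain. Run it as a Domain Admin from a box with the AD PowerShell module.

```powershell
# Added example, not from the original post. Authoritative SYSVOL restore for
# DFSR (Windows Server 2008-mode domains and later). Assumptions: AZ-DC01 holds
# the SYSVOL content you want every other DC to take; C:\SysvolBackup is scratch.
$authDC   = 'AZ-DC01'
$domainDN = (Get-ADDomain).DistinguishedName
$otherDCs = Get-ADDomainController -Filter * |
            Where-Object { $_.Name -ne $authDC } |
            Select-Object -ExpandProperty Name

# Point 2 first: keep a copy of the source SYSVOL before touching replication.
robocopy "\\$authDC\SYSVOL" 'C:\SysvolBackup' /E /COPYALL /R:1 /W:1

function Get-SysvolSubscriptionDN([string]$dc) {
    "CN=SYSVOL Subscription,CN=Domain System Volume,CN=DFSR-LocalSettings,CN=$dc,OU=Domain Controllers,$domainDN"
}

# Poll the DFS Replication log on $dc until event $id has been written since $since.
function Wait-DfsrEvent([string]$dc, [int]$id, [datetime]$since) {
    do {
        Start-Sleep -Seconds 15
        $hit = Get-WinEvent -ComputerName $dc -ErrorAction SilentlyContinue `
                   -FilterHashtable @{ LogName = 'DFS Replication'; Id = $id; StartTime = $since }
    } until ($hit)
}
$t0 = Get-Date

# 1. Authoritative DC: stop SYSVOL replication and flag it as the source (Options = 1).
Set-ADObject -Identity (Get-SysvolSubscriptionDN $authDC) `
    -Replace @{ 'msDFSR-Enabled' = $false; 'msDFSR-Options' = 1 }
# 2. Every other DC: stop replication; they will resync from the source afterwards.
foreach ($dc in $otherDCs) {
    Set-ADObject -Identity (Get-SysvolSubscriptionDN $dc) -Replace @{ 'msDFSR-Enabled' = $false }
}
# 3. Push the attribute changes to all DCs, make the source re-read AD, wait for 4114.
repadmin /syncall /AdeP
dfsrdiag pollad /member:$authDC
Wait-DfsrEvent $authDC 4114 $t0
# 4. Re-enable the source, poll AD again, wait for 4602 (SYSVOL initialised as primary).
Set-ADObject -Identity (Get-SysvolSubscriptionDN $authDC) -Replace @{ 'msDFSR-Enabled' = $true }
repadmin /syncall /AdeP
dfsrdiag pollad /member:$authDC
Wait-DfsrEvent $authDC 4602 $t0
# 5. Bring the others back one at a time: 4114 (stopped) -> enable -> 4604 (initial sync done).
foreach ($dc in $otherDCs) {
    dfsrdiag pollad /member:$dc
    Wait-DfsrEvent $dc 4114 $t0
    Set-ADObject -Identity (Get-SysvolSubscriptionDN $dc) -Replace @{ 'msDFSR-Enabled' = $true }
    dfsrdiag pollad /member:$dc
    Wait-DfsrEvent $dc 4604 $t0
}
# The share should be back on every DC; GPO processing depends on it.
Get-SmbShare -CimSession ($otherDCs + $authDC) -Name SYSVOL
```

Event 4604 on a non-authoritative DC means its SYSVOL was replaced by the source’s content, so anything edited only on that DC during the outage is gone; that is exactly why the robocopy at the top runs before step 1 rather than after.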

Migrating ADFS

Similar to Active Directory domain controllers, ADFS has a primary server and secondary servers.  You can’t really configure a second ADFS server and have your external services point at it.  You have to make the new ADFS server part of the existing ADFS farm, then make it the primary server.  The old ADFS server will still work and accept traffic, but the management UI only works on the primary.
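The farm join and primary swap described above, as an added PowerShell example (not the post’s own). It assumes a WID farm, an on-prem primary adfs01.corp.example.com, a new domain-joined Azure node az-adfs01.corp.example.com with the sts.example.com SSL certificate already in its machine store, and the same ADFS service account on both; all are placeholders.

```powershell
# Added example, not from the original post. WID farm assumed; with a SQL farm
# there is no primary/secondary distinction and the Set-AdfsSyncProperties steps
# do not apply. Placeholders: adfs01, az-adfs01, sts.example.com.
$oldPrimary = 'adfs01.corp.example.com'
$newPrimary = 'az-adfs01.corp.example.com'
$stsName    = 'sts.example.com'

# --- On az-adfs01: install the role and join the farm as a secondary.
Install-WindowsFeature ADFS-Federation -IncludeManagementTools
$thumb   = (Get-ChildItem Cert:\LocalMachine\My | Where-Object Subject -like "CN=$stsName*").Thumbprint
$svcCred = Get-Credential -Message 'ADFS service account (the one the farm already uses)'
Add-AdfsFarmNode -PrimaryComputerName $oldPrimary `
                 -CertificateThumbprint $thumb `
                 -ServiceAccountCredential $svcCred

# Do not promote until the WID configuration has actually synced from the primary.
do { Start-Sleep -Seconds 30; $sync = Get-AdfsSyncProperties } until ($sync.LastSyncStatus -eq 0)

# --- Swap roles. Order matters: make the new node primary first, then point the
# old one at it, so the farm never ends up with two primaries or none.
Set-AdfsSyncProperties -Role PrimaryComputer
Invoke-Command -ComputerName $oldPrimary -ScriptBlock {
    Set-AdfsSyncProperties -Role SecondaryComputer `
        -PrimaryComputerName $using:newPrimary -PrimaryComputerPort 80
}

# --- Before moving DNS for $stsName to Azure, prove both nodes will issue tokens
# with the same signing key; a mismatch means relying parties (Office 365 included)
# would reject tokens from whichever node they land on.
function Get-PrimaryTokenSigningThumbprint([string]$node) {
    Invoke-Command -ComputerName $node -ScriptBlock {
        (Get-AdfsCertificate -CertificateType Token-Signing | Where-Object IsPrimary).Thumbprint
    }
}
$old = Get-PrimaryTokenSigningThumbprint $oldPrimary
$new = Get-PrimaryTokenSigningThumbprint $newPrimary
if ($old -ne $new) { throw "Token-signing certs differ ($old vs $new); do not cut DNS over yet." }
"Both ADFS nodes sign with $new; safe to repoint $stsName."
```

The farm’s token-signing and decrypting certificates live in the shared configuration database, so Azure AD and other relying parties need no change when the primary moves; only the DNS record (and any WAP/proxy trust) has to follow it.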

Breaking the links

At some point you have to break the linkage.  That means demoting the DCs in your data center and breaking the ADFS secondary link.  Additionally, you will need to make sure your ADFS login DNS name is switched to point to your new Azure ADFS server.

Be sure that you put some effort into your Network Security Groups for your virtual network!  PAW machines are your friend!  And spend the extra money for Azure Security Center.  Your machines are going to get hammered.
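An added Az PowerShell example (not from the post) of the NSG point above: management ports reachable only from the PAW’s egress IP, AD DS traffic only from inside the VNet, and an audit that catches the portal’s default “RDP from Any” rule anywhere in the subscription. Resource names, region, subnet and the PAW address 203.0.113.10 are placeholders.

```powershell
# Added example, not from the original post. Az module. Placeholders:
# rg-corp-identity, westus, vnet-corp, snet-identity, 203.0.113.10 (PAW egress IP).
$rg = 'rg-corp-identity'; $loc = 'westus'; $vnetName = 'vnet-corp'; $subnetName = 'snet-identity'
$pawIp     = '203.0.113.10/32'
$mgmtPorts = '22', '3389', '5985', '5986'

# The weak setting: what "Allow selected ports: RDP" in the portal produces.
# Built here only as a reference for the audit below; it is never attached.
$weak = New-AzNetworkSecurityRuleConfig -Name 'RDP' -Priority 300 -Direction Inbound -Access Allow `
    -Protocol Tcp -SourceAddressPrefix '*' -SourcePortRange '*' -DestinationAddressPrefix '*' -DestinationPortRange 3389

# The corrected set. The explicit Deny at 110 sits above any later portal-added
# allow rule (which land at 300+), so a future "just open RDP for a minute" is shadowed.
$rules = @(
    New-AzNetworkSecurityRuleConfig -Name 'Allow-Mgmt-From-PAW' -Priority 100 -Direction Inbound -Access Allow `
        -Protocol Tcp -SourceAddressPrefix $pawIp -SourcePortRange '*' `
        -DestinationAddressPrefix 'VirtualNetwork' -DestinationPortRange $mgmtPorts
    New-AzNetworkSecurityRuleConfig -Name 'Deny-Mgmt-From-Internet' -Priority 110 -Direction Inbound -Access Deny `
        -Protocol Tcp -SourceAddressPrefix 'Internet' -SourcePortRange '*' `
        -DestinationAddressPrefix '*' -DestinationPortRange $mgmtPorts
    New-AzNetworkSecurityRuleConfig -Name 'Allow-ADDS-From-VNet' -Priority 200 -Direction Inbound -Access Allow `
        -Protocol '*' -SourceAddressPrefix 'VirtualNetwork' -SourcePortRange '*' `
        -DestinationAddressPrefix 'VirtualNetwork' -DestinationPortRange '*'
)
$nsg  = New-AzNetworkSecurityGroup -ResourceGroupName $rg -Location $loc -Name 'nsg-identity' -SecurityRules $rules
$vnet = Get-AzVirtualNetwork -ResourceGroupName $rg -Name $vnetName
$sub  = Get-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name $subnetName
Set-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name $subnetName `
    -AddressPrefix $sub.AddressPrefix -NetworkSecurityGroup $nsg | Set-AzVirtualNetwork | Out-Null

# Audit: every inbound Allow rule whose source is any/Internet and whose
# destination ports overlap a management port. Handles '*', single ports and ranges.
function Find-ExposedManagementRules {
    foreach ($g in Get-AzNetworkSecurityGroup) {
        foreach ($r in $g.SecurityRules) {
            if ($r.Direction -ne 'Inbound' -or $r.Access -ne 'Allow') { continue }
            $open = $r.SourceAddressPrefix | Where-Object { $_ -in '*', 'Internet', '0.0.0.0/0' }
            if (-not $open) { continue }
            $exposed = foreach ($p in $r.DestinationPortRange) {
                if ($p -eq '*') { $true; break }
                $lo, $hi = $p -split '-'; if (-not $hi) { $hi = $lo }
                if ($mgmtPorts | Where-Object { [int]$_ -ge [int]$lo -and [int]$_ -le [int]$hi }) { $true; break }
            }
            if ($exposed) {
                [pscustomobject]@{ NSG = $g.Name; Rule = $r.Name; Priority = $r.Priority; Ports = ($r.DestinationPortRange -join ',') }
            }
        }
    }
}
Find-ExposedManagementRules | Sort-Object NSG, Priority | Format-Table -AutoSize
```

Run the audit on a schedule, not once: the rule that gets you is the one a colleague adds at 2 a.m. to troubleshoot, and Security Center’s JIT VM access is the sanctioned way to give that person a time-boxed hole instead.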

Testing the changes

#1 – Doing One user (Me)

Before I broke all the linkages I wanted to test moving my account to “Cloud Only”.  This was pretty much a disaster, so my account ended up in deleted-limbo hell over and over.  Why?  Well, you have to move your account out of the AD Connect sync set, which causes it to get “deleted” from Azure AD (at least it goes into a “Deleted” state).  After this happens you should be able to restore it from deleted and then clear the “ImmutableId”.  Unfortunately, this did not work and nothing I did would allow me to clear it.  So I decided to change my email alias away from chris@blah.com to chris@blah.onmicrosoft.com.  This worked to get me away from any kind of account deletion every sync, but it came at a big price:

  • Delve page broke with a correlation error
  • Project Server broke because it couldn’t match me to my enterprise resource or email alias, so I couldn’t submit time or see any tasks – this was a big ouch!

Final steps

Once I determined that the final product would not produce the weird errors above, we picked a weekend for me to do the migration.  It was incredibly easy once all the plumbing was set up.  I ran a few commands to break the federation and boom, all done.  Azure AD Connect was still running with password writeback, so we had a working fallback just in case we decide later to move to a full Azure AD environment.  But with the progress on the new Active Directory Services in Azure, that seems like a 0% chance.
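The single-user test and the federation break from the two sections above, as one added PowerShell example (not the post’s own commands). It uses the MSOnline module of the period; blah.com, chris@blah.com and blah.onmicrosoft.com are the post’s placeholders. One caveat the code encodes: ImmutableId cannot be cleared, and a cloud-only account cannot carry a UPN, on a domain that is still federated, so the UPN has to sit on the onmicrosoft.com domain until the domain itself is switched to managed; that is the ordering behind the Delve and Project Server breakage described above.

```powershell
# Added example, not from the original post. MSOnline (v1) module; requires
# Connect-MsolService as a Global Administrator. Placeholders: blah.com,
# chris@blah.com, blah.onmicrosoft.com.
Connect-MsolService
$domain  = 'blah.com'
$upn     = 'chris@blah.com'
$tempUpn = 'chris@blah.onmicrosoft.com'

# --- Step 1 (test user): after the account is filtered out of Azure AD Connect
# scope and a sync cycle has run, it sits in the Azure AD recycle bin. Restore it,
# park the UPN on the tenant domain, and only then clear the anchor.
function Convert-UserToCloudOnly([string]$upn, [string]$tempUpn) {
    $deleted = Get-MsolUser -ReturnDeletedUsers -UserPrincipalName $upn -ErrorAction SilentlyContinue
    if ($deleted) { Restore-MsolUser -UserPrincipalName $upn }
    # Clearing ImmutableId fails while the UPN is on a federated domain.
    Set-MsolUserPrincipalName -UserPrincipalName $upn -NewUserPrincipalName $tempUpn
    Set-MsolUser -UserPrincipalName $tempUpn -ImmutableId "$null"
    Get-MsolUser -UserPrincipalName $tempUpn | Select-Object UserPrincipalName, ImmutableId, LastDirSyncTime
}

# --- Step 2 (cut-over weekend): flip the domain from Federated to Managed.
# Password hash sync (or PTA) must already be flowing, otherwise nobody can sign in.
function Convert-DomainToManaged([string]$domain) {
    $before = Get-MsolDomain -DomainName $domain
    if ($before.Authentication -ne 'Federated') { return "$domain is already $($before.Authentication)" }
    Set-MsolDomainAuthentication -DomainName $domain -Authentication Managed
    Get-MsolDomain -DomainName $domain | Select-Object Name, Authentication
}

# --- Step 3: with the domain managed, the test account can go back to its real
# UPN, which is what Delve and Project Server key on.
function Restore-UserUpn([string]$tempUpn, [string]$upn) {
    Set-MsolUserPrincipalName -UserPrincipalName $tempUpn -NewUserPrincipalName $upn
    Get-MsolUser -UserPrincipalName $upn | Select-Object UserPrincipalName, ImmutableId
}

Convert-UserToCloudOnly $upn $tempUpn
Convert-DomainToManaged $domain
Restore-UserUpn $tempUpn $upn

# Rollback, run from the ADFS primary while it still exists:
#   Convert-MsolDomainToFederated -DomainName blah.com -SupportMultipleDomain
```

Keeping the Azure ADFS farm alive for a while after `Set-MsolDomainAuthentication` is what makes the rollback a one-liner; once the farm is gone, re-federating means rebuilding it first.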

The last gotcha was that I put the Azure VM in our non-Gold-partner subscription (the one with $12K to use), mainly because we didn’t have it set up at the time.  Moving the VM was a bit painful (hint: you do not need to download the VHD, let Azure move it directly between subscriptions).  Once I successfully moved it, it fired up, but I had to do the authoritative restore again (it seems you should be prepared to do this often in Azure).


ShareSquared has moved fully to Azure IaaS and PaaS.  No more monthly fee from a co-lo.  And we are utilizing our IUR (Internal Use Rights) for Azure for being a Gold Partner, saving us quite a bit every month!

If you need help moving your organization fully to Azure, I’m always available to help!



Your New Best Friend – Microsoft.SharePoint.Utilities.WebTemplateExtensions.ScriptUtility.CreateFormula!

A new REST endpoint will be coming to SharePoint Online soon.  This endpoint will allow you to fire a “setup script” that will execute all kinds of actions upon a new or existing site.  You can get a feel for how it works from this slide:

As you can see, it is targeted at site creation and templating, but it can happen at any time.  The site script itself will be JSON based and allow you to define “actions”.  These actions have a “verb” and then all the properties that support that verb:

Actions that will be supported when it’s released include the following (notice the “more to come” comment):

One of the more exciting features of the site script is the ability to call “Flows” or even send messages to queues which could then fire Azure Functions!
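An added example (not from the post or its slides) of a site script with a verb/property action list, including the Flow hand-off mentioned above, registered with the SharePoint Online Management Shell cmdlets the feature shipped with. The tenant name contoso, the list and site names, the logo path and the Flow trigger URL are placeholders.

```powershell
# Added example, not from the original post. Requires the SharePoint Online
# Management Shell. Placeholders: contoso, Project Risks, /sites/alpha, the
# logo path and the Flow HTTP trigger URL (a real one carries a sig= SAS token).
Connect-SPOService -Url 'https://contoso-admin.sharepoint.com'

$script = @'
{
  "$schema": "https://developer.microsoft.com/json-schemas/sp/site-design-script-actions.schema.json",
  "actions": [
    {
      "verb": "createSPList",
      "listName": "Project Risks",
      "templateType": 100,
      "subactions": [
        { "verb": "setDescription", "description": "Risk register provisioned by site script" },
        { "verb": "addSPField", "fieldType": "Text",   "displayName": "Owner",    "isRequired": true,  "addToDefaultView": true },
        { "verb": "addSPField", "fieldType": "Number", "displayName": "Severity", "isRequired": false, "addToDefaultView": true }
      ]
    },
    { "verb": "setSiteLogo", "url": "/SiteAssets/logo.png" },
    {
      "verb": "triggerFlow",
      "url": "https://prod-00.westus.logic.azure.com/workflows/00000000-0000-0000-0000-000000000000/triggers/manual/paths/invoke",
      "name": "Notify provisioning queue",
      "parameters": { "event": "site created", "product": "Project Risks" }
    }
  ],
  "bindata": {},
  "version": 1
}
'@

$siteScript = Add-SPOSiteScript -Title 'Project site setup' -Content $script -Description 'List, logo, Flow hand-off'
# WebTemplate 64 = team site, 68 = communication site.
$design = Add-SPOSiteDesign -Title 'Project Site' -WebTemplate '64' -SiteScripts $siteScript.Id -Description 'Team site with risk register'

# The Flow URL inside the script is a bearer capability: anyone who can read the
# script can fire the Flow. Scope who may see and apply the design.
Grant-SPOSiteDesignRights -Identity $design.Id -Principals 'project-managers@contoso.com' -Rights View

# The "any time" case from the text: apply the design to an existing site.
Invoke-SPOSiteDesign -Identity $design.Id -WebUrl 'https://contoso.sharepoint.com/sites/alpha'
```

The Flow on the receiving end gets the site URL and the `parameters` object in its request body, so the usual pattern is to let the Flow drop that payload on a queue and have an Azure Function do the heavy lifting, exactly the chain the paragraph above sketches.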

This really starts to make things interesting in that your imagination is now the limit as to what you can do.  3rd party vendors’ reactions will be on both sides of the fence with this (“ah crap, now they can do it”, or, “ooh, what can we do with that?”).

I think it is one of the biggest game changers to come along in SharePoint Online and SharePoint land in a long time.  Kudos to Sean Squires (@iamseansquires).


Microsoft Ignite Review

After two months of reviewing, finally, here is my Microsoft Ignite Review!

This is all the stuff I gleaned from the various slides (over 800) from Microsoft Ignite.   The conference’s overall focus, based on all the sessions\slides, centered on the following major topics, in what I deem to be order of importance:

  1. Security, Security, Security (AIP, EMS, ATA, Intune, Windows Defender *, etc)
  2. Windows 10 (Deployment, Apps, Management, and obviously…security)
  3. Office 365 (Teams, Groups, Reporting and Analytics)
  4. Data warehousing and ML processing (U-SQL, R, Hadoop, Azure Data Lake)
  5. Azure IoT – device registration, messages\queues wrapped in data warehouse message processing and BI reporting goodness
  6. Azure Stack (hardware partners, capacity planning, billing, security, network topology)
  7. Azure (Scale Sets, New VM Sizes, New Services, automation and devops)
  8. Exchange (Hybrid setup, multi-domain sync scenarios, security)
  9. Log/Application Analytics of anything and everything (Managing assets, productivity, security, apps, etc)
  10. Dynamics 365
  11. Cosmos DB
  12. Office (Outlook, Excel, Access, Add-ins)

Here’s how things eventually broke down (as of the time I downloaded everything).  As you can see, out of the total PPTs I only gave the best-of-the-best nod to 6%, and gave another 18% the “you must see” nod.  This will significantly speed up your review process.

  • Break Out PPTs – 551
  • Theatre PPTs – 360 – I did not review these, but I’m sure there is some good stuff here!
  • Best of the best – 33 (6%)
  • Must see – 100 (18.1%)

You may take a look and wonder, uhh, where is your ranking?  Yeah, I used to rank them all 1-5, but I just didn’t have the time (believe me, some did deserve a 1).  And since I have caused enough fireworks already for 2017, it was better I just ignore the bad ones.  So here ya go…

The best of the best:

If you just don’t have the time to look at even my reduced set of “good” ones, then I simply suggest you take the time to look at these, they represent the top of the technical content in great formats with lots of information you can use or learn from…very simply, they are “the best of the best” from Ignite!

  1. BRK2059 – Your attacker thinks like my attacker – A common threat model to create better defense
  2. BRK2141 – Taming the Beast – How We Secure the World’s Largest Enterprise Cloud Service
  3. BRK2151 – Past, present, and future – GPU and AI infrastructure on Microsoft Azure
  4. BRK2175 – Reimagine what is possible with your videos using state-of-the-art AI technologies
  5. BRK2177 – The Microsoft vision for Blockchain
  6. BRK2195 – What’s new and what’s coming for Actionable Messages in Outlook
  7. BRK2203 – Protect and control your sensitive emails with new Office 365 Message Encryption capabilities
  8. BRK3051 – Get your enterprise network ready for Office 365
  9. BRK3056 – Windows 10 and Windows Server 2016 – Next generation networking
  10. BRK3060 – Defending against malware with robust and practical application whitelisting
  11. BRK3069 – Enhance your security posture on Windows 10
  12. BRK3072 – Halt hackers – Do those tricks still work with Windows 10
  13. BRK3086 – Azure Cosmos DB – The globally distributed, multi-model database
  14. BRK3107 – Enterprise Power BI deployments with Microsoft Power BI Solution Templates
  15. BRK3109 – Experience Microsoft SQL Server 2017 – The fast and the furious
  16. BRK3124 – Manage Microsoft Azure at enterprise Scale – The Microsoft Internal Story
  17. BRK3126 – Stay Ahead of the Cyberattacks with Office 365 Threat Intelligence
  18. BRK3130 – Prepare for the GDPR and data privacy compliance with Microsoft SQL technology
  19. BRK3158 – Design your Exchange infrastructure right (or consider moving to Office 365)
  20. BRK3167 – Tips and tricks with Azure Resource Manager
  21. BRK3186 – Running Exchange hybrid over the long term
  22. BRK3217 – Graph extensions in Microsoft SQL Server 2017 and Azure SQL Database
  23. BRK3241 – Secure your data in Azure SQL Database and SQL Data Warehouse
  24. BRK3248 – Exchange Online Multi-Geo Capabilities
  25. BRK3283 – Security and identity in ASP.NET Core
  26. BRK3285 – Going underground – Discovering, exploiting, & defending against covert channels in modern computing
  27. BRK3301 – Let’s talk about Conversation Design
  28. BRK3309 – Securing virtual workloads in less than 60 minutes – A live guarded fabric deployment
  29. BRK3317 – Implement microservices patterns with .NET Core and Docker containers
  30. BRK3323 – Modernizing ETL with Azure Data Lake – Hyperscale, multi-format, multi-platform, and intelligent
  31. BRK3354 – Using custom themes and designs to standardize the creation of clean, functional SharePoint sites
  32. BRK4014 – Deep Dive on Windows 10 Fall Creators Update Internals (WARNING – highly-technical)
  33. BRK4033 – Deep dive with Microsoft Cognitive Toolkit (WARNING – highly technical but oh soo good!)

The best technical session powerpoints that you MUST review are the following:

  1. BRK1023 – System Center for the modern datacenter – First look at advancements coming this year
    1. This has everything in it and the kitchen sink!
  2. BRK1032 – Learn all about running multi-terabyte SAP HANA infrastructure on Microsoft Azure
    1. The size and scale of these systems is just INSANE!
  3. BRK2000 – All about how security keys work in Office 365\Azure Key Vault (Microsoft Managed, BYOK, HYOK)
  4. BRK2015 – Mobile device and app management overview with Microsoft Intune
  5. BRK2018 – Share corporate resources with your partners using Azure Active Directory B2B collaboration
  6. BRK2019 – Productivity and protection for your employees, partners, and customers with Azure Active Directory
  7. BRK2021 – Learn About Microsoft Advanced Threat Analytics Futures
  8. BRK2039 – Understand how your users are using Office 365 – Introducing Advanced usage reporting tools
  9. BRK2045 – Dive into Office 365 for the US government and defense industry
    1. Everything you wanted to know about government and the cloud!
  10. BRK2053 – Low investment, high reach enterprise experiences using bots and Adaptive Cards
  11. BRK2060 – How Microsoft uses Windows Defender ATP – Welcome to a SecOps world!
  12. BRK2064 – How Microsoft uses a data-driven defense
  13. BRK2074 – Deploying and managing Windows Information Protection (WIP) with Azure Information Protection
  14. BRK2075\BRK2076 – Extending Windows Hello with trusted signals
  15. BRK2077 – Credential protection in Windows – An overview
  16. BRK2084 – Windows Defender Exploit Guard – Reducing the Attack Surface while balancing productivity & security
  17. BRK2108 – Digital transformation with Microsoft Azure and Azure Stack
  18. BRK2109 – Discover whats new with Windows Server management experiences (aka project Honolulu)
  19. BRK2130 – Getting 99.999% availability for my IaaS Service – Running highly available Azure VMs
  20. BRK2143 – Lessons learned from the Azure Stack Early Adoption Initiative
  21. BRK2156 – Self-service BI and enterprise reporting on-premises with Power BI Report Server
  22. BRK2165 – Mars putting Yammer on rocket fuel with bots, AI and analytics
  23. BRK2180 – Delivering simple and powerful serverless business applications
  24. BRK2181 – Accelerate productivity with search and discovery in SharePoint and Office 365
  25. BRK2182 – Take Control of Your Data Protection and Compliance Posture with New Microsoft Compliance Solutions
  26. BRK2186 – Azure API Management – Why, what, how, and what’s next
  27. BRK2187 – An overview of Web Apps for Containers on Linux
  28. BRK2188 – Enterprise integration with Microsoft Azure Logic Apps
  29. BRK2190 – Orchestrating one million containers with Azure Service Fabric
  30. BRK2199 – Infrastructure as code – Leverage Ansible and Terraform on Microsoft Azure
  31. BRK2208 – Introduction to Windows IoT
  32. BRK2211 – Azure Media Services and video AI – Building next generation cloud video applications
  33. BRK2212 – Gain visibility into network performance and availability with network monitoring solutions in Azure
  34. BRK2217 – Modernize your on-premises applications with SQL Database Managed Instances
  35. BRK2293 – Understanding big data on Azure – structured, unstructured and streaming
  36. BRK2301 – Configuring Calling Plans in Microsoft Office 365
  37. BRK2317 – Modernizing your remote access – the choices and options available
  38. BRK2319 – It’s here, and customers LOVE it! The Cisco Integrated System for Microsoft Azure Stack
  39. BRK2374 – Stop data exfiltration and advanced threats in Microsoft Office 365 and Azure
  40. BRK2394 – How to achieve stress-free OSD with Windows 10 and Microsoft System Center
    1. Gotta admit I had never heard of this company before now.  Migration to Windows 10 is a must as it’s just so amazing.  This peer-to-peer migration strategy is very intriguing!
  41. BRK2396 – Protect Azure IaaS deployments using Microsoft Azure Security Center
  42. BRK2425 – Edge functionality gains, security improvements and enterprise compatibility with IE enterprise mode
  43. BRK3002 – Virtualize Office 365 ProPlus
    1. Gotta give kudos to this presentation, information rich, understanding of the topic and lots of links for people who don’t watch the video.
  44. BRK3007 – Decipher delegation – Nine things you should know
    1. Wow, who would have thought Skype delegation was so complex!?!
  45. BRK3008 – Microsoft Cloud App Security deep dive – Learn how to deploy and manage
  46. BRK3011 – Manage and secure Android, iOS, and MacOS devices and apps with Microsoft Intune
  47. BRK3015 – Deep-dive – Azure Active Directory Authentication and Single-Sign-On
  48. BRK3016 – Shut the door to cybercrime with Azure Active Directory risk-based identity protection
  49. BRK3035 – Plan and configure Hybrid Voice in Skype for Business and Office 365
  50. BRK3036 – Understanding Call Queues and Auto Attendant
  51. BRK3053 – Troubleshooting Office 365 identity – How modern authentication works and what to do when it doesn’t
  52. BRK3054 – Unleash Office 365 Groups – Deep dive – really best of the best around organization and information for Office 365 groups!
  53. BRK3087 – Azure SQL Database – The world’s first intelligent cloud database service
  54. BRK3090 – Microsoft Azure Stack usage and billing
  55. BRK3110 – Globally distributed, secure MongoDB with Azure Cosmos DB
  56. BRK3111 – Keeping your sensitive data secure in Office 365 with Data Loss Prevention
  57. BRK3116 – Integrating Azure Stack into your Datacenter
  58. BRK3118 – Keeping your on-premises data up to date with the on-premises data gateway
  59. BRK3119 – Learn how to use Microsoft Intune with the new admin console and Microsoft Graph API
  60. BRK3121 – Leverage intelligent video to power a collaborative organization with Microsoft Stream
  61. BRK3125 – Advanced Threat Protection for your Office Environment
  62. BRK3129 – Manage hybrid cloud and transform your workplace with PowerShell and Azure Automation
  63. BRK3133 – Quickly find what’s relevant and reduce risk with intelligent eDiscovery in Office 365
  64. BRK3134 – Real time data-science with Azure Cosmos DB
  65. BRK3139 – Respond quickly to threats with next-generation security operation, and investigation
  66. BRK3144 – Storage Spaces Direct – Be an IT hero with software-defined storage!
  67. BRK3147 – Kubernetes on Windows
  68. BRK3149 – Understanding Azure Stack architecture and how to capacity plan solution purchases
  69. BRK3185 – Improvements and innovations in calendaring with Microsoft Outlook and Exchange
  70. BRK3189 – Modernizing existing .NET applications with Windows Containers and Azure cloud
  71. BRK3197 – Entity Framework Core 2.0 – Data on server, cloud, mobile, and more
  72. BRK3198 – Monitor and investigate actions on your user and data with alerts, insights and reports
  73. BRK3202 – Modern business processes with Microsoft Graph and Azure Functions
  74. BRK3204 – Azure App Service inside your virtual network
  75. BRK3206 – Accelerating Blockchain application development on Microsoft Azure
  76. BRK3208 – Azure Service Fabric overview and the road ahead
  77. BRK3211 – Microsoft System Center 2016 in action – Customer use cases to implement today
  78. BRK3219 – Meet the most demanding HPC customer needs on Azure with Cycle Computing and Batch
  79. BRK3220 – Microsoft Azure virtual machine infrastructure innovation and automation
  80. BRK3236 – Multi-Geo Capabilities in OneDrive and SharePoint Online
  81. BRK3243 – Migrating to Azure using Azure Migrate and Azure Site Recovery
  82. BRK3252 – Geek out with the product team on SharePoint lists and libraries
  83. BRK3263 – Secure Exchange on-premises as well as Microsoft secures Exchange Online
  84. BRK3268 – Troubleshooting processes with Process Explorer and Process Monitor – unfortunately you do have to watch the video for this
  85. BRK3274 – Supercharge Your Debugging in Visual Studio – another gotta watch the video one
  86. BRK3277 – DevOps for data science
  87. BRK3293 – How the Portland Trail Blazers use personalization and Acxiom data to target customers
  88. BRK3295 – What’s new in Azure Active Directory Domain Services
  89. BRK3300 – Patterns, Architecture, & Best Practices – Scaling Machine Learning Algorithms with Azure HDInsight
  90. BRK3313 – Plan, orchestrate, and tune large resource deployments on Azure IaaS
  91. BRK3316 – Operationalizing Microsoft Cognitive Toolkit and TensorFlow models with HDInsight Spark
  92. BRK3320 – Streaming Big Data on Azure with HDInsight Kafka, Storm and Spark
  93. BRK3336 – From source to production – The latest in open source container dev tools
  94. BRK3375 – Windows Defender ATP machine learning – Detecting new and unusual breach activity
  95. BRK4016 – Getting peak performance from your SQL Data Warehouse column store
  96. BRK4029 – Inside Exchange Online
  97. BRK4040 – Deep dive – Advanced workflow automation with Microsoft Flow
  98. BRK4022 – Exchange High Availability and Storage for Insiders
  99. BRK4023 – Azure ExpressRoute new features, best practices, and customer experiences
  100. BRK4036 – Bot Framework patterns and practices straight from our customer

“Odd and interesting” mentions:

  • BRK1070 – Pretty sweet set of slides and content flow.  Probably not something you will buy or use, but pretty sweet none-the-less.
  • BRK2034 – Succeed with app compat for Windows as a service
  • BRK2136 – Solving your printing problems with Windows Server and Microsoft Azure
    • Didn’t realize printing needed extra configuration in a hybrid environment
  • BRK2140 – Yammer as a Platform for Digital Transformation
    • Some interesting slides here
  • BRK2314 – Most apps are not designed this way, but its the next logical evolution for them.  Being able to move your session from one device to another without losing state or data context.
  • BRK2403 – I’m not sure why we need yet another search platform introduced into the Office 365 mix.  I think Ceres works just fine in the context of the Graph APIs…not sure the strategy here.
  • BRK2414 – Extend Microsoft Dynamics 365 for Finance and Operations
  • BRK2415 & BRK2319 – Cisco and Lenovo show off their platform plays for Azure Stack.  They promote these as everything you need to run and get going with Azure Stack.
  • BRK3003 – Moving to a hybrid Unified Communications environment – Based on these slides, I don’t envy someone that has to manage a forest and trying to go hybrid with Skype for Business.  Lots of moving parts!
  • BRK2394 vs BRK3005 – Interesting that you have a Microsoft product for Office deployment, then a vendor presentation that says that they have a better way.  I do gotta admit, I like their way (P2P) better.
  • BRK3063 – Next-Gen AV – Windows Defender Antivirus unleashed – has some interesting stats in here about antivirus and some Gartner comments
  • BRK3077 – Next gen packaging and deployment of Windows apps in the enterprise
  • BRK3083 – Practical data science for a DBA with SQL Server 2017 and Cortana Intelligence – worth checking out if you do any big data style processing
  • BRK3102 – How Microsoft Legal drives down eDiscovery costs with machine learning in Office 365 – You really need an E5 tenant in order to do most of this…
  • BRK3260 – Manage Windows devices in the complex hybrid cloud world of today – not terribly deep, but I gotta say that this was the most well put together, concise and to the point of all the Intune/SCCM/Windows 10/EMS prezos
  • BRK3331 – Azure Service Fabric for Linux
  • BRK3361 – Veeam for the Microsoft Cloud
  • BRK3376 – Managing ongoing Microsoft Office 365 ProPlus client health and applications compatibility – check out the readiness toolkit, its actually pretty amazing!
  • BRK4006 – Dig deeply into BranchCache – Learning from the experts – this was soooo funny, I wish I had been there to see this in person!
  • BRK4008 – Azure Cosmos DB, design patterns and case studies for globally distributed applications – what a simple and straightforward view of Cosmos DB use cases and microservices from a real-life customer

Here are product focused items with various announcements:

  • Office 365
    • BRK1005 – Lots of enhancements in the routes and networking between Office 365 data centers
    • BRK1008 – Enhancements around reports and reporting data, many more data points for analysis.  Service notices that are translated to user target languages. Scoped Admin Roles (Azure Active Directory Administrative Units)
    • BRK1009, BRK2011 – (2011 is the better one), New Roles introduced for Office 365 (Reporting).  Team and Groups reporting in Usage Analytics.  Reporting Graph API.
    • BRK1006, BRK1010 – Office 365 is probably the most accessible (disabilities) cloud based platform on the planet
    • BRK1074 – All about groups.
    • BRK2132 – Love this take on Office 365 Adoption, very well done
    • BRK2181 – Slides 14, 21 and 31 are the best.  Image text extraction, Multi-geo search and Visual Intelligence
    • BRK3133 – Slide 23 tells you about the increase in the limits for indexed Exchange Online and SPO (10 to 250 attachments is exciting)
    • BRK3237 – Create and manage sharing and access policies for SharePoint – check out slide 43 for some feature coming for sharing and access policies
    • BRK3239 – Manage SharePoint using the new Sharepoint Admin Center – slide 25 on the new and coming Admin Center for SharePoint online
    • BRK3248 – Exchange Online Multi-Geo Capabilities – check out all the new cmdlets for the geo default preferred location.  Supposed to be available on 3/2018 – slide 33
    • BRK3359 – Deep dive – Compare SharePoint Designer and Microsoft Flow scenarios – check out slides 36 and 38
  • Office
    • BRK2062 – All about Office Add-Ins.  Excel 1.7 APIs, Custom Functions in Excel, Centralized Deployment for Outlook, Single Sign On for Word, Excel and PowerPoint coming
    • BRK2127 – Interesting tidbits on LinkedIn integration with your profile card(s) – slide 13
    • BRK3182 – =YOUASKED.WELISTENED() join us to learn what’s next for Excel add-ins – custom functions are part of the add-ins architecture, pretty cool stuff!
    • BRK3184 – Deploying and using Outlook mobile in the Enterprise – slide 48 has the new stuff coming to Outlook mobile apps
    • BRK3185 – Improvements and innovations in calendaring with Microsoft Outlook and Exchange – this has so much in it it is crazy!!!
    • BRK3216 – How Graph powers intelligent experiences in SharePoint and Office 365 – Check out slide 47 for the upcoming new Graph endpoints
    • BRK3231 – Deploy Microsoft OneDrive across users and devices – Deep dive with the product team – check out slide 4 and 5 for future of OneDrive features adds
  • OneNote
    • BRK1019 – Better consistency across devices. 100+ new features added to OneNote (Insert Meeting Details, Version History, Multiple Windows, Customization Pens, Solve & Graph Math, Ink Effects)
  • FastTrack – basically use it…it’s free.  Funny thing is that eventually this service will need to scale down and there will be a mass layoff\reorg once you have hit critical mass
    • BRK1036 – Dynamics CRM FastTrack seems to be REALLY hot
  • Azure
    • BRK2130 – So we have moved from just using one cloud to leveraging the cloud for much more advanced availability scenarios.  This really outlines everything you need to know about Azure Availability Sets.
    • BRK2180 – This is a great review of the serverless architecture of new app development.  Information on Functions and Logic Apps
    • BRK2190 – Why you should use Service Fabric and not try to do it on your own
    • BRK3243 – Migrating to Azure using Azure Migrate and Azure Site Recovery – some pretty cool tools for discovering your on-premises resources and prepping for migration to Azure,  check out slide 41 on UEFI VM migration!
    • BRK3295 – What’s new in Azure Active Directory Domain Services – check out slide 45 for what they are “considering” adding to AADDS.
  • Azure Stack
    • BRK2106 – slide 57 has updates on the App Server in Azure Stack Preview 2
  • LogicApps
    • BRK2188 – Nice review of logic apps.  Slide 20 has the Logic Apps roadmap
  • IOT
    • BRK2208 – Really great mapping of Azure security features and some solely targeted at IoT technologies
  • Dynamics
  • Windows Server
    • BRK1038 – Container optimized Nano Server.  .NET Core 2.0 and SMB Support for containers.  Linux containers with HyperV isolation. Windows subsystem for Linux
  • Skype
    • BRK2004 – Some pretty interesting sets of use cases for people moving PBX to Skype For Business
    • BRK2010 – Very interesting information on Skype Call Quality Dashboard reporting and the roles
  • System Center
    • BRK1023 – Hybrid is the name of the game (monitor your cloud resources).  Alerts Management (Intelligent Correlation), Workload Insights (Azure IaaS OS and workflow monitoring), Situation Management future focus.  Azure security.  Nano Server is 78MB, 107MB with .NET compressed!
  • Operations Manager
    • BRK1023 – Web site is HTML 5.0.  MP Updates, 3rd Party MPs (like Solarwinds).  Linux Kerberos support.
  • Data Protection Manager
    • BRK2013 – Instant Restore of cloud recovery points.
  • Virtual Machine Manager
    • BRK2013 – Enhance Storage QOS, enhanced console session. Linux shielded VMs.
  • Yammer
    • BRK2103 – slides 23 and 24 have some good stuff about new features added to Yammer recently.  It’s not dead yet…
    • BRK2165 – interesting usage of yammer data to feed a bot and vice versa
  • SharePoint
    • BRK2422 – Feature Pack 2 brings SPFx to your on-premises farm!
  • StaffHub
    • BRK2042 – Slide 22, Integration with flow
  • SQL Server
    • BRK3241 – Secure your data in Azure SQL Database and SQL Data Warehouse – slide 22, support for MFA at SQL tooling level and definitely check out slide 26
  • PowerBI
    • BRK3152 – Slide 37, custom visual improvements, filter API for slicers
  • Security
    • BRK1051 – Some simple best practices when using Azure\Office 365
    • BRK1056 – This thing is a plethora of “oh my god, what do I need to manage” type of view.
    • BRK2001 – A typical anatomy of a security attack
    • BRK2012 – A lot of information about EMS and how Microsoft is securing your cloud apps
    • BRK2015 – Lots of information on Intune.  The coolest slide is #25 where they talk about GeoFencing assets.  Runs through some of the top requests for Intune and when they will be released.
    • BRK2018 – Slide 46 is pretty interesting, type 1,2,3 support of sharing (JIT AAD, JIT MSA)
    • BRK2019 – Slide 9 shows 3rd party apps and Azure AD usage (Google Apps is #1).  Slide 25 shows RSA, DUO and TruSona are new MultiFactor Auth partners.  Governance partners are Omada, SailPoint, Saviynt.
    • BRK2020 – Slide 10 shows future features for AIP.  Office 365 message encryption (GA). Azure Information Protection convergence to 80+ sensitive information types used in Office 365. Azure Information Protection scanner for on-premises file shares (preview). Microsoft Cloud App Security label and protect Office files in cloud apps (preview). Native labeling experience in Word, PowerPoint & Excel on Mac, iOS, Android and web apps. Native labeling in Outlook on Mac, iOS, Android and web apps. DLP triggers based on labels.
    • BRK2064 – This is probably one of the better takes on implementing security in a Microsoft world presentations that I have ever seen
    • BRK2077 – no real announcements, but really interesting reading of Credential Guard and what it does and does not protect
    • BRK2079 – Really good introduction to Intune, Azure AD and SCCM interconnectivity
    • BRK2129 – Nice high level overview of the various privacy and compliance features in Office 365 (not very deep technically).  The GDPR slides are pretty sweet (39+)
    • BRK2141 – Probably one of the best sessions of Ignite!
    • BRK2182 – The Compliance Manager will be very popular!  Coming in November!
    • BRK3008 – Really great information on using Cloud App Security!  Best prezo on this topic\product!
    • BRK3011 – This was a really in-depth session about the future of Intune and iOS and Mac devices.  Must read for anyone that has Mac devices.
    • BRK3012 – Somewhat medium level depth session on conditional access via EMS
    • BRK3013 – The “Access Review” feature is a great new addition!
    • BRK3014 – Some really good stuff in here…definitely take a look
    • BRK3015 – This had to be one of the more in-depth Azure AD auth sessions of the entire Ignite, very well done.
    • BRK3016 – This has some really juicy stats in it as far as hacked accounts\passwords go.  A must read/review.

Things that WERE great:

More Product Engineering Group (PEG) vs Product Marketing Group (PMG) presentations.  You can see this based on presenter titles: Program Manager vs Product Manager.  This can be a good and a bad thing; PEG sessions tend to be very technical but lacking in presentation skills, whereas PMG is the opposite (with a few notable exceptions).  This year, the PEG presenters were on their game and only a couple of sessions showed the lack of presentation skills.  This shows that Ignite was highly technical in nature this year vs highly marketing based in the past.

I love to see MVPs have the opportunity to present (real world consulting is way better than just a simple technical presentation any day), and there were certainly a few that got on stage for breakouts, but this year had only a small set.  Most seemed to fall into the Theatre sessions, which makes sense.

Things that weren’t that great:

  • The Windows 10 security powerpoints all started off with the same 10 slides, seemed like there was only really 4 slides difference between about 5 sessions.  I’m guessing those could have been consolidated easily and more room made for other content areas
  • Yeah, Windows 10 is awesome, but Ignite went overboard on the number of sessions around Windows 10 deployment…way too many!
  • There were two too many Intune sessions with the same content.
  • Same goes for several of the Azure Stack sessions.  The only one you really need to watch\read is the one by Snover and Russinovich!
  • BRK2134 – Having a partner join you on stage that has no idea what they are doing, well, speaks for itself.  This was a disappointment on many fronts especially having a 3rd party vendor join in the session that should not have been there.

Compliance Manager and GDPR – “Data Subject Action Pattern”

Over the past week, I have spent my extra time reading over every article in the GDPR and how it maps to technology (or the lack thereof).

Today, Microsoft has released the Compliance Manager tool for individuals and organizations to use to “assess” their readiness for the upcoming GDPR articles that are supposed to go into effect on May 25th, 2018.  The interesting thing, or not, about this tool is that it is simply a check list of the articles from the GDPR.  In the future it will cover NIST 800-53, ISO 27001, and ISO 27018.  It does not actually do any checks against your tenant like the Office Security Score tool does to tell you if you are in violation of anything…and nor should it.  This means…

You still have to do the compliance work!

In the absence of any other compliance management focused tools, this is a great start to helping you track most of the things you need to do.  Not only that, but being able to know when a particular article was last checked via the reports is a great way to ensure that a Data Protection Officer (DPO) is not forgetting their responsibilities to “data subjects”.   It should be noted that the Compliance Manager tool will not suffice for the “Certification” in article 42 of GDPR.  So you should still be prepared to pay an outside auditing firm to review your code of conduct, data flows, etc.  And if you want the full disclosure with T&Cs, you can review what Tina Ying (Office Marketing) wrote here. You can even watch a quick video on YouTube.

Some things I’d like to see added to the Compliance Manager:

  1. Custom policy creation and tracking (for state legislation, etc)
  2. Events that filter into the Office Graph or the Office 365 management API for when a compliance goal is met or the task has not been reviewed in x period of time

As I’m sure you are painfully aware, there is a *huge* sales and marketing push by Microsoft and other tech vendors to take advantage of GDPR.  Funny thing is most of the people that bring it up haven’t even read the thing and really don’t know anything about it!  Which brings me to my next item to point out:

Office 365 is (will be) GDPR Compliant

The first thing you need to know about the phrase “Office 365 is GDPR compliant”, is that it means “Microsoft” will be covered, not you!  Office 365 cannot fix or make you compliant through a simple check list.  Microsoft is attempting to make all of their cloud services and products GDPR ready, and at some point they will be sharing everything they learned about their internal journey with us (hmm, I wonder what their Compliance Manager report looks like).  Don’t hold your breath here, by the time they share it with us, it will be too late for you!  If you are already familiar with Compliance Manager, you are probably saying “but they provide all these helpful actions for each article”.  Ok, some of these are valid and some are not.  The reality is that they only apply to Microsoft 365 cloud services and will not help you with all your systems outside of Microsoft 365.

So back to GDPR.  Have you read it?  I have…top to bottom and vice versa, 3 times, both versions.

What most people don’t realize is that each Member State can override certain articles to make them more strict (like national security, public interest, etc).  The date above is when all the changes that a Member State would like to be made must be integrated into their country’s legal system.  What does that mean?

There could be 28 different versions of GDPR after May 25th, 2018!

The compliance manager will help you with the high level articles, but the details for each country will be a toss up and I’m pretty sure you won’t see 28 versions of GDPR in the compliance manager.

So that all being said…

What do you need to do to be GDPR compliant? 

A check list\tool can help, taking the time to read the articles is better, or, if you prefer not to put your legal hat on, having a consultant like me teach you what’s in it and how to mitigate potential violation(s) is best!

After you have an understanding of it, you will realize:

It’s a lot.

Development re-work, notification systems, records management…a lot.  And yes, I said Records Management.  When you look at the GDPR, it really is forcing you to:

Implement a “case-based” system for “data subjects” across *all* your platforms.

Just as a side note, “Case-based” records management is a feature long absent from SharePoint or Office 365 “content services”.  And no, “Labels” will not help you whatsoever with GDPR.

So, net net, if you haven’t started yet, then you won’t make the deadline of May 25th, 2018 (which I’m guessing some countries won’t have the full set of articles legally integrated on that date so you may have more time depending where you or your data subject lives).

I will be posting a presentation soon (about 80% done) that reviews every article and what you should do (if anything) and how a Microsoft product or service “may” help you.  The more in-depth version of the presentation will go into development patterns and show you some simple things you can do to implement what I am coining as the “Data subject action pattern

I will be speaking at DevIntersections about GDPR and how all these articles map to the various Azure technologies and how you must redesign your apps and your thinking to be able to support my new “Data subject action pattern”.


SharePoint 2013 – This product requires Microsoft .Net Framework 4.5

So in addition to the .NET Framework 4.6, it turns out that 4.7 will also cause the same issue.  You can utilize this script to remove them both to proceed with installation:

function UninstallKB($kbNumber) {
    # wusa.exe removes the update silently; -Wait -PassThru lets us read the exit code
    $setup = Start-Process -FilePath "wusa" -ArgumentList "/uninstall /kb:$kbNumber /quiet" -Wait -PassThru

    if ($setup.ExitCode -eq 0) {
        Write-Host "KB$kbNumber removed"
    }
    else {
        Write-Host "wusa exited with code $($setup.ExitCode) while removing KB$kbNumber"
    }
}

function CheckForKB($kbNumber) {
    # wmic qfe lists the installed hotfixes; uninstall the KB if it appears in the output
    $list = wmic qfe list

    foreach ($line in $list) {
        if ($line.Contains($kbNumber)) {
            UninstallKB $kbNumber
        }
    }
}

# output the installed .NET Framework versions
Get-ChildItem -Recurse 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v*' | ForEach-Object { $_.GetValue('Version') } | Sort-Object -Unique

CheckForKB "3102467"  # .NET 4.6
CheckForKB "3186539"  # .NET 4.7

What is in the Microsoft Teams “Electron” App?

So you decided to install Microsoft Teams eh?

Did you know it is an Electron app?

Do you know what you just did?

Probably not.  Electron is a platform to run node.js and any other supported JavaScript frameworks across multiple platforms.  This means any application that utilizes electron will be made up of many different “inherited” technologies and core components.  Each application is required to provide a license file that defines all the “used” 3rd party components.

So have you checked to see what you have installed when you installed Microsoft Teams?  It’s a pretty massive set of frameworks, most open source and available from GitHub.  The list is long and “somewhat” distinguished.

If you weren’t aware of what you just did when you installed Microsoft Teams, this blog post puts it into perspective for you.  This blog post is also used as a reference for a Teams Desktop App deep dive post later this year.  I’ll be updating the usage of each of these components over the next few months and updating as the list changes, so here ya go:

  • electron
    • What is it?
    • Where did it come from?
      • 1.7.1 <https://github.com/electron/electron/archive/v1.7.1.zip>
  • Chromium
    • What is it?
    • Where did it come from?
  • ffmpeg
    • What is it?
    • Where did it come from?
      • 56.0.2924.87 <https://github.com/zcbenz/chromium-source-tarball/releases/download/56.0.2924.87/chromium-56.0.2924.87.tar.xz>
  • debug
    • What is it?
    • Where did it come from?
      • 2.6.3 <https://github.com/visionmedia/debug>
  • socket.io
    0.9.6 <undefined>
  • @nodert-win10/windows.applicationmodel
    0.2.95 <https://github.com/NodeRT/NodeRT>
  • @paulcbetts/cld
    2.4.6 <https://github.com/dachev/cld>
  • @paulcbetts/spellchecker
    4.0.5 <https://github.com/atom/node-spellchecker>
  • ajv
    4.11.8 <https://github.com/epoberezkin/ajv>
  • ansi-regex
    2.1.1 <https://github.com/chalk/ansi-regex>
  • ansi-styles
    2.2.1 <https://github.com/chalk/ansi-styles>
  • asn1
    0.2.3 <https://github.com/mcavage/node-asn1>
  • assert-plus
    1.0.0 <https://github.com/mcavage/node-assert-plus>
  • async
    2.2.0 <https://github.com/caolan/async>
  • asynckit
    0.4.0 <https://github.com/alexindigo/asynckit>
  • aws-sign2
    0.6.0 <https://github.com/mikeal/aws-sign>
  • aws4
    1.6.0 <https://github.com/mhart/aws4>
  • azure-storage
    2.3.0 <https://github.com/Azure/azure-storage-node>
  • balanced-match
    0.4.2 <https://github.com/juliangruber/balanced-match>
  • bcrypt-pbkdf
    1.0.1 <>
  • bl
    1.0.3 <https://github.com/rvagg/bl>
  • boom
    2.10.1 <https://github.com/hapijs/boom>
  • brace-expansion
    1.1.6 <https://github.com/juliangruber/brace-expansion>
  • browserify-mime
    1.2.9 <https://github.com/broofa/node-mime>
  • caseless
    0.12.0 <https://github.com/mikeal/caseless>
  • chalk
    1.1.3 <https://github.com/chalk/chalk>
  • co
    4.6.0 <https://github.com/tj/co>
  • combined-stream
    1.0.5 <https://github.com/felixge/node-combined-stream>
  • commander
    2.9.0 <https://github.com/tj/commander.js>
  • concat-map
    0.0.1 <https://github.com/substack/node-concat-map>
  • core-util-is
    1.0.2 <https://github.com/isaacs/core-util-is>
  • cryptiles
    2.0.5 <https://github.com/hapijs/cryptiles>
  • d
    1.0.0 <https://github.com/medikoo/d>
  • dashdash
    1.14.1 <https://github.com/trentm/node-dashdash>
  • delayed-stream
    1.0.0 <https://github.com/felixge/node-delayed-stream>
  • ecc-jsbn
    0.1.1 <https://github.com/quartzjer/ecc-jsbn>
  • electron-remote
    1.1.2 <https://github.com/paulcbetts/electron-remote>
  • electron-spellchecker
    1.0.4 <https://github.com/paulcbetts/electron-spellchecker>
  • emissary
    1.3.3 <https://github.com/atom/emissary>
  • es5-ext
    0.10.15 <https://github.com/medikoo/es5-ext>
  • es6-iterator
    2.0.1 <https://github.com/medikoo/es6-iterator>
  • es6-symbol
    3.1.1 <https://github.com/medikoo/es6-symbol>
  • es6-weak-map
    0.1.4 <https://github.com/medikoo/es6-weak-map>
  • escape-string-regexp
    1.0.5 <https://github.com/sindresorhus/escape-string-regexp>
  • event-kit
    1.5.0 <https://github.com/atom/event-kit>
  • extend
    3.0.0 <https://github.com/justmoon/node-extend>
  • extsprintf
    1.0.2 <https://github.com/davepacheco/node-extsprintf>
  • forever-agent
    0.6.1 <https://github.com/mikeal/forever-agent>
  • form-data
    2.1.4 <https://github.com/form-data/form-data>
  • fs-jetpack
    0.6.5 <https://github.com/szwacz/fs-jetpack>
  • fs.realpath
    1.0.0 <https://github.com/isaacs/fs.realpath>
  • generate-function
    2.0.0 <https://github.com/mafintosh/generate-function>
  • generate-object-property
    1.2.0 <https://github.com/mafintosh/generate-object-property>
  • getpass
    0.1.6 <https://github.com/arekinath/node-getpass>
  • glob
    7.1.1 <https://github.com/isaacs/node-glob>
  • graceful-readlink
    1.0.1 <https://github.com/zhiyelee/graceful-readlink>
  • grim
    1.5.0 <https://github.com/atom/grim>
  • har-schema
    1.0.5 <https://github.com/ahmadnassri/har-schema>
  • har-validator
    4.2.1 <https://github.com/ahmadnassri/har-validator>
  • has-ansi
    2.0.0 <https://github.com/sindresorhus/has-ansi>
  • hash-base
    3.0.4 <https://github.com/crypto-browserify/hash-base>
  • hashids
    1.1.1 <https://github.com/ivanakimov/hashids.js>
  • hawk
    3.1.3 <https://github.com/hueniverse/hawk>
  • hoek
    2.16.3 <https://github.com/hapijs/hoek>
  • http-signature
    1.1.1 <https://github.com/joyent/node-http-signature>
  • inflight
    1.0.6 <https://github.com/npm/inflight>
  • inherits
    2.0.3 <https://github.com/isaacs/inherits>
  • is-my-json-valid
    2.16.0 <https://github.com/mafintosh/is-my-json-valid>
  • is-property
    1.0.2 <https://github.com/mikolalysenko/is-property>
  • is-typedarray
    1.0.0 <https://github.com/hughsk/is-typedarray>
  • isarray
    1.0.0 <https://github.com/juliangruber/isarray>
  • isstream
    0.1.2 <https://github.com/rvagg/isstream>
  • jodid25519
    1.0.2 <https://github.com/meganz/jodid25519>
  • jsbn
    0.1.1 <https://github.com/andyperlitch/jsbn>
  • json-edm-parser
    0.1.2 <https://github.com/yaxia/json-edm-parser>
  • json-schema
    0.2.3 <https://github.com/kriszyp/json-schema>
  • json-stable-stringify
    1.0.1 <https://github.com/substack/json-stable-stringify>
  • json-stringify-safe
    5.0.1 <https://github.com/isaacs/json-stringify-safe>
  • jsonify
    0.0.0 <https://github.com/substack/jsonify>
  • jsonparse
    1.2.0 <https://github.com/creationix/jsonparse>
  • jsonpointer
    4.0.1 <https://github.com/janl/node-jsonpointer>
  • jsprim
    1.4.0 <https://github.com/joyent/node-jsprim>
  • jwt-decode
    2.1.0 <https://github.com/auth0/jwt-decode>
  • keyboard-layout
    2.0.11 <https://github.com/atom/keyboard-layout>
  • keytar4
    4.0.2 <https://github.com/atom/node-keytar>
  • keytar
    3.0.2 <https://github.com/atom/node-keytar>
  • lodash.assign
    4.2.0 <https://github.com/lodash/lodash>
  • lodash
    4.17.2 <https://github.com/lodash/lodash>
  • lru-cache
    4.0.2 <https://github.com/isaacs/node-lru-cache>
  • md5.js
    1.3.4 <https://github.com/crypto-browserify/md5.js>
  • mime-db
    1.27.0 <https://github.com/jshttp/mime-db>
  • mime-types
    2.1.15 <https://github.com/jshttp/mime-types>
  • minimatch
    3.0.3 <https://github.com/isaacs/minimatch>
  • minimist
    0.0.8 <https://github.com/substack/minimist>
  • mixto
    1.0.0 <https://github.com/atom/mixto>
  • mkdirp
    0.5.1 <https://github.com/substack/node-mkdirp>
  • ms
    0.7.2 <https://github.com/zeit/ms>
  • nan
    2.7.0 <https://github.com/nodejs/nan>
  • node-uuid
    1.4.7 <https://github.com/broofa/node-uuid>
  • oauth-sign
    0.8.2 <https://github.com/mikeal/oauth-sign>
  • once
    1.4.0 <https://github.com/isaacs/once>
  • path-is-absolute
    1.0.1 <https://github.com/sindresorhus/path-is-absolute>
  • performance-now
    0.2.0 <https://github.com/meryn/performance-now>
  • pify
    2.3.0 <https://github.com/sindresorhus/pify>
  • pinkie-promise
    2.0.1 <https://github.com/floatdrop/pinkie-promise>
  • pinkie
    2.0.4 <https://github.com/floatdrop/pinkie>
  • process-nextick-args
    1.0.7 <https://github.com/calvinmetcalf/process-nextick-args>
  • property-accessors
    1.1.3 <https://github.com/atom/property-accessors>
  • pseudomap
    1.0.2 <https://github.com/isaacs/pseudomap>
  • punycode
    1.4.1 <https://github.com/bestiejs/punycode.js>
  • qs
    6.4.0 <https://github.com/ljharb/qs>
  • readable-stream
    2.0.6 <https://github.com/nodejs/readable-stream>
  • request
    2.81.0 <https://github.com/request/request>
  • rimraf
    2.6.1 <https://github.com/isaacs/rimraf>
  • rxjs-serial-subscription
    0.1.1 <https://github.com/paulcbetts/rxjs-serial-subscription>
  • rxjs
    5.2.0 <https://github.com/ReactiveX/RxJS>
  • safe-buffer
    5.1.1 <https://github.com/feross/safe-buffer>
  • sax
    0.5.2 <https://github.com/isaacs/sax-js>
  • semver
    5.1.0 <https://github.com/npm/node-semver>
  • sntp
    1.0.9 <https://github.com/hueniverse/sntp>
  • spawn-rx
    2.0.10 <https://github.com/paulcbetts/spawn-rx>
  • sshpk
    1.11.0 <https://github.com/arekinath/node-sshpk>
  • string_decoder
    0.10.31 <https://github.com/rvagg/string_decoder>
  • stringstream
    0.0.5 <https://github.com/mhart/StringStream>
  • strip-ansi
    3.0.1 <https://github.com/chalk/strip-ansi>
  • supports-color
    2.0.0 <https://github.com/chalk/supports-color>
  • symbol-observable
    1.0.4 <https://github.com/blesh/symbol-observable>
  • tough-cookie
    2.3.2 <https://github.com/salesforce/tough-cookie>
  • tunnel-agent
    0.6.0 <https://github.com/mikeal/tunnel-agent>
  • tweetnacl
    0.14.5 <https://github.com/dchest/tweetnacl-js>
  • underscore-plus
    1.6.6 <https://github.com/atom/underscore-plus>
  • underscore
    1.8.3 <https://github.com/jashkenas/underscore>
  • util-deprecate
    1.0.2 <https://github.com/TooTallNate/util-deprecate>
  • uuid
    3.1.0 <https://github.com/kelektiv/node-uuid>
  • v8-profiler-jrieken
    5.6.5 <https://github.com/node-inspector/v8-profiler>
  • valid-url
    1.0.9 <https://github.com/ogt/valid-url>
  • validator
    3.35.0 <https://github.com/chriso/validator.js>
  • verror
    1.3.6 <https://github.com/davepacheco/node-verror>
  • wrappy
    1.0.2 <https://github.com/npm/wrappy>
  • xml2js
    0.2.7 <https://github.com/Leonidas-from-XIV/node-xml2js>
  • xmlbuilder
    0.4.3 <https://github.com/oozcitak/xmlbuilder-js>
  • xmlhttprequest
    1.8.0 <https://github.com/driverdan/node-XMLHttpRequest>
  • xtend
    4.0.1 <https://github.com/Raynos/xtend>
  • yallist
    2.1.2 <https://github.com/isaacs/yallist>
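The list above is the raw material for a third-party inventory, but a flat list is hard to reason about. As an added example (not code from the original post and not Microsoft's Teams code), here is a small Node.js script that parses a component list in the “name / version <source-url>” format used above into structured records, flags the entries whose source was never recorded (the `<undefined>` and `<>` entries above), counts shipped packages per GitHub owner, and groups packages that come from the same repository under different names or versions (keytar and keytar4 above). The sample text is a constructed excerpt of the list, not the full Teams license file.

```javascript
// Added example: build a supply-chain inventory from a component list in the
// "• name / version <source-url>" format used above.  The sample text is a
// constructed excerpt of that list, not the full Teams license file.
const SAMPLE_INVENTORY = `
  • debug
    2.6.3 <https://github.com/visionmedia/debug>
  • socket.io
    0.9.6 <undefined>
  • async
    2.2.0 <https://github.com/caolan/async>
  • bcrypt-pbkdf
    1.0.1 <>
  • keytar4
    4.0.2 <https://github.com/atom/node-keytar>
  • keytar
    3.0.2 <https://github.com/atom/node-keytar>
`;

// A version line looks like "2.6.3 <https://...>"; the angle brackets may be
// empty or contain the literal word "undefined" when the source was not recorded.
const VERSION_LINE = /^(\d[\w.+-]*)\s*<([^>]*)>$/;

// Parse the list into { name, version, source } records.  A missing or
// placeholder source is normalised to null so callers can test for it.
function parseInventory(text) {
  const entries = [];
  let current = null;
  for (const raw of text.split('\n')) {
    const line = raw.trim();
    if (line === '') continue;
    if (line.startsWith('•')) {
      current = { name: line.slice(1).trim(), version: null, source: null };
      entries.push(current);
      continue;
    }
    const m = VERSION_LINE.exec(line);
    if (m && current) {
      current.version = m[1];
      const src = m[2].trim();
      current.source = src === '' || src === 'undefined' ? null : src;
    }
  }
  return entries;
}

// Components with no recorded upstream: these cannot be matched against
// advisories or licence terms until someone tracks the source down.
function findUnsourced(entries) {
  return entries.filter((e) => e.source === null).map((e) => e.name);
}

// Owner (user or organisation) portion of a GitHub URL, or null.
function githubOwner(source) {
  const m = /^https?:\/\/github\.com\/([^/]+)\//i.exec(source || '');
  return m ? m[1].toLowerCase() : null;
}

// How many shipped packages each GitHub owner is responsible for: a handful of
// maintainers often account for a large share of an Electron app's code.
function ownerCounts(entries) {
  const counts = {};
  for (const e of entries) {
    const owner = githubOwner(e.source);
    if (owner === null) continue;
    counts[owner] = (counts[owner] || 0) + 1;
  }
  return counts;
}

// Repositories that appear under more than one package name or version, i.e.
// the same code shipped twice (each copy needs patching separately).
function sharedRepos(entries) {
  const byRepo = new Map();
  for (const e of entries) {
    if (e.source === null) continue;
    const key = e.source.replace(/\/+$/, '').toLowerCase();
    if (!byRepo.has(key)) byRepo.set(key, []);
    byRepo.get(key).push(`${e.name}@${e.version}`);
  }
  const shared = {};
  for (const [repo, pkgs] of byRepo) {
    if (pkgs.length > 1) shared[repo] = pkgs;
  }
  return shared;
}

// Summary a reviewer would actually read.
function report(entries) {
  return {
    total: entries.length,
    unsourced: findUnsourced(entries),
    owners: ownerCounts(entries),
    sharedRepos: sharedRepos(entries),
  };
}

console.log(JSON.stringify(report(parseInventory(SAMPLE_INVENTORY)), null, 2));
```

Feed the script the full list (or the app's own third-party notice file, once reformatted) and the two interesting outputs are the unsourced entries, which have no upstream to check advisories against, and the shared-repo groups, which show native modules shipped in two versions at once.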

Microsoft Security Features (And How To Use and Find Them)

Working on some security stuff over the next few weeks and decided to write up a blog post on all the Microsoft Security features.  Aka, what they are and what uses them and how you actually find them!  You will also realize that the same name is used a couple of times (“Advanced Threat Protection”) and some things aren’t really products but a marketing term for a “set of products”.  In some cases, the names have changed so Google/Bing search results are crazy!

Someone needs to manage product names with SEO in mind at Microsoft!

  • Azure Key Vault
  • Advanced Threat Analytics (ATA)
    • What is it and what does it do?
      • A proprietary network parsing engine that captures authentication and authorization data.
      • ATA will discover a well known set of attack types such as Pass-the-ticket,  Pass-the-hash, Overpass-the-hash, and many more!
    • What uses it?
      • It uses other systems (like a span port on a switch).
    • How do you get to it?
      • ATA is an on-premises software solution (download it here – amazingly not in the MSDN download center).  You must install it and configure it to monitor the traffic on your network.
      • ATA has to be configured to receive data from your SIEM, Windows Event Forwarding and Windows Event Collectors
  • Office 365 Advanced Threat Protection
    • What is it and what does it do?
      • Protects your email from various different attack vectors including “possible” zero-day protection.  Provides the following:
        • Safe Links, Safe Attachments, spoof intelligence, quarantine, anti-phishing
    • What uses it?
      • Exchange Online and if enabled, your Hybrid setup of your on-premises Exchange
    • How do you get to it?
      • You have to add a subscription that contains this feature, once enabled you will have reports in your Exchange Online portal to view all security events
  • Windows Defender Advanced Threat Protection (aka Windows Defender Security Center)
    • What is it and what does it do?
      • An agent-less built in feature of Windows 10 OS that utilizes “sensors” to analyze user and app behavior to detect anomalies.
    • What uses it?
      • Windows 10 (v1703+)
    • How do you get to it?
      • Do a search for “Windows Defender Security Center” on your windows 10 device.
  • Compliance Manager
    • What is it and what does it do?
      • A new tool that will be released later this year that will score your environment on its compliance abilities to common laws and regulations.
    • What uses it?
      • Office 365 services
    • How do you get to it?
      • TBD
  • Azure Conditional Access
    • What is it and what does it do?
      • Allows you to prevent a user or app from logging in based on policies and threat analytics
    • What uses it?
      • Azure Active Directory
    • How do you get to it?
      • Open your Azure Portal
      • Find the Azure Active Directory you want to configure, select it
      • Click “Conditional Access”
  • Office 365 Conditional Access
    • What is it and what does it do?
      • Allows you to drill down into the sites in SharePoint Online that you’d like to lock down based on limited policy (Modern Auth, IP)
    • What uses it?
      • SharePoint Online
    • How do you get to it?
      • Open your Office 365 Portal
      • Click “SharePoint”
      • Click  “Access Control”
  • Windows Hello
    • What is it and what does it do?
      • Allows you to use Biometric based factors for authentication
    • What uses it?
      • Windows 10+
    • How do you get to it?
      • It is a part of the Windows 10 Operating System.  You can enable it with these steps:
        • Open “Settings”
        • Click “Accounts”
        • Click “Sign in options”
  • Multi-Factor Authentication
    • What is it and what does it do?
      • Only using a password has become bad practice.  Requiring both a password and a token is commonplace (even though many people have not protected their Azure Admin account with MFA!)
    • What uses it?
      • Anything and everything that utilizes authentication via Azure AD or even Hotmail\Passport
    • How do you get to it?
      • You can get there by selecting a user in your Office 365 admin page, then click “Manage multi-factor authentication”, or browse to Azure AD here
      • Tokens are available via the Microsoft Authenticator app (iPhone, Android)
  • Cloud App Security (used to be called “Office 365 Advanced Security Management”)
    • What is it and what does it do?
      • This tool will monitor your employee application usage (including cloud based apps) and give you an idea of what rogue IT solutions may be lingering on your network.
      • A Cloud App catalog can be constructed that would allow you to trust or untrust applications.  Example, If you have chosen OneDrive as your personal file solution, then all instances of Box and DropBox should be disallowed (after migration of course).
    • What uses it?
      • It runs behind the scenes gathering data and information on the apps that are running on your users computers.  The data that is gathered is anonymous so that you abide by various new laws (such as our friends in the EU have enacted).
    • How do you get to it?
  • Data Loss Prevention
    • What is it and what does it do?
      • Allows you to control the type of data that is being sent from your Office 365 environments
    • What uses it?
      • Exchange, SharePoint, Skype
    • How do you get to it?
  • Customer Lockbox
    • What is it and what does it do?
      • It prevents Microsoft engineers from accessing your content in Office 365.
    • What uses it?
      • Office 365 systems
    • How do you get to it?
      • Open your O365 admin portal
      • Expand the “SERVICE SETTINGS” node
      • Click “Customer Lockbox”
      • Toggle the switch to “On”
      • NOTE:  When a Microsoft Engineer needs to access your environment to fix an issue, be aware that the Customer Lockbox requests have a default lifetime of 12 hours, after which they expire.
  • Windows Information Protection
    • What is it and what does it do?
      • An extension to the Information Rights Management (IRM) conversation.  WIP is designed to be seamless.  The idea is that data that starts on your network should stay on your network. If it needs to go somewhere else, then policy should define the rules.  WIP does this.
    • What uses it?
      • Windows 10 (v1607+) with all Microsoft Office products and Microsoft Edge. Universal Windows Apps support WIP but have to be enabled to do so (Microsoft is working with 3rd parties).
      • Azure Rights Management (cloud based IRM) will kick in if you have to share data outside your network (such as with Business Partners).
    • How do you get to it?
      • You can enable WIP by configuring a policy in your Intune portal or utilize System Center Configuration Manager (SCCM) – steps here.
  • Azure Storage Service Encryption
    • What is it and what does it do?
      • Encrypts all the blobs in your storage account using an encryption key
    • What uses it?
      • Azure Storage Accounts
    • How do you get to it?
      • Go to your Azure Portal and select “Storage Accounts”
      • Select a Storage Account
      • In the properties window, select “Encryption”, click “Enabled”
        • NOTE:  If you are missing the “Encryption” node, then it could be:
          • The storage account is “classic”
          • The storage account is not “Blob Storage”
        • NOTE: You cannot utilize your own key with this service (aka, no BYOK)
        • NOTE:  If you enable after you have created an account, only new blobs are encrypted!
        • NOTE:  It is also possible that the Azure Security Center may “recommend” you enable encryption for your older storage accounts
  • Device Guard
    • What is it and what does it do?
      • A group of features.  Combined they lock down a system such that only trusted applications are allowed to execute, thereby preventing malware from ever running on your computer.
    • What uses it?
      • Windows 10 and Windows Server 2016 operating systems
    • How do you get to it?
      • You have to have UEFI running in Native Mode on 64-bit Windows, Second Level Address Translation (SLAT) and virtualization extensions (Intel VT or AMD-V), and preferably a Trusted Platform Module (TPM)
      • Install the “Hyper-V Hypervisor” feature
      • You have to create a Code Integrity Policy and then deploy it to the targeted systems.  This file is called SIPolicy.p7b and lives in the C:\Windows\System32\CodeIntegrity or <EFI System Partition>\Microsoft\Boot for UEFI computers
      • NOTE:  These policies can get very complex very fast, check out all the stuff you can do here
  • Windows Defender Credential Guard
    • What is it and what does it do?
      • Prevents credential theft attacks such as Pass-the-Hash or Pass-the-Ticket.
      • Uses a virtualization-based approach so that only the system software that should reach the credentials can access them
      • Uses the new Virtual Secure Mode (VSM) to secure data in memory, also called Virtualization Based Security (VBS)
    • What uses it?
      • Any software that has to do NTLM or Kerberos authentication
    • How do you get to it?
      • This is a part of the operating system in Windows 10 and Server 2016
  • UEFI Secure Boot
    • What is it and what does it do?
      • Ensures that all software loaded at boot time is trusted.  No “Bootkits” can be loaded.
    • What uses it?
      • Pretty much all of the latest hardware (laptops, servers) have a UEFI bios now, so you get this by default.  You can turn it off, but you would only do so if your operating system was not a part of the trusted set of software
    • How do you get to it?
      • When your computer boots, enter the UEFI BIOS settings; from there you can turn it on or off.  Unless you have a really special Linux distro (or your own) you should probably leave it on!
      • NOTE:  Secure Boot does not require a TPM
  • Trusted Boot Process
    • What is it and what does it do?
      • It is the steps after the Secure Boot process ends.  It makes sure that all the Windows OS level items are secure and trusted.  No “Rootkits” can be loaded.
      • These include:
        • OS Loader, Kernel, System drivers, System Files, ELAM Driver
    • What uses it?
      • Windows 8.1+ and Server OSes
    • How do you get to it?
      • Nothing to “see” here
  • Enterprise Mobility + Security
    • What is it and what does it do?
      • It is a subscription in Office 365.  It is not “technically” a product, but a set of services that will light up in your tenant if you purchase it
    • What uses it?
      • Office 365 and Azure (in terms of “lighting up” available services)
    • How do you get to it?
      • Open your Office 365 portal
      • Click “Billing”
      • Click “Subscriptions”
      • Click “Add subscription”
      • Search for “Enterprise Mobility + Security”
      • Select it, Buy It!
  • MDM for Office 365
    • What is it and what does it do?
      • It allows you to do some really basic mobile device policy enforcement such as password requirements, data encryption, no jailbroken phones.
      • You can also enforce things like blocking cloud backup, screen capture, app store, and bluetooth.
    • What uses it?
      • Policies are enforced by the applications you download such as Outlook for iPhone, etc
    • How do you get to it?
  • Microsoft Intune
    • What is it and what does it do?
      • Microsoft’s hard core MDM solution.  It goes waaay past the basic MDM you get with Office 365.
      • Intune adds many more features and functionality around device management such as windows updates and software push aka Mobile App Management (MAM).
    • What uses it?
      • Any registered or unregistered devices that want to access your cloud services
    • How do you get to it?
      • Open your Office 365 portal, in the “Admin Centers”, select “Intune” or just go to the Intune Portal
  • Intelligent Security Graph
    • What is it and what does it do?
      • Marketing term mainly…not really a product
      • It is a network of security related systems and events that are continually analyzed to determine what attackers are trying to do against the Microsoft Cloud Infrastructure.
    • What uses it?
      • Nothing you are directly exposed to.  This is a behind-the-scenes system of systems that uses various algorithms to find attack patterns.
    • How do you get to it?
      • It’s abstracted away from you; nothing to see here…literally.
  • Azure Monitor
    • What is it and what does it do?
      • It is the log aggregator for all Azure services.  Any future products will also send their data here.
    • What uses it?
      • All Azure services are monitored by Azure Monitor
    • How do you get to it?
      • It has many entry points for getting at the monitoring data: the Azure Portal, PowerShell, the CLI, REST, and a .NET SDK.
  • Azure Advisor
    • What is it and what does it do?
      • Evaluates your Azure subscriptions across several categories: High Availability, Security, Performance, and Cost.
    • What uses it?
      • Nothing technically uses this feature, but it does provide you with recommendations on how to best use Azure and its many features in an optimal manner.
    • How do you get to it?
  • Database Threat Protection
    • What is it and what does it do?
      • Protects your Azure databases from potential internet-based threats.  This can be super helpful when you want to ensure that your developers have actually followed best practices when designing the applications that make calls into your database.
    • What uses it?
      • Azure SQL Databases, possibly other db platforms in the future
    • How do you get to it?
      • Open your Azure Portal
      • Navigate to the “” category
      • Select your SQL Database
      • Click the “Auditing and Threat Detection” node
      • Toggle the buttons to enable “Auditing” and “Threat Detection”
      • NOTE:  It costs $15/server/month
  • Azure Network Monitor (aka Network Watcher, aka Network Performance Monitor)
    • What is it and what does it do?
      • Similar to the SolarWinds Traffic Analyzer and Network Performance Monitor, Azure Network Monitor allows you to set up monitors between services and servers in your Azure instance.  You can also monitor your ExpressRoute traffic if you have that set up.
    • What uses it?
      • Nothing really uses it other than you.
    • How do you get to it?
  • Office 365 Secure Score
    • What is it and what does it do?
      • This tool will evaluate your Office 365 tenant and compare your settings and service configurations to over 364 different reference points
    • What uses it?
      • Nothing uses it; it’s another recommendation tool like Azure Advisor.
    • How do you get to it?
  • Operation Management Suite (OMS)
    • What is it and what does it do?
      • It’s your SCOM server in the cloud, only much cooler!  You can utilize events to fire off configuration tasks, similar to how SolarWinds uses its NCM product to push configurations to Cisco devices.
      • OMS is not really a single product but a set of services; these include:
        • Log Analytics
        • Automation
        • Backup
        • Site Recovery
    • What uses it?
      • OMS uses everything else.  It can make changes to your infrastructure based on the data it is receiving.
    • How do you get to it?
      • Open your Azure Portal
      • The OMS services are under the “MONITORING + MANAGEMENT” category

Testing Office 365 Connectivity

I recently had a customer with an issue accessing their Office 365\SharePoint site.  They were complaining that the performance was not great, so I needed to see what issues they might be having with their network.  The results were really interesting: they were being routed (via ATT) from SJC to CHI to NYC to DUB, then back to LAX and finally to the US West data center in SJC.  Woah…that’s definitely not good!

I decided to write down all the tools I use and the commands I run to test a site’s connectivity to Office 365.

  1. Fiddler
    1. Open a site collection, sort the HTTP requests by latency\execution time
  2. MeasurementLab tools
  3. Ping – Network level
  4. Tracert – Transport level
  5. WireShark – For really tough, weird things that don’t show up in regular network tools (Session, Transport issues)

Services to ping:

  • Exchange
    • ping outlook.office365.com
      • Ensure you are getting the closest data center:
        • outlook-namcentral3.office365.com –
        • outlook-namnorthwest.office365.com –
        • outlook-apacsouth.office365.com –
        • outlook-emeawest.office365.com –
        • etc…
  • SharePoint
    • Resolve-DnsName tenant.sharepoint.com
      • Determine DNS servers serving your requests
    • ping tenant.sharepoint.com -t
    • ping (tenant.sharepoint.com)
      • Target latency = <100ms
    • ping (outlook.office365.com)
      • Target latency = <50ms
  • Skype
    • ping global.tr.skype.com
    • ping -t
      • Target latency = <20ms
  • Azure
  • Other IPs

Services to tracert (use the db-ip.com service to find their locations):

  • tracert
  • tracert

Look up each IP along the way to see if unnecessary routing is occurring.  If it is, then the ISP needs to configure a route to the data center, or the customer needs to set up ExpressRoute.


Painful Example:

  • – local router (San Jose)
  • – Chicago (ATT)
  • – New York (ATT)
  • – New York (ATT)
  • – New York (ATT)
  • – Dublin (Microsoft)
  • – Los Angeles (Microsoft)
  • – Los Angeles (Microsoft)
  • – Los Angeles (Microsoft)
  • – San Jose (Microsoft)
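As an added example that is not part of the original post, here is a small Python script that applies the post’s latency targets and the “look up each hop” route check to constructed Windows ping/tracert output.  The IP addresses are RFC 5737 documentation addresses, the tenant name is a placeholder, and the hop-to-city table stands in for the db-ip.com lookups.

```python
import re

# Latency targets from the post, in ms; "tenant" stands in for your tenant name.
LATENCY_TARGETS_MS = {"tenant.sharepoint.com": 100, "outlook.office365.com": 50,
                      "global.tr.skype.com": 20}
# Constructed sample output in Windows ping/tracert format: IPs are RFC 5737
# documentation addresses and the city table stands in for db-ip.com lookups.
SAMPLE_PING = "Minimum = 140ms, Maximum = 145ms, Average = 142ms"
SAMPLE_TRACERT = """Tracing route to tenant.sharepoint.com [203.0.113.10]
  1    <1 ms    <1 ms    <1 ms  192.0.2.1
  2    15 ms    14 ms    15 ms  198.51.100.2
  3    63 ms    62 ms    63 ms  att-nyc.example [198.51.100.4]
  4     *        *        *     Request timed out.
  5   150 ms   149 ms   150 ms  198.51.100.6
  6   170 ms   170 ms   171 ms  203.0.113.7
  7   172 ms   171 ms   172 ms  203.0.113.10
"""
SAMPLE_LOCATIONS = {"192.0.2.1": "San Jose", "198.51.100.2": "Chicago",
                    "198.51.100.4": "New York", "198.51.100.6": "Dublin",
                    "203.0.113.7": "Los Angeles", "203.0.113.10": "San Jose"}

def parse_ping_average(ping_output):
    """Pull the average round-trip time (ms) out of Windows ping's summary line."""
    m = re.search(r"Average = (\d+)ms", ping_output)
    return int(m.group(1)) if m else None

def check_latency(host, ping_output):
    """Compare the measured average against the post's target for that host."""
    avg = parse_ping_average(ping_output)
    target = LATENCY_TARGETS_MS[host]
    return {"host": host, "average_ms": avg, "target_ms": target,
            "ok": avg is not None and avg < target}

def parse_tracert_hops(tracert_output):
    """Return the responding IP of each numbered hop; timed-out hops are skipped."""
    ip_at_end = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3})\]?\s*$")  # bare or [bracketed]
    hop_lines = [l for l in tracert_output.splitlines() if re.match(r"\s*\d+\s", l)]
    return [m.group(1) for m in map(ip_at_end.search, hop_lines) if m]

def find_detour(hops, locations):
    """Map hops to cities; flag a route that leaves a city and later returns to it."""
    path = []
    for ip in hops:
        city = locations.get(ip, "unknown")
        if not path or path[-1] != city:   # collapse consecutive same-city hops
            path.append(city)
    revisited = sorted({c for i, c in enumerate(path) if c in path[:i]})
    return {"path": path, "detour": bool(revisited), "revisited": revisited}
```

Feed it the real output of `ping -n` and `tracert` from the customer site and replace SAMPLE_LOCATIONS with the cities you look up on db-ip.com; a revisited city (San Jose in the sample) is the signal to go back to the ISP or look at ExpressRoute.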

Helpful references:

Nintex 2016, SharePoint 2016, non-compliant roles

You may run into an issue with your Nintex Services not starting on your non-central administration servers as in this image:

You can attempt to browse the web and Nintex support pages, but they will be of little help:

It turns out that the services did not get installed as part of the solution deployment.  In other words, the Nintex services are missing on your SharePoint server.

In this case, you have to install the services manually in order to start them and have your server be compliant. The three services are:

  • Nintex Connector Workflow Queue Service – (C:\Program Files\Common Files\microsoft shared\Web Server Extensions\16\BIN\NintexWorkflow\Nintex.Workflow.Connector.QueueService.exe)
  • Nintex External Relay Service -(C:\Program Files\Common Files\microsoft shared\Web Server Extensions\16\BIN\ExternalPlatform\Nintex.External.RelayService.exe)
  • Nintex Workflow Start Service – (C:\Program Files\Common Files\microsoft shared\Web Server Extensions\16\BIN\NintexWorkflowStart\Nintex.Workflow.Start.Service.exe)

You can manually install these services on the other servers by running the .NET InstallUtil utility (except that for two of them you have to use the “sc” tool instead).  Note that there are two versions of InstallUtil, 32-bit and 64-bit.  If you use the wrong one, you will get the dreaded “System.BadImageFormatException”, and if it does successfully run, the service won’t be visible to SharePoint due to Nintex “programming practices”.  The install tool is located in:

  • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe

The series of commands, run in an administrator command prompt (cmd.exe) window, would be (note that sc.exe requires a space after each “=”):

  • sc create "Nintex Connector Workflow Queue Service" binPath= "C:\Program Files\Common Files\microsoft shared\Web Server Extensions\16\BIN\NintexWorkflow\Nintex.Workflow.Connector.QueueService.exe" DisplayName= "Nintex Connector Workflow Queue Service" start= auto
  • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe "C:\Program Files\Common Files\microsoft shared\Web Server Extensions\16\BIN\ExternalPlatform\Nintex.External.RelayService.exe"
  • sc create "Nintex Workflow Start Service" binPath= "C:\Program Files\Common Files\microsoft shared\Web Server Extensions\16\BIN\NintexWorkflowStart\Nintex.Workflow.Start.Service.exe" DisplayName= "Nintex Workflow Start Service" start= auto

Why do you have to use “sc create”?  Because InstallUtil registers each service under its internal name, and the internal name of the Queue Service is actually “Nintex Connector Workflow Queue Service Recycle”; for the Start Service, the name ends up being “NWStart”.  With “sc create” you choose the service name yourself, and SharePoint doesn’t like it when services don’t match what it expects!

Once you run the install commands, the services will display in your Services applet:

Once they are installed, switch back to Central Administration, click “Start” on the servers.  They should now start without error and your servers will be in “compliance”!