Conference wrap up

Well, another conference has come and gone.  Microsoft Ignite was a good conference.  I learned a lot and am glad I came, although my legs are pretty sore from walking.  The actual conference center is massive and it seemed like each session I wanted to attend was on the opposite sides of the center.  I walked 8 miles yesterday!  Good Grief!

So, here are my three takeaways from the conference.

  1. I finally feel like I have a good understanding of how to provision our Exchange Online and identity accounts to Azure from our IDM solution.  After having several technical discussions with the Microsoft experts onsite, and talking with my dev manager back at VUMC, I feel pretty confident we have a path going forward and we know what we want to do with our direction.  This one thing made the entire conference worth the trip.
  2. I learned a lot about Microsoft Teams.  I really want to look more into this and leverage this new tool.  There was a big push for Teams here.  I like the persistent chat features and the collaboration tools.  I know Sal does this with his team.  So I want to see how we can leverage this in ADI.
  3. Microsoft has done a TON with its products that I have fallen behind on.  There are extensive changes to Excel, OneNote, Visio, Outlook, PowerPoint, etc.  I feel like I only use 5% of each of these products.  I am going to need to invest more time in learning the latest and relearning these tools.  I really liked the pivot chart and the Get & Transform tools in Excel.  There are some great options there.  Plus, I liked how you could tie Visio to data on the backend.  Overall, there is a lot still to learn here and some great options!

Overall, this was a good conference and I am glad I came.  But I will admit I am pretty fried at this point.  Four days was plenty.  If I come again, I will probably plan on leaving Thursday night.  I don’t know that my brain can take more sessions.  Or my feet can walk anymore!


Posted in Microsoft Ignite 2017, Uncategorized

Using MS OneNote


Personal Productivity and five steps.

“Your mind is for having ideas, not holding them.” – David Allen

Put all your ideas, thoughts, to-do list, pictures, whiteboards, actionable emails: all of this should go into the same section in OneNote, “The Collection Section”.  Why?  Then it is easy to find.  #1: Collect all things in one place.

Some books on productivity:

  • The 5 Minute Rule
  • Getting Things Done
  • Take Back Your Life

How to use OneNote for this.

Use OneNote on your mobile devices.  Then set a section as your default section using your cog wheel.

You can go to Chrome and save to OneNote.  It will save a picture of the website that can be accessed later.  Easy way to save that knowledge.

Another example is to use Office Lens.  Sign in using your account.  Office Lens will clean up the picture.  Again, set the default location.  Pictures are all saved into OneNote.  Or you can take OneNote pictures, which will reframe it.


Lifecycle of using OneNote – five steps.

  1. Want to change your habits.  Need to break down the habit you already have.  Set a goal to be more structured and productive.  Best way to succeed: visualize it, and think of how you would feel if you were successful at that.  Those feelings will make it easier to reach the goal.  Try for 14 days to one month before tuning or changing.
  2. Capture – take time to capture all these thoughts and ideas.  It takes effort to keep all this in your head.  All these thoughts are in your head and pop up all the time.  If you record them, then you can forget about them later.
    1. your thoughts
    2. your ideas
    3. your insights
    4. your dreams
    5. your to do lists

Configure the Send to OneNote settings in the OneNote client.  This will make it so that everything sent to OneNote goes to the same section.

Quick Notes – this can be done using Win + N.

As for emails, if it can be done in under 2 minutes, then do it right away.  Get them out of the way.  This helps others not have to wait for you, and keeps the inbox clean.  The rest can be sent to OneNote.  The goal is an empty inbox.

Sending email to OneNote gets all the content and metadata.  Then, move emails to Archive.  A “not inbox”.

Meetings: from the calendar item, you can click OneNote, and it will prepopulate in OneNote with invitees, time, location, and agenda.  Then you can keep track of what happens.

Skype for Business meetings.  Go to sharing in Skype for Business: it will again move comments to OneNote.

Microsoft Flow – workflow tool for Outlook online or other devices and clients.  Interesting.  The tool allows you to set rules.  For example, when a message is flagged, then move a copy to OneNote.

  3. Process and organize.  Organize content into other, smaller sections.  Can use dynamic and static categories.  Dynamic comes and goes.  Static – need to be able to access in the future.

Possible categories:

  • meeting notes
  • current
  • twitter
  • mobile
  • archive
  • somedayMaybe
  • StaticContent
    • services
    • notes from the field.
    • speaker Evals
    • classes
    • blog
    • etc…

You can use custom tags to create tasks in OneNote.

Tag items with TODO and then use Find Tags.  (This is cool, but kind of cumbersome.)

The Pomodoro technique.  Induces the flow state in 10-25 minute intervals.  Our brains are wired so that it is difficult to get started, but then difficult to stop.  Want to reach that flow state.  Focused time.  Using your TODO list, you can take those 20 minute gaps and get stuff done.

Schedule time on your calendar to deal with TODO list items.  Set time at least once a week to process and look for items to do from your TODO list.  Music between 50-80 BPM is perfect for helping you focus; it helps your brain produce alpha waves.  Turn off all notifications by using “presentation settings”.  The goal is to be single-tasked.  If you can do it for more than 7 minutes, then you will reach the flow state.

Say no to all the distractions.  Focus.  The speaker created a Windows script that shuts out all distractions, then re-enables them.

Key takeaway: collecting.


Posted in Uncategorized

Troubleshooting Office 365 Identity authentication

How modern auth works and what to do when it doesn’t.

Modern auth

Why do enterprises like it?

  • Auth against your own environment.
  • No password
  • Available across platforms
  • Available for different products
  • Not only enterprises!

Pic (pwd prompt)


If the password prompt for Outlook pops up, how do you deal with it?

How does login for Outlook work?


Azure AD Federated auth works with other partners.


(works with Ping! Should we use Ping or ADFS?  We might be able to shut down ADFS if no one uses it?)

Posted in Uncategorized

More Fun with IDM provisioning for Exchange

So, after talking to my dev manager back at my office, I went back again to talk with the MS Tech folks to see if they could answer a few more questions.  I ended up talking with a guy named Phillippe Signoret, a Program Manager for Active Directory (phsignor@microsoft.com).  Here is what I found out.

  1. Is Azure AD a mirror copy of the on-prem AD?  No.  Azure AD will have additional attributes that are specific to the cloud environment.  However, all attributes that are being synced from the on-prem AD environment will be the same.
  2. Does Azure AD sync back to the on-prem AD?  Mostly no.  There are a few things that are synced back, particularly around groups.  But aside from that, attributes only flow one way.
  3. Can we run scripts to update both Azure AD and on-prem AD to keep both in sync if we want to verify that a particular attribute is the same?  No.  Azure AD Connect will mark one environment as the master or owner of that data.  So once that happens, it can only be updated from that environment.  So, for example, we couldn’t run “modifyProxyAddress” on an account in the cloud and on-prem.  The on-prem command would succeed; however, the remote command would fail because it knows that on-prem is the owner of the data.
  4. Understanding our environment, how would he recommend we move forward (see previous posts)?  Once I described how our IDM environment works, and that existing PowerShell scripts update more than just simple creation of mailboxes, he recommended that we try as much as possible to run our scripts on the on-prem AD environment, and then let AAD Connect sync them to the cloud.  He thought that if we run into issues not having an on-prem Exchange environment, we might be able to just apply the schema updates for Exchange to our AD environment, and that would let us update the attributes and have them flow to the cloud.  He wasn’t 100% certain of this and said we would have to test to see if we could still run Exchange commands with only the schema updates.  He also said that there may be some commands that can only be run with an active Exchange environment, but those could be run remotely.  So we would have to know when to run on-prem and when to run remotely depending on the command and what it would do.  But he stressed several times that the data should flow from on-prem to Azure AD.  He said that was the approach he would strongly recommend.

Overall, it was a great high-level design discussion.  It is a good high-level start, but it sounds like we have a lot of investigating to do still…
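The direction-of-flow rule in point 3 and the recommendation in point 4 can be exercised end to end: write the attribute on-prem, let Azure AD Connect carry it up, and only read it back from Exchange Online. The script below is an added example written for this post, not code from the post or from Microsoft. The user name, alias, domain and AAD Connect server name are placeholders, it assumes the ActiveDirectory module locally, WinRM access to the AAD Connect server, and the remote-session method for Exchange Online that the 2017 TechNet articles describe.

```powershell
# Added example (not from the post or from Microsoft): add an SMTP proxy address on-prem,
# push it to Azure AD with a delta sync, and confirm it arrived in Exchange Online.
# On-prem is the source of authority for synced attributes, so the cloud is only read here.
# Placeholders: the user, the alias and the AAD Connect server name.

param(
    [string]$SamAccountName   = 'jdoe',                       # placeholder
    [string]$NewAlias         = 'smtp:john.doe@contoso.com',  # placeholder (lowercase smtp: = secondary)
    [string]$AadConnectServer = 'AADCONNECT01'                # placeholder
)

Import-Module ActiveDirectory

# 1. Write on-prem. proxyAddresses is multi-valued, so add rather than overwrite.
$user = Get-ADUser -Identity $SamAccountName -Properties proxyAddresses
if ($user.proxyAddresses -contains $NewAlias) {
    Write-Host "$NewAlias already present on-prem; nothing to write."
} else {
    Set-ADUser -Identity $SamAccountName -Add @{ proxyAddresses = $NewAlias }
}

# 2. Trigger a delta sync on the AAD Connect server instead of waiting for the scheduler.
Invoke-Command -ComputerName $AadConnectServer -ScriptBlock {
    Import-Module ADSync
    Start-ADSyncSyncCycle -PolicyType Delta
}

# 3. Connect to Exchange Online (remote PowerShell session) and verify the value arrived.
$cred    = Get-Credential -Message 'Exchange Online admin'
$session = New-PSSession -ConfigurationName Microsoft.Exchange `
    -ConnectionUri 'https://outlook.office365.com/powershell-liveid/' `
    -Credential $cred -Authentication Basic -AllowRedirection
Import-PSSession $session -DisableNameChecking | Out-Null

try {
    $deadline = (Get-Date).AddMinutes(10)
    do {
        $mbx = Get-Mailbox -Identity $user.UserPrincipalName -ErrorAction SilentlyContinue
        $cloudAliases = @()
        if ($mbx) { $cloudAliases = $mbx.EmailAddresses | ForEach-Object { $_.ToString() } }
        $synced = $cloudAliases -contains $NewAlias
        if (-not $synced) { Start-Sleep -Seconds 30 }
    } until ($synced -or (Get-Date) -gt $deadline)

    if ($synced) { Write-Host "Verified: $NewAlias is on the cloud mailbox (flowed from on-prem)." }
    else         { Write-Warning "Not visible in Exchange Online yet; check the sync cycle and connector errors." }
} finally {
    Remove-PSSession $session
}
```

Run it from a workstation with RSAT and the Exchange Online admin credential. The polling loop exists because a delta sync plus the Exchange Online directory write-back is not instantaneous; if the alias never shows up, the place to look is the AAD Connect connector run history, not a second write from the cloud side, which the post says would be refused anyway.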

Posted in Microsoft Ignite 2017, Uncategorized

The untold truth of social engineering

Milad Aslaner

(Scariest session I’ve attended in a long time)

What is the background of social engineering?  Con men.  Today, you just need a computer and you can be a con man.  Social engineering is basically being a con man.  They try to build trust, and then get to the next level.

There are key steps that hackers take before they start an attack.

The attack landscape has changed.  Before, hackers would try to attack the infrastructure to get secret data.  Now, they just ask for the data.  Phishing emails.

An attacker sends 100 emails; 23 will open it, 11 will open the attachment, 6 will do it in the first hour.

Operation Stuxnet

Nuclear facility in Iran.  They threw USB sticks into the parking lot of the facility.  People found them and plugged them in.  That is how the hackers got into that network.

Barium, Lead, Strontium.  All three are attack groups that leverage social media to attack various groups.

All of them leveraged social engineering.

Digitalization is happening everywhere.  So you have to prepare and set security for these new digital endeavors.  Information is the new currency.  With information, you can rule the world.  The weakest link is always the human.

Can’t rely solely on technology.

Human attacks:

  • It’s free
  • Ignorance
  • I have nothing of value
  • Trust – I trust what I see.

It’s not the user’s fault.  The attacks are so complex, they can’t tell the difference between legitimate emails and phishing attacks.

Amount of data flowing is mind blowing!

Data Hunting

All kinds of data that we share is available.  We freely give out info about ourselves.  What we like.  What we don’t like.  Our favorite restaurants, foods, etc.


Hackers can leverage public data to guess passwords or challenge questions.

Hackers can use google.

Site:.gov intex:password filetype:xls

Maltego.  The tool can crawl many different data points for info.  Start with one point of info and see where it goes.  He put in one person’s name, and found email, Twitter, web sites, etc.  I can then find out what he is following, what he likes, etc.  Using Maltego, you can see all kinds of data about a person and who they are.  [this is freaking scary!]

Art of the attacks

Three types of attacks:

Human – putting pressure on someone.  Emotion.  For example, if you use the word “because”, people will do what you want.  Trigger words.

Computer – exploits on machines.  Like USB attack

Mobile – take a legitimate app, download, then modify and push it to another store.

  1. Starts with research.
  2. Target identification
  3. Establish trust
  4. Begin infiltration. Can be that day, or months or years later.

Social Engineering Toolkit – TrustedSec.

This tool automates the creation of hacker websites.  It will clone websites. And then you can point phishers to it.  It took 2 mins to create this.

So, what to do?

Threat Intelligence.  Collects data on possible threats.  Then they run analytics.  Then leverage what they learn across the stack.


In addition to the products, they also use the Digital Crimes Unit.  Works to destroy bots.

All connects to the Microsoft stack.

Example:


Windows Defender Security Center.  – Sal – are you guys using this for Azure?


Posted in Microsoft Ignite 2017, Uncategorized

Office 365 Exposed

Tony Redmond and Paul Robichaux


Cool.  Got to sit in the studio audience for this.  They are broadcasting or recording a podcast for O365.

Crowds are massive.  Easier to attend streamed keynotes.  The big problem is the distance between buildings.  Food here is just above average.

Lots of talk about compliance and GDPR from the show floor.

New Microsoft announcements:

  1. Tons of Teams announcements.  Good job of breaking Teams down in architecture: where it stores files, and how it will replace the Skype for Business client.  Lots of good.  Less effective: lack of offline access and tough on slow networks.  Teams was announced last year and available in March.  Lots of usage and pilots among people here.  125k orgs are now using Teams.  Teams is built for the enterprise.
  2. Multi-geo tenants for Exchange.  Not a solution for network problems.  Moving data to new geo locations won’t solve performance issues.  Rather, multi-geo tenants let those who have data restrictions take advantage of it.  GA early 2018.
  3. Exchange 2019.  SharePoint and Skype 2019.  For Exchange it is the tenth product release.  Gives a feeling of confidence to folks who are still on prem.  This will extend support for on prem till 2028.  Could be a big deal for enterprise companies to allow them to continue to run in a supported manner.  Also allows for hybrid customers to be supported.

Every time you create a team, it creates a group.  So Groups is a big foundation for Teams.  10M users use Teams daily.

Big lesson around Teams is “let me turn off self service”.  Groups by nature are self service.  Lots of people have disabled Groups.  But this causes issues when people decide to give up waiting for IT groups.

Another issue is there is no limit on the names that are used to create teams.  Big issue when users create teams (which creates groups) if they use the same name.  Could have many teams named “Chris group”.  Feedback: naming policy is bad.

Drag and drop support for groups.  This is a win.  Not yet on mobile, but perhaps coming?

Options coming in the future:

  • Expiration based on usage not on date.  Potential future option.
  • Collaboration outside of firewall.  Allows users outside the org.
  • Reattestation of guests.  Every x days question to see if guest is still valid?
  • Add guest, with some protections.
  • Compliance. Retention policy.  Soft deleted teams. Labels.  (Tag content.  Can do it manually, or apply auto labeling). Then, tie label to a policy.  Look in this area.  Some pieces in place, but looking for future enhancements.
  • Tell where teams were created from and where groups were created from.
  • Programmatically create teams.  Preprovision teams automatically.

Big take away:

LinkedIn content sync.  Starting soon, there will be a connection to LinkedIn from O365.  Set on by default.  Will eventually be enabled in Outlook desktop.

Posted in Microsoft Ignite 2017, Uncategorized

Expo…


Wow.  Just spent the last four hours in the expo.  This is a huge area filled with tech people and vendors.  Sat through some product demos, and heard about some cool new features.  I’d sum up what I learned in a few short items.

  • I hate salesmen.  I like free stuff, but I hate badge scanning knowing it will lead to more spam email.  So I avoided most of the vendors.
  • Learned that Visio can be linked to data in Excel or databases.  Could be used to make cool dashboards, or other interesting graphs and designs.  That is pretty cool.
  • Learned that Lieberman Software has some cool identity management tools, including some great password protection services.  They may be worth chatting with as a possible vendor for IDM replacement.
  • Our old buddies SailPoint were there as well.  They were very excited about their new integration with Epic.  They wanted to talk to me at length about it.  So, probably need to add them to the list as well.
  • Wow, there is a lot of crap, worthless stuff that vendors will give you to try and get your contact info.
  • I really don’t like crowds.  Why do I keep coming to these things?
  • One place offered alcoholic lollipops.  I don’t drink, but after spending four hours talking to vendors, I was tempted….

Posted in Microsoft Ignite 2017

Rock your profile in LinkedIn

(Interesting session.  Wonder how LinkedIn will integrate with O365.)

You never get a second chance at making a first impression.  People will research you online.  Key areas that you should focus on:

LinkedIn is trying to create a digital network/graph that includes all of these:

  • Members
  • Companies
  • Jobs
  • Skills
  • Schools
  • Knowledge

Allows for optimization and efficiency for the whole world.

Best practices for LinkedIn profile:

  • Add a photo
  • Headline section.  Update this with a grab attention phrase.
  • Summary section.  Pulls people in.  One minute elevator pitch.  First person narrative.  Three short paragraphs.  I’m motivated by… I’m passionate about…  I have experience in…
  • Work history section.  Include more description in the work history section.  Not a resume with bullet points.  Three quick paragraphs.  What you did, what projects, what tech.  More personal narrative.
  • Add skills to your profile.  At least five skills.  Soft and tech.
  • Add certifications, publications, dev, etc.
  • Include location, education, volunteer experiences, accomplishments.

Follow companies.  They will produce content.  Share info in your update feeds.

Influencers – follow them.


Publishing is the next level.  Like a blog.

Posted in Microsoft Ignite 2017

Surviving identity management in a hybrid world

Azure AD Connect


First, if you are using DirSync, it is almost too late to migrate.  Need to do that SOON!

Azure AD Connect.  Manages accounts and identities for the cloud.  Several options:

  1. Verified domains.  If you have a verified domain, you can have up to 300k objects.
  2. Fix on-prem issues first.
  3. No Server Core.

When you are ready to start, there are some options.  Express settings is the basic one.

First, you need on-prem AD.  Foundation of all user IDs.  Then come cloud-based identities.  (Get the Azure stencils for Visio.)

Can then add MFA to sign on after that.

Demo.  Password sync will sync the password hash to the cloud.  This means we won’t need to have a direct connection to the cloud AD environment.  This is the default.  Also supports ADFS, or on-prem pass-through authentication back to on-prem AD.

They showed running the Azure AD Connect tool to sync user accounts, groups, etc. to the cloud.  Pretty easy and straightforward.

Best practice:

  • Don’t change the password for the service account.
  • Configure the scheduler to have different sync times and cycles.
  • Understand port requirements – Kerberos, LDAP, etc.  Firewalls that need to be opened.
  • Disable unwanted sync rules.  Some won’t be necessary.
  • Filtering of organizational units, groups, domains and attributes.  Can have different filters, so please configure them!
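
Two of the best-practice bullets above (port requirements and the scheduler) are easy to check from the Azure AD Connect server itself. The script below is an added example written for this post, not the speaker's material or Microsoft's; it uses the ADSync module cmdlets that ship with Azure AD Connect and Test-NetConnection from Windows. The domain controller name and the interval are placeholders, and the port list covers only the Kerberos, LDAP and HTTPS paths the post names.

```powershell
# Added example (not from the post or from Microsoft): run on the Azure AD Connect server.
# 1) checks the firewall paths the post lists (Kerberos/LDAP to a DC, HTTPS to Azure AD),
# 2) shows the sync scheduler state, 3) optionally applies a custom sync interval.
# Placeholders: the DC name and the interval.

param(
    [string]$DomainController = 'DC01.corp.contoso.com',   # placeholder
    [int]$SyncIntervalMinutes = 30,                        # placeholder; 30 min is the usual floor
    [switch]$ApplySchedule
)

Import-Module ADSync

# 1. Port checks. A TCP success only proves the port answers, not that the protocol works
#    end to end, but it catches the firewall rule that was never opened.
$checks = @(
    @{ Name = 'Kerberos to DC'; Host = $DomainController;           Port = 88  },
    @{ Name = 'LDAP to DC';     Host = $DomainController;           Port = 389 },
    @{ Name = 'LDAPS to DC';    Host = $DomainController;           Port = 636 },
    @{ Name = 'Azure AD HTTPS'; Host = 'login.microsoftonline.com'; Port = 443 }
)
foreach ($c in $checks) {
    $ok = (Test-NetConnection -ComputerName $c.Host -Port $c.Port -WarningAction SilentlyContinue).TcpTestSucceeded
    '{0,-15} {1}:{2,-4} {3}' -f $c.Name, $c.Host, $c.Port, $(if ($ok) { 'open' } else { 'BLOCKED' })
}

# 2. Scheduler state: is the cycle enabled, what interval is in effect, when is the next run.
Get-ADSyncScheduler |
    Select-Object SyncCycleEnabled, AllowedSyncCycleInterval, CurrentlyEffectiveSyncCycleInterval,
                  NextSyncCycleStartTimeInUTC, SyncCycleInProgress, StagingModeEnabled

# 3. Optionally apply a custom interval. The service will not go below AllowedSyncCycleInterval,
#    so compare the customized and effective values afterwards.
if ($ApplySchedule) {
    Set-ADSyncScheduler -CustomizedSyncCycleInterval (New-TimeSpan -Minutes $SyncIntervalMinutes)
    Set-ADSyncScheduler -SyncCycleEnabled $true
    Get-ADSyncScheduler | Select-Object CustomizedSyncCycleInterval, CurrentlyEffectiveSyncCycleInterval
}

# 4. Any connector run currently in progress (empty output when the engine is idle).
Get-ADSyncConnectorRunStatus
```

Run it in an elevated PowerShell on the AAD Connect server; without -ApplySchedule it only reads. The StagingModeEnabled column is worth a glance on a server you did not build yourself: a staging-mode server imports and syncs but never exports, which looks exactly like "nothing flows to the cloud" when you are debugging.
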
Posted in Microsoft Ignite 2017, Uncategorized

PowerShell scripts are the answer

Just talked to a tech professional in the immersion zone.  This is a great place where they have all kinds of labs set up where people can learn new technologies and have hands-on experience.  They have all kinds of labs.  Unfortunately, they didn’t have a lab around how to manage Exchange Online through PowerShell scripts.  Of course that would have been too easy.


However, I was able to speak with an EMS tech professional.  He told me that what I was describing was pretty simple.  All we need to do is go through our existing PowerShell scripts and find any existing calls and replace them with their Exchange Online equivalents.  He thinks that 80% of our effort will be pretty straightforward.

Here are a few articles that will help:

Using PowerShell with Exchange Online: https://technet.microsoft.com/en-us/library/jj200677(v=exchg.160).aspx

Connect to Exchange Online through PowerShell: https://technet.microsoft.com/en-us/library/jj984289(v=exchg.160).aspx

Exchange Online cmdlets: https://technet.microsoft.com/en-us/library/jj200780(v=exchg.160).aspx
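"Go through our existing scripts and find the calls that need an Exchange Online equivalent" is a job a script can do for you, and the Exchange Online session itself is the authoritative list of what is available. The example below is added here and is not from the post, the tech professional or Microsoft: it connects with the remote-session method from the second link, records the cmdlet names that session exports, then parses each local .ps1 with the PowerShell parser (no execution) and reports every command that neither Exchange Online exports nor the local machine can resolve. The script folder path is a placeholder.

```powershell
# Added example (not from the post or from Microsoft): inventory cmdlets used by existing
# provisioning scripts and flag the ones Exchange Online does not export, so you know which
# calls need an Exchange Online equivalent before cutting over. Placeholder: the script folder.

param(
    [string]$ScriptRoot = 'C:\IDM\ExchangeScripts'   # placeholder
)

# 1. Connect to Exchange Online and capture the cmdlet names the session actually exports.
$cred    = Get-Credential -Message 'Exchange Online admin'
$session = New-PSSession -ConfigurationName Microsoft.Exchange `
    -ConnectionUri 'https://outlook.office365.com/powershell-liveid/' `
    -Credential $cred -Authentication Basic -AllowRedirection
$exoModule  = Import-PSSession $session -DisableNameChecking
$exoCmdlets = [System.Collections.Generic.HashSet[string]]::new(
    [string[]]$exoModule.ExportedCommands.Keys, [System.StringComparer]::OrdinalIgnoreCase)

# 2. Parse each script with the PowerShell AST (nothing is executed) and collect command names.
$findings = foreach ($file in Get-ChildItem -Path $ScriptRoot -Filter *.ps1 -Recurse) {
    $tokens = $null; $errors = $null
    $ast = [System.Management.Automation.Language.Parser]::ParseFile($file.FullName, [ref]$tokens, [ref]$errors)
    $commands = $ast.FindAll({ $args[0] -is [System.Management.Automation.Language.CommandAst] }, $true)
    foreach ($cmd in $commands) {
        $name = $cmd.GetCommandName()
        if (-not $name) { continue }                    # e.g. "& $variable": not resolvable statically
        if ($exoCmdlets.Contains($name)) { continue }   # exported by Exchange Online as-is
        # Skip commands that resolve locally (core PowerShell, the AD module, ...). What remains
        # is either an on-prem-only Exchange cmdlet or something not installed on this machine.
        if (Get-Command -Name $name -ErrorAction SilentlyContinue) { continue }
        [pscustomobject]@{
            Script  = $file.Name
            Line    = $cmd.Extent.StartLineNumber
            Command = $name
        }
    }
}

Remove-PSSession $session

# 3. Summarise: which cmdlets, how often, and where they are called.
$findings | Group-Object Command | Sort-Object Count -Descending |
    Select-Object Name, Count,
        @{ n = 'Locations'; e = { ($_.Group | ForEach-Object { "$($_.Script):$($_.Line)" }) -join ', ' } }
```

Two caveats when reading the report. A cmdlet that exists in both environments but is called with an on-prem-only parameter (New-Mailbox -Database, for instance) is not flagged, because only the command name is compared; a follow-up pass over $cmd.CommandElements for parameter names would catch that. And anything the local machine happens to have installed is silently skipped, so run the scan from a workstation without the on-prem Exchange management tools, otherwise those cmdlets resolve locally and disappear from the list.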

Posted in Microsoft Ignite 2017