Updating Exchange Online from IDM

I spoke with the Exchange Online tech guys in the expo area about how to replicate the current functionality we have in our IDM environment with regard to Exchange config. In particular, I asked about the following use cases:

  1. Create new accounts
  2. Remove accounts
  3. Allow end users to manage their own email aliases/proxy addresses
  4. Auto set out of office for vacation
  5. Auto set out of office for terminated employees
  6. Manage vanity domains


After he understood our environment and where we were wanting to take it, he recommended that we use PowerShell scripts or Microsoft Graph to replicate our current functionality.  I asked him if we needed to have an Exchange instance on prem so we could sync to the cloud, and he said no, he wouldn’t recommend that.  He said that was heavy overhead for what we were trying to do.

So, assuming we won’t have a local Exchange environment, we need to learn more about scripting in PowerShell / Microsoft Graph and see how we can leverage these APIs to replicate what we do today.  Need to look into training, or see if I can find a session on this while I am here.

(I am reposting this since my previous post has disappeared magically.  😩)
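As an added example (not code from the original post, and not Microsoft's), here is what use cases 3, 4 and 5 look like as PowerShell against Exchange Online using the current ExchangeOnlineManagement module rather than the 2017-era remote session; the mailbox names, alias and dates are assumptions. Two things the expo conversation did not cover and that matter here: if accounts are synced from on-prem AD with Azure AD Connect, Exchange Online treats proxy addresses on those objects as read-only and Set-Mailbox -EmailAddresses fails for them, so the alias write has to go into the on-prem proxyAddresses attribute and ride the sync instead; and a self-service alias tool must confirm the domain is one the tenant accepts and that the address does not already belong to another recipient before it writes anything, or users can claim addresses that are not theirs.

```powershell
# Added example, not from the original post. Assumes the ExchangeOnlineManagement
# module and an account holding the Mail Recipients role; all identities are made up.
#Requires -Modules ExchangeOnlineManagement

Connect-ExchangeOnline -ShowBanner:$false   # for unattended runs use -AppId/-CertificateThumbprint

# Use case 4: vacation auto-reply with a start and end, so it switches itself off.
function Set-VacationAutoReply {
    param(
        [Parameter(Mandatory)] [string]   $Mailbox,
        [Parameter(Mandatory)] [datetime] $Start,
        [Parameter(Mandatory)] [datetime] $End,
        [string] $Message = 'I am out of the office and will reply when I return.'
    )
    if ($End -le $Start) { throw "End ($End) must be after Start ($Start)" }
    Set-MailboxAutoReplyConfiguration -Identity $Mailbox -AutoReplyState Scheduled `
        -StartTime $Start -EndTime $End `
        -InternalMessage $Message -ExternalMessage $Message -ExternalAudience All
}

# Use case 5: terminated employee. Enabled (no end date) so it stays on until the mailbox
# is retired; ExternalAudience Known replies only to senders already in the user's
# contacts, so address-harvesting probes from strangers get nothing back.
function Set-TerminatedAutoReply {
    param(
        [Parameter(Mandatory)] [string] $Mailbox,
        [Parameter(Mandatory)] [string] $ContactInstead
    )
    Set-MailboxAutoReplyConfiguration -Identity $Mailbox -AutoReplyState Enabled `
        -InternalMessage "This employee has left the organization. Please contact $ContactInstead." `
        -ExternalMessage "This mailbox is no longer monitored. Please contact $ContactInstead." `
        -ExternalAudience Known
}

# Use case 3: add an alias on a user's behalf from a self-service front end. The two
# checks are the whole point: without them a user can claim an address in a domain we
# do not own, or one that already belongs to another mailbox, group or contact.
function Add-MailboxAlias {
    param(
        [Parameter(Mandatory)] [string] $Mailbox,
        [Parameter(Mandatory)] [string] $Alias
    )
    if ($Alias -notmatch '^[A-Za-z0-9._%+-]+@([A-Za-z0-9.-]+\.[A-Za-z]{2,})$') {
        throw "Malformed alias: $Alias"
    }
    $domain = $Matches[1]

    # 1. The domain must be an accepted domain of the tenant.
    $accepted = Get-AcceptedDomain | ForEach-Object { $_.DomainName.ToString() }
    if ($accepted -notcontains $domain) { throw "$domain is not an accepted domain of this tenant" }

    # 2. No other recipient (mailbox, group, contact) may already hold the address.
    $owner = Get-Recipient -Filter "EmailAddresses -eq 'smtp:$Alias'" -ResultSize 1
    if ($owner) { throw "$Alias already belongs to $($owner.PrimarySmtpAddress)" }

    # Fails for directory-synced users: write proxyAddresses in on-prem AD for those.
    Set-Mailbox -Identity $Mailbox -EmailAddresses @{ Add = "smtp:$Alias" }
}

Set-VacationAutoReply   -Mailbox 'alice@contoso.com' -Start (Get-Date '2017-10-02') -End (Get-Date '2017-10-09')
Set-TerminatedAutoReply -Mailbox 'bob@contoso.com'   -ContactInstead 'helpdesk@contoso.com'
Add-MailboxAlias        -Mailbox 'alice@contoso.com' -Alias 'a.smith@contoso.com'
```

Use cases 1 and 2 (create and remove accounts) are not in the block on purpose: with Azure AD Connect in the picture, the account lifecycle belongs to on-prem AD and the sync, and the mailbox follows the license, which is where the provisioning post below picks up.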

Posted in Microsoft Ignite 2017, Uncategorized

Microsoft Teams and how to drive adoption 

Successful adoption is not about tech; it is more that it is a change in human behavior.  People need to see the value in it for them.

Teams consists of: chat, calls and meetings, Office 365 integration, customizable and extensible, and enterprise security.

Teams is unified with Office 365.

Joint editing of docs.

First need to identify early adopters and business outcomes to show early wins. IT-led adoption appears faster than just organic growth.   Recommend we take a deliberate approach.  Reach out to people and consciously make the choice to adopt.

Everything is open and shared.  Big paradigm shift.  Pilot group needs to have a shared mission.  Used to sharing data.  Need a reason to get together and talk.  Shared purpose.

Need to go all in.  They need to take communications that used to be external and move them into Teams.  Can be very hard to do. Bring external communications and files into the environment. Remind folks to move chat from Skype to Teams.  Chat is persistent.

Recognize that this is a change, and be open about it.  It is a big change.  Establish champions and ambassadors.   Channel internally.

@@@@@

Need to look into how to use MS Teams for our department.  I like the persistent chat and shared docs.  I would like to know how this relates to and impacts our current strategy of using Box for file storage and sharing.  Sounds like to use Teams we would need to have our files all in SharePoint.  Need to ask Hogan about this.

Posted in Microsoft Ignite 2017, Uncategorized

Provisioning to the O365 cloud

So, I just spoke with a guy named Romero at the MS Tech Expo.  He works in the EMS Identity space.  I described our current environment for him and asked him about the best way to provision identities to the O365 cloud.


We discussed it for a while and he had a few recommendations.

1. Use Azure AD Connect to sync accounts and attributes to the cloud.  (Pretty sure we are planning on this.)

2. For licensing, he recommended we use group-based licensing.  We could simply add users to a group and have the group sync to the cloud as well.  Or we could use dynamic groups and have membership based off an attribute.  The dynamic group would then automatically recognize new users and add them to the licenses.

3. Recommended NOT using ADFS, but rather just syncing the password hash into the cloud AD environment for authentication directly to the cloud.

He made it sound like it was a pretty easy solution and wouldn’t be difficult.  Curious to get input from the VUMC IT teams on this and what they think.
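As an added example (not from the post and not Microsoft's code), recommendation 2 as a script: a dynamic Azure AD group keyed on a synced attribute, used as the target for group-based licensing, written against the Microsoft Graph PowerShell SDK, which has since replaced the AzureAD module that was current in 2017. The group name, attribute value and SKU are assumptions. The security point is in the rule: it must key on an attribute that the HR-fed IDM owns via Azure AD Connect, not one a user can edit about themselves, or a profile edit becomes a license grant. Because both membership evaluation and license assignment are asynchronous, the script ends with the two checks that tell you whether it actually took.

```powershell
# Added example, not from the original post. Assumes the Microsoft Graph PowerShell SDK
# and an admin who can create groups and assign licenses; names and SKU are made up.
#Requires -Modules Microsoft.Graph.Groups, Microsoft.Graph.Identity.DirectoryManagement

Connect-MgGraph -Scopes 'Group.ReadWrite.All', 'Organization.Read.All', 'Directory.ReadWrite.All'

function New-LicensingGroup {
    param(
        [Parameter(Mandatory)] [string] $DisplayName,
        [Parameter(Mandatory)] [string] $MembershipRule,
        [Parameter(Mandatory)] [string] $SkuPartNumber    # e.g. ENTERPRISEPACK = Office 365 E3
    )
    # Security-enabled, not mail-enabled: this group exists only to carry licenses.
    $group = New-MgGroup -DisplayName $DisplayName `
        -MailEnabled:$false -MailNickname ($DisplayName -replace '[^A-Za-z0-9]', '') `
        -SecurityEnabled `
        -GroupTypes @('DynamicMembership') `
        -MembershipRule $MembershipRule `
        -MembershipRuleProcessingState 'On'

    $sku = Get-MgSubscribedSku | Where-Object SkuPartNumber -eq $SkuPartNumber
    if (-not $sku) { throw "SKU $SkuPartNumber is not subscribed in this tenant" }

    # Group-based licensing: every current and future member inherits the SKU.
    Set-MgGroupLicense -GroupId $group.Id `
        -AddLicenses @(@{ SkuId = $sku.SkuId }) -RemoveLicenses @()

    return $group
}

# extensionAttribute1 is populated from on-prem AD by the IDM feed and synced by
# Azure AD Connect; users cannot edit it, which is what makes it a safe key.
$g = New-LicensingGroup -DisplayName 'Lic-O365-E3-Staff' `
    -MembershipRule '(user.accountEnabled -eq true) and (user.extensionAttribute1 -eq "STAFF")' `
    -SkuPartNumber 'ENTERPRISEPACK'

# The checks: the rule is evaluated in the background, and a member can fail licensing
# (no seats left, conflicting service plans). Review both before relying on the group.
(Get-MgGroup -GroupId $g.Id -Property MembershipRuleProcessingState).MembershipRuleProcessingState
Get-MgGroupMemberWithLicenseError -GroupId $g.Id | Select-Object Id
```

The same group also works for the "add users to a group and sync it" variant in the recommendation: create it as a plain security group in on-prem AD, let Azure AD Connect sync it, and call Set-MgGroupLicense on the synced object instead of creating one with a rule.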

Posted in Identity, Identity Management, Microsoft Ignite 2017

ADFS: what’s new and upcoming

ADFS is the largest federation provider for Azure AD. Released ADFS 2016.  High adoption rates.

Nobody likes passwords.  Alphanumeric passwords are hard for humans to remember and easy for computers to guess.  Use of usernames and passwords in the extranet leads to DoS attacks.  Traditional network boundaries are dissolving due to productivity gains.  People want to work on the go.  This pushes user auth to the extranet.

Passwordless auth options.

1. Virtual smart card.  Windows Hello for Business.  Uses biometrics.  Works well with Windows 10.  Doesn’t work for mobile or older versions of Windows.  Advantage is that the auth pattern works from external networks.

New tool: http://ADFS.microsoft.com 

2. Certificate-based authentication.  Works for managed devices.  Good for browser-based auth. Also supports O365 quirks: Microsoft Authenticator for iOS apps. Requires Exchange Online and Azure AD.

3. Azure MFA. Supports all options.

Time-based OTP (TOTP) is used as the primary login credential.

Available from the MS Authenticator app.  Can be pushed as part of an MDM solution.  TOTP is only a single factor, so need to add a cert or a user/password.  But login only occurs after the other.  Can use thumbprint or face scan for bio to unlock the PIN.

What to do about passwords now?

@@@@@

Azure AD in the cloud has some good tools for identifying bad actors attacking an account.  Can check for IP addresses; can check for failed attempts from unfamiliar IP addresses.  This is a premium feature.
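As an added example (not from the session and not Microsoft's detection logic), here is the minimal version of that "failures from an unfamiliar IP" check, for a tenant that is not paying for the premium feature but does export sign-in logs. The records below are constructed in the shape of the sign-in log export (userPrincipalName, ipAddress, createdDateTime, status.errorCode); the users and IPs are made up. They are built so that alice has three failures from an address she has never succeeded from, while bob's single failure comes from the same address as his successful logins. Error code 0 is a successful sign-in and 50126 is "invalid username or password" in Azure AD.

```powershell
# Added example, not from the original post. The $signIns records are constructed
# sample data in the shape of an Azure AD sign-in log export; nothing here is real.
$signIns = @'
[
 {"userPrincipalName":"alice@example.edu","ipAddress":"203.0.113.10","createdDateTime":"2017-09-20T08:01:00Z","status":{"errorCode":0}},
 {"userPrincipalName":"alice@example.edu","ipAddress":"203.0.113.10","createdDateTime":"2017-09-21T08:05:00Z","status":{"errorCode":0}},
 {"userPrincipalName":"alice@example.edu","ipAddress":"198.51.100.7","createdDateTime":"2017-09-25T02:10:00Z","status":{"errorCode":50126}},
 {"userPrincipalName":"alice@example.edu","ipAddress":"198.51.100.7","createdDateTime":"2017-09-25T02:11:00Z","status":{"errorCode":50126}},
 {"userPrincipalName":"alice@example.edu","ipAddress":"198.51.100.7","createdDateTime":"2017-09-25T02:12:00Z","status":{"errorCode":50126}},
 {"userPrincipalName":"bob@example.edu","ipAddress":"203.0.113.10","createdDateTime":"2017-09-25T09:00:00Z","status":{"errorCode":50126}},
 {"userPrincipalName":"bob@example.edu","ipAddress":"203.0.113.10","createdDateTime":"2017-09-25T09:01:00Z","status":{"errorCode":0}}
]
'@ | ConvertFrom-Json

function Find-UnfamiliarIpFailures {
    param(
        [Parameter(Mandatory)] [object[]] $Records,
        [int] $BaselineDays = 30,   # successes this far back define each user's familiar IPs
        [int] $Threshold = 3        # failures from one unfamiliar IP before we report it
    )
    $newest = $Records | ForEach-Object { [datetime]$_.createdDateTime } |
        Sort-Object -Descending | Select-Object -First 1
    $cutoff = $newest.AddDays(-$BaselineDays)

    # Familiar IPs per user: any address with a successful sign-in inside the baseline window.
    $familiar = @{}
    foreach ($r in $Records) {
        if ($r.status.errorCode -eq 0 -and [datetime]$r.createdDateTime -ge $cutoff) {
            if (-not $familiar.ContainsKey($r.userPrincipalName)) { $familiar[$r.userPrincipalName] = @{} }
            $familiar[$r.userPrincipalName][$r.ipAddress] = $true
        }
    }

    # Count failures per (user, IP) where the IP is not familiar for that user.
    $counts = @{}
    foreach ($r in $Records) {
        if ($r.status.errorCode -eq 0) { continue }
        $known = $familiar[$r.userPrincipalName]
        if ($known -and $known.ContainsKey($r.ipAddress)) { continue }
        $key = "$($r.userPrincipalName)|$($r.ipAddress)"
        $counts[$key] = 1 + [int]$counts[$key]
    }

    foreach ($key in $counts.Keys) {
        if ($counts[$key] -ge $Threshold) {
            $upn, $ip = $key -split '\|'
            [pscustomobject]@{ User = $upn; IpAddress = $ip; Failures = $counts[$key] }
        }
    }
}

Find-UnfamiliarIpFailures -Records $signIns | Format-Table
```

Against live data, replace the constructed array with the output of Get-MgAuditLogSignIn. Note what this per-user count deliberately does not catch: a password spray, where one IP tries one or two passwords against hundreds of users, never reaches the threshold for any single user. That needs a second pass keyed on the IP alone, counting distinct users with failures, which is the kind of correlation the premium feature does for you.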

@@@@@

Try to move away from passwords.  Until then, use security tools to identify threats early.

@@@@@

Hello for Business is a good solution.  But it depends on refreshing to Windows 10.

Posted in Identity, Identity Management, Microsoft Ignite 2017

Improvements in Excel


Personalized custom functions already exist.  Now JavaScript custom functions will be supported.


So you write this once, and then you can use it as often as you want in your org.  That is nice and cool.

Insights happen automatically.  Creates pivot tables and charts automatically.


That is pretty cool.  So the data is enhanced automatically, and it produces charts from the data that is provided.  Data that is sent to the cloud is not collected. Size and data types are collected to improve the service, but no details of the values are stored.

Collaboration

Works from Mac, mobile, etc.  You can see others modifying each cell. (#N/A is now treated as blank, not 0, in charts.) Live and in person.

File must be in SharePoint or in OneDrive for this to work.

Data get and transform tools

Can get all files from a folder.  Then you can combine and format.

How big can you bring files data?  

Columns from examples. Takes data from one column and creates a rule for getting that data.

@@@@@@@@@@

Interesting session.  I really need to take a class on Excel.  There are some really cool things you can do in it now that I was not aware of.

Posted in Microsoft Ignite 2017

Create a modern workplace with Office 365


Two main concepts.  Deliver experiences that delight end users, and provide them on secure platforms.

Modern workplace 

Disruptive tech is forcing changes in the workplace.  Millennials will make up 50% of the workforce in 2020.  They demand new environments.  More dynamic, remote, etc. Cyber threats are more complex.  Lots of other things.

Microsoft 365 is a fundamental shift in how to design, build, and support new solutions.

Creativity and teamwork, simplicity and security.

Creativity

AI efforts can automate routine tasks.  More searchable content in highly personalized ways.  New gestures and content types.  New UI.  Available on any device on any platform. Apps, files, preferences follow you.

Resume from another device: tells you that you were looking at something on the phone.  Very cool.

Wow. PowerPoint slides have great template improvements.  Can modify the slides for you.  OK, that was freaking cool.  Slides can be beautified by applying AI templates.

Windows Ink.  Using a pen to select and delete from docs.  Very cool.

Word Editor is new as well.  Not just spell check, but helps suggest editing changes.

Excel integrates with the cloud.  Example from stocks to big data.  Prepopulates data.

Teamwork

Office 365 groups

Microsoft Teams: starting point to work together and stay connected.  Chat, calls, files, meetings, etc.

Skype is being enhanced.  Teams will evolve as the core communications product.  Will replace Skype eventually.

Teams leverages SharePoint for file shares.

OneDrive improved.

Files On-Demand.

Demo: focused inbox.  Flags emails to prioritize them.  Summarizes emails at the top for flights, reservations, etc.

Outlook learns about who you email and can warn you of similar emails.

You can include Cortana, and it can schedule meetings through email.  Includes everyone on the To list.

You can flag docs to be reviewed, and it will prompt your coworker.  Also adds tasks to their calendar.

Teams: each team has working sessions.  You can bring folks outside of the org into the team.  All content: files, OneNote notebook, etc.

Everyone shares the same content.  Add third party apps.  Threaded persistent conversations.  

Collaboratively work on docs.

Join meetings from teams. Recording meetings can be seen later.

Files On-Demand allows you to use File Explorer to access files across local, OneDrive, etc.

GE round table.  

Windows infrastructure improvements

Windows Autopilot. What took hours takes a few minutes.  Coming to Windows 10 in early 2018. Deploys preconfigured machines.  Asks five questions.  Attach Wi-Fi.  Knows by serial number that it is assigned to me.  Personalized experience.  Provisions policies, configuration, etc.  Device gets mail, calendar, the total environment.  This rocks!

Windows Analytics: a lot of data gathering and insights into usage patterns of various machines and apps.

Flexibility: hybrid scenarios.  On prem and cloud.  In the fall, PCs can be joined to AD and AAD at the same time. Wonder how that impacts our move off of our shared AD environments.

Securing landscape

Identity and access management.  Conditional access. In the future, limit conditional access by who and where you are.  Coming in a few months. (Need to look into IDM solutions.)

Azure Advanced Threat Protection.

New tech allows accessing work docs from unmanaged devices.  Auto-disables download and print, but allows a read-only process.

Secure email protections with consumer email providers.  Demo with Gmail, not allowing them to forward or copy and paste.  That is pretty cool.

Automated actions for threats and cyber attacks.  In one minute, they analyzed the threat and remediated it.

Azure Advanced Threat Protection for on-prem AD environments.  Wow.   Automated dealing with threats.  Wonder how that will impact Sal’s team?

First line workers. Microsoft 365 F1.  Tailored to the needs of first line staff.

Wow.  Lots of cool stuff here.  

Posted in Microsoft Ignite 2017

Keynote address: Satya Nadella


The diversity of roles and functions is unlike anything seen before at an MS conference.  Technicians that administer all types of technologies.  Also people in all the business functions, and technology executive leaders.  Related to the digital transformation.  Smart factories, smart cities, precision farming, and precision medicine.  Digital tech is integrated in all of it.

The most critical thing for all of us is to bring everyone across all the expertise and techs to support the digital transformation.  Want to build a broad understanding of technologies, as well as go deep in areas.

Timeless values

1. Empower people

2. Inclusive designs

3. Build trust in technology (control data and secure data)

Microsoft’s vision is to empower every person and every organization on the planet to achieve more.

Intelligent cloud and intelligent edge. 

We need to change the culture within our orgs to enable digital feedback loops to improve the process of transformation.  To facilitate these new systems of intelligence, start with the modern workplace.

No longer about routine tasks.  More about unlocking the creativity of your orgs.  Ensuring security of the digital estate.  Microsoft 365’s purpose is to unlock a new culture of work.

Mixed reality: demo of a Ford Focus and mixed reality.


Pretty cool. They showed the modification of the side mirror and how it would affect the driver’s view without modifying the actual vehicle.  That was pretty cool.  Real-time modification of the vehicle’s design using mixed reality and Teams. (Need to understand Teams better.)

Microsoft 365 is now integrating with LinkedIn.  From Exchange, can get to the LinkedIn profile.

Integrating Bing for Business with O365. Allows you to search from Bing across websites, Exchange, work documents, etc. Tracks all employees’ actions for future metrics. This is both cool and creepy.  The system knows a whole lot about you…

Microsoft Graph is extended when LinkedIn and Dynamics 365 are added.  All built on top of Azure.  Then you can build AI-first business apps.

AI business

Interesting.  HP is solving 70-80% of support calls through AI, without any interactions with people.

Epic is built on top of Azure.

Posted in Microsoft Ignite 2017

Microsoft Ignite 2017

Once again I find myself far from home and at a conference.  Microsoft Ignite is huge.  Over 15k people.  So, what are my biggest questions that I want answered while I am here?

1. The biggest question I have is about Office 365 in the cloud.  I want to understand what products are offered and how they may be used by VUMC.  But most importantly, I want to understand how the provisioning process could be done.  I know there are many ways to provision to the cloud.   My identity dev manager tells me of at least three.  I would like to learn about best practices, especially considering our unique environment.

2. I want to understand cloud dev environments better and what is available there.  Having a dev environment that was more flexible and could stretch and refresh as my dev teams need it would be extremely valuable for us.

3. Finally, I want to know what I don’t know.  What has happened with Microsoft technologies over the past few years?  I admittedly have not paid much attention to them.  So I am curious to learn how they have advanced.

Well, people are streaming into the keynote, which starts in 45 mins.  So I guess I will head that way.  It’s at moments like this that I remember how much I don’t like crowds and being in large groups of people, and I wonder why I keep coming to these conferences…

Posted in Microsoft Ignite 2017, Uncategorized

Final Wrap Up: Top Three Takeaways

I’m actually posting this from home.  I was too tired to finish this in SF.  Overall, I was very happy with the conference and the information it provided.  It is hard to identify my top three takeaways for this conference because there was lots of information.  I think they did a great job of balancing very complex and technical discussions with palate-cleansing entertainment.

So, here are my top three takeaways:

  1. The first takeaway is that we need to do a better job in software development to be more security-minded.  Of the top seven security issues, two of them had to do with insecure software coding (https://danataconference.wordpress.com/2017/02/15/the-seven-most-dangerous-new-attack-techniques/).  Basic things like code reviews and using third-party source code scanning can make a difference.  We need to look in our department for how we can be more security-minded in our application development.  ( https://danataconference.wordpress.com/2017/02/16/how-to-transform-developers-into-security-people/ )
  2. We need to more aggressively examine our use of privileged accounts and how we can better secure them.  TLAs tied to primary accounts could be used for the most sensitive systems.  Perhaps installing a PAM vendor?  Need to look into this! (https://danataconference.wordpress.com/2017/02/16/privileged-access-management-unsticking-your-pam-program/)
  3. Finally, we need to develop more skills around coding to cloud-based APIs.  As more and more infrastructure moves to the cloud, we should help drive adoption by partnering with our infrastructure teams and helping them to build tools that our customers can use.  ( https://danataconference.wordpress.com/2017/02/14/tidal-forces-the-changes-ripping-apart-security-as-we-know-it-rich-mogul/ )

So those are my top three takeaways.  I was very pleased with this conference.  I don’t know that I would go every year, but every other year I think this would definitely be worth the time and investment.

Until my next conference, see ya!

Posted in Identity, leadership, RSA Conference 2017, security, Uncategorized

Final Keynote: Seth Meyers

Just left the final keynote for RSA 2017.  They had Seth Meyers come in and give the final keynote.  He’s a funny guy, and had a lot of funny jokes about current events, politics, etc.  However, I couldn’t help but feel a little sorry for him.

You have to know your audience, especially as a comedian.

So at one point in his show, he asks how many people have been to Vegas.  Now, maybe in his regular crowds that type of question would elicit a huge reaction from the group with hooting and hollering.  But he is here at RSA 2017.  This place is packed full of thousands of nerds.  And no joke, like three people in this huge audience shouted out and cheered.  He looks out at all of us computer geeks and starts laughing at us.  He then says, “Really?  There are only like three of you out there?  Well, don’t let anyone ever tell you that security people aren’t cool.”

His best line was about how the entire 2016 presidential campaign was like months of Super Bowl advertising for security professionals.  The rest of the world is all aghast at the hacking and leaks and email scandals, and all the security people are saying, “I told you so.  Now will you listen to me?”

Anyway, it was funny, but 98% of his jokes were completely unrelated to RSA or security.  But oh well.  After a week of serious thinking and deep, complicated topics, my mind is jello anyway.

I’ll post my top three takeaways from the conference later.  Right now, I’m pretty mentally exhausted.  Overall, it’s been a great week.

Posted in Uncategorized