Latest SharePoint Dev Weekly – Episode 66

Latest SharePoint Dev Weekly – Episode 66

Am a keen follower of Microsoft's SharePoint Blog and proud to provide this direct from the Microsoft Tech Community:

SP-dev-weekly-episode-66-hugo-promo.png

 

In this session of SharePoint Dev Weekly, hosts – Vesa Juvonen (Microsoft), Waldek Mastykarz (Rencore), and typically a special guest from the SharePoint PnP Community, discuss the latest news and topics around SharePoint development.

 

In this episode Vesa and Waldek are joined by Hugo Bernier  Director of Consulting Services at Point Alliance in Toronto. Hugo is an old friend and contributor to the PnP community and now a MVP who has delivered many code samples and reusable controls to-date (SharePoint Framework Samples repository) with more to come in 2020.

 

This episode was recorded on Monday, January 13, 2020.

 

The above is kindly provided by the Microsoft Tech Community!

SharePoint Development Community (PnP) – January 2020 update

SharePoint Development Community (PnP) – January 2020 update

Am a keen follower of Microsoft's SharePoint Blog and proud to provide this direct from the Microsoft Tech Community:

pnp-jan-2020-promo.png

 

Latest monthly summary of SharePoint Development guidance for SharePoint Online and on-premises is now available from the SharePoint Dev Blog. Check the latest news, samples and other guidance from this summary.

 

The above is kindly provided by the Microsoft Tech Community!

Streamline deployment and management of Microsoft Teams with Office 365 ProPlus

As more and more Office 365 customers adopt Microsoft Teams, we’ve heard from many of you that you want to deploy and manage Teams the same way you deploy and manage other Office 365 apps. To streamline that process, we made Teams available through Office 365 ProPlus alongside Word, Excel, PowerPoint, Outlook, and OneDrive. We first provided this option to customers on the monthly channel several months ago. Starting on January 14, 2020, customers on the semi-annual channel will start to receive Teams through Office 365 ProPlus as well. With that date approaching, we want to remind you how to configure Office 365 ProPlus and Teams updates to meet the needs of your organization.   

Deploy and manage Teams through Office 365 ProPlus 

If you are an existing Office 365 ProPlus (or Office 365 Business) customer on the semi-annual channel, Teams will be included in your organization’s next update starting on January 14, 2020, as a part of the normal update process. 

If you’re ready for Teams to be deployed on your users’ machines, you don’t need to take any action. You can learn more how to adopt Teams in this article. If Teams is already installed on a user’s machine, there will be no impact when the semi-annual update rolls out.  

Learn more about how Teams updates, after it is installed.  

Customize Teams deployment as a part of Office 365 ProPlus 

While the number of customers using Teams continues to grow, we recognize that not all customers are ready for Teams to be automatically deployed on their users’ machines. You can manage your preferences and configure each Office 365 ProPlus app using the Group Policy or the Office Deployment Tool. Learn more about how to deploy and manage or exclude Teams in your Office 365 ProPlus updates in this articleDeploy Microsoft Teams with Office 365 ProPlus 

Send us your feedback 

Every innovation we make with Microsoft 365, the world’s productivity cloud, is designed to help you and your organization unlock new forms of productivity to achieve more. Thank you for being our customers and we look forward to your feedback and insights. 

Visit our Tech Community page to learn more about Office 365 ProPlus.

Latest SharePoint Dev Weekly – Episode 65

Latest SharePoint Dev Weekly – Episode 65

Am a keen follower of Microsoft's SharePoint Blog and proud to provide this direct from the Microsoft Tech Community:

sp-dev-weekly-episode-65.jpg

In this session of SharePoint Dev Weekly, hosts – Vesa Juvonen (Microsoft), Waldek Mastykarz (Rencore), discuss the latest news and topics around SharePoint development.

 

In addition to drawing attention to the latest advancements being delivered by the SharePoint Community and Microsoft, Vesa and Waldek’s discussion this week focused on:  Predictions for 2020.

 

This episode was recorded on Tuesday, January 7, 2020.

 

The above is kindly provided by the Microsoft Tech Community!

Securing ALL your cloud apps with Microsoft

For most customers, cloud apps run the workplace. While we see an average of 129 IT-managed applications, Discovery data from our Cloud Access Security Broker (CASB) shows that the total number of apps accessed by employees in large organizations often exceeds 1,000.

 

Now, let’s think back to 1985. Windows 1.0 launched and provided the ability to display content in different spaces at the same time, a revolution in the OS space at the time. Fast forward back to 2019 and today the average employee switches between 35 job-critical applications more than 1,100 times every day. Sound like a lot? Take a look at how many cloud applications are open in your browser right now while you are reading this blog.

 

There is no debate today that our working environment and the tools we use in order to maintain our productivity continue to change rapidly. As the cloud transformation continues, it enables organizations to optimize their employee productivity by giving them the ability to choose the tools that are right for them across apps, devices and more.

 

But this flexibility and power of choice comes with great responsibility. The freedom to use any cloud app introduces a requirement to consider what you are doing with it and the risk you may bring to a business. According to LogicMonitor’s cloud report, 83% of business workloads will have migrated to the cloud by 2020, although most agree that the information is migrating much faster than this, while the security controls that are able to protect it lag behind. This is a clear risk as evidenced by the Box information leakage which was caused by insufficient control of the uploaded data.

 

But expecting users to take responsibility for this is simply not going to work and is not an option for most organizations. The right security controls need to be put in place to ensure that no sensitive information leaks out of the organization, even when flexibility is provided for the adoption of cloud apps.

 

To help you with this, we have compiled some general best practices to help protect your organization in this world of flexibility:

  1. Set up single sign-on for adopted apps in your organization to enable a better authentication experience for users and enforce appropriate elevated assessments with conditional access and MFA
  2. Minimize and control permission scopes given to users and OAuth apps being used in your organization to limit the potential impact of a breach
  3. Control the information being upload to cloud services – limit the type of documents being uploaded, classify uploaded documents and encrypt them when required
  4. Limit external sharing permissions by enabling controls for things like the creation of public links or sharing with external users
  5. Leverage cross service UEBA capabilities to detect potentially compromised accounts or insider threats
  6. Manage ALL users and devices, do not allow unmanaged guest users or un-monitored usage from un-managed devices.
  7. Monitor and control all your environments continuously, do not rely only on periodic reports and audits. Detecting policy violations in real time or near real time minimizes the risk for a wide exposure.

As Microsoft Cloud App Security became a leading CASB in the market, we took the approach of protecting all cloud apps, not just our own, recognizing that this was the correct set of outcomes for customers. It is important that as a multi-mode CASB, we provide rich visibility, control over data, and sophisticated analytics to identify and combat cyberthreats across ALL your cloud services.

So let’s beyond the realm of theory and bring this to life by exploring a few scenarios.

 

Protect your sensitive information

According to Varonis more than 30% of companies have more than 1000 sensitive folders which are accessible by everyone. Microsoft Cloud App Security enables granular control and DLP capabilities over the content shared on leading apps like G Suite, Box, Dropbox and Salesforce, protecting sensitive client information on platforms like ServiceNow, making sure there are no S3 AWS buckets left open and exposed to the wide world and preventing users from sharing sensitive files with external users in Webex chat rooms. Information exposure control via a unified labeling mechanism is also available for non-MSFT apps like G Suite and Box via a native integration with Microsoft Azure Information Protection.

 

Protect against insider threats and anomalous behaviors

According to the Insider Threat Report 2018, 90% of organizations feel vulnerable to insider threat attacks, whether they are malicious, accidental or due to compromised accounts. Microsoft Cloud App Security provides advanced UEBA capabilities to detect anomalous behaviors by users, detecting abuse of privileged accounts or performing activities from an unusual location, client or device. The native integration with Azure Active Directory enables further enrichment of user identity and improves detection capabilities across used non-MSFT apps. These detection capabilities are enabled out of the box for apps like Salesforce, ServiceNow, G Suite, Google Cloud Platform, Box, Dropbox, Okta and WebEx teams.  

 

Protect against threats, malware and ransomware

Microsoft Cloud App Security utilizes the MSFT security eco-system and deep integration with the Intelligent security graph to provide wide coverage of potential threats from Tor-based access, to potential Ransomware and Malware attacks back to potentially leaked credentials. The protection is available across all connected services that are available in Microsoft Cloud App Security.

 

Gain investigation capabilities into complex environments

In today’s complex environments, whether it is the usage of multiple cloud apps or the use of a one with complex structure like Salesforce it is not enough to have periodic audits on per app basis. To get the broader picture, stay up to date and be able to control incidents across your entire environment it is critical to have full visibility of what is happening across all of the apps in your environment. The ability to control the activities, set clear policies and automate the process is crucial to maintain a secure and controlled workplace. Microsoft Cloud App Security enables a cross app unified policy and investigation capabilities to get clear visibility and control over user activities in the connected apps. 

 

Get real-time controls for user access and sessions from managed and un-managed devices

Microsoft Cloud App Security enables granular access and session controls for all governed users in the system. Controlling risky access and session enables admins to limit app access, block downloads and restrict activities like copy/paste in web-based cloud apps. Microsoft Cloud App Security also enables to control the access and session from unmanaged devices while the user tries to access enterprise managed apps. These controls are enabled for more than 25 leading SaaS apps like Box, Concur, GitHub, G Suite, Confluence, Salesforce, Slack, Workday and also available for any cloud web-based app using SAML and SSO.

 

Protect against malicious OAuth apps in leading SaaS platforms

Microsoft Cloud App Security enables IT to gain an overview of authorized applications across their cloud services Office 365, Salesforce and G-Suite. The capabilities allow them to continuously monitor new app permissions and provides controls to prevent and remediate malicious OAuth apps from gaining access to the corporate data.

 

Going beyond the top Cloud apps we can recognize a large amount of growing productivity, Finance, HR and CRM apps like Workplace by Facebook, SAP Concur, Citrix Sharefile, Atlassian Confluence and Zoom that are being adopted by organizations or more specifically by the users in these organizations.

Being able to scale protection and align with the growth of this eco-system is one of Microsoft Cloud App Security’ top missions in the upcoming future.

 

You can learn more about Microsoft Cloud App Security here, and please let us know any questions you have!

 

Thank you

@Adam Hall  on behalf of the entire MCAS team

Securing ALL your cloud apps with Microsoft

Securing ALL your cloud apps with Microsoft

This post is authored by @Boris_Kacevich 

 

For most customers, cloud apps run the workplace. While we see an average of 129 IT-managed applications, Discovery data from our Cloud Access Security Broker (CASB) shows that the total number of apps accessed by employees in large organizations often exceeds 1,000.

 

Now, let’s think back to 1985. Windows 1.0 launched and provided the ability to display content in different spaces at the same time, a revolution in the OS space at the time. Fast forward back to 2019 and today the average employee switches between 35 job-critical applications more than 1,100 times every day. Sound like a lot? Take a look at how many cloud applications are open in your browser right now while you are reading this blog.

 

There is no debate today that our working environment and the tools we use in order to maintain our productivity continue to change rapidly. As the cloud transformation continues, it enables organizations to optimize their employee productivity by giving them the ability to choose the tools that are right for them across apps, devices and more.

 

But this flexibility and power of choice comes with great responsibility. The freedom to use any cloud app introduces a requirement to consider what you are doing with it and the risk you may bring to a business. According to LogicMonitor’s cloud report, 83% of business workloads will have migrated to the cloud by 2020, although most agree that the information is migrating much faster than this, while the security controls that are able to protect it lag behind. This is a clear risk as evidenced by the Box information leakage which was caused by insufficient control of the uploaded data.

 

But expecting users to take responsibility for this is simply not going to work and is not an option for most organizations. The right security controls need to be put in place to ensure that no sensitive information leaks out of the organization, even when flexibility is provided for the adoption of cloud apps.

 

To help you with this, we have compiled some general best practices to help protect your organization in this world of flexibility:

  1. Set up single sign-on for adopted apps in your organization to enable a better authentication experience for users and enforce appropriate elevated assessments with conditional access and MFA
  2. Minimize and control permission scopes given to users and OAuth apps being used in your organization to limit the potential impact of a breach
  3. Control the information being upload to cloud services – limit the type of documents being uploaded, classify uploaded documents and encrypt them when required
  4. Limit external sharing permissions by enabling controls for things like the creation of public links or sharing with external users
  5. Leverage cross service UEBA capabilities to detect potentially compromised accounts or insider threats
  6. Manage ALL users and devices, do not allow unmanaged guest users or un-monitored usage from un-managed devices.
  7. Monitor and control all your environments continuously, do not rely only on periodic reports and audits. Detecting policy violations in real time or near real time minimizes the risk for a wide exposure.

As Microsoft Cloud App Security became a leading CASB in the market, we took the approach of protecting all cloud apps, not just our own, recognizing that this was the correct set of outcomes for customers. It is important that as a multi-mode CASB, we provide rich visibility, control over data, and sophisticated analytics to identify and combat cyberthreats across ALL your cloud services.

Top CASB use cases to boost your cloud security strategy.png

 

So let’s beyond the realm of theory and bring this to life by exploring a few scenarios.

 

Protect your sensitive information

According to Varonis more than 30% of companies have more than 1000 sensitive folders which are accessible by everyone. Microsoft Cloud App Security enables granular control and DLP capabilities over the content shared on leading apps like G Suite, Box, Dropbox and Salesforce, protecting sensitive client information on platforms like ServiceNow, making sure there are no S3 AWS buckets left open and exposed to the wide world and preventing users from sharing sensitive files with external users in Webex chat rooms. Information exposure control via a unified labeling mechanism is also available for non-MSFT apps like G Suite and Box via a native integration with Microsoft Azure Information Protection.

 

Protect against insider threats and anomalous behaviors

According to the Insider Threat Report 2018, 90% of organizations feel vulnerable to insider threat attacks, whether they are malicious, accidental or due to compromised accounts. Microsoft Cloud App Security provides advanced UEBA capabilities to detect anomalous behaviors by users, detecting abuse of privileged accounts or performing activities from an unusual location, client or device. The native integration with Azure Active Directory enables further enrichment of user identity and improves detection capabilities across used non-MSFT apps. These detection capabilities are enabled out of the box for apps like Salesforce, ServiceNow, G Suite, Google Cloud Platform, Box, Dropbox, Okta and WebEx teams.  

 

Protect against threats, malware and ransomware

Microsoft Cloud App Security utilizes the MSFT security eco-system and deep integration with the Intelligent security graph to provide wide coverage of potential threats from Tor-based access, to potential Ransomware and Malware attacks back to potentially leaked credentials. The protection is available across all connected services that are available in Microsoft Cloud App Security.

 

Gain investigation capabilities into complex environments

In today’s complex environments, whether it is the usage of multiple cloud apps or the use of a one with complex structure like Salesforce it is not enough to have periodic audits on per app basis. To get the broader picture, stay up to date and be able to control incidents across your entire environment it is critical to have full visibility of what is happening across all of the apps in your environment. The ability to control the activities, set clear policies and automate the process is crucial to maintain a secure and controlled workplace. Microsoft Cloud App Security enables a cross app unified policy and investigation capabilities to get clear visibility and control over user activities in the connected apps. 

 

Get real-time controls for user access and sessions from managed and un-managed devices

Microsoft Cloud App Security enables granular access and session controls for all governed users in the system. Controlling risky access and session enables admins to limit app access, block downloads and restrict activities like copy/paste in web-based cloud apps. Microsoft Cloud App Security also enables to control the access and session from unmanaged devices while the user tries to access enterprise managed apps. These controls are enabled for more than 25 leading SaaS apps like Box, Concur, GitHub, G Suite, Confluence, Salesforce, Slack, Workday and also available for any cloud web-based app using SAML and SSO.

 

Protect against malicious OAuth apps in leading SaaS platforms

Microsoft Cloud App Security enables IT to gain an overview of authorized applications across their cloud services Office 365, Salesforce and G-Suite. The capabilities allow them to continuously monitor new app permissions and provides controls to prevent and remediate malicious OAuth apps from gaining access to the corporate data.

 

Going beyond the top Cloud apps we can recognize a large amount of growing productivity, Finance, HR and CRM apps like Workplace by Facebook, SAP Concur, Citrix Sharefile, Atlassian Confluence and Zoom that are being adopted by organizations or more specifically by the users in these organizations.

Being able to scale protection and align with the growth of this eco-system is one of Microsoft Cloud App Security’ top missions in the upcoming future.

 

You can learn more about Microsoft Cloud App Security here, and please let @Boris_Kacevich know any questions you have!

 

Thank you

@Adam Hall  on behalf of the entire MCAS team

SharePoint Dev Weekly – Episode 64

SharePoint Dev Weekly – Episode 64

Am a keen follower of Microsoft's SharePoint Blog and proud to provide this direct from the Microsoft Tech Community:

episode-64-promo.png

In this session of SharePoint Dev Weekly, hosts – Vesa Juvonen (Microsoft), Waldek Mastykarz (Rencore), discuss the latest news and topics around SharePoint development.  Vesa and Waldek are joined by Thomas Gölles  team lead responsible for modern workplace solutions at Solvion (MVP) in Austria. 

 

In addition to drawing attention to the latest advancements being delivered by the SharePoint Community and Microsoft, Vesa, Waldek and Thomy’s discussion this week focused on:  Increasing cloud adoption across Europe, personal Bots, concierge Bots, Teams and custom customer Graphs to extend the Microsoft Graph. 

 

This episode was recorded on Monday, December 16, 2019.

 

The above is kindly provided by the Microsoft Tech Community!

Troubleshooting Office Client Policy Service (OCPS)

Troubleshooting Office Client Policy Service (OCPS)

The Office cloud policy service (OCPS) is a cloud-based service that enables you to apply policy settings for Office 365 ProPlus on a user’s device.  The policy settings roam to whichever device the user signs into and uses Office 365 ProPlus.  As end users become increasingly mobile, IT Pros need a single approach to secure Office 365 ProPlus for traditional on-premises domain devices, Azure AD registered devices, Azure AD Joined, and Hybrid Azure AD joined devices.  OCPS applies to all scenarios above without the need to download and replicate any content such as Administrative Template files (ADMX/ADML) on-premises.  The goal of this blog is to provide some transparency of how the service works to help IT Pros during their validation phase and to encourage transition from classic domain-based policy to OCPS service for Office 365 ProPlus.

 

Requirements of OCPS

1. At least Version 1808 (August 2018) of Office 365 ProPlus
2. User accounts created in or synchronized to Azure Active Directory (AAD). The user must be signed into Office 365 ProPlus with an AAD based account.
3. Security groups created in or synchronized to Azure Active Directory (AAD), with the appropriate users added to those groups.
4. To create a policy configuration, you must be assigned one of the following roles in Azure Active Directory (AAD): Global Administrator, Security Administrator, or Office Apps Admin.
5. Connectivity to addresses below. Microsoft recommends proxy bypasswhitelist for these URLs
*.manage.microsoft.com, *.officeconfig.msocdn.com, config.office.com over 443

 

Steps to perform proof of concept and validation
1. Create a test user, ours will be “Gottlieb Daimler”, gdaimler@contoso.com.
2. Create security group “OCPS Service Validation” and add user to group within Active Directory Users and Computers.
3. Allow AAD Connect to synchronize user and group to Azure AD. (lunch break 🙂 or force synchronization via commands below)

(optional) From AAD Connect Server and elevated PowerShell, run the following commands:
PS C:WINDOWSsystem32>import-module adsync
PS C:WINDOWSsystem32>Set-ADSyncScheduler -NextSyncCyclePolicyType Delta
PS C:WINDOWSsystem32>Start-ADSyncSyncCycle

Browse Azure AD portal and explore Users – All Users, select Gottlieb Daimler and then Groups. Verify that group “OCPS Service Validation” has been assigned and source says, “Windows Server AD”. This confirms user and group were synced into Azure AD successfully and we can proceed to next steps.
4.  Create your first OCPS policy and select “Create” button:

Create1.png

5. Complete input fields, when selecting assigned security group input “OCPS” and service should filter results to “OCPS Service Validation” group.  Next, define a policy.  For the demo, I chose policy “VBA Macro Notification Settings”, “Enabled” where VBA Macro Notification Settings are set to “Disable all with notification”.   Once selections have been made “Create” or “Save”.

Create4.png

Create3.png

6. From Policy Management, we can now see our policy exists.

Create2.png

So, we’ve got a policy, we’ve assigned it to a security group containing our test user, our next step is to validate. My test machine happens to be classic on-premises domain joined machine. My user, Gottlieb Daimler, is signed in with his normal Active Directory credentials which is displayed in upper right hand corner of Word.

Create5.png

Traditional Group Policy uses Client-Side Extensions in Windows to apply policy every 90 minutes.  IT Pros can force policy by using command line “gpupdate /force” and inspectverify registry as well as application behavior prior to broad deployment.  OCPS checks for policy upon initial Office application launch, calls into cloud service endpoints listed above, determines policy applicability based on group membership and priority assignment and registry keys are populated. 

 

Specifically, there are two locations of interest in registry.

1. HKEY_CURRENT_USERSoftwareMicrosoftOffice16.0CommonCloudPolicy
This will contain information about FetchInterval, 90 minutes is default, as well as record of Last Fetch Time and Last Payload Hash.

2. HKEY_CURRENT_USERSoftwarePoliciesMicrosoftCloud. This key will contain path to registry keys representing the policy assignment. For example, ours will be HKEY_CURRENT_USERSoftwarePoliciesMicrosoftCloudOffice16.0wordsecurity
Vbawarnings = 2 (DWORD)

 

IT Pros can achieve the same behavior of gpupdate by simply deleting the key HKEY_CURRENT_USERSoftwareMicrosoftOffice16.0CommonCloudPolicy, close Office application and relaunch to fetch policy.  I typically use tools like Process Monitor to help trustverify operations of this type with filters such as “Path” contains “CloudPolicy” or where Operation is “RegSetValue” etc.  Opening a Word document containing a Macro displaying warning with notification as expected.

Proof.png

FAQ:
How does conflict resolution work if the same policy is set via traditional domain-based policy as well as OCPS?
OCPS takes priority if there are any conflicts with traditional domain-based policies.

 

Currently policies are limited to user settings. Are there plans on adding machine settings?
Yes. This has been accepted and currently is in our backlog. We hope to have this available next year.

 

Group Policy provides a view of all policies on the device or for the specified user. Does OCPS support this?
Currently OCPS does not provide a list of all Office policies applied to a specific user or device. This is on our backlog and we hope to have this available next year.

 

Will OCPS support other platforms such as MacOS, Android and iOS?
Yes, OCPS in the future will also support additional platforms such as MacOS, Android and iOS. We will create additional blog postings per platform once features are generally available.

 

The Author

This blog post is brought to you by Dave Guenthner, a Senior Premier Field Engineer and “ProPlus Ranger” at Microsoft. Feel free to share your questions and feedback in the comments below.

Building dynamic, lean & universal packages for Office 365 ProPlus

Building dynamic, lean & universal packages for Office 365 ProPlus

As an admin, you might have been tasked with the deployment of Office 365 ProPlus to your organization. But such a deployment is more than just Office. After the initial migration to ProPlus, you might have to provide ways for your users to acquire automated installs of additional Language Packs, Proofing Tools, products like Visio and Project or other components.
This blog post will walk your through a concept of building dynamic, lean & universal packages for Office 365 ProPlus, greatly reducing long-term maintenance costs and effort needed in managed environments.
Grab a coffee, it’s a long post. Let’s roll.
 

The challenge

When you plan your upgrade to Office 365 ProPlus, the actual upgrade from a legacy version to the always-current Office 365 ProPlus is front and center. But looking beyond the initial deployment, there are other scenarios you’ll need to cover as an admin. After you upgraded your users, they might need one of the following components going forward:
 
  • Additional Language Packs
  • Proofing Tools
  • Visio
  • Project

So in managed environments each of the above would require a dedicated installation package in order to allow an automated and controlled way to e.g. install additional languages for a user. Usually, for each of the above components, an admin would combine the necessary source files (~2.5 gigabyte), a copy of the Office Deployment Tool (ODT) together with a configuration file into a package.

But, especially in larger organizations, you often do not run a single installation of Office 365 ProPlus. You might have a mix of update channels (often SAC and SAC-T) and maybe you are currently transitioning from 32 bit to 64 bit, and for quite some time you will have to support both architectures.

So at the end, we would not have one package per component, but rather four, covering each possible permutation of SAC/SAC-T and x86/x64.
The end result would be:

 

  • High number of packages, the four listed components would result in 16 or more packages.
  • High bandwidth consumption, as a client might get the full 2.5 GB package pushed down before install
  • High maintenance costs to keep embedded source files current.
  • High user impact, if you haven’t kept the source files current and installing a component will perform a downgrade, just to perform an update to the current version soon after.
  • Low user satisfaction when having to pick the matching package out of a bunch of options.

 

While the initial upgrade to Office 365 ProPlus is a one-time activity, the above scenarios will be applicable over a longer period as users might need additional components days, weeks or even years after the initial deployment.
So, how do we build packages which are less costly to maintain over a long time frame and avoid the above downsides?

 

The solution: Dynamic, lean and universal packages

Good news: There is a way to resolve all of the above issues by implementing self-adjusting, small and universal package. I will give you the “meat and potatoes” of the concept before we dive into sample scenarios:
Build dynamic packages where you don’t hard-code anything. Leverage features of the Office Deployment Tool (ODT) to allow the packages to self-adjust to the requirements:
  • Use Version=MatchInstalled to prevent unexpected updates and stay in control of the version installed on a client. No hard-coding of a build number (which gets outdated quickly) required.
  • Use Language=MatchInstalled to instruct e.g. Visio or Project to install with the very same languages which are already installed for Office. No need to list them or build a script which injects the required languages.

 

Build lean packages by removing the source files from the packages. This has multiple benefits:

  • Package size is much smaller, from 2.5 GB down to less than 10 megabytes for the ODT and its configuration file.
  • Instead of pushing a 2.5 GB install package to clients, we allow clients to pull what it needs on demand from Office CDN which saves bandwidth:
    • When adding Project to an existing Office 365 ProPlus install, we need to download less than 50 megabytes as Office shared components are already installed.
    • Visio installs are typically between 100-200 megabytes, based and the number of languages as the templates/stencils are a substantial part of the download.
    • Installing Proofing Tools is typically between 30-50 megabytes versus a full Language Pack is somewhere between 200 to 300 megabyte.
  • A 2nd install scenario is often less frequent, which lowers the burden on the internet traffic ultimately reducing the impact.
  • You don’t have to update the source files every time when Microsoft releases new features, security and quality fixes.
 
Build universal packages by not hard-coding things like the architecture or update channel. ODT will dynamically match the existing install ; so your packages work across all update channels and architectures. Instead of having e.g. four packages to install Visio, you will have a single, universal package which will work across all permutations of update channels and architectures.
  • Leaving out OfficeClientEdition makes your package universal for mixed x86/x64 environments.
  • Leaving out Channel makes your package universal across update channels, even ones you don’t support :smile:.

 

How to and benefit of building dynamic, lean & universal packages

The idea behind this concept is to not hard-coding everything in the configuration file, but rather leverage the cleverness of the Office Deployment Tool (ODT) as much as possible. Let’s have a look at a “classic” package, built to add Project to an existing install of Office 365 ProPlus. We have the source files (~2.5 gigabyte in size) and a configuration file which explicitly states what we want to achieve:
Lean5-Pic1.jpg







 
When applying  the concepts of dynamic, lean, universal packages, the result would look like this:
 Lean5-Pic2.jpg

 

So what have we changed and what are the benefits of doing so?

  • Removed OfficeClientEdition-attribute, as the ODT will automatically match the installed version.
    • Benefit: Configuration file now work for both x86 and x64 scenarios.
  • Remove Channel, same reason, ODT will automatically match the already assigned update channel.
    • Benefit I: Package works for all update channels (Monthly, Semi-Annual, SAC-T, you name it)
    • Benefit II: It will also work for update channels you don’t offer as central IT. Some users are running Monthly, some are on Insider builds? Don’t worry, it just works!
  • Added Version=MatchInstalled which will ensure that ODT will install the exact same version which is already installed.
    • Benefit: You are in control of versions deployed, no unexpected updates.
  • Added Language ID=”MatchInstalled”  and TargetProduct  designed to match the currently installed language(s), replacing a hard-coded list of languages to install.
    • Benefit I: User will have the same languages in Project as already installed for Office.
    • Benefit II: No need to re-request Language Pack installs.
    • Benefit III: Will also work for rarely used languages which you as central IT admin don’t offer, leading to happier users.
  • Removed the source files, the ODT will fetch the correct set of source files from the Office CDN just-in-time.
    • Benefit I: Package never gets old. No maintenance of source files needed.
    • Benefit II: Download is ~50 megabyte instead of pushing 2.5 GB around.

 

Another example: Adding Language Packs and Proofing Tools the dynamic, lean & universal way

Let’s have a brief look at other scenarios as well, like adding Language Packs and Proofing Tools. The classic configuration file to install the German Language Pack might look like this:
 







If you’re running SAC as well as SAC-T and have a x86/x64 mixed environment, you would need three additional files to cover the remaining permutations of configurations. Or you just go the dynamic, lean and universal way:
 







 
This single configuration file will work across x86/x64 and all update channels (Insider Fast, Monthly Targeted, Monthly, SAC-T, SAC, and so on). So if you want to offer 5 additional languages in your environment, just build 5 of these “config file + ODT” packages and you’re good to go. For Proofing Tools you just change the ProductID to “ProofingTools”.
 

Prerequisites

I hope this new concept helps you to build dynamic, lean and universal packages and reduce the overall effort of managing Office 365 client Apps.
There are some prerequisites you must meet to make this concept work in your environment:
  • Use Office Deployment Tool 16.0.11615.33602 or newer to enable Version=MatchInstalled to work.
  • The ODT must be able to locate the matching source files on the Office CDN.
  • Ensure that the context your using for running the install can traverse the proxy. Check out our Office 365 ProPlus Deployment and Proxy Server Guidance  for a deep-dive on this.
  • Make sure, that the account (user or SYSTEM) used to install the apps is able to connect to the internet.

 

The Author

This blog post is brought to you by , a ProPlus Ranger and senior ProPlus deployment expert at Microsoft. Feel free to share your questions and feedback in the comments below.
Announcing Updates to the M365 Attack Simulator

Announcing Updates to the M365 Attack Simulator

Overview

The Microsoft 365 Attack Simulation team is pleased to announce the release of several new features in our phish simulation tool. This includes:

  • an attachment-based phishing attack
  • the ability to filter your simulation user targets by directory metadata like title, city, and department
  • the inclusion of IP addresses and client data in the simulation detail report
  • Simulation phish message simulations are included in your user phish submission reports 

Attachment Attack

We know that phishing attacks that use attachments are very popular and an effective way for attackers to get malicious code to run on your endpoints. Teaching your users to be wary of attachments can reduce your overall risk. To help you educate your users of this risk, we’ve added a new type of simulation attack called Spear Phishing (Attachment) to the catalog.

 

To launch an attachment attack, navigate to the home page of the Attack simulator:

 

clipboard_image_0.png

 

Then, click Launch Attack and walk through the wizard:

 

First, give the attachment attack campaign a relevant, distinctive name.

clipboard_image_1.png

 

Second, select users from your directory that you wish to target with the attachment attack.

clipboard_image_2.png

 

Third, configure the attack with the sender, the name and type of the attachment, and the subject line of the email.

clipboard_image_3.png

 

Fourth, enter a custom email template, or use one from the existing library. Remember that the point of the attachment attack is to get the user to open the attachment, so don’t necessarily include a credential harvesting link, but do reference the attachment in the body of the email.

clipboard_image_4.png

 

Lastly, confirm that you are ready to send the simulation off.

clipboard_image_5.png

 

Within minutes, your users will receive the phishing email and will be able to see the attachment. This attachment does NOT contain any malicious content or executable code. Instead, it relies on a hidden image file which makes a call back to Microsoft’s servers to indicate that the user has opened the file.

clipboard_image_6.png

 

Here, you see the user has opened the file, which contains similar content to what you would see on the final page of a credential harvesting simulation. The user’s name is populated, along with some educational messaging about the dangers of phishing.

clipboard_image_7.png

 

If you have enabled the Outlook Reporting add-in for your organization, note that the user should go ahead and report this message as phishing.

clipboard_image_8.png

 

Once they select report phishing, the user will be asked to confirm the report. Note below that we’re including these reported messages in your report phish message pipeline via the Outlook reporting add-in so you can now track which of your users correctly reported this message as part of the simulation.

clipboard_image_9.png

 

After the users have performed their actions, the simulation administrator can then review the final output of the campaign in the Attack Simulator portal.

 

clipboard_image_10.png

 

Directory Filtering

Another quality of life feature we have added is the ability to perform an filtered search of your directory based on metadata like Title, Department, and City. This allows the simulation administrator to refine target groups based on existing directory data instead of having to manually select those users, leverage CSVs, or create custom directory groups. We encourage organizations to target high risk segments of their user population with more frequent simulations to further reduce your risk of getting phished.

clipboard_image_11.png

 

Advanced Reporting Updates

The final feature we’ve made available is the inclusion of detailed client information in the detail report of any given campaign, including username, action performed, datetime stamp, IP address, and client type information. This will allow you to better understand where your users are performing the risky actions.

clipboard_image_12.png

 

Outlook Reporting Add-In Integration

We’re also including simulation phish messages in the normal reporting pipeline so that you can now track which of your users has correctly reported phish messages as part of the simulation exercise.  This can be found by navigating to Threat Management–>Explorer–>View Submissions–>User Submissions.

clipboard_image_13.png

Wrapping it up

So, there you have it – a whirlwind tour though the new updates to Office 365 ATP’s Attack Simulator. We’d like to encourage you to start taking advantage of the new functionality by the following the link (https://protection.office.com/attacksimulator) and we look forward to your feedback! More information on Attack Simulator can be found in the Attack Simulator documentation on Microsoft Docs.