Monday, February 28, 2022

 This is a continuation of a series of articles on Azure services from an operational engineering perspective with the most recent introduction to Microsoft Intune with the link here. The previous article mentioned Microsoft Intune with its device and application management capabilities. This article discusses its usage with Microsoft 365. 

Microsoft 365 for enterprise is a complete, intelligent solution that empowers everyone to be creative and work together securely. It is designed for large organizations, but it can also be used for medium-sized and small businesses that need the most advanced security and productivity capabilities.  

Microsoft 365 scenarios include productivity, collaboration, education, people, and workplace intelligence. It includes services that manage user and device identity, access, compliance and security, and helps protect organizations from data leakage or loss.

The scenario used to describe Microsoft 365 is often the one used to set up the infrastructure for hybrid work. This is achieved by allowing on-site and remote workers to access the organization’s on-premises and cloud-based information, tools, and resources easily and securely. 

Microsoft 365 for enterprise consists of local and cloud-based applications and productivity services, Windows 10 Enterprise, and device management and advanced security services. The applications work with a full suite of online services for email, file storage and collaboration, meetings and more. Windows 10 Enterprise improves productivity and security and, for IT professionals, provides comprehensive deployment, device, and app management. The device management and advanced security services include Microsoft Intune, which enables workforce productivity while protecting organizational data.

Microsoft 365 Enterprise is available in three plans: E3, E5 and F3. E3 provides access to Microsoft 365 core products and features that further workforce productivity. E5 includes Defender for Office 365, security tools and collaboration tools; it includes all the E3 capabilities plus advanced security, voice, and data analysis tools. F3 helps workers in the field with purpose-built tools and resources.

Microsoft 365 add-ons are available for E3 users. These add-ons are for Identity and Threat protection, Information protection and compliance, Microsoft 365 E5 Compliance, and Microsoft 365 E5 Insider Risk. These add-ons enable E3 users to take advantage of features in E5.

With these capabilities, IT professionals managing on-site and cloud-based infrastructure enable hybrid worker productivity. Those workers can access cloud-based services and data in their Microsoft 365 subscription and organizational resources anytime and from anywhere. Their sign-ins are secured, and their applications and devices can be managed with cloud security. The hybrid workers can be as productive and collaborative as they are on-premises.

Sunday, February 27, 2022

This is a continuation of a series of articles on Azure services from an operational engineering perspective with the most recent introduction to Microsoft Intune with the link here. The previous article mentioned Microsoft Intune with its device and application management capabilities. This article discusses its usage with Microsoft 365. 

Microsoft 365 for enterprise is a complete, intelligent solution that empowers everyone to be creative and work together securely. It is designed for large organizations, but it can also be used for medium-sized and small businesses that need the most advanced security and productivity capabilities.  

Microsoft 365 scenarios include productivity, collaboration, education, people, and workplace intelligence. It includes services that manage user and device identity, access, compliance and security, and helps protect organizations from data leakage or loss.

The standard Microsoft 365 cloud is used by enterprise, academic and even home Office 365 tenants. It has the most features and tools, global availability, and the lowest prices. Since it is the default choice among the clouds, everyone qualifies. That said, there are sovereign Microsoft 365 clouds for advanced data protection.

The scenario used to describe Microsoft 365 is often the one used to set up the infrastructure for hybrid work. This is achieved by allowing on-site and remote workers to access the organization’s on-premises and cloud-based information, tools, and resources easily and securely. The key layers of architecture that empower these workers include the following capabilities:

1. MFA enforced with security defaults helps protect against compromised identities and devices by requiring a second form of authentication for sign-ins. Optionally, conditional access can enforce MFA based on the properties of the sign-in. Conditional access policies can also be authored to be risk-based so that sign-ins are protected with Azure AD Identity Protection.

2. Self-service password reset is another feature, and Intune can step in with automations that are self-service for the users. Azure Active Directory is used to turn on self-service password reset, and the organization’s workforce is asked to register. When they register, they get instructions for resetting their password themselves.

3. The Azure AD Application Proxy provides remote access to web-based applications hosted on intranet servers.

4. Azure Point-to-Site VPN can create a secure connection from a remote worker’s device to the intranet through an Azure Virtual Network.

5. Windows 365 supports remote workers who can only use their personal, unmanaged devices by giving them Windows 365 Cloud PCs.

6. Remote Desktop Services allows employees to connect to their domain-joined Windows computers. Remote Desktop Services Gateway encrypts communications and prevents the RDS hosts from being directly exposed to the internet.

7. Microsoft Intune manages devices and applications. Configuration Manager manages software installations, updates, and settings on the devices. Endpoint Analytics determines the update readiness of the Windows clients. Windows Autopilot sets up and pre-configures Windows devices.

With these capabilities, IT professionals managing on-site and cloud-based infrastructure enable hybrid worker productivity. Those workers can access cloud-based services and data in their Microsoft 365 subscription and organizational resources anytime and from anywhere. Their sign-ins are secured, and their applications and devices can be managed with cloud security. The hybrid workers can be as productive and collaborative as they are on-premises.

One of the ways forward for new and upcoming services involves writing APIs once and exposing them through Microsoft Graph and other outlets with the help of wrappers.


Saturday, February 26, 2022

 

This is a continuation of a series of articles on Azure services from an operational engineering perspective with the most recent introduction to Microsoft 365 with the link here. The previous article mentioned Microsoft 365 with its broad capabilities. This article discusses its usage with Intune and Microsoft Graph. 

Microsoft 365 for enterprise is a complete, intelligent solution that empowers everyone to be creative and work together securely. It is designed for large organizations, but it can also be used for medium-sized and small businesses that need the most advanced security and productivity capabilities. Microsoft Intune manages devices and applications. Configuration Manager manages software installations, updates, and settings on the devices. Endpoint Analytics determines the update readiness of the Windows clients. Windows Autopilot sets up and pre-configures Windows devices.

Microsoft Intune APIs serve to expose all features of Microsoft Intune for programmatic access. They can be used to define and enforce compliance policies, protect company data, create and deploy device configuration policies, create and deploy device access control policies, and perform remote actions to manage devices. They can be used to deploy apps to devices, manage access to eBooks, and define and deploy app configuration settings, app protection settings, and app usage policies. They can be used to automate defining and assigning role-based access control, auditing and reporting compliance, usage and access and managing telecom expenses. All the Intune APIs are made available via Microsoft Graph. 

Microsoft Graph enables integration with the best of Microsoft 365, Windows 10 and Enterprise mobility and security services in Microsoft 365, using a standard set of REST APIs and client libraries for all data sources that makes it convenient for developers to seamlessly integrate different data sources. It uses the concepts of users and groups to elaborate on these functionalities.  A user is an individual who uses Microsoft 365 cloud services and for Microsoft Graph, it is the focus for which the identity is protected, and access is well managed. The data associated with this entity and the opportunities to enrich the context, provide real-time information, and deep insights are what makes Microsoft Graph so popular. A group is the fundamental entity that lets users collaborate and integrate with other services which enable scenarios for task planning, teamwork, education and more.  

By providing a common API framework that exposes device management and application management capabilities to developers building mobility and security services on Microsoft 365, the combination of Intune, Microsoft 365 and Graph provides unparalleled capabilities. With these capabilities, IT professionals managing on-site and cloud-based infrastructure enable hybrid worker productivity. Those workers can access cloud-based services and data in their Microsoft 365 subscription and organizational resources anytime and from anywhere. Their sign-ins are secured, and their applications and devices can be managed with cloud security. The hybrid workers can be as productive and collaborative as they are on-premises.

 

Friday, February 25, 2022


Thursday, February 24, 2022

 

This is a continuation of a series of articles on Azure services from an operational engineering perspective with the most recent introduction to Microsoft Intune with the link here. The previous article mentioned Microsoft Intune with its device and application management capabilities. This article discusses the APIs for Microsoft Intune.  

These APIs serve to expose all features of Microsoft Intune for programmatic access. They can be used to define and enforce compliance policies, protect company data, create and deploy device configuration policies, create and deploy device access control policies, and perform remote actions to manage devices. They can be used to deploy apps to devices, manage access to eBooks, and define and deploy app configuration settings, app protection settings, and app usage policies. They can be used to automate defining and assigning role-based access control, auditing and reporting compliance, usage and access and managing telecom expenses. All the Intune APIs are made available via Microsoft Graph.

Microsoft Graph enables integration with the best of Microsoft 365, Windows 10 and Enterprise mobility and security services in Microsoft 365, using REST APIs and client libraries. It uses the concepts of users and groups to elaborate on these functionalities.  A user is an individual who uses Microsoft 365 cloud services and for Microsoft Graph, it is the focus for which the identity is protected, and access is well managed. The data associated with this entity and the opportunities to enrich the context, provide real-time information, and deep insights are what makes Microsoft Graph so popular. A group is the fundamental entity that lets users collaborate and integrate with other services which enable scenarios for task planning, teamwork, education and more.  
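The Intune APIs described here, and in the February 26 post above, are consumed through Microsoft Graph like any other Graph collection, which means paging with @odata.nextLink. As an added example that is not part of the original post, the following Python walks the managedDevices collection and flags every device whose complianceState is anything other than compliant. The endpoint, the $select fields, the complianceState values and the @odata.nextLink pattern are Graph's own; the two response pages, the device names and the fetch callable are constructed for the example, and a real run would supply a bearer token carrying the DeviceManagementManagedDevices.Read.All permission.

```python
"""Walk Intune managed devices through Microsoft Graph and flag non-compliant ones."""
from collections import Counter
from typing import Callable, Dict, Iterator, List

GRAPH = "https://graph.microsoft.com/v1.0"
# $select trims each managedDevice to the fields this report needs.
SELECT = "id,deviceName,operatingSystem,userPrincipalName,complianceState,lastSyncDateTime"
FIRST_PAGE = f"{GRAPH}/deviceManagement/managedDevices?$select={SELECT}"


def iter_managed_devices(fetch: Callable[[str], Dict], url: str = FIRST_PAGE) -> Iterator[Dict]:
    """Yield every device, following @odata.nextLink until Graph stops returning one.

    `fetch` maps a URL to the decoded JSON body. Against the real service it would be
    requests.get(url, headers={"Authorization": "Bearer <token>"}).json() with an
    app token holding DeviceManagementManagedDevices.Read.All (assumed to be supplied).
    """
    seen = set()
    while url:
        if url in seen:                 # never spin forever on a broken or replayed nextLink
            raise RuntimeError(f"nextLink cycle at {url}")
        seen.add(url)
        page = fetch(url)
        yield from page.get("value", [])
        url = page.get("@odata.nextLink")


def compliance_report(devices: List[Dict]) -> Dict:
    """Count devices per complianceState and list the ones that need attention.

    Everything other than "compliant" is flagged. Devices in "inGracePeriod" still pass
    conditional access until the grace period expires, so they sort to the top.
    """
    counts = Counter(d.get("complianceState", "unknown") for d in devices)
    attention = sorted(
        (d for d in devices if d.get("complianceState") != "compliant"),
        key=lambda d: (d.get("complianceState") != "inGracePeriod", d.get("deviceName", "")),
    )
    return {
        "total": len(devices),
        "counts": dict(counts),
        "attention": [(d["deviceName"], d["complianceState"], d.get("userPrincipalName"))
                      for d in attention],
    }


# Constructed sample: two pages shaped like Graph responses (names and states are made up).
NEXT_PAGE = FIRST_PAGE + "&$skiptoken=constructed-token"
SAMPLE_PAGES = {
    FIRST_PAGE: {
        "value": [
            {"id": "d1", "deviceName": "LT-ALICE", "operatingSystem": "Windows",
             "userPrincipalName": "alice@example.test", "complianceState": "compliant",
             "lastSyncDateTime": "2022-02-23T08:00:00Z"},
            {"id": "d2", "deviceName": "PH-BOB", "operatingSystem": "iOS",
             "userPrincipalName": "bob@example.test", "complianceState": "noncompliant",
             "lastSyncDateTime": "2022-02-23T07:30:00Z"},
            {"id": "d3", "deviceName": "TB-CAROL", "operatingSystem": "Android",
             "userPrincipalName": "carol@example.test", "complianceState": "inGracePeriod",
             "lastSyncDateTime": "2022-02-22T19:10:00Z"},
        ],
        "@odata.nextLink": NEXT_PAGE,
    },
    NEXT_PAGE: {
        "value": [
            {"id": "d4", "deviceName": "LT-DAVE", "operatingSystem": "Windows",
             "userPrincipalName": "dave@example.test", "complianceState": "compliant",
             "lastSyncDateTime": "2022-02-23T08:05:00Z"},
            {"id": "d5", "deviceName": "PH-ERIN", "operatingSystem": "iOS",
             "userPrincipalName": "erin@example.test", "complianceState": "compliant",
             "lastSyncDateTime": "2022-02-23T06:45:00Z"},
        ],
    },
}


def sample_report() -> Dict:
    """Run the report over the constructed pages (no network access)."""
    return compliance_report(list(iter_managed_devices(SAMPLE_PAGES.__getitem__)))
```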

Microsoft 365 for enterprise is a complete, intelligent solution that empowers everyone to be creative and work together securely. It is designed for large organizations, but it can also be used for medium-sized and small businesses that need the most advanced security and productivity capabilities.

Microsoft 365 scenarios include productivity, collaboration, education, people, and workplace intelligence. It includes services that manage user and device identity, access, compliance and security, and helps protect organizations from data leakage or loss.

The standard Microsoft 365 cloud is used by enterprise, academic and even home Office 365 tenants. It has the most features and tools, global availability and the lowest prices. Since it is the default choice among the clouds, everyone qualifies. That said, there are sovereign Microsoft 365 clouds for advanced data protection.

Together, Intune, Microsoft Graph and Microsoft 365 can ensure a modern workplace.

 

 

Wednesday, February 23, 2022

This is a continuation of a series of articles on Azure services from an operational engineering perspective with the most recent introduction to Microsoft Intune with the link here. The previous article mentioned Microsoft Intune with its device management capabilities. This article discusses the lifecycle of devices and applications. 

Microsoft Intune is a cloud-based service that manages devices and their applications. These devices can include mobile phones, tablets, and notebooks. It can help configure specific policies to control applications. It allows people in the organization to use their devices for school or work. The data stays protected, and the organizational data can be isolated away from the personal data on the same device. It is part of Microsoft’s Enterprise Mobility and Security EMS suite. It integrates with the Azure Active Directory to control who has access and what they can access. It integrates with Azure Information Protection for data protection.  

Intune can help with the lifecycle management of devices and applications. All devices go through the stages of the lifecycle from enrollment, through configuration and protection, to retiring the device when it is no longer required. As an example, a phone used by an end user for work must first be enrolled with an Intune account so the company can manage it; then it must be configured for compliance and the data stored on it must be protected; finally, the device must be retired by wiping all the sensitive data. Setting up device enrollment is the first step, and the devices that can be enrolled vary in size, shape, model, and functionality. Even personal notebooks can be enrolled, with the guarantee that work data and personal data will be kept isolated. Devices must be configured next to leverage all the offerings of Intune: to be secure and compliant with company standards, to manage how the devices operate, and to adhere to one or more policies. Devices do not necessarily lose functionality when they are configured; they might just have more protection added around those functions. When users want to access company resources such as their work email or the company network, they need not know all the complex settings; Intune reduces this burden for them. The Intune client software can also add more device management capabilities to the devices. Protection of the device means protection from unauthorized access or malicious attacks, and these additional layers are provided by multi-factor authentication, Windows Hello for Business settings, and policies applied with the Intune client software. Finally, the devices reach the end of the lifecycle, which includes resetting them and removing them from management. If they are lost or stolen, they must be properly replaced.

The app lifecycle is somewhat like the device lifecycle in that it is also cyclic, but its stages are add, deploy, configure, protect and retire. The first step is adding the application, and the procedure is the same for many different types of applications. The next stage is deploy: Intune can assign applications to devices and users, and in some app stores, app licenses can be purchased in bulk across users. Deployment is transparent; for example, license usage can be tracked from the Intune administration console. The configure stage is easy with the tools that Intune provides and generally involves updating the application, configuring extra functionality, and managing browser policies. Intune gives many ways to help protect the data in the applications, but the main ones are conditional access and application protection policies. The former controls access to, say, email and services based on conditions; the latter protects company data used by the applications, for example by preventing them from running if the device is jailbroken or rooted. Finally, an application can become outdated or need to be removed, and uninstallation makes this easy.

Together, device and application lifecycle management can ensure that devices and applications pose no risk to the company and allow the devices to expand their capabilities safely and securely.

 

Tuesday, February 22, 2022

 This is a continuation of a series of articles on Azure services from an operational engineering perspective with the most recent introduction to Microsoft Intune with the link here. The previous article mentioned Microsoft Intune with its broad offerings and common ways to use them. This article discusses device management with Intune specifically. 

Microsoft Intune is a cloud-based service that manages devices and their applications. These devices can include mobile phones, tablets, and notebooks. It can help configure specific policies to control applications. It allows people in the organization to use their devices for school or work. The data stays protected, and the organizational data can be isolated away from the personal data on the same device. It is part of Microsoft’s Enterprise Mobility and Security EMS suite. It integrates with the Azure Active Directory to control who has access and what they can access. It integrates with Azure Information Protection for data protection.  

Device management is a key task for the Intune administrator. It enables organizations to protect and secure their resources and data from different devices. A device management provider can ensure that only authorized users get access to the devices and their applications.

Intune offers mobile device management and mobile application management. Some key tasks for such management include: 1) supporting diverse mobile platforms and their ecosystems, 2) ensuring devices and applications are compliant with the organization's security requirements, 3) creating policies that keep organization data safe on organization-owned and personal devices, 4) using a single solution to enforce policies, and 5) protecting the company’s information by controlling the way data is used.

Intune works seamlessly with on-premises solutions for mobile device and application management. Many organizations use an on-premises Configuration Manager to manage devices, and this can be cloud-attached to Microsoft Intune. The benefits of Intune and the cloud include conditional access, running remote actions, using Windows Autopilot and more. Microsoft Endpoint Manager is a solution platform that unifies several services. It includes Microsoft Intune for cloud-based device management and Configuration Manager with Intune for cloud-attached device management. This option to ‘co-manage’ with Configuration Manager and Intune is just right for leveraging the cloud to manage the devices in the field. There is also an option for Endpoint Manager tenant attach, where the devices are uploaded to the Endpoint Manager admin center without enabling auto-management or switching to Intune.

Intune also integrates with other services to extend security and protection. Microsoft 365 is a key component that simplifies common IT tasks, and it works with Intune, Azure Active Directory and more. Windows Defender includes many security features to help protect Windows client devices; together with Intune, it enables Windows Defender SmartScreen to look for suspicious activity. With Microsoft Defender for Endpoint, it helps prevent security breaches on mobile devices. Conditional access is a feature of Azure Active Directory, and together with Intune it makes sure only compliant devices are allowed access to email and other applications.

The choice of approach to managing devices and applications depends on the organization and its requirements. Some features are built into Intune to help manage the devices themselves. Another approach helps manage the applications on those devices. There is also a combination that does both.

The device management admin center offers many capabilities that allow administrators to enroll devices, set device compliance, manage devices, manage applications and iOS eBooks, install Exchange, manage roles, manage Windows client updates and software updates, manage Azure Active Directory, manage users, groups and members, and troubleshoot. Microsoft Intune offers a planning guide to get started.


Monday, February 21, 2022

This is a continuation of a series of articles on Azure services from an operational engineering perspective with the most recent introduction of Microsoft Graph with the link here. The previous articles discussed the Microsoft Graph, its connectors and Data Connect. This article discusses Intune. The Microsoft Graph API for Intune enables programmatic access to Intune information for a tenant. The API performs the same Intune operations as those available via the portal.  It just behaves like another service that provides data into the Graph API. 

Microsoft Intune is a cloud-based service that manages devices and their applications. These devices can include mobile phones, tablets, and notebooks. It can help configure specific policies to control applications. It allows people in the organization to use their devices for school or work. The data stays protected, and the organizational data can be isolated away from the personal data on the same device. It is part of Microsoft’s Enterprise Mobility and Security EMS suite. It integrates with the Azure Active Directory to control who has access and what they can access. It integrates with Azure Information Protection for data protection.  

Since it is a cloud service, it can work directly with clients over the internet, or be managed with Configuration Manager and Intune. Rules and configuration settings can be set on personal and organization-owned devices to access data and networks. Authenticated applications can be deployed on devices. Company information can be protected by controlling the way users access and share information. The devices and applications can be made compliant with the security requirements. Users must opt into management with Intune on their devices, and they can opt in for partial or full control by organization administrators. These administrators can add and assign mobile apps to user groups and devices, configure apps to start or run with specific settings enabled, update existing apps already on the device, see reports on which apps are used and track their usage, and do a selective wipe by removing only organization data from apps. App protection policies include using Azure AD identity to isolate organization data from personal data, helping secure access on personal devices, and enrolling devices.

Intune makes use of app protection policies and device compliance policies to protect data. It uses profiles and configuration policies to protect data. It uses applications and application configuration policies to manage applications. It saves the device compliance results to Active Directory for conditional access. It uses groups from Active Directory to regulate all the activities it performs for users. The authentication and authorization helper libraries that work with Active Directory are used by SaaS applications and Office 365 to integrate with application stores and device experiences. In a way, Intune works like a collection of microservices instead of a monolithic control and state reconciliation plane. The end-user devices make use of the Network Access Control partner, the Mobile Threat Defense connector, and telecom expense management routines to connect with the microservices that protect data and configure devices.

Microsoft Intune includes settings and features to enable or disable on different devices within the organization. These are added to configuration profiles that can be created for different devices and different platforms, and Intune assigns the profile to devices. These configuration profiles help complete several tasks, such as blocking ActiveX controls in Microsoft Edge, allowing users to AirPrint to specific printers, allowing or denying access to Bluetooth, giving access to corporate networks, managing software updates, or running as a dedicated kiosk device. There are a few cloud-based artifacts that administrators can leverage for this purpose. They include administrative templates, which are hundreds of settings that give administrators a simplified view of settings. They include Group Policy analytics, which analyzes on-premises GPOs and shows which policy settings are supported. Custom settings help extend settings for administrators when the built-ins don’t suffice. Software updates are delivered through Delivery Optimization. They include derived credentials, which can be included with profiles to connect to VPN and Wi-Fi.

Sunday, February 20, 2022

 

DNS Domain Ownership enforcement:


 

Problem statement:

Domain Name Service (DNS) records are registered with an authority in a network to allow hosts to be reached by their names. The records map names to IP addresses that can be resolved in the network. A hierarchy of domain name servers can translate external traffic to network hosts. This enables users to reach websites and organizational resources from the internet or intranet respectively. When these records are created, they are a new instance and do not affect the existing records. If they are untouched, they resolve to specific hosts that can be reached and do not interfere with the security or usage of existing hosts. However, an unintended or hostile update to a record can take down the reachability of critical business resources. This article explores the need for DNS security and the ways to perform updates securely – whether to rely on features specific to a DNS server or to streamline and harden the process surrounding the use of DNS servers and the associated network.

Solution:

The API-based approach will chain the ownership resource to the DNS record so that all changes can be authenticated, authorized and audited. These include:

2) the integration between the ticketing framework and the message queues 

In this case, each record on the DNS server has an owner associated with the workflow that generated the record. All actions taken on the records are logged against this resource. The API is as follows:

Create resourceowner                          POST   /rest/api/2/resourceowner

Get resourceowner                             GET    /rest/api/2/resourceowner/{resourceownerIdOrKey}

Delete resourceowner                          DELETE /rest/api/2/resourceowner/{resourceownerIdOrKey}

Edit resourceowner                            PUT    /rest/api/2/resourceowner/{resourceownerIdOrKey}

Assign                                        PUT    /rest/api/2/resourceowner/{resourceownerIdOrKey}/record

Get records                                   GET    /rest/api/2/resourceowner/{resourceownerIdOrKey}/record

Add record                                    POST   /rest/api/2/resourceowner/{resourceownerIdOrKey}/record

Update record                                 PUT    /rest/api/2/resourceowner/{resourceownerIdOrKey}/record/{id}

Delete record                                 DELETE /rest/api/2/resourceowner/{resourceownerIdOrKey}/record/{id}

Notify                                        POST   /rest/api/2/resourceowner/{resourceownerIdOrKey}/notify

Create or update remote resourceowner link    POST   /rest/api/2/resourceowner/{resourceownerIdOrKey}/remotelink

Get resourceowner watchers                    GET    /rest/api/2/resourceowner/{resourceownerIdOrKey}/watchers

Add watcher                                   POST   /rest/api/2/resourceowner/{resourceownerIdOrKey}/watchers

Remove watcher                                DELETE /rest/api/2/resourceowner/{resourceownerIdOrKey}/watchers

Get create resourceowner meta                 GET    /rest/api/2/resourceowner/createmeta
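The following is an added example, not code from the original post: an in-memory model of the resourceowner API above, written to show the two checks the design relies on. Every record is created under a resourceowner that stands for the workflow (here, a ticket) which requested it; every mutation is authorized against that owner's principal and against the owner the record was created under, so one workflow cannot edit another's records; and every action, including denials, lands in an audit log. The class names, the actor strings and the record types accepted are assumptions made for the illustration.

```python
"""Owner-chained DNS record registry with an audit trail (added example).

Assumed names: ResourceOwner stands for the workflow that requested a record,
its principal is the only identity allowed to change those records, and
watchers are notified but cannot write.
"""
import ipaddress
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, List, Set

VALID_TYPES = {"A", "AAAA", "CNAME", "TXT"}   # assumption: the types this registry manages


class AuthorizationError(PermissionError):
    """Actor is not allowed to act on the owner or record."""


@dataclass
class ResourceOwner:
    key: str                                   # e.g. the ticket id that requested the record
    principal: str                             # identity allowed to change the owner's records
    watchers: Set[str] = field(default_factory=set)


@dataclass
class Record:
    id: int
    owner_key: str
    name: str
    rtype: str
    value: str


@dataclass
class AuditEvent:
    when: str
    actor: str
    action: str
    owner_key: str
    detail: str


class DnsRegistry:
    def __init__(self) -> None:
        self.owners: Dict[str, ResourceOwner] = {}
        self.records: Dict[int, Record] = {}
        self.audit: List[AuditEvent] = []
        self._next_id = 1

    def _log(self, actor: str, action: str, owner_key: str, detail: str) -> None:
        stamp = datetime.now(timezone.utc).isoformat(timespec="seconds")
        self.audit.append(AuditEvent(stamp, actor, action, owner_key, detail))

    def _authorize(self, actor: str, owner_key: str) -> ResourceOwner:
        """Only the owner's principal may write; denials are logged as well."""
        owner = self.owners[owner_key]
        if actor != owner.principal:
            self._log(actor, "DENIED", owner_key, f"{actor} is not {owner.principal}")
            raise AuthorizationError(f"{actor} may not modify records of {owner_key}")
        return owner

    def _owned_record(self, actor: str, owner_key: str, record_id: int) -> Record:
        """A record may only be changed through the owner it was created under."""
        rec = self.records[record_id]
        if rec.owner_key != owner_key:
            self._log(actor, "DENIED", owner_key, f"record {record_id} belongs to {rec.owner_key}")
            raise AuthorizationError(f"record {record_id} is owned by {rec.owner_key}")
        return rec

    @staticmethod
    def _validate(rtype: str, value: str) -> None:
        if rtype not in VALID_TYPES:
            raise ValueError(f"unsupported record type {rtype}")
        if rtype == "A":
            ipaddress.IPv4Address(value)       # raises ValueError on a malformed address
        elif rtype == "AAAA":
            ipaddress.IPv6Address(value)

    def create_owner(self, actor: str, key: str, principal: str) -> ResourceOwner:
        if key in self.owners:
            raise ValueError(f"owner {key} already exists")
        owner = self.owners[key] = ResourceOwner(key, principal)
        self._log(actor, "CREATE_OWNER", key, f"principal={principal}")
        return owner

    def add_watcher(self, actor: str, owner_key: str, watcher: str) -> None:
        self._authorize(actor, owner_key).watchers.add(watcher)
        self._log(actor, "ADD_WATCHER", owner_key, watcher)

    def add_record(self, actor: str, owner_key: str, name: str, rtype: str, value: str) -> Record:
        self._authorize(actor, owner_key)
        self._validate(rtype, value)
        rec = Record(self._next_id, owner_key, name.lower().rstrip("."), rtype, value)
        self._next_id += 1
        self.records[rec.id] = rec
        self._log(actor, "ADD_RECORD", owner_key, f"{rec.name} {rtype} {value}")
        return rec

    def update_record(self, actor: str, owner_key: str, record_id: int, value: str) -> Record:
        self._authorize(actor, owner_key)
        rec = self._owned_record(actor, owner_key, record_id)
        self._validate(rec.rtype, value)
        old, rec.value = rec.value, value
        self._log(actor, "UPDATE_RECORD", owner_key, f"{rec.name} {rec.rtype} {old} -> {value}")
        return rec

    def delete_record(self, actor: str, owner_key: str, record_id: int) -> None:
        self._authorize(actor, owner_key)
        rec = self._owned_record(actor, owner_key, record_id)
        del self.records[record_id]
        self._log(actor, "DELETE_RECORD", owner_key, f"{rec.name} {rec.rtype} {rec.value}")

    def records_for(self, owner_key: str) -> List[Record]:
        return [r for r in self.records.values() if r.owner_key == owner_key]

    def notify_targets(self, owner_key: str) -> Set[str]:
        """Who the Notify endpoint would reach: the principal plus the watchers."""
        owner = self.owners[owner_key]
        return {owner.principal} | owner.watchers
```

The point of keeping the denial path in the same audit log as the successful writes is that a hostile or accidental update attempt shows up next to the legitimate history of the record, which is what an investigator needs when a critical name suddenly stops resolving.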

Conclusion:

Some solutions involve recurring best-practice patterns such as an automation framework that enables background processing with the help of a persistence layer, a message queue and a synchronous full-stack service model. Others require general-purpose but pre-defined groupings of cloud service resources. Either way, organizations will find they do not need to repeat the discovery and implementation of DNS record owner security.

Saturday, February 19, 2022

 DNS record updates 

Problem statement: 

Domain Name System (DNS) records are registered with an authority in a network so that hosts can be reached by name. The records map names to IP addresses that can be resolved in the network. A hierarchy of name servers translates external traffic to network hosts, which lets users reach web sites and organizational resources from the internet or the intranet respectively. When a record is created it is a new instance and does not affect existing records. Left untouched, it resolves to a specific host and does not interfere with the security or use of existing hosts. However, an unintended or hostile update to a record can take down the reachability of critical business resources. This article explores the need for DNS security and the ways to perform updates securely: whether to rely on features specific to a DNS server, or to streamline and harden the process surrounding the use of DNS servers and the associated network.

Solution: 

The original DNS protocol, and the name servers that implement it for external clients, have the following limitations:

1. Complex management: manually introduced misconfigurations of name servers occur because of the complexity of managing them. A syntax error in a zone data file can go unnoticed and render the name server unable to load that zone, so it returns either stale data or no data. A syntax error in the name server's configuration file prevents the name server from starting at all.

2. Attack vulnerabilities: if administrators do not take the simple precaution of configuring their recursive servers and forwarders to accept recursive queries only from internal IP addresses, the server becomes an open resolver, which exposes it to cache-poisoning attacks in which an attacker induces the name server to cache fabricated data.

This can have significant impact on eCommerce, because an attacker could redirect traffic intended for, say, a bank's web site to a web server carrying a replica of the site's content and steal account numbers and passwords.

3. Difficult upgrades: upgrading to a new version of the name server is not just a simple software update. It might involve downloading new source code, compiling, testing and installing, often without an upgrade advisor or migration path. If the task becomes an onus, administrators tend to put it off, and the delay manifests as business impact.

For example, the Lion worm exploited a BIND vulnerability for which a patch had already been released, yet months later the worm continued to infect name servers around the internet.

4. Ever-growing attack options: one of the biggest challenges for IT organizations is the ever-increasing number and variety of DNS attacks. The well-known ones include:

1) TCP SYN flood attacks, where half-open connections are orphaned by flooding the DNS server with TCP connection requests until the target fails;

2) UDP flood attacks, where a large number of UDP packets sent to random ports on the target server cause it to fail;

3) LAND attacks, where a spoofed TCP or UDP packet that carries the target's own address and an open port as both source and destination causes the machine to reply to itself continuously;

4) cache poisoning attacks, where fabricated records are planted in a resolver's cache so that legitimate requests are answered with the address of a malicious site; and

5) proxy attacks, where a machine that has penetrated the network intercepts legitimate requests and routes them to malicious sites.
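The second and fourth limitations above come down to the same operational check: a resolver must answer recursive queries only for the address ranges it is meant to serve. The following is an added example, not part of the original post, that applies an allow-recursion ACL to query log lines and flags recursive lookups that were served to outside sources, each of which is a client that could have been used to seed the cache with fabricated data. The log lines are constructed to resemble BIND's query log, in which a leading '+' in the flags field means the client set the RD (recursion desired) bit; the address ranges and the log format details are assumptions.

```python
"""Flag recursive queries served to sources outside the allowed ranges (added example).

Assumptions: the log format approximates BIND's query log, and ALLOW_RECURSION
is the set of networks that should be permitted to use this server recursively.
"""
import ipaddress
import re
from typing import Iterable, List, Optional, Tuple

# Networks allowed to use this server as a recursive resolver (assumed values).
ALLOW_RECURSION = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fd00::/8")
]

# client [@0x...] <ip>#<port> (<qname>): query: <qname> IN <type> <flags> (<server-ip>)
QUERY_RE = re.compile(
    r"client (?:@0x[0-9a-f]+ )?(?P<ip>[0-9a-fA-F.:]+)#\d+ .*?: query: "
    r"(?P<name>\S+) IN (?P<type>\S+) (?P<flags>\S+)"
)

# Constructed sample log: an internal recursive lookup, an external recursive
# lookup (the exposure), and an external non-recursive lookup of our own zone.
SAMPLE_LOG = [
    "12-Feb-2022 10:00:01.123 client @0x7f1 10.1.2.3#40001 (intranet.corp.example): "
    "query: intranet.corp.example IN A +E(0)K (10.0.0.53)",
    "12-Feb-2022 10:00:02.456 client @0x7f2 203.0.113.7#53125 (www.bank.example): "
    "query: www.bank.example IN A +E(0)K (10.0.0.53)",
    "12-Feb-2022 10:00:03.789 client @0x7f3 198.51.100.9#5353 (corp.example): "
    "query: corp.example IN NS -E(0) (10.0.0.53)",
]


def recursion_allowed(src: str, acl=ALLOW_RECURSION) -> bool:
    """True if the source address falls inside any network of the ACL."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in acl)


def parse_query_line(line: str) -> Optional[dict]:
    """Extract source ip, qname, qtype and whether recursion was requested."""
    m = QUERY_RE.search(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "name": m["name"],
        "type": m["type"],
        "recursive": m["flags"].startswith("+"),   # '+' = RD bit set in BIND's log
    }


def find_external_recursion(lines: Iterable[str], acl=ALLOW_RECURSION) -> List[Tuple[str, str]]:
    """Return (source ip, qname) for recursive queries served outside the ACL."""
    hits: List[Tuple[str, str]] = []
    for line in lines:
        q = parse_query_line(line)
        if q is None or not q["recursive"]:
            continue                    # unparsable, or an authoritative (non-recursive) lookup
        try:
            allowed = recursion_allowed(q["ip"], acl)
        except ValueError:
            continue                    # malformed address in the log line
        if not allowed:
            hits.append((q["ip"], q["name"]))
    return hits


if __name__ == "__main__":
    for ip, name in find_external_recursion(SAMPLE_LOG):
        print(f"open recursion: {ip} resolved {name} through this server")
```

A non-empty result means the server is acting as an open resolver for those sources; the fix is on the server side (BIND's allow-recursion option, or the equivalent on other servers), and this check is how to confirm the fix took effect from the logs rather than from the configuration file alone.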

Friday, February 18, 2022

 

This is a continuation of a series of articles on Azure services from an operational engineering perspective with the most recent introduction of Microsoft Graph with the link here. The previous articles discussed Microsoft Graph, its connectors and Data Connect. This article introduces Intune. The Microsoft Graph API for Intune enables programmatic access to Intune information for a tenant. The API performs the same Intune operations as those available via the portal; Intune simply behaves like another service that provides data to the Graph API.

Microsoft Intune is a cloud-based service that manages devices and their applications. These devices can include mobile phones, tablets and notebooks. It can apply specific policies to control applications. It allows people in the organization to use their own devices for school or work while the data stays protected, because organizational data can be isolated from personal data on the same device. It is part of Microsoft's Enterprise Mobility + Security (EMS) suite. It integrates with Azure Active Directory to control who has access and what they can access, and with Azure Information Protection for data protection.

Since it is a cloud service, it can manage clients directly over the internet, or devices can be co-managed with Configuration Manager and Intune. Rules and configuration settings can be set on personal and organization-owned devices to control access to data and networks. Authenticated applications can be deployed to devices. Company information can be protected by controlling the way users access and share it. Devices and applications can be brought into compliance with security requirements. Users must enroll their devices in Intune management, and can opt in to partial or full control by organization administrators. Those administrators can add and assign mobile apps to user groups and devices, configure apps to start or run with specific settings enabled, update existing apps already on the device, see reports on which apps are used and track their usage, and perform a selective wipe that removes only organization data from apps. The protection options include app protection policies that use Azure AD identity to isolate organization data from personal data, securing access on personal devices, and enrolling devices.

Intune uses app protection policies and device compliance policies to protect data, profiles and configuration policies to configure devices, and applications and application configuration policies to manage applications. It records device compliance results in Azure Active Directory so that conditional access can act on them, and it uses Azure AD groups to scope all the activities it performs for users. The authentication and authorization helper libraries that work with Azure AD are used by SaaS applications and Office 365 to integrate with application stores and device experiences. In a way, Intune works like a collection of microservices rather than a monolithic control and state-reconciliation plane. End-user devices connect to these microservices, which protect data and configure devices, through network access control partners, the Mobile Threat Defense connector and telecom expense management integrations.

The technology behind software updates and push notifications is not new. The benefits of synchronization over an always-online solution are clear: reduced data transfer over the network, reduced load on the enterprise server, faster data access and increased control over data availability. It is less well understood that there are different types of synchronization depending on the type of data. For example, synchronization may be initiated for personal information management (PIM) data such as email and calendar entries, as opposed to application files. The latter can be considered artifacts that artifact-independent synchronization services can refresh. Several such products are available and they do not require user involvement for a refresh, which means one or more files and applications can be set up for synchronization on remote devices, although these are usually one-way transfers.

Data synchronization, on the other hand, performs a bidirectional exchange, and sometimes a transformation, between two data stores. This is the focus of this article. The server data store is usually larger because it holds data for more than one user, while the local data store is limited by the size of the mobile device. The data transfer occurs over a synchronization middleware or layer: the middleware is set up on the server while the layer is hosted on the client. This is the most common way for smart applications to access corporate data.

Synchronization might be treated as a web service with the usual three tiers comprising the client, the middle tier and the enterprise data. When data is synchronized between an enterprise server and a persistent data store on the client, a modular layer on the client can provide a simple, easy-to-use client API to control the process with little or no interaction from the client application. This layer may need to be written, or rewritten, natively for the host depending on whether the client is a mobile phone, a laptop or some other device. With a single invocation of the synchronization layer, a client application can expect the data in the local store to be refreshed.

The synchronization middleware resides on the server, and this is where the bulk of the synchronization logic is written. There can be more than one data store behind the middleware on the server side and more than one client on the client side. Typical features of this server-side implementation include data scoping, conflict detection and resolution, data transformation, data compression and security, all of which must be delivered without sacrificing server performance and scalability. Two common forms of synchronization middleware are a standalone server application and a servlet running in a servlet engine. The standalone server is more tightly coupled to the operating system and provides better performance for large data. J2EE application servers rely on an outside servlet engine and are better suited for high-volume, low-payload data changes.

The last part of this synchronization solution is the data backend. While it is typically internal to the synchronization server, it is called out because it might involve more than one data store, technology and access mechanism, such as object-relational mapping.

 

Thursday, February 17, 2022

Microsoft Graph 

This is a continuation of a series of articles on Azure services from an operational engineering perspective with the most recent introduction of this topic with the link here. The previous article discussed the Microsoft Graph Data Connect used with Microsoft Graph. This article discusses the best practices for using Microsoft Teams activity feed notifications. Microsoft Graph enables integration with the best of Microsoft 365, Windows 10 and Enterprise Mobility + Security services in Microsoft 365, using REST APIs and client libraries.

Microsoft Graph provides a unified programmability model by consolidating multiple APIs into one. As Microsoft's cloud services have evolved, the APIs that reference them have also changed. Originally, when cloud services like Exchange Online, SharePoint, OneDrive and others appeared, each launched its own API to access the service, and the list of SDKs and REST APIs that developers needed in order to access content kept growing. Each endpoint also required its own access tokens and returned status codes that were unique to that service. Microsoft Graph brought a consistent, simplified way to interact with these services.

This article covers the best practices for using Microsoft Teams activity feed notifications in Microsoft Graph which apply to:

-          Creating call-to-action notifications

-          Requesting responses to notifications

-          Creating notifications about external events

Microsoft Teams displays notifications in both activity feed and toast formats. Users can receive notifications from multiple sources across chats, channels, meetings or other applications. It is recommended that the content of a feed notification or toast be localized, and the application must be localized as well for this purpose. Appropriate titles and descriptions must be provided for the notified activity types. Short titles such as "@mention" or "Announcement" are preferable. Notifications should be filtered to show only what is relevant to the user. Promotional notifications must be avoided. Notifications from messages and activity feed notifications can be redundant, and such duplicates must be removed. The text preview section in a notification can be used so that the user can take the necessary action. A period at the end of the notification title is not required, which is consistent with the notifications Teams itself generates. The relationship between the notification and the content must be clear to the user, and the feed experience should be self-contained. The application should not send more than ten notifications per minute, per user. The load time of the application must not negatively affect the experience for users. The user must be informed about the notification's storage period.

Either activity feed notifications or Bot Framework messages can be used, but they should not be used together. Activity feed notifications must appear in the Teams activity feed so that the user can conveniently act on them. They can include links to other locations, but the user must be able to understand the notification and follow the link to its source. The corresponding API lets the application send a notification for each activity type it has registered. Delegated calls create a better notification experience; the API supports both delegated and application-only calls. In delegated calls the sender of the notification appears as the user who initiated it, while in application-only calls it appears as the application.

Bot Framework messages are delivered as chat or channel messages and notify a user by @mentioning them by name. Inlining an alert as a chat or channel message is the right choice when it must be broadcast to all channel members. These are some of the best practices to follow with such notifications.

 

Wednesday, February 16, 2022

 Microsoft Graph 

This is a continuation of a series of articles on Azure services from an operational engineering perspective with the most recent introduction of this topic with the link here. The previous article discussed the Microsoft Graph Data Connect used with Microsoft Graph. This article discusses known limitations and workarounds. Microsoft Graph enables integration with the best of Microsoft 365, Windows 10 and Enterprise Mobility + Security services in Microsoft 365, using REST APIs and client libraries.

Microsoft Graph provides a unified programmability model by consolidating multiple APIs into one. As Microsoft's cloud services have evolved, the APIs that reference them have also changed. Originally, when cloud services like Exchange Online, SharePoint, OneDrive and others appeared, each launched its own API to access the service, and the list of SDKs and REST APIs that developers needed in order to access content kept growing. Each endpoint also required its own access tokens and returned status codes that were unique to that service. Microsoft Graph brought a consistent, simplified way to interact with these services.

Some limitations apply to the application and servicePrincipal resources. Some application properties are not available. Only multi-tenant applications can be registered. Azure Active Directory users can register applications and add additional owners. Support for the OpenID Connect and OAuth protocols has limitations. Policy assignments to an application fail. Operations on ownedObjects that require an appId fail. The best resolution for these limitations is to wait for the changes being made to the application and servicePrincipal resources.

Cloud solution providers (CSPs) must acquire tokens from Azure AD v1 endpoints, because the Azure AD v2 endpoint is not supported for their applications, including when those applications are used for their partner-managed customers.

The pre-consent for CSP applications does not work in some customer tenants. This manifests as an error when issuing tokens for an application that uses delegated permissions, or as an access-denied error when calling Microsoft Graph after the application acquires a token with application permissions. The suggested workaround is to download and install Azure AD PowerShell v2, open an Azure AD PowerShell session connected to the customer tenant, and create the Microsoft Graph service principal there.

Other identity-related limitations include conditional access policies requiring consent to additional permissions. The claimsMappingPolicy API may require consent to both Policy.Read.All and Policy.ReadWrite.ConditionalAccess for the List operation on /policies/claimsMappingPolicies and /policies/claimsMappingPolicies/{id}. If there are no such objects to retrieve, either permission is sufficient to call the methods; if claimsMappingPolicy objects exist, the app must consent to both permissions.

 

Tuesday, February 15, 2022

 

Azure Well-Architected Framework

This is a continuation of a series of articles on Azure services from an operational engineering perspective with the most recent introduction of this topic with the link here. The previous article discussed the Microsoft Graph Data Connect used with Microsoft Graph. This article discusses cloud data governance and the Azure well-architected framework for data workloads.

The Cloud Adoption Framework helps to create an overall cloud adoption plan that guides programs and teams in their digital transformation. The plan methodology provides templates to create backlogs and plans to build the necessary skills across the teams. It helps rationalize the data estate, prioritize the technical efforts and identify the data workloads. It's important to adhere to a set of architectural principles which help guide the development and optimization of the workloads. The Azure Well-Architected Framework lays down five pillars of architectural excellence:

-          Reliability

-          Security

-          Cost Optimization

-          Operational Excellence

-          Performance efficiency

The elements that support these pillars are the Azure Well-Architected Review, Azure Advisor, documentation, partners, support and service offers, reference architectures and design principles.

This guidance provides a summary of how these principles apply to the management of the data workloads.

Cost optimization is one of the primary benefits of using the right tool for the right solution. It helps to analyze the spend over time as well as the effects of scale out and scale up. The Azure Advisor can help improve reusability, on-demand scaling, reduced data duplication, among many others.

Performance is usually driven by external factors and is closely tied to customer satisfaction. Continuous telemetry and responsiveness are essential to tuning performance. The shared environment controls for management and monitoring create alerts, dashboards and notifications specific to the performance of the workload. Performance considerations include storage and compute abstractions, dynamic scaling, partitioning, storage pruning, enhanced drivers and multilayer caches.

Operational excellence comes with security and reliability. Security and data management must be built into the system at every layer, for every application and workload. The data management and analytics scenario focuses on establishing a foundation for security. Although workload-specific solutions might be required, the foundation for security is built with the Azure landing zones and managed independently from the workload. Confidentiality and integrity of data, including privilege management, data privacy and appropriate controls, must be ensured. Network isolation and end-to-end encryption must be implemented. SSO, MFA, conditional access and managed identities are used to secure authentication. Separation of concerns between the Azure control plane and data plane, as well as role-based access control (RBAC), must be used.

The key considerations for reliability are how to detect change and how quickly the operations can be resumed. The existing environment should also include auditing, monitoring, alerting and a notification framework.

In addition to all the above, some consideration may be given to improving individual service level agreements, redundancy of workload specific architecture, and processes for monitoring and notification beyond what is provided by the cloud operations teams.

Monday, February 14, 2022

Continuous Encoder

BERT is an algorithm for natural language processing that interprets search queries much as humans do, because it tries to understand the context of the words that constitute the query so that results match better than they would without it. It was proposed by Google and stands for Bidirectional Encoder Representations from Transformers. To understand BERT, we must first understand the terms encoder and bidirectional. These terms come from neural network techniques in machine learning, where encoding and decoding refer to the state carried between words in a sequence. A short introduction to neural networks: a network comprises layers of units that calculate probabilities over their inputs, in this case words, with weights learned across a chosen set of other inputs that are also called features. Each feature gets a set of weights that express how likely it is to appear together with the other words chosen as features. A bag of words from the text is run through the network and transformed into output that resembles word associations, but in the process the network computes a weighted matrix of words against their features; the rows of this matrix are called embeddings. These embeddings are immensely useful because they represent words and their context in terms of the features that frequently co-occur with them, bringing out the latent meanings of the words. With this additional information from the embeddings, it is possible to find how similar two words are, or what topics the keywords represent, especially when a word has multiple meanings.

In the above description, the transformation was forward-only, with associations running from the left context to the right within a layer, but the calculations performed in one layer can jointly use the context from both sides. This is called bidirectional transformation, and since a neural network can have multiple layers with the output of one layer serving as input to the next, this algorithm performs the bidirectional transformation in every layer. When the input is not a single word but a set of words such as a sentence, it is called a sequence; search terms form a sequence. BERT can unambiguously represent a sentence or a pair of sentences in question/answer form. The state between the constituents of a sequence is encoded in a form that helps interpret the sequence, or generate a response sequence with the help of decoding. This relationship, captured between an input and an output sequence through encodings and decodings, enhances language modeling and improves search results.

Natural language processing relies on encoding and decoding to capture and replay state from text. This state is discrete and changes from one set of tokenized input texts to another. As the text is transformed into vectors of a predefined feature length, it becomes available for regression and classification. The state representation remains immutable and is decoded to generate new text. If instead the encoded state could be accumulated with the subsequent text, it is likely to bring out the topic of the text, provided the accumulation is progressive. A progress indicator could be the mutual information value of the resulting state: if there is information gain, the state continues to aggregate and is stored in memory; otherwise the candidate pairing is discarded. This results in a final aggregated state that grows more inclusive of the topic of the text.

State aggregation is independent of BERT but not removed from it. It is optional and useful for topic detection. It can also improve the precision and relevance of the text generated in response by ensuring that its F-score remains high when compared against the aggregated state. Without the aggregated state, the scores for the response were harder to evaluate.

Sunday, February 13, 2022

 Standard enterprise governance guide and multi-cloud adoption

Cloud governance is a journey not a destination. Cloud governance creates guardrails that keep the company on a safe path throughout the journey of adopting the cloud along the way there are clear milestones and tangible business benefits. Processes must be put in place to ensure adherence to the stated policies. There are five disciplines of cloud governance which support these corporate policies. Each discipline protects the company from potential pitfalls. These include cost management discipline, security baseline discipline, resource consistency discipline, identity baseline discipline, and deployment acceleration discipline.

The actionable governance guide is an incremental approach of the cloud adoption framework governance model. It can be established with an agile approach to cloud governance that will grow to meet the needs of any scenario.

This governance guide serves as a foundation for an organization to quickly and consistently add governance guardrails across its subscriptions. Initially, an organization hierarchy is created to empower the cloud adoption teams. It consists of one management group for each type of environment; two subscriptions, one for production workloads and another for non-production workloads; consistent nomenclature applied at each level of the hierarchy; resource groups deployed in a manner that considers the lifecycle of their contents; and region selection such that networking, monitoring and auditing can be put in place. These patterns provide room for growth without complicating the hierarchy.

 A set of global policies and RBAC roles will provide a baseline level of governance enforcement. Identifying the policy definitions, creating a blueprint definition, and applying policies and configurations globally are required to meet the policy requirements.

Controls can be added for multi-cloud adoption when customers adopt multiple clouds for specific purposes. All of the IT operations can be run on a different cloud provider.   

In a multi-cloud environment, identity could be specific to a cloud or it could be hybrid, facilitated through replication to, say, Azure Active Directory from an on-premises instance of Active Directory. Each cloud may also have its own identity provider, membership directory and authentication and authorization models. Operations can be managed by monitoring and related automated processes. Disaster recovery and business continuity can be controlled by recovery services and their vaults. Monitoring security violations and attacks, as well as enforcing governance of the cloud, can be done with the same service. All of the above are used to automate compliance with policy.

The changes required to monitor new corporate policy statements include the following: connecting the networks, consolidating identity providers, adding assets to the recovery services, adding assets for cost management and billing, adding assets to the monitoring services and adopting governance enforcement tools.

Saturday, February 12, 2022

 

Microsoft Graph 

This is a continuation of a series of articles on Azure services from an operational engineering perspective with the most recent introduction of this topic with the link here. The previous article discussed the Microsoft Graph Data Connect used with Microsoft Graph. This article discusses the API. Microsoft Graph enables integration with the best of Microsoft 365, Windows 10 and Enterprise Mobility + Security services in Microsoft 365, using REST APIs and client libraries.

Microsoft Graph provides a unified programmability model by consolidating multiple APIs into one. As Microsoft's cloud services have evolved, the APIs that reference them have also changed. Originally, when cloud services like Exchange Online, SharePoint, OneDrive and others appeared, each launched its own API to access the service, and the list of SDKs and REST APIs that developers needed in order to access content kept growing. Each endpoint also required its own access tokens and returned status codes that were unique to that service. Microsoft Graph brought a consistent, simplified way to interact with these services.

The data virtualization platform that Microsoft Graph presents also supports querying relationships between:

·        Azure Active Directory

·        Exchange Online – including mail, calendar and contacts.

·        Sharepoint online including file storage

·        OneDrive

·        OneDrive for business

·        OneNote and

·        Planner

As a collaborative app development platform, Microsoft Graph is not alone. Microsoft Teams, Slack and Google Workspace are applications with collaboration as their essence, designed for the flexibility of hybrid work. For example, the Teams Toolkit for Visual Studio Code lets us use existing web development frameworks to build cross-platform Teams applications against any backend. Microsoft Graph provides both the seamlessness and the data for real-time collaboration.

Connectors and Microsoft Graph Data Connect round out the data transfer mechanisms. Connectors offer a simple and intuitive way to bring content from external services into Microsoft Graph, which lets external data power Microsoft 365 experiences. They do this with REST APIs that are used to 1. create and manage external data connections, 2. define and register the schema of the external data type(s), 3. ingest external data items into Microsoft Graph and 4. sync external groups. Microsoft Graph Data Connect augments Microsoft Graph's transactional model with a way to access rich data at scale. It is ideal for connecting big data and for machine learning. It uses Azure Data Factory to copy Microsoft 365 data to the application's storage at configurable intervals, and provides a set of tools to streamline the delivery of this data into Microsoft Azure. It allows us to manage the data and see who is accessing it, and it requests only specific properties of an entity, which refines the Microsoft Graph model in which applications are granted or denied access to entire entities.

 

Sample code for enriching user information (an extension method on ClaimsPrincipal; GraphClaimTypes holds the application's own claim type names):

        using System.Security.Claims;
        using Microsoft.Graph;

        public static class GraphClaimsPrincipalExtensions
        {
            // Copies selected Microsoft Graph user properties onto the signed-in
            // principal as claims, so later requests can read them without another
            // Graph round trip.
            public static void AddUserGraphInfo(this ClaimsPrincipal claimsPrincipal, User user)
            {
                var identity = claimsPrincipal.Identity as ClaimsIdentity;
                if (identity == null) return;   // unauthenticated principal: nothing to enrich

                identity.AddClaim(
                    new Claim(GraphClaimTypes.DisplayName, user.DisplayName));

                // Personal accounts have no Mail property; fall back to the UPN.
                identity.AddClaim(
                    new Claim(GraphClaimTypes.Email,
                        claimsPrincipal.IsPersonalAccount() ? user.UserPrincipalName : user.Mail));

                // MailboxSettings is null unless the Graph request selected it; default the
                // time zone and formats so the claims are always present.
                identity.AddClaim(
                    new Claim(GraphClaimTypes.TimeZone,
                        user.MailboxSettings?.TimeZone ?? "UTC"));

                identity.AddClaim(
                    new Claim(GraphClaimTypes.TimeFormat, user.MailboxSettings?.TimeFormat ?? "h:mm tt"));

                identity.AddClaim(
                    new Claim(GraphClaimTypes.DateFormat, user.MailboxSettings?.DateFormat ?? "M/d/yyyy"));
            }
        }

 

Sample delta query for mail folders (_graphClient is an authenticated GraphServiceClient held by the enclosing class):

        // Returns the first page of changes to the signed-in user's mail folders.
        // The page carries a delta link that must be persisted and supplied on the
        // next call so that only changes since this call are returned.
        public async Task<IMailFolderDeltaCollectionPage> GetIncrementalChangeInMailFolders()
        {
            IMailFolderDeltaCollectionPage deltaCollection = await _graphClient.Me.MailFolders
                .Delta()
                .Request()
                .GetAsync();

            return deltaCollection;
        }