Did you know that any user in your organisation can sign into Microsoft Flow with their personal account and create a flow that connects to your organisation’s Office 365 tenant?
This means that an employee can (even accidentally) create a flow that monitors a SharePoint site (obviously they need to have access to the site) and posts the contents to Twitter, Dropbox or any other external service.
The bad news is that as the Office 365 tenant admin we have no way of blocking this in the UI. The good news is that Microsoft can. So raise a service request with them and ask them to disable ‘Cross tenant Flow creation’. This will force all of your data to stay within your tenant and prevents data loss.
When managing Office 365 (and it’s related Azure Active Directory) in a large enterprise your security team is wary about allowing third party applications to access enterprise data.
Take for example the list of options that you have available in the ‘configure’ tab in Azure AD under the ‘integrated applications’ section. If you turn on the ‘Users may add integrated applications’ you will start seeing a number of applications showing up in Azure AD under the applications section. What this means is that users are accessing third party applications and using their work account as the identity.
Where this gets a little scary is with the option that says ‘Users may give applications permission to access their data’. Depending on the type of permission requested by the application the user consents to in the consent page of the app (shown during the sign on process), they can potentially give third party applications access to their email, content in SharePoint Online etc. as shown by Roger from BestForTheKids.
Where I come from this is a big fat no from security. We typically require the security team vetting every SaaS application where the checks include performing vendor assessments, finding out what information is stored and how secure it is, whether the content is stored in Australia (data sovereignty).
Fine, let’s say we disable all this to prevent end users willy nilly giving third party applications access to corporate data. You will be faced with a dilemma when you have an application that has been approved (eg Microsoft’s own Fast Track portal http://fasttrack.microsoft.com) by your security team your users will still not be able to sign in to the third party app because of the above settings where we disabled users adding apps.
When a user tries to sign into the portal they will be shown an error message saying ‘Sorry but we’re having trouble signing you in. We received a bad request’.
So how do you go about whitelisting only certain apps on your Office 365 / Azure Active Directory tenant? I reached out to my friends at Microsoft and this time they had an answer that made me happy.
Today the only way for an admin to consent to an application for his entire tenant is to send an interactive sign-in request with the query parameter ?prompt=admin_consent. We usually ask the app developer to invoke this request in their app somehow. But you can actually craft the request as a link yourself and have an admin click on it. There’s documentation on http://aka.ms/aaddev on how to craft a sign in request. We are working on adding this capability to our portal directly so you dont have to do this.
So the trick is to open a browser session in private/incognito mode and navigate to the target application (e.g. Fast Track) and try to sign in. This will redirect you to Microsoft’s login page. When you are at this page insert the ?prompt=admin_consent parameter to the query string in the the address bar and hit enter to reload the sign in page. Now sign in as a global administrator for the tenant and you will be taken to the admin consent page. Review the settings that you are approving and click on Accept. Viola you’ve now approved the app in your tenant. Now any user in your organisation can sign into the third party app without login errors and won’t even see the consent screen.
After installing the Office 2016 Preview on build 10074 of the Windows 10 Technical Preview I came across a recurring sync issue with OneDrive. All the Office documents would show up with the following error ‘Files can’t be synced. Open the document in Office for more info.’
It didn’t make any difference if you opened the document in Word, Excel and saved them back they would still show up with sync errors.
To fix the issue I turned off the ‘Use Office to sync files faster and work on files with other people at the same time’ from the Settings tab (right click the OneDrive icon on the status bar). An Exit and restart of OneDrive fixed the issue and everything comes up green again.
I’m guessing this is something to do with the Office 2016 preview since I’ve been running Windows 10 TP for a few months now and didn’t have any sync issues.
This not only fixed the sync issue but also made Office use the local files instead of taking a few seconds connecting to OneDrive each time I saved.
To get Skype for Business (Office 2016) working with an older OCS or Lync server create the following registry key and you are good to go.
DisableServerCheck (DWORD 32-Bit Value): 1
A quick way to get the Tenant Id for your Office 365 / Azure AD tenant is to login to the Azure AD Portal, drill down to the directory and copy the ID from the URL.
Love the Tubecast Windows Phone app which lets me cast to any device in the house.