Allowing third party applications in your Office 365 tenant

When managing Office 365 (and its related Azure Active Directory) in a large enterprise, your security team is wary about allowing third party applications to access enterprise data.

Take for example the list of options available in the ‘configure’ tab in Azure AD under the ‘integrated applications’ section. If you turn on ‘Users may add integrated applications’, you will start seeing a number of applications showing up in Azure AD under the applications section. What this means is that users are accessing third party applications and using their work account as the identity.

Where this gets a little scary is with the option that says ‘Users may give applications permission to access their data’. Depending on the type of permission the application requests and the user consents to on the app’s consent page (shown during the sign-on process), they can potentially give third party applications access to their email, content in SharePoint Online, etc.

Where I come from this is a big fat no from security. We typically require the security team to vet every SaaS application; the checks include performing vendor assessments, finding out what information is stored and how secure it is, and whether the content is stored in Australia (data sovereignty).

Fine, let’s say we disable all this to prevent end users willy-nilly giving third party applications access to corporate data. You will then face a dilemma: when an application has been approved by your security team (e.g. Microsoft’s own FastTrack portal, http://fasttrack.microsoft.com), your users will still not be able to sign in to it, because the settings above stop users from adding apps.

When a user tries to sign into the portal they will be shown an error message saying ‘Sorry but we’re having trouble signing you in. We received a bad request’.

So how do you go about whitelisting only certain apps on your Office 365 / Azure Active Directory tenant? I reached out to my friends at Microsoft and this time they had an answer that made me happy.

Today the only way for an admin to consent to an application for his entire tenant is to send an interactive sign-in request with the query parameter ?prompt=admin_consent. We usually ask the app developer to invoke this request in their app somehow. But you can actually craft the request as a link yourself and have an admin click on it. There’s documentation on http://aka.ms/aaddev on how to craft a sign in request. We are working on adding this capability to our portal directly so you don’t have to do this.

So the trick is to open a browser session in private/incognito mode, navigate to the target application (e.g. FastTrack) and try to sign in. This will redirect you to Microsoft’s login page. When you are at this page, insert the ?prompt=admin_consent parameter into the query string in the address bar and hit enter to reload the sign-in page. Now sign in as a global administrator for the tenant and you will be taken to the admin consent page. Review the permissions that you are approving and click on Accept. Voilà, you’ve now approved the app in your tenant. Now any user in your organisation can sign into the third party app without login errors and won’t even see the consent screen.
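As an added example (not from the original post and not Microsoft’s code), here is a small Python helper that does the address-bar edit described above programmatically: it takes the sign-in URL Azure AD redirected you to, forces prompt=admin_consent (overwriting any prompt value already present, such as prompt=login) and refuses to touch a URL that is not on login.microsoftonline.com. A second function crafts the request from scratch for an approved app whose client id and reply URL you already know, using the v1 authorize endpoint documented at http://aka.ms/aaddev; the tenant name, client id and reply URL it is called with are placeholders, not values from the post.

```python
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Azure AD sign-in host from the post; the /{tenant}/oauth2/authorize path
# used below is the v1 authorize endpoint documented at aka.ms/aaddev.
LOGIN_HOST = "login.microsoftonline.com"


def query_params(url: str) -> dict:
    """Parse a URL's query string into a dict of (decoded) single values."""
    return dict(parse_qsl(urlsplit(url).query, keep_blank_values=True))


def is_login_url(url: str) -> bool:
    """True only for an https URL on the genuine Azure AD sign-in host."""
    parts = urlsplit(url)
    return parts.scheme == "https" and parts.netloc.lower() == LOGIN_HOST


def add_admin_consent(sign_in_url: str) -> str:
    """Return the sign-in URL copied from the address bar with
    prompt=admin_consent set. Any existing prompt value is replaced so
    Azure AD shows the tenant-wide consent page, not a per-user one."""
    if not is_login_url(sign_in_url):
        # Never add the parameter to a page that is not Microsoft's login page.
        raise ValueError(f"not an Azure AD sign-in URL: {sign_in_url}")
    parts = urlsplit(sign_in_url)
    params = query_params(sign_in_url)
    params["prompt"] = "admin_consent"
    return urlunsplit((parts.scheme, parts.netloc, parts.path,
                       urlencode(params), parts.fragment))


def build_admin_consent_url(tenant: str, client_id: str, redirect_uri: str) -> str:
    """Craft the admin consent request from scratch for an app whose client id
    and reply URL are already known. tenant is the tenant's domain name
    (or 'common'); all three values are supplied by the caller."""
    params = {
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": redirect_uri,
        "prompt": "admin_consent",
    }
    return urlunsplit(("https", LOGIN_HOST, f"/{tenant}/oauth2/authorize",
                       urlencode(params), ""))


if __name__ == "__main__":
    # Constructed sample of what the address bar might hold after the
    # redirect; the client id and reply URL are placeholders.
    captured = ("https://login.microsoftonline.com/common/oauth2/authorize"
                "?client_id=00000000-0000-0000-0000-000000000000"
                "&response_type=code"
                "&redirect_uri=https%3A%2F%2Fapp.example.invalid%2Fsignin"
                "&prompt=login")
    print(add_admin_consent(captured))
    print(build_admin_consent_url("contoso.onmicrosoft.com",
                                  "00000000-0000-0000-0000-000000000000",
                                  "https://app.example.invalid/signin"))
```

Whichever way the link is produced, the consent page it leads to lists the permissions the app will hold for every user in the tenant, so compare that list against what the vendor assessment actually approved before clicking Accept.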

Fix: Windows 10 (Technical Preview) OneDrive Sync Issues with Office 2016 Preview

After installing the Office 2016 Preview on build 10074 of the Windows 10 Technical Preview I came across a recurring sync issue with OneDrive. All the Office documents would show up with the following error: ‘Files can’t be synced. Open the document in Office for more info.’
It didn’t make any difference if you opened the documents in Word or Excel and saved them back; they would still show up with sync errors.

To fix the issue I turned off ‘Use Office to sync files faster and work on files with other people at the same time’ in the Settings tab (right click the OneDrive icon in the status bar). Exiting and restarting OneDrive fixed the issue and everything came up green again.

I’m guessing this is something to do with the Office 2016 preview since I’ve been running Windows 10 TP for a few months now and didn’t have any sync issues.

This not only fixed the sync issue but also made Office use the local files instead of taking a few seconds connecting to OneDrive each time I saved.

Standalone Installer for Azure PowerShell modules

The ‘How to install and configure Azure PowerShell’ MSDN article only provides a link to the Web Platform Installer to download and install the Azure PowerShell module. This is a problem when you need to install on a locked-down server which doesn’t have access to the wider internet.

Fortunately the standalone installer is available on GitHub at https://github.com/Azure/azure-sdk-tools/releases
