Azure + iPad = Productivity

I don’t spend much time writing code these days, but when I do I want to be as productive as possible, whether I am at my desk, in a meeting room or in bed in the middle of the night.

So this weekend I went about setting up a workflow that would let me access a powerful machine in the cloud with the latest version of Visual Studio and get access to it in a secure manner. Here is what I used to get it all going.

Azure DevTest Labs

The DevTest Labs is a neat Azure service that gives you a virtual machine running the greatest and latest version of Visual Studio. You can save yourself a ton of time by not having to deal with downloading and waiting through a Visual Studio install.

IFTTT

The dollars can add up quickly when you leave a high-end virtual machine running on Azure. Using a combo of Azure Runbooks, webhooks and IFTTT buttons, I was able to set up a nice widget that would let me quickly start up and shut down my VM. Using iOS widgets and IFTTT, starting up my VM was just a swipe away from the home screen on my iPad/iPhone.

Jump Desktop Connect

The last piece of the puzzle was to get into my VM. When you are working in a corporate environment behind firewalls and proxies that only allow HTTP traffic to flow through, RDP is simply not going to cut it. Plus, you increase your attack surface by exposing your VM to the public internet. Jump Desktop comes to the rescue and solves both issues. Jump Desktop Connect is a free app that you install on the PC/Mac that you need remote access to. You can then use the awesome Jump Desktop apps on iOS, Android, Mac or Windows and punch through any firewall to get to your remote machine.

Oh and by the way did I tell you that Jump Desktop is one of the few RDP apps that will let you use a mouse on your remote machine? Productivity FTW!


Blocking Microsoft Flow’s access to your Office 365 tenant

Did you know that any user in your organisation can sign into Microsoft Flow with their personal account and create a flow that connects to your organisation’s Office 365 tenant?
This means that an employee can (even accidentally) create a flow that monitors a SharePoint site (obviously they need to have access to the site) and posts the contents to Twitter, Dropbox or any other external service.
The bad news is that as the Office 365 tenant admin we have no way of blocking this in the UI. The good news is that Microsoft can. So raise a service request with them and ask them to disable ‘Cross tenant Flow creation’. This will force all of your data to stay within your tenant and prevent data loss.


Allowing third party applications in your Office 365 tenant

When managing Office 365 (and its related Azure Active Directory) in a large enterprise, your security team is wary about allowing third party applications to access enterprise data.

Take for example the list of options that you have available in the ‘configure’ tab in Azure AD under the ‘integrated applications’ section. If you turn on the ‘Users may add integrated applications’ option, you will start seeing a number of applications showing up in Azure AD under the applications section. What this means is that users are accessing third party applications and using their work account as the identity.


Where this gets a little scary is with the option that says ‘Users may give applications permission to access their data’. Depending on the permissions that the application requests and the user accepts on the app’s consent page (shown during the sign-on process), users can potentially give third party applications access to their email, content in SharePoint Online etc., as shown by Roger from BestForTheKids.

Where I come from this is a big fat no from security. We typically require the security team to vet every SaaS application, with checks that include performing vendor assessments, finding out what information is stored and how secure it is, and whether the content is stored in Australia (data sovereignty).

Fine, let’s say we disable all this to prevent end users willy nilly giving third party applications access to corporate data. You will then face a dilemma: when an application has been approved by your security team (e.g. Microsoft’s own Fast Track portal http://fasttrack.microsoft.com), your users will still not be able to sign in to the third party app, because the settings above disabled users adding apps.

When a user tries to sign into the portal they will be shown an error message saying ‘Sorry but we’re having trouble signing you in. We received a bad request’.

So how do you go about whitelisting only certain apps on your Office 365 / Azure Active Directory tenant? I reached out to my friends at Microsoft and this time they had an answer that made me happy.

Today the only way for an admin to consent to an application for his entire tenant is to send an interactive sign-in request with the query parameter ?prompt=admin_consent. We usually ask the app developer to invoke this request in their app somehow. But you can actually craft the request as a link yourself and have an admin click on it. There’s documentation on http://aka.ms/aaddev on how to craft a sign in request. We are working on adding this capability to our portal directly so you don’t have to do this.

So the trick is to open a browser session in private/incognito mode, navigate to the target application (e.g. Fast Track) and try to sign in. This will redirect you to Microsoft’s login page. When you are at this page, insert the ?prompt=admin_consent parameter into the query string in the address bar and hit enter to reload the sign in page. Now sign in as a global administrator for the tenant and you will be taken to the admin consent page. Review the settings that you are approving and click on Accept. Voilà, you’ve now approved the app in your tenant. Now any user in your organisation can sign into the third party app without login errors and won’t even see the consent screen.
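The link-crafting step above can also be scripted, which avoids hand-editing a long query string. This is an added example, not code from the original post or from Microsoft: the function names, the trusted-host list and the sample URL are assumptions made for illustration. It refuses URLs that are not on a Microsoft sign-in host and replaces any existing prompt value rather than appending a second one.

```python
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Assumption: the Azure AD sign-in hosts an admin is willing to consent on.
TRUSTED_LOGIN_HOSTS = {"login.microsoftonline.com", "login.windows.net"}

# Constructed sample: the kind of URL the browser lands on after clicking
# "sign in" in the third party app (client_id and redirect_uri are made up).
SAMPLE_SIGN_IN_URL = (
    "https://login.microsoftonline.com/common/oauth2/authorize"
    "?client_id=00000000-0000-0000-0000-000000000000"
    "&response_type=code"
    "&redirect_uri=https%3A%2F%2Fapp.example%2Fcallback"
    "&prompt=login"
)


def admin_consent_url(sign_in_url):
    """Return sign_in_url with prompt=admin_consent set exactly once."""
    parts = urlsplit(sign_in_url)
    # Only rewrite genuine HTTPS sign-in pages; a look-alike host is rejected
    # so a global admin never types credentials into it.
    if parts.scheme != "https" or parts.hostname not in TRUSTED_LOGIN_HOSTS:
        raise ValueError("not a trusted sign-in URL: %r" % parts.hostname)
    params = parse_qsl(parts.query, keep_blank_values=True)
    if not any(key == "client_id" for key, _ in params):
        raise ValueError("sign-in request carries no client_id")
    # Drop any prompt the app already sent, then add the admin consent prompt.
    params = [(key, value) for key, value in params if key != "prompt"]
    params.append(("prompt", "admin_consent"))
    return urlunsplit(parts._replace(query=urlencode(params)))


def consent_summary(sign_in_url):
    """Fields worth checking against the security team's approval record."""
    query = dict(parse_qsl(urlsplit(sign_in_url).query))
    return {key: query.get(key) for key in ("client_id", "redirect_uri")}


if __name__ == "__main__":
    print(consent_summary(SAMPLE_SIGN_IN_URL))
    print(admin_consent_url(SAMPLE_SIGN_IN_URL))
```

Compare the client_id and redirect_uri in the summary with the application your security team approved before opening the link as a global administrator.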


Fix: Windows 10 (Technical Preview) OneDrive Sync Issues with Office 2016 Preview

After installing the Office 2016 Preview on build 10074 of the Windows 10 Technical Preview I came across a recurring sync issue with OneDrive. All the Office documents would show up with the following error ‘Files can’t be synced. Open the document in Office for more info.’
It didn’t make any difference if you opened the documents in Word or Excel and saved them back; they would still show up with sync errors.

To fix the issue I turned off the ‘Use Office to sync files faster and work on files with other people at the same time’ from the Settings tab (right click the OneDrive icon on the status bar). An Exit and restart of OneDrive fixed the issue and everything comes up green again.

I’m guessing this is something to do with the Office 2016 preview since I’ve been running Windows 10 TP for a few months now and didn’t have any sync issues.

This not only fixed the sync issue but also made Office use the local files instead of taking a few seconds connecting to OneDrive each time I saved.


I know you can buy Microsoft Office for Mac now, but after all these years, I’m going to stick to what I know.
