Monday, November 14, 2016

SharePoint 2010 Security Patches - How Vulnerable Are You?

YES, this blog post is about SharePoint 2010! 


YES, SharePoint 2010 is old, over 6 years old actually. 
YES, it's no longer officially supported by Microsoft, without very specific Premier Support that is.
YES, we still see a lot of it out there!
YES, if you're going to continue to stick with SharePoint 2010 for now, you must keep current with security patches!

One of the most common security issues we see with SharePoint 2010 farms is that administrators have not kept up with security patches and updates.  This not only makes it difficult to support and maintain the SharePoint environment, but it also opens your farm up to security vulnerabilities - security vulnerabilities that have already been fixed! 

This article reviews all SharePoint 2010 security updates that have been released in the last 5+ years since Service Pack 1, and discusses the importance of keeping up to date with those patches.

Thursday, November 3, 2016

Office 365 Security
New Innovations Announced at Microsoft Ignite 2016

I had the privilege of attending the Microsoft Ignite 2016 conference in Atlanta, GA this past September.  It was of course full of great sessions, demos and announcements.  I was impressed at how many of those sessions focused on the security capabilities of the Office 365 platform. I left with the feeling that, through these sessions, announcements, demos and innovations, Microsoft is clearly demonstrating their commitment and continued investment in providing a secure environment for our corporate data in Office 365.  They have a robust feature set that enables both them as operators of the service, and us as customers and users of the service, to protect our sensitive data in Office 365.

That said, the security of our data, even within the Microsoft cloud, is always a shared responsibility. Microsoft provides the most secure cloud platform available and with that robust feature set, they give customers the ability to control how information is secured, accessed, shared, governed and monitored.  It's still up to us as customers to make efficient use of those controls in ways that protect our businesses and keep our users productive.

As we saw at Ignite, Microsoft has continued to innovate, providing us ever more robust security controls for Office 365.  In this blog we're going to look at some of the great new security features that were demo'ed and revealed at Microsoft Ignite.  At the end of this blog, I've also included the slides from today's webinar.

Monday, October 24, 2016

When to Use What in Office 365 +
What Can We Share Externally in SharePoint Online?

On October 4th I gave a presentation at the Microsoft Technology Center in Houston on When to Use What in Office 365. It was part of a free roundtable seminar series offered by Protiviti. We had a great turnout and a lot of really good questions. Thank you to everyone that came and my sincere apologies for the delay in posting this presentation.  I wanted to share my slides with the attendees and anyone that reads my blog, and answer a particularly interesting question that came up during the presentation.

Thursday, October 20, 2016

Synchronizing Custom AD Attributes to Office 365 - Part 3

This blog is the 3rd in a 3 part series on synchronizing and working with custom AD attributes in Office 365. In this post we continue with our final step, showing you how to customize the AD Connect synchronization rules.  This allows your custom AD attributes (added by extending your AD schema) to be stored in extension attributes in Office 365, so that you can retrieve and work with them.


So, how do we get our custom on premise AD attributes into Office 365 extension attributes so that we can use the Windows Azure AD Module for PowerShell to actually read them?

Synchronizing Custom AD Attributes to Office 365 - Part 2

This blog is the 2nd in a 3 part series on synchronizing and working with custom AD attributes in Office 365. In this post we continue with showing you how to retrieve attributes in Office 365 using PowerShell.


PowerShell can be used to both verify that your custom attributes have actually been synchronized to Office 365, and it can be used to actually accomplish things with those attributes, like having them sync'ed to your user profile in SharePoint Online (but that's for another article).

Synchronizing Custom AD Attributes to Office 365 - Part 1

Synchronization of identities has come a long way since the early days of DirSync.  We've now seen 2 major releases of the latest generation sync tool, Azure AD Connect, and it has introduced a long list of new features.  End of support for DirSync and Azure AD Sync are scheduled for April 13, 2017 (announcement).

If you're looking for a list of the benefits of upgrading to the latest version of AD Connect, please see my blog on that topic here: Why upgrade DirSync to Azure AD Connect.  One of those great new features is the ability to synchronize directory extension attributes or even custom attributes from an on premise Active Directory environment to Azure AD within Office 365.  This post is about some of the limitations still in place around custom attributes, and some suggestions on how to deal with them once they've been synchronized.

Monday, October 17, 2016

How Secure Is My Data in Office 365?

A few weeks ago, on September 21, I gave a session at the DFW user group meeting called How Secure is My Data in Office 365?  Thank you to all those that attended and my apologies for the delay in posting my presentation.  Life has been busy.

I actually get asked this question quite often from clients that are concerned about migrating their data and workloads to Office 365.  Organizations tend to have an easier time when it comes to moving Exchange to Office 365.  However, the question tends to come more from clients considering moving SharePoint team sites or OneDrive for Business to the cloud.

It's important to consider the question from various angles.  Here is a summary of the points I make during my session to help answer the question...

How secure is my data in Office 365?


Sunday, October 2, 2016

Office 365 Nightly PowerShell Scripts: Encrypting Admin Credentials

When using remote PowerShell to perform tasks in Office 365 we typically need to provide our administrator credentials to create the initial connection.  These are typically a Global Administrator's username & password, or at least an Exchange or SharePoint administrator's username & password.  These are highly privileged accounts and we need to ensure that the username and password associated with these accounts do not get compromised or stolen.  So, when we need to run remote PowerShell scripts on a nightly automated basis, without administrator intervention, how do we secure those highly privileged credentials?  

Monday, September 26, 2016

Microsoft Ignite 2016 - Must See Sessions for Office 365 & SharePoint Security

Welcome to Microsoft Ignite 2016 in Atlanta Georgia!  
This year's conference will once again be full of great content and great speakers about the Microsoft solutions that we all work with.  Myself, I tend to be interested in more technical content about SharePoint Server, SharePoint Online and the Office 365 service.  It looks like the session line up won't disappoint!

As my work tends to focus on security, information protection, information governance and identity management, my conference session schedule tends to focus on technical sessions related to these topics.  Here are my MUST SEE session picks for this week.

Wednesday, September 7, 2016

New Office 365 Data Centers in the UK (and elsewhere) Helping to Meet Data Residency Needs

When it comes to the security of your information, "where" it is stored matters... to many.

"Where" in this case refers to the country in which the data actually sits.  Concerns about storage location or country are often referred to as Data Sovereignty or Data Residency (https://en.wikipedia.org/wiki/Data_residency).  To some, data sovereignty is a very important privacy concept when they consider the security of their data - people will talk about retaining ownership of data, not allowing foreign governments to have access to data through legal or judicial processes, and keeping data secure from prying eyes by service providers, police services or government agencies (ex. NSA).  Often, these concerns refer to the U.S. Patriot Act as a source of the issue, with many believing that the U.S. Patriot Act gives US government agencies wide-sweeping abilities to access anyone's data stored on US soil, or managed by any US firm.

More often than not though, what executives and data owners in organizations outside the US are concerned about is a perception problem: the perception of storing data in another country somehow being less secure, or the perception that a foreign government agency can access your organization's data.  Sometimes the concern is about an organization storing data in a foreign country getting into the media... and the media story thus creating a perception problem for the organization.  In reality, the U.S. Patriot Act expired on June 1, 2015.  It was replaced by the U.S. Freedom Act on June 2, 2015, which has similar provisions to the U.S. Patriot Act, but imposes new limits on data collection activities by U.S. government agencies.  As well, there are already international legal procedures in place, which predate the U.S. Patriot Act, which allow one country to request data from another country about an organization when legal wrongdoing is suspected... and the country being requested will usually comply.  All that said, there are some countries (ex. Germany with the German Data Protection Act), or states/provinces within countries (ex. Nova Scotia and British Columbia in Canada), which do have such laws in place, and they typically refer very specifically to the storage and privacy of the personal data of individuals (PII or personally identifiable information).  Some companies also have policies in place which mandate that the organization's data must be stored and housed within the organization's country boundaries.

As a result, whether it's a concern of perception or a legitimate law or policy, Microsoft continues to make it easier for organizations to meet their data residency needs.

Today, Microsoft announced that new Office 365 data centers are now available in the United Kingdom - you can visit the official announcement here.  Multiple data centers are now available in the UK to help organizations meet in-region data residency, fail over and disaster recovery requirements. This will help address the legal, regulatory and compliance needs of Microsoft clients in the banking, government, public sector and healthcare industries.

In June 2016, we saw new data centers launch in Canada for Office 365 and Azure (in Toronto and Quebec City).  As well, June brought us new data centers in Germany hosting Microsoft Azure, with Office 365 coming later this month (in Frankfurt and Magdeburg).  Although, as a standard security policy, Microsoft does not disclose the exact location of their data centers, we can see which countries and cities the data centers are located within:

  • You can view the Microsoft Office 365 data centers that are currently available here: Office 365 Data Center Map.
  • You can view the Microsoft Azure data center regions that are currently available here: Azure Regions Map.
These new data centers are a huge investment and continue to reaffirm Microsoft's commitment to provide the most secure cloud services in the industry.

Tuesday, July 5, 2016

Why Upgrade DirSync To Azure AD Connect

I've worked with several clients recently that are still using older versions of the Microsoft Active Directory synchronization tool, affectionately named DirSync, and have not yet upgraded to the latest version which is now called Azure AD Connect.  Integrating your on-premises directory with Azure AD makes your users more productive by providing a common identity for accessing multiple resources.  Managing the synchronization process in a well planned, robust and automated way helps to ensure that users can reliably access both on premise and cloud environments in Office 365.

Short Product History

DirSync was a free tool from Microsoft originally released in 2012/2013 which synchronizes Active Directory objects like user accounts and groups from an on premise Active Directory forest to an instance of Azure Active Directory. That Azure Active Directory instance can reside in Office 365. 

DirSync allowed organizations that wanted to move internally hosted services to Office 365 to still manage their user accounts within an on premise AD forest if they wished. This simplified the migration process to Office 365. It was also a required base technology component if you wanted to deploy services in a hybrid configuration with Office 365 - for example, if you wanted to use a SharePoint farm on premise and SharePoint Online in Office 365, and have those environments work together.

DirSync received a major update in Oct 2014, which most notably removed the need for the FIM infrastructure, and was renamed to Azure AD Sync (AAD Sync). At that time, both DirSync and Azure AD Sync continued to be supported because AAD Sync did not include all capabilities of DirSync.

In Jun 2015, another major update was publicly released and the product was once again renamed to its current form: Azure AD Connect 1.0.  AD Connect combines all capabilities of both DirSync and AAD Sync into one product.  At this time, DirSync and AD Sync are deprecated and all future fixes/enhancements are being implemented in AD Connect.  In February 2016, AD Connect version 1.1 was released with more major new enhancements.  When installing version 1.1, ensure that you install Azure AD Connect version 1.1.110.0 from February 26, 2016 or later, which can be downloaded here: Azure AD Connect Download.

DirSync & Azure AD Sync Deprecated & Support Ends April 2017 

We already know that all new investment has been placed in Azure AD Connect, and no new updates are being released for DirSync or AAD Sync.  However, on April 13, 2016 Microsoft announced that both DirSync and Azure AD Sync are now deprecated.  As well, Microsoft will officially end support on April 13, 2017 - here is the Official Announcement.

This alone is one major reason to upgrade to Azure AD Connect.

Reasons to Upgrade to Azure AD Connect

If you're looking for more specific reasons to upgrade to Azure AD Connect from the original DirSync, here are those which I feel are most notable:
  • Replacement of FIM - The underlying FIM (ForeFront Identity Manager) infrastructure has been completely removed and replaced with its own dedicated infrastructure, allowing for much more customization and control over the synchronization process.  In the past, we had ways to manipulate the sync process, but they would not have necessarily been supported by Microsoft.  The control and flexibility we now have is fully supported by Microsoft.
  • Automatic Upgrades - The upgrade process to AD Connect from previous versions, including DirSync and AAD Sync, is very simple.  You simply run the installation wizard for AD Connect on the server on which you are already running any previous version (DirSync, AAD Sync or even an older version of AD Connect) and the wizard seamlessly upgrades to the latest version of AD Connect.
  • More Frequent Synchronization - The default scheduling frequency has been modified from occurring every 3 hours to every 30 minutes.  This is a huge change which allows changes in user accounts in your on premise AD to get to Azure AD and Office 365 much faster.
  • Built-In Scheduler - AD Connect now has its own built in Scheduler for controlling the timing of the synchronization process.  Previous versions used a scheduled task in Windows Task Scheduler, and having its own built in scheduler means that you have greater and supported control over the timing and frequency of the synchronization process.
  • Manual Synchronization via PowerShell - You can manually start a full synchronization process using the PowerShell cmdlet: Start-ADSyncSyncCycle -PolicyType Initial.  If you wish to only synchronize changes, you can modify that slightly and use Start-ADSyncSyncCycle -PolicyType Delta.  This is useful when you have a multi-forest environment which can take a very long time to sync, depending on the number of objects.
  • Robust PowerShell Support - The product now has robust PowerShell support for a whole suite of commands including starting sync, stopping sync and even configuring the scheduler.  You can even check the status of the current sync which is in progress by using the cmdlet: Get-ADSyncConnectorRunStatus.  You can see a full list of commands supported here: Azure AD Connect Documentation and Azure AD Connect Scheduler.
  • Multi-Factor Authentication for the Global Admin Account - You can now use Azure multi-factor authentication (MFA) when first configuring the AD Connect installation and when doing its first synchronization with Azure AD.  This is new in version 1.1.
  • Domain and OU Filtering - You may now select specific domains or organization units (OUs) to synchronize in the AD Connect configuration wizard. Although it was previously possible to do this in Azure AD Connect by manipulating the sync services console, this is now much easier to configure and manage.  This feature allows you to more easily focus the synchronization process on only specific domains or specific OUs in your organization, thereby simplifying the overall and ongoing management of the process.
  • AD Attribute Filtering - We are able to filter users for the synchronization process based on AD attributes. 
  • Change the User's Sign In Method (even after first sync) - In previous versions, if a user's sign in method changed you needed to delete the synchronization configuration and reinstall it.  It is now possible to change a user's sign in method after first configuration and first sync, simply by running Azure AD Connect configuration wizard again.
  • Staging Mode - You can deploy a 2nd AD Connect server in the AD Forest in "Staging Mode".  This allows the server to be on standby, should the main synchronization server become unavailable.  Switching the Staging Mode AD Connect server to full active mode is still a manual process.
  • Azure AD Connect Health for Sync - This new component is installed with AD Connect and allows you to automatically monitor the health of your AD synchronization process.  It will automatically send email alert notifications related to the health of the environment when critical events occur.  It will also provide insights into the latency of the sync process, or trends related to user adds, updates and deletes.  More information is available on this component here and here.
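As an added example (not code from the original post or from Microsoft), here is how the manual synchronization and status cmdlets named above fit together into one safe, repeatable script for the sync server: it inspects the built-in scheduler, refuses to start a cycle while another connector run is in progress, kicks off a delta (or full) cycle, and then polls until the connectors are idle. The cmdlet names Start-ADSyncSyncCycle, Get-ADSyncConnectorRunStatus and Get-ADSyncScheduler come from the post and the ADSync module; the property names used (SyncCycleEnabled, StagingModeEnabled, ConnectorName, Result, NextSyncCycleStartTimeInUTC), the polling interval and the timeout are this example's own assumptions and should be checked against the output of your installed version.

```powershell
# Added example, not from the original post: run an on-demand Azure AD Connect
# sync cycle only when no cycle is already running, then wait for it to finish.
# Run on the AD Connect server as a member of the local ADSyncAdmins group.
# Property names below are assumptions; confirm them with:
#   Get-ADSyncScheduler | Format-List *
#   Get-ADSyncConnectorRunStatus | Format-List *

Import-Module ADSync   # installed with Azure AD Connect on the sync server

function Invoke-SafeSyncCycle {
    param(
        # Delta syncs only changes; Initial forces a full sync (slow in multi-forest setups).
        [ValidateSet('Delta', 'Initial')]
        [string]$PolicyType = 'Delta',
        [int]$TimeoutMinutes = 30,
        [int]$PollSeconds = 15
    )

    # 1. Report the built-in scheduler state so an operator is not surprised
    #    by a disabled scheduler or a staging-mode server (which never exports).
    $scheduler = Get-ADSyncScheduler                      # assumed property names below
    if (-not $scheduler.SyncCycleEnabled) {
        Write-Warning 'Scheduler is disabled: a manual cycle runs, but no scheduled cycles will.'
    }
    if ($scheduler.StagingModeEnabled) {
        Write-Warning 'This server is in staging mode and will not export changes to Azure AD.'
    }

    # 2. Never overlap cycles: an in-progress run returns one object per active connector.
    $running = Get-ADSyncConnectorRunStatus
    if ($running) {
        $names = ($running | ForEach-Object { $_.ConnectorName }) -join ', '
        throw "A sync cycle is already running on connector(s): $names. Try again later."
    }

    # 3. Start the requested cycle and surface the cmdlet's own result string.
    $result = Start-ADSyncSyncCycle -PolicyType $PolicyType
    Write-Host "Start-ADSyncSyncCycle -PolicyType $PolicyType returned: $($result.Result)"

    # 4. Poll until no connector reports a run, or give up after the timeout.
    $deadline = (Get-Date).AddMinutes($TimeoutMinutes)
    do {
        Start-Sleep -Seconds $PollSeconds
        $running = Get-ADSyncConnectorRunStatus
    } while ($running -and (Get-Date) -lt $deadline)

    if ($running) {
        Write-Warning "Cycle still running after $TimeoutMinutes minutes; check Synchronization Service Manager."
        return $false
    }

    $next = (Get-ADSyncScheduler).NextSyncCycleStartTimeInUTC   # assumed property name
    Write-Host "Sync cycle finished. Next scheduled cycle (UTC): $next"
    return $true
}

# Typical use after a bulk change in on-premises AD: push only the deltas now
# instead of waiting up to 30 minutes for the scheduler.
Invoke-SafeSyncCycle -PolicyType Delta
```

The check in step 2 is the part worth keeping even if you trim the rest: starting a second cycle while one is running is the most common way an ad hoc sync ends up failing, and it also keeps a scripted sync from stepping on the scheduler's own 30 minute cycle. Use -PolicyType Initial only when you genuinely need a full resync, since on a large or multi-forest environment it can run for a long time.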


Some of these features came with the upgrade to AAD Sync, but many were only recently provided in AD Connect 1.1.  The release history of Azure AD Connect can be found here: Azure AD Connect Release History.

We have seen major updates to DirSync over the last several years which provide a lot of value to our environments by making it much easier to manage the synchronization process for on premise user identities to Azure AD and Office 365.  Due to these great new capabilities and the fact that support officially ends April 13 2017 for both DirSync and Azure AD Sync, the upgrade to Azure AD Connect is highly recommended and necessary.

   -Antonio

Thursday, June 30, 2016

SPTechCon Boston: Real World SharePoint Information Governance Case Studies

Thanks to everyone that attended my session today at SPTechCon in Boston on Real World SharePoint Information Governance Case Studies!  We had a great crowd with lots of really good questions. I hope everyone got something useful or helpful out of the presentation.

You can find my slides from the session here:


Please reach out if you have any questions.
Enjoy.
-Antonio