Wednesday, 30 May 2018

Azure Information Protection - Protect your companies documents

Azure Information Protection (AIP) can be used to protect documents owned by your organisation to ensure they are retractable, encrypted, visible to the correct people.

Technical High-Level Overview:  
1. When AIP is used to label a document, the document is encrypted and the permissions saved within the document, the document needs to interact with the Azure RMS (AIG) Service.  
2. When the document is opened, the end user needs to authenticate, get their permissions and if they have permission, the document is decrypted and opened.

Pre-Steps to get AIP working on a Word Document:
1.> On your Azure Portal go to Azure Information Protection to Activate AIP and add labels to the global policy.
2.> On a client machine with Word/Office, install the  Azure Information Protection Client add-in (AzInfoProtection.exe).  5 min video on setting up AIP on a client and introductory information.

3.> Open a word document, and set the label on the document, this shall encrypt the docx file.

Admin Demos:
1.> Creating Labels in Azure Information Protection - 2 min (3MB)
2.> Adding Labels to AIP Policies - 2 min (2MB)


  • Event Driven Protection
  • Auto classify 
  • Office document labels (Azure retention labels)
  • E-Discovery relook
  • data 
  • AIP works doc-centric: pdf and office docs anywhere
  • O365 DLP is SPO, OD4B, application level controlled

Azure Information Protection scanner for automated classification requires the AIP Premium P2 licence.
Document tracking and revocation requires either the P1 or P2 AIP licence.  The O365 E3 does not have the revocation and tracking included.

Common Issues:

Problem:  Added a new label and it is showing on Office, when I try set the new lable I receice the error "Azure Information Protection cannot apply the label because the client isn't fully configured..."

Resolution: Give it time to propagate the update made tot he labels in Azure or use the Azure RmsAnalyzer tool to fix the client machine.

Problem:  Can't view on OWA.  
Resolution:  Protected encrypted documents are not available in Office Web Apps, use the Office products such as Word.

Problem:  I can't track or revoke a file with my O365 E3 account.

Resolution:  Only people that need to track need this capability so you can get away with far fewer licences than the number of users. 

AIP Folks to follow 
Bram de Jager

Jethro Seghers
Albert Hoitingh

Sunday, 27 May 2018

SharePoint Framework Notes

As the SPFx is progressing and changing rapidly, I shall try to update this page as time goes by.  I have been dabbling with the SharePoint Framework (SPFx) for a few months and went to a day workshop with Andrew Connell (AC) on SPFX as the SharePoint Conference 2018 North America on 20 May 2018.  I would definitely recommend attending Andrew Connell training (I have gone to a lot of workshops and presentations over the years and he is excellent) I am not an expert but these notes are my summary of items to be aware of.

Last Updated:15 June 2018
  • To use the SPFx on-prem. with SP2016, you need to have feature pack 2.  SP2016 only for SPFx web parts does not do    SP2019 will be behind SP365 but it shall have all the updates circ May 2018 when it is released circa Sept-Oct 2018. 
  • Safer to user SPFx on modern pages rather than classic SP pages.
  • Development can be done on any laptop with any editor.
  • Either build Web Parts in the local or O365 (/_layouts/15/workbench.aspx) Workbench.

  • What you need is 1. Node.js, 2. npm, 3. Yeoman, 4. GULP, 5. Webpack (used to check and load dependency JS modules).  AC suggests for simplicity install and forget about: Node.js, Yeoman, Gulp and webpack.  You'll use them but you don't really need to understand them.
  • Language-wise, use JavaScript or you can use TypeScript which obviously converts down into normal JS but makes it easier to program (e.g. type ahead/intelisense).
  • Use NVM (allows for multiple versions of Node.js; you may have clients of different versions and NVM allows you to have multiple Node.js versions on a machine) and use the LTS (Long-term support) versions: v8.11.2 or v8.9.4
  • Install the following pre-reqs using npm:  yomen, gulp and the MSfx template for yeomen scaffolding namely @microsoft/sharepoint…
  • VS code makes a good editor, I think Mark Rackly has built a VS template that will do all the scaffolding instead of using yeoman.
SPFx Eqivalancy Comparison:

SPFx Tool C# WSP Tool Desc
Node.js .NET Used to run npm and compile the SP package (*.sppkg) using gulp and webpack.  Runs a local server to use the tooling
npm Nuget Download 3rd party packages/frameworks e.g. jQuery or Angular
yeoman Visual Studio Generates basic SPFx web part files, same as a template built using VSIX in VS.  Ensure you have all the basic parts to build a SPFx web part
gulp MSBuild or F5 Builds the package
webpack NA checks dependant files are included in the package.  AC explained it as shaking the tree (removes unnecessary js libraries and ensure libraries are included)

SP2016 on-prem. Dev vs No FTC Sp2016 on-prem. vs SPO SPFx
  • WSP
  • Timer
  • Custom Service Apps
  • Event Handlers

Node.js - Allows you to create a web server and compile JS on the server-side.  It's 2 main functions to use in SP are: 1) Need it for local development workbench and 2) Node.js has npm (package manager) built in, you need node.js that uses npm and webpack to uses gulp to build packages (like we did with MSBuild for WSP's).
webpack - build tool that manages code.  Manages styles and JS files.

Sunday, 20 May 2018

Visual Studio Code - IDE Tips

VS Code - Short cuts
Ctrl + S = Save the current page
Alt+ Shift + A = Comment out multiple lines
Ctrl + / = Comment out a single line of code, same cmd to toggle the comment off

VS Code is perfect for comparing two files.  Select the two source file, right click > Select to Compare >

Azure Helper

Azure Services - Replacing Data Centres with "Azure Virtual Networks"
There are so many different services that are constantly being changed and new services added.  This info looks at using an "Azure Virtual Network" to replace traditional data centres.  This "Azure Virtual Network" scenario covers VM's, Virtual Networking (subnets and VPN's), Resource Groups and backups (Recovery Service vaults).

Replacement of a traditional data centre
Tip:  Virtual Networks is a service offered by Azure.  "Azure Virtual Networks" is my term referring to using Azure to host VMS on Azure that happen to us the Virtual Networks service.
  1. Hierarchy is "VM" assigned to a "VNet" that is in a "Resource Group" on Azure tenant.
  2. VPN creates an encrypted secure tunnel between an office location (from the router/or a specific machine) directly to your VNet, allowing the office to use the VM's internal IP addresses.
  3. Use the "Azure AD Domain Service" rather than a DC on a VM or on-prem/data centre to connect machines together.
  4. "Recovery Service Vault" allows you can set up customised policies to back-up the entire VM's.
Azure SQL

T-SQL to create a new login and assign permissions to a specific database using SQL Server Management Studio:
Use master

USE AzureTimesheetDB
EXEC sp_addrolemember 'db_datareader', 'TestReader';

Add rights to the TestReader user to run a specific Stored Proc:
USE AzureTimesheetDB;   
    TO TestReader ;  

Azure Virtual Desktop/ Azure VDI

Microsoft Azure Virtual Desktop (AVD), previously called Windows Virtual Desktop (WVD) is Microsoft's Azures implementation of VDI (Virtual Desktop Infrastructure).  The most common VDI I came across is Citrix Virtual Apps and Desktops (CVAD).  VDI provides a user with a remote desktop instance so a user has their desktop apps and setup from anywhere without need a local laptop build. i.e. don't need to have a full laptop/client machine locally.  The machine is instead hosted as in AVD's case in an Azure Data Centre and the user logs in with their network credentials and gets their instance to work on.  No need to build laptops and easy to move laptop for the user.  Laptop is no longer a risk as the data is held in the data centre.  


I'm not a huge fan of tags, even in complex environments I find naming the resources and arranging the resource groups logically pays a high return.  One exception I use is I tag a common tag "Environment" on all my enterprise resources.  This allows me to quickly filter for production or test environment resource only with the Azure Portal.

updated: 2021/07/07 Azure Data Studio

Azure Data Studio can be used instead of SSMS to look at and query SQL database. 

Thursday, 3 May 2018

TLS 1.2 and SharePoint on-prem.

Problem:  By default SharePoint 2016 and SP 2013 use TLS1.0 for its communication protocol (think SSL version number).  A lot of companies and partners are now insisting your internal SharePoint farms support TLS 1.2 and not the earlier versions.  For various compliance frameworks (DSS PCI, HIPPA) you need to ensure you no longer use TLS1.0 or 1.1 and only support TLS 1.2 and soon to be TLS 1.3.  The problem is that earlier versions have potential vulnerabilities and can lead to various attach including being susceptible to man in the middle attacks.

TLS/SSL Basics:

Three Areas of Concern:
  1. SharePoint Farm (upgrade to SSL across the farm, Supports TLS 1.2 on SP2010 & 2013 since +_Oct 2016) - biggest lift
  2. CSOM Client VM (Ensure the client VM can send TLS1.2) - Jump boxes, browser
  3. Ensure the Communicating App support TLS1.2 (Either .NET4.6.2 compiled apps default to TLS1.2 or problematically enforce the TLS order/version. 
Our business needs three parts:
1. SharePoint farm upgrade thru DTAP environments and Test
2. Calling application needs to use TLS 1.2 as the default and can potentially call backwards.  This includes IE/Chrome, calling CSOM code (either fix works: .NET 4.6.2 upgrade or pragmatically enforcing TLS), PowerShell
// C# CSOM programmatic fix to TLS inaccuracies
ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls12 | SecurityProtocolType.Tls11 | SecurityProtocolType.Tls | SecurityProtocolType.Ssl3;
3. If your tools are on a Server ensure outbound TLS traffic is allowed.  IIS TLS settings affect both inbound and outbound traffic, overwrite the outbound if you need to in the registry.

Validate SSL SharePoint Web Front End:
Use PowerShell to check the WFE or an external tool like HTBridge.
Here is a great tool to look at your HTTPS web server/endpoint setup externally:

Tip: Removing TLS1.0 and 1.1 needs to be thoroughly tested as there are numerous dependencies such as OWA, Workflow, CSOM, Internal Comms, SQL Server.