Sunday 18 November 2018

SAML, OAuth and OpenID Connect

Rough Notes - Fix

OverviewSAML has been around for a fair amount of time  (roughly 8 years) and still is widely used for authentication and authorisation of end-users on the Internet.  OAuth2 is used to allow internet users to give internet/web-based applications access to the user's information without the user password.  OpenID Connect is an extension to OAuth2 and generally the way to go instead of SAML for user authentication.

Azure Active Directory Supports:
  1. SAML 2.0
  2. OAuth 2.0,
  3. OIDC, and
  4. WS-FED.
SAML:
  1. SAML is an umbrella standard that covers federation, identity management and single sign-on (SSO); and
  2. SAML is an open standard for exchanging authentication and authorization data between parties, in particular, between an identity provider and a service provider. SAML is an XML-based a markup language for security assertions.
Limitations of SAML:
1.       It was launched in November 2002 which supports SSO but has now been deprecated by a lot of auth suppliers.
2.       SAML is not supported with native Mobile Applications. Hybrid mobile apps can work with it.
3.       As it has now deprecated, finding it may not be supported by the latest technologies applications and technologies. 

OAuth 2.0:
1. Derived from OAuth, Auth2 uses 2 passwords and is more secure.
2. (Open Authorization) is a standard for authorization of resources. It does not deal with authentication. It was released in 2006.
Limitations of OAuth:
1.       It only deals in Authorization so we have a limitation that we cannot verify the user's identity, i.e. Authentication.


OpenID Connect:
  1. OpenID Connect (OIDC) is a protocol to verify user identities and get the user profile information. OIDC enables devices/apps to verify identities based on the authentication done by an authentication server
  2. It was launched in February 2014
  3. OpenID Connect (OIDC) is an authentication layer on top of OAuth 2.0, an authorization framework
  4. OpenID Connect is built on top of OAuth 2.0, specifies a RESTful HTTP API, and uses JSON as a data format (JWT). It has a specialized set of predefined data types and endpoints for exchanging user information between the identity provider and the application.
  5. There are two different types of flows in OIDC, pick the appropriate flow, normally Code flow over implicit.
Advantages of OpenID Connect
1.       It supports SSO and federation.
2.       Has good support with .Net Core.
3.       It supports a wide range of clients like web applications, mobile apps and JavaScript applications.
4.       Have support with Azure AAD B2C as per Microsoft guidelines and others like Google+.

Comparing Differences:
  1. https://www.gluu.org/resources/documents/articles/oauth-vs-saml-vs-openid-connect/
  2. https://stackoverflow.com/questions/7699200/what-is-the-difference-between-openid-and-saml.
  3. https://www.quora.com/What-is-the-difference-between-OAuth-OpenID-and-OpenID-Connect

Support with Azure b2c
  1. https://docs.microsoft.com/en-us/azure/active-directory-b2c/active-directory-b2c-setup-oidc-idp
Web sign-in with OpenID Connect in Azure Active Directory B2C
  1. https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/development/enabling-openid-connect-with-ad-fs
  2. https://docs.microsoft.com/en-us/aspnet/core/security/authentication/ws-federation?view=aspnetcore-2.2

Using Postman to Generate an OAuth Token Example


Using the Generated Bearer token in a get Request
Tip:  To examine a Bearer token use the website https://jwt.io 

Saturday 8 September 2018

SharePoint Saturday 2018 - Cambridge

Here is my slide deck from SharePoint Saturday Cambridge 2018  Introduction to Azure Information Protection (10 MB includes recordings)

Sessions I attended:
1. PowerApps Jump Start by Sandy Ussia
I got some useful pointers in this session, Sandy presents well and focused on business/citizen developers. 
2. Office 365 Security and Compliance with Albert Hoitingh and Daniel Laskewitz
This was two sessions and amazing.  Hands-on how it works and what I need to know.  Absolutely brilliant double session.  These guys really know AIP, DLP and O365 security.  Great info in a small focused setting.
3. Managing Content in O365 with Erica Toelle
I did not know Erica, I do now!  And wow she is good, she covered O365 security center, Cloud App Security (new service looks for security on O365 tenants) and AIP.  Great knowledge, humble and so easy to talk to.
4. My presentation on AIP, I cover a few points from Erica's session, as most of the audience were in both our sessions, I skipped over the info Erica already provided.
5. Containers with Anthony Nocentino
Amazing presenter - very engaging and I learnt a lot about containers.

A great conference, well organised - the sessions info were outrageous.  The speaker's dinner in Sidney Sussex College was quite an experience.  Thanks to the organizers:  Paul Hunt, Mark Broadbent, & Andy Dawson

Wednesday 1 August 2018

JSLink on Modern Sites

Problem:  I want to use JSLink/CSR to amend a view on a list for a client on SharePoint Online/O365 and I can't find the JSLink property on the List View Web Part to perform simple Conditional formatting on a column.  JSLink as brilliant for achieving this task in SP 2016 and 2013.
Hypothesis: Modern sites use the Modern List View Web Part that is a new implementation of the LVWP.  https://techcommunity.microsoft.com/t5/Microsoft-SharePoint-Blog/Introducing-SharePoint-modern-list-library-web-parts/ba-p/64581  I assume pragmatically 1 can still use JSLink, but on "modern" pages this needs to be verified.

Resolution: Use "Column Formatting" as outlined here: https://docs.microsoft.com/en-us/sharepoint/dev/declarative-customization/column-formatting#get-started-with-column-formatting





Sunday 15 July 2018

Power Platform Notes - Power Apps, CDS, Power BI & Power Automate

Power Apps

Variables:
Microsoft Docs "PowerApps and Excel both automatically recalculate formulas as the input data changes".
  • Contextual variables - scoped at a screen level
  • Global variables - scoped app level
  • Fx> Set(MyUniqueClientNo, 12)
Functions:
Fx> UpdateContext({MyTimesheetId: 34})
Tip from Shane Young:  Note the setting variable may be the reference, so for a control use:
Fx> UpdateContext({MyTimesheetId: txtTimesheetId.Text}) not
Fx> UpdateContext({MyTimesheetId: txtTimesheetId.Text}) unless you want the context to float

Pass a variable to another screen use the Navigate overload, OnSelect property of a button
Fx> Navigate(Screen2, ScreenTransition.None, {TSvar: MyTimesheetId}
MyTimeSheet Id is a contextual variable

If Statement:
Fx> If(MyUniqueClientNo = 12, lblAns.text = 'yes', lblAns.text = 'No')

Environments:
  1. Power Platform allows you to create multiple environments, each environment is connected to you AAD tenant.
  2. Policies can be applied to prevent DLP against all environments or specific environments.
  3. Use Environments for DTAP, business units, or Extranet vs Intranet.
  4. Updated June 2022: Environments can be of type: Default (don't use and rename), Developer, Trial, Sandbox or Production.
  5. Each Power App environment can have no CDS/Datavserse or a single CDS/Dataverse connect.
Manged vs Un-Managed Solutions:
Solution are useful for packaging and moving assets between environments or tenants.  Manged restricts who can edit the applications in the solution.  I like to keep each solution with a single app in it.  On large projects, it's a good idea to keep environment variables, custom connectors, cloud flows, apps in separate solutions.  It makes it easier to deploy pieces.    

Managed Environments:
Don't mix up with Managed solutions as I did recently.  Managed environments allow for a host to control all the environments.  You also should use a dedicated host production environments with Dataverse database to control all the environments.  You need to install solution on the host.  Managed environment have no correlation to managed solutions.  You need managed environments is you are going to use Power Platforms simple ALM for App deployment.

ALM:
Power Apps has it's own source control and you can manually export and import entire projects "Export package" not connections are not export as part of the package.  Solutions are the best way to move code between environments.  It's a good idea to use environment variables  Get ADO, more secure, better tooling using solutions over manual exporting code using packages.  Power Apps Build Tools allows for ADO/DevOps integration generally using solutions to deploy.  At a minimum you should have your own dev env (Sandbox or Developer type), a test (Sandbox type) and production (production type env) for any serious app you build.

Add "Power Platform Tools"

Example Power Platform ALM deployment using DevOps - 5 environments

Update Jan 2022
Solutions are used to in Power Apps to package and move code and resources such as flows, env variables, canvas apps, Dataverse tables between environments.  It's a good idea to not use the default environment as everyone has access to the environment.  The DTAP around ALM can get pretty complex and I like to keep it fairly simple.  Connectors can get nasty in packaging.  ADO using AppBuild Tools makes for a good CI/CD solution for Power Apps.

Environment variables are a great way to manage configuration, they can also easily be configure in the pipelines to replace with the appropriate values.  Tip:  Don't ever set the current value in an env var it get carried thru to the next DTAP env.  Also env vars support Azure Key Vault, use it for secrets.

Custom Connectors and getting Connection References correct when using managed environments to deploy code need to use environment variables so they can easily be set for each environment using CI/CD.  It's a good idea to create connections in solutions and use a dedicate Owner account.  Connection references in solutions - Power Apps | Microsoft Learn

There is also a great tool to unpack .msapp solutions for raw review and storage in git.  https://powerapps.microsoft.com/en-us/blog/source-code-files-for-canvas-apps/ for me, it's main use is verifying code and standards and comparing versions.  Post on unpacking solutions.  You can also see how many controls you have in you Canvas app.  MS have the guideline of 500 controls in an app.  

Have a: 
  1. Dev environment that is of the "sandbox" type.  Have an un-managed solution that will act as your base canvas app for all new Power Apps.  When you export the solution remember to export as a managed solution and ensure environment variables are emptied before publishing the export.  Good place to backup to a repository such as TFS Azure DevOps/Git.
  2. Test env of the type "production" or "sandbox".  Only allow managed solutions to be deployed.  Watch out for custom connectors, I can't get them to deploy correctly in solutions.
  3. Prd env must be of type "production".
Manual ALM i.e. Use PowerApps to store Dev versions, Exporting solutions and unpacking managed solutions into UAT and production.  Manual ALM is good even manually moving the applications by hand is simple and safe.  There are backups and manual backups to avoid a source code repository.  I also like the testing framework in Power Apps.  Using the build tools getting full ALM/CI/CD it is easy to then move your Power Platform into a higher ALM CI/CD level using the Power Platform Build tools, DevOps, and PowerShell cmds.  
Update April 2022: Great simple video on ADO for Power Platform 

Licencing:
Updated: Power Apps Licencing Summary as of 30 December 2019
"To run standalone apps, guest users need the same license as users in your tenant."  Microsoft Docs.  
  • PowerApps using AAD B2B user (both members and guest) using standalone Power Apps shall require the Power Apps licence (not necessarily Portal Apps).  Steps to Share Power Apps with Guests
  • SharePoint user interacting with a Power Apps form on a SharePoint list do not require a Power Apps licence.
Coding Standards for Power Apps:
  • Microsoft provide a whitepaper as a suggestion for using naming/coding standards.
  • Controls and variables should use prefixed Camel case e.g. txtContactEmail
  • Data sources use Pascal Case e.g. ContactUsers 
  • Screen must be Full names e.g. Edit Contact User Screen as they are read as named by screen readers like JAWS and Microsoft reader.
  • Prefix controls and collections (Label is lbl, Textbox is txt, Button is btn, Collection is col, drop down lists are ddl, Form is frm, Group is grp, Gallery is gal, Icon is ico, Images are img, Table is tbl.  I also prefix my components with com.
  • Variable naming is: gbl for Global and context variables are var
  • Use Containers for layout and groups for control aggregation.
  • Use TabIndex so keyboard navigation makes sense.  Use the AccessibleLable over HintText.  Ensure colour contracts and use the approved colour templates stored in global variables.  All fonts, sizing and colouring must come from global variables so the app can be easily changed.  Use the App Checked and complete all identified accessibility issues/concerns.  Test on actual devices and use screen readers.
  • Ensure App Insights is setup, capture and log errors, also use the monitoring (maybe not in production).
Power Apps Portals:
Build responsive website using CDS.  Allow anonymous access or implement multiple Identity Providers (IdP) such as AAD B2C, AAD, Google+, LinkedIn.

Updated: 28 July 2018:
Common Data Service (CDS): Comes from Dynamics CRM Sales, pretty much used like CT's in SharePoint.
  • Based on Azure SQL & uses CosmosDB with a nice API that support REST/ODatav4;  
  • Has Row, field RBAC and uses AAD for authentication;
  • Allows Power BI, Power Apps (previously labeled as PowerApps) & Flow (Power Automate - new name since Ignite 2019) to work with CDS (renamed to Dataverse);
  • Use Power Query to Import data easily or data flows
  • Multiple data source such as SQL Server, Cosmos, files, Excel, Search, 3rd parties such as SAP.
  • CDS is not part of the O365 licencing (including E5), you need to get a PowerApps P1 or P2 (Now Power Apps for Users as licencing changed circa Oct 2019).  Note Power Apps licencing included with O365 is extremely limited and for instance does not cover CDS;
  • One Power Platform Environment ties to one CDS/Dataverse database
  • Any type of data; any type of app.  
  • Easy to use; secure.
https://docs.microsoft.com/en-us/powerapps/maker/common-data-service/data-platform-intro

Examples: 
Insert or Update using Patch to CDS:
Patch(
        Vote,
        Defaults('Employee Sentiment'),
        {
            userid: UserID,
            vote: ThisItem.Vote,
            votedate: Now()
        }
    );
Select from CDS:
UpdateContext( { locVotes: LookUp('Vote', votedate = <date>) });

Tip: XrmToolBox is a fantastic tool.  Multiple contributors have added to the client application, there are so many useful features for instance FetchXMLBuilder allows you to query the Dataverse tables.

Power Automate

Updated 11 December 2019:
Microsoft Power Automate (previously called Microsoft Flow, is an user friendly workflow tool/service): Simple workflow engine sitting on Azure Logic App.
Basic business process flows are:
  1. Automated Flows - used when event/status change e.g. CDS row status changes
  2. Button Flow/Instant Flow - Events such as a click triggers the flow;
  3. Scheduled Flow - in effect timer jobs;
  4. Business Process Flow - ensures users enter  data consistently (think Windows Presentation Framework) & follows the same steps every time; and
  5. UI Flow (preview) - Provides RPA capabilities;
https://docs.microsoft.com/en-us/power-automate/get-started-logic-flow

Building Blocks for Power Automation are:
  • Trigger - what starts the workflow, can be manual trigger or an automated trigger
  • Actions - ,
  • Conditions,
  • Data operations, 
  • Expressions - basic operations like adding two numbers together, making a string upper case, and
  • Flow Type - see the 5 flow types above.
Display directions using Map on a Image control in PowerApps:
https://dev.virtualearth.net/REST/v1/Imagery/Map/road/Routes/driving?waypoint.1=51.525503,-0.0822229&waypoint.2=SE9%4PN&mapSize=600,300&key=<key>
https://dev.virtualearth.net/REST/v1/Imagery/Map/road/Routes/driving?waypoint.1=" & EncodeUrl(txtDriverLocation.Text) & "&waypoint.2=" & EncodeUrl(txtDriverLocation.Text) & "&mapSize=600,300&key=AsR555key

Tuesday 3 July 2018

Visual Studio Code - Azure functions using local Node and JavaScript Problem Solving

Problem:  When I deploy my function locally, I get warnings.  The local server still works but fixing the Functions Worker Runtime issue.


The Visual Studio Terminal when debugging locally output the following warnings:

"your worker runtime is not set. As of 2.0.1-beta.26 a worker runtime setting is required.
Please run `func settings add FUNCTIONS_WORKER_RUNTIME <option>` or add FUNCTIONS_WORKER_RUNTIME to your local.settings.json
Available options: dotnet, node, java"

Later it show that Java is the default language:
"Could not configure language worker java."

Resolution:
Open the local.settings.json file and add the "FUNCTIONS_WORKER_RUNTIME" value as shown below.  "FUNCTIONS_WORKER_RUNTIME": "node",



Problem:  When debugging my Azure Function using Node, I get the following error: "Cannot connect to the runtime process, timeout after 10000 ms - (reason: Cannot connect to the target:)." and the debugger stops.  the local server still serves the application but I cannot debug.


Resolution: After reading many blogs, I was not having any joy.  Finally, I remembered that I have changed the port number the previous day.  In desperation, I changed the port number in the launch.json file back to it's original and the debugger started working.


Sunday 17 June 2018

Azure Powershell from VS Code

Overview:  I am moving over to using Visual Studio code for everything including PowerShell.  Historically, I would use PowerGUI as it was the best IDE for PS for many years but PS ISE is excellent and I don't see a material difference these days.  Basically, I use VS code for my ISE for JS, SPFx, C# unless the full versions of Visual Studio speed up my delivery rate, this allows me to remain in VS code without going to PowerGUI or 1 of the Windows PS consoles/IDE.

Get the VS code debugger working: 

Get the IDE (VS Code) ready
On a new VS Code install, add the VS Extension "PowerShell", the VSIX has the description "Develop PowerShell scripts in Visual Studio Code!"



Run and Verify PS is working and output returned is working

Add the Azure Account Extension
Sign into Azure
A notification pops up to authenticate the machine/laptop with you Miscrofot credentials.  Run the popup and sign in to authenticate the local dev IDE.

 Open the Cloud Shell
Verify you are signed in



Wednesday 6 June 2018

Geo-replication in SharePoint and SPO to the rescue

Geo-Replication on SharePoint (Not covering email or OneDrive)

Problem: Over the past 7 years, I have worked on a few clients that require some form of Geo-Replication of share SharePoint farms.  Geo-replication is normally needed for compliance.  This post assumes you need to geo-replicate and not why you need to geo-replicate

Tip: Geo-replication can be used for performance but the complexity that it brings I feel is an added bonus and should not be undertaken for performance gains, there are easier better pragmatic answers to performance such as Riverbed devices, caching and CDN's to name a few.

Initial Hypothesis:  Large organisations existing in multiple geographic regions and need to abide by country regulations and often other industry standards bring the need to geo-replication capability.  I recently completed several high profile projects for a big four consultancy that needed to ensure SharePoint data does not leave its jurisdiction depending on its metadata.  Building on-prem SharePoint farms were extremely complex and the 3 big services that needed to be centralized or copied are Search, MMS and the Content Type Hub.  There are more like AAD but for my situation, I needed to be able to have multiple SharePoint farms in specific regions that connected to centralised services.

Thoughts: MS has OneDrive and the email piece working in local geographies.
SharePoint is coming with multi-tenancy and users will get unified search results across geographic regions.
  1. Search each tenant holds their own index, not a central index for search - "good news for data location compliance".  Somehow MS are intermingling all the search results using federation - so they appear as an ordered result set from multiple different Geo indexes.  
  2. Profile Services (use to be UPS) gets core fields from central AAD and local fields are stored at a tenancy level (good news).  
  3. Taxonomy (MMS) is replicated downwards from the central MMS.
  4. Each tenant has it's own content type hub (I never liked this), the CTH uses a star topology to push the CTHub from the central tenant to the regional tenants so the copies including GUIDs are identical.
SPO to the Geo-Rescue (coming soon, in pre-beta/private preview as of 6 June 2018):
  • SPO is implementing multiple tenants across O365 like O365 previously did for OneDrive, you can specify where sites get created i.e. region/country.  Each region as it's data centres specified and the URL of the Sites clearly indicates where the site is hosted.
  • The search index is kept in-country and federated up to the central tenant for a seamless search experience across multiple region tenants.
  • Central taxonomy is automatically replicated to the regional tenant.  MMS us a star topology to distribute and keeps GUIDs in sync.
  • UPA holds only key data centrally and each region holds additional properties (good for GDPR and other DPA regulations).
  • AAD shall be controlled centrally and I believe AAD's have regional copies.  * Each O365 has it's own AAD today, this will be the big change to facilitate SSO.
RoadMap:
OneDrive is multi-geo now. Offered to large enterprises only, must have certain number of users.
Circa Q1 2019 SharePoint will offer multi-geo.

http://blog.sharepointsite.co.uk/2013/08/stretched-farms-geo-replication-and.html