Sunday 12 January 2020

APIM Notes

 5 Pricing Versions of APIM:

  1. Developer Version (No SLA) - No prod data but has all the premium features.
  2. Consumption Model (99.95% SLA) - priced per request serviced.  Missing Dev portal, not a static IP adr - automatically scales, 
  3. Basic  (99.95% SLA)  - No AAD integration - Scales to 2 units
  4. Standard  (99.95% SLA)  - Scales to 4 units
  5. Premium  (99.99% SLA)  - Allows Custom Domains - unlimited scale.  Also allows a single APIM instance to be scaled to more than 1 Azure Region.  Also direct VNET access is only available in premium.
One can move (scale up or down) between Azure APIM pricing tiers but it take up to 45 minutes.  
All consumption pricing tiers require the owner to setup or perform scaling. 
APIM has Metrics to determine if the number of APIM units should be increased or decreased.  The best metric is the capacity metric made up of  Note: Ignore short spikes look for an average over 15 minutes.  Microsoft suggests that the APIM Capacity metric running over 60% to 70% for a period of 30 minutes would indicate that scaling is appropriate.
When building your scaling strategy understand that adding APIM Units takes time (roughly 30 min) so scaling at 60% may not work for flash traffic in which case you'll need to account for this outside of only using metrics for scaling.
Tip: Regionally deployed APIM instances point to a single back-end URL, so it is best to keep the traffic routed to APIM in the same region as the back-end for simple scenarios, use the other region for failures and obviously you can multi-route back end traffic using Front Door for larger deployments.

Tip: Use Azure Key Vault for secrets.

Developer Portal - part of APIM, this portal/website is highly "customisable" and allows users to discover/consume our API's.  User can check their access (only see API's they have access to) and to try/test the API.

Tips:

  • Users > Groups > Products > API EndPoints
  • Subscriptions assigned to 1) products or/and 2)API endpoints.
  • Transition policies great for turning SOAP into JSON.  There are a lot of OOTB policies, easy to create policies using C#.
  • APIM Extension for VS Code is nice for working with APIM.
More Info:
https://www.youtube.com/watch?v=0yf_xm5cPIo
https://www.youtube.com/watch?v=gA2yxwKo0M0

PB APIM Series:

Posted by Paul Beck at 17:12 0 comments
Labels:

Thursday 9 January 2020

Microsoft Azure MFA Notes (Az-300)

Study Notes on Multi Factor Authentication:
  • AAD MFA: for 2nd factor done via Text, MS Authenticator, Phone Call 
  • Azure MFA Server - For AD on-prem. MFA.  Most advanced set op options for integrating on-prem. infrastructure with MFA cloud service.  Download and install on a Windows server.  Don't need to AD Connect sync accounts to Azure AD (AAD).


  • Azure MFA Server needs to use the Azure MFA Service to send SMS and Text authentication and MS Authenticator.
  • The Azure MFA Server downloan includes a GDPR.exe utility for generation GDPR reports for a user.
  • MFA billing is per User and is included in AD premium licences
  • Conditional Access - so don't need for every user but when advanced roles can enforce MFA
  • Azure SDK is only a Web Service since 2018
  • ADFS has 2 MFA approaches/options: Azure MFA Server - no need to replicate users to AAD or ADFS 3 (Win 2016) upwards can use cloud based (no Azure MFA Server required).
  • Password Stuffing - Hacker uses compromised password on different sites as people tend to reuse.
  • Know e.g. password, or something you have e.g. RSA token, something you are e.g. fingerprint.  MFA must use 2 or more of these types.  Out-of-band device e.g. you phone using MS Authenticator.
  • As a general rule with the 2nd factor Auth on Azure, if you want to add a pin to the auth, you can't use the cloud service but need to be using Azure MFA Server.
  • OATH tokens for RSA or other outside token MFA (also for offline on phone via MSAuthenticator) but it requires Azure MFA Server to implement.  Azure portal also has basic OATH integration for 3rd party vendors.
Posted by Paul Beck at 07:19 0 comments
Labels: ,

Monday 30 December 2019

Power Apps Licencing

Overview:  Licensing has change a fair amount over the past 3 years for Power Apps and Flow.  This post summaries my understanding of licencing on the Power Platform as of Dec 2019.

Update 4 Nov 2021: Power Apps licencing was halved in price in 2020, a few days ago at the Microsoft ignite conference, a 3rd pricing option for Power Apps, "Pay-as-you-go" is an option.  The other two options are "Per User" or "Per App" plans mention below.

Types of Licences:
1. O365 and D365 licencing: Basic PowerApps licencing comes with these plans but you only get a small subset of connectors (missing Azure SQL and CDS Connectors).
2. Per-User or Per-App Plans: There are no more PowerApps P1 and P2 plans, you either need to use "per-user" or "per-app" Power Apps licencing plans.
3. Community Plan:  Allows a developer/creator the full set of functionality, free of change but the apps can't be shared.

"To run standalone apps, guest users need the same license as users in your tenant."  Microsoft Docs.  
  • Power Apps uses AAD B2B (both members and guest) 
  • Using standalone Power Apps shall require the Power Apps licence (not necessarily Portal Apps).  Steps to Share Power Apps with Guests
  • SharePoint user interacting with a Power Apps form on a SharePoint list do not require a Power Apps licence as you already have O365.
Updated: 29 May 2020 
Problem:  I cannot import Power App solution (zip) files into other DTAP Power App Environments.  The "Import" button is disabled.
Initial Hypothesis:  My trial per User Power App licence expired and most functionality was still working with my O365 Power App built in licence.  Administrator could not get my old licence renewed or add a Power Apps per user per app licence.
Resolution:  The Ops team assigned me a Dynamics 365 licence, and Import functionality is working again.



Posted by Paul Beck at 03:06 0 comments
Labels: ,

Thursday 12 December 2019

PL-900 Microsoft Power Platform Fundamentals Beta Exam

Overview:  This morning, I took the PL-900 Beta exam; it is seriously tough.  I don't think I passed but let us see as the results come out 2 weeks after the beta is closed.

My Thoughts: The exam covers three products: Power BI, Power Apps & Power Automate (formerly called Microsoft Flow) but is extremely wide-ranging on relying Microsoft technology.  You really need to have worked in detail with the products as the questions were not straight forward and often combine multiple related services/products.

What I learnt:  You need to know the 3 products well, and how the interact.  My connectors knowledge could be better, CDS comes in a lot, and my Dynamics 365 knowledge is lacking.  There were some Cognitive service questions that I was not ready to deal with.  It is a good test of knowledge, that has helped me realize I have holes in my knowledge on the Power Platform.

The exam itself:  Microsoft exams become easier as you learn how they ask questions, I found some of the language and questions difficult to follow.   What is the question actually being asked but this is pretty standard in a lot of Microsoft certification exams.

I did the exam remotely using Pearson/VUE software, which is great.  No need to book and go to a test centre.  They check your environment and identification and watch you throughout.  I got a warning for reading aloud, which until that point was awesome as the wording of the questions is not the easiest to understand, but it makes sense as people could record the questions using audio for cheating with brain dumps.

Summary:
  • I am convinced that I failed PL-900.  
  • I learnt a lot preparing for the exam and it was a good experience.
  • I need to look at Dynamics & Cognitive Services in more detail.
  • Remote exams are awesome and secure the way they are done & don't talk to yourself during the exam.
  • I've missed taking Microsoft and other certifications.
Posted by Paul Beck at 12:04 0 comments
Labels: , , , , ,

Tuesday 3 December 2019

Microsoft Teams Governance

Update 2020/07/07:  I recently watch a presentation by Rupert Squires on MS Teams Governance that provides a good introduction into Team Governance and thoughts for your MS Teams projects: https://www.slideshare.net/RupertSquires/positive-governance-in-5-steps-for-microsoft-teams

 Storage: MS Teams stores data in SharePoint, exchange and OneDrive for Business (OF4F).  Each team has it's own dedicate site per team.  Chats are stored in the senders OD4B, images stored in exchange.  The Teams will provision in the location where the tenant was setup.  In the O365 Admin centre, you can see where your instance of Microsoft Teams is located, mine is in the EU zone.


If location is important to you for compliance reasons, it's important you select the correct location.  I favour the EU zone as Europe is pretty strict on data, pretty central globally to my user bases.  But it does come down to your clients needs.

All data is encrypted at rest and encryption in transit and Teams data is stored in the Microsoft Data centre for your region

MS Teams Configuration: Team admin allows for a great degree of control in allowing different users different rights.  You can turn-off feature to groups of people easily to align with your companies governance.  There are a few dials to help you get granular control.

O365 Group Naming Policies is good for controlling access.  This allows for a common easy understanding of Groups, what the group has access to .

Sensitivity Labels/Azure Information Protection - very useful

Team Creation Thoughts - Should anyone be allowed to create your teams results in complex scenario that has be to governed and brought back under control.  Too much restriction results in people not using teams and potentially using shadow IT to achieve their goals.  Privacy must be appropriate, public vs private, don't allow people just to go for public because it sounds more open.  Each team should have a purpose, likely to have an end date (not always).  Don't just follow org structure.

Teams is not a replacement to all tools but it works best if you work out the right tool and often Teams can replace a variety of tools in large enterprises.

Teams should be using Teams instead of Email.  This is generally how one can tell if teams are being well implemented.  For me, I want to use teams for all communications and project related file store.  Email should be last resort.  Remove Skype if you have Teams.  Consider removing Zoom, WebEx, GoTo... you have teams, use this as the chat, calls or team meeting tool by default.  Schedule meetings from Teams if possible so it's in the correct team.  The meeting is therefore context based.
Don't allow people to add any app, think about it.  The exception is possibly small companies.

MS Teams ALM: Ensure that Teams are deleted when no longer needed.  ShareGate's Apricot tool is great for getting Teams under control.  Archive before deleting a MS team if you require the data or you have to be available.  Owners can delete a Team, the Team goes into the recycle bin for the default set period (30 days maybe).  It will be gone after this including the underlying storage data.

Note: When you delete a team all the underlying corresponding data is also deleted from SharePoint, Exchange and OneDrive.

MS Teams Series:
https://www.pbeck.co.uk/2019/12/microsoft-teams-governance.html
https://www.pbeck.co.uk/2020/05/microsoft-teams-overview.html
https://www.pbeck.co.uk/2020/06/multi-geo-for-ms-teams.html
Posted by Paul Beck at 16:45 0 comments
Labels: , , ,

Web Api hosted on Azure App Service with OIDC security using Azure AD B2C

Problem:  I want to add security to my .NET core ASP.NET Web API C# application using Azure AD B2C.

Terminology:
  • .NET Core - revision of the .NET framework.  Allows your application to run on Linux, Macs and Windows.  You do not need to have the .NET framework installed.   
  • ASP.NET Web API - Follows the MVC pattern using Controllers and Models to provide an HTTP services e.g. Give me the temp in Paris today.
  • Azure App Service  - Host an MCV or Web API on Azure.  Acts as a web server, it is scale-able and fully manged.
  • Azure Active Directory (AAD) B2C - AAD B2B is different to AAD B2C, totally separate services on Azure.  Business 2 Consumer (B2C) provides applications with an identity repository.  B2C provide authentication and identity management as a service to web applications and mobile applications.  Think of it as the same Google authentication but you own the identity provider instead of rely on third-party authentication providers like Google.
  • IdP - Indentity Provider, B2C is one of 2 AAD service for managing users/identities on Azure.
  • MVC - Model, View Controller is a pattern used to aggange software.  In this post I'm refering to project that utilise the MVC templates to create a project for web sites or Web API.



Problem: MVC web application hosted on a Web App, using Azure B2C, B2C holds users and also uses a social Identity Provider (IdP) namely Google.

Figure 1, Create a new project on the Google Developer Console

Figure 2, OAuth Consent Screen setup
Figure 3, Add the Credentials to Google
AAD B2C linkup to Google IdP.

High-Level Approach:
  1. Create your own Azure tenant & B2C service instance on Azure (using the Azure Portal)
  2. Register your ASP.NET Web application on the Azure tenant (using the Azure Portal)
  3. Create User Flows (Policies) on the B2C tenant (This allows you to create the flow to sign-in a user, create a new account, or a user to reset their password,...)
  4. Setup Google to connect to the B2C IdP (see figure 1-3)
  5. Update application created in Step 4 so that is is aware of the Google IdP
  6. Perform Authentication setup - create MCV web application using Visual Studio
Tip: This approach and technology is extremely well documented by Microsoft.


Posted by Paul Beck at 12:58 0 comments
Labels: , , ,

Monday 2 December 2019

Box.com to SharePoint migrations & O365 improvements

Box.com Tenant to SPO Tenant migrations:  Mover has been bought by MS and allows moving files from Box.com, drop box and others into SharePoint (it's going to be free).

  • Fast Track has a tool that can do Box.com migrations, but the Mover tool is a great option.  
  • Mover allows for incremental update, permissions are roughly copied.  
  • File versions are not copied, only the latest file.  
  • Look out for file size and file types in the source.  
  • Look out for file names, 0365 has restrictions on special chars, and Mover shall remove them from the destination file name e.g. *,/<>.:
  • Original Box.com timestamps are kept
  • I didn't need to move custom properties from Box into SharePoint metadata and I can't see this functionality (I did read the ProvenTeq do metadata migrations)
  • A scan of the source data and a spike/PoC is a good idea to know what limitation you shall face.
  • Mover is a good starting place for the technology to migrate from Box onto SharePoint Online.
  • ProvenTeq have a Box.com to SharePoint migration tool - I haven't used it.
  • MigrationWiz can migrate from Box.com to SharePoint (I've never used it).  
  • Use "Box embedded widget" to access Box content from inside SharePoint.
  • Custom code for migrations: Box.com and SharePoint REST have great API's but you'll need to manage the throttling, changes/updates and permissions yourself.  Use a tool unless there is no suitable tool.  
  • The same common sense approach as outlined a few years ago for Lotus Notes to SharePoint on-prem. migration is essential.
Key SharePoint online limitations have been increased namely:
  • 500k site collections per tenant is raised to 2 million SC/tenant
  • SharePoint Online & OD4F file upload max size increased to 100GB max size
Sensitivity Labels: AIP, DRP, Teams, unified labeling experience across O365.  Sensitivity labels will be added to document added using an O365 E5 licence for the import from Box.com. 

  • Sensitivity labels work with teams now!  
  • Private channel are now available.
  • Sensitivity labels therefore allow for governance and protecting your teams and team channels.

OD4B: Allows external upload only permissions.  Really useful as the number of large clients that still only support SFTP/SSH or worst FTP to share files.  Very quick low risk locked down way of getting files from clients and partners.

O365 tenant to tenant migrations: There seems to be a lot happening in this area but right not it's use the tools and Fast track.

 Plus Addressing in Exchange Online: Exchange online offer Plus Address.  Allows you to signup to newsletters and you can identify if you email address is sold on.  e.g paul@radimaging.co.uk, i will get the email for paulnews365@radimaging.co.uk, if it is sold on, you know where news365.com have sold on my details.
https://office365.uservoice.com/forums/273493-office-365-admin/suggestions/18612754-support-for-dynamic-email-aliases-in-office-36


Posted by Paul Beck at 18:39 0 comments
Labels: , , ,
Subscribe to: Posts (Atom)