Episode 187 – AAD Alternate Login ID and Sensitive by Default in SharePoint

- Welcome to Episode 187 of the Microsoft Cloud IT pro podcast, recorded live on July 14 2020. This is a show about Microsoft 365 and Azure from the perspective of IT pros and end users. Where we discuss the topic or recent news and how it relates to you. In this episode, Ben and Scott covers some recent Microsoft 365 News, including Azure AD alternate login ID, sensitive by default in SharePoint and OneDrive and some other security related news. It's Wednesday, this has me all thrown off my game, cause I'm going on vacation, and I'm not--

- It's not even Wednesday, it's only Tuesday.

- Yeah, see, I told you. Tuesday has me all turned off my game. Cause I am going on vacation to a remote cottage in Michigan to enjoy the sun and the sand and the water in social isolation from everyone, including a cell phone signal.

- You think it's gonna be done.

- Yes, I'm actually looking forward to it. My parents have a cottage up there, I have not seen it yet. So they got it like a year ago and I have not been up there to visit or to see the cottage because the last time we were up there it was winter. And just you don't go up there in the winter. Well, you could, but my kids would not have enjoyed it as much as I would have.

- I think it's safe to say one does not go to Michigan in the winter, let alone to the cottage, the remote cottage at Michigan.

- At Michigan, one absolutely goes to Michigan because there's snow to play in.

- Yeah.

- Then well billing to be had, sledding to be done, snowboarding. All of the fun winter sports.

- Yeah, and you can almost go find yourself a real mountain.

- I could, I could just go to Denver instead or to Utah or Montana, Canada. All of the above definitely have better skiing. But they're also--

- The northeast.

- All the more expensive and I don't have family there.

- The Northwest, little bit of Europe, bring the family with you.

- I have always wanted to go to the Alps, to go skiing. My brother has done it, I have not.

- I will not discourage you.

- Perfect.

- You should live your dreams.

- Now I just have to convince my family. I need to get all my kids skiing. Do you know how hard it is to teach kids to ski and snowboard in Florida?

- I do as I've been flying my mind around too, to do the same thing.

- Yeah, once they get a little older, we'll teach them. We'll get them and then I'll go to Switzerland and--

- I'm gonna teach them how to ride the one wheel cause that's not like snowboarding, but it's close.

- How close is it? Because I believe you have had the privilege of riding a one wheel a lot.

- I bought one so yeah, now I gotta get my money's worth out of it.

- Yes well, but do you get to ride it or have your kids hijacked it?

- No, I ride it.

- Okay. Is it like snowboarding then?

- Not quite with the stock tire that comes on it. I think you need a different tire to make it feel a little bit more like that. But it is super fun. It's definitely a thing that you can get into with potentially like a deeper carve than a longboard. It's different than skateboarding or snowboarding or skiing, or any of those things, but it's definitely fun. It's addicting.

- I might have to add that to my Christmas list, birthday list when I stopped buying LEGO sets. are a great way to improve productivity and save time in the workplace and Sperry software has all the add ins you'll ever need. The Save as PDF add in is a best seller and it's great for project backups, legal discovery and more. This add in saves the email and attachments as PDF files, it's easy to download, easy to install and Sperry software's unparalleled Customer service is always ready to help. Download a free trial at Sperry software.com. S-P-E-R-R-Y-S-O-F-T-W-A-R-E.com and see for yourself how great Save as PDF is. Listeners can get 20% off their order today by entering the code "CloudIT". That's cloud IT, C-L-O-U-D-I-T all one word at check out. Sperry software work in email, not on email.

- So, in other news, should we talk about cloud news?

- Yeah,

- We could just turn into the rambling guys podcast.

- No, there's been a bunch of fun stuff with Azure AD.

- There has been. So this was when, I think it came out yesterday. So it came out Monday, July 13 cause I saw it right before I crawled in bed last night. In this one is that, using some PowerShell now, you can go in and enable user friendly sign in to Azure AD with email as an alternate login to an ID. As an alternate login ID, which is normally your UPN. So this is interesting because I still talk to clients that just assume they're always using their email cause they don't realize email and UPN are 99% of the time, the exact same in Office 365 but in reality, your UPN and your email, do not have to match up one for one. And Microsoft just, I would say they encourage you to keep the same because it does tend to lead to less confusion for people, when your UPN and your email address are the same thing.

- True story. So now with this one, you don't have to do that which can come in handy, especially when it comes to, some of those cases where you have trusted domains because I was thinking through this last night and making sure that it all made sense in my head is, a lot of times you may have two different domains you have, well, two different domains, you can't have the same UPN suffix in the two different domains. So people run into problems because of how Azure AD sync works. You can only put it on one server, you have to trust your domain. You have to sync all your users up and then they end up with different UPNs or different email addresses. Now you could in theory, sync two different domains with two different UPNs, set the same email address for all the users and let them use that single email address as their login ID. Instead of having separate UPNs from separate domains. Did I think through all that properly?

- I'm still confused as to why you'd want to, you'd be losing the ability for per user resolution, like if every user had the same email address, and you turn this on, what user would it resolve to when they log in?

- Sorry, I probably phrased that wrong, not the same user, but users from two different domains with two different UPN all having the same email domain. So think your UPN is user one at Company A, and then you have user B at company two, but they could both have user one at parent company.com and user two at parent company.com as their email address and now use that to log in, even though their primary UPN suffix is different.

- Correct, and it should still resolve back, so I haven't turned this one on yet, but it looks like what it's using is any addresses that resolve in the proxy addresses attribute. So as long as you've got that in there, you'd be cleared and ready to go. So it certainly helps out in situations like that. I've worked with a number of organizations where sign in IDs do not equate to email addresses in any way, shape or form. Like every law firm, I've worked for almost 99% of the time, my login for Active Directory was just employee ID, lots of financial institutions were that way. So you'd be a number to log into your computer and then you'd have your email address and all the other things on the other side, which led to all those customizations of like you said, swapping in email address and sending it up as the UPN attribute through AD Connect and weirdness ensues, because users have two different login names and everything else. So effectively with this, you can still keep your UPN, your users still resolve to their UPN. But theoretically, anything that's a match within a proxy addresses attribute should go ahead and get them through. But certainly you wouldn't wanna end up in that situation where multiple users have the same email address and proxy addresses cause I don't know how it would resolve. Does the first one win, does a random one win, that could be a little weird.

- Yes, I misspoke there. When I was talking about users with the same email addresses. I meant just users with the same domain.

- I totally get where you're going.

- But you're still gonna have some weird user behavior, I think with this one cause you're logging in with the email address and effectively what you're doing is, you're using that address for Home RAM discovery, and then relying on things like synced passwords and Azure AD to go ahead and pick things up. So this isn't gonna work if you have ADFS. Cause well, you'd still be redirected through Home RAM discovery or HAD to your ADFS server. But then in ADFS, you're gonna have to use your real login and password. This is you sync your passwords and do password hash synchronization and all that stuff to Azure AD. And you're relying on that as a login mechanism. And then once you've logged in with your email address, you're still resolving to your UPN. So, if you log in with Ben.Stegink, but you're B Stegink is your actual username. That's still what's gonna show up inside of the sweep bar and things like that when you go to your profile.

- Yes, and it does look like, like you were saying, it can be any proxy address. So it's not just your primary SMTP but in theory, if I had B Stegink as my UPN and I had an email address that was Ben Stegink and Ben and B Steg and all of those I could in theory use any of those email addresses to login. But you're right, I have not turned this on and tried it yet. I should definitely do that. Because why wouldn't I want to try something that just came out in preview in my primary tenant?

- I thought that's what your primary tenant was there for?

- Oh, it is, you should see the fun I have with my primary tenant because of all the different preview features that are lit up in it. Can be somewhat unpredictable at times. But yeah, I like this update. I think there's a lot of different scenarios this can help with and then you combine this with the cloud provisioning, that's still in preview and you start getting lots of options when you do have multiple domains, or like you said, if you wanna keep that UPN and login ID different.

- Yeah, and flexibility's a good one here. I think it's a feature that unblocks a couple of scenarios and they're important scenarios. And if you can make it easier to start synchronizing your data and onboarding that just accelerates you into ultimately the licensing you bought anyway. You didn't buy Microsoft 365, so you could figure out how to synchronize identity to it, you probably bought it for email or for SharePoint or teams or something else along the way. So if you can accelerate along, why not?

- And there are things to be careful of with this. There are still some limitations in preview that are covered in the documentation. One of these, Scott, I know this is gonna shock you. B to B invites. So guest users, if they accept an invite sent to an email as an alternate login ID, and they sign in with an alternate email, your guest access through the whole tenant endpoint may not work. Imagine that Guest Access not working with something like this.

- Yeah, I could imagine that one's a little weird and who knows how they solve that over time. But ultimately, because you're still signing into your Azure AD tenants, you're gonna need some type of resolution over in that other tenant. So if you've enabled alternate login, but I haven't enabled alternate login, how is my tenant gonna know to sign me in when all I'm coming over with is my email address?

- Yeah, that one does get weird. And there's some other ones in there, like you had said it, may still show the UPN instead of the email when you logged in in different places.

- Which I think is fine. I'd want it to show my UPN and not my email address.

- How would this work with something like teams, when you're doing teams calling and technically it's using a sip address?

- I don't know.

- I don't either. That would be another interesting scenario. You were supposed to know cause, in theory, a lot of times your sip matches your email, but your sip doesn't even have to match your email and your login ID, so technically doing the team's call, you might have to use that UPN yet or make sure your sip address gets updated if everybody's using and familiar with their email for their primary login. I think Microsoft recommends sip and email being the same though.

- Yeah, this doesn't do anything to negate good metadata and attribute hygiene within your directories. Whether it's your on prem directory or your cloud directory. If you've gone down a path where sip addresses are really weird, and like you said, they don't match UPNs or email addresses, then, sorry, that's on you. You've taught all your users how to dial in a different way.

- Well, I was just thinking like if your sip address matches your UPN and then everybody uses their email address to log in and again, that's why Microsoft tends to recommend UPN and email and sip all stay the same, because technically this I think your UPN and your sip would tend to stay the same in your alternate Login, your email would be something different. But that is another scenario I can think that you may want to be cautious with.

- Yes.

- Did you have another Azure AD one that you wanted to talk about?

- I've seen a couple of things pop up over the last few days when it comes to, just back to that hygiene thing and metadata and making sure things are where they need to be. That help you do things like find expiring service principles within your directory. So we've been talking a lot on the side about things like managed identities and getting these services to talk to each other. In Azure managed identities don't work for anything, or you're creating maybe like applications in your Azure AD. And you've got that application ID and that client secret that you that you need to maintain. It's helpful to understand when those are coming up for expiration and when you potentially need to renew them, and reconfigure your applications to get them to where they need to be. So I've been playing around with some of that myself. And I can put a couple quick scripts in the show notes for this one to do things like find those expired service principles. Another one that I thought was interesting that I saw pop up on Twitter, for Azure AD hygiene was a quick little snippet of PowerShell that can help you go ahead and just audit your granted oath permissions within your tenancy. So if you had a user, say, you've enable user consents, for, you just leave open blanket maybe cause you haven't locked that down, it's helpful to periodically check those and see what applications users have consented to, and especially any kind of persistent grants that have been made out there. It's like the same thing you might do in exchange where you wanna check and make sure that users don't have like SMTP forwarding addresses that are going to weird Gmail addresses or things like that along the way, but I think it's always good to think about how you operationalize those workloads and get them to where they need to be.

- Yeah, no, I agree. I've gone into my Azure AD tenant before and looked at some of what I've granted to my tenant, my account and I'm like, oh, I forgot that I had granted that application or that third party service, those rights back like six years ago, and maybe I don't want them to still be there. So to be able to go through run these scripts, check that health, that security, who might have been granted access in various ways, is definitely something that should probably be done on a regular basis, much more regularly than I do at my own tenant. And whenever you can script it, and send that output somewhere to keep an eye on it, even better.

- Yeah, automate all the things. It's not hard to do. And now that we've got all this extra time on our hands, make it happen.

- I don't know who has extra time on their hands.

- Well, I mean, come on, you just made it easier for your users to log in. You don't even need to go reconfigure Azure AD Connect anymore once you do this.

- That's true. So I can go take your scripts which these are really nice, short, concise scripts that can be used for that.

- Do you feel overwhelmed by trying to manage your Office 365 environment? Are you facing unexpected issues that disrupt your company's productivity, Intelligink is here to help, much like you take your car to the mechanic that has specialized knowledge on how to best keep your car running. Intelligink helps you with your Microsoft Cloud environment because that's their expertise. Intelligent keeps up with the latest updates in the Microsoft Cloud to help keep your business running smoothly and ahead of the curve. Whether you are a small organization with just a few users up to an organization of several thousand employees. They want to partner with you to implement and administer your Microsoft cloud technology. Visit them at intelligent.com/podcast that's I-N-T-E-L-L-I-G-I-N-K.com/podcast. For more information or to schedule a 30 minute call to get started with them today. Remember, Intelligink focuses on the Microsoft Cloud so you can focus on your business.

- So I have another security announcement that I saw and I've been playing with. And I talked to somebody about this because I didn't even realize this was an option. So this applies to data loss prevention in Office 365, Microsoft 365, whatever we wanna call it,

- I think we're supposed to call it Microsoft 365.

- You work there now, what is the official? Are we always supposed to use, I always use Microsoft 365.

- Let's go with that for now.

- Okay, we'll go with that for now. Data Loss Prevention in Microsoft 365 is that whole concept of I want to store certain information in SharePoint, maybe I'm putting in maybe I'm a doctor's office, I'm putting in patient records. I'm a financial institution, I am putting in credit card numbers, bank account numbers, these types of things are being stored within documents in SharePoint, maybe or people could send them out via email, you're using it via teams. This announcement applies specifically to OneDrive and SharePoint, because you obviously may not want that information to be shareable. That's the whole data loss prevention part of it, prevent that information from being shared. Maybe it's internally, maybe it's externally. But either way, you wanna put these policies in place to protect that sensitive information, PII, HIPAA financial information, whatever that sensitive information may be. In the past, or even today, I guess the way data loss prevention still works, and the way it finds that information is taking advantage of search under the covers. So you put information in there, search goes out and runs as it's indexing all your content. It is finding the sensitive information and then it uses that information that it has grabbed from search, to say no, you're not allowed to share this document externally. No, you're not allowed to email this document or link to this document from SharePoint, from OneDrive. However, we all know how search works, especially when it comes to SharePoint and that there is a delay there. In SharePoint Online, you don't always know how much that delay is, usually what I've seen, it's about 20 to 30 minutes before a new content is picked up. And your data loss prevention would apply. Which means that if you uploaded a document, went to share it externally right away, you could actually get sensitive information out of SharePoint sharing it externally by sharing it as soon as you uploaded it. Microsoft recognized this problem and there has been a feature that's been in preview for a while now called sensitive by default. And it just hit GA about a week ago. This announcement was from July 7 of 2020. And this applies to both OneDrive and SharePoint, now that it's GA, the preview was actually just SharePoint and they didn't have a timeline on OneDrive. Lo and behold it hit GA and you get it for both. What this does is, as soon as you upload a document to SharePoint or OneDrive, it's immediately marked sensitive, regardless of what information is in there. So as soon as it's uploaded, it's unable to be shared, it is locked. It's classified as sensitive. And then it waits until search has a chance to process it and verify that it's safe. And at that point in time, you're now able to share that document out. It's not marked as sensitive anymore. And it wouldn't get caught by a data loss prevention policy that applies to sensitive information. So they flipped it if you go into PowerShell and mark new files sensitive by default. Now, instead of being able to share them until they're classified as sensitive, they're classified as sensitive until they're deemed safe. And then you can go on and share them. Downside is, this only applies to new files. There's no way to go in and set all your old file sensitive by default. Hopefully, if you have DLP on, and you have old files in there, they've already been searched and classified sensitive or not anyways, so you don't necessarily need this for old files, but it does help with that potential data leakage of sensitive files that was there in the past in SharePoint and OneDrive.

- Yes, and it's a requirement that you turn DLP on to start using this, cause like you said, it does use that as an engine on the back end.

- Yeah.

- So if you have an onboard and in DLP, this might be a nice, easy, on ramp to figure some of that out.

- Yeah, exactly. So I would recommend, if you have any sensitive information out there and you're using DLP in any form or fashion, you should go turn this on today. Because if you do have a potential vulnerability there.

- Yep, I think you do that and, like you said, be mindful of what it's going to do with lock down concept initially until the indexer has a chance to grab things. You just need to be aware that now you could potentially have users sharing files out? And then maybe opening something like a HelpDesk ticket with you and saying, "Hey, Ben, I shared my file 15 minutes ago and, the person I sent it to says they can't get into it, even though they got the link."

- Yep, exactly. And they do say in this announcement, too, that they have been able to get the performance to be a little bit better. So they say 95% of the cases, the entire process should be done in less than five minutes.

- I would not take that as any type of promise though.

- No, there's no SLA,

- Cause there is no SLA, like you said around indexing.

- It's just what they've seen. It could be more could be less, you could fall into the 5% of cases. There's no guarantee there. So like you said, Scott, you do have to be aware that you could get users that are unable to access files and you have to wait a little bit longer before they can get to them, or they may have actually contain sensitive information and they shouldn't be able to access them anyways. Or you had a false positive in DLP, which also could happen.

- Never happens, I mean, sometimes happens, maybe more than once.

- Was that kind of like a 95% of the cases that showed us maybe sometimes, never possibly.

- Yeah, it goes back to that whole 76% of all statistics are true.

- I thought the 76% were made up.

- Well, it depends.

- All right, well, what else do we have?

- We can keep talking about Microsoft 365 stuff. So particularly in the lens of going down that security path again, the new version of Microsoft secure score has been GAed. So if you've been paying attention, there was a public preview of the new secure score that came out earlier this year, and it's certainly been kicking around for at least the last six months or so. And now that global rollout is complete. So you can get your gamification on with improving the security posture of the workloads that you choose to leverage within your Microsoft 365 tenant. Wow, that's a lot, that's a loaded statement.

- Yeah, that was like a mouthful.

- Clouds getting hard.

- And this is the new, this is where I get confused. I have so many different versions of the security center. And the Compliance Center.

- This isn't Security Center.

- And this isn't the whole center, this is just the scoring part of the new Security Center. I'm looking at screenshots from the article. And this looks like, is this still in the old security compliance center or is the new secure score only in the new security center, because some people I think are still kicking around to the old Security and Compliance Center as well.

- I've only been using the new one. So I've the old one in a while.

- I haven't either. But every once in a while it still shows its face. But all the screenshots of this are showing at the new security center, which is security dot something security.Microsoft, Security.Office, Security.Microsoft.com I believe. Oh, again, I can't keep track. But yeah, there's some new areas they focused on in this release, they improved the assessment and scoring models. They added some planning workflow and posture monitoring improvements, added metric trend reports to drive meaningful planning and status discussions with leadership.

- I think this new one is, it's positioned in a way or at least the data is positioned to make it more actionable, potentially for security professionals within your organization. So the older or previous versions of secure score, they would give you a number. And it was always very hard to quantify that number within your organization, especially as compared to all the other orgs out there. Sometimes it really just didn't matter. So now what the new version does, is you can decide what metrics you wanna bubble to the top or what you wanna make important with in there. So you've got things like the actions to review card where you can come in and understand very quickly where maybe your overall tenant configuration, its security posture is regressed in some way, because you've decided to make some change. Like hypothetically you go and enable alternate login IDs and Microsoft flags that is something that's going to potentially make your score lower. I don't know whether that's true or false. But, just as an example, you do get, I think, a little bit of a better view of the world. And certainly, it's also more condensed, so you get more data at once, to hopefully understand where you wanna take things within your tenant. I still think it's very important to understand that you're dealing with a number here that Microsoft has opted to provide as a piece of functionality within Microsoft 365. It might not be a number that's relevant to you, or the way it's presented, it might make it look worse than it actually is for you. So you need to take all that with a grain of salt weigh it out.

- Yep, exactly. It was looking down through some of what they've added cause again, frankly, I can't always keep track in my head, what's new and what's not. It looks like they've added a lot more space and created room to add a lot more details on your different improvement actions. So if you're gonna say require MFA for 80 privileged roles, there's currently a lot more white space on the page so that they can add more details in the future around a high level overview of what it is and then giving you options to that you accept the risk, that you wanna resolve it, that you're planning it. It has some details around the user impact, and then documentation on how to implement it to meet that specific action or that specific checklist on your security plan to go make the necessary fixes and changes if you want to implement that particular item.

- Yeah, I think that's probably one of the better things here, is you can start to use the new secure score as a way to come up with those action plans. So they have included functionality to turn it into a little bit of a planning tool for what are we going to do? What are we not going to do? So you can do things like for a suggested improvement, you have certain statuses that are available that you can mark things as you can say, this is something that we plan on working on. It makes sense for us, this is something that's still to do. And for this other thing, we're just gonna accept that risk. Like for our organization, it really doesn't impact us or it's not important. So we just wanna turn that one off and not have it bubble up anymore, maybe until the next time and a new feature comes out around it.

- Yep, and it looks like to another one that I haven't seen this before is your ability to change your own score zone. It goes back to what you were saying about how Microsoft picks a number and the baseline they set may not be 100% where your metrics are. So you can go in and customize your own score zone. So you can say a score is bad and our organization if our secure score is less than or equal to 30%, and it's good if it's greater than or equal to 50%, or 60%. And then it's okay between those percentage points. So it gives you your ability to define your own risk tolerance there, for instance, like my environment has a secure score of 41.62%. So I think, by and large, I don't know that I've ever seen anybody hit 100%. And it's really hard to get up in those higher percentages for your secure score. So by adjusting those you can actually show hey, even though it says 41%, we're still in a really good place from a security standpoint, based on what our specific tolerances are for where we wanna be with that secure score.

- Yes, I think that's important. Another thing to recognize too, is that there are multiple products within Microsoft 365, which are potentially giving you these numbers that equate to actions you might wanna take within your environment. So well this new release. So secure score has this, quote unquote, improved scoring model that hasn't made its way through the rest of the ecosystem. So there's other components or there's other things that have secure score in the name, like identity secure score, which is different than Microsoft secure score, and particularly different in the way that they're calculated. So if you're relying on something like that, just be mindful that those are different. If you are pulling information out of the graph API, that might be different than the information that's presented within the new secure score. So you just have to make sure you're mindful of where the data is coming from and have a way to aggregate it together for yourself. And I think that's one of the things like this show has put a big disclaimer at the top of these, like, we've said it a bunch of times, but numbers are just numbers, you have to decide how impactful they are.

- Well, there's an Azure secure score too. That's also different than this.

- That's totally different. Yeah and then there's security center. And yeah, though we can.

- Yes.

- All very different.

- Yeah, they are, but a nice improvement, nice updates to the secure score in Microsoft 365. So I think that'll wrap it up for today. That covers some fun, new security improvements coming to or now GAed in your Microsoft 365 tenant.

- Coming to a tenant near you.

- Yes, so, go enjoy your day, get some work done. Stay safe, stay healthy.

- And all the things.

- Yes.

- can ride my one wheel.

- We will be coming to you from Michigan for the next couple podcasts. I will be recording remote on location in Michigan.

- Can't wait to see how good your cell phone works.

- Well, at my parents' house it will be fine. Just not at the cottage, parents' house will be good to go. But my audio might not be good cause there's no way I'm packing this mic to go to Michigan. I will be using my headset. So go enjoy your day. Enjoy the rest of your week, and we'll talk to you next week or in two weeks, whenever we talk again.

- Thanks, Ben.

- If you enjoyed the podcast go leave us a five star rating on iTunes. It helps to get the word out so more IT pros can learn about Office 365 and Azure. If you have any questions you want us to address on the show or feedback about the show. Feel free to reach out via our website, Twitter or Facebook. Thanks again for listening and have a great day.