Saturday, January 13, 2018

Approach to a more trusted Azure AD B2B invite handling

The simplest approach to invite guest users is via the Azure AD admin portal. The disadvantage is that you have no control at all over the invite email that is sent:
  • It comes from Microsoft's mail origin instead of the inviting company
  • It is sent on behalf of the Azure AD admin account (or another admin account that holds the 'Guest Inviter' role), instead of the account of the actual business user at the inviting company
  • The mail is in a standard format, without the branding of the inviting company
  • The mail includes a suspicious-looking "Get Started" button
  • The mail includes a "Click here to unsubscribe" link, which again looks suspicious as the receiver never subscribed to invites from
The result is that invited persons may not trust the invite email and suspect it is a phishing mail; in my opinion, in current days this is very understandable and justified.
My first approach to improve on this was to invite the guest users via the 'New-AzureADMSInvitation' PowerShell cmdlet and write the email text myself. However, you still have very little control over the mail: the only thing you can do is specify the invite message, and that is limited to plain text, so you cannot produce a rich format including the company logo. All of the above drawbacks still hold.
On asking Microsoft, their advice for now is to use the Azure AD B2B invitation API to build a company-customized invite experience. But this requires an Azure app to be designed, developed and deployed. Although it would surely be fun to do, currently I lack the time for that.
Therefore I decided on an approach in the middle. I still use the PowerShell cmdlet to create the guest accounts, but instead of having it send the invite email directly, I let the PowerShell script compose a 'mailto:' specification that includes the guest user's redeem URL. These specifications are exported per invited user to a .csv file. Next, the Azure AD admin sends the .csv file to the responsible business user of the inviting company, who can open the 'mailto:' specification from the received .csv file to create the invite mail in his or her own mailbox, make some final changes and additions (e.g. add a personal mail signature, including items like the company logo and contact details of the business user), and send out the mail. The invited guest then receives the mail from the mail domain of the inviting company, and from a person (s)he is likely already in contact with. As an extra bonus I apply Office 365 email encryption, to give the invited user the assurance that only he or she is able to read the invite mail.
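The script below is an added example of the "middle" approach described above; it is not the post's own script. It assumes the AzureAD module is loaded and Connect-AzureAD has been run by an account holding the 'Guest Inviter' role; the guest addresses, names and the redirect URL are placeholders. One caveat a practitioner should keep in mind: the redeem URL returned by New-AzureADMSInvitation is a live link that lets whoever clicks it redeem the invitation, so the exported .csv must be handled as confidential (encrypted mail, no shared drives).

```powershell
# Added example (not the post's script). Assumes: AzureAD module loaded,
# Connect-AzureAD done as a 'Guest Inviter'. Guests and URL are placeholders.
$redirectUrl = 'https://contoso.sharepoint.com/sites/partnerproject'   # placeholder
$guests = @(                                                            # constructed sample
    @{ Email = 'alice@fabrikam.example'; Name = 'Alice Example' },
    @{ Email = 'bob@fabrikam.example';   Name = 'Bob Example' }
)

$rows = foreach ($g in $guests) {
    # Create the guest object but suppress Microsoft's standard invite mail.
    $inv = New-AzureADMSInvitation -InvitedUserEmailAddress $g.Email `
                                   -InvitedUserDisplayName  $g.Name `
                                   -InviteRedirectUrl       $redirectUrl `
                                   -SendInvitationMessage   $false

    # The redeem URL is a bearer-style link: protect the resulting .csv.
    $subject = "Invitation to our shared SharePoint site"
    $body    = "Dear $($g.Name),`r`n`r`n" +
               "Please accept the invitation to $redirectUrl via this link:`r`n" +
               "$($inv.InviteRedeemUrl)`r`n`r`nKind regards"

    # mailto: query fields must be percent-encoded; the mail client fills the draft from them.
    $to   = [System.Uri]::EscapeDataString($g.Email)
    $subj = [System.Uri]::EscapeDataString($subject)
    $bod  = [System.Uri]::EscapeDataString($body)
    $mailto = 'mailto:{0}?subject={1}&body={2}' -f $to, $subj, $bod

    [pscustomobject]@{
        Guest    = $g.Email
        ObjectId = $inv.InvitedUser.Id     # id of the created guest account
        Status   = $inv.Status
        Mailto   = $mailto
    }
}

# One row per invited user; the business user opens the Mailto value from this file.
$rows | Export-Csv -Path .\guest-invites.csv -NoTypeInformation -Encoding UTF8
```

Percent-encoding the subject and body is what keeps the line breaks and the redeem URL intact inside the 'mailto:' link; without it, mail clients truncate the body at the first '&' or '#'.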

Friday, December 29, 2017

How-To: enable Azure Active Directory for Powershell on Windows 7 system

The AzureAD PowerShell module contains multiple convenient cmdlets to manage an Azure AD tenant, among others to invite external accounts (e.g.: Automatically Provision Azure AD B2B Guest Accounts). When you try to use the AzureAD PowerShell module on a Windows 7 system, you may run into the issue: The specified module 'AzureAD' was not loaded because no valid module file was found in any module directory
If so, the solution is to import the module file via its exact file path (inspiration for this: Azure RM PowerShell Module / Other Installation methods).
After that, the AzureAD cmdlets can be used successfully.
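The commands below are an added example of the explicit-path import, not the post's own commands. They locate the module manifest under the directories listed in $env:PSModulePath (the directories the error message refers to), check its Authenticode signature before loading a file by hand-picked path, and import it. The manifest name AzureAD.psd1 is the module's real manifest; no version folder is assumed.

```powershell
# Added example, not from the post. Finds AzureAD.psd1 on disk and imports it
# by full path, bypassing the module lookup that fails on the Windows 7 system.
$manifest = Get-ChildItem -Path ($env:PSModulePath -split ';') -Filter 'AzureAD.psd1' `
                          -Recurse -ErrorAction SilentlyContinue |
            Sort-Object LastWriteTime -Descending | Select-Object -First 1
if (-not $manifest) { throw "AzureAD.psd1 not found under: $env:PSModulePath" }

# Loading a module by explicit path skips no signing policy checks that AllSigned
# would not also apply, but verify the Microsoft signature anyway before trusting it.
$sig = Get-AuthenticodeSignature -FilePath $manifest.FullName
if ($sig.Status -ne 'Valid') { throw "Refusing to load module with signature status: $($sig.Status)" }
"Signed by: $($sig.SignerCertificate.Subject)"

Import-Module -Name $manifest.FullName -Verbose

# Check: a non-zero command count confirms the module really loaded.
(Get-Command -Module AzureAD | Measure-Object).Count
Connect-AzureAD
```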

SharePoint Online External Sharing: blacklisting overrules whitelisting

Via the configuration capabilities of Office 365 SharePoint Online External Sharing, the SharePoint administrator has full control to both allow and disallow specific organizations by domain. Be aware that the 'disallow' configuration takes precedence over the 'allow': if you run into a situation where you cannot invite a guest account of a whitelisted domain, then check your blacklisting (at tenant plus site collection level) to see whether the organization's domain is also listed there.
Result: blacklisting overrules the whitelisting allowance.
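The following is an added diagnostic, not part of the original post: it reads the domain restriction settings at both tenant and site collection level with the SharePoint Online Management Shell and reports where a given domain is allowed and where it is blocked, so the precedence problem can be spotted before a sharing attempt fails. It assumes Connect-SPOService has been run as a SharePoint administrator; the site URL and domain are placeholders.

```powershell
# Added example, not from the post. Requires the SharePoint Online Management
# Shell and a prior Connect-SPOService as SharePoint admin.
function Test-SPOSharingDomain {
    param(
        [Parameter(Mandatory)][string]$SiteUrl,   # site collection to check (placeholder below)
        [Parameter(Mandatory)][string]$Domain     # organization domain to look up
    )
    $tenant = Get-SPOTenant
    $site   = Get-SPOSite -Identity $SiteUrl -Detailed

    foreach ($scope in @(@{ Name = 'Tenant'; Obj = $tenant }, @{ Name = 'Site'; Obj = $site })) {
        $o = $scope.Obj
        # Both lists are space-separated strings; an unset list splits to an empty entry.
        $allowed = @($o.SharingAllowedDomainList -split '\s+' | Where-Object { $_ })
        $blocked = @($o.SharingBlockedDomainList -split '\s+' | Where-Object { $_ })
        [pscustomobject]@{
            Scope   = $scope.Name
            Mode    = $o.SharingDomainRestrictionMode   # None / AllowList / BlockList
            Allowed = ($Domain -in $allowed)            # -in compares case-insensitively
            Blocked = ($Domain -in $blocked)
        }
    }
}

# Any row with Blocked = True explains a failed invite for an otherwise whitelisted domain.
Test-SPOSharingDomain -SiteUrl 'https://contoso.sharepoint.com/sites/partnerproject' `
                      -Domain 'fabrikam.example' | Format-Table -AutoSize
```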

Sunday, December 17, 2017

Beware Column Formatting with JSON requires the New Experience

Column Formatting with JSON is a nice approach, with a relatively low knowledge hurdle, to customize the rendering of a column. However, be aware that it only works in the New / Modern Experience; for lists that are in the Classic Experience the Column Formatting is ignored / not applied.
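As an added example (not from the post), the snippet below applies a small column format with PnP PowerShell and then checks the list's experience setting, since a list pinned to the classic experience silently ignores the format. It assumes Connect-PnPOnline to the site; the list and column names are placeholders. The format uses the operator-based JSON syntax of the column formatting schema.

```powershell
# Added example, not from the post. Assumes PnP PowerShell and Connect-PnPOnline.
$listName  = 'Orders'    # placeholder
$fieldName = 'Status'    # placeholder

# Render the value in red when it equals 'Blocked' (operator-based conditional).
$format = @'
{
  "$schema": "https://developer.microsoft.com/json-schemas/sp/column-formatting.schema.json",
  "elementType": "div",
  "txtContent": "@currentField",
  "style": {
    "color": {
      "operator": "?",
      "operands": [
        { "operator": "==", "operands": [ "@currentField", "Blocked" ] },
        "red",
        "inherit"
      ]
    }
  }
}
'@
Set-PnPField -List $listName -Identity $fieldName -Values @{ CustomFormatter = $format }

# The format only renders in the modern UI; a list forced to classic shows plain text.
$list = Get-PnPList -Identity $listName
if ($list.ListExperienceOptions -eq 'ClassicExperience') {
    Write-Warning "List '$listName' is pinned to the classic experience; switching to modern."
    Set-PnPList -Identity $listName -ListExperience NewExperience
}
```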

Thursday, December 14, 2017

Automatic Azure AD B2B redemption is not feasible

Azure AD Business-to-Business (B2B) is the enterprise-ready and secure new approach to enable SharePoint Online external sharing. In this approach, externals are added as guest users in the Azure AD of the inviting company. The guest account in the host Azure AD functions as a placeholder for the actual account of the invited guest in the external identity administration. Azure AD B2B is an implementation of federated identity management.
The process to authorize an external person for access to a shared SharePoint Online site consists of 2 steps:
  1. First, the Azure AD admin (or anyone who has the "Guest Inviter" role) has to add a guest account to the host Azure AD
  2. Next, the site owner can invite the guest account to the externally shared site
However, it turns out that there is some usage unclarity and a sequence dependency in this process:
  • Usage unclarity: For the first step, the guest receives an invite in the mailbox to accept / redeem the invitation. But next the guest user is redirected to an empty Apps page in the tenant of the inviting organization ==> no authorizations have been granted yet;
  • Sequence dependency: The site owner cannot execute the 2nd step until the Azure AD invite has been redeemed ==> 'Sharing failed: Sharing to external users is not supported' (which is a misleading / incorrect error message; sharing is supported, just not to the particular guest account as long as (s)he has not redeemed the invitation to the hosting Azure AD)
To address the first drawback, which may result in a negative first impression with the invited guest ("I only see an empty Apps page, cannot do anything"), you can use the PowerShell Azure AD cmdlet 'New-AzureADMSInvitation' with the '-SendInvitationMessage' parameter set to false. The result is that the invited guest is not yet informed of the invite to Azure AD, which from the perspective of the guest user is useless anyhow: one can only do something after being authorized to a SharePoint site. But the indirect result is that the Azure AD invite is not redeemed (the guest is neither made aware of nor asked to perform the redemption), and consequently the site owner cannot add the guest user. A catch-22 situation.
A potential way out would be to automatically redeem the Azure AD invitation on behalf of the invited guest. However, this is only possible in case the organization of the invited guest itself has an Azure AD tenant. Although the usage of Azure is growing in the market, there is and will remain a large set of organizations that do not themselves have an Azure subscription + tenant, and then automatic redemption on behalf of guest users is not possible.
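The check below is an added example, not from the post: it lists the guest accounts whose invitation has not been redeemed yet, which is exactly the set of accounts for which a site owner will hit the misleading 'Sharing to external users is not supported' error. It relies on the UserState property of Get-AzureADUser (PendingAcceptance until the guest redeems, Accepted afterwards) and assumes Connect-AzureAD has been run.

```powershell
# Added example, not from the post. Assumes Connect-AzureAD has been run with
# at least directory read permission.
function Get-PendingGuest {
    # Guests that have not (yet) redeemed their invitation. UserState is null for
    # accounts that predate the B2B redemption flow; treat those as pending too.
    Get-AzureADUser -Filter "userType eq 'Guest'" -All $true |
        Where-Object { $_.UserState -ne 'Accepted' } |
        Select-Object DisplayName, Mail, UserState, UserStateChangedOn, ObjectId
}

# Run this before a site owner tries to share: any guest listed here will fail the
# 2nd step above until (s)he redeems the Azure AD invitation.
$pending = @(Get-PendingGuest)
"Guests with unredeemed invitations: $($pending.Count)"
$pending | Format-Table -AutoSize
```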

Thursday, December 7, 2017

How-to identify faulty webpart on SharePoint (Online) page

Today the business called in distress: they had made a change to the start page of an important business site (solution) in SharePoint Online, and on next opening the page in the browser it remained loading / spinning.
To support, I was temporarily granted contributor authorization, and then applied the following steps to analyze + identify:
  • Step 1: very important, determine whether you can reproduce the problem yourself;
  • Step 2: (the answer was yes) Open the page in webpart maintenance mode, by adding "?contents=1" to the query string;
  • Step 3: Identify which of the webparts on the page could potentially cause the problem; e.g. an ImageViewer webpart is very unlikely, but anything that adds content or script can be;
  • Step 4: Close the first of the potential suspect webparts;
  • Step 5: Reopen the page in normal mode, and verify whether it now loads;
  • Step 6: Continue with steps 4 and 5, until finally the page loads successfully again;
  • Step 7: Once the faulty webpart is identified, re-add the other ones: open the page in edit mode, insert webpart, and select the closed webparts from the webpart category 'Closed Parts';
  • Step 8: Fix the faulty webpart, or delete it from the page.
In this particular situation, a Content Editor WebPart had been added to the page that contained script with a self-reference to reload the page, resulting in an endless loop. This cannot be fixed in place; the best option is to delete it from the page and re-code the client script (making sure to avoid the self-reloading...).
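The script below is an added example (not the post's procedure) that does the triage of steps 3 and 8 from PowerShell instead of the maintenance page: it exports every webpart on the page with PnP PowerShell, flags the script-capable ones (Content Editor and Script Editor webparts, which inject arbitrary markup and JavaScript into the page) and searches their exported XML for page-reload calls. It assumes Connect-PnPOnline to the affected site by an account with edit rights; the page URL is a placeholder. Because the webpart content is HTML-encoded in the export, the pattern matches both raw and encoded '<script'.

```powershell
# Added example, not from the post. Assumes PnP PowerShell and Connect-PnPOnline.
$pageUrl = '/sites/business/SitePages/Home.aspx'   # placeholder

function Find-SuspectWebPart {
    param([Parameter(Mandatory)][string]$ServerRelativePageUrl)
    foreach ($wp in Get-PnPWebPart -ServerRelativePageUrl $ServerRelativePageUrl) {
        # The exported XML carries the webpart type and its (HTML-encoded) content.
        $xml = Get-PnPWebPartXml -ServerRelativePageUrl $ServerRelativePageUrl -Identity $wp.Id
        [pscustomobject]@{
            Title         = $wp.WebPart.Title
            Id            = $wp.Id
            ContentEditor = ($xml -match 'ContentEditorWebPart')
            ScriptEditor  = ($xml -match 'ScriptEditorWebPart')
            HasScript     = ($xml -match '(?i)(<|&lt;)script')
            ReloadsPage   = ($xml -match '(?i)location\.(reload|href|replace)')
        }
    }
}

$report = Find-SuspectWebPart -ServerRelativePageUrl $pageUrl
$report | Format-Table -AutoSize

# Start with the ones that both inject script and touch window.location: that is the
# self-reloading Content Editor WebPart pattern described above.
$culprits = $report | Where-Object { $_.HasScript -and $_.ReloadsPage }
foreach ($c in $culprits) {
    Write-Warning "Removing suspect webpart '$($c.Title)' ($($c.Id)) from $pageUrl"
    Remove-PnPWebPart -ServerRelativePageUrl $pageUrl -Identity $c.Id
}
```

Remove the flagged webpart only after confirming it in the report; the other webparts stay untouched, which also avoids the re-adding of closed parts in step 7.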

Friday, December 1, 2017

2 approaches to enable MFA for Azure AD B2B guest accounts

Part of Azure AD B2B SharePoint External Sharing is to enforce multi-factor authentication for the external guest accounts. Documentation on how to enable this is a bit difficult to find. Also, in my search I found that there are actually 2 approaches to enable an MFA condition for guest accounts.

Option 1: Direct enable on Azure AD user level

This is the option I first stumbled into, due to (my) inability to find proper documentation on how to enforce the MFA rule. The approach here is to open Azure AD Admin, open 'All Users', click 'Multi-Factor Authentication' in the top bar, and select the (guest) user accounts for which to enable MFA. Frankly I have the suspicion that this approach is there by accident. The motivation for that thought is that I could only enable MFA for guest users via a trick: selecting only guest users does not offer the enable/disable MFA option. However, if you also select a regular account, the menu option becomes visible and the action is applied to all selected accounts, including the guests. Not directly logical; it may very well be a functional bug.

Option 2: Indirect enable via Azure AD Conditional Access

This approach appears to be the more structural one, with management at a higher level than individual guest users. The approach consists of the following steps:
  • Create in Azure AD 'Users and groups' a new group with dynamic membership, with the rule "userType Equals Guest"
  • Create in Azure AD Conditional Access a new policy: under Users and groups include the just-created group (of external accounts), as Cloud app select Office 365 SharePoint Online, and as Grant control select 'Grant access' with 'Require multi-factor authentication'
These 2 configuration steps ensure that MFA is immediately applied for all guest accounts, without the need to maintain this on the individual user accounts.
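The script below is an added example (not the post's own) of the first step of Option 2: creating the dynamic guest group from PowerShell and verifying that, once membership processing has run, it contains all guests and no member accounts. The Conditional Access policy itself is then created in the portal as described above. It assumes a version of the AzureAD module whose New-AzureADMSGroup supports dynamic groups (-GroupTypes, -MembershipRule) and Connect-AzureAD as a Global Administrator; the group name and mail nickname are placeholders. Note that with this policy the guest is prompted to register a second factor in the inviting tenant, so expect a one-time registration step on the guest's first SharePoint access.

```powershell
# Added example, not from the post. Assumes AzureAD module with dynamic-group
# support and Connect-AzureAD as Global Administrator.
$group = New-AzureADMSGroup -DisplayName 'All Guest Users' `                     # placeholder name
    -Description 'Dynamic group of all B2B guests; target of the MFA Conditional Access policy' `
    -MailEnabled $false -MailNickname 'AllGuestUsers' -SecurityEnabled $true `
    -GroupTypes 'DynamicMembership' `
    -MembershipRule '(user.userType -eq "Guest")' `                            # same rule as in the portal
    -MembershipRuleProcessingState 'On'

function Test-GuestGroupMembership {
    param([Parameter(Mandatory)][string]$GroupId)
    $members = @(Get-AzureADGroupMember -ObjectId $GroupId -All $true)
    $guests  = @(Get-AzureADUser -Filter "userType eq 'Guest'" -All $true)
    $nonGuestMembers = @($members | Where-Object { $_.UserType -ne 'Guest' })
    $missingGuests   = @($guests | Where-Object { $_.ObjectId -notin $members.ObjectId })
    [pscustomobject]@{
        Members        = $members.Count
        Guests         = $guests.Count
        NonGuestInGroup = $nonGuestMembers.Count   # must be 0: no regular user gets the guest MFA policy
        GuestNotInGroup = $missingGuests.Count     # must be 0: every guest is covered by the policy
    }
}

# Dynamic membership is evaluated asynchronously; give it a moment before checking.
Start-Sleep -Seconds 60
Test-GuestGroupMembership -GroupId $group.Id | Format-List
```

Both counts in the check should be zero before the Conditional Access policy is switched on; a non-zero GuestNotInGroup means some guests would still reach SharePoint Online without MFA.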