Azure AD App Only Authentication

Put simply, App-Only authentication is the right choice when a daemon or background job needs to run a task. It lets code run under the application's own identity, without a user's permissions and without a user's auth token.

This is the first post in a series. Its aim is to give you a basic understanding of how to create an Azure AD app and grant it the permissions it needs to communicate with SharePoint Online (SPO).

Let's get started. Head to your Office 365 home page and switch to Admin Centers. From the left pane, click "Azure Active Directory". In Azure AD, search for "App Registrations" and click the "Add new application registration" link.

A new application blade will open. Enter a name, an application type and a sign-on URL, then click "Create". The sign-on URL can be anything for now and can be amended later to reflect a different one. A future post will discuss what sort of URLs are used here.


Once the app is created, you will be shown its application ID and other details.


Next, select Settings -> Required permissions and click Add.


In this case the API is SharePoint Online. Choose the API that matches your requirement.


Next, click the "Grant Permissions" button on the Required permissions tab. This consents to the requested permissions for the tenant, so that users who are not tenant admins can use the application.

A self-signed or public (commercial) certificate must be provided now, and the Azure AD manifest must then be updated accordingly.

The following PowerShell can be used to provision the certificate; make sure you have installed the OfficeDev PnP PowerShell module first.

# Requires the OfficeDev PnP PowerShell module and makecert.exe (Windows SDK) on the path.
$certroot = 'C:\Site Creator'
$certname = "IntelAi-Cert-1"
# Single quotes are required here: inside a double-quoted string "$$" expands to the
# current process ID, so "P@$$w0rd" would silently become a different password.
$password = ConvertTo-SecureString 'P@$$w0rd' -AsPlainText -Force
$startdate = Get-Date
$enddate = $startdate.AddYears(4)
# Self-signed, exportable (-pe) 2048-bit certificate, placed in the CurrentUser\My store
makecert.exe -r -pe -n "CN=$certname" -b ($startdate.ToString("MM/dd/yyyy")) -e ($enddate.ToString("MM/dd/yyyy")) -ss my -len 2048
$cert = Get-ChildItem Cert:\CurrentUser\My | Where-Object { $_.Subject -eq "CN=$certname" }
# The public part (.cer) goes into the Azure AD manifest; the private part (.pfx) stays with the daemon
Export-Certificate -Type CERT -FilePath "$certroot\$certname.cer" -Cert $cert -Force
Export-PfxCertificate -FilePath "$certroot\$certname.pfx" -Cert $cert -Password $password -Force

The following line copies the generated key credentials string to your clipboard:

Get-PnPAzureADManifestKeyCredentials -CertPath 'C:\Site Creator\IntelAi-Cert-1.cer' | clip

This is what the copied string looks like (the "value" field is truncated here). It has to be added to the manifest of the Azure AD application.

"keyCredentials": [
 {
  "customKeyIdentifier": "5lca+kziogw7T6MB4kUrxseK5m8=",
  "keyId": "84153f1a-90b7-4802-b99a-bb75d4f9a35b",
  "type": "AsymmetricX509Cert",
  "usage": "Verify",
  "value": "MIIDAjCCAe6gAwIBAgIQkawCJU0cWYxH8RamKNuqqTAJBgUrDgMCHQUAMBkx
 }
],

Select your application under App registrations in Azure AD, open its manifest, and replace the empty "keyCredentials": [] section with the copied string.
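As an added example (not from the original post, and not the PnP cmdlet's own code), the function below builds the same three manifest fields that Get-PnPAzureADManifestKeyCredentials emits from the public .cer, so you can see what each field actually contains. It also performs the checks a practitioner wants before publishing a key to the manifest; the certificate path is the one assumed above.

```powershell
# Added example: build an Azure AD manifest keyCredentials entry from a public .cer file.
# Assumes the .cer exported in the post; it is not the PnP module's implementation.
function New-AadKeyCredential {
    param(
        [Parameter(Mandatory)] [string] $CertPath   # public .cer file (DER or Base64)
    )
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($CertPath)

    # Sanity checks before the key is trusted by the application
    if ($cert.NotAfter -lt (Get-Date)) {
        throw "Certificate expired on $($cert.NotAfter)"
    }
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($cert)
    if ($null -eq $rsa -or $rsa.KeySize -lt 2048) {
        throw "Expected an RSA key of at least 2048 bits"
    }
    if ($cert.HasPrivateKey) {
        Write-Warning "A private key was loaded; only the public .cer belongs in the manifest"
    }

    # customKeyIdentifier = Base64 of the SHA-1 certificate hash (the thumbprint bytes)
    $customKeyIdentifier = [Convert]::ToBase64String($cert.GetCertHash())
    # value = Base64 of the DER-encoded certificate (public part only)
    $value = [Convert]::ToBase64String($cert.GetRawCertData())

    $entry = [ordered]@{
        customKeyIdentifier = $customKeyIdentifier
        keyId               = [Guid]::NewGuid().ToString()   # any unique GUID
        type                = 'AsymmetricX509Cert'
        usage               = 'Verify'
        value               = $value
    }
    # Wrap it the way the manifest expects: "keyCredentials": [ { ... } ]
    return @{ keyCredentials = @($entry) } | ConvertTo-Json -Depth 3
}

# Emit the JSON to paste into the manifest (pipe to Set-Clipboard if preferred)
New-AadKeyCredential -CertPath 'C:\Site Creator\IntelAi-Cert-1.cer'
```

The customKeyIdentifier in the post's sample decodes to 20 bytes, which is consistent with it being the SHA-1 thumbprint.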


Now you can test whether the application has the required permissions to connect to the SharePoint Online site. For ClientId, provide the application ID of the app you created.

# Same caveat as above: single quotes so "$$" is not expanded to the process ID
$password = ConvertTo-SecureString 'P@$$w0rd' -AsPlainText -Force
# ClientId is the application ID shown after registration; the .pfx is the one exported earlier
Connect-PnPOnline -Url https://site.sharepoint.com/ -ClientId 0c01f61e-ba27-4ae7-ab19-174884a949fc -CertificatePath 'C:\Site Creator\IntelAi-Cert-1.pfx' -CertificatePassword $password -Tenant intelai.onmicrosoft.com
$myWeb = Get-PnPWeb
$myWeb.Title   # prints the site title if app-only authentication succeeded

DISCLAIMER NOTE: This is an enthusiast post and is not sponsored by Microsoft or any other vendor.


Announcing the new Microsoft and Open Source Partner Community


Microsoft's affair with open source has been known for years. Day by day this bond has grown, and now it is obviously a blessed marriage. One of Microsoft's biggest strengths is its partner and technical community ecosystem. Unlike other vendors, Microsoft has done a lot to build a community ecosystem that connects individuals around the world with its products and technologies in various ways.

On the other hand, open source vendors had the flaw that community and support contributions to the product stack were very low.

Azure has grown unbelievably fast compared to any other cloud service over the past few years, and open source migrations to Azure have increased massively. In fact, 1 in 3 VMs in Azure are open source. This drastic growth rang the bells at Microsoft for the next button to be pressed. While open source resources are being moved to Azure, it is also critical to connect open source vendors, partners and technical communities with Microsoft partners and technical communities. This is a long overdue marriage which could have happened before, but finally here we are.

At the Microsoft Worldwide Partner Conference 2016, Microsoft announced the launch of the Microsoft and Open Source partner community on the Microsoft Partner Network, the place for us to connect and collaborate with the vast and diverse ecosystem of partners who develop and distribute open source solutions and services on Microsoft Azure.

This community is open for discussion of the diverse range of open technologies that run on Azure. It lets anyone stay tuned for updates, share information on various aspects of open technologies, and even simply start a discussion on a topic of your own, which the community will respond to.

In short, Microsoft has built another bridge between the open source and Microsoft communities across the globe.

Original Announcement on MPN

Azure AD Conditional Access for Office 365 (Exchange and SharePoint Online) Preview Release

Yesterday Microsoft announced one of the most awaited features for Office 365, the "Azure AD Conditional Access Preview" for SharePoint Online and Exchange.

What is Conditional Access and what is it for?

Security has been a key element of systems for decades, but today it needs to be far more comprehensive than ever before, given the evolution of the cloud and the mobile era. With the growing number of devices used by each person and the ability to access corporate resources from anywhere in the world, there is a massive demand for securing corporate resources. Ultimately, the latest strategies for securing corporate resources are defined by the new ways in which users actually access them.

Microsoft has taken another big leap in security capabilities with this release. Azure Active Directory Conditional Access lets you secure and manage your corporate resources in simple ways, in the cloud or even on premises. If you want to ensure that a stolen user credential or an unmanaged device will not harm your corporate resources, Azure AD Conditional Access is made for you.


How is access enforced?

Generally, when a user signs in to a service, Azure Active Directory checks whether the security inputs of this user meet the access requirements you defined. If the requirements are met, the user is authorized to access the service or application.

Enforcement can be done in two ways: you can define policies that control access either for users or for devices.

  • User based access (control who you want to allow access)

User Attributes – user attributes can be used to define policies on which users can access the organization's resources.

Group Membership of a User – or, alternatively, based on the group or groups the user belongs to.

Multifactor Authentication (MFA) – MFA can be configured to ensure better security. The user has to provide a second factor beyond the password, which could be a PIN or a verification via a phone number. That adds an extra level of security for your organization's resources.

Sign-in and User Risk – this capability, known as "Conditional Access Risk Policies", comes with Azure AD Identity Protection. It lets you track unusual sign-in activities and risk events based on access trends and implement advanced protection. Global and multi-region companies will benefit a lot from this capability.

  • Device based access (control what you want to allow access)

Enrolled Devices – using Microsoft Intune, you can use device-level access so that only MDM (Mobile Device Management) enrolled devices are allowed to access resources. Intune can validate whether the device is enrolled with MDM. Device-level access also ensures that only devices matching the policies you have configured (such as forced file encryption on a granted device) are allowed access. You can even remotely wipe the content of a device that was stolen or misused, using MDM solutions.

The best part is that it's not limited to the cloud: you can also use device-based access policies to control your on-premises resources, or even cloud-based SaaS or line-of-business applications.

What does this preview bring you?

This release is a much awaited capability for most organizations and a huge step for the access policy framework. Conditional Access for CRM and Yammer was already there, but especially for SharePoint and Exchange the call had been ringing for quite a long time.

These three conditions are released for SharePoint and Exchange Online as a preview. Microsoft recommends enabling these policies alongside the risk-based conditional access policy available with Azure Identity Protection.

  • Always require MFA
  • Require MFA when not at work
  • Block access when not at work

Conditional Access policies are supported for browser-based access to Exchange Online, SharePoint sites and OneDrive, and even for desktop applications that use modern authentication.

Across desktop and mobile devices, these are the applications connecting to Exchange and SharePoint that Microsoft has tested so far.

For Windows 10, Windows 10 Mobile, Windows 8.1, Windows 7 and Mac

  • Outlook, Word, Excel and PowerPoint in Office 2016
  • Outlook, Word, Excel and PowerPoint in Office 2013 (with modern authentication enabled)
  • OneDrive Sync Client (with modern authentication)

For iOS

  • Outlook Mobile App

Resources:

Detailed Explanation of Azure AD Conditional Access

Conditional Access Policy Support for Mobile Devices

Original Announcement

Enabling Multi-Factor Authentication in Office 365 (MFA)

MFA, or Multifactor Authentication, has been around for quite some time now. Everyone on the internet is already used to it, as it provides better security for applications over the internet.

The name describes it all: MFA lets you have more than one method of signing in to a service or application such as your Outlook.com account, Facebook, Gmail or even your e-banking login. This means you have multiple factors to verify your identity in order to sign in.

Beyond the traditional single password, MFA allows more than one method to sign in, such as a phone number or a passcode in addition to the password. With this capability, even if your password is stolen, the thief won't be able to use it to sign in to your account without the phone number or passcode that is also required.

Microsoft is investing massively in security and compliance, with lots of new improvements in these areas. Yet this isn't very new for O365: MFA for O365 was first introduced in February 2014, through this blog article.

Now let's see how to set it up and let our users use the service in a more secure way, as they have been waiting for it.

You need to log in to Office 365 as a Global administrator and open the Admin Panel. The new Admin Panel makes this pretty easy.

Before starting, don't forget this insightful article on MFA; it gives a good briefing to get started.


Go to Users and open Active users. Under the More dropdown, click the "Setup Azure multi-factor auth" link. This takes you to the MFA configuration page.


Select the user(s) you want to require MFA for.


From the right pane, click the "Enable" link to enable MFA. You can perform this as a bulk operation too, by selecting everyone or several users.


Click "Enable" to perform the operation.


Click "enable multi-factor auth" to start enabling. This takes just a few seconds. Before this step, make sure you have informed users what they need to do when they next sign in to the portal and when using other devices.


A success message indicates that everything went well.


At the very next login to the portal by the selected user(s), they will be prompted to enter the security code texted, or given via a call, to the user's mobile phone number.

By selecting a different verification option, users can choose whether the security code is delivered by text message or by voice call. Pretty simple!


Then we can enforce MFA. Enforcing and enabling are two different things: you need to enable MFA first before enforcing it, and the Enforce option only appears after enabling.

With enforcing, you as an admin require end users to use app passwords for their non-browser applications such as Outlook, Skype for Business or Lync.


Simply select the user(s) as before and click the "Enforce" link in the right pane. Click Enforce again on the prompt.


In just a few seconds, a success message indicates that you are done.


Additionally, if you click the "Manage user settings" link in the right pane, there are a few more features to ensure better security:

  • Require the selected users to provide their contact methods again.
  • Delete all app passwords created by the selected users.
  • Restore MFA on all devices that are remembered.

These options can be used in special situations as you need.
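The enable and enforce steps above can also be scripted. As an added example (not from the original post), the function below does them with the MSOnline module, mirroring the rule that a user must be enabled before being enforced; it assumes Install-Module MSOnline and Connect-MsolService as a Global administrator have already been run, and the user principal names are placeholders.

```powershell
# Added example: per-user MFA state via MSOnline, equivalent to the portal's Enable / Enforce.
# Assumes Connect-MsolService has been run; UPNs below are placeholders.
function Set-UserMfaState {
    param(
        [Parameter(Mandatory)] [string[]] $UserPrincipalName,
        [Parameter(Mandatory)] [ValidateSet('Enabled', 'Enforced', 'Disabled')] [string] $State
    )
    foreach ($upn in $UserPrincipalName) {
        $user = Get-MsolUser -UserPrincipalName $upn -ErrorAction Stop
        # Empty collection means per-user MFA is disabled
        $current = ($user.StrongAuthenticationRequirements | Select-Object -First 1).State

        # Same rule as the portal: Enforce is only valid for a user that is already enabled
        if ($State -eq 'Enforced' -and $current -notin @('Enabled', 'Enforced')) {
            Write-Warning "$upn is not enabled yet; enable MFA before enforcing it"
            continue
        }

        if ($State -eq 'Disabled') {
            $requirements = @()   # an empty array clears per-user MFA
        } else {
            $req = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationRequirement
            $req.RelyingParty = '*'   # applies to all relying parties
            $req.State = $State       # 'Enabled' (registration prompt) or 'Enforced' (app passwords required)
            $requirements = @($req)
        }
        Set-MsolUser -UserPrincipalName $upn -StrongAuthenticationRequirements $requirements
        Write-Output ("{0}: {1} -> {2}" -f $upn, ($current ?? 'Disabled'), $State)
    }
}

# Usage with placeholder accounts: enable first, then enforce once users have registered
Set-UserMfaState -UserPrincipalName 'alice@contoso.onmicrosoft.com', 'bob@contoso.onmicrosoft.com' -State Enabled
Set-UserMfaState -UserPrincipalName 'alice@contoso.onmicrosoft.com' -State Enforced
```

The `??` operator requires PowerShell 7; on Windows PowerShell 5.1 replace it with an explicit `if ($null -eq $current) { 'Disabled' } else { $current }`.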
