blog.atwork.at

news and know-how about microsoft, technology, cloud and more.

How to create or renew Service Principal Names in Azure Active Directory

When an automated task or an app needs to access data from Office 365, you need to create an app in the tenant’s Azure Active Directory (AAD). To have full control, e.g. for deleting objects in AAD, a so-called Service Principal Name (SPN) can be used. That is similar to a Global Admin in Office 365, but just for apps and usually with a predefined expiration date. Which is good. Or?

Azure information protection user experience with external users

Due to the upcoming GDPR regulation in May 2018, many customers are working very actively towards this date and checking their compliance and security environment. Many requests arise around Azure Information Protection, which gives customers the ability to classify and protect their data in an easy, reproducible way. Data classification helps users to differentiate between data that can be shared outside an organization and data that is classified or NDA information. Many statistics show that less than 5% of all data of an organization is in that high classification range.

Azure Information Protection helps you classify and protect that type of data. One of the main questions here is: how is that handled with external or guest users? What is the user experience for an external user, and how can they open those protected messages (mails or documents)? The user experience is demonstrated below.

How to restrict access and to connect to a single SQL Azure database only

As of today, many organizations use various Microsoft Azure services. SQL Azure databases are popular among them. Often, IT Administrators want to allow departments or vendors full access to just one specific SQL Azure database and to restrict their access to other resources. See here how this works.

How Azure Security Center protects your data against cyber attacks

In many scenarios, public cloud services allow a high degree of elasticity, flexibility and cost effectiveness combined with standardization. On the other hand, every customer needs to build trust in the chosen platform and be assured that all their services and data are protected against attacks. So it is very interesting to see what kind of mechanisms the large cloud providers such as Microsoft use to keep data safe, how they detect attacks, and what countermeasures they execute.

Review of the GDPR workshop with atwork, Microsoft and Grant Thornton

atwork organized a GDPR workshop that took place this week at Microsoft in Vienna. We were able to win Philipp Mattes of Grant Thornton, a competent partner from auditing and tax consulting, who presented the first part. Our security expert Martina Grom covered the technical possibilities with the Microsoft Cloud Services in part two. See a review here.

Use Azure AD app principal without user context

For an application registered in AAD to run in application-only context, without a user context, the "Company Administrator" role has to be assigned to the application so that it can access administrator endpoints of APIs such as the Microsoft Graph. No additional permissions have to be assigned to the application after assigning this role.

The assignment has to be done using PowerShell and looks like this (the app registration has to be done beforehand):

    # Install the AzureAD module if it is not installed yet, then sign in to the tenant
    Install-Module AzureAD
    Connect-AzureAD
    # Look up the service principal of the app registration by its display name
    $app = Get-AzureADServicePrincipal -SearchString "your app name"
    # Get the "Company Administrator" directory role
    $role = Get-AzureADDirectoryRole | Where-Object { $_.DisplayName -eq "Company Administrator" }
    # Add the app's service principal as a member of that role
    Add-AzureADDirectoryRoleMember -ObjectId $role.ObjectId -RefObjectId $app.ObjectId

Note that you have to replace the string "your app name" with the name given to your app registration. The script installs (if not already installed) the AzureAD PowerShell module and uses the contained cmdlets to get the service principal of the app registration by name, gets the Azure AD directory role "Company Administrator" and adds the service principal of the app to this role. After the role has been added, the app can, for example, query the user endpoint of the Microsoft Graph API to get properties of any user in the AAD.

Add your local IP address to a SQL Azure Firewall easily

When working with SQL Azure you are aware that a connection is only established if the client’s IP address is configured in the firewall of the SQL Azure database server. Previously you had to open the SQL servers service in the Azure Portal and add your IP address manually. Well, the good news is that SQL Server 2016 Management Studio now does this for you!