Category Archives: Microsoft
Season of AI: Getting started with Azure AI Studio
Join us for an incredible online event from the “Season of AI” series.
Getting Started with Azure AI Studio
Dive deep into the capabilities of Azure AI Studio, now in General Availability.
We’ll cover all facets of the UI and create applications featuring Multi Modality, Prompt Flow, and our own data!
This session is perfect for anyone interested in the power of AI and how Azure AI Studio can facilitate innovation tailored to our unique requirements and aspirations.
Azure Certifications
Hi Azure Community.
If any of you are looking to get certified in the many Azure certifications out there and need guidance you can join a Microsoft Learning Room that is managed by MCTs (Microsoft Certified Trainers). It’s called “Microsoft Exam Prep by MCTs”.
Have a look here. Microsoft Learning Room Directory – Microsoft Community Hub
Here is the room you can join and get exam tips from experts and others starting their journey.
Below is a screenshot of what channels we have in the Learning Room.
This Thursday, June 13th @ 11am EST is a live event where an MCT will talk about how to prepare to take exam AZ-104 Microsoft Azure Administrator.
See you there!
Microsoft 365 data residency offerings now available in Spain
We are excited to announce that Microsoft 365 and its associated data residency offerings – Advanced Data Residency (ADR) and Multi-Geo capabilities – are now available for commercial customers in our new cloud region in Madrid, Spain.
With this availability, Microsoft 365 will now offer Multi-Geo and ADR add-ons to provide customers provisioned in Spain with greater control over the location of their cloud data.
Multi-Geo allows customers to configure in which geographies their Microsoft 365 user data is stored at rest, on a per-user basis and within a single tenant. Exchange Online, SharePoint, OneDrive, and Microsoft Teams are available for Multi-Geo configuration.
ADR provides guarantees that certain customer data will be stored at rest (in this case, in Spain) for several core online services, including Exchange Online, SharePoint Online, OneDrive, Microsoft Teams, Copilot for Microsoft 365, Exchange Online Protection (EOP), Office for the Web, Viva Connections, Viva Topics, and certain Purview products.
ADR and Multi-Geo include data residency commitments for Copilot for Microsoft 365 customers as of March 1, 2024. For information about data residency and Copilot for Microsoft 365, see Data Residency for Microsoft Copilot for Microsoft 365.
This new cloud region will provide artificial intelligence (AI) and other cloud services to contribute to the digital transformation and the development of the AI economy in Spain.
“We are committed to supporting Spain, by making investments, forging business partnerships, and creating programs that ensure broad access to cloud and AI services that empower organizations and individuals to develop and use technology in ways that will serve the public good. We do so by delivering a data center infrastructure that provides the most innovative cloud and AI services, offering the highest levels of reliability, security, privacy and data residency. Proof of this is the high-level certification within the National Security Scheme, obtained by the new cloud region.” — Alberto Granados, Country Manager, Microsoft Spain
This is the second new cloud region we have launched this year, continuing a series of datacenter launches that include Poland, Italy, and Mexico in the last 18 months.
Learn more about empowering your organization with Microsoft 365, ADR, and Multi-Geo.
— Microsoft 365 Datacenter and Data Residency Teams
Microsoft Tech Community – Latest Blogs –Read More
Effective strategies for conducting Mass Password Resets during cybersecurity incidents
You’re in the middle of a cyber incident, and you know certain accounts have been compromised, but you are not certain of the full extent of the Threat Actor’s impact. What do you do? Oftentimes, Microsoft Incident Response will recommend a mass password reset. This helps you regain control of your identity plane, deny other avenues of access, and disrupt any persistence the attacker may have established in your environment. However, and especially for larger organizations, navigating mass password resets can be a complex task. In this blog post, we’ll discuss the practical challenges of performing a mass password reset, how to prepare to carry one out, and best practices in performing them.
Identifying the need for a mass password reset
A mass password reset is not always required, but it is important to identify the circumstances under which it is. Some considerations for when a mass password reset is the best course of action include:
Active Directory database exfiltration: When there is evidence of Active Directory Domain Services (AD DS) database exfiltration by a suspected threat actor.
Active Directory database staging: When there is evidence of AD DS database staging with intent to exfiltrate by a suspected threat actor.
Compromised privileged identities: When a threat actor has compromised credentials belonging to one or more privileged groups such as Domain Admins, Enterprise Admins, or built-in Administrators.
Attacker-in-the-Middle: When there is evidence of an Attacker-in-the-Middle (AiTM) attack or other threat-actor-introduced proxy services which may have gathered user credentials.
Cloud or third-party identity platform compromise: When there is evidence of a compromise on an authoritative identity platform such as Microsoft Entra Connect, AD FS, RADIUS (Remote Authentication Dial In User Service) servers, or third-party identity solutions.
Ransomware deployment: When a threat actor has been able to successfully deploy ransomware by compromising accounts belonging to privileged Active Directory (AD) groups.
Privileged credentials exposed in Business Email Compromise (BEC): When a BEC has exposed privileged credentials in emails.
Privileged credentials exposed in exfiltrated data: When data exfiltrated from productivity and collaboration tools (such as OneDrive or SharePoint) has exposed privileged credentials.
Privileged credentials exposed in code: When privileged credentials have been exposed in an online code or source control repository.
Attribution to nation state or Advanced Persistent Threat (APT): When an attack has been attributed to an APT or nation state.
Organizational challenges and scenarios
Almost all organizations have remote users: many have hybrid users, and some have entirely remote workforces. This means that every organization has unique requirements and considerations for when a mass password reset is required. In this section, we will consider some of those requirements and how organizations can best prepare and respond if the need arises. Scenarios to consider include:
Local users: Users primarily onsite with line of sight to a domain controller.
Remote users: Users who primarily use VPN (virtual private networks) or have hybrid identities.
Administrative controls: Whether password resets are driven by administrators or end-users.
Service account management: Considerations for service accounts, which often have never-expiring passwords.
Privileged identities: Special considerations for managing privileged cloud and on-premises accounts.
Users onsite with direct access to domain controllers
This scenario is the least complicated one: if all users are primarily onsite with line of sight to a domain controller, then a simple flag on every user account to require the user to change password at next logon can be used to enforce the password change. Users can be given a deadline and informed they are required to change their passwords by the deadline, and, if they fail to do so, their accounts will be disabled. Several PowerShell scripts are available online that allow for enumeration of users in specific organizational units (OUs) and manipulating the “User must change password at next logon” flag to facilitate a gradual password reset rollout so an organization’s helpdesk is not inundated. When the users arrive in the office and attempt to log on, a message will prompt them to change their passwords.
Gradual, but expedited expiration of passwords using Fine Grained Password Policies (FGPP) and the progressive reduction of password age through domain policy modifications offer alternative methods for enforcing a mass password reset for domain users. However, a significant drawback to this approach is the potential for a threat actor to remain within an authenticated session until a logon event triggers the password reset. When considering this method, it’s important to balance the urgency of credential changes with the need to provide users with a grace period. Since many organizations have a portion of their workforce operating remotely, this strategy is often employed as part of a broader series of steps designed to secure all user accounts across various scenarios.
Remote users who use VPN to access the environment
This scenario is more common when most users are primarily remote, or there is a mix of remote and onsite users. In this scenario, users rely on authentication mechanisms separate from their domain password; for example, certificate-based authentication. Once the users are authenticated using the VPN solution, they can be treated like the previous scenario since they will have line of sight to a domain controller.
An important consideration for remote users is whether you will execute an administratively managed password reset (which is where an admin resets credentials for users and relies on users to use self-service password reset (SSPR) to regain access) or allow users to change their credentials gracefully on their own.
This scenario becomes more challenging when the VPN solution relies on the domain password as one (or the primary) factor for authentication and the VPN solution does not support a password reset during the sign-in flow. In such a scenario, if the organization has been set up for SSPR before the incident occurs, it makes the password reset process much easier to handle. If an organization does not have SSPR capabilities, a mass password reset will require some manual intervention. This could take the form of users having to call in to the help desk or attend a centralized location that has been set up for this purpose, provide verification of their identity over voice, video, or in person, and then have their password manually reset.
Alternatively, for VPN solutions that do not support a password reset during the authentication flow, you may wish to consider migrating the authentication source of your VPN solution to Microsoft Entra ID either temporarily to allow the session to be interrupted with a password reset, or permanently to gain the benefit of additional Microsoft Entra ID features like Conditional Access policies.
Users primarily remote with hybrid (on-premises) identities
With hybrid identities, an organization’s identities (users and computers) are already synchronized to Microsoft Entra ID. In this scenario, line of sight to a domain controller is not a requirement to orchestrate a mass password reset. Microsoft Entra ID supports flagging users to reset their credentials at next sign-in, similar to on-premises Active Directory.
Admins can use Microsoft Graph to set the user attribute either to “forceChangePasswordNextSignIn” or “forceChangePasswordNextSignInWithMfa” on the desired users to interrupt their next sign-in and allow them to change their password gracefully. If the password writeback feature is enabled in Microsoft Entra ID and the organization’s users are enabled for SSPR, then a password reset via either the MyAccount portal or SSPR portal will ensure that the newly reset password is synchronized back on-premises. If password writeback and SSPR are already enabled, this is the scenario with the fastest route to threat actor removal and least amount of manual work. There are some scenarios where an organization may not want to use SSPR, which we will discuss later in this post.
Considerations for service accounts
Service accounts with their never-expiring passwords and traditionally overprivileged nature tend to be the bane of any Active Directory administrator’s existence. This is particularly problematic when a mass password reset must be performed and little-to-no inventory exists that maps applications to service accounts. An effort should be made to inventory all service accounts and their associated services and applications. Where possible, service accounts should be migrated to Group Managed Service Accounts (gMSA). This has the dual advantage of making service accounts more manageable and removing the manual overhead associated with service accounts. This is also a great opportunity to “right size” the service accounts that tend to be traditionally overprivileged.
Considerations for privileged identities
All privileged cloud accounts should have phishing-resistant MFA enforced. Also, it is strongly advised to use Just in Time (JIT) administration methods, for example Microsoft Entra ID Privileged Identity Management (PIM). In addition, there should exist a clear separation of on-premises and cloud administration with separate identities for each realm. Identities belonging to the privileged on-premises AD DS groups should not be synchronized to Microsoft Entra ID. Conversely, all privileged cloud roles should be held by cloud native identities and must not be synchronized from AD DS. Most organizations will choose to manually reset any privileged credentials for a high level of assurance and control. It is important to verify when passwords were reset with PowerShell or Microsoft Graph; otherwise, it is very likely that some accounts may be missed.
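One way to carry out the verification described above, and to see which accounts only carry the “User must change password at next logon” flag from the onsite scenario without having a new password yet. This is an added example, not code from the original post or from Microsoft; the function name, the reset start time and the sample accounts are constructed, and against a real domain the input would come from Get-ADUser in the ActiveDirectory module.

```powershell
# Added example (not from the original post). The function name, the reset
# start time and the sample accounts below are constructed for illustration.

function Get-PasswordResetStatus {
    [CmdletBinding()]
    param(
        # Object shaped like Get-ADUser output with
        # -Properties PasswordLastSet, pwdLastSet, PasswordNeverExpires
        [Parameter(Mandatory, ValueFromPipeline)]
        [object] $Account,

        # When the mass password reset began (assumed to be known to the responder)
        [Parameter(Mandatory)]
        [datetime] $ResetStart
    )
    process {
        # pwdLastSet = 0 is how AD stores "User must change password at next
        # logon"; Get-ADUser then reports PasswordLastSet as $null. The flag is
        # set, but the existing password has not been replaced yet.
        $status = if ($Account.pwdLastSet -eq 0 -or $null -eq $Account.PasswordLastSet) {
            'PendingChange'
        } elseif ($Account.PasswordLastSet -ge $ResetStart) {
            'Reset'
        } else {
            'Missed'
        }

        # Assumption: a never-expiring password is treated as a hint that this
        # is a service account and needs a coordinated manual reset.
        $note = if ($Account.PasswordNeverExpires -and $status -ne 'Reset') {
            'Password never expires: check service account inventory'
        } else {
            ''
        }

        [pscustomobject]@{
            SamAccountName  = $Account.SamAccountName
            Enabled         = $Account.Enabled
            PasswordLastSet = $Account.PasswordLastSet
            Status          = $status
            Note            = $note
        }
    }
}

# Helper that builds constructed sample accounts so the example runs offline.
function New-ConstructedAccount {
    param(
        [string] $Name,
        [Nullable[datetime]] $LastSet,
        [bool] $NeverExpires = $false,
        [bool] $Enabled = $true
    )
    [pscustomobject]@{
        SamAccountName       = $Name
        Enabled              = $Enabled
        PasswordNeverExpires = $NeverExpires
        PasswordLastSet      = $LastSet
        pwdLastSet           = if ($null -ne $LastSet) { $LastSet.ToFileTimeUtc() } else { 0 }
    }
}

$resetStart = [datetime]'2024-06-01 08:00'   # constructed value

$sample = @(
    New-ConstructedAccount -Name 'alice'      -LastSet ([datetime]'2024-06-02 09:15')
    New-ConstructedAccount -Name 'bob'        -LastSet $null   # flagged, not yet changed
    New-ConstructedAccount -Name 'carol'      -LastSet ([datetime]'2023-11-20 14:02')
    New-ConstructedAccount -Name 'svc-backup' -LastSet ([datetime]'2019-03-04 10:00') -NeverExpires $true
    New-ConstructedAccount -Name 'dave-old'   -LastSet ([datetime]'2022-01-10 08:30') -Enabled $false
)

$report = $sample | Get-PasswordResetStatus -ResetStart $resetStart

# Accounts that still need attention, then a per-status count.
$report | Where-Object Status -ne 'Reset' | Format-Table -AutoSize
$report | Group-Object Status | Select-Object Name, Count

# Against a real domain (requires the ActiveDirectory module):
# Get-ADUser -Filter * -Properties PasswordLastSet, pwdLastSet, PasswordNeverExpires |
#     Get-PasswordResetStatus -ResetStart $resetStart |
#     Where-Object Status -ne 'Reset'
```

Disabled accounts are reported rather than skipped because a stale password on a disabled account becomes usable again if the account is re-enabled.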
Assurance and control considerations for a mass password reset
As we’ve detailed, there are several different scenarios that necessitate a mass password reset. This means that there are different levels of control or assurance an organization might require while performing a mass password reset. When SSPR mechanisms can be reliably used to provide assurance, organizations can use that feature to accelerate a mass password reset.
However, there are situations where an organization may not want to use the existing SSPR solution. For example, when an advanced threat actor has abused the organization’s SSPR system, or where there is actual evidence of AD DS database exfiltration. In such a scenario the organization would likely not choose to use that mechanism to enforce the mass password reset because the threat actor could re-establish initial access or persistence via SSPR.
Where an organization seeks a high degree of control and assurance for a mass password reset there will, unfortunately, be an element of manual intervention. However, with preparedness ahead of time, Microsoft Entra ID features such as a Temporary Access Pass, when combined with Conditional Access policies, can be used to automate some aspects of assurance and control. In any event where a high degree of assurance and control is desired, some level of manual intervention to verify users’ physical identities and the issuance of such temporary access passes is inevitable. In a subsequent post we will examine different Microsoft Entra ID features that can be used to accomplish this.
Conclusion and next steps
There are several variables and considerations for a mass password reset, and there is no one-size-fits-all solution. However, we can, with adequate preparedness, make this process less onerous and more manageable for organizations.
We recommend exploring other blogs from Microsoft Incident Response for expert guidance and tailored solutions to improve your incident response capabilities. Additionally, consider the benefits of Microsoft Entra ID for advanced identity and access management, which can strengthen your defenses against identity-related breaches.
Partner Case Study Series | Iraya Energies
Using Microsoft Azure to serve the data needs of the energy industry
Headquartered in Kuala Lumpur, Malaysia, with offices in Singapore, the Philippines, Denmark, Norway, and the United States, Iraya Energies employs a talented mix of data scientists, geoscientists, and engineers. The tech startup became a Microsoft partner in December 2018 and has utilized Microsoft Azure for a few years. ElasticDocs Intuitive Knowledge Container, the company’s flagship product, is a cloud-enabled web solution that organizes, structures, and accesses unstructured data for the energy industry. It’s available in a Software-as-a-Service model through the Microsoft Azure Marketplace.
Iraya Energies implemented ElasticDocs on Azure to access graphics processing capabilities for machine learning training and inference for experimentations. ElasticDocs employs Azure Synapse Analytics and Azure Machine Learning resources. Azure Synapse Analytics lets users query data at scale using either serverless on-demand or provisioned resources, and Azure Machine Learning accelerates the creation and deployment of machine learning models.
Continue reading here
**Explore all case studies or submit your own**
Myths and misconceptions: Windows 11 and cloud native
Let’s discuss the myths around the move to cloud-native management, with Microsoft Intune and Microsoft Entra ID, and Windows 11. In this post, we will address some common questions and misconceptions by sharing insights and perspectives gathered from the conversations we’ve had with organizations of all sizes from around the globe this past year.
We understand that as an IT pro a big part of your role is to help manage change, and to mitigate risks when implementing those changes. So, when considering a joint move to cloud-native management and keeping up to date with Windows 11, why does the task seem so daunting? Is it a singular, monolithic project—or two distinct, related endeavors? Let’s look at the impact and progress you can make when you decouple the efforts and pursue them in parallel.
Misconception #1: To deploy Windows 11, you must also go full cloud native.
We hope everyone’s running a currently supported version of Windows 10 and well on their way to Windows 11. For those beginning that journey, you can confidently move to Windows 11 by leveraging your existing tooling. There’s minimal effort needed for IT admins and limited impact on the people in your organization. If you’re an IT admin, here’s what this means for you.
For those exploring the notion of cloud-native management, we encourage you to check out 3 reasons why now is the time to go cloud native for device management. If you have already embraced cloud-native management, you may be realizing benefits, and we encourage you to continue applying it to move devices forward. If you are already using Microsoft Intune for updates, then use Intune for your Windows 11 rollout. If you are still using Microsoft Configuration Manager, then use in-place upgrades in Configuration Manager.
You can accelerate and simplify the processes around upgrading and begin the move to cloud-native management by enabling co-management and moving the Windows Updates workload to Intune. This also enables you to schedule and deploy updates (including the Windows 11 upgrade) with Windows Autopatch and ultimately choose the level of control that’s best for your organization. This allows you to immediately take advantage of:
Cloud-delivered driver and firmware updates
Simplified configuration with automatic gradual rollouts
Safeguard holds to help protect against known compatibility issues
Using Windows Update for Business reports for Windows Updates in Microsoft Intune
Enabling Windows Autopatch allows you more time to focus on what adds value to your business by automating routine update management processes. With our detailed reports, Windows Autopatch provides actionable insights to speed up the process to secure your environment. For example, Westpac was able to transform its IT department and enable secure, inclusive, flexible work with Windows 11 Enterprise and Windows Autopatch.
From a provisioning perspective, we recommend you use Windows Autopilot to deploy your new Windows 11 devices as cloud native. In other words, these devices are natively joined to Microsoft Entra ID and managed by Microsoft Intune. We fully understand that the process of moving your entire estate of Windows devices to cloud-native management will take time. However, you shouldn’t keep provisioning new Windows 10 PCs with your current tools. Instead, whichever tool you’re using to deploy new PCs, make the switch to deploy Windows 11 now using that same tool.
Misconception #2: That name change means a bigger change.
When looking at the name change of Windows 10 to Windows 11, it’s easy to recall the past. Remember the large-scale, often multi-year projects that were required to get from Windows XP to Windows 7 and again from Windows 7 to Windows 10? This is not the case with moving to Windows 11.
The fact is that Windows 10 to Windows 11 is, by design, the same as a Windows 10 feature update. If you’re like most organizations, feature updates aren’t major projects. Windows 11 is built on Windows 10, even carrying a Windows 10 version number for the highest compatibility. So, you can take a more business-as-usual approach to this upgrade.
Misconception #3: Application compatibility is a risk when upgrading to Windows 11.
Windows 11 is built on the same foundation as Windows 10. It’s an evolution that improves upon Windows 10 strengths and addresses its limitations. Benefits of Windows 11 include enhanced security, productivity, and user experiences, all while maintaining existing app investments and workflows. As a continuation of Windows 10 servicing, Windows 11 is built with the same application compatibility you have come to know with Windows 10-to-Windows 10 feature updates.
Since the initial release, organizations moving to Windows 11 have observed that applications running on Windows 10 continue to run on Windows 11 without issues. In fact, we’ve noted a higher than 99.7% app compatibility between Windows 10 and Windows 11. You can and should be confident that the application compatibility processes used to get you to Windows 10 won’t need to be repeated when moving to Windows 11. Most organizations and independent software vendors (ISVs) simply haven’t seen a need to test each application to unblock Windows 11 because they just work.
In the unlikely event that you do encounter a compatibility issue, you’re equipped with tools to help you identify and resolve any compatibility problems. Microsoft App Assure service helps you proactively analyze app portfolios, fix and shim apps that might require a fix, and monitor app performance and reliability on Windows 11 before and after upgrading your organization.
Misconception #4: The Windows 11 experience change means business productivity will be adversely impacted.
You’ve probably heard various opinions on the look and feel of the user interface (UI) in Windows 11. As we saw in a Forrester Consulting study, Windows 11 helped organizations realize incremental productivity gains for information workers, as well as surges in productivity for the IT and security teams.
The most prominent UI change we made with Windows 11 is the visual aspect of the Start menu and taskbar. This enables a vastly better user experience when using wide screens. No more constant swiveling from the center to the bottom left of the screen! Additionally, you and your users have more options to personalize and customize your desktop experience.
The Start menu is also more adaptive and responsive across a broader array of devices and orientations. You can easily switch between tablet and desktop, and support multiple monitors with different resolutions, making it easier to work across different screens.
We’ve heard fantastic feedback from businesses where this user experience change helped rebuild confidence in the IT department as a team that adds value to the business. The conversation isn’t just about the user experience. The changing mindset of the IT team leads you to be more flexible with the delivery of solutions, while meeting the business where they are.
Misconception #5: Variation in device configuration increases total cost of ownership.
Multiple configurations support the dynamics of your business. Nearly all organizations have users with different roles and personas. Each might require different applications, tools, and configurations to accomplish their duties. Similarly, configuration complexity tends to increase with different geographies, languages, security controls, regulatory requirements, and more.
This transition is the same for Windows versioning: as you move to Windows 11, you’ll likely have devices at varying versions of Windows 10 alongside your Windows 11 devices. As you pursue a transition to cloud-native in parallel, you’ll likely end up with a matrix of versions and management/identity states.
There are ways to minimize the disruption of this transition and total cost of ownership. Striving to move all workloads to Intune — not just for cloud-native devices, but also for your existing devices — gets you to a single pane of glass for managing your estate.
For new devices, these should be deployed as Windows 11, cloud-natively managed. For existing devices, upgrade in place to Windows 11 and transition individual devices from hybrid to Microsoft Entra joined at the next planned device refresh. Leave a device in the hybrid joined state until it’s replaced or, opportunistically, when the device needs to be reimaged or reprovisioned. This approach has been used with great success by organizations that have completed their cloud-native transition.
Every step counts
While there are costs and risks associated with either adopting or resisting change, the move from Windows 10 to Windows 11 can be taken with confidence and considered business-as-usual. Indeed, many organizations have already built the muscle to successfully deploy the fourteen Windows 10 semi-annual feature updates to date, and Windows 11 simply represents their next rollout. The management tools, processes, and risk mitigations you have in place will continue to work for your Windows 11 deployment as they are today. Your organization should not be afraid of moving to Windows 11.
Embrace your parallel journey as an opportunity to optimize your IT processes, improve user experiences, and deliver more value to your organization. Your transition to the cloud, while related, shouldn’t delay or be delayed by your Windows 11 rollout. They are complementary activities, and we’re here to support you along the way:
Need tailored guidance to help with planning, preparation, and deployment? Explore FastTrack for Windows 11.
Looking for a step-by-step walkthrough of preparation and deployment, including security recommendations? Check out the Windows 11 setup guide.
Explore how to use Windows Update for Business reports for Windows Updates in Microsoft Intune.
Curious how to best keep your Windows ecosystem up to date? Try the Manage Windows updates in the cloud learning path.
Interested in Windows Autopatch? Check out What is Windows Autopatch?
Have questions? Join our monthly Windows Office Hours on the Tech Community. We have product and engineering experts from across Windows, Intune, Windows 365, public sector, security, and more on hand to help.
Continue the conversation. Find best practices. Bookmark the Windows Tech Community, then follow us @MSWindowsITPro on X and on LinkedIn. Looking for support? Visit Windows on Microsoft Q&A.
Pulling cell value based on sequence of numbers.
Hi,
I have created a spreadsheet to map data flow for my company and assign a scoring of 1 – 3 for four categories.
I have a list of risk ratings based on the 4 scores given.
The scoring looks like this on the main tab. I’ve added a section at the bottom of the first line to input the risk rating (which I’ll replicate when I’ve figured out how to do it). I want it to pull the rating from the list based on the 4 scores given.
So for the first entry from G8 in the example above, the risk rating will be ‘Low’, as it would flow 3,3,3,1, which is the third sequence on the left-hand list on the snip above.
I assume this would be easier if the risk rating list was in the same format as the scoring table on the main tab but I couldn’t work it out when I changed the list.
Any help would be appreciated, and apologies if my query is not clear.
SharePoint list threshold limit
Hi
We run an Access database connected to SharePoint Online lists. One of the lists has 16000 items and I need to add an additional field (type lookup), but when trying to add this I get an error saying “the attempted operation is prohibited because it exceeds the list view threshold”
I can’t seem to find a way to increase the 5000 threshold limit to get around this. Is the only option to remove items to get the limit under 5000 to then be able to add a field?
(we can’t create a new list and copy the data in as the autonumber ID from the existing list is used in the database)
Any suggestions would be appreciated!
Top Stories: June 11, 2024
Check it out!
English Top Stories: June 11, 2024 | Microsoft
Français À la une : 10 juin 2024 | Microsoft
Español Novedades más relevantes: 11 de junio de 2024 | Microsoft
Português Notícias principais: 11 de junho de 2024 | Microsoft
Safe Links API
Hi all,
I’m confused about the Safe Links feature which is called “Do not rewrite URLs, do checks via SafeLinks API only”.
There are two descriptions which are contradictory to me.
1st:
Do not rewrite URLs, do checks via SafeLinks API only: Select this option to prevent URL wrapping and skip reputation check during mail flow. Safe Links is called exclusively via APIs at the time of URL click by Outlook clients that support it.
(https://learn.microsoft.com/en-us/defender-office-365/safe-links-policies-configure)
2nd:
Do not rewrite URLs, do checks via SafeLinks API only: If this setting is selected (on), no URL wrapping takes place but the URLs are scanned prior to message delivery. In supported versions of Outlook (Windows, Mac, and Outlook on the web), Safe Links is called exclusively via APIs at the time of URL click.
(https://learn.microsoft.com/en-us/defender-office-365/safe-links-about)
So what exactly happens if I enable the API check only? Are links scanned prior to delivery or not?
Thanks
Date help
Dear Experts,
I have an issue like this, given a Column “A” with the dates, my settings are like this,
Text function to extract is not helping somehow in “B2” to get the Month for each row.
Thanks in Advance,
Br,
Anupam
How to download a SharePoint site template from the new Microsoft Lookbook New UI
Hi all,
Looks like Microsoft Lookbook has a new UI https://adoption.microsoft.com/en-us/sharepoint-look-book. However I don’t see any options/links to their repo to download a site template. The old UI redirects you to https://github.com/SharePoint/sp-dev-provisioning-templates. The new lookbook just shows information about the site template.
Does anyone know how I can download a site template from the new lookbook?
Thank you!
This is another big change for personal account users!
I wonder if there will be blocked accounts?
“Starting September 16th, Microsoft personal email account users (e.g. Outlook.com, Hotmail.com, Live.com) will need to move to Modern Authentication methods in their email application. These will be necessary for all Outlook users.”
Keeping our Outlook Personal Email Users Safe: Reinforcing Our Commitment to Security – Microsoft Community Hub
Exchange 2010 SP3 Upgrade failing Organization Checks
Hi
I’m working on a project to remove the last Exchange 2003 server from the Exchange 2010 organization, which has now completed.
The next phase is to introduce an Exchange 2016 Server into the existing 2010 org and set up for coexistence prior to migration. The main issue is that I need to upgrade all Exchange 2010 SP1 servers to SP3 to support Exchange 2016 and in production this is failing the Organization checks.
The upgrade worked fine in UAT, which uses the same AD functional level (Windows Server 2008R2) and consists of all Windows Server 2016 DCs, same as production.
Since starting to update production 2010 servers I receive the following message after the Organization checks fail:
I have tried to update to SP2, which was a mission to find the installer as it is ancient (same as Exchange 2010 I know!), but to the same result and have tried everything to resolve the issue but to no avail.
Current Prod
AD Schema version = 87 (Windows Server 2016)
Exchange Schema rangeUpper = 14726
Current UAT
AD Schema version = 87 (Windows Server 2016)
Exchange Schema rangeUpper = 15334
I have read that the solution may be to add a legacy Windows Server 2012 as there is a problem with SP3 updates on Server 2016 DCs, but it worked on these fine in UAT so I’m rather perplexed as to this being the only solution.
Can anyone give me further advice as to what could be attempted next please? – Before we bite the bullet and introduce a legacy 2012 server just to upgrade to Exchange 2010 SP3 and then remove as soon as done, assuming it works!!
Please any suggestions would be greatly received?
Thank you
MB
OneDrive Error -10001 in MacBook Pro M2 Pro with macOS14.5
After installing the newest version of the OneDrive app from the Microsoft website, the OneDrive app didn’t start correctly and popped up error code -10001. I cannot even click any button in the icon tool (top right corner), so it’s not possible to quit OneDrive or get into the settings page in the app.
I tried the following, but the issue keeps happening when the app starts up.
1. Move the OneDrive application to the trash and download the program again from official OneDrive web (version 24.086.0428.0003)
2. Reboot the MacBook
3. Update the macOS to latest macOS14.5 (2024-06-11)
4. Delete all the files that I can find in the Finder app
MacBook Pro 14″ 2023 M2 Pro, from Taiwan Apple Store
—
I tried to find a solution in Microsoft Community; however, the users who have the same error cannot fix their problems either!
More than 20 users clicked “I have the same question” under the error -10001 post. No one has responded that their problem was solved. I believe this error has been happening for more than one year.
1. FreyaVandenBroeck with MacBook Air MacOS 14.5 (23F79) on 01 Jun 2024
https://techcommunity.microsoft.com/t5/onedrive/onedrive-on-mac/m-p/4157541
2. Benjamin Wang1 with MacBook Pro 2019 Intel i9 MacOS 13.4. on 02 Jul 2023
https://answers.microsoft.com/en-us/msoffice/forum/all/onedrive-files-on-demand-didnt-start-error-code/9dbb2cab-e46b-4359-af4c-d12daf987ef7
Lockscreen text not showing up
Basically, whenever I turn off my pc and turn it back on, the lockscreen appears, but without text.
(I have absolutely no clue what label to use for this)
Part 6: Introducing Deployment Stacks to Azure Data Factory
Introduction
This is part 6 of our series on Azure Data Factory CI/CD. This section will cover how to incorporate Azure Deployment Stacks into your Azure DevOps Pipelines.
Architecture and Scenario
Creating resources in Azure
Create Azure Storage Containers
Create Azure Key Vaults
Create Azure Data Factory: With Key Vault Access
Configure Azure Data Factory Source Control
Construct Azure Data Factory Data Pipeline
Publishing Concept for Azure Data Factory
Configure Deployed Azure Resources.
The YAML Pipeline Structure
The Publish Process
ARM Template Parameterization
ADF ARM Template Deployment
How to use Azure DevOps Pipeline Templates
How to Deploy Linked Templates for Azure Data Factory
What are Deployment Stacks?
As per MS Learn documentation a Deployment Stack is:
An Azure deployment stack is a resource that enables you to manage a group of Azure resources as a single, cohesive unit. When you submit a Bicep file or an ARM JSON template to a deployment stack, it defines the resources that the stack manages. If a resource previously included in the template is removed, it will either be detached or deleted based on the specified actionOnUnmanage behavior of the deployment stack. Access to the deployment stack can be restricted using Azure role-based access control (Azure RBAC), similar to other Azure resources.
The TL;DR summary is that a deployment stack is an Azure resource that tracks what has been deployed as part of an ARM deployment. This allows us to destroy resources that are no longer part of the deployment.
How Does This Impact Data Factory?
When we are editing and building pipelines in our Data Factory, there is often the need to remove old Datasets, Linked Services, and/or Pipelines. If you are familiar with the ADF deployment process, then you are aware that we are deploying ARM templates in incremental mode.
This means that anything we remove from the Data Factory, such as a Linked Service, will still exist in the Data Factory’s upper environments, which we shouldn’t have portal access to. This is a security concern because it violates Least Privilege Access principles: the Data Factory could retain resources it no longer needs access to, specifically if leveraging things like connection strings. Additionally, there is a risk that pipelines that are no longer maintained could be triggered by accident in upper environments.
Thus, if we have a way to remove resources which are no longer defined in our collaboration branch, we should use it!
How to Implement?
So, Deployment Stacks may sound great, but how hard are they to add to our pipelines? Well, if you’ve been following along to this point and leveraging YAML Templates, not hard at all! If your pipelines aren’t leveraging YAML Templates, that’s alright, as the process isn’t all that complicated.
First, we have to understand that to implement Deployment Stacks it’s really just a different deployment command. In our previous posts we leveraged AzureResourceManagerTemplateDeployment@3. For Deployment Stacks there is no ADO task available so we will leverage the Azure CLI. This can also be done with PowerShell.
By changing the deployment command, we will be telling the Azure Resource Manager to deploy our resources like we were doing before AND create a deployment stack to track them.
This will be achieved by replacing our AzureResourceManagerTemplateDeployment@3 task with an Azure CLI task that executes the `az stack group create` command. Here is what the full expanded task would look like for a single environment, with just the minimum necessary.
- task: AzureCLI@2
  displayName: create deployment stack
  inputs:
    azureSubscription: AzureDevServiceConnection
    scriptType: 'pscore'
    scriptLocation: 'inlineScript'
    # Literal block (|) keeps the line breaks, so each PowerShell backtick continues the command.
    inlineScript: |
      az stack group create --name "DeploymentStackResourceName" --action-on-unmanage deleteAll `
        --deny-settings-mode denyDelete --resource-group "ResourceGroupName" `
        --template-file ARMTemplateForFactory.json --parameters "ParameterFile" `
        --yes
If you want to follow along with a template, please check out this task template I have created on my YAML Template Repository. Furthermore, building on our article leveraging deployment templates across environments, I have updated our ADF deployment job template to now deploy via stacks.
One note I will call out here: have no fear, the `create` command is effectively an upsert, so it will create the stack if it doesn’t exist and update it if it already does. Thus we can keep the command as `create`.
End Result
To keep the details short, I cloned the existing pipeline ‘pl_copy_data’ and renamed it ‘delete-me’. This was on purpose, as I wanted to see if it would delete the underlying LinkedServices or just the pipeline. To outline the steps up to this point:
1. Created a new pipeline from ‘pl_copy_data’ called ‘delete-me’
2. Deployed ADF with the new pipeline
3. Removed the ‘delete-me’ pipeline from my git-backed ADF instance
4. Redeployed my ADF instance
After these steps I now see the following under the Resource Group blade, Deployment Stacks:
We can now see that the /factories/pipelines type resource called ‘delete-me’ is showing in a deleted state. Just to confirm, I launched the ADF instance and looked at what pipelines are available to it:
This confirms that the delete-me pipeline has been successfully removed and that pl_copy_data and its Linked Services are still intact.
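To preview what a `deleteAll` stack update would remove before the pipeline runs it, the comparison below models the behaviour walked through above. It is an added example, not code from this series or from Azure; the template snippet, both inventories and the names ls_storage, ds_source and ls_old_sql are constructed, and it assumes resources the stack never deployed are left untouched.

```python
import json
import re

# Constructed sample: trimmed ARM template in the shape ADF publishes, after
# 'delete-me' was removed from the collaboration branch.
TEMPLATE = json.loads("""
{"resources": [
  {"type": "Microsoft.DataFactory/factories/pipelines",
   "name": "[concat(parameters('factoryName'), '/pl_copy_data')]"},
  {"type": "Microsoft.DataFactory/factories/linkedServices",
   "name": "[concat(parameters('factoryName'), '/ls_storage')]"},
  {"type": "Microsoft.DataFactory/factories/datasets",
   "name": "[concat(parameters('factoryName'), '/ds_source')]"}
]}
""")

PIPE = "Microsoft.DataFactory/factories/pipelines"
LS = "Microsoft.DataFactory/factories/linkedServices"
DS = "Microsoft.DataFactory/factories/datasets"

# Constructed sample: resources the stack recorded at the previous deployment.
STACK_MANAGED = {(PIPE, "pl_copy_data"), (PIPE, "delete-me"),
                 (LS, "ls_storage"), (DS, "ds_source")}

# Constructed sample: what exists in the factory. 'ls_old_sql' (hypothetical) was
# left behind by an earlier incremental deployment, before the stack existed.
DEPLOYED = STACK_MANAGED | {(LS, "ls_old_sql")}

_CHILD = re.compile(r"'/([^']+)'\s*\)\s*\]\s*$")


def child_name(arm_name):
    """Child name from "[concat(parameters('factoryName'), '/x')]" or "factory/x"."""
    match = _CHILD.search(arm_name)
    return match.group(1) if match else arm_name.rsplit("/", 1)[-1]


def template_resources(template):
    """Set of (type, child name) pairs the template defines."""
    return {(r["type"], child_name(r["name"])) for r in template.get("resources", [])}


def plan(template, stack_managed, deployed, action_on_unmanage="deleteAll"):
    """Classify deployed resources for the next stack update."""
    verbs = {"deleteAll": "delete", "deleteResources": "delete", "detachAll": "detach"}
    if action_on_unmanage not in verbs:
        raise ValueError(f"unknown actionOnUnmanage: {action_on_unmanage}")
    wanted = template_resources(template)
    dropped = set(stack_managed) - wanted  # tracked by the stack, gone from the template
    untracked = set(deployed) - wanted - set(stack_managed)  # never owned by the stack
    return {
        "keep": sorted(wanted & set(deployed)),
        verbs[action_on_unmanage]: sorted(dropped),
        "untracked": sorted(untracked),
    }


def incremental_leftovers(template, deployed):
    """What a plain incremental-mode deployment leaves in the environment."""
    return sorted(set(deployed) - template_resources(template))


if __name__ == "__main__":
    for bucket, items in plan(TEMPLATE, STACK_MANAGED, DEPLOYED).items():
        for rtype, name in items:
            print(f"{bucket:10} {rtype.rsplit('/', 1)[-1]:15} {name}")
    print("incremental mode would leave:", incremental_leftovers(TEMPLATE, DEPLOYED))
```

The "untracked" bucket is the part to review by hand: under the stated assumption, anything orphaned before the stack was introduced is not removed by later stack updates.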
Conclusion
By introducing Deployment Stacks into our ADF CI/CD pipelines, we now have a way to automatically remove resources that are no longer being leveraged by the Data Factory, via existing CI/CD processes. This is a big step toward cleaning up and securing one’s Azure Data Factory environment.
Please be sure to check out any of the blogs in our Unlock the Power of Azure Data Factory: A Guide to Boosting Your Data Ingestion Process Series and our series on YAML Pipelines, as well as TheYAMLPipelineOne on GitHub for additional YAML Pipeline references.
Microsoft Tech Community – Latest Blogs –Read More
3 Microsoft marketing campaigns that can help position your AI-powered solutions
The transformation to AI-based automation is a new reality for businesses worldwide. By 2025, it’s expected that 95% of all new digital workloads will deploy to the cloud and 90% of enterprise apps will use AI technology. As a Microsoft partner, you can leverage three customizable ready-to-use marketing campaigns to drive demand and convert leads.
The Era of AI campaign allows you to market your Azure AI solutions to help your customers quickly adopt and deploy Microsoft Copilot, solidify their technology foundation, leverage AI-infused SaaS apps and services, learn to use AI securely and responsibly, and much, much more.
Copilot for Microsoft 365 is a ready-to-use campaign that empowers you to show customers how real-time intelligent assistance, combined with their data, can enhance productivity.
With the Build and Modernize AI Apps campaign, you have a unique opportunity to drive the value of the Azure platform to build or modernize existing customer applications with AI.
Download digital marketing assets from the Partner Marketing Center (PMC) to market your AI-powered solutions that are aligned to Microsoft value propositions and messaging.
With go-to-market resources like these comprehensive Campaigns in a Box, not only can you stay ahead of the curve, but you’ll also empower your customers to harness the full potential of AI with Azure. Whether you’re adopting Microsoft Copilot, enhancing creativity and productivity with Copilot for Microsoft 365, or building and modernizing applications, your opportunities are virtually endless.
Start your campaign today in PMC
General availability of Azure WAF Bot Manager1.1 Ruleset
Today, we are launching the general availability of Bot Manager1.1 ruleset in Azure WAF integrated with Azure Front Door.
Bot Manager1.1 extends all the rules in the existing Bot Manager1.0 ruleset and adds multiple new rules to provide comprehensive bot management capabilities to web applications. The new capabilities introduced in this ruleset include new Goodbots rules and a new Badbots rule.
The main value prop of the new ruleset is to reduce false positives in good bot detections and increase true positives in malicious bot detections.
Benefits of the new rules in the Goodbots rule group:
Improving SEO rankings due to good bots crawling websites and reducing FP (false positive) seen by customers.
Customer websites are crawled by good bots which results in increased SEO (search engine optimization) rankings. With Bot Manager 1.1 ruleset, a comprehensive set of rules are added to the Goodbots rule group which allows a larger set of legitimate published bots. Examples of such Goodbots include Googlebot, Bingbot etc.
As a real-life scenario, we encountered an issue with the Bot Manager1.0 ruleset where certain Goodbots were absent, leading to blocked requests to web applications. For example, a valid Google crawler bot was getting blocked by the Bot Manager1.0 100200 rule, which resulted in lower SEO rankings for the customer and eventually disappearing from the SEO rankings. As a workaround, the customer disabled rule 100200 which brought their SEO rankings up but resulted in lowered protection from true malicious bots that have falsified their identities. Prior to implementing the Bot Manager1.1 ruleset, the only other alternative to allow legitimate crawlers was to add custom rules to allowlist their IP addresses. However, this approach posed challenges due to the dynamic nature of crawler IPs, which change frequently.
With the new updates to Bot Manager1.1, a comprehensive list of good bot IPs is added to the existing rule 200100 which results in lower false positive detections by the Bot Manager ruleset. The 200100 rule from Bot Manager1.0 ruleset is now revamped to only include good bots in the search engine crawler category.
Bringing clarity to the Goodbots rule group
With Bot Manager 1.1 ruleset, many new verified good bot rules have been added that target different categories of good bots. These new rules include the link checker, social media, content fetchers, feed fetcher and advertising bots. Additional bots that don’t fit into any particular category are added to 200200 as verified miscellaneous bots. This empowers customers to have granular control over their WAF policy. For example, if a customer does not wish to have social media bots crawling their sites, they can achieve this by changing the action associated with the social media rule.
Benefits of the new rule in the Badbots rule group:
Today customers see malicious bots carrying out many kinds of attacks. Examples include:
Scraping websites and spreading dis-information, executing targeted phishing attacks and social engineering attacks.
Spamming customer websites with form submission pages.
Manipulating rankings of content tooling websites’ analytics pages.
Launching denial-of-inventory attacks.
and many others.
The new Bot Manager1.1 ruleset incorporates a novel rule, Bot100300, which, complemented by the existing rules in the Badbots rule group, effectively mitigates malicious bot attacks.
Let’s take a closer look at the Bot Manager1.1 ruleset:
Goodbots rule group
The following screenshot describes the new good bot rules added to the new ruleset
The details of all the good bot rules are given below:
| Good bot rule ID | Status | Description | Explanation |
| --- | --- | --- | --- |
| 200100 | Updated | Verified search engine crawlers | Search engine bots - Google, Yahoo, Bing etc. |
| 200200 | Updated | Verified misc bots | All verified good bots that do not fit into any specific good bot category |
| 200300 | New | Verified link checkers | Link checker bots give information about a link or a domain name. They return the screenshot or metadata about the link that the user is trying to get to. |
| 200400 | New | Verified social media bots | Social media bots – Facebookbot, LinkedInbot etc. |
| 200500 | New | Verified content fetchers | Content fetcher bots retrieve content for websites on desktop, in-app browsers, mobile apps etc. |
| 200600 | New | Verified feed fetchers | Feed fetcher bots periodically refresh feeds like the RSS feeds requested by users. |
| 200700 | New | Verified Advertising bots | Advertising bots – GoogleAds, BingAds etc. |
The default action for all the new good bot rules is ‘allow’, but it is possible to change it to any of the supported actions.
Badbots rule group
The following screenshot describes the new bad bot rule, rule Bot100300.
The bots detected by the Bot100300 rule include risky IPs, flagged on the basis of a high risk score from threat intelligence. These IPs differ from those covered by the Bot100100 rule, which identifies verified malicious IPs detected by Microsoft Threat Intelligence and which are subject to a different set of criteria, including their Tactics, Techniques, and Procedures (TTPs), any related lateral threat activity seen from the IP, and other indicators of compromise.
The default action for Bot100300 is ‘block’, but it is possible to change it to any of the supported actions.
JavaScript(JS) challenge mitigation in Bot Manager1.1 ruleset
The ruleset supports the newly released JS challenge on AFD WAF as an action for any of the Bot Manager rules. The JS challenge is an addition to the existing actions and provides all the feature benefits of the invisible web challenge to protect web applications.
JS challenge action is available in Bot Manager 1.0 as well for backward compatibility.
How to enable Bot Manager1.1 ruleset
The Bot Manager1.1 ruleset can be assigned through the drop-down “Assign” option as part of the managed rulesets.
The new Bot Manager1.1 ruleset expands the bot management capabilities to provide comprehensive protection against malicious bots while allowing verified good bots to go through Azure WAF.
You can obtain more details about this feature on MS Learn at What is Azure Web Application Firewall on Azure Front Door? | Microsoft Learn and Azure Web Application Firewall DRS rule groups and rules | Microsoft Learn
Sowmya Mahadevaiah
Principal Product Manager, Azure Networking
Need to Locate data in workbook
Hello, spent hours on this over weeks and at a loss.
List of 10k+ acct #s and values ($) on a sheet, need formula to locate what other sheets/cells they are located in. Searching over 12 sheets in the same workbook. Potential of duplicate billings or missed, each sheet (beside master) is a processed billing. Helllp please.
ie.