Category Archives: Microsoft
Using Speech to text in Android & iOS App
I have to extract text from audio files (which are extracted from a video). Does this support MP3? The audio files can be of longer duration; should I use the SDK or the REST API?
Protecting Containers: A Primer for Moving from an EDR-based Threat Approach
Many security teams are familiar with an EDR-based approach to security. However, container protection within their cloud ecosystem can seem much more challenging and complex.
Protecting containers requires an understanding of the complete attack surface that containers expose, whether you are running them using an orchestrator like Kubernetes or locally using Docker.
In this article, we will describe the attack surface, how it compares and aligns with the security technologies you might already have, and then make the case for a stronger focus on pre-deployment protections, adding to standard EDR post-deployment detections.
Let’s start by looking at the container-based CI/CD deployment process that we will use in the article. We will discuss security controls (preferring Cloud Native) that you may need at each phase.
Note: This is a simplistic pipeline that you can customize. The idea here is to focus more on the foundational concepts related to container driven development/deployment.
Figure: Container-driven development and deployment pipeline
How Does Container Security Compare to Modern Work Security?
In general, we look to EDR to provide threat and anomaly detections and to take actions such as automated attack disruption. (Automatic attack disruption in Microsoft Defender for Business – Microsoft Defender for Business | Microsoft Learn)
We can also consider, earlier in the attack lifecycle, how to reduce attack surface on physical/virtual assets, (including mobile devices, laptops, workstations, and servers) with AV components such as Attack Surface Reduction (ASR) rules (Use attack surface reduction rules to prevent malware infection – Microsoft Defender for Endpoint | Microsoft Learn), which prevent attacks by blocking common entry points. Additionally, Microsoft Edge and Defender AV can detect and block “potentially unwanted applications.” (PUA) (Block potentially unwanted applications with Microsoft Defender Antivirus – Microsoft Defender for Endpoint | Microsoft Learn)
When we think about the purpose of EDR on a system, consider when, within the MITRE ATT&CK kill chain, defenders typically expect this solution to take effect. Some of the benefits include (not exhaustive):
Telemetry: collected from endpoints (user devices and servers). For containers, however, an EDR solution needs to be aware of the containerization technology and runtimes such as containerd that are present on the host.
Threat detection: the EDR needs to be sophisticated enough to detect container-specific attacks (see the MITRE Containers Matrix linked below).
Compliance: where your containers run on a Docker host, an EDR can help identify security weaknesses in the Docker host configuration (https://learn.microsoft.com/en-us/azure/defender-for-cloud/harden-docker-hosts).
The Importance of Shifting Left, In General
As we shift left in our threat driven approach to security, even with traditional solutions, managing vulnerabilities and misconfigurations is a logical step “left” in the kill chain, i.e., not just locking doors, but adding locks and fixing cracks on the small, hidden windows which might be attractive to an attacker with determined, malicious intent.
For a continued healthy security posture at scale, we can automate some of the post-breach activities, reducing time commitments, thereby shifting our focus to blocking or updating vulnerable applications, fixing over-privilege for browser extensions, addressing weak or self-signed certificates, and applying configuration baselines among other activities (many of which can also be automated.)
Since modern workers draw their applications from a massive library of republished SaaS solutions, without automation and prioritization, shifting left can be a tall task for security teams. Therefore, we layer on a threat-driven approach to prioritization, considering Microsoft’s visibility to the threat landscape, so organizations can quickly mitigate those vulnerabilities and misconfigurations that are accessible, exploitable, and with potential breach of sensitive or proprietary data first.
This technology has recently been described in the market as “XSPM.” With Microsoft’s native end-to-end, approach, we call this “exposure management.” (https://techcommunity.microsoft.com/t5/security-compliance-and-identity/introducing-microsoft-security-exposure-management/ba-p/4080907)
The Intricacies of Securing Containers Versus Endpoints or VMs Alone
Modern Work security often relies on securing proprietary applications that are deployed on end user devices. As a result, the attack vectors, corresponding techniques, and attack surface are very different from a container-based Enterprise Application. Refer to MITRE Containers Matrix: https://attack.mitre.org/matrices/enterprise/containers/
vs. the MITRE Windows Matrix: https://attack.mitre.org/matrices/enterprise/windows/
If you are using Kubernetes you should also consider https://microsoft.github.io/Threat-Matrix-for-Kubernetes/ (we will not do a deeper dive on Kubernetes in this article)
Container applications certainly complicate matters for security teams whose task is to reduce risk for the businesses they protect. Containers don’t follow the same rules as modern work environments when it comes to the existing threat landscape.
Since the purpose of using containers is efficiency, bundling application code with its dependencies for seamless, repeatable, and fast deployment at scale, protection must also support these business goals.
Does EDR Provide Any Protection for Containers?
Containers are inherently different from the end user's SaaS-driven assets because they are, by definition, DevOps assets, as we see from the figure above. Container images may be built with custom code (potentially with embedded secrets) while also drawing from libraries of pre-built (and therefore potentially vulnerable) binaries.
Therefore, “shifting left” takes on new meaning and requires a process driven DevOps or “code-to-cloud” approach to security.
Considering our earlier EDR-based methods for securing and protecting, we observe that containers are, at their essence, ordinary processes on the host, isolated from each other with kernel namespaces and cgroups and running with their own, optionally configured, network isolation (port controls). At runtime they share the host (VM) kernel; there is no separate guest kernel as with a virtual machine. The image carries the required application binaries and libraries as well.
So it follows that EDR could detect certain "broken rules" even in newly built container apps: anomalies would be detected if the app begins to act outside the normal bounds for an application. More specifically, as an example, signals related to "Create or Modify System Process" (https://attack.mitre.org/techniques/T1543/).
A capable EDR solution like Microsoft’s Defender for Endpoint (MDE) will cover several of these Techniques.
Additionally, as mentioned above, Defender for Servers P2 provides a set of Docker hardening recommendations aligned with the Center for Internet Security (CIS) Docker Benchmark.
Does EDR Provide Enough Protection for Containers?
But here, also, is where the phrase "too little, too late" comes to mind: containers at runtime are meant to deploy, shut down, and redeploy at scale.
Allowing EDR to kill a process to disrupt a potential attack might also mean shutting down entire business apps at scale, upsetting the balance between risk and business requirements. So EDR, though important on the host, will not be enabled with all of its powerful end-user-focused capabilities for container hosts/clusters.
Additionally, EDR might not be aware of the application libraries present in the containerized applications.
How Should Containers Be Secured Then?
Therefore, to properly reduce business risk, defenders, again, need to “shift left,” in this case, ensuring security as the image is being developed.
Like the layered approach for modern work, defense in depth means reducing the attack surface earlier in the kill chain and using protective and detective tools across the entire kill chain. For instance, in end-user environments you might use Defender for Office 365 for anti-phishing policies and to paint the full picture of potential phishing or malware in Teams before it ever touches the endpoint; you would look to Defender for Identity and Entra ID to mitigate identity risks and add detections such as lateral movement; and you would look to Defender for Cloud Apps to create SaaS app usage policies and alert on things like the unusual addition of credentials to OAuth apps.
We will need a similar suite of tools for containers based on how they work. Cloud Native solutions like Defender for Cloud provide a suite of capabilities that help you centrally achieve defense in depth.
Linting in the developer IDE as the application and Dockerfile (https://docs.docker.com/develop/security-best-practices) are built, for example with hadolint (https://github.com/hadolint/hadolint/releases).
Running static tests (SAST) as the code is checked in to repos such as GitHub: https://techcommunity.microsoft.com/t5/microsoft-defender-for-cloud/microsoft-defender-for-devops-github-connector-microsoft/ba-p/3818803
Running Dynamic Application Security Tests (DAST) as the code is deployed to a test environment, such as a test AKS cluster or a temporary Docker host. These are language agnostic and can be automated in a CI/CD pipeline, run on a schedule, or run independently as on-demand scans.
Image vulnerability scanning as the pipeline pushes the image to a container registry such as Azure Container Registry (ACR). Cloud-native solutions like Defender for Cloud integrate natively with the registry, which makes this step nearly frictionless (https://learn.microsoft.com/en-us/azure/defender-for-cloud/agentless-vulnerability-assessment-azure).
Once the application is deployed on the VM or Kubernetes cluster, you will want EDR-type technologies to monitor the container's runtime activity. If you are using Kubernetes, the solution should also cover the techniques in the Threat Matrix for Kubernetes (https://microsoft.github.io/Threat-Matrix-for-Kubernetes/). Defender for Containers, for example, provides such coverage (https://learn.microsoft.com/en-us/azure/defender-for-cloud/alerts-reference#deprecated-defender-for-containers-alerts).
There are many other controls that apply to securing the pipeline, such as restricting Kubernetes RBAC, ensuring images are pushed to and pulled from private registries only, and so on.
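As an added example (not code from the article, and not hadolint itself), here is a small Python linter that implements a handful of the Dockerfile checks such tooling performs at the IDE stage: an unpinned or latest base image, ADD instead of COPY, a secret-looking ENV/ARG, a curl-piped-to-shell install, and a final stage that never drops to a non-root USER. The two Dockerfiles and the rule names are constructed for illustration; the curl|sh check is my own addition beyond the Docker best-practices page linked above.

```python
"""Added example: a tiny Dockerfile linter modelled on a few Docker security
best practices. Not hadolint and not code from the article."""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    line: int      # line on which the (logical) instruction starts
    rule: str
    message: str


# Names suggesting a credential is being baked into an image layer (assumed heuristic).
SECRET_NAME = re.compile(r"(PASSWORD|SECRET|TOKEN|API_KEY|ACCESS_KEY)", re.I)
# "curl ... | sh" installs run unverified remote code at build time (assumed check).
PIPE_TO_SHELL = re.compile(r"\bcurl\b.*\|\s*(ba)?sh\b")


def logical_lines(text: str):
    """Yield (start_line, instruction_text), joining backslash continuation lines."""
    buf: list[str] = []
    start = 0
    for n, raw in enumerate(text.splitlines(), start=1):
        s = raw.strip()
        if not buf:
            start = n
        if s.endswith("\\"):
            buf.append(s[:-1].strip())
            continue
        buf.append(s)
        yield start, " ".join(buf).strip()
        buf = []
    if buf:
        yield start, " ".join(buf).strip()


def lint_dockerfile(text: str) -> list[Finding]:
    findings: list[Finding] = []
    last_user: str | None = None
    total = len(text.splitlines())
    for n, line in logical_lines(text):
        if not line or line.startswith("#"):
            continue
        instr, _, args = line.partition(" ")
        instr = instr.upper()
        if instr == "FROM":
            image = args.split()[0]            # drop "AS <stage>"
            name = image.split("/")[-1]        # ignore a registry:port prefix in the path
            if image != "scratch" and "@sha256:" not in image:
                tag = name.split(":", 1)[1] if ":" in name else None
                if tag is None or tag == "latest":
                    findings.append(Finding(n, "FROM_UNPINNED",
                                            "pin the base image to a tag (better: a digest)"))
            last_user = None                   # each stage starts as root again
        elif instr == "ADD":
            findings.append(Finding(n, "ADD_INSTEAD_OF_COPY",
                                    "use COPY; ADD fetches URLs and auto-extracts archives"))
        elif instr in ("ENV", "ARG") and SECRET_NAME.search(args):
            findings.append(Finding(n, "SECRET_IN_IMAGE",
                                    f"{instr} with a secret-like name persists the value in image layers"))
        elif instr == "RUN" and PIPE_TO_SHELL.search(args):
            findings.append(Finding(n, "PIPE_TO_SHELL",
                                    "curl|sh executes unverified remote code during the build"))
        elif instr == "USER":
            last_user = args.strip()
    if last_user in (None, "root", "0"):
        findings.append(Finding(total, "RUNS_AS_ROOT", "final stage does not switch to a non-root USER"))
    return findings


# Constructed sample: the kind of Dockerfile the IDE lint stage should reject.
WEAK_DOCKERFILE = """\
FROM python:latest
ADD app.tar.gz /app
ENV API_KEY=sk-example-not-a-real-key
RUN apt-get update && \\
    curl -sSL https://example.invalid/install.sh | sh
CMD ["python", "/app/main.py"]
"""

# Constructed sample: the same application with the findings addressed.
HARDENED_DOCKERFILE = """\
FROM python:3.12-slim
WORKDIR /app
COPY requirements.txt .
RUN pip install --no-cache-dir -r requirements.txt
COPY . .
RUN groupadd -r app && useradd -r -g app app
USER app
CMD ["python", "main.py"]
"""

if __name__ == "__main__":
    for label, df in (("weak", WEAK_DOCKERFILE), ("hardened", HARDENED_DOCKERFILE)):
        print(label, [(f.line, f.rule) for f in lint_dockerfile(df)])
```

Pass the contents of a real Dockerfile to lint_dockerfile; in a pre-commit hook a non-empty result fails the commit. Treat it as a model of what the IDE lint stage catches and use hadolint in practice, which covers far more rules.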
Summary
We saw that Container Security requires a holistic approach and simply relying on the traditional tools you use for securing your Modern Workspace will not suffice.
Cloud Native solutions like Defender for Cloud provide you with capabilities that allow centralized enforcement of layered security.
Revisiting Enterprise Policy as Code v10
As EPAC has reached version 10, it is time to revisit Enterprise Policy as Code (EPAC for short) to give you an update from the original post (https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/azure-enterprise-policy-as-code-a-new-approach/ba-p/3607843) published on September 12th, 2022.
The maintainers of the OSS project EPAC work daily with Microsoft's customers implementing Azure governance and security in general, and Policy implementation via EPAC more specifically. EPAC was born out of the need to manage Policy at scale while dramatically reducing the cost of implementation compared with traditional Infrastructure as Code (IaC) tools such as ARM, Bicep, and Terraform. Those tools are great for IaC in general; however, they lack knowledge of the dependencies between definitions, assignments, exemptions, and role assignments, and they offer none of the simplifications EPAC provides for Policy Assignments and Policy Exemptions. EPAC understands the dependencies and sequences the deployment correctly.
EPAC consists of PowerShell scripts and a starter kit:
Deployment scripts to create deployment plans, deploy the created Policy plan, and deploy the created role assignment plans. They can be executed manually (not recommended) or by any CI/CD tool capable of running PowerShell Core.
Scripts for operational tasks related to Policy, for example: creating remediation tasks at scale, extracting documentation, etc. Note: I’m not covering them in this article.
Hydration scripts, for the initial setup of EPAC. This is a work in progress. One of the scripts can extract existing Policy resources from Azure tenants in EPAC format to enable a smooth transition to EPAC.
Starter kit contains sample pipelines/workflows for Azure DevOps and GitHub.
For the details, please follow these links:
Documentation: https://aka.ms/epac.
PowerShell module in the PowerShell Gallery: https://www.powershellgallery.com/packages/EnterprisePolicyAsCode
GitHub repository with the source code: https://github.com/Azure/enterprise-azure-policy-as-code
Blog Posts:
Azure Enterprise Policy as Code – A New Approach (the original post): https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/azure-enterprise-policy-as-code-a-new-approach/ba-p/3607843
Azure Enterprise Policy as Code – Azure Landing Zones Integration: https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/azure-enterprise-policy-as-code-azure-landing-zones-integration/ba-p/3642784
Infrastructure as Code Testing with Azure Policy: https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/infrastructure-as-code-testing-with-azure-policy/ba-p/3921765
Azure Policy Recommended Practices: https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/azure-policy-recommended-practices/ba-p/3798024
Alexey Nazarov is starting a new series on Azure Policy. You can find the first entry: link will be added here when it is published.
Getting started
Decide on your approach!
EPAC is extremely flexible as you can implement any Policy development workflow, branching strategy, CI/CD tool, organizational structure for single and multi-tenant scenarios. The key decisions are:
Consume EPAC as a PowerShell module, or by forking the GitHub repo.
Implement GitHub flow (simple) or Release flow (allows for staged deployment of changes) as your CI/CD and branching approach.
One centralized team (recommended) or multiple teams (by function, and/or hierarchical) managing Policy.
Handling existing Policy implementation by
Exporting them into the EPAC repository and subsuming all existing Policies into EPAC (recommended)
Enabling co-existence with the desired state strategy set to ownedOnly. ownedOnly should be used only for a short transitional period (weeks); keeping it longer leads to increasing difficulty managing your Policy deployments.
Implementing EPAC
Create an empty git repository in your favorite source control tool.
Use the hydration kit or manually create the Definitions folder.
Populate the Definitions:
From scratch (see the starter kit).
From an export of your environment.
From Azure Landing Zones (https://learn.microsoft.com/en-us/azure/architecture/landing-zones/landing-zone-deploy). Note: EPAC contains great integration with Azure Landing Zones (https://azure.github.io/enterprise-azure-policy-as-code/integrating-with-alz/).
A combination of the above.
Create your CI/CD pipelines/workflows in your favorite CI/CD tool.
EPAC deployment scripts
EPAC contains three scripts to deploy Policy: Build-DeploymentPlans, Deploy-PolicyPlans, and Deploy-RolesPlans. They are separate scripts so that approval gates can be placed between planning and deployment, and so that the service principal executing each CI/CD job/stage can be granted only the privileges that step needs (least privilege).
EPAC environments
As with any other software development, Policy development requires a development and testing area for just Policy. This can be one or more EPAC environments.
Simple flow using GitHub Flow
In the simplest case you deploy the developed Policy resources to the tenant root, or to a pseudo root beneath the tenant root, for each tenant. The downside of this approach is that any mistake in Policy development immediately impacts production deployments, breaking your solutions' CI/CD and, in rare cases, even running systems. The obvious advantage is its simplicity. You would name such an environment with the generic word tenant or prod, or something descriptive of the tenant. If you have multiple tenants, your CI/CD will run multiple deployments (one per tenant).
Release flow
If you have differentiated your Azure tenant or tenants into nonprod and prod environments, using Release flow (https://devblogs.microsoft.com/devops/release-flow-how-we-do-branching-on-the-vsts-team/) makes more sense. Steps:
Develop Policy in a feature branch.
Pull request into main; a successful PR merge deploys Policy to nonprod.
Let it "soak" for a few days and observe whether it causes any issues for your solutions.
Creating a releases branch deploys the changes to prod.
If you need to deploy prod Exemptions during the "soak" period, you need a way to fast-track those Exemptions without deploying the Policy changes being "soaked". This is done with a releases-prod-exemptions-fast-track branch whose pipeline plans the deployment with Build-DeploymentPlans -BuildExemptionsOnly and deploys it with Deploy-PolicyPlans. No role changes occur in this pipeline.
Global settings file
The global-settings file global-settings.jsonc in the Definitions folder for Release flow would look like this (the pacOwnerId and tenantId values are placeholders):
{
  "$schema": "https://raw.githubusercontent.com/Azure/enterprise-azure-policy-as-code/main/Schemas/global-settings-schema.json",
  "pacOwnerId": "11111111-2222-3333-4444-555555555555",
  "pacEnvironments": [
    {
      "pacSelector": "epac-dev",
      "cloud": "AzureCloud",
      "tenantId": "77777777-8888-9999-1111-222222222222",
      "deploymentRootScope": "/providers/Microsoft.Management/managementGroups/mg-epac-dev",
      "desiredState": {
        "strategy": "full",
        "keepDfcSecurityAssignments": false
      }
    },
    {
      "pacSelector": "nonprod",
      "cloud": "AzureCloud",
      "tenantId": "77777777-8888-9999-1111-222222222222",
      "deploymentRootScope": "/providers/Microsoft.Management/managementGroups/mg-nonprod",
      "desiredState": {
        "strategy": "full",
        "keepDfcSecurityAssignments": false
      }
    },
    {
      "pacSelector": "prod",
      "cloud": "AzureCloud",
      "tenantId": "77777777-8888-9999-1111-222222222222",
      "deploymentRootScope": "/providers/Microsoft.Management/managementGroups/mg-enterprise",
      "managedIdentityLocation": "eastus2",
      "desiredState": {
        "strategy": "full",
        "keepDfcSecurityAssignments": false
      },
      "globalNotScopes": [
        "/providers/Microsoft.Management/managementGroups/mg-nonprod",
        "/providers/Microsoft.Management/managementGroups/mg-epac-dev"
      ]
    }
  ]
}
Policy Assignment and effect parameters
Using JSON for parameters works great for smaller Initiatives and single Policy Assignments. However, when assigning the big security and compliance-oriented Initiatives, such as Microsoft cloud security benchmark, NIST 800-53, and CIS (often several of them), defining effect parameters in JSON is cumbersome and time consuming: you need to define hundreds or even thousands of parameters. I had a customer with ~5000 lines of JSON just for the effect parameters, which makes the file hard to maintain and practically unreadable.
EPAC solves this problem by reading them from a spreadsheet (CSV file). The spreadsheet only defines the Policy name and the desired effect; EPAC figures out the parameter names and values for every Assignment driven by that spreadsheet. If an Initiative does not parameterize the effect, EPAC automatically generates overrides to implement it. Lastly, if the effect is Deny and the Policy appears in several assigned Initiatives, EPAC sets Deny in only one of them and Audit in the rest; this keeps the already hard-to-read error message a blocked request receives from being multiplied across Initiatives.
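To make the spreadsheet-driven behaviour concrete, here is an added Python model (not EPAC's own code) of the rules just described. The Initiative contents, parameter names and CSV rows are constructed, and the choice that the first Initiative in assignment order keeps the Deny is my assumption, since the article does not say which one EPAC picks. The output uses the parameters and overrides shapes of an Azure Policy assignment.

```python
"""Added example: CSV of policy name + effect -> per-Initiative parameters/overrides.
Model of the behaviour described in the article, not EPAC's implementation."""
from __future__ import annotations

import csv
import io

# Constructed model of two assigned Initiatives. Each member is
# (policyDefinitionReferenceId, policy display name, effect parameter name), where
# None means the Initiative hard-codes the effect, so an override is required.
ASSIGNED_INITIATIVES = {
    "mcsb": [
        ("storageNetwork", "Storage accounts should restrict network access", "effect-storageNetwork"),
        ("kvSoftDelete", "Key vaults should have soft delete enabled", None),
        ("storageHttps", "Secure transfer to storage accounts should be enabled", "effect-storageHttps"),
    ],
    "nist": [
        ("storageNetwork-nist", "Storage accounts should restrict network access", "storageNetworkEffect"),
        ("kvSoftDelete-nist", "Key vaults should have soft delete enabled", "kvSoftDeleteEffect"),
    ],
}

# Constructed spreadsheet: only the policy name and the desired effect.
EFFECTS_CSV = """name,effect
Storage accounts should restrict network access,Deny
Key vaults should have soft delete enabled,Deny
Secure transfer to storage accounts should be enabled,Audit
"""


def read_effects(csv_text: str) -> dict[str, str]:
    return {row["name"].strip(): row["effect"].strip()
            for row in csv.DictReader(io.StringIO(csv_text))}


def build_effect_settings(csv_text: str, initiatives: dict[str, list[tuple]]) -> dict[str, dict]:
    """Return {initiative: {"parameters": {...}, "overrides": [...]}}.

    Deny is applied in the first Initiative (assignment order) that contains the
    policy; every later Initiative gets Audit, so a blocked request yields one
    Deny message instead of one per Initiative.  Effects are written through the
    effect parameter when the Initiative exposes one, otherwise through an
    override keyed by policyDefinitionReferenceId.
    """
    desired = read_effects(csv_text)
    denied_once: set[str] = set()
    result: dict[str, dict] = {}
    for initiative, members in initiatives.items():
        parameters: dict[str, dict] = {}
        override_refs: dict[str, list[str]] = {}        # effect value -> reference ids
        for ref, policy_name, effect_param in members:
            effect = desired.get(policy_name)
            if effect is None:
                continue                                 # not in the spreadsheet: keep default
            if effect == "Deny":
                if policy_name in denied_once:
                    effect = "Audit"
                else:
                    denied_once.add(policy_name)
            if effect_param is not None:
                parameters[effect_param] = {"value": effect}
            else:
                override_refs.setdefault(effect, []).append(ref)
        overrides = [
            {"kind": "policyEffect", "value": value,
             "selectors": [{"kind": "policyDefinitionReferenceId", "in": refs}]}
            for value, refs in override_refs.items()
        ]
        result[initiative] = {"parameters": parameters, "overrides": overrides}
    return result


if __name__ == "__main__":
    import json
    print(json.dumps(build_effect_settings(EFFECTS_CSV, ASSIGNED_INITIATIVES), indent=2))
```

Three CSV rows replace what would otherwise be five parameter or override entries spread over two assignment files, and the Deny-once rule is applied mechanically rather than by hand.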
Efficient Exemption definitions
Normally, when creating an Exemption for a Policy that is included in multiple assigned Initiatives (a frequent occurrence with the built-in security and regulatory compliance Initiatives), you must define one Exemption per Policy, per Assignment, and per scope, and tediously look up the policyDefinitionReferenceId in each Initiative definition. For an average Exemption this can mean tens or even hundreds of entries in the definition files.
Starting with v10.0.0, this is simplified to one entry that specifies the Policy definition Id or name instead of a policyAssignmentId and policyDefinitionReferenceId. EPAC finds every Assignment that includes that definition, whether assigned directly or via an assigned Initiative, and creates one Exemption per relevant Assignment. EPAC generates unique names and augments the displayName and description of the generated Exemptions.
Starting with v10.1.0, instead of one scope per entry you can define a scopes array. EPAC generates a set of Exemptions for each scope, augmenting the displayName and description with the last segment of the scope (or a string override in the definition, written as the prefix before the colon in the example below). With five Assignments containing the specified Policy definition and the two scopes below, that yields ten Exemptions; with 16 scopes the number is an impressive 80.
{
  "exemptions": [
    {
      "name": "short-name",
      "displayName": "Descriptive name displayed on portal",
      "description": "More details",
      "exemptionCategory": "Waiver",
      "scopes": [
        "humanReadableName:/subscriptions/11111111-2222-3333-4444-555555555555",
        "/subscriptions/11111111-2222-3333-4444-555555555556/resourceGroups/resourceGroupName1"
      ],
      "policyDefinitionId": "/providers/microsoft.authorization/policyDefinitions/00000000-0000-0000-0000-000000000000"
    }
  ]
}
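As an added illustration (Python, not EPAC's implementation), the following expands the entry above into the individual Exemptions Azure requires. The six Assignments, the Initiative membership, the assignment scope and the name-suffix scheme are constructed assumptions; the key behaviour, one Exemption per matching Assignment per scope with the label taken from the prefix or from the last path segment, follows the description above.

```python
"""Added example: expand one EPAC-style exemption entry (policyDefinitionId +
scopes array) into per-Assignment, per-scope Exemptions. Model only."""
from __future__ import annotations

import hashlib

POLICY = "/providers/microsoft.authorization/policyDefinitions/00000000-0000-0000-0000-000000000000"
OTHER_POLICY = "/providers/microsoft.authorization/policyDefinitions/11111111-1111-1111-1111-111111111111"
MG = "/providers/Microsoft.Management/managementGroups/mg-enterprise"   # assumed assignment scope

# Constructed Assignments: five contain POLICY (four through Initiatives, one directly);
# "kv-only" assigns an Initiative that does not contain it and must produce nothing.
ASSIGNMENTS = [
    {"name": "mcsb", "members": {"storageNetwork": POLICY}},
    {"name": "nist", "members": {"storageNetwork-nist": POLICY}},
    {"name": "cis", "members": {"cis-3-7": POLICY}},
    {"name": "pci", "members": {"pci-1-2": POLICY}},
    {"name": "storage-direct", "policyDefinitionId": POLICY},
    {"name": "kv-only", "members": {"kvSoftDelete": OTHER_POLICY}},
]

# The entry from the article's example, as a Python dict.
EXEMPTION_ENTRY = {
    "name": "short-name",
    "displayName": "Descriptive name displayed on portal",
    "description": "More details",
    "exemptionCategory": "Waiver",
    "scopes": [
        "humanReadableName:/subscriptions/11111111-2222-3333-4444-555555555555",
        "/subscriptions/11111111-2222-3333-4444-555555555556/resourceGroups/resourceGroupName1",
    ],
    "policyDefinitionId": POLICY,
}


def split_scope(entry: str) -> tuple[str, str]:
    """'label:/scope' -> (label, scope); otherwise the label is the last path segment."""
    label, sep, path = entry.partition(":")
    if sep and path.startswith("/"):
        return label, path
    return entry.rstrip("/").rsplit("/", 1)[-1], entry


def matching_assignments(policy_id: str, assignments: list[dict]):
    """Yield (assignment, policyDefinitionReferenceId or None) for each Assignment
    that includes the Policy, directly or as a member of its Initiative."""
    for a in assignments:
        if a.get("policyDefinitionId", "").lower() == policy_id.lower():
            yield a, None
        for ref, definition in a.get("members", {}).items():
            if definition.lower() == policy_id.lower():
                yield a, ref


def expand_exemption(entry: dict, assignments: list[dict], assignment_scope: str = MG) -> list[dict]:
    out = []
    for assignment, ref in matching_assignments(entry["policyDefinitionId"], assignments):
        assignment_id = (f"{assignment_scope}/providers/Microsoft.Authorization/"
                         f"policyAssignments/{assignment['name']}")
        for scope_entry in entry["scopes"]:
            label, scope = split_scope(scope_entry)
            # Unique, deterministic name (assumed scheme): base name + hash of assignment and scope.
            suffix = hashlib.sha256(f"{assignment_id}|{scope}".encode()).hexdigest()[:8]
            ex = {
                "name": f"{entry['name']}-{suffix}",
                "displayName": f"{entry['displayName']} - {assignment['name']} - {label}",
                "description": f"{entry['description']} (assignment {assignment['name']}, scope {label})",
                "exemptionCategory": entry["exemptionCategory"],
                "scope": scope,
                "policyAssignmentId": assignment_id,
            }
            if ref is not None:          # Initiative assignment: narrow to the one member policy
                ex["policyDefinitionReferenceIds"] = [ref]
            out.append(ex)
    return out


if __name__ == "__main__":
    for ex in expand_exemption(EXEMPTION_ENTRY, ASSIGNMENTS):
        print(ex["name"], "|", ex["displayName"])
```

The direct assignment gets no policyDefinitionReferenceIds, while each Initiative assignment is narrowed to the single member that references the policy; without that narrowing the Exemption would silently exempt the whole Initiative at that scope.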
What we learned
Security and regulatory compliance Initiatives
Limit the number of assigned Initiatives to a handful or less. Always assign ‘Microsoft cloud security benchmark’; Defender for Cloud relies on the input generated by the included Policies.
Management Groups and Policy Resources
Custom Policy/Initiative Definitions and Policy Assignments need to be deployed at a scope. They should always be deployed at the top Management Group (MG) in each tenant. That MG should be the single MG (no siblings) underneath the “Tenant root group” as recommended by Microsoft (see https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/ready/landing-zone/design-areas) or at the actual “Tenant root group” if you are not following Microsoft’s recommendation verbatim. Keep the management group names and display names the same readable name to keep Policy and RBAC elements readable. Do not use GUIDs or other obfuscated names for management groups.
Policy Assignments
Policies are inert elements in Azure until you create a Policy Assignment at a scope. Each assignment should:
Define a semi-readable short name (Azure limits the name to 24 characters at management group scope).
Define a readable displayName (visible in Portal).
May have metadata, such as a work item id.
Assignments containing Policies with Modify or DeployIfNotExists effects require a Managed Identity (MI). The MI must be granted the Azure roles specified in the details section of each Policy rule; EPAC calculates these role assignments. I prefer a system-assigned MI because its service principal cannot be used outside the single Assignment it belongs to, eliminating the (already minimal, as Azure provides controls on its usage) threat of malicious use. However, to reduce the number of role assignments, a user-assigned MI can be used.
Custom Definitions
First question the need for any custom Policy/Initiative definition requested. While the built-in Policies are not perfect, the choices made are often made due to constraints and conflicts between settings and include tradeoffs in risk versus usability. If you still think you need custom definitions, sleep on it, and revisit the topic one more time.
If you have multiple tenants, the same definition should be propagated to every tenant by EPAC (DRY principle). Do not use a separate repo per tenant; that leads to copy/paste drift (the WET anti-pattern).
Policy Exemptions
Even with the best intentions some Policies may get in the way. If there is a business reason within acceptable risk parameters, you can grant an Exemption.
Exemptions come in two categories (the exemptionCategory property, which has no technical effect on evaluation):
Mitigated: most often used for permanent Exemptions. An example is allowing public IP access to a storage account that is used as an upload folder AND applying mitigations such as virus scans and deleting processed data.
Waiver: most often used for temporary Exemptions to allow a solution team to fix their non-compliant deployment. Generally granted until the Monday after the ETA (estimated time of arrival) for the fix.
Exemptions allow metadata. Add a link in metadata to the work item (e.g., Azure DevOps work item, GitHub issue, Jira ticket, etc.) to keep a record of why the exemption was granted and who granted it.
If you exempt an entire subscription with a Mitigated, it is likely that you should have used notScope (called Excluded Scope in Azure Portal) in the Assignment instead.
Warning: When you delete a Policy Assignment with Exemptions, then the Exemptions are not deleted and become orphaned.
Operating Azure Policy
Operational tasks (e.g., Remediation tasks, generating documentation) must be scripted. Do not use CI/CD tools to execute operational tasks since CI/CD is intended to deploy resources, not to operate those resources.
Keeping track of built-in Policy changes
I frequently consult AzAdvertizer (https://www.azadvertizer.net/). In addition, I keep track of changes by cloning and following Microsoft’s official Azure Policy repo on GitHub (https://github.com/Azure/azure-policy/tree/master/built-in-policies). When I receive an email about a merged PR (pull request), I’ll fetch the latest version from GitHub into my clone. This allows me to use Visual Studio Code on my local clone instead of using Azure Portal or GitHub web interface.
That’s it for this round
Remember to thoroughly test the code and policies in a safe environment before deploying to production. If there are any issues with the code, please raise a GitHub Issue.
Until next time.
Disclaimer
The sample scripts are not supported under any Microsoft standard support program or service. The sample scripts are provided AS IS without warranty of any kind. Microsoft further disclaims all implied warranties including, without limitation, any implied warranties of merchantability or of fitness for a particular purpose. The entire risk arising out of the use or performance of the sample scripts and documentation remains with you. In no event shall Microsoft, its authors, or anyone else involved in the creation, production, or delivery of the scripts be liable for any damages whatsoever (including, without limitation, damages for loss of business profits, business interruption, loss of business information, or other pecuniary loss) arising out of the use of or inability to use the sample scripts or documentation, even if Microsoft has been advised of the possibility of such damages.
Boost your career with the help of our latest Azure skilling resources
Like a fast-approaching deadline on a crucial project, the pace of technological advancement can feel daunting. With rapid developments in areas such as AI, cloud optimization, app development, and data analysis, what’s the best way to advance your career?
In this comprehensive overview, we'll supply you with the latest and greatest of our curated Azure learning resources. Level up your technical skills and unlock exciting career possibilities related to our top five Azure solution areas:
Data insights with Microsoft Fabric
Enhance developer productivity
The future is AI-powered, and you can be the architect
The AI revolution is well underway. As it fundamentally reshapes our interactions and experiences with technology and the cloud, now is the time to catch up on how Azure AI works.
Let Microsoft Copilot guide your way to inspiration
One of our most exciting recent developments is Microsoft Copilot, an AI companion that works everywhere you do and intelligently adapts to your needs. In our new video series, you will find the best resources for learning how to use Copilot:
Episode 1: Get an overview of Microsoft Copilot and get skilling resources for Dynamics 365 and Power Platform.
Episode 2: Discover available learning resources for GitHub Copilot.
Episode 3: Watch a demonstration of how to set up and use GitHub Copilot with Visual Studio Code and GitHub Codespaces for JavaScript and Python development.
Convenient, efficient data storage with Azure Cosmos DB
After learning how to use Microsoft Copilot to help you develop a new AI-powered intelligent app, you’ll need somewhere to store and manage all that data. Imagine a giant, super-flexible storage box for all your app’s data, accessible from anywhere in the world. That’s Azure Cosmos DB in a nutshell.
Developers around the world recently got started learning about this data storage game changer with our Azure Cosmos DB Developer Cloud Skills Challenge. This free, interactive, cheerfully competitive learning experience is built on task-based achievements to help advance your technical skills and prepare for Microsoft role-based certifications.
Accept the challenge to build intelligent apps
Developing your core skills for developing AI-powered intelligent apps is a great way to stay competitive in the market—but we want to make it fun, too. So we launched a series of skills challenges that combine AI, cloud-scale data, and cloud-native app development to put you on the fast track and earn badges along the way!
Maximize Microsoft Fabric for unprecedented data insights
Don’t let data blind spots hold your business back. Microsoft Fabric empowers you to unlock the hidden potential of your data, fueling smarter decisions that drive growth and mitigate risk.
Decipher your data with a little help from your friends
Our Microsoft Fabric Learn Together series has already helped hundreds of data devotees prepare for the Fabric Analytics Engineer Associate certification exam. Watch previous sessions on-demand to help you complete the associated learn module and check back to see when the next live series drops.
Speaking of dream teams, we also recently launched our Fabric Global AI Hack on GitHub. Our experts set up a virtual playground for creating and experimenting with Fabric, and teams submitted their best Fabric AI hacks to win prizes.
The friendly competition didn’t stop there. We also put together two Cloud Skills Challenges to sharpen participants’ data analysis abilities. Anyone looking for a future as a Fabric Analytics Engineer had the chance to earn 50% off their certification exam.
Dive deep into data analytics with these live events
Looking to whip your tech skills into shape? Our Microsoft Virtual Training Days are two-day, four-hour sessions, packed with practical knowledge and interactive exercises for in-demand skills related to Fabric.
Learn even more about Microsoft Fabric, including how you can earn 100% off the cost of a certification exam, at the Fabric Career hub.
Unleash your inner coding machine to enhance developer productivity
With the growing complexity of intelligent apps, unlocking developer productivity is key to building the future. Working smarter and more efficiently is more important than ever, and we’re here to show you how.
Choose your own coding adventure
We recently launched a pair of Cloud Skills Challenges focused on different coding languages but with a shared goal: Teach developers what they need to know to produce effective, efficient code.
The Python Data Science Cloud Skills Challenge has been helping developers become more efficient with this versatile language, especially when building complex applications. Likewise, the Java Apps on Azure Cloud Skills Challenge paved the way for participants to start building, migrating, and scaling Java apps using Azure services.
For more, dive into our complete collection of GitHub and Azure developer learning resources.
Migrate and modernize to the cloud and unlock endless possibilities
Ditch the server headaches. Migrating to the cloud empowers your business with agility, scalability, and a whole lot less IT burden. Explore these recent Azure resources to learn more about migrating and modernizing your tech stack.
Become a guardian of cloud-based data
Want to keep your databases running smoothly and securely? As an Azure Database Administrator, it’s your duty to keep cloud-based data accessible, secure, and performing at its best. One of our recent Cloud Skills Challenges addressed the operational aspects of cloud-native and hybrid data platform solutions.
Take database performance to the next level
The learning resources in our Azure migrate and modernize collection are geared toward helping you better understand how to improve performance with the latest Azure capabilities.
Optimize your cloud resources to supercharge performance
Whether you’re new to the cloud or have already migrated your on-prem workloads to Azure, it’s critical to learn to maximize your investment. Get the most out of your cloud to boost your ROI and watch your success soar.
Make the most of Azure with interactive events
Optimization on Azure is all about getting the most value out of your cloud investment. Our Azure Optimization Cloud Skills Challenge gathered participants to conquer a curated set of lessons about optimizing cloud architectures and workloads—all in 30 days or less.
In our new Optimization Learn Live video series, Azure experts guide learners through using optimization tools effectively, including the Cloud Adoption and Well-Architected frameworks, Azure Pricing, Microsoft Cost Management, and Azure Advisor.
Finally, Azure Optimization Virtual Training Days covered aspects of Azure optimization for learners of any skill level. They had the opportunity to experience implementing security controls, preparing cloud environments with Azure Landing Zones, and assessing and remediating deployed workloads for cost-optimization, operational excellence, performance efficiency, reliability, and security.
Explore optimization at your own pace with these resources
Optimization is a big topic, with several solutions and concepts to learn that will help you thrive in a cloud-based job. Design for optimization from the start and learn to monitor, manage and optimize existing environments in Azure Optimization Learn Modules.
Dig into learning about Azure pricing with top resources on optimizing your cloud compute costs through Azure Reserved Instances and Azure Savings Plans. Learn more about which option is right for your organization based on usage and workloads, and start saving!
Microsoft Tech Community – Latest Blogs –Read More
Attack Simulation Training is now available for GCC High and DoD customers
We are excited to announce that Attack Simulation Training is now available in Department of Defense (DoD) and Government Community Cloud High (GCC High) environments.
Attack Simulation Training is an intelligent phish risk reduction tool that measures behavior change and automates deployment of an integrated security awareness training program across an organization. Through this platform you get a safe and controlled environment to gauge awareness levels, identify vulnerabilities, and improve overall security posture. It is designed to simulate realistic phishing attack scenarios, allowing you to see how your end-users would perform in the case of an actual attack. This gives valuable feedback on areas where enhancements can be made, and helps organizations to better comprehend the tactics, techniques, and procedures used by attackers.
Additionally, you can run training-only campaigns independently of simulations to make sure that your end users have robust knowledge and skills for recognizing different attack patterns and reporting them. There are 90+ training modules available from Terranova and SANS.
Please note that certain features, such as payload automation, MDO recommended payloads, the ML-based predicted compromise rate, and the Attack Simulation Training Graph APIs, are not available in the GCC High and DoD environments.
Get started:
Attack simulation training can be accessed through the web portal at:
Department of Defense (DoD) environment: https://security.apps.mil
Government Community Cloud High (GCC High) environment: https://security.microsoft.us
You can access it under the Email & collaboration menu in the Microsoft Defender portal (as shown in the screenshot below):
The documentation is the same as for the worldwide environment. You can refer to the documentation here: Get started using Attack simulation training | Microsoft Learn
License check:
If your organization has any of the following licenses, you will be able to access Attack simulation training in the Microsoft Defender portal:
DoD: Microsoft 365 G5, Office 365 G5, Microsoft 365 G5 Security, Microsoft Defender for Office 365 (Plan 2) for DoD
GCC High: Microsoft 365 E5 for GCC High, Microsoft 365 G5 Security for GCC High, Office 365 E5 for GCC High, Microsoft Defender for Office 365 (Plan 2) for GCC High
Learn more about licensing requirements at Microsoft 365 Defender for US Government customers | Microsoft Docs.
Announcing General Availability of Microsoft Entra External ID
I’m thrilled to announce that Microsoft Entra External ID, our next-generation, developer-friendly customer identity access management (CIAM) solution will be generally available starting May 15th. Whether you’re building applications for partners, business customers or consumers, External ID makes secure and customizable CIAM simple.
Microsoft Entra External ID
Secure and customize external identities’ access to applications
Microsoft Entra External ID enables you to:
Secure all identities with a single solution
Streamline secure collaboration
Create frictionless end user experiences
Accelerate the development of secure applications
Secure all identities with a single solution
Managing external identities, including customers, partners, business customers, and their access policies can be complex and costly for admins, especially when managing multiple applications with a growing number of users and evolving security requirements. With External ID, you can consolidate all identity management under the security and reliability of Microsoft Entra. Microsoft Entra provides a unified and consistent experience for managing all identity types, simplifying identity management while reducing costs and complexity.
Building External ID on the same stack as Entra ID allows us to innovate quickly and enables admins to extend the Microsoft Entra capabilities they use to external identities, including our industry-leading adaptive access policies, fraud protection, verifiable credentials, and built-in identity governance. Our launch customers have chosen External ID as their CIAM solution as it allows them to manage all identity types from a single platform:
“Komatsu will be using Entra External ID for all external-facing applications. This will help us deliver a great experience to our customers and ensure we’re a trusted partner that is easy to do business with.”
– Michael McClanahan, Vice President, Transformation and CIO
Streamline secure collaboration
Boundaries between consumers and business customers are blurring, as are the boundaries between partners and employees. Collaborating with external users like business customers and partners can be challenging; they need access to the right internal resources to do their work, but that access must be removed when it’s no longer needed to reduce security risks and safeguard internal data. In this changing world, even trusted collaboration needs least-privilege safeguards, strong governance, and pervasive branding. With ID Governance for External ID, the same lifecycle management and access management capabilities for employees can be leveraged for business guests as well. Guest governance capabilities complement External ID B2B collaboration that’s already widely used by Entra customers worldwide to make collaboration secure and seamless.
For example, you may want to collaborate with an external marketing agency on a new campaign. With B2B collaboration, you can invite the agency staff to join your tenant as guests and assign them access to the relevant resources, such as a Teams channel for communication, a SharePoint site for project management, and a OneDrive folder for file sharing. Cross-tenant access settings allow you to have granular controls over which users from specific external organizations get access to your resources, as well as control which external organizations your users access. ID Governance for External ID will automatically review and revoke their access after a period of inactivity or when the project is completed. This way, you can seamlessly collaborate while ensuring only authorized external users have access to internal resources and data.
Create frictionless end user experiences
Personalized and flexible user experiences are critical to drive customer adoption and retention. External ID lets you reduce end-user friction at sign in by natively integrating secure authentication experiences into your web and mobile apps. You can leverage a variety of authentication options, such as social identities like Google, Facebook, local or federated accounts, and even verifiable credentials to make it easy for your end users to sign-up/sign-in. External ID enables you to immerse end-users in your brand and create engaging user-centric experiences with progressive profiling, increasing end-user satisfaction and driving brand love.
External ID allows you to further personalize and optimize end-user experiences by collecting and analyzing end-user data, improving their user journey while complying with privacy regulations. Our user insight dashboards help monitor user activities and sign-up/sign-in trends, so that you can assess and improve your end-user experience strategy with data.
Accelerate the development of secure applications
Identity is a foundational building block of any modern application, but many developers may have little experience integrating identity and security into their apps. External ID turns your developers into identity pros by making it easy to integrate identity into web and mobile applications with a few clicks. Developers can get started creating their first application in minutes either directly from the Microsoft Entra portal or within their developer tools such as Visual Studio Code. We recently announced that our Native Authentication now supports Android and iOS, allowing developers to build pixel-perfect sign-up and sign-in journeys into mobile apps using either our API or the Microsoft Authentication Library (MSAL):
“A mobile app sign in journey could have taken us months to design and build, but with Microsoft Entra External ID Native Auth, it took the team just one week to build a functionally comparable and even more secure solution.”
– Gary McLellan, Head of Engineering Frameworks and Core Mobile Apps, Virgin Money
Backed by the reliability and resilience of Microsoft Entra, developers can launch from a globally distributed architecture designed to accommodate the needs of growing user bases; ensuring their external-facing apps can handle millions of users during peak periods, without disrupting end-user experiences or compromising security.
Try it out!
We are currently offering an extended free trial for all features until July 1, 2024!* Start securing your external-facing applications today with Microsoft Entra External ID.
After July 1st, you can still get started for free and only pay for what you use as your business grows. Microsoft Entra External ID’s core offer is free for the first 50,000 monthly active users (MAU), with additional active users at $0.03 USD per MAU (with a launch discounted price of $0.01625 USD per MAU until May 2025). Learn more about External ID pricing and add-ons in our FAQ.
*Existing subscriptions to Azure AD B2C or B2B collaboration under an Azure AD External Identities P1/P2 SKU remain valid and no migration is necessary – we will communicate upgrade options once they are available. For multi-tenant organizations, identities whose UserType is external member will not be counted as part of the External ID MAU. Learn more.
Learn More
Want to learn more about External ID? Check out these resources:
Website
Documentation
Developer Center
Learn more about Microsoft Entra
Prevent identity attacks, ensure least privilege access, unify access controls, and improve the experience for users with comprehensive identity and network access solutions across on-premises and clouds.
Microsoft Entra News and Insights | Microsoft Security Blog
Microsoft Entra blog | Tech Community
Microsoft Entra documentation | Microsoft Learn
Microsoft Entra discussions | Microsoft Community
Introducing the 2024 Imagine Cup World Championship Judges!
Get ready for the pinnacle of startup innovation as the Imagine Cup World Championship unfolds live at Microsoft Build on May 21! Three outstanding startups from across the globe are poised to showcase their AI solutions on the global stage, vying for the coveted title and a chance to win USD 100,000 and a mentorship session with Microsoft Chairman and CEO, Satya Nadella.
Since the start of the 2024 season back in October, the competition has been a journey of collaboration with expert mentors and growth for participating startups. From a pool of tens of thousands of applications, the field was narrowed to the elite semifinalists, and now, only three world finalists remain.
As the anticipation mounts for the grand finale, our esteemed panel of judges faces a daunting task. Drawing on their industry expertise and personal insights, they will meticulously evaluate each startup’s pitch and engage in Q&A sessions. Their evaluation criteria extend beyond mere innovation to encompass the responsible use of AI technology, accessibility for all users, and the fundamental business viability of each startup.
The culmination of this journey promises to be nothing short of spectacular. Live on the global stage, the judges’ decision will be unveiled, determining the ultimate champion of the 2024 Imagine Cup!
But who are the discerning minds tasked with determining the 2024 World Champion?
Let’s meet the judges!
Ali Partovi: CEO, Neo; Co-founder of Code.org
Ali Partovi heads Neo, a startup accelerator, diverse mentorship community, and VC fund that helps tomorrow’s tech leaders maximize their potential. Ali invests in people smarter than himself and has backed Airbnb, Dropbox, Facebook, & Uber.
He grew up in Tehran during the Iran-Iraq war, attended Harvard, and sold his first startup, LinkExchange, in 1998. He co-founded Code.org (#HourOfCode) to bring Computer Science to classrooms. He’s passionate about education and loves climbing, guitar, puzzles, and family.
Annie Pearl: Microsoft Corporate Vice President of Ecosystems
As Microsoft Corporate Vice President of Ecosystems, Annie Pearl leads a globally-distributed organization that empowers current and future customers to discover and engage with AI capabilities on the Microsoft Cloud. Teams under her oversight develop and build on platforms, such as Founders Hub and Microsoft Learn, to reach new audiences, skill them on Microsoft’s technology, and help them build the most innovative and AI-driven solutions.
Annie joins Microsoft with 15+ years of tech leadership experience in both startup ventures and established enterprises. She served as the Chief Product Officer at Calendly, a premier scheduling automation platform. There, she led the end-to-end strategy and execution of the product vision and roadmap. Under her guidance, Calendly achieved remarkable growth, solidifying its position as the leading scheduling automation tool in the market.
Before her tenure at Calendly, Annie held the role of Chief Product Officer at Glassdoor, where she shaped the product vision and user experience for millions of job seekers and employers worldwide. Earlier in her career, she led Enterprise product teams at Box, contributing to its trajectory both before and after its 2015 IPO. Notably, Annie also played a pivotal role as the VP of Product and a founding team member at Xpert Financial, an early-stage financial services startup.
Annie started her career as a Lawyer and held roles in management consulting before transitioning to the tech industry.
Elnaz: Founder & CEO, ROYBI (Roybi Robot & RoybiVerse)
Elnaz is a successful entrepreneur and CEO, renowned for her innovations in the field of EdTech, AI, and Robotics. She is the founder of ROYBI® Robot, an AI-powered smart toy that teaches children language and STEM skills. This groundbreaking product has won several prestigious awards, including being named one of TIME Magazine’s Best Inventions in Education and winning the World Economic Forum smart toy award.
With over 15 years of experience as a serial entrepreneur, Elnaz has established herself as a leader in the industry. As the CEO of ROYBI, an investor-backed EdTech company, she has raised millions in funding to focus on early childhood education and self-guided learning through artificial intelligence.
Elnaz’s journey to success has been shaped by her early experiences growing up as a woman in Iran, where opportunities were limited. However, her drive and passion for entrepreneurship led her to the U.S., where she has significantly contributed to the tech industry. Her achievements include being selected as Inc. Top 100 Female Founders, Nasdaq Entrepreneurial Center Milestone Maker, named the Woman of Influence by Silicon Valley Business Journal, and Entrepreneur of The Year in Silicon Valley.
_________
Whether you’re a tech enthusiast, aspiring entrepreneur, or simply someone who loves to witness the inspiring passion and innovation of students – this is an event you won’t want to miss! Gain insights into cutting-edge use cases of AI technology and discover how these startups are shaping the future to make a real impact on the world.
Tune in, cheer for your favorites, follow along, and get inspired by the ingenuity of these student founders.
Mark your calendars for May 21 to witness this moment!
Time Stamp Location
Greetings
I receive daily report from various machines, and I am attempting to locate the change of shifts time stamps.
Is there a way to locate the first previous time stamp from the start of the shift (the end of the previous shift) and the first-time stamp after the start of shift (workers actually start using the machine)
The file is a sample, and the shift change is 6am (06:00:00 hh:mm:ss).
Either VBA or a function will be greatly appreciated so I can stop manually filtering and looking for less than .25 or greater than .25.
“Enhancing Service Delivery at NSFAS through Microsoft Technologies”
By integrating Microsoft technologies, NSFAS can streamline application processes, enhance communication with applicants, and automate administrative tasks, resulting in improved efficiency, transparency, and service delivery to students in need.
log in everytime
Hi,
Unfortunately, I have to log in to Microsoft To Do on my devices every time I open it. This has only recently happened and was not the case before. I use a Windows 11 and a Windows 10 computer.
Does anyone have any advice?
Many thanks and best regards
Leo
Continuous Silent Crash (latest canary)
Keeps crashing with no warning or error message. Open tabs are only sharepoint pages.
Latest Canary version: Version 126.0.2558.0 (Official build) Canary (arm64)
SharePoint Roadmap Pitstop: April 2024
Ahh, welcome to Q4 – for those of us who follow the fiscal year. April isn’t just for rain showers. It’s a month to keep cranking and refining productivity and collaboration in Microsoft 365.
April 2024 brought some great new offerings: SharePoint brand center (Preview) with custom fonts support, Search from Viva Connections in Teams mobile, SharePoint: New feedback button, New Planner (GA), SharePoint eSignature + Approvals, SharePoint pages: New heading support, Clipchamp: Silence Removal, Microsoft Loop: Guest Sharing, and more. Details and screenshots below, including our audible companion: The Intrazone Roadmap Pitstop: April 2024 podcast episode – all to help answer, “What’s rolling out now for SharePoint and related technologies into Microsoft 365?”
In the podcast episode, we share some audio from the recent New Planner events on April 3rd and 4th – their launch event and AMA. You’ll hear Howard Crow (Partner GPM) talking about how the Planner team approaches infusing AI into your planning cycles, plus a great Planner + Copilot question from the AMA audience, answered by Holly Pollock (Principal Product manager).
All features listed below began rolling out to Targeted Release customers in Microsoft 365 as of April 2024 (possibly early May 2024).
Inform and engage with dynamic employee experiences
Build your intelligent intranet on SharePoint in Microsoft 365 and get the benefits of investing in business outcomes – reducing IT and development costs, increasing business speed and agility, and up-leveling the dynamic, personalized, and welcoming nature of your intranet.
SharePoint brand center (Preview) + custom fonts support
We’re introducing new SharePoint branding capabilities to improve consistency across your sites and pages. The SharePoint brand center gives you a centralized branding management application to empower your brand managers and designer advocates to work with your brand assets — to further customize SharePoint and Viva Connections.
To enable the new brand center the global administrator will need to perform a set of simple steps in the Microsoft 365 admin center to create/activate the Brand center app.
And first to come to brand center is the ability to add and use custom fonts. This means you can use custom fonts within both SharePoint and Viva Connections Desktop experience. Newly added font packages appear for use within the Change the Look edit pane.
Roadmap ID 124838; custom fonts Roadmap ID 375490.
Viva Connections in Teams: Search your intranet in Microsoft Teams on iOS and Android tablets
You no longer need to use a different app, or a separate browser, to search your intranet. Search is such a core, expected capability – especially when it’s the front door to your overall employee experience – to find documents, conversations, people – all the goodness of your intranet while on the go. Mobile first means fewer compromises. So go ahead, search your intranet from your device.
Roadmap ID 382643.
Learn more.
SharePoint in Microsoft 365: New feedback button
We’re introducing a feedback button for people to submit compliments, problems, or suggestions about SharePoint features and functionality. The feedback icon – a person with a square search bubble – will be visible on SharePoint sites in the upper-right area, near the Settings icon and your profile.
Once you pop open the “Submit feedback to SharePoint engineering” pane, click on one of the three buttons to classify your feedback: “Give a compliment” | “Report a problem” | “Make a suggestion.” The team will review all feedback submitted by customers to improve products and troubleshoot product issues.
A note: Feedback collection is on by default and can be turned off using the Cloud Policy service for Microsoft 365 in the Microsoft 365 Apps admin center. It takes a village – and we thank you in advance for letting us know what you like and what you feel we could do better or different in the future.
Roadmap ID 383405.
Learn more.
Teamwork updates across SharePoint team sites, OneDrive, and Microsoft Teams
Microsoft 365 is designed to be a universal toolkit for teamwork – to give you the right tools for the right task, along with common services to help you seamlessly work across applications. SharePoint is the intelligent content service that powers teamwork – to better collaborate on proposals, projects, and campaigns throughout your organization – with integration across Microsoft Teams, OneDrive, Yammer, Stream, Planner and much more.
Microsoft Planner GA (April 3rd, 2024) – Short summary
The new Microsoft Planner journey is off and running. It starts in Teams – and it started (GA) on April 3rd, 2024. The new Planner brings together the simplicity of Microsoft To Do, the collaboration of Microsoft Planner, the power of Microsoft Project for the web — all into a simple, familiar experience. It’s streamlined and faster, brings all your tasks in one place, brings together all your lists, plans and projects, and now you can Pin your favorite plans.
The new Planner is designed to help Ideate with the team – Manage your career goals – Plan that team sprint – and keep track of all the moving parts and deadlines of a product release.
A few top-level resources to learn more:
Read the full GA blog post, “The new Microsoft Planner begins roll out to General Availability (GA),” by Roberto Bojorquez (Planner GPM – Microsoft)
“Meet the Makers” 4/3
New Planner AMA 4/4
Visit the Microsoft Planner adoption hub
Microsoft SharePoint eSignature: Creators and recipients can view, track, and sign requests in the Approvals app in Teams
Not only can you send a document out for an e-signature, but you can also track the requests in the Approvals app in Microsoft Teams. People get notified about new requests, will be updated about ongoing requests, and will be able to initiate signing the document all within their flow of work in Microsoft Teams.
Roadmap ID 385012.
Learn more.
SharePoint pages: New heading level options for web parts
It’s time to let page authors choose heading levels – often within the Text web part – to define information hierarchy. This is similar to how people use Microsoft Word to apply a numbering scheme to the headings in documents (Heading 1, Heading 2, and so on).
Now you can apply a numbering scheme to the headings for your SharePoint pages. And, no matter where you use the headings on your page, they will have the same consistent look every time, and again add a level of hierarchy to the flow of information.
Roadmap ID 387500.
Related technology
Microsoft Clipchamp: Remove pauses and silences in your videos
Microsoft Clipchamp is introducing a new smart AI-powered feature called Silence Removal that automatically finds and deletes unwanted silences and pauses longer than 3 seconds in video and audio. The feature is currently free to use in preview and will be available as part of a premium subscription after the preview.
Roadmap ID 383137.
Learn more.
Microsoft Loop: Guest Sharing
Microsoft Loop now allows business-to-business (B2B) guest sharing for workspaces, pages, and components – subject to your preferred administrator policy. It’s been a highly-requested feature, and it’s great to see the SharePoint content services platform take an existing capability and apply it in the right way for a new app that sits on top of its storage platform.
So, get Loop’y with your guests. This new and powerful canvas allows you to stay in sync across applications — enabling teams to think, plan, and create together — inclusive of external people that you ‘loop in.’
A future note: Sensitivity labels for Loop workspaces, pages, and components will begin rolling out in the first half of 2024. A sign of continued Loop innovation on top of SharePoint.
Loop components in OneNote
You can create or insert Loop components into your OneNote notebook. With Loop components in OneNote, users can bring unstructured, collaborative content from Loop components in Microsoft Teams and Microsoft Outlook into OneNote notebooks – extending the real-time collaboration and sharing. You, too, can augment and recall collaborative notes within the familiar workflow of OneNote, enabling tasks to be completed more efficiently.
It’s a nice balance of structured, unchanging content blended with content that may shift and change by design.
Roadmap ID 379968
Learn more.
OneNote is now available for the Apple Vision Pro
We have worked closely with Apple for many years to bring these experiences to iPhone, iPad, and Mac. Now, with Apple Vision Pro, OneNote will make use of the infinite canvas of spatial computing and can appear side-by-side with other great Microsoft apps like Word, Excel, and Teams at any scale for incredible multitasking.
OneNote for Apple Vision Pro is a native app. You can plan trips, practice daily habits, and create/edit your task list, all in spatial reality – the OneNote experience on the Apple Vision Pro helps you stay productive, no matter where you are.
Brainstorm your next big idea with mind maps in Visio for the web
It’s time to organize your thoughts and find clarity. Mind maps help you brainstorm and capture ideas in one place. Using a mind map, you start with a single central node or idea, then expand it by adding additional nodes as you explore different aspects and details. As you continue to brainstorm, you can easily modify the mind map by adding new nodes or removing redundant ones—without disrupting the visual fidelity of the diagram.
Mind maps are currently rolling out to Visio for the web for people with a Visio Plan 1 or Visio Plan 2 license.
Learn more about how to create a mind map in Visio for the web.
Calling all Microsoft 365 developers… two things for you this month
Dev item #1: The Microsoft Build 2024 session catalog (at least a partial one) is now live.
If you awake asking “How will AI shape your future?” Then Build is for you. And this year it’s packed with lots of AI, Copilot, and a dash of Windows on Arm. Microsoft Build is May 21-24, 2024 | Seattle and online. Join in the Build action to grow your skills in topics like building copilots, generative AI, securing applications, learning more about cloud platforms, low-code, all to unleash your creativity with the power of AI. All to answer your morning question, “How will AI shape my future?”
Dev item #2: The PnP community site got a nice, big makeover – and not only is it pretty, it’s got loads of content: Blogs, Community calls, guidance, samples & solutions, SDK, tools, and the Microsoft 365 & Power Platform Community initiative coordinators (cool profile cards so you can see some of the folks behind it all).
Officially it’s the Microsoft 365 & Power Platform Community site where you learn from others how to build apps on Microsoft 365 & Power Platform. AKA, don’t reinvent the wheel. And they’ve stamped it with their main motto: “Sharing is caring” — and they care to share, so I’m sharing their URL: Go to https://aka.ms/Community/Home which resolves to https://pnp.github.io/ – you decide which is easier to remember – all I’ll say is that it’s worth going to.
May 2024 teasers
Psst, still here? Still scrolling the page looking for more roadmap goodness? If so, here are a few teasers of what’s coming to production next month…
Teaser #1: SharePoint Premium: New autofill columns [Roadmap ID: 389375]
Teaser #2: SharePoint + Stream: New video page templates [Roadmap ID: 124823]
… shhh, tell everyone.
Helpful, ongoing change management resources
“The new Microsoft Planner begins roll out to General Availability” by Roberto Bojorquez (Planner GPM)
“Meet the Makers” webinar | April 3rd, 2024
New Planner AMA (video + all Q&A) | April 4th, 2024
“Stay on top of Office 365 changes“
“Message center in Office 365“
Install the Office 365 admin app; view Message Center posts and stay current with push notifications.
Microsoft 365 public roadmap + pre-filtered URL for SharePoint, OneDrive, Yammer and Stream roadmap items.
New Planner | GA Blog | “Meet the Makers” | New Planner AMA
SharePoint Facebook | Twitter | SharePoint Community Blog | Feedback
Follow me to catch news and interesting SharePoint things: @mkashman; warning, occasional bad puns may fly in a tweet or two here and there.
Thanks for tuning in and/or reading this episode/blog of the Intrazone Roadmap Pitstop – April 2024. We are open to your feedback in comments below to hear how both the Roadmap Pitstop podcast episodes and blogs can be improved over time.
Engage with us. Ask those questions that haunt you. Push us where you want and need to get the best information and insights. We are here to put both our and your best change management foot forward.
Stay safe out there on the road’map ahead. And thanks for listening and reading.
Thanks for your time,
Mark Kashman – senior product manager (SharePoint/Lists) | Microsoft
Microsoft Tech Community – Latest Blogs –Read More
Public Preview: App Insights integration for Python apps on App Service
The Azure Monitor and App Service teams are happy to share that Application Insights integration with App Services for Python apps is now available for Public Preview. You can now easily monitor your Python apps on App Service without changing your code by leveraging auto-instrumentation that is integrated into the App Services platform.
This integration supports App Service deploy as code for Python versions 3.11 and lower. Deploy as container scenarios are not currently supported, but we plan to introduce this capability at a future date. We also plan to support Python 3.12 in the near future.
With this feature enabled, the App Service platform will instrument popular Python libraries in your code and automatically channel correlated application-level logs, metrics, and distributed tracing to your Application Insights resource. This will allow you to understand how your Python application is performing and more easily determine the cause of any incidents.
You can enable the feature at resource creation or from the App Insights blade after your App Service resource is created. Please review our documentation to learn more.
Turn On App Insights during App Service Resource Creation
When you create a new Python web application (version 3.11 or lower) using the “Deploy as code” option, you can select “Yes” for “Enable Application Insights” in the “Monitoring” tab. If you select “Yes”, your non-containerized Python application will pipe data to an Application Insights resource, allowing you to automatically monitor your workloads.
Turn On App Insights after App Service Resource Creation
Open your App Service application in the portal and go to the App Insights menu item.
Select “Enable” in the toggle under “Application Insights (Preview)”
Select a location for your Application Insights resource (it’s suggested to create the resource in the same region as the Web App).
Best practices to architect secure generative AI applications
As development of applications powered by advanced generative AI (Gen AI) tools surges, offering unprecedented capabilities in processing and generating human-like content, so do security and privacy concerns. One of the biggest security risks is the exploitation of those tools to leak sensitive data or perform unauthorized actions. A critical aspect that must be addressed in your application is the prevention of information leaks and unauthorized API access caused by weaknesses in your Gen AI app.
This blog post delves into the best practices to securely architect Gen AI applications, ensuring they operate within the bounds of authorized access and maintain the integrity and confidentiality of sensitive data.
Understanding the risks
Gen AI applications inherently require access to diverse data sets to process requests and generate responses. This access requirement spans from generally accessible to highly sensitive data, contingent on the application’s purpose and scope. Without careful architectural planning, these applications could inadvertently facilitate unauthorized access to confidential information or privileged operations. The primary risks involve:
Information Leaks: Unauthorized access to sensitive data through the exploitation of the application’s features.
Escalated Privileges: Unauthorized elevated access, enabling attackers or unauthorized users to perform actions beyond their standard permissions by assuming the Gen AI application identity.
Mitigating these risks necessitates a security-first mindset in the design and deployment of Gen AI-based applications.
Best practices for granting permissions
Limit Application Permissions
Developers should operate under the assumption that any data or functionality accessible to the application can potentially be exploited by users through carefully crafted prompts. This includes reading fine-tuning data or grounding data and performing API invocations. Recognizing this, it is crucial to meticulously manage permissions and access controls around the Gen AI application, ensuring that only authorized actions are possible.
A fundamental design principle involves strictly limiting application permissions to data and APIs. Applications should not inherently access segregated data or execute sensitive operations. By constraining application capabilities, developers can markedly decrease the risk of unintended information disclosure or unauthorized activities. Instead of granting broad permission to applications, developers should utilize user identity for data access and operations.
Utilizing User Identity for Data Access and Operations
Access to sensitive data and the execution of privileged operations should always occur under the user’s identity, not the application. This strategy ensures the application operates strictly within the user’s authorization scope. By integrating existing authentication and authorization mechanisms, applications can securely access data and execute operations without increasing the attack surface.
Examples of insecure practices
Here are a few examples of practices that can lead to data breach:
Placing sensitive data in training files used for fine-tuning models, as such data could later be extracted through sophisticated prompts.
Using the application identity to access segregated grounding data found in vector databases, APIs, files, or any other sources. Such practice should be limited to data that should be available to all application users, as users with access to the application can craft prompts to extract any such information.
Granting the application identity permissions to perform segregated operations, like reading or sending emails on behalf of users, reading from or writing to an HR database, or modifying application configurations. Calling a segregated API without verifying the user’s permissions can lead to security or privacy incidents.
To mitigate risk, always verify the end user’s permissions when reading data or acting on behalf of a user. For example, in scenarios that require data from a sensitive source, like user emails or an HR database, the application should employ the user’s identity for authorization, ensuring that users only view data they are authorized to view.
Applying best practices
In the diagram below we see an application which uses its own application identity for accessing resources and performing operations. Users’ credentials are not checked on API calls or data access. This creates a security risk where users without permissions can, by sending the “right” prompt, perform API operations or get access to data to which they would otherwise not be allowed access.
By explicitly validating user permission to APIs and data using OAuth, you can remove those risks. For this, a good approach is leveraging libraries like Semantic Kernel or LangChain. These libraries enable developers to define “tools” or “skills” as functions the Gen AI can opt to use for retrieving additional data or executing actions. Such tools can use OAuth to authenticate on behalf of the end user, mitigating security risks while enabling applications to process user files intelligently. In the example below, we remove sensitive data from fine-tuning and static grounding data. All sensitive data or segregated APIs are accessed by a LangChain/Semantic Kernel tool which passes the OAuth token for explicit validation of users’ permissions.
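The two patterns described above (a tool calling a segregated API under the application identity versus forwarding the signed-in user’s OAuth token), as an added example that is not code from the post or from LangChain/Semantic Kernel. The HR API, the token store and the claims are constructed stand-ins; no real OAuth or Microsoft Entra endpoint is called.

```python
"""Added example, not code from the blog post: a LangChain/Semantic Kernel
style "tool" that calls a segregated HR API under the end user's identity
instead of the Gen AI application's own identity.  The API, the token
store and the claims are constructed stand-ins; no real OAuth/Entra
endpoint is called."""


class Forbidden(Exception):
    """Raised by the API when the caller's token does not authorize the call."""


# Constructed bearer tokens -> already-validated claims.  In production the
# JWT signature, issuer, audience and expiry are verified by your OAuth
# library before any claim is trusted.
TOKENS = {
    "tok-app":   {"sub": "genai-app", "scp": "HR.Read.All"},  # app identity
    "tok-alice": {"sub": "alice",     "scp": "HR.Read"},      # signed-in user
    "tok-bob":   {"sub": "bob",       "scp": "HR.Read"},      # signed-in user
}
HR_DB = {"alice": {"salary": 120000}, "bob": {"salary": 95000}}
APP_TOKEN = "tok-app"  # credential the application itself holds


def hr_api_get_record(bearer: str, employee: str) -> dict:
    """Segregated API: a caller may read its own record, or any record only
    when its token carries the broad HR.Read.All scope."""
    claims = TOKENS.get(bearer)
    if claims is None:
        raise Forbidden("invalid token")
    if claims["scp"] == "HR.Read.All" or claims["sub"] == employee:
        return dict(HR_DB[employee])
    raise Forbidden(f"{claims['sub']} may not read {employee}")


def insecure_tool(user_token: str, employee: str) -> dict:
    """Anti-pattern from the post: the tool ignores who is asking and calls
    the API with the application identity, so any prompt that steers the
    model into this tool can read any employee's record."""
    return hr_api_get_record(APP_TOKEN, employee)


def secure_tool(user_token: str, employee: str) -> dict:
    """Recommended pattern: forward the signed-in user's OAuth token so the
    API enforces that user's permissions, not the application's."""
    return hr_api_get_record(user_token, employee)


def run_prompt(tool, user_token: str, employee: str) -> tuple:
    """Simulate the model choosing `tool` for a prompt such as
    "what is <employee>'s salary?" and report the outcome."""
    try:
        return ("ok", tool(user_token, employee))
    except Forbidden as exc:
        return ("denied", str(exc))
```

With the secure tool, Bob asking for Alice's salary is refused by the API itself; with the insecure tool the same prompt succeeds because the application's broad scope is what gets checked.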
Using Microsoft Azure AI Search for grounding
As an alternative, Microsoft provides an out-of-the-box solution for user authorization when accessing grounding data by leveraging Azure AI Search. You are invited to learn more about using your data with Azure OpenAI securely.
Conclusion
The integration of Gen AIs into applications offers transformative potential, but it also introduces new challenges in ensuring the security and privacy of sensitive data. By adhering to the baseline best practices outlined above, developers can architect Gen AI-based applications that not only leverage the power of AI but do so in a manner that prioritizes security.
Roee Oz, Architect, Microsoft Defender for Cloud
Server 2025 Build 26040 download
Hello! Does anyone have the windows server 2025 Build 26040 iso? I have been trying to find it since I have heard that it uses the windows 10 kernel
Update from Edge 122….120 to 124….67 shows greyed out Show Buy Now Pay Later option and it is ON
With Edge GPOs AutofillCreditCardEnabled and EdgeShoppingAssistantEnabled set to ZERO (Off), along with the many other GPOs controlling Edge Wallet, which is NOT desired in our business environment, the Show Buy Now and Pay Later (BNPL) option under Wallet settings is initially greyed out but ON (big DOT to the RIGHT). The workaround on Win 10 PCs (x86 and x64), which is NOT practical in a large server community using Windows Server 2016 through 2022, is to set AutofillCreditCardEnabled to ONE in the Edge policy registry and restart the Edge browser, then turn on the Save and fill payment info setting, then turn OFF the Show BNPL option, and afterwards turn off Save and fill payment info. Then the AutofillCreditCardEnabled setting is restored to ZERO and the Edge browser is restarted. Now the Wallet settings appear as before under Edge 122, but the “briefcase” policy icon is NOT present on the left of the Show BNPL option setting, which now has the setting big dot to the LEFT (OFF) and greyed out. I also noticed that the Preferences file for the Edge Profile (Default) does NOT contain the “edge_wallet_bnpl_enabled”:false setting UNTIL the previously mentioned registry and settings operations are completed.
Hopefully, these are appearance issues with the Version 124 Wallet settings AND the Show BNPL option is indeed DISABLED after upgrade to Edge Version 124.0.2478.67. I’d like confirmation that the Show BNPL option is indeed OFF after this upgrade with our Policy settings before I upgrade our business environment, and I’d like to see this FIXED to show the three Payment Method Wallet settings as DISABLED with the GPO “briefcase” icon, as it does for us in Version 122.0.2365.120 of Edge with our GPOs.
ChevITGuy
Regarding Microsoft having error – Run time error 76
Respected Sir,
We are using Microsoft Office 2021 and an error has occurred – run time error 76.
Kindly resolve the issue on priority basis.
Regards,
Shree Maharudra Infrastractures pvt Ltd
Impact on current SSO settings on Microsoft graph connector with Confluence
Hi there!
We’d like to set up the Confluence Cloud Microsoft Graph connector, and the thing is that some of our users sign in to Atlassian using SSO and others do not, especially for those using their personal email to log in. Therefore, we’re wondering if there are additional steps to consider when we come to the connection and permissions settings.
Have some of you experienced the same situation by chance?
Any feedback would be greatly appreciated. Thank you in advance for your help!
Mél
Nested If With And
Creating a RAG report where I will format the background Red, Amber or Green based on the values in 2 columns.
RULES
If col H is greater than 1 then it is GREEN.
If col H is less than 1 AND col K is less than 1, then RED
If col H is less than 1 AND col K is greater than 1 then AMBER
Here is how I wrote it…
=IF(H1>=1,"Green",IF(AND(H1<1,K1<1),"Red",IF(AND(H1<1,K1>=1),"Amber")))
It doesn’t seem to be giving me the correct data. Some are right, some are wrong.