How to build a Copilot for Security API Plugin – Part 2
Copilot for Security (Copilot) is a large language model (LLM) based Generative Artificial Intelligence (GAI) system for cybersecurity, compliance, identity and management use cases. Copilot is not a monolithic system but an ecosystem running on a platform that allows data requests from multiple sources through a plugin mechanism. Plugins allow Copilot to reason not only on data from Microsoft products but also on data from third parties.
In part-I of this series, we discussed building an API plugin using a single GET call. In this article, we expand on part-I and look at building API plugins that make more advanced GET calls using parameters. If you have not read part-I, we encourage you to do so first, as several parts of this article assume familiarity with the code and other details given there. In this blog, we only discuss API plugins; more information on the other types of Copilot plugins can be found here.
GET calls with Query Parameters
Let us add another function to the Flask website we first created in part-I. While we could use any standard application that exposes a REST API, it is easier and clearer from the server side if we have full control of the REST service. The new function will serve a GET call that takes three parameters, two of them in the query string and one in the path. A new class is required to handle this additional data; its code is given below:
# Imports and the Flask app object are already present in the part-I website;
# they are repeated here so the snippet runs on its own.
from flask import Flask, request, jsonify

app = Flask(__name__)

# Use this class to reflect back the parameters passed via GET query
class ReflectorJson:
    def __init__(self, data, json, ip, useragent):
        self.object = "Reflector Json"
        self.userdata = data          # value taken from the URL path
        self.value1 = json["value1"]  # query parameter 'value1'
        self.value2 = json["value2"]  # query parameter 'value2'
        self.sourceip = ip            # caller's IP address
        self.useragent = useragent    # caller's User-Agent header

    def getDict(self):
        return self.__dict__

# This method accepts query parameters and passes them to create a ReflectorJson JSON object
@app.route('/params/<data>', methods=['GET'])
def get_params_data(data):
    args = request.args          # query string parameters (value1, value2)
    jsonData = args
    obj = ReflectorJson(data, jsonData, request.remote_addr, request.user_agent.string)
    response = jsonify(obj.getDict())
    return response

if __name__ == "__main__":
    # Bind to all network interfaces on port 5000, as described in the text
    app.run(host="0.0.0.0", port=5000)
ReflectorJson assigns the passed values to internal properties and returns a dictionary of those properties from the ReflectorJson.getDict() function. The dictionary is converted to JSON by the jsonify() function and returned as an HTTP response. Hence the get_params_data() function returns the JSON serialization of the ReflectorJson object, which includes the values passed to it. To better understand the output, let us run this site manually on a local machine. We bind the webservice to all network interfaces and run it on port 5000. When we see the following log output in the Python console, the webserver is up and ready to service requests.
Since we are passing in multiple parameters it will be easier if we use a REST client like Boomerang or Postman. Since Boomerang has an easy-to-use interface available as a plugin for Microsoft Edge we will use that.
In Boomerang, we add the two values (they should be named ‘value1’ and ‘value2’ as the Flask app extracts their value based on these names), and call the path http://127.0.0.1:5000/params/testData, where ‘testData’ is the value that will be assigned to the ‘data’ variable inside the ‘get_params_data’ function.
When we send this request, the Flask website returns the response in a JSON which is shown in Boomerang’s Response tab:
The variables “userdata”, “value1” and “value2” are the ones explicitly passed by our GET call and reflected back by the Flask webservice. With our REST endpoint now working, we are ready to make a plugin that will make a GET call and pass in the three variables. Note that, as in part-I, if you intend to use the Flask webservice to test this plugin, you must host the Flask website where it is accessible from the Internet so that Copilot can communicate with it. This can be done by hosting the Flask webservice as an Azure App Service, on an Azure VM, or by some other means. We can also use other webservices that service GET calls, but make sure to change the plugin YAML files given in the next section accordingly.
Plugin YAML files
The main plugin file in YAML format is given below:
#Filename: API_Plugin_Reflection_GET_Params.yaml
Descriptor:
  Name: Elman's Reflection API plug-in using GET params v1
  DisplayName: Elman's Reflection API plug-in using GET params v1
  Description: Skills for getting a GET REST API call reflection based on parameters that are passed v1
  DescriptionForModel: Skills for getting a GET REST API call reflection based on parameters that are passed. This can be called with a prompt like "Get Elman's Reflection Data for data1 with value1 and value2"
SkillGroups:
  - Format: API
    Settings:
      # Replace this with your own URL where the OpenAPI spec file is located.
      OpenApiSpecUrl: http://<URL>/file/API_Plugin_Reflection_OAI_GET_Params.yaml
We give the plugin a unique name starting with ‘Elman’ in honor of Jeff Elman who designed the first Recurrent Neural Network. The above description will use the OpenAPI specification defined in the file ‘API_Plugin_Reflection_OAI_GET_Params.yaml’.
To generate the OpenAPI specification, we will use the same approach as we did in part-I, which is to use Bing Copilot. However, this time we will give a more detailed prompt which contains the output JSON so Bing Copilot has all the nuanced details to generate the file. The prompt to give Bing Copilot to generate the OpenAPI specification is given below:
Write an OpenAPI spec document that takes a GET call to http://127.0.0.1:5000/params/{data} where {data} is a variable, along with two query parameters value1 and value2, and returns the following JSON output. The JSON schema should be defined in a separate schema section in path /components/schemas/ReflectionDataParamsPluginResponse that is referenced with $ref. The JSON schema should only contain the type and description properties for each value:
{
  "object": "Reflector Json",
  "sourceip": "127.0.0.1",
  "useragent": "",
  "userdata": "testData",
  "value1": "This is Value 1",
  "value2": "This is Value 2"
}
Partial output for the above prompt in Bing Copilot is shown below:
After copying the generated OpenAPI file and making slight modifications (mainly to the title and description fields), the final OpenAPI specification is given below. We upload this OpenAPI specification to the location specified in the ‘OpenApiSpecUrl’ field of the main YAML document. Remember that this location should be publicly accessible over the Internet.
The OpenAPI spec file is given below:
openapi: 3.0.0
info:
  title: REST API Reflection using GET params
  description: Skills for getting reflection input for a GET REST API call using Params
  version: "v1"
servers:
  # Replace this with the URL where your REST webservice (the Flask site) is hosted.
  - url: http://172.13.112.25:5000
paths:
  /params/{input}:
    get:
      operationId: ReflectionDataGETParams
      summary: A Reflection Data Plugin that reads values from URL Params and returns them
      parameters:
        - in: path
          name: input
          schema:
            type: string
          required: true
          description: Parameter Input
        - in: query
          name: value1
          schema:
            type: string
          required: true
          description: Value Parameter 1
        - in: query
          name: value2
          schema:
            type: string
          required: true
          description: Value Parameter 2
      responses:
        "200":
          description: OK
          content:
            application/json:
              schema:
                $ref: "#/components/schemas/ReflectionDataParamsPluginResponse"
# This is referred to by $ref
components:
  schemas:
    ReflectionDataParamsPluginResponse:
      type: object
      properties:
        objecttype:
          type: string
          description: Object type
        userdata:
          type: string
          description: Userdata
        value1:
          type: string
          description: Reflected Parameter 1
        value2:
          type: string
          description: Reflected Parameter 2
        sourceip:
          type: string
          description: The Source IP
        useragent:
          type: string
          description: The User Agent
With the OpenAPI specification file ready, let us now upload the plugin. Click on the sources icon, highlighted with a red circle below:
In Custom section, select ‘Upload Plugin’:
Select ‘Copilot for Security Plugin’:
After selecting the main YAML file for the plugin, press the ‘Add’ button to complete the upload:
Note: If you would like your API custom plugin to be used by others within your tenant, please change the “Who can use this plugin?” from ‘Just Me’ to ‘Everyone’. For more information, see Copilot for Security Authentication.
If the plugin upload is successful, a ‘Plugin added’ confirmation is shown. If the plugin fails to upload, an error message, possibly accompanied by a code, is displayed. Incorrectly formatted YAML files are one of the common causes of errors; if you have an error code, more information is available here:
Since we have used the Flask API to also serve the OpenAPI specification file, we can see in the server logs the call Copilot makes to download it from the URL given in the ‘OpenApiSpecUrl’ field.
With the plugin uploaded, it is now time to validate it. When a new plugin is added, it is more efficient to invoke its skill directly and pass the parameters manually, rather than giving a prompt and having Copilot parse it (prompt engineering comes into play to make sure the correct parameters are extracted from your prompt!).
To invoke a skill directly click on the ‘Prompts’ icon as shown below:
A popup comes up showing all Promptbooks and Skills available, select ‘See all system capabilities’ to view all the skills:
For API plugins, the values of the ‘operationId’ and the ‘summary’ or ‘description’ fields assigned to each skill (each skill corresponds to a unique REST API endpoint) are displayed in system capabilities. We can search by the ‘operationId’, which in our case is ‘ReflectionDataGETParams’ as seen in the OpenAPI specification. Searching for the first few keywords brings it up, and we can then click on its name.
This brings up a new window where we can directly enter the values of the parameters we want to pass to the skill (these values are then passed to the REST API):
After entering the values for the parameters, click the ‘Submit’ button:
Copilot will invoke the skill directly and make a REST call with the parameters to our server, which we can verify on the server logs:
The REST call will return a JSON similar to the one we get when making the call directly from Boomerang. Copilot formats the JSON in a nicely formed paragraph:
Now we invoke the skill via a prompt that contains all the fields required by the API call. The prompt is:
Get reflection data for newTestInput, newParamValue1 and newParamValue2
Copilot passes the correct parameter values to the API, which we verify on the server:
The output JSON is also nicely formatted in bulleted form.
One observation from the previous prompt is that Copilot assigns the parameter values in sequential order. In the prompt we can also specify which input field each value corresponds to, which leads to a better prompt by removing ambiguity about value assignment (hint: this is prompt engineering!).
In the following prompt, we reverse the order of passing values but have the prompt explicitly specify the value corresponding to each input parameter.
Get reflection data where value2 is newParamValue2, value1 is newParamValue1 and input is TestInput
From the prompt output we can see that even though TestInput was passed last, it was correctly assigned to the ‘user data’ output variable. We can also verify the order of parameters by looking at the GET call on the server:
So far, we have been passing all the required inputs in our prompts. What happens if our prompt does not include all the parameters? Let us run the following prompt in a new session and find out:
Get reflection data for TestInput
The above prompt is missing the values for ‘value1’ and ‘value2’. Copilot correctly passes the TestInput value, but the values for ‘Value 1’ and ‘Value 2’ are arbitrary and obviously not correct. The server log shows the raw GET call.
Since we did not specify the three parameters required by the ‘ReflectionDataGETParams’ skill, Copilot uses other values from the prompt or from the current session to fill them in. In certain cases, it is possible that the skill is not even selected, since required inputs are missing.
Note that in this case we ran the prompt in a new session. If we run it in an existing session, some of the previous outputs can be inserted for value1 and value2. This may lead either to a correct or to a completely incorrect result, depending on which previous values were picked up. This is why prompt engineering is important: the prompt must be framed so that the required inputs for a skill are present in the prompt or in the session.
One way to prevent arbitrary values from being passed for missing inputs is to assign a default value to each input.
Using default values for parameters
Copilot for Security allows assignment of a default value, and one way to do that is to specify the default value in natural language in the ‘description’ field of the input. To set a default for ‘value1’ we change its description from ‘Value Parameter 1’ to ‘Value Parameter 1, default is “Dummy Value 1”’. This sets the string “Dummy Value 1” as the default for ‘value1’; similarly, the ‘description’ field for ‘value2’ becomes ‘Value Parameter 2, default is “Dummy Value 2”’. These are the only changes required, and the updated OpenAPI specification file is given below:
openapi: 3.0.0
info:
  title: REST API Reflection using GET params
  description: Skills for getting reflection input for a GET REST API call using Params
  version: "v1"
servers:
  # Replace this with the URL where your REST webservice (the Flask site) is hosted.
  - url: http://172.13.112.25:5000
paths:
  /params/{input}:
    get:
      operationId: ReflectionDataGETParams
      summary: A Reflection Data Plugin that reads values from URL Params and returns them
      parameters:
        - in: path
          name: input
          schema:
            type: string
          required: true
          description: Parameter Input
        - in: query
          name: value1
          schema:
            type: string
          required: true
          description: Value Parameter 1, default is "Dummy Value 1"
        - in: query
          name: value2
          schema:
            type: string
          required: true
          description: Value Parameter 2, default is "Dummy Value 2"
      responses:
        "200":
          description: OK
          content:
            application/json:
              schema:
                $ref: "#/components/schemas/ReflectionDataParamsPluginResponse"
# This is referred to by $ref
components:
  schemas:
    ReflectionDataParamsPluginResponse:
      type: object
      properties:
        objecttype:
          type: string
          description: Object type
        userdata:
          type: string
          description: Userdata
        value1:
          type: string
          description: Reflected Parameter 1
        value2:
          type: string
          description: Reflected Parameter 2
        sourceip:
          type: string
          description: The Source IP
        useragent:
          type: string
          description: The User Agent
Delete the current plugin and reimport it, so the new OpenAPI specification document is used.
In a new session, let us give the same prompt as last time, where only one of the three required inputs is specified:
Get reflection data for TestInput
The only input present in the prompt is assigned to ‘User Data’, while Value 1 and Value 2 are assigned their respective default values. The server log shows the REST call made with the default values.
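As an added example (not code from this post), the following Python reconstructs offline what the spec asks of Copilot, covering both the missing-input case described earlier and the description-based defaults just shown: it resolves the three parameters from whatever a prompt supplied, falls back to a default written into the ‘description’ field, reports any required input that has neither, and checks the reflected JSON keys against the response schema. The parameter lists, server URL and sample response are transcribed from the listings above; the helper names and the regex used to read a default out of a description are my assumptions.

```python
import re
from urllib.parse import quote, urlencode

# Transcribed from the page's two OpenAPI listings: the same three parameters,
# first without defaults and then with a default stated in the description.
PARAMS_NO_DEFAULTS = [
    {"in": "path", "name": "input", "required": True, "description": "Parameter Input"},
    {"in": "query", "name": "value1", "required": True, "description": "Value Parameter 1"},
    {"in": "query", "name": "value2", "required": True, "description": "Value Parameter 2"},
]
PARAMS_WITH_DEFAULTS = [
    {"in": "path", "name": "input", "required": True, "description": "Parameter Input"},
    {"in": "query", "name": "value1", "required": True,
     "description": 'Value Parameter 1, default is "Dummy Value 1"'},
    {"in": "query", "name": "value2", "required": True,
     "description": 'Value Parameter 2, default is "Dummy Value 2"'},
]

# Assumed convention, matching the page's wording: 'default is "X"' or
# 'default to "X"', with straight or curly double quotes.
_DEFAULT_RE = re.compile(r'default\s+(?:is|to)\s+["\u201c]([^"\u201d]+)["\u201d]', re.IGNORECASE)


def default_from_description(description):
    """Return the default value embedded in a parameter description, or None."""
    match = _DEFAULT_RE.search(description or "")
    return match.group(1) if match else None


def resolve_parameters(parameters, supplied):
    """Fill each spec parameter from the prompt-supplied values, then from a
    description default. Returns (path_values, query_values, missing, defaulted)."""
    path_values, query_values, missing, defaulted = {}, {}, [], []
    for param in parameters:
        name = param["name"]
        value = supplied.get(name)
        if value in (None, ""):
            value = default_from_description(param.get("description"))
            if value is None:
                if param.get("required"):
                    missing.append(name)
                continue
            defaulted.append(name)
        if param["in"] == "path":
            path_values[name] = value
        else:
            query_values[name] = value
    return path_values, query_values, missing, defaulted


def build_request_url(base_url, path_template, parameters, supplied):
    """Return (url, report). url is None when a required input has neither a
    supplied value nor a default: the situation in which the post observed
    Copilot filling the gap with unrelated values from the prompt or session."""
    path_values, query_values, missing, defaulted = resolve_parameters(parameters, supplied)
    report = {"missing": missing, "defaulted": defaulted}
    if missing:
        return None, report
    path = path_template
    for name, value in path_values.items():
        # Percent-encode the path segment so '/' or spaces cannot change the route
        path = path.replace("{" + name + "}", quote(str(value), safe=""))
    url = base_url.rstrip("/") + path
    if query_values:
        url += "?" + urlencode(query_values)
    return url, report


def schema_drift(response_json, schema_properties):
    """Keys the server returns that the schema does not declare, and vice versa.
    Worth running before upload: the reflected JSON above uses 'object' while
    the schema declares 'objecttype'."""
    returned, declared = set(response_json), set(schema_properties)
    return {"undeclared": sorted(returned - declared),
            "never_returned": sorted(declared - returned)}


if __name__ == "__main__":
    base = "http://172.13.112.25:5000"      # server URL from the spec above
    prompt_inputs = {"input": "TestInput"}  # prompt: "Get reflection data for TestInput"
    print(build_request_url(base, "/params/{input}", PARAMS_NO_DEFAULTS, prompt_inputs))
    print(build_request_url(base, "/params/{input}", PARAMS_WITH_DEFAULTS, prompt_inputs))
    sample_response = {"object": "Reflector Json", "sourceip": "127.0.0.1", "useragent": "",
                       "userdata": "testData", "value1": "This is Value 1",
                       "value2": "This is Value 2"}
    print(schema_drift(sample_response,
                       ["objecttype", "userdata", "value1", "value2", "sourceip", "useragent"]))
```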
In this article, we showed how to make GET calls with parameters. So far, we have not discussed making REST API calls with authentication or API; that will be the topic of part-III, so stay tuned.
Microsoft Tech Community – Latest Blogs –Read More
Logic Apps Standard – New Hybrid Deployment Model (Preview)
At the Integrate 2024 event, we announced a new Hybrid Deployment Model for Azure Logic Apps (Standard) that allows you to run Logic Apps workloads on customer managed infrastructure. This new capability is currently in an early access preview and interested parties should fill out the following nomination form: https://aka.ms/HybridLAOnboarding.
The new hybrid deployment model is ideal for customers who want more control over where and how their integration workloads are hosted. This includes on-premises, private clouds or public clouds. This offering focuses on semi-connected scenarios that offer local processing, local storage and local network access. Using this model allows customers to absorb intermittent internet connectivity issues.
Regardless of where your Logic Apps are deployed, you can still leverage the Azure Portal, via Azure ARC agent, to access the control plane. This provides a unified experience independent of where your workflows are deployed.
For additional information please watch the following video:
What’s Star-Tap
I’m looking at Experience the New OneDrive: Fast, Organized, and Personalized – Microsoft Community Hub which references the star-tap experience. I’ve searched & can’t find anything about it.
“Favorites and File Shortcuts We’re adding two new ways to manage and find important files. Now, you can easily favorite files in OneDrive using the familiar ‘star-tap’ experience found in Microsoft 365 apps. “
Thanks in advance.
FY25 Business Applications Partner Activities webinar series starts June 24!
Be sure to sign up now for the upcoming FY25 Business Applications Partner Activities webinar series coming up June 24-27. The first event is only a week away!
Learn about the priorities and strategy for FY25 – and how you can integrate incentives into your business strategy to grow your business and deliver excellent customer value.
Learn more and register today!
Almost all devices show as Not Applicable in update rings
Currently almost all devices in our environment show not applicable in the standard windows update ring. Newly added devices seem OK.
We previously used GPOs to push update settings. As this was conflicting with the Intune settings, we disabled the GPOs. Around that time (not sure exactly) our devices began showing not applicable for an update ring they were good with previously.
Anyone seen this/have any ideas?
Use an AWS AMI image in Azure?
Hello, we have a standard gold image factory in AWS, so we have many AMIs that are up to date and correct. I was wondering if I could copy the image to Azure and run it through the Azure Image Builder and then use it in Azure? Thanks
Partner Blog | Partner Center Technical Corner: June 2024 edition
By Monilee Keller, Vice President, Product Management
Welcome to the June edition of Partner Center Technical Corner. This month, we review Solutions Partner designations and securing the channel as our spotlight topics, followed by a summary of recent releases. For quick reference, you can find the most up-to-date technical roadmap and essential Partner Center resources at the end of the blog.
Spotlight: Solutions Partner with certified software designations
Within the Microsoft AI Cloud Partner Program, we offer distinct pathways for partners to differentiate themselves and stand out to customers according to their unique business models. These differentiated offerings help partners demonstrate their capabilities so customers can easily find and choose a proven partner. For early-stage ISV partners, we announced ISV Success last year to help them build, publish, and grow well-architected software solutions on the Microsoft Cloud. In March 2024, as part of our ongoing journey to make ISV partners successful, we introduced Solutions Partner with Certified Software designations, offerings for ISVs who are ready to differentiate their software solutions in the market.
Attaining a Solutions Partner with certified software designation signifies that your solution meets technical criteria for interoperability with the Microsoft Cloud and demonstrates a proven track record of customer success. This distinction helps validate the quality, capability, reliability, and relevance of your software solution and drives positive customer experience, delivering on the value customers expect from solutions built on the Microsoft Cloud.
Continue reading here
Public preview: Create multiple prefixes for a subnet in an Azure Virtual Network
Create multiple prefixes for a subnet enables customers to easily scale their virtual machines and Azure Virtual Machine Scale Sets without the risk of exhausting their subnet address space. This feature eliminates the need to remove resources from a subnet as a prerequisite for modifying its address prefixes.
This feature is available in all public cloud regions during public preview.
integration with MS Entra (risk scoring)
Hi,
We have a Risk Scoring app that we want to integrate with MS Entra for a customer.
The integration requires some data collected by MS Entra on the webpage after login completion – a couple of lines of JavaScript.
How could we achieve this with MS Entra? Is there a contact in Microsoft that we could discuss with?
Thank you
Starts June 24! FY25 Business Applications Partner Activities Webinar Series
Be sure to sign up now for the upcoming FY25 Business Applications Partner Activities webinar series coming up June 24-27. The first event is only a week away!
Learn about the priorities and strategy for FY25 – and how you can integrate incentives into your business strategy to grow your business and deliver excellent customer value.
Learn more and register today!
Four new engagements that are launching in FY25
Low Code Vision & Value
CRM Vision & Value
ERP Vision & Value
Low Code Solution Accelerator
A detailed overview of each new engagement, including:
Trends shaping partner opportunity in Business Applications
Overview and value proposition of the solution areas
Goals, expected outcomes, use cases, and targeted scenarios
Detailed walkthrough of activity elements, outputs, and assets available
Register for an upcoming webinar, or if you cannot attend, please watch the recording!
Resource links
Bookmark the Business Applications Partner Activities page to stay updated with the latest resources and program announcements for FY25
Submit a query for Partner Activities Tier 1 support and any other feedback or questions.
Bookmark the Partner Center – Microsoft Commerce Incentives (MCI) Engagements Workspace.
Review the MCI Program Guide and Resources.
—
Demos and webinars are great..but do you need more; such as technical consultations from a level 100 to level 400 across Microsoft workloads, a comprehensive growth and success plan built with a Microsoft account manager, or services and benefits that can be monetized without requiring increased headcount? Speak with a Partner Success expert about Premier and Advanced Support for Partners, paid service offerings that drive growth and partner success.
Premier Support for Partners (PSfP) and Advanced Support for Partners (ASfP) are paid partner offerings at Microsoft that provide unmatched value through a wide range of Partner benefits including account management, direct-from-Microsoft advisory consultations, the highest level of reactive support available including up to 15-minute response times on critical cases, and coverage across cloud, hybrid, and on-prem.
Please review these resources to learn more and consider booking a meeting to speak directly with our teams for a better understanding of the value-added benefits of PSfP and ASfP.
Book a meeting with a PSfP Specialist
Book a meeting with an ASfP Evangelist
Visit the ASfP Website
Download the ASfP Fact Sheet
View the ASfP Impact Slide
Stop by the ASfP Partner Community
Configuration profiles with Android Enterprise, with kiosk simple app, with .apk extension
Good afternoon.
I am developing a project whose objective is to configure the Android device in a kiosk to run just one application.
I have already created my Corporate-owned dedicated devices and my group.
I developed an app and I already have its .apk file, I have already added it to All Apps and its type is Android line-of-business app.
So far everything is fine, the problem comes from the create Configuration profiles part, I configured create platform Android Enterprise
and Profile type Device restrictions, but in Device experience, I configured it in Dedicated device and Kiosk mode Single app,
but when selecting my apk app it doesn’t appear, I can’t find it. How can I resolve this? I need it to be in kiosk mode,
run just one app and not let the user exit it. I’m waiting.
Recover Unsaved Work after Reinstalling Excel
I had a couple unsaved workbooks that were recovered when I had to restart Excel (good). Randomly, however, my excel program disappeared from my computer (bad). Unclear how this happened. I reinstalled excel. Now, I cannot find those unsaved workbooks (even though they were recoverable before). I recognize not saving work is a terrible practice. Nevertheless, any ideas on where I can find those unsaved workbooks?
Thanks!
Generative AI Technical Patterns: Chat with Your Data
The “Chat with Your Data” reference architecture is a modern, transformative solution designed for businesses that need to streamline their knowledge retrieval and synthesis. It empowers users to engage with their data repositories in an intuitive conversational manner, leveraging the latest in AI-driven insights. This architecture is ideal for companies looking to enhance their customer service, decision-making, and overall data accessibility. With a system built on the Microsoft Azure platform, organizations can confidently offer a sophisticated, AI-enhanced experience that allows end-users to ask questions and receive information as if they were chatting with a knowledgeable human assistant.
Unable to See Domain Users in Windows Admin Center for File Shares
Hello everyone,
I’m currently experiencing an issue with Windows Admin Center where I cannot see domain users when trying to create file shares and set permissions. Here are the details:
Setup:
• Windows Server 2022 with all the latest updates.
• Hyper-V for virtualization.
• Windows Admin Center installed on srv-admincenter.
• Domain Controller on srv-dc with DNS configured correctly.
• File Server on srv-data with iSCSI storage.
Problem:
• When using Windows Admin Center to manage file shares on srv-data, only local users are displayed. Domain users do not appear.
• However, when I manage file shares directly on srv-data (through File Explorer or Server Manager), I can see and assign permissions to all domain users without any issues.
• The Active Directory extension is installed and up to date in Windows Admin Center.
Microsoft forms option not available
Why would the option to allow respondents to edit their responses be available to some users but not others?
New Blog | Simplifying Cloud Security with Azure Firewall Manager and Illumio
Introduction
In today’s dynamic and ever-evolving cloud environment, ensuring strong security measures is essential. This involves not only implementing the right tools, but also having effective processes in place to oversee and maintain these security measures. With Azure Firewall Manager, Microsoft offers a comprehensive and centralized platform to simplify the management of multiple firewalls at scale, addressing the challenges of managing security in a dynamic cloud landscape.
Illumio for Microsoft Azure Firewall helps Azure Firewall customers enforce Zero Trust Segmentation and go beyond network and application filtering. It helps the firewall operations teams understand rules with rich context of the resources they are protecting. With rich context, administrators can easily determine which resource is secured by the rule, who owns it, and perform rule lifecycle management more confidently.
By combining the robust features of Azure Firewall and Azure Firewall Manager with Illumio’s expertise in Zero Trust Segmentation, we aim to provide our customers with a powerful solution to navigate the complexities of modern cloud security effectively.
Illumio support in Azure Firewall Manager
Azure Firewall Manager is a centralized platform for managing firewalls, along with other core network security services, at scale. Illumio for Microsoft Azure Firewall is now directly accessible within Azure Firewall Manager.
Customers can seamlessly enable Illumio for Microsoft Azure Firewall by navigating to the “What’s New” section within Azure Firewall Manager.
Read the full post here: Simplifying Cloud Security with Azure Firewall Manager and Illumio
By Suren Jamiyanaa
New Blog | Host Microsoft Defender data locally in Switzerland
We are pleased to announce that local data residency support in Switzerland is now generally available for Microsoft Defender for Endpoint and Microsoft Defender for Identity. This announcement demonstrates our commitment to providing customers with the highest levels of security and compliance by offering services that are aligned to local data sovereignty requirements. Swiss customers can now confidently onboard to Defender for Endpoint and Defender for Identity in Switzerland, knowing that their data at rest will remain within Swiss boundaries, which ensures that customers in Switzerland can meet their regulatory obligations and maintain control over their data.
Defender products are now available in the US, the EU, the UK and Australia.
Configure Microsoft Defender for Endpoint with local data hosted in Switzerland.
Prerequisites
Your Entra ID tenant needs to be set to Switzerland, so that the Microsoft Defender for Endpoint tenant will also be provisioned in this geo.
To access the GoLocal Geo instance in Switzerland, you need to ensure each device is onboarded using Streamlined Connectivity for devices on their network (see Enable access to Microsoft Defender for Endpoint service URLs in the Proxy Server for further details).
Read the full post here: Host Microsoft Defender data locally in Switzerland
By Jose Celis Charry
Profile missing from import
Hi
My user does not show up in user profiles in SharePoint Online. When I select «profile missing from import» and search there, I can see my user. How can I activate my user profile?
regards
dar
Azure DevOps Team capacity multicultural teams
In our development teams, there are many different people in different countries. Is there a way to assign days off per user, since each country has its own holidays, for example?
MAM (preview) for Windows 365 and Azure Virtual Desktop
Now in preview, Microsoft Intune Mobile Application Management (MAM) can provide numerous benefits for iOS/iPadOS and Android clients. Have you ever wondered if you could allow users to access Azure Virtual Desktop or Windows 365 on their personal iOS/iPadOS and Android devices? Do you want to do this with more restrictive redirection policies than on managed devices and only allow a connection if some security criteria are met? Well, now you can, and you don’t even have to manage the device.
Configure and apply redirection settings with Intune MAM
End users can now configure different redirections when they connect to Azure Virtual Desktop and Windows 365 using the latest versions of the Remote Desktop client (iOS/iPadOS and Android) and the Windows App (iOS/iPadOS) that are integrated with Intune Mobile Application Management.
Previously, supporting bring your own device (BYOD) was a challenge because Azure Virtual Desktop and Windows 365 end users had the same redirections whether they connected from a corporate or personal device. For example, it wasn’t possible to allow drive and clipboard redirection on a corporate managed device without allowing the same redirections on a personal device. This posed a data loss risk when corporate data was copied to the personal device.
With Intune MAM integration, customers can now apply different redirection settings based on user security group, operating system of the device, or whether the device is Intune managed or not. All this can be done without additional Azure Virtual Desktop host pools.
Without managing the personal device, Intune MAM allows you to:
Disable specific redirections on personal devices.
Require PIN access to app before connection.
Block third-party keyboards.
Specify a minimum device operating system version before connection.
Specify a minimum Windows App and/or Remote Desktop app version number before connection.
Block jailbroken/rooted devices from connection.
Require a mobile threat defense solution on devices, with no threats detected before connection.
Intune MAM allows you to manage and protect your organization’s data within an application without enrolling in device management, while ensuring an employee’s personal data on the device is not accessed. Many productivity apps, such as the Microsoft 365 apps, can already be managed by Intune MAM. See the official list of Microsoft Intune protected apps available for public use and the Planning guide: Personal devices vs. Organization-owned devices for more information.
Manage apps using MAM whether devices are enrolled or unenrolled in Intune mobile device management
Intune MAM supports two configurations:
Intune mobile device management (MDM) + MAM: IT administrators can manage apps using MAM on devices that are enrolled with Intune MDM.
Unenrolled devices with MAM managed applications: IT administrators can manage apps using MAM on unenrolled devices, which typically are employees’ preferred personal devices.
For managed devices, it’s optional to use MDM + MAM. Many Azure Virtual Desktop or Windows 365 customers will only need to apply MAM on unenrolled devices because redirection policies usually have stricter settings on unenrolled devices to protect against data loss. Redirections can work as-is on managed devices without MAM.
Important: Configuring redirection settings on a client device isn’t a substitute for correctly configuring your host pools and session hosts based on your requirements. Using Intune to configure Windows App and the Remote Desktop app might not be suitable for workloads requiring a higher level of security.
Workloads with higher security requirements should continue to set redirections at the host pool or session host, where all users of the host pool have the same redirection configuration. A data loss protection (DLP) solution is recommended, and redirection should be disabled on session hosts whenever possible to minimize the opportunities for data loss.
There are four primary configurations to manage redirections using MAM:
Intune device filters allow app configuration and app protection policies to be targeted for specific devices, regardless of whether they are enrolled or unenrolled devices.
Intune app configuration policies manage redirection settings for Windows App and the Remote Desktop app on a client device.
Intune app protection policies specify security requirements that must be met by the application and the client device. Use filters to target users based on specific criteria.
Conditional Access policies control access to Azure Virtual Desktop and Windows 365 and ensure criteria set in app configuration policies and app protection policies are met.
The screenshots below illustrate the key steps to configure different redirections on personal devices. For this example, we will disable drive redirection on a personal iPad so corporate data cannot be copied to the local iPad storage.
Create a filter for unmanaged devices.
Create an app configuration policy to disable drive redirection using the Remote Desktop Protocol (RDP) property name of drivestoredirect as listed in Configure device redirection. Assign a value of 0.
Select the groups the Intune app configuration policy applies to (hence the groups the redirection settings apply to). Select Edit Filter and choose the unmanaged devices filter that was created earlier.
Sign in to your Azure Virtual Desktop session host or Windows 365 Cloud PC.
On a managed iPad, drive redirection is allowed, as shown here:
On an unmanaged iPad, drive redirection is disallowed, as shown here:
In addition to different redirections, you may also want to require a minimum OS and Remote Desktop app version to reduce the risk of threats caused by older and potentially unsupported devices that are not current with the latest security updates. Configure an Intune app protection policy (see App protection policies overview) to do this. In the example below, you can require that the Android device be:
Android 14.0 or later.
Remote Desktop 10.0.19 or later.
Determined as Secured – no threats – by Microsoft Defender for Endpoint.
With the Intune app protection policy applied to Remote Desktop and Windows App, the following three scenarios are now possible even on personal devices that you don’t manage:
Block by OS version
Access is blocked as the operating system version of the device does not meet the requirements of Android version 14.0 or higher set by the IT admin.
Block by app version
Access is blocked as the version of the Remote Desktop client does not meet the requirement of 10.0.18.1258 or higher as set by the IT admin.
Only allow approved clients
Access is blocked as a version of the client supporting app protection policy is required in Microsoft Entra Conditional Access policies.
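The decision logic the post walks through (a device filter on management state selecting the app configuration policy, and an app protection policy gating the connection on OS version, client version, jailbreak state and a mobile threat defense verdict) can be modelled in a few lines. The block below is an added illustration written for this page, not Intune code or a Microsoft sample; the policy values are constructed to match the Android example above, the class and function names are hypothetical, and it demonstrates one pitfall the real checks must get right: version strings have to be compared numerically, not as text.

```python
"""Model of how Intune MAM gates an Azure Virtual Desktop / Windows 365 connection
from a personal device. Added illustration for this page; not Intune's own code."""
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional


@dataclass
class DevicePosture:
    """What the client reports at connection time (constructed model, not a real API)."""
    os_name: str                 # "android" or "ios"
    os_version: str              # e.g. "14.0"
    client_app: str              # "Remote Desktop" or "Windows App"
    app_version: str             # e.g. "10.0.19"
    intune_managed: bool         # True when the device is enrolled in Intune MDM
    jailbroken: bool = False
    mtd_threat_free: bool = True           # MTD (e.g. Defender) verdict: Secured, no threats
    supports_app_protection: bool = True   # client build honours app protection policy


def parse_version(version: str) -> tuple[int, ...]:
    """Numeric tuple so that 10.0.9 < 10.0.19; as plain strings "10.0.9" > "10.0.19"."""
    return tuple(int(part) for part in version.split("."))


# App protection policy, values taken from the post's Android example.
APP_PROTECTION_POLICY = {
    "min_os": {"android": "14.0"},
    "min_app": {"Remote Desktop": "10.0.19"},
    "block_jailbroken": True,
    "require_threat_free": True,
}

# App configuration policy assigned with the "unmanaged devices" filter:
# the RDP property drivestoredirect=0 disables drive redirection on personal devices.
UNMANAGED_APP_CONFIG = {"drivestoredirect": "0"}
# Managed devices get no override and keep the host pool's redirection settings.
MANAGED_APP_CONFIG: dict = {}


def evaluate_app_protection(device: DevicePosture,
                            policy: dict = APP_PROTECTION_POLICY) -> Optional[str]:
    """Return the block scenario name, or None when every requirement is met."""
    if not device.supports_app_protection:
        return "Only allow approved clients"
    min_os = policy["min_os"].get(device.os_name)
    if min_os and parse_version(device.os_version) < parse_version(min_os):
        return "Block by OS version"
    min_app = policy["min_app"].get(device.client_app)
    if min_app and parse_version(device.app_version) < parse_version(min_app):
        return "Block by app version"
    if policy["block_jailbroken"] and device.jailbroken:
        return "Block jailbroken/rooted device"
    if policy["require_threat_free"] and not device.mtd_threat_free:
        return "Block: mobile threat defense reports threats"
    return None


def redirection_settings(device: DevicePosture) -> dict:
    """Device filter on management state selects which app configuration applies."""
    return MANAGED_APP_CONFIG if device.intune_managed else UNMANAGED_APP_CONFIG


def evaluate_connection(device: DevicePosture) -> dict:
    """Combine the app protection gate with the redirection configuration."""
    reason = evaluate_app_protection(device)
    if reason:
        return {"allowed": False, "reason": reason, "redirections": None}
    return {"allowed": True, "reason": None, "redirections": redirection_settings(device)}


if __name__ == "__main__":
    # Constructed sample postures: a managed and an unmanaged iPad, and an old Android client.
    for posture in (
        DevicePosture("ios", "17.4", "Windows App", "11.0.0", intune_managed=True),
        DevicePosture("ios", "17.4", "Windows App", "11.0.0", intune_managed=False),
        DevicePosture("android", "14.0", "Remote Desktop", "10.0.18.1258", intune_managed=False),
    ):
        print(posture.os_name, posture.intune_managed, evaluate_connection(posture))
```

The managed iPad connects with the host pool's redirections untouched, the unmanaged iPad connects with `drivestoredirect` forced to 0, and the Android client on 10.0.18.1258 is refused under "Block by app version" because 18 < 19 in the third component, which a naive string comparison could get wrong for other version pairs.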
In the future, we will be extending these redirection and device posture checking capabilities on personal devices to Windows.
To learn more about these capabilities, see Configure client device redirection settings for Windows App and the Remote Desktop app using Microsoft Intune.