User Profile
Slee6004
Brass Contributor
Joined 8 years ago
Recent Discussions
Azure app registration process and what is the default Roles and administrators assigned?
Hi community members, I am new to App registration and have read all the MS references about the Azure App registration process but can't find the answer about the default "Roles and Administrators". I started to check on previously registered apps, wanting to learn and follow the best practices. From those articles it looks like we can assign roles using RBAC, which depends on the app design. But I noticed that all the apps registered have the "Cloud Application Administrator" role assigned. Is this by default? It seems like this role "Can create and manage all aspects of app registrations and enterprise apps except App Proxy." I'm not quite following the logic of why and how this works, so any insights you can share with me would be a great help. Thanks in advance!
670 Views, 0 Likes, 2 Comments

Re: How to redirect performance logs to another Azure log analytic workspace
Thanks for your feedback. We did check on that and it's configured with the correct data. We may have messed up Azure policies while cleaning up/consolidating to a new LAW. Not sure if we need to reinstall AMA to get the correct extension and/or get a new set of Azure policies to enforce new AMA installation. Any suggestions would be appreciated.
792 Views, 0 Likes, 0 Comments

How to redirect performance logs to another Azure log analytic workspace
Dear members, I am new to Azure Monitor/Log Analytics workspace and I'm in the process of configuring it. Initially, we believed that having two LAWs would suffice for our business requirements, and we put significant effort into adjusting Azure Policy exclusions to make it work. However, we didn't succeed in that approach. After gaining a deeper understanding of LAW, we decided to use a single LAW and have most of our resources report to it. To achieve this, we cleaned up Azure policies and directed DCRs to point to this unified LAW. The issue we currently face is that a specific group of VMs continues to send performance data to the outdated LAW, and we can't identify where to make the necessary changes. We have triple checked all levels of management groups for Azure policies and the remaining active DCRs, yet still no luck. All of these VMs have the AMA installed. Is there a need to update the AMA, which we may be unaware of? We are running out of ideas on where to adjust the settings so that we can consolidate all the logs into this single LAW. We would greatly appreciate any suggestions or recommendations from forum members! Thank you in advance for any help! Sally

Re: How you control OneDrive sync to personal devices?
Hi Recep_Gencaslan695, thank you for your insights. We do have Intune licenses, but it is currently in pilot mode so not fully configured yet. We currently permit syncing to a specific domain, which is the aspect the business is interested in removing the restriction from. The rationale is that it is easier for them to transfer content from their personal PC/Mac. However, in today's cybersecurity landscape, I believe it's imperative to adopt Zero Trust principles. This entails continuously evaluating all entry points and user identities. Allowing OneDrive sync to personal PC/Mac without robust mitigation controls in place could potentially expose us to a high risk of cyberattacks. I was told that content in OneDrive is already containerized and encrypted, and we have DLP scans looking for sensitive data. Since we have E5, there is advanced event logging and logs are kept for one year. Additionally we have another 3rd party tool to monitor bulk data transfer, so we should be protected. I am not sure all those mitigation controls will help protect our content. It seems to me they are more reactive approaches. This is why I'd like to ask the community members about their experiences at different organizations. Any feedback is appreciated. Thanks once again!
1.6K Views, 0 Likes, 1 Comment

How you control OneDrive sync to personal devices?
Hi forum members, under today's cyber security landscape, what is the policy for organizations to control OneDrive for Business syncing content to personal devices? I mean allow or block it, and what are the reasons behind those decisions? My organization has it configured to only allow syncing on computers joined to our domains. But the business has access to our affiliated tenant's OneDrive for Business, so threatens to save data there. Now we are at the point where content will either be exfiltrated with no control, or we allow syncing to personal devices. Wanted to get some feedback from the forum and see what the best practices are. Any suggestions are greatly appreciated.
Solved, 1.7K Views, 0 Likes, 3 Comments

Re: Concerns using Microsoft MFA
Hi Chandrasekhar_Arya, thanks for your reply. It is very helpful! If I understand correctly, when we use Microsoft MFA + PHS, we will need to configure a Conditional Access policy and leverage Trusted locations + Identity to control the access. Additionally, we can add device and other controls in the conditional access policies to further fine-tune it. But in terms of VPN access, I am not familiar with how it works, so not sure how to configure CA. Are you saying it has no difference from other access sources, so we should just treat them the same and use the same or similar policy? Any suggestions are appreciated. Thank you once again for all your help! Sally
1.4K Views, 0 Likes, 3 Comments

Concerns using Microsoft MFA
Dear Forum members, my company is using ADFS + DUO but thinking about using Microsoft PHS + MS MFA. We are testing staging roll out but have been told that our Security team has concerns about MS MFA:
* Can't differentiate session initiation so VPN users will always get flagged
* No VPN blocking
* Password portal explicit registration
We are using Cisco VPN which of course should work well with DUO. I can understand nobody likes to change, but financially MS MFA is more cost effective for us. Since we haven't used MS MFA yet, I am not sure whether those concerns are valid or not. And if those are valid concerns, are there any workarounds, mitigation strategies or alternative approaches that we can use to convince our security team to migrate over? Any recommendations/suggestions are greatly appreciated! Sally
Solved

Re: What is the recommendation about security measurement for logging from different IP addresses
Thank you, eliekarkafy, for your feedback. As you suggested, we have trusted locations configured and block all countries except the one we are located in. But with DUO MFA as the custom control, it prompts all the time even though users don't require it. It's all due to one of our CA policies (all apps from all users at all locations except trusted ones require DUO MFA). There is nothing wrong with it except the extra MFA prompts cause MFA fatigue. These extra prompts are the ones our security team has more concerns about than devices having changed location, so it is willing to not prompt for location changes. This concept is different from what I have learned about security practices, so I just wanted to have some suggestions from the community. Thanks again for your information. Appreciate it! Sally
891 Views, 1 Like, 2 Comments

What is the recommendation about security measurement for logging from different IP addresses
Hi all, I have a question about MFA. When managed devices travel to a different location, should we prompt for MFA? What is the best practice these days? I know it varies at different organizations and also depends on how much risk organizations are willing to take. Just wanted to know general practices to cover two types of traveling:
1. travel between home and office;
2. travel to unusual places (e.g. on vacation, attending a conference or on a business trip, etc).
To avoid MFA fatigue, we would like scenario 1 not to have an MFA prompt, while for scenario 2 we would like to have MFA to ensure the legit usage of managed devices. Is this doable via conditional access control? To add a little bit of complexity, we use DUO MFA and understand using custom control won't support certain features. To avoid MFA fatigue, we are told to disable Continuous Access Evaluation at the CA policy to support scenario 1. Is there any security concern if we disable CAE? Or is there any method we can use to avoid MFA fatigue but still have MFA control? Any feedback/suggestions will be greatly appreciated. Thank you! Sally
Solved

Any potential concern of large SharePoint document libraries (>5,000)?
Hi SPO community, our organization is currently in the process of migrating on-premises file shares to SharePoint Online (SPO). To accommodate users who are unwilling to relinquish their folder structure, the migration team has opted to move the nested folder structure, along with all the files, into a single document library. Consequently, this has resulted in significantly larger document libraries (>5,000 items). The largest one currently holds 131,000 files with multiple layers of folders. Fortunately, with the nested folder structure the 5,000 item view restriction is not a concern for our users. However, my main apprehension revolves around potential post-migration maintenance issues. One particular concern is that with over 20,000 items, auto-indexing may not occur, which could potentially impact the Search function adversely. I am curious if there are any other potential concerns associated with creating such large document libraries. If you possess any insights or information to share on this matter, I would be extremely grateful. Thank you in advance!
Solved, 3.9K Views, 0 Likes, 6 Comments

Best practices for container sensitivity labels
Hi all, my company is trying to leverage Sensitivity labels for Teams and hoping to help with Teams external sharing (currently guest access is not allowed). There are a couple of concerns:
1. Should we use the same set of label names as File Sensitivity labels? The concern is that in the future, if container labels are inherited by files inside, then it will be too complicated for my users to understand how it works.
2. The thought is to have three container labels (Public, Non-public and Confidential). The concern is how to deal with users adding highly confidential files (with a File label) to Public Teams and sharing externally. I don't see any alerts we can use, nor can we use DLP to block it (from what I understand container labels don't work in DLP). Is there any alerting system to inform users/admins or prevent it from happening?
Want to see how everyone uses container labels for Teams. Any information you may share/suggest is greatly appreciated! Sally

Can Auto-labeling apply to more than 100 SPO/ODFB sites?
Dear all, my company is in the process of purchasing E5 and EMS E5 licenses and hoping to use auto-labeling features for my 2000+ site collections with tons of sub sites at some site collections. While researching more technical details about this feature, I have come across this article: Apply a sensitivity label to content automatically. While reading, one item caught my eye, specifically for SPO and ODFB: "Maximum of 10 auto-labeling policies per tenant, each targeting up to 10 sites (SharePoint or OneDrive)". My understanding of this is that I can only apply labels to up to 100 sites! I am not sure whether the sites refer to site collections or sub sites, but clearly I have more than 100 of either type of site. Am I reading it wrong or is it an actual technical limitation of this auto-labeling feature? As I indicated, my SPO has more than 1000 site collections and some have more than 1000 sub sites - 10 times more than the limitation. I have 9000+ users so have that many ODFB sites created too. How can I use the auto-labeling feature for my SPO and ODFB environment? Any suggestion is greatly appreciated. Sally
949 Views, 0 Likes, 0 Comments

CSOM code needs to use modern authentication
To whom may be willing to help, I am an O365 Global administrator with very little knowledge about code. We ran into issues and need help. With no coding background I am seeking help for some basic knowledge to educate myself first. We have migrated all SharePoint sites to O365 but site provisioning and some custom processes are still using old CSOM code developed while we were on-prem. We use those for a couple of tasks:
1. site provisioning
2. Read list items, check the date and send a notification if items will expire soon
3. Search files and copy to another file share location
4. Roll up tasks to the root site
All that customized code worked fine until I configured SPO to block access for "Apps that don't use modern authentication" -- service account login failed. After troubleshooting and checking by other teammates I was told a couple of things:
* SPO API works but does not function properly with the modern authentication method
* The PnP Core is in Beta which tends to have errors so isn't useful for production code
* The Graph API lacks some critical functionality so isn't useful either.
I am trying to understand the statements and do some research to educate myself. I just read the MS article "Provisioning "modern" team sites programmatically" where it talks about using the PnP CSOM core component to provision sites. After reading the article I have a couple of questions and am wondering if someone is willing to help me understand:
1. It looks like the PnP Core component was released in 10/2017. Is it still in Beta and does it not use modern authentication? Or are they different components? If it's the latter, which one should be used for site provisioning and can do the modern authentication? Is there any GitHub example for such a case? I did a Google search which shows a couple of results. But I don't know which one uses modern authentication.
2. Just like SharePoint itself, there are always several ways of doing the same tasks. I heard about SharePoint Framework and all those APIs, .NET Core, etc. In terms of tasks like what we are doing (site provisioning, read/copy files, etc), which is (are) the recommended method(s) for us? I know it's a broad question and depends on the solutions/scenarios. I just want to know in general at a high level when to use what so I can do more digging to learn more. Any information you can provide is greatly appreciated! Thanks in advance!!! Sally
6.8K Views, 0 Likes, 3 Comments