Monday, 3 May 2021

Message Centre to Teams using Power Automate

 This post is made to accompany the YouTube tutorial video here: 

Watch the video to see the configuration in real time! All the steps have been documented in black and white here for your reference.

Note: You will need to have Power Automate licencing in order to run this flow. For more info on Power Apps (including Power Automate) trial licences go here: https://docs.microsoft.com/en-us/powerapps/maker/signup-for-powerapps


Configure API Access:

Before creating the Power Automate flow you first need to create an application registration within Azure AD to allow for authentication and access to the Microsoft Message Centre API.

During this process there are specific values that you will need to take note of in order to provide values for the Power Application connection. These are the TenantID, ClientID,  SecretID which will be generated when you create an App Registration within Azure AD.


Step 1: Setup API Access for the Power Automate Flow

a) Log into the Office 365 Admin Center as a Global Administrator, click Admin Centers in the left-hand menu, and click Azure Active Directory. Alternatively, you could log into http://portal.azure.com with your Office 365 administrator account.


b) In the Azure Administration Console, click Azure Active Directory, and under Manage click App Registrations.


c) Click the "+ New Registration" button:


d) Enter any name for your App such as MessageCentreAPI (must be a minimum of 4 characters):


g) Click the Register button at the bottom of the panel.


h) Once the App has been created, several IDs will be shown for your App.  The "Application (Client) ID" represents the ClientID you need for the flow. The Directory (Tenant) ID is the TenantID that you will also need for the flow.  Copy and save that value to use in your Flow.



i) Click the Certificates and Secrets menu item. Then click "New client secret"



j) In the Add Client Secret screen, enter any name for your key (maximum 16 characters) and select a Duration, after which it will expire (This is an added security feature as you don’t want secrets floating around forever).  Then click Save.


Once saved, the key (or SecretID in our case) will be displayed in the value field. 

Important: The Azure portal will only display the SecretID, at the time when it is initially generated.  You cannot navigate back to this page and retrieve the SecretID again later.



Copy and save that value to use in our Power Automate Flow. Be sure to keep your ClientID and SecretID saved privately and securely. 


Step 2: Grant Required Permissions to Your App

Once you have created the App and saved the ClientID and SecretID, you need to grant permissions to the app so it can access the Message Centre API.  You do this in the Azure portal using the following steps:

a) In the Settings page for your App, click the API Permissions menu item:


b) You will see a default Graph API User.Read permission there. Delete this as you don’t need it:


c) Click Add a Permission:

d) Select Office 365 Management APIs and click Select


e) Select Application Permissions


f) Select the “ServiceHealth.Read” permission:


g) Click Add Permissions

h) Once the permissions have been configured you will still see a warning notification in the Status column because admin consent hasn't been granted yet. Click the “Grant admin consent for <tenant name>” button:


i) Once you have granted consent you will see that the Status has been updated to Granted for <your tenant>:




Step 3: Create Flow from Template:

Within the existing Office 365 templates there is an excellent starter flow that does much of what you need to do. This is called “Email me a weekly summary of Office 365 message center notices” (which really rolls off the tongue):



When you initially open this template it will look like this:



This is a great start but you need to make some changes to make this work the way you need for this scenario. Here is an overview of what you are going to do to each of these components:




 

Step 4: Make changes to the existing template

First thing you need to do it edit the Recurrence time to be 1 day instead of 1 week.


Edit the “Get Office 365 messages” node. Select the “Show Advanced Options” to see all the values that you can edit. In here you need to add the Tenant ID, Client ID and Secret that was created in Azure AD in Step 1.



 Parse Subscribed Services

The original "Parse subscribed services" node from the original template is fine to use without editing. However, it doesn’t have the Category row in it that the Message Centre usually displays (plan for change, stay informed, etc), so this needs to be added:


The schema ends up looking like this:

{
    "type": "object",
    "properties": {
        "value": {
            "type": "array",
            "items": {
                "type": "object",
                "properties": {
                    "AffectedWorkloadDisplayNames": {
                        "type": "array"
                    },
                    "AffectedWorkloadNames": {
                        "type": "array"
                    },
                    "Status": {},
                    "Workload": {},
                    "WorkloadDisplayName": {},
                    "ActionType": {},
                    "AffectedTenantCount": {},
                    "AffectedUserCount": {},
                    "Classification": {},
                    "EndTime": {},
                    "Feature": {},
                    "FeatureDisplayName": {},
                    "Id": {},
                    "ImpactDescription": {},
                    "LastUpdatedTime": {},
                    "MessageType": {},
                    "Messages": {
                        "type": "array",
                        "items": {
                            "type": "object",
                            "properties": {
                                "MessageText": {
                                    "type": "string"
                                },
                                "PublishedTime": {
                                    "type": "string"
                                }
                            },
                            "required": [
                                "MessageText",
                                "PublishedTime"
                            ]
                        }
                    },
                    "PostIncidentDocumentUrl": {},
                    "Severity": {},
                    "StartTime": {},
                    "Category": {},
                    "Title": {}
                },
                "required": []
            }
        }
    }
}

 

Filter Array:

The filter array provided in the template has one filter for looking for the Message Type equaling Message Center. For this daily digest we don’t want to see all the messages but instead we want to see only those from the last day. To do this we will add another filter that only allows messages from the previous day. In this case I am using the last 25 hours to ensure that there is no gap between when a message was added and when the daily reoccurrence fires. To do this click on the Edit in Advanced Mode button and paste in one of the filter options below:


There are two choices on this filter. The first is to only list new items to the list and the second is to list new and updated items.

The filter for new items only for the previous 25 hours looks like this:

@and(equals(item()?['MessageType'], 'MessageCenter'),greater(item()?['StartTime'], addHours(utcNow(), -25)))

The filter for new and updated items for the previous 25 hours looks like this:

@and(equals(item()?['MessageType'], 'MessageCenter'),greater(item()?['LastUpdatedTime'], addHours(utcNow(), -25)))

Choose which ever one suits your needs better.


Conditional – If Statement

After we have filtered the array down it could be that we find that there are no messages. In this case rather than post an empty table we can instead have some text to tell us that there was not messages. To do this create a Condition and check the length of the array. If the array is 0 in length then send the message and if it’s not then continue processing the array.



The expression used here is to check the length of the Filter_array output:

length(body('Filter_array'))

 

If YES

If Yes then send a message “You can relax, there were no new Message Centre message today!”:



If NO

This section will contain the rest of the steps to generate the table and post it. The "If no" section is going to end up looking like the screenshot below. Follow the next steps to create this part of the flow:


 

Create HTML Table

Edit the Create HTML table from the original template to make the values equal those shown below (or you can select the table items that interest you):



In order to get a text list of the Affected Workloads for each Message Centre post you need to split the array and convert it to a string. You do this with the “join” expression:

join(item()?['AffectedWorkloadDisplayNames'],', ')

 

 Compose

Add a new Compose node. This will be used to make some edits to the HTML used in the table.


The expression is expanded in the Expression editor window:


Note: The way the expression pop over is displayed depends on how big your window is. So if it doesn't look like this then expand your window to see all the goodness.


In this compose block we give the HTML table a border to make it look better in Teams. To do this you create an expression where you replace the table tag with a table tag that has a border.

replace(body('Create_HTML_table'),'<table>','<table border="2">')

 

Compose 2


In order to make the table more pretty we give each of the cells 10 pixel padding around it.

replace(outputs('Compose'),'<td>','<td style="padding:10px;">')

 

Compose 3


Finally we make the table super pretty by making the header purple and have white text.

replace(outputs('Compose_2'),'<th>','<th style="padding:10px; background-color:#464EB8; color:white;">')

 

Teams Message

When editing the Teams message text ensure that you're in HTML editing mode and not the plain text editing mode. After doing that you want to enter the following HTML and under the Advanced section add a title (e.g. Daily Message Centre Update):


The HTML:

<html>

<body>

<p>&nbsp</p>

@{outputs('Compose_3')}

</body>

</html>


After doing this you will be done. Delete any remaining nodes that were left over from the initial template and test the flow. 


Daily Digest:

Here is an example of what the output should look like in the designated Teams channel: 



If there are no messages for that day you should see the following message posted in the channel:




Logic Apps


If you have Azure with consumption billing in place then you can also build this same flow and run it for under 1 cent per day using Logic Apps! 




This is a great option if you don't already have Power Automate licencing in Office 365. The one difference is that Logic Apps do not have the template that we used to build the Power Automate version from so there are a couple of extra steps you need to do to build some of the steps. It should be pretty straight forward to figure out based on the information already provided in the Power Automate flow. Here is an example that I built and tested in Logic Apps:




The Wrap Up


Taaa Daaaa, there you have it. Fun times with Power Automate. The great bonus here is that you and your team can now discuss and add conversations around these daily updates to further dig into areas that might be of interest to your business or customers. This can lead to valuable discussions about these changes that are persisted for future review. Enjoy!



Read more →

Thursday, 22 October 2020

Teams Phone Screen Capture Tool

If you’re ever putting together documentation, training material or blog posts on Teams Phones, you don’t want to be in a situation where you are taking photos of the screen of the phone with a camera. Instead it’s always better to get a crisp and clear pixel perfect screen shot. Fortunately, Teams phone devices allow you to do this, however, it’s not very well documented. In this blog post I’m going to take you through the process of taking screen captures on Microsoft Teams phones and also introduce you to a tool that I created for taking screen shots and animated GIFs of your Teams Phone devices.

 

Teams Phone Screen Capture Tool

 

The Teams Phone Screen Capture Tool was created to both make screen captures easier to take and also to create fully marked up animated GIFs of your Teams Phone Screen for documentation, blog posts, training material, etc.


Tool Features:
  • Capture jpeg images of static screen images.
  • Capture animated GIF screen captures
  • Edit the length of captured GIFs
  • Resize captured GIFs
  • Markup captured GIFs with rectangles or circle shapes in multiple colours
  • Currently supports Poly and Yealink devices. AudioCodes is not supported yet due to their current implementation methodology.

 

Version 1.00 – Initial Release


Download from Github

 

 

How to Enable the Screen Capture Feature on Teams Phones

 

The screen capture feature is enabled on each of the Teams phone brands in a slightly different way. I have created a walk through for how it’s done on each device brand.

 

Screen Capture with Poly Teams Phones

 

Step 1: Navigate to Settings > Device Settings > Debug > Screen Capture



Step 2: Navigate to Settings > Device Settings > Admin Only > (Enter Password) > Network Configuration > Web User Interface


Note: The default password is "456".


Step 3: Open the Teams Phone Screen Capture Tool in PowerShell:


IPAddress: Enter the IP Address of the Poly Phone.

Phone Type: Poly

Password: <“456” is the Poly default>

Click the “Show Screen Button”

The tool will then try to connect with the details given. Once connected you should see the screen in real time:


Now you can Save a Screenshot or record an animated GIF.

 

Screen Capture with Yealink Teams Phones


Step 1: Navigate to  Settings > Device Settings > Admin > (Enter Password) > Debug > Screen Capture > Enable

 

Note: The default password is "admin".


Step 2: Open the Teams Phone Screen Capture Tool in PowerShell:


IPAddress: Enter the IP Address of the Yealink Phone

Phone Type: Yealink

Password: <“admin” is the Yealink default>

Click the “Show Screen Button”

The tool will then try to connect with the details given. Once connected you should see the screen in real time:


Now you can Save a Screenshot or record an animated GIF.

  

Screen Capture with AudioCodes Teams Phones


The AudioCodes Teams phones don’t offer the same web-based access to their screen captures taken on a device. For this reason the tool does not support them at the moment. If you do want to take a screen capture on an AudioCodes phone you can but it’s a bit more work. You’ll need an SSH client (Putty will do) and a TFTP client in order to pull down a copy of the screen shot off the phone.


Here are the steps required:

Step 1: Turn on the Screen Capture setting in the phone:  Settings > Device Settings > Device Administratoion > (Enter Password) > Debugging > Screen Capture


Step 2: Access the phone via SSH

Note: The default username/password is "admin"/"admin".


Step 3: Run a TFTP client on your PC



Step 4: Run the commands from the SSH command line:

screencap /sdcard/screen_cap.png

curl -T /sdcard/screen_cap.png tftp://host_ip

 


These commands will make the phone take a screen capture which is saved onto the phone. Then the second command sends the screen capture to your TFTP server which you need to have running and accepting inbound file transfers.

This is not the most elegant of solutions and I hope that AudioCodes adds a web-based method for accessing the screen shots in the future.


GIF Editing Studio


After you have finished capturing the GIF a new window will be displayed that allows you to edit the GIF. The screen looks like this:



If you would like to mark up the GIF with coloured circles or rectangles to highlight something on the screen, you do this by first selecting the frame you want the shape to appear on, then select the "Markup Shape" and "Markup Colour" values, and then you simply click and drag on the image to place the shape where you want it. This will make the shape appear on the particular frame you had selected. If you would like to extend the amount of time it is on the screen for, you select the shape in the "Markup Shapes" list and edit the StartFrame and/or EndFrame column value(s). 

You can also edit the dimensions, location, colour and shape after selecting the shape in the list. Once you have made the changes you want to the selected shape you click the "Update Shape" button and it will save the changes. If you no longer want a shape that you had previously added you select the shape from the list and click the "Delete Shape" button to remove it. Note: when you select a shape in the "Markup Shapes" list the first frame that it appears on will be shown in the image box and the shape will be highlighted in light blue so you know which shape you've selected (if you un-select the shape in the list it's real colour will be displayed).

You can change the length of the animated GIF by changing the "Start Frame" and "End Frame" values underneath the image on the left hand side of the interface. The start and end frames selected will be reflected in the final GIF that is exported from the tool. The "Image Size" value allow you to change the height of the image when you change the height the width will be automatically changed to match. If you are making a long animated GIF then it can be useful to reduce the size of the output in order to keep the file size down on the exported GIF. By default the GIF will loop for an infinite amount of time if you would like it to only loop once you un-check the "Infinite Loop" checkbox.


Teams Admin Portal - Device Setting


You can control the Screen Capture setting that each of the phone brands devices need turned on in order to get access the screen capture images. The setting is found in the Devices > IP Phones > Configuration Profiles (tab) > + Add > Screen Capture:


This allows you to push this setting out to phones if that is how you want to do it. Keep in mind though that the Web User Interface setting required for Poly phones to support screen capturing is not available from the Admin Portal.


The Wrap Up


There you go, a new tool for your screen capturing pleasure. Enjoy!




Read more →

Thursday, 10 September 2020

Using DLP Policy to Block Passwords in Microsoft Teams Chats and Channels

You may have heard that the massive Twitter hack recently came from an admin credentials found in a Slack channelThis raises the question: how can you avoid people putting passwords into Microsoft Teams channels and chats to avoid this kind of situation happening to your business? In the case of Microsoft we are talking about Office 365 passwords being passed around in chats by help desk personnel or staff that didn't realise the potential implications of leaving this data lying around. I had a look through the Microsoft Sensitive Information Types and noticed that there was not a built-in policy for AD and AAD password formats. You may be excused from thinking that the built in DLP policies are the only ones that are available to you. However, you have the ability to create your own DLP policies and, with some fine tuning, make them block things like passwords from being posted in Teams. In this blog post I’m going to give an example of how you could use a custom AD/AAD password Sensitive Information Type to create a DLP policy in Teams for stopping people from sending around Office 365 passwords in Teams chat and channel messages. You could also use the Sensitive Information Type created here with Communications Compliance policies, etc, but we are going to focus on DLP policies for this example. 

Data Loss Prevention Licencing


First things first, let's talk about the licensing that you need to do DLP within Teams. I find the licensing for these security features to be a bit of a minefield, and this is a good example. If you’re talking about DLP for Exchange and SharePoint then you can do that with a Office/Microsoft E3 licence, so of course you would expect the same for Teams. Unfortunately that’s not the case. You need Office/Microsoft E5 licensing (or a handful of different add-on licences) in Teams to take advantage of DLP policies. Here’s a spiel from Microsoft docs that explains it for you:

“Data loss prevention capabilities were recently added to Microsoft Teams chat and channel messages for users licensed for Office 365 Advanced Compliance, which is available as a standalone option and is included in Office 365 E5 and Microsoft 365 E5 Compliance. Office 365 and Microsoft 365 E3 include DLP protection for SharePoint Online, OneDrive, and Exchange Online. This also includes files that are shared through Teams because Teams uses SharePoint Online and OneDrive to share files. Support for DLP protection in Teams Chat requires E5.”

You can read more here: docs

Sensitive Information Types


The concept of a Sensitive Information Type usually relates to matching data that might be considered private or sensitive. This is especially the case when dealing with organisations that might store customer data and have compliance around keeping this data safe and not sending it off site, etc. Microsoft has built many data matching policies for things like passport numbers, US Social Security numbers, Australian Tax File numbers, etc. If you would like to see a list of these pre-built rules and how they match data, there is some good documentation here: docs

Something that’s not on this list is AD or AAD passwords, which in some ways I find to be a bit weird considering this is what’s used for Office 365 sign-ins. 

A Sensitive Information Type is made up of the following things (as described by Microsoft Docs):

  • Primary pattern: employee ID numbers, project numbers, etc. This is typically identified by a regular expression (RegEx), but it can also be a list of keywords.
  • Additional evidence: Suppose you're looking for a nine-digit employee ID number. Not all nine-digit numbers are employee ID numbers, so you can look for additional text: keywords like "employee", "badge", "ID", or other text patterns based on additional regular expressions. This supporting evidence (also known as supporting or corroborative evidence) increases the likelihood that nine-digit number found in content is really an employee ID number.
  • Character proximity: It makes sense that the closer the primary pattern and the supporting evidence are to each other, the more likely the detected content is going to be what you're looking for. You can specify the character distance between the primary pattern and the supporting evidence (also known as the proximity window) as shown in the following diagram:

  • Confidence level: The more supporting evidence you have, the higher the likelihood that a match contains the sensitive information you're looking for. You can assign higher levels of confidence for matches that are detected by using more evidence.

So when you build your own Sensitive Information Type, the main things that you need to worry about are being able to capture the sensitive information using a regular expression, and making a list of words that are likely to be used in close proximity to the text captured by the regular expression. This is what we are going to focus on next.

Primary Regex Pattern


As previously mentioned the primary matching rule is a regular expression. Something that’s not really documented as clearly in the Microsoft docs is that they police the regular expression rules for Sensitive Information Types so you can’t go and put in some super CPU-intensive rule that will affect the performance of the platform. If you put in a Regex expression that doesn’t adhere to these rules, then you will get an “Invalid Regex” error that shows up when you enter your regex. I hit this in the first Password check rules that I created and I had to do some massaging of the regex to get it into a format that passed these rules. Here’s a list of the rules for your reference:

When entering the regex value for a new Sensitive Information Type, the following rules are used to check the regular expression:

1. Cannot begin or end with alternator "|", which matches everything because it's considered an empty match.
For example, "|a" or "b|" will not pass validation.

2. Cannot begin or end with a ".{0,m}" pattern, which has no functional purpose and only impairs performance.
For example, ".{0,50}ASDF" or "ASDF.{0,50}" will not pass validation.

3. Cannot have ".{0,m}" or ".{1,m}" in groups, and cannot have ".*" or ".+" in groups.
For example, "(.{0,50000})" will not pass validation.

4. Cannot have any character with "{0,m}" or "{1,m}" repeaters in groups.
For example, "(a*)" will not pass validation.

5. Cannot begin or end with ".{1,m}"; instead, use just "."
For example, ".{1,m}asdf" will not pass validation; instead, use just ".asdf".

6. Cannot have an unbounded repeater (such as "*" or "+") on a group.
For example, "(xx)*" and "(xx)+" will not pass validation.

More information available here: docs.

Now let's consider the rules that govern what an Active Directory and Azure Active Directory complex password will look like. These are the rules that describe a complex password for both platforms:

Passwords must be a minimum of 8 characters and a maximum of 256 characters.
Passwords require at least include characters that match three out of four of these:
  • Lowercase characters
  • Uppercase characters
  • Numbers (0-9)
  • Symbols
In order for us to capture passwords using a Sensitive Information Type policy, we need to be able to describe the item as a regular expression. To do this you will need to have some RegEx skills and understanding. Teaching RegEx is a bit outside of the scope of this article so rather than doing that I'm going to give one that I prepared earlier. The following Regex fulfills Microsoft’s regex limitations and will match AD/AAD complex password formats as described above. Here is is:

((?=[\S]*?[A-Z])(?=[\S]*?[a-z])(?=[\S]*?\d)|(?=[\S]*?[A-Z])(?=[\S]*?[a-z])(?=[\S]*?[^a-zA-Z0-9])|(?=[\S]*?[A-Z])(?=[\S]*?\d)(?=[\S]*?[^a-zA-Z0-9])|(?=[\S]*?[a-z])(?=[\S]*?\d)(?=[\S]*?[^a-zA-Z0-9]))[^\s]{8,256}

Yep, that's quite a hefty regular expression. Feel free to break it down and try to figure out how it works. Or just test it out and see if it works the way you want it to :)


Additional evidence


In addition to just having a Regex rule, we also need to have some additional evidence in the Sensitive Information Type configuration. The additional evidence usually comes in the form of words that might be found near the RegEx matched password. In this case is fairly likely that the word “password” will be included in the same message in which the actual password will be sent. The words that you include in the list will be match any case type (upper or lower or combination) so you only need to put the words in once. For this example, I am going to keep this simple and match some common password variations:

"password","pass","pwd"



Create the Sensitive Information Policy


Log into the https://compliance.microsoft.com/ and open the Data Classification > Sensitive Info Types (tab) and click the "+ Create Info Type" button.

Step 1: Give it a name.


Step 2: Add and element.


Step 3: Enter the regular expression that I detailed earlier. Add the supporting element key word list I mentioned earlier. The minimum count in this case is 1 because we only need to see one of these key words to make a match.

Note: Be careful when you're cutting and pasting quote marks in the key word list. There are different kinds of quote marks that look almost the same but are not the same. The keywords text box is looking for the default vertical quote marks and not the fancier angled quote marks. If you get this wrong then the rule may not match!

Step 4: Set the confidence level. In this case I have set a 100% confidence level because we don't have multiple levels of matching rules and it won't be used in this case. For character proximity I have used 300 characters, which means the key words have to be within 300 characters of the regex pattern match.


Step 5: That's it for creating the sensitivity label.


Step 6: Test the sensitivity label by making a txt document and putting example text in it and uploading it to the test dialog:

Now on to creating the DLP Policy...



Let’s Create the DLP Policy


Log into the https://compliance.microsoft.com/ and open the Data Loss Prevention section and click the "+ Create Policy".

Step 1: I've elected to do this in the new compliance portal. Open the Data Loss Protection section (you may need to select Show All.. at the bottom of the list to see this option) and Create a new policy. Select Custom categories and Custom policy Template.


Step 2: Give it a name:

Step 3: We are just going to use the policy in Teams to stop people sending passwords. On this screen you could also elect to limit the scope of this policy to just help desk and admin staff members to avoid false positives for general users that don't deal with passwords. However in this case, I just left it as All.

Step 4: Select "Create or customise advanced DLP rules"


Step 5: Click "Create rule"


Step 6a: Give it a name and select our previously created Sensitive Info Type for detecting passwords:


Step 6b: Select the Action that you would like taken if a password is found. In this case I am blocking the user from sending the message (what actually happens practically is that the message is sent for a couple of seconds and then replaced with an error message).


Step 6c: I added a policy tip here, however, these don't show up when Teams messages are blocked at the moment. You never know, they might add this in the future so it's worth adding some text here.


Step 6d: I also selected to send an email alert to an angry administrator that will be likely to have some harsh words with the person sending around passwords willy-nilly:



Step 7: Almost finished:

Step 8: Even more almost finished:

Step 9: Yep, finished now:




Let’s Test it Out


What's it look like in practice? Well check this out:



If the user clicks on the "What can I do?" link in the message, they will be able to see details of why the message was blocked and depending on what settings you chose, the DLP policy may have the options to report back that it was incorrectly flagged or to provide a business justification for sending the message:


The user receiving the message will see:


When do DLP Rules Not Work?


Something that you need to be aware of with Teams is that it won’t check for the regex and additional evidence across multiple Teams chat messages. So if someone was to send the password in a separate line, like shown below, it would still send this:


Based on this, don't expect a DLP policy to police people that are trying to get around the system. The expectation is really that your internal users are not deliberately trying to do the wrong thing, but rather, that they have unknowingly done something that they should have tried to avoid.

There is also the potential to block messages where someone was having a legitimate conversation and was not sending a password to someone at all. Here’s an example of people having a conversation that could get blocked by these rules:



The Wrap Up


There it is, if you run a multi-billion dollar social network you too can use DLP to stop your passwords being stored in your Teams channels or chat for eternity by stopping it ever being allowed to be written in the first place. Keep your passwords safe everyone. Till next time.





Read more →

Popular Posts