Teams Real Simple with Pictures: Deploying Microsoft Entra Internet Access in Preparation for Teams

Ok - 17 days to the holiday and counting! But before I get to a beach on the Atlantic, one of the things I really wanted to do is ensure I get the opportunity to get a blog down on Microsoft Entra Internet Access. I think it's going to be an important solution moving forward. So this begs the question - what exactly is it? And why do I think it's important? Microsoft Entra Internet Access (MEIA) is part of the Microsoft Entra Global Secure Access service, defined as 'securing access to Microsoft 365, SaaS, and public internet apps while protecting users, devices, and data against internet threats...'. Announced alongside Private Access at the Microsoft Entra moment prior to Inspire back in July, it's an '..identity-centric, device-aware, cloud-delivered Secure Web Gateway (SWG)' which is part of Microsoft's SASE/SSE strategy alongside Defender for Cloud Apps. Chances are you've already seen something like this from the likes of Z-Scaler and Palo Alto. But this is Microsoft's proprietary gateway built right into Microsoft Entra. That's awesome. But aside from being a net new proprietary feature, what's its value? The importance of the SWG is, amongst other things, its ability to prevent attacks such as token replay attacks and attacker in the middle (AITM) attacks by ensuring conditional access to Microsoft 365 services through compliant networks and endpoints. Therefore, as attacks are becoming more sophisticated and we are seeing things such as token theft being used to breach tenants or bypass MFA, new defences such as a SWG are as timely as they are necessary. For me? This could become as fundamental as MFA and Conditional Access. Now, at the time of writing, this solution is actively being developed and Teams itself isn't supported. But we know it will be. And it will be soon. The point is this shouldn't be a blocker to implementation - it'll still cover Exchange, SharePoint, OneDrive and other things such as the Graph, so let's not wait - let's get it in for Teams.
So this blog is an exploratory one. It's the tip of the iceberg and you'll want to investigate your own scenarios, read others' blogs and bear in mind that whilst it's currently for Windows only, it'll cover more in the future. I know this is something that we'll be collectively working on and writing more about in the future.

Teams Real Simple with Pictures: Making Teams Just in Time with PIM for Groups

So I booked a holiday to Gran Canaria last week. The positives: time with the family, late summer sun, changing it up with the scenery and a great package and price. Negatives: it's on 20th September so large parts of my workload are now super time sensitive. It's going to be wild. For real. But here on the bank-holiday weekend in the UK I've got a little time to write: and today I have decided to do it on the idea of making Teams Just in Time (JIT) which, I guess, is a concept very applicable to my own situation. So why would we do this? Well, one of the issues we have in Teams is that we don't need access to all Teams all the time, and also we have access to Teams that sometimes we don't need to have access to all the time. In other words, there could be reasons why we need Just in Time access, and don't need what's called standing access. For example, I need to access a Team for a day in order to access specific assets in that team, or apps built within that team. I am sure you can think of your own. Now, we could go down another route and use Entitlement Management, Access Packages and Access Reviews, right? Yeah, we could. But let's say I only want to give access for a specific period of time, to do something specific, and then the user is removed and has to apply again to be added to it, and that's all auditable at the same time. This is where PIM for Groups will come into its own, especially where Entra ID roles are group specific. A team which shows for a specific period of time to do what's needed and collaborate with others, and disappears again when the time limit is reached. I personally think this one is worth exploring as it could really change the way we think of Teams.

Teams Real Simple with Pictures: Removing and Modifying users appearing in the Org Chart

This week I am off to Ireland in person for the first time since the pandemic. Exciting. But I have a ton to get through. My own conference Metaverse One is on Wednesday (please feel free to register, it's 100% free to attend), speaking at Microsoft Ireland is on Wednesday, and to top things off I have Bizz Summit on Saturday. So yeah. Full on. This week is going to be something short and it's another enquiry I got from the Microsoft Tech Community a few weeks back. It was as follows: I can't remove a person I want to from the org chart in Microsoft Teams. So how do we do it? Seemed a pretty fair question: people move within organisations all the time, and it's unlikely Microsoft would ship a piece of functionality which couldn't be modified. Not of this nature. But the thing was I knew how to do it and was pretty familiar with it, having deployed Azure AD hundreds of times in the past in addition to reviewing Profile+ some time back, which is also dependent on this functionality. So how do we do it?

Teams Real Simple with Pictures: Nested Dynamic Groups via Azure AD in Entra

So imagine this scenario. Say we have two teams in our organisation. One team is the Sales Team. The other is the Marketing Team. I need to ensure specific users are part of the Sales Team dependent upon their role. I need to then make sure that specific users are part of the Marketing Team dependent upon their role. For this? We can use Dynamic Groups. But now we need to ensure that everyone in the Sales and Marketing Teams is also in a third team - the Commercial Team - and this also needs to be done automatically without manual adds. For this we are going to use a new functionality called Nested Dynamic Groups. The membership of Dynamic Group A comprises the users dynamically added to and removed from Dynamic Group B and Dynamic Group C. Sounds pretty nuts. But it's straightforward, as I'll show you. Nested Dynamic Groups support Security Groups and Microsoft 365 Groups - so we can use them for Teams. As a public preview feature there are some caveats, such as not being supported in the rule builder. The full list is in the footnotes; I'm sure they'll knock them out soon.

Teams Real Simple with Pictures: Setting up a Multi-Stage Access Review for Inactive Users in a Team

So Build is in the books. And it was awesome. And I got to catch up with friends such as Vesa Nopanen, Chirag Patel, Sharon Sumner, Al Eardley, Kevin McDonnell, Chris Huntingford and Claire Smyth. I got to speak a bit on Metaverse and delivering next-gen experiences at scale on Microsoft 365. I got to start an Anti-Sticker and Pro-Golf (the car) movement with Garry Trinder. And then there was great food - and I am going to call out the wall full of doughnuts up on the first floor where I was speaking in particular. But all good things must come to an end. And by end I mean an opportunity to do other good things such as getting back to the blog. Now, I was torn between doing something quick and dirty this week, and doing something a bit more intricate. This is because Stranger Things Season 4 came out a few days ago. But however interesting the Mind-Flayer, the Demogorgon, or whoever they've got running around going off their nut in Hawkins this time may be, Azure AD has a few new pieces currently in Preview regarding the old Identity Governance. So this is going to show off both multi-stage access reviews, as well as the ability to now remove Azure AD inactive users within the context of Teams. This will be another tool in the toolkit for dealing with Stale Users and Stale Guests: all of which could be used to get through to your users or your data.