Azure Firewall: New Monitoring and Logging Updates

Contributors: Eliran Azulai and Yuval Pery

Monitoring, management, and innovation are core pillars of Azure Firewall. With this in mind, we are delighted to share the following new capabilities:

  • Resource Health is now in public preview

  • Embedded Firewall Workbooks is now in public preview

  • Latency Probe Metric is now in general availability

When you monitor the firewall, it is the end-to-end experience that we continuously strive to improve. Our aim is to empower you to make informed decisions quickly and meet your organization’s security demands. Understanding the importance of visibility into your network, this release focuses on making it easier for you to monitor, manage, and troubleshoot your firewalls more efficiently.

Azure Firewall is a cloud-native firewall as a service offering that enables customers to centrally govern and log all their traffic flows using a DevOps approach. The service supports both application and network-level filtering rules and is integrated with the Microsoft Threat Intelligence feed to filter known malicious IP addresses and domains. Azure Firewall is highly available with built-in auto-scaling.

Resource Health is now in public preview

With the Azure Firewall Resource Health check, you can now view the health status of your Azure Firewall and address service problems that may affect your Azure Firewall resource. Resource Health allows IT teams to receive proactive notifications regarding potential health degradations and recommended mitigation actions for each health event type. For instance, you can determine if the firewall is running as expected with an “Available” status or if there was downtime due to platform events with an “Unavailable” status.

This preview is automatically enabled on all firewalls, and no action is required to enable this functionality. For more information, see Azure Resource Health overview – Azure Service Health | Microsoft Learn.

Figure: Easily view the resource health status and history of your firewall

Embedded Firewall Workbooks are now in public preview

The Azure Firewall Workbook presents a dynamic platform for analyzing Azure Firewall data. Within the Azure portal, you can use it to generate visually engaging reports. It can pull data from multiple Azure Firewalls deployed throughout your Azure infrastructure and combine them into one cohesive, interactive experience.

With the Azure Firewall Workbook, you can extract valuable insights from Azure Firewall events, delve into your application and network rules, and examine statistics regarding firewall activities across URLs, ports, and addresses. It enables you to filter your firewalls and resource groups, and effortlessly narrow down data sets based on specific categories when investigating issues in your logs. The filtered results are presented in a user-friendly format, making it easier to comprehend and analyze.

Now, Azure Firewall predefined workbooks are two clicks away and fully available from the Monitor section in the Azure Firewall Portal UI:

Figure: View valuable insights in a dashboard view using Azure Firewall Embedded Workbooks

Latency Probe metric is now generally available

The Latency Probe metric is designed to measure the overall latency of Azure Firewall and provide insight into the health of the service. IT administrators can use the metric for monitoring and alerting when there is observable latency, and for diagnosing whether the Azure Firewall is the cause of latency in a network. This troubleshooting metric is helpful for proactively addressing potential issues with traffic or services in your infrastructure.

Azure Firewall latency can have various causes, such as high CPU utilization, throughput, or networking issues. As an important note, this tool is powered by Ping Mesh technology, which means that it measures the average latency of ping packets to the firewall itself. The metric does not measure end-to-end latency or the latency of individual packets.

Figure: View the overall latency of the Azure Firewall using the Latency Probe metric

Learn more

When you’re ready to try these new capabilities, navigate to Azure Firewall Monitoring in the Azure Portal and select Logs, Metrics, or Workbooks. If you do not have logs yet, go to the Azure Firewall Diagnostic settings to get started. And keep sending us feedback: just tap the feedback icon in the Azure Portal. Your feedback is invaluable in crafting an improved experience that caters to your specific needs.
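As an added example (not code from the post or from the Azure Firewall team), the following Az PowerShell script wires up the pieces this section relies on: it turns on diagnostic logging to a Log Analytics workspace so the Logs and Workbooks views have data, reads the current Resource Health status, and creates a metric alert on the Latency Probe metric. The resource group, firewall, workspace and action group names, the 30 ms threshold and the Resource Health API version are assumptions; the metric ID FirewallLatencyPng is assumed to be the ID behind the “Latency Probe” display name and should be confirmed in the portal’s metric picker.

```powershell
# Added example, not from the original post. Requires Az.Network, Az.Monitor (4.x or later for
# the New-AzDiagnosticSetting cmdlets) and Az.OperationalInsights, and an existing
# Connect-AzAccount login. All names below are placeholders.
$rg     = "rg-hub-network"   # placeholder resource group
$fwName = "fw-hub"           # placeholder Azure Firewall name
$wsName = "law-security"     # placeholder Log Analytics workspace
$agName = "ag-netops"        # placeholder action group that receives alerts

$fw = Get-AzFirewall -ResourceGroupName $rg -Name $fwName
$ws = Get-AzOperationalInsightsWorkspace -ResourceGroupName $rg -Name $wsName
$ag = Get-AzActionGroup -ResourceGroupName $rg -Name $agName

# 1. Diagnostic settings: the Logs and Workbooks views stay empty until these exist.
#    Discover the firewall's log categories instead of hard-coding their names, and
#    write them to resource-specific (dedicated) tables in the workspace.
$logSettings = Get-AzDiagnosticSettingCategory -ResourceId $fw.Id |
    Where-Object { $_.CategoryType -eq "Logs" } |
    ForEach-Object { New-AzDiagnosticSettingLogSettingsObject -Category $_.Name -Enabled $true }

New-AzDiagnosticSetting -Name "fw-logs-to-law" -ResourceId $fw.Id `
    -WorkspaceId $ws.ResourceId -Log $logSettings `
    -LogAnalyticsDestinationType Dedicated | Out-Null

# 2. Resource Health: read the current availability state ("Available" / "Unavailable").
#    The API version is an assumption; adjust it if your tenant reports a different one.
$health = Invoke-AzRestMethod -Method GET `
    -Path "$($fw.Id)/providers/Microsoft.ResourceHealth/availabilityStatuses/current?api-version=2020-05-01"
$status = ($health.Content | ConvertFrom-Json).properties
Write-Host ("Resource Health: {0} - {1}" -f $status.availabilityState, $status.summary)

# 3. Latency Probe alert. The metric is a ping-mesh average to the firewall itself, so a
#    breach means "look at the firewall" (CPU, throughput, platform issue), not an
#    end-to-end SLA violation. 30 ms over 5 minutes is a constructed threshold.
$criteria = New-AzMetricAlertRuleV2Criteria -MetricName "FirewallLatencyPng" `
    -MetricNamespace "Microsoft.Network/azureFirewalls" `
    -TimeAggregation Average -Operator GreaterThan -Threshold 30

Add-AzMetricAlertRuleV2 -Name "fw-latency-probe-high" -ResourceGroupName $rg `
    -TargetResourceId $fw.Id -Condition $criteria -ActionGroupId $ag.Id `
    -WindowSize 00:05:00 -Frequency 00:01:00 -Severity 2 `
    -Description "Azure Firewall Latency Probe average above 30 ms for 5 minutes" | Out-Null

# 4. Quick check of the last hour of the metric, the same data the portal chart shows.
Get-AzMetric -ResourceId $fw.Id -MetricName "FirewallLatencyPng" `
    -MetricNamespace "Microsoft.Network/azureFirewalls" `
    -StartTime (Get-Date).AddHours(-1) -EndTime (Get-Date) `
    -TimeGrain 00:05:00 -AggregationType Average |
    Select-Object -ExpandProperty Data |
    Format-Table Timestamp, Average
```

Run it once per firewall after Connect-AzAccount. The alert deliberately uses a 5-minute average window rather than a single sample, because the probe is an average of ping packets to the firewall and a single high reading says little about the firewall’s health.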



Learn more in the following support articles:

  • Latency Probe metric – Microsoft Learn

  • Resource Health – Microsoft Learn

  • Azure Firewall Workbook – Microsoft Learn

  • Azure Firewall – Microsoft Learn

  • Azure Firewall Manager – Microsoft Learn

About the author

Suren Jamiyanaa is a Product Manager in Azure Network Security. She joined the team in 2019 where she focuses on innovating the Azure Firewall product for customers in a modern cloud network strategy. 

Tips & Tricks #5: Unable to login to Azure SQL Managed Instance using AAD Integrated

Issue:

Attempts to log in to Azure SQL Managed Instance (MI) from SQL Server Management Studio (SSMS) using AAD-Integrated authentication keep failing with the error below. However, the same user can connect to the MI using AAD-Password, AAD-MFA, and SQL Authentication without any issue:

Figure: the SSMS connection error dialog

Below is the detailed error from SSMS:


===================================


Cannot connect to mySQLMI.xxxxxx.database.windows.net.


===================================


One or more errors occurred. (mscorlib)


——————————
Program Location:


   at System.Threading.Tasks.Task.ThrowIfExceptional(Boolean includeTaskCanceledExceptions)
   at System.Threading.Tasks.Task.Wait(Int32 millisecondsTimeout, CancellationToken cancellationToken)
   at System.Data.SqlClient.SqlInternalConnectionTds.GetFedAuthToken(SqlFedAuthInfo fedAuthInfo)
   at System.Data.SqlClient.SqlInternalConnectionTds.OnFedAuthInfo(SqlFedAuthInfo fedAuthInfo)
   at System.Data.SqlClient.TdsParser.TryRun(RunBehavior runBehavior, SqlCommand cmdHandler, SqlDataReader dataStream, BulkCopySimpleResultSet bulkCopyHandler, TdsParserStateObject stateObj, Boolean& dataReady)
   at System.Data.SqlClient.TdsParser.Run(RunBehavior runBehavior, SqlCommand cmdHandler, SqlDataReader dataStream, BulkCopySimpleResultSet bulkCopyHandler, TdsParserStateObject stateObj)
   at System.Data.SqlClient.SqlInternalConnectionTds.CompleteLogin(Boolean enlistOK)
   at System.Data.SqlClient.SqlInternalConnectionTds.AttemptOneLogin(ServerInfo serverInfo, String newPassword, SecureString newSecurePassword, Boolean ignoreSniOpenTimeout, TimeoutTimer timeout, Boolean withFailover, Boolean isFirstTransparentAttempt, Boolean disableTnir)
   at System.Data.SqlClient.SqlInternalConnectionTds.LoginNoFailover(ServerInfo serverInfo, String newPassword, SecureString newSecurePassword, Boolean redirectedUserInstance, SqlConnectionString connectionOptions, SqlCredential credential, TimeoutTimer timeout)
   at System.Data.SqlClient.SqlInternalConnectionTds.OpenLoginEnlist(TimeoutTimer timeout, SqlConnectionString connectionOptions, SqlCredential credential, String newPassword, SecureString newSecurePassword, Boolean redirectedUserInstance)
   at System.Data.SqlClient.SqlInternalConnectionTds..ctor(DbConnectionPoolIdentity identity, SqlConnectionString connectionOptions, SqlCredential credential, Object providerInfo, String newPassword, SecureString newSecurePassword, Boolean redirectedUserInstance, SqlConnectionString userConnectionOptions, SessionData reconnectSessionData, DbConnectionPool pool, String accessToken, Boolean applyTransientFaultHandling, SqlAuthenticationProviderManager sqlAuthProviderManager)
   at System.Data.SqlClient.SqlConnectionFactory.CreateConnection(DbConnectionOptions options, DbConnectionPoolKey poolKey, Object poolGroupProviderInfo, DbConnectionPool pool, DbConnection owningConnection, DbConnectionOptions userOptions)
   at System.Data.ProviderBase.DbConnectionFactory.CreateNonPooledConnection(DbConnection owningConnection, DbConnectionPoolGroup poolGroup, DbConnectionOptions userOptions)
   at System.Data.ProviderBase.DbConnectionFactory.TryGetConnection(DbConnection owningConnection, TaskCompletionSource`1 retry, DbConnectionOptions userOptions, DbConnectionInternal oldConnection, DbConnectionInternal& connection)
   at System.Data.ProviderBase.DbConnectionInternal.TryOpenConnectionInternal(DbConnection outerConnection, DbConnectionFactory connectionFactory, TaskCompletionSource`1 retry, DbConnectionOptions userOptions)
   at System.Data.ProviderBase.DbConnectionClosed.TryOpenConnection(DbConnection outerConnection, DbConnectionFactory connectionFactory, TaskCompletionSource`1 retry, DbConnectionOptions userOptions)
   at System.Data.SqlClient.SqlConnection.TryOpenInner(TaskCompletionSource`1 retry)
   at System.Data.SqlClient.SqlConnection.TryOpen(TaskCompletionSource`1 retry)
   at System.Data.SqlClient.SqlConnection.Open()
   at Microsoft.SqlServer.Management.SqlStudio.Explorer.ObjectExplorerService.ValidateConnection(UIConnectionInfo ci, IServerType server)
   at Microsoft.SqlServer.Management.UI.ConnectionDlg.Connector.ConnectionThreadUser()


===================================


One or more errors occurred. (mscorlib)


——————————
Program Location:


   at System.Threading.Tasks.Task.ThrowIfExceptional(Boolean includeTaskCanceledExceptions)
   at System.Threading.Tasks.Task`1.GetResultCore(Boolean waitCompletionNotification)
   at System.Threading.Tasks.Task`1.get_Result()
   at System.Data.SqlClient.SqlInternalConnectionTds.<>c__DisplayClass134_1.<>b__0()
   at System.Threading.Tasks.Task`1.InnerInvoke()
   at System.Threading.Tasks.Task.Execute()


===================================


<S:Envelope xmlns:wsa="http://www.w3.org/2005/08/addressing" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy" xmlns:wst="http://schemas.xmlsoap.org/ws/2005/02/trust" xmlns:S="http://www.w3.org/2003/05/soap-envelope">
  [WS-Trust response; the markup was garbled in the original post, so only the recoverable elements are listed]
  wsa:Action (S:mustUnderstand="1", wsu:Id="Action"): http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/Issue
  wsa:To (S:mustUnderstand="1", wsu:Id="To"): http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous
  wsse:Security (S:mustUnderstand="1") / wsu:Timestamp (wsu:Id="TS"): 2021-06-03T14:54:06.2749193Z, 2021-06-03T14:59:06.2749193Z
  SOAP fault (xmlns:psf="http://schemas.microsoft.com/Passport/SoapServices/SOAPFault"): error codes 0x8004882c, 0x80045b00
</S:Envelope> (System.Data)

Reason:

This error may occur when the computer account “AZUREADSSOACC” has a problem, such as having been removed or disabled for some reason.

How this account is created:

When you enable the Azure Active Directory Seamless Single Sign-On feature from the Portal, this account is created in your on-premises Active Directory (AD) in each AD forest that you synchronize to Azure AD (using Azure AD Connect), along with a number of Kerberos service principal names (SPNs) that are used during the Azure AD sign-in process.

The Azure Active Directory Seamless Single Sign-On feature lets users log in to Azure SQL without typing their passwords and, usually, without even typing their usernames, as shown below:

Figure: signing in to Azure SQL with Seamless Single Sign-On

Mitigation:

  • If the user removed the computer account “AZUREADSSOACC”, we recommend re-enabling the Azure Active Directory Seamless Single Sign-On feature if possible.

  • If the user disabled the computer account “AZUREADSSOACC”, they can follow the steps below to enable it again:

    • To open Active Directory Users and Computers, click Start, click Control Panel, double-click Administrative Tools, and then double-click Active Directory Users and Computers.

    • In the console tree, click Computers.

      Where? Active Directory Users and Computers \ domain node \ Computers

      Or, click the folder that contains the computer account that you want to enable, as shown below:

      Figure: the Computers container in Active Directory Users and Computers

    • In the details pane, right-click the desired computer account, and then click Enable Account.
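The same check and fix from PowerShell, as an added example that is not part of the original post: it looks up the AZUREADSSOACC computer account in each synchronized forest, reports whether it is enabled and which SPNs it carries, and re-enables it (the equivalent of Enable Account in Active Directory Users and Computers) if it was only disabled. It assumes the RSAT ActiveDirectory module and an account with rights to change the object; the forest name is a placeholder.

```powershell
# Added example, not from the original post. Requires the RSAT ActiveDirectory module and
# permission to modify the AZUREADSSOACC computer account. Forest names are placeholders.
Import-Module ActiveDirectory

# One entry per AD forest synchronized to Azure AD (the account exists in each of them).
$forests = @("corp.contoso.example")   # placeholder forest FQDNs

foreach ($forest in $forests) {
    $acct = Get-ADComputer -Server $forest -Identity "AZUREADSSOACC" `
        -Properties Enabled, ServicePrincipalNames, whenChanged -ErrorAction SilentlyContinue

    if (-not $acct) {
        # Deleted, not just disabled: the recommended fix is to re-enable Seamless SSO in
        # Azure AD Connect, which recreates the account and its SPNs, rather than creating
        # the object by hand.
        Write-Warning "$forest : AZUREADSSOACC not found. Re-enable Seamless SSO in Azure AD Connect."
        continue
    }

    Write-Host ("{0} : AZUREADSSOACC Enabled={1} LastChanged={2}" -f $forest, $acct.Enabled, $acct.whenChanged)
    Write-Host ("  SPNs: {0}" -f ($acct.ServicePrincipalNames -join ", "))

    if (-not $acct.Enabled) {
        # Same action as "Enable Account" in Active Directory Users and Computers.
        Enable-ADAccount -Server $forest -Identity $acct
        Write-Host "  Re-enabled AZUREADSSOACC; retry the AAD-Integrated login from SSMS."
    }
}
```

Because the Kerberos key of this account is what lets Azure AD accept desktop SSO tickets, changes to it are worth auditing: a disable shows up as a computer account change (event ID 4742) and a deletion as event ID 4743 on the domain controller, which gives you a detection for this outage before users start reporting failed SSMS logins.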






For more information about this issue, please refer to the following documents:

Microsoft Purview in the Real World (August 11, 2023) – Encrypted Emails and Purview eDiscovery

Disclaimer

This document is not meant to replace any official documentation, including those found at docs.microsoft.com.  Those documents are continually updated and maintained by Microsoft Corporation.  If there is a discrepancy between this document and what you find in the Compliance User Interface (UI) or inside of a reference in docs.microsoft.com, you should always defer to that official documentation and contact your Microsoft Account team as needed.  Links to the docs.microsoft.com data will be referenced both in the document steps as well as in the appendix.


All the following steps should be done with test data, and where possible, testing should be performed in a test environment.  Testing should never be performed against production data.

Target Audience

Microsoft customers who want to better understand Microsoft Purview.

Document Scope

The purpose of this document (and series) is to provide insights into various use cases, announcements, customer-driven questions, etc.  It is not meant as the final answer to all Purview-related questions.

Topics for this blog entry

Here are the topics covered in this issue of the blog:



  • Topic – Purview related eDiscovery and Office Message Encrypted (OME) emails

  • Use Case #1 – legal or HR review of Office Message Encrypted (OME) emails within Purview eDiscovery

  • Use Case #2 – legal or HR review of OME emails that have been exported from Purview to a PST and/or Exchange Mailbox and then opened within an Outlook thick client.

Out-of-Scope

This blog series and entry are only meant to provide information; for your specific use cases or needs, it is recommended that you contact your Microsoft Account Team to find other possible solutions.

Not done – OME and eDiscovery

1 – Role-Based Access Control (RBAC) for Purview

If you want to leverage Purview RBAC roles to access and view emails/files, you will need to open the Purview eDiscovery console.  The Purview RBAC roles are not “usable” within Outlook thick or thin clients.

Here is a link to the RBAC information and a screenshot relating specifically to the Review role within that RBAC:

Assign eDiscovery permissions in the Microsoft Purview compliance portal | Microsoft Learn

Figure: the Review role in the eDiscovery permissions documentation

2 – Accessing emails that have been encrypted via OME inside of Purview eDiscovery

  • Let us first understand how Purview deals with encrypting/decrypting data as it relates to eDiscovery.  The following chart from the Microsoft documentation should shed more light on what is decrypted in the Standard and Premium versions of Purview.

Decryption in Microsoft Purview eDiscovery tools | Microsoft Learn

Figure: what is decrypted in Purview eDiscovery Standard and Premium


  • The following link and screenshot from the Microsoft documentation show which Purview eDiscovery tasks can be run on encrypted data.

Decryption in Microsoft Purview eDiscovery tools | Microsoft Learn

Figure: Purview eDiscovery tasks that can be run on encrypted data

  • In conclusion, if you have the proper version of Purview eDiscovery (i.e. Premium) and the proper RBAC role, you can view emails that have been encrypted using OME.

3 – Accessing emails that have been encrypted via OME and then exported to a PST and/or Exchange mailbox

Before we start this section, please note that review of eDiscovery related data from within Outlook is not a Microsoft best practice.  We recommend you perform your reviews from within Purview eDiscovery or another eDiscovery solution designed for legal and HR investigations.

With that being stated, let us look at what options are available if you do decide to try and review encrypted (OME) email that has been exported from Purview eDiscovery.

  • First, let us return to the supported decryption chart from above; there we can see which versions of Purview support decryption of data when exporting to PST files.

Decryption in Microsoft Purview eDiscovery tools | Microsoft Learn

Figure: decryption support when exporting to PST files

  • Next, let us again return to one of the charts above and notice that you can export encrypted data (to email/PST).  Export applies to encrypted data, but it DOES NOT decrypt the data as part of the export process.

Decryption in Microsoft Purview eDiscovery tools | Microsoft Learn

Figure: export of encrypted data to email/PST

  • So, this raises the following question:

    • Question – if my data is exported and still encrypted with OME, how can I read OME emails from the exported PST file?

  • Answer – The official answer is that you need additional rights tied back to RMS, in particular the RMS Decrypt role.  Please note the information in the following link and screenshot for specifics.

Decryption in Microsoft Purview eDiscovery tools | Microsoft Learn

Figure: the RMS Decrypt role requirement for reading exported OME content

From the link and screenshot above, there are two items listed:

  • You need to assign the RMS Decrypt role to your user performing the review.  This is separate from the Reviewer role specific to Purview eDiscovery.

  • It is recommended that you run the ScanPST.exe tool on the exported PST.  This tool does not decrypt data; it only verifies and repairs PST files that might have become corrupted.
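As an added example that is not part of the original post, the Security & Compliance PowerShell script below covers both items: it lists which compliance role groups already grant RMS Decrypt and who is in them (so the right stays scoped to the people doing the review rather than living in broad admin groups), adds the named reviewer only if they do not already hold it, and then launches ScanPST.exe against the export. It assumes the ExchangeOnlineManagement module, that the role is named “RMS Decrypt” in PowerShell as it is in the portal, that the reviewer’s primary SMTP address equals the UPN used, and an Office install under Program Files; the reviewer address and group name are placeholders.

```powershell
# Added example, not from the original post. Requires the ExchangeOnlineManagement module and
# an account allowed to manage compliance role groups. Names below are placeholders.
Import-Module ExchangeOnlineManagement
Connect-IPPSSession   # Security & Compliance PowerShell endpoint

$reviewer  = "reviewer@contoso.example"   # placeholder reviewer (primary SMTP = UPN assumed)
$roleName  = "RMS Decrypt"                # role name assumed to match the portal
$groupName = "OME Export Reviewers"       # placeholder dedicated role group

# Who can already decrypt? RMS Decrypt is separate from the eDiscovery Reviewer role and is
# not limited to a review set, so membership should stay small and reviewable.
$decryptGroups = Get-RoleGroup | Where-Object { $_.Roles -match $roleName }
$holders = @()
foreach ($g in $decryptGroups) {
    $members  = Get-RoleGroupMember -Identity $g.Name
    $holders += $members | Select-Object -ExpandProperty PrimarySmtpAddress
    Write-Host ("{0}: {1}" -f $g.Name, (($members | Select-Object -ExpandProperty Name) -join ", "))
}

if ($holders -contains $reviewer) {
    Write-Host "$reviewer already holds $roleName; nothing to change."
} elseif (Get-RoleGroup -Identity $groupName -ErrorAction SilentlyContinue) {
    Add-RoleGroupMember -Identity $groupName -Member $reviewer
} else {
    # A dedicated group carrying only RMS Decrypt keeps this right out of broader admin groups
    # and makes it easy to remove once the review is finished.
    New-RoleGroup -Name $groupName -Roles $roleName -Members $reviewer | Out-Null
}

# Second item from the post: ScanPST.exe checks and repairs PST structure; it decrypts nothing.
# The Office install location is an assumption; pick the exported PST in the tool's dialog.
$scanPst = Get-ChildItem -Path "$env:ProgramFiles\Microsoft Office" -Recurse -Filter "SCANPST.EXE" `
    -ErrorAction SilentlyContinue | Select-Object -First 1
if ($scanPst) { Start-Process -FilePath $scanPst.FullName } else { Write-Warning "SCANPST.EXE not found." }
```

Run the first half again when the review closes and remove the reviewer from the group: the listing at the top is the same check an auditor would perform to see who can open OME-protected mail outside eDiscovery.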


 


Important Note

For a deeper understanding of what rights are needed and the workflow you should follow (if you are pursuing this email review process), contact your Microsoft Account Manager or a certified Microsoft Partner.

Appendix and Links