What are Sensitivity Labels?

Microsoft Purview Sensitivity Labels are a data classification and protection system that helps organizations identify, classify, and protect sensitive information across Microsoft 365 and other services. They help you:

• Classify your data: Define different levels of sensitivity for your data, such as Confidential, Highly Confidential, and Public.
• Protect your data: Apply protection settings to different levels of sensitivity, such as encryption, access restrictions, and data loss prevention.
• Track your data: Track the movement of sensitive data and identify potential data breaches.

Here are some of the benefits of using Microsoft Purview Sensitivity Labels:

• Reduces the risk of data breaches: By classifying and protecting your sensitive data, you can make it more difficult for unauthorized users to access it.
• Improves compliance: Sensitivity labels can help you meet compliance requirements for data privacy and security.
• Increases productivity: By making it easier for users to identify and protect sensitive data, you can help them be more productive.

Allow the creation of Sensitivity Labels

The creation of Sensitivity Labels, may be disabled in your Office 365 tenant. To ensure you can create Sensitivity Labels, run the following script in a PowerShell window. Make sure to change the variables to your environment accordingly.

$AdminCenterURL = "https://dev-admin.sharepoint.com"
Connect-SPOService -Url $AdminCenterURL
Set-SPOTenant -EnableAIPIntegration $true

Import-Module AzureAD
Connect-AzureAD
$Setting = Get-AzureADDirectorySetting -Id (Get-AzureADDirectorySetting | where -Property DisplayName -Value "Group.Unified" -EQ).id
$Setting["EnableMIPLabels"] = "True"
Set-AzureADDirectorySetting -Id $Setting.Id -DirectorySetting $Setting

If you don’t have the AzureAD PowerShell module installed, install it before executing the script by running:

Install-Module AzureAD -AllowClobber

Creating a Sensitivity Label

To create a Sensitivity Label, follow the following steps:

• Access the Microsoft Purview compliance portal at https://compliance.microsoft.com/ with your Microsoft 365 credentiais.
• Select Information protection –> Labels

• Select “Create a label”

• Give the label a name. Example: Confidential. In the end, click Next.

• Define the scope of the label. Choose both “Items” and “Groups & sites”. This will allow you to apply the label to both documents and SharePoint sites. In this post, I will focus on SharePoint sites.

• Choose the protection settings for the labeled items. Select “Apply or remove encryption”. If you want to apply a content marking to the labeled items, select “Apply content marking”.

• Define the encryption settings. Select “Configure encryption settings” with the following parameters:
  • Assign permissions now or let users decide? : Assign permissions now. With this setting, when the label is applied, the permissions we will define below will be applied
  • User access to content expires: Never. With this setting, users will not loose access after a period of time.
  • Allow offline access: Always. With this setting, users may edit documents offline.

In the end, select “Add permissions”.

• For this example, for simplicity, in the “Assign permissions” screen, select “Add any authenticated users”.

• Select “Choose permissions”

• Select “Viewer” permission and click “Save” twice to close the “Assign permission” window.

With this permission, we are granting all authenticated users the Viewer permissions which will grant readonly permissions to the documents classified with this label.

• Next, we want to add edit permissions to a group of users. Select “Assign permission” again.

• Select “Add users or groups” and choose a group of users you want to assign edit permissions to.

• Select the “Reviewer” permission

• Confirm all permissions and click Next.

• Don’t select the option “Auto-labeling for files and emails”. Click Next.

• Select “Privacy and external user access” and “External sharing and Conditional Access” options.

• In “Privacy” section, select “Private”. This way, only team owners and members can acess the group or team. In the “External user access”, don’t select the option “Let Microsoft 365 Group owners add people outside your organization to the group as guests.”. This way, only users from within the organization can access the SharePoint site.

• In “Define external sharing and conditional access settings”, select “Control external sharing from labeled SharePoint sites” and “Use Microsoft Entra Conditional Access to protect labeled SharePoint sites”. In the “Control external sharing from labeled SharePoint sites” section, select “Only people in your organization”. This way, SharePoint sites labeled with this label, will only be acessed by and shared with people in your organization. In the “Use Microsoft Entra Conditional Access to protect labeled SharePoint sites”, select “Allow limited, web-only access”. This will only allow users from unmanaged devices (devices not managed by your organization, typically personal devices) to access documents in the labeled SharePoint sites using the browser (not being to synchronize the document libraries for offline access, download documents or open documents in the Office desktop applications).

• In the “Auto-labeling for schematized data assets (preview)” section, leave the option unselected and click “Next”.

• Review the label settings and click “Create label” to finish the label creation process.

Publish a Sensitivity Label

In order for a label to be made available, we need to publish it. To publish a label, follow the following steps:

• In the Labels page, select the label and the option “Publish label”.

• In “Assign admin units” page, leave the default values and click “Next”.

• In “Publish to users and groups”, add all users and groups and then click “Next”. If you want to test the Label to a restricted group of users, select a group with the users that you want to include in test.

• In “Policy settings”, leave all options unselected and click “Next”.

• In Default settings for documents, select “None” for “Default label”. With this selection, labels won’t be applied by default to Office documents. Click “Next”.

• In Default settings for emails, select “Same as document” in “Default Label” and leave the checkbox “Email inherits highest priority label from attachments” unchecked and click “Next”.

• In “Default settings for meetings and calendar events”, select “None” for “Default label” and click “Next”.

• In “Default settings for sites and groups”, select “None” for “Default label” and click “Next”.

• In “Default settings for Fabric and Power BI content”, select “None” for “Default label” and click “Next”.

• In “Name your policy”, name your policy and give it a description.

• Review and submit the Label policy to finish the policy creation process.

NOTE: New labels may take up to 1h to be available. Updates to existing labels may take up to 24h to take effect.

Testing Access to SharePoint

To test if the label is successfully applied, we are going to create a SharePoint Team site and apply the label to the site. Follow the following steps:

• Click SharePoint in the left top corner to go to the SharePoint homepage
• In the SharePoint homepage, create a new site.

• Choose a Team Site

• Choose any template. For simplicity, I selected “Standard team”.

• Click on “Use Template”

• Set the site name, group email address and site address.

• Set the sentitivity label for the new site by choosing the label we created earlier. The privacy will automatically be set to Private as we defined in the label settings.

• Add site owners and members to the site.

• Access the site with an unmanaged device. In this example, the site was created as a “Private” group and with the label “Confidential”. As the site was configured to only allow access from the browser and not allow the use of Office desktop applications by devices not managed by the organization, a message appears at the top of the site indicating that it is not possible to download the documents or sync the documents for offline access.

• In the “Documents” document library, verify that it is not possible to sync documents for offline access (“Sync” command should not be available in the command bar).

• In the “Documents” document library, verify that it is not possible to download documents (“Download” option should not be available in the document context menu).

• In the “Documents” document library, verify that it is not possible to open a document using the desktop application and that documents can only be opened using the browser.

Related Articles

To learn why your business should migrate to SharePoint Online and Office 365, click here and here.

If you want to learn how to develop SPFx solutions, click here.

If you want to learn how you can rename a modern SharePoint site, click here.

If you want to learn how to save time time scheduling your meetings, click here.

If you want to learn how to enable Microsoft Teams Attendance List Download, click here.

If you want to learn how to create a dynamic org-wide team in Microsoft Teams with all active employees, click here.

If you want to modernize your SharePoint classic root site to a modern SharePoint site, click here.

If you are a SharePoint administrator or a SharePoint developer who wants to learn more about how to install a SharePoint 2019 farm in an automated way using PowerShell, I invite you to click here and here.

If you learn how to greatly speed up your SharePoint farm update process to ensure your SharePoint farm keeps updated and you stay one step closer to start your move to the cloud, click here.

If you prefer to use the traditional method to update your farm and want to learn all the steps and precautions necessary to successfully keep your SharePoint farm updated, click here.

If you want to learn how to upgrade a SharePoint 2013 farm to SharePoint 2019, click here and here.

If SharePoint 2019 is still not an option, you can learn more about how to install a SharePoint 2016 farm in an automated way using PowerShell, click here and here.

If you want to learn how to upgrade a SharePoint 2010 farm to SharePoint 2016, click here and here.

If you are new to SharePoint and Office 365 and want to learn all about it, take a look at these learning resources.

If you are work in a large organization who is using Office 365 or thinking to move to Office 365 and is considering between a single or multiple Office 365 tenants, I invite you to read this article.

If you want to know all about the latest SharePoint and Office 365 announcements from Ignite and some more recent announcements, including Microsoft Search, What’s New to Build a Modern Intranet with SharePoint in Office 365, Deeper Integration between Microsoft Teams and SharePoint and the latest news on SharePoint development, click here.

If your organization is still not ready to go all in to SharePoint Online and Office 365, a hybrid scenario may be the best choice. SharePoint 2019 RTM was recently announced and if you to learn all about SharePoint 2019 and all its features, click here.

Happy SharePointing!

The post How to protect sensitive information in SharePoint Online using Purview Sensitivity Labels appeared first on Blog IT.

Introduction

From a security standpoint, it is important to protect access to information to ensure that only the right people in an organization has access to it.

Users can share files and folders in Microsoft SharePoint by sending a link. They should select a link type based on the people to whom they want to give permission. The following link types are available:

• Anyone with the link (previously called “anonymous access” or “shareable”)
• People in your organization with the link
• People with existing access
• Specific people

By default, default sharing is configured to “People in [Organization”], meaning that when sharing or making use of the “Copy link” option to share a document with someone, the link you provide may be accessed by the whole organization. To prevent this, we can change the default sharing to “Poeple with Existing Access”, meaning that when sharing or making use of the “Copy link” option to share a document with someone, the link you provide may be accessed by people that already have access to the document, making it a more secure way to share a document with someone.

The Code

The PowerShell script below allows you to change the default sharing to “People with Existing Access” for all sites in your tenant.

NOTE: For now,

Import-Module Microsoft.Online.SharePoint.PowerShell -DisableNameChecking
 
$AdminSiteUrl = "https://dev-admin.sharepoint.com"
 
#Connect to SharePoint Online
Connect-SPOService -Url $AdminSiteUrl
 
#Get All SharePoint Sites
$Sites = Get-SPOSite -Limit All

#Iterate each site and change the default sharing
ForEach ($Site in $Sites)
{
    $SiteUrl = $Site.URL
    Write-Host "Setting Sharing to DefaultLinkToExistingAccessin $SiteUrl" -ForegroundColor "Green"
    Set-SPOSite -identity $SiteUrl -DefaultLinkToExistingAccess 1
}

Sharing experience before running the script:

Sharing experience after running the script:

Related Articles

To learn why your business should migrate to SharePoint Online and Office 365, click here and here.

If you want to learn how to develop SPFx solutions, click here.

If you want to learn how you can rename a modern SharePoint site, click here.

If you want to learn how to save time time scheduling your meetings, click here.

If you want to learn how to enable Microsoft Teams Attendance List Download, click here.

If you want to learn how to create a dynamic org-wide team in Microsoft Teams with all active employees, click here.

If you want to modernize your SharePoint classic root site to a modern SharePoint site, click here.

If you are a SharePoint administrator or a SharePoint developer who wants to learn more about how to install a SharePoint 2019 farm in an automated way using PowerShell, I invite you to click here and here.

If you learn how to greatly speed up your SharePoint farm update process to ensure your SharePoint farm keeps updated and you stay one step closer to start your move to the cloud, click here.

If you prefer to use the traditional method to update your farm and want to learn all the steps and precautions necessary to successfully keep your SharePoint farm updated, click here.

If you want to learn how to upgrade a SharePoint 2013 farm to SharePoint 2019, click here and here.

If SharePoint 2019 is still not an option, you can learn more about how to install a SharePoint 2016 farm in an automated way using PowerShell, click here and here.

If you want to learn how to upgrade a SharePoint 2010 farm to SharePoint 2016, click here and here.

If you are new to SharePoint and Office 365 and want to learn all about it, take a look at these learning resources.

If you are work in a large organization who is using Office 365 or thinking to move to Office 365 and is considering between a single or multiple Office 365 tenants, I invite you to read this article.

If you want to know all about the latest SharePoint and Office 365 announcements from Ignite and some more recent announcements, including Microsoft Search, What’s New to Build a Modern Intranet with SharePoint in Office 365, Deeper Integration between Microsoft Teams and SharePoint and the latest news on SharePoint development, click here.

If your organization is still not ready to go all in to SharePoint Online and Office 365, a hybrid scenario may be the best choice. SharePoint 2019 RTM was recently announced and if you to learn all about SharePoint 2019 and all its features, click here.

Happy SharePointing!

The post Set Default Sharing to “People with Existing Access” in SharePoint Online appeared first on Blog IT.

This post explains how to extend a Client ID / Client Secret pair using PowerShell. Examples of protected resources are SharePoint and Microsoft Graph.

Introduction

By default, a Client ID / Client Secret pair is only valid for 1 year. This post explains how to extend a client/secret using PowerShell, without the need for you to create a new Client ID / Client Secret pair.

The Code

#Application ID
$ClientID =  "" #Place your Client Id Here
$ClientSecret = "" #Place your Client Secret Here

#Connect to AzureAD
Connect-AzureAD

#Get the Client ID
$App = Get-AzureADServicePrincipal -All $true | Where-Object { $_.AppID -eq $ClientID }

#Get the Current Expiry Date
$CurrentExpiryDate = (Get-AzureADServicePrincipalPasswordCredential -ObjectId $App.ObjectId).EndDate
Write-Host "Current Expiry Date: "$CurrentExpiryDate -BackgroundColor Green

#Extend the validity of the App by 1 year
$StartDate = Get-Date
$EndDate = $StartDate.AddYears(1)
New-AzureADServicePrincipalPasswordCredential -ObjectId $App.ObjectId -StartDate $StartDate -EndDate $EndDate -Value $ClientSecret
New-AzureADServicePrincipalKeyCredential -ObjectId $App.ObjectId -StartDate $StartDate -EndDate $EndDate -Value $ClientSecret
$NewExpiryDate = (Get-AzureADServicePrincipalPasswordCredential -ObjectId $App.ObjectId).EndDate
Write-Host "New Expiry Date: "$NewExpiryDate -BackgroundColor Green

Related Articles

To learn why your business should migrate to SharePoint Online and Office 365, click here and here.

If you want to learn how to develop SPFx solutions, click here.

If you want to learn how you can rename a modern SharePoint site, click here.

If you want to learn how to save time time scheduling your meetings, click here.

If you want to learn how to enable Microsoft Teams Attendance List Download, click here.

If you want to learn how to create a dynamic org-wide team in Microsoft Teams with all active employees, click here.

If you want to modernize your SharePoint classic root site to a modern SharePoint site, click here.

If you are a SharePoint administrator or a SharePoint developer who wants to learn more about how to install a SharePoint 2019 farm in an automated way using PowerShell, I invite you to click here and here.

If you learn how to greatly speed up your SharePoint farm update process to ensure your SharePoint farm keeps updated and you stay one step closer to start your move to the cloud, click here.

If you prefer to use the traditional method to update your farm and want to learn all the steps and precautions necessary to successfully keep your SharePoint farm updated, click here.

If you want to learn how to upgrade a SharePoint 2013 farm to SharePoint 2019, click here and here.

If SharePoint 2019 is still not an option, you can learn more about how to install a SharePoint 2016 farm in an automated way using PowerShell, click here and here.

If you want to learn how to upgrade a SharePoint 2010 farm to SharePoint 2016, click here and here.

If you are new to SharePoint and Office 365 and want to learn all about it, take a look at these learning resources.

If you are work in a large organization who is using Office 365 or thinking to move to Office 365 and is considering between a single or multiple Office 365 tenants, I invite you to read this article.

If you want to know all about the latest SharePoint and Office 365 announcements from Ignite and some more recent announcements, including Microsoft Search, What’s New to Build a Modern Intranet with SharePoint in Office 365, Deeper Integration between Microsoft Teams and SharePoint and the latest news on SharePoint development, click here.

If your organization is still not ready to go all in to SharePoint Online and Office 365, a hybrid scenario may be the best choice. SharePoint 2019 RTM was recently announced and if you to learn all about SharePoint 2019 and all its features, click here.

Happy SharePointing!

The post Extending ClientID/Secret Expiration Date using PowerShell appeared first on Blog IT.

The technology world is moving fast towards Software as a Service (SaaS) solutions in several areas from collaboration, e-commerce and many other types of solutions, moving from a reality where systems and respective data where deployed within the companies infrastructure (On-Premises) to the Cloud.

One of the main concerns of companies in choosing a Cloud collaboration platform, in which the Office 365 is an example and leading platform, is the security of their information. One of the biggest challenges in Office 365 is related to the demystification that having the information in the Cloud is less secure than if it resides on the premises of the organizations themselves.

To address these same concerns, Microsoft has made a very strong investment in security of the Office 365 platform which provides users and system administrators with several features to address these needs and apply a set of best practices in three main areas:

• • Security

• • Privacy

• Compliance

Below we present some of the main features natively offered by the platform.

Regarding Security, the Office 365 platform ensures the encryption of data in transit and at rest. At rest, Bitlocker technology is used to encrypt all information on the servers’ hard drives. In addition, all files are segmented (in small pieces called chunks) and each segment is individually encrypted and encryption keys are securely stored in a different physical location.
In transit, all files are encrypted with TLS using 2048-bit keys.

Regarding Privacy, it is possible to define differentiated access policies based on 4 vectors: user, device, location and sensitivity of the information. Some examples include defining a time bound window when sharing information or only allow sharing with certain domains.

In what regards to Compliance, the main concern is to define a set of rules that allow sensitive information to be protected and to prevent the leakage of sensitive information outside of the organization. The Office 365 platform offers the following features to address this need:

• Data Loss Prevention: allows organizations to create policies to protect their most sensitive information. Example: prevent documents with credit card information or citizen card numbers from being shared outside the organization.
• Information Rights Management: allows organizations to create policies that protect the content of documents stored in the Office 365 platform. Examples: prevent documents from being printed and prevent “Copy & Paste” from document contents. It is important to note that IRM policies continue to apply after documents are downloaded and viewed offline.

Using DLP together with IRM provides a very powerful combination in order for companies to protect their most sensitive documents.

• Mobile Device Management: allows organizations to create policies to manage security when accessing corporate information using mobile devices. Examples include defining PINs to access corporate information, prevent sensitive content from being copied from an corporate document to personal applications (prevent for example a user from copying credit card numbers to the body of an email and sending it to someone outside of the organization) or prevent Screen Capture of information within sensitive documents.

These are just a few of the examples of the vast set of features available to users and administrators to protect information residing on the Office 365 platform.

A very important note is that Microsoft does not have access to the organization’s data and the only occasions where this may be necessary is in resolving support incidents that require access to the data. In these cases, and using a feature called Customer Lockbox, the customer can approve or reject access requests, and access is only granted in case the request is approved. In addition, all accesses are audited to ensure the transparency of the process.

Security is therefore and increasingly not only a central concern for customers who evaluate a migration to the Cloud but rather a concrete reality for those who already enjoy it.

In you are interested in learning more about this subject, you can check out:

• My Intelligent Security, Compliance and Privacy in Office 365 session at SharePoint Saturday Lisbon post
• The Microsoft Office 365 security page
• The “Videos On Office” Microsoft Mechanics channel in YouTube

Related Articles

To learn why your business should migrate to SharePoint Online and Office 365, click here and here.

If you want to convert your tenant’s root classic site into a modern SharePoint site, click here.

If you or your customers are not ready to move entirely to the Cloud and Office 365, a hybrid scenario could be an interesting scenario and SharePoint 2019 RTM was recently announced with improved hybrid support! To learn all about SharePoint 2019 and all its features, click here.

If you are a SharePoint administrator or a SharePoint developer who wants to learn more about how to install a SharePoint 2019 farm in an automated way using PowerShell, I invite you to click here and here.

If SharePoint 2019 is still not an option, you can learn more about how to install a SharePoint 2016 farm in an automated way using PowerShell, click here and here.

If you want to learn how to upgrade a SharePoint 2013 farm to SharePoint 2019, click here and here.

If you want to learn all the steps and precautions necessary to successfully keep your SharePoint farm updated and be ready to start your move to the cloud, click here.

If you learn how to greatly speed up your SharePoint farm update process to ensure your SharePoint farm keeps updated and you stay one step closer to start your move to the cloud, click here.

If you want to learn how to upgrade a SharePoint 2010 farm to SharePoint 2016, click here and here.

If you are new to SharePoint and Office 365 and want to learn all about it, take a look at these learning resources.

If you are work in a large organization who is using Office 365 or thinking to move to Office 365 and is considering between a single or multiple Office 365 tenants, I invite you to read this article.

If you want to know all about the latest SharePoint and Office 365 announcements from SharePoint Conference 2019, click here and here.

Happy SharePointing!

The post Intelligent Security in Office 365 appeared first on Blog IT.

Last Saturday, I delivered a session at the SharePoint Saturday event, that was for the first time held in Lisbon.

My session was entitled “Intelligent Security, Compliance and Privacy in Office 365”,  focused on security, compliance and privacy around the Office 365 platform. The main topics of the session were:

• Office 365 Platform Security
• Privacy (Differentiated Access Policies, External Sharing, Granular Access Controls)
• Compliance (Data Loss Prevention, Information Rights Management, Mobile Device Management)
• Transparency (Customer Lockbox, SharePoint Insights)
• Advanced Threat Protection

You can find the slide deck here.

Related Links:

SharePoint Saturday Lisbon 2016 web site
My SlideShare web site
|create|it| web site

If you are new to SharePoint and Office 365 and want to learn all about it, take a look at these learning resources.

UPDATE 01/11/2018:

If you or your customers are not ready to move entirely to the Cloud and Office 365, a hybrid scenario could be an interesting scenario and SharePoint 2019 RTM was recently announced with improved hybrid support! To learn all about SharePoint 2019 and all its features, click here.

UPDATE 21/11/2018:

If you want to know all about the latest SharePoint and Office 365 announcements from Ignite and some more recent announcements, including Microsoft Search, What’s New to Build a Modern Intranet with SharePoint in Office 365, Deeper Integration between Microsoft Teams and SharePoint and the latest news on SharePoint development, click here.

Happy SharePointing!

The post Intelligent Security, Compliance and Privacy in Office 365 session at SharePoint Saturday Lisbon appeared first on Blog IT.

Here’s what I’ll be talking about:

Information security is one of the most important concerns when designing a content management solution. Learn about Information Rights Management (IRM) and what it allows you to do to protect your information and control its usage. Learn how it can be applied to SharePoint 2013 and SharePoint Online and the main differences between the way it works in each version.

In this webinar for IT Pro’s you will:

1. Learn what is Information Rights Management (IRM)
2. Learn how IRM works in SharePoint 2013 and SharePoint Online
3. Learn how to manage IRM

You can register for my webinar on Information Rights Management here. I hope you can join me!

The post Webinar: Information Rights Management in SharePoint appeared first on Blog IT.

To configure and set configuration data, Microsoft has an MMC Snap-In called “SSO Configuration Application”, that allow us to create and manipulate applications and their properties (http://www.microsoft.com/en-us/download/details.aspx?id=14524).

From the community there are several tools to set SSO configuration. The most well know was created by Richard Seroter in 2007 that allow us to manipulate previously created properties in an easy way (http://seroter.wordpress.com/2007/09/21/biztalk-sso-configuration-data-storage-tool/).  There are also some Richard Seroter tool improvements, like a version from Mark Burch in http://biztorque.net/archive/2010/06/07/74.aspx, that allow us to create new SSO properties.

BizTalk Deployment Framework also include an SSO module, that use a different approach of using the Excel to set SSO config data in each environment (http://biztalkdeployment.codeplex.com/).

To get configuration from SSO by code, you can use “SSOConfigHelper.cs” included in Microsoft BizTalk Server 2006 SDK, but still working with the latest Biztalk server versions (http://www.getcodesamples.com/src/2B2085E1/C4A921B1).
Just get the code and include “Microsoft.BizTalk.Interop.SSOClient.dll” in SSO install folder (for example C:\Program Files\Common Files\Enterprise Single Sign-On\Interop1.1\Microsoft.BizTalk.Interop.SSOClient.dll) and call the read method, setting the previous create application and property name.

Hope that 4 posts about SSO will help you to use SSO more frequently in BizTalk programming.

The post BizTalk Server Single Sign On – Save config data in SSO appeared first on Blog IT.

The SSO configuration to support this feature is very easy.
First enter SSO Administration tool, and create a new affiliate application with the above settings (you can put any name in the application name):

In BizTalk Server Administration, when setting the receive location configuration, set the use SSO option, and use an isolated host with a running account that belongs to the SSO application administrators group (images above).

In the send port adapter configuration set the affiliate application created earlier.

To finalize the configuration, you must set SSO to allow ticket usage (by default is not allowed).
Execute the following instruction in the command prompt “ssomanage -tickets yes” (http://msdn.microsoft.com/en-us/library/aa559512.aspx)

The credential mapping is working without any “hand made” code creation.

The post BizTalk Server Single Sign On – Using SSO with adapters appeared first on Blog IT.

First create a new affiliate application and a credential mapping as i show in the last post.

1. Create a new class library project called “Test.SSO”
2. Add a reference to the assembly “Microsoft.BizTalk.Interop.SSOClient.dll”, located in “C:\Program Files\Common Files\Enterprise Single Sign-On”
3. Add the following code in a new class called SSOManager

   using System;
   using System.Collections;
   using System.Collections.Specialized;
   using Microsoft.BizTalk.SSOClient.Interop;
   namespace Test.SSO
   {
        public static class SSOManager
        {
             /// <summary>
             /// Get external application credentials.
             /// </summary>
             /// <param name="ticket">Credential ticket generated by biztalk receive port.</param>
             /// <param name="appName">Application name to get external credentials.</param>
             /// <param name="userAccount">User account to get external credentials.</param>
             /// <returns>ArrayList with mapped credentials.</returns>
             public static ArrayList GetExternalApplicationCredentials(string ticket, string appName, string userAccount)
             {
                  ISSOTicket ssoTicket = new ISSOTicket();
                  string externalUsername;
                  string[] credentials = ssoTicket.RedeemTicket(appName, userAccount, ticket, SSOFlag.SSO_WINDOWS_TO_EXTERNAL, out externalUsername);
   
                  if (credentials == null || credentials.Length == 0 || String.IsNullOrWhiteSpace(externalUsername))
                  {
                       return null;
                  }
   
                  ArrayList credentialsList = new ArrayList();
                  credentialsList.Add(externalUsername);
                  credentialsList.AddRange(credentials);
                  return credentialsList;
             }
        }
   }
   

4. Create a new Orchestration called SSOOrch
5. Include a reference to the previous created class library
6. Publish a new wcf service  using “WCF Service Publishing Wizard” and publish it at basic auth (http://msdn.microsoft.com/en-us/library/bb226564.aspx)
7. Set the Orchestration receive location to receive messages from the service created
8. Configure the receive location security área like the following image, but checking “Use Single-On” option.
   
9. Create na Orchestration variable called ssoMapping as ArrayList
10. Add a new expression shape in the orchestration
11. Add the following code in the previous expression Shape (TestApp is the name of the affiliate application previously created)
    ssoMapping = Test.SSO.SSOManager.GetExternalApplicationMapping(SSOOrch(BTS.SSOTicket), “TestApp”, SSOOrch(BTS.WindowsUser));
12. Complete the orchestration by setting a send shape to file system.
13. Deploy the orchestration and set the regular configurations, but very important – set an host instance with an account that belongs to a SSO application administration group
    
14. Invoke the previously created wcf service with an account that you have set in the SSO mapping.
15. If you debug the orchestration, you will get in the ssoMapping ArrayList 4 parameters with the data you have set in “User Id”, “MappedUser”, “”MappedPassword” and “MappedDomain” as you see in the next image.
    

Hope this example will help you to easily use SSO in BizTalk Server.
Happy coding.

The post BizTalk Server Single Sign On – Get mapped credential by code appeared first on Blog IT.

It’s very easy to configure SSO to store credential mapping data.
First access mmc console and choose Enterprise Single-Sign-On application.

Then choose Affiliate Applications and select “Create Application”.

The application creation wizard starts. Choose “next”.

For 1 on 1 credential mapping, select “Individual” application Type. To read about all mapping types, check http://msdn.microsoft.com/en-us/library/aa578204.aspx.
Select the application name, description and leave the other options unchecked (if you are using dev or single server, check the option “Allow local accounts for access accounts”).

Set the Windows group that will manage this Affiliate Application in the “Application Administrators” picker.
Set the windows group for which mappings can be created in “Application Users” picker.
You can check more about this configurations in http://msdn.microsoft.com/en-us/library/aa561561.aspx.

In the Options menu check the following options:

• • Enabled.
  • Allow Windows initiated SSO.
  • Tickets Allowed (with all ticket options selected).
  • Application Users cannot create mappings (only a security measure).

A ticket is a kind of SSO encrypted context, that contains the request user domain and username and the ticket expiration time.
You can check more info about SSO tickets in  http://msdn.microsoft.com/en-us/library/aa578039.aspx.

In the fields menu, you must choose the destiny application attributes to map in this SSO affiliate application.
I have created 3 attributes (Mapped User, Password and Domain).
The User ID mapping is created by default and is a mapped credential unique key.
The masked attribute is used for the password fields, and the synchronized attribute determines that the field is used for password synchronization.

The affiliate application is created successfully.

After creating the affiliate application it’s very easy to create a mapped credential.
Just go to the Affiliate Applications menu, select the previously created “TestApp” application and “New Mapping” option.

In the “Create New Mapping” menu select the windows account to map and the unique destiny account name to map.
Check the “Set credentails for this mapping” option.

In the Set Credentials menu, set the mapped data.
The user id can be used to store the mapped user data, but beware because user id must be unique. So I have created the MappedUser field, because I can have multiple source accounts to map to the same destiny account data.

The new mapped credential appears in the “TestApp” affiliate application mapped credentials.

In the next post I will show how to get the mapped credentials data by code, to use for example in a BizTalk Orchestration or Pipeline.

The post BizTalk Server Single Sign On Configuration appeared first on Blog IT.