KeePass and Multifactor Authentication

One of the frustrations of modern security is the imposition of more onerous user-verification requirements. The benefits of the University introducing Multifactor Authentication (‘MFA’) are well-proven, but it does add a further step that can be inconvenient. In an effort to make life a little bit easier, and following a debate about this area on our IT Discussion mail-list, I share the following advice.

Using a password manager is an essential step in keeping secure. KeePass is an excellent example of the genre and my personal favourite. The latest version has also added a feature that promises to make life that little bit easier: it can act as your MFA authentication app.

I’m assuming that you already have a KeePass entry for your SSO logon, with an auto-type entry set. If not, here’s the auto-type syntax that I use:
{USERNAME}{TAB}{TAB}{TAB}{TAB}{ENTER}{DELAY 1000}{PASSWORD}{ENTER}

The steps to allow KeePass to also handle your MFA are as follows:

1. Visit https://mysignins.microsoft.com/security-info and, yes, log yourself in.

2. Click ‘add sign-in method’.

3. Choose ‘Authenticator App’ from the list.

4. Microsoft will recommend their own Authenticator application, but click instead on ‘I want to use a different authenticator app’.

5. You’ll need to have KeePass installed and running shortly, but at this stage you can just click ‘Next’.

6. You’re presented with a QR code, as most apps are mobile-based and can use a phone camera. Ignore the QR code and click ‘can’t scan image’.

7. The page will create a security key code, with a ‘copy to clipboard’ button next to it. Click on that.

8. Switch to KeePass, right-click your entry for your University SSO account, select ‘Edit Entry (Quick)’, then ‘OTP Generator settings’. You’ll get a dialogue box. Paste the security code into the ‘shared secret’ field. No other values need to be changed, so then click ‘OK’.

9. When prompted for your MFA authentication code, ask KeePass to copy that to the clipboard for you.

10. In the ‘Enter Code’ window, just right-click and ‘Paste’.

I’m hoping that future revisions of KeePass will make this even easier*, but this is a great step forward and makes a useful app that little bit better still.


*I haven’t yet worked out the correct syntax for auto-type to also supply the code. So far this is almost, but not quite, entirely unlike the right answer:
{USERNAME}{TAB}{TAB}{TAB}{TAB}{ENTER}{DELAY 1000}{PASSWORD}{ENTER}{DELAY 1000} {TIMEOTP}{ENTER}

This provides username, password, and the first five digits of the current MFA code, even with 6 specified. That’s a work-in-progress but if you’ve solved it I’d be delighted to hear.
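As an added illustration (this is not code from the original post, nor KeePass’s own code), here is what the ‘OTP Generator’ computes from that ‘shared secret’: a standard RFC 6238 time-based one-time password, which Microsoft’s enrolment issues with SHA-1, six digits and a 30-second step. The secret is checked against the published RFC 4226/6238 test vectors, and the example shows that a valid code is always exactly six characters, so a code such as 081804 legitimately begins with a zero.

```python
"""Added example (not from the original post): generate RFC 6238 TOTP codes
from a base32 'shared secret' of the kind Microsoft's security-info page shows
under 'can't scan image'. KeePass's OTP generator does the same thing
internally; this shows what a correct 6-digit code looks like."""
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional

# RFC 4226 / RFC 6238 reference secret ("12345678901234567890"), base32-encoded
# here only so the functions can be checked against the published test vectors.
RFC_TEST_SECRET_B32 = base64.b32encode(b"12345678901234567890").decode()


def normalise_secret(secret_b32: str) -> bytes:
    """Accept the secret as sites typically display it (spaces, lower case,
    missing '=' padding) and return the raw key bytes."""
    cleaned = "".join(secret_b32.split()).upper()
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned)


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the big-endian 8-byte counter, dynamic
    truncation, then zero-pad so the code is always exactly `digits` long."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def totp(secret_b32: str, at: Optional[int] = None,
         step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP with counter = floor(unix_time / step). Microsoft's
    authenticator-app enrolment uses SHA-1, 6 digits and a 30-second step,
    which are also the defaults KeePass's OTP dialogue leaves untouched."""
    now = int(time.time()) if at is None else at
    return hotp(normalise_secret(secret_b32), now // step, digits)


def seconds_remaining(at: Optional[int] = None, step: int = 30) -> int:
    """How long the code returned for `at` stays valid on the verifier's clock."""
    now = int(time.time()) if at is None else at
    return step - (now % step)


if __name__ == "__main__":
    code = totp(RFC_TEST_SECRET_B32)
    print(f"current code: {code}  (valid for another {seconds_remaining()}s)")
```

The verifier (Microsoft’s side) runs the same arithmetic on its own clock, which is why a code copied out of KeePass stops working after at most 30 seconds and why the two machines’ clocks need to agree to within that window.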

Posted in Uncategorized | Leave a comment

Teams SharePoint sites

Underneath a Microsoft Team there is a SharePoint site which stores the Team’s data. You can think of Teams as a veneer on a SharePoint site, or ‘edited highlights’ of it. But the key thing is that Teams thinks it’s in charge. It created the SharePoint site, and it wants to manage what happens there. Editing the site behind a Team is the electronic equivalent of breaking into someone’s house and moving things around while they’re asleep. And hoping that they don’t notice what you’ve done when they wake up. If they do see what’s happened you can be sure they’re not going to be happy about it.

We understand that it can be very tempting to consider bypassing the Team and going straight to SharePoint to make changes. All the data is there. It’s just sooo accessible. There are even lots of people out there telling you precisely how to make changes there, and encouraging you to try (probably while secretly giggling: they know what can happen).

Our advice is simple: resist the temptation. Be strong.

Since we have had another support ticket today from someone who broke their Team, let’s go over some of the reasons behind our well-trodden warning once more.

Because Teams is a layer on top of SharePoint, changes at the back-end mean that Teams doesn’t necessarily see what it’s expecting. It’s a big ask for error-correcting code within Teams to understand every possible back-end change, correct for it, and display your content as if nothing had happened. It’s nice that you have so much confidence in the product! You might be fortunate and make changes that Teams doesn’t notice. But that’s a big risk to take with your data. If Teams does notice – and there’s every chance it will – you should be prepared that it will have broken the relationship between Teams and SharePoint entirely. Bear in mind too that Teams is constantly being improved, patched, and updated. A change that Teams copes with today may be one that breaks your site tomorrow: keep in mind that Teams thinks that it owns and manages the site storing its data.

Let’s take one simple example – today’s real-world one – someone had renamed the site and the home page of a Teams SharePoint site. Teams is looking for the original unaltered address – Teams created the site, thinks it’s in charge of it, and hasn’t been informed of any changes. Suddenly it finds a coup has taken place! The directions it’s following lead nowhere. Your site is now broken.

Teams does what it can to interpret and correct for this but it’s doomed to fail. Even reverting your changes is not guaranteed to fix things, since it can be difficult to precisely undo every change completely. So the solution is to rescue what you can from SharePoint, delete the broken Team, and start again with a new Team that isn’t estranged from its home site.


SharePoint behind Teams: leave it alone; it should only be managed by the Teams app.
SharePoint on premises: going out of support imminently; please move your content.
SharePoint online: this is the one you can make changes to. 🙂

Posted in Uncategorized | Comments Off on Teams SharePoint sites

Office 365 Personal Bookings Pages: coming soon

Microsoft intend for Personal Bookings to be another way to allow people to interact with your calendar. So if you’ve used Microsoft Bookings in the past you may well feel you’re already up to speed with the idea – but they are very definitely not the same.

This feature is intended to eliminate the back-and-forth of trying to find a timeslot to meet with someone. The idea is that you choose to make times available, and then can publish that availability yourself. You will be in full control of what, if anything, is made available to book.


Once this feature is rolled out you will be able to configure it either at https://outlook.office.com/findtime/dashboard/ or in Outlook Web App’s settings (search for ‘personal’).

Organisations which have access to early previews and beta releases will already be seeing this functionality, with it being made available from mid April 2022. The rest of us will have to wait until June 2022, according to Microsoft’s roadmap.

Meeting types

By default you’ll be offering a 30 minute online Teams meeting, although this can of course be changed. The options you can configure include duration, minimum and maximum amounts of warning you’ll get in advance, location (if not an online Teams meeting), and of course your selected availability. You’ll also be able to share direct URL links to a particular meeting type that you’ve created.


Posted in Uncategorized | Comments Off on Office 365 Personal Bookings Pages: coming soon

Last call for Basic Authentication

“Basic Auth is still one of, if not the most common ways our customers get compromised, and these types of attacks are increasing.” ~Microsoft Exchange Team

Basic Authentication is the prompt for username/password that we’re all familiar with. You’ve probably filled in that info millions of times. But it’s no longer good enough. It doesn’t support multifactor verification, it isn’t good at coping with brute-force attacks, and the application you use needs to explicitly know what your username and password are.

The alternative is Modern Authentication. This uses the Active Directory Authentication Library and OAuth 2.0 protocols. Your apps no longer need to store your credentials, instead relying on time-limited tokens – plus of course they permit the use of multifactor authentication for further confirmation you’re the legitimate account-holder.

In Nexus365’s console we see Basic Authentication logins as ‘legacy authentication clients’ in our logs. And the thing about anything that starts to be described as ‘legacy’ is that it is going to fall out of support. Microsoft have delayed that date before but the security vulnerabilities of doing nothing have forced their hand. They have announced that they will start forcibly turning off support for Basic Authentication in Office365 tenancies, starting from 1st October 2022. All tenancies will have Basic Authentication disabled by the end of the year.

This means that we need to be ready. There are fewer than 150 days to go. We can’t ask them where we will be in the list, and we can’t ask them to postpone. So we have to assume that Basic Authentication will cease to be supported from 1st October. We might get a few more days than that, but we might not.

Supported Clients

Outlook 2013 – the oldest client which can use Modern Authentication, in the form of OAuth 2.0. This requires registry tweaks under HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Common\Identity (EnableADAL = 1 and Version = 1).

Outlook 365; Outlook 2016; Outlook 2019 – Modern Authentication is supported out-of-the-box. For a very slight speed improvement you can tell the app to attempt Modern Authentication connections first. Further details here: https://docs.microsoft.com/en-us/exchange/troubleshoot/administration/modern-authentication-configuration
HKEY_CURRENT_USER\Software\Microsoft\Exchange – set the value AlwaysUseMSOAuthForAutoDiscover = 1

Basic Authentication will also be turned off for the following protocols:

  • MAPI
  • RPC
  • OAB
  • EWS
  • POP
  • IMAP
  • Remote PowerShell

SMTP AUTH will not be turned off, however, unless nobody in our tenancy is using it.
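Finding out who still depends on those protocols is the first job before 1st October. The following is an added example, not code from the original post or from Microsoft: a small triage over sign-in records of the kind exported from the tenancy’s sign-in logs, grouping successful Basic Authentication sign-ins by the protocols listed above. The records are constructed; the `clientAppUsed` field and its display strings follow the Microsoft Graph sign-in log schema, and the exact strings in your own export are an assumption to verify. It goes slightly beyond the post by also counting failed legacy attempts, which are worth watching given the brute-force weakness mentioned above.

```python
"""Added example (not from the original post): find who in a tenancy is still
signing in with Basic Authentication ('legacy authentication clients') and
over which of the protocols the post lists, from an export of sign-in records.
The records below are constructed; the 'clientAppUsed' field and its display
strings follow the Microsoft Graph sign-in log schema (an assumption to check
against your own export)."""
import json
from collections import defaultdict
from typing import Dict, List

# Client-app strings reported for Basic Auth connections, mapped onto the
# protocol names used in the post. Anything else in the log is either modern
# auth or something this script does not recognise.
LEGACY_CLIENT_APPS: Dict[str, str] = {
    "MAPI Over HTTP": "MAPI",
    "Outlook Anywhere (RPC over HTTP)": "RPC",
    "Offline Address Book": "OAB",
    "Exchange Web Services": "EWS",
    "POP3": "POP",
    "IMAP4": "IMAP",
    "Exchange Online PowerShell": "Remote PowerShell",
    "Exchange ActiveSync": "ActiveSync",
    "Authenticated SMTP": "SMTP AUTH",
    "Other clients": "Other legacy",
}
MODERN_CLIENT_APPS = {"Browser", "Mobile Apps and Desktop clients"}

# Constructed sample export; the example.ac.uk accounts are placeholders.
SAMPLE_SIGNINS = """[
  {"createdDateTime": "2022-05-09T08:01:12Z", "userPrincipalName": "alice@example.ac.uk",
   "clientAppUsed": "IMAP4", "status": {"errorCode": 0}},
  {"createdDateTime": "2022-05-09T08:02:40Z", "userPrincipalName": "bob@example.ac.uk",
   "clientAppUsed": "Browser", "status": {"errorCode": 0}},
  {"createdDateTime": "2022-05-09T08:05:03Z", "userPrincipalName": "svc-scanner@example.ac.uk",
   "clientAppUsed": "Authenticated SMTP", "status": {"errorCode": 0}},
  {"createdDateTime": "2022-05-09T08:07:55Z", "userPrincipalName": "alice@example.ac.uk",
   "clientAppUsed": "Exchange Web Services", "status": {"errorCode": 50126}},
  {"createdDateTime": "2022-05-09T08:09:17Z", "userPrincipalName": "carol@example.ac.uk",
   "clientAppUsed": "Mobile Apps and Desktop clients", "status": {"errorCode": 0}}
]"""


def load_sample() -> List[dict]:
    """Parse the constructed export above."""
    return json.loads(SAMPLE_SIGNINS)


def classify(record: dict) -> str:
    """'legacy', 'modern' or 'unknown' for one sign-in record."""
    app = record.get("clientAppUsed", "")
    if app in MODERN_CLIENT_APPS:
        return "modern"
    if app in LEGACY_CLIENT_APPS:
        return "legacy"
    return "unknown"


def legacy_auth_report(records: List[dict]) -> Dict[str, List[str]]:
    """Protocol -> sorted users who *successfully* signed in with Basic Auth.
    These are the apps that will stop working when Basic Auth is switched off."""
    users = defaultdict(set)
    for r in records:
        if classify(r) == "legacy" and r.get("status", {}).get("errorCode", 0) == 0:
            users[LEGACY_CLIENT_APPS[r["clientAppUsed"]]].add(r["userPrincipalName"])
    return {proto: sorted(u) for proto, u in sorted(users.items())}


def failed_legacy_attempts(records: List[dict]) -> int:
    """Failed Basic Auth attempts: a password-guessing indicator worth watching,
    since Basic Auth has no MFA step to stop a correct guess."""
    return sum(1 for r in records
               if classify(r) == "legacy" and r.get("status", {}).get("errorCode", 0) != 0)


if __name__ == "__main__":
    records = load_sample()
    for proto, upns in legacy_auth_report(records).items():
        print(f"{proto}: {', '.join(upns)}")
    print(f"failed legacy attempts: {failed_legacy_attempts(records)}")
```

Run against a real export, the per-protocol lists are the people and service accounts (scanners and scripts using SMTP AUTH are the usual surprise) whose apps need reconfiguring before the cut-off.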

What will happen if I do nothing?

Applications which rely on Basic Authentication will no longer be able to connect. You’ll see an HTTP 401 error: ‘bad username or password’.

What should I do?

Reconfigure your apps to use Modern Authentication. For example both POP and IMAP can use OAuth but you need an app that’s current enough to be aware of OAuth. This also applies to EWS apps and ActiveSync – the protocols can support Modern Authentication but may need to be modified to make a request that isn’t Basic Authentication after September. If you have Teams Rooms devices, bear these factors in mind.

Posted in Uncategorized | Comments Off on Last call for Basic Authentication

Microsoft Feedback

We regularly get support tickets in our help system asking us to ‘ask Microsoft to…’ or ‘request Microsoft fix this’ which, in the past, have been difficult to fulfil. Microsoft have attempted to improve user input and feedback via the UserVoice system, which allowed people to vote for their preferred changes/improvements. The number of votes gave Microsoft a clear view of where they should best target their development effort.

Now the process has been refined further. UserVoice has been replaced with the Feedback Portal. There is also documentation on how this works here. In general though, if you have clicked the ‘Feedback to Microsoft’ or the ‘I have a suggestion’ boxes in any of your Office applications, you are actually sending this directly to Microsoft. There is therefore no need to log a ticket for us to do this for you and in fact to do so will simply delay them receiving your request.

The portal allows you to see, edit, and delete, any of your previous feedback should you change your mind.

Microsoft have stated that while not every bit of feedback can be guaranteed to be actioned, the data is sent to the relevant product teams and it should all get evaluated.  There are several responses you should expect to see to any feedback you’ve given, which include letting you know it’s being worked on, or requesting additional information. The feedback portal does also allow you to give feedback on itself, if you feel that it too can be improved.

Posted in Uncategorized | Comments Off on Microsoft Feedback

Leavers’ Process

If you have staff who will be leaving your department you need to consider all of the services that staff member may have used. They may well be owners of shared files, of automated scripts, they might be the manager of a mail-list, and they might own a vital shared mailbox.

There are so many things to consider that IT Services have compiled a list that you can check (requires SSO to view) – and you should begin planning at least a month before the staff member’s last day. Trying to reinstate or recover content afterwards is not straightforward and, in many cases, can’t be done.

Here’s the link: https://help.it.ox.ac.uk/removing-access-for-staff

Posted in Uncategorized | Comments Off on Leavers’ Process

Teams and maillists

After resolving a confusing support ticket we have identified that some University members were adding maillists to Teams: please do not ever try to add a maillist email address to a Team. It won’t do what you want and it has adverse effects.

Why? In part it’s because the Maillist service (Sympa) and Nexus365 are entirely separate. There is no integration at all – they’re run as separate services and they’re managed by different staff within IT Services. We believe that what is happening is someone assumes that adding a maillist’s address to a Team would be a quick and simple way to populate it.

It isn’t, and it doesn’t.

Here’s why:
  1. Maillist/Sympa is an external organisation, as far as Nexus365 is concerned. Any maillist address you add is treated like any other external user account with a non-nexus address. Teams (and other Nexus365 services) do not see a maillist’s address as a bulk list of users. It has no way to expand the list and see its membership. Instead, Nexus365 would assume that you are adding ONE user. It is entirely unaware that the email address you’re adding has any connection with a bulk senders list.
  2. Anyone in the maillist can receive the welcome email from Teams which invites them to join the Team, whether or not they’re part of the University.

This is where the problem begins, particularly if – as has happened in a few of the examples we’ve looked into – that user attempts to specify their own Oxford address as the recipient address for this external account. This is not something we can limit without hindering how external collaboration in Teams works for the whole University.

When you add a maillist to a Team, what you’ve actually done is generate a code for that user to join your team, but which has now been emailed to the maillist’s entire membership. So under these circumstances anyone can use that code and take up that presence in your team rather than the genuine Nexus365 account. This causes a conflict which we have to unpick (by deleting the errant account entry).

The maillist account only becomes seriously problematic in a Team IF someone receives the invite, AND goes through the process to validate and join that account in teams. A Team Owner can remove the errant entry (which will show as an external user) from your Team themselves, without IT Services’ intervention. We only need to be involved if a maillist member has responded to the welcome message. 
N.B. To prevent this specific issue recurring the Nexus Team are now pre-emptively blocking the addition of the University’s maillist domain names from being added to a Team’s membership.
If you want to bulk add users to a team, consider using the methods detailed in the Power Automate (Flow) User Group Thread. Microsoft is working on a method of using .CSV imports for Teams and group memberships but there has been no news yet on a date for release. In the meantime the PowerAutomate “join to group” or “Join to team” methods are the only ones available.
Posted in Uncategorized | Comments Off on Teams and maillists

Outlook 2013: last call to keep up with minimum requirements

After 1st November 2021 the oldest supported version of Outlook that will be able to connect to Nexus365 services is Outlook 2013 – as long as it has updates and fixes on top. The number of the oldest supported version is 15.0.4971.1000 (Service Pack 1 with the October 2017 Update).

Microsoft are blocking older versions for the following reasons:

  • Support for basic authentication is ending, as a way to improve the security of your mailbox’s content.
  • Microsoft are moving towards HTTP/2 – which uses full-duplex communications to decrease latency. Improved header compression and multiplexing help improve throughput even further.
  • Newer versions of Outlook crash less often: Outlook’s reporting means that many of the most frequent causes of crashes have been identified and fixed.
Posted in Uncategorized | Comments Off on Outlook 2013: last call to keep up with minimum requirements

Automated transcription in online meetings

General advice from Peter Kent, Head of IT Governance and Communications, Office of the CIO at JISC.AC.UK:

What follows is a generic example of how you could approach managing the data protection aspects of using this feature. This is not legal advice. Always run any guidance past your internal data protection/compliance teams. Bear in mind that any guidance is usually general, and specific circumstances/contexts should always be considered.

What is live transcription?

Live transcription is a feature in Teams and Zoom meetings which transcribes speech to text. When enabled, the transcribed text will appear as on-screen subtitles, attributed to the speaker. Transcripts can also be shown in separate panels, and feature in recorded meetings too. But there are times when you should not use live transcription or share recorded meetings with transcriptions – more details below.

Why use live transcription?

Live transcription makes online meetings more inclusive, giving any hard-of-hearing meeting participants the opportunity to join in.

How accurate is live transcription?

Live transcription is undertaken by computers and cannot be guaranteed to be accurate. For example, the text displayed may be erroneous, or the text may be attributed to the wrong speaker.
Accuracy will be lower if technical or niche terms (jargon) are used. Accuracy will also suffer if the speaker talks too fast, is talking from a noisy environment, or if more than one person talks at once.

When should live transcription not be used?

Some providers may retain anonymised copies of audio and associated transcripts to improve the accuracy of their technology. This should be made clear to users as part of your obligation to provide privacy information. It may, in some cases, be possible to re-identify participants and cause harm to your organisation and others if the content of the calls provides sufficient context. Given this, and the potential inaccuracies of live transcription you should assess the risks of using the feature when sensitive topics are being discussed.

Should I tell speakers and meeting participants that live transcription is enabled?

Yes. Tell meeting participants that their speech will be live transcribed and attributed to their name. If this is an external event, you could include this detail in the privacy notice for the event. Give them the opportunity to submit any comments or questions via a chat panel rather than by talking, so you can read those out without attributing them to anyone.

Can I share recorded meetings with live transcriptions enabled?

The following data protection restrictions are in place to protect individuals and your organisation from the potential accuracy issues highlighted above.

External meetings (those hosted by your organisation but having non-organisation participants) featuring live transcriptions can be recorded and shared only if one of the following three conditions is met:

  1. The transcripts are amended prior to sharing (learn how to edit transcripts Zoom recordings and Teams recording):
    · The transcript content is verified and corrected as necessary.
    · Where the meeting has been advertised with speakers’ names (for example, to boost participation with a popular speaker), these speakers can be referred to by their first name and/or initials in any speaker attribution.
    · Any non-advertised speakers and all other participants can be referred to as [participant] in any speaker attribution.
  2. The transcripts are removed prior to sharing. The easiest way to do this is to download the recording files from Zoom or Teams and then share only the video (.mp4) file via OneDrive or SharePoint. Please note – if a recording is being shared publicly (for example on the organisation website or on YouTube) it should include a transcript to comply with accessibility legislation.
  3. The recording is being shared with a defined group of identifiable individuals, and the inclusion of full names in any speaker attribution is required to facilitate discussion (such as for subscriber group meetings). In situations such as this, names may be used but the participants must be made aware of this beforehand.

Internal meetings (those hosted by your organisation and only having your organisation participants) featuring live transcriptions can be recorded and shared within your organisation without restriction.

Who can I talk to about a use case that might need to be treated differently?

If you have a use case that might be a bit different to those listed here, or you have a query about naming participants or privacy notices, please get in touch with your organisation’s data protection team.

How do I enable live transcriptions in my meeting?

Use this link to learn how to enable live transcriptions in your Teams meeting.

Posted in Uncategorized | Comments Off on Automated transcription in online meetings

Fixed: Outlook Shared Calendar notifications

The Microsoft Exchange team have announced that an update to shared calendar notifications is now leaving preview and entering production. These improvements are gradually being made available for Outlook-on-the-web (a.k.a OWA), Outlook for Mac and mobile (it’s already rolled out for these two) and, finally, for Outlook on Windows.

The intention is that this is just an improvement – there should be no glaringly-obvious user-noticeable changes beyond snappier performance. There are some minor improvements, but they take the form of more intelligent handling of things like amended meetings, with fewer confusing dialogue boxes needing an answer. As an example, if you amend a long-established recurring meeting Outlook can now update it, leaving historical meetings alone, but allowing future meetings to have revised attendees/dates/times. It doesn’t break them, and most of the confusing user prompts are no longer needed.

To get an overview of what’s new Microsoft have provided this page. For a nice friendly video (which was on that page but now isn’t any more) showing how to enable it, and what’s new, there’s this link: video guide.

What’s changed?

  1. More responsive, faster updates.
    What we’ve all grown used to is shared calendars lagging behind the times – there might be changes that have happened in that calendar which haven’t yet appeared for our view of it. This leads to differing out-of-sync versions. After this change, editing a shared calendar should be as responsive as editing your own.
  2. Meeting organiser improvements.
    You can extend a recurring meeting without impacting any historical exceptions to it. If you modify the meeting’s attendee list, updates are only sent to those you’ve changed. Draft meetings will now appear in your calendar (unsent), rather than your Drafts folder. And if someone accepts a meeting but doesn’t send a response, you can still see they’ve accepted it via the ‘tracking’ tab of the meeting. One potential gotcha is that when you forward a meeting to a new attendee, existing attachments remain but you can’t add new ones. This ensures that all attendees can see all of the original attachments, with the same content.


Technical details of the changes

How a shared calendar is stored
  Old model: a hyperlink-like entry is placed in your mailbox.
  New model: a new calendar is created within your mailbox containing a copy of the data (going back 12 months).

How a shared calendar is accessed
  Old model: reads/writes the owner’s mailbox.
  New model: reads/writes the local copy of the shared calendar.

How a shared calendar syncs
  Old model: the original mailbox is periodically polled.
  New model: changes are synced instantly to your cached copy (push notifications are used).

Apps allowing access to a shared calendar
  Old model: Outlook on Windows and Mac, and OWA.
  New model: Outlook on Windows, Mac, iOS and Android; also OWA, Calendar for Windows 10, and all REST/EAS apps.

Is this enabled for me yet?

Ways to check:

  1. Can you see the shared calendar on a mobile phone’s copy of Outlook?
  2. Is ‘Turn on shared calendar improvements’ ticked? (Find this in File>Account Settings> Account Settings> [your email account] >Change > More Settings > Advanced)
  3. Admins can check group policy restrictions: HKCU\Software\Policies\Microsoft\Office\16.0\Outlook\Options\Calendar
    The value ‘SharedCalendarImprovements’  controls this setting and will be set to 1 if enabled; zero if it’s disabled.
  4. Check the ‘calendar properties’ dialogue box. You will need ‘editor’ or ‘delegate’ permission to do this. If the type has changed from ‘Type: Folder containing Calendar items (MAPI)’ to ‘Type: Folder containing Calendar items (REST)’ then it is enabled.
  5. Admins can check using PowerShell: use the Get-MailboxCalendarFolder cmdlet and check ExtendedFolderFlags, looking for a ‘SharedIn’ value.
  6. MFCMAPI will show the shared calendar in the calendar subtree and there will be an entry in the ‘common views > associated contents’ table called ‘SharingCalendarGroupEntryAssociatedLocalFolderId’.

Can I force an update?

Requirements: the shared calendar owner is hosted in Exchange Online, and you have specifically been granted permissions to their calendar.

The simple solution is to ask the calendar’s owner to re-share the content with you, which they can do from any Outlook application. You can accept the invitation using an updated version of Outlook to force the update to this new calendar model. To do this without the user’s intervention:

  1. Navigate to the Calendar module and find the shared calendar you want to upgrade.
  2. Right-click on the shared calendar and select Delete Calendar.
  3. Close and restart Outlook.
  4. From the Home ribbon in the Calendar module, choose Open Calendar > Open Shared Calendar.
  5. Enter the name of the person who has shared their calendar with you.
  6. Click OK to close the dialog.
  7. The shared calendar will reappear in your Calendar list and should now be upgraded.

Note that there may be a short delay for the first synchronisation as the content is copied but future content changes should appear near-instantly.


Further reading: Microsoft calendar sharing

EDIT HISTORY:
Page was amended 2nd June as Microsoft have updated the page to which I linked, and removed the video guide from their page. A new link has been added for the video.

Posted in Uncategorized | Comments Off on Fixed: Outlook Shared Calendar notifications