Видео

So you assigned the information rights management permissions on the file (like limiting printing) to a dynamic group? Then after adding a new user to that dynamic group, after a few days they are still unable to print or perform the actions assigned in IRM? I honestly haven't tried this yet, so I'm not 100%, but I haven't heard of any issues with this. I'll try to give it a try though and get back to you on that.

@@Ben_Stegink even if the dynamic group is used to give access to the complete file (co-owner), any new members of this dynamic group are not granted to past files with the same label. Same behaviour with static groups.

Yup, it's a really subtle different between the read-only and view-only when you're changing those permissions.

Erick, sorry was out on a vacation and just now getting to this. From a Microsoft Terms of Service, I honestly don't know. From a technical perspective for the longevity of the flow with per user licenses to ensure it continues to work withouth having to export/import to chnage the Flow owner, that woul 100% be the way to set it up.

You're welcome, glad it was helpful!

Correct, once you set this up you will have to select a sensitivity label every time you create a Team. So if you don't want the one for the private team, you may also create a labels that is general, or something else for "non-private" Teams.

There is a setting in your sensitivity labels can control users ability to lower a sensitivity and even some restrictions around it (like requiring justification to lower it). In this way you can audit when and why a user might lower the sensitivity, or even set up alerts for it in various ways. However, I'm not aware of being able to set it to only be lowered by peopler with specific permissions.

Love it! Glad you found the videos and always fun to hear from a podcast listener 😀. Trying to get some RUclips videos with a little more regularity too. Feel free to let me know if there are any podcast our RUclips video topics you want covered!

I've actually seen this error more and more across all of Teams, Public, Private, and Shared Channels. It appears to be something to do with Teams caching, either in the browser or on the local machine. That being said, having to clear your cache every time this happens is a bit of a pain. I'll let you know if I come up with a better solution for it. But hoping Microsoft also addresses it in a future update.

Glad to hear it!

I'm trying to run a powershell script that connects to microsoft teams. The account I'm logging in with uses MFA and this causes the script to fail when I try to login with stored credentials. Do you have any tips or resources you can direct me to so that I can bypass this issue? @@Ben_Stegink

There is absolutely a risk of ending up in a costly place. However, I still think there are some benefits that can be had from this. I have a lot of clients successfully using both of these tools and avoiding a safe and costly place. I also agree that writing code can also be a legitimate alternative to these tools and have worked with companies that have done that as well. However, not all companies are in a place where that is possible for them and Logic Apps and Power Automate are great tools to have in their toolbelt. When talking about all of these options, C#, Azure Functions, Power Automate, Logic Apps, or any other tools, it's all about choosing the write tool for the job and ensuring that it is properly managed and governed. While I appreciate the insight and I agree that you can end up in a sad and costly place with either of these. However, based on my experience and work with 100's of clients, I strongly disagree with your premises that you will ALWAYS end up there.

I've been using Logic Apps for years and it's enabled me to bring value that I wouldn't otherwise have been given budget to accomplish. There are always tradeoffs.

@negiro5453 have you verified that the document doesn't have unique permissions itself and the view only was set at the library, but not on the individual file? That's about the only thing I can think off of the top of my head is that somehow the document didn't get that view only permission set on it for some reason.

@penguin12902, that's a really good question. I haven't actually tried it, so I'm not 100% sure. But, you can go in to the authentication method where you enabled FIDO2 and disable the other options. I've never tried to reduce it down to just that single option, but that's where I would start. Disable everything except for FIDO2 and see if that does it.

@@Ben_Stegink I was unable to make it work. However I was able to have my user choose "use a different authenticator" and they use the Yubico Authenticator App with the Fido2 key.

Glad to hear that!

Short answer is yet, you'll need conditional access to get to that level. As far as getting more granular, there would be some additional things you could do with conditional access (which you can do at the site level). But if you need to get down to the filer/folder level you'll probably also need to bring in some sensitivity labels and even authentication contexts. This approach is definitely a bit hacky and like you said, even a bit unreliable with different file types.

Hm...that's an interesting one. I haven't heard of this happening before. How long ago did you do the domain change? Wondering if maybe it's some delay with everything recognizing the URL change?

If you want to do it as a credential object, you would need to pull the client id and secret from it and separate them out to pass them into the two parameters. Alternatively, you could use a variable instead of the credential and, for the secret, make it an encrypted string variable. If you want to get really fancy (maybe I should create a video on this), you could also use Key Vault to store the client id and secret and pull them from Key Vault.

@@Ben_Stegink thank you. I would really appreciate if you can make a video on this.

@ExJester04 first of all, thank you! I'm glad this breakdown helped. It's definitely not something that every org would use. One scenario might be if you create SharePoint sites for various projects, and certain projects need to have a conditional access policy applied. You could have an authentication context for "confidential projects" that you apply to all those sites in order to set certain conditional access settings at the site itself. As for your question about at the document or the site level, you may want a different label if you have a specific document or file that is more secure than the content in the site as a whole. So maybe a site is confidential or secret, but then you have a very specefic file that is top secret or restricted and you would want to set that at the document. However, in that case, you couldn't take advantage of authentication contexts as those are only at that site or group level. Hope that helps explain it a little more and answer's your question 🙂

You're welcome, glad it was helpful!

My pleasure 😊

Glad it was helpful!

@Philip, sorry, somehow I missed your comment. Were you using the AzureAD Module or the AzureADPreview Module? If you were just using the "normal" one, give the preview module a try. There may also be a way to do this with the Graph Module since everything will be switching over to that module.

Michael, so this is interesting thought. I guess I would say maybe, but lean towards it's still two factor? Reason being, is that the touch isn't really a fingerprint. It's just anything conductive. I could touch it with a toe, the back of my hand, one of my clients I think, even had his cat registering a touch on the device. So...it's not really something unique to you. So, I guess it's three factors from the perspective you need to have the pin, the key, and physically be present to use it? But, in the same respect, it could also be closer to two factors because there isn't much security in just the touch of a conductive piece of metal. Also for me, sometimes I have two security keys plugged in; maybe they are even for different services. The touch helps to identity which key you are trying to use for authentication. So, I guess I really don't think of that touch as being much of a security mechanism. However, if you do want to disable the touch aspect on the YubiKey specifically, it does appear that you can customize the policies around PIN and Touch - docs.yubico.com/yesdk/users-manual/application-piv/pin-touch-policies.html

No problem 👍

You're welcome, glad I could help!

This is definitely something you can do. I've done it for clients in the past with some text boxes, formulas, etc. I"ll actually show a similar solution at an event coming the end of this month where I walk through the basics of building a user management system on the Power Platform - academy.collab365.com/offer/c365-solday2/solutions-day-q3-2022

Awesome, glad to hear it!

Cliff, you can't go back and retroactively do it in bulk that I'm aware of that's general available. I haven't tried it, but it's possible you could write a PowerShell script to do it as well. If you have E5 licenses, you could also use the autolabel functionality there to do it. However, all that being said, there is also a preview feature rolling out now to configure a default sensitivity label for a document library. I haven't tried it yet, but based on the documentation this will apply a default library to all new content as well as content that doesn't have a label yet. So you wouldn't be able to pick documents and bulk apply them, but you could do it on a library by library basis. - docs.microsoft.com/en-us/microsoft-365/compliance/sensitivity-labels-sharepoint-default-label?view=o365-worldwide.

@@Ben_Stegink thanks

Agree 100%! Right now I tend to do a lot of hiding/showing and then re-organizing Teams to try to keep them organized, but having some sort of grouping would be awesome!

Akash, yeah...the SharePoint permission this definitely isn't fool proof. There are ways to work around it. Honestly, if you want it to be 100% secure, you need to go with conditional access and the app enforced restrictions there. I should make a video specifically around app enforced restrictions as well.