Office Flash Friday Broadcast for 2019-04-12

Show Notes

Prioritized Guide to Hardening Win 10

  • Please read this!
  • Applies to various entitlement levels

Power BI gets AutoML!

Step 1: turn it on.

Step 2: enjoy the democratization of machine learning.

Power BI New Workspace Experience GA

  • Contact list
  • OneDrive workspace
  • Usage metrics
  • Tenant setting for enabling users to create workspaces
  • Existing workspaces will continue to work as is, upgrade coming in the future

Power BI Report Builder Available!

What’s old is new!

New Power BI Regions in France and Korea

Office Flash Friday Broadcast for 2019-04-05

Show Notes

Teams – 10 Great Integrations

Some you know, some you may not – check them out!

Teams IT Pro Training Updates

New info on:

  • Live events
  • Compliance features
  • More!

Azure Security Center Improvements

  • It’s Azure, and security – which means we ALL CARE!
  • New compliance dash, file security (which you may be using in business workflows!) and more

Whitepaper – Current State of Securing Mobile Mail w/EMS

  • Good overview of options and impacts
  • Read thru and see what current state for your scenarios is

AAD Password Protection GA!!

Avail for cloud and hybrid

Flow April 2019 Features Releases

Power Apps March Update Summary

Just a quick review of adds

  • SPO Doc libs in Canvas apps
  • App height/width adaptive capabilities
  • Fixes/updates to barcode scan, full screen droid video and more

SharePoint March pitstop

  • Org news and news order w/authoritative news
  • LinkedIn co-author
  • Page templates
  • Planner updates

Bonus Content from Nick the CSM!

OFF TOPIC SHOW – Revisiting Win10/Office 365/Imprivata in Modern Shared Clinical Workstation scenarios

What a long title – again!

In early 2018, the Microsoft Technology Center (MTC) in Minneapolis completed several rapid prototype sprints with customers in health care who had a few common challenges around shared workstations and easy user access to Office 365.  In March of 2019 we revisited the topic, this time involving key industry software partner Imprivata.  This post is an update to the original test and includes both an OFF demo show episode and the technical overview below.

As a recap, we are attempting to address the following core challenges identified with customers when implementing Microsoft Modern Workplace solutions:

  • Many health care orgs use a “Modern Shared Clinical Workstation” model and manage login/logout to apps within that tool using smartcard/tap solutions
  • These locations use only a single Windows Profile – users don’t use the traditional Windows login UI
  • On these stations users may have web-only Office access but want to use the “full” Teams client for collaboration
  • Users need a fast and secure login experience that ensures no “cross-over” access between sessions on the shared workstation

So, that’s the goal, and hopefully you all find this content useful.  Our sincere thanks go out to the Imprivata team, and in particular Steve Furtsenau, for their support and participation.  You guys were great to work with, and we appreciate the dedication you showed helping our mutual customers.  Ditto to Randall Irwin, Technical Specialist from Microsoft, who went above and beyond herding all the cats.

Now, here is the overview video and the companion technical content (below the video).  While this isn’t comprehensive to all scenarios, we found this approach to be a good starting point for organizations facing this challenge.  This isn’t meant to be authoritative, but rather to provide guidance and information that might help our customers.

As always, feedback most welcome 🙂

– Doug Splinter, Director – Microsoft Technology Center, Minneapolis


The following document outlines research done around improving both user and IT management experiences for Windows-based access to Office 365 services in mixed client access/license scenarios commonly found in health care provider organizations.

The target audience is IT departments, Microsoft Partners, and technical teams tasked with enabling Office 365 services in these environments.  The content assumes customers are familiar with Microsoft Office 365 capabilities and have knowledge of Windows PC management, Imprivata OneSign, and related technologies.

During testing we found there were several areas where issues were experienced that impacted usability and/or access to Microsoft Teams and Microsoft Office Web Applications in common health care provider shared workstation environments.  These areas were as follows:

  • Poor user experience when signing in/out of Office 365 services in common health care provider shared workstation scenarios; users entering credentials multiple times
  • Users with both selective app access (Microsoft Teams) and/or browser-only access to services encountered issues getting quickly signed in via methods such as proximity cards

The goal is to review customer feedback/issues in each of these areas, and then document approaches developed during rapid prototype test work.

Clinical Shared Use Workstation Scenario Review

Many clinics and hospitals have the concept of a Modern Shared Clinical Workstation (MSCW) in use to support locations where users simply ‘walk up’ to machines that are already unlocked or authenticated at the Windows OS level.  These PCs are usually constantly signed in with local Active Directory Domain Services (ADDS) accounts that represent the location (ex: CareStationMSPB1-1222) of the machine as opposed to the user(s) currently using it.

This means that users who access/use the SIDW machines DO NOT log in at the Windows OS level Graphical Identification and Authentication (GINA) login prompt, but rather use apps and browser-based services on the always signed-in desktop session.  At the Windows level, this results in a Windows profile that is essentially shared across all users of the MSCW PC.

Even though the local Windows profile remains constant, users still need to authenticate and do both sign-in and sign-out of apps/services within the MSCW session; it is extremely important that this transaction happens successfully and predictably without impacting user productivity.  One example of an issue customers encountered surrounded properly removing credentials to prevent “carryover” from one Office 365 user session to the next.  For example, a user might sign in, check their email, and then close their web browser.  The next user might open the service and then see the previous user’s email instead of their own inbox; a concern at both the security and privacy level.

Authentication-management techniques for the app-level “sessions” within these MSCW are commonly supported via clinical SSO tools from Imprivata, who was our test partner for the scenario.  The technical goal is simple: secure sign in and clean sign out while preserving the common session.

Improving SIDW Scenario User Experience with Clinical SSO Tools

Clinical SSO tools such as Imprivata are in use in most environments to provide basic authentication and SSO within the local MSCW profile.  These tools have custom in-session login windows that users sign in/out from, and they therefore can track and audit the status of local users.  They also commonly support authentication via proximity cards and/or certificates for faster or more secure login.

It is important to note that ALL of our test scenarios leveraged Imprivata as a clinical SSO provider for O365 sign-in/out management; we did not develop a reference architecture pattern for access without Imprivata OneSign in use and deployed.

At a technical level these tools operate under the single/shared profile context, and then provide their SSO and related capabilities to apps, either via direct API integration or via ‘pushed’ credentials into application-level login windows or forms.  The end goal is to give the users easy access to needed apps and services similar to what they would have in a unique Windows profile environment, but without the need to shut down other running apps/services that a Windows login would require.

One of the critical capabilities these tools offer to support our scenario is the ability to run scripts or perform actions on certain events, such as when a user uses “log in” to the SSO tool.  We focused on leveraging the built-in capabilities of OneSign and AAD/O365 in our solution development to ensure supportability and flexibility – config not code was our goal.

Reference User Experience Outline

The end goal is a good user experience that gets people signed in according to policy, and properly signed out when done.

Here is the targeted user process flow that was tested:

User A

  • User A “badges in” to ICU Workstation 1 using a SmartCard to authenticate to Imprivata OneSign.
  • User A opens Imprivata-provided shortcut to Office365 portal and gets a seamless SSO experience for their account
  • Microsoft Teams is auto-launched w/seamless SSO for user A
  • Other Imprivata OneSign driven events are processed

User B

  • User B badges into ICU Workstation 1 (we are assuming User A just walks away)
  • User A’s open browser and apps should be closed automatically
  • User A is fully signed out from client app and browser services in the common MSCW session
  • User B opens Imprivata-provided shortcut to Office365 portal and gets a seamless SSO experience for their account
  • Microsoft Teams is auto-launched w/seamless SSO for User B
  • Other Imprivata OneSign driven events are processed
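The User B steps above require that nothing from User A keeps running in the common session. The following PowerShell check is an added example, not part of the PoC configuration or of Imprivata's tooling: it finds and closes Internet Explorer and Teams processes owned by anyone other than the station account or the incoming user, then re-checks. The script parameters and the idea of calling it from a user-switch event are assumptions.

```powershell
# Added example, not the PoC's configuration. Flags and closes Office 365 client
# processes left behind by a previous user of the shared session.
[CmdletBinding()]
param(
    # Assumption: the caller (e.g. a user-switch hook) passes the incoming user.
    [string]$IncomingUser = '',
    # Apps from the recipe card: IE for O365 web services, standalone Teams.
    [ValidateNotNullOrEmpty()]
    [string[]]$AppNames = @('iexplore.exe', 'Teams.exe'),
    # Only list leftovers; do not terminate anything.
    [switch]$ReportOnly
)

function Get-CarryoverProcess {
    param([string[]]$KeepUsers, [string[]]$AppNames)
    $filter = ($AppNames | ForEach-Object { "Name = '$_'" }) -join ' OR '
    Get-CimInstance -ClassName Win32_Process -Filter $filter | ForEach-Object {
        $owner = Invoke-CimMethod -InputObject $_ -MethodName GetOwner
        # ReturnValue 0 = owner resolved; otherwise the process cannot be
        # attributed, so it is reported rather than silently trusted.
        $user = if ($owner.ReturnValue -eq 0) { $owner.User } else { '<unknown>' }
        if ($KeepUsers -notcontains $user) {
            [pscustomobject]@{ Name = $_.Name; Id = $_.ProcessId; Owner = $user }
        }
    }
}

# Keep the station account (owner of the common session) and the new user.
$keep  = @($env:USERNAME, $IncomingUser) | Where-Object { $_ }
$stale = @(Get-CarryoverProcess -KeepUsers $keep -AppNames $AppNames)

if (-not $ReportOnly) {
    foreach ($p in $stale) {
        # Requires rights to terminate another account's processes.
        Stop-Process -Id $p.Id -Force -ErrorAction SilentlyContinue
    }
    Start-Sleep -Seconds 2
    # Re-check so the result reflects what is actually still running.
    $stale = @(Get-CarryoverProcess -KeepUsers $keep -AppNames $AppNames)
}

# Anything still listed belongs to a previous user's session.
$stale | Format-Table -AutoSize
if ($stale.Count -gt 0) { exit 1 } else { exit 0 }
```

A non-zero exit code means a previous user's browser or Teams process is still present, which the calling hook can log or alert on.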

Technical Recipe Card and Configuration Info

To achieve the above, the below environment config was used.  Please note that this is a general listing.  Additional information is available on both companies’ technical support and documentation sites for configuration of the base environments of Office 365 and Imprivata – this is just an overview that should give admins with experience an understanding of our specific deployment configuration that resulted in the provided demonstration.

  • Microsoft
    • Office 365
      • Office 365 tenant setup and configured for basic services
        • Microsoft Teams enabled and configured
        • Additional O365 services configured as needed (OneDrive for Business, Stream, etc.)
      • Users licensed for Office F1 + EMS capabilities
      • Current version of Azure AD Connect deployed
        • Configured to support Seamless SSO via Password Hash Sync (PHS)
        • Device configuration set to suppor
      • Workstation
        • Windows 10 build 1809 – all current patches applied
        • Joined to Active Directory Domain Services (ADDS)
        • Windows PC hybrid Azure Active Directory (AAD)
        • Internet Explorer (as present in 1809 Windows 10 build) used as browser
        • Microsoft Teams client deployed as standalone (not via join Office Pro Plus)
  • Imprivata
    • Imprivata RFID Reader model HDW-IMP-75
      • Note on hardware – we tested a few other models as well; Win 10 driver + Imprivata version + RFID card compatibility are the key elements to consider
      • RFID cards assigned to users in Imprivata
    • Imprivata OneSign version 6.2
      • OneSign environment configured to integrate and sync with ADDS
      • Configured to use “run as” impersonation technique for launching services
      • Imprivata ISXRunAs samples follow
        • Teams:  "C:\Program Files (x86)\Imprivata\OneSign Agent\ISXRunAs.exe" /profile "__INSERT COMMON SESSION PROFILE PATH OR VAR__\AppData\Local\Microsoft\Teams\update.exe" --processStart "teams.exe"
        • O365 Web Services: "C:\Program Files (x86)\Imprivata\OneSign Agent\ISXRunAs.exe" "C:\Program Files (x86)\Internet Explorer\iexplore.exe" ""

Configuration Notes

  • Local profiles are generated for each user on the machine even though they don’t interactively login – this is expected due to the Imprivata RunAs launch technique
    • Note: To avoid user “first run” settings in browsers, default initial profile settings should be set – approaches here are mature in most IT organizations, so we did not specifically test or document these settings.
  • We did not test full Office Pro Plus clients – that is planned for the future
  • We did some basic successful testing of Chrome as a browser option, and did achieve seamless SSO with the Windows 10 Account extension deployed. We did not test admin-level deployment and management of the extension.
  • While we see no reason it would fail, we did not test ADFS or other SAML IdPs in our deployment.


That’s it for our PoC results/solution overview.  We hope you find the content useful in helping you integrate Office 365 services in your environment.

Office Flash Friday Broadcast for 2019-03-29

Show Notes

AutoCAD integration with OneDrive and SharePoint

PowerApps for US Gov is GA

Will support requirements for FedRAMP High, and requirements for criminal justice.

What’s coming for Power BI, PowerApps, Flow

Check out the free event this coming Tuesday! 8am – 9:30am Pacific.

Power BI XMLA Endpoints in Public Preview

  • Premium feature
  • Connectivity to Power BI datasets in third party BI tools
  • SSMS connectivity
  • SQL Profiler
  • DAX Studio
  • Excel connectivity without requiring a Pro license
  • Today is read-only, read-write coming soon – will enable DevOps/ALM

Power BI Windows App Slideshow Mode

March Surface Hub Updates!

  • Software improvements!
  • Native whiteboard app in preview
  • Camera switching

Teams Live Events GA!

  • Go check it out – we’re using it today 🙂
  • Now GA!

Improved management of Teams Apps

  • Admin app policies
  • Capabilities to

Whiteboard and Teams integration

Real shared whiteboarding – here we go!

OneNote March updates

  • New/improved features
  • Nav/Search
  • File embed

Office Flash Friday Broadcast for 2019-03-22

Show Notes

Teams Enterprise Connect

  • Coming – Secure private channels
  • Backgrounds, Content Camera, Whiteboard App integration
  • Information Barriers (Coming) + DLP – just a reminder, this is GA 🙂
  • Dynamic e911, Location Based Routing, Music on Hold, and Busy on Busy

Security Updates from Ignite Amsterdam – Mac Defender!

  • ATP for Macs announced!
  • Integrated into Defender cloud dashboard

Risk-based Threat and Vulnerability Management

A better way to look at threat remediation

SCCM + Intune – Spring update

  • Roll-up and catch up post
  • Another great res for your upgrade cycle (April 2020 cometh soon)

ICYMI: Teamwork Governance Resources

Slow down so you can go faster in the long run…start with governance, or start adding it now!

Office Flash Friday Broadcast for 2019-03-15

Show Notes

Power BI Dataflows Lineage

Power BI AI in Dataflows

Supporting today: language detection, sentiment scoring, key phrase extraction, and image tagging.

Power BI Multi Geo in Premium GA

Allows more control over data residency as well as potentially improving performance. Docs call out what goes with capacity region and what stays in home region.

Power BI AAD B2B Guest Editing, Management

Power BI Desktop March 2019

  • Single select slicers
  • Heat maps on Bing Maps visual
  • Cross highlight on axis labels
  • Default tooltip formatting
  • Adjust map point sizes
  • Zoom buttons on map
  • Accessible visual interaction
  • Q&A recommendations (misspellings, disambiguation)
  • New modeling view GA
  • New DAX! ContainsString, ContainsStringExact, DistinctCountNoBlank, LookupValue
  • PDF connector now supports tables spanning pages
  • Azure Cost Management connector

Power BI On-prem Gateway February Update

M365 for Government Expands services

  • Expansion to GCC High + DoD
  • More + improvements to security offerings coming to GCC- ATP, etc.

Reminder – Win 7 horizon approaches…and we have resources to help

  • Desktop assessments, app assure, migration tools, telemetry, reporting and more!
  • Start your project > program conversion now – please!

Teams March roundup

A few items:

  • 5k people in a Team
  • IT Pro training updates
  • Firstline worker support
  • EDU + GCC updates
  • Healthcare-specific feature announcements
  • Graph API updates (these are really useful!!)
  • Much more!

EMS: Investigations w/UEBA-based priority!

  • Score on alert, activity, impact (blast radius), Azure Sentinel integration
  • Goal – meet reqs w/less SecOps labor

EMS: Current state of MacOS management

  • Been a while since we’ve summarized current state, this post updates us on current state
  • AAD integration, Intune enrollment + mgmt, SCEP updates, JAMF integration, etc.

Microsoft Cloud App Security @ RSAC 2019

  • UBA, active DLP, custom reporting
  • Native service integration x-MS stack

No broadcast for Friday, March 8th

Sorry folks! Doug is on vacation, so no broadcast today! See you next week!


I’m here…and I don’t want to come back 🙁

– Doug

Office Flash Friday Broadcast for 2019-03-01

Show Notes

Azure Sentinel

Win Defender ATP – Win 7/8/10!!

EDR for all Windows

What’s New in M365 in February?

  • Security alerts for Microsoft accounts on your phone
  • Office app for Windows 10
  • Extract data into Excel on Android
  • Add photos/files to To-Do items
  • More…

Power BI Python Visuals

Leverage the power of Python visuals in your Power BI reports. Examples:

Tailoring Help and Support for Power BI

Customize links for training, discussion forums, licensing requests, and help desk.

Power BI Premium Deployment Whitepaper Released!

Office Flash Friday Broadcast for 2/15/2019

Show Notes

Power BI a Leader in Gartner’s Magic Quadrant for Analytics and BI

Power BI Export to PDF and On-Demand Email Subscriptions Available

PDF export in addition to PowerPoint! Also, subscriptions can now be triggered on-demand.

Power BI Export with Filters

Works with PDF and PowerPoint. Includes filters, slicers, cross-highlighting… more. Check out the post!

Power BI Admin Portal Bulk Operations

Replaces the need for repetitive admin operations that were usually solved with PowerShell. Examples: restore deleted workspaces, assign admin to orphaned workspaces.

Power BI Embedded Support for Service Principals

This approach replaces the previous approach of using a named Power BI Pro (and hence license) user for interacting with the Power BI API in embedded scenarios. Easier to create, cheaper, more secure!

Power BI Desktop Update for February

  • More formatting control of filtering pane
  • Cross highlighting from points in a line chart
  • Change default cross highlighting/filtering behavior in a report
  • Rounded corners!
  • Key influencers visual
  • Insights questions in Q&A and autogenerated Q&A question suggestions
  • A BUNCH of cool custom visuals!
  • A BUNCH of data connectors!
  • Better error messages for DQ/live connections

Flow Updates!

  • Flow now has the advanced condition capabilities that have been in Logic Apps.
  • SharePoint “Remind Me” feature based on a date in metadata
  • Code peek
  • New connectors: Microsoft Security Graph, XooaDB

Autopilot Remote Wipe for EDU

Great for end of year!

Feb Teams Roundup

  • Teams rooms
  • Usage Reporting
  • Templates and Bots
  • 3rd Party – MindMeister, Jira and more!

Teams Healthcare Announcements

ICYMI: O365 Privacy – new features review

  • Specialized Compliance workspace
  • Consistent labeling across Win, Mac, iOS, Droid
  • New analytics capabilities
  • Better support for comms review – important to regulated industries

SharePoint – Lots to catch up on!!