Help me customize Access Package emails

SysAdmins find it a lot of work maintaining permissions to resources like Azure.

Both Devs and SysAdmins love Identity Governance, and in particular Access Packages, as resources are now more secure and quicker to grant access to.

❌ Access Package request emails do not show the product or the user in the subject. If subjects contained those details, it would be easier to quickly see who is requesting lots of access on a regular basis.

Suggestion:

  • Email subject – At a minimum, add the product name and the user to the subject. Give the ability to fully customize it.
  • Email body – Give the ability to edit the text

Figure: Bad Example – See the red box – This subject should be customizable

Bug – Help me to open my Teams website tabs in the browser (Broken because URLs are case-sensitive)

Update: Microsoft fixed this bug in June 2024

When you are looking at a webpage in Teams, you often want to open it in the browser, e.g. Loop pages. Recently it started giving: “The link has been removed.”

Figure: New bug – “The link has been removed”

After very careful inspection in Teams, I realized that the URL was being changed to all lowercase when I clicked on the ‘open in browser’ button. This breaks any sharing links to things like SharePoint, as they are case-sensitive.

Figure: Line 1 – The original sharing link | Line 2 – The sharing link after Teams saves it

Suggestion:

URLs are case-sensitive by nature and should not be changed.
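The lowercasing described above, shown as an added example that is not Teams' own code: a naive lowercase of the whole URL beside a normalization that lowercases only the scheme and host, the only case-insensitive parts of a URL. The sharing link is a constructed, hypothetical value, not a real tenant or token.

```python
from urllib.parse import urlsplit, urlunsplit

# Constructed sample: a SharePoint-style sharing link with a mixed-case path and
# query (hypothetical tenant and token values, not a real link).
SHARING_LINK = "https://Contoso.SharePoint.com/:fl:/g/MyTeam/EaBcD12XyZ?e=Ab3Cd9"


def naive_normalize(url: str) -> str:
    """What the 'open in browser' button was observed to do: lowercase the whole URL."""
    return url.lower()


def safe_normalize(url: str) -> str:
    """Lowercase only the case-insensitive parts (scheme and host); keep userinfo,
    path, query and fragment exactly as given, since servers may treat them as
    case-sensitive (SharePoint sharing links do)."""
    parts = urlsplit(url)
    userinfo, at, hostport = parts.netloc.rpartition("@")
    netloc = userinfo + at + hostport.lower()
    return urlunsplit((parts.scheme.lower(), netloc, parts.path, parts.query, parts.fragment))


def link_survives(original: str, transformed: str) -> bool:
    """True if every case-sensitive component of the link is unchanged."""
    o, t = urlsplit(original), urlsplit(transformed)
    return (o.path, o.query, o.fragment) == (t.path, t.query, t.fragment)


if __name__ == "__main__":
    for name, fn in (("naive", naive_normalize), ("safe", safe_normalize)):
        out = fn(SHARING_LINK)
        print(f"{name:5} -> {out}  (link intact: {link_survives(SHARING_LINK, out)})")
```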

Microsoft Teams – Help me create a Team without a sensitivity label

Update – Microsoft has fixed this issue in the latest version of Teams v2 (24152.405.2925.6762)

The new Microsoft Teams app is a huge improvement over the older version. However, there is currently one serious fault.

A new Team should not automatically apply a ‘Sensitivity label’ unless a “Compliance policy” sets it as the default.

In the new Teams app only, a Team cannot be created without a “Sensitivity label”.

Figure: See the red box – New team defaults to “Private – Sensitive-Accounting Documents” | Click to change

Figure: In the Sensitivity Label dropdown, choose ‘None’ | Click Public to close this window

Figure: Blocked – See the red box – Team will be created as Public with a Sensitivity label that only a few people can read

Help Me View “My Access” approval details directly

When it comes to software, user experience is paramount. One area that could benefit from improvement is the way we handle ‘My Access’ approvals.

Current Experience

When someone requests access, the recipient gets a detailed email with a neat table. This table clearly shows who requested what access and their reasons for doing so.

Figure: Access request shows reasons

Room for Improvement

However, when it comes to approval notifications, the details are missing. The recipient only knows that the access was approved but doesn’t see who approved it or why. To find this information, they have to click a link and navigate through the history to locate the specific approval.

Figure: Approval email doesn’t show who approved it and why they approved the access

Suggestion

It would significantly enhance the user experience if the approval email could directly provide these details, similar to the access request email. This change would offer users a consistent experience, reduce the number of steps to find information, and increase overall efficiency.

Keeper – Help me to deep link directly to a report

It would be really useful to be able to link directly to particular reports in Keeper. For example, I can put a link on our intranet to https://keepersecurity.com.au/en_US/console/#auditreporting, but I would like to link directly to ‘Recent Activity’ or ‘All Security Events’.

If you agree please vote for this suggestion on https://keeperapp.canny.io/feature-requests/p/deep-link-to-report

Figure: Allow linking directly to reports

Tina CMS – Help me to add users to roles automatically

https://github.com/tinacms/tinacms/discussions/3816

Currently, adding users to roles in Tina CMS is a multi-step process. First, users must be added to Azure AD and then added as users to the enterprise app in AD. Then they need to be manually invited in Tina CMS, and thirdly added to a role in the particular project. This is a time-consuming manual process that could easily be resolved, and it would be really painful in large organizations.

Setting up System for Cross-domain Identity Management (SCIM) for Tina CMS would provide a range of benefits for organizations looking to manage their user identities and access across multiple systems. With SCIM, organizations can easily provision and deprovision users in Tina CMS and manage their access rights.

One of the key benefits of using SCIM with Tina CMS is increased efficiency and reduced errors. With SCIM, user accounts can be created or updated in real-time across multiple systems, ensuring that access rights are always up-to-date and accurate. This eliminates the need for manual updates and reduces the risk of errors, saving time and resources for IT teams.

Another benefit of enabling SCIM for Tina CMS is improved security and compliance. SCIM provides a standardized way to manage user identities and access, which can help organizations meet security and compliance requirements more easily. By ensuring that access rights are properly managed and maintained, organizations can reduce the risk of data breaches and unauthorized access to sensitive information.

Figure: Roles should be maintained using a SCIM imported group

Help me to see how many staff are accessing SharePoint with the mobile Apps

I am very interested in how people are accessing our services. I especially like how I can see that our users are accessing Dynamics 365 on their mobile app.

  1. SharePoint should display similar results. I would like to see how many of our SharePoint users are accessing our intranet via the ‘SharePoint app’ and also SharePoint Lists via the ‘Lists’ app.

Figure: Dynamics usage report shows that a number of people are using the Sales app to access Dynamics
Figure: SharePoint usage report should show the same things
Figure: Office 365 Power BI app shows Outlook Mobile and Teams but doesn’t have SharePoint stats

GitHub – Azure/Login – Allow custom expiry time for OIDC token

OIDC is now the recommended method to log in to Azure from GitHub pipelines, as it provides better security and doesn’t rely on storing a secret.

Currently OIDC login tokens expire in just 5 minutes🔥, causing long-running scripts to fail.

Related GitHub Issue: https://github.com/Azure/login/issues/180.

Your Azure credentials have not been set up or have expired,
please run Connect-AzAccount to set up your Azure credentials.
ClientAssertionCredential authentication failed: A
configuration issue is preventing authentication - check the
error message from the server for details. You can modify the
configuration in the application registration portal. See
https://aka.ms/msal-net-invalid-client for details. Original
exception: AADSTS700024: Client assertion is not within its
valid time range. Current time: 2022-10-20T07:47:12.7446078Z,
assertion valid from 2022-10-20T07:37:08.0000000Z, expiry time
of assertion 2022-10-20T07:42:08.0000000Z. Review the
documentation at

❌ Bad example – Error on deployment – assertion valid from 2022-10-20 07:37 to 2022-10-20 07:42 🔥(5 minutes)

- uses: azure/login@v1
  with:
    client-id: ${{ env.CLIENT_ID }}
    tenant-id: ${{ env.TENANT_ID }}
    subscription-id: ${{ env.SUBSCRIPTION_ID }}
    enable-AzPSSession: true

❌ Bad example – Needs 1 more parameter – (e.g. token-expiry: 30M)

- uses: azure/login@v1
  with:
    client-id: ${{ env.CLIENT_ID }}
    tenant-id: ${{ env.TENANT_ID }}
    subscription-id: ${{ env.SUBSCRIPTION_ID }}
    enable-AzPSSession: true
    token-expiry: 30M

✅ Good example – Allow the token expiry to be set to a more reasonable time
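As an added diagnostic that is not part of azure/login or the workflow above, the check below reads the nbf/exp window out of a client assertion and classifies it against the current time and the seconds a job still needs, so a too-short assertion is caught before a long-running step fails with AADSTS700024. The token is a constructed, unsigned sample (dummy signature) filled with the timestamps from the error above; the issuer claim is the real GitHub Actions OIDC issuer.

```python
import base64
import json
from datetime import datetime, timezone


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _utc(*ymdhms: int) -> int:
    return int(datetime(*ymdhms, tzinfo=timezone.utc).timestamp())


def make_sample_assertion(nbf: int, exp: int) -> str:
    """Constructed sample shaped like a GitHub OIDC client assertion; the
    signature segment is a dummy, so this token is for diagnostics only."""
    header = _b64url(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps({"iss": "https://token.actions.githubusercontent.com",
                                  "nbf": nbf, "exp": exp}).encode())
    return f"{header}.{payload}.dummy-signature"


def assertion_window(jwt: str) -> tuple:
    """Read nbf/exp from the payload. No signature verification: diagnostic use only."""
    claims = json.loads(_b64url_decode(jwt.split(".")[1]))
    return int(claims["nbf"]), int(claims["exp"])


def check_assertion(jwt: str, now: int, planned_seconds: int) -> dict:
    """Classify the assertion against 'now' and the seconds the job still needs.
    'expired' is the condition AADSTS700024 reports."""
    nbf, exp = assertion_window(jwt)
    status = "not_yet_valid" if now < nbf else "expired" if now >= exp else "valid"
    return {
        "status": status,
        "lifetime_s": exp - nbf,
        "remaining_s": max(0, exp - now),
        "covers_job": status == "valid" and now + planned_seconds <= exp,
    }


# Timestamps taken from the error above: valid 07:37:08 to 07:42:08, current 07:47:12 UTC.
NBF = _utc(2022, 10, 20, 7, 37, 8)
EXP = _utc(2022, 10, 20, 7, 42, 8)
NOW = _utc(2022, 10, 20, 7, 47, 12)
SAMPLE = make_sample_assertion(NBF, EXP)

if __name__ == "__main__":
    print(check_assertion(SAMPLE, NOW, planned_seconds=600))
```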

Help me to allow SSO from Azure

Being able to sign in using Azure to almost everything has been around for a few years now. Why is this still not available in 1Password? It would mean that staff need just a single password to log in to almost all the services they use. They can make that a nice long password, or even go password-less, and sign in to everything.

If SSO with Azure were enabled, we would also be able to use Conditional Access Policies. We already have Conditional Access policies that not only check where a user is signing in from (which can also be done in 1Password) but also restrict which devices can log in, and for users of Azure AD Premium P2 we can use Microsoft’s AI to stop ‘Risky Users’ from signing in to our 1Password. This would also allow us to use our existing MFA solution (instead of needing a new one for 1Password).

Help me to add folders and subfolders

1Password has decided to sort passwords using free-text tags. This works well in small teams, but in large teams it won’t work. Can you imagine how many possible spellings there are for Service-Account? The only other solution is to have multiple vaults, but that isn’t ideal either, as we would then need a vault for SysAdmin-SVC-Accounts, Designer-SVC-Accounts and Dev-SVC-Accounts. This presents problems because we would then need to set permissions on each of those. There is also a possibility that we might need to put the same login in more than 1 of those vaults. This would not be a problem if we had folders and subfolders.

It would work even better if tags could be specified by Admin users and passwords could be set to require at least 1 tag. But as it stands, if we want our users to add and update details, they are able to create free-text tags or, even worse, not put a tag at all.

Figure: Note that tags are entered in free text and not required