GitHub – Azure/Login – Allow custom expiry time for OIDC token

OIDC is the recommendation method to login to Azure from GitHub pipelines now as it provides better security and doesn’t rely on storing a secret.

Currently OIDC login tokens expire in just 5 minutes🔥, causing long running scripts to fail.

Related GitHub Issue: https://github.com/Azure/login/issues/180.

Your Azure credentials have not been set up or have expired, 
1955 | please run Connect-AzAccount to set up your Azure credentials. 
1956 | ClientAssertionCredential authentication failed: A 
1957 | configuration issue is preventing authentication - check the 
1958 | error message from the server for details. You can modify the 
1959 | configuration in the application registration portal. See 
1960 | https://aka.ms/msal-net-invalid-client for details. Original 
1961 | exception: AADSTS700024: Client assertion is not within its 
1962 | valid time range. Current time: 2022-10-20T07:47:12.7446078Z, 
1963 | assertion valid from 2022-10-20T07:37:08.0000000Z, expiry time 
1964 | of assertion 2022-10-20T07:42:08.0000000Z. Review the 
1965 | documentation at

❌ Bad example – Error on deployment – assertion valid from 2022-10-20 07:37 to 2022-10-20 07:42 🔥(5 minutes)

- uses: azure/login@v1
        with:
          client-id: ${{ env.CLIENT_ID }}
          tenant-id: ${{ env.TENANT_ID }}
          subscription-id: ${{ env.SUBSCRIPTION_ID }}
          enable-AzPSSession: true

❌ Bad example – Needs 1 more parameter – (e.g. token-expiry: 30M)

- uses: azure/login@v1
        with:
          client-id: ${{ env.CLIENT_ID }}
          tenant-id: ${{ env.TENANT_ID }}
          subscription-id: ${{ env.SUBSCRIPTION_ID }}
          enable-AzPSSession: true
          token-expiry: 30M

✅ Good example – Allow the token expiry to be set to a more reasonable time

Help me to allow SSO from Azure

Being able to sign in using Azure to almost everything has been around for a few years now. Why is this still not available to use in 1Password? This means that staff just require a single password to login to almost all the services that they use. They can make that a nice long password or even be password-less and sign into everything.

If SSO with Azure was enabled then we would also be able to use Conditional Access Policies. We already have Conditional Access policies that not only check where a user is signing in from (which can also be done in 1Password) but we are also able to restrict which devices can login and for users of Azure AD Premium P2 we can use Microsoft’s AI and stop ‘Risky Users’ from signing into our 1Password. This would also allow us to use our existing MFA solution (instead of needing a new one for 1Password).

Help me to add folders and subfolders

1Password has decided to use a solution to sort passwords using free text tags. This works well in small teams but in large teams this won’t work. Can you imagine how many possible spellings there are for Service-Account? The only other solution is to have multiple vaults, but that isn’t ideal either as then we would need a vault for SysAdmin-SVC-Accounts, Designer-SVC-Accounts and Dev-SVC-Accounts. This presents problems because then we would need to set permissions on each of those. There is also a possibility that we might need to put the same login in more than 1 of those vaults. This would not be a problem if we had folders and subfolders.

It would even work better if Tags could be specified by Admin users and passwords could be set to require at least 1 tag. But as it stands, if we want our users to add and update details then they are able to create free text tags or even worse not put a tag at all.

Figure: Note that tags are entered in free text and not required

Help me to use Office365 groups in SharePoint Online

See the below text from our document on how to set up the security ourselves

Context 

Whenever you create a Site Collection, two O365 groups get created (xxx-Owners and xxx-Members). For retro-compatibility, these O365 groups are automatically added to the SharePoint groups at creation time.  

Figure: SharePoint Advanced Permission setup – 3 traditional SharePoint Groups 
Figure: “Members” SharePoint group has exactly one member – the Office 365 Group 
Figure: “Owners” SharePoint group is Empty!

(Note for SharePoint gurus: O365-xxx-Members is mapped to SharePoint-xxx-members, but O365-xxx-Owners is mapped to… Site Collection Administrators! Crazy.) 

Figure: “Site Collection Administrators” are mapped to The Site Owners Office 365 Group 

SharePoint membership grants access to SharePoint resources, while access to Teams features (Channels, tabs, apps) is controlled directly via O365 groups.  

Problem 

The problem with this model is we cannot add AD (Active Directory) groups (or even O365 groups) within O365 groups (no nesting allowed). So, if we want to give access to two different sites to the same people (say SSWDevelopers), we must add ALL MEMBERS manually on EACH generated O365 group. That is ridiculous, and hard to maintain long term. 

Help me find a SharePoint List

See the below screenshot – this is the default on the lists app. It shows all lists that I have permissions for and have added as a favourite list.  Although it says ‘Home’ it shows not only lists in the ‘Home’ site but also any other lists that I have access to.  These lists are not in the ‘Home’ site but are in other sites.  

If I don’t know what the name of the list is that I am looking for how do I find it?

Figure: All lists shown that I have access to

It would be better if I could see the hub-site navigation from the normal SharePoint site. That way I could just navigate to the SysAdmins site and see the lists in that site, or the Designers and see those lists.  That would give more context.

Figure: Dropdown from regular hub-site navigation

Help me to share a whiteboard to just 2 people

In Teams when in video chat with only 1 other person and click Share Content | (there is no Whiteboard app)

❌ Figure: Bad Example – With only 1 other person in the chat there is no whiteboard

When I add someone else to the call I can see the whiteboard app. 

✅ Figure: Good Example – With 2 or more people in a video chat Whiteboard is there

This is weird and wastes a lot of time debugging why this feature comes and goes.  The button should always be there and if Microsoft don’t want to enable it for 2 people for some reason pop a message that says “Whiteboard is for 3 or more users”.

Help me to show version history in Desktop/Web versions of Office

In SharePoint it shows the file history fine.  But the history doesn’t completely appear in the Desktop/Web versions of Office.

We find ourselves looking at version history when debugging SharePoint stuff for clients, and it is useful.
Until now we had never gone to Word to view the history – so to find out it does not work is concerning 🔥

In SharePoint we see:

✅ Figure: Good Example – In SharePoint the file history is complete

In Web version of Word we see:

❌ Figure: Bad Example – Web version of Word shows disabled AD users as “Unknown”

In Desktop versions of Word we see (Note we see more file history in the desktop version too):

❌ Figure: Bad Example – The Desktop version of Word shows old users as “Unknown”

Allow me to open in desktop app

When creating a new document directly in Microsoft Teams, Teams always opens the web version of the Office app that you are asking for (e.g. Word).

Please add a checkbox for Teams for open in Desktop App instead.

Figure: Open in Desktop App checkbox here

Note: It even ignores the setting in Teams to always open in the Desktop app:

Figure: Teams ignores its own setting “Open in Desktop App” when creating a new file

Help me have a consistent experience between the Windows version and the Teams version

This is the history from Microsoft:  

Some background on the tech stack and roadmap:

  • The first Whiteboard app we released was a Windows (UWP) app on an Azure back end. This is still the form factor with the richest feature set.
  • We later added the web app (Web + Teams) which we are gradually evolving. The web canvas will eventually be the single canvas that powers all apps.
  • In parallel, we are moving the back end to ODSP (OneDrive/SharePoint). This is the right platform to handle the required scale, compliance, and sharing capabilities.
  • At the end of this transition period all clients (Teams, Web, Windows, iOS, Android, Surface Hub) will run on a single version of the web canvas to support collab scenarios across all devices.

That transition is complex because we need to build up capabilities on the web app to the level of the Windows client (and beyond), while transitioning the back end, and while also supporting cross-device collaboration sessions across different app versions (e.g. Windows and web) and back-ends.