How to automate IT governance compliance audits and reduce the high energy/cost of traditional training and oversight methods of monitoring and managing compliance.
2. Tulsa TechFest 2016 | Fri, Aug 5th, 2016 | OSU - Tulsa | 70+ Speakers, 20+ Tracks & 85+ Sessions!
Low Cost Governance with
Microsoft Online Services
LOW COST, RICH CAPABILITY & RESOURCE INVESTED
BY SCOTT MITCHELL
Session Objectives and Takeaways
• Demonstrate how to use automation for applying IT/Information Governance
• Discover the features and capabilities of Azure Automation
• Illustrate the power of data driven automation using XML & PowerShell
• Perform CRUD operations on SharePoint Data using the REST API
• Give a working demo!
And… My main objective is to
• Inspire you to create solutions based on these ideas
Current State Problem Statements
• Training programs are ineffective at driving policy compliance. People do not remember and abide by policies without continued awareness updates and retraining.
• There is no immediate feedback when policies are inadvertently violated.
• Tools that monitor and include end-user communication and awareness features are expensive and require more IT energy to operate.
• Tools that apply controls are not flexible when exceptions are necessary, and systems become brittle and hard to extend.
Test Policy for Demonstration Purposes
ESTABLISHED POLICY: PROJECT SITES ARE NOT TO HAVE SUBSITES
Policy Definition (per PMO Office): Project sites should not be structurally modified, such as renaming the status list or document library or adding subsites. Project sites have end-user training and processes paired with the site itself that break down if process-related or project-related material is buried in subsites.
Policy Link: https://stmtrial01.sharepoint.com/sites/it/_layouts/15/osssearchresults.aspx?k=project%20site%20integrity
Exception Notice: Site Owners are notified of noncompliance
Remediation Steps: Site owner is tasked to place content in its original locations and remove subsites.
• PMO claims that their business processes break down often when PMs alter site structures.
• IT does not have the ability to configure granular controls to manage this policy through permissions.
• Training is costly and not effective.
• By the time problems are detected, rollups and planning metrics have already gone off track.
Solution Overview
SharePoint Lists
- InformationSourceData [List]
  - SourceMetadata
  - SourceMetrics
- Policy Rules [List]
  - Expressions: ($sourcedata.variable -operator 'value')
- IT Department/Policies Pages
  - Policy Details
  - search?policypages=policy title
Automation Assets
- Check-SitePolicies [RunBook]
  > For Each Site in SiteCatalog
  > Process All Site PolicyExpressions
  > Send Exception Message
- Update-SourceData [RunBook]
  For All Sites: Create/Update Site Details, then Invoke Check-SitePolicies
  Schedule: TwiceDaily_1100Hrs
Communication
- Owner Mailbox
  - Policy Exception Notices (Policy Title, SourceLink)
- Policy Log Mailbox
  - Copy of all notices
Setup and Configuration
• Add SharePoint PowerShell support to the Azure Automation runbook
• Download the SharePoint Online Management Shell
  • https://www.microsoft.com/en-us/download/details.aspx?id=35588
• Next, place it in a ZIP file and upload it to your runbook Assets
  • All client and runtime libraries are included
  • All assemblies are loaded automatically, so there is no need to add the types
Azure Automation
• Runbook Assets are available at runtime, including uploaded modules
• Initializing for runtime helps so that you can run the same scripts locally
• Schedules, logs and source control are all available and easy to use
$spurl  = 'https://stmtrial01-admin.sharepoint.com'
$spsite = 'https://stmtrial01.sharepoint.com'
if ($env:SESSIONNAME -eq 'Console') {
    # Interactive console session: prompt for credentials and use the locally installed module
    $creds = Get-Credential -UserName 'stmtrial01@stmtrial01.onmicrosoft.com' -Message 'Login'
    Import-Module Microsoft.Online.SharePoint.PowerShell
    $path = (Get-Module Microsoft.Online.SharePoint.PowerShell).ModuleBase
    #[Void][System.Reflection.Assembly]::LoadFrom("$path/Microsoft.SharePoint.Client.dll")
    #[Void][System.Reflection.Assembly]::LoadFrom("$path/Microsoft.SharePoint.Client.Runtime.dll")
    Connect-SPOService -Url $spurl -Credential $creds
    $credential = New-Object Microsoft.SharePoint.Client.SharePointOnlineCredentials($creds.UserName, $creds.Password)
}
else {
    # Azure Automation sandbox: read the stored credential asset; the uploaded module is already loaded
    $creds = Get-AutomationPSCredential -Name 'stmtrial'
    Connect-SPOService -Url $spurl -Credential $creds
    $credential = New-Object Microsoft.SharePoint.Client.SharePointOnlineCredentials($creds.UserName, $creds.Password)
}
Azure Automation
What can runbooks automate?
Runbooks in Azure Automation are based on Windows PowerShell or Windows PowerShell Workflow, so they do anything that PowerShell can do. If an application or service has an API, then a runbook can work with it. If you have a PowerShell module for the application, then you can load that module into Azure Automation and include those cmdlets in your runbook. Azure Automation runbooks run in the Azure cloud and can access any cloud resources or external resources that can be accessed from the cloud. Using Hybrid Runbook Worker, runbooks can run in your local data center to manage local resources.
From - https://azure.microsoft.com/en-us/documentation/articles/automation-intro/
PowerShell Mapping Fields and Insert/Updating Items
$sitesdata = [System.Xml.XmlDocument]::new()
$listitem = $sitesdata.CreateElement('listitem')
$listitem.SetAttribute('rootsitecollection', $CatalogSite)
$listitem.SetAttribute('listname', $CatalogListName)
$listitem.SetAttribute('keyfield', $CatalogKey)
[void]$sitesdata.AppendChild($listitem)
$fields = $sitesdata.CreateElement('fields')
[void]$sitesdata.SelectSingleNode('//listitem').AppendChild($fields)
foreach ($site in $sites)
{
    # Make sure the fields element is clear...
    $fields = $sitesdata.SelectSingleNode('//fields')
    $fields.RemoveAll()
    # Then add all relevant site fields...
    # Field names are case sensitive... Use matching case when mapping fields.
    $field = $sitesdata.CreateElement('field')
    $field.SetAttribute('name', 'Title')
    $field.SetAttribute('type', 'TEXT')
    $field.InnerText = $site.Url
    [void]$fields.AppendChild($field)
    . . .
    Set-SPOListItem -ListData $sitesdata -Credential $Credential
}
• Programmatically build an XML representation of a list item.
• This XML is passed to the Set-SPOListItem cmdlet, which makes it so.
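A worked example of what a cmdlet such as Set-SPOListItem has to do with that XML, added here and not code from the talk (Set-SPOListItem is the presenter's own cmdlet and its body is not shown in the deck): the function below maps the <listitem> document to the parts of a SharePoint REST call, converting each field by its declared type, choosing insert or MERGE update, and escaping the OData literals so a key value containing a quote cannot break the $filter. The field type names, the tenant.example host, the assumed 'SP.Data.<ListName>ListItem' entity type and the sample data are assumptions, not values from the deck.

```powershell
# Added example (not code from the talk): turn the <listitem> XML the slide builds into the pieces of a
# SharePoint REST request. Field type names, the tenant.example host and the sample data are assumptions.
function ConvertTo-SPORestRequest {
    param(
        [Parameter(Mandatory)][xml]$ListData,
        [int]$ExistingItemId = 0          # 0 = insert a new item, otherwise MERGE onto that item id
    )
    $item     = $ListData.SelectSingleNode('//listitem')
    $root     = $item.GetAttribute('rootsitecollection').TrimEnd('/')
    $listName = $item.GetAttribute('listname')
    $keyField = $item.GetAttribute('keyfield')

    # SharePoint's REST entity type for a list item follows the 'SP.Data.<ListName>ListItem' pattern;
    # assumed here for a plain list name without spaces or special characters (which SharePoint encodes).
    $payload = [ordered]@{ '__metadata' = @{ type = "SP.Data.${listName}ListItem" } }
    foreach ($f in $item.SelectNodes('fields/field')) {
        $name = $f.GetAttribute('name')
        $raw  = $f.InnerText
        # Convert by declared type; an unknown type is an error, not a silently passed-through string
        $payload[$name] = switch ($f.GetAttribute('type').ToUpperInvariant()) {
            'TEXT'     { [string]$raw }
            'NUMBER'   { [double]$raw }
            'BOOLEAN'  { [System.Convert]::ToBoolean($raw) }
            'DATETIME' { ([datetime]$raw).ToUniversalTime().ToString('o') }
            default    { throw "Unsupported field type '$($f.GetAttribute('type'))' on field '$name'" }
        }
    }

    # OData string literals escape a single quote by doubling it; apply that to the list name and the key
    # value so a value such as O'Brien cannot break out of the literal in getbytitle(...) or $filter
    $listLiteral = $listName.Replace("'", "''")
    $keyLiteral  = ([string]$payload[$keyField]).Replace("'", "''")
    $itemsUrl    = "$root/_api/web/lists/getbytitle('$listLiteral')/items"
    $headers     = @{ Accept = 'application/json;odata=verbose' }
    if ($ExistingItemId -gt 0) {
        $headers['X-HTTP-Method'] = 'MERGE'   # update the existing item in place
        $headers['IF-MATCH']      = '*'       # do not condition the update on the item's etag
        $uri = "$itemsUrl($ExistingItemId)"
    } else {
        $uri = $itemsUrl
    }
    [pscustomobject]@{
        Method      = 'POST'
        Uri         = $uri
        Headers     = $headers
        ContentType = 'application/json;odata=verbose'
        Body        = ($payload | ConvertTo-Json -Depth 3 -Compress)
        # Query that finds an existing item by the key field, for deciding insert vs. update
        LookupUri   = $itemsUrl + '?$select=Id&$filter=' + [uri]::EscapeDataString("$keyField eq '$keyLiteral'")
    }
}

# Constructed sample in the same shape the slide's loop produces (tenant.example is a placeholder host)
[xml]$sampleListData = @"
<listitem rootsitecollection="https://tenant.example/sites/it" listname="SiteCatalog" keyfield="Title">
  <fields>
    <field name="Title" type="TEXT">https://tenant.example/sites/mkt</field>
    <field name="SubsiteCount" type="NUMBER">2</field>
    <field name="SharingEnabled" type="BOOLEAN">true</field>
    <field name="LastAudit" type="DATETIME">2016-08-05T11:00:00</field>
  </fields>
</listitem>
"@
$insert = ConvertTo-SPORestRequest -ListData $sampleListData
$update = ConvertTo-SPORestRequest -ListData $sampleListData -ExistingItemId 42
$insert, $update | Format-List Method, Uri, Headers, Body, LookupUri
# Sending needs the form digest from "$root/_api/contextinfo" as an X-RequestDigest header plus the
# authenticated session, e.g. Invoke-RestMethod -Method $insert.Method -Uri $insert.Uri -Headers $insert.Headers `
#   -ContentType $insert.ContentType -Body $insert.Body -WebSession $session
```

The function deliberately stops at building the request: authentication and the form digest depend on how the runbook signed in, so the caller supplies the session. Running the LookupUri first and passing the returned Id as -ExistingItemId gives the upsert behaviour the slide's keyfield attribute implies.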
Dynamic Script Evaluating Policy Rules
foreach ($sitestatus in $SiteStatus.results.GetEnumerator()) {
    $notices = @()
    # Process all policy rules
    foreach ($policy in $Policies.results.GetEnumerator()) {
        # The expression text comes straight from the Policy Rules list and is compiled as-is
        $sb = [ScriptBlock]::Create($policy.ExceptionExpression)
        $exception = $sb.Invoke()
        if ($exception) {
            $notice = New-Object System.Object
            $notice | Add-Member -MemberType NoteProperty -Name 'Owner'  -Value $sitestatus.Owner
            $notice | Add-Member -MemberType NoteProperty -Name 'Source' -Value $sitestatus.Title
            $notice | Add-Member -MemberType NoteProperty -Name 'Policy' -Value $policy.Title
            $notices += $notice
        }
    } # End For Each Policy
    if ($notices) {
        $body = ""
        foreach ($notice in $notices) {
            $PolicyTitle = $notice.Policy
            $Owner       = $notice.Owner
            $sourceref   = $notice.Source
            $body += @"
. . .
"@
        }
        # One message per site, sent after all of its notices have been appended to the body
        $fromAddress = 'IT@stmtrial01.onmicrosoft.com'
        $subject     = 'Automated Policy Exception Notice'
        $creds = Get-AutomationPSCredential -Name 'stmtrial'
        Send-MailMessage -To $Owner -From $fromAddress -Subject $subject -Body $body -UseSsl -Port 587 -SmtpServer 'smtp.office365.com' -Credential $creds -BodyAsHtml
    }
} # End For Each Site Status
# TODO : tokenize and validate expressions rather than accept any value from the outside.
# This is just a demo! I know the security guys are heating up right now because I just
# accepted foreign values in my code as dynamic script.
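One way to act on that TODO, added here as an example and not part of the talk: parse the expression with PowerShell's own parser and accept only the syntax a policy rule needs (parenthesised comparisons on $sitestatus properties, string and number literals, -and/-or/-not) before it is compiled. A rule row can still express ($sitestatus.sharing -ne 'Disabled'), but anyone who can edit the Policy Rules list can no longer run commands, call methods or read other variables through the runbook's credentials. The allowed property names, the tenant.example host and the sample record are assumptions.

```powershell
using namespace System.Management.Automation.Language

# Added example (not code from the talk): validate a policy expression against an allow-list of
# syntax before evaluating it. Property and variable names below are assumptions for the demo.
$AllowedNodeTypes = @(
    'ScriptBlockAst', 'NamedBlockAst', 'PipelineAst', 'CommandExpressionAst', 'ParenExpressionAst',
    'BinaryExpressionAst', 'UnaryExpressionAst', 'MemberExpressionAst', 'VariableExpressionAst',
    'StringConstantExpressionAst', 'ConstantExpressionAst'
)
$AllowedOperators = @(
    [TokenKind]::Ieq, [TokenKind]::Ine, [TokenKind]::Ilike, [TokenKind]::Inotlike,
    [TokenKind]::Igt, [TokenKind]::Ige, [TokenKind]::Ilt, [TokenKind]::Ile,
    [TokenKind]::Iin, [TokenKind]::Icontains, [TokenKind]::And, [TokenKind]::Or,
    [TokenKind]::Not, [TokenKind]::Exclaim
)
$AllowedVariables  = @('sitestatus', 'true', 'false', 'null')
$AllowedProperties = @('Title', 'Url', 'Owner', 'Template', 'Sharing', 'SubsiteCount')   # assumed columns

function Test-PolicyExpression {
    # Returns $null when the expression is acceptable, otherwise a string describing the first problem
    param([Parameter(Mandatory)][string]$Expression)
    $tokens = $null; $errors = $null
    $ast = [Parser]::ParseInput($Expression, [ref]$tokens, [ref]$errors)
    if ($errors -and $errors.Count -gt 0) { return "Parse error: $($errors[0].Message)" }
    foreach ($node in $ast.FindAll({ $true }, $true)) {
        $kind = $node.GetType().Name
        # Exact type names matter: InvokeMemberExpressionAst (a method call) derives from
        # MemberExpressionAst and must not pass as one; CommandAst, SubExpressionAst and
        # AssignmentStatementAst are simply never listed
        if ($kind -notin $AllowedNodeTypes) { return "Disallowed syntax '$($node.Extent.Text)' ($kind)" }
        switch ($kind) {
            'BinaryExpressionAst'   { if ($node.Operator  -notin $AllowedOperators) { return "Disallowed operator $($node.Operator)" } }
            'UnaryExpressionAst'    { if ($node.TokenKind -notin $AllowedOperators) { return "Disallowed operator $($node.TokenKind)" } }
            'VariableExpressionAst' { if ($node.VariablePath.UserPath -notin $AllowedVariables) { return "Disallowed variable $($node.Extent.Text)" } }
            'MemberExpressionAst'   {
                if ($node.Expression -isnot [VariableExpressionAst] -or $node.Member -isnot [StringConstantExpressionAst]) {
                    return "Disallowed member access $($node.Extent.Text)"
                }
                if ($node.Member.Value -notin $AllowedProperties) { return "Disallowed property $($node.Member.Value)" }
            }
        }
    }
    return $null
}

function Invoke-PolicyExpression {
    # Evaluates a validated expression with $sitestatus bound to the given record; throws on rejection
    param([Parameter(Mandatory)][string]$Expression, [Parameter(Mandatory)]$SiteStatus)
    $problem = Test-PolicyExpression -Expression $Expression
    if ($problem) { throw "Rejected policy expression: $problem" }
    $vars = [System.Collections.Generic.List[psvariable]]::new()
    $vars.Add([psvariable]::new('sitestatus', $SiteStatus))
    $result = [ScriptBlock]::Create($Expression).InvokeWithContext($null, $vars)
    return [bool]($result | Select-Object -First 1)
}

# Constructed sample record and expressions (the first is the one from the demo slide)
$sample = [pscustomobject]@{
    Title = 'Marketing'; Url = 'https://tenant.example/sites/mkt'; Owner = 'owner@example.com'
    Template = 'BLANKINTERNET#0'; Sharing = 'ExternalUserSharingOnly'; SubsiteCount = 2
}
$expressions = @(
    '($sitestatus.sharing -ne ''Disabled'') -AND ($sitestatus.Template -like ''BLANKINTERNET#0'')',  # accepted, True
    '$sitestatus.SubsiteCount -gt 0',                                                                # accepted, True
    '$sitestatus.Title.ToUpper() -eq ''MARKETING''',                                                # method call: rejected
    '(Get-Date).Year -gt 2000'                                                                       # command: rejected
)
foreach ($expr in $expressions) {
    try   { '{0}  =>  exception={1}' -f $expr, (Invoke-PolicyExpression -Expression $expr -SiteStatus $sample) }
    catch { Write-Warning $_.Exception.Message }
}
```

Binding $sitestatus through InvokeWithContext instead of relying on the caller's scope also means the expression sees exactly one record and nothing else the runbook happens to have in variables, such as $creds.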
Loose Coupling – Search Based Policy Links
$body += @"
<h1>Automated Policy Audit Notice</h1>
Dear Information Owner,
<p/>Please review this notice and take corrective actions in an effort to comply with established electronic data policies.
<h2>Policy Detail</h2>
<blockquote>Policy Name: $policyTitle</blockquote>
<blockquote><a href='https://stmtrial01.sharepoint.com/sites/it/_layouts/15/osssearchresults.aspx?u=https%3A%2F%2Fstmtrial01%2Esharepoint%2Ecom%2Fsites%2Fit&k=$policyTitle'>Policy Details</a></blockquote>
<h3>Information Source</h3>
<blockquote><a href='$sourceref'>Information Source Link</a></blockquote>
<h3>Information Owner</h3>
<blockquote>$Owner</blockquote>
"@
Search-based policy link: 'https://stmtrial01.sharepoint.com/sites/it/_layouts/15/osssearchresults.aspx?u=https%3A%2F%2Fstmtrial01%2Esharepoint%2Ecom%2Fsites%2Fit&k=$policyTitle'
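The href above and the Policy Name line drop $policyTitle, $sourceref and $Owner into HTML and a query string unencoded, so a policy title containing & or < breaks the search link, and any value typed into the Policies list lands in the mail as markup. An added example (not the talk's code) of building the same body with each value encoded for where it lands: [uri]::EscapeDataString for the k= parameter and HtmlEncode for text and attribute values, with the source reference rendered as a link only when it is an absolute http(s) URL. The default search URL is the deck's demo tenant; the sample values are constructed.

```powershell
# Added example (not code from the talk): the notice body with every list-sourced value encoded.
function New-PolicyNoticeBody {
    param(
        [Parameter(Mandatory)][string]$PolicyTitle,
        [Parameter(Mandatory)][string]$SourceRef,
        [Parameter(Mandatory)][string]$Owner,
        # Defaults are the deck's demo tenant; pass your own search page and scope
        [string]$PolicySearchBase = 'https://stmtrial01.sharepoint.com/sites/it/_layouts/15/osssearchresults.aspx',
        [string]$PolicyScopeUrl   = 'https://stmtrial01.sharepoint.com/sites/it'
    )
    # Encode for an HTML text node or a quoted attribute value (& < > " ' become entities)
    $h = { param($s) [System.Net.WebUtility]::HtmlEncode([string]$s) }

    # Query-string values are percent-encoded, so a title with & or # stays inside the k= parameter
    $policyLink = $PolicySearchBase + '?u=' + [uri]::EscapeDataString($PolicyScopeUrl) +
                  '&k=' + [uri]::EscapeDataString($PolicyTitle)

    # Only an absolute http(s) reference becomes a clickable link; anything else is shown as text
    $sourceUri = $null
    $linkable  = [uri]::TryCreate($SourceRef, [System.UriKind]::Absolute, [ref]$sourceUri) -and
                 ($sourceUri.Scheme -in @('http', 'https'))
    $sourceHtml = if ($linkable) { "<a href='$(& $h $sourceUri.AbsoluteUri)'>Information Source Link</a>" }
                  else           { & $h $SourceRef }

    return @"
<h1>Automated Policy Audit Notice</h1>
Dear Information Owner,
<p/>Please review this notice and take corrective actions in an effort to comply with established electronic data policies.
<h2>Policy Detail</h2>
<blockquote>Policy Name: $(& $h $PolicyTitle)</blockquote>
<blockquote><a href='$(& $h $policyLink)'>Policy Details</a></blockquote>
<h3>Information Source</h3>
<blockquote>$sourceHtml</blockquote>
<h3>Information Owner</h3>
<blockquote>$(& $h $Owner)</blockquote>
"@
}

# Constructed sample values: the title contains characters that would break the raw template
New-PolicyNoticeBody -PolicyTitle "Project Sites & Subsites <v2>" `
                     -SourceRef 'https://tenant.example/sites/mkt' `
                     -Owner 'owner@example.com'
```

The function returns the HTML string, so it slots into the loop on the previous slide as $body += New-PolicyNoticeBody -PolicyTitle $PolicyTitle -SourceRef $sourceref -Owner $Owner, and the search-based loose coupling is unchanged: the k= parameter still carries the policy title, just percent-encoded.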
Solution Walkthrough and Demo
Azure Automation Job
https://portal.azure.com/
SharePoint Site
https://stmtrial01.sharepoint.com
Add a New Policy Expression
Add the SiteSharing Policy Exception to the Policy list: https://stmtrial01.sharepoint.com/Lists/Policies
Restricted Intranet Site Sharing
($sitestatus.sharing -ne 'Disabled') -AND ($sitestatus.Template -like 'BLANKINTERNET#0')
Rerun the compliance script and notice the new email sent to stmtrial01@stmtrial01.onmicrosoft.com (https://outlook.office.com)
Session Objectives and Takeaways
Session Recap
• Demonstrated a practical automated audit solution for modern IT
• Discovered the features and capabilities of Azure Automation
• Illustrated the power of data driven automation using XML & PowerShell
• Performed CRU operations on SharePoint Data using the REST API
And… now you are thinking…
I can replace all human contact
with a Site and an Automation Job
Additional Resources
Free Microsoft eBook: Azure Automation, by Michael McKeown
Don’t forget the Module Gallery. You may make requests.
Office Dev Center: https://msdn.microsoft.com/en-us/library/office/dn531433.aspx
Please Complete An Evaluation Form
Your input is important!
You can access Evaluation Forms at:
http://TulsaTechFest.com