Pluralsight Course Overview

Robotic Process Automation (RPA) has been a top tech trend over the last few years, and we are seeing great interest in augmenting RPA with Artificial Intelligence (AI) to make automation more resilient. While Power Automate (previously called Flow) has been around for a while, RPA capabilities have been a recent addition, allowing you to automate all repetitive desktop processes. You can choose between prebuilt drag-and-drop actions or record your own desktop flows.

In this course, Intelligent Automation: RPA and Beyond with Power Automate, you will learn the skills you need to work effectively with Power Automate Desktop Flows and AI Builder.

  1. First, you will see why intelligent automation with RPA and AI matters.
  2. Next, you’ll explore Power Automate capabilities.
  3. Finally, you will walk through the end-to-end example of an intelligent automation reference solution.

When you’re finished with this course, you will have the skills and knowledge necessary to use Power Automate to streamline desktop tasks for your organization.

View the course, Intelligent Automation: RPA and Beyond with Power Automate, on Pluralsight.


About the Author

This course was authored by Vishwas Lele from AIS.

Vishwas would like to give a special thank you to AIS colleagues – Sanjeev Bhutt and Himani Talesara – for their assistance with this course.


Cloud application development has grown to the point that enterprise mobility and security solutions to manage people, devices, apps, and data have become essential for organizations of all sizes. Additionally, the pandemic has pushed businesses to offer more remote working options, with employees using personal or company-owned devices. Enterprise mobility management and security solutions will therefore have a long-term impact in the future.

Governance and compliance regulations are the biggest challenges when choosing a suitable and sturdy solution. This is where Microsoft’s Enterprise Mobility and Security solution comes in, transforming workloads with identity and access management, endpoint management, information protection, and security through various Microsoft 365 policy configurations. This article explains how these policies are organized within the Enterprise Mobility and Security solution.

Microsoft 365 policies are continuously evolving to protect organization resources such as devices, apps, identities, and data. I categorize these policies into three significant blocks and refer to them as a whole as Microsoft 365 Policies Framework – MSPC. Let us walk through the unique features of all these components.

[Figure 1: MSPC]

Management

The Management aspect of the Enterprise Mobility and Security solution gives users with Microsoft 365 licenses easy and secure access to devices and apps when collaborating with people inside or outside the organization, regardless of location or device type. It comes with a centralized place to secure, deploy, and manage all users, apps, and devices: Microsoft Endpoint Manager.
Microsoft Endpoint Manager is designed to help administrators use Configuration Manager and Intune together, in a cloud-only or hybrid setup, to manage devices and apps. This management process comes with Microsoft Intune, which includes Mobile Device Management (MDM) and Mobile Application Management (MAM) providers with different policies to configure and control devices and apps once they are enrolled. MDM controls employees’ corporate and personal devices, while MAM manages data and privacy within the apps on those devices.

[Figure: Microsoft Endpoint Manager]

MDM Policies

  1. Device Configuration Profiles: Device configuration profiles let you configure settings and push them to devices in your organization. Settings can be applied to devices or to users. Settings configured for a device stay with the device, regardless of who is signed in; settings configured for a user follow the user to whichever device they sign into.
  2. Device Compliance Policies: A compliance policy provides rules and settings that users and devices must meet to comply with organization standards, such as the OS platform or security features of the device. When a compliance policy is deployed to a user, all of the user’s devices are checked for compliance. As an administrator, you can notify the user of a non-compliant device or remotely lock or retire it.
  3. Device Conditional Access Policies: Conditional access policies enforce access requirements based on specific conditions such as an unfamiliar sign-in, the user or group, IP location, or the device platform. When these conditions match, the policy directs the user to perform an action such as changing their password or completing multi-factor authentication, or, as an administrator, you can block or grant access outright.

MAM Policies

  1. App Configuration Policy: App configuration policies publish configuration settings to iOS/iPadOS and Android apps. For example, as an administrator, you can set custom port numbers, language settings, security settings, and branding settings such as a company logo, so that users do not have to configure the application themselves.
  2. App Protection Policy: App protection policies apply to apps, such as desktop or mobile apps, on managed or unmanaged devices. They protect an organization’s data by making the app a managed app: rules are enforced when the user attempts to access or move “corporate” data, and a set of actions inside the app can be prohibited or monitored. For example, as an administrator, you can restrict copy-paste between certain apps or prevent printing of organization data.
  3. Office App Policy: Many policies are specific to Office apps; they are added to Microsoft Intune and applied to groups of end users. Examples include blocking add-ins in Excel, disabling shortcut keys in Word, clearing the cache on close, or even setting the hyperlink color in documents. Currently, there are 2093 policies available across multiple platforms for Office applications.


Security & Protection

“Security and Protection” is a crucial component of Microsoft 365 policies, configurable from portals such as Microsoft Security Center, Microsoft Cloud App Security, Microsoft Defender Security Center, Microsoft Defender for Identity, and the Azure portal. These portals help you detect, prevent, investigate, and respond to threats across endpoints, identities, email, and applications, providing integrated protection against sophisticated attacks.

[Figure: Security and Protection M365 Framework]

Microsoft Defender for Office 365

This is where you can see risky users, incident reports such as impossible-travel activity, your security score with recommended actions, and advanced custom queries for identifying breach activity against schemas such as generated alerts, apps, identities, devices, and threat activities. It safeguards the organization against malicious threats posed by email messages, links (URLs), and collaboration tools. You can also create the following threat protection policies:

  • Anti-malware policy: As an administrator, you can quarantine a message for your review if malware is detected in an attachment. You can also block attachment types in email that may harm the computer.
  • Anti-phishing policy: This policy configures anti-phishing protection for a specific group of users to counter impersonation-based attacks that try to steal sensitive information through email. As an administrator, you can configure the action taken when a malicious email is found, such as redirecting the message to decision-makers, quarantining it, or deleting it.
  • Safe Attachments policy: This adds an extra layer of security on top of Exchange Online Protection for inbound messages as well as files residing in SharePoint, OneDrive, and Teams. Using this policy, administrators can investigate malicious attachments or files that could destroy user data or steal information.
  • DomainKeys Identified Mail (DKIM): This configuration helps protect both senders and recipients against attackers forging email in transit.

Further, you can also configure the 29 default alert policies, which help identify Exchange admin permission abuse, malware activity, potential external and internal threats, and information governance risks.

Microsoft Cloud App Security (MCAS)

The Cloud App Security portal is a comprehensive solution for investigating on-premises logs and cloud content such as files and user accounts. It provides rich visibility and control over data, and sophisticated analytics to identify and resolve cyber threats across all cloud services. All Office 365 usage logs are ingested into Cloud App Security for better visibility and alert configuration; which Office 365 usage activities are available depends on the conditional access and app configuration in Cloud App Security. At present, there are 75 built-in configurable alert policies that send email notifications to specified users on suspicious activities. You can also investigate security configuration gaps across multi-cloud platforms such as AWS, Azure, and Google. In the CAS portal, you can view recommended actions to improve the identity security posture, for example, stopping clear-text credential exposure. Additionally, as an administrator, you can create the following policies:

  1. Access policy: Generates an alert or grants access based on a match of certain devices, apps, or users.
  2. Activity policy: Notifies the concerned user on mass downloads, multiple failed logons, or logon from a risky machine or browser. It also lets you create an alert based on any usage activity that occurs in Microsoft 365. For example, notify decision-makers by configuring an alert in an Activity policy for when a DLP policy in Power Platform has changed.
  3. App discovery policy: Generates alerts when new apps are discovered in your organization.
  4. Cloud discovery anomaly detection policy: Creates an alert based on compliance, security, or general risk factors such as HIPAA, ISO 27001, data center, domain, GDPR, etc. Unusual increases in cloud application usage (downloaded data, uploaded data, transactions, and users) are considered for each cloud application. For example, trigger an alert for the top three suspicious activities per 2,000 users per week.
  5. File policy: Generates an alert if a file is shared with a personal email or an unauthorized domain. Based on this alert, the administrator can remove a user, apply a protection label, or put the user in quarantine.
  6. OAuth app policy: Generates an alert if an app matches specific permission levels or permission requests. As an administrator, you can also revoke permissions for the app and the user who authorized it. For example, you can be alerted automatically when an app requires a high permission level and has been authorized by more than 30 users.
  7. Session policy: Provides real-time monitoring and control over user activity in cloud apps. For example, as an administrator, you can create a session policy to monitor Power BI activities.

Microsoft Defender for Endpoint (MDE)

Microsoft Defender for Endpoint is a complete solution to help enterprise networks monitor and respond to threat activity. It continuously discovers threats, detects vulnerabilities, and suggests remediation. It provides the security configuration posture of the organization’s devices across OS, applications, network, accounts, and security controls. These activities are observed via the sensor installed in the domain controller. You can view a dashboard that summarizes threat activity, such as the latest and most impactful threats and their impact across the organization.

With Microsoft Defender for Endpoint, as an administrator, you can assess the impact on your organization and review its security resilience and posture, for example through charts that show how resilient your organization is against a given threat. It also suggests recommended actions that can increase your organizational resilience against the threat and, eventually, improve your security posture.

Microsoft Defender for Identity (MDI)

Microsoft Defender for Identity is one of the Microsoft Defender suite components; it is used to detect and investigate advanced threats, compromised user accounts, and malicious insider actions directed at the organization, based on on-premises Active Directory activity.

MDI monitors and analyzes user activities and information across the enterprise network. It learns about user behavior by identifying user permissions and detects suspicious activities to provide deep insights. It helps reveal the advanced threat activities, compromised user accounts, and insider threats facing your organization. It also helps detect hybrid attacks on ADFS.

Azure Portal for Identity Protection

The Azure portal allows configuring Identity Protection policies that help automate the detection and remediation of identity-based risks such as leaked credentials, authentication by a different user, or unfamiliar activities such as access from an anonymous IP address, impossible travel, etc. Administrators can configure the following default policies.

  1. Azure AD MFA registration policy: This policy acts as a self-remediation method for risk events within Identity Protection. The user is prompted during sign-in for an additional form of identification, such as entering a code from their cellphone or providing a fingerprint scan. It is also used to roll out Azure AD Multi-Factor Authentication (MFA) via a Conditional Access policy.
  2. Sign-in risk policy: This policy blocks or allows access, or allows access but requires multi-factor authentication, based on the user risk level. The risk level is analyzed for each sign-in, both in real time and offline. It is based on the sign-in activity only and analyzes the probability that the sign-in was not performed by the user.
  3. User risk policy: This policy blocks or allows access, or allows access but requires a password reset, based on the user risk level. The risk level is analyzed for each sign-in, both in real time and offline. It estimates the probability that a user account has been compromised by detecting risk events that are atypical of the user’s behavior.


Compliance

Microsoft Compliance Manager helps manage risks and protect data by aligning with industry standards. It also provides visibility into the current enterprise compliance posture and suggests actions to improve it. It is mainly used to classify and protect sensitive information, and it generates alerts if compliance issues are detected. You can enable auditing for all Microsoft 365 workloads. There are three central policies that you can configure from Compliance Manager:

[Figure: M365 Policies Framework Compliance]

  1. Data loss prevention policy: A DLP policy for Microsoft 365 workloads helps identify and protect the organization’s sensitive information. For example, as an administrator, you may want to prevent users from sending email messages that contain credit card numbers or sensitive information about projects or the business.
  2. Retention policy: With data increasing every day, governing data is a crucial task to comply with industry regulations and internal policies, reduce the impact of a security breach, and improve productivity. As an administrator, you can retain content forever or for a specified time, or delete content after a specified time, by creating a retention policy.
  3. Audit log alert policy: As an administrator, you can create alerts based on user activities that match the alert policy’s conditions. For example, you can create an alert for when a user modifies the Power Platform’s DLP policy. There are 500+ activities on which you can generate an alert and notify the respective users.


In essence, Enterprise Mobility and Security is a foundation for keeping organization assets safe, whether in the cloud, on-premises, or in a hybrid setup. Properly setting up this ecosystem of policies requires a driven mindset and a strong command of the different tools and features. I hope this article helps spark more ideas and interest in building a deeper understanding of the mobility and security aspects, ultimately leading to a more robust security posture.

To get started with Microsoft Mobility and Security learning, I suggest subscribing to the Microsoft 365 Development program and building the test environment to configure various Mobility and Security scenarios via Microsoft 365 policies. This would also provide experience towards earning “Microsoft 365 Certified Enterprise Administrator” certification. See the links below to get started:

Step 1:

Step 2:

Step 3:

Step 4:

Now available as a Visual Studio Code extension, Microsoft Edge Developer Tools lets you inspect network activity, view layout, and styling changes, and see runtime HTML, all without leaving VS Code. What prompted the Microsoft Edge Team to develop these tools? In their words:

Continuously switching between editor and browser adds cognitive load to your workflow throughout the day. You change from one environment to another – from development to debugging mode – and you need to switch back. That feedback is what prompted us to explore embedding the developer tools into an extension, thus allowing you to see what your code generates and debug it without leaving your “development” mindset. – Microsoft Blog

Do you want to take the leap and leave your traditional browser behind for good? Here are a few simple steps to help you get started with Microsoft Edge Developer Tools.

Step 1: Install the Microsoft Edge Browser

If you don’t already have the Microsoft Edge browser installed, you will need to install it. You can download the latest version here: Microsoft Edge.

Step 2: Install the Microsoft Edge Tools Extension

Open Visual Studio Code and click on the Extensions icon on the left to load the Extensions view.
Enter “Microsoft Edge” in the search box at the top, then click on “Microsoft Edge Tools…” to pull up the “Microsoft Edge Tools for VS Code” extension in the main window. Click “Install” to install the extension.

[Screenshot: Install Microsoft Edge Tools Extension]

Step 3: Choose Full-browser or Headless Mode and Enable the Network Panel

  • Full-browser Mode
    You can operate MS Edge Tools in two different modes, full-browser or headless. In full-browser mode, which is the default, the extension launches a new browser window to view your web application, and it updates automatically when you change your code. It also creates a smaller, mirrored browser window within VS Code that you may close if you wish, although you then lose the convenience of having your browser window right next to your HTML. Full-browser mode is a good choice if your screen is small or you want to view your app at full screen. To use full-browser mode, do nothing.
  • Headless Mode
    If you would prefer to use only the browser window within VS Code and not have a new window pop up every time, choose the headless mode. This is the most seamless option. To enable headless mode, click on the small gear-shaped icon at the lower right of “Microsoft Edge Tools…”, click on “Extension Settings” in the dropdown, then check “Headless.”
  • Network Panel
    The network panel is another excellent function of Microsoft Edge Tools that adds a tab for viewing your app’s network traffic. In headless mode, enable the network panel by also checking the “Enable Network” box. If you wish to use the network panel with full-browser mode, leave the “Headless” box unchecked.

Important: after you have enabled headless mode or the network panel, close VS Code and reopen it to apply your changes.

[Screenshot: Microsoft Edge Tools settings]

Step 4: Connect MS Edge to your Web Application

This step requires that you are serving your web application from a local web server and have a URL for that server, for example, “http://localhost:4200”. After you’ve made your changes from step 3 and relaunched Visual Studio Code, open your project folder. Click on the “Microsoft Edge Tools” icon on the left, then click on the plus sign next to “MICROSOFT EDGE …” at the top. If you have chosen “headless” browser mode, you’ll see an “Edge DevTools” window appear in VS Code. Enter your URL in that window (where it says “about:blank”).

If you have chosen the default full-browser mode, clicking the plus sign opens a new browser window, and you should enter your URL in that browser window.

You will also see a browser window appear within VS Code; any change you make will be mirrored in the external browser window and vice versa. You may close the browser window within VS Code if you do not want it or if your screen size is too small to support it.

[Screenshot: Start Development and Debugging]

Conclusion

That’s it! You are now ready to start doing your development and debugging in one harmonious environment. To learn more about making the most of Microsoft Edge Developer Tools for VS Code, visit the extension documentation. It’s a great place to start.

In a previous article, I wrote about the Key Vault FlexVolume driver for Kubernetes. I demonstrated how to use it to mount an HTTPS certificate from Azure Key Vault onto Kubernetes pods. Since then, the FlexVolume driver has been deprecated in favor of the Container Storage Interface (CSI) secrets store driver and Azure Key Vault provider.

The CSI Standard

The Container Storage Interface (CSI) is the latest evolution in storage plugins for Kubernetes. It is defined by a standard design to overcome the shortcomings of the FlexVolume plugin. It is an “out of tree” plugin, meaning that it is decoupled from Kubernetes so that CSI drivers can be developed and versioned separately from Kubernetes.

The Secrets Store CSI Driver

This driver’s design is a “secrets driver + provider” model where the secrets store CSI driver provides the implementation for mounting a volume and delivering secrets to pods. Providers implement access to a particular secrets store. Currently, supported providers include:

  • Azure Key Vault
  • HashiCorp Vault
  • Google Secret Manager

Multiple providers can run in the same cluster simultaneously.

Besides mounting secrets to a pod volume, this driver can optionally sync secrets from the secret store into Kubernetes secrets. This is useful when, instead of terminating TLS at the pod level, you are using an ingress controller such as NGINX that requires the HTTPS certificate to be a Kubernetes secret. Here is an example of using the Azure provider for this case.

The SecretProviderClass Resource

With the FlexVolume driver for Key Vault, all the Key Vault and secret settings were declared in the YAML defining the volume mount in a deployment.

The Secret Store CSI Driver uses a custom Kubernetes resource called a SecretProviderClass to define the secret store and secret mount settings. Then the volume mount definition refers to the SecretProviderClass name. This results in a much cleaner deployment YAML and a decoupling of the secrets provider configuration from a particular volume mount.

Installing with Helm

Installing the Secrets Store CSI Driver and Azure provider is straightforward with the Helm package manager and the provided Helm charts. This installs the driver as a Kubernetes daemonset that will be available on all nodes so that any pods can utilize it in the cluster.

Mounting a Certificate for HTTPS

In addition to secrets such as passwords and API keys, Azure Key Vault can securely store and provide private key certificates such as those used for HTTPS. As we demonstrated with the FlexVolume driver for Key Vault, we can mount a certificate to our pods and use it to bootstrap Kestrel in ASP.NET Core for HTTPS.
Let’s look at how we would do the same thing with the CSI Secrets Store Driver and Azure provider. You can see the full working example in the aks-csi-keyvault-certs GitHub repo and find more detailed instructions in its README.

First, we create our SecretProviderClass resource definition:

apiVersion: secrets-store.csi.x-k8s.io/v1alpha1
kind: SecretProviderClass
metadata:
  name: azure-kvname
spec:
  provider: azure
  parameters:
    tenantId: "[*** YOUR KEY VAULT TENANT ID ***]"
    keyvaultName: "[*** YOUR KEY VAULT NAME ***]"
    objects:  |
      array:
        - |
          objectName: aks-https
          objectAlias: https.pfx.base64
          objectType: secret        # object types: secret, key or cert
          objectFormat: pfx         # for .NET Core 3.1 we want the PFX format
          objectVersion: ""         # [OPTIONAL] object versions, default to latest if empty

We name our class azure-kvname, which we will use in our volume definition. In the objects property, we can define 1-N secrets to be mounted as files on the volume. In this case, our secret has these properties:

objectName: The name of the certificate in Key Vault.
objectAlias: The file name used on the volume.
objectType: We use “secret”, which gives us the certificate together with its private key.
objectFormat: Even if we have stored the certificate in Key Vault as a PFX, the Azure CSI provider converts it to PEM format by default. .NET Core 3.1 does not support PEM out of the box, so setting this to “pfx” ensures we get a PFX.

In our Kubernetes Deployment YAML, we then define our volume like so:

      volumes:
      - name: aks-keyvault-aspnetcore-httpscert
        csi:
          driver: secrets-store.csi.k8s.io
          readOnly: true
          volumeAttributes:
            secretProviderClass: "azure-kvname"
          nodePublishSecretRef:
            name: kvcreds

In this demo, we use an Azure Active Directory service principal to authenticate to Key Vault, whose credentials are stored as a Kubernetes secret. The nodePublishSecretRef option provides the name of the Kubernetes secret containing these credentials.

Then in our deployment YAML, we define the volume mount for our pods:

        volumeMounts:
        - name: aks-keyvault-aspnetcore-httpscert
          mountPath: /certs
          readOnly: true

Given our volume mountPath and the objectAlias in our SecretProviderClass, the certificate will be available in our pods using the path /certs/https.pfx.base64.
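As an added example, not code from the aks-csi-keyvault-certs repo, here is how a .NET Core 3.1 Program.cs could read that mounted file and hand the certificate to Kestrel. The port number, the start-up sanity checks, and the hello-world response are this example’s own choices; the file path follows from the mountPath and objectAlias above.

```csharp
using System;
using System.IO;
using System.Security.Cryptography.X509Certificates;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Hosting;
using Microsoft.AspNetCore.Http;
using Microsoft.Extensions.Hosting;

namespace KeyVaultCertsDemo
{
    public static class Program
    {
        // mountPath (/certs) + objectAlias (https.pfx.base64) from the YAML above.
        private const string CertPath = "/certs/https.pfx.base64";

        public static void Main(string[] args)
        {
            Host.CreateDefaultBuilder(args)
                .ConfigureWebHostDefaults(webBuilder =>
                {
                    webBuilder.ConfigureKestrel(kestrel =>
                    {
                        var cert = LoadMountedCertificate(CertPath);
                        // Port 5001 is this example's choice; a non-root container cannot bind 443.
                        kestrel.ListenAnyIP(5001, listen => listen.UseHttps(cert));
                    });
                    webBuilder.Configure(app =>
                        app.Run(ctx => ctx.Response.WriteAsync("Hello over HTTPS from Key Vault")));
                })
                .Build()
                .Run();
        }

        // Reads the file the CSI driver mounted and turns it into a certificate with a private key.
        public static X509Certificate2 LoadMountedCertificate(string path)
        {
            if (!File.Exists(path))
                throw new FileNotFoundException(
                    $"No certificate at {path}. Check the volume, mountPath and objectAlias.", path);

            // With objectType: secret and objectFormat: pfx, the Azure provider writes the Key Vault
            // secret value as-is: the PFX bytes, base64 encoded (hence the .base64 suffix).
            var base64 = File.ReadAllText(path).Trim();
            var pfxBytes = Convert.FromBase64String(base64);

            // Key Vault exports the PFX without a password.
            var cert = new X509Certificate2(pfxBytes);

            // Fail fast at start-up rather than at the first TLS handshake.
            if (!cert.HasPrivateKey)
                throw new InvalidOperationException(
                    $"Certificate at {path} has no private key; objectType must be 'secret', not 'cert'.");

            var now = DateTime.UtcNow;
            if (now < cert.NotBefore.ToUniversalTime() || now > cert.NotAfter.ToUniversalTime())
                throw new InvalidOperationException(
                    $"Certificate at {path} is not valid at {now:u} " +
                    $"(valid from {cert.NotBefore:u} to {cert.NotAfter:u}).");

            return cert;
        }
    }
}
```

Because the checks run inside ConfigureKestrel, a missing or expired certificate makes the pod fail at start-up, where a readiness probe and the pod logs surface it, instead of serving broken TLS.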

Keeping Secrets

The Secrets Store CSI Driver and Azure Key Vault provider for Kubernetes are a great way to deliver secrets to your containerized applications. If you are currently using the FlexVolume driver for Azure Key Vault, you should strongly consider updating to the CSI driver to take advantage of the latest innovations and features it provides.