Scenario:

If you need a distribution list in Exchange that includes both internal organization contacts and external contacts—without requiring external users to be invited as guest accounts—there’s a simple way to achieve this.

In Exchange Online, external contacts are referred to as Mail Contacts. These allow you to add external email addresses to your organization’s address book, making them available for inclusion in distribution lists. By leveraging Mail Contacts, you can create a fully functional distribution list that includes both internal users and external recipients while keeping everything manageable within Exchange.

Managing email distribution lists efficiently is crucial for organizations that need to communicate with both internal and external contacts. While Exchange Online allows us to create Mail Contacts programmatically using PowerShell scripts or the Exchange Online Management API, automating this process is key—especially when integrating it with Dynamics 365 Marketing Lists.

The Automation Challenge

In my case, I wanted to automatically add new contacts from a specific Dynamics 365 Marketing List to a corresponding Exchange Distribution List. Initially, I considered using Power Automate to invoke a PowerShell script, but that introduced additional complexities:

• Using Power Automate to trigger an Azure Automation Runbook
• Managing authentication and execution permissions
• Handling execution timing and monitoring

A More Efficient Approach: Logic Apps

Instead of relying on Power Automate, I found a better and more streamlined approach—using Azure Logic Apps. Unlike Power Automate, Logic Apps offer built-in functionality to create and execute Runbook Jobs directly within Azure Automation.

What This Blog Covers

In this post, I’ll walk you through:
Setting up an Azure Automation Account
Creating a Runbook to execute a PowerShell script that adds Mail Contacts
Using Azure Logic Apps to trigger the Runbook
Handling authentication across these services

By the end, you’ll have an end-to-end automation setup that seamlessly adds external contacts to Exchange Distribution Lists as soon as they join a Dynamics 365 Marketing List—without requiring manual intervention.

Let’s dive in!

Step 1: Set up the Azure Automation Account

1. Log in to Portal Azure https://portal.azure.com/ and in the search box, type Automation Accounts

2. Click on Create, Select your Subscription and Resource group, and type in the Automation Account Name

2. Then click the Advanced Tab, and on the Managed Identities, select User Assign; we will set up the User Managed Identity in the next steps.

3. Click Review and Create.

Step 2: Setup the User Managed Identity

A common challenge for developers is the management of secrets, credentials, certificates, and keys used to secure communication between services. Managed identities eliminate the need for developers to manage these credentials.

A common challenge for developers is the management of secrets, credentials, certificates, and keys used to secure communication between services. Managed identities eliminate the need for developers to manage these credentials.

While developers can securely store the secrets in Azure Key Vault, services need a way to access Azure Key Vault. Managed identities provide an automatically managed identity in Microsoft Entra ID for applications to use when connecting to resources that support Microsoft Entra authentication. Applications can use managed identities to obtain Microsoft Entra tokens without having to manage any credentials.

So Let’s see how to setup the account with the Required Permissions!

1. On the Search, Type Managed Identities

2. Click Create, Select the subscription, Resource group, and give it a name

3. Then Press Review and Create

4. Open the automation account that we have created in Step no. 1

5. Search for Identity, open the link, select user assigned, and click Add.

6. Add the managed identity that we have just created.

7. Next comes setting the Permissions for the Managed Identity, so go back and open the Managed Identity.

8. Go to Azure Role Assignments and add the Automation Contributor Role; this is required to enable the Logic app to execute the RunBook (we will be creating this in the next step) on the automation account.

9. Grant the Exchange.ManageAsApp API permission for the managed identity to call Exchange Online, Unfortunately, this step can’t be done through the Azure / Entra Portal, so we will be using Graphy API Explorer to achieve this.

Get the Managed Identity’s Object ID

Get Exchange Online Service Principal ID

Open Grap API Explorer, Login ,and run the below query and grap the Exchange online service Principal ID

Method: Get

https://graph.microsoft.com/v1.0/servicePrincipals?$filter=appId eq '00000002-0000-0ff1-ce00-000000000000'

Assign the Exchange.ManageAsApp Permission

Using Graph Explorer API again, use the below to assign the Exchange.ManageAsApp Permission

POST https://graph.microsoft.com/v1.0/servicePrincipals/{MANAGED_IDENTITY_OBJECT_ID}/appRoleAssignments
Authorization: Bearer YOUR_ACCESS_TOKEN
Content-Type: application/json

{
  "principalId": "{MANAGED_IDENTITY_OBJECT_ID}",
  "resourceId": "{EXCHANGE_ONLINE_SERVICE_PRINCIPAL_ID}",
  "appRoleId": "dc50a0fb-09a3-484d-be87-e023b12c6440"
}

10. Assign Microsoft Entra roles to the managed identity; you will need to assign the Exchange Administrator Role

In the Search type role and select Microsoft Entra Roles and administrators

11. Open Exchange Administrator Assignments and add the user Managed Identity by clicking the Add Assignments Button .. Global administrator privileges will be required for this.

Step 4: Import Exchange Management Modules

1. Open the Automation Account that we have created in step 1
2. Navigate to Shared Resources -> Modules
3. Click Add Module

4. Click Browse from gallery

1. Open the Automation Account
2. Navigate to Process Automation -> Runbooks
3. Search for PackageManagement and select and choose the Runtime Version 5.1

4. Repeat for Add PowerShellGet and choose Runtime Version 5.1

5. Repeat for ExchangeOnlineManagement and choose Runtime Version 5.1

Step 5: Create a runbook in Azure Automation

1. Open the Automation Account
2. Navigate to Process Automation -> Runbooks
3. Click on Create a runbook. Make sure you are using Runtime Version 5.1 because PowerShell works only for this Version

4. Open the Run Book and click Edit in Portal.

5. Paste the below Powershell Script that connects to exchange

//The below piece of code sets parameters on the run book so that when called from a logic app we can pass these parameters to the run book.
param (
    [string]$MailContactName,
    [string]$MailContactEmail,
    [string]$DistributionList
)
// Connects to Exchange online via the managed Identity that have been setup in step 3
Connect-ExchangeOnline -ManagedIdentity -Organization Organisationdomain.onmicrosoft.com -ManagedIdentityAccountId {Managed Account Identity ID}

//Creates a mail contact in Exchange
New-MailContact -Name $MailContactName -ExternalEmailAddress $MailContactEmail

//Add mail Contact to the Distribution List
Add-DistributionGroupMember -Identity $DistributionList -Member $MailContactEmail

6. After that Click Save and Publish

7. You can then test the runbook by clicking the Test Pane on the Edit in Portal Screen of the runbook, entering the parameters and clicking start.

Step 5: Create the Logic App

So the Logic app will be created in a schedule and can query any enterprise connector like dataverse and then call the runbook that has been created in Step 5

1. From the Azure Portal , Look for Logic Apps and click Add
2. Choose the Hosting Plan, and here you can select the Consumption plan

3. Select the subscription, the Resource Group and add the logic app name

4. Click Review and Create and then Create

5. On the created Logic app, search for Identity, Navigate to user assigned and add the Managed identity created in step 2

5. Navigate to the Logic app designer. On the Add Trigger step, choose schedule and set the recurrence schedule. Then, add Action and look for Create Job and select the one under Azure Automation

6. Set the Connection Name and Choose the Authentication Type as Logic Apps Managed Identity

7. Select the Subscription, Resource Group, Automation Account, Run book and pass the required Parameters

8. Save and test the Logic App

Resources:

https://learn.microsoft.com/en-us/entra/identity/managed-identities-azure-resources/overview

https://learn.microsoft.com/en-au/powershell/exchange/connect-exo-powershell-managed-identity?view=exchange-ps&WT.mc_id=M365-MVP-9501

Azure resources, like Azure Automation or Azure Virtual Machines, often need to have access to other resources. For example, when accessing the Azure AD from within a Runbook. To grant access, you usually need accounts, passwords, or certificates. But you don’t want to store this ... Read moreHow to use Azure Managed Identity

The post How to use Azure Managed Identity appeared first on LazyAdmin.

Quand on parle d’ebooks, il y a ceux qui détestent, préférant le contact du papier, et ceux qui sont convaincus et qui ne remplaceraient pour rien au monde leur Kindle ou autre liseuse. Pour ma part, je fais partie de la deuxième catégorie… n’ayant jamais autant lu de ma vie que depuis que j’ai un […]

L'article 5 sites pour trouver facilement des ebooks gratuits est apparu pour la première fois sur Byothe.fr.

Il existe parmi nous des personnes qui n’assument pas ou plus à 100% le profil Facebook. Photo de profil douteuse, souvenirs de soirées trop arrosées… En fonction des paramétrages de confidentialité que vous avez réglé sur votre compte, les gens qui ne sont pas vos amis, mais qui retrouvent votre profil Facebook sur Google peuvent […]

L'article Ne plus faire apparaître votre profil Facebook sur les moteurs de recherche est apparu pour la première fois sur Byothe.fr.

Ireland’s Data Protection Commission (DPC) has fined Meta a total of €390 million ($414 million) in a ruling against Facebook’s and Instagram’s use of targeted advertising. The ruling declared both subsidiaries’ method of furnishing user consent under its updated terms and service a violation of Article 6 of GDPR. The fines levied against Facebook and Instagram amount to €210 million ($225 million) and €180 million ($191 million), respectively. 

NOYB, a user privacy protection group, first lodged complaints against Meta’s subsidiaries in May 2018 — immediately after GDPR came into effect. Following this outcome, Meta and its subsidiaries won’t be able to rely on their terms of service as legal cover for obtaining user consent to process their information for personalized ads.

Authorities have repeatedly found Meta in violation of user privacy regulations in Europe, under the GDPR, and also in the US. Just last month, in the Cambridge Analytica settlement, authorities slapped Meta with a $725 million fine, the largest US data privacy class-action lawsuit ever.

The Basis for the $414 Million Fine against Meta

Article 6, under which this recent DPC ruling was made, allows data processing only when an entity complies with one of its six legal premises. In advance of the GDPR implementation in 2018, Meta — then Facebook — changed its terms of services. The company made consent to its processing of user information a precondition for its services. 

Arguing its case, representatives of Meta alluded to their terms of service as a legal contract. The “contract” allowed its subsidiaries to process customer data. However, the DPC disagreed and found it in violation of Article 6, and Articles 5 (1)(a), 12, and 13(1)(c) that concern data transparency. 

“In breach of its obligations in relation to transparency, information in relation to the legal basis relied on by Meta Ireland was not clearly outlined to users, with the result that users had insufficient clarity as to what processing operations were being carried out on their personal data, for what purpose(s), and by reference to which of the six legal bases identified in Article 6 of the GDPR,” read the DPC statement. 

Meta’s Subsidiaries Tried to Bypass GDPR

Max Schrems, who leads NOYB, claims that the prohibition of the use of personal data for targeted advertising is a win for individual privacy. According to NOYB, Meta hid the yes/no binary opt-in decision concerning targeted advertising in its terms and conditions. 

According to Schrems: “Instead of having a ‘yes/no’ option for personalized ads, they just moved the consent clause in the terms and conditions. This is not just unfair but clearly illegal. We are not aware of any other company that has tried to ignore the GDPR in such an arrogant way.”

Meta very nearly succeeded in its attempt to bypass GDPR as well. DPC’s original fine was €36 million. But when authorities referred the case to the European Data Protection Board (EDPB), it reversed DPC’s decision that Meta and its subsidiaries could use user information for targeted ad campaigns on a legal contract basis. Consequently, the fine was increased by over 1,000%, from €36 million to €390 million. 

Schrems has gone as far as to claim that the DPC colluded with Meta: “This case is about a simple legal question. Meta claims the ‘bypass’ happened with the DPC’s blessing. For years the DPC has dragged out the procedure and insisted that Meta may bypass the GDPR, but was now overruled by the other EU authorities. It is overall the fourth time in a row the Irish DPC got overruled.”

GDPR Affects More than Just Meta

The latest DPC fine puts Meta in a bind. It’ll be unable to operate, in the EU at least, under its current business model. This is especially the case because it’s also struggling to comply with the transatlantic data processing directives. EU authorities are tightening the screws on Big Tech companies. This is in an effort to rein them in and to ensure their compliance with the GDPR. 

Apple and Twitter have also recently found themselves in the line of fire. However, fines against Twitter are much less frequent and far lesser than those against Meta. Twitter is currently under a DPC investigation for a breach that could potentially affect 5.4 million users. Apple, meanwhile, has been fined $8 million by the French regulatory authority Commission Nationale de l’informatique et des Libertés (CNIL) for a non-consensual targeted ad campaign toward iOS 14.6 users. The authority leveled the fine under Article 82 of the French Data Protection Act. CNIL previously fined Google for a breach of the same article.

Small and medium-sized businesses are also subject to GDPR provisions, but these cases don’t make major news headlines. The enforcement tracker has a full list of GDPR cases. The tracker includes details such as entity name, fine amount, relevant GDPR provision, jurisdiction, decision date, and official press statement. 

To avoid GDPR fines, business owners should tread carefully when processing and using user data. In protecting user information, companies must ensure that their databases are secure. Implementing a combination of cybersecurity protocols, including powerful firewalls, multi-factor authentication, antivirus protection, malware scanners, email spam filters, and automated patch management, can help companies avoid violations. 

Implications for Big Tech 

For a long time, Big Tech has been operating above the law. This is even though its involvement in feeding deep analytics with user information is an open secret. All this seems to be changing, with the authorities, in Europe especially, calling for stricter GDPR compliance. These stricter user-privacy enforcement measures have led to Meta signaling its withdrawal from the EU. This is because its subsidiaries rely on the processing of user information to remain operational. 

Other social media and Big Tech platforms and companies also employ targeted advertising. Big Tech, with its use of sophisticated tracking and surveillance and cross-device, cross-platform monitoring, had eluded accountability for quite some time, with little transparency on how it uses user data. 

With GDPR and other directives curtailing Big Tech’s power and enforcing user privacy rights, the playing field is leveling. However, the dream of reclaiming user data and a more sovereign internet still seems distant. 

The post Irish DPC Fines Meta $414 Million for GDPR Violations concerning Targeted Ads appeared first on TechGenix.

Dernièrement Facebook a eu un incident majeur et a disparu du net pendant plusieurs heures.

Les réactions que cela a suscitées, dans la sphère technique, m’ont quelque peu surpris, donc nous allons parler dans ce billet des pannes chez les big tech.

Par big tech, j’entends ces boites que l’on pense bien trop grandes pour avoir le moindre incident visible de l’extérieur.

Facebook : Tu me vois, tu me vois plus !

Facebook a rencontré un incident réseau impressionnant et très simple en même temps. Une erreur de manipulation a conduit à la suppression des routes BGP vers Facebook.

Ce sont ces routes qui permettent d’indiquer à Internet comment arriver à Facebook.

L’incident peut sembler anodin, mais repropager des routes BGP peut prendre du temps, surtout pour une infrastructure de la taille de Facebook.

De manière visuelle, voici ce que ça a provoqué :

Visualization of Facebook withdrawing its ASN, made with https://t.co/REvbPepOHK and Yakety Sax. pic.twitter.com/aGVXOPtliu

— Steve Weis (@sweis) October 4, 2021

Point ayant empiré la situation : Facebook ayant perdu son réseau, il était nécessaire d’aller en datacenter pour accéder aux machines, datacenter qui était impossible d’accès vu qu’il nécessitait un accès réseau pour l’authentification.

C’est un point qui a été remonté par Facebook dans leur communiqué de presse :

We’ve done extensive work hardening our systems to prevent unauthorized access, and it was interesting to see how that hardening slowed us down as we tried to recover from an outage caused not by malicious activity, but an error of our own making.

AWS : Une erreur de configuration Kinesis plonge Internet dans le noir

J’en avais parlé sur ce blog à l’époque, AWS a rencontré en fin d’année dernière un incident majeur, suite à l’ajout de stockage sur leur moteur Kinesis, pour les usages internet (IAM notamment), un incident majeur a paralysé une énorme partie d’Internet pendant plusieurs heures.

Arretez Internet : AWS ne répond plus!

Il y a quelques jours, un incident impactant le fournisseur cloud AWS a eu un écho important chez beaucoup d’entreprises et de services, directement touchés par cette instabilité. J’ai vu sur les réseaux sociaux de nombreuses réactions, souvent à côté du sujet (malheureusement) et je me suis dit

TFerdinand.netTeddy FERDINAND

Une fois de plus, le communiqué de presse de l’entreprise est transparent sur la cause de l’incident :

The new capacity had caused all of the servers in the fleet to exceed the maximum number of threads allowed by an operating system configuration. As this limit was being exceeded, cache construction was failing to complete and front-end servers were ending up with useless shard-maps that left them unable to route requests to back-end clusters

Vu de l’extérieur, l’incident semble assez bête en fait, un problème de dimensionnement des machines qui a conduit à une indisponibilité mondiale.

Google GCP : Je ne te connais pas

Quelques semaines après l’incident AWS, Google rencontre aussi un incident majeur : l’authentification de l’ensemble de ses applications ne répond plus.

Que ce soit YouTube, GCP, Google Workspace, plus aucun utilisateur ne parvient à se connecter.

De par l’intégration des services de Google un peu partout, l’impact a été visible par beaucoup de monde.

Une fois de plus, l’entreprise a été transparente sur la cause de cet incident dans son communiqué de presse :

Google uses an evolving suite of automation tools to manage the quota of various resources allocated for services. […] An existing grace period on enforcing quota restrictions delayed the impact, which eventually expired, triggering automated quota systems to decrease the quota allowed for the User ID service and triggering this incident.

Azure AD et les incidents distribués

En septembre/octobre 2020, Azure AD a rencontré un incident rendant le service d’authentification de Microsoft inaccessible (en grosse partie).

La root cause : une double anomalie, un package en test (slow ring) déployé en production, et un déploiement en parallèle sur l’ensemble des serveurs au lieu de le déployer en rolling update.

Azure AD is designed to be a geo-distributed service deployed in an active-active configuration with multiple partitions across multiple data centers around the world, built with isolation boundaries. Normally, changes initially target a validation ring that contains no customer data, followed by an inner ring that contains Microsoft only users, and lastly our production environment. These changes are deployed in phases across five rings over several days.

In this case, the SDP system failed to correctly target the validation test ring due to a latent defect that impacted the system’s ability to interpret deployment metadata. Consequently, all rings were targeted concurrently. The incorrect deployment caused service availability to degrade.

Pourquoi tu me parles de ces incidents ?

La bienveillance : connait pas

Dans un premier temps, j’ai constaté que la bienveillance de beaucoup de communautés techniques disparaît lorsque l’on parle des GAFAM. Sans en être un grand fan, je n’oublie pas que ce sont des femmes et des hommes comme mes collègues et moi qui sont derrière. Beaucoup sont passionnés par leur travail et le niveau requis pour rentrer dans ces entreprises est loin d’être anodin.

Pour autant, nombre de messages sur les réseaux sociaux considéraient que c’était "amateur" que d’avoir ce type d’incident.

Pour avoir connu nombre d’incidents majeurs dans ma carrière, parfois, il ne s’agit pas d’incompétence, mais d’un concours de circonstances imprévu et difficilement prévisible !

Personne n’est too big to fall

Point intéressant à retenir, même des colosses comme les GAFAM rencontre des incidents impactant. La différence majeure pour moi reste le facteur d’échelle : chez les GAFAM, l’incident est directement très visible.

Personnellement, je trouve cela rassurant de se dire que même ces boites aussi énormes rencontre des incidents somme toute assez classiques.

Les entreprises valorisent leurs erreurs

Pour chacun de ses incidents, on a pu constater un post mortem clair et transparent sur ces derniers. Permettant ainsi de mieux appréhender la portée de ces anomalies et pourquoi leur résolution à parfois pris du temps.

Mais on voit aussi que les entreprises communiquent de suite sur la manière dont elles vont éviter que cela se reproduise.

Le poids du legacy

Le legacy, cette dette technique éternelle que l’on voit dans toutes les entreprises (ou presque). Il serait idiot de penser qu’il n’y a pas de legacy ou de manque de documentation chez les GAFAM.

Quand bien même ils ont des processus bien huilés (en tout cas en public), comme toutes les boites, ils ont un historique et des composants qui sont anciens et/ou mal documentés.

La différence majeure étant le facteur d’échelle, du legacy chez Microsoft n’a pas le même poids que chez une entreprise de taille plus modeste.

En conclusion

Ce billet a avant tout pour but de mettre un peu en avant ces incidents et la toxicité de certaines communautés Tech autour de ces derniers.

Les GAFAM ne sont pas invincibles et rencontre des incidents d’exploitation comme toutes les entreprises. D’un côté, je dirais même que c’est rassurant de se dire que cela leur arrive aussi !

Et vous, qu’en pensez-vous ?

There are many different visualizations in Azure Workbooks. A grid can be just a plain grid, or a grid with a parent/child relationship, or grouped by values in columns. This post will show you how to build the grid with a parent/child relationship. We want to group guest user activity for this scenario. We will be needing OfficeActivity logs to get the activity from guest users.

Setting up the Azure Workbook query

Build your own workbook and add a new query

Add query

Give it a name and go to settings

Fill in the query (you can copy/paste the JSON representation of this item below).

Query breakdown

First get the required information and place them in a variable

This will get all Office Activity where the UserID contains #ext# and we only need the operation, UserId and TimeGenerated.
Note that you need to end with “;”

Running only this will get us the below output.

The next bit will map the parent with the child.

First we project the columns IdField, Name, Parent, Count and Type. IdField is a concatenation of UserId and Operation. Project-away is used to remove the IdField from the output.
We will add additional rows with the union operator. These will have the same columns but the IdField is only filled with the UserId. This column is also removed from the output.
The output will be ordered by Count

Next we will also want to add a trend line. We will be using the join operator for this. The join operator will merge the rows of two tables to form a new table by matching values of the specified columns from each table.

It will count the number of occurrences and place it in the Trend variable

Look and feel

Customize the column settings

Hide Parent, Type and IdField and configure Count

Create a Heatmap with the above settings. Next configure the Trend column

Also change like above and configure the Tree / Group By Settings like below

Apply and close which should change the look and feel to

JSON representation

You can copy and paste the below code in the advanced editor for a query.

{
  "type": 3,
  "content": {
    "version": "KqlItem/1.0",
    "query": "let data = OfficeActivity \r\n| where UserId contains \"#ext#\"\r\n| project Operation, UserId, TimeGenerated;\r\ndata\r\n| summarize Count = count() by UserId, Operation\r\n| project IdField = strcat(UserId, '/', Operation), Name = Operation, Parent = UserId, Count, Type = 'Operation'\r\n| join kind = inner (data\r\n                    | make-series Trend = count() default = 0 on TimeGenerated in range({TimeRange:start}, {TimeRange:end}, {TimeRange:grain}) by UserId, Operation\r\n                    | project IdField = strcat(UserId, '/', Operation), Trend\r\n                    ) on IdField\r\n| project-away IdField\r\n| union (data\r\n    | summarize Count = count() by UserId\r\n    | project IdField = UserId, Name = UserId, Parent = '', Count, Type = 'UserId'\r\n    | join kind = inner (data\r\n                        | make-series Trend = count() default = 0 on TimeGenerated in range({TimeRange:start}, {TimeRange:end}, {TimeRange:grain}) by UserId\r\n                        | project IdField = UserId, Trend\r\n                        ) on IdField\r\n    | project-away IdField)\r\n| order by Count desc",
    "size": 0,
    "title": "Guest user activity",
    "timeContext": {
      "durationMs": 2592000000
    },
    "queryType": 0,
    "resourceType": "microsoft.operationalinsights/workspaces",
    "visualization": "table",
    "gridSettings": {
      "formatters": [
        {
          "columnMatch": "Parent",
          "formatter": 5
        },
        {
          "columnMatch": "Count",
          "formatter": 8,
          "formatOptions": {
            "min": 0,
            "palette": "turquoise"
          },
          "numberFormat": {
            "unit": 17,
            "options": {
              "style": "decimal"
            }
          }
        },
        {
          "columnMatch": "Type",
          "formatter": 5
        },
        {
          "columnMatch": "IdField1",
          "formatter": 5
        },
        {
          "columnMatch": "Trend",
          "formatter": 9,
          "formatOptions": {
            "min": 0,
            "palette": "turquoise"
          },
          "numberFormat": {
            "unit": 17,
            "options": {
              "style": "decimal"
            }
          }
        }
      ],
      "hierarchySettings": {
        "idColumn": "IdField1",
        "parentColumn": "Parent",
        "treeType": 0,
        "expanderColumn": "Name"
      }
    }
  },
  "name": "Guest user activity"
}