Author: Adam Fowler

MSPortals.io Analytics

I thought it might be interesting to share some stats/trends around https://msportals.io which currently uses Google Analytics. Most sites have a commercial aspect and don’t like to share this data, but as it’s purely community and no financial gain, let’s check out some stats:

Last 7 days from 31st May (Monday):

Last 28 days from 10th May:

Last 12 months:

All time – from October 2021 to June 2023.

Unsurprisingly, there is a constant peak/trough for weekdays and weekends. I’m not sure why it’s more evident over the ‘all time’ stats vs ‘last 12 months’, but ’28 days’ and ‘7 days’ show a good reflection of this. Those giant peaks on the ‘all time’ are from either a news article posting about the site, or someone having a very successful social media post bringing attention to msportals.io.

There is also a pretty steady user count between 1500 and 2000 a day, excluding weekends.

Where are users coming from? (last 90 days)

Another unsurprising statistic is that most users are coming from the US – UK is next, and probably more surprising is Australia being third – maybe because I have a wider audience and more connections here?

US is the first most common US city in 7th place, while London is 1st, which I’m sure matches the expected stats due to population distribution.

Which pages are most hit? (last 90 days)

Still more unsurprising stats, the main page accounts for the most hits, which contains the standard Microsoft Admin portals. Next up is the Government portals, which is only US Gov – so there is obviously fairly high usage of those; double the stats of the user page which I did think would be a bit more widespread – but I expect the waffle from office.com serves most users quite well.

How do users get to msportals.io? (last 90 days)

Most have the site bookmarked, or are typing the URL directly into their browser. The next most common is via search engine – testing via private browser mode, searching for ‘Microsoft Portals’ brings up msportals.io as the first result on both Bing and Google, but I can’t see any stats on what search terms refer people to my site the most.

Average Engagement Time (last 90 days)

If someone visits the main msportals.io site, the average engagement time is 36 seconds (based on the last 90 days). Most sites will want higher engagement times, but the point of this site is to get people to where they want to get to as quickly as possible, so I’m pretty happy with 36 seconds as an average. Other pages have similar times, although I have no idea how language conversion is happening, or why what I assume is the French language ‘Portails adminitraeur | Portails Microsoft’ has more than 2 minutes engagement time despite France not being in the top 7 countries (I’ll blame Canada – sorry).

Tech – Device, Platform (last 90 days)

These stats I find quite interesting. No surprise that Windows is vastly the main OS used to access msportals.io, with similar numbers of Macs vs iOS users, and slightly behind that, Android. There’s 90% desktop users vs 10% mobile users – rounding to nearest number and ignoring the 0.3% of tablet users.

Very similar browser stats on Edge vs Chrome (which compared to the stats for the sites’ entire life, Chrome has been used slightly over 2x as much as Edge, which shows Edge’s usage drastically increasing for at least my sites’ user base), and fair way behind are similar usage stats for Safari vs Firefox (and again comparing since the site launched, that’s been similar the whole way along with a tiny bit more Safari).

Screen resolutions I am happy to see the standard 1920 x 1080 being far ahead. Quad HD is second, with a bit of ultrawide 5th on the list. Again, historically 1920 x 1080 has always been far ahead, but 1366 x 768 makes up second place with half the amount of 1920 x 1080 hits – yet in the last 90 days, it’s not even top 7 so there must be a lot of monitor or laptop upgrades recently :)

I hope those stats gave you some insights into both what msportals.io sees, and also very easily what any site can learn about it’s visitors – this is using Google Analytics, without any costs involved.

Sync Photos from Canon Camera to OneDrive for Business

Getting files from A to B is sometimes easy, sometimes not so easy. As I’m writing a blog post on this topic, guess which category this falls into?

I recently purchased a Canon EOS R10 camera, and it’s been quite a while since I’ve done anything beyond a smartphone device in this space. It’s actually for my wife, but I still get to play with it.

Anyway, the simple concept of ‘I take photos on a camera and want them in OneDrive for Business the easiest and most automated way possible’ seems like it shouldn’t be a complicated ask, but the answers I’ve found aren’t as straight forward as I was expecting.

At a basic level, the camera takes photos and saves them onto a removable SD card (in this case, a Micro SD in a standard SD card adapter). Here’s the options that I found and didn’t like:

  • Remove the SD Card from the camera, put it into a computer, and copy the files off. This is the old school way and although not a terrible option, it’s rather manual and requires the steps to take the photos off each time, with another device handy. From the computer it’s quite easy to sync the files using the OneDrive client, as the destination of the copied files could be an already syncing folder.
  • Plug in the camera via USB to a computer and copy the files off. About as tedious as the first option, you’re still opening a flap on the camera, and doing all the heavy lifting on a computer.
  • Use the Canon Camera Connect app to connect a mobile phone to the camera, and download all the images to then sync up to OneDrive for Business. I was leaning this way until realising that it didn’t support resume – so if the camera went flat, or you took more photos before deleting, it would sync all the photos again.
  • On the camera itself, connect to Wi-Fi and then use the image.canon service. This will sync each photo to Canon’s cloud service. Free, but it’s for up to 30 days storage and max 10GB, and then there’s no easy way to get the files from image.canon to OneDrive for business. It is designed as a file transfer gateway to services, but those services are quite limited; Google Photos, Google Drive, YouTube, Adobe Photoshop Lightroom, Frame.io, and Flickr.|
    Frame.io was paid, Flickr wasn’t listed as a supported app on Power Automate, and Adobe I don’t want to even look at the price. If I was in the Google or Adobe ecosystem for file storage already I’d probably be happy, but I’m not.
    I first thought – after some investigation that there’s no support on Google Drive to detect a file creation on their APIs, so I can’t trigger a sync using something like Power Automate to take files from Google Drive and put them in OneDrive for business – but I then found this from the community that was close to what I wanted: Copy files from Google Drive to Onedrive on a daily basis

Using that solution and cutting it back a bit to an 8 hour sync and just deleting all the files found, I’ve now got a clunky but working solution:

1. Camera auto uploads to image.canon

2. image.canon syncs to Google Drive (free tier) as they come in

3. Power Automate checks every 8 hours for new files in Google Drive, copies to OneDrive for Business, deletes Google Drive files (and for 30 days I’ll still have a backup in image.canon, plus the files on the SD card in the camera until I delete them)

4. Synology NAS on-premises syncs files from OneDrive for Business to local storage

5. Plex locally scans the OneDrive for Business backup path and indexes images to play anywhere via Plex

I don’t like how many moving parts the solution has, plus the camera’s upload speed isn’t great (also a mid-range camera built in 2022 only has Wi-Fi 4 standards from what I’m seeing on my Ubiquiti equipment which is a bit disappointing), but it is an automated solution end to end. Sometimes the camera may go flat doing it’s long sync, but thankfully it keeps a record of where it was up to and continues on power on.

My Facebook Account Was Hacked Part 2 – I got it back!

Part 1 here

Continuing on from the Part 1 story, not long after I saw this story from Linus Tech Tips – they’d been hacked and although that’s on YouTube and I just lost my personal Facebook account, they sound like the same issue. This is worth a watch to understand what’s going on, if you think because you’ve got 2FA set up, you’re completely safe:

I still don’t know exactly what happened, but my cookie being hijacked made sense based on what I saw on the access logs – the same browser cookie used for auth that I’d used many months before, but no new login attempt, no MFA hacks etc.

Facebook have the same issue as YouTube – there is no MFA challenge when you change something major about your account, like your display name. It would make sense to do so when major profile changes are made, but they don’t.

Beyond that, logging onto Facebook today I saw an alert about my other profile – which was my taken over one but the browser was still aware (the account wasn’t deleted, purely completely blocked/disabled by Facebook). I’d also note here that I didn’t receive any email or other alert,

I thought I’d log back onto the account out of intertest, and was presented with a different screen:

This sounded like I might be able to get the old account back – so going through the process was purely a SMS code to type in based on my saved phone number, asking me if the phone number/email addresses were correct, then kicking of a bot who’s also a doctor seeing what actions might have been done under my account:

Strangely, this bot who I don’t believe actually is a qualified doctor, came back to tell me nothing was changed on my account:

Ah, I must have always been Lily and not realised it… even though the downloaded logs showed that was the last change on my Facebook account. If this system can’t detect that, it’s already failed.

Those Extra security settings were purely to get notifications and emails if my account is ever logged on at a new device – not a terrible thing, but probably not going to save me at 1am.

I really don’t want my old profile now anyway, but it has let me easily delete the Facebook Page I had for ‘Adam Fowler IT’ so that’s now gone.

I was considering maybe reviving the old account, but I couldn’t even change the name back because I’d changed it in the last 60 days.

Also, there might be something historical I want to get from the account, and although I have everything downloaded, it’s a bit of a pain to go through so rather than deleting the account, I changed the account profile photo to ‘do not use’ and deactivated it.

Overall, I’m still very unimpressed over the entire process, and the above continues to prove how even one of the most valuable companies in the world still gets this stuff so wrong.

My Facebook Account Was Hacked!

And I couldn’t recover it.

A few weeks ago, I woke up to look at my phone, opened the Facebook app and saw someone else’s account flash up, which then changed to a message saying that my account had been de-activated due to breaking community standards. I first thought ‘this isn’t even my account’ but upon logging out and in, I soon came to the realization that it was actually my account.

This also affected Facebook Messenger, which I could no longer access. Others could see my account in chats, with it’s new name ‘Lily’ and profile picture (which on doing a reverse Google Image search, I found was a very popular fashion influencer – and not the potentially breaking community standards type).

Facebook had an option on signing in for me to request the decision to be reviewed. As it seemed like it was a pretty cut and dry case where someone had somehow accessed my account, I followed that process. The process sounds like a scam in itself but is an actual thing they do – first I had to take a photo of myself and upload it, then take a photo of some sort of ID and upload that too. After that, the automated Facebook system told me to wait for the results of that review.

Only an hour or so later I logged back in to check, and saw this message:

I’m going to conclude that their review process isn’t very thorough, or they’ve automated it and it’s come back in the negative for some reason. Although I don’t expect much of Facebook, I did expect to get my account back, but that was a dead end. I didn’t really care about my Facebook account too much – I was really just using it for Messenger, as well as Facebook Marketplace and some local news/events stuff. Creating a new account didn’t take long and got me back to where I needed to be.

I was still curious on what happened – I was using a unique email address and password for Facebook, and 2FA was configured; any time I’d log onto a new device I’d get an existing device to prompt via the Facebook app to authenticate. I used the ‘Download Your Information’ button above, which took several hours to be ready and give me some download links.

The 3 ZIP files Facebook provided contained quite a large amount of information – it’s interesting to see how much data they actually keep about your activities – too many to list, but some examples:

Advertisers using your activity or information” (list of thousands)

Your off-Facebook activity” (thousands again, example – Menulog feeds back searches, purchases etc)

“IP Address Activity”

That’s when I became ‘Lily’.

Interestingly, “Authorised Logins” shows no logins from this IP, but there is a record under “Session updated

Unsurprisingly the IP appears to be a VPN endpoint. I’m no cyber expert, but appears someone potentially obtained a cookie off me to gain access judging by the first 4 characters, as the logs show I first used it in April 2022.

The other biggest ‘loss’ I had from losing this account was any other service I used that I’d done the lazy thing of using my Facebook account to set up access, rather than creating an individual account. One I knew I’d done this with, I could luckily follow a reset password process using the email address I used for Facebook.

I also lost control of my Facebook page where articles from here were posted – there’s probably a way to take this over, but having a quick read it requires uploading your ID, and that didn’t go to well so far.

I still haven’t been able to exactly work out how access was obtained, or what was actually done with the account to breach community guidelines (maybe just impersonating someone famous was enough) despite having all these logs. I’ve gone through chats, page likes etc and could not see anything suspicious.

The biggest lessons learned I can pass on from this is – realise that you may lose your Facebook account at any time, and despite doing the right thing and being able to prove you are you, not be able to recover it. Also, don’t be lazy and use that account to access other services if the other service can let you create an account in another way (ideally email + password + another authentication factor). If you are concerned about what Facebook might be gathering for you, follow their instructions on how to download your data – it gets presented in a nice HTML front page to dig through.

Also – if you post on social media about your account being hacked, a bunch of bots will respond and recommend services to get your account back. Ignore these.

Update: Check out Part 2 where I get the account back.

Azure AD Cross-Tenant Synchronization is now in Public Preview

For a long time, the methods of having two Azure AD tenants aware of each other’s users needed to be managed in either a manual, or scripted way; accessing the data of another tenant or using their configured Apps would require each user to enrol to the other tenant and be given default guest permissions; or an admin at the destination tenant would need to set things up, send invites out, or do something else creative to make the user experience better.

I was on board Azure AD B2B in the early days; as a Microsoft MVP I had the privilege of speaking to a product manager for it that one time I went to Redmond, talking about my use case and seeing if I was ‘doing it right’. A combination of Azure AD B2B and Azure App Proxy I’d set up for guest accounts to get into an internally hosted web based application, and it worked quite well. I had my own script going through a many step process to send out an invite to the user, add the user to multiple groups and whatever other trickery I needed at the time.

Cross-tenant synchronization however, takes a lot of that pain away. You can set up a trust between two Azure AD tenants (which can be a one way sync) to allow users in Tenant A to be automatically created and managed in Tenant B as a guest user. This is great for organisations who have to frequently work with another org – and even though it’s early days for cross-tenant sync, there’s some rather good controls already. You aren’t limited to a single relationship either; I can’t see any documented limits.

Attribute Mapping allows you to configure extra rules around the attributes that get passed on, allowing you to manipulate, add or remove certain attributes (you might want to remove an employee number from employeeid, or add an extra attribute to define what tenant they were synced from; or do something that will in turn match a dynamic security group rule to automatically add your synced users to be allowed to access an application.

I’d often step through how to set this up in one of these articles, but the documentation is already detailed with step-by-step screenshots and clear instructions. It worked exactly as described when I set this up between two test tenants I have, and took about 15 minutes beginning to end, which included reading the documentation a few times to make sure I was following it correctly. It’s also possible to do via Graph API, but I did not try this method.

There’s even detailed sync logs, troubleshooting tips, and detailed reporting.

One question I’ve seen multiple people already ask is how does this relate to the Global Address List (GAL) and People Search – which the documentation claims this isn’t on by default, but easy to enable. In my testing however, the accounts showed up in the GAL with the little ‘blue person in front of world’ symbol with no extra configuration. They didn’t turn up instantly and I waited overnight, then they were there. People Search was the same. If you want to investigate this for yourself, check out the showInAddressList attribute. Other documentation also says guest objects aren’t in the GAL by default too:

and here’s the instructions on how to “Add guests to the global address list“.

As always, be aware that this is Public Preview so has less guarantees than a fully launched feature. If you have any feedback or want to see what others might be saying/asking, check out the official feedback for Azure Active Directory.

Edit 10/02/2023

Worth mentioning licensing.

As per What is a cross-tenant synchronization in Azure Active Directory? (preview) – Microsoft Entra | Microsoft Learn:

In the source tenant: Using this feature requires Azure AD Premium P1 licenses. Each user who is synchronized with cross-tenant synchronization must have a P1 license in their home/source tenant. To find the right license for your requirements, see Compare generally available features of Azure AD.

In the target tenant: Cross-tenant sync relies on the Azure AD External Identities billing model. To understand the external identities licensing model, see MAU billing model for Azure AD External Identities

The MAU billing section:

In your Azure AD tenant, guest user collaboration usage is billed based on the count of unique guest users with authentication activity within a calendar month. This model replaces the 1:5 ratio billing model, which allowed up to five guest users for each Azure AD Premium license in your tenant. When your tenant is linked to a subscription and you use External Identities features to collaborate with guest users, you’ll be automatically billed using the MAU-based billing model.

Your first 50,000 MAUs per month are free for both Premium P1 and Premium P2 features. To determine the total number of MAUs, we combine MAUs from all your tenants (both Azure AD and Azure AD B2C) that are linked to the same subscription.

The pricing tier that applies to your guest users is based on the highest pricing tier assigned to your Azure AD tenant. For more information, see Azure Active Directory External Identities Pricing.

Then from Pricing – Active Directory External Identities | Microsoft Azure:

Each synced user needs an Azure AD Premium P1 or P2 license in their home tenant.

Each tenant receiving synced users has the Azure AD External Identities billing model which used to be a 1:5 model, but is now 50k users free, the rest a small charge per active user.

Does a synced account count as an active user? Unsure, I would guess it’s a ‘probably not’ since there’s no active login for just existing as a guest in another tenant, but verify that for yourself with your licensing reseller.