July’s call, hosted by Kim Brandl and Doug Mahugh, featured the following presenters and topics:
• Doug Mahugh, Senior Dev Writer, presented an overview of the Office Add-ins platform.
• Sohail Zafar, Senior Program Manager, covered what’s new in the Outlook JavaScript APIs.
• Yu Kaijun, Senior Program Manager, and Ruoying Liang, Senior Program Manager, talked about what’s new in the Excel JavaScript APIs.
• Anand Menon, Principal Program Manager Lead, presented about Microsoft 365 App Certification.
• Daniel Fylstra, President @ Frontline Systems Inc., presented about the Analytic Solver add-in for Excel, a complex and powerful analytics modeling tool that they’ve ported from a COM add-in to a JavaScript add-in.
2. About the community call
• https://aka.ms/officeaddinscommunitycall
• Next call: Wednesday, August 14, 2019
• Meet the product teams behind Office Add-ins
• What’s new and coming soon
• Technical deep dives
• Customer presentations
• Q&A
4. Presenters
Kim Brandl
Sr. Dev Writer
Daniel Fylstra
President
Frontline Systems, Inc.
Sohail Zafar
Principal Program Manager
Yu Kaijun
Sr. Program Manager
Anand Menon
Principal Program Manager Lead
Doug Mahugh
Sr. Dev Writer
Ruoying Liang
Sr. Program Manager
10. Requirement Set 1.7 (Released)
Feature | API | Brief Description | Old OWA | New OWA | O2016 C2R | O2016 MSI | O2013 | Mac | iOS | Android
Shared Folders | From | From value in Compose mode. | Prod | Prod | Prod | Not Planned | Not Planned | Prod | TBD | TBD
Shared Folders | Organizer | Organizer value in Compose mode. | Prod | Prod | Prod | Not Planned | Not Planned | Prod | TBD | TBD
Recurrence | Recurrence | Manage the recurrence pattern of an appointment/meeting item. | Not Planned | Prod | Prod | Not Planned | Not Planned | Prod | Calendar isn’t supported | Calendar isn’t supported
Recurrence | SeriesId | Adds a new property that gets the id of the series an occurrence belongs to. | Not Planned | Prod | Prod | Not Planned | Not Planned | Prod | Calendar isn’t supported | Calendar isn’t supported
Events | RecurrenceChanged | Event that tells when meeting/appointment recurrence is changed. | Not Planned | Prod | Prod | Not Planned | Not Planned | Prod | Calendar isn’t supported | Calendar isn’t supported
Events | RecipientsChanged | Event that tells when recipients are changed. | Not Planned | Prod | Prod | Not Planned | Not Planned | Prod | Compose isn’t supported | Compose isn’t supported
Events | AppointmentTimeChanged | Event that tells when meeting/appointment time is changed. | Not Planned | Prod | Prod | Not Planned | Not Planned | Prod | Compose isn’t supported | Compose isn’t supported
Events | addHandlerAsync | Adds an event handler for a supported event. | Not Planned | Prod | Prod | Not Planned | Not Planned | Prod | TBD | TBD
Events | removeHandlerAsync | Removes the event handlers for a supported event type. | Not Planned | Prod | Prod | Not Planned | Not Planned | Prod | TBD | TBD
Update: July 2019 (red in the slide = changes from past month)
11. Requirement Set 1.8 (In Progress)
Feature | API | Brief Description | Old OWA | New OWA | O2016 C2R | O2016 MSI | O2013 | Mac | iOS | Android
Attachments | addFileAttachmentFromBase64 | Attach a file represented as a base64-encoded string to a message or appointment. | Not Planned | Prod | Prod | Not Planned | Not Planned | Insiders 20% | TBD | TBD
Attachments | getAttachmentContent | Get the content of a specific attachment. | Not Planned | Prod | Prod | Not Planned | Not Planned | Insiders 20% | TBD | TBD
Attachments | getAttachments | Gets an item’s attachments in compose mode. | Not Planned | Prod | Prod | Not Planned | Not Planned | Insiders 20% | TBD | TBD
Attachments | AttachmentChanged Event | Event telling when an attachment is added or removed. | Not Planned | Prod | Prod | Not Planned | Not Planned | Insiders 20% | TBD | TBD
Internet Headers | Internet Headers | Represents the internet headers of a message item. | Not Planned | Prod (target end of July) | Prod | Not Planned | Not Planned | Insiders 20% | TBD | TBD
Categories | Categories | Get/set categories on an item. | Not Planned | Prod (target end of July) | Prod | Not Planned | Not Planned | Insiders 20% | TBD | TBD
Categories | CategoryList | Manage mailbox categories. | Not Planned | Prod (target end of July) | Prod | Not Planned | Not Planned | Insiders 20% | TBD | TBD
Resources | Enhanced Location API | Get/set room locations on a meeting/appointment. | Not Planned | Prod | Prod | Not Planned | Not Planned | Prod (target end of Sept) | TBD | TBD
Resources | locationChanged Event | Event telling when a location is changed. | Not Planned | Prod | Prod | Not Planned | Not Planned | Insiders 20% | TBD | TBD
Shared Folders | sharedProperties | Represents the properties of an item in a shared folder, calendar, or mailbox. | Not Planned | Prod | Prod | Not Planned | Not Planned | Insiders 20% | TBD | TBD
Block on Send | OnSend event | Allows an add-in to block sending of a message. | Prod | Prod | Target July 18th in Insiders; Prod by end of July | Not Planned | Not Planned | Prod (target end of Aug) | TBD | TBD
Update: July 2019 (red in the slide = changes from past month)
12. Additional Updates
• Thinking of picking up multiselect support in desktop.
• Auto-run add-ins for message tracking, OWA first.
• Block on Send: currently 100% Insiders for Mac and Windows. Now fixing the quick compose support for on-send.
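The OnSend event in the 1.8 requirement set is the hook behind the "Block on Send" scenario above. The following is an added example, not code from the presentation or from Microsoft's documentation, showing one way an add-in can use it as an outbound data-protection check: a pure policy function (the internal-domain allowlist and sensitivity markers are constructed values) decides whether a message with external recipients may leave, and the handler passes the verdict to event.completed through allowEvent. The manifest wiring for the ItemSend event is assumed and not shown; the constructed Office stub at the bottom only lets the file run outside Outlook, where the real Office global does not exist.

```javascript
// Added example (not from the presentation or from Microsoft's documentation):
// an on-send handler (Mailbox requirement set 1.8) that applies an outbound
// policy before a message leaves the client. The manifest wiring for the
// ItemSend event is assumed to be in place and is not shown here.

const INTERNAL_DOMAINS = new Set(["contoso.example"]);        // constructed
const SENSITIVE_MARKERS = ["confidential", "internal only"];  // constructed

// Pure policy check, kept free of Office.js so it can be tested on its own.
// recipients: array of { emailAddress } as returned by item.to / item.cc.
// Returns { allow, reason }. A recipient with no "@" is treated as external
// so that unresolved entries fail closed rather than open.
function evaluateSendPolicy(recipients, subject, body) {
  const external = recipients
    .map(r => String(r.emailAddress || "").toLowerCase())
    .filter(addr => {
      const at = addr.lastIndexOf("@");
      return at < 0 || !INTERNAL_DOMAINS.has(addr.slice(at + 1));
    });
  const text = (subject + "\n" + body).toLowerCase();
  const hits = SENSITIVE_MARKERS.filter(m => text.includes(m));
  if (external.length > 0 && hits.length > 0) {
    return {
      allow: false,
      reason: "Message marked \"" + hits[0] + "\" has external recipients: " + external.join(", "),
    };
  }
  return { allow: true, reason: "" };
}

// Promise wrapper around the callback-style getAsync used by item properties.
function getAsync(prop, ...args) {
  return new Promise((resolve, reject) => {
    prop.getAsync(...args, result => {
      if (result.status === Office.AsyncResultStatus.Succeeded) resolve(result.value);
      else reject(result.error);
    });
  });
}

// The function named in the manifest for the ItemSend event. Outlook waits for
// event.completed(); allowEvent:false cancels the send and errorMessage is
// shown to the user.
async function onMessageSendHandler(event) {
  const item = Office.context.mailbox.item;
  try {
    const [to, cc, subject, body] = await Promise.all([
      getAsync(item.to),
      getAsync(item.cc),
      getAsync(item.subject),
      getAsync(item.body, Office.CoercionType.Text),
    ]);
    const verdict = evaluateSendPolicy(to.concat(cc), subject, body);
    event.completed(verdict.allow
      ? { allowEvent: true }
      : { allowEvent: false, errorMessage: verdict.reason });
  } catch (e) {
    // Fail closed: if the item could not be read, do not let it out unchecked.
    event.completed({ allowEvent: false, errorMessage: "Send policy check failed: " + e });
  }
}

// Constructed stub so this file can be run outside Outlook (e.g. with node).
// Inside Outlook the real Office global exists and this block is skipped.
if (typeof Office === "undefined") {
  const ok = value => ({ status: "succeeded", value });
  const field = value => ({ getAsync: (...a) => a[a.length - 1](ok(value)) });
  globalThis.Office = {
    AsyncResultStatus: { Succeeded: "succeeded" },
    CoercionType: { Text: "text" },
    context: { mailbox: { item: {
      to: field([{ emailAddress: "alice@contoso.example" }, { emailAddress: "bob@partner.example" }]),
      cc: field([]),
      subject: field("Q3 forecast - CONFIDENTIAL"),
      body: field("Draft numbers, please do not forward."),
    } } },
  };
}

if (typeof module !== "undefined" && require.main === module) {
  onMessageSendHandler({ completed: result => console.log(result) });
}
```

Keeping the decision in evaluateSendPolicy rather than inside the handler is what makes the policy reviewable and testable without Outlook; the handler only gathers the item fields and reports the verdict. Whether a read failure should block the send (as here) or let it through is a deliberate choice that should match the organization's tolerance for false blocks.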
14. onCalculated Event
The event provides information about the ranges that raised the onCalculated event, which fires when calculation completes in a worksheet.
Cells were recalculated, but where?
17. Group/Ungroup JavaScript API
• Where are the Group/Ungroup buttons located in the Ribbon?
• Outline (group) data in a worksheet
If you have a list of data that you want to group and summarize, you can create an outline of up to eight levels, one for each group. Each inner level, represented by a higher number in the outline symbols, displays detail data for the preceding outer level, represented by a lower number in the outline symbols. Use an outline to quickly display summary rows or columns, or to reveal the detail data for each group. You can create an outline of rows, an outline of columns, or an outline of both rows and columns.
20. • Spring 2017 – reports of election interference leveraging OAuth phishing attacks targeting US and France by APT28
• May 2017 – ~1 million Gmail users have data stolen by fake Google Docs OAuth app
• Nov 2017 – reports of APT32 intel gathering attack using OAuth phishing
• Mar 2018 – Cambridge Analytica data scandal exposed
• Dec 2018 – bad 1st party app hygiene leads to publicly disclosed token hijacking attack
• March 2019 – reports of Egyptian government using OAuth apps to phish activists
21. Impact on app ecosystem
• Enterprise customers are shutting down all 3rd party app installations
• Extensive app testing before letting any app into their ecosystem – an n² problem
• Microsoft IT – turned off capability for new apps until recently
• ISVs/Developers lose market share
22. Feedback
Customers:
• I have to go to multiple portals to get the required information, too many hoops to jump through for compliance
• I do not have visibility into apps installed and used by employees within my organization
• I do not have visibility into what apps are safe for my organization, I do my own extensive security and privacy reviews
• I want to know if an app exhibits malicious behavior and want to prevent it before it does any damage
• I want to control deployment of an app to a certain set of users or organization units
• I would like insights on app usage, apps categorized based on capabilities, a complete app lifecycle view, the business owner of an app displayed and kept up-to-date
Developers / ISVs:
• I can’t get in the door - hard to drive adoption
• I want to work with Microsoft to build trust with customers
• I want to co-sell with Microsoft
• I find it challenging to publish my apps to multiple places
23. App protection – Focus areas
1. App verification & certification
2. Secure & compliant app development
3. App 360° – Unified app governance experience
4. App detection and remediation
24. App verification and certification
Self Attestation:
• Available today for Teams apps (http://aka.ms/appcertification)
• Based on Microsoft Cloud App Security (MCAS) catalog
• Developers/ISVs can build on the existing information in MCAS
• Leverage the publisher verification provided by Partner Center
M365 Certified:
• Certified by Microsoft
• App store badge
• Certification criteria are like self-attestation; this is a pathway for ISVs to move from self-attestation to M365 Certified.
• Includes security assessment
• Additional security checks for apps running in a “managed” Microsoft environment
25. Call to action
If you are interested in contributing towards the app verification and certification program or
have feedback:
Email: anandme@microsoft.com (please include details of your current app/add-in)
29. • Choosing Lowest Cost Shipping Routes
• Maximizing Returns from Stock Portfolios
• Scheduling Surgeons and Operating Rooms
• Minimizing Waste in Lumber/Paper Mills
• Choosing Products to Make in Oil Refineries
• Maximizing “Reach” of Advertising Dollars
• Choosing Paths for Internet Traffic
• Minimizing Damage from Radiation
(Themes: choosing, scheduling, allocating; maximizing; minimizing)
30. • User Interface: Ribbon Tab, Task Pane, Dialogs/Charts
• Custom Functions: Called During Excel Calculation
• Events: User Edits Cell, Inserts Row, Selects New Sheet
• Read/Write Cell Values and Formulas, Calculate
• Get Current Workbook Contents, Insert New Worksheet
31. Ribbon Tab
Task Pane
Custom Dialog
Custom Function
Read/Write Cells
Get Workbook Contents
User-Initiated Events
Insert New Worksheet
32. REST API
550,000+ Cloud Spreadsheet Analytics Users
Solver for Excel Online, Google Sheets
◦ Optimization Scalable to Largest Problems
Risk Solver for Excel Online, Google Sheets
◦ Monte Carlo Simulation and Risk Analysis
AnalyticSolver.com - Full End-User Analytics
◦ Forecasting, Data Mining, Text Mining
Rason.com – App Developer Portal
◦ Optimization, Simulation, Data Mining
Analytic Solver V2019 Cloud Version
Demo in Excel Online
33. (Architecture diagram) Model expressed in Object API code; user application (C++, C#, Java, R, Python) with data in the custom application; PSI Interpreter (automatic differentiation, high-speed simulation) with data mining, simulation and optimization algorithms; in-memory Object API read/write calls; optional model in Excel or RASON.
34. (Architecture diagram) Model in Excel workbook; Microsoft Excel Desktop with data in the Excel workbook; Ribbon/task pane/function calls in C# and C++ code; PSI Interpreter (automatic differentiation, high-speed simulation) with data mining, simulation and optimization algorithms; in-memory COM and XLL API read/write calls.
35. (Architecture diagram) Model in Excel workbook; Microsoft Excel (Windows, Mac, Online) with data in the Excel workbook; Ribbon/task pane/function calls in JavaScript; JavaScript API read/write calls; RASON REST API server calls our SDKs against a cached copy of the Excel workbook; PSI Interpreter (automatic differentiation, high-speed simulation) with data mining, simulation and optimization algorithms.
39. Developer resources
Learn:
• Office 365 Developer Program – https://aka.ms/officedevprogram
• Script Lab – https://aka.ms/getscriptlab
• Office Add-ins documentation – https://aka.ms/office-add-ins-docs
• Excel JS API Open spec – https://aka.ms/excel-js-open-spec
• Custom Functions – https://aka.ms/customfunctions
Engage:
• Stack Overflow (questions) – https://stackoverflow.com, tags office-js and outlook-web-addins
• GitHub (issues) – https://github.com/OfficeDev/office-js
• UserVoice (feature requests) – https://officespdev.uservoice.com
• Send a Smile or Frown inside Office
40. • Recording will be available soon on Office Developer YouTube
• https://aka.ms/OfficeDevYouTube
• Next call: Wednesday August 14th, 2019
• Submit your questions: https://aka.ms/officeaddinsform
• Add to your calendar: https://aka.ms/officeaddinscommunitycall
Thank you
Editor’s note
Spring 2017 – reports of election interference: APT 28 - Fancy Bear (also known as Pawn Storm, Sofacy Group, Sednit and STRONTIUM) is a Russian cyber espionage group.
Democratic National Convention (DNC), German political party Christian Democratic Union (CDU), the parliament and government of Turkey, the parliament of Montenegro, the World Anti-Doping Agency (WADA), Al Jazeera, and many other organizations.
Fake Google Docs OAuth App : 0.1 percent of Gmail users were affected. The emails, at the outset, targeted journalists primarily and attempted to trick victims into granting the malicious application permission to access the user’s Google account. It’s unknown how many accounts were compromised, or whether other applications are also involved. Google advises caution in clicking on links in emails sharing Google Docs.
OceanLotus, also known as APT32, is believed to be a Vietnam-based APT group that has become increasingly sophisticated in its attack tactics, techniques, and procedures (TTPs)
Cambridge Analytica, a political data firm hired by President Trump’s 2016 election campaign, gained access to information on 50 million Facebook users as a way to identify the personalities of American voters and influence their behavior. Researchers in 2014 asked users to take a personality survey and download an app, which scraped some private information from their profiles and those of their friends, activity that Facebook permitted at the time and has since banned. The technique had been developed at Cambridge University’s Psychometrics Center. The center declined to work with Cambridge Analytica, but Aleksandr Kogan, a Russian-American psychology professor at the university, was willing. Dr. Kogan built his own app and in June 2014 began harvesting data for Cambridge Analytica.
He ultimately provided over 50 million raw profiles to the firm, said Christopher Wylie, a data expert who oversaw Cambridge Analytica’s data harvesting. Only about 270,000 users — those who participated in the survey — had consented to having their data harvested, though they were all told that it was being used for academic use.
Facebook said no passwords or “sensitive pieces of information” had been taken, though information about a user’s location was available to Cambridge.
Office Secret Activities API to aid in Business Email Compromise: few forensics firms they worked with possessed a secret tool that could pull extra activity details out of Office 365. These details were not accessible using the normal, published Office 365 query mechanisms. He said the tool was very secret and he wasn’t at liberty to share more.
We waved it off, figuring it was a marketing ploy. But over the next few months, rumors continued to circulate about a secret tool. A Microsoft programmer had left and joined a forensics firm, taking a secret internal Microsoft tool with him to his new employer, someone said. No one could confirm the rumors. https://www.crowdstrike.com/blog/hiding-in-plain-sight-using-the-office-365-activities-api-to-investigate-business-email-compromises/
bad 1st party app hygiene leads to publicly disclosed Token Hijacking
Sahad Nk, an India-based bug hunter, discovered that a Microsoft subdomain, “success.office.com,” had not been properly configured, allowing him to take it over. He used a CNAME record, a canonical record used to link one domain to another, to point the unconfigured subdomain to his own Azure instance. In doing so, he controlled the subdomain — and any data sent to it, he said in a write-up shared with TechCrunch prior to publication.
That wouldn’t be much of a problem on its own, but Nk also found that Microsoft Office, Store and Sway apps could be tricked into sending their authenticated login tokens to his newly controlled domain after a user logs in through Microsoft’s Live login system.
That’s because the vulnerable apps use a wildcard regex, allowing all office.com — including his newly controlled subdomain — to be trusted.
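The wildcard check described in the note above is a recurring pattern: a regex that accepts any host under a parent domain also accepts a forgotten or dangling subdomain once someone else controls it, and without a dot boundary it accepts unrelated names that merely end in the same letters. The following is an added example, not code from the presentation or from any of the apps mentioned, that contrasts a suffix-style host check with an exact host allowlist for a login return URL. All hostnames are constructed placeholders (the office.example domain stands in for any real one).

```javascript
// Added example (not from the presentation). Contrasts a suffix-style host
// check with an exact allowlist for a login return URL. All hostnames are
// constructed placeholders.

// Suffix check of the kind the note describes: every host whose name ends in
// the parent domain is trusted, so any subdomain that can be pointed elsewhere
// (for example through a stale CNAME) is trusted too. Without a dot boundary
// it even accepts unrelated domains that happen to end with the same letters.
function weakHostCheck(url, parentDomain) {
  const pattern = new RegExp(parentDomain.replace(/\./g, "\\.") + "$", "i");
  return pattern.test(new URL(url).hostname);
}

// Hardened check: https only, exact match against a small allowlist of the
// hosts that are actually meant to receive tokens. Adding a host here is a
// deliberate change, and every entry is one DNS record to keep inventoried.
const ALLOWED_RETURN_HOSTS = new Set([   // constructed allowlist
  "login.office.example",
  "www.office.example",
]);

function isAllowedReturnUrl(url) {
  let u;
  try {
    u = new URL(url);   // rejects malformed input instead of guessing at it
  } catch (e) {
    return false;
  }
  return u.protocol === "https:" && ALLOWED_RETURN_HOSTS.has(u.hostname.toLowerCase());
}

// Side-by-side comparison on constructed inputs; returns the rows so they can
// be inspected or asserted on.
function compareChecks() {
  const samples = [
    "https://login.office.example/callback",      // the intended host
    "https://dangling.office.example/callback",   // a subdomain nobody maintains
    "https://notoffice.example/callback",         // not even a subdomain
    "http://login.office.example/callback",       // right host, wrong scheme
  ];
  return samples.map(url => ({
    url,
    weak: weakHostCheck(url, "office.example"),
    allowlist: isAllowedReturnUrl(url),
  }));
}

if (typeof module !== "undefined" && require.main === module) {
  console.table(compareChecks());
}
```

The allowlist does not by itself protect against a host on the list being taken over, which is why the DNS records behind each allowed name need the same ownership and decommissioning discipline as the code; it does remove the class of bug where a name that was never meant to receive tokens is trusted because of how it is spelled.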
March 2019- reports of Egyptian government using OAuth apps to phish activists
Victims would receive an email that looked like a legitimate Gmail security alert.