Hello there!


Last week, we announced new capabilities in Microsoft Teams to empower healthcare professionals. As we approach HIMSS 19, I wanted to take this opportunity to provide some additional information about Microsoft Teams and our support and implementation of the FHIR standard, and to share some exciting news about partners that are going to enable the care coordination solution.
Care coordination and collaboration is one of the key pillars for our investments in Microsoft Teams in healthcare. The solution gives healthcare teams a secure hub for coordinating care across multiple patients. It provides for integration with electronic health records (EHR) systems and enables care providers to communicate about patient care in real-time within Teams’ secure platform. The key challenges that we aim to address are:

• Low efficiency in hand-offs and communication critical throughout the care continuum
• Siloed information that creates administrative burden in the healthcare system
• Growing dissatisfaction among clinicians with complex and fragmented collaboration tools
• Inefficient, in-person care coordination that can burn too much clinical time and cost




The care coordination solution in Microsoft Teams involves a first party tab app that integrates with electronic health record (EHR) systems via a FHIR (Fast Healthcare Interoperability Resources) interface to bring valuable medical information from the systems of record into Microsoft Teams. This enables clinical workers to collaborate and communicate across the care continuum. The care coordination solution can be enabled through partnerships with leading healthcare Independent Software Vendors (ISVs) that can connect the care coordination solution to your EHR systems and bridge the gap between existing health data standards like HL7v2 and FHIR.
As of today, we’re extremely proud to announce working partnerships with the following healthcare partners to establish electronic health record integration:
Datica (through their CMI offering)
Infor Cloverleaf (through the Infor FHIR Bridge)
Redox (through the R^FHIR server)
Dapasoft (through Corolar on FHIR)


So, why FHIR and what does Microsoft Teams do with it?
One of the key challenges to achieving coordinated care is the lack of interoperability between electronic systems in healthcare. Enabling interoperability through an industry backed standard like FHIR enables clinicians to have the best information available at the point of care when making diagnosis and treatment decisions.


The HL7 Fast Healthcare Interoperability Resources (FHIR) standard is rapidly gaining support in the healthcare community as the next generation standards framework for interoperability, and it’s clear why. FHIR is an extensible and modern standard based on a suite of web API technologies including HTTPS and RESTful protocols. In August 2018, Microsoft joined with Amazon, Google, IBM, and other companies in a commitment to remove barriers for the adoption of technologies that support healthcare interoperability, particularly those that are enabled through the cloud and AI. Supporting the FHIR standard and investing in open source to enable FHIR is core to that commitment for all product teams focused on healthcare within Microsoft, and Microsoft Teams is no exception. In fact, the decision to leverage FHIR has been a key component of our architecture from the beginning of this journey.


So, tell me more about the features of the care coordination solution …
Today, the 1st party app (which sits in the general channel of a Team as a tab app) lets a care team (doctors, physician assistants, nurses, social workers, dietitians, case managers and more in a hospital unit or ward) create lists of patients that they want to monitor to coordinate care.
The app has an underlying service layer with an operational FHIR client interface that can query relevant patient medical information, connected to underlying EHR systems deployed within a provider organization. Listed below are some of its key features:
• Ability to fetch latest patient data from the EHR systems
• Ability to create multiple patient lists within a single channel.
• Ability to view and sort information displayed about patients through configurable columns.
• Ability to auto-provision the application through a team template.
• Available on the Teams App for iOS and Android for mobile first healthcare workers.
• Support for FHIR DSTU2 and STU3 versions via parsing of conformance statement.

The services that power this are aligned with the FHIR open source community: they use an open source FHIR parser library from GitHub (which is maintained by several key members of the FHIR community) as a key component of our code base to parse FHIR objects. The Microsoft Teams FHIR implementation is also aligned with Project Argonaut (and follows the US Core Profiles) for all the FHIR resources it consumes.


What about HIPAA and storage of ePHI data within Microsoft Teams?
Microsoft Teams is Tier D compliant per the Office 365 compliance framework and boasts support for the HITRUST CSF and HIPAA BAA which allows a covered entity to sign a BAA (business associate agreement) per Microsoft Volume licensing and Online service Terms. Therefore Microsoft Teams can be used to store and share ePHI data. Learn more about Microsoft Teams security and compliance here.

As far as the care coordination solution goes, the data it pulls from EHR systems is not stored at rest. Also, there are 11 events for read actions performed by clinical users inside the Microsoft Teams care coordination solution that show up in the Security and Compliance audit logs.




How can my organization participate?
Since the Microsoft Teams Patients application is still in private preview, we’re looking to partner with customers who would like to model their care coordination scenarios on Microsoft Teams. If you’re interested in connecting your EHR system to Microsoft Teams for care coordination scenarios, please reach out to your Microsoft account team or partner. Additionally, our team will also be present at HIMSS19 at booth #2500, so please come visit us!


As always, we appreciate your feedback and participation in the private preview to help improve our product while driving positive outcomes for your healthcare organization. Thank you for reading and stay tuned for updates. We’re excited about bringing Microsoft Teams to the healthcare industry!
Please feel free to post questions and/or feedback about Microsoft Teams in healthcare on the Health and life sciences discussion board.

We are listening.


Recently on the OWASP DevSlop Show, Teri Radichel and I performed a security assessment of the Azure implementation for DevSlop.co. We did it based on my previous blog post, Pentesting Azure — Thoughts on Security in Cloud Computing. You may want to read that article before you continue.

You can watch the video of the security assessment here. Subscribe to the DevSlop YouTube Channel for more awesome content like this!

“Because you can’t always blame Canada” — Teri and I causing trouble at a karaoke bar in Seattle

The first step to any PenTest is setting your Scope, Goals and Rules of Engagement for yourself and your client. You would restate this in your findings report, and you should always have a signed agreement from the client before you test anything.


Below is the scope of the testing and assessment that we did on the DevSlop show.

Scope: https://DevSlop.co, the DevSlopPatty Resource Group, the TANYA Azure Subscription (my subscription ID would be included in the doc). Nothing more.

Rules of engagement: Do not attack other tenants, or the Azure Service Fabric (that’s Microsoft’s underlying infrastructure that makes Azure). Some manual testing, some scanning, but mostly using Azure Security Center. Also: dates and times for testing.

Goals: Lock down DevSlop.co and my entire subscription.

Inform: We informed Azure that we were going to be performing security testing activities, and received acknowledgement before starting. **


** It is not mandatory that you inform Microsoft in advance of a PenTest, but for most other cloud providers you must ask permission. Informing Azure in advance of your testing takes 2 minutes, and may simplify your testing. Definitely worth doing.**

I’ve greatly improved my score since the test.

Executive summary:

Turn on all the security features in Azure Security Center (app whitelisting, file integrity monitoring), select a network security model and apply it (use network security groups), fix your VM security misconfigurations and keep patching it, address the 2 database VA (Vulnerability Assessment scan) findings, and consider getting a WAF (Web Application Firewall).


Risk Summary:

This Azure implementation (application + network + infrastructure) is very secure from an outsider threat, as the application has had regular security testing and is using only known-to-be-secure and up-to-date components and frameworks. The subscription itself is also very secure from outside threats, thanks to the usage of Azure Security Center, a security policy, and the tight controls over subscription access (MFA + difficult password + excellent password hygiene).


This system is not very safe from an insider-threat, assuming the malicious actor could gain access to the subscription. As only this subscription, not the “top level subscription”, was in scope, this was not investigated.


If the application was compromised, it appears that the threat protection could potentially stop some types of attacks (SQL Server or Storage attacks only) and report on the damage after; however, the protection against malicious attacks is not as substantial as it could be. Multiple tools would be better.

If you want to learn about what we did to get these results, read the previous article: Pentesting Azure — Thoughts on Security in Cloud Computing. If you prefer to see what we did and follow along with us, watch the video. Better yet: do both.


PenTest Report — The Findings

A “+” indicates a pass, while a “X” indicates a fail of the test. Multiple “+” were used when a defense offers protection in multiple ways.


  1. Azure Security Centre (ASC) is turned on, with the default security policy. ++

  2. MFA (Multi-Factor Authentication) is enabled for subscription access. Use of a 64-bit random character that is saved into a password manager is one of the factors; the other is Microsoft’s Authenticator app, which requires not only physical access to and unlocking of a second device but also a fingerprint. It could be argued that 3 factor auth is being used. +++

  3. ASC has 100% coverage of all subscriptions that were in scope of this assessment. +

  4. TANYA subscription was *not* compliant with the Azure Policy, earning a secure score of 340/580. (points are removed for each item below)

  5. JIT was enabled on the one VM in the subscription, properly configured +

  6. Threat Protection was enabled on all possible resources, properly configured. +

  7. Regular VAs are enabled and scheduled for the one database (+), however the database is not in compliance with VA results (X).

  8. There is no network security plan or model in place. X

  9. There are no Network Security Groups (NSGs). X

  10. Adaptive Application Controls (Application Whitelisting) is not enabled. X

  11. File Integrity Monitoring is not enabled. X

  12. DevSlop.co is not protected by a WAF (web application firewall). X

  13. DevSlop.co forces HTTPS only on the app service. +

  14. There are no other security tools installed, such as IPS/IDS (intrusion prevention and detection systems), SIEM, or any other products or tools. X

Score: 10/17

No one outside of the DevSlop project team has permission to do testing on our site, DevSlop.co. If you want to test it, you must reach out to us and *ask permission*.

Database Specific Findings:

  1. Firewall rules not restrictive enough/non-existent X

  2. Using DB Owner privilege for an app that definitely does not require it (apply least privilege) X

  3. Sensitive data columns are not labelled properly X

  4. Regular VAs configured +

  5. Threat Protection & Detection Enabled +

  6. JIT enabled +

  7. Auditing and logging enabled +

  8. Database not internet accessible. +
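
For database findings 1 and 2, this is one way to check and tighten the configuration from inside an Azure SQL database. It is an added example, not part of the original report or the DevSlop code; the user `[devslop_app]`, the role `[app_rw]`, the rule names and the 203.0.113.10 address are hypothetical placeholders.

```sql
-- Added example, not from the original report. [devslop_app], [app_rw],
-- 'AllowAll', 'AppOutbound' and 203.0.113.10 are hypothetical placeholders.

-- Finding 1: list database-level firewall rules, widest range first.
-- (Server-level rules are listed in sys.firewall_rules in the master database.)
SELECT r.name, r.start_ip_address, r.end_ip_address,
       e.n - s.n + 1 AS addresses_allowed
FROM sys.database_firewall_rules AS r
CROSS APPLY (SELECT CAST(PARSENAME(r.start_ip_address, 4) AS bigint) * 16777216
                  + CAST(PARSENAME(r.start_ip_address, 3) AS bigint) * 65536
                  + CAST(PARSENAME(r.start_ip_address, 2) AS bigint) * 256
                  + CAST(PARSENAME(r.start_ip_address, 1) AS bigint) AS n) AS s
CROSS APPLY (SELECT CAST(PARSENAME(r.end_ip_address, 4) AS bigint) * 16777216
                  + CAST(PARSENAME(r.end_ip_address, 3) AS bigint) * 65536
                  + CAST(PARSENAME(r.end_ip_address, 2) AS bigint) * 256
                  + CAST(PARSENAME(r.end_ip_address, 1) AS bigint) AS n) AS e
ORDER BY addresses_allowed DESC;

-- Replace a wide rule with the single address the application connects from.
EXECUTE sp_delete_database_firewall_rule @name = N'AllowAll';
EXECUTE sp_set_database_firewall_rule
    @name = N'AppOutbound',
    @start_ip_address = '203.0.113.10',
    @end_ip_address   = '203.0.113.10';

-- Finding 2: list every principal that currently holds db_owner.
SELECT m.name AS member_name, m.type_desc
FROM sys.database_role_members AS rm
JOIN sys.database_principals AS r ON r.principal_id = rm.role_principal_id
JOIN sys.database_principals AS m ON m.principal_id = rm.member_principal_id
WHERE r.name = N'db_owner';

-- Move the application account to a role that can only read and write rows
-- in the dbo schema, then take it out of db_owner.
CREATE ROLE [app_rw];
GRANT SELECT, INSERT, UPDATE, DELETE ON SCHEMA::dbo TO [app_rw];
ALTER ROLE [app_rw] ADD MEMBER [devslop_app];
ALTER ROLE db_owner DROP MEMBER [devslop_app];
```

Add the new role before dropping `db_owner` so the application is never left without access, and grant `EXECUTE` on individual stored procedures only if the application calls them.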



Compute-Specific Findings (on one single VM):

  1. Missing disk encryption on server X

  2. 66 Critical security misconfigurations X

  3. 28 Warning security misconfigurations X

  4. JIT Configured +

1/4 (note: it does not list all the things we did correctly in this section)

You may think from this report that the security of the DevSlop.co Azure implementation (network + app + infrastructure) is not very good, but it’s actually not that bad at all. This report is aiming for perfection, and we are actually doing “okay”, especially considering our app doesn’t carry any real-world value. This is definitely something that would require an in-depth discussion on risk to explain further; perhaps a future blog post.


If you want to know more about Teri Radichel and cloud security you should read her blog, or hire her. You can also see her on the conference circuit at events such as B-Sides Vancouver in March, 2019 (I will be there too!).

Please follow me on Twitter, on LinkedIn, and subscribe to this blog, watch the DevSlop show on Mixer, Twitch or subscribe and watch the reruns on YouTube. Thanks for reading!


** Special thanks to @sigje and Teri for helping with this post. They both have great blogs that you should definitely follow. I do.


Surface Pro 6 is now supported on Microsoft Teams Rooms devices.  Check out specific SKU support by processor type, RAM, and storage size here.


One additional note – we’re now in the process of updating references to “Skype Room Systems v2” with the new “Microsoft Teams Rooms” product name on docs.microsoft.com.  Expect to see the change in the coming weeks.


I’ve also moved my MTR blog postings to the Teams page starting with this posting.


Dear Readers,


It’s been my pleasure to provide Skype Room Systems v2 updates and articles on the Skype for Business page.  I’ll now be posting articles on the Teams page to reflect the recent product name change to Microsoft Teams.  Check out my latest posting here.


See you on the Teams page!





This week Microsoft announced security notifications delivered in the Microsoft Authenticator app, the availability of Azure Data Explorer (Kusto) and the recently released Remote Autopilot Reset feature for Intune for Education.


 is our Member of the Week, an excellent contributor especially in the Microsoft Teams and Skype for Business IT Pro spaces.


View the Weekly Roundup for February 4-8, 2019 in a Sway and attached Word document.





We’re excited to announce new improvements to the SharePoint Migration Tool for the month of February.


Designed to be used for migrations ranging from the smallest set of files to a large scale enterprise migration, the SharePoint Migration Tool will let you bring your information to the cloud and take advantage of the latest collaboration, intelligence, and security solutions with Office 365.


Over the past several months we’ve been continually working to add features to the SharePoint Migration Tool to help you accelerate your journey to Microsoft 365, from support for full site migrations, to incremental improvements to the user experience – the SharePoint Migration Tool is designed to support migrations of all sizes. This month we’re adding some exciting new improvements to help you on your journey to the cloud.


Improvements this month include:


Managed Metadata Service support

If you have an existing taxonomy in SharePoint Server 2013, the SharePoint Migration Tool can now migrate your content types and term stores to Office 365. Global term store migration requires global tenant admin permissions.


Web Parts Support, Site Navigation, and more…

The SharePoint Migration Tool has continuously improved to support more complex migration requirements, from a humble beginning of accelerating file migration to incremental improvements leading up to complete SharePoint 2013 site migrations. Now using the SharePoint Migration Tool you can migrate just about every element of SharePoint sites that you care most about including Web Parts, Pages, and site navigation!


For a detailed list of improvements in this release, refer to the release notes at https://docs.microsoft.com/en-us/sharepointmigration/new-and-improved-features-in-the-sharepoint-migration-tool.


If you’re new to the SharePoint Migration Tool, keep reading below to learn more about how you can transform your business by bringing it to the cloud.


About the SharePoint Migration Tool

The SharePoint Migration Tool is designed to simplify your journey to the cloud through a free, simple, and fast solution to migrate content from on-premises SharePoint sites and file shares to SharePoint or OneDrive in Office 365.  The SharePoint Migration Tool allows you to accelerate your journey to Office 365 overcoming obstacles typically associated with migration projects.  With the SharePoint Migration Tool you can evaluate and address the information that matters the most to your organization, the Libraries, and now Lists that form the foundation of the SharePoint experience.  Using the SharePoint Migration Tool you can start your migration today and take advantage of the full suite of features and security capabilities that Office 365 offers.


Keep reading to learn more about the SharePoint Migration Tool or download the latest version now at https://aka.ms/SPMT.


Getting Started

You can download the SharePoint Migration Tool at http://aka.ms/SPMT.  Through v3 of the SharePoint Migration Tool you’ll have available to you the innovation we’re delivering to help you bring your information to the cloud and take advantage of the latest collaboration, intelligence, and security solutions with Office 365.


What’s next…

Through continued innovation across migration scenarios we’ll be adding more capabilities over time to the SharePoint Migration Tool, including support for more SharePoint versions, site structure migrations, and more.  Subscribe here to stay up to date on future announcements for SharePoint and Office 365.


Wrapping Up…

Whether you’re looking to migrate from file shares on-premises to SharePoint or OneDrive or from on-premises versions of SharePoint, the SharePoint Migration Tool is designed to support the smallest of migrations to large scale migrations with support for bulk scenarios.


Learn more about migrating to Office 365 at https://resources.techcommunity.microsoft.com/cloud-migration/.

Learn more about the SharePoint Migration Tool at https://support.office.com/en-us/article/Introducing-the-SharePoint-Migration-Tool-9c38f5df-300b-4adc-8fac-648d0215b5f7.

Prepare your environment for migration using the SharePoint Migration Assessment Tool by learning more at https://www.microsoft.com/en-us/download/details.aspx?id=53598.


For over 10 years we have seen Yammer helping organizations everywhere connect and engage employees in lots of different ways, but the one consistent thing we’ve seen is the ability Yammer has to create connections that form communities. These range from communities that host C-suite-to-employee conversations or HR voice-of-the-employee channels, to communities of interest that drive change through inclusion and diversity, to communities of practice that improve knowledge management. The power and impact of communities in the workplace is undeniable. Understanding and harnessing communities can quickly lead to impact.




Jim Harter Ph.D., a chief scientist at Gallup Research and expert on the topic of employee engagement explained in an email interview in 2013 with the Harvard Business Review that “engaged employees are more attentive and vigilant. They look out for the needs of their coworkers and the overall enterprise, because they personally ‘own’ the result of their work and that of the organization.” 


And the same remains true today. We hear it from our customers all the time. The communities within their organizations are changing the way they work, challenging the status quo and chiming in to improve business processes that save time and money.


Our vision is to empower and connect every person across an organization to maximize their impact. Yammer’s core focus is to inform and engage, breaking down silos through multi-way conversations and non-invasive productivity.




At Kimberly-Clark the impact of community was identified when a team of sales representatives, who were spread across a large geographical area, started sharing pictures on Yammer of in-store displays of stacked toilet paper. Soon after, they started asking each other questions. That resulted in the sales support team being tagged on more complex issues. They moved faster, crowdsourced solutions, and felt more connected as a team. Not only did this small community of sales people in New Zealand grow in value for these front-line employees, it became an example and a catalyst for a shift in the way Kimberly-Clark wants their people to engage.


Ernst and Young is a great example of how connection can positively impact employees. They are using communities of interest to connect people across their organization with Yammer groups dedicated to topics and movements such as Pride, a women’s leadership network, today’s family, working moms and wellness groups. Members offer up tips, ask questions, and share work-life perspectives that build bonds that help each other feel connected to a bigger purpose. Even though some of these are not directly work related, the value has come from the relationships that have been built that make this valuable in their company culture.


UNICEF has taken the impact of engagement to the next level. Paola Storchi stated that “Yammer has harnessed the power of the passion behind the people who work for the company.” Employees at UNICEF have used communities to show how deeply they care about the work they do. And what’s also amazing about this story is the technology is so light and easy to use it can engage employees wherever they are located, even in some of the most remote places in the world. By tapping into the local group members, UNICEF was able to triple the growth they saw in engagement in the network.




There is power in community. Some might even call it Yammer’s super power.


It can impact the bottom line through more engaged employees. The social foundation we provide our employees can be a platform that spans the organization and breaks down communication silos. We can create an inclusive and productive environment centered around our people and the value they bring.


Download the Yammer superhero infographic to see where Yammer can impact your company.