Information security

Rehngruppen's information security work ensures that information is always reliable, accurate and complete. It also ensures that information is available when it is needed in daily operations and that it is not disclosed to unauthorized persons.

How does Rehngruppen's systematic security management work?

The Swedish Civil Contingencies Agency (MSB) recommends continuous security checks throughout the development process, from requirements to implementation. Rehngruppen follows these guidelines through close collaboration within the development team, which ensures that all security requirements are taken into account from the very beginning of a project.

MSB also suggests using tools such as Microsoft Defender for Cloud and Azure security features to identify and manage security threats. Rehngruppen has integrated these tools into its security checks, both to get a complete picture of the security situation and to be able to react quickly to any vulnerabilities.

Rehngruppen takes security seriously and works according to the recommendations and guidelines set by MSB. We have a systematic approach to ensure that all our development projects are secure and meet the highest security requirements.

How does Rehngruppen work with Microsoft Defender for Cloud?

Rehngruppen uses Microsoft Defender for Cloud to ensure the security of the Microsoft 365 | Templates add-in. Microsoft Defender for Cloud is an all-in-one security platform that offers a wide range of tools and services to protect your organization's Microsoft 365 environment.

With Microsoft Defender for Cloud, Rehngruppen can get information about potential security threats and fraud targeting add-ins. The platform uses advanced security scanning to detect and protect against malicious files, emails, scripts and programs. In addition, Microsoft Defender for Cloud offers insight into the latest security threats and provides information on how to address them.

Microsoft Defender for Cloud offers detailed information on the security status of the development environment, such as security configurations, patch and update levels, and event logs. By following the recommendations provided by Microsoft Defender for Cloud, we at Rehngruppen can take the necessary steps to secure the development environment. Together with Azure security features, Microsoft Defender for Cloud offers a comprehensive security solution for Rehngruppen's Microsoft 365 environment.

Azure security features provide additional protection against fraud and cyber threats, including the ability to monitor and respond to security incidents.

In summary, Microsoft Defender for Cloud and Azure security features provide the level of protection necessary for Rehngruppen, both to ensure the security of the 365|Templates add-in and to prevent potential security threats.

How do Microsoft Office Add-ins work?

Microsoft Office 365 add-ins add features to Office programs such as Word, Excel and PowerPoint. Add-ins are developed using web technologies, such as React and TypeScript, and run in an embedded browser (webview) inside the Office programs.

Security is an important issue when it comes to add-ins. Microsoft Office 365 ensures that add-ins only have access to the features and data they need to work. Add-ins must also meet a variety of security requirements, such as authentication and encryption.

How are Rehngruppen Add-ins structured?

Rehngruppen add-ins are, according to Microsoft's recommendations, built using React and TypeScript.

365 | Templates consists of two programs: an Office add-in that is registered in Microsoft 365 for Word, PowerPoint and/or Excel, and a web application, the 365 | Templates Admin portal at templateextender.com, where you manage all Office content.

What does Rehngruppen do to protect data from unauthorized persons?

Where are the servers located?
The servers are located in Amsterdam (Microsoft Azure West Europe).

Which platform does 365|TemplateExtender use?
It is a cloud-based solution. All our applications (web apps and APIs) run in Azure, so we have a 99.9% SLA on the Microsoft platform. The data center is Microsoft West Europe. Only a few people in the development department have administrator rights to change and create new services in Azure. On all Azure services we have turned on Defender and do not open up more than necessary; we also have diagnostic logs enabled for our Azure apps.

How is the source code for 365|TemplateExtender handled?
We use DevOps with continuous integration. We have different deployment slots for testing code or deploying a bug fix. Only developers who work on the project have access to the source code, and these users are protected with two-factor authentication. Backup and version management take place in DevOps.

What is logged on the servers?
What is logged on the servers is how many unique users start the panel each month. The users are saved in the form of their Microsoft ID, so the record cannot be traced to a person by anyone who cannot log in to the Microsoft 365 environment with the right permissions.

How often is backup taken?
Backup of data (such as templates and images) takes place once an hour to an Azure storage.

Who, at Rehngruppen, accesses the information for a customer on the server? Can Rehngruppen subcontractors access the information?
At Rehngruppen there are two super administrators. They have the same access to the material as you have as a customer, and they also have access to the servers and the technical environment. The super administrators can give access to others in the project who need it. A user with the administrator role can also give access to other users.

Is TemplateExtender intended to be used for confidential information?
No. TemplateExtender is used for branded Office templates, as well as images and icons, that users can reuse in their documents. Rehngruppen does not store any information about users. The personal information that can be used in Word templates is retrieved via Microsoft Graph; Rehngruppen never caches personal data and does not write data into any other system. An administrator must authorize the system to read data from Microsoft 365 via Graph.

Is data encrypted in TemplateExtender?
Template Extender uses HTTPS (Hypertext Transfer Protocol Secure) with TLS 1.2 for the add-in, portal and APIs. TemplateExtender uses MSAL and OAuth 2.0 to authenticate users and also sends keys protected with HMAC-SHA-256 in API calls.

Who administers the solution?
Template Extender is administered by one or more selected administrators at the customer. They are authorized to create more users in the portal, and also more administrators with the right to administer users. Who gets access to the add-in is managed by the customer's Microsoft 365 administrator (under Settings / Integrated apps).

What happens to our data if we cancel the service?
After the subscription to the solution is terminated, all content is deleted in consultation with the customer, within 30 days.

What would potentially happen if Rehngruppen portal was breached?

Is it possible, in the portal, to upload viruses or malware that affect the organization's users of the Office add-in?
To upload material (such as templates, images and PowerPoint slides), an account with sufficient rights is needed in the portal (templateextender.com).

Only templates in docx, xlsx or pptx format and presentations (slides) in pptx format can be uploaded in the portal. When uploading, it is verified that the files are in the correct format and do not contain macros.

Word content blocks ("contents") are uploaded from the Office add-in by users with permission to do so, by selecting content in the active document and saving it. This markup is uploaded in OOXML format and cannot contain macros.
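One way to implement the upload checks described above (format allow-list plus macro rejection), written as an added example for this page rather than Rehngruppen's own code. A .docx, .xlsx or .pptx file is a zip container whose central directory names every part, and VBA macros always live in a part named vbaProject.bin, so the validator enumerates the part names instead of trusting the file extension; a macro-enabled file renamed to .docx is therefore still rejected. The zip builder, the sample packages and the rejection messages are constructed for the example.

```typescript
// Added example (not Rehngruppen's code): validate an uploaded Office
// template by extension allow-list, zip structure and absence of a VBA part.

// CRC-32 is only needed to build valid zip fixtures below.
function crc32(data: Buffer): number {
  let crc = 0xffffffff;
  for (let i = 0; i < data.length; i++) {
    crc ^= data[i];
    for (let b = 0; b < 8; b++) crc = (crc >>> 1) ^ (0xedb88320 & -(crc & 1));
  }
  return (crc ^ 0xffffffff) >>> 0;
}

// Build a zip with STORED (uncompressed) entries: local headers, central
// directory and end-of-central-directory record. Used only for test files.
function buildStoredZip(entries: Array<[string, Buffer]>): Buffer {
  const locals: Buffer[] = [];
  const centrals: Buffer[] = [];
  let offset = 0;
  for (const [name, data] of entries) {
    const nameBuf = Buffer.from(name, "utf8");
    const crc = crc32(data);
    const local = Buffer.alloc(30 + nameBuf.length);
    local.writeUInt32LE(0x04034b50, 0);    // local file header signature
    local.writeUInt16LE(20, 4);            // version needed to extract
    local.writeUInt32LE(crc, 14);
    local.writeUInt32LE(data.length, 18);  // compressed size (stored)
    local.writeUInt32LE(data.length, 22);  // uncompressed size
    local.writeUInt16LE(nameBuf.length, 26);
    nameBuf.copy(local, 30);
    const central = Buffer.alloc(46 + nameBuf.length);
    central.writeUInt32LE(0x02014b50, 0);  // central directory header signature
    central.writeUInt16LE(20, 4);
    central.writeUInt16LE(20, 6);
    central.writeUInt32LE(crc, 16);
    central.writeUInt32LE(data.length, 20);
    central.writeUInt32LE(data.length, 24);
    central.writeUInt16LE(nameBuf.length, 28);
    central.writeUInt32LE(offset, 42);     // offset of the local header
    nameBuf.copy(central, 46);
    locals.push(local, data);
    centrals.push(central);
    offset += local.length + data.length;
  }
  const cd = Buffer.concat(centrals);
  const eocd = Buffer.alloc(22);
  eocd.writeUInt32LE(0x06054b50, 0);       // end of central directory signature
  eocd.writeUInt16LE(entries.length, 8);
  eocd.writeUInt16LE(entries.length, 10);
  eocd.writeUInt32LE(cd.length, 12);
  eocd.writeUInt32LE(offset, 16);
  return Buffer.concat([...locals, cd, eocd]);
}

// Enumerate part names from the central directory; nothing is decompressed.
function listZipEntries(file: Buffer): string[] {
  let eocd = -1;
  for (let i = file.length - 22; i >= 0; i--) {
    if (file.readUInt32LE(i) === 0x06054b50) { eocd = i; break; }
  }
  if (eocd < 0) throw new Error("not a zip container");
  const count = file.readUInt16LE(eocd + 10);
  let pos = file.readUInt32LE(eocd + 16);
  const names: string[] = [];
  for (let n = 0; n < count; n++) {
    if (pos + 46 > file.length || file.readUInt32LE(pos) !== 0x02014b50) throw new Error("corrupt central directory");
    const nameLen = file.readUInt16LE(pos + 28);
    const skip = file.readUInt16LE(pos + 30) + file.readUInt16LE(pos + 32); // extra + comment
    names.push(file.toString("utf8", pos + 46, pos + 46 + nameLen));
    pos += 46 + nameLen + skip;
  }
  return names;
}

// Allowed extensions, each mapped to the folder that package type must contain.
const ALLOWED: Record<string, string> = { docx: "word/", xlsx: "xl/", pptx: "ppt/" };

function validateTemplateUpload(fileName: string, file: Buffer): { ok: boolean; reason?: string } {
  const ext = fileName.toLowerCase().split(".").pop() ?? "";
  const root = ALLOWED[ext];
  if (!root) return { ok: false, reason: `extension .${ext} is not allowed` };
  if (file.length < 22 || file.readUInt32LE(0) !== 0x04034b50) return { ok: false, reason: "not an OOXML package" };
  let names: string[];
  try { names = listZipEntries(file); } catch (e) { return { ok: false, reason: (e as Error).message }; }
  if (!names.includes("[Content_Types].xml") || !names.some(n => n.startsWith(root))) {
    return { ok: false, reason: `package content does not match .${ext}` };
  }
  // A macro-enabled document renamed to .docx still carries its VBA part.
  const macro = names.find(n => n.toLowerCase().endsWith("vbaproject.bin"));
  if (macro) return { ok: false, reason: `contains macro part ${macro}` };
  return { ok: true };
}

// Constructed sample packages: a clean template and one carrying a VBA project.
const CONTENT_TYPES = Buffer.from('<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>');
const CLEAN_DOCX = buildStoredZip([
  ["[Content_Types].xml", CONTENT_TYPES],
  ["word/document.xml", Buffer.from("<w:document/>")],
]);
const MACRO_DOCX = buildStoredZip([
  ["[Content_Types].xml", CONTENT_TYPES],
  ["word/document.xml", Buffer.from("<w:document/>")],
  ["word/vbaProject.bin", Buffer.from([0xd0, 0xcf, 0x11, 0xe0])],
]);
```

Checking the central directory rather than [Content_Types].xml keeps the validator independent of the compression used for the XML parts; a production version would additionally parse the content types and cap the package size before reading it into memory.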

Is it possible to extract sensitive information from the organization's Microsoft 365 tenant - such as emails, documents or SharePoint content?
No. It is not. The add-in is registered with a manifest. The manifest defines how 365|TemplateExtender communicates with the organization's Microsoft 365 tenant (through Microsoft Graph). When the manifest is registered by an administrator in Microsoft 365, it shows the permissions required to run the add-in. Two read permissions are mandatory to use 365|TemplateExtender: User.Read and Organization.Read.All. These are used to log in via OAuth 2.0 with the user's Microsoft 365 account, and for the user to get the right templates, images, presentations and so on.

If the organization wants members of different Microsoft 365 groups to access different content, the Group.Read.All permission also needs to be allowed. This is done by an administrator who is allowed to change the permission.

We do not store any sensitive information in our systems. If you choose to link content to a specific Microsoft 365 group, we save the ID and name of the group, but not who is in the group or any other information. Similarly, we do not save any user data in our systems; it is accessed through Microsoft's Graph APIs.

Is it possible to create, edit or delete content in the organization's Microsoft 365 tenant - such as emails, documents or SharePoint content?
No. We only read data via User.Read, Organization.Read.All and, if applicable, Group.Read.All. These are the only parts we have read rights to. We never have the right to create, edit or delete anything in the organization's Microsoft 365 tenant.

How do I know that the content uploaded by me is not available to another organization?
To identify who you are, we use OAuth 2.0 and MSAL. You log in with your Microsoft 365 account, and from your login we read which tenant you belong to. All calls you make carry this information in encrypted form. We check that your login is valid, and the information about who you are is carried in it. This means that other users do not have access to what you have uploaded to templateextender.com.

How does 365 | Templates single sign-on work?

1. 365 | Templates requests a bootstrap token from the Office program.
2. If the user is not logged in, the Office client program opens a pop-up window for the user to log in.
3. If 365 | Templates is not registered as an enterprise application in the client's Azure AD, a pop-up window is displayed to consent to registration.
4. The Office client application requests a token from the Azure AD v2.0 endpoint for the current user.
5. Azure AD returns the add-in token to the Office client application.
6. The Office application returns the token to 365 | Templates.
7. The token is decoded to read information about the user.
8. The token is used to access the Microsoft Graph API.

What data is retrieved from the Microsoft Graph API?

The following data is always retrieved from the Microsoft Graph API at each login. The data is not stored outside the customer's tenant. The only two values sent are userPrincipalName and the default verified domain. These are sent encrypted and are only used to verify the user's identity.

User profile including profile picture (https://graph.microsoft.com/v1.0/me)
a. displayName
b. jobTitle
c. officeLocation
d. mail
e. mobilePhone
f. businessPhones
g. userPrincipalName
h. photo

Organization information from (https://graph.microsoft.com/v1.0/organization)
a. displayName
b. street
c. postalCode
d. city
e. state
f. country
g. businessPhones
h. verifiedDomains

Optional
It is possible to receive different content depending on which Office 365 groups the user is a member of. If this feature is enabled, a list of the group IDs (unique identifiers) registered in the Rehn REST API is retrieved, and the list is posted to https://graph.microsoft.com/v1.0/me/checkMemberGroups to check whether the user is a member of any of these groups.

Only the IDs and names of groups selected by an administrator are stored outside the customer's tenant; group members and other information are not stored in our environment.
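An added example (not Rehngruppen's code) covering steps 7 and 8 of the single sign-on flow above and the Graph calls behind the field lists: it decodes the token's claims, checks that the token was issued for this application and tenant and is inside its validity window, and builds the Graph requests with $select limited to the fields listed, batching checkMemberGroups at Graph's limit of 20 group IDs per call. The application ID, tenant ID, user name and token are constructed placeholders. Decoding reads the claims only; before an API trusts them it must also verify the token's signature against Azure AD's published signing keys, which this example does not do.

```typescript
// Added example (not Rehngruppen's code): claim checks on the SSO token and
// the Microsoft Graph requests issued at login. IDs below are placeholders.

type Claims = Record<string, unknown>;

function base64url(json: object): string {
  return Buffer.from(JSON.stringify(json)).toString("base64url");
}

// Step 7: read the claims. This only parses the payload; the signature must
// still be verified against Azure AD's signing keys server-side (not shown).
function decodeJwtClaims(token: string): Claims {
  const parts = token.split(".");
  if (parts.length !== 3) throw new Error("not a compact JWS");
  return JSON.parse(Buffer.from(parts[1], "base64url").toString("utf8"));
}

interface Expectation { audience: string; tenantId: string; now: number; }

// Reject tokens minted for another app, another tenant, or outside their window.
function checkClaims(c: Claims, e: Expectation): { ok: boolean; reason?: string } {
  if (c.aud !== e.audience) return { ok: false, reason: "audience mismatch" };
  if (c.tid !== e.tenantId) return { ok: false, reason: "tenant mismatch" };
  if (typeof c.exp !== "number" || c.exp <= e.now) return { ok: false, reason: "expired" };
  if (typeof c.nbf === "number" && c.nbf > e.now) return { ok: false, reason: "not yet valid" };
  if (typeof c.preferred_username !== "string") return { ok: false, reason: "no user identity" };
  return { ok: true };
}

interface GraphRequest { method: "GET" | "POST"; url: string; body?: object; }

const GRAPH = "https://graph.microsoft.com/v1.0";
// Exactly the fields the FAQ lists; $select keeps the response to those.
const USER_FIELDS = ["displayName", "jobTitle", "officeLocation", "mail", "mobilePhone", "businessPhones", "userPrincipalName"];
const ORG_FIELDS = ["displayName", "street", "postalCode", "city", "state", "country", "businessPhones", "verifiedDomains"];

// Step 8: requests issued at login. checkMemberGroups accepts at most 20 IDs
// per call, so a longer administrator-selected list is split into batches.
function buildGraphRequests(groupIds: string[] = []): GraphRequest[] {
  const reqs: GraphRequest[] = [
    { method: "GET", url: `${GRAPH}/me?$select=${USER_FIELDS.join(",")}` },
    { method: "GET", url: `${GRAPH}/me/photo/$value` },
    { method: "GET", url: `${GRAPH}/organization?$select=${ORG_FIELDS.join(",")}` },
  ];
  for (let i = 0; i < groupIds.length; i += 20) {
    reqs.push({ method: "POST", url: `${GRAPH}/me/checkMemberGroups`, body: { groupIds: groupIds.slice(i, i + 20) } });
  }
  return reqs;
}

// Constructed sample token with a placeholder signature, for a dry run.
const APP_ID = "00000000-0000-0000-0000-000000000001";    // placeholder
const TENANT_ID = "11111111-1111-1111-1111-111111111111"; // placeholder
const NOW = 1_700_000_000;                                // fixed clock for the example
const sampleToken = [
  base64url({ alg: "RS256", typ: "JWT" }),
  base64url({ aud: APP_ID, tid: TENANT_ID, exp: NOW + 3600, nbf: NOW - 60, preferred_username: "user@contoso.example" }),
  "placeholder-signature",
].join(".");
```

The tenant check matters for a multi-tenant add-in: a valid token from another organization must not unlock that organization's content in this one, which is the same property the FAQ describes for uploaded material.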

How does the Rehn REST API work?

The traffic between the API and the applications is encrypted. We use OAuth 2.0 and MSAL to authenticate the Microsoft 365 user. By reading the user profile, we can retrieve the default domain of the Microsoft 365 tenant to which the user belongs. The default domain is included (encrypted) in all requests to the API. This ensures that the user only receives data for the tenant to which the user belongs.

The content (such as templates, icons, images and presentations) is stored in the Rehn Group's Azure tenant. The Azure servers are located in the Western Europe region.
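An added example (not Rehngruppen's code) of the request pattern described above and the HMAC-SHA-256 protection mentioned under "Is data encrypted": the caller's default tenant domain travels with every API request together with an HMAC-SHA-256 tag, the API verifies the tag before using the domain, and the query is then scoped to that verified domain. Transport encryption (TLS) is outside the example. The key, the field names and the sample content rows are constructed assumptions.

```typescript
// Added example (not Rehngruppen's code): bind each API request to the
// caller's tenant domain with HMAC-SHA-256 and scope data by the verified domain.
import { createHmac, randomBytes, timingSafeEqual } from "crypto";

// Assumed: in a real deployment the shared secret lives in a secret store.
const API_KEY = randomBytes(32);

interface SignedRequest { tenantDomain: string; timestamp: number; tag: string; }

// The tag covers the domain and a timestamp, so a captured request can neither
// be replayed indefinitely nor re-pointed at another tenant.
function canonical(domain: string, ts: number): string {
  return `${domain.trim().toLowerCase()}\n${ts}`;
}

function signRequest(domain: string, ts: number, key: Buffer = API_KEY): SignedRequest {
  const tag = createHmac("sha256", key).update(canonical(domain, ts)).digest("hex");
  return { tenantDomain: domain, timestamp: ts, tag };
}

function verifyRequest(req: SignedRequest, now: number, key: Buffer = API_KEY, maxSkewSeconds = 300): { ok: boolean; reason?: string } {
  if (!Number.isFinite(req.timestamp) || Math.abs(now - req.timestamp) > maxSkewSeconds) {
    return { ok: false, reason: "timestamp outside window" };
  }
  const expected = createHmac("sha256", key).update(canonical(req.tenantDomain, req.timestamp)).digest();
  const given = Buffer.from(req.tag, "hex");
  // Constant-time compare; the length check satisfies timingSafeEqual's precondition.
  if (given.length !== expected.length || !timingSafeEqual(given, expected)) {
    return { ok: false, reason: "invalid tag" };
  }
  return { ok: true };
}

// Constructed content store: every row carries its owning tenant domain.
interface ContentRow { id: string; tenantDomain: string; name: string; }
const CONTENT: ContentRow[] = [
  { id: "t1", tenantDomain: "contoso.example", name: "Letterhead.docx" },
  { id: "t2", tenantDomain: "contoso.example", name: "Pitch.pptx" },
  { id: "t3", tenantDomain: "fabrikam.example", name: "Invoice.xlsx" },
];

// The API never takes the domain at face value: it filters only after verification.
function listContentFor(req: SignedRequest, now: number): ContentRow[] {
  const v = verifyRequest(req, now);
  if (!v.ok) throw new Error(`rejected: ${v.reason}`);
  const domain = req.tenantDomain.trim().toLowerCase();
  return CONTENT.filter(r => r.tenantDomain === domain);
}
```

Because the tag is computed over the domain, a client that changes the domain field in transit without the key produces a request whose tag no longer verifies, and the API refuses it before any query runs.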

How does the Rehn Admin REST API work?

The Rehn Admin REST API works in the same way as the Rehn REST API. This API is mainly used by the admin portal to manage users and domains. It uses different encryption, and all requests are identified by the user instead of by the tenant's default domain.

Template Extender & Group Policies

Why is my template button not working in Excel?

If you have a template button in Excel that is not working, it may be due to a Group Policy setting called "Force file extension to match file type". This setting may prevent Excel from opening templates via your template button.

To ensure that Excel can open templates correctly, this policy should be set to one of the following options:

0 - Allow different: Allow different file extensions without warning.
1 - Allow different but warn: Allow different file extensions but display a warning.

If, on the other hand, the policy is set to "2 - Always match file type", Excel will block files where the file extension does not exactly match the file type. This can stop the template button from working properly.

To resolve this issue, contact your IT administrator and ask them to change this Group Policy to either "0" or "1".

Group Policy path: HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\excel\security\extensionhardening

More information can be found here: Force file extension to match file type