Check out our blog containing technical articles and commentary by our executives and staff members.

Workaround for SharePoint Add-In ChromeControl Theming Issue

Posted on Aug 14, 2018 in From the Cloud, From the Lab, From the Mind

In 2012, Microsoft released the Add-In model to allow for rich custom applications built on top of SharePoint 2013 and SharePoint Online. A key part of this new model was for external web applications to be able to inherit much of SharePoint’s look-and-feel via a JavaScript toolset called the ChromeControl.

Unfortunately, this year (2018), the ChromeControl’s functionality broke inside of SharePoint Online. While SharePoint administrators can elect to change the theming of their SharePoint sites, the ChromeControl is now only able to bring in the default Blue theme. This is a tracked bug in GitHub:

Internal traction within Microsoft for fixing this bug in SharePoint Online has been challenging from what I understand. Yet deployed Production Add-Ins do depend on the ChromeControl to function. At EfficiencyNext, we’ve developed a workaround, involving a server-side class we’ve built called ThemeHelper. On the server-side, it downloads the theme colors and background image URL for a SharePoint site. Then, using a server-side generated CSS file, critical tag and class colors which are currently incorrectly specified by the ChromeControl’s CSS are overwritten by our CSS file. Here’s a video of this fix in action!

We hope Microsoft does get around to fixing this issue, as not all developers have the luxury of having both server-side code for their Add-Ins and the permission allowances for their Add-Ins to read the SharePoint site’s theme information. However, if your Add-In is fairly trusted in SharePoint environments, and you need coloring to be imported right, this is a way to go!

A link to our ThemeHelper class.

And an example of an ASP.NET generated CSS file that uses it with SharePoint’s style classes.

Need help implementing this fix or with SharePoint in general? Contact us! We’d love to see how we can help.

Our DC CyberWeek Event!

Posted on Oct 2, 2017 in From the Cloud, From the Mind, Press Releases

We are excited to be taking part in this year’s DC CyberWeek, a DC area series of events focused on CyberSecurity. EfficiencyNext will be hosting a limited seat round table with the topic of:

A Practical Discussion for Securing Your Accounts and Data

Maintaining a secure information environment is a challenge, particularly for companies and non-profits that are funded by grants, and do not have large security budgets. This roundtable will provide a venue for attendees to discuss how they have tackled this need, what tips they have to share, and what challenges they still face. A portion of the roundtable will be an open house presented by EfficiencyNext where we will discuss the tools we’ve utilized for account and data security, including multi-factor authentication, at-rest data protection, active data protection, API call limiters, firewalls, cloud services, proprietary technology, and locally encrypted devices. We hope everyone will come out of the discussion with new insights, methods, and tools to try.

You can sign-up for the event on DC CyberWeek’s calendar page.

EfficiencyNext ready to support orgs losing Microsoft Access Web Apps

Posted on Aug 3, 2017 in From the Cloud, From the Mind, Press Releases, Uncategorized

Microsoft has recently announced it is axing its Microsoft Access Web Apps capability in Office 365 and SharePoint Online.

This capability allowed those who work with Microsoft Access the ability to publish database applications into SharePoint without code. While there were technical ceilings for what the technology could do, it nonetheless is incredibly impressive and used by organizations. As of now, it is not possible to publish any new Access Web Apps, and inside of a year (April 2018), existing database applications that have been deployed to SharePoint will be shut down.

We view the decision to discontinue Access Web Apps in Office 365 to be a tremendous mistake. When advocates of Office 365 demo neat features and then receive notice they will be killed with only three months’ notice, they look like fools, Microsoft looks like it can’t stick to its commitments, and customers are sent scurrying for replacements. It’s a lose/lose/lose.

What is perhaps most concerning is there is no obvious underlying technical justification for this move. Access Web Apps are Add-Ins, an extendable part of SharePoint that lives separately from the core code. Keeping the feature available (at least through Access 2016’s support life cycle) would not have been an undue burden. If nothing else, SharePoint Online’s infrastructure made such a thing very practical. While this is purely conjecture, the discontinuation of Access Web Apps feels like a way of pushing developers toward PowerApps, a no-code/low-code platform that is similar but definitely not at feature parity with Access Web Apps.

Please note this does not affect SharePoint 2013/2016 on-premise customers. If you are running Access Web Apps on premise, Microsoft has guaranteed they will continue to work, and that the next version of SharePoint on-premise will ship with the necessary services to continue that support.

So, turning off the rant now. If your organization had plans to implement Access Web Apps in its SharePoint Online environment, and no longer can, contact us! We have a platform called EfficiencySpring that provides relational database interfaces using the same Add-In approach Access Web Apps used. Supported data sources include SQL Azure and SQL Server. A video of this capability is below:

We stand ready to assist organizations that want scalable databases inside their SharePoint Online environments, and perhaps just lost what they had been planning to use.

Year In Review 2016 – EfficiencySpring Integration with SharePoint Online

Posted on Jan 20, 2017 in From the Cloud, From the Lab, From the Mind, Uncategorized

Hello All!

With many of our clients adopting Office 365 and SharePoint Online, we wanted to step up our integration game. To that end, EfficiencySpring, the platform we build all of our custom systems on, can now integrate with SharePoint Online. Below is a video demo!

This integration takes the power of EfficiencySpring’s database and process management capabilities, and plugs it into SharePoint, complete with single sign-on, color/theme adoption, and document library saving.

If you’re looking to integrate a full-fledged relational database into your Intranets, along with dashboards and other goodies, give us a call! And if you’re looking for help with SharePoint Online adoption in general, we’re happy to help!

Year In Review 2016 – New Filtering Capability on Results Page

Posted on Jan 9, 2017 in From the Cloud, From the Mind

One of the things we wanted to accomplish in 2016 was to make refinement of search results easier. To that end, it is now possible to configure lookup fields to be arrays of check boxes on results pages, which can filter the results in real time. This is now standard on every EfficiencySpring based system we build!

Year In Review 2016 – Adaptive Design in EfficiencySpring

Posted on Jan 4, 2017 in From the Cloud, From the Lab, From the Mind

Hi All!

Here is the first entry of our “Year in Review 2016” video series. In this brief video, we focus on the new adaptive design capabilities in EfficiencySpring added in 2016. Adaptive Design is now standard on all new systems we build for our clients using this platform, which we provide at no additional cost.

A Take on Apple Vs FBI by EfficiencyNext’s President

Posted on Feb 25, 2016 in From the Cloud, From the Mind, Uncategorized

Note: The opinion in this blog post is that of Paul Katz, President of EfficiencyNext LLC. There has been, and continues to be, a vigorous debate among EfficiencyNext staff, with many going #teamfbi and others #teamapple.

The current Apple Vs FBI issue with regard to accessing a terrorist’s iPhone 5c has been a subject of active debate within technology and non-technology circles. The position held by many in technology is that Apple is correct in this specific matter. I, however, feel the FBI should prevail in this one specific case.

Detangling Things

There has been much talk about back doors and weakening encryption with regard to the court order for Apple to unlock the iPhone 5c used by Syed Farook, one of the two shooters in the San Bernardino terror attack. The iPhone in question is owned by the San Bernardino County Department of Public Health, which has given complete consent for the FBI to access the phone.

The court order is not aimed at weakening the iPhone’s encryption. Instead, the court order requires Apple to build a custom operating system that can be installed on the specific iPhone involved, which will:

  1. Nullify the auto-wipe feature
  2. Remove delays between PIN code attempts
  3. Allow for PIN attempts to be conducted at a rate of 80 milliseconds per attempt

Apple, through signed encryption security, is the only party that can load a custom operating system on an iPhone, by their own design. This is why the FBI, through the court system, has compelled Apple to build the custom OS, and brute force determine the PIN to unlock the phone. The request is made under the authority of the All Writs Act to help service a valid search warrant.

Hence, this particular case is not about encryption, but rather having Apple create a technique they can run themselves (and only them) which bypasses login security mechanisms.

Why I Believe the FBI is Right

Apple’s Government Information Requests policy currently states “For all devices running iOS 8 and later versions, Apple will not perform iOS data extractions in response to government search warrants because the files to be extracted are protected by an encryption key that is tied to the user’s passcode, which Apple does not possess.”

Apple failed to consider the possibility that the All Writs Act might be employed to compel them to unlock phones via their authentication mechanisms. In my opinion, (I’m not a lawyer BTW), the All Writs Act applies. Apple seems sufficiently related to this matter, and building a custom modified OS for a company of their size and financial ability doesn’t seem an undue burden.

Under the current Law, I don’t see Apple having much of a case. And concern for precedents must cut both ways. If Apple, one of America’s most powerful corporations, is able to refuse to help service a court approved warrant, how many other companies can follow suit?


The Advice Apple Should And Can Give

Each iPhone has the ability to accept passwords and phrases far more complex than a four or six character numeric code; the option is there, just buried a little.

A six-digit numeric PIN has one million possible combinations (000,000 through 999,999). Brute force at about 12 attempts a second would take just under 24 hours. This is what the FBI is banking on.

That said, a six-character password (alphanumeric + special characters) has over 281 trillion possible combinations (281,474,976,710,656) by my count. Presuming the password isn’t readily guessable, we are looking at 6,515,624,460 hours of bulk attempts to brute force the password.

Even sticking with numbers, a user can have a nine character numeric password with a possible one billion combinations (a thousand fold increase over a six character PIN). That would take 23,148 hours to brute force open, or 964 days. Multiply that by ten for every added number in the PIN.

In short, the ultimate security for users right now is right where it should be, in their hands. Apple can fight what they consider is a good fight if they want, but they should advise customers they might indeed lose, and that those who value privacy in the face of government warrants should consider using iOS’s complex password options. They could tell their customers this today.

In Summary

There are deep policy questions about encryption, master keys, key escrows, etc… None of that is before us today.

The circumstances of this one iPhone 5c allow the FBI to make what appears to be a reasonable request under the All Writs Act. Apple has the capability to do the work. They are related to this matter. And it does not impose an undue burden. Apple’s failure to consider the All Writs Act in 2014 when they started encrypting iPhone devices in a bid to not service government warrants ultimately is their responsibility. And if Apple truly is concerned about their customers’ security, they need to acknowledge they might not be above the law as they see it, and tell their customers to secure their phones with complex passwords accordingly.

Syed Farook did not do so. Under a valid government warrant and with Apple’s help, his phone should be accessed.


Microsoft Clarifies its Azure Support Options

Posted on Jan 22, 2016 in From the Cloud, From the Mind

Microsoft has entered the new year with an updated Azure support page that greatly clarifies the support plans available under Azure. Prior to this update, a “Free” support column was displayed on the page that included “Web Incident Submission”. This led some Azure customers to believe that when Azure has a technical problem, submitting it for support would be free. This turned out not to be the case; Free “Web Incident Submission” was generally only for billing issues.


With the new revision, the free tier is now gone, with the first support option listed now being “Developer” support, which costs $29 a month. Essentially, if you need to submit a technical ticket to Azure Support, you really need to purchase a plan. The @AzureSupport Twitter handle can receive outage info from customers, but fairly quickly, for specific help, they will advise you to open a ticket.

I’m happy that Microsoft made this change, and clarified its wording. The new page is much clearer that free technical support in general isn’t offered. On occasion, in the case of major outages, Microsoft has offered complimentary technical support, but it wouldn’t be prudent to bank on that being available for all scenarios.

Perhaps one thing to keep in mind is that support plans are purchased at the Microsoft Account level, and apply to all Azure Subscriptions under that account. If you are an IT firm, and set up Azure infrastructures for your customers, it might make sense to ask them if they can have their subscriptions set up on your Microsoft Account, instead of theirs, so that a singular support plan purchase goes farther.

Want to discuss Azure with someone? We’re always happy to help!

Recommendations for dealing with and planning for SAM Engagements

Posted on Jan 1, 2016 in From the Cloud, From the Mind

In my last post, I actively protested against Microsoft’s bad behavior with how they execute their SAM Engagements. That said, I am a believer in properly licensing one’s software, and as such, EfficiencyNext operates out of an abundance of caution with regard to this. Here are my recommendations. Disclaimer: I am not a lawyer. This is not legal advice, but advice from someone who implements Microsoft technology.

Cooperate when You Are Contacted, but Verify

The SAM Engagement is a required process, no matter how much the initial contact tries to make it look like they are selling you something. It’s OK to be grumbly, but don’t block the process or try to hold it up. But, always demand they send you an email before giving any information over the phone. I have no doubt there are plenty of hackers pretending to be SAM Reviewers in order to get information they can use to break into networks.

Be Truthful

Don’t lie. In general, these SAM Engagements seem to be used by Microsoft as revenue optimizers. It’s about increasing revenue per customer, not necessarily anything punitive. If you execute the process in good faith, you might find out you need to buy more licensing, but in general, you shouldn’t find yourself being sued or being forced to pay costs in excess of actually buying the necessary licenses. Lying (or being uncooperative) is a road that actually can likely lead to legal action.

Understand the Limits of Volume Licensed Operating Systems and OEM Operating Systems

This is one of the Big Gotchas. Microsoft Operating Systems, licensed in Volume and Partner Programs, are Upgrade Licenses only. They do not include licensing for the base operating system, which must also be licensed for the computer the Upgrade License is installed on. These base licenses must be business class; that Windows Home license that comes with many PCs doesn’t cut it. That leaves two options:

  1. When you buy a computer, make sure it comes preinstalled (OEM) with a valid business-class operating system, such as Windows 10 Professional, and DO NOT LOSE THE RECEIPT FOR THE SYSTEM PURCHASE. Keep the physical copy, and also scan it into an online accounting system immediately. Without an invoice stating the computer originally came with the Windows license, the SAM Reviewer can make the case the OEM OS might have been installed after the computer’s sale, rendering the validity of the license unprovable. This is also a significant concern if your company buys PCs used; in such cases, you should insist on getting a copy of the original purchase receipt.
    • I would argue this is a strong case for buying Surface Pro hardware specifically, as the hardware itself should be considered proof of a valid license, as it always comes with a Professional copy of Windows and is manufactured by Microsoft itself. You shouldn’t be screwed if you lose the receipt or buy the Surface Pro 1/2/3/4 used. There’s simply no mechanism for how the computer wouldn’t have a valid OS installed. The fact that Surface Pros come with Windows 8/10 OEM Professional is actually a $140 value that many other machines you buy at retail don’t have.
  2. Purchase Full Retail Copies of a Microsoft Business Class OS, and ensure each license is mapped to a computer running an Upgrade Volume License of Microsoft Windows. As of today, technically, even Vista for Business works for this purpose. I highly recommend purchasing current retail copies that are verifiably legitimate, as counterfeit retail software remains a problem today. That’s roughly $200 a pop, but at least with retail licenses, you can transfer them from one PC to another. You can’t do that with OEM licenses. And when you buy retail, KEEP ALL THE PACKAGING, INCLUDING THE COA STICKER AND MOST IMPORTANTLY THE PRODUCT KEY STICKER. Without retaining these, a SAM Reviewer will likely presume you don’t own the software. The EULAs that come with Windows require that you maintain proof of license. Lock up the materials above and DO NOT LOSE THEM.


In short, if you are a Volume Customer or Microsoft Partner sitting on Microsoft OS Volume Licenses, don’t go nuts and install them on machines that don’t have valid and verifiable underlying business licenses. This will come back to bite you during your SAM Engagement.

Understand the Limits of MSDN Operating System Licenses

Developers can download and install copies of Windows on many, many machines, both physical and virtual. Understand these installations can only be used to develop and test software. If a developer uses the Operating System for anything not related to software development, that is a license violation. So make sure all your developers, if you have any, are properly licensed at the OS level for non-development activities, should they use their PCs for such.

Think About Adopting Office 365 for Your Staff

Seriously, keeping track of every copy of Office by PC, all of its activations, and the original purchase dates and receipts is hard, and difficult to control, even when licensing through the Volume Channel. We have found licensing by user on a subscription basis and not by device much easier to manage and account for. Office 365 has its own deployment checks to ensure staff members aren’t doing too many installations. This capacity is very handy, and the extra Microsoft services that come with Office 365 make this approach affordable in many ways (Exchange Email, Skype for Business, SharePoint Online included). The fact that each staff member gets up to five deployments of Office is also a plus, not to mention mobile device usage.

Use SharePoint Online and OneDrive for Business

The more servers you have, the more difficult a SAM Audit can be. Using OneDrive for Business, instead of dedicated file servers running Windows, reduces the complexity of your local environment, and thus the review. My only caveat is this; access to your files should require more than an email address and password. ALWAYS ALWAYS turn on Multi-Factor authentication for your Microsoft Organizational Accounts.

Use Azure Where You Can

Not only is Azure very flexible with regard to IaaS deployments, but the licensing generally comes bundled with the machines you provision. For each Windows Server, there is no per-user CAL charge.

And, for SQL Server, you also don’t need to worry about whether you are paying for the appropriate amount of cores; the licensing is cooked into the cost so long as you use one of Azure’s SQL Server images. The Enterprise version licensing isn’t cheap; running 4 cores will set your company back $12k a year, just for the licensing. Standard version licensing is about $3.6k a year for 4 cores. SQL Server Web, if the shoe fits, is very cheap at maybe around $290 a year.

If you need some Enterprise capability, such as Transparent Data Encryption for HIPAA compliance, and don’t want to be out $12k a year, looking at SQL Azure is also wise. TDE is a baked in capability that can easily be turned on, and databases can now be part of pools that you can purchase which share resources, as opposed to paying per database.

The bottom line is Azure can greatly reduce the footprint of licensing you specifically need to account for. And one could argue this is where the future lies anyway.


During a SAM Engagement, it’s best to work with the SAM Reviewer during the process, and be cooperative and honest. For the time being, put aside any potential unethical ways they represented themselves upfront. Also, before the process, have a good understanding of the common Gotchas.

In our experience, it is a good exercise to migrate to cloud oriented services, such as Office 365, SharePoint Online, OneDrive for Business, and Azure, where much of the license management is handled for you. Simplification is a great strategy when it comes to license management. For all your cloud accounts, however, don’t forget to turn on multi-factor authentication.

Frankly, similar to Office 365, I wish business class Windows could be licensed to users on a subscription basis, without having to worry about this whole “Upgrade Only” nonsense. It’s high time for Windows 365 as an additive option to the current Windows licensing options.

Microsoft’s Deeply Flawed SAM Engagement Process

Posted on Jan 1, 2016 in From the Cloud, From the Mind, Uncategorized

EfficiencyNext finished its first Microsoft SAM (Software Asset Management) Engagement this last year, having been contacted by a SAM Engagement specialist contracted by Microsoft. This is a process Microsoft Volume Customers go through so Microsoft can check that customer deployments match the licensing they have purchased.

Let us first say, we are an absolute supporter of Microsoft in their desire to ensure people are using their software by the rules. Volume Customers receive steep discounts over retail, so some form of review every so often seems a reasonable fair trade. That said, I was deeply disappointed with the unethical nature of the original contact by the SAM Reviewer, and Microsoft’s inability to make the process efficient. This post is a compilation of thoughts I have; I will leave out the names of the individuals I worked with; if anyone at Microsoft would like to DM me on Twitter for details, you can find me at @napkatz. Likewise, I have a sympathetic ear to anyone else who would like to vent/discuss about this process.

The way the SAM Reviewer Contacted Our Company and Represented Herself was Deceitful and Unethical

I took the initial call from the SAM Reviewer. She said that her company was “Offering a Free Software Asset Management Review” of our software environment, and asked for our IT Manager. The tone was clearly that of a sale. Given that tons of companies cold call us about IT services all the time, I started the usual “just send us something in the mail” line. At that point, the tone changed, and she said she was working with Microsoft and that the review was mandatory. I told her to email me, as I wouldn’t share information about our IT setup with a random caller over the phone. She did email me the formal Microsoft SAM materials, confirming who she said she was. And in the FAQ document she sent over, was this threat:

We hope that customers will work proactively with us to ensure they have a compliant licensing position.  However, given the great emphasis Microsoft places on protecting its intellectual property, for those organizations that don’t wish to engage in this process, a more formal communication may be made with respect to our licensing rights and your organization’s obligations under your Microsoft license agreements.

In short, the SAM Reviewer wasn’t offering or selling us anything; she was forcing our company into a Microsoft-driven audit, under the implied threat of legal action. There’s plenty of potential motivations to be deceitful upfront I suppose; the SAM Reviewer needs to reach a manager of some sort or perhaps the review can’t happen? So maybe she has to lie her way to get to a manager. I don’t know. Whatever the reason, there is no excuse for such unprofessional and unethical behavior. Microsoft should be ashamed of this practice, even if it is their contractors and not them lying and misrepresenting themselves.

In short, it is OK to be angry for how this initial contact works. I was, and to an extent, still am. Especially because at our company, we take great pains to make sure we license our software properly, paying Microsoft thousands of dollars a year. The SAM Engagement process ignores the cheaters who don’t have Volume Agreements, and instead targets paying customers.

The SAM Reviewer Only Gives You Three Weeks and You Never See the Review Coming

I think this again cuts to how Microsoft doesn’t trust its customers. There’s no reason why these reviews can’t be presented clearly as a scheduled necessity that comes with the privileges of volume purchases at the inception of a Volume Agreement. And scheduled well in advance. These reviews smack of Surprise Inspection, which is too bad. Frankly, this, plus the initial deceit, made me want to run into the waiting arms of Google.

Microsoft Seems to Invest Almost Nothing in its SAM Process

The first step of the process is to complete a “Deployment Summary” workbook that the Microsoft contractor sends to you in “.xls” format (yes the old one that went out of style 8 years ago). It contains macros that are password protected, which generally falls into the category of things I don’t want on my network. That didn’t matter, as the workbook crashed on my computer within 10 seconds of opening it. I received an apology from the SAM National Manager, and another “.xls” Workbook that was Macro free. This one worked, but seriously, Microsoft could invest very little money here, and make the process much easier for its Volume Customers. How about a secure online portal? Or at least a modern version of the document? I don’t know why Microsoft continues to choose to waste their customers’ valuable time via an outdated and buggy process.

The SAM Reviewers Seem to Be Clueless About Recent Software Products and Azure

The Deployment Summary spreadsheet was missing Windows 10, Visual Studio 2015, and other products we were required to account for. Perhaps most importantly, it had zero recognition that Microsoft Azure, where many customers keep their servers and services, even exists. The SAM Reviewer kept pressing for how we were licensing SQL Server Web and Windows Server, despite the licensing coming from Azure. After a couple back-and-forths with her team, things got straightened out. But it’s worth noting the Deployment Summary document makes no mention of Azure or how to account for servers there. Seems like disrespect to Microsoft’s CEO, Satya Nadella. Azure was (and probably to an extent still is) his baby.

The SAM Reviewers Have Little Knowledge about First-Party Microsoft Hardware

The SAM Reviewer insisted we provide a receipt for our Surface Pro 1 to validate it shipped with a valid OEM copy of Windows 8 Professional, a step generally required for non-Microsoft hardware when an OEM license is claimed by the company being audited. She seemed to be clueless to the idea that the Surface Pro 1 was actually made by Microsoft, and always shipped with a valid OEM license for Windows 8 Pro, installed by Microsoft itself. I have the purchase receipt, but chose not to turn it over, as I wanted to see how far the SAM Reviewer would push this ridiculous point. A digital photo of the Serial Number underneath the kickstand turned out to be sufficient in this case, so apparently proof of possession of the hardware seems to be enough. Your Mileage may vary.

The Method for Transmitting the Deployment Summary to Microsoft Has Something to Be Desired, Security-Wise

The SAM Reviewer asks that the completed Deployment Summary file, which contains sensitive information about one’s IT setup, be emailed to them, along with any proof of purchases. Yes, customers can place these files in a password protected ZIP or RAR file, but really, Microsoft should be providing the security solution here in the form of an SSL secured online drop-off location. Make no mistake, post-Snowden, most email providers have embraced opportunistic encryption, and by default, most of the emails you send should have sender-to-destination encryption. That said, email security isn’t perfect, and there’s still plenty of room for a person-in-the-middle attack (such as intercepting and removing the flag in an email header that indicates the email is looking for a method of encrypted transmission).

Microsoft operates a whole fleet of web-based portals that can accept file uploads over HTTPS. Using email for transmission of a document that contains sensitive IT information that hackers would love to have seems to me like a bad idea, even in today’s world of opportunistic email encryption. Microsoft should shoot for something that is guaranteed secure?
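The gap between opportunistic and enforced encryption can be shown in a few lines. The following is an added example, not part of the original post: a mail-sending script that treats a missing STARTTLS capability in the server's EHLO reply as a reason to stop, where an opportunistic sender would fall back to plaintext. The host name, the sample EHLO replies and the function names are constructed for illustration.

```python
import smtplib
import ssl
from email.message import EmailMessage


class DowngradeError(Exception):
    """Raised when TLS is required but the server does not advertise STARTTLS."""


def parse_ehlo(reply: str) -> dict:
    """Parse a multi-line EHLO reply into {EXTENSION: arguments}.

    Continuation lines look like "250-KEYWORD args", the last line like
    "250 KEYWORD args". The first line is the server greeting and is skipped.
    """
    extensions = {}
    lines = [ln for ln in reply.splitlines() if ln.strip()]
    for ln in lines[1:]:
        if len(ln) < 5 or not ln.startswith("250") or ln[3] not in "- ":
            continue
        keyword, _, args = ln[4:].strip().partition(" ")
        extensions[keyword.upper()] = args
    return extensions


def delivery_decision(reply: str, require_tls: bool) -> str:
    """Return "encrypt" or "plaintext" for a given EHLO reply.

    With require_tls=False this mirrors opportunistic encryption: whatever the
    server advertises is trusted, so a reply with STARTTLS removed in transit
    silently results in plaintext. With require_tls=True the sender fails closed.
    """
    if "STARTTLS" in parse_ehlo(reply):
        return "encrypt"
    if require_tls:
        raise DowngradeError("STARTTLS not advertised; refusing to send in the clear")
    return "plaintext"


def send_enforced(host: str, port: int, msg: EmailMessage) -> None:
    """Send msg only over a certificate-verified TLS session (network required)."""
    context = ssl.create_default_context()  # verifies certificate and host name
    with smtplib.SMTP(host, port, timeout=30) as smtp:
        smtp.ehlo()
        if not smtp.has_extn("starttls"):
            raise DowngradeError(f"{host} did not advertise STARTTLS")
        smtp.starttls(context=context)
        smtp.ehlo()  # capabilities must be re-read inside the TLS session
        smtp.send_message(msg)


# Constructed sample replies: what the server sent, and the same reply after
# an on-path party removed the STARTTLS line.
HONEST_REPLY = (
    "250-mail.example.test Hello\n"
    "250-SIZE 35882577\n"
    "250-8BITMIME\n"
    "250-STARTTLS\n"
    "250 SMTPUTF8"
)
STRIPPED_REPLY = (
    "250-mail.example.test Hello\n"
    "250-SIZE 35882577\n"
    "250-8BITMIME\n"
    "250 SMTPUTF8"
)

if __name__ == "__main__":
    print("opportunistic, honest reply: ", delivery_decision(HONEST_REPLY, False))
    print("opportunistic, stripped reply:", delivery_decision(STRIPPED_REPLY, False))
    try:
        delivery_decision(STRIPPED_REPLY, True)
    except DowngradeError as exc:
        print("enforced, stripped reply:     refused:", exc)
```

Enforcing TLS this way only covers the hop from the sender to its own mail server; the later server-to-server hops stay opportunistic unless the receiving domain publishes a policy such as MTA-STS or DANE.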

In Summary

This post focused on the unethical behavior, lack of competence, and arguably insecure approach Microsoft has taken with regard to their SAM Engagements, using contractors as proxies. Again, I believe there is room in this world for a competent, honestly presented SAM Process. Microsoft does the world an incredible amount of good, and the free products it offers enthusiasts, students, and even professionals starting out is wonderful. I admire Microsoft as a whole and feel obliged to call out this part of them that should and dare I say MUST be reformed.

We passed our SAM Engagement with flying colors, by the way. Which makes the whole thing a lose-lose. Microsoft spent money unnecessarily auditing us and came away with no new sales, and we spent valuable staff time that could have been spent servicing customers, and golly, selling Microsoft services. It’s an example of the many continuing ways Microsoft shoots itself in the foot.

Again, I welcome anyone from Microsoft to contact me about my concerns at @napkatz. I will update this post with any further conversations. Anyone who wishes to share their SAM experiences is welcome to contact me as well or comment below.

In my next blog post, I will share some recommendations you and/or your company should consider before and when your inevitable SAM Engagement comes.