author | Rich Lander <rlander@microsoft.com> | 2022-05-04 05:30:01 +0300 |
---|---|---|
committer | GitHub <noreply@github.com> | 2022-05-04 05:30:01 +0300 |
commit | 488c8436643a02d48109711dfa3551dd03742e02 (patch) | |
tree | 2ca3afb42f8a97d3e6249524a0492559160b65b2 /Documentation | |
parent | 350cd041d2c56b47f4be4f5783907b944e523e81 (diff) |
Update microsoft-team.md (#7418)
* Update microsoft-team.md
* Update microsoft-team.md
Diffstat (limited to 'Documentation')
-rw-r--r-- | Documentation/microsoft-team.md | 92 |
1 files changed, 33 insertions, 59 deletions
diff --git a/Documentation/microsoft-team.md b/Documentation/microsoft-team.md index 5467ad62..08f159cf 100644 --- a/Documentation/microsoft-team.md +++ b/Documentation/microsoft-team.md 
@@ -4,22 +4,43 @@ If you work on or with the .NET Team, you will need to onboard into various GitH ## Join .NET teams in dotnet and Microsoft orgs -You need to link your GitHub and @microsoft.com accounts. Click the link: +[Link your GitHub account](https://repos.opensource.microsoft.com/link) with Microsoft and then join our teams (in two organizations): -* [Link your GitHub account](https://repos.opensource.microsoft.com/link) +1. [Join the microsoft/dotnet team](https://repos.opensource.microsoft.com/Microsoft/teams/dotnet/join/) +1. [Join the dotnet/microsoft team](https://repos.opensource.microsoft.com/dotnet/teams/microsoft/join/) -You need to join teams in two organizations. Click the two links: +## Security best practices + +Bad actors try to break into our accounts all the time (see ["failed login attempts" on your account](https://github.com/settings/security-log?q=action%3Auser.failed_login)). You need to apply the following guidance to (A) stay secure, and (B) maintain access to your account. + +Register at least two of the following two-factor authentication methods: + +* [GitHub mobile app](https://github.blog/2022-01-25-secure-your-github-account-github-mobile-2fa/) +* [Hardware security key(s)](https://docs.github.com/en/authentication/securing-your-account-with-two-factor-authentication-2fa/configuring-two-factor-authentication#configuring-two-factor-authentication-using-a-security-key) (also see [yubikey](https://www.yubico.com/works-with-yubikey/catalog/github/)) +* [TOTP with an Authenticator app](https://docs.github.com/en/authentication/securing-your-account-with-two-factor-authentication-2fa/configuring-two-factor-authentication#configuring-two-factor-authentication-using-a-totp-mobile-app) + + +Additional guidance: -1. [Join the Microsoft org](https://repos.opensource.microsoft.com/orgs/microsoft/join) -2. [Join the dotnet team](https://repos.opensource.microsoft.com/Microsoft/teams/dotnet/join/) -3. 
[Join the dotnet org](https://repos.opensource.microsoft.com/orgs/dotnet/join) -4. [Join the microsoft team](https://repos.opensource.microsoft.com/dotnet/teams/microsoft/join/) +* Do not use [SMS](https://en.wikipedia.org/wiki/SIM_swap_scam) for 2FA or as a recovery fallback (disable those options). +* Store [recovery codes](https://docs.github.com/en/authentication/securing-your-account-with-two-factor-authentication-2fa/configuring-two-factor-authentication-recovery-methods) in a safe place, like [OneDrive Vault](https://www.microsoft.com/microsoft-365/onedrive/personal-vault), 2FA-protected OneNote or in a password vault like 1Password. -After you join the teams: +Note: If you completely lose access to login to your account, GitHub support will not be able to recover your account. That's why all of these options are covered. + +A correctly configured account should look similar to the following: -* Users will be able to @mention you on [.NET Repos](https://github.com/dotnet/core/blob/main/Documentation/core-repos.md) -* You will be able to access to private repos we maintain -* You will get write access to a subset of repos +![image](https://user-images.githubusercontent.com/2608468/166490511-557e41e3-2fe0-45a6-a67b-425bf6800be1.png) + +Please test your security key to ensure it works. For example, on Windows, you should see a dialog similar to the following (that says "security key"): + +![image](https://user-images.githubusercontent.com/2608468/83581665-56980400-a4f4-11ea-8096-ddd553d28e18.png) + +A few more notes on hardware keys: + +* You should have at least one hardware key that does not travel with you, but is stored in a secure location (like at home) as a last resort in case you lose access to other factors. +* If you have a FIDO2 key, it can be used with [mysignins](https://mysignins.microsoft.com/). 
+* If you have USB-C and USB-A only devices, and want to use hardware keys for them, then you need [separate keys](https://www.yubico.com/works-with-yubikey/catalog/github/). This explains why the example below has multiple keys registered (for example, one securely stored at home, and two keys for daily use for USB-C and USB-A only devices). +* You can use Windows Hello to sign in as a hardware key. This is fine to use, but it doesn't replace the need for hardware key that you store in a secure location. Your Windows Hello key is not tied to you, but the machine. It won't survive hardware failures or re-installing Windows. ## Configure your GitHub account as a Microsoft employee (recommended) @@ -35,12 +56,7 @@ After you join the teams: * Set `@Microsoft` as your **Company**, * Upload your **picture**, ideally showing your face. * Hint: You can grab your GAL picture from <https://microsoft-my.sharepoint.com>. - -## Install Microsoft open source tools (recommended) - -The following tool makes it easier to use open source and participate in open-source projects: - -* [Browser Extension](https://docs.opensource.microsoft.com/tools/browser.html) -- Identifies Microsoft employees on GitHub. + * Easily identify other Microsoft employees with our [browser extension](https://docs.opensource.microsoft.com/tools/browser.html) ## Get write permissions to repos (optional) 
@@ -49,45 +65,3 @@ Join teams to gain write access to repos: * Request team membership via <https://repos.opensource.microsoft.com/teams>. * Ask someone if you don't know which team(s) to join. * Select `Request to join this team` on the right side - it will send email request to maintainers of the team. - -## Security best practices - -Enabling 2FA doesn't necessarily mean your account is secure. SMS (phone texts) is [not secure](https://en.wikipedia.org/wiki/SIM_swap_scam) as a 2FA method and should be avoided if possible. You can see [failed login attempts](https://github.com/settings/security-log?q=action%3Auser.failed_login) on your account to get some sense of the risk you have. - -The following best practices are required for org owners, and recommended for repo admins. - -* Do register a [security key(s)](https://www.yubico.com/works-with-yubikey/catalog/github/) as a two factor method. -* Do register an authenticator app -- registering a one-time-password with an app like 1Password is recommended (not tied to your phone). -* Do store recovery codes in a safe place, like [OneDrive Vault](https://www.microsoft.com/microsoft-365/onedrive/personal-vault), 2FA-protected OneNote or in a password vault like 1Password. -* Do register your GitHub account with your 2FA-protected Facebook account for GitHub account recovery. This is the absolute last recovery option and is considered secure (even if your Facebook account is breached). -* Do not use SMS for 2FA or as a recovery fallback. - -Note: If you completely lose access to login to your account, GitHub support will not be able to recover your account. That's why all of these options are covered. - -A few more notes on hardware keys: - -* You should have at least one hardware key that does not travel with you, but is stored in a secure location (like at home) as a last resort in case you lose access to other factors. -* If you have a FIDO2 key, it can be used with [mysignins](https://mysignins.microsoft.com/). 
-* If you have USB-C and USB-A only devices, and want to use hardware keys for them, then you need [separate keys](https://www.yubico.com/works-with-yubikey/catalog/github/). This explains why the example below has three keys registered (one securely stored at home, and two keys for daily use for USB-C and USB-A only devices). -* You can use Windows Hello to sign in as a hardware key. This is fine to use, but it doesn't replace the need for hardware key that you store in a secure location. Your Windows Hello key is not tied to you, but the machine. It won't survive hardware failures or re-installing Windows. - -A correctly configured account should look similar to the following: - -![image](https://user-images.githubusercontent.com/2608468/83581219-1421f780-a4f3-11ea-8f01-3a27afe4ddac.png) - -Please test your security key to ensure it works. You need to see a dialog similar to the following (that says "security key"): - -![image](https://user-images.githubusercontent.com/2608468/83581665-56980400-a4f4-11ea-8096-ddd553d28e18.png) - -Facebook-based account recovery registration will look similar to the following: - -![image](https://user-images.githubusercontent.com/2608468/83581770-965eeb80-a4f4-11ea-993d-ad39bae391c2.png) - -## Service Accounts - -Service accounts should also be linked. For more details, see [Service accounts for GitHub](https://docs.opensource.microsoft.com/github/service-accounts.html). - -## Guidelines - -* [Contributing to .NET](https://github.com/dotnet/runtime/blob/main/CONTRIBUTING.md) -* [What you can expect from Maintainers](https://github.com/dotnet/core/blob/main/Documentation/contributing/maintainers.md) |
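Review bot: In the first hunk (@@ -4,22 +4,43 @@) the hardware-key bullet still says "This explains why the example below has multiple keys registered", but the same hunk moves the "A correctly configured account should look similar to the following" screenshot above the "A few more notes on hardware keys" list, so "below" should now read "above". The rewrite also drops the old scope sentence "The following best practices are required for org owners, and recommended for repo admins", and nothing in the new text says who the "Register at least two of the following two-factor authentication methods" requirement applies to; consider keeping that sentence after "You need to apply the following guidance to (A) stay secure, and (B) maintain access to your account."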
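Review bot: In the second hunk (@@ -35,12 +56,7 @@) the replacement line "+ * Easily identify other Microsoft employees with our [browser extension]" is added directly under the "* Hint: You can grab your GAL picture" sub-item of "Upload your **picture**", so it renders as a sub-bullet about the profile picture rather than a standalone recommendation. Suggest promoting it to a top-level bullet of the "Configure your GitHub account" list (or keeping a one-line heading for it) so the extension is not read as a hint about the picture.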
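Review bot: The third hunk (@@ -49,45 +65,3 @@) deletes the "## Service Accounts" and "## Guidelines" sections together with the old "## Security best practices" text, but the new section at the top only replaces the security guidance; the service-accounts link (docs.opensource.microsoft.com/github/service-accounts.html) and the "Contributing to .NET" / "What you can expect from Maintainers" links are no longer referenced anywhere in the file, and the commit message ("Update microsoft-team.md") does not say the removal is intended. If it is, state that in the commit message; otherwise re-add those two sections after "## Get write permissions to repos (optional)". The removed "Do register your GitHub account with your 2FA-protected Facebook account for GitHub account recovery" guidance is likewise not mentioned in the new section; a one-line note on whether readers who set it up per the old text should keep or remove it would avoid confusion.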