News

Microsoft Adds AI, 'Service-Connected Code' Capabilities in Excel Preview

• By Kurt Mackie
• 05/14/2018

Microsoft announced new custom function capabilities coming to Excel at last week's Build developer conference.

Custom functions for Excel let organizations write their own additions to Excel's formula catalog using JavaScript. When written, they become available to end users within the formula catalog, just like other functions. This feature currently works with Excel Online, as well as Excel for Mac and Windows. Office 365 subscribers who are part of the Office Insiders Program can now try out a preview of custom functions for Excel, according to a Microsoft announcement.

Custom functions for Excel also can work with Azure Machine Learning services for forecasting outcomes and trends using artificial intelligence (AI) capabilities. It might be used by data scientists, for instance. However, while the Azure Machine Learning services capability was described at the Microsoft Ignite event back in September, the preview is still yet to come, although the Build announcement suggested it'll be coming "soon."

Developers also will be getting Power BI Custom Visuals, which will be arriving in preview "soon." Custom Visuals can be extended using "standard open source technologies like JavaScript and D3." Once created, Custom Visuals will work the same both in Excel and Power BI. They will get housed in the Microsoft Store, like Office add-ins. They can be invoked by end users from Excel's "Insert Chart" dialog process. Office 365 administrators will be able to deploy them "in the same way that Office add-ins are deployed."

The last bit of Build news about Excel is that Microsoft Flow, Microsoft's workflow automation solution, is getting integrated with the spreadsheet program. The Flow integration will show up as an Office Store add-in initially, but Microsoft plans to make it an "in-the-box component later this year." When Flow is integrated with Excel, end users will be able to port data across Microsoft applications. Here's how the announcement described that capability:

Via Flow, users will be able to send data from their spreadsheets hosted in SharePoint and OneDrive for Business to a wide range of services such as Teams, Dynamics 365, Visual Studio Online, Twitter, etc.

Custom Functions, AI and Service Connections
At Build Day 2, Yina Arenas, principal program manager for Microsoft Graph, described the overall vision for custom functions for Excel.

"I'm here to show how you can take your business logic and services and make it available to everyone in your organization using Excel," Arenas said. She added, "We are now enabling you to extend Excel to make it the most flexible tool for processing data, customized to your organizations. With the new support for custom functions in JavaScript, you can write custom JavaScript code that looks and behaves like any other function in Excel. You can empower every Excel user in your organization with artificial intelligence and service-connected code without having them leave the tools they already know and love."

She demonstrated a custom function that connects to a company's internal services, but she said it also can be designed to connect to the Web.

According to Microsoft's announcement, custom functions for Excel can calculate operations, "bring information from the Web" and "stream live data."

Security Implications
So far, custom functions for Excel are at the preview stage and aren't supposed to be used in production environments. However, some companies focused on security are already raising red flags about their use.

The potential problem appears to be the ability of custom functions for Excel to reach beyond an organization's computing environment. Here's how Justin Jett, director of Audit and Compliance at Kennebunk, Maine-based Plixer, described the issue.

"With Microsoft's added support for JavaScript in Excel, a new attack vector has also been added for malicious actors," Jett said in an e-mail. "By being able to insert malicious JavaScript into a file, cybercriminals will be able to make external connections to download malware, ultimately leading to further damage to servers and end systems. Security professionals need to understand this new risk and should use network traffic analytics to verify the connections that users are making on the network. Ideally, IT professionals will disable the JavaScript functionality entirely from the product."

Plixer makes a network traffic analysis system that's designed to provide information about cloud applications and security events, so Jett's emphasis on having traffic analytics in place is understandable. Microsoft hasn't really described the security associated with custom functions for Excel in great depth. However, Jett offered a few objections.

He noted that "because the functionality allows custom JSON inputs, there isn't much limit (at least at this point) to what malicious actors can do." Moreover, "the functionality does provide remote access," which could include activities like "connecting to external sites, downloading external content, or uploading stolen content."

Organizations should weigh the risks of using custom functions for Excel, he added.

"In this case, the risks are tremendous," Jett said. "For risk-averse organizations, the feature should not be allowed."

In general, Jett recommended that organizations have multilayered security in place, including network traffic analytics. He added that Plixer's product not only is designed to prevent bad incidents from happening, but that it also provides remediation help for organizations.

Microsoft has yet to describe the security aspects of custom functions for Excel. They will be Office add-ins, but it's not clear if they'll get vetted for security by Microsoft within the Office Store, for instance. Nonetheless, the custom functions for Excel feature can be disabled as add-ins.

"Add-ins (which is how these custom functions will be shipped) can be disabled across the board, or you can pick certain sources/catalogs to disable through Group Policy: see the templates under Security Settings > Trust Center > Trusted Catalogs," explained Michael Sanders of Microsoft in the comments section of Microsoft's "Create Custom Functions in Excel (Preview)" document.

Microsoft's Security Protections
Update 5/14: A Microsoft spokesperson responded via e-mail to questions regarding the security aspects of custom functions for Excel.

"We take the security of our customers seriously, and by design, only trusted logic can execute within the context of a custom function -- with appropriate controls to gate usage," the spokesperson stated.

Custom functions for Execl have the following protections, according to Microsoft:

• Custom functions are a feature of our existing add-ins platform. See this link for more information
• Untrusted code does not run automatically. Each add-in must be explicitly trusted before it can execute
• Code for a custom function is not stored in the workbook and can only be downloaded from trusted sources registered via either an enterprise-level catalog or AppSource
• User access to add-ins/custom functions can be managed by administrators
• If your organization builds custom functions for internal use -- they can distribute those functions through their trusted organizational catalog (specific to their tenant), which means the functions are only accessible to users signed-in on that tenant
• It's important to note that administrators can also restrict access to specific users/groups within their organization
• In addition, all custom functions in Excel run in a least-privilege environment and are subject to strict governance controls