Microsoft's Custom Functions for Excel Preview Adds AI and 'Service-Connected Code' Capability
Microsoft provided an update during this week's Build Conference event for developers regarding custom functions for Excel and related capabilities.
Custom functions for Excel also can work with Azure Machine Learning services for forecasting outcomes and trends using artificial intelligence (AI) capabilities. That capability might be used by data scientists, for instance. However, while the Azure Machine Learning services capability was described at the Microsoft Ignite event back in September, the preview is still yet to come, although this week's announcement suggested it'll be coming "soon."
The last bit of Build news about Excel is that Microsoft Flow, Microsoft's workflow automation solution, is getting integrated with the spreadsheet program. The Flow integration will show up as an Office Store add-in initially, but Microsoft plans to make it an "in-the-box component later this year." When Flow is integrated with Excel, end users will be able to port data across Microsoft applications. Here's how the announcement described that capability:
Via Flow, users will be able to send data from their spreadsheets hosted in SharePoint and OneDrive for Business to a wide range of services such as Teams, Dynamics 365, Visual Studio Online, Twitter, etc.
Custom Functions, AI and Service Connections
At Build on Tuesday, Yina Arenas, principal program manager for Microsoft Graph, described the overall vision for custom functions for Excel.
She demonstrated a custom function that connects to a company's internal services, but she said it also can be designed to connect to the Web.
According to Microsoft's announcement, custom functions for Excel can calculate operations, "bring information from the Web" and "stream live data."
So far, custom functions for Excel are at the preview stage and aren't supposed to be used in production environments. However, some companies focused on security are already raising red flags about their use.
The potential problem appears to be the ability of custom functions for Excel to reach beyond an organization's computing environment. Here's how Justin Jett, director of Audit and Compliance at Kennebunk, Maine-based Plixer, described the issue.
Plixer makes a network traffic analysis system that's designed to provide information about cloud applications and security events, so Jett's emphasis on having traffic analytics in place is understandable. Microsoft hasn't really described the security associated with custom functions for Excel in great depth. However, Jett offered a few objections.
He noted that "because the functionality allows custom JSON inputs, there isn't much limit (at least at this point) to what malicious actors can do." Moreover, "the functionality does provide remote access," which could include activities like "connecting to external sites, downloading external content, or uploading stolen content."
Organizations should weigh the risks of using custom functions for Excel, he added.
"In this case, the risks are tremendous," Jett said. "For risk-averse organizations, the feature should not be allowed."
In general, Jett recommended that organizations have multilayered security in place, including network traffic analytics. He added that Plixer's product is designed not only to prevent bad incidents from happening but also to provide remediation help for organizations.
Microsoft has yet to describe the security aspects of custom functions for Excel. They will be Office add-ins, but it's not clear if they'll get vetted for security by Microsoft within the Office Store, for instance. Nonetheless, because custom functions for Excel ship as add-ins, the feature can be disabled the same way add-ins are.
"Add-ins (which is how these custom functions will be shipped) can be disabled across the board, or you can pick certain sources/catalogs to disable through Group Policy: see the templates under Security Settings > Trust Center > Trusted Catalogs," explained Michael Sanders of Microsoft in the comments section of Microsoft's "Create Custom Functions in Excel (Preview)" document.
Microsoft's Security Protections
Update 5/14: A Microsoft spokesperson responded via e-mail to questions regarding the security aspects of custom functions for Excel.
"We take the security of our customers seriously, and by design, only trusted logic can execute within the context of a custom function -- with appropriate controls to gate usage," the spokesperson stated.
Custom functions for Excel have the following protections, according to Microsoft:
- Custom functions are a feature of our existing add-ins platform. See this link for more information
- Untrusted code does not run automatically. Each add-in must be explicitly trusted before it can execute
- Code for a custom function is not stored in the workbook and can only be downloaded from trusted sources registered via either an enterprise-level catalog or AppSource
- User access to add-ins/custom functions can be managed by administrators
- If your organization builds custom functions for internal use -- they can distribute those functions through their trusted organizational catalog (specific to their tenant), which means the functions are only accessible to users signed-in on that tenant
- It's important to note that administrators can also restrict access to specific users/groups within their organization
- In addition, all custom functions in Excel run in a least-privilege environment and are subject to strict governance controls