
Modern Office 365 Site Pages


If you add a page to your Office 365 site via the gear box -> “Add a page”, a “modern-style” SharePoint page is created,
but you can still have the “classic” experience, i.e. Wiki pages or Web Part pages.

Just go to your pages library via “Site Contents” -> “Site Pages”,
click the “Files” tab and open the “New Document” dropdown;
this is where you can choose what kind of page to create.

If you want to stick with classic pages permanently (disable modern site pages), do it via
“Site settings” -> “Manage site features” -> “Site Pages” -> Deactivate.
Then, from the Site Pages library settings, click “Change new button order and default content type”
and deselect “Visible” for “Site Page”.


Anatoly Stishko (Анатолий Стишко) – Dzhambul, Kazakhstan

Radio Liberty (“Радио Свобода”). Excerpt from the broadcast “The village life of the artist Anatoly Stishko”

… I was once about ten years old, in Kazakhstan. One day I come to the market and draw – horses and carts… There … it was a Sunday… everyone came together, plenty of subjects to draw. For learning to draw it was the best place. People started looking in; they look – they recognize themselves, recognize a horse. Suddenly a policeman comes up and says
– What are you sketching here, do you have a permit?
[He is asking this of a boy, yes]. Yes, I say
– What permit, I’m just drawing. – And he takes me and leads me to the police station. The chief there:
– What did he steal? – he asks. The other says
– Well, he was doing something suspicious at the market. Some kind of notes; it isn’t allowed. – The chief says
– Come on, show me, give me the notebook. – He [puts it] in front of him. He starts leafing through it
– But this is Pyotr Ivanych, and this is his horse…
The atmosphere brightened; from menacing it turned friendly… He said
– You’re a fine lad, only it isn’t clear why you draw at the market.
And I say
– The books say that an artist must go out into life and draw from nature there. The merriest life is at the market. Everything is here.
He said – don’t bother him anymore. The other said – will do. And to me he said
– Keep at it, you can become an artist.
That was around fifty… fifty-two. Stalin was still alive. Well, so I became an artist.

How to remove service accounts from people search in SharePoint or Office 365

Update: for the same solution in modern search, please refer to “Hide non-personal accounts from modern Microsoft 365 search”.

The following solution is for Classic Search only. 

What I did is:

User Profile Service -> Manage User Properties: create a custom property like “HideFromPeopleSearch”, type boolean, do not allow users to edit the value, Indexed.

Client-side PowerShell script using the PnP library:

Connect-PnPOnline -Url "<tenant-admin-site-url>"   # the URL was omitted in the original post; use your tenant admin site

$nonPeople = Get-ADUser -Filter …   # based on what's in your AD and how you separate people and non-people accounts
foreach ($account in $nonPeople) {
  Set-PnPUserProfileProperty -Account $account.UserPrincipalName -PropertyName 'HideFromPeopleSearch' -Value 'True'
}

SearchCenter -> Site Settings -> Search Schema: use any pre-created RefinableString managed property (e.g. RefinableString33) and add a mapping to the crawled property people:HideFromPeopleSearch.

SearchCenter -> Site Settings -> Search Query Rules: Local People Results, new Query Rule, change ranked results by changing the query to {searchTerms} -RefinableString33=True

This should work.
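A fuller version of the script above, added here as an example (not the original post's code): it picks the non-people accounts by an assumed service-account OU and an assumed SamAccountName prefix, supports a dry run so you can review the list before touching profiles, and reports accounts that have no user profile yet. It assumes an existing Connect-PnPOnline session to the tenant admin site and the RSAT ActiveDirectory module.

```powershell
# Added example, not the original post's script. Assumes an existing Connect-PnPOnline
# session and the ActiveDirectory module. The OU and the naming prefix are assumptions;
# adjust them to how your AD separates service accounts from people.
Import-Module ActiveDirectory

function Get-NonPeopleAccount {
    param(
        [string]$SearchBase = 'OU=Service Accounts,DC=domain,DC=local',  # assumed OU
        [string]$NamePrefix = 'svc-'                                     # assumed prefix
    )
    # Accounts in the service-account OU, plus any enabled account elsewhere that follows
    # the naming convention. An account without a UPN has no addressable profile, so drop it.
    $byOu     = Get-ADUser -Filter * -SearchBase $SearchBase
    $byPrefix = Get-ADUser -Filter "SamAccountName -like '$NamePrefix*' -and Enabled -eq 'True'"
    @($byOu) + @($byPrefix) |
        Where-Object { $_.UserPrincipalName } |
        Sort-Object UserPrincipalName -Unique
}

function Hide-FromPeopleSearch {
    param(
        [Parameter(Mandatory)][string[]]$Upn,
        [string]$PropertyName = 'HideFromPeopleSearch',   # the custom profile property created above
        [switch]$DryRun
    )
    foreach ($u in $Upn) {
        if ($DryRun) { Write-Host "Would set $PropertyName=True for $u"; continue }
        try {
            Set-PnPUserProfileProperty -Account $u -PropertyName $PropertyName -Value 'True' -ErrorAction Stop
            Write-Host "Hidden: $u"
        } catch {
            # Typical cause: the account never signed in, so no user profile exists yet
            Write-Warning "Skipped $u : $($_.Exception.Message)"
        }
    }
}

$upns = (Get-NonPeopleAccount).UserPrincipalName
Hide-FromPeopleSearch -Upn $upns -DryRun      # review the list first
# Hide-FromPeopleSearch -Upn $upns            # then apply
```

Accounts skipped with a warning still show up in people search until they get a profile, so re-run the script after the next profile import.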

Microsoft SharePoint, Microsoft 365: studying, certification

Here are some resources to study, learn and improve your skills on Microsoft SharePoint, SQL, Office 365 and Azure:

Officially free:

SharePoint gurus:

  • (Todd Klindt)
  • (Andrew Connell)
  • (Wictor Wilen)
  • (Srini Sistla)
  • (Sahil Malik)
  • (Spencer Harbar)
  • (Wictor Wilén)
  • (Bill Baer)
  •  (Christopher Harrison)
  • (Jeremy Thake)
  • (Brian Pendergrass aka bspender)
  •  (Gary Lapointe)
  • – SharePoint/Microsoft 365 study guide (Vlad Catrinescu)
  • – (Liam Cleary)
  • – (Stefan Gossner)
  • – Product Line Architecture (PLA) Team Blog
  • – Michel de Rooij with focus is on Exchange, Office 365, and PowerShell
  • – Elio Struyf
  • – Mikael Svenson – SharePoint and search

Courses on SharePoint (for money):

  • (3-month free subscription for Visual Studio Dev Essentials members)

SharePoint Certification:

SharePoint career builder/study guides: – SharePoint/Microsoft 365 study guide (Vlad Catrinescu)


SharePoint Security and Penetration Testing

There is a course on Pluralsight: Penetration Testing SharePoint by Liam Cleary.

Here are some fundamentals every SharePoint architect should know on “how to protect a SharePoint environment”, from this course and from my personal experience.

Security basics

  • audit the environment and document it (annually or semi-annually)
  • permission matrix and authentication flow (semi-annually or monthly) – using third-party tools
  • test environment security

Protect from the Scans

  • Monitoring
  • Access control (accounts, passwords, least permissions, audit)
  • Port restriction (enable only required ports and protocols)
  • Server firewall (including SQL, SharePoint, OOS, Workflow) + Isolation
  • Local Computer Policies
  • Network firewall (incl. edge firewall and internal firewall)

IIS – web.config

  • <authentication …>
  • <microsoft.identityModel>
  • <location path …><allow users …>
  • viewlsts.aspx – protect using <location path …><allow users …> on IIS level
  • … CallStack …
  • <CustomErrors …>
  • <appSettings>


  • Site – Authentication – Specific user
  • Certificates – Binding
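To check the web.config items listed above across a whole farm instead of opening each file by hand, here is an added read-only audit script (not from the original post or the course). It assumes the SharePoint Management Shell on a farm server with rights to read the IIS site folders, and it reports the SafeMode CallStack, customErrors and compilation debug settings plus whether a <location> rule for viewlsts.aspx exists.

```powershell
# Added example, not from the original post: read-only audit of each web application's
# web.config for the settings listed above. Assumes the SharePoint Management Shell on a
# farm server with rights to read the IIS site folders.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

function Test-SPWebConfigHardening {
    param([Parameter(Mandatory)][string]$WebConfigPath)
    [xml]$cfg = Get-Content -LiteralPath $WebConfigPath -Raw
    $safeMode = $cfg.configuration.SharePoint.SafeMode
    $sysWeb   = $cfg.configuration.'system.web'
    # <location path="..."> blocks that lock down viewlsts.aspx with <allow users>/<deny users>
    $viewLsts = @($cfg.configuration.location | Where-Object { $_.path -like '*viewlsts.aspx' })
    $result = [pscustomobject]@{
        Path           = $WebConfigPath
        CallStack      = $safeMode.CallStack          # expected "false"
        CustomErrors   = $sysWeb.customErrors.mode    # expected "On"
        DebugCompile   = $sysWeb.compilation.debug    # expected "false"
        ViewLstsLocked = $viewLsts.Count -gt 0
        Findings       = @()
    }
    if ($result.CallStack -ne 'false')   { $result.Findings += 'SafeMode CallStack is not false' }
    if ($result.CustomErrors -ne 'On')   { $result.Findings += 'customErrors mode is not On' }
    if ($result.DebugCompile -eq 'true') { $result.Findings += 'compilation debug is true' }
    if (-not $result.ViewLstsLocked)     { $result.Findings += 'no <location> rule for viewlsts.aspx' }
    $result
}

# One web.config per IIS site (zone) of every web application, Central Administration included
Get-SPWebApplication -IncludeCentralAdministration | ForEach-Object {
    $webApp = $_
    foreach ($iis in $webApp.IisSettings.Values) {
        $wc = Join-Path $iis.Path.FullName 'web.config'
        if (Test-Path -LiteralPath $wc) {
            Test-SPWebConfigHardening -WebConfigPath $wc |
                Select-Object @{n='WebApplication';e={$webApp.DisplayName}}, CallStack, CustomErrors,
                              DebugCompile, ViewLstsLocked, @{n='Findings';e={$_.Findings -join '; '}}
        }
    }
} | Format-Table -AutoSize
```

Run it from one server per farm; web.config is identical across servers only if every change was applied through the farm, so a difference between servers is itself a finding.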

Central administration

  • Web Applications – Web Application – User policies
  • Web Applications – Web Application – Anonymous policies
  • Web Applications – Web Application – Blocked file types
  • Service Applications – Service Application – Administrators/Permissions
  • Security – Farm Administrators


Architect, Support – should have farm-level access
Developer, Designer, End User, External – should not have farm-level access

Use a personalized account for administration/support (do not use the farm account or the install account).

BTW, my opinion: do not allow developers any access to the production farm.
The rights/responsibilities and dev workflow should be:

  • SharePoint Developer: Dev farm for development, Dev-Test farm for self-testing
  • SharePoint Tester: Test-farm for testing
  • SharePoint Administrator: Pre-production farm and Production farm

If somebody combines roles, use different accounts and keep the roles separated.

SharePoint updates

  • security updates
  • public updates, cumulative updates (download)
  • service packs, feature packs

Some useful PowerShell commands (host discovery and a TCP port check for your own network audit):

$subnet = "192.168.214"
$range = 223..225
# Ping each host once and print only the hosts that answered. (The original piped the $true
# results on and then printed $ip, so every line showed the last address tested.)
$range | %{ $ip = "$subnet.$_"; if (Test-Connection -Count 1 -ComputerName $ip -Quiet) { Write-Host "$ip - Test OK" } }

$port = 3389
foreach ($byte in $range) {
    $ip = "{0}.{1}" -F $subnet, $byte
    Write-Host "Testing NetConnection to $ip`:$port - " -NoNewline
    $tnc = Test-NetConnection -ComputerName $ip -Port $port -ErrorAction SilentlyContinue -WarningAction SilentlyContinue
    Write-Host $tnc.TcpTestSucceeded
}



  • – network scanner
  • – free security scanner
  • – MS Sharepoint and Frontpage Auditing Tool
  • – Penetration Testing Software
  • – Common Vulnerabilities and Exposures


Project 2016

Project Server 2016

As you know, Project Server 2016 is actually a service application on SharePoint Server 2016.
Which means that if you want Project Server 2016, you must have SharePoint 2016 first.
But if you have a SharePoint 2016 farm, it’s much easier to get Project 2016. Moreover, once you build a robust, scalable and highly available SharePoint, your Project gets the same “for free”.
NB: Project is licensed separately.


Look at some PowerShell commands which can help you provision the Project 2016 Service Application on SharePoint 2016:

# Enable Project Server License
Enable-ProjectServerLicense -Key Y2WC2-K7NFX-KWCVC-T4Q8P-4RG9W

# Get Service Accounts
Add-WindowsFeature rsat-ad-powershell
Import-Module ActiveDirectory
Get-ADUser -Filter 'Name -like "*project*"'
Get-ADUser -Filter 'SamAccountName -like "SP-Project*"' | ft DistinguishedName, SamAccountName

# Add managed accounts
$account = "ecm\SP-Project-Svc"
New-SPManagedAccount -Credential (Get-Credential -UserName $account -Message "type password")
$SvcAppPlAccnt = Get-SPManagedAccount -Identity $account ; $SvcAppPlAccnt

# Service Application pool
$applPoolName = "Project Service Application Pool"
New-SPServiceApplicationPool -Name $applPoolName -Account $SvcAppPlAccnt
$ap = Get-SPServiceApplicationPool | ?{$_.Name -eq $applPoolName}

# Service Application
Get-SPServiceApplication | Sort-Object DisplayName | ft -AutoSize
$serviceTypeName = "Word Automation Services"
Get-SPServiceApplication | ? {$_.TypeName -eq $serviceTypeName} | ft -AutoSize
$saName = "Project service Application"
New-SPProjectServiceApplication -Name $saName -ApplicationPool $ap
$sa = Get-SPServiceApplication -Name $saName
$sa.Status; $sa.Name
$proxyName = $saName + " " + "Proxy"
New-SPProjectServiceApplicationProxy -Name $proxyName -ServiceApplication $sa

# Instances: find the Project Server Application Service instance on this server
Get-SPServiceInstance | ft -AutoSize
$serviceTypeName = "Project Server Application Service"
Get-SPServiceInstance | ? {$_.TypeName -eq $serviceTypeName }
$serviceInstances = Get-SPServiceInstance | ? {$_.TypeName -eq $serviceTypeName }
$serviceInstance = $serviceInstances | ? {$_.Server.Address -eq $env:COMPUTERNAME}
# start it (this call is added here; the original selected the instance without starting it)
Start-SPServiceInstance -Identity $serviceInstance

# Database (the web application URL was omitted in the original post; fill in yours)
New-SPContentDatabase -Name "SP16_SSF2_Project" -DatabaseServer "SP16SQL" -WebApplication ""

# Site (the site URL was omitted in the original post; fill in yours)
Get-SPManagedPath -WebApplication ""
New-SPSite -ContentDatabase "SP16_SSF2_Project" -Url "" -Template pwa#0 -OwnerAlias "ecm\sp-adm"
Get-SPContentDatabase "SP16_SSF2_Project"
Set-SPContentDatabase "SP16_SSF2_Project" -MaxSiteCount 1 -WarningSiteCount 0
Enable-SPFeature pwasite -Url ""







Hybrid SharePoint 2013/2016

Step-by-step script of my recent Hybrid SharePoint 2016 – Office 365 implementation:


Office 365 Prerequisites

  • set and configure custom domain name
  • synchronize users (e.g. like this)
  • provide Office 365 licenses for hybrid users
  • (for hybrid search or Sharepoint 2016 DLP) provide license for farm account

On-Premises AD prerequisites

  • AD group “HybridUsers” for hybrid users

On-premises SharePoint Prerequisites

  • managed metadata service application
  • user profiles service application
    • user profiles are synchronized (incl. User Principal Name and Work email)
    • MySites
    • Audience for HybridUsers AD group
  • app management service application
  • subscription settings service application
  • secure store service application
  • SP1 + September 2015 CU


  • certificate to replace the default SharePoint STS certificate
    • no special requirements for subject
    • self-signed (lab/test)
    • public authority (production)

If you plan for inbound search of hybrid BCS – there are some more requirements



Create S2S trust, i.e. trust relationship between on-premises SharePoint and Office 365.

  • replace default STS certificate
  • upload certificate to Office 365
  • add SPN to Azure AD
  • register SPO application principal
  • set authentication realm (align this with high-trusted app environment)
  • configure on-prem proxy for Azure AD



Hybrid Sites and Hybrid OneDrive for Business

  1. go to Office 365 admin center -> SharePoint admin
  2. copy the MySites site collection name
  3. go to on-prem SharePoint CA -> Office 365 -> Configure hybrid OneDrive…
    • enter the Office 365 MySites site collection name from step 2 as “My Site URL”
    • (optional) enter a specific audience – “hybrid users”
    • select hybrid features – “OneDrive only” or “OneDrive and Sites”

Hybrid Sites and Hybrid OneDrive for Business warnings:

  • you cannot activate hybrid sites without activating hybrid OneDrive for Business
  • users need to re-follow migrated sites
  • custom profile properties require additional steps
  • existing MySites content will not be migrated – consider
    • third-party tools, or
    • PowerShell (?), or
    • a manual “old sync -> backup -> stop sync -> new sync -> restore from backup -> sync” for every user




SharePoint <-> Office 365 users synchronization, ADFS and WAP

Azure AD Connect


  • (existing) AD DC
  • (new) DirSync Server, joined to domain (e.g. ds.domain.local), OS = Windows Server 2012 R2
  • domain admin and local admin account
  • Office 365 global admin account


  • add your domain to your Office 365 environment in advance (it takes time)
  • add .net 3.5 and .net 4.5 features to the DirSync server
  • ensure your account is local admin and domain admin and Enterprise Admin
  • go to Office 365 admin center, Settings, Services and Add-Ins, Directory Synchronisation, Start Wizard and follow instructions (start check etc.)




  • (existing) AD DC
  • (new) ADFS Server, joined to domain (e.g. fs.domain.local), OS = Windows Server 2012 R2
  • (new) WAP Server (e.g. wap.domain.local)
  • (create new) account for ADFS (like domain\adfs-svc) and make it local admin on ADFS Server
  • let’s say our service name is “” (the server name is “fs.domain.local”); then we need to
    enroll a certificate for the service name (i.e. not a wildcard certificate)

    • the subject name and subject alternative name must contain your federation service name, such as
    • the subject alternative name must contain the value enterpriseregistration followed by the UPN suffix of your organization, for example enterpriseregistration.domain.local
    • the subject alternative name must contain the value certauth followed by the ADFS service name, e.g.
    • set the private key as exportable
  • export this certificate (with password)
  • ensure an A record in internal DNS for the service name (i.e. it points to the ADFS server “fs.domain.local”)
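The three SAN requirements above are easy to get wrong on an enrolled certificate, so here is an added check (not from the original post) that reads the SAN extension of a certificate and reports which required names are missing, followed by the lab-only self-signed variant and the password-protected export. The service name adfs.domain.local and UPN suffix domain.local are assumptions, since the post's own service name was not preserved.

```powershell
# Added example, not part of the original post. Service name and UPN suffix are assumed.
function Get-RequiredAdfsNames {
    param([string]$ServiceName, [string]$UpnSuffix)
    # federation service name, enterpriseregistration.<UPN suffix>, certauth.<service name>
    @($ServiceName, "enterpriseregistration.$UpnSuffix", "certauth.$ServiceName")
}

function Test-AdfsCertificateNames {
    param(
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate,
        [string]$ServiceName,
        [string]$UpnSuffix
    )
    # OID 2.5.29.17 = Subject Alternative Name; Format($false) yields "DNS Name=a, DNS Name=b"
    $sanExt = $Certificate.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    $sans = @()
    if ($sanExt) {
        $sans = ($sanExt.Format($false) -split ',\s*') | ForEach-Object { ($_ -split '=', 2)[1].Trim() }
    }
    $required = Get-RequiredAdfsNames -ServiceName $ServiceName -UpnSuffix $UpnSuffix
    $missing  = @($required | Where-Object { $sans -notcontains $_ })
    [pscustomobject]@{
        Thumbprint    = $Certificate.Thumbprint
        Subject       = $Certificate.Subject
        Sans          = $sans
        Missing       = $missing
        HasPrivateKey = $Certificate.HasPrivateKey   # exportability itself only shows up at export time
        Ok            = ($missing.Count -eq 0) -and $Certificate.HasPrivateKey
    }
}

$svc = 'adfs.domain.local'; $suffix = 'domain.local'   # assumed values

# Check an already enrolled certificate (production): pick it by thumbprint placeholder
# $cert = Get-Item "Cert:\LocalMachine\My\<thumbprint>"

# Lab/test only: self-signed certificate with the required names. On Windows Server 2012 R2
# New-SelfSignedCertificate takes a list of DNS names and creates an exportable key.
$cert = New-SelfSignedCertificate -DnsName (Get-RequiredAdfsNames $svc $suffix) -CertStoreLocation 'Cert:\LocalMachine\My'
Test-AdfsCertificateNames -Certificate $cert -ServiceName $svc -UpnSuffix $suffix

# Export it with a password for import on the WAP server
$pfxPassword = Read-Host -AsSecureString -Prompt 'PFX password'
Export-PfxCertificate -Cert $cert -FilePath "C:\certs\$svc.pfx" -Password $pfxPassword
```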



  1. create an A-record for the service name pointing to fs.domain.local
  2. (logged in on the ADFS Server as adfs-svc) add (install) the Active Directory Federation Services role
  3. Configure the role
    1. choose “create the first…”
    2. provide domain admin account credentials
    3. choose the SSL certificate and service name (same name),
       provide the FS display name
    4. specify a domain user account (use the existing adfs-svc) and password
    5. create a database (or use existing SQL)
  4. Check the configuration
    1. go to “https://localhost/adfs/ls/idpinitiatedsignon.htm” (ignore the certificate error, and do not log in)




  1. Add the role “Remote Access”, features by default, choose the role service “Web Application Proxy”, add features.
  2. import the certificate
  3. Configure the role: enter the FS name, provide credentials (domain\adfs-svc)
  4. Create an A-record on external DNS for the FS name pointing to the WAP external IP




Based on


Create New Performance Point Service Application failed

Create New Performance Point Service Application failed with “Address(int ) is an invalid or loopback address.  Specify a valid server address.”


$newServiceApplication = New-SPPerformancePointServiceApplication -Name $serviceName -ApplicationPool $applicationPool -DatabaseServer $dbServer -DatabaseName $serviceDB
New-SPPerformancePointServiceApplication : System.Object&, mscorlib, Version=, Culture=neutral, PublicKeyToken=b77a5c561934e089 Address(int ) is an invalid or loopback
address.  Specify a valid server address.
At line:1 char:26
+ $newServiceApplication = New-SPPerformancePointServiceApplication -Name $service …
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidData: (Microsoft.Perfo…viceApplication:NewSPPerformanc…viceApplication) [New-SPPerformancePointServiceApplication], ArgumentException
    + FullyQualifiedErrorId : Microsoft.PerformancePoint.Scorecards.NewSPPerformancePointMonitoringServiceApplication


Solution: grant the fixed sysadmin SQL Server role to the account you run the script as.