Tag Archives: Microsoft 365

Microsoft 365 Search: roadmap and announcements

updated: June 3, 2021

(Old) SharePoint Search: content-centric (SharePoint Search Center)
(New) Modern Search: people-centric (Teams, Office, OneDrive, Delve etc.)

Office graph = codename for collective set of services and insights we generate on top of the infrastructure that fast office graph group developed
= social Intel concepts (SharePoint home, Delve, OneDrive Discoverview) are derivatives of Office graph

Microsoft Graph = API ( including universal search API)
The Graph Search API went General Availability (GA):
– Microsoft Search API in Microsoft Graph
– Use the Microsoft Search API to query data

Microsoft Search API provides one unified search endpoint that you can use to query data in the Microsoft cloud – messages and events in Outlook mailboxes, and files on OneDrive and SharePoint – that Microsoft Search already indexes.

Turing technology – understands you, answers your question e.g. hover over doc -> doc summary (based on “deep speed” AI model)
announcement at Ignite23-pages blog

Modern Search: MS nailed the fundamentals, now start bringing it everywhere – to Teams first, then SharePoint (Nov 2020).

Modern Search Customizations – we’ll take the best from Classic SharePoint Search,
a lot will retire – investing in more flexibility

PnP modern Search
– custom result pages, webparts, branding theme; filters, refiners, scoping control )
pnp modern search – webparts (video)
https://microsoft-search.github.io/pnp-modern-search

Core idea behind Microsoft search is coherence

Bill Baer:
“People use search in a different ways
1) you have organisations who have a well-established intranet built around set of governance controls, a very clean architecture and they want to build a search into that intranet scenario; that’s why a lot of SharePoint capabilities are going to come along with Microsoft search for that particular endpoint
2) then you have other people who live their day in teams“

Shared search engine results page (developed once – transitioned everywhere)
Ctrl-F to search through teams (chats?) (contextual search)
Outlook search – more natural language
Image search (before eoy), +
teams chats, outlook groups conversations, yammer conversation -> bing, office.com, sharepoint
bookmarks (new promoted results)

Targeting bookmarks for the specific audience based on device/OS, region, security groups

SharePoint Search Admin Center -> will be migrated from SharePoint admin center to to Microsoft Search Admin Center transitioning (Search and Intelligence Admin Center) – long-running project custom dictionaries, spelling suggestions – will retire, (move to a graph-driven spellar)

promoted results -> bookmarks
acronyms
Q&A

Graph Connectors
Graph Connectors are generally available (Azure Data Lake Storage Gen2, Azure DevOps, Azure SQL and Microsoft SQL Server, Enterprise websites, MediaWiki, File share, Oracle SQL, Salesforce, ServiceNow + 100+ from partners; New connectors coming to Microsoft Search: Jira Graph connector, Confluence Graph connector).

Graph Connector allows to connect external source of information to Microsoft 365 and makes that data available across all m365 apps and services so you can find what you need wherever you’re working, whether in one of your favorite productivity apps or one of the many Microsoft 365 services such as SharePoint or Office.com

Actionable experiences
Search results on select Graph connectors will soon support actions that will allow users to interact with the result and perform changes to the Connector content within the Search application.

Results clusters
The results shown in a result cluster are grouped together based on the search vertical configuration.

Profile Query variables
Define any attribute from the user’s Profile, as a query variable and it would be resolved during query evaluation (This feature is currently in preview)

Profile enrichment with Graph connectors
…you will soon be able to enrich Microsoft 365 profile properties like Job title, Phone numbers, Skills etc. with data from HRMS systems using graph connectors. …then surface this rich profile information on people experiences like profile cards.

Search Federation
federation capabilities will allow enterprises build and integrate their custom LOB search experiences, customized search providers, into the overall Microsoft Search. With federated search, you can make information from systems where the data cannot leave the systems boundaries available to search across in Microsoft 365 productivity apps and services, without indexing its data with Microsoft Search.

Federation with Azure Cognitive Search

PowerBI search vertical

Custom verticals and custom refiners

Custom result templates – search layout designer – wysiwyg editor
– Manage search result layouts
– Microsoft Search Layout Designer

Standalone Search – AAD identity – Graph connector – Ingest your data – use Search = in Windows 10, Office.com ( e.g. for those who have their data in other productivity suite, have no intent to use m365, but want to search)

More info:

Office 365 Search scopes

References

Current state of SharePoint Search and Microsoft Search scopes

https://techcommunity.microsoft.com/t5/microsoft-search-blog/microsoft-search-at-ignite-2020/ba-p/1651098

https://techcommunity.microsoft.com/t5/microsoft-search-blog/what-s-new-for-microsoft-search-ignite-2020-edition/ba-p/1675291

Bill Baer: What’s new and what’s next for Microsoft Search (May 25, 2021)

Bill Baer on Search:

Microsoft 365 Search Roadmap

Authenticate to Microsoft Graph from PowerShell Interactively

Scenario

You are a developer or power user in a company with Microsoft 365 tenant.
You need to connect to Microsoft Graph and then call Microsoft Graph API to consume some MS Graph resources on behalf of authenticated user programmatically with PowerShell – e.g. add/remove documents or list items, search for sites or documents content etc. – whatever available with Graph API.

You do not have tenant admin permissions or any tenant-level admin permissions (SharePoint, Teams, Exchange etc. ). But you can register an Azure App and request tenant admin consent.

Solution

register an Azure App
under authentication blade – add platform – “Mobile and Desktop app”
add “http://localhost” (and select …/nativeclient Url ?)
under API permissions blade – add delegated permissions you need
(refer to specific API you’ll use)
install MSAL.PS PowerShell module
use the following code to get graph access token and call graph API

$AppId = ""
$TenantId = ""
$connectionDetails = @{
    'TenantId'    = $AppId
    'ClientId'    = $TenantId
    'Interactive' = $true
}

$token = Get-MsalToken @connectionDetails
# or 
$token = Get-MsalToken -TenantId $TenantId -ClientId $appId -Interactive 

$Headers = @{
    'Authorization' = "bearer $($token.AccessToken)"
}

Invoke-RestMethod -Uri 'https://graph.microsoft.com/v1.0/me' -Headers $Headers

You can find the code sample here: https://github.com/VladilenK/

Did not work:

Az PowerShell module did not work for me:

Connect-AzAccount -Tenant ""
$azAccessToken = Get-AzAccessToken -Resource "https://graph.microsoft.com" 

$Headers = @{
  'Authorization' = "$($azAccessToken.Type) $($azAccessToken.Token)"
}

Invoke-RestMethod -Uri 'https://graph.microsoft.com/v1.0/me' -Headers $Headers

As I understand we need somehow let Azure know API permissions we want (e.g. via app registerd)…

PnP did not work for me too:

$url = "https://orgname.sharepoint.com"
Connect-PnPOnline -ClientId "" -Url $url -Interactive 
$pnpToken = Get-PnPGraphAccessToken 
$Headers = @{
    'Authorization' = "bearer $($pnpToken)"
}
Invoke-RestMethod -Uri 'https://graph.microsoft.com/v1.0/me' -Headers $Headers

# did not work as well:
$pnpToken = Get-PnPAppAuthAccessToken
$pnpToken = Get-PnPAccessToken

the error message was (maybe I missed something – please let me know):

“code”: “InvalidAuthenticationToken”, “message”: “Access token validation failure. Invalid audience.”

References

Microsoft: How delegate and app permissions work with Azure AD

Access SPO Site Programmatically via MS Graph API and SharePoint API

Scenario

You are a software developer. Your company uses Microsoft Office 365 (SharePoint, Teams etc.). The need is to work with a specific site collection programmatically (from code – Python, C#, Java, PowerShell, JavaScript etc.) – e.g. upload/download documents, update list items, search etc. The code must run without user interaction (unattended, aka daemon app).

The solution is based on a new Graph API feature – Sites.Selected and a classic SP-Only app.

Solution

Register an Azure App
MS Graph API permissions: add -> Microsoft Graph -> Applications Permissions -> “sites.selected”
Ask SharePoint/Tenant admin run PowerShell code (e.g. this one) to assign proper permissions to your azure app for a specific site collection (consider site owner consent)
SharePoint API permissions:
Site Collection Owner/Admin – use
https://YourTenant.sharepoint.com/teams/YourSite/_layouts/15/appinv.aspx
to add SharePoint API permissions to your app.
Consider minimal permissions (e.g. as per Sumit)

Problem Solved

you get access to one and only one site collection (“least privilege” principal)
you get both – SharePoint API and Microsoft Graph API permissions to SharePoint
you can use app secret or certificate to authenticate – depending on what are your security requirements

References:

SharePoint sites shared with Everyone and Microsoft Delve issue

There is a known problem with Microsoft Delve.

We know SharePoint site permissions are not easy. You can break permissions inheritance at any level – subsite, library, list, folder, list item or specific document. Anybody with full permissions can do that. The worst thing is there is was ^(*1) no one place where site owner could get full permissions report to the site. We must have used third-party tools or PowerShell to have all permissions in one document.

So no wonder SharePoint sites were heavily over-exposed. Especially when a site owner tired with complexity of SharePoint permissions system decided to share resource with “Everyone”. That is the real issue.

Now, what happens when sites are migrated to Microsoft 365 SharePoint Online with Microsoft Delve enabled by default? Delve works as it should work – it suggests to you documents it believes related to you (based on Microsoft Graph insights) and you already have access to.

What happens is people start seeing documents they never new they have access to. Where these documents from? Of course from sites shared with Everyone.

So strictly says, it is not Delve’s problem. It’s more human problem than technological.
Delve just does it’s job, and does perfectly.

How do we solve the issue?

Disable Delve?
Disable search (stop sites crawling and remove results)?
Restrict access to Microsoft Graph ?
e.g. Microsoft KBA on how to disable MS Graph for a specific User

Those methods are half-measure. 1-2-3 methods are just hiding the problem – not solving it. Agree it helps stop the deterioration, bud does not fix the issue.

How do we solve the root cause of the issue?

Of course, we need remove incorrectly provided permissions. How?
Only site owner (data owner) knows which content should be shared with whom with which access rights. So we need to ask sites owners to review their permissions. How?
First, we need a list of over-exposed sites. How? There are two methods
(more details – check this article)
- Brute force – use PowerShell or 3-rd party tool to get permission report on all sites in tenant, select permissions provided for Everyone…
- Smart move – use Microsoft search. As search is security-trimmed, we can search for available content on behalf of a user with no permissions provided.
Then we need a list of sites and their owners. How?
1. tbp
Finally, we need to let every site owner know that his site is Open to everybody and ask to fix it. How?
1. tbp
2. inform the site owner how to get full permissions report to his site,
  e.g. KBA How To Get SPO Site Full Permissions Report
  and video “Full Permissions Report for a Team SPO Site Owner“

References

Office 365 Search scopes

Search is everywhere in Microsoft 365. You can search from SharePoint, Teams, Delve, Yammer etc.

But! From SharePoint you cannot search for Teams chats (*1).
From Teams you cannot search for regular (no-group) sites.
Sites descriptions are totally out of search (including Yammer groups, Teams and regular sites).

So, what are the scopes of each search entry point in Office 365 and is there an entry point you can search for everything?

Search scopes	SharePoint Search center	SharePoint home Office portal Office desktop app Delve	Teams	Bing
SharePoint content	Yes	Yes		Yes
Teams content	Yes	Yes	Yes	Yes
Teams chats		(*1)	Yes	Yes
Yammer content	Yes	Yes		Yes
Yammer chat		(*1)		Yes
User profiles	Yes	Yes
Email

(*1) Microsoft announced they are working on bringing conversations (both Teams chats and Yammer) to SharePoint landing page first, then to Office home page.

Detailed:

	Scope	Out of Scope
SharePoint Search Center	– all sites content (Teams, Yammer, regular), – user profiles – OneDrive	Teams chat Yammer chat
SharePoint Landing Page	same as SharePoint Search center but Teams chats and Yammer Conversations are coming	same as SharePoint Search Center
Office.com	same as SharePoint (Teams chats and Yammer Conversations are coming after SharePoint)	same as SharePoint
Delve
Teams	Teams content Teams chat	OneDrive Yammer User Profiles regular SharePoint sites
Bing	Everything*	* except people profiles content (e.g. about me)

Seems like the only tool you can search for EVERYTHING with is Microsoft Bing:

After Microsoft add Teams chats and Yammer conversations to SharePoint landing page search scope (then to Office home page) – it’ll be the best place to search from for everything.

More on Microsoft Search vs SharePoint Search and Microsoft Search RoadMap

Microsoft Office 365 Search: Find what you need with Microsoft Search in Bing

It is possible customize Modern Microsoft Search pages with PnP Modern Search