Tag Archives: SharePoint

Track Service Principals in Microsoft 365

Scenario

Developers in the organization use both – Azure Apps and SharePoint Apps to work with SharePoint sites in their “daemon” applications. You want to know – what are SharePoint Apps registered, who register SharePoint Apps.

One of the approaches – track Apps/Owners with Unified Audit Log

Use Unified Audit Logs

The following PowerShell code:

$operations = 'Add service principal.'
$recordType = 'AzureActiveDirectory'
Search-UnifiedAuditLog -StartDate $start -EndDate $end -ResultSize $resultSize -Formatted -Operations $operations -RecordType $recordType

returns events with operation = ‘Add service principal.’ Nice, but…
if an app was registered in Azure – event will contain user UPN under UserIds property:

Unfortunately, in case with registering app in SharePoint, an audit log event will be like:

i.e. UserId registerd is “spo_service@support.onmicrosoft.com”, so we do not know who registered a SharePoint-only app

I’m wondering – can we use events recorded immediately before and after “Add service principal” event to track a user who has registered a SharePoint-only app…

References

Connect-PnPOnline with a certificate stored in Azure Key Vault

Scenario

You need to run some PnP PowerShell code unattended (daemon app, with no user interaction) against SharePoint and/or Azure AD. PnP require authentication with a certificate. You want certificate stored securely in Azure Key Vault.

Solution

  • create a self-signed certificate
  • register an application in Azure
  • add API application permissions to the app
  • upload the certificate to the app
  • create an Azure Key Vault
  • provide permissions to the Key Vault for the user
  • run Connect-AzAccount
  • upload certificate to the Key Vault manually (with GUI)

now you can run this code and it will not ask you to login:

# set parameters:
$orgName = "orgname" 
$clientID = "" # Client ID
$VaultName = "" # Azure Key Vault Name
$certName = "" # Certificate Name as in Azure Key Vault
$tenant = "$orgName.onmicrosoft.com"
$adminUrl = "https://$orgName-admin.sharepoint.com"
# run the following
$secretSecureString = Get-AzKeyVaultSecret -VaultName $vaultName -Name $certName 
$secretPlainText = ConvertFrom-SecureString -AsPlainText -SecureString $secretSecureString.SecretValue
Connect-PnPOnline -Url $adminUrl -ClientId $clientID -CertificateBase64Encoded $secretPlainText -Tenant $tenant 

The same PowerShell code in GitHub: https://github.com/VladilenK/PowerShell/blob/main/PnP/Connect-PnPOnline-with-certificate.ps1

References:

https://docs.microsoft.com/en-us/powershell/module/az.keyvault/get-azkeyvaultcertificate?view=azps-5.3.0

https://stackoverflow.com/questions/43837362/keyvault-generated-certificate-with-exportable-private-key

SPO: Allow users to create modern pages

Microsoft: “Using modern pages in Microsoft SharePoint is a great way to share ideas using images, Office files, video, and more. Users can Add a page to a site quickly and easily, and modern pages look great on any device.
If you’re a global or SharePoint admin in Microsoft 365, you can allow or prevent users from creating modern pages. You can do this at the organization level by changing settings in the SharePoint admin center. If you allow the creation of site pages as the organization level, site owners can turn it on or off at the site level.

By default both
– Allow users to create new modern pages
– Allow commenting on modern pages
are turned on (enabled)

Tenant or SharePoint admin can find settings under
SharePoint Admin Center -> Settings -> Pages

How it looks like:

Site Pages are created under “Pages” Library.

Let us test it, with:
– (tenant-level) Allow users to create new modern pages: ON
– (tenant-level) Allow commenting on modern pages: ON
– web feature “Site Pages” – “Allows users to add new site pages to a site”: Activated

User
Permissions
can create Pagecan edit pagecan Enable/Disable
page comments
can comment on Page
Full Control (Owner)YesYesYesYes
Edit (Member)YesYesYesYes
Read (Visitor)NoNoNoYes

There is a web feature “Site Pages” – “Allows users to add new site pages to a site”.
The feature is activated by default:

What if we disable this feature?
“New -> Page” has disappeared from “New” menu under “Site Contents” for Owners and Members…
From “Home” and “Pages” you still can see “New -> Page” options.
You can still create a new page from but if you try to create a page from Pages – “Sorry, something went wrong” “Cannot create a Site Page. Please have your administrator enable the required feature on this site.” :

Office 365 behavior, with:
– (tenant-level) Allow users to create new modern pages: ON
– (tenant-level) Allow commenting on modern pages: ON
– web feature “Site Pages” – “Allows users to add new site pages to a site”: Deactivated

User
Permissions
can create Pagecan edit pagecan Enable/Disable
page comments
can comment on Page
Full Control (Owner)Yes,
but only from “Home”
not from “Site Contents” or “Pages”
YesYesYes
Edit (Member)Yes,
but only from “Home”
not from “Site Contents” or “Pages”
YesYesYes
Read (Visitor)NoNoNoYes


If we disable feature “Site Pages” – “Allows users to add new site pages to a site” on the root web – it does not affect subsites (subwebs).

Can we Activate/Deactivate the feature “Site Pages” using PowerShell?

PowerShell

(TBP)

References
– Microsoft “Allow users to create and comment modern pages

See also:
Allow commenting on modern pages

Office 365 Search scopes

Search is everywhere in Microsoft 365. You can search from SharePoint, Teams, Delve, Yammer etc.

But! From SharePoint you cannot search for Teams chats (*1).
From Teams you cannot search for regular (no-group) sites.
Sites descriptions are totally out of search (including Yammer groups, Teams and regular sites).

So, what are the scopes of each search entry point in Office 365 and is there an entry point you can search for everything?

Search scopesSharePoint
Search center
SharePoint home
Office portal
Office desktop app
Delve
TeamsBing
SharePoint contentYesYesYes
Teams contentYesYesYesYes
Teams chats(*1)YesYes
Yammer contentYesYesYes
Yammer chat(*1)Yes
User profilesYesYes
Email
(*1) Microsoft announced they are working on bringing conversations (both Teams chats and Yammer) to SharePoint landing page first, then to Office home page.

Detailed:

ScopeOut of Scope
SharePoint Search Center– all sites content
(Teams, Yammer, regular),
– user profiles
– OneDrive
Teams chat
Yammer chat
SharePoint Landing Pagesame as SharePoint Search center
but Teams chats and Yammer Conversations are coming
same as SharePoint Search Center
Office.comsame as SharePoint
(Teams chats and Yammer Conversations are coming after SharePoint)
same as SharePoint
Delve
TeamsTeams content
Teams chat
OneDrive
Yammer
User Profiles
regular SharePoint sites
BingEverything* * except people profiles content
(e.g. about me)

Seems like the only tool you can search for EVERYTHING with is Microsoft Bing:

After Microsoft add Teams chats and Yammer conversations to SharePoint landing page search scope (then to Office home page) – it’ll be the best place to search from for everything.

More on Microsoft Search vs SharePoint Search and Microsoft Search RoadMap

Microsoft Office 365 Search: Find what you need with Microsoft Search in Bing

It is possible customize Modern Microsoft Search pages with PnP Modern Search

SharePoint PnP roadmap

Good news!
On Sep, 18 during the SIG community call, PnP Team shared their plans on PnP Sites Core library and PnP Core SDK.
“PnP Sites Core v4” library and “PnP Core SDK v1” with .net core support (.net Standard 2.0) – expected in December 2020!

PnP PowerShell v4 for SPO library built for .Net Standard 2.0 / PowerShell 7 will be released in Dec 2020 as well.

How to create a Sub-Site if subsites creation is disabled

Microsoft recommend “flat structure”, i.e. no subsites. So SPO admins are disabling subsites creation at tenant level. Did you know that you still can create subsite? Let me explain how it is done.

If creation subsites is allowed, you should be able to see it like this:

But actually subsites are not always best practice. Microsoft recommend “flat structure”, i.e. instead of subsite you should have a separate site collection, and if you need a hierarchy and navigation – use Hub sites. So, in Office 365 SharePoint admins usually “disable” SubSites creation:

Now, you see, SubSites are not really disabled, but only the button to create subsites is hidden: “This controls whether the Subsite command appears on the New menu on the Site contents page”.

Anyway, the result is: you are not able to create a SubSite (web) in SharePoint Online:

Actually there are at least 3 options to create a SubSite:

Option 1. Create a SubSite in Classic mode.

Step 1: Select “Site Contents” page
Step 2: Click “Return to classic SharePoint”
Step 3: Create SubSite

Option 2. Create a SubSite from “Sites and Workspaces” page

Step 1: Go to “Site Settings”
Step 2: Select “Sites and Workspaces” page (site/_layouts/15/mngsubwebs.aspx)
Step 3: Create a SubSite

Option 3: use PowerShell PnP

Step 1: Install PowerShell PnP
Step 2: Connect to your site with PnP
Step 3: create a SubSite

Install-Module SharePointPnPPowerShellOnline
Connect-PnPOnline -Url <your site Url> -UseWebLogin
New-PnPWeb -Url "<new Web Url>" -Title "MySubSite" -Template "STS#3"

References:

See also: How to create a SharePoint Site in Office 365 if site creation is disabled

How to find a public team by name (in Microsoft Teams)

Quick and simple answer: use SharePoint Search center or Microsoft Search, (or Bing if it is integrated).

Detailed explanation on how to find a public Team

In Microsoft Office 365, under MS Teams, there are 3 team types:

  • Private team
  • Public team
  • Org-wide team

Private team: you can only join the team if you are invited or know the team code.
SharePoint site behind the private team is shared only to members – not for everyone. You cannot see team name or description or content until you are team member (details). You are not able to search for the team name or content.

Public team: you can join the public team if you wish. The site behind the public team is shared with everyone except external users, so you can see public team name and description, but from MS Teams (desktop or web application) you cannot see public team content until you are team member.

Org-wide team: you are joined the team automatically (details)

From Teams – you can click on “Join or create a team” and you should be able to see some public teams (but not all):

See how Microsoft describes it – Find and Join a team

There is a “Search teams” box at the top right,
so what if you are looking for a specific public team (not in the list) …

Scenario 1

You know exact team name or at least some first letters.
Solution: You are lucky. Just start typing team name in search bar at top right and hit “enter”- you will see shortened list of public teams matching your search criteria:

NB: do not use wildcards, it will not work:

NB: do not use top search bar, it will not work:

Scenario 2

You want to join a public team, but you do not know exact team name.
You know (or guess) something about the team, like

  • part of the team name
  • part of the team description
  • some keywords from team content files

Unfortunately, in this case both great Microsoft technologies – Search and Team – fail. You will not be able to find a public team:

Solution: use SharePoint search
SharePoint site is created once a team is created.

For public teams – SharePoint site has “Everyone except external users” by default in “Members” group:

which means literally “Everyone except external users” has access to the site with “Edit” permissions.

SharePoint search is security-trimmed, i.e. you will see the site content in search results only if you do have access to the site. So just go to the SharePoint or SharePoint search center and search for what you know or guess about the team:

You can use all the power of SharePoint search (wildcards, refiners, keyword query language KQL etc)

Once you found something – you can go to the SharePoint site:

Now from the site – look at the site name and hover the mouse over the site name – you’ll see pop-up window.
Now you know exact team name – and you can search for the team under Teams,
or, if you are so lucky you see “Join” button – just join the team.click site title or hove over the site title:

One moment – you cannot see team’s chat messages in SharePoint, as chats are kept in Azure. But you can search for chat content after you joint the team.

Somehow both – SharePoint Search and Teams Search are not working against site/team description. Hopefully this bug will be addressed.

You can also search for site Url in teams.
When you create a team – Office 365 generates a short team name (removes spaces and adds numbers if the team name is not unique; e.g. if the team name “Test” you might have “test381” as a short name, but if the team name is “This Is My Unique Team” – short name might be “ThisIsMyUniqueTeam”).
After you can change team name and/or SharePoint site name.
Team search under MS teams work for both names – short name initially assigned (kept as site specific Url) and new team name. But only starting with the beginning of the string.

Related articles:

p.s. Thanks to “Birds of Kazakhstan” for pictures

btw, there is a good video tutorial on how to find a public team in Office 365 using full-text search

Create a SharePoint Site in Office 365 when it is disabled

By default site creation is enabled and anybody can create a new site collection from SharePoint start page :

with two options: “Team site connected to an Office 365 group” and “Communication site”

SharePoint administrator might disable Sites creation. In Office 365 under SharePoint Admin Center -> Settings -> Site Creation there is “Let users create sites from the SharePoint start page and OneDrive”:

Under classic settings page -> Site Creation it is called “Show the Create site command” with explanation “Display the Create site command on the SharePoint home page and in the sites list in OneDrive so users can create new sites”:

If site creation is disabled, user will not see “+ Create site” in SharePoint landing page:

The fun part is users are still able to create a new Office-365 group based site collection
as “Let users create sites from the SharePoint start page and OneDrive” means literally “from the SharePoint start page and OneDrive” and does not mean you cannot create a site from other places. The same with “Show the Create site command” as it is literally about “Show…command” but not “disable … command”.

Option 1: from OneDrive, using “Create shared library”:


Option 2: using direct link:

Use Direct link: https://changeThisToYourTenantName.sharepoint.com/_layouts/15/CreateGroup.aspx
e.g.
https://contoso.sharepoint.com/_layouts/15/CreateGroup.aspx

Option 3: from teams:

and worth to mention that from Teams anybody can create a Team and a corresponding SharePoint site:

Unfortunately, if sites creation is disabled, you cannot create a communication site.

How to disable self-sites creation for real

The only way to limit self-site creation is using PowerShell:
– create a security group
– add to this group users who will be able to create sites
– via PowerShell Set-AzureADDirectorySetting command set “GroupCreationAllowedGroupId” property
Microsoft: “Manage who can create Groups

Office.com OneDrive icon

OneDrive vs OneDrive vs Personal Site

 

Microsoft sells OneDrive as a personal cloud storage service… But There are actually two separate products behind the service, and each product provides more than “personal cloud storage service”…

What is OneDrive? What is the difference between OneDrive and Personal SharePoint site? Let’s see…

When you login to Office.com, you can click on OneDrive icon:
Office.com OneDrive icon

and you will found yourself at OneDrive site, so

one OneDrive is a SharePoint Personal site:

OneDrive - SharePoint Personal Site

The other OneDrive is a desktop application

i.e. program that runs in the background and synchronizes files from your personal SharePoint site (“first OneDrive”) to your local machine and back:

OneDrive as a desktop application - installed

OneDrive as a desktop application - running OneDrive as a desktop application - running in the background

Below is OneDrive desktop application in Windows File Explorer. Please notice how “test 01.txt” file and “test 02” folder are synchronized to first OneDrive.

OneDrive desktop application syncs data from Personal SharePoint Site

Confused? No? Wanna more?

Here are some more confusing details…

Using OneDrive desktop application you can synchronize your regular SharePoint site library with your desktop computer.

Here is a regular SharePoint site (Test23) with a LibUnderSharePoint library. You can click on the “Sync” button:

SharePoint site Library - Synchronized to Onedrive

and see the magic! Now you have another folder on your local Windows machine:

OneDrive Syncs SharePoint site

– but this time OneDrive synchronizes it to regular SharePoint site.

 

There is also a “Personal OneDrive” – the same as regular OneDrive but free…
(again, do not be confused: initially there was just OneDrive – free personal version and OneDrive for Business – version you could have with Office 365 subscription; now they are Onedrive and Personal OneDrive 🙂 )

OneDrive is a Microsoft thing. 
Google has “Drive File Stream” (Google drive)
Dropbox – Dropbox sync