SharePoint Online – Office 365 for IT Pros (https://office365itpros.com): Mastering Office 365 and Microsoft 365

SharePoint Online Deletion of Non-Empty Folders
https://office365itpros.com/2024/05/15/folder-deletion-sharepoint/ (Wed, 15 May 2024)

Folder Deletion with Items in Place Makes it Easier to Clean Out Old Material

SharePoint Online used to block deletion of files with retention labels. In late 2021, Microsoft decided to make the deletion behavior consistent across SharePoint Online and OneDrive for Business by allowing deletions to occur. Files with retention labels went into the site recycle bin and progressed into the preservation hold library until their retention period expired. After that point, a timer job finds and removes the expired files.

Another welcome change to SharePoint deletion behavior is now rolling out (MC791878, 11 May 2024, Microsoft 365 roadmap item 394689) and should be fully deployed worldwide around this time. The change allows users to delete folders in document libraries that aren’t empty in sites covered by a Purview retention policy.

Removing Old Material with Folder Deletion

This doesn’t sound important, but being able to delete folders without having first to open the folder and remove all the files stored there is the way things should have worked all along. A case can be argued that allowing people to delete folders without checking what’s stored in the folder could lead to inadvertent removal of information.

However, the case is undermined by the fact that the deleted folder (and its items) goes into the recycle bin from where it can be recovered. Even if the deleted folder passes through the normal SharePoint Online recycle bin cycle, administrators can still rescue the files from the site preservation hold library. When a deleted file is restored from the recycle bin, SharePoint Online recreates the folder in the original location if necessary.

The only problem I met testing deletions is when attempting to delete an empty folder and a non-empty folder together. For some bizarre reason, SharePoint Online used the old behavior and refused to remove the non-empty folder (Figure 1). SharePoint Online was quite happy to remove the same folder if processed individually.

Figure 1: Folder deletion runs into a problem

Very importantly, after deleting a non-empty folder, OneDrive for Business will not attempt to synchronize the deleted folder back from its offline copy.

Checking Retention Status for SharePoint Sites

If a tenant uses multiple retention policies, it can be challenging to determine which policy governs an individual site or mailbox. To help, the Data lifecycle management section of the Purview compliance portal includes a policy lookup option. At first glance, the list of retention policies shown in Figure 2 seems overwhelming, but several different types of policy are present, including some to publish retention labels to the site and auto-label policies that use trainable classifiers to label files with certain characteristics.

Figure 2: Checking retention policies for a SharePoint Online site.

Because multiple policies can have a specific site within their scope, it’s important to note the purpose of each policy in the description.

Why is it Important to have easier Folder Deletion?

Some people never delete any material from SharePoint Online. At least, they don’t until they’re forced to because the tenant storage quota is nearly exceeded, and they want to avoid purchasing some expensive additional storage. The problem here is that deleting non-empty folders in sites governed by retention policies won’t help with a storage quota issue because files retained in the preservation hold library count against the quota. In some cases, the preservation hold library can occupy 40% or more of the storage used by a site.

It’s wise to keep an eye on the storage consumed by sites and then investigate the sites where storage consumption seems excessive. I use a Graph-based PowerShell script to generate a report of individual files in a document library to help understand where storage is eaten up. Obviously, after identifying unwanted files and folders, being able to remove those files more easily is a good thing.

Another reason why it’s good to clean up document libraries is that it stops Artificial Intelligence tools like Copilot for Microsoft 365 using old, obsolete, and potentially inaccurate information. Removing digital debris is something I think we’re all going to become more serious about as the AI era unfolds.


Keep up to date with developments like the AI era for Microsoft 365 by subscribing to the Office 365 for IT Pros eBook. Our monthly updates make sure that our subscribers understand the most important changes happening across Office 365.

SharePoint Marks Its 23rd Anniversary
https://office365itpros.com/2024/03/29/sharepoint-history-23-years/ (Fri, 29 Mar 2024)

SharePoint Online is a Huge Success But Dark Clouds Lurk Ahead

March 27 marked the 23rd anniversary of SharePoint Portal Server 2001, the forerunner of what we have today in SharePoint Server and SharePoint Online. The date in SharePoint history was marked by several tweets, including one from the urbane Mark Kashman, the well-known SharePoint marketeer. The tweet included an updated timeline for SharePoint (Figure 1), refreshed from an original version issued to celebrate the product’s 20th anniversary.

Figure 1: The history of SharePoint according to Microsoft

I debate the accuracy of some of the dates listed in the SharePoint history. For instance, Delve and the original Office 365 Video solution are listed for 1 January 2024. My recollection is that these solutions were revealed at the first Ignite conference in May 2015 as part of the “next generation knowledge” portals promised by Microsoft at the time. As we know, marketing promises don’t always transfer into actual technology at the predicted date. Delve and Office 365 Video arrived, but the next generation knowledge portals never did. There’s also no mention of Office 365 Groups (now Microsoft 365 Groups), something that has had a huge impact on SharePoint Online.

Personal SharePoint History

Although I am probably better associated with Exchange, I have a long history with SharePoint going back to Portal Server 2001, which I had deployed at Compaq soon after its release in a nascent attempt to persuade technologists to share their knowledge with their peers. I even helped Microsoft Latin America launch SharePoint Portal Server 2001 at an event in Cancun.

SharePoint Portal Server 2001 worked well at a certain level and I took it forward into HP after the HP-Compaq merger in 2002 where it displaced a large UNIX cluster that HP Services used for document management.

As SharePoint Server developed, I became exasperated at the development group’s attempts to build what seemed to be everything into a single server instead of focusing on document management. I thought that SharePoint Server 2007 was a mess and expressed that view quite strongly, something that didn’t make me many friends in Microsoft. The 2010 and 2013 releases weren’t much better. The zenith of incompatibility within the Office server lineup was reached when Microsoft tried to make Exchange and SharePoint work together in the ill-fated site mailbox project. Only 53 operations had to be carried out with absolute precision to make the two servers co-operate.

The Cloud Made the Difference

SharePoint achieved its full potential in the cloud. Administrators were freed from the task of looking after server farms and could concentrate on leveraging the product’s strengths in document management.

The introduction of Teams in 2017 helped enormously by providing a more user-friendly face for document storage. The growth in Teams usage to 320 million monthly active users propelled SharePoint Online usage into the stratosphere to a point where petabytes of data are added monthly.

The introduction of SharePoint Embedded as a platform for developers to build on is an interesting evolution to encourage even further usage. The Loop app is a good example of an app that uses SharePoint Embedded for storage with a UI that has no connection to what people might think of as traditional SharePoint.

Dark Clouds on the Horizon

Everything seems to be on the up in the SharePoint world, but I see some clouds on the horizon. The fact that Microsoft has been forced to introduce Restricted SharePoint Search to allow customers to progress Copilot for Microsoft 365 projects is an admission of failure in information governance.

Restricting users to searching 100 curated sites might seem like a good answer, but it admits that the tens of thousands of sites created by Teams are an unmanageable tangle. Inside those sites obsolete, misleading, and erroneous information might lurk in documents ready to corrupt the results generated by Copilot. It’s perhaps the greatest challenge faced by those considering Copilot deployments.

Digital debris is a big black cloud over SharePoint. Copilot is an accelerant that highlights the issue, but Microsoft 365 customers without Copilot should also focus on gaining control over the information held in SharePoint. This is a wake-up call for tenants to ask questions about how they control the creation of sites (with or without Teams), how documents are stored and managed, how they use retention policies to remove old information, and so on. The issue won’t go away. It grows worse every day as users add petabytes of documents to SharePoint Online and OneDrive for Business.

The Microsoft 365 conference takes place in a month’s time. I’m sure that the SharePoint community will applaud the achievements and popularity of the platform. I hope that they take some time to address the information governance issue and that the current threat to continued success in SharePoint history abates.


Full SharePoint Online Support for PDFs with Sensitivity Labels
https://office365itpros.com/2023/07/20/sensitivity-label-pdf/ (Thu, 20 Jul 2023)

Sensitivity Label PDF Support Increases Coverage for Protection

In my review of sensitivity labels for 2023, I noted that the only way to apply a sensitivity label directly to a PDF was with:

  • The paid-for versions of Adobe Acrobat.
  • Generating PDFs from Office documents (subscription apps only).
  • Applying a label through the unified labeling client.

Unlike retention labels, it wasn’t possible to apply a sensitivity label to a PDF using the SharePoint Online browser client. Now it is, and it’s an important update given the widespread use of PDFs within Microsoft 365. Between Office documents and PDFs, sensitivity labels can now protect over 90% (my estimate) of all files stored in SharePoint Online and OneDrive for Business. It’s another step to making PDFs a fully functional format within the Microsoft Information Protection ecosystem.

What Sensitivity Label PDF Support Means for SharePoint Online

In an update announced by principal program manager Sanjoyan Mustafi on LinkedIn, the preview of SharePoint Online support for PDFs is available to all commercial tenants worldwide. Support extends to sensitivity labels with predefined permissions. Labels with user-defined permissions or those that use Double Key Encryption (DKE) are unsupported.

Supporting sensitivity labels for PDFs means that people can use SharePoint Online and OneDrive for Business to:

  • Apply sensitivity labels to PDFs through the browser interface (Figure 1) and amend or remove the label afterwards, including forcing the user to provide justification if required by policy. This includes applying the default sensitivity label defined for a document library to PDFs as users load them into the library (requires the SharePoint-Syntex advanced management license).
  • Apply sensitivity labels to PDFs stored in SharePoint Online and OneDrive for Business through auto-label policies. This feature is covered in message center MC644060 (14 July, 2023).
  • Apply sensitivity labels to PDFs using the assignSensitivityLabel Graph API (if your app has permission to do so).
  • Display the names of sensitivity labels for protected PDFs in document libraries.
  • Index the content of PDFs protected by sensitivity labels. This supports Microsoft Purview solutions like Data Loss Prevention, content searches, and eDiscovery.

Figure 1: Applying a sensitivity label to a PDF in SharePoint Online

Like Office documents protected by a sensitivity label with encryption, SharePoint Online can’t display a thumbnail of a protected PDF (Figure 2). I believe that this has something to do with the inability to fetch the necessary use license to decrypt the file. Thumbnails are shown for PDFs assigned a sensitivity label with no encryption. To open a document, use the Edge browser (which supports reading protected files) or download the file and use an app that understands how to open protected PDFs (like Acrobat).

Figure 2: No thumbnail available for a protected PDF

I hear that Microsoft is working on the viewing issue and expects to have a fix by the end of 2023.

Enabling Sensitivity Label PDF Support for SharePoint Online

By default, SharePoint Online support for PDFs is disabled. To enable support, load the SharePoint Online administration PowerShell module and run the Set-SPOTenant cmdlet. You’ll need a recent version of the module (use this script to update your Microsoft 365 modules to the latest version):

Set-SPOTenant -EnableSensitivityLabelforPDF $True

To revert, run the command to update the setting to $False.

Set-SPOTenant -EnableSensitivityLabelforPDF $False

Disabling SharePoint support for PDFs has no effect on PDFs with sensitivity labels. It will stop users being able to assign or update labels through the SharePoint Online and OneDrive for Business browser interfaces and SharePoint Online will cease indexing protected PDF content.

If you don’t want to use PowerShell, check the Information protection section of the Purview compliance portal, and go to Auto-labeling. You might see a message inviting you to turn on support for PDFs. If you do, select Turn on now and the job is done.

More information about PDF support for sensitivity labels in SharePoint Online is available in Microsoft documentation.

Sensitivity Label PDF Support is an Important Step Forward

I don’t think it is an exaggeration to say that some organizations have been waiting years for PDF support to arrive in SharePoint Online. Given the widespread use of PDFs in many organizations, this is an important step forward for those wishing to protect their most sensitive information stored in SharePoint Online and OneDrive for Business.


SharePoint Online Block Download Policy for Teams Meeting Recordings
https://office365itpros.com/2023/03/21/spo-block-download-file-policy/ (Tue, 21 Mar 2023)

Block Download Policy covered by Syntex-SharePoint Advanced Management License

Microsoft launched the Syntex-SharePoint Advanced Management license into preview in late January 2023. The license is now generally available and costs $3/user/month. Since news about the license emerged, people have been figuring out if the features covered by the license are worth the cost by examining details of the features it enables. Now a new block download file policy is available for Teams meeting recordings.

Blocking Downloads and Teams Meetings

In February, I covered the Block Download Policy for SharePoint Online, a feature in Syntex-SharePoint Advanced Management to limit users to browser access when interacting with content stored in sensitive sites. Blocking downloads for Teams recordings is a similar feature that’s now available in preview. The big difference is that the block download policy applies tenant-wide for all Teams recordings created after the block comes into force in both SharePoint Online sites (for channel meeting recordings) and OneDrive for Business (for personal meeting recordings).

Clearly Microsoft is responding to a customer need to make Teams meeting recording more secure. Blocking downloads removes the worry that someone with access to a recording of a sensitive meeting can download it before the meeting file automatically expires.

Tenant-Wide Block Download Policy Applied With PowerShell

As noted above, the block is tenant-wide. No GUI is currently available in the SharePoint Online admin center, so management of the block is by running the Set-SPOTenant cmdlet from the SharePoint Online management module.

Make sure that you run an up-to-date version of the module (I used 16.0.23408.12000) as otherwise the Set-SPOTenant cmdlet won’t support the necessary parameters. Keeping modules like Exchange Online management, Teams, SharePoint Online, and the Microsoft Graph PowerShell SDK up to date is an important task. Ideally, you should check and update modules monthly. As it’s always nice when PowerShell looks after PowerShell, here’s a script to automate the process, including tidying up by removing old module files afterward.

To impose the block, use Set-SPOTenant to set these parameters:

  • BlockDownloadFileTypePolicy from $False (the default) to $True.
  • BlockDownloadFileTypeIds to “TeamsMeetingRecording.” This is the only value currently supported by the cmdlet.
  • ExcludedBlockDownloadGroupIds to the identifiers of security groups whose members you want to exclude from the block download policy. You can’t use Microsoft 365 groups to exclude accounts. This parameter can be left blank if you want the policy to apply to all accounts. If you want to specify multiple security groups, do so in a comma-separated list.

Here’s the command I ran in my tenant to enable the block policy and check its settings afterward:

Set-SPOTenant -BlockDownloadFileTypePolicy $True -BlockDownloadFileTypeIds TeamsMeetingRecording -ExcludedBlockDownloadGroupIds "dc637020-4b0f-4f65-bdf0-3c7dbe8a83e7"

Get-SPOTenant | Format-List BlockDownLoadFile*, ExcludedBlock*

BlockDownloadFileTypePolicy   : True
BlockDownloadFileTypeIds      : {TeamsMeetingRecording}
ExcludedBlockDownloadGroupIds : {dc637020-4b0f-4f65-bdf0-3c7dbe8a83e7}

It can take up to a day before a policy update becomes effective across SharePoint Online. Before it is effective, anyone can download a Teams meeting recording (Figure 1).

Figure 1: The option to download a Teams recording is available

When the block download policy is effective, users don’t see the download options for recordings created after the effective date (Figure 2).

Figure 2: The Block download policy stops users downloading Teams meeting recordings

It’s important for users to understand that they are only blocked for new recordings. At least, while the feature is in preview. However, when the block download policy is generally available, a background agent will search for older Teams meeting recordings stored in SharePoint Online and OneDrive for Business and mark the files as blocked for download. Although I can see why customers would want this to happen, the fact is that many of the Teams recordings will age out and disappear in a relatively short period unless users take explicit action to retain the files.
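
Because both the block download policy described here and the EnableSensitivityLabelforPDF setting covered in the sensitivity label article are tenant-wide switches with no GUI, it is worth checking them periodically for drift, especially for security groups added to the exclusion list. The following is an added example, not a script from the original articles: the function names and the baseline are hypothetical, the sample object is constructed, and it assumes Get-SPOTenant exposes properties with the same names as the Set-SPOTenant parameters.

```powershell
# Added example: compare SharePoint Online tenant settings with an approved baseline.
# Property names come from the Set-SPOTenant parameters and Get-SPOTenant output
# shown in the articles; function names and sample data are hypothetical.

function ConvertTo-NormalizedSet {
    param($Value)
    # Treat scalars, arrays and $null alike: sorted, de-duplicated, lower-case strings
    @($Value) |
        Where-Object { $null -ne $_ } |
        ForEach-Object { "$_".ToLowerInvariant() } |
        Sort-Object -Unique
}

function Test-SpoTenantBaseline {
    [CmdletBinding()]
    param(
        # Object returned by Get-SPOTenant, or a stand-in with the same properties
        [Parameter(Mandatory)] [object] $Tenant,
        # Setting name -> approved value; arrays are compared as unordered sets
        [Parameter(Mandatory)] [hashtable] $Baseline
    )
    foreach ($name in ($Baseline.Keys | Sort-Object)) {
        $expected = (ConvertTo-NormalizedSet -Value $Baseline[$name]) -join ','
        $property = $Tenant.PSObject.Properties[$name]
        if ($null -eq $property) {
            # An out-of-date management module does not surface newer settings
            $status = 'Missing'
            $actual = $null
        }
        else {
            $actual = (ConvertTo-NormalizedSet -Value $property.Value) -join ','
            $status = if ($actual -eq $expected) { 'OK' } else { 'Drift' }
        }
        [pscustomobject]@{
            Setting  = $name
            Status   = $status
            Expected = $expected
            Actual   = $actual
        }
    }
}

# Approved baseline (assumption: one exclusion group, the GUID used in the article).
$baseline = @{
    EnableSensitivityLabelforPDF  = $true
    BlockDownloadFileTypePolicy   = $true
    BlockDownloadFileTypeIds      = @('TeamsMeetingRecording')
    ExcludedBlockDownloadGroupIds = @('dc637020-4b0f-4f65-bdf0-3c7dbe8a83e7')
}

# Constructed sample standing in for Get-SPOTenant output (not real tenant data):
# PDF label support is off and an unapproved placeholder group has been excluded.
$sampleTenant = [pscustomobject]@{
    EnableSensitivityLabelforPDF  = $false
    BlockDownloadFileTypePolicy   = $true
    BlockDownloadFileTypeIds      = @('TeamsMeetingRecording')
    ExcludedBlockDownloadGroupIds = @(
        'dc637020-4b0f-4f65-bdf0-3c7dbe8a83e7',
        '00000000-0000-0000-0000-000000000000'
    )
}

Test-SpoTenantBaseline -Tenant $sampleTenant -Baseline $baseline |
    Format-Table -AutoSize

# Live use, after Connect-SPOService:
#   Test-SpoTenantBaseline -Tenant (Get-SPOTenant) -Baseline $baseline
```

A Missing status usually means the installed SharePoint Online management module is too old to report the setting, which is the same reason Set-SPOTenant would reject the parameters.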

Available in Preview Now

SharePoint Online’s block download policy for Teams recordings is available in preview. After Microsoft makes the block download policy generally available, you’ll need to buy some Syntex-SharePoint Advanced Management licenses to continue using the policy or the block download policy will stop working (perhaps much to the relief of some users!).


SharePoint Online Gets Closer to Azure AD
https://office365itpros.com/2023/03/20/azure-ad-b2b-collaboration-spo/ (Mon, 20 Mar 2023)

Azure AD B2B Collaboration and Guest Accounts for SharePoint Sharing

Two recent message center notifications highlight closer integration between SharePoint Online and Azure AD. MC526130 (11 March) says that new tenants created after March 31, 2023 will automatically enable the SharePoint Online integration with Azure B2B integration. Existing tenants aren’t impacted by this change. The associated update, also scheduled for roll-out in late March, is MC525663 (10 March). The news here is that SharePoint Online site sharing will use the Azure B2B Invitation manager instead of the legacy SharePoint Invitation Manager (Microsoft 365 roadmap item 117557).

Rationalization Around Azure AD

The two updates rationalize existing sharing methods with external users and focus on Azure AD as the driving force for managing invitations. The journey toward Azure AD B2B Collaboration started in 2021, so it’s been a while coming. The project makes a lot of sense for both customers and Microsoft (their gain is through reduced engineering expenses).

Ten years ago, it was reasonable for SharePoint to manage site sharing invitations. Today, when the site collection-based architecture is replaced by single-sites and most sharing occurs through Microsoft 365 groups and Teams, it’s illogical for SharePoint Online to have its own mechanism. 280 million monthly active Teams users create a lot of work for SharePoint.

Another factor is that site sharing with external users is a relatively uncommon action today. Most external users join groups or teams and gain access to the group-connected site. Although non-group connected sites do exist, they’re in the minority and some of those sites (like hub and communication sites) aren’t candidates for sharing with external people. And of course, even site owners might be blocked from sharing sites by a sensitivity label.

Time to Review Applicable Policies

Overall, I don’t think the change will disrupt many organizations. As Microsoft notes, “You may want to review your Azure B2B Invitation Manager policies.” Two policies are worthy of note. The first is the Azure B2B Collaboration policy, which includes an allow or deny list (but not both) of domains.

The policy is now found under Collaboration restrictions in the External Identities section of the Azure AD admin center (Figure 1). It is commonly used to block sharing with consumer domains (deny list) or to restrict collaboration to a set of known domains belonging to partner organizations (allow list). If the organization already supports guest accounts, it’s likely that the collaboration policy already exists. Even so, changes like this are useful reminders of the need for regular review of any policy that affects how external people access tenant resources.

Figure 1: Azure AD B2B Collaboration policy settings

Azure AD cross-tenant access policies are a more powerful and flexible mechanism to control external access through both Azure B2B collaboration and Azure AD direct connect (used for Teams shared channels). Cross-tenant access policies are still relatively new and don’t need to be implemented unless required for a specific reason, so your tenant might not use them yet.

Although the Azure AD B2B Collaboration policy is likely to dominate for the immediate future, over time, I expect a slow transition to take advantage of the granular control available in cross-tenant access policies. When an organization changes over, SharePoint Online will take advantage. Leveraging advances made in Azure AD is an excellent reason for SharePoint Online to embrace Azure AD more fully.

Review Guest Accounts Too

Azure AD B2B collaboration works but that doesn’t mean that you don’t need to manage guest accounts. As more sharing happens, more guest accounts end up in your Azure AD. Some guest accounts are used once to share a document. Others are in ongoing use as guest members of groups and teams access shared documents. It’s a good idea to keep an eye on guest accounts and remove them as they become obsolete.


Microsoft Introduces New Syntex-SharePoint Advanced Management License
https://office365itpros.com/2023/02/21/syntex-advanced-management-license/ (Tue, 21 Feb 2023)

Syntex-SharePoint Advanced Management Covers Secure Collaboration for SharePoint Online

Updated 2 March 2022

I know that many Microsoft 365 organizations don’t use sensitivity labels, even if they have the necessary licenses to use labels to protect content. All Office 365 licenses allow users to read protected content, but you need Office 365 E3 or above to apply labels to files, and Office 365 E5 or Microsoft 365 Compliance E5 for auto-label processing. At least, that’s been the case up to now.

Applying a default sensitivity label for a SharePoint Online document library (Figure 1) counts as automatic processing. Apparently, Microsoft considers the fact that new and modified documents in the library pick up the sensitivity label (unless previously labeled) as reason enough. In late January 2023, Microsoft revealed that this feature was one of the set to be licensed through a new Microsoft Syntex-SharePoint Advanced Management license.

Figure 1: Using a default sensitivity label with a document library requires a Syntex advanced management license

Features Enabled by the Microsoft Syntex-SharePoint Advanced Management License

The new license is in preview and includes other elements to improve secure collaboration based on SharePoint Online and OneDrive for Business, including:

  • Using sensitivity labels with Azure AD authentication contexts to limit access to SharePoint Online sites. This feature has been in preview since 2021.
  • Restricting access to a SharePoint Online site to members of a Microsoft 365 group. This restriction blocks users who have received access to a file in the site.
  • Blocking the download of files from SharePoint Online sites or OneDrive for Business accounts without the need to use Azure AD conditional access policies. In other words, users are forced to use a browser to access the site or account and cannot download, print, or synchronize files. The restriction also blocks access to the Office desktop apps because these apps need to download files to work on them locally.

In addition, Syntex-SharePoint Advanced Management includes some management and governance features. The three examples cited appear to be instances where it’s possible for administrators to do the same thing with some effort. Microsoft is making it easier. For example, the ability to limit access to OneDrive for Business to those who are members of a specific security group stops people licensed to use OneDrive but who aren’t members of the security group from using the app. The same effect is possible by simply removing the OneDrive service plan from their assigned licenses.

I haven’t seen what actions are included in the feature to export recent SharePoint site actions, but it might be possible to replicate the functionality by fetching SharePoint management events from the unified audit log.

My assumption is that any user who takes advantage of a feature licensed by Syntex advanced management requires a license. For instance, site members of a site where a document library uses a default sensitivity label all require Syntex-SharePoint Advanced Management licenses.

I can’t find a public announcement by Microsoft about the Syntex-SharePoint Advanced Management license. Cynics will say that this is another example of how Microsoft creates licenses for new functionality to generate additional revenue from its installed base. A more benign view is that the new license allows people with Office 365 E3 licenses to use the security and governance features enabled by Syntex Advanced Management. When I find out more details about licensing, including if some features covered by Syntex Advanced Management are also available through other licenses, I shall share the information.

Viewing Metadata for Protected Files

On an associated topic, I was asked why the metadata of documents protected by sensitivity labels remains visible to people who have no right to access these files. It’s a good question because some get confused when they notice an interesting document in a library but can’t open it because they’re blocked by the rights assigned in the label. For instance, who wouldn’t want to open a document with a title like “Proposed Pay Rises for Staff”?

When you enable SharePoint Online and OneDrive for Business to support sensitivity labels, it allows the workloads to deal with protected (encrypted) content. SharePoint Online stores protected files in an unencrypted format to allow functions like indexing and data loss prevention policies to work. Any access to a document, such as a user opening or downloading a file, causes SharePoint Online to encrypt the document so that the application used to open the file (like Word) can apply the rights assigned to the user. Everything works very nicely and those who have access to files can work with that content and those who don’t cannot.

When browsing items in a document library, site members can see metadata like the titles and authors of protected documents. Attempts to open these documents fail if the user doesn’t have the necessary rights. Because SharePoint Online doesn’t encrypt or obscure the metadata, those users know that documents with potentially very interesting content are available.

How SharePoint Online Stores Documents

The reason why document metadata is visible to all site members is rooted in how SharePoint Online stores documents. SharePoint Online uses Azure SQL as its storage platform. Blob storage holds documents and other files while metadata is in a separate table (list). The Azure SQL data is heavily protected against illegal access. Once a user has access to a document library, the assumption is that SharePoint can show them all the items, which is what they see in the list shown in a browser or the Teams files channel tab. It’s only when a user attempts to access a protected document that SharePoint Online validates their right to open that content.

You can argue that SharePoint Online and OneDrive for Business should hide the existence of protected documents that the user can’t open, but this would require SharePoint Online to check that access before displaying documents in a library. Such a check would incur a huge performance penalty because SharePoint Online cannot assume that the rights assigned in a sensitivity label are the same as the last time it checked.

New Functionality, New Costs

Although the news about the Syntex-SharePoint Advanced Management license will disappoint some, it’s reasonable that Microsoft should charge extra for security and management features that not every Microsoft 365 tenant will want or need. Those that need the functionality will simply have to pay the $3/user monthly cost. Hasn’t that always been the way?


Stay updated with developments across the Microsoft 365 ecosystem by subscribing to the Office 365 for IT Pros eBook. We do the research to make sure that our readers understand the technology.

The Role of SharePoint Online in Microsoft 365 https://office365itpros.com/2022/11/24/sharepoint-online-role/?utm_source=rss&utm_medium=rss&utm_campaign=sharepoint-online-role https://office365itpros.com/2022/11/24/sharepoint-online-role/#comments Thu, 24 Nov 2022 01:00:00 +0000 https://office365itpros.com/?p=57978

Document Management Par Excellence

Browsing through Twitter (as some still do), I came across a “What is SharePoint” article. Given that I’ve used SharePoint since the initial release of SharePoint Portal Server in 2001, I opened and read the content. (Fun fact: SharePoint originally used the Exchange ESE database engine. The move to SQL happened with SharePoint 2003. Around the same time, the Exchange “Kodiak” project dabbled with the idea of moving to SQL. That project never proceeded).

In any case, the article sets out to explain what SharePoint is and how people use it, which is a worthy purpose. Some good points are made, especially about the transition from the old-style SharePoint to the new UX and architecture. Inevitably, a couple of points of contention exist, so here’s what I think about the role played by SharePoint Online today inside the Microsoft 365 ecosystem.

SharePoint Online Has Always Been Part of Office 365

First, the article asserts that SharePoint Online joined Office 365 in 2012 following the release of SharePoint 2013 Server. This is inaccurate. SharePoint Online has always been part of Office 365 and was included in the beta released in April 2011 and the initial version released on June 28, 2011. Microsoft based the initial release of SharePoint Online on SharePoint 2010 Server. There’s no doubt that the subsequent upgrade to the Wave 14 servers (Exchange 2013 and SharePoint 2013) helped Office 365 enormously, but that came later.

SharePoint’s Toolbox

The article covers the attempts of SharePoint to be all things to all customers by providing features like task management and conversations. One undoubted truth for SharePoint is that it failed to be the “Swiss army knife of collaboration.” That’s a good thing because we learn through failures, and I think SharePoint learned that its strengths are in content management and not collaboration or workflow.

Then again, you can argue a good case that other developments in the Microsoft 365 ecosystem left the capabilities available in SharePoint behind. The big difference between on-premises and the cloud is that on-premises servers are often the fulcrum of a complete ecosystem. Once servers like SharePoint and Exchange become part of a cloud solution, they are no longer at the center and must instead function as a productive part of the ecosystem. Teams, Yammer, and Outlook are better points for collaboration (each with its own strengths). Planner and Project are better at task management, and Power Automate offers better workflow capabilities. A common point is that all these apps contribute to and use services from other apps and Azure, including SharePoint Online. All contribute to the ecosystem, as does SharePoint Online.

Once Teams gathered speed, there was no stopping it, especially after the acceleration in demand for its services during the pandemic. SharePoint Online wisely dropped working on solutions that were never going anywhere and concentrated on what it does best, which is to deliver an enterprise-class document management service to Microsoft 365. After SharePoint focused, its developers were able to exploit other areas based on existing capabilities, like what is now Microsoft Lists.

SharePoint and Teams

I fundamentally disagree with the article’s assertion that SharePoint is the backbone of Microsoft Teams. You could say the same about Azure (Teams uses many Azure services, including Azure Cosmos DB for its message stores), or Exchange (Teams uses Exchange Online for its calendar and to store compliance records). It’s true that every new team comes complete with a new SharePoint Online site. The same is true for private and shared channels, each of which has a site associated with the site belonging to the host team. But this simply reflects an app’s use of SharePoint Online for document management. It’s just like the way Yammer stores documents for its communities.

This brings me to the true backbone of Teams: Microsoft 365 groups. Without the identity management, membership model, and resource provisioning of Groups, Teams wouldn’t work the way the app does today.

In December 2017, I wrote an opinion piece saying that Office 365 Groups saved SharePoint Online. I was wrong: although Outlook groups demonstrated how users could have easy access to SharePoint without having to navigate SharePoint’s browser interface, it was Teams that saved SharePoint Online by providing users with a reason to use SharePoint Online. I said “People don’t think about using SharePoint. They think about using Teams, or Planner, or Yammer, or Outlook” and “if they have a file to store, they put it wherever the application dictates, like in the Files section of Teams. It is a natural and easy way for people to use document management and it is the engine driving SharePoint usage.” That assertion is truer now than it was in 2017. Accessing SharePoint Online files through the Teams Files channel tab (Figure 1) is an area that Microsoft has improved over the years and is now as functional as the SharePoint browser interface in practical terms.

Figure 1: The Teams Files channel tab allows easy access to documents stored in SharePoint Online

The growth in Teams to 270 million monthly active users (likely higher now because Microsoft hasn’t updated the figure since January 2022) propelled SharePoint usage to new heights. When Microsoft announced the new Syntex backup solution at Ignite 2022, they said that “Every workday, on average, our customers add over 1.6 billion documents to Microsoft 365.” Those documents go into SharePoint Online sites and OneDrive for Business accounts, and users create many of those files using the connection between Teams and SharePoint Online (here’s Microsoft’s description of that connection).

OneDrive for Business

SharePoint Online deals with business users. OneDrive for Business is the personal side of SharePoint Online. Microsoft uses the consumer version of OneDrive as the document management solution for consumer apps, including Teams Personal.

Microsoft didn’t break out the percentage of the 1.6 billion documents added daily so we don’t know how many ended up in OneDrive for Business. I suspect that the proportion is roughly half and half. OneDrive for Business stores files shared in Teams chat and Outlook messages, including Loop components. It stores user files created in the Documents folder on Windows desktops, and so on. OneDrive for Business is everywhere.

One of the reasons why OneDrive for Business does so well is its excellent sync client. I would not have said that some years ago because the original OneDrive sync client was awful. Synchronization challenges have been encountered and overcome since and the current sync client does a wonderful job of keeping files synchronized across devices. The addition of differential synchronization in 2020 was an important step in this process. I depend on OneDrive synchronization and document auto-save to preserve my work.

SharePoint is a Basic Microsoft 365 Workload

Microsoft considers three workloads to be the foundation of Microsoft 365: Exchange, SharePoint, and Teams. SharePoint Online is the critical document management service for Microsoft 365 and it fulfils that role extremely well. As time passes, the connections and dependencies between the base workloads grow and deepen, something that never happened in the on-premises world.

It’s been interesting to observe the development of SharePoint from a small department-level server to a massive worldwide service for hundreds of millions of users. Many people never realize that they use SharePoint Online because they interact through other apps. That’s just fine. No application is the center of anything these days. Services are what’s important and SharePoint Online delivers a great service, and that’s what’s important.

Azure AD Conditional Access Policies Get App Filter https://office365itpros.com/2022/10/31/conditional-access-app-filter/?utm_source=rss&utm_medium=rss&utm_campaign=conditional-access-app-filter https://office365itpros.com/2022/10/31/conditional-access-app-filter/#respond Mon, 31 Oct 2022 01:00:00 +0000 https://office365itpros.com/?p=57675

Custom Security Attributes Used for Conditional Access App Filters

In January 2022, I wrote about the introduction (in preview) of Azure AD custom security attributes. At the time, Microsoft positioned the new attributes as part of their Attribute-based Access Control initiative for Azure to give organizations the ability to manage resources at a fine-grained level. Not being an Azure expert, I tried the new custom security attributes out and felt that organizations would figure out ways to use them.

Lots of new stuff has happened recently with Azure AD conditional access policies, like the introduction of new checks for external user type and authentication strength. Now, Microsoft has added a filter for apps based on custom security attributes.

Mark Apps with Custom Security Attributes

The idea is simple. Organizations define custom security attributes to use to mark apps known to Azure AD. An app is an object and like any other Azure AD object, administrators can assign the app whatever custom attributes make sense. For instance, you could assign an attribute to indicate the department that uses an app or an attribute to mark an app as highly important. The point is that the custom attribute is then used by a filter (Figure 1) to identify apps that a conditional access policy can allow or block access to.

Figure 1: Defining an app filter for a conditional access policy

For now, app filters in conditional access policies can only use string custom security attributes, but you can select attributes from any attribute set defined in the organization. The app filter can be combined with any of the other controls available in a conditional access policy.

The value in this approach is that you don’t need to amend a conditional access policy to accommodate new or additional apps. Simply update the app with an appropriate value for the custom security attribute used by the app filter and the app immediately comes within the policy scope. That’s a big advantage in large organizations that might have to manage hundreds (or conceivably, thousands) of applications.

Graph X-Ray in Windows Store

In other Azure AD news, the Graph X-Ray tool that exposes the Graph API calls made by (some parts of) the Azure AD admin center is now available in the Windows Store (Figure 2). I recommend this tool to anyone who’s getting acquainted with the Graph API calls used for objects like users and groups.

Figure 2: The Graph X-Ray tool in the Windows Store

The Graph X-Ray tool helped us enormously when we upgraded the PowerShell examples using the soon-to-be-deprecated Azure AD module to Graph API calls or Microsoft Graph PowerShell SDK cmdlets for the 2023 edition of the Office 365 for IT Pros eBook. Sometimes you need just a little hint to understand what approach to take and the Graph X-Ray tool delivers more than its fair share of hints.

Cmd.Ms

From the same fertile mind as Graph X-Ray comes Cmd.ms, an elegantly simple idea that delivers great value. Microsoft 365, as you might have observed, spans a bunch of administrative portals and consoles and it’s sometimes difficult to remember the URI for a specific portal. You can go to the Microsoft 365 admin center and rely on the shortcuts available there to get you to the Teams admin center, Exchange admin center, SharePoint Online admin center, and so on, but what happens if you haven’t loaded the Microsoft 365 admin center or need to go somewhere that isn’t available as a shortcut? That’s where Cmd.ms comes in.

Essentially, Microsoft has defined a set of web shortcuts to the admin centers (Figure 3). Entering teams.cmd.ms brings you to Teams while admin.cmd.ms loads the Microsoft 365 admin center. It’s tremendously useful.

Figure 3: Cmd.ms shortcuts to Microsoft 365 web sites

Cmd.ms add-ons are available for Edge, Chrome, and Firefox to provide autocomplete suggestions in the browser address bar.

The only issue I have is that Microsoft chose to use ad.cmd.ms to bring you to the Entra admin center and azad.cmd.ms to the Azure Active Directory admin center. I know Microsoft wants to emphasize the Entra brand, but it would be nice to have aad.cmd.ms used for Azure AD rather than azad.cmd.ms. It’s a small buggette.

Continued Evolution of Conditional Access

Returning to the original topic, there’s no doubt that Microsoft is putting a great deal of effort into improving the functionality of Azure AD conditional access policies. The recent batch of announcements underlines this point. It’s all about erecting more efficient barriers to unauthorized access. Hopefully attackers can’t get into an Azure AD tenant. If they do, conditional access policies can help restrict their ability to compromise resources. That’s the logic underpinning the deployment of conditional access.

SharePoint Online Loses Its Inside Look https://office365itpros.com/2022/06/28/sharepoint-inside-look/?utm_source=rss&utm_medium=rss&utm_campaign=sharepoint-inside-look https://office365itpros.com/2022/06/28/sharepoint-inside-look/#comments Tue, 28 Jun 2022 01:00:00 +0000 https://office365itpros.com/?p=55705

Loss of Valuable Feature

In a surprising announcement, Microsoft said in MC394933 (June 24) that they plan to retire the SharePoint Inside Look part of the file preview card. Office 365 tenants will lose the feature starting in late July and the Inside Look will be gone by early August.

I think this is a pity. Inside Look estimates the time required to read a document and an extract of what it believes the author’s key points to be (at a glance – Figure 1). Some background process generated the key points and usually did a reasonable job, at least for documents written in English, which is all the feature supports.

Figure 1: SharePoint Online’s Inside Look and At a Glance features

Composing a Custom At a Glance

Sometimes, the process did not work so well, especially for larger documents, and no inside look is available. Our main file for the Office 365 for IT Pros eBook is around 33 MB and SharePoint stays mute when it comes to the “at a glance” section. Fortunately, the option exists to create your own “at a glance” by composing three points of up to 100 characters each. The “Edit at a glance” option is available through the […] menu under “See details” in Figure 1, which reveals an input form to compose the three points (Figure 2).

Figure 2: Editing custom At a Glance points

At a Glance Gone from Sharing Emails Too

In addition, Microsoft is retiring the insertion of the “at a glance” text in the email notification sent when someone shares a document (Figure 3). This is especially regrettable because the text gives recipients some immediate insight into the content within a document.

Figure 3: At a glance points in a SharePoint Online sharing notification

The Language Issue

Of course, I write documents in English and therefore get value from the feature. The problem might be because Microsoft says that the feature worked exclusively for Word documents written in English. This is surprising because Microsoft certainly has the translation capability to handle other languages. The obvious conclusion is that the issue lies in extracting the three “at a glance” points from the text of a document.

No doubt this is a machine learning task, probably based on something like creating points from sentences at the start of a document where summaries are most often located. I’m sure that scaling this capability up to handle the intricacies of non-English languages plus the resources needed to perform the processing are factors driving Microsoft’s decision to retire the Inside Look feature.

Removing Features is Hard

One thing that’s not clear is if the retirement covers the estimated time necessary to read a document. I’m unsure how Microsoft computes this number but can report that the Office 365 for IT Pros eBook (2022 edition) apparently takes 34 hours to read. Not all at one time, as that would leave you boggle-eyed and incapable of sensible conversation. I’m sure that the computation is based on factors such as the number of pages and words with other influences like the number of paragraphs and headings probably thrown in for good measure.

SharePoint Online has added some good features recently, like the document library drop-down menu and the ability to set a default sensitivity label for a document library (just like you can set a default retention label). It’s a pity to see something like the Inside Look disappear, even if it is English-only and only works for Word documents. Removing features is hard, but the cloud can take away functionality as quickly as new capabilities appear.


So much change, all the time. It’s a challenge to stay abreast of all the updates Microsoft makes across Office 365. Subscribe to the Office 365 for IT Pros eBook to receive monthly insights into what happens, why it happens, and what new features and capabilities mean for your tenant.

New Account Switcher Coming for Microsoft 365 Web Apps https://office365itpros.com/2022/03/07/microsoft-365-web-apps/?utm_source=rss&utm_medium=rss&utm_campaign=microsoft-365-web-apps https://office365itpros.com/2022/03/07/microsoft-365-web-apps/#respond Mon, 07 Mar 2022 01:00:00 +0000 https://office365itpros.com/?p=53836

Change Reflects Increasing Importance of Web Apps

In a move that will be very popular with users, Microsoft announced a new account switcher for Microsoft 365 web apps in message center notification MC338712 on March 4. This is Microsoft 365 roadmap item 70801 and it’s due to land in tenants starting in early April, with deployment due to finish in late June.

Although Microsoft 365 users do a lot of work using desktop clients like Outlook and Teams, there’s no denying that browser clients have become increasingly important. Anyone who does administrative work with Microsoft 365 is probably signed into a bunch of different administrative portals like the:

  • Microsoft 365 admin center.
  • Microsoft 365 Defender portal.
  • Microsoft 365 compliance center.
  • Microsoft 365 security center.
  • Azure AD admin center.
  • Azure portal.
  • Teams admin center.
  • SharePoint Online (and OneDrive for Business) admin center.
  • Microsoft Intune portal.

At the same time, many Microsoft 365 apps don’t have desktop clients, including SharePoint Online, Planner, Yammer, Bookings, OneDrive for Business, Delve, Stream, Power Automate, Forms, and Lists. Some apps behave perfectly well when installed as a desktop app (which is how I use OneDrive for Business, Planner, Yammer, Lists, and several SharePoint Online sites), but they’re still web pages.

Messy Multiple Browsers

The point is that much of the focus of Microsoft 365 activity is through the browser, so we all end up with multiple open browser apps or a browser cluttered with open tabs. This isn’t so bad until you complicate matters by wanting to sign into different tenants (or the Microsoft consumer apps). Until now, switching context requires one of:

  • Signing out and signing into the desired tenant.
  • Using a second browser (or maybe even a third).
  • Using private browser sessions.

When guest support for Teams first appeared, switching to use guest access in another tenant was slow and people worked around the problem by running a separate browser for each tenant they wanted to work in. The technique worked, but it’s an example of the lack of flexibility in credential management and data management in Microsoft 365 browser apps.

New Account Switcher

When the update rolls out, you’ll be able to sign into multiple Microsoft 365 tenants and MSA accounts and switch between the different accounts for Microsoft 365 web apps within the same browser session without having to sign out and in again. A new account manager capability (Figure 1) lists the current signed-in sessions and allows the user to “perform a one-click switch” to a chosen session. After an account switch, the app reloads the page using data from the selected account.

Figure 1: Account switcher for Microsoft 365 web apps

Microsoft says that the switch occurs “while maintaining data integrity and privacy across different account/tenant boundaries.” In other words, you can be signed into OWA in two Microsoft 365 tenants but won’t see data from one tenant appear in the other or vice versa.

If a user opens multiple tabs with different accounts, they’ll be told that they recently switched to the most recently opened account and asked to refresh the page to load data from that account.

Not All Apps Supported

The capability isn’t available for all apps. When released, it applies to:

  • OWA.
  • SharePoint Online browser client.
  • OneDrive for Business.
  • OneDrive consumer.
  • Microsoft 365 admin center.
  • Office.com.
  • Office web apps.

Microsoft says more Microsoft 365 web apps will be added later. For now, Planner, Yammer, and Teams are the notable absences. Given the work ongoing to create the next generation of the Teams client, Microsoft might not want to add the capability to the current Teams browser client. We shall see in time.

No Admin Impact

User sign outs from browser sessions continue to work as before, as does the ability to block sign-ins and sign an account out of all sessions from the Microsoft 365 admin center. Azure AD continuous access evaluation (CAE) for critical events, which can force users to reauthenticate when events like password changes occur, is likewise unaffected. The only impact on tenant administrators is the opportunity to give some good news to users!


Why Exchange Online Mailboxes have SharePoint Online Proxy Addresses https://office365itpros.com/2022/02/18/why-exchange-online-mailboxes-have-sharepoint-online-proxy-addresses/?utm_source=rss&utm_medium=rss&utm_campaign=why-exchange-online-mailboxes-have-sharepoint-online-proxy-addresses https://office365itpros.com/2022/02/18/why-exchange-online-mailboxes-have-sharepoint-online-proxy-addresses/#respond Fri, 18 Feb 2022 01:00:00 +0000 https://office365itpros.com/?p=53551

It’s All About the Substrate

I must be slowing down. At least, that’s the thought which ran through my mind as I tried to make sense of Microsoft’s post about SharePoint Online proxy addresses and Exchange Online mailboxes. Specifically, I couldn’t understand this sentence “To ingest SharePoint Online content into a mailbox, we establish SharePoint Online routing information to the mailbox.” This sounds awfully like the way site mailboxes worked, but thankfully those abominations are long gone. And then I realized that the text wasn’t as clear or precise as it could have been, despite discussing an interesting aspect of the Microsoft 365 ecosystem. Here’s what I think Microsoft meant to say.

The Microsoft Substrate and Digital Twins

As anyone who’s listened to Microsoft Fellow Jeffrey Snover talk about the Microsoft 365 substrate knows, the substrate plays a key role in making Microsoft 365 shared services work. The substrate is what captures compliance records for Teams, Planner, and Yammer. It handles the ingestion of audit records generated by multiple workloads. And the substrate creates “digital twins” of SharePoint Online and OneDrive for Business documents and lists. A digital twin is not necessarily a full copy of an item; it’s enough to allow shared processes to operate against the data. If access is required to the complete data, a link redirects to the owning workload.

The substrate does this work because assembling digital twins gathered from across Microsoft 365 workloads into one place makes it much easier for shared services like compliance processing or search to operate. Instead of a service needing to communicate with multiple repositories, it needs to deal with one. And the physical representation of that repository is a special form of Exchange Online mailboxes.

SharePoint Online Proxy Addresses

Which brings me back to the subject of the blog post: the SPO (SharePoint Online) proxy addresses stamped on user mailboxes. If you examine a mailbox, you see the proxy addresses assigned to the mailbox. For example, four proxy addresses exist for this mailbox:

DisplayName    : Steve Gippy (Operations)
EmailAddresses : {SPO:SPO_20876de2-3b1c-44ce-8773-34499caaa16c@SPO_a662313f-14fc-43a2-9a7a-d2e27f4f3478, 
SIP:steve.gippy@office365itpros.com, 
SMTP:Steve.Gippy@office365itpros.com, 
smtp:Steve.Gippy@office365itpros.onmicrosoft.com}

One is the primary SMTP address used for email routing (the one with capitalized SMTP), another is a secondary SMTP address belonging to the service domain for the tenant. Then there’s the SIP address used by Teams for calls and meetings. And finally, there’s SPO, the SharePoint Online proxy address, which means nothing to anyone because this address is created and maintained by background Microsoft 365 processes. The address includes a unique identifier for the user and the tenant identifier.

As the post says, administrators should leave the SPO addresses alone as “several internal cloud processes rely on them” not to mention that “Admins should never modify the SharePoint Online proxy address as it is an internal Microsoft service concept.” In other words, keep your greasy hands away from SPO proxy addresses. If you don’t, things break, and you won’t be able to fix them. In fact, you probably won’t know what broke and where it broke.

Without the SharePoint Online proxy address in place, the link between Exchange Online and SharePoint Online is broken, and the substrate can’t ingest digital twins from SharePoint Online into Exchange Online. In other words, the SharePoint Online proxy address stamped on user mailboxes is a connection back to SharePoint Online (and OneDrive for Business).
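The proxy-address breakdown described above can be turned into a read-only audit that flags mailboxes whose SPO entry is absent or altered. This PowerShell is an added example, not code from the original post or from Microsoft: the function name Test-SpoProxyAddress, its status values, and the assumption that the GUID after the @ is the tenant identifier are mine, and the second and third sample mailboxes are constructed.

```powershell
function Test-SpoProxyAddress {
    # Hypothetical helper: classifies a mailbox's proxy addresses and checks the SPO entry.
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [psobject]$Mailbox,

        # Tenant identifier expected in the SPO address (assumed to be the GUID after the @)
        [Parameter(Mandatory)]
        [guid]$TenantId
    )
    begin {
        $guid       = '[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}'
        $spoPattern = "^SPO:SPO_(?<User>$guid)@SPO_(?<Tenant>$guid)$"
        $ordinal    = [System.StringComparison]::Ordinal
    }
    process {
        $primary = @(); $secondary = @(); $sip = @(); $spo = @(); $other = @()
        foreach ($entry in $Mailbox.EmailAddresses) {
            $address = [string]$entry
            # The prefix case matters for SMTP: upper case marks the primary address
            if     ($address.StartsWith('SMTP:', $ordinal)) { $primary   += $address.Substring(5) }
            elseif ($address.StartsWith('smtp:', $ordinal)) { $secondary += $address.Substring(5) }
            elseif ($address -like 'SIP:*')                 { $sip       += $address.Substring(4) }
            elseif ($address -like 'SPO:*')                 { $spo       += $address }
            else                                            { $other     += $address }
        }

        $status = 'OK'
        $userId = $null
        if ($spo.Count -eq 0) {
            $status = 'Missing'            # no SPO entry: review, do not add one by hand
        }
        elseif ($spo.Count -gt 1) {
            $status = 'Multiple'           # more than one SPO entry is unexpected
        }
        elseif ($spo[0] -match $spoPattern) {
            $userId = $Matches.User
            if ([guid]$Matches.Tenant -ne $TenantId) { $status = 'TenantMismatch' }
        }
        else {
            $status = 'Malformed'          # entry does not follow SPO:SPO_<guid>@SPO_<guid>
        }

        [pscustomobject]@{
            DisplayName    = $Mailbox.DisplayName
            PrimarySmtp    = $primary -join ';'
            SecondaryCount = $secondary.Count
            SipCount       = $sip.Count
            OtherCount     = $other.Count
            SpoStatus      = $status
            SpoUserId      = $userId
        }
    }
}

# Sample input. The first mailbox uses the addresses shown in the post;
# the other two are constructed to exercise the failure paths.
$tenant = 'a662313f-14fc-43a2-9a7a-d2e27f4f3478'
$sample = @(
    [pscustomobject]@{
        DisplayName    = 'Steve Gippy (Operations)'
        EmailAddresses = @(
            'SPO:SPO_20876de2-3b1c-44ce-8773-34499caaa16c@SPO_a662313f-14fc-43a2-9a7a-d2e27f4f3478',
            'SIP:steve.gippy@office365itpros.com',
            'SMTP:Steve.Gippy@office365itpros.com',
            'smtp:Steve.Gippy@office365itpros.onmicrosoft.com')
    },
    [pscustomobject]@{
        DisplayName    = 'Constructed User A'
        EmailAddresses = @('SMTP:user.a@example.com')
    },
    [pscustomobject]@{
        DisplayName    = 'Constructed User B'
        EmailAddresses = @(
            'SPO:SPO_11111111-1111-1111-1111-111111111111@SPO_00000000-0000-0000-0000-000000000000',
            'SMTP:user.b@example.com')
    }
)

$sample | Test-SpoProxyAddress -TenantId $tenant |
    Format-Table DisplayName, SpoStatus, SpoUserId, PrimarySmtp -AutoSize

# Against a live tenant (Exchange Online management module, read-only):
#   Get-EXOMailbox -ResultSize Unlimited -Properties EmailAddresses |
#       Test-SpoProxyAddress -TenantId '<tenant id>' |
#       Where-Object SpoStatus -ne 'OK'
```

The sample run reports OK for the first mailbox, Missing for the second, and TenantMismatch for the third. Treat anything other than OK as a prompt to investigate, not as something to repair by editing the address.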

Hard and Soft Deletes

Now the opening of the post makes sense. It discusses why administrators see mailbox objects they believe are permanently removed (hard deleted) persist in a recoverable (soft deleted) state. After all, if you run the Remove-Mailbox cmdlet and use the PermanentlyDelete switch to tell Exchange Online to erase all trace of a mailbox, you’d like to think that the service would do your bidding.

But because Exchange Online is the foundation for the Microsoft 365 substrate, it has more to do than simply blow away a mailbox. In particular, because the search results generated by Microsoft search depend on mailbox content, some adjustment is necessary to reflect a mailbox deletion. That’s why Exchange Online signals SharePoint Online so that background processing can adjust the search results shown to users. While this processing proceeds, it’s possible to see erroneous results featuring a deleted user, but eventually processing completes and search is 100% accurate again.

Exchange Online keeps the mailbox in a soft-deleted state until the deleted mailbox retention period expires (183 days). By then, background processes have adjusted indexes and SharePoint Online is content. Exchange Online can then tidy up by hard-deleting the mailbox, unless of course it’s under the control of a retention hold (litigation hold or otherwise), in which case the mailbox is inactive and kept until all retention holds expire.

Life is More Complicated in the Cloud

All of this proves that cloud objects lead a more complicated existence than on-premises objects. The Microsoft 365 substrate connects objects together in a way that simply doesn’t exist on-premises, so when you remove an object, it might just have an effect elsewhere that must be dealt with. Which is why some mailboxes that you might want to hard delete have to stay soft-deleted until background processes can adjust connections.


Insight like this doesn’t come easily. You’ve got to know the technology and understand how to look behind the scenes. Benefit from the knowledge and experience of the Office 365 for IT Pros team by subscribing to the best eBook covering Office 365 and the wider Microsoft 365 ecosystem.

Microsoft Lists Available as Preview for Consumer Accounts https://office365itpros.com/2022/02/02/microsoft-lists-consumer/?utm_source=rss&utm_medium=rss&utm_campaign=microsoft-lists-consumer https://office365itpros.com/2022/02/02/microsoft-lists-consumer/#respond Wed, 02 Feb 2022 01:00:00 +0000 https://office365itpros.com/?p=53343

Potentially a Play to Extract More Revenue from OneDrive Consumer

Microsoft Lists

Being mostly concerned with the happenings in Office 365, our team doesn’t usually take much notice of developments in the consumer side of Microsoft. However, sometimes developments happen which are worth noting, especially when Microsoft marketing is excited about an announcement. Take January 31 for instance, when the avuncular Mark Kashman handcrafted text to announce the preview of Microsoft Lists for MSA. In other words, you can use your consumer Microsoft account to work with a “lightweight version of the Microsoft Lists app designed for small business and individual use.” All good, if you’re one of the first 200,000 Microsoft account holders to head to the preview page to try out lightweight lists on a first-come, first-served basis.

Off I headed to lists.live.com to see what all the fuss was about. And I can report that it is possible to create a Microsoft list using a Microsoft Service account (Figure 1).

Figure 1: Microsoft Lists being used from a Microsoft Services account

The process is painless, won’t kill any brain cells, and works like it does in the enterprise version. At least, it does from the user perspective. Those who do interesting and skillful things with Lists using Power Automate and other tools are likely underimpressed.

During the preview, Microsoft imposes a limit of 50 lists with up to 2,000 items per list. There’s also a 200 MB storage limit per list. That’s more than enough to test things out without doing anything more serious (always a bad idea with preview software).

The Teper View

On LinkedIn, Jeff Teper, who heads up ODSP (OneDrive, SharePoint, and Teams), had his say in another post. He asserts that making Lists available to consumer accounts is the next big technical bet for SharePoint. Under the covers, SharePoint has “user shards” (discrete segments of storage) to support consumer access and needed “a lot of engineering” to support authentication for MSA in addition to Azure AD. Lists for MSA uses a SharePoint MySite, which Teper notes is “just like we use in OneDrive for Business.” Microsoft suppresses the MySite UX, but the functionality is there, which Teper says “gives us a lot of flexibility for the future.”

A Premium Feature

Microsoft seldom undertakes large engineering efforts for zero return. In this case, I expect that, when it’s generally available, Lists for MSA will be a premium feature of OneDrive consumer, like the way that Outlook consumer is available in free and premium versions. In the same way, OneDrive consumers will use a common platform with some UX tweaking to hide or reveal features based on how much they pay. Lists is probably the first of these features, possibly coupled with Nucleus-powered offline capabilities and 100 GB storage (available today for $1.99/month).

Planner and Lists

In terms of Lists in SharePoint Online, an interesting post makes the case that Microsoft should replace Planner with Lists. Or perhaps, replace the underpinnings of Planner with Microsoft Lists (keeping the UX is easy). I don’t agree with the idea.

Planner and Lists are two different entities. In fact, Planner uses Tasks, one of the fundamental entities managed by the Microsoft 365 substrate shared across multiple applications. Lists are more complex objects, well suited for use as a development platform in many circumstances (including by Microsoft, such as the way Lists store Teams webinar information). Although a list can certainly manage a set of tasks, it’s a minor example of the kind of solutions people use Lists for today.

Moving Planner from Tasks (very simple items) to Lists is not straightforward, especially with the impact rippling across multiple applications and UIs. For instance, think of the way you can manage the same tasks through To Do, Tasks by Planner in Teams, and Outlook. If you moved Planner to use Lists, what impact would this have on To-Do and Outlook? The answer is “a lot.”

Over-engineering is as serious a problem as under-engineering, and it seems to me that any attempt to replace the fabric of Planner with Lists is an example of radical over-engineering.

Planner and Project – The One Development Group

There’s no doubt that Lists offers better support for customer-facing APIs today. The lack of application permissions for the Planner Graph API is regrettable, as is the slow pace of development in the Planner app overall when measured against the rest of Microsoft 365. That pace might be because the Project development team is responsible for Planner, and they want to keep clear blue water between Project and Planner.

Holding back Planner to enable Project to prosper might be regrettable but understandable in the context of the Microsoft 365 business. It’s no reason to jettison the Tasks underpinning for Planner and replace it with Lists.


Learn more about how Office 365 really works on an ongoing basis by subscribing to the Office 365 for IT Pros eBook. Our monthly updates keep subscribers informed about what’s important across the Office 365 ecosystem.

How Default Sensitivity Labels Work with SharePoint Online Document Libraries
https://office365itpros.com/2022/01/28/default-sensitivity-label-doclib/
Fri, 28 Jan 2022 01:00:00 +0000

Feature Became Generally Available in July 2022

According to a LinkedIn post by Microsoft Principal Program Manager Sanjoyan Mustafi, administrators will soon be able to assign default sensitivity labels to document libraries in SharePoint Online and OneDrive for Business. The capability is in private preview at present, but Microsoft 365 tenants can sign up to join the preview here.

Update: According to message center notification MC391948 (June 13), the public preview of setting a default sensitivity label for a document library will roll out in late June. This is Microsoft 365 roadmap item 85621.

Update 2: On July 29, Microsoft announced that the roll-out for the public preview code had begun and that all tenants would receive the update within 90 days. The documentation is also available.

Today, you can require that users add a sensitivity label to documents and define a default label to use. This is done through settings of the sensitivity label publishing policy which makes labels available to users. Requiring documents to be labelled works, but you don’t know what labels users will choose. Sometimes, it might be necessary to ensure that every document in a library receives the same sensitivity label to reflect the level of confidentiality of the library, and that’s where the new capability comes in.

The Backend to Apply Sensitivity Labels

The preview includes the back-end code to define a default label and apply it to new Office documents uploaded or copied to or saved in a library. An asynchronous thread examines new items to check if they already have a sensitivity label. The stamping of the default sensitivity label on new items by the thread can take a few minutes.

If a new item already has a user-applied sensitivity label, the thread ignores the document based on the principle that explicit assignment by users always takes precedence over automatic assignment. If the item has a label of a lower priority (sensitivity labels have a priority order from 0 to n, with 0 being the lowest) received through automatic assignment (usually because a label publishing policy mandates the application of a default label), the thread replaces the label and applies the default label defined for the library.

For now, labeling only happens for new Office documents (support for PDFs will come later). Existing documents remain untouched, and you must apply labels manually if you want all documents to have the same label. However, in the future, Microsoft plans to update the code so that SharePoint will apply labels whenever a user opens an unlabeled document in a library with a default label.

Note that a user can remove the default label assigned for the library or replace it with a label of higher or lower sensitivity. In these cases, the user-assigned label remains, again following the principle of user precedence.

Update: Figure 1 shows the UX to configure a default sensitivity label for a document library. To access this screen, go to Library settings.

Figure 1: Configuring a default sensitivity label for a document library

Configuring for Default Sensitivity Labels

Prior to Microsoft delivering the UX to configure a default sensitivity label for a document library, you had to update the configuration of the target document library using the SharePoint API. You can do this with Postman (the tool favored by Sanjoyan), but I prefer PowerShell, which is what I used. Sanjoyan explains the procedure in his post, but briefly, it is:

  • Get a bearer token to authenticate with SharePoint Online. You can copy the token if you’re logged into SharePoint Online by using the developer tools (F12).
  • Create a header structure to hold details of the transaction, including the bearer token.
  • Create a body structure to define the GUID of the sensitivity label you want to add as the default for the library. Use Connect-IPPSSession to connect to the Compliance center endpoint and run Get-Label to find the list of labels. The GUID for each label is in the ImmutableId property.
Get-Label | Format-List DisplayName, ImmutableId
  • POST to the URL for the document library using the header and body defined earlier.

The commands I used to update a document library were:

# Paste the bearer token copied from the signed-in browser session (see Figure 2).
# The token is a credential: supply it at run time rather than saving it in the script.
$Token = "<bearer token copied from the browser>"

$Headers = New-Object "System.Collections.Generic.Dictionary[[String],[String]]"
$Headers.Add("Accept", "application/json;odata=verbose")
$Headers.Add("Content-Type", "application/json;odata=verbose")
$Headers.Add("X-HTTP-Method", "MERGE")
$Headers.Add("If-Match", "*")
$Headers.Add("Authorization", "Bearer $Token")

# The body names the list type and the ImmutableId (GUID) of the label to use as the library default
$Body = @"
{
  "__metadata": {
    "type": "SP.List"
  },
  "DefaultSensitivityLabelForLibrary": "27451a5b-5823-4853-bcd4-2204d03ab477"
}
"@

# POST (as a MERGE) to the document library being updated
$Uri = 'https://office365itpros.sharepoint.com/sites/Office365Adoption/_api/web/lists/GetByTitle(''Documents'')'
$Update = Invoke-RestMethod -Method 'Post' -Headers $Headers -Body $Body -Uri $Uri

Formatting of these commands must be precise, and the bearer token must be valid or the update will fail (I know, because I made many mistakes before doing it just right). The easiest way to make sure is to open the site you want to update in a private browser window to force a recent authentication and then copy the token (use F12 in Edge and access Local storage, then copy the value of the key for the identity for SharePoint Online as shown in Figure 2).

Figure 2: Copying a bearer token for SharePoint Online
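A local pre-flight check for the token requirement described above, added here as an example and not part of the original post: it decodes the payload of the copied token and reports whether it has expired and whether it was issued for the site being updated. The function names, the contoso host, the constructed sample token, and the assumption that the token's aud claim contains the SharePoint host name are this example's own; the signature is not verified.

```powershell
# Added example: sanity-check a copied bearer token before using it in the POST.
# This only reads the claims; it does not validate the signature.
function Test-BearerToken {
    param(
        [Parameter(Mandatory)] [string] $Token,
        [string] $Uri,                 # optional: the library URL the token will be sent to
        [int] $MinMinutesLeft = 5      # treat a token about to expire as unusable
    )
    # Accept a value pasted with or without the "Bearer " prefix
    $Token = ($Token -replace '^\s*Bearer\s+', '').Trim()
    $Parts = $Token.Split('.')
    if ($Parts.Count -ne 3) {
        throw 'Not a three-part JWT; check that the whole value was copied.'
    }

    # JWT segments are base64url encoded without padding
    $B64 = $Parts[1].Replace('-', '+').Replace('_', '/')
    switch ($B64.Length % 4) {
        2 { $B64 += '==' }
        3 { $B64 += '=' }
        1 { throw 'Payload segment is truncated.' }
    }
    $Json   = [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($B64))
    $Claims = $Json | ConvertFrom-Json

    # exp is seconds since the Unix epoch (UTC)
    $Expires = [DateTimeOffset]::FromUnixTimeSeconds([long]$Claims.exp).UtcDateTime
    $Left    = [math]::Floor(($Expires - [DateTime]::UtcNow).TotalMinutes)

    # Assumption: a token issued for SharePoint Online names the site host in aud
    $AudienceMatches = $null
    if ($Uri) {
        $SiteHost = ([uri]$Uri).Host
        $AudienceMatches = ([string]$Claims.aud) -like "*$SiteHost*"
    }

    [pscustomobject]@{
        Audience        = $Claims.aud
        AudienceMatches = $AudienceMatches
        ExpiresUtc      = $Expires
        MinutesLeft     = $Left
        Usable          = ($Left -ge $MinMinutesLeft) -and ($AudienceMatches -ne $false)
    }
}

# Helper used only to build the constructed sample token below
function ConvertTo-Base64Url([string] $Text) {
    [Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes($Text)).TrimEnd('=').Replace('+', '-').Replace('/', '_')
}

# Constructed sample: a token for a placeholder tenant that expired 30 minutes ago
$Payload = [ordered]@{
    aud = 'https://contoso.sharepoint.com'
    exp = [DateTimeOffset]::UtcNow.AddMinutes(-30).ToUnixTimeSeconds()
} | ConvertTo-Json -Compress
$SampleToken = '{0}.{1}.{2}' -f (ConvertTo-Base64Url '{"typ":"JWT","alg":"RS256"}'),
                                (ConvertTo-Base64Url $Payload),
                                'signature-not-checked'

# Reports Usable = False because the sample token has expired
Test-BearerToken -Token $SampleToken -Uri 'https://contoso.sharepoint.com/sites/Example/_api/web/lists'
```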

After configuring a default sensitivity label, it’s a good idea to change the default view for the library to include the sensitivity label to remind users that documents now have labels.

Steady Progress

Sensitivity Labels and SharePoint Online had a rocky start. There was a time when the content of protected Office documents was inaccessible to search and eDiscovery. That’s in the past (if you enable support) and Microsoft is busy filling out all the details that make software more useful. Adding a default sensitivity label to document libraries is a nice step forward but remember that using this capability will require Office 365 E5 or above, just like all the other auto-label application features in Microsoft 365.


So much change, all the time. It’s a challenge to stay abreast of all the updates Microsoft makes across Office 365. Subscribe to the Office 365 for IT Pros eBook to receive monthly insights into what happens, why it happens, and what new features and capabilities mean for your tenant.

Continual Access Evaluation Enabled for Critical Azure AD Events in Microsoft 365 Tenants
https://office365itpros.com/2022/01/12/continual-access-evaluation/
Wed, 12 Jan 2022 01:00:00 +0000

Important Microsoft 365 Workloads Respond to Critical Azure AD Events

Microsoft made a critical announcement on January 10 when they revealed that the base Office 365 workloads support continual access evaluation (CAE) for specific Azure AD events. What’s more, Microsoft has enabled this capability for all Microsoft 365 tenants.

Exchange Online, SharePoint Online, and Teams can now accept signals from Azure AD when an administrator:

  • Deletes or disables an Azure AD user account.
  • Changes or resets the password for a user account.
  • Explicitly revokes all refresh tokens for a user account.
  • Enables multi-factor authentication for a user account.

The top three actions correspond to highlighted options available at the top of the user account management card in the Microsoft 365 admin center (Figure 1). Multifactor enablement is at the bottom of the card.

Figure 1: CAE covers critical administrative actions for Microsoft 365 user accounts

In addition, Exchange Online can respond when Azure AD Identity Protection detects that higher risk of compromise exists for a user account.

Administrators can see details of sign-ins which use continuous access evaluation by applying a filter of (Is CAE Token = Yes) in the Azure AD admin portal. Figure 2 shows details of a CAE-enabled session.

Figure 2: Continuous Access Evaluation noted in the Azure AD sign-in log

Browsing the Azure AD sign-in log is enlightening in terms of understanding the degree of application support for CAE. Although currently limited to applications like OWA and the SharePoint Online browser interface, you’d anticipate that Microsoft will increase coverage over time.

Enlightened Applications

Continuous access evaluation means that the “enlightened” applications learn about changes in user accounts in almost real-time. For instance, if an administrator deletes a user account, the applications remove access immediately instead of waiting for the access token granted as the result of the last successful authentication by the account to expire.

Microsoft says that the use of continuous access evaluation means that “authentication session lifespan now depends on session integrity rather than on a predefined duration.” For example, if an event like a password change occurs to affect the integrity of a browser session where a user is connected to SharePoint Online, instead of waiting for the access token to expire, SharePoint Online will immediately demand that the user re-establishes session integrity by proving their credentials are still valid.

The effect is that users affected by these critical events must either reauthenticate (for instance, using a new password), or lose access to email, documents, calendar, and Teams. This makes it much easier to manage the possibility of data loss in cases like account compromise or the departure of disgruntled employees.

A benefit of continuous access evaluation is that during outages people can continue working without needing to revert to Azure AD, because removing the dependency on the access token as the sole control over accounts enables extended session lifetimes (see this note about Microsoft’s Azure AD backup service).

Conditional Access Policy Support

While response to critical Azure AD events is available for all Microsoft 365 tenants, those with Azure AD Premium licenses can include continuous access evaluation in the criteria used by conditional access policies to decide to grant or deny user access to applications based on conditions like network location.

Zero Trust in Action

Microsoft talks about the Zero Trust model a lot. An action like enabling continuous access evaluation for critical events in all Microsoft 365 tenants is a practical and useful example of the Zero Trust initiative. Even if you don’t use conditional access policies (something I think all tenants should consider to improve their security posture), the fact that the base Microsoft 365 workloads now respond to critical Azure AD events almost in real time is a very welcome advance.


So much change, all the time. It’s a challenge to stay abreast of all the updates Microsoft makes across Office 365. Subscribe to the Office 365 for IT Pros eBook to receive monthly insights into what happens, why it happens, and what new features and capabilities mean for your tenant. We cover continuous access evaluation in the chapter on Microsoft 365 identities.

Sharing Links for Video and Audio Files Block Downloads by Default
https://office365itpros.com/2021/12/10/sharing-links-video-audio-files-block-downloads/
Fri, 10 Dec 2021 01:00:00 +0000

Now Available in SharePoint Online and OneDrive for Business

Message Center Notification MC302489 (December 8) brings news of yet another tweak made by Microsoft to the dialog used to create new Sharing Links. The update means that the settings for sharing links for “most video and audio” files now block download by default (Figure 1).

Figure 1: A sharing link for a video file

Previous tweaks to the dialog include making it easier to update sharing link settings and highlighting the edit setting. Because many workloads use the sharing link dialog, the benefit of the changes ripples across Microsoft 365.

Understandable Change in Line with Previous Updates

The change is understandable. Sharing a video or audio file is often just an invitation to consume final content (using the recently-upgraded web viewer) and you don’t want people to be able to download the files. By comparison, sharing a document, spreadsheet, or presentation is often for review and editing purposes, and the recipient might need to download a local copy to edit the file offline.

Interestingly, Microsoft 365 roadmap item 82193 makes explicit reference to Microsoft Stream, probably reflecting the ongoing motion to move Stream away from its old Azure-based platform to storing videos in OneDrive for Business and SharePoint Online. This transition has already happened for Teams meeting recordings, and the migration for other Stream content is in preview. Teams meeting recordings restrict download access to the recording owner, so setting sharing links to no download by default is in line with that philosophy.

Not All Video or Audio Files

Noting the caveat that the change applies to most video and audio files, I checked the content of my OneDrive for Business account and discovered that OneDrive blocks downloads in sharing links created for Teams meeting recordings. The same doesn’t happen for other MP4 files that I uploaded to OneDrive where the download control is missing when creating sharing links (Figure 2).

Figure 2: No way to block downloads in sharing links for these MP4 files

The BlockDownloadLinksFileType setting for my tenant (managed through PowerShell with the Set-SPOTenant cmdlet) is WebPreviewableFiles, which means that download blocks are available for all supported files. Given that audio and video files are now in the supported category, something else is going on.

OneDrive recognizes both sets of files as MP4s, so the difference in behavior might be because the uploaded files didn’t have the same PROGID tags as the Teams recordings (these tags make it possible to apply an auto-label retention policy to Teams meeting recordings). Alternatively, it could be because some background job hasn’t yet processed the other MP4 files. Requiring extended periods to process files is not unknown in SharePoint Online and OneDrive for Business. In any case, I’ll keep an eye out to see if things change.


Make sure that you’re not surprised about changes which appear inside Office 365 applications by subscribing to the Office 365 for IT Pros eBook. Our monthly updates make sure that our subscribers stay informed.

How OneDrive’s New Sharing Link Dialog Makes It Easier to Configure Settings
https://office365itpros.com/2021/12/02/new-sharing-link-dialog-easier-configure-settings/
Thu, 02 Dec 2021 01:00:00 +0000

Change Copy Link Settings Before Sending

Published in MC298387 (November 16, Microsoft 365 roadmap item 83728) and now rolling out to Office 365 tenants worldwide, Microsoft has updated the OneDrive for Business sharing link dialog to make it easier for users to change the sharing link settings before copying them to share with others. Roll out should complete between mid-December (targeted release tenants) and mid-January (standard release tenants).

Common Sharing Link

The sharing link dialog is used by both SharePoint Online and OneDrive for Business. The old version (recently refreshed to display the set of people with existing access to a file) has a Copy link button (Figure 1), which generates the link with its current settings in a form that the user can copy (and then insert into email, a Teams chat, Yammer message, or web page as appropriate).

Figure 1: The old design for the Sharing Link dialog

Everything works in the old dialog, but you’ve got to configure the link with the correct access and recipient settings before you generate the link. For instance, you might want to amend the link to allow sharees to edit a file or force users to access the content online by blocking downloads. The new approach removes the Copy link button and replaces it with a complete section where the user can configure the link settings before generating the link (Figure 2).

Figure 2: The new design for the Sharing Link dialog

Once the link is configured, the (smaller) copy button works as before.

Better for Sending Sharing Links by Email Too

The new arrangement also makes the use of the email (Outlook) option clearer. In the old dialog, the Outlook and Copy link buttons are arranged in a line under the Send button. In a weird kind of way, you could imagine that the Send button would work for both options. Now there’s only an Outlook icon in a straight line with the Send button to make the connection between the two clear and obvious.

Paying attention to how the sharing link dialog functions might seem like small beer when compared to the other changes happening within the Microsoft 365 ecosystem (like the introduction of Loop components for Teams chat). That perspective is accurate because this is a small change. However, it can equally be argued that making sure that everything works as smoothly as possible is important, and when it comes to the mechanism used to share documents with people inside and outside the organization, it’s critical that the right settings are in place. For that reason, this is a good and useful change.


How to Analyze Audit Records for SharePoint Online Sharing Events
https://office365itpros.com/2021/11/17/track-audit-events-sharepoint-sharing/
Wed, 17 Nov 2021 01:00:00 +0000

Knowing When Sharing Happens

A natural question flowing from the discussion about implementing the SharePoint Online expiring access policy for external users is how administrators know if people use the feature. Equally naturally, the first place to look is the Office 365 or “unified” audit log to see if SharePoint Online generates any helpful events when users extend sharing links.

Unhappily, although SharePoint Online captures a UserExpirationChanged audit event when someone extends a sharing link close to its expiration, the information stored in the event is not enough to easily identify the content the sharing link grants access to. If you look at the sample audit event shown below, the SiteUrl property tells us that this event relates to sharing some OneDrive for Business content. Apart from that, we can see:

  • The user principal name of the user who extends the validity of the sharing link (Jane.Sixsmith@office365itpros.com).
  • The user principal name of the target user being granted access (Jsmith_yandex.com#ext#@office365itpros.onmicrosoft.com). The form tells us that this is a guest account (JSmith@yandex.com).

It would be nice if the name of the actual folder or document being shared was captured, but that’s not the case.

RecordType   : SharePointSharingOperation
CreationDate : 15/11/2021 13:17:04
UserIds      : Jane.Sixsmith@office365itpros.com
Operations   : UserExpirationChanged
AuditData    : {
                 "AppAccessContext": {
                   "AADSessionId": "bfe559aa-a811-488b-828d-a1fa90062133",
                   "CorrelationId": "b45e03a0-50df-3000-73a8-a6b7cbd31cc0"},
                 "CreationTime": "2021-11-15T13:17:04",
                 "Id": "5ee7b4d0-97ca-476d-c7ef-08d9a83a37aa",
                 "Operation": "UserExpirationChanged",
                 "OrganizationId": "a562313f-14fc-43a2-9a7a-d2e27f4f3478",
                 "RecordType": "SharePointSharingOperation",
                 "UserKey": "i:0h.f|membership|1003bffd805c87b0@live.com",
                 "UserType": "Regular",
                 "Version": 1,
                 "Workload": "OneDrive",
                 "ClientIP": "51.171.212.129",
                 "ObjectId": "https://office365itpros-my.sharepoint.com/personal/jane_sixsmith_office365itpros_com",
                 "UserId": "jane.sixsmith@office365itpros.com",
                 "CorrelationId": "b45e03a0-50df-3000-73a8-a6b7cbd31cc0",
                 "EventSource": "SharePoint",
                 "ItemType": "Web",
                 "Site": "cc191cff-670a-4740-8458-e6067537c747",
                 "UserAgent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.44",
                 "WebId": "551065f1-04a6-4979-8b19-2c8a0c16319f",
                 "TargetUserOrGroupType": "Guest",
                 "SiteUrl": "https://office365itpros-my.sharepoint.com/personal/jane_sixsmith_office365itpros_com",
                 "TargetUserOrGroupName": "Jsmith_yandex.com#ext#@office365itpros.onmicrosoft.com"

Investigating SharePoint Sharing Events

To see if it was possible to find some other information that would allow me to link the UserExpirationChanged events back to other sharing events, I wrote a script to extract the events from the audit log and parse their content. The results are not what I hoped. You can track the progress of sharing an item through:

  • SharingSet: A user shares an item.
  • SecureLinkCreated: A sharing link is created for the item. This is what is sent to the recipient.
  • UserExpirationChanged: The expiration date for the sharing link is adjusted in line with policy.
  • SecureLinkUsed: The recipient uses the sharing link to access the shared content.

The audit records for the first three events often have the same date and time because they occur close together (within milliseconds). For this reason, they can appear in a different order when viewing the report (Figure 1).

Figure 1: Analyzing SharePoint Online sharing events

In due course, if the sharing link validity is extended further, SharePoint logs another UserExpirationChanged event. The cycle continues until the sharing link expires.

Download the Script

The script isn’t all that interesting. It finds the relevant audit events, extracts information, and reports its findings (you can download the script from GitHub). Unless you focus on UserExpirationChanged events which happen outside the initial creation of sharing links, I don’t think it helps much in terms of understanding the extent of sharing link extensions. However, someone who is smarter than I might be able to tweak the script to derive better results.
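One way to focus on UserExpirationChanged events that happen outside the initial creation of a sharing link, as an added example (not the script on GitHub): it parses audit records and keeps only the expiration changes that have no SharingSet or SecureLinkCreated event from the same user on the same site within a short window. The function names, the 60-second window, the contoso and example.com values, and the assumption that the creation events carry the same UserId and SiteUrl properties as the UserExpirationChanged sample above are this example's own.

```powershell
# Added example: separate genuine sharing link extensions from the
# UserExpirationChanged events logged when a link is first created.

# Constructed sample records, shaped like Search-UnifiedAuditLog output
# (each record carries its detail as a JSON string in AuditData).
# Live data would come from a call such as:
#   Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-90) -EndDate (Get-Date) `
#     -Operations SharingSet, SecureLinkCreated, UserExpirationChanged, SecureLinkUsed -ResultSize 5000
$Site  = 'https://contoso-my.sharepoint.com/personal/jane_example_com'
$Guest = 'guest_example.org#ext#@contoso.onmicrosoft.com'

function New-SampleRecord([string] $Operation, [string] $Time, [string] $User) {
    $Data = [ordered]@{
        CreationTime          = $Time
        Operation             = $Operation
        UserId                = $User
        SiteUrl               = $Site
        TargetUserOrGroupName = $Guest
    }
    [pscustomobject]@{ Operations = $Operation; AuditData = ($Data | ConvertTo-Json -Compress) }
}

$SampleRecords = @(
    New-SampleRecord 'SharingSet'            '2021-07-20T09:30:11' 'jane@example.com'
    New-SampleRecord 'SecureLinkCreated'     '2021-07-20T09:30:11' 'jane@example.com'
    New-SampleRecord 'UserExpirationChanged' '2021-07-20T09:30:11' 'jane@example.com'   # part of link creation
    New-SampleRecord 'SecureLinkUsed'        '2021-07-21T14:02:45' $Guest
    New-SampleRecord 'UserExpirationChanged' '2021-11-15T13:17:04' 'Jane@example.com'   # a later extension
)

function Get-SharingLinkExtension {
    param(
        [Parameter(Mandatory)] [object[]] $Records,
        [int] $WindowSeconds = 60      # how close a creation event must be to explain the change
    )

    # Flatten the JSON payload of each record into the properties needed for correlation
    $Events = foreach ($Record in $Records) {
        $Data = $Record.AuditData | ConvertFrom-Json
        [pscustomobject]@{
            Time      = [datetime]$Data.CreationTime
            Operation = $Data.Operation
            Actor     = $Data.UserId
            Target    = $Data.TargetUserOrGroupName
            SiteUrl   = $Data.SiteUrl
        }
    }

    $Creations = @($Events | Where-Object { $_.Operation -in 'SharingSet', 'SecureLinkCreated' })

    foreach ($Change in ($Events | Where-Object Operation -eq 'UserExpirationChanged' | Sort-Object Time)) {
        # The first three events of a new share land within milliseconds of each other,
        # so a nearby creation event by the same user on the same site explains the change
        $Nearby = $Creations | Where-Object {
            $_.Actor -eq $Change.Actor -and
            $_.SiteUrl -eq $Change.SiteUrl -and
            [math]::Abs(($_.Time - $Change.Time).TotalSeconds) -le $WindowSeconds
        }
        if (-not $Nearby) { $Change }   # no creation nearby: the link was extended later
    }
}

Get-SharingLinkExtension -Records $SampleRecords | Format-Table Time, Actor, Target, SiteUrl
```

Because the audit records do not name the shared item, the output still identifies only who extended access, for which guest, and on which site.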


How to Use the SharePoint Expiring Access Policy for External Users
https://office365itpros.com/2021/11/16/sharepoint-expiring-access-policy/
Tue, 16 Nov 2021 01:00:00 +0000

SharePoint Expiring Access Policy Controls Sharing Links Issued to Guests

In the summer, Microsoft introduced an expiring access policy for external users in SharePoint Online sites and OneDrive for Business accounts. In a nutshell, a tenant can set a policy to control the number of days a sharing link lasts after a user shares some content with an Azure AD guest account (created automatically when sharing with an external user). The expiring access policy doesn’t apply to guest accounts who access content through their membership of Microsoft 365 groups (teams). Their ability to work with content in SharePoint Online is controlled by the guest’s membership instead of a sharing link.

By default, the expiring access policy is not set. A tenant or SharePoint administrator must enable it and define the sharing period in the Sharing section of the SharePoint Online admin center (Figure 1). The period can be from 30 to 730 days.

Figure 1: Configuring an external access expiration policy in the SharePoint Online admin center

Once set, the policy applies to new sharing links. It also applies retrospectively to old links. The policy defined in the SharePoint Online admin center applies to all SharePoint sites and OneDrive for Business accounts. You can override the expiration period on a per-site basis.

Unlike other expiration policies used in Microsoft 365, like the Teams meeting recording auto-expiration policy or even retention policies and labels, content remains unaffected when an expiration period lapses. The only effect is on the sharing link which becomes invalid and unusable for access.
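The same policy can be set and audited from SharePoint Online PowerShell. The following is an added example, not code from the original post: it enables the tenant policy, applies a shorter override to one site, and lists every site whose override differs from the tenant value. The admin URL, site URL and day counts are placeholders, and the script assumes the site object returned by Get-SPOSite exposes properties named like the Set-SPOSite parameters.

```powershell
# Added example. Requires the Microsoft.Online.SharePoint.PowerShell module and a
# SharePoint administrator account. URLs and day counts below are placeholders.
$AdminUrl      = "https://contoso-admin.sharepoint.com"           # placeholder tenant
$SensitiveSite = "https://contoso.sharepoint.com/sites/Finance"   # placeholder site
$TenantDays    = 120   # tenant-wide expiration period
$SiteDays      = 30    # shorter period for the sensitive site

function Test-ExpirationPeriod {
    param([int]$Days)
    # The admin center accepts a period from 30 to 730 days
    return ($Days -ge 30 -and $Days -le 730)
}

foreach ($Value in $TenantDays, $SiteDays) {
    if (-not (Test-ExpirationPeriod -Days $Value)) {
        throw "Expiration period $Value is outside the supported 30-730 day range"
    }
}

Connect-SPOService -Url $AdminUrl

# Record the current state so the change can be reviewed or rolled back
$Before = Get-SPOTenant | Select-Object ExternalUserExpirationRequired, ExternalUserExpireInDays
Write-Host ("Policy enabled before change: {0}; period: {1} days" -f `
    $Before.ExternalUserExpirationRequired, $Before.ExternalUserExpireInDays)

# Enable the tenant-wide expiring access policy
Set-SPOTenant -ExternalUserExpirationRequired $true -ExternalUserExpireInDays $TenantDays

# Override the tenant period for one site that holds more sensitive content
Set-SPOSite -Identity $SensitiveSite `
    -OverrideTenantExternalUserExpirationPolicy $true `
    -ExternalUserExpirationInDays $SiteDays

# Report sites that override the tenant policy. Each site is fetched individually
# because a bulk listing does not populate every property (slow on large tenants).
[array]$Overrides = foreach ($Site in (Get-SPOSite -Limit All)) {
    $Detail = Get-SPOSite -Identity $Site.Url
    if ($Detail.OverrideTenantExternalUserExpirationPolicy) {
        [PSCustomObject]@{
            Url              = $Detail.Url
            SiteDays         = $Detail.ExternalUserExpirationInDays
            TenantDays       = $TenantDays
            LongerThanTenant = ($Detail.ExternalUserExpirationInDays -gt $TenantDays)
        }
    }
}

if ($Overrides.Count -gt 0) {
    $Overrides | Sort-Object LongerThanTenant -Descending | Format-Table -AutoSize
} else {
    Write-Host "No sites override the tenant expiring access policy"
}
```

Sites flagged LongerThanTenant keep guest sharing links alive for longer than the tenant baseline and are the ones to review first.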

What Happens When Sharing Links Expire

As sharing links approach expiration, users receive warnings through two means. First, a banner appears in OneDrive for Business (Figure 2). The text could be better as it’s a sharing link which expires rather than a user. The Azure AD guest account will remain and can be used for other purposes, such as other sharing links or as a member of a group or team. The logic here might be that people manage sharing access on a user-by-user basis, so it’s appropriate to refer to users expiring.

Figure 2: OneDrive for Business flags that some sharing links are expiring

The second method is email. SharePoint sends a note to people to advise them when sharing links are within ten days of expiration (Figure 3). In both cases, the Manage (or Manage access) link allows the user to update the soon-to-expire sharing links.

Figure 3: SharePoint sends email to notify about approaching expirations

Clicking the link brings up the Access Expiration fly-out pane (Figure 4), which lists all sharing links created by the user subject to the expiring access policy. As you can see, some of the links are quite a long way off because the tenant has a 120-day expiration policy.

Figure 4: Managing the expiration of sharing links

To extend the validity of a sharing link, select a user and click Yes, extend (Figure 5). SharePoint Online will then extend the sharing link by the maximum period allowed, in this case 120 days from the current date. You can also remove a sharing link if it’s no longer needed.

Figure 5: Extending access for a sharing link

Good Practice to Implement Expiring Access Policy

It’s good practice and makes good sense for Microsoft 365 tenants to implement an expiring access policy. Many expiring sharing links will need no intervention by content owners when they expire. Other links will need an extension, which is a quick and low-friction action. Overall, there’s nothing much to dislike about implementing an expiring access policy where links expire after a reasonable period, like 90 to 120 days. Organizations which store more sensitive content in SharePoint could reduce the expiration period and couple expiration with the targeted access to content available through sensitivity labels.


Learn how to exploit the Office 365 data available to tenant administrators through the Office 365 for IT Pros eBook. We love figuring out how things work.

How to Create a DLP Policy to Stop External Sharing of Teams Meeting Recordings
https://office365itpros.com/2021/11/15/create-dlp-policy-stop-external-sharing-teams-meeting-recordings/
Mon, 15 Nov 2021 01:00:00 +0000

Joins the Controls for Teams Meeting Recordings

Now that Microsoft has created the transition of storage for Teams meeting recordings (TMRs) from Stream (classic) to OneDrive for Business and SharePoint Online (ODSP), attention is focused on how to manage these files. Microsoft plans to introduce an auto-expiration policy for TMRs in January 2022 to allow organizations to dictate how long these files exist in ODSP. The auto-expiration policy will work for any Microsoft 365 tenant which has licenses for Teams.

If you have Office 365 E3, users can apply retention labels to TMRs to gain more control over their retention, and if you have Office 365 E5 or Microsoft 365 E5 licenses, you can deploy an auto-label retention policy to find and label TMRs (and track the success of the policy in finding and labeling TMRs). In short, over time, organizations are gaining ways to exert compliance control over TMRs.

Blocking Sharing with Data Loss Prevention

Data Loss Prevention (DLP) for SharePoint Online and OneDrive for Business is included in the Office 365 E3 SKU. The value of DLP is that you can use a policy to protect against inadvertent data leakage caused when someone shares a TMR outside the organization. Imagine what would happen if a competitor got hold of a recording of a discussion, complete with slides, about the development of a new product!

Using much the same approach as taken to identify TMRs for the auto-labeling retention policy, we can build a DLP policy for TMRs which looks for recording files and stamps them with metadata to stop sharing happening. The DLP policy to block external sharing for TMRs is very simple. It is a custom DLP policy (i.e., not created using a template) consisting of:

  • A name and description.
  • Target locations. For maximum coverage, choose all SharePoint Online sites and OneDrive for Business accounts. This will stop any sharing of TMRs created for personal meetings (OneDrive) and channel meetings (SharePoint).
  • A single rule. The rule looks for any file with the property value ProgId:Media.Meeting that is shared with someone outside the organization. The rule action blocks sharing with people outside the organization. Figure 1 shows what the rule conditions look like. Optionally, the rule can allow users to override the block by providing a justification to explain why they need to share a recording with an external person.

Figure 1: DLP rule to prevent external sharing of Teams meeting recordings

Other rule settings which you might consider include creating a custom policy tip to explain why users can’t share TMRs externally or generating an incident report to alert administrators or other people when a rule violation occurs.
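The policy and rule described above can also be created with Security & Compliance PowerShell. This is an added example, not code from the original post: the policy name, rule name and policy tip text are hypothetical, and the policy starts in test mode so that matches and the policy tip can be checked before the block is enforced.

```powershell
# Added example. Requires the ExchangeOnlineManagement module and an account
# holding a compliance administration role.
Connect-IPPSSession

$PolicyName = "Block External Sharing of Teams Meeting Recordings"   # hypothetical name
$RuleName   = "Block external sharing of TMRs"                        # hypothetical name
$TipText    = "Teams meeting recordings cannot be shared with people outside the organization."

# Create the policy only if it does not exist already
$Existing = Get-DlpCompliancePolicy | Where-Object { $_.Name -eq $PolicyName }
if (-not $Existing) {
    $PolicyParams = @{
        Name               = $PolicyName
        Comment            = "Stops external sharing of Teams meeting recordings"
        SharePointLocation = "All"   # channel meeting recordings
        OneDriveLocation   = "All"   # personal meeting recordings
        Mode               = "TestWithNotifications"   # audit and show tips, no blocking yet
    }
    New-DlpCompliancePolicy @PolicyParams | Out-Null
}

# Single rule: files stamped ProgId:Media.Meeting that are shared outside the organization
$RuleParams = @{
    Name                         = $RuleName
    Policy                       = $PolicyName
    ContentPropertyContainsWords = "ProgId:Media.Meeting"
    AccessScope                  = "NotInOrganization"
    BlockAccess                  = $true
    BlockAccessScope             = "PerUser"            # block external users only
    NotifyUser                   = "Owner", "LastModifier"
    NotifyPolicyTipCustomText    = $TipText
    NotifyAllowOverride          = "WithJustification"  # optional override described above
    GenerateIncidentReport       = "SiteAdmin"
    IncidentReportContent        = "All"
}
if (-not (Get-DlpComplianceRule -Policy $PolicyName | Where-Object { $_.Name -eq $RuleName })) {
    New-DlpComplianceRule @RuleParams | Out-Null
}

# Confirm what was created and whether the policy has been distributed to workloads
Get-DlpComplianceRule -Policy $PolicyName |
    Format-List Name, ContentPropertyContainsWords, AccessScope, BlockAccess, BlockAccessScope, NotifyAllowOverride
Get-DlpCompliancePolicy -Identity $PolicyName -DistributionDetail |
    Format-List Name, Mode, DistributionStatus

# After reviewing the test results, enforce the block:
# Set-DlpCompliancePolicy -Identity $PolicyName -Mode Enable
```

Remove the NotifyAllowOverride entry if users should have no way to share a recording externally.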

The Effect of DLP

It can take up to an hour before a new DLP policy is effective. When the policy is active, the indexing process for new files detects that TMRs come within the scope of a policy and applies the policy settings to block external sharing. There might be a few minutes before the block is effective for a new file during which it’s possible to create and send a sharing link. However, once the block is in place, the sharing link is nullified.

The effect of the policy is obvious because any document which matches the policy conditions now has a small icon (circle with a line in the middle). In Figure 2, the icon is shown alongside all the TMRs in the Recordings folder. Other video files that don’t have the property set are not marked. Hovering over a TMR reveals information about the file, including a link to a DLP policy tip if set. In this case, the link reveals some custom text to explain that external sharing is not permitted for TMRs.

Figure 2: External sharing for Teams meeting recordings is blocked, or so the policy tip says

If the user ignores the warning and goes ahead to try and share the recording anyway, they won’t be able to do this because OneDrive for Business blocks the attempt to create and send a sharing link (Figure 3).

Figure 3: OneDrive for Business blocks a sharing link for a Teams meeting recording

Easy Update

Even if internal users don’t often go back to relisten to what was discussed in a conference call, there’s no doubt that some external people might find that content interesting, perhaps even to the detriment of your company. The time required to create and deploy a DLP policy to block external sharing of TMRs is roughly ten minutes (including a pause to drink coffee). It’s a quick and easy update to make it easier to manage the security of information contained inside these files. This is a good example of the value of DLP.


Some Microsoft 365 Features Highlighted at Fall Ignite 2021 You Can Use Now
https://office365itpros.com/2021/11/05/some-microsoft-365-features-fall-ignite-2021/
Fri, 05 Nov 2021 01:00:00 +0000

Discovering Some Nuggets from Microsoft’s Coverage

It’s been a busy week for anyone following the Microsoft 365 ecosystem as Microsoft released a slew of blog posts and announcements to support keynotes and other sessions at the Microsoft Ignite Fall event. You could spend hours reading about new features and functionality and wonder when the code will appear in your Office 365 tenant and if any additional licenses are necessary.

This post captures notes about several features available now that I noticed as I perused Microsoft’s coverage. By themselves, each is not enough to warrant a separate post, but they’re interesting all the same. These changes are examples of the stuff we track to maintain the content of the Office 365 for IT Pros eBook. All our chapter authors have been busy this week.

SharePoint Online and OneDrive for Business

Sharing links show who you’ve shared a document with. This feature was announced in June but seems to have taken its time to roll out. The idea is simple. When you send a new sharing link, SharePoint Online and OneDrive for Business tell you who the document is already shared with (Figure 1), including a thumbnail of each person (if available in Azure AD). You can hover over a thumbnail to see who the person is. The number of active sharing links also appears. It’s a small but useful change.

Figure 1: Information about people a document is already shared with

Easy to overlook, the SharePoint Online admin center now displays connected channel sites when a site used by Teams creates private channels (Figure 2). If you can’t remember which sites have private channel sites, connect to SharePoint Online PowerShell and run:

Get-SPOSite -Limit All -Template TeamChannel#0 | ? {$_.TeamsChannelType -eq "PrivateChannel"}

Figure 2: The SharePoint Online admin center notes the existence of some channel sites

If you click the channel sites link, the admin center displays details of those sites. Teams manages the settings for these sites, but it’s nice to be able to have easy access to the information. Shared channels, which are delayed until early 2022, also use channel sites.

OneDrive for Business supports Known Folder Move (KFM) and Files on Demand on macOS, which is nice if you’ve invested in a brand-new M1-powered Mac.

If your tenant uses sensitivity labels and has SharePoint Syntex, you can apply sensitivity labels to protect the document understanding models. The application of a label in this manner flows through to protect individual documents identified by models. It’s another way of automatically applying labels to sensitive content.

Sensitivity label control over sharing capabilities of SharePoint Online sites is now generally available. In addition, co-authoring and autosave of protected documents is generally available in the Microsoft 365 apps for enterprise (Word, Excel, and PowerPoint). We use protected documents heavily to store chapter files for the Office 365 for IT Pros eBook, so this is a welcome advance.

Exchange Online

Microsoft Scheduler can now dynamically adjust the scheduling of recurring meetings. This is message center notification MC295855 (November 2) and it’s a great idea. Static recurring meetings are all too often cancelled or rescheduled because someone is sick or otherwise unavailable. After a recurring meeting finishes, Scheduler looks for the best time slot for the next instance and books that time.

Everyone’s probably familiar with the Exchange Online campaign to remove basic authentication for email connection protocols (that October 2022 date is getting nearer!). PowerShell is on the list of protocols to be blocked for basic authentication, but the Exchange Online management PowerShell module still uses basic authentication to communicate with WinRM on a local workstation. Work is under way to remove the need to use WinRM. Microsoft has released a preview version (2.0.6-3preview) of the module to demonstrate how they will remove the dependency by using a REST API in the background. Exchange Online has many cmdlets, not all of which have been converted to use the new mechanism, but you can test the preview now.

On the downside, Microsoft didn’t say anything at Ignite about the next version of on-premises Exchange. This is strange given the September 2020 announcement said the next version of Exchange Server would be available in the second half of 2021.

Microsoft 365

Microsoft says that Visio web app is rolling out to Microsoft 365 commercial tenants (all tenants with Office 365 enterprise plans). The rollout goes through to the end of January 2022, so keep an eye on the app launcher to see when Visio web app (aka Visio in Microsoft 365) shows up in your tenant.

Microsoft Cloud App Security (MCAS) is now Microsoft Defender for Cloud Apps (surely MDCA?). The app governance add-on is now generally available. It’s a good way to chase down apps registered in Azure AD that are over-permissioned or not being used. If you don’t have MDCA or don’t want to pay for the add-on, use our DIY audit method for Azure AD apps.

Access to the knowledge available in topic cards created by Viva Topics has been restricted to some lesser-used applications up to now. Things will change when topic cards appear in OWA and Teams. Apparently, this will happen soon and should be a game changer for the organizations who have invested in the work needed to harvest organizational knowledge through Viva Topics.

Teams

Microsoft prioritized Teams at Ignite as the center of a new way to work (see my practical365.com article), so there were lots of Teams-related developments discussed, most of which can be left until they appear in a tenant near you. One snippet in a blog post about improving meeting quality is that noise suppression in Teams meetings will be available for iOS soon. Microsoft claims that they saw a “31% decline in comments about background noise distractions” after the launch of noise suppression. This sounds like a good thing, but a single statistic provided without any further context or detail is worthless. We don’t know the sample size, whether the clients were Windows or Mac, what kind of meetings were involved, or what is meant by “comments” (good, bad, or indifferent). Like many Microsoft statistics, there’s plenty of room for fudging an issue.


So much change, all the time. It’s a challenge to stay abreast of all the updates Microsoft makes across Office 365. Subscribe to the Office 365 for IT Pros eBook to receive monthly insights into what’s happening.

How to Update Custom Properties in the Site Property Bag in SharePoint Online
https://office365itpros.com/2021/11/03/update-sharepoint-online-property-bag/
Wed, 03 Nov 2021 01:00:00 +0000

Delving Into SharePoint’s Custom Properties

I’ve used SharePoint since the initial release of SharePoint Portal Server 2001, but I would never regard myself as being a SharePoint expert. I am perfectly happy to perform site management using the SharePoint Online PowerShell module or the admin center, but admit that the finer points of the client-side object model (CSOM) and the Patterns and Practices (PnP) library often surpass the limits of my knowledge. Given that much of SharePoint Online usage is generated by the sites used by Microsoft 365 Groups and Teams, less need exists to get down and dirty with CSOM or PnP than appears to be the case for SharePoint Server.

The Site Property Bag

However, sometimes no other option exists but to interact with SharePoint using PnP, which brings me neatly to the subject of the site property bag. This is a feature allowing the assignment of custom values to sites. If you come from the Exchange world, it’s analogous to being able to set custom properties for mailboxes. And just like custom properties are often used in Exchange as filters to identify specific mailboxes, the site property bag can refine searches by marking sites with custom values.

Custom values written into the site property bag are simple name/value pairs. For instance, the name might be “Test” and the value “Tony.” The idea is that users can then search for sites by looking for those where “Tony” is present in the “Test” property. Being able to find sites using a filter is important for functionality like adaptive scopes for Microsoft 365 retention policies. Custom values end up as crawled properties in the SharePoint Online search schema. The crawled properties can be linked to refinable strings to become searchable, which is how the property bag values can be used in filters.

Updating Values in the Site Property Bag

The standard Set-SPOSite cmdlet in the SharePoint Online management module doesn’t update the property bag, but cmdlets from the PnP PowerShell module do. To begin, I downloaded and installed V1.8.0 from the PowerShell gallery. The developers issue frequent updates for the module, so it’s wise to make sure that you use the latest (non-preview) version.

Before attempting to update the property bag for a site, you must disable the site’s DenyAddAndCustomizePages setting. By default, SharePoint Online blocks custom scripts, and to update the property bag, we need to lift the restriction temporarily. To do this, run the Set-SPOSite cmdlet to set DenyAddAndCustomizePages to 0 (zero). Before proceeding, make sure that the value of DenyAddAndCustomizePages is Disabled (the default is Enabled).

$Site = "https://office365itpros.sharepoint.com/sites/BallyconneelyBuglers"
Set-SPOSite -Identity $Site -DenyAddAndCustomizePages 0
Get-SPOSite -Identity $Site | Select DenyAddAndCustomizePages

DenyAddAndCustomizePages
------------------------
                Disabled

The updated setting is effective immediately. The next step is to connect to the site using the Connect-PnPOnline cmdlet. An account can connect to a site only if it has access to the site. In this instance, I used a global tenant administrator account.

Connect-PnPOnline -Url $Site -Credentials $O365Cred
Set-PnPPropertyBagValue -Key "OrgPrivacy" -Value "Restricted" -Indexed
Set-PnPPropertyBagValue : Access is denied. (Exception from HRESULT: 0x80070005 (E_ACCESSDENIED)) Site might have NoScriptenabled, this prevents setting some property bag values. At line:1 char:1

You’d imagine that a global tenant administrator can update site properties. After all, we’ve just used the same account to update the site customization setting with the Set-SPOSite cmdlet. However, the PnP module imposes its own rules. Everything looked good, but the error surfaced each time I attempted to write a new value into the site property bag.

After some debugging, I discovered that it is possible to update the site property bag only if you connect with a site administrator account. After adding the global administrator account as a site administrator, the Set-PnpPropertyBagValue cmdlet ran without a problem. If we examine the contents of the site property bag with the Get-PnPPropertyBag cmdlet, the custom value is present.

Get-PnpPropertyBag

Key                              Value
---                              -----
GroupId                          ff168380-8f71-4419-980c-7f1e8e6ea83a
vti_sitemasterid                 e2ea95e2-b7be-484f-bb63-e2b0fd4b38b6
vti_categories                   Travel Expense\ Report Business Competition Goals/Objectives Ideas Miscellaneous Waiting VIP In...
vti_createdassociategroups       3;4;5
vti_defaultlanguage              en-us
HomepageProvisioned              1
contenttypessynctimestampversion 1
vti_approvallevels               Approved Rejected Pending\ Review
taxonomyhiddenlist               73396654-2d02-47d9-a078-6f0ffe401097
vti_associategroups              5;4;3
profileschemaversion             6
GroupDocumentsListId             2825b7cc-43f3-4eef-b970-f9789082f70d
disabledhelpcollections
SiteNotebookGuid                 ddb569bc-70b8-4eae-8e02-cd221f11d5d2
GroupType                        Public
contenttypesusagebackfillversion 3
vti_associatevisitorgroup        4
vti_extenderversion              16.0.0.21409
OrgPrivacy                       Restricted
GroupAlias                       BallyconneelyBuglers
LastGroupSitePrivacyUpdated      637612064800877337
vti_associateownergroup          3
enabledhelpcollections           VGSEndUser
ProvCorrelationId                9462025b-ebf9-468c-bbde-3729d938bdbf
FollowLinkEnabled                TRUE
vti_associatemembergroup         5
GroupDocumentsUrl                Shared Documents
vti_indexedpropertykeys          TwByAGcAUAByAGkAdgBhAGMAeQA=|

After writing the custom values into the site property bag, make sure that you replace the block on custom scripts for the site:

Set-SPOSite -Identity $Site -DenyAddAndCustomizePages 1
Get-SPOSite -Identity $Site | Select DenyAddAndCustomizePages

DenyAddAndCustomizePages
------------------------
                Enabled

Checking Custom Scripting Status for Sites

Some blogs report that the DenyAddAndCustomizePages setting reverts to the default setting after a period. I have not seen this happen, but this could be simply a case of not waiting long enough for a SharePoint Online background process to work. In any case, it’s best to be proactive and leave sites in the correct state. A quick check with PowerShell will reveal any sites which need to be updated and correct the situation. In this example, we check only for group-enabled sites:

$ScriptingSites = 0
[array]$Sites = Get-SpoSite -Limit All -Template Group#0 | Sort Url
ForEach ($Site in $Sites)  {
   If ($Site.DenyAddAndCustomizePages -ne "Enabled") {
      $ScriptingSites++
      Write-Host ("Site {0} has scripting enabled, so now disabling scripting..." -f $Site.Url)
      Set-SPOSite -Identity $Site.Url -DenyAddAndCustomizePages 1 }
}
If ($ScriptingSites -gt 0) { Write-Host ("{0} sites found with scripting enabled - now disabled." -f $ScriptingSites) }

If you’ve added a tenant administrator account as a site administrator to update the property bag, make sure that you remove the account afterwards. It’s not good to allow access to site contents to tenant administrator accounts unless this is intended.
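The whole procedure (lift the script block, grant temporary site administrator rights, write the value, then put everything back) can be wrapped so that the cleanup runs even when the update fails. This is an added example, not code from the original post: the admin URL and account name are placeholders, while the site URL, key and value are the ones used above.

```powershell
# Added example. Requires the Microsoft.Online.SharePoint.PowerShell and PnP.PowerShell modules.
$AdminUrl = "https://office365itpros-admin.sharepoint.com"   # placeholder admin URL
$Site     = "https://office365itpros.sharepoint.com/sites/BallyconneelyBuglers"
$AdminUpn = "admin@office365itpros.com"                      # placeholder account
$Key      = "OrgPrivacy"
$Value    = "Restricted"

$Cred = Get-Credential -UserName $AdminUpn -Message "Tenant administrator credentials"
Connect-SPOService -Url $AdminUrl -Credential $Cred

# Capture the starting state so that only what this script changed is reverted
$OriginalSetting = (Get-SPOSite -Identity $Site).DenyAddAndCustomizePages
$WasSiteAdmin = $false
try {
    $WasSiteAdmin = [bool](Get-SPOUser -Site $Site -LoginName $AdminUpn -ErrorAction Stop).IsSiteAdmin
} catch {
    # The account is not known to the site, so it is not a site administrator
}

try {
    if (-not $WasSiteAdmin) {
        Set-SPOUser -Site $Site -LoginName $AdminUpn -IsSiteCollectionAdmin $true | Out-Null
    }
    Set-SPOSite -Identity $Site -DenyAddAndCustomizePages 0

    Connect-PnPOnline -Url $Site -Credentials $Cred
    Set-PnPPropertyBagValue -Key $Key -Value $Value -Indexed

    # Verify the value, and that the key is in the indexed list.
    # vti_indexedpropertykeys holds Base64-encoded UTF-16 key names separated by "|".
    $Stored = Get-PnPPropertyBag -Key $Key
    $IndexedKeys = (Get-PnPPropertyBag -Key "vti_indexedpropertykeys") -split '\|' |
        Where-Object { $_ } |
        ForEach-Object { [System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String($_)) }

    if ($Stored -ne $Value)       { throw "Property $Key holds '$Stored', expected '$Value'" }
    if ($IndexedKeys -notcontains $Key) { Write-Warning "$Key was written but is not marked as indexed" }
    Write-Host ("{0} = {1} written to {2}" -f $Key, $Stored, $Site)
}
finally {
    # Restore the custom script block if it was in place before the update
    try {
        if ("$OriginalSetting" -eq "Enabled") {
            Set-SPOSite -Identity $Site -DenyAddAndCustomizePages 1
        } else {
            Write-Warning "Custom scripts were already allowed on $Site before the update; setting left unchanged"
        }
    } catch { Write-Warning "Could not restore DenyAddAndCustomizePages: $($_.Exception.Message)" }

    # Remove the temporary site administrator assignment
    try {
        if (-not $WasSiteAdmin) {
            Set-SPOUser -Site $Site -LoginName $AdminUpn -IsSiteCollectionAdmin $false | Out-Null
        }
    } catch { Write-Warning "Could not remove site administrator rights: $($_.Exception.Message)" }

    Get-SPOSite -Identity $Site | Select-Object Url, DenyAddAndCustomizePages
}
```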

Moving Forward

As it turns out, updating SharePoint Online site property bags isn’t difficult. That is, if you satisfy all the requirements. In this case, making sure that you use a site administrator account is the important point. It’s something that I didn’t see covered in any of the blogs which describe how to update the property bag (I’m sure this is documented somewhere). Now that I know how to assign custom values to SharePoint sites, the road is clear to use these properties in adaptive scopes.


Why SharePoint Online Will Allow Users to Delete Files with Retention Labels
https://office365itpros.com/2021/10/14/sharepoint-online-allow-users-delete-files-with-retention-labels/
Thu, 14 Oct 2021 01:00:00 +0000

Making Compliance Work Better

As discussed last week, Microsoft is simplifying how retention processing works for SharePoint Online and OneDrive for Business. It’s a good initiative because this topic is like a black box for many tenant administrators. The latest step comes in MC289965 (7 October – roadmap item 82063) to align how the SharePoint Online and OneDrive for Business browser interfaces deal with user requests to delete a file assigned a retention label configured to retain items for a specific period. For instance, a file might have a retention label with a retain action for seven years. (A retention label can also be set to neither retain nor delete items, which makes it a visual marker.)

Deleting Files in SharePoint Online and OneDrive for Business

Up to now, the following happens:

  • OneDrive for Business: User deletes file with retention label. OneDrive for Business moves the file into the Recycle bin and captures a copy in the preservation hold library for the user’s account. A OneDrive account is a personal space and it’s reasonable to allow the account user to delete files if they wish. Note that you can’t delete a file assigned a record label. To create a retention label as a record, you need to use the Records Management solution in the Microsoft 365 compliance center (requires E5).
  • SharePoint Online: User attempts to delete file with retention label but is blocked because of the presence of the retention label (Figure 1).

Figure 1: SharePoint Online blocks the deletion of a file due to its retention label

You can argue a case that SharePoint Online does the right thing. By not allowing the deletion to happen and keeping the file in place until its retention period expires, SharePoint Online demonstrates that the file has some importance.

The Problem for Compliance

However, the problem is that the current Microsoft 365 group model allows group members full control over most items in the SharePoint Online team sites used by Teams and Groups. Therefore, if SharePoint Online blocks a user from deleting a file because of a retention label, they can simply remove the label and then delete the file (unless the retention label is a record label). Although most users might not realize that they can remove a retention label to delete a file, the fact that they can is a big problem in terms of compliance. In that light, it’s better to allow the deletion to proceed. SharePoint Online will capture the file in the preservation hold library to ensure that its content remains indexed and discoverable for retention purposes.

Earlier Attempt to Change Ran into Problems

Last June, Microsoft published MC264360 to notify tenants that they planned to change the way the SharePoint Online browser interface worked to bring it in line with OneDrive for Business. In other words, users would be able to delete files even if a retention label with a retention period was present.

After pushback from customers, Microsoft withdrew the proposed change to do some additional work. The result of that work will roll out in early November for completion by the end of the month. SharePoint Online users will be able to delete labelled files like they can in OneDrive for Business unless the organization decides that this is a bad idea and updates the SharePoint Online configuration to retain the existing behavior. SharePoint Online will continue to block deletion of items labelled as records.

Update January 11, 2022: The controls over deletion behavior are available in the Records management section of the Microsoft 365 compliance center (Figure 2).

Figure 2: Controls for SharePoint and OneDrive deletion of labeled files

Changing Things Back

If an organization decides that they’d like to keep things as they are, administrators will have to crack open the SharePoint Client Object Model (CSOM) and use the SetAllowFilesWithKeepLabelToBeDeletedSPO function in the SPPolicyStoreProxy class to set the value to False. Quite why Microsoft didn’t add a new parameter to the Set-SPOTenant cmdlet to update this setting like all the other SharePoint Online organizational settings is beyond me. Microsoft says that when the feature rolls out, the “configuration will be available within the Records Management solution settings.” That’s all fine and dandy, but Records management requires Office 365 E5 or Microsoft 365 Compliance E5 licenses, so many administrators might avoid it. This setting should be in the SharePoint Online admin center and settable through PowerShell.

No doubt someone who knows their way around CSOM will create and publish the code necessary to update the setting with PowerShell so that people without deep knowledge of SharePoint object models don’t have to, but I think it is unacceptable for Microsoft to push a change out that cannot be easily controlled by tenant administrators. On the bright side, I think most tenants will like the new delete behavior for files with retention labels and can therefore ignore grappling with CSOM.

Change Based on Experience

Changing the way SharePoint Online works when deleting files with retention labels with retention periods is the right thing to do. It will make compliance work better and is more logical for users. It’s just a pity that the opt-out control is hidden.


Keep up with the changing world of the Microsoft 365 ecosystem by subscribing to the Office 365 for IT Pros eBook. Monthly updates mean that our subscribers learn about new developments as they happen.

How Retention is Changing for SharePoint Online’s Preservation Hold Library
https://office365itpros.com/2021/10/07/retention-changing-sharepoint-onlines-preservation-hold-library/
Thu, 07 Oct 2021 01:00:00 +0000

Making Retention More Efficient

Message center notification MC288633 (1 October) covers the topic of optimized behavior of file versions preserved in SharePoint Online and OneDrive for Business. It’s a title guaranteed to turn off most Office 365 administrators unless they’re interested in compliance. As it happens, I am, so I read the notification.

My reading of the situation is that Microsoft is replacing an old-fashioned implementation of the preservation hold library with a more modern approach. As you might know, the preservation hold library is the location used by SharePoint Online to keep information needed for retention purposes. It’s the equivalent of Exchange Online’s Recoverable Items structure, a place where updated and removed content stays until the retention period expires.

The Preservation Hold Library

Up to now, SharePoint Online has used the preservation hold library to retain multiple versions of changes made to documents and list items. If someone edits a document which comes within the scope of a retention policy, SharePoint captures a pre-change copy of the document in the library. If someone deletes a document that must be retained, it goes into the preservation hold library. The actual processing is more complicated, but that description is sufficient here.

The net effect is that a preservation hold library for a busy site can accumulate a bunch of items (Figure 1). Although users cannot access the preservation hold library, its content is indexed and discoverable and available for searching, which means that eDiscovery investigators can recover the full change record for documents and list items. Administrators can also recover files from the preservation hold library, so there’s lots of goodness available.

Figure 1: Items in a SharePoint Online preservation hold library

The Downsides of Retention

Except that a downside exists. Or rather, two significant downsides. The first is that capturing edits and deletions for a busy SharePoint Online site can consume a large percentage of the storage quota used for the site. The amount differs from site to site depending on the characteristics of site usage and the type of file stored. For instance, the site which I use to store the Word documents for blog posts has thousands of relatively small files (usually in the range of 1-5 pages), most of which are never edited after publication. The preservation hold library for the site holds 924 items of 292.6 MB, or 5.92% of the site storage.

The site used for the Office 365 for IT Pros book has completely different characteristics. The Word documents (and some Excel spreadsheets) are larger (some chapters are over 100 pages) and they receive frequent revisions. For example, according to its version history, the chapter covering Teams architecture and structure in the 2021 edition has 330 versions, most generated using the Office AutoSave feature. The combination of large files and multiple revisions drives storage consumption to 15.3 GB, or 21.8% of the site (Figure 2).

Figure 2: Retained content can occupy lots of storage in a SharePoint Online site

The problem is that SharePoint Online regards the storage consumed by the preservation hold library in the same manner as it treats other libraries. Everything counts against the tenant’s overall SharePoint storage quota, which seems a little unfair given that Exchange Online provides additional free storage per mailbox to handle retention. It’s easy to run a report to find the storage consumed by each site, but you’ll need to access the site to discover how much is consumed by the preservation hold library.

The second issue is that content searches find multiple copies of files stored in SharePoint Online sites. This might be what you want, but usually it’s confusing (Figure 3).

Figure 3: Multiple file versions show up in the results of a Microsoft 365 content search

The Change

The change rolling out in mid-November means that files with multiple versions deleted from a SharePoint Online site or OneDrive for Business account which must be retained will be preserved as a single file instead of multiple versions. Storing fewer versions should reduce the demand for storage, but I shall wait and see how things work before making a definitive statement on that point. Reducing the number of versions held for a file will also speed up deletions and eliminate errors caused when retained files had more than a hundred versions in the preservation hold library.

Existing files in the preservation hold library are not updated and behave as before. Eventually, after the retention period for items expires, the weekly background job to check and remove obsolete material from the preservation hold library will remove the older files and release storage.

The new approach applies to any file which ends up in the preservation hold library because of a retention policy or in-place eDiscovery hold.

Given the number of files now stored in SharePoint Online due to increased use by apps like Teams, the effect of AutoSave in generating multiple file versions, and the impact on tenant storage quota that retention can have, this is a good change. It also simplifies administration and might even make it easier for backup and restore scenarios (fewer files to deal with). Time will tell!


Learn more about how Office 365 really works on an ongoing basis by subscribing to the Office 365 for IT Pros eBook. Our monthly updates keep subscribers informed about what’s important across the Office 365 ecosystem.

SharePoint Admin Center Absorbs OneDrive for Business Management
https://office365itpros.com/2021/09/30/sharepoint-admin-center-absorbs-onedrive-for-business-management/
Thu, 30 Sep 2021 01:00:00 +0000

Personal and Organization Document Management for Microsoft 365

I don’t know why Microsoft ever thought that it was wise or desirable to consider SharePoint Online and OneDrive for Business as two separate workloads. The decision might have made sense years ago, when Microsoft began to extract itself from the legacy of its on-premises servers and wanted to demonstrate that it had multiple services to offer within Office 365. It makes none in the context of today’s cloud services.

The simple fact is that OneDrive for Business is no longer an optional extra for Office 365 users. Teams uses OneDrive for Business to share files, including the components built using the Fluid framework, in chats. Recordings of Teams personal meetings also go into OneDrive for Business, and Whiteboard is about to make the transition to OneDrive storage too. If you save an email attachment from Outlook, OneDrive is the preferred target. Users are encouraged to move their files stored in well-known folders from local workstations to OneDrive for Business to take advantage of features like Autosave and differential synchronization.

Increasing Importance of OneDrive for Business

Microsoft makes large amounts of storage available to OneDrive for Business users to make it possible to store data online. All signs indicate that Microsoft will continue to move application and personal data to OneDrive for Business storage whenever possible because it makes it easier to index and search files, including eDiscovery support. In a nutshell, the central importance of OneDrive for Business to cloud users increases as time passes.

The Demise of the OneDrive Admin Center

Which brings me to the elimination of the OneDrive for Business admin center. Or at least, the move of OneDrive settings into the SharePoint Online admin center (Figure 1), which removes the need for the OneDrive admin center. The SharePoint Online admin center has always had settings which affected OneDrive for Business, like sharing controls. Now we have a single place to manage system and personal document and file management for Microsoft 365, which is what these products deliver.

Figure 1: The SharePoint Online admin center and its dashboard composed of insight cards

Microsoft covered the move of the OneDrive settings in a July 2021 blog post. With so many blog posts, announcements, updates, and other information about different aspects of Microsoft 365 appearing each week, you might not have noticed the transition. If you go to the Settings section of the SharePoint Online admin center (Figure 2), you’ll find the OneDrive for Business controls.

Figure 2: OneDrive for Business controls in the SharePoint Online admin center

Checking Sensitivity Labels and Sites

Another topic featured in Microsoft’s July blog is the new insight card to report the number of unlabeled sites. These are sites that don’t have an assigned sensitivity label. As you might notice from Figure 1, my tenant reports 128 of these sites. Given that I’ve invested lots of time working to implement sensitivity labels for container management, this seemed like a high number.

After checking the list of sites, I discovered that the set includes:

  • Sites retained by a compliance policy after removal of the original Microsoft 365 group.
  • System sites like the App Catalog site and the home site and its predecessor.
  • Sites created for Yammer communities before the switch of the Yammer network to Microsoft 365 native mode.
  • Teams created from a template (to close the gap, MC281936 describes an update rolling out soon to allow team owners to assign a sensitivity label when creating a new team from a template).
  • The Viva Topics center site.
  • The site created for the group used to control who can create custom templates for the Teams Approvals app.

In short, a bunch of sites turned up, some of which could do with a sensitivity label and others which don’t. In other words, a list that’s well worth reviewing.

Simplification is Goodness

I strongly approve of Microsoft’s move to incorporate OneDrive for Business management into the SharePoint Online admin center. There are still too many administrative consoles across Microsoft 365 and this step simplifies the tenant management landscape.

With the introduction of the new Exchange Online admin center and the transition of the old Security and Compliance Center to the Microsoft 365 compliance center, we’re also seeing rationalization of user interfaces. On the downside, the switchover from old to new consoles seems to be taking forever. Maybe it’s because people need time to absorb change, but sometimes you’d wonder if it wouldn’t be better if Microsoft pulled the plaster off quickly and launched a family of new fully-functional administrative tools.


Make sure that you’re not surprised about changes which appear inside Office 365 applications (like updates to admin portals) by subscribing to the Office 365 for IT Pros eBook. Our monthly updates make sure that our subscribers stay informed.

Teams and SharePoint Online to Synchronize Channel Names Properly
https://office365itpros.com/2021/09/02/microsoft-finally-fixes-teams-channel-rename/
Thu, 02 Sep 2021 01:00:00 +0000

Fixes a Very Old Bug First Reported in 2016

Updated: December 19, 2021

Every channel in a team has a folder in the default document library of the SharePoint Online team site associated with the team. When a new channel is created in Teams, SharePoint Online creates a new folder with the same name as the channel. The channel and folder continue to share the same name until you rename the channel, in which case the names of the channel and the folder diverge. Microsoft acknowledges that losing the naming connection between Teams and SharePoint is a problem.

The issue has existed since the earliest days of Teams. The first user voice request for Microsoft to remove confusion by making sure that the channel and folder continued to share the same name following a rename appeared on November 3, 2016. I wrote about the issue in June 2019, saying that renaming channels could be messy.

Microsoft says they will fix the problem (MC280294) and clean up the mess with an update in mid-September (Microsoft 365 roadmap item 72211). The heading for Microsoft’s notification is “Pairing naming convention between Teams channels and corresponding SharePoint folders,” which I think is a poor attempt at conveying the impression that the change is something good. It’s not. Instead, it’s a long (very long) overdue fix for something that Microsoft should have addressed in 2017.

Update: In message center notification MC306666 (December 18), Microsoft says that they will roll out the fix in “late February through late April (2022).” The delay in the roll-out is likely due to the need to fix bugs which came to light during testing.

The delay means that any channel renamed before the deployment of the fix will remain unpaired, unconnected, unsynchronized, and seemingly unrelated to its SharePoint folder. Given the massive growth in Teams to 250 million monthly active users and the consequent growth in SharePoint Online usage, one can only guess at how many disconnected channels exist.

One of Those Complex Software Engineering Problems

No one denies that Teams is a complex product. Teams has dependencies on and consumes many different Microsoft 365 services from Azure AD to Exchange Online. The Teams development group has done a terrific job in growing the feature set in the product and expanding its capabilities into areas like multi-geo support. As Teams development VP, Rish Tandon, explained to me last May, the engineers have faced and solved many challenging problems as they developed the product from initial idea to world-class service.

But from time to time, the Teams development group just doesn’t deliver detail as well as it should. The failure to fix the channel rename problem is a classic example. Rolling out version 2.5.0 of the Teams PowerShell module with a broken version of the New-Team cmdlet is another. Neither appears to be one of the complex software engineering problems that slow products down.

The New Channel Rename

After Microsoft deploys the update to Office 365 tenants, renaming a channel (Figure 1) updates the value in both Teams and SharePoint Online.

Figure 1: Renaming a Teams channel

As you can see in Figure 2, the synchronization with SharePoint Online means that the channel folder has the same name as used in Teams. In the past, the folder would still be “Projects” instead of the new “Projects 2021” name.

Figure 2: The folder in SharePoint Online has the same name as the renamed Teams channel

The General channel is an exception because it cannot be renamed. This is because the General channel represents the team. In fact, because the General channel exists in every team, the Teams clients translate its name to show translated values. For instance, it’s called Général in French and Allgemein in German. The names given to other channels are not translated and keep whatever name is given when created or renamed.

Rename synchronization for channels and folders applies for standard, shared, and private channels. Channels renamed prior to the update are not adjusted. If you want the names of these channels to synchronize with SharePoint Online, you’ll need to rename them again in Teams.

Microsoft notes that the new channel name will not be used by the OneDrive sync client until the client fully processes the channel following the rename. This usually doesn’t take long.

The Long-Awaited Fix

It’s good that Teams and SharePoint are now on the same page when it comes to channel renaming. It’s taken too long to happen, but it’s better late than never.


OneDrive’s Sharing Control Upgraded with Shared with Information
https://office365itpros.com/2021/08/13/onedrive-sharing-control-upgraded-with-shared-with-information/
Fri, 13 Aug 2021 01:00:00 +0000

Highlighting Who Already Has Access to Shared Information

Message center notification MC263839 (updated August 6 – Microsoft 365 roadmap item 83725) is all about new “Shared with” information which now appears on the control used to create sharing links. Well, it will when the roll-out completes in mid-August. Although tagged for OneDrive for Business, this change applies to both OneDrive for Business and SharePoint Online.

The idea is that the control now lists the set of people whom a file, folder, or list is already shared with so that owners know (at a glance – if they bother) how many people already have access and who they are.

Viewing Sharing Information in Different Circumstances

Showing sharing information works better in some situations than others. For example, if you share a file from a site owned by a Microsoft 365 group (or team), the set of sharing information includes:

  • The group
  • Group owners
  • Group members
  • Group visitors

It seems like this information could be filtered so that only the group is shown. The full set (Figure 1) doesn’t add value as the three entries (for SharePoint groups used to manage access) are defunct in the context of a group-connected site.

Figure 1: Sharing information for a site connected to a Microsoft 365 group

The information is more valuable when sharing a file from a site that isn’t connected to a group or OneDrive for Business. For instance, Figure 2 shows that a file is shared with 2 sharing links plus five specific users (tenant and guest accounts). Although you can mouse over an avatar to see who has access, it’s obviously better if the tenant and guest accounts have photos as this allows the sharing dialog to include thumbnails for each person.

Figure 2: Sharing information for a bunch of users

Several tests showed that up to six entries can appear in the dialog. If more people have access, you’ll see an ellipsis choice to go to the Manage Access menu to view full details of the existing sharing.

The mock-up used in MC263839 (Figure 3) uses larger thumbnails. It’s an interesting insight into the design decisions that must be taken to settle on the final look and feel for user interfaces.

Figure 3: Larger thumbnails in the sharing control mockup

Making Sharing More Transparent

This change is another to build out capabilities in the sharing control to make it more powerful and useful. Although some will probably say that it’s just window dressing or eye candy, I rather like seeing the set of people with access to a file, folder, or list highlighted in this manner. It’s the small things that often have the biggest impact!


Microsoft Introduces Auto-Expiration Policy for Teams Meeting Recordings
https://office365itpros.com/2021/08/03/teams-meeting-recordings-retention/
Tue, 03 Aug 2021 01:30:00 +0000

Only for Recordings of New Teams Meetings

Updated 21 May 2022

Announced in MC274188 (July 30), in late September, Microsoft planned to enable meeting recording auto-expiration for new Teams meeting recordings (TMRs) stored in SharePoint Online and OneDrive for Business (Microsoft 365 roadmap item 84580). The new feature will move the MP4 files used for TMRs to the site recycle bin when their expiration date lapses. For enterprise users, the expiration period is 120 days after the creation of the recording. A reduced period of 30 days applies for academic users with the Office 365 A1 license. Once in the recycle bin, the MP4 files follow the standard SharePoint file deletion cycle. Auto-expiration for TMRs is available for all Office 365 and Microsoft 365 licenses which contain Teams.

TMRs are the first workload to move video storage from the classic Stream Azure-based platform to SharePoint Online and OneDrive for Business (ODSP). From August 16, 2021, all new TMRs will be in ODSP. Even though tenants have a lot more storage quota available (especially in OneDrive for Business for recordings of personal meetings) than in Stream, the new policy aims to restrict the amount of storage occupied by TMRs (roughly 400 MB per hour).

Update: Following a series of earlier delays, on January 31, 2022, Microsoft pushed deployment out to late March 2022 to make sure that when they start to delete files, they remove the right files. At the same time, Microsoft increased the default retention period from 60 to 120 days for all tenants that haven’t configured a custom retention period. Eventually all the blocking factors were removed and Microsoft began to roll out the auto-expiration of Teams meeting recordings feature in early April.

Setting a New Expiration Period for TMRs

Microsoft says that 96% of TMRs are not watched again in the 60 days (and 99% after 110 days) following the original meeting, which is why they’ve chosen this to be the default expiration period. Users can change the expiration period for individual TMRs by updating file properties through the file details pane (selecting preset values of 14, 30, or 60 days, a custom date, or Never Expire). Organizations can set a default expiration period for newly created TMRs using the Teams meeting policy assigned to user accounts. For example, to set the default expiration period for recordings of meetings made by people assigned the VIP User Meeting Policy, run the command:

Set-CSTeamsMeetingPolicy -Identity "VIP User Meeting Policy" -NewMeetingRecordingExpirationDays 120

Originally, Microsoft’s documentation described a maximum expiration period of 99,999 days (273 years). Subsequently, problems emerged when tenants set such a high value and the safe limit was found to be 9,999 days, which should be more than enough to keep any normal recording (remember, you can apply a retention label to keep recordings for longer). The minimum is 1 day, and you can set the value (in PowerShell) to -1 to set meeting recordings to never expire. The expiration period for A1 users can only be reduced from the default 30 days.

You can also update the auto-expiration period for meeting policies through the Teams admin center (November 2021 update). Interestingly, the Teams admin center allows a range of between 1 and 99999 days! I’ve asked Microsoft to clarify whether the supported period is 9,999 or 99,999 days. If you want to go higher than 9,999 days, maybe the best approach is to set expiration to never expire.
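An added example (not from the original article or from Microsoft) that audits meeting policies against the limits described above: -1 for never expire, a 1-day minimum, and the 9,999-day safe limit. The function name Get-RecordingExpirationFinding and the sample policies are constructed for illustration; the commented line at the end uses the real Get-CsTeamsMeetingPolicy cmdlet and needs a Connect-MicrosoftTeams session.

```powershell
# Added example: classify the recording expiration setting of Teams meeting policies.
# Get-RecordingExpirationFinding is a hypothetical helper, not part of any Microsoft module.
function Get-RecordingExpirationFinding {
    [CmdletBinding()]
    param(
        # Any object with Identity and NewMeetingRecordingExpirationDays properties,
        # such as the output of Get-CsTeamsMeetingPolicy.
        [Parameter(Mandatory, ValueFromPipeline)]
        [object] $Policy,

        # Safe upper limit reported in the article (the documentation originally said 99,999).
        [int] $SafeMaximumDays = 9999
    )
    process {
        # A missing value converts to 0 and is reported as invalid rather than skipped.
        $days = [int] $Policy.NewMeetingRecordingExpirationDays

        $finding = if ($days -eq -1) {
            'Never expires (-1)'
        } elseif ($days -lt 1) {
            'Invalid: minimum is 1 day, or -1 for never expire'
        } elseif ($days -gt $SafeMaximumDays) {
            "Above the safe limit of $SafeMaximumDays days"
        } else {
            'OK'
        }

        [pscustomobject]@{
            Identity       = $Policy.Identity
            ExpirationDays = $days
            Finding        = $finding
        }
    }
}

# Constructed sample input so the check runs without a tenant connection.
$samplePolicies = @(
    [pscustomobject]@{ Identity = 'Global';                      NewMeetingRecordingExpirationDays = 120 }
    [pscustomobject]@{ Identity = 'Tag:VIP User Meeting Policy'; NewMeetingRecordingExpirationDays = 99999 }
    [pscustomobject]@{ Identity = 'Tag:Legal Hold Meetings';     NewMeetingRecordingExpirationDays = -1 }
    [pscustomobject]@{ Identity = 'Tag:Misconfigured';           NewMeetingRecordingExpirationDays = 0 }
)

# Show only the policies that need a second look.
$samplePolicies |
    Get-RecordingExpirationFinding |
    Where-Object Finding -ne 'OK' |
    Format-Table -AutoSize

# Against a live tenant (after Connect-MicrosoftTeams):
# Get-CsTeamsMeetingPolicy | Get-RecordingExpirationFinding | Where-Object Finding -ne 'OK'
```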

Figure 1: Defining a retention period for Teams meeting recordings

Background processes run to evaluate TMRs in ODSP to check their expiration date. If the expiration process detects an expired file, the process moves the file into the recycle bin and clears the expiration date field. Recording owners receive email notifications when OneDrive moves expired recordings into the recycle bin (Figure 2). If necessary, they can rescue important recordings from the recycle bin for up to 90 days after deletion. Once moved back from the recycle bin, the recording has no retention date set and will therefore not be evaluated for deletion again.

Figure 2: Email notification that a Teams meeting recording has expired and been deleted

To help users understand when a recording approaches expiration, visual indications appear:

  • Beside the link to the meeting recording in the meeting chat. Anyone with view access to the recording sees the expiration notice.
  • Two weeks before expiration, a red icon appears beside the MP4 files for TMRs in the Recordings folder of OneDrive for Business accounts (personal meetings) or SharePoint Online sites (channel meetings).

Auto-expiration applies only to new TMRs. Existing TMRs stored in either ODSP or Stream do not have an expiration period. Auto-expiration is only available for TMRs and cannot be used with other file types held in ODSP. Expiration dates are kept if users move recording files to a different site (it’s the same file). They are not kept when users copy recording files (it’s a different file). Downloading and uploading a recording creates a new file with no expiration date. If you want to be sure that the expiration process does not remove a Teams meeting recording, apply a retention label to the file.

Tenant administrators can track the creation of TMRs in OneDrive for Business and SharePoint Online by using PowerShell to extract and analyze audit events.

Auto-Expiration and Retention

Auto-expiration is a good housekeeping feature rather than a compliance feature. It will help organizations cope with a swelling collection of TMRs in user OneDrive for Business accounts and SharePoint Online sites but will do nothing to help with data governance. Two interesting developments due to arrive soon are automatic transcription for TMRs and indexing of transcripts. From a compliance perspective, this means that it will be possible to search for words spoken during a meeting and be able to put those words in the context they were spoken. Obviously, this is a big advance in compliance capabilities.

To take advantage of spoken word retrieval and make sure that transcripts and videos are available to eDiscovery investigators, you obviously need to retain TMRs. For this reason, a retention label on a TMR prevents the auto-expiration process removing recording files until the retention period assigned in the label lapses. Also, a retention label mandating deletion after a period takes precedence over auto-expiration, meaning that if the retention label has a shorter retention period than the auto-expiration date, that’s when SharePoint will remove the file.

Precedence applies for retention labels assigned manually or via an auto-label policy (available to tenants with Office 365 E5). Organizations which leverage retention labels to preserve the recordings of important Teams meetings might not see much change after Microsoft introduces the new auto-expiration feature.


Make sure that you’re not surprised about changes which appear inside Office 365 applications by subscribing to the Office 365 for IT Pros eBook. Our monthly updates make sure that our subscribers stay informed.

SharePoint Online Adopts OneDrive’s Deletion Method for Items with Retention Labels
https://office365itpros.com/2021/06/30/sharepoint-online-delete-retained-files/
Wed, 30 Jun 2021 01:00:00 +0000

Change to Remove Inconsistency

Retention policies and retention labels both make sure that workloads like SharePoint Online retain information needed by organizations. Retention policies are broader in scope and apply default retention to any location coming within their scope. For instance, if you apply a retention policy to a set of SharePoint sites, any file within those sites comes within the scope of the policy. Retention labels are more granular and apply to individual items, whether assigned by users or through auto-label policies (like the example of using an auto-label policy to retain Teams meeting recordings). Because they are more specific, retention labels take precedence over retention policies.

It’s up to an application how to implement the application of retention labels to items. It’s also up to applications how to respect the fact that a retention label exists on an item. Different behaviors have existed in the SharePoint Online and OneDrive for Business browser interfaces since the introduction of retention labels in 2017. According to MC264360 (June 24) – Microsoft 365 roadmap item 82063, Microsoft is closing the inconsistency and SharePoint Online will adopt the OneDrive for Business approach.

Deleting SharePoint Online Items

Today, if you try and delete an item in a SharePoint Online document library, the UI prompts for the deletion to proceed and if confirmed, attempts to delete the item. If the item is labeled, the deletion fails (Figure 1) and the user sees that removal isn’t possible because of the label.

Figure 1: SharePoint Online declines to delete a labeled file

There’s nothing to stop the user removing the label and then deleting the file, unless it’s a record label (only a site administrator can change a record label).

By comparison, you can delete an item in a SharePoint Online document library which comes within the scope of a retention policy. Although seemingly inconsistent (because the organization wishes to retain the items by policy), SharePoint Online allows the deletion to proceed and moves the item into the site recycle bin. Eventually, when the item expires in the recycle bin, SharePoint Online moves it into the site’s Preservation Hold library where it stays until its retention period lapses.

OneDrive’s Streamlined Approach

OneDrive for Business takes a streamlined approach to item deletion and allows users to remove items as they wish (Figure 2).

Figure 2: OneDrive for Business is happy to delete a labeled file

Deleted items go into the OneDrive for Business recycle bin (Figure 3). Users can recover deleted files from there using the Restore your OneDrive feature.

Figure 3: Files in the OneDrive for Business recycle bin

After 90 days, deleted files leave the recycle bin for either permanent removal or retention. If a retention policy or label applies to an item, it moves to the Preservation Hold library (Figure 4) and stays there until its retention period lapses. Of course, retention can be a complex business and an item might come under the scope of a retention policy after retention due to a label lapses. In any case, once no further retention applies to an item, a background job removes the item. Removed items are irrecoverable unless a backup exists.

Figure 4: Files in the Preservation Hold library for a OneDrive for Business account

The Goodness of Consistency

You can argue that either approach makes sense. Some like it that SharePoint Online stops people deleting labeled items. It’s a form of affirmation that the file is important. On the other hand, allowing deletion to happen but preserving files needed for retention is a lower-friction method which prevents potential user confusion (why can I delete that file but not this one?). Overall, achieving consistency across OneDrive for Business and SharePoint Online is a good thing and lowering friction is also a good thing, especially if it stops some support calls. We’ll see how users react (or even notice) after Microsoft rolls out the change in August.


Microsoft Clamps Down on PST Storage in SharePoint Online and OneDrive for Business
https://office365itpros.com/2021/05/24/pst-storage-in-sharepoint-online/
Mon, 24 May 2021 01:53:00 +0000

PSTs Should Never Be in Cloud Storage

Updated: July 14, 2021

On May 17, Microsoft published message center notification MC256835 to advise tenants about the introduction of what they call a “PST version retention policy.” This has nothing to do with retention labels or retention policies. Instead, it’s about controlling PST storage in SharePoint Online by limiting the number of versions kept for PST files stored in SharePoint Online and OneDrive for Business document libraries.

Versioning in SharePoint Online

Versioning is a SharePoint feature. In a nutshell, as users make changes to files in document libraries, they create versions of the files. In some cases, such as when editing Office documents using Autosave, a single edit session might generate twenty or thirty versions, depending on the number of changes made. The number of versions kept in a document library is defined in library settings (Figure 1) in a range of 300 to 50,000.

Figure 1: Defining the Versioning setting for a SharePoint Online document library

SharePoint keeps multiple versions of files to ensure that the user can go back to a previous version. To do this, select a document and then Version history. You can then select a version to restore (Figure 2).

Figure 2: Version history for a document

Both SharePoint Online and OneDrive for Business also support options to restore a library to a point in time over the previous 30 days. Without versions, it would not be possible to do this.

Why PSTs End up in SharePoint and OneDrive

Versioning is good, so what’s the problem with PSTs? Before addressing that question, we should ask why PST storage in SharePoint Online or OneDrive for Business comes about. A PST (Personal Storage Table) is for email storage. It is a container to allow users to store messages they wish to keep. People might have moved PSTs from network file shares into SharePoint, but it’s a bad idea to use PSTs in SharePoint.

  • The PST file format is not intended for concurrent shared access. These are personal files. If a problem happens with a PST file stored in SharePoint, it might lead to data loss.
  • Even though they are in SharePoint, the messages stored in PSTs are inaccessible for eDiscovery.
  • Over the years, Microsoft consistently advised against the use of shared PSTs on network file shares because of the potential for corruption.

You might think the problem of concurrent access to a shared file is addressed by using the OneDrive sync client to have a local copy of PSTs synchronized with the master copy in SharePoint. But as pointed out in this post by a Microsoft support engineer, the way Outlook locks PST files for exclusive access creates many problems for the sync client (Figure 3). Basically, the sync client is frustrated by the lock taken out by Outlook and can’t process the PST.

Figure 3: The OneDrive sync client has a problem with a PST

People who replace local workstation storage with OneDrive for Business for well-known folders like Documents might end up with PSTs in OneDrive. To avoid problems, they should move these files out of a synchronized location.

The Impact of PST Storage in SharePoint Online

The problem now being addressed by Microsoft is that holding multiple PST versions can consume a huge amount of SharePoint storage quota. Remember, a PST is a container rather than an individual file, and if it’s in active use, Microsoft says this generates “multiple versions which leads to storage being quickly consumed.”

Because of the generous quotas available to OneDrive for Business users, consuming storage is less of an issue for OneDrive for Business than it is for SharePoint Online. Microsoft makes 1 TB plus 10 GB per licensed user available for the organization and charges extra if more storage is needed. Using retention labels and retention policies to ensure files cannot be removed from SharePoint can already consume large amounts of storage, so adding PSTs to the mix is like pouring fuel on a raging fire.

Microsoft’s solution is to retain no more than 30 days’ worth of PST versions. This is enough to ensure that the Restore library feature works, even when PSTs are in a library. While the best answer is not to allow users to store PSTs in SharePoint Online or OneDrive for Business, restricting versions for PSTs is an acceptable method to restrain storage demand. Organizations can block users from synchronizing PSTs by including the file type in the blocked files list defined in the Settings section of the SharePoint Online admin center (Figure 4). Given the impact this could have on users, it’s a good idea to communicate about the block before its implementation.

Figure 4: Configuring file types block for OneDrive synchronization

Microsoft Implements the New Policy

Starting June 28, organizations can use the Set-SPOTenant cmdlet from the SharePoint Online PowerShell module to control the new policy. By default, the policy will be on, meaning that PST versions are permanently deleted once they reach 30 days old. If you don’t want to restrict PST versions, you can opt out of the policy by running:

Set-SPOTenant -DisableOutlookPSTVersionTrimming $True

The new switch for the Set-SPOTenant cmdlet is available in the 16.0.21411.12000 release of the SharePoint Online management shell (released on July 12). You can download the module from the PowerShell Gallery.

The opt-out command must be run by August 13, so organizations have roughly six weeks to decide to opt-out. The policy becomes effective on August 16 and running the command to opt-out afterwards will have no effect. The big caveat is that the opt-out applies only to existing libraries. Any new library created after August 13 will apply the 30-day retention for PST versions.

The Badness of PSTs

I’ve been trying to persuade organizations to stop using PSTs for years. They’re a 25-year-old answer to the problem of small server mailboxes, which existed then and doesn’t now. PSTs are insecure, compromise the ability of organizations to search for information and apply compliance policies, and are prone to failure. There is nothing to recommend their continued use and even less to think that it’s a good idea to store PSTs in SharePoint Online and OneDrive for Business. If you’re still unconvinced, listen to this on-demand webinar Why PSTs are Such a Bad Idea in the Cloud, where I try my very best to explain why.


How Sensitivity Labels Control the External Sharing Capability of SharePoint Online Sites
https://office365itpros.com/2021/03/29/sensitivity-labels-container-share/
Mon, 29 Mar 2021 01:13:00 +0000

Two Notifications Mark a Special Update

A feature so good that it requires two identical message center notifications must be worthwhile. Such is the case for the ability of sensitivity labels container management to control the external sharing capability of SharePoint Online team sites, as announced in MC244217 and MC244216 on March 12. Both point to Roadmap item 70735.

Information Protection and Container Management

Sensitivity labels can include settings for information protection and container management. Information protection usually means that the assignment of a label to an Office document, Azure Purview data (preview), Power BI objects, or other files will encrypt the target content using Microsoft Information Protection (rights management). Container management means that labels impose settings on a Microsoft 365 group, including the team or SharePoint team site belonging to the group. A single label can include both information protection and container management settings and is therefore applicable to both files and containers, or the scope of the label can be one or the other use. I favor a restricted label scope because I think it makes labels easier to manage.

Container Management Settings

When Microsoft first introduced the ability of sensitivity labels to control container settings, a limited number of controls were available. You can configure a label to:

  • Control access to the container for Azure B2B Collaboration guest accounts. Previously, this control over containers could only be set by updating the properties of the group with PowerShell. The options are to allow or block guest access.
  • Set the access to be public or private. If a label is not present, the group owner can decide whether the group is public (available to any tenant user) or private (restricted to the group membership).
  • Limit access to documents in a SharePoint site when using unmanaged devices.

The set of available controls is useful and sensitivity labels are much better than the alternative (like text-based classifications), but Microsoft’s intention always was to expand the number of controls to make sensitivity labels a much more powerful policy-driven management method for containers. Adding control over the sharing capability for SharePoint sites is further evidence of their intent.

Controlling External Access to SharePoint Online Sites

Organizations often store confidential or sensitive documents in SharePoint sites. SharePoint Online supports four values for site sharing capability to control the degree of external sharing permitted for documents in a site:

  • Disabled – allow no external sharing outside the organization.
  • ExistingExternalUserSharingOnly – allow sharing only with the guest users already in your organization’s directory.
  • ExternalUserSharingOnly – allow users to share documents with new external users, who must accept the sharing invitations and go through an authentication process to create a guest account.
  • ExternalUserAndGuestSharing – allow sharing with all external users, and by using anonymous access links (Anyone links).

SharePoint Online administrators and site owners can set the sharing capability through:

  • The SharePoint Online admin center.
  • PowerShell, using the Set-SPOSite cmdlet to update the SharingCapability setting.
  • And now, by assigning a sensitivity label which has the external sharing control configured.

Remember that SharePoint Online won’t allow you to assign a less restrictive access to a site than allowed by the tenant sharing setting. In other words, if the tenant explicitly blocks anyone access for all sites, assigning anyone access through a label will have no effect.

Setting External Sharing Capability in a Sensitivity Label

When editing a sensitivity label, administrators can define what sharing capability is set when an owner or administrator assigns the label to a site (Figure 1).

Figure 1: Configuring SharePoint site sharing capability for a sensitivity label

The Site Owner View

Not every site owner knows about admin tools, and a major benefit of controlling sharing capability with sensitivity labels is that it makes it easier for site owners to assign the appropriate level of sharing based on their knowledge of the content within the site. At least, that’s the theory, and a lot depends on the clarity of the names chosen for sensitivity labels. Ideally, the names should convey how sensitive the information stored in the site is (Figure 2).

Figure 2: Choosing a sensitivity label for a SharePoint Online site

Applying a sensitivity label to a group or team also applies it to the site and selecting a new sensitivity label for a site also applies it to the associated group and team.

PowerShell Support for Container Management

The PowerShell cmdlets to interact with sensitivity labels are available after connecting a session to the compliance endpoint. The easiest way to do this is to run the Connect-IPPSSession cmdlet from the Exchange Online management module.

Once connected, we can use the Get-Label cmdlet to find details of sensitivity labels and the Set-Label cmdlet to update their settings. For example, not all sensitivity labels are configured for container management, so to find the set of labels scoped for container management, run this code:

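# Connect to the compliance endpoint and fetch all sensitivity labels
Connect-IPPSSession
$Labels = Get-Label
ForEach ($Label in $Labels) {
   # ContentType lists the label's scopes; container labels include "Site, UnifiedGroup"
   If ($Label.ContentType -match "Site, UnifiedGroup") {
      Write-Host "Label" $Label.DisplayName "has container actions"
   }
}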

Label Non-business use has container actions
Label General Access has container actions
Label Guest Access has container actions
Label Limited Access has container actions
Label Confidential Access has container actions

To show how to use Set-Label, here are two examples of updating labels to set different sharing capabilities.

Set-Label -Identity Confidential -AdvancedSettings @{sharingcapability="ExistingExternalUserSharingOnly"}
Set-Label -Identity Secret -AdvancedSettings @{sharingcapability="Disabled"}

After applying a label with a sharing capability setting configured to a site, SharePoint updates its sharing capability. You can check that the settings have changed with the Get-SPOSite cmdlet:

Get-SPOSite -Identity "https://office365itpros.sharepoint.com/sites/BlogsAndProjects/" | Select SharingCapability, SensitivityLabel

SharingCapability SensitivityLabel
----------------- ----------------
         Disabled 27451a5b-5823-4853-bcd4-2204d03ab477
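
One way to run the same check across many sites, as an added example that is not code from the original article: the functions below compare each site's SharingCapability with the value its label should impose, capped by the tenant setting because a site cannot be less restrictive than the tenant. The label-to-capability map, the placeholder label GUID, the contoso site URLs and the function names are constructed assumptions.

```powershell
# Added example: flag sites whose sharing capability differs from what the
# assigned container label should impose. All sample data is constructed.

# The four SharingCapability values, ranked from most (0) to least (3) restrictive.
$SharingRank = @{
    'Disabled'                        = 0
    'ExistingExternalUserSharingOnly' = 1
    'ExternalUserSharingOnly'         = 2
    'ExternalUserAndGuestSharing'     = 3
}

function Get-EffectiveSharingCapability {
    # A site can never be less restrictive than the tenant, so the effective
    # value is the more restrictive of the label setting and the tenant setting.
    param(
        [Parameter(Mandatory)][string]$LabelCapability,
        [Parameter(Mandatory)][string]$TenantCapability
    )
    foreach ($Value in @($LabelCapability, $TenantCapability)) {
        if (-not $SharingRank.ContainsKey($Value)) {
            throw "Unknown sharing capability '$Value'"
        }
    }
    if ($SharingRank[$LabelCapability] -le $SharingRank[$TenantCapability]) {
        return $LabelCapability
    }
    return $TenantCapability
}

function Test-SiteSharingDrift {
    # Returns one row per site with a status of OK, Drift, NoLabel or UnmappedLabel.
    param(
        [Parameter(Mandatory)][object[]]$Sites,
        [Parameter(Mandatory)][hashtable]$ExpectedByLabel,
        [Parameter(Mandatory)][string]$TenantCapability
    )
    foreach ($Site in $Sites) {
        $LabelId  = [string]$Site.SensitivityLabel
        $Actual   = [string]$Site.SharingCapability
        $Expected = $null
        if ([string]::IsNullOrWhiteSpace($LabelId)) {
            $Status = 'NoLabel'
        }
        elseif (-not $ExpectedByLabel.ContainsKey($LabelId)) {
            $Status = 'UnmappedLabel'
        }
        else {
            $Expected = Get-EffectiveSharingCapability `
                -LabelCapability $ExpectedByLabel[$LabelId] `
                -TenantCapability $TenantCapability
            $Status = if ($Actual -eq $Expected) { 'OK' } else { 'Drift' }
        }
        [pscustomobject]@{
            Url      = $Site.Url
            Label    = $LabelId
            Actual   = $Actual
            Expected = $Expected
            Status   = $Status
        }
    }
}

# Assumption: the administrator maintains this map of label GUID to the
# sharing capability configured in that label.
$ExpectedByLabel = @{
    '27451a5b-5823-4853-bcd4-2204d03ab477' = 'Disabled'                     # GUID from the Get-SPOSite output in the article
    '00000000-0000-0000-0000-000000000001' = 'ExternalUserAndGuestSharing'  # placeholder GUID
}

# Constructed sample objects with the same property names Get-SPOSite returns.
$SampleSites = @(
    [pscustomobject]@{ Url = 'https://contoso.sharepoint.com/sites/Finance'
        SharingCapability = 'Disabled'; SensitivityLabel = '27451a5b-5823-4853-bcd4-2204d03ab477' }
    [pscustomobject]@{ Url = 'https://contoso.sharepoint.com/sites/Legal'
        SharingCapability = 'ExternalUserSharingOnly'; SensitivityLabel = '27451a5b-5823-4853-bcd4-2204d03ab477' }
    [pscustomobject]@{ Url = 'https://contoso.sharepoint.com/sites/Marketing'
        SharingCapability = 'ExternalUserSharingOnly'; SensitivityLabel = '00000000-0000-0000-0000-000000000001' }
    [pscustomobject]@{ Url = 'https://contoso.sharepoint.com/sites/Archive'
        SharingCapability = 'ExistingExternalUserSharingOnly'; SensitivityLabel = '' }
)

# Against a real tenant (SharePoint Online management shell, after Connect-SPOService):
#   $Sites  = Get-SPOSite -Limit All | ForEach-Object { Get-SPOSite -Identity $_.Url }
#   $Tenant = (Get-SPOTenant).SharingCapability
Test-SiteSharingDrift -Sites $SampleSites -ExpectedByLabel $ExpectedByLabel `
    -TenantCapability 'ExternalUserSharingOnly' | Format-Table -AutoSize
```

Rows marked Drift are sites where someone changed the sharing capability after the label was applied, or where the label setting has not yet taken effect.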

Checking that Everything Works

Of course, it’s a good idea to check that the sharing capability set in a sensitivity label works after assigning the label to a site. Let’s assume that you assign a label which disables external sharing. The easy test is to see if sharing works. As Figure 3 shows, it is not allowed and you see one of SharePoint’s famous OSE errors.

Figure 3: SharePoint Online blocks an attempt to share a file with an external user

Being able to control external sharing for SharePoint sites is just the latest control for sensitivity labels. Microsoft plans more in the future. With this in mind, if you haven’t already started using sensitivity labels, perhaps now is a good time to make a start?

How to Decrypt Protected SharePoint Files Using PowerShell and the Graph API
https://office365itpros.com/2021/03/25/decrypt-protected-sharepoint-files/
Thu, 25 Mar 2021 00:43:00 +0000

Unlocking Protected SharePoint Documents

In my article about how to decrypt SharePoint Online documents with PowerShell, I explained how to use the Unlock-SPOSensitivityLabelEncryptedFile cmdlet to decrypt protected SharePoint files by removing the sensitivity labels protecting the files. The example script uses cmdlets from the SharePoint PnP module to return a set of files from a folder in a document library for processing, and the unlock cmdlet then removes protection from any file with a sensitivity label.

The script works, but it’s not as flexible as I would like. For instance, because PnP can’t distinguish files with labels, every document in the folder is processed whether it is labelled or not. This does no harm, but it’s not something that you might want to do in the case of something like a tenant-to-tenant migration where thousands of protected documents might need to be processed.

Update May 10, 2021: The latest version of the SharePoint Online PowerShell module contains the Get-FileSensitivityLabelInfo cmdlet. This can be run to return the label status of a file, including if the label assigned to the file encrypts the file. The existence of this cmdlet removes some of the need to use the Graph to find and remove labels from protected files, but the Graph is still the fastest way to get the job done.

Using the Sites Microsoft Graph API

Which brings me to an updated version of the script (available from GitHub), which uses the Sites API from the Microsoft Graph to navigate through SharePoint Online and find labelled documents to process. Apart from being able to search for documents with sensitivity labels, a Graph API is usually the fastest way to deal with large numbers of objects.

Because we’re making Graph calls from PowerShell, we need to create a registered app in Azure AD to use as the entry point to the Graph (the same steps as outlined in this post are used). The app needs to be able to read site data, so I assigned it Sites.Read.All and Sites.ReadWrite.All permissions (Figure 1).

Figure 1: Setting API permissions for the Graph app

Finding Protected Documents

The script accepts two parameters: the name of the site to search (not the URL) and an optional folder. If multiple matching sites are found, the user is asked to choose which one to search (Figure 2).

Figure 2: Choosing a SharePoint Online site to investigate for protected documents

Once a target site is confirmed, the script figures out if a folder is specified and if that folder exists in the chosen site. In Graph terms, we’re now dealing with drive objects. The default drive is the root folder of a document library and each folder is a different drive. To find folders, we need to find the child objects in the root, identify the right folder, find its drive identifier, and use that to find the files in the folder. All good, clean Graph fun.

The Drive API returns a maximum of 200 items at a time, so some Nextlink processing is needed to fetch the complete set of files in a folder. Each file is examined to figure out if it has a sensitivity label with protection, and if so, the display name of the label. After processing all the files, we tell the user what we’ve found and ask permission to go ahead and decrypt the files (Figure 3). If the user chooses not to proceed, the script writes details of the protected files out to a CSV file.

Figure 3: Reporting the protected files found in a folder in a SharePoint Online document library

Decrypting Files

Files are decrypted by calling the Unlock-SPOSensitivityLabelEncryptedFile cmdlet. There’s no native Graph API call to decrypt SharePoint documents. In any case, we’re running a PowerShell script so it’s easy to call the cmdlet.

An Example to Build On

The script is an example of what’s possible with a combination of PowerShell and Graph API calls. I’m sure that the code and the functionality can be improved (feel free to suggest changes and improvements via GitHub). I’m just happy to demonstrate how things work and how including the Graph enables some extra flexibility.


Resetting the Sign-In Address for an Entra ID Guest Account
https://office365itpros.com/2021/03/22/reset-email-account-azure-ad-guest/
Mon, 22 Mar 2021 00:05:00 +0000

Avoiding the Need to Remove and Recreate Guest Accounts

Microsoft 365 applications like Microsoft 365 Groups, Teams, SharePoint Online, and Planner use Entra ID B2B Collaboration to enable guest user access to their resources. The result is that many tenants have a proliferation of guest accounts to manage. I’ve written quite a few tools to help, including a report of guest accounts and their membership of Microsoft 365 Groups and a comprehensive report of tenant and guest members in Groups and Teams. Management can even be a challenge for guests who want to renounce their membership of a tenant.

In any case, the details of some guest accounts change over their lifetime. On March 2, Microsoft issued documentation for Reset redemption status for a guest user. This doesn’t sound very exciting, but it’s really very interesting because the feature allows tenant administrators to adjust how a guest account is signed into without using the previous technique of removing and recreating an account. The downside of that approach is that access is lost to all the resources available to the guest account like Teams, SharePoint sites, shares to individual documents, and so on. After recreating the account, access must then be regranted for each resource. This process is tedious, especially when the guest features in multiple groups.

Microsoft anticipates that the reset feature will be used in scenarios such as:

  • The user wants to sign in using a different email and identity provider. In other words, they now have a different account. For instance, the user might have moved companies and wishes to continue working with your company (a common scenario for professionals like IT consultants and lawyers).
  • The account for the user in their home tenant has been deleted and recreated. Entra ID won’t recognize the link between the guest account and the user’s new account.
  • The user’s responsibilities have been passed along to another user and they want to assign access to the resources which supported those responsibilities to that user.

Part of the change is performed using the Entra ID admin center. The rest is done with PowerShell cmdlets from the AzureAD Preview module, which you can download from the PowerShell Gallery.

Change the Email (Sign-in) Address for a Guest Account

Unlike tenant accounts, guest users don’t use their user principal name to sign in. Instead, they use their email address. To work, the reset feature changes the sign-in name for the guest account and nothing else. The mail user object created in Exchange Online to allow guest users to receive email is also updated.

In this example, I have a guest account for Jacko Winters. The original email address for this account is Flayosc@outlook.com. The guest is a member of multiple teams and shares some SharePoint documents. I want to reassign access to all these resources to another account called Flayosc@yandex.com. It’s an example of the first scenario described above.

The first step is to update the Mail attribute (Email address) for the guest account with the email address you want to use. Do this through the Entra ID admin center (Figure 1). The new email address cannot belong to any other mail-enabled object in the tenant, such as another guest account. If it does, Entra ID won’t allow you to update the account.

Figure 1: Updating the email address for a guest account

Moving to PowerShell, connect to AzureAD and get the Entra ID account identifier for the guest account you want to replace.

Connect-AzureAD
$ObjectId = (Get-AzureADUser -SearchString "Jacko Winters").ObjectId
$ObjectId
558d8cbb-a5a2-4ea1-b950-0d0748ca5634

Now create a new User object and populate it with the object identifier for the account.

$OldUser = New-Object Microsoft.Open.MSGraph.Model.User -ArgumentList $ObjectId
$OldUser

Id                                   OdataType
--                                   ---------
558d8cbb-a5a2-4ea1-b950-0d0748ca5634

Issuing a New Invitation

The next thing to do is check that the values returned from the two commands match. If they do, use the New-AzureADMSInvitation cmdlet to reissue an invitation to the new email address. The identifier for the guest user account is passed in the InvitedUser parameter. The myapps.microsoft.com landing page is a default site showing apps available to a user. Here’s the command I ran:

New-AzureADMSInvitation -InvitedUserEmailAddress Flayosc@yandex.com -SendInvitationMessage $True -InviteRedirectUrl "http://myapps.microsoft.com" -InvitedUser $OldUser -ResetRedemption $True

Update: Given the deprecation of the AzureAD module in March 2024 (and the disappearance of the ResetRedemption parameter from the New-AzureADMSInvitation cmdlet), you should switch to the Microsoft Graph PowerShell SDK. This code is the equivalent using the New-MgInvitation cmdlet:

$User = Get-MgUser -Filter "startsWith(mail, 'Flayosc@yandex.com')"
New-MgInvitation `
    -InvitedUserEmailAddress 'Flayosc@yandex.com' `
    -InviteRedirectUrl "http://myapps.microsoft.com" `
    -ResetRedemption `
    -SendInvitationMessage `
    -InvitedUser $User

See this documentation for more information.

Entra ID creates a new invitation to access the resources currently available to the guest account and sends it to the new email address. You’ll see a response like this:

Id                      : 129c1c12-da99-4879-b258-d14b34601d46
InvitedUserDisplayName  :
InvitedUserEmailAddress : Flayosc@yandex.com
SendInvitationMessage   : True
InviteRedeemUrl         : https://login.microsoftonline.com/redeem?rd=https%3a%2f%2finvitations.microsoft.com%2fredeem%
2f%3ftenant%3db662313f-14fc-43a2-9a7a-d2e27f4f3478%26user%3d129c1c12-da99-4879-b258-d14b34601
d46%26ticket%3dLStZd8uAONAIbLNIZyfaUZ91VsRczLbzqbFOeHsonSE%253d%26ver%3d2.0
InviteRedirectUrl       : http://myapps.microsoft.com/
InvitedUser             : class User {Id: 558d8cbb-a5a2-4ea1-b950-0d0748ca5634
OdataType: }

InvitedUserMessageInfo  : class InvitedUserMessageInfo {
                            CcRecipients: System.Collections.Generic.List`1[Microsoft.Open.MSGraph.Model.Recipient]
                            CustomizedMessageBody:
                            MessageLanguage:
                          }

InvitedUserType         : Guest
Status                  : PendingAcceptance
ResetRedemption         : True

Accepting the Reissued Invitation

The invitation arrives at the email address (Figure 2) and the user can accept the invitation to confirm their credentials (set a password) and create an OAuth consent to allow the tenant to read details of the user’s account (Figure 3).

Figure 2: The invitation from Azure B2B Collaboration arrives at the new email address
Figure 3: Granting consent to access user information

Once the user consents to the permissions, the user account is updated to set the UserState property to Accepted and write the date of the redemption in UserStateChangedOn. We now have a fully functional guest account again. The important point is that the object identifier and user principal name for the account do not change. The only thing which changes is the mail address associated with the account.
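
Because the user principal name keeps the original address while the mail address changes, an administrator can list guests whose sign-in address was reset by comparing the two. This added example (not code from the original article) does that on constructed sample objects; the function names, the example.onmicrosoft.com domain and the second guest are assumptions, and the comparison is a heuristic because a guest's user principal name is not always derived from the invited address.

```powershell
# Added example: find guest accounts whose Mail no longer matches the address
# encoded in their user principal name. Sample data is constructed.

function ConvertFrom-GuestUpn {
    # Guest UPNs look like local_domain.tld#EXT#@tenant. The "@" of the invited
    # address became "_"; domains cannot contain "_", so the last underscore
    # before #EXT# marks where the "@" was.
    param([Parameter(Mandatory)][string]$UserPrincipalName)

    $Marker = $UserPrincipalName.IndexOf('#EXT#', [System.StringComparison]::OrdinalIgnoreCase)
    if ($Marker -lt 1) { return $null }            # not a guest-style UPN

    $Encoded = $UserPrincipalName.Substring(0, $Marker)
    $Split   = $Encoded.LastIndexOf('_')
    if ($Split -lt 1 -or $Split -eq ($Encoded.Length - 1)) { return $null }

    return $Encoded.Substring(0, $Split) + '@' + $Encoded.Substring($Split + 1)
}

function Find-ResetGuest {
    # Emits one row for each guest whose current Mail differs from the
    # address recovered from the UPN (string comparison is case-insensitive).
    param([Parameter(Mandatory)][object[]]$Users)

    foreach ($User in $Users) {
        $Original = ConvertFrom-GuestUpn -UserPrincipalName $User.UserPrincipalName
        if ($null -eq $Original) { continue }      # member account or unparseable UPN
        if ($Original -ne $User.Mail) {
            [pscustomobject]@{
                Id              = $User.Id
                DisplayName     = $User.DisplayName
                OriginalAddress = $Original
                CurrentMail     = $User.Mail
                State           = $User.ExternalUserState
                StateChanged    = $User.ExternalUserStateChangeDateTime
            }
        }
    }
}

# Constructed sample. The first guest uses the object identifier and addresses
# from the article; the tenant domain and the second guest are placeholders.
$SampleUsers = @(
    [pscustomobject]@{
        Id                = '558d8cbb-a5a2-4ea1-b950-0d0748ca5634'
        DisplayName       = 'Jacko Winters'
        Mail              = 'flayosc@yandex.com'
        UserPrincipalName = 'flayosc_outlook.com#EXT#@example.onmicrosoft.com'
        ExternalUserState = 'Accepted'
        ExternalUserStateChangeDateTime = '2021-03-20T10:00:00Z'
    }
    [pscustomobject]@{
        Id                = '00000000-0000-0000-0000-000000000002'
        DisplayName       = 'Sample Guest'
        Mail              = 'sample_guest@fabrikam.com'
        UserPrincipalName = 'sample_guest_fabrikam.com#EXT#@example.onmicrosoft.com'
        ExternalUserState = 'Accepted'
        ExternalUserStateChangeDateTime = '2020-11-02T08:30:00Z'
    }
)

# Against a real tenant (Microsoft Graph PowerShell SDK, after Connect-MgGraph):
#   $Users = Get-MgUser -Filter "userType eq 'Guest'" -All -Property `
#       Id,DisplayName,Mail,UserPrincipalName,ExternalUserState,ExternalUserStateChangeDateTime
Find-ResetGuest -Users $SampleUsers | Format-List
```

Each reported guest can then be matched against the invitation records in the Entra ID audit log to confirm that an administrator made the change.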

The Entra ID audit log contains details of the issue (Figure 4) and redemption of the invitation. While the activity tab confirms the target address for the invitation, the target tab confirms the guest account.

Figure 4: Entra ID audit records for the reissued invitation

Accessing Resources

In this instance, the guest account has access to several teams and some SharePoint documents. SharePoint access is immediate, including the sites used by Teams. Guest access to Planner also works properly.

After testing that access worked for SharePoint and Planner, I turned to Teams. I expected access to the Teams app to take longer because of the need to complete the process which synchronizes Entra ID with the membership roster used to control access to individual teams. Until this happens, the user is refused access to Teams (Figure 5) and the old email address assigned to the guest account remains visible in Teams (Figure 6). [Note that the display name of the guest account has reverted to Flayosc instead of Jacko Winters]

Figure 5: The guest user can’t get into Teams with the new email address
Figure 6: Details of the old email address still present in the Teams membership roster

Unsurprisingly, because the account information in Teams is now outdated, any attempt to add the guest account as a new member of a team also generates an error (Figure 7).

Figure 7: Error when adding the now-updated guest account to a team’s membership

To try to force synchronization, I updated the display name and several other attributes of the account. This had no effect, so I added a couple of new users to the group using Teams to force Teams to refresh its membership roster. The updates flowed through to Entra ID, but nothing happened in Teams.

Get-AzureADGroupMember -ObjectId b647d5ff-3bda-4333-b768-7990084569b6

ObjectId                             DisplayName                   UserPrincipalName
--------                             -----------                   -----------------
cff4cd58-1bb8-4899-94de-795f656b4a18 Tony Redmond                  Tony.Redmond@office365itpros.com
b3eeaea5-409f-4b89-b039-1bb68276e97d Ben Owens (Business Director) Ben.Owens@office365itpros.com
a6bfb216-e88c-4f1f-86d7-04747e5fc686 Ben James                     Ben.James@Office365itpros.com
9ba20686-f869-46e8-85a2-00ec8a035e48 James Joyce                   James.Joyce@office365itpros.com
acb778e8-f587-45de-ae3a-e76007e043b2 Paul Howett                   Paul.Howett@office365itpros.com
98dda855-5dc3-4fdc-8458-cbc494a5a774 Sean Landy                    Sean.Landy@office365itpros.com
6b52fba5-349e-4624-88cd-d790883fe4c4 Ken Bowers                    Ken.Bowers@office365itpros.com
558d8cbb-a5a2-4ea1-b950-0d0748ca5634 Jacko Winters                 flayosc_outlook.com#EXT#@office365itpro

Get-AzureADuser -ObjectId 558d8cbb-a5a2-4ea1-b950-0d0748ca5634 | ft mail, displayname, objectid

Mail               DisplayName   ObjectId
----               -----------   --------
flayosc@yandex.com Jacko Winters 558d8cbb-a5a2-4ea1-b950-0d0748ca5634

The original email address can’t be used to sign into Teams either. Eventually, after a couple of days, Teams synchronized with Entra ID and the updated account details became visible in Teams. However, the updated account could not sign into Teams.

Come Home to Teams

Working with the Entra ID development group, the problem was diagnosed as being due to the way Teams tries its best to bring a user to their home tenant. In the case of guest users, Teams uses the sign-in address to locate the tenant and heads off to the wrong place. When using an explicit redirect to the tenant identifier, like https://teams.microsoft.com/?tenantId=c662313f-14fc-43a2-9a7a-d2e27f4f3478, the user can connect.

Obviously, there’s some work for Teams to do to cope when administrators assign new email addresses to guest accounts, but at least the problem is known, and Microsoft will no doubt fix the issue soon.


All this work for a few lines in Chapter 13 of the Office 365 for IT Pros eBook. It just goes to prove how much work and effort the writing team puts in to keeping content accurate, refreshed, and updated. Subscribe now to receive monthly updates of goodness.

OneDrive Sync Client Has Meltdown During Azure AD Outage
https://office365itpros.com/2021/03/17/onedrive-sync-client-meltdown-during-azure-ad-outage/
Wed, 17 Mar 2021 00:18:00 +0000

Azure AD Authentication Failure Stops Users Working

By now, you’ve probably heard about the second large Azure AD authentication outage since September. The March 15 incident calmed down after a few hours, but while it was ongoing users were unable to connect to Microsoft 365 applications when authentication was necessary. It wasn’t a happy experience. Microsoft plans to set a new SLA of 99.99% availability for Azure AD authentication on April 1, 2021. Perhaps they were making a few tweaks to the Azure AD infrastructure to prepare the ground for the upgraded SLA when things went wrong.

The current 99.9% SLA applies to the Azure AD tier for Office 365, but a Microsoft comment posted to the announcement for the new SLA said that the 99.99% level will only apply to those with Azure AD Premium licenses. I guess we shall have to wait and see the details of the SLA when Microsoft publishes the text of the agreement on April 1.

Microsoft 365 applications continued working during the outage unless authentication was necessary. Because they’re built on the Microsoft Graph APIs, the Teams clients authenticate hourly, so they were heavily affected. Outlook desktop stayed online throughout, and users reported varying degrees of usability for other apps.

Working in Word

While the outage progressed, I worked on a Word document for my blog post. All my Word documents are either in SharePoint Online document libraries or OneDrive for Business, so the OneDrive sync client is kept busy. The sync client is responsible for the differential synchronization of files up to the new 250 GB limit. Office apps autosave to capture changes. Not only does autosave ensure that you should never lose much if an app or workstation crashes, it’s also the way changes get to other copies of Office documents open for co-authoring. And it’s why SharePoint Online keeps a minimum of 100 versions of documents. If you use the Office desktop apps heavily and store files online, the OneDrive sync client is busy.

OneDrive Sync Client Goes Nuts

Until, that is, the OneDrive sync client decides that it should remove all the local copies of files from a SharePoint folder. This was a rather bizarre side effect of the Azure AD outage. At least, although I can’t prove that the outage caused the OneDrive sync client to do something very strange, the problem happened at the same time.

I noticed the issue when File Explorer reported nothing in the local folder which holds the synchronized copies of SharePoint files. The folder usually holds hundreds of files (423 as I write), so something had clearly happened. I opened the OneDrive sync client (build 21.041.0228.0001) and discovered that the client had removed the local files an hour ago (Figure 1), meaning that the client decided to remove the files at around 21:45 UTC, during the period when Microsoft was rolling out remediation for the Azure AD outage.

Figure 1: The OneDrive sync client removes a bunch of files

The problem was easily fixed by going to SharePoint Online and choosing to synchronize the folder again (Figure 2).

Figure 2: Opting to synchronize a SharePoint Online folder

The OneDrive sync client started to download local copies immediately (Figure 3) and a full set of documents was soon on my local drive.

Figure 3: The OneDrive sync client downloads files from SharePoint Online

Curious and Problematic Synchronization

You can argue that all’s well that ends well, but no good reason exists for the OneDrive sync client to do what it did. Perhaps the Azure AD authentication problem caused the client to believe that it was no longer allowed to download files from the SharePoint site. If so, it would be better if the client issued a warning to say what’s about to happen and offered the user a chance to authenticate with their credentials rather than concluding that everything should be removed now.

Failure to authenticate is the logical root cause which led to the mass deletion of local files. Every document in the folder has a retention label to stop SharePoint removing documents (set as a default label for the library). The normal course of events is that you can remove a local copy of a file from File Explorer only for the OneDrive sync client to restore the file once it discovers the deletion block imposed by the retention label. Despite the presence of the retention labels, the OneDrive sync client removed all the local files. If my theory holds, the OneDrive sync client concluded that the user had no access to SharePoint Online, so it should remove the local copies as this wouldn’t impact the retained file in SharePoint.

What’s also curious is that just one folder was affected. The OneDrive sync client left everything else alone. My conclusion is that the folder was in active use because I had a Word document stored in that folder open at the time, and autosaved changes were flowing back to SharePoint Online. No need existed for the OneDrive sync client to go near my other folders (like those holding files for the Office 365 for IT Pros eBook), so it left them alone.

It’s not just me who has encountered odd synchronization issues leading to mass removal of files. Fellow MVPs Vasil Michev and Paul Robichaux have also had difficulties. It seems like Microsoft has some work to do to smoothen how the OneDrive sync client handles what could be transient authentication issues.

Maybe I shouldn’t have disabled the new OneDrive sync client file delete warning!

Update March 18: Microsoft has two advisories linked to the problem: SP244708 (SharePoint) and OD244709 (OneDrive). The symptoms experienced by people are different, but the root cause is the same.

How to Report Audit Events Generated for Sensitivity Labels
https://office365itpros.com/2021/02/16/sensitivity-labels-report-audit/
Tue, 16 Feb 2021 01:53:00 +0000

Understand How People Use Sensitivity Labels to Protect Office Documents

If you enable support for sensitivity labels in SharePoint Online and OneDrive for Business (and you should), most of the previous frustrations that organizations have experienced in dealing with protected content go away. Protected (encrypted) content can be indexed and found by eDiscovery, co-authoring is supported (with Office Online), and so on. And very importantly, Office 365 captures audit events when people apply, remove, or change sensitivity labels with Office documents.

Originally, only sensitivity label actions performed by the Office Online apps were captured. This is fine, but most user interactions with Office documents occur through the desktop apps. The gap in coverage is closing and the latest versions of the Microsoft 365 apps for enterprise (aka Office click to run) now create audit records when they apply or remove labels from documents. I’m using version 2012 – current channel preview (build 13350.20316) as the basis for this article, but I can see that audit records have been generated since mid-December.

Although the latter part of December is a period of low work activity, the number of events captured since compared against previous months confirms the view that desktop apps are used more heavily to generate documents, spreadsheets, and presentations. At least, in my tenant.

Separate Audit Events

Nice as it is to have the additional insight into the use of sensitivity labels, it’s regrettable that Microsoft did not use the same operation names when generating audit records for the desktop apps as they do for the online apps. The operation is the name of an auditable action.

It’s possible that the logic here is that the actions originate in two different sources and the different operations mean that administrators can conduct precise audit searches to find records for either the desktop or online apps – or both.

The new operations are:

  • SensitivityLabelApplied: A sensitivity label is applied to an Office document. This operation is also used when capturing a record for the application of a label to a SharePoint site. The two can be distinguished by the record type, which will be either SensitivityLabeledFileAction (for Office) or SharePoint. Events are recorded when users apply sensitivity labels to Outlook messages, but not for messages protected by OME. OWA and Outlook mobile clients don’t currently generate audit events when users label messages.
  • SensitivityLabeledFileOpened: An Office document with a sensitivity label is opened by a desktop app.
  • SensitivityLabelRemoved: A sensitivity label is removed from an Office document.
  • SensitivityLabeledFileRenamed: An Office document with a sensitivity label is renamed to become a new file. This event is also logged when a labelled file stored on a local device (not a copy synchronized by OneDrive) is edited.

As in many cases with Office 365 audit log records, the new events need to be parsed out before they’re useful. This is reasonably easy to do with PowerShell, albeit with the need to examine and interpret the payload content of each type of event.

Reporting Audit Events

Seeing is believing and it’s always easier to understand how things work when you have a practical example. I’ve written a script to grab all the events for sensitivity labels for the last three months and create a report. Each of the event types is unpacked and interpreted to make it clear what the event means. The output is a CSV file which can be analyzed in whatever way you wish. Or you can examine the output on-screen through the Out-GridView cmdlet (Figure 1).

Figure 1: Reviewing audit information for actions involving sensitivity labels

The script is available in GitHub. You’ll need to connect to the Exchange Online management module and the security and compliance endpoint to run the cmdlets in the script. The compliance endpoint is used to fetch the list of sensitivity labels defined in the organization and create a hash table of GUIDs/identifiers (the keys) and label names (values). Some audit events contain label names but it’s more typical to only find a label identifier recorded, so lookups against the hash table translate identifiers into label names.

As you can see from the output, in my tenant most audit records are recorded when an Office desktop app opens a protected file:

Job complete. 370 Sensitivity Label audit records found for the last 90 days

Labels applied to SharePoint sites:  51
Labels applied to new documents:     45
Labels updated on documents:         5
Labeled files renamed:               29
Labeled files opened (desktop):      200
Labels removed from documents:       40
Mismatches detected:                 0
----------------------

Report file written to C:\temp\SensitivityLabelsAuditRecords.csv

In this case, no mismatches are noted between the label applied to a site (container management) and those assigned to documents stored in the site. My users might just be learning how to label documents properly!
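The parsing approach described above, as an added PowerShell example (it is not the script from the GitHub repository): it maps each operation to a readable action, uses the record type to separate site labels from document labels, and resolves label GUIDs through a hash table. The AuditData property names (SensitivityLabelEventData, SensitivityLabelId, OldSensitivityLabelId, ObjectId), the function name, and every sample record are assumptions constructed for illustration.

```powershell
# Added example, not the author's script. Runs offline against constructed records.
# In a live tenant (after Connect-ExchangeOnline and Connect-IPPSSession) the inputs would be:
#   $LabelNames = @{}
#   Get-Label | ForEach-Object { $LabelNames[[string]$_.ImmutableId] = $_.DisplayName }
#   $Records = Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-90) -EndDate (Get-Date) `
#                -Operations $Operations -ResultSize 5000

# The four operations listed in the article
$Operations = 'SensitivityLabelApplied', 'SensitivityLabeledFileOpened',
              'SensitivityLabelRemoved', 'SensitivityLabeledFileRenamed'

function ConvertTo-LabelAuditReport {
    # Hypothetical helper: turns raw audit records into flat report rows
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [object[]]  $Records,
        [Parameter(Mandatory)] [hashtable] $LabelNames
    )
    foreach ($Record in $Records) {
        # The payload is a JSON string that must be unpacked per record
        $Data = $Record.AuditData | ConvertFrom-Json

        # SensitivityLabelApplied is shared by documents and sites;
        # only the record type tells the two apart
        $Action = switch ($Record.Operations) {
            'SensitivityLabelApplied' {
                if ($Record.RecordType -eq 'SharePoint') { 'Label applied to site' }
                else { 'Label applied to document' }
            }
            'SensitivityLabeledFileOpened'  { 'Labeled file opened (desktop)' }
            'SensitivityLabelRemoved'       { 'Label removed from document' }
            'SensitivityLabeledFileRenamed' { 'Labeled file renamed' }
            default                         { "Unhandled: $($Record.Operations)" }
        }

        # Assumed payload layout: current label first, previous label as fallback
        $LabelId = $Data.SensitivityLabelEventData.SensitivityLabelId
        if (-not $LabelId) { $LabelId = $Data.SensitivityLabelEventData.OldSensitivityLabelId }

        # Most events carry only the GUID, so translate it through the hash table
        $LabelName = if (-not $LabelId) { 'n/a' }
                     elseif ($LabelNames.ContainsKey($LabelId)) { $LabelNames[$LabelId] }
                     else { "Unknown ($LabelId)" }

        [pscustomobject]@{
            Time   = $Record.CreationDate
            User   = $Record.UserIds
            Action = $Action
            Label  = $LabelName
            Object = $Data.ObjectId
        }
    }
}

# Constructed label table (GUID -> name) and constructed audit records
$LabelNames = @{
    '11111111-1111-1111-1111-111111111111' = 'Confidential'
    '22222222-2222-2222-2222-222222222222' = 'Public'
}
$Records = @(
    [pscustomobject]@{
        CreationDate = [datetime]'2021-01-12T09:15:00'; UserIds = 'user1@example.com'
        Operations = 'SensitivityLabelApplied'; RecordType = 'SensitivityLabeledFileAction'
        AuditData = '{"ObjectId":"https://example.sharepoint.com/sites/a/Plan.docx","SensitivityLabelEventData":{"SensitivityLabelId":"11111111-1111-1111-1111-111111111111"}}'
    }
    [pscustomobject]@{
        CreationDate = [datetime]'2021-01-12T10:02:00'; UserIds = 'admin@example.com'
        Operations = 'SensitivityLabelApplied'; RecordType = 'SharePoint'
        AuditData = '{"ObjectId":"https://example.sharepoint.com/sites/a","SensitivityLabelEventData":{"SensitivityLabelId":"22222222-2222-2222-2222-222222222222"}}'
    }
    [pscustomobject]@{
        CreationDate = [datetime]'2021-01-13T14:40:00'; UserIds = 'user2@example.com'
        Operations = 'SensitivityLabelRemoved'; RecordType = 'SensitivityLabeledFileAction'
        AuditData = '{"ObjectId":"https://example.sharepoint.com/sites/a/Budget.xlsx","SensitivityLabelEventData":{"OldSensitivityLabelId":"11111111-1111-1111-1111-111111111111"}}'
    }
)

$Report = ConvertTo-LabelAuditReport -Records $Records -LabelNames $LabelNames
$Report | Format-Table Time, User, Action, Label -AutoSize
$Report | Group-Object Action | Select-Object Name, Count
```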


We write tons of PowerShell scripts to check out how Office 365 really works and understand where any fault lines might be. Our GitHub repository is available to all. Even better, we explain how to use our scripts and other PowerShell commands to manage Office 365 in the Office 365 for IT Pros eBook.

How Edge Sleeping Tabs Affect SharePoint Online and Other Pages
https://office365itpros.com/2021/02/12/edge-sleeping-tabs-affect-sharepoint/
Fri, 12 Feb 2021 01:02:00 +0000

Google Chrome might still be the favorite browser in terms of usage, but there’s no doubt that Microsoft Edge is slowly gaining a following, especially since the decision to embrace Chromium. The latest data gives Chrome a massive 63.63% versus 3.24% lead, but I guess hope springs eternal within Microsoft that Edge will make more of an impact over time. I stopped using Chrome some time ago and use Brave or Edge instead.

In any case, after a series of experiments, Microsoft announced the beta for sleeping tabs in the Edge browser in December. Everything seemed to go well and Microsoft enabled the feature in version 88 and later of the stable channel (Edge production). On the surface, the idea is excellent. Microsoft points to an average reduction in memory usage of 32% and an increase in battery life as benefits of the approach. Sleeping tabs are greyed out until you select them (Figure 1) after which they reawaken.

Figure 1: Edge sleeping tabs

More Authentication Cycles for SharePoint Online Sites

If, like me, you keep tabs open for SharePoint Online sites and other Microsoft 365 apps, sleeping tabs might become an annoyance. I typically have tabs open for three SharePoint Online sites plus Planner, the Microsoft 365 admin center, perhaps another admin center, and OWA. Since the introduction of sleeping tabs, I have been forced to reauthenticate access to sites more often than before. The process is something like this:

  • Access sleeping tab.
  • SharePoint looks for credentials.
  • User enters credentials.
  • SharePoint displays home site – not the site which was originally open.

The behavior seems to arise because the access token used for SharePoint Online is no longer valid. When a tab is “awake,” it can use a refresh token to acquire a new access token when the current access token expires. When a tab is asleep, its tokens might expire without having a chance to go through the renewal process. When that happens and the tab awakes, its access is invalid and reauthentication is necessary. Unfortunately, after securing new tokens through reauthentication, SharePoint Online returns the user to the home site instead of the site they had open. It’s very frustrating.

Other Microsoft 365 Sites Behave Differently

By comparison to SharePoint Online, Yammer protests about the lack of a token (Figure 2) but goes back to the same place once reauthentication happens. This only happens with Yammer’s new UI. It does not happen with the old UI.

Figure 2: Yammer protests about an authentication cookie

OWA sleeps peacefully. When its tab awakes, a slight delay ensues while OWA figures out if new messages need to be fetched. To-Do doesn’t protest when awoken and Planner is content to return to its home page.

The Solution: Change Edge Settings

By default, tabs go asleep after two hours. The available options range from 5 minutes to 12 hours. Fortunately, the solution is simple. Through the system section of Edge settings (edge://settings/system), Edge allows you to create a list of sites that you do not want to sleep. In Figure 3, you can see that I’ve entered details of the sites I want to stay awake, including any SharePoint Online site in my tenant.

Figure 3: Updating Edge settings so that some tabs don’t sleep

The fix works and the sites on my list have returned to a normal authentication cycle. All is well with the world and I can get back to work.


The Office 365 for IT Pros eBook doesn’t cover this kind of thing, maybe because Edge has such a low usage percentage. But some might find this interesting, so we publish here.

Teams Drives SharePoint Online Growth to 200 Million Active Users
https://office365itpros.com/2020/12/10/sharepoint-online-grows-200-million-active-users/
Thu, 10 Dec 2020 01:34:00 +0000

Teams Now the Major Influence on SharePoint Growth

Three years ago, I wrote an article about how Office 365 Groups saved SharePoint. A lot has changed since, not least because Microsoft has just announced that SharePoint Online has 200 million monthly active users. But the biggest transformation is that it turned out that Teams is the real strength behind SharePoint.

Office 365 Groups (now Microsoft 365 Groups) set the standard of provisioning a SharePoint Online team site for every group. Although Outlook groups are still popular within the email community, the role of Groups is now focused on membership services and Teams has taken center stage for Microsoft 365 collaboration. Teams uses Groups for its membership management and provisions a SharePoint Online team site too. Private Teams channels get their own SharePoint team site to ensure that file access is restricted to the members of the private channel.

Teams and the Files Channel Tab

The difference between Groups and Teams is that Teams is designed to make heavier use of SharePoint. Out of the box, Teams includes the Files channel tab in every channel to support file sharing between users. Each channel in a team has its own folder in the document library of the SharePoint site, and another folder is dedicated to storing email posted to channels. The Files channel tab was originally much simpler than the standard SharePoint browser interface, but the gap is much closer now and Microsoft has sorted out issues like respecting custom views.

The Microsoft Lists application is integrated into Teams and we’re at the beginning of the transition to storing Teams meeting recordings in SharePoint Online and OneDrive for Business. Driven by the OneDrive team, sharing has become consistent and predictable across Microsoft 365. Users have bought into the idea of sharing links and cloud attachments, driving SharePoint usage even more, including in Teams channels and personal chats.

Correlating Teams Growth and SharePoint Growth

Teams is on a roll. Its 115 million daily active users represent roughly half the active Office 365 accounts. Driven by the demand for better functionality to support online working due to the Covid-19 pandemic, as Teams added people attracted by its strong online meeting features, SharePoint usage increased in step. Put simply, as Teams usage grows, SharePoint usage grows.

The theory is easily proved by examining user activity statistics. A strong correlation exists between people who are active in Teams and those active in SharePoint. Run the user activity script to extract and report usage data from the Microsoft Graph and you’ll see few examples of people active in Teams who aren’t active in SharePoint or OneDrive for Business.

Microsoft’s own data tells the same tale. At the Ignite 2019 conference, Microsoft said that SharePoint Online had 100 million active users. The growth in about 13 months is 100 million users. In November 2019, Microsoft said that Teams had 20 million daily active users. The latest figure is 115 million, a growth of 95 million over the same 13 months. A certain symmetry exists between the growth of the two workloads, even if we’re not quite comparing the same data (monthly active users versus daily active users).

More Growth to Come

85 million SharePoint Online users have yet to embrace Teams and more will move from the declining number still using SharePoint on-premises. The net is that Teams will help SharePoint Online power ahead while SharePoint will provide a rich source of user growth for Teams, if only because people often find Teams a more approachable UI than the standard SharePoint browser interface (which only its creators could love). Either way, the two workloads will progress together, which is good news for the folks working in Microsoft’s ODSP (OneDrive and SharePoint Platform) organization.


Keep abreast of news about Office 365 applications like Teams and SharePoint Online by subscribing to the Office 365 for IT Pros eBook. The monthly updates ensure you don’t miss important developments.

Sensitivity Labels Control External Sharing for SharePoint Online Sites
https://office365itpros.com/2020/12/09/sensitivity-labels-control-external-sharing-sharepoint-online-sites/
Wed, 09 Dec 2020 01:12:00 +0000

New Label UI Rolling Out

Update: This capability is now Generally Available. See this post for more information.

Previewed earlier this year, Microsoft has extended the container management settings for sensitivity labels to include control over the external sharing setting for SharePoint Online team sites connected to Microsoft 365 Groups. As per Microsoft 365 roadmap item 68700, the updated user interface to allow tenants to choose the external sharing setting is now rolling out to the Microsoft 365 compliance center.

By default, sensitivity labels do not control external sharing, so if you intend using labels for this purpose, you need to edit the labels used for container management to choose the appropriate setting. To limit the choice available to users and to make label management simpler, my advice is to maintain separate sets of labels: one set for information protection and marking and the other for container management.

Options for External Sharing

SharePoint Online supports organization-level and site-level settings for external sharing. Site-level settings are often used to set a more restrictive level of sharing for sites containing important or confidential information.

The control available in sensitivity labels is over the site-level setting for external sharing. When you assign a sensitivity label to a site (Figure 1), SharePoint Online applies the container management settings to the site, including the external sharing setting.

Figure 1: Selecting a sensitivity label to apply to a SharePoint Online team site

As shown in Figure 2, the control in a sensitivity label offers the same four external sharing options as can be applied through the SharePoint admin center (see below) or PowerShell (the relevant value used with the Set-SPOSite cmdlet is in parentheses):

  • Anyone (ExternalUserAndGuestSharing): Sharing is allowed with all external users, and documents can be shared using anonymous access links (Anyone links).
  • New and existing guests (ExternalUserSharingOnly): Sharing is allowed with new external users, who must accept a sharing invitation and go through an authentication process to create a guest account.
  • Existing guests (ExistingExternalUserSharingOnly): Sharing is only allowed with the guest users already in an organization’s directory.
  • Only people in your organization (Disabled): No sharing with external users is allowed.
Figure 2: Selecting the external sharing settings for a sensitivity label

When defined, the external sharing setting is stored in the externalsharingcontroltype value in the label. After connecting a PowerShell session to the compliance center endpoint, we can examine this setting:

$Settings = Get-Label "Confidential Access" | Select -ExpandProperty LabelActions | ConvertFrom-Json
$Settings | ?{$_.Type -eq "protectsite"} | Select -ExpandProperty Settings

Key                        Value
---                        -----
allowfullaccess            false
allowlimitedaccess         false
blockaccess                true
disabled                   false
externalsharingcontroltype Disabled

Label Settings and Tenant Settings

As noted above, the settings available in a sensitivity label match those available for SharePoint Online. Figure 3 shows the values as set in the SharePoint admin center. Remember that the external sharing setting applied to a site cannot be less restrictive than that allowed by the tenant. For instance, if the tenant doesn’t allow Anyone links, you can’t set that external sharing level for a site.

Figure 3: Setting tenant-wide external sharing limits in the SharePoint admin center

The compliance center GUI doesn’t validate the external sharing capability selected for a label against what’s allowed by the tenant. If a less restrictive external sharing capability is set in a label, SharePoint Online will ignore the setting when it applies container management settings to the site.
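Because the compliance center performs no validation, a check like the following can flag labels whose external sharing value exceeds the tenant limit. This is an added PowerShell example, not code from the original article; the function names are hypothetical and the sample label data is constructed, with the LabelActions JSON shape inferred from the output shown earlier.

```powershell
# Added example. Runs offline against constructed data.
# In a live tenant the inputs would come from:
#   $Labels = Get-Label                                # after Connect-IPPSSession
#   $TenantLimit = (Get-SPOTenant).SharingCapability   # after Connect-SPOService

# The four external sharing values, ranked from most to least restrictive
$SharingRank = @{
    'Disabled'                        = 0
    'ExistingExternalUserSharingOnly' = 1
    'ExternalUserSharingOnly'         = 2
    'ExternalUserAndGuestSharing'     = 3
}

function Get-LabelSharingSetting {
    # Returns the externalsharingcontroltype value of a label, or $null if unset
    param([string[]] $LabelActions)
    # Each element of LabelActions is its own JSON document, so parse one at a time
    $Actions = $LabelActions | ForEach-Object { $_ | ConvertFrom-Json }
    $Site = $Actions | Where-Object { $_.Type -eq 'protectsite' }
    ($Site.Settings | Where-Object { $_.Key -eq 'externalsharingcontroltype' }).Value
}

function Test-LabelSharingAgainstTenant {
    param(
        [Parameter(Mandatory)] [object[]] $Labels,
        [Parameter(Mandatory)]
        [ValidateSet('Disabled', 'ExistingExternalUserSharingOnly',
                     'ExternalUserSharingOnly', 'ExternalUserAndGuestSharing')]
        [string] $TenantSharingCapability
    )
    foreach ($Label in $Labels) {
        $Setting = Get-LabelSharingSetting -LabelActions $Label.LabelActions
        $Status = if (-not $Setting) {
            'Label does not control external sharing'
        } elseif (-not $SharingRank.ContainsKey($Setting)) {
            'Unrecognized value'
        } elseif ($SharingRank[$Setting] -gt $SharingRank[$TenantSharingCapability]) {
            # Per the article, SharePoint Online ignores a less restrictive label setting
            'Less restrictive than tenant: setting will be ignored'
        } else {
            'Within tenant limit'
        }
        [pscustomobject]@{
            Label        = $Label.DisplayName
            LabelSetting = $Setting
            TenantLimit  = $TenantSharingCapability
            Status       = $Status
        }
    }
}

# Constructed sample labels (names and JSON are illustrative only)
$Labels = @(
    [pscustomobject]@{
        DisplayName  = 'Confidential Access'
        LabelActions = @('{"Type":"protectsite","Settings":[{"Key":"blockaccess","Value":"true"},{"Key":"externalsharingcontroltype","Value":"Disabled"}]}')
    }
    [pscustomobject]@{
        DisplayName  = 'General Access'
        LabelActions = @('{"Type":"protectsite","Settings":[{"Key":"externalsharingcontroltype","Value":"ExternalUserAndGuestSharing"}]}')
    }
    [pscustomobject]@{
        DisplayName  = 'Marking Only'
        LabelActions = @('{"Type":"applycontentmarking","Settings":[{"Key":"text","Value":"Internal"}]}')
    }
)

# Constructed tenant limit: new and existing guests, no Anyone links
Test-LabelSharingAgainstTenant -Labels $Labels -TenantSharingCapability 'ExternalUserSharingOnly' |
    Format-Table -AutoSize
```

With the sample data, "General Access" is flagged because it requests Anyone links while the tenant stops at new and existing guests.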

The Effect of Caching

SharePoint Online caches sensitivity label data. For this reason, if you update an existing label to add a setting for external sharing, it won’t be available to be applied to sites for 24 hours. On the other hand, if you create a new label with a setting for external sharing, it will be available within 15 minutes.


The Office 365 for IT Pros eBook is the only book covering the technology, deployment, and management of Office 365 apps which is updated monthly. Don’t you think you need to understand what’s going on inside Microsoft’s cloud office service? Subscribe today!

How to Find SharePoint Files with a Sensitivity Label
https://office365itpros.com/2020/06/30/sensitivity-label-sharepoint-search/
Tue, 30 Jun 2020 08:45:15 +0000

Managed Properties Allow Users to Search for a Sensitivity Label SharePoint Online

Sensitivity labels are on a roll at present with new developments coming along at a fast rate. A small, but important, recent update is to the SharePoint Online schema to allow users to find files stored in SharePoint Online and OneDrive for Business that are assigned a specific sensitivity label.

Sensitivity labels are often used to protect documents containing confidential or sensitive information. InformationProtectionLabelId (Figure 1) is a managed property in the SharePoint schema that stores the GUID (identifier) for the sensitivity labels assigned to documents.

Figure 1: The InformationProtectionLabelId managed property in the SharePoint Online schema

Search SharePoint Online for Documents Assigned Specific Sensitivity Labels

The presence of the managed property in the search schema means that you can search for documents stored in SharePoint Online and OneDrive for Business using the label identifier (GUID) of the sensitivity label assigned to documents. Figure 2 shows the result of a search using InformationProtectionLabelId:2fe7f66d-096a-469e-835f-595532b63560. Microsoft Search trims the search results to make sure that the user only sees documents they can access.

Figure 2: Using the InformationProtectionLabelId property to search SharePoint for sensitivity labels

Although it’s absolutely the case that not everyone will know the GUID for a label (in this case, it’s the Public sensitivity label), I believe Microsoft is working on the ability to search by label name. For now, this facility is probably only useful to the curious who want to see what documents a label is applied to, or compliance administrators in Microsoft 365 tenants that don’t have the necessary licenses to use the data classification content explorer in the Microsoft Purview compliance center.

Search SharePoint Online for Container Labels

Sensitivity labels can be applied to “containers”: Microsoft 365 Groups, Teams, and SharePoint Online sites. In this case, the labels don’t protect the data stored in the containers but are used for classification (visual marking) and to control the access type and guest access for the container. For example, applying the “Confidential” label to a container might change its access type to Private and restrict guest access.

You can also search SharePoint Online for labels assigned to sites. The trick here is to create a new managed property in the schema (I called it SiteSensitivityLabelId) that’s mapped to the crawled property ows_IpLabelId (Figure 3). The new property needs to be searchable, queryable, and retrievable.

Figure 3: Adding a new managed property to find labeled sites

After updating the schema, the search index will pick up the new property the next time the sites are processed by the crawler. To make sure this happens quickly, you can force SharePoint to reindex the site (under Search and Offline Availability in Site Settings). When reindexing completes, the site will turn up in search results (Figure 4).

Figure 4: Searching for SharePoint Online sites managed with a sensitivity label

Again, this isn’t something that the average SharePoint Online user will probably do, but you never know when the feature might be useful to administrators who don’t want to use PowerShell to search for sites assigned a specific label.


The detail makes all the difference in many spheres of operations, and understanding detail like this is what the Office 365 for IT Pros eBook is all about. Subscribe today!

Dealing with Document Sensitivity Label Mismatches in SharePoint Online
https://office365itpros.com/2020/05/20/sensitivity-label-mismatches/
Published: Wed, 20 May 2020 09:04:54 +0000

Sensitivity Label Support for SharePoint Online and OneDrive for Business

Updated August 15, 2022

Every Microsoft Purview sensitivity label has a priority order to indicate its level of sensitivity. A sensitivity label mismatch occurs when users upload Office documents or PDFs with sensitivity labels to SharePoint Online sites that have lower priority labels. Mismatches also occur when users update Office documents or PDFs stored in SharePoint Online and change the sensitivity label assigned to the files with one that has a higher priority than the label assigned to the site.

Microsoft recently made support for sensitivity labels in SharePoint Online and OneDrive for Business generally available. This is an important step forward because it allows SharePoint to index content protected by encryption applied by sensitivity labels. The indexed content then becomes available to Data Loss Prevention policies, content searches, and so on.

The integration of sensitivity labels with SharePoint Online is optional and must be enabled for a tenant on an opt-in basis. Afterwards, users can apply, remove, or change sensitivity labels for documents using the SharePoint Online and OneDrive for Business browser interface or through the Office Online apps. Sensitivity labels can be applied by users or by assigning default labels in label publishing policies or as a default sensitivity label assigned to a document library.

Audit Events Captured

Events for these actions are captured by SharePoint Online and ingested along with other SharePoint events into the Office 365 audit log. These events are:

  • SensitivityLabelApplied: A label is applied to a SharePoint site.
  • FileSensitivityLabelApplied: An Office Online app applies a label to an Office document.
  • FileSensitivityLabelChanged: An Office Online app changed a label (upgrade or downgrade).
  • FileSensitivityLabelRemoved: An Office Online app removed a label from a file.
  • DocumentSensitivityMismatchDetected: A mismatch is detected because the sensitivity label applied to a document is higher than the level of sensitivity applied to the site where the document is stored. For instance, the site is labeled “Confidential” and a user uploads a document assigned the “Super Confidential” label to the site.

Currently, no events are captured when users apply sensitivity labels through other interfaces like Outlook or OWA.

Sensitivity Label Mismatch Email Notifications

When a mismatch occurs, SharePoint Online captures an audit record and sends an “Incompatible sensitivity label detected” email notification to the person who uploaded the document. The notification contains details of the document which caused the problem and the label assigned to the document and to the site (Figure 1). It’s up to the person who receives the notification to resolve the issue. Given that they uploaded the document, they should know its true sensitivity. If necessary, they can change the sensitivity label assigned to the document and upload it again.

Figure 1: SharePoint Online detects a sensitivity label mismatch

Handling Confidential Material

Even if it leads to a sensitivity label mismatch, it’s entirely possible that it’s OK to store a highly sensitive document in a site labelled with a lower level of sensitivity. Labels created to protect highly sensitive content usually restrict rights to interact with documents to a limited set of users. It might be desirable to not allow some people with access to the site (like guest accounts) to access a document assigned with a highly sensitive label. However, this should be an exception. It’s good practice to only store documents in sites that are accessible to all members of the site unless good reasons exist to restrict access to some documents to a subset of site members. In these situations, it’s best to store the sensitive material in another site with restricted membership such as a site belonging to a private Teams channel.


Mastering the detail of what happens inside Office 365 is important for tenant administrators. Shouldn’t you subscribe to the Office 365 for IT Pros eBook?

How to Report Per-User SharePoint Online Activity
https://office365itpros.com/2020/05/13/generate-per-user-audit-reports-sharepoint-online-activity/
Published: Wed, 13 May 2020 08:36:18 +0000

What Did Users Do with SharePoint Documents?

A question popped up in an online group: How can I create a report for each user detailing the interaction with documents stored in SharePoint Online libraries? The answer seems straightforward: search the Office 365 audit log for SharePoint document operations and create a report from the events found, outputting it in CSV or HTML format. Chapter 21 of the Office 365 for IT Pros eBook includes many examples of how to extract information from the audit log that could be used as the basis for a solution. The post covering how to answer the question of who updated a document is also helpful.

Often the reports generated from the audit log cover actions taken by multiple users. In this case, the request is to generate a report on a per-user basis. Possibly the desire is to email the report to the user, or maybe the feeling is that it is easier to review access to sites and documents on a personal level.

Generating a List of Users

The first thing to resolve is what’s intended by “user”? We need to know this to generate the reports. A user could mean:

  • Someone with an account in a tenant.
  • Both tenant and guest users.
  • Just guest users.

From a PowerShell perspective, you can generate a list of mailbox owners with Get-ExoMailbox (people with mailboxes are likely to have SharePoint Online licenses).

$Users = Get-ExoMailbox -RecipientTypeDetails UserMailbox -ResultSize Unlimited | Select UserPrincipalName,DisplayName

Alternatively, if you want to include guest accounts, you can create a list with Get-AzureADUser and include accounts of type Member (tenant account) and Guest.

$Users = Get-AzureADUser -All $True -Filter ("UserType eq 'Guest' or UserType eq 'Member'") | Select UserPrincipalName, DisplayName

You could filter the list further by removing tenant accounts who aren’t licensed for SharePoint Online. This is easy to do, but it’s probably not necessary because the report is generated from audit events that won’t exist unless an account is licensed.

Searching the Office 365 Audit Log

We’re going to search the Office 365 audit log for events generated by all users. The other search parameters needed are:

The events to look for: Depending on the applications used in a tenant, the audit log could include up to 1,500 different events. In this case, we want to know about events which manipulate documents stored in SharePoint or OneDrive for Business. Five events should suffice:

  • FileAccessed. A user opens a file but does not modify the content.
  • FileDownloaded. A user downloads a file to their workstation.
  • FileModified. A user updates the content of a file.
  • FileDeleted. A user deletes a file.
  • FileUploaded. A user uploads (creates) a new file.

Although you can input the events directly into the search command, it’s easier to declare the set of events in an array:

$Operations = @('FileAccessed', 'FileDownloaded', 'FileModified', 'FileDeleted', 'FileUploaded')

The start and end date for the search. SharePoint Online is a verbose application when it comes to the generation of audit log records. To make processing easier, restrict the date range as much as possible. You can go back 90 days for Office 365 E3 accounts and 365 days for Office 365 E5 accounts.

Handling Large Quantities of Audit Records

In large tenants, consider splitting the processing up over several batches as otherwise the script will likely take a long time to complete. The easiest way to do this is to amend the script to create a filtered set of users and use the filtered list as input to the audit log search. This example uses the Get-ExoMailbox cmdlet with a filter applied to the CustomAttribute1 property to find a set of users:

$Users = Get-ExoMailbox -Filter {CustomAttribute1 -eq "Sales"} | Select -ExpandProperty UserPrincipalName 
Search-UnifiedAuditLog -Operations $Operations -UserIds $Users -StartDate $StartDate -EndDate $EndDate -ResultSize 5000

The Search-UnifiedAuditLog cmdlet is restricted to returning a maximum of 5,000 audit records at one time. More records might exist, and in this case, you must run the cmdlet until all available data is retrieved. Search-UnifiedAuditLog supports the retrieval of large amounts of data (up to 50,000 records) by allowing you to declare a session identifier (a value to link calls together) together with the ReturnLargeSet parameter. The data is unsorted when fetched, so it must be sorted for reporting purposes. If more than 50,000 audit records are available, you’ll have to divide processing up across multiple runs.
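
The paged retrieval described above, as an added example that is not taken from the author's script. It assumes a connected Exchange Online session; the seven-day window, the variable names, and the session identifier format are constructed for illustration.

```powershell
# Added example, not the author's script. Assumes Connect-ExchangeOnline has already run.
$Operations = @('FileAccessed', 'FileDownloaded', 'FileModified', 'FileDeleted', 'FileUploaded')
$StartDate  = (Get-Date).AddDays(-7)   # constructed window; keep it as narrow as possible
$EndDate    = (Get-Date).AddDays(1)
$SessionId  = 'SPOFileAudit-' + (Get-Date -Format 'yyyyMMddHHmmss')   # arbitrary value that links the calls
$MaxRecords = 50000                    # ceiling for one large-set session, per the text above

$Records = [System.Collections.Generic.List[Object]]::new()
Do {
    # Every call made with the same SessionId returns the next page of up to 5,000 records
    [array]$Page = Search-UnifiedAuditLog -StartDate $StartDate -EndDate $EndDate `
        -Operations $Operations -SessionId $SessionId -SessionCommand ReturnLargeSet -ResultSize 5000
    If ($Page) {
        $Records.AddRange($Page)
        Write-Host ("Fetched {0} records so far" -f $Records.Count)
    }
} While ($Page -and $Records.Count -lt $MaxRecords)

If ($Records.Count -ge $MaxRecords) {
    Write-Warning "Reached $MaxRecords records; more may exist. Split the date range or user list and run again."
}

# Pages arrive unsorted, so remove any duplicates by record identity and then sort by date
[array]$Records = $Records | Sort-Object Identity -Unique | Sort-Object { $_.CreationDate -as [datetime] }
Write-Host ("{0} unique audit records ready for processing" -f $Records.Count)
```

To process one batch of users at a time, add the -UserIds parameter to the search call, as in the filtered example earlier in this section.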

Processing Audit Data

It’s possible to take the raw data from audit records and output the records to a CSV file. However, I like to process Office 365 audit records to make more sense of what they contain. In this case, the script does the following:

  • Format the timestamp so that it’s something like 4-May-2020 18:56.
  • Drop a bunch of unneeded audit records generated by SharePoint Online for access to different graphic elements used by pages, records for background processing (app@sharepoint), and records with blank user agent information.
  • Extract a human-friendly client identifier from the UserAgent property. For example, take a string like “Microsoft Office Word/16.0.12730.20144 (Windows/10.0; Desktop WOW64; en-IE; Desktop app; Microsoft Corporation/Surface Book 2)” and make it “Microsoft Word (desktop)” or “Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4121.0 Safari/537.36 Edg/84.0.495.2” and make it “Microsoft Edge” (yes, there is a misspelling in the information written into the audit log). The version information is also extracted.
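
One way to implement the three processing steps above, as an added example rather than the author's script. The Get-FriendlyClient and New-SampleRecord functions, the regex patterns, the list of image extensions, and the sample records are all constructed for illustration, so the block runs without a tenant connection.

```powershell
# Added example, not the author's script. Get-FriendlyClient and its patterns are hypothetical.
function Get-FriendlyClient {
    param([string]$UserAgent)
    # Test the most specific token first: an Edge user agent also contains "Chrome" and "Safari"
    switch -Regex ($UserAgent) {
        '^Microsoft Office (?<app>Word|Excel|PowerPoint)/(?<ver>[\d.]+)' {
            return [PSCustomObject]@{ Client = "Microsoft $($Matches.app) (desktop)"; Version = $Matches.ver } }
        'Edge?/(?<ver>[\d.]+)' {
            return [PSCustomObject]@{ Client = 'Microsoft Edge'; Version = $Matches.ver } }
        'Chrome/(?<ver>[\d.]+)' {
            return [PSCustomObject]@{ Client = 'Chrome'; Version = $Matches.ver } }
        'Firefox/(?<ver>[\d.]+)' {
            return [PSCustomObject]@{ Client = 'Firefox'; Version = $Matches.ver } }
        default {
            return [PSCustomObject]@{ Client = 'Other'; Version = '' } }
    }
}

# Constructed sample records shaped like Search-UnifiedAuditLog output (AuditData is a JSON string)
function New-SampleRecord {
    param([string]$When, [hashtable]$Data)
    [PSCustomObject]@{ CreationDate = [datetime]$When; AuditData = ($Data | ConvertTo-Json -Compress) }
}
$WordUA = 'Microsoft Office Word/16.0.12730.20144 (Windows/10.0; Desktop WOW64; en-IE; Desktop app; Microsoft Corporation/Surface Book 2)'
$EdgeUA = 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4121.0 Safari/537.36 Edg/84.0.495.2'
$Site   = 'https://contoso.example/sites/sales/'
$Records = @(
    New-SampleRecord '2020-05-04T18:56:00' @{ UserId = 'kim.akers@contoso.example'; Operation = 'FileModified'; SiteUrl = $Site; SourceFileName = 'Plan.docx'; UserAgent = $WordUA }
    New-SampleRecord '2020-05-04T19:02:00' @{ UserId = 'jane.maloney@contoso.example'; Operation = 'FileAccessed'; SiteUrl = $Site; SourceFileName = 'Plan.docx'; UserAgent = $EdgeUA }
    New-SampleRecord '2020-05-04T19:03:00' @{ UserId = 'app@sharepoint'; Operation = 'FileAccessed'; SiteUrl = $Site; SourceFileName = 'Plan.docx'; UserAgent = $EdgeUA }
    New-SampleRecord '2020-05-04T19:04:00' @{ UserId = 'jane.maloney@contoso.example'; Operation = 'FileAccessed'; SiteUrl = $Site; SourceFileName = 'logo.png'; UserAgent = $EdgeUA }
    New-SampleRecord '2020-05-04T19:05:00' @{ UserId = 'kim.akers@contoso.example'; Operation = 'FileDownloaded'; SiteUrl = $Site; SourceFileName = 'Budget.xlsx'; UserAgent = '' }
)

$ImageTypes = '.png', '.jpg', '.jpeg', '.gif', '.svg', '.ico'   # assumption: what counts as a graphic element
$Report = [System.Collections.Generic.List[Object]]::new()
ForEach ($Rec in $Records) {
    $AuditData = $Rec.AuditData | ConvertFrom-Json
    $Extension = [System.IO.Path]::GetExtension([string]$AuditData.SourceFileName)
    # Drop background processing, blank user agents, and page graphics
    If ($AuditData.UserId -eq 'app@sharepoint') { Continue }
    If ([string]::IsNullOrWhiteSpace($AuditData.UserAgent)) { Continue }
    If ($Extension -in $ImageTypes) { Continue }
    $Client = Get-FriendlyClient -UserAgent $AuditData.UserAgent
    $Report.Add([PSCustomObject]@{
        TimeStamp = Get-Date $Rec.CreationDate -Format 'd-MMM-yyyy HH:mm'
        UPN       = $AuditData.UserId
        Operation = $AuditData.Operation
        Site      = $AuditData.SiteUrl
        File      = $AuditData.SourceFileName
        Client    = $Client.Client
        Version   = $Client.Version })
}
# Only the Word and Edge records for Plan.docx survive the filters
$Report | Format-Table TimeStamp, UPN, Operation, File, Client, Version
```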

The processed audit records go into a PowerShell list object. This is much more efficient than adding records to an array. And we can do some rudimentary processing to generate some insight into what’s happening. For example, what kind of file operations are performed:

$Report | Group Operation | Format-Table Name, Count   

Name           Count
----           -----
FileAccessed    3594
FileUploaded     341
FileModified    3186
FileDownloaded    86
FileDeleted      327

Or the people who are creating documents:

$Report | Group UPN | Sort Count -Descending | Format-Table Name, Count                     

Name                                                                           Count
----                                                                           -----
tony.redmond@office365itpros.com                                                5669
michael.van.horenbeeck_thecollective.eu#ext#@office365itpros.onmicrosoft.com     690
jcgonzalez_itechcs.onmicrosoft.com#ext#@office365itpros.onmicrosoft.com          374

Generating the Per-User Reports

To create a report for each active user, we can loop through the set of users we created beforehand and extract the records for the selected user and write them out to a CSV file:

# $Users holds objects with UserPrincipalName and DisplayName properties (see Generating a List of Users)
ForEach ($U in $Users) {
    $UserRecords = $Report | ? {$_.UPN -eq $U.UserPrincipalName}
    If ($UserRecords) {
       $UserReports++
       Write-Host "Writing out data for" $U.DisplayName
       $FileName = "c:\Temp\AuditHistory" + $U.UserPrincipalName + ".csv"
       $UserRecords | Export-CSV -NoTypeInformation $FileName }
}

Figure 1 shows what the contents of a CSV file look like:

Figure 1: Example of a per-user report of SharePoint activity

The per-user CSV files are created in the c:\temp\ directory (Figure 2), so it would be easy to find them and email them to the users… But that’s another day’s work.

Figure 2: Audit reports are available for access

In the meantime, the complete script containing everything described above is available for download from GitHub. Happy PowerShell!

Upgrades Available for Exchange and SharePoint PowerShell Modules
https://office365itpros.com/2020/05/09/upgrades-available-exchange-sharepoint-powershell-modules/
Published: Sat, 09 May 2020 17:10:38 +0000

Important to Apply Updates for PowerShell Modules

Some important changes are available in recent refreshes for the Exchange Online and SharePoint Online PowerShell modules. In general, it’s good practice to download and use the latest available module to take advantage of bug fixes and new functionality. The problem is knowing when these updates are available as few of us have the time to check.

The latest versions of these modules are:

  • Exchange Online PowerShell V2: 0.4578.0.
  • SharePoint Online: 16.0.19927.0.

Exchange Online PowerShell V2 is the module containing the new REST-based cmdlets (like Get-ExoMailbox). The module also includes access to the older Remote PowerShell cmdlets (like Get-Mailbox). You should be using this module whenever possible, especially when needing to deal with large sets of mailboxes or mailbox-associated objects.

Over time, as Microsoft removes the ability to connect to PowerShell with basic authentication (along with ActiveSync, IMAP4, POP3, and SMTP), the V2 module will become the only way to access Exchange Online with PowerShell.

Updates in Exchange Online PowerShell

Notable updates in the current Exchange Online PowerShell V2 module are:

  • Support to allow tenants to enable and disable Cortana Daily briefing emails (the Get-UserBriefingConfig and Set-UserBriefingConfig cmdlets). This feature is in preview.
  • A new Disconnect-ExchangeOnline cmdlet to break the link between Exchange Online and PowerShell. This cmdlet removes the access token from the workstation’s cache and is intended for use in situations where a long-running session connects and disconnects from Exchange Online periodically.

The Connect-IPPSSession Cmdlet and the Compliance Center Cmdlets

Version 0.4368.1 introduced the Connect-IPPSSession cmdlet as a way to connect to the Compliance Center endpoint. There’s no logic behind the name, which some speculate means Information Protection PowerShell (IPPS). The cmdlet has been around for a while and now joins the Exchange Online management module.

For the moment, I don’t recommend that you use the Connect-IPPSSession cmdlet. Although it does load the Compliance Center cmdlets into a session, it does so by removing any previous session connected to Exchange Online, which means that you end up in a situation where you can’t use the two sets of cmdlets in the same session. This problem has been around since 2017 and Microsoft didn’t fix it when the cmdlet transitioned to the Exchange Online management module.

The older approach supports the use of both sets of cmdlets, even if cmdlets with the same names exist in the two sets, by using the AllowClobber parameter when importing the cmdlets with Import-PSSession. A great example of how this is done is in Michel de Rooij’s mega-script to connect to Office 365 services with PowerShell. You can also use a prefix to identify the cmdlets from the different sets.

Issues Installing Update for SharePoint Online PowerShell

Version 16.0.19927.0 of the SharePoint Online PowerShell module supports some new functionality with Conditional Access policies. Normally, updating this module is a matter of downloading the latest version from Microsoft’s site and installing it on a workstation.

In this case, my PC had version 16.0.19418.12000 installed and after the update, I was puzzled that PowerShell continued to load that version. I blamed a bad download, so I downloaded and installed the new module again. Version 19418.12000 persisted. And persisted.

Even a cycle of removing the module, rebooting the PC, and installing the new module refused to dislodge 19418.12000. Eventually, I discovered that the files for this version were in C:\Program Files\WindowsPowerShell\Modules\Microsoft.Online.SharePoint.PowerShell while those for 16.0.19927.0 were installed into C:\Program Files\SharePoint Online Management Shell. After I deleted the older files, PowerShell picked up the new version.

This is obviously not the way that things should work. Microsoft is investigating… In the meantime, I’m chalking these problems down to yet another event along my rich voyage among PowerShell modules, just like the issue I had with OneDrive’s known folders and the Active Directory module.

Use the Office 365 Audit Log to Find Who Updated a Document
https://office365itpros.com/2020/05/08/update-a-sharepoint-document/
Published: Fri, 08 May 2020 09:30:14 +0000

Interrogating SharePoint and OneDrive Document Version History

A recent question asked how to use the SharePoint Online PnP PowerShell module to extract the version history of a document. The PnP (Patterns and Practices) module contains cmdlets to handle complex SharePoint provisioning and management scenarios. If you get to know PnP, you’ll probably like it because it can handle actions from updating a SharePoint document to creating a new folder. However, the nature of PnP is that its interaction with objects is more complicated than other PowerShell modules.

The usual reason why people want to look at the version history for a document is to know who made a change to its content. Given how autosave captures document updates, the number of versions available for a document stored in SharePoint Online or OneDrive for Business can be large (Figure 1).

Figure 1: Version history for a SharePoint Online document

Office 365 Audit Log is an Alternative

If you’re not used to PnP, you might find it easier to extract information about events to update a SharePoint document from the Office 365 audit log. Every time a document is uploaded or updated in a SharePoint Online or OneDrive for Business document library, SharePoint creates an audit event that is later ingested into the Office 365 audit log (the event should be available about 15 minutes after the update). If we know the name of a document, it’s easy to search the audit log with the Search-UnifiedAuditLog cmdlet and find its audit records.

Searching for Document Change Audit Events

The PowerShell script below uses the $FileName variable to hold the name of the document to search for. If events occurred for this document over the last 90 days, the search should find events to record the initial upload of the document to the library (FileUploaded) and subsequent updates (FileModified) and views (FileAccessed). If the AutoSave feature is enabled for the document, multiple update records can accumulate over a short period. As is normal with audit records, a lot of interesting information is found in the AuditData property.

$FileName = (Read-Host "Enter file name to search")
$Records = (Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-90) -EndDate (Get-Date).AddDays(+1)  -Operations FileModified, FileAccessed, FileUploaded -ObjectIds $FileName -ResultSize 1000)
If ($Records.Count -eq 0) {
   Write-Host "No audit records found for file names beginning with" $FileName }
 Else {
   Write-Host "Processing" $Records.Count "audit records..."
   $Report = [System.Collections.Generic.List[Object]]::new()
   ForEach ($Rec in $Records) {
      $AuditData = ConvertFrom-Json $Rec.Auditdata
      $ReportLine = [PSCustomObject]@{
           TimeStamp   = $Rec.CreationDate
           User        = $AuditData.UserId
           Action      = $AuditData.Operation
           SiteUrl     = $AuditData.SiteUrl
           Site        = $AuditData.SourceRelativeUrl
           File        = $AuditData.SourceFileName
           IpAddress   = $AuditData.ClientIP
           App         = $AuditData.UserAgent  }
      $Report.Add($ReportLine) }}

Listing the Results

After analyzing the audit records, we can list the set of actions found for the document:

$Report | Select Timestamp, User, Action

TimeStamp            User                               Action
---------            ----                               ------
22 Apr 2020 14:40:41 Jane.Maloney@office365itpros.com   FileModified
21 Apr 2020 15:19:03 Jane.Maloney@office365itpros.com   FileModified
21 Apr 2020 15:02:34 Kim.Akers@office365itpros.com      FileModified
21 Apr 2020 15:01:39 Jane.Maloney@office365itpros.com   FileUploaded

To distribute the report, you could simply print it or create a CSV file. Other distribution methods include:

  • Format the content in HTML and send it via email (see this article for details).
  • Create the report in a SharePoint document library (the basics of how to do this are explained here; the scenario is a script running in an Azure Automation runbook but the technique of using PnP cmdlets is the same in “regular” PowerShell).
  • Post the report to a Teams channel or post a link to it in a message card created in a Teams channel using the inbound webhook connector. See this article for more information.

Is Ninety Days Enough?

If your accounts have Office 365 E5 or Microsoft 365 E5 compliance licenses, audit records are available for 365 days. However, 90 days is usually enough to find out who made a change to an important document. Unless the change was overlooked and has only just been noticed!


Practical information about using PowerShell to solve common Office 365 administrative problems is a hallmark of the Office 365 for IT Pros eBook. Subscribe today and learn from our experience!

Word Combines @Mentions and SharePoint Online Sharing Links
https://office365itpros.com/2020/05/02/mentions-word-comments/
Published: Sat, 02 May 2020 14:07:17 +0000

Not a Word Expert By Any Means

I am a dedicated rather than expert Word user. The editor is something I’ve used most days since I first opened Word 2.0 in 1993 and concluded it was a better word processor than DECwrite, an editor that ran on VAX workstations at the time. Word 2.0 ran on a 286 PC with 4 MB of memory, so it’s fair to say that it was a lot cheaper to use than its VMS counterpart.

Word is Like an Old Slipper

Over the best part of three decades I have grown comfortable with Word. Most of the time, I use the same features and don’t go looking for new functionality unless I need to perform a task. Recently, I found that Word (click to run or Office 365 ProPlus, now horribly renamed as Microsoft 365 Enterprise Apps suite) combines @mentions in comments with the ability to share documents. The feature is useful when you collaborate to create documents, which I need to do often.

Comment or @Mention

Using version 2004 (build 12730.20150) of Word, I noticed that the old insert comment command is now Comment or @Mention. Clicking the command brings up the usual dialog to enter a comment (for example, “what horrible text – you need to change this!”) with the added option to insert an @mention.

Type @ and the first few characters of someone’s display name. Word checks to find the person to mention. It looks like Word uses Outlook’s auto-complete list of email addresses because I noticed names from outside the tenant that I had previously emailed (Figure 1).

Figure 1: Selecting someone to @Mention in a Word comment

You can also add an @mention comment from the right-click insert menu. 

Sharing for @Mentions

For good reason, @mentioning someone only works for documents stored in SharePoint Online or OneDrive for Business. After selecting the name, you can enter the comment. If that person doesn’t currently have access to the document, Word offers to give them access (share) so that they can open and view the comment and the associated text (Figure 2).

Figure 2: Word offers to share a document so the @mentioned person can access it

The standard sharing mechanism available in OneDrive for Business or SharePoint Online is used, so the document must be stored in Office 365. If you open the document properties, you can see the share access granted to the @mentioned person (Figure 3).

Figure 3: The access granted to a Word document for @mention shares

Email Notifications for @Mentions

People @mentioned in a comment receive an email notification to tell them that they should go to the document to respond. The notifications sent by Office 365 applications are becoming smarter. OWA users can respond to Yammer conversations without leaving the client, and the Teams missed activity messages are a different take on the same idea. @Mention notifications contain information to help the recipient decide how quickly they need to respond by including the context of the comment (Figure 4). And when the time comes to respond, the link opens the document in the browser positioned at the comment.

Figure 4: An email notification for @mentions

Updated Comments

Once you involve other people in a document, it is likely that multiple people will edit the document concurrently. Collaborative co-authoring is not new, but I was pleased to see how responses to comments appeared in documents soon after they were added. Updates are not immediate because they depend on the autosave mechanism to capture and distribute changes to everyone who has a document open, but responses show up quicker than they would in a document circulated by email.

@Mentions for All

According to this Microsoft support article, PowerPoint, Word, and Excel are supposed to have the same @mention capabilities. This is certainly true of the online versions of the apps, but I only see @mentions in the desktop versions of Word and PowerPoint. Adding the feature to the desktop version of Excel might be a little more complicated.


The Office 365 for IT Pros eBook does not cover the desktop or online apps. However, we use Word to write the book and this feature exploits the Office 365 sharing mechanism, so we thought you’d like to know about it.

Microsoft Makes SharePoint Site Swap Available to Large Tenants
https://office365itpros.com/2020/03/05/sharepoint-online-site-swap-large-tenants/
Published: Thu, 05 Mar 2020 08:51:56 +0000

Swap the Root Site for SharePoint Online Tenants

In August 2019, Microsoft started to roll out the SharePoint Online site swap feature. The functionality swaps out the tenant’s root site and replaces it with another site, usually a communications site. When a root site swap happens, the old root site is archived and remains available for administrative access while user traffic is directed to the site that’s swapped in.

The root site is automatically provisioned for all SharePoint Online tenants and has a URL of https://tenantname.sharepoint.com/, so it’s something like https://office365itpros.sharepoint.com/. The root site is typically the starting point for a company’s intranet, so it’s important that the site works well.

Interfaces to Swap Sites

Originally, site swaps were only possible by using the Invoke-SPOSiteSwap cmdlet. In November 2019, Microsoft updated the SharePoint Admin Center to include the Replace site option, which is only exposed when the current root site is selected (Figure 1).

Figure 1: The Replace site option in the SharePoint Admin Center

Small Tenants Only

With just a few details to worry about, like choosing the right type of site to become the new root (it can’t be connected to an Office 365 group), the technology worked well. However, Microsoft restricted site swaps to Office 365 tenants with fewer than 1,000 seats. The reason for the restriction is that Microsoft wanted to be sure that everything about site swaps worked perfectly. After all, if a tenant loses access to its root site because of a bug, it will affect a lot of functionality.

Gradually Microsoft eased back the restriction to make site swap available to more tenants until they reached the 10,000 seat level and then halted. As announced in Office 365 notification MC204488 on February 22, they’re now ready to let the largest tenants go ahead and swap root sites.

Make Sure with Page Diagnostics

Large tenants often have the same kind of SharePoint activity as small tenants do; the difference is that the traffic generated by a large tenant tends to expose any flaw in a process. For this reason, it’s important to do some up-front planning to make sure that the replacement root site is ready before it is swapped in.

Microsoft recommends that administrators use the Page Diagnostics tool for SharePoint Online to check replacement root sites before proceeding with a swap. This tool is an add-in for Chrome or Edge that analyzes page components to identify potential issues. For instance, if some graphics used by the page are large files, they might slow page loading. This is a bigger issue for larger sites because the higher traffic volume will accentuate the effect of the larger files.

Warnings and Errors

The page diagnostics tool reports warnings and errors. It’s up to administrators if they want to heed the warnings before proceeding (an automated checker might miss something a human knows, or humans just know best), but they can’t go ahead with a site swap if errors exist. Those errors must be fixed before a site swap is possible.

Swapping Sites in Large Tenants Needs PowerShell

When everything is ready, you can run the Invoke-SPOSiteSwap cmdlet (support in the SharePoint Admin Center for site swaps in large tenants is coming). You must update the SharePoint Online PowerShell module to version 16.0.19807.1200 or higher to be able to execute a site swap in a large tenant. The easiest way to do this is by updating the module from the PowerShell Gallery:

Update-Module Microsoft.Online.Sharepoint.PowerShell -Force

The upgraded version of the cmdlet includes an integrated page diagnostic check for errors and warnings plus a new Force parameter to allow administrators to override warnings (but never errors). To perform a site swap, the command format is:

Invoke-SPOSiteSwap `
-SourceURL https://office365itpros.sharepoint.com/sites/NewMarketingComms `
-TargetURL https://office365itpros.sharepoint.com `
-ArchiveURL https://office365itpros.sharepoint.com/sites/OldMarketingComms -Force

As with anything in large organizations, it’s usual to plan operations like site swaps well ahead of time (so there’s no reason not to run page diagnostics) and to schedule the event for a period of low user activity, like a weekend. This avoids any user issues like 404 errors when the page swap is in flight.

Happy swapping!


Good SharePoint Online management is essential to the overall health of an Office 365 tenant. The Office 365 for IT Pros eBook reflects this and includes a ton of interesting and useful advice about how to work with SharePoint Online.

Managing SharePoint Online with PowerShell https://office365itpros.com/2020/02/21/managing-sharepoint-online-with-powershell/?utm_source=rss&utm_medium=rss&utm_campaign=managing-sharepoint-online-with-powershell https://office365itpros.com/2020/02/21/managing-sharepoint-online-with-powershell/#comments Fri, 21 Feb 2020 00:15:16 +0000 https://office365itpros.com/?p=7332
SharePoint Online PowerShell Module in PowerShell Gallery

SharePoint Online PowerShell Module Helps Automate Common Tasks

The SharePoint Online Management Shell is a Windows PowerShell module designed for command-line operations and inclusion in PowerShell scripts. The module makes it possible to perform batch processing for tasks like reports and is the only way to achieve some management tasks in SharePoint and OneDrive.

As with many other cloud components, Microsoft updates the SharePoint Online Management Shell almost every month to align with the release cadence of the SharePoint Client-Side Object Model (CSOM) API libraries. The updates include new cmdlets, new parameters for cmdlets, and other tweaks. If you use PowerShell to work with SharePoint Online, it’s important that you use the latest module.

Installing the Latest SharePoint Online Module

You can download an MSI (installable package) for the latest SharePoint Online Management Shell module. Once downloaded, you run the executable to install the module, remembering to uninstall any previous version first. The MSI version is the traditional method to distribute updated modules, but since Microsoft released the Microsoft.Online.SharePoint.PowerShell module in the PowerShell Gallery, it’s more convenient to install it from there.

To install the SharePoint Online module, run PowerShell as an administrator and run this command:

Install-Module -Name Microsoft.Online.SharePoint.PowerShell

To update to the latest version, run:

Update-Module -Name Microsoft.Online.SharePoint.PowerShell

Connecting to SharePoint Online with PowerShell

The Connect-SPOService cmdlet is used to connect to the SharePoint administration endpoint for a tenant (the same endpoint as used for the SharePoint Admin Center). To build the endpoint, take the normal SharePoint root for your tenant (like https://office365itpros.sharepoint.com/) and insert “-admin” after the tenant name. For example:

# Connect to SharePoint Online administration endpoint
Connect-SPOService -URL "https://office365itpros-admin.sharepoint.com"

The SharePoint Online module is designed for administrative tasks, so you should always connect with an account that has Global Administrator or SharePoint Administrator rights for the tenant.

As part of the connection to the administration endpoint, the SharePoint Online module is loaded into your PowerShell session and you can check the version of the installed module:

Get-Module |? {$_.Name -eq "Microsoft.Online.SharePoint.PowerShell"}| Format-Table Name, Version   

Name                                   Version
----                                   -------
Microsoft.Online.Sharepoint.PowerShell 16.0.19724.12000

In your scripts, it’s a good idea to include a test to make sure that a connection is available to SharePoint Online before running any other code. Here’s a very simple test for a connection:

Try {
    # -ErrorAction Stop makes any failure terminating so that Catch runs
    $TestSPO = Get-SPOTenant -ErrorAction Stop
}
Catch {
    Write-Host "Error accessing SharePoint Online - please connect to the service before retrying"
    break
}
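The connection test above can be combined with the module version requirement from the site swap article into one guard at the top of a script. This is an added example, not code from the original article; the function name Test-SPOScriptReady and its parameters are hypothetical, and the default minimum version is the one the site swap article quotes.

```powershell
# Added example: guard for the top of a SharePoint Online admin script.
# Test-SPOScriptReady is a hypothetical helper name, not a cmdlet from the module.
function Test-SPOScriptReady {
    [CmdletBinding()]
    param(
        # Lowest module build the script needs. The default is the build the
        # site swap article requires for large tenants.
        [version]$MinimumVersion = '16.0.19807.1200',
        [string]$ModuleName = 'Microsoft.Online.SharePoint.PowerShell'
    )

    $Result = [ordered]@{
        ModuleName       = $ModuleName
        InstalledVersion = $null
        VersionOk        = $false
        Connected        = $false
        Problems         = [System.Collections.Generic.List[string]]::new()
    }

    # Several versions can be installed side by side; evaluate the newest one.
    $Module = Get-Module -Name $ModuleName -ListAvailable |
        Sort-Object -Property Version -Descending |
        Select-Object -First 1

    if (-not $Module) {
        $Result.Problems.Add("Module $ModuleName is not installed. Run Install-Module -Name $ModuleName")
    }
    else {
        $Result.InstalledVersion = $Module.Version
        # Compare as [version] objects. A string comparison works character by
        # character and can rank an older build above a newer one.
        $Result.VersionOk = ($Module.Version -ge $MinimumVersion)
        if (-not $Result.VersionOk) {
            $Result.Problems.Add("Module version $($Module.Version) is older than $MinimumVersion. Run Update-Module -Name $ModuleName")
        }
    }

    # Get-SPOTenant fails when no Connect-SPOService session exists (or when the
    # module is missing); -ErrorAction Stop routes either failure to catch.
    try {
        $null = Get-SPOTenant -ErrorAction Stop
        $Result.Connected = $true
    }
    catch {
        $Result.Problems.Add("No SharePoint Online connection: $($_.Exception.Message)")
    }

    [pscustomobject]$Result
}

$Check = Test-SPOScriptReady
if ($Check.Problems.Count -gt 0) {
    $Check.Problems | ForEach-Object { Write-Warning $_ }
    # In a real script, stop here (for example with 'return' or 'exit 1').
}
else {
    Write-Host "Module version $($Check.InstalledVersion) is installed and a connection is available"
}
```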

Basic SharePoint PowerShell Cmdlets

To see the available SharePoint Online cmdlets, run:

Get-Command -Module "Microsoft.Online.SharePoint.PowerShell"

The current SharePoint Online Management Shell module includes 179 cmdlets. These cmdlets can be divided into several types, including:

  • Tenant-Level cmdlets like Get-SPOTenant and Set-SPOTenant.
  • Site-Level cmdlets like Get-SPOSite and Set-SPOSite.
  • Cmdlets for specific operations like Start-SPOSiteRename and Test-SPOSite.

It’s very common to want to retrieve information about the sites in a tenant. To do this, run the Get-SPOSite cmdlet. The Limit parameter specifies that all sites are to be returned.

Get-SPOSite -Limit All 

Note that this command returns all types of sites found in the tenant, including redirect sites (created because of site URL renames), hub sites, the app catalog, and sites used by Teams private channels. In most cases, it is best to be more precise when using Get-SPOSite to find sites by specifying the template for the type of sites you want to process. For instance, this command only returns the sites used by Teams private channels.

Get-SPOSite -Limit All -Template "TEAMCHANNEL#0"

SharePoint and Other Office 365 Elements

Sometimes you need to retrieve information about a SharePoint Online site for use elsewhere inside Office 365. For example, if you want to include a document library belonging to an Office 365 group, team, or team private channel on an eDiscovery case or content search, you need to specify the site’s URL as a search location.

If you use PowerShell to examine the properties of an Office 365 group with the Get-UnifiedGroup cmdlet, you will see three SharePoint Online URLs returned for the site, the document library, and the shared OneNote notebook. The value returned in the SharePointSiteUrl property is the one needed when you wish to add a site to content searches:

Get-UnifiedGroup -Identity "Office 365 for IT Pros" | Format-List Share*Url

SharePointSiteUrl	: https://Office365ITPros.sharepoint.com/sites/O365ITPros
SharePointDocumentsUrl	: https://Office365ITPros.sharepoint.com/sites/O365ITPros/Shared Documents
SharePointNotebookUrl	: https://Office365ITPros.sharepoint.com/sites/O365ITPros/SiteAssets/Office 365 for IT Pros Notebook

The URL retrieved from the Office 365 Group can be used with Get-SPOSite to find further information about the site belonging to the group.

It’s also possible to discover what Office 365 Group a site belongs to by using the GroupId property stored for the site. For example:

Get-UnifiedGroup -Identity (Get-SPOSite -id https://office365itpros.sharepoint.com/sites/O365ExchPro).GroupId.Guid  | Format-Table DisplayName, SharePointSiteURL                 
  
DisplayName            SharePointSiteUrl
-----------            -----------------
Office 365 for IT Pros https://office365itpros.sharepoint.com/sites/O365ITPros

SharePoint PnP Module

The functionality available through the SharePoint Online PowerShell module is limited and restricted to basic administration tasks performed by a SharePoint Online administrator, such as managing sites and tenant settings. To get extra functionality, use the cmdlets available in the SharePoint PnP PowerShell cmdlets project in GitHub, part of the Patterns & Practices community initiative. To go further and be able to access all the aspects of SharePoint, you will need to use the CSOM API in your PowerShell scripts. To install the PnP PowerShell module, run this command:

Install-Module SharePointPnPPowerShellOnline -Force

Many good examples of using the SharePoint PnP cmdlets are available on the web.


This information is an example of the kind of text you’ll find in the Office 365 for IT Pros eBook. Don’t you think you should be a subscriber?

SharePoint Library IRM Protection and Office 365 Sensitivity Labels https://office365itpros.com/2020/01/20/sharepoint-library-protection-office-365-sensitivity-labels/?utm_source=rss&utm_medium=rss&utm_campaign=sharepoint-library-protection-office-365-sensitivity-labels https://office365itpros.com/2020/01/20/sharepoint-library-protection-office-365-sensitivity-labels/#comments Mon, 20 Jan 2020 08:30:07 +0000 https://office365itpros.com/?p=5698

Old Approach Should be Replaced by Sensitivity Labels

With support for Office 365 sensitivity labels available in SharePoint Online and the Office Online apps (in preview, expected to be generally available very soon), it’s a good opportunity to consider how you should protect SharePoint Online content in the future. The choice is to continue applying Information Rights Management (IRM)-based protection to document libraries so that documents are encrypted when downloaded, or to go all in with sensitivity labels.

IRM-based protection requires a tenant to enable rights management for SharePoint Online before libraries can be protected. Once this is done, you can go to the Information Rights Management section of library settings and configure protection (Figure 1).

Figure 1: Setting up IRM protection for a SharePoint Online document library

After IRM is enabled for a library, any PDF or Office document file will be encrypted when downloaded. The encryption uses rights management to ensure that only people with access to the library can open the downloaded files.

Only One Go-Forward Option

Office 365 sensitivity labels are the preferred way to protect content stored in SharePoint Online and OneDrive for Business. They are more flexible and powerful than the traditional approach of protecting SharePoint libraries with IRM. The advantages of sensitivity labels include:

  • Support for labels in a wide range of clients including desktop, browser, and mobile apps. Figure 2 shows how to apply a sensitivity label to a document through Word Online.
  • Labels can apply visual markings to content in addition to protection.
  • Because rights management underpins labels, granular control is available to determine who can do what with a file.
  • Labels become part of the metadata of files and messages and protection travels with content as it moves between libraries or in and out of Office 365.
  • Labels can be applied to email and documents automatically (by label policy, Data Loss Prevention policies or transport rules) or manually (by users).
  • Labels can be used to assign classifications to Office 365 Groups, Teams, and SharePoint containers.
  • Documents protected by sensitivity labels support advanced features like co-authoring (with Office online apps).
  • SharePoint Online populates a sensitivity column to show the label applied to files (the column is not available in OneDrive for Business).
  • Documents and messages protected by sensitivity labels are indexed by Office 365. This means that protected content can be found by Office 365 content searches and eDiscovery.

Some of these features are still in preview, like the support in SharePoint Online, but they are coming and will be generally available very soon.

Figure 2: Office 365 Sensitivity Labels applied to a document in Word Online

The benefit of traditional SharePoint “protection on download” is that encryption is automatically applied when files are downloaded from a library, meaning that users don’t have to think about applying a label to documents. Only people with access to the library can access the files.

The long-term strategy for any Office 365 tenant should be to phase out the traditional SharePoint IRM-based protection and replace it with Office 365 sensitivity labels as soon as business requirements and user training allow.


Confused about encryption and rights management in Office 365? Look no further than Chapter 24 of the Office 365 for IT Pros eBook. It’s all explained there.

Microsoft Fixes Teams Problem After SharePoint Site Rename https://office365itpros.com/2020/01/06/microsoft-fixes-teams-problem-sharepoint-site-rename/?utm_source=rss&utm_medium=rss&utm_campaign=microsoft-fixes-teams-problem-sharepoint-site-rename https://office365itpros.com/2020/01/06/microsoft-fixes-teams-problem-sharepoint-site-rename/#comments Mon, 06 Jan 2020 09:33:25 +0000 https://office365itpros.com/?p=6376

Files Channel Tab Loses Connection to SharePoint

Being able to rename the URLs for SharePoint sites was one of the most popular features shipped by Microsoft in 2019. Site renames work and SharePoint makes sure that old links work too by creating redirects for the old URLs, but there are some known side-effects of a site rename that should be considered before proceeding. Losing the connection between the Files channel tab in Teams and the underlying SharePoint document library is one of the known problems. Figure 1 shows the error that you see if Teams can’t connect to SharePoint.

Figure 1: Teams Loses Connection to SharePoint after Site Rename

Microsoft’s documentation notes that the “issue is actively being worked on and will be addressed soon.” The problem has been known for several months and Microsoft rolled out a fix in mid-November. The original fix made sure that site renames no longer affected Teams and a backfill process run by SharePoint corrected the link in any sites that had been renamed to that point. At least, that was the plan. And like any good plan, it survived until the first hiccup, which was when some renamed sites stubbornly refused to cooperate.

A new fix takes care of the recalcitrant sites and restores the connection between Teams and SharePoint. The fix will roll out over the coming weeks.

MVPs and Microsoft Development Groups

Part of the unique joy of being a Microsoft MVP is the opportunity to work with development groups to test new features (always interesting) or chase down problems (maybe not as interesting, but often more valuable). I’ve been helping the Teams developers figure out what went wrong and how to fix the problem for a while. The process was slowed by the holidays, but everything clicked in the new year, meaning that the Files channel tab started to display the right information (Figure 2).

Figure 2: What the Files Channel tab should display from SharePoint

You might consider that Microsoft was slow in fixing a problem affecting two major Office 365 applications. It’s true that solving the issue took more time than predicted or desired, but that’s probably due to the nature of cloud software distributed across multiple Office 365 datacenter regions and SharePoint Online farms, the need to gather and analyze logs and run tests, and so on. The other point is that this issue only affected a small number of renamed sites which have a mixture of upper and lowercase letters in the new site URL. In any case, the bug is now squashed and we can now rename sites happily in no danger that Teams will be affected (the other side effects still remain).


The writing team for the Office 365 for IT Pros eBook are all MVPs, which explains where we get some of our information and insight that we share in the book. But of course, we can’t tell you the really interesting stuff… If we did, we’d lose our MVP status.

Publishing Content From Another SharePoint Site to Teams https://office365itpros.com/2019/12/12/publish-sharepoint-content-teams/?utm_source=rss&utm_medium=rss&utm_campaign=publish-sharepoint-content-teams https://office365itpros.com/2019/12/12/publish-sharepoint-content-teams/#comments Thu, 12 Dec 2019 11:07:29 +0000 https://office365itpros.com/?p=6052

A Team is Tightly Connected to its SharePoint Site

Last year, I wrote an article about the ways you can publish SharePoint news items to Teams. One of the methods is to use the SharePoint tab to link to the News page in the site belonging to the team. This works well and I called it the “nicest approach to publish news into Teams.”

The downside is that the SharePoint tab only supports the publication of pages or lists from the site belonging to the team (Figure 1). This is fine if you want to publish news to something like an org-wide team (for tenants with fewer than 5,000 accounts), but it’s problematic if you want to bring content like a news item with important information from another site into a team.

Figure 1: What can be published with the Teams SharePoint tab

The Workaround

If you examine news items, you’ll find that each item is a separate page. The workaround to bring content from a different site into a team is to publish the page using the website tab. The website tab supports the publication of content from any URL, assuming that the reader has access to that content. In the case of a SharePoint page, we need a URL that tells Teams to fetch and display the content.

The first thing to do is to open the page we want to display in a browser and copy its URL. For example:

https://office365itpros.sharepoint.com/sites/BlogsAndProjects/SitePages/Microsoft-Launches-New-Teams-Exploratory-Experience.aspx

This URL is enough for SharePoint to render the content, but Teams is a different context and the URL we need is slightly different. The amended format is:

https://office365itpros.sharepoint.com/sites/BlogsAndProjects/_layouts/15/teamslogon.aspx?spfx=true&dest=/sites/BlogsAndProjects/SitePages/Microsoft-Launches-New-Teams-Exploratory-Experience.aspx

The important bit is the inclusion of a command to force Teams to authenticate with SharePoint before displaying the page.

Working Example

Figure 2 shows a news item created and published in SharePoint as viewed through the browser interface. The first thing to do is to copy the URL for the item from the browser and adjust it as described above.

Figure 2: News item published and viewed in SharePoint

Next, go to Teams and select the channel in the team where you want the content to appear. Click Add a tab and select the website tab. Input a unique name for the tab and the amended URL for the content you want to display (Figure 3).

Figure 3: Adding a URL to a Website tab

After the tab is created, it should display the content. As you can see from Figure 4, the formatting and layout are rendered properly by the tab.

Figure 4: Teams displays content from a different SharePoint site

Avoid Spinning Wheels

Some people have great success with this workaround, others find that it leads to spinning wheels and nothing being displayed. If you’re in the latter category, consider exploring the solution proposed by Yannick Reekmans. It’s a nice example of thinking outside the box to fix a problem.


Need more information about how Teams and SharePoint Online work together? Peruse the chapters in the Office 365 for IT Pros eBook to get a better understanding of how these important parts of Office 365 work together.

How to Save SharePoint Online and OneDrive Files and Folders for Later https://office365itpros.com/2019/12/11/save-for-later-sharepoint-onedrive/?utm_source=rss&utm_medium=rss&utm_campaign=save-for-later-sharepoint-onedrive https://office365itpros.com/2019/12/11/save-for-later-sharepoint-onedrive/#comments Wed, 11 Dec 2019 10:16:17 +0000 https://office365itpros.com/?p=6070

New Feature Now Rolling Out to Office 365 Tenants

Microsoft’s OneDrive for Business November 2019 Roundup includes news of the Save for Later feature (Office 365 roadmap item 49095). Although I haven’t seen an Office 365 notification to announce its rollout, Save for Later has turned up in both SharePoint Online and OneDrive for Business in my (targeted release) tenant. The feature description is:

“Save for Later will allow you to bookmark files and folders from your OneDrive, files shared to you and those in Shared Libraries to a “Saved for Later” list that you’ll be able to easily access.”

Delve’s Recent Documents List

Humans love to build to-do lists and Save for Later is no more than that: a way to build a list of items stored in SharePoint Online and OneDrive for Business that you need to go back to, maybe to work on and complete, perhaps to remind yourself of something. Although the idea is simple, it’s very useful. Two simple facts underline why. First, more files are stored in cloud repositories. Second, those files are stored in an ever-growing number of sites. The mission of SharePoint Online is to be the document management service for Office 365 and the popularity of Teams and other group-enabled applications, all of which come with a SharePoint site, means that users have more sites to work with. Put another way, there are more cloud places to store files than ever before (SharePoint Online now supports two million sites per tenant). Some help to keep track of important files is appreciated.

Delve (introduced in 2015) is an earlier attempt to solve the problem. Delve has a recent document view (Figure 1) to remind users of what they’ve been working on, and it allows users to associate files with “boards” (collections). A board can hold documents drawn from multiple sites and is a useful way to track ongoing work.

Figure 1: Delve shows off recent documents

Delve seems to have fallen out of favor recently. It’s a first-generation Graph application that was never developed past the work done in the first couple of years, possibly because customers didn’t react to Delve in quite the positive way that Microsoft expected. The announcement of Project Cortex at the Microsoft Ignite 2019 conference removed the remaining oxygen for Delve. I would not be surprised if Microsoft deprecates Delve soon after Project Cortex becomes generally available sometime in the second half of 2020.

Saving Files for Later in SharePoint and OneDrive for Business

Marking files to save for later is easy. Simply select Save for later in the menu (Figure 2). The same option is available to mark either individual files or complete folders in both SharePoint Online and OneDrive for Business. Once chosen for an item, the saved indicator shows that it’s marked. You can also click the saved indicator beside a file or folder to change it from blank (not saved) to filled (saved).

Figure 2: Saving a SharePoint Online document for later

SharePoint Online and OneDrive for Business share a common list of saved for later files. You can see the list in two places. First, the list appears at the bottom of the SharePoint Online home page (Figure 3).

Figure 3: Saved for Later list in the SharePoint Online home page

Second, you can access the list through the option in the OneDrive for Business menu (Figure 4). This version of the list is more informative because it includes details of the location and how recently an item was accessed.

Figure 4: The Saved for Later list in OneDrive for Business

In either app, you can open an item by clicking on it. OneDrive for Business includes a menu of other options such as delete, rename, and share. You can also remove an item from the saved for later list. In SharePoint Online, click the indicator to turn it from filled to blank. In OneDrive for Business, select the Remove from saved option in the menu.


It would be nice if Office 365 didn’t change for a while. But this is the cloud and stuff keeps on evolving. That’s why the Office 365 for IT Pros eBook exists to track and analyze how Office 365 changes over time.

How to Configure the Per-Site Anyone Link Expiration Policy for SharePoint Online Sites https://office365itpros.com/2019/11/27/configure-per-site-anyone-link-expiration-policy-sharepoint-online-sites/?utm_source=rss&utm_medium=rss&utm_campaign=configure-per-site-anyone-link-expiration-policy-sharepoint-online-sites https://office365itpros.com/2019/11/27/configure-per-site-anyone-link-expiration-policy-sharepoint-online-sites/#comments Wed, 27 Nov 2019 05:52:26 +0000 https://office365itpros.com/?p=5787

Customized Anyone Sharing Links on a Site-by-Site Basis

Office 365 notification MC186627 (roadmap item 53748) covers the introduction of a Per-Site Anyone Link Expiration Policy for SharePoint Online sites. A clearer description might say that you can now configure different expiration dates for Anyone Sharing Links on a site-by-site basis, but only in PowerShell as there’s no GUI to assign a custom expiration period to a site. This functionality is available worldwide now.

Two things are at play here. First, the default period for sharing links. This setting applies to all sites in a tenant and is set in the Sharing section of the OneDrive for Business Admin portal (Figure 1).

Figure 1: Setting a default period for sharing links

Second, Anyone links. These sharing links are used to allow anyone (hence the name) who has the link to access files or folders in SharePoint Online or OneDrive for Business sites. Links like this are typically used to allow broad access to content that doesn’t need to be restricted, such as sharing publicity material with customers.

The Issue Being Addressed

The problem with a one-size-fits-all link expiration period is that it works perfectly well for some sites but not for others. Setting a 365-day expiration period is great for links used to access unrestricted content; it’s not so good if the link is used to give access to confidential material. Although these links are likely to be restricted to specific people, you still might want to have the links expire sooner than a year.

Set-SPOSite Has the Solution

To solve the problem, connect to SharePoint Online with PowerShell (using the latest available module). Find the URL for the site for which you want to set a custom Anyone link expiration period. You can run the Get-SPOSite cmdlet to return a list of sites or access the site and copy the URL from the browser address bar.

Now run the Set-SPOSite cmdlet to set the policy (Figure 2).

Figure 2: Running Set-SPOSite to set the Anyone link expiration period for a site

For example, this command sets a 10-day Anyone link expiration period for the https://Office365itpros.sharepoint.com/sites/Confidential site:

# Set Anyone link expiration period for the site
Set-SPOSite -Identity https://Office365itpros.sharepoint.com/sites/Confidential -AnonymousLinkExpirationInDays 10 -OverrideTenantAnonymousLinkExpirationPolicy $True 

OneDrive for Business Sites

The Set-SPOSite cmdlet in the current build of the SharePoint Online PowerShell module doesn’t support the AnonymousLinkExpirationInDays parameter for OneDrive for Business sites.

Set-SPOSite -id https://office365itpros-my.sharepoint.com/personal/tony_redmond_redmondassociates_org -AnonymousLinkExpirationInDays 10 -OverrideTenantAnonymousLinkExpirationPolicy $True

set-sposite : https://redmondassociates-my.sharepoint.com/personal/john_redmond_office365itpros_com is a OneDrive for Business site collection. The only valid parameters for this type of site collection are '-Identity', '-AllowDownloadingNonWebViewableFiles', '-AllowEditing', '-ConditionalAccessPolicy', '-DefaultLinkPermission', '-DefaultSharingLinkType', '-DisableCompanyWideSharingLinks', '-LimitedAccessFileType', '-LockState', '-Owner', '-SharingAllowedDomainList', '-SharingBlockedDomainList', '-SharingCapability', '-SharingDomainRestrictionMode', '-ShowPeoplePickerSuggestionsForGuestUsers', '-StorageQuota', and '-StorageWarningLevel'.
At line:1 char:1
+ set-sposite -id https://office365itpros-my.sharepoint.com/personal/ ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [Set-SPOSite], ServerException
    + FullyQualifiedErrorId : Microsoft.SharePoint.Client.ServerException,Microsoft.Online.SharePoint.PowerShell.SetSite
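Before setting per-site values, it helps to see which sites allow Anyone links and what expiration actually applies to each. The following is an added example, not code from the original article: Get-AnyoneLinkExposure is a hypothetical helper, the sample sites are constructed, and the property names (SharingCapability, AnonymousLinkExpirationInDays, OverrideTenantAnonymousLinkExpirationPolicy, RequireAnonymousLinksExpireInDays) are assumed to match the objects returned by Get-SPOSite and Get-SPOTenant.

```powershell
# Added example. Get-AnyoneLinkExposure is a hypothetical helper, not a module cmdlet.
function Get-AnyoneLinkExposure {
    [CmdletBinding()]
    param(
        # A site object with the (assumed) Get-SPOSite property names used below
        [Parameter(Mandatory, ValueFromPipeline)]
        [object]$Site,
        # Tenant-wide Anyone link expiration in days.
        # Assumption: a value of 0 or less means links never expire.
        [int]$TenantExpirationDays = 0,
        # Longest Anyone link lifetime the organization accepts, in days
        [int]$MaxAcceptableDays = 30
    )
    process {
        # The article shows that Set-SPOSite rejects the per-site expiration
        # parameters for OneDrive for Business sites, so flag those sites.
        $IsOneDrive = $Site.Url -match '-my\.sharepoint\.com/personal/'

        # ExternalUserAndGuestSharing is the sharing level that permits Anyone links
        $AllowsAnyone = "$($Site.SharingCapability)" -eq 'ExternalUserAndGuestSharing'

        # The site value only counts when the site overrides the tenant policy
        if ($Site.OverrideTenantAnonymousLinkExpirationPolicy) {
            $EffectiveDays = [int]$Site.AnonymousLinkExpirationInDays
            $PolicySource  = 'Site'
        }
        else {
            $EffectiveDays = $TenantExpirationDays
            $PolicySource  = 'Tenant'
        }

        $Finding =
            if (-not $AllowsAnyone)                    { 'Anyone links not allowed' }
            elseif ($EffectiveDays -le 0)              { 'Anyone links never expire' }
            elseif ($EffectiveDays -gt $MaxAcceptableDays) { "Expires after $EffectiveDays days (limit $MaxAcceptableDays)" }
            else                                       { 'OK' }

        [pscustomobject]@{
            Url           = $Site.Url
            AllowsAnyone  = $AllowsAnyone
            PolicySource  = $PolicySource
            EffectiveDays = $EffectiveDays
            CanSetPerSite = -not $IsOneDrive
            Finding       = $Finding
        }
    }
}

# Constructed sample data so the logic can be exercised without a tenant.
$SampleSites = @(
    [pscustomobject]@{ Url = 'https://contoso.sharepoint.com/sites/Confidential'
                       SharingCapability = 'ExternalUserAndGuestSharing'
                       OverrideTenantAnonymousLinkExpirationPolicy = $true
                       AnonymousLinkExpirationInDays = 10 }
    [pscustomobject]@{ Url = 'https://contoso.sharepoint.com/sites/Marketing'
                       SharingCapability = 'ExternalUserAndGuestSharing'
                       OverrideTenantAnonymousLinkExpirationPolicy = $false
                       AnonymousLinkExpirationInDays = 0 }
    [pscustomobject]@{ Url = 'https://contoso-my.sharepoint.com/personal/kim_contoso_com'
                       SharingCapability = 'ExternalUserAndGuestSharing'
                       OverrideTenantAnonymousLinkExpirationPolicy = $false
                       AnonymousLinkExpirationInDays = 0 }
    [pscustomobject]@{ Url = 'https://contoso.sharepoint.com/sites/Finance'
                       SharingCapability = 'ExistingExternalUserSharingOnly'
                       OverrideTenantAnonymousLinkExpirationPolicy = $false
                       AnonymousLinkExpirationInDays = 0 }
)

# 365 days is the tenant-wide period the article uses as its example.
$Report = $SampleSites | Get-AnyoneLinkExposure -TenantExpirationDays 365 -MaxAcceptableDays 30
$Report | Where-Object { $_.AllowsAnyone -and $_.Finding -ne 'OK' } |
    Format-Table Url, PolicySource, EffectiveDays, CanSetPerSite, Finding -AutoSize

# In a connected session, replace the sample data with live objects:
#   $Days = (Get-SPOTenant).RequireAnonymousLinksExpireInDays
#   Get-SPOSite -Limit All | Get-AnyoneLinkExposure -TenantExpirationDays $Days
```

With the constructed data, the Marketing site and the OneDrive site are reported as inheriting the 365-day tenant period, and only the Marketing site can be corrected with Set-SPOSite.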

Need more information about managing SharePoint Online and OneDrive for Business? The Office 365 for IT Pros eBook is bursting out with ideas!

SharePoint Online Gains New Office 365 Compliance Features https://office365itpros.com/2019/11/06/sharepoint-online-gains-office-365-compliance-features/?utm_source=rss&utm_medium=rss&utm_campaign=sharepoint-online-gains-office-365-compliance-features https://office365itpros.com/2019/11/06/sharepoint-online-gains-office-365-compliance-features/#comments Wed, 06 Nov 2019 12:40:09 +0000 https://office365itpros.com/?p=5553

Protected Content, Information Barriers, and More

Following up on yesterday’s report that Office 365 Groups will soon support sensitivity labels, more details emerged at Microsoft Ignite about how this support will flow through to group-enabled SharePoint Online sites. This is part of a big set of new features coming to improve the capabilities of SharePoint Online in the compliance space.

SharePoint Embraces Protection

From a SharePoint perspective, the big news is that SharePoint will soon be able to deal with encrypted content more elegantly than is possible today. After applying sensitivity labels with an Office app (desktop, mobile, or online – see Figure 1), SharePoint Online can index document content protected with a sensitivity label that invokes encryption (through rights management). Support for sensitivity labels in the Office Online apps also allows co-authoring of protected content.

Figure 1: Office Online apps support Office 365 Sensitivity Labels

Being able to index protected content is a big change. Up to now, SharePoint could only index the document metadata (like the subject or topic fields) of protected documents and the content remained inaccessible. Now, administrators will be able to search protected documents using Office 365 content searches (just like they can search protected email today). Naturally, users will also be able to search sites for protected content, but only content they have permission to access.

Protected documents downloaded from SharePoint sites retain their protection because the protection settings are part of the document metadata that apps respect inside or outside Office 365.

DLP and Protected Content

Along with search, Office 365 Data Loss Prevention policies will be able to examine protected content and apply policies to content found to violate policies because of the presence of sensitive data such as credit card or social security numbers.

Sensitivity Labels and Document Properties

One thing you won’t be able to do (for now) is apply a sensitivity label by editing document properties in the same way you can apply a retention label today. SharePoint’s new functionality concentrates on the storage and management of content marked with sensitivity labels instead of the direct application of the labels. However, you can expose a new Sensitivity column in document views to highlight protected documents (Figure 2).

Figure 2: SharePoint Online has a new Sensitivity Column

SharePoint Online and Information Barriers

Most of what’s described above will be in public preview from November 20. Private previews are spinning up for more advanced functionality, like the ability to auto-apply sensitivity labels to documents based on their content. Also in private preview is SharePoint Online support for Office 365 Information Barriers. In this implementation, SharePoint will block sharing of documents with people inside the organization if mandated by an information barrier policy.

Expiring External Access

Finally, SharePoint is introducing new controls to allow organizations to set expiration periods for external access to content. You’ll be able to define how long a sharing link should last for external people. Once the period elapses, they lose access to the shared content. Lots of good stuff!

Stay up-to-date with developments in compliance across Office 365 with the Office 365 for IT Pros eBook.

Discovering URLs for SharePoint Online and OneDrive for Business Sites https://office365itpros.com/2019/09/18/discovering-urls-sharepoint-online-onedrive-for-business/?utm_source=rss&utm_medium=rss&utm_campaign=discovering-urls-sharepoint-online-onedrive-for-business https://office365itpros.com/2019/09/18/discovering-urls-sharepoint-online-onedrive-for-business/#comments Wed, 18 Sep 2019 07:04:29 +0000 https://office365itpros.com/?p=4527

URLs Needed for Office 365 Content Searches

The topic of how best to find the URL of someone’s OneDrive for Business account arose in the context of Office 365 content searches. You need to know the URL of any SharePoint Online site or OneDrive for Business account before you can include it in the locations scanned by a content search (Figure 1), eDiscovery case, or Office 365 retention policy.

Figure 1: Some OneDrive for Business accounts added to an Office 365 content search

Finding URLs for SharePoint Sites

Finding the URL of a SharePoint site is straightforward, especially if the site is connected to an Office 365 Group (team). You can:

  • Open the SharePoint site from the group or Teams and note the URL.
  • Run PowerShell to find the URL.
  • Look at the site details in the SharePoint Admin Center to find the URL (Figure 2).
Figure 2: Finding the URL of a site through the SharePoint Admin Center

We can find the URL with the SharePoint Online PowerShell module or the Exchange Online module. First, here’s SharePoint Online where we use the filter parameter with the Get-SPOSite cmdlet to find all sites containing “Ben” in the URL:

# Find SPO Sites with Ben in the URL
Get-SPOSite -Filter "URL -like 'Ben'"

Url                                                         Owner Storage Quota
---                                                         ----- -------------
https://tenant.sharepoint.com/sites/benowensteam            26214400

The Get-UnifiedGroup cmdlet in the Exchange Online module can return details of any group-enabled site:

# Get SPO details from group
Get-UnifiedGroup -Identity "Ben Owens Team" | Format-list share*

SharePointSiteUrl      : https://tenant.sharepoint.com/sites/benowensteam
SharePointDocumentsUrl : https://tenant.sharepoint.com/sites/benowensteam/Shared
                         Documents
SharePointNotebookUrl  :

Finding URLs for OneDrive for Business Accounts

The OneDrive for Business Admin Center doesn’t list OneDrive accounts: neither does the SharePoint Admin Center. However, we can find the URLs as follows:

  • By accessing a user’s Delve profile and following the link to their OneDrive account.
  • With PowerShell.

PowerShell is probably the easiest method because you can create a list of all OneDrive for Business accounts in the tenant and keep it for easy reference. After connecting to the SharePoint Online PowerShell module with an administrator account, run this command to generate a CSV file with all the links. Figure 3 shows an example of what the CSV file contains.

# Get list of OneDrive for Business accounts and export them to CSV file
Get-SPOSite -IncludePersonalSite $true -Limit All -Filter "Url -like '-my.sharepoint.com/personal/'" | Select-Object Owner, Url | Sort-Object Owner | Export-Csv -Path c:\temp\OneDriveSites.csv -NoTypeInformation
Figure 3: A list of OneDrive for Business Accounts Generated in CSV format

Apart from being a useful reference, generating a list of OneDrive accounts also allows you to identify any OneDrive accounts belonging to long-deleted user accounts that should no longer be online (I found a couple from 2013).
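One way to turn that list into a check for orphaned OneDrive accounts, as an added example that is not part of the original post. It assumes existing Connect-SPOService and Connect-MgGraph (User.Read.All) sessions, that the Owner property holds the owner's user principal name, and a hypothetical output file name.

```powershell
# Added example: flag OneDrive for Business sites whose owner is no longer
# a user in the directory. Not code from the original article.
# Assumes: Connect-SPOService and Connect-MgGraph -Scopes User.Read.All
# have already been run with suitable administrator accounts.

# Same query the article uses to list personal sites
$OneDriveSites = Get-SPOSite -IncludePersonalSite $true -Limit All `
    -Filter "Url -like '-my.sharepoint.com/personal/'"

# Case-insensitive lookup of the user principal names that exist today
$ActiveUpns = [System.Collections.Generic.HashSet[string]]::new(
    [System.StringComparer]::OrdinalIgnoreCase)
Get-MgUser -All -Property UserPrincipalName | ForEach-Object {
    [void]$ActiveUpns.Add($_.UserPrincipalName)
}

$Report = foreach ($Site in $OneDriveSites) {
    # Assumption: Owner holds the owner's UPN. A renamed UPN shows up as
    # "OwnerNotInDirectory", so treat results as candidates for review.
    $Status = if ([string]::IsNullOrWhiteSpace($Site.Owner)) {
        'NoOwnerRecorded'
    } elseif ($ActiveUpns.Contains($Site.Owner)) {
        'OwnerFound'
    } else {
        'OwnerNotInDirectory'
    }

    [PSCustomObject]@{
        Owner        = $Site.Owner
        Url          = $Site.Url
        Status       = $Status
        StorageMB    = $Site.StorageUsageCurrent
        LastModified = $Site.LastContentModifiedDate
    }
}

# Oldest untouched sites first: these are the likeliest leftovers
$Orphans = $Report |
    Where-Object { $_.Status -ne 'OwnerFound' } |
    Sort-Object LastModified

$Orphans | Format-Table Owner, Url, StorageMB, LastModified -AutoSize

# Hypothetical output path, alongside the article's CSV
$Orphans | Export-Csv -Path c:\temp\OrphanedOneDriveSites.csv -NoTypeInformation
```

Check each flagged site against retention policies and holds before deciding whether it should be removed.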


Tracking down tips like this can be very time-consuming. Wouldn’t it be much better to be able to consult a comprehensive, always up-to-date manual? Something like the Office 365 for IT Pros eBook?

New OneDrive File Viewer Shows Up In Teams https://office365itpros.com/2019/08/16/new-onedrive-file-viewer-shows-up-in-teams/?utm_source=rss&utm_medium=rss&utm_campaign=new-onedrive-file-viewer-shows-up-in-teams https://office365itpros.com/2019/08/16/new-onedrive-file-viewer-shows-up-in-teams/#comments Fri, 16 Aug 2019 00:51:48 +0000 https://office365itpros.com/?p=3564

Greater Fidelity and Ability to Work with Content

The original file viewing capability in the Teams desktop and browser client was relatively basic. To improve the situation, Microsoft is rolling out a set of new file viewers for OneDrive for Business, SharePoint Online, and Teams. The OneDrive for Business development group leads this work to build out the number of supported file types (now over 300 and growing).

A picture tells the story better than words. Teams uses file viewers to display content when users click on documents in the Files channel tab. Figure 1 shows Teams displaying a PowerShell script that I uploaded to a SharePoint document library. The file is simple text, but the viewer is intelligent enough to understand the .PS1 extension and highlight different elements of the script. You can’t edit PowerShell scripts through the viewer.

Figure 1: PowerShell script viewed in Teams

Viewing and Editing Office Documents

Because the viewer launches the online version of the Office apps, you can edit Office documents in the viewer. Figure 2 shows a Word document being edited. This replaces the previous options to edit in Teams or edit online. If the desktop version of the app is available, you can choose to open the file in that.

Figure 2: Editing Word in the Teams viewer

The new viewers make it easier to work with documents in Teams. However, when working with documents in Teams, you work with online files stored in SharePoint. Often it’s easier to synchronize the document libraries belonging to a team with the OneDrive client and work with local copies of the files. If you’re traveling and have to deal with flaky Wi-Fi networks, local copies are the only way to go…


For more information about working with Teams, read the Office 365 for IT Pros eBook. It’s packed full of useful information!

SharePoint Online Site Swap Feature Rolling Out https://office365itpros.com/2019/08/08/sharepoint-online-site-swap-feature/?utm_source=rss&utm_medium=rss&utm_campaign=sharepoint-online-site-swap-feature https://office365itpros.com/2019/08/08/sharepoint-online-site-swap-feature/#comments Thu, 08 Aug 2019 09:07:51 +0000 https://office365itpros.com/?p=3796

Swap Old Sites for New With the Invoke-SPOSiteSwap PowerShell Cmdlet

Office 365 Notification MC187289

Office 365 Notification MC187289 posted on August 5 told us that Microsoft has started the roll-out of the SharePoint “site swap” feature described in Office 365 roadmap item 51259. The original plan for the roll-out called for a measured deployment (some would say “slow”) across different categories of tenants and is due to complete in October 2019. On September 6, Microsoft issued notification MC189866 with news that they had started to deploy to Office 365 tenants with less than 10,000 tenants. Larger tenants will still have to wait for a further update. Fortunately, my tenant was updated in the first part of the deployment and I could swap sites to my heart’s content.

The new feature uses the Invoke-SPOSiteSwap PowerShell cmdlet (part of the SharePoint Online PowerShell module from version 16.0.8812.1200 on). The latest version is 16.0.9119.1200, but I used the cmdlet with version 16.0.9021.1201. The cmdlet swaps an entire site collection.

Old SharePoint Site

I’ve been using SharePoint Online since 2011 and my root site was a very old page (Figure 1) that I put together years ago when sites could still be accessed by external users. I haven’t paid any attention to the page for a long time.

Figure 1: Old SharePoint root site

To replace the root page, I created a new SharePoint communications site and made some minor changes to it. I then ran the Invoke-SPOSiteSwap cmdlet to swap the new communications site to become the root site using this command:

# Swap a SharePoint site
Invoke-SPOSiteSwap -SourceURL https://office365itpros.sharepoint.com/sites/NewMarketingComms -TargetURL https://office365itpros.sharepoint.com -ArchiveURL https://office365itpros.sharepoint.com/sites/OldMarketingComms

Invoke-SPOSiteSwap starts off a background job to move things around. In this case, it took the old root site (https://office365itpros.sharepoint.com) and moved it to an archived site (https://office365itpros.sharepoint.com/sites/OldMarketingComms) and replaced the root site with the new communications site that I had updated (https://office365itpros.sharepoint.com/sites/NewMarketingComms). After a few minutes (you’ll see a 404 error while the moving around happens), the new root site was available (Figure 2). It was all very easy.

Figure 2: The new root page after Invoke-SPOSiteSwap does its magic

Audit Records

Office 365 captures audit records when you run Invoke-SPOSiteSwap to start the background job (SiteSwapScheduled) and when the job completes (SiteSwapped). These records are visible through the Audit log search in the Security and Compliance Center. They can also be found with the Search-UnifiedAuditLog cmdlet using a command like:

# Find records for SharePoint site swaps
Search-UnifiedAuditLog -Operations SiteSwapped, SiteSwapScheduled -StartDate 7-Aug-2019 -EndDate 8-Aug-2019

Some Restrictions

Some restrictions exist. The source or target sites can’t be associated with an Office 365 Group (team) or a hub site. The target site can only be the root site or the search center. There are several other notes to read up on in the documentation. Basically, this is a focused cmdlet that does what it says: it invokes a job to swap the location of a site with another site while archiving the original site.


Read more about managing SharePoint Online in the Office 365 for IT Pros eBook, including many other PowerShell examples.

Using Password-Protected Sharing Links with SharePoint Online https://office365itpros.com/2019/07/23/using-password-protected-sharing-links-sharepoint-online/?utm_source=rss&utm_medium=rss&utm_campaign=using-password-protected-sharing-links-sharepoint-online https://office365itpros.com/2019/07/23/using-password-protected-sharing-links-sharepoint-online/#comments Tue, 23 Jul 2019 00:03:10 +0000 https://office365itpros.com/?p=3608

Stop Unwanted People Using Sharing Links Sent for Documents

Announced at session BRK3100 at the Ignite 2018 conference last September and then included in the OneDrive for Business Roadmap update for June 2019, password-protected sharing links are now available across Office 365.

Only for Anyone Links

Before getting too excited, let’s reflect that this feature only works for Anyone sharing links. These are the links that can be used by anyone who has them. Many Office 365 tenants tune the sharing controls for SharePoint Online and OneDrive for Business to prohibit the use of Anyone links because they consider them a security risk. But if your tenant allows Anyone links, you can now protect them with custom passwords. The password-protected sharing link feature is available in the SharePoint Online and OneDrive for Business web clients. Block download is available in the OneDrive mobile client.

Sending Password-Protected Links

To begin, select a document and share it. Select “Anyone with the link” as the share. Click Anyone with the link to change the settings. In Figure 1 you can see that a password has been entered and we’ve also selected the option to block the recipient from downloading the document. This forces Office 365 to call the online app to display the content, so it only works for Office documents.

Figure 1: Adding a password to protect an Anyone link for a SharePoint document

When you’ve updated the settings, click Apply. You should now see that the icons under the link have changed to include a padlock (password protected) and download barrier (Figure 2).

Figure 2: Reviewing the sharing link before sending it

If a sharing link has already been created with a password, you’ll have the chance to update the link with a new password or use the existing password (Figure 3). It’s not a good idea to replace a password on a sharing link unless you update previous recipients with the new password.

Figure 3: A password already exists for a sharing link

Click Send to tell Office 365 to create and send the message with the sharing information. You’ll find the message in the Sent Items folder of your Exchange Online mailbox. When the recipient opens the message, they’ll see that the link will work for anyone with the password. Before they can open the content, you’ll need to give them the password through email, a voice message, SMS, Teams personal chat, or other method. Once they have the password, they can click the link, input the password (Figure 4) and see the content.

Figure 4: Entering a password for a sharing link

Limited Access to Content

In our case, the link we sent was both password-protected and blocked for download. As noted above, if the document is an Office file, Office 365 calls the relevant online app to open it. As you can see in Figure 5, the user is blocked from downloading and printing the file.

Figure 5: Document blocked from download by a setting in a sharing link

Modify Links

If necessary, you can use SharePoint’s Modify Access feature to update sharing links, including the ability to reset passwords in links. You can’t remove a password from a link once it is present.

Password-protected sharing links are straightforward to use. The sole difficulty might be for organizations to embrace the idea that they can permit Anyone links. After all, even if you decide that it’s OK to allow these links, there’s no way to force users to add passwords to the links every time. Perhaps that might be a future feature.
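Because passwords on Anyone links cannot be enforced, an organization that permits these links can at least track where they are allowed and who creates them. The following is an added example, not part of the original post; it assumes existing Connect-SPOService and Connect-ExchangeOnline sessions and hypothetical output file names.

```powershell
# Added example: report where Anyone links are permitted and list recently
# created Anyone links. Not code from the original article.
# Assumes: Connect-SPOService and Connect-ExchangeOnline already run.

# SharingCapability value that permits Anyone (anonymous) links
$AnyoneValue = 'ExternalUserAndGuestSharing'

# 1. Tenant-wide sharing posture
$Tenant = Get-SPOTenant
[PSCustomObject]@{
    SharingCapability       = $Tenant.SharingCapability
    AnyoneLinksAllowed      = ($Tenant.SharingCapability -eq $AnyoneValue)
    AnyoneLinkExpiryDays    = $Tenant.RequireAnonymousLinksExpireInDays
    DefaultSharingLinkType  = $Tenant.DefaultSharingLinkType
    FileAnonymousLinkType   = $Tenant.FileAnonymousLinkType
    FolderAnonymousLinkType = $Tenant.FolderAnonymousLinkType
} | Format-List

# 2. Sites whose own setting permits Anyone links. A site cannot be more
#    permissive than the tenant, so this list only matters when
#    AnyoneLinksAllowed above is True.
$OpenSites = Get-SPOSite -Limit All |
    Where-Object { $_.SharingCapability -eq $AnyoneValue } |
    Select-Object Url, Owner, SharingCapability
$OpenSites | Export-Csv -Path c:\temp\SitesAllowingAnyoneLinks.csv -NoTypeInformation

# 3. Anyone links created in the last 7 days, from the unified audit log.
#    A single call returns at most 5,000 records.
$Records = Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-7) `
    -EndDate (Get-Date) -Operations AnonymousLinkCreated -ResultSize 5000

$Links = foreach ($Record in $Records) {
    # AuditData is a JSON string holding the SharePoint event details
    $Data = $Record.AuditData | ConvertFrom-Json
    [PSCustomObject]@{
        Created = $Record.CreationDate
        User    = $Record.UserIds
        Site    = $Data.SiteUrl
        Item    = $Data.ObjectId
    }
}

# Who creates the most Anyone links, then the full list for follow-up
$Links | Group-Object User | Sort-Object Count -Descending |
    Select-Object Name, Count | Format-Table -AutoSize
$Links | Sort-Object Created |
    Export-Csv -Path c:\temp\AnyoneLinksCreated.csv -NoTypeInformation
```

The report shows that a link was created, not whether its owner set a password, so use it to follow up with the people who share most.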


For more information about managing SharePoint Online and OneDrive for Business, read the chapter in the Office 365 for IT Pros eBook.

SharePoint Online’s Useful Manage Access Option https://office365itpros.com/2019/07/10/sharepoint-online-useful-manage-access-option/?utm_source=rss&utm_medium=rss&utm_campaign=sharepoint-online-useful-manage-access-option https://office365itpros.com/2019/07/10/sharepoint-online-useful-manage-access-option/#respond Wed, 10 Jul 2019 08:04:27 +0000 https://office365itpros.com/?p=3435

How to Check That You’re Sharing with the Right People

If you’re not a SharePoint professional, the permissions to allow people to access files can be confusing. The advent of Office 365 Groups and Teams makes it much easier because everyone in a group has the same level of access to data (and you should resist the temptation to mess with the permissions for a group-enabled SharePoint site).

The permissions assigned to group members give them direct access. You can also give access to other people inside and outside the tenant by sharing files or folders with them. Unless they know about user sharing, owners of a site can lose sight of the access non-site members have to content, and that’s a bad thing. Fortunately, SharePoint Online now has a Manage Access option to help.

Managing Access

To access the Manage Access (or manage permissions) panel, select a document and open the details pane (the pane that shows you the document title and other properties and allows you to assign a retention label). Click Manage access and you’ll see something like what’s shown in Figure 1, which comes from a document stored in the site we use to build Office 365 for IT Pros.

Figure 1: SharePoint Online Manage Access

The Direct Access section lists the permissions granted through the Office 365 Group that owns the site. You can change these by clicking the Advanced link, which brings you to the old-style permissions management screen (Figure 2). Don’t make changes here. As noted above, it can lead to a world of hurt.

Figure 2: Managing SharePoint Site Permissions the Old-Fashioned Way

Above Direct Access, we see any sharing links that exist for the document. In this case, there’s just one. If you click […] beside the link, SharePoint shows you details of the link. You can edit the link settings to add people, remove people, change what the link allows (from view only to edit or vice versa), or remove the link entirely (Figure 3).

Figure 3: Editing details of a sharing link

Remember to Save when you’re finished changing permissions. It’s amazing how often people don’t and then can’t understand why the permissions they set aren’t active!


For more information about how to manage SharePoint Online, read the riveting chapter in Office 365 for IT Pros.

Microsoft Reveals Secrets of SharePoint Online Storage https://office365itpros.com/2019/06/25/sharepoint-online-storage/?utm_source=rss&utm_medium=rss&utm_campaign=sharepoint-online-storage https://office365itpros.com/2019/06/25/sharepoint-online-storage/#comments Tue, 25 Jun 2019 07:32:43 +0000 https://office365itpros.com/?p=3190

SharePoint Online Storage Protected by Keys Upon Keys Upon Keys

Updated 19 February 2023

One of the interesting aspects of how Microsoft 365 has developed over the past few years is the increasing use of SharePoint Online. Some of the use comes from organizations migrating on-premises SharePoint to the cloud, but the biggest factor driving SharePoint usage for many tenants is the growth in Teams. (In January 2023, Microsoft reported that Teams had 280 million monthly active users.)

If you’re a Microsoft 365 tenant administrator, apart from making sure that you have enough SharePoint storage and knowing what sites are using the storage, you probably don’t think too much about where that storage is and how it’s organized. SharePoint aficionados know that Azure SQL is the basic platform and that SharePoint organizes itself into server farms, but after that, knowledge soon runs out. This is typical of cloud systems: all you care about is the functionality delivered by an application, you don’t need to know its internal architecture and the details of how the application stores objects like documents and lists.

Microsoft Documents Protection for SharePoint Online Storage

Microsoft’s online documentation for Microsoft 365 is getting better and better. Among the recent jewels I found is a Microsoft article published on March 1, 2019 covering the encryption used to protect data used by Microsoft 365 applications like Exchange Online and SharePoint Online. Many interesting facts about SharePoint storage are revealed in the discussion including:

  • How Microsoft manages the encryption keys used to secure SharePoint Online and OneDrive for Business data.
  • How SharePoint splits data up into chunks, each encrypted with its own unique AES 256-bit key.
  • The chunks (files, pieces of files, and update deltas) are held in multiple Azure storage accounts where they are stored as encrypted blobs.
  • How an SQL database tracks the different chunks of data so that they can be assembled and provided to clients. The database also holds the keys needed to decrypt the content.
  • How three keys are used to access data and that data is useless unless all the keys are available. As the document says: “Without access to all three, it is impossible to retrieve the keys to the chunks, decrypt the keys to make them usable, associate the keys with their corresponding chunks, decrypt each chunk, or reconstruct a document from its constituent chunks.”

Microsoft’s description emphasizes the complex network of protection they use to protect customer information. Even if a hacker managed to penetrate a Microsoft 365 datacenter, they would face considerable challenges to figure out what data is present and how to access that data. This is why it’s important to protect against account compromise because the easiest way for a hacker to gain access to confidential customer data is to use compromised account credentials.

Sensitivity Labels Deliver More Protection

The page is full of interesting information that should assuage any doubts that security personnel have about sharing confidential information in the cloud. And remember, this scheme applies to all content in SharePoint Online storage. If you want to have an even greater level of security, you can use Microsoft Purview sensitivity labels to apply rights management-based encryption to protect your most valuable documents.

It’s amazing what exists in Microsoft’s documentation, if only we had the time to read it all. I guess that’s why books exist to distil and explain the most important items tenant administrators need to understand about managing the Microsoft 365 applications.


SharePoint Online and Purview Sensitivity Labels are covered in the Office 365 for IT Pros eBook. We don’t get down into the weeds of how SharePoint Online storage is protected in Microsoft datacenters, but we do cover a lot of other valuable stuff.

Important Change to SharePoint Online Retention Policy Processing https://office365itpros.com/2019/06/20/sharepoint-online-retention-preservation-hold/?utm_source=rss&utm_medium=rss&utm_campaign=sharepoint-online-retention-preservation-hold https://office365itpros.com/2019/06/20/sharepoint-online-retention-preservation-hold/#respond Thu, 20 Jun 2019 07:49:45 +0000 https://office365itpros.com/?p=3178

Changes to Avoid Inadvertent SharePoint Data Loss

Office 365 Notification MC182494 (Figure 1) informs us about some important changes coming to the SharePoint Online Preservation Hold Library. The changes relate to Office 365 Roadmap item 52431 to address an issue where data loss can occur when a retention policy is removed from SharePoint sites.

Figure 1: Big Changes Coming to how Office 365 Retention interacts with SharePoint’s Preservation Hold Library

Office 365 Retention Policies Keep Data Until They’re Removed

Office 365 retention policies put holds on data to stop information being removed. SharePoint stores modifications and deleted content in the Preservation Hold Library of sites within scope of retention policies. At the end of the retention period (for example, 5 years), content is moved to the first-stage recycle bin and stays there for the 93-day retention period. After this period elapses, the content is permanently removed and becomes irrecoverable.

The problem is that an administrator might inadvertently remove a retention policy from one or more sites. The hold on content in the Preservation Hold Library is removed and the content can be immediately purged by background processes because it’s likely that the files were originally deleted more than 93 days ago. Administrators can’t stop the purge happening, and if they don’t notice that the retention policy was removed, data loss can happen. In fact, even if someone does notice that the retention policy was removed and reapplies the policy, the time needed to reimplement the policy on affected sites could still leave a gap (from when the policy was removed) when data loss can occur.

New 30-Day Grace Period

To fix the problem, starting in August 2019, Microsoft will change what happens when a retention policy is removed from a site. The new behavior is that a 30-day grace period starts when a retention policy is removed from a site to stop the release of the hold on the site. During the grace period, any item in the Preservation Hold Library is kept because the hold is still in place. Once the 30-day grace period elapses, the hold is released, and SharePoint goes ahead and deletes the items. Another change now kicks in to put items deleted from the Preservation Hold Library into the second-stage recycle bin instead of being purged. Items stay in the second-stage recycle bin for up to 93 days after their deletion before they are permanently removed. During this time, items can be recovered by site administrators.

Need to Keep an Eye on Retention Policies

The combination of a 30-day grace period before purges occur and the ability to recover purged content from the Preservation Hold Library and second-stage recycle bin before irrecoverable deletion gives administrators the ability to avoid data loss. That is, if someone notices that a retention policy has been removed from SharePoint. We all check retention policies and the locations that come within their scope on an ongoing basis, don’t we?
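One way to make that ongoing check routine, as an added example that is not part of the original post: snapshot the SharePoint locations of every retention policy and compare each run with the previous one. It assumes an existing Connect-IPPSSession (Security & Compliance PowerShell) session and a hypothetical snapshot path.

```powershell
# Added example: detect SharePoint sites that have dropped out of the scope
# of a retention policy since the last run. Not code from the original article.
# Assumes: Connect-IPPSSession already run with a compliance administrator.

$SnapshotPath = 'c:\temp\RetentionSharePointLocations.txt'   # hypothetical path

function Get-RetentionSiteMap {
    # -DistributionDetail is needed for the location properties to be populated
    foreach ($Policy in (Get-RetentionCompliancePolicy -DistributionDetail)) {
        foreach ($Location in $Policy.SharePointLocation) {
            # Name is the site URL, or "All" for a policy covering all sites
            "{0}`t{1}" -f $Policy.Name, $Location.Name
        }
    }
}

$Current = @(Get-RetentionSiteMap)

if (Test-Path -Path $SnapshotPath) {
    $Previous = @(Get-Content -Path $SnapshotPath)

    # Anything in the last snapshot but not in this one was removed from a
    # policy, or the whole policy was deleted. A policy changed from "All"
    # to named sites also appears here.
    $Removed = foreach ($Entry in $Previous) {
        if ($Entry -and ($Entry -notin $Current)) {
            $Policy, $Site = $Entry -split "`t", 2
            [PSCustomObject]@{
                Policy                  = $Policy
                Site                    = $Site
                DetectedOn              = (Get-Date).ToString('yyyy-MM-dd')
                # The 30-day grace period started at removal, which happened
                # before this run, so it ends no later than this date.
                GraceEndsNoLaterThan    = (Get-Date).AddDays(30).ToString('yyyy-MM-dd')
            }
        }
    }

    if ($Removed) {
        Write-Warning ("{0} SharePoint location(s) no longer covered by a retention policy" -f @($Removed).Count)
        $Removed | Format-Table -AutoSize
    } else {
        Write-Output 'No SharePoint locations removed from retention policies since the last snapshot.'
    }
} else {
    Write-Output 'No previous snapshot found; creating the baseline.'
}

# Save the current state as the baseline for the next run
Set-Content -Path $SnapshotPath -Value $Current
```

Run it on a schedule shorter than 30 days so that a removal is always noticed while the hold is still in place.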

No Fun for Users in Yammer Migration to SharePoint Files https://office365itpros.com/2019/06/12/yammer-files-migration-sharepoint/?utm_source=rss&utm_medium=rss&utm_campaign=yammer-files-migration-sharepoint https://office365itpros.com/2019/06/12/yammer-files-migration-sharepoint/#respond Wed, 12 Jun 2019 11:46:49 +0000 https://office365itpros.com/?p=3029

Question to Microsoft: Wouldn’t an Automated Process Have Been Better?

Hot on the heels of the news of Microsoft’s somewhat strange plans for Yammer data residency in the European Union, we have an Office 365 notification MC181531 to tell us about the storage of new files posted in Yammer groups in SharePoint.

 MC181531 Says that New Yammer Files will be in SharePoint

Slow Progress Getting to SharePoint

Progress to this point has been slow. Microsoft announced that Yammer groups would use the Office 365 Groups service to manage membership in 2017 including a closer link with SharePoint. Roll forward to Ignite 2018, and the new GM for Yammer confirmed that Yammer would soon make SharePoint its default location for file storage. Everything would happen by the end of Q4 2018.

Microsoft dutifully began to make the changeover to SharePoint in December 2018, but must have met problems as the project seemed to go into a black hole for several months. Now we’re being told that the roll-out will begin in mid-June and be complete worldwide by the end of July 2019.

Manual File-by-File Migration

There’s no migration for existing files. This data will stay in a read-only state in Yammer cloud storage and if you want to move files to SharePoint to take advantage of Office 365 data governance functionality like Data Loss Prevention, retention policies, and so on, you must download files and upload them to SharePoint, which sounds like a wonderful way to spend a wet Sunday afternoon.

On the upside, Microsoft promises “When Yammer files are stored in SharePoint, you can organize the files into folders, change access permissions on files, and have additional revision tracking and version control options.” In other words, it’s all good news and nothing whatsoever to worry about.

ISVs Apps Might Break Too

Further brightening the mood, MC181531 also tells us that the changeover might break third-party apps that use the Yammer APIs “because the Yammer OAuth token does not include claims from Azure Active Directory, which is required for accessing files stored in SharePoint.”

Could Software Engineering Help?

Perhaps I am ultra-critical by imagining that some of these issues could have been solved by software engineering before being inflicted on Office 365 tenants, but I think not. The switchover seems to be good for Microsoft because they can look forward to consolidating Yammer storage in SharePoint while delivering a poor user experience for customers.

Compared to other Office 365 apps, the feature gap in Yammer and the way that it sometimes behaves makes Yammer less attractive than it should be. That’s been the situation since 2014 or thereabouts and it doesn’t seem that Microsoft wants to change a winning formula.


For many reasons, we don’t cover Yammer much in the Office 365 for IT Pros eBook. A Yammer pro once offered to write a chapter for us, but that never happened. You’ll just have to read about other interesting information, like Office 365 Groups, Teams, Planner, Azure Active Directory, and so on.

Microsoft Refreshes Teams Files Channel Tab to Expose More SharePoint Features https://office365itpros.com/2019/06/04/microsoft-refreshes-teams-channel-tab-to-expose-more-sharepoint-features/?utm_source=rss&utm_medium=rss&utm_campaign=microsoft-refreshes-teams-channel-tab-to-expose-more-sharepoint-features https://office365itpros.com/2019/06/04/microsoft-refreshes-teams-channel-tab-to-expose-more-sharepoint-features/#comments Tue, 04 Jun 2019 07:50:18 +0000 https://office365itpros.com/?p=2946

Files Tab Now Close to Functionality Available in SharePoint Browser UI

On May 20, Microsoft posted Office 365 notification MC180213 to let tenants know that a refreshed version of the Files channel tab is now rolling out. Commercial Office 365 tenants should see the new functionality in June, but there’s no news when it might be available for GCC tenants. Meeting the commitment in Office 365 Roadmap item 51234, Microsoft says that the Files tab has a new look and “many new features,” which might assuage those who didn’t like the simplified version previously used by Teams (I thought that the design of Files had advantages and disadvantages).

Using the New Files Tab

You don’t have to do anything to see the new UI as it is enabled automatically. When you open Files, you’ll see that new views are available, including any customized view created for a document library. The set of options available is more extensive and now includes the ability to check-out documents (Figure 1). You can also pin documents to the top of the library, just like you can do inside SharePoint.

Figure 1: Using the new Files channel tab in Teams

You can now set up the synchronization of libraries (with the OneDrive client) from within Teams and use custom filters and views, all of which make the Files channel tab more useful.

What’s Missing

Although more functional than the last iteration, the new Files channel tab does omit some options available in SharePoint. For instance, you can’t access the version history of a document, so you can’t restore back to a previous version. You can’t attach a Flow to a document or create an alert. Finally, you can’t access and update document properties. This means that users can’t select retention labels (or sensitivity labels, when Microsoft supports these in the SharePoint user interface), or custom properties such as the “publication date” and “publication” shown in Figure 2.

Figure 2: Editing properties for a SharePoint Online document

Although an easy workaround for the issue exists (coach users to open the library with SharePoint Online when they want to perform these actions), it does seem strange that Microsoft didn’t include document properties in the new Files channel tab. Perhaps they’ll do so in the next iteration.

One final point. If you create a SharePoint Document Library tab in a channel, it uses the old Files view rather than the new. This is a little confusing (or at least, it was to me…).


For more information about Teams, read Chapter 13 in the Office 365 for IT Pros eBook. You can find out lots of tips and techniques for SharePoint Online too; it’s in Chapter 8.

Teams Increases Group Chat Limit to 100 Participants and Improves Shareable File Links https://office365itpros.com/2019/05/14/teams-increases-group-chat-limit-improves-shareable-links/?utm_source=rss&utm_medium=rss&utm_campaign=teams-increases-group-chat-limit-improves-shareable-links https://office365itpros.com/2019/05/14/teams-increases-group-chat-limit-improves-shareable-links/#comments Tue, 14 May 2019 07:29:37 +0000 https://office365itpros.com/?p=2761

Teams Group Chat Limits

Office 365 Message Center Update MC179396 (Roadmap item 51235) brings the news that Teams group chats now support an increased limit of 100 participants (from the previous 50). The roll-out of the new limit starts in June and should be complete by the end of July, except for GCC tenants.

Group chats are a useful way of getting together a set of people to discuss and refine an issue before bringing it for wider debate (or announce a decision) in a channel or via email. Unlike a team channel, where any member can see anything, a chat is limited to those invited to join. Chats don’t have owners, and anyone in a chat has the same rights as others, including the ability to remove someone else from the conversation. Files shared in a group chat are stored in the OneDrive for Business account of the sharer instead of a SharePoint site.

Figure 1: Naming a Teams Group Chat

It’s good practice to give a name to a group chat. This allows participants to identify the chat in their chat list and it’s also helpful if you ever need to look for something with eDiscovery as the chat name appears in the compliance items captured in Exchange mailboxes of the chat participants.

Teams Shareable File Links with Permissions

Teams has always had the ability to generate links to files stored in its SharePoint sites. Message Center update MC179400 (Roadmap item 51230) tells us that the shareable links created by Teams for posting into channel conversations and chats will now hold permissions in much the same way as the links generated by SharePoint and OneDrive for Business. As shown in Figure 2, you can assign permissions (including the ability to edit) to:

  • Anyone with the link (if allowed by the tenant sharing settings for SharePoint Online).
  • Tenant users with the link.
  • People with existing access (members of the team).
  • Specific people.
Figure 2: Specifying permissions for a shareable link generated by Teams

Once Teams generates a link, you can copy it into a channel conversation or chat. This action converts the link (something like https://tenant.sharepoint.com/:w:/s/O365ExchPro/ER3RMYkKBUBGiPXVqXQFgdkBK-rOsJHA6FSmqrr_75iaeQ?e=jGsU8C ) into a “file chiclet object” (a new term to me).

Figure 3: A File Chiclet Object created from a Teams shareable link

The new form of shareable links is rolling out to Office 365 tenants in May 2019 and should be available worldwide by the end of June.


These small but important changes are the kind of stuff we track on a daily basis to make sure that the Office 365 for IT Pros eBook is as up-to-date as we can make it. Read Chapter 13 for the latest information about Teams.

Limiting SharePoint Storage for Teams https://office365itpros.com/2019/05/09/limiting-sharepoint-storage-teams/?utm_source=rss&utm_medium=rss&utm_campaign=limiting-sharepoint-storage-teams https://office365itpros.com/2019/05/09/limiting-sharepoint-storage-teams/#comments Thu, 09 May 2019 08:44:28 +0000 https://office365itpros.com/?p=2407

A Profusion of Teams Can Consume Storage

When Teams creates a new team, it provisions a SharePoint Online team site along with other resources like a shared notebook and wiki. All of this is goodness, unless you like managing SharePoint storage manually.

SharePoint Site Storage Management

By default, SharePoint Online uses a central pool of storage that all sites draw upon on an as-needed automatic basis up to a maximum of 25 TB per site. Sounds good, because who wants to keep a close eye on site storage quotas to adjust them whenever sites need more space to allow users to store documents and do other useful work? But the downside is that if you allow free creation of Office 365 groups and teams, the central pool can be absorbed quicker than you anticipate and force the tenant to buy more storage from Microsoft just to keep operations running.

Enterprise tenants get 1 TB of SharePoint storage plus 10 GB per licensed Office 365 account. The new SharePoint Online Admin Center makes it easy to see how much storage the tenant has and what sites are consuming most storage. You can also export details of sites to a CSV file to dice and slice the data as you want.

Tracking storage usage with the (new) SharePoint Admin Center

If you use Office 365 retention policies to make sure that documents are kept for specific periods, you’ll discover that more storage is consumed because SharePoint must keep copies of deleted files. In any case, most tenants are happy to leave SharePoint to manage site storage automatically, which is the default management setting for Office 365 tenants. You only need to change the Site storage limits setting to Manual in the SharePoint Admin Center if you want to control the storage allocation for individual sites.

SharePoint Online site storage management settings

Controlling Individual Site Storage

One reason why you might want to control storage for individual sites is when a tenant makes extensive use of Teams and you don’t want the sites created for teams to be able to grow to 25 TB. In this scenario, you can switch the Site storage limit setting to Manual and then:

  • Edit the storage quota for each site through the SharePoint Admin Center, or
  • Use PowerShell to set a storage quota for every site associated with Teams and then adjust the quota upwards as necessary for individual sites.

Given the number of sites that you might need to process, the second option (PowerShell) is best.

Setting Storage Quotas for SharePoint Sites with PowerShell

The only complication we face is that the cmdlets needed for the job are spread across three modules: Teams, Exchange Online, and SharePoint Online. Once you’ve loaded the modules and connected to the three endpoints with a tenant administrator account, the code to update sites is pretty simple:

  • Find all teams.
  • Find the SharePoint site URL for each team (already covered in a previous post).
  • Update the storage quota for the site.

Here’s some code to do the work. In this example, we set a 20 GB quota for each site with a warning limit at 98% of quota:

# SetTeamsSitesStorage.PS1
# Set the storage for the SharePoint sites belonging to Teams to a certain storage value
# Requires connections to Teams, Exchange Online, and SharePoint Online
#
# Find Teams (-Visibility Public limits this to public teams; omit it to process every team)
Write-Host "Finding Teams in the Tenant..."
$Teams = (Get-Team -Visibility Public | Select DisplayName, GroupId)
ForEach ($T in $Teams) {
    # Get the URL of the SharePoint site that belongs to the team's group
    $SPOUrl = (Get-UnifiedGroup -Identity $T.GroupId | Select -ExpandProperty SharePointSiteURL)
    If ($SPOUrl -ne $Null) {
       Write-Host "Setting SharePoint Site quota to 20 GB for" $T.DisplayName
       # Set storage value for SharePoint site: 20480 MB quota, warning at 20070 MB (98%)
       Set-SPOSite -Identity $SPOUrl -StorageQuota 20480 -StorageQuotaWarningLevel 20070 }
    Else {Write-Host "Can't Process storage update for" $T.DisplayName "- Please check SharePoint site" -ForegroundColor Red}}

After you’ve set the storage quotas for the sites owned by Teams, you can set the Site storage limits setting back to Automatic to allow SharePoint to manage storage for the sites that don’t belong to Teams.

Of course, the problem with any procedure like this is that you need to periodically rerun the code to deal with newly-created sites. To avoid reprocessing sites, you could update one of the 15 customized attributes available for Office 365 groups when you set the storage for a site and check if the attribute is set the next time the script runs.
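The rerun-safe variant described above, as an added example that is not part of the original post. It assumes CustomAttribute15 is unused in the tenant; the marker value and the variable names are this example's own choices.

```powershell
# Added example: apply the quota once per team site and record that fact on the group,
# so later runs only touch newly created teams and leave manual adjustments alone.
# Assumes Exchange Online and SharePoint Online sessions are already connected.
# ASSUMPTION: CustomAttribute15 is free for this purpose in your tenant.

$QuotaMB   = 20480                               # 20 GB
$WarningMB = [int][math]::Floor($QuotaMB * 0.98) # warning level at 98% of quota (20070)
$Marker    = "SPOQuota-$QuotaMB"                 # hypothetical marker value

# One call returns only team-enabled groups, including the site URL and custom attributes
$Groups = Get-UnifiedGroup -Filter {ResourceProvisioningOptions -eq "Team"} -ResultSize Unlimited

$Updated = 0; $Skipped = 0; $Failed = 0
ForEach ($G in $Groups) {
    # Already processed on an earlier run: leave the site alone so that a quota
    # an administrator raised by hand is not reset to the default
    If ($G.CustomAttribute15 -eq $Marker) { $Skipped++; Continue }

    # A group whose site has not been provisioned yet has no URL; pick it up next run
    If ([string]::IsNullOrEmpty($G.SharePointSiteUrl)) {
        Write-Warning "No SharePoint site URL yet for $($G.DisplayName)"
        $Failed++; Continue
    }

    Try {
        Set-SPOSite -Identity $G.SharePointSiteUrl -StorageQuota $QuotaMB `
            -StorageQuotaWarningLevel $WarningMB -ErrorAction Stop
        # Write the marker only after the quota update succeeded
        Set-UnifiedGroup -Identity $G.ExternalDirectoryObjectId -CustomAttribute15 $Marker -ErrorAction Stop
        $Updated++
    }
    Catch {
        Write-Warning "Could not process $($G.DisplayName): $($_.Exception.Message)"
        $Failed++
    }
}
Write-Host "Updated: $Updated  Skipped (already marked): $Skipped  Failed: $Failed"
```

Because the marker is written after the quota change, a failed run leaves the group unmarked and the next run retries it.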

—————————————

For more on managing Teams with PowerShell, read Chapter 14 of the Office 365 for IT Pros eBook.

How to Rename the Site Address (URL) for a SharePoint Online Site https://office365itpros.com/2019/05/02/rename-sharepoint-site-address/?utm_source=rss&utm_medium=rss&utm_campaign=rename-sharepoint-site-address https://office365itpros.com/2019/05/02/rename-sharepoint-site-address/#comments Thu, 02 May 2019 08:48:21 +0000 https://office365itpros.com/?p=2634

Rename SharePoint Site Address Answers a Long-Overdue Customer Request

Refreshed on 14 November to reflect new UI in SharePoint Admin Center.

Site owners have been able to change many properties of their sites (like logos, display names, and so on), but they haven’t been able to change site URLs. But now, the modern SharePoint Admin Center includes the ability to update the address (URL) and display name for a site. You still can’t change the tenant’s domain name (the tenant.sharepoint.com part of the URL); only the site name part can be renamed.

SharePoint administrators can rename on-premises sites with PowerShell (here’s one example). One workaround used is to create a new site and copy everything from the old to the new. This works, but it isn’t a recommended approach when sites belong to Office 365 Groups (including Teams) because the properties of the group objects include pointers to the SharePoint sites. For example:

Get-UnifiedGroup -Identity "Marketing Gurus" | Format-List SharePoint*

SharePointSiteUrl      : https://tenant.sharepoint.com/sites/marketinggurus
SharePointDocumentsUrl : https://tenant.sharepoint.com/sites/marketinggurus/Shared Documents
SharePointNotebookUrl 

The SharePointNotebookURL is blank if the shared OneNote notebook has never been used by the group.

Renaming a site is Office 365 roadmap item 56205. It first appeared as a preview feature in May 2019. Office 365 notification MC193275 on 16 October revealed that the feature rolled out to customers in mid-October 2019.

Different Nature of SharePoint Online

All of this proves that SharePoint Online is a more complex environment than SharePoint on-premises. Apart from working inside the multi-tenant Office 365 ecosystem, SharePoint Online is a provider of document management services to other apps while on-premises SharePoint Server is the center of its own ecosystem.

Office 365 tenants have asked Microsoft to allow the rename of sites for many years. When an Office 365 group or team is created, the SharePoint site is named after the group or team. You can rename an Office 365 group or team later to reflect changing circumstances (for example, a project used to be called “Alpha Contoso” and now is “Better Products”), but you couldn’t rename the site.

Rename SharePoint Site Address – SharePoint Admin Center

To rename a site, log on as a tenant global administrator, launch the SharePoint Admin Center, go to Active Sites, select the site you want to rename, and open the properties pane. If you see the banner in Figure 1, it means that the selected site comes within the scope of an Office 365 retention policy or eDiscovery hold. You can’t change the site URL if these conditions exist. If you decide that you really need to change the URL, you’ll have to remove the site from the policy or hold.

Figure 1: Can’t rename a SharePoint site URL because of a retention policy

Click the Edit link under the URL to begin the rename process. Now overtype the current name of the site to enter a new name. SharePoint checks that the new name is available and if everything’s OK, click Save to rename the site. SharePoint also asks if you want to rename the site (to keep it aligned with the new site URLs). You don’t have to do this, but it is a good idea.

Figure 2: Entering a new address for the site

After saving the new site address, you’ll be asked if you want to update the display name for the site too. Although this isn’t mandatory, it’s wise to have the display name match the new site address.

Processing the request to update the site address takes a little time to complete and the site is locked during this period. Once done, SharePoint returns to the Active Sites list. To check that everything works as expected, you can select the site, open the properties pane, and click on the site URL. If the site is connected to an Office 365 group, you can also run the Get-UnifiedGroup cmdlet to check that the URLs are adjusted as expected.

It’s important to understand that renaming a group-connected site does not affect any of the other group properties such as its display name, alias, or email address. If you want to change these properties, do this by running the Set-UnifiedGroup cmdlet.

Sharing Links are Upgraded after Rename

Sharing links are sent by site members to share documents with other people. The sharing links contain a reference to the site. Testing reveals it takes SharePoint a couple of minutes to create a redirection site in its namespace (you see a Server 500 error during this time). Once the redirect is in place, old sharing links work and bring users to the newly renamed site. OneDrive synchronization also continues to work after site renames.

See this page to learn how to query the redirects known to SharePoint and remove them if necessary.

Rename SharePoint Site Address – PowerShell

The latest version of the PowerShell module for SharePoint Online includes the Start-SPOSiteRename cmdlet. Here’s an example of renaming a site with PowerShell:

# Rename a SharePoint Site
Start-SPOSiteRename -Identity https://tenant.sharepoint.com/sites/europeanoffice365engage -NewSiteUrl https://tenant.sharepoint.com/sites/euroOffice365Engage

Confirm
Are you sure you want to perform this action?
This operation will change the URL for site
https://tenant.sharepoint.com/sites/europeanoffice365engage to
https://tenant.sharepoint.com/sites/euroOffice365Engage. Do you want to continue? Y/N
[Y] Yes  [A] Yes to All  [N] No  [L] No to All  [S] Suspend  [?] Help (default is "Y"): y

CurrentSiteUrl : https://tenant.sharepoint.com/sites/europeanoffice365engage
NewSiteUrl     : https://tenant.sharepoint.com/sites/euroOffice365Engage
NewSiteTitle   :
RenameID       : bad6b1ae-8995-77ae-9d01-2cac19bfb7bd
State          : InProgress
TriggeredBy    : SPO-administrator@office365itpros.com

Audit Records Generated for Rename SharePoint Site Addresses

When you rename a site, SharePoint captures details of the action in a SiteRenameScheduled audit record. After a short period, the audit record is ingested into the Office 365 audit log and is available for review (Figure 3).

Figure 3: Office 365 Audit record for a site rename operation

The Search-UnifiedAuditLog cmdlet can also be used to find these records:

# Look for SharePoint Site Rename Records
Search-UnifiedAuditLog -Operations SiteRenameScheduled -StartDate 1-May-2019 -EndDate 10-May-2019 -SessionControl ReturnLargeSet -ResultSize 5000 | Format-Table Creationdate, Operations, Userids

CreationDate        Operations          UserIds
 ------------        ----------          -------
 8 May 2019 18:08:42 SiteRenameScheduled SPO-Administrator@office365itpros.com
 3 May 2019 11:05:04 SiteRenameScheduled Jan.Smith@office365itpros.com
 2 May 2019 12:33:40 SiteRenameScheduled Alan.Smith@Office365itpros.com
 2 May 2019 12:24:58 SiteRenameScheduled Ian.Best@Office365itpros.com
 1 May 2019 13:53:57 SiteRenameScheduled Jan.Akers@office365itpros.com

The information about the site being renamed and its new name is found in the AuditData property of the audit records. This property is in JSON format and must be unpacked to extract the information. You can learn how in Chapter 21 of the Office 365 for IT Pros eBook.
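An added example (not from the original article) of unpacking the AuditData JSON so that rename events can be reviewed per account. The sample records are constructed, the function name Expand-SiteRenameAudit is hypothetical, and because this page does not name the property that carries the new URL, the function returns every property outside the common audit schema for inspection.

```powershell
# CONSTRUCTED sample records standing in for Search-UnifiedAuditLog output.
# Field values are illustrative; the third record is deliberately truncated JSON.
$SampleRecords = @(
    [PSCustomObject]@{
        UserIds   = 'SPO-Administrator@office365itpros.com'
        AuditData = '{"CreationTime":"2019-05-08T18:08:42","Operation":"SiteRenameScheduled","Workload":"SharePoint","UserId":"SPO-Administrator@office365itpros.com","ObjectId":"https://tenant.sharepoint.com/sites/europeanoffice365engage","EventSource":"SharePoint"}'
    },
    [PSCustomObject]@{
        UserIds   = 'Jan.Smith@office365itpros.com'
        AuditData = '{"CreationTime":"2019-05-03T11:05:04","Operation":"SiteRenameScheduled","Workload":"SharePoint","UserId":"Jan.Smith@office365itpros.com","ObjectId":"https://tenant.sharepoint.com/sites/marketinggurus","EventSource":"SharePoint"}'
    },
    [PSCustomObject]@{
        UserIds   = 'Ian.Best@Office365itpros.com'
        AuditData = '{"CreationTime":"2019-05-02T12:24:58","Operation":"SiteRen'
    }
)

function Expand-SiteRenameAudit {
    [CmdletBinding()]
    param([Parameter(Mandatory, ValueFromPipeline)] $Record)
    begin {
        # Properties defined by the common audit schema; anything else is event-specific
        $Common = 'CreationTime','Id','Operation','OrganizationId','RecordType','UserKey',
                  'UserType','Version','Workload','ClientIP','ObjectId','UserId'
    }
    process {
        try   { $Data = $Record.AuditData | ConvertFrom-Json -ErrorAction Stop }
        catch { Write-Warning "Unparseable AuditData for $($Record.UserIds)"; return }

        # Collect the event-specific properties without assuming their names
        $Extra = [ordered]@{}
        foreach ($P in $Data.PSObject.Properties) {
            if ($P.Name -notin $Common) { $Extra[$P.Name] = $P.Value }
        }
        [PSCustomObject]@{
            TimeUtc   = $Data.CreationTime
            User      = $Data.UserId
            Operation = $Data.Operation
            ObjectId  = $Data.ObjectId     # the object the event applies to
            ClientIP  = $Data.ClientIP
            Other     = $Extra
        }
    }
}

$Renames = $SampleRecords | Expand-SiteRenameAudit

# One line per rename event
$Renames | Format-Table TimeUtc, User, ObjectId -AutoSize

# Who schedules site renames, and how often
$Renames | Group-Object User | Sort-Object Count -Descending | Format-Table Count, Name -AutoSize

# Event-specific properties, listed so the old and new URL fields can be identified
foreach ($R in $Renames) {
    $R.Other.GetEnumerator() | ForEach-Object { "{0}: {1} = {2}" -f $R.User, $_.Key, $_.Value }
}

# Against a live tenant, pipe the page's own query into the function:
# Search-UnifiedAuditLog -Operations SiteRenameScheduled -StartDate 1-May-2019 -EndDate 10-May-2019 -SessionControl ReturnLargeSet -ResultSize 5000 | Expand-SiteRenameAudit
```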

Understand the Side Effects of Rename SharePoint Site Address

Before rushing to rename a site, make sure that you read and understand the side effects of the action documented by Microsoft. Some of these, like losing items in the site recycle bin, are quite destructive.

Update: January 2, 2020: Renaming a site used to have an effect on the connection between Teams (via the Files channel tab) and SharePoint. Microsoft has fixed the problem and you shouldn’t have any problems with Teams now.

One side effect that isn’t documented is that if you have explicitly included or excluded a site in an Office 365 retention policy or eDiscovery hold, you should remove the site reference from the policy or hold before you update the URL. The reason is that the URLs of included or excluded sites are stored in the properties of the policy or hold. If you rename the site, the properties of the policy or hold are not changed to reflect the new URL, which then causes errors when Office 365 tries to apply the policy or hold against the old URL.


We cover SharePoint Online in Chapter 8 of the Office 365 for IT Pros eBook. We also cover a lot of PowerShell for Office 365 Groups and Teams in Chapter 14!

The Case of SharePoint Online’s Missing Retention Labels https://office365itpros.com/2019/04/08/sharepoint-missing-retention-labels/?utm_source=rss&utm_medium=rss&utm_campaign=sharepoint-missing-retention-labels https://office365itpros.com/2019/04/08/sharepoint-missing-retention-labels/#respond Mon, 08 Apr 2019 10:11:54 +0000 https://office365itpros.com/?p=2204
Whoops… What did SharePoint Online do with those retention labels?

Sometimes Office 365 is Infuriating

On March 19, I woke up to discover that all the retention labels assigned to documents in the SharePoint Online sites and OneDrive for Business accounts in my Office 365 tenant had disappeared. No trace of any label existed and you couldn’t assign a label to any document.

What was also weird was that the Security and Compliance Center reported “no data” when I went to look at the retention labels, a fact confirmed by PowerShell as the code below (to list retention labels) returned a big fat nothing.

Get-ComplianceTag | Format-Table Name, IsRecordLabel, HasRetentionAction, RetentionDuration, RetentionAction, Mode -AutoSize

Meltdown in the SCC

As it happened, the week when the problem happened was the annual MVP Summit in Redmond, so I was pretty busy. I pinged a couple of my Microsoft contacts and learned that the Security and Compliance Center was having some problems. So much so that engineers had to disable the ability to edit or delete objects. Later, I discovered that an incident (FO176096) was in progress as some Information Protection labels had gone missing. Now, retention labels could be called Information Protection labels, but they are more likely sensitivity labels (a surplus of labels is always a bad thing). In any case, something screwy was clearly going on.

Details of Office 365 Incident FO176096

The incident report promised that data would be restored, so I decided to wait. And wait, and wait… but the retention labels still haven’t turned up in SharePoint Online. On March 26, I thought that something was stirring when I noticed retention labels appear in one or two sites, but that was only the effect of auto-label policies, as confirmed by the Label Explorer in the SCC. You can confirm the same by looking at the Office 365 audit records created when retention labels are applied to documents (the system rather than a user applies the labels).

The Label Explorer confirms a batch of retention labels were applied by an auto-label policy

Return of the Labels

Retention labels first reappeared in the SCC on March 25, which meant that I could once again assign retention labels to SharePoint and OneDrive for Business documents, but the labels assigned to SharePoint documents beforehand remained invisible. Or missing. Or lost. Or in an unknown state. The retention labels were available and persistent in Exchange and Office 365 Groups.

As mentioned above, labels started to reappear in SharePoint due to auto-label policies on March 26. However, the retention labels assigned explicitly to documents did not come back until April 2, two full weeks after I reported the initial issue. Microsoft hasn’t shared a reason with me yet as to why the problem occurred or what they did to recover the labels. For all I know, the labels went into a black hole, stayed there for a while, and then ambled back out into the sunshine.

Problems for Microsoft

There are a number of very bad things here. First, losing retention labels is a big no-no in terms of compliance. I do not know whether the temporary black-out has affected the retention period for these items. I also don’t know how many other Office 365 tenants were affected by the problem.

Second, although I learned about similar symptoms from other tenants, Microsoft never posted an incident notification in the Service Health Dashboard (SHD) of my tenant. Discovering a major loss of functionality through users is not the way things should work, especially considering all the telemetry Microsoft gathers about Office 365.

Third, the tardiness in restoring SharePoint back to full working condition is regrettable. You could say that I am not amused. It’s a sad example of a quality failure inside Office 365.


The Office 365 for IT Pros eBook can’t explain what SharePoint Online did with those pesky retention labels. But we can explain how retention labels should work, which is covered in Chapter 19.

Why Teams Doesn’t Delete the SharePoint Folder When Removing a Channel https://office365itpros.com/2019/04/02/delete-teams-channel-folder/?utm_source=rss&utm_medium=rss&utm_campaign=delete-teams-channel-folder https://office365itpros.com/2019/04/02/delete-teams-channel-folder/#comments Tue, 02 Apr 2019 18:28:20 +0000 https://office365itpros.com/?p=2296

Any Member of a Team Can Delete a Channel

By default, any member of a team can delete a channel. The sole restriction is the General channel, which cannot be removed. If you want to stop team members deleting channels, edit the team settings and uncheck the box to “allow members to delete and restore channels.”

The setting to stop team members deleting channels

When a channel is deleted, Teams hides the messages that make up channel conversations and starts a 21-day countdown. During this period, a team owner (or a member, if allowed), can restore the channel. Once the period elapses, Teams permanently removes the conversations and they become irrecoverable. However, Teams leaves any data accessed through the channel tabs alone. Although this might surprise some, “Do No Evil” is the right approach.

SharePoint Folders and Teams Channels

Every channel in a team has a folder in the document library in the SharePoint Online site created by Office 365 when it provisions the Office 365 group belonging to a new team. When you create a new channel in a team, Teams creates a folder with the same name in the document library to store files uploaded to the channel. The folder is accessed through the Files tab in the channel (or the SharePoint browser interface). Because Teams creates a folder when it creates a channel, you might think that Teams should remove the channel folder from SharePoint when a channel is deleted. However, this doesn’t happen.

The fundamental reason why the folder is left is that Teams and SharePoint Online have a close but loose relationship. Creating a folder does no harm, but deleting a folder can be very destructive. Teams stores files in the folder, but other applications can store files there too, and users are able to access the folder to work with its content through the SharePoint browser interface. It’s therefore possible that some extra content might be uploaded to the folder that isn’t associated with channel conversations. If Teams deleted the folder along with channel conversations, it would remove that information too. As the support article for the topic notes, the folder also holds some OneNote sections that you might want to keep.

Retention Might Prevent Deletion

Another reason is that Teams cannot assume that it can remove content from SharePoint. The site, document library, or individual files might come within the scope of an Office 365 retention policy, or individual files might be assigned a retention label. In either case, the presence of retention settings can prevent the removal of SharePoint content.

Examine All Channel Tabs

If you want to clean up all traces of a channel, you must first remove it from Teams (and wait for the 21-day countdown to finish) and then remove any other content associated with the channel. The most obvious content is in SharePoint, but there might be other content linked to tabs like plans, forms, and so on. For this reason, before you delete a channel, check out the tabs to understand what content is linked to the channel and then decide what should be removed and when.


For more information about Teams, see Chapter 13 of the Office 365 for IT Pros eBook. Office 365 retention policies and labels are explained in Chapter 19.

How to Report the SharePoint URLs for Teams https://office365itpros.com/2019/03/27/finding-sharepoint-urls-teams/?utm_source=rss&utm_medium=rss&utm_campaign=finding-sharepoint-urls-teams https://office365itpros.com/2019/03/27/finding-sharepoint-urls-teams/#comments Wed, 27 Mar 2019 12:09:50 +0000 https://office365itpros.com/?p=2224

Every Team has a SharePoint Site (Collection)

Updated: 15 February 2021

As you probably all know, Office 365 provisions the group created for each team with a SharePoint site collection. Or rather site, because Microsoft seems to be moving away from referring to collections, possibly because the vast majority of collections created today come from Microsoft 365 Groups and Teams and therefore hold just one site.

In any case, a question posed by Syskit asked how to retrieve the associated SharePoint URLs for teams-enabled Microsoft 365 Groups. The article offered the suggestion that you could run the Get-UnifiedGroup cmdlet as follows:

Get-UnifiedGroup | Select DisplayName, SharePointSiteUrl

The big downsides with this approach are that a) Get-UnifiedGroup is an “expensive” (slow) cmdlet and b) you return all Microsoft 365 Groups and not just the ones enabled for Teams.

Using Get-Team to Find Teams

To be fair, the article was written in November 2018 and doesn’t reflect the state of the art ever since Microsoft delivered Version 0.9.5 of the Teams PowerShell module (the latest version is 1.1.16). The Get-Team cmdlet is the way to return the set of known teams in a tenant. Here’s what we can do:

# Get the set of teams, then read the site URL, alias, and email address from each team's group
$Teams = (Get-Team | Select GroupId, DisplayName)
ForEach ($T in $Teams) {
   $G = (Get-UnifiedGroup -Identity $T.GroupId | Select SharePointSiteURL, Alias, PrimarySmtpAddress)
   Write-Host "URL for the" $T.DisplayName "team is" $G.SharePointSiteURL "and the group mailbox alias is" $G.Alias "with email address" $G.PrimarySmtpAddress }

The code is simple. Create a set of teams and loop through the set to retrieve the SharePointSiteURL for each team. In fact, Get-UnifiedGroup returns three URLs for SharePoint:

  • SharePointSiteURL: The root of the site.
  • SharePointDocumentsURL: The URL for the default document library created in the site. Each channel in the team has a folder in this library, starting with General for the default channel.
  • SharePointNotebookURL: The URL for the shared OneNote notebook belonging to the Office 365 Group/team. Some organizations prefer to replace the Teams Wiki with OneNote.

Even Faster Code

Time moves on and we have better ways of reporting the information. As described in this article, here’s how we could do the job by using a single call to the Get-UnifiedGroup cmdlet.

$Groups = Get-UnifiedGroup -Filter {ResourceProvisioningOptions -eq "Team"} -ResultSize Unlimited | Select ExternalDirectoryObjectId, DisplayName, SharePointSiteURL, Alias, PrimarySmtpAddress
ForEach ($T in $Groups) {
  Write-Host "URL for the" $T.DisplayName "team is" $T.SharePointSiteURL "group mailbox alias is" $T.Alias "and email address" $T.PrimarySmtpAddress }

Why Not Use the New SharePoint Admin Center?

Some have suggested that you can use the new SharePoint Admin Center to find the URLs. Well, the Admin Center certainly displays the URLs, but it doesn’t distinguish between team sites that belong to Microsoft Teams (team-enabled) or those used by an Office 365 Group that isn’t team-enabled (an Outlook or Yammer group). Although you can certainly generate and download a CSV file from the Admin Center containing the site URL (along with other details) for all the active sites in the tenant, you still must isolate which sites belong to Teams and which don’t. Using the technique above starts with a list of Teams and doesn’t go near the non-team enabled sites.


The set of PowerShell modules used with Office 365 change all the time. That’s a good reason to keep up with change by subscribing to the Office 365 for IT Pros eBook. Chapter 13 tells all about how to manage Office 365 Groups and Teams with PowerShell.

Sharing SharePoint and OneDrive Documents with LinkedIn Contacts
https://office365itpros.com/2019/03/13/sharing-with-linkedin/
Wed, 13 Mar 2019 14:52:09 +0000

Easy Sharing with Your LinkedIn Connections

Office 365 Message Center notification MC175683 tells us that Microsoft is “rolling out a new feature to OneDrive, SharePoint, Word, PowerPoint, and Excel Online powered by LinkedIn to enhance the way users connect and collaborate with people outside their organization.” Sounds good, but what does it mean?

First, it’s all about first-degree LinkedIn connections. In other words, people that you have connected with because you accepted their invitation to connect or they accepted your invitation.

Second, your Office 365 tenant must be configured to support connectivity with LinkedIn. And once the tenant is configured, users must connect their Office 365 account with their LinkedIn account. If they don’t, Office 365 won’t have the rights to retrieve information about contacts from LinkedIn.

People Suggestions

With everything in place, Office 365 loads first-degree connections into the “people suggestions” list used by SharePoint Online and OneDrive for Business to respond to names typed in by a user when they share a document. The idea is that by including LinkedIn contacts in the suggestions list, it will be easier for Office 365 users to collaborate with those contacts.

Sharing a SharePoint Document with a LinkedIn Contact

Take the example below where I want to share a document from a SharePoint Online library. In the past, if I wanted to share it with a LinkedIn contact, I would need to know their email address to send a sharing invitation. With the LinkedIn contacts loaded into the people suggestions list, all I do is type in the first few characters of the name (in this case “Shane”) to see an integrated set of contacts built from my Office 365 tenant directory (including guest users), LinkedIn contacts, and email contacts (including the auto-complete list used by Outlook and OWA). It’s a smooth and easy experience.

Sharing a SharePoint Online document with a LinkedIn contact
Browsing LinkedIn contacts in SharePoint Online’s Suggested People list

Perhaps the most important thing about the new point of integration between Office 365 and LinkedIn is that including the LinkedIn contacts in the suggested people list means that Office 365 sends the sharing invitation to their latest email address (as in their LinkedIn profile). Hopefully, contacts keep their email addresses updated, which means that there’s a higher chance that the invitation will arrive in the right place.

Sharing in Office Online Apps

The same kind of sharing works with OneDrive for Business and with the online versions of Word, Excel, and PowerPoint (but not the desktop versions).

Selecting to share from a mixture of tenant users and LinkedIn contacts in Word Online

The feature is now rolling out within Office 365 and is available to targeted release users. Microsoft expects the rollout (except to Government customers) to be complete by the end of April 2019.


For more information about sharing Office 365 documents, read Chapter 8 of the Office 365 for IT Pros eBook.

Publishing News in Office 365 with the SharePoint Online News Digest
https://office365itpros.com/2019/02/24/news-digest-feature-sharepoint-online/
Sun, 24 Feb 2019 11:07:38 +0000

One of the cool features we have in SharePoint Online (SPO) when working with news in modern SPO sites is the ability to create and distribute a news digest after publishing five or more news items in a site (or in the sites associated with a hub site). To access the News digest feature, click the See all link in the News web part placed in a modern page in a SPO site:

The SharePoint Online News Digest feature
Accessing the SharePoint Online News Digest web part

Once we click that link, an SPO application page listing all the published news is shown. On this page, the actions bar includes an “Email a news digest” action:

Selecting news items to publish

When we click that action, we will be able to select the news we want to include in the digest. To go ahead with the digest definition, click Next:

Next, configure the digest by choosing the people we want to send it to and adding a short explanation about the digest. To send the digest, click on “Send news digest”:

All the recipients of the news digest will receive an e-mail with the following look & feel:

Additionally, the news digest we have just created is stored as an SPO page in the Site Pages library so we can view it anytime we want:

Exploring SharePoint Document Identifiers
https://office365itpros.com/2019/01/23/exploring-sharepoint-document-identifiers/
Wed, 23 Jan 2019 11:38:03 +0000

Office 365 Removes Some Work

One point I often make at conferences is that on-premises administrators do have a job after work moves to the cloud, but they have to change their work habits and focus to ensure continued employment.

Take an on-premises Exchange administrator who is suddenly deprived of the joy of applying cumulative updates and other patches to servers, navigating the details of the preferred architecture, and figuring out the massive spreadsheet that is the Exchange Server Role Requirements Calculator. Once mailboxes have moved to Office 365, what will fill the gaping void in each day?

There’s only a limited amount of your favorite beverage that can be consumed. And anyway, a better use of time is to explore some of the less well-known corners of Office 365 to expand your horizons, gain some knowledge, and support your program for paycheck renewal.

Thinking About SharePoint

Which of course is why I found myself looking at SharePoint Document Identifiers recently. I had no great need to assign server-generated unique identifiers to documents. No one was bashing down my door to demand that they should be allowed to refer to documents using truly memorable terms like PRJ0-1974991961-29. But I have been interested in records management for a long time and the assignment of unique identifiers has been an ongoing and persistent need since the dawn of word processing.

In any case, the results of my labor are that several of my SharePoint sites now boast document identifiers and seem no worse for it. Whether or not I ever make real use of these identifiers is still a point to be considered, but that doesn’t take away from the learning gained from exploring the details of the feature and its implementation in a product that, at times, baffles me.

SharePoint document identifiers in a document library.
Document IDs in a SharePoint library

Learning is Good

All learning is good and Office 365 is full of interesting places to find things to investigate. Old Exchange administrators can learn all about SharePoint and old SharePoint administrators can learn about Exchange. And everyone can learn about the newer bits of Office 365 like Office 365 Groups, Teams, Planner, and Yammer. And then we throw in the ever-interesting areas of compliance and eDiscovery and a smidgen of programming with PowerShell and the Graph. It’s enough to fill anyone’s day.

The wide spectrum of topics to master is why I think that administrators should have no worry about their jobs. If you keep on learning, you’ll keep on being valuable to your company.


It can be hard to know where to look for information about new technology inside Office 365. If you want a guide, why not consider subscribing to the Office 365 for IT Pros eBook? You won’t read it from cover to cover (well, you can, but most don’t), but it’s a great way to discover new things to learn about within Office 365.

MyAnalytics Spreads Its Wings to Teams and SharePoint
https://office365itpros.com/2019/01/04/myanalytics-spreads-its-wings/
Fri, 04 Jan 2019 09:24:23 +0000

MyAnalytics in More Office 365 Plans

By now, you’ll probably have read the news that Microsoft is making MyAnalytics available to any Office 365 user with an Exchange Online license (essentially, almost every Office 365 user). That’s good, and it’s what most commentators have focused on when writing on the issue.

But the more important strategic change is the announcement that Microsoft will soon include signals from Teams, SharePoint Online, and OneDrive for Business in the MyAnalytics analysis and dashboard. The reason why this is important is that it moves MyAnalytics from taking an Exchange-centric view of a user’s Office 365 activity to a more comprehensive and valuable view of their work.

We can speculate what has delayed Microsoft in taking this step. No doubt technology got in the way (for instance, lack of suitable APIs), but I think that the more interesting and challenging reason is the need to figure out what to measure and what’s important.

Chatty Teams Versus More Formal Email

Take Teams for instance. You might assume that Microsoft could use a variation of the same approach they use to measure email activity. You read an email and read a Teams conversation (in a channel or personal chat). You create and send an email and create and post a message to Teams conversation. Both seem much the same kind of activity. But subtle and important differences exist.

Think about how you read Teams conversations in a channel. Instead of opening and reading many unread messages in the Inbox to view their full content to see previous replies, attachments, and so on, you might be able to quickly scan all the messages in a conversation because Teams doesn’t include previous replies, attachments, and the contributions tend to be much shorter. For this reason, the MyAnalytics developers can’t simply apply the same kind of “5 minutes to create and send a message, 2.5 minutes to read a message” logic as they do for email.

More Challenges with Documents

Working with documents, spreadsheets, and presentations also poses challenges which are possibly even harder to crack. How do you estimate the work done when reviewing content versus writing content? Tracking autosaves might help to understand when a file is being actively edited, but users can disable autosave.

I imagine that the debate about what signals (from the Microsoft Graph) to use and how to interpret those signals occupied many hours before the developers moved on to the challenge of how to display the results in the MyAnalytics dashboard. It will be interesting to see how the Teams and SharePoint/OneDrive data shows up in the dashboard and the conclusions (working hints) Microsoft derives from the data after the changes roll out sometime in January 2019.


We cover MyAnalytics in depth in Chapter 6 of the companion volume for the Office 365 for IT Pros eBook. We’ve lived with MyAnalytics since its debut and will continue to cover it as the application evolves in the future.

Apply Column Formatting in SharePoint Online with No Code!
https://office365itpros.com/2019/01/03/applying-column-formatting-spo-with-no-code/
Thu, 03 Jan 2019 10:12:34 +0000

SharePoint Column Formatting Made Easy

Microsoft has provided a design mode to make it easy to apply column formatting to SharePoint Online (SPO) lists and document libraries with no code. The change means that it is no longer necessary to deal with JSON code when basic formatting is needed:

  • To access the Design mode for a list / document library column, just click on Column settings –> Format this column so the Column formatting panel is shown:
  • In the Column formatting panel click on Switch to design mode:
  • Once you are in Design mode, you can choose between applying the default template or Edit the template and choose the background colors to be used in the column.

For more information about SharePoint Online and OneDrive For Business, see Chapter 8 in Office 365 for IT Pros

The Handy Save for Later Feature in SharePoint Online
https://office365itpros.com/2018/12/30/save-for-later-sharepoint-online/
Sun, 30 Dec 2018 10:53:25 +0000

SharePoint Save For Later

One very useful feature that has been available for some time in SharePoint Online (SPO) is the ability to save news and documents for later. If some information published in our Intranet is important and we don’t have time to read it in detail now, we can do it later. The “Save for later” feature lets us bookmark news and documents and easily browse them later from the SharePoint Home page and the SharePoint Mobile App.

How the Save for Later Feature Works in SharePoint Online

The “Save for later” feature gives users a way to bookmark news and documents that can be easily browsed later from the SharePoint Home page and the SharePoint Mobile App.

Once you click on “Save for later”, the notation for this action will change to “Saved for later”. If you click again, a panel with the list of news and documents saved for later is displayed.

How to save an item in SharePoint Online
An item saved for later consumption

From this panel, you can access all the news and documents you have saved in the tenant. Note that all of them are conveniently displayed as cards.

How SharePoint Online shows saved news items
All My Saved News

Saving for later news and documents from the SharePoint Mobile App

The SharePoint Mobile App is the natural environment to mark news and documents for later reading. As soon as you are in the App, you will get familiar with this feature by clicking on the “dots” menu shown for every news item and document you can access.

Conclusions

In the same way you can create bookmarks in the browser or shortcuts on your desktop, you can “Save for later” news and documents in SPO in the browser or in the mobile app so that you never miss important information.

For more information about SharePoint Online and OneDrive For Business, see Chapter 8 in Office 365 for IT Pros

Protected PDFs Now Generally Available with Microsoft Information Protection
https://office365itpros.com/2018/12/12/ga-protected-pdfs/
Tue, 11 Dec 2018 23:25:02 +0000

Glitches Removed and Smoother Operation

Following October’s preview of a joint effort between Microsoft and Adobe to support Azure Information Protection for PDF files, the integration reached General Availability on December 11. As you’d expect, some of the glitches observed in the preview have been cleaned up, bringing improvements such as better visibility of Microsoft Information Protection (MIP) label information in protected files, and the integration seems pretty solid.

Azure Information Protection detail in a protected PDF

I tested the integration with the latest version of Adobe Acrobat DC. First, I removed all traces of the preview integration, including an older version of the Unified Labeling client, Acrobat DC, and the AIP plug-in. I then rebooted my PC and installed the latest version of the Unified Labeling client, Acrobat DC, and the plug-in. Everything worked as expected.

PowerShell Protection

Cmdlets to work with Microsoft Information Protection labels are included in the AIPService PowerShell module. You can use these cmdlets to protect PDFs in bulk. Before starting, you need to know the GUID for the label you want to apply. You can get this by running the Get-Label cmdlet in the Exchange Online Management module (use the Connect-IPPSSession cmdlet to connect to the compliance endpoint first). Equipped with the label GUID, we can construct some code to find a set of files and apply the label to each file. Here’s a quick example that you can easily customize by setting the target location and target files variables to point to the files you want to process.

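$LabelId = "<GUID of the label to apply>"   # Placeholder: use the GUID returned by Get-Label
$TargetLocation = "c:\Temp\"
$TargetFiles = "*.pdf"
# Find the target files, including those in subfolders
$Files = (Get-ChildItem -Path $TargetLocation -Filter $TargetFiles -File -Recurse)
ForEach ($F in $Files) {
   # Use the full path so that files found in subfolders resolve correctly
   $FileName = $F.FullName
   $FileStatus = (Get-AIPFileStatus -Path $FileName)
   # Only label files that don't already have a label
   If ($FileStatus.IsLabeled -eq $False) {
      Set-AIPFileLabel -Path $FileName -LabelId $LabelId }
}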

Protected PDFs in Office 365

The current integration works with both the older AIP labels and Office 365 sensitivity labels and is designed to operate with files stored in Windows. PDFs are very popular in Office 365 environments, so it’s likely that protected PDFs will end up inside Office 365 as email attachments or stored in SharePoint Online and OneDrive for Business.

If you upload a protected PDF to a SharePoint Online document library and then try to open it, SharePoint can use the browser or an online viewer. If you use the Edge browser, it supports protected documents. Other browsers will use the viewer, which doesn’t work with protected PDFs. You’ll have to download the PDF to a PC that has a supported PDF reader (like the Azure Information Protection viewer or Acrobat DC with the plug-in) installed to be able to read the content.

Error when accessing a protected PDF

Future Integration with Office 365?

It’s possible that Microsoft and Adobe will work together to enhance the integration by extending it into Office 365 so that access to protected PDFs is smoother and that users can use Office 365 sensitivity labels to protect PDFs in addition to AIP labels. 


For more information about Microsoft Information Protection and rights management protection, read Chapter 24 of the Office 365 for IT Pros eBook.

How to Use PowerShell to Report Retention Policies for SharePoint Online Sites
https://office365itpros.com/2018/12/07/retention-policies-sharepoint-site/
Fri, 07 Dec 2018 16:27:48 +0000

Getting a Global View of Retention

A questioner asked how to find out which Office 365 retention policies process different SharePoint sites in their tenant. This is a reasonable ask because the Security and Compliance Center (SCC) focuses on managing policies on an individual basis and doesn’t present an overall view of retention across the tenant.

Finding Policies

Because there’s no GUI option to present a global view of how a set of retention policies apply to a workload like SharePoint, we have to roll our own solution. PowerShell is often the best tool in these circumstances because it’s reasonably quick to develop in and Office 365 publishes a very large set of cmdlets, albeit spread over multiple modules.

In this case, the first step is to form a collection of the retention policies in the tenant by running the Get-RetentionCompliancePolicy cmdlet. This cmdlet is part of the compliance set, which is available when you connect to that endpoint. The easiest way to do this is by running the Connect-IPPSSession cmdlet from the Exchange Online Management module. Your account must hold either the Exchange Online administrator or Global administrator role to run the commands described in this article.

The critical point when working with retention locations is to include the DistributionDetail parameter when calling Get-RetentionCompliancePolicy as this forces the SCC to return details of the locations to which each policy applies. The set of returned policies is further refined by excluding those that don’t process SharePoint and any defined for Teams (retention policies for Teams only process Teams locations).

Interpreting Policies

After figuring out the set of retention policies for SharePoint, we can examine the policies to extract details of the SharePoint locations that they process. A policy will tell us that the location is:

  • Null: SharePoint is not processed by the policy.
  • All: The policy processes all SharePoint sites.
  • All with exclusions: The policy processes all SharePoint sites except those listed in the SharePointLocationException property.
  • Some: The policy processes only the SharePoint sites listed in the SharePointLocation property.

The only slightly tricky thing is to handle the case when sites are individually included or excluded. This is done by expanding the property to extract all the listed sites and then processing the details for each site.

Putting everything together, we end up with a script.

Connect-IPPSSession
$Report = [System.Collections.Generic.List[Object]]::new()
# Fetch retention policies with location details, leaving out Teams policies and policies that don't process SharePoint
[array]$Policies = (Get-RetentionCompliancePolicy -ExcludeTeamsPolicy -DistributionDetail | Where-Object {$_.SharePointLocation -ne $Null})
ForEach ($P in $Policies) {
    # The policy processes all SharePoint sites
    If ($P.SharePointLocation.Name -eq "All") {
        $ReportLine = [PSCustomObject]@{
            PolicyName = $P.Name
            SiteName   = "All SharePoint Sites"
            SiteURL    = "All SharePoint Sites" }
        $Report.Add($ReportLine)
    }
    # The policy lists sites that are excluded from processing
    If ($P.SharePointLocationException -ne $Null) {
        $Locations = ($P | Select-Object -ExpandProperty SharePointLocationException)
        ForEach ($L in $Locations) {
            $Exception = "*Exclude* " + $L.DisplayName
            $ReportLine = [PSCustomObject]@{
                PolicyName = $P.Name
                SiteName   = $Exception
                SiteURL    = $L.Name }
            $Report.Add($ReportLine)
        }
    }
    ElseIf ($P.SharePointLocation.Name -ne "All") {
        # The policy processes only the sites listed in SharePointLocation
        $Locations = ($P | Select-Object -ExpandProperty SharePointLocation)
        ForEach ($L in $Locations) {
            $ReportLine = [PSCustomObject]@{
                PolicyName = $P.Name
                SiteName   = $L.DisplayName
                SiteURL    = $L.Name }
            $Report.Add($ReportLine)
        }
    }
}

Much the same approach can be used to extract information about the other locations supported by Office 365 retention policies (Exchange, Office 365 Groups, OneDrive for Business).

The output is an ordered array, which we can look at in different ways. Here’s how to list it by policy order:

$Report | Sort PolicyName, SiteUrl

PolicyName                               SiteName                     SiteURL
----------                               --------                     -------
Company Confidential Policy              All SharePoint Sites         All SharePoint Sites
Formal Company Records                   All SharePoint Sites         All SharePoint Sites
GDPR Personal Data                       All SharePoint Sites         All SharePoint Sites
GDPR Personal Data                       *Exclude* PL Test Group      https://office365itpros.sharep
Management Preservation Policy           Projects                     https://office365itpros.sharep
Office 365 for IT Pros eBook Content     All SharePoint Sites         All SharePoint Sites
Preservation Lock - Mailboxes and Sites  PL Test Group                https://office365itpros.sharep
Preserve Office 365 for IT Pros Files    Company Communications       https://office365itpros.sharep
Preserve Office 365 for IT Pros Files    GDPR Planning Mark II        https://office365itpros.sharep
Preserve Office 365 for IT Pros Files    Office 365 for IT Pros       https://office365itpros.sharep
Senior Leadership Team (SLT) Policy      SLT                          https://office365itpros.sharep
SharePoint Online Retention Policy       All SharePoint Sites         All SharePoint Sites

Of course, we can export the array to a CSV file and look at the data with Excel or import it into Power BI for more heavy-duty analysis and graphing.

$Report | Export-Csv -NoTypeInformation c:\temp\RetentionSites.csv
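
The report above is organized by policy. To ask the reverse question (which policies cover a given site, and which sites have no retention coverage at all), the location states listed under Interpreting Policies can be evaluated per site. The following is an added example, not code from the original article: the function names, the sample policy names and the contoso URLs are hypothetical, and the sample objects are constructed to mimic the Name, SharePointLocation and SharePointLocationException properties used by the script above, assuming (as that script does) that a location's Name holds the site URL.

```powershell
# Added example: resolve which retention policies apply to a given SharePoint site.
# All sample data is constructed. In a live session, pass the output of
# Get-RetentionCompliancePolicy -ExcludeTeamsPolicy -DistributionDetail as -Policies.

function New-SampleLocation {
    # Hypothetical helper that builds a location object with the two properties the report uses
    param([string]$DisplayName, [string]$Name)
    [PSCustomObject]@{ DisplayName = $DisplayName; Name = $Name }
}

$SamplePolicies = @(
    [PSCustomObject]@{   # "All with exclusions": every site except PLTest
        Name                        = "Sample Policy A"
        SharePointLocation          = @(New-SampleLocation "All" "All")
        SharePointLocationException = @(New-SampleLocation "PL Test" "https://contoso.sharepoint.com/sites/PLTest")
    }
    [PSCustomObject]@{   # "Some": only the listed site
        Name                        = "Sample Policy B"
        SharePointLocation          = @(New-SampleLocation "Projects" "https://contoso.sharepoint.com/sites/Projects")
        SharePointLocationException = @()
    }
    [PSCustomObject]@{   # "Null": the policy does not process SharePoint
        Name                        = "Sample Policy C"
        SharePointLocation          = $null
        SharePointLocationException = $null
    }
)

function Get-SiteRetentionPolicy {
    param(
        [Parameter(Mandatory)] [string]$SiteUrl,
        [Parameter(Mandatory)] [object[]]$Policies
    )
    # Normalize trailing slashes so that URL comparisons are consistent
    $Target = $SiteUrl.TrimEnd('/')
    foreach ($P in $Policies) {
        # Null: skip policies that don't process SharePoint
        if (-not $P.SharePointLocation) { continue }

        $Included = @($P.SharePointLocation | ForEach-Object { $_.Name.TrimEnd('/') })
        $Excluded = @($P.SharePointLocationException | Where-Object { $_ } |
                      ForEach-Object { $_.Name.TrimEnd('/') })

        $Scope = $null
        if ($Included -contains 'All') {
            # All sites are in scope unless this site is listed as an exception
            if ($Excluded -notcontains $Target) { $Scope = 'All sites' }
        }
        elseif ($Included -contains $Target) {
            # The policy names this site explicitly
            $Scope = 'Listed site'
        }

        if ($Scope) {
            [PSCustomObject]@{ SiteUrl = $Target; PolicyName = $P.Name; Scope = $Scope }
        }
    }
}

# Constructed list of sites to check
$Sites = @(
    'https://contoso.sharepoint.com/sites/Projects',
    'https://contoso.sharepoint.com/sites/PLTest/',
    'https://contoso.sharepoint.com/sites/Archive'
)

foreach ($S in $Sites) {
    $Hits = @(Get-SiteRetentionPolicy -SiteUrl $S -Policies $SamplePolicies)
    if ($Hits.Count -eq 0) {
        # An exclusion with no other policy naming the site leaves it without retention
        Write-Warning "$S is not covered by any retention policy"
    }
    else {
        $Hits
    }
}
```

With the constructed data, the PLTest site is the one flagged: it is excluded from the all-sites policy and no other policy lists it.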

PowerShell to the rescue once again!


For more information about Office 365 retention policies, read Chapter 19 of the Office 365 for IT Pros eBook.

How to Embed External Content in Modern SharePoint Online Pages
https://office365itpros.com/2018/11/28/how-to-embed-external-content-in-modern-spo-pages/
Wed, 28 Nov 2018 13:15:03 +0000

Embedding external content in modern SharePoint Online (SPO) pages is a really easy task using Microsoft’s out of the box Embed webpart.

In the web part settings panel, we can add the external content either by entering its URL (such as a YouTube video) or by using the standard <iframe> HTML tag:

In the event we want to add a reference to external content not allowed by default in SPO, we will need to add the domain URL in the “HTML Field Security” setting that can be found in the site settings page:

Once we browse to that configuration page, we simply need to add the new domain / URL if it is not there yet.

We cover SharePoint Online in Chapter 9 for the Office 365 for IT Pros eBook.

Simple Site Scripts creation with SharePoint Site Designer
https://office365itpros.com/2018/11/18/simple-sharepoint-site-designer/
Sun, 18 Nov 2018 10:06:26 +0000

Simplifying the Creation of JSON

Site Designs and Site Scripts provide one of the mechanisms we have today to extend modern SharePoint Online Sites (Modern Team Sites, Communication Sites and Hub Sites). Site Scripts are JSON files using a specific JSON schema as documented by Microsoft.

Creating a Site Script should not be a complex task, but if you don’t like working with JSON files or are simply used to working with visual tools, there is a visual tool that simplifies the process of creating a site script. The tool created by Mikko Punamäki is available online and does a good job of generating a JSON file for a configuration created visually in the JSON visual designer.

We cover Site Designs and Site Scripts in Chapter 9 for the Office 365 for IT Pros eBook.

Inside the Teams Wiki
https://office365itpros.com/2018/10/05/inside-teams-wiki/
Fri, 05 Oct 2018 11:36:27 +0000

Where’s My Wiki?

A couple of days ago, I was asked where Teams Wiki data was stored. The question came about because the Wiki wasn’t searchable in Teams, which seemed odd for an Office 365 component. The idea behind the Wiki is that it’s a place where team members can share notes in a somewhat more structured way than exists in channel conversations. You can discuss Wiki contents in conversations by either including @ mentions in the body of its text or by starting a conversation linked to the Wiki.

The Wiki is a default tab that’s added to every channel after it is created. You can rename or remove the tab if you don’t want it, which often happens when an organization uses OneNote for note-taking.

Teams Wiki Data

Some quick investigation revealed that Teams stores wiki content in a document library of the SharePoint team site belonging to the team where the content is created. Although each channel in a team gets a wiki tab,  Teams doesn’t create anything in SharePoint until the first time that someone opens the wiki. At this point, Teams creates a folder named after the channel in the Teams Wiki Data document library in the team site, which you can see through Site Contents (Figure 1).

Figure 1: The Teams Wiki Data document library in Site Contents

If you open Teams Wiki Data, you’ll see the folders for the channels in the team where wiki content has been created.

Wiki Sections and Pages

Within the channel, a Teams Wiki is composed of sections and pages, just like OneNote. You can insert text (with a limited set of styles), images (from Teams, OneDrive, one of the cloud storage locations configured for the team, or your workstation), hyperlinks, or a table. You can also create bulleted and numbered lists and highlight text.

Figure 2: Editing Wiki content in Teams

Overall, text formatting for wiki content is limited too and is like the editor used to compose messages in Teams. You won’t write War and Peace in the wiki, but the editor is perfectly adequate for simple composition.

Wiki Files in SharePoint

Each page in the wiki is represented as an MHT file stored in the document library. The saving mechanism for the wiki is interesting because the files stored in SharePoint don’t report updates. At least, their modified date doesn’t change and the reported timestamp is when the page is created. All of the sections in a page are in the same MHT file.

Figure 3: Wiki files in SharePoint document library

It’s possible to add multiple Wiki tabs to a channel (to confuse users). All the pages for all the wiki tabs end up in the same folder for the channel.

Error opening Wiki Files

If you try to open a Wiki MHT from SharePoint, Word Online is the suggested application. But if you proceed, you see the error:

This page is automatically updated from the Wiki in Microsoft Teams. Any changes made here will be overwritten. To edit this page, open it in Microsoft Teams.

The reason why this block on edit exists is that the MHT files are just pointers to items in a hidden SharePoint list (Figure 4) where the actual content is stored. You can find this list through Site Contents. When the wiki opens a page or section it fetches the content from the list (you can see the HTML formatted text in the wikicontent field shown in Figure 3).

Figure 4: Wiki content in a hidden list

No Search

To come back to the original question, any content you enter into a Teams Wiki is invisible for search purposes. You can’t find it in Teams or by using Microsoft 365 Search or Delve. This is rather a mystery because Microsoft makes a big thing of being able to search for content across Office 365, but perhaps it’s a feature that’s “coming soon.”

To learn more about Teams and the tabs you can create for channels, read the chapter covering Teams architecture in the Office 365 for IT Pros ebook.

New Search Experiences Coming to Office 365
https://office365itpros.com/2018/09/27/new-search-experiences-also-coming-to-office-365/ Thu, 27 Sep 2018 11:39:17 +0000


Just as Microsoft is introducing a modern search experience in modern SharePoint Online (SPO) sites, it is applying the same strategy to search in Office 365. In this article, we take a look at the modern search features you can find in Office 365.

This article was published on Petri.com on September 27, 2018. For more information about SharePoint Online and OneDrive for Business, see Chapter 8 in Office 365 for IT Pros.

Modernizing SharePoint Subsites
https://office365itpros.com/2018/09/05/subsites-get-also-modernized-in-sharepoint/ Wed, 05 Sep 2018 12:55:27 +0000


A very common question when discussing modern SharePoint is why Microsoft has not modernized the creation of subsites to give Office 365 tenants the ability not only to create a modern site, but also to create modern subsites. Fortunately, Microsoft has finally released a modern subsite template to allow any organization still using subsites to create modern subsites and not get stuck with classic subsites created under a modern site.

You can find a quick sample of modern subsite creation in this link. For more information about SharePoint Online and OneDrive for Business, see Chapter 8 in Office 365 for IT Pros.

Office 365 Groups management capabilities coming to the SharePoint Online admin center
https://office365itpros.com/2018/08/31/office-365-groups-management-sharepoint-online-admin/ Fri, 31 Aug 2018 06:35:20 +0000

Finally, Office 365 administrators will have the ability to manage Office 365 Groups from the SharePoint Online Admin Center. The news came in a recent message (MC147409) published in the Microsoft 365 Message Center:

We’re updating Office 365 Group management capabilities in the SharePoint Online admin center. We’ll begin rolling this feature out soon. In the current SharePoint Online admin center experience, the following Microsoft 365 admin roles can manage Office 365 Groups: global administrator, user administrator, and Exchange administrator. In response to customer feedback, we will provide SharePoint Online administrator permissions to manage Office 365 Groups in the new SharePoint Online admin center.

This new capability to manage Office 365 Groups directly in the SharePoint Online Admin Center is associated with Office 365 Roadmap ID: 32864.

Implications of the change
The implication of this change is that SharePoint Online admins will also be able to perform Office 365 Groups management tasks from the Admin Center: create, delete, restore, and change the owners of a group. Given the importance of Office 365 Groups to SharePoint Online, it’s a good change.

Microsoft is expecting to roll out this change in early September and it should be completed worldwide by the end of January.

Mass Delete Notifications for SharePoint Online and OneDrive for Business
https://office365itpros.com/2018/08/29/mass-delete-email-sharepoint-onedrive/ Wed, 29 Aug 2018 14:12:10 +0000

Best-Effort Email Notifications for Mass Deletions

On August 28, Microsoft published MC147280 in the Office 365 Message Center to inform tenants that they’re about to introduce “best-effort” email notifications to users when “a higher than usual number of files are deleted per hour”. Microsoft doesn’t say what criteria they use to calculate a higher than usual number of deleted files in an hour.

For OneDrive for Business, the email notification will tell the account owner about the deleted files and how to recover the files from the Recycle Bin. For SharePoint Online, the person who deleted the files (a site owner or a member) gets the same kind of email.

The interesting thing about Office 365 updates like this is to ponder why Microsoft feels that they should introduce such a feature. Have we seen a rash of users deleting every file to hand in their OneDrive account, or site members going crazy in SharePoint? Has Microsoft come to the conclusion that they need to step in based on the data gathered about usage patterns in the Microsoft Graph?

Reducing Support Calls

The answer is likely more prosaic. I think this is another attempt by Microsoft to proactively reduce support costs by telling users when they might have made a mistake and deleted files that they shouldn’t – and the support call comes in to ask Microsoft where the files have gone and how to recover them.

Support is expensive and it makes sense for Microsoft to take steps to reduce the number of potential calls in this manner. Users are also likely to be happier if they get a note to inform them that they might have made a mistake. Let’s face it, avoiding the opportunity to log a support call for Office 365 is always a pleasure.

On the other hand, users might be annoyed when they receive email about a perfectly legitimate action that they deliberately and purposefully set out to accomplish. It smacks a little of “Big Brother is Watching” when email arrives out of the blue to say something like “We’ve noticed that you’ve just deleted a lot of files…” Clippy for the cloud?

Retention Labels

Although you might not be able to stop users deleting files from their OneDrive for Business account (they are, after all, personal files), you can easily stop users removing documents from SharePoint Online libraries by assigning labels to individual documents or Office 365 retention policies to sites. For instance, if you assign a label called “Important” to a document, and that label has a retention period of five years, then site members won’t be able to delete it until the retention period expires.

Auto-label policies (part of Office 365 E5 and the advanced data governance add-on) can be deployed to find and label documents based on sensitive data types or keyword queries, so you can make sure that the most important files in an organization are retained.

More Detail to Follow

Microsoft says that they are rolling out the new feature to targeted release tenants now and will continue the roll-out for standard release tenants in late September, following the normal 30-day delay between targeted and standard deployments.

Earlier today I deleted 40 documents from my OneDrive for Business account to try and provoke a mass delete notification. Typically, I might delete one or two items a day, so 40 seemed to comfortably be in the zone for OneDrive to notice and react. So far, several hours later, no message has arrived. Maybe the feature hasn’t reached my targeted release tenant yet. Now how do I recover those blasted documents?

For more information about managing SharePoint Online and OneDrive for Business, see Chapter 8 of Office 365 for IT Pros. For information about creating, deploying, and managing Office 365 retention policies and labels, see Chapter 19.

Adding a New Microsoft 365 Group to an Existing (Classic) SharePoint Online Site
https://office365itpros.com/2018/08/28/adding-a-new-office-365-group-to-an-existing-classic-sharepoint-online-site/ Tue, 28 Aug 2018 06:51:27 +0000


As announced in this post in the Microsoft Tech Community, the ability to add a new Office 365 Group to an existing SharePoint Online (SPO) site is finally available to Office 365. You will be able to connect existing classic SPO sites to new Office 365 Groups by means of two possible mechanisms:

  • PowerShell (first mechanism available after the official announcement of this feature)
  • The “Connect to new Office 365 Group” option available in the site settings menu

This article was published on Petri.com on July 20, 2018. For more information about SharePoint Online and OneDrive for Business, see Chapter 8 in Office 365 for IT Pros.

New Search Experiences Arriving (finally) to SharePoint Online
https://office365itpros.com/2018/08/17/new-search-experiences-arriving-finally-to-sharepoint-online/ Fri, 17 Aug 2018 16:04:25 +0000

Search in SharePoint Online (SPO) is an area that we will see change in the future. Indeed, you might have already seen some of the new search experiences in your modern SPO sites. In this article, I introduce you to some of the new search features that have almost arrived (any day now) in your SPO sites.

This article was published on Petri.com on August 17, 2018. For more information about SharePoint Online and OneDrive for Business, see Chapter 8 in Office 365 for IT Pros.

Avanan’s PhishPoint – FUD or a Real Problem?
https://office365itpros.com/2018/08/16/phishpoint-fud-or-problem/ Thu, 16 Aug 2018 20:09:20 +0000


A New Attack

Avanan is an Israeli security company that has a track record of pointing to Office 365 security and saying that it could be improved. In some cases, like their criticism of MTA-based email scanning a la Mimecast, I think they have a point. In others, I’m not so sure.

Take the “PhishPoint” episode, reported by Avanan to affect 10% of the Office 365 customers they work with. Avanan duly scales this number up to estimate that the problem affects the same percentage globally, or 13.5 million of the 135 million active Office 365 users (the last official number – likely higher by about 15 million now). I must be missing something here, because if 13.5 million Office 365 users had been attacked through a malicious SharePoint document, I think Twitter and other social media would be in global meltdown. And they’re not.

The attack involves an embedded URL in an email that leads to a real SharePoint document (presumably in an Office 365 tenant owned by the attacker) that invites the victim to sign into Office 365 to read the content of another document that’s shared in OneDrive for Business. The result is a dummy sign-in screen that looks like the regular Azure Active Directory sign-in, which is where the attacker gathers user credentials, presumably for later use to compromise their account, perhaps in a Business Email Compromise attack.

Will Users Notice the Flaws in the Attack?

I’m sure some people will be deceived by the scheme, but I’ve got to hope that the majority will notice signals like being taken from one document to another (odd when you think about how sharing works inside Office 365), followed by a sign-in screen whose URL has no connection to Office 365 and, in Avanan’s posted example, is flagged as “dangerous.” Perhaps the Office 365 customers that Avanan deals with are less well-trained, which is why 10% of them have been affected.

Joking apart, the report does highlight that malicious code can be introduced through infected documents. Solid user training to warn people about how attackers work should be given on an ongoing basis. Threats evolve all the time, so training needs to keep pace.

Read, Understand, Decide

Avanan’s business is based on convincing people that they need extra layers of security to keep Office 365 safe. Some of the reasons they advance are good, some are FUD (I thought this example was in 2016). The articles that they write about Office 365 security are worth reading (like “8 Security considerations when moving to Office 365”), if only to cause you to pause for thought and consider whether you need to do more to secure your tenant. But don’t take everything at face value. You understand your tenant better than anyone else, so always put the information presented by a third party into that context and then make decisions.

For more information about SharePoint Online and OneDrive for Business, read Chapter 8 in Office 365 for IT Pros. For more information about Advanced Threat Protection and Exchange Online Protection, see Chapter 17.
Why SharePoint Online and OneDrive for Business Have a One Hundred Version Minimum
https://office365itpros.com/2018/08/16/sharepoint-online-versions/ Thu, 16 Aug 2018 11:57:29 +0000


Minimum Versioning Coming Soon

In Office 365 Message Center MC146556, Microsoft announced today how organizations can avoid using the new minimum of one hundred versions for files stored in SharePoint Online and OneDrive for Business libraries.

The new feature comes into effect on September 30, 2018. Before then, if you want to avoid using the feature, you must download and install the latest version of the PowerShell module for SharePoint Online (make sure that you have version 16.0.7918.1200 or better). After updating the module, run the command:

Set-SPOTenant -EnableMinimumVersionRequirement $False

If you don’t do this before September 30, Microsoft will enable minimum versioning for all SharePoint Online and OneDrive for Business libraries. To configure versioning for a site, access the library settings page for a document library (Figure 1) and set the value for major versions to anything between 100 and 50,000.

Figure 1: Configuring the versioning setting for a SharePoint Online document library

Customer Pushback

Microsoft originally announced that this feature would be enabled for all sites, but they obviously received some pushback from customers who don’t want to keep so many versions. This might have been an acceptable position in the on-premises world when you’d be worried about the storage consumed to keep so many versions, but it really doesn’t make much sense in the cloud. The storage used to keep versions is not charged against your tenant quota and Microsoft takes care of providing the physical storage that’s needed.

AutoSave and Restore Need Versions

Another reason why minimum versioning is a good thing to have is that features like AutoSave of Office documents (needed for co-authoring) and the ability of OneDrive and SharePoint Online to restore files to a point in time within the last 30 days depend on versions being available. If you don’t have the versions, you can’t recover files.

For more information about SharePoint Online and OneDrive for Business, see Chapter 8 in Office 365 for IT Pros.
