Thursday, December 14, 2017

Automatic Azure AD B2B redemption is not feasible

Azure AD Business-to-Business (B2B) is the enterprise-ready and secure new approach to enable SharePoint Online external sharing. In this approach, externals are added as guest users in the Azure AD of the inviting company. The guest account in the host Azure AD functions as a placeholder for the actual account of the invited guest in that guest's own identity administration. Azure AD B2B is an implementation of federated identity management.
The process to authorize an external person for access to a shared SharePoint Online site consists of 2 steps:
  1. First, an Azure AD admin (or anyone who has the "Guest Inviter" role) has to add a guest account to the host Azure AD
  2. Next, the site owner can invite the guest account to the externally shared site
However, it turns out that this process has a usability gap and a sequence dependency:
  • Usability gap: after the first step, the guest receives an invitation in the mailbox to accept (redeem). On redemption, however, the guest is redirected to an empty Apps page in the tenant of the inviting organization ==> no authorizations have been granted yet;
  • Sequence dependency: the site owner cannot execute the 2nd step until the Azure AD invitation has been redeemed ==> 'Sharing failed: Sharing to external users is not supported' (a misleading / incorrect error message: sharing is supported, just not to this particular guest account as long as (s)he has not redeemed the invitation to the host Azure AD)
To address the first drawback, which may leave the invited guest with a negative first impression ("I only see an empty Apps page, cannot do anything"), you can use the PowerShell Azure AD cmdlet 'New-AzureADMSInvitation' with the '-SendInvitationMessage' parameter set to false. The invited guest is then not yet informed of the Azure AD invitation, which from the guest's perspective is useless anyhow: one can only do something after being authorized to a SharePoint site. But the indirect result is that the Azure AD invitation is not redeemed (the guest is neither made aware of it nor asked to redeem it), and therefore the site owner still cannot add the guest user. A catch-22 situation.
A potential way out would be to redeem the Azure AD invitation automatically on behalf of the invited guest. However, this is only possible when the invited guest's own organization has an Azure AD tenant. Although Azure usage is growing in the market, there is and will remain a large set of organizations that do not have an Azure subscription and tenant themselves, and for their users automatic redemption on behalf of the guest is not possible.

Thursday, December 7, 2017

How to identify a faulty web part on a SharePoint (Online) page

Today the business called in distress: they had made a change to the start page of an important business site (solution) in SharePoint Online, and afterwards the page kept loading / spinning when opened in the browser.
To support them, I was temporarily granted contributor authorization, and then applied the following steps to analyze and identify the cause:
  • Step 1: very important, determine whether you can reproduce the problem yourself;
  • Step 2: (the answer was yes) open the page in web part maintenance mode by adding "?contents=1" to the query string;
  • Step 3: identify which of the web parts on the page could potentially cause the problem; e.g. an Image Viewer web part is very unlikely, but anything that adds content can be;
  • Step 4: close the first of the suspect web parts;
  • Step 5: reopen the page in normal mode and verify whether it now loads;
  • Step 6: repeat steps 4 and 5 until the page finally loads successfully again;
  • Step 7: once the faulty web part is identified, re-add the other ones: open the page in edit mode, insert a web part, and select the closed web parts from the web part category 'Closed Parts';
  • Step 8: fix the faulty web part, or delete it from the page.
In this particular situation, a Content Editor Web Part had been added to the page that contained script with a self-reference to reload the page, resulting in an endless loop. This cannot be fixed in place; the best option is to delete it from the page and re-code the client script (but make sure to avoid the self-reloading...)

Friday, December 1, 2017

2 approaches to enable MFA for Azure AD B2B guest accounts

Part of Azure AD B2B SharePoint external sharing is enforcing multi-factor authentication for the external guest accounts. Documentation on how to enable this is a bit difficult to find. In my search I also found that there are actually 2 approaches to enable the MFA condition for guest accounts.

Option 1: Direct enable on Azure AD user level

This is the option I first stumbled into, due to (my) inability to find proper documentation on how to enforce the MFA rule. The approach here is to open Azure AD Admin, open 'All Users', click 'Multi-Factor Authentication' in the top bar, and select the (guest) user accounts for which to enable MFA. Frankly I suspect that this approach exists by accident. The reason for that thought is that I could only enable MFA for guest users via a trick: selecting only guest users does not offer the enable/disable MFA option. However, if you also select a regular account, the menu option becomes visible and the action is applied to all selected accounts, including the guests. Not directly logical, and it may very well be a functional bug.



Option 2: Indirect enable via Azure AD Conditional Access

This approach appears to be the more structural one, with management at a higher level than individual guest users. It consists of the following steps:
  • Create in Azure AD 'Groups and users' a new group with dynamic membership, with the rule "userType Equals Guest"
  • Create in Azure AD Conditional Access a new policy: under users and groups include the just-created group (of external accounts), as the app select Office 365 SharePoint Online, and as the access control select 'Grant access' with the multi-factor authentication requirement.
These 2 configuration steps ensure that MFA is immediately applied to all guest accounts, without the need to maintain this on individual user accounts.



Friday, November 17, 2017

Conveniently delete a single document from a large list

SharePoint lists and libraries can store large amounts of (document) items. This does complicate the management of the stored items: before you can edit or delete an item, you need to find it in the large list storage. As a result of the list view threshold, at most 5000 items are displayed, and you will therefore likely spend a lot of time navigating page by page through the list/library before you eventually find the item you want to manage. For a regular list you can automate this item search via "search in 'this list'" (<site-url>/_layouts/OSSSearchResults.aspx?cs=This%20List&u=<list-url>); however, for managing document items this does not help: the search result does not display the document library ribbon, so you cannot activate for instance the 'Delete Document' action. But the SharePoint toolbox has more to offer: set up an interactive list view search experience by combining the list view with a connected Text Filter web part. For the how-to I refer to Connect a Filter Web Part to a List View Web Part on a classic page.
Screen impression of the result:

Tuesday, November 7, 2017

Retrieve data from a large list via REST

The infamous '5000' list view threshold: we have all hit that limit at least once when using SharePoint as a data backend. This time I was consulted by a business user who used SharePoint's data management capabilities to store over 135,000 list items. For storage this amount is not an issue, but retrieval can be, due to the list view threshold. The advised approach is to use indexed columns and tabbed/indexed views; that covers retrieving and viewing the large number of list items in the standard SharePoint UI. But what about requesting the data via the SharePoint REST service? The REST protocol promises a similar paged navigation via the $top and $skip parameters. However, here SharePoint (2010) proves not to be a fully compliant REST citizen: $top works fine on an indexed large list, but using $skip results in an HTTP 500, and the ULS log records the error "Throttled:Big list slow query. List item query elapsed time: 0 milliseconds".
Here too it turns out that the '5000 threshold' is a very commonly encountered SharePoint issue: an internet search leads within a few hits to the helpful Stack Overflow resource, SharePoint 2010 REST top, skip fails on large list:
$skip query option is not supported, but $top is. Workaround, use a mix of $orderby on ID, $filter on ID and $top x items, and loop
Client-side code (jQuery) to loop through the entire large SharePoint list in batches:
var siteUrl = "<site-collection url>";   // placeholder for the site collection URL

// $skip fails on a large list, so page on the indexed Id column instead:
// order by Id, filter on Id greater than the last Id seen, and take $top items per batch.
function readLargeList(nextId, items, done) {
    $.getJSON(siteUrl + "/_vti_bin/listdata.svc/LargeList"
            + "?$select=Id,Name&$top=1000&$orderby=Id&$filter=Id gt " + nextId,
        function (data) {
            var batch = data.d.results || data.d;   // listdata.svc wraps the results in "d"
            if (batch.length > 0) {
                readLargeList(batch[batch.length - 1].Id, items.concat(batch), done);
            } else {
                done(items);    // empty batch: the whole list has been read
            }
        });
}

readLargeList(0, [], function (allItems) { /* use allItems */ });
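The same keyset-paging loop written so it can be exercised offline, as an added example that is not part of the original post: the query builder and the "next Id" loop are separated from the HTTP call, and a constructed in-memory stand-in for the list plays the role of ListData.svc. The list name LargeList and an indexed integer Id column are assumptions.

```javascript
// Added example (not the post's code): keyset paging over a large SharePoint list
// through ListData.svc, written "sans-IO" so the same loop can be driven by a
// synchronous mock in a test or by $.getJSON in the browser.
// Assumed: Id is an indexed integer column and LargeList is the list name.

function buildQuery(siteUrl, listName, top, lastId) {
  // $skip is rejected on large lists, so page by "Id gt <last Id seen>".
  return siteUrl + "/_vti_bin/listdata.svc/" + listName +
    "?$select=Id,Name&$top=" + top + "&$orderby=Id&$filter=Id gt " + lastId;
}

// Generator: yields the next request URL, receives that request's batch,
// and finishes when a batch comes back empty (the loop from the post).
function* largeListPager(siteUrl, listName, top) {
  let lastId = 0;
  for (;;) {
    const batch = yield buildQuery(siteUrl, listName, top, lastId);
    if (!batch || batch.length === 0) return;
    lastId = batch[batch.length - 1].Id;
  }
}

// Drive the pager with any request function that maps a URL to an array of items.
function collectAll(siteUrl, listName, top, request) {
  const pager = largeListPager(siteUrl, listName, top);
  const items = [];
  const urls = [];
  let step = pager.next();
  while (!step.done) {
    urls.push(step.value);
    const batch = request(step.value);
    items.push(...batch);
    step = pager.next(batch);
  }
  return { items, urls };
}

// Constructed stand-in for the list service: 2350 items with Ids 1..2350,
// answering the $top and "Id gt" parts of the query like ListData.svc would.
function mockRequest(url) {
  const top = Number(/\$top=(\d+)/.exec(url)[1]);
  const lastId = Number(/Id gt (\d+)/.exec(url)[1]);
  const out = [];
  for (let id = lastId + 1; id <= 2350 && out.length < top; id++) {
    out.push({ Id: id, Name: "Doc" + id });
  }
  return out;
}
```

In the browser, drive the same generator from a $.getJSON callback, passing each response's "d" array to pager.next; with 2350 items and $top=1000 the loop issues four requests, the last returning an empty batch.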

Tuesday, October 31, 2017

Microsoft security (tools) landscape

Microsoft, as platform vendor, takes information security and protection very seriously. It delivers a diverse set of tools and services to help enterprises protect their valuable resources. The protection is differentiated on 4 layers:
  1. Devices
  2. Apps
  3. Files
  4. Identity
In the diagram below, the palette of tools is displayed with their mutual relationships in the full Microsoft security landscape (with thanks to Peter van Leeuwen / Microsoft):
Legend:

  Abbreviation   Explanation
  AAD            Azure Active Directory
  ADFS           Active Directory Federation Services
  MAM            Mobile Application Management
  MDM            Mobile Device Management
  MFA            Multi-Factor Authentication
  MIM            Microsoft Identity Manager
  NDES           Network Device Enrollment Service
  PIM            Privileged Identity Management
  RMS            Rights Management Services
  SCCM           System Center Configuration Manager
  SSO            Single Sign-On
  WIP            Windows Information Protection

Thursday, October 19, 2017

Tip: code snippet to enlarge an image in the context of a SharePoint page

Requested Web Content Management (WCM) capability: include a smaller / shrunk version of an image in the body of a page, and enlarge it on user click while remaining within the context of the page.

The rich SharePoint platform enables this with a small code snippet, by re-using the standard SP.UI.ModalDialog.showModalDialog function. Reusable code snippet:

<div>
   <script type="text/javascript">
       // Opens the full-size image behind the clicked preview in a SharePoint modal dialog
       function EnlargeImageInDialog(elem) {
           var imgUrl = $(elem).find("img").attr("src");
           // Map the web-size preview (/_w/name_png.jpg) to the original image (/name.png)
           imgUrl = imgUrl.replace("/_w/", "/").replace("_png.jpg", ".png");
           var popupImg =
                 "<div id='enlargeImg'><img src='" +
                 imgUrl +
                 "' style='margin: 5px; width:1200px;'/></div>";
           $(elem).append(popupImg);

           SP.UI.ModalDialog.showModalDialog({
              html: document.getElementById('enlargeImg'),
              title: "...",
              allowMaximize: false,
              showClose: true,
              autoSize: true
           });
       }
    </script>
    <a onclick="EnlargeImageInDialog(this); return false;" href="">
        <img src="/.../PublishingImages/_w/..._png.jpg" alt="" style="margin: 5px;"/>
    </a>
</div>
Example of the effect:
Smaller image (reference) in the web content page
Enlarged image displayed within the context of the web page via a SharePoint UI modal dialog popup
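An added variant of the snippet above (not the post's own code) that goes a bit beyond it: the preview-to-original URL mapping is a separate function covering _png, _jpg and _gif previews rather than only _png.jpg, the dialog content is built with DOM calls instead of concatenated markup, and the inserted node is removed when the dialog closes. It assumes SP.UI.ModalDialog is loaded on the page and that the clicked anchor wraps the preview img.

```javascript
// Added example, not the post's snippet. Assumes SharePoint's SP.UI.ModalDialog
// is available and the <a> passed in wraps the preview <img>.

// Map a "/_w/name_png.jpg" web-size preview URL to the original "/name.png".
// Generalised beyond the post: handles _png, _jpg/_jpeg and _gif previews.
function toFullSizeUrl(previewUrl) {
  return previewUrl
    .replace("/_w/", "/")
    .replace(/_(png|jpe?g|gif)\.jpg$/i, ".$1");
}

// Open the full-size image in a SharePoint modal dialog, staying on the page.
function enlargeImageInDialog(anchor) {
  var preview = anchor.querySelector("img");
  if (!preview) return;

  var container = document.createElement("div");   // no shared element id needed
  var full = document.createElement("img");
  full.src = toFullSizeUrl(preview.getAttribute("src"));  // set as a property, not markup
  full.alt = preview.alt || "";
  full.style.margin = "5px";
  full.style.maxWidth = "1200px";
  container.appendChild(full);

  SP.UI.ModalDialog.showModalDialog({
    html: container,
    title: preview.alt || "",
    allowMaximize: false,
    showClose: true,
    autoSize: true,
    dialogReturnValueCallback: function () {
      // Dialog closed: drop our node if SharePoint left it in the DOM.
      if (container.parentNode) container.parentNode.removeChild(container);
    }
  });
}
```

Wire it up as in the original markup, e.g. onclick="enlargeImageInDialog(this); return false;" on the anchor around the preview image.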