Contents tagged with Office 365

  • SharePoint Framework and Microsoft Graph access – convenient but be VERY careful

    Tags: SharePoint Framework, Office 365, Azure AD, Microsoft Graph, SharePoint Online, Security

    SharePoint Framework (SPFx) is a fantastic development model on top of (modern) SharePoint, for user interface extensibility, and it have evolved tremendously over the last year since it became general available. The framework is based on JavaScript extensibility in a controlled manner, compared to the older JavaScript injection mechanisms we used to extend (classic) SharePoint, that comes with a lot of power.

    Using SharePoint Framework our JavaScript has access to the whole DOM in the browser, meaning that we can do essentially what we want with the user interface – however, of course, we shouldn’t, only certain parts of the DOM are allowed/supported for modification. These areas are the custom client-side Web Parts we build (that squared box) or specific place holders (currently only two of them; top and bottom). For me that’s fine (although there’s a need for some more placeholders), but if you want to destroy the UX it is all up to you.

    In our client-side solutions we can call out to web services and fetch data and present to the user and even allow the end-user to manipulate this data. For a while now we’ve had limited access to Microsoft Graph, where Microsoft has done the auth plumbing for us, and now in the latest version (1.4.1) a whole new set of API’s to both call Microsoft Graph, with our own specified permission scopes, and even custom web services protected by Azure AD. Very convenient and you can build some fantastic (demo) solutions with this to show the power of UX extensibility in SharePoint Online.

    However – there are some serious security disadvantages that you probably don’t think or even care of if you’re a small business, a happy hacker or just want to build stuff. For me – designing and building solutions for larger enterprises this scares me and my clients…a lot!

    castle-1461009_640

    Some perspective

    Let’s take a step back and think about JavaScript injections (essentially SPFx is JavaScript injections – just with a fancier name and in a somewhat controlled way). It’s all very basic things, but from recent “social conversations” it seems like “people” forget.

    JavaScript running on a web page, has all the power that an end-user has, one could say even more power, since it can do stuff the user doesn’t see or is aware of. I already mentioned that JavaScript can modify the DOM – like hiding, adding or moving elements around. But it can also execute code, that is not necessarily visible. A good example is for instance to use Microsoft Application Insights to log the behavior of the user or the application – seems like a good thing in most cases (although I don’t think that many users of AppInsights understand how GDPR affects this – but that’s another discussion). We could also use JavaScript to call web services, using the information we have on the page to manipulate the state of the page, and also send data from our page to another page. All without the user noticing it. For good or for bad…let’s come back to the latter in a minute or so.

    No Script sites and the NoScript flag

    Before SharePoint Framework Microsoft introduced “No Script” sites to mitigate the issue with arbitrary JavaScript running in sites and pages. All modern Team sites, based on Office 365 Groups, and OneDrive sites are No Script sites. You can as an admin control the behavior of newly created SharePoint Sites using the settings in the SharePoint admin center (under settings):

    Bad settings for this...

    Depending on when your tenant was created (before or after the addition of this setting) your default settings may be different. My recommendation is, of course, to Prevent users from running custom scripts, to ensure that you don’t get some rogue scripts in there (see below).

    This setting can also be set on individual sites using the following SharePoint Online PowerShell command:

    Set-SPOsite https://contoso.sharepoint.com/sites/site 
    -DenyAddAndCustomizePages 0
    

    More information here: “Allow or prevent custom script

    This setting on a site not only affects JavaScript injections it also prohibits the use of Sandbox solutions and the use of SharePoint Designer – all good things!

    Script Editor Web Part – the wolf in sheep clothes

    “Our favorite” SharePoint extensibility mechanism, specifically for the citizen developers (or whatever you prefer calling them), has been the Script Editor Web Part (SEWP). As an editor of a site in SharePoint we can just drag the SEWP onto a page and add arbitrary scripts to get our job done and we’re done.

    The aforementioned No Script setting will make the Script Editor Web Part unavailable on these sites.

    The Script Editor Web Part does not exist in modern SharePoint. The whole idea with modern SharePoint and SPFx is that we (admins/editors) should have a controlled and managed way to add customizations to a site – and of course SEWP is on a collision course with that. Having that option would violate the whole idea.

    You can read much more about this in the SharePoint Patterns and Practices article called “Migrate existing Script Editor Web Part customizations to the SharePoint Framework”.

    But, there is now a “modern” version of the Script Editor Web Part available as a part of the SharePoint Patterns and Practices samples repository (which is a bit of a shocker to me). This solution is bypassing the whole idea of SharePoint Framework – controlled and governed JavaScript in SharePoint Online. And of course this is being used by a lot of users/tenants – since it’s simple and it works. If  you do use this solution you really should continue reading this…

    SharePoint Framework and Microsoft Graph = power?

    How does this relate to SharePoint Framework then? As I said, with SharePoint Framework we now have a very easy way to access the Microsoft Graph (and other Azure AD secured end-points) with pre-consented permission scopes. As a developer when you build a SharePoint Framework solution you can ask to be granted permissions to the Microsoft Graph and other resources. The admin grants these permissions in the new SharePoint Online admin center under API management.

    API Management in new SPO admin center

    For instance you want to build a Web Part that shows the e-mail or calendar on your portal page, you might want to have access to read and write information to tasks. The possibilities are endless and that is great, or is it?

    I think this is a huge area of concern. Imagine these user stories:

    As a user I would like to see my calendar events on my Intranet” – pretty common request I would say. This requires the SPFx Web Part developer to ask for permissions to read the users calendar.

    “As a user I would like to see and be able to update my Planner tasks” – another very common request. This requires the SPFx Web Part developer to ask for Read and Write access to all Groups (that’s just how it is…).

    Both these scenarios opens up your SharePoint Online solution for malicious attacks in a very severe way. Of course the actual permission has to be approved by an admin – but how many admins do really understand what’s happening when the business cries “we need this feature”.

    Note: this is not just a SharePoint Framework issue, but SPFx makes it so easy that you probably don’t see the forest for the trees. And this is also true for many of these “Intranet-in-a-box” vendors that has made their similar service to access mail/calendars etc from the Graph. It’s still JavaScript and if you allow a single user to add a script it can be misused.

    Rogue scripts

    Once you have granted permissions to the Microsoft Graph, by a single request from that fancy calendar Web Part, all other scripts in the whole tenant has those permissions. So your seemingly harmless Web Part has suddenly exposed your calendar for reading to any other Web Part. Assume that now the admin installs a weather Web Part (downloaded or acquired from a third party). This weather Web Part is now also allowed to read the users e-mail, even though it did not request it. And if that vendor goes rogue or already is, he or she can without the users knowing send all the calendar or e-mail details away to a remote server, while just displaying the weather. This requires some social engineering of course to make the admin install this Web Part. But what about allowing the modern Script Editor Web Part! And you piss an employee off…with just some simple JavaScript knowledge this user can then create a sweet looking cat-of-the-day web part or even a hidden one with the Modern Script Editor Web Part. Then send the boss to that page, and read all the bosses calendar events or e-mails, sending them to some random location somewhere…

    You still think this is a good idea?

    activist-anonymous-ddos-attack-38275

    And what about the second user story; where we need full read and write to all the groups, just to be able to manipulate tasks in Planner. It’s not much you can do, if you’re building this web part – you are opening up for so many more possibilities for “working with” groups and its associated features. This is not a SharePoint Framework thing, but a drawback in how Microsoft Graph works with permissions and the lack of contextual or fine-grained scopes in Azure AD. Same goes for reading/writing data from SharePoint sites – Azure AD/Microsoft Graph cannot restrict you to a single site or list – you have access to all of them.

    Remember how SharePoint Add-ins have Site Collection or list scoped permissions. I guess you all remember how we complained back then as well. That was some sweet days and we really want those features back. Well, we still have them – SharePoint add-ins are probably the best way to protect the users and your IP still…

    As I stated above, of course all SPFx solutions has to be added to the tenant app catalog – but, we also have the option of a site collection scoped catalog. So that’s another vector for insertion of seemingly nice solutions that can take advantage of the permissions you granted on a tenant level.

    The grey area between modern and classic sites

    Currently most SharePoint Online tenants is in a transition period between classic and modern sites. That is, they have built their SharePoint Online environment based on the “classic way” of building stuff, most often requiring script enabled sites. And now they want to transition to modern sites, without these scripting capabilities. Should they just add the new modern Script Editor Web Part or should they turn of scripting for all sites?

    If you turn this off I can almost guarantee that a lot of your sites will be useless. And in many cases your whole Intranet – specifically this happens with many of the “Intranet-in-a-box” vendor solutions. So be careful.

    So, what should I do?

    If you still think it is very valuable to build solutions with SPFx and Microsoft Graph the first thing you MUST do is to ensure that there is not a single site in your tenant with scripting enabled. You can do a quick check for this with this sample PowerShell command:

     get-sposite | 
      ?{$_.DenyAddAndCustomizePages -eq 'Disabled'}

    This will list all the site collections which still allow JavaScript execution using the Script Editor Web Part for instance. If there’s a single site in here, stop what you’re doing and don’t even consider granting SPFx any permissions.

    I wish we had this kind of notification and warning in the permission grant page in the new SharePoint Admin center. To make it very obvious for admins.

    Secondly, be very thoughtful on what solutions you are installing in your app catalog. Do you know the vendor, do you know their code, is their code hosted in a vendor CDN (warning signs – since they can update this without you knowing) etc? Do you have multiple vendors? Who have access to do this?

    So, you really need to do a proper due diligence of the code you let into your SharePoint Online tenant.

    A note on the CDN issue; when you add a SPFx solution to the app catalog all “registered” external script locations are listed. But this is not a guarantee. It’s only those that are registered in the manifest. As a developer you can request other resources dynamically without having them show up on this screen.

    Summary

    I hope that this gave you the chills, and that you start reflecting on these seemingly harmless weather web parts that you install. You as an admin, developer or purchaser of SharePoint Online customizations MUST think this over.

    1. Do we have a plan to move from script enabled sites to ALL sites with no custom scripts enabled
    2. Do we have the knowledge and skill to understand what our developers and vendors are adding to our SharePoint Online tenant
    3. Do we understand the specific permission requirements needed

    I also hope (and know) that the SharePoint Framework product team listens, this is an area which needs to be addressed. We want to build these nicely integrated solutions, but we cannot do it on behalf of security concerns. And it’s NOT about security in SharePoint or SharePoint Framework it is about how web browsers work. What we need is:

    1. Visibility – make it visible to the admins what is really happening in their tenant; script enabled sites, SEWP instances etc.
    2. Isolation – we need to be able to isolate our web parts, so that they and their permissions scopes cannot be intercepted or misused. In the web world I guess that Iframes is the only solution
    3. Granularity - Azure AD permission granularity – it’s not sustainable to give your applications these broad permissions (Group Write All). I want to give my app access to write in one Planner plan only and not in all groups.

    Thanks for reaching the end! I oversimplified some parts, but if you have any concerns, questions or issues with my thinking – don’t hesitate to debate, confront, question or agree with this post.

  • yo teams: a full Microsoft Teams extensibility Yeoman generator

    Tags: Microsoft Teams, Bot Framework, TypeScript, Yeoman, Office 365, Gulp, Git

    A couple of weeks back I published a Yeoman generator to build Tabs for Microsoft Teams. Since then I've continued to add stuff to it as the Teams team has continued to add features to their extensibility story. So, this generator is not only for creating Tabs, but now also for adding Bots and Custom Bots to Microsoft Teams. With that I decided to rename the generator to yo teams (generator name is generator-teams).

    I'm very thankful to the over 600 downloads within less of a month, and all the positive feedback, the issues and PR created. Keep it coming.

    What's new?

    The two big new features of the generator is the ability to add either a reference to an existing bot that you want to use (your own, or any bot in the Bot Framework directory) or to create a bot from scratch, using the Bot Framework. You can also add a custom bot, which is a Microsoft Teams specific webhook that acts like a bot, which can be used by specific Teams only and you don't have to add it to the Bot Framework - perfect for those internal smart bots you want to build.

    yo teams

    The source code has also gone through some heavy refactoring with sub-generators and all. There's more to come…

    Both the Bot and Custom bot uses the JavaScript/TypeScript implementations of the Bot Framework and you have some boilerplate code to get started, including readme files of the essentials.

    If you have any issues, or feedback, or problem or just feeling chatty, then use the Issues list on Github.

    What do I need to do?

    If you already used the old generator, uninstall it with npm uninstall generator-teams-tab --global and then install the new generator with npm install generator-teams --global. All your current solutions will work, but I recommend you to, if you feel like it, to "move" all your code over to a newly created project.

    The old npm package is deprecated and you will get a warning if you try to install it.

    The Github repository has been renamed, but the old one will still redirect you to the correct location. You can find it here: https://github.com/wictorwilen/generator-teams

  • Congratulations to the Microsoft Teams team on an excellent delivery

    Tags: Microsoft Teams, Office 365

    A big round of applause for Microsoft and the team behind Microsoft Teams for now being general available (GA) worldwide. Today, they lit up the Teams icon in the Office 365 waffle for all tenants (unless your admins are being boring and has turned it off).

    image

    It's been awesome to be a part of this preview journey, which started last summer. Avanade was selected as one of the TAP members, in a preview program shrouded in a secrecy I've not seen at Microsoft before. Our IT department slowly trickled it out, so that we had a chance of learning how Microsoft Teams could fit into our organization and our way of working. A big thanks to David who have mastered the preview program internally.

    When Microsoft Teams was unveiled to the public, back in November, we did our first point-of-view based on our experience so far. Since then I would say that the way we work has changed dramatically. Many of our teams and interest groups has quickly adopted this new chat-based workspace - not just for chatting but as the preferred channel for communication and collaboration. It fits our style of work perfectly, given how spread out our teams are and the different time zones we're working in.

    Personally I've been way more effective in my work since we started to adopt Microsoft Teams. The number of unnecessary e-mails has gone done dramatically, my inbox is not flooded with simple questions, or links, or things that can more easily be expressed through a chat. One thing that has surprised me is how much more we use the ad-hoc chats compared to what I've expected, we don't all have to be online at the same time - you can easily go back and see what's been discussed while you were away or in a meeting. Sharing of files and notes is so much easier now and it allows us to have an ongoing discussion about them.

    It's been a blast discussing Microsoft Teams with my clients. And I'm thrilled that some of them now are leading with "Teams first" - that is you create a Team, not a SharePoint team site, not an Office 365 Group. You get them for free with Teams anyways. This will change the way collaboration is done for enterprises going forward, without doing trade offs for compliance, governance and security.

    This is the first release of many to come. And they number of features that has popped up over the last few months are incredible. And I'm sure we will see some more productivity enhancers going forward.

    Once again, thank you to the team behind Microsoft Teams.

  • yo teams-tab: A Microsoft Teams Tabs Yeoman generator

    Tags: Microsoft Teams, Office 365, Yeoman, Git, Gulp

    I'm happy to announce that today at SharePoint Saturday Munich I presented a new Yeoman generator for building Microsoft Teams Tabs projects. Tabs in Microsoft Teams is a great way to extend the user interface and to do integrations to other systems and provide visualizations. Tabs are based on a JavaScript framework, a set of web pages and a manifest describing the Tab. It requires a set of manual steps to both build out the pages, configuring CSS, hooking up the JavaScripts, deploying it all to a web site hosted in the cloud, writing the manifest, packaging the manifest into a zip file and more.

    With the Teams Tab generator you can in an easy manner scaffold out the project and get a build and deployment pipeline, and be up and running in a few minutes.

    yo teams-tab

    The project that will be created is a TypeScript based project with a set of Gulp tasks to build the project and package the manifest, and optionally a built-in Express server to host the web sites and configuration so that you can with a simple command deploy your project to an Azure Web App.

    How to get it

    The generator is published as an npm package and you use npm to install it. The following command will install it as a global package for you to scaffold your Teams tabs.

    npm install generator-teams-tab --global

    How to use it

    To create a new Teams Tab all you need to do is open up a command prompt and use Yeoman to create the project. The generator will ask you a set of questions and your project will configured based on those.

    yo teams-tab

    How to use the project

    The project contains all source code you need to build and deploy tabs. Use Visual Studio Code or whatever text editor you prefer. The source code is divided into two areas. The first one being the actual tabs (pages and scripts), located in ./src/app You will find one folder called web which contains the web pages required for a tab; such as the actual tab page, the configure page and remove page. In the scripts folder you will have the TypeScripts file in which you build the logic for your tabs. For instance the actual main tab page, tab.html, has a corresponding tab.ts TypeScript file. You'll get it…

    In the ./src/app folder there is also a TypeScript file called server.ts. Note, this file only exists if you answers yes to the question on using Express to host the Tab. This file is the server side node.js web server. If you need to modify the paths or want it to do fancier stuff than just client-side scripting this is where you start hacking.

    There's also a folder calle ./src/manifest which contains the Tab manifest. A json file you might want to configure. And that folder also contains the two images you need to have for a Tab.

    The tab project

    How to build it

    You build the tab by using a simple Gulp task that will transpile and bundle your TypeScript into JavaScript and sets up the web server. Just use the following command to build it

    gulp build

    Once you've built it you can follow the instructions in the README.md file to deploy it to an Azure Web App.

    The manifest for the tab is created by using another Gulp task:

    gulp manifest

    This task will create a zip file that you use to upload to your Teams team and it references the specified web site hosting the tabs. The file being created is located at ./package/tab.zip

    This is great, but I want to…

    I know, you want to have more stuff in the generator. It's all available on Github for you to grab and hopefully come back with suggestions. Go git it here: https://github.com/wictorwilen/generator-teams-tab

    I'm looking forward to feedback and I'll keep updating the generator in line with what the Teams team are doing with their JavaScript framework, which is currently at 0.4.

    glhf

  • SharePoint Framework has now reached General Availability - such a great journey

    Tags: SharePoint Framework, Office 365, SharePoint

    Let me start with congratulating the SharePoint Framework team on an amazing job and an amazing journey reaching this GA milestone.

    The SharePoint Framework plays a significant part of the SharePoint future, yes - this is only the first version with a lot of new features on the way, and it is a part of the new SharePoint wave. I've haven't seen this interest in SharePoint for many years and I'm glad I'm still in this business. Delivering top notch collaboration solutions for our clients at Avanade. The SharePoint Framework will make it easier for us to customize SharePoint and it will also bring a lot more value for our clients in the end allowing them to stay evergreen and not being tied into "workarounds" and pesky SharePoint Designer hacks or arbitrary JavaScript snippets.

    I'm extremely glad that I've been a part of this journey, seeing the team making the awesome stuff they've done. For me it started back in the fall of 2015 when we we're shown some very early ideas on where to go next and also some whiteboard sessions where we had an open and frank discussion about what the requirements were from the field. This openness is something that I think has made the difference this time and made the SharePoint Framework into what it is. All discussions was kept very secret and I'll tell you it was hard not to cry out to everyone how excited I was on the progress.

    Early 2016 I was part of the first DevKitchen, where we had the opportunity to use SharePoint Framework for the first time. The team had only in a couple of months created something that actually worked! It was very satisfying to build that first web part (I do think that I was the first outside of Microsoft that actually built a client-side Web Part!).  The framework had its quirks and issues back then, but they kept the speed up and delivered. A few more DevKitchens were hosted and finally in May they revealed the SharePoint Framework to the public.

    Just after the summer everyone could get their hands on the first public release of the SharePoint Framework and the SPFx Team opened the floodgates of feedback through their Github repository. It has been fantastic to see all the support, wishes, bugfixes, samples and documentation that the public (and specifically Waldek) has produced to support the SharePoint Framework. And how fast and agile the team has responded to all the requests and issues. This is how Microsoft should build more stuff!

    I've tried to do my best giving feedback as a consultant, developer and things my clients need. I'm particular proud of the enterprise guidance documentation that I've helped with. I absolutely love being part of this community.

    Now, we're here, within a few weeks all tenants in Office 365 should be able to use the SharePoint Framework to build great stuff and awesome client-side Web Parts. We're already in the midst of porting our solutions to take advantage of the SharePoint Framework and getting it in the hands of our clients.

    Thank you to the SharePoint Framework Team - I'm so looking forward to what's happening next. See you in a few weeks in Redmond ;-).

    Let's make SharePoint great again!

  • Configuring Office 365 Groups creation the right way

    Tags: Office 365, Office 365 Groups, Azure AD

    Over the last few days the issue on how to prevent users to create Office 365 Groups has popped up in all sorts of conversations. This blog post will show you how to do it in the correct way, and serve as a future reference. I'm not the only one who have blogged about this, it's in many places including official documentation. But in many places both scripts and some caveats are either wrong or outdated. One post covers this topic really well, and in a good and correct way and it's this post by John P. White - Disable Office 365 Groups, part 2. Read it! This post however will show you how to do it in a more direct way, using PowerShell.

    Background

    We used to prevent end-users from creating Office 365 Groups (from now on referred to as only Groups) using an OWA Mailbox policy. Even I have a blog post on that topic. But this way to do it is outdated. That mailbox policy only applies to Groups being created from OWA (Outlook Web Access, Outlook on the web…whatever) and Outlook. It did not prevent people from creating Groups using Microsoft Teams, Planner, StaffHub, PowerBI, Dynamics 365 and what not.

    How to do it properly

    Instead of continuing to building the settings on the Mailbox policy setting, this setting has now moved to Azure AD. You can even see it in the "new" Azure Portal, although it doesn't really reflect the real settings and not all settings.

    Azure AD Settings for Office 365 Groups

    The way to do it is to use PowerShell and essentially follow the official documentation. The problem with that article however is that it contains a few errors, is not updated, has some weird scripts and is just to darn long to read through. So, here's a my PowerShell for this. You can find the complete script in this Gist.

    Prerequisites

    To be able to run the PowerShell you need to install some stuff

    • The Microsoft Online Services Sign-in assistant
    • The Windows Azure Active Directory Module for PowerShell - and here's a big thing. You MUST (at the time of writing) only use the preview version, with version number 1.1.130.0-preview found here. Do not try to download the higher version with version number 1.1.166.0 - it will not work.

    Now, we got that out of the way, let's get to the fun stuff.

    Scripting FTW

    First we need to log in to our tenant using an admin account. I prefer to use a the Get-Credential method over the dialog option, makes everything more smoother.

    # Store the credentials in a variable
    $creds = Get-Credential
    
    # Connect to the Microsoft Online services
    Connect-MsolService -Credential $creds 
    
    

    The next thing is to make sure that users are allowed to create Groups, we'll limit it later. Make sure you use the script below and not the one in the official article as they have spelling errors on the variable.

    # Get tenant setting (misspelled in official docs)
    Get-MsolCompanyInformation | Format-List UsersPermissionToCreateGroupsEnabled
    
    # If false, then use the following
    Set-MsolCompanySettings -UsersPermissionToCreateGroupsEnabled $true
    
    

    To limit the users allowed to create Groups we need to have a security group with members in Azure AD. And we need the Id of that group, so we'll grab it with some PowerShell:

    # Retrieve ID of Group that should have the option to create groups
    $group = Get-MsolGroup -SearchString "Group creators" 
    
    

    The settings we need to set are contained in an Azure AD object, created from a template. We retrieve that template using the following command and create our settings object like this:

    # Retrieve the Group.Unified settings template (assuming you have not done this before)
    $template = Get-MsolAllSettingTemplate | Where-Object {$_.DisplayName -eq "Group.Unified"}
    
    # Create the settings object from the template
    $settings = $template.CreateSettingsObject()
    
    

    Once we have the settings object, we can start setting properties.

    • EnableGroupCreation - should be set to false. We negate the tenant setting here, and we'll override it soon again for the specific security group
    • GroupCreationAllowedGroupId - this is the Id of the security group that are allowed to create Groups
    • UsageGuidelinesUrl - a URL pointing to your usage guidelines. Optional, but recommended
    • GuestUsageGuidelinesUrl - a URL pointing to usage guidelines for external users. This link will be shown in the external sharing e-mails and should of course be on a public available location. Optional, but recommended
    • ClassificationList - a comma separated list with your classification labels. Optional. Currently the first one in the list will be the default one. (does not work in all tenants at the time of writing)

    There's some more properties that you can take a look at, and over the last few weeks even some more popped up (without any documentation).

    # Use this settings object to prevent others than specified group to create Groups
    $settings["EnableGroupCreation"] = $false
    $settings["GroupCreationAllowedGroupId"] = $group.ObjectId
    
    # (optional) Add a link to the Group usage guidelines
    $settings["UsageGuidelinesUrl"] = 
      "https://contoso.sharepoint.com/Pages/GroupUsageGuidelines.aspx"
    
    # (optional) Add a link to Guest usage guidelines
    $settings["GuestUsageGuidelinesUrl"] = 
      "http://contoso.com/usageguidelines"
    
    # (optional) Add classifications to be used for Groups
    $settings["ClassificationList"] = "Public,Internal,Top Secret"
    
    # Verify
    $settings.Values
    
    

    Now we have the settings and all we need to do is to add them to Azure AD:

    # Add the settings to Azure AD
    New-MsolSettings -SettingsObject $settings
    
    

    And from now on, only members of the security group can create Office 365 Groups using all endpoints such as Planner, Teams, PowerBI, Microsoft Graph REST etc. BUT StaffHub still ignores this setting!!!!! Aaargh!

    Need to update the settings?

    If you need to update the settings, or there are new properties that you want to configure, then use the PowerShell below. The one(s) in the official documentation is really weird written…

    # Retrieve settings
    $settings = Get-MsolAllSettings | Where-Object {$_.DisplayName -eq "Group.Unified"}
    
    # Check the values
    $settings.Values
    
    # Update a property
    $settings["GuestUsageGuidelinesUrl"] = "http://www.wictorwilen.se"
    
    # Save the updates
    Set-MsolSettings -SettingId $settings.ObjectId -SettingsValue $settings.GetSettingsValue()
    
    

    Summary

    That's it. It's not rocket science. Looking forward to further settings and also a proper UI in the Azure portal for the lazy people.

    The PowerShell is a bit weird though, should have had a review by the PowerShell team before going into the production in my opinion.

  • The end of my Office 365 Roadmap updates

    Tags: Office 365

    As many of you have noticed I have not been posting my What's new on the Office Roadmap updates. Well, I've been on a vacation not trying to think of Office 365 to start with, and then also, I'm ending my series of these posts. Sorry.

    I have to start with saying that I love the amount of changes we see now in the Office 365 service. The team(s) is/are doing an amazing job with kicking out new features and updates in some areas. Our favorite SharePoint is killing it with features at the moment, and more is to come. And do believe this will continue for the foreseeable future.

    Why? Why, do you do this? There's plenty of reasons for me ending this series. It's been going on now since March last year (which is way longer than I expected) and it was exactly 50 posts! So plenty of updates has been going on.

    First of all it still takes me humongous amounts of time compiling each post, figuring out what's changed, what each change actually means, filtering out false changes, going back to my old change posts, coping with errors in the changes etc etc.

    But most importantly the reason I stop doing this is that the Roadmap does not really reflect the changes going on (yea I know, Roadmap and changes are not the same). Using the Roadmap as a guide on what's to come is not that accurate that I hoped, sorry. And the #1 reason that I started this series was to get the Office 365 team to understand that we need a Roadmap where one can see changes, one that you understand the changes and one that you can trust, otherwise there's no point! There's no point giving you examples, there's to many. After a year and half very little has happened…

    I'm going to miss it though. I've had some fantastic online and offline support of these posts and I enjoyed adding some personal touch to my "analysis". Some liked it, and some despised it to the extent that I'm actually persona non grata in some "communities". I'm probably to close to the truth and far to many people have hard to understand irony…

    Nevertheless…if you still want to find out what's happening on the Office Roadmap site, the PowerShell script I had scheduled is available as a Gist on Github.

    Thanks for all the support!

  • What's new on the Office Roadmap - 2016-05-20 - SharePoint Saturday Stockholm Edition

    Tags: Office 365

    Happy Friday and welcome back to another Office Roadmap update. This time the day before the big SharePoint Saturday, here in beautiful Stockholm, where we all are going to indulge on the goodness that was announced a couple of weeks back at the SharePoint Futures event.

    Lot of new stuff in the mobile space this time around.

    Changes 2016-05-20

    Launched

    • Windows Universal App: OneDrive UWP (Universal Windows App) are now launched and live (new)
    • User Activity Reports: Compliance center improvements for OneDrive/SharePoint on document views/edits/downloads etc (from in development)
    • Intelligent Discover for Android: Discover (Office Graph) view in the Android OneDrive app (new)
    • Mobile Access to SharePoint Online for iOS: Access your SharePoint files from the OneDrive app (new)
    • Office 365 Groups: easily add users from a distribution list to a group: this is cool, now you can add all members from a DL to an O365 Group instead of one user at a time (new)
    • Self-service NGSC setup and goove.exe takeover: Simplified setup for NGSC (Next Gen Sync Client). Finally. Goove.exe (giggles) (new)

    Rolling out

    • Office 365 Groups: scripts to migrate Distribution Lists (DLs) to Groups: Some sweet scripts for migrating DL's to O365 Groups (new). Funny it's listed as rolling out, the script is there! What's missing.
    • Project Online - Developer Samples: Project Online goes Github: http://aka.ms/pppmapisamples (new)
    • Project Online - OData performance improvements: and when they have some sample code, they of course want it to perform (new)
    • SharePoint home in Office 365: the new SharePoint Home tile is being rolled out. Check /_layouts/SharePoint.aspx in your tenant. (from in development).
    • Office integration added back to NGSC: improved office integration in the NGSC (Next Gen Sync Client) (new)
    • Improved image attachment viewing in Outlook on the web: Always nice to see improvements to the web client, it's now way ahead of the desktop one, this time big thumbnails and side by side view (new)

    In Development

    • Annotating and inking for Mac: Draw using your mouse on you Mac - cause you suck and don't have touch on that shiny thing (new)
    • Copy and move to SharePoint:
    • Intelligent Discovery for iOS: Discover (Office Graph) for the iOS OneDrive app (new)
    • Intelligent Discovery for Windows Phone: Discover (Office Graph) for the Windows Phone OneDrive app (new). Anybody want to buy a couple of Lumias, I have several as paper weights.
    • Mobile Access to SharePoint Online for Android: Access SharePoint files and not only OneDrive on your Android OD4B app. (new)
    • Mobile Access to SharePoint Online for Windows Phone: Access SharePoint files and not only OneDrive on your WP OD4B app (new)
    • Office 365 Groups: Exchange Admin Center (EAC) UI for migrating Distribution Lists (DLs) to Groups: Evolution of the migration scripts mentioned above. You will soon be able to migrate from DL's to Groups using a single button in the Exchange Admin Center. Nice! (new)
    • OneDrive for Business Shared folder Sync: this is a nice new feature. If someone shares a folder with you from their OneDrive you will be able to sync them (new)

  • What's new on the Office Roadmap - 2016-05-13

    Tags: Office 365

    imageHey, happy Friday the 13th! Here's a small Office Roadmap update for all of you Jason fans!

    Not that many changes this time around, but still interesting, and a lot of Outlook 2016 for Mac releases.

     

    Changes 2016-05-13

    Now Launched

    • eDiscovery Case Management, Hold & Permissions: the new eDiscovery features are now fully rolled out (from in development)
    • Enter full screen view in Outlook 2016 for Mac: the full screen view for Mac Outlook as announced in January are now out. (new)
    • Find a meeting room in Outlook 2016 for Mac: and so is the possibility to find a meeting room on your Mac (new)
    • Office 365 Groups: ability to update privacy type: you can now as a Group owner change the privacy type of your Groups (public or private) (from rolling out)
    • One-click Archive: The on-click archive feature in Outlook on Mac are now also fully rolled out (from rolling out)
    • Outlook 2016 for Mac two step authentication: And you can also log in using two factor authentication on your Mac (new)

    Rolling out

    • New editor for Outlook 2016 for Mac: And if you're lucky you might even be getting the new editor in Mac so you can use "more fonts and colors". (new)
    • Project Online - Removing the upper limit on number of PWA instances per tenant: after this update you will be able to have unlimited number of PWA instances, was previously only 7. (new)
    • Right to Left language support in Outlook 2016 for Mac: and if you write your stuff from right to left you can now use Outlook 2016 on your Mac, without writing backwards (new)

    In Development

    • FastTrack | Dropbox to OneDrive for Business Migration: If you are using Dropbox you can soon get help from the FastTrack center to get yer files out of there (new)
    • New usage reports for SharePoint, OneDrive and Mailbox Storage: the new admin UI will get better and improved reports for storage usage in SharePoint and Exchange. (new)
    • Office 365 Usage Reporting APIs: and not only that, you can suck that data into your own apps as well (new)
    • SharePoint mobile app for iOS: Nothing new here, it's just a rename from "The new SharePoint mobile app" to "SharePoint mobile app"

  • What's new on the Office Roadmap - 2016-05-06 (Future of SharePoint edition)

    Tags: Office 365, SharePoint Framework

    The Office Roadmap updates with the new announcements from the Future of SharePoint event has arrived (they arrived May the 4th to be precise). I'm back from the event and San Francisco and I'm full of the energy that the SharePoint team transmitted.

    You should specifically take a look at the In Development part here. That's where we got the new and fresh stuff from the Future of SharePoint event.

    Changes 2016-06-06

    Now Launched

    • Delve Analytics: Do you want all the details on how and when you work Delve Details and an E5 subscription is all you need (from in development)
    • Drive Shipping and Network Based Data Import for Office 365: Fast Track is getting more and more mature with import options (from in development)
    • FastTrack | Box to OneDrive for Business Migration: Still using Box? Get your files over to OneDrive with Fast Track (from in development)
    • FastTrack | Expanded language support: More languages available in the FastTrack (new)
    • FastTrack | Power BI onboarding support: And Fast Track Power BI is now live (from in development)
    • Multiple timeline bars in Project Online: This must be one of the features that's been jumping back and forth the most on the roadmap (from rolling out)
    • Office 365 Groups: multi-domain support: This is one of the most important feature releases of Groups. Read this article for full details and configuration options. (from in development)
    • Office 365 Reporting Dashboard: Better reporting in the admin center (from rolling gout)
    • OneDrive for Business Recent Files to Sway: Easier access to your OneDrive docs in Sway (from in development)
    • Skype for Business App SDK: Get your coding skills on and build some Skype Apps (from in development)
    • Skype for Business Mac Preview 1: The long awaited Skype Mac client is not out. Feedback on it has been moderate at best though (from in development)
    • Updated people profile experience in Office 365: The Delve profile page is now fully rolled out. I wonder if Delve will stay as the document discovery feature or if it just will be renamed to "My Profile" or "People" or something, which would make total sense(new)
    • Yammer user profile update from Azure AD: The one-time sync from Azure AD is now launched. Wonder if we ever will see a proper sync? (from in development)

    Rolling out

    • Basic Chat: Basic Skype chat from the Skype icon in mail - it doesn't say that it's web based, but I guess it is(new)
    • Office 365 Groups: usage guidelines: A very important update, this allows you to modify the usage guidelines for Groups (another feature copied from Yammer) (from in development)
    • SharePoint Online - modern document library experience: The new doc lib experience, mayhaps rolled out a bit early and without any guidance (new)

    In Development

    • eDiscovery Case Management, Hold & Permissions: more permissions control for eDiscovery and compliance stuff (from rolling out)
    • New AutoCAD file format support in Visio: AutoCAD file support in Visio… (from rolling out)
    • Office 365 Groups: search Groups files using Office Delve: Searching should now show documents from Groups (new)
    • SharePoint home in Office 365: Finally Office 365 and SharePoint will get a proper home page. The Sites tile will be renamed and now point to this page. You can read more about this feature here. (New)
    • SharePoint Online – Client-side Web Part for Existing SharePoint Pages: The new customization features announced at the Future of SharePoint Event. Client-side Web Parts created using the new SharePoint Framework on existing SharePoint pages. Read my post about it here (new)
    • SharePoint Online - modern lists experience: A new lists experience, very similar to the new doc lib experience. A great and modern looking UX. (new)
    • SharePoint Online - SharePoint Framework: The new client-side framework that will be used to make the future customizations and development of SharePoint. This is the Framework that Microsoft will build the new "NextGen" portals and the one we will use. There's much more to read about this here. (new)
    • SharePoint Online - Site activity and insights on the Site Contents page: Each site will get its own set of statistics that shows you how the site is used and what activities are going on (new)
    • SharePoint Online – Webhooks on SharePoint Document Libraries: One of the first new extensions to the SharePoint APIs. I'm glad they are using standardized Webhooks, instead of some weird remote event receivers. Hopefully we'll get the same for lists (new)
    • The new SharePoint mobile app for iOS: Announced as the "Intranet in your Pocket". The new SharePoint App will first come for iOS (actually I'm already using it) and then later for Android, and if Windows Phone is still alive by the end of this year those two users might get it as well (new)

    Cancelled

    • Class Notebook: limit sharing and deletion of section groups: This is just weird, this was rolled out the other week and is now all of a sudden cancelled (from rolling out)

About Wictor...

Wictor Wilén is the Nordic Digital Workplace Lead working at Avanade. Wictor has achieved the Microsoft Certified Architect (MCA) - SharePoint 2010, Microsoft Certified Solutions Master (MCSM) - SharePoint  and Microsoft Certified Master (MCM) - SharePoint 2010 certifications. He has also been awarded Microsoft Most Valuable Professional (MVP) for seven consecutive years.

And a word from our sponsors...