Wednesday, 15 February 2017

MMS hybrid between SP2013 and O365 and SP2016 farms

Problem:  A lot of large enterprise customers have a central Managed Metadata Service (MMS), including the Content Type Hub (CTH), that their SharePoint farms subscribe to.  You are on-prem. with this centralised MMS and CTH.  Now you want search to work on your O365 public tenant and you want to use SP2016 on-prem.  It may be even more complicated if SP2016 is installed on Azure and there is no direct access to the on-prem SP2013 CTH.

Initial Hypothesis:  You want a central production MMS that all SP farms subscribe to, but you can't subscribe a SP2016 farm to the SP2013 central MMS.  O365 can't subscribe to a different MMS either; you need to use the Microsoft-hosted MMS in the tenant and sync the term store into it using CSOM, or a tool that uses CSOM under the covers.  When crossing domains, such as a DMZ that does not allow inbound connections, look at chaining CTHub solutions.

Restoring the MMS to another farm (see also moving the MMS database, think Prod to development workstations) is straightforward if you merely want another copy of the MMS: use Export-SPMetadataWebServicePartitionData to export the MMS data and then import it into the target MMS proxy using Import-SPMetadataWebServicePartitionData.  The best post on exporting and importing while ensuring GUIDs are maintained is here.  Andrew Connell has a great series on MMS and one of his posts looks at copying the MMS instance from Prod to Development.
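
The export/import round trip described above, written out as an added example (this is not code from the original post): the source half runs in the SharePoint Management Shell on the farm that owns the term store, the import half on the farm receiving the copy.  The site URLs, the proxy display name and the UNC share are assumptions; the cmdlets and their -Identity, -ServiceProxy, -Path and -OverwriteExisting parameters are the real ones.

```powershell
# Added example (not from the original post): copy a Managed Metadata Service
# term store from one farm to another while preserving term GUIDs, using the
# two cmdlets named in the post. Run as a farm administrator in the
# SharePoint Management Shell. URLs, proxy name and share path are assumptions.

# ---- Source farm (e.g. production) ------------------------------------
# -Identity takes any site collection in the farm; in a non-partitioned farm
# the "partition" is simply the whole service application.
$sourceSite = "http://prod.contoso.local"
$exportPath = "\\fileserver\mmsexport\mms.cab"
$proxyName  = "Managed Metadata Service Proxy"   # confirm with Get-SPServiceApplicationProxy

$sourceProxy = Get-SPServiceApplicationProxy | Where-Object { $_.DisplayName -eq $proxyName }
if (-not $sourceProxy) { throw "MMS proxy '$proxyName' not found on this farm" }

# The export is carried out by SQL Server on behalf of the farm, so the path
# must be a UNC share the SQL Server service account can write to. The .cab
# contains the entire term store, so keep the share ACL tight and delete the
# file once the import has completed.
Export-SPMetadataWebServicePartitionData -Identity $sourceSite -ServiceProxy $sourceProxy -Path $exportPath

# ---- Target farm (e.g. development) -----------------------------------
$targetSite  = "http://dev.contoso.local"
$targetProxy = Get-SPServiceApplicationProxy | Where-Object { $_.DisplayName -eq $proxyName }
if (-not $targetProxy) { throw "MMS proxy '$proxyName' not found on this farm" }

# -OverwriteExisting replaces whatever is in the target term store. Term sets
# and terms keep the GUIDs they had in the source, which is what keeps managed
# metadata columns on migrated content bound to the right terms.
Import-SPMetadataWebServicePartitionData -Identity $targetSite -ServiceProxy $targetProxy -Path $exportPath -OverwriteExisting

# Sanity check: list group / term set / GUID on the target so it can be
# compared with the same listing taken on the source farm.
$session = Get-SPTaxonomySession -Site $targetSite
$store   = $session.TermStores | Select-Object -First 1
foreach ($group in $store.Groups) {
    foreach ($termSet in $group.TermSets) {
        "{0} / {1} : {2}" -f $group.Name, $termSet.Name, $termSet.Id
    }
}
```

Run the sanity-check loop on both farms and diff the output; a term set whose GUID differs between the two listings was recreated rather than imported, and columns bound to it on migrated content will show broken values.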

In Progress....

Sunday, 11 December 2016

Extranet Authentication Options for SharePoint 2013

Overview: Most large enterprises using SharePoint have implemented Extranet solutions, and these vary greatly in complexity.  Many implementations I have seen have morphed into bizarre solutions, generally due to the tactical solutions implemented over time rather than poor architecture.  It is the nature of these projects to get something out, and with the rapid change in authentication over the past 5 years tons of businesses have landed in complex scenarios.

Office 365 has grown quickly and using Office 365 is generally a good idea; however, a lot of organisations are still resistant due to a variety of concerns such as regulatory compliance and trust.  Microsoft is definitely removing these barriers and I'd lean towards hosting the SharePoint Extranet in the cloud in the majority of situations.  The biggest barriers to moving to the cloud are Executive-level buy-in, followed by senior IT folks who are biased towards sticking to what they knew 10 years ago.   So a lot of the change is around education and providing a clear road-map.  The biggest technical hurdle will be around identity management.

Pretty much every organisation I deal with uses Active Directory, and then you may have a Federation Service, normally ADFS.  You may have your external users in the same AD, in a dedicated DMZ AD, or in any other user directory including SQL or another LDAP provider.

Using Office 365/SharePoint Online I need to get both my internal and external users working with Office 365, and depending on the client setup I need to work through both scenarios and think about the ramifications.

Note:  Ramifications include resetting user passwords, whether search works for all users, and where the data resides.

Possible Options:

  • AzureAD - Azure's ACS holds the user accounts
  • Federated Identities - use ADFS and build a trust with ACS; identity and password stay under our company's control
  • AD sync to AzureAD - think DirSync; the current tooling is Azure AD Connect


Sunday, 23 October 2016

South Africa Compliance & O365

Yesterday (22 Oct 2016) I presented at SharePoint Saturday Cape Town on securing your data on O365 and SharePoint. I believe that South Africa is going to have massive requirements around compliance, and here are a few reasons why:
  1. POPI
  2. FSR bill in parliament at the moment; this will enable twin peaks
  3. National Credit Amendment Act regulates credit institutions
  4. FIC Amendment Bill, also in parliament, to govern anti-money laundering
  5. Banks Act governs banks
  6. Long-term and Short-term Insurance Acts
  7. Consumer Protection Act
Additionally, all of the Big 4 are viewing big data and compliance as mega trends.

If you understand O365 security at the authentication level and application level you are well placed for the future.

Note: By application level I am referring to things like DLP, EMS, retention policy, ...

Friday, 12 August 2016

Mobile Platform Development for SharePoint 2016

Overview:  There are various options for building mobile applications.  The simplest answer is to have a fully responsive web page that mobile users interact with through the mobile device's browser.  Another option is to write code for each platform, for example write an iOS application that would be loaded into the App Store; this requires multiple source code bases to be maintained.  An improvement on this approach is to use a tool that creates a version for multiple stores from a single source.  So write once and deploy to the Microsoft, Android and Apple stores; PhoneGap and Xamarin are examples.

Xamarin uses C# code and compiles executable applications for each target mobile store such as iOS, Windows and Android.  Xamarin uses its own IDE or an add-in for Visual Studio.

PhoneGap is also referred to as Cordova.  PhoneGap creates the web application using HTML5, CSS and JS and wraps this web application in a platform control/container.  In effect, the HTML page is hosted in each platform's executable within a web control.  The exe can interact with the web pages:

Unity is another development platform, probably the 3rd biggest, and generally favoured for gaming.

Summary:  Responsive Web Design works on the mobile device as a native HTML app using the mobile browser.  If you need to interact with the phone's features or you need to write an application for the platform's store, rather use Cordova/PhoneGap, where you write once and distribute to each desired platform.

Updated: 29 August 2016
More Info:

Tuesday, 7 June 2016

Excel Services REST API - SP2013 Notes

"Excel Services is a service application that enables you to load, calculate, and display Microsoft Excel workbooks on Microsoft SharePoint 2013. Excel Services was first introduced in Microsoft Office SharePoint Server 2007."  MSDN

There are 4 ways to interact with Excel using Excel Services; this article only looks at utilising the REST API.  The figure below provides context, showing an Excel file with a list of countries and their 3-digit ISO codes.
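
As an added example (not code from the original post), the following reads a cell range out of a countries workbook like the one in the figure through the Excel Services REST endpoint.  The site URL, library, file and sheet names are assumptions; the /_vti_bin/ExcelRest.aspx path, the Model/Ranges('...') addressing with '|' as the range separator and the $format query parameter are the Excel Services REST conventions.  The parsing of the Atom response assumes cell values arrive in elements named v, which is also an assumption to verify against your farm's output.

```powershell
# Added example (not from the original post): fetch a range from a workbook
# via the SP2013 Excel Services REST API. Site, library, workbook and sheet
# names are assumptions.
$siteUrl  = "https://sp2013.contoso.local/sites/data"
$library  = "Shared Documents"
$workbook = "Countries.xlsx"
$range    = "Sheet1!A1|B5"     # REST range syntax uses '|' where Excel uses ':'

# Build the request URL. Each path segment is escaped on its own so the space
# in the library name and the '!' and '|' in the range survive the trip.
$restUrl = "{0}/_vti_bin/ExcelRest.aspx/{1}/{2}/Model/Ranges('{3}')?`$format=atom" -f `
    $siteUrl,
    [uri]::EscapeDataString($library),
    [uri]::EscapeDataString($workbook),
    [uri]::EscapeDataString($range)

# Refuse to send Windows credentials over plain HTTP.
if (-not $restUrl.StartsWith("https://")) { throw "Use HTTPS for the Excel Services endpoint" }

# Excel Services enforces the caller's SharePoint permissions on the workbook,
# so call it as the interactive user rather than a shared service identity.
$response = Invoke-WebRequest -Uri $restUrl -UseDefaultCredentials

# The Atom payload carries the range as rows of cells; pull the value elements
# without hard-coding the namespace prefix (assumed element name: v).
[xml]$feed = $response.Content
$values = $feed.SelectNodes("//*[local-name()='v']") | ForEach-Object { $_.InnerText }

# Print the first column/second column pairs, i.e. country and ISO code.
for ($i = 0; $i + 1 -lt $values.Count; $i += 2) {
    "{0,-30} {1}" -f $values[$i], $values[$i + 1]
}
```

Swapping $format=atom for $format=html returns the same range as an HTML table, and $format=image renders it as a PNG; in every case the request is still subject to the calling user's permissions on the library, which is why the example deliberately does not embed a service account.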

Work in Progress...

Monday, 6 June 2016

Hybrid SharePoint and Office 365 Authentication Thoughts

Overview: Hybrid scenarios allow enterprise users to seamlessly interact between SP Online and SP on-prem instances, provide search across on-prem and online sites, access data on-prem. while using Office 365/SP Online, use Office 365 apps like Flow, Video and Graph, and utilise OneDrive.  Picking the right authentication allows users to have a seamless, high-value experience, bringing together secure access quickly.  This is pretty important, and to make it happen you need to deal with access.

Organisations have internal authentication mechanisms such as Microsoft's Active Directory.  Large organisations have a tough time migrating to the cloud, and with the rapid changes in security and the cloud this post aims to broadly define paths or options for architects such as myself to follow.

Option 1. Do nothing.
The 1st option is to ignore the cloud, but I am going to presume you want to take advantage of Office 365.

Option 2.  Only use the cloud/O365.
Office 365 is huge, and for a small or new business I would strongly look at only using O365 with Azure AD (AAD) credentials.  This means little or no management of Active Directory (AD), and you can pretty much connect to the whole Microsoft SaaS offering quickly.  Most large SaaS offerings can work with Microsoft AAD.  Generally this option is not suitable for large enterprises.

Option 3.  Internal AD and externally use Office 365 Azure AD.
Easy to implement as the internal and external credentials are not linked.  Your users do not get a single sign-on (SSO) experience.  Users use their Azure AD credentials when working with Office 365 and their internal credentials when working on the internal network.  Each user needs 2 accounts and has to know when to use each.

Option 4.  Internal AD synchronized and creates similar accounts on Azure AD.
Pretty much the same as option 3, but the usernames appear the same to the end users.  There are a few variations in this space: you can simply create the accounts with the same name either manually, using a CSV import, or using Directory Sync (DirSync).  At this stage the passwords and accounts are managed separately; DirSync reduces effort and provisions and removes accounts in Azure AD to match the company's on-prem. AD.  DirSync will reach end of support in April 2017.

Option 5.  Internal AD automatically synchronises with Azure AD including password sync.
You still have 2 accounts, but the accounts on both sides are kept aligned using DirSync and password synchronisation.  Each user's password is kept in sync between your on-prem. AD and Microsoft's Azure AD.  The advantage here is that the user name and password for a user are the same whether using internal or external applications secured by on-prem. AD or AAD.  This is not SSO: the user needs to log in to both ADs separately.

Option 6.  Azure Active Directory Connect.
Similar to option 5, but the Azure AD Connect tooling does all the synchronisation of accounts between on-prem. AD and AAD.  This method is easier than option 5 and is the latest approach, but fundamentally it is the same approach with 2 identical accounts for each user.

Option 7.  Federate (ADFS)
Active Directory Federation Services (ADFS) provides an Identity Provider and can pass claims-based authentication between trusted Identity Providers.  This post does not explain passive identity authentication, but this is the more advanced option.  There are a lot of federation services, but ADFS tends to be the most common (Thinktecture, Ping, SiteMinder).