Sunday, 11 December 2016

Extranet Authentication Options for SharePoint 2013

Overview: Most large enterprises using SharePoint have implement Extranet solutions and these vary in complexity greatly.  Many implementation I have seen have morphed into bazaar solutions generally due to the tactical solutions implemented over time and were not caused by poor architecture.  It is the nature of these projects to get something out and with the rapid change in authentication over the past 5 years tons of business have landed in complex scenarios.

Office 365 has grown quickly and using Office 365 is generally a good idea however a lot of organisations still are resistant due to a variety of concerns such as regulatory compliance and trust.  Microsoft is definitely removing these barriers and I'd lean towards hosting the SharePoint Extranet in the cloud in the majority of situations.  The biggest barriers to moving to the cloud are Executive level buy in followed by senior IT folks that are bias to sticking to what they knew 10 years ago.   So a lot of the change is around education and providing a clear road-map.  The biggest technical hurdle will be around identify management.

Pretty much every organisation I deal with used Active Directory and then you may have a Federation Service normally ADFS.  You may have you external users in the same AD, a dedicate DMZ AD, or any other user directory including SQL or other LDAP provider.

Using Office 365/SharePoint Online I need to get both my internal and external users to be work with Office 365 and depending on the client setup I need to work thru both scenarios and think about the ramifications.

Note:  Ramifications are: resetting user passwords, does search work for all users and where does the data reside.

Possible Options:

  • AzureAD - Azures ACS for user accounts
  • Federated Identifies - use ADFS and build trust with ACS, identity and password is under our company control
  • AD sync to AzureAD - Think DirSyng, tooling is ADConnect

Notes:
http://www.sharepointeurope.com/blog/2015/10/identity-management-in-a-saas-based-world

Sunday, 23 October 2016

South Africa Compliance & O365

Yesterday, (22 Oct 2016) I presented at SharePoint Saturday Cape Town on securing your Data on O365 and SharePoint. I believe that South Africa is going to have massive requirement around compliance and here and e a few reasons why:
  1. POPI
  2. FSR bill in parliament at moment, this will enable twin peaks
  3. National credit amendment act regulates credit institutions
  4. Fic amendment bill also in parliament to govern anti money laundering
  5. Banks act governs bank
  6. Long term and short term insurance act
  7. Consumer protection act
 
Additionally, all of the big 4 are viewing big data and compliance as mega trends.

If you understand O365 security at the authentication level and application level you are well placed for the future.

Note: By application level I am referring to things like DLP, EMS, retention policy, ,,,

Friday, 12 August 2016

Mobile Platform Development for SharePoint 2016

Overview:  There are various options for building Mobile applications.  The simplest answer is to have a fully responsive designed web page and mobile users interact with the application using the mobile devices browser. Another option is to write code for each platform so for example write and iOS application what would be loaded in the AppStore, this requires multiple source codes to be maintained.  An improvement on this approach is to use a tool that creates a version from a single source for multiple stores.  So write once deploy to MS, Android and Apples store; PhoneGap and Xamarin are examples.

Xamarin uses C# code and compiles executable applications for each target mobile store such as iOS, Windows and Android.  Xamerin uses it's own IDE or a add-in for Visual Studio.

PhoneGap is also refereed to as Cordova.  PhoneGap creates the web application using HTML5, CSS & JS and wraps this web application in a plaform control/container.  In effect, the html page is hosted in each platforms executable within a web control.  The exe can interact with the web pages:  


Unity is another development platform probably the 3rd biggest and generally favored for gaming.

Summary:  Responsive Web Design works on the mobile device as a native html app using the mobile browser.  If you need to interact with he phones features and you need to write an application for the platforms store, rather use Cordova/PhoneGap where you write once and distribute to each desired platform.

Updated: 29 August 2016
More Info:
http://magenic.com/documents/Xamarin_PhoneGap_eBook.pdf?EBookTest



Tuesday, 7 June 2016

Excel Services REST API - SP2013 Notes

"Excel Services is a service application that enables you to load, calculate, and display Microsoft Excel workbooks on Microsoft SharePoint 2013. Excel Services was first introduced in Microsoft Office SharePoint Server 2007."  MSDN

There are 4 ways to interact with Excel using Excel Services, this article only looks at utilisting the REST API.  The figure below provide context showing an Excel file with a list of countries with 3 digit ISO codes.



Work in Progress...

Excel Services REST API - SP2013 Notes

"Excel Services is a service application that enables you to load, calculate, and display Microsoft Excel workbooks on Microsoft SharePoint 2013. Excel Services was first introduced in Microsoft Office SharePoint Server 2007."  MSDN

There are 4 ways to interact with Excel using Excel Services, this article only looks at utilisting the REST API.  The figure below provide context showing an Excel file with a list of countries with 3 digit ISO codes.



Work in Progress...

Monday, 6 June 2016

Hybrid SharePoint and Office 365 Authentication Thoughts

Overview: Hybrid scenarios allow enterprise users to seamlessly interact between SP Online and SP on-prem instances, provide search across on-prem and online sites, access dat on-prem. while using Office365/SP Online, use Office 365 apps like Flow, Video, Graph and utilise OneDrive.  Picking the right authentication allows users to have a seamless high value experience bringing together secure access quickly.  Pretty important and to make this happen you need to deal with access.

Organisations have internal authentication mechanisms such as Microsoft's Active Directory.  Large organisations have a tough time migrating to the cloud and with the rapid changes in Security and the cloud this post aims to broadly define paths or options for architects such as myself to follow.

Options 1. Do nothing.
The 1st option is to ignore the cloud but I am going to presume you want to take advantage of Office 365.

Options 2.  Only use the cloud/O365.
Office 365 is huge and for a small or new business I would strongly look at only using O365 using Azure AD (AAD) credentials.  This means no or little management of Active Directory (AD) and you can pretty much connect to the whole Microsoft SaaS offering quickly.  Most large SaaS offering can work with Microsoft AAD.  Generally this option is not suitable for large enterprises.

Option 3.  Internal AD and externally use Office 365 Azure AD.
Easy to implement as the internal and external credentials do not link.  Your users do not get a single sign-on (SSO) experience.  Users use the Azure AD credentials when working with Office 365 and your internal credentials when working on the internal network.  User needs 2 accounts and to know when to use them.

Option 4.  Internal AD synchronized and creates similar accounts on Azure AD.
Pretty much the same option as option 3 but the usernames appear to be the same to the end users. Their are a few variations in this space, you can simply create the accounts with the same name either manually, using an CSV import or using Directory Sync (DirSync).  At this stage, the passwords and accounts are managed separately, the DirSync reduces effort and provisions and removes accounts in Azure AD to match the companies on-prem. AD.  DirSync will reach end of support in April 2017.

Option 5.  Internal AD automatically syncronises with Azure AD including password sync.
You still have 2 accounts but the accounts on both sides are kept aligned using DirSync and password synchronization.  The same password is stored both in your on-prem. AD and in Microsoft's Azure AD for each user.  The advantage here is that the user name and password for a user is the same if using internal or external applications secured by on-prem. AD or AAD.  This is not SSO enabled, the user needs to login to both AD's separately.

Option 6.  Azure Active Directory Connect.
Similar to option 5 but the Azure AD Connect tooling does all the synchronization of accounts between on-prem. AD and AAD.  Method is easier than option 5 and the latest approach but fundamentally it is the same approach with 2 identical accounts for each user.

Options 7.  Federate (ADFS)
Active Directory Federation Service (ADFS) provides an Identify Provider and can pass claims based authentication between trusted Identity Provider.  This post does not explain passive Identity authentication but this is the more advance option.  There are a lot of federation services but ADFS tends to be the most common (ThinkTexture, Ping, SiteMinder).














Monday, 23 May 2016

How the Recycle bin works


Problem:  A common misunderstanding with technical and business folks is the details of how the recycle bin works.  I missed some of the finer points so I thought I'd record my note.

First stage recycle Bin - User deletes a document and the document goes to the user's recycle bin/1st stage recycle bin.  The 1st stage recycle bin retention period is 30 days by default.  Items in the first stage recycle bin are moved to the second stage recycle bin after the retention period is over or the user chooses to delete the item from their 1st stage recycle bin.

Second stage recycle bin or Site Collection recycle bin - where documents go after they are removed from the 1st stage recycle bin.  SCA can restore or permanently delete the documents from the 2nd stage recycle bin.

Recycle bin explained for Office 365 - as of May 2016
Note:  The views change between the SharePoint versions but the functionality remains the same.
Note:  An item that I have not understood for multiple years is that the retention period for recycle bins applies to both the 1st and 2nd stage recycle bin.  If the recycle bin retain content for 30 days and the user deletes a document, then 22 days later they delete the document from their own 1st stage recycle bin.  The document only stays in the 2nd stage/site collection recycle bin for 8 days.  From Nik Patel's site "In other words, total time spent by the item in both recycle bins".
Note:  If you do not have access to the farm settings, you can see how long the retention period for the recycle bin is by deleting a document/item from the 2nd stage recycle bin, you get a confirmation box that let's you know the setting.   This approach allows me to see that Office365 SharePoint sites hold recycle bin items for 93 days.
In the Site Collection Admin (2nd Stage) recycle bin delete an item to see how long the retention period is set to.
To Access the Recycle bins: Site Collection administrators page > Site Settings > Site Collection Admin > Site Collection

More Info:
Basics of Recycle bins from Microsoft
Nik Patel has a good article on how the recycle bin works

Wednesday, 18 May 2016

Microsoft Graph Simplified

Overview: Microsoft Graph provides an API to allow search to bring back data stored in Office 365 (email/Exchange Online, SharePoint, and others).  The centralized search provides the data source to query and adds a ranking engine on top to allow for easy access to data.

Overview of Office Graph
A more formal description: "The Office Graph is a collection of content and activity and links the relationships between people and this active content.  Any activity in the entire Office suite online is pushed into Office Graph such as e-mail including attachments, conversations, to documents in SharePoint and OneDrive.  The Office Graph maps the relationships among people and information, and acts as the foundation for Office experiences that are more relevant and personalized to each individual."

The Microsoft Graph is a single queryable API endpoint for accessing data, intelligence and insights coming from the Microsoft Cloud. 

More Info:
A great article on Graph is here.  NB!

Screenshot from my iPhone 6 using the Microsoft's Delve iOS app with my own Office 365 E3 tenant.



Sunday, 10 April 2016

Co-authoring on SharePoint 2013


Overview:  Co-authoring has been around awhile and I haven't paid it any attention in a long time.  The idea is multiple authors can edit the same document at the same time.  

Notes
  1. Word and PowerPoint use to be the only supported files for co-authoring.  SharEPoint 2013 supports co-authoring in word 2013, PowerPoint, OneNote and visio 2013 as of 20April 2016.  
  2. Excel does not provide co-authoring unless you use Office Web Apps or excel services.  More info
WIP  -Versioning issues with Word....

Article describes nicely what applications work with co-authoring  https://technet.microsoft.com/en-us/library/ff718249.aspx

Sunday, 20 March 2016

Hacking SharePoint input field Validation


Problem: Here is an easy way to step around SharePoint 2013's input field validation for a drop down list.  Any list contains a drop-down list (configured to only allowed to chose values from the drop down list), using Internet Explorer (IE) developer tools and amending the DOM, when posting the form, the change value is inserted into the list.
Replication Steps:
  1. Open IE go to the list to add a new list item (the list must have a drop down field column), hit Fn+F12 to open the IE Dev toolbar.
  2. In the "DOM Explorer" tab select the "Select element" icon (top left).
  3. Click on the drop down control i.e. "Primary/Secondary" input control as shown below.
  4. Edit the DOM value for the item selected to some crazy text and save the form.
  5. Open the item in view mode and you will see the crazy data as shown below circled in red in the bottom picture.  


Project Server 2013 Overview Notes

Project Server 2013 is a Service Application and part of SharePoint Server 2013.  You install the on-prem. version on a SP2013 farm and need to follow the best practices for your SharePoint farm.
  • A Project Web Application (PWA) is a a single site collection.  
  • Consider storing each PWA in it's own content database.
  • Each PWA site collection is made up of multiple projects (each project has it's own SharePoint sub site).
  • Project 2013 online or a project server 2013 on-prem are the hosting options.
  • OData services for reporting, Excel can be used to create and view reports.  This is the approach to use on Project Server Online.  Each PWA instance on-prem. can add OLAP cubes from the PWA manage SSAS screen, once the default cubes are generated, it easy to query using Excel or SSRS (assuming you have the infrastructure). 
  • A single Project Web App database for each Project Server 2013 instance whereas in Project Server 2010, each instance had 4 Project Server databases (Draft, Publish, Reporting, and Archive).
  • Upgrade to Project Server 2016 from Project Server 2013 only.
  • PWA manages security and WSSSync manages the security syncronisation with the SharePoint project sub sites.
  • No user management in PWA, now all done in SharePoint assuming SharePointPermissionMode.  SharePointPermissionMode done in SP not in PWA (What ProjectPermsissionMode), pref SharePoint permissions mode.  oldproj server guys prefer ProjectPermissionMode say it gives more fine grained security control.
  • PWA Security explained https://technet.microsoft.com/en-gb/library/fp161361.aspx
  • To access Project Server 2013 with the Project Server client application (desktop software) you can't use the Standard edition but need the pro edition (Microsoft Project Server professional 2013).
FluentBooks from FluentPro looks good for ALM between environments and PWA instances:
  • Desktop tool - Offline Management - download configuration & then uploads configuration to the new PWA
  • Is there anything to install on the farm? No
  • Ports needed? 80 or 443 Uses web Services (PSI & CSOM when uploading change).
  • Highly configurable such as mapping account between domains as we move environments.


Archiving between 2 PWA instances using FluentBooks
================================

  1. Download/Export projects into a FBB file(s), new project professional client.  Gets the Project data.
  2. Download SharePoint sub sites
  3. Upload FBB file to archive PWA 
  4. Upload sub-sites into the archive PWA


More Info:
https://technet.microsoft.com/en-us/library/ff631142.aspx  Project Server 2013 and SharePoint Security
https://www.fluentpro.com/productsfluentbooks.htmll  FluentBooks website

Alternative:  
Bamboo Solutions appear to have a good Project Management Solution that has gone thru several iterations.  Project Manager Central sits on SharePoint 2007, SP2010 or SP2013.  Similar concept to Project Server, Portfolio site is a site collections and then project sites are sub-sites.  There is also an option to have Department sites whereby a sub site is created that subscribes to multiple project sites.

Sunday, 13 March 2016

How Browser Cookies work in SharePoint

Overview:  SharePoint by default uses disk based persistence using a FedAuth Cookie.  In most enterprise clients there are multiple different application and authentication providers.  Cookies can be set for session persistence in multiple ways and as the application world is walking toward SSO is becoming even more prevalent for unexpected behavior to happen with cookies.

Thoughts:
  • Cookies that keep are responsible for authentication can be stored for the browser sessions eithe ron Disk or in session.
  • By default SharePoint uses disk based authentication for the users session using the FedAuth cookie.  Switching to session based persistence should not be undertaken without considerable forethought.
  • Watch out for IE's odd behavior relating to session whereby domain level permissions are passed down to sub-domains.


More Info:
http://erik.io/blog/2014/03/04/definitive-guide-to-cookie-domains 
http://blogs.msdn.com/b/ieinternals/archive/2009/08/20/wininet-ie-cookie-internals-faq.aspx
https://blogs.msdn.microsoft.com/ie/2009/05/06/session-cookies-sessionstorage-and-ie8-or-how-can-i-log-into-two-webmail-accounts-at-the-same-time/

Sunday, 28 February 2016

What makes Successful SharePoint projects

Overview:  There tend to be characteristics of successful SharePoint projects and if the majority of these are in place for SharePoint or any IT  project for that matter, the project tends to be successful.

High Level:

  1. The project has a clear vision that engages and inspires everyone.  Do we know what we are building and why.  Do some or most team members have a strong feeling of ownership. Strong decision makers or a product owner is SCRUM parlance is essential.  This crazy idea of all inclusive decisions and management by committee (“I was elected to lead not read”, Simpson movie) wastes time, leads to an incomplete vision and often worse decisions are made.  The business must pick a leader or 2 and let them get on with it.  Rather get a product owner that makes decisions and is periodically wrong, these changes can be fixed easily when it becomes clear they are wrong.  Only decisions that are not easy to change should go to review and generally there are not many of these.
  2. People - The team members select is the most important factor in successful projects.  Encourage an open respectful collaborative team with mixed talents and strong skills at the right time.   Note: Leave you ego at the door.  There will and should be arguments.  Don't let the arguments become personal in nature and find people that will get over minor squabble.
  3. Delivery Focused.  Each team member needs to know his/her deliverables are.  Methodologies like SCRUM are useful to make this happen.  Build a product backlog and prioritize, but fundamentally it’s building the right piece at the right time.  High standards must be set (review broken window principle), each member of the team must be professional and deliver quality.
Team Structures:
My preference on complex projects is a small teams of hard working problem solving individuals that take pride in their work and have a history of delivering successful projects.   In short, there are a lot of people that talk the talk but don't walk the walk (aka they are lousy) in IT projects.  Someone who is referred to you by someone I trust as a general rule works out brilliantly, people I have worked with in successful projects are the 1st people i look for.  You can't always get who you want but you sure can try aim for the stars and get a great team together.  The difference between the best and worst developer on my teams tends to be a factor of 8 so I recon the most productive person delivers 8 times the value of the least productive.  Try skip the bottom folks, the top folks don't get paid 8 times as much....

The formula to High performing teams is a varied group of committed zealous people, collective in a shared idea.  I’m looking for people that want to be successful, others in our team to be successful and people like.  Team members must have strong skills, the ability to listen and stand-up for what they believe and play well in a group.  I try exceed my clients expectations continuously and if I can get a critical mass on my team that do the same….  Actually the word "formula " is misleading as is too strong a word, it's simple: get smart, hard working, experience people that are nice.

Fundamentally, the goal is to build a cohesive team, it's also worth reading Patrick Lencioni's book "The Advantage" and in "The Five Dysfunctions of a Team", the 5 factors to a successful teams are listed as:

  1. Trust one another and be prepared to show your vulnerability/lack of expertise/be prepared to apologies if you get something wrong.
  2. Conflict is good and productive, argument is needed to get the best solution
  3. Commit to getting the project right/take ownership and agree to decisions collectively
  4. Accept accountability/take ownership/each team member should try exceed client expectations continuously
  5. Focus on results - as a team what we deliver needs to work and be a success.
All pretty obvious but the number of teams and projects that fail and don't follow these basic guiding principles is staggering.

Sunday, 14 February 2016

Notes on Compliance in Office365 & SharePoint

Also see: Data Protection Using SharePoint

Data Loss Prevention (DLP)
Historically used for email to identify, monitor and protect data.  This is the next step on from email policies/IT Policies where sent around and signed with the hope users would behave and only send appropriate information along.   DLP ensure that sensitive information such as patents, financial information, Payment Card Industry Data Security Standard (PCI DSS) , personally identifiable information (PII), or intellectual property (IP) are accidentally shared with external parties.  DLP can inform users before they send email or open access to OneDrive or SharePoint document libraries that the information being shared violates company policy (as configured in the DLP template).
https://blogs.office.com/2013/10/28/office-365-compliance-controls-data-loss-prevention/
https://blogs.office.com/2014/08/27/search-sensitive-content-sharepoint-onedrive-documents/

Information Rights Management (IRM)
IRM-Protect document libraries prevents sensitive information being copied, forwarded, printed

eDiscovery
Find related content with SharePoint, Exchange & files shares to assit with litigation and determining info on a topic ata point in time.

Records Management
Manage a documents life-cycle, stop key docs being amended or edited.

Information management policies
Enforce compliance such as expired content, usage auditing & retention policies

Office 365
All data is encrypted on the servers (encryption at rest) and TLS/SSL on all communications.

Other
DocAve can enhance IRM and archieving & they have a SharePoint Monitoring and Policy Enforcement module.

Reference:
https://support.office.com/en-us/article/Use-Office-365-to-help-comply-with-legal-regulatory-and-organizational-compliance-requirements-ce773cec-2151-4d06-9a4e-2818613bd7e0

Wednesday, 13 January 2016

Debug SharePoint ClientContext using IE Developer tools

Overview:  I have a redirect that looks at my client context and performs a redirect.  Fiddler is a good option for viewing JS and debugging but as IE developer tools is not my normal tool for JS debugging, I thought I'd try use it to debug my issue.  I need to debugging a JavaScript redirect (302) using IE Developer Tools and breakpoints.

Steps:
1. Fn + F12 to get the IE Developer Tools
2. Enter the redirection url https://demo.dev/sites/demo/SitePages/Redirection.aspx in IE
3. As the page is running hit the "Esc" key to stop the browser (I need it to get the js files in the redirection page).

4. The Folder Icon mark as point 1 in red on the diagram is used to find the js file to debug.
5. Open the js file step 2 and step 3 in the red annotation above.
6. Set break point as shown below
7. A watch windows is provided. Variables are easy to follow.
8. When you refresh if the breakpoints are set, you will get stopped at the break points you previously setup in the steps above for subsequent runs.


Sunday, 3 January 2016

Azure Virtual Machine Basics

Azure Virtual Machine Basics
Windows Azure Virtual Machines
  • Azure charges per minute pro-rated
  • Disks explained:
    • C: OS disk
    • D: Temp Cache such as Page File (won't be persisted in a disaster)
    • F: ... Persist disk storage (Add disks as shown below)
  • Access the VM by default RDP sessions and remote PS are allowed.  








  • Need to add endpoints to allow other means of access e.g. 443 for https traffic.







  • Availability Sets are used to to load balance with more than 1 VM
  • Add a new F drive to the VM