Channel: SharePoint Pals - Office 365

Undocumented issue in OOB three state workflow of SharePoint Online


One of the known issues (not disclosed by MS) is that the default OOB three-state workflow won't work in SharePoint Online for some of the tenants. We had this issue in one of the subsites under the root site collection of our SharePoint Online tenant. Initially, when the workflow wasn't working, we couldn't really understand the cause of this issue, and we tried re-creating the WF multiple times without knowing the root cause.

Finally, we managed to investigate this case further, and here are our findings and fix.

As a first step, we started collecting logs using Fiddler, and after analyzing the logs carefully we identified the following errors that were seen repeatedly:

The schema for field with this id is wrong or missing. Field '{7d95d1f4-f5fd-4a70-90cd-b35abc9b5bc8}'

- We checked and found that this is a hidden field on the top level site.

  • 7d95d1f4-f5fd-4a70-90cd-b35abc9b5bc8 --  All Day Event --  fAllDayEvent --  fAllDayEvent

- Using the SharePoint Online Client browser tool, we checked the root site and determined the SchemaXML of this field as below:

SchemaXML:

    <Field ID="{7D95D1F4-F5FD-4a70-90CD-B35ABC9B5BC8}" Type="AllDayEvent" Name="fAllDayEvent"
           DisplayName="All Day Event" Sealed="TRUE"
           SourceID="http://schemas.microsoft.com/sharepoint/v3/fields"
           StaticName="fAllDayEvent" Group="_Hidden">
      <FieldRefs>
        <FieldRef ID="{64cd368d-2f95-4bfc-a1f9-8d4324ecb007}" Name="EventDate" RefType="StartDate" />
        <FieldRef ID="{2684F9F2-54BE-429f-BA06-76754FC056BF}" Name="EndDate" RefType="EndDate" />
        <FieldRef ID="{6CC1C612-748A-48d8-88F2-944F477F301B}" Name="TimeZone" RefType="TimeZone" />
        <FieldRef ID="{C4B72ED6-45AA-4422-BFF1-2B6750D30819}" Name="XMLTZone" RefType="XMLTZone" />
      </FieldRefs>
    </Field>

With these details we involved MS, and they investigated the root site further from the backend and found a lot more inconsistencies in certain site columns that cause the three-state workflow to fail.

They found issues with the fields below, which the three-state workflow needs in order to work:

System.Reflection.TargetInvocationException: Exception has been thrown by the target of an invocation. ---> System.ArgumentException: Invalid field name. {17ca3a22-fdfe-46eb-99b5-9646baed3f16}  /XXXX/Temp/Lists/Tasks

Using CSOM, they checked and found that this OOB hidden field “form_URN” was missing on our root site.

They checked a working site and got the SchemaXML of the missing field, then created a new field with the working schema on our root site using CSOM.

But this didn’t help either, and when they investigated further they found that a lot of such hidden columns were missing.

Here is the list of hidden fields which were missing:

· Name="FormURN" ; ID= 17ca3a22-fdfe-46eb-99b5-9646baed3f16

· Name="SendEmailNotification" ; ID= CB2413F2-7DE9-4afc-8587-1CA3F563F624

· Name="HasCustomEmailBody" ; ID= 47f68c3b-8930-406f-bde2-4a8c669ee87c

· Name="WorkflowLink" ; ID= 58DDDA52-C2A3-4650-9178-3BBC1F6E36DA

· Name="ExtendedProperties" ; ID= 1C5518E2-1E99-49FE-BFC6-1A8DE3BA16E2

· Name="EmailBody" ; ID= 8CBB9252-1035-4156-9C35-F54E9056C65A

· Name="Completed" ; ID= 35363960-D998-4aad-B7E8-058DFE2C669E

CSOM used to create these hidden fields:

Sample CSOM code used:

    #Install SharePoint online client SDK before you run the below
    [System.Reflection.Assembly]::LoadWithPartialName('Microsoft.SharePoint.Client')
    [System.Reflection.Assembly]::LoadWithPartialName('Microsoft.SharePoint.Client.Runtime')
    [System.Reflection.Assembly]::LoadWithPartialName('Microsoft.SharePoint.Client.UserProfiles')
    [System.Reflection.Assembly]::LoadWithPartialName('Microsoft.SharePoint.Client.Taxonomy')

    ##Get GA credentials.
    $username = Read-Host -Prompt "GA username"
    $password = Read-Host -Prompt "password? " -AsSecureString

    ##URL of the Site Collection:
    $url = "https://consoto.sharepoint.com/sites/site1"

    #Connect/authenticate to SharePoint Online and get ClientContext object..
    $credentials = New-Object Microsoft.SharePoint.Client.SharePointOnlineCredentials($username, $password)
    $ctx = New-Object Microsoft.SharePoint.Client.ClientContext($url)
    $ctx.Credentials = $credentials

    #############################################################
    #To load the root site
    $rootweb = $ctx.Web
    $ctx.Load($rootweb)
    $ctx.ExecuteQuery()

    #The credentials are only used on the first ExecuteQuery, so the connection is reported here
    if ($rootweb.ServerObjectIsNull -eq $false)
    {
        Write-Host "Connected to SharePoint Online site: '$url'" -ForegroundColor Green
    }

    #To get the lists on the site:
    $lists = $rootweb.lists
    $ctx.Load($lists)
    $ctx.ExecuteQuery()

    $lists | select title

    #Get the  List:
    $list_problem = $lists.GetByTitle("Workflow Tasks") #Name of a working lib.
    $ctx.Load($list_problem)
    $ctx.ExecuteQuery()

    #############################################################
    #To get the Fields of the top level web:
    $webfields = $rootweb.Fields
    $ctx.Load($webfields)
    $ctx.ExecuteQuery()

    foreach($webfdtop in $webfields)
    {
        Write-Host $webfdtop.Id  "-- " $webfdtop.Title "-- " $webfdtop.staticname "-- " $webfdtop.InternalName
    }
    #############################################################

    #############################################################
    #Get Fields of the list:
    $listfields = $list_problem.Fields
    $ctx.Load($listfields)
    $ctx.ExecuteQuery()

    #See all fields of working list
    foreach($fd1 in $listfields)
    {
        Write-Host $fd1.Id  "-- " $fd1.Title "-- " $fd1.InternalName
    }
    #############################################################

    #############################################################
    #To load a specific web field by ID
    $webfd = $webfields.GetById('17ca3a22-fdfe-46eb-99b5-9646baed3f16')
    $ctx.load($webfd)
    $ctx.ExecuteQuery()
    $webfd.SchemaXml
    $webfd | fl
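
To check a site against the list of missing fields above, the following added example (not part of the original article or of Microsoft's tooling) reads field dump lines in the "Id -- Title -- StaticName -- InternalName" format printed by the script above and reports which of the seven listed fields are absent. The function name Get-MissingWorkflowField and the sample dump lines are assumptions constructed for illustration.

```powershell
# Added example: compare a field dump against the seven hidden fields
# that the article lists as missing on the affected root site.

# Field names and IDs exactly as listed in the article.
$RequiredWorkflowFields = [ordered]@{
    FormURN               = '17ca3a22-fdfe-46eb-99b5-9646baed3f16'
    SendEmailNotification = 'CB2413F2-7DE9-4afc-8587-1CA3F563F624'
    HasCustomEmailBody    = '47f68c3b-8930-406f-bde2-4a8c669ee87c'
    WorkflowLink          = '58DDDA52-C2A3-4650-9178-3BBC1F6E36DA'
    ExtendedProperties    = '1C5518E2-1E99-49FE-BFC6-1A8DE3BA16E2'
    EmailBody             = '8CBB9252-1035-4156-9C35-F54E9056C65A'
    Completed             = '35363960-D998-4aad-B7E8-058DFE2C669E'
}

# Hypothetical helper: returns one object per required field that does not
# appear in the dump. Lines that do not start with a GUID are ignored.
function Get-MissingWorkflowField {
    param(
        [string[]] $FieldDumpLine
    )

    # GUIDs are parsed into [guid] values so that the comparison does not
    # depend on letter case or on surrounding braces.
    $present = New-Object 'System.Collections.Generic.HashSet[guid]'
    foreach ($line in $FieldDumpLine) {
        if ([string]::IsNullOrWhiteSpace($line)) { continue }
        $candidate = ($line -split '--', 2)[0].Trim()
        $id = [guid]::Empty
        if ([guid]::TryParse($candidate, [ref] $id)) {
            [void] $present.Add($id)
        }
    }

    foreach ($entry in $RequiredWorkflowFields.GetEnumerator()) {
        $required = [guid] $entry.Value
        if (-not $present.Contains($required)) {
            [pscustomobject]@{ Name = $entry.Key; Id = $required }
        }
    }
}

# Constructed sample dump (not real tenant output). The titles are placeholders;
# only the leading GUID of each line is used.
$sampleDump = @(
    '7d95d1f4-f5fd-4a70-90cd-b35abc9b5bc8 --  All Day Event --  fAllDayEvent --  fAllDayEvent'
    '17CA3A22-FDFE-46EB-99B5-9646BAED3F16 --  FormURN --  FormURN --  FormURN'
    '{8cbb9252-1035-4156-9c35-f54e9056c65a} --  EmailBody --  EmailBody --  EmailBody'
    '35363960-d998-4aad-b7e8-058dfe2c669e --  Completed --  Completed --  Completed'
    'this line does not start with a field id'
)

Get-MissingWorkflowField -FieldDumpLine $sampleDump | Format-Table -AutoSize

# With a live $webfields collection from the script above, the same lines can
# be built as strings instead of being printed with Write-Host:
# $dump = $webfields | ForEach-Object { "$($_.Id) -- $($_.Title) -- $($_.StaticName) -- $($_.InternalName)" }
# Get-MissingWorkflowField -FieldDumpLine $dump
```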

This is one of many known issues in SharePoint Online. My following articles will talk more about other known issues in SharePoint Online which aren’t disclosed by MS.


Steps to resolve undocumented calendar overlay issues in Office 365


This calendar overlay issue in SharePoint Online crops up when a target site is created based on a site template which has a calendar overlay as a part of the template. This issue can be reproduced by following the below steps and later in this article we can see how to fix this issue.

Steps to reproduce:

1. Browse to an Office 365 site in a team site collection.

2. Add an app: add 3 calendar lists named "Cal1", "Cal2" and "CalOverlay".

3. In list Cal1, add some events.

4. In list Cal2, add some events.

5. In list CalOverlay, go to ribbon -> Calendar -> Calendars Overlay -> New Calendar -> give a name (Test) -> select type -> SharePoint -> click on Resolve (Web URL:) -> list: Cal1 -> list view "Calendar" -> OK.

6. Similarly, add Cal2 as per step 5. Now 2 additional calendars show up.

7. Select the "CalOverlay" list in the left navigation and you will be able to see events from both calendars (Cal1 and Cal2).

8. Save the site as a template with content; it will be saved to the Solution gallery.

9. Go to Site Content and create a new subsite using the saved template, with the same permissions as the parent site.

10. Browse to the CalOverlay list and go to ribbon -> Calendar -> Calendars Overlay.

Actual: The overlay calendar configuration done in the source site is missing on the subsite.

Expected: The overlay calendar settings exist as per the source site collection.

Workaround :

=============================

Recreate the overlay whenever you create a site from the template.

Technical Analysis by MS:

=============================

# Once the overlay settings are configured on a calendar list, they are stored on the SPView, specifically on the calendar view the overlay is created on, in the attribute CalendarSettings (SPView.CalendarSettings), which holds the aggregation data for the calendars we are pulling the data from.

# Here is how this property bag looks. Notice how the URLs to the calendar lists are hardcoded there.

CalendarSettings

    <AggregationCalendars>
      <AggregationCalendar Id="{afab1af1-2b01-4298-903a-aba90cec5e0e}"
            Type="SharePoint" Name="cal1_overlay" Description="" Color="1" AlwaysShow="True"
            CalendarUrl="/sites/calendarsource/Lists/cal1/calendar.aspx">
        <Settings
            WebUrl="http://demotenant/sites/calendarsource"
            ListId="{66415e43-681f-421f-a507-f442c41236c2}"
            ViewId="{f3ffaf2a-8a28-4fc1-9cfa-bf39328111fb}"
            ListFormUrl="/sites/calendarsource/Lists/cal1/DispForm.aspx"
            />
      </AggregationCalendar>
      <AggregationCalendar Id="{f3acee40-f5c8-48fb-81e5-c10ef470ffce}"
            Type="SharePoint" Name="cal2_overlay" Description="" Color="1" AlwaysShow="True"
            CalendarUrl="/sites/calendarsource/Lists/cal2/calendar.aspx">
        <Settings
            WebUrl="http://demotenant/sites/calendarsource"
            ListId="{736e55e2-1158-4d8a-bd17-e64f31892af4}"
            ViewId="{d04a9d85-94da-4cd3-8b0e-a7547bc2d90e}"
            ListFormUrl="/sites/calendarsource/Lists/cal2/DispForm.aspx"
            />
      </AggregationCalendar>
    </AggregationCalendars>

# MS looked into the site template being created and did not see this data in it.

# So it seems that this configuration is not exported when the site template is created.

Saving a site as a template with calendar webpart in Office 365


This is a continuation of my previous article on the Office 365 calendar overlay issue. A calendar web part won't work as expected when it is created from a site template, as its reference is broken at the time the template is created.

Let us see what happens to my source site with a calendar web part in it.

I’m saving this site as a template to re-use it in one of my site collections or a subsite. When I do so, I get an error.

Solution:

We have only 2 working solutions (which are temporary) to fix this issue:

1. Either remove the web part from the source site and save that site as a template, or

2. Remove the web part from the destination site and re-add it.

How To Pre-Provision OneDrive For Business For Users In SharePoint Online


As of now, OneDrive for Business (ODFB) gets provisioned just in time, but our requirement is to get it pre-provisioned. Follow the steps below to pre-provision ODFB for specific accounts.

Steps

A PowerShell cmdlet for SharePoint is available to do this, but before executing this cmdlet verify the following:

1. The user exists in the SharePoint tenant and is active.
2. A valid O365 license is associated with the user.

Once verified, follow the steps below.


1. Install SharePoint management shell.
http://www.microsoft.com/en-in/download/details.aspx?id=35588

2. Execute command

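    # Connect to the tenant admin site; enter the GA credential when prompted
    Connect-SPOService -Url https://domain-admin.SharePoint.com
    # -UserEmails takes an array of addresses, not one comma-separated string
    $emails = "user1@contoso.com", "user2@contoso.com"
    Request-SPOPersonalSite -UserEmails $emails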


Limitations

This cmdlet will not show a success/failure message.
It will take a maximum of 30 min to provision an ODFB.
We can provision ODFB for 200 users in one go (but nothing more).
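
Because of the 200-user limit above, a longer user list has to be split before it is passed to Request-SPOPersonalSite, and since the cmdlet reports neither success nor failure, malformed entries are best dropped beforehand. The following added example (not from the original article) shows one way to do that; the function name Split-PersonalSiteRequest and the sample addresses are assumptions constructed for illustration.

```powershell
# Added example: clean a user list and split it into batches that respect the
# 200-users-per-call limit stated in the article.

# Hypothetical helper: emits one string[] per batch.
function Split-PersonalSiteRequest {
    param(
        [string[]] $UserEmail,
        [int] $BatchSize = 200   # limit stated in the article
    )

    if ($BatchSize -lt 1) { throw "BatchSize must be at least 1." }

    $seen  = @{}   # PowerShell hashtable keys are case-insensitive
    $clean = New-Object 'System.Collections.Generic.List[string]'

    foreach ($raw in $UserEmail) {
        if ([string]::IsNullOrWhiteSpace($raw)) { continue }
        $email = $raw.Trim()

        # Loose shape check only: something@domain.tld with no spaces.
        if ($email -notmatch '^[^@\s]+@[^@\s]+\.[^@\s]+$') {
            Write-Warning "Skipping malformed entry: $email"
            continue
        }

        # Drop duplicates so the same user is not requested twice.
        if (-not $seen.ContainsKey($email)) {
            $seen[$email] = $true
            $clean.Add($email)
        }
    }

    for ($i = 0; $i -lt $clean.Count; $i += $BatchSize) {
        $count = [Math]::Min($BatchSize, $clean.Count - $i)
        # The leading comma keeps each batch together as a single array
        # instead of unrolling its elements into the pipeline.
        , ($clean.GetRange($i, $count).ToArray())
    }
}

# Constructed sample input: 450 generated addresses, one duplicate in a
# different letter case, one blank line and one malformed entry.
$sample  = 1..450 | ForEach-Object { "user$_@contoso.com" }
$sample += 'USER1@contoso.com', '   ', 'not-an-address'

$batches = @(Split-PersonalSiteRequest -UserEmail $sample)

$batchNumber = 0
foreach ($batch in $batches) {
    $batchNumber++
    Write-Host "Batch $batchNumber : $($batch.Count) users"

    # Against a live tenant, after Connect-SPOService:
    # Request-SPOPersonalSite -UserEmails $batch
}
```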


Verification

Execute the script below to verify the ODFB provisioning.

    #Specify tenant admin
    $User = ""
    $Log = "c:\Log.csv"
    $Users = Get-Content D:\Users.txt

    #Add references to SharePoint client assemblies and authenticate to Office 365 site - required for CSOM
    Add-Type -Path "C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\16\ISAPI\Microsoft.SharePoint.Client.dll"
    Add-Type -Path "C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\16\ISAPI\Microsoft.SharePoint.Client.Runtime.dll"
    Add-Type -Path "C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\16\ISAPI\Microsoft.SharePoint.Client.UserProfiles.dll"
    $Password = Read-Host -Prompt "Please enter your password" -AsSecureString
    $Creds = New-Object Microsoft.SharePoint.Client.SharePointOnlineCredentials($User,$Password)

    #Configure MySite Host URL
    $SiteURL = "https://tenant-my.sharepoint.com"

    #Bind to Site Collection
    $Context = New-Object Microsoft.SharePoint.Client.ClientContext($SiteURL)
    $Context.Credentials = $Creds

    #Create People Manager object to retrieve profile data
    $PeopleManager = New-Object Microsoft.SharePoint.Client.UserProfiles.PeopleManager($Context)

    #Each line of Users.txt is split on spaces and its third token is used as the login name
    Foreach ($Entry in $Users)
    {
        $Login = $Entry.Split(" ")[2]
        $UserProfile = $PeopleManager.GetPropertiesFor("i:0#.f|membership|" + $Login)
        $Context.Load($UserProfile)
        $Context.ExecuteQuery()

        #Log the login name and its SPS-PersonalSiteCapabilities value
        $Login + "," + $UserProfile.UserProfileProperties.'SPS-PersonalSiteCapabilities' | Out-File -Encoding Default -FilePath $Log -Append

        #Accounts with a value of 0 are printed in red
        If ($UserProfile.UserProfileProperties.'SPS-PersonalSiteCapabilities' -eq "0")
        {
            Write-Host "i:0#.f|membership|" - $Login -ForegroundColor Red
        }
    }

Fix For Office Documents Crash in SharePoint Online


We were seeing an increased number of issues with Microsoft Word and Excel crashing while being used with SharePoint Online. Most of the user community uses SharePoint for collaborative work on Word/Excel documents within their teams. When they open a document from SharePoint Online they get the message “Word has stopped working” or “Excel has stopped working” and the application crashes. This issue has increased in recent weeks.


Initial analysis/solution
I tried clearing the Upload Centre cache and set the Upload Centre to delete documents as soon as they are closed. This worked like a miracle in some cases; I am not exactly sure why this happens or gets resolved. But today I had an instance where even the above solution did not work. I tried clearing the cache of the Upload Centre and the browser, but no luck. Then we took this issue to MS to understand the root cause.

Fix

As per MS, this is a known issue and is scheduled to be resolved in subsequent updates.
As a temporary fix, MS has provided a Critical on Demand (COD) patch:


X86
http://download.microsoft.com/download/8/9/7/89722193-72DA-4BFD-8C09-8EF03604720A/mso2010-kb3015656-fullfile-x86-glb.exe
 
X64
http://download.microsoft.com/download/B/D/8/BD86ECC3-751F-4044-89D8-A4BA6886A8D0/mso2010-kb3015656-fullfile-x64-glb.exe

How to fix issue related to Open With Explorer option in SharePoint Online


Simultaneous upload to different document libraries in SharePoint Online may lead to failure of upload in most cases. In this article we can see how to reproduce and fix this Open With Explorer issue on a Windows 7 64-bit machine with IE 11.

Scenario and steps to reproduce

We have multiple SharePoint Online sites and we are using the "Open with Explorer" option for managing files in our SPO team site libraries. We face intermittent upload issues in these sites, and upon investigation we came to know that this is related to the legacy WebDAV protocol.
To reproduce the issue:

Open two different SPO libraries in two different "Open with Explorer" windows on your PC and copy/paste files between these two windows.
Copy/paste works sometimes, but drag/drop fails with the below Windows Security message:

These files might be harmful to your computer.
Your Internet Security Settings suggest that one or more files may be harmful. Do you want to use it anyway ?
URL
-> You click "Ok" and see the below error:
Error:  "Move: Can't read from source file or disk."

It doesn't work even after "Try again" is clicked.

Fix for this issue
Add the following sites to Internet Explorer Trusted Sites list:
https://login.microsoft.com
https://*.sharepoint.com
https://portal.office.com
 
Ensure all the O365 Endpoints are opened in your network as mentioned in the article:
https://support.office.com/en-us/article/Office-365-URLs-and-IP-address-ranges-8548a211-3fe7-47cb-abb1-355ea5aa88a2?ui=en-US&rs=en-IN&ad=IN
 
Ensure the "WebClient" Windows service is enabled and is set to start automatically every time a PC starts.

The UsePersistentCookiesForExplorerView parameter for the Set-SPOTenant cmdlet that's used in the SharePoint Online Management Shell lets SharePoint issue a special cookie that will allow this feature to work even when Keep Me Signed In isn't selected.
After this parameter is enabled, you are prompted by a dialog box when you click Open with Explorer in SharePoint Online. After you click "This is a private computer", the persistent cookie is stored.

Issue with respect to Drag and Drop
The error message we get is a generic error; it is not the exact message received from the failed component. Currently the legacy WebDAV protocol is not capable of such operations and communications.

Intermittent Copy / Paste behaviour
MS does not recommend using Open with Explorer to move content, as it uses a legacy protocol in the background and also depends on the user’s cookie information. The alternative is to use OneDrive.

Various Language Options in Language Settings In Office 365


Some time back, we were discussing variation sites, user preferred languages, etc. None of that will help if we do not modify the Language Settings in Site Settings. A small tip, but a useful one.

Hope we remember, we modified the preferred language to Hindi. Once we modify that, all the content will be displayed in Hindi in Delve, OneDrive, etc.

Even the Admin page will be displayed in Hindi.

But when I go to the site collection, the site collection is still in English.

To display the site collection in Hindi, we need to change the Language Settings under Site Settings.

Let me go to Site Settings.

Under Site Administration, click on Language Settings.

Click the required alternative languages from the list provided.

Let me select Hindi and click OK.

Now, on coming back to the site home page, all the default labels except the content have turned into Hindi.

Happy Coding,

Sathish Nadarajan.

How to Provision Site Columns and Content Types using Provisioning Template by Patterns and Practices PNP in SharePoint Office 365


Patterns and Practices (PnP) is a very powerful tool to provision site templates and to create sites, site columns, content types, etc. In this example, let us start with how to create a site column and a content type using a PnP provisioning template.

Let me use a console application for this demo.

Create the console application and add the NuGet Packages as shown here.

Add a new folder called Template, add an XML file inside it and name the XML file ProvisioningTemplate.xml. The name can be anything; in this case, I have taken it as ProvisioningTemplate.xml.

In ProvisioningTemplate.xml, paste the content below.

    <?xml version="1.0"?>
    <pnp:ProvisioningTemplate ID="SharePointPalsDemo" Version="1" xmlns:pnp="http://schemas.dev.office.com/PnP/2015/12/ProvisioningSchema">

      <pnp:SiteFields>
        <Field ID="{793F0419-9A72-48D9-B983-91BD359E5387}" Name="MyCustomPNPField" StaticName="MyCustomPNPField" DisplayName="My Custom PNP Field" Type="Note" Required="FALSE" RichText="FALSE" Group="My Custom PNP Fields" />
      </pnp:SiteFields>

      <pnp:ContentTypes>
        <!-- Bookmark ContentTypes -->
        <pnp:ContentType ID="0x010500C562BA980E1C457B97298CA27EC2C843" Name="MyCustomContentType" Description="Test Description" Group="Custom Group">
          <pnp:FieldRefs>
            <pnp:FieldRef ID="793F0419-9A72-48D9-B983-91BD359E5387" Name="MyCustomPNPField" />
          </pnp:FieldRefs>
        </pnp:ContentType>
      </pnp:ContentTypes>

    </pnp:ProvisioningTemplate>

Here, I am trying to create a site column and a content type.

The below method will provision the site columns and content types mentioned in the XML.

    // Namespaces needed at the top of the file
    using Microsoft.SharePoint.Client;
    using OfficeDevPnP.Core.Framework.Provisioning.Connectors;
    using OfficeDevPnP.Core.Framework.Provisioning.Providers.Xml;

    private static void ProvisioningDemo()
    {
        OfficeDevPnP.Core.AuthenticationManager authMgr = new OfficeDevPnP.Core.AuthenticationManager();
        string siteURL = "https://sppals.sharepoint.com/sites/VariationPublishingSite";
        string userName = "sathish@sppals.onmicrosoft.com";
        string password = "***********";
        string file = "ProvisioningTemplate.xml";

        // Folder that holds the template XML
        string directory = "D:\\PRACTICE SOURCE CODE\\PNP\\Provisioning.Console\\Provisioning.Console\\Template";
        var provisioningProvider = new XMLFileSystemTemplateProvider(directory, string.Empty);
        var provisioningTemplate = provisioningProvider.GetTemplate(file);
        provisioningTemplate.Connector.Parameters[FileConnectorBase.CONNECTIONSTRING] = directory;

        using (var ctx = authMgr.GetSharePointOnlineAuthenticatedContextTenant(siteURL, userName, password))
        {
            ctx.Load(ctx.Web);
            ctx.ExecuteQueryRetry();
            // Apply the site columns and content types defined in the template
            ctx.Web.ApplyProvisioningTemplate(provisioningTemplate);
            ctx.ExecuteQueryRetry();
        }

        System.Console.ReadLine();
    }

With that one line, all the site columns can be provisioned to the specified site. In the upcoming articles, let us have a look at how to provision other components such as master pages, site assets, etc. One thing is sure: by using PnP, we can provision the sites from a remote machine without even a single minute of downtime.

Happy Coding,

Sathish Nadarajan.


The New SharePoint Home Page Web Experience


The new SharePoint home page web experience enables us to easily get to, find and discover important sites and portals throughout the intranet – online, on-premises and everything in-between. Today, many Office 365 users use the "Sites" page – the 4th most clicked tile in the Office 365 app launcher. MS is working hard to modernize this experience and transform it into a true home for SharePoint. What was the 'Sites' page is now the 'SharePoint home' and the “Sites” tile becomes the “SharePoint” tile - same logo, redesigned for a modern, responsive user experience. Clicking into the SharePoint Home displays the recent sites and portals you are most active in and following, recommended sites per the Office Graph, plus company-wide sites promoted by your company. From the SharePoint home, you, too, can create new sites - simple and fast.

Here comes our next question: what is Office Graph? Before we get to know about it, we should also know about something called Microsoft Graph. The terminology looks very similar, doesn't it? MS is not that good at naming conventions, as we all know.

In typical layman's terms:

Microsoft Graph: a unified API endpoint for accessing data, intelligence, and insights coming from the Microsoft cloud.

Office Graph: The Office Graph computes insights across Office 365 and makes these insights available through the Microsoft Graph, the single endpoint that you can use to access a number of Microsoft's cloud technologies.

As we all know, both MS Graph and Office Graph are still in their early phase and we might see some issues in the way they function. Let me take you through the MS Graph part in a separate article; here I would like to talk more about the Office Graph part. As mentioned earlier, clicking on the SharePoint link lists all the sites which I’m following; sometimes the data shown there is different from the actual. In my case, I was able to see far fewer sites than I actually follow.

Here are the steps you can try to check whether it shows the actual sites you are following:

1. Open https://<tenant>.sharepoint.com/_layouts/15/sharepoint.aspx?v=following.

a. Check the count; if it’s different, go to step 2.

2. Try unfollowing and following the site again (which I know is tedious), but you can give it a try.

3. Else, the last option:

The script below displays the items that are being followed in SharePoint Online, which in turn we can use for comparison.

    <html>
    <head>
        <script type="text/javascript" src="https://ajax.googleapis.com/ajax/libs/jquery/1.8.3/jquery.min.js"></script>
        <script type="text/javascript">
            var followingManagerEndpoint;
            var URL;
            var website;
            var clientContext;

            // Wait for sp.js, then load the current web to build the REST endpoint.
            SP.SOD.executeFunc('sp.js', 'SP.ClientContext', loadWebsite);

            function loadWebsite() {
                clientContext = SP.ClientContext.get_current();
                website = clientContext.get_web();
                clientContext.load(website);
                clientContext.executeQueryAsync(onRequestSucceeded, onRequestFailed);
            }

            function onRequestSucceeded() {
                URL = website.get_url();
                followingManagerEndpoint = decodeURIComponent(URL) + "/_api/social.following";
                getMyFollowedContent();
            }

            function onRequestFailed(sender, args) {
                alert('Error: ' + args.get_message());
            }

            // Get the content that the current user is following.
            // The "types=14" parameter specifies all content types
            // (documents = 2 + sites = 4 + tags = 8).
            function getMyFollowedContent() {
                $.ajax({
                    url: followingManagerEndpoint + "/my/followed(types=14)",
                    headers: {
                        "accept": "application/json;odata=verbose"
                    },
                    success: followedContentRetrieved,
                    error: requestFailed
                });
            }

            // Parse the JSON data and iterate through the collection.
            function followedContentRetrieved(data) {
                var stringData = JSON.stringify(data);
                var jsonObject = JSON.parse(stringData);
                var types = {
                    1: "document",
                    2: "site",
                    3: "tag"
                };

                var followedActors = jsonObject.d.Followed.results;

                // Names and URLs are added with .text() so they are shown as text and never parsed as HTML.
                var container = $("#Follow").text("You're following items:");
                for (var i = 0; i < followedActors.length; i++) {
                    var actor = followedActors[i];
                    $("<p>").text((i + 1) + ". The " + types[actor.ActorType] + ": \"" + actor.Name + "\"").appendTo(container);
                    $("<p>").text("Site URL : \"" + actor.Uri + "\"").appendTo(container);
                }
            }

            function requestFailed(xhr, ajaxOptions, thrownError) {
                alert('Error:\n' + xhr.status + '\n' + thrownError + '\n' + xhr.responseText);
            }
        </script>
    </head>
    <body>
        <div id="Follow"></div>
    </body>
    </html>

Conclusion:

Though we couldn’t fix it, on the whole we at least have a mechanism to compare.

What you should know about eDiscovery in SharePoint Online


Overview

  • eDiscovery: Process of identifying and delivering electronic information that can be used as evidence
  • eDiscovery Center: New type of site collection that serves as a portal for managing eDiscovery cases
  • eDiscovery Cases: A collaboration site (sub site) that can be used to organize information related to eDiscovery requests (list items)
  • From this central location (eDiscovery Center) we can create cases to identify, hold, search and export content from SharePoint sites, Exchange mail boxes and searchable file shares
  • The hold ensures that a copy of the content is preserved, while still allowing users to work with their content (Preservation Hold Library)

Get Started

  • Microsoft recommends creating a security group that contains the legal team members
  • To discover Exchange mailboxes, authentication between Exchange and SharePoint needs to be configured (area that needs to be explored)
  • Grant legal users appropriate permissions for the site collections (SCA) and Exchange mailboxes that they must perform eDiscovery actions on.

Managing an eDiscovery case:

The two primary components of an eDiscovery case are eDiscovery sets and queries.

eDiscovery sets
  • To find and preserve content, create an eDiscovery set (SP list item). It contains the following:
    • Sources – Location to be searched (Exchange mailbox, SPO or file shares)
    • Filter – Search criteria (search terms, date range and author's name)
    • An option for In-Place hold

Queries
  • To find and export content, create a query (SP list item). It contains the following:
    • Sources – Location to be searched (Exchange mailbox, SPO, eDiscovery sets or file shares)
    • Filter – Search criteria; resembles a filter in an eDiscovery set, however a query can also use stemming

After running a query we can
  • See the statistics about the items that were found
  • Preview the results
  • Filter the results by message type (Exchange) or by file type (SharePoint)
  • Export the results of the query
  • The content that you export by using a query is formatted according to the Electronic Data Reference Model (EDRM) specification so that it can be imported into a review tool. An export can include the following:
    • Documents
    • Lists
    • Pages
    • Exchange objects
    • Crawl log errors
    • An XML manifest that provides an overview of the exported information

How eDiscovery works:

  • The Search Service Application is a key component of the search system in SPO
  • The eDiscovery Center can be associated with an SSA
  • Any content that’s indexed by the Search service application can be discovered from the eDiscovery Center
  • If the SSA is configured to crawl file shares, then the eDiscovery Center can discover content from file shares
  • If an Exchange mailbox is added as a result source to the SSA, then Exchange mailboxes can be discovered from the eDiscovery Center and can be put on hold

In-Place Holds:

  • When an in-place hold is applied to a site (sub sites included), content in the site remains in its original location
  • Users can still work with the content, but a copy of the content as it was at the time that you initiated the hold is preserved
  • Any new content that’s created or added to the site after it was put on hold will be discoverable, and will be preserved if it’s deleted
  • By using in-place holds in SPO, users do not even have to know that their content is on hold
  • When a hold is placed on a SharePoint site, a preservation hold library is created, if one does not already exist
  • A user will receive an error if they try to delete a library, list, or site collection that’s on hold
  • The Information Management Retention timer job cleans up the preservation hold library

Limitations:

  • Once content sources or queries are added to an eDiscovery case, changing the regional settings for the site is not supported
  • Adding a large distribution group (of 100 names or larger) as a content source may time out or take a long time to process. Distribution groups of 1,500 or more users cannot be added. The workaround is to identify other ways to find the content involved with the distribution group’s mailbox, such as keywords or the author or sender of the item
  • In order for content to be discovered, it must be crawled by search

Lifecycle of an eDiscovery case:

  • Create the site to manage a case
  • Add sources
  • Place sources on hold
  • Create queries
  • Export case content
  • Close case

My next article will talk about placing an Office 365 group on legal hold.

SharePoint online CRUD Operation using pnp-JS-Core


The Patterns and Practices JavaScript Core Library is an open source project that helps developers simplify their code instead of writing multiple lines for common SharePoint operations. It is written in TypeScript, and we can use it to develop applications in TypeScript or JavaScript.

To know more about PnP JS Core, see https://github.com/OfficeDev/PnP-JS-Core

Before starting on the code, we should have the JS files below.

Fetch.js https://github.com/github/fetch/blob/master/fetch.js

es6-promise.js https://github.com/stefanpenner/es6-promise/blob/master/dist/lib/es6-promise.js

pnp.js https://github.com/OfficeDev/PnP-JS-Core/blob/master/dist/pnp.js

AngularJS.

Alternatively, we can use the npm package: “npm install sp-pnp-js --save-dev”

Angular Service (PNP)

    (function () {
        app.service('appService', ['$http', '$q', function ($http, $q) {
            // Read a query string parameter of the add-in page.
            function getUrlParamByName(name) {
                name = name.replace(/[\[]/, "\\[").replace(/[\]]/, "\\]");
                var regex = new RegExp("[\\?&]" + name + "=([^&#]*)");
                var results = regex.exec(location.search);
                return results === null ? "" : decodeURIComponent(results[1].replace(/\+/g, " "));
            }
            var appWebUrl = getUrlParamByName("SPAppWebUrl");
            var hostWebUrl = getUrlParamByName("SPHostUrl");

            // Each method wraps the pnp promise in $q and passes failures on to the caller.
            this.getProjects = function () {
                var d = $q.defer();
                $pnp.sp.crossDomainWeb(appWebUrl, hostWebUrl).lists.getByTitle('Projects').items.get().then(function (response) {
                    d.resolve(response);
                }, function (error) {
                    d.reject(error);
                });
                return d.promise;
            };

            this.addProject = function (project) {
                var d = $q.defer();
                $pnp.sp.crossDomainWeb(appWebUrl, hostWebUrl).lists.getByTitle('Projects').items.add(project).then(function (response) {
                    d.resolve(response);
                }, function (error) {
                    d.reject(error);
                });
                return d.promise;
            };

            this.deleteProject = function (id) {
                var d = $q.defer();
                $pnp.sp.crossDomainWeb(appWebUrl, hostWebUrl).lists.getByTitle('Projects').items.getById(id).delete().then(function (response) {
                    d.resolve(response);
                }, function (error) {
                    d.reject(error);
                });
                return d.promise;
            };

            // Only the Technology column is updated.
            this.updateProject = function (project) {
                var d = $q.defer();
                $pnp.sp.crossDomainWeb(appWebUrl, hostWebUrl).lists.getByTitle('Projects').items.getById(project.Id).update({ Technology: project.Technology }).then(function (response) {
                    d.resolve(response);
                }, function (error) {
                    d.reject(error);
                });
                return d.promise;
            };
        }]);
    })();

Angular Controller

    (function () {
        app.controller('projectCtrl', ['$scope', 'appService', function ($scope, appService) {
            $scope.title = "test";

            $scope.getProjects = function () {
                appService.getProjects().then(function (response) {
                    $scope.title = "welcome";
                    $scope.projects = response;
                });
            };

            $scope.addProject = function () {
                appService.addProject($scope.project).then(function (response) {
                    $scope.getProjects();
                    $scope.project = {};
                });
            };

            $scope.deleteProject = function (id) {
                appService.deleteProject(id).then(function (response) {
                    $scope.getProjects();
                });
            };

            $scope.updateProject = function (project) {
                appService.updateProject(project).then(function (response) {
                    $scope.getProjects();
                });
            };

            $scope.getProjects();
        }]);
    })();

Default.aspx

    <asp:Content ContentPlaceHolderID="PlaceHolderAdditionalPageHead" runat="server">
        <script type="text/javascript" src="../Scripts/jquery-1.9.1.min.js"></script>
        <meta name="WebPartPageExpansion" content="full" />
        <link href="../Content/bootstrap.css" rel="stylesheet" />
        <script src="../Scripts/angular.min.js"></script>
        <script src="../Scripts/fetch.js"></script>
        <script src="../Scripts/es6-promise.min.js"></script>
        <script src="../Scripts/pnp.js"></script>
        <script src="../App/app.module.js"></script>
        <script src="../App/app.service.js"></script>
        <script src="../App/project.ctrl.js"></script>
    </asp:Content>
    <asp:Content ContentPlaceHolderID="PlaceHolderPageTitleInTitleArea" runat="server">
    </asp:Content>

    <asp:Content ContentPlaceHolderID="PlaceHolderMain" runat="server">
        <div data-ng-app="projectApp">
            <div data-ng-controller="projectCtrl">
                <table class="table table-bordered">
                    <thead>
                        <tr>
                            <th>Project</th><th>Client</th><th>Technology</th>
                        </tr>
                    </thead>
                    <tbody>
                        <tr ng-repeat="project in projects">
                            <td>{{project.Title}}</td><td>{{project.Client}}</td>
                            <td>
                                <div class="col-sm-6">
                                    <input type="text" ng-model="project.Technology" class="form-control" /></div>
                                <button type="button" class="col-sm-2 btn-default" ng-click="updateProject(project)">Update</button>
                                <button type="button" class="col-sm-2 btn-default" ng-click="deleteProject(project.Id)">Delete</button>
                            </td>
                        </tr>
                    </tbody>
                    <tfoot>
                        <tr>
                            <td><input type="text" class="form-control" ng-model="project.Title" /></td>
                            <td><input type="text" class="form-control" ng-model="project.Client" /></td>
                            <td><div class="col-sm-10">
                                <input type="text" class="form-control" ng-model="project.Technology" />
                                </div>
                                <button type="button" class="col-sm-2 btn-default" ng-click="addProject()">Add</button>
                            </td>
                        </tr>
                    </tfoot>
                </table>
            </div>
        </div>
    </asp:Content>


Placing an Office 365 group on legal hold and accessing content from a Preservation Hold Library


The site created for an Office 365 group can be put on hold. Any content that is deleted is moved to the Preservation Hold Library. However, accessing the “Preservation Hold Library” from the UI is currently a challenge, since the site contents page redirects users back to the document library. This seems to be expected, since adding new lists such as a document library is not allowed in this site; to enforce this, the site contents page seems to have been blocked and redirects to the document library instead.

Please read my previous article on eDiscovery first; this article is a continuation of it.

Here is the list of workarounds that can be used to access the contents:

1. We can use SharePoint Designer to access the contents. We can browse to the library and copy the contents from SharePoint Designer.

2. We can open the site in Explorer view and copy the content.

3. We can use the following PowerShell script, which browses to the library and downloads the files to the specified location.

    # Load the SharePoint client (CSOM) assemblies.
    $loadInfo1 = [System.Reflection.Assembly]::LoadWithPartialName("Microsoft.SharePoint.Client")
    $loadInfo2 = [System.Reflection.Assembly]::LoadWithPartialName("Microsoft.SharePoint.Client.Runtime")

    $webUrl = Read-Host -Prompt "HTTPS URL for your SP Online 2013 site"
    $username = Read-Host -Prompt "Email address for logging into that site"
    $password = Read-Host -Prompt "Password for $username" -AsSecureString

    $ctx = New-Object Microsoft.SharePoint.Client.ClientContext($webUrl)
    $ctx.Credentials = New-Object Microsoft.SharePoint.Client.SharePointOnlineCredentials($username, $password)
    $ctx.RequestTimeout = [System.Threading.Timeout]::Infinite

    $web = $ctx.Web
    $ctx.Load($web)
    $ctx.ExecuteQuery()

    $list = $web.Lists.GetByTitle("Preservation Hold Library")
    $ctx.Load($list)
    $ctx.ExecuteQuery()

    # Top-level items of the library.
    $query = New-Object Microsoft.SharePoint.Client.CamlQuery
    $query.ViewXml = "<View><Query><Where></Where></Query></View>"
    $items = $list.GetItems($query)
    $ctx.Load($items)
    $ctx.ExecuteQuery()

    $destinationPath = "" # Enter location within quotes, ending with "\"

    # Recreate each folder locally and download each file into it.
    function recur_folder($item, $destinationPath)
    {
        if ($item.FileSystemObjectType -ne "File")
        {
            $folderName = $item["FileLeafRef"]
            $folderPath1 = $item["FileRef"]
            $pathOfFolder = $destinationPath + $folderName
            New-Item -ItemType directory -Path $pathOfFolder
            $folderQuery = New-Object Microsoft.SharePoint.Client.CamlQuery
            $folderQuery.ViewXml = "<View><Query><Where></Where></Query></View>"
            $folderQuery.FolderServerRelativeUrl = $folderPath1
            $folderItems = $list.GetItems($folderQuery)
            $ctx.Load($folderItems)
            $ctx.ExecuteQuery()
            $pathOfFolder = $pathOfFolder + "\"
            foreach ($folderItem in $folderItems)
            {
                recur_folder $folderItem $pathOfFolder
            }
        }
        else
        {
            Write-Host "Saving " $item["FileRef"]
            $fileRef = $item["FileRef"]
            $fileInfo = [Microsoft.SharePoint.Client.File]::OpenBinaryDirect($ctx, $fileRef.ToString())
            $new = $destinationPath + $item["FileLeafRef"]
            # Copy the download stream straight to disk. The local stream has its own name,
            # so it does not hide the $list (the SharePoint library) that the folder branch uses.
            $out = [System.IO.File]::Create($new)
            try
            {
                $fileInfo.Stream.CopyTo($out)
            }
            finally
            {
                $out.Dispose()
                $fileInfo.Dispose()
            }
        }
    }

    foreach ($item in $items)
    {
        recur_folder $item $destinationPath
    }

Conclusion:

MS is in the process of fixing this issue with the new Security and compliance roadmap…

How to get the list of external users in SharePoint Online if there are more than 1000 external users


We will all, at some point, need to know the list of external users in our SharePoint Online tenant. Usually, Get-SPOExternalUser is the command used to fetch the list of external users, but it has a hard limit of fetching a maximum of 1000 users.

Reason

Get-SPOExternalUser uses the .NET DirectorySearcher class to get the guest users from the tenant. It can return only 1000 users because the DirectorySearcher limit is 1000.

Options

If your tenant has a large number of users (>1000), the list of external users can be fetched using the following method:

Get-MsolUser -All | ? {$_.usertype -eq "Guest"}

For getting the list of unlicensed users please use the below command:

Get-MsolUser -UnlicensedUsersOnly -All | ? {$_.usertype -eq "Guest"}

Additional Information can be fetched using the Examples in the KB

Fix For Users profile pictures not displayed in SharePoint online sites and delve


Some users of our SharePoint Online environment were not able to see their profile photo displayed in Delve and SharePoint. As this seems to be a common problem for most users, this article explains how to fix the profile picture issue.


How to get the photo updated:

In SharePoint Online, we have got 2 scenarios to get the Photo updated for the user.

1. Users with Exchange online license and

2. Users without.

First let’s talk about the users with exchange online license:

To start with, the user needs to visit the URL below: https://outlook.office.com/owa/?path=/options/myaccount/action/photo and upload their photo there. However, when they then go to SharePoint Online they still won’t see the updated photo in the top bar; they need to perform another action.

The user should browse to their DELVE profile page, please refer to get in to DELVE. A set of actions is triggered when they do so:

· During the page load of Me.aspx, a request is made for the large thumbnail photo. This generates a call to Exchange Online for the user’s profile picture.

· If the user has an Exchange Online mailbox, and the mailbox contains a profile picture for the user, SharePoint Online will request the picture from Exchange Online.

· SharePoint Online creates a small, medium, and large thumbnail photo from the picture that was returned from Exchange Online. The photos are saved in a folder in the User Photos Library for the My Site Host site collection. The name of the folder will vary, depending on what the My Site Host root web locale is set to at the time of photo upload or synchronization.

· The Picture Timestamp, Picture Placeholder State and the Picture Exchange Sync State profile properties for the user are set or updated to reflect the profile picture synchronization state


SharePoint Online picture synchronization for users without an Exchange Online mailbox

Let’s see what we need to do for users without Exchange online license:

The user should browse to their DELVE profile page, please refer to get in to DELVE. A set of actions is triggered when they do so:

Note: When a user doesn't have an Exchange Online license, the Picture property will have an Upload picture button. The Picture Exchange State property is set to 0.

1. Click the Basic Information tab, and then click Upload picture. The Choose a picture dialog box is displayed.

2. The user uploads a picture to SharePoint Online from the Choose a picture dialog box.

3. SharePoint Online creates a small, medium, and large thumbnail photo from the uploaded picture. The photos are saved in a folder in the User Photos Library for the My Site Host site collection. The name of the folder will vary, depending on what the My Site Host root web locale is set to at the time of photo upload or synchronization.

4. The Picture Timestamp, Picture Placeholder State and the Picture Exchange Sync State profile properties for the user are set or updated to reflect the profile picture synchronization state.

NOTE: If the Picture Exchange Sync State property doesn’t get updated, set it to 1 manually. Setting it to 1 tells the sync that there is an updated profile photo for the user that needs to be synced.

Some of the facts to keep in mind:

• Guest user profile pictures aren't synced to SharePoint Online.

• By default, SharePoint Online will provide three placeholder pictures (SThumb.jpg, MThumb.jpg, and LThumb.jpg) for the user.

• Each user profile has a property named Picture (PictureUrl) that points to the medium file (MThumb.jpg) that's located in the My Site Host site collection.

• By default, the Picture property in the user profile application is editable. The property setting has to be editable for picture synchronization and for a user profile picture upload to be successful.

• The picture is synced down from Exchange Online only once every 72 hours.

• The My Site Host site collection must have available quota in order to store new pictures.

What happens when you create a office group and what you should know about office 365 groups


To put it in one line, Office 365 Groups is a platform integrated across O365, bringing Outlook, a SharePoint site (group site) and Planner together in one place. In this article, let us see how to create an Office 365 group.

Login to Office 365 Admin Portal: https://portal.office.com/AdminPortal/Home?switchtomoderndefault=true#/groups

Click the group option in the left tree view:


Click ADD Group button in the next screen:


Provide the respective details in the upcoming screen:

Assume we have created a group named Today’s Task. As I mentioned earlier, a Planner and a SharePoint site (called a group site) get created. But here comes the news: you can’t find Planner directly, and as for the SharePoint site, you can’t find it anywhere. I will talk more about that.

How to see the planner:

You can get in to planner from the Top Bar (If you don’t see it, it may be probably because you don’t have a PLANNER License)

By clicking on PLANNER, you will see all the plans that have been created; in our case we should see our plan, TODAY’S TASK.

To know more about Planner, please refer

Now let’s see how to find the SharePoint site that gets created:

By no means can you find the SharePoint site from the ADMIN CENTER.

1. As of now there are only 2 ways to find the group site URL once the groups are created:

a. PowerShell – the Get-UnifiedGroup command (this is an Exchange cmdlet)

b. Go to OWA (Outlook Web App)

All the group (Assigned to you) would display under the GROUP Link in OWA, click the group Today’s Tasks


Click the FILE link in the TOP Ribbon:

This takes you to the SharePoint site, which is called a GROUP SITE. It has just a DOCUMENT LIBRARY in it (it looks more like a OneDrive).

Note:

If you have Outlook 2016, you will see the group tab in it as well.

Here comes the next surprise. As I already said, we can’t see the SharePoint Office group site anywhere in the OFFICE ADMIN CENTER (it looks like it is hidden even from the SharePoint API). Here is what happens if you create a site collection with the same name as the Office group site.

Let’s create a site collection with the same name TODAY’s TASK.

You will end up seeing the error that “SITE ALREADY EXISTS”


Conclusion: MS is working on showing up the OFFICE GROUP SITE in the Office ADMIN Centre soon.

Future: Office 365 group site is getting changed to TEAM site, please refer


Configure BCS from Office 365 to Azure PaaS SQL


In one of my earlier articles we discussed setting up SQL in IaaS and PaaS; now let’s talk about consuming them in SharePoint Online using BCS. This document explains the steps to configure BCS in Office 365 to pull data from an Azure PaaS SQL DB, and also how to configure firewall IP ranges and network possibilities.

Note: Please make sure to set up Azure PaaS SQL before proceeding further.

Once you have Azure SQL in place, the next step is to set up the secure store.

Create Secure Store Token ID

· Go to Admin site of the O365 tenant and open secure store tab

· Create a new secure store token ID with the SQL Server user name as the user name and the SQL Server password as the password, as shown below in the image.

· Make a note of the secure store token ID.

Configure in SharePoint Designer 2013

· Create an external content type with external system as shown in the below image.

· While connecting to the Azure PaaS SQL DB in the external system screen, switch to an open network. (If you’re on a corporate network, your internal firewall might block the traffic.)

· In the add connection wizard, provide the Azure SQL DB related field values along with the secure store token, as shown below in the image.

· On clicking the OK button, an error popup will be shown; this popup is specific to your network.

· As a one-time activity, add the IP specified in the popup on the firewall settings page of the Azure SQL server. Along with that, add 11 more IP ranges on the same firewall settings page, as shown below.

IP Ranges table

    IP range (CIDR)      Start IP          End IP
    13.107.6.150/31      13.107.6.150      13.107.6.151
    13.107.9.150/31      13.107.9.150      13.107.9.151
    40.108.0.0/19        40.108.0.1        40.108.31.254
    40.108.128.0/17      40.108.128.1      40.108.255.254
    104.146.0.0/19       104.146.0.1       104.146.31.254
    104.146.128.0/17     104.146.128.1     104.146.255.254
    134.170.200.0/21     134.170.200.1     134.170.207.254
    134.170.208.0/21     134.170.208.1     134.170.215.254
    191.232.0.0/23       191.232.0.1       191.232.1.254
    191.234.128.0/21     191.234.128.1     191.234.135.254
    191.235.0.0/20       191.235.0.1       191.235.15.234

The above IP ranges may change with Microsoft updates. These updates need to be checked periodically on this site.

· Next, go back to SharePoint Designer and click OK; the connection will now be established and the DB will be created.

· Select any DB and create all operations, set parameters, filters and click finish


· Click the save button at the top left of the designer to save the connection to external content type.

· Now navigate to the O365 admin site > BCS tab > click Manage BDC models and external content types.

· Newly created content type will be reflected there in the bcs screen. Select the content type and “set object permissions” and “set metadata store permissions” as shown below
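As an added example (not part of the original article), the check below derives the start and end address that an Azure SQL firewall rule needs from each CIDR range and reports rows whose listed bounds differ. The function names are hypothetical, and the rows to audit are passed in by the caller.

```javascript
// Added example: derive firewall rule bounds from CIDR ranges and audit a rule list.
// Function names are hypothetical; nothing is fetched from the network.

function ipToInt(ip) {
  const text = String(ip).trim();
  if (!/^\d{1,3}(\.\d{1,3}){3}$/.test(text)) throw new Error(`bad IPv4 address: ${ip}`);
  const parts = text.split(".").map(Number);
  if (parts.some((p) => p > 255)) throw new Error(`bad IPv4 address: ${ip}`);
  return parts.reduce((acc, p) => acc * 256 + p, 0);
}

function intToIp(n) {
  return [24, 16, 8, 0].map((shift) => Math.floor(n / 2 ** shift) % 256).join(".");
}

// Start and end address for one CIDR block, using the convention of the table:
// network and broadcast addresses are left out, except for /31 and /32 blocks.
function cidrToRule(cidr) {
  const [base, lenText] = String(cidr).trim().split("/");
  const len = Number(lenText);
  if (!Number.isInteger(len) || len < 0 || len > 32) throw new Error(`bad prefix: ${cidr}`);
  const size = 2 ** (32 - len);
  const network = Math.floor(ipToInt(base) / size) * size;
  const trim = len >= 31 ? 0 : 1;
  return { cidr, start: intToIp(network + trim), end: intToIp(network + size - 1 - trim) };
}

// Compare listed rules with the derived bounds.
// "uncovered": addresses inside the CIDR range that the listed rule would block.
// "excess": addresses the listed rule allows although they lie outside the CIDR range.
function auditRules(rows) {
  const findings = [];
  for (const row of rows) {
    const expected = cidrToRule(row.cidr);
    const wantStart = ipToInt(expected.start);
    const wantEnd = ipToInt(expected.end);
    const gotStart = ipToInt(row.start);
    const gotEnd = ipToInt(row.end);
    const uncovered = Math.max(0, gotStart - wantStart) + Math.max(0, wantEnd - gotEnd);
    const excess = Math.max(0, wantStart - gotStart) + Math.max(0, gotEnd - wantEnd);
    if (uncovered > 0 || excess > 0) {
      findings.push({ cidr: row.cidr, expected, uncovered, excess });
    }
  }
  return findings;
}
```

Running auditRules over the rule list after every update of the published ranges catches both a rule that is narrower than its range and one that opens the database to addresses outside it.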


ADD BDC Web part or External List in O365

· Create new web page and add Business Data List web Part as shown below


· Edit the web part and configure the external content type to the above created one as shown below


· BCS is configured and shown as below


SharePoint Online Authentication Options - Part 1


I ended up spending too many hours demystifying how SharePoint Online works in a federated environment, but I didn’t find many details; I found a few, but they weren’t in one location. So I thought I would put all the information I collected here.

Let’s start with some basics. As we all know, SharePoint Online is a SaaS offering (Software as a Service), and for users to consume this service their accounts must be present somewhere for the system to authenticate them.

As of now we have 3 identity models: cloud identities, synchronized identities and the federation model.

Let’s see in detail about each one of them at a very high level:

Cloud Identities:

Put simply, these are the accounts that get created in the cloud.

Go to https://portal.office.com/adminportal/home#/users

Click Users Tab in the left side navigation and select ACTIVE users in it


Click ADD user in the right side:

You will see the list of domains associated with your tenant under the Domain drop-down, and one of the domains will look something like YOURTENANTNAME.Onmicrosoft.com

Create an account with this domain selected; you will see that users created with this domain are shown as CLOUD accounts on the active users page.

The major benefit of the cloud identity model is that you do not need to make any changes or deploy any new servers in the on-premises infrastructure.


Synchronized Identities:

The second identity model is synchronized identities, where the existing users in the on-premises Active Directory are synchronized to the AAD/Office 365 tenant using a directory synchronization tool.

In this case any account created on-premises gets synced to Office 365, and any account synced this way looks like this on the ACTIVE users page.

The major benefit of using this identity model over the cloud identities is that users will be provisioned automatically using the directory synchronization tool and will be able to use the same set of credentials as they already use in their on-premises Active Directory resulting in not a “single sign-on” but “same sign-on” scenario where the user object and passwords are managed in the on-premises Active Directory. In a “same sign-on” scenario, the end user will, as mentioned, be able to use his existing credentials but needs to authenticate when accessing an Office 365 workload.

It’s important to note that end user passwords are not stored in the AAD/Office 365 tenant. What is stored there is a hash of a hash of the on-premises Active Directory password, and a malicious user cannot retrieve the password itself from the hash of the hash.

Let’s talk more on Federation model and also on the modern authentication in the next blog post.

SharePoint Online Authentication Options - Part 2


Let’s now talk more about the federation model and about modern authentication for SharePoint Online. In a federated environment, once you sign in to SharePoint Online with your organization account and that account is federated, the web client redirects the request from login.microsoft.com to the on-premises ADFS or other third-party federation engine.

The Azure AD authentication endpoint detects whether the particular account is federated and, if so, performs another redirection to the internal federation service (which can be ADFS or anything else). The federation service requires the client to authenticate. Once the client is authenticated, the federation service retrieves the necessary claims-related information from Active Directory and provides the web client with a token holding the claims about the user. The client presents the token to Azure AD and, after successful authentication, the web client is redirected back to Microsoftonline.com.

To understand more on how user profile synchronization works, please refer

Now let’s see what modern authentication is all about:

This has nothing to do with SharePoint Online itself; it is mainly for Office 365 apps.

Modern authentication brings Active Directory Authentication Library (ADAL)-based sign-in to Office client apps across platforms. This enables sign-in features such as Multi-Factor Authentication (MFA), SAML-based third-party Identity Providers with Office client applications, smart card and certificate-based authentication, and it removes the need for Outlook to use the basic authentication protocol.

By enabling ADAL for Office client applications, they will use an in-application browser control to render the Azure AD sign in experience in the same fashion as browser-based Office 365 clients like the Outlook on the Web (OotW). ADAL based OAuth authentication works for federated as well as non-federated scenarios.


To know more on session timeout for office 365 services please refer (this might differ based on our organization internal federation system setting)

Automate O365 Group creation using Graph Api from a Remote Service/Workflow App using OAuth 2.0 Client Credentials Flow


I am writing this post from my experiences “As on Today” about the evergreen platforms O365 and Azure which may change in the future.

I had a situation where my organization was planning to avoid users from directly creating the O365 Groups as part of our O365 Governance Strategy.

So, we had planned to automate the creation of O365 groups using a workflow or service for our internal customers based on request and approval process.

Finally, I ended with the Idea of creating a remote workflow app to automate the O365 Group Creation.

The Content in the post is not specific to a workflow implementation and can be used in any remote app to create the O365 Groups.

 

A remote app which runs external to O365 can be any one of the below

1. Standalone Asp.net or client side app using frameworks like React or AngularJS.

2. Workflow running on an environment external to O365.

3. Console/background job running in a Non-Microsoft platform

O365 groups can be created using the Graph API. I hope it has been explained in numerous articles how the Graph API can be used to perform operations on most O365 objects (https://graph.microsoft.io).

To create an O365 group or to perform any other operations using the Graph Api, you should register the remote app in the Azure AD connected to the O365 Portal and provide the required permissions for the remote app.

Below are the steps required to create an Office365 Group from a Remote App.

1. Register the APP in Azure AD

2. Get Company Administrator Authorization Consent for the App

3. Get Access Token using the App ID and App Secret

4. Create a O365 Group or perform operations using Graph Api with Authorization Token

Step 1: Register the App in Azure AD

To communicate with any of the Microsoft services such as Graph Api you may have to register an app in Azure AD.

Use any of the links below to register the app in the Azure AD connected to your O365 portal. Sign in with your O365 account.

https://apps.dev.microsoft.com – App Registration Portal

https://portal.azure.com – New Portal for Admins

https://manage.windowsazure.com – Classic Portal for Admins

1. From the App Registration Portal, Click on Register an App.

2. Provide a Name for your app

3. Note the Application ID of the App which will be used further.

4. Create an application secret with the “Generate a new Password” button. Make sure you copy the password and store it, as you cannot retrieve it once you leave the screen. This secret never expires; if you would like a password that expires after a year or 2, you can generate one from the Azure Portal.

5. Click on Add Platform to add the “Web” platform. Add a dummy redirect URI, which is not required for the service app scenario.

6. Add the required permissions for the Microsoft Graph.

There are 2 types of permissions. Application and Delegated Permissions.

We only need to specify Application permissions as we are not going to have the code performing any operation on behalf of the user.

7. I selected the Group.ReadWrite.All application permission for my app to create groups.

8. Save the Changes.

Understanding Grant Flows in OAuth 2.0

The key challenge here is to authenticate the Rest call from your remote app using OAuth without an O365 account.

Azure supports all 4 different access grant types in OAuth model for applications.

1. Authorization Code Grant Flow

For apps (native or web apps) that run on servers and require the user to be authenticated to create an O365 group, and for apps that have outsourced authentication to Azure AD, the Authorization Code Grant Flow can be used.

2. Implicit Code Grant Flow

For browser-based apps such as single-page applications built with client-side frameworks like AngularJS or ReactJS. This requires the user to sign in to Azure and get the access token in order to call the Graph API from the browser.

3. Resource Owner Password Credentials Grant Flow

This can be used in a Windows application/service that is on the Azure domain, with or without a user logged in. It is the least used flow: it lets resource owners send their user name and password over HTTP, which opens a potential security risk.

4. Client Credential Grant Flow

The Client Credential flow is primarily used when the remote app works as a background job/service without user intervention.

I chose the Client Credential flow because I planned to use a workflow to create the O365 group from my on-prem SharePoint environment. So there will be no user authentication, and no account will be used to make the call to the Graph API from the workflow.

Client Credential Flow

Step 2: Get Company Administrator Authorization Consent for the App

Build the below URL and provide the URL to your company administrator of the Azure/O365 Portal.

https://login.microsoftonline.com/<TenantID/Common>/adminconsent?client_id=<Application ID>&state=12345&redirect_uri=<redirect_Uri>

In the above URL, replace the placeholders below with the values you got while registering the application in Azure.

<TenantID/Common> - If you have a single tenant, use the tenant ID of your O365 portal; if you are multi-tenant, specify “Common” instead of the tenant ID.

<Application ID> - Use the App ID of the app you registered in the Azure Portal.

<redirect_Uri> - This is not required for the Client Credentials flow. You can use the same dummy redirect URI that was created during Azure app registration. It is only used in the Authorization Code Grant Flow and the Implicit Grant Flow.

The company administrator should authenticate at the URL to give a one-time consent, granting the permissions the app requires to perform operations on the Azure/O365 tenant using the Graph API.

 

Step 3. Request an Access token from OAuth Token Endpoint.

Once the company administrator has given consent, you can use any of the Azure Active Directory Authentication Libraries (ADAL), depending on the type of remote app you develop, to authenticate against Azure and perform the Graph API operations. Please refer here for the ADAL libraries: https://azure.microsoft.com/en-in/documentation/articles/active-directory-authentication-libraries/

Under the hood, these libraries support all 4 OAuth grant flows, from requesting to caching and managing the access tokens for your application to use. The ADAL libraries encapsulate the calls to the OAuth endpoints, so developers do not need to worry about authorization or about acquiring and managing access tokens.

Since I used a workflow, I could not use any of these ADAL libraries and had to make a direct call to the OAuth token endpoint to acquire an access token.

An access token, which is a Base64-encoded string of a JWT (JSON Web Token), must be sent as an Authorization header along with the HTTP call to the Graph API to create the O365 group.

I had to perform a REST call to the OAuth token endpoint to get an access token.

Build the REST URL using the format below to get the access token.

 POST URL :  https://login.windows.net/<TenantID/Common>/oauth2/token  Request Header :  Content-Type: application/x-www-form-urlencoded  Request Body: grant_type=client_credentials &client_id=<App Id from App Registration> &client_secret=<App Secret from App Registration> &resource=https://graph.microsoft.com  Response: {    "token_type": "Bearer",   "expires_in": "3599",   "scope": "User.Read",   "expires_on": "1449685363",   "not_before": "1449681463",   "resource": "https://graph.microsoft.com",   "access_token": "<access token>" } 

Step 4: Create an O365 Group or Perform Operations Using the Graph API with the Access Token

Once you have the access token from the response content of the previous request, you can create an O365 Group using the Graph API from your remote/workflow app.

To create the O365 Group, refer to the Graph API documentation (http://graph.microsoft.io/en-us/docs/api-reference/v1.0/api/group_post_groups).

POST URL:
    https://graph.microsoft.com/v1.0/groups

Request Headers:
    Authorization: Bearer <access token>
    Content-type: application/json
    Content-length: 244

Request Body:
    {
      "description": "My O365 Group",
      "displayName": "O365 Test Group",
      "groupTypes": [
        "Unified"
      ],
      "mailEnabled": true,
      "mailNickname": "O365TestGroup",
      "securityEnabled": false
    }
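The token request and group-creation call from Steps 3 and 4, as an added Python example that is not code from the original post. It URL-encodes the form body so that a client secret containing +, /, = or & survives the hand-built request, and it checks the token response before the token is used; the function names, the 300-second skew and sample_jwt are assumptions made here, and the JWT payload is decoded without signature verification.

```python
import base64, json, time
from urllib.parse import urlencode

GRAPH = "https://graph.microsoft.com"

def token_request(tenant, client_id, client_secret):
    """Step 3: URL, headers and form body for the client-credentials call."""
    body = urlencode({                      # escapes + / = & inside the secret
        "grant_type": "client_credentials", "resource": GRAPH,
        "client_id": client_id, "client_secret": client_secret,
    })
    url = "https://login.windows.net/%s/oauth2/token" % tenant
    return url, {"Content-Type": "application/x-www-form-urlencoded"}, body

def jwt_claims(token):
    """Decode the JWT payload for inspection; the signature is NOT verified."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)    # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def usable_token(resp, now=None, skew=300):
    """Check the token response before use; return the access token."""
    now = time.time() if now is None else now
    if resp.get("token_type") != "Bearer":
        raise ValueError("unexpected token_type")
    if resp.get("resource") != GRAPH:
        raise ValueError("token issued for another resource")
    if int(resp["expires_on"]) - skew <= now:
        raise ValueError("token expired or expiring; request a new one")
    # Assumption: this endpoint echoes the requested resource as the aud claim.
    if jwt_claims(resp["access_token"]).get("aud") != GRAPH:
        raise ValueError("JWT audience is not Microsoft Graph")
    return resp["access_token"]

def group_request(access_token, display_name, nickname, description):
    """Step 4: URL, headers and JSON body for POST /v1.0/groups."""
    body = json.dumps({
        "description": description, "displayName": display_name,
        "groupTypes": ["Unified"], "mailEnabled": True,
        "mailNickname": nickname, "securityEnabled": False,
    })
    headers = {"Authorization": "Bearer " + access_token,
               "Content-Type": "application/json"}
    return GRAPH + "/v1.0/groups", headers, body

def sample_jwt(claims):
    """Constructed, unsigned JWT-shaped string for offline testing only."""
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return ".".join([enc({"alg": "none"}), enc(claims), "sig"])
```

The three-tuples returned by token_request and group_request can be passed to whatever HTTP action the workflow provides; keep the client secret and the returned token out of workflow history and logs.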

With that I conclude the topic of O365 group creation in an automated way from a Service or workflow app.

Expect the Unexpected: Custom Audit Report and Audit Log Retention in Office 365


At some point we might have ended up, or will end up, in a situation like this in Office 365: auditing is enabled on a site collection, but nothing shows up in the report.

In my case I had a site collection in which I had enabled Auditing in September, and by October 1 I couldn’t see the data for September… It took 2 days for me to identify what had gone wrong!!!

Here are my findings

· We confirmed that we could generate audit log reports in the site collection on any date after 1st of October.

· The above behaviour is seen because the logs get deleted after each month if “Automatically trim the audit log for this site?” is set to No.

Background

The behaviour is expected: the default setting for retaining audit log data is zero days. That means if you don't specify a different retention period, all audit log entries are deleted at the end of the month. Please refer

· We changed “Automatically trim the audit log for this site?” to Yes, and the number of days to be retained would be 100 now.

MS has enabled pulling the audit report from the Security & Compliance portal too.

At a very high level, you can use the Reports page in the Office 365 Security & Compliance Centre to quickly access audit reports for your SharePoint Online and Exchange Online organizations. Please refer
