What is Customer Lock box in Office 365?

1.png

“Customer Lock box” – this terminology was something new to me until I heard it at Microsoft Tech Summit this year. One of the sessions I attended was on Office 365, and the speaker was talking about this feature. Sadly, only a few folks in the room were aware of it, and I was one of those who hadn’t heard the terminology before.

Anyways, now that I’m aware of it I decided to write an article on it so that my readers get to understand about this cool feature in Office 365 and they can start using it in their Office 365 tenants.

So what is Customer Lockbox? Put simply, it’s a feature available in Office 365 to ensure that there’s zero interaction by Microsoft with your content that’s saved in Office 365 (i.e. SharePoint Online, Exchange Online, Skype for Business Online, etc.).

Roughly a couple of years back, Microsoft came up with this feature to maximize data security and privacy for Office 365 customers by ensuring that there’s zero interaction with the customer’s content by Microsoft engineers.

Almost all the service operations performed by Microsoft are either fully automated so there is no human interaction, or the human involvement is abstracted away from the customer’s content that’s stored in Office 365.

Only in circumstances where something is broken in your tenant and you have raised a support case for it will Microsoft engineers access your content to fix it. With this feature, Microsoft enforces access control through multiple levels of approval, providing just-in-time access with limited and time-bound authorization. In addition, all access control activities performed by the Microsoft engineer are logged and audited.

The below mentioned image depicts the complete approval process:

2.png

So with this feature Microsoft has given their assurance to its customers that their content will not be accessed by Microsoft employees without their explicit approval. It brings customers into the access approval process, requiring the customer to provide explicit approval of access to their content by a Microsoft employee for service operations.

Now that we have understood this feature, let’s take a look at how the complete process works.

3.png

Let’s consider a scenario wherein something is broken in SharePoint Online or Exchange Online and you raised a support case for it. The engineer, upon reviewing your request, feels that he/she might need access to your Exchange/SharePoint Online content to fix it. This is how the process flows when you have Customer Lock box turned on in your tenant.

  1. Administrators in the customer’s Office 365 environment are notified via email that there is a request for access as shown in the image below.

4.png

2. In addition to this the Office 365 Admin Center portal will also display requests that have been submitted to the customer for approval as shown in the image below.

5.png

3. You as an Office 365 administrator can approve or reject Customer Lock box requests. Check the image below where you get the option to approve or reject a request.

6.png

4. Microsoft can only proceed following approval of a Customer Lock box request. See the image below where the customer has approved a request by the engineer.

7.png

5. If a customer rejects a Customer Lock box request, no access to customer content will occur.

Note: Customer Lock box requests have a default lifetime of 12 hours; after which they expire. Expired requests do not result in access to customer content.

Enabling Customer Lockbox in the Office 365 admin center:

  1. Sign in to Office 365 admin center
  2. Go to the Office 365 admin center.
  3. Navigate to Settings > Security & privacy and scroll to locate Customer Lock box

8.png

4. Click Edit and move the toggle on or off to turn lock box requests on or off.

9.png

Approve or deny a Customer Lock box request in the Office 365 admin center:

  1. Sign in to Office 365 admin center
  2. Go to the office 365 admin center
  3. Navigate to Settings > Support > Service requests.

10.png

4. Select a customer lock box request, and then select Approve or Reject.

5. This is how the view looks in the new Office 365 admin center. Check the image below.

11.png

12.png

How to avail Customer Lock box for Office 365?

Customer Lock box for Office 365 will be available as part of a new premium Office 365 Enterprise Suite called E5

Thanks for reading this post ….I hope you will enable this feature in your Office 365 admin center which gives an extra layer of security to your contents in Office 365.

Webinar on Getting started with Office 365 :

 

Office 365 pic 2.png

Hi All ,

On behalf of C Sharp corner Chennai chapter I’ll be delivering a session on “Getting started with Microsoft Office 365 “ . The details about the session as well as the registration link can be found below . Please make yourself available for the session and try to gain some insights on Office 365 .

Registration link: http://www.c-sharpcorner.com/events/getting-started-with-microsoft-office-365

Agenda:
  • Introduction to Office 365
  • Understanding the Office 365 features and services.
  • Touring the Office 365 Admin center
  • What’s new in Office 365?
  • Recap
  • Conclusion

Workflow Manager configuration for SharePoint Server 2013:

a.png

This article will give you a detailed explanation on how to configure Workflow manager for SharePoint Server 2013. Unlike SharePoint 2010, we don’t get the SharePoint 2013 workflows with the SharePoint 2013 product itself. We need to install and configure “Workflow Manager” which is a standalone product that was introduced along with SharePoint 2013 to get SharePoint 2013 workflows.  However, you would still get SharePoint 2010 workflows by default in SharePoint 2013. If you need to avail SharePoint 2013 workflows, then we need to install Workflow manager for SharePoint 2013 and configure a workflow farm with service bus farm.

Note: All your workflows that were built by using SharePoint Server 2010 will continue to work in SharePoint Server 2013.

The SharePoint 2013 Workflow platform uses the new Workflow Manager Service. Workflow Manager is built on top of Windows Workflow Foundation. Windows Workflow Foundation is part of the .NET Framework 4.5.

Architectural changes in SharePoint Workflow:

b.png

Installation and Configuration of Workflow Manager in SharePoint 2013:

Alright, now let’s look at how to install and configure Workflow Manager.

Once configured, we need to register our SharePoint web application with the workflow farm. Once the SharePoint farm is registered with Workflow farm, SharePoint 2013 workflows will be available and we can use them in SharePoint sites.

Note: You can install Workflow manager on the SharePoint server itself or you can have separate environment for Workflow manager and attach your SharePoint 2013 farm to the Workflow manager farm

Prerequisites for Workflow manager:

If you want to install Workflow Manager 1.0, here are the prerequisites:

  • .NET Framework 4 Platform Update 3 or .NET Framework 4.5
  • Service Bus 1.0
  • Workflow Client 1.0
  • PowerShell 3.0

The following are the pre-requisites to configure Workflow Manager 1.0

  • Instance of SQL Server 2008 R2 SP1, SQL Server Express 2008 R2 SP1, or SQL Server 2012.
  • TCP/IP connections or named pipes must be configured in SQL Server.
  • Windows Firewall must be enabled. [Windows Firewall is Off on target server]
  • Ports 12290 and 12291 must be available.

Installation steps:

To install Workflow Manager, we need to first install Windows Platform Installer 5.0 x64 bit.

  1. Download Windows Platform Installer x64 bit version 5.0 from the link
  2. Run Windows Platform Installer
  3. Select the “I accept the terms in the License Agreement” and click Ok.

c.png

4. It’ll take some time to install Windows Platform Installer.

d.png

5. Once WEB PLATFORM INSTALLER is installed, go to start and search for “Web Platform Installer”, and then click on the “Web Platform Installer” icon.

e

6. The application will load all the required files.

f.png

9. Once done, you would get this screen as shown in the image below.

g.png

10. In this screen, go to the “Products” tab

h.png

11. Click on Add button for the below products:

  1. Workflow Manager 1.0
  2. Service Bus 1.0
  3. Workflow Client 1.0
  4. Workflow Manager 1.0 Refresh (CU2)

i.png

11. Now, click on install.

j.png

12. Click on “I Accept”

k.png

13. You may see a prompt as shown below, don’t worry and just click Ok

l.png

14. Now, the WEB PLATFORM INSTALLER will start installation process and may take some time to install the selected products.

m.png

15. After the installation of the selected products, the wizard will tell you that some of the products require additional configuration. Click on the “Continue” button as shown in the image below.

n.png

Alright, so now that we’re done with installing Workflow Manager, let’s look at how to configure it.

Configuring Workflow Manager:

  1. Open Workflow manager and select “Configure Workflow Manager Farm using Custom Settings” option as shown in the image below.

o.png

2. For Farm Management Database, provide the SQL instance name and the database name. Click on “Test Connection” button. It will take some time to verify and show the green tick mark symbol once the connection is verified as shown in the image below.

1.png

3. Follow the same steps for “Instance Management Database” and “Resource Management Database”.

2.png

b3.png

4. Provide the service account and password which you want to use for Workflow manager configuration.

 

Note: Please bear in mind that you need to use a separate service account for Workflow manager configuration and not the same farm account. Else, you would get errors during the configuration.

3.png

5. Also, please note that this account should be part of the local administrators group on server(s) where you are going to configure Workflow Manager and should also have “Sysadmin” permissions on the SQL Instance

6. Next, you need to provide the certificate generation key. This is the same as the “Passphrase” which we create while configuring a SharePoint server farm. When adding a new Workflow Host or Service Bus Host, you will need to provide the same key.

4.png

7. After setting certificate generation key, we need to configure ports for communication between workflow farm and SharePoint farm. Below are the ports we need to configure:

a) Workflow Manager Management Port for HTTPS – Default port is 12290 for HTTPS.

b) Workflow Manager Management Port for HTTP – Default port is 12291 for HTTP. If you want to use HTTP protocol for using Workflow management service, we need to select the checkbox “Allow Workflow management over HTTP on this computer”.

5.png

To open the ports, we need to create appropriate inbound rules in firewall. This wizard provides an option to create the firewall rules automatically. Select the check box to create firewall rules.

8. At this point, specify the admin group for the Workflow management farm. This means we need to specify the domain or local group whose members should be treated as administrators. By default, the “BUILTIN\Administrators” group is added as the administrator group for the Workflow farm.

9.png

9. Click next [right arrow] at bottom of the dialog box. It will take some time to validate the configuration settings and save the same.

x.png

10. Now, it’s time to provide required details such as database info, service account and certificate generation key for Service Bus Farm.

10.png

11.png

11. If you want to use the same service account which you provided for Workflow Manager Farm in the previous window, you can select the check box “Use the same service account credentials as provided for Workflow Manager”.

12. For certificate generation, select the check box “Auto generate”.

13. If you want to use the same certificate generation key which you provide for Workflow Management Farm in the previous window, you can select the check box “Use the same certificate generation key as provided for Workflow Manager”.

13.png

14. Configure required ports for communication.

14.png

15. Enable firewall rules and provide Admin group.

15.png

16. After providing all the information, click on next step. Wizard will show you summary of the configuration you have provided. At this point, review the settings and if you want to change something, go back and make the required changes and then come back to summary page.

16.png

17. Now start configuring the farm.

17.png

18.png

b4.png

b5.png

17. It will take around 10 minutes to configure the Workflow Manager and Service Bus farm.

18. Once the processing completes, close the window.

b6.png

19. Now, browse the URL https://workflowhostserver.domain.com:12290 or https://localhost:12290, (if you receive certificate warning, click on continue option) this should display XML schema related to the Workflow farm.

a7.png

a8.png

20. Click on Certificate Icon in the address bar. Now, click on “View Certificate”.

a9

21. Navigate to details tab and click on “Copy to file” option.

a10.png

22. You will see Certificate Export Wizard. Click Next.

a11.png

23. Select the Base-64 encoded X.509 (.CER) type.

a12.png

24. Select the directory and give a file name. Click on Save button.

a13.png

25. Click on Next button.

a14

26. Finally, click on Finish.

b7.png

27. Once the certificate is exported, you will get below message. Click Ok.

a15

28. Now copy the certificate file to the SharePoint server and paste it there. Once done, open SharePoint PowerShell using the Farm Service Account and run the below command to Add the certificate to SharePoint Trusted Root Authority.

$cert = Get-PfxCertificate <path of the certificate file with extension>

New-SPTrustedRootAuthority -Name "Workflow Farm Certificate" -Certificate $cert

29. Next, register the web application to consume the workflow service.

Register-SPWorkflowService -SPSite 'https://webapp.domain.com/managedpath/sitecollection' -WorkflowHostUri 'http://workflowhost.domain.com:12291' -AllowOAuthHttp

30. Finally, navigate to Central Administration -> Manage Service Applications -> Workflow Service Application Proxy and verify that it says “Workflow is connected”.

b8

31. To verify if the SharePoint 2013 Workflow Template is now available, open SharePoint designer 2013, open the SharePoint site, go to workflows and click on New. In drop down, it should show you “SharePoint 2013 Workflow Template”.

b9.png
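
The certificate trust and Register-SPWorkflowService steps above, as an added example that is not part of the original post: the same sequence pointed at the HTTPS management port (12290) configured earlier, so that -AllowOAuthHttp is not needed and OAuth tokens between SharePoint and Workflow Manager are not sent over plain HTTP. The certificate path is a hypothetical placeholder; the site and host names reuse the post's placeholders.

```powershell
# Added example (not from the original post). Run in the SharePoint 2013
# Management Shell on a SharePoint server, using the farm account.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# Assumed placeholder values: replace with your own.
$certPath    = 'C:\certs\workflow-farm.cer'                            # hypothetical export location
$siteUrl     = 'https://webapp.domain.com/managedpath/sitecollection'
$workflowUri = 'https://workflowhost.domain.com:12290'                 # HTTPS management port

# Refuse to continue if someone swaps in the HTTP endpoint by mistake.
if (([uri]$workflowUri).Scheme -ne 'https') {
    throw "WorkflowHostUri must use https (got '$workflowUri')."
}

# Load the exported certificate and show what is about to be trusted, so it can
# be compared with the certificate the browser displayed on the workflow host.
$cert = New-Object -TypeName System.Security.Cryptography.X509Certificates.X509Certificate2 `
                   -ArgumentList $certPath
$cert | Format-List Subject, Issuer, Thumbprint, NotBefore, NotAfter

# An expired or not-yet-valid certificate would break the workflow connection later.
$now = Get-Date
if ($now -lt $cert.NotBefore -or $now -gt $cert.NotAfter) {
    throw "Certificate $($cert.Thumbprint) is not valid at $now. Export a current one."
}

# Add the trust only if this exact certificate is not already trusted
# (keeps re-runs from failing or piling up duplicate entries).
$existing = Get-SPTrustedRootAuthority |
    Where-Object { $_.Certificate.Thumbprint -eq $cert.Thumbprint }
if (-not $existing) {
    New-SPTrustedRootAuthority -Name 'Workflow Farm Certificate' -Certificate $cert | Out-Null
}

# Hardened form: HTTPS endpoint, no -AllowOAuthHttp.
# -Force overwrites an earlier registration (for example one made over HTTP).
Register-SPWorkflowService -SPSite $siteUrl -WorkflowHostUri $workflowUri -Force

# Weak form, for comparison only: HTTP endpoint, which requires -AllowOAuthHttp
# and therefore carries the OAuth tokens unencrypted.
# Register-SPWorkflowService -SPSite $siteUrl `
#     -WorkflowHostUri 'http://workflowhost.domain.com:12291' -AllowOAuthHttp

# Confirm the proxy exists; the "Workflow is connected" text itself is shown
# in Central Administration.
Get-SPServiceApplicationProxy |
    Where-Object { $_.TypeName -like '*Workflow*' } |
    Format-List DisplayName, TypeName, Status
```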

 

Common Issues and Solutions that you might encounter while configuring workflow manager:

Issue #1:

System.Management.Automation.CmdletInvocationException: The remote server returned an error: (400) Bad Request. The api-version in the query string is not supported. Either remove it from the Uri or use one of ‘2012-03’..TrackingId:0aef4968-6974-41db-bf43-fecd4fda4a38_GDS-SP2013-VM,TimeStamp:5/15/2014 1:27:51 PM —> System.ArgumentException: The remote server returned an error: (400) Bad Request. The api-version in the query string is not supported. Either remove it from the Uri or use one of ‘2012-03’..TrackingId:0aef4968-6974-41db-bf43-fecd4fda4a38_GDS-SP2013-VM,TimeStamp:5/15/2014 1:27:51 PM —> System.Net.WebException: The remote server returned an error: (400) Bad Request.

Cause: Service Bus version is not appropriately installed.

Solution:

Remove the server from SB Farm and WF Farm.

Delete the SB and WF databases from SQL instance.

Uninstall Workflow Manager and Service Bus applications.

Install appropriate versions using Windows Platform Installer. Workflow Manager Refresh 1.0 and servicebus 1.0 CU.

Issue #2:

System.Management.Automation.CmdletInvocationException: The token provider was unable to provide a security token while accessing ‘https://sharepoint0120.secam.sa.net:9355/WorkflowDefaultNamespace/$STS/Windows/’. Token provider returned message: ‘<Error><Code>400</Code>

Solution:

Make sure CU 2 for Workflow Manager is installed and that the Workflow service account has dbo permission on the SB and WF databases.

Issue #3:

Add-WFHost : The remote server returned an error: (401) Unauthorized. Manage claim is required for this operation.

Cause: Workflow service account is not part of ManageUsers group for WorkflowDefaultNamespace

Solution:

To find if service account is part of ManageUsers group or not, run below command

PS > Get-SBNamespace -Name WorkflowDefaultNamespace

SubscriptionId        : 00000000000000000000000000000000

State                 : Active

Name                  : WorkflowDefaultNamespace

AddressingScheme      : Path

CreatedTime           : 17-02-2015 14:31:09

IssuerName            : WorkflowDefaultNamespace

IssuerUri             : WorkflowDefaultNamespace

ManageUsers           : {srv_sp_test_admin@domain.com}

DnsEntry              :

PrimarySymmetricKey   : ******************************

SecondarySymmetricKey :

Since workflow account “srv_sp_workflow” is not listed here, we need to add it. For that, run below command.

Set-SBNamespace -Name WorkflowDefaultNamespace -ManageUsers @('srv_sp_workflow@domain.com', 'srv_sp_test_admin@domain.com')

Now you can try to add the server using “Join the existing Workflow Farm” option. Or you may run Add-WFHost command.

Happy SharePointing!!!  Thanks for reading this post.

 

 

 

 

Terminologies one must be aware of in Office 365:

Listed below are a few important terminologies one must be aware of while working on Office 365.

  1. Active Directory Federated Services (AD FS):

On-premises security token service (STS) that provides simplified, secure identity federation and Web single sign-on (SSO) capabilities for users who want to access applications within an AD FS-secured enterprise, in federation partner organizations, or in the cloud. Federated identities with Modern Authentication-enabled clients interoperate with EvoSTS, which is the Azure AD STS.

AD FS indirectly supports CA scenarios, as it offers a set of controls known as client access filtering that allow the creation of perimeter network-based policies for IP range filtering, accessed workload, or client type (browser vs rich client).

  1. Multi-Factor Authentication (MFA):

Protects access to data and applications by requiring a second form of authentication. Strong authentication is available through a range of verification options.

  1. Azure Active Directory Premium:

All CA scenarios that leverage Azure AD require Azure AD Premium. Azure AD Premium adds feature-rich enterprise-level identity management capabilities and enables hybrid users to seamlessly access on-premises and cloud capabilities. It includes everything you need for information worker and identity administrators in hybrid environments across application access, self-service identity and access management, identity protection and security in the cloud.

  1. Azure Rights Management Services (RMS):

Uses encryption, identity, and authorization policies to protect files and email. Information protection that is applied by using Azure RMS stays with the files and emails independently of the location, allowing customers to remain in control of their data even when this data is in motion.

  1. Conditional Access (CA):

CA allows customers to selectively allow or disallow access to Office 365 based on attributes such as device enrollment, network location, group membership, etc.

  1. Device-based CA restricts access to devices that are managed by the organization and are in a healthy state. Device-based CA is a feature of Intune. Users must enroll their devices in Intune and validate that the device meets the organization’s access rules regarding device health and security.
  2. There are other CA scenarios that do not require device enrollment, such as restrict access only from specific locations. These scenarios do not require Intune and are provided through Azure AD Premium access control features.
  1. Data Loss Prevention (DLP):

Helps identify and monitor sensitive information, such as private identification numbers, credit card numbers, or standard forms used in your organization. DLP Policies enable you to notify users that they are sending sensitive information and to block the transmission of sensitive information.

  1. Microsoft Enterprise Mobility + Security (EMS):

Provides identity and access management, MDM, MAM and Azure RMS. Intune is a part of EMS.

  1. Microsoft Intune (Intune):

Intune is a cloud-based service that helps you manage Windows PCs, and iOS, Android, and Windows mobile devices. Intune also helps protect corporate applications and data. You can use Intune alone or you can integrate it with Microsoft System Center Configuration Manager 2012 R2 to extend your management capabilities.

  1. Mobile Application Management (MAM):

Controls how corporate-managed applications work and interact with other managed applications and unmanaged applications (e.g., provides the ability to restrict user actions such as copy, paste, download, etc.). Available through Intune.

  1. Mobile Device Management (MDM):

Provides the ability to configure mobile device policies, such as enforcing complex PINs or passwords, blocking devices that have been jailbroken or rooted from syncing email, disabling Bluetooth, etc. Available through Office 365 MDM and Intune.

  1. Modern Authentication:

Provides OAuth-based authentication for Office clients against Office 365 using Active Directory Authentication Library (ADAL). Replaces the Microsoft Office Sign-In Assistant. Allows for CA policies, so administrators can define granular applications and device-based controls for corporate resources.

Thanks for reading this post ….Good luck with Office 365 !!!

 

 

Report on external users in SharePoint Online:

SP Online image

Alright, in this post I’m going to introduce you all to a small PowerShell script which will help you get the list of all the external users in your SharePoint Online tenant. Unlike the “Get-SPOExternalUser” PowerShell command, this will display the list of all sites in SharePoint Online, the external sharing status of those sites, and with whom the sites are shared externally. It can come in handy for Office 365 global admins or SharePoint Online admins who need a report of external sharing/users in their tenant.

Let’s take a look at the script now …

Step1:

Run this command in the SharePoint online management shell to connect to your tenant.

$credentials = Get-Credential   # prompts for the SharePoint Online admin account
Connect-SPOService -Url https://office365admin123-admin.sharepoint.com -Credential $credentials

Step 2 :

Once done with the first command run the below mentioned command to get the report.

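# Walk every site collection and list its owner, sharing setting and external users
$i = 0
ForEach ($site in Get-SPOSite) {
    $i++
    Write-Host "*********"
    Write-Host "Site number: " $i
    $site.Url
    $site.Owner
    $site.SharingCapability
    # External users who have access to this site collection
    Get-SPOExternalUser -SiteUrl $site.Url
}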

This is what the result of this script looks like; check the image below.

Result 2

I hope this helps you to get the report may be once in a week or a month. Thanks for reading this post…Happy SharePointing !!!
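
A report variant of the script above, as an added example that is not part of the original post: it pages through Get-SPOExternalUser (which returns at most 50 users per call), writes one CSV row per external user, and lists invitations that were accepted with a different account than the one invited. It assumes Connect-SPOService has already been run as in Step 1; the output path is a hypothetical choice.

```powershell
# Added example (not from the original post). Assumes the SharePoint Online
# Management Shell is loaded and Connect-SPOService has already succeeded.

$pageSize   = 50                                              # maximum page size of Get-SPOExternalUser
$reportPath = Join-Path $env:TEMP 'spo-external-users.csv'    # hypothetical output path

$report = foreach ($site in Get-SPOSite -Limit All) {
    $position = 0
    $found    = 0

    do {
        try {
            # -Position is the zero-based index of the first result to return.
            $page = @(Get-SPOExternalUser -SiteUrl $site.Url -Position $position `
                                          -PageSize $pageSize -ErrorAction Stop)
        }
        catch {
            # Keep going if a single site cannot be queried (for example a locked site).
            Write-Warning "Could not query $($site.Url): $($_.Exception.Message)"
            $page = @()
        }

        foreach ($user in $page) {
            $found++
            [pscustomobject]@{
                SiteUrl           = $site.Url
                Owner             = $site.Owner
                SharingCapability = $site.SharingCapability
                DisplayName       = $user.DisplayName
                Email             = $user.Email
                InvitedAs         = $user.InvitedAs
                AcceptedAs        = $user.AcceptedAs
                InvitedBy         = $user.InvitedBy
                WhenCreated       = $user.WhenCreated
            }
        }

        $position += $pageSize
    } while ($page.Count -eq $pageSize)    # a short page means the last page was reached

    # Still record sites without external users, so the sharing setting of
    # every site appears in the report.
    if ($found -eq 0) {
        [pscustomobject]@{
            SiteUrl           = $site.Url
            Owner             = $site.Owner
            SharingCapability = $site.SharingCapability
            DisplayName       = $null
            Email             = $null
            InvitedAs         = $null
            AcceptedAs        = $null
            InvitedBy         = $null
            WhenCreated       = $null
        }
    }
}

$report | Export-Csv -Path $reportPath -NoTypeInformation -Encoding UTF8
Write-Host "Report written to $reportPath"

# Review list: invitations accepted with an account other than the invited one.
$report |
    Where-Object { $_.InvitedAs -and $_.AcceptedAs -and ($_.InvitedAs -ne $_.AcceptedAs) } |
    Sort-Object SiteUrl |
    Format-Table SiteUrl, InvitedAs, AcceptedAs, InvitedBy -AutoSize
```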

Extending the Retention period of orphaned personal site collections up to a year:

One drive 1.png

Alright, I guess you might have figured out what this post is going to be about by seeing the title. So yes, I’m going to show you how to extend the retention period of the One Drive for Business content up to a year even after the user has left the company.

So I guess all the Office 365 folks as well as SharePoint folks out there would be aware of the “My site cleanup policy” that runs in SharePoint once a user’s account has been deleted in AD. If you’re not aware of this yet, please check my article on that. Also, to understand how this works on SharePoint Online, you can take a look at the link below. Microsoft has done an awesome job of writing a detailed article about this, and hence I’m not going to spend my time writing a detailed article explaining the same stuff once again.

https://support.microsoft.com/en-in/help/3042522/onedrive-for-business-retention-and-deletion

So here in this article I’m going to introduce you to a PowerShell command that will extend the retention period of the contents in the personal site (i.e. One Drive for Business) up to a year so that you have a year’s time to copy the contents from a user’s One Drive for business folder even after he/she has left the company.

I guess scenarios like this are quite possible when a user has been terminated and his account has been deleted, or maybe a user left the company and the default retention period was not sufficient for you to copy the important contents from his One Drive for Business folder.

So here’s the PowerShell command for that ….

Set-SPOTenant -OrphanedPersonalSitesRetentionPeriod 365

You need to run this as a SharePoint Online command as shown in the image below.

one drive 2.png

Once done it will update the retention policy for all the orphaned One Drive for Business sites in your tenant. The other way to do this is by putting a hold on the user’s One Drive for Business as a part of an eDiscovery case and the site won’t get deleted until the hold is removed. But this command will make your life even easier by making the change for the entire tenant.

Happy SharePointing …..I hope this helps someone. Thanks to Chris Bortlik for showing this to us.

 

 

 

 

SharePoint Online -Sync button missing issue on Project sites is fixed .

So a couple of days back, I blogged about an issue on SharePoint Online where the “Sync” button in the SharePoint Online document library went missing in Project sites; this was identified as a bug by MS and the Product Group team was working on it. Initially we were told by MS that it would take at least 3 to 6 months to get this fixed, and there was also a notification on the Service Health dashboard yesterday about this issue (please check the screenshot below).

Sync issue.png

But the PG team was quite ahead of their schedule as always and they managed to fix this so soon. Today we got an update from the support engineer that the issue was fixed. This is really super-fast and kudos to MS and the PG team for this quick turnaround. So this issue is fixed now on all the tenants which were having this issue.

I verified this now and I can see the Sync button now on the document library on a SharePoint Online Project site. So please pass the word to all your end users now if your tenant had this issue .

Happy SharePointing…..Thanks for reading this post.

Sync button missing in SharePoint Online doc library -Project site template:

Alright, so this article is going to be a simple one where I’ll be sharing my recent experience with SharePoint Online, where the “Sync button” which you see on the document library went missing all of a sudden. If you’re not sure what I’m talking about, the image below should help you understand.

Sync 1.png

So a couple of days back, a user who’s always known for finding bugs in SharePoint called me and said, “Hey, the Sync button is missing in SharePoint Online doc library…”. I felt like that’s not possible, and I wanted to double check. So I went ahead and took a look at the document library on a SharePoint Online team site and found that nothing was wrong with the “Sync button”; it was showing up perfectly fine.

So I took a look at the URL he was referring to and found that it was missing, which was really bizarre to me. Upon digging further I found that the site he was referring to was a “Project site” and the one I tried first was a “Team site”. Now things got really interesting, and I did some testing to isolate the issue. I tried reproducing it in different site templates and found that it was specific to “Project site” alone (top-level sites as well as subsites that make use of the Project site template). As this is on SharePoint Online, I raised a premier support case to know what Microsoft had to say about it. The support engineer checked with the product group team and informed us that this is a bug caused by the “New Experience” rollout which was released by MS a few months back, and it seems that many customers have already reported this issue to them.

If you’re hearing this for the first time, please take a look at this link below to understand this feature named “New Experience”.

https://support.office.com/en-us/article/Switch-the-default-experience-for-lists-or-document-libraries-from-new-or-classic-66dac24b-4177-4775-bf50-3d267318caa9?ui=en-US&rs=en-US&ad=US

Finally, based on my testing what I identified is listed below:

  1. On SharePoint Online Team sites, I don’t see this issue. Please check the image below …

Sync 1.png

2. On SharePoint Online Project sites, I can see this issue .Please check the image below (the sync button is missing)….

Sync 2.png

Note: MS has checked and confirmed that this issue is a known bug and will take at least 3 to 6 months to fix. Also, as per MS, it seems that this issue persists on other site templates apart from “Project sites”. However, I didn’t get a chance to try them yet. So just in case you get a call or maybe an email from users about this issue, please be informed that this is a known bug at the moment and will be fixed in 3 to 6 months’ time.

Workaround: Go to the library settings –> Go to advanced settings –> Change the option in the list experience from New to Classic experience, as shown in the image below. By doing so you’re switching back to the previous document library experience.

Sync 4.png

Once you do that, you will notice the “Sync button” on a SharePoint Online Project site document library as shown in the image below.

Sync 3.png

Thanks for reading this post…. I hope this would save your time in troubleshooting this issue.  Happy SharePointing!!!

 

Resolving “Sorry this site hasn’t been shared with you…” SharePoint site error:

Alright. I’ve had a pretty tedious week with SharePoint search, where all of a sudden the “SharePoint Enterprise search” site collection started throwing an error stating “Sorry this site hasn’t been shared with you”, as shown in the image below.

1.png

Every time a user attempted to execute a search query in the search box on the SharePoint site, they got this annoying error stating “Sorry this site hasn’t been shared with you”, and it was the same for everyone. I tried accessing the Search center using the farm account and it still threw the same error. So in this article I’ll be talking about what this error is all about, the troubleshooting steps we took, and how we finally managed to fix it.

Initial troubleshooting steps performed to fix this issue:

Since this was on PROD and a lot of users were impacted by this issue, we initially decided to create a new search center site collection under a different web application so that users could live with that for the time being. Meaning, we initially had the “SharePoint enterprise search center” URL configured and running under web application A, and after we encountered this issue we removed that and created a new enterprise search center site collection under web application B so that we could figure out what was wrong with the previous search center without any business impact. The image below should help you understand what I’m talking about.

qGosn.png

After making the change here, please go ahead and update the new search center URL in site settings as shown in the image below.

272861.jpg

So after doing that we did the below mentioned steps in sequential manner as suggested in some forums to get rid of the issue….

  1. We thought of clearing the IE cache: Open a new browser window –> Go to Internet options –> In the General tab, click the Delete button –> Make sure that passwords and temporary Internet files are selected. Try a different browser such as Firefox! (Doing this wouldn’t make sense in our scenario as the issue was limited to one site collection in the entire farm. However, we tried this but it didn’t help.)
  2. If you didn’t run the product and configuration wizard after installation/patch, you may get this error even if you are a site collection administrator. Run it once and get rid of this issue. (Even this was not quite convincing as the issue was with just one site collection, i.e. SharePoint enterprise search, in the farm.)
  3. Stop and start the “Microsoft SharePoint Foundation Web Application” service from Central Admin –> Application Management –> Manage services on server. (We did try this as well, bearing the risk of losing all the sites for quite some time, but even that didn’t help. For those who are not aware of what this step does, it stops and recreates the SharePoint web application sites in IIS.)
  4. If the SharePoint farm was migrated from SharePoint 2010, or backup-restored/import-exported: if your source site collection is in classic Windows authentication mode and the target is in claims authentication, you must change classic mode authentication to claims-based authentication. (This was not applicable in our case as the sites were working perfectly fine for years after the migration.)
  5. Try clearing the Distribution Cache. Do the IIS reset. (We did this and it didn’t help either.)
  6. We also verified whether the “NT Authority\Authenticated users” group has enough permissions on the search center and it was positive.
  7. Of course we also checked the site collection administrators for the “SharePoint Enterprise Search” site collection and it was perfectly fine.
  8. We also took a look at all the Search service applications in SharePoint 2013 to verify the settings and they were pretty good.

Also, let me tell you that this issue was reported to us for the second time within a month. The first time it was with a different site collection on the same web application, and this time it was on the SharePoint search center site collection that’s under the same web application. When it was reported the first time we just did an app pool recycle and also checked out and checked in the master page, and that fixed it. But this time nothing was accessible in the Search center site collection.

So finally, with not many steps left to try, we decided to open a Sev A case with Microsoft and started working with them on this issue.

Listed below is what MS did to fix the issue:

  1. I shared the ULS logs as well as Fiddler logs with the MS engineer by reproducing the error, and after reviewing the logs he was able to identify that the “super user” and “super reader” accounts which take care of the object cache got corrupted in our environment, which led to this outage.

What’s the super user and super reader account?

The below mentioned link should give you a detailed explanation on the super user and super reader account. It’s very important that any SharePoint environment should have these accounts configured properly for optimal performance and it’s mostly utilized by sites which have the publishing feature enabled.

https://technet.microsoft.com/en-us/library/ff758656.aspx

Ideally, the Portal Super User account must be an account that has Full Control access to the web application and the Portal Super Reader account must be an account that has Full Read access to the web application.

Also, you need to make sure that these accounts are discrete: they should never be used to log in to the site, and they shouldn’t be used to log in to the SharePoint servers either, as mentioned in the TechNet article that I highlighted above.

3.png

But in our scenario it’s exactly that part which was wrong. The “super user” and “super reader” account was the farm administrator service account, and we often use that account for accessing the sites. This was configured mistakenly when the farm was initially set up and it eventually got corrupted, which led to this outage. However, we were not able to identify how it got corrupted all of a sudden and how it managed to run safely for all these years (might be one of those SharePoint mysteries). So we went ahead and changed that account and updated it for all the web applications in the farm using the PowerShell commands below:

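```powershell
# Run from the SharePoint Management Shell; replace the placeholders with your own values.
$wa = Get-SPWebApplication -Identity "<WebApplication>"

# Object cache accounts: super user (Full Control) and super reader (Full Read)
$wa.Properties["portalsuperuseraccount"] = "<SuperUser>"
$wa.Properties["portalsuperreaderaccount"] = "<SuperReader>"

# Persist the property changes
$wa.Update()
```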

Lessons learned:

Please ensure that your SharePoint farm has the “super user” and “super reader” accounts configured correctly for optimal performance, and check that they are discrete and are not being used to access SharePoint sites. If by any chance you’re facing this issue for a different site collection and not for SharePoint search, the steps which I discussed above would still remain the same except for the “SharePoint search” part.

Also, once you’re done reading this post, please take a closer look at your web application properties and ensure that these accounts are configured correctly so that you don’t end up seeing surprises like me. Adding these accounts will also kick-start a full search crawl.
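One way to do that check across the whole farm, as an added example (not code from the original post or from Microsoft). It is read-only, assumes it runs in the SharePoint Management Shell on a farm server with PowerShell 3.0 or later, and the helper names `Get-PlainLogin` and `Test-PolicyRole` are hypothetical.

```powershell
# Added example (not from the original post): read-only audit of the
# object cache accounts on every web application in the farm.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# Hypothetical helper: drop a claims prefix such as "i:0#.w|" and lower-case,
# so classic and claims-encoded logins compare in one form.
function Get-PlainLogin([string]$Name) {
    if ([string]::IsNullOrEmpty($Name)) { return "" }
    return ($Name -split '\|')[-1].ToLowerInvariant()
}

# Hypothetical helper: does $Login hold a web application user policy of $RoleType?
function Test-PolicyRole($WebApp, [string]$Login, $RoleType) {
    foreach ($policy in $WebApp.Policies) {
        if ((Get-PlainLogin $policy.UserName) -ne $Login) { continue }
        foreach ($role in $policy.PolicyRoleBindings) {
            if ($role.Type -eq $RoleType) { return $true }
        }
    }
    return $false
}

$fullControl = [Microsoft.SharePoint.Administration.SPPolicyRoleType]::FullControl
$fullRead    = [Microsoft.SharePoint.Administration.SPPolicyRoleType]::FullRead
$farmAccount = Get-PlainLogin (Get-SPFarm).DefaultServiceAccount.Name

foreach ($wa in Get-SPWebApplication) {
    $superUser   = Get-PlainLogin $wa.Properties["portalsuperuseraccount"]
    $superReader = Get-PlainLogin $wa.Properties["portalsuperreaderaccount"]
    $findings = @()

    if (-not $superUser)   { $findings += "super user not set" }
    if (-not $superReader) { $findings += "super reader not set" }
    if ($superUser -and $superUser -eq $superReader) {
        $findings += "super user and super reader are the same account"
    }
    if ($farmAccount -and ($superUser -eq $farmAccount -or $superReader -eq $farmAccount)) {
        $findings += "farm account is used as a cache account"
    }
    if ($superUser -and -not (Test-PolicyRole $wa $superUser $fullControl)) {
        $findings += "super user has no Full Control policy"
    }
    if ($superReader -and -not (Test-PolicyRole $wa $superReader $fullRead)) {
        $findings += "super reader has no Full Read policy"
    }

    # One row per web application; "OK" means none of the checks fired.
    [pscustomobject]@{
        WebApplication = $wa.Url
        SuperUser      = $superUser
        SuperReader    = $superReader
        Findings       = $(if ($findings) { $findings -join "; " } else { "OK" })
    }
}
```

Any row whose Findings column is not "OK" points at the kind of misconfiguration described in this post, such as the farm account doubling as a cache account.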

Thanks for reading this post. I hope this will help you fix this issue if you happen to come across it in your environment.

http://sharepoint.stackexchange.com/questions/110417/sorry-this-site-hasnt-been-shared-with-you-when-trying-to-access-mysite

Microsoft Teams in Office 365

1.png

I hope everyone would agree that Office 365 has been one of the best products Microsoft has delivered to date, and it’s good to see Microsoft adding a lot of new features and functionality to the Office 365 suite every now and then. Today many organizations have started choosing Office 365 over on-premises Microsoft products as they’re easy to use and manage, and in addition you get to remain up to date with all the latest updates.

  1. SharePoint provides intranets and content management solutions to more than 200,000 organizations and 190 million people.
  2. Yammer is the social network for work, enabling cross-company discussions for 85 percent of the Fortune 500.
  3. Skype for Business provides real-time voice, video and conferencing and hosts more than 100 million meetings a month.
  4. Office 365 Groups is our cross-application membership service that makes it easy for people to move naturally from one collaboration tool to another.

Today in this article, we will be discussing “Microsoft Teams”, the new chat-based workspace in Office 365 that has built-in access to SharePoint Online, OneNote & Skype for Business Online. It was introduced by Microsoft a couple of months back and acts as a hub for team chats, calls, meetings, and private messages.

Microsoft Teams mainly focuses on these four areas ….

  1. Chat for today’s teams
  2. A hub for teamwork
  3. Customizable for each team
  4. Security teams trust

Let’s look at each of these areas and understand how Microsoft Teams is built to support all four, enhancing business as well as user experience.

  1. Chat for today’s teams:

It provides a modern conversation experience for today’s teams. Microsoft Teams supports not only persistent but also threaded chats to keep everyone engaged. Team conversations are, by default, visible to the entire team, but there is of course the ability for private discussions. Skype is deeply integrated, so teams can participate in voice and video conferences. You can also add emojis, stickers, GIFs and custom memes to make it your own.

  2. A hub for teamwork:

Microsoft Teams is built on Office 365 Groups and is backed by Microsoft Graph. So, it brings together the full breadth and depth of Office 365 to provide a true hub for teamwork. Word, Excel, PowerPoint, SharePoint, OneNote, Planner, Power BI and Delve are all built into Microsoft Teams so people have all the information and tools they need at their fingertips.

  3. Customizable for each team:

Since all teams are unique, Microsoft has invested deeply in ways for people to customize their workspace, with rich extensibility and open APIs available at general availability. For example, Tabs provides quick access to frequently used documents and cloud services. Microsoft Teams also shares the same Connector model as Exchange, providing notifications and updates from third-party services like Twitter or GitHub. In addition to that, Microsoft has also included full support for the Microsoft Bot Framework to bring intelligent first- and third-party services into your team environment.

  4. Security teams trust:

Microsoft Teams is designed in such a manner that it provides the advanced security and compliance capabilities that our Office 365 customers expect. Data is encrypted in transit and at rest. Like all other commercial services, Microsoft has implemented a transparent operational model with no standing access to customer data. Microsoft Teams will support key compliance standards including EU Model Clauses, ISO 27001, SOC 2, HIPAA and more. In addition to that, Microsoft Teams is served out of our hyper-scale global network of data centers, automatically provisioned within Office 365 and managed centrally, just as any other Office 365 service.

Availability of Microsoft Teams:

As of now Microsoft Teams is in preview mode and its general availability details can be found below.

2.png

Subscription details for Microsoft Teams:

If you have a personal Office 365 subscription, you won’t be able to access Microsoft Teams. To access the app, you need one of the following Office 365 license plans:

  1. Business Essentials
  2. Business Premium
  3. Enterprise E1, E3, or E5
  4. Enterprise E4 (for anyone who purchased this plan prior to its retirement)

Note: If you’re licensed for a suite plan like Office 365 Education or a non-suite plan like Skype for Business Online Plan 2, then you won’t be able to get the app. You need to change your license or purchase additional licenses for your company.

Alright, I guess we have now seen enough about Microsoft Teams. So, let’s see how to enable it in your Office 365 tenant so that the end users in your organization can start using it.

Note: I’ve chosen India in the country field while signing up for Office 365 and I’m able to see Microsoft Teams in my tenant. If you’re not seeing that in your tenant it could be because you’re choosing a country where this feature is not available yet.

Turning on Microsoft teams in Office 365 tenant:

  1. Sign in to Office 365 with your work or school account.
  2. Go to the Office 365 admin center as shown in the image below and click on the app launcher. You can optionally click on “Admin” option as shown below.

3.png

3. Click on “Admin” as shown in the image below.

4.png

4. Navigate to Settings and click on “Services & add-ins” as shown below.

5.png

5. On the Services & add-ins home page, choose Microsoft Teams as shown in the image below.

6.png

6. On the Microsoft Teams settings page that opens, click or tap to switch the toggle to the on position to turn on Teams for your organization, and then choose Save. Once you’re done you will be redirected to the Microsoft Teams home page as shown in the image below, and this is where you need to enable the features specific to Microsoft Teams.

7.png

7. On the Microsoft Teams settings page, in the General section, you can choose if you want to show an organization chart in user profiles. By default, this setting is turned on. To change this setting, click or tap to switch the toggle next to Show organization chart in personal profile to Off or On, and then choose Save.

8.png

8. In the Teams & Channel section you can manage team owners and members by using the Groups control panel in the Office 365 admin center portal. At this time, you cannot create teams from the Groups control panel – teams must be created by using the Microsoft Teams desktop client or web app, which we will be discussing later in this article.

9.png

9. In the Calls & Meetings section, you can choose if users can use video and screen sharing during calls and meetings as shown in the image below.

10.png

10. In the Messaging section, you can turn on or turn off media content such as animated images, memes, and stickers etc.

11.png

Note: To turn on or turn off animated images, click or tap the toggle switch next to Add fun animated images to the conversations, and then choose Save. When animated images are turned on, you can apply a content rating to restrict the type of animated images that can be displayed in conversations. You can set the Content Rating to be one of the following:

  1. Strict
  2. Moderate
  3. No restriction

To turn on or turn off custom memes, click or tap the toggle switch next to Add customizable images from the Internet, and then choose Save.

To turn on or turn off stickers, click or tap the toggle switch next to Add editable images to the conversations, and then choose Save.

11. The Tabs section lets you customize a channel to include content and capabilities your team needs every day. Tabs provide quick access to frequently used documents and cloud services. In the preview release, there are several built-in tabs such as Files and Notes. In the Microsoft Teams client, at the top of the channel, users can add tabs for Word documents, PowerPoint presentations, Excel spreadsheets, OneNote notebooks, Power BI reports, and plans from Planner.

12. You can turn on Tabs as shown in the image below.

12.png

Please check the Tabs section in my “Microsoft teams” desktop client below.

13.png

13. Finally, you can enable Bots as shown in the image below

14.png

Note: Using bots, Microsoft Teams users can complete tasks such as querying information and performing commands. Users can also integrate your existing LOB applications with Microsoft Teams by using a bot.

To prevent or allow side-loading of proprietary bots, click or tap to switch the toggle next to Enable side loading of external Bots, and then choose Save.

Finally, once all the features are enabled, this is what the Microsoft Teams home page will look like:

15.png

16.png

Point to Note:

Even after the Office 365 Global administrator has turned on Microsoft Teams for the organization, end users may not see the Microsoft Teams app tile in the app launcher. Admins can direct end users to go to https://teams.microsoft.com/downloads to get the desktop apps. To access the web client, users can go to https://teams.microsoft.com. For mobile apps, go to the relevant mobile store for Google Play, Apple App Store, and Microsoft Store.

Desktop client for Microsoft teams:

The below mentioned image depicts the desktop client for Microsoft teams using which I can create my team. You can do the same using web client as well.

You need to sign in with your Office 365 credentials in the desktop client.

17.png

Web client for Microsoft teams:

You can check the web client below which opens on a browser and you can also notice that I’ve created my team in the image below.

18.png

Creating a team:

You need to use the Create Team option on the bottom left of your screen, as shown in the image below, to create teams. In addition, you also have a “settings” option on the left corner which can help you turn certain features on and off.

19.png

20.png

Conversations in Microsoft Teams:

You can notice some conversations happening between the users in my team in the image below. You can mention a user, reply to a message and like a conversation or a reply.

21.png

In addition to that, as mentioned earlier, you can add emojis to your conversations, attach files and also use the video camera icon to create new video meetings.

Adding a Tab:

Finally, you can add tabs using the “+” symbol as shown in the image below to add documents & OneNote files to your conversations. You can notice that I’ve added a OneNote file to my conversations in the image below.

22.png

23.png

Microsoft Teams is truly phenomenal and is a great way for users to communicate among themselves in a team. Please turn this on for your users so that they can enjoy this great application.

Thanks for reading this post …. Good luck with Microsoft teams in Office 365!!!