Friday, 1 September 2017

SharePoint Online - Share or Copy Link Button Defaulting to 'GuestAccess' Link

What
Ever tried to copy or share a link in SharePoint Online and it defaults to providing you with a Guest Link that is 'accessible to anyone in the organization'?

It's a really good option for staff that want to quickly share a document without having to understand SharePoint Permissions.

Unfortunately, the Guest Access Link forces the user to open up the document In-Browser using Office Online.  I personally can't abide this until the functionality between Online & Client are 1-to-1.



How to Fix
SharePoint Online defaults the Sharing settings for copying & sharing links to 'Internal - People in the Organization Only', which basically means 'Guest Link that opens in browser'.

To change this you just need to go to:

  • SharePoint Administration Center
  • Sharing Tab
  • Change the 'Default Link Type' setting from 'Internal' to 'Direct - Only people who have permission'
  • Done!  No more links with 'guestaccess.aspx' in them.

Thursday, 27 July 2017

SharePoint Online - Hide External Users from Global Search Results

Had a problem where external users (people outside our organisation who had been provided with an anonymous link to OneDrive/SharePoint Documents) were showing up in SharePoint's People Search Results.

This article explains how to fix: https://englando.wordpress.com/2015/07/24/hiding-users-from-office-365-sharepoint-global-search-results/

Basically you need to add a Query Rule to SharePoint's 'Local People Results' Search Query to block out results that contain the external users.

I personally filtered out all results where a person's Username contained '#EXT#', which is what gets appended in Office 365 whenever an external user is given access to a document.


Friday, 9 June 2017

SharePoint Online - Automate Site & Group Creation with Nintex Workflow O365

What
Nintex Workflow for O365 has an action to create a site automatically in SharePoint, but its functionality is quite limited.  You can't create groups and you can't add staff to those groups.  This tutorial shows you how to create a Nintex workflow to automate the whole process using SharePoint Web Services.

Even better, we are going to create the ability to automate Site Creation across multiple Site Collections.

If you're looking for a tutorial on how to do this in Nintex Workflow 2010/2013, I've written an article here: SharePoint 2010 - Automate Site & Group Creation with Nintex Workflow 2010

Why
As most SharePoint administrators are aware, it's ALWAYS a bad idea to give staff the ability to create SharePoint sites.  They will end up creating them for the wrong purposes, will not maintain them, no retention policies will get assigned to them, etc.

However, you don't want to restrict your users' creative freedom.  You want to govern it in a manageable way.

In order to keep track of all your SharePoint sites, we need to ensure that when we allow staff to create sites/content, it is being properly tagged with the right information.  As long as you are logging & tagging sites with extra data, you can easily govern and manage those sites far into the future.

This tutorial isn't simply how to automate a process that SharePoint already does.  It's automating that process while requiring users to tag their sites with data that will help you manage SharePoint more easily.

We are going to use the example of Project Sites.  Project sites have a known lifespan, usually between 1 month & 2 years depending on size.  We want to capture that information so the sites don't hang around for too long.

How
There are 6 steps in my workflow:
  • 1. Set Variables
  • 2. Create Site
  • 3. Create Group
  • 4. Add Group to Site
  • 5. Add Members to Group
  • 6. Send Emails

First:  Create a custom list with the following columns (depending on your needs):
  • Project Name
  • Site Description
  • Site URL
  • Site Owner
  • Site Type:  Project / Team
  • Department
  • Project Sponsor
  • Project Manager
  • Project #
  • Estimated Completion Date

1. Set Variables
I created & set the following variables so that the Web Services would run with the correct information:
  • Site Collection URL - used if you are planning to allow this workflow to create sites on multiple site collections
  • Site Template - used if you want different site templates to be used on different types of sites
setting variables based on 'Site Type' (using Switch Action and Set Variable Actions)

2. Create Site
Use the following Nintex Action to create a site and add all the data you will collect from your list: Office 365 Create Site
Create Site Settings


3. Create Group
Use the following Action to query a Web Service:  Web Request

If you're wondering how I figured out what to input, this guide explains how to get SOAP Web Service Information perfectly: https://community.nintex.com/community/tech-blog/blog/2015/01/22/web-request-action-for-o365

Insert these values to create an 'Owners' Group on your Site Collection without access to anything:
  • URL: {Variable:Site Collection URL}_vti_bin/UserGroup.asmx
  • Method: SOAP 1.1
  • Soap Action: http://schemas.microsoft.com/sharepoint/soap/directory/AddGroup
  • Body: Content
Body:

<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body>
    <AddGroup xmlns="http://schemas.microsoft.com/sharepoint/soap/directory/">
      <groupName>{Current Item:Site Name} Owners</groupName>
      <ownerIdentifier>{Current Item:Site Owner}</ownerIdentifier>
      <ownerType>user</ownerType>
      <defaultUserLoginName>{Current Item:Site Owner}</defaultUserLoginName>
      <description>Used to manage permissions on this site: {Variable:Site Collection URL}{Current Item:Site URL}</description>
    </AddGroup>
  </soap:Body>
</soap:Envelope>


4. Add Group to Site
the hard part...

Now we need to give the group access to your newly created site.  Create another Web Request Action.

The picture will explain most things, however, to get the PermissionMask value (a value assigned to a permission level like Contribute, Read Only, etc.), you need to run the following Powershell script on your server: SharePoint Online - Retrieve the Permission Mask Values for a Site using Powershell

FYI: For Owner access with Full Control, the permissionMask is always -1.

Once you have that, insert these values:
  • URL: {Variable:Site Collection URL}{Current Item:Site URL}/_vti_bin/permissions.asmx
  • Method: SOAP 1.1
  • Soap Action: http://schemas.microsoft.com/sharepoint/soap/directory/AddPermission
  • Body: Content
Body:

<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body>
    <AddPermission xmlns="http://schemas.microsoft.com/sharepoint/soap/directory/">
      <objectName>{Current Item:Site Name}</objectName>
      <objectType>web</objectType>
      <permissionIdentifier>{Current Item:Site Name} Owners</permissionIdentifier>
      <permissionType>group</permissionType>
      <permissionMask>-1</permissionMask>
    </AddPermission>
  </soap:Body>
</soap:Envelope>

Running the AddPermission Web Method through the Permissions.asmx web service

5. Add Members to Group
You don't need to do this, but if you're feeling keen you can also run a web service to add a user to the newly created group.  Same setup as Step 4, just use the following settings:
  • URL: {Variable:Site Collection URL}{Current Item:Site URL}/_vti_bin/UserGroup.asmx
  • Method: SOAP 1.1
  • Soap Action: http://schemas.microsoft.com/sharepoint/soap/directory/AddUserToGroup
  • Body: Content
Body:

<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body>
    <AddUserToGroup xmlns="http://schemas.microsoft.com/sharepoint/soap/directory/">
      <groupName>{Current Item:Site Name} Owners</groupName>
      <userName></userName>
      <userLoginName>{Current Item:Project Manager}</userLoginName>
      <userEmail></userEmail>
      <userNotes></userNotes>
    </AddUserToGroup>
  </soap:Body>
</soap:Envelope>
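
Steps 3 to 5 place list column values such as Site Name directly inside XML elements, so a value containing & or < has to be XML-escaped if you build the same requests from a script. The following is an added example (not from the original post, and not Nintex's own code) that builds the bodies in PowerShell with every value escaped and checks that the result parses; the function name New-SharePointSoapBody and the sample values are hypothetical.

```powershell
# Added example. The function name and all sample values are hypothetical/constructed.
$DirectoryNs = 'http://schemas.microsoft.com/sharepoint/soap/directory/'
$SoapNs      = 'http://schemas.xmlsoap.org/soap/envelope/'

function New-SharePointSoapBody {
    param(
        [Parameter(Mandatory)] [string] $Method,   # AddGroup, AddPermission, AddUserToGroup
        [Parameter(Mandatory)] [System.Collections.Specialized.OrderedDictionary] $Fields
    )
    $sb = New-Object System.Text.StringBuilder
    [void]$sb.Append('<?xml version="1.0" encoding="utf-8"?>')
    [void]$sb.Append("<soap:Envelope xmlns:soap=`"$SoapNs`"><soap:Body>")
    [void]$sb.Append("<$Method xmlns=`"$DirectoryNs`">")
    foreach ($name in $Fields.Keys) {
        # Escape & < > " ' so a column value cannot close an element or add a new one
        $value = [System.Security.SecurityElement]::Escape([string]$Fields[$name])
        [void]$sb.Append("<$name>$value</$name>")
    }
    [void]$sb.Append("</$Method></soap:Body></soap:Envelope>")
    $body = $sb.ToString()
    $null = [xml]$body   # throws if the finished body is not well-formed XML
    return $body
}

# Constructed input: a site name containing XML metacharacters
$siteName = 'R&D <Phase 2>'

$addGroup = New-SharePointSoapBody -Method 'AddGroup' -Fields ([ordered]@{
    groupName            = "$siteName Owners"
    ownerIdentifier      = 'owner@company.com.au'
    ownerType            = 'user'
    defaultUserLoginName = 'owner@company.com.au'
    description          = "Used to manage permissions on this site: $siteName"
})

$addPermission = New-SharePointSoapBody -Method 'AddPermission' -Fields ([ordered]@{
    objectName           = $siteName
    objectType           = 'web'
    permissionIdentifier = "$siteName Owners"
    permissionType       = 'group'
    permissionMask       = -1
})

# Round trip: the parsed group name must equal the raw input plus " Owners"
$parsed = ([xml]$addGroup).GetElementsByTagName('groupName').Item(0).InnerText
$parsed -eq "$siteName Owners"
```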

6. Send Emails
Of course now you want to send a nice customised email to your user with all the information they need!

Thoughts?
This saves our team so much time, while allowing us to govern site creation and ensure that all sites have metadata tagged against them!

Have you got any cool tricks to help automate governance that you'd like to share?

Credit where it's due
  • https://community.nintex.com/community/tech-blog/blog/2015/01/22/web-request-action-for-o365

Thursday, 8 June 2017

SharePoint Online - Retrieve the Permission Mask Values for a Site using Powershell

This article stems from another article explaining how to [[Automate Site & Group Creation with Nintex Workflow O365]] - Coming Soon

What
Use Powershell to retrieve detailed data about the permission levels on a particular site

Why
I had previously created a Nintex Workflow to Automate Site & Group creation using Nintex Workflow on SharePoint 2010.  I needed to recreate the same workflow in SharePoint Online / Nintex Workflow O365, however the SharePoint 2010 script for retrieving Permission Mask values did not work.

How
You need PowerShell 3.0 or later and the SharePoint Online PowerShell Module.  Open up the SharePoint Online PowerShell Module and paste the following code (after updating the variables at the top for your site and admin details):

# SharePoint Online - Retrieve the Permission Mask Values for a Site using Powershell

# Specifies variable
$AdminURI = "https://company-admin.sharepoint.com"
$RootSiteCollection="https://company.sharepoint.com/"
$TargetSiteCollection="https://company.sharepoint.com/subsite"
$LogFile = "C:\Temp\GetSitePermissions.xml"

# Specifies the User account for an Office 365 global admin in your organization
$AdminAccount = "the.baretta@company.com.au"

# Begin the process
$loadInfo1 = [System.Reflection.Assembly]::LoadWithPartialName("Microsoft.SharePoint.Client")
$loadInfo2 = [System.Reflection.Assembly]::LoadWithPartialName("Microsoft.SharePoint.Client.Runtime")
$loadInfo3 = [System.Reflection.Assembly]::LoadWithPartialName("Microsoft.SharePoint.Client.UserProfiles")

# Prompt for the password as a secure string so it is never stored in the script in cleartext
$sstr = Read-Host -Prompt "Password for $AdminAccount" -AsSecureString

# Take the AdminAccount and the AdminAccount password, and create a credential
$creds = New-Object Microsoft.SharePoint.Client.SharePointOnlineCredentials($AdminAccount, $sstr)

# Add the path of the Permissions web service to the target site URL, then create a new webservice proxy to access it
$proxyaddr = $TargetSiteCollection + "/_vti_bin/Permissions.asmx?wsdl"
$UserProfileService= New-WebServiceProxy -Uri $proxyaddr -UseDefaultCredential False
$UserProfileService.Credentials = $creds

# Set variables for authentication cookies
$strAuthCookie = $creds.GetAuthenticationCookie($RootSiteCollection)
$uri = New-Object System.Uri($RootSiteCollection)
$container = New-Object System.Net.CookieContainer
$container.SetCookies($uri, $strAuthCookie)
$UserProfileService.CookieContainer = $container

# First argument is the name of the object to query, second is its type ("Web" or "List")
[System.Xml.XmlNode]$xmlNode=$UserProfileService.GetPermissionCollection("yxd","Web")

Write-Host "Starting- This could take a while."
$output = New-Object -TypeName System.IO.StreamWriter -ArgumentList $LogFile, $false
$output.WriteLine("<?xml version=""1.0"" encoding=""utf-8"" ?>")
$output.WriteLine($xmlNode.OuterXml)
$output.WriteLine() 
$output.Dispose()
Write-Host "Done!"
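
Before putting a mask other than -1 into an AddPermission request, it helps to see which rights that number actually grants. This added example (not part of the original script) decodes Mask values from XML shaped like the saved output; the sample document and its attribute names are constructed assumptions, and the flag table is a subset of the low 32 bits of the SPBasePermissions enumeration.

```powershell
# Added example. Subset of SPBasePermissions flags (low 32 bits only).
$Rights = [ordered]@{
    ViewListItems     = 0x00000001
    AddListItems      = 0x00000002
    EditListItems     = 0x00000004
    DeleteListItems   = 0x00000008
    ManageLists       = 0x00000800
    Open              = 0x00010000
    ViewPages         = 0x00020000
    ManageSubwebs     = 0x00800000
    ManagePermissions = 0x02000000
    ManageWeb         = 0x40000000
}

function ConvertFrom-PermissionMask {
    param([Parameter(Mandatory)] [int] $Mask)
    # -1 has every bit set, which is why it always means Full Control
    if ($Mask -eq -1) { return 'FullMask' }
    $names = foreach ($r in $Rights.GetEnumerator()) {
        if (($Mask -band $r.Value) -ne 0) { $r.Key }
    }
    return ($names -join ', ')
}

# Constructed sample; the element and attribute layout is an assumption about the output file
$sample = @'
<GetPermissionCollection xmlns="http://schemas.microsoft.com/sharepoint/soap/directory/">
  <Permissions>
    <Permission MemberID="3" Mask="-1" MemberIsUser="False" MemberGlobal="True" GroupName="Project Owners" />
    <Permission MemberID="5" Mask="196609" MemberIsUser="False" MemberGlobal="True" GroupName="Project Visitors" />
  </Permissions>
</GetPermissionCollection>
'@

$doc = [xml]$sample
foreach ($p in $doc.GetElementsByTagName('Permission')) {
    [pscustomobject]@{
        Member = if ($p.GroupName) { $p.GroupName } else { $p.UserLogin }
        Mask   = [int]$p.Mask
        Rights = ConvertFrom-PermissionMask -Mask ([int]$p.Mask)
    }
}
```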


Thanks
Thank you to the Microsoft Support team that assisted in the process of building this script!