SharePoint on-prem. using Active Directory Federation Services (AD FS)
Also see: Azure B2C SaaS Authentication
Also see: Azure B2C SaaS Authentication
Friday, 25 January 2019
Sunday, 13 January 2019
Using Box.com Pragmatically
Overview: In the SaaS Document Management space Box.com is a competitor to SharePoint Online. A medium size client request recently came into integrate with a client and deliver files into Box.com, as it is something I have not done before I was eager to see how easy it is.
Requirement:
Box.com has several was to problematically connect and to test the API's. For my PoC I used the Developer Token approach. We should switch this over to the JWT OAuth approach but for the PoC and working with the API's I used the Developer Token approach.
1. Once you tenant is setup and you have configured your client, set the developer Token that last for 1 hrs as shown in the screen above.
2. Create a new C# console and add the Box C# SDK reference as shown below.
3. You will need to add the Developer Token, Client Secret and ClientId in order to programtically connect from the console. Below is my app.config.
<?xml version="1.0" encoding="utf-8"?>
<configuration>
<startup>
<supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.6.1" />
</startup>
<appSettings>
<add key="ClientId" value="f9y555fiqwqcbv555lst88dmzbxzqa7n"/>
<add key="ClientSecret" value="CoTT555U7oN555wKF555aPYz5555"/>
<add key="DeveloperToken" value="TjxJh555ivvW555EE555NTerb555"/>
</appSettings>
4. Connect to your tenant using Box.com's API's/ SDK
5. Run the Console and the console looks as follows:
6. Code the file upload logic:
Final Thoughts:
Requirement:
- I merely need to create folders within the clients tenant if needed and drop files into specific folders from a scheduled job that runs every 5 minutes.
- Box.com has API similar to SharePoint CSOM to pragmatically work with your Box tenant.
- Box.com functionality is specific to Documents so the API is really small and easy to learn.
- There are multiple ways to pragmatically authenticate to you Box.com tenant, PoC keeps it simple. Actual must use JWT for the connecting service account.
Box.com has several was to problematically connect and to test the API's. For my PoC I used the Developer Token approach. We should switch this over to the JWT OAuth approach but for the PoC and working with the API's I used the Developer Token approach.
2. Create a new C# console and add the Box C# SDK reference as shown below.
<?xml version="1.0" encoding="utf-8"?>
<configuration>
<startup>
<supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.6.1" />
</startup>
<appSettings>
<add key="ClientId" value="f9y555fiqwqcbv555lst88dmzbxzqa7n"/>
<add key="ClientSecret" value="CoTT555U7oN555wKF555aPYz5555"/>
<add key="DeveloperToken" value="TjxJh555ivvW555EE555NTerb555"/>
</appSettings>
4. Connect to your tenant using Box.com's API's/ SDK
5. Run the Console and the console looks as follows:
Final Thoughts:
- Overall I think Box.com is a good option if you don't already have O365. It's pretty expensive for a small feature set but it is a valid option for clients.
- The search indexing is ridiculously slow so very hard to build search based solutions using the API.
- Microsoft Flow has connectors for Box.com before developing, check if Flow can meet your migration, moving requirement.
Part 2 of using Box.com programmatically, I discuss using JWT for access.
Troubleshooting Box.com issues
Troubleshooting Box.com issues
Thursday, 10 January 2019
NoSQL Document Database options on Azure - CosmosDB
Overview: Azure has a plethora of options for using NoSQL, I have used RavenDB and DocumentDB a couple of years back. Both are easy and great tools for the right situation, DocumentDB now falls under CosmosDB as a product at Microsoft. However, I feel that CosmosDB would be anyone's default choice today on Azure as DocumentDB is really a feature subset of CosmosDB.
CosmosDB: "Azure Cosmos DB is a global distributed, multi-model database (db) that is used in a wide range of applications and use cases. It is a good choice for any serverless application that needs low order-of-millisecond response times, and needs to scale rapidly and globally." CosmosDB is used by Microsoft's Skype, MSN, Xbox, Office 365, Azure products.
Def: CosmosDB is a Planet scalable NoSQL JSON database that has multiple API support (including SQL(Core)). Multiple copies/instance around the world (think SQL AOAG).
More Info:
NoSQL options - https://www.nebbiatech.com/2017/02/09/exploring-the-nosql-options-on-azure/
CosmosDB: "Azure Cosmos DB is a global distributed, multi-model database (db) that is used in a wide range of applications and use cases. It is a good choice for any serverless application that needs low order-of-millisecond response times, and needs to scale rapidly and globally." CosmosDB is used by Microsoft's Skype, MSN, Xbox, Office 365, Azure products.
Def: CosmosDB is a Planet scalable NoSQL JSON database that has multiple API support (including SQL(Core)). Multiple copies/instance around the world (think SQL AOAG).
- Encrypted on Azure at Rest and in Motion.
- Multiple API's supported including SQL API (DocumentDB) and multiple other JavaScript and Table.
- A logical breakdown of CosmosDB API
- Partitions are managed transparently and users are routed based on geographic location and usage.
- One write db and multiple reads. Or can setup multitple write databases Can set automatic failover so if the write db is unavailable, one of the read db's becomes the write db.
- CosmosDB Migration tool is great at bringing in data from JSON, SQL, CSV, MongoDB, Amazon DynamoDB.
- Determinant geo-replication - Use to be 1 master and multiple read copies of the data. Not all copies can be written to but if you have country data residency rules you can't configure data to be within specific regions. I.e. I can't specify certain bits of data are only stored in a specific region. You can specify a region/location for a container, but not split a container. : Check! Not a fact.
- Backup and Recovery - Point in time recovery and MS ticket needs to be raised. Can't structure complex backup plans. Take it or leave it approach.
- Limited LINQ support
- SQL API is very limited compared to SQL relational databases, offering no joins or aggregation capability such as GROUP BY.
- Temporal Tables don't exist, there are good auditing options such as the "Change Feed" where all changes can be streamed into an external database/system.
- Entity Framework support is limited. Consider a PoC before using.
- Consistency (copy data to other read-only debs) 5 options: "Strong" (commit to all dbs and acknowledge state, so slow to align but all reading same data but it may be stale. "Eventual", reads what is in the local db you are going to. The default is "Session". As always, it depends on the requirement.
Tip: Amazon DynamoDB is AWS's equivilant to Azures CosmosDB
NoSQL options - https://www.nebbiatech.com/2017/02/09/exploring-the-nosql-options-on-azure/
Sunday, 16 December 2018
SharePoint Online Property Bag SPWeb Properties are not indexed by default
Problem: Moving an on-prem SharePoint solution to SPO, I realised that SPO does not automatically index property bag values.
Initial Hypothesis: The Search schema looks correct and automatically created the correct Managed Properties. Asked our Microsoft representative and they sent us a link to enable property bag values in the search index.
Resolution: Be aware that you need to do some Powershell commands on your tenant and site collections when using SharePoint Online to make property bag settings appear in the search results.
More Info:
https://blog.kloud.com.au/2018/04/26/how-to-make-property-bag-values-indexed-and-searchable-in-sharepoint-online/
Initial Hypothesis: The Search schema looks correct and automatically created the correct Managed Properties. Asked our Microsoft representative and they sent us a link to enable property bag values in the search index.
Resolution: Be aware that you need to do some Powershell commands on your tenant and site collections when using SharePoint Online to make property bag settings appear in the search results.
More Info:
https://blog.kloud.com.au/2018/04/26/how-to-make-property-bag-values-indexed-and-searchable-in-sharepoint-online/
Saturday, 15 December 2018
ShareGate User Migration Gotcha
Problem: Migrated an Extranet site with a large user base, and multiple users have the same name. When a user is removed from AD, and running migration to the new farm, the AD automatically picks a different user and gives them the user that lefts permissions.
Example:
John Smith (john.smith@contoso.com) has been added to a site collection.
John Smith (@contoso) is removed from AD but still exists in the site collection permissions.
Ran Sharegate to move the content including user permissions to a new farm.
John Smith is added to the same SharePoint groups however, it has added john_smith@clientA.com
Initial Hypothesis: Sharegate tries to resolve the user and is incorrectly resolving the user's name and not the name in AD. As the user has left the firm, the other user is being resolved and we end up with permission inconsistency.
I got this reply from Sharegate and can see that my issue happens at step 8.
"How Sharegate resolves users
from the source to the destination"
Somewhat related:
https://sharegate.com/blog/unresolved-user-when-preserving-created-modified-sharepoint-migration
Example:
John Smith (john.smith@contoso.com) has been added to a site collection.
John Smith (@contoso) is removed from AD but still exists in the site collection permissions.
Ran Sharegate to move the content including user permissions to a new farm.
John Smith is added to the same SharePoint groups however, it has added john_smith@clientA.com
Initial Hypothesis: Sharegate tries to resolve the user and is incorrectly resolving the user's name and not the name in AD. As the user has left the firm, the other user is being resolved and we end up with permission inconsistency.
I got this reply from Sharegate and can see that my issue happens at step 8.
"How Sharegate resolves users
from the source to the destination"
"We look at the whole account name available, for matches to
users at the destination through the SharePoint people picker.
Once we have a list of potential matches for your user, we go
through the list of values below (in the specified order). We consider the
account a match when we find the same values for one of these properties:
1.
Exact same account
name
2.
Same normalized
account name (without claims header)
3.
Same login and domain
4.
Same login
5.
Same login and domain
(source login read from display name - this can happen when importing from file
system because the account name is set as the display name)
6.
Same login (source
login read from display name - this can happen when importing from file system
because the account name is set as the display name)
7.
Same email address
8.
Same display name
9.
PrincipalType is not
set or is a Security Group and same display name without domain"
Somewhat related:
https://sharegate.com/blog/unresolved-user-when-preserving-created-modified-sharepoint-migration
Monday, 3 December 2018
SharePoint Online Geo-Replication SPO/O365
Geo-replication/Multi-tenancy
Mid 2018 I outlined the state of Multi-geo on O365, the easier parts of Geo-Replication are already well handled and the changes are discussed in the the link. This post focuses on SSO options today and the likely road-map.
O365 is moving towards multi-tenancy that will allow multinational companies to store data in compliance with country rules. For instance EU data may not be allowed to be stored outside the EU but you already have your O365 tenancy based in the US.
Historically, most larger companies have chosen either the US or EU to base their data storage in. If you wanted data to be stored in another region you had to buy another tenant with Microsoft strongly discouraged.
Microsoft, are working towards supporting O365 in multi geo-locations. Basically, their are 2 parts: 1) User specific data (email, OneDrive) where we know where a user is based and their data is encrypted and stored in that country. and 2) group/team/country specific data (SharePoint) where the data itself may have residency rules.
This post looks at SharePoint data that is required to be stored in a specific country.
Options today:
1. On-Prem. : Have a SharePoint farm in each geo location, this requires a fair amount of thought to deal with SSO, Search, MMS, Content Types and UPA.
2. O365: Have multiple tenants (non are connected) in each location and connect your authentication up to each tenant. The problem with option 2 is that each O365 tenant requires a separate Azure Active Directory. This means that you will need to hook each O365 tenant up to a single MMS, Search service and poly-fill in the SSO process. Imaging if you have 8 regional tenants for regulatory purposes. To achieve SSO, you will need to create a central AAD, then connected each regional AAD to the central AAD. Azure directory sync is needed, inviting members and guests, other companies AAD becomes and issue. The image below outlines a possible pattern to solve this complex problem.
Coming Q1 2019 : Multi Geo tenant, that shall be the answer. A lot of the multi-tenant is still in preview so I shall be interesting to see mutil-geo tenancy when it goes into General Availability (GA) next year (+-Feb/March 2019).
MSIgnite tour London updates 27-Feb-19:
Mid 2018 I outlined the state of Multi-geo on O365, the easier parts of Geo-Replication are already well handled and the changes are discussed in the the link. This post focuses on SSO options today and the likely road-map.
O365 is moving towards multi-tenancy that will allow multinational companies to store data in compliance with country rules. For instance EU data may not be allowed to be stored outside the EU but you already have your O365 tenancy based in the US.
Historically, most larger companies have chosen either the US or EU to base their data storage in. If you wanted data to be stored in another region you had to buy another tenant with Microsoft strongly discouraged.
Microsoft, are working towards supporting O365 in multi geo-locations. Basically, their are 2 parts: 1) User specific data (email, OneDrive) where we know where a user is based and their data is encrypted and stored in that country. and 2) group/team/country specific data (SharePoint) where the data itself may have residency rules.
This post looks at SharePoint data that is required to be stored in a specific country.
Options today:
1. On-Prem. : Have a SharePoint farm in each geo location, this requires a fair amount of thought to deal with SSO, Search, MMS, Content Types and UPA.
2. O365: Have multiple tenants (non are connected) in each location and connect your authentication up to each tenant. The problem with option 2 is that each O365 tenant requires a separate Azure Active Directory. This means that you will need to hook each O365 tenant up to a single MMS, Search service and poly-fill in the SSO process. Imaging if you have 8 regional tenants for regulatory purposes. To achieve SSO, you will need to create a central AAD, then connected each regional AAD to the central AAD. Azure directory sync is needed, inviting members and guests, other companies AAD becomes and issue. The image below outlines a possible pattern to solve this complex problem.
Coming Q1 2019 : Multi Geo tenant, that shall be the answer. A lot of the multi-tenant is still in preview so I shall be interesting to see mutil-geo tenancy when it goes into General Availability (GA) next year (+-Feb/March 2019).
MSIgnite tour London updates 27-Feb-19:
Brent Alinger
Sovereign geos:
US Gov
China (21Vianet)
Germany
Coming new geos: South Africa, UAE, Norway o365 data regions coming soon. See office.com/datamaps
UK: Cardiff, London, Durham are 3 data centres in the UK.
Note: some services such as AAD, planner, yammer, Sway are not uk based either Europe or US based.
US has 8 data centres
Can get default region moved, it’s difficult.
Phase 1: oneDrive and exchange April 2018 delivered
Phase 2: o365groups and SharePoint private preview Oct 2018. Good feedback so far. Keen ferry, Cott dimension data.
Multi-geo is not for solving:
GDPR
PERFORMANCE enhancer - rather align with MS Global Network.
pining data to a specific country
Cost: $2 per month extra per user in satellite locations, go thru account manager to set it up. Once approved shows in admin centre and provisioned, take less than 30 days but can be 2 days.
Need a domain name per geo location for OneDrive and SPO e.g. https://emeia-radimaging.sharepoint.com
Preferred Data Location (PDL) - used to specify in AAD to show where a user is stored. Not for travelling user but long term office assignment. Users of exchange online are seemlessly moved. ODfB requires a PS cod to move the user data.
Phase 2: SPO March into GA by 30 March 2019 confirmed. DLP per satellite geo. Hub sites can span multi geos.
Aka.ms/multi-geo
Update: 2020-06-30. Multi-geo is available in
Australia,
Asia Pacific,
Canada,
European Union,
France,
India,
Japan,
Korea,
United Kingdom,
United States,
United Arab Emirates,
South Africa, and
Switzerland.
Update: 2020-06-30. Multi-geo is available in
Australia,
Asia Pacific,
Canada,
European Union,
France,
India,
Japan,
Korea,
United Kingdom,
United States,
United Arab Emirates,
South Africa, and
Switzerland.
Sunday, 2 December 2018
O365 AAD - Federation B2B options
Problem: Using O365 as an Extranet. A basic analysis before starting is a minimal requirement. The existing Extranet will make a lot of the questions fairly easy to clarify. You can cover this in tremendous detail but to avoid information paralysis, I recommend a decision maker, and preferably someone that already works on Extranet. A committee is cool if you have the cash but it's so hard to guess at the future, my preference is to get the broad strokes right and amended once we are in the weeds. These four points can be answered with the right people in a meeting or may take months for complex organisations especially if there is no clear leader to make decisions.
Consideration Point:
1. Who is using the Extranet? Clients, partners, vendors, ..., or Client Users
2. How will Client and Company users authenticate? O365 options including ADFS, another federation service e.g. Ping, Passport/Live, Google, Facebook,...
3. Self-registration or known approved Client Users? Try to figure out what the process for on-boarding your Client User will be.
4. Client User Profile Usage? Will the client users amend content, have the ability to share permissions or old school, they will read web published pages (read-only). Will client users have OneDrive, use teams, only SharePoint or other O365 applications.
2.> O365 authentication
The most basic option is to allow O365 to have client users (guests), as long as a user has an O365 account they can be a Client User. You can also use any Microsoft account for a client user.
Azure has a service that allows for you to connect users as guests, the user shall use their own AAD or ADFS or any federation service including Google and Facebook to authenticate. Microsoft allows 5 guest accounts on AAD for every 1 member (licence user).
4.> Client Usage Profiles
O365 can share a document anonymously in a link within an email. Obviously, this means anyone can potentially access the file. However, to replace attachment in an email and wide distribution this is a great step forward, as you can control versions and retract the access at any point. Additionally, the link settings can be customised to control who can use the link. For example, you can set the specific people who get the link or you could specify only internal people get the link. Once it is set to "Anyone" the email or link can be forwarded and literally anyone can get access.
Governance: Manage O365 to apply the businesses rules so users comply with governance. O365 has an easy straight forward configuration to make this happen. When configuring sharing governance you need to ensure it is done at the O365, SharePoint Admin and Site Admin levels. If 1 of these says no external sharing you can't share so it is a fairly granular approach. This allows Extranet and Intranet to live on the same O365 tenant.
Licensing: As a general rule, there tends to be no cost for External users, as 5 client Users for every internal O365 user is allowed for the O365 extranet scenario. Check with Microsoft as business scenarios play out differently.
Thoughts:
Consideration Point:
1. Who is using the Extranet? Clients, partners, vendors, ..., or Client Users
2. How will Client and Company users authenticate? O365 options including ADFS, another federation service e.g. Ping, Passport/Live, Google, Facebook,...
3. Self-registration or known approved Client Users? Try to figure out what the process for on-boarding your Client User will be.
4. Client User Profile Usage? Will the client users amend content, have the ability to share permissions or old school, they will read web published pages (read-only). Will client users have OneDrive, use teams, only SharePoint or other O365 applications.
2.> O365 authentication
The most basic option is to allow O365 to have client users (guests), as long as a user has an O365 account they can be a Client User. You can also use any Microsoft account for a client user.
Azure has a service that allows for you to connect users as guests, the user shall use their own AAD or ADFS or any federation service including Google and Facebook to authenticate. Microsoft allows 5 guest accounts on AAD for every 1 member (licence user).
4.> Client Usage Profiles
O365 can share a document anonymously in a link within an email. Obviously, this means anyone can potentially access the file. However, to replace attachment in an email and wide distribution this is a great step forward, as you can control versions and retract the access at any point. Additionally, the link settings can be customised to control who can use the link. For example, you can set the specific people who get the link or you could specify only internal people get the link. Once it is set to "Anyone" the email or link can be forwarded and literally anyone can get access.
Governance: Manage O365 to apply the businesses rules so users comply with governance. O365 has an easy straight forward configuration to make this happen. When configuring sharing governance you need to ensure it is done at the O365, SharePoint Admin and Site Admin levels. If 1 of these says no external sharing you can't share so it is a fairly granular approach. This allows Extranet and Intranet to live on the same O365 tenant.
Licensing: As a general rule, there tends to be no cost for External users, as 5 client Users for every internal O365 user is allowed for the O365 extranet scenario. Check with Microsoft as business scenarios play out differently.
Thoughts:
- O365 uses Azure Active Directory (B2C), there is a 1-to-1 relationship between your tenant AAD and you O365 instance.
- External accounts can be connect as guests e.g. Another AAD tenant, Micsrosoft accounts (passport), ADFS or any auth provider (SAML), Facebook, Google+, AAD B2C (separate service from AAD). There is also a One Time Passcode option.
Subscribe to:
Posts (Atom)