SharePoint (2003 thru Online): June 2019

Thursday, June 27, 2019

Go Local India

Updated Feature: Live events in GCC, Go Local India, Go Local Japan and Go Local Australia
MC183452, Stay Informed, Published On : June 27, 2019

We’re updating regional availability of live events in Microsoft Teams. The following features will be rolling out in late July 2019: live events in US Government Community Cloud (GCC), and live events in Go Local India, Japan and Australia.

This message is associated with Office 365 Roadmap ID 24216.

How does this affect me?
We will be gradually rolling out availability of live events in GCC, Go Local India, Go Local Japan and Go Local Australia in late July, 2019 and the roll out will be completed by the end of August, 2019.

What do I need to do to prepare for this change?
The live events feature is on by default for users. There are administrative controls to enable and disable the feature for a selected set of users. Please click Additional information to learn more.

  • Users in GCC will be able to schedule and host a new live event in Microsoft Teams and Microsoft Stream.
  • Microsoft Teams users who are in Go Locals India, Japan and Australia (customers defined as those with Tenant sign up country = India, Japan or Australia) will be able to schedule and host a new live event in Microsoft Teams with the live events data stored in-country. Please see Get started with Microsoft Teams live events for more information.

  • India, Japan or Australia customers or tenants who are not in Go Locals & have their data in-region i.e. in APAC will continue to create live events in-region.
Please note live events are already available in Go Local Canada. Support for live events in GCC-High, GCC-DoD, Go Locals UK, Go Local France and other countries will be added in the future.

Additional Information

Monday, June 24, 2019

NintexWorkflowID error


One fine day, when I tried to save the newly created workflow, I saw the error below. We searched many sites, forums, and blogs, but were unable to find a solution for this.
Issue:
Server was unable to process request. ---> Could not find field NintexWorkflowID on NintexWorkflows library.


We retracted the Nintex Solution and Redeployed. We also de-activated the Feature on both Site Collection and Site. Uh.....didn't work. Finally found the Solution.


Solution: 

We found that a few fields were missing in the Nintex Workflows library.

To go to the Nintex Workflows library, append NintexWorkflows/Forms/AllItems.aspx to your site URL, as shown in the example below.

For example, the URL would be http://devtest.dev.com/sites/devtest/NintexWorkflows/Forms/AllItems.aspx

Go to Document Library Settings
I don't know how and why, but found the below fields were missing. 

We need a few tools from Nintex to verify the usage of Nintex and find whether we have any duplicate fields.


NOTE: Use this URL at the site level to view all Nintex workflows available in the site >> http://devtest.dev.com/sites/devtest/_layouts/NintexWorkflow/WorkflowGallery.aspx

Friday, June 21, 2019

OneDrive Quota options

1. Set default storage limit for all users.
2. Set specific storage limit for selected users.

1. Set default storage limit for all users.

1 TB is the default tenant-wide setting for a user’s OneDrive for Business storage quota. Check your Office 365 plan for the maximum storage you are eligible for per user. To increase the quota tenant-wide for every user, go to OneDrive Admin Center. Enter Default storage in GB and click Save.

Set the default OneDrive storage using PowerShell

Set-SPOTenant -OneDriveStorageQuota 2097152

We updated the OneDriveStorageQuota to 2097152 (2 TB). Use Get-SPOTenant to verify the update.

2. Set specific storage limit for selected users.

First, check if a user has the default storage limit or a specific limit. Sign in to https://admin.microsoft.com as a global or SharePoint admin. (If you see a message that you don't have permission to access the page, you don't have Office 365 administrator permissions in your organization.)
[Note: If you have Office 365 Germany, sign in at https://portal.office.de. If you have Office 365 operated by 21Vianet (China), sign in at https://login.partner.microsoftonline.cn/. Then select the Admin tile to open the admin center.]

In the left pane, select Users >> Active users >> Select the user >> Select the OneDrive tab. Next to "Storage used," look at the max value. (For example, 0 MB of 1024 GB)


To use several different storage settings for individual users’ OneDrives instead of using a tenant-wide option, we can run the following from PowerShell (inserting the target user’s OneDrive location and specifying the desired quota in MB):


Note: To perform the steps below you will need to have the SharePoint Online Management Shell installed. If you have issues with SharePoint Online Management Shell, try installing the SharePoint Online Client Components SDK.

(Windows 10 is the recommended OS for using SharePoint Online Management Shell. You might see more issues with Windows 7.)

1. Open PowerShell as Administrator
2. Connect to the service: Connect-SPOService -Url <https://yourdomain-admin.sharepoint.com>
3. Sign in with SharePoint administrator credentials


Set-SPOSite -Identity https://gurram-my.sharepoint.com/personal/tone_gurram_onmicrosoft_com -StorageQuota 5242880


NOTE: Based on your license, you can increase up to 5 TB only. You need to contact MSFT Support for more than 5 TB.

Use Get-SPOSite -Identity https://gurram-my.sharepoint.com/personal/tone_gurram_onmicrosoft_com to verify the update.
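A scripted form of the per-user procedure above, as an added example that is not part of the original post: it converts a quota in GB to the MB value that -StorageQuota expects, rejects anything above the 5 TB ceiling noted above, refuses to shrink a quota below current usage, and reads the value back with Get-SPOSite. The function name Set-OneDriveQuota and the contoso URLs are assumptions, and it expects Connect-SPOService to have been run already.

```powershell
# Added example (not from the original post): per-user OneDrive quota changes
# with validation and read-back. Assumes an open session created with
# Connect-SPOService -Url https://yourdomain-admin.sharepoint.com

function Set-OneDriveQuota {   # hypothetical helper name
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        # Full URL of the user's OneDrive site (the -Identity value).
        [Parameter(Mandatory = $true)]
        [string]$OneDriveUrl,

        # 5120 GB = 5242880 MB = 5 TB, the ceiling noted in the post.
        [Parameter(Mandatory = $true)]
        [ValidateRange(1, 5120)]
        [int]$QuotaGB
    )

    $quotaMB = $QuotaGB * 1024          # -StorageQuota is expressed in MB
    $before  = Get-SPOSite -Identity $OneDriveUrl -ErrorAction Stop

    # Do not shrink a quota below what the user already stores.
    if ($before.StorageUsageCurrent -gt $quotaMB) {
        Write-Warning "$OneDriveUrl uses $($before.StorageUsageCurrent) MB; refusing to set $quotaMB MB."
        return
    }
    if ($before.StorageQuota -eq $quotaMB) {
        Write-Verbose "$OneDriveUrl is already at $quotaMB MB."
        return
    }

    if ($PSCmdlet.ShouldProcess($OneDriveUrl, "Set StorageQuota to $quotaMB MB")) {
        Set-SPOSite -Identity $OneDriveUrl -StorageQuota $quotaMB -ErrorAction Stop

        # Read the value back instead of trusting the call to have applied.
        $after = Get-SPOSite -Identity $OneDriveUrl -ErrorAction Stop
        [pscustomobject]@{
            Url        = $OneDriveUrl
            PreviousMB = $before.StorageQuota
            CurrentMB  = $after.StorageQuota
            Applied    = ($after.StorageQuota -eq $quotaMB)
        }
    }
}

# Constructed sample input; replace with real OneDrive URLs.
$requests = @(
    @{ Url = 'https://contoso-my.sharepoint.com/personal/user1_contoso_onmicrosoft_com'; QuotaGB = 2048 }
    @{ Url = 'https://contoso-my.sharepoint.com/personal/user2_contoso_onmicrosoft_com'; QuotaGB = 5120 }
)

foreach ($r in $requests) {
    # -WhatIf shows what would change without modifying the site.
    Set-OneDriveQuota -OneDriveUrl $r.Url -QuotaGB $r.QuotaGB -WhatIf
}
```

Remove -WhatIf to apply the changes; each applied change returns an object whose Applied column shows whether the read-back matched.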






Wednesday, June 19, 2019

SharePoint Online - Permission Levels

Below is a complete list of the permission levels, what they do and who they are for:
Full Control: By default, this permission level is assigned to the Owners group. 
Contains all available SharePoint permissions. It can't be customized or deleted. 

Design: Create lists and document libraries, edit pages and apply themes, borders, and style sheets on the site.  


Edit: By default, this permission level is assigned to the Members group.

Add, edit, and delete lists; view, add, update, and delete list items and documents. 

Contribute: View, add, update, and delete list items and documents. 


Read: By default, this permission level is assigned to the Visitors group.

View pages and items in existing lists and document libraries and download documents. 

View Only: View pages, items, and documents. Any document that has a server-side file handler can be viewed in the browser but not downloaded. File types that do not have a server-side file handler (cannot be opened in the browser), such as video files, .pdf files, and .png files, can still be downloaded. 


Approve: Edit and approve pages, list items, and documents. By default, the Approvers group has this permission. 


Manage Hierarchy: Create sites and edit pages, list items, and documents. By default, this permission level is assigned to the Hierarchy Managers group. 


Restricted Read: View pages and documents, but not historical versions or user permissions. 


Restricted Interfaces for Translation: Can open lists and folders, and use remote interfaces.


Limited Access:  Enables a user or group to browse to a site page or library to access a specific content item when they do not have permissions to open or edit any other items in the site or library. This level is automatically assigned by SharePoint when you provide access to one specific item. You cannot assign Limited Access permissions directly to a user or group yourself. Instead, when you assign edit or open permissions to the single item, SharePoint automatically assigns Limited Access to other required locations, such as the site or library in which the single item is located. 


Lockdown mode

Limited-access user permission lockdown mode is a site collection feature that you can use to secure published sites. When lockdown mode is turned on, fine-grain permissions for the limited access permission level are reduced. The following table details the default permissions of the limited access permission level and the reduced permissions when the lockdown mode feature is turned on.


Site Settings >> Site Collection features

Permission | Limited access - default | Limited access - lockdown mode
List permissions: View Application Pages 
Site permissions: Browse User Information 
Site permissions: Use Remote Interfaces 
Site permissions: Use Client Integration Features 
Site permissions: Open 

Lockdown mode is on by default for all publishing sites, including if a legacy publishing site template was applied to the site collection. Lockdown mode is the recommended configuration if greater security on your sites is a requirement.

If you disable the limited-access user permission lockdown mode site collection feature, users in the "limited access" permissions level (such as Anonymous Users) can gain access to certain areas of your site.

Roles and administrators - O365 vs Azure Active Directory

(Note: New Roles are marked below)


| Roles in O365 | Roles in Azure Active Directory | Roles Description |
| | Application Administrator | Users in this role can add, manage, and configure enterprise applications, app registrations and manage on-premises like app proxy. |
| | Application Developer | Users in this role will continue to be able to register app registrations even if the Global Admin has turned off the tenant level switch for "Users can register apps". |
| | Authentication administrator | Has access to view, set, and reset authentication method information for any non-admin user. |
| | Azure Information Protection administrator | Users with this role have user rights only on the Azure Information Protection service. They are not granted user rights on Identity Protection Center, Privileged Identity Management, Monitor Office 365 Service Health, or Office 365 Security & Compliance Center. They can configure labels for the Azure Information Protection policy, manage protection templates, and activate protection. |
| | B2C IEF Keyset administrator | User can create and manage policy keys and secrets for token encryption, token signatures, and claim encryption/decryption. By adding new keys to existing key containers, this limited administrator can rollover secrets as needed without impacting existing applications. This user can see the full content of these secrets and their expiration dates even after their creation. This is a sensitive role. The Keyset administrator role should be carefully audited and assigned with care during preproduction and production. |
| | B2C IEF Policy administrator | Users in this role have the ability to create, read, update, and delete all custom policies in Azure AD B2C and therefore have full control over the Identity Experience Framework in the relevant Azure AD B2C tenant. By editing policies, this user can establish direct federation with external identity providers, change the directory schema, change all user-facing content (HTML, CSS, JavaScript), change the requirements to complete an authentication, create new users, send user data to external systems including full migrations, and edit all user information including sensitive fields like passwords and phone numbers. Conversely, this role cannot change the encryption keys or edit the secrets used for federation in the tenant. The B2C IEF Policy Administrator is a highly sensitive role, which should be assigned on a very limited basis for tenants in production. Activities by these users should be closely audited, especially for tenants in production. |
| | B2C user flow administrator | Users with this role can create and manage B2C User Flows (aka "built-in" policies) in Azure Portal. By creating or editing user flows, these users can change the html/CSS/javascript content of the user experience, change MFA requirements per user flow, change claims in the token and adjust session settings for all policies in the tenant. On the other hand, this role does not include the ability to review user data, or make changes to the attributes that are included in the tenant schema. Changes to Identity Experience Framework (aka Custom) policies is also outside the scope of this role. |
| | B2C user flow attribute administrator | Users with this role add or delete custom attributes available to all user flows in the tenant. As such, users with this role can change or add new elements to the end user schema and impact the behavior of all user flows and indirectly result in changes to what data may be asked of end users and ultimately sent as claims to applications. This role cannot edit user flows. |
| Billing administrator | Billing administrator | Makes purchases, manages subscriptions, manages support tickets, and monitors service health. |
| | Cloud application administrator | Users in this role can add, manage, and configure enterprise applications, app registrations but will not be able to configure or manage on-premises like app proxy. |
| | Cloud device administrator | A User in this role has the ability to read directory information (including devices details), manage devices, delete devices, read and manage group memberships, view BitLocker keys. |
| Compliance administrator | Compliance administrator | Users with this role have management permissions within the Office 365 Security & Compliance Center and Exchange Admin Center. |
| | Compliance data administrator | Users with this role have permissions to protect and track data in the Microsoft 365 compliance center, Microsoft 365 admin center, and Azure. Users can also manage all features within the Exchange admin center, Compliance Manager, and Teams & Skype for Business admin center and create support tickets for Azure and Microsoft 365. |
| | Conditional access administrator | Users with this role have the ability to manage Azure Active Directory conditional access settings. Note: To deploy Exchange ActiveSync conditional access policy in Azure, the user must also be Global Administrator. |
| Customer Lockbox access approver | Customer LockBox access approver | User in this role can login to the Office Admin Center and view/approve/reject data access requests. |
| | Desktop Analytics administrator | Users in this role will have access to manage Desktop Analytics and Office Customization & Policy Services. For Desktop Analytics, this includes the ability to view asset inventory, create deployment plans, and view deployment and health status. For Office Customization & Policies Services, this role will enable users to manage Office policies. |
| Dynamics 365 service administrator | Dynamics 365 administrator | Users with this role have global permissions within Microsoft CRM Online, when the service is present, as well as the ability to manage support tickets and monitor service health. |
| Exchange administrator | Exchange administrator | Users with this role have global permissions within Microsoft Exchange Online, when the service is present. |
| | External Identity Provider administrator | This administrator manages federation between Azure Active Directory tenants and external identity providers. With this role, users can add new identity providers and configure all available settings (e.g. authentication path, service id, assigned key containers). This user can enable the tenant to trust authentications from external identity providers. The resulting impact on end user experiences depends on the type of tenant: (1) Azure Active Directory tenants for employees and partners: The addition of a federation (e.g. with Gmail) will immediately impact all guest invitations not yet redeemed. (2) Azure Active Directory B2C tenants: The addition of a federation (e.g. with Facebook, or with another Azure Active Directory) does not immediately impact end user flows until the identity provider is added as an option in a user flow (aka built-in policy). To change user flows, the limited role of “B2C User Flow Administrator” is required. |
| Global administrator | Global administrator | Users with this role have access to all administrative features in Azure Active Directory, as well as services that federate to Azure Active Directory like Exchange Online, SharePoint Online, and Skype for Business Online. The person who signs up for the Azure Active Directory tenant becomes a global administrator. Only global administrators can assign other administrator roles. There can be more than one global administrator at your company. Global admins can reset the password for any user and all other administrators. Note: In Microsoft Graph API, Azure AD Graph API, and Azure AD PowerShell, this role is identified as "Company Administrator". It is "Global Administrator" in the Azure portal. |
| | Guest inviter | Users in this role can manage Azure Active Directory B2B guest user invitations when the "Members can invite" user setting is set to No. It does not include any other permissions. |
| Helpdesk administrator | Helpdesk (password) administrator | Users with this role can change passwords, manage service requests, and monitor service health. Helpdesk administrators can change passwords only for users and other Helpdesk administrators. Note: In Microsoft Graph API, Azure AD Graph API and Azure AD PowerShell, this role is identified as "Helpdesk Administrator". It is "Password Administrator" in the Azure portal. |
| | Information Protection administrator | Users with this role have user rights only on the Azure Information Protection service. They are not granted user rights on Identity Protection Center, Privileged Identity Management, Monitor Office 365 Service Health, or Office 365 Security & Compliance Center. They can configure labels for the Azure Information Protection policy, manage protection templates, and activate protection. |
| | Intune administrator | Users with this role have global permissions within Microsoft Intune Online, when the service is present. Additionally, this role contains the ability to manage users and devices in order to associate policy, as well as create and manage groups. |
| Kaizala administrator | Kaizala administrator | Users with this role have global permissions to manage settings within Microsoft Kaizala, when the service is present, as well as the ability to manage support tickets and monitor service health. Additionally, the user can access reports related to adoption & usage of Kaizala by Organization members and business reports generated using the Kaizala actions. |
| License administrator | License administrator | Users in this role can assign licenses, remove licenses and manage group license assignments. |
| | Message center privacy reader | Users in this role can monitor all notifications in the Message Center, including data privacy messages. Message Center Privacy Readers get email notifications including those related to data privacy and they can unsubscribe using Message Center Preferences. Only the Global Administrator and the Message Center Privacy Reader can read data privacy messages. Additionally, this role contains the ability to view groups, domains, and subscriptions. This role has no permission to view, create, or manage service requests. |
| Message Center reader | Message Center reader | User in this role can read messages and updates for their organization in Office 365 Message Center only. |
| Power BI service administrator | Power BI administrator | Users with this role have global permissions within Microsoft Power BI, when the service is present, as well as the ability to manage support tickets and monitor service health. |
| | Privileged authentication administrator | Users with this role can view the current authentication method information and set or reset non-password credentials for all users, including global administrators. Privileged Authentication Administrators can force users to re-register against existing non-password credential (e.g. MFA, FIDO) and revoke 'remember MFA on the device', prompting for MFA on the next login of all users. |
| | Privileged role administrator | Users with this role can manage role assignments in Azure Active Directory, as well as within Azure AD Privileged Identity Management. In addition, this role allows management of all aspects of Privileged Identity Management. |
| Reports reader | Reports reader | Users with this role can view usage reporting data and the reports dashboard in Office 365 admin center and the adoption context pack in PowerBI. Additionally, the role provides access to sign-on reports and activity in Azure AD and data returned by the Microsoft Graph reporting API. A user assigned to the Reports Reader role can access only relevant usage and adoption metrics. They don't have any admin permissions to configure settings or access the product specific admin centers like Exchange. |
| Search administrator | Search administrator | Users in this role have full access to all Microsoft Search management features in the Microsoft 365 admin center. Search Administrators can delegate the Search Administrators and Search Editor roles to users, and create and manage content, like bookmarks, Q&As, and locations. Additionally, these users can view the message center, monitor service health, and create service requests. |
| Search editor | Search editor | Users in this role can create, manage, and delete content for Microsoft Search in the Microsoft 365 admin center, including bookmarks, Q&As, and locations. |
| | Security administrator | Users with this role have all of the read-only permissions of the Security reader role, plus the ability to manage configuration for security-related services: Azure Active Directory Identity Protection, Azure Information Protection, Privileged Identity Management, and Office 365 Security & Compliance Center. |
| | Security Operator | Creates and manages security events. |
| | Security reader | Users with this role have global read-only access, including all information in Azure Active Directory, Identity Protection, Privileged Identity Management, as well as the ability to read Azure Active Directory sign-in reports and audit logs. The role also grants read-only permission in Office 365 Security & Compliance Center. |
| Service administrator | Service administrator | Users with this role can open support requests with Microsoft for Azure and Office 365 services, and views the service dashboard and message center in the Azure portal and Office 365 admin portal. |
| SharePoint administrator | SharePoint administrator | Users with this role have global permissions within Microsoft SharePoint Online, when the service is present, as well as the ability to manage support tickets and monitor service health. |
| Skype for Business administrator | Skype for Business administrator | Users with this role have global permissions within Microsoft Skype for Business, when the service is present, as well as manage Skype-specific user attributes in Azure Active Directory. Additionally, this role grants the ability to manage support tickets and monitor service health. Note: In Microsoft Graph API, Azure AD Graph API and Azure AD PowerShell, this role is identified as "Lync Service Administrator". It is "Skype for Business Service Administrator" in the Azure portal. |
| Teams Communications Administrator | Teams Communications Administrator | Users in this role can manage aspects of the Microsoft Teams workload related to voice & telephony. This includes the management tools for telephone number assignment, voice and meeting policies, and full access to the call analytics toolset. |
| Teams Communications Support Engineer | Teams Communications Support Engineer | Users in this role can troubleshoot communication issues within Microsoft Teams & Skype for Business using the user call troubleshooting tools in the Microsoft Teams & Skype for Business admin center. Users in this role can view full call record information for all participants involved. |
| Teams Communications Support Specialist | Teams Communications Support Specialist | Users in this role can troubleshoot communication issues within Microsoft Teams & Skype for Business using the user call troubleshooting tools in the Microsoft Teams & Skype for Business admin center. Users in this role can only view user details in the call for the specific user they have looked up. |
| Teams Service Administrator | Teams Service Administrator | Users in this role can manage all aspects of the Microsoft Teams workload via the Microsoft Teams & Skype for Business admin center and the respective PowerShell modules. This includes, among other areas, all management tools related to telephony, messaging, meetings, and the teams themselves. This role also grants the ability to manage O365 groups. |
| User management administrator | User administrator | Users with this role can create and manage all aspects of users and groups. Additionally, this role includes the ability to manage support tickets and monitors service health. Some restrictions apply. For example, this role does not allow deleting a global administrator. User Account administrators can change passwords for users, Helpdesk administrators, and other User Account administrators only. |
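One way to review who currently holds the roles the table describes as sensitive or able to reset other administrators' credentials, as an added example that is not part of the original post. It assumes the AzureAD PowerShell module with an open Connect-AzureAD session; the function name Get-SensitiveRoleHolder and the default role selection are illustrative, and the name mapping comes from the notes in the table.

```powershell
# Added example (not from the original post): list holders of sensitive roles.
# Assumes the AzureAD module is installed and Connect-AzureAD has been run.

# Portal name -> name used by Azure AD PowerShell, per the notes in the table.
$PowerShellRoleName = @{
    'Global Administrator'                     = 'Company Administrator'
    'Password Administrator'                   = 'Helpdesk Administrator'
    'Skype for Business Service Administrator' = 'Lync Service Administrator'
}

function Get-SensitiveRoleHolder {   # hypothetical helper name
    param(
        # Roles the table flags as sensitive or able to reset admin credentials.
        [string[]]$PortalRoleName = @(
            'Global Administrator',
            'Privileged Role Administrator',
            'Privileged Authentication Administrator',
            'B2C IEF Keyset Administrator',
            'B2C IEF Policy Administrator'
        )
    )

    # Only roles that have been activated in the tenant are returned here.
    $activeRoles = Get-AzureADDirectoryRole

    foreach ($name in $PortalRoleName) {
        # Translate the portal name when PowerShell uses a different one.
        $lookup = $PowerShellRoleName[$name]
        if (-not $lookup) { $lookup = $name }

        $role = $activeRoles | Where-Object { $_.DisplayName -eq $lookup }
        if (-not $role) {
            [pscustomobject]@{
                Role = $name; Member = $null; Type = $null; MemberCount = 0
                Note = "Not activated in this tenant (looked up as '$lookup')"
            }
            continue
        }

        $members = @(Get-AzureADDirectoryRoleMember -ObjectId $role.ObjectId)
        foreach ($m in $members) {
            # Users carry a UPN; service principals only have a display name.
            $who = if ($m.UserPrincipalName) { $m.UserPrincipalName } else { $m.DisplayName }
            [pscustomobject]@{
                Role        = $name
                Member      = $who
                Type        = $m.ObjectType
                MemberCount = $members.Count
                Note        = ''
            }
        }
    }
}

# Example run: review the output, then archive it for the next audit.
Get-SensitiveRoleHolder | Sort-Object Role, Member | Format-Table -AutoSize
```

Searching for "Global Administrator" directly returns nothing in this module, which is why the lookup goes through the "Company Administrator" name first.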