The blog of Wictor Wilén

  • Finally! Proper custom themes in SharePoint Online!

    Tags: SharePoint Online

    Microsoft Ignite is just around the corner and the sheer number of new announcements for SharePoint and SharePoint Online has been almost overwhelming. The team is doing such a tremendous job right now!

    One of my favorite features, that I have requested both privately and openly with Microsoft, is the ability to have custom themes for SharePoint. Yes, we had the old “look and feel” thing, custom CSS thing, Office 365 suite bar branding, but there has never been a good way of using this in Modern sites or even the possibility to turn off the default themes. And now, last week, Microsoft announced a new set of features that can do all of this for us – create custom themes, a nice theme designer and the ability to hide the default themes.

    Let’s go through how this works (note that the feature is not currently available in all tenants)…

    How to add your own themes

    By default in Modern sites (Teams, Communications and Hub sites) in SharePoint Online you are given a set of default themes (Blue, Orange, Red, Purple, Green and Gray), which can be changed through the cog wheel settings menu in the suite bar by choosing Change the look.

    Default Themes

    In order to create your own Theme, you go to the theme builder at aka.ms/spthemebuilder. Using this tool you can create a theme visually and then get a set of snippets to be used in PowerShell to add the theme to your tenant.

    The Theme Builder

    Once you have created your theme, all you need to do is to fire up your SharePoint Online PowerShell window and start writing some PowerShell. Make sure that you have the latest version of the SharePoint Online Management Shell.

    First of all you need to connect to your SPO tenant:

    Connect-SPOService -Url https://contoso-admin.sharepoint.com
    

    While the theme builder has a great feature that allows you to export the PowerShell settings required to create your theme, it does not really work (at least not in the builder and the shell versions that exist at the time of writing this blog post). The theme builder PowerShell generates a Hashtable but the PowerShell command requires a Dictionary object, so here's a quick way to do that conversion (until they fix the builder and/or the cmdlet).

    $builder = [paste the PowerShell code from the builder here]
    $theme = New-Object "System.Collections.Generic.Dictionary``2[System.String,System.String]"
    $builder.Keys | %{$theme.Add($_, $builder[$_])}
    

    Now, that we have a PowerShell variable with our Theme we can use the Add-SPOTheme cmdlet to add our theme, like this:

    Add-SPOTheme -Name "Contoso Purple" -Palette $theme -IsInverted:$false

    And voilà! We have a new custom theme available:

    Oh, looky - a custom theme

    We can in the same way add more themes, and when we don’t want them anymore we can use the Remove-SPOTheme cmdlet. There’s also a Get-SPOTheme cmdlet that allows you to get a theme by name, unfortunately it is not possible to use that cmdlet without any parameters and list all available ones (feedback SP Team, feedback).

    The IsInverted flag is used for dark theme (true) and light theme (false), so SharePoint knows when to render light text on top of dark and vice versa.

    Hide the default ones

    An almost as cool feature is that you can actually hide the default themes. Using the Set-HideDefaultThemes cmdlet you can turn the default themes on or off (oh, and I don’t know why this cmdlet is not prefixed with SPO!?)

    Set-HideDefaultThemes -HideDefaultThemes:$true
    

    And now you should only see your themes:

    No default stinkin stuff here...

    If you want the default ones back you just fire off this:

    Set-HideDefaultThemes -HideDefaultThemes:$false
    

    More options

    [Added] Vesa Juvonen pointed out so correctly that you can do this programmatically as well. You can check the full documentation of this feature here with REST and CSOM options for ya devs.

    Summary

    The new themes features in SharePoint Online will make it easier to have a consistent look and feel in all your Modern SharePoint sites, and will be a feature that your communications and marketing departments will love.

  • Using Device Codes to authenticate Bots with Azure AD

    Tags: Bot Framework, Microsoft Teams, npm, Microsoft Azure, Microsoft Graph, Azure AD

    I’ve been building chat-bots for a while now and I’m seeing more and more requests for building these bots for enterprises. For bots targeted at the enterprise, perhaps being hosted in Microsoft Teams, one of the first requirements is that they should get data from their internal systems and most specifically from Office 365, through the Microsoft Graph. The problem here is that we need to authenticate and authorize the user, through Microsoft Azure AD, to be able to access these resources. A Microsoft Bot Framework bot does not inherit the credentials or security tickets from the application the bot is being invoked from, so we need to handle this ourselves. For instance, even though you have logged in to Microsoft Teams, or Skype for Business or your Intranet – your security token cannot (and should not) be passed to the Bot.

    This is not mission impossible, and there are multiple ways of implementing this. For instance if you’re building Bot Framework bots using .NET you can use the AuthBot and with node.js there’s the botauth module. There are also other (a bit weird and specialized) ways of doing this by using the backchannel.

    All of these are custom implementations with either sending an already existing access token to the bot or using home brewed magic number generators. But, there’s a much simpler way of doing this – using the native and built-in features of the Azure Active Directory Authentication Library (ADAL), specifically using the OAuth 2.0 Device Flow.

    In this post I will demonstrate how to create a bot from scratch and use the device flow to sign in and get data from Microsoft Graph. It will all be built using node.js and TypeScript – but the procedure is the same for any kind of environment.

    Creating the bot

    First of all we need to create a bot using the Bot Framework portal. Give the bot a name, handle, description and specify the messaging endpoint. You can use localhost for testing but in the end you should have a publicly available URL to be able to use it in the different Bot channels. In this sample we need to make sure that the messaging endpoint ends with /api/messages. Then you need to create a Microsoft App ID and a password – just follow the wizard and take a note of the ID and specifically the password – you will only see it once. Once you’re done, save your bot.

    Configuring the App platform for the bot

    The bot created in the Bot Framework portal, is essentially an Application in the Microsoft Application Registration Portal. In order to use this Application ID with Azure AD and Microsoft Graph, we need to log in to that portal and find our newly registered bot and then add a platform for it. In this case let’s add a Native Application. You don’t have to configure it or anything, it just needs to have a platform.

    Setting the platform for the App

    In this portal you can also add the delegated permissions for your bot, under Microsoft Graph Permissions. For the purpose of this demo we only need the User.Read permissions.

    Let’s write some code

    Next step is to actually start writing some code. This will be done in node.js, using TypeScript and a set of node modules. The most important node modules used in this demo are:

    • webpack – bundles our TypeScript files
    • ts-loader – webpack plugin that transpiles TypeScript to JavaScript
    • express – node.js webserver for hosting our Bot end-point
    • adal-node – ADAL node.js implementation
    • @microsoft/microsoft-graph-client – a Microsoft Graph client
    • botbuilder – Bot Framework bot implementation

    All code in this sample is found in this Github repo: https://github.com/wictorwilen/device-code-bot. To use it, just clone the repo and run npm install. Then to be able to run it locally or debug it you can add a file called .env and in that file add your Application ID and password as follows:

    MICROSOFT_APP_ID=fa781336-3114-4aa2-932e-44fec5922cbd
    MICROSOFT_APP_PASSWORD=SDA6asds7aasdSDd7

    The hosting of the bot, using express, is defined in the /src/server.ts file. For this demo this file contains nothing specific, apart from starting the implementation of the bot – which is defined in /src/devicecodebot.ts.

    In the bot implementation you will find a constructor for the bot that creates two dialogs; the default dialog and a dialog for sign-ins. It will also initialize the ADAL cache.

    constructor(connector: builder.ChatConnector) {
        this.Connector = connector;
        this.cache = new adal.MemoryCache()
    
        this.universalBot = new builder.UniversalBot(this.Connector);
        this.universalBot.dialog('/', this.defaultDialog);
        this.universalBot.dialog('/signin', this.signInDialog)
    }

    The implementation of the default dialog is very simple. It will just check if we have already logged in, but in this demo we will not set that value, so a login flow will always be started by starting the sign-in dialog.

    The sign-in dialog will create a new ADAL AuthenticationContext and then use that context to acquire a user code.

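    // Create an ADAL context that shares the bot's token cache
    var context = new AuthenticationContext('https://login.microsoftonline.com/common',
        null, this.cache);
    // Ask for a user code for Microsoft Graph on behalf of this app
    context.acquireUserCode('https://graph.microsoft.com',
        process.env.MICROSOFT_APP_ID, '',
        (err: any, response: adal.IUserCodeResponse) => {
            ...
        });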

    The result from this operation (IUserCodeResponse) is an object with a set of values, where we in this case should pay attention to:

    • userCode – the code to be used by the user for authentication
    • message – a friendly message containing the verification url and the user code
    • verificationUrl – the url where the end user should use the user code (always aka.ms/devicelogin)

    We use this information to construct a Bot Builder Sign-In Card and send it back to the user:

    var dialog = new builder.SigninCard(session);
    dialog.text(response.message);
    dialog.button('Click here', response.verificationUrl);
    var msg = new builder.Message();
    msg.addAttachment(dialog);
    session.send(msg);

    This allows us to invoke the authorization flow for the bot from a Bot Framework channel. The end user should click on the button, which opens a web browser (to aka.ms/devicelogin), and that page will ask for the user code. After the user has entered the user code, the user will be asked to authenticate and, if it is the first time, also to consent to the permissions asked for by the bot.

    In our code we then need to wait for this authorization, authentication and consent to happen. That is done as follows:

    context.acquireTokenWithDeviceCode('https://graph.microsoft.com',
        process.env.MICROSOFT_APP_ID, response,
        (err: any, tokenResponse: adal.IDeviceCodeTokenResponse) => {
            if (err) {
                // Sign-in failed: report the error and start the sign-in dialog again
                session.send(DeviceCodeBot.createErrorMessage(err));
                session.beginDialog('/signin');
            } else {
                // Keep the access token in the bot's per-user state
                session.userData.accessToken = tokenResponse.accessToken;
                session.send(`Hello ${tokenResponse.givenName} ${tokenResponse.familyName}`);
                ...
            }
        });

    The result from this operation can of course fail and we need to handle that, in this case by just sending the error as a message and restarting the sign-in flow. If successful we will get all the data we need to continue (IDeviceCodeTokenResponse) such as access-token, refresh-token, user-id, etc. In a real world scenario you should of course store the refresh token, in case the access token times out. And it is also here that we potentially tell our bot that the user is signed in and redirect subsequent dialogs to what we want to do.
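
    What the bot is waiting on between the two ADAL calls, as an added example that is not part of the original post or of ADAL itself: a plain JavaScript (node.js) simulation of the device flow's token polling, using the error codes defined in RFC 8628. FakeAuthServer, pollForToken, runScenario, the placeholder URL and all code values are constructed for illustration, and Azure AD's own error names may differ.

```javascript
// Constructed stand-in for the authorization server (the real one is Azure AD).
// Times are seconds on a virtual clock so the example runs instantly and offline.
class FakeAuthServer {
  constructor(expiresIn = 900, interval = 5) {
    this.expiresIn = expiresIn;
    this.interval = interval;
    this.grants = new Map(); // device_code -> grant state
  }

  // Device authorization request: the step acquireUserCode() performs.
  // Real codes are random; these are fixed so the run is deterministic.
  requestCodes(clientId, now) {
    const n = this.grants.size + 1;
    const grant = { clientId, userCode: `CODE${n}`, status: 'pending',
                    expiresAt: now + this.expiresIn, lastPoll: now };
    this.grants.set(`device-secret-${n}`, grant);
    return { device_code: `device-secret-${n}`, // stays with the bot
             user_code: grant.userCode,         // shown to the user
             verification_uri: 'https://login.example/device', // placeholder
             expires_in: this.expiresIn, interval: this.interval };
  }

  // The user types the user code into the browser and approves or declines.
  userDecision(userCode, approve) {
    for (const g of this.grants.values()) {
      if (g.userCode === userCode && g.status === 'pending') {
        g.status = approve ? 'approved' : 'denied';
      }
    }
  }

  // Token request: what the bot polls with its device code.
  token(clientId, deviceCode, now) {
    const g = this.grants.get(deviceCode);
    if (!g || g.clientId !== clientId) return { error: 'invalid_grant' };
    if (now >= g.expiresAt) return { error: 'expired_token' };
    const tooSoon = now - g.lastPoll < this.interval;
    g.lastPoll = now;
    if (tooSoon) return { error: 'slow_down' };
    if (g.status === 'denied') return { error: 'access_denied' };
    if (g.status === 'pending') return { error: 'authorization_pending' };
    this.grants.delete(deviceCode); // a device code can be redeemed only once
    return { access_token: 'constructed-access-token', token_type: 'Bearer' };
  }
}

// Client side: the kind of loop a library runs while the bot waits for sign-in.
// `events` holds { at, run } callbacks that model the user acting in the browser.
function pollForToken(server, clientId, codes, events = [], firstInterval = codes.interval) {
  let now = 0; // the codes were issued at t = 0
  let interval = firstInterval;
  const trace = [];
  const pending = [...events].sort((a, b) => a.at - b.at);
  for (;;) {
    now += interval; // "sleep" for the polling interval
    while (pending.length && pending[0].at <= now) pending.shift().run();
    const res = server.token(clientId, codes.device_code, now);
    trace.push(`t=${now} ${res.error || 'token'}`);
    if (res.access_token) return { outcome: 'signed-in', token: res.access_token, trace };
    if (res.error === 'authorization_pending') continue; // user has not acted yet
    if (res.error === 'slow_down') { interval += 5; continue; } // RFC 8628: add 5 s
    return { outcome: res.error, trace }; // denied, expired or invalid: stop polling
  }
}

// Runs one complete flow for a hypothetical client id 'bot-app-id'.
function runScenario({ expiresIn = 900, firstInterval, userActsAt, approve } = {}) {
  const server = new FakeAuthServer(expiresIn);
  const codes = server.requestCodes('bot-app-id', 0);
  const events = userActsAt === undefined ? [] :
    [{ at: userActsAt, run: () => server.userDecision(codes.user_code, approve) }];
  const result = pollForToken(server, 'bot-app-id', codes, events, firstInterval);
  return { ...result, server, codes };
}

console.log(runScenario({ userActsAt: 12, approve: true }).trace);
console.log(runScenario({ userActsAt: 3, approve: false }).trace);
console.log(runScenario({ expiresIn: 20 }).trace);
console.log(runScenario({ firstInterval: 2, userActsAt: 4, approve: true }).trace);
```

    The error callback in the bot code above is where the denied and expired outcomes end up, which is why it restarts the sign-in dialog to obtain a fresh user code.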

    Now we can use this access token to grab some stuff from the Microsoft Graph. In the following code, with a very simplistic approach where we do not handle timed out access tokens, we just grab the title of the user and send it back to the user.

    // Graph client that hands the stored access token to every request
    const graphClient = MicrosoftGraph.Client.init({
        authProvider: (done: any) => {
            done(null, session.userData.accessToken);
        }
    });
    // Read the signed-in user's job title and end the dialog with it
    graphClient.
        api('/me/jobTitle').
        version('beta').
        get((err: any, res: any) => {
            if (err) {
                session.send(DeviceCodeBot.createErrorMessage(err));
            } else {
                session.endDialog(`Oh, so you're a ${res.value}`);
            }
        });

    Run the application

    To run the application first we need to transpile and bundle it using webpack like this:

    npm run-script build

    Then we start the express server like this:

    npm run-script run

    To test it locally we need to use the Bot Framework emulator. Download it, run it and configure it to run at http://localhost:3007/api/messages. Type anything in the emulator to start the sign-in experience.

    Testing the bot with the Bot Framework emulator

    As soon as you’ve written something the Sign-In card will be displayed. When you click on the button a browser window will open and you will be asked to type the code. When you’ve done that you will be asked to sign in and consent. And shortly after that the bot will come alive again and type the user's name and, if all works well, also the job title of the user.

    Consenting the device code bot

    If you decide to publish your bot (for instance to Azure, all the necessary files are in the Github repo to Git publish it to Azure) you can also use the bot in other channels, for instance Skype:

    The device code bot in Skype

    Summary

    As you’ve now seen, it is very easy to create a simple and elegant sign-in flow for your bots, without sacrificing any security, and all using standard features of ADAL and OAuth. This will nicely work with any Azure AD accounts, with MFA or not.

  • Re-awarded as Microsoft MVP for the 8th year

    Tags: MVP, Personal

    Today is the day where the Microsoft community officially awards the community with the Microsoft MVP award. We will all receive some new friends and old friends and also we lose some dear friends (that we of course hope to see back into the program again). I’ve been fortunate to be re-awarded with the Office Servers and Services Microsoft MVP award, for the 8th consecutive year. Thank you Microsoft!

    MVP Award e-mail

    As usual, being an MVP is not something you can take for granted and you have to work hard to stay in the program. But all you can do is have fun and share your joy with the rest of the Microsoft community. I really would like to thank my peer MVPs, the community and the Microsoft product teams – specifically the SharePoint and Teams teams. I’ve had tons of fun this year and I’m looking forward to an exciting new year ahead.

  • yo teams have a new home, and officially backed by Microsoft

    Tags: Microsoft Teams, Yeoman, Npm, Git

    A couple of months back I started creating a Yeoman generator to make it easier for me to scaffold, build and deploy the Microsoft Teams extensions (now apps). I’ve received very good feedback on it and had some very nice contributions to the project, which was hosted on my public Github account.

    To really make this available for everyone to use I’ve been discussing this project with the Microsoft Teams team about having it “officially backed” by the real team and not just me as an individual. After some interesting discussions the Microsoft Teams generator now has a new home.

    The Microsoft Teams Yeoman generator has now been transferred to the OfficeDev organization on Github and lives in this repository: https://github.com/OfficeDev/generator-teams

    I think this is great and it will allow more organizations to actually use the generator. We’ve switched to MIT licensing and we added some contribution guidelines to be able to do this move. The rest is intact. All the old links to the repo will now redirect to the new one and you still use npm to install it in the same way.

    We have some nice updates coming shortly to it, of which some you can see in the preview branch, that uses all the latest and greatest features of Microsoft Teams Apps.

    A big thank you to Bill Bliss who set things in motion and did all the heavy lifting, and of course to all the contributors to the generator and to the great Microsoft Teams team!

    #yoteams

  • How to generate SharePoint Framework bundles for multiple tenants

    Tags: SharePoint Framework, npm, SharePoint

    If you are an ISV or SI with multiple clients and are interested in building SharePoint Framework (SPFx) solutions that you would like to re-use you will face a huge issue when it comes to referencing SharePoint JavaScript files and referencing your SharePoint Framework bundles. All these URLs are hardcoded into your solution configuration files and require you to update these files and rebuild for each and every client environment. And not only that, even in your own development team this will cause issues if you don't have a shared development environment.

    This causes a lot of issues and headaches. Each and every developer needs to update the configuration files in the SharePoint Framework - meaning that they will check-out the files and then eventually check them back in with their specific tenant information, which will break the solution for another developer. Same goes if you want to deploy a solution to another client; you check the files out update with the new client information and the more clients you have the worse it gets.

    The SharePoint Framework is essentially built so that you should NOT reference any SharePoint JavaScript files (think CSOM/JSOM) and always host your bundled SPFx files in a public CDN. In practice this doesn't work. There are tons of features in JSOM that you would like to use, such as managed metadata. Also very few clients really want their JavaScripts to be hosted in a location they don't own or have control of.

    So, SharePoint Framework as of now is very limited and it is a mess for you as a developer, SI or ISV. I know, that's exactly where I've been, until now!

    Introducing the spfx-build-url-rewrite node package

    To sort this issue out I've built a node.js package called spfx-build-url-rewrite that helps you re-write those URLs at build time. All it requires is that you in your config files use a specific URL that the package knows about (currently it's contoso.sharepoint.com - I know, I'll make it configurable/better later) and when building you specify the URL you want to replace it with, and voila - you can now automate builds for any number of clients/environments.

    How it works

    First of all you need to install the node module into your SPFx solution using npm:

    npm install spfx-build-url-rewrite --save

    Then you need to modify the gulpfile.js to use this module. Just before the initialize method you need to add two lines so it looks like this:

    const rewrite = require('spfx-build-url-rewrite');
    rewrite.config(build);
    
    build.initialize(gulp);

    Whenever you want to reference a script inside SharePoint, such as the JSOM files or you want the SPFx CDN to be in SharePoint you modify the config.json or write-manifest.json files to use https://contoso.sharepoint.com instead of your tenant URL.

    config.json

    externals in config.json

    write-manifest.json

    cdn base path in write-manifest.json

    Now when you build the solution you append the argument --target-cdn <url> to replace the URLs in your solution, as follows:

    gulp build --target-cdn https://fabrikam.sharepoint.com
    gulp bundle --target-cdn https://fabrikam.sharepoint.com
    gulp package-solution

    If you don't want to specify this for each and every command you can create an empty file called .env and specify the substitution URL in it like this:

    TargetCdn=https://fabrikam.sharepoint.com

    Summary

    I hope this small node package makes your life easier, it sure makes mine! If you have any feedback please use the Github repository.

    And as a final note, even though it is supported to extend the build pipeline of SPFx this is possibly in the grey zone - but it works…on my machine.

  • yo teams: a full Microsoft Teams extensibility Yeoman generator

    Tags: Microsoft Teams, Bot Framework, TypeScript, Yeoman, Office 365, Gulp, Git

    A couple of weeks back I published a Yeoman generator to build Tabs for Microsoft Teams. Since then I've continued to add stuff to it as the Teams team has continued to add features to their extensibility story. So, this generator is not only for creating Tabs, but now also for adding Bots and Custom Bots to Microsoft Teams. With that I decided to rename the generator to yo teams (generator name is generator-teams).

    I'm very thankful for the over 600 downloads within less than a month, and all the positive feedback, the issues and PRs created. Keep it coming.

    What's new?

    The two big new features of the generator are the ability to add either a reference to an existing bot that you want to use (your own, or any bot in the Bot Framework directory) or to create a bot from scratch, using the Bot Framework. You can also add a custom bot, which is a Microsoft Teams specific webhook that acts like a bot, which can be used by specific Teams only and you don't have to add it to the Bot Framework - perfect for those internal smart bots you want to build.

    yo teams

    The source code has also gone through some heavy refactoring with sub-generators and all. There's more to come…

    Both the Bot and Custom bot use the JavaScript/TypeScript implementations of the Bot Framework and you have some boilerplate code to get started, including readme files of the essentials.

    If you have any issues, or feedback, or problem or just feeling chatty, then use the Issues list on Github.

    What do I need to do?

    If you already used the old generator, uninstall it with npm uninstall generator-teams-tab --global and then install the new generator with npm install generator-teams --global. All your current solutions will work, but I recommend that you, if you feel like it, "move" all your code over to a newly created project.

    The old npm package is deprecated and you will get a warning if you try to install it.

    The Github repository has been renamed, but the old one will still redirect you to the correct location. You can find it here: https://github.com/wictorwilen/generator-teams

  • Congratulations to the Microsoft Teams team on an excellent delivery

    Tags: Microsoft Teams, Office 365

    A big round of applause for Microsoft and the team behind Microsoft Teams for now being generally available (GA) worldwide. Today, they lit up the Teams icon in the Office 365 waffle for all tenants (unless your admins are being boring and have turned it off).

    It's been awesome to be a part of this preview journey, which started last summer. Avanade was selected as one of the TAP members, in a preview program shrouded in a secrecy I've not seen at Microsoft before. Our IT department slowly trickled it out, so that we had a chance of learning how Microsoft Teams could fit into our organization and our way of working. A big thanks to David who has mastered the preview program internally.

    When Microsoft Teams was unveiled to the public, back in November, we did our first point-of-view based on our experience so far. Since then I would say that the way we work has changed dramatically. Many of our teams and interest groups have quickly adopted this new chat-based workspace - not just for chatting but as the preferred channel for communication and collaboration. It fits our style of work perfectly, given how spread out our teams are and the different time zones we're working in.

    Personally I've been way more effective in my work since we started to adopt Microsoft Teams. The number of unnecessary e-mails has gone down dramatically, my inbox is not flooded with simple questions, or links, or things that can more easily be expressed through a chat. One thing that has surprised me is how much more we use the ad-hoc chats compared to what I had expected; we don't all have to be online at the same time - you can easily go back and see what's been discussed while you were away or in a meeting. Sharing of files and notes is so much easier now and it allows us to have an ongoing discussion about them.

    It's been a blast discussing Microsoft Teams with my clients. And I'm thrilled that some of them now are leading with "Teams first" - that is you create a Team, not a SharePoint team site, not an Office 365 Group. You get them for free with Teams anyways. This will change the way collaboration is done for enterprises going forward, without doing trade offs for compliance, governance and security.

    This is the first release of many to come. And the number of features that have popped up over the last few months is incredible. And I'm sure we will see some more productivity enhancers going forward.

    Once again, thank you to the team behind Microsoft Teams.

  • yo teams-tab: A Microsoft Teams Tabs Yeoman generator

    Tags: Microsoft Teams, Office 365, Yeoman, Git, Gulp

    I'm happy to announce that today at SharePoint Saturday Munich I presented a new Yeoman generator for building Microsoft Teams Tabs projects. Tabs in Microsoft Teams is a great way to extend the user interface and to do integrations to other systems and provide visualizations. Tabs are based on a JavaScript framework, a set of web pages and a manifest describing the Tab. It requires a set of manual steps to both build out the pages, configuring CSS, hooking up the JavaScripts, deploying it all to a web site hosted in the cloud, writing the manifest, packaging the manifest into a zip file and more.

    With the Teams Tab generator you can in an easy manner scaffold out the project and get a build and deployment pipeline, and be up and running in a few minutes.

    yo teams-tab

    The project that will be created is a TypeScript based project with a set of Gulp tasks to build the project and package the manifest, and optionally a built-in Express server to host the web sites and configuration so that you can with a simple command deploy your project to an Azure Web App.

    How to get it

    The generator is published as an npm package and you use npm to install it. The following command will install it as a global package for you to scaffold your Teams tabs.

    npm install generator-teams-tab --global

    How to use it

    To create a new Teams Tab all you need to do is open up a command prompt and use Yeoman to create the project. The generator will ask you a set of questions and your project will be configured based on those.

    yo teams-tab

    How to use the project

    The project contains all source code you need to build and deploy tabs. Use Visual Studio Code or whatever text editor you prefer. The source code is divided into two areas. The first one being the actual tabs (pages and scripts), located in ./src/app. You will find one folder called web which contains the web pages required for a tab; such as the actual tab page, the configure page and remove page. In the scripts folder you will have the TypeScript files in which you build the logic for your tabs. For instance the actual main tab page, tab.html, has a corresponding tab.ts TypeScript file. You'll get it…

    In the ./src/app folder there is also a TypeScript file called server.ts. Note, this file only exists if you answer yes to the question on using Express to host the Tab. This file is the server side node.js web server. If you need to modify the paths or want it to do fancier stuff than just client-side scripting this is where you start hacking.

    There's also a folder called ./src/manifest which contains the Tab manifest, a json file you might want to configure. And that folder also contains the two images you need to have for a Tab.

    The tab project

    How to build it

    You build the tab by using a simple Gulp task that will transpile and bundle your TypeScript into JavaScript and sets up the web server. Just use the following command to build it

    gulp build

    Once you've built it you can follow the instructions in the README.md file to deploy it to an Azure Web App.

    The manifest for the tab is created by using another Gulp task:

    gulp manifest

    This task will create a zip file that you use to upload to your Teams team and it references the specified web site hosting the tabs. The file being created is located at ./package/tab.zip

    This is great, but I want to…

    I know, you want to have more stuff in the generator. It's all available on Github for you to grab and hopefully come back with suggestions. Go git it here: https://github.com/wictorwilen/generator-teams-tab

    I'm looking forward to feedback and I'll keep updating the generator in line with what the Teams team are doing with their JavaScript framework, which is currently at 0.4.

    glhf

  • SharePoint Framework has now reached General Availability - such a great journey

    Tags: SharePoint Framework, Office 365, SharePoint

    Let me start with congratulating the SharePoint Framework team on an amazing job and an amazing journey reaching this GA milestone.

    The SharePoint Framework plays a significant part of the SharePoint future, yes - this is only the first version with a lot of new features on the way, and it is a part of the new SharePoint wave. I haven't seen this interest in SharePoint for many years and I'm glad I'm still in this business, delivering top notch collaboration solutions for our clients at Avanade. The SharePoint Framework will make it easier for us to customize SharePoint and it will also bring a lot more value for our clients in the end allowing them to stay evergreen and not being tied into "workarounds" and pesky SharePoint Designer hacks or arbitrary JavaScript snippets.

    I'm extremely glad that I've been a part of this journey, seeing the team making the awesome stuff they've done. For me it started back in the fall of 2015 when we were shown some very early ideas on where to go next and also some whiteboard sessions where we had an open and frank discussion about what the requirements were from the field. This openness is something that I think has made the difference this time and made the SharePoint Framework into what it is. All discussions were kept very secret and I'll tell you it was hard not to cry out to everyone how excited I was on the progress.

    Early 2016 I was part of the first DevKitchen, where we had the opportunity to use SharePoint Framework for the first time. The team had only in a couple of months created something that actually worked! It was very satisfying to build that first web part (I do think that I was the first outside of Microsoft that actually built a client-side Web Part!). The framework had its quirks and issues back then, but they kept the speed up and delivered. A few more DevKitchens were hosted and finally in May they revealed the SharePoint Framework to the public.

    Just after the summer everyone could get their hands on the first public release of the SharePoint Framework and the SPFx Team opened the floodgates of feedback through their Github repository. It has been fantastic to see all the support, wishes, bugfixes, samples and documentation that the public (and specifically Waldek) has produced to support the SharePoint Framework. And how fast and agile the team has responded to all the requests and issues. This is how Microsoft should build more stuff!

    I've tried to do my best giving feedback as a consultant and developer, and on the things my clients need. I'm particularly proud of the enterprise guidance documentation that I've helped with. I absolutely love being part of this community.

    Now, we're here, within a few weeks all tenants in Office 365 should be able to use the SharePoint Framework to build great stuff and awesome client-side Web Parts. We're already in the midst of porting our solutions to take advantage of the SharePoint Framework and getting it in the hands of our clients.

    Thank you to the SharePoint Framework Team - I'm so looking forward to what's happening next. See you in a few weeks in Redmond ;-).

    Let's make SharePoint great again!

  • Configuring Office 365 Groups creation the right way

    Tags: Office 365, Office 365 Groups, Azure AD

    Over the last few days the issue of how to prevent users from creating Office 365 Groups has popped up in all sorts of conversations. This blog post will show you how to do it in the correct way, and serve as a future reference. I'm not the only one who has blogged about this; it's covered in many places, including the official documentation. But in many places both the scripts and some of the caveats are either wrong or outdated. One post covers this topic really well, in a good and correct way, and it's this post by John P. White - Disable Office 365 Groups, part 2. Read it! This post, however, will show you how to do it in a more direct way, using PowerShell.

    Background

    We used to prevent end-users from creating Office 365 Groups (from now on referred to as only Groups) using an OWA Mailbox policy. Even I have a blog post on that topic. But this way to do it is outdated. That mailbox policy only applies to Groups being created from OWA (Outlook Web Access, Outlook on the web…whatever) and Outlook. It did not prevent people from creating Groups using Microsoft Teams, Planner, StaffHub, PowerBI, Dynamics 365 and what not.

    How to do it properly

    Instead of continuing to build on the Mailbox policy, this setting has now moved to Azure AD. You can even see it in the "new" Azure Portal, although the portal doesn't really reflect the real settings, and it doesn't show all of them.

    Azure AD Settings for Office 365 Groups

    The way to do it is to use PowerShell and essentially follow the official documentation. The problem with that article, however, is that it contains a few errors, is not updated, has some weird scripts and is just too darn long to read through. So, here's my PowerShell for this. You can find the complete script in this Gist.

    Prerequisites

    To be able to run the PowerShell you need to install some stuff:

    • The Microsoft Online Services Sign-in assistant
    • The Windows Azure Active Directory Module for PowerShell - and here's a big thing. You MUST (at the time of writing) only use the preview version, with version number 1.1.130.0-preview found here. Do not try to download the higher version with version number 1.1.166.0 - it will not work.

    Now that we've got that out of the way, let's get to the fun stuff.

    Scripting FTW

    First we need to log in to our tenant using an admin account. I prefer to use the Get-Credential method over the dialog option; it makes everything smoother.

    # Store the credentials in a variable
    $creds = Get-Credential
    
    # Connect to the Microsoft Online services
    Connect-MsolService -Credential $creds 
    
    

    The next thing is to make sure that users are allowed to create Groups, we'll limit it later. Make sure you use the script below and not the one in the official article as they have spelling errors on the variable.

    # Get tenant setting (misspelled in official docs)
    Get-MsolCompanyInformation | Format-List UsersPermissionToCreateGroupsEnabled
    
    # If false, then use the following
    Set-MsolCompanySettings -UsersPermissionToCreateGroupsEnabled $true
    
    

    To limit the users allowed to create Groups we need to have a security group with members in Azure AD. And we need the Id of that group, so we'll grab it with some PowerShell:

    # Retrieve ID of Group that should have the option to create groups
    $group = Get-MsolGroup -SearchString "Group creators" 
    
    

    The settings we need to set are contained in an Azure AD object, created from a template. We retrieve that template using the following command and create our settings object like this:

    # Retrieve the Group.Unified settings template (assuming you have not done this before)
    $template = Get-MsolAllSettingTemplate | Where-Object {$_.DisplayName -eq "Group.Unified"}
    
    # Create the settings object from the template
    $settings = $template.CreateSettingsObject()
    
    

    Once we have the settings object, we can start setting properties.

    • EnableGroupCreation - should be set to false. We negate the tenant setting here, and we'll override it soon again for the specific security group
    • GroupCreationAllowedGroupId - this is the Id of the security group that is allowed to create Groups
    • UsageGuidelinesUrl - a URL pointing to your usage guidelines. Optional, but recommended
    • GuestUsageGuidelinesUrl - a URL pointing to usage guidelines for external users. This link will be shown in the external sharing e-mails and should of course be in a publicly available location. Optional, but recommended
    • ClassificationList - a comma separated list with your classification labels. Optional. Currently the first one in the list will be the default one. (does not work in all tenants at the time of writing)

    There are some more properties that you can take a look at, and over the last few weeks even some more popped up (without any documentation).

    # Use this settings object to prevent others than specified group to create Groups
    $settings["EnableGroupCreation"] = $false
    $settings["GroupCreationAllowedGroupId"] = $group.ObjectId
    
    # (optional) Add a link to the Group usage guidelines
    $settings["UsageGuidelinesUrl"] = 
      "https://contoso.sharepoint.com/Pages/GroupUsageGuidelines.aspx"
    
    # (optional) Add a link to Guest usage guidelines
    $settings["GuestUsageGuidelinesUrl"] = 
      "http://contoso.com/usageguidelines"
    
    # (optional) Add classifications to be used for Groups
    $settings["ClassificationList"] = "Public,Internal,Top Secret"
    
    # Verify
    $settings.Values
    
    

    Now we have the settings and all we need to do is to add them to Azure AD:

    # Add the settings to Azure AD
    New-MsolSettings -SettingsObject $settings
    
    

    And from now on, only members of the security group can create Office 365 Groups using all endpoints such as Planner, Teams, PowerBI, Microsoft Graph REST etc. BUT StaffHub still ignores this setting!!!!! Aaargh!

    Need to update the settings?

    If you need to update the settings, or there are new properties that you want to configure, then use the PowerShell below. The one(s) in the official documentation are really weirdly written…

    # Retrieve settings
    $settings = Get-MsolAllSettings | Where-Object {$_.DisplayName -eq "Group.Unified"}
    
    # Check the values
    $settings.Values
    
    # Update a property
    $settings["GuestUsageGuidelinesUrl"] = "http://www.wictorwilen.se"
    
    # Save the updates
    Set-MsolSettings -SettingId $settings.ObjectId -SettingsValue $settings.GetSettingsValue()
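
    The create and update paths above, combined into one re-runnable script with two checks added. This is an added example, not the author's Gist: it assumes Connect-MsolService has already run with the preview module named in the prerequisites, and it reuses the "Group creators" display name from the post.

    ```powershell
    # Added example, not the author's Gist. Assumes an existing Connect-MsolService
    # session using the preview MSOnline module the post requires.
    $creatorsGroupName = "Group creators"   # display name used in the post

    # -SearchString matches display names that START WITH the string, so require
    # exactly one exact-name hit before trusting its ObjectId.
    $candidates = @(Get-MsolGroup -SearchString $creatorsGroupName |
        Where-Object { $_.DisplayName -eq $creatorsGroupName })
    if ($candidates.Count -ne 1) {
        throw "Expected one group named '$creatorsGroupName', found $($candidates.Count)"
    }
    $group = $candidates[0]

    # Reuse the tenant's Group.Unified settings object if it exists,
    # otherwise build a new one from the template.
    $existing = Get-MsolAllSettings | Where-Object { $_.DisplayName -eq "Group.Unified" }
    if ($existing) {
        $settings = $existing
    } else {
        $template = Get-MsolAllSettingTemplate |
            Where-Object { $_.DisplayName -eq "Group.Unified" }
        $settings = $template.CreateSettingsObject()
    }

    # Deny creation tenant-wide, then allow it for the one security group
    $settings["EnableGroupCreation"] = $false
    $settings["GroupCreationAllowedGroupId"] = $group.ObjectId

    if ($existing) {
        Set-MsolSettings -SettingId $settings.ObjectId -SettingsValue $settings.GetSettingsValue()
    } else {
        New-MsolSettings -SettingsObject $settings
    }

    # Read back what the tenant stored (assumption: the indexer used for
    # writing above also reads values) and fail loudly on a mismatch.
    $stored = Get-MsolAllSettings | Where-Object { $_.DisplayName -eq "Group.Unified" }
    if ([string]$stored["GroupCreationAllowedGroupId"] -ne [string]$group.ObjectId) {
        throw "GroupCreationAllowedGroupId was not stored as expected"
    }
    $stored.Values

    # Everyone listed here can now create Groups: review it like any privileged group
    Get-MsolGroupMember -GroupObjectId $group.ObjectId -All |
        Select-Object DisplayName, EmailAddress, GroupMemberType
    ```

    Because membership of the creators group is now the only gate, the member list printed at the end is worth checking on a schedule rather than only at setup.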
    
    

    Summary

    That's it. It's not rocket science. Looking forward to further settings and also a proper UI in the Azure portal for the lazy people.

    The PowerShell is a bit weird though; it should have had a review by the PowerShell team before going into production, in my opinion.

About Wictor...

Wictor Wilén is the Nordic Digital Workplace Lead working at Avanade. Wictor has achieved the Microsoft Certified Architect (MCA) - SharePoint 2010, Microsoft Certified Solutions Master (MCSM) - SharePoint  and Microsoft Certified Master (MCM) - SharePoint 2010 certifications. He has also been awarded Microsoft Most Valuable Professional (MVP) for seven consecutive years.
