Saturday, July 25, 2020

Beware: Request SharePoint Root Certificate as administrator

On trying the Microsoft-advised workaround 1 for the situation in which, on the SharePoint 2016 central admin server, every hour a 'Critical Error' is logged with 'A certificate validation operation took milliseconds and has exceeded the execution time threshold', I initially failed as Get-SPCertificateAuthority returned Null for RootCertificate. The trick / requirement here is to invoke the cmdlet from a PowerShell session started with 'Run as administrator':
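As an added illustration (my own script, not code from the original post), the following PowerShell checks up front that the session is elevated, which is the lesson of the post, before calling Get-SPCertificateAuthority. The export of the root certificate and its import into the machine's Trusted Root store is my reading of Microsoft's "workaround 1" and is an assumption, as is the output path; run it on the SharePoint 2016 server with a farm administrator account.

```powershell
# Added example: elevation check, then retrieve and trust the SharePoint farm root certificate.
# Assumptions: SharePoint 2016 server, farm administrator account, PowerShell 3+ with the PKI module.

$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    # Without elevation Get-SPCertificateAuthority silently returns no RootCertificate.
    throw "Start PowerShell with 'Run as administrator' before calling Get-SPCertificateAuthority."
}

if (-not (Get-PSSnapin -Name Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue)) {
    Add-PSSnapin Microsoft.SharePoint.PowerShell
}

$rootCert = (Get-SPCertificateAuthority).RootCertificate
if ($null -eq $rootCert) {
    throw "RootCertificate is null: confirm the session is elevated and the account is a farm administrator."
}

"Subject    : $($rootCert.Subject)"
"Thumbprint : $($rootCert.Thumbprint)"
"NotAfter   : $($rootCert.NotAfter)"

# Export only the public certificate (X509ContentType::Cert carries no private key).
$cerPath = Join-Path $env:TEMP 'SharePointRootAuthority.cer'   # assumed location
[IO.File]::WriteAllBytes(
    $cerPath,
    $rootCert.Export([Security.Cryptography.X509Certificates.X509ContentType]::Cert))

# Import into the machine Trusted Root store once, so chain validation of farm-issued
# certificates no longer stalls on an untrusted root (the cause of the hourly Critical Error).
$alreadyTrusted = Get-ChildItem Cert:\LocalMachine\Root |
    Where-Object { $_.Thumbprint -eq $rootCert.Thumbprint }
if (-not $alreadyTrusted) {
    Import-Certificate -FilePath $cerPath -CertStoreLocation Cert:\LocalMachine\Root | Out-Null
    "Imported $($rootCert.Thumbprint) into Cert:\LocalMachine\Root"
} else {
    "Root certificate $($rootCert.Thumbprint) is already trusted on this machine"
}
```

Re-running the script is safe: the thumbprint comparison prevents a duplicate import, and the elevation check fails fast instead of leaving you puzzling over a null RootCertificate.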

Friday, July 10, 2020

MS Teams capabilities and external access

Across its set of capabilities, MS Teams as collaboration hub differs with respect to external access; some differences are minor, some significant. Overview of my current understanding:
Teams capability        | External access options
------------------------|------------------------------------------------------------------------------------
Chat and Calls          |
Meeting                 | Anyone can be invited on own email; Lobby function for controlled entrance in the meeting
Live Event; audience    | Teams Federation; Teams Guest Access; Full anonymous
Live Event; presenter   |
Teams instance          | Teams Guest Access

Wednesday, July 1, 2020

How-to enable for mobile device the seamless consumption of embedded Microsoft Stream on SharePoint page

SharePoint Online Modern Sites/Pages are by design prepared for mobile / on-the-go consumption. A use case is to embed a Stream video on a page, either on-demand or live event, and the audience then has the freedom to consume it at the regular workplace, or via their own mobile device.
However, be aware that in the latter case, for seamless Stream behavior, it is required that the mobile browser is set to 'Allow All Cookies / Block No Cookies'. Without this, the mobile browser typically fails, from within the authenticated SharePoint Online context, to implicitly log the user on to the embedded Stream service. The SharePoint Online Product Group confirmed this: to enable in Edge on a mobile device seamless MS Stream behavior when embedded on a SharePoint Online [modern] page, the infra prerequisite is that mobile Edge is configured to 'Not block cookies'. The subject is currently missing from the requirements stated in the official Microsoft Knowledge Base. The Engineering Team will add this to the documentation for further clarity in the future.

Sunday, June 7, 2020

Tip: for customizing on Modern Site shared with B2B guests, use SPFx and not PowerApps

In Modern SharePoint, the citizen-developer way for page customization is through PowerApps (instead of the dreaded InfoPath approach). This works out fine..., unless your site is shared with external Azure AD B2B guests. A condition for PowerApps usage is namely that the logged-on user is licensed for a PowerApps Plan. For regular member accounts this license is typically provisioned at onboarding time. For guest accounts you cannot trust that each of them already has a PowerApps license themselves, and then access to use the PowerApps customization requires that a license is assigned in the inviting tenant. But probably you do not want to assign licenses in the inviting tenant to Azure AD B2B guests. After all, one of the charms of the Azure AD B2B model is that for each paid Azure AD license the organization is entitled to invite up to 5 guest accounts without additional costs.
The result for guests that do not have a PowerApps license themselves is a broken user experience. Instead of a working custom control / form in the SharePoint page, the guest site visitors are confronted with a notification about the need for a PowerApps Plan license:
A minimal approach to at least avoid the broken UI experience would be to hide the PowerApps control for guest accounts. But this is not possible either: audience targeting on arbitrary webparts is not supported in Modern Pages, see Overview of audience targeting in modern SharePoint sites.
In an SPFx control you can utilize an alternative for the audience check, by checking on permission group, or by checking on account type (member or guest). A code example of this approach: Show and hide SPFx Webpart Content based on user permission.
Moreover, when using SPFx for page customization you are not subject to additional licensing on top of the SharePoint license. So it would not even be needed to hide the control in case the logged-on user is a guest account....
Conclusion: if you plan to share a Modern SharePoint site with external guests, then better not use PowerApps for customizing a page that is accessible for guest accounts. The better approach is via SPFx, and accept that this requires coding skills instead of no/low-code.

Saturday, June 6, 2020

Be aware: Azure AD Hybrid-Join requires Chromium Edge sign-in

Microsoft is loudly promoting and actively pushing the upgrade from the classic Edge browser to the new Chromium Edge. One thing to be aware of for organizations that utilize Azure AD Hybrid Join for conditional access to enterprise applications, is that Chromium Edge requires user sign-in with the Azure AD account. Without the Azure AD sign-in, Chromium Edge does not enroll in hybrid join, and the remote user is denied access to the company enterprise resources (such as Office 365 services, but also any other enterprise application that has Single Sign-On with Azure AD).

Sunday, May 31, 2020

How-To include an external as presenter in Yammer Live Event

After I earlier this week made the pleasant discovery that, and how, an external can be involved as presenter in a Teams Live Event, I decided to test whether the same is possible within Yammer Live Event production. That could work, as Yammer Live Event production can be done via Teams. The short report out: yes, this also proves possible!
The enabling preconditions (external known as Azure AD B2B guest in the organizing tenant, and switched in the Teams App to the organizing tenant) and steps are comparable with involving an external in a Teams Live Event presentation, although with a few significant differences:
  1. In the organizing tenant, schedule in the producer / organizer role within Yammer a new Live Event. Crucial also here is to select that the production will be done 'via Teams', not 'via External app or device'. In this step in the Yammer UI, do not try to invite the external as presenter, as that fails: Yammer does not allow the external to be resolved (unless you have enabled external access on the Yammer channel itself).
  2. In Yammer of the organizing tenant, navigate to the scheduled Live Event and click on "Produce (Open in Teams)". After the Yammer Live Event is opened in the Teams App, click 'Join now'.
  3. Crucial step: in the internal Teams meeting of the Live Event, click on the button 'Show participants'. And in the Teams meeting context, invite the external person via his/her external guest identity;
  4. Under the preconditions that the external person is active in Teams, and switched there to the organizing tenant, (s)he receives a request notification to join the internal Teams meeting of the Yammer Live Event;
  5. The invited external accepts the invite to join this active Teams Meeting, and can then share content + video in the meeting context of the Yammer Live Event;
  6. The Yammer Live Event producer waits in the Teams Live Event production room until the external person has joined, and shares content in the internal meeting of the Live Event. When visible, the producer is in control to select content and/or video of this external presenter in the queue;
  7. The producer pushes from the queue to live, and starts the Live Event;
  8. The audience of the Yammer Live Event sees the content and/or video of the external presenter;
  9. And the audience on-the-go can watch the external presenter in the Yammer Mobile App.

Saturday, May 30, 2020

How-To include an external as presenter in Teams Live Event

When it comes to organizing a webcast, Microsoft 365 offers multiple options: Teams Meeting, Stream Live Event, Teams Live Event, Yammer Live Event. Each has its own differentiating characteristics, and you can select which best fits the specifics of your planned event. A significant differentiator of Teams Live Event is that you can extend beyond an internal audience only: either fully public open, or still a restricted audience by inviting externals authorized via Azure AD B2B in your tenant. In the B2B guest model, the external access into the Live Event can then be secured by multi-factor authentication (MFA), so that the company information shared for external access is only exposed in a trusted context.
A pleasant discovery I made this week is that the authorized external involvement also extends to the Presenter role: you can include in the set of event presenters also identified people from outside your own organization.
The enabling conditions:
  1. The Live Event must be produced via Teams itself, not produced by an External app or device. The reason is that the latter delegates to MS Stream for processing and delivery, and that Microsoft 365 service to date sadly still does not support external access;
  2. The external person must be known in your tenant, either as Azure AD B2B guest or via Teams Federation;
  3. The Live Event organizer / producer must invite the external person via his/her external guest identity in the Presenter role;
  4. The external person must be authorized as member of a Teams instance in your tenant;
  5. First crucial point: to be allowed in the Live Event as presenter, the external person must at presentation time switch in Teams to your tenant. Without this step, the external person sees in the own Teams calendar the Live Event as a meeting; but trying to join it from the own tenant will be blocked with the notification
    "This event is in <external-tenant>. To join, you'll need to be in that org,too."
    If the organizing tenant has enabled MFA as conditional access rule, the external person will be challenged for that before being allowed secure and governed access in the organizing tenant.
  6. Second crucial point: to actively join the live event, the external person cannot go from the Teams calendar once switched to the organizing tenant, as the event is not administrated there for the external person. The workaround is to join the 'external live event' via the invitation mail that the external person received in the own mail inbox when the Live Event organizer identified the external as an event presenter. Clicking on 'Join Live Event' seamlessly opens the Teams App of the external person in the internal producer/presenter meeting of the Teams Live Event within the organizing tenant. As a result of the tenant switch (previous step), the external person is namely already authenticated and known in the organizing tenant.
After following the above steps, the external person is from the perspective of the Teams Live Event organization just another presenter, who is authorized and enabled to share video and content in the event, and can communicate with the producer + other presenters in the chat of the internal Teams meeting to align on the event production.
From the perspective of the organizing producer, (s)he remains in control to determine which content of the presenters included in the Teams Live Event production is actually put live for the audience. The final control thus remains within the organization hosting the live event for its invited audience: internals, potentially authorized guests, or fully public-open.