OneDrive for Business – Office 365 for IT Pros
https://office365itpros.com

Report Detailing Unlicensed OneDrive for Business Accounts Available
https://office365itpros.com/2024/08/22/unlicensed-onedrive-account-report/
Thu, 22 Aug 2024

Understand Why Unlicensed OneDrive Accounts Exist

At the end of July, I reported Microsoft’s plan to charge for unlicensed OneDrive for Business accounts. The idea is simple. Ninety days after a OneDrive for Business account enters an unlicensed state, SharePoint Online will move the account into Microsoft 365 Archive. The tenant must then decide what to do with the accounts with the options being to manage the accounts or leave accounts to rot in the archive. Unlicensed accounts arise when an account no longer has access to a service plan for OneDrive (see the product names and service plans reference). Usually, an account enters the unlicensed state for OneDrive when an administrator deletes an account or removes a license like Office 365 E3 or E5 from the account.

Managing accounts requires the tenant to link Microsoft 365 Archive to an Azure subscription to pay for ongoing storage and restore operations. Storage costs $0.05 per month per gigabyte while retrieval costs $0.60 per gigabyte. Restored accounts remain accessible for 30 days. During this time, someone has to review the material in the account and move it to another repository, such as a different OneDrive for Business account or a SharePoint Online site. Once the 30-day period lapses, SharePoint Online archives the account again.

The OneDrive Report

So good, so far. Archiving old OneDrive accounts that clutter up storage is a good idea. It stops artificial intelligence tools like Copilot for Microsoft 365 using the content held in the obsolete accounts in its response to users and helps to better manage information belonging to ex-employees.

When Microsoft issued MC836942 on July 26, they said that by August 16, 2024, SharePoint administrators would be able to access a new report detailing unlicensed OneDrive for Business accounts. The OneDrive report should now be available through the Reports section of the SharePoint admin center in all tenants (Figure 1).

Figure 1: The unlicensed OneDrive accounts report

Note the warning that if accounts are left in Microsoft 365 Archive for more than 180 days after becoming unlicensed and the tenant does not take out an Azure subscription to pay for the Microsoft 365 Archive storage costs, SharePoint Online can delete the accounts. No documentation is currently available to cover this point, but it seems reasonable that Microsoft should remove old and unwanted OneDrive accounts if the owning tenant is unwilling to pay the storage costs to keep them in the archive.

Four Categories of Unlicensed OneDrive Accounts

Unlicensed OneDrive accounts fall into four categories:

  • Retention period: The owning account is unlicensed but SharePoint Online has retained the OneDrive account because the retention period configured in the SharePoint admin center has not expired.
  • Retention policy: A Microsoft 365 retention policy or retention labels prevent the deletion of an unlicensed OneDrive account. It is quite common for tenants to apply a blanket retention policy to all SharePoint Online sites and OneDrive accounts to retain information for multiple years. If this happens, the unlicensed OneDrive accounts cannot be removed until the retention period defined by the policy lapses.
  • Active user with no license: The account that owns the OneDrive account is still active (is not deleted), but no longer has access to a service plan for OneDrive.
  • Duplicate accounts: The account that owns the OneDrive account has several OneDrive accounts. This used to happen more often several years ago when account provisioning was not as good as it is now. I have not seen a duplicate account created in the recent past.

Figure 1 shows that my tenant has 34 unlicensed OneDrive accounts held by a retention policy. This is expected because I use a broad retention policy to govern removal of material from SharePoint Online and OneDrive for Business. Currently, you cannot see details of the accounts within each of the four categories on-screen. Instead, you must download the CSV file containing the details. In their documentation, Microsoft promises that an interactive UI will be available from January 2025, saying that “You can select a username to view the details.” Presumably, this means that the various sections in the on-screen report will expand to show usernames, and you can then expand a username to see its details, such as those available in the CSV file (Figure 2).

Figure 2: Details of unlicensed OneDrive accounts

Time to Review Unlicensed OneDrive Account Information

Now that information about unlicensed OneDrive accounts is available in the SharePoint admin center, tenant administrators should check the report and review its content to determine if anything unexpected is present. I don’t imagine that anything strange will turn up, but you never know. Following the review, administrators might decide to adjust retention periods and policies to allow the removal of OneDrive accounts belonging to deleted Entra ID accounts or prepare for long-term storage in Microsoft 365 Archive.


So much change, all the time. It’s a challenge to stay abreast of all the updates Microsoft makes across the Microsoft 365 ecosystem. Subscribe to the Office 365 for IT Pros eBook to receive monthly insights into what happens, why it happens, and what new features and capabilities mean for your tenant.

Microsoft to Charge for Unlicensed OneDrive for Business Accounts
https://office365itpros.com/2024/07/30/unlicensed-onedrive-sites-archive/
Tue, 30 Jul 2024

Microsoft 365 Archive Takes On Unlicensed OneDrive Sites

What are we to make of the announcement in message center notification MC836942 (26 July 2024) that Microsoft plans to charge for storing unlicensed OneDrive for Business sites through Microsoft 365 Archive?

Slipped into the newsfeed late on a Friday afternoon (the recommended way to share bad news), Microsoft’s announcement is both unexpected and entirely predictable. It’s unexpected because Microsoft hadn’t communicated their intention of doing this during high-profile conference keynotes (perhaps because of the bad news element). It’s predictable because Microsoft hadn’t the tool to handle unlicensed OneDrive sites until Microsoft 365 Archive (Figure 1) came along. Archiving unlicensed sites makes a ton of sense.

Figure 1: Microsoft 365 Archive – where unlicensed OneDrive sites go to die

An unlicensed OneDrive site can exist for several reasons. The most common is that the site comes within the scope of a retention policy (or items within the site have retention labels). In this situation, OneDrive must retain the sites even after the retention period configured for deleted OneDrive accounts (by default 30 days) elapses. It’s also possible that the owner’s account no longer has a OneDrive license.

The simplest reading of this story is that Microsoft wants organizations to clean up (remove) unlicensed OneDrive sites. It could also be a step to help organizations better manage the removal of OneDrive sites belonging to ex-employees. These reasons are valid, but as is often the case with Microsoft, some other influences might also contribute to the decision.

Helping Copilot for Microsoft 365

Copilot for Microsoft 365 might be another factor in this story. By their very nature, unlicensed OneDrive sites are unmanaged and prone to contain obsolete and unwanted information. Keeping the obsolete sites online and available for Copilot to access increases the chances that Copilot will reuse some of the material contained in the sites in its responses to user prompts. That’s obviously a bad thing.

As I noted on May 20, archiving obsolete material can help organizations deal with the digital debris found in obsolete SharePoint Online sites. The same applies to obsolete OneDrive sites.

Payment for Archived OneDrive Sites

Like SharePoint Online sites managed by Microsoft 365 Archive, Microsoft will charge to archive unlicensed OneDrive sites. The charge is minimal ($0.05/GB per month) with a $0.60/GB fee to reactivate an archived site. Like other Microsoft 365 Archive operations, payments must be made through an Azure subscription.

The interesting thing is that reactivation lasts 30 days after which the site becomes archived again. It seems like this is a strong hint for someone to use the time to extract any required information from the reactivated OneDrive site before removing the account.

One thing that’s unclear is what happens if you don’t set up an Azure subscription. From the text, it seems like OneDrive will automatically move the unlicensed sites into Microsoft 365 Archive and the sites will remain there in an inaccessible (can’t be reactivated) state until the organization creates an Azure subscription and links the subscription to Microsoft 365 Archive. However, even when an Azure subscription is not present, archived sites remain indexed and available to Purview compliance solutions like eDiscovery, so administrators can still run content searches to find and export content from the archived sites.

I don’t think archiving unlicensed OneDrive sites will be a huge revenue generator for Microsoft. But what it might do is bring Microsoft 365 Archive to the attention of organizations that have not used it before who might then start to use the product to archive obsolete SharePoint Online sites. The big attraction here is that moving SharePoint Online sites to Microsoft 365 Archive frees up expensive SharePoint storage.

Next Steps

To help tenant administrators understand how many unlicensed OneDrive sites are present, Microsoft plans to introduce a new report for OneDrive in the SharePoint Online admin center. The new report should be available in all tenants worldwide by August 16, 2024. The report notes why OneDrive accounts are unlicensed. Tenant administrators can’t do much about sites required for retention, but they can remove the other sites.

January 27, 2025, marks the point when Microsoft moves unlicensed OneDrive sites into Microsoft 365 Archive and Azure subscriptions are required to reactivate sites. The six-month period before automatic archiving of OneDrive sites in an unlicensed state for 90 days begins should be enough time to discuss and decide how to accommodate this new aspect of OneDrive management.


Support the work of the Office 365 for IT Pros team by subscribing to the Office 365 for IT Pros eBook. Your support pays for the time we need to track, analyze, and document the changing world of Microsoft 365 and Office 365.

The OneDrive for Business Problem Created When Deleting User Accounts
https://office365itpros.com/2024/07/25/delete-onedrive-for-business-account/
Thu, 25 Jul 2024

Pondering the Right Way to Delete OneDrive for Business Accounts

The July 22 article about choosing between shared and inactive mailboxes to preserve ex-employee content created a lot of discussion. I guess the possibility of exposing PII data inadvertently through access to mailboxes converted to shared mailboxes hadn’t been considered by many. In any case, this is a real concern because no organization wants to open itself up to potential lawsuits.

As I chatted with people, it became clear that some tenants don’t have an automated account preservation process. It might be acceptable in a small organization to rely on the account deletion wizard in the Microsoft 365 admin center (Figure 1) because it takes care of the essentials, like offering the option to convert the deleted user’s mailbox into a shared mailbox and giving another user access to their OneDrive for Business account.

Figure 1: The delete user wizard in the Microsoft 365 admin center

The Other Bits Surrounding Microsoft 365 Account Deletion

Deleting a user account through the Microsoft 365 admin center is a swift and certain way to stop access. However, sometimes a little more subtlety is needed. For instance, you might want to:

  • Add the user to a special retention policy so that their mailbox becomes inactive rather than being made shared.
  • Force sign-outs from the account by revoking access. Instead of immediately deleting an account, I usually revoke access, disable the account, and change its password. All are continuous access evaluation (CAE) events monitored by Entra ID that cause a user to lose access to apps.
  • Issue wipe commands to mobile devices. The process depends on the devices in use and the management software with the aim to remove corporate data from the devices. For instance, if you use Exchange Online mobile device management, Outlook clients support a Wipe Only command, meaning that only mailbox data is covered. Other clients use the Account Only Remote Wipe Device command to do the same thing. Don’t use a Wipe Only command with something like the Apple iOS mail client, as this will wipe all device data.

All these steps are very scriptable. The basics of revoking access from an account are covered in this article and you can find an example account removal script in GitHub to use as the basis for development to cover the requirements of your organization.
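The revoke, disable, and password-change sequence and the account-only device wipe described above can be scripted as follows. This is an added example, not the GitHub script the article refers to; the function names and the sample UPN are hypothetical, and it assumes the Microsoft Graph PowerShell SDK and the ExchangeOnlineManagement module are installed and connected.

```powershell
# Added example (not the article's script). Function names are hypothetical.
# Assumes: Connect-MgGraph -Scopes 'User.ReadWrite.All','Directory.AccessAsUser.All'
#          Connect-ExchangeOnline   (only needed with -WipeMobileDevices)
#Requires -Modules Microsoft.Graph.Users, Microsoft.Graph.Users.Actions

function New-RandomPassword {
    # 24 bytes from the OS CSPRNG, base64-encoded. The fixed suffix adds no
    # secrecy; it only guarantees the character classes complexity rules expect.
    $bytes = New-Object byte[] 24
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    try { $rng.GetBytes($bytes) } finally { $rng.Dispose() }
    return [Convert]::ToBase64String($bytes) + 'aZ9!'
}

function Block-DepartingUser {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$UserPrincipalName,
        [switch]$WipeMobileDevices
    )

    $user = Get-MgUser -UserId $UserPrincipalName -Property Id,UserPrincipalName,AccountEnabled

    if ($PSCmdlet.ShouldProcess($user.UserPrincipalName, 'Revoke sessions, disable account, reset password')) {
        # 1. Invalidate refresh tokens and browser session cookies.
        Revoke-MgUserSignInSession -UserId $user.Id | Out-Null

        # 2. Disable the account so that no new tokens are issued.
        Update-MgUser -UserId $user.Id -AccountEnabled:$false

        # 3. Replace the password with a random value nobody records.
        Update-MgUser -UserId $user.Id -PasswordProfile @{
            Password                      = New-RandomPassword
            ForceChangePasswordNextSignIn = $true
        }
    }

    if ($WipeMobileDevices) {
        # -AccountOnly removes only Exchange mailbox data, which avoids the
        # full-device wipe the article warns about for native mail clients.
        foreach ($device in Get-MobileDevice -Mailbox $UserPrincipalName) {
            if ($PSCmdlet.ShouldProcess($device.FriendlyName, 'Account-only remote wipe')) {
                Clear-MobileDevice -Identity $device.Identity -AccountOnly -Confirm:$false
            }
        }
    }

    # Check the result: the account should be disabled and the
    # sign-in sessions timestamp should reflect the revocation.
    Get-MgUser -UserId $user.Id -Property UserPrincipalName,AccountEnabled,SignInSessionsValidFromDateTime |
        Select-Object UserPrincipalName, AccountEnabled, SignInSessionsValidFromDateTime
}

# Dry run first (sample UPN is constructed):
# Block-DepartingUser -UserPrincipalName 'departing.user@contoso.example' -WipeMobileDevices -WhatIf
```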

The OneDrive for Business Account Deletion Issue

Dealing with OneDrive for Business accounts owned by deleted users poses two issues. First, OneDrive for Business is the designated repository for personal information, so the likelihood of PII data being present is very high. Microsoft has done as much as possible to force applications to save files in OneDrive for Business. The upshot is that files containing personal information are now more likely to be in the cloud than on a local hard drive.

Second, the sheer volume of files stored in OneDrive for Business grows steadily. Office documents, PDFs, Loop components shared in Teams and OneDrive, Teams meeting records, Whiteboards, Stream videos, and even PowerShell modules can end up in a person’s OneDrive for Business account. Parsing out what’s there and what needs to be recovered for future use by the business is a difficult task.

Organizations can configure automatic access delegation, which means that a user’s manager is automatically made a site administrator of the user’s OneDrive for Business account when a user is deleted. A secondary owner can also be defined in case a manager is not defined for the account (Figure 2).

Figure 2: Enabling access delegation and defining a secondary owner for OneDrive accounts

I don’t think I have changed the settings shown in Figure 2 for years. Nominating the Global tenant administrator account as a secondary owner is not a great idea. It’s better to use a designated account with no administrative roles to act as the backstop for access to the OneDrive for Business accounts owned by deleted users.

Two other questions arise here. First, it’s important to keep manager information updated and accurate to have any chance that access delegation will work. Some form of automated processing is likely required on a periodic basis to ensure that user accounts are linked to the correct managers. Second, even if the right person is known, will 30 days be enough to review and extract all the relevant information from the OneDrive for Business account?

Thirty days is the default, and you can set a tenant-wide retention period of up to 10 years through the settings section of the SharePoint admin center (Figure 3).

Figure 3: Defining the tenant retention period for OneDrive for Business accounts belonging to deleted users

The Time Conundrum

Thirty days is too short to allow a stressed manager the time to conduct a full review of what could be gigabytes of data created by multiple applications. Ten years is obviously too long to keep the OneDrive for Business account for a deleted user in place. Somewhere in the middle might suit, but the organization still depends on the manager to perform a full review of the account contents before the retention period ends.

The trick is to use the 30-day default retention period for a quick review of contents and then store the OneDrive for Business account somewhere safe from where information can be retrieved if necessary. I already mentioned adding the user’s mailbox to a special retention policy before deletion to force Exchange Online to make it into an inactive mailbox. I also add the OneDrive for Business account to the same retention policy. The retention period is six months, which is enough to allow information recovery by running an eDiscovery content search against the account and exporting the results. Yes, it’s a pain to ask the compliance team to run a search, but this approach avoids problems with PII because the organization can demonstrate controlled access to the data and the retention period can be as long as required.
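One way to place both the mailbox and the OneDrive for Business account under the same retention policy before deleting the user is sketched below. This is an added example, not the author's script; the policy name, function name, 183-day duration, and the retain-only action are assumptions, and it requires a Security & Compliance PowerShell session (Connect-IPPSSession).

```powershell
# Added example (not from the article). The policy name, the 183-day period
# and the "Keep" action are assumptions standing in for the six-month policy.
# Assumes: Connect-IPPSSession   (ExchangeOnlineManagement module)

function Add-DepartingUserToRetentionPolicy {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$UserPrincipalName,
        [Parameter(Mandatory)][string]$OneDriveUrl,
        [string]$PolicyName   = 'Departed Users Retention',   # hypothetical name
        [int]$RetentionDays   = 183
    )

    # Guard against pasting a document library or file URL instead of the site root.
    if ($OneDriveUrl -notmatch '^https://[^/]+/personal/[^/]+/?$') {
        throw "Expected the root URL of a OneDrive site (https://<host>/personal/<user>), got '$OneDriveUrl'."
    }

    $policy = Get-RetentionCompliancePolicy -Identity $PolicyName -ErrorAction SilentlyContinue

    if (-not $policy) {
        if ($PSCmdlet.ShouldProcess($PolicyName, 'Create retention policy and rule')) {
            # A policy scoped to explicit locations, not a tenant-wide one.
            New-RetentionCompliancePolicy -Name $PolicyName `
                -ExchangeLocation $UserPrincipalName `
                -OneDriveLocation $OneDriveUrl | Out-Null

            New-RetentionComplianceRule -Name "$PolicyName rule" -Policy $PolicyName `
                -RetentionDuration $RetentionDays `
                -RetentionComplianceAction Keep `
                -ExpirationDateOption ModificationAgeInDays | Out-Null
        }
    }
    elseif ($PSCmdlet.ShouldProcess($PolicyName, "Add $UserPrincipalName mailbox and OneDrive")) {
        # Both locations go into the same policy, and this must run while the
        # account still exists so the mailbox becomes inactive on deletion.
        Set-RetentionCompliancePolicy -Identity $PolicyName `
            -AddExchangeLocation $UserPrincipalName `
            -AddOneDriveLocation $OneDriveUrl
    }

    # Policy distribution is asynchronous; confirm it succeeded before
    # deleting the user account.
    Get-RetentionCompliancePolicy -Identity $PolicyName -DistributionDetail |
        Select-Object Name, Enabled, DistributionStatus
}

# Dry run first (sample values are constructed):
# Add-DepartingUserToRetentionPolicy -UserPrincipalName 'departing.user@contoso.example' `
#     -OneDriveUrl 'https://contoso-my.sharepoint.com/personal/departing_user_contoso_example' -WhatIf
```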

This issue is not going to get any easier. Microsoft designed the current OneDrive for Business retention and deletion implementation years ago (just look at the old-style UI in Figure 2). OneDrive for Business was simple then. It’s not now. The basic idea about keeping an account around for a period after the deletion of its user’s account is fine. It’s determining what’s in the account and what needs to be kept that’s the most difficult task, even with a nice print-out of the account’s files.


Insight like this doesn’t come easily. You’ve got to know the technology and understand how to look behind the scenes. Benefit from the knowledge and experience of the Office 365 for IT Pros team by subscribing to the best eBook covering Office 365 and the wider Microsoft 365 ecosystem.

Stream Moves to Intelligent Versioning
https://office365itpros.com/2024/07/24/stream-video-versions/
Wed, 24 Jul 2024

Controlling Stream Video Versions Designed to Consume Less Disk Storage

Microsoft 365 message center notification MC797116 (30 May 2024, Microsoft 365 Roadmap item 395380) addresses the question of storage consumption in SharePoint Online and OneDrive for Business for videos managed by Stream. The issue is simple. Any time a video owner updates the non-video content, Stream creates a brand-new version of the video that consumes the same amount of storage as the original.

Many reasons exist to change something for a video, like editing the metadata (title, description (Figure 1), or chapters), editing the transcript to correct flaws in the automatic text generated by the transcription bot, adding callouts through the interactivity feature, and so on.

Figure 1: Editing the description of a Stream video

Many Stream Video Versions

Behind the scenes, SharePoint Online or OneDrive for Business treat changes to non-video content in the same way as they handle changes made to Word documents or Excel spreadsheets and create new versions. The impact on storage is obvious if you look at the version history for a video. Figure 2 shows the version history for a 402 MB video that consumes 5,226 MB for the 13 versions stored by OneDrive.

Figure 2: Stream video versions

Usually, this method of storing versions doesn’t affect OneDrive for Business accounts. Given that most videos are likely Teams meeting records, few videos are updated, and the version count remains small. In addition, the large storage quotas assigned to OneDrive for Business accounts accommodate a few extra versions without a problem.

The issue is more obvious in SharePoint Online where the tenant-wide storage quota comes under pressure from user demand for document storage, retention processing, and versioning. Buying additional SharePoint Online storage is expensive, and few tenants want to go down that route.

Microsoft announced intelligent versioning for SharePoint Online in July 2023, but according to Microsoft 365 roadmap item 145802, the rollout won’t happen until August 2024. Good things take time to get right.

The Change in the Creation of Stream Video Versions

The change Microsoft is introducing to Stream starting mid-July 2024 with the intention to complete worldwide deployment by late August 2024 is to stop generating new versions of videos for changes that do not affect video content. This is a reasonable approach, and it will prevent the kind of video version sprawl seen in the past (as obvious in Figure 2).

The downside is that metadata changes made to Stream videos are irrecoverable. If you restore a version of a video, you get the metadata available at that time. Any subsequent changes made to video metadata are ignored.

These actions no longer create a new version:

  • Editing the title or description from within the Stream browser client.
  • Adding or editing chapters, transcripts, captions, or interactivity (callouts or forms).
  • Toggling media settings (show/hide about video, chapters, interactivity, comments, analytics, etc.).
  • Adding audio tracks.

Any change that affects the video content, like trimming some seconds from the start or end of a video, will force Stream to generate a new version of the video. Once the change reaches your tenant, it goes into effect and cannot be reverted to the previous behavior. The change has no effect on existing videos and will not remove any versions that are already being stored. Microsoft says that if you want to remove extraneous versions, you’ll need to wait for SharePoint Intelligent versioning to appear in your tenant and use that to clean up unwanted video versions stored in SharePoint sites.

Storage is Not a Pressing Problem for OneDrive

At this point, I am unsure if the same approach can be taken to clean up video versions in OneDrive for Business accounts. However, given that storage is much less of an issue in OneDrive than it is in SharePoint Online, and that Teams meeting recordings age out over time, this is probably not a big problem. If you’re worried about OneDrive, run the OneDrive for Business account storage and quota report and see if any account needs attention. I bet hardly any will.


Make sure that you’re not surprised about changes that appear inside Microsoft 365 applications by subscribing to the Office 365 for IT Pros eBook. Our monthly updates make sure that our subscribers stay informed.

All SharePoint Online Sharing Links Now Support Expiration Dates
https://office365itpros.com/2024/07/04/sharing-links-expiration/
Thu, 04 Jul 2024

Support for Sharing Links Expiration Added for Company-wide and Specific People Links

The change announced in message center notification MC799277 (6 June 2024) to make expiration dates available for all types of sharing links should now have reached targeted release tenants. General availability will follow soon afterwards.

Until now, SharePoint Online and OneDrive for Business have supported expiration dates for anyone sharing links. Microsoft was correct to start with these links because they are transferable. In other words, anyone in possession of the link can access the file or folder pointed to by the link.

Although anyone links are revocable and therefore can be annulled if a link becomes too widely available, making them the first sharing link to support expiration was a good thing. Even with expiration dates, many organizations prohibit anyone links because they consider these links to be too dangerous. Users forget to set expiration dates, the links circulate in email and can easily escape outside the organization, and so on.

Company-wide and Specific People Sharing Links

Company-wide (aka people in your organization) and specific people links deliver tighter control over sharing because SharePoint Online validates the account that attempts to redeem and use a link to make sure that they meet the sharing criteria. For example, if you’re not signed into a tenant account, SharePoint Online won’t allow you to use a company-wide link.

Specific people links are usable with people inside and outside an organization. External people must have a guest account in the tenant to authenticate, either an account created to access other resources like Teams (or most recently, Microsoft Loop), or an account created during the process of gaining access to the shared content. During this process, depending on the conditional access policies active in the tenant, an external person might be asked to configure multi-factor authentication to protect their account.

All of this sounds good, and it means that specific people links are usually a safe way to share externally, especially if coupled with a sensitivity label with encryption to stop any inadvertent leakage of confidential information.

Sharing Links Expiration for All

Even a sharing link for which SharePoint Online controls who can use it can sometimes do with a little extra help, and that’s where the expiration controls come in. You can now set a date (Figure 1) for company-wide and specific people sharing links to expire.

Figure 1: Setting an expiration date for a specific person sharing link

When a link expires, it can no longer be used to access the shared content. The owner of the content must then reshare the content if they wish.

It seems like Microsoft has some loose ends to clean up before you could consider this feature to be complete. For instance, although SharePoint Online shows the expiration date after copying a link (Figure 2), the Manage access dialog for an item doesn’t display expiration dates. This might be due to an incomplete software deployment and the missing bits for an updated Manage access dialog might be still on the way.

Figure 2: Revealing the expiration date for a sharing link

More importantly, the SharePoint Online admin center has a setting for Anyone links to set a maximum expiration length in days (Figure 3). However, similar controls aren’t yet available for company-wide and specific people links. That seems like an oversight.

Figure 3: Setting the maximum expiration period for Anyone links

Being picky, I could also point out that setting an expiration period for a sharing link does not affect the SharingSet audit record generated when SharePoint Online or OneDrive for Business configure a sharing link. This is a pity. Microsoft needs to improve the information captured in audit records for sharing events to make them more administrator friendly. For instance, a value like “EventData    : <PermissionsGranted>Contribute</PermissionsGranted><MembersCanShareApplied>False</MembersCanShareApplied>” is meaningful to a computer but less so to a human. If you’re interested in learning how to interpret audit records for sharing events, try this script from GitHub.
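The EventData value quoted above is a run of sibling XML elements with no root element, so it has to be wrapped before it can be parsed. The following added example (not the GitHub script the article mentions) turns it into a readable object; the function name is hypothetical and the audit record is constructed sample data using the EventData string from the text.

```powershell
# Added example (not the script referenced in the article).
# ConvertFrom-SharingEventData is a hypothetical helper name.

function ConvertFrom-SharingEventData {
    param([string]$EventData)

    $result = [ordered]@{}
    if ([string]::IsNullOrWhiteSpace($EventData)) { return [pscustomobject]$result }

    $doc = New-Object System.Xml.XmlDocument
    $doc.XmlResolver = $null          # never resolve external entities from log data
    try {
        # EventData has no root element, so wrap it before parsing.
        $doc.LoadXml("<EventData>$EventData</EventData>")
    }
    catch [System.Xml.XmlException] {
        # Keep the unparsed value rather than dropping the record.
        $result['Raw'] = $EventData
        return [pscustomobject]$result
    }

    foreach ($node in $doc.DocumentElement.ChildNodes) {
        if ($node.NodeType -ne [System.Xml.XmlNodeType]::Element) { continue }
        $value = $node.InnerText
        $flag  = $false
        # Convert "True"/"False" strings into real booleans for filtering.
        if ([bool]::TryParse($value, [ref]$flag)) { $value = $flag }
        $result[$node.Name] = $value
    }
    return [pscustomobject]$result
}

# Constructed sample shaped like the AuditData JSON of a SharingSet record.
# Live records come from: Search-UnifiedAuditLog -Operations SharingSet
$sampleAuditData = @'
{"CreationTime":"2024-07-01T09:15:00","Operation":"SharingSet","UserId":"user@contoso.example","ObjectId":"https://contoso.example/sites/demo/Shared Documents/Plan.docx","EventData":"<PermissionsGranted>Contribute</PermissionsGranted><MembersCanShareApplied>False</MembersCanShareApplied>"}
'@

$record  = $sampleAuditData | ConvertFrom-Json
$details = ConvertFrom-SharingEventData -EventData $record.EventData

[pscustomobject]@{
    When                   = $record.CreationTime
    User                   = $record.UserId
    Operation              = $record.Operation
    Item                   = $record.ObjectId
    PermissionsGranted     = $details.PermissionsGranted
    MembersCanShareApplied = $details.MembersCanShareApplied
}
```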

Sharing Links Expiration for All Link Types is a Good Change

Even though I think Microsoft has some things to work on to complete the feature, I like that SharePoint Online supports expiration dates for all types of sharing links. It’s a good change and one that should be popular with users, even if administrators can’t find out the kind of usage the feature gets because of the lack of detail in audit records. According to MC799277, Microsoft is due to refresh the documentation, but that hasn’t happened yet. More bits lost in transit!



Understanding SharePoint Online Storage
https://office365itpros.com/2024/06/10/sharepoint-online-storage-2/
Mon, 10 Jun 2024

SharePoint Online Storage, OneDrive for Business, and SharePoint Embedded

Given the vast numbers of files created in SharePoint Online daily (Jeff Teper cited 2.3 billion in December 2023), it must be the case that the storage quotas assigned to tenants are being consumed at an alarming rate. However, I suspect that a large proportion of the files end up in OneDrive for Business and don’t impact storage so much.

These thoughts came to mind when I perused the OneDrive files report for my account to discover just how many applications now store their data in OneDrive for Business. Microsoft has truly made OneDrive for Business the personal storage system for Microsoft 365 holding anything from Office documents to Teams meeting recordings and transcripts to Whiteboards.

But coming back to storage, I often hear confusion about how Microsoft charges for SharePoint storage. Let’s review the current situation.

Three Major Storage Partitions

SharePoint Online covers three major storage partitions:

  • SharePoint Online sites.
  • SharePoint Embedded applications, like Loop and Designer.
  • OneDrive for Business accounts.

The SharePoint Online storage quota assigned to a tenant (1 TB plus 10 GB per licensed user) covers only the first category. The storage consumed by SharePoint sites is well understood because it’s highlighted in the SharePoint admin center and is easy to report with PowerShell. A Graph usage API is also available for SharePoint Online, but currently suffers from a longstanding data issue that prevents site URLs from being shown.

The storage consumption of SharePoint Embedded applications is less clear. These applications use file storage containers (like document libraries). First-party applications like Loop charge their storage against the tenant storage quota for SharePoint Online. If the applications support SharePoint Online PowerShell or another API to report storage, it’s possible to generate a report about the storage consumed by an app.

Third-party apps built on top of SharePoint Embedded are billed separately through an Azure subscription using a pay-as-you-go metered model. Charges are accrued for API calls and the storage consumed.

OneDrive for Business Storage

The OneDrive service description says that “the default storage space for each user’s OneDrive is 1 TB. Depending on your plan and the number of licensed users, you can increase this storage up to 5 TB.” The default storage assigned to OneDrive for Business accounts is defined through the Settings section in the SharePoint Online admin center (Figure 1).

Figure 1: Setting the default storage allocation for OneDrive for Business accounts

In a Microsoft 365 enterprise tenant, the storage for OneDrive can be increased to more than 5 TB. The documentation states: “Before requesting an increase you need at least five licenses that include OneDrive Plan 2, you must assign at least one license to a user, and a single user must have already filled 90% of their 5 TB storage.”

The problem here is that Microsoft stopped offering OneDrive Plan 2 in August 2023, apparently to stop offering the “unlimited storage capacity” that was once available for licenses like Office 365 E3 and E5. No official notice was given, and the plan slipped away. Office 365 and Microsoft 365 licenses no longer include a OneDrive service plan.

In any case, if you want to keep an eye on OneDrive storage consumption, it’s easy to generate a report with PowerShell.

Microsoft 365 Archive

Microsoft 365 Archive is a solution that moves SharePoint Online sites from “hot” storage (immediate access) to “cold” storage. The idea is that organizations can keep data online in a form that’s available for eDiscovery but not for user access. Archiving sites also helps to remove information from consumption by AI solutions like Copilot for Microsoft 365 to stop the results generated by AI being affected by old and possibly obsolete information.

Organizations pay for the storage consumed by archived sites through an Azure subscription. The cost per GB is much less than having to pay for regular SharePoint storage and Microsoft doesn’t charge for archive storage if the tenant has regular storage available. If the tenant runs out of regular storage, Microsoft 365 archive switches to its pay-as-you-go model.

Retention Storage

Microsoft 365 Retention Policies and Retention Labels can dictate how long content stored in SharePoint Online (including OneDrive for Business and SharePoint Embedded) is kept before it can be deleted. If files coming within the scope of retention are deleted by users, SharePoint Online keeps them in the site’s preservation hold library. Depending on the settings of retention policies and labels, it’s possible that preservation hold libraries can consume a large amount of storage (Figure 2).

Figure 2: Retention can consume a lot of SharePoint Online storage.

Retained content can be easy to overlook. Microsoft plans to introduce intelligent versioning (originally planned for November 2023), which should help.

Summarizing SharePoint Online Storage

In summary, traditional SharePoint site storage is only one of the ways that tenant storage quota can be consumed. OneDrive for Business stores more data than ever before, but Microsoft has renounced unlimited storage. New applications and retention can consume storage unexpectedly, and Microsoft 365 Archive can help by moving data to cheaper cold storage. What could be easier to understand?


Report OneDrive for Business Storage Based on Usage Data
https://office365itpros.com/2024/02/27/onedrive-storage-report-usage/
Tue, 27 Feb 2024 01:00:00 +0000

Much Faster to Create OneDrive Storage Report from Usage Data

Nearly five years ago, I wrote an article about a PowerShell script to report OneDrive for Business storage consumption. The script works well but it’s slow because it uses the Get-SPOSite cmdlet from the SharePoint Online management module. Everything is fine when running in a tenant with fewer than five hundred accounts. Past this point, you might have plenty of time for coffee.

That’s where the Graph usage reports API comes in handy. Despite being two or so days behind in terms of absolute accuracy for storage consumption, the usage reports API is extremely fast because it reads from a data warehouse populated with information by background processes running in the Microsoft datacenters. In this case, we need the OneDrive account detail report, which can cover usage from 7 to 180 days.

Including User Data in the OneDrive Storage Report

As noted previously, an ongoing issue affects usage reports for SharePoint Online data and prevents the population of site URLs in the reports. The same issue exists for OneDrive for Business data. This is a pain, but there’s often a silver lining in a bug. In this case, I decided to incorporate some user data into the report to make it possible for tenant administrators to sort by city, country, or department.

Outline of the Script to Create the OneDrive Storage Report

Here’s what the script does:

  • Runs Connect-MgGraph to connect to the Graph. This report only needs the User.Read.All and Reports.Read.All permissions.
  • Checks if the tenant obscures user data in reports. If this is true, the script updates the setting to allow it to fetch unobscured data.
  • Runs Get-MgUser to fetch details of all licensed member accounts in the tenant.
  • Populates a hash table. The key is the user principal name and the value is an array of user properties. Looking up a hash table to find user details is quicker than running Get-MgUser for each account or reading an array.
  • Uses the Invoke-MgGraphRequest cmdlet to fetch the OneDrive account detail data for the last seven days. The data is loaded into an array.
  • Loops through the array to extract storage information for each user’s OneDrive for Business account and reports what’s found. The report includes the information found by looking up the hash table for user details.
  • Exports the report data to a CSV file.
  • Resets the tenant obscured report data setting if necessary.
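The join at the heart of this outline, as an added example rather than the author's GitHub script: it runs offline on constructed sample data shaped like the CSV output of the OneDrive account detail report and a Get-MgUser result. The column names, sample accounts, function names and the Graph calls shown in comments are assumptions.

```powershell
# Added example, not the author's GitHub script. All sample data is constructed.
# In a tenant, the two inputs would come from calls such as:
#   Connect-MgGraph -Scopes "User.Read.All","Reports.Read.All"
#   $Users = Get-MgUser -All -Property UserPrincipalName,DisplayName,City,Country,Department
#   Invoke-MgGraphRequest -Method GET -OutputFilePath $TempFile `
#     -Uri "https://graph.microsoft.com/v1.0/reports/getOneDriveUsageAccountDetail(period='D7')"

# Constructed stand-in for the Get-MgUser result
$Users = @(
    [pscustomobject]@{ UserPrincipalName = 'James.Ryan@example.com'; City = 'Dublin'; Country = 'Ireland'; Department = 'Sales' }
    [pscustomobject]@{ UserPrincipalName = 'Ann.Lee@example.com';    City = 'Boston'; Country = 'United States'; Department = 'Engineering' }
)

# Constructed stand-in for the usage report CSV. Site URL is empty, as the article describes.
$UsageCsv = @'
Report Refresh Date,Site URL,Owner Display Name,Is Deleted,Last Activity Date,File Count,Active File Count,Storage Used (Byte),Storage Allocated (Byte),Owner Principal Name,Report Period
2024-02-25,,James Ryan,False,2024-02-24,1200,35,53687091200,1099511627776,james.ryan@example.com,7
2024-02-25,,Ann Lee,False,2024-02-23,88000,410,989560464998,1099511627776,Ann.Lee@example.com,7
2024-02-25,,Old Account,True,2023-11-02,15,0,1048576,1099511627776,Old.Account@example.com,7
2024-02-25,,5F2A9C0D1B7E,False,2024-02-20,300,12,21474836480,1099511627776,A1B2C3D4E5F6,7
'@

function New-UserLookup {
    # Hash table keyed on user principal name. Keys in @{} compare case-insensitively,
    # so 'james.ryan@...' in the report still finds 'James.Ryan@...'.
    param([object[]]$UserList)
    $table = @{}
    foreach ($u in $UserList) { $table[$u.UserPrincipalName] = $u }
    return $table
}

function Get-OneDriveStorageReport {
    param([string]$Csv, [hashtable]$UserLookup)
    foreach ($row in ($Csv | ConvertFrom-Csv)) {
        if ($row.'Is Deleted' -eq 'True') { continue }      # skip deleted accounts
        $upn   = [string]$row.'Owner Principal Name'
        $used  = [double]$row.'Storage Used (Byte)'
        $quota = [double]$row.'Storage Allocated (Byte)'
        # No match happens for accounts outside the user list or when names are obscured
        $user  = $UserLookup[$upn]
        [pscustomobject]@{
            Owner       = $row.'Owner Display Name'
            UPN         = $upn
            City        = if ($user) { $user.City } else { 'n/a' }
            Country     = if ($user) { $user.Country } else { 'n/a' }
            Department  = if ($user) { $user.Department } else { 'n/a' }
            Files       = [int]$row.'File Count'
            UsedGB      = [math]::Round($used / 1GB, 2)
            QuotaGB     = [math]::Round($quota / 1GB, 2)
            PercentUsed = if ($quota -gt 0) { [math]::Round(100 * $used / $quota, 2) } else { 0 }
            LastActive  = $row.'Last Activity Date'
        }
    }
}

$Lookup = New-UserLookup -UserList $Users
$Report = Get-OneDriveStorageReport -Csv $UsageCsv -UserLookup $Lookup |
    Sort-Object PercentUsed -Descending
$Report | Format-Table Owner, Department, City, UsedGB, QuotaGB, PercentUsed -AutoSize
# $Report | Export-Csv -NoTypeInformation -Path .\OneDriveStorageReport.csv
```

The fourth sample row shows what the report looks like when the owner cannot be matched, which is the symptom to expect if the tenant still obscures user data.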

Figure 1 shows an example of the OneDrive storage report generated by the script. When Microsoft fixes the Site URL problem for usage reports, I’ll update the script to include that property, but for now the script does a nice job of reporting OneDrive storage consumed by user accounts. And the script runs much faster than the older version based on the SharePoint Online management cmdlets.

Figure 1: OneDrive for Business user storage consumption report.

Two Things to Learn About Reporting Microsoft 365 Data

This script demonstrates two things about reporting Microsoft 365 data. First, don’t assume that you need 100% up-to-date information about usage. Data in a report might be accurate immediately after the report is generated, but it degrades thereafter. There’s no great difference between an account that’s used 91.01% of its storage quota and one that’s used 91.11%. The information available through the usage reports API gives a sufficiently accurate picture of usage in 99% of cases.

Second, don’t assume that the data returned by a cmdlet limits what you can use in a report. Properties like user identifiers (GUIDs) and user principal names enable matches for data drawn from multiple sources. Using hash tables to store information fetched from different sources is an excellent and fast way to create lookup tables for reports.

You can download the script from GitHub. Normal caveats apply. Don’t assume that the script has bulletproof error handling (it doesn’t) nor that a bug isn’t lurking somewhere. Test the script and have some fun chasing bugs if there are any.


Using the SharePoint Online Sensitive by Default Control
https://office365itpros.com/2023/12/20/sensitive-by-default/
Wed, 20 Dec 2023 01:00:00 +0000

Sensitive by Default Blocks External Access Pending DLP Scanning

The ability to mark documents as “sensitive by default” achieved general availability in July 2020. Despite covering the topic in the DLP chapter of the Office 365 for IT Pros eBook, I never paid the feature much attention because sensitivity labels are often a better way to protect confidential material.

Not every tenant deploys sensitivity labels. Sometimes this is because they want to avoid the complications that can come when dealing with encrypted information, such as how to move encrypted documents between tenants during a migration. And sometimes it’s because the work to prepare to deploy and manage sensitivity labels is incomplete and pending completion. These are the kind of circumstances when the sensitive by default control is useful for tenants that have the necessary Office 365 E3 (or above) licenses to use Data Loss Prevention (DLP) policies with SharePoint Online.

The idea is simple. SharePoint Online uses background processes to implement the instructions in DLP to detect sensitive information in documents and take whatever action the policy settings dictate, such as to block sharing. Because DLP processing does not happen immediately for new files uploaded to SharePoint Online and OneDrive for Business libraries, a short period exists when it’s possible for users to share sensitive data outside the tenant and inadvertently leak data. The sensitive by default control stops this happening by forcing SharePoint Online to consider all files as sensitive until DLP processes their content.

In effect, this means that SharePoint Online blocks external access to documents until DLP scans the contents. If external users, including guest members of a team, attempt to access a document before DLP scans its content, they see a page to tell them that scanning is in progress (Figure 1). After a few minutes, the scan should complete and access is possible.

Figure 1: Access denied while DLP scanning proceeds.

Implementing Sensitive by Default

To implement the Sensitive by default control, you:

  • Implement at least one DLP policy to scan the SharePoint Online sites that store information intended for external access.
  • Run the Set-SPOTenant cmdlet in the SharePoint Online PowerShell module to block access to new files. It can take up to 15 minutes before the change is effective. The block applies to all sites in the tenant and you can’t exclude sites from its effect.

Here’s the command to implement the sensitive by default control:

Set-SPOTenant -MarkNewFilesSensitiveByDefault BlockExternalSharing

With the block in place, users can still share documents externally (if not blocked by the tenant’s sharing settings). However, external people with a sharing link cannot access the content until the document is scanned by a DLP policy.

To revert the block, run Set-SPOTenant to allow sharing without waiting for DLP processing:

Set-SPOTenant -MarkNewFilesSensitiveByDefault AllowExternalSharing

DLP Processing for Sensitive by Default

Any DLP policy that has a “contents contains” condition to process information in SharePoint Online sites can perform the check and release the block. Normally, DLP scanning either passes the document for external access (because DLP doesn’t detect a policy violation) or blocks it (because DLP detects some content that violates the policy if shared externally).

The Microsoft documentation for the feature discusses creating a form of “catch-all” DLP policy to cover all SharePoint Online sites and OneDrive for Business accounts in a tenant. The policy contains a rule to check new content for some arbitrary value. As shown in Figure 2, I use a check for the blood test sensitive information type.

Figure 2: A simple DLP rule to check for a sensitive information type.

It doesn’t matter that DLP is unlikely to detect this data in my tenant. Apart from that, the DLP policy doesn’t perform any action or notify anyone if it matches content. The sole purpose of the policy is to make sure that DLP processes every file uploaded to SharePoint Online and OneDrive for Business. Other DLP policies handle any problems lurking in documents.

Sensitive by Default and Sensitivity Labels

Applying the sensitive by default control is an effective way to stop external sharing from SharePoint Online and OneDrive for Business. However, it’s a broad-brush policy that covers the entire tenant. Using sensitivity labels to restrict access to documents containing important information might be a better approach, especially when auto-label policies are used to find and apply labels to documents at rest. The two approaches are not mutually exclusive and it’s a good idea to use sensitivity labels to control access to an organization’s most confidential information, including documents shared with external guests in Teams.


Microsoft Changes Name of File Deleted Audit Event
https://office365itpros.com/2023/08/18/filerecycled-audit-event/
Fri, 18 Aug 2023 01:00:00 +0000

FileRecycled Audit Event Replaces FileDeleted

In December 2021, I wrote about using events captured in the unified audit log to analyze file deletion activity in SharePoint Online and OneDrive for Business. Recently, some readers complained that the script (available from GitHub) wasn’t finding events for file deletions. A major advantage of PowerShell is that you see all the code and can modify the code to meet your needs. This also means that you can debug the code. My usual response to people who report problems with scripts is to prompt them to do some basic debugging by running the code line-by-line until the problem becomes apparent. Apart from learning how the script works, debugging is a great way to improve PowerShell skills.

In any case, a quick check revealed the problem. Microsoft changed the name of the operation captured in file deletion audit events from FileDeleted to FileRecycled. The change seems to have come into force in March 2023. At least, that’s the date of the first FileRecycled audit event generated by SharePoint Online I can find in my tenant. Microsoft didn’t say anything about the change. It just happened without warning.

File Deletion or Recycling

A case can be argued that FileRecycled is a more accurate description of the action than FileDeleted is (see this documentation update request from August 2022). SharePoint Online doesn’t actually delete an item until it goes through the two-stage recycle bin and exceeds the 93-day retention period that items remain in the recycle bin. The initial action is to move an item from a document library to the site recycle bin, hence the justification to use the FileRecycled name in audit records.

I wouldn’t have a problem if Microsoft told people about the change. Not everyone scans the documentation to detect name changes for audit log activities. Unless you checked the data returned by the Search-UnifiedAuditLog cmdlet or noticed the details for file deletions (or rather “recycled file”) operations returned by the audit log search in the Purview compliance portal (Figure 1), the change would probably have escaped undetected.

Figure 1: A FileRecycled audit event as shown by the Purview compliance portal

Microsoft also changed the UI of the audit search solution so that if you select “Deleted file” from the list of activities to search for, you’ll find events logged when SharePoint Online removes files from the recycle bin.

The Impact of Unannounced Changes

The problem here is that when Microsoft makes unannounced changes to audit data, it potentially affects scripts written by organizations to move data from the audit log to an external repository like Splunk. Among the reasons why organizations populate external repositories with audit data are:

  • Long-term retention of audit data. Until recently, Microsoft only kept audit data for 90 days. On July 19, 2023, Microsoft announced a doubling of the audit data retention period to 180 days for Audit standard (Office 365 E3) customers. Audit premium customers have a 365-day audit data retention period with an optional add-on license available to increase the period to 10 years.
  • Better search and investigation facilities. Although organizations have built tools to interrogate the unified audit log, the fact remains that the contents of audit log entries often need processing to extract useful information (like this example of extracting information about changes made to Entra ID account properties).

Obviously, if a new name is introduced for a common auditable activity like file deletion, it’s likely that processes to export audit data will ignore these events. I haven’t found any other activity renames but suspect that some might be lurking in the audit log.
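Detection logic that tolerates the rename described above, as an added example (not the author's script): it matches both operation names and lists any operation name missing from an allow-list, so a future rename is noticed instead of silently dropped. The records are constructed samples shaped like Search-UnifiedAuditLog output; the allow-list and function names are hypothetical.

```powershell
# Added example, not the author's script. Sample records are constructed.
# In a tenant, the records would come from a call such as:
#   $Records = Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-30) -EndDate (Get-Date) `
#     -RecordType SharePointFileOperation -ResultSize 5000

# Both names are kept because the article reports that FileRecycled replaced
# FileDeleted around March 2023, and older data still carries the old name.
$DeletionOps = @('FileDeleted', 'FileRecycled')

# Hypothetical allow-list of operations an export pipeline knows how to process
$KnownOps = $DeletionOps + @('FileAccessed', 'FileModified', 'FileUploaded', 'FileDownloaded')

# Constructed audit records (CreationDate, UserIds, Operations, AuditData as JSON)
$Records = @(
    [pscustomobject]@{ CreationDate = [datetime]'2023-02-10 09:15'; UserIds = 'kim@example.com'; Operations = 'FileDeleted'
        AuditData = '{"Operation":"FileDeleted","Workload":"OneDrive","SourceFileName":"Budget.xlsx","SiteUrl":"https://example-my.sharepoint.com/personal/kim_example_com/"}' }
    [pscustomobject]@{ CreationDate = [datetime]'2023-04-02 14:40'; UserIds = 'kim@example.com'; Operations = 'FileRecycled'
        AuditData = '{"Operation":"FileRecycled","Workload":"OneDrive","SourceFileName":"Plan.docx","SiteUrl":"https://example-my.sharepoint.com/personal/kim_example_com/"}' }
    [pscustomobject]@{ CreationDate = [datetime]'2023-04-03 08:05'; UserIds = 'lars@example.com'; Operations = 'FileRecycled'
        AuditData = '{"Operation":"FileRecycled","Workload":"SharePoint","SourceFileName":"Contract.pdf","SiteUrl":"https://example.sharepoint.com/sites/legal/"}' }
    [pscustomobject]@{ CreationDate = [datetime]'2023-04-03 08:30'; UserIds = 'lars@example.com'; Operations = 'FileModified'
        AuditData = '{"Operation":"FileModified","Workload":"SharePoint","SourceFileName":"Notes.docx","SiteUrl":"https://example.sharepoint.com/sites/legal/"}' }
    [pscustomobject]@{ CreationDate = [datetime]'2023-07-06 03:00'; UserIds = 'app@sharepoint'; Operations = 'FileDeletedFirstStageRecycleBin'
        AuditData = '{"Operation":"FileDeletedFirstStageRecycleBin","Workload":"SharePoint","SourceFileName":"Old.pptx","SiteUrl":"https://example.sharepoint.com/sites/legal/"}' }
)

function Get-FileDeletionEvents {
    # Unpack AuditData and keep records whose operation is any accepted deletion name
    param([object[]]$AuditRecords, [string[]]$Operations)
    foreach ($rec in $AuditRecords) {
        $data = $rec.AuditData | ConvertFrom-Json
        if ($Operations -contains $data.Operation) {
            [pscustomobject]@{
                Time      = $rec.CreationDate
                User      = $rec.UserIds
                Operation = $data.Operation
                Workload  = $data.Workload
                File      = $data.SourceFileName
                Site      = $data.SiteUrl
            }
        }
    }
}

function Get-UnrecognizedOperations {
    # Count records whose operation name is not on the allow-list
    param([object[]]$AuditRecords, [string[]]$KnownOperations)
    $AuditRecords |
        Where-Object { $KnownOperations -notcontains $_.Operations } |
        Group-Object Operations |
        Select-Object @{ n = 'Operation'; e = { $_.Name } }, Count
}

$Deletions = Get-FileDeletionEvents -AuditRecords $Records -Operations $DeletionOps
$Deletions | Sort-Object Time | Format-Table Time, User, Operation, File -AutoSize

# Deletions per user across both operation names
$Deletions | Group-Object User | Select-Object Name, Count | Format-Table -AutoSize

# Anything listed here needs a decision: map it, add it to the allow-list, or ignore it
Get-UnrecognizedOperations -AuditRecords $Records -KnownOperations $KnownOps | Format-Table -AutoSize
```

Running the unrecognized-operations check on every export, and alerting when it returns rows, turns an unannounced rename into a visible event rather than a gap in the external repository.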

Updates without Warning Reduce Confidence

The bottom line is that reliable audit data is an important part of a compliance ecosystem. If audit data is missing or becomes difficult to interrogate, those who work with audit data lose a little faith because it isn’t as comprehensive and accurate as they expect. And that’s a great pity.

Microsoft Launches Simplified Sharing for Microsoft 365 Apps
https://office365itpros.com/2023/08/04/simplified-sharing-experience/
Fri, 04 Aug 2023 01:00:00 +0000

Making Sharing of Files and Folders Easier

Apart from Microsoft 365 roadmap item 124933, I can’t find a formal announcement about the Simplified Sharing Experience, but I have been aware that Microsoft recently updated the share dialog used by Microsoft 365 apps to make it easier and more straightforward to use. According to a LinkedIn post (Figure 1), Microsoft ran an A/B experiment to test the new dialog. I guess I was one of the testers! In any case, the new sharing dialog is now available in all Microsoft 365 tenants. Users of OneDrive consumer will see the upgraded dialog in the second half of 2023.

Figure 1: Microsoft spreads the news about the simplified sharing experience

The Role of the Share Dialog

The share dialog is what people see when they share a document or folder with others inside or outside their organization. According to Microsoft, the dialog is used over 800 million times monthly across 52 different Microsoft 365 experiences (desktop, browser, and mobile). In other words, Microsoft 365 apps offer users the opportunity to share in 52 different places across the suite. The most common of the experiences are likely in SharePoint Online, OneDrive for Windows, and Teams.

Microsoft says that they focused on creating a dialog that makes it simpler for users to perform core sharing tasks. When someone invokes the new screen (Figure 2) to share a file or folder, they see a simpler layout pre-populated with the default sharing link as specified by the tenant or site policy (in this case, the sharing link allows access to people within the organization). The name of the sensitivity label assigned to the document is also shown to provide a visual indicator about its relative confidentiality.

Figure 2: The revamped sharing link dialog

To complete the link, add the people to notify and enter a note to tell them what to do, and click Send to have the message sent by email or Copy link to copy the sharing link to the clipboard.

If you need to change the type of sharing link, select the cogwheel to expose the link settings (Figure 3). Again, everything is very straightforward and simple. If you choose a link that allows external sharing, I’m told that the new design “makes users more comfortable with sharing.” I’m not quite sure what this means, but any of the sharing that I’ve done with people outside the organization has worked smoothly.

Figure 3: Editing the setting for a sharing link

Microsoft has also overhauled the Manage access dialog to help people manage the set of users and groups that have access to a file or folder (Figure 4).

Figure 4: The revamped manage access dialog

Microsoft says that customer feedback about the new dialog is very positive. It’s worth noting that this is not the first time that Microsoft has revamped the sharing dialog. The last major overhaul was in 2020-21 when Microsoft rationalized on a common sharing dialog for all apps, notably for Teams.

The Importance of Sharing

Getting sharing right is clearly important. When Microsoft launched the Delve app in 2015, it resulted in a crescendo of protest from tenants who suddenly found that Delve suggested documents to users when the organization thought that Delve should not. Of course, the software did nothing wrong. Delve respected the access rights given to users when it computed the set of interesting documents to suggest (using an early version of Graph document insights). The problem was entirely down to poor management and access control, often at the level of complete SharePoint Online sites. Users might not have realized that they had access to the documents in poorly-protected sites, but software can’t be blamed if it goes looking for documents to suggest to a user and finds some that are available.

We’re heading for a similar situation with Microsoft 365 Copilot. The Copilot software depends on finding information with Graph queries to help satisfy user prompts. Like Delve, Copilot will find files that are available to the user who prompts for help, and the results generated for the user might include some confidential information. And if the user doesn’t bother to check the content generated by Copilot, the information might then be revealed to people who shouldn’t have it. This is the danger of oversharing, and it’s certainly an issue that organizations contemplating Microsoft 365 Copilot need to resolve before implementation.

Simplified Sharing Experience One Step Along the Path

The new sharing dialog won’t solve oversharing. It’s just one step along the path to help users share information with the right people in the right way.


OneDrive Personal Gets File Exclusions
https://office365itpros.com/2023/06/28/onedrive-file-type-exclusions/
Wed, 28 Jun 2023 01:00:00 +0000

OneDrive File Type Exclusions Control Synchronization for Sync Clients

Microsoft 365 message center notification MC597037 (updated June 27, 2023) brings news that the OneDrive sync client will display information about files blocked from synchronization by tenant administrators. Worldwide deployment of the updated sync client should finish by mid-July. In the past, users have been left in the dark when they discovered that some files wouldn’t synchronize, but now they can go to the Advanced settings section of the client to see what file types the tenant doesn’t allow them to synchronize.

Oddly, the description for Microsoft 365 roadmap item 124868 takes a different perspective and says:

“This feature will allow you to configure OneDrive Sync Setting to exclude selected files and selected file types from syncing to OneDrive. When available the configuration settings will be located in the OneDrive admin center.”

It seems like a little copy and pasting mistake because it’s long been possible for tenants to exclude file types from synchronization. Microsoft’s documentation explains how to achieve the goal using group policy. It’s also possible to impose a block by running the Set-SPOTenantSyncClientRestriction cmdlet from the SharePoint Online administration module. For example, this command blocks three file types:

Set-SPOTenantSyncClientRestriction  -ExcludedFileExtensions "mp4;rar;zip"

TenantRestrictionEnabled   : False
AllowedDomainList          : {}
BlockMacSync               : False
ExcludedFileExtensions     : {mp4, rar, zip}
OptOutOfGrooveBlock        : True
OptOutOfGrooveSoftBlock    : True
DisableReportProblemDialog : False

Running the Set-SPOTenantSyncClientRestriction cmdlet is the same as blocking file types through the Settings section of the SharePoint Online admin center (Figure 1). Both update the same configuration, which the OneDrive for Business sync client downloads and applies when it synchronizes files from the user’s OneDrive for Business account and whatever SharePoint Online document libraries are synchronized locally.

Figure 1: Defining file type exclusions for OneDrive for Business in the SharePoint Online admin center

The Effect of OneDrive File Type Exclusions on Synchronization

Introducing a block on a file type isn’t something to do without thinking. After I ran the cmdlet to block the MP4 file type, my OneDrive for Business client complained bitterly because it could no longer synchronize any Teams meeting recordings and other videos stored in OneDrive (Figure 2).

Figure 2: The OneDrive sync client has a problem with an excluded file type

Teams meeting recordings are possibly a bad example. According to Microsoft, few people go back and view a meeting recording after it is made, which is the reason why Teams applies an expiration tag to recordings after creating the files in OneDrive for Business or SharePoint Online. But I have many other MP4 files for which I want to keep a local copy, so maybe MP4 shouldn’t be on the file exclusion list.

It took the OneDrive for Business sync client several days to recover after updating the SharePoint policy to allow the synchronization of MP4 files, but eventually everything settled down and the client is now happy to process MP4 files again.

OneDrive File Type Exclusions for Personal Sync Client

In any case, file exclusions for OneDrive for Business are old news. What’s new is that Microsoft allows OneDrive Personal users to set their own exclusion list in the latest version of the client (I am using version 23.124.0613.0001). Because the client is for personal use, there’s no system-provided values. Instead, it’s up to the user to input the set of file types they want to exclude through the Advanced Settings section of the client (Figure 3).

Figure 3: Defining file type exclusions in the OneDrive Personal sync client

File type exclusions are specific to a device rather than an account. You’ll find the information you enter in the client in a text file at

c:\users\<user>\AppData\Local\Microsoft\OneDrive\settings\Personal\odignore.txt

If you run OneDrive Personal on multiple workstations, you’ll need to configure the settings on all workstations.

OneDrive File Type Exclusions are Client-Specific and Don’t Affect the Browser

The summary is that both the OneDrive for Business and OneDrive Personal sync clients now display details about file types excluded from synchronization. OneDrive for Business users can’t do anything to affect the set of excluded files (except persuade an administrator to change the tenant configuration) while OneDrive Personal users can make their own minds up. In both cases, remember that these settings only affect the OneDrive sync clients. They have no effect on the OneDrive browser client, meaning that users can upload and download whatever OneDrive content they like using a browser.


Assigning OneDrive Storage Quotas Based on Group Membership
https://office365itpros.com/2023/06/15/onedrive-storage-quota-manage/
Thu, 15 Jun 2023 01:00:00 +0000

Managing OneDrive Storage Quotas Through Groups

A reader asked if it is possible to control the assignment of OneDrive for Business storage quotas through groups, using a mechanism like group-based license management. The simple answer is that Microsoft 365 doesn’t support such a feature, but like many administrative operations, it’s relatively easy to automate with PowerShell.

Another article covers the basics of reporting and assigning OneDrive storage. OneDrive for Business accounts are personal SharePoint Online sites. Assigning a new storage quota to a user’s OneDrive account is done using the Set-SPOSite cmdlet from the SharePoint Online administration module. This is one of the Microsoft 365 modules that receives frequent updates, so make sure that you use the most recent version. It’s a good idea to check for updates monthly, either manually or using a PowerShell script to process the Microsoft 365 modules typically used by tenant administrators.

Creating a Script to Update OneDrive Storage Quotas

The steps required in the script to update OneDrive storage quotas based on group membership are:

  • Connect to SharePoint Online and the Microsoft Graph PowerShell SDK.
  • Read information about the target OneDrive storage allocations from some source. I used a CSV file with columns for the group name, group identifier, and storage allocation in megabytes. The names of the columns are group, groupid, and allocation.
  • Figure out the service domain for the tenant to calculate the root of OneDrive account URLs. This will be something like: https://office365itpros-my.sharepoint.com/personal/. Later, we combine a modified version of user principal names (replacing dot and @ characters with underscores) to form the URL for each account. An example is https://office365itpros-my.sharepoint.com/personal/James_Ryan_office365itpros_com.
  • For each group, get the group members. For each member, figure out the user’s OneDrive account URL and run the Get-SPOSite cmdlet to check its current storage quota. You can use any of the group types supported by Entra ID including dynamic Microsoft 365 groups. With some adjustments to the code, it would also be possible to use an Exchange Online dynamic distribution list.
  • If the assigned quota is less than the desired quota, run the Set-SPOSite cmdlet to increase the quota.
  • Create a report about what happened (Figure 1).

Figure 1: Reporting adjustments made to OneDrive storage quotas

The script includes nothing complicated in terms of code. You can download the script I wrote from GitHub. Remember that the script is not bulletproof in terms of error handling. Its intention is to prove the principle of what is possible. The script should run without a problem if you sign in with a tenant administrator account. I have not tested the code in an Azure Automation runbook (to run the script on a schedule), but I think that adapting the code for Azure Automation would not be difficult.
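
The steps listed above can be sketched as follows. This is an added example, not the script the author published on GitHub. The CSV path, the $ReportOnly switch, and the rule that a user in several groups receives the largest allocation are assumptions, as is deriving the tenant name from the initial onmicrosoft.com domain.

```powershell
# Added example (not the author's GitHub script).
# Assumptions: CSV location; columns group, groupid, allocation (MB) as described above.
$CsvPath    = 'C:\Temp\OneDriveAllocations.csv'   # assumed location
$ReportOnly = $true                                # set to $false to apply changes

Connect-MgGraph -Scopes 'GroupMember.Read.All','User.Read.All','Organization.Read.All' | Out-Null

# Derive the service domain from the tenant's initial (onmicrosoft.com) domain.
# Assumption: the SharePoint domain still matches the initial domain name.
$InitialDomain = ((Get-MgOrganization).VerifiedDomains | Where-Object { $_.IsInitial }).Name
$TenantName    = $InitialDomain.Split('.')[0]
Connect-SPOService -Url ('https://{0}-admin.sharepoint.com' -f $TenantName)
$OneDriveRoot  = 'https://{0}-my.sharepoint.com/personal/' -f $TenantName

# Pass 1: work out the highest allocation per user, so that a user who belongs to
# several groups ends up with the largest quota any of those groups grants.
$Targets = @{}
foreach ($Row in (Import-Csv -Path $CsvPath)) {
    $Allocation = [int64]$Row.allocation
    $Members = Get-MgGroupMember -GroupId $Row.groupid -All |
        Where-Object { $_.AdditionalProperties['@odata.type'] -eq '#microsoft.graph.user' }
    foreach ($Member in $Members) {
        $Upn = $Member.AdditionalProperties['userPrincipalName']
        if (-not $Upn) { continue }
        if (-not $Targets.ContainsKey($Upn) -or $Targets[$Upn].Allocation -lt $Allocation) {
            $Targets[$Upn] = @{ Allocation = $Allocation; Group = $Row.group }
        }
    }
}

# Pass 2: compare each account's current quota with its target and only ever increase it.
$Report = [System.Collections.Generic.List[Object]]::new()
foreach ($Upn in $Targets.Keys) {
    # Replace dot and @ characters with underscores to form the account URL
    $Url     = $OneDriveRoot + ($Upn -replace '[.@]', '_')
    $Target  = $Targets[$Upn].Allocation
    $Current = $null
    try {
        $Site    = Get-SPOSite -Identity $Url -ErrorAction Stop
        $Current = $Site.StorageQuota              # reported in megabytes
        if ($Current -ge $Target) {
            $Outcome = 'No change (quota already sufficient)'
        } elseif ($ReportOnly) {
            $Outcome = 'Would increase'
        } else {
            Set-SPOSite -Identity $Url -StorageQuota $Target -ErrorAction Stop
            $Outcome = 'Increased'
        }
    } catch {
        # Typically an account without a provisioned OneDrive (for example, a guest)
        $Outcome = "Skipped: $($_.Exception.Message)"
    }
    $Report.Add([PSCustomObject]@{
        User           = $Upn
        Group          = $Targets[$Upn].Group
        CurrentQuotaMB = $Current
        TargetQuotaMB  = $Target
        Outcome        = $Outcome
    })
}
$Report | Sort-Object User | Format-Table -AutoSize
```

Running with $ReportOnly set to $true first shows which accounts would change before any quota is written.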

Use Azure AD Administrative Units Instead of Groups

Azure AD administrative units are the current flavor of the month in Microsoft Purview with many solutions, including Data loss prevention (DLP) and Data lifecycle management (retention) supporting the use of administrative units to scope policies. If you have the necessary Azure AD Premium licenses, you could use administrative units as the basis for storage assignment.

This article explains how to use PowerShell to retrieve information from administrative units. Instead of fetching a set of user principal names for group members, you’d fetch the same information for the members of an administrative unit, like this:

[array]$GroupMemberUPN = (Get-MgBetaAdministrativeUnitMember -AdministrativeUnitId 150dccad-f8b8-4e54-9246-89834b8b5a25).AdditionalProperties.userPrincipalName

PowerShell Automation Scores Again

It would be nice if Microsoft included group-based OneDrive storage management in SharePoint Online. However, this functionality is probably not high on their priority list for new development. This is yet another example of how PowerShell fills in the cracks and gaps left in Microsoft 365 management and underscores why tenant administrators should have the ability to perform at least simple tasks with PowerShell.


How the Request Files Feature Works in SharePoint Online
https://office365itpros.com/2023/03/30/sharepoint-online-request-files/ Thu, 30 Mar 2023 01:00:00 +0000

Similar but Different to Request Files in OneDrive for Business

In January 2020, I wrote about the feature that allows OneDrive for Business users to ask people to upload files to a folder. Time moves on and message center MC495329 (7 January 2023) announced the arrival of a similar feature for SharePoint Online document libraries. According to Microsoft 365 roadmap item 103625, rollout started in February. It’s taken a while for it to show up in my tenant, or maybe I just haven’t looked hard enough.

In any case, Microsoft says that the feature is “an easy and secure way to request and obtain files from anyone.” Essentially, you select a folder in a document library that you want to use as a target for uploads. You then create a request files link that you give to the people who have the information you want. For instance, these might be professional advisors working on some documents relating to a project. They use the link to upload the files to the target folder, which site members can then interact with as normal.

Any site member can generate a link by selecting the target folder and choosing the Request files option from the […] menu. SharePoint Online generates a link (Figure 1), which the user can share using whatever method they like.

Figure 1: SharePoint Online creates a Request Files link

People who upload files don’t have any visibility into site contents and can’t see the files once they upload them to the site. This is a one-way transmission.

Getting SharePoint Online Ready for Request Files

The support documentation for the Request Files feature is available online. I don’t intend to repeat it here. However, some points from the feature documentation deserve emphasis.

First, the Request Files feature depends on Anyone sharing links. If your tenant doesn’t allow people to create Anyone links, they won’t be able to request external people to upload files to a folder. The permissions allowed for the link must include upload rather than just view and edit.

Second, Microsoft checks if Anyone links are enabled in a tenant when they deploy the software update for the Request files feature. If the tenant allows Anyone links, Microsoft enables all sites to support the feature. Originally, my tenant blocked Anyone links, which meant that the default condition applied (disabled) for all sites. After enabling Anyone links, I had to explicitly enable Request files for sites to make the option available.

Other restrictions can interfere with the ability of users to create Request Files links. For example, if you apply the file download block policy to a site, the option to request a link is unavailable.

Apart from enabling Anyone links (through the SharePoint Online admin center), control over how Request Files works is via PowerShell. The Set-SPOTenant cmdlet enables or disables the feature across the entire tenant. This command makes sure that the feature is enabled for the tenant and sets the expiration for request files links to seven days:

Set-SPOTenant -CoreRequestFilesLinkEnabled $True -CoreRequestFilesLinkExpirationInDays 7

While this command disables the feature for a specific site:

$SiteURL = "https://office365itpros.sharepoint.com/sites/SecureSite"
Set-SPOSite -Identity $SiteURL -RequestFilesLinkEnabled $False 

To check the site settings, run:

Get-SPOSite -Identity $SiteURL -Detailed | Select-Object Request*

RequestFilesLinkEnabled RequestFilesLinkExpirationInDays
----------------------- --------------------------------
                  False                                7

Like any change to SharePoint Online settings, it can take up to a day before updates are effective.

By default, the site inherits the value for the link expiration setting from the tenant configuration, but you can define a more restrictive expiration period if you like. You can’t override the tenant configuration and define a less restrictive expiration period for a site. The link expiration period can be anything from 0 (zero) to 730 days (two years). Usually, the more secure the site, the lower the link expiration period.
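
To review the settings described above across a tenant, the following added example (not code from the original article) lists the tenant-level Request Files configuration and every site where the feature is enabled, with a note on each site's link expiration. It assumes an existing Connect-SPOService session; the $MaxDays ceiling is a hypothetical policy value chosen for illustration.

```powershell
# Added example; assumes Connect-SPOService has already been run by a SharePoint administrator.
$MaxDays = 7   # assumed organizational ceiling for link validity, not a Microsoft default

# Tenant-level posture: Anyone links plus the Request Files switches for SharePoint and OneDrive
Get-SPOTenant |
    Select-Object SharingCapability,
                  CoreRequestFilesLinkEnabled, CoreRequestFilesLinkExpirationInDays,
                  OneDriveRequestFilesLinkEnabled, OneDriveRequestFilesLinkExpirationInDays |
    Format-List | Out-Host

# Site-level posture: the Request* properties are read per site with -Detailed,
# as in the check shown earlier in the article.
$Findings = [System.Collections.Generic.List[Object]]::new()
foreach ($Site in (Get-SPOSite -Limit All)) {
    $Detail = Get-SPOSite -Identity $Site.Url -Detailed -ErrorAction SilentlyContinue
    if (-not $Detail -or -not $Detail.RequestFilesLinkEnabled) { continue }

    $Days = $Detail.RequestFilesLinkExpirationInDays
    $Note = if ($Detail.SharingCapability -ne 'ExternalUserAndGuestSharing') {
                # Request Files depends on Anyone links, so the setting has no effect here
                'Enabled, but the site does not allow Anyone links'
            } elseif ($Days -eq 0) {
                # 0 is inside the valid range (0 to 730); listed for manual review
                'Expiration is 0: review manually'
            } elseif ($Days -gt $MaxDays) {
                "Expiration exceeds the $MaxDays-day ceiling"
            } else {
                'Within ceiling'
            }

    $Findings.Add([PSCustomObject]@{
        Site             = $Detail.Url
        SharingSetting   = $Detail.SharingCapability
        ExpirationInDays = $Days
        Note             = $Note
    })
}
$Findings | Sort-Object ExpirationInDays -Descending | Format-Table -AutoSize
```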

OneDrive for Business Settings

As noted above, OneDrive for Business also supports the Request Files feature. The OneDriveRequestFilesLinkEnabled setting in the tenant configuration controls if the feature is available in OneDrive for Business accounts while the OneDriveRequestFilesLinkExpirationInDays sets the expiration period for the sharing links. You can’t prohibit Request Files for selected OneDrive for Business accounts. The feature is either enabled or disabled for all.

Set-SPOTenant -OneDriveRequestFilesLinkEnabled $True -OneDriveRequestFilesLinkExpirationInDays 7

Using Request Files

When someone uses a Request Files link, SharePoint redirects them to a special page where they can select files to upload together with some personal details (First and Last Name) to let the requestor know who uploaded files to the folder (Figure 2).

Figure 2: Uploading files using a Files Request link

The person who created the request files link receives email from SharePoint when someone uses the link to successfully upload files to the document library (Figure 3).

Figure 3: Email notification from SharePoint Online about newly uploaded files

Figure 4 shows a set of files uploaded to a folder in a document library. SharePoint Online doesn’t validate the details of a person who uploads a file, so the name recorded as a prefix for the filename could be incorrect or false. That’s not important because it’s assumed that the person who requests file uploads will process whatever comes in afterward to decide what’s useful (or not), rename files, and so on.

Figure 4: Files uploaded by external users to SharePoint Online

In terms of tracking the use of the Files Request feature, SharePoint Online captures when a link is used and a file is uploaded in the audit log. This PowerShell code finds the events for the last 14 days and reports them.

Connect-ExchangeOnline
[array]$Records = (Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-14) -EndDate (Get-Date) -Operations FileRequestUsed, FileUploaded -ResultSize 1000)
If (!($Records)) {Write-Host "No File upload records found - exiting" ; break}

$Report = [System.Collections.Generic.List[Object]]::new()
Write-Host "Processing" $Records.Count "audit records..."
ForEach ($Rec in $Records) {
  $AuditData = ConvertFrom-Json $Rec.Auditdata
  Switch ($AuditData.Operation) {
    "FileUploaded" {
       $FileName  = $AuditData.SourceFileName.SubString(7,($AuditData.SourceFileName.Length-7))
    }
    "FileRequestUsed" {
       $FileName = $Null 
    }
  } # End Switch
  $ReportLine = [PSCustomObject]@{
      TimeStamp    = Get-Date $AuditData.CreationTime -format g
      UploadedBy   = $AuditData.UserId
      Action       = $AuditData.Operation
      ClientIP     = $AuditData.ClientIP
      Folder       = $AuditData.SourceRelativeUrl.Split("/")[1] 
      FileName     = $FileName
      SiteURL      = $AuditData.SiteURL
      Site         = $AuditData.SiteURL.Split("/")[4]           }
  $Report.Add($ReportLine)
  
} #End Foreach Record

# Remove normal uploads
$Report = $Report | Where-Object {$_.UploadedBy -notlike "*@*"}
$Report | Select-Object Timestamp, Site, Folder, FileName  -Unique

Control Over Files Request

Some people might be cautious about using a feature that allows external people to upload files to SharePoint Online. It could, after all, be a vector that an attacker could abuse to upload infected files. On the other hand, is it any more dangerous than asking external people to email attachments to an internal user so that they can upload the files to SharePoint Online?

Control is available by:

  • Limiting the number of sites that support Files request.
  • Limiting the validity of file request links.
  • Training users to use the Files Request feature sparingly, and if they use it, they should take the responsibility of restricting access to the upload link and checking whatever files external people upload before making those files available more broadly within the tenant.

Like any new feature, it will take time for tenants to operationalize Files Request. Happy uploading!


Microsoft Introduces New Syntex-SharePoint Advanced Management License
https://office365itpros.com/2023/02/21/syntex-advanced-management-license/ Tue, 21 Feb 2023 01:00:00 +0000

Syntex-SharePoint Advanced Management Covers Secure Collaboration for SharePoint Online

Updated 2 March 2022

I know that many Microsoft 365 organizations don’t use sensitivity labels, even if they have the necessary licenses to use labels to protect content. All Office 365 licenses allow users to read protected content, but you need Office 365 E3 or above to apply labels to files, and Office 365 E5 or Microsoft 365 Compliance E5 for auto-label processing. At least, that’s been the case up to now.

Applying a default sensitivity label for a SharePoint Online document library (Figure 1) counts as automatic processing. Apparently, Microsoft considers the fact that new and modified documents in the library pick up the sensitivity label (unless previously labeled) as reason enough. In late January 2023, Microsoft revealed that this feature was one of the set to be licensed through a new Microsoft Syntex-SharePoint Advanced Management license.

Figure 1: Using a default sensitivity label with a document library requires a Syntex advanced management license

Features Enabled by the Microsoft Syntex-SharePoint Advanced Management License

The new license is in preview and includes other elements to improve secure collaboration based on SharePoint Online and OneDrive for Business, including:

  • Using sensitivity labels with Azure AD authentication contexts to limit access to SharePoint Online sites. This feature has been in preview since 2021.
  • Restricting access to a SharePoint Online site to members of a Microsoft 365 group. This restriction blocks users who have received access to a file in the site.
  • Blocking the download of files from SharePoint Online sites or OneDrive for Business accounts without the need to use Azure AD conditional access policies. In other words, users are forced to use a browser to access the site or account and cannot download, print, or synchronize files. The restriction also blocks access to the Office desktop apps because these apps need to download files to work on them locally.

In addition, Syntex-SharePoint Advanced Management includes some management and governance features. The three examples cited appear to be instances where it’s possible for administrators to do the same thing with some effort. Microsoft is making it easier. For example, the ability to limit access to OneDrive for Business to those who are members of a specific security group stops people licensed to use OneDrive but who aren’t members of the security group from using the app. The same effect is possible by simply removing the OneDrive service plan from their assigned licenses.

I haven’t seen what actions are included in the feature to export recent SharePoint site actions, but it might be possible to replicate the functionality by fetching SharePoint management events from the unified audit log.

My assumption is that any user who takes advantage of a feature licensed by Syntex advanced management requires a license. For instance, site members of a site where a document library uses a default sensitivity label all require Syntex-SharePoint Advanced Management licenses.

I can’t find a public announcement by Microsoft about the Syntex-SharePoint Advanced Management license. Cynics will say that this is another example of how Microsoft creates licenses for new functionality to generate additional revenue from its installed base. A more benign view is that the new license allows people with Office 365 E3 licenses to use the security and governance features enabled by Syntex Advanced Management. When I find out more details about licensing, including if some features covered by Syntex Advanced Management are also available through other licenses, I shall share the information.

Viewing Metadata for Protected Files

On an associated topic, I was asked why the metadata of documents protected by sensitivity labels remains visible to people who have no right to access these files. It’s a good question because some get confused when they notice an interesting document in a library but can’t open it because they’re blocked by the rights assigned in the label. For instance, who wouldn’t want to open a document with a title like “Proposed Pay Rises for Staff”?

When you enable SharePoint Online and OneDrive for Business to support sensitivity labels, it allows the workloads to deal with protected (encrypted) content. SharePoint Online stores protected files in an unencrypted format to allow functions like indexing and data loss prevention policies to work. Any access to a document, such as a user opening or downloading a file, causes SharePoint Online to encrypt the document so that the application used to open the file (like Word) can apply the rights assigned to the user. Everything works very nicely and those who have access to files can work with that content and those who don’t cannot.

When browsing items in a document library, site members can see metadata like the titles and authors of protected documents. Attempts to open these documents fail if the user doesn’t have the necessary rights. Because SharePoint Online doesn’t encrypt or obscure the metadata, those users know that documents with potentially very interesting content are available.

How SharePoint Online Stores Documents

The reason why document metadata is visible to all site members is rooted in how SharePoint Online stores documents. SharePoint Online uses Azure SQL as its storage platform. Blob storage holds documents and other files while metadata is in a separate table (list). The Azure SQL data is heavily protected against illegal access. Once a user has access to a document library, the assumption is that SharePoint can show them all the items, which is what they see in the list shown in a browser or the Teams files channel tab. It’s only when a user attempts to access a protected document that SharePoint Online validates their right to open that content.

You can argue that SharePoint Online and OneDrive for Business should hide the existence of protected documents that the user can’t open, but this would require SharePoint Online to check that access before displaying documents in a library. Such a check would incur a huge performance penalty because SharePoint Online cannot assume that the rights assigned in a sensitivity label are the same as the last time it checked.

New Functionality, New Costs

Although the news about the Syntex-SharePoint Advanced Management license will disappoint some, it’s reasonable that Microsoft should charge extra for security and management features that not every Microsoft 365 tenant will want or need. Those that need the functionality will simply have to pay the $3/user monthly cost. Hasn’t that always been the way?


Video Recording Feature Now Available for Stream for SharePoint
https://office365itpros.com/2022/09/20/recording-video-stream-sharepoint/ Tue, 20 Sep 2022 01:00:00 +0000

Another Functionality Gap Plugged

Microsoft 365 notification MC400977 (updated August 31) covers the introduction of the Recording video feature in the Stream for SharePoint browser client (Microsoft 365 roadmap item 88522). This is part of the work to replace the old Stream classic browser interface by introducing a new Stream portal. In this instance, the upgrade allows users to create 15-minute videos by recording themselves or their screen.

Users in targeted release tenants should now have this functionality. General availability roll-out is ongoing and should be complete by the end of October.

In passing, it’s worth noting that beta versions of the Stream 2.0 apps for iOS and Android (Figure 1) are available for testing. This version allows users to play videos stored in Stream Classic and Stream for SharePoint. Although the app doesn’t yet support recording, it’s good to see the ecosystem building out.

Figure 1: Stream for SharePoint (iOS – beta)

Recording a Stream Video

Getting back to the Stream for SharePoint browser client, Microsoft says “Users will now be able to use the new Stream camera to record their webcam, record their screen, add edits (think ink, text, backgrounds, and filters) and upload to their OneDrive. Future iterations of the camera will include more features, such as adding music clips.”

Update: the Stream browser app now offers two options for recording: camera and screen.

In other words, Stream can use the technologies built into a workstation to record video (webcam) and screen, and then do some basic editing (some applied before recording starts), before storing everything in OneDrive for Business.

To begin, select the big New recording button in the Stream client. This launches a new browser tab ready to record video. Like Teams, Stream supports background effects (referred to as a backdrop), and offers the set of default background images available in Teams along with background blur and the ability to upload an image. Unfortunately, there doesn’t seem to be a way to save a custom background the way you can with Teams, nor does Stream offer the chance to use any custom background images you’ve already uploaded for Teams. As shown in Figure 2, the same green-screen technique is used to place the user in front of the background image. Interestingly, grab handles are available for the user image to allow the user to drag and place their image anywhere on the recording canvas. They can also resize their image to make it larger or smaller as appropriate to the content being recorded.

Figure 2: Setting a backdrop to record a Video in Stream

You can have great fun playing with the effects built into the Stream camera. Anyone who’s accustomed to working with video apps on mobile phones or other platforms will find nothing challenging here. In my case, I limited myself to moving my picture to the bottom right of the backdrop and inserting some text (Figure 3).

Figure 3: Adding text to a Stream recording

When everything’s ready, click the big round record button. Stream starts a three-second countdown (to settle your nerves) and then starts to record. When you’re finished (or come to the end of the 15 minute maximum supported for recordings), hit the stop button. You now have an opportunity to review what Stream captured (Figure 4). If you’re happy to keep the content, click Publish.

Figure 4: Reviewing a Stream recording before publication

If you have an app like OBS VirtualCam or Snap camera that appears as a valid device camera, you can use these devices instead of a standard webcam.

Recording Files

When it publishes a video, Stream writes it into the top level of the user’s OneDrive for Business account. It would be nice if Stream allowed you to define a folder to store these recordings. The files are named after the date and time of the recording, so you end up with files like 20220913_203811 (recorded on 13 September, 2022 at 20:38:11). Files have a .webm extension, indicating that the files are saved in the WebM format.

Updating Recordings

Once stored in OneDrive for Business, you can update the properties of recordings to generate a transcript and captions, add some text to describe what the video is about, and allow or disable comments (Figure 5), or share the recording with other people.

Figure 5: Updating a Stream recording after publication

One thing I do is rename the file to give the recording a title that’s more appropriate to its content. Renaming has a consequence. The Stream client caches information about videos and will continue to display the old file name for a while after the rename happens. Any attempt to access the video at this point will fail because Stream tries to open the file with the old name. However, after a few minutes (or a browser refresh), the cache should catch up with actuality and display the new name.

Relationship with Clipchamp

Microsoft acquired Clipchamp in late 2021. Since then we’ve been waiting to see how Microsoft will make Clipchamp available to Microsoft 365 commercial customers (it’s already included in the Microsoft 365 family and personal plans). It seems reasonable to assume that Microsoft will include Clipchamp Essentials in Office 365 SKUs at some point in the future to allow users to edit the videos they record with Stream (the trim feature available in Stream classic is unavailable for the new Stream) or import from other sources, or indeed stitch segments captured in individual files together to create a longer video.

Stream Continuing to Evolve

Microsoft is making steady progress on the transition to Stream on SharePoint. The new web player is 100% deployed to Office 365 commercial tenants (not yet GCC) to play videos stored in Teams, SharePoint Online, and OneDrive for Business. Being able to record videos is another important part of the puzzle and it’s nice to see that it’s available now.


SharePoint Online to Apply Default Sensitivity Labels to Modified Documents
https://office365itpros.com/2022/06/22/default-sensitivity-labels-spo/ Wed, 22 Jun 2022 01:00:00 +0000

Fills Gap in Current Implementation

Updated: August 15, 2022

Message center notification MC393822 (18 June – Microsoft 365 roadmap item 93209, and updated in MC412375 on August 11, 2022) informs tenants about an important change to the way sensitivity label policies apply default sensitivity labels. Up to now, if you define a default label in a policy to apply to documents (Figure 1), SharePoint Online and OneDrive for Business assign the label to new documents created in sites that come within the scope of the policy. MC412375 says that the public preview for the change will roll-out in late August and be available everywhere by mid-October.

Figure 1: Selecting a default sensitivity label for a policy

Change Applies to Modified Files

The change Microsoft is rolling out in public preview from mid-June is to make sure that when people edit unlabeled (existing) Word, PowerPoint, or Excel files, SharePoint and OneDrive stamp the default label on the file. The functionality already works for the Office web applications and is now extending to Office on Windows and macOS.

Obviously, this is a good change for organizations that want to ensure that all documents have at least a default sensitivity label. Until now, the default label guaranteed that new documents received sensitivity labels, but this left a huge gap in terms of all the files created prior to the implementation of sensitivity labels.

Auto-label policies help close the gap because background processes can scan sites for documents and apply labels to the files if they don’t already have a label. The problem is that auto-label policies are a premium feature. However, if you have the necessary licenses, auto-label policies are a good way to achieve coverage of a large number of preexisting files.

Another change that’s coming soon is the ability to configure a default sensitivity label for a document library, much like you can do with retention labels. Again, this is a premium feature and it’s likely to require Office 365 E5 or Microsoft 365 Compliance E5 licenses.

API to Bulk Apply Sensitivity Labels

One missing piece in the puzzle is the lack of an API to allow organizations and ISVs to create applications to apply sensitivity labels in bulk. Microsoft’s AIP Scanner is an example of such an application. The scanner can apply sensitivity labels to protect information found on file shares or SharePoint on-premises sites. Other use cases include tenant-to-tenant migrations where the need might exist to apply sensitivity labels to a set of documents inherited from a tenant belonging to a company being acquired. There’s nothing off-the-shelf that can handle such a scenario today, and the prospect of having to apply labels manually is unattractive.

Apparently, an API is coming, but it will be a paid-for consumption-based API like that available for Teams Export. In other words, you’ll be able to build an application to apply sensitivity labels to a bunch of files (probably throttled at a certain level to reduce strain on the service), providing you have an Azure subscription to pay the bills.

Making Sensitivity Labels Mainstream

Sensitivity labels are still relatively uncommon inside Office 365 tenants. Microsoft is the only source that can definitively say what percentage of tenants use sensitivity labels or how much of their content has labels. Changes to allow tenants to apply sensitivity labels more effectively by default, or to spread sensitivity label support more widely (like the work done to make it easier to protect PDFs), help to encourage more organizations to consider sensitivity labels to be a mainstream part of their overall information protection strategy. However, it’s still going to take time before sensitivity labels become the norm inside Microsoft 365.


New Stream Client Worth Checking Out
https://office365itpros.com/2022/06/17/new-stream-client-features/ Fri, 17 Jun 2022 01:00:00 +0000

But Only for New Content

Earlier this week, I wrote about updating the Stream tile in the Microsoft 365 app launcher to point to the preview version of the new Stream client (aka Stream on SharePoint) instead of Stream classic. Since then, I’ve been exercising the new client to understand its strengths and weaknesses. In fact, the new Stream client is a composite of the browser interface to manage videos and the web player to play videos and control their settings. If you play a video from the OneDrive for Business or SharePoint Online clients, those clients launch the same player.

The first question I received after the original post was, “can I access my old videos in the new client?” Alas, the answer is no. At least, not until Microsoft delivers the migration capability to move videos out of the old Azure blob storage to OneDrive for Business and SharePoint Online (ODSP). For now, the only videos you can access through the new client are:

  • Teams meeting recordings (both your recordings and ones shared with you).
  • Videos that you upload to the new client (or OneDrive for Business). This includes video files uploaded through applications like Yammer and Teams.
  • Videos shared with you.
  • Videos attached to emails in your Exchange Online mailbox. I don’t know if Microsoft Search is clever enough to find videos in Exchange on-premises hybrid mailboxes.

There are not many user settings to tweak for the new Stream client. You can change to dark mode, and that’s about all.

Using Graph Insights

The first thing I found is that the new Stream client is smarter than the old one. Take the set of videos highlighted at the top of the video list. The far-left video is tagged “this may relate to a recent meeting.”

Figure 1: The new Stream client

I’d used another new feature – Add to a calendar item – to include a link to a video in a meeting invitation. Stream calls the OWA create meeting screen (Figure 2) to set up the meeting, complete with an embedded link to the video and the ability to adjust sharing to accommodate all the meeting participants. Because I sent the invitation, Stream figured that I maybe should review the video myself before the call. It’s a nice use of the Graph Meeting Insights API.

Figure 2: Adding a video to an OWA meeting invitation

The Add to options for videos also includes To Do. It’s not a very exciting option because it creates a very bare-bones personal task in To Do. I assume the purpose is that the task will remind you to do something with the video, but if you want a full reminder of what you need to do, you’ll need to open the task and add a note to yourself. And who remembers to do that…

Share to Teams

Seeing that the new Stream client is essentially OneDrive for Video, sharing is a strength. The old client was very inward-focused, but the new client allows users to share videos with anyone they can send an email to. You can also share to Teams, using the same functionality that’s available in Outlook, to post a message containing a video link to a person, group, or channel.

Transcripts

For a long time, Stream classic generated transcripts for uploaded videos (it also had a people view where you could find places where someone appeared in a video). In August 2021, Microsoft decided to reduce the amount of data involved in the Stream 2.0 migration by removing some transcripts. The new Stream doesn’t generate a transcript when it uploads videos. Instead, if the spoken language in the video is English, Stream can generate an automatic transcript. Otherwise, you’ll need to create your own transcript.

A transcript is a collection of time-coded text snippets (the same text is used for closed captions) in the VTT format. Figure 3 shows a video playing with both the transcript and captions on display.

Figure 3: Viewing a transcript for a Stream video

You can download the automatically-generated transcript file and amend it with a text editor (or even better, a VTT editor – here’s a free online version). This allows you to correct phrases or even add speaker attribution to indicate who’s speaking. When you’re ready, you delete the existing transcript and upload your version for Stream to use.

Updating Video Details

Compared to the classic client, different capabilities are available to amend or interact with videos. For instance, there’s no way to trim a video (remove some content from the start and end of a video). This might well come in time, or perhaps Microsoft will deploy their Clipchamp acquisition for this purpose.

The options available in video settings are:

  • Choose your preferred thumbnail image for a video. You can move a slider through the video to find the frame you want and use that.
  • Publish details of a video. The editor is basic but good enough, and it’s more than sufficient to compose the text to give users information about the content (Figure 4). Regretfully, the filtering capability in the Stream client doesn’t use the descriptive text entered for videos, but the search (SharePoint search) does. The video owner can decide to turn the description on or off.
  • Ability to turn on comments for the video. The commenting engine is the same used for Office documents. The owner can allow or disable comments for a video, and they can also delete all existing comments for a video.
  • Ability to break large videos up into smaller chunks with chapter marks. Think of a chapter as a scene within a larger play. The chapter marks on the video timeline allow a user to navigate to the point they’re interested in.
  • Turn noise suppression on by default (a good thing if a video has a lot of background noise).

Figure 4: Viewing the title and description for a Stream video

Missing Pieces

I’ve already mentioned video trimming as a useful capability that’s not currently available in the new Stream client. Among the other missing features I’ve noticed are:

  • Replace a video.
  • Screen capture.
  • Organize videos into channels with Microsoft 365 groups.
  • Highlighting selected corporate videos managed at the organization level.

There are bound to be other features that I haven’t picked up yet, and some older features are redundant in the world of ODSP. For instance, the new Stream client uses the standard recycle bin and doesn’t need its own recovery mechanism.

Finally, the Stream mobile apps currently only access classic Stream files. So maybe that’s the trick until Microsoft completes the migration. Use the browser interface to work with new video content and revert to the mobile client to get to old files. It couldn’t be simpler!


Learn more about how the Office 365 applications really work on an ongoing basis by subscribing to the Office 365 for IT Pros eBook. Our monthly updates keep subscribers informed about what’s important across the Office 365 ecosystem.

Switch User Focus to the New SharePoint-Powered Stream https://office365itpros.com/2022/06/14/new-stream-switch-app-tile/?utm_source=rss&utm_medium=rss&utm_campaign=new-stream-switch-app-tile https://office365itpros.com/2022/06/14/new-stream-switch-app-tile/#comments Tue, 14 Jun 2022 01:00:00 +0000 https://office365itpros.com/?p=55503

Update the App Tile to Point to the New Stream

Message center notification MC381948 appeared on May 18, but I confess to not having paid much attention to it due to other more important topics. In any case, the notification informs tenants that they can configure the target for the Stream tile in the Office 365 app launcher to direct users to Stream powered by SharePoint rather than the classic Stream. Targeted release tenants should have the update now, with standard release tenants getting it in early July. By late August, all tenants should be able to update the app tile.

Classic Stream stores its video files in Azure blob storage. The plan of record is to move everything to SharePoint-based storage. Personal videos will be in OneDrive for Business while shared (group) videos will be in the document libraries of the SharePoint Online team sites belonging to Microsoft 365 groups (teams). Progression is already obvious as all newly-created Teams meeting recordings are now in the new location. Using SharePoint-based storage means that many features become available for videos, like the application of expiry dates for meeting recordings. In addition, OneDrive for Business offers a lot more storage quota for videos.

Migration a Work in Progress

The big piece of work remaining for Microsoft to do is the migration of old video content from classic Stream. The latest information is that Microsoft has the migration tool in private preview with some customers. Dates for when the migration tool will become generally available are unavailable.

Diverting the App Tile to the New Stream

In the interim, tenants might find it useful to divert users away from the old Stream and have them upload any new video content into OneDrive for Business. And that’s where MC381948 comes in. A new setting is available in the SharePoint admin center to control the behavior of the app tile for Stream. Three values are available:

  • The default option is to Automatically switch to Stream (on SharePoint). Microsoft controls this option and will set it after the migration of existing Stream content is complete.
  • Stream (on SharePoint) directs users to the preview GUI for the new Stream. The user can switch to the classic Stream GUI if they want.
  • Stream (Classic) forces people to use the classic Stream GUI.

In Figure 1, I chose to switch to the new Stream. After saving the choice, it takes about ten minutes for the option to ripple across the tenant (and maybe a browser refresh, just in case).

Figure 1: Switching the Stream App Tile to use the New Stream

In effect, the target URI for the app tile changes from https://web.microsoftstream.com/ to https://www.office.com/launch/stream. The new GUI (Figure 2) displays any video files found in the user’s OneDrive for Business plus any video attachments for Outlook messages. This ability to highlight video attachments leverages the new messages search vertical and highlights the role of the new Stream in managing video content stored anywhere in Microsoft 365 instead of just in a dedicated repository.

Figure 2: The New Stream UI

Feel the Power of an Updated App Tile

There’s not much more to say about the new option (nor any nuggets to glean from the Microsoft documentation). On the one hand, it makes sense to begin using the new video storage and management platform for new content. On the other hand, you can argue that it’s best to keep all video content in one place until the migration is ready. The fatal flaw in that argument is the storage of Teams meeting recordings in OneDrive for Business. I switched to embrace change. What will you do with your app tile?


Keep up with the changing world of the Microsoft 365 ecosystem by subscribing to the Office 365 for IT Pros eBook. Monthly updates mean that our subscribers learn about new developments as they happen.

The OneDrive for Business Recycle Bin, Searches, and Holds https://office365itpros.com/2022/06/10/onedrive-for-business-recycle-bin/?utm_source=rss&utm_medium=rss&utm_campaign=onedrive-for-business-recycle-bin https://office365itpros.com/2022/06/10/onedrive-for-business-recycle-bin/#comments Fri, 10 Jun 2022 01:00:00 +0000 https://office365itpros.com/?p=55438

OneDrive for Business is Popular Storage for Microsoft 365 Applications

Microsoft 365 applications use OneDrive for Business for all kinds of purposes apart from being the place for users to store personal files. Whiteboards, Teams meeting recordings, and Loop components are three examples of applications using its storage, and deleted items of these types pass through the OneDrive for Business Recycle Bin. The net takeaway is that Microsoft 365 treats OneDrive for Business as a great location to hold many types of application data.

One big reason why is that once data is in OneDrive for Business instead of other repositories like the Azure-based blob storage originally used by Stream, the information is fully exposed to all the Microsoft 365 compliance, data governance, and lifecycle management functionality. Microsoft Search indexes the files stored in OneDrive for Business to make the content discoverable, and functionality like Microsoft Purview core and premium eDiscovery can interrogate the information when the need arises for an investigation.

Odd Statement in Microsoft Documentation

All of which then means that the statement in Microsoft documentation (Figure 1) saying “The Recycle Bin is not indexed and therefore searches do not find content there. This means that an eDiscovery hold can’t locate any content in the Recycle Bin in order to hold it” will probably come as an unpleasant surprise to compliance administrators.

Figure 1: OneDrive for Business deletion process and notes (source: Microsoft)

In a nutshell, Microsoft’s text implies that people can hide information they don’t want eDiscovery searches to find or hold by keeping it in the OneDrive for Business Recycle Bin. This might happen serendipitously (the user doesn’t realize that data governance oversight doesn’t apply to files in the OneDrive recycle bin) or deliberately (they do and want to take advantage of the fact). Either way, it’s not a good situation.

OneDrive Data Found by Content Searches

Such an assertion caused me to test if Microsoft 365 content searches (separate or as part of a standard eDiscovery case) can find items stored in the OneDrive for Business Recycle Bin. All my efforts to uncover a situation where a content search couldn’t find an item failed. Holds appear to work as well, and a retention label (a form of hold) doesn’t disappear when an item moves into the Recycle Bin.

I have no idea what Microsoft’s text means in practice. Perhaps some condition exists to prevent Microsoft Purview from placing a hold on items found in OneDrive’s recycle bin, but one thing is for sure, contrary to the documentation, searches can find items in OneDrive’s recycle bin (Figure 2).

Figure 2: A Microsoft 365 content search finds an item in the OneDrive for Business recycle bin

To test retention, I deleted an item from the first- and second-stage recycle bin. The item ended up in the OneDrive preservation hold library (select Site Contents from the cogwheel menu and you can open the library), and the item was there, waiting for its hold to expire.
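The content search test described above can also be run from PowerShell. The following is an added example, not code from the original article; the OneDrive URL, file name, and search name are placeholder assumptions, and it uses the Security & Compliance cmdlets from the ExchangeOnlineManagement module.

```powershell
# Added example: check whether a content search finds a file whose only copy
# sits in a OneDrive for Business recycle bin.
# Assumptions (placeholders, not from the article): $OneDriveUrl, $FileName.
# Prerequisite: delete a uniquely named test file from the OneDrive account first,
# and make sure no other copy of it exists in that account. The search result
# does not say where a hit is stored, so the test is only meaningful in that case.

# Connect to Security & Compliance PowerShell (ExchangeOnlineManagement module)
Connect-IPPSSession

$OneDriveUrl = "https://contoso-my.sharepoint.com/personal/user_contoso_com"  # placeholder
$FileName    = "RecycleBinSearchTest.docx"                                     # placeholder
$SearchName  = "RecycleBinTest-" + (Get-Date -Format "yyyyMMdd-HHmmss")

# KQL query that matches the test file by name
$Query = 'filename:"{0}"' -f $FileName

# Create and start a content search scoped to the single OneDrive account
New-ComplianceSearch -Name $SearchName -SharePointLocation $OneDriveUrl `
    -ContentMatchQuery $Query | Out-Null
Start-ComplianceSearch -Identity $SearchName

# Poll until the search completes or 15 minutes pass
$Deadline = (Get-Date).AddMinutes(15)
do {
    Start-Sleep -Seconds 15
    $Search = Get-ComplianceSearch -Identity $SearchName
} while ($Search.Status -ne "Completed" -and (Get-Date) -lt $Deadline)

if ($Search.Status -ne "Completed") {
    Write-Warning "Search $SearchName did not complete in time (status: $($Search.Status))."
}
elseif ($Search.Items -gt 0) {
    Write-Host "Search found $($Search.Items) item(s): the deleted file is discoverable."
}
else {
    Write-Warning "Search found no items: the deleted file was not discoverable."
}

# Remove the temporary search once the result is recorded
Remove-ComplianceSearch -Identity $SearchName -Confirm:$false
```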

Indexing of the Recycle Bin

It’s possible that the statement saying, “The Recycle Bin is not indexed” is accurate. It could be that the items in the recycle bin are in the index because Microsoft Search processed them in their original location. The OneDrive for Business browser interface doesn’t offer an option to create a file in the recycle bin, and while it might be possible to do such a thing using an API (those working on PnP might have a view on this), it would be an unusual thing to do. Maybe even a suspicious action too because what logical reason exists to create a file in a recycle bin?

Documentation Isn’t Always Accurate

This experience underlines once again that you cannot assume that documentation is 100% accurate, even if published with Microsoft’s imprimatur. It all depends on the knowledge and experience of the writer, especially their familiarity with the topic. And even people with bags of experience with a specific technology can screw up when it comes to describing how something works. A slip of the finger on the keyboard, a badly phrased sentence, or just an error in writing are all part and parcel of the writer’s life.


Make sure that you’re not surprised about changes that appear inside Office 365 applications by subscribing to the Office 365 for IT Pros eBook. Our monthly updates make sure that our subscribers stay informed.

New Messages Search Vertical Available in Office.com https://office365itpros.com/2022/05/24/microsoft-search-messages/?utm_source=rss&utm_medium=rss&utm_campaign=microsoft-search-messages https://office365itpros.com/2022/05/24/microsoft-search-messages/#comments Tue, 24 May 2022 01:00:00 +0000 https://office365itpros.com/?p=55185

View Teams and Outlook Messages in Search Results

Microsoft Search and the results it delivers to users are in a state of constant flux. This is usually a good thing because it means that Microsoft is upgrading search capabilities to help users find information more effectively. Sometimes, things get out of step, and you can see extra results in one place that don’t appear in another. A little consideration usually comes up with a reason why this is so.

Take the example of the Messages vertical that Microsoft has added to Office.com. When you search from Office.com, the results include Teams and Outlook messages (Figure 1). In search parlance, the set of results exposed by the messages tab is referred to as a “search vertical.” You can add custom search verticals to SharePoint search, but not to Office.com.

Figure 1: Microsoft Search includes Teams and Outlook messages in its results

The Teams messages come from both chats and channel conversations. Selecting a Teams or Outlook message uses a deeplink to bring you to the source loaded in the Teams client or OWA.

Microsoft Search trims the search results so that users only see information from resources they have permission to access.

Why Messages from Deleted Teams Appear in Search Results

Sometimes search results resurrect messages from deleted groups. Take the second message listed in Figure 1, which comes from a conversation in the Project Athena group (a team). Selecting this message does nothing because it doesn’t have a deeplink to bring it to the source conversation.

Some investigation found that the team doesn’t exist anymore. I deleted the team since the conversation happened in 2018. However, the messages persist because the team came within the scope of a hold imposed by a retention policy. Microsoft Search relies on the compliance records the Microsoft 365 substrate captures for Teams chats and channel conversations, and these records remain in mailboxes until the retention period for the policy lapses. Therefore, the conversation remains available for search to find while the deeplink pointing to the source conversation is unavailable.

Microsoft Search in Bing

The interesting thing is that the ability to return messages in search results isn’t available in SharePoint search. You might expect this to happen because it’s a search for Microsoft 365 data. However, it’s a search of SharePoint resources, so the results only cover the information available to SharePoint Online and OneDrive for Business. Personally, I think Search should deliver the same results in SharePoint Search as it does in Office.com, even if SharePoint Online doesn’t manage the items found. The lines between applications continue to blur and it seems strange to have artificial barriers where they’re not needed.

Where messages do turn up is in search results from Bing.com if you configure Microsoft search in Bing through the Search & Intelligence section of Org settings in the Microsoft 365 admin center. In effect, when you do this, you connect Microsoft 365 content to Bing to expose “work” results alongside results for internet sources. Accessing the work tab exposes results from different Microsoft 365 sources, including messages (Figure 2).

Figure 2: Microsoft Search in Bing also has a messages search vertical

This capability has been available for at least six months. At least, we updated the coverage about Microsoft Search in the Office 365 for IT Pros eBook about six months ago to report its availability!

Loop Components in Search Results

While looking at the various results now available through Microsoft Search, I noticed that Loop components show up. I probably missed this in the past but felt that it’s worth noting that even though Loop components pose some eDiscovery challenges, the information in the components is fully indexed and discoverable as evident in the first two search results shown in Figure 3.

Figure 3: Microsoft Search finds some Loop components

There’s nothing surprising here because the Loop components in Teams chats (and soon in OWA messages) exist as files in OneDrive for Business.

Nice to See Messages in Search

Given the amount of data people now store in the cloud, effective search facilities are increasingly important. Adding the new search vertical for messages to Office.com is very useful. It’s just a pity that the same capabilities aren’t available elsewhere.

New Control for Loop Components in Microsoft 365 Apps https://office365itpros.com/2022/05/04/loop-components/?utm_source=rss&utm_medium=rss&utm_campaign=loop-components https://office365itpros.com/2022/05/04/loop-components/#comments Wed, 04 May 2022 01:00:00 +0000 https://office365itpros.com/?p=54902

Just in Time for Outlook

Updated: March 22, 2023

Microsoft Loop components have been available in Teams chat since November 2021. I haven’t heard about widespread usage, but that might be because people need time to adjust their collaboration habits. Access to Loop components in other applications is also a gating factor, but availability in OWA and Outlook for Windows (current channel preview) should help to address this concern. According to MC360766 (April 18, Microsoft 365 roadmap item 93234), Microsoft will roll out this feature to tenants configured for targeted release in early May.

Update: It took a little longer than predicted, but Loop components are now available in OWA.

So far, there’s no sign of Loop components in Outlook desktop, but I’m sure the components will arrive in my email any day now to deliver the same kind of functionality as available in Teams chat (Figure 1). In a nutshell, if an email contains a loop component, it exists as a file in the sender’s OneDrive for Business account that is shared with the email’s recipients. We’ll report more when the software is available.

Figure 1: Loop components available for Teams chat

IsLoopEnabled

This brings me to MC371268 (May 2), where Microsoft announces that “in response to customer feedback,” they’re retiring the existing settings to control the availability of Loop components and introducing a new control called IsLoopEnabled.

The control is part of the SharePoint Online tenant configuration and is set using the Set-SPOTenant cmdlet. You’ll need to upgrade the SharePoint Online management module to version 16.0.22413.12000 or later. Microsoft posted this version in the PowerShell Gallery five days ago. You can install or update the module from the PowerShell gallery or download an MSI file from Microsoft.

The replaced control is IsFluidEnabled, which enables the Fluid Framework within a tenant. Microsoft plans to retire the IsFluidEnabled setting on November 25, 2022. Going forward, the relevant settings in the SharePoint Online configuration are:

  • IsLoopEnabled: Controls if Teams can use Loop components. The default is True (Enabled).
  • IsCollabMeetingNotesFluidEnabled: Controls if fluid components are available in OneNote collaborate meeting notes.

Update: Following the availability of the preview version of the Loop app, the control for the Loop app, Outlook, Whiteboard, and the Office Online apps is via settings in the Cloud policy.

eDiscovery and Compliance Issues

Although eDiscovery searches can find Loop component files stored in OneDrive for Business, Microsoft acknowledges “limited eDiscovery workflow support.” With the addition of Loop support in Outlook, this aspect might become more problematic. For example, today, the preview feature for search results can render the full content of emails. This isn’t possible when an email contains a loop component because the preview window needs a software upgrade to fetch the content from OneDrive and display it inline within a message.

Another issue is with exports of search results. Today, Microsoft Purview can export emails (and the compliance records captured for Teams chats) found by searches as individual message files or in PST files. Microsoft says that the export format is “not consumable by existing tools,” and that they’re working on “an offline consumable export format.” Taken together, these statements make me think that the exported emails contain references (links) to OneDrive files that aren’t accessible to investigators working offline or independent experts who review eDiscovery results without access to the source tenant.

Making the content of search results available offline probably involves replacing the embedded link in messages containing Loop components with a static version of the content extracted from OneDrive.

This topic deserves a more comprehensive test, which I will get to once Outlook support for Loop components is available. In the meantime, organizations that don’t want to run into potential eDiscovery problems should strongly consider disabling Loop components for both Teams and Outlook by setting the IsLoopEnabled control to False.

Set-SPOTenant -IsLoopEnabled $False
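The change can be wrapped in a check of the module version and of the setting before and after. This is an added example, not code from the original article; the admin center URL is a placeholder assumption, while the module version and setting names are those given above.

```powershell
# Added example: verify the prerequisite module version, record the current
# Loop settings, disable Loop components, and confirm the change.
# Assumption (placeholder, not from the article): $AdminUrl.

$AdminUrl        = "https://contoso-admin.sharepoint.com"   # placeholder
$RequiredVersion = [version]"16.0.22413.12000"              # minimum version cited in the article

# Find the newest installed copy of the SharePoint Online management module
$Module = Get-Module -ListAvailable -Name Microsoft.Online.SharePoint.PowerShell |
    Sort-Object Version -Descending | Select-Object -First 1

if (-not $Module) {
    throw "The SharePoint Online management module is not installed."
}
if ($Module.Version -lt $RequiredVersion) {
    throw "Module version $($Module.Version) is older than $RequiredVersion; IsLoopEnabled is not available."
}

Import-Module Microsoft.Online.SharePoint.PowerShell -DisableNameChecking
Connect-SPOService -Url $AdminUrl

# Record the settings before the change so the previous state can be restored
$Before = Get-SPOTenant | Select-Object IsLoopEnabled, IsCollabMeetingNotesFluidEnabled
Write-Host "Before: IsLoopEnabled=$($Before.IsLoopEnabled) IsCollabMeetingNotesFluidEnabled=$($Before.IsCollabMeetingNotesFluidEnabled)"

# Only write to the tenant configuration when a change is needed
if ($Before.IsLoopEnabled) {
    Set-SPOTenant -IsLoopEnabled $false
}

# Read the setting back to confirm the tenant configuration holds the new value
$After = Get-SPOTenant | Select-Object IsLoopEnabled
if ($After.IsLoopEnabled) {
    Write-Warning "IsLoopEnabled is still True; the change did not take effect."
}
else {
    Write-Host "IsLoopEnabled is now False."
}
```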

Stay updated with developments across the Microsoft 365 ecosystem by subscribing to the Office 365 for IT Pros eBook. We do the research to make sure that our readers understand the technology.

Whiteboard Nears End of Transition to OneDrive https://office365itpros.com/2022/03/10/whiteboard-transition-ending/?utm_source=rss&utm_medium=rss&utm_campaign=whiteboard-transition-ending https://office365itpros.com/2022/03/10/whiteboard-transition-ending/#comments Thu, 10 Mar 2022 01:00:00 +0000 https://office365itpros.com/?p=53935

Updated Clients and Sharing with External Users in Meetings Coming

As you probably know, as part of a major revamp for the application, Whiteboard is moving its storage for its boards from Azure to OneDrive for Business. According to Microsoft 365 roadmap item 66767, general availability happened in December 2021. This refers to tenants who decided to opt-in early, or for tenants who decide to switch through the Whiteboard settings in the Microsoft 365 admin center.

OneDrive became the default for storage of new boards in January 2022. According to Message center notification MC275235, the updates for Whiteboard clients that can’t yet support OneDrive should be available by the end of March. Once the updated clients are deployed, the transition should complete.

Sharing Whiteboard with External Users

Further good news comes in Microsoft 365 roadmap item 66759, which says that external participants in Teams meetings will be able to share boards. A dependency exists on OneDrive for Business as the new feature only works when the board being shared is in OneDrive. If not, Teams displays the polite but extremely frustrating error message shown in Figure 1. People just love being locked out of collaboration, so it’s good that Microsoft is fixing this problem.

Figure 1: Teams can’t share a whiteboard in a meeting with external users

The Sad State of Whiteboard PowerShell

You might not know that Whiteboard supports PowerShell. Well, it does, but only just. A bare-bones module (WhiteboardAdmin) is available in the PowerShell gallery, but it doesn’t contain many cmdlets.

Get-Command -Module WhiteboardAdmin

CommandType     Name                                               Version    Source
-----------     ----                                               -------    ------
Function        Get-Whiteboard                                     1.5.0      WhiteboardAdmin
Function        Get-WhiteboardOwners                               1.5.0      WhiteboardAdmin
Function        Get-WhiteboardSettings                             1.5.0      WhiteboardAdmin
Function        Get-WhiteboardsForTenant                           1.5.0      WhiteboardAdmin
Function        Invoke-TransferAllWhiteboards                      1.5.0      WhiteboardAdmin
Function        Remove-Whiteboard                                  1.5.0      WhiteboardAdmin
Function        Set-WhiteboardOwner                                1.5.0      WhiteboardAdmin
Function        Set-WhiteboardSettings                             1.5.0      WhiteboardAdmin

Not many people have downloaded the module either, possibly because they don’t know of its existence. I’ve used the Invoke-TransferAllWhiteboards cmdlet in the past to transfer ownership of boards from one user account to another (a task sometimes necessary if someone leaves the organization), but I have not played with the other cmdlets.

Reporting Whiteboards with PowerShell

That is, until I noticed a tweet about a new script available in the PnP Script Samples gallery to create a report about all the boards and their owners in a tenant. The script uses the old Microsoft Online Services (MSOL) module to retrieve user information. Microsoft plans to deprecate the MSOL module at the end of 2022, so it’s a good example of a script that needs to be updated to use either Microsoft Graph queries or cmdlets from the Microsoft Graph PowerShell SDK.

Upgrading the script didn’t take much time because the only calls are to load the module and retrieve details of user accounts. My version of the code is shown below. Apart from using the Microsoft Graph PowerShell SDK, the only changes I made replaced output arrays with PowerShell lists to improve performance.

ReportWhiteBoardInfo.PS1
# Import the WhiteboardAdmin module
Import-Module WhiteboardAdmin
# Connect to the Microsoft Graph ($TenantId must already hold the tenant identifier)
Connect-MgGraph -TenantId $TenantId -Scopes "Directory.Read.All", "User.Read.All"

try {
	$dateTime = (Get-Date).toString("dd-MM-yyyy")
	$fileName = "WhiteboardReport-" + $dateTime + ".csv"
	$outputView = "c:\temp\" + $fileName
	
	# The geography to look for board owners in. Accepted values are: Europe, Australia, or Worldwide (all boards not in Australia or Europe).
	$supportedGeographies = @("Europe", "Australia", "Worldwide")
	
	# Array to hold Whiteboard owners
	$WhiteboardOwners = [System.Collections.Generic.List[Object]]::new(); $i=0

	foreach ($geography in $supportedGeographies) {
		Write-Host "Getting Whiteboard owners for geography: $($geography)..."
		$GeographyOwners = Get-WhiteboardOwners -Geography $Geography		
		
		foreach ($UserId in $GeographyOwners.items) {	
              $User = Get-MgUser -UserId $UserId
              $i++
              $ReportLine  = [PSCustomObject][Ordered]@{
                DisplayName     = $User.DisplayName
                UPN             = $User.UserPrincipalName 
                Geography       = $Geography
                UserId          = $UserId
               }
            $WhiteboardOwners.Add($ReportLine) 

		} # End ForEach Owner
		
		Write-Host "Total whiteboard owners found so far $($i)"
	} # EndForEach Geography
	
	# Array to hold Whiteboard details
	$Whiteboards = [System.Collections.Generic.List[Object]]::new()
	
	# Get whiteboards from the Microsoft Whiteboard service by owners
	foreach ($Owner in $WhiteboardOwners) {
		Write-Host "Getting Whiteboards for owner: $($Owner.UPN) ..."
		$whiteboardInfo = Get-Whiteboard -UserId $Owner.UserID
		
		foreach ($whiteboardInstance in $whiteboardInfo) {   
              $ReportLine  = [PSCustomObject][Ordered]@{
                User            = $Owner.DisplayName
                UPN             = $Owner.UPN
                WhiteboardId    = $whiteboardInstance.Id
                Title           = $whiteboardInstance.Title
                IsShared        = $whiteboardInstance.IsShared
                Created         = Get-Date($whiteboardInstance.CreatedTime) -format g
                Modified        = Get-Date($whiteboardInstance.LastModifiedTime) -format g
                Geography       = $Owner.Geography
                UserId          = $Owner.UserId
               }
           $Whiteboards.Add($ReportLine)             
       } #End Foreach Whiteboards
    	
	    Write-Host "Found $($whiteboards.Count) Whiteboards owned by: $($Owner.UPN)"
	} # End Foreach Whiteboard owners
	
	Write-Host "Found $($whiteboards.Count) Whiteboards in the tenant."

# Export the results to a CSV file and Out-GridView
	$Whiteboards | Export-CSV -Path $outputView -Force -NoTypeInformation
$Whiteboards | Out-GridView	
	Write-Host "Finished"
}
catch {
    Write-Host -f Red "Error:" $_.Exception.Message
}

You can download the script from GitHub. I’ll update the code there when I see a fix for the problem I’m just about to describe.

No Trace of Boards Stored in OneDrive

All worked well and the script generated a report (Figure 2 shows some of the report data viewed through the Out-GridView cmdlet).

Figure 2: Reporting whiteboards and their owners

The problem is that the report doesn’t include any whiteboard stored in OneDrive for Business. Microsoft released Version 1.5 of the WhiteboardAdmin module a month ago, but it’s obvious that the cmdlets only work against the Azure storage and ignore the transition to OneDrive.

Microsoft’s documentation doesn’t cover migration of old boards from Azure to OneDrive. However, Microsoft 365 roadmap item 66763 covers migration of previously created boards with general availability in April 2022. The text says: “Tenants in locations that are currently storing new whiteboards in European datacenters will have previously created whiteboards migrated to European datacenters.”

This masterpiece of obfuscation implies that Microsoft plans to migrate old boards currently stored in U.S. datacenters to European datacenters, where hopefully the data will end up in OneDrive for Business. Perhaps this is a pointer to a more widespread migration. Let’s hope that this happens, and that Microsoft upgrades the WhiteboardAdmin module to deal with OneDrive.


New OneDrive Shortcut Move Feature Rolling Out
https://office365itpros.com/2022/03/08/onedrive-shortcut-sync-errors/
Tue, 08 Mar 2022 01:00:00 +0000

Perhaps Not the Biggest Problem for OneDrive to Solve

Featured in the set of OneDrive announcements at the Microsoft Ignite conference in November 2021, the ability to move a OneDrive shortcut from the Files root to a public or shared folder is now rolling out. The change is described in message center notification MC316147, first published on January 19 and updated on March 4.

The original announcement limited movement to private folders, and this is also the case in Microsoft 365 roadmap item 82166. However, something obviously changed since November because MC316147 explicitly states “when moving a shortcut to a folder into a shared folder, the short cut does not change its sharing permissions. People who don’t currently have access to the shortcut won’t be able to access its content but can rename or remove the shortcut.”

OneDrive Shortcuts

Originally launched in 2020, OneDrive shortcuts are a useful way to add pointers to folders that users commonly access so that they appear in OneDrive for Business. The shortcuts might be to folders in SharePoint Online document libraries or other OneDrive folders. When OneDrive shortcuts first appeared, I thought they were pretty good and used them for a while, but then I ran into a problem that still lingers today.

The OneDrive sync client is a critical component for users who keep files in the cloud. The sync client synchronizes files from cloud folders to local copies and makes sure that updates made to the local copies synchronize back to the cloud. The original OneDrive sync client (Groove.exe) wasn’t very good, but a rewrite to create a new client fixed the problems and the current client is very stable. Interestingly, while the OneDrive sync client takes care of synchronization for non-Office files, to enable features like autosave and co-authoring, the Office apps perform the synchronization when actively working on documents.

The Office 365 for IT Pros eBook team depend heavily on the OneDrive sync client to synchronize changes made to the source Word documents used for book chapters. These and other files for the book are stored in a SharePoint Online document library. The OneDrive sync client makes sure that changes made by authors on Windows and Mac workstations synchronize with SharePoint Online.

Synchronization Problems with OneDrive Shortcuts

Which brings me to the synchronization problem with OneDrive shortcuts, which stops me using shortcuts. Everything works well if you create OneDrive shortcuts and then set up synchronization with SharePoint Online. However, if you use the OneDrive sync client to synchronize both OneDrive for Business and SharePoint Online folders and then add a OneDrive shortcut to a folder in the same document library, it creates a sync issue.

Figure 1 shows a SharePoint Online folder in a document library. I don’t synchronize this folder to my workstation because it contains large book files. However, I synchronize other folders from the library. I also synchronize my OneDrive for Business account.

Figure 1: Adding a OneDrive shortcut for a SharePoint Online folder

If I take the option to add a shortcut to OneDrive, SharePoint Online creates the shortcut and adds it to OneDrive for Business (Figure 2). Everything looks good and I can use the shortcut to access the files in the SharePoint Online folder.

Figure 2: The OneDrive shortcut for the SharePoint Online folder

However, the OneDrive sync client reports that it has a sync issue (Figure 3) saying that it cannot sync the shortcut because it conflicts with other folders. The client reports that the fix is to stop syncing two folders, both of which come from the same SharePoint Online document library.

Figure 3: The OneDrive sync client has an issue with a OneDrive shortcut

The sync client offers to fix the problem by unsynchronizing the conflicting folder. Do not do this. The action breaks the connection between the local copy on the workstation and the cloud files, which means that you’ll have to re-establish synchronization afterwards, which could involve a lot of work to make sure that local copies are accurate.

However, the issue is only a warning about a single file (the OneDrive shortcut) and doesn’t affect synchronization for any other file. Changes made locally continue to upload to the cloud and updates made to cloud files by other workstations flow down to the local copy on my workstation.

The solution is simple. Go back to OneDrive for Business and remove the offending shortcut. The sync client is happy immediately and the warning disappears.

The problem doesn’t occur if you create a OneDrive shortcut to a SharePoint Online folder when no folders from that document library are synchronized. However, if you attempt to synchronize a folder from the document library, OneDrive fails and says that it can’t synchronize the folder because you’re already syncing a shortcut to a folder from this shared library (Figure 4).

Figure 4: Another synchronization problem with a OneDrive shortcut

I can’t imagine that this is the kind of experience that Microsoft would design into OneDrive shortcuts. What’s more, the problem has been in place since the introduction of shortcuts, so perhaps no one has complained too much.

Moving of Shortcuts Not The Biggest Problem

The clash between OneDrive synchronization and OneDrive shortcuts is the reason why I won’t use shortcuts. Although it’s great that Microsoft has done the work to make it possible to move shortcuts, it’s odd that they haven’t sorted out the obvious clash between two OneDrive components. When they do, I’ll consider using shortcuts again.


How Default Sensitivity Labels Work with SharePoint Online Document Libraries
https://office365itpros.com/2022/01/28/default-sensitivity-label-doclib/
Fri, 28 Jan 2022 01:00:00 +0000

Feature Became Generally Available in July 2022

According to a LinkedIn post by Microsoft Principal Program Manager Sanjoyan Mustafi, administrators will soon be able to assign default sensitivity labels to document libraries in SharePoint Online and OneDrive for Business. The capability is in private preview at present, but Microsoft 365 tenants can sign up to join the preview here.

Update: According to message center notification MC391948 (June 13), the public preview of setting a default sensitivity label for a document library will roll out in late June. This is Microsoft 365 roadmap item 85621.

Update 2: On July 29, Microsoft announced that the roll-out for the public preview code had begun and that all tenants would receive the update within 90 days. The documentation is also available.

Today, you can require that users add a sensitivity label to documents and define a default label to use. This is done through settings of the sensitivity label publishing policy which makes labels available to users. Requiring documents to be labelled works, but you don’t know what labels users will choose. Sometimes, it might be necessary to ensure that every document in a library receives the same sensitivity label to reflect the level of confidentiality of the library, and that’s where the new capability comes in.

The Backend to Apply Sensitivity Labels

The preview includes the back-end code to define a default label and apply it to new Office documents uploaded or copied to or saved in a library. An asynchronous thread examines new items to check if they already have a sensitivity label. The stamping of the default sensitivity label on new items by the thread can take a few minutes.

If a new item already has a user-applied sensitivity label, the thread ignores the document based on the principle that explicit assignment by users always takes precedence over automatic assignment. If the item has a label of a lower priority (sensitivity labels have a priority order from 0 to n, with 0 being the lowest) received through automatic assignment (usually because a label publishing policy mandates the application of a default label), the thread replaces the label and applies the default label defined for the library.

For now, labeling only happens for new Office documents (support for PDFs will come later). Existing documents remain untouched, and you must apply labels manually if you want all documents to have the same label. However, in the future, Microsoft plans to update the code so that SharePoint will apply labels whenever a user opens an unlabeled document in a library with a default label.

Note that a user can remove the default label assigned for the library or replace it with a label of higher or lower sensitivity. In these cases, the user-assigned label remains, again following the principle of user precedence.

Update: Figure 1 shows the UX to configure a default sensitivity label for a document library. To access this screen, go to Library settings.

Figure 1: Configuring a default sensitivity label for a document library

Configuring for Default Sensitivity Labels

Prior to Microsoft delivering the UX to configure a default sensitivity label for a document library, you had to update the configuration of the target document library using the SharePoint API. You can do this with Postman (the tool favored by Sanjoyan), but I prefer PowerShell, which is what I used. Sanjoyan explains the procedure in his post, but briefly, it is:

  • Get a bearer token to authenticate with SharePoint Online. You can copy the token if you’re logged into SharePoint Online by using the developer tools (F12).
  • Create a header structure to hold details of the transaction, including the bearer token.
  • Create a body structure to define the GUID of the sensitivity label you want to add as the default for the library. Use Connect-IPPSSession to connect to the Compliance center endpoint and run Get-Label to find the list of labels. The GUID for each label is in the ImmutableId property.
Get-Label | Format-List DisplayName, ImmutableId
  • POST to the URL for the document library using the header and body defined earlier.

The commands I used to update a document library were:

# Bearer token copied from the browser. It is a live credential: paste it at run time and do not save it in the script file.
$Token = "<bearer token copied from the browser>"

$headers = New-Object "System.Collections.Generic.Dictionary[[String],[String]]"
$headers.Add("Accept", "application/json;odata=verbose")
$headers.Add("Content-Type", "application/json;odata=verbose")
$headers.Add("X-HTTP-Method", "MERGE")
$headers.Add("If-Match", "*")
$headers.Add("Authorization", "Bearer $Token")

# Body naming the GUID (ImmutableId) of the sensitivity label to use as the library default
$body = @"
{
  "__metadata": {
    "type": "SP.List"
  },
  "DefaultSensitivityLabelForLibrary": "27451a5b-5823-4853-bcd4-2204d03ab477"
}
"@
$Uri = 'https://office365itpros.sharepoint.com/sites/Office365Adoption/_api/web/lists/GetByTitle(''Documents'')'
$Update = Invoke-RestMethod -Method 'Post' -Headers $headers -Body $body -Uri $Uri

Formatting of these commands must be precise, and the bearer token must be valid or the update will fail (I know, because I made many mistakes before doing it just right). The easiest way to make sure is to open the site you want to update in a private browser window to force a recent authentication and then copy the token (use F12 in Edge and access Local storage, then copy the value of the key for the identity for SharePoint Online as shown in Figure 2).

Figure 2: Copying a bearer token for SharePoint Online
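Because the update fails when the bearer token has expired or was issued for a different resource, it helps to inspect the token's claims before posting. The following PowerShell is an added example, not code from the original post: the function names are hypothetical, the sample tokens are constructed inline, and it assumes the copied token is a JWT whose aud claim contains the SharePoint Online host name.

```powershell
# Added example: pre-flight inspection of a bearer token before calling the SharePoint REST API.
# It reads the claims only; it does not validate the signature (SharePoint Online does that).

function ConvertFrom-Base64Url {
    param([Parameter(Mandatory)][string]$Value)
    # JWT segments are base64url without padding: restore the standard alphabet and padding
    $s = $Value.Replace('-', '+').Replace('_', '/')
    switch ($s.Length % 4) {
        1 { throw "Invalid base64url segment length" }
        2 { $s += '==' }
        3 { $s += '=' }
    }
    [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($s))
}

function ConvertTo-Base64Url {
    # Helper used only to build the constructed sample tokens below
    param([Parameter(Mandatory)][string]$Text)
    $b = [System.Convert]::ToBase64String([System.Text.Encoding]::UTF8.GetBytes($Text))
    $b.TrimEnd('=').Replace('+', '-').Replace('/', '_')
}

function Test-SpoBearerToken {
    param(
        [Parameter(Mandatory)][string]$Token,
        [Parameter(Mandatory)][string]$SiteUri,
        [int]$MinimumMinutesLeft = 5
    )
    $Parts = $Token.Trim().Split('.')
    if ($Parts.Count -ne 3) { throw "Expected a three-part JWT; copy the complete token value" }

    # The second segment holds the claims as JSON
    $Claims      = ConvertFrom-Base64Url -Value $Parts[1] | ConvertFrom-Json
    $ExpiresUtc  = [DateTimeOffset]::FromUnixTimeSeconds([int64]$Claims.exp).UtcDateTime
    $MinutesLeft = [math]::Round(($ExpiresUtc - [DateTime]::UtcNow).TotalMinutes, 1)
    $HostName    = ([System.Uri]$SiteUri).Host
    # Assumption: the aud claim names the SharePoint Online host the token was issued for
    $AudienceOk  = ([string]$Claims.aud) -like "*$HostName*"

    [PSCustomObject]@{
        Audience      = $Claims.aud
        ExpiresUtc    = $ExpiresUtc
        MinutesLeft   = $MinutesLeft
        AudienceMatch = $AudienceOk
        Usable        = ($AudienceOk -and $MinutesLeft -ge $MinimumMinutesLeft)
    }
}

# Constructed sample tokens (fake signature) so the example runs offline
$SiteUri = 'https://office365itpros.sharepoint.com/sites/Office365Adoption'
$Header  = ConvertTo-Base64Url -Text '{"typ":"JWT","alg":"RS256"}'

$Good  = @{ aud = 'https://office365itpros.sharepoint.com'
            exp = [DateTimeOffset]::UtcNow.AddMinutes(45).ToUnixTimeSeconds() } | ConvertTo-Json -Compress
$Stale = @{ aud = 'https://graph.microsoft.com'
            exp = [DateTimeOffset]::UtcNow.AddMinutes(-10).ToUnixTimeSeconds() } | ConvertTo-Json -Compress

foreach ($Payload in $Good, $Stale) {
    $Token = ($Header, (ConvertTo-Base64Url -Text $Payload), 'constructed-signature') -join '.'
    Test-SpoBearerToken -Token $Token -SiteUri $SiteUri | Format-List
}
```

The first sample reports Usable as True; the second fails on both audience and expiry, which are the two conditions that make the MERGE request fail with an authentication error.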

After configuring a default sensitivity label, it’s a good idea to change the default view for the library to include the sensitivity label to remind users that documents now have labels.

Steady Progress

Sensitivity Labels and SharePoint Online had a rocky start. There was a time when the content of protected Office documents was inaccessible to search and eDiscovery. That’s in the past (if you enable support) and Microsoft is busy filling out all the details that make software more useful. Adding a default sensitivity label to document libraries is a nice step forward but remember that using this capability will require Office 365 E5 or above, just like all the other auto-label application features in Microsoft 365.


Increase in OneDrive Storage Usage by Microsoft Teams Apps Complicates Tenant Administration
https://office365itpros.com/2022/01/06/onedrive-teams-app-storage/
Thu, 06 Jan 2022 01:00:00 +0000

Whiteboard Latest Consumer of OneDrive for Business

As first described in message center notification MC282992 (September 3, updated December 7), many whiteboard clients can now store and access files in OneDrive for Business instead of the original Azure data store. Given the popularity of whiteboard sharing in Teams meetings and the support of the new whiteboard storage in Teams, it’s likely that many files are now in OneDrive for Business (Figure 1), even if their owners don’t realize that the transition has happened.

Figure 1: Whiteboards stored in OneDrive for Business

Whiteboard isn’t the only Teams application which stores its files in OneDrive for Business. Others include:

This trend isn’t surprising. By design, Teams uses other Microsoft 365 components rather than creating its own, and responsibility for OneDrive for Business and SharePoint Online rolls up under the same Microsoft executive (Jeff Teper). It’s natural for Teams-enabled applications to look to OneDrive as a target for file storage, especially as Microsoft makes liberal storage quotas available (here’s a script to report the storage used by OneDrive for Business accounts).

Administrative Challenge

Storing data in OneDrive for Business makes eminent sense. The challenge for administrators occurs when the time comes to delete a user account. By default, Microsoft 365 keeps the OneDrive for Business account for a deleted account for 30 days. You can increase this period to up to ten years (3650 days) by updating the retention setting in the SharePoint Online admin center (Figure 2).

Figure 2: OneDrive for Business Deleted Account Retention Setting

During the retention period, anyone granted access to the OneDrive account can retrieve files. Once the retention period expires, Microsoft 365 removes the account permanently and the files become irretrievable. The exception is when the account or any of the files come under the control of a retention policy or label, in which case they remain in place until all retention controls expire.

The administrative challenge is to decide how to handle the OneDrive content for deleted accounts. One approach is to use the mechanism available to assign access to a deleted user’s OneDrive for Business account to another user (Figure 3). In essence, this makes the designated user the administrator of the OneDrive for Business account and allows them full control over anything stored in the account.

Figure 3: Assigning a user to review the OneDrive for Business account for a deleted user

The intention is to give the designated user some time to review the information held in the deleted user’s account so that they can retrieve anything valuable from the account and store it somewhere else, like their own OneDrive for Business account or an appropriate SharePoint Online site. The mechanism works, but the obvious flaw is that once you move files out of their original location, you break the connection between Teams and objects. It’s possible to preserve sharing links when moving files from a OneDrive for Business account, but the link in chats will point to the wrong place and make attachments and loop components in Teams chats unusable, meeting recordings and whiteboards unavailable, and any “cloudy attachments” shared in email inaccessible. In short, users won’t be happy campers because they can’t get at information and help desks will be frustrated because they can’t do much about the underlying problem.

Retention a Better Answer

Instead of asking someone to go through the OneDrive for Business account of deleted users (a dispiriting job), a better approach is to use Microsoft 365 retention policies to retain information in OneDrive for Business accounts for an extended period. Unlike SharePoint Online, where storage quotas are more restrictive and expensive than OneDrive for Business, the effect of long-term retention isn’t a concern. With retention in place, after deleting user accounts, their documents and other files remain in place until the retention period expires. Assuming that the retention period is several years (after creation), this should be sufficient for people to recover copies of information or finish up working with objects like whiteboard or Loop components. At the same time, if someone needs to access the OneDrive account to remove or move files, they can, assuming everyone understands the consequences which ensue.

Of course, retention policies are only available if your organization has Office 365 E3 or better licenses. Organizations with licenses which don’t include retention policies are limited to harvesting information from deleted accounts before they disappear. However, there’s nothing to stop organizations using poor man’s retention by setting the retention period for OneDrive for Business to the maximum 3650 days. After all, ten years after the deletion of an account, who’s going to want to access a document, whiteboard, or loop component from such an antiquated repository?


Sharing Links for Video and Audio Files Block Downloads by Default
https://office365itpros.com/2021/12/10/sharing-links-video-audio-files-block-downloads/
Fri, 10 Dec 2021 01:00:00 +0000

Now Available in SharePoint Online and OneDrive for Business

Message Center Notification MC302489 (December 8) brings news of yet another tweak made by Microsoft to the dialog used to create new Sharing Links. The update means that the settings for sharing links for “most video and audio” files now block download by default (Figure 1).

Figure 1: A sharing link for a video file

Previous tweaks to the dialog include making it easier to update sharing link settings and highlighting the edit setting. Because many workloads use the sharing link dialog, the benefit of the changes ripples across Microsoft 365.

Understandable Change in Line with Previous Updates

The change is understandable. Sharing a video or audio is often just an invitation to consume final content (using the recently-upgraded web viewer) and you don’t want people to be able to download the files. By comparison, sharing a document, spreadsheet, or presentation is often for review and editing purposes, and the recipient might need to download a local copy to edit the file offline.

Interestingly, Microsoft 365 roadmap item 82193 makes explicit reference to Microsoft Stream, probably reflecting the ongoing motion to move Stream away from its old Azure-based platform to storing videos in OneDrive for Business and SharePoint Online. This transition has already happened for Teams meeting recordings, and the migration for other Stream content is in preview. Teams meeting recordings restrict download access to the recording owner, so setting sharing links to no download by default is in line with that philosophy.

Not All Video or Audio Files

Noting the caveat that the change applies to most video and audio files, I checked the content of my OneDrive for Business account and discovered that OneDrive blocks downloads in sharing links created for Teams meeting recordings. The same doesn’t happen for other MP4 files that I uploaded to OneDrive where the download control is missing when creating sharing links (Figure 2).

Figure 2: No way to block downloads in sharing links for these MP4 files

The BlockDownloadLinksFileType setting for my tenant (managed through PowerShell with the Set-SPOTenant cmdlet) is WebPreviewableFiles, which means that download blocks are available for all supported files. Given that audio and video files are now in the supported category, something else is going on.

OneDrive recognizes both sets of files as MP4s, so the difference in behavior might be because the uploaded files didn’t have the same PROGID tags as the Teams recordings (these tags make it possible to apply an auto-label retention policy to Teams meeting recordings). Alternatively, it could be because some background job hasn’t yet processed the other MP4 files. Requiring extended periods to process files is not unknown in SharePoint Online and OneDrive for Business. In any case, I’ll keep an eye out to see if things change.


How OneDrive’s New Sharing Link Dialog Makes It Easier to Configure Settings
https://office365itpros.com/2021/12/02/new-sharing-link-dialog-easier-configure-settings/
Thu, 02 Dec 2021 01:00:00 +0000

Change Copy Link Settings Before Sending

Published in MC298387 (November 16, Microsoft 365 roadmap item 83728) and now rolling out to Office 365 tenants worldwide, Microsoft has updated the OneDrive for Business sharing link dialog to make it easier for users to change the sharing link settings before copying them to share with others. Roll out should complete between mid-December (targeted release tenants) and mid-January (standard release tenants).

Common Sharing Link

The sharing link dialog is used by both SharePoint Online and OneDrive for Business. The old version (recently refreshed to display the set of people with existing access to a file) has a Copy link button (Figure 1), which generates the link with its current settings in a form that the user can copy (and then insert into email, a Teams chat, Yammer message, or web page as appropriate).

Figure 1: The old design for the Sharing Link dialog

Everything works in the old dialog, but you’ve got to configure the link with the correct access and recipient settings before you generate the link. For instance, you might want to amend the link to allow sharees to edit a file or force users to access the content online by blocking downloads. The new approach removes the Copy link button and replaces it with a complete section where the user can configure the link settings before generating the link (Figure 2).

Figure 2: The new design for the Sharing Link dialog

Once the link is configured, the (smaller) copy button works as before.

Better for Sending Sharing Links by Email Too

The new arrangement also makes the use of the email (Outlook) option clearer. In the old dialog, the Outlook and Copy link buttons are arranged in a line under the Send button. In a weird kind of way, you could imagine that the Send button would work for both options. Now there’s only an Outlook icon in a straight line with the Send button to make the connection between the two clear and obvious.

Paying attention to how the sharing link dialog functions might seem like small beer when compared to the other changes happening within the Microsoft 365 ecosystem (like the introduction of Loop components for Teams chat). That perspective is accurate because this is a small change. However, it can equally be argued that making sure that everything works as smoothly as possible is important, and when it comes to the mechanism used to share documents with people inside and outside the organization, it’s critical that the right settings are in place. For that reason, this is a good and useful change.


How to Analyze Audit Records for SharePoint Online Sharing Events
https://office365itpros.com/2021/11/17/track-audit-events-sharepoint-sharing/
Wed, 17 Nov 2021 01:00:00 +0000

Knowing When Sharing Happens

A natural question flowing from the discussion about implementing the SharePoint Online expiring access policy for external users is how administrators know if people use the feature. Equally naturally, the first place to look is the Office 365 or “unified” audit log to see if SharePoint Online generates any helpful events when users extend sharing links.

Unhappily, although SharePoint Online captures a UserExpirationChanged audit event when someone extends a sharing link close to its expiration, the information stored in the event is not enough to easily identify the content the sharing link grants access to. If you look at the sample audit event shown below, the SiteUrl property tells us that this event relates to sharing some OneDrive for Business content. Apart from that, we can see:

  • The user principal name of the user who extends the validity of the sharing link (Jane.Sixsmith@office365itpros.com).
  • The user principal name of the target user being granted access (Jsmith_yandex.com#ext#@office365itpros.onmicrosoft.com). The form tells us that this is a guest account (JSmith@yandex.com).

It would be nice if the name of the actual folder or document being shared was captured, but that’s not the case.

RecordType   : SharePointSharingOperation
CreationDate : 15/11/2021 13:17:04
UserIds      : Jane.Sixsmith@office365itpros.com
Operations   : UserExpirationChanged
AuditData    : {
                 "AppAccessContext": {
                   "AADSessionId": "bfe559aa-a811-488b-828d-a1fa90062133",
                   "CorrelationId": "b45e03a0-50df-3000-73a8-a6b7cbd31cc0"},
                 "CreationTime": "2021-11-15T13:17:04",
                 "Id": "5ee7b4d0-97ca-476d-c7ef-08d9a83a37aa",
                 "Operation": "UserExpirationChanged",
                 "OrganizationId": "a562313f-14fc-43a2-9a7a-d2e27f4f3478",
                 "RecordType": "SharePointSharingOperation",
                 "UserKey": "i:0h.f|membership|1003bffd805c87b0@live.com",
                 "UserType": "Regular",
                 "Version": 1,
                 "Workload": "OneDrive",
                 "ClientIP": "51.171.212.129",
                 "ObjectId": "https://office365itpros-my.sharepoint.com/personal/jane_sixsmith_office365itpros_com",
                 "UserId": "jane.sixsmith@office365itpros.com",
                 "CorrelationId": "b45e03a0-50df-3000-73a8-a6b7cbd31cc0",
                 "EventSource": "SharePoint",
                 "ItemType": "Web",
                 "Site": "cc191cff-670a-4740-8458-e6067537c747",
                 "UserAgent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.44",
                 "WebId": "551065f1-04a6-4979-8b19-2c8a0c16319f",
                 "TargetUserOrGroupType": "Guest",
                 "SiteUrl": "https://office365itpros-my.sharepoint.com/personal/jane_sixsmith_office365itpros_com",
                 "TargetUserOrGroupName": Jsmith_yandex.com#ext#@office365itpros.onmicrosoft.com

Investigating SharePoint Sharing Events

To see if it was possible to find some other information that would allow me to link the UserExpirationChanged events back to other sharing events, I wrote a script to extract the events from the audit log and parse their content. The results are not what I hoped. You can track the progress of sharing an item through:

  • SharingSet: A user shares an item.
  • SecureLinkCreated: A sharing link is created for the item. This is what is sent to the recipient.
  • UserExpirationChanged: The expiration date for the sharing link is adjusted in line with policy.
  • SecureLinkUsed: The recipient uses the sharing link to access the shared content.

The audit records for the first three events often have the same date and time because they occur close together (within milliseconds). For this reason, they can appear in a different order when viewing the report (Figure 1).

Figure 1: Analyzing SharePoint Online sharing events

In due course, if the sharing link validity is extended further, SharePoint logs another UserExpirationChanged event. The cycle continues until the sharing link expires.

Download the Script

The script isn’t all that interesting. It finds the relevant audit events, extracts information, and reports its findings (you can download the script from GitHub). Unless you focus on UserExpirationChanged events which happen outside the initial creation of sharing links, I don’t think it helps much in terms of understanding the extent of sharing link extensions. However, someone who is smarter than I might be able to tweak the script to derive better results.
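One way to isolate the UserExpirationChanged events that happen outside the initial creation of a sharing link, shown as an added example (it is not the script published on GitHub). The sample records are constructed, the five-second window is an assumption based on the observation that the first three events are logged within milliseconds of each other, and the function name is hypothetical.

```powershell
# Constructed sample records shaped like Search-UnifiedAuditLog output: each one carries an
# AuditData JSON string. All values are made up; property names come from the sample event.
function New-SampleRecord {
    param([string]$Operation, [string]$Time)
    $data = @{
        CreationTime          = $Time
        Operation             = $Operation
        UserId                = 'owner@contoso.example'
        SiteUrl               = 'https://contoso-my.sharepoint.example/personal/owner'
        TargetUserOrGroupType = 'Guest'
        TargetUserOrGroupName = 'guest_fabrikam.example#ext#@contoso.example'
    }
    [pscustomobject]@{ Operations = $Operation; AuditData = ($data | ConvertTo-Json -Compress) }
}

$Records = @(
    New-SampleRecord 'SharingSet'            '2021-11-15T13:17:04'
    New-SampleRecord 'SecureLinkCreated'     '2021-11-15T13:17:04'
    New-SampleRecord 'UserExpirationChanged' '2021-11-15T13:17:04'   # logged when the link is created
    New-SampleRecord 'UserExpirationChanged' '2022-03-05T09:30:11'   # logged when the owner extends it
)
# Against a tenant, $Records would instead come from something like:
#   Search-UnifiedAuditLog -StartDate $Start -EndDate $End -ResultSize 5000 `
#       -Operations SharingSet, SecureLinkCreated, UserExpirationChanged

function Get-SharingLinkExtension {
    # Hypothetical helper: labels each UserExpirationChanged event as part of the initial
    # share or as a later extension, based on nearby link-creation events.
    param(
        [Parameter(Mandatory)] [object[]]$AuditRecord,
        [int]$WindowSeconds = 5          # assumption: creation events cluster within seconds
    )

    # Flatten the JSON payload. The cast copes with ConvertFrom-Json returning the timestamp
    # as a string (Windows PowerShell 5.1) or as a DateTime (PowerShell 7).
    $events = foreach ($r in $AuditRecord) {
        $d = $r.AuditData | ConvertFrom-Json
        [pscustomobject]@{
            Time      = [datetime]$d.CreationTime
            Operation = $d.Operation
            UserId    = $d.UserId
            SiteUrl   = $d.SiteUrl
            Target    = $d.TargetUserOrGroupName
        }
    }

    $creation = $events | Where-Object { $_.Operation -in 'SharingSet', 'SecureLinkCreated' }

    foreach ($e in ($events | Where-Object Operation -eq 'UserExpirationChanged' | Sort-Object Time)) {
        # Same sharer, same site, and close in time to a link-creation event means the
        # expiration was set by policy when the item was first shared.
        $nearby = $creation | Where-Object {
            $_.UserId -eq $e.UserId -and $_.SiteUrl -eq $e.SiteUrl -and
            [math]::Abs(($_.Time - $e.Time).TotalSeconds) -le $WindowSeconds
        }
        $kind = if ($nearby) { 'InitialShare' } else { 'Extension' }

        [pscustomobject]@{
            Time    = $e.Time
            User    = $e.UserId
            Guest   = $e.Target
            SiteUrl = $e.SiteUrl    # the audit record does not name the shared file or folder
            Kind    = $kind
        }
    }
}

# Report only the events that represent a user extending a link after the fact.
Get-SharingLinkExtension -AuditRecord $Records |
    Where-Object Kind -eq 'Extension' |
    Format-Table Time, User, Guest, SiteUrl
```

With the constructed data, only the March 2022 event is reported as an extension. The report still cannot say which item the link covers, because the event records the site URL and nothing more specific.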


Learn more about how Office 365 really works on an ongoing basis by subscribing to the Office 365 for IT Pros eBook. Our monthly updates keep subscribers informed about what’s important across the Office 365 ecosystem.

How to Use the SharePoint Expiring Access Policy for External Users https://office365itpros.com/2021/11/16/sharepoint-expiring-access-policy/?utm_source=rss&utm_medium=rss&utm_campaign=sharepoint-expiring-access-policy https://office365itpros.com/2021/11/16/sharepoint-expiring-access-policy/#comments Tue, 16 Nov 2021 01:00:00 +0000 https://office365itpros.com/?p=52372

SharePoint Expiring Access Policy Controls Sharing Links Issued to Guests

In the summer, Microsoft introduced an expiring access policy for external users in SharePoint Online sites and OneDrive for Business accounts. In a nutshell, a tenant can set a policy to control the number of days a sharing link lasts after a user shares some content with an Azure AD guest account (created automatically when sharing with an external user). The expiring access policy doesn’t apply to guest accounts who access content through their membership of Microsoft 365 groups (teams). Their ability to work with content in SharePoint Online is controlled by the guest’s membership instead of a sharing link.

By default, the expiring access policy is not set. A tenant or SharePoint administrator must enable it and define the sharing period in the Sharing section of the SharePoint Online admin center (Figure 1). The period can be from 30 to 730 days.

Figure 1: Configuring an external access expiration policy in the SharePoint Online admin center

Once set, the policy applies to new sharing links. It also applies retrospectively to old links. The policy defined in the SharePoint Online admin center applies to all SharePoint sites and OneDrive for Business accounts. You can override the expiration period on a per-site basis.

Unlike other expiration policies used in Microsoft 365, like the Teams meeting recording auto-expiration policy or even retention policies and labels, content remains unaffected when an expiration period lapses. The only effect is on the sharing link which becomes invalid and unusable for access.

What Happens When Sharing Links Expire

As sharing links approach expiration, users receive warnings through two means. First, a banner appears in OneDrive for Business (Figure 2). The text could be better as it’s a sharing link which expires rather than a user. The Azure AD guest account will remain and can be used for other purposes, such as other sharing links or as a member of a group or team. The logic here might be that people manage sharing access on a user-by-user basis, so it’s appropriate to refer to users expiring.

Figure 2: OneDrive for Business flags that some sharing links are expiring

The second method is email. SharePoint sends a note to people to advise them when sharing links are within ten days of expiration (Figure 3). In both cases, the Manage (or Manage access) link allows the user to update the soon-to-expire sharing links.

Figure 3: SharePoint sends email to notify about approaching expirations

Clicking the link brings up the Access Expiration fly-out pane (Figure 4), which lists all sharing links created by the user subject to the expiring access policy. As you can see, some of the links are quite a long way off because the tenant has a 120-day expiration policy.

Figure 4: Managing the expiration of sharing links

To extend the validity of a sharing link, select a user and click Yes, extend (Figure 5). SharePoint Online will then extend the sharing link by the maximum period allowed, in this case 120 days from the current date. You can also remove a sharing link if it’s no longer needed.

Figure 5: Extending access for a sharing link

Good Practice to Implement Expiring Access Policy

It’s good practice and makes good sense for Microsoft 365 tenants to implement an expiring access policy. Many expiring sharing links will need no intervention by content owners when they expire. Other links will need an extension, which is a quick and low-friction action. Overall, there’s nothing much to dislike about implementing an expiring access policy where links expire after a reasonable period, like 90 to 120 days. Organizations which store more sensitive content in SharePoint could reduce the expiration period and couple expiration with the targeted availability of content that sensitivity labels make possible.


Learn how to exploit the Office 365 data available to tenant administrators through the Office 365 for IT Pros eBook. We love figuring out how things work.

How to Create a DLP Policy to Stop External Sharing of Teams Meeting Recordings https://office365itpros.com/2021/11/15/create-dlp-policy-stop-external-sharing-teams-meeting-recordings/?utm_source=rss&utm_medium=rss&utm_campaign=create-dlp-policy-stop-external-sharing-teams-meeting-recordings https://office365itpros.com/2021/11/15/create-dlp-policy-stop-external-sharing-teams-meeting-recordings/#comments Mon, 15 Nov 2021 01:00:00 +0000 https://office365itpros.com/?p=52357

Joins the Controls for Teams Meeting Recordings

Now that Microsoft has made the transition of storage for Teams meeting recordings (TMRs) from Stream (classic) to OneDrive for Business and SharePoint Online (ODSP), attention is focused on how to manage these files. Microsoft plans to introduce an auto-expiration policy for TMRs in January 2022 to allow organizations to dictate how long these files exist in ODSP. The auto-expiration policy will work for any Microsoft 365 tenant which has licenses for Teams.

If you have Office 365 E3, users can apply retention labels to TMRs to gain more control over their retention, and if you have Office 365 E5 or Microsoft 365 E5 licenses, you can deploy an auto-label retention policy to find and label TMRs (and track the success of the policy in finding and labeling TMRs). In short, over time, organizations are gaining ways to exert compliance control over TMRs.

Blocking Sharing with Data Loss Prevention

Data Loss Prevention (DLP) for SharePoint Online and OneDrive for Business is included in the Office 365 E3 SKU. The value of DLP is that you can use a policy to protect against inadvertent data leakage caused when someone shares a TMR outside the organization. Imagine what would happen if a competitor got hold of a recording of a discussion, complete with slides, about the development of a new product!

Using much the same approach as taken to identify TMRs for the auto-labeling retention policy, we can build a DLP policy for TMRs which looks for recording files and stamps them with metadata to stop sharing happening. The DLP policy to block external sharing for TMRs is very simple. It is a custom DLP policy (i.e., not created using a template) consisting of:

  • A name and description.
  • Target locations. For maximum coverage, choose all SharePoint Online sites and OneDrive for Business accounts. This will stop any sharing of TMRs created for personal meetings (OneDrive) and channel meetings (SharePoint).
  • A single rule. The rule looks for any file with the property value ProgId:Media.Meeting that is shared with someone outside the organization. The rule action blocks sharing with people outside the organization. Figure 1 shows what the rule conditions look like. Optionally, the rule can allow users to override the block by providing a justification to explain why they need to share a recording with an external person.

Figure 1: DLP rule to prevent external sharing of Teams meeting recordings

Other rule settings which you might consider include creating a custom policy tip to explain why users can’t share TMRs externally or generating an incident report to alert administrators or other people when a rule violation occurs.
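The same policy can be expressed with the compliance PowerShell cmdlets. This is an added example rather than anything from the original article: the policy name, rule name, comment, and policy tip text are assumptions, and the policy is created in test mode so that matches can be reviewed before blocking is enforced.

```powershell
# Added example. Requires the ExchangeOnlineManagement module and a role that can manage DLP.
Connect-IPPSSession

$PolicyName = 'Block External Sharing of Teams Meeting Recordings'   # hypothetical name

# Custom policy covering every SharePoint Online site and OneDrive for Business account.
# TestWithNotifications shows policy tips and logs matches without enforcing the block.
New-DlpCompliancePolicy -Name $PolicyName `
    -Comment 'Stops Teams meeting recordings being shared outside the organization' `
    -SharePointLocation All `
    -OneDriveLocation All `
    -Mode TestWithNotifications

# Single rule: files with the property value ProgId:Media.Meeting shared with people
# outside the organization.
$Rule = @{
    Name                         = 'Block external sharing of TMRs'   # hypothetical name
    Policy                       = $PolicyName
    ContentPropertyContainsWords = 'ProgId:Media.Meeting'
    AccessScope                  = 'NotInOrganization'
    BlockAccess                  = $true
    BlockAccessScope             = 'PerUser'             # block external users only
    # Optional settings mentioned in the article:
    NotifyUser                   = 'Owner', 'LastModifier'
    NotifyPolicyTipCustomText    = 'Teams meeting recordings cannot be shared externally.'
    NotifyAllowOverride          = 'WithJustification'   # omit to make the block absolute
    GenerateIncidentReport       = 'SiteAdmin'
    IncidentReportContent        = 'All'
}
New-DlpComplianceRule @Rule

# Once the matches look right, enforce the block:
# Set-DlpCompliancePolicy -Identity $PolicyName -Mode Enable
```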

The Effect of DLP

It can take up to an hour before a new DLP policy is effective. When the policy is active, the indexing process for new files detects that TMRs come within the scope of a policy and applies the policy settings to block external sharing. There might be a few minutes before the block is effective for a new file during which it’s possible to create and send a sharing link. However, once the block is in place, the sharing link is nullified.

The effect of the policy is obvious because any document which matches the policy conditions now has a small icon (circle with a line in the middle). In Figure 2, the icon is shown alongside all the TMRs in the Recordings folder. Other video files that don’t have the property set are not marked. Hovering over a TMR reveals information about the file, including a link to a DLP policy tip if set. In this case, the link reveals some custom text to explain that external sharing is not permitted for TMRs.

Figure 2: External sharing for Teams meeting recordings is blocked, or so the policy tip says

If the user ignores the warning and goes ahead to try and share the recording anyway, they won’t be able to do this because OneDrive for Business blocks the attempt to create and send a sharing link (Figure 3).

Figure 3: OneDrive for Business blocks a sharing link for a Teams meeting recording

Easy Update

Even if internal users don’t often go back to relisten to what was discussed in a conference call, there’s no doubt that some external people might find that content interesting, perhaps even to the detriment of your company. The time required to create and deploy a DLP policy to block external sharing of TMRs is roughly ten minutes (including a pause to drink coffee). It’s a quick and easy update to make it easier to manage the security of information contained inside these files. This is a good example of the value of DLP.


Learn more about how Office 365 really works on an ongoing basis by subscribing to the Office 365 for IT Pros eBook. Our monthly updates keep subscribers informed about what’s important across the Office 365 ecosystem.

Some Microsoft 365 Features Highlighted at Fall Ignite 2021 You Can Use Now https://office365itpros.com/2021/11/05/some-microsoft-365-features-fall-ignite-2021/?utm_source=rss&utm_medium=rss&utm_campaign=some-microsoft-365-features-fall-ignite-2021 https://office365itpros.com/2021/11/05/some-microsoft-365-features-fall-ignite-2021/#respond Fri, 05 Nov 2021 01:00:00 +0000 https://office365itpros.com/?p=52244

Discovering Some Nuggets from Microsoft’s Coverage

It’s been a busy week for anyone following the Microsoft 365 ecosystem as Microsoft released a slew of blog posts and announcements to support keynotes and other sessions at the Microsoft Ignite Fall event. You could spend hours reading about new features and functionality and wonder when the code will appear in your Office 365 tenant and if any additional licenses are necessary.

This post captures notes about several features available now that I noticed as I perused Microsoft’s coverage. By themselves, each is not enough to warrant a separate post, but they’re interesting all the same. These changes are examples of the stuff we track to maintain the content of the Office 365 for IT Pros eBook. All our chapter authors have been busy this week.

SharePoint Online and OneDrive for Business

Sharing links show who you’ve shared a document with. This feature was announced in June but seems to have taken its time to roll out. The idea is simple. When you send a new sharing link, SharePoint Online and OneDrive for Business tell you who the document is already shared with (Figure 1), including a thumbnail of each person (if available in Azure AD). You can hover over a thumbnail to see who the person is. The number of active sharing links also appears. It’s a small but useful change.

Figure 1: Information about people a document is already shared with

Easy to overlook, the SharePoint Online admin center now displays connected channel sites when a site used by Teams creates private channels (Figure 2). If you can’t remember which sites have private channel sites, connect to SharePoint Online PowerShell and run:

Get-SPOSite -Limit All -Template TeamChannel#0 | ? {$_.TeamsChannelType -eq "PrivateChannel"}
Figure 2: The SharePoint Online admin center notes the existence of some channel sites

If you click the channel sites link, the admin center displays details of those sites. Teams manages the settings for these sites, but it’s nice to be able to have easy access to the information. Shared channels, which are delayed until early 2022, also use channel sites.

OneDrive for Business supports Known Folder Move (KFM) and Files on Demand on macOS, which is nice if you’ve invested in a brand-new M1-powered Mac.

If your tenant uses sensitivity labels and has SharePoint Syntex, you can apply sensitivity labels to protect the document understanding models. The application of a label in this manner flows through to protect individual documents identified by models. It’s another way of automatically applying labels to sensitive content.

Sensitivity label control over sharing capabilities of SharePoint Online sites is now generally available. In addition, co-authoring and autosave of protected documents is generally available in the Microsoft 365 apps for enterprise (Word, Excel, and PowerPoint). We use protected documents heavily to store chapter files for the Office 365 for IT Pros eBook, so this is a welcome advance.

Exchange Online

Microsoft Scheduler can now dynamically adjust the scheduling of recurring meetings. This is message center notification MC295855 (November 2) and it’s a great idea. Static recurring meetings are all too often cancelled or rescheduled because someone is sick or otherwise unavailable. After a recurring meeting finishes, Scheduler looks for the best time slot for the next instance and books that time.

Everyone’s probably familiar with the Exchange Online campaign to remove basic authentication for email connection protocols (that October 2022 date is getting nearer!). PowerShell is on the list of protocols to be blocked for basic authentication, but the Exchange Online management PowerShell module still uses basic authentication to communicate with WinRM on a local workstation. Work is under way to remove the need to use WinRM. Microsoft has released a preview version (2.0.6-3preview) of the module to demonstrate how they will remove the dependency by using a REST API in the background. Exchange Online has many cmdlets, not all of which have been converted to use the new mechanism, but you can test the preview now.

On the downside, Microsoft didn’t say anything at Ignite about the next version of on-premises Exchange. This is strange given the September 2020 announcement said the next version of Exchange Server would be available in the second half of 2021.

Microsoft 365

Microsoft says that Visio web app is rolling out to Microsoft 365 commercial tenants (all tenants with Office 365 enterprise plans). The rollout goes through to the end of January 2022, so keep an eye on the app launcher to see when Visio web app (aka Visio in Microsoft 365) shows up in your tenant.

Microsoft Cloud App Security (MCAS) is now Microsoft Defender for Cloud Apps (surely MDCA?). The app governance add-on is now generally available. It’s a good way to chase down apps registered in Azure AD that are over-permissioned or not being used. If you don’t have MDCA or don’t want to pay for the add-on, use our DIY audit method for Azure AD apps.

Access to the knowledge available in topic cards created by Viva Topics has been restricted to some lesser-used applications up to now. Things will change when topic cards appear in OWA and Teams. Apparently, this will happen soon and should be a game changer for the organizations who have invested in the work needed to harvest organizational knowledge through Viva Topics.

Teams

Microsoft prioritized Teams at Ignite as the center of a new way to work (see my practical365.com article), so there were lots of Teams-related developments discussed, most of which can be left until they appear in a tenant near you. One snippet in a blog post about improving meeting quality is that noise suppression in Teams meetings will be available for iOS soon. Microsoft claims that they saw a “31% decline in comments about background noise distractions” after the launch of noise suppression. This sounds like a good thing, but a single statistic provided without any further context or detail is worthless. We don’t know the sample size, whether the clients were Windows or Mac, what kind of meetings were involved, or what is meant by “comments” (good, bad, or indifferent). Like many Microsoft statistics, there’s plenty of room for fudging an issue.


So much change, all the time. It’s a challenge to stay abreast of all the updates Microsoft makes across Office 365. Subscribe to the Office 365 for IT Pros eBook to receive monthly insights into what’s happening.

Why SharePoint Online Will Allow Users to Delete Files with Retention Labels https://office365itpros.com/2021/10/14/sharepoint-online-allow-users-delete-files-with-retention-labels/?utm_source=rss&utm_medium=rss&utm_campaign=sharepoint-online-allow-users-delete-files-with-retention-labels https://office365itpros.com/2021/10/14/sharepoint-online-allow-users-delete-files-with-retention-labels/#comments Thu, 14 Oct 2021 01:00:00 +0000 https://office365itpros.com/?p=51916

Making Compliance Work Better

As discussed last week, Microsoft is simplifying how retention processing works for SharePoint Online and OneDrive for Business. It’s a good initiative because this topic is like a black box for many tenant administrators. The latest step comes in MC289965 (7 October – roadmap item 82063) to align how the SharePoint Online and OneDrive for Business browser interfaces deal with user requests to delete a file assigned a retention label configured to retain items for a specific period. For instance, a file might have a retention label with a retain action for seven years. (A retention label can also be set to neither delete nor retain items, which makes it a visual marker.)

Deleting Files in SharePoint Online and OneDrive for Business

Up to now, the following happens:

  • OneDrive for Business: User deletes file with retention label. OneDrive for Business moves the file into the Recycle bin and captures a copy in the preservation hold library for the user’s account. A OneDrive account is a personal space and it’s reasonable to allow the account user to delete files if they wish. Note that you can’t delete a file assigned a record label. To create a retention label as a record, you need to use the Records Management solution in the Microsoft 365 compliance center (requires E5).
  • SharePoint Online: User attempts to delete file with retention label but is blocked because of the presence of the retention label (Figure 1).

Figure 1: SharePoint Online blocks the deletion of a file due to its retention label

You can argue a case that SharePoint Online does the right thing. By not allowing the deletion to happen and keeping the file in place until its retention period expires, SharePoint Online demonstrates that the file has some importance.

The Problem for Compliance

However, the problem is that the current Microsoft 365 group model allows group members full control over most items in the SharePoint Online team sites used by Teams and Groups. Therefore, if SharePoint Online blocks a user from deleting a file because of a retention label, they can simply remove the label and then delete the file (unless the retention label is a record label). Although most users might not realize that they can remove a retention label to delete a file, the fact that they can is a big problem in terms of compliance. In that light, it’s better to allow the deletion to proceed. SharePoint Online will capture the file in the preservation hold library to ensure that its content remains indexed and discoverable for retention purposes.

Earlier Attempt to Change Ran into Problems

Last June, Microsoft published MC264360 to notify tenants that they planned to change the way the SharePoint Online browser interface worked to bring it in line with OneDrive for Business. In other words, users would be able to delete files even if a retention label with a retention period was present.

After pushback from customers, Microsoft withdrew the proposed change to do some additional work. The result of that work will roll out in early November for completion by the end of the month. SharePoint Online users will be able to delete labelled files like they can in OneDrive for Business unless the organization decides that this is a bad idea and updates the SharePoint Online configuration to retain the existing behavior. SharePoint Online will continue to block deletion of items labelled as records.

Update January 11, 2022: The controls over deletion behavior are available in the Records management section of the Microsoft 365 compliance center (Figure 2).

Figure 2: Controls for SharePoint and OneDrive deletion of labeled files

Changing Things Back

If an organization decides that they’d like to keep things as they are, administrators will have to crack open the SharePoint Client Object Model (CSOM) and use the SetAllowFilesWithKeepLabelToBeDeletedSPO function in the SPPolicyStoreProxy class to set the value to False. Quite why Microsoft didn’t add a new parameter to the SPO-Tenant cmdlet to update this setting like all the other SharePoint Online organizational settings is beyond me. Microsoft says that when the feature rolls out, the “configuration will be available within the Records Management solution settings.” That’s all fine and dandy, but Records management requires Office 365 E5 or Microsoft 365 Compliance E5 licenses, so many administrators might avoid it. This setting should be in the SharePoint Online admin center and settable through PowerShell.

No doubt someone who knows their way around CSOM will create and publish the code necessary to update the setting with PowerShell so that people without deep knowledge of SharePoint object models don’t have to, but I think it is unacceptable for Microsoft to push a change out that cannot be easily controlled by tenant administrators. On the bright side, I think most tenants will like the new delete behavior for files with retention labels and can therefore ignore grappling with CSOM.

Change Based on Experience

Changing the way SharePoint Online works when deleting files with retention labels with retention periods is the right thing to do. It will make compliance work better and is more logical for users. It’s just a pity that the opt-out control is hidden.


Keep up with the changing world of the Microsoft 365 ecosystem by subscribing to the Office 365 for IT Pros eBook. Monthly updates mean that our subscribers learn about new development as they happen.

SharePoint Admin Center Absorbs OneDrive for Business Management https://office365itpros.com/2021/09/30/sharepoint-admin-center-absorbs-onedrive-for-business-management/?utm_source=rss&utm_medium=rss&utm_campaign=sharepoint-admin-center-absorbs-onedrive-for-business-management https://office365itpros.com/2021/09/30/sharepoint-admin-center-absorbs-onedrive-for-business-management/#comments Thu, 30 Sep 2021 01:00:00 +0000 https://office365itpros.com/?p=51740

Personal and Organization Document Management for Microsoft 365

I don’t know why Microsoft ever thought that it was wise or desirable to consider SharePoint Online and OneDrive for Business as two separate workloads. The decision might have made sense years ago, when Microsoft began to extract itself from the legacy of its on-premises servers and wanted to demonstrate that it had multiple services to offer within Office 365. It makes none in the context of today’s cloud services.

The simple fact is that OneDrive for Business is no longer an optional extra for Office 365 users. Teams uses OneDrive for Business to share files, including the components built using the Fluid framework, in chats. Recordings of Teams personal meetings also go into OneDrive for Business, and Whiteboard is about to make the transition to OneDrive storage too. If you save an email attachment from Outlook, OneDrive is the preferred target. Users are encouraged to move their files stored in well-known folders from local workstations to OneDrive for Business to take advantage of features like Autosave and differential synchronization.

Increasing Importance of OneDrive for Business

Microsoft makes large amounts of storage available to OneDrive for Business users to make it possible to store data online. All signs indicate that Microsoft will continue to move application and personal data to OneDrive for Business storage whenever possible because it makes it easier to index and search files, including eDiscovery support. In a nutshell, the central importance of OneDrive for Business to cloud users increases as time passes.

The Demise of the OneDrive Admin Center

Which brings me to the elimination of the OneDrive for Business admin center. Or at least, the move of OneDrive settings into the SharePoint Online admin center (Figure 1), which removes the need for the OneDrive admin center. The SharePoint Online admin center has always had settings which affected OneDrive for Business, like sharing controls. Now we have a single place to manage system and personal document and file management for Microsoft 365, which is what these products deliver.

Figure 1: The SharePoint Online admin center and its dashboard composed of insight cards

Microsoft covered the move of the OneDrive settings in a July 2021 blog post. With so many blog posts, announcements, updates, and other information about different aspects of Microsoft 365 appearing each week, you might not have noticed the transition. If you go to the Settings section of the SharePoint Online admin center (Figure 2), you’ll find the OneDrive for Business controls.

Figure 2: OneDrive for Business controls in the SharePoint Online admin center

Checking Sensitivity Labels and Sites

Another topic featured in Microsoft’s July blog is the new insight card to report the number of unlabeled sites. These are sites that don’t have an assigned sensitivity label. As you might notice from Figure 1, my tenant reports 128 of these sites. Given that I’ve invested lots of time working to implement sensitivity labels for container management, this seemed like a high number.

After checking the list of sites, I discovered that the set includes:

  • Sites retained by a compliance policy after removal of the original Microsoft 365 group.
  • System sites like the App Catalog site and the home site and its predecessor.
  • Sites created for Yammer communities before the switch of the Yammer network to Microsoft 365 native mode.
  • Teams created from a template (to close the gap, MC281936 describes an update rolling out soon to allow team owners to assign a sensitivity label when creating a new team from a template).
  • The Viva Topics center site.
  • The site created for the group used to control who can create custom templates for the Teams Approvals app.

In short, a bunch of sites turned up, some of which could do with a sensitivity label and others which don’t. In other words, a list that’s well worth reviewing.

Simplification is Goodness

I strongly approve of Microsoft’s move to incorporate OneDrive for Business management into the SharePoint Online admin center. There are still too many administrative consoles across Microsoft 365 and this step simplifies the tenant management landscape.

With the introduction of the new Exchange Online admin center and the transition of the old Security and Compliance Center to the Microsoft 365 compliance center, we’re also seeing rationalization of user interfaces. On the downside, the switchover from old to new consoles seems to be taking forever. Maybe it’s because people need time to absorb change, but sometimes you’d wonder if it wouldn’t be better if Microsoft pulled the plaster off quickly and launched a family of new fully-functional administrative tools.


Make sure that you’re not surprised about changes which appear inside Office 365 applications (like updates to admin portals) by subscribing to the Office 365 for IT Pros eBook. Our monthly updates make sure that our subscribers stay informed.

How Teams Makes Webinar Information Available for Search and eDiscovery
https://office365itpros.com/2021/09/16/how-teams-makes-webinar-information-available-for-ediscovery/
Thu, 16 Sep 2021 01:00:00 +0000

Partnership with Microsoft Lists Does the Trick

In an earlier article, we cover how Microsoft makes the spoken words in Teams meeting recording transcripts available to Microsoft Search. A similar approach is used to make the attendance for Teams webinars available to Search. Here’s what happens.

Webinars are calendar events, so their existence is recorded in the meeting organizer’s Exchange Online calendar. Also, the Microsoft 365 substrate captures meeting details in items in a hidden folder called 93c8660e-1330-4e40-8fda-fd27f9eafe10AttendanceReportV3Collection in the non-IPM part of the organizer mailbox, including JSON-formatted information about meeting participants captured in the ArtifactEntriesJsonBlob property (Figure 1).

Figure 1: Attendance data for a meeting captured in a meeting organizer’s Exchange Online mailbox

This information is captured for all meetings (including webinars) and is used to display the attendance report for the event in the Teams calendar app. Figure 2 shows the attendance report based on the information captured in the record shown in Figure 1.

Figure 2: Attendance report for a very short Teams meeting

Webinars receive special handling, and this is where Microsoft Lists come into play. The connection between Teams and the content held in Lists is via the ThreadId property, a value which points to the Teams meeting space (the identifier is also used in the Teams webinar URL) used for the event. A thread ID looks like this:

19:meeting_MjE2Mjg0OGEtMGViMi00OGNhLTg3ODQtMWE3NjE2MDAzNzli@thread.v2

Exposing Teams Webinar Information for eDiscovery

To make the webinar information available for eDiscovery, Teams creates three lists per webinar in the meeting organizer’s OneDrive for Business account. This is the reason why Microsoft makes access to Microsoft Lists one of the prerequisites for organizing Teams webinars. Lists are only created for webinar events.

The lists for an individual event share a unique identifier (GUID) which Teams uses as a suffix to associate the lists for an individual event (for example, de93882234fb418fb3fd5ef7048026d4). The lists are:

  • Event: Stores event information such as its start and end time and webinar description and title. The ThreadId for the webinar is stored in this list. The webinar title and description can be edited in the list but the information created by Teams for the meeting cannot.
  • Questionnaire: Stores the attendance records for individual webinar attendees. The information about attendee details (like name and email address) can be edited in the list but information relating to the Teams meeting (like its URI) cannot.
  • Speakers: Stores details of the speakers such as their names and bios. This information can be edited in the list.

Updates made to list data are reindexed and available for search.

The webinar lists are hidden from the normal My Lists view shown to users when they open the Microsoft Lists app. To access the webinar information, go to OneDrive’s Site Settings and navigate to the Site Libraries and Lists page (Figure 3), where you can see the lists used by Teams along with other lists used by OneDrive like the site’s preservation hold library.

Figure 3: Lists for Teams webinars stored in OneDrive for Business

As an example, this is the URL for the site settings and list page for the KimAkers@office365itpros.com account.

https:// office365itpros-my.sharepoint.com/personal/kim_akers_office365itpros_com/_layouts/15/mcontent.aspx

If you choose to customize a list, you see the list settings, including its URL. For instance, the speaker list for an event has a URL like:

https:// office365itpros-my.sharepoint.com/personal/kim_akers_office365itpros_com/Lists/Speaker_de93882234fb418fb3fd5ef7048026d4/AllItems.aspx

Using the URL, we can open the chosen list in a browser. Figure 4 shows the speaker list for a Teams webinar.

Figure 4: Speaker information for a Teams webinar stored in a list
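
The list naming described above lends itself to a quick inventory check before an eDiscovery collection. This is an added example, not code from the original article: it groups list URLs by the shared event suffix, reports which lists of a set are absent, and decodes the base64 portion of a meeting thread ID (in the article's sample this decodes to a GUID-formatted string). The function names, the `Event` and `Questionnaire` URL prefixes, and the second sample URL set are assumptions; only the `Speaker_` URL and the thread ID come from the article.

```powershell
# Added example: correlate the per-webinar lists in a OneDrive site by their shared suffix.
function Get-WebinarListSet {
    param(
        [Parameter(Mandatory)][string[]]$ListUrl,
        # Assumption: URL prefixes of the three lists; only 'Speaker' appears in the article.
        [string[]]$ExpectedKinds = @('Event', 'Questionnaire', 'Speaker')
    )
    # <Kind>_<32 hex characters> directly under /Lists/
    $pattern = '/Lists/(?<Kind>[A-Za-z]+)_(?<EventId>[0-9a-fA-F]{32})(/|$)'
    $hits = foreach ($u in $ListUrl) {
        if ($u -match $pattern) {
            [pscustomobject]@{
                Kind    = $Matches['Kind']
                EventId = $Matches['EventId'].ToLower()
                Url     = $u
            }
        }
    }
    $hits | Group-Object EventId | ForEach-Object {
        $kinds = @($_.Group.Kind | Sort-Object -Unique)
        [pscustomobject]@{
            EventId = $_.Name
            Lists   = $kinds -join ','
            # Lists expected for a webinar but not present in the input
            Missing = @($ExpectedKinds | Where-Object { $_ -notin $kinds }) -join ','
        }
    }
}

function ConvertFrom-MeetingThreadId {
    param([Parameter(Mandatory)][string]$ThreadId)
    # Shape taken from the article's sample: 19:meeting_<base64>@thread.v2
    if ($ThreadId -notmatch '^19:meeting_(?<B64>[A-Za-z0-9+/=]+)@thread\.v2$') {
        throw "Not a meeting thread ID: $ThreadId"
    }
    [Text.Encoding]::ASCII.GetString([Convert]::FromBase64String($Matches['B64']))
}

# Sample input. The first URL is from the article; the others are constructed.
$base = 'https://office365itpros-my.sharepoint.com/personal/kim_akers_office365itpros_com/Lists'
$urls = @(
    "$base/Speaker_de93882234fb418fb3fd5ef7048026d4/AllItems.aspx"
    "$base/Event_de93882234fb418fb3fd5ef7048026d4/AllItems.aspx"
    "$base/Questionnaire_0123456789abcdef0123456789abcdef/AllItems.aspx"
    "$base/PreservationHoldLibrary/AllItems.aspx"   # ignored: no event suffix
)

Get-WebinarListSet -ListUrl $urls | Format-Table -AutoSize
ConvertFrom-MeetingThreadId '19:meeting_MjE2Mjg0OGEtMGViMi00OGNhLTg3ODQtMWE3NjE2MDAzNzli@thread.v2'
```

A non-empty Missing column means the URL inventory for that event is incomplete and the site's list page should be checked again before the search scope is finalized.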

Microsoft Search indexes the information stored in OneDrive for Business. You can therefore search for someone’s involvement in a webinar by inputting their email address into SharePoint Search. The Digiform entries shown in Figure 5 are for the attendance rosters for two webinars.

Figure 5: SharePoint Search finds details of webinar attendance for a user

Even better, the indexed information for the speaker, attendance, and event lists is available for eDiscovery. In Figure 6, we see some webinar items listed in a sample preview for a Core eDiscovery search. The items relate to speaker bios (highlighted in Figure 1), webinar description, and email addresses in the attendance report. Again, the Digiform entries found by the search point to lists stored in OneDrive for Business.

Figure 6: Core eDiscovery searches find webinar information

The Many Moving Parts of Microsoft 365

The way Microsoft 365 captures, stores, and indexes webinar attendance data is a good example of the Microsoft 365 substrate and ecosystem in action. Although many moving parts are involved, administrators and end users don’t see any of the complexity or connections involved. Some might be bothered by the ability of end users to update some webinar information stored in lists, but if you don’t tell them that the information is there, they might never discover where it’s stored.


Learn more about how Office 365 really works on an ongoing basis by subscribing to the Office 365 for IT Pros eBook. Our monthly updates keep subscribers informed about what’s important across the Office 365 ecosystem.

How Microsoft Search Finds Spoken Text in Teams Meeting Transcripts
https://office365itpros.com/2021/09/08/how-microsoft-search-finds-spoken-text-teams-meeting-transcripts/
Wed, 08 Sep 2021 00:36:00 +0000

Search for What Participants Say During Teams Meetings

Microsoft message center notification MC260749 (last updated August 12) titled Microsoft Search: Find a meeting recording based on what was said is both technically interesting and important. Described in Microsoft 365 roadmap item 82003, the roll-out was delayed several times, but the way is now clear for Office 365 tenants to be able to search videos using spoken text along with a bunch of other changes to make Teams meeting recordings more accessible and useful. While it’s hard to say exactly when individual tenants will have all the functionality described here, I expect worldwide deployment to be complete by the end of October 2021.

Everything in OneDrive

Exposing the content of meeting recordings for search is important because it starts the process to close a major compliance gap. Up to now, transcripts for online meetings have not been searchable. The problem first surfaced when Teams stored its recordings in Stream. When the meeting finished, Stream processed the recording and created the transcript. However, the transcript remained in the Stream Azure service and was inaccessible to Microsoft Search. If something can’t be indexed by Microsoft Search, its content cannot be found by a search.

Microsoft completed the migration of the storage of Teams meeting recordings from Stream to OneDrive for Business or SharePoint Online (ODSP) on August 16, 2021. All new meeting recordings from that date are in ODSP with the migration of older content from Stream to ODSP happening later. Microsoft is busy building out the rest of the Stream 2.0 platform to handle videos which don’t come from Teams. For instance, they’ve released a preview of the new Stream browser interface which supports access to videos stored in both ODSP and the original Stream store.

The move to ODSP removed the ability to create and replay transcripts for meeting recordings which exists in Stream classic. Starting September 20, Microsoft plans to remove some of the automatically-generated transcripts from older videos in Stream classic to prepare for the migration to Stream 2.0.

To fill the functionality gap, Microsoft introduced a transcription capability for Teams meeting recordings (a recent update means that if you record a Teams meeting now, you generate a transcript automatically). However, the issue of searchability remained. Because ODSP stores the recording files, Search could index file metadata like the name of the recording, but that’s about all.

The gap in indexing and searchability is now closed. Teams stores the spoken text captured during a meeting (including speaker attribution so you know who said what) and meeting metadata in the Exchange Online mailbox of the meeting organizer. Capturing the spoken text in mailboxes allows Microsoft Search to index the data and therefore makes it possible for searches to find this information. And as we’ll see, ODSP also holds a copy of the transcript to allow the words in the transcript to connect with segments in a meeting recording.

Exchange Mailbox Storage for Transcript Information

Teams stores transcript information in a hidden folder called ApplicationDataRoot/93c8660e-1330-4e40-8fda-fd27f9eafe10/MeetingTranscriptCollection in the non-IPM part of the mailbox. Hidden means that the folder isn’t available to users through clients like Outlook, but its contents are available to administrative interfaces like Microsoft Search and programs like MFCMAPI.

Transcripts are captured as mail items. Examining the captured items with MFCMAPI, it looks like two properties are most interesting:

  • TranscriptJsonBlob: stores the spoken text captured during the meeting. In Figure 1, you can see some captured text, including the name of the speaker. When users view the transcript in Teams, the information is displayed in a nicer format. It’s also possible to download transcripts in VTT or Word (DOCX) format.
  • TranscriptMetadataJsonBlob: stores metadata about the call.

Figure 1: Spoken text from a Teams meeting transcript stored in Exchange Online

Linking Words to Videos

The original implementation for Teams meeting recordings stored in Stream classic supported transcription, including the ability to edit the transcript to correct obvious errors. To allow Microsoft Search to find the MP4 file for a meeting recording based on words spoken during a meeting, a background process copies the transcript data captured in Exchange Online and indexes it against the recording to match segments of the video with the spoken words.

Replication of transcript data from Exchange Online to ODSP can take anything from 15 minutes to a day after the meeting ends. Once the process completes, you can search for text spoken in meetings and find recordings using the transcript (Figure 2).

Figure 2: Microsoft Search finds spoken text in a Teams meeting recording

Transcript Playback

Matching words in the transcript with meeting recordings (and eventually, any video stored in ODSP) allows concurrent playback for the two elements. Microsoft 365 roadmap item 82057, rolling out in September 2021, delivers a transcript pane for video playback (Figure 3). No ability is yet available for a video owner to edit the transcript.

Figure 3: Viewing a transcript of a Teams meeting recording alongside the video

Curiously, closed captions are available for only 60 days from the date of recording. In addition, Microsoft says that “Closed captions aren’t fully supported” if you move or copy a recording from its original location. Presumably, this is because the move might affect the link to the transcript data.

Making Transcription Available to More Teams Users

The option to transcribe meetings used to be restricted to accounts with enterprise E3/E5 and Business Premium/Standard. In early July, Microsoft made live transcription available (MC260564) for other licenses, including the E1, F1, academic, and Business basic SKUs, noting that this step improves the accessibility of Teams and makes meetings more inclusive for those who are hard of hearing. Microsoft followed up with MC280258 (August 24), to announce support for transcripts and captions in 27 additional languages (Figure 4) to join the previous support for U.S. English.

Figure 4: The new languages supported by Teams meeting recordings

Another Compliance Gap Nearly Closed

All the information shared during Teams meetings is gradually coming within the scope of compliance policies. eDiscovery can already find chat, presentations, and documents, and the advent of indexed speech means that spoken comments should soon come within the scope of eDiscovery searches. This hasn’t happened yet, probably because of the work needed to export transcripts and videos in eDiscovery cases, but I am sure this capability is high on Microsoft’s agenda.

Although the captured text is sometimes inaccurate, capturing any record of spoken comments is better than nothing. As time goes by, the artificial intelligence technology used to analyze speech to create the transcript will improve in terms of accuracy and ability to handle accents.


So much change, all the time. It’s a challenge to stay abreast of all the updates Microsoft makes across Office 365. Subscribe to the Office 365 for IT Pros eBook to receive monthly insights into what’s happening.

Microsoft Plans to Remove Transcripts for Some Old Stream Videos
https://office365itpros.com/2021/08/24/stream-removes-old-video-transcripts/
Tue, 24 Aug 2021 01:00:00 +0000

Cleanout Starts on September 20

As we all know, Stream is in the middle of a migration from its old platform based on Azure storage to ODSP (OneDrive for Business and SharePoint Online). All new Teams meeting recordings are now stored in ODSP and Microsoft is preparing for the next phase, which is to migrate videos stored in Stream classic to ODSP. A bunch of work is going on to prepare the way, like a new web player for video content (MC261352, last updated August 10, due for a complete deployment by the end of September) and a new way of viewing the transcript of Teams meeting recordings (MC274185, July 30). In other words, things seem to be progressing nicely on the Stream 2.0 front.

Clearing Out Old Video Transcripts

That is until you read MC279467 (published August 20). At first glance, the text seems inconsistent with the generally positive progress of Stream. The notification says that starting September 20, Stream users will be unable to access (view, search, or edit) the transcripts automatically generated by Stream for:

  • New videos uploaded to Stream. However, transcripts will be generated once the newly uploaded video receives one view.
  • Older videos which have not been uploaded or edited (for instance, to trim a video) in the last 3 months (U.S. East datacenter region) or 6 months (for other regions hosting Stream services like the other U.S. regions and EMEA).

In other words, Microsoft is stopping the automatic generation of transcripts for new videos and removing transcripts previously generated for some older videos. This doesn’t affect the storage of videos; it is all to do with their transcripts, which are a significant accessibility feature for people to follow what’s happening in a video. Figure 1 shows an example of the transcript viewed alongside a video recording for my “Talking Teams” interview with Rish Tandon, Microsoft VP for Teams Development.

Figure 1: The automatic transcript shows alongside a video playing in Stream

If someone views an older video, Stream will regenerate the transcript. The same will happen if an owner edits video details and chooses to regenerate the captions (Figure 2) which make up the transcript.

Figure 2: How to regenerate an automatic transcript for a Stream video

Microsoft will not remove transcripts for videos when:

  • The transcript has been edited (for example, to correct some of the phrasing generated by automatic transcription). Although the automatic transcript is OK for most videos, it can have problems with idioms, unclear speech, and when people talk over each other.
  • Transcripts are uploaded manually.
  • Videos are active. To qualify, videos are uploaded, edited, or viewed in the last six months.

Interestingly, closed captions remain available for all videos.

Why is this Happening?

It’s reasonable to ask why Microsoft is cleaning out old Stream transcripts. Cynics will say that it’s a cost-saving measure to drive profits and point to the recent announcement about increased monthly fees for Office 365 plans. I think the answer is a little more prosaic. Microsoft is preparing for a migration. The nature of migrations is that they are often painful, complex operations. Removing data that doesn’t need to be migrated makes sense, so the possible reason is that Microsoft wants to clean out transcripts for videos which haven’t been watched or edited in a while so that they don’t need to migrate the data to ODSP. Given that transcripts probably need some massaging on ODSP to be indexed and become searchable there, this is a plausible driver.

Microsoft isn’t saying why the clean-out is happening but given that the migration is expected sometime early in 2022, it really doesn’t matter. After all, if someone notices that a transcript is missing for an antique video, it’s easy to regenerate it.

Microsoft Adds Service Plan to Control Offline Synchronization of Lists
https://office365itpros.com/2021/08/20/nucleus-service-plan/
Fri, 20 Aug 2021 01:00:00 +0000

Nucleus Roll-Out Delayed

In June 2021, Microsoft published message center notification MC261538 to announce the addition of Microsoft Nucleus to the OneDrive sync app. Nucleus is a sync engine for data-oriented information like Microsoft Lists and complements the differential synchronization that’s so effective for files. Users can add, remove, and update list items when working offline and Nucleus (or rather, Microsoft Nucleus.exe) synchronizes the changes with the cloud.

As often happens, Microsoft delayed the release of Nucleus. According to the latest update (July 9), roll-out starts sometime in August with a target completion in September 2021. At the time of writing, despite the presence of what seem to be required files on my PC, the update is not active in my tenant. At least, my lists do not display the syncing symbol. I’m sure things will start to work soon.

Figure 1: Microsoft Nucleus files on a PC

The Nucleus Service Plan

On August 11, Microsoft published MC277196 to announce the introduction of a Nucleus service plan to roll-out in September 2021 (Microsoft 365 roadmap item 68809). A service plan is a non-saleable license within a product (SKU) like Office 365 E3. The purpose of a service plan is to allow the licensing of specific features. In this case, the new service plan governs the ability of accounts to work with Lists offline and won’t cost anything additional for the plans Microsoft adds it to. Another recent example is the introduction of the Teams Pro service plan to enable Microsoft to restrict availability of certain high-end Teams features to enterprise SKUs.

When the Nucleus service plan is available, it will be listed in the set of features available to SKUs like Office 365 E3 and Office 365 E5. You will be able to disable access to Nucleus by removing the service plan from the set of features available to individual accounts. See this article for more information about how to remove a service plan from a set of target Microsoft 365 accounts using PowerShell.


Keep up to date with developments like Project Nucleus by subscribing to the Office 365 for IT Pros eBook. Our monthly updates make sure that our subscribers understand the most important changes happening across Office 365.

SharePoint Online Embraces Azure B2B Collaboration for External Sharing
https://office365itpros.com/2021/08/17/sharepoint-online-embraces-azure-b2b-collaboration-external-sharing/
Tue, 17 Aug 2021 01:00:00 +0000

Removing Friction from Sharing

External sharing of SharePoint Online and OneDrive for Business elements like documents, list items, and folders uses a technology called ad-hoc external sharing. When users share items with external recipients, SharePoint Online and OneDrive for Business use a one-time passcode to allow that person to verify their identity. A one-time passcode (OTP) is a way to authenticate the identity of people outside your Microsoft 365 tenant when Azure AD cannot verify their accounts using another method.

The ad-hoc sharing mechanism works but requires several steps before the user can open the shared item.

  • User receives the email telling them that someone has shared an item with them.
  • User attempts to access the item. SharePoint Online detects that it must verify their identity, so sends an 8-digit OTP to their email address.
  • The user receives the email (or finds it in their Junk Email folder) and enters the code (or cuts and pastes the code) into the form (Figure 1). Passcodes are valid for 30 minutes. The Keep me signed in checkbox controls the saving of the authentication cookie to disk to allow the user to reuse it for authentication until the cookie expires.
  • SharePoint Online verifies the code and if correct, allows access.

Figure 1: Using a one-time passcode to validate access to a shared file

Integrating SharePoint External Sharing with Azure AD B2B

To improve external sharing, in October 2021, Microsoft plans to turn on Email one-time passcode authentication for Azure AD by default for all tenants. Like the current ad-hoc sharing, the new mechanism features one-time passcodes. The big difference is that successful authentication results in the automatic creation of Azure AD guest accounts for external users.

Microsoft is making the change because it will enable new functionality for external recipients. Among the advantages cited are:

  • Because they will have Azure AD guest accounts, external recipients who redeem one-time passcodes won’t need to create a Microsoft (MSA) account.
  • Administrators can manage details of guest accounts, such as assigning them user-friendly display names or photos.
  • Other Microsoft 365 features, such as team membership or sharing of other SharePoint Online and OneDrive for Business resources, can take advantage of the guest accounts.
  • Guest accounts are subject to conditional access policies.
  • Tenants that configure Google Cloud federation with Azure AD can share resources with federated accounts.
  • The Azure AD B2B Collaboration policy controls external sharing. In other words, you can whitelist or blacklist domains that you want to limit sharing with or stop sharing with (a tenant can choose to deploy either a whitelist or blacklist, but not both).

Configuring Email OTP Authentication for Azure AD

While they can wait until Microsoft enables Email OTP authentication for Azure AD in October (or opt to disable the capability), tenants can choose to use email OTP authentication for Azure AD today. To enable the feature, go to the identity providers section and configure the email one-time passcode provider as shown in Figure 2.

Figure 2: Configuring the Azure AD Email one-time passcode identity provider

As you can see, this is where you can disable the feature, if that’s what you want to do.

Some configuration is necessary for SharePoint Online to integrate with Azure AD B2B and use email OTP authentication (or as Microsoft says in its documentation, Azure B2B Invitation Manager). Do this with the SharePoint Online management module by connecting and running the Set-SPOTenant cmdlet to update the necessary settings:

Set-SPOTenant -EnableAzureADB2BIntegration $True
Set-SPOTenant -SyncAadB2BManagementPolicy $True

Bizarrely, while you can use the Get-SPOTenant cmdlet to retrieve the value of the EnableAzureADB2BIntegration setting, it doesn’t report a value for SyncAadB2BManagementPolicy.

Using Email OTP Authentication for Azure AD

With Email OTP authentication for Azure AD enabled and connected to SharePoint Online, the following happens for external sharing.

  • The user creates a sharing link as usual (existing sharing links continue to work and there’s no need to recreate links).
  • Azure AD checks the directory and creates a guest account if an account doesn’t already exist for the external recipient.
  • The external recipient receives the email notification of sharing and clicks the sharing link.
  • Azure AD enters a validation process. Users with Azure AD or MSA accounts enter their email address and, if this is valid for the sharing link, the Azure AD Invitations service invokes the consent process to allow it to sign in the new guest account (Figure 3). Users without Azure AD or MSA accounts sign in using the one-time passcode authentication procedure to validate their identity.
  • If the external recipient grants consent, Azure AD signs them in and allows access to the shared resource.

Figure 3: Completing the validation process for the new guest account

The external recipient now has a guest account in the tenant. They can use this account to access other resources shared with them. And if the authentication token granted through a sign-in is still valid, they won’t have to sign in again to open other shared resources. When the guest account accesses tenant resources, Azure AD captures audit records (Figure 4).

Figure 4: An Azure AD audit record for a guest account sign-in to access a shared file

The tenant can manage the guest account like any other account, including imposing conditional access policies to restrict access where necessary, like confidential sites marked with an authentication context with a sensitivity label.

Guest Accounts Need Management

Using guest accounts to manage external access to SharePoint Online and OneDrive for Business resources is a sensible move. It’s a lower friction mechanism for external people that’s easier for tenants to operate. That being said, guest accounts do need to be managed as it is all too easy to allow obsolete or unused accounts to accumulate in Azure AD. Microsoft doesn’t provide any tools to clean up old guest accounts, but you can do the job with PowerShell.
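
One way to approach that review, as an added example that is not the article's own script: the function below classifies guest accounts by sign-in recency, separating guests created by a share that was never redeemed from guests who were once active and have gone quiet. The function name, the thresholds, and the sample accounts are assumptions; the commented lines show how the same properties can be read with the Microsoft Graph PowerShell SDK.

```powershell
# Added example: classify guest accounts by sign-in recency so stale ones can be reviewed.
function Get-GuestAccountReview {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [object]$Guest,
        [int]$StaleAfterDays = 180,       # assumption: review threshold, set per tenant policy
        [int]$UnredeemedAfterDays = 30,   # assumption: grace period for a guest who never signed in
        [datetime]$AsOf = (Get-Date)
    )
    process {
        # Most recent of the interactive and non-interactive sign-in timestamps, if any.
        $lastSeen = @($Guest.SignInActivity.LastSignInDateTime,
                      $Guest.SignInActivity.LastNonInteractiveSignInDateTime) |
            Where-Object { $_ } | Sort-Object -Descending | Select-Object -First 1
        $ageDays = ($AsOf - $Guest.CreatedDateTime).Days

        $status = if ($lastSeen) {
            if (($AsOf - $lastSeen).Days -gt $StaleAfterDays) { 'Stale' } else { 'Active' }
        } elseif ($ageDays -le $UnredeemedAfterDays) {
            'New'                 # too recent to judge
        } elseif ($Guest.ExternalUserState -eq 'PendingAcceptance') {
            'NeverRedeemed'       # account created by a share, invitation never completed
        } else {
            'NoSignInRecorded'
        }

        [pscustomobject]@{
            Mail     = $Guest.Mail
            Status   = $status
            LastSeen = $lastSeen
            AgeDays  = $ageDays
        }
    }
}

# Constructed sample accounts, shaped like the objects Get-MgUser returns.
$asOf = [datetime]'2021-10-01'
$sampleGuests = @(
    [pscustomobject]@{
        Mail = 'active.guest@example.com'; ExternalUserState = 'Accepted'
        CreatedDateTime = [datetime]'2021-01-10'
        SignInActivity = [pscustomobject]@{
            LastSignInDateTime = [datetime]'2021-09-20'; LastNonInteractiveSignInDateTime = $null }
    }
    [pscustomobject]@{
        Mail = 'old.partner@example.com'; ExternalUserState = 'Accepted'
        CreatedDateTime = [datetime]'2020-06-01'
        SignInActivity = [pscustomobject]@{
            LastSignInDateTime = [datetime]'2020-11-15'; LastNonInteractiveSignInDateTime = $null }
    }
    [pscustomobject]@{
        Mail = 'never.came@example.com'; ExternalUserState = 'PendingAcceptance'
        CreatedDateTime = [datetime]'2021-05-01'; SignInActivity = $null
    }
    [pscustomobject]@{
        Mail = 'just.shared@example.com'; ExternalUserState = 'PendingAcceptance'
        CreatedDateTime = [datetime]'2021-09-25'; SignInActivity = $null
    }
)

$sampleGuests | Get-GuestAccountReview -AsOf $asOf |
    Where-Object Status -ne 'Active' | Sort-Object Status | Format-Table -AutoSize

# Live data (Microsoft Graph PowerShell SDK):
# Connect-MgGraph -Scopes 'User.Read.All','AuditLog.Read.All'
# Get-MgUser -All -Filter "userType eq 'Guest'" `
#     -Property Id,Mail,CreatedDateTime,ExternalUserState,SignInActivity | Get-GuestAccountReview
```

Reading SignInActivity requires the AuditLog.Read.All permission and an Azure AD Premium license, so an empty value in a tenant without that license does not prove the guest never signed in.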


OneDrive’s Sharing Control Upgraded with Shared with Information
https://office365itpros.com/2021/08/13/onedrive-sharing-control-upgraded-with-shared-with-information/
Fri, 13 Aug 2021 01:00:00 +0000

Highlighting Who Already Has Access to Shared Information

Message center notification MC263839 (updated August 6 – Microsoft 365 roadmap item 83725) is all about new “Shared with” information which now appears on the control used to create sharing links. Well, it will when the roll-out completes in mid-August. Although tagged for OneDrive for Business, this change applies to both OneDrive for Business and SharePoint Online.

The idea is that the control now lists the set of people whom a file, folder, or list is already shared with so that owners know (at a glance – if they bother) how many people already have access and who they are.

Viewing Sharing Information in Different Circumstances

Showing sharing information works better in some situations than others. For example, if you share a file from a site owned by a Microsoft 365 group (or team), the set of sharing information includes:

  • The group
  • Group owners
  • Group members
  • Group visitors

It seems like this information could be filtered so that only the group is shown. The full set (Figure 1) doesn’t add value as the three entries (for SharePoint groups used to manage access) are defunct in the context of a group-connected site.

Figure 1: Sharing information for a site connected to a Microsoft 365 group

The information is more valuable when sharing a file from a site that isn’t connected to a group or OneDrive for Business. For instance, Figure 2 shows that a file is shared with 2 sharing links plus five specific users (tenant and guest accounts). Although you can mouse over an avatar to see who has access, it’s obviously better if the tenant and guest accounts have photos as this allows the sharing dialog to include thumbnails for each person.

Figure 2: Sharing information for a bunch of users

Several tests showed that up to six entries can appear in the dialog. If more people have access, you’ll see an ellipsis choice to go to the Manage Access menu to view full details of the existing sharing.

The mock-up used in MC263839 (Figure 3) uses larger thumbnails. It’s an interesting insight into the design decisions that must be taken to settle on the final look and feel for user interfaces.

Figure 3: Larger thumbnails in the sharing control mockup

Making Sharing More Transparent

This change is another step in building out the sharing control to make it more powerful and useful. Although some will probably say that it’s just window dressing or eye candy, I rather like seeing the set of people with access to a file, folder, or list highlighted in this manner. It’s the small things that often have the biggest impact!


Learn more about how Office 365 really works on an ongoing basis by subscribing to the Office 365 for IT Pros eBook. Our monthly updates keep subscribers informed about what’s important across the Office 365 ecosystem.

Whiteboard Moves Its Storage to OneDrive for Business
https://office365itpros.com/2021/08/05/whiteboard-moving-storage-onedrive-for-business/
Thu, 05 Aug 2021 01:00:00 +0000

Switchover Coming in October 2021

Updated March 9, 2022

Message center notification MC275235 (August 3, updated on December 7, 2021) says that Microsoft is rebuilding the Whiteboard app on top of OneDrive for Business (Microsoft 365 roadmap item 66767). Whiteboard will use OneDrive for Business as its default storage starting in January 2022 (previously October), but tenants can opt-in now through the Whiteboard settings in the Microsoft 365 admin center (Figure 1) to use OneDrive-based storage for Whiteboard when the feature becomes available at the end of October. The opt-in period will last until mid-November. Opting in affects the storage of whiteboards for every user in the tenant. The latest news is that Microsoft will complete the transition to OneDrive when it delivers updates to several clients during March 2022.

Figure 1: Configuring the Whiteboard settings in the Microsoft 365 admin center to use OneDrive storage

The trade-off is that only certain Whiteboard clients currently support OneDrive-based storage:

  • Whiteboard browser client.
  • Whiteboard for Teams meetings (including Teams mobile apps).
  • Whiteboard on Android.

Microsoft will deliver support for the other whiteboard clients (Windows 10/11), Surface Hub, the Whiteboard channel tab app for Teams, and iOS by October. Until then, if you choose to use OneDrive for Business, these apps will be unable to create or display whiteboards stored in OneDrive. Whiteboards created earlier and stored in Azure will remain accessible.

Solid Plan for Long-Term Whiteboard Storage

The switchover is like that done for Stream, which is also moving off Azure storage to OneDrive for Business and SharePoint Online (the final switchover for Teams meeting recordings is August 16, 2021). The new live (fluid) components which surface in applications like Teams chat, Outlook, and Whiteboard are also kept in OneDrive for Business. Moving off application-specific Azure storage to the more general-purpose storage managed by OneDrive for Business is a good idea for many reasons, including:

  • OneDrive for Business is a well-understood storage platform with APIs: Utilities like reports of files in OneDrive accounts will include whiteboards along with other files.
  • Available Storage: Although Microsoft doesn’t place any quota restrictions on the current Whiteboard Azure-based storage, OneDrive for Business offers very generous storage quotas which won’t be affected by the need to store a few whiteboards.
  • Sharing: Whiteboards can be shared like any other OneDrive for Business file. Users sent a sharing link for a whiteboard will open the file in the browser client.
  • Auditing: OneDrive for Business will log audit events for file operations against whiteboards.
  • Information governance and compliance: Like any other file in OneDrive for Business, retention policies and labels are applicable to whiteboards. It’s not obvious yet if the content of whiteboards is indexed and available for eDiscovery.
  • Tenant to tenant migration: Most tenant-to-tenant migration toolsets are very good at moving OneDrive for Business files around. Adding whiteboards to the mix gives them a little extra work to do but makes sure that these files end up in the right place in the target tenant.
  • Backup: ISV backup products are well used to dealing with OneDrive for Business, so having some extra whiteboard files to include in the mix will cause no problems.
  • User deletion: The Microsoft 365 workflow process for user account deletion allows another user to be assigned access to the deleted user’s OneDrive for Business account to copy important files before Microsoft 365 removes the account. The user assigned access can now rescue any important whiteboards from the deleted user’s account.

The Next Microsoft 365 App to Move is?

Moving storage to OneDrive for Business seems to be becoming a trend, which then poses the question of which will be the next Microsoft 365 app to move off Azure storage? Given the set which exists, Planner might be a candidate, but given its connection to Microsoft 365 Groups, the storage target is likely SharePoint Online instead of OneDrive for Business. We shall wait and see.


Make sure that you’re not surprised about changes which appear inside Office 365 applications by subscribing to the Office 365 for IT Pros eBook. Our monthly updates make sure that our subscribers stay informed.

Microsoft Introduces Auto-Expiration Policy for Teams Meeting Recordings
https://office365itpros.com/2021/08/03/teams-meeting-recordings-retention/
Tue, 03 Aug 2021 01:30:00 +0000

Only for Recordings of New Teams Meetings

Updated 21 May 2022

In MC274188 (July 30), Microsoft announced a plan to enable meeting recording auto-expiration in late September for new Teams meeting recordings (TMRs) stored in SharePoint Online and OneDrive for Business (Microsoft 365 roadmap item 84580). The new feature will move the MP4 files used for TMRs to the site recycle bin when their expiration date lapses. For enterprise users, the expiration period is 120 days after the creation of the recording. A reduced period of 30 days applies for academic users with the Office 365 A1 license. Once in the recycle bin, the MP4 files follow the standard SharePoint file deletion cycle. Auto-expiration for TMRs is available for all Office 365 and Microsoft 365 licenses which contain Teams.

TMRs are the first workload to move video storage from the classic Stream Azure-based platform to SharePoint Online and OneDrive for Business (ODSP). From August 16, 2021, all new TMRs will be in ODSP. Even though tenants have a lot more storage quota available (especially in OneDrive for Business for recordings of personal meetings) than in Stream, the new policy aims to restrict the amount of storage occupied by TMRs (roughly 400 MB per hour).

Update: Following a series of earlier delays, on January 31, 2022, Microsoft pushed deployment out to late March 2022 to make sure that when they start to delete files, they remove the right files. At the same time, Microsoft increased the default retention period from 60 to 120 days for all tenants that haven’t configured a custom retention period. Eventually all the blocking factors were removed and Microsoft began to roll out the auto-expiration of Teams meeting recordings feature in early April.

Setting a New Expiration Period for TMRs

Microsoft says that 96% of TMRs are not watched again in the 60 days (and 99% after 110 days) following the original meeting, which is why they’ve chosen this to be the default expiration period. Users can change the expiration period for individual TMRs by updating file properties through the file details pane (selecting preset values of 14, 30, or 60 days, a custom date, or Never Expire). Organizations can set a default expiration period for newly created TMRs using the Teams meeting policy assigned to user accounts. For example, to set the default expiration period for recordings of meetings made by people assigned the VIP User Meeting Policy, run the command:

Set-CSTeamsMeetingPolicy -Identity "VIP User Meeting Policy" -NewMeetingRecordingExpirationDays 120

Originally, Microsoft’s documentation described a maximum expiration period of 99,999 days (273 years). Subsequently, problems emerged when tenants set such a high value and the safe limit was found to be 9,999 days, which should be more than enough to keep any normal recording (remember, you can apply a retention label to keep recordings for longer). The minimum is 1 day, and you can set the value (in PowerShell) to -1 to set meeting recordings to never expire. The expiration period for A1 users can only be reduced from the default 30 days.

You can also update the auto-expiration period for meeting policies through the Teams admin center (November 2021 update). Interestingly, the Teams admin center allows a range of between 1 and 99999 days! I’ve asked Microsoft to clarify whether the supported period is 9,999 or 99,999 days. If you want to go higher than 9,999 days, maybe the best approach is to set expiration to never expire.

Figure 1: Defining a retention period for Teams meeting recordings

Background processes run to evaluate TMRs in ODSP to check their expiration date. If the expiration process detects an expired file, the process moves the file into the recycle bin and clears the expiration date field. Recording owners receive email notifications when OneDrive moves expired recordings into the recycle bin (Figure 2). If necessary, they can rescue important recordings from the recycle bin for up to 90 days after deletion. Once moved back from the recycle bin, the recording has no retention date set and will therefore not be evaluated for deletion again.

Figure 2: Email notification that a Teams meeting recording has expired and been deleted

To help users understand when a recording is approaching expiration, visual indications appear:

  • Beside the link to the meeting recording in the meeting chat. Anyone with view access to the recording sees the expiration notice.
  • Two weeks before expiration, a red icon appears beside the MP4 files for TMRs in the Recordings folder of OneDrive for Business accounts (personal meetings) or SharePoint Online sites (channel meetings).

Auto-expiration applies only to new TMRs. Existing TMRs stored in either ODSP or Stream do not have an expiration period. Auto-expiration is only available for TMRs and cannot be used with other file types held in ODSP. Expiration dates are kept if users move recording files to a different site (it’s the same file). They are not kept when users copy recording files (it’s a different file). Downloading and uploading a recording creates a new file with no expiration date. If you want to be sure that the expiration process does not remove a Teams meeting recording, apply a retention label to the file.

Tenant administrators can track the creation of TMRs in OneDrive for Business and SharePoint Online by using PowerShell to extract and analyze audit events.

Auto-Expiration and Retention

Auto-expiration is a good housekeeping feature rather than a compliance feature. It will help organizations cope with a swelling collection of TMRs in user OneDrive for Business accounts and SharePoint Online sites but will do nothing to help with data governance. Two interesting developments due to arrive soon are automatic transcription for TMRs and indexing of transcripts. From a compliance perspective, this means that it will be possible to search for words spoken during a meeting and be able to put those words in the context they were spoken. Obviously, this is a big advance in compliance capabilities.

To take advantage of spoken word retrieval and make sure that transcripts and videos are available to eDiscovery investigators, you obviously need to retain TMRs. For this reason, a retention label on a TMR prevents the auto-expiration process removing recording files until the retention period assigned in the label lapses. Also, a retention label mandating deletion after a period takes precedence over auto-expiration, meaning that if the retention label has a shorter retention period than the auto-expiration date, that’s when SharePoint will remove the file.

Precedence applies for retention labels assigned manually or via an auto-label policy (available to tenants with Office 365 E5). Organizations which leverage retention labels to preserve the recordings of important Teams meetings might not see much change after Microsoft introduces the new auto-expiration feature.



SharePoint Online Adopts OneDrive’s Deletion Method for Items with Retention Labels
https://office365itpros.com/2021/06/30/sharepoint-online-delete-retained-files/
Wed, 30 Jun 2021 01:00:00 +0000

Change to Remove Inconsistency

Retention policies and retention labels both make sure that workloads like SharePoint Online retain information needed by organizations. Retention policies are broader in scope and apply default retention to any location coming within their scope. For instance, if you apply a retention policy to a set of SharePoint sites, any file within those sites comes within the scope of the policy. Retention labels are more granular and apply to individual items, whether assigned by users or through auto-label policies (like the example of using an auto-label policy to retain Teams meeting recordings). Because they are more specific, retention labels take precedence over retention policies.

It’s up to an application how to implement the application of retention labels to items. It’s also up to applications how to respect the fact that a retention label exists on an item. Different behaviors have existed in the SharePoint Online and OneDrive for Business browser interfaces since the introduction of retention labels in 2017. According to MC264360 (June 24) – Microsoft 365 roadmap item 82063, Microsoft is closing the inconsistency and SharePoint Online will adopt the OneDrive for Business approach.

Deleting SharePoint Online Items

Today, if you try and delete an item in a SharePoint Online document library, the UI prompts for the deletion to proceed and if confirmed, attempts to delete the item. If the item is labeled, the deletion fails (Figure 1) and the user sees that removal isn’t possible because of the label.

Figure 1: SharePoint Online declines to delete a labeled file

There’s nothing to stop the user removing the label and then deleting the file, unless it’s a record label (only a site administrator can change a record label).

By comparison, you can delete an item in a SharePoint Online document library which comes within the scope of a retention policy. Although seemingly inconsistent (because the organization wishes to retain the items by policy), SharePoint Online allows the deletion to proceed and moves the item into the site recycle bin. Eventually, when the item expires in the recycle bin, SharePoint Online moves it into the site’s Preservation Hold library where it stays until its retention period lapses.

OneDrive’s Streamlined Approach

OneDrive for Business takes a streamlined approach to item deletion and allows users to remove items as they wish (Figure 2).

Figure 2: OneDrive for Business is happy to delete a labeled file

Deleted items go into the OneDrive for Business recycle bin (Figure 3). Users can recover deleted files from there using the Restore your OneDrive feature.

Figure 3: Files in the OneDrive for Business recycle bin

After 90 days, deleted files leave the recycle bin for either permanent removal or retention. If a retention policy or label applies to an item, it moves to the Preservation Hold library (Figure 4) and stays there until its retention period lapses. Of course, retention can be a complex business and an item might come under the scope of a retention policy after retention due to a label lapses. In any case, once no further retention applies to an item, a background job removes the item. Removed items are irrecoverable unless a backup exists.

Figure 4: Files in the Preservation Hold library for a OneDrive for Business account

The Goodness of Consistency

You can argue that either approach makes sense. Some like it that SharePoint Online stops people deleting labeled items. It’s a form of affirmation that the file is important. On the other hand, allowing deletion to happen but preserving files needed for retention is a lower-friction method which prevents potential user confusion (why can I delete that file but not this one?). Overall, achieving consistency across OneDrive for Business and SharePoint Online is a good thing and lowering friction is also a good thing, especially if it stops some support calls. We’ll see how users react (or even notice) after Microsoft rolls out the change in August.



How to Track the Progress of an Auto-Label Policy
https://office365itpros.com/2021/06/24/how-to-track-the-progress-of-an-auto-label-policy/
Thu, 24 Jun 2021 01:56:00 +0000

Opening the Black Box

My article about how to create an auto-label policy to apply retention labels to Teams meeting recordings resulted in several questions. As I noted in the article, tracking the progress of auto-labeling can be challenging due to the black-box nature of the background processes which search for recording files to label. One suggestion was to use the technique explained in this blog post to use the SharePoint Online PnP PowerShell module to connect to sites and retrieve information about retention job activity. For example:

$SiteURL = "https://office365itpros.sharepoint.com/sites/Office365Adoption/"
Connect-PnPOnline -Url $SiteURL -Interactive
# Date when the job that evaluates retention dates last ran
Get-PnPPropertyBag -Key "dlc_policyupdatelastrun"
# Date when the job that executes retention actions last ran
Get-PnPPropertyBag -Key "dlc_expirationlastrunv2"
2/23/2021 11:18:42 PM
2/2/2021 8:02:41 PM

The first value (dlc_PolicyUpdateLastRun) is the date when the background job to evaluate retention dates for items last ran. The second (dlc_ExpirationLastRunv2) tells you the last time the background job ran to execute the retention action defined in labels when retention periods expire.

The background jobs which evaluate retention dates and execute actions are not directly connected to auto-label processing, but they give an insight into how SharePoint Online processes sites. In a nutshell, if a site is active, the background jobs process its content. If not, the site is ignored. This makes a lot of sense because it avoids SharePoint doing a bunch of work to check items in sites where no work is necessary. I don’t know if another value stores a date when action must be taken to process expired items, but it would make sense if it did.

These values date back to legacy management processing in SharePoint on-premises and while they still work, Microsoft introduced a new retention processing engine last year which might eventually nullify their use.

Off to the Audit Log

Interesting as these values are, they don’t tell us anything about the application of labels. In the last article, I mentioned that the Office 365 audit log captures the TagApplied event when a person or policy applies a retention label to an item. The audit events are available roughly 15 minutes after they occur, so this source seemed like a good place to investigate.

I ended up writing a script to do the following:

  • Find audit records for the TagApplied event in the last 14 days.
  • Filter the records to find those which apply the retention label used by the auto-label policy. The same filter makes sure to only select records for policy rather than user application.
  • Find the date of the recording from the file name generated by Teams. For instance, a recording named Call with James Ryan-20210217_141123-Meeting Recording.mp4 started at 14:11 on 17 February 2021.
  • Calculate how long it took to auto-label the recording file (the difference between the date the call started and the audit record).
  • Write the details to a SharePoint list to make the data available for additional analysis.

Here’s the main loop of the code to process the audit records. You can download the complete script from the Office 365 for IT Pros GitHub repository.

# $StartDate, $EndDate, and $RetentionLabel must be defined before this loop runs
[array]$Records = (Search-UnifiedAuditLog -Operations TagApplied -StartDate $StartDate -EndDate $EndDate -Formatted -ResultSize 2000)
$TaggedRecordings = [System.Collections.Generic.List[Object]]::new()
$TotalSeconds = 0 # Running total used to compute the average time to label
ForEach ($Rec in $Records) {
   $AuditData = $Rec.AuditData | ConvertFrom-Json
   # Keep only records where a policy (not a user) applied the target retention label
   If (($AuditData.DestinationLabel -eq $RetentionLabel) -and ($AuditData.UserType -eq "CustomPolicy")) {
      $RecordingFileName = $AuditData.DestinationFileName
      # Teams embeds the meeting start in the file name as -yyyyMMdd_HHmmss
      $DateLoc = ($RecordingFileName.IndexOf("-202")+1)
      $RDate = $RecordingFileName.SubString($DateLoc,8)
      $TimeLoc = $DateLoc + 9
      $RTime = $RecordingFileName.SubString($TimeLoc,4)
      $RecordingDateTime = $RDate + $RTime
      [datetime]$RecordingDate = [datetime]::ParseExact($RecordingDateTime,"yyyyMMddHHmm",$null)
      [datetime]$TaggingDate = Get-Date($AuditData.CreationTime)
      # Elapsed time between the start of the meeting and the label being applied
      $TimeToTag = ($TaggingDate - $RecordingDate)
      $TotalSeconds = $TotalSeconds + $TimeToTag.TotalSeconds
      $TimeToTagFormatted = "{0:dd}d:{0:hh}h:{0:mm}m" -f $TimeToTag
      # Add the data about our record
      $DataLine = [PSCustomObject] @{
         Workload            = $AuditData.Workload
         Recording           = $AuditData.DestinationFileName
         "Retention Label"   = $AuditData.DestinationLabel
         "Tagging Date"      = Get-Date($AuditData.CreationTime) -format g
         "Recording date"    = Get-Date($RecordingDate) -format g
         "Days to label"     = $TimeToTagFormatted
         Site                = $AuditData.SiteURL
         FullURL             = $AuditData.ObjectId }
      $TaggedRecordings.Add($DataLine)
   } # End if
} # End ForEach

The Final Answer

After processing all the audit records, I know what Teams meeting recordings the auto-label policy has labelled and how long it took on average for an item to receive a label.

25 audit records found for auto-applying the Teams recordings retention label between 09/06/2021 19:36:43 and 23/06/2021 19:36:43
Average elapsed time to auto-label recordings: 02d:13h:28m
The report file is available in C:\temp\TaggedTeamsRecordings.csv.

The average time between creation and labeling depends on the gap between the meeting and when the labeling job runs. This seems to be on a weekly work cycle and usually runs over the weekend, so labeling a recording can take anything up to a week. An average of between two and four days is normal given that Teams captures new meeting recordings over the work week.

The same technique can be applied to track the progress of any auto-label policy.
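The filtering and date-parsing steps described above, as an added example that runs offline against embedded records (it is not the author's script). It anchors on the timestamp suffix with a regular expression so that a meeting title containing "-202" or a renamed file does not stop the run. The sample records, the label name, the "Regular" user type, and the function names are constructed for illustration, and the file name pattern is inferred from the single example in the article.

```powershell
# Added example. All records below are constructed sample data, not tenant output.
$RetentionLabel = 'Teams Recordings'   # assumed label name

$SampleAuditData = @(
    # Policy-applied label, file name in the format shown in the article
    '{"CreationTime":"2021-02-20T03:39:23","UserType":"CustomPolicy","DestinationLabel":"Teams Recordings","DestinationFileName":"Call with James Ryan-20210217_141123-Meeting Recording.mp4"}'
    # Meeting title itself contains "-202", which misleads a plain IndexOf("-202") search
    '{"CreationTime":"2021-06-19T21:00:00","UserType":"CustomPolicy","DestinationLabel":"Teams Recordings","DestinationFileName":"Budget-2022 planning-20210614_090000-Meeting Recording.mp4"}'
    # Label applied by a person rather than a policy: must be filtered out
    '{"CreationTime":"2021-06-15T10:00:00","UserType":"Regular","DestinationLabel":"Teams Recordings","DestinationFileName":"Standup-20210615_083000-Meeting Recording.mp4"}'
    # Renamed recording with no timestamp: must be reported, not crash the run
    '{"CreationTime":"2021-06-19T21:05:00","UserType":"CustomPolicy","DestinationLabel":"Teams Recordings","DestinationFileName":"Board review.mp4"}'
)

function Get-RecordingStartTime {
    # Returns the meeting start time embedded in a recording file name, or $null.
    param([Parameter(Mandatory)][string]$FileName)
    # Anchor on the suffix -yyyyMMdd_HHmmss-Meeting Recording.<ext>
    $Pattern = '-(?<stamp>\d{8}_\d{6})-Meeting Recording\.\w+$'
    $Match = [regex]::Match($FileName, $Pattern)
    if (-not $Match.Success) { return $null }
    $Parsed = [datetime]::MinValue
    $Ok = [datetime]::TryParseExact($Match.Groups['stamp'].Value, 'yyyyMMdd_HHmmss',
        [System.Globalization.CultureInfo]::InvariantCulture,
        [System.Globalization.DateTimeStyles]::None, [ref]$Parsed)
    if ($Ok) { return $Parsed }
    return $null
}

function Measure-AutoLabelDelay {
    # Filters AuditData JSON strings and measures the delay between meeting start and labeling.
    param(
        [Parameter(Mandatory)][string[]]$AuditDataJson,
        [Parameter(Mandatory)][string]$Label
    )
    $Rows = [System.Collections.Generic.List[object]]::new()
    $Skipped = [System.Collections.Generic.List[string]]::new()
    $TotalSeconds = 0.0
    foreach ($Json in $AuditDataJson) {
        $Data = $Json | ConvertFrom-Json
        # Keep only policy-applied records for the label being tracked
        if ($Data.DestinationLabel -ne $Label -or $Data.UserType -ne 'CustomPolicy') { continue }
        $Start = Get-RecordingStartTime -FileName $Data.DestinationFileName
        if ($null -eq $Start) { $Skipped.Add($Data.DestinationFileName); continue }
        # The cast handles both a string (Windows PowerShell) and a DateTime (PowerShell 7)
        $Tagged = [datetime]$Data.CreationTime
        # Assumption: both timestamps are in the same time zone
        $Delay = $Tagged - $Start
        # A label applied before the meeting started means the file name is not trustworthy
        if ($Delay -lt [timespan]::Zero) { $Skipped.Add($Data.DestinationFileName); continue }
        $TotalSeconds += $Delay.TotalSeconds
        $Rows.Add([PSCustomObject]@{
            Recording     = $Data.DestinationFileName
            RecordingDate = $Start
            TaggingDate   = $Tagged
            Delay         = $Delay
        })
    }
    $Average = $null
    if ($Rows.Count -gt 0) { $Average = [timespan]::FromSeconds($TotalSeconds / $Rows.Count) }
    [PSCustomObject]@{
        Labeled      = $Rows.ToArray()
        Skipped      = $Skipped.ToArray()
        AverageDelay = $Average
    }
}

$Result = Measure-AutoLabelDelay -AuditDataJson $SampleAuditData -Label $RetentionLabel
$Result.Labeled | Format-Table Recording, RecordingDate, TaggingDate, Delay
"Skipped (no usable timestamp): {0}" -f ($Result.Skipped -join '; ')
if ($null -ne $Result.AverageDelay) {
    "Average time to label: {0:dd}d:{0:hh}h:{0:mm}m" -f $Result.AverageDelay
}
```

To use it against a tenant, pass the AuditData strings returned by Search-UnifiedAuditLog instead of the embedded sample array.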


Keep up with the changing world of the Microsoft 365 ecosystem by subscribing to the Office 365 for IT Pros eBook. Monthly updates mean that our subscribers learn about new developments as they happen.

Teams Gets Automatic Meeting Recording Option
https://office365itpros.com/2021/06/23/teams-automatic-meeting-recording-option/
Wed, 23 Jun 2021 01:10:00 +0000

Just Another Meeting Option

Message Center notification MC263666 published on June 22 discusses the introduction of Teams meeting auto recording. This topic surfaced in May when TechRadar reported that “The video conferencing service will soon automatically record all Microsoft Teams meetings at the start of a call for the first time, adding a function that has been strangely absent.” As reported, the implication was that tenant administrators could enable automatic meeting recording to start at the commencement of each call, which created a bunch of adverse feedback from those worried about the prospect of every Teams meeting being recorded, not least because of the retention challenge of managing so many recording files in OneDrive for Business.

Microsoft didn’t do anything to tone down the coverage or say what will really happen until now. The real story is:

  • Automatically recording a meeting is a new meeting option, just like the options which control if meeting attendees can turn on their cameras or chat during the meeting.
  • The meeting organizer must set the option for each meeting. It’s not something which will be the default for every meeting.

In effect, the new option preconfigures an action that a meeting organizer can take today after they join their meeting. The new option simply ensures that the organizer doesn’t forget to start recording for important meetings.

The new option will start to appear in meeting options in late June, with the roll-out due to complete in late July. GCC High and DOD tenants will see the feature in late July.

Obviously, the meeting policy assigned to users must allow them to use cloud recording before they can initiate either manual or automatic recording. In addition, the tenant must have switched recording storage from Stream to OneDrive for Business (ODSP), a process which is now approaching completion. The option isn’t available to users with Office 365 A1 licenses.

Setting the Option to Auto-Record a Teams Meeting

There’s no way to configure a policy to set auto record for every meeting. There might be a way to do this programmatically using the Graph API, but I can’t find a suitable call (the update meeting call doesn’t allow access to meeting options). For now, if you want automatic recording to happen, you’ll have to select meeting options and set the checkbox (Figure 1).

Figure 1: The option to allow a Teams meeting organizer to record a meeting automatically

Recording the Teams Meeting

When a meeting with auto-recording set starts, a short delay occurs between the organizer (or the first user holding the presenter role from the home tenant) starting the meeting and the recording beginning. This allows the recording bot to join the meeting.

As is the norm for personal meeting recordings stored in OneDrive for Business, Teams creates the recording file in the OneDrive for Business account of the person who starts the recording. With automatic recording enabled, if someone other than the organizer starts the meeting, the recording is in their OneDrive for Business account rather than the organizer’s. However, the organizer has edit access to the recording while other people from the tenant invited to the meeting have read access. Obviously, organizers need to be sure to join their meetings first if they want full control over the recording file.

Recordings for channel meetings are stored in the Recordings folder for the channel in the document library of the team site. Anyone in the team has access to the recording. Everything works as expected when automatic recording is enabled for a channel meeting, except when the first person to join the meeting isn’t a member of the team. In this case, Teams records the meeting but can’t post the recording to SharePoint. Instead, the recording is available in meeting chat and can be uploaded to SharePoint by a team member.

Value in the New Option

Allowing organizers to set up meeting recording ahead of time is a good thing. I’ve been in the situation where I failed to record a meeting that I should have and regretted the lack of a recording afterwards. Whether I remember to update meeting options before important meetings in the future is entirely debatable, but at least I now can.



How Progressive Web Apps and Nucleus Combine to Make SharePoint Content More Accessible
https://office365itpros.com/2021/06/15/pwa-nucleus-odsp-data-accessible/
Tue, 15 Jun 2021 01:26:00 +0000

Make Web Sites into Apps

I confess to having been a little underwhelmed by Microsoft’s June 11 announcements (MC261535 and MC261537) that it will soon be possible to install OneDrive for Business and Microsoft Lists as Progressive Web Apps (PWAs). The relevant Microsoft 365 roadmap items are 80240 (OneDrive) and 80241 (Lists).

I should explain that I’m not so impressed as others might be because I’ve been installing various Office 365 web pages as apps in Edge for months (any Chromium-based browser works, Safari doesn’t). OWA works well as an app. The basic idea is that you use the Apps option in the browser to install a site as an app. Figure 1 shows what happens when you install OneDrive for Business as an app.

Figure 1: Making OneDrive for Business into an app using Microsoft Edge

The only other thing to do is to name the app (Figure 2).

Figure 2: Naming a PWA

The web pages installed as apps show up in the Windows start menu (Figure 3) and can be pinned to the taskbar.

Figure 3: Web apps listed in the Windows start menu

All About Access

The big advantage gained by installing web pages as apps is access. For instance, given the number of SharePoint sites in use today (many created by Teams), it’s often convenient to have an app pointing to a document library you use frequently. When an app starts, it has its own window. However, the functionality of the web page works in an app exactly like it does when it runs in a browser tab. As I said, it’s all about access, or rather, making information you use frequently more accessible.

If you can make Office 365 web pages into apps today, what’s Microsoft doing in MC261535 and MC261537? I think a couple of reasons exist:

  • Make people aware that they can access OneDrive for Business and Lists as apps.
  • Tune the pages so that they work well as PWAs.

Project Nucleus Arrives

Nice as it is to make OneDrive and Lists into apps, I’m much more impressed by the news in MC261538, which covers the introduction of a new general-purpose synchronization engine to the OneDrive sync client (Microsoft 365 roadmap item 68809).

Microsoft discussed Project Nucleus at the Ignite 2020 conference and said that they would use it to make Lists available offline (Figure 4). That’s what is being delivered with roll-out beginning in early July and due for completion in early August. Initially, Nucleus is only available for Windows 10 workstations.

Figure 4: Project Nucleus (source: Microsoft)

A separate Microsoft Nucleus.exe runs to synchronize Lists. According to Microsoft, “the sync process begins when a user first navigates to any list or to the Lists web app. All eligible lists that are visible from the Lists app will be synced. Common operations on lists, such as changing list views, sorting, filtering, and grouping happen locally and finish quickly even on very large lists. All of these operations continue to work offline. Edits sync between your device and the cloud and you can resolve merge conflicts if there are any.”

Microsoft has done a lot of work over the years to improve the OneDrive sync client by adding features like differential synchronization to make it capable of dealing with large files. Nucleus takes on the job of dealing with the synchronization of large and complex datasets, apparently using SQLite as a metadata store to allow users to continue working during network outages or when the network connection is flaky. Microsoft says that “requests are handled through a secure localhost HTTP server” and that complete documentation covering the management of Nucleus is on the way.

Two Sides of the Same Coin

PWAs and Nucleus are linked in the grand plan to make ODSP information more accessible. Web sites installed as apps need offline capability and Nucleus provides this ability for OneDrive for Business and SharePoint (ODSP) apps in the same way as other local stores deliver for apps like OWA and Teams.


Keep up to date with developments like Project Nucleus by subscribing to the Office 365 for IT Pros eBook. Our monthly updates make sure that our subscribers understand the most important changes happening across Office 365.

Microsoft Clamps Down on PST Storage in SharePoint Online and OneDrive for Business
https://office365itpros.com/2021/05/24/pst-storage-in-sharepoint-online/
Mon, 24 May 2021 01:53:00 +0000

PSTs Should Never Be in Cloud Storage

Updated: July 14, 2021

On May 17, Microsoft published message center notification MC256835 to advise tenants about the introduction of what they call a “PST version retention policy.” This has nothing to do with retention labels or retention policies. Instead, it’s about controlling PST storage in SharePoint Online by limiting the number of versions kept for PST files stored in SharePoint Online and OneDrive for Business document libraries.

Versioning in SharePoint Online

Versioning is a SharePoint feature. In a nutshell, as users make changes to files in document libraries, they create versions of the files. In some cases, such as when editing Office documents using Autosave, a single edit session might generate twenty or thirty versions, depending on the number of changes made. The number of versions kept in a document library is defined in library settings (Figure 1) in a range of 300 to 50,000.

Figure 1: Defining the Versioning setting for a SharePoint Online document library

SharePoint keeps multiple versions of files to ensure that the user can go back to a previous version. To do this, select a document and then Version history. You can then select a version to restore (Figure 2).

Figure 2: Version history for a document

Both SharePoint Online and OneDrive for Business also support options to restore a library to a point in time over the previous 30 days. Without versions, it would not be possible to do this.

Why PSTs End up in SharePoint and OneDrive

Versioning is good, so what’s the problem with PSTs? Before addressing that question, we should ask why PST storage in SharePoint Online or OneDrive for Business comes about. A PST (Personal Storage Table) is for email storage. It is a container to allow users to store messages they wish to keep. People might have moved PSTs from network file shares into SharePoint, but it’s a bad idea to use PSTs in SharePoint.

  • The PST file format is not intended for concurrent shared access. These are personal files. If a problem happens with a PST file stored in SharePoint, it might lead to data loss.
  • Even though they are in SharePoint, the messages stored in PSTs are inaccessible for eDiscovery.
  • Over the years, Microsoft consistently advised against the use of shared PSTs on network file shares because of the potential for corruption.

You might think the problem of concurrent access to a shared file is addressed by using the OneDrive sync client to have a local copy of PSTs synchronized with the master copy in SharePoint. But as pointed out in this post by a Microsoft support engineer, the way Outlook locks PST files for exclusive access creates many problems for the sync client (Figure 3). Basically, the sync client is frustrated by the lock taken out by Outlook and can’t process the PST.

Figure 3: The OneDrive sync client has a problem with a PST

People who replace local workstation storage with OneDrive for Business for well-known folders like Documents might end up with PSTs in OneDrive. To avoid problems, they should move these files out of a synchronized location.

The Impact of PST Storage in SharePoint Online

The problem now being addressed by Microsoft is that holding multiple PST versions can consume a huge amount of SharePoint storage quota. Remember, a PST is a container rather than an individual file, and if it’s in active use, Microsoft says this generates “multiple versions which leads to storage being quickly consumed.”

Because of the generous quotas available to OneDrive for Business users, consuming storage is less of an issue for OneDrive for Business than it is for SharePoint Online. Microsoft makes 1 TB plus 10 GB per licensed user available for the organization and charges extra if more storage is needed. Using retention labels and retention policies to ensure files cannot be removed from SharePoint can already consume large amounts of storage, so adding PSTs to the mix is like pouring fuel on a raging fire.

Microsoft’s solution is to retain no more than 30 days’ worth of PST versions. This is enough to ensure that the Restore library feature works, even when PSTs are in a library. While the best answer is not to allow users to store PSTs in SharePoint Online or OneDrive for Business, restricting versions for PSTs is an acceptable method to restrain storage demand. Organizations can block users from synchronizing PSTs by including the file type in the blocked files list defined in the Settings section of the SharePoint Online admin center (Figure 4). Given the impact this could have on users, it’s a good idea to communicate about the block before its implementation.

Figure 4: Configuring file types block for OneDrive synchronization

Microsoft Implements the New Policy

Starting June 28, organizations can use the Set-SPOTenant cmdlet from the SharePoint Online PowerShell module to control the new policy. By default, the policy will be on, meaning the permanent deletion of PST versions once they reach 30 days old. If you don’t want to restrict PST versions, you can opt out of the policy by running:

Set-SPOTenant -DisableOutlookPSTVersionTrimming $True

The new switch for the Set-SPOTenant cmdlet is available in the 16.0.21411.12000 release of the SharePoint Online management shell (released on July 12). You can download the module from the PowerShell Gallery.

The opt-out command must be run by August 13, so organizations have roughly six weeks to decide whether to opt out. The policy becomes effective on August 16 and running the command to opt out afterwards will have no effect. The big caveat is that the opt-out applies only to existing libraries. Any new library created after August 13 will apply the 30-day retention for PST versions.
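
The tenant-side steps described above (confirming that the installed management shell is new enough to carry the new switch, then blocking PST synchronization) as an added PowerShell example that is not from the original article. The admin URL is a placeholder, and the script assumes that Get-SPOTenantSyncClientRestriction reports the current block list in its ExcludedFileExtensions property.

```powershell
# Added example, not part of the original article.
# Assumption: $AdminUrl is a placeholder for your tenant's SharePoint admin URL.
$AdminUrl   = 'https://contoso-admin.sharepoint.com'
$MinVersion = [version]'16.0.21411.12000'   # release the article cites for the new switch

# 1. Confirm the installed SharePoint Online management shell is recent enough.
$Module = Get-Module -ListAvailable -Name Microsoft.Online.SharePoint.PowerShell |
    Sort-Object Version -Descending |
    Select-Object -First 1

if (-not $Module) {
    throw 'The SharePoint Online management shell is not installed.'
}
if ($Module.Version -lt $MinVersion) {
    throw "Installed module version $($Module.Version) is older than $MinVersion. Update it first."
}

Import-Module Microsoft.Online.SharePoint.PowerShell
Connect-SPOService -Url $AdminUrl

# 2. Read the file types already blocked from synchronization so they are preserved.
#    The value is handled whether it comes back as a list or a ';'-separated string.
$Current = (Get-SPOTenantSyncClientRestriction).ExcludedFileExtensions
$Extensions = @(
    @($Current) -split ';' |
        Where-Object { $_ } |
        ForEach-Object { $_.Trim().TrimStart('.').ToLower() } |
        Where-Object { $_ } |
        Select-Object -Unique
)

# 3. Add pst to the block list if it is not already there.
if ($Extensions -contains 'pst') {
    Write-Output 'PST files are already blocked from synchronization.'
}
else {
    $Extensions += 'pst'
    Set-SPOTenantSyncClientRestriction -ExcludedFileExtensions ($Extensions -join ';')
    Write-Output "Blocked file types are now: $($Extensions -join ', ')"
}

# 4. Optional: opt out of the 30-day PST version trimming (command from the article).
#    Leave this commented out to accept the default policy.
# Set-SPOTenant -DisableOutlookPSTVersionTrimming $True
```

Blocking the file type stops the sync client from uploading new PSTs; it does not remove PSTs that are already stored in document libraries.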

The Badness of PSTs

I’ve been trying to persuade organizations to stop using PSTs for years. They’re a 25-year-old answer to the problem of small server mailboxes which existed then and doesn’t now. PSTs are insecure, compromise the ability of organizations to search for information and apply compliance policies, and are prone to failure. There is nothing to recommend their continued use and even less to think that it’s a good idea to store PSTs in SharePoint Online and OneDrive for Business. If you’re still unconvinced, listen to this on-demand webinar Why PSTs are Such a Bad Idea in the Cloud, where I try my very best to explain why.


Get straightforward and honest opinion about how to manage Office 365 tenants by subscribing to the Office 365 for IT Pros eBook. We think about managing tenants so you can learn from our experience and insight.

Microsoft Whiteboard Moves its Storage to OneDrive for Business
https://office365itpros.com/2021/05/03/whiteboard-joins-onedrive/
Mon, 03 May 2021 03:12:00 +0000

Whiteboard Joins the OneDrive Fold

Message center notification MC253185 published on April 28 gives advance notice that Microsoft is changing the storage location for the Whiteboard app from Azure to OneDrive for Business. The switchover will happen in October 2021 with tenants given the opportunity to opt-in to use OneDrive for Business earlier. The move addresses several management, compliance and governance issues which exist for Whiteboard today.

According to Microsoft, Whiteboard is “the collaborative canvas in Microsoft 365.” This claim is largely based on using Whiteboard to share ideas during Teams meetings. Other applications might claim to cover the same ground as it’s possible to collaborate in a document, spreadsheet, presentation, or other files shared during meetings. The canvas moniker could also be called a blank sheet of paper, which is what Whiteboard looks like when it starts up, ready to be drawn upon by the pens and other tools available in the app (Figure 1).

Figure 1: The Whiteboard app (for Windows)

Problems Solved by OneDrive for Business

Problems addressed by moving away from storing Whiteboard data in the current Azure-based service include:

  • Retention policies and labels can govern whiteboard files. The files can also be restored if deleted in error using the Restore your OneDrive feature.
  • OneDrive for Business is a core Office 365 workload and available in all datacenters. Whiteboard’s data is not currently distributed outside the U.S. Data stored in OneDrive meets customer data residency requirements through go-local Office 365 datacenter regions and multi-geo deployments.
  • Sharing with internal and external users is much easier using OneDrive for Business.
  • Data in OneDrive for Business is indexed and available for searching, including eDiscovery. In the case of Whiteboard, it’s probable that file metadata will be searchable. We will have to wait to see if the actual whiteboard content is searchable.
  • Storage is more manageable as tenants can report on how much storage is used for whiteboards along with other files held in OneDrive for Business. Given that Microsoft allows OneDrive for Business users to have as much storage as they need, running out of quota isn’t a problem.
  • Whiteboard content will be accessible to ISV products which support OneDrive for Business. For instance, backup products can include Whiteboard in the files they copy.

These reasons are the same as those which underpin the move by Stream to embrace ODSP (OneDrive for Business and SharePoint Online) for video storage, initially for Teams meeting recordings and eventually all video content.

The person who creates a new whiteboard is its owner and the file is in that user’s OneDrive account. This applies both for whiteboards created in Teams and in the standalone browser or Windows applications. The dependency on OneDrive for Business means that people need to have a OneDrive account provisioned to store whiteboards. Given the emphasis on moving away from local to cloud storage for documents and other business information, I don’t think this should be an issue.

Migration is a Developing Story

For the moment, existing whiteboards will remain in Azure and can be accessed there. MC253185 says that Microsoft will share more details in October about how to migrate existing content to OneDrive for Business. They also say that tenants might be able to opt-in to use OneDrive before October, which is the same tactic used to allow tenants to move the storage of Teams meeting recordings early.

Controlling Whiteboard

You might be in the position where you don’t want to use Whiteboard or want to restrict its use to certain people. To disable or enable Whiteboard for the entire tenant, go to the Org settings section of the Microsoft 365 admin center and select Whiteboard. Then turn the setting on or off (Figure 2).

Figure 2: Enable or disable Whiteboard in the Microsoft 365 admin center

To disable Whiteboard for an individual user, access their account and uncheck Whiteboard in the set of apps. For example, Office 365 E3 and E5 plans include the Whiteboard (Plan 2) service plan.


Whiteboard’s move to embrace ODSP warrants just a few words in the Office 365 for IT Pros eBook. The other 625,000 words cover many more topics.

Enhanced SharePoint Online/OneDrive for Business Sharing Control Now Available
https://office365itpros.com/2021/03/23/enhanced-sharepoint-sharing-link/
Tue, 23 Mar 2021 00:01:00 +0000

Making Sure the Right Permissions are Set

Message Center notification MC244885 of March 17 covers the topic of “Adding Quick Permissions to the OneDrive/SharePoint Share Control” (Microsoft 365 roadmap item 70806). It all sounds very impressive, but really, it’s just a tweak to the control used when sharing documents from SharePoint Online and OneDrive for Business.

Microsoft has made many changes to the sharing control over the last few years. The most important initiative has been to impose consistency across Microsoft 365, with Teams the final workload to pick up the new control. Lately, Microsoft has been tweaking the sharing control to improve how it works, with the latest attempt being an ill-advised proposal to remove the share by Outlook option. Thankfully, Microsoft dropped that idea.

Permissions Front and Center

The latest change is more positive. It improves the usability of the option to control if a recipient of a sharing link can edit the shared file by making permissions front and center (Figure 1) instead of a behind-the-scenes option. That’s the beginning and end of the change. Whether this kind of change justifies a separate roadmap item and message center notification could be debated, but as it does affect what end users see in front of them, it’s probably warranted.

Figure 1: Deciding if the recipient of a sharing link can edit the shared file

As it was before, the default in the new control is that a recipient cannot edit a shared file.

Available Now

The new control is available now for both SharePoint Online and OneDrive for Business if your tenant is configured for targeted release. General availability will follow in early April. Teams has not yet picked up the new control, but that’s OK because in most cases, people share documents in personal chats when everyone in the chat gets the same permission.

OneDrive Sync Client Has Meltdown During Azure AD Outage
https://office365itpros.com/2021/03/17/onedrive-sync-client-meltdown-during-azure-ad-outage/
Wed, 17 Mar 2021 00:18:00 +0000

Azure AD Authentication Failure Stops Users Working

By now, you’ve probably heard about the second large Azure AD authentication outage since September. The March 15 incident calmed down after a few hours, but while it was ongoing users were unable to connect to Microsoft 365 applications when authentication was necessary. It wasn’t a happy experience. Microsoft plans to set a new SLA of 99.99% availability for Azure AD authentication on April 1, 2021. Perhaps they were making a few tweaks to the Azure AD infrastructure to prepare the ground for the upgraded SLA when things went wrong.

The current 99.9% SLA applies to the Azure AD tier for Office 365, but a Microsoft comment posted to the announcement for the new SLA said that the 99.99% level will only apply to those with Azure AD Premium licenses. I guess we shall have to wait and see the details of the SLA when Microsoft publishes the text of the agreement on April 1.

Microsoft 365 applications continued working during the outage unless authentication was necessary. Because they’re built on the Microsoft Graph APIs, the Teams clients authenticate hourly, so they were heavily affected. Outlook desktop stayed online throughout, and users reported varying degrees of usability for other apps.

Working in Word

While the outage progressed, I worked on a Word document for my blog post. All my Word documents are either in SharePoint Online document libraries or OneDrive for Business, so the OneDrive sync client is kept busy. The sync client is responsible for the differential synchronization of files up to the new 250 GB limit. Office apps autosave to capture changes. Not only does autosave ensure that you should never lose much if an app or workstation crashes, it’s also the way changes get to other copies of Office documents open for co-authoring. And it’s why SharePoint Online keeps a minimum of 100 versions of documents. If you use the Office desktop apps heavily and store files online, the OneDrive sync client is busy.

OneDrive Sync Client Goes Nuts

Until, that is, the OneDrive sync client decides that it should remove all the local copies of files from a SharePoint folder. This was a rather bizarre side effect of the Azure AD outage. At least, although I can’t prove that the outage caused the OneDrive sync client to do something very strange, the problem happened at the same time.

I noticed the issue when File Explorer reported nothing in the local folder which holds the synchronized copies of SharePoint files. The folder usually holds hundreds of files (423 as I write), so something had clearly happened. I opened the OneDrive sync client (build 21.041.0228.0001) and discovered that the client had removed the local files an hour ago (Figure 1), meaning that the client decided to remove the files at around 21:45 UTC, during the period when Microsoft was rolling out remediation for the Azure AD outage.

Figure 1: The OneDrive sync client removes a bunch of files

The problem was easily fixed by going to SharePoint Online and choosing to synchronize the folder again (Figure 2).

Figure 2: Opting to synchronize a SharePoint Online folder

The OneDrive sync client started to download local copies immediately (Figure 3) and a full set of documents was soon on my local drive.

Figure 3: The OneDrive sync client downloads files from SharePoint Online

Curious and Problematic Synchronization

You can argue that all’s well that ends well, but no good reason exists for the OneDrive sync client to do what it did. Perhaps the Azure AD authentication problem caused the client to believe that it was no longer allowed to download files from the SharePoint site. If so, it would be better if the client issued a warning to say what’s about to happen and offered the user a chance to authenticate with their credentials rather than concluding that everything should be removed now.

Failure to authenticate is the logical root cause which led to the mass deletion of local files. Every document in the folder has a retention label to stop SharePoint removing documents (set as a default label for the library). The normal course of events is that you can remove a local copy of a file from File Explorer only for the OneDrive sync client to restore the file once it discovers the deletion block imposed by the retention label. Despite the presence of the retention labels, the OneDrive sync client removed all the local files. If my theory holds, the OneDrive sync client concluded that the user had no access to SharePoint Online, so it should remove the local copies as this wouldn’t impact the retained file in SharePoint.

What’s also curious is that just one folder was affected. The OneDrive sync client left everything else alone. My conclusion is that the folder was in active use because I had a Word document stored in that folder open at the time, and autosaved changes were flowing back to SharePoint Online. No need existed for the OneDrive sync client to go near my other folders (like those holding files for the Office 365 for IT Pros eBook), so it left them alone.

It’s not just me who has encountered odd synchronization issues leading to mass removal of files. Fellow MVPs Vasil Michev and Paul Robichaux have also had difficulties. It seems like Microsoft has some work to do to smoothen how the OneDrive sync client handles what could be transient authentication issues.

Maybe I shouldn’t have disabled the new OneDrive sync client file delete warning!

Update March 18: Microsoft has two advisories linked to the problem. SP244708 (SharePoint) and OD244709 (OneDrive). The symptoms experienced by people are different, but the root cause is the same.

How to Use Sensitivity Labels to Protect Teams Meeting Recordings
https://office365itpros.com/2021/03/16/sensitiviity-labels-protect-teams-recording/
Tue, 16 Mar 2021 01:06:00 +0000

Possible to Protect Sensitive Meeting Recordings with Some Downsides

Although it’s listed as one of the applications which support sensitivity labels, the only way that Stream uses sensitivity labels is when it creates a new Microsoft 365 group. At that point, you can assign a sensitivity label with container management settings to the new group. Container management is good, but it doesn’t protect the data owned by the group.

This situation creates the question of how best to protect confidential videos. Because sensitivity labels control access to files using fine-grained rights management, they are an attractive choice. Stream “classic” doesn’t support the option to protect files in this manner, but the transition of Stream storage to SharePoint Online and OneDrive for Business creates a potential solution. As we’ll discuss, the basic technology works, but some implementation issues generate more friction than you’d like, possibly because Microsoft hasn’t figured out how the components should work together.

Unified Labeling Client and OneDrive

Microsoft touts the ability of SharePoint and OneDrive to store just about any type of file up to 250 GB, which makes it easy to store recordings of even the longest meeting. However, no user interface exists in the browser interface for SharePoint or OneDrive to assign sensitivity labels to files. Office (online, desktop, and mobile) applications can apply sensitivity labels, including encryption if needed. Exchange Online mail flow rules can also assign sensitivity labels to messages. Outside these implementations, writing some PowerShell or Microsoft Graph code or using Microsoft’s unified labeling client are the only ways to assign sensitivity labels to files.

The unified labeling client runs only on Windows workstations. It integrates with File Explorer to add a Classify and protect option to make it simple to add protection to any file which File Explorer can access. Applying protection to PDF files is a popular use case for the unified labeling client.

The OneDrive sync client can synchronize online folders and files to local copies, so it doesn’t take much lateral thinking to put two and two together and conclude it should be possible to assign sensitivity labels to meeting recordings stored in OneDrive. And as it turns out, it’s true. The only downside is that the unified labeling client requires Azure Information Protection P1 licenses. These licenses are part of the Enterprise Mobility and Security suite, but not bundled in any Office 365 plans.

Protecting Meeting Recordings

Figure 1 shows a set of MP4 video files (and a Word document) in the Recordings folder of my OneDrive for Business account. This is the location where Teams stores its meeting recordings. A label already protects one of the recordings (bottom right), as shown by the Azure Information Protection padlock icon. To protect another file, select it, and choose File Explorer’s Classify and protect option.

Figure 1: Classify and protect a Teams meeting recording stored in OneDrive for Business

The unified labeling client launches to allow the user to select the sensitivity label they wish to apply. Some sensitivity labels apply markings to files without encryption, but as the MP4 format doesn’t support headers, footers, and watermarks like those used in Office documents, the only labels offered for selection in Figure 2 are those which encrypt content.

Figure 2: Choosing a sensitivity label for the unified labeling client to apply to a Teams meeting recording

After selecting the label to apply, click Save to allow the client to encrypt the file. On my i7 Surface Book 2, the client took twelve seconds to process the 358 MB recording (for a meeting lasting 46 minutes). The size of the file is in line with the expected storage consumption for Teams recordings.

Downsides

We now have a protected MP4 file. The downsides are:

  • The link posted in Teams for the recording as part of the meeting resources breaks. The recording is still listed as a resource, but the link points to the original MP4 file which no longer exists because it is replaced by the encrypted file (which has a .pfile extension). Protecting the recording also removes the sharing links for the file, so even if you reverse course and remove the label, Teams can’t access the file.
  • Because the encryption process creates a new file without sharing links, the owner of the file must share the file with those permitted to view the recording.
  • The OneDrive MP4 file viewer can’t open the protected file.
  • The only way to view the protected video recording is through the Azure Information Protection viewer (part of the unified labeling client), meaning that those who want to view the recording must install the unified labeling client. Their account also needs an Azure Information Protection license.

In a nutshell, the unified labeling client treats Teams meeting recordings like any other MP4 file it protects. Encryption breaks any special connection between Teams and OneDrive for Business. The result is a protected recording, but the file owner needs to grant access to those who need to view the recording.

Maybe Not Completely Ready

Just because you can do something doesn’t mean that you should do something. Although you can protect Teams meeting recordings with sensitivity labels, the downsides indicate that the Microsoft engineering teams involved (Teams, SharePoint, Stream, and Microsoft Information Protection) have not yet worked through the issues to come up with a more seamless implementation. To be fair, Stream is in the middle of its switchover from Azure to SharePoint storage, and Microsoft might work through this point as that process unfolds. Service encryption with customer key is one of the work items listed for the migration to the New Stream, but support for sensitivity labels isn’t mentioned.

Until a more seamless integration is available, it’s reasonable to conclude that using sensitivity labels to protect Teams meeting recordings stored in OneDrive is possible with downsides.


Information protection is an important topic covered by the Office 365 for IT Pros eBook. That’s why we think about and test this kind of stuff. Benefit from our work by subscribing to the book. Its monthly updates keep everyone informed about what’s happening inside Office 365.

Blocking Download Permission for Teams Meeting Recordings
https://office365itpros.com/2021/02/22/blocking-download-permission-teams-meeting-recordings/
Mon, 22 Feb 2021 00:35:00 +0000

Switching Storage from Stream to ODSP

Following on from the change in timing for the general switchover of Teams meeting recordings from Stream Classic to OneDrive for Business and SharePoint Online (ODSP for short) to July 2021, Microsoft is leveraging SharePoint permissions to better control access to recordings. This wasn’t possible in Stream Classic, but it is now that Teams is adopting SharePoint-based sharing.

After you switch Teams meeting recordings to ODSP, new meeting recordings are not stored in Stream. Instead:

  • Recordings for personal and group chats and personal (private) meetings are stored in the OneDrive for Business account of the user who starts the recording. This user is the owner of the recording.
  • Recordings for channel meetings are stored in the channel folder of the document library in the SharePoint team site owned by the team.

In both cases, the MP4 files for the recordings are in the Recordings folder.

No Downloads Please

In message center MC230505 (updated February 18), Microsoft makes the important clarification that the only person allowed to download a recording for a personal chat or meeting is the owner. Everyone else is assigned view-only permission to the file.

Figure 1: Permissions for a Teams meeting recording in OneDrive for Business

A change due to roll out in early April and finish in June will block users with view-only permission from downloading the file. Only those with edit access to recordings can change the permissions to allow others to download the files. The change is described in Microsoft 365 roadmap 70543. Organizations cannot override the assignment of permissions to meeting recordings or the way the permissions work.

Channel Meetings are Different

Channel meetings are treated differently. Once someone uses the Teams calendar app or the channel calendar app to create a channel meeting, the team which owns the channel becomes the owner of the event. The person who schedules the meeting can still update meeting settings, but they are not the owner.

This is important because the Microsoft 365 Groups access model which underpins Teams dictates that team members have equal access to group resources. The simplicity of the Groups membership model makes it easy to understand, but sometimes its lack of granularity is regrettable and forces change, such as the introduction of private channels in Teams to support confidential access to resources for a subset of team members. Because team members enjoy the same level of access to group resources, they have edit permission for meeting recordings stored in the document library of the SharePoint site owned by the team.

Don’t Discuss Sensitive Information in Channel Meetings

The devil is always in the detail. In this case, Microsoft recommends that organizations do not use channel meetings to discuss confidential or sensitive information. The reason why is simple: if you do, any team member can access files shared in the meeting or download the meeting recording, which is probably not what you want to happen with sensitive material.

Instead, use private meetings when you need control over who can join the meeting and who will be able to access information shared in the meeting. Recent changes to meeting settings allow precise control over who can join a meeting automatically, meaning that you can be sure that someone can’t sneak in using a meeting link shared by another participant.


So much change, so much detail. Stay abreast of developments by subscribing to the Office 365 for IT Pros eBook and receive monthly updates (a completely new book). It’s the best value in IT!

Use Distribution Lists or Security Groups to Add Accounts to DLP Policies
https://office365itpros.com/2021/01/27/teams-dlp-policies-dls/
Wed, 27 Jan 2021 05:24:00 +0000

Teams and DLP (and now OneDrive too)

Updated February 24, 2021

Almost two years ago, Microsoft added Teams to the workloads supported by Data Loss Prevention (DLP) policies (Figure 1). For Teams, DLP checking occurs after users send messages to chats or channels. Offending messages are blocked, sometimes after a short delay. The system works well, but whether it is worth spending extra for Office 365 E5 licenses is debatable (DLP checking for Exchange Online and SharePoint Online is covered in Office 365 E3).

Figure 1: Teams chat and channel messages can be included in a DLP policy

In any case, message center update MC234475 published on January 15 says that “DLP for Microsoft Teams will soon support security groups and distribution lists as part of the Teams location picker.” (Microsoft 365 roadmap item 68874). Rollout is scheduled for mid-February with completion worldwide in mid-March.

Upgrading the Teams Location Picker

The title used for MC234475 is a tad obscure for even those accustomed to working with DLP policies. The Teams location picker is a Microsoft term for the UI component used to select the Teams user accounts to include or exclude in a DLP policy. Teams shares its location picker with Exchange Online while SharePoint and OneDrive for Business, which operate based on site URLs, have a different picker. Many DLP policies operate on a whole organization basis, meaning that no accounts are explicitly included or excluded as the DLP policy applies to every channel and every user in the organization. In these cases, you don’t worry about the location picker because it’s not used.

Things are more problematic when different policies are deployed to different user groups within an organization. Now the location picker is used to select which accounts come within the scope of a DLP policy. Exchange Online has always used distribution lists to select accounts to set the scope for policies, but up to now compliance administrators were forced to select individual accounts for Teams DLP policies (the Teams locations). The change being made in the Teams location picker allows administrators to select distribution lists and mail-enabled security groups instead of individual accounts (Figure 2).

Figure 2: Selecting distribution lists for a Teams DLP policy

Because distribution lists and mail-enabled security groups can contain more than accounts, Teams applies a filter to select only Teams-enabled accounts from the membership.

DLP Used in Large Organizations

Being able to use distribution lists and security groups to select the target accounts for DLP policies is a welcome update because it is much easier to add one or two distribution lists to a policy instead of finding and adding potentially hundreds of individual accounts. In addition, being able to specify distribution lists and mail-enabled security groups instead of individual accounts removes the previous limit of 1,000 individual accounts that could be added to a Teams DLP policy.

Microsoft said that Teams is used by 93 of the Fortune 100 in March 2020. Given that Teams had 44 million active users then and the latest data (October 2020) says Teams has 115 million daily active users, it’s obvious that a bunch of large organizations use Teams. Those are exactly the kind of tenants likely to use DLP to help control the sharing of confidential data. It’s also reasonable to assume that these tenants will be interested in granular control over policy scope (for instance, to apply a policy on a country or department-level basis) and therefore use the Teams location picker. Being able to use distribution lists or security groups reduces administrator workload and avoids the need to use PowerShell to update the Teams location in DLP policies when large numbers of accounts need to be added.

List and Group Updates Handled

Even better, if you use a distribution list or security group to define the scope of a Teams DLP policy, a background process keeps an eye on the membership of the list or group so that if accounts are added to or leave the list or group, the DLP policy is automatically adjusted to reflect the membership changes.

Picker for OneDrive for Business Accounts

Microsoft 365 notification MC241352 published on February 24 brought further good news in that the picker for OneDrive accounts in DLP policies will support distribution lists and security groups from March 2021 (Microsoft 365 roadmap item 70708). This is a welcome update for exactly the same reasons.


DLP is covered in Chapter 22 of the Office 365 for IT Pros eBook. It’s not the most compelling topic we cover, but it is technically challenging and interesting in its own right.

How Stream for SharePoint Handles Storage Quotas
https://office365itpros.com/2021/01/04/stream-for-sharepoint-storage/
Mon, 04 Jan 2021 09:46:06 +0000

Teams Meeting Recordings a Big Demand on the System

Microsoft is in the middle of building Stream for SharePoint (the new Stream). Part of the transition is to move video storage away from a dedicated Stream repository in Azure to SharePoint Online and OneDrive for Business. Office 365 tenants can move recordings of new Teams meetings to OneDrive for Business now, with the transition of existing videos to follow when the new Stream becomes available during 2021.

Update: Migration from Stream Classic to Stream based on SharePoint is still not generally available.

Because it has its own repository, the classic Stream controls its storage. Tenants receive a base amount of 500 GB plus 0.5 GB per licensed user (all Office 365 enterprise users are licensed for Stream). A tenant with 1,000 users therefore receives 1.5 TB of Stream storage. If more storage is needed, it can be bought from Microsoft.

Teams Recordings Drive Stream Storage

According to Microsoft sources, a large percentage of Stream storage is consumed by Teams meeting recordings. With over 500,000 users, Accenture runs the world’s largest Teams deployment, consuming 350 million minutes of audio meetings and 90 million minutes of video meetings monthly. Heavily influenced by the change of working habits due to the Covid-19 pandemic, the growth in online meetings is representative of many organizations, and 115 million monthly active Teams users generate lots of meetings. Many meetings are recorded, and the amount of Stream storage used by Teams continues to grow. This is one of the reasons why Microsoft chose to move Teams recordings to OneDrive for Business as the first step in the transition to the new Stream.

Removing Old Recordings

Meeting recordings are most useful soon after an event. Once people have had a chance to review a recording, the value of keeping most recordings declines over time. Classic Stream has no way to age out old recordings, and while Microsoft is working on a policy to expire Teams meetings automatically after a set period, that feature isn’t yet available.

The net result is that quota consumption continues unabated unless meeting organizers (the owners of the recordings) proactively remove old recordings. This doesn’t happen in the real world.

Quota Management in Stream for SharePoint

In Stream for SharePoint, recordings are stored in the OneDrive for Business account of the person who initiates the recording. The question then arises: what happens to the storage quota assigned to tenants for classic Stream?

The answer is that the quota doesn’t transfer. Videos stored in SharePoint Online or OneDrive for Business count against the tenant’s SharePoint storage quota (for videos owned by a Microsoft 365 group) or an individual’s OneDrive storage quota. Although this seems unfair, it’s not in practice because Microsoft makes large amounts of storage available to OneDrive for Business accounts, including “beyond 1 TB, to unlimited” for enterprise users. Given that most Stream storage is consumed by Teams recordings and these files will now be in OneDrive for Business, no need exists to transfer the classic Stream quota.

You might still want to run reports to check on OneDrive for Business storage, just in case some users need an increase in their assigned quota. The demand on quota should reduce after Microsoft introduces the policy to age out old recordings. In the interim, you can make sure that everyone can store all the meeting recordings they need by bumping the default OneDrive storage quota from 1 TB to 5 TB by editing the setting in the SharePoint admin center (Figure 1).

Figure 1: Setting a default storage limit for OneDrive for Business accounts
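
An added example (not from the original article) of the kind of storage report mentioned above: it lists OneDrive for Business accounts that have used more than a set percentage of their quota. It assumes the SharePoint Online management module, a SharePoint administrator account, a placeholder tenant name (contoso), and an 80% threshold chosen for illustration.

```powershell
# Added example, not the article's own code.
# Assumes the Microsoft.Online.SharePoint.PowerShell module is installed and
# that "contoso" (a placeholder) is replaced with the real tenant name.
Connect-SPOService -Url "https://contoso-admin.sharepoint.com"

# Illustrative threshold: report accounts using at least this share of their quota
$ThresholdPercent = 80

# OneDrive for Business accounts are personal sites under -my.sharepoint.com/personal/
$Sites = Get-SPOSite -IncludePersonalSite $true -Limit All `
    -Filter "Url -like '-my.sharepoint.com/personal/'"

$Report = foreach ($Site in $Sites) {
    # StorageUsageCurrent and StorageQuota are both reported in megabytes
    if ($Site.StorageQuota -le 0) { continue }

    [PSCustomObject]@{
        Owner       = $Site.Owner
        Url         = $Site.Url
        UsedGB      = [math]::Round($Site.StorageUsageCurrent / 1024, 2)
        QuotaGB     = [math]::Round($Site.StorageQuota / 1024, 2)
        PercentUsed = [math]::Round(($Site.StorageUsageCurrent / $Site.StorageQuota) * 100, 1)
    }
}

# Accounts closest to their limit come first; these are the candidates for a quota increase
$Report |
    Where-Object { $_.PercentUsed -ge $ThresholdPercent } |
    Sort-Object PercentUsed -Descending |
    Format-Table -AutoSize
```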

Keep up-to-date with the transition from Classic Stream to Stream for SharePoint by subscribing to the Office 365 for IT Pros eBook. We make sure that you master the detail.

Teams Drives SharePoint Online Growth to 200 Million Active Users
https://office365itpros.com/2020/12/10/sharepoint-online-grows-200-million-active-users/
Thu, 10 Dec 2020 01:34:00 +0000

Teams Now the Major Influence on SharePoint Growth

Three years ago, I wrote an article about how Office 365 Groups saved SharePoint. A lot has changed since, not least because Microsoft has just announced that SharePoint Online has 200 million monthly active users. But the biggest transformation is that it turned out that Teams is the real strength behind SharePoint.

Office 365 Groups (now Microsoft 365 Groups) set the standard of provisioning a SharePoint Online team site for every group. Although Outlook groups are still popular within the email community, the role of Groups is now focused on membership services and Teams has taken center stage for Microsoft 365 collaboration. Teams uses Groups for its membership management and provisions a SharePoint Online team site too. Private Teams channels get their own SharePoint team site to ensure that file access is restricted to the members of the private channel.

Teams and the Files Channel Tab

The difference between Groups and Teams is that Teams is designed to make heavier use of SharePoint. Out of the box, Teams includes the Files channel tab in every channel to support file sharing between users. Each channel in a team has its own folder in the document library of the SharePoint site, and another folder is dedicated to storing email posted to channels. The Files channel tab was originally much simpler than the standard SharePoint browser interface, but the gap is much closer now and Microsoft has sorted out issues like respecting custom views.

The Microsoft Lists application is integrated into Teams and we’re at the beginning of the transition to storing Teams meeting recordings in SharePoint Online and OneDrive for Business. Driven by the OneDrive team, sharing has become consistent and predictable across Microsoft 365. Users have bought into the idea of sharing links and cloud attachments, driving SharePoint usage even more, including in Teams channels and personal chats.

Correlating Teams Growth and SharePoint Growth

Teams is on a roll. Its 115 million daily active users represent roughly half the active Office 365 accounts. Driven by the demand for better functionality to support online working due to the Covid-19 pandemic, as Teams added people attracted by its strong online meeting features, SharePoint usage increased in step. Put simply, as Teams usage grows, SharePoint usage grows.

The theory is easily proved by examining user activity statistics. A strong correlation exists between people who are active in Teams and those active in SharePoint. Run the user activity script to extract and report usage data from the Microsoft Graph and you’ll see few examples of people active in Teams who aren’t active in SharePoint or OneDrive for Business.

Microsoft’s own data tells the same tale. At the Ignite 2019 conference, Microsoft said that SharePoint Online had 100 million active users. The growth in about 13 months is 100 million users. In November 2019, Microsoft said that Teams had 20 million daily active users. The latest figure is 115 million, a growth of 95 million over the same 13 months. A certain symmetry exists between the growth of the two workloads, even if we’re not quite comparing the same data (monthly active users versus daily active users).

More Growth to Come

85 million SharePoint Online users have yet to embrace Teams and more will move from the declining number still using SharePoint on-premises. The net is that Teams will help SharePoint Online power ahead while SharePoint will provide a rich source of user growth for Teams, if only because people often find Teams a more approachable UI than the standard SharePoint browser interface (which only its creators could love). Either way, the two workloads will progress together, which is good news for the folks working in Microsoft’s ODSP (OneDrive and SharePoint Platform) organization.


Keep abreast of news about Office 365 applications like Teams and SharePoint Online by subscribing to the Office 365 for IT Pros eBook. The monthly updates ensure you don’t miss important developments.

Microsoft Removes EEEU Permission from OneDrive for Business Accounts
https://office365itpros.com/2020/11/06/eeeu-onedrive-finished/
Fri, 06 Nov 2020 00:21:56 +0000

Update Rolling Out to Remove EEEU from pre-August 2019 Accounts

Everyone except external users (EEEU) is an internal SharePoint group automatically populated with all tenant users. The intent behind the group was to facilitate easy internal sharing. The need to share still exists, but a good case can be argued that better methods exist to achieve the need today, whether it’s something like an org-wide team or a Microsoft 365 dynamic group.

In August 2019, Microsoft implemented new default settings for OneDrive for Business accounts which meant that accounts created after this point do not include EEEU in OneDrive site permissions. For instance, my Office 365 account was created in 2011. OneDrive shows read access for EEEU in the list of permissions assigned to the account. You can check permissions through the site permissions section of site settings.

Figure 1: The EEEU permission listed in the permissions for a OneDrive for Business account

Note: The fact that EEEU permission is included in site permissions does not mean that everyone in the organization has access to the account owner’s OneDrive for Business document library. It’s there to enable access to items stored in OneDrive, not to grant general access to everything.

EEEU Removed from Older Accounts

What’s changing is that Microsoft is rolling out an update to these older accounts to align them with the settings used for accounts created since August 2019. As described in Office 365 notification MC225111, published on October 26, the update will remove EEEU from site permissions and perform a full permissions reset on any personal list stored in OneDrive. Microsoft says that “the result will be that any users that these personal lists were previously shared with will be unable to view the list until the list owner reinstates the sharing permissions.”

The change is due to start rolling out in early November and will continue through the end of 2020.

It’s hard to gauge how much effect this change will have. Microsoft has tweaked the sharing arrangements in OneDrive for Business before when they stopped creating a Shared with Everyone folder in all accounts in 2017. That didn’t cause too much fuss, but many fewer people were using OneDrive for Business at that time, and Lists have received new life with the launch of the Microsoft Lists app.

No Method Available to Analyze Tenant

Microsoft isn’t providing a method to allow tenant administrators to understand which accounts are affected and how many lists are involved. The exact number affected comes down to people with older accounts who exploit the permission to share personal lists with internal users, and that’s going to be different from tenant to tenant. Clearly, the change will have zero impact on accounts created since August 2019 because these users have had to set explicit permissions to share personal lists with internal users.

If your tenant uses a lot of lists stored in OneDrive (not SharePoint), you might want to create a list of accounts created before August 2019 and check with these users to understand if they have lists in active use that depend on the EEEU permission.
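
One way to build that list of accounts, as an added example that is not part of the original article. It assumes the Microsoft Graph PowerShell SDK and uses the creation date of the user account as a stand-in for the age of the OneDrive account; because the article gives only the month, the cutoff includes all of August 2019.

```powershell
# Added example, not the article's own code.
# Assumes the Microsoft Graph PowerShell SDK (Microsoft.Graph.Users) is installed.
Connect-MgGraph -Scopes "User.Read.All"

# Assumption: the article says only "August 2019", so every account created
# before 1 September 2019 (UTC) is treated as a potentially affected account.
$Cutoff = [datetime]::new(2019, 9, 1, 0, 0, 0, [System.DateTimeKind]::Utc)

# Member accounts only; guests do not own OneDrive for Business accounts
$Users = Get-MgUser -All -Filter "userType eq 'Member'" `
    -Property 'id', 'displayName', 'userPrincipalName', 'createdDateTime', 'assignedLicenses'

$Report = foreach ($User in $Users) {
    # Skip accounts with no recorded creation date or created after the cutoff
    if (-not $User.CreatedDateTime) { continue }
    if ($User.CreatedDateTime.ToUniversalTime() -ge $Cutoff) { continue }

    # Approximation: an account with no licenses at all is unlikely to have
    # an active OneDrive, so it is left out of the list of people to contact
    if ($User.AssignedLicenses.Count -eq 0) { continue }

    [PSCustomObject]@{
        DisplayName       = $User.DisplayName
        UserPrincipalName = $User.UserPrincipalName
        Created           = $User.CreatedDateTime.ToUniversalTime().ToString('yyyy-MM-dd')
    }
}

# Oldest accounts first; the CSV is the contact list for checking personal lists
$Report |
    Sort-Object Created |
    Export-Csv -Path .\AccountsCreatedBeforeSeptember2019.csv -NoTypeInformation -Encoding UTF8

Write-Host ("{0} accounts to check for personal lists shared through EEEU" -f @($Report).Count)
```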


For more interesting and useful information about SharePoint Online and OneDrive for Business, read Chapter 8 of the Office 365 for IT Pros eBook.

How to Add OneDrive Shortcuts for SharePoint Online Folders
https://office365itpros.com/2020/09/28/onedrive-shortcut-sharepoint/
Mon, 28 Sep 2020 07:37:03 +0000

Include Important SharePoint Online Folders in OneDrive

First announced in public preview in June as the “Add to OneDrive” or OneDrive shortcut feature, the Add shortcut to OneDrive option is now showing up in SharePoint Online sites in Microsoft 365 tenants worldwide (Figure 1). The documentation is here. This feature is covered in message center notification MC217339 and Microsoft 365 roadmap item 56384.

Update (December 2, 2020): After some delays, the OneDrive shortcut feature is now generally available everywhere.

Figure 1: The Add shortcut to OneDrive option in a SharePoint document library

Shortcuts to Important Folders

In a nutshell, when you use the option for a selected folder (rather than an individual file), it creates a shortcut link or pointer in your OneDrive for Business My files view. The idea is that you can use OneDrive for Business to assemble links for the SharePoint Online folders and other folders shared with you by other users to make them more easily accessible. In my case, my work tends to focus on a small number of folders spread across different sites for chapter and book files for the Office 365 for IT Pros eBook, blog posts like this, and billing for consulting engagements. Figure 2 shows my setup. Note the different folder icon used for the shortcuts. Selecting a shortcut opens the folder in the My Files view.

Figure 2: A set of OneDrive shortcuts appear at the top of OneDrive Files

Shortcuts Prove to Be a Really Useful Feature

Creating shortcuts to folders in SharePoint Online document libraries is a simple but incredibly effective idea. Given the number of Microsoft 365 Groups and Teams in use today, Microsoft 365 users might have access to hundreds of different sites, which creates the challenge of how to quickly access the files most important to you, or the “where’s my stuff syndrome.” Opening the SharePoint or Teams app to navigate to the files is one way to accomplish the goal as is using Microsoft Search to find individual files.

And then there’s Delve. Once the poster child for the Microsoft Graph and the preferred access point to documents created within Office 365 but lately ignored in the rush to Project Cortex (now available as Viva Topics and SharePoint Syntex) and its offshoots, Delve still offers an effective way to assemble sets of documents by adding them to one of its boards (Figure 3).

Figure 3: Delve lists documents added to a board

At this point, given that many have forgotten that Delve exists, adding shortcuts to OneDrive for Business is the most useful way of assembling pointers to the SharePoint Online folders you use most often. It’s just a pity and a little curious that Microsoft hasn’t told more people about shortcuts.

Disabling OneDrive Shortcuts

If you decide that you don’t like shortcuts, you can disable them by running the Set-SPOTenant cmdlet to set the DisableAddShortCutsToOneDrive switch to $True. Make sure that you update the SharePoint Online PowerShell module before attempting to run Set-SPOTenant to ensure that the switch is available.

Set-SPOTenant -DisableAddShortCutsToOneDrive $True
WARNING: Users in your organization will no longer be able to add new shortcuts to their OneDrive while the
feature is in Public Preview. However, existing shortcuts will remain functional.

The warning still applies even though OneDrive shortcuts are generally available. In December 2020, Microsoft said that administrators would be able to block OneDrive shortcuts “for the next few months” to “drive any required change management.” Microsoft plans to remove this option in the future (no timeframe has been announced).

If you disable OneDrive shortcuts, the Add shortcut to OneDrive command is removed from SharePoint Online document libraries. Existing shortcuts remain in place. Some people would like to keep the option to disable shortcuts. If you share this view, you can vote for this SharePoint User Voice request.


The world of Office 365 is full of detail. Stay acquainted with what’s happening by subscribing to the Office 365 for IT Pros eBook. Monthly updates ensure that we keep you in the loop about the important changes in Microsoft’s cloud office service.

Teams Adopts Sharing Links for Files Shared in Chats and Channel Conversations
https://office365itpros.com/2020/09/03/teams-upgrades-its-file-sharing-to-be-consistent-with-office-365/
Thu, 03 Sep 2020 12:11:16 +0000

Same Sharing Experience Used Across Microsoft 365

Microsoft originally announced that Teams would gain a new file sharing experience in Office 365 notification MC218732 on 16 July 2020 (Microsoft 365 roadmap item 51230). As is sometimes the case, the roll-out was delayed:

Update (September 3): Microsoft report that they have paused the roll-out of the feature to make some additional code changes. They will issue a further update when the roll-out resumes.

Update (February 18): Microsoft is ready to restart the roll-out in mid-March with the goal of completing it by mid-April.

Referring to the update as a new file sharing experience is a stretch. What’s really happening is that Teams is adopting the common file sharing dialog that’s already used in OneDrive for Business, SharePoint Online, and OWA. It’s part of an effort to achieve consistency in sharing behavior across Office 365 announced at the Microsoft Ignite 2019 conference.

In other words, Teams now generates a sharing link when users share files. The sharing link defines who can access the file and what level of access they have to the file (read-only or edit). Teams respects the SharePoint sharing policy for the organization, which dictates the range of sharing links that can be used in an Office 365 tenant. Settings for individual sites can downgrade sharing to a more restrictive level.

Sharing in a Channel

Sharing files in Teams differs between channel conversations and personal chats. When a team member uploads a file to a channel, all team members automatically have access to the file, which is stored in the folder for the channel in the team’s SharePoint document library. There’s usually no need to edit the permissions on a file shared within a channel. You can use a private channel if you want to restrict access to a specific subset of team members and upload the files to that channel.

Alternatively, you can apply a sensitivity label with encryption to confidential information to restrict access to people with the right to view the content. This is sometimes done to restrict access to specific information to the tenant members of a team where guest members are present. Remember that even though guests won’t be able to access the content of protected documents, they’ll be able to see document metadata such as titles.

Sharing in a Chat

When a chat participant uploads a file, the file is stored in the Microsoft Teams Chat Files folder in their OneDrive for Business account and view-only access is granted to the chat participants. People who join the chat later aren’t included in the sharing link and you need to add them to the list of people with permissions (Figure 1).

Figure 1: Sharing a file in a Teams chat

It’s easy to open the file in OneDrive for Business and amend its sharing permissions to add new chat participants (Figure 2).

Figure 2: Editing access for a shared file

However, if you know that multiple people will join a chat in the future and you want them to have access to the files shared in the chat, you can amend the sharing link before posting the file. In Figure 3 we see that the link chosen allows access to everyone in the tenant. This might be appropriate in some situations, but most commonly you’ll probably want to add specific people to the link, especially if some guest users or federated users in other tenants are included in the chat.

Figure 3: Editing the sharing link for a file in a Teams chat

Sorry – No Access

When Teams uploads a file to a chat, it evaluates if the participants will be able to access the file in OneDrive for Business. It’s unlikely that you will see this when sharing files in chats with other tenant users, but it can happen when chatting with people from other tenants. To solve the problem, edit the sharing link for the file to ensure that the person has access before completing the upload (or adjust sharing in OneDrive for Business afterwards).

Figure 4: Teams detects that a chat participant won’t be able to access a shared file

When sharing a file in a personal chat, you’ll be reminded that people who join the chat afterwards will need permission to access shared files. You will need to select each file and update the sharing link to add the new chat participant (this can also be done in OneDrive for Business).

Federated Sharing

I’ve also seen some reports that the attach file icon is not shown in some chats, usually those with federated users in other Office 365 tenants. If this happens, try opening the chat in a separate window as the icon seems to be available on a consistent basis there. Because Teams now uses the Office 365 sharing model, if you share a document in a chat with a federated user, Teams creates a new Azure AD guest account for that person, which is then used to access the document. A bug appears to stop the new guest account opening the document from Teams, but if they copy the link it will work in SharePoint Online. Chasing down bugs is common when new mechanisms are introduced, and I am sure that Microsoft will fix this problem soon.

Consistency Across Microsoft 365

Support for sharing links inside Teams means that Microsoft 365 now has a consistent approach to file sharing across its major apps. Like OWA, Teams adjusts the sharing model to meet its needs, but it’s still the same mechanism underneath.


Need to know more about how Office 365 sharing works? It’s all explained in chapter 8 of the Office 365 for IT Pros eBook.

How to Find and Reassign Orphaned OneDrive for Business Accounts https://office365itpros.com/2020/07/30/finding-orphaned-onedrive-for-business-accounts/?utm_source=rss&utm_medium=rss&utm_campaign=finding-orphaned-onedrive-for-business-accounts https://office365itpros.com/2020/07/30/finding-orphaned-onedrive-for-business-accounts/#respond Thu, 30 Jul 2020 09:49:56 +0000 https://office365itpros.com/?p=13298

Use PowerShell to Assign New Users to Orphaned OneDrive Accounts

Given the growing importance of OneDrive for Business and user acceptance of features like Known Folder Move, which redirects well-known Windows folders like Documents and Pictures to OneDrive for Business, lots of data ends up in user OneDrive accounts. And when those users leave the company, some action is usually needed to check the information in the account and recover anything which needs to be kept.

Making Sure OneDrive for Business Files are Kept

One way to do this is to assign another user access to the ex-employee’s OneDrive for Business account during the workflow to remove their Office 365 account (Figure 1). After they gain access, the user can move or copy information from the ex-employee’s files to their OneDrive for Business account or SharePoint Online sites.

Figure 1: Assigning access to a user’s OneDrive for Business account when their account is deleted

If you don’t delete the ex-employee’s account to regain the Office 365 license, you can create a link to access their OneDrive account by accessing the account in the Microsoft 365 admin center and going to the OneDrive tab in user properties (Figure 2). Again, once access is secured, you can review the files in the account and retrieve whatever needs to be kept.

Figure 2: Getting a link to a user’s OneDrive for Business account

Recovering OneDrive Accounts with PowerShell

Once an account is deleted, Office 365 keeps it for 30 days to allow mistaken deletions to be reversed. After this period elapses, the account is deleted, and workloads remove the information belonging to the account, such as the mailbox. Workloads have the liberty of processing deletions in their own ways, so it is possible to recover a OneDrive for Business account using PowerShell in the period between 30 and 93 days after deletion because this is how the two-phase recycle bin process works.
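The recovery described above, as an added example that is not part of the original article. It assumes an existing Connect-SPOService session; the function name, the owner fragment, and the reviewer UPN are hypothetical values chosen for illustration.

```powershell
# Added example (not from the original article). Assumes the SharePoint Online
# management module is loaded and Connect-SPOService has already been run.
function Restore-DeletedOneDrive {          # hypothetical helper name
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # Part of the ex-employee's name as it appears in the OneDrive URL, e.g. "kim_akers"
        [Parameter(Mandatory)] [string]$OwnerFragment,
        # Account that will review the restored files (placeholder value supplied by the caller)
        [Parameter(Mandatory)] [string]$ReviewerUpn
    )

    # Deleted OneDrive accounts that are still in the SharePoint Online recycle bin
    [array]$Deleted = Get-SPODeletedSite -IncludeOnlyPersonalSite -Limit All |
        Where-Object { $_.Url -like "*/personal/*$OwnerFragment*" }

    if (-not $Deleted) {
        Write-Warning "No deleted OneDrive account matches '$OwnerFragment'. It may be past the recycle bin period."
        return
    }

    foreach ($Site in $Deleted) {
        Write-Host ("{0} deleted {1:g}, {2} days remaining" -f $Site.Url, $Site.DeletionTime, $Site.DaysRemaining)
        if ($PSCmdlet.ShouldProcess($Site.Url, "Restore and add $ReviewerUpn as site collection administrator")) {
            # Bring the site back, then give the reviewer access so the content can be checked
            Restore-SPODeletedSite -Identity $Site.Url -ErrorAction Stop
            Set-SPOUser -Site $Site.Url -LoginName $ReviewerUpn -IsSiteCollectionAdmin $true -ErrorAction Stop | Out-Null
            [PSCustomObject]@{
                Site     = $Site.Url
                Deleted  = $Site.DeletionTime
                Reviewer = $ReviewerUpn
            }
        }
    }
}

# Dry run first: lists matching accounts and days remaining without restoring anything
Restore-DeletedOneDrive -OwnerFragment "kim_akers" -ReviewerUpn "compliance.admin@contoso.com" -WhatIf
```

Record who was granted access and remove the reviewer from the site once the review is complete, so that the restored account does not keep a standing administrator.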

The Influence of Retention Policies

If the ex-employee’s account comes within the scope of a retention policy, their OneDrive for Business account can be kept for even longer because the retention policy will kick in when OneDrive for Business tries to remove the account after 93 days. And as the years go by, it’s possible that a set of orphaned accounts might accumulate if retention policies keep accounts for a long time or do not delete the accounts after the retention period elapses.

Processing Orphan OneDrive for Business Accounts

To know if any orphan OneDrive for Business accounts exist, we can run some PowerShell to find OneDrive sites that aren’t connected to an account by comparing the registered site owner to a hash table of Azure Active Directory accounts. If a match doesn’t exist, we have an orphan site. We can then add a user to orphan sites, perhaps a compliance administrator, to allow the contents of the sites to be examined. A complete script can be downloaded from GitHub, but here’s the core code:

# Account to add as site collection administrator for orphan sites (placeholder: replace with a real UPN)
$NewSiteAdmin = "compliance.admin@yourtenant.onmicrosoft.com"
# Output report and counter of updated sites
$Report = [System.Collections.Generic.List[Object]]::new()
$i = 0
# Find OneDrive for Business accounts
$ODSites = Get-SPOSite -IncludePersonalSite $True -Limit All -Filter "url -like '-my.sharepoint.com/personal/'"
# Find Azure AD accounts and create hash table for lookup
$AADUsers = Get-AzureADUser -All $True -Filter "Usertype eq 'Member'" | Select-Object UserPrincipalName, DisplayName
$AADAccounts = @{}
$AADUsers.ForEach( {
   $AADAccounts.Add([String]$_.UserPrincipalName, $_.DisplayName) } )
# Process the sites
ForEach ($Site in $ODSites) {
   # A site is an orphan if its owner is not in the hash table of member accounts
   If (-not $AADAccounts.ContainsKey([String]$Site.Owner)) { # Allocate a new owner to the OneDrive site
      Write-Host "Adding user to" $Site.URL
      $Status = $Null
      Try {
         # -ErrorAction Stop makes sure that a failure reaches the Catch block
         $Status = Set-SPOUser -Site $Site.URL -LoginName $NewSiteAdmin -IsSiteCollectionAdmin $True -ErrorAction Stop }
      Catch {
         Write-Host "Couldn't add" $NewSiteAdmin "to" $Site.URL }
      If ($Status) { # Update output report file
         $i++
         $ReportLine = [PSCustomObject]@{  # Update with details of what we have done
           Site             = $Site.URL
           "Previous Owner" = $Site.Title
           OwnerUPN         = $Site.Owner
           "New Owner"      = $NewSiteAdmin
           LastModified     = Get-Date($Site.LastContentModifiedDate) -format g
           StorageUsage     = $Site.StorageUsageCurrent }
         $Report.Add($ReportLine) } # End If
   } # End If
} # End ForEach
If ($i -gt 0) {
   Write-Host $NewSiteAdmin "added to" $i "OneDrive for Business accounts - details in c:\temp\OrphanOneDrive.csv"
   $Report | Export-CSV -NoTypeInformation c:\temp\OrphanOneDrive.csv }
Else {
   Write-Host "No orphan OneDrive for Business accounts found" }

If any orphan OneDrive sites are found, the script generates a CSV file. The account added to the sites can be used to access the sites that seem to be of interest to check if any valuable information exists there. If nothing is found, or after anything interesting is retrieved, the site can then be removed.


The Office 365 for IT Pros eBook contains many valuable tips and insights into how to manage tenants more effectively. Best of all, it’s updated monthly to make sure that you keep pace with the cloud.

OneDrive Clients and Version History https://office365itpros.com/2020/07/09/onedrive-clients-version-history/ Thu, 09 Jul 2020 08:20:22 +0000

Restoring Files from OneDrive, Finder, and File Explorer

I’m used to being disappointed by technology. At least, I should be, for that’s been my experience over the last 40 years. Old dogs don’t easily learn new tricks. My latest disappointment came when I finally got around to checking out Office 365 notification MC205517 from March (updated in April) which announced that the OneDrive sync history would be available in more clients.

The notification explains: “You will now be able to view and restore previous versions of your files directly in your desktop via your File Browser or Mac Finder.” The explanation in Microsoft 365 Roadmap item 61527 is: “Users will see a new entry in the context menu in Finder, File Explorer, and OneDrive Activity Feed. Version history will allow users to download previous versions of a file as well restore or delete previous versions.”

Useful to Restore Versions

Being able to access the version history for a file and restore a previous version is very useful. If you open the OneDrive Sync client, the available file options are shown when you click the menu on the right hand side (Figure 1).

Figure 1: File options in the OneDrive sync client

The feature has been available in the OneDrive and SharePoint Online browser clients for several years and is also available in the Office desktop apps (Figure 2).

Figure 2: Access to file versions in Word

When autosave is used with Office files, new versions are captured automatically during edit sessions. The development of a reasonably complex document can generate hundreds of versions. OneDrive consumer stores up to 25 versions of a document while OneDrive for Business and SharePoint Online can store hundreds of versions.

I’ve had occasion to restore files in both SharePoint Online and OneDrive for Business to rescue the situation after some botched changes were made to documents. Although Microsoft posted the update for OneDrive (both Business and Consumer), my naïve assumption was that it would work for documents in SharePoint libraries synchronized to a PC by the OneDrive Sync client. Well, it didn’t – on one of my two PCs. And this is the root of my disappointment.

Different OneDrive Versions Different Outcomes

I recently bought a new Surface Book 3 and installed the Microsoft 365 Enterprise apps on the PC. The software installed includes the OneDrive Sync client, which reports version 20.084.0426.0007. Everything works very nicely on this PC. I can select a document with File Explorer or in the OneDrive Sync client, choose version history and I see a screen like Figure 3.

Figure 3: What OneDrive clients should show for file history

But when I switch to the older Surface Book 2, where version 20.114.0607.0001 of the OneDrive Sync client is installed, version history is only available for files stored in OneDrive for Business. Attempts to see the version history of any file stored in SharePoint Online generate a “couldn’t load versions” error (Figure 4), even for files that the client handles perfectly well on the other PC.

Figure 4: OneDrive can’t load version history

Of course, two different versions of the client are involved here. The PC which works runs 20.084.0426.0007, released to the production ring on June 11, 2020. The PC which doesn’t runs 20.114.0607.0001, released to the production ring on July 1, 2020 and now rolling out (see this page for information about OneDrive releases). Normally problems are solved by installing the most recent update, but apparently not in this case.

PC Failure Interrupts OneDrive Happiness

As far as I can tell, everything else is much the same on the two PCs. Both are up to date with patches. Surface Book 2 runs Windows 10 Pro while the Surface Book 3 runs Windows 10 Home. At least, it did until it experienced a failure and entered an Automatic Repair loop and wouldn’t restart. Resisting the temptation to rebuild a brand-new PC from scratch, I returned it to Microsoft, and I’m left with the Surface Book 2 where OneDrive doesn’t work as it should. Can you see why some disappointment has clouded my life?


Fortunately, working on the Office 365 for IT Pros eBook soon restores my good humor. Lots to do, lots to document, lots of change to analyze – some of which even works properly all the time.

How to Find SharePoint Files with a Sensitivity Label https://office365itpros.com/2020/06/30/sensitivity-label-sharepoint-search/ Tue, 30 Jun 2020 08:45:15 +0000

Managed Properties Allow Users to Search for a Sensitivity Label in SharePoint Online

Sensitivity labels are on a roll at present with new developments coming along at a fast rate. A small, but important, recent update is to the SharePoint Online schema to allow users to find files stored in SharePoint Online and OneDrive for Business that are assigned a specific sensitivity label.

Sensitivity labels are often used to protect documents containing confidential or sensitive information. InformationProtectionLabelId (Figure 1) is a managed property in the SharePoint schema that stores the GUID (identifier) for the sensitivity labels assigned to documents.

Figure 1: The InformationProtectionLabelId managed property in the SharePoint Online schema

Search SharePoint Online for Documents Assigned Specific Sensitivity Labels

The presence of the managed property in the search schema means that you can search for documents stored in SharePoint Online and OneDrive for Business using the label identifier (GUID) of the sensitivity label assigned to documents. Figure 2 shows the result of a search using InformationProtectionLabelId:2fe7f66d-096a-469e-835f-595532b63560. Microsoft Search trims the search results to make sure that the user only sees documents they can access.

Figure 2: Using the InformationProtectionLabelId property to search SharePoint for sensitivity labels

Although it’s absolutely the case that not everyone will know the GUID for a label (in this case, it’s the Public sensitivity label), I believe Microsoft is working on the ability to search by label name. For now, this facility is probably only useful to the curious who want to see what documents a label is applied to, or compliance administrators in Microsoft 365 tenants that don’t have the necessary licenses to use the data classification content explorer in the Microsoft Purview compliance center.

Search SharePoint Online for Container Labels

Sensitivity labels can be applied to “containers”: Microsoft 365 Groups, Teams, and SharePoint Online sites. In this case, the labels don’t protect the data stored in the containers but are used for classification (visual marking) and to control the access type and guest access for the container. For example, applying the “Confidential” label to a container might change its access type to Private and restrict guest access.

You can also search SharePoint Online for labels assigned to sites. The trick here is to create a new managed property in the schema (I called it SiteSensitivityLabelId) that’s mapped to the crawled property ows_IpLabelId (Figure 3). The new property needs to be searchable, queryable, and retrievable.

Figure 3: Adding a new managed property to find labeled sites

After updating the schema, the search index will pick up the new property the next time the sites are processed by the crawler. To make sure this happens quickly, you can force SharePoint to reindex the site (under Search and Offline Availability in Site Settings). When reindexing completes, the site will turn up in search results (Figure 4).

Figure 4: Searching for SharePoint Online sites managed with a sensitivity label

Again, this isn’t something that the average SharePoint Online user will probably do, but you never know when the feature might be useful to administrators who don’t want to use PowerShell to search for sites assigned a specific label.
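Both searches described above (documents by InformationProtectionLabelId and sites by the SiteSensitivityLabelId managed property), as an added example that is not part of the original article. It resolves a label display name to its identifier first, because most people will not know the GUID. The use of Get-Label and the PnP.PowerShell Submit-PnPSearchQuery cmdlet, and the function name, are assumptions of this example.

```powershell
# Added example (not from the original article). Assumes:
#  - Connect-IPPSSession has been run (Get-Label comes from the compliance endpoint)
#  - Connect-PnPOnline has been run against a site in the tenant (PnP.PowerShell module)
#  - for -Scope Sites, the SiteSensitivityLabelId managed property exists as described above
function Find-LabeledContent {              # hypothetical helper name
    param(
        [Parameter(Mandatory)] [string]$LabelName,
        [ValidateSet("Documents", "Sites")] [string]$Scope = "Documents"
    )

    # Resolve the display name to the label identifier (GUID)
    [array]$Label = Get-Label | Where-Object { $_.DisplayName -eq $LabelName }
    if ($Label.Count -ne 1) {
        throw "Expected exactly one label named '$LabelName', found $($Label.Count)."
    }
    $LabelId = $Label[0].ImmutableId

    # Documents use the built-in managed property; sites use the custom one
    $Property = if ($Scope -eq "Sites") { "SiteSensitivityLabelId" } else { "InformationProtectionLabelId" }
    $Query = "{0}:{1}" -f $Property, $LabelId

    # Results are security trimmed, so only items the signed-in account can access are returned
    $Results = Submit-PnPSearchQuery -Query $Query -All -TrimDuplicates $false `
        -SelectProperties "Title", "Path", "Author", "LastModifiedTime"

    foreach ($Row in $Results.ResultRows) {
        [PSCustomObject]@{
            Label        = $LabelName
            Scope        = $Scope
            Title        = $Row["Title"]
            Path         = $Row["Path"]
            Author       = $Row["Author"]
            LastModified = $Row["LastModifiedTime"]
        }
    }
}

# Documents carrying the Public label, then sites assigned the Confidential label
Find-LabeledContent -LabelName "Public" | Format-Table Title, Path -AutoSize
Find-LabeledContent -LabelName "Confidential" -Scope Sites | Format-Table Title, Path -AutoSize
```

Because of security trimming, run the search with an account that has access to the locations you want to audit; an empty result does not prove that no labeled content exists.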


The detail makes all the difference in many spheres of operations, and understanding detail like this is what the Office 365 for IT Pros eBook is all about. Subscribe today!

OneDrive for Business and its Unlimited Storage https://office365itpros.com/2020/05/22/unlimited-onedrive-storage/ Fri, 22 May 2020 08:49:50 +0000

OneDrive Storage for All

The OneDrive for Business service description (13 May 2020) lays out how much OneDrive storage Microsoft makes available to users based on their license type. In a nutshell:

  • Frontline users (Office 365 F3): 2 GB
  • Small to medium plans (like Microsoft 365 Business Premium): 1 TB
  • SharePoint Online Plan 1 and OneDrive for Business Plan 1: 1 TB
  • Enterprise E1: 1 TB
  • Other enterprise plans and SharePoint Online Plan 2: “Beyond 1 TB, to unlimited”

Promising unlimited OneDrive storage is interesting because it implies that Microsoft will allow a properly licensed user to consume as much OneDrive for Business storage as they want, with the caveats that OneDrive “is designed to serve the needs of individual users” and “storage of data other than an individual user’s work files, including system back-ups and departmental and organizational level data, is not supported, nor is the assignment of a per user license to a bot, department, or other non-human entity.”

Update (March 2022): the latest OneDrive for Business service description moves the storage discussion to a document called Modern Work Plan Comparison which confirms unlimited OneDrive storage in the SharePoint Plan 2 service plan (part of Office 365 E3 and E5).

Figure 1: Unlimited OneDrive storage for Office 365 E3 and E5 SKUs

Setting a Default Storage Quota for OneDrive

Documents, files, and photos can certainly occupy a lot of storage, but “unlimited” really doesn’t mean what normal human beings might think. It’s more like an all-you-can-eat buffet where the physical capacity of the human stomach will eventually impose a practical limit. OneDrive’s unlimited quota is practically limited by being doled out in chunks as users need storage.

When someone’s Office 365 account is provisioned and the account has a OneDrive license, the account is assigned the default storage quota set by the tenant. The quota can be set in the Settings section of the SharePoint Online admin center (Figure 2) or PowerShell.

Figure 2: Setting a tenant default for OneDrive for Business storage quota

The minimum default storage quota is 1024 GB (1 TB). As Figure 2 shows, you can increase it to 5120 GB (5 TB). You can go higher, but rather bizarrely, the OneDrive admin center doesn’t confirm that a new value is set, nor does it signal an error if you insert a higher value (like 10240 GB). Instead, perhaps because it doesn’t want to offend, OneDrive simply ignores the attempt to set a new storage quota and reverts to the highest possible value for the default (5 TB).

One thing to be careful about is that the OneDrive admin center uses gigabytes to set storage quotas while the Set-SPOTenant cmdlet uses megabytes. To set a 5 TB default storage limit in PowerShell, we run:

# Update SharePoint default storage quota
Set-SPOTenant -OneDriveStorageQuota 5242880

Don’t bother trying to go past 5 TB. OneDrive will blithely ignore your request and the limit will stay at 5 TB.

Assigning New Quotas to Existing Accounts

The default storage quota is assigned to new accounts. If the account doesn’t have a license which supports the assigned quota, OneDrive will automatically downgrade the available quota to the maximum allowed by the license. With that in mind, we can assign the new 5 TB storage quota to accounts like this:

# Assign storage quota to OneDrive sites (StorageQuota is expressed in megabytes; 5242880 MB = 5 TB)
[array]$ODSites = Get-SPOSite -IncludePersonalSite $true -Limit all -Filter "Url -like '-my.sharepoint.com/personal/'" | Select-Object URL, Title, StorageQuota, StorageUsageCurrent
ForEach ($Site in $ODSites) {
   If ($Site.StorageQuota -ne 5242880) {
      Write-Host "Setting quota for OneDrive account:" $Site.Title
      Set-SPOSite -Identity $Site.URL -StorageQuota 5242880 }
}

To report on the current OneDrive storage use and quota, you could use a modified version of our Report SharePoint Site Storage script after connecting to the SharePoint administration module:

# Get all OneDrive sites
Write-Host "Fetching OneDrive site information..."
[array]$Sites = Get-SPOSite -IncludePersonalSite $true -Limit all -Filter "Url -like '-my.sharepoint.com/personal/'" | Sort-Object StorageUsageCurrent -Descending
# StorageUsageCurrent and StorageQuota are in megabytes, so divide by 1024 to get gigabytes
$TotalOneDriveStorageUsed = [Math]::Round(($Sites.StorageUsageCurrent | Measure-Object -Sum).Sum /1024,2)
$Report = [System.Collections.Generic.List[Object]]::new()
ForEach ($Site in $Sites) {
  $UsedGB = [Math]::Round($Site.StorageUsageCurrent/1024,2)
  # Guard against a zero quota to avoid a divide-by-zero error
  $PercentUsed = If ($Site.StorageQuota -gt 0) {
       ([Math]::Round(($Site.StorageUsageCurrent/$Site.StorageQuota),4).ToString("P")) }
     Else { "N/A" }
  # And write out the information about the site
  $ReportLine = [PSCustomObject]@{
     URL           = $Site.URL
     Owner         = $Site.Title
     QuotaGB       = [Math]::Round($Site.StorageQuota/1KB,0)
     UsedGB        = $UsedGB
     PercentUsed   = $PercentUsed }
  $Report.Add($ReportLine) }

# Now generate the report
Write-Host "Total OneDrive storage used (GB):" $TotalOneDriveStorageUsed
$Report | Export-CSV -NoTypeInformation c:\temp\OneDriveConsumption.CSV

Moving Past Towards Unlimited

Five terabytes are nice, but it’s not unlimited. Possibly because of the bad experience of when OneDrive consumer supported unlimited storage (think of large movie libraries being uploaded), Microsoft forces tenants to go through support to have their storage boosted. You’ll have to:

  • Have at least one account in the tenant get within 10% of the 5 TB limit (being at 90% of quota is explicitly mentioned in the OneDrive service description).
  • Create a support request for OneDrive for Business through the Microsoft 365 admin center.
  • Tell the support agent that you want the quota increased from 5 TB to 25 TB.
  • Expect some backwards and forwards while Microsoft support digests the request. Point to the “unlimited” statement in the OneDrive service description and be politely insistent if necessary.

Eventually Microsoft will enable a storage quota increase behind the scenes. The increase enables a new 25 TB limit for all accounts, and you will be able to set the new limit by running Set-SPOSite to set a quota of 26214400 (25 TB).

If someone reaches 90% of 25 TB, a further support request will result in single-user SharePoint Online team sites with 25 TB quota.


Tracking down nuggets of information about how Office 365 works in practice is hard. Stay updated with the Office 365 for IT Pros eBook and let us do the work for you.

Use the Office 365 Audit Log to Find Who Updated a Document https://office365itpros.com/2020/05/08/update-a-sharepoint-document/ Fri, 08 May 2020 09:30:14 +0000

Interrogating SharePoint and OneDrive Document Version History

A recent question asked how to use the SharePoint Online PnP PowerShell module to extract the version history of a document. The PnP (Patterns and Practices) module contains cmdlets to handle complex SharePoint provisioning and management scenarios. If you get to know PnP, you’ll probably like it because it can handle actions from updating a SharePoint document to creating a new folder. However, the nature of PnP is that its interaction with objects is more complicated than other PowerShell modules.

The usual reason why people want to look at the version history for a document is to know who made a change to its content. Given how autosave captures document updates, the number of versions available for a document stored in SharePoint Online or OneDrive for Business can be large (Figure 1).

Figure 1: Version history for a SharePoint Online document

Office 365 Audit Log is an Alternative

If you’re not used to PnP, you might find it easier to extract information about updates to a SharePoint document from the Office 365 audit log. Every time a document is uploaded or updated in a SharePoint Online or OneDrive for Business document library, SharePoint creates an audit event that is later ingested into the Office 365 audit log (the event should be available about 15 minutes after the update). If we know the name of a document, it’s easy to search the audit log with the Search-UnifiedAuditLog cmdlet and find its audit records.

Searching for Document Change Audit Events

The PowerShell script below uses the $FileName variable to hold the name of the document to search for. If events occurred for this document over the last 90 days, the search should find events to record the initial upload of the document to the library (FileUploaded) and subsequent updates (FileModified) and views (FileAccessed). If the AutoSave feature is enabled for the document, multiple update records can accumulate over a short period. As is normal with audit records, a lot of interesting information is found in the AuditData property.

# Name of the document to search for
$FileName = (Read-Host "Enter file name to search")
# Search the last 90 days of audit records for uploads, updates, and views of the file
[array]$Records = Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-90) -EndDate (Get-Date).AddDays(+1) -Operations FileModified, FileAccessed, FileUploaded -ObjectIds $FileName -ResultSize 1000
If ($Records.Count -eq 0) {
   Write-Host "No audit records found for file names beginning with" $FileName }
Else {
   Write-Host "Processing" $Records.Count "audit records..."
   $Report = [System.Collections.Generic.List[Object]]::new()
   ForEach ($Rec in $Records) {
      # Most of the interesting detail is in the JSON-formatted AuditData property
      $AuditData = ConvertFrom-Json $Rec.AuditData
      $ReportLine = [PSCustomObject]@{
           TimeStamp   = $Rec.CreationDate
           User        = $AuditData.UserId
           Action      = $AuditData.Operation
           SiteUrl     = $AuditData.SiteUrl
           Site        = $AuditData.SourceRelativeUrl
           File        = $AuditData.SourceFileName
           IpAddress   = $AuditData.ClientIP
           App         = $AuditData.UserAgent  }
      $Report.Add($ReportLine) }}

Listing the Results

After analyzing the audit records, we can list the set of actions found for the document:

$Report | Select Timestamp, User, Action

TimeStamp            User                               Action
---------            ----                               ------
22 Apr 2020 14:40:41 Jane.Maloney@office365itpros.com   FileModified
21 Apr 2020 15:19:03 Jane.Maloney@office365itpros.com   FileModified
21 Apr 2020 15:02:34 Kim.Akers@office365itpros.com      FileModified
21 Apr 2020 15:01:39 Jane.Maloney@office365itpros.com   FileUploaded

To distribute the report, you could simply print it or create a CSV file. Other distribution methods include:

  • Format the content in HTML and send it via email (see this article for details).
  • Create the report in a SharePoint document library (the basics of how to do this are explained here; the scenario is a script running in an Azure Automation runbook but the technique of using PnP cmdlets is the same in “regular” PowerShell).
  • Post the report to a Teams channel or post a link to it in a message card created in a Teams channel using the inbound webhook connector. See this article for more information.

Is Ninety Days Enough?

If your accounts have Office 365 E5 or Microsoft 365 E5 compliance licenses, audit records are available for 365 days. However, 90 days is usually enough to find out who made a change to an important document. Unless the change was overlooked and has only just been noticed!


Practical information about using PowerShell to solve common Office 365 administrative problems is a hallmark of the Office 365 for IT Pros eBook. Subscribe today and learn from our experience!

OneDrive Known Folders and PowerShell Module Installations https://office365itpros.com/2020/05/04/powershell-in-onedrive/ Mon, 04 May 2020 16:26:34 +0000

PowerShell in OneDrive Isn’t a Great Idea

The OneDrive Known Folder Move feature has been around for a couple of years. Basically, this allows you to redirect common (well-known) folders from your PC to OneDrive so that anything created in Documents, Pictures, and the desktop is automatically saved in your OneDrive for Business account. Generally, everything works well, and I have been very happy.

That is, until the time came to update the Azure Active Directory preview module from 2.0.2.77 to 2.0.2.89.

Problems Updating PowerShell Module

I followed my normal routine of upgrading the module from the PowerShell Gallery, but things didn’t work. And no combination of removing and reinstalling modules worked either, despite setting a required version for the Install-Module cmdlet. Each time I started PowerShell and connected to Azure Active Directory, version 2.0.2.78 was used.

Eventually I discovered that the 2.0.2.77 files were installed in OneDrive by examining the module properties:

>Get-Module -Name AzureADPreview | Format-List

Name              : AzureADPreview
Path              : C:\Redmond\OneDrive – Office365ITPros\Documents\WindowsPowerShell\Modules\AzureADPreview\2.0.2.77\ Microsoft.Open.AzureAD16.Graph.PowerShell.dll

My speculation is that PowerShell installed the 2.0.2.77 files in OneDrive the last time I updated the module.

Clean up OneDrive and Reinstall

To clean up the mess, I uninstalled the module and then deleted all the files from OneDrive. A retention label stopped OneDrive deleting the files, so it was a matter of removing the retention label and then deleting the files and folders.

I then reinstalled the module, making sure to select the correct version and to install the module for everyone who uses the PC.

Install-Module AzureADPreview -RequiredVersion "2.0.2.89" -Scope AllUsers

After the installation, the module files are in:

Get-Module -Name AzureADPreview | fl                                                       

Name              : AzureADPreview
Path              : C:\Program Files\WindowsPowerShell\Modules\AzureADPreview\2.0.2.89\ Microsoft.Open.AzureAD16.Graph.PowerShell.dll

The next time I started a PowerShell session and ran the Connect-AzureAD cmdlet, I got the right version.

All of which goes to prove that you should pay attention to how you install PowerShell modules, just in case the files end up in OneDrive. PowerShell works when modules are installed to OneDrive, but upgrades become a little more interesting.
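One way to check a PC for the situation described above, as an added example that is not part of the original article. It lists every installed module version whose files sit inside a folder synchronized by OneDrive and shows which versions of the same module exist elsewhere; the function names are hypothetical.

```powershell
# Added example (not from the original article). Runs locally on Windows;
# no connection to any service is needed.
function Test-UnderRoot {                   # hypothetical helper name
    param([string]$Path, [string[]]$Roots)
    foreach ($Root in $Roots) {
        # Compare on a folder boundary so "C:\OneDriveOld" does not match "C:\OneDrive"
        $Prefix = $Root.TrimEnd('\') + '\'
        if ($Path.StartsWith($Prefix, [System.StringComparison]::OrdinalIgnoreCase)) { return $true }
    }
    return $false
}

function Get-OneDriveModuleInstall {        # hypothetical helper name
    # Folders synchronized by OneDrive for this user (environment variables set by the sync client)
    [array]$Roots = @($env:OneDrive, $env:OneDriveCommercial, $env:OneDriveConsumer) |
        Where-Object { $_ } | Sort-Object -Unique
    if (-not $Roots) {
        Write-Warning "No OneDrive folder found for this user."
        return
    }

    # Every module version PowerShell can see on its module path
    $All = Get-Module -ListAvailable | Select-Object Name, Version, ModuleBase

    foreach ($Group in ($All | Group-Object Name)) {
        [array]$InOneDrive = $Group.Group | Where-Object { Test-UnderRoot -Path $_.ModuleBase -Roots $Roots }
        if (-not $InOneDrive) { continue }
        [array]$Elsewhere = $Group.Group | Where-Object { -not (Test-UnderRoot -Path $_.ModuleBase -Roots $Roots) }

        foreach ($Copy in $InOneDrive) {
            [PSCustomObject]@{
                Module          = $Copy.Name
                OneDriveVersion = $Copy.Version
                OneDrivePath    = $Copy.ModuleBase
                # Versions of the same module installed outside OneDrive (empty if none)
                OtherVersions   = ($Elsewhere.Version | Sort-Object -Descending) -join ", "
            }
        }
    }
}

Get-OneDriveModuleInstall | Sort-Object Module | Format-Table -AutoSize -Wrap
```

Any module the report lists is code that PowerShell loads from a user-writable, cloud-synchronized folder, which is worth knowing on administrative workstations as well as for the upgrade problem described here.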

OneDrive Completes Roll-Out of Differential Sync https://office365itpros.com/2020/04/28/onedrive-differential-sync/ Tue, 28 Apr 2020 00:01:07 +0000

Differential Sync Great for Large Files

Last September, the OneDrive developers announced that they were rolling out differential sync for all file types. Differential sync means that instead of having to upload complete files, even if just one word changes, OneDrive can synchronize just the changed bits. As files become larger, the advantage of differential synchronization becomes more important.

This facility had been available for Office files for some time, but not everything stored in OneDrive (consumer and business) is an Office file. The update means that all the other file types that people want to store in OneDrive and SharePoint Online now support differential sync, including PDFs, graphic files, audio recordings, and even PSTs. Obviously, some of these files are very large, so being able to synchronize just the changed bits reduces a lot of network traffic and makes the synchronization process much faster.

Slow Deployment Now Complete

Good intentions don’t always turn into immediate deployments and the roll-out has been slower than anticipated by Microsoft. However, on April 24, Microsoft announced on OneDrive User Voice that roll-out was complete for both commercial and consumer versions of OneDrive.

I am on the OneDrive Insider Ring, so the current version of the OneDrive sync client running on my PC is 20.064.0329.005 (Figure 1 – see this blog for information about OneDrive versions).

Figure 1: OneDrive sync client version information

Version History

Speaking of versions, a feature that isn’t working so well yet is the OneDrive sync client’s ability to access the version history for documents. Apparently, the development group is working to resolve the reported issues and we might have a solution in mid-May.

Version history depends on the versions kept for documents in SharePoint Online and OneDrive for Business and the client should have the same functionality as available in the browser clients. For instance, you’ll be able to restore a document back to a previous version.


For more information about OneDrive for Business and other Office 365 applications, subscribe to the Office 365 for IT Pros eBook and stay updated about new developments.

Auto-Label Policies in SharePoint Online and OneDrive for Business (Preview) https://office365itpros.com/2020/01/27/microsoft-previews-auto-label-policies-sensitivity-labels/?utm_source=rss&utm_medium=rss&utm_campaign=microsoft-previews-auto-label-policies-sensitivity-labels https://office365itpros.com/2020/01/27/microsoft-previews-auto-label-policies-sensitivity-labels/#comments Mon, 27 Jan 2020 09:13:56 +0000 https://office365itpros.com/?p=6909

Apply Microsoft 365 Sensitivity Labels at Scale to at-rest Data

Office 365 sensitivity labels are used to mark messages and Office documents with visual indicators of the importance or sensitivity of an item. Optionally, a sensitivity label can also invoke rights-management based encryption to protect labeled items.

Manual application of sensitivity labels is a good way to protect new messages and documents but does nothing to deal with the mass of documents and messages that already exist inside Office 365. To address the issue, Microsoft is running a preview program for auto-labeling Word, Excel, and PowerPoint files stored in SharePoint Online sites and OneDrive for Business accounts (Exchange Online will come later). The solution is intended to allow Office 365 tenants to protect existing content at scale without needing anyone to review large quantities of documents.

Figure 1: Watching the Teams Live Event

Microsoft’s Information Protection team recently hosted a Teams Live Event (Figure 1) to discuss what they’re working on in the preview and hope to make generally available later this year. The event recording (in Stream) is available to all (via anonymous join) and is a good example of how Teams can host product briefings if you’ve never used this technology. Further information is in the Yammer Information Protection community (also open).

Auto-Label Policies for Sensitivity Labels

Auto-label policies are configured with rules that look for at-rest (closed) documents containing Office 365 sensitive data types (such as bank account details). For example, a policy might include rules to detect documents with two or more instances of passport or personal identity card numbers and protect matching documents with a sensitivity label called Personal Information. Apart from the hundred-plus standard sensitive data types defined by Microsoft, auto-label policies also support custom sensitive data types defined by the tenant, meaning that you could scan for documents relating to a sensitive project and auto-label those files.

The source documents are examined by a background process capable of applying sensitivity labels to up to 25,000 documents per tenant daily (so it might take some time to process all content in the target sites). The process scans files to find instances of sensitive data types that match the rules set in auto-label policies. When a match is detected, the process applies the sensitivity label unless a user has already applied a sensitivity label (explicit assignment always beats auto-assignment). Labels applied automatically remain with documents if they are moved out of a site or account processed by an auto-label policy.

Preview Limits

The preview allows tenants to have up to ten auto-label policies (these limits might be upgraded when auto-label policies reach general availability). During the preview, each policy can cover up to ten sites or accounts. When generally available, the load imposed on the service needed to process files means that it’s likely that a limit for scanned sites will still exist. This will force tenants to select sites where sensitive data needing protection is most likely to be found. Office 365 E5 or Microsoft 365 E5 licenses are needed for all accounts that contribute files to the sites scanned by auto-label policies.

Test Mode

Auto-labels have a test mode, meaning that you can discover what files in a target location match the rules set in a policy. The idea is to allow administrators to tune policy rules by seeing what effect changes to rule conditions have. Another interesting feature is the content explorer, which displays lists of files containing sensitive data types in the scanned sites. Again, the idea is that admins can use this information to fine-tune auto-label policy settings.

If the preview progresses as expected, auto-label policies should be generally available in the Microsoft 365 compliance portal in the March-April 2020 timeframe. If you want to join the preview, you can register your tenant details here.


We have a complete chapter about protecting Office 365 content in the Office 365 for IT Pros eBook. We’ve been tracking the progress of sensitivity labels since their first introduction, so our coverage is pretty good.

Going to Vegas for The SharePoint Conference 2020 https://office365itpros.com/2020/01/15/sharepoint-conference-2020/?utm_source=rss&utm_medium=rss&utm_campaign=sharepoint-conference-2020 https://office365itpros.com/2020/01/15/sharepoint-conference-2020/#respond Wed, 15 Jan 2020 09:17:11 +0000 https://office365itpros.com/?p=6634

Mastering the Breadth of Office 365

As some of you might know, my background lies in email. I’ve been working with email systems since 1982 and with Exchange since 1995. It’s been quite a ride. But time moves on and being a specialist in one area is not a great career strategy, even in an area that’s quite broad, like email. Technology moves so quickly today that it’s important to acquire a spectrum of knowledge.

Working with Office 365, I think it’s wise to have a solid grounding in the two basic workloads (Exchange and SharePoint) with a major in one. At the same time, you need to have knowledge of at least two of the other Office 365 apps, like Teams, Yammer, and Planner together with some capability in automation (PowerShell or Power Platform). To complete the package, you should have knowledge of Azure Active Directory with added credits for associated technologies like conditional access policies, information protection, and so on.

In short, despite Microsoft taking care of many mundane operations previously handled by on-premises administrators, there’s lots of work to do in the cloud.

Acquiring Knowledge

Acquiring knowledge is hard. You can read all of Microsoft’s documentation (which has become much better over the last few years) plus roadmap updates and blogs. You then add the independent commentary and opinion from non-Microsoft sources like MVP blogs and vendor sites, and suddenly there’s a ton of detail to master on an ongoing basis. It’s possible to read all this content, but do you really master it?

Some have questioned the value of technology conferences in the world of the cloud. Critics say that sessions delivered by vendors are marketing pitches about features that might or might not be delivered. They point to the same old faces appearing at every technology conference with the same decks, and probably the same bad jokes.

There’s some truth in these assertions. Even major events like the Microsoft Ignite conference have their fair share of bad sessions delivered by people who don’t understand their material or can’t connect with their audience. Even so, that’s no reason to discount conferences. The value I find in conferences is twofold. First, I like listening to sessions about topics that I really know nothing about. These sessions force me to think about what I do know and how to relate the new information, which might lead to further investigation. Second, there’s no better way to meet people who write and contribute to the community than at a conference.

SharePoint History

I have a long history with SharePoint going back to the original SharePoint Portal Server 2001. I discussed the (woeful) SharePoint administration tools with Bill Gates in 2007. And I write more about SharePoint Online now than at any time in the past. All of which brings me to a decision to attend and present at the SharePoint Conference in Las Vegas in May 2020.

Off to Vegas

I’ve attended the European SharePoint conference for the last few years, most recently in Prague last December. These events are high-quality and well-run. The SharePoint development group supports the conference and it’s an event that I recommend. With that in mind, why incur the jet lag penalty by traveling from Ireland to Las Vegas for three days?

Come to the SharePoint 2020 Conference with https://sharepointna.com/#!/register?utm_term=REDMOND

It’s obviously not gambling because I don’t. Over twenty or more visits to Vegas, I think I might have lost the grand sum of 25 cents on a slot machine. It’s not the shows, even if Vegas has some incredible shows to see. And it’s not the restaurants either, even in the delightful surroundings of the MGM Grand. Instead, it’s the people and the technology that attract me to Vegas.

I also want to encourage attendees to expand their vision and think about Office 365 from a different perspective. SharePoint is important to Office 365, but it’s important as the provider of document management services to Office 365 instead of being the center of an ecosystem, which is the case for SharePoint server on-premises.

Vegas SharePoint Sessions

In any case, if you’d like to join me in Vegas in May, consider using this code to get a $50 reduction on the conference fee. I’ll be talking about Teams, doing an updated and revamped version of my Things you never knew about Teams that might be useful someday talk plus a new session about the ins and outs of Office 365 sensitivity labels and their use to protect Exchange Online, SharePoint Online, and OneDrive for Business content, control settings for Office 365 Groups, Teams, and SharePoint Online sites, including using PowerShell to work with labels. I haven’t built the deck yet, but I know it’s going to be an interesting talk.

Hopefully, I will come back from Vegas with a few new ideas and insights. At least, that’s the plan. And if you’re at the SharePoint Conference 2020, come by and share your views.


The Office 365 for IT Pros eBook covers the important stuff about SharePoint Online in-depth. If you can’t get to the SharePoint Conference in Las Vegas, perhaps you should subscribe to the book.

How to Save SharePoint Online and OneDrive Files and Folders for Later https://office365itpros.com/2019/12/11/save-for-later-sharepoint-onedrive/?utm_source=rss&utm_medium=rss&utm_campaign=save-for-later-sharepoint-onedrive https://office365itpros.com/2019/12/11/save-for-later-sharepoint-onedrive/#comments Wed, 11 Dec 2019 10:16:17 +0000 https://office365itpros.com/?p=6070

New Feature Now Rolling Out to Office 365 Tenants

Microsoft’s OneDrive for Business November 2019 Roundup includes news of the Save for Later feature (Office 365 roadmap item 49095). Although I haven’t seen an Office 365 notification to announce its rollout, Save for Later has turned up in both SharePoint Online and OneDrive for Business in my (targeted release) tenant. The feature description is:

“Save for Later will allow you to bookmark files and folders from your OneDrive, files shared to you and those in Shared Libraries to a “Saved for Later” list that you’ll be able to easily access.”

Delve’s Recent Documents List

Humans love to build to-do lists and Save for Later is no more than that: a way to build a list of items stored in SharePoint Online and OneDrive for Business that you need to go back to, maybe to work on and complete, perhaps to remind yourself of something. Although the idea is simple, it’s very useful. Two simple facts underline why. First, more files are stored in cloud repositories. Second, those files are stored in an ever-growing number of sites. The mission of SharePoint Online is to be the document management service for Office 365, and the popularity of Teams and other group-enabled applications, all of which come with a SharePoint site, means that users have more sites to work with. Put another way, there are more cloud places to store files than ever before (SharePoint Online now supports two million sites per tenant). Some help to keep track of important files is appreciated.

Delve (introduced in 2015) is an earlier attempt to solve the problem. Delve has a recent document view (Figure 1) to remind users of what they’ve been working on, and it allows users to associate files with “boards” (collections). A board can hold documents drawn from multiple sites and is a useful way to track ongoing work.

Figure 1: Delve shows off recent documents

Delve seems to have fallen out of favor recently. It’s a first-generation Graph application that was never developed past the work done in the first couple of years, possibly because customers didn’t react to Delve in quite the positive way that Microsoft expected. The announcement of Project Cortex at the Microsoft Ignite 2019 conference removed the remaining oxygen for Delve. I would not be surprised if Microsoft deprecates Delve soon after Project Cortex becomes generally available sometime in the second half of 2020.

Saving Files for Later in SharePoint and OneDrive for Business

Marking files to save for later is easy. Simply select Save for later in the menu (Figure 2). The same option is available to mark either individual files or complete folders in both SharePoint Online and OneDrive for Business. Once chosen for an item, the saved indicator shows that it’s marked. You can also click the saved indicator beside a file or folder to change it from blank (not saved) to filled (saved).

Figure 2: Saving a SharePoint Online document for later

SharePoint Online and OneDrive for Business share a common list of saved for later files. You can see the list in two places. First, the list appears at the bottom of the SharePoint Online home page (Figure 3).

Figure 3: Saved for Later list in the SharePoint Online home page

Second, you can access the list through the option in the OneDrive for Business menu (Figure 4). This version of the list is more informative because it includes details of the location and how recently an item was accessed.

Figure 4: The Saved for Later list in OneDrive for Business

In either app, you can open an item by clicking on it. OneDrive for Business includes a menu of other options such as delete, rename, and share. You can also remove an item from the saved for later list. In SharePoint Online, click the indicator to turn it from filled to blank. In OneDrive for Business, select the Remove from saved option in the menu.


It would be nice if Office 365 didn’t change for a while. But this is the cloud and stuff keeps on evolving. That’s why the Office 365 for IT Pros eBook exists to track and analyze how Office 365 changes over time.

How to Configure the Per-Site Anyone Link Expiration Policy for SharePoint Online Sites https://office365itpros.com/2019/11/27/configure-per-site-anyone-link-expiration-policy-sharepoint-online-sites/?utm_source=rss&utm_medium=rss&utm_campaign=configure-per-site-anyone-link-expiration-policy-sharepoint-online-sites https://office365itpros.com/2019/11/27/configure-per-site-anyone-link-expiration-policy-sharepoint-online-sites/#comments Wed, 27 Nov 2019 05:52:26 +0000 https://office365itpros.com/?p=5787

Customized Anyone Sharing Links on a Site-by-Site Basis

Office 365 notification MC186627 (roadmap item 53748) covers the introduction of a Per-Site Anyone Link Expiration Policy for SharePoint Online sites. A clearer description might say that you can now configure different expiration dates for Anyone Sharing Links on a site-by-site basis, but only in PowerShell as there’s no GUI to assign a custom expiration period to a site. This functionality is available worldwide now.

Two things are at play here. First, the default period for sharing links. This setting applies to all sites in a tenant and is set in the Sharing section of the OneDrive for Business Admin portal (Figure 1).

Figure 1: Setting a default period for sharing links

Second, Anyone links. These sharing links are used to allow anyone (hence the name) who has the link to access files or folders in SharePoint Online or OneDrive for Business sites. Links like this are typically used to allow broad access to content that doesn’t need to be restricted, such as sharing publicity material with customers.

The Issue Being Addressed

The problem with a one-size-fits-all link expiration period is that it works perfectly well for some sites but not for others. Setting a 365-day expiration period is great for links used to access unrestricted content; it’s not so good if the link is used to give access to confidential material. Although these links are likely to be restricted to specific people, you still might want to have the links expire sooner than a year.

Set-SPOSite Has the Solution

To solve the problem, connect to SharePoint Online with PowerShell (using the latest available module). Find the URL for the site for which you want to set a custom Anyone link expiration period. You can run the Get-SPOSite cmdlet to return a list of sites or access the site and copy the URL from the browser address bar.

Now run the Set-SPOSite cmdlet to set the policy (Figure 2).

Figure 2: Running Set-SPOSite to set the Anyone link expiration period for a site

For example, this command sets a 10-day Anyone link expiration period for the https://Office365itpros.sharepoint.com/sites/Confidential site:

# Set Anyone link expiration period for the site
Set-SPOSite -Identity https://Office365itpros.sharepoint.com/sites/Confidential -AnonymousLinkExpirationInDays 10 -OverrideTenantAnonymousLinkExpirationPolicy $True 
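
Once some sites carry their own override, it is useful to see which expiration period actually applies to each site. The following is an added example (not code from the original post) that computes the effective Anyone link expiration from objects shaped like Get-SPOSite output. The function name, the 30-day review threshold, and every sample site other than the Confidential site are assumptions made for illustration; a value of 0 or less is treated as "never expires".

```powershell
# Added example: not part of the original post.
function Get-EffectiveAnyoneLinkExpiration {
    [CmdletBinding()]
    param(
        # Objects with Url, SharingCapability, AnonymousLinkExpirationInDays and
        # OverrideTenantAnonymousLinkExpirationPolicy properties (as on Get-SPOSite output)
        [Parameter(Mandatory, ValueFromPipeline)]
        [object[]]$Site,

        # Tenant-wide expiration for Anyone links (RequireAnonymousLinksExpireInDays on Get-SPOTenant)
        [Parameter(Mandatory)]
        [int]$TenantDefaultDays,

        # Hypothetical review threshold chosen for this example
        [int]$MaxAcceptableDays = 30
    )
    process {
        foreach ($S in $Site) {
            # Anyone links can only be created when the site allows this sharing level.
            # A more restrictive tenant-level sharing setting still wins over the site value.
            $AnyoneAllowed = ($S.SharingCapability -eq 'ExternalUserAndGuestSharing')

            # The site value only counts when the override flag is set
            if ($S.OverrideTenantAnonymousLinkExpirationPolicy) {
                $Days   = [int]$S.AnonymousLinkExpirationInDays
                $Source = 'Site override'
            } else {
                $Days   = $TenantDefaultDays
                $Source = 'Tenant default'
            }
            $NeverExpires = ($Days -le 0)

            [PSCustomObject]@{
                Url           = $S.Url
                AnyoneLinks   = $AnyoneAllowed
                PolicySource  = $Source
                ExpiresInDays = if ($NeverExpires) { 'Never' } else { $Days }
                NeedsReview   = $AnyoneAllowed -and ($NeverExpires -or $Days -gt $MaxAcceptableDays)
            }
        }
    }
}

# Constructed sample data so the example runs without a tenant connection
$SampleSites = @(
    [PSCustomObject]@{
        Url = 'https://Office365itpros.sharepoint.com/sites/Confidential'
        SharingCapability = 'ExternalUserAndGuestSharing'
        AnonymousLinkExpirationInDays = 10
        OverrideTenantAnonymousLinkExpirationPolicy = $true }
    [PSCustomObject]@{
        Url = 'https://tenant.example/sites/Marketing'        # constructed
        SharingCapability = 'ExternalUserAndGuestSharing'
        AnonymousLinkExpirationInDays = 0
        OverrideTenantAnonymousLinkExpirationPolicy = $false }
    [PSCustomObject]@{
        Url = 'https://tenant.example/sites/Finance'          # constructed
        SharingCapability = 'ExistingExternalUserSharingOnly'
        AnonymousLinkExpirationInDays = 0
        OverrideTenantAnonymousLinkExpirationPolicy = $false }
)

# 365 is the tenant-wide period used as the illustration in the post
$SampleSites | Get-EffectiveAnyoneLinkExpiration -TenantDefaultDays 365 | Format-Table -AutoSize

# Against a live tenant (after Connect-SPOService), re-read each site by identity
# so that all sharing properties are populated:
# $Tenant = Get-SPOTenant
# Get-SPOSite -Limit All | ForEach-Object { Get-SPOSite -Identity $_.Url } |
#     Get-EffectiveAnyoneLinkExpiration -TenantDefaultDays $Tenant.RequireAnonymousLinksExpireInDays
```

With the sample data, the Confidential site reports a 10-day site override, and the Marketing site is flagged for review because it inherits the 365-day tenant default.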

OneDrive for Business Sites

The Set-SPOSite cmdlet in the current build of the SharePoint Online PowerShell module doesn’t support the AnonymousLinkExpirationInDays parameter for OneDrive for Business sites, as the error returned by this command shows:

Set-SPOSite -id https://office365itpros-my.sharepoint.com/personal/tony_redmond_redmondassociates_org -AnonymousLinkExpirationInDays 10 -OverrideTenantAnonymousLinkExpirationPolicy $True

set-sposite : https://redmondassociates-my.sharepoint.com/personal/john_redmond_office365itpros_com is a OneDrive for Business site collection. The only valid parameters for this type of site collection are '-Identity', '-AllowDownloadingNonWebViewableFiles', '-AllowEditing', '-ConditionalAccessPolicy', '-DefaultLinkPermission', '-DefaultSharingLinkType', '-DisableCompanyWideSharingLinks', '-LimitedAccessFileType', '-LockState', '-Owner', '-SharingAllowedDomainList', '-SharingBlockedDomainList', '-SharingCapability', '-SharingDomainRestrictionMode', '-ShowPeoplePickerSuggestionsForGuestUsers', '-StorageQuota', and '-StorageWarningLevel'.
At line:1 char:1
+ set-sposite -id https://office365itpros-my.sharepoint.com/personal/ ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [Set-SPOSite], ServerException
    + FullyQualifiedErrorId : Microsoft.SharePoint.Client.ServerException,Microsoft.Online.SharePoint.PowerShell.SetSite

Need more information about managing SharePoint Online and OneDrive for Business? The Office 365 for IT Pros eBook is bursting out with ideas!

Microsoft Acts to Stop OneDrive Users Excluding Sites from Searches https://office365itpros.com/2019/11/15/microsoft-stops-onedrive-users-excluding-sites-from-searches/?utm_source=rss&utm_medium=rss&utm_campaign=microsoft-stops-onedrive-users-excluding-sites-from-searches https://office365itpros.com/2019/11/15/microsoft-stops-onedrive-users-excluding-sites-from-searches/#comments Fri, 15 Nov 2019 10:46:46 +0000 https://office365itpros.com/?p=5639

Block Introduced in October; Available Everywhere Now

In September, I wrote about a problem inherited from an on-premises setting for OneDrive for Business sites. In a nutshell, because OneDrive sites are personal, their owners are the site administrators. And because they’re site administrators, a user can update the site settings to exclude the content of their OneDrive for Business site from searches (Figure 1). The upshot is that someone with bad stuff in their OneDrive site can stop Office 365 content searches finding and exporting that information. I’m not sure that people set on doing something dubious would keep information in OneDrive as they’re far more likely to keep it hidden safely away in a repository that only they can access, but it’s the principle that counts here.

Figure 1: OneDrive for Business Site Settings – Search and Offline Availability

Microsoft Engineering Responds

In any case, I took the problem to the SharePoint Online and OneDrive for Business product group. They acknowledged the problem and addressed it with some alacrity by removing the ability to exclude site contents from searches from the Site Settings page for OneDrive for Business sites. If you go to Site Settings for a OneDrive site now, you should find that the Search and Offline Availability settings are no longer available (Figure 2).

Figure 2: OneDrive for Business Site Settings

Some Lingering Issues

Although OneDrive for Business site owners can no longer find the option to remove their site from search results in site settings, a couple of issues still remain.

  • If they know what they’re looking for, site owners can navigate to the .aspx page with the option and set it there.
  • The option to exclude a site from search results is also available to people who know how to use the client side object model (CSOM).

It’s also true that administrators of SharePoint Online sites belonging to Teams and Office 365 Groups still see the Search and Offline Availability link in Site Settings and can, if they want to, remove the site from search results. In an era when compliance is critical for many organizations, it seems like allowing site owners to remove their information from searching shouldn’t be allowed inside Office 365.


Read the Office 365 for IT Pros eBook for more tips and techniques about managing OneDrive for Business.

Exploring OneDrive for Business Sharing Reports https://office365itpros.com/2019/10/22/onedrive-for-business-external-sharing-report/?utm_source=rss&utm_medium=rss&utm_campaign=onedrive-for-business-external-sharing-report https://office365itpros.com/2019/10/22/onedrive-for-business-external-sharing-report/#comments Tue, 22 Oct 2019 08:53:31 +0000 https://office365itpros.com/?p=5303

After years of ignoring the issue, Microsoft has finally started rolling out the External sharing report feature for OneDrive for Business. The rollout is still not 100% complete, so the feature might not be available in your tenant just yet, but it should be coming soon.

Generating a Sharing Report

To generate the External sharing report, open your OneDrive for Business site, go to Settings on top (cog wheel), OneDrive settings, More settings and finally under the Manage access section, click Run sharing report. You will then be asked to select where to store the report (Figure 1).

Figure 1: Generating a OneDrive for Business Sharing Report

After you select a folder and hit Save, the report is generated in a matter of a minute or two. You will be alerted by an email notification once the report is available, or you can look into the folder you selected for the output.

The report is a CSV file named with your display name followed by the date and time of its generation. The file is viewable in the browser or can be downloaded and opened with Excel. The latter option might be better for non-English users, as the columns and values of the generated CSV file will reflect the locale selected (in my case, Bulgarian), which resulted in an illegible mess because of the encoding, as shown in Figure 2.

Figure 2: Some encoding problems in a OneDrive for Business Sharing Report

Examining OneDrive for Business Sharing Data

Downloading the file and importing the data to an Excel worksheet, while simultaneously adjusting the encoding to UTF-8, produced a much more pleasant version (Figure 3). From left to right, you will see the Path to the item, its type, the permissions given, the user(s) with whom the item is shared (one entry per line), the user’s email where applicable, the User or Group type, Sharing Link ID, Sharing Link Type and AccessViaLinkID. Some of those fields might be empty, depending on the type of sharing, and the screenshot below only reflects External sharing (see below). Do note that the labels and values used are my own translation from the Bulgarian strings used in the original, so there might be a slight disconnect with what you see.

Figure 3: Contents of a OneDrive for Business Sharing Report

Despite what the feature name suggests, the report includes both internally and externally shared items, but more on that below. The items themselves are alphabetically sorted based on the full item’s path. As already mentioned above, each line represents a single permission entry, meaning you will see multiple entries for items that have more than one sharing link or direct permission, or any combination of those. Nested folders and items stored within them are covered, with some important omissions discussed below.

Comparing a Graph-Based Report

I took the liberty of comparing this report to the one generated with the Graph API based script I published over at Practical 365 a while back. Overall, you can expect to see very similar data, however there are some interesting differences. For example, the built-in report includes the default Web permissions, as well as permissions from other Lists/Libraries in your ODFB, while the script report focuses only on the default /Documents library. It’s also interesting to note that the Microsoft-generated report does not include information about permissions given to any secondary site collection owners, although they are readily available from the Graph endpoints.

Figure 4: A OneDrive for Business Sharing Report generated with the Microsoft Graph

The biggest difference between the two files is the sheer number of entries missing from the downloadable report. As an example, I sync the Camera roll from my mobile device to OneDrive for Business and have shared some of the images from OneDrive. This results in a few hundred entries in the script’s report just for the Photos folder, whilst the built-in report only lists a single entry for the folder. Trimming the entries makes sense, as all the items have the same set of permissions. However, the fact that trimming happens is not mentioned in the official documentation, so make sure to keep this aspect in mind when determining the actual number of shared items.

Similarly, there seems to be a bit of a gray area in the definition of internal vs external sharing. While the built-in report often seems to exclude entries that have additional permission entries that are considered internal only, it still lists other items even when they do not have any additional sharing links configured.

Administrative Challenges

Probably the major drawback for admins is the fact that there isn’t any easy way to run the report on behalf of a given user. Technically, you can add yourself as a secondary site collection admin for users’ ODFB drives, and you can then use those permissions to access the settings page of their sites and generate the report. However, this method is hardly manageable for anything but a handful of users.

Among other things worth mentioning is that the built-in report does not include information about link expiration, or additional link settings such as the Block download controls. Lastly, if you want to list all externally shared items, make sure to include the SharePointGroup value in addition to the External one when selecting a filter for the User or Group Type column. With all those adjustments in mind, the results from both files match perfectly, so whichever method you choose to use is entirely up to you.
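
The filtering described above can also be done in PowerShell instead of Excel. This added example (not from the original article) reads a downloaded sharing report as UTF-8, keeps the External and SharePointGroup entries, and collapses the one-line-per-permission rows into one line per item. The column names used as defaults and all sample rows are assumptions, because the article's labels are translated; check them against the header of your own report.

```powershell
# Added example: not part of the original article.
function Get-ExternallySharedItem {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$Path,
        # Column names are assumptions; override them to match your report's header
        [string]$PathColumn = 'Resource Path',
        [string]$TypeColumn = 'User or Group Type',
        [string]$UserColumn = 'User Name',
        # Both values must be included to catch all externally shared items
        [string[]]$ExternalTypes = @('External', 'SharePointGroup')
    )

    # Read explicitly as UTF-8 so localized headers and values are not mangled
    $Rows = @(Import-Csv -LiteralPath $Path -Encoding UTF8)
    if ($Rows.Count -eq 0) { return }

    # Fail loudly if the (possibly localized) header does not match the expected names
    $Header = $Rows[0].PSObject.Properties.Name
    foreach ($Column in $PathColumn, $TypeColumn, $UserColumn) {
        if ($Column -notin $Header) {
            throw "Column '$Column' not found. Report header is: $($Header -join ', ')"
        }
    }

    # Each row is one permission entry, so group the rows by item path
    $Rows | Where-Object { $_.$TypeColumn -in $ExternalTypes } |
        Group-Object -Property $PathColumn |
        ForEach-Object {
            [PSCustomObject]@{
                Item       = $_.Name
                Entries    = $_.Count
                Types      = ($_.Group.$TypeColumn | Sort-Object -Unique) -join ', '
                SharedWith = ($_.Group.$UserColumn | Sort-Object -Unique) -join '; '
            }
        }
}

# Constructed sample report so the example runs offline
$Sample = @'
"Resource Path","Item Type","Permission","User Name","User E-mail","User or Group Type","Link ID","Link Type","AccessViaLinkID"
"Documents/Budget.xlsx","File","Edit","Internal User","internal.user@tenant.example","Internal","","",""
"Documents/Budget.xlsx","File","Read","Guest One","guest.one@partner.example","External","","",""
"Documents/Photos","Folder","Read","Sample sharing link group","","SharePointGroup","link-0001","Anonymous",""
"Documents/Photos","Folder","Read","Guest Two","guest.two@partner.example","External","","","link-0001"
"Documents/Notes.docx","File","Edit","Internal User","internal.user@tenant.example","Internal","","",""
'@
$File = Join-Path ([IO.Path]::GetTempPath()) 'SharingReportSample.csv'
Set-Content -LiteralPath $File -Value $Sample -Encoding UTF8

Get-ExternallySharedItem -Path $File | Format-Table -AutoSize
```

Because the built-in report trims entries for items inside a shared folder, the counts returned here are permission entries listed in the file, not the number of files exposed.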


Office 365 for IT Pros has lots of useful insight like this covering different aspects of the ecosystem. Our subscribers have the chance to download an updated book monthly. Shouldn’t you be one of them?

How to Generate a Report About OneDrive for Business Storage https://office365itpros.com/2019/10/10/report-onedrive-business-storage/?utm_source=rss&utm_medium=rss&utm_campaign=report-onedrive-business-storage https://office365itpros.com/2019/10/10/report-onedrive-business-storage/#comments Thu, 10 Oct 2019 06:49:06 +0000 https://office365itpros.com/?p=4777

Now Much Easier to Find OneDrive for Business Sites with PowerShell

A couple of years ago, retrieving information about OneDrive for Business sites with PowerShell usually involved some gyrations. Then Microsoft updated the Get-SPOSite cmdlet with the IncludePersonalSite switch and things became easier. For instance, a reader asked if it was possible to generate a report listing all the OneDrive for Business sites in a tenant with the storage allocated and used for each site.

No problem, we thought, as we scanned the internet to see if people had already solved the problem. As it happens, several example scripts are available, but we ended up writing our own because it was possible to simplify the code. We also store the output in a CSV file as it’s a very flexible format for reporting or further analysis (like importing into Power BI).

PowerShell Report for OneDrive Storage

You need to connect to SharePoint Online in a PowerShell session with an admin account. The connection process imports the SharePoint cmdlets from the module. Once a connection is made, you can retrieve the storage data. The basic steps are:

  • Create an array of the OneDrive for Business sites in the tenant.
  • Select useful properties for each site.
  • Calculate the total OneDrive storage used for the tenant.
  • Write the information for each OneDrive site into a PowerShell list.
  • Write the list out as a CSV file.

Here’s the code:

# Get a list of OneDrive for Business sites in the tenant sorted by the biggest consumer of quota
Write-Host "Finding OneDrive sites..."
[array]$ODFBSites = Get-SPOSite -IncludePersonalSite $True -Limit All -Filter "Url -like '-my.sharepoint.com/personal/'" | Select Owner, Title, URL, StorageQuota, StorageUsageCurrent | Sort StorageUsageCurrent -Descending
If (!($ODFBSites)) { Write-Host "No OneDrive sites found (surprisingly...)" ; break }
# Calculate total used
$TotalODFBGBUsed = [Math]::Round(($ODFBSites.StorageUsageCurrent | Measure-Object -Sum).Sum /1024,2)
# Create list to store report data
$Report = [System.Collections.Generic.List[Object]]::new()
# Store information for each OneDrive site
ForEach ($Site in $ODFBSites) {
      $ReportLine   = [PSCustomObject]@{
        Owner       = $Site.Title
        Email       = $Site.Owner
        URL         = $Site.URL
        QuotaGB     = [Math]::Round($Site.StorageQuota/1024,2) 
        UsedGB      = [Math]::Round($Site.StorageUsageCurrent/1024,4)
        PercentUsed = [Math]::Round(($Site.StorageUsageCurrent/$Site.StorageQuota * 100),4) }
      $Report.Add($ReportLine) }
$Report | Export-CSV -NoTypeInformation c:\temp\OneDriveSiteConsumption.CSV
# You don't have to do this, but it's useful to view the data via Out-GridView
$Report | Sort UsedGB -Descending | Out-GridView
Write-Host "Current OneDrive for Business storage consumption is" $TotalODFBGBUsed "GB. Report is in C:\temp\OneDriveSiteConsumption.CSV"

Figure 1 shows an example of the CSV file generated by the script. Because the information is in a CSV file, you can sort and organize it in whatever way makes sense for you. Some organizations like to grab information like this and store it in a repository to track the growth in storage consumption over time.

Figure 1: CSV file listing the storage consumed by OneDrive for Business sites

The public health warning is that we’ve not tested the script on very large tenants. It might take some time to run in those conditions, in which case you could break up processing. For instance, you could filter for sites starting with each letter of the alphabet and then combine the results for each letter into a single file.
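The batching idea described above, written out as an added example (not code from the original post). It assumes an existing Connect-SPOService session, that every personal site alias begins with a letter or digit, and that the server-side filter accepts a longer URL fragment in the same way as the script above; sites whose alias starts with any other character would need an extra batch.

```powershell
# Added example: build the OneDrive storage report in batches, one per leading
# character of the site alias, then combine the batches into a single CSV file.
# Assumes an existing Connect-SPOService session with a SharePoint admin account.
$CsvPath  = "c:\temp\OneDriveSiteConsumption.CSV"     # same output file as the script above
$Prefixes = [char[]](97..122) + [char[]](48..57)      # a-z followed by 0-9
$Seen     = [System.Collections.Generic.HashSet[string]]::new([System.StringComparer]::OrdinalIgnoreCase)
$Report   = [System.Collections.Generic.List[Object]]::new()
$Failed   = [System.Collections.Generic.List[string]]::new()

ForEach ($Prefix in $Prefixes) {
    $Filter = "Url -like '-my.sharepoint.com/personal/$Prefix'"
    Write-Host "Fetching OneDrive sites for prefix '$Prefix'..."
    Try {
        $Batch = @(Get-SPOSite -IncludePersonalSite $True -Limit All -Filter $Filter -ErrorAction Stop)
    } Catch {
        # Record the failed batch so it can be rerun instead of silently losing sites
        Write-Warning "Batch '$Prefix' failed: $($_.Exception.Message)"
        $Failed.Add([string]$Prefix)
        Continue
    }
    ForEach ($Site in $Batch) {
        # Re-check the prefix on the client and skip any URL already recorded,
        # so a site can never be counted twice across batches
        If ($Site.Url -notlike "*-my.sharepoint.com/personal/$Prefix*") { Continue }
        If (-not $Seen.Add($Site.Url)) { Continue }
        # Guard against a zero quota to avoid a divide-by-zero error
        $PercentUsed = 0
        If ($Site.StorageQuota -gt 0) {
            $PercentUsed = [Math]::Round(($Site.StorageUsageCurrent / $Site.StorageQuota * 100), 4)
        }
        $Report.Add([PSCustomObject]@{
            Owner       = $Site.Title
            Email       = $Site.Owner
            URL         = $Site.Url
            QuotaGB     = [Math]::Round($Site.StorageQuota / 1024, 2)
            UsedGB      = [Math]::Round($Site.StorageUsageCurrent / 1024, 4)
            PercentUsed = $PercentUsed })
    }
}

# Combine the batches into one file, biggest consumers first
$Report | Sort-Object UsedGB -Descending | Export-Csv -NoTypeInformation -Path $CsvPath
$TotalGB = [Math]::Round((($Report | Measure-Object -Property UsedGB -Sum).Sum), 2)
Write-Host "$($Report.Count) OneDrive sites processed using $TotalGB GB. Report is in $CsvPath"
If ($Failed.Count -gt 0) {
    Write-Warning "Rerun these prefixes, the report is incomplete without them: $($Failed -join ', ')"
}
```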


Need more information about managing OneDrive for Business? Because the same general approach can usually be taken for both SharePoint Online and OneDrive for Business, we cover that topic in the chapter that deals with SharePoint Online management in the Office 365 for IT Pros eBook.

Discovering URLs for SharePoint Online and OneDrive for Business Sites https://office365itpros.com/2019/09/18/discovering-urls-sharepoint-online-onedrive-for-business/ Wed, 18 Sep 2019 07:04:29 +0000

URLs Needed for Office 365 Content Searches

The topic of how best to find the URL of someone’s OneDrive for Business account arose in the context of Office 365 content searches. You need to know the URL of any SharePoint Online site or OneDrive for Business account before you can include it in the locations scanned by a content search (Figure 1), eDiscovery case, or Office 365 retention policy.

Figure 1: Some OneDrive for Business accounts added to an Office 365 content search

Finding URLs for SharePoint Sites

Finding the URL of a SharePoint site is straightforward, especially if the site is connected to an Office 365 Group (team). You can:

  • Open the SharePoint site from the group or Teams and note the URL.
  • Run PowerShell to find the URL.
  • Look at the site details in the SharePoint Admin Center to find the URL (Figure 2).

Figure 2: Finding the URL of a site through the SharePoint Admin Center

We can find the URL with the SharePoint Online PowerShell module or the Exchange Online module. First, here’s SharePoint Online where we use the filter parameter with the Get-SPOSite cmdlet to find all sites containing “Ben” in the URL:

# Find SPO Sites with Ben in the URL
Get-SPOSite -Filter "URL -like 'Ben'"

Url                                                         Owner Storage Quota
---                                                         ----- -------------
https://tenant.sharepoint.com/sites/benowensteam            26214400

The Get-UnifiedGroup cmdlet in the Exchange Online module can return details of any group-enabled site:

# Get SPO details from group
Get-UnifiedGroup -Identity "Ben Owens Team" | Format-list share*

SharePointSiteUrl      : https://tenant.sharepoint.com/sites/benowensteam
SharePointDocumentsUrl : https://tenant.sharepoint.com/sites/benowensteam/Shared
                         Documents
SharePointNotebookUrl  :

Finding URLs for OneDrive for Business Accounts

The OneDrive for Business Admin Center doesn’t list OneDrive accounts, and neither does the SharePoint Admin Center. However, we can find the URLs as follows:

  • By accessing a user’s Delve profile and following the link to their OneDrive account.
  • With PowerShell.

PowerShell is probably the easiest method because you can create a list of all OneDrive for Business accounts in the tenant and keep it for easy reference. After connecting to the SharePoint Online PowerShell module with an administrator account, run this command to generate a CSV file with all the links. Figure 3 shows an example of what the CSV file contains.

# Get list of OneDrive for Business accounts and export them to CSV file
Get-SPOSite -IncludePersonalSite $true -Limit all -Filter "Url -like '-my.sharepoint.com/personal/'" | Select Owner, URL | Sort Owner | Export-CSV c:\temp\OneDriveSites.csv -NoTypeInformation

Figure 3: A list of OneDrive for Business Accounts Generated in CSV format

Apart from being a useful reference, generating a list of OneDrive accounts also allows you to identify any OneDrive accounts that belong to long-deleted user accounts and should no longer be online (I found a couple from 2013).
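One way to automate that check, as an added example that is not part of the original post: compare the owner of each OneDrive site against the current directory and list the sites whose owner is missing or disabled. It assumes a Connect-SPOService session, the Microsoft Graph PowerShell SDK for the directory lookup, that the Owner property holds the owner's user principal name, and a constructed output path.

```powershell
# Added example: flag OneDrive for Business sites whose owner no longer exists
# (or is disabled) in the directory. Read-only; nothing is changed or deleted.
# Assumes Connect-SPOService has already been run with a SharePoint admin account.
Connect-MgGraph -Scopes "User.Read.All"

# Build a lookup of current accounts: UPN -> AccountEnabled
# (PowerShell hashtable keys are case-insensitive, which suits UPN comparison)
$Directory = @{}
Get-MgUser -All -Property UserPrincipalName, AccountEnabled | ForEach-Object {
    If ($_.UserPrincipalName) { $Directory[$_.UserPrincipalName] = $_.AccountEnabled }
}

$Sites = @(Get-SPOSite -IncludePersonalSite $True -Limit All -Filter "Url -like '-my.sharepoint.com/personal/'")

$Findings = ForEach ($Site in $Sites) {
    If ([string]::IsNullOrWhiteSpace($Site.Owner)) {
        $Status = "NoOwnerRecorded"
    } ElseIf (-not $Directory.ContainsKey($Site.Owner)) {
        $Status = "OwnerNotInDirectory"
    } ElseIf (-not $Directory[$Site.Owner]) {
        $Status = "OwnerAccountDisabled"
    } Else {
        Continue   # owner is a current, enabled account
    }
    [PSCustomObject]@{
        Status       = $Status
        Owner        = $Site.Owner
        URL          = $Site.Url
        UsedGB       = [Math]::Round($Site.StorageUsageCurrent / 1024, 2)
        LastModified = $Site.LastContentModifiedDate
    }
}

# Oldest content first: these are the likeliest leftovers from long-deleted accounts
$Findings | Sort-Object LastModified |
    Export-Csv -NoTypeInformation -Path "c:\temp\OrphanedOneDriveSites.csv"   # constructed file name
Write-Host "$(@($Findings).Count) of $($Sites.Count) OneDrive sites have no active owner."
```

Review the flagged sites against any retention policies or holds before removing anything, because a site can be kept online deliberately after its owner leaves.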


Tracking down tips like this can be very time-consuming. Wouldn’t it be much better to be able to consult a comprehensive, always up-to-date manual? Something like the Office 365 for IT Pros eBook?

Default Save to Cloud for Office ProPlus https://office365itpros.com/2019/08/23/default-save-cloud-office-proplus/ Fri, 23 Aug 2019 08:15:48 +0000

Now Available for the Semi-Annual Update Channel

First announced in Office 365 notification MC172548 in January, MC188516 (published August 21) brings the news that users of the Semi-Annual Channel for Office ProPlus (click to run) will see that “save to cloud” is now the default. In other words, instead of the default being to save to a local PC folder, Word, PowerPoint, and Excel will opt to save to OneDrive or SharePoint. Tenants running targeted release can expect to see the change show up in September while those using standard release will see it in January 2020.

Easier for Cloud Collaboration

With just a hint of marketing hyperbole, Microsoft says that changing the default save location will “make it easier for your users to take advantage of the rich cloud collaboration capabilities in Office 365.” Although it’s true that putting files in cloud repositories makes it easier to exploit Office 365, some will still regret that Microsoft doesn’t give organizations the chance to control the default save location.

You’ve always been able to save Office documents to cloud locations, even if the navigation to the desired site or OneDrive folder was sometimes a little “interesting.” Making Office 365 the default save location simplifies the process, but only if Office includes the desired SharePoint or OneDrive location in the list suggested to the user. If not, you must hunt for the location as before.

Saving to the Cloud

I use the monthly update channel for Office ProPlus and have therefore had the cloud as the default location for months. In truth, it doesn’t make much difference in the way I save files because I typically need to save into a location that Office doesn’t show in its list. It would be nice if Office paid more attention to the most frequently used save location.

For instance, Figure 1 shows what I see when I saved a Word document this morning. The default save location is my personal OneDrive for Business account in my Office 365 tenant. You’d expect this because your OneDrive for Business account is the cloud replacement for “My Documents” on a PC. Clicking the down arrow exposes a list of other locations. The Documents folder is from my OneDrive personal account, while the other five locations are made up of two OneDrive for Business folders, a folder in a SharePoint Online document library, and two local folders.

Figure 1: Default save locations suggested by Office, including SharePoint and OneDrive

What’s odd is that the SharePoint Online location I use most (where I keep drafts of blog posts) is not in the suggested save list. I don’t know why this is so because Office uses a MRU (most recently used) service to track this kind of detail. In addition, there’s no way to mark a cloud folder as a preferred save location, which I think would be a good change.

It remains to be seen how much this change will affect users. Some will no doubt be disturbed, but most will see this as just another step along the path to the cloud.


For more information about Office ProPlus and how the update channels work, plus a pile of other information about SharePoint Online and OneDrive for Business, read the Office 365 for IT Pros ebook.

Using Password-Protected Sharing Links with SharePoint Online https://office365itpros.com/2019/07/23/using-password-protected-sharing-links-sharepoint-online/ Tue, 23 Jul 2019 00:03:10 +0000

Stop Unwanted People Using Sharing Links Sent for Documents

Announced at session BRK3100 at the Ignite 2018 conference last September and then included in the OneDrive for Business Roadmap update for June 2019, password-protected sharing links are now available across Office 365.

Only for Anyone Links

Before getting too excited, let’s reflect that this feature only works for Anyone sharing links. These are the links that can be used by anyone who has them. Many Office 365 tenants tune the sharing controls for SharePoint Online and OneDrive for Business to prohibit the use of Anyone links because they consider them a security risk. But if your tenant allows Anyone links, you can now protect them with custom passwords. The password-protected sharing link feature is available in the SharePoint Online and OneDrive for Business web clients. Block download is available in the OneDrive mobile client.

Sending Password-Protected Links

To begin, select a document and share it. Select “Anyone with the link” as the share. Click Anyone with the link to change the settings. In Figure 1 you can see that a password has been entered and we’ve also selected the option to block the recipient from downloading the document. This forces Office 365 to call the online app to display the content, so it only works for Office documents.

Figure 1: Adding a password to protect an Anyone link for a SharePoint document

When you’ve updated the settings, click Apply. You should now see that the icons under the link have changed to include a padlock (password protected) and download barrier (Figure 2).

Figure 2: Reviewing the sharing link before sending it

If a sharing link has already been created with a password, you’ll have the chance to update the link with a new password or use the existing password (Figure 3). It’s not a good idea to replace a password on a sharing link unless you update previous recipients with the new password.

Figure 3: A password already exists for a sharing link

Click Send to tell Office 365 to create and send the message with the sharing information. You’ll find the message in the Sent Items folder of your Exchange Online mailbox. When the recipient opens the message, they’ll see that the link will work for anyone with the password. Before they can open the content, you’ll need to give them the password through email, a voice message, SMS, Teams personal chat, or other method. Once they have the password, they can click the link, input the password (Figure 4) and see the content.

Figure 4: Entering a password for a sharing link

Limited Access to Content

In our case, the link we sent was both password-protected and blocked for download. As noted above, if the document is an Office file, Office 365 calls the relevant online app to open it. As you can see in Figure 5, the user is blocked from downloading and printing the file.

Figure 5: Document blocked from download by a setting in a sharing link

Modify Links

If necessary, you can use SharePoint’s Modify Access feature to update sharing links, including the ability to reset passwords in links. You can’t remove a password from a link once it is present.

Password-protected sharing links are straightforward to use. The sole difficulty might be for organizations to embrace the idea that they can permit Anyone links. After all, even if you decide that it’s OK to allow these links, there’s no way to force users to add passwords to the links every time. Perhaps that might be a future feature.
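Because passwords on Anyone links cannot be enforced, the decision that matters is where Anyone links are allowed at all. The following added example (not from the original post) reports the tenant-level sharing settings and the sites where Anyone links are currently possible; it assumes an existing Connect-SPOService session and a constructed output path, and the corrective commands at the end are left commented out.

```powershell
# Added example: audit where Anyone (anonymous) sharing links are permitted.
# Read-only as written. Assumes an existing Connect-SPOService admin session.
$Tenant = Get-SPOTenant

# ExternalUserAndGuestSharing is the only SharingCapability value that permits Anyone links
$TenantAllowsAnyone = ($Tenant.SharingCapability -eq "ExternalUserAndGuestSharing")

[PSCustomObject]@{
    SharingCapability       = $Tenant.SharingCapability
    AnyoneLinksAllowed      = $TenantAllowsAnyone
    DefaultSharingLinkType  = $Tenant.DefaultSharingLinkType      # link type offered first to users
    FileAnonymousLinkType   = $Tenant.FileAnonymousLinkType       # View or Edit for Anyone links to files
    FolderAnonymousLinkType = $Tenant.FolderAnonymousLinkType     # View or Edit for Anyone links to folders
    AnyoneLinkExpiryDays    = $Tenant.RequireAnonymousLinksExpireInDays
    AnyoneLinksExpire       = ($Tenant.RequireAnonymousLinksExpireInDays -gt 0)
} | Format-List

If (-not $TenantAllowsAnyone) {
    Write-Host "Tenant setting prohibits Anyone links, so no site can create them."
} Else {
    # A site can use Anyone links only when both tenant and site settings allow them
    $Exposed = @(Get-SPOSite -Limit All -IncludePersonalSite $True |
        Where-Object { $_.SharingCapability -eq "ExternalUserAndGuestSharing" } |
        Select-Object Url, Owner, SharingCapability)
    $Exposed | Export-Csv -NoTypeInformation -Path "c:\temp\SitesAllowingAnyoneLinks.csv"  # constructed file name
    Write-Host "$($Exposed.Count) sites currently permit Anyone links."
    If ($Tenant.RequireAnonymousLinksExpireInDays -le 0) {
        Write-Warning "Anyone links never expire in this tenant."
    }
}

# Corrected settings, to be applied deliberately after review:
#   Prohibit Anyone links but keep sharing with authenticated guests
#     Set-SPOTenant -SharingCapability ExternalUserSharingOnly
#   Or keep Anyone links and force them to expire (30 days is an illustrative value)
#     Set-SPOTenant -RequireAnonymousLinksExpireInDays 30
#   Or restrict a single site
#     Set-SPOSite -Identity <site URL> -SharingCapability ExternalUserSharingOnly
```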


For more information about managing SharePoint Online and OneDrive for Business, read the chapter in the Office 365 for IT Pros eBook.

OneDrive for iOS Gets a Fluent Overhaul https://office365itpros.com/2019/07/19/onedrive-ios-fluent-overhaul/ Fri, 19 Jul 2019 06:51:06 +0000

Color, Fonts, and Softer Looks in OneDrive for iOS

You’ve got to love the phrases Microsoft comes up with to describe changes made to their software. On July 17, they announced a redesigned OneDrive mobile app for iOS that includes a “splash of color” in the header and changes to font sizes and colors to make lists of files more legible. Lastly, the “command sheet” (options available from the […] menu) has a softer look and a draggable surface.

All of this brings joy to the hearts of graphic designers, but the single biggest joy in OneDrive for iOS is its ability to annotate and add notes to PDFs. Although the refresh promises to make things even easier, the functionality is pretty good in version 10.75.9 (updated on July 18).

PDF Markup and Notation

To test things out, I opened the PDF for the sample chapter for the Office 365 for IT Pros (2020 Edition) eBook from a folder synchronized with a SharePoint document library and scrawled “Sample” across the front cover (Figure 1). You can also see a note added to highlight something in the PDF. You can download the sample chapter here.

Figure 1: Annotating a PDF with OneDrive for iOS

Apart from my appalling inability to write “sample” in a legible manner, the interaction is smooth and easy. As always, the larger the screen, the easier it is to mark up documents, but OneDrive for iOS is more than acceptable.

I do wonder how many people know that they can mark up PDFs with OneDrive for iOS like this. It’s the kind of feature that you’d expect in the SharePoint mobile app, which doesn’t yet support it.

Microsoft and PDFs

Microsoft is making PDFs easier to work with in other ways. A recent Petri.com article explains how you can use a new file handler to avoid the need to download PDFs from SharePoint document libraries before you can work with them. The file handler redirects the PDFs to the Adobe Document Cloud where you can annotate and mark them up in a similar manner to OneDrive for iOS.

Teams Increases Group Chat Limit to 100 Participants and Improves Shareable File Links https://office365itpros.com/2019/05/14/teams-increases-group-chat-limit-improves-shareable-links/ Tue, 14 May 2019 07:29:37 +0000

Teams Group Chat Limits

Office 365 Message Center Update MC179396 (Roadmap item 51235) brings the news that Teams group chats now support an increased limit of 100 participants (from the previous 50). The roll-out of the new limit starts in June and should be complete by the end of July, except for GCC tenants.

Group chats are a useful way of getting together a set of people to discuss and refine an issue before bringing it for wider debate (or announce a decision) in a channel or via email. Unlike a team channel, where any member can see anything, a chat is limited to those invited to join. Chats don’t have owners, and anyone in a chat has the same rights as others, including the ability to remove someone else from the conversation. Files shared in a group chat are stored in the OneDrive for Business account of the sharer instead of a SharePoint site.

Figure 1: Naming a Teams Group Chat

It’s good practice to give a name to a group chat. This allows participants to identify the chat in their chat list and it’s also helpful if you ever need to look for something with eDiscovery as the chat name appears in the compliance items captured in Exchange mailboxes of the chat participants.

Teams Shareable File Links with Permissions

Teams has always had the ability to generate links to files stored in its SharePoint sites. Message Center update MC179400 (Roadmap item 51230) tells us that the shareable links created by Teams for posting into channel conversations and chats will now hold permissions in much the same way as the links generated by SharePoint and OneDrive for Business. As shown in Figure 2, you can assign permissions (including the ability to edit) to:

  • Anyone with the link (if allowed by the tenant sharing settings for SharePoint Online).
  • Tenant users with the link.
  • People with existing access (members of the team).
  • Specific people.

Figure 2: Specifying permissions for a shareable link generated by Teams

Once Teams generates a link, you can copy it into a channel conversation or chat. This action converts the link (something like https://tenant.sharepoint.com/:w:/s/O365ExchPro/ER3RMYkKBUBGiPXVqXQFgdkBK-rOsJHA6FSmqrr_75iaeQ?e=jGsU8C ) into a “file chiclet object” (a new term to me).

Figure 3: A File Chiclet Object created from a Teams shareable link

The new form of shareable links is rolling out to Office 365 tenants in May 2019 and should be available worldwide by the end of June.


These small but important changes are the kind of stuff we track on a daily basis to make sure that the Office 365 for IT Pros eBook is as up-to-date as we can make it. Read Chapter 13 for the latest information about Teams.

The Case of SharePoint Online’s Missing Retention Labels https://office365itpros.com/2019/04/08/sharepoint-missing-retention-labels/ Mon, 08 Apr 2019 10:11:54 +0000
Missing Office 365 retention labels in a SharePoint Online document library
Whoops… What did SharePoint Online do with those retention labels?

Sometimes Office 365 is Infuriating

On March 19, I woke up to discover that all the retention labels assigned to documents in the SharePoint Online sites and OneDrive for Business accounts in my Office 365 tenant had disappeared. No trace of any label existed and you couldn’t assign a label to any document.

What was also weird was that the Security and Compliance Center reported “no data” when I went to look at the retention labels, a fact confirmed by PowerShell as the code below (to list retention labels) returned a big fat nothing.

Get-ComplianceTag | Format-Table Name, IsRecordLabel, HasRetentionAction, RetentionDuration, RetentionAction, Mode -AutoSize

Meltdown in the SCC

As it happened, the week when the problem happened was the annual MVP Summit in Redmond, so I was pretty busy. I pinged a couple of my Microsoft contacts and learned that the Security and Compliance Center was having some problems. So much so that engineers had to disable the ability to edit or delete objects. Later, I discovered that an incident (FO176096) was in progress as some Information Protection labels had gone missing. Now, retention labels could be called Information Protection labels, but they are more likely sensitivity labels (a surplus of labels is always a bad thing). In any case, something screwy was clearly going on.

Details of Office 365 Incident FO176096

The incident report promised that data would be restored, so I decided to wait. And wait, and wait… but the retention labels still haven’t turned up in SharePoint Online. On March 26, I thought that something was stirring when I noticed retention labels appear in one or two sites, but that was only the effect of auto-label policies, as confirmed by the Label Explorer in the SCC. You can confirm the same by looking at the Office 365 audit records created when retention labels are applied to documents (the system rather than a user applies the labels).

The Label Explorer confirms a batch of retention labels were applied by an auto-label policy

Return of the Labels

Retention labels first reappeared in the SCC on March 25, which meant that I could once again assign retention labels to SharePoint and OneDrive for Business documents, but the labels assigned to SharePoint documents beforehand remained invisible. Or missing. Or lost. Or in an unknown state. The retention labels were available and persistent in Exchange and Office 365 Groups.

As mentioned above, labels started to reappear in SharePoint due to auto-label policies on March 26. However, the retention labels assigned explicitly to documents did not come back until April 2, two full weeks after I reported the initial issue. Microsoft hasn’t shared a reason with me yet as to why the problem occurred or what they did to recover the labels. For all I know, the labels went into a black hole, stayed there for a while, and then ambled back out into the sunshine.

Problems for Microsoft

There are a number of very bad things here. First, losing retention labels is a big no-no in terms of compliance. I do not know whether the temporary black-out has affected the retention period for these items. I also don’t know how many other Office 365 tenants were affected by the problem.

Second, although I learned about similar symptoms from other tenants, Microsoft never posted an incident notification in the Service Health Dashboard (SHD) of my tenant. Discovering a major loss of functionality through users is not the way things should work, especially considering all the telemetry Microsoft gathers about Office 365.

Third, the tardiness in restoring SharePoint back to full working condition is regrettable. You could say that I am not amused. It’s a sad example of a quality failure inside Office 365.


The Office 365 for IT Pros eBook can’t explain what SharePoint Online did with those pesky retention labels. But we can explain how retention labels should work, which is covered in Chapter 19.

Sharing SharePoint and OneDrive Documents with LinkedIn Contacts https://office365itpros.com/2019/03/13/sharing-with-linkedin/ Wed, 13 Mar 2019 14:52:09 +0000

Easy Sharing with Your LinkedIn Connections

Office 365 Message Center notification MC175683 tells us that Microsoft is “rolling out a new feature to OneDrive, SharePoint, Word, PowerPoint, and Excel Online powered by LinkedIn to enhance the way users connect and collaborate with people outside their organization.” Sounds good, but what does it mean?

First, it’s all about first-degree LinkedIn connections. In other words, people that you have connected with because you accepted their invitation to connect or they accepted your invitation.

Second, your Office 365 tenant must be configured to support connectivity with LinkedIn. And once the tenant is configured, users must connect their Office 365 account with their LinkedIn account. If they don’t, Office 365 won’t have the rights to retrieve information about contacts from LinkedIn.

People Suggestions

With everything in place, Office 365 loads first-degree connections into the “people suggestions” list used by SharePoint Online and OneDrive for Business to respond to names typed in by a user when they share a document. The idea is that by including LinkedIn contacts in the suggestions list, it will be easier for Office 365 users to collaborate with those contacts.

Sharing a SharePoint Document with a LinkedIn Contact

Take the example below where I want to share a document from a SharePoint Online library. In the past, if I wanted to share it with a LinkedIn contact, I would need to know their email address to send a sharing invitation. With the LinkedIn contacts loaded into the people suggestions list, all I do is type in the first few characters of the name (in this case “Shane”) to see an integrated set of contacts built from my Office 365 tenant directory (including guest users), LinkedIn contacts, and email contacts (including the auto-complete list used by Outlook and OWA). It’s a smooth and easy experience.

Sharing a SharePoint Online document with a LinkedIn contact
Browsing LinkedIn contacts in SharePoint Online’s Suggested People list

Perhaps the most important thing about the new point of integration between Office 365 and LinkedIn is that including the LinkedIn contacts in the suggested people list means that Office 365 sends the sharing invitation to their latest email address (as in their LinkedIn profile). Hopefully, contacts keep their email addresses updated, which means that there’s a higher chance that the invitation will arrive in the right place.

Sharing in Office Online Apps

The same kind of sharing works with OneDrive for Business and with the online versions of Word, Excel, and PowerPoint (but not the desktop versions).

Selecting to share from a mixture of tenant users and LinkedIn contacts in Word Online

The feature is now rolling out within Office 365 and is available to targeted release users. Microsoft expects the rollout (except to Government customers) to be complete by the end of April 2019.


For more information about sharing Office 365 documents, read Chapter 8 of the Office 365 for IT Pros eBook.

New Information Protection Service Plans for Office 365 https://office365itpros.com/2019/02/25/information-protection-licenses-office-365/ Mon, 25 Feb 2019 14:11:32 +0000

Preparing for Office 365 Sensitivity Labels

Microsoft’s 15 February announcement (MC173614) that they are updating the Office 365 E3, E5, and Advanced Protection and Compliance SKUs to include new Information Protection service plans might have surprised some. After all, Office 365 E3 and E5 tenants are already automatically enabled for rights management and can use the feature to protect email and documents.

What’s happening is that Microsoft is clearing the decks to prepare for the general availability of Office 365 sensitivity labels and the predictable rise in interest about protecting Office 365 content, especially that stored in Exchange Online, SharePoint Online, and OneDrive for Business. It’s also likely that Microsoft will extend the reach of sensitivity labels to other Office 365 apps, including Teams.

Azure Information Protection Licenses

Today, a lacuna exists in licensing terms. Azure Information Protection (AIP) is the technology built on top of rights management. AIP labels can apply protection (encryption) or just mark content (for instance, with a footer). AIP labels can be used to protect content stored inside Office 365, but no integration exists between these labels and Office 365 apps because the predominant use of AIP labels is to mark content stored outside Office 365.

Azure Information Protection and Office 365
Office 365 Protection is built on top of Azure Information Protection

To use AIP labels to protect content, you need an AIP license. The license comes in two forms – standard and premium. The premium license covers automatic labeling, where applications like Word and Excel can apply labels based on content detected in files. Sensitivity labels support automatic labeling (enabled in the latest preview of the AIP client), and I anticipate that this will be a premium feature.

Clarifying Office 365 Licensing

Up to now, it has been assumed that because Office 365 E3 and E5 tenants are automatically enabled for rights management, their existing licenses cover protection applied by sensitivity labels. The new service plans clarify the matter. Although Microsoft’s announcement isn’t clear on the point, it seems logical that Office 365 E3 will include Information Protection for Office 365 – Standard in its list of service plans and Office 365 E5 will include Information Protection for Office 365 – Premium. This approach clarifies the licensing issue and allows for premium features like automatic labeling to be restricted to the higher Office 365 E5 SKU.

Because Information Protection is a separate service plan within a SKU (like Yammer or To-Do), you will be able to selectively enable or disable it for users. For instance, you might not want some people to apply sensitivity labels until they receive training and understand how protection works.

You don’t have to do anything to prepare for the change. The new service plans will turn up in March and once they appear in your tenant, you can enable or disable Information Protection for accounts through the Office 365 Admin Center or PowerShell.


For more information about Information Protection, read Chapter 24 of the Office 365 for IT Pros eBook. There’s lots of stuff there about encryption, rights management, templates, and AIP.

Searching for Encrypted Office 365 Information https://office365itpros.com/2018/12/15/encrypted-office365-sharepoint-onedrive/?utm_source=rss&utm_medium=rss&utm_campaign=encrypted-office365-sharepoint-onedrive https://office365itpros.com/2018/12/15/encrypted-office365-sharepoint-onedrive/#comments Sat, 15 Dec 2018 20:45:51 +0000 https://office365itpros.com/?p=1216

The advent of sensitivity labels within Office 365 should lead to more use of rights management to protect email and documents. Rights management uses encryption to enforce the permissions assigned to those who receive information. Microsoft automatically enables rights management for Office 365 E3 and E5 tenants and email can be protected without making any further changes using the Encrypt-Only and Do Not Forward templates.

The downside of using rights management to protect documents stored in SharePoint Online and OneDrive for Business libraries is that indexing cannot process encrypted content. The metadata (properties) of encrypted documents is processed and included in the indexes, but the actual content inside the Word, Excel, PowerPoint, or PDF files is not.

Encryption Blocks Some Office 365 Features

The lack of indexing means that any Office 365 feature which depends on the SharePoint indexes doesn’t work with encrypted documents. You can’t find documents using SharePoint or Delve searches, and you can’t find them with Office 365 content searches. That is, unless the metadata of the encrypted files contains the keyword you use for the search. If this is the case, the search succeeds because the metadata is included in the index.

The situation is different with Exchange email because Exchange is able to decrypt protected messages and include them in the index.

A Search Example

Take the example where we have:

  • A protected email sent to one other recipient in the tenant. The search keyword is in the body of the message.
  • A protected Word document with the search keyword in the body of the file.
  • A protected Word document with the search keyword in the body of the file and in one of the document properties (like the Title or Comments).

When we search, we should find two copies of the message (from the mailboxes of the sender and the recipient) and the second Word document (based on the metadata). The first Word document remains invisible to search because the information we search for is in the encrypted body. The content search shown below illustrates the point. We can see the two messages and single document.

Office 365 content search finds some but not all of the data we want

If you do unearth some encrypted content in a content search, you can decrypt protected email during the export process, but encrypted documents are exported intact. This means that you must decrypt those files to allow investigators to review their content (I describe how in this Petri.com article).

Microsoft to Improve Situation?

Microsoft is doing a great deal to make encrypted content easier to generate within Office 365. It will take time for tenants to understand and adopt functionality like sensitivity labels, but it will happen. Hopefully, we’ll see an improvement in the discoverability of protected documents in SharePoint and OneDrive. 


For more information about sensitivity labels, see Chapter 24 of the Office 365 for IT Pros eBook. Content searches are covered in Chapter 20, and Delve is in Chapter 9.

OneDrive for Business Launches the Recent View https://office365itpros.com/2018/11/24/new-recent-view-in-odfb/?utm_source=rss&utm_medium=rss&utm_campaign=new-recent-view-in-odfb https://office365itpros.com/2018/11/24/new-recent-view-in-odfb/#respond Sat, 24 Nov 2018 10:43:56 +0000 https://office365itpros.com/?p=1053

OneDrive For Business (ODFB) is a core Office 365 workload that is continuously evolving and adding new features to increase user productivity. As disclosed at Microsoft Ignite 2018, Microsoft is now rolling out a new “Recent view” in OneDrive For Business (ODFB) to expose the recent documents we have been working on and the last time we accessed them.

Depending on the context and the permissions we have on the selected document, the user has different options to interact with the document.

We cover OneDrive For Business in Chapter 9 for the Office 365 for IT Pros eBook.

Verifying Office 365 Administrator Access to User Data https://office365itpros.com/2018/09/04/office-365-administrator-access-user-data/?utm_source=rss&utm_medium=rss&utm_campaign=office-365-administrator-access-user-data https://office365itpros.com/2018/09/04/office-365-administrator-access-user-data/#respond Tue, 04 Sep 2018 08:34:54 +0000 https://office365foritpros.com/?p=452


The Golden Keys to User Data

Administrators have always had the ability to access user data and Office 365 is no different. This Petri.com article explains the situation and looks at two methods administrators can use to retrieve content. One is the famous (or infamous) Search-Mailbox cmdlet and the other is Office 365 content searches.

Both actions are captured in the Office 365 Audit log, but how many people actually check that log regularly to pick up odd administrator activity? Of course, because it’s usually the administrators who look at the audit log, they already know what they’ve done.

But the advent of regulations like GDPR means that Office 365 tenants need to pay a lot more attention to the protection of personal data, so isn’t it time that your company had a policy to cover how and when administrators are allowed to retrieve user data?

See Chapter 6 of Office 365 for IT Pros for more information about the Search-Mailbox cmdlet and Chapter 20 for information about using content searches. And then follow up by reviewing Chapter 21 to learn about the Office 365 audit log and how to analyze its contents.
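One way to run the regular audit log check this post asks about, added here as an example and not taken from the original article: the function summarizes, per administrator, the audit records for Search-Mailbox and content search activity. The operation names are assumptions about how a tenant records these actions, and the contoso.example accounts and sample records are constructed; live records come from Search-UnifiedAuditLog.

```powershell
# Added example. Operation names are assumptions about what the unified audit log records.
$WatchedOperations = @(
    'Search-Mailbox',                                     # Exchange admin cmdlet
    'SearchCreated', 'SearchStarted', 'SearchPreviewed',  # content search activity
    'SearchExported', 'SearchExportDownloaded'            # results leave the service
)
$ExportOperations = 'SearchExported', 'SearchExportDownloaded'

function Get-AdminDataAccessSummary {
    param(
        [Parameter(Mandatory)] [object[]] $Records
    )
    $Events = foreach ($Record in $Records) {
        if ($Record.Operations -notin $WatchedOperations) { continue }
        # AuditData is a JSON string; ObjectId names the mailbox or search acted on.
        $Data = $Record.AuditData | ConvertFrom-Json
        [pscustomobject]@{
            Time      = [datetime]$Record.CreationDate
            Admin     = $Record.UserIds
            Operation = $Record.Operations
            Target    = $Data.ObjectId
        }
    }
    # One row per administrator, most active first.
    $Events | Group-Object Admin | ForEach-Object {
        [pscustomobject]@{
            Admin      = $_.Name
            Events     = $_.Count
            Operations = ($_.Group.Operation | Sort-Object -Unique) -join ', '
            Targets    = ($_.Group.Target | Sort-Object -Unique) -join ', '
            Exported   = [bool]($_.Group.Operation | Where-Object { $_ -in $ExportOperations })
            LastSeen   = $_.Group.Time | Sort-Object | Select-Object -Last 1
        }
    } | Sort-Object Events -Descending
}

# Constructed sample records, shaped like Search-UnifiedAuditLog output.
$Sample = @(
    [pscustomobject]@{ CreationDate = '2018-09-03T09:12:00Z'; UserIds = 'admin.one@contoso.example'
        Operations = 'Search-Mailbox'; AuditData = '{"ObjectId":"kim.akers@contoso.example"}' }
    [pscustomobject]@{ CreationDate = '2018-09-03T09:40:00Z'; UserIds = 'admin.two@contoso.example'
        Operations = 'SearchStarted'; AuditData = '{"ObjectId":"Project X search"}' }
    [pscustomobject]@{ CreationDate = '2018-09-03T09:55:00Z'; UserIds = 'admin.two@contoso.example'
        Operations = 'SearchExported'; AuditData = '{"ObjectId":"Project X search"}' }
    [pscustomobject]@{ CreationDate = '2018-09-03T10:05:00Z'; UserIds = 'kim.akers@contoso.example'
        Operations = 'FileAccessed'; AuditData = '{"ObjectId":"Budget.xlsx"}' }   # ignored: not watched
)
Get-AdminDataAccessSummary -Records $Sample | Format-Table -AutoSize

# Live use (needs an Exchange Online PowerShell session with audit log access):
# $Records = Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-30) -EndDate (Get-Date) `
#     -Operations $WatchedOperations -ResultSize 5000
# Get-AdminDataAccessSummary -Records $Records
```

Running the summary on a schedule and sending it to someone other than the administrators themselves addresses the point made above that the people reading the log already know what they did.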

Mass Delete Notifications for SharePoint Online and OneDrive for Business https://office365itpros.com/2018/08/29/mass-delete-email-sharepoint-onedrive/?utm_source=rss&utm_medium=rss&utm_campaign=mass-delete-email-sharepoint-onedrive https://office365itpros.com/2018/08/29/mass-delete-email-sharepoint-onedrive/#comments Wed, 29 Aug 2018 14:12:10 +0000 https://office365foritpros.com/?p=375

Best-Effort Email Notifications for Mass Deletions

On August 28, Microsoft published MC147280 in the Office 365 Message Center to inform tenants that they’re about to introduce “best-effort” email notifications to users when “a higher than usual number of files are deleted per hour”. Microsoft doesn’t say what criteria they use to calculate a higher than usual number of deleted files in an hour.

For OneDrive for Business, the email notification will tell the account owner about the deleted files and how to recover the files from the Recycle Bin. For SharePoint Online, the person who deleted the files (a site owner or a member) gets the same kind of email.

The interesting thing about Office 365 updates like this is to ponder why Microsoft feels that they should introduce such a feature. Have we seen a rash of users deleting every file to hand in their OneDrive account, or site members going crazy in SharePoint? Has Microsoft come to the conclusion that they need to step in based on the data gathered about usage patterns in the Microsoft Graph?

Reducing Support Calls

The answer is likely more prosaic. I think this is another attempt by Microsoft to proactively reduce support costs by telling users when they might have made a mistake and deleted files that they shouldn’t – and the support call comes in to ask Microsoft where the files have gone and how to recover them.

Support is expensive and it makes sense for Microsoft to take steps to reduce the number of potential calls in this manner. Users are also likely to be happier if they get a note to inform them that they might have made a mistake. Let’s face it, avoiding the opportunity to log a support call for Office 365 is always a pleasure.

On the other hand, users might be annoyed when they receive email about a perfectly legitimate action that they deliberately and purposefully set out to accomplish. It smacks a little of “Big Brother is Watching” when email arrives out of the blue to say something like “We’ve noticed that you’ve just deleted a lot of files…”  Clippy for the cloud?

Retention Labels

Although you might not be able to stop users deleting files from their OneDrive for Business account (they are, after all, personal files), you can easily stop users removing documents from SharePoint Online libraries by assigning labels to individual documents or Office 365 retention policies to sites. For instance, if you assign a label called “Important” to a document, and that label has a retention period of five years, then site members won’t be able to delete it until the retention period expires.

Auto-label policies (part of Office 365 E5 and the advanced data governance add-on) can be deployed to find and label documents based on sensitive data types or keyword queries, so you can make sure that the most important files in an organization are retained.

More Detail to Follow

Microsoft says that they are rolling out the new feature to targeted release tenants now and will continue the roll-out for standard release tenants in late September, following the normal 30-day delay between targeted and standard deployments.

Earlier today I deleted 40 documents from my OneDrive for Business account to try and provoke a mass delete notification. Typically, I might delete one or two items a day, so 40 seemed to comfortably be in the zone for OneDrive to notice and react. So far, several hours later, no message has arrived. Maybe the feature hasn’t reached my targeted release tenant yet. Now how do I recover those blasted documents?

For more information about managing SharePoint Online and OneDrive for Business, see Chapter 8 of Office 365 for IT Pros. For information about creating, deploying, and managing Office 365 retention policies and labels, see Chapter 19.

Avanan’s PhishPoint – FUD or a Real Problem? https://office365itpros.com/2018/08/16/phishpoint-fud-or-problem/?utm_source=rss&utm_medium=rss&utm_campaign=phishpoint-fud-or-problem https://office365itpros.com/2018/08/16/phishpoint-fud-or-problem/#respond Thu, 16 Aug 2018 20:09:20 +0000 https://office365foritpros.com/?p=235


A New Attack

Avanan is an Israeli security company that has a track record of pointing to Office 365 security and saying that it could be improved. In some cases, like their criticism of MTA-based email scanning a la Mimecast, I think they have a point. In others, I’m not so sure.

Take the “PhishPoint” episode, reported by Avanan to affect 10% of the Office 365 customers they work with. Avanan duly scales this number up to estimate that the problem affects the same percentage globally, or 13.5 million of the 135 million active Office 365 users (the last official number – likely higher by about 15 million now). I must be missing something here, because if 13.5 million Office 365 users had been attacked through a malicious SharePoint document, I think Twitter and other social media would be in global meltdown. And they’re not.

The attack involves an embedded URL in an email that leads to a real SharePoint document (presumably in an Office 365 tenant owned by the attacker) that invites the victim to sign into Office 365 to read the content of another document that’s shared in OneDrive for Business. The result is a dummy sign-in screen that looks like the regular Azure Active Directory sign-in, which is where the attacker gathers user credentials, presumably for later use to compromise their account, perhaps in a Business Email Compromise attack.

Will Users Notice the Flaws in the Attack?

I’m sure some people will be deceived by the scheme, but I’ve got to hope that the majority will notice signals like being taken from one document to another (odd when you think about how sharing works inside Office 365), followed by a sign-in screen whose URL has no connection to Office 365 and, in Avanan’s posted example, is flagged as “dangerous.”  Perhaps the Office 365 customers that Avanan deals with are less well-trained, which is why 10% of them have been affected.

Joking apart, the report does highlight that malicious code can be introduced through infected documents. Solid user training to warn people about how attackers work should be given on an ongoing basis. Threats evolve all the time, so training needs to keep pace.

Read, Understand, Decide

Avanan’s business is based on convincing people that they need extra layers of security to keep Office 365 safe. Some of the reasons they advance are good, some are FUD (I thought this example was in 2016). The articles that they write about Office 365 security are worth reading (like “8 Security considerations when moving to Office 365”), if only to cause you to pause for thought and consider whether you need to do more to secure your tenant. But don’t take everything at face value. You understand your tenant better than anyone else, so always put the information presented by a third party into that context and then make decisions.

For more information about SharePoint Online and OneDrive for Business, read Chapter 8 in Office 365 for IT Pros. For more information about Advanced Threat Protection and Exchange Online Protection, see Chapter 17.

 

Why SharePoint Online and OneDrive for Business Have a One Hundred Version Minimum https://office365itpros.com/2018/08/16/sharepoint-online-versions/?utm_source=rss&utm_medium=rss&utm_campaign=sharepoint-online-versions https://office365itpros.com/2018/08/16/sharepoint-online-versions/#comments Thu, 16 Aug 2018 11:57:29 +0000 https://office365foritpros.com/?p=210


Minimum Versioning Coming Soon

In Office 365 Message Center MC146556, Microsoft announced today how organizations can avoid using the new minimum of one hundred versions for files stored in SharePoint Online and OneDrive for Business libraries.

The new feature comes into effect on September 30, 2018. Before then, if you want to avoid using the feature, you must download and install the latest version of the PowerShell module for SharePoint Online (make sure that you have version 16.0.7918.1200 or better). After updating the module, run the command:

Set-SPOTenant -EnableMinimumVersionRequirement $False

If you don’t do this before September 30, Microsoft will enable minimum versioning for all SharePoint Online and OneDrive for Business libraries. To configure versioning for a site, access the library settings page for a document library (Figure 1) and set the value for major versions to anything between 100 and 50,000.

Figure 1: Configuring the versioning setting for a SharePoint Online document library

Customer Pushback

Microsoft originally announced that this feature would be enabled for all sites, but they obviously received some pushback from customers who don’t want to keep so many versions. This might have been an acceptable position in the on-premises world when you’d be worried about the storage consumed to keep so many versions, but it really doesn’t make much sense in the cloud. The storage used to keep versions is not charged against your tenant quota and Microsoft takes care of providing the physical storage that’s needed.

AutoSave and Restore Need Versions

Another reason why minimum versioning is a good thing to have is that features like AutoSave of Office documents (needed for co-authoring) and the ability of OneDrive and SharePoint Online to restore files to a point in time within the last 30 days depend on versions being available. If you don’t have the versions, you can’t recover files.

For more information about SharePoint Online and OneDrive for Business, see Chapter 8 in Office 365 for IT Pros.
