OneDrive for Business – Office 365 for IT Pros
https://office365itpros.com
Mastering Office 365 and Microsoft 365
Last updated: Fri, 28 Jun 2024 18:35:14 +0000

Understanding SharePoint Online Storage
https://office365itpros.com/2024/06/10/sharepoint-online-storage-2/
Mon, 10 Jun 2024 07:00:00 +0000

SharePoint Online Storage, OneDrive for Business, and SharePoint Embedded

Given the vast numbers of files created in SharePoint Online daily (Jeff Teper cited 2.3 billion in December 2023), it must be the case that the storage quotas assigned to tenants are being consumed at an alarming rate. However, I suspect that a large proportion of the files end up in OneDrive for Business and don’t impact storage so much.

These thoughts came to mind when I perused the OneDrive files report for my account to discover just how many applications now store their data in OneDrive for Business. Microsoft has truly made OneDrive for Business the personal storage system for Microsoft 365 holding anything from Office documents to Teams meeting recordings and transcripts to Whiteboards.

But coming back to storage, I often hear confusion about how Microsoft charges for SharePoint storage. Let’s review the current situation.

Three Major Storage Partitions

SharePoint Online covers three major storage partitions:

  • SharePoint Online sites.
  • SharePoint Embedded applications, like Loop and Designer.
  • OneDrive for Business accounts.

The SharePoint Online storage quota assigned to a tenant (1 TB plus 10 GB per licensed user) covers only the first category. The storage consumed by SharePoint sites is well understood because it’s highlighted in the SharePoint admin center and is easy to report with PowerShell. A Graph usage API is also available for SharePoint Online, but currently suffers from a longstanding data issue that prevents site URLs from being shown.

The storage consumption of SharePoint Embedded applications is less clear. These applications use file storage containers (like document libraries). First-party applications like Loop charge their storage against the tenant storage quota for SharePoint Online. If the applications support SharePoint Online PowerShell or another API to report storage, it’s possible to generate a report about the storage consumed by an app.

Third-party apps built on top of SharePoint Embedded are billed separately through an Azure subscription using a pay-as-you-go metered model. Charges are accrued for API calls and the storage consumed.

OneDrive for Business Storage

The OneDrive service description says that “the default storage space for each user’s OneDrive is 1 TB. Depending on your plan and the number of licensed users, you can increase this storage up to 5 TB.” The default storage assigned to OneDrive for Business accounts is defined through the Settings section in the SharePoint Online admin center (Figure 1).

Figure 1: Setting the default storage allocation for OneDrive for Business accounts

In a Microsoft 365 enterprise tenant, the storage for OneDrive can be increased to more than 5 TB. The documentation states: “Before requesting an increase you need at least five licenses that include OneDrive Plan 2, you must assign at least one license to a user, and a single user must have already filled 90% of their 5 TB storage.”

The problem here is that Microsoft stopped offering OneDrive Plan 2 in August 2023, apparently to stop offering the “unlimited storage capacity” that was once available for licenses like Office 365 E3 and E5. No official notice was given, and the plan slipped away. Office 365 and Microsoft 365 licenses no longer include a OneDrive service plan.

In any case, if you want to keep an eye on OneDrive storage consumption, it’s easy to generate a report with PowerShell.

Microsoft 365 Archive

Microsoft 365 Archive is a solution that moves SharePoint Online sites from “hot” storage (immediate access) to “cold” storage. The idea is that organizations can keep data online in a form that’s available for eDiscovery but not for user access. Archiving sites also helps to remove information from consumption by AI solutions like Copilot for Microsoft 365 to stop the results generated by AI being affected by old and possibly obsolete information.

Organizations pay for the storage consumed by archived sites through an Azure subscription. The cost per GB is much less than having to pay for regular SharePoint storage and Microsoft doesn’t charge for archive storage if the tenant has regular storage available. If the tenant runs out of regular storage, Microsoft 365 Archive switches to its pay-as-you-go model.

Retention Storage

Microsoft 365 Retention Policies and Retention Labels can dictate how long content stored in SharePoint Online (including OneDrive for Business and SharePoint Embedded) is kept before it can be deleted. If files coming within the scope of retention are deleted by users, SharePoint Online keeps them in the site’s preservation hold library. Depending on the settings of retention policies and labels, it’s possible that preservation hold libraries can consume a large amount of storage (Figure 2).

Figure 2: Retention can consume a lot of SharePoint Online storage.

Retained content can be easy to overlook. Microsoft plans to introduce intelligent versioning (originally planned for November 2023), which should help.

Summarizing SharePoint Online Storage

In summary, traditional SharePoint site storage is only one of the ways that tenant storage quota can be consumed. OneDrive for Business stores more data than ever before, but Microsoft has renounced unlimited storage. New applications and retention can consume storage unexpectedly, and Microsoft 365 Archive can help by moving data to cheaper cold storage. What could be easier to understand?


Support the work of the Office 365 for IT Pros team by subscribing to the Office 365 for IT Pros eBook. Your support pays for the time we need to track, analyze, and document the changing world of Microsoft 365 and Office 365.

Full SharePoint Online Support for PDFs with Sensitivity Labels
https://office365itpros.com/2023/07/20/sensitivity-label-pdf/
Thu, 20 Jul 2023 01:00:00 +0000

Sensitivity Label PDF Support Increases Coverage for Protection

In my review of sensitivity labels for 2023, I noted that the only way to apply a sensitivity label directly to a PDF was with:

  • The paid-for versions of Adobe Acrobat.
  • Generating PDFs from Office documents (subscription apps only).
  • Applying a label through the unified labeling client.

Unlike retention labels, it wasn’t possible to apply a sensitivity label to a PDF using the SharePoint Online browser client. Now it is, and it’s an important update given the widespread use of PDFs within Microsoft 365. Between Office documents and PDFs, sensitivity labels can now protect over 90% (my estimate) of all files stored in SharePoint Online and OneDrive for Business. It’s another step to making PDFs a fully functional format within the Microsoft Information Protection ecosystem.

What Sensitivity Label PDF Support Means for SharePoint Online

In an update announced by principal program manager Sanjoyan Mustafi on LinkedIn, the preview of SharePoint Online support for PDFs is available to all commercial tenants worldwide. Support extends to sensitivity labels with predefined permissions. Labels with user-defined permissions or those that use Double Key Encryption (DKE) are unsupported.

Supporting sensitivity labels for PDFs means that people can use SharePoint Online and OneDrive for Business to:

  • Apply sensitivity labels to PDFs through the browser interface (Figure 1) and amend or remove the label afterwards, including forcing the user to provide justification if required by policy. This includes applying the default sensitivity label defined for a document library to PDFs as users load them into the library (requires the SharePoint-Syntex advanced management license).
  • Apply sensitivity labels to PDFs stored in SharePoint Online and OneDrive for Business through auto-label policies. This feature is covered in message center MC644060 (14 July, 2023).
  • Apply sensitivity labels to PDFs using the assignSensitivityLabel Graph API (if your app has permission to do so).
  • Display the names of sensitivity labels for protected PDFs in document libraries.
  • Index the content of PDFs protected by sensitivity labels. This supports Microsoft Purview solutions like Data Loss Prevention, content searches, and eDiscovery.

Figure 1: Applying a sensitivity label to a PDF in SharePoint Online

Like Office documents protected by a sensitivity label with encryption, SharePoint Online can’t display a thumbnail of a protected PDF (Figure 2). I believe that this has something to do with the inability to fetch the necessary use license to decrypt the file. Thumbnails are shown for PDFs assigned a sensitivity label with no encryption. To open a document, use the Edge browser (which supports reading protected files) or download the file and use an app that understands how to open protected PDFs (like Acrobat).

Figure 2: No thumbnail available for a protected PDF

I hear that Microsoft is working on the viewing issue and expects to have a fix by the end of 2023.

Enabling Sensitivity Label PDF Support for SharePoint Online

By default, SharePoint Online support for PDFs is disabled. To enable support, load the SharePoint Online administration PowerShell module and run the Set-SPOTenant cmdlet. You’ll need a recent version of the module (use this script to update your Microsoft 365 modules to the latest version):

Set-SPOTenant -EnableSensitivityLabelforPDF $True

To revert, run the command to update the setting to $False.

Set-SPOTenant -EnableSensitivityLabelforPDF $False

Disabling SharePoint support for PDFs has no effect on PDFs with sensitivity labels. It will stop users being able to assign or update labels through the SharePoint Online and OneDrive for Business browser interfaces and SharePoint Online will cease indexing protected PDF content.

If you don’t want to use PowerShell, check the Information protection section of the Purview compliance portal, and go to Auto-labeling. You might see a message inviting you to turn on support for PDFs. If you do, select Turn on now and the job is done.

More information about PDF support for sensitivity labels in SharePoint Online is available in Microsoft documentation.

Sensitivity Label PDF Support is an Important Step Forward

I don’t think it is an exaggeration to say that some organizations have been waiting years for PDF support to arrive in SharePoint Online. Given the widespread use of PDFs in many organizations, this is an important step forward for those wishing to protect their most sensitive information stored in SharePoint Online and OneDrive for Business.



Assigning OneDrive Storage Quotas Based on Group Membership
https://office365itpros.com/2023/06/15/onedrive-storage-quota-manage/
Thu, 15 Jun 2023 01:00:00 +0000

Managing OneDrive Storage Quotas Through Groups

A reader asked if it is possible to control the assignment of OneDrive for Business storage quotas using groups, through a mechanism like group-based license management. The simple answer is that Microsoft 365 doesn’t support such a feature, but like many administrative operations, it’s relatively easy to automate with PowerShell.

Another article covers the basics of reporting and assigning OneDrive storage. OneDrive for Business accounts are personal SharePoint Online sites. Assigning a new storage quota to a user’s OneDrive account is done using the Set-SPOSite cmdlet from the SharePoint Online administration module. This is one of the Microsoft 365 modules that receives frequent updates, so make sure that you use the most recent version. It’s a good idea to check for updates monthly, either manually or using a PowerShell script to process the Microsoft 365 modules typically used by tenant administrators.

Creating a Script to Update OneDrive Storage Quotas

The steps required in the script to update OneDrive storage quotas based on group membership are:

  • Connect to SharePoint Online and the Microsoft Graph PowerShell SDK.
  • Read information about the target OneDrive storage allocations from some source. I used a CSV file with columns for the group name, group identifier, and storage allocation in megabytes. The names of the columns are group, groupid, and allocation.
  • Figure out the service domain for the tenant to calculate the root of OneDrive account URLs. This will be something like: https://office365itpros-my.sharepoint.com/personal/. Later, we combine a modified version of user principal names (replacing dot and @ characters with underscores) to form the URL for each account. An example is https://office365itpros-my.sharepoint.com/personal/James_Ryan_office365itpros_com.
  • For each group, get the group members. For each member, figure out the user’s OneDrive account URL and run the Get-SPOSite cmdlet to check its current storage quota. You can use any of the group types supported by Entra ID including dynamic Microsoft 365 groups. With some adjustments to the code, it would also be possible to use an Exchange Online dynamic distribution list.
  • If the assigned quota is less than the desired quota, run the Set-SPOSite cmdlet to increase the quota.
  • Create a report about what happened (Figure 1).

Figure 1: Reporting adjustments made to OneDrive storage quotas

The script includes nothing complicated in terms of code. You can download the script I wrote from GitHub. Remember that the script is not bulletproof in terms of error handling. Its intention is to prove the principle of what is possible. The script should run without a problem if you sign in with a tenant administrator account. I have not tested the code in an Azure Automation runbook (to run the script on a schedule), but I think that adapting the code for Azure Automation would not be difficult.
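The steps listed above, written out as an added example (this is not the author's GitHub script). The file name Update-OneDriveQuota.ps1, the CSV path, the report path and the report columns are assumptions; the CSV column names group, groupid and allocation are the ones described above. The script only ever raises a quota, so a user who belongs to several groups ends up with the largest allocation, and running it with -WhatIf reports the planned changes without making them.

```powershell
# Update-OneDriveQuota.ps1 - added example, not the author's script.
# Assumed names: $CsvPath, $ReportPath and the report columns.
[CmdletBinding(SupportsShouldProcess)]
param(
    # CSV columns: group, groupid, allocation (allocation is in megabytes)
    [string]$CsvPath    = 'C:\temp\OneDriveAllocations.csv',
    [string]$ReportPath = 'C:\temp\OneDriveQuotaReport.csv'
)

# Read-only Graph scopes: group membership, user properties, tenant domains.
Connect-MgGraph -Scopes 'GroupMember.Read.All', 'User.Read.All', 'Organization.Read.All'

# Work out the service domain from the tenant's initial onmicrosoft.com domain.
# Assumption: the SharePoint domain has not been renamed away from that name.
$InitialDomain = (Get-MgOrganization).VerifiedDomains |
    Where-Object { $_.IsInitial } |
    Select-Object -ExpandProperty Name
$ServiceDomain = $InitialDomain.Split('.')[0]
$OneDriveRoot  = "https://${ServiceDomain}-my.sharepoint.com/personal/"

Connect-SPOService -Url "https://${ServiceDomain}-admin.sharepoint.com"

$Report = [System.Collections.Generic.List[Object]]::new()

foreach ($Row in (Import-Csv -Path $CsvPath)) {
    [int64]$TargetMB = $Row.allocation
    [array]$Members  = Get-MgGroupMember -GroupId $Row.groupid -All

    foreach ($Member in $Members) {
        # Members that are not users (nested groups, devices) have no UPN.
        $Upn = $Member.AdditionalProperties.userPrincipalName
        if (-not $Upn) { continue }

        # Replace dot and @ characters in the UPN with underscores.
        $SiteUrl   = $OneDriveRoot + ($Upn -replace '[.@]', '_')
        $Site      = Get-SPOSite -Identity $SiteUrl -ErrorAction SilentlyContinue
        $CurrentMB = $null
        $Status    = 'Unchanged'

        if (-not $Site) {
            # Guests, unlicensed accounts, or users who never opened OneDrive.
            $Status = 'No OneDrive site found'
        }
        else {
            $CurrentMB = $Site.StorageQuota
            if ($CurrentMB -lt $TargetMB) {
                $Action = "Raise storage quota from $CurrentMB MB to $TargetMB MB"
                if ($PSCmdlet.ShouldProcess($SiteUrl, $Action)) {
                    try {
                        Set-SPOSite -Identity $SiteUrl -StorageQuota $TargetMB -ErrorAction Stop
                        $Status = 'Updated'
                    }
                    catch {
                        $Status = "Failed: $($_.Exception.Message)"
                    }
                }
                else {
                    $Status = 'Would update (WhatIf)'
                }
            }
        }

        $Report.Add([PSCustomObject][Ordered]@{
            Group     = $Row.group
            UPN       = $Upn
            SiteUrl   = $SiteUrl
            CurrentMB = $CurrentMB
            TargetMB  = $TargetMB
            Status    = $Status
        })
    }
}

# Keep a record of every decision, including the accounts left untouched.
$Report | Export-Csv -Path $ReportPath -NoTypeInformation -Force
$Report | Group-Object Status | Select-Object Name, Count
```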

Use Azure AD Administrative Units Instead of Groups

Azure AD administrative units are the current flavor of the month in Microsoft Purview with many solutions, including Data loss prevention (DLP) and Data lifecycle management (retention) supporting the use of administrative units to scope policies. If you have the necessary Azure AD Premium licenses, you could use administrative units as the basis for storage assignment.

This article explains how to use PowerShell to retrieve information from administrative units. Instead of fetching a set of user principal names for group members, you’d fetch the same information for the members of an administrative unit, like this:

[array]$GroupMemberUPN = (Get-MgBetaAdministrativeUnitMember -AdministrativeUnitId 150dccad-f8b8-4e54-9246-89834b8b5a25).AdditionalProperties.userPrincipalName

PowerShell Automation Scores Again

It would be nice if Microsoft included group-based OneDrive storage management in SharePoint Online. However, this functionality is probably not high on their priority list for new development. This is yet another example of how PowerShell fills in the cracks and gaps left in Microsoft 365 management and underscores why tenant administrators should have the ability to perform at least simple tasks with PowerShell.



Microsoft Introduces New Syntex-SharePoint Advanced Management License
https://office365itpros.com/2023/02/21/syntex-advanced-management-license/
Tue, 21 Feb 2023 01:00:00 +0000

Syntex-SharePoint Advanced Management Covers Secure Collaboration for SharePoint Online

Updated 2 March 2022

I know that many Microsoft 365 organizations don’t use sensitivity labels, even if they have the necessary licenses to use labels to protect content. All Office 365 licenses allow users to read protected content, but you need Office 365 E3 or above to apply labels to files, and Office 365 E5 or Microsoft 365 Compliance E5 for auto-label processing. At least, that’s been the case up to now.

Applying a default sensitivity label for a SharePoint Online document library (Figure 1) counts as automatic processing. Apparently, Microsoft considers the fact that new and modified documents in the library pick up the sensitivity label (unless previously labeled) as reason enough. In late January 2023, Microsoft revealed that this feature was one of the set to be licensed through a new Microsoft Syntex-SharePoint Advanced Management license.

Figure 1: Using a default sensitivity label with a document library requires a Syntex advanced management license

Features Enabled by the Microsoft Syntex-SharePoint Advanced Management License

The new license is in preview and includes other elements to improve secure collaboration based on SharePoint Online and OneDrive for Business, including:

  • Using sensitivity labels with Azure AD authentication contexts to limit access to SharePoint Online sites. This feature has been in preview since 2021.
  • Restricting access to a SharePoint Online site to members of a Microsoft 365 group. This restriction blocks users who have received access to a file in the site.
  • Blocking the download of files from SharePoint Online sites or OneDrive for Business accounts without the need to use Azure AD conditional access policies. In other words, users are forced to use a browser to access the site or account and cannot download, print, or synchronize files. The restriction also blocks access to the Office desktop apps because these apps need to download files to work on them locally.

In addition, Syntex-SharePoint Advanced Management includes some management and governance features. The three examples cited appear to be instances where it’s possible for administrators to do the same thing with some effort. Microsoft is making it easier. For example, the ability to limit access to OneDrive for Business to those who are members of a specific security group stops people licensed to use OneDrive but who aren’t members of the security group from using the app. The same effect is possible by simply removing the OneDrive service plan from their assigned licenses.

I haven’t seen what actions are included in the feature to export recent SharePoint site actions, but it might be possible to replicate the functionality by fetching SharePoint management events from the unified audit log.

My assumption is that any user who takes advantage of a feature licensed by Syntex advanced management requires a license. For instance, site members of a site where a document library uses a default sensitivity label all require Syntex-SharePoint Advanced Management licenses.

I can’t find a public announcement by Microsoft about the Syntex-SharePoint Advanced Management license. Cynics will say that this is another example of how Microsoft creates licenses for new functionality to generate additional revenue from its installed base. A more benign view is that the new license allows people with Office 365 E3 licenses to use the security and governance features enabled by Syntex Advanced Management. When I find out more details about licensing, including if some features covered by Syntex Advanced Management are also available through other licenses, I shall share the information.

Viewing Metadata for Protected Files

On an associated topic, I was asked why the metadata of documents protected by sensitivity labels remains visible to people who have no right to access these files. It’s a good question because some get confused when they notice an interesting document in a library but can’t open it because they’re blocked by the rights assigned in the label. For instance, who wouldn’t want to open a document with a title like “Proposed Pay Rises for Staff”?

When you enable SharePoint Online and OneDrive for Business to support sensitivity labels, it allows the workloads to deal with protected (encrypted) content. SharePoint Online stores protected files in an unencrypted format to allow functions like indexing and data loss prevention policies to work. Any access to a document, such as a user opening or downloading a file, causes SharePoint Online to encrypt the document so that the application used to open the file (like Word) can apply the rights assigned to the user. Everything works very nicely and those who have access to files can work with that content and those who don’t cannot.

When browsing items in a document library, site members can see metadata like the titles and authors of protected documents. Attempts to open these documents fail if the user doesn’t have the necessary rights. Because SharePoint Online doesn’t encrypt or obscure the metadata, those users know that documents with potentially very interesting content are available.

How SharePoint Online Stores Documents

The reason why document metadata is visible to all site members is rooted in how SharePoint Online stores documents. SharePoint Online uses Azure SQL as its storage platform. Blob storage holds documents and other files while metadata is in a separate table (list). The Azure SQL data is heavily protected against illegal access. Once a user has access to a document library, the assumption is that SharePoint can show them all the items, which is what they see in the list shown in a browser or the Teams files channel tab. It’s only when a user attempts to access a protected document that SharePoint Online validates their right to open that content.

You can argue that SharePoint Online and OneDrive for Business should hide the existence of protected documents that the user can’t open, but this would require SharePoint Online to check that access before displaying documents in a library. Such a check would incur a huge performance penalty because SharePoint Online cannot assume that the rights assigned in a sensitivity label are the same as the last time it checked.

New Functionality, New Costs

Although the news about the Syntex-SharePoint Advanced Management license will disappoint some, it’s reasonable that Microsoft should charge extra for security and management features that not every Microsoft 365 tenant will want or need. Those that need the functionality will simply have to pay the $3/user monthly cost. Hasn’t that always been the way?



Whiteboard Nears End of Transition to OneDrive
https://office365itpros.com/2022/03/10/whiteboard-transition-ending/
Thu, 10 Mar 2022 01:00:00 +0000

Updated Clients and Sharing with External Users in Meetings Coming

As you probably know, as part of a major revamp for the application, Whiteboard is moving its storage for its boards from Azure to OneDrive for Business. According to Microsoft 365 roadmap item 66767, general availability happened in December 2021. This refers to tenants who decided to opt in early, or to tenants who decide to switch through the Whiteboard settings in the Microsoft 365 admin center.

OneDrive became the default for storage of new boards in January 2022. According to Message center notification MC275235, the updates for Whiteboard clients that can’t yet support OneDrive should be available by the end of March. Once the updated clients are deployed, the transition should complete.

Sharing Whiteboard with External Users

Further good news comes in Microsoft 365 roadmap item 66759, which says that external participants in Teams meetings will be able to share boards. A dependency exists on OneDrive for Business as the new feature only works when the board being shared is in OneDrive. If not, Teams displays the polite but extremely frustrating error message shown in Figure 1. People just love being locked out of collaboration, so it’s good that Microsoft is fixing this problem.

Figure 1: Teams can’t share a whiteboard in a meeting with external users

The Sad State of Whiteboard PowerShell

You might not know that Whiteboard supports PowerShell. Well, it does, but only just. A bare-bones module (WhiteboardAdmin) is available in the PowerShell gallery, but it doesn’t contain many cmdlets.

Get-Command -Module WhiteboardAdmin

CommandType     Name                                               Version    Source
-----------     ----                                               -------    ------
Function        Get-Whiteboard                                     1.5.0      WhiteboardAdmin
Function        Get-WhiteboardOwners                               1.5.0      WhiteboardAdmin
Function        Get-WhiteboardSettings                             1.5.0      WhiteboardAdmin
Function        Get-WhiteboardsForTenant                           1.5.0      WhiteboardAdmin
Function        Invoke-TransferAllWhiteboards                      1.5.0      WhiteboardAdmin
Function        Remove-Whiteboard                                  1.5.0      WhiteboardAdmin
Function        Set-WhiteboardOwner                                1.5.0      WhiteboardAdmin
Function        Set-WhiteboardSettings                             1.5.0      WhiteboardAdmin

Not many people have downloaded the module either, possibly because they don’t know of its existence. I’ve used the Invoke-TransferAllWhiteboards cmdlet in the past to transfer ownership of boards from one user account to another (a task sometimes necessary if someone leaves the organization), but I have not played with the other cmdlets.

Reporting Whiteboards with PowerShell

That is, until I noticed a tweet about a new script available in the PnP Script Samples gallery to create a report about all the boards and their owners in a tenant. The script uses the old Microsoft Online Services (MSOL) module to retrieve user information. Microsoft plans to deprecate the MSOL module at the end of 2022, so it’s a good example of a script that needs to be updated to use either Microsoft Graph queries or cmdlets from the Microsoft Graph PowerShell SDK.

Upgrading the script didn’t take much time because the only calls are to load the module and retrieve details of user accounts. My version of the code is shown below. Apart from using the Microsoft Graph PowerShell SDK, the only changes I made replaced output arrays with PowerShell lists to improve performance.

ReportWhiteBoardInfo.PS1
# Import the WhiteboardAdmin module
Import-Module WhiteboardAdmin
# Connect to the Microsoft Graph ($TenantId must be set to your tenant identifier before running)
Connect-MgGraph -TenantId $TenantId -Scopes "Directory.Read.All", "User.Read.All"

try {
	$dateTime = (Get-Date).toString("dd-MM-yyyy")
	$fileName = "WhiteboardReport-" + $dateTime + ".csv"
	$outputView = "c:\temp\" + $fileName
	
	# The geographies to look for board owners in. Accepted values are: Europe, Australia, or Worldwide (all boards not in Australia or Europe).
	$supportedGeographies = @("Europe", "Australia", "Worldwide")
	
	# Array to hold Whiteboard owners
	$WhiteboardOwners = [System.Collections.Generic.List[Object]]::new(); $i=0

	foreach ($geography in $supportedGeographies) {
		Write-Host "Getting Whiteboard owners for geography: $($geography)..."
		$GeographyOwners = Get-WhiteboardOwners -Geography $Geography		
		
		foreach ($UserId in $GeographyOwners.items) {	
              $User = Get-MgUser -UserId $UserId
              $i++
              $ReportLine  = [PSCustomObject][Ordered]@{
                DisplayName     = $User.DisplayName
                UPN             = $User.UserPrincipalName 
                Geography       = $Geography
                UserId          = $UserId
               }
            $WhiteboardOwners.Add($ReportLine) 

		} # End ForEach Owner
		
		Write-Host "Total whiteboard owners found so far $($i)"
	} # EndForEach Geography
	
	# Array to hold Whiteboard details
	$Whiteboards = [System.Collections.Generic.List[Object]]::new()
	
	# Get whiteboards from the Microsoft Whiteboard service by owners
	foreach ($Owner in $WhiteboardOwners) {
		Write-Host "Getting Whiteboards for owner: $($Owner.UPN) ..."
		$whiteboardInfo = Get-Whiteboard -UserId $Owner.UserID
		
		foreach ($whiteboardInstance in $whiteboardInfo) {   
              $ReportLine  = [PSCustomObject][Ordered]@{
                User            = $Owner.DisplayName
                UPN             = $Owner.UPN
                WhiteboardId    = $whiteboardInstance.Id
                Title           = $whiteboardInstance.Title
                IsShared        = $whiteboardInstance.IsShared
                Created         = Get-Date($whiteboardInstance.CreatedTime) -format g
                Modified        = Get-Date($whiteboardInstance.LastModifiedTime) -format g
                Geography       = $Owner.Geography
                UserId          = $Owner.UserId
               }
           $Whiteboards.Add($ReportLine)             
       } #End Foreach Whiteboards
    	
	    # Count the boards returned for this owner (not the running total in $Whiteboards)
	    Write-Host "Found $(@($whiteboardInfo).Count) Whiteboards owned by: $($Owner.UPN)"
	} # End Foreach Whiteboard owners
	
	Write-Host "Found $($whiteboards.Count) Whiteboards in the tenant."

	# Export the results to a CSV file and Out-GridView
	$Whiteboards | Export-CSV -Path $outputView -Force -NoTypeInformation
	$Whiteboards | Out-GridView
	Write-Host "Finished"
}
catch {
    Write-Host -f Red "Error:" $_.Exception.Message
}

You can download the script from GitHub. I’ll update the code there when I see a fix for the problem I’m just about to describe.

No Trace of Boards Stored in OneDrive

All worked well and the script generated a report (Figure 2 shows some of the report data viewed through the Out-GridView cmdlet).

Figure 2: Reporting whiteboards and their owners

The problem is that the report doesn’t include any whiteboard stored in OneDrive for Business. Microsoft released Version 1.5 of the WhiteboardAdmin module a month ago, but it’s obvious that the cmdlets only work against the Azure storage and ignore the transition to OneDrive.

Microsoft’s documentation doesn’t cover migration of old boards from Azure to OneDrive. However, Microsoft 365 roadmap item 66763 covers migration of previously created boards with general availability in April 2022. The text says: “Tenants in locations that are currently storing new whiteboards in European datacenters will have previously created whiteboards migrated to European datacenters.”

This masterpiece of obfuscation implies that Microsoft plans to migrate old boards currently stored in U.S. datacenters to European datacenters, where hopefully the data will end up in OneDrive for Business. Perhaps this is a pointer to a more widespread migration. Let’s hope that this happens, and that Microsoft upgrades the WhiteboardAdmin module to deal with OneDrive.


Learn more about how the Office 365 applications really work on an ongoing basis by subscribing to the Office 365 for IT Pros eBook. Our monthly updates keep subscribers informed about what’s important across the Office 365 ecosystem.

How Default Sensitivity Labels Work with SharePoint Online Document Libraries
https://office365itpros.com/2022/01/28/default-sensitivity-label-doclib/
Fri, 28 Jan 2022 01:00:00 +0000

Feature Became Generally Available in July 2022

According to a LinkedIn post by Microsoft Principal Program Manager Sanjoyan Mustafi, administrators will soon be able to assign default sensitivity labels to document libraries in SharePoint Online and OneDrive for Business. The capability is in private preview at present, but Microsoft 365 tenants can sign up to join the preview here.

Update: According to message center notification MC391948 (June 13), the public preview of setting a default sensitivity label for a document library will roll out in late June. This is Microsoft 365 roadmap item 85621.

Update 2: On July 29, Microsoft announced that the roll-out for the public preview code had begun and that all tenants would receive the update within 90 days. The documentation is also available.

Today, you can require that users add a sensitivity label to documents and define a default label to use. This is done through settings of the sensitivity label publishing policy which makes labels available to users. Requiring documents to be labelled works, but you don’t know what labels users will choose. Sometimes, it might be necessary to ensure that every document in a library receives the same sensitivity label to reflect the level of confidentiality of the library, and that’s where the new capability comes in.

The Backend to Apply Sensitivity Labels

The preview includes the back-end code to define a default label and apply it to new Office documents uploaded or copied to or saved in a library. An asynchronous thread examines new items to check if they already have a sensitivity label. The stamping of the default sensitivity label on new items by the thread can take a few minutes.

If a new item already has a user-applied sensitivity label, the thread ignores the document based on the principle that explicit assignment by users always takes precedence over automatic assignment. If the item has a label of a lower priority (sensitivity labels have a priority order from 0 to n, with 0 being the lowest) received through automatic assignment (usually because a label publishing policy mandates the application of a default label), the thread replaces the label and applies the default label defined for the library.

For now, labeling only happens for new Office documents (support for PDFs will come later). Existing documents remain untouched, and you must apply labels manually if you want all documents to have the same label. However, in the future, Microsoft plans to update the code so that SharePoint will apply labels whenever a user opens an unlabeled document in a library with a default label.

Note that a user can remove the default label assigned for the library or replace it with a label of higher or lower sensitivity. In these cases, the user-assigned label remains, again following the principle of user precedence.

Update: Figure 1 shows the UX to configure a default sensitivity label for a document library. To access this screen, go to Library settings.

Figure 1: Configuring a default sensitivity label for a document library

Configuring for Default Sensitivity Labels

Prior to Microsoft delivering the UX to configure a default sensitivity label for a document library, you had to update the configuration of the target document library using the SharePoint API. You can do this with Postman (the tool favored by Sanjoyan), but I prefer PowerShell, which is what I used. Sanjoyan explains the procedure in his post, but briefly, it is:

  • Get a bearer token to authenticate with SharePoint Online. You can copy the token if you’re logged into SharePoint Online by using the developer tools (F12).
  • Create a header structure to hold details of the transaction, including the bearer token.
  • Create a body structure to define the GUID of the sensitivity label you want to add as the default for the library. Use Connect-IPPSSession to connect to the Compliance center endpoint and run Get-Label to find the list of labels. The GUID for each label is in the ImmutableId property:
      Get-Label | Format-List DisplayName, ImmutableId
  • POST to the URL for the document library using the header and body defined earlier.

The commands I used to update a document library were:

# Paste the bearer token copied from the browser session here (placeholder; the original token is not reproduced)
$AccessToken = '<bearer token>'

# Headers for a MERGE update of the list, including the bearer token
$Headers = New-Object "System.Collections.Generic.Dictionary[[String],[String]]"
$Headers.Add("Accept", "application/json;odata=verbose")
$Headers.Add("Content-Type", "application/json;odata=verbose")
$Headers.Add("X-HTTP-Method", "MERGE")
$Headers.Add("If-Match", "*")
$Headers.Add("Authorization", "Bearer $AccessToken")

# Body naming the GUID (ImmutableId) of the sensitivity label to set as the library default
$Body = @"
{
  "__metadata": {
    "type": "SP.List"
  },
  "DefaultSensitivityLabelForLibrary": "27451a5b-5823-4853-bcd4-2204d03ab477"
}
"@

# POST the update to the target document library
$Uri = 'https://office365itpros.sharepoint.com/sites/Office365Adoption/_api/web/lists/GetByTitle(''Documents'')'
$Update = Invoke-RestMethod -Method 'Post' -Headers $Headers -Body $Body -Uri $Uri

Formatting of these commands must be precise, and the bearer token must be valid or the update will fail (I know, because I made many mistakes before doing it just right). The easiest way to make sure is to open the site you want to update in a private browser window to force a recent authentication and then copy the token (use F12 in Edge and access Local storage, then copy the value of the key for the identity for SharePoint Online as shown in Figure 2).

Figure 2: Copying a bearer token for SharePoint Online

After configuring a default sensitivity label, it’s a good idea to change the default view for the library to include the sensitivity label to remind users that documents now have labels.

Steady Progress

Sensitivity Labels and SharePoint Online had a rocky start. There was a time when the content of protected Office documents was inaccessible to search and eDiscovery. That’s in the past (if you enable support) and Microsoft is busy filling out all the details that make software more useful. Adding a default sensitivity label to document libraries is a nice step forward but remember that using this capability will require Office 365 E5 or above, just like all the other auto-label application features in Microsoft 365.


So much change, all the time. It’s a challenge to stay abreast of all the updates Microsoft makes across Office 365. Subscribe to the Office 365 for IT Pros eBook to receive monthly insights into what happens, why it happens, and what new features and capabilities mean for your tenant.

Increase in OneDrive Storage Usage by Microsoft Teams Apps Complicates Tenant Administration
https://office365itpros.com/2022/01/06/onedrive-teams-app-storage/
Thu, 06 Jan 2022 01:00:00 +0000

Whiteboard Latest Consumer of OneDrive for Business

As first described in message center notification MC282992 (September 3, updated December 7), many whiteboard clients can now store and access files in OneDrive for Business instead of the original Azure data store. Given the popularity of whiteboard sharing in Teams meetings and the support of the new whiteboard storage in Teams, it’s likely that many files are now in OneDrive for Business (Figure 1), even if their owners don’t realize that the transition has happened.

Figure 1: Whiteboards stored in OneDrive for Business

Whiteboard isn’t the only Teams application which stores its files in OneDrive for Business. Others include:

This trend isn’t surprising. By design, Teams uses other Microsoft 365 components rather than creating its own, and responsibility for OneDrive for Business and SharePoint Online rolls up under the same Microsoft executive (Jeff Teper). It’s natural for Teams-enabled applications to look to OneDrive as a target for file storage, especially as Microsoft makes liberal storage quotas available (here’s a script to report the storage used by OneDrive for Business accounts).

Administrative Challenge

Storing data in OneDrive for Business makes eminent sense. The challenge for administrators occurs when the time comes to delete a user account. By default, Microsoft 365 keeps the OneDrive for Business account for a deleted account for 30 days. You can increase this period to up to ten years (3650 days) by updating the retention setting in the SharePoint Online admin center (Figure 2).

Figure 2: OneDrive for Business Deleted Account Retention Setting

During the retention period, anyone granted access to the OneDrive account can retrieve files. Once the retention period expires, Microsoft 365 removes the account permanently and the files become irretrievable. The exception is when the account or any of the files come under the control of a retention policy or label, in which case they remain in place until all retention controls expire.

The administrative challenge is to decide how to handle the OneDrive content for deleted accounts. One approach is to use the mechanism available to assign access to a deleted user’s OneDrive for Business account to another user (Figure 3). In essence, this makes the designated user the administrator of the OneDrive for Business account and allows them full control over anything stored in the account.

Figure 3: Assigning a user to review the OneDrive for Business account for a deleted user

The intention is to give the designated user some time to review the information held in the deleted user’s account so that they can retrieve anything valuable from the account and store it somewhere else, like their own OneDrive for Business account or an appropriate SharePoint Online site. The mechanism works, but the obvious flaw is that once you move files out of their original location, you break the connection between Teams and objects. It’s possible to preserve sharing links when moving files from a OneDrive for Business account, but the link in chats will point to the wrong place and make attachments and loop components in Teams chats unusable, meeting recordings and whiteboards unavailable, and any “cloudy attachments” shared in email inaccessible. In short, users won’t be happy campers because they can’t get at information and help desks will be frustrated because they can’t do much about the underlying problem.

Retention a Better Answer

Instead of asking someone to go through the OneDrive for Business account of deleted users (a dispiriting job), a better approach is to use Microsoft 365 retention policies to retain information in OneDrive for Business accounts for an extended period. Unlike SharePoint Online, where storage quotas are more restrictive and expensive than OneDrive for Business, the effect of long-term retention isn’t a concern. With retention in place, after deleting user accounts, their documents and other files remain in place until the retention period expires. Assuming that the retention period is several years (after creation), this should be sufficient for people to recover copies of information or finish up working with objects like whiteboard or Loop components. At the same time, if someone needs to access the OneDrive account to remove or move files, they can, assuming everyone understands the consequences which ensue.

Of course, retention policies are only available if your organization has Office 365 E3 or better licenses. Organizations with licenses which don’t include retention policies are limited to harvesting information from deleted accounts before they disappear. However, there’s nothing to stop organizations using poor man’s retention by setting the retention period for OneDrive for Business to the maximum 3650 days. After all, ten years after the deletion of an account, who’s going to want to access a document, whiteboard, or loop component from such an antiquated repository?


Learn more about how Office 365 really works on an ongoing basis by subscribing to the Office 365 for IT Pros eBook. Our monthly updates keep subscribers informed about what’s important across the Office 365 ecosystem.

Sharing Links for Video and Audio Files Block Downloads by Default
https://office365itpros.com/2021/12/10/sharing-links-video-audio-files-block-downloads/
Fri, 10 Dec 2021 01:00:00 +0000

Now Available in SharePoint Online and OneDrive for Business

Message Center Notification MC302489 (December 8) brings news of yet another tweak made by Microsoft to the dialog used to create new Sharing Links. The update means that the settings for sharing links for “most video and audio” files now block download by default (Figure 1).

Figure 1: A sharing link for a video file

Previous tweaks to the dialog include making it easier to update sharing link settings and highlighting the edit setting. Because many workloads use the sharing link dialog, the benefits of the changes ripple across Microsoft 365.

Understandable Change in Line with Previous Updates

The change is understandable. Sharing a video or audio file is often just an invitation to consume final content (using the recently-upgraded web viewer) and you don’t want people to be able to download the files. By comparison, sharing a document, spreadsheet, or presentation is often for review and editing purposes, and the recipient might need to download a local copy to edit the file offline.

Interestingly, Microsoft 365 roadmap item 82193 makes explicit reference to Microsoft Stream, probably reflecting the ongoing motion to move Stream away from its old Azure-based platform to storing videos in OneDrive for Business and SharePoint Online. This transition has already happened for Teams meeting recordings, and the migration for other Stream content is in preview. Teams meeting recordings restrict download access to the recording owner, so setting sharing links to no download by default is in line with that philosophy.

Not All Video or Audio Files

Noting the caveat that the change applies to most video and audio files, I checked the content of my OneDrive for Business account and discovered that OneDrive blocks downloads in sharing links created for Teams meeting recordings. The same doesn’t happen for other MP4 files that I uploaded to OneDrive where the download control is missing when creating sharing links (Figure 2).

Figure 2: No way to block downloads in sharing links for these MP4 files

The BlockDownloadLinksFileType setting for my tenant (managed through PowerShell with the Set-SPOTenant cmdlet) is WebPreviewableFiles, which means that download blocks are available for all supported files. Given that audio and video files are now in the supported category, something else is going on.

OneDrive recognizes both sets of files as MP4s, so the difference in behavior might be because the uploaded files didn’t have the same PROGID tags as the Teams recordings (these tags make it possible to apply an auto-label retention policy to Teams meeting recordings). Alternatively, it could be because some background job hasn’t yet processed the other MP4 files. Requiring extended periods to process files is not unknown in SharePoint Online and OneDrive for Business. In any case, I’ll keep an eye out to see if things change.


Make sure that you’re not surprised about changes which appear inside Office 365 applications by subscribing to the Office 365 for IT Pros eBook. Our monthly updates make sure that our subscribers stay informed.

How OneDrive’s New Sharing Link Dialog Makes It Easier to Configure Settings
https://office365itpros.com/2021/12/02/new-sharing-link-dialog-easier-configure-settings/
Thu, 02 Dec 2021 01:00:00 +0000

Change Copy Link Settings Before Sending

Announced in MC298387 (November 16, Microsoft 365 roadmap item 83728) and now rolling out to Office 365 tenants worldwide, an update to the OneDrive for Business sharing link dialog makes it easier for users to change the sharing link settings before copying the link to share with others. Roll out should complete between mid-December (targeted release tenants) and mid-January (standard release tenants).

Common Sharing Link

The sharing link dialog is used by both SharePoint Online and OneDrive for Business. The old version (recently refreshed to display the set of people with existing access to a file) has a Copy link button (Figure 1), which generates the link with its current settings in a form that the user can copy (and then insert into email, a Teams chat, Yammer message, or web page as appropriate).

Figure 1: The old design for the Sharing Link dialog

Everything works in the old dialog, but you’ve got to configure the link with the correct access and recipient settings before you generate the link. For instance, you might want to amend the link to allow sharees to edit a file or force users to access the content online by blocking downloads. The new approach removes the Copy link button and replaces it with a complete section where the user can configure the link settings before generating the link (Figure 2).

Figure 2: The new design for the Sharing Link dialog

Once the link is configured, the (smaller) copy button works as before.

Better for Sending Sharing Links by Email Too

The new arrangement also makes the use of the email (Outlook) option clearer. In the old dialog, the Outlook and Copy link buttons are arranged in a line under the Send button. In a weird kind of way, you could imagine that the Send button would work for both options. Now there’s only an Outlook icon in a straight line with the Send button to make the connection between the two clear and obvious.

Paying attention to how the sharing link dialog functions might seem like small beer when compared to the other changes happening within the Microsoft 365 ecosystem (like the introduction of Loop components for Teams chat). That perspective is accurate because this is a small change. However, it can equally be argued that making sure that everything works as smoothly as possible is important, and when it comes to the mechanism used to share documents with people inside and outside the organization, it’s critical that the right settings are in place. For that reason, this is a good and useful change.


How to Analyze Audit Records for SharePoint Online Sharing Events
https://office365itpros.com/2021/11/17/track-audit-events-sharepoint-sharing/
Wed, 17 Nov 2021 01:00:00 +0000

Knowing When Sharing Happens

A natural question flowing from the discussion about implementing the SharePoint Online expiring access policy for external users is how administrators know if people use the feature. Equally naturally, the first place to look is the Office 365 or “unified” audit log to see if SharePoint Online generates any helpful events when users extend sharing links.

Unhappily, although SharePoint Online captures a UserExpirationChanged audit event when someone extends a sharing link close to its expiration, the information stored in the event is not enough to easily identify the content the sharing link grants access to. If you look at the sample audit event shown below, the SiteUrl property tells us that this event relates to sharing some OneDrive for Business content. Apart from that, we can see:

  • The user principal name of the user who extends the validity of the sharing link (Jane.Sixsmith@office365itpros.com).
  • The user principal name of the target user being granted access (Jsmith_yandex.com#ext#@office365itpros.onmicrosoft.com). The form tells us that this is a guest account (JSmith@yandex.com).

It would be nice if the name of the actual folder or document being shared was captured, but that’s not the case.

RecordType   : SharePointSharingOperation
CreationDate : 15/11/2021 13:17:04
UserIds      : Jane.Sixsmith@office365itpros.com
Operations   : UserExpirationChanged
AuditData    : {
                 "AppAccessContext": {
                   "AADSessionId": "bfe559aa-a811-488b-828d-a1fa90062133",
                   "CorrelationId": "b45e03a0-50df-3000-73a8-a6b7cbd31cc0"},
                 "CreationTime": "2021-11-15T13:17:04",
                 "Id": "5ee7b4d0-97ca-476d-c7ef-08d9a83a37aa",
                 "Operation": "UserExpirationChanged",
                 "OrganizationId": "a562313f-14fc-43a2-9a7a-d2e27f4f3478",
                 "RecordType": "SharePointSharingOperation",
                 "UserKey": "i:0h.f|membership|1003bffd805c87b0@live.com",
                 "UserType": "Regular",
                 "Version": 1,
                 "Workload": "OneDrive",
                 "ClientIP": "51.171.212.129",
                 "ObjectId": "https://office365itpros-my.sharepoint.com/personal/jane_sixsmith_office365itpros_com",
                 "UserId": "jane.sixsmith@office365itpros.com",
                 "CorrelationId": "b45e03a0-50df-3000-73a8-a6b7cbd31cc0",
                 "EventSource": "SharePoint",
                 "ItemType": "Web",
                 "Site": "cc191cff-670a-4740-8458-e6067537c747",
                 "UserAgent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.44",
                 "WebId": "551065f1-04a6-4979-8b19-2c8a0c16319f",
                 "TargetUserOrGroupType": "Guest",
                 "SiteUrl": "https://office365itpros-my.sharepoint.com/personal/jane_sixsmith_office365itpros_com",
                 "TargetUserOrGroupName": Jsmith_yandex.com#ext#@office365itpros.onmicrosoft.com

Investigating SharePoint Sharing Events

To see if it was possible to find some other information that would allow me to link the UserExpirationChanged events back to other sharing events, I wrote a script to extract the events from the audit log and parse their content. The results are not what I hoped. You can track the progress of sharing an item through:

  • SharingSet: A user shares an item.
  • SecureLinkCreated: A sharing link is created for the item. This is what is sent to the recipient.
  • UserExpirationChanged: The expiration date for the sharing link is adjusted in line with policy.
  • SecureLinkUsed: The recipient uses the sharing link to access the shared content.

The audit records for the first three events often have the same date and time because they occur close together (within milliseconds). For this reason, they can appear in a different order when viewing the report (Figure 1).

Figure 1: Analyzing SharePoint Online sharing events

In due course, if the sharing link validity is extended further, SharePoint logs another UserExpirationChanged event. The cycle continues until the sharing link expires.

Download the Script

The script isn’t all that interesting. It finds the relevant audit events, extracts information, and reports its findings (you can download the script from GitHub). Unless you focus on UserExpirationChanged events which happen outside the initial creation of sharing links, I don’t think it helps much in terms of understanding the extent of sharing link extensions. However, someone who is smarter than I might be able to tweak the script to derive better results.
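One way to focus on the UserExpirationChanged events that happen outside the initial creation of a sharing link, shown as an added example rather than the script on GitHub. The function names, the 60-second window, and the sample records are assumptions constructed for illustration; only properties visible in the sample event above are used.

```powershell
function ConvertFrom-GuestUpn {
    # Turn a guest UPN such as alias_domain.com#ext#@tenant.onmicrosoft.com into alias@domain.com
    param([string] $Upn)
    if ($Upn -notmatch '^(?<alias>.+)#ext#@') { return $Upn }   # not a guest UPN, return unchanged
    $Alias = $Matches['alias']
    $Index = $Alias.LastIndexOf('_')                            # the last underscore stands in for the @
    if ($Index -lt 0) { return $Upn }
    return $Alias.Substring(0, $Index) + '@' + $Alias.Substring($Index + 1)
}

function Get-SharingLinkExtension {
    # Return UserExpirationChanged events with no SharingSet or SecureLinkCreated event by the
    # same user for the same site within $WindowSeconds (an assumed threshold, not a documented one).
    param(
        [Parameter(Mandatory)] [object[]] $Records,
        [int] $WindowSeconds = 60
    )
    $Parsed = foreach ($Record in $Records) {
        $Data = $Record.AuditData | ConvertFrom-Json
        [PSCustomObject]@{
            Time      = [datetime] $Data.CreationTime
            Operation = $Data.Operation
            UserId    = $Data.UserId
            SiteUrl   = $Data.SiteUrl
            Target    = $Data.TargetUserOrGroupName
        }
    }
    $Creations = @($Parsed | Where-Object { $_.Operation -in 'SharingSet', 'SecureLinkCreated' })
    foreach ($Change in ($Parsed | Where-Object { $_.Operation -eq 'UserExpirationChanged' })) {
        # Creation events close in time mean the expiration was stamped when the link was made
        $Nearby = $Creations | Where-Object {
            $_.UserId -eq $Change.UserId -and $_.SiteUrl -eq $Change.SiteUrl -and
            [math]::Abs(($_.Time - $Change.Time).TotalSeconds) -le $WindowSeconds
        }
        if (-not $Nearby) {
            [PSCustomObject]@{
                Extended   = $Change.Time
                ExtendedBy = $Change.UserId
                Guest      = ConvertFrom-GuestUpn -Upn $Change.Target
                SiteUrl    = $Change.SiteUrl
            }
        }
    }
}

function New-SampleRecord {
    # Build a constructed record shaped like audit log search output (AuditData is a JSON string)
    param([string] $Time, [string] $Operation)
    $Data = [ordered]@{
        CreationTime          = $Time
        Operation             = $Operation
        UserId                = 'jane.sixsmith@office365itpros.com'
        SiteUrl               = 'https://office365itpros-my.sharepoint.com/personal/jane_sixsmith_office365itpros_com'
        TargetUserOrGroupName = 'Jsmith_yandex.com#ext#@office365itpros.onmicrosoft.com'
    }
    [PSCustomObject]@{ AuditData = ($Data | ConvertTo-Json -Compress) }
}

# Constructed timeline: a share, its link, and the policy stamp in the same second,
# one use of the link, then a later change that is a real extension
$SampleRecords = @(
    New-SampleRecord '2021-07-25T09:30:11' 'SharingSet'
    New-SampleRecord '2021-07-25T09:30:11' 'SecureLinkCreated'
    New-SampleRecord '2021-07-25T09:30:11' 'UserExpirationChanged'
    New-SampleRecord '2021-07-26T08:02:45' 'SecureLinkUsed'
    New-SampleRecord '2021-11-15T13:17:04' 'UserExpirationChanged'
)

Get-SharingLinkExtension -Records $SampleRecords | Format-List
```

The same function accepts records returned by Search-UnifiedAuditLog for these operations, because it reads only the AuditData property of each record.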


How to Use the SharePoint Expiring Access Policy for External Users
https://office365itpros.com/2021/11/16/sharepoint-expiring-access-policy/
Tue, 16 Nov 2021 01:00:00 +0000

SharePoint Expiring Access Policy Controls Sharing Links Issued to Guests

In the summer, Microsoft introduced an expiring access policy for external users in SharePoint Online sites and OneDrive for Business accounts. In a nutshell, a tenant can set a policy to control the number of days a sharing link lasts after a user shares some content with an Azure AD guest account (created automatically when sharing with an external user). The expiring access policy doesn’t apply to guest accounts who access content through their membership of Microsoft 365 groups (teams). Their ability to work with content in SharePoint Online is controlled by the guest’s membership instead of a sharing link.

By default, the expiring access policy is not set. A tenant or SharePoint administrator must enable it and define the sharing period in the Sharing section of the SharePoint Online admin center (Figure 1). The period can be from 30 to 730 days.

Figure 1: Configuring an external access expiration policy in the SharePoint Online admin center

Once set, the policy applies to new sharing links. It also applies retrospectively to old links. The policy defined in the SharePoint Online admin center applies to all SharePoint sites and OneDrive for Business accounts. You can override the expiration period on a per-site basis.

Unlike other expiration policies used in Microsoft 365, like the Teams meeting recording auto-expiration policy or even retention policies and labels, content remains unaffected when an expiration period lapses. The only effect is on the sharing link which becomes invalid and unusable for access.

What Happens When Sharing Links Expire

As sharing links approach expiration, users receive warnings through two means. First, a banner appears in OneDrive for Business (Figure 2). The text could be better as it’s a sharing link which expires rather than a user. The Azure AD guest account will remain and can be used for other purposes, such as other sharing links or as a member of a group or team. The logic here might be that people manage sharing access on a user-by-user basis, so it’s appropriate to refer to users expiring.

Figure 2: OneDrive for Business flags that some sharing links are expiring

The second method is email. SharePoint sends a note to people to advise them when sharing links are within ten days of expiration (Figure 3). In both cases, the Manage (or Manage access) link allows the user to update the soon-to-expire sharing links.

Figure 3: SharePoint sends email to notify about approaching expirations

Clicking the link brings up the Access Expiration fly-out pane (Figure 4), which lists all sharing links created by the user subject to the expiring access policy. As you can see, some of the links are quite a long way off because the tenant has a 120-day expiration policy.

Figure 4: Managing the expiration of sharing links

To extend the validity of a sharing link, select a user and click Yes, extend (Figure 5). SharePoint Online will then extend the sharing link by the maximum period allowed, in this case 120 days from the current date. You can also remove a sharing link if it’s no longer needed.

Figure 5: Extending access for a sharing link

Good Practice to Implement Expiring Access Policy

It’s good practice and makes good sense for Microsoft 365 tenants to implement an expiring access policy. Many expiring sharing links will need no intervention by content owners when they expire. Other links will need an extension, which is a quick and low friction action. Overall, there’s nothing much to dislike about implementing an expiring access policy where links expire after a reasonable period, like 90 to 120 days. Organizations which store more sensitive content in SharePoint could reduce the expiration period and couple expiration with the targeted access to content available through sensitivity labels.


How to Create a DLP Policy to Stop External Sharing of Teams Meeting Recordings
https://office365itpros.com/2021/11/15/create-dlp-policy-stop-external-sharing-teams-meeting-recordings/
Mon, 15 Nov 2021 01:00:00 +0000

Joins the Controls for Teams Meeting Recordings

Now that Microsoft has moved the storage for Teams meeting recordings (TMRs) from Stream (classic) to OneDrive for Business and SharePoint Online (ODSP), attention is focused on how to manage these files. Microsoft plans to introduce an auto-expiration policy for TMRs in January 2022 to allow organizations to dictate how long these files exist in ODSP. The auto-expiration policy will work for any Microsoft 365 tenant which has licenses for Teams.

If you have Office 365 E3, users can apply retention labels to TMRs to gain more control over their retention, and if you have Office 365 E5 or Microsoft 365 E5 licenses, you can deploy an auto-label retention policy to find and label TMRs (and track the success of the policy in finding and labeling TMRs). In short, over time, organizations are gaining ways to exert compliance control over TMRs.

Blocking Sharing with Data Loss Prevention

Data Loss Prevention (DLP) for SharePoint Online and OneDrive for Business is included in the Office 365 E3 SKU. The value of DLP is that you can use a policy to protect against inadvertent data leakage caused when someone shares a TMR outside the organization. Imagine what would happen if a competitor got hold of a recording of a discussion, complete with slides, about the development of a new product!

Using much the same approach as taken to identify TMRs for the auto-labeling retention policy, we can build a DLP policy for TMRs which looks for recording files and stamps them with metadata to stop sharing happening. The DLP policy to block external sharing for TMRs is very simple. It is a custom DLP policy (i.e., not created using a template) consisting of:

  • A name and description.
  • Target locations. For maximum coverage, choose all SharePoint Online sites and OneDrive for Business accounts. This will stop any sharing of TMRs created for personal meetings (OneDrive) and channel meetings (SharePoint).
  • A single rule. The rule looks for any file with the property value ProgId:Media.Meeting that is shared with someone outside the organization. The rule action blocks sharing with people outside the organization. Figure 1 shows what the rule conditions look like. Optionally, the rule can allow users to override the block by providing a justification to explain why they need to share a recording with an external person.

Figure 1: DLP rule to prevent external sharing of Teams meeting recordings

Other rule settings which you might consider include creating a custom policy tip to explain why users can’t share TMRs externally or generating an incident report to alert administrators or other people when a rule violation occurs.
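The policy described above can also be created with Security & Compliance PowerShell. This is an added example, not code from the original article; the policy name, rule name, and policy tip text are placeholders chosen for illustration.

```powershell
# Added example (not from the original article): build the DLP policy for
# Teams meeting recordings (TMRs) with Security & Compliance PowerShell.
# Requires the ExchangeOnlineManagement module and a compliance admin role.
Connect-IPPSSession

# Placeholder names and text (assumptions, change to suit your tenant).
$PolicyName = "Block External Sharing of Teams Meeting Recordings"
$RuleName   = "Block external sharing for TMRs"
$TipText    = "Teams meeting recordings can't be shared with people outside the organization."

# Custom policy covering all SharePoint Online sites and OneDrive accounts.
# Use -Mode TestWithNotifications first if you want to observe matches
# before the block is enforced.
if (-not (Get-DlpCompliancePolicy -Identity $PolicyName -ErrorAction SilentlyContinue)) {
    New-DlpCompliancePolicy -Name $PolicyName `
        -Comment "Stops external sharing of Teams meeting recordings" `
        -SharePointLocation All `
        -OneDriveLocation All `
        -Mode Enable | Out-Null
}

# Single rule: files stamped with ProgId:Media.Meeting that are shared
# with someone outside the organization.
$RuleParams = @{
    Name                         = $RuleName
    Policy                       = $PolicyName
    ContentPropertyContainsWords = "ProgId:Media.Meeting"
    AccessScope                  = "NotInOrganization"
    BlockAccess                  = $true
    BlockAccessScope             = "PerUser"              # block external users only
    NotifyUser                   = "Owner", "LastModifier"
    NotifyPolicyTipCustomText    = $TipText               # custom policy tip
    NotifyAllowOverride          = "WithJustification"    # optional override; remove to make the block absolute
}
if (-not (Get-DlpComplianceRule -Identity $RuleName -ErrorAction SilentlyContinue)) {
    New-DlpComplianceRule @RuleParams | Out-Null
}

# Confirm the policy exists and check whether distribution has completed.
Get-DlpCompliancePolicy -Identity $PolicyName -DistributionDetail |
    Format-List Name, Mode, DistributionStatus
```

Leaving out NotifyAllowOverride gives a rule that users cannot bypass, which is the stricter choice when recordings routinely contain sensitive discussions.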

The Effect of DLP

It can take up to an hour before a new DLP policy is effective. When the policy is active, the indexing process for new files detects that TMRs come within the scope of a policy and applies the policy settings to block external sharing. There might be a few minutes before the block is effective for a new file during which it’s possible to create and send a sharing link. However, once the block is in place, the sharing link is nullified.

The effect of the policy is obvious because any document which matches the policy conditions now has a small icon (circle with a line in the middle). In Figure 2, the icon is shown alongside all the TMRs in the Recordings folder. Other video files that don’t have the property set are not marked. Hovering over a TMR reveals information about the file, including a link to a DLP policy tip if set. In this case, the link reveals some custom text to explain that external sharing is not permitted for TMRs.

Figure 2: External sharing for Teams meeting recordings is blocked, or so the policy tip says

If the user ignores the warning and goes ahead to try and share the recording anyway, they won’t be able to do this because OneDrive for Business blocks the attempt to create and send a sharing link (Figure 3).

Figure 3: OneDrive for Business blocks a sharing link for a Teams meeting recording

Easy Update

Even if internal users don’t often go back to relisten to what was discussed in a conference call, there’s no doubt that some external people might find that content interesting, perhaps even to the detriment of your company. The time required to create and deploy a DLP policy to block external sharing of TMRs is roughly ten minutes (including a pause to drink coffee). It’s a quick and easy update to make it easier to manage the security of information contained inside these files. This is a good example of the value of DLP.


Some Microsoft 365 Features Highlighted at Fall Ignite 2021 You Can Use Now
https://office365itpros.com/2021/11/05/some-microsoft-365-features-fall-ignite-2021/
Fri, 05 Nov 2021 01:00:00 +0000

Discovering Some Nuggets from Microsoft’s Coverage

It’s been a busy week for anyone following the Microsoft 365 ecosystem as Microsoft released a slew of blog posts and announcements to support keynotes and other sessions at the Microsoft Ignite Fall event. You could spend hours reading about new features and functionality and wonder when the code will appear in your Office 365 tenant and if any additional licenses are necessary.

This post captures notes about several features available now that I noticed as I perused Microsoft’s coverage. By themselves, each is not enough to warrant a separate post, but they’re interesting all the same. These changes are examples of the stuff we track to maintain the content of the Office 365 for IT Pros eBook. All our chapter authors have been busy this week.

SharePoint Online and OneDrive for Business

Sharing links show who you’ve shared a document with. This feature was announced in June but seems to have taken its time to roll out. The idea is simple. When you send a new sharing link, SharePoint Online and OneDrive for Business tell you who the document is already shared with (Figure 1), including a thumbnail of each person (if available in Azure AD). You can hover over a thumbnail to see who the person is. The number of active sharing links also appears. It’s a small but useful change.

Figure 1: Information about people a document is already shared with

Easy to overlook, the SharePoint Online admin center now displays connected channel sites when a site used by Teams creates private channels (Figure 2). If you can’t remember which sites have private channel sites, connect to SharePoint Online PowerShell and run:

Get-SPOSite -Limit All -Template TeamChannel#0 | ? {$_.TeamsChannelType -eq "PrivateChannel"}
Figure 2: The SharePoint Online admin center notes the existence of some channel sites

If you click the channel sites link, the admin center displays details of those sites. Teams manages the settings for these sites, but it’s nice to be able to have easy access to the information. Shared channels, which are delayed until early 2022, also use channel sites.

OneDrive for Business supports Known Folder Move (KFM) and Files on Demand on macOS, which is nice if you’ve invested in a brand-new M1-powered Mac.

If your tenant uses sensitivity labels and has SharePoint Syntex, you can apply sensitivity labels to protect the document understanding models. The application of a label in this manner flows through to protect individual documents identified by models. It’s another way of automatically applying labels to sensitive content.

Sensitivity label control over sharing capabilities of SharePoint Online sites is now generally available. In addition, co-authoring and autosave of protected documents is generally available in the Microsoft 365 apps for enterprise (Word, Excel, and PowerPoint). We use protected documents heavily to store chapter files for the Office 365 for IT Pros eBook, so this is a welcome advance.

Exchange Online

Microsoft Scheduler can now dynamically adjust the scheduling of recurring meetings. This is message center notification MC295855 (November 2) and it’s a great idea. Static recurring meetings are all too often cancelled or rescheduled because someone is sick or otherwise unavailable. After a recurring meeting finishes, Scheduler looks for the best time slot for the next instance and books that time.

Everyone’s probably familiar with the Exchange Online campaign to remove basic authentication for email connection protocols (that October 2022 date is getting nearer!). PowerShell is on the list of protocols to be blocked for basic authentication, but the Exchange Online management PowerShell module still uses basic authentication to communicate with WinRM on a local workstation. Work is under way to remove the need to use WinRM. Microsoft has released a preview version (2.0.6-3preview) of the module to demonstrate how they will remove the dependency by using a REST API in the background. Exchange Online has many cmdlets, not all of which have been converted to use the new mechanism, but you can test the preview now.

On the downside, Microsoft didn’t say anything at Ignite about the next version of on-premises Exchange. This is strange given the September 2020 announcement said the next version of Exchange Server would be available in the second half of 2021.

Microsoft 365

Microsoft says that Visio web app is rolling out to Microsoft 365 commercial tenants (all tenants with Office 365 enterprise plans). The rollout goes through to the end of January 2022, so keep an eye on the app launcher to see when Visio web app (aka Visio in Microsoft 365) shows up in your tenant.

Microsoft Cloud App Security (MCAS) is now Microsoft Defender for Cloud Apps (surely MDCA?). The app governance add-on is now generally available. It’s a good way to chase down apps registered in Azure AD that are over-permissioned or not being used. If you don’t have MDCA or don’t want to pay for the add-on, use our DIY audit method for Azure AD apps.

Access to the knowledge available in topic cards created by Viva Topics has been restricted to some lesser-used applications up to now. Things will change when topic cards appear in OWA and Teams. Apparently, this will happen soon and should be a game changer for the organizations who have invested in the work needed to harvest organizational knowledge through Viva Topics.

Teams

Microsoft prioritized Teams at Ignite as the center of a new way to work (see my practical365.com article), so there were lots of Teams-related developments discussed, most of which can be left until they appear in a tenant near you. One snippet in a blog post about improving meeting quality is that noise suppression in Teams meetings will be available for iOS soon. Microsoft claims that they saw a “31% decline in comments about background noise distractions” after the launch of noise suppression. This sounds like a good thing, but a single statistic provided without any further context or detail is worthless. We don’t know the sample size, whether the clients were Windows or Mac, what kind of meetings were involved, or what is meant by “comments” (good, bad, or indifferent). Like many Microsoft statistics, there’s plenty of room for fudging an issue.


Why SharePoint Online Will Allow Users to Delete Files with Retention Labels
https://office365itpros.com/2021/10/14/sharepoint-online-allow-users-delete-files-with-retention-labels/
Thu, 14 Oct 2021 01:00:00 +0000

Making Compliance Work Better

As discussed last week, Microsoft is simplifying how retention processing works for SharePoint Online and OneDrive for Business. It’s a good initiative because this topic is like a black box for many tenant administrators. The latest step comes in MC289965 (7 October – roadmap item 82063) to align how the SharePoint Online and OneDrive for Business browser interfaces deal with user requests to delete a file assigned a retention label configured to retain items for a specific period. For instance, a file might have a retention label with a retain action for seven years. (A retention label can also be set to neither retain nor delete items, which makes it a visual marker.)

Deleting Files in SharePoint Online and OneDrive for Business

Up to now, the following happens:

  • OneDrive for Business: User deletes file with retention label. OneDrive for Business moves the file into the Recycle bin and captures a copy in the preservation hold library for the user’s account. A OneDrive account is a personal space and it’s reasonable to allow the account user to delete files if they wish. Note that you can’t delete a file assigned a record label. To create a retention label as a record, you need to use the Records Management solution in the Microsoft 365 compliance center (requires E5).
  • SharePoint Online: User attempts to delete file with retention label but is blocked because of the presence of the retention label (Figure 1).

Figure 1: SharePoint Online blocks the deletion of a file due to its retention label

You can argue a case that SharePoint Online does the right thing. By not allowing the deletion to happen and keeping the file in place until its retention period expires, SharePoint Online demonstrates that the file has some importance.

The Problem for Compliance

However, the problem is that the current Microsoft 365 group model allows group members full control over most items in the SharePoint Online team sites used by Teams and Groups. Therefore, if SharePoint Online blocks a user from deleting a file because of a retention label, they can simply remove the label and then delete the file (unless the retention label is a record label). Although most users might not realize that they can remove a retention label to delete a file, the fact that they can is a big problem in terms of compliance. In that light, it’s better to allow the deletion to proceed. SharePoint Online will capture the file in the preservation hold library to ensure that its content remains indexed and discoverable for retention purposes.

Earlier Attempt to Change Ran into Problems

Last June, Microsoft published MC264360 to notify tenants that they planned to change the way the SharePoint Online browser interface worked to bring it in line with OneDrive for Business. In other words, users would be able to delete files even if a retention label with a retention period was present.

After pushback from customers, Microsoft withdrew the proposed change to do some additional work. The result of that work will roll out in early November for completion by the end of the month. SharePoint Online users will be able to delete labelled files like they can in OneDrive for Business unless the organization decides that this is a bad idea and updates the SharePoint Online configuration to retain the existing behavior. SharePoint Online will continue to block deletion of items labelled as records.

Update January 11, 2022: The controls over deletion behavior are available in the Records management section of the Microsoft 365 compliance center (Figure 2).

Figure 2: Controls for SharePoint and OneDrive deletion of labeled files

Changing Things Back

If an organization decides that they’d like to keep things as they are, administrators will have to crack open the SharePoint Client Object Model (CSOM) and use the SetAllowFilesWithKeepLabelToBeDeletedSPO function in the SPPolicyStoreProxy class to set the value to False. Quite why Microsoft didn’t add a new parameter to the Set-SPOTenant cmdlet to update this setting like all the other SharePoint Online organizational settings is beyond me. Microsoft says that when the feature rolls out, the “configuration will be available within the Records Management solution settings.” That’s all fine and dandy, but Records management requires Office 365 E5 or Microsoft 365 Compliance E5 licenses, so many administrators might avoid it. This setting should be in the SharePoint Online admin center and settable through PowerShell.

No doubt someone who knows their way around CSOM will create and publish the code necessary to update the setting with PowerShell so that people without deep knowledge of SharePoint object models don’t have to, but I think it is unacceptable for Microsoft to push a change out that cannot be easily controlled by tenant administrators. On the bright side, I think most tenants will like the new delete behavior for files with retention labels and can therefore ignore grappling with CSOM.

Change Based on Experience

Changing the way SharePoint Online works when deleting files with retention labels with retention periods is the right thing to do. It will make compliance work better and is more logical for users. It’s just a pity that the opt-out control is hidden.


How Retention is Changing for SharePoint Online’s Preservation Hold Library
https://office365itpros.com/2021/10/07/retention-changing-sharepoint-onlines-preservation-hold-library/
Thu, 07 Oct 2021 01:00:00 +0000

Making Retention More Efficient

Message center notification MC288633 (1 October) covers the topic of optimized behavior of file versions preserved in SharePoint Online and OneDrive for Business. It’s a title guaranteed to turn off most Office 365 administrators unless they’re interested in compliance. As it happens, I am, so I read the notification.

My reading of the situation is that Microsoft is replacing an old-fashioned implementation of the preservation hold library with a more modern approach. As you might know, the preservation hold library is the location used by SharePoint Online to keep information needed for retention purposes. It’s the equivalent of Exchange Online’s Recoverable Items structure, a place where updated and removed content stays until the retention period expires.

The Preservation Hold Library

Up to now, SharePoint Online has used the preservation hold library to retain multiple versions of changes made to documents and list items. If someone edits a document which comes within the scope of a retention policy, SharePoint captures a pre-change copy of the document in the library. If someone deletes a document that must be retained, it goes into the preservation hold library. The actual processing is more complicated, but that description is sufficient here.

The net effect is that a preservation hold library for a busy site can accumulate a bunch of items (Figure 1). Although users cannot access the preservation hold library, its content is indexed and discoverable and available for searching, which means that eDiscovery investigators can recover the full change record for documents and list items. Administrators can also recover files from the preservation hold library, so there’s lots of goodness available.

Figure 1: Items in a SharePoint Online preservation hold library

The Downsides of Retention

Except that a downside exists. Or rather, two significant downsides. The first is that capturing edits and deletions for a busy SharePoint Online site can consume a large percentage of the storage quota used for the site. The amount differs from site to site depending on the characteristics of site usage and the type of file stored. For instance, the site which I use to store the Word documents for blog posts has thousands of relatively small files (usually in the range of 1-5 pages), most of which are never edited after publication. The preservation hold library for the site holds 924 items of 292.6 MB, or 5.92% of the site storage.

The site used for the Office 365 for IT Pros book has completely different characteristics. The Word documents (and some Excel spreadsheets) are larger (some chapters are over 100 pages) and they receive frequent revisions. For example, according to its version history, the chapter covering Teams architecture and structure in the 2021 edition has 330 versions, most generated using the Office AutoSave feature. The combination of large files and multiple revisions drives storage consumption to 15.3 GB, or 21.8% of the site (Figure 2).

Figure 2: Retained content can occupy lots of storage in a SharePoint Online site

The problem is that SharePoint Online regards the storage consumed by the preservation hold library in the same manner as it treats other libraries. Everything counts against the tenant’s overall SharePoint storage quota, which seems a little unfair given that Exchange Online provides additional free storage per mailbox to handle retention. It’s easy to run a report to find the storage consumed by each site, but you’ll need to access the site to discover how much is consumed by the preservation hold library.
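One way to measure the preservation hold library's share of a site's storage without opening each site in a browser, as an added example that is not part of the original article. It assumes the PnP.PowerShell module, an account with site collection administrator rights on each site, and an Entra ID app registration for PnP whose identifier is passed as the hypothetical $ClientId parameter; the site URLs are placeholders.

```powershell
# Added example (not from the original article). Requires PnP.PowerShell.
function Get-PreservationHoldUsage {
    param(
        [Parameter(Mandatory)][string[]]$SiteUrl,   # sites to check
        [Parameter(Mandatory)][string]$ClientId     # your tenant's PnP app registration (assumption)
    )
    foreach ($Url in $SiteUrl) {
        Connect-PnPOnline -Url $Url -Interactive -ClientId $ClientId

        # Total storage consumed by the site collection, in bytes.
        $Site      = Get-PnPSite -Includes Usage
        $SiteBytes = $Site.Usage.Storage

        try {
            # The library lives at /PreservationHoldLibrary under the site root.
            $Metric   = Get-PnPFolderStorageMetric -FolderSiteRelativeUrl "PreservationHoldLibrary" -ErrorAction Stop
            $PhlBytes = $Metric.TotalSize
            $PhlFiles = $Metric.TotalFileCount
        }
        catch {
            # No library yet: nothing in the site has needed retention so far.
            $PhlBytes = 0
            $PhlFiles = 0
        }

        # Guard against empty sites to avoid dividing by zero.
        $Percent = if ($SiteBytes -gt 0) { [math]::Round(($PhlBytes / $SiteBytes) * 100, 2) } else { 0 }

        [pscustomobject]@{
            Site             = $Url
            SiteStorageMB    = [math]::Round($SiteBytes / 1MB, 1)
            HoldLibraryItems = $PhlFiles
            HoldLibraryMB    = [math]::Round($PhlBytes / 1MB, 1)
            HoldLibraryPct   = $Percent
        }
    }
}

# Placeholder URLs and client id; replace with real values.
Get-PreservationHoldUsage -ClientId "00000000-0000-0000-0000-000000000000" -SiteUrl @(
    "https://contoso.sharepoint.com/sites/BlogPosts",
    "https://contoso.sharepoint.com/sites/BookChapters"
) | Sort-Object HoldLibraryPct -Descending | Format-Table -AutoSize
```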

The second issue is that content searches find multiple copies of files stored in SharePoint Online sites. This might be what you want, but usually it’s confusing (Figure 3).

Figure 3: Multiple file versions show up in the results of a Microsoft 365 content search

The Change

The change rolling out in mid-November means that files with multiple versions deleted from a SharePoint Online site or OneDrive for Business account which must be retained will be preserved as a single file instead of multiple versions. Storing fewer versions should reduce the demand for storage, but I shall wait and see how things work before making a definitive statement on that point. Reducing the number of versions held for a file will also speed up deletions and eliminate errors caused when retained files had more than a hundred versions in the preservation hold library.

Existing files in the preservation hold library are not updated and behave as before. Eventually, after the retention period for items expires, the weekly background job to check and remove obsolete material from the preservation hold library will remove the older files and release storage.

The new approach applies to any file which ends up in the preservation hold library because of a retention policy or in-place eDiscovery hold.

Given the number of files now stored in SharePoint Online due to increased use by apps like Teams, the effect of AutoSave in generating multiple file versions, and the impact on tenant storage quota that retention can have, this is a good change. It also simplifies administration and might even make it easier for backup and restore scenarios (fewer files to deal with). Time will tell!


SharePoint Admin Center Absorbs OneDrive for Business Management
https://office365itpros.com/2021/09/30/sharepoint-admin-center-absorbs-onedrive-for-business-management/
Thu, 30 Sep 2021 01:00:00 +0000

Personal and Organization Document Management for Microsoft 365

I don’t know why Microsoft ever thought that it was wise or desirable to consider SharePoint Online and OneDrive for Business as two separate workloads. The decision might have made sense years ago, when Microsoft began to extract itself from the legacy of its on-premises servers and wanted to demonstrate that it had multiple services to offer within Office 365. It makes none in the context of today’s cloud services.

The simple fact is that OneDrive for Business is no longer an optional extra for Office 365 users. Teams uses OneDrive for Business to share files, including the components built using the Fluid framework, in chats. Recordings of Teams personal meetings also go into OneDrive for Business, and Whiteboard is about to make the transition to OneDrive storage too. If you save an email attachment from Outlook, OneDrive is the preferred target. Users are encouraged to move their files stored in well-known folders from local workstations to OneDrive for Business to take advantage of features like Autosave and differential synchronization.

Increasing Importance of OneDrive for Business

Microsoft makes large amounts of storage available to OneDrive for Business users to make it possible to store data online. All signs indicate that Microsoft will continue to move application and personal data to OneDrive for Business storage whenever possible because it makes it easier to index and search files, including eDiscovery support. In a nutshell, the central importance of OneDrive for Business to cloud users increases as time passes.

The Demise of the OneDrive Admin Center

Which brings me to the elimination of the OneDrive for Business admin center. Or at least, the move of OneDrive settings into the SharePoint Online admin center (Figure 1), which removes the need for the OneDrive admin center. The SharePoint Online admin center has always had settings which affected OneDrive for Business, like sharing controls. Now we have a single place to manage system and personal document and file management for Microsoft 365, which is what these products deliver.

Figure 1: The SharePoint Online admin center and its dashboard composed of insight cards

Microsoft covered the move of the OneDrive settings in a July 2021 blog post. With so many blog posts, announcements, updates, and other information about different aspects of Microsoft 365 appearing each week, you might not have noticed the transition. If you go to the Settings section of the SharePoint Online admin center (Figure 2), you’ll find the OneDrive for Business controls.

Figure 2: OneDrive for Business controls in the SharePoint Online admin center

Checking Sensitivity Labels and Sites

Another topic featured in Microsoft’s July blog is the new insight card to report the number of unlabeled sites. These are sites that don’t have an assigned sensitivity label. As you might notice from Figure 1, my tenant reports 128 of these sites. Given that I’ve invested lots of time working to implement sensitivity labels for container management, this seemed like a high number.

After checking the list of sites, I discovered that the set includes:

  • Sites retained by a compliance policy after removal of the original Microsoft 365 group.
  • System sites like the App Catalog site and the home site and its predecessor.
  • Sites created for Yammer communities before the switch of the Yammer network to Microsoft 365 native mode.
  • Teams created from a template (to close the gap, MC281936 describes an update rolling out soon to allow team owners to assign a sensitivity label when creating a new team from a template).
  • The Viva Topics center site.
  • The site created for the group used to control who can create custom templates for the Teams Approvals app.

In short, a bunch of sites turned up, some of which could do with a sensitivity label and others which don’t. In other words, a list that’s well worth reviewing.

Simplification is Goodness

I strongly approve of Microsoft’s move to incorporate OneDrive for Business management into the SharePoint Online admin center. There are still too many administrative consoles across Microsoft 365 and this step simplifies the tenant management landscape.

With the introduction of the new Exchange Online admin center and the transition of the old Security and Compliance Center to the Microsoft 365 compliance center, we’re also seeing rationalization of user interfaces. On the downside, the switchover from old to new consoles seems to be taking forever. Maybe it’s because people need time to absorb change, but sometimes you’d wonder if it wouldn’t be better if Microsoft pulled the plaster off quickly and launched a family of new fully-functional administrative tools.


How Teams Makes Webinar Information Available for Search and eDiscovery
https://office365itpros.com/2021/09/16/how-teams-makes-webinar-information-available-for-ediscovery/
Thu, 16 Sep 2021 01:00:00 +0000

Partnership with Microsoft Lists Does the Trick

In an earlier article, we cover how Microsoft makes the spoken words in Teams meeting recording transcripts available to Microsoft Search. A similar approach is used to make the attendance for Teams webinars available to Search. Here’s what happens.

Webinars are calendar events, so their existence is recorded in the meeting organizer’s Exchange Online calendar. Also, the Microsoft 365 substrate captures meeting details in items in a hidden folder called 93c8660e-1330-4e40-8fda-fd27f9eafe10AttendanceReportV3Collection in the non-IPM part of the organizer mailbox, including JSON-formatted information about meeting participants captured in the ArtifactEntriesJsonBlob property (Figure 1).

Figure 1: Attendance data for a meeting captured in a meeting organizer’s Exchange Online mailbox

This information is captured for all meetings (including webinars) and is used to display the attendance report for the event in the Teams calendar app. Figure 2 shows the attendance report based on the information captured in the record shown in Figure 1.

Figure 2: Attendance report for a very short Teams meeting

Webinars receive special handling, and this is where Microsoft Lists come into play. The connection between Teams and the content held in Lists is via the ThreadId property, a value which points to the Teams meeting space (the identifier is also used in the Teams webinar URL) used for the event. A thread ID looks like this:

19:meeting_MjE2Mjg0OGEtMGViMi00OGNhLTg3ODQtMWE3NjE2MDAzNzli@thread.v2

Exposing Teams Webinar Information for eDiscovery

To make the webinar information available for eDiscovery, Teams creates three lists per webinar in the meeting organizer’s OneDrive for Business account. This is the reason why Microsoft makes access to Microsoft Lists one of the prerequisites for organizing Teams webinars. Lists are only created for webinar events.

The lists for an individual event share a unique identifier (GUID) which Teams uses as a suffix to associate the lists for an individual event (for example, de93882234fb418fb3fd5ef7048026d4). The lists are:

  • Event: Stores event information such as its start and end time and webinar description and title. The ThreadId for the webinar is stored in this list. The webinar title and description can be edited in the list but the information created by Teams for the meeting cannot.
  • Questionnaire: Stores the attendance records for individual webinar attendees. The information about attendee details (like name and email address) can be edited in the list but information relating to the Teams meeting (like its URI) cannot.
  • Speakers: Stores details of the speakers such as their names and bios. This information can be edited in the list.

Updates made to list data are reindexed and available for search.

The webinar lists are hidden from the normal My Lists view shown to users when they open the Microsoft Lists app. To access the webinar information, go to OneDrive’s Site Settings and navigate to the Site Libraries and Lists page (Figure 3), where you can see the lists used by Teams along with other lists used by OneDrive like the site’s preservation hold library.

Figure 3: Lists for Teams webinars stored in OneDrive for Business

As an example, this is the URL for the site settings and list page for the KimAkers@office365itpros.com account.

https:// office365itpros-my.sharepoint.com/personal/kim_akers_office365itpros_com/_layouts/15/mcontent.aspx

If you choose to customize a list, you see the list settings, including its URL. For instance, the speaker list for an event has a URL like:

https:// office365itpros-my.sharepoint.com/personal/kim_akers_office365itpros_com/Lists/Speaker_de93882234fb418fb3fd5ef7048026d4/AllItems.aspx

Using the URL, we can open the chosen list in a browser. Figure 4 shows the speaker list for a Teams webinar.

Figure 4: Speaker information for a Teams webinar stored in a list

Microsoft Search indexes the information stored in OneDrive for Business. You can therefore search for someone’s involvement in a webinar by inputting their email address into SharePoint Search. The Digiform entries shown in Figure 5 are for the attendance rosters for two webinars.

Figure 5: SharePoint Search finds details of webinar attendance for a user

Even better, the indexed information for the speaker, attendance, and event lists is available for eDiscovery. In Figure 6, we see some webinar items listed in a sample preview for a Core eDiscovery search. The items relate to speaker bios (highlighted in Figure 1), webinar description, and email addresses in the attendance report. Again, the Digiform entries found by the search point to lists stored in OneDrive for Business.

Figure 6: Core eDiscovery searches find webinar information

The Many Moving Parts of Microsoft 365

The way Microsoft 365 captures, stores, and indexes webinar attendance data is a good example of the Microsoft 365 substrate and ecosystem in action. Although many moving parts are involved, administrators and end users don’t see any of the complexity or connections involved. Some might be bothered by the ability of end users to update some webinar information stored in lists, but if you don’t tell them that the information is there, they might never discover where it’s stored.

How Microsoft Search Finds Spoken Text in Teams Meeting Transcripts
https://office365itpros.com/2021/09/08/how-microsoft-search-finds-spoken-text-teams-meeting-transcripts/
Wed, 08 Sep 2021 00:36:00 +0000

Search for What Participants Say During Teams Meetings

Microsoft message center notification MC260749 (last updated August 12) titled Microsoft Search: Find a meeting recording based on what was said is both technically interesting and important. Described in Microsoft 365 roadmap item 82003, the roll-out was delayed several times, but the way is now clear for Office 365 tenants to be able to search videos using spoken text along with a bunch of other changes to make Teams meeting recordings more accessible and useful. While it’s hard to say exactly when individual tenants will have all the functionality described here, I expect worldwide deployment to be complete by the end of October 2021.

Everything in OneDrive

Exposing the content of meeting recordings for search is important because it starts the process to close a major compliance gap. Up to now, transcripts for online meetings have not been searchable. The problem first surfaced when Teams stored its recordings in Stream. When the meeting finished, Stream processed the recording and created the transcript. However, the transcript remained in the Stream Azure service and was inaccessible to Microsoft Search. If something can’t be indexed by Microsoft Search, its content cannot be found by a search.

Microsoft completed the migration of the storage of Teams meeting recordings from Stream to OneDrive for Business or SharePoint Online (ODSP) on August 16, 2021. All new meeting recordings from that date are in ODSP with the migration of older content from Stream to ODSP happening later. Microsoft is busy building out the rest of the Stream 2.0 platform to handle videos which don’t come from Teams. For instance, they’ve released a preview of the new Stream browser interface which supports access to videos stored in both ODSP and the original Stream store.

The move to ODSP removed the ability to create and replay transcripts for meeting recordings which exists in Stream classic. Starting September 20, Microsoft plans to remove some of the automatically-generated transcripts from older videos in Stream classic to prepare for the migration to Stream 2.0.

To fill the functionality gap, Microsoft introduced a transcription capability for Teams meeting recordings (a recent update means that if you record a Teams meeting now, you generate a transcript automatically). However, the issue of searchability remained. Because ODSP stores the recording files, Search could index file metadata like the name of the recording, but that’s about all.

The gap in indexing and searchability is now closed. Teams stores the spoken text captured during a meeting (including speaker attribution so you know who said what) and meeting metadata in the Exchange Online mailbox of the meeting organizer. Capturing the spoken text in mailboxes allows Microsoft Search to index the data and therefore makes it possible for searches to find this information. And as we’ll see, ODSP also holds a copy of the transcript to allow the words in the transcript to connect with segments in a meeting recording.

Exchange Mailbox Storage for Transcript Information

Teams stores transcript information in a folder called ApplicationDataRoot/93c8660e-1330-4e40-8fda-fd27f9eafe10/MeetingTranscriptCollection in the non-IPM part of the mailbox. Hidden means that the folder isn’t available to users through clients like Outlook, but its contents are available to administrative interfaces like Microsoft Search and programs like MFCMAPI.

Transcripts are captured as mail items. Examining the captured items with MFCMAPI, it looks like two properties are most interesting:

  • TranscriptJsonBlob: stores the spoken text captured during the meeting. In Figure 1, you can see some captured text, including the name of the speaker. When users view the transcript in Teams, the information is displayed in a nicer format. It’s also possible to download transcripts in VTT or Word (DOCX) format.
  • TranscriptMetadataJsonBlob: stores metadata about the call.

Figure 1: Spoken text from a Teams meeting transcript stored in Exchange Online

Linking Words to Videos

The original implementation for Teams meeting recordings stored in Stream classic supported transcription, including the ability to edit the transcript to correct obvious errors. To allow Microsoft Search to find the MP4 file for a meeting recording based on words spoken during a meeting, a background process copies the transcript data captured in Exchange Online and indexes it against the recording to match segments of the video with the spoken words.

Replication of transcript data from Exchange Online to ODSP can take anything from 15 minutes to a day after the meeting ends. Once the process completes, you can search for text spoken in meetings and find recordings using the transcript (Figure 2).

Figure 2: Microsoft Search finds spoken text in a Teams meeting recording

Transcript Playback

Matching words in the transcript with meeting recordings (and eventually, any video stored in ODSP) allows concurrent playback for the two elements. Microsoft 365 roadmap item 82057, rolling out in September 2021, delivers a transcript pane for video playback (Figure 3). No ability is yet available for a video owner to edit the transcript.

Figure 3: Viewing a transcript of a Teams meeting recording alongside the video

Curiously, closed captions are available for only 60 days from the date of recording. In addition, Microsoft says that “Closed captions aren’t fully supported” if you move or copy a recording from its original location. Presumably, this is because the move might affect the link to the transcript data.

Making Transcription Available to More Teams Users

The option to transcribe meetings used to be restricted to accounts with enterprise E3/E5 and Business Premium/Standard. In early July, Microsoft made live transcription available (MC260564) for other licenses, including the E1, F1, academic, and Business basic SKUs, noting that this step improves the accessibility of Teams and makes meetings more inclusive for those who are hard of hearing. Microsoft followed up with MC280258 (August 24), to announce support for transcripts and captions in 27 additional languages (Figure 4) to join the previous support for U.S. English.

Figure 4: The new languages supported by Teams meeting recordings

Another Compliance Gap Nearly Closed

All the information shared during Teams meetings is gradually coming within the scope of compliance policies. eDiscovery can already find chat, presentations, and documents, and the advent of indexed speech means that spoken comments should soon come within the scope of eDiscovery searches. This hasn’t happened yet, probably because of the work needed to export transcripts and videos in eDiscovery cases, but I am sure this capability is high on Microsoft’s agenda.

Although the captured text is sometimes inaccurate, capturing any record of spoken comments is better than nothing. As time goes by, the artificial intelligence technology used to analyze speech to create the transcript will improve in terms of accuracy and ability to handle accents.

OneDrive’s Sharing Control Upgraded with Shared with Information
https://office365itpros.com/2021/08/13/onedrive-sharing-control-upgraded-with-shared-with-information/
Fri, 13 Aug 2021 01:00:00 +0000

Highlighting Who Already Has Access to Shared Information

Message center notification MC263839 (updated August 6 – Microsoft 365 roadmap item 83725) is all about new “Shared with” information which now appears on the control used to create sharing links. Well, it will when the roll-out completes in mid-August. Although tagged for OneDrive for Business, this change applies to both OneDrive for Business and SharePoint Online.

The idea is that the control now lists the set of people whom a file, folder, or list is already shared with so that owners know (at a glance – if they bother) how many people already have access and who they are.

Viewing Sharing Information in Different Circumstances

Showing sharing information works better in some situations than others. For example, if you share a file from a site owned by a Microsoft 365 group (or team), the set of sharing information includes:

  • The group
  • Group owners
  • Group members
  • Group visitors

It seems like this information could be filtered so that only the group is shown. The full set (Figure 1) doesn’t add value as the three entries (for SharePoint groups used to manage access) are defunct in the context of a group-connected site.

Figure 1: Sharing information for a site connected to a Microsoft 365 group

The information is more valuable when sharing a file from a site that isn’t connected to a group or OneDrive for Business. For instance, Figure 2 shows that a file is shared with 2 sharing links plus five specific users (tenant and guest accounts). Although you can mouse over an avatar to see who has access, it’s obviously better if the tenant and guest accounts have photos as this allows the sharing dialog to include thumbnails for each person.

Figure 2: Sharing information for a bunch of users

Several tests showed that up to six entries can appear in the dialog. If more people have access, you’ll see an ellipsis choice to go to the Manage Access menu to view full details of the existing sharing.

The mock-up used in MC263839 (Figure 3) uses larger thumbnails. It’s an interesting insight into the design decisions that must be taken to settle on the final look and feel for user interfaces.

Figure 3: Larger thumbnails in the sharing control mockup

Making Sharing More Transparent

This change is another to build out capabilities in the sharing control to make it more powerful and useful. Although some will probably say that it’s just window dressing or eye candy, I rather like seeing the set of people with access to a file, folder, or list highlighted in this manner. It’s the small things that often have the biggest impact!

Whiteboard Moves Its Storage to OneDrive for Business
https://office365itpros.com/2021/08/05/whiteboard-moving-storage-onedrive-for-business/
Thu, 05 Aug 2021 01:00:00 +0000

Switchover Coming in October 2021

Updated March 9, 2022

Message center notification MC275235 (August 3, updated on December 7, 2021) says that Microsoft is rebuilding the Whiteboard app on top of OneDrive for Business (Microsoft 365 roadmap item 66767). Whiteboard will use OneDrive for Business as its default storage starting in January 2022 (previously October), but tenants can opt-in now through the Whiteboard settings in the Microsoft 365 admin center (Figure 1) to use OneDrive-based storage for Whiteboard when the feature becomes available at the end of October. The opt-in period will last until mid-November. Opting in affects the storage of whiteboards for every user in the tenant. The latest news is that Microsoft will complete the transition to OneDrive when it delivers updates to several clients during March 2022.

Figure 1: Configuring the Whiteboard settings in the Microsoft 365 admin center to use OneDrive storage

The trade-off is that only certain Whiteboard clients currently support OneDrive-based storage:

  • Whiteboard browser client.
  • Whiteboard for Teams meetings (including Teams mobile apps).
  • Whiteboard on Android.

Microsoft will deliver support for the other whiteboard clients (Windows 10/11), Surface Hub, the Whiteboard channel tab app for Teams, and iOS by October. Until then, if you choose to use OneDrive for Business, these apps will be unable to create or display whiteboards stored in OneDrive. Whiteboards created earlier and stored in Azure will remain accessible.

Solid Plan for Long-Term Whiteboard Storage

The switchover is like that done for Stream, which is also moving off Azure storage to OneDrive for Business and SharePoint Online (the final switchover for Teams meeting recordings is August 16, 2021). The new live (fluid) components which surface in applications like Teams chat, Outlook, and Whiteboard are also kept in OneDrive for Business. Moving off application-specific Azure storage to the more general-purpose storage managed by OneDrive for Business is a good idea for many reasons, including:

  • OneDrive for Business is a well-understood storage platform with APIs: Utilities like reports of files in OneDrive accounts will include whiteboards along with other files.
  • Available Storage: Although Microsoft doesn’t place any quota restrictions on the current Whiteboard Azure-based storage, OneDrive for Business offers very generous storage quotas which won’t be affected by the need to store a few whiteboards.
  • Sharing: Whiteboards can be shared like any other OneDrive for Business file. Users sent a sharing link for a whiteboard will open the file in the browser client.
  • Auditing: OneDrive for Business will log audit events for file operations against whiteboards.
  • Information governance and compliance: Like any other file in OneDrive for Business, retention policies and labels are applicable to whiteboards. It’s not obvious yet if the content of whiteboards is indexed and available for eDiscovery.
  • Tenant to tenant migration: Most tenant-to-tenant migration toolsets are very good at moving OneDrive for Business files around. Adding whiteboards to the mix gives them a little extra work to do but makes sure that these files end up in the right place in the target tenant.
  • Backup: ISV backup products are well used to dealing with OneDrive for Business, so having some extra whiteboard files to include in the mix will cause no problems.
  • User deletion: The Microsoft 365 workflow process for user account deletion allows another user to be assigned access to the deleted user’s OneDrive for Business account to copy important files before Microsoft 365 removes the account. The user assigned access can now rescue any important whiteboards from the deleted user’s account.

The Next Microsoft 365 App to Move is?

Moving storage to OneDrive for Business seems to be becoming a trend, which then poses the question of which will be the next Microsoft 365 app to move off Azure storage? Given the set which exists, Planner might be a candidate, but given its connection to Microsoft 365 Groups, the storage target is likely SharePoint Online instead of OneDrive for Business. We shall wait and see.

Microsoft Introduces Auto-Expiration Policy for Teams Meeting Recordings
https://office365itpros.com/2021/08/03/teams-meeting-recordings-retention/
Tue, 03 Aug 2021 01:30:00 +0000

Only for Recordings of New Teams Meetings

Updated 21 May 2022

Announced in MC274188 (July 30), in late September, Microsoft planned to enable meeting recording auto-expiration for new Teams meeting recordings (TMRs) stored in SharePoint Online and OneDrive for Business (Microsoft 365 roadmap item 84580). The new feature will move the MP4 files used for TMRs to the site recycle bin when their expiration date lapses. For enterprise users, the expiration period is 120 days after the creation of the recording. A reduced period of 30 days applies for academic users with the Office 365 A1 license. Once in the recycle bin, the MP4 files follow the standard SharePoint file deletion cycle. Auto-expiration for TMRs is available for all Office 365 and Microsoft 365 licenses which contain Teams.

TMRs are the first workload to move video storage from the classic Stream Azure-based platform to SharePoint Online and OneDrive for Business (ODSP). From August 16, 2021, all new TMRs will be in ODSP. Even though tenants have a lot more storage quota available (especially in OneDrive for Business for recordings of personal meetings) than in Stream, the new policy aims to restrict the amount of storage occupied by TMRs (roughly 400 MB per hour).

Update: Following a series of earlier delays, on January 31, 2022, Microsoft pushed deployment out to late March 2022 to make sure that when they start to delete files, they remove the right files. At the same time, Microsoft increased the default retention period from 60 to 120 days for all tenants that haven’t configured a custom retention period. Eventually all the blocking factors were removed and Microsoft began to roll out the auto-expiration of Teams meeting recordings feature in early April.

Setting a New Expiration Period for TMRs

Microsoft says that 96% of TMRs are not watched again in the 60 days (and 99% after 110 days) following the original meeting, which is why they’ve chosen this to be the default expiration period. Users can change the expiration period for individual TMRs by updating file properties through the file details pane (selecting preset values of 14, 30, or 60 days, a custom date, or Never Expire). Organizations can set a default expiration period for newly created TMRs using the Teams meeting policy assigned to user accounts. For example, to set the default expiration period for recordings of meetings made by people assigned the VIP User Meeting Policy, run the command:

Set-CSTeamsMeetingPolicy -Identity "VIP User Meeting Policy" -NewMeetingRecordingExpirationDays 120

Originally, Microsoft’s documentation described a maximum expiration period of 99,999 days (273 years). Subsequently, problems emerged when tenants set such a high value and the safe limit was found to be 9,999 days, which should be more than enough to keep any normal recording (remember, you can apply a retention label to keep recordings for longer). The minimum is 1 day, and you can set the value (in PowerShell) to -1 to set meeting recordings to never expire. The expiration period for A1 users can only be reduced from the default 30 days.

You can also update the auto-expiration period for meeting policies through the Teams admin center (November 2021 update). Interestingly, the Teams admin center allows a range of between 1 and 99999 days! I’ve asked Microsoft to clarify whether the supported period is 9,999 or 99,999 days. If you want to go higher than 9,999 days, maybe the best approach is to set expiration to never expire.

Figure 1: Defining a retention period for Teams meeting recordings
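
An added example (not from the original article or from Microsoft) of how an administrator could review every meeting policy against the limits described above. The function name and the sample policies are constructed for illustration; `Get-CsTeamsMeetingPolicy` is the read counterpart of the cmdlet shown earlier.

```powershell
# Added example: classify the recording expiration setting of Teams meeting
# policies using the limits given in the article (minimum 1 day, -1 = never
# expire, 9,999 days reported as the safe maximum).
function Test-RecordingExpiration {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [psobject]$Policy,

        # 9,999 days is the limit the article reports as safe.
        [int]$SafeMaximumDays = 9999
    )
    process {
        $days = [int]$Policy.NewMeetingRecordingExpirationDays

        if ($days -eq -1) {
            $finding = 'Never expires: recordings stay until deleted manually or by a retention label'
        }
        elseif ($days -lt 1) {
            $finding = 'Invalid: the minimum is 1 day (-1 means never expire)'
        }
        elseif ($days -gt $SafeMaximumDays) {
            $finding = "Above the ${SafeMaximumDays}-day safe limit: use -1 or a retention label"
        }
        else {
            $finding = 'OK'
        }

        [pscustomobject]@{
            Policy         = $Policy.Identity
            ExpirationDays = $days
            Finding        = $finding
        }
    }
}

# Constructed sample objects standing in for Get-CsTeamsMeetingPolicy output.
# 'Tag:Legal Hold Meetings' is a hypothetical policy name.
$samplePolicies = @(
    [pscustomobject]@{ Identity = 'Global';                      NewMeetingRecordingExpirationDays = 120 }
    [pscustomobject]@{ Identity = 'Tag:VIP User Meeting Policy'; NewMeetingRecordingExpirationDays = 99999 }
    [pscustomobject]@{ Identity = 'Tag:Legal Hold Meetings';     NewMeetingRecordingExpirationDays = -1 }
)

$samplePolicies | Test-RecordingExpiration | Format-Table -AutoSize

# Against a tenant (needs the MicrosoftTeams module and Connect-MicrosoftTeams):
# Get-CsTeamsMeetingPolicy | Test-RecordingExpiration | Where-Object Finding -ne 'OK'
```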

Background processes run to evaluate TMRs in ODSP to check their expiration date. If the expiration process detects an expired file, the process moves the file into the recycle bin and clears the expiration date field. Recording owners receive email notifications when OneDrive moves expired recordings into the recycle bin (Figure 2). If necessary, they can rescue important recordings from the recycle bin for up to 90 days after deletion. Once moved back from the recycle bin, the recording has no retention date set and will therefore not be evaluated for deletion again.

Figure 2: Email notification that a Teams meeting recording has expired and been deleted

To help users understand when a recording approaches expiration, visual indications appear:

  • Beside the link to the meeting recording in the meeting chat. Anyone with view access to the recording sees the expiration notice.
  • Two weeks before expiration, a red icon appears beside the MP4 files for TMRs in the Recordings folder of OneDrive for Business accounts (personal meetings) or SharePoint Online sites (channel meetings).

Auto-expiration applies only to new TMRs. Existing TMRs stored in either ODSP or Stream do not have an expiration period. Auto-expiration is only available for TMRs and cannot be used with other file types held in ODSP. Expiration dates are kept if users move recording files to a different site (it’s the same file). They are not kept when users copy recording files (it’s a different file). Downloading and uploading a recording creates a new file with no expiration date. If you want to be sure that the expiration process does not remove a Teams meeting recording, apply a retention label to the file.

Tenant administrators can track the creation of TMRs in OneDrive for Business and SharePoint Online by using PowerShell to extract and analyze audit events.
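
One way to do that analysis, as an added example that is not the author's script. It assumes recordings surface as `FileUploaded` audit events for MP4 files in a Recordings folder; the function name and the sample records (with contoso.example addresses) are constructed.

```powershell
# Added example: pick Teams meeting recording uploads out of unified audit log
# records and estimate when each recording would expire.
function Get-RecordingUploadEvent {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [psobject]$Record,

        # Expiration period to assume (article default: 120 days; -1 = never).
        # The real date can differ if the policy or the file owner changed it.
        [int]$ExpirationDays = 120
    )
    process {
        # AuditData is a JSON string inside each audit record.
        try   { $data = $Record.AuditData | ConvertFrom-Json -ErrorAction Stop }
        catch { Write-Warning 'Skipping record with unparsable AuditData'; return }

        # Assumption: a recording is an MP4 uploaded into a "Recordings" folder.
        if ($data.Operation -ne 'FileUploaded')  { return }
        if ($data.SourceFileExtension -ne 'mp4') { return }
        if ($data.SourceRelativeUrl -notmatch '(^|/)Recordings(/|$)') { return }

        # Personal meetings land in OneDrive, channel meetings in a team site.
        if ($data.SiteUrl -match '-my\.sharepoint\.com/personal/') {
            $location = 'OneDrive (personal meeting)'
        }
        else {
            $location = 'SharePoint (channel meeting)'
        }

        $created = [datetime]$data.CreationTime
        $expires = $null
        if ($ExpirationDays -ge 1) { $expires = $created.AddDays($ExpirationDays) }

        [pscustomobject]@{
            Created        = $created
            User           = $data.UserId
            Location       = $location
            File           = $data.SourceFileName
            Site           = $data.SiteUrl
            ExpectedExpiry = $expires
        }
    }
}

# Constructed sample audit records: two recordings, one unrelated MP4 and one
# non-video file that happens to sit in a Recordings folder.
$sampleRecords = @(
    @{ CreationTime = '2022-04-11T09:31:12'; Operation = 'FileUploaded'; UserId = 'kim.akers@contoso.example'
       SiteUrl = 'https://contoso-my.sharepoint.com/personal/kim_akers_contoso_example/'
       SourceRelativeUrl = 'Documents/Recordings'; SourceFileExtension = 'mp4'
       SourceFileName = 'Budget review-20220411_093000-Meeting Recording.mp4' }
    @{ CreationTime = '2022-04-12T14:02:45'; Operation = 'FileUploaded'; UserId = 'app@sharepoint'
       SiteUrl = 'https://contoso.sharepoint.com/sites/Projects/'
       SourceRelativeUrl = 'Shared Documents/General/Recordings'; SourceFileExtension = 'mp4'
       SourceFileName = 'Project sync-20220412_140000-Meeting Recording.mp4' }
    @{ CreationTime = '2022-04-12T15:10:00'; Operation = 'FileUploaded'; UserId = 'kim.akers@contoso.example'
       SiteUrl = 'https://contoso-my.sharepoint.com/personal/kim_akers_contoso_example/'
       SourceRelativeUrl = 'Documents/Videos'; SourceFileExtension = 'mp4'
       SourceFileName = 'Product demo.mp4' }
    @{ CreationTime = '2022-04-13T08:00:00'; Operation = 'FileUploaded'; UserId = 'kim.akers@contoso.example'
       SiteUrl = 'https://contoso-my.sharepoint.com/personal/kim_akers_contoso_example/'
       SourceRelativeUrl = 'Documents/Recordings'; SourceFileExtension = 'docx'
       SourceFileName = 'Notes.docx' }
) | ForEach-Object { [pscustomobject]@{ AuditData = ($_ | ConvertTo-Json -Compress) } }

$sampleRecords | Get-RecordingUploadEvent | Format-Table Created, User, Location, ExpectedExpiry -AutoSize

# Against a tenant (needs the ExchangeOnlineManagement module and Connect-ExchangeOnline):
# Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-30) -EndDate (Get-Date) `
#     -Operations FileUploaded -ResultSize 5000 | Get-RecordingUploadEvent
```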

Auto-Expiration and Retention

Auto-expiration is a good housekeeping feature rather than a compliance feature. It will help organizations cope with a swelling collection of TMRs in user OneDrive for Business accounts and SharePoint Online sites but will do nothing to help with data governance. Two interesting developments due to arrive soon are automatic transcription for TMRs and indexing of transcripts. From a compliance perspective, this means that it will be possible to search for words spoken during a meeting and be able to put those words in the context they were spoken. Obviously, this is a big advance in compliance capabilities.

To take advantage of spoken word retrieval and make sure that transcripts and videos are available to eDiscovery investigators, you obviously need to retain TMRs. For this reason, a retention label on a TMR prevents the auto-expiration process removing recording files until the retention period assigned in the label lapses. Also, a retention label mandating deletion after a period takes precedence over auto-expiration, meaning that if the retention label has a shorter retention period than the auto-expiration date, that’s when SharePoint will remove the file.

Precedence applies for retention labels assigned manually or via an auto-label policy (available to tenants with Office 365 E5). Organizations which leverage retention labels to preserve the recordings of important Teams meetings might not see much change after Microsoft introduces the new auto-expiration feature.

SharePoint Online Adopts OneDrive’s Deletion Method for Items with Retention Labels
https://office365itpros.com/2021/06/30/sharepoint-online-delete-retained-files/
Wed, 30 Jun 2021 01:00:00 +0000

Change to Remove Inconsistency

Retention policies and retention labels both make sure that workloads like SharePoint Online retain information needed by organizations. Retention policies are broader in scope and apply default retention to any location coming within their scope. For instance, if you apply a retention policy to a set of SharePoint sites, any file within those sites comes within the scope of the policy. Retention labels are more granular and apply to individual items, whether assigned by users or through auto-label policies (like the example of using an auto-label policy to retain Teams meeting recordings). Because they are more specific, retention labels take precedence over retention policies.

It’s up to an application how to implement the application of retention labels to items. It’s also up to applications how to respect the fact that a retention label exists on an item. Different behaviors have existed in the SharePoint Online and OneDrive for Business browser interfaces since the introduction of retention labels in 2017. According to MC264360 (June 24) – Microsoft 365 roadmap item 82063, Microsoft is closing the inconsistency and SharePoint Online will adopt the OneDrive for Business approach.

Deleting SharePoint Online Items

Today, if you try and delete an item in a SharePoint Online document library, the UI prompts for the deletion to proceed and if confirmed, attempts to delete the item. If the item is labeled, the deletion fails (Figure 1) and the user sees that removal isn’t possible because of the label.

Figure 1: SharePoint Online declines to delete a labeled file

There’s nothing to stop the user removing the label and then deleting the file, unless it’s a record label (only a site administrator can change a record label).

By comparison, you can delete an item in a SharePoint Online document library which comes within the scope of a retention policy. Although seemingly inconsistent (because the organization wishes to retain the items by policy), SharePoint Online allows the deletion to proceed and moves the item into the site recycle bin. Eventually, when the item expires in the recycle bin, SharePoint Online moves it into the site’s Preservation Hold library where it stays until its retention period lapses.

OneDrive’s Streamlined Approach

OneDrive for Business takes a streamlined approach to item deletion and allows users to remove items as they wish (Figure 2).

Figure 2: OneDrive for Business is happy to delete a labeled file

Deleted items go into the OneDrive for Business recycle bin (Figure 3). Users can recover deleted files from there using the Restore your OneDrive feature.

Figure 3: Files in the OneDrive for Business recycle bin

After 90 days, deleted files leave the recycle bin for either permanent removal or retention. If a retention policy or label applies to an item, it moves to the Preservation Hold library (Figure 4) and stays there until its retention period lapses. Of course, retention can be a complex business and an item might come under the scope of a retention policy after retention due to a label lapses. In any case, once no further retention applies to an item, a background job removes the item. Removed items are irrecoverable unless a backup exists.

Figure 4: Files in the Preservation Hold library for a OneDrive for Business account

The Goodness of Consistency

You can argue that either approach makes sense. Some like it that SharePoint Online stops people deleting labeled items. It’s a form of affirmation that the file is important. On the other hand, allowing deletion to happen but preserving files needed for retention is a lower-friction method which prevents potential user confusion (why can I delete that file but not this one?). Overall, achieving consistency across OneDrive for Business and SharePoint Online is a good thing and lowering friction is also a good thing, especially if it stops some support calls. We’ll see how users react (or even notice) after Microsoft rolls out the change in August.


How Progressive Web Apps and Nucleus Combine to Make SharePoint Content More Accessible
https://office365itpros.com/2021/06/15/pwa-nucleus-odsp-data-accessible/
Tue, 15 Jun 2021 01:26:00 +0000

Make Web Sites into Apps

I confess to having been a little underwhelmed by Microsoft’s June 11 announcements (MC261535 and MC261537) that it will soon be possible to install OneDrive for Business and Microsoft Lists as Progressive Web Apps (PWAs). The relevant Microsoft 365 roadmap items are 80240 (OneDrive) and 80241 (Lists).

I should explain that I’m not so impressed as others might be because I’ve been installing various Office 365 web pages as apps in Edge for months (any Chromium-based browser works, Safari doesn’t). OWA works well as an app. The basic idea is that you use the Apps option in the browser to install a site as an app. Figure 1 shows what happens when you install OneDrive for Business as an app.

Figure 1: Making OneDrive for Business into an app using Microsoft Edge

The only other thing to do is to name the app (Figure 2).

Figure 2: Naming a PWA

The web pages installed as apps show up in the Windows start menu (Figure 3) and can be pinned to the taskbar.

Figure 3: Web apps listed in the Windows start menu

All About Access

The big advantage gained by installing web pages as apps is access. For instance, given the number of SharePoint sites in use today (many created by Teams), it’s often convenient to have an app pointing to a document library you use frequently. When an app starts, it has its own window. However, the functionality of the web page works in an app exactly like it does when it runs in a browser tab. As I said, it’s all about access, or rather, making information you use frequently more accessible.

If you can make Office 365 web pages into apps today, what’s Microsoft doing in MC261535 and MC261537? I think a couple of reasons exist:

  • Make people aware that they can access OneDrive for Business and Lists as apps.
  • Tune the pages so that they work well as PWAs.

Project Nucleus Arrives

Nice as it is to make OneDrive and Lists into apps, I’m much more impressed by the news in MC261538, which covers the introduction of a new general-purpose synchronization engine to the OneDrive sync client (Microsoft 365 roadmap item 68809).

Microsoft discussed Project Nucleus at the Ignite 2020 conference and said that they would use it to make Lists available offline (Figure 4). That’s what is being delivered with roll-out beginning in early July and due for completion in early August. Initially, Nucleus is only available for Windows 10 workstations.

Figure 4: Project Nucleus (source: Microsoft)

A separate Microsoft Nucleus.exe runs to synchronize Lists. According to Microsoft, “the sync process begins when a user first navigates to any list or to the Lists web app. All eligible lists that are visible from the Lists app will be synced. Common operations on lists, such as changing list views, sorting, filtering, and grouping happen locally and finish quickly even on very large lists. All of these operations continue to work offline. Edits sync between your device and the cloud and you can resolve merge conflicts if there are any.”

Microsoft has done a lot of work over the years to improve the OneDrive sync client by adding features like differential synchronization to make it capable of dealing with large files. Nucleus takes on the job of dealing with the synchronization of large and complex datasets, apparently using SQLite as a metadata store to allow users to continue working during network outages or when the network connection is flaky. Microsoft says that “requests are handled through a secure localhost HTTP server” and that complete documentation covering the management of Nucleus is on the way.

Two Sides of the Same Coin

PWAs and Nucleus are linked in the grand plan to make ODSP information more accessible. Web sites installed as apps need offline capability and Nucleus provides this ability for OneDrive for Business and SharePoint (ODSP) apps in the same way as other local stores deliver for apps like OWA and Teams.


Microsoft Clamps Down on PST Storage in SharePoint Online and OneDrive for Business
https://office365itpros.com/2021/05/24/pst-storage-in-sharepoint-online/
Mon, 24 May 2021 01:53:00 +0000

PSTs Should Never Be in Cloud Storage

Updated: July 14, 2021

On May 17, Microsoft published message center notification MC256835 to advise tenants about the introduction of what they call a “PST version retention policy.” This has nothing to do with retention labels or retention policies. Instead, it’s about controlling PST storage in SharePoint Online by limiting the number of versions kept for PST files stored in SharePoint Online and OneDrive for Business document libraries.

Versioning in SharePoint Online

Versioning is a SharePoint feature. In a nutshell, as users make changes to files in document libraries, they create versions of the files. In some cases, such as when editing Office documents using Autosave, a single edit session might generate twenty or thirty versions, depending on the number of changes made. The number of versions kept in a document library is defined in library settings (Figure 1) in a range of 300 to 50,000.

Figure 1: Defining the Versioning setting for a SharePoint Online document library

SharePoint keeps multiple versions of files to ensure that the user can go back to a previous version. To do this, select a document and then Version history. You can then select a version to restore (Figure 2).

Figure 2: Version history for a document

Both SharePoint Online and OneDrive for Business also support options to restore a library to a point in time over the previous 30 days. Without versions, it would not be possible to do this.

Why PSTs End up in SharePoint and OneDrive

Versioning is good, so what’s the problem with PSTs? Before addressing that question, we should ask why PST storage in SharePoint Online or OneDrive for Business comes about. A PST (Personal Storage Table) is for email storage. It is a container to allow users to store messages they wish to keep. People might have moved PSTs from network file shares into SharePoint, but it’s a bad idea to use PSTs in SharePoint.

  • The PST file format is not intended for concurrent shared access. These are personal files. If a problem happens with a PST file stored in SharePoint, it might lead to data loss.
  • Even though they are in SharePoint, the messages stored in PSTs are inaccessible for eDiscovery.
  • Over the years, Microsoft consistently advised against the use of shared PSTs on network file shares because of the potential for corruption.

You might think the problem of concurrent access to a shared file is addressed by using the OneDrive sync client to have a local copy of PSTs synchronized with the master copy in SharePoint. But as pointed out in this post by a Microsoft support engineer, the way Outlook locks PST files for exclusive access creates many problems for the sync client (Figure 3). Basically, the sync client is frustrated by the lock taken out by Outlook and can’t process the PST.

Figure 3: The OneDrive sync client has a problem with a PST

People who replace local workstation storage with OneDrive for Business for well-known folders like Documents might end up with PSTs in OneDrive. To avoid problems, they should move these files out of a synchronized location.

The Impact of PST Storage in SharePoint Online

The problem now being addressed by Microsoft is that holding multiple PST versions can consume a huge amount of SharePoint storage quota. Remember, a PST is a container rather than an individual file, and if it’s in active use, Microsoft says this generates “multiple versions which leads to storage being quickly consumed.”

Because of the generous quotas available to OneDrive for Business users, consuming storage is less of an issue for OneDrive for Business than it is for SharePoint Online. Microsoft makes 1 TB plus 10 GB per licensed user available for the organization and charges extra if more storage is needed. Using retention labels and retention policies to ensure files cannot be removed from SharePoint can already consume large amounts of storage, so adding PSTs to the mix is like pouring fuel on a raging fire.

Microsoft’s solution is to retain no more than 30 days’ worth of PST versions. This is enough to ensure that the Restore library feature works, even when PSTs are in a library. While the best answer is not to allow users to store PSTs in SharePoint Online or OneDrive for Business, restricting versions for PSTs is an acceptable method to restrain storage demand. Organizations can block users from synchronizing PSTs by including the file type in the blocked files list defined in the Settings section of the SharePoint Online admin center (Figure 4). Given the impact this could have on users, it’s a good idea to communicate about the block before its implementation.

Figure 4: Configuring file types block for OneDrive synchronization
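
The same block can be applied from PowerShell. The script below is an added example, not code from the original article: it uses the Get-/Set-SPOTenantSyncClientRestriction cmdlets from the SharePoint Online management shell, the admin URL is a placeholder, and the ConvertTo-ExtensionList helper is hypothetical. It merges the new extensions into whatever the tenant already blocks, because the cmdlet takes the complete block list as one semicolon-separated string.

```powershell
#Requires -Modules Microsoft.Online.SharePoint.PowerShell
<#
  Added example: block PST files (and optionally other types) from OneDrive sync
  without discarding extensions the tenant already blocks.
  Assumptions: -AdminUrl is your own SharePoint admin center URL and the account
  running the script holds the SharePoint administrator role.
#>
[CmdletBinding(SupportsShouldProcess)]
param(
    [Parameter(Mandatory)]
    [string] $AdminUrl,                        # placeholder: https://<tenant>-admin.sharepoint.com

    [string[]] $ExtensionsToBlock = @('pst')
)

function ConvertTo-ExtensionList {
    # Hypothetical helper. Accepts values such as ".PST", "pst;ost" or a list of
    # strings and returns lower-case extensions without dots, unique and sorted.
    param([object[]] $InputValues)

    $InputValues |
        Where-Object { $_ } |
        ForEach-Object { "$_" -split ';' } |
        ForEach-Object { $_.Trim().TrimStart('.').ToLowerInvariant() } |
        Where-Object { $_ } |
        Sort-Object -Unique
}

Connect-SPOService -Url $AdminUrl

# Read the tenant-wide sync restrictions; ExcludedFileExtensions is the block list.
$restriction = Get-SPOTenantSyncClientRestriction
$current = @(ConvertTo-ExtensionList -InputValues @($restriction.ExcludedFileExtensions))
$wanted  = @(ConvertTo-ExtensionList -InputValues $ExtensionsToBlock)
$merged  = @(ConvertTo-ExtensionList -InputValues ($current + $wanted))
$added   = @($merged | Where-Object { $_ -notin $current })

if ($added.Count -eq 0) {
    Write-Host "No change needed. Already blocked: $($current -join ', ')"
    return
}

# The parameter replaces the stored list, so always pass the merged value.
$newValue = $merged -join ';'
if ($PSCmdlet.ShouldProcess($AdminUrl, "Block OneDrive sync of: $($added -join ', ')")) {
    Set-SPOTenantSyncClientRestriction -ExcludedFileExtensions $newValue

    # Read the setting back so the change is confirmed rather than assumed.
    $after = @(ConvertTo-ExtensionList -InputValues `
        @((Get-SPOTenantSyncClientRestriction).ExcludedFileExtensions))
    $missing = @($merged | Where-Object { $_ -notin $after })
    if ($missing.Count -gt 0) {
        Write-Warning "Not applied: $($missing -join ', ')"
    }
    else {
        Write-Host "Blocked extensions are now: $($after -join ', ')"
    }
}
```

Run it with -WhatIf first to see which extensions would be added before anything changes.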

Microsoft Implements the New Policy

Starting June 28, organizations can use the Set-SPOTenant cmdlet from the SharePoint Online PowerShell module to control the new policy. By default, the policy will be on, meaning the permanent deletion of PST versions once they reach 30 days old. If you don’t want to restrict PST versions, you can opt out of the policy by running:

Set-SPOTenant -DisableOutlookPSTVersionTrimming $True

The new switch for the Set-SPOTenant cmdlet is available in the 16.0.21411.12000 release of the SharePoint Online management shell (released on July 12). You can download the module from the PowerShell Gallery.

The opt-out command must be run by August 13, so organizations have roughly six weeks to decide to opt out. The policy becomes effective on August 16 and running the command to opt out afterwards will have no effect. The big caveat is that the opt-out applies only to existing libraries. Any new library created after August 13 will apply the 30-day retention for PST versions.

The Badness of PSTs

I’ve been trying to persuade organizations to stop using PSTs for years. They’re a 25-year-old answer to the problem of small server mailboxes which existed then and doesn’t now. PSTs are insecure, compromise the ability of organizations to search for information and apply compliance policies, and are prone to failure. There is nothing to recommend their continued use and even less to think that it’s a good idea to store PSTs in SharePoint Online and OneDrive for Business. If you’re still unconvinced, listen to this on-demand webinar Why PSTs are Such a Bad Idea in the Cloud, where I try my very best to explain why.


Microsoft Whiteboard Moves its Storage to OneDrive for Business
https://office365itpros.com/2021/05/03/whiteboard-joins-onedrive/
Mon, 03 May 2021 03:12:00 +0000

Whiteboard Joins the OneDrive Fold

Message center notification MC253185 published on April 28 gives advance notice that Microsoft is changing the storage location for the Whiteboard app from Azure to OneDrive for Business. The switchover will happen in October 2021 with tenants given the opportunity to opt in to use OneDrive for Business earlier. The move addresses several management, compliance and governance issues which exist for Whiteboard today.

According to Microsoft, Whiteboard is “the collaborative canvas in Microsoft 365.” This claim is largely based on using Whiteboard to share ideas during Teams meetings. Other applications might claim to cover the same ground as it’s possible to collaborate in a document, spreadsheet, presentation, or other files shared during meetings. The canvas moniker could also be called a blank sheet of paper, which is what Whiteboard looks like when it starts up, ready to be drawn upon by the pens and other tools available in the app (Figure 1).

Figure 1: The Whiteboard app (for Windows)

Problems Solved by OneDrive for Business

Problems addressed by moving away from storing Whiteboard data in the current Azure-based service include:

  • Retention policies and labels can govern whiteboard files. The files can also be restored if deleted in error using the Restore your OneDrive feature.
  • OneDrive for Business is a core Office 365 workload and available in all datacenters. Whiteboard’s data is not currently distributed outside the U.S. Data stored in OneDrive meets customer data residency requirements through go-local Office 365 datacenter regions and multi-geo deployments.
  • Sharing with internal and external users is much easier using OneDrive for Business.
  • Data in OneDrive for Business is indexed and available for searching, including eDiscovery. In the case of Whiteboard, it’s probable that file metadata will be searchable. We will have to wait to see if the actual whiteboard content is searchable.
  • Storage is more manageable as tenants can report on how much storage is used for whiteboards along with other files held in OneDrive for Business. Given that Microsoft allows OneDrive for Business users to have as much storage as they need, running out of quota isn’t a problem.
  • Whiteboard content will be accessible to ISV products which support OneDrive for Business. For instance, backup products can include Whiteboard in the files they copy.

These reasons are the same as those which underpin the move by Stream to embrace ODSP (OneDrive for Business and SharePoint Online) for video storage, initially for Teams meeting recordings and eventually all video content.

The person who creates a new whiteboard is its owner and the file is in that user’s OneDrive account. This applies both for whiteboards created in Teams and in the standalone browser or Windows applications. The dependency on OneDrive for Business means that people need to have a OneDrive account provisioned to store whiteboards. Given the emphasis on moving away from local to cloud storage for documents and other business information, I don’t think this should be an issue.

Migration is a Developing Story

For the moment, existing whiteboards will remain in Azure and can be accessed there. MC253185 says that Microsoft will share more details in October about how to migrate existing content to OneDrive for Business. They also say that tenants might be able to opt in to use OneDrive before October, which is the same tactic used to allow tenants to move the storage of Teams meeting recordings early.

Controlling Whiteboard

You might be in the position where you don’t want to use Whiteboard or want to restrict its use to certain people. To disable or enable Whiteboard for the entire tenant, go to the Org settings section of the Microsoft 365 admin center and select Whiteboard. Then turn the setting on or off (Figure 2).

Figure 2: Enable or disable Whiteboard in the Microsoft 365 admin center

To disable Whiteboard for an individual user, access their account and uncheck Whiteboard in the set of apps. For example, Office 365 E3 and E5 plans include the Whiteboard (Plan 2) service plan.


Whiteboard’s move to embrace ODSP warrants just a few words in the Office 365 for IT Pros eBook. The other 625,000 words cover many more topics.

How to Use Sensitivity Labels to Protect Teams Meeting Recordings
https://office365itpros.com/2021/03/16/sensitiviity-labels-protect-teams-recording/
Tue, 16 Mar 2021 01:06:00 +0000

Possible to Protect Sensitive Meeting Recordings with Some Downsides

Although it’s listed as one of the applications which support sensitivity labels, the only way that Stream uses sensitivity labels is when it creates a new Microsoft 365 group. At that point, you can assign a sensitivity label with container management settings to the new group. Container management is good, but it doesn’t protect the data owned by the group.

This situation creates the question of how best to protect confidential videos. Because sensitivity labels control access to files using fine-grained rights management, they are an attractive choice. Stream “classic” doesn’t support the option to protect files in this manner, but the transition of Stream storage to SharePoint Online and OneDrive for Business creates a potential solution. As we’ll discuss, the basic technology works, but some implementation issues generate more friction than you’d like, possibly because Microsoft hasn’t figured out how the components should work together.

Unified Labeling Client and OneDrive

Microsoft touts the ability of SharePoint and OneDrive to store just about any type of file up to 250 GB, which makes it easy to store recordings of even the longest meeting. However, no user interface exists in the browser interface for SharePoint or OneDrive to assign sensitivity labels to files. Office (online, desktop, and mobile) applications can apply sensitivity labels, including encryption if needed. Exchange Online mail flow rules can also assign sensitivity labels to messages. Outside these implementations, writing some PowerShell or Microsoft Graph code or using Microsoft’s unified labeling client are the only ways to assign sensitivity labels to files.

The unified labeling client runs only on Windows workstations. It integrates with File Explorer to add a Classify and protect option to make it simple to add protection to any file which File Explorer can access. Applying protection to PDF files is a popular use case for the unified labeling client.

The OneDrive sync client can synchronize online folders and files to local copies, so it doesn’t take much lateral thinking to put two and two together and conclude it should be possible to assign sensitivity labels to meeting recordings stored in OneDrive. And as it turns out, it’s true. The only downside is that the unified labeling client requires Azure Information Protection P1 licenses. These licenses are part of the Enterprise Mobility and Security suite, but not bundled in any Office 365 plans.

Protecting Meeting Recordings

Figure 1 shows a set of MP4 video files (and a Word document) in the Recordings folder of my OneDrive for Business account. This is the location where Teams stores its meeting recordings. A label already protects one of the recordings (bottom right), as shown by the Azure Information Protection padlock icon. To protect another file, select it, and choose File Explorer’s Classify and protect option.

Figure 1: Classify and protect a Teams meeting recording stored in OneDrive for Business

The unified labeling client launches to allow the user to select the sensitivity label they wish to apply. Some sensitivity labels apply markings to files without encryption, but as the MP4 format doesn’t support headers, footers, and watermarks like those used in Office documents, the only labels offered for selection in Figure 2 are those which encrypt content.

Figure 2: Choosing a sensitivity label for the unified labeling client to apply to a Teams meeting recording

After selecting the label to apply, click Save to allow the client to encrypt the file. On my i7 Surface Book 2, the client took twelve seconds to process the 358 MB recording (for a meeting lasting 46 minutes). The size of the file is in line with the expected storage consumption for Teams recordings.

Downsides

We now have a protected MP4 file. The downsides are:

  • The link posted in Teams for the recording as part of the meeting resources breaks. The recording is still listed as a resource, but the link points to the original MP4 file which no longer exists because it is replaced by the encrypted file (which has a .pfile extension). Protecting the recording also removes the sharing links for the file, so even if you reverse course and remove the label, Teams can’t access the file.
  • Because the encryption process creates a new file without sharing links, the owner of the file must share the file with those permitted to view the recording.
  • The OneDrive MP4 file viewer can’t open the protected file.
  • The only way to view the protected video recording is through the Azure Information Protection viewer (part of the unified labeling client), meaning that those who want to view the recording must install the unified labeling client. Their account also needs an Azure Information Protection license.

In a nutshell, the unified labeling client treats Teams meeting recordings like any other MP4 file it protects. Encryption breaks any special connection between Teams and OneDrive for Business. The result is a protected recording, but the file owner needs to grant access to those who need to view the recording.

Maybe Not Completely Ready

Just because you can do something doesn’t mean that you should do something. Although you can protect Teams meeting recordings with sensitivity labels, the downsides indicate that the Microsoft engineering teams involved (Teams, SharePoint, Stream, and Microsoft Information Protection) have not yet worked through the issues to come up with a more seamless implementation. To be fair, Stream is in the middle of its switchover from Azure to SharePoint storage, and Microsoft might work through this point as that process unfolds. Service encryption with customer key is one of the work items listed for the migration to the New Stream, but support for sensitivity labels isn’t mentioned.

Until a more seamless integration is available, it’s reasonable to conclude that using sensitivity labels to protect Teams meeting recordings stored in OneDrive is possible with downsides.


Use Distribution Lists or Security Groups to Add Accounts to DLP Policies
https://office365itpros.com/2021/01/27/teams-dlp-policies-dls/
Wed, 27 Jan 2021 05:24:00 +0000

Teams and DLP (and now OneDrive too)

Updated February 24, 2021

Almost two years ago, Microsoft added Teams to the workloads supported by Data Loss Prevention (DLP) policies (Figure 1). For Teams, DLP checking occurs after users send messages to chats or channels. Offending messages are blocked, sometimes after a short delay. The system works well, but whether it is worth spending extra for Office 365 E5 licenses is debatable (DLP checking for Exchange Online and SharePoint Online is covered in Office 365 E3).

Figure 1: Teams chat and channel messages can be included in a DLP policy

In any case, message center update MC234475 published on January 15 says that “DLP for Microsoft Teams will soon support security groups and distribution lists as part of the Teams location picker.” (Microsoft 365 roadmap item 68874). Rollout is scheduled for mid-February with completion worldwide in mid-March.

Upgrading the Teams Location Picker

The title used for MC234475 is a tad obscure for even those accustomed to working with DLP policies. The Teams location picker is a Microsoft term for the UI component used to select the Teams user accounts to include or exclude in a DLP policy. Teams shares its location picker with Exchange Online while SharePoint and OneDrive for Business, which operate based on site URLs, have a different picker. Many DLP policies operate on a whole organization basis, meaning that no accounts are explicitly included or excluded as the DLP policy applies to every channel and every user in the organization. In these cases, you don’t worry about the location picker because it’s not used.

Things are more problematic when different policies are deployed to different user groups within an organization. Now the location picker is used to select which accounts come within the scope of a DLP policy. Exchange Online has always used distribution lists to select accounts to set the scope for policies, but up to now compliance administrators were forced to select individual accounts for Teams DLP policies (the Teams locations). The change being made in the Teams location picker allows administrators to select distribution lists and mail-enabled security groups instead of individual accounts (Figure 2).

Figure 2: Selecting distribution lists for a Teams DLP policy

Because distribution lists and mail-enabled security groups can contain more than accounts, Teams applies a filter to select only Teams-enabled accounts from the membership.

DLP Used in Large Organizations

Being able to use distribution lists and security groups to select the target accounts for DLP policies is a welcome update because it is much easier to add one or two distribution lists to a policy instead of finding and adding potentially hundreds of individual accounts. In addition, being able to specify distribution lists and mail-enabled security groups instead of individual accounts removes the previous limit of 1,000 individual accounts that could be added to a Teams DLP policy.

Microsoft said that Teams is used by 93 of the Fortune 100 in March 2020. Given that Teams had 44 million active users then and the latest data (October 2020) says Teams has 115 million daily active users, it’s obvious that a bunch of large organizations use Teams. Those are exactly the kind of tenants likely to use DLP to help control the sharing of confidential data. It’s also reasonable to assume that these tenants will be interested in granular control over policy scope (for instance, to apply a policy on a country or department-level basis) and therefore use the Teams location picker. Being able to use distribution lists or security groups reduces administrator workload and avoids the need to use PowerShell to update the Teams location in DLP policies when large numbers of accounts need to be added.

List and Group Updates Handled

Even better, if you use a distribution list or security group to define the scope of a Teams DLP policy, a background process keeps an eye on the membership of the list or group so that if accounts are added to or leave the list or group, the DLP policy is automatically adjusted to reflect the membership changes.

Picker for OneDrive for Business Accounts

Microsoft 365 notification MC241352 published on February 24 brought further good news in that the picker for OneDrive accounts in DLP policies will support distribution lists and security groups from March 2021 (Microsoft 365 roadmap item 70708). The same reasons make this a welcome update.


DLP is covered in Chapter 22 of the Office 365 for IT Pros eBook. It’s not the most compelling topic we cover, but it is technically challenging and interesting in its own right.

How Stream for SharePoint Handles Storage Quotas
https://office365itpros.com/2021/01/04/stream-for-sharepoint-storage/
Mon, 04 Jan 2021 09:46:06 +0000

Teams Meeting Recordings a Big Demand on the System

Microsoft is in the middle of building Stream for SharePoint (the new Stream). Part of the transition is to move video storage away from a dedicated Stream repository in Azure to SharePoint Online and OneDrive for Business. Office 365 tenants can move recordings of new Teams meetings to OneDrive for Business now, with the transition of existing videos to the new Stream to follow when it becomes available during 2021.

Update: Migration from Stream Classic to Stream based on SharePoint is still not generally available.

Because it has its own repository, the classic Stream controls its storage. Tenants receive a base amount of 500 GB plus 0.5 GB per licensed user (all Office 365 enterprise users are licensed for Stream). A tenant with 1,000 users therefore receives 1.5 TB of Stream storage. If more storage is needed, it can be bought from Microsoft.

Teams Recordings Drive Stream Storage

According to Microsoft sources, a large percentage of Stream storage is consumed by Teams meeting recordings. With over 500,000 users, Accenture runs the world’s largest Teams deployment, consuming 350 million minutes of audio meetings and 90 million minutes of video meetings monthly. Heavily influenced by the change of working habits due to the Covid-19 pandemic, the growth in online meetings is representative of many organizations, and 115 million monthly active Teams users generate lots of meetings. Many meetings are recorded, and the amount of Stream storage used by Teams continues to grow. This is one of the reasons why Microsoft chose to move Teams recordings to OneDrive for Business as the first step in the transition to the new Stream.

Removing Old Recordings

Meeting recordings are most useful soon after an event. Once people have had a chance to review a recording, the value of keeping most recordings declines over time. Classic Stream has no way to age out old recordings, and while Microsoft is working on a policy to expire Teams meetings automatically after a set period, that feature isn’t yet available.

The net result is that quota consumption continues unabated unless meeting organizers (the owners of the recordings) proactively remove old recordings. This doesn’t happen in the real world.

Quota Management in Stream for SharePoint

In Stream for SharePoint, recordings are stored in the OneDrive for Business account of the person who initiates the recording. The question then arises: what happens to the storage quota assigned to tenants for classic Stream?

The answer is that the quota doesn’t transfer. Videos stored in SharePoint Online or OneDrive for Business count against the tenant’s SharePoint storage quota (for videos owned by a Microsoft 365 group) or an individual’s OneDrive storage quota. Although this seems unfair, it’s not in practice because Microsoft makes large amounts of storage available to OneDrive for Business accounts, including “beyond 1 TB, to unlimited” for enterprise users. Given that most Stream storage is consumed by Teams recordings and these files will now be in OneDrive for Business, no need exists to transfer the classic Stream quota.

You might still want to run reports to check on OneDrive for Business storage, just in case some users need an increase in their assigned quota. The demand on quota should reduce after Microsoft introduces the policy to age out old recordings. In the interim, you can make sure that everyone can store all the meeting recordings they need by bumping the default OneDrive storage quota from 1 TB to 5 TB by editing the setting in the SharePoint admin center (Figure 1).

Figure 1: Setting a default storage limit for OneDrive for Business accounts

Keep up-to-date with the transition from Classic Stream to Stream for SharePoint by subscribing to the Office 365 for IT Pros eBook. We make sure that you master the detail.

Microsoft Removes EEEU Permission from OneDrive for Business Accounts
https://office365itpros.com/2020/11/06/eeeu-onedrive-finished/
Fri, 06 Nov 2020 00:21:56 +0000

Update Rolling Out to Remove EEEU from pre-August 2019 Accounts

Everyone except external users (EEEU) is an internal SharePoint group automatically populated with all tenant users. The intent behind the group was to facilitate easy internal sharing. The need to share still exists, but a good case can be argued that better methods exist to meet the need today, whether it’s something like an org-wide team or a Microsoft 365 dynamic group.

In August 2019, Microsoft implemented new default settings for OneDrive for Business accounts which meant that accounts created after this point do not include EEEU in OneDrive site permissions. For instance, my Office 365 account was created in 2011. OneDrive shows read access for EEEU in the list of permissions assigned to the account. You can check permissions through the site permissions section of site settings.

Figure 1: The EEEU permission listed in the permissions for a OneDrive for Business account

Note: The fact that EEEU permission is included in site permissions does not mean that everyone in the organization has access to the account owner’s OneDrive for Business document library. It’s there to enable access to items stored in OneDrive, not to grant general access to everything.

EEEU Removed from Older Accounts

What’s changing is that Microsoft is rolling out an update to these older accounts to align them with the settings used for accounts created since August 2019. As described in Office 365 notification MC225111, published on October 26, the update will remove EEEU from site permissions and perform a full permissions reset on any personal list stored in OneDrive. Microsoft says that “the result will be that any users that these personal lists were previously shared with will be unable to view the list until the list owner reinstates the sharing permissions.”

The change is due to start rolling out in early November and will continue through the end of 2020.

It’s hard to gauge how much effect this change will have. Microsoft has tweaked the sharing arrangements in OneDrive for Business before when they stopped creating a Shared with Everyone folder in all accounts in 2017. That didn’t cause too much fuss, but many fewer people were using OneDrive for Business at that time, and Lists have received new life with the launch of the Microsoft Lists app.

No Method Available to Analyze Tenant

Microsoft isn’t providing a method to allow tenant administrators to understand which accounts are affected and how many lists are involved. The exact number affected comes down to people with older accounts who exploit the permission to share personal lists with internal users, and that’s going to be different from tenant to tenant. Clearly, the change will have zero impact on accounts created since August 2019 because these users have had to set explicit permissions to share personal lists with internal users.

If your tenant uses a lot of lists stored in OneDrive (not SharePoint), you might want to create a list of accounts created before August 2019 and check with these users to understand if they have lists in active use that depend on the EEEU permission.
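One way to build that list is to join account creation dates to OneDrive site owners. This is an added example, not code from the original article: the function name Get-PreCutoffOneDrive, its parameters and the sample records are assumptions, and the account creation date is only a proxy for when the OneDrive site received its default permissions.

```powershell
# Added example. Get-PreCutoffOneDrive is a hypothetical helper name.
# Live input (needs the Microsoft Graph and SharePoint Online modules):
#   $Users = Get-MgUser -All -Property UserPrincipalName,CreatedDateTime
#   $Sites = Get-SPOSite -IncludePersonalSite $true -Limit All -Filter "Url -like '-my.sharepoint.com/personal/'"
function Get-PreCutoffOneDrive {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [object[]] $Users,   # need UserPrincipalName, CreatedDateTime
        [Parameter(Mandatory)] [object[]] $Sites,   # need Url, Owner
        [datetime] $Cutoff = [datetime]'2019-08-01'
    )
    # Index accounts by UPN (PowerShell hashtable keys are case-insensitive)
    $ByUpn = @{}
    foreach ($User in $Users) {
        if ($User.UserPrincipalName) { $ByUpn[$User.UserPrincipalName] = $User }
    }
    foreach ($Site in $Sites) {
        $Account = $null
        if ($Site.Owner) { $Account = $ByUpn[[string]$Site.Owner] }

        # Orphaned sites and accounts without a creation date cannot be dated,
        # so they are reported for manual review instead of being skipped.
        if (-not $Account -or -not $Account.CreatedDateTime) {
            $Status = 'Unknown'
        }
        elseif ([datetime]$Account.CreatedDateTime -lt $Cutoff) {
            $Status = 'CreatedBeforeCutoff'
        }
        else {
            $Status = 'CreatedAfterCutoff'
        }
        if ($Status -ne 'CreatedAfterCutoff') {
            [PSCustomObject]@{
                Owner          = $Site.Owner
                Url            = $Site.Url
                AccountCreated = if ($Account) { $Account.CreatedDateTime } else { $null }
                Status         = $Status
            }
        }
    }
}

# Constructed sample data so the function can be tried without a tenant
$SampleUsers = @(
    [PSCustomObject]@{ UserPrincipalName = 'old.account@example.com'; CreatedDateTime = [datetime]'2011-03-14' }
    [PSCustomObject]@{ UserPrincipalName = 'new.account@example.com'; CreatedDateTime = [datetime]'2020-02-01' }
)
$SampleSites = @(
    [PSCustomObject]@{ Url = 'https://example-my.sharepoint.com/personal/old_account_example_com'; Owner = 'Old.Account@example.com' }
    [PSCustomObject]@{ Url = 'https://example-my.sharepoint.com/personal/new_account_example_com'; Owner = 'new.account@example.com' }
    [PSCustomObject]@{ Url = 'https://example-my.sharepoint.com/personal/left_company_example_com'; Owner = 'left.company@example.com' }
)
Get-PreCutoffOneDrive -Users $SampleUsers -Sites $SampleSites | Format-Table -AutoSize
```

The output is a contact list only: it shows which owners to ask about personal lists and does not read the permissions on any site.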


For more interesting and useful information about SharePoint Online and OneDrive for Business, read Chapter 8 of the Office 365 for IT Pros eBook.

OneDrive for Business and its Unlimited Storage
https://office365itpros.com/2020/05/22/unlimited-onedrive-storage/
Fri, 22 May 2020 08:49:50 +0000

OneDrive Storage for All

The OneDrive for Business service description (13 May 2020) lays out how much OneDrive storage Microsoft makes available to users based on their license type. In a nutshell:

  • Frontline users (Office 365 F3): 2 GB.
  • Small to medium plans (like Microsoft 365 Business Premium): 1 TB.
  • SharePoint Online Plan 1 and OneDrive for Business Plan 1: 1 TB.
  • Enterprise E1: 1 TB.
  • Other enterprise plans and SharePoint Online Plan 2: “Beyond 1 TB, to unlimited”.

Promising unlimited OneDrive storage is interesting because it implies that Microsoft will allow a properly licensed user to consume as much OneDrive for Business storage as they want, with the caveats that OneDrive “is designed to serve the needs of individual users” and “storage of data other than an individual user’s work files, including system back-ups and departmental and organizational level data, is not supported, nor is the assignment of a per user license to a bot, department, or other non-human entity.”

Update (March 2022): the latest OneDrive for Business service description moves the storage discussion to a document called Modern Work Plan Comparison which confirms unlimited OneDrive storage in the SharePoint Plan 2 service plan (part of Office 365 E3 and E5).

Figure 1: Unlimited OneDrive storage for Office 365 E3 and E5 SKUs

Setting a Default Storage Quota for OneDrive

Documents, files, and photos can certainly occupy a lot of storage, but “unlimited” really doesn’t mean what normal human beings might think. It’s more like an all-you-can-eat buffet where the physical capacity of the human stomach will eventually impose a practical limit. OneDrive’s unlimited quota is practically limited by being doled out in chunks as users need storage.

When someone’s Office 365 account is provisioned and the account has a OneDrive license, the account is assigned the default storage quota set by the tenant. The quota can be set in the Settings section of the SharePoint Online admin center (Figure 2) or PowerShell.

Figure 2: Setting a tenant default for OneDrive for Business storage quota

The minimum default storage quota is 1024 GB (1 TB). As Figure 1 shows, you can increase it to 5120 GB (5 TB). You can go higher, but rather bizarrely, the OneDrive admin center doesn’t confirm that a new value is set, nor does it signal an error if you insert a higher value (like 10240 GB). Instead, perhaps because it doesn’t want to offend, OneDrive simply ignores the attempt to set a new storage quota and reverts to the highest possible value for the default (5 TB).

One thing to be careful about is that the OneDrive admin center uses gigabytes to set storage quotas while the Set-SPOTenant cmdlet uses megabytes. To set a 5 TB default storage limit in PowerShell, we run:

# Update SharePoint default storage quota
Set-SPOTenant -OneDriveStorageQuota 5242880

Don’t bother trying to go past 5 TB. OneDrive will blithely ignore your request and the limit will stay at 5 TB.

Assigning New Quotas to Existing Accounts

The default storage quota is assigned to new accounts. If the account doesn’t have a license which supports the assigned quota, OneDrive will automatically downgrade the available quota to the maximum allowed by the license. With that in mind, we can assign the new 5 TB storage quota to accounts like this:

# Assign storage quota to OneDrive sites
[array]$ODSites = Get-SPOSite -IncludePersonalSite $true -Limit all -Filter "Url -like '-my.sharepoint.com/personal/'" | Select-Object URL, Title, StorageQuota, StorageUsageCurrent
ForEach ($Site in $ODSites) {
   If ($Site.StorageQuota -ne 5242880) {
      Write-Host "Setting quota for OneDrive account:" $Site.Title
      Set-SPOSite -Identity $Site.URL -StorageQuota 5242880 }
}

To report on the current OneDrive storage use and quota, you could use a modified version of our Report SharePoint Site Storage script after connecting to the SharePoint administration module:

# Get all OneDrive sites
Write-Host "Fetching OneDrive site information..."
[array]$Sites = Get-SPOSite -IncludePersonalSite $true -Limit all -Filter "Url -like '-my.sharepoint.com/personal/'"  | Sort-Object StorageUsageCurrent -Descending
$TotalOneDriveStorageUsed = [Math]::Round(($Sites.StorageUsageCurrent | Measure-Object -Sum).Sum /1024,2)
$Report = [System.Collections.Generic.List[Object]]::new()
# Reset the counter so that rerunning the script in the same session starts at 1
$SiteNumber = 0
ForEach ($Site in $Sites) {
  $SiteOwners = $Null ; $Process = $True; $NoCheckGroup = $False
  $SiteNumber++
  $SiteStatus = $Site.Title + " ["+ $SiteNumber +"/" + $Sites.Count + "]"
  $UsedGB = [Math]::Round($Site.StorageUsageCurrent/1024,2)         
# And write out the information about the site
  If ($Process -eq $True) {
      $ReportLine = [PSCustomObject]@{
         URL           = $Site.URL
         Owner         = $Site.Title
         QuotaGB       = [Math]::Round($Site.StorageQuota/1KB,0) 
         UsedGB        = $UsedGB
         PercentUsed   = ([Math]::Round(($Site.StorageUsageCurrent/$Site.StorageQuota),4).ToString("P")) }
     $Report.Add($ReportLine)}}

# Now generate the report
$Report | Export-CSV -NoTypeInformation c:\temp\OneDriveConsumption.CSV

Moving Past Towards Unlimited

Five terabytes are nice, but it’s not unlimited. Possibly because of the bad experience of when OneDrive consumer supported unlimited storage (think of large movie libraries being uploaded), Microsoft forces tenants to go through support to have their storage boosted. You’ll have to:

  • Have at least one account in the tenant get within 10% of the 5 TB limit (being at 90% of quota is explicitly mentioned in the OneDrive service description).
  • Create a support request for OneDrive for Business through the Microsoft 365 admin center.
  • Tell the support agent that you want the quota increased from 5 TB to 25 TB.
  • Expect some backwards and forwards while Microsoft support digests the request. Point to the “unlimited” statement in the OneDrive service description and be politely insistent if necessary.

Eventually Microsoft will enable a storage quota increase behind the scenes. The increase enables a new 25 TB limit for all accounts, and you will be able to set the new limit by running Set-SPOSite to set a quota of 26214400 (25 TB).

If someone reaches 90% of 25 TB, a further support request will result in single-user SharePoint Online team sites with 25 TB quota.


Tracking down nuggets of information about how Office 365 works in practice is hard. Stay updated with the Office 365 for IT Pros eBook and let us do the work for you.

Use the Office 365 Audit Log to Find Who Updated a Document
https://office365itpros.com/2020/05/08/update-a-sharepoint-document/
Fri, 08 May 2020 09:30:14 +0000

Interrogating SharePoint and OneDrive Document Version History

A recent question asked how to use the SharePoint Online PnP PowerShell module to extract the version history of a document. The PnP (Patterns and Practices) module contains cmdlets to handle complex SharePoint provisioning and management scenarios. If you get to know PnP, you probably like it because it can handle actions from updating a SharePoint document to creating a new folder. However, the nature of PnP is that its interaction with objects is more complicated than other PowerShell modules.

The usual reason why people want to look at the version history for a document is to know who made a change to its content. Given how autosave captures document updates, the number of versions available for a document stored in SharePoint Online or OneDrive for Business can be large (Figure 1).

Figure 1: Version history for a SharePoint Online document

Office 365 Audit Log is an Alternative

If you’re not used to PnP, you might find it easier to extract information about updates to a SharePoint document from the Office 365 audit log. Every time a document is uploaded or updated in a SharePoint Online or OneDrive for Business document library, SharePoint creates an audit event that is later ingested into the Office 365 audit log (the event should be available about 15 minutes after the update). If we know the name of a document, it’s easy to search the audit log with the Search-UnifiedAuditLog cmdlet and find its audit records.

Searching for Document Change Audit Events

The PowerShell script below uses the $FileName variable to hold the name of the document to search for. If events occurred for this document over the last 90 days, the search should find events to record the initial upload of the document to the library (FileUploaded) and subsequent updates (FileModified) and views (FileAccessed). If the AutoSave feature is enabled for the document, multiple update records can accumulate over a short period. As is normal with audit records, a lot of interesting information is found in the AuditData property.

$FileName = (Read-Host "Enter file name to search")
$Records = (Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-90) -EndDate (Get-Date).AddDays(+1)  -Operations FileModified, FileAccessed, FileUploaded -ObjectIds $FileName -ResultSize 1000)
If ($Records.Count -eq 0) {
   Write-Host "No audit records found for file names beginning with" $FileName }
 Else {
   Write-Host "Processing" $Records.Count "audit records..."
   $Report = [System.Collections.Generic.List[Object]]::new()
   ForEach ($Rec in $Records) {
      $AuditData = ConvertFrom-Json $Rec.Auditdata
      $ReportLine = [PSCustomObject]@{
           TimeStamp   = $Rec.CreationDate
           User        = $AuditData.UserId
           Action      = $AuditData.Operation
           SiteUrl     = $AuditData.SiteUrl
           Site        = $AuditData.SourceRelativeUrl
           File        = $AuditData.SourceFileName
           IpAddress   = $AuditData.ClientIP
           App         = $AuditData.UserAgent  }
      $Report.Add($ReportLine) }}

Listing the Results

After analyzing the audit records, we can list the set of actions found for the document:

$Report | Select Timestamp, User, Action

TimeStamp            User                               Action
---------            ----                               ------
22 Apr 2020 14:40:41 Jane.Maloney@office365itpros.com   FileModified
21 Apr 2020 15:19:03 Jane.Maloney@office365itpros.com   FileModified
21 Apr 2020 15:02:34 Kim.Akers@office365itpros.com      FileModified
21 Apr 2020 15:01:39 Jane.Maloney@office365itpros.com   FileUploaded
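Because AutoSave can generate many FileModified records in a short period, it helps to collapse them into one line per editing session before deciding who changed what. This is an added example, not code from the original article: the function name Get-EditSession, the 10-minute gap and the sample records are assumptions, and the input is expected to have the TimeStamp, User, Action and IpAddress properties of the $Report lines built above.

```powershell
# Added example. Get-EditSession and the 10-minute gap are assumptions
# chosen for illustration, not part of the original script.
function Get-EditSession {
    [CmdletBinding()]
    param(
        # Report lines with TimeStamp, User, Action and IpAddress properties
        [Parameter(Mandatory)] [AllowEmptyCollection()] [object[]] $Records,
        # FileModified events by one user closer together than this form one session
        [int] $GapMinutes = 10
    )
    $Sessions = [System.Collections.Generic.List[Object]]::new()
    # Order by user and then by time so each user's events are adjacent
    $Modified = $Records | Where-Object { $_.Action -eq 'FileModified' } |
        Sort-Object User, { [datetime]$_.TimeStamp }
    $Current = $null
    foreach ($Rec in $Modified) {
        $Time = [datetime]$Rec.TimeStamp
        if ($Current -and $Current.User -eq $Rec.User -and
            ($Time - $Current.End).TotalMinutes -le $GapMinutes) {
            # Same user and still inside the gap: extend the open session
            $Current.End = $Time
            $Current.Events++
            if ($Rec.IpAddress -and $Current.IpAddresses -notcontains $Rec.IpAddress) {
                $Current.IpAddresses += $Rec.IpAddress
            }
        }
        else {
            # Different user or a long pause: start a new session
            $Current = [PSCustomObject]@{
                User        = $Rec.User
                Start       = $Time
                End         = $Time
                Events      = 1
                IpAddresses = @($Rec.IpAddress | Where-Object { $_ })
            }
            $Sessions.Add($Current)
        }
    }
    $Sessions | Sort-Object Start
}

# Constructed sample records (documentation IP ranges, made-up users)
$Sample = @(
    [PSCustomObject]@{ TimeStamp = '2020-04-21 15:01:39'; User = 'user.a@example.com'; Action = 'FileUploaded'; IpAddress = '203.0.113.10' }
    [PSCustomObject]@{ TimeStamp = '2020-04-21 15:02:34'; User = 'user.b@example.com'; Action = 'FileModified'; IpAddress = '198.51.100.7' }
    [PSCustomObject]@{ TimeStamp = '2020-04-21 15:19:03'; User = 'user.a@example.com'; Action = 'FileModified'; IpAddress = '203.0.113.10' }
    [PSCustomObject]@{ TimeStamp = '2020-04-21 15:21:47'; User = 'user.a@example.com'; Action = 'FileModified'; IpAddress = '203.0.113.10' }
    [PSCustomObject]@{ TimeStamp = '2020-04-21 15:26:12'; User = 'user.a@example.com'; Action = 'FileModified'; IpAddress = '192.0.2.44' }
    [PSCustomObject]@{ TimeStamp = '2020-04-22 14:40:41'; User = 'user.a@example.com'; Action = 'FileModified'; IpAddress = '203.0.113.10' }
)
Get-EditSession -Records $Sample |
    Select-Object User, Start, End, Events, @{ n = 'IpAddresses'; e = { $_.IpAddresses -join ', ' } } |
    Format-Table -AutoSize
```

With live data, pass the report built by the script above: Get-EditSession -Records $Report. A session that lists more than one IP address is worth a second look when the question is who really made a change.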

To distribute the report, you could simply print it or create a CSV file. Other distribution methods include:

  • Format the content in HTML and send it via email (see this article for details).
  • Create the report in a SharePoint document library (the basics of how to do this are explained here; the scenario is a script running in an Azure Automation runbook but the technique of using PnP cmdlets is the same in “regular” PowerShell).
  • Post the report to a Teams channel or post a link to it in a message card created in a Teams channel using the inbound webhook connector. See this article for more information.

Is Ninety Days Enough?

If your accounts have Office 365 E5 or Microsoft 365 E5 compliance licenses, audit records are available for 365 days. However, 90 days is usually enough to find out who made a change to an important document. Unless the change was overlooked and has only just been noticed!


Practical information about using PowerShell to solve common Office 365 administrative problems is a hallmark of the Office 365 for IT Pros eBook. Subscribe today and learn from our experience!

OneDrive Known Folders and PowerShell Module Installations
https://office365itpros.com/2020/05/04/powershell-in-onedrive/
Mon, 04 May 2020 16:26:34 +0000

PowerShell in OneDrive Isn’t a Great Idea

The OneDrive Known Folder Move feature has been around for a couple of years. Basically, this allows you to redirect common (well-known) folders from your PC to OneDrive so that anything created in Documents, Pictures, and the desktop is automatically saved in your OneDrive for Business account. Generally, everything works well, and I have been very happy.

That is, until the time came to update the Azure Active Directory preview module from 2.0.2.77 to 2.0.2.89.

Problems Updating PowerShell Module

I followed my normal routine of upgrading the module from the PowerShell Gallery, but things didn’t work. And no combination of removing and reinstalling modules worked either, despite setting a required version for the Install-Module cmdlet. Each time I started PowerShell and connected to Azure Active Directory, version 2.0.2.78 was used.

Eventually I discovered that the 2.0.2.77 files were installed in OneDrive by examining the module properties:

>Get-Module -Name AzureADPreview | Format-List

Name              : AzureADPreview
Path              : C:\Redmond\OneDrive – Office365ITPros\Documents\WindowsPowerShell\Modules\AzureADPreview\2.0.2.77\Microsoft.Open.AzureAD16.Graph.PowerShell.dll

My speculation is that PowerShell installed the 2.0.2.77 files in OneDrive the last time I updated the module.

Clean up OneDrive and Reinstall

To clean up the mess, I uninstalled the module and then deleted all the files from OneDrive. A retention label stopped OneDrive deleting the files, so it was a matter of removing the retention label and then deleting the files and folders.

I then reinstalled the module, making sure to select the correct version and to install the module for everyone who uses the PC.

Install-Module AzureADPreview -RequiredVersion "2.0.2.89" -Scope AllUsers

After the installation, the module files are in:

Get-Module -Name AzureADPreview | fl                                                       

Name              : AzureADPreview
Path              : C:\Program Files\WindowsPowerShell\Modules\AzureADPreview\2.0.2.89\Microsoft.Open.AzureAD16.Graph.PowerShell.dll

The next time I started a PowerShell session and ran the Connect-AzureAD cmdlet, I got the right version.

All of which goes to prove that you should pay attention to how you install PowerShell modules, just in case the files end up in OneDrive. PowerShell works when modules are installed to OneDrive, but upgrades become a little more interesting.
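A quick way to check a workstation for this situation is to list every module that has a copy under a OneDrive-synced folder, alongside any other installed versions of the same module. This is an added example, not code from the original article: the function name Find-OneDriveModule and the sample paths are assumptions, and it relies on the OneDrive, OneDriveCommercial and OneDriveConsumer environment variables that the OneDrive sync client sets.

```powershell
# Added example. Find-OneDriveModule is a hypothetical helper name.
function Find-OneDriveModule {
    [CmdletBinding()]
    param(
        # Objects with Name, Version and ModuleBase; defaults to every installed module
        [object[]] $Modules = (Get-Module -ListAvailable),
        # Folders synchronized by OneDrive; defaults to the sync client's variables
        [string[]] $OneDriveRoots = @($env:OneDrive, $env:OneDriveCommercial, $env:OneDriveConsumer)
    )
    # Normalize roots and add a trailing separator so 'OneDrive' does not match 'OneDriveOld'
    $Roots = @($OneDriveRoots | Where-Object { $_ } | Sort-Object -Unique |
        ForEach-Object { $_.TrimEnd('\') + '\' })

    $Tagged = foreach ($Module in $Modules) {
        $Base = [string]$Module.ModuleBase
        $InOneDrive = $false
        foreach ($Root in $Roots) {
            if ($Base.StartsWith($Root, [StringComparison]::OrdinalIgnoreCase)) { $InOneDrive = $true }
        }
        [PSCustomObject]@{
            Name       = $Module.Name
            Version    = [version]$Module.Version
            InOneDrive = $InOneDrive
            ModuleBase = $Base
        }
    }

    # Report only modules with at least one copy inside OneDrive, and show all
    # their copies so an old synced version next to a newer one stands out
    foreach ($Group in ($Tagged | Group-Object Name)) {
        if ($Group.Group.InOneDrive -notcontains $true) { continue }
        $Newest = ($Group.Group | Sort-Object Version -Descending | Select-Object -First 1).Version
        $Group.Group | Sort-Object Version -Descending |
            Select-Object Name, Version, InOneDrive,
                @{ n = 'IsNewest'; e = { $_.Version -eq $Newest } }, ModuleBase
    }
}

# Constructed sample mirroring the two install locations described in the article
$SampleModules = @(
    [PSCustomObject]@{ Name = 'AzureADPreview'; Version = '2.0.2.77'
        ModuleBase = 'C:\Users\sample\OneDrive - Example\Documents\WindowsPowerShell\Modules\AzureADPreview\2.0.2.77' }
    [PSCustomObject]@{ Name = 'AzureADPreview'; Version = '2.0.2.89'
        ModuleBase = 'C:\Program Files\WindowsPowerShell\Modules\AzureADPreview\2.0.2.89' }
    [PSCustomObject]@{ Name = 'OtherModule'; Version = '1.0.0'
        ModuleBase = 'C:\Program Files\WindowsPowerShell\Modules\OtherModule\1.0.0' }
)
Find-OneDriveModule -Modules $SampleModules -OneDriveRoots 'C:\Users\sample\OneDrive - Example' |
    Format-Table -AutoSize

# On a real workstation, run it with no parameters:
# Find-OneDriveModule | Format-Table -AutoSize
```

Module code in a synced, user-writable folder can also be changed from any other device that syncs the same account, which is a further reason to install with -Scope AllUsers as shown above.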

Word Combines @Mentions and SharePoint Online Sharing Links
https://office365itpros.com/2020/05/02/mentions-word-comments/
Sat, 02 May 2020 14:07:17 +0000

Not a Word Expert By Any Means

I am a dedicated rather than expert Word user. The editor is something I’ve used most days since I first opened Word 2.0 in 1993 and concluded it was a better word processor than DECwrite, an editor that ran on VAX workstations at the time. Word 2.0 ran on a 286 PC with 4 MB of memory, so it’s fair to say that it was a lot cheaper to use than its VMS counterpart.

Word is Like an Old Slipper

Over the best part of three decades I have grown comfortable with Word. Most of the time, I use the same features and don’t go looking for new functionality unless I need to perform a task. Recently, I found that Word (click to run or Office 365 ProPlus, now horribly renamed as Microsoft 365 Enterprise Apps suite) combines @mentions in comments with the ability to share documents. The feature is useful when you collaborate to create documents, which I need to do often.

Comment or @Mention

Using version 2004 (build 12730.20150) of Word, I noticed that the old insert comment command is now Comment or @Mention. Clicking the command brings up the usual dialog to enter a comment (for example, “what horrible text – you need to change this!”) with the added option to insert an @mention.

Type @ and the first few characters of someone’s display name. Word checks to find the person to mention. It looks like Word uses Outlook’s auto-complete list of email addresses because I noticed names from outside the tenant that I had previously emailed (Figure 1).

Figure 1: Selecting someone to @Mention in a Word comment

You can also add an @mention comment from the right-click insert menu. 

Sharing for @Mentions

For good reason, @mentioning someone only works for documents stored in SharePoint Online or OneDrive for Business. After selecting the name, you can enter the comment. If that person doesn’t currently have access to the document, Word offers to give them access (share) so that they can open and view the comment and the associated text (Figure 2).

Figure 2: Word offers to share a document so the @mentioned person can access it

The standard sharing mechanism available in OneDrive for Business or SharePoint Online is used, so the document must be stored in Office 365. If you open the document properties, you can see the share access granted to the @mentioned person (Figure 3).

Figure 3: The access granted to a Word document for @mention shares

Email Notifications for @Mentions

People @mentioned in a comment receive an email notification to tell them that they should go to the document to respond. The notifications sent by Office 365 applications are becoming smarter. OWA users can respond to Yammer conversations without leaving the client, and the Teams missed activity messages are a different take on the same idea. @Mention notifications contain information to help the recipient decide how quickly they need to respond by including the context of the comment (Figure 4). And when the time comes to respond, the link opens the document in the browser positioned at the comment.

Figure 4: An email notification for @mentions

Updated Comments

Once you involve other people in a document, it is likely that multiple people will edit the document concurrently. Collaborative co-authoring is not new, but I was pleased to see how responses to comments appeared in documents soon after they were added. Updates are not immediate because they depend on the autosave mechanism to capture and distribute changes to everyone who has a document open, but responses show up quicker than they would in a document circulated by email.

@Mentions for All

According to this Microsoft support article, PowerPoint, Word, and Excel are supposed to have the same @mention capabilities. This is certainly true of the online versions of the apps, but I only see @mentions in the desktop versions of Word and PowerPoint. Adding the feature to the desktop version of Excel might be a little more complicated.


The Office 365 for IT Pros eBook does not cover the desktop or online apps. However, we use Word to write the book and this feature exploits the Office 365 sharing mechanism, so we thought you’d like to know about it.

OneDrive Completes Roll-Out of Differential Sync
https://office365itpros.com/2020/04/28/onedrive-differential-sync/
Tue, 28 Apr 2020 00:01:07 +0000

Differential Sync Great for Large Files

Last September, the OneDrive developers announced that they were rolling out differential sync for all file types. Differential sync means that instead of having to upload complete files, even if just one word changes, OneDrive can synchronize just the changed bits. As files become larger, the advantage of differential synchronization becomes more important.

This facility had been available for Office files for some time, but not everything stored in OneDrive (consumer and business) is an Office file. The update means that all the other file types that people want to store in OneDrive and SharePoint Online now support differential sync, including PDFs, graphic files, audio recordings, and even PSTs. Obviously, some of these files are very large, so being able to synchronize just the changed bits reduces a lot of network traffic and makes the synchronization process much faster.

Slow Deployment Now Complete

Good intentions don’t always turn into immediate deployments and the roll-out has been slower than anticipated by Microsoft. However, on April 24, Microsoft announced on OneDrive User Voice that roll-out was complete for both commercial and consumer versions of OneDrive.

I am on the OneDrive Insider Ring, so the current version of the OneDrive sync client running on my PC is 20.064.0329.005 (Figure 1 – see this blog for information about OneDrive versions).

Figure 1: OneDrive sync client version information

Version History

Speaking of versions, a feature that isn’t working so well yet is the OneDrive sync client’s ability to access the version history for documents. Apparently, the development group is working to resolve the reported issues and we might have a solution in mid-May.

Version history depends on the versions kept for documents in SharePoint Online and OneDrive for Business and the client should have the same functionality as available in the browser clients. For instance, you’ll be able to restore a document back to a previous version.


For more information about OneDrive for Business and other Office 365 applications, subscribe to the Office 365 for IT Pros eBook and stay updated about new developments.

How to Save SharePoint Online and OneDrive Files and Folders for Later
https://office365itpros.com/2019/12/11/save-for-later-sharepoint-onedrive/
Wed, 11 Dec 2019 10:16:17 +0000

New Feature Now Rolling Out to Office 365 Tenants

Microsoft’s OneDrive for Business November 2019 Roundup includes news of the Save for Later feature (Office 365 roadmap item 49095). Although I haven’t seen an Office 365 notification to announce its rollout, Save for Later has turned up in both SharePoint Online and OneDrive for Business in my (targeted release) tenant. The feature description is:

“Save for Later will allow you to bookmark files and folders from your OneDrive, files shared to you and those in Shared Libraries to a “Saved for Later” list that you’ll be able to easily access.”

Delve’s Recent Documents List

Humans love to build to-do lists and Save for Later is no more than that: a way to build a list of items stored in SharePoint Online and OneDrive for Business that you need to go back to, maybe to work on and complete, perhaps to remind yourself of something. Although the idea is simple, it’s very useful. Two simple facts underline why. First, more files are stored in cloud repositories. Second, those files are stored in an ever-growing number of sites. The mission of SharePoint Online is to be the document management service for Office 365 and the popularity of Teams and other group-enabled applications, all of which come with a SharePoint site, means that users have more sites to work with. Put another way, there are more cloud places to store files than ever before (SharePoint Online now supports two million sites per tenant). Some help to keep track of important files is appreciated.

Delve (introduced in 2015) is an earlier attempt to solve the problem. Delve has a recent document view (Figure 1) to remind users of what they’ve been working on, and it allows users to associate files with “boards” (collections). A board can hold documents drawn from multiple sites and is a useful way to track ongoing work.

Figure 1: Delve shows off recent documents

Delve seems to have fallen out of favor recently. It’s a first-generation Graph application that was never developed past the work done in the first couple of years, possibly because customers didn’t react to Delve in quite the positive way that Microsoft expected. The announcement of Project Cortex at the Microsoft Ignite 2019 conference removed the remaining oxygen for Delve. I would not be surprised if Microsoft deprecates Delve soon after Project Cortex becomes generally available sometime in the second half of 2020.

Saving Files for Later in SharePoint and OneDrive for Business

Marking files to save for later is easy. Simply select Save for later in the menu (Figure 2). The same option is available to mark either individual files or complete folders in both SharePoint Online and OneDrive for Business. Once chosen for an item, the saved indicator shows that it’s marked. You can also click the saved indicator beside a file or folder to change it from blank (not saved) to filled (saved).

Figure 2: Saving a SharePoint Online document for later

SharePoint Online and OneDrive for Business share a common list of saved for later files. You can see the list in two places. First, the list appears at the bottom of the SharePoint Online home page (Figure 3).

Figure 3: Saved for Later list in the SharePoint Online home page

Second, you can access the list through the option in the OneDrive for Business menu (Figure 4). This version of the list is more informative because it includes details of the location and how recently an item was accessed.

Figure 4: The Saved for Later list in OneDrive for Business

In either app, you can open an item by clicking on it. OneDrive for Business includes a menu of other options such as delete, rename, and share. You can also remove an item from the saved for later list. In SharePoint Online, click the indicator to turn it from filled to blank. In OneDrive for Business, select the Remove from saved option in the menu.


It would be nice if Office 365 didn’t change for a while. But this is the cloud and stuff keeps on evolving. That’s why the Office 365 for IT Pros eBook exists to track and analyze how Office 365 changes over time.

How to Configure the Per-Site Anyone Link Expiration Policy for SharePoint Online Sites https://office365itpros.com/2019/11/27/configure-per-site-anyone-link-expiration-policy-sharepoint-online-sites/?utm_source=rss&utm_medium=rss&utm_campaign=configure-per-site-anyone-link-expiration-policy-sharepoint-online-sites https://office365itpros.com/2019/11/27/configure-per-site-anyone-link-expiration-policy-sharepoint-online-sites/#comments Wed, 27 Nov 2019 05:52:26 +0000 https://office365itpros.com/?p=5787

Customized Anyone Sharing Links on a Site-by-Site Basis

Office 365 notification MC186627 (roadmap item 53748) covers the introduction of a Per-Site Anyone Link Expiration Policy for SharePoint Online sites. A clearer description might say that you can now configure different expiration dates for Anyone Sharing Links on a site-by-site basis, but only in PowerShell as there’s no GUI to assign a custom expiration period to a site. This functionality is available worldwide now.

Two things are at play here. First, the default period for sharing links. This setting applies to all sites in a tenant and is set in the Sharing section of the OneDrive for Business Admin portal (Figure 1).

Figure 1: Setting a default period for sharing links

Second, Anyone links. These sharing links are used to allow anyone (hence the name) who has the link to access files or folders in SharePoint Online or OneDrive for Business sites. Links like this are typically used to allow broad access to content that doesn’t need to be restricted, such as sharing publicity material with customers.

The Issue Being Addressed

The problem with a one-size fits all link expiration period is that it works perfectly well for some sites but not for others. Setting a 365-day expiration period is great for links used to access unrestricted content; it’s not so good if the link is used to give access to confidential material. Although these links are likely to be restricted to specific people, you still might want to have the links expire sooner than a year.

Set-SPOSite Has the Solution

To solve the problem, connect to SharePoint Online with PowerShell (using the latest available module). Find the URL for the site for which you want to set a custom Anyone link expiration period. You can run the Get-SPOSite cmdlet to return a list of sites or access the site and copy the URL from the browser address bar.

Now run the Set-SPOSite cmdlet to set the policy (Figure 2).

Figure 2: Running Set-SPOSite to set the Anyone link expiration period for a site

For example, this command sets a 10-day Anyone link expiration period for the https://Office365itpros.sharepoint.com/sites/Confidential site:

# Set Anyone link expiration period for the site
Set-SPOSite -Identity https://Office365itpros.sharepoint.com/sites/Confidential -AnonymousLinkExpirationInDays 10 -OverrideTenantAnonymousLinkExpirationPolicy $True 
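
Once some sites carry their own expiration period, it helps to check which sites that allow Anyone links still fall back to the tenant default. The following is an added example, not code from the original article: the function name, the 30-day ceiling, the contoso URLs, and the treatment of values of 0 or less as "never expires" are assumptions, and the sample site objects are constructed.

```powershell
# Added example (not from the original article).
# Reports the effective Anyone link expiration for each site that permits Anyone links.
function Get-AnyoneLinkExpirationGap {
    [CmdletBinding()]
    param(
        # Site object carrying the properties returned by Get-SPOSite -Identity <url>
        [Parameter(Mandatory, ValueFromPipeline)]
        [object]$Site,

        # Tenant-wide default, e.g. (Get-SPOTenant).RequireAnonymousLinksExpireInDays
        [Parameter(Mandatory)]
        [int]$TenantDefaultDays,

        # Hypothetical organizational ceiling for the lifetime of an Anyone link
        [int]$MaxAllowedDays = 30
    )
    process {
        # Anyone links can only be created when the site allows guest sharing
        if ("$($Site.SharingCapability)" -ne 'ExternalUserAndGuestSharing') { return }

        if ($Site.OverrideTenantAnonymousLinkExpirationPolicy) {
            $Effective = [int]$Site.AnonymousLinkExpirationInDays
            $Source    = 'Site override'
        }
        else {
            $Effective = $TenantDefaultDays
            $Source    = 'Tenant default'
        }

        # Assumption: a value of 0 or less means that links never expire
        $NeverExpires = $Effective -le 0

        [PSCustomObject]@{
            Url            = $Site.Url
            Source         = $Source
            EffectiveDays  = if ($NeverExpires) { 'Never' } else { $Effective }
            ExceedsCeiling = $NeverExpires -or ($Effective -gt $MaxAllowedDays)
        }
    }
}

# Constructed sample objects standing in for Get-SPOSite output
$SampleSites = @(
    [PSCustomObject]@{
        Url = 'https://contoso.sharepoint.com/sites/Confidential'
        SharingCapability = 'ExternalUserAndGuestSharing'
        OverrideTenantAnonymousLinkExpirationPolicy = $true
        AnonymousLinkExpirationInDays = 10
    }
    [PSCustomObject]@{
        Url = 'https://contoso.sharepoint.com/sites/Marketing'
        SharingCapability = 'ExternalUserAndGuestSharing'
        OverrideTenantAnonymousLinkExpirationPolicy = $false
        AnonymousLinkExpirationInDays = 0
    }
    [PSCustomObject]@{
        Url = 'https://contoso.sharepoint.com/sites/Finance'
        SharingCapability = 'ExistingExternalUserSharingOnly'
        OverrideTenantAnonymousLinkExpirationPolicy = $false
        AnonymousLinkExpirationInDays = 0
    }
)

# With a 365-day tenant default, Marketing is flagged, Confidential is not,
# and Finance is skipped because it does not allow Anyone links.
$SampleSites |
    Get-AnyoneLinkExpirationGap -TenantDefaultDays 365 |
    Format-Table -AutoSize

# Against a live tenant (after Connect-SPOService), re-read each site by identity
# in case the list view does not populate the sharing properties:
# $Default = (Get-SPOTenant).RequireAnonymousLinksExpireInDays
# Get-SPOSite -Limit All | ForEach-Object { Get-SPOSite -Identity $_.Url } |
#     Get-AnyoneLinkExpirationGap -TenantDefaultDays $Default
```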

OneDrive for Business Sites

The Set-SPOSite cmdlet in the current build of the SharePoint Online PowerShell module doesn’t support the AnonymousLinkExpirationInDays parameter for OneDrive for Business sites. An attempt to use the parameter fails with this error:

Set-SPOSite -id https://office365itpros-my.sharepoint.com/personal/tony_redmond_redmondassociates_org -AnonymousLinkExpirationInDays 10 -OverrideTenantAnonymousLinkExpirationPolicy $True

set-sposite : https://redmondassociates-my.sharepoint.com/personal/john_redmond_office365itpros_com is a OneDrive for Business site collection. The only valid parameters for this type of site collection are '-Identity', '-AllowDownloadingNonWebViewableFiles', '-AllowEditing', '-ConditionalAccessPolicy', '-DefaultLinkPermission', '-DefaultSharingLinkType', '-DisableCompanyWideSharingLinks', '-LimitedAccessFileType', '-LockState', '-Owner', '-SharingAllowedDomainList', '-SharingBlockedDomainList', '-SharingCapability', '-SharingDomainRestrictionMode', '-ShowPeoplePickerSuggestionsForGuestUsers', '-StorageQuota', and '-StorageWarningLevel'.
At line:1 char:1
+ set-sposite -id https://office365itpros-my.sharepoint.com/personal/ ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [Set-SPOSite], ServerException
    + FullyQualifiedErrorId : Microsoft.SharePoint.Client.ServerException,Microsoft.Online.SharePoint.PowerShell.SetSite

Need more information about managing SharePoint Online and OneDrive for Business? The Office 365 for IT Pros eBook is bursting out with ideas!

Microsoft Acts to Stop OneDrive Users Excluding Sites from Searches https://office365itpros.com/2019/11/15/microsoft-stops-onedrive-users-excluding-sites-from-searches/?utm_source=rss&utm_medium=rss&utm_campaign=microsoft-stops-onedrive-users-excluding-sites-from-searches https://office365itpros.com/2019/11/15/microsoft-stops-onedrive-users-excluding-sites-from-searches/#comments Fri, 15 Nov 2019 10:46:46 +0000 https://office365itpros.com/?p=5639

Block Introduced in October; Available Everywhere Now

In September, I wrote about a problem inherited from an on-premises setting for OneDrive for Business sites. In a nutshell, because OneDrive sites are personal, their owners are the site administrators. And because they’re site administrators, a user can update the site settings to exclude the content of their OneDrive for Business site from searches (Figure 1). The upshot is that someone with bad stuff in their OneDrive site can stop Office 365 content searches finding and exporting that information. I’m not sure that people set on doing something dubious would keep information in OneDrive as they’re far more likely to keep it hidden safely away in a repository that only they can access, but it’s the principle that counts here.

Figure 1: OneDrive for Business Site Settings – Search and Offline Availability

Microsoft Engineering Responds

In any case, I took the problem to the SharePoint Online and OneDrive for Business product group. They acknowledged the problem and addressed it with some alacrity by removing the ability to exclude site contents from searches from the Site Settings page for OneDrive for Business sites. If you go to Site Settings for a OneDrive site now, you should find that the Search and Offline Availability settings are no longer available (Figure 2).

Figure 2: OneDrive for Business Site Settings

Some Lingering Issues

Although OneDrive for Business site owners can no longer find the option to remove their site from search results in site settings, a couple of issues still remain.

  • If they know what they’re looking for, site owners can navigate to the .aspx page with the option and set it there.
  • The option to exclude a site from search results is also available to people who know how to use the client side object model (CSOM).

It’s also true that administrators of SharePoint Online sites belonging to Teams and Office 365 Groups still see the Search and Offline Availability link in Site Settings and can, if they want to, remove the site from search results. In an era when compliance is critical for many organizations, it seems that site owners shouldn’t be able to remove their information from searches inside Office 365.


Read the Office 365 for IT Pros eBook for more tips and techniques about managing OneDrive for Business.

Four Videos About Interesting Tidbits from Microsoft Ignite 2019 https://office365itpros.com/2019/11/12/interesting-tidbits-announcements-microsoft-ignite-2019/?utm_source=rss&utm_medium=rss&utm_campaign=interesting-tidbits-announcements-microsoft-ignite-2019 https://office365itpros.com/2019/11/12/interesting-tidbits-announcements-microsoft-ignite-2019/#respond Tue, 12 Nov 2019 09:49:21 +0000 https://office365itpros.com/?p=5629

Videoed for Your Viewing Pleasure

YouTube videos from the Microsoft Ignite 2019 conference

Lots of new announcements were made by Microsoft and other vendors at the Microsoft Ignite 2019 conference in Orlando last week. The nice people from Quadrotech, who sponsor the Office 365 for IT Pros eBook, asked me to tape a short video for each of the first four days at the Microsoft Ignite 2019 conference. The basic idea was to chat about interesting news that I had learned from attending keynotes or other sessions. They’ve put the videos together into a YouTube playlist.

The videos covered:

  • Office 365, Exchange Online, and Outlook news.
  • All about the Office 365 substrate and why it makes sense to look at Office 365 through the lens of an operating system (according to Jeffrey Snover).
  • What’s happening in Microsoft Stream, including a new AI-powered ability to suppress background noise and how Stream is going to embrace Office 365 Data Governance functionality.
  • Why the new common sharing control introduced by OneDrive and surfaced across multiple Office 365 applications makes a heap of sense and makes a switch to “cloudy attachments” much more feasible.

Enjoy the videos!

Exploring OneDrive for Business Sharing Reports https://office365itpros.com/2019/10/22/onedrive-for-business-external-sharing-report/?utm_source=rss&utm_medium=rss&utm_campaign=onedrive-for-business-external-sharing-report https://office365itpros.com/2019/10/22/onedrive-for-business-external-sharing-report/#comments Tue, 22 Oct 2019 08:53:31 +0000 https://office365itpros.com/?p=5303

After years of ignoring the issue, Microsoft has finally started rolling out the External sharing report feature for OneDrive for Business. The rollout is still not 100% complete, so the feature might not be available in your tenant just yet, but it should be coming soon.

Generating a Sharing Report

To generate the External sharing report, open your OneDrive for Business site, go to Settings on top (cog wheel), OneDrive settings, More settings and finally under the Manage access section, click Run sharing report. You will then be asked to select where to store the report (Figure 1).

Figure 1: Generating a OneDrive for Business Sharing Report

After you select a folder and hit Save, the report is generated in a matter of a minute or two. You will be alerted by an email notification once the report is available, or you can look into the folder you selected for the output.

The report is a CSV file based on your Display name, followed by the date and time of its generation. The file is viewable in the browser or can be downloaded and opened with Excel. The latter option might be better for non-English users, as the columns and values of the generated CSV file will reflect the locale selected (in my case, Bulgarian), which resulted in an illegible mess because of the encoding, as shown in Figure 2.

Figure 2: Some encoding problems in a OneDrive for Business Sharing Report

Examining OneDrive for Business Sharing Data

Downloading the file and importing the data to an Excel worksheet, while simultaneously adjusting the encoding to UTF-8, produced a much more pleasant version (Figure 3). From left to right, you will see the Path to the item, its type, the permissions given, the user(s) with which the item is shared (one entry per line), the user’s email where applicable, the User or Group type, Sharing Link ID, Sharing Link Type and AccessViaLinkID. Some of those fields might be empty, depending on the type of sharing, and the screenshot below only reflects External sharing (read below). Do note that the labels and values used are my own translation from the Bulgarian strings used in the original, so there might be a slight disconnect with what you see.

Figure 3: Contents of a OneDrive for Business Sharing Report

Despite what the feature name suggests, the report includes both internally and externally shared items, but more on that below. The items themselves are alphabetically sorted based on the full item’s path. As already mentioned above, each line represents a single permission entry, meaning you will see multiple entries for items that have more than one sharing link or direct permission, or any combination of those. Nested folders and items stored within them are covered, with some important omissions discussed below.

Comparing a Graph-Based Report

I took the liberty of comparing this report to the one generated with the Graph API based script I published over at Practical 365 a while back. Overall, you can expect to see very similar data, however there are some interesting differences. For example, the built-in report includes the default Web permissions, as well as permissions from other Lists/Libraries in your ODFB, while the script report focuses only on the default /Documents library. It’s also interesting to note that the Microsoft-generated report does not include information about permissions given to any secondary site collection owners, although they are readily available from the Graph endpoints.

Figure 4: A OneDrive for Business Sharing Report generated with the Microsoft Graph

The biggest difference between the two files is the sheer number of entries missing from the downloadable report. As an example, I sync the Camera roll from my mobile device to OneDrive for Business and have shared some of the images from OneDrive. This results in a few hundred entries in the report just for the Photos folder, whilst the built-in report only lists a single entry for the folder. Trimming the entries makes sense, as all the items have the same set of permissions. However, the fact that trimming happens is not mentioned in the official documentation, so make sure to keep this aspect in mind when determining the actual number of shared items.

Similarly, there seems to be a bit of a gray area in the definition of internal vs external sharing. While the built-in report often seems to exclude entries that have additional permission entries that are considered internal only, it still lists other items even when they do not have any additional sharing links configured.

Administrative Challenges

Probably the major drawback for admins is the fact that there isn’t any easy way to run the report on behalf of a given user. Technically, you can add yourself as a secondary site collection admin for users’ ODFB drives, and you can then use those permissions to access the settings page of their sites and generate the report. However, this method is hardly manageable for anything but a handful of users.

Among other things worth mentioning is that the built-in report does not include information about link expiration, or additional link settings such as the Block download controls. Lastly, if you want to list all externally shared items, make sure to include the SharePointGroup value in addition to the External one when selecting a filter for the User or Group Type column. With all those adjustments in mind, the results from both files match perfectly, so whichever method you choose to use is entirely up to you.
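
The same filtering can be done in PowerShell instead of Excel. The following is an added example, not code from the original article: it reads a report as UTF-8 and keeps the External and SharePointGroup rows, as described above. The column headers, the function name, and every row of the sample CSV are constructed, because the real headers follow the locale of the account that generated the report.

```powershell
# Added example (not from the original article).
# Constructed sample report; real column headers depend on the report locale.
$SampleCsv = @'
"Resource Path","Item Type","Permission","User Name","User E-mail","User or Group Type","Link ID","Link Type","AccessViaLinkID"
"Documents/Photos","Folder","Read","Guest One","guest.one@example.org","External","","",""
"Documents/Plan.docx","File","Contribute","SharingLinks.1111.Flexible.aaaa","","SharePointGroup","aaaa","Flexible",""
"Documents/Plan.docx","File","Contribute","Guest Two","guest.two@example.org","External","","","aaaa"
"Documents/Budget.xlsx","File","Read","Иван Петров","ivan@contoso.com","Internal","","",""
'@

# Write the sample as UTF-8 without a byte order mark
$ReportPath = Join-Path ([System.IO.Path]::GetTempPath()) 'SharingReportSample.csv'
[System.IO.File]::WriteAllText($ReportPath, $SampleCsv, [System.Text.UTF8Encoding]::new($false))

function Get-ExternallySharedItem {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [string]$Path,

        # Assumed header names; change them to match the locale of your report
        [string]$PathColumn = 'Resource Path',
        [string]$ItemTypeColumn = 'Item Type',
        [string]$UserColumn = 'User Name',
        [string]$TypeColumn = 'User or Group Type',

        # Both values are needed to catch every externally shared item
        [string[]]$ExternalTypes = @('External', 'SharePointGroup')
    )

    # Read explicitly as UTF-8 so that non-Latin names and headers stay legible
    $Rows = Import-Csv -Path $Path -Encoding UTF8

    $Rows |
        Where-Object { $ExternalTypes -contains $_.$TypeColumn } |
        Group-Object -Property $PathColumn |
        ForEach-Object {
            [PSCustomObject]@{
                Path       = $_.Name
                ItemType   = $_.Group[0].$ItemTypeColumn
                # Number of permission entries, not number of files
                Entries    = $_.Count
                SharedWith = ($_.Group.$UserColumn | Sort-Object -Unique) -join '; '
            }
        }
}

# Budget.xlsx is dropped (internal only); Plan.docx collapses to one line with two entries.
Get-ExternallySharedItem -Path $ReportPath | Format-Table -AutoSize
```

A Folder row in the output stands for everything beneath it, because the built-in report trims child items that share the folder's permissions.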


Office 365 for IT Pros has lots of useful insight like this covering different aspects of the ecosystem. Our subscribers have the chance to download an updated book monthly. Shouldn’t you be one of them?

How to Generate a Report About OneDrive for Business Storage https://office365itpros.com/2019/10/10/report-onedrive-business-storage/?utm_source=rss&utm_medium=rss&utm_campaign=report-onedrive-business-storage https://office365itpros.com/2019/10/10/report-onedrive-business-storage/#comments Thu, 10 Oct 2019 06:49:06 +0000 https://office365itpros.com/?p=4777

Now Much Easier to Find OneDrive for Business Sites with PowerShell

A couple of years ago, retrieving information about OneDrive for Business sites with PowerShell usually involved some gyrations. Then Microsoft updated the Get-SPOSite cmdlet with the IncludePersonalSite switch and things became easier. For instance, a reader asked if it was possible to generate a report listing all the OneDrive for Business sites in a tenant with the storage allocated and used for each site.

No problem, we thought, as we scanned the internet to see if people had already solved the problem. As it happens, several example scripts are available, but we ended up writing our own because it was possible to simplify the code. We also store the output in a CSV file as it’s a very flexible format for reporting or further analysis (like importing into Power BI).

PowerShell Report for OneDrive Storage

You need to connect to SharePoint Online in a PowerShell session with an admin account. The connection process imports the SharePoint cmdlets from the module. Once a connection is made, you can retrieve the storage data. The basic steps are:

  • Create an array of the OneDrive for Business sites in the tenant.
  • Select useful properties for each site.
  • Calculate the total OneDrive storage used for the tenant.
  • Write the information for each OneDrive site into a PowerShell list.
  • Write the list out as a CSV file.

Here’s the code:

# Get a list of OneDrive for Business sites in the tenant sorted by the biggest consumer of quota
Write-Host "Finding OneDrive sites..."
[array]$ODFBSites = Get-SPOSite -IncludePersonalSite $True -Limit All -Filter "Url -like '-my.sharepoint.com/personal/'" | Select Owner, Title, URL, StorageQuota, StorageUsageCurrent | Sort StorageUsageCurrent -Descending
If (!($ODFBSites)) { Write-Host "No OneDrive sites found (surprisingly...)" ; break }
# Calculate total used
$TotalODFBGBUsed = [Math]::Round(($ODFBSites.StorageUsageCurrent | Measure-Object -Sum).Sum /1024,2)
# Create list to store report data
$Report = [System.Collections.Generic.List[Object]]::new()
# Store information for each OneDrive site
ForEach ($Site in $ODFBSites) {
      $ReportLine   = [PSCustomObject]@{
        Owner       = $Site.Title
        Email       = $Site.Owner
        URL         = $Site.URL
        QuotaGB     = [Math]::Round($Site.StorageQuota/1024,2) 
        UsedGB      = [Math]::Round($Site.StorageUsageCurrent/1024,4)
        PercentUsed = [Math]::Round(($Site.StorageUsageCurrent/$Site.StorageQuota * 100),4) }
      $Report.Add($ReportLine) }
$Report | Export-CSV -NoTypeInformation c:\temp\OneDriveSiteConsumption.CSV
# You don't have to do this, but it's useful to view the data via Out-GridView
$Report | Sort UsedGB -Descending | Out-GridView
Write-Host "Current OneDrive for Business storage consumption is" $TotalODFBGBUsed "GB. Report is in C:\temp\OneDriveSiteConsumption.CSV"

Figure 1 shows an example of the CSV file generated by the script. Because the information is in a CSV file, you can sort and organize it in whatever way makes sense for you. Some organizations like to grab information like this and store it in a repository to track the growth in storage consumption over time.

Figure 1: CSV file listing the storage consumed by OneDrive for Business sites

The public health warning is that we’ve not tested the script on very large tenants. It might take some time to run in those conditions, in which case you could break up processing. For instance, you could filter for sites starting with each letter of the alphabet and then combine the results for each letter into a single file.


Need more information about managing OneDrive for Business? Because the same general approach can usually be taken for both SharePoint Online and OneDrive for Business, we cover that topic in the chapter that deals with SharePoint Online management in the Office 365 for IT Pros eBook.

Discovering URLs for SharePoint Online and OneDrive for Business Sites https://office365itpros.com/2019/09/18/discovering-urls-sharepoint-online-onedrive-for-business/?utm_source=rss&utm_medium=rss&utm_campaign=discovering-urls-sharepoint-online-onedrive-for-business https://office365itpros.com/2019/09/18/discovering-urls-sharepoint-online-onedrive-for-business/#comments Wed, 18 Sep 2019 07:04:29 +0000 https://office365itpros.com/?p=4527

URLs Needed for Office 365 Content Searches

The topic of how best to find the URL of someone’s OneDrive for Business account arose in the context of Office 365 content searches. You need to know the URL of any SharePoint Online site or OneDrive for Business account before you can include it in the locations scanned by a content search (Figure 1), eDiscovery case, or Office 365 retention policy.

Figure 1: Some OneDrive for Business accounts added to an Office 365 content search

Finding URLs for SharePoint Sites

Finding the URL of a SharePoint site is straightforward, especially if the site is connected to an Office 365 Group (team). You can:

  • Open the SharePoint site from the group or Teams and note the URL.
  • Run PowerShell to find the URL.
  • Look at the site details in the SharePoint Admin Center to find the URL (Figure 2).
Figure 2: Finding the URL of a site through the SharePoint Admin Center

We can find the URL with the SharePoint Online PowerShell module or the Exchange Online module. First, here’s SharePoint Online where we use the filter parameter with the Get-SPOSite cmdlet to find all sites containing “Ben” in the URL:

# Find SPO Sites with Ben in the URL
Get-SPOSite -Filter "URL -like 'Ben'"

Url                                                         Owner Storage Quota
---                                                         ----- -------------
https://tenant.sharepoint.com/sites/benowensteam            26214400

The Get-UnifiedGroup cmdlet in the Exchange Online module can return details of any group-enabled site:

# Get SPO details from group
Get-UnifiedGroup -Identity "Ben Owens Team" | Format-list share*

SharePointSiteUrl      : https://tenant.sharepoint.com/sites/benowensteam
SharePointDocumentsUrl : https://tenant.sharepoint.com/sites/benowensteam/Shared
                         Documents
SharePointNotebookUrl  :

Finding URLs for OneDrive for Business Accounts

The OneDrive for Business Admin Center doesn’t list OneDrive accounts: neither does the SharePoint Admin Center. However, we can find the URLs as follows:

  • By accessing a user’s Delve profile and following the link to their OneDrive account.
  • With PowerShell.

PowerShell is probably the easiest method because you can create a list of all OneDrive for Business accounts in the tenant and keep it for easy reference. After connecting to the SharePoint Online PowerShell module with an administrator account, run this command to generate a CSV file with all the links. Figure 3 shows an example of what the CSV file contains.

# Get list of OneDrive for Business accounts and export them to CSV file
Get-SPOSite -IncludePersonalSite $true -Limit all -Filter "Url -like '-my.sharepoint.com/personal/'" | Select Owner, URL | Sort Owner | Export-CSV c:\temp\OneDriveSites.csv -NoTypeInformation
Figure 3: A list of OneDrive for Business Accounts Generated in CSV format

Apart from being a useful reference, generating a list of OneDrive accounts also allows you to identify any accounts belonging to long-deleted accounts that should no longer be online (I found a couple from 2013).


Tracking down tips like this can be very time-consuming. Wouldn’t it be much better to be able to consult a comprehensive, always up-to-date manual? Something like the Office 365 for IT Pros eBook?

Using Password-Protected Sharing Links with SharePoint Online https://office365itpros.com/2019/07/23/using-password-protected-sharing-links-sharepoint-online/?utm_source=rss&utm_medium=rss&utm_campaign=using-password-protected-sharing-links-sharepoint-online https://office365itpros.com/2019/07/23/using-password-protected-sharing-links-sharepoint-online/#comments Tue, 23 Jul 2019 00:03:10 +0000 https://office365itpros.com/?p=3608

Stop Unwanted People Using Sharing Links Sent for Documents

Announced at session BRK3100 at the Ignite 2018 conference last September and then included in the OneDrive for Business Roadmap update for June 2019, password-protected sharing links are now available across Office 365.

Only for Anyone Links

Before getting too excited, let’s reflect that this feature only works for Anyone sharing links. These are the links that can be used by anyone who has them. Many Office 365 tenants tune the sharing controls for SharePoint Online and OneDrive for Business to prohibit the use of Anyone links because they consider them a security risk. But if your tenant allows Anyone links, you can now protect them with custom passwords. The password protected sharing link feature is available in the SharePoint Online and OneDrive for Business web clients. Block download is available in the OneDrive mobile client.

Sending Password-Protected Links

To begin, select a document and share it. Select “Anyone with the link” as the share. Click Anyone with the link to change the settings. In Figure 1 you can see that a password has been entered and we’ve also selected the option to block the recipient from downloading the document. This forces Office 365 to call the online app to display the content, so it only works for Office documents.

Figure 1: Adding a password to protect an Anyone link for a SharePoint document

When you’ve updated the settings, click Apply. You should now see that the icons under the link have changed to include a padlock (password protected) and download barrier (Figure 2).

Figure 2: Reviewing the sharing link before sending it

If a sharing link has already been created with a password, you’ll have the chance to update the link with a new password or use the existing password (Figure 3). It’s not a good idea to replace a password on a sharing link unless you update previous recipients with the new password.

Figure 3: A password already exists for a sharing link

Click Send to tell Office 365 to create and send the message with the sharing information. You’ll find the message in the Sent Items folder of your Exchange Online mailbox. When the recipient opens the message, they’ll see that the link will work for anyone with the password. Before they can open the content, you’ll need to give them the password through email, a voice message, SMS, Teams personal chat, or other method. Once they have the password, they can click the link, input the password (Figure 4) and see the content.

Figure 4: Entering a password for a sharing link

Limited Access to Content

In our case, the link we sent was both password-protected and blocked for download. As noted above, if the document is an Office file, Office 365 calls the relevant online app to open it. As you can see in Figure 5, the user is blocked from downloading and printing the file.

Figure 5: Document blocked from download by a setting in a sharing link

Modify Links

If necessary, you can use SharePoint’s Modify Access feature to update sharing links, including the ability to reset passwords in links. You can’t remove a password from a link once it is present.

Password-protected sharing links are straightforward to use. The sole difficulty might be for organizations to embrace the idea that they can permit Anyone links. After all, even if you decide that it’s OK to allow these links, there’s no way to force users to add passwords to the links every time. Perhaps that might be a future feature.


For more information about managing SharePoint Online and OneDrive for Business, read the chapter in the Office 365 for IT Pros eBook.

OneDrive for iOS Gets a Fluent Overhaul https://office365itpros.com/2019/07/19/onedrive-ios-fluent-overhaul/ Fri, 19 Jul 2019 06:51:06 +0000

Color, Fonts, and Softer Looks in OneDrive for iOS

You’ve got to love the phrases Microsoft comes up with to describe changes made to their software. On July 17, they announced a redesigned OneDrive mobile app for iOS that includes a “splash of color” in the header and changes to font sizes and colors to make lists of files more legible. Lastly, the “command sheet” (options available from the […] menu) has a softer look and a draggable surface.

All of this brings joy to the hearts of graphic designers, but the single biggest joy in OneDrive for iOS is its ability to annotate and add notes to PDFs. Although the refresh promises to make things even easier, the functionality is pretty good in version 10.75.9 (updated on July 18).

PDF Markup and Notation

To test things out, I opened the PDF for the sample chapter for the Office 365 for IT Pros (2020 Edition) eBook from a folder synchronized with a SharePoint document library and scrawled “Sample” across the front cover (Figure 1). You can also see a note added to highlight something in the PDF. You can download the sample chapter here.

Figure 1: Annotating a PDF with OneDrive for iOS

Apart from my appalling inability to write “sample” in a legible manner, the interaction is smooth and easy. As always, the larger the screen, the easier it is to mark up documents, but OneDrive for iOS is more than acceptable.

I do wonder how many people know that they can mark up PDFs with OneDrive for iOS like this. It’s the kind of feature that you’d expect in the SharePoint mobile app, which doesn’t yet support it.

Microsoft and PDFs

Microsoft is making PDFs easier to work with in other ways. A recent Petri.com article explains how you can use a new file handler to avoid the need to download PDFs from SharePoint document libraries before you can work with them. The file handler redirects the PDFs to the Adobe Document Cloud where you can annotate and mark them up in a similar manner to OneDrive for iOS.

Microsoft Reveals Secrets of SharePoint Online Storage https://office365itpros.com/2019/06/25/sharepoint-online-storage/ Tue, 25 Jun 2019 07:32:43 +0000

SharePoint Online Storage Protected by Keys Upon Keys Upon Keys

Updated 19 February 2023

One of the interesting aspects of how Microsoft 365 has developed over the past few years is the increasing use of SharePoint Online. Some of the use comes from organizations migrating on-premises SharePoint to the cloud, but the biggest factor driving SharePoint usage for many tenants is the growth in Teams. (In January 2023, Microsoft reported that Teams had 280 million monthly active users.)

If you’re a Microsoft 365 tenant administrator, apart from making sure that you have enough SharePoint storage and knowing what sites are using the storage, you probably don’t think too much about where that storage is and how it’s organized. SharePoint aficionados know that Azure SQL is the basic platform and that SharePoint organizes itself into server farms, but after that, knowledge soon runs out. This is typical of cloud systems: all you care about is the functionality delivered by an application; you don’t need to know its internal architecture or the details of how the application stores objects like documents and lists.

Microsoft Documents Protection for SharePoint Online Storage

Microsoft’s online documentation for Microsoft 365 is getting better and better. Among the recent jewels I found is a Microsoft article published on March 1, 2019 covering the encryption used to protect data used by Microsoft 365 applications like Exchange Online and SharePoint Online. Many interesting facts about SharePoint storage are revealed in the discussion including:

  • How Microsoft manages the encryption keys used to secure SharePoint Online and OneDrive for Business data.
  • How SharePoint splits data up into chunks, each encrypted with its own unique AES 256-bit key.
  • The chunks (files, pieces of files, and update deltas) are held in multiple Azure storage accounts where they are stored as encrypted blobs.
  • How an SQL database tracks the different chunks of data so that they can be assembled and provided to clients. The database also holds the keys needed to decrypt the content.
  • How three keys are used to access data and that data is useless unless all the keys are available. As the document says: “Without access to all three, it is impossible to retrieve the keys to the chunks, decrypt the keys to make them usable, associate the keys with their corresponding chunks, decrypt each chunk, or reconstruct a document from its constituent chunks.”

Microsoft’s description emphasizes the complex network of protection they use to protect customer information. Even if a hacker managed to penetrate a Microsoft 365 datacenter, they would face considerable challenges to figure out what data is present and how to access that data. This is why it’s important to protect against account compromise because the easiest way for a hacker to gain access to confidential customer data is to use compromised account credentials.
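To make the layering concrete, here is a simplified model of the scheme, added as an illustration and not Microsoft's implementation: each chunk gets its own key, the encrypted blobs are scattered over several storage accounts, and the map holds the chunk keys wrapped by a master key, so a document is unreadable when any one of the three stores is missing. The function names, store names (blob store, content database, key store), chunk size, and sample document are assumptions, and an HMAC-SHA256 keystream stands in for AES-256 so that the code runs on the Python standard library alone.

```python
import hashlib
import hmac
import secrets

CHUNK_SIZE = 16  # tiny, so the constructed sample splits into several chunks


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Stand-in cipher (NOT AES): XOR data with an HMAC-SHA256 counter keystream."""
    out = bytearray()
    for i in range(0, len(data), 32):
        pad = hmac.new(key, nonce + (i // 32).to_bytes(8, "big"), hashlib.sha256).digest()
        out.extend(b ^ p for b, p in zip(data[i:i + 32], pad))
    return bytes(out)


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt, then authenticate. Returns nonce || ciphertext || tag."""
    enc_key = hmac.new(key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(key, b"mac", hashlib.sha256).digest()
    nonce = secrets.token_bytes(16)
    body = keystream_xor(enc_key, nonce, plaintext)
    return nonce + body + hmac.new(mac_key, nonce + body, hashlib.sha256).digest()


def unseal(key: bytes, sealed: bytes) -> bytes:
    """Verify the tag, then decrypt. Raises ValueError on a wrong key or tampering."""
    enc_key = hmac.new(key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(key, b"mac", hashlib.sha256).digest()
    nonce, body, tag = sealed[:16], sealed[16:-32], sealed[-32:]
    expected = hmac.new(mac_key, nonce + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed")
    return keystream_xor(enc_key, nonce, body)


def store_document(name, data, blob_accounts, content_db, master_key):
    """Split data into chunks, encrypt each under its own key, scatter the blobs."""
    chunk_map = []
    for offset in range(0, len(data), CHUNK_SIZE):
        chunk_key = secrets.token_bytes(32)              # unique 256-bit key per chunk
        account = secrets.randbelow(len(blob_accounts))  # random storage account
        blob_id = secrets.token_hex(8)
        blob_accounts[account][blob_id] = seal(chunk_key, data[offset:offset + CHUNK_SIZE])
        # The map entry records where the blob is and its key, wrapped by the master key.
        chunk_map.append((account, blob_id, seal(master_key, chunk_key)))
    content_db[name] = chunk_map


def read_document(name, blob_accounts, content_db, master_key):
    """Reassemble a document; needs the blobs, the map, and the master key."""
    parts = []
    for account, blob_id, wrapped_key in content_db[name]:
        chunk_key = unseal(master_key, wrapped_key)
        parts.append(unseal(chunk_key, blob_accounts[account][blob_id]))
    return b"".join(parts)


def can_read(name, blob_accounts, content_db, master_key) -> bool:
    """True only when all three stores yield a complete, authentic document."""
    try:
        read_document(name, blob_accounts, content_db, master_key)
        return True
    except (KeyError, ValueError):
        return False


def demo():
    blobs, db = [{}, {}, {}], {}           # blob store (3 accounts), content database
    master = secrets.token_bytes(32)       # held in the key store
    doc = b"CONFIDENTIAL-ROW" * 4          # constructed sample: 4 identical 16-byte chunks
    store_document("forecast.docx", doc, blobs, db, master)
    return {
        "all_three": read_document("forecast.docx", blobs, db, master) == doc,
        "no_key_store": can_read("forecast.docx", blobs, db, secrets.token_bytes(32)),
        "no_content_db": can_read("forecast.docx", blobs, {}, master),
        "no_blob_store": can_read("forecast.docx", [{}, {}, {}], db, master),
        "chunks": len(db["forecast.docx"]),
        # Identical plaintext chunks still produce different blobs (distinct keys).
        "distinct_blobs": len({b for acct in blobs for b in acct.values()}),
    }


if __name__ == "__main__":
    print(demo())
```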

Sensitivity Labels Deliver More Protection

The page is full of interesting information that should assuage any doubts that security personnel have about sharing confidential information in the cloud. And remember, this scheme applies to all content in SharePoint Online storage. If you want to have an even greater level of security, you can use Microsoft Purview sensitivity labels to apply rights management-based encryption to protect your most valuable documents.

It’s amazing what exists in Microsoft’s documentation, if only we had the time to read it all. I guess that’s why books exist to distil and explain the most important items tenant administrators need to understand about managing the Microsoft 365 applications.


SharePoint Online and Purview Sensitivity Labels are covered in the Office 365 for IT Pros eBook. We don’t get down into the weeds of how SharePoint Online storage is protected in Microsoft datacenters, but we do cover a lot of other valuable stuff.

Teams Increases Group Chat Limit to 100 Participants and Improves Shareable File Links https://office365itpros.com/2019/05/14/teams-increases-group-chat-limit-improves-shareable-links/ Tue, 14 May 2019 07:29:37 +0000

Teams Group Chat Limits

Office 365 Message Center Update MC179396 (Roadmap item 51235) brings the news that Teams group chats now support an increased limit of 100 participants (from the previous 50). The roll-out of the new limit starts in June and should be complete by the end of July, except for GCC tenants.

Group chats are a useful way of getting together a set of people to discuss and refine an issue before bringing it for wider debate (or announce a decision) in a channel or via email. Unlike a team channel, where any member can see anything, a chat is limited to those invited to join. Chats don’t have owners, and anyone in a chat has the same rights as others, including the ability to remove someone else from the conversation. Files shared in a group chat are stored in the OneDrive for Business account of the sharer instead of a SharePoint site.

Figure 1: Naming a Teams Group Chat

It’s good practice to give a name to a group chat. This allows participants to identify the chat in their chat list and it’s also helpful if you ever need to look for something with eDiscovery as the chat name appears in the compliance items captured in Exchange mailboxes of the chat participants.

Teams Shareable File Links with Permissions

Teams has always had the ability to generate links to files stored in its SharePoint sites. Message Center update MC179400 (Roadmap item 51230) tells us that the shareable links created by Teams for posting into channel conversations and chats will now hold permissions in much the same way as the links generated by SharePoint and OneDrive for Business. As shown in Figure 2, you can assign permissions (including the ability to edit) to:

  • Anyone with the link (if allowed by the tenant sharing settings for SharePoint Online).
  • Tenant users with the link.
  • People with existing access (members of the team).
  • Specific people.
Figure 2: Specifying permissions for a shareable link generated by Teams

Once Teams generates a link, you can copy it into a channel conversation or chat. This action converts the link (something like https://tenant.sharepoint.com/:w:/s/O365ExchPro/ER3RMYkKBUBGiPXVqXQFgdkBK-rOsJHA6FSmqrr_75iaeQ?e=jGsU8C ) into a “file chiclet object” (a new term to me).

Figure 3: A File Chiclet Object created from a Teams shareable link

The new form of shareable links is rolling out to Office 365 tenants in May 2019 and should be available worldwide by the end of June.


These small but important changes are the kind of stuff we track on a daily basis to make sure that the Office 365 for IT Pros eBook is as up-to-date as we can make it. Read Chapter 13 for the latest information about Teams.

The Case of SharePoint Online’s Missing Retention Labels https://office365itpros.com/2019/04/08/sharepoint-missing-retention-labels/ Mon, 08 Apr 2019 10:11:54 +0000
Missing Office 365 retention labels in a SharePoint Online document library
Whoops… What did SharePoint Online do with those retention labels?

Sometimes Office 365 is Infuriating

On March 19, I woke up to discover that all the retention labels assigned to documents in the SharePoint Online sites and OneDrive for Business accounts in my Office 365 tenant had disappeared. No trace of any label existed and you couldn’t assign a label to any document.

What was also weird was that the Security and Compliance Center reported “no data” when I went to look at the retention labels, a fact confirmed by PowerShell as the code below (to list retention labels) returned a big fat nothing.

Get-ComplianceTag | Format-Table Name, IsRecordLabel, HasRetentionAction, RetentionDuration, RetentionAction, Mode -AutoSize

Meltdown in the SCC

As it happened, the week when the problem happened was the annual MVP Summit in Redmond, so I was pretty busy. I pinged a couple of my Microsoft contacts and learned that the Security and Compliance Center was having some problems. So much so that engineers had to disable the ability to edit or delete objects. Later, I discovered that an incident (FO176096) was in progress as some Information Protection labels had gone missing. Now, retention labels could be called Information Protection labels, but they are more likely sensitivity labels (a surplus of labels is always a bad thing). In any case, something screwy was clearly going on.

Details of Office 365 Incident FO176096

The incident report promised that data would be restored, so I decided to wait. And wait, and wait… but the retention labels still haven’t turned up in SharePoint Online. On March 26, I thought that something was stirring when I noticed retention labels appear in one or two sites, but that was only the effect of auto-label policies, as confirmed by the Label Explorer in the SCC. You can confirm the same by looking at the Office 365 audit records created when retention labels are applied to documents (the system rather than a user applies the labels).

The Label Explorer confirms a batch of retention labels were applied by an auto-label policy

Return of the Labels

Retention labels first reappeared in the SCC on March 25, which meant that I could once again assign retention labels to SharePoint and OneDrive for Business documents, but the labels assigned to SharePoint documents beforehand remained invisible. Or missing. Or lost. Or in an unknown state. The retention labels were available and persistent in Exchange and Office 365 Groups.

As mentioned above, labels started to reappear in SharePoint due to auto-label policies on March 26. However, the retention labels assigned explicitly to documents did not come back until April 2, two full weeks after I reported the initial issue. Microsoft hasn’t shared a reason with me yet as to why the problem occurred or what they did to recover the labels. For all I know, the labels went into a black hole, stayed there for a while, and then ambled back out into the sunshine.

Problems for Microsoft

There are a number of very bad things here. First, losing retention labels is a big no-no in terms of compliance. I do not know whether the temporary black-out has affected the retention period for these items. I also don’t know how many other Office 365 tenants were affected by the problem.

Second, although I learned about similar symptoms from other tenants, Microsoft never posted an incident notification in the Service Health Dashboard (SHD) of my tenant. Discovering a major loss of functionality through users is not the way things should work, especially considering all the telemetry Microsoft gathers about Office 365.

Third, the tardiness in restoring SharePoint back to full working condition is regrettable. You could say that I am not amused. It’s a sad example of a quality failure inside Office 365.


The Office 365 for IT Pros eBook can’t explain what SharePoint Online did with those pesky retention labels. But we can explain how retention labels should work, which is covered in Chapter 19.

Sharing SharePoint and OneDrive Documents with LinkedIn Contacts https://office365itpros.com/2019/03/13/sharing-with-linkedin/ Wed, 13 Mar 2019 14:52:09 +0000

Easy Sharing with Your LinkedIn Connections

Office 365 Message Center notification MC175683 tells us that Microsoft is “rolling out a new feature to OneDrive, SharePoint, Word, PowerPoint, and Excel Online powered by LinkedIn to enhance the way users connect and collaborate with people outside their organization.” Sounds good, but what does it mean?

First, it’s all about first-degree LinkedIn connections. In other words, people that you have connected with because you accepted their invitation to connect or they accepted your invitation.

Second, your Office 365 tenant must be configured to support connectivity with LinkedIn. And once the tenant is configured, users must connect their Office 365 account with their LinkedIn account. If they don’t, Office 365 won’t have the rights to retrieve information about contacts from LinkedIn.

People Suggestions

With everything in place, Office 365 loads first-degree connections into the “people suggestions” list used by SharePoint Online and OneDrive for Business to respond to names typed in by a user when they share a document. The idea is that by including LinkedIn contacts in the suggestions list, it will be easier for Office 365 users to collaborate with those contacts.

Sharing a SharePoint Document with a LinkedIn Contact

Take the example below where I want to share a document from a SharePoint Online library. In the past, if I wanted to share it with a LinkedIn contact, I would need to know their email address to send a sharing invitation. With the LinkedIn contacts loaded into the people suggestions list, all I do is type in the first few characters of the name (in this case “Shane”) to see an integrated set of contacts built from my Office 365 tenant directory (including guest users), LinkedIn contacts, and email contacts (including the auto-complete list used by Outlook and OWA). It’s a smooth and easy experience.

Sharing a SharePoint Online document with a LinkedIn contact
Browsing LinkedIn contacts in SharePoint Online’s Suggested People list

Perhaps the most important thing about the new point of integration between Office 365 and LinkedIn is that including the LinkedIn contacts in the suggested people list means that Office 365 sends the sharing invitation to their latest email address (as in their LinkedIn profile). Hopefully, contacts keep their email addresses updated, which means that there’s a higher chance that the invitation will arrive in the right place.

Sharing in Office Online Apps

The same kind of sharing works with OneDrive for Business and with the online versions of Word, Excel, and PowerPoint (but not the desktop versions).

Selecting to share from a mixture of tenant users and LinkedIn contacts in Word Online

The feature is now rolling out within Office 365 and is available to targeted release users. Microsoft expects the rollout (except to Government customers) to be complete by the end of April 2019.


For more information about sharing Office 365 documents, read Chapter 8 of the Office 365 for IT Pros eBook.

OneDrive for Business Launches the Recent View https://office365itpros.com/2018/11/24/new-recent-view-in-odfb/ Sat, 24 Nov 2018 10:43:56 +0000

OneDrive For Business (ODFB) is a core Office 365 workload that is continuously evolving and adding new features to increase user productivity. As disclosed at Microsoft Ignite 2018, Microsoft is now rolling out a new “Recent view” in ODFB to expose the recent documents we have been working on and the last time we accessed them.

Depending on the context and the permissions we have on the selected document, the user has different options to interact with the document.

We cover OneDrive For Business in Chapter 9 of the Office 365 for IT Pros eBook.

Mass Delete Notifications for SharePoint Online and OneDrive for Business https://office365itpros.com/2018/08/29/mass-delete-email-sharepoint-onedrive/ Wed, 29 Aug 2018 14:12:10 +0000

Best-Effort Email Notifications for Mass Deletions

On August 28, Microsoft published MC147280 in the Office 365 Message Center to inform tenants that they’re about to introduce “best-effort” email notifications to users when “a higher than usual number of files are deleted per hour”. Microsoft doesn’t say what criteria they use to calculate a higher than usual number of deleted files in an hour.

For OneDrive for Business, the email notification will tell the account owner about the deleted files and how to recover the files from the Recycle Bin. For SharePoint Online, the person who deleted the files (a site owner or a member) gets the same kind of email.

The interesting thing about Office 365 updates like this is to ponder why Microsoft feels that they should introduce such a feature. Have we seen a rash of users deleting every file to hand in their OneDrive account, or site members going crazy in SharePoint? Has Microsoft come to the conclusion that they need to step in based on the data gathered about usage patterns in the Microsoft Graph?

Reducing Support Calls

The answer is likely more prosaic. I think this is another attempt by Microsoft to proactively reduce support costs by telling users when they might have made a mistake and deleted files that they shouldn’t – and the support call comes in to ask Microsoft where the files have gone and how to recover them.

Support is expensive and it makes sense for Microsoft to take steps to reduce the number of potential calls in this manner. Users are also likely to be happier if they get a note to inform them that they might have made a mistake. Let’s face it, avoiding the opportunity to log a support call for Office 365 is always a pleasure.

On the other hand, users might be annoyed when they receive email about a perfectly legitimate action that they deliberately and purposefully set out to accomplish. It smacks a little of “Big Brother is Watching” when email arrives out of the blue to say something like “We’ve noticed that you’ve just deleted a lot of files…”  Clippy for the cloud?

Retention Labels

Although you might not be able to stop users deleting files from their OneDrive for Business account (they are, after all, personal files), you can easily stop users removing documents from SharePoint Online libraries by assigning labels to individual documents or Office 365 retention policies to sites. For instance, if you assign a label called “Important” to a document, and that label has a retention period of five years, then site members won’t be able to delete it until the retention period expires.

Auto-label policies (part of Office 365 E5 and the advanced data governance add-on) can be deployed to find and label documents based on sensitive data types or keyword queries, so you can make sure that the most important files in an organization are retained.

More Detail to Follow

Microsoft says that they are rolling out the new feature to targeted release tenants now and will continue the roll-out for standard release tenants in late September, following the normal 30-day delay between targeted and standard deployments.

Earlier today I deleted 40 documents from my OneDrive for Business account to try and provoke a mass delete notification. Typically, I might delete one or two items a day, so 40 seemed to comfortably be in the zone for OneDrive to notice and react. So far, several hours later, no message has arrived. Maybe the feature hasn’t reached my targeted release tenant yet. Now how do I recover those blasted documents?

For more information about managing SharePoint Online and OneDrive for Business, see Chapter 8 of Office 365 for IT Pros. For information about creating, deploying, and managing Office 365 retention policies and labels, see Chapter 19.

Avanan’s PhishPoint – FUD or a Real Problem? https://office365itpros.com/2018/08/16/phishpoint-fud-or-problem/ Thu, 16 Aug 2018 20:09:20 +0000

PhishPoint

A New Attack

Avanan is an Israeli security company that has a track record of pointing to Office 365 security and saying that it could be improved. In some cases, like their criticism of MTA-based email scanning a la Mimecast, I think they have a point. In others, I’m not so sure.

Take the “PhishPoint” episode, reported by Avanan to affect 10% of the Office 365 customers they work with. Avanan duly scales this number up to estimate that the problem affects the same percentage globally, or 13.5 million of the 135 million active Office 365 users (the last official number – likely higher by about 15 million now). I must be missing something here, because if 13.5 million Office 365 users had been attacked through a malicious SharePoint document, I think Twitter and other social media would be in global meltdown. And they’re not.

The attack involves an embedded URL in an email that leads to a real SharePoint document (presumably in an Office 365 tenant owned by the attacker) that invites the victim to sign into Office 365 to read the content of another document that’s shared in OneDrive for Business. The result is a dummy sign-in screen that looks like the regular Azure Active Directory sign-in, which is where the attacker gathers user credentials, presumably for later use to compromise their account, perhaps in a Business Email Compromise attack.

Will Users Notice the Flaws in the Attack?

I’m sure some people will be deceived by the scheme, but I’ve got to hope that the majority will notice signals like being taken from one document to another (odd when you think about how sharing works inside Office 365), followed by a sign-in screen whose URL has no connection to Office 365 and, in Avanan’s posted example, is flagged as “dangerous.”  Perhaps the Office 365 customers that Avanan deals with are less well-trained, which is why 10% of them have been affected.
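The check on the sign-in screen's URL can also be done mechanically, for example in a mail or proxy triage script. The following is an added example (not from the original post or from Avanan): a Python function that decides whether a sign-in page URL really points at a Microsoft sign-in host and rejects the common disguises. The trusted-host list, verdict strings, and sample URLs are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit

# Assumption (not from the article): hosts this organization accepts as genuine
# Microsoft sign-in endpoints. Adjust for national clouds or a federated IdP.
TRUSTED_SIGNIN_HOSTS = frozenset({"login.microsoftonline.com", "login.microsoft.com"})

# Constructed sample URLs; the .example hosts are reserved names, not real sites.
SAMPLE_URLS = [
    "https://login.microsoftonline.com/common/oauth2/v2.0/authorize",
    "https://login.microsoftonline.com.signin.example/common",  # trusted name as a prefix
    "https://login.microsoftonline.com@signin.example/",        # trusted name as userinfo
    "http://login.microsoftonline.com/",                        # no TLS
    "https://l\u043egin.microsoftonline.com/",                  # Cyrillic 'o' homoglyph
    "https://files.example/office365/signin.html",              # unrelated host
]


def classify_signin_url(url: str) -> str:
    """Return 'trusted' or a 'reject:<reason>' verdict for a sign-in page URL."""
    try:
        parts = urlsplit(url.strip())
        host = parts.hostname
        has_userinfo = parts.username is not None
    except ValueError:
        return "reject:unparseable"
    if parts.scheme != "https":
        return "reject:scheme"
    if not host:
        return "reject:unparseable"
    if has_userinfo:
        # Everything before '@' is credentials, not the host the browser contacts.
        return "reject:userinfo"
    try:
        # Normalize to the ASCII (punycode) form so homoglyph hosts become visible.
        ascii_host = host.rstrip(".").encode("idna").decode("ascii")
    except UnicodeError:
        return "reject:unparseable"
    if ascii_host in TRUSTED_SIGNIN_HOSTS:
        return "trusted"  # exact match only, never a suffix or substring match
    if any(label.startswith("xn--") for label in ascii_host.split(".")):
        return "reject:idn"
    if any(name in ascii_host for name in TRUSTED_SIGNIN_HOSTS):
        return "reject:lookalike"
    return "reject:unknown-host"


def triage(urls):
    """Classify each URL; returns a dict of url -> verdict."""
    return {u: classify_signin_url(u) for u in urls}


if __name__ == "__main__":
    for url, verdict in triage(SAMPLE_URLS).items():
        print(f"{verdict:22} {url}")
```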

Joking apart, the report does highlight that malicious code can be introduced through infected documents. Solid user training to warn people about how attackers work should be given on an ongoing basis. Threats evolve all the time, so training needs to keep pace.

Read, Understand, Decide

Avanan’s business is based on convincing people that they need extra layers of security to keep Office 365 safe. Some of the reasons they advance are good, some are FUD (I thought this example was in 2016). The articles that they write about Office 365 security are worth reading (like “8 Security considerations when moving to Office 365”), if only to cause you to pause for thought and consider whether you need to do more to secure your tenant. But don’t take everything at face value. You understand your tenant better than anyone else, so always put the information presented by a third party into that context and then make decisions.

For more information about SharePoint Online and OneDrive for Business, read Chapter 8 in Office 365 for IT Pros. For more information about Advanced Threat Protection and Exchange Online Protection, see Chapter 17.

 

Why SharePoint Online and OneDrive for Business Have a One Hundred Version Minimum https://office365itpros.com/2018/08/16/sharepoint-online-versions/ Thu, 16 Aug 2018 11:57:29 +0000


Minimum Versioning Coming Soon

In Office 365 Message Center MC146556, Microsoft announced today how organizations can avoid using the new minimum of one hundred versions for files stored in SharePoint Online and OneDrive for Business libraries.

The new feature comes into effect on September 30, 2018. Before then, if you want to avoid using the feature, you must download and install the latest version of the PowerShell module for SharePoint Online (make sure that you have version 16.0.7918.1200 or better). After updating the module, run the command:

Set-SPOTenant -EnableMinimumVersionRequirement $False

If you don’t do this before September 30, Microsoft will enable minimum versioning for all SharePoint Online and OneDrive for Business libraries. To configure versioning for a site, access the library settings page for a document library (Figure 1) and set the value for major versions to anything between 100 and 50,000.

Configuring the versioning setting for a SharePoint Online document library
Figure 1: Configuring the versioning setting for a SharePoint Online document library

Customer Pushback

Microsoft originally announced that this feature would be enabled for all sites, but they obviously received some pushback from customers who don’t want to keep so many versions. This might have been an acceptable position in the on-premises world when you’d be worried about the storage consumed to keep so many versions, but it really doesn’t make much sense in the cloud. The storage used to keep versions is not charged against your tenant quota and Microsoft takes care of providing the physical storage that’s needed.

AutoSave and Restore Need Versions

Another reason why minimum versioning is a good thing to have is that features like AutoSave of Office documents (needed for co-authoring) and the ability of OneDrive and SharePoint Online to restore files to a point in time within the last 30 days depend on versions being available. If you don’t have the versions, you can’t recover files.

For more information about SharePoint Online and OneDrive for Business, see Chapter 8 in Office 365 for IT Pros.
