TODD KLINDT todd@toddklindt.com @toddklindt www.toddklindt.com - - PowerPoint PPT Presentation

TODD KLINDT

 

todd@toddklindt.com @toddklindt www.toddklindt.com

www.toddklindt.com/OmahaSPUG

AGENDA

       

  8 – 5ish  Breaks once an hour or so  Lunch noon-ish   Name  Company  What do you do?  What are you looking for?

WHAT’S NEW IN SHAREPOINT 2019?

 All Modern

 Sites  Lists & Libraries

 SharePoint Home Page  15 GB Upload limit  Fast Site Creation  OneDrive Sync Client  Recycle Bin for other users

TOPOLOGIES

  

THREE TIERS OF SHAREPOINT

 Web Front End (WFE)

 Front of the house server  Hosts web apps and replies to user

requests

 Load balancing is not included

 Application Servers

 Back of the house  Catch all for non WFE boxes  Very flexible  Internally load balanced

 Search requires more hand holding

DATABASE TIER

     ConfigDB can be on one  Content DBs on another  Service App DBs  BI on another, even a different version

SINGLE

DOUBLE

TRIPLE

MORE TRIPLE

SCALING SEARCH - 2016

HYBRID SEARCH - 2016

2016 FULL MINROLE

2016 FULL MINROLE FP1

SHAREPOINT 2016 / 2019 PRODUCTION HARDWARE MINIMUMS

80 GB C: Drive

 Windows  SharePoint root (16 hive)  Windows and all its patches for the next 5

years

 SharePoint uses this as temp

100 GB Second Drive

(required)

 Move everything you can here (logs,

inetpub)

 All servers must have the same letters

 4 cores  Memory

 16 GB Production server in 3 tier  24 GB All-in-one dev or eval  12 – 16 GB limited dev

 Gigabit Ethernet - 1 ms latency

SQL (PHYSICAL OR VIRTUAL)

SharePoint performance comes from here IOPS are king, nothing fixes bad IOPS 0.05 to 0.2 IOPS per GB for content Using SQLIO or SQLIOSim to measure Ask your DBAs, they’re good people SQL RAM



8 GB minimum



16 GB realistic



32 GB < 2 TB

FOUR STEPS TO A GOOD INSTALL

 Prerequisite Installer (prerequisiteinstaller.exe)

 Don’t forget any forgotten prereqs

 Install SharePoint bits

 setup.exe  Patches and language packs

 Configure the bits

 Grey Wizard  PowerShell if you’re fancy

 Configure the Farm

 White Wizard  Central Admin  PowerShell

LET’S START INSTALLING

 Log in as sp_install

 Must be local admin  Go ahead and do SQL permissions now too  Service account guidelines at

https://www.toddklindt.com/SP2013ServiceAccounts

 Can run on one or many servers at once

PREREQUISITE INSTALLER

 Splash Screen  prerequisiteinstaller.exe in SharePoint Download  Configures necessary Windows Features  Downloads and installs necessary software

 Can be installed locally and offline  Can be scripted  /? For details  Remember forgotten patches

 Run the wizard at the end, no matter what

SHAREPOINT 2016 SPLASH

SHAREPOINT 2016 PREREQS

FINALLY!

WHAT NOW?

 Language packs  Patches that weren’t slipstreamed  Getting excited about creating the farm!

CREATE THE FARM

 Do this on Central Admin server  Open SharePoint Management Shell

 Log in as sp_install  Run as Administrator  Local Windows Admin and SQL dbcreator and securityadmin

 PowerShell!

 New-SPConfigurationDatabase -DatabaseName SharePoint_Config

• DatabaseServer <your SQL Server> -

AdministrationContentDatabaseName SharePoint_Admin_Content

 2016 / 2019

 -ServerRoleOptional  -LocalServerRole

 Enter Farm Account when prompted

 Use Domain\username  sp_farm only needs to be a domain member

 Farm Passphrase

 Secures inter-farm communication and encrypts passwords  Used when adding or removing servers from farm  Can be changed later  Can be added to New-SPConfigurationDatabase  -Passphrase (ConvertTo-SecureString “pass@word1" -

AsPlainText -force)

CONFIG WIZARD

 The Grey Wizard  Finishes up Farm creation  Creates Central Admin

 Pick an easy port like 5555  NTLM, always! No exceptions!

 When your browser opens Central Admin you’re done!  Pat yourself on the back  Can all be done in PowerShell

 https://www.toddklindt.com/createfarm

ADDITIONAL SERVERS

 Wait until Central Admin pops on first server  Run Grey Wizard  Enter Passphrase  Finish Wizard  You can run as many as you want simultaneously

CONFIGURE THE FARM

 Slow down there, partner!

SERVICE APPLICATIONS NOTES

 Create them in alphabetical order  Use PowerShell where necessary to avoid GUIDs 

Search https://www.toddklindt.com/createsearch2013

 Don’t create ones you don’t need

RANDOM SERVICE APP STUFF

 They use Claims to communicate under the hood  PowerShell allows you to go another layer deep with most  For optimal performance all Service Applications should run in the

same application pool

 You should use a dedicated Service Application account

ACCOUNTS

 SharePoint loves service accounts  SP_Install

 Local Administrator on all SharePoint Servers  Dbcreator, securityadmin, public roles in SQL Server

 All other accounts SharePoint will configure for you for the most part  SP_Farm

 Entered when creating farm  Central admin app pool  SharePoint timer service run as this identity

 SP_ServiceApp

 Used for the application pool identity for your service applications

 SP_Webapp

 Used for your SharePoint web applications application pool

MORE ACCOUNTS

 SP_UserProfile



Used to sync info from AD to SharePoint



Needs lots of crazy permissions that are covered in User Profile module

 SP_Content



Used by Search as the default content access account

 SP_SuperUser



Used for the SharePoint publishing cache



Will manually need to give full control of web applications (policy) and run PowerShell

 SP_SuperReader



Used for the SharePoint publishing cache



Will manually need to give read for web applications (policy) and run PowerShell

 Keep them under 20 characters  Use different accounts for each farm  Cheat sheet



https://www.toddklindt.com/SP2013ServiceAccounts

PATCHING

 Always be aware of the latest Security and Cumulative Updates

even though you aren’t installing as you go

 Remember on old platforms a lot of the updates are around making

your migrations go smoother

 https://www.toddklindt.com/sp2016builds  https://www.toddklindt.com/sp2019builds

 Start finding your rhythm for keeping up with the changes for

SharePoint Online

HOW DO I GET TO IT?

THREE MAIN WAYS

 Web Browser  Rich Clients  Mobile Clients

YOUR BROWSER

 Any browser

 no really  Chrome  IE  Edge (barf!)  Sleipnir, etc.

 Any device

 Windows desktop  Mac desktop  Linux  Phones  Toasters…

EMAIL

CALENDAR

I’LL NEVER REMEMBER ALL OF THIS!!

 Office.com to the rescue

WEB CLIENTS

RICH CLIENTS

 Outlook

 Email  Calendar  Contacts  Tasks

 Skype for Business  Teams  Content Apps

 Word  Excel  PowerPoint  OneNote

 OneDrive Sync Client

THE SHAREPOINT INTERFACE

SHAREPOINT

TEAM SITE

FILES AND SHAREPOINT

WHAT ABOUT ONEDRIVE?

ONEDRIVE

 OneDrive is many things

 A consumer product (we don’t care about that)  Your personal site in Office 365  The client that syncs to your desktop

ON THE GO

MOBILE CLIENTS

 Outlook  SharePoint  OneDrive  Word  Excel  PowerPoint  OneNote  Skype for Business  Teams  Planner  Flow  Stream  Powerapps  Office 365 Admin  Dynamics  Azure Admin  Intune  StaffHub  Power BI

BORING SECURITY STUFF

SHARING EMAILS

PHONIES?

GROUPS

 Security construct in Office 365  Public or Private  Used to bundle permissions across products

 SharePoint  Teams  Planner  Exchange  Power BI

 By default, anyone in your tenant can create a Group  When you delete the group, everything goes bye-bye

HUBS

 The cure to what ails us

 No more need for subwebs

 Consistent experience

 Navigation  Search  Look and feel

 How?

 Create a modern site  Set it as a hub  Customize to taste  Assign other sites to the Hub Family

HYBRID

Chocolate and Peanut Butter

PLAN FOR SHAREPOINT ONLINE

 This is for future you  Even if you aren’t on SPO yet you will be (scary Yoda voice)  Try to start making decisions that will translate well

 Branding  Customizations  Information architecture (Site collections people)

HYBRID

 Direct from SharePoint

 Search Service Application  OneDrive for Business  Logging  Managed Metadata  The Waffle

 On-Prem Data Gateway

 Expose SharePoint, SQL, File shares and more to:  PowerApps, Power BI, Microsoft Flow, Azure Logic Apps

EMBRACE THE ECOSYSTEM

 Not saying to abandon SharePoint but time to augment your skills  Take a look at one of the Online bolt-ons

 PowerApps – Replace InfoPath and Access web apps with this tool  Power BI – Finally, the BI tool we have all been looking for with

Kerberos

 Microsoft Flow – Workflows and then about a million things more

 All of these tools integrate with SharePoint well and let you build

and expand what you can do by starting in a familiar place

AUTHENTICATION

AZURE ACTIVE DIRECTORY

 If you are going to do anything with Office 365 this is step one  This is a very valuable skill set to add to the resume  Stop reinventing the authentication wheel  Walk through guide

 https://www.youtube.com/watch?v=duYYmqzx0Rc

IDENTITY BRIDGE

Active Directory LDAP Azure AD Connect

(sync + sign on)

DEFINING TERMINOLOGY

 (Windows) Active Directory  User Principal Name (UPN)  Azure Active Directory (AAD)  Identity as a Service  Hybrid  DirSync  ADFS  Azure AD Connect (AADC)  SSO  The other SSO

TOPOLOGY & SECURITY

 ADFS vs DirSync vs Pass-Through

 Federation starts with synchronization  Pass-through, best of both worlds?

 Multifactor Auth

 Yours or theirs  Flip of a switch

SAME SIGN ON SCENARIO

SINGLE SIGN ON SCENARIO

PASS-THROUGH AUTH

ACTIVE DIRECTORY CORE CONCEPTS AND CONCERNS

 FSMO roles, AD DNS, WINS, etc  Dirty Directories  2003 Everyone group -> 2008 Authenticated Users group  IsCriticalSystemObject objects are not synced

 I’m looking at you Domain Users

 UPN issues  Schema Extensions

ON-PREM SERVER, CLOUD AUTH

 Azure AD with your on-prem SharePoint Server

 Get Azure AD set up  Set up SSL  Create new Enterprise Application in Azure AD  Configure new Trusted ID in SharePoint 2016  Set permissions on SharePoint 2016  Enable SAML 1.1 token in Azure AD  Verify provider  Some cleanup

 Kirk’s Instructions here

SECURITY STUFFS

AZURE IDENTITY MANAGEMENT SECURITY OVERVIEW

 Single sign-on  Reverse proxy  Multi-factor authentication  Security monitoring, alerts, and machine learning-based reports  Consumer identity and access management  Device registration  Privileged identity management  Identity protection  Hybrid identity management  https://docs.microsoft.com/en-us/azure/security/security-identity-

management-overview

WHAT’S IN EMS E5?

AZURE AD CONNECT WALKTHROUGH

ASSUMPTIONS

 Windows Active Directory Domain

 It works  Forest and Domain Windows 2003 functional level or higher  Not Single Level or dotted

 AD Connect Server

 Windows 2008 or greater

 Own an Internet domain and control DNS  Have an Azure or Office 365 Tenant  Domain admin and tenant admin creds

BEFORE PICTURE

ADD INTERNET DOMAIN

VERIFY DOMAIN

TXT RECORD SHUFFLE

YOUR DNS HOST

THE EASY WAY

VERIFYING…

WITH POWERSHELL

 V1  New-MSOLDomain  Get-MsolDomainVerificationDns  Confirm-MsolDomain  Set-MsolDomain  V2  New-AzureADDomain  Get-AzureADDomainVerificationDnsRecord  Confirm-AzureADDomain  Set-AzureADDomain

NOW, ANOTHER WORD ABOUT DNS

DIY

FUNCTION CHECK

FUNCTION CHECK

START SYNCING

IS DIRECTORY SYNC RIGHT FOR YOU?

STEP 1

MORE CHECKING…

STEP 2 - HRC

MORE DNS DRAMA

STEP 3 – IDFIX AND AADC

MORE FIXIN’

HOUSTON, WE HAVE A PROBLEM…

ON TO AADC

INSTALL AND CONFIG

ALMOST THERE

THE PUDDING

ADVANCED MOVES

VIEWING AADC

CUSTOMIZING AADC

MIISCIENT

POWERSHELL

ONEDRIVE

ONEDRIVE (CONSUMER) (FOR PLEASURE)

 White Cloud  Free

 Storage only  5 GB

 $2 a month

 Storage only  50 GB

 Office 365 Personal $70 a year

 Storage and Office 365 clients for 1 person  1 TB

 Office 365 Home $100 a year

 Office 365 Personal for 5 people

ONEDRIVE FOR BUSINESS

 Blue Cloud  SharePoint on premises



Fancy name for My Site

 SharePoint Online / Office 365



Fancy name for My Site

 Uses same sync client



Sometimes…



Sometimes same functionality

 Which OneDrive?



www.whichonedrive.com

A SLIDE TODD DIDN’T WANT TO TITLE

 https://admin.onedrive.com  All your settings in one place

 Sharing  Syncing  Device Access

MIGRATION

AGENDA

 Figure out where you are going  Evaluate your content  What tools are available to get there  Go deeper on the built in tools

WHERE DO YOU WANT TO GO?

 Save the drama: The default answer is SharePoint Online

 This is hard to say

 Even if you decide to go On-Prem have an eye out for what does

Online look like

 You are going to end up there sooner or later  Look out for future you  Stop sinning

WHAT DOES YOUR DATA LOOK LIKE?

 Did you commit sins in your past?  The Fab 40 templates and the evil they delivered (2007)  Bucket webs (2003)  Blogs, wikis, anonymous sites and a host of buzz words concepts

(all)

 Mega Site Collection (all)  SharePoint Designer is Free (OMG)

WHAT SHOULD YOUR DATA LOOK LIKE?

 Lots and lots of Site Collections

 Webs are now naughty

 No Broken Inheritance (Permissions)  Be as out of the box as possible

HELPING HANDS

 Document your farm with PowerShell

 https://technet.microsoft.com/en-us/library/ff645391.aspx

 Upgrade Planning Worksheet

 http://go.microsoft.com/fwlink/p/?LinkId=256659

 SPDocKit

 https://www.spdockit.com/  Also good for periodic reviews

MICROSOFT’S TOOL

 Start with SharePoint Migration Assessment Tool (SMAT)

 https://www.microsoft.com/en-us/download/details.aspx?id=53598  Not required but if you are moving to online it catches common

• issues. If you are moving to on-prem and like to know as much as

possible it doesn’t hurt.

 Command line tool

DOCUMENT, DOCUMENT, DOCUMENT

 Any and all settings in ConfigDB  Farm

 AAMs, Managed Paths, Solutions, Security

 Service Apps  Web Apps

 Recycle Bin, Auth providers, Policies, File Upload

 IIS

 Host Headers, certs, web.config

 Customizations

GO 3RD PARTY

 Lots of partner solutions that give you a drag and drop

experience

 Great if you are breaking up a lot of Site Collections

POWERSHELL

 Thanks to PNP you can move a lot with PowerShell

 Lots of control but very manual  Video – Moving file shares to SharePoint Online using PowerShell  https://www.youtube.com/watch?v=PbusAK1tMjU

SHAREPOINT MIGRATION TOOL

 Headed to the cloud? This is interesting

 https://docs.microsoft.com/en-us/sharepoint/migrate-to-sharepoint-

• nline/introducing-the-sharepoint-migration-tool

 Works with on-prem data and file shares  Seems to get better all of the time

ON-PREM TO ON-PREM

 Our old friend Database Attach

YOU AREN’T ONE OF THE 3 MUSKETEERS

 It isn’t all for one, and one for all  Mix and match tools as you see fit

UPGRADE PATH

 No shortcuts  Upgrade 2007 (SP2 or later) to 2010  Upgrade 2010 (RTM or later) to 2013  Upgrade 2013 (RTM or later) to 2016  Upgrade 2016 (RTM or later) to 2019  Or do it by hand

UPGRADE PROCESS

 Make Read-Only  Detach from old farm



Don’t delete

 Backup in SQL  Restore to new SQL instance  Fix permissions (different service accounts, right?)  Make Writeable  Do Service Apps first  Attach Content Databases

NEW TO SHAREPOINT 2019

 Classic Team sites are not upgraded to Modern Team sites  Lists and Libraries will get Modern experience  Must create Modern Team site and migrate  Requires Windows 2016 and SQL 2016

NEW TO SHAREPOINT 2016

 Mostly the same as SharePoint 2010 to SharePoint 2013  Database attach via PowerShell

 Central Admin does not upgrade the database

 Don’t copy your SharePoint 2013 topology

 Look at MinRole  Look at other MinRole  Avoid CustomRole  Hybrid scenarios  Project Server is built in

 Excel Services is replaced by Excel OOS

SHAREPOINT 2016

 Find 2010 (14.5) mode site collections

 Get-SPSite -ContentDatabase <database name> -Limit All | Where-

Object { $_.CompatibilityLevel -eq 14 }

 Site Collections are Upgraded on Mount

 -skipsiteupgrade  Upgrade-SPSite  Upgraded at first browse by Site Admin

SHAREPOINT SEARCH

 Are you using Cloud Search?  Affects hardware topology  Licensing  Cannot be converted, must be created new  https://www.toddklindt.com/happycssa

SUPPORTED DATABASES

 All Content Databases

 More on MySites later

 Service Apps

 BCS  Managed Metadata  PerformancePoint  Secure Store (need passphrase)  User Profile  Search Administration (not index or property dbs)

 Analytics

MYSITES AND ONEDRIVE FOR BUSINESS

 Should you upgrade them at all?  Time to try out that cloud

 RTM for 2016 or 2019, Service Pack 1 for 2013  Office 365 licenses  Authentication must be in place

 Not migrated automatically

 User can do it  Third party tool ☺

TEST DATABASES

 PowerShell to the rescue

 Test-SPContentDatabase –name <DBName> -webapplication

https://sp2016.contoso.com

 Look at fancy switches

 -ShowLocation  -ShowRowCounts

 Works the same in 2010, 2013, and 2016  Video walk through:

 https://www.youtube.com/watch?v=OzetC1OMFOA

THINGS WE’VE SCREWED UP

 Add Managed Paths before mounting databases  Upgrade web app root site collection first  Use the same URLs  14 = SharePoint 2010

15 = SharePoint 2013

 16 = SharePoint 2016

16 = SharePoint 2019

OFFICE ONLINE SERVER

 They are awesome and you need them  The must be on their own servers  They require Claims authentication  Require licenses, and downloads are hidden  OOS is required for Excel Services in 2016

SPEAKING OF CLAIMS

 Claims is the word  Classic is only for migration  Migrate to 2016, then convert

 Coke v. Pepsi  Makes two changes

 Start thinking about Azure AD

FEATURES AND SOLUTIONS

 Good time to look at the App Model, Add-ins, SharePoint

Framework, whatever it’s called today

 2010 and 2013 stuff mostly just works  Hopefully you were a good boy or girl and did everything as

WSPs

 Old blog post for getting WSP out of the database

 http://msmvps.com/blogs/shane/archive/2011/05/05/using-

powershell-to-export-all-solutions-from-your-sharepoint-2010-farm- and-other-fun

UPGRADE A DATABASE

 Test-SPContentDatabase –Name WSS_Content_Upgrade –

WebApplication http://upgrade.contoso.com

 Ignore any bad news

 Mount-SPContentDatabase –Name WSS_Content_Upgrade –

WebApplication http://upgrade.contoso.com

TESTING…

UPGRADING…

THINGS THAT ARE THE SAME

 The commands we just ran  One upgrade log file per upgrade  One upgrade error log file per upgrade  ..\15\logs (\16\logs)  Still mount multiple databases at same time  Look and feel are upgraded automatically in SharePoint 2016

POWERSHELL

AGENDA

Talk about Microsoft’s PowerShell Talk about PNP Look at some kick *** scripts

OFFICIAL CMDLETS

THERE ARE 4 THINGS TO INSTALL

 Microsoft Official Office 365 PowerShell cmdlets  Install Sign-in Assistant – 64bit  Install MSOnline Module (v1) – GA  Install Azure AD Module (v2) (Release or Preview)  Install SharePoint Online Module  Install Skype for Business Online Module  Connect to all Office 365 Services

BEFORE YOU CONNECT

 Have to be able to Run PowerShell as an Administrator  Have to be an Office 365 Global Administrator

 Except Exchange

 Should be running PowerShell 3.0 or later

 $PSVersionTable.PSVersion

 Recommend 5.1 on your Windows desktop

 Also consider adding PSReadLine if you are not on Win10  Video walkthrough

 Execution policy needs to be RemoteSigned

TANGENT: TALK ABOUT PASSWORDS

 You will need your O365 username and password a lot so you have good and bad

• ptions:

 Annoying but secure

$MyAccount = Get-Credential

 Less annoying and way, way less secure

$username = admin@company.onmicrosoft.com $password = “RightHereInPlainText” $secure = $password | ConvertTo-SecureString -AsPlainText –Force $MyAccount = New-Object System.Management.Automation.PSCredential ($username, $secure)

 Use an encrypted file

CREDENTIAL MANAGER

 Use Credential Manager  Install-Module credentialmanager -Scope CurrentUser  New-StoredCredential -Target O365 -UserName admin@tkdemo.com

• Password Password2 -Persist LocalMachine

CONNECT TO YOUR AZURE AD TENANT

 MSOnline (v1)

# $MyAccount = Get-Credential $MyAccount = Get-StoredCredential -Target O365 Connect-MsolService -Credential $MyAccount Get-MsolUSer Get-Command -Module msonline

 AzureAD (v2)

$MyAccount = Get-Credential Connect-AzureAD -Credential $MyAccount Get-AzureADUser Get-Command -Module AzureAD

 Install-Module azuread

FUN GOTCHAS

DON’T TRY THIS AT HOME

CONNECT TO SKYPE FOR BUSINESS

$Skype = New-CsOnlineSession -Credential $MyAccount Import-PSSession $Skype Get-CsOnlineUser Remove-PSSession $Skype

 This one can be confusing. Remember that Skype for Business, Lync, and

Communication Server are all the same thing. The cmdlets and documentation tend to use them interchangeably. 

CONNECT TO EXCHANGE

$Exchange = New-PSSession -ConfigurationName Microsoft.Exchange - ConnectionUri "https://outlook.office365.com/powershell-liveid/" - Credential $MyAccount -Authentication "Basic" -AllowRedirection Import-PSSession $Exchange Get-Mailbox Remove-PSSession $Exchange

 Skype and Exchange are limited to 3 sessions so always end your session.

EXCHANGE ONLINE

 Just a little different

 No cmdlets, uses Remoting  Limited to three sessions  Requires port 80  Close out gracefully

 Remove-PSSession $Session

 Supports MFA

New-Mailbox -Alias jill -Name jill -FirstName Jill -LastName Klindt - DisplayName "Jill Klindt" -MicrosoftOnlineServicesID jill@tkclass.onmicrosoft.com -Password (ConvertTo-SecureString -String 'P@ssw0rd' -AsPlainText -Force) -ResetPasswordOnNextLogon $true

LICENSE UP THAT NEW MAILBOX

Set-MsolUser -UserPrincipalName jill@tkclass.onmicrosoft.com – UsageLocation "US" Get-MsolAccountSku Set-MsolUserLicense -UserPrincipalName jill@tkclass.onmicrosoft.com

• AddLicenses "tkclass:O365_BUSINESS_PREMIUM"

POWERSHELL WITH SHAREPOINT ONLINE

 Be prepared for disappointment  Allows basic manipulation of SharePoint Online

 Users and groups  Tenants  Site Collections  Hub Sites  Multi-Geo

 Download here  Install-Module -Name Microsoft.Online.SharePoint.PowerShell

USEFUL SHAREPOINT THINGS WITH ALL OF THAT

<This Slide Intentionally Left Blank>

CONNECT TO SHAREPOINT ONLINE

Connect-SPOService -URL https://Tenant-admin.sharepoint.com

• Credential $MyAccount

Get-SPOSite Get-Command -Module Microsoft.Online.SharePoint.PowerShell

EXAMPLE SCRIPT

REAL WORLD EXAMPLE

Param( [Parameter(Mandatory=$true)] [ValidateNotNullOrEmpty()] [string] $User ) # Add the Active Directory bits and not complain if they're already there Import-Module ActiveDirectory -ErrorAction SilentlyContinue # Add the Azure Active Directory module Import-Module AzureAD # Import-Module MSOnline

# Define AD group that is synced to AAD and is used for ODFB audience $syncgroupname = "CloudSync" $syncgroup = Get-ADGroup $syncgroupname # First, add the user to the group Add-ADGroupMember -Identity $syncgroupname -Members $User # Remind them to recompile their SharePoint audience Write-Host "You'll need to recompile your SharePoint audience to reflect the group change" # Sync up to Azure AD Start-ADSyncSyncCycle

# Now tweak the user in Azure AD, First connect # Connect-MsolService Connect-AzureAD # Azure AD domain suffix # $aadsuffix = “tkdemo.com“ $aadsuffix = (Get-AzureADDomain | Where-Object -Property IsDefault

• Value $true -EQ).name

# Get the user $aaduser = "$user@$aadsuffix"

# Set the user's location. Without that the license will fail Set-AzureADUser -UserPrincipalName $aaduser -UsageLocation “US" # Set-MsolUser # Name of the Azure License to apply # $license = "tkdemo:O365_BUSINESS_PREMIUM“ # Get-AzureADSubscribedSku $LicensedUser = Get-AzureADUser -ObjectId "TemplateUser@$aadsuffix" $License = New-Object -TypeName Microsoft.Open.AzureAD.Model.AssignedLicense $License.SkuId = $LicensedUser.AssignedLicenses.SkuId

$Licenses = New-Object -TypeName Microsoft.Open.AzureAD.Model.AssignedLicenses $Licenses.AddLicenses = $License $User = Get-AzureADUser -ObjectId $aaduser Set-AzureADUserLicense -ObjectId $User.ObjectId -AssignedLicenses $Licenses # Set-MsolUserLicense -UserPrincipalName $aaduser -AddLicenses $license

TEAMS, FLOW, AND POWERAPPS

 Teams

 For automating all those Teams Admin Tasks  Install-Module MicrosoftTeams  Read all about it

 Flow and PowerApps

 For both creators and Admins  Get list of all Flows and PowerApps  Kind of a janky install

ALTERNATIVE #1

THE SNEAKY WAY: CSOM WITH POWERSHELL

 Can use the Client Side Object Model with PowerShell to do more  Developery, be afraid  Copy DLLs from server  Or download SharePoint 2016

Client SDK

TOP OF SCRIPT

GET-SPOWEB

 Examples from:  http://www.sharepointnutsandbolts.com/2013/12/Us

ing-CSOM-in-PowerShell-scripts-with-Office365.html

MORE EXAMPLES

ALTERNATIVE #2

PATTERNS AND PRACTICES POWERSHELL (PHEW!)

 More scary developer stuff  Hidden in Github

 https://github.com/SharePoint/PnP-PowerShell

 Adds 250 more cmdlets  Install-Module SharePointPnPPowerShellOnline  Get-Command -Module

SharePointPnPPowerShellOnline

 Works with all the SharePoints  Scoped at Site Collection

FAVORITES

 PnPFile

 Add-PnPFile , Copy-PnPFile, Find-PnPFile, Get-PnPFile, Move-PnPFile, Remove-PnPFile, Rename-

PnPFile, Set-PnPFileCheckedIn, Set-PnPFileCheckedOut

 PnPList

 Add, Get, Set, Remove

 Get-PnPListItem  Set-PnPGroupPermissions  Add-PnPView  Get-PnPField  Provisioning

 Get-Command -Module SharePointPnPPowerShellOnline -Noun "*Provisioning*"

BUT MY BOSS HATES PNP POWERSHELL!

 Your boss is misinformed ☺  Vesa Juvonen, Senior Program Manager from SharePoint Engineering and MCM for

SharePoint, is one of the main project owners

 Is scanned the same as any PowerShell Gallery Module (not at all)  Erwin van Hunen works at RenCore

 Exceptions are approved by SharePoint Engineering team

 Will be signed with Microsoft’s key starting November 2017  Uses the same API as web parts and other SharePoint code  It’s Open Source  Respects SharePoint security

 Can be more secure, as it can be more fine grained

 PnP PowerShell hits the Office 365 API a billion times a month

SAMPLES

GET ALL FLOWS

 Get-AdminFlow | ForEach-Object { $ownername = (Get-

MsolUser -ObjectId $_.CreatedBy.userId).DisplayName ; $owneremail = (Get-MsolUser -ObjectId $_.CreatedBy.userId).UserPrincipalName ; Write-Host $_.DisplayName, $ownername, $owneremail }

GET INTERNAL SHARED FILES

Connect-PnPOnline -Url $url -Credentials "tkc admin" $doclibs = Get-PnPList -Includes DefaultViewUrl,IsSystemList | Where-Object - Property IsSystemList -EQ -Value $false | Where-Object -Property BaseType -EQ - Value "DocumentLibrary" Foreach ($doclib in $doclibs) { $docs = Get-PnPListItem -List $DocLib foreach ($doc in $docs) { if (($doc.FieldValues).SharedWithUsers -ne $null) { foreach ($user in (($doc.FieldValues).SharedWithUsers)) { Write-Output "$(($doc.FieldValues).FileRef) - $($user.email)" } } } }

GET EXTENDED FILE INFO

Connect-PnPOnline -Url $url -Credentials "tkc admin" $doclibs = Get-PnPList -Includes DefaultViewUrl,IsSystemList | Where-Object - Property IsSystemList -EQ -Value $false | Where-Object -Property BaseType -EQ - Value "DocumentLibrary“ Foreach ($doclib in $doclibs) { $doclibTitle = $doclib.Title $docs = Get-PnPListItem -List $DocLib $docs | ForEach-Object { Get-PnPProperty -ClientObject $_ -Property File, ContentType, ComplianceInfo} foreach ($doc in $docs) { [pscustomobject]@{Library= $doclibTitle;Filename = ($doc.File).Name;ContentType = ($doc.ContentType).Name;Label = ($doc.ComplianceInfo).ComplianceTag} }

QUESTIONS?

todd@toddklindt.com