Monday, 24 December 2018

SharePoint Conference 2019 – Las Vegas

I am proud and honored to be selected as a speaker at SPC2019 in Las Vegas!

If you are working with SharePoint Online & Office 365 or Microsoft SharePoint Server, you need to attend this event!
SharePoint Server 2019 has been announced. Are you interested in the latest news about SharePoint 2019? Then see you in May in fabulous Las Vegas. We from atwork will be part of the conference and are looking forward to it.

As shown on the conference website, SharePoint Conference is organized by the SharePoint Conference team and co-produced by Microsoft. They have put together an amazing lineup of international speakers and Microsoft employees to show you the latest technology updates and news around Microsoft 365 and SharePoint.

The session I present is about a real-world scenario: From fragmented services to a modern intranet.
It is about the project I did together with atwork GmbH. The crew from atwork will also be part of the conference and present a session:

In the session Real world: From fragmented services to a modern intranet we will talk about a large enterprise customer in the steel industry and its journey to SharePoint. Klöckner & Co started from a mixed environment using classic file shares, Dropbox, Slack and even an OpenText-based intranet solution. Learn how this customer moved from independent, disconnected services to an integrated, company-wide service landscape based on SharePoint, Yammer & Office 365.
In detail, the session agenda and topics are:
  • Project overview: where we came from
  • Starting with Yammer
  • Design patterns in the project like using standard where it is possible
  • Live Demos
  • Implementation: technical goals, technical parameters, organization of the project using Microsoft Teams & Planner
  • Migration
  • Structure of the new Intranet called DigiDesk
  • Prototyping
  • Taxonomy and search customization
  • Rollout planning
  • User adoption & Training
  • Mobile use of DigiDesk
  • Microsoft Stream integration
  • Custom Apps in the App Launcher
  • Integration of additional services
  • Why the Marketing department of Klöckner directly switched from Slack to Microsoft Teams
  • Custom Development

See you in our session at SharePoint Conference, May 21-23, 2019, MGM Grand, Las Vegas.

My tips and recommendations for the conference

Sessions at SharePoint Conference 2019

Attend as many sessions as you can, but definitely watch the keynotes. Other hot topics, workshops, speakers and sessions are:
  • Microsoft Search in your Organization and Everything you wanted to know about Microsoft Search by Agnes Molnar
  • Workshops: Becoming a Master Power User in Office 365 by Benjamin Niaulin
  • Mixed reality in Office 365 with SharePoint spaces by Bill Baer
  • Become a Microsoft Teams Rockstar by Gokan Ozcifci
  • Office 365 Application Security by Liam Cleary
  • What Options do you have to govern the lifecycle of Office 365 Groups and Teams? by Mikael Svenson

My hot topics are:

  • New Microsoft Search
  • New features in OneDrive for Business, SharePoint and SharePoint Hub Sites
  • Updates and News about Communication Sites
  • Compliance & Security

To get the most out of attending SharePoint Conference 2019:

  • Set your expectations and plan which sessions you attend and which you download afterwards
  • Stay connected on social media with the conference and the speakers using @SPConf and #SPC18
  • Participate in SharePoint Conference 2019 social events, parties and Meetups
  • Have Fun!

Sunday, 25 November 2018

Office 365 Message Encryption (OME) vs. Azure Information Protection

The main difference from a security perspective is that OME encrypts the message in transport and not the attached content over its lifetime.
All features like IRM, AIP and OME are based on the Azure RMS service. The overall architecture looks like this:

Comparison of OME, IRM, and new OME capabilities


  • If you want to protect documents attached to an E-Mail only on the transport layer or if you want to use the “Do not forward” feature OME is the way to do it.
  • If you want to protect the document also after the E-Mail is received and the document is downloaded etc. then you need AIP.

Both features are good for protecting e-mails and attachments for internal use and for sharing them with externals. With OME you can send protected e-mails to external recipients without configuring anything special. The recipients receive an HTML message that they download and open in a browser or in the mobile app:
To make the same functionality available with AIP, you need to add the external domain to your AIP label:

Protecting an E-Mail with AIP or OME in Outlook



Friday, 12 October 2018

Security & Compliance sucks...not anymore

German version: LINK
Finally, the General Data Protection Regulation (GDPR) forces companies to think about which data is accessible and editable by whom. With the recent data protection scandals on major platforms such as Facebook, the protection of data is not only a very topical issue but also a very topical business model.
Microsoft offers its customers functions and license models to monitor and secure access to their data and systems. In the end it is a complex story to find out which functions and which licenses are required to implement Security & Compliance requirements in your company. The whole story is further complicated by different license models and feature sets focusing on Security & Compliance.
At Ignite 2018, improvements around Security & Compliance were announced. Office 365 becomes Microsoft 365, Azure Information Protection becomes Microsoft Information Protection, and so on. But what does this mean for customers, partners and especially the users?
Actually quite a lot. Microsoft services are getting more and more aligned with operational processes and user needs. In the future, management portals, for example, will be grouped and accessed according to their use:
  • Admin Center
  • Security Settings
  • Compliance
Data classification and encryption are an important requirement for storing sensitive content in SaaS solutions. Azure Information Protection labels, site classifications and Office 365 labels are now standardized in the Office 365 Security & Compliance Center and no longer exist separately from each other. This makes the use of these techniques much more efficient.
These are just two examples of how Microsoft cloud services successively merge what belongs together.
Microsoft Information Protection or the Microsoft Intune features for managing devices and apps focus on specific scenarios. However, security & compliance projects often do not start with these specific requirements. When starting an Office 365 project, the requirement is more about providing a basic protection level and setup. Based on this basic configuration, further requirements are then successively defined and implemented in the company.
A newly provisioned Office 365 tenant is very open. Basically, every user can share all the data he has access to with anyone. Users can invite external partners to collaborate with them in a SharePoint site or in Teams, and anyone can connect to Office 365 using any device by entering his username and password.
This liberal setup of Office 365 is very good for collaboration and communication in the company and with partners and customers. But it is risky in terms of Security & Compliance.
In Microsoft Internet Explorer we could configure the security of the browser with a simple slider. If there was a need to adjust special settings, this was also possible. Unfortunately, it is not quite that easy with Office 365 or Microsoft 365. A slider like the one in Internet Explorer is missing here.
But the whitepaper "A quick guide to secure Office 365" offers something similar. Based on a matrix with the levels Standard, Medium, High and Very High, it gives you an overview of how Office 365 can be secured. The whitepaper also describes the effects on user-friendliness and the required licenses for setting up the various scenarios.
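The open sharing defaults described above can be reviewed and tightened from the SharePoint Online Management Shell. This is an added example and not code from the post or the whitepaper; the tenant name "contoso" and the partner domains are placeholders.

```powershell
# Added example (not from the original post): review and tighten the tenant-wide
# sharing defaults. Assumption: "contoso" and the domain names are placeholders.
Connect-SPOService -Url "https://contoso-admin.sharepoint.com"

# Starting point of a new tenant: typically ExternalUserAndGuestSharing,
# i.e. anonymous "anyone" links are allowed
Get-SPOTenant | Select-Object SharingCapability, DefaultSharingLinkType, RequireAnonymousLinksExpireInDays

# A more restrictive setting: externals must sign in, new links default to
# internal people only and to view permission
Set-SPOTenant -SharingCapability ExternalUserSharingOnly `
              -DefaultSharingLinkType Internal `
              -DefaultLinkPermission View

# Restrict external sharing to named partner domains (space-separated list)
Set-SPOTenant -SharingDomainRestrictionMode AllowList `
              -SharingAllowedDomainList "partner.example contractor.example"

# Read the configuration back to confirm the change
Get-SPOTenant | Select-Object SharingCapability, DefaultSharingLinkType,
    SharingDomainRestrictionMode, SharingAllowedDomainList
```

The first `Get-SPOTenant` call documents the state before the change, which is worth keeping for the project record when you later explain to users why a sharing option disappeared.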
The whitepaper outlines a clear overview of the Microsoft technologies and functions for securing Office 365. Covered technologies are:
  • Office 365 Secure Score
  • Cloud App Security
  • Intune & Office 365 MDM
  • Azure AD Premium Features
  • Office 365 Advanced Threat Protection
  • Office 365 Threat Intelligence
  • Security & Compliance Reports.
And another tip from me: if a user wants to save a file in his private Dropbox folder, then he has a reason for it. Nobody does this accidentally or by mistake. If we don't know this reason and don't respect it, the whole Security & Compliance project will go wrong. Because of the many options that shadow IT offers users today, it is no longer possible to simply enforce security. The goal must be to understand which challenges and processes an employee faces in his daily work. A security and compliance setup must be based on this and acknowledge these factors.
Link to the white paper and my presentation at Ignite 2018 on this topic: LINK

Tuesday, 9 October 2018

Usage Report, AIP Scanner UI and Data Discovery for Azure Information Protection

Microsoft is rolling out new Azure Information Protection features and a new AIP scanner UI, including the status of the scanner machine and some statistics like scan rate, version etc.

AIP scanner UI

This new scanner UI feature will include the capability to start the scan on the remote scanner without a need to login to the scanner machine.
We can access this new preview feature using this link:
The latest GA or public preview version of the AIP client is needed in order to see your scanner machines connected to the Azure portal and to be able to manage them.

Usage Report

The AIP usage report shows labels, the number of protected items, and the users and computers interacting with AIP. It also gives an overview of the labels used and of the clients used to label content.

Data Discovery

Data Discovery shows an overview of the labels used, the information types detected, locations, labeled and protected files etc.

Usage Report and Data Discovery are based on Azure Log Analytics.

Wednesday, 3 October 2018

A quick guide to secure Office 365 - UPDATE

Microsoft is investing a lot in security & compliance. In the end it is a complex story to figure out which feature and which license is needed to fulfill your security & compliance needs.

“A quick guide to secure Office 365” is a Whitepaper based on simple tiers like Default, Medium, High and Very High. The matrix shows the usability impact and the needed licenses to setup the different scenarios.

You get a clear overview about the options and the impact of each scenario. In addition, the Whitepaper gives you an overview of Microsoft technologies and features to secure your Office 365 tenant. Covered technologies are Office 365 Secure Score, Cloud App Security, Intune & Office 365 MDM, Azure AD Premium features, Office 365 Advanced Threat Protection & Office 365 Threat Intelligence and the Security & Compliance Reports.

Here you can download the complete Whitepaper:

Watch this video of my session at Microsoft Ignite 2018 about “How to deal with external sharing”, covering most of the topics in the whitepaper:

Here you can download a Sketchnote by Luise Freese based on my session at Ignite 2018 also covering these topics: LINK

Monday, 13 August 2018

Azure Information Protection Part V – advanced features & scenarios

Label an Office document by using an existing custom property

This option allows us to reflect existing metadata values, for example coming from SharePoint or from other solutions like Secure Islands (which was acquired by Microsoft in 2015).
As a result of this, when a document without an Azure Information Protection label is opened and saved by a user, the document is then labeled to match the corresponding property value.
This configuration requires two settings in the advanced client settings section. The first is named SyncPropertyName, which is the custom property name that has been set from the other classification solution, or a property that is set by SharePoint. The second is SyncPropertyState and must be set to OneWay:
  • Key 1: SyncPropertyName
  • Key 1 Value: <property name>
  • Key 2: SyncPropertyState
  • Key 2 Value: OneWay

This pair of keys and values covers one custom property only.
Example: we have a SharePoint column named Classification. Possible values are Public, Internal and Confidential. The SyncPropertyName value is then: Classification.
To make this feature work we need labels with the same names (Public, Internal and Confidential) in AIP. Now, when an Office document from this SharePoint library is opened and saved, and this document is labeled as Public, Internal or Confidential in SharePoint, Azure Information Protection applies the corresponding AIP label. If no label with a corresponding name exists in AIP, the document remains unlabeled.
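The two advanced settings can also be set from PowerShell. The following is an added example, not from the post: it assumes the unified labeling client and a Security & Compliance Center PowerShell session with a label policy named "Global" (the classic client takes the same two keys as advanced settings of the label policy in the Azure portal), and the document path is a placeholder.

```powershell
# Added example (not from the original post): configure SyncPropertyName and
# SyncPropertyState for a label policy and check the prerequisites.
# Assumptions: unified labeling client, policy named "Global", placeholder path.
Connect-IPPSSession

$policyName   = "Global"          # assumption: name of the existing label policy
$propertyName = "Classification"  # the SharePoint column holding Public/Internal/Confidential

Set-LabelPolicy -Identity $policyName -AdvancedSettings @{
    SyncPropertyName  = $propertyName
    SyncPropertyState = "OneWay"
}

# Read the policy back to confirm both keys are stored
(Get-LabelPolicy -Identity $policyName).Settings |
    Where-Object { $_ -match "SyncProperty" }

# Labels must exist with exactly the same names as the column values,
# otherwise the document stays unlabeled
$expected = "Public", "Internal", "Confidential"
$existing = (Get-Label).DisplayName
$missing  = $expected | Where-Object { $_ -notin $existing }
if ($missing) { Write-Warning "No AIP label for column value(s): $($missing -join ', ')" }

# After a user has opened and saved a document from the library, verify the
# result on a client that has the AzureInformationProtection module installed
Get-AIPFileStatus -Path "C:\Demo\contract.docx" |
    Select-Object FileName, IsLabeled, MainLabelName
```

The warning about missing labels is the check worth keeping: a mismatch between column values and label names fails silently, and the only symptom is an unlabeled document.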

Convert Templates to Labels

When you create a label in AIP, under the hood a new custom template is also created. This new template can then be accessed by services and applications that use Rights Management templates. The new template is not shown in the Azure AIP portal but can be managed using PowerShell.
If you delete the label, the template still exists and is then shown in the Azure AIP portal. In the Azure AIP portal you can convert a template to a label:
If you change the protection settings in this newly created label, you're changing them in the template and any user or service that uses this template will get the new protection settings with the next template refresh.

Cloud App Security to auto apply Labels for scenario / location

Microsoft Cloud App Security lets you apply AIP labels as part of CAS policies. You can also investigate files by filtering for the applied classification label within Cloud App Security.
  • Apply classification labels as a governance action to files that match specific policies
  • View all classified files in a central location
  • Perform investigation according to classification level
  • Create policies to make sure classified files are being handled properly

More details:

Encrypting Emails using Exchange Mail Flow Rule

Exchange mail flow rules can be used to automatically apply AIP labels:
This is based on the RMS template associated with the AIP label.
A step-by-step documentation on how to configure a mail flow rule using an RMS template can be found here:
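A mail flow rule of that kind can be created from Exchange Online PowerShell. This is an added example, not code from the post: it assumes an Exchange Online session and a template named "Contoso - Confidential" that belongs to an AIP label; "Do Not Forward" is the built-in template that exists in every tenant and could be used in the same place.

```powershell
# Added example (not from the original post): mail flow rule that applies the
# RMS template behind an AIP label to outgoing mail.
# Assumptions: Exchange Online session; template name is a placeholder.
Connect-ExchangeOnline

# A rule can only reference templates that Exchange can see; list them first
Get-RMSTemplate | Select-Object Name, Description

New-TransportRule -Name "Protect confidential mail to partners" `
    -SentToScope NotInOrganization `
    -SubjectOrBodyContainsWords "Confidential", "Vertraulich" `
    -ApplyRightsProtectionTemplate "Contoso - Confidential" `
    -Comments "Applies the RMS template associated with the Confidential AIP label"

# Confirm the rule is enabled and bound to the expected template
Get-TransportRule -Identity "Protect confidential mail to partners" |
    Select-Object Name, State, Priority, SentToScope, ApplyRightsProtectionTemplate
```

`Get-RMSTemplate` is the quick way to tell whether IRM is connected to Azure RMS at all: if it returns nothing, the tenant's IRM configuration has to be fixed before any rule can apply protection.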

Decommissioning and deactivating protection

If AIP is no longer needed you can deactivate it. Make sure that you have a copy of your Azure Information Protection tenant key before you deactivate the Azure Rights Management service. If you deactivate AIP, make sure that you won’t be locked out of content that was previously protected.
You have the following options to deactivate AIP:
  • PowerShell cmdlet Disable-Aadrm to deactivate Rights Management
  • Deactivate Rights Management from Office 365:
    • Go to the Rights Management page for Office 365 administrators
    • On the Rights Management page click deactivate
  • Deactivate Rights Management from the Azure portal
    • On Azure Information Protection blade => Protection activation blade, select Deactivate
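The PowerShell route from the list above, as an added example that is not from the post. It uses the AADRM module; the backup flag is the operator's own checklist item, and the script refuses to deactivate until it is set. The template listing also shows the templates that labels create under the hood, as described in the "Convert Templates to Labels" section.

```powershell
# Added example (not from the original post): deactivate Azure Rights
# Management only after the tenant key backup has been confirmed.
# Assumption: $tenantKeyBackedUp is set by the operator after verifying the backup.
Connect-AadrmService

# Current service status (Enabled/Disabled)
Get-Aadrm

# Tenant keys you need a verified copy of before deactivating
Get-AadrmKeys

# Templates, including the hidden ones created for labels; content protected
# with them stays protected after deactivation, so keep the list for the record
Get-AadrmTemplate | Select-Object TemplateId, Names, Status

$tenantKeyBackedUp = $false   # set to $true once the key backup has been verified
if (-not $tenantKeyBackedUp) {
    throw "Back up the tenant key first; otherwise previously protected content may become unreadable."
}

# Deactivates Rights Management for the whole tenant; prompts for confirmation
Disable-Aadrm -Confirm

# Should now report Disabled
Get-Aadrm
```

Keeping the output of `Get-AadrmTemplate` is useful later: if a user reports an unreadable document after the service is gone, the template ID inside the file can be matched against this list.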

Further details about deactivating AIP:

Related posts:

Wednesday, 8 August 2018

Summary about Modern Team Sites, Communication Sites & Hub Sites

Modern Team Sites, Communication Sites & Hub Sites are available in SharePoint Online and SharePoint 2019. A modern Site is created from the SharePoint Home App:

Common Stuff

In modern Sites we have a bunch of new Webparts:

One of the initial questions is whether to use a modern Team Site or a Communication Site. In the end it is all about the focus of the site and the use case for it. Susan Hanley provides a brilliant overview and matrix to find out what is best for your scenario:
In addition, Mark Kashman also provides a good overview picture of modern Team Sites and Communication Sites:

Modern Team Site

About Modern Team Site:
  • Focus: Connect, Collaborate, Create
  • Connected to O365 Groups: Creates group email address
  • Privacy settings: Private by default and can be changed to public

In modern Sites we have a so-called “New” dropdown to easily create new objects:
It is also very easy to modify the Quick Launch navigation based on the modern canvas:

A new feature for modern Team Sites is the Site Info hover panel. You can access this panel by hovering over the site name:

The panel gives you an overview of the site and direct links to the associated resources like the Planner, the group calendar etc.

Communication Site

About Communication Sites:
  • Focus: Showcase, Share Services, Story (broadcast information)
  • Three different types of Communication Site are available out of the box:
    • Topic: Designed to present a large amount of information such as news, events and other content
    • Showcase: Designed to showcase a product, team, or event using images
    • Blank: Start from scratch

Modern Sites Pros and Cons

Pros:
  • Easy to use
  • Modern canvas
  • Modern branding & responsive design
  • Modern Web Parts
  • Easy to use/configure web parts
  • Connected to a Group
  • Extend using the SharePoint Framework

Cons:
  • Only created as a site collection; no modern sub-sites available
  • No variations until now
  • No extensibility for modern search until now
  • Not all lists, libraries and website types have a modern design yet (Blogs, Tasks, Calendars, Discussions)
Complete list and further details:

Things to think about when moving from classic to modern SharePoint Sites
Moving from classic SharePoint Online Sites or from SharePoint on-prem Sites to modern Sites sounds easy but can get tricky. There are several pros and cons when coming from classic Sites and now planning to use modern Sites. The following table shows the pros and cons and the topics you have to think about when planning a migration:

Hub Sites

Common info about Hub Sites:
  • Linked sites
  • Consistent branding across all sites
  • Top navigation
  • Search within the hub site will also search all linked sites.
  • Aggregate news from linked sites. This can take 5–15 minutes.
  • Flexible attach & detach a site from a hub
  • Sites can only be associated with one hub site.
  • Hubs can’t be nested
  • Limited to 50 hub sites
  • Association with a hub does not change the permissions on a site
  • A site can only be associated with one hub
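The hub facts above map directly onto a few SharePoint Online Management Shell cmdlets. This is an added example, not code from the post; the tenant name "contoso", the site URLs and the owner address are placeholders.

```powershell
# Added example (not from the original post): register a hub and associate
# sites with it. Assumptions: "contoso", URLs and addresses are placeholders.
Connect-SPOService -Url "https://contoso-admin.sharepoint.com"

$hubUrl = "https://contoso.sharepoint.com/sites/intranet"

# Register the hub; -Principals limits who may associate sites with it
Register-SPOHubSite -Site $hubUrl -Principals "intranet-owners@contoso.example"

# Each site can belong to only one hub, and association does not change
# the permissions of the associated site
"https://contoso.sharepoint.com/sites/hr",
"https://contoso.sharepoint.com/sites/it" |
    ForEach-Object { Add-SPOHubSiteAssociation -Site $_ -HubSite $hubUrl }

# Hubs cannot be nested and a tenant is limited to 50, so keep an eye on the count
$hubs = Get-SPOHubSite
"$($hubs.Count) of 50 hub sites registered"
$hubs | Select-Object Title, SiteUrl

# Detaching a site again is a single call:
# Remove-SPOHubSiteAssociation -Site "https://contoso.sharepoint.com/sites/it"
```

Because association does not alter permissions, the hub's news roll-up and search only surface content the viewing user already has access to; the hub itself grants nothing.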

Webparts for Hub Sites:
  • News roll-up: News published on a hub site and on any associated sites is automatically aggregated and shown on the home page of the hub site.
  • Associated sites: Display the most active sites associated with the hub site.
  • Highlighted content: Use the Highlighted content web part to dynamically display content from sites associated with the hub.

Admin Stuff

Manage site creation in SharePoint Online Admin:

Subsite Creation in SharePoint Online Admin:

Office 365 Groups Connection Setting in SharePoint Online Admin:

To allow only specific users to create groups, use the GroupCreationAllowedGroupId setting via PowerShell or change the setting in Azure AD

Connect to a new Office 365 Group:
Ability to connect existing SharePoint team sites to Office 365 Groups is coming later this year

Branding SharePoint Modern Sites

Out of the box themes, configuration option and custom site themes:
  • The following predefined themes are available by default: Blue, Orange, Red, Purple, Green, Gray, Dark Yellow, Dark Blue
  • Each theme can be customized by selecting “Customize theme”
  • Custom themes can be created and uploaded. To create a custom theme, an online theme generator tool is available:
  • Classic themes can still be used by choosing the link under the modern themes listed.
    • Because the modern SharePoint UI differs from the classic UI, however, some limitations apply when you use classic themes with modern pages.

Themes are defined in a JSON schema that stores color settings and related metadata for each theme. These capabilities are available to administrators via PowerShell cmdlets, and to developers via the SharePoint client-side object model (CSOM) or the SharePoint REST API.
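Registering a custom theme for the tenant from PowerShell, as an added example that is not from the post. It assumes the SharePoint Online Management Shell, the placeholder tenant "contoso", and a palette whose colour values were chosen for the example (normally you paste the output of the theme generator here).

```powershell
# Added example (not from the original post): add a custom theme from a palette.
# Assumptions: "contoso" is a placeholder; colours are example values.
Connect-SPOService -Url "https://contoso-admin.sharepoint.com"

# Slot names follow the theme JSON schema; the generator emits the same keys
$palette = @{
    "themePrimary"     = "#0f6cbd"
    "themeLighterAlt"  = "#f3f8fc"
    "themeLighter"     = "#d0e3f4"
    "themeLight"       = "#a9ccea"
    "themeTertiary"    = "#5a9fd6"
    "themeSecondary"   = "#237bc5"
    "themeDarkAlt"     = "#0d5fa5"
    "themeDark"        = "#0b508c"
    "themeDarker"      = "#083b67"
    "neutralLighter"   = "#f4f4f4"
    "neutralLight"     = "#eaeaea"
    "neutralSecondary" = "#666666"
    "neutralPrimary"   = "#333333"
    "neutralDark"      = "#212121"
    "white"            = "#ffffff"
    "black"            = "#000000"
}

Add-SPOTheme -Identity "Contoso Blue" -Palette $palette -IsInverted $false

# Themes now offered to site owners in "Change the look"
Get-SPOTheme | Select-Object Name, IsInverted

# Removal, if the theme is retired:
# Remove-SPOTheme -Identity "Contoso Blue"
```

Tenant themes are the only way to get a consistent look without custom code, which matters for the "use standard where possible" design pattern mentioned in the conference post.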

PnP Starter Kit & Fantastic 40 Web Parts

What is the SharePoint Starter Kit:
  • SharePoint Starter Kit demonstrates how you can extend modern sites.
  • Currently included in the package:
    • Tenant level provisioning logic using PnP Provisioning Engine
    • Three site collections: one assigned to be a hub site and two associated with the hub site automatically by the provisioning script
    • Contoso Site Designs for group associated team site and communication site
    • 17 client-side web parts demonstrating different capabilities
    • 7 SharePoint Framework extensions
    • Sample LOB service to be hosted in Azure
    • Sample content on the portal to demonstrate news and article capabilities
Source and further details:

What are the Fantastic 40 Web Parts:
It is a sample kit of 40 web parts, for example visual web parts such as carousels, image galleries, custom editors, polls, charts, maps, animations, etc. These web parts are free and open source. The web parts are available in English, French, Spanish and German. IMPORTANT NOTE: These web parts are not officially supported by Microsoft.

Monday, 6 August 2018

Things to think about when moving from classic to modern SharePoint Site

Moving from classic SharePoint Online Sites or from SharePoint on-prem Sites to modern Sites sounds easy but can get tricky. There are several pros and cons when coming from classic Sites and now planning to use modern Sites. Also, some features that we know from classic sites are no longer available in modern Sites. In addition, some features we have in SharePoint on-prem are deprecated in SharePoint Online. This is also a topic to think about when planning a migration.
The following two tables show the pros and cons and the topics you have to think about when planning a migration:

Pros and Cons about modern Sites focusing a migration scenario

Mapping of deprecated / new features and functions

Tuesday, 31 July 2018

A quick guide to secure Office 365

“A quick guide to secure Office 365” is a Whitepaper based on simple tiers like Default, Medium, High and Very High. The matrix shows the usability impact and the needed licenses to setup the different scenarios. 
You get a clear overview about the options and the impact of each scenario. In addition, the Whitepaper gives you an overview of Microsoft technologies and features to secure your Office 365 tenant. Covered technologies are Office 365 Secure Score, Cloud App Security, Intune & Office 365 MDM, Azure AD Premium features, Office 365 Advanced Threat Protection & Office 365 Threat Intelligence and the Security & Compliance Reports.

Download a free copy of A quick guide to secure Office 365

A quick guide to secure Office 365 is a whitepaper built on simple tiers: Standard, Medium, High and Very High. The matrix shows the effects on usability and the licenses needed to implement the various scenarios.
You get a clear overview of the options and effects of each scenario. In addition, the whitepaper gives you an overview of the Microsoft technologies and features available for securing your Office 365 tenant. In detail, the technologies Office 365 Secure Score, Cloud App Security, Intune & Office 365 MDM, Azure AD Premium features, Office 365 Advanced Threat Protection & Office 365 Threat Intelligence and the Security & Compliance Reports are described.

Download a free copy of A quick guide to secure Office 365.

Thursday, 19 July 2018

Azure Information Protection Part IV - Work with AIP

Azure Information Protection is a cloud-based solution that can be used to classify, label and protect data and e-mails. The nice thing about it is that depending on the implementation, this works without the user's intervention. Rules are automatically applied based on metadata, storage location, template on which a document was created or on the content of the document.
Of course, users can also assign classification manually. A combination of both, whereby proposals are displayed to the user based on administrative specifications, can also be implemented.
AIP integrates into the Office Client applications Word, Excel and PowerPoint from version 2010 in the Enterprise or Office ProPlus version. With this integration, files can be classified and protected directly from Office applications. Word, Excel and PowerPoint also display the classification of a file directly:
The AIP Client is used to protect and classify non-Office files. This free software is used to classify and protect e.g. PDF documents and other files. The AIP Viewer is also used to open protected non-Office files. This tool is available free of charge for the iOS, Android, macOS and Windows platforms. Details on supported platforms and Office versions can be found here:  

Overview of the features of AIP

The AIP feature essentially works with two objects, labels and policies:
  • A label is used for classification; e.g. CONFIDENTIAL
  • A label can contain encryption, but can also be used for classification purposes only
  • The following rights can be assigned during encryption: View, Open, Read (VIEW) | View Rights (VIEWRIGHTSDATA) | Edit Content, Edit (DOCEDIT) | Save (EDIT) | Print (PRINT) | Copy (EXTRACT) | Reply (REPLY) | Reply All (REPLY ALL) | Forward (FORWARD) | Change Rights (EDITRIGHTSDATA) | Save As, Export (EXPORT) | Allow Macros (OBJMODEL) | Full Control (OWNER)

  • Policies determine which users/groups have which labels available
  • Policies also regulate administrative options such as whether a standard label is assigned
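The rights listed above are the same right names the AADRM module uses when building a template. As an added example that is not from the post, here a template is created that gives an internal group edit and print rights and an external auditor view-only rights; the addresses and names are made up for the example.

```powershell
# Added example (not from the original post): create a Rights Management
# template from rights definitions. Assumption: addresses are placeholders.
Connect-AadrmService

# Right names are the codes shown in the list above (VIEW, DOCEDIT, PRINT, ...)
$internal = New-AadrmRightsDefinition -EmailAddress "finance@contoso.example" `
    -Rights "VIEW", "VIEWRIGHTSDATA", "DOCEDIT", "EDIT", "PRINT", "REPLY", "REPLYALL", "FORWARD"

# External auditor: read only, no EXTRACT (copy), no EXPORT (save as), no PRINT
$auditor = New-AadrmRightsDefinition -EmailAddress "auditor@partner.example" `
    -Rights "VIEW", "VIEWRIGHTSDATA"

# Names and descriptions are keyed by locale ID; 1033 = English (US)
$names = @{}
$names[1033] = "Confidential - Finance"
$descriptions = @{}
$descriptions[1033] = "Finance staff may edit and print; external auditors may only view"

Add-AadrmTemplate -Names $names -Descriptions $descriptions `
    -RightsDefinitions $internal, $auditor `
    -LicenseValidityDuration 7 `
    -Status Published

# The new template is now available to labels, Exchange and the AIP client
Get-AadrmTemplate | Select-Object TemplateId, Names, Status
```

`-LicenseValidityDuration 7` means a recipient can keep opening the content offline for seven days before the client must contact the service again, which is the knob that decides how quickly a revoked right takes effect.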

Due to the integration into the Outlook client, labels can also be assigned directly when writing an email. The classification then affects documents that are sent as attachments to the mail and the e-mail itself.

In addition to labels and policies there is another useful function. The "Protect with user-defined permissions" function is used to encrypt files individually and make them available with explicit rights for certain users (including external users). This feature can be used in both the AIP Client and Office integration. The following individual options can be configured per file:
  • Viewer: view only
  • Reviewer: view, edit
  • Co-author: view, edit, copy, print
  • Co-owner: all rights
  • Only for me
  • User / Group: users or groups by e-mail address who should have access with the selected right
  • Expiration of the access: date until which the selected users / groups keep access with the configured right
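The same user-defined permissions can be applied to a single non-Office file from PowerShell with the AzureInformationProtection module. This is an added example and not from the post: the file path, addresses and expiry date are placeholders, and the `-Permission Viewer` preset is assumed to map to the "Viewer" option shown above.

```powershell
# Added example (not from the original post): protect one PDF with
# user-defined permissions and an expiry date.
# Assumptions: placeholder path, addresses and date; "Viewer" preset.
Import-Module AzureInformationProtection

# An ad-hoc license: Alice stays owner, Bob (external) may only view until year end
$license = New-RMSProtectionLicense `
    -OwnerEmail "alice@contoso.example" `
    -UserEmail  "bob@partner.example" `
    -Permission Viewer `
    -ValidUntil "2018-12-31"

# Writes the protected copy (.ppdf for a PDF) into the output folder
Protect-RMSFile -File "C:\Demo\offer.pdf" -License $license -OutputFolder "C:\Demo\Protected"

# Confirm protection and ownership of the result
Get-AIPFileStatus -Path "C:\Demo\Protected\offer.ppdf" |
    Select-Object FileName, IsRMSProtected, RMSOwner, RMSIssuer
```

Because the owner is kept in the license, Alice can later open the file with full rights even after Bob's access has expired; the expiry only applies to the users named in `-UserEmail`.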

Details on the individual functions of AIP can be found here:

Typical scenarios

Scenario 1: A user creates a document. The user knows which category the document must be assigned to and is responsible for assigning the corresponding label.

Scenario 2: In addition to scenario 1, automatic classification can be used. To do this, we need to define our own information types. Microsoft provides standard information types such as credit card number, driver's license number, etc. A complete list of standard information types can be found here:

Scenario 3: Classification Based on location. The AIP scanner, which is part of the AIP client, is used to do this. The scanner can encrypt NTFS shares and SharePoint libraries. Example: all files that are stored in a specific folder or in a specific SharePoint library always get the label "Confidential - Contract". The AIP scanner runs as a service on a Windows server. Using PowerShell and a parameterized call, the scanner then checks and encrypts contents in the defined storage locations with the specified label.
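The parameterized scanner call from scenario 3, as an added example that is not from the post. It assumes the scanner is already installed on the Windows server (`Install-AIPScanner`), and the share path, SharePoint library URL and label GUID are placeholders.

```powershell
# Added example (not from the original post): configure the AIP scanner for
# location-based labeling. Assumptions: scanner already installed; path, URL
# and label ID are placeholders.
Import-Module AzureInformationProtection

$labelId = "00000000-0000-0000-0000-000000000000"   # placeholder: ID of "Confidential - Contract"

# Pass 1: discovery only (Enforce Off) so the report shows what would change
Set-AIPScannerConfiguration -Schedule OneTime -Type Full -Enforce Off -DiscoverInformationTypes All

# Every file in these locations gets the default label
Add-AIPScannerRepository -Path "\\fileserver\contracts" -SetDefaultLabel On -DefaultLabelId $labelId
Add-AIPScannerRepository -Path "https://contoso.sharepoint.com/sites/legal/Contracts" `
    -SetDefaultLabel On -DefaultLabelId $labelId

# The scanner reads its configuration on start
Restart-Service AIPScanner

# Pass 2: after reviewing the discovery report, enforce and run again
Set-AIPScannerConfiguration -Enforce On
Restart-Service AIPScanner

# Spot check a file in the share
Get-AIPFileStatus -Path "\\fileserver\contracts\2018\frame-agreement.docx" |
    Select-Object FileName, MainLabelName, IsRMSProtected
```

Running discovery first is the important habit: once a label with encryption has been applied to a share, every consumer of those files needs a licensed and connected client, so you want the file count and owners from the report before flipping `-Enforce On`.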


Microsoft Azure Information Protection is available as a standalone solution or as part of the Enterprise Mobility + Security Suite, Microsoft 365 Enterprise and Office 365 E5.
AIP is available in three different versions: AIP for Office 365, AIP P1 and AIP P2. Details on the different versions can be found here:
Only the user who protects content needs a license. External users or users who only consume do not need to be licensed.


Definition and dependencies:
  • RMS: The Azure Rights Management Service is the basic service for encryption and rights. Word, Excel, PowerPoint, Outlook and the Office servers SharePoint and Exchange provide native support for Azure Rights Management and provide document and e-mail protection.
  • AIP: Azure Information Protection is based on RMS and requires the RMS service in the background. With AIP, files can be individually encrypted and classified. File tracking and detailed reporting show who opened an AIP-protected file, when and from where.
  • IRM: Information Rights Management is required to connect RMS to Exchange or SharePoint. If we need to connect the on-prem versions of Exchange or SharePoint or an NTFS file server, an RMS connector is required. IRM integrates seamlessly into Exchange and SharePoint.

IRM with Exchange and SharePoint:
  • To protect an e-mail with the "Do not forward" restriction, the Information Rights Management option for Exchange is required. With IRM in Exchange, features like DLP can also be used.
  • IRM integration can be used to encrypt files stored in SharePoint. This integration does not offer the flexibility and functionality of AIP. Documents in SharePoint are only encrypted when they are downloaded, for example. IRM does not provide an option to classify files, and permissions must be assigned by an administrator at the site or library level.

Depending on the detailed scenario, either AIP or IRM can be used. Both functions require the RMS service in the background.
Details about RMS, IRM and the limitations with SharePoint are described in this article:

Related posts: