
New Expiring Access Policy to Control Guest Access to SharePoint Online Sites


SharePoint Sharing Involved Only – Not Microsoft 365 Groups

Sometimes Microsoft publishes text in message center notifications that is, to be blunt, misleading. Such is the case for MC220791 published August 21, 2020, updated May 7, 2021 (Microsoft 365 Roadmap item 43797). You can see from the dates that this change has been bubbling up for a long time. It is now available in Office 365 tenants, and it’s a good change because it allows organizations to control how long people outside their tenant can access content in SharePoint Online sites and OneDrive for Business accounts after gaining that access. In other words, you can cut off everlasting access.

Explaining the Guest Expiration Policy

Here’s how Microsoft explains the change:

“In order to better manage sharing, tenant admins will be able to create a policy to revoke guest access to SPO sites and individual OneDrives after a defined period of time. With this policy, you can limit guest user access; thus guests who are no longer active partners will not retain indefinite access to documents and files.

  • This policy is not retroactive; it does not apply to guests who already have access to sites, documents and files.
  • The policy applies to a user’s access to a given SPO site or individual OneDrive. When the access period reaches your policy threshold, such as 10 days, then the guest loses access to all content in that site. Guest access expires on a site-by-site basis, determined by when the guest was granted access to each site, whether that is an SPO site or an individual OneDrive.
  • After a guest loses access to a site, any user with the ability to share content externally can re-invite the guest to each document or item as needed.”

The first thing that came into my head after reading MC220791 was “what about guest access to SharePoint Online files gained through membership of Microsoft 365 groups and teams?”

The only documentation I could find said:

“Guest membership applies at the Microsoft 365 group level, therefore guests who have permission to view a SharePoint site or use a sharing link may have also access to a Microsoft Teams team or security group. Therefore, when SharePoint site or sharing link access expires, some guest users may still have access to a Team or security group elsewhere. 

The guest expiration policy only applies to guests who use sharing links or guests who have direct permissions to a SharePoint site after the guest policy is enabled. The guest policy does not apply to guest users that have pre-existing permissions or access through a sharing link before the guest expiration policy is applied.

Guest user expiration policy applies to guest users only. Standard user expiration can be set manually on any user in a site collection, and any user with an expiration value will be removed when the expiration passes unless they are site admins, in which case the expiration will be deferred until they are no longer site admins, or expiration value is cleared for them.”

The text isn’t very clear, but it can be read to imply that guest members of group-enabled SharePoint Online sites are affected by the guest expiration policy. Thankfully, the policy is not retrospective, but if guest members of groups and teams are within scope, the implementation of a guest expiration policy for a tenant could have an unexpected side-effect.

No Effect on Microsoft 365 Groups and Teams

I checked with Microsoft, and they confirmed that the guest expiration policy has no effect on guests belonging to Microsoft 365 groups and teams. The policy is directed solely at:

  • Sharing links created to allow guest access to documents, folders, and lists.
  • Changes made to SharePoint group membership for a site (not Microsoft 365 group membership).
  • Direct permission changes made to allow access to content for guest users.

If your usage of SharePoint Online is mainly for document management for Microsoft 365 groups and teams, you probably never update the SharePoint group membership for a site or add a direct permission for a guest, so sharing links might be the only element affected if the tenant implements a guest expiration policy.

Implementing Guest Expiration for SharePoint Online Sites

As is usual for SharePoint Online settings, the guest expiration policy comes in a general tenant setting which can be overridden on a site-by-site basis. To create the tenant-wide policy, go to the Policies section of the SharePoint Online admin center, select Sharing, and open More external sharing settings. You’ll then see the option “Guest access to a site or OneDrive will expire automatically after this many days.” To enable the policy, select the checkbox and choose an expiration period of between 30 and 730 days.

Figure 1: Configuring the tenant-wide guest expiration policy for SharePoint Online and OneDrive for Business

The new policy applies to any new sharing links, group changes, or direct permissions made afterwards. You can also use PowerShell to control the policy. This command sets the policy for a 60-day period:

Make sure that you download and use the latest version of the SharePoint Online management module from the PowerShell gallery. At the time of writing, the latest version is 16.0.21411.12000, which is what I used for testing.

Site-Specific Expiration Settings

Global and SharePoint administrators can change the policy for an individual site through the SharePoint Online admin center (select the site and update its policy settings as shown in Figure 2). The guest expiration settings only appear if the sharing setting for the site allows external sharing.

Figure 2: Configuring the guest expiration policy for a specific SharePoint Online site

Alternatively, you can use PowerShell to apply a site-specific guest expiration setting. This command updates a site to set the maximum expiration period:
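
The commands referred to above are not reproduced on this page. The following is an added example (not the author's original commands) that sets the 60-day tenant policy, applies the 730-day maximum to one site, and reports the effective period for every site that allows external sharing. The admin and site URLs and the helper function `Assert-ExpirationDays` are placeholders/hypothetical names.

```powershell
# Added example, not the article's original commands.
# Assumptions: both URLs are placeholders, and the session is run by a Global or
# SharePoint administrator with the SharePoint Online management module installed.
$AdminUrl = 'https://contoso-admin.sharepoint.com'           # placeholder
$SiteUrl  = 'https://contoso.sharepoint.com/sites/Partners'  # placeholder

function Assert-ExpirationDays {
    param([int]$Days)
    # The admin center accepts an expiration period of 30 to 730 days.
    if ($Days -lt 30 -or $Days -gt 730) {
        throw "Guest expiration must be between 30 and 730 days (got $Days)."
    }
    $Days
}

Connect-SPOService -Url $AdminUrl

# Tenant-wide policy: guest access granted from now on expires after 60 days.
Set-SPOTenant -ExternalUserExpirationRequired $true `
              -ExternalUserExpireInDays (Assert-ExpirationDays 60)

# Site-specific override: this site uses the 730-day maximum instead.
Set-SPOSite -Identity $SiteUrl `
            -OverrideTenantExternalUserExpirationPolicy $true `
            -ExternalUserExpirationInDays (Assert-ExpirationDays 730)

# Read both levels back and report which setting governs each site.
# Only sites that allow external sharing have a guest expiration setting.
$tenant = Get-SPOTenant
Get-SPOSite -Limit All |
    Where-Object { $_.SharingCapability -ne 'Disabled' } |
    ForEach-Object {
        # Query each site individually so all properties are populated.
        $site = Get-SPOSite -Identity $_.Url
        $overridden = [bool]$site.OverrideTenantExternalUserExpirationPolicy
        $source = if ($overridden) { 'Site override' } else { 'Tenant policy' }
        $days = if ($overridden) {
            $site.ExternalUserExpirationInDays
        } elseif ($tenant.ExternalUserExpirationRequired) {
            $tenant.ExternalUserExpireInDays
        } else {
            'No expiration'
        }
        [pscustomobject]@{ Url = $site.Url; Source = $source; ExpireInDays = $days }
    } |
    Sort-Object Source, Url |
    Format-Table -AutoSize
```

Because the policy is not retroactive, the report shows what will apply to new sharing, not when existing guests lose access.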

During testing, I noted that the SharePoint admin center and individual site settings sometimes didn’t synchronize after making changes with PowerShell. This is likely to be due to cached data. Things will settle down eventually and all components will agree about the expiration period.

Changes made to apply guest expiration at the tenant or site levels apply only to new sharing after the policy becomes effective. Sharing expiration never applies to tenant accounts.

What Site Administrators Do

Site administrators cannot change the tenant-wide guest expiration settings and are limited to managing the extension or removal of access for guests, accessed through Site permissions and then Guest expiration. If a previous tenant-wide policy was in place which might have affected guest access, you’ll see a warning to that effect (Figure 3). A site administrator can extend guest access at any time up to the point it expires. Once expiration happens, it happens, and the guest will need a new permission to access whatever content you want to share with them.

Figure 3: Where you manage guest expiration for a site

Value Depends on Your Perspective

If you’re used to traditional SharePoint and operate sites for more than Microsoft 365 groups and teams, you’ll probably find value in the guest expiration policy. It’s certainly something worth considering in a data governance strategy. But if SharePoint Online activity in your tenant is driven by Microsoft 365 groups and teams, then guest access to information remains unaffected by this policy and you can probably ignore it or go ahead and set a long expiration period (like 730 days) for the tenant. Which is what I ended up doing.

Source Practical365


Attend TEC 2021 and Learn from the Very Best


TEC 2021 (The Experts Conference) takes place as a free virtual event on September 1-2. Practical365 has a close relationship with TEC as many of our writers are TEC speakers, so I thought that I’d highlight some of the sessions I am looking forward to. Many other sessions covering different topics are on the TEC agenda, so you’re sure to find something interesting to attend.

Please register for TEC to access the sessions. Even if you can’t attend on the day, you’ll be able to use your registration link to access recordings afterwards. Of course, attending live is best because you’ll then have the chance to participate in the live Q&A following the recorded segment of each session. Be nice to the presenters and don’t throw too many curve balls… With that said, here’s my curated list of TEC 2021 sessions. All times are in U.S. eastern time.

Artificial Intelligence and Microsoft 365

Some excellent Microsoft speakers are going to share their unique perspectives on different aspects of Microsoft 365 technology. At 10:30AM on September 2, Jeffrey Snover, the CTO for Modern Workplace Transformation (a fancy name for making stuff work across Microsoft 365) will deliver a keynote covering the use of artificial intelligence within Microsoft 365. Sometimes people get worried about the use of machine learning and AI within Microsoft 365 as they see features like insights and suggested responses turn up in email and meeting requests. I’m more focused on the use of AI in applications like Viva Topics. Jeffrey says that AI will make features more intelligent and easier to use. Turn up and see what you think!

Protecting Office 365 Against Attack

Practical365 traffic spiked in March when the Hafnium attack exploded and many Exchange on-premises administrators discovered just how exposed their servers were to attack. Alex Weinert, Director of Identity Security, is going to improve our knowledge about how attacks develop, the techniques used to penetrate systems, and how Microsoft and other security companies work to mitigate and close off vulnerabilities. Specifically, he’s going to analyze the Nobelium (SolarWinds) attack in December 2020 during his 1:30PM session on September 1.

Using Sensitivity Labels with SharePoint Online

Sensitivity labels are a great way to apply rights management-based encryption to Office documents. They can also be used to protect containers (Teams, Groups, and Sites). I can’t think of a better person to come along and talk about how to protect SharePoint Online and OneDrive for Business with sensitivity labels than Sanjoyan Mustafi, a Principal Product Manager who’s one of my go-to people whenever I have a question about the inner workings of sensitivity labels for SharePoint content. Sanjoyan speaks at 1:30PM on September 2. Apparently, he might even drop some hints about some new features due to appear soon.

Collaborating Teams Channels

A conference would be a pretty bland affair if only Microsoft people spoke, so TEC has many other experts come along to talk about different aspects of technology. MVP Curtis Johnstone talks at 12:45PM on September 1 about the different types of channels used in Teams, including the new shared channels first revealed in March and now getting close to public preview. Curtis plans to cover how shared channels work, differences with private channels, and how organizations can govern channel use.

Power Automate and Teams

Microsoft spends a lot of time banging the publicity drum for Teams and Power Automate. MVP Christina Wheeler brings some practical advice (always appreciated) at 1:30PM on September 1 to show how to connect the two technologies to get real work done by exploring how to launch a flow from a Teams bot.

Go to OneDrive

At 12:45PM on September 2, MVP Andy Huneycutt dives into the topic of moving people off network drives to OneDrive for Business. Many good business and technology reasons exist for this transition. Better data governance, more stable infrastructure, more visibility over content, better sharing, and so on. And of course, the simple fact that Office 365 and Microsoft 365 apps are built to use OneDrive for Business (Stream and Whiteboard are both moving their storage to OneDrive for Business). Why anyone would stay on old-fashioned network drives is beyond me…

Manage Exchange Online at Massive Scale

SAP is a very large software company that also uses Exchange at massive scale. MVP Ingo Gegenwarth gets lots of practice running PowerShell scripts to process tens of thousands of objects, and he’s going to share his experience and give some tips and techniques for how to approach the problem of dealing with so many objects at 2:30PM on September 1. I suspect Ingo might even say that it’s a good idea to use the Microsoft Graph API with PowerShell to get data about service incidents or interrogate Azure AD.

Removing the last Exchange On-Premises Server

After the Hafnium exploit in March, some organizations started to look more closely at the question of removing the last Exchange on-premises server. This has been a hotly debated topic for years, with some people saying that it’s easy to do (by performing brain surgery with ADSIEdit) and Microsoft continually saying that they are seeking a more graceful solution. Steve Goodman takes on the challenge of reporting the current situation at 12:45PM on September 2.

Group Policies Are Dead: Long Live Intune

I hate Group Policy Objects (GPOs). For years, they’ve been a necessary evil to enable workstation and server management. Intune is a better solution, especially in the world of Microsoft 365 where the PC is not the sole focus. Paul Robichaux covers this topic at 11:45AM on September 2 with a real focus on making management easier for your Microsoft 365 tenant.

Leveraging the Graph to Manage Microsoft 365

Finally, if you have time, you could attend my session at 11:45AM on September 1 where I’ll discuss how to use the Microsoft Graph APIs to manage Microsoft 365 tenants and applications. This is not a session for programmers. It’s focused on tenant administrators who automate processes with PowerShell today and want (or need) to use some Graph APIs with PowerShell. Maybe it’s just to get work done faster (like when you need to process thousands of mailboxes) or it’s because a Graph API is the only way to change a tenant setting.

Many articles cover different aspects of using the Graph APIs from reporting the storage used by Teams channels to updating tenant privacy controls. It should be a fun session (for me anyway!).

Enjoy TEC 2021. I plan to and hope that you’ll come along and have a terrific time sharing knowledge with some excellent speakers.

Source Practical365


How Throttling Impacts Tenant-to-Tenant SharePoint Online Content Migrations


Every organization faced with a large tenant-to-tenant migration is concerned about how quickly they can migrate their content. Inevitably, these organizations will raise concerns about being throttled during their SharePoint Online (SPO) content migration.

Administrators accustomed to Exchange Online throttle policies are often surprised by the limitations they encounter during an SPO migration.

What’s the Problem with Throttling Anyway?

Basically, throttling slows down the content migration process based on external limitations. A good way to think about throttling is that it’s a bit like the restrictor plate used on NASCAR race cars during selected races. The restrictor plate effectively limits the top speed of the race car, as speeds higher than 190 mph may result in cars flipping over which can cause crashes.

By controlling the migration pace and keeping a minimum threshold flow for content, throttling maintains the stability and usability of the customer’s tenants. This not only protects the content migration process, but also enables users to continue using the tenant.

How Does Throttling Work?

Each tenant implements throttling at the service level. The service throttles the Client Side Object Model (CSOM) calls and the Graph API calls. Both the service throttling rules and the migration API self-throttling rules are based on Compute and SQL availability. The migration API also adjusts how many tasks run in a tenant based on the availability of the backend resources.

Microsoft does not explicitly state exactly what the throttling rules are. Nor is there an official or unofficial policy by which Microsoft will remove throttling from a tenant. However, Microsoft can and will monitor a tenant if there are concerns about heavy throttling.

When all goes well, throttling maintains a smooth flow of traffic for all SPO tenants.

What Do Throttling Errors Look Like?

When migration tools use CSOM calls or the REST API in a way that exceeds usage limits, the migration service throttles any further requests from the user for a time. You can still be throttled when using the Graph API, and the throttling occurs when uploading batches to a public or private Azure storage container.

Below are some examples of common throttling errors:

429 Error: Too Many Requests

What you will see in response to the throttling on HTTP Request calls is a high volume of HTTP 429 errors (“Too Many Requests”), HTTP 503 errors (“Server Too Busy”), and/or HTTP 500 errors (“Operation Timeout”). Specifically, an HTTP 429 error displays as follows:

Retry-After Value

The Retry-After value is an integer value indicating the number of seconds after which the request can be resent. If you send a request before the retry value has elapsed, your request is not processed, and a new Retry-After value is returned. There’s a possibility that several asynchronous calls will receive a Retry-After value if they are processed in proximity of the retry value. Thus, repeatedly sending a request while still receiving a 429 error is futile.

503 Error: Server Too Busy

The Retry-After value used with 503 errors indicates in seconds how long the service is expected to be unavailable. You may see a 503 error with the message “Server Too Busy.” This error will likely appear when you are uploading a lot of content to an Azure storage container. Like 429 errors, repeatedly sending a request while still receiving a 503 error is futile.

500 Error: Operation Timeout

The 500 error is a very general HTTP status code that means something has gone wrong on the website’s server, but the internal server could not be more specific on what the exact problem is. Sometimes, the 500 error is due to an incorrect permission on one or more files or folders.

Other times, an application is shutting down or restarting on the server. It’s difficult to know exactly what is happening, and there is no Retry-After value provided. In fact, this error usually has nothing to do with throttling, but it can be an indicator that the service is having trouble keeping up with demand.

What does Microsoft Recommend?

Per their general migration performance guidance:

  1. Use app-based authentication (OAuth).
  2. Try to migrate during off-peak business hours.
    1. Business week evenings are obviously better than business daytime hours.
    2. Business weeknights and weekends are the best.
  3. Do not submit more than 5,000 migration jobs/requests at one time; over-queuing the network will create an extra load on the database and slow migration down.
  4. Implement Microsoft’s guidance and best practices on the back off and retry code.
    1. Good practice is to implement an exponential back off and retry – delay each following request exponentially to allow the migration service to “catch up.”

What Happens When the Migration is Throttled?

In real life, throttling looks a bit like ramp meters placed on highway onramps. Ramp meters are used to control when and how often vehicles can enter the highway, and the goal is to keep traffic moving on the highway. As a result, movement on the onramps may be slower at times.

This is the same experience with throttling and migrating SPO content. The content will move smoothly until heavy congestion is detected in the backend of the tenant. Then you will start seeing 429 errors returned with Retry-After values. The Retry-After values will force new content submissions to back off and wait until the backend congestion is reduced.
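
The Retry-After handling and exponential back off described above, as an added PowerShell example that is not from the article or from Microsoft's guidance. The function names, the default delays, and the constructed response queue standing in for the migration service are hypothetical; a real caller would pass a script block that issues the HTTP request and returns its status code and headers.

```powershell
# Added example: function names and the simulated responses are hypothetical.

function Get-RetryDelaySeconds {
    param(
        [int]$StatusCode,
        [hashtable]$Headers,
        [int]$Attempt,            # 1 for the first retry, 2 for the second, ...
        [int]$BaseSeconds = 2,
        [int]$MaxSeconds  = 300
    )
    # 429 and 503 responses carry Retry-After in seconds. Resending sooner is
    # futile, so the server's value always wins over our own schedule.
    if (($StatusCode -in @(429, 503)) -and $null -ne $Headers -and
        $Headers.ContainsKey('Retry-After')) {
        $seconds = 0
        if ([int]::TryParse([string]$Headers['Retry-After'], [ref]$seconds) -and
            $seconds -ge 0) {
            return $seconds
        }
    }
    # No usable Retry-After (the case for HTTP 500): exponential back off, capped.
    $delay = $BaseSeconds * [math]::Pow(2, $Attempt - 1)
    return [int][math]::Min($delay, $MaxSeconds)
}

function Invoke-WithBackoff {
    param(
        [scriptblock]$Request,    # returns an object with StatusCode and Headers
        [int]$MaxRetries = 5,
        [scriptblock]$Sleep = { param($s) Start-Sleep -Seconds $s }
    )
    $waits = @()
    $response = $null
    for ($attempt = 0; $attempt -le $MaxRetries; $attempt++) {
        $response = & $Request
        if ($response.StatusCode -notin @(429, 500, 503)) {
            # Success or a non-throttling error: hand it back to the caller.
            return [pscustomobject]@{ Response = $response; Waits = $waits }
        }
        if ($attempt -eq $MaxRetries) { break }
        $delay = Get-RetryDelaySeconds -StatusCode $response.StatusCode `
                                       -Headers $response.Headers `
                                       -Attempt ($attempt + 1)
        $waits += $delay
        & $Sleep $delay
    }
    throw "Still failing after $MaxRetries retries (last status $($response.StatusCode))."
}

# Constructed response sequence standing in for the migration service:
# throttled with Retry-After, a 500 without one, a busy server, then success.
$responses = [System.Collections.Queue]::new()
@(
    @{ StatusCode = 429; Headers = @{ 'Retry-After' = '30' } },
    @{ StatusCode = 500; Headers = @{} },
    @{ StatusCode = 503; Headers = @{ 'Retry-After' = '120' } },
    @{ StatusCode = 200; Headers = @{} }
) | ForEach-Object { $responses.Enqueue($_) }

# The demo replaces the real sleep with a message so it finishes immediately.
$result = Invoke-WithBackoff -Request { $responses.Dequeue() } `
                             -Sleep { param($s) Write-Host "Backing off for $s seconds" }
Write-Host "Final status: $($result.Response.StatusCode); waits: $($result.Waits -join ', ')"
```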

Can Microsoft Turn Off Throttling to Help You with Your SPO Migration?

Officially…No. Throttling rules cannot be disabled or suspended, and opening a support ticket will not lift throttling. In a previous version of the same guidance document, Microsoft states, “throttling is implemented to ensure the best user experience and reliability of SharePoint Online. [Throttling] is primarily used to load balance the database and can occur if you misconfigure migration settings, such as migrating all your content in a single task or attempting to migrate during peak hours.”

In my experience I’ve never heard of an instance where Microsoft has lifted the throttling rules for content migration for a customer, including Microsoft Consulting Services. Microsoft’s migration tools do not have preferred App IDs that bypass throttling, and there’s no secret back entrance to avoid throttling.

What Would Happen if Throttling Was Lifted?

In the grand scheme of things, this would be bad for your tenant. Unrestricted migration of content to a tenant significantly increases the amount of content moving to the services, and the services could eventually fail due to the heavy load. The virtual network adapters could fail, or the SQL Server could stop responding to requests. Users on the tenant would see a significant drop in performance of online services – possibly a complete failure.

Of course, this situation can quickly deteriorate even more so. Tenants that share hardware environments are impacted by the heavy load placed on any one of the tenants. Each tenant will experience a degradation in performance. Thus, the problem of one tenant becomes the problem of many tenants.

What Can You Do?

Back Off and Retry Code
For starters – the migration software you choose will certainly have an impact on migration throughput. The software must implement back off and retry code as recommended by Microsoft.

The migration software should also use OAuth authorization, an App ID, app-based authentication, as well as the Import API to create migration jobs in the target tenant and the Export API for reading from source tenants. The use of CSOM should be limited to features that are not supported by the migration API or the Graph API – and that can happen.

Migration Windows
Second, understand that the best time to write content to the target tenant is during off-peak times. Business daytime hours will generally see a higher probability of throttling as the SPO tenant is trying to maintain stability for M365 users.

Business week evenings are good times to migrate since there are fewer M365 users online. However, there may be backend processes running in M365 during these times. These processes may trigger throttling rules to ensure that they can complete successfully without interference from heavy migration processing.

However, the best times to migrate are business weeknights and weekends as there should be almost no M365 users online and fewer backend processes running. Weekends should be the primary target for scheduling content migrations.

Weekly Migration Throughput
Third, plan for a total weekly migration throughput based on the amount of content that can be migrated at different hours during the week. For example, a sample content migration throughput plan for OneDrive might appear as below, and you can see that the throughput during business weekday hours is only 1TB. However, the non-business weekday hours throughput is higher at 3TB, and the weekend throughput is much higher:


This is typical for large migrations, but you must consider the following factors:

  1. Not every migration is typical.
  2. The type of content being migrated has a significant influence on throughput.
  3. The throughput plan should indicate whether other content migrations are taking place at the same time.
    1. You cannot exclude other migrations to SPO, OneDrive or Teams in the same target tenant just because a different team is running a migration process, or a different migration tool is being used.
    2. What matters is that the content is migrating to the same tenant.

Another consideration is when the source and target tenants are in different geographical regions, as this may reduce the total amount of non-business hours available to your migration. Consider the following example: an organization is migrating content from New York, USA to Berlin, Germany. At 6PM on a Friday evening in Berlin, the migration window is open for the weekend. However, it is still 12PM in New York. The source tenant may still throttle on reads to maintain stability for users, and the rules may stay in effect for another 6 hours.

At the other end of the weekend, the throttling rules on the target tenant can start at 6AM in Berlin. However, it is only midnight in New York, and it will be another 6 hours until throttling rules take effect to protect the source tenant. Thus, your total potential migration throughput for this scenario can be reduced by 12 hours on the weekend. The same limitation exists for your evening and night-time processing.

Set Appropriate Expectations on Migration Throughput
Fourth, it’s important to set realistic expectations with your customer on what to expect for migration throughput. Factors that impact throttling include:

  • Multiple migration workloads
  • Lots of small items in lists and small files in libraries
  • Lots of permissions and metadata
  • File versions
  • Can be throttled on both source and target tenants

For example, imagine driving on a highway where there is little traffic. Some trucks are carrying large loads, but not necessarily heavy loads – this is akin to carrying large files. Their throughput can be very high, but they can load and unload quickly.

Another type of truck is carrying a load of sugar beets. The load is like migrating thousands of small files, and this truck cannot go as fast as the other trucks. It’s on the same highway; but it is heavier, needs more time to load, travels at a slower speed, and needs more time to unload. It also takes more time to process all the sugar beets at the factory after they are unloaded.

With these two different scenarios, different expectations should be set. First, no two migration loads are the same. Second, even when the total migration sizes are equal, large files will move and process faster than small files. Thus, the expectation that migration throughput performance can be measured based on size is false.

Try to Avoid Throttling by Not Following Best Practices
Fifth, try to avoid throttling with inventive solutions because you heard from someone or read online somewhere about a “recommended” approach. Here are a couple of my favorites:

  • Running multiple migration solutions concurrently. Deemed to be faster because each migration solution uses OAuth authorization and has its own App ID; thus, each migration solution will not be throttled, and you can push as much content as possible.
    • This is false – throttling is managed at the service level, not the individual migration solutions. Using OAuth and App ID allows for more throughput in comparison to CSOM, but they can still be throttled by the service.
  • Running a content migration with multiple apps installed in Azure AD. Each app uses a different App ID and service principal, and the migration solution uses every app to send content migrations through. The likelihood of being throttled is greatly reduced because multiple service principals are being used, and each service principal is seen as a unique migration process and the throttling will be determined uniquely by the service. Thus, your throughput will increase!
    • This is false – and not a best practice supported by Microsoft.
    • In fact, Microsoft will warn you if they determine you’ve implemented this solution and will ask you to remove it.

Do Not Panic Over Throttling Errors
Lastly, do not panic if you see throttling errors. This is normal and is usually an indicator that your content migration solution is pushing content to the limit of what the migration service can support. You should reduce the requests being submitted if you see warnings regarding CSOM or the REST API.

Just like racing a car, there are times where you want to see the RPMs close to the red zone, but you don’t exactly want to see the needle in the red zone for too long. It’s not good for the engine – it could seize. For migrations, this could mean the migration service will lock you out and you’ll have to wait a few days for the service to let you back in again.


Your first recourse should not be to look for ways to bypass throttling, as it maintains the stability of your tenants. Removal of throttling is not possible and would likely result in your tenant crashing anyway.

When looking for ways to expedite a tenant-to-tenant content migration, there are several actions you can take to absorb this extra time without extending deadlines. These include planning to migrate at off-peak times; setting appropriate expectations with customers; and avoiding inventive solutions that do not follow best practices.

Source Practical365


Office 365 10-Year Anniversary Series: SharePoint Online Reflections


The Beginning of My Journey into the Cloud

In June 2011, I was a consultant with EMC Consulting focused on migrating customers’ legacy Notes applications to SharePoint and moving SharePoint 2003, 2007, and 2010 customers to SharePoint 2013. That same month, Office 365 reached general availability, and I wondered how long it would be until there was an offering for SharePoint to be included in Microsoft’s cloud offering.

In July of 2012, a public beta of SharePoint Online was made available, and in February 2013, Office 365 SharePoint Online was released, adding a whole new dynamic for SharePoint migration planning.

I looked at this release as being the first of many releases. This was an online version of what was available in the on-premises product – with some limitations. While the feature set in the online version lagged the on-premises version, I knew this would change over time.

Changing the Conversation

Most of my conversations with customers with regards to Office 365 centered around SharePoint migrations and custom applications. Third-party application providers were quickly moving to provide SharePoint Online migration tools. As a result, all the conversations that I had with customers and other consultants changed.

I started to pitch SharePoint Online as a new and better target for migrations. It was an easy pitch, too:

  • Migrate once to the cloud and stay there
  • No hardware purchases
  • Sell or repurpose your existing hardware
  • Lower administration costs
  • No planning for upgrades or installing fixes
  • Keep on-premises any applications that are complex and cannot run in SharePoint Online

With regards to custom applications, this was a big concern for customers and consultants looking to maximize their SharePoint investment. These concerns extended even more to SharePoint Online. But I saw an opportunity to standardize and simplify most of the applications, and there were some good third-party form and workflow applications available to support my view.

Pitching to Cloud-Weary Skeptics

Of course, in those early days, there were still a lot of customers not ready to buy into the cloud. I explained that they may be able to justify staying on-premises this year. But the argument for going to the cloud would get stronger every year until they would eventually not be able to refute it. Eventually, I believed, changes would happen faster in the cloud than on-premises.

There were usually three types of customers who were ready to make the move:

  1. Moving content from a legacy platform (e.g., Lotus Notes) and starting over on SharePoint Online
  2. Ready to move from SharePoint 2007 or 2010 to the cloud – at least with some of their collaboration applications
  3. Introducing SharePoint Online as the new collaboration solution

The first and second sets of customers had a better chance at adopting SharePoint Online as their users were forced to use it. Both sets struggled with migrating custom applications. The third set of customers managed adoption issues with their users.

Fast Forward to the Present!

In an amazing and fortunate turn of events, I now manage the same migration products I used to recommend as a consultant in my role at Quest! We’ve seen tremendous growth in the number of Microsoft 365 users over the past ten years. We’ve all seen the SharePoint Online platform add many new and amazing features over the past ten years. One of the most popular Office applications ever (Microsoft Teams) uses SharePoint Online for storing most of its content.

10 years later and instead of an on-premises migration, you now have a tenant-to-tenant Office 365 migration. Check out this e-book to learn the Top Five Ways to Prepare for Your Next Office 365 Tenant Migration.

Source Practical 365


Hands-on SharePoint Syntex: Part 2


In part 1 of this series, we introduced you to SharePoint Syntex, Microsoft’s new service, which brings the power of automation to content processing and transforms your content into knowledge. We explained the licensing requirements for SharePoint Syntex and showed how to license and set up SharePoint Syntex in your Microsoft 365 environment.

In part two, we look at adding document understanding models into our newly created Syntex Content Center and how to add, classify, and train documents with SharePoint Syntex.

Finally, in part three, we consider creating forms processing models from SharePoint document libraries by using AI Builder, a feature of Microsoft PowerApps.

Setting up a Document understanding model in SharePoint Syntex

With SharePoint Syntex licensed and set up in a tenant, we can explore its real value by adding a Document understanding model and then training some documents to extract the information we want.

To create a Document understanding model within SharePoint Syntex, open the Syntex Content Center created in part one and complete the following steps.

  1. Click on New, and select Document understanding model:

Figure 1 – Creating a Document understanding model

  2. For this example, I will use PDF files of my payslips. So, I will name this model Payslips. The first step is to create a new content type. A content type in SharePoint Online is a reusable collection of metadata (columns), workflow, behavior, and other settings for a category of items or documents in a SharePoint list or document library. You may also select existing content types. For more information on content types, please refer to this Microsoft article. I will also choose to apply a Retention label to any content to which this model is applied. My retention label is set to trigger a compliance administrator’s Disposition review at the end of the retention period (Figure 2). Click Create when the required settings for the model are complete.

Figure 2 – Naming the document understanding model, creating a content type, and assigning a retention label

  3. The model creation wizard takes you to the next step, where you will see four key actions to develop your newly created model (Figure 3).

Figure 3 – Key actions are shown in the document understanding model

  4. Now that we have our new model, we should add some example files. To do this, click on Add files.

The example files are used to train the model. You may upload either files or folders. We must upload at least 5 files of the same (positive) type and 1 file of a different (negative) type. In this instance, I have chosen to upload 5 of my payslip PDFs as positive examples and 1 negative example, a PDF of my Microsoft certification transcript (Figure 4). Once the example files are uploaded, click Add.

Figure 4 – Adding positive and negative example files

  5. This takes you back to the main key actions page for your model. Next, we need to classify our files and run training. To do this, select the option to Train the classifier.

From the classifier screen, we need to select each of the documents we uploaded to our model in the left pane, then on the preview pane to the right, we choose yes or no to the question Is this file an example of Payslips? (Figure 5).

Note that I have redacted information displayed in my preview pane in the examples that follow to protect my confidential details.

Figure 5 – Labelling files as positive or negative examples

  6. Make your selection against each file, and then move on to the next one by clicking on Next file.

Figure 6 shows that I have labeled all the payslip files as positive examples and my Microsoft transcript file as the one required negative example.

An important consideration here is that ideally, a negative file should be as close an example as possible to the positive file examples.  In this case, my negative example is a completely different format to that of the positive.  Whilst this does work, it is not the best real-world example, but it does show you how the process works.

Figure 6 – All uploaded example files have been labeled

  7. Now we need to run the training on our files. Click on the Train tab, and you will be prompted to add an explanation that is required to help the model distinguish this type of document from others or identify the information to extract. Click on Add explanation as shown in Figure 7.

Figure 7 – Add an explanation

  8. For our explanation, we will give it the name of Payslips and choose the Phrase list option, where we may enter words or phrases that will be used to identify the information we wish to extract. All my payslips contain the phrase PRIVATE & CONFIDENTIAL, so I have used this as my phrase (Figure 8). I have also selected the checkbox to match exact capitalization. With our explanation details completed, we may now click on Save.

Figure 8 – Choose a name and type for your explanation, and add a list of phrases

  9. Click on Train Model. If successful, you will see a Match against your files, as shown in Figure 9. However, if you see a Mismatch, you will need to add further explanations to provide more information and rerun the training.

Figure 9 – File matching completed successfully

  10. In the preview pane against each file, we can see where a file has been Correctly predicted as a positive example. Similarly, we can see where a file has been Correctly predicted as a negative example (Figure 10).

Figure 10 – Correctly predicted negative example

  11. Click on the Test tab within your classifier, and you may add and train further files if you wish or need to (Figure 11). Then click on Exit Training.

Figure 11 – Add further files if required and exit the training

  12. Next, back on the key actions page, we have an optional stage where we can create extractors that will extract specific information from our positively matched documents and display these as columns in the SharePoint document libraries to which our model is applied. Click on Create extractor.

I want to extract the date from each of my payslips, so I will create an extractor named Paid Date (Figure 12). Click on Create.

Figure 12 – Creating a new entity extractor

  13. From the Label tab of our new extractor, we need to scroll through each example file again and highlight the required information, which is the date from each payslip (Figure 13).

Figure 13 – Highlight the required information to extract

  14. Once a file has been appropriately labeled, click on Next file to move to the next one. When reaching the last file, which is my negative example, I need to click on No label for this one and then click on Save.

Next, I will click on the Train tab to train my extractor. I will need to add an explanation for the extractor at this point by clicking on Add explanation (Figure 14).

Figure 14 – Adding an explanation for the extractor

  15. I will name this explanation Date Paid, and this time I will choose Pattern list as the type. As the pattern list will reference a date, I can choose to add a list of patterns from a template (Figure 15).

Figure 15 – Add a name and type to your explanation, and add a list of patterns from a template

  16. You will now see a list of the available explanation templates. Here I will choose the Date (Numeric) option below and click Add (Figure 16).

Figure 16 – Add the chosen explanation template

  17. The template patterns for the date format are added (Figure 17), and we may now click on Save.

Figure 17 – Save the pattern list

  18. Now we need to click on Train Model for our new extractor, and hopefully, we will see a match as shown in Figure 18.

Figure 18 – Training the model for the extractor

  19. The creation of the extractor is now complete. Click the Test tab to complete further training if required, and then Exit Training when we are satisfied that the extractor will match the content we wish to be shown in a column in our document libraries (Figure 19).

Figure 19 – Click to exit the training of the extractor

  20. The final step is to apply the model to any chosen document libraries within SharePoint Online. To do this, return to the key actions page, and click on Apply model.

Select the required document library, then click Add. The Payslips model is now applied to my chosen document library. To open this document library, click on Go to the library.

You can immediately see that the document library shows some extra columns related to our newly applied document model.  These include our extractor column of Paid Date and the Retention label column. The document model will automatically run against any new files added to this document library, or we can select files and then choose Classify and extract.

The result is that my payslips are all now shown with a Content-Type of Payslips, an extracted Paid Date value, a Retention label of Disposition Review Label, a Confidence Score, and a Classification Date (Figure 20).

Figure 20 – Document model shown applied to document library with added columns

Our Document understanding model is set up, complete with some compliance in the form of retention labels, and an extractor applied which shows extracted information in a column in the document libraries to which our model is applied.


This post showed you how SharePoint Syntex could be used to create document understanding models in the SharePoint Syntex Content Center.  We learned how to add, classify and train documents with SharePoint Syntex, how to extract information from the documents that you mark as positive examples, and how to apply a document model to a SharePoint document library.

In part three of this blog series, we look at how forms processing models may be created from SharePoint document libraries using the AI Builder feature of Microsoft PowerApps.

Source Practical365


Hands-on SharePoint Syntex Blog Series – Part I


This blog series will examine and test-drive SharePoint Syntex, a powerful new Microsoft 365 service announced by Microsoft at Ignite 2020.

SharePoint Syntex consists of content understanding, processing, and compliance services that provide the ability to capture and scale expertise using advanced AI and machine learning.

SharePoint Syntex brings the power of automation to content processing and transforms your content into knowledge.

The features included with SharePoint Syntex are shown in the image below, taken from the Microsoft SharePoint Syntex overview page:



In Part I, we explain the licensing requirements for SharePoint Syntex and then show you how to license and set up SharePoint Syntex in your Microsoft 365 environment.

Part II will explore adding document understanding models into our newly created Syntex Content Center and then show you how to add, classify and train documents with SharePoint Syntex.

Lastly, in Part III, we look at creating forms processing models from SharePoint document libraries using AI Builder, a feature of Microsoft PowerApps.

Setting up the licenses for SharePoint Syntex

To set up SharePoint Syntex within your Microsoft 365 tenant, you will first need to acquire the required licenses by completing the following steps:

  • Log in to the Microsoft 365 admin center at as a Global Administrator, User Administrator, or Billing Administrator, and navigate to Billing | Purchase services as shown below:
  • From the right-hand pane of the Purchase services section, go to the search box as shown below, type in “syntax,” and hit enter:
  • The following process shows options where you can either click on ‘Next’ to purchase the required number of SharePoint Syntex licenses, or you can choose the option of ‘Start a free trial,’ which provides 25 SharePoint Syntex licenses you can use for 30 days:
  • For the purposes of demonstrating SharePoint Syntex in this article, we chose the free trial option.  Once completed, you can view the licenses in the Microsoft 365 admin center under Billing | Your products, as shown below:
  • The 25 SharePoint Syntex Trial licenses can be seen in the image below:
  • Next, we must assign a SharePoint Syntex license to each Microsoft 365 user who will be using any SharePoint Syntex features.  This can be done from the Microsoft 365 admin center under Users | Active Users:
  • Select the required user(s) and choose the Licenses and apps tab:
  • Scroll through the list of available licenses and check the box next to SharePoint Syntex. Scroll down further, and under Apps, choose the dropdown under Show apps for, and select SharePoint Syntex. Ensure that the checkboxes for Common Data Service for SharePoint Syntex, SharePoint Syntex, and SharePoint Syntex – SPO type are all selected, and then click on Save changes:

Now that we’ve secured the licenses needed to use SharePoint Syntex, we can set up the program accordingly in our Microsoft 365 environment.

Setting up SharePoint Syntex in Microsoft 365

To set up SharePoint Syntex, we need to complete the following steps:

  • Log in to the Microsoft 365 admin center at as a Global Administrator or SharePoint Administrator, and navigate to Setup:
  • Scroll down to the Files and content section and click on Automate content understanding:
  • Below you’ll see the At a glance and User impact information for Automating content understanding:
  • Scroll down, and you will see further information About content understanding, which explains the three main functions: Image tagging, Form processing, and Document understanding:
  • Scroll back to the top and click on Get started:
  • The Content understanding setup begins, and the first step is to select your preferred settings for form processing.  You may choose to Select SharePoint Libraries to enable for form processing.  We will leave the default option selected, Libraries in all SharePoint sites, and then click Next:
  • The Document understanding function of SharePoint Syntex requires creating a Content center. In this example, we will give our content center the name Syntex Content Center, which automatically generates a site name for the content center, shown below. Click Next:
  • Under the Review section of the setup process, you have the option to make any last-minute edits.  When you are happy with your chosen settings, click Activate:
  • The setup may take a few minutes to complete, and you should see the notification below:
  • When the setup is completed, click Done:
  • You will then be routed back to the Automate content understanding page, where you’ll click on Manage:
  • Clicking on Manage will allow you to edit the settings you completed in the initial setup for both Form processing and Document understanding:
  • If you scroll further down the Automate content understanding page, you will see the option to Manage this feature.  Click on Content understanding settings:
  • Content understanding settings will take you into your newly created Syntex Content Center, as shown below. At this point, it is also important to point out that it is possible to create multiple content centers for SharePoint Syntex within Microsoft 365:
  • It is also possible to locate your SharePoint Syntex Content centers by searching for them from the SharePoint admin center, as shown below. The SharePoint admin center is accessed from the bottom left of the Microsoft 365 admin center under Admin centers | SharePoint, or by navigating to in your browser:

And that’s it! SharePoint Syntex is now licensed (albeit with a trial for now) and configured correctly in our Microsoft 365 tenant.


In this post, we introduced you to the principles of SharePoint Syntex within Microsoft 365.  We showed you how to acquire licenses to use SharePoint Syntex in your environment and how to assign these to your users.

In Part II of this blog series, you’ll learn how to configure and use the Document understanding feature of SharePoint Syntex.  This will involve adding a Document understanding model to your SharePoint Syntex Content center; adding example files; classifying your files, running training; optionally creating and training extractors for the information needed within columns in your SharePoint libraries; and lastly, how to apply your Document understanding model to selected libraries within SharePoint Online.

Source Practical365


SharePoint Online Roadmap Points to Deeper Microsoft 365 Integration


Microsoft says there are a load of SharePoint Online features in the pipeline, including how the tool integrates with Microsoft 365. The good news is many of the improvements will be in the form of real new features for users.

Microsoft says many tools could arrive as early as December, but some are extending further into the SharePoint Online roadmap.

Perhaps the most noteworthy addition is a new site performance page. Available to editors and owners of SharePoint websites, the page provides a ranking system based on color (red to green like traffic lights) to show the “health” of a page.

“Page health measures page performance which impacts the viewing experience and the page’s ability to engage viewers and serve its purpose.”

Microsoft is also adding a “My Feed” web part to SharePoint Online. This taps into Microsoft Graph to show data on chats and videos from Microsoft 365. Each user sees an individual customized feed based on their documents.

“This web part shows a mix of content from across Microsoft 365, based on what’s likely to be most relevant to the current user at any given time.”

Sticking with Microsoft Graph, Microsoft has released new connectors for SharePoint Online sites. This allows users to search connections across software, including solutions not from Microsoft. Ten new connectors are available:

  • Azure Data Lake Storage Gen2
  • Azure DevOps
  • Azure SQL
  • Enterprise Web sites
  • MediaWiki
  • Microsoft SQL Server
  • File share
  • Oracle (preview)
  • Salesforce (preview)
  • ServiceNow

More Microsoft 365 Tools

Microsoft wants users to see information more easily in emails with attachments. As such, the company now summarizes Word attachments in three bulleted paragraphs. This allows users to see the relevance before needing to open the file.

Source Vanguard


Using sensitivity labels with SharePoint sites, Microsoft Teams, and M365 groups – Part 1


Sensitivity labels in Microsoft 365 have been around for quite some time. Essentially they enable users to apply protection to emails and documents that they’re working on by assigning a label to that content.

The purpose is to ensure that only people authorized to view or consume that content can do so. You can configure sensitivity labels to apply encryption and content marking to specific emails and documents, which you assign to users or groups with varying permissions levels using labeling policies.

Depending on the level of Microsoft 365 licensing in place, these labels can be either manually applied by the end-users themselves, or automatically based on built-in sensitive information types.  You can read more about the licensing requirements for Microsoft Information protection here.

The evolution of sensitivity labeling can be traced back to Information Rights Management within Office 365, then Azure Information Protection in the Azure portal, and finally, Unified labeling via the Microsoft 365 Security and Compliance Center.

Until recently, however, it was only possible to apply sensitivity labels to emails or documents. Microsoft has now introduced the ability to use sensitivity labeling at a ‘container level’, which means that you can apply a label’s protection at a higher level than the document or email. In Microsoft 365, when we refer to containers, this currently relates to the following three features or services.

  • SharePoint Online Sites
  • Microsoft Teams
  • Microsoft 365 Groups

This blog series will show you how sensitivity labeling works at the container level and how to configure existing labels for it. We’ll also show how this relates to any existing labeling applied at the document level and share some useful tips on the auditing capabilities of the M365 audit logs.

We will start in the M365 Compliance Center, enabling some existing labels for use with containers.

Microsoft 365 Compliance Center

Over the past couple of years, the Microsoft 365 Security and Compliance Center has been my go-to portal for information governance and protection. Whilst this portal remains available, the evolution of so many features relating to both Security and Compliance has led Microsoft to provide specific outlets to administer these functions. Therefore, we now have the separate Security Center and Compliance Center.

To demonstrate Sensitivity labeling at the container level, I will be working from the Compliance Center by completing the following steps.

  1. Log on to the Compliance Center as a Global Administrator, Compliance Data Administrator, Compliance Administrator or a Security Administrator. This will take you to the portal as shown below.

2. Next, click on Solutions > Catalog > Information protection > View.

3. Now click on Open solution.

4. In the example below, we can see many of the labels and sub-labels already available in my tenant, currently providing encryption and content marking to emails and documents.

5. If we select the General / HR sub-label, we can note its existing settings as below.

6. If you are already familiar with Sensitivity labels, you will note a newer section in this dialog called Site and group settings. Click on Edit label, and this will open the label wizard in the following image.

7. Keep clicking Next until you reach the Site and Group settings.

8. Move the slider to the on position, and this will present you with the options to configure the Site and Group settings.

9. You can choose some privacy options from the dropdown menu to access the Site or Group where this label will be applied. These options are shown in the following table.

| Option | Effect |
|---|---|
| Public | This will allow anyone in the organization to access the Site or Group where this label is applied. |
| Private | This setting restricts access to only approved members in your organization. |
| None | This setting will allow the user to decide who can access the Site when the label is applied. |

10. In this example, we will set this label to be applied privately, meaning that only members will access the Site.

11. We can also choose whether we want Sites and Groups protected by this label to be accessed by people outside of the organization.  In this example, we will leave this option unchecked.

12. Finally, we have some controls which allow us to choose how unmanaged devices are treated when they attempt to access Sites or Groups protected by this label.

Note: To use this option, you will also need to configure the SharePoint feature, which uses Azure AD Conditional Access to block or limit access to SharePoint Online and OneDrive content from unmanaged devices.  Further guidance on how you can configure this feature may be found here.

13. Now that you have configured the Site and group settings for your label, click through the wizard, and on the Review your settings page, click Save label.
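
The Site and group settings from steps 8 to 12 can also be set from Security & Compliance PowerShell with Set-Label. This is an added example, not part of the original article: the function name, the label identity and the admin account are placeholders, and the unmanaged-device default is an assumption because the article does not say which option it chose.

```powershell
#Requires -Modules ExchangeOnlineManagement

function Set-ContainerLabelSetting {
    # Hypothetical helper: applies the wizard's Site and group settings to one label.
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # Name or GUID of an existing sensitivity label.
        [Parameter(Mandatory)]
        [string] $LabelIdentity,

        # Privacy dropdown from step 9. 'None' is sent to the service as 'Unspecified'.
        [ValidateSet('Public', 'Private', 'None')]
        [string] $Privacy = 'Private',

        # Step 11: whether people outside the organization may be added as guests.
        [bool] $AllowGuests = $false,

        # Step 12: treatment of unmanaged devices. Assumption: the article does not
        # state its choice, so the default here is the most restrictive option.
        # These three settings only take effect once the SharePoint unmanaged-device
        # Conditional Access feature mentioned in the note above is configured.
        [ValidateSet('Full', 'Limited', 'Block')]
        [string] $UnmanagedDeviceAccess = 'Block'
    )

    $privacyValue = if ($Privacy -eq 'None') { 'Unspecified' } else { $Privacy }

    # Exactly one of the three unmanaged-device switches is set to $true.
    $settings = @{
        Identity                                      = $LabelIdentity
        SiteAndGroupProtectionEnabled                 = $true
        SiteAndGroupProtectionPrivacy                 = $privacyValue
        SiteAndGroupProtectionAllowAccessToGuestUsers = $AllowGuests
        SiteAndGroupProtectionAllowFullAccess         = ($UnmanagedDeviceAccess -eq 'Full')
        SiteAndGroupProtectionAllowLimitedAccess      = ($UnmanagedDeviceAccess -eq 'Limited')
        SiteAndGroupProtectionBlockAccess             = ($UnmanagedDeviceAccess -eq 'Block')
    }

    if ($PSCmdlet.ShouldProcess($LabelIdentity, 'Enable Site and group settings')) {
        Set-Label @settings

        # Read the label back so the change can be reviewed: ContentType should now
        # include Site and UnifiedGroup, and LabelActions carries the stored settings.
        Get-Label -Identity $LabelIdentity |
            Select-Object DisplayName, ContentType, LabelActions
    }
}

# Usage (placeholders; requires one of the compliance roles listed in step 1):
# Connect-IPPSSession -UserPrincipalName 'admin@contoso.example'
# Set-ContainerLabelSetting -LabelIdentity '<label name or GUID>' -WhatIf
# Set-ContainerLabelSetting -LabelIdentity '<label name or GUID>' -Privacy Private -AllowGuests $false
```

Running with -WhatIf first prints the target label without calling Set-Label, which is useful because the change affects every site, team and group that already carries the label.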

So, that’s how you can set up an existing label to be Site and Group ready.  Now, let’s take a look at how this works in the first of our three M365 containers, which are SharePoint sites.

Applying sensitivity labels to SharePoint sites

Now that we have a configured label for use with sites and groups, we can apply that label to an existing SharePoint site within our M365 tenant, or whilst creating a new site.  In the following example, I will choose to create a new Team Site to demonstrate how this can be done.

We need to complete the following steps.

  1. Log on to the SharePoint Admin Center and navigate to Sites > Active Sites. Please refer to my previous blog series How to create Modern SharePoint Online Team Sites for instructions on how to connect to the SharePoint Admin Center. Click on Create.

2. Click on Team site.

3. Enter the details to create your Team Site as shown below. In this example, we will create a site called Human Resources. Under the Sensitivity setting, we will select the General \ HR label, which we created earlier. Note that this selection results in the Privacy settings field being greyed out. This is because we set the chosen label as Private – only members can see this Site. Therefore, the privacy method is automatically applied.

4. Complete through the wizard to finish creating the Team site, and then open the Team site by searching for it in the SharePoint Admin Center. As you can see below, we now have our new Team site ready, and it is appropriately labeled under the Site name as Private group | General \ HR.

5. This label setting’s effect is that the Site is accessible only to members of the Site, and the Site cannot be shared externally as per the label settings. To demonstrate this, I will try and add an external email address as a member of the Site. I do this by clicking on the cogwheel and selecting Site permissions.

6. Next, I click on Invite people > Add members to Group.

7. Now, I will click on Add members.

8. Here I will add my own Gmail email account, then click Save.

9. What happens is that you can’t add my Gmail account as a member due to the settings we defined in the General / HR label.

So, that’s how sensitivity labeling works with Site and Group settings within a SharePoint Online team site.


In this post, we’ve explained the principles of applying sensitivity labels at the container level within Microsoft 365. We showed you that there are currently three containers to which sensitivity labels can be applied.  These are SharePoint Sites, Microsoft Teams, and M365 groups.

We demonstrated how you could modify an existing sensitivity label in the M365 Compliance Center and enable it for Site and group settings. We also explained that you can configure this when setting up any new labels from scratch.

Finally, we showed how to apply the sensitivity label to the first of these three containers by setting up a new SharePoint Online Team Site.

In part two of this blog series, we will show you how to apply the sensitivity label to the two other container options: Microsoft Teams and M365 groups.

Source Practical365


How to create Modern SharePoint Online Team Sites – Part Two


In part one of this blog series, we showed you how to create a new SharePoint Online Team Site to serve as a collaborative space for an Operations Team.

We ran through how to build the site from the SharePoint admin center, an associated Microsoft 365 group, how to provision three default SharePoint Online permissions groups during the process, and how to access the new Team site from the SharePoint Admin center.

In part two of this blog series, we’ll show you how to register a Hub Site and associate the new Team site with it. We’ll also show how to add a link to your Team site on your intranet landing page and how to use the Audience targeting feature to ensure that your SharePoint Online users only see the content they are authorized for via group memberships.

Registering a Hub site in SharePoint Online

A Hub site in SharePoint Online is a means of connecting and organizing the sites in your SharePoint Online environment, making it easier to apply standard navigation and site structure across associated sites. It also promotes efficient search across sites that are linked by Hub association and the discovery of related content.

You can find more information on Hub sites here.

To register your SharePoint site as a Hub site, you’ll need to access the SharePoint admin center from the Microsoft 365 Admin Center. You’ll either need to be a Global Administrator or SharePoint Administrator (you can view a reminder of how to access the Admin center in part one of this blog series).

1. Once you’ve logged in, you’ll again need to navigate to Admin centers > SharePoint. Then navigate to Active sites, and in the search bar, enter the name of the site you wish to register as your Hub site.

2. My landing page site is named H U B 3 6 5, and when I select it, I can click on Hub from the top menu and choose the option to Register as hub site.

Active Sites

3. This takes me to the following screen. The Hub name field is pre-populated, and I can choose which groups are authorized to associate sites with our new Hub.  In this example, I will assign this permission to the Practical 365 Members group as shown below.

Register as a hub site

4. For this scenario, I have named it H U B 3 6 5. Once selected, you can see your Hub name and group selections completed as shown in the following image. Click Save.

People who can associate sites with this hub

5. You will then see the following screen. The Hub name field is pre-populated, and you can choose which groups are authorized to associate sites with our new Hub. In this example, you can assign this permission to the Practical 365 Members group.

Active sites

Now that we have set our Hub site, let’s associate our Team site with it.

Associating your Team site to the Hub site

To associate a Team site with our newly registered Hub site, we need to remain in the Active sites section of the SharePoint admin center and complete the following steps.

1. First, we need to search for our Team site, which we named Operations.

2. From the top menu, we again need to select the Hub option, and this time choose Associate with a hub.

Edit hub association

3. In the Select a hub dropdown, we’ll choose the H U B 3 6 5 hub we created earlier. We can then click Save, and we will see that our Team site is now associated with H U B 3 6 5 as intended.

Active SharePoint Online Team Sites

4. If we click on the Operations site again from the Active sites list, we can view the site’s properties. As shown below, this will display the current Hub association for the site, and if you click Edit, you may change your Hub selection.


To recap, we’ve now registered our landing page as a Hub site, and then associated our Team site with the new Hub site. Next, we can take a look at the Hub site navigation options and configure Audience targeting.
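
The same registration and association can be scripted with the SharePoint Online Management Shell. This is an added example, not part of the original post; the tenant URLs and the group address are placeholder assumptions, and the script assumes the Microsoft.Online.SharePoint.PowerShell module and a SharePoint Administrator sign-in.

```powershell
# Added example (not from the original post).
# Placeholders: replace the URLs and the group address with your own values.
$AdminUrl    = 'https://contoso-admin.sharepoint.com'
$HubUrl      = 'https://contoso.sharepoint.com/sites/hub365'
$TeamUrl     = 'https://contoso.sharepoint.com/sites/operations'
# Principals allowed to associate sites with the hub (the post uses the
# "Practical 365 Members" group; this address is a made-up stand-in).
$Associators = @('practical365members@contoso.com')

Connect-SPOService -Url $AdminUrl

# Register the landing page as a hub only if it is not one already,
# so the script can be re-run safely.
$hubCandidate = Get-SPOSite -Identity $HubUrl
if (-not $hubCandidate.IsHubSite) {
    Register-SPOHubSite -Site $HubUrl -Principals $Associators | Out-Null
}

# Associate the Operations Team site with the hub.
Add-SPOHubSiteAssociation -Site $TeamUrl -HubSite $HubUrl

# Verify the result instead of trusting that the calls succeeded:
# the Team site's HubSiteId must equal the hub's ID.
$hub  = Get-SPOHubSite -Identity $HubUrl
$team = Get-SPOSite -Identity $TeamUrl
if ("$($team.HubSiteId)" -ne "$($hub.ID)") {
    throw "Site $TeamUrl is not associated with hub $HubUrl"
}

# Show the hub and who currently holds the right to associate sites with it,
# so the list can be reviewed against what was intended.
$hub | Select-Object Title, SiteUrl, Permissions | Format-List
```

Reviewing the `Permissions` output after each change keeps the set of people who can attach sites to the hub as small as the one chosen in step 3 of the registration.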

Adding a link to the Hub site navigation and setting audience targeting options

One of the useful features of Hub sites is being able to set a consistent Navigation bar at the top of Site pages, both on the Hub site itself and on the sites associated with it. We’ll walk you through how to achieve this in the following steps:

1. Firstly, please navigate to the Hub site, our H U B 3 6 5 intranet landing page. You will see in the following image that the page now includes a H U B 3 6 5 top link navigation and an Add link option.

SharePoint Online team site audience targeting options

2. Clicking on Add link will first show you the option to Enable site navigation for audience targeting, so we will move the slider to On for this setting. Simultaneously, the Add link options will also appear. To add our Operations Team site as a link to the Hub navigation, we will complete the settings.

Edit hub navigation SharePoint Online Teams Sites

The fields that we need to complete within the Add link option, and the purpose of each, are as follows:

  • Choose an option – Choose between adding a Link or a Label
  • Address – Enter the URL if adding a Link; this option will be greyed out if selecting a Label
  • Display name – Enter a description for the Link or Label that you are adding
  • Audience targeting – Choose up to 10 groups for which audience targeting will be applied. This means that only members of the selected groups will see this navigation item within the Hub menu.

3. Click on OK to complete the creation of the new link or label.  It will now appear in the Hub navigation menu.

New operations for SharePoint Online Teams Sites

4. Clicking on the new Operations link will take you directly to the new Team site, shown as follows. You will note that the Hub navigation top menu is also present within our Team site.

Operations SharePoint Online Teams Sites

So, now that we have the Hub site navigation working, let’s take a more detailed look at the Audience targeting feature in action.

Audience targeting in action

Audience targeting, as described by Microsoft, “helps the most relevant content get to the right audiences. By enabling audience targeting, specific content will be prioritized to specific audiences through SharePoint web parts, page libraries, and navigational links”.

You can learn more about the capabilities of audience targeting here.

Earlier in this post, we enabled audience targeting to add a link to our Operations Team site in the Hub site navigation menu. You will recall that we assigned the user named Jane Bloggs as a member of the Operations Team site.

To show you more audience targeting principles, I’ve created another Team site called Procurement, associated it with the H U B 3 6 5 Hub site, and made a Hub site navigation link for the new site. I’ve also assigned a user named James Smith as a member of the new Procurement Team site group. However, Jane Bloggs will not be a member of this group.

So, what is the outcome here? The first thing you’ll notice is that the Procurement site link now appears on the Hub site navigation bar. You will see the below screenshot when logged into SharePoint Online as the Site Administrator, who is also in the Site Owners group.

Operations News

However, if we log in to SharePoint Online as James Smith, only the Procurement site link is available in the Hub site navigation bar on the Intranet landing page, as shown below. This is because James Smith is not a member of the Operations Team site group.

James Smith Example

The same principle applies when James opens the Procurement Team site. The Hub site navigation pulls through, and Audience targeting settings mean that James once again has no visibility of the Operations Team site link.

Procurement private group

At the time of writing this blog, Audience targeting in SharePoint Online may only be active in the following content.

  • Navigational links – promote links to specific audiences across a site’s navigation, including hub and footer navigation.

Important: Starting in April 2020, audience targeting for navigational links will be introduced to organizations opted in to the Targeted release program. This means you may be unable to see this feature yet, or it may look different than the description in the help articles. Eventually, this feature will be available across all cloud environments.

  • Pages – target specific site pages to specific audiences in a page library
  • News web part – push specific news posts to specific audiences on the start page, in the mobile app, and in News web parts that have audience targeting enabled.
  • Highlighted content web part – dynamically display relevant content from a list or library to a page, site, or site collection.

Note: The above bullet points are as described in the following Microsoft web page on audience targeting.

So, what does this mean exactly? As an example, if we add a Quick Links section to the top of our landing page containing links to our Operations and Procurement Team sites, then Audience targeting won’t take effect. All members and visitors to the Intranet page would be able to see both of these links.

Example of SharePoint Online Team Sites look

Importantly, however, permissions to these Team sites will, of course, still be applied. Therefore, should our user James Smith click on the Operations tile, he will be unable to access the site and instead will see the following.

I would expect that as Microsoft continue to improve and refine the Audience targeting feature, more SharePoint Online web parts (such as the Quick links) will become Audience targeting enabled.


In this post, we’ve taken you through the steps to register a Hub Site in the SharePoint Admin Center and associate a Team site with it. You were also shown how to use the Hub Site Navigation menu to add links to your Team site on your Intranet landing page, and how to use the Audience targeting feature to ensure that your SharePoint Online users will only see content which they are specifically authorized to see through their group memberships.

Source Practical365


How to create Modern SharePoint Online Team Sites


In this article, we’ll demonstrate how to create SharePoint Online Team Sites. This has stemmed from our recent blog series, How to Create a SharePoint Online Intranet, where we showed you how to create an Intranet landing page in SharePoint Online based on a Modern Communication site.

The site included a company logo and a site title. We also uploaded a custom theme to the site using the Microsoft Theme generator tool and the SharePoint Online Management shell.

We then built our landing page by adding sections and a Hero web part to make our highlighted content prominent. Finally, we added some further web parts, including a News Feed, some Quick Links, a Weather widget, and an Image Banner. Here’s how the finished page looked:

SharePoint Online Teams Sites

Another element to include on an Intranet Landing page is a tile grid that links to individual SharePoint Team sites. Team sites (not to be confused with Microsoft Teams) are collaborative SharePoint Online sites where groups of people can work together on shared content in Document Libraries. They differ from Communication Sites, which are informative as opposed to collaborative.

You can find more information on SharePoint Online Team sites here.

During this article we’ll show you how to:

  • Create Team Sites in SharePoint Online, and assign the correct permissions to your Microsoft 365 users and groups
  • Grasp the concept of Hub Sites, which allows you to “Apply common navigation, branding, and site structure across associated sites”
  • Use the Audience Targeting feature to ensure that your content is only visible to authorized users and groups
  • Link to your Team Sites from your Intranet landing page
  • Save your Team site as a template so you may use it to create further Team Sites with the same settings for other departments in your organization

Creating a SharePoint Team site

To create your new Team site, you’ll need to access the SharePoint admin center, which you can access from the Microsoft 365 Admin Center. You’ll need either the Global Administrator or SharePoint Administrator role.

1. Once you’ve logged in, you’ll need to navigate to Admin centers > SharePoint (you may also need to click on “Show all” before you see the SharePoint admin center in the menu).

SharePoint Admin Center

2. This will take you into the SharePoint admin center.

SharePoint Admin Center screenshot

3. Click on Active sites, and you’ll see the list of sites that are already present within your Microsoft 365 tenant.

Active Sites

4. To create your new Team site, click Create. This will give you options about the sites you can create.

Next, we’ll look at the choices you have by examining the available site types and when to use them.

Site types

The following site types are available within SharePoint Online.

  • Team site – You typically use a Team site to share documents within a team. When you create a Team site, you’ll see a Microsoft 365 group is also set up automatically. This is the option to select to establish your new SharePoint Online site.
  • Communication site – You’ll design a Communication site to publish content to your organization to keep them informed. As Communication sites are informative as opposed to collaborative, they don’t have a Microsoft 365 group associated with them initially.
  • Other options – Under Other options, you may choose from additional templates such as Document Center, Enterprise Wiki, and Publishing Portal.

5. The primary purpose of this page is to share documents within a team, so we need to create a Team site. Select the Team site option from the Create a site page, and we’ll see the following options for choosing the design for our site.

Create a team site

6. We need to complete the following information to provision our Team site:

  • Site name
  • Group email address
  • Site address
  • Group owner
  • Preferred language

You can see my setup in the following image, where I have named my new Team site ‘Operations’ and assigned myself as the Group Owner for the associated Microsoft 365 group.

Get a team site connected to Office 365 groups

7. If we drill down into Advanced settings, we can also set additional options for the site, including Sensitivity, Time zone, and the Site description. When you’re happy with your settings, click Next.

Team site advanced settings

8. Next, you may add any additional owners requiring responsibility for managing the Team site, and you may also add some members to the Team site. In the example below, I’ve added one more owner and a single member to the site.

Add Microsoft 365 group members

9. Now that we have completed the required fields, we can click Finish to create our new Team site.

10. This takes you back to the Active sites list in the SharePoint Admin center, and if we enter the name of our newly created site and press enter, we’ll see our site displayed as follows.

Active sites operations

11. Clicking on the new site will display information relating to the site.


12. Under the URL section, click on the link, and this will take you to the new Team site.


Now that we have our new Team site, let’s double-check some of the permissions and group settings.

Checking the site permissions

To check the site permissions for our new Team site, we need to carry out the following steps.

1. Make sure that you have the Team site page open, then click on the cogwheel at the top right of the screen and select Site permissions.

SharePoint settings

2. All SharePoint Online Team sites have three SharePoint Online groups set up by default. These are:

  • Site Owners – Members of this group have Full control
  • Site Members – Members of this group have Edit permissions
  • Site Visitors – Members of this group have Read permissions

Permission - Invite people

3. By clicking on Advanced permission settings, we can take a more detailed look at these permissions groups.

SharePoint permissions

4. For example, if we click into Operations Members, then we will see the following.

5. What this shows is that the Operations Members Microsoft 365 group (which was created when we set up the site) has been automatically added to our Operations Members SharePoint Online group.

6. If we navigate to the Microsoft 365 Admin Center and select Groups, we can search for our Operations Microsoft 365 group.


7. Clicking to open the group enables you to view the permissions tab.

Operations Members

Here, we can see the created group with two Owners (who are also members by default) and one member. Members will also be in the SharePoint Online Operations Members group.
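
The group check above can also be run from the SharePoint Online Management Shell, which is useful because these site permissions, not audience targeting, decide who can actually open the site. This is an added example, not part of the original post; the URLs are placeholder assumptions, and the expected permission levels are the three defaults listed in step 2.

```powershell
# Added example (not from the original post).
# Placeholders: replace both URLs with your own tenant and site.
$AdminUrl = 'https://contoso-admin.sharepoint.com'
$TeamUrl  = 'https://contoso.sharepoint.com/sites/operations'

Connect-SPOService -Url $AdminUrl

# Default groups and their permission levels, as listed in the post.
$Expected = @{ Owners = 'Full Control'; Members = 'Edit'; Visitors = 'Read' }

$report = foreach ($group in Get-SPOSiteGroup -Site $TeamUrl) {
    # Default groups are named "<Site name> Owners/Members/Visitors".
    $kind = ($group.Title -split '\s+')[-1]

    $status = if (-not $Expected.ContainsKey($kind)) {
        'Non-default group: review'
    } elseif ($group.Roles -contains $Expected[$kind]) {
        'Matches default'
    } else {
        'Permission level differs from default: review'
    }

    [pscustomobject]@{
        Group      = $group.Title
        Roles      = $group.Roles -join ', '
        # For a group-connected Team site the Members group normally holds the
        # Microsoft 365 group as a single principal (step 5 above); the
        # individual people are listed on the Microsoft 365 group itself.
        Principals = $group.Users -join '; '
        Status     = $status
    }
}

$report | Format-Table -AutoSize -Wrap
```

Any row marked for review is a group whose access differs from the three defaults and should be checked against who is meant to reach the site.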


In this post, we’ve taken you through creating a new SharePoint Online Team Site, which will serve as a collaborative space for an Operations Team within an organization. We demonstrated how to create the site from the SharePoint admin center, create a Microsoft 365 group and SharePoint Online permissions groups as part of this process, and access the new site from the SharePoint Admin center.

In part two of this blog series, we’ll show you how to create a Hub Site and associate the new Team site to it, add a link to your Team site on your Intranet landing page, and how to use the Audience targeting feature to ensure that your SharePoint Online users will only see content which they are authorized for.

Source Practical365
