SharePoint’s Transformation

Compared to on-premises deployments, SharePoint administration has undergone a significant transformation with the advent of SharePoint Online. SharePoint Server requires administrators to manage and maintain physical servers, handle software updates, and ensure infrastructure scalability, often demanding substantial time and resources. With SharePoint Online, Microsoft manages the underlying infrastructure, so SharePoint Administrators can focus on managing core services, such as site management, permissions, search, taxonomy, and supporting the end-user experience for content management. The cloud-based model also delivers continuous updates and new features, enabling organizations to leverage the latest advancements without requiring extensive upgrade projects. However, this also means that SharePoint Administrators now need to spend time tracking and evaluating changes, understanding whether the organization needs these enhancements, and deciding when to implement them.

Many SharePoint Online services also connect to, or rely entirely on, other Microsoft 365 services to work. For instance, although created in SharePoint, a Microsoft 365 group site comprises various components such as an Entra ID security group, an Exchange Online mailbox, and a SharePoint site. SharePoint Administrators must understand how these components interconnect, even if they do not have administrative access to manage these features themselves. Overall, SharePoint administration is now simplified, allowing organizations to adopt a more agile and responsive approach to collaboration and information management, with SharePoint Administrators taking a more integral role in how SharePoint should be used.

A Series to Help You Administer SharePoint Online

Managing SharePoint Online efficiently is essential for any organization. This series is designed for newcomers to SharePoint Online administration and those looking to improve their skills. It offers practical knowledge and valuable insights to streamline tasks and optimize the overall environment for enhanced productivity and seamless collaboration. The emphasis is on the relevance and usefulness of the content.

This series will explore various aspects of SharePoint Online management. We will focus on leveraging PowerShell for administrative tasks, exploring advanced management capabilities, and implementing strong access control. By following the series, you will gain an understanding of these critical areas, to help you manage SharePoint Online effectively in your organization.

Managing Common SharePoint Tasks Using PowerShell

As a SharePoint Administrator, it is essential to learn PowerShell to manage a SharePoint Online tenant efficiently. PowerShell offers automation capabilities that streamline everyday administrative tasks, including user and site management, permissions configuration, and data manipulation. By utilizing PowerShell, you can perform bulk operations, automate repetitive tasks, and execute complex commands that are not feasible through the SharePoint Online user interface alone. For example, you can create sites, assign permissions, and upload files using PowerShell. The following example creates a communication site within SharePoint Online and then uploads files from a local folder directly into the Document Library of the newly created site. You could complete the same work in the user interface, which works well; however, when integrating other applications or running the same task repeatedly, PowerShell is the better fit. To create sites this way, you need to know the SharePoint Admin Center endpoint URL and authenticate with an account that has the permissions required to create the site:

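# Connect to the SharePoint Admin Center to create the site
# (add the authentication parameters your tenant uses, for example -Interactive)
Connect-PnPOnline -Url "https://<tenant>-admin.sharepoint.com"
$params = @{
      Url = "https://<tenant>.sharepoint.com/sites/<site>"
      Title = "Communication Site"
      Type = "CommunicationSite"
}
New-PnPSite @params

# Reconnect to the new site before uploading
Connect-PnPOnline -Url $params.Url
$folder = "C:\Files"
# -File skips directories, which cannot be uploaded as files
$files = Get-ChildItem -Path $folder -Recurse -Force -File
# Site-relative path of the default document library
$library = "Shared Documents"
foreach($file in $files)
{
      # Files from subfolders all land in the library root
      Add-PnPFile -Path $file.FullName -Folder $library -Values @{"Title" = $file.Name}
}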

For SharePoint Online administrators, proficiency in PnP.PowerShell, the Microsoft Graph PowerShell SDK, and Microsoft Graph is essential for advanced administration and automation. PnP.PowerShell is an open-source and community-provided library. It is not a Microsoft-provided module, so no service level agreement (SLA) or direct support exists. However, it provides cmdlets that simplify complex tasks, such as site provisioning, content management, and customization, which standard SharePoint cmdlets do not cover. Microsoft Graph, on the other hand, provides a unified API endpoint to access a wide array of Microsoft 365 services, enabling administrators to integrate and automate workflows across the entire suite. The Microsoft Graph PowerShell SDK is the PowerShell wrapper around Microsoft Graph, making it easier to use without needing to know the intricacies of the Graph API itself. Learning these tools enhances efficiency, flexibility, and the ability to implement sophisticated solutions within SharePoint Online.

For SharePoint Online administrators, PowerShell is invaluable for automating and managing everyday tasks such as:

  1. Creating, updating, and deleting sites.
  2. Adding or removing users, assigning permissions, and managing security groups.
  3. Bulk uploading or migrating documents and managing document libraries.
  4. Configuring and auditing permissions, managing sharing settings, and setting up access policies.
  5. Generating reports on site usage, storage metrics, and user activities.

These tasks benefit from PowerShell’s automation and batch processing capabilities, ensuring efficiency and consistency in administration. PowerShell facilitates time savings and minimizes the probability of human error, providing a more consistent and dependable management process. PowerShell provides administrators the tools to address administrative hurdles and accurately implement modifications across their SharePoint environment, enabling practical and proactive administration.

Advanced Management for SharePoint Online

SharePoint Advanced Management (SAM) provides features to enhance governance and security within SharePoint Online and OneDrive. Adding the SharePoint Advanced Management (SAM) license enables advanced access policies, lifecycle management, and comprehensive reporting capabilities for SharePoint administrators. These features help manage site access, enforce conditional policies, and easily monitor content lifecycle. By leveraging SharePoint Advanced Management (SAM), administrators can ensure secure collaboration, prevent unauthorized access, and maintain compliance, streamlining administrative tasks and improving the overall governance of the SharePoint environment. For example, you can use the “Block download policy for SharePoint sites and OneDrive,” which blocks the download of files from SharePoint sites or OneDrive without using Microsoft Entra Conditional Access policies, as seen in the script below:

# Requires a SharePoint Online Management Shell session (Connect-SPOService)
$settings = @{
      Identity = "https://site.sharepoint.com"
      BlockDownloadPolicy = $true
      ReadOnlyForBlockDownloadPolicy = $true
}
Set-SPOSite @settings

Users have browser-only access and cannot download, print, or sync files. They also won’t be able to access content through apps, including the Microsoft Office desktop apps. There are many other options available to ensure the security of SharePoint Online, such as:

  1. Restrict SharePoint site access with Microsoft 365 groups and Entra security groups.
  2. Restrict OneDrive content and service access.
  3. Conditional access policies for SharePoint sites and OneDrive.

Controlling Access to SharePoint Online

Controlling access to SharePoint Online is crucial to protect sensitive information and comply with organizational policies. It is essential to understand that the broader permissions within a Microsoft 365 tenant play a pivotal role within SharePoint Online. For example, a user's account must reside within Entra ID before that user can access a SharePoint Online site, whether as an employee or as an external user. Without that account, they will not be able to access the sites. Entra ID also provides advanced permission and access controls such as multi-factor authentication (MFA) and conditional access policies, which impact a user’s ability to access SharePoint Online. As a SharePoint Administrator, you control access to the sites for internal and external users by assigning them to groups within the sites or to Microsoft Teams groups if the site connects to a Team or Group. The external sharing policies defined for external users will dictate if they can access the sites.

Conditional access policies can severely impact access to SharePoint sites, whether through multi-factor authentication (MFA) enforcement or even down to location or client application restrictions limiting users’ access. Figure 1 displays examples of conditional access policies that could impact users’ access to SharePoint Online.

Figure 1: List of Conditional Access Policies within Microsoft 365 Entra ID

SharePoint Administrators and Security Teams must work closely to provide the best security controls.

It is essential to continuously monitor and audit access activities to identify and respond to potential security incidents. You can use the user interface to manually check log entries, such as the sign-in and audit logs, and access the reports available directly within the Microsoft 365 Admin Center or each Site in the SharePoint Admin Center. PowerShell can also retrieve this information automatically and email it to you regularly. The following PowerShell searches the audit logs within Microsoft 365 and retrieves SharePoint site access for a specific site:

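$siteUrl = "https://<tenant>.sharepoint.com/sites/<site>"
$startDate = (Get-Date).AddDays(-30)
$endDate = Get-Date

# Requires an Exchange Online PowerShell session (Connect-ExchangeOnline)
# File operations are logged under the SharePointFileOperation record type
$auditLogs = Search-UnifiedAuditLog `
      -StartDate $startDate `
      -EndDate $endDate `
      -RecordType SharePointFileOperation `
      -Operations "FileAccessed",
                  "FileDownloaded",
                  "FilePreviewed",
                  "FileSyncDownloaded" `
      -ResultSize 5000

# ObjectId, UserId, Operation, and ClientIP are stored in the AuditData JSON,
# so parse it before filtering; the trailing "/" avoids matching similarly named sites
$siteAccessLogs = $auditLogs |
      ForEach-Object { $_.AuditData | ConvertFrom-Json } |
      Where-Object { $_.ObjectId -like "$siteUrl/*" }

$siteAccessLogs |
      Select-Object CreationTime, UserId, Operation, ObjectId, ClientIP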
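
To turn those raw entries into something worth emailing, the records can be summarised per user. The following is an added example, not part of the original article: the function name Get-SiteAccessSummary, the download threshold, and the contoso sample records are assumptions constructed for illustration, and in a tenant you would pipe the Search-UnifiedAuditLog results in place of $sample.

```powershell
function Get-SiteAccessSummary {
    param(
        [Parameter(Mandatory, ValueFromPipeline)] $Record,
        [Parameter(Mandatory)] [string] $SiteUrl,
        [int] $DownloadThreshold = 3   # assumed review threshold; tune per site
    )
    begin {
        $matched = [System.Collections.Generic.List[object]]::new()
        # Trailing slash stops /sites/finance from matching /sites/finance-archive
        $prefix = $SiteUrl.TrimEnd('/') + '/'
    }
    process {
        # Per-event fields are serialised as JSON in the AuditData property
        $data = $Record.AuditData | ConvertFrom-Json
        if ("$($data.ObjectId)".StartsWith($prefix, [StringComparison]::OrdinalIgnoreCase)) {
            $matched.Add($data)
        }
    }
    end {
        $matched | Group-Object UserId | ForEach-Object {
            $downloads = @($_.Group | Where-Object {
                $_.Operation -in 'FileDownloaded', 'FileSyncDownloaded' })
            [pscustomobject]@{
                UserId    = $_.Name
                Events    = $_.Count
                Downloads = $downloads.Count
                ClientIPs = @($_.Group.ClientIP | Sort-Object -Unique) -join ', '
                Review    = $downloads.Count -ge $DownloadThreshold
            }
        } | Sort-Object Downloads -Descending
    }
}

# Constructed sample records shaped like Search-UnifiedAuditLog output
$site = 'https://contoso.sharepoint.com/sites/finance'
$rows = @(
    @('alex@contoso.com', 'FileDownloaded',     '203.0.113.10', "$site/Shared Documents/q1.xlsx"),
    @('alex@contoso.com', 'FileDownloaded',     '203.0.113.10', "$site/Shared Documents/q2.xlsx"),
    @('alex@contoso.com', 'FileSyncDownloaded', '198.51.100.7', "$site/Shared Documents/q3.xlsx"),
    @('sam@contoso.com',  'FilePreviewed',      '203.0.113.22', "$site/Shared Documents/q1.xlsx"),
    @('sam@contoso.com',  'FileDownloaded',     '203.0.113.22', "$site-archive/Shared Documents/old.xlsx")
)
$sample = foreach ($r in $rows) {
    $audit = @{ UserId = $r[0]; Operation = $r[1]; ClientIP = $r[2]; ObjectId = $r[3] }
    [pscustomobject]@{ AuditData = ($audit | ConvertTo-Json -Compress) }
}

$sample | Get-SiteAccessSummary -SiteUrl $site | Format-Table -AutoSize
```

With the sample data, the archive-site download is excluded from the summary and only the account with three downloads from two client IP addresses is marked for review.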

To effectively implement these best practices, SharePoint Administrators must collaborate closely with Security Teams and Global Administrators. This collaboration aligns security measures with broader organizational strategies and leverages the expertise of dedicated security professionals. By working together, these teams can implement the most secure and efficient practices, enhancing the organization’s overall security posture and ensuring that SharePoint Online remains a safe and reliable platform for collaboration and data management.

Where Do We Go from Here?

This series will help SharePoint administrators enhance their skills in managing SharePoint Online. By understanding and applying the concepts discussed, you can streamline administrative tasks, ensure robust security, and optimize your SharePoint environment. The next article will discuss managing everyday SharePoint Online tasks using PowerShell. Feel free to share your challenges and insights in the comments and stay tuned for the next article.

About the Author

Liam Cleary

Liam began his career as a trainer teaching infrastructure, programming, and hacking. After working within infrastructure and security services, he started his own consulting company SharePlicity, which focuses on Microsoft 365 and Azure technology. He is a Microsoft MVP Alumni (17 Years) and Microsoft Certified Trainer. You can find him at user groups or conferences, teaching his kids how to code, hacking the planet, building Lego robots, or coaching soccer. You may also find him running races in the dark, hiking, or mountain biking at break-neck speeds.

Comments

  1. Gregory

    There are several challenges that I see with SharePoint. 1. Duplicate file – In the on-premises world there are many ways to get duplicate files. I have not found an easy and fast way to do it with SharePoint Online. 2. Termed user cleanup: how do I properly get a list of files/sites the user had access to and then properly remove that access? I have currently set up a legacy ACS auth app registration that allows me to get to all sites via PowerShell, but I am concerned about the long term as this auth method will be deprecated. Thanks
