Apple MDM Push certificate is the key element for Microsoft EndPoint Manager to manage iOS/iPadOS and macOS devices in the MEM portal. After you add the certificate to EndPoint Manager, your users can enroll their devices using: The Company Portal app or Apple’s bulk enrollment methods such as the Device Enrollment Program (a.k.a DEP), Apple School Manager, or Apple Configurator.
This renewal is crucial: Ensure that you take necessary actions before the expiry date as revoking or allowing this certificate to expire will require existing devices to be re-enrolled with a new push certificate.
Navigate to Devices blade from the left panel and go to Apple iOS/iPadOS enrolment section as shown below and then click on ‘apple MDM Push Certificate’ widget
From the screen popped up, simply click on download CSR file on the 2nd option. Save it to a secure/temporarily location as we will delete this after the renewal.
Let’s now switch in to Apple Identity portal. This is where you need the original credentials which was used to setup the integration with Intune. Login from that account to this site – https://identity.apple.com/pushcert/
You can avoid MFA using other options but this may not be the same in your case. Hence make sure you have the device associated to the account to receive the MFA code. Hit ‘Continue“’ to enter the code or go to ‘other options’ to avoid it.
Highly recommended to associate a mobile device for MFA if you haven’t already, or, chose ‘don’t upgrade’ option to avoid it.
Once logged in, you will see all your certificates listed with the expiry date stated.
That little ‘i” button will show you more details of each certificate if you have multiple (mostly used for different tenancies under a single account). Serial Number is the key to identity which is which from the Intune portal. Ensure that you are renewing the correct certificate by cross-checking the Serial No here againts Intune. Once confirmed, simply click on that ‘Renew” button above and you should see a new dialog box prompting.
Add a note to indicate who renew it which might be useful in a organization this will be done by another person next year.
And now choose the CSR file you downloaded from Intune and hit ‘Upload’
That’s it and you can see the green tick indicates everything went well. Simply download the certificate and store in the same secure location you store CSR previously.
You should see the new expiry date for this certificate now.
Let’s head back to MEM (Intune) portal now and upload the new certificate file there. You should also provide the original Apple ID which was used to create the MDM push cert. Once done, hit ‘Upload’ button.
That’s about it and now you will see a green status prompts indicates it went well.
Certificate should now be valid for another year !
If you remember classic SharePoint, it had that nice looking (and yet unreliable sometimes) feature called “SharePoint Site Structure” which was eventually deprecated as move & copy functions were introduced. This was very insightful to understand the site and content hierarchy across the entire SharePoint farm.
However, let’s assume you want to review your modern day SharePoint Online hierarchy every once in a while, and make sure your sites, libraries and lists are aligning to best practices as far as the depth of the site levels? Or, you just want to know what sort of sites exist in your site collection, we still have a manual way of getting those information out using a simple PowerShell script. This may not be the best sophisticated way of getting a handy report which can probably be obtained using a 3rd party tool.
Unless its a test environment, we rarely notice any Office 365 tenant without MFA enabled, so this script is Modern-Auth friendly and supports MFA. You can generate a basic report of all sites, libraries and lists in a specific site collection by defining the site collection name and CSV path to save it.
###Function to Get Lists and Libraries of a web
Write-host -f Yellow "Getting Lists and Libraries from site:" $Web.URL
###Get all lists and libraries
$Lists= Get-PnPList -Web $Web
foreach ($List in $Lists)
$Data = new-object PSObject
$Data | Add-member NoteProperty -Name "Site Name" -Value $Web.Title
$Data | Add-member NoteProperty -Name "Site URL" -Value $Web.Url
$Data | Add-member NoteProperty -Name "List Title" -Value $List.Title
$Data | Add-member NoteProperty -Name "List URL" -Value $List.RootFolder.ServerRelativeUrl
$Data | Add-member NoteProperty -Name "List Item Count" -Value $List.ItemCount
$Data | Add-member NoteProperty -Name "Last Modified" -Value $List.LastItemModifiedDate
$SiteInventory += $Data
###Get All Subwebs
$SubWebs = Get-PnPSubWebs -Web $Web
Foreach ($Web in $SubWebs)
$SiteInventory+= Get-SPOSiteInventory -Web $Web
$SiteURL = "https://sitename.sharepoint.com/sites/PWA"
$CSVFile = "C:\temp\filename.csv"
###Get Credentials to connect
#Connect to PNP Online
Connect-PnPOnline -Url $SiteURL -UseWebLogin
###Get the Root Web
$Web = Get-PnPWeb
###Call the function and export results to CSV file
Get-SPOSiteInventory -Web $Web | Export-CSV $CSVFile -NoTypeInformation
write-host "Error: $($_.Exception.Message)" -foregroundcolor Red
As you execute it, you’ll be prompted for credentials and the report will be generated (duration might depend on the number of site collections and the weight of each)
Yes you are right!. Setting this access right organization-wide is surely raises a major privacy concern specially when it comes to personal details (such as HR and Operation related events) in employee’s calendars.
However, there can be exceptional scenarios where business decides what they need, such as the pandemic situation the whole world face right now (COVID-19) as every organization prepares to work from home and allow people to interact online in more efficient and effective ways. In my case, one of our top level client badly needed to enable everyone’s calendar visible to everyone in the company to allow people to efficiently get in touch.
This is possible and exchange online has the capability to do it, but, make sure you do it for an absolute purpose. In Exchange online, you can set the default internal sharing policy for Office 365 user’s calendars using PowerShell. You may decide to set the default for all current users to Limited Details, then add exceptions for users whose calendar is to be kept to Availability (Free/Busy) only. There are various roles to define as per your need.
The AccessRights parameter in the PS command below specifies the permissions that you want to modify for the user on the mailbox folder. The values that you specify replace the existing permissions for the user on the folder.
You can specify individual folder permissions or roles, which are combinations of permissions. You can specify multiple permissions and roles separated by commas.
I am emphasizing again, DO NOT DO THIS Unless there is an absolute necessity.
For None-MFA environment (even though MFA is a fundamental and very common security requirement, there can be exceptional cases) – Amend the AccessRights parameter accordingly
Now let’s see how this works after changing the permissions. Details wise, this is how it shown now (looking at Chnau’s Calendar from Manoj’s Mailbox)
Private Events in Chanu’s Calendar (Only the date/time and Subject)
None Private Events in the Chanu’s Calendar (Shown Items in detail)
Attendees and response status
Item opened in full window
Here’s the full list of roles available to set. You can specify individual folder permissions or roles, which are combinations of permissions. You can specify multiple permissions and roles separated by commas.
CreateItems: The user can create items in the specified folder.
CreateSubfolders: The user can create subfolders in the specified folder.
DeleteAllItems: The user can delete all items in the specified folder.
DeleteOwnedItems: The user can only delete items that they created from the specified folder.
EditAllItems: The user can edit all items in the specified folder.
EditOwnedItems: The user can only edit items that they created in the specified folder.
FolderContact: The user is the contact for the specified public folder.
FolderOwner: The user is the owner of the specified folder. The user can view the folder, move the folder, and create subfolders. The user can’t read items, edit items, delete items, or create items.
FolderVisible: The user can view the specified folder, but can’t read or edit items within the specified public folder.
ReadItems: The user can read items within the specified folder.
The roles that are available, along with the permissions that they assign, are described in the following list:
Recently I noticed at one of our major client’s Teams Voice setup that on hold music never played for queues when agents put callers on hold, instead it goes silent which makes callers wondering what’s going on with the call.
This is a vital feature specially for a call queue as it gives clarity for callers to understand the status of the call. Agents mostly put callers on hold to get things done offline to meet callers requirements so the music of course make the caller relaxed while agent helping them out behind the scene.
First thing I had to check is, if the feature is enabled from the Teams Admin Centre –> Call Queues –> Choose the affected queue –> Of course it has
However, it seemed the file hasn’t recognized by Teams or probably the file is faulty which could have caused the silence during hold. Till I locate the original file, I added a temporary classic music clip to verify if that picks by Teams. And it did ! Hold music played like charm when the agent put me on hold.
Part of a moderation feature enablement request, one of my clients was very keen to have deletion option for Microsoft Teams channel owners. This is a fair request as some channels would require control on end-user actions, specially in EDU sector scenarios.
Even though this sounds like moderation feature, deletion of sent messages is a separate feature which is beyond the moderation options in Teams. If you are looking to enable moderation in Teams, have a quick look at my post here on how to that – Configuring Channel Moderation for Microsoft Teams
Enable the functionality (Globally enabled, No Team/channel level option unless you create a custom policy for group-wise rollout)
Login to your Office 365 tenant as an administrator and navigate to Teams Admin center
From Teams Admin center, navigate to Messaging Policies
Click on the default messaging policy (Global-wide). This change affects globally across the entire tenant. However, you can switch it OFF again whenever you think it is inappropriate.
And, simply switch ON the “Owners can delete sent messages” option there.
Owners should now be able to delete the sent messages by users which may be inappropriate as per organization/policy guidelines.
Error “Connect-MicrosoftTeams : The term ‘Connect-MicrosoftTeams’ is not recognized as the name of a cmdlet”
Root cause – Obviously because of the PowerShell module availability in the machine you are trying to connect from. Every module needs its presence in the local machine to be able to work with PowerShell properly so, installing it and keeping it up to date is vital for commands to execute against the target workload (like Teams, SharePoint or Exchange etc..)
Let’s get through the basics of installing Microsoft Teams PowerShell module. Ensure you launch the native PowerShell from your machine, not Exchange Online PowerShell or SharePoint ones.
Type PowerShell in the start menu and –> right click on the native PowerShell tool and run as Admin
Type this in PowerShell and Enter
Find-Module -Name MicrosoftTeams
Now let’s install this. Type this in PowerShell and Enter
Find-Module -Name MicrosoftTeams | Install-Module
Type “Y” to continue
Now let’s run the connect command to interact with the Office 365 tenant
And this should prompt you for authentication where you will provide the Admin credentials to connect
Once done, you will get connected to the tenant as below
Now, let’s just verify the functionality by running a simple Teams command. If this succeeds, you have installed PowerShell module for Microsoft Teams properly!
In my previous article, we saw how we can add a button in to SharePoint online list or library to trigger a flow in place. We are continuing with this article on how we can customize the newly added button to change its appearance (Well, let’s make it look like a button).
Changing the appearance:
Go to the format mode from the target button column. And we can use the following parameters to change the look and feel. My button here looks good as it stands out from the rest of the content in this space.
txtContent: “Define your button text”
color: “set a button text color code”
border: “set a border to the button”
background-color: “set a button background color”
Applying a condition to the button:
Further more, you can customize the button to apply when a condition is true (e.g. – show a button only when the Flow have not started).
In this case, I’m going to tweak my approval Flow a little bit to maintain the status of the library items. The purpose here is to update the status of a item which is initiate for approval but still “Pending” as we using a custom status column here.
By modifying the Approval Flow, I am adding a new step (SharePoint Update item action) to my existing flow. This new step has to be placed before the starting the start. At this stage, I have to set the status as “Pending” (static string).
Then the same action added to both ending paths in order to update the status column up on “Rejection” or “Approval”. At this stage I can simply use the “Response” variable to pick up the current status value and update the “Status” column.
Once added, it’s position looks like below.
Define the Site URL, Choose the target library, pick the ID attribute and Responsevariable as shown below. Repeat the same for “No” path as well and that’s all we need to do here.
That’s it from the Flow and we can head back to the Library to do the appearance tweaking. Go the column format mode and notice the changes I have done here. Apart from the color and background changes which I did to the button earlier, I have added a condition to display the button only when its true. Under this logic, the button would only appear when the status column = empty (“”), meaning the Flow have not started for a respective item in this library.
And, as expected ! the logic is right therefore the condition perfectly applies. I have few documents in this library with mixed statuses (Rejected, Approved, Pending and of course some are not started yet). The button only showed for the items which are not gone through the Flow.
Microsoft reference for JSON based column formatting is here. This article has covered many perspectives of column formatting.
And ! here’s the full JSON code of this customization which you can reuse if you have a similar use case.
After the last step in the part 01 of this article series, we are resuming with this flow. We now can save this, and quickly give it a test run if it delivers what we need.
Hit “Save” button and check the flow for any errors from “Flow Checker” option on the top right corner. Also, you can test any flow straightaway from here.
Let’s do a dry run here. You have two options to test it out. Use data from the last run or trigger as a new instance. Hit “Save and Test” to begin.
And hit “Continue” to start it.
Inputs to be done here for the metadata fields we mapped and then simply hit “Run”
Flow also has an wonderful activity tracker. A cool new interface allows you to monitor your Flow activities from a one place.
Click on “See flow run activity” to find out the status of this instance. This run has been succeeded.
We can go back to the library and open up the document to see if our Quick Parts have been updated as per this run. Bare in mind that Word Online might have an issue when you open this kind of a document. Quick parts are working well with Office Desktop Application and Word online Preview Mode but, unfortunately having some issues in Word Online in edit mode. Therefore, make sure you test it with Word Application before you wonder where it went wrong as quick parts may still show empty in online mode even after running the Flow successfully.
Here’s how it should look like after the execution.
Sending Email Alerts up on completion
After composing of the document, we can configure the flow to send out email alerts. In this scenario, I’m going to send alerts to the person who triggered this flow, alerting him with the composed document as an attachment.
Let’s go ahead and add a new step as usual.
Search for “Get file content” SharePoint action
We have to rename it as “Get file content new” so it makes better sense as we already have a step with the default name.
Next up, parameters. Choose the appropriate site URL from the drop down and file identified has to be the ID. Leave the “Infer Content Type” with its default and that’s it.
Now, add another new step which we will be using to configure the email alert. search for “Send an email” and select the “Send an email (V2) (Preview)”
Parameters to be configured as shown below. search for “User email” attribute for Receiver field and choose it.
My subject line will be “Text: customer name field” concatenated. Feel free to have your own here. Type the text and look for “Customer Name” attribute and place it next to the text in the subject line as shown below.
The Body will be just a plain text which indicates the purpose of this mail. Again, it’s all up to you to insert anything here.
For the attachment name, use File name with extension, from the Update file properties section. For the File Content, get that from the Get file content new file section.
You can extend the content section by adding more attachment/content but that’s optional. just leave the “Importance” as normal here which depends on your situation though. Feel free to adjust these parameters as required.
Now the exciting part !. We can run our full flow to see if everything works as expected. So I will go ahead and kick it.
Click on “see flow run activity” to see the status of this instance.
And click again on the latest instance from the history of this flow.
You will see the entire history of the instance selected. And best of all, in just a simple click you can see the action result in a handy dandy UI ! Isn’t this amazing ?
Now let’s switch to our outlook account. In my case it’s my account which was used to kick the Flow. And, I can see the latest item with all our parameters including the attachment which means the hard works have paid off !!
In addition to that, Flow Dashboard is a great place to keep up with all your things around Flows across the entire tenant. You can turn on/off a flow with just a button swipe!. Statuses and other handy dandy stuff all brought in to a one place to make your life more easier.
Microsoft Office365 is doubtlessly a sophisticated collection of Microsoft tools which has an immense value for business. As you will store data across many of these applications such as Outlook, SharePoint, OneDrive etc.. It’s nice to have a single interface to see the spotlight of your collaboration activities and items you have been dealing with. Delve in Office365 helps us with this vital role, however, there are some scenarios people prefer to hide some content from Delve no matter how clear the approach is to them, and I believe that’s a fair requirement.
With this post we are going to learn how to hide a specific SharePoint content from Delve. There are several options as documented below.
You can restrict a specific record
Or restrict a library
Or the entire SharePoint site from Delve
Before you start with this, it’s important to ensure whether you really need to do this. Ensure you have defined permissions in your environment appropriately so that it only allows authorized users to engage with content. Even after doing so, if you still want to restrict content appearing on Delve, there are few ways to get it done. Some of these approaches impacts on search results so do this with caution.
Option1: Restrict one or more records in a library
Note: This options wont hide content from search results, just in Delve. A hidden property in SharePoint called “HideFromDelve” can be used in this case.
Add a column to your library with the exact name (no spaces or special characters) – Add a Boolean field (“Yes/No“) and name it “HideFromDelve”
For the items you wish to hide from delve, set the property value as “Yes” and “No” to those you want to be appeared.
If you wish to hide all content of a document library, set the automatically default value as “Yes”
Select the particular item and go to details. Tap the button to “Yes” it.
Option2: Restrict a library
This option hides the target document library from both Delve and SharePoint search. TO do this simply head on to Document library’s advanced settings and set the “Search” to “No”
Option3: Hide a site
Note: This option will hide the entire SharePoint site’s content from both Search results and Delve at one go so beware of doing this.
Head on to target SharePoint site and look for “Search and offline availability“, under “Indexing Site Content” set “Allow this site to appear in search results” to “No“. Simple as that and the whole site will be hidden from Delve thereon.
Again, I would like to emphasize that you should be aware of some downfalls this approach. If you have chosen to exclude some content form Delve appearance, there are other interconnected tools that may impact from this (Search is one as documented, and DLP [Data Loss Prevention] too). DLP heavily depends on the search index to apply its conditions and rules so if you are adding exclusions to a library or site from search, DLP will not be able to detect and eventually protect these content. Hence be very cautious.
OneDrive and OneDrive for business, both these usage types are now been centralized with a single sync (Known as NGSC-Next Generation Sync Client or simply ONEDRIVE) client. Microsoft is actively working on improving OneDrive offerings to give its users a better next level collaboration experience. Nevertheless, there can be some scenarios when you want the link between your local and OneDrive folders and you may decide to keep the file offline instead (this could happen due to various reasons). With this post I’m going to demonstrate how to properly stop syncing OneDrive folders and keep a local copy instead without any data loss.
Step1: First and foremost, you have to ensure that the entire target folder structure including its files are properly synced to your local drives.
To do that ,click on OneDrive icon from your task bar and hit on “Open Folder”
Now your local folders will be opened. You must ! Ensure that you have enabled “Always available on this device” option for all necessary folders as this option will store a copy of your OneDrive files/folders locally on your device/s. Do not proceed to unlinking without having this enabled across all your folders which you plan to stop sync.
If you have not done this yet, you must do that before you stop syncing. To do that, simply right click on the desired folder and hit “Always available on this device“. With this option you will notice that your local drives getting filled as the files are downloaded to the device.
No we can stop the linking. Head back to your task bar and click on “OneDrive” icon. Hit “More” and go to “Settings” from there.
Direct to “Account tab” and hit “Stop Sync” on the desired location.
Note the message prompt. And hit “Stop Sync” to proceed.
That’s all ! you now have properly stopped syncing your desired location, yet, you have a local copy of your OneDrive location. You can head back to local folder to check if everything is there. I have tried this several times and its proven to work. Nevertheless, feel free to try it with a test location.files first before you do it for real ones.
DISCLAIMER NOTE: This is an enthusiast post and is not sponsored by Microsoft or any other vendor.