Removing orphaned OneDrive secondary site collection admins

This is a scenario where the user was deleted from Azure AD months ago, but the OneDrive secondary site collection administrator permission assignments (OneDrive secondary admin) were left intact as thumbprints. The target account was supposedly a service account used during a file server migration project, and it had apparently been assigned OneDrive secondary site collection admin permission across all users in the tenancy.


The generic SharePoint Online commands did not do the job because “The user account does not exists in the AD”, hence the identity validation fails in the first place. The OneDrive admin UI will do the job for a single OneDrive account, but it doesn’t help much in bulk operation scenarios like the one I dealt with.

Workaround: To remove it I used the SharePoint PnP PowerShell cmdlet, which was the only way around it.

First add yourself to one of the site collections (OneDrive accounts) before running the command, so that you can verify the status ‘before’ and the result ‘after’.

For a single site collection (a OneDrive personal site in this case), run PowerShell as admin and execute these lines after customizing the tenant, URL and user details. For this case we will be using the ‘Span ID’ to point to the abandoned account, which usually takes the form i:0#.f|membership|service.svc@tenant.onmicrosoft.com

# Config variables - customize these to match yours
$SiteURL = "https://mantoso-my.sharepoint.com/personal/manoj_karunarathne_mantoso_com"
$UserID = "i:0#.f|membership|account@tenant.onmicrosoft.com"

# Connect to PnP Online with web login (MFA)
Connect-PnPOnline -Url $SiteURL -UseWebLogin

# Remove the orphaned user from the site collection
Remove-PnPUser -Identity $UserID -Force

If your result is similar to the one below, the command has done its job! Now go check the site collection administrators box and you should not see that account anymore.
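The single-site snippet above does not cover the bulk case the post describes, so here is an added example (not from the original post) that walks every OneDrive site in the tenant, removes the orphaned account only where it is still a site collection admin, and writes a report. It assumes the legacy SharePointPnPPowerShellOnline module, a non-MFA admin credential (as in the Get-Credential method later on this page), and placeholder tenant, admin and account names.

```powershell
# Added example: bulk removal of an orphaned secondary site collection admin from all OneDrive sites.
# Placeholders: tenant name, your own UPN, and the orphaned account's login name.
$AdminUrl = "https://tenant-admin.sharepoint.com"
$MyUpn    = "admin@tenant.onmicrosoft.com"
$UserID   = "i:0#.f|membership|account@tenant.onmicrosoft.com"
$DryRun   = $true    # set to $false once the report from a dry run looks right

$cred = Get-Credential
Connect-PnPOnline -Url $AdminUrl -Credentials $cred

# Enumerate OneDrive (personal) sites only; regular team sites are left alone
$sites = Get-PnPTenantSite -IncludeOneDriveSites -Filter "Url -like '-my.sharepoint.com/personal/'"

$report = foreach ($site in $sites) {
    try {
        # "Add yourself first": you must be a site collection admin to connect to each OneDrive
        Set-PnPTenantSite -Url $site.Url -Owners $MyUpn
        Connect-PnPOnline -Url $site.Url -Credentials $cred

        # Only act where the orphaned login name is actually listed as a site collection admin
        $match = Get-PnPSiteCollectionAdmin | Where-Object { $_.LoginName -eq $UserID }
        if (-not $match) {
            [pscustomobject]@{ Url = $site.Url; Status = "NotPresent" }
            continue
        }
        if ($DryRun) {
            [pscustomobject]@{ Url = $site.Url; Status = "WouldRemove" }
        } else {
            Remove-PnPUser -Identity $UserID -Force
            [pscustomobject]@{ Url = $site.Url; Status = "Removed" }
        }
    } catch {
        [pscustomobject]@{ Url = $site.Url; Status = "Error: $($_.Exception.Message)" }
    }
}

# Keep the evidence: one row per OneDrive site with what happened there
$report | Export-Csv -Path .\OrphanedAdminRemoval.csv -NoTypeInformation
$report | Group-Object Status | Select-Object Name, Count
```

Run it once with $DryRun left at $true and review the CSV before letting it remove anything; the Set-PnPTenantSite call also leaves your own account as an admin on each OneDrive, so remove it again afterwards if your organization does not want that.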


Error when trying to open a OneDrive uploaded file from Outlook client application: The page that you are trying to access cannot be loaded

At first look this error definitely sounds like the “Office 365 ATP Safe Links or Safe Attachments” policy components blocking the files behind the scenes, but it’s not! Well, it could be the same error in such scenarios, but in my case Safe Links or Safe Attachments policies were not the issue.


Scenario: Users try to share content within the organization by uploading it to a OneDrive/SharePoint location chosen from the dropdown, as an attachment to an Outlook email, on the go.

Attach a file to email and upload it to OneDrive/SharePoint


Attach a file from SharePoint/OneDrive


Once the cloud-based file has been added to the mail, this is how it looks. Then send it out.


Emails are delivered smoothly to the recipients; however, when they try to open the file (by simply clicking on the URL), recipients get the above error (The page that you are trying to access cannot be loaded).

This happens only when:

  • Users use the desktop Outlook application (it does not happen in OWA; files are accessed in OWA without an issue)
  • Or, the file was attached by uploading it to OneDrive or SharePoint as shown above (it does not happen when the file URL is pasted into the Outlook email)

The environment had Office 365 ATP Safe Links and Safe Attachments policies implemented properly, and exceptions were added for trusted partners across the globe for this company (a multi-national).


Resolution: Due to the criticality of this organization-wide behavior, I worked with the Microsoft Support team towards a fix, and here’s what we did.

We ran a Fiddler session while opening the file from both OWA and the Outlook client and reviewed the recording: OWA was working fine while Outlook was not able to access the wrapped URL. It looked like the Outlook API used for calling ATP was not functioning well.

Microsoft analyzed further by collecting the information below and then engaged the Product Group:

  • Collect a Fiddler trace for both OWA and Outlook for comparison
  • Copy the wrapped URL from OWA and Outlook
  • Collect the corresponding message sample

As of now, the Microsoft Product Group for ATP has not identified whether it is a misconfiguration or a product bug; however, I receive constant responses stating that they are actively working towards a resolution. I will update this space as soon as I hear anything applicable towards a resolution/ETA.

Workaround: The only workaround for this is to ask users to use Outlook Web whenever a file received via email needs to be opened.

OneDrive sync error: ‘You are already syncing this account’

This message appeared on plenty of end user devices across many of my clients when they tried to synchronize their SharePoint libraries using the OneDrive sync client (not the OneDrive library itself, though). No big deal: it was all about the browser in our case (it could differ in some cases as well, I presume). The exact error is ‘You’re already syncing this account. Open your OneDrive – Your Organization Name folder or sign in with a different account’.


A common feature of the scenario was that everyone who got this error was using either Microsoft Edge or Internet Explorer. The immediate solution was to use an alternative browser instead; we tried Chrome and it worked like a charm.

When Chrome prompts for options, choose ‘Open URL: OneDrive client protocol’.

And you can now start syncing the library.

Get End User OneDrive URL with PowerShell

This minor task was part of a major activity I carried out for one of my clients recently here in Australia. I used the SharePoint PnP PowerShell module to do this; it is pretty simple with the commands and controls it offers.


SharePoint PnP cmdlets reference – https://github.com/SharePoint/PnP-PowerShell

First and foremost, ensure you have installed the latest PnP module on your machine. Run this cmdlet to get the latest bits installed:

Update-Module SharePointPnPPowerShell*


Now verify the version by running this:

Get-Module SharePointPnPPowerShell* -ListAvailable | Select-Object Name,Version | Sort-Object Version -Descending

First you must connect to SharePoint Online using the Connect-PnPOnline cmdlet (non-MFA environments):

$cred = Get-Credential
Connect-PnPOnline -Url https://<tenant>-admin.sharepoint.com/ -Credentials $cred


If your Office 365 environment is MFA enabled, use this instead (notice the login is different from the traditional method):

Connect-PnPOnline -Url https://sitename-admin.sharepoint.com -UseWebLogin


Now we can run the Get-PnPUserProfileProperty cmdlet to get the information about the user’s profile and select only PersonalUrl, which is the URL of that user’s OneDrive for Business.

$username = "<UserName>"
$OneDriveUrl = Get-PnPUserProfileProperty -Account $username | select PersonalUrl
$OneDriveUrl


There it is! That’s the end user’s OneDrive URL.
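For the bulk version of this task, here is an added example (not from the original post) that resolves the OneDrive URL for a list of users and flags accounts whose OneDrive has not been provisioned yet. It assumes the legacy SharePointPnPPowerShellOnline module, an existing Connect-PnPOnline session against https://<tenant>-admin.sharepoint.com as shown above, and a placeholder users.csv with a single UserPrincipalName column.

```powershell
# Added example: look up PersonalUrl for many users and report unprovisioned OneDrives.
# users.csv is a placeholder input file with one column: UserPrincipalName
$InputCsv  = ".\users.csv"
$OutputCsv = ".\OneDriveUrls.csv"

$results = foreach ($row in Import-Csv -Path $InputCsv) {
    $upn = "$($row.UserPrincipalName)".Trim()
    if (-not $upn) { continue }    # skip blank rows in the input

    try {
        $props = Get-PnPUserProfileProperty -Account $upn
        $url   = $props.PersonalUrl

        # PersonalUrl is normally empty until the user's personal site has been created,
        # so an empty value here means the OneDrive has not been provisioned yet.
        $status = if ([string]::IsNullOrWhiteSpace($url)) { "NotProvisioned" } else { "OK" }

        [pscustomobject]@{
            UserPrincipalName = $upn
            OneDriveUrl       = $url
            Status            = $status
        }
    } catch {
        # Typical causes: the account no longer exists in Azure AD, or the caller lacks rights
        [pscustomobject]@{
            UserPrincipalName = $upn
            OneDriveUrl       = $null
            Status            = "Error: $($_.Exception.Message)"
        }
    }
}

$results | Export-Csv -Path $OutputCsv -NoTypeInformation
$results | Group-Object Status | Select-Object Name, Count    # quick summary per status
```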

Fixed: End users redirected to their Delve profile when clicked on OneDrive in Office 365


Problem: You are redirected to your Delve profile when you click the OneDrive for Business icon in Office 365, instead of the OneDrive portal opening.


To check whether this is related to Office 365, try to access OneDrive directly using the link below (replace the domain name/user ID to match your environment):

https://mantoso-my.sharepoint.com/personal/manoj_mantoso_onmicrosoft_com/_layouts/15/onedrive.aspx

https://domain-my.sharepoint.com/personal/user_domain_onmicrosoft_com/_layouts/15/onedrive.aspx

If it shows an error saying you do not have enough permissions, you are reading the right post. This is a well-known reaction of OneDrive when you haven’t configured permissions for end user OneDrive provisioning. So let’s find out how we can make it normal.

Launch Office 365 as a Global Admin (or SharePoint admin) and go to the SharePoint Admin panel –> Classic features (if you are on the modern experience) –> click on “User profiles”.


User profiles will be launched in a familiar SharePoint Central Administration page (classic indeed!). From the People section there, click on “Manage User Permissions”.


Pick the relevant group (Everyone, in most cases) and click “Add”.


Select the newly added group and grant the permissions by checking the tick boxes –> hit “Ok” to complete.


Open it again and verify that the changes have been applied properly. Sometimes it can still appear empty even after the change.

Finally, open a fresh browser session and log in to Office 365 as an end user. Click on the OneDrive app from the App Launcher and it should smoothly start provisioning the space for you. In a few minutes your OneDrive is ready for your content.


If everything went well, go ahead and inform everyone to start using OneDrive!

Root cause: This problem occurs when the user’s personal site isn’t created and the user doesn’t have permissions to create the site. The site is usually provisioned the first time that a user browses to the page.

Office 365 Multi-Geo Part01 (Get Started)

The concept in brief: the name of the feature says it all. The Multi-Geo capability of Microsoft Office 365 allows you to have multiple geographical locations (based on Microsoft data centers) for your Office 365 data, rather than having everything in one place for everyone in the company.


With this latest capability, your organization can expand its Office 365 presence to various countries/geographical locations using the existing tenant/subscription, and as a result you can give your users the ability to store their OneDrive, SharePoint and Outlook data in their preferred location.

Technically, this means your Office 365 tenant consists of a main central location and multiple satellite locations across the globe. This is centrally managed via Azure Active Directory, because your tenant information such as geographical locations, groups and user information is mastered in Azure Active Directory (AAD).

So, why should (or shouldn’t) you go Multi-Geo?

You don’t have to enable it just because it’s a buzzword or others are using it. Multi-Geo is not designed to meet performance optimization requirements but primarily to comply with industry compliance requirements (such as GDPR). Therefore, you have to set/understand the business objective clearly before you start doing it. You may really need it or you may not.

Technical Eligibility

Doubtless, any Office 365 customer who operates across multiple countries/regions would like to have this functionality due to compliance (such as GDPR). However, there is currently an arbitrary limit on this feature: small organizations with fewer than 2500 seats can’t use it. So yes, you need more than 2500 licenses in Office 365 to have this enabled.

It surely doesn’t make sense to decide enablement based on the number of users. What matters is whether you have the need or not. Small organizations, even though they are small in number, can be multi-national. This is a serious point where Microsoft needs to act promptly. Small companies with a global presence should not be limited on GDPR compliance (e.g. European multinational companies). The community is already raising its voice requesting Microsoft to bring this to all, and here’s the UserVoice item if you would like to vote. When there is a strong number of votes, Microsoft is well known to take it into consideration, so go ahead and vote/comment if you are in need of this function.

Available Locations

This is the list of all locations available as of now for you to add as a satellite location when you configure Multi-Geo.

Important: Not all locations can be added as a Multi-Geo location (e.g. South America), and not all Office 365 workloads support setting Multi-Geo at the user level.


Key terms of Multi-Geo

Tenant – or Subscription in business terms, is the top level. A tenant uniquely represents an organization within the Office 365 umbrella, usually attached to one or more domain names (e.g. mantoso.com).

Geo Locations – Geographical locations (Microsoft Data center locations) available to host an Office 365 tenant’s data.

Satellite Locations – Other locations (e.g. North America, Australia) that you have added to the tenant apart from the initial (central) location (India in this example).

Central Location – Where your tenant was originally provisioned

PDL (Preferred Data Location) – The location where a user prefers to store their data. Admins can set this to any location within the configured geos. Important: if you change the PDL for a user who utilizes OneDrive, their OneDrive content will not be automatically moved to the new Preferred Data Location (PDL). Yes, it means you have to move it manually using this method. The Exchange mailbox of the same user, however, will be moved to the new PDL automatically.

Geo Admin – An administrator who can manage one or more defined geo locations in your tenant.

Geo Code – A 3-letter code that identifies a particular geo location (e.g. AUS, CAN).

Initial Steps (Fundamental) to get started

There are a few things that need to be in place before you get started with Multi-Geo. First and foremost, this is a major organizational-level change. Therefore you can only go ahead if your senior leadership has advised you to carry out the change, so ensure the request comes from the correct authorities.

  1. You need to work with the accounts team to add Office 365 Multi-Geo to your service plan. This is something you have to do offline, as only the account team can guide you when it comes to licenses and commercials. So meet the right person who handles your Microsoft contract internally.
  2. Then, discuss and finalize the satellite locations with the respective authorities of your organization and add them to your tenant.
  3. Set the Preferred Data Location (PDL) for every user in the organization. When a OneDrive or Exchange mailbox is created, it resides in their PDL.
  4. Migrate the OneDrive content of the users you have moved to the new PDL manually using these steps. Nothing to worry about for Exchange mailboxes here, as they will be moved automatically.

Detailed technical steps are demonstrated in Part 02 of this series.

DISCLAIMER NOTE: This is an enthusiast post and is not sponsored by Microsoft or any other vendor. Please do not copy/duplicate the content of the post unless you are authorized by me to do so.

How to Make Microsoft Teams Content Available Offline

Microsoft Teams is rapidly becoming the most popular app for corporate collaboration due to its simplicity and the bunch of capabilities it offers Office 365 users. As you work with Teams, it brings a document library for content sharing which looks self-contained within Teams, but it actually relies on Office 365 Groups and is backed by a SharePoint library.

When you submit a file to a Teams channel window, that file is uploaded to a document library within the main Group.


It’s great that I can share files like everyone else in the conversation, but what if I need them later? Especially when I don’t have an Internet connection on my device? Well, that happens to me very often!


However, not to worry anymore, because synchronizing the files from Teams is similar to synchronizing your OneDrive for Business or SharePoint library content, which simply means you can synchronize Teams files with OneDrive. But how?

Let’s find out. Open up your target Team channel and hit the “Files” tab. You will see the files that you have there.


Now you will be redirected to the following screen in the browser. This is the underlying SharePoint library (backend) which holds all your Teams channel files. Hit the “Sync” button here.


You will be prompted with an app switching screen. Say “Yes” here.


That’s it, and you will immediately receive a notification saying that your library is now syncing. Great!


If you open it from Windows Explorer, you will see the new folder created under your organization icon, and all files are synchronized to your local device perfectly.


DISCLAIMER NOTE: This is an enthusiast post and is not sponsored by Microsoft or any other vendor.

OneDrive Important Folder Protection

OneDrive moves ahead at a rapid pace when it comes to usability and features, and it only gets better and better. The brand-new option called “Folder Protection (Protection for Important Folders)” lets you enable automatic backup of your local folders, so that they are backed up to OneDrive online libraries and, more importantly, are available across all your devices, allowing you to access them from anywhere, anytime. As a result, the Desktop, Documents and Pictures folders can now be backed up with the latest OneDrive sync client.

The way OneDrive usually functions is that you go to your online library and hit “Sync” to synchronize online folders to a device (PC or mobile), or choose the libraries or folders to sync as you sign in to the OneDrive client when you set it up for the first time. Now, with this latest option, you have the ability to protect your local folders with auto sync to OneDrive.

Let’s see this in action now. You need the latest OneDrive sync client to be able to get this. Log in to your OneDrive portal and you can download it there, or simply head to your OneDrive or SharePoint document library and try to Sync it; it will suggest the client download right there.

Once you have the client installed, go ahead and click on the icon to start it. Or, if you already have it, simply right-click on the blue cloud icon.


Click on “More” –> Settings


Head to the “Auto Save” tab and click on “Update folders”.


Give it a moment.


And you are all done!

When the files finish syncing to OneDrive, they’re protected and you can access them from anywhere in Documents, Desktop, or Pictures. When you protect your Desktop folder, the items on your desktop roam with you to your other PC desktops where you’re running OneDrive.

You can protect up to 5 GB of files in OneDrive for free, or up to 1 TB with an Office 365 subscription.


Common Errors:

This message clearly states the problem we have here. I had chosen a custom location to sync my files earlier, and that isn’t going to work with this function. We have to revert to the default location, as it suggests. That can be done simply by re-syncing this device.


To do that, go to Settings –> Account tab and click on “Unlink this PC”. Give it a moment.


And now you can sign in again after unlinking.


Provide the password.


Leave it at the default location (C: drive) this time and hit “Next”.


Now let’s go ahead and try to enable the protection.

Change Folder Protection

If you decide to stop protecting or start protecting an important folder in OneDrive, you can update your folders in OneDrive Settings.

Important: When you stop protecting a folder, the files that were already protected by OneDrive stay in OneDrive. If you no longer need those files in OneDrive, you’ll have to move them to a local folder on your PC yourself. Any new files you add to that folder on your PC won’t be protected by OneDrive.

To stop protection:

  1. Open OneDrive Settings (select the white or blue cloud icon in your notification area, and then select More > Settings).
  2. In Settings, select Auto Save > Update folders.
  3. To stop protecting a folder, select Stop protecting and then confirm that you want to stop protection in the Turn off protection dialog box.


OneDrive Quick Tip: How To Properly Stop OneDrive Syncing (Unlink)

OneDrive and OneDrive for Business, both usage types, have now been centralized in a single sync client (known as NGSC, the Next Generation Sync Client, or simply OneDrive). Microsoft is actively working on improving OneDrive offerings to give its users a better, next-level collaboration experience. Nevertheless, there can be scenarios when you want to break the link between your local and OneDrive folders and decide to keep the files offline instead (this could happen for various reasons). With this post I’m going to demonstrate how to properly stop syncing OneDrive folders and keep a local copy instead, without any data loss.

Step 1: First and foremost, you have to ensure that the entire target folder structure, including its files, is properly synced to your local drives.

To do that, click on the OneDrive icon in your task bar and hit “Open Folder”.


Now your local folders will be opened. You must ensure that you have enabled the “Always available on this device” option for all necessary folders, as this option stores a copy of your OneDrive files/folders locally on your device(s). Do not proceed to unlinking without having this enabled across all the folders you plan to stop syncing.


If you have not done this yet, you must do it before you stop syncing. To do that, simply right-click on the desired folder and hit “Always available on this device”. With this option you will notice your local drives filling up as the files are downloaded to the device.


Now we can stop the linking. Head back to your task bar and click on the “OneDrive” icon. Hit “More” and go to “Settings” from there.


Go to the “Account” tab and hit “Stop Sync” on the desired location.


Note the message prompt, and hit “Stop Sync” to proceed.


That’s all! You have now properly stopped syncing your desired location, yet you still have a local copy of your OneDrive location. You can head back to the local folder to check that everything is there. I have tried this several times and it has proven to work. Nevertheless, feel free to try it with a test location/files first before you do it for real ones.

DISCLAIMER NOTE: This is an enthusiast post and is not sponsored by Microsoft or any other vendor.

Configure OneDrive access delegation upon account removal

When you remove a user from Office 365 or Active Directory, you can decide what to do with this user’s content, e-mail account and related product licenses. For more information on this, refer to my previous article: Things to consider when deleting a user account from an Office 365 subscription.


In this article, we will discover how we can configure OneDrive to automatically delegate access to someone else upon a user’s departure (after the removal of the account). In simple terms, let’s configure delegation.

The default setting for a deleted user is that access is granted to the Manager of the particular user for a 30-day period (unless you have customized the retention period). But what if a user has no Manager defined and access delegation is disabled, too? In that case, OneDrive will follow the steps described in my previous article (Things to consider when deleting a user account from Office 365), so make sure you read through that, too.

Here are the steps:

Sign in to the Office 365 Admin Center as a Global Admin. If you are prompted with an access message, you probably do not have Global Admin rights. You may have to request them, or perhaps you are not the right person to do this task in your organization, so refer it to the right person.

Next up, expand the navigation with the “Show all” option.


Head to “All admin centers”.


And choose “SharePoint Admin Center”.


From here let’s head to the classic SharePoint Admin site, because the settings we are going to manage are not yet available in the modern SharePoint Admin interface.


Once you are in the classic page, go to “User profiles” tab.


Then “Setup My Sites” from the My Site Settings section.


Now scroll down to the bottom of Setup My Sites page till you see the following screen.

Enable access delegation here and define a secondary owner as well. As described well in the option descriptions:

  • The access delegation option allows OneDrive to automatically delegate control to the Manager upon any user identity removal.
  • If you define a secondary owner, that is useful in a scenario where the Manager of a particular user is unavailable: OneDrive is still delegated to the secondary owner.


Additionally, you can enable this option as well. It simply means that you can have one person who is the secondary owner of all users’ My Site/OneDrive content.


Read my previous post to understand the fundamental things to be considered when deleting a user account from Office 365, and the Customize OneDrive retention period article to set your own retention period for OneDrive accounts.

DISCLAIMER NOTE: This is an enthusiast post and is not sponsored by Microsoft or any other vendor.