The influence of Activating SharePoint Server Publishing Infrastructure on Security Trimmed Navigation

Security and navigation are something we need to be really careful with. It is frustrating to see navigation items you don't have access to, and it is even more annoying not to see a navigation item even though you do have access to the library or to one of the items in it. According to the TechNet article, giving a user access to an item in a SharePoint library results in the assignment of Limited Access on the levels above it. The purpose of that Limited Access

“is to allow enough access to the object hierarchically above the uniquely permissioned item so that the Object Model (OM), master pages, and navigation can display when the user attempts to navigate to the item. Without the Limited Access permissions at the parent scopes, the user wouldn’t be able to successfully browse to or open the item that has unique permissions.”

This results in:

Illustrates the object hierarchy for a document library, in which all objects but one inherit their scope from their parent.

Illustrates how the hierarchical depth of scopes can affect the amount of work required to add Limited Access users to parent scopes.

Let me transform this into a Real Case Scenario:

We have a document library, Finance, to which only the CFO and his team have access. In the current navigation (the left-side menu) only the CFO and his team see the Finance library. Every other employee does not see it, since they have no access to the library or to any document in it.

One document, Expenses.xlsx, must be editable for every user, since they have to add their expenses to that spreadsheet. So the CFO gives everyone Contribute rights on it. As mentioned in the TechNet article, everyone then receives Limited Access rights on the library. In SharePoint 2013, Limited Access rights are not shown in the permission overview, to avoid the confusion we had in SharePoint 2010. So far so good: everyone can see the Finance library.

Since we want to use some publishing features like master pages, page layouts, … we need to activate SharePoint Server Publishing Infrastructure. At that exact moment the Finance library disappears from the current navigation for everyone except the CFO and his team. The document Expenses.xlsx is then only reachable through a direct link or when it is surfaced by the Finance web part/app part.

Deactivating the feature doesn't roll back the damage, so be very careful. Since it occurs in SharePoint on-premises and Online, I doubt it is a bug; it is rather a change/feature/opportunity in the platform. In my humble opinion a bad one. I'm still hoping it's a bug. I'm also hoping pigs can fly and hell freezes over, …

I've made a screencast of a similar process, which you can find on YouTube: ..
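Because SharePoint 2013 hides Limited Access in the permission page, it helps to see who holds it on the library and which uniquely permissioned items caused it. This added example (not from the original post) does that from the on-premises SharePoint 2013 Management Shell; the web URL is a placeholder and the library title is the Finance library of the scenario.

```powershell
# Added example, not part of the original post: list the Limited Access assignments the
# 2013 permission page hides, and the items in the library that break inheritance.
# $webUrl is a placeholder; "Finance" is the library from the scenario above.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$webUrl  = "https://intranet.contoso.local/sites/finance"   # placeholder
$library = "Finance"

$web = Get-SPWeb $webUrl
try {
    $list = $web.Lists[$library]

    # Principals whose role assignment on the library itself is only "Limited Access"
    $limited = $list.RoleAssignments |
        Where-Object { @($_.RoleDefinitionBindings | ForEach-Object { $_.Name }) -contains "Limited Access" } |
        ForEach-Object { $_.Member.Name }
    Write-Host "Limited Access on '$library':" ($limited -join ", ")

    # Items with unique permissions: these direct grants are what created the Limited Access above
    foreach ($item in $list.Items) {
        if (-not $item.HasUniqueRoleAssignments) { continue }
        $grants = $item.RoleAssignments | ForEach-Object {
            "{0} ({1})" -f $_.Member.Name, (@($_.RoleDefinitionBindings | ForEach-Object { $_.Name }) -join "/")
        }
        Write-Host ("  {0}: {1}" -f $item.Name, ($grants -join "; "))
    }
} finally {
    # SPWeb objects hold unmanaged resources; always dispose them
    $web.Dispose()
}
```

Running it before and after activating the publishing feature shows that the permissions themselves do not change; only what the navigation provider renders does.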


Resources/Room mailboxes, automatically decline meeting if there is a conflict

When we create a room mailbox, we can define whether the room uses delegates or auto-accepts requests when possible. A basic setting can be defined while creating the room mailbox. To define a resource mailbox, go to Admin > Exchange > Recipients > Resources and click on the +


When we edit the Room mailbox we have more settings.


But there is one little caveat. In this scenario every conflict results in a Tentative instead of a Rejected meeting. The reason for this behaviour is a parameter called AllRequestOutOfPolicy. By default this parameter is true, which treats all conflicts as "Out Of Policy" and requires delegate approval before the meeting is scheduled. That approval step causes the "Tentative" email response.

You can only change this by using PowerShell.

Set-CalendarProcessing "Name of Room" -AllRequestOutOfPolicy $False

This sets it to false and automatically sends a declined email to the meeting requestor for all “Out of Policy” Meeting requests, which includes conflicts.
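As an added example that is not part of the original post, the same change applied as an audit over every room mailbox in the tenant, with a verification at the end; it assumes an open Exchange PowerShell session.

```powershell
# Added example, not from the original post: audit every room mailbox for the
# AllRequestOutOfPolicy setting described above and set it to $false where the room
# auto-accepts requests. Assumes an Exchange (Online or on-premises) PowerShell session.
$rooms = Get-Mailbox -RecipientTypeDetails RoomMailbox -ResultSize Unlimited

foreach ($room in $rooms) {
    $cal = Get-CalendarProcessing -Identity $room.Identity

    # Rooms handled by delegates are left alone; only auto-accepting rooms answer "Tentative" on conflicts
    if ($cal.AutomateProcessing -ne "AutoAccept") {
        Write-Host ("{0}: AutomateProcessing is {1}, skipped" -f $room.DisplayName, $cal.AutomateProcessing)
        continue
    }

    if ($cal.AllRequestOutOfPolicy) {
        Write-Host ("{0}: conflicts are answered as Tentative, switching to Declined" -f $room.DisplayName)
        Set-CalendarProcessing -Identity $room.Identity -AllRequestOutOfPolicy $false
    } else {
        Write-Host ("{0}: conflicts are already declined" -f $room.DisplayName)
    }
}

# Verify: every auto-accept room should now show AllRequestOutOfPolicy = False
Get-Mailbox -RecipientTypeDetails RoomMailbox -ResultSize Unlimited |
    Get-CalendarProcessing |
    Select-Object Identity, AutomateProcessing, AllRequestOutOfPolicy, AllBookInPolicy
```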

SharePoint Designer Workflow Move Document with Rest API

One of the things missing in SharePoint Designer is an action to move a document from one location to another. There are a lot of great articles out there to get started with SPD and the REST API. I personally used Fabian Williams' posts a lot. .. Paolo Pialorsi has a WSP with a custom move action:

I wanted to do it with REST to check out the possibilities. Workflows run under the credentials and permissions of the user who initiates the request, so if we want to run the workflow with different rights we need to use an App Step. Read more on:

In my case I need to call {currentWebUri}/_api/web/lists/GetById(guid'{ListId}')/Items({sourceItemID})/File/MoveTo(newUrl='{targetFolder}',flags='1').

When I translate this to SPD I’ll get:


A REST API call also has a request header, which we need to fill with the necessary parameters. To see what your parameters need to be, use Fiddler to simulate your REST API call; I urge you to check Fabian's blog for detailed information on how to do this. In my case I need one header, Accept. To pass it to my REST API call I need to add it to a Dictionary.


When we combine these things together we’ve got:


If you move the file/item that this workflow is running on out of its document library/list, the workflow becomes disassociated: it stays in a running state but no longer has a document/item it can attach to.
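The call the workflow makes can be reproduced from PowerShell first, which is an easier place than SPD to confirm the URL, the Accept header and the form digest. This added example is not from the original post; it targets an on-premises SharePoint 2013 site with Windows authentication, and the web URL, list GUID, item ID and target path are placeholders.

```powershell
# Added example, not from the original post: issue the same MoveTo call the workflow uses,
# from PowerShell, to validate URL and headers before building them in SharePoint Designer.
# Assumes an on-premises site reachable with the current Windows credentials.
$webUrl       = "https://intranet.contoso.local/sites/finance"     # placeholder
$listId       = "00000000-0000-0000-0000-000000000000"            # placeholder list GUID
$itemId       = 1                                                 # placeholder item ID
$targetFolder = "/sites/finance/Archive/Expenses.xlsx"            # placeholder server-relative target

$accept = @{ "Accept" = "application/json;odata=verbose" }   # the one header the workflow dictionary carries

# Every POST to the SharePoint REST API needs a form digest; _api/contextinfo hands one out
$ctxInfo = Invoke-RestMethod -Uri "$webUrl/_api/contextinfo" -Method Post -Headers $accept -UseDefaultCredentials
$digest  = $ctxInfo.d.GetContextWebInformation.FormDigestValue

# Same endpoint as in the workflow; flags=1 (integer form) means overwrite an existing file at the target
$uri = "$webUrl/_api/web/lists/GetById(guid'$listId')/Items($itemId)/File/MoveTo(newUrl='$targetFolder',flags=1)"

$headers = $accept.Clone()
$headers["X-RequestDigest"] = $digest

try {
    Invoke-RestMethod -Uri $uri -Method Post -Headers $headers -UseDefaultCredentials | Out-Null
    Write-Host "Moved item $itemId to $targetFolder"
} catch {
    # A 403 here usually means the caller lacks rights on source or target; that is what the App Step solves
    Write-Warning ("MoveTo failed: {0}" -f $_.Exception.Message)
}
```

Because the call runs as the current user, a failure here predicts exactly the failure the workflow will see when it runs without an App Step.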

Manage your retention policy

In the previous tip we talked about how to use your archive mailbox with the retention and archiving tags. But not every business has the same needs; not every company uses the same retention and archiving periods, …

So at some point we want to customize or even make our own retention and archive policy. Some basics: a retention policy consists of one or more retention tags, and a user gets a retention policy assigned.

Step 1: Create your own Retention Tag

Go to Admin > Exchange > Compliance Management > Retention Tags

When we create a new tag we have to choose whether that tag is applied automatically to the entire mailbox or to a default folder, or whether the end user decides.


In this example we create a personal (user-assignable) retention tag: 6 months move to Archive.


Step 2: Add Retention Tag to Retention Policy

Edit the Retention Policy.


Click on + and select the retention tag we just created, followed by a click on Add.


Click on Save to make it final. Now you can use this new retention tag in your archiving strategy.


If you've created a new policy, you need to assign it to the users. Go to Recipients, open the user who should get the new retention policy and assign it.



How to use the archiving mailbox?

One of the features of Exchange Online within Office 365 that I like a lot is the archive mailbox. I still see people using PSTs for archiving. In this post I'm going to show how interesting the archive mailbox actually is.

An "ordinary" mailbox looks like this in Outlook.


The first thing we need to do is activate our archive mailbox. Out of the box your archive mailbox is not activated. We'll do that in our Exchange Admin …


When we open Outlook again (you might want to wait a few minutes) you'll see that a new mailbox has been attached to your Outlook profile. You'll have the same experience in Outlook Web App.


We'll see that we don't have a button to assign retention policies yet. The reason is that a specific Exchange job, the Managed Folder Assistant, hasn't run yet; it is configured to process all mailboxes in a work cycle of 7 days. If we want to accelerate this we need to use PowerShell: Start-ManagedFolderAssistant -Identity <mailbox>

After running this cmdlet we’ll see this button:


Depending on what you select (a mailbox, a folder or a mail) you'll get different options. You can use the Assign Policy button to set different policies.

You'll have to differentiate between retention tags and archiving tags. The first keep the mails for X amount of time and delete them afterwards (with the option to recover). The latter move the mail to the online archive.

A few advantages of the online archive:

  1. It is available in every Outlook profile to which that mailbox is attached
  2. It will be available in Outlook Web Access
  3. It will take the folder structure of the Active Mailbox and reproduce it in the Archive Mailbox so you’ll have the same folder structure.

What about our PSTs?

You can import them into your archive.


One additional tip: if you want the archiving/retention policy to deal with your "old" mails and you don't want to wait 7 days, run this cmdlet again: Start-ManagedFolderAssistant -Identity <mailbox>
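As an added example that is not part of the retention post or of this one, the same steps done from Exchange Online PowerShell instead of the admin center: create the personal tag, link it into a policy, assign the policy, enable the archive and run the Managed Folder Assistant mentioned above. The tag name is the one from the retention post; the policy name and the mailbox are placeholders.

```powershell
# Added example, not from the original posts. Assumes a remote PowerShell session to Exchange Online.
$tagName    = "6 months move to Archive"     # tag from the retention post
$policyName = "Default MRM Policy"           # placeholder: the policy the users are assigned
$mailbox    = "doctor.who@<your-domain>"     # placeholder

# Step 1: a personal tag (users apply it themselves) that moves items to the archive after 180 days;
# 180 days is the assumption used here for "6 months"
if (-not (Get-RetentionPolicyTag -Identity $tagName -ErrorAction SilentlyContinue)) {
    New-RetentionPolicyTag -Name $tagName -Type Personal `
        -AgeLimitForRetention 180 -RetentionAction MoveToArchive `
        -Comment "Moves items to the online archive after 6 months"
}

# Step 2: link the tag into the policy; the @{Add=} syntax leaves the existing tags in place
Set-RetentionPolicy -Identity $policyName -RetentionPolicyTagLinks @{Add=$tagName}

# Assign the policy to the user (skipped when it is already assigned)
$mbx = Get-Mailbox -Identity $mailbox
if ("$($mbx.RetentionPolicy)" -ne $policyName) {
    Set-Mailbox -Identity $mailbox -RetentionPolicy $policyName
}

# Archive mailbox: enable it if it is not active yet
if ($mbx.ArchiveStatus -ne "Active") {
    Enable-Mailbox -Identity $mailbox -Archive
}

# Do not wait for the 7-day work cycle: process this mailbox now
Start-ManagedFolderAssistant -Identity $mailbox

# Verify the result
Get-Mailbox -Identity $mailbox | Select-Object DisplayName, RetentionPolicy, ArchiveStatus
Get-RetentionPolicy -Identity $policyName | Select-Object -ExpandProperty RetentionPolicyTagLinks
```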

How to allow DirSync to synchronize a .local domain

DirSync is the magic tool that synchronizes your local Active Directory (users, groups and contacts) with Windows Azure Active Directory, the identity system of Office 365.

We know that DirSync has some requirements for a successful installation. But DirSync is more than a synchronization tool; it is an enabler for a kind of single/same sign-in experience. It syncs the user's User Principal Name and a double hash of his or her password, which allows the user to work with the credentials he or she is familiar with.

But there is a catch. The user's UPN consists of 2 parts divided by the magic @ sign. The first part represents the user, the second part is the domain where the user resides (often referred to as the DNS suffix). In the case of a .local domain this could be doctor.who@littlebluebox.local. Now here comes the catch:

Attention: DirSync will only sync DNS suffixes that are available in your WAAD as a verified domain. When we look at the verification process, it shows that in either case, with TXT or MX, we need to add a record to the publicly available DNS for that domain. Back to our .local: this means we cannot do this for a .local domain or any other non-publicly-routable domain, since they don't have a public DNS. DirSync will replace the unknown DNS suffix with the primary domain of your WAAD. By default this is set to your tenant domain e.g. This can be changed through the Azure Management Portal.

So solution 1 to deal with .local … change your primary domain to e.g., so every user that has littlebluebox.local as a UPN suffix will get a There is no possibility to differentiate between domains.

Solution 2 is to register one (or more, if needed) new DNS suffixes in your Active Directory. This can be done through Server Manager > Tools > Active Directory Domains and Trusts


Right-click on Active Directory Domains and Trusts and choose Properties


Enter your Alternative UPN Suffixes and click on Add


Click on Apply if you want to add more or on OK when you are done.

When we look at the Account tab of a test user we'll see that we have a new UPN suffix available to choose from.


We change every UPN that has .local suffix to our new suffix.

If we need to alter a lot of users, we might choose to do this through PowerShell. The first part of the command gets the users who have an invalid UPN:

Get-ADUser -Filter {userprincipalname -like '*tardis.local'} -Properties userPrincipalName

The second part sets the new UPN, built from the account name and the new suffix (replace <new-suffix> with the suffix you registered above). The 2 parts combined make:

Get-ADUser -Filter {userprincipalname -like '*tardis.local'} -Properties userPrincipalName | foreach { Set-ADUser $_ -UserPrincipalName ("{0}@{1}" -f $_.SamAccountName, "<new-suffix>") }

Check out if you want to get more details about the PowerShell line.
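Before DirSync runs it is worth knowing which UPN suffixes it will rewrite. This added example (not from the original post) compares the suffixes in use in Active Directory with the domains verified in WAAD and lists the affected users; it assumes the ActiveDirectory and MSOnline modules and an existing Connect-MsolService session, and the replacement suffix is a placeholder.

```powershell
# Added example, not from the original post: find users whose UPN suffix is not a verified
# WAAD domain (DirSync would replace it with the primary domain) and show the solution 2 fix.
Import-Module ActiveDirectory

$newSuffix = "<your-verified-public-domain>"   # placeholder: must be listed as Verified below

# Domains DirSync will accept: only the verified ones count
$verified = Get-MsolDomain | Where-Object { $_.Status -eq "Verified" } | ForEach-Object { $_.Name.ToLower() }
Write-Host "Verified in WAAD:" ($verified -join ", ")

# Suffixes registered in the forest (Server Manager > Tools > Active Directory Domains and Trusts)
$forest = Get-ADForest
Write-Host "Alternative UPN suffixes in AD:" ($forest.UPNSuffixes -join ", ")

# Every enabled user whose suffix is not verified would end up on the WAAD primary domain
$unroutable = Get-ADUser -Filter { Enabled -eq $true } -Properties UserPrincipalName |
    Where-Object { $_.UserPrincipalName -and
                   $verified -notcontains $_.UserPrincipalName.Split("@")[1].ToLower() }

$unroutable | Select-Object SamAccountName, UserPrincipalName | Format-Table -AutoSize
Write-Host ("{0} user(s) would be rewritten by DirSync" -f @($unroutable).Count)

# Solution 2 from the post: move those UPNs onto the verified suffix (drop -WhatIf to apply)
if ($verified -contains $newSuffix.ToLower()) {
    $unroutable | ForEach-Object {
        $upn = "{0}@{1}" -f $_.UserPrincipalName.Split("@")[0], $newSuffix
        Set-ADUser -Identity $_ -UserPrincipalName $upn -WhatIf
    }
} else {
    Write-Warning "$newSuffix is not a verified domain; verify it in WAAD first"
}
```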

Multi Factor Authentication with Office Clients

In one of my blog posts I talked about Multi Factor Authentication and how to set it up.

One of the limitations of multi factor authentication was that it couldn't be used with Outlook and Lync; today we can announce that this limitation is solved. To make this available we need to generate an app password.

To configure multi factor authentication, go to the Microsoft Online Portal. When you've entered the correct credentials you need to choose an additional security verification:


Configure the Mobile App, mobile phone, office phone, … whichever type of verification you like best. Read more on


Click on verify now, your selected verification option will ask you to verify your credentials.


Enter your mobile number.



Click on Generate app password.


It's this password that we're going to use in our Outlook profile. When you create a new profile and need to enter a password, you use the app password that the portal generated for you.



Office 365 – 2013 Recap by the Office 365 FM Radio Show

It’s almost over, the year 2013. And what a year it’s been for the Cloud Service Office 365. A year with migrations, new features, new storage, …

But who is better at telling the story than 5 of the leading Office 365 MVPs and community leaders in the world?

These 5 experts do a full recap of 2013, divided into 2 episodes of 45 minutes each:

Episode 1:

In this episode they talk about:

– The launch of Wave 15 (aka "the new Office 365")
– Integration with Yammer
– Lync integration with Skype
– Beta of PowerBI
– Size increases in Exchange Online mailboxes, SkyDrive Pro storage spaces, upload limitations, and general service maturity
– PowerShell capabilities in Lync Online and SharePoint Online
– DirSync with Password Sync
– The recently released Windows Azure Active Directory connector for Forefront Identity Manager (FIM) to provide multi-forest support
– The Message Center and what it does
– The recently released Tool Center and how you can use it

Episode 2:

In this episode they talk about:

– The new Office 365 Beta Exams
– Namespace changes and DNS changes for Office 365 services
– The migration from Live@Edu to Office 365
– Security improvements (Multi-Factor Authentication, DLP, etc.)

Meet the Experts:







What are the limits on SharePoint Online Search?

Have you ever wondered why a certain document or item is not retrieved by SharePoint Online search? We all know that the "shared" search environment of SharePoint Online limits us in a number of functionalities, but there are also some "hidden" limitations.

For example, there are limits to the number of entries you can have in a custom search dictionary or the number of rows that are returned as part of a search.

First of all we need to distinguish 2 types of limitations:

  • Boundary: a number that can't be exceeded.
  • Supported: a recommended number, based on testing that Microsoft has done, that shouldn't be exceeded. If you don't respect the supported number it might cause a decrease in performance.
| Limit | Maximum value | Limit type | Notes |
|---|---|---|---|
| Size of document that can be downloaded by the crawl components | 64 MB, 3 MB for Excel documents | Boundary | Search downloads metadata and content from a document until it reaches the maximum document size. The rest of the content is not downloaded. |
| Parsed content size | 2 million characters | Boundary | Search stops parsing an item after it has parsed up to 2 million characters of content from it, including the item's attachments. The actual amount of parsed characters can be lower than this limit because search uses a maximum of 30 seconds on parsing a single item and its attachments. When search stops parsing an item, the item is marked as partially processed. Any unparsed content isn't processed and therefore isn't indexed. |
| Tokens produced by the word breaker | 30,000 | Boundary | Search breaks content into individual words (tokens) and produces up to 30,000 tokens from a single item. The actual amount of tokens can be lower than this limit because search uses a maximum of 30 seconds on word breaking. Any remaining content isn't processed. |
| Indexed managed property size | 512 KB per managed property that is set to either "searchable" or "queryable" | Boundary | |
| Retrievable managed property size | 16 KB per managed property | Boundary | |
| Sortable and refinable managed property size | 16 KB per managed property | Boundary | |
| Token size | Variable; the size depends on the word breaker, and the word breaker is language-dependent | Boundary | Search can index tokens of any length, but the word breaker that is used to produce tokens can limit the token length. Word breakers are language-aware components that break content into single words (tokens). |
| Number of entries in a custom search dictionary | 5,000 terms per tenant | Boundary | This limits the number of terms allowed for inclusion and exclusion dictionaries for query spelling correction and company extraction. You can store more terms than this limit in the term store, but search only uses 5,000 terms per tenant. |
| Managed property mappings | 100 per managed property | Supported | Crawled properties can be mapped to managed properties. Exceeding this limit may decrease crawl speed and query performance. |
| Values per managed property | 1,000 | Boundary | A managed property can have multiple values of the same type. This is the maximum number of values per multi-valued managed property per document. If this number is exceeded, the remaining values are discarded. |
| Unique contexts used for ranking | 15 unique contexts per rank model | Boundary | |
| Authoritative pages | 1 top-level page and minimal second- and third-level pages per tenant | Supported | Use as few second- and third-level pages as possible while still achieving the desired relevance. If you add additional pages you may not achieve the desired relevance. Add the key site to the first relevance level. Add more key sites at either the second or third relevance level, one at a time. Evaluate relevance after each addition to ensure that you have achieved the desired relevance effect. |
| Text length for queries using Keyword Query Language | 4 KB | Boundary | For Discovery queries the maximum text length is 16 KB. |
| Number of rows in a result set | 500 | Boundary | To display the entire result set, issue more paging queries. For Discovery queries the maximum number of rows in a result set is 10,000. |
| Ranking models | 1,000 per tenant | Boundary | Approaching this limit can have a negative effect on overall system performance. |
| User-defined full-text indexes | 3 | Boundary | |
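The 500-row boundary means a complete result set has to be fetched page by page. As an added example that is not part of the original post, this PowerShell script pages through a SharePoint Online search with the CSOM search client, 500 rows at a time; the site URL, account, query text and the SDK DLL path are assumptions.

```powershell
# Added example, not from the original post: page through a SharePoint Online search result
# set in 500-row chunks (the "Number of rows in a result set" boundary from the table).
# Assumes the SharePoint Online Client Components SDK is installed at the path below.
$sdk = "C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\15\ISAPI"   # assumed SDK path
Add-Type -Path "$sdk\Microsoft.SharePoint.Client.dll"
Add-Type -Path "$sdk\Microsoft.SharePoint.Client.Runtime.dll"
Add-Type -Path "$sdk\Microsoft.SharePoint.Client.Search.dll"

$siteUrl = "https://<tenant>.sharepoint.com/sites/<site>"   # placeholder
$user    = "admin@<tenant>.onmicrosoft.com"                 # placeholder
$pwd     = Read-Host -Prompt "Password for $user" -AsSecureString

$ctx = New-Object Microsoft.SharePoint.Client.ClientContext($siteUrl)
$ctx.Credentials = New-Object Microsoft.SharePoint.Client.SharePointOnlineCredentials($user, $pwd)

$pageSize = 500        # asking for more rows than this is silently cut to 500
$startRow = 0
$allRows  = @()

do {
    $query = New-Object Microsoft.SharePoint.Client.Search.Query.KeywordQuery($ctx)
    $query.QueryText      = "Expenses"     # assumed query
    $query.RowLimit       = $pageSize
    $query.StartRow       = $startRow
    $query.TrimDuplicates = $false         # keeps the row count stable from page to page

    $executor = New-Object Microsoft.SharePoint.Client.Search.Query.SearchExecutor($ctx)
    $results  = $executor.ExecuteQuery($query)
    $ctx.ExecuteQuery()

    $table = $results.Value | Where-Object { $_.TableType -eq "RelevantResults" }
    if ($null -eq $table) { break }

    $allRows += $table.ResultRows
    Write-Host ("Fetched rows {0}-{1} of {2}" -f $startRow, ($startRow + $table.RowCount), $table.TotalRows)
    $startRow += $pageSize
} while ($table.RowCount -eq $pageSize -and $startRow -lt $table.TotalRows)

# Each row is a dictionary of managed properties; Path is always returned
$allRows | ForEach-Object { $_["Path"] }
Write-Host ("{0} rows collected in total" -f $allRows.Count)
```

TotalRows is an estimate that can change between pages, so the loop stops on a short page rather than trusting the count alone.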