From f9355df12e7b68527b28e48926f000dbd2794ccc Mon Sep 17 00:00:00 2001 From: Yvan Duhamel Date: Tue, 2 Oct 2018 16:05:19 +0200 Subject: [PATCH 01/11] Initial commit - still draft --- ...-server-to-server-authentication-in-sharepoint.md | 12 +++--------- 1 file changed, 3 insertions(+), 9 deletions(-) diff --git a/SharePoint/SharePointServer/administration/configure-server-to-server-authentication-in-sharepoint.md b/SharePoint/SharePointServer/administration/configure-server-to-server-authentication-in-sharepoint.md index 13e59ebca2..2256876dae 100644 --- a/SharePoint/SharePointServer/administration/configure-server-to-server-authentication-in-sharepoint.md +++ b/SharePoint/SharePointServer/administration/configure-server-to-server-authentication-in-sharepoint.md 
@@ -13,11 +13,11 @@ ms.assetid: c77f5006-d023-463f-8256-e4570d32dd1e description: "Summary: Learn how to configure server-to-server authentication when you share service applications across SharePoint Server 2016 and SharePoint 2013 publishing and consuming farms." --- -# Configure server-to-server authentication between publishing and consuming farms +# Configure OAuth when User Profile Service Application is published - **Summary:** Learn how to configure server-to-server authentication when you share service applications across SharePoint Server 2016 and SharePoint 2013 publishing and consuming farms. + **Summary:** Learn how to configure OAuth when you share service applications across SharePoint Server 2016 and SharePoint 2013 publishing and consuming farms. -To enable a web application or an application service to request a resource from a web application on another farm on behalf of a user, you must configure server-to-server authentication between the farms. A few examples of SharePoint Server processes that use server-to-server authentication are as follows: +When a farm consumes the User Profile Service Application of another farm, it will issue requests using OAuth protocol on behalf of the user for some features: - Follow a document on a Team Sites web application when a user's personal site is located on a My Sites web application. The Team Sites web application makes a request of the My Sites web application on behalf of the user. 
@@ -37,10 +37,6 @@ To understand the procedures in this article, you should be familiar with the ba [Plan for server-to-server authentication in SharePoint Server](../security-for-sharepoint-server/plan-server-to-server-authentication.md) -> [!IMPORTANT] -> If your consuming farm has web applications that are configured or registered to a Workflow Manager, when you set a Realm value, you will need to register the Workflow Manager with the SharePoint farm. Use the PowerShell [Register-SPWorkflowService](https://docs.microsoft.com/en-us/powershell/module/sharepoint-server/register-spworkflowservice?view=sharepoint-ps) cmdlet to do this. - -> For more information about setting a Realm value and registering a Workflow Manager with a SharePoint farm, see [Fix the HTTP 401 error with provider-hosted add-ins and issues with workflow and cross farm trust scenarios in SharePoint](https://support.microsoft.com/en-us/help/4010011/provider-hosted-add-ins-stop-working-and-http-401-error) and [Move Workflow Manager to a new farm in a new domain](https://sharepoint.stackexchange.com/questions/132524/move-workflow-manager-to-new-farm-in-a-new-domain). ## Configure server-to-server authentication between publishing and consuming farms @@ -48,8 +44,6 @@ To understand the procedures in this article, you should be familiar with the ba The following procedure describes how to configure server-to-server authentication between the publishing and consuming farms. **To configure server-to-server authentication between publishing and consuming farms** - -1. Choose a realm name that will be common to both farms. 2. Verify that you are a member of the Administrators group on the server on which you are running PowerShell cmdlets. From 608c6ff2273b3f8f8286d0183e0276e6633c96c5 Mon Sep 17 00:00:00 2001 
From: Yvan Duhamel Date: Thu, 4 Oct 2018 15:19:12 +0200 Subject: [PATCH 02/11] Updated documentation The original article configures all SharePoint farms to use the same authentication realm, which is bad as it may cause issues with other workloads that rely on OAuth (e.g. add-ins, Workflow Manager, Office Online Server). I reviewed the procedure to not modify the authentication realm of any farm, which eliminates the issue above, and I just set the permissions actually required for the OAuth requests to work (versus full trust when authentication realm is unique across farms). --- ...-to-server-authentication-in-sharepoint.md | 169 ++++++++---------- 1 file changed, 71 insertions(+), 98 deletions(-) diff --git a/SharePoint/SharePointServer/administration/configure-server-to-server-authentication-in-sharepoint.md b/SharePoint/SharePointServer/administration/configure-server-to-server-authentication-in-sharepoint.md index 2256876dae..1873bb6f51 100644 --- a/SharePoint/SharePointServer/administration/configure-server-to-server-authentication-in-sharepoint.md +++ b/SharePoint/SharePointServer/administration/configure-server-to-server-authentication-in-sharepoint.md 
@@ -10,42 +10,34 @@ ms.prod: sharepoint-server-itpro localization_priority: Normal ms.collection: IT_Sharepoint_Server_Top ms.assetid: c77f5006-d023-463f-8256-e4570d32dd1e -description: "Summary: Learn how to configure server-to-server authentication when you share service applications across SharePoint Server 2016 and SharePoint 2013 publishing and consuming farms." +description: "Summary: Learn how to configure server-to-server authentication when you share User Profile service application across SharePoint Server 2016 and SharePoint 2013 publishing and consuming farms." --- -# Configure OAuth when User Profile Service Application is published +# Configure Server-to-Server authentication between publishing and consuming farms - **Summary:** Learn how to configure OAuth when you share service applications across SharePoint Server 2016 and SharePoint 2013 publishing and consuming farms. + **Summary:** Learn how to configure Server-to-Server authentication when you share the User Profile service application across SharePoint Server 2016 and SharePoint 2013 publishing and consuming farms. -When a farm consumes the User Profile Service Application of another farm, it will issue requests using OAuth protocol on behalf of the user for some features: +When a farm consumes the User Profile service application of a publishing farm, SharePoint issues requests using Server-to-Server authentication on behalf of the user for some features: -- Follow a document on a Team Sites web application when a user's personal site is located on a My Sites web application. The Team Sites web application makes a request of the My Sites web application on behalf of the user. +- Follow a document on a content web application when a user's personal site is located on a web application in an external farm. The content web application makes a OAuth request to the My Sites web application on behalf of the user. 
-- Create or reply to a site feed post for a site that is located on a Team Sites web application but performed through the user's My Site Newsfeed on the My Sites web application. The My Sites web application will make a request of the Team Sites web application on behalf of the user to write the post or the reply. +- Create or reply to a site feed post for a site that is located on a content web application but performed through the user's My Site Newsfeed on the My Sites web application. The My Sites web application will make a request of the Team Sites web application on behalf of the user to write the post or the reply. - A User Profile Service application task to repopulate the feed cache has to read from the personal site or team site. If the User Profile Service application is running in a different farm, the User Profile Service application sends a request to the My Sites web application or Team Sites web application to read the user or site feed data into the cache. - -> [!NOTE] -> Web applications or application services that request resources from an application service on another farm do not require server-to-server authentication. + ## Before you begin +This article requires that you already shared the User Profile service application between a consuming and a publishing farm. If you haven't done so, see [Share service applications across farms in SharePoint Server](/share-service-applications-across-farms) first to share the User Profile service application. 
+ To understand the procedures in this article, you should be familiar with the basic concepts in the following articles: - + [Authentication overview for SharePoint Server](../security-for-sharepoint-server/authentication-overview.md) - -[Plan for server-to-server authentication in SharePoint Server](../security-for-sharepoint-server/plan-server-to-server-authentication.md) - -## Configure server-to-server authentication between publishing and consuming farms - +[Plan for server-to-server authentication in SharePoint Server](../security-for-sharepoint-server/plan-server-to-server-authentication.md) -The following procedure describes how to configure server-to-server authentication between the publishing and consuming farms. - - **To configure server-to-server authentication between publishing and consuming farms** - -2. Verify that you are a member of the Administrators group on the server on which you are running PowerShell cmdlets. +Verify that you are a member of the Administrators group on the servers on which you are running PowerShell cmdlets. - **Securityadmin** fixed server role on the SQL Server instance. 
@@ -55,83 +47,69 @@ The following procedure describes how to configure server-to-server authenticati > [!NOTE] > If you do not have permissions, contact your Setup administrator or SQL Server administrator to request permissions. For additional information about PowerShell permissions, see [Add-SPShellAdmin](http://technet.microsoft.com/library/2ddfad84-7ca8-409e-878b-d09cb35ed4aa.aspx). - -3. In the SharePoint Server environment on both the publishing and consuming farms, start the SharePoint Management Shell. - -4. To configure the publishing farm for the common realm name, type the following command at the PowerShell command prompt on a server in the publishing farm: - - ``` - Set-SPAuthenticationRealm -realm - ``` - Where: - - _RealmName_ is the name that you chose in step 1. - -5. To configure the Name ID for the SharePoint Security Token Service (STS) on the publishing farm to include the common realm name, type the following commands at the PowerShell command prompt on a server in the publishing farm: - - ``` - $sts=Get-SPSecurityTokenServiceConfig - $Realm=Get-SpAuthenticationRealm - $nameId = "00000003-0000-0ff1-ce00-000000000000@$Realm" - Write-Host "Setting STS NameId to $nameId" - $sts.NameIdentifier = $nameId - $sts.Update() - ``` - -6. To configure the consuming farm for the common realm name, type the following command at the PowerShell command prompt on a server in the consuming farm: - - ``` - Set-SPAuthenticationRealm -realm - ``` +## Configure server-to-server authentication between publishing and consuming farms + - Where: - - _RealmName_ is the name that you chose in step 1. - -7. 
To configure the Name ID for the SharePoint STS on the consuming farm to include the common realm name, type the following commands at the PowerShell command prompt on a server in the consuming farm: - - ``` - $sts=Get-SPSecurityTokenServiceConfig - $Realm=Get-SpAuthenticationRealm - $nameId = "00000003-0000-0ff1-ce00-000000000000@$Realm" - Write-Host "Setting STS NameId to $nameId" - $sts.NameIdentifier = $nameId - $sts.Update() - ``` - -8. To configure the publishing farm for server-to-server authentication with the consuming farm, type the following command at the PowerShell command prompt on a server in the publishing farm: - - ``` - New-SPTrustedSecurityTokenIssuer -MetadataEndpoint "https:///_layouts/<15or16>/metadata/json/1" -Name "" - ``` +The following procedure describes how to configure server-to-server authentication and just grant the required permissions to allow workloads to work. Each farm will keep its own authentication realm. - Where: - - - _ConsumeHostName_ is the name and port of any SSL-enabled web application of the consuming farm. - - - _15or16_ is the directory for the SharePoint Server version. - - - _ConsumeFriendlyName_ is a friendly name for the consuming farm. - - This creates the server-to-server authentication trust with the consuming farm. - -9. To configure the consuming farm for server-to-server authentication with the publishing farm, type the following command at the PowerShell command prompt on a server in the consuming farm: - - ``` - New-SPTrustedSecurityTokenIssuer -MetadataEndpoint "https:///_layouts/<15or16>/metadata/json/1" -Name "" - ``` +### Authorize consuming farm to send OAuth requests to the publishing farm + +1. In a SharePoint server in the publishing farms, start the SharePoint Management Shell. + +2. 
Register the consuming farm as a trusted issuer: +```powershell +New-SPTrustedSecurityTokenIssuer -MetadataEndpoint "https:///_layouts/<15or16>/metadata/json/1" -Name "" +``` + + > [!NOTE] + > This assumes that you already added the root certificate of the consuming farm to the trusted root authorities as explained in article [Exchange trust certificates between farms in SharePoint Server](/exchange-trust-certificates-between-farms). + +3.Get the app principal and set required authorizations: + +```powershell +# Get the app principal and set required authorizations +$centralAdminWeb = Get-SPWeb "http:///" +$appPrincipal = Get-SPAppPrincipal -Site $centralAdminWeb -NameIdentifier $trustedIssuer.NameId + +# Grant app only permission and Read on the SiteSubscription +Set-SPAppPrincipalPermission -EnableAppOnlyPolicy -AppPrincipal $appPrincipal -Site $centralAdminWeb -Scope SiteSubscription -Right Read + +# Grant permissions Manage on the PrivateAPI +$privateAPITypeId = New-Object -TypeName System.Guid ("a2ccc2e2-1703-4bd9-955f-77b2550d6f0d") +$mgr = New-Object -TypeName Microsoft.SharePoint.SPAppPrincipalPermissionsManager ($centralAdminWeb) +$mgr.AddSiteSubscriptionPermission($appPrincipal, $privateAPITypeId, [Microsoft.SharePoint.SPAppPrincipalPermissionKind]::Manage) +``` + +### Authorize publishing farm to send OAuth requests to the consuming farm + +1. In a SharePoint server in the publishing farms, start the SharePoint Management Shell. + +2. Register the farm running User Profile service application as a trusted issuer: + +```powershell +$trustedIssuer = New-SPTrustedSecurityTokenIssuer -MetadataEndpoint "https:///_layouts/<15or16>/metadata/json/1" -Name "" +``` + + > [!NOTE] + > This assumes that you already added the root certificate of the consuming farm to the trusted root authorities as explained in article [Exchange trust certificates between farms in SharePoint Server](/exchange-trust-certificates-between-farms). 
+ +3.Get the app principal and set required authorizations: + +```powershell +# Get the app principal +$centralAdminWeb = Get-SPWeb "http://sp:5000/" +$appPrincipal = Get-SPAppPrincipal -Site $centralAdminWeb -NameIdentifier $trustedIssuer.NameId + +# Grant app only permission and Read on the SiteSubscription +Set-SPAppPrincipalPermission -EnableAppOnlyPolicy -AppPrincipal $appPrincipal -Site $centralAdminWeb -Scope SiteSubscription -Right Read + +# Grant permissions Manage on the PrivateAPI +$privateAPITypeId = New-Object -TypeName System.Guid ("a2ccc2e2-1703-4bd9-955f-77b2550d6f0d") +$mgr = New-Object -TypeName Microsoft.SharePoint.SPAppPrincipalPermissionsManager ($centralAdminWeb) +$mgr.AddSiteSubscriptionPermission($appPrincipal, $privateAPITypeId, [Microsoft.SharePoint.SPAppPrincipalPermissionKind]::Manage) +``` - Where: - - - _PublishHostName_ is the name and port of any SSL-enabled web application of the publishing farm. - - - _15or16_ is the directory for the SharePoint Server version. - - - _PublishFriendlyName_ is a friendly name for the publishing farm. - - This creates the server-to-server authentication trust with the publishing farm. - ## See also @@ -139,10 +117,5 @@ The following procedure describes how to configure server-to-server authenticati [Share service applications across farms in SharePoint Server](share-service-applications-across-farms.md) #### Other Resources - -[Get-SPAuthenticationRealm](http://technet.microsoft.com/library/7ec6c10c-283e-4533-addf-6bdd2d804c28.aspx) - -[Set-SPAuthenticationRealm](http://technet.microsoft.com/library/d3d60059-4883-4591-a3a7-d3002c999e68.aspx) [New-SPTrustedSecurityTokenIssuer](http://technet.microsoft.com/library/9ab7aac9-4c9a-4cba-8dd6-ffead217c2fa.aspx) - From df2c7e5e7a7747896d57fdd3bc256d3a57959d30 Mon Sep 17 00:00:00 2001 
From: Yvan Duhamel Date: Thu, 4 Oct 2018 16:18:28 +0200 Subject: [PATCH 03/11] Replaced wrong script --- ...erver-to-server-authentication-in-sharepoint.md | 14 ++++++++------ 1 file changed, 8 insertions(+), 6 deletions(-) diff --git a/SharePoint/SharePointServer/administration/configure-server-to-server-authentication-in-sharepoint.md b/SharePoint/SharePointServer/administration/configure-server-to-server-authentication-in-sharepoint.md index 1873bb6f51..1144c38820 100644 --- a/SharePoint/SharePointServer/administration/configure-server-to-server-authentication-in-sharepoint.md +++ b/SharePoint/SharePointServer/administration/configure-server-to-server-authentication-in-sharepoint.md @@ -69,16 +69,18 @@ New-SPTrustedSecurityTokenIssuer -MetadataEndpoint "https:///_l ```powershell # Get the app principal and set required authorizations -$centralAdminWeb = Get-SPWeb "http:///" -$appPrincipal = Get-SPAppPrincipal -Site $centralAdminWeb -NameIdentifier $trustedIssuer.NameId +$mySiteHost = Get-SPSite "http:// Date: Thu, 4 Oct 2018 16:24:46 +0200 Subject: [PATCH 04/11] Fixed syntax --- ...-to-server-authentication-in-sharepoint.md | 26 +++++++++---------- 1 file changed, 12 insertions(+), 14 deletions(-) diff --git a/SharePoint/SharePointServer/administration/configure-server-to-server-authentication-in-sharepoint.md b/SharePoint/SharePointServer/administration/configure-server-to-server-authentication-in-sharepoint.md index 1144c38820..510983cec8 100644 --- a/SharePoint/SharePointServer/administration/configure-server-to-server-authentication-in-sharepoint.md +++ b/SharePoint/SharePointServer/administration/configure-server-to-server-authentication-in-sharepoint.md 
@@ -20,11 +20,10 @@ description: "Summary: Learn how to configure server-to-server authentication wh When a farm consumes the User Profile service application of a publishing farm, SharePoint issues requests using Server-to-Server authentication on behalf of the user for some features: - Follow a document on a content web application when a user's personal site is located on a web application in an external farm. The content web application makes a OAuth request to the My Sites web application on behalf of the user. - + - Create or reply to a site feed post for a site that is located on a content web application but performed through the user's My Site Newsfeed on the My Sites web application. The My Sites web application will make a request of the Team Sites web application on behalf of the user to write the post or the reply. - -- A User Profile Service application task to repopulate the feed cache has to read from the personal site or team site. If the User Profile Service application is running in a different farm, the User Profile Service application sends a request to the My Sites web application or Team Sites web application to read the user or site feed data into the cache. +- A User Profile Service application task to repopulate the feed cache has to read from the personal site or team site. If the User Profile Service application is running in a different farm, the User Profile Service application sends a request to the My Sites web application or Team Sites web application to read the user or site feed data into the cache. ## Before you begin 
@@ -38,13 +37,10 @@ To understand the procedures in this article, you should be familiar with the ba [Plan for server-to-server authentication in SharePoint Server](../security-for-sharepoint-server/plan-server-to-server-authentication.md) Verify that you are a member of the Administrators group on the servers on which you are running PowerShell cmdlets. - - - **Securityadmin** fixed server role on the SQL Server instance. - - - **db_owner** fixed database role on all databases that are to be updated. - - An administrator can use the **Add-SPShellAdmin** cmdlet to grant permissions to use SharePoint Server cmdlets. - + + - **Securityadmin** fixed server role on the SQL Server instance. + - **db_owner** fixed database role on all databases that are to be updated. + An administrator can use the **Add-SPShellAdmin** cmdlet to grant permissions to use SharePoint Server cmdlets. > [!NOTE] > If you do not have permissions, contact your Setup administrator or SQL Server administrator to request permissions. For additional information about PowerShell permissions, see [Add-SPShellAdmin](http://technet.microsoft.com/library/2ddfad84-7ca8-409e-878b-d09cb35ed4aa.aspx). @@ -58,6 +54,7 @@ The following procedure describes how to configure server-to-server authenticati 1. In a SharePoint server in the publishing farms, start the SharePoint Management Shell. 2. Register the consuming farm as a trusted issuer: + ```powershell New-SPTrustedSecurityTokenIssuer -MetadataEndpoint "https:///_layouts/<15or16>/metadata/json/1" -Name "" ``` 
@@ -65,7 +62,7 @@ New-SPTrustedSecurityTokenIssuer -MetadataEndpoint "https:///_l > [!NOTE] > This assumes that you already added the root certificate of the consuming farm to the trusted root authorities as explained in article [Exchange trust certificates between farms in SharePoint Server](/exchange-trust-certificates-between-farms). -3.Get the app principal and set required authorizations: +3. Get the app principal and set required authorizations: ```powershell # Get the app principal and set required authorizations @@ -96,7 +93,7 @@ $trustedIssuer = New-SPTrustedSecurityTokenIssuer -MetadataEndpoint "https:// [!NOTE] > This assumes that you already added the root certificate of the consuming farm to the trusted root authorities as explained in article [Exchange trust certificates between farms in SharePoint Server](/exchange-trust-certificates-between-farms). -3.Get the app principal and set required authorizations: +3. Get the app principal and set required authorizations: ```powershell # Get the app principal @@ -115,9 +112,10 @@ $mgr.AddSiteSubscriptionPermission($appPrincipal, $privateAPITypeId, [Microsoft. ## See also -#### Concepts +### Concepts [Share service applications across farms in SharePoint Server](share-service-applications-across-farms.md) -#### Other Resources + +### Other Resources [New-SPTrustedSecurityTokenIssuer](http://technet.microsoft.com/library/9ab7aac9-4c9a-4cba-8dd6-ffead217c2fa.aspx) From 0baaf94f1b4ded6f059bfcfdff77e05aa528d2eb Mon Sep 17 00:00:00 2001 From: Yvan Duhamel Date: Thu, 4 Oct 2018 16:31:23 +0200 Subject: [PATCH 05/11] Simplified script --- ...igure-server-to-server-authentication-in-sharepoint.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/SharePoint/SharePointServer/administration/configure-server-to-server-authentication-in-sharepoint.md b/SharePoint/SharePointServer/administration/configure-server-to-server-authentication-in-sharepoint.md index 510983cec8..ccabe320b3 100644 
--- a/SharePoint/SharePointServer/administration/configure-server-to-server-authentication-in-sharepoint.md +++ b/SharePoint/SharePointServer/administration/configure-server-to-server-authentication-in-sharepoint.md @@ -66,16 +66,16 @@ New-SPTrustedSecurityTokenIssuer -MetadataEndpoint "https:///_l ```powershell # Get the app principal and set required authorizations -$mySiteHost = Get-SPSite "http:// Date: Thu, 4 Oct 2018 16:38:40 +0200 Subject: [PATCH 06/11] Improved text --- ...configure-server-to-server-authentication-in-sharepoint.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/SharePoint/SharePointServer/administration/configure-server-to-server-authentication-in-sharepoint.md b/SharePoint/SharePointServer/administration/configure-server-to-server-authentication-in-sharepoint.md index ccabe320b3..704644e033 100644 --- a/SharePoint/SharePointServer/administration/configure-server-to-server-authentication-in-sharepoint.md +++ b/SharePoint/SharePointServer/administration/configure-server-to-server-authentication-in-sharepoint.md @@ -47,11 +47,11 @@ Verify that you are a member of the Administrators group on the servers on which ## Configure server-to-server authentication between publishing and consuming farms -The following procedure describes how to configure server-to-server authentication and just grant the required permissions to allow workloads to work. Each farm will keep its own authentication realm. +The following procedure describes how to configure server-to-server authentication and grant just the necessary permissions to allow social features to work. Each farm keeps its own, unique authentication realm. ### Authorize consuming farm to send OAuth requests to the publishing farm -1. In a SharePoint server in the publishing farms, start the SharePoint Management Shell. +1. In a SharePoint server in the publishing farm, start the SharePoint Management Shell. 2. Register the consuming farm as a trusted issuer: 
From 588e763a003a403f20a7dff3b595b65692551118 Mon Sep 17 00:00:00 2001 From: Yvan Duhamel Date: Thu, 4 Oct 2018 16:41:09 +0200 Subject: [PATCH 07/11] Updated text --- .../configure-server-to-server-authentication-in-sharepoint.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/SharePoint/SharePointServer/administration/configure-server-to-server-authentication-in-sharepoint.md b/SharePoint/SharePointServer/administration/configure-server-to-server-authentication-in-sharepoint.md index 704644e033..ee7e602515 100644 --- a/SharePoint/SharePointServer/administration/configure-server-to-server-authentication-in-sharepoint.md +++ b/SharePoint/SharePointServer/administration/configure-server-to-server-authentication-in-sharepoint.md @@ -82,7 +82,7 @@ $mgr.AddSiteSubscriptionPermission($appPrincipal, $socialPermissionProviderId, [ ### Authorize publishing farm to send OAuth requests to the consuming farm -1. In a SharePoint server in the publishing farms, start the SharePoint Management Shell. +1. In a SharePoint server in the consuming farm, start the SharePoint Management Shell. 2. Register the farm running User Profile service application as a trusted issuer: From 7198122cb8796a13c75fc1d2f3aca589b0c0635f Mon Sep 17 00:00:00 2001 From: Yvan Duhamel Date: Thu, 4 Oct 2018 17:21:38 +0200 Subject: [PATCH 08/11] Updated text --- ...configure-server-to-server-authentication-in-sharepoint.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/SharePoint/SharePointServer/administration/configure-server-to-server-authentication-in-sharepoint.md b/SharePoint/SharePointServer/administration/configure-server-to-server-authentication-in-sharepoint.md index ee7e602515..357f881783 100644 --- a/SharePoint/SharePointServer/administration/configure-server-to-server-authentication-in-sharepoint.md +++ b/SharePoint/SharePointServer/administration/configure-server-to-server-authentication-in-sharepoint.md 
@@ -56,7 +56,7 @@ The following procedure describes how to configure server-to-server authenticati 2. Register the consuming farm as a trusted issuer: ```powershell -New-SPTrustedSecurityTokenIssuer -MetadataEndpoint "https:///_layouts/<15or16>/metadata/json/1" -Name "" +New-SPTrustedSecurityTokenIssuer -MetadataEndpoint "https:///_layouts/<15or16>/metadata/json/1" -Name "" ``` > [!NOTE] @@ -87,7 +87,7 @@ $mgr.AddSiteSubscriptionPermission($appPrincipal, $socialPermissionProviderId, [ 2. Register the farm running User Profile service application as a trusted issuer: ```powershell -$trustedIssuer = New-SPTrustedSecurityTokenIssuer -MetadataEndpoint "https:///_layouts/<15or16>/metadata/json/1" -Name "" +$trustedIssuer = New-SPTrustedSecurityTokenIssuer -MetadataEndpoint "https:///_layouts/<15or16>/metadata/json/1" -Name "" ``` > [!NOTE] From a3dd67cb61eefc1176ca567bcd283e31e1f8ff21 Mon Sep 17 00:00:00 2001 From: Kaarin Shumate Date: Thu, 4 Oct 2018 11:31:24 -0700 Subject: [PATCH 09/11] Updated build info to clarify (customer feedback) --- OneDrive/use-group-policy.md | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-) diff --git a/OneDrive/use-group-policy.md b/OneDrive/use-group-policy.md index 3e3462e236..1093775baf 100644 --- a/OneDrive/use-group-policy.md +++ b/OneDrive/use-group-policy.md @@ -213,6 +213,9 @@ Enabling this policy sets the following registry key. This setting displays the "Set up protection of important folders" window that prompts users to move their Documents, Pictures, and Desktop folders to OneDrive. + +> [!NOTE] +> This setting is available in the OneDrive sync client build 18.111.0603.0004 or later. ![OneDrive folder protection start panel](media/ebf0a858-d89f-47f0-8f78-4192a95944f0.png) 
@@ -229,9 +232,10 @@ Enabling this policy sets the following registry key: ### Silently move Windows known folders to OneDrive -In the sync client build 18.171.0823.0001 or later, this setting lets you redirect and move your users' Documents, Pictures, and Desktop folders to OneDrive without user interaction. +Use this policy to redirect your users' Documents, Pictures, and Desktop folders to OneDrive without any user interaction. This setting is available in the OneDrive sync client build 18.111.0603.0004 or later. Before sync client build 18.171.0823.0001, this policy redirected only empty known folders to OneDrive. Now, it redirects known folders that contain content and moves the content to OneDrive. -For previous sync client builds, this setting lets you silently redirect the folders to OneDrive, but not move any folder contents. In these previous builds, the setting works only when all known folders are empty, and on folders redirected to a different OneDrive account. We therefore recommend using this setting together with "Prompt users to move Windows known folders to OneDrive" for previous builds. +> [!NOTE] +> If you're using this setting with a build earlier than 18.171.0823.0001, we recommend also enabling "Prompt users to move Windows known folders to OneDrive." If you enable this setting and provide your tenant ID, you can choose whether to display a notification to users after their folders have been redirected. @@ -253,6 +257,9 @@ Setting this value to 1 displays a notification after successful redirection. This setting forces users to keep their Documents, Pictures, and Desktop folders directed to OneDrive. + +> [!NOTE] +> This setting is available in the OneDrive sync client build 18.111.0603.0004 or later. If you enable this setting, the "Stop protecting" button in the "Set up protection of important folders" window will be disabled and users will receive an error if they try to stop syncing a known folder. 
From de3285e142bf31741eacb958b81483f5f44af6fc Mon Sep 17 00:00:00 2001 From: Kaarin Shumate Date: Thu, 4 Oct 2018 18:02:35 -0700 Subject: [PATCH 10/11] Updates for new features in Targeted Release --- .../what-s-new-in-admin-center.md | 27 +++++++++---------- 1 file changed, 13 insertions(+), 14 deletions(-) diff --git a/SharePoint/SharePointOnline/what-s-new-in-admin-center.md b/SharePoint/SharePointOnline/what-s-new-in-admin-center.md index 73dbf2a599..c8405c493c 100644 --- a/SharePoint/SharePointOnline/what-s-new-in-admin-center.md +++ b/SharePoint/SharePointOnline/what-s-new-in-admin-center.md @@ -3,7 +3,6 @@ title: "What's new in the SharePoint admin center" ms.author: kaarins author: kaarins manager: pamgreen -ms.date: 6/1/2018 ms.audience: Admin ms.topic: reference ms.service: sharepoint-online @@ -14,7 +13,7 @@ search.appverid: - BSA160 - MET150 ms.assetid: 317eed2b-d266-4c4c-9a37-1aceed9db567 -description: "We're continuously adding new features to the new SharePoint admin center (preview) and fixing issues we learn about. Here's a summary of what's included, and what's coming up. You can help us improve the admin center by sending us your suggestions and reporting bugs you encounter. In the lower-right corner of the admin center, click the Feedback button." +description: "Learn about the features currently in the new SharePoint admin center, and those coming soon." --- # What's new in the SharePoint admin center 
@@ -32,11 +31,11 @@ We're continuously adding new features to the new SharePoint admin center (previ - Links to the Microsoft 365 admin center for detailed reports, message center posts, and service health info -- Links to the OneDrive admin center and classic SharePoint admin center +- Links to the OneDrive admin center, SharePoint Migration Tool, and classic SharePoint admin center - A geo location selector for organizations that have set up Multi-Geo in OneDrive and SharePoint - **Site management page** + **Active sites page** - A list that includes the new types of sites that users create: team sites that belong to Office 365 groups and communication sites @@ -56,15 +55,19 @@ We're continuously adding new features to the new SharePoint admin center (previ - The ability to select multiple sites and email site admins - **Recycle bin page** + **Deleted sites page** - A list of deleted sites with time deleted -- The ability to restore sites individually +- The ability to restore sites (except those connected to an Office 365 group) individually **Settings page** - Settings for list and library experience, sync (if your organization used the previous sync client), and notifications + + **API management page** + +- The ability to view pending and approved web API permissions and approve or reject access requests ## Coming soon 
@@ -74,25 +77,21 @@ Here's a short list of some of the larger features we're working on. Use the Fee - Improved design for mobile - **Site management page** + **Active sites page** - Grouping - More batch operations -- The ability to specify the primary admin when creating communication sites and sites that belong to an Office 365 group - - The ability to view and update Office 365 group owners, and delete sites that belong to an Office 365 group -- The ability to delete sites created by another admin - - **Recycle bin page** + **Deleted sites page** - Batch restore -- The ability to delete (purge) +- The ability to permanently delete sites - **Sharing and device access** + **Sharing and Access control** - New pages for organization-wide settings From e13faaa586eb92f0408c7b3b7c5106372092d8ba Mon Sep 17 00:00:00 2001 From: Kaarin Shumate Date: Thu, 4 Oct 2018 18:04:46 -0700 Subject: [PATCH 11/11] One more I missed --- SharePoint/SharePointOnline/what-s-new-in-admin-center.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/SharePoint/SharePointOnline/what-s-new-in-admin-center.md b/SharePoint/SharePointOnline/what-s-new-in-admin-center.md index c8405c493c..b64a4e1e81 100644 --- a/SharePoint/SharePointOnline/what-s-new-in-admin-center.md +++ b/SharePoint/SharePointOnline/what-s-new-in-admin-center.md @@ -44,6 +44,8 @@ We're continuously adding new features to the new SharePoint admin center (previ - Extensive site info and insights such as site name, template, file and sharing info, and date created and modified - The ability to sort, filter, and customize columns, as well as search by all text fields + +- The ability to view and filter by hub site association - Built-in views and the ability to create custom views
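
Review bot: In [PATCH 02/11], hunk @@ -10,42 +10,34 @@, the feature bullets mix old and new terminology: the second bullet now opens with "a content web application" but its second sentence still says the My Sites web application "will make a request of the Team Sites web application", and the unchanged third bullet also keeps "Team Sites web application". Use one term throughout. The added line in the first bullet reads "makes a OAuth request" and should be "an OAuth request". The new link target `/share-service-applications-across-farms` is root-relative with no `.md`, while the See also section links the same article as `share-service-applications-across-farms.md`; use the same relative form in both places.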
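
Review bot: In [PATCH 02/11], hunk @@ -55,83 +47,69 @@, step 2 under "Authorize consuming farm to send OAuth requests to the publishing farm" runs New-SPTrustedSecurityTokenIssuer without storing the result, but step 3 passes `$trustedIssuer.NameId` to Get-SPAppPrincipal, so in a fresh shell that variable is empty. Assign it as the second section does (`$trustedIssuer = New-SPTrustedSecurityTokenIssuer ...`); [PATCH 08/11] edits the same line and still omits the assignment. Two further points in the same hunk: the NOTE under "Authorize publishing farm to send OAuth requests to the consuming farm" repeats "root certificate of the consuming farm", although that section registers the farm running the User Profile service application as the issuer, and the second script hard-codes `http://sp:5000/` where the first leaves the host as a placeholder. Since the commit message presents this procedure as setting only the permissions actually required, please also state in the text what the GUID a2ccc2e2-1703-4bd9-955f-77b2550d6f0d identifies and why the Manage right together with -EnableAppOnlyPolicy is needed.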
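
Review bot: In [PATCH 09/11], hunk @@ -229,9 +232,10 @@ of OneDrive/use-group-policy.md, the rewritten "Silently move Windows known folders to OneDrive" paragraph loses two conditions from the removed text: that in earlier builds the setting works only when all known folders are empty, and that it also works on folders redirected to a different OneDrive account. The new wording "redirected only empty known folders" can be read as per-folder behaviour. If those conditions still hold for builds before 18.171.0823.0001, keep them in the NOTE. Two build numbers (18.111.0603.0004 and 18.171.0823.0001) now sit in adjacent sentences, so stating which behaviour starts at which build in one sentence would be clearer.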
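
Review bot: In [PATCH 10/11], hunk @@ -3,7 +3,6 @@ of what-s-new-in-admin-center.md, `ms.date: 6/1/2018` is deleted rather than updated, which leaves a "what's new" article with no date in its front matter. If the removal is not deliberate, set the field to the date of this update instead.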
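
Review bot: In [PATCH 10/11], hunk @@ -74,25 +77,21 @@, two "Coming soon" items are removed ("The ability to specify the primary admin when creating communication sites and sites that belong to an Office 365 group" and "The ability to delete sites created by another admin"), but no added line in this patch or in [PATCH 11/11] lists them among the current features. Confirm whether they shipped, and if so add them under the Active sites page list. The new heading "Sharing and Access control" also mixes capitalisation with the sentence-case "Active sites page" and "Deleted sites page" headings introduced in the same patch.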