Updates from: 03/13/2024 12:28:12
Service Microsoft Docs article Related commit history on GitHub Change details
SharePoint Change History Report https://github.com/MicrosoftDocs/OfficeDocs-SharePoint/commits/public/SharePoint/SharePointOnline/change-history-report.md
Previously updated : 02/14/2024 Title: "Create change history reports for SharePoint sites" Last updated : 03/12/2024
+ Title: "Create change history reports"
recommendations: true
description: "Learn how to create and view SharePoint site change history reports in SharePoint admin center."
-# Create change history reports for SharePoint sites
+# Create change history reports
[!INCLUDE[Advanced Management](includes/advanced-management.md)]
-You can create change history reports in the [SharePoint admin center](get-started-new-admin-center.md) to review SharePoint site property changes made within the last 180 days.
+You can create custom change history reports in the [SharePoint admin center](get-started-new-admin-center.md) to review CSV reports of site actions or organization setting changes made within the last 180 days.
-Create up to five reports for a given date range and filter by sites and users. You can download the report as a .csv file to view the site property changes.
+Change history reports can increase visibility and let you monitor changes made to the SharePoint configuration across various levels of your organization.
+Create up to 10 reports that track what changed, when it happened, and who initiated the change across the site and organization settings.
-> [!TIP]
-> You can export data for up to 180 days with a change history report depending on the user license. The report may contain data for users that go back 180 days as well as data for others that donΓÇÖt. Since the type of user license isnΓÇÖt shown on the report, it may appear as if data is missing for some users.
-
-> [!NOTE]
-> Admins assigned the [global reader role](/microsoft-365/admin/add-users/about-admin-roles?view=o365-worldwide&preserve-view=true%3Do365-worldwide) do not have the permissions to create or delete a report but can download to review the changes.
## Requirements
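Review bot: the `description:` front matter (`description: "Learn how to create and view SharePoint site change history reports in SharePoint admin center."`) still scopes the page to site reports, while the new title and intro now cover organization settings as well; update it to something like "Learn how to create and view change history reports for SharePoint sites and organization settings in the SharePoint admin center." Also, the TIP about the 180-day export window and the NOTE about global readers are removed in this hunk; if they are meant to move rather than go, the global-reader note applies to every report type and belongs next to these requirements rather than under a preview-only subsection.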
To access and use this feature, your organization must have the following subscr
## Create a change history report
-1. To create a change history report, go to the **Change history** page and select **Create new report**.
+1. To create a change history report, go to the **Change history** page and select **New report**.
-2. A panel appears where you can specify the type of information you want to include in your change history report. Select **Create report** to generate a new report.
+2. Choose the type of report you want to generate and select **Site settings/Organization settings**.
-3. The new report is listed on the change history page. Select the report to open the change history report panel and monitor its status.
+3. A panel appears where you can specify the type of information you want to include in your change history report. Select **Create report** to generate a new report.
-4. Once the report is created, select **Download report** to export the data as a .csv file. The **Create a copy** button allows you to create more reports with similar parameters.
+4. The new report is listed on the change history page. Select the report to open the change history report panel and monitor its status.
- :::image type="content" source="media/4-change-history-report-downloaded.png" alt-text="Screenshot of a change report downloaded as .csv file.":::
+5. Once the report is created, select **Download report** to export the data as a CSV file. The **Create a copy** button allows you to create more reports with similar parameters.
> [!NOTE]
-> The report will take hours to generate depending on the search criteria selected when creating the report.
+> The report will take a few hours to generate depending on the search criteria selected when creating the report.
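Review bot: the new step 2 ("Choose the type of report you want to generate and select **Site settings/Organization settings**.") reads as if there were a single control named "Site settings/Organization settings"; write it as a choice, e.g. "Select the type of report you want: **Site settings** or **Organization settings**." The renumbering of steps 3 to 5 matches the new flow, but the screenshot of the downloaded CSV was dropped without a replacement, so step 5 no longer has a visual; add an updated one or drop it deliberately. The NOTE's "a few hours" is still vague; if there is a known upper bound for report generation, state it.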
## View a change history report To view change history reports, expand **Reports** and select **Change history**.
-You can create new reports, delete, and refresh their statuses from the change history page. This page can only show five reports at a time. The best practice is to delete a previous report before creating a new one.
+You can create new reports, delete, and refresh their statuses from the change history page. This page can only show 10 reports at a time. The best practice is to delete a previous report before creating a new one.
++
+## Reporting
+
+### Site settings report
+
+Generate a site settings report for a given date range and filter by sites and users. You can download the report as a CSV file to view the site property changes. All site actions performed by Site administrators, Global administrators, and SharePoint administrators are captured in the report.
+
+### Audited organization settings (preview)
+
+> [!NOTE]
+> Audited organization settings reports are available in public preview. The trackable [organizations settings table](#organization-settings) is listed further in this article.
+
+You can also generate an organization settings report to track changes made to organization settings from the SharePoint Admin Center. You can generate these reports for custom date ranges while filtering for specific users of interest. A best practice is to review the downloaded reports to ensure there are no deviations in settings from the desired state.
+
+Any changes made to the following organization settings are reflected in the reports. We're continuously working to bring more settings under the ambit of these reports.
+
+> [!TIP]
+> You can export data for up to 180 days with a change history report depending on the user license. The report may contain data for users that go back 180 days as well as data for others that donΓÇÖt. Since the type of user license isnΓÇÖt shown on the report, it may appear as if data is missing for some users.
+
+> [!NOTE]
+> Admins assigned the [global reader role](/microsoft-365/admin/add-users/about-admin-roles?view=o365-worldwide&preserve-view=true%3Do365-worldwide) do not have the permissions to create or delete a report, but can download to review the changes.
+
+#### Organization settings
+
+The table lists the latest set of supported settings found under the **Settings** node:
+
+|Name|Description|
+|||
+|**SharePoint Pages**|Allow commenting on modern pages|
+|**SharePoint Site creation**|Users can create SharePoint site, Create teams sites under, Default time zone|
+|**OneDrive Sync**|Show Sync button on the OneDrive website|
+|**SharePoint Version history limits**|Set version history limits|
+
+#### Access control settings
+
+The table lists the latest set of supported settings found in **Policies** under the **Access control** node:
+
+|Name|Description|
+|||
+|**Unmanaged devices**|Restrict access from devices that arenΓÇÖt compliant or joined to a domain|
+|**Idle session sign out**|Automatically sign out users from inactive browser sessions|
+|**Network location**|Allow access only from specific IP addresses|
+|**Apps that don't use modern authentication**|Block access from Office 2010 and other apps that can't enforce device-based restrictions|
+|**OneDrive access restriction**|Restrict access to OneDrive content by security group|
+
+#### Sharing settings
+
+The table lists the latest set of supported settings found in **Policies** under the **Sharing** node:
+|Name|Description|
+|||
+|**External Sharing**|Content can be shared with, more external sharing settings|
+|**File and folder settings**|Choose the type of link selected by default when users share files and folders in SharePoint and OneDrive, Choose the permission selected by default for sharing links, Choose who can access files with the URL to a file copied from the browser address bar|
-## Related articles
+## Related topics
[Microsoft Syntex - SharePoint Advanced Management overview](advanced-management.md)
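Review bot: the three new tables use `|||` as their delimiter row, which Markdown pipe tables do not accept (the second row has to contain dashes, e.g. `|---|---|`), so the Organization settings, Access control settings and Sharing settings tables will render as plain text rather than tables. The Sharing settings table also lacks the blank line between the lead-in sentence and `|Name|Description|` that the other two tables have. Separately, the NOTE that global readers can download but not create or delete reports is now nested under "Audited organization settings (preview)" although it applies to site settings reports as well; move it up to section level. Minor: the apostrophes in "don't", "isn't" and "aren't" render as "ΓÇÖ" in this report, so confirm the file is saved as UTF-8 or use plain ASCII apostrophes.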
SharePoint Sharepoint Copilot Best Practices https://github.com/MicrosoftDocs/OfficeDocs-SharePoint/commits/public/SharePoint/SharePointOnline/sharepoint-copilot-best-practices.md
- M365-collaboration
+- m365copilot
- Tier2 - seo-marvel-apr2020
Microsoft Copilot for Microsoft 365 provides value by connecting Large Language
Copilot for Microsoft 365 only surfaces organizational data to which individual users have *at least view permissions*. It's important to use the permission models in SharePoint to ensure the right users or groups have the right access to the right content within your organization. This article provides guidance and best practices that you, as a SharePoint administrator, can take control of the SharePoint permissions model before your organization [enable Copilot for Microsoft 365 for your users](/microsoft-365-copilot/microsoft-365-copilot-enable-users). - ## Before enabling Copilot for Microsoft 365 Organizations operate at various levels of maturity in governing SharePoint data. While some enterprises strictly monitor permissions and oversharing of content, others don't. The situation is further complicated because many enterprises have legitimate reasons to share "some" data widely within the organization. Sometimes, end users in your organization make choices that result in the oversharing of SharePoint content. As an example, it's noticed that end users don't always pay attention to the permissions of the site/library/folder where they're uploading files. They may end up uploading or saving business critical content in locations where other users may have access and may include external users. It's also observed that some end users tend to prefer sharing files in SharePoint with large groups rather than with individuals. This practice can result in oversharing. Copilot for Microsoft 365 utilizes all data that a user has access to, which may include broadly shared files that the user is unaware of. As a result, users might see Copilot for Microsoft 365 as exposing content that was overshared.
-To identify and remediate overshared content in SharePoint, follow these best practices:
+To identify and remediate overshared content in SharePoint, follow these best practices.
> [!Note] >
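Review bot: changing the colon to a period in "To identify and remediate overshared content in SharePoint, follow these best practices." removes the lead-in to the note and steps that follow it; keep the colon. The surrounding context sentence has two grammar problems worth fixing in the same pass: "best practices that you, as a SharePoint administrator, can take control of the SharePoint permissions model" should read "best practices so that you, as a SharePoint administrator, can take control of the SharePoint permissions model", and "before your organization enable Copilot" should be "enables".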
To identify and remediate overshared content in SharePoint, follow these best pr
- Consider hiding broad-scope permissions from your end users to reduce risks around accidental misuse. [This example](/powershell/module/sharepoint-online/set-spotenant#example-2) hides the "Everyone Except External Users" in the People Picker control so that no end user can use it. - Consider [adopting sharing best practices](/microsoft-365/solutions/microsoft-365-limit-sharing) like changing sharing link defaults from companywide sharing to specific people links.
-### Step 2: Identify inactive sites, then restrict access or delete
+### Step 2: Identify inactive sites, then restrict access or delete
-Reduce your surface area for potentially overshared content by identifying SharePoint sites that have been inactive for a long time. See how you can easily do that via the [Inactive Site Policies](/sharepoint/site-lifecycle-management#create-an-inactive-site-policy) in SharePoint Advanced Management.
+Reduce your surface area for potentially overshared content by identifying SharePoint sites that have been inactive for a long time. See how you can easily do that via the [Inactive Site Policies](/sharepoint/site-lifecycle-management#create-an-inactive-site-policy) in SharePoint Advanced Management.
You can then lock down permissions on these sites via the Restricted Access Control policy. You can also consider deleting these sites. ### Step 3: Identify potentially overshared content
You can then lock down permissions on these sites via the Restricted Access Cont
A SharePoint admin can run reports in the SharePoint Admin Center to discover broad sharing activity happening over the last month. [SharePoint Advanced ManagementΓÇÖs](/sharepoint/advanced-management) new [data access governance reports](/sharepoint/data-access-governance-reports) can help here. A SharePoint admin can run reports on: - Usage of "Everyone Except External Users" in the last 28 days-- Usage of 'broad organization-wide sharing links' in the last 28 days-- Usage of "Everyone" sharing links in the last 28 days
+- Usage of broad org-wide "People in \<your organization\>" sharing in the last 28 days
+- Usage of "Anyone" sharing links in the last 28 days
These reports can be downloaded as CSV files. You can also build your own report by using [Microsoft Graph Data Connect for SharePoint](/graph/data-connect-datasets#onedrive-and-sharepoint-online).
+> [!Note]
+>
+> Reports on "Everyone Except External Users" is currently (March 2024) in private preview.Use [this link](https://aka.ms/DAGPreviewSignUp) to sign up.
### Step 4: Take remediation actions to address oversharing
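Review bot: the new NOTE line "Reports on "Everyone Except External Users" is currently (March 2024) in private preview.Use [this link]..." needs subject-verb agreement ("The report on ... is" or "Reports ... are"), a space after "preview.", and the hard-coded "(March 2024)" will go stale as soon as the preview ends; say "currently in private preview" and let the page's last-updated date carry the timing. The two replacement bullets ("People in \<your organization\>" sharing and "Anyone" sharing links) read better than the removed ones, but since the first bullet in the list is unchanged, make sure all three now use the same quoting style for the link-type names.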
Once you have identified the SharePoint sites with potential oversharing issues,
- Use [Restricted Access Control](/sharepoint/restricted-access-control) to proactively protect against oversharing. -- Consider blocking downloads from selected sites via [a block download policy](/sharepoint/block-download-from-sites). Or specifically block the download of [Teams meetings recordings](/microsoftteams/block-download-meeting-recording).
+- Consider blocking downloads from selected sites via [a block download policy](/sharepoint/block-download-from-sites). Or specifically block the download of [Teams meetings recordings](/microsoftteams/block-download-meeting-recording).
- Finally, consider applying encryption action with "extract rights" enforced on business-critical office documents. Learn more [here](/purview/ai-microsoft-purview).
SharePoint Configure Ocv https://github.com/MicrosoftDocs/OfficeDocs-SharePoint/commits/public/SharePoint/SharePointServer/administration/configure-ocv.md
Title: "Configure the One Customer Voice (OCV) feedback" -+ Last updated 6/14/2023 audience: ITPro
description: "Learn how to configure the One Customer Voice (OCV) feedback."
[!INCLUDE[appliesto-xxx-xxx-xxx-SUB-xxx-md](../includes/appliesto-xxx-xxx-xxx-SUB-xxx-md.md)]
+> [!Note]
+> The One Customer Voice (OCV) feature is now available in the SharePoint Server Subscription Edition Version 24H1 feature update. This feature is only available in the *Early release* feature release ring. For more information, see [Feature release rings](feature-release-rings.md).
+ Microsoft aspires to bring the best possible experiences for users around the world through its innovative product offerings. Play a key role in helping Microsoft build the features that you need as we develop our products or services.
-SharePoint Server uses One Customer Voice (OCV) as our 1st-party solution to collect customer feedback from the farm administrators. Your feedback goes directly to our engineers and helps us shape the future of SharePoint Server and services for our users.
+SharePoint Server uses One Customer Voice (OCV) as our 1st-party solution to collect customer feedback from the farm administrators. The SharePoint Server asks farm administrators to provide feedback through an OCV pop-up dialog when each admin launches the Central Administration page either locally or remotely through a browser. Your feedback goes directly to our engineers and helps us shape the future of SharePoint Server and services for our users.
+
+As of now, this survey is a two question survey, which automatically shows up based on the following rules:
+
+- The first survey pops up every two weeks after a farm administrator visits the Central Administration site for the first time after the update is installed. The admin sees the following survey dialog:
+
+ :::image type="content" source="../media/feedback-microsoft-ocv.png" alt-text="Screenshot that shows the feedback to Microsoft survey.":::
+
+- The survey shows up again after six months, if the administrator completes the survey.
+- The survey pops up every two weeks until it's completed by the administrator.
+
+> [!Note]
+> By default, this feature is enabled.
+
+For more information on how to disable this feature for the farm administrators or specific users, see:
+
+- [To disable OCV feedback for current Farm Administrator](#to-disable-ocv-feedback-for-current-farm-administrator)
+- [To disable OCV feedback for current Farm](#to-disable-ocv-feedback-for-current-farm)
You can disable or enable the OCV feedback function using one of the following options:
-## To disable OCV feedback for current Farm Administrator
+## To disable OCV feedback for current Farm Administrator
1. Use the following cmdlet in SharePoint Management Shell to get to the current admin Sid:
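Review bot: the three bullets describing when the survey appears overlap and partly contradict each other: the first says it "pops up every two weeks after a farm administrator visits the Central Administration site for the first time", the third says it "pops up every two weeks until it's completed", and the second says it "shows up again after six months, if the administrator completes the survey". Rewrite them as one timeline: first shown two weeks after the administrator's first Central Administration visit following the update; repeated every two weeks until completed; once completed, shown again after six months. Also, because the dialog is shown to administrators opening Central Administration "locally or remotely through a browser" and the feedback "goes directly to our engineers", document what is transmitted and to which endpoint, and whether the farm needs outbound Internet access for it; that is the first question a reviewer of an on-premises farm asks before leaving a feature that is "enabled by default" switched on. Minor: "two question survey" should be "two-question survey", and "The SharePoint Server asks" should be "SharePoint Server asks".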
You can disable or enable the OCV feedback function using one of the following o
$user = Get-SPUser -Identity 'contoso\domain_admin' -Web http://spse-sps:5000 ```
- 2. Use the following cmdlet to disable the OCV for current admin:
+ 2. Use the following cmdlet to disable the OCV for current admin:
```
- Disable-OCVForUser -UserSid $user.Sid
+ Disable-SPCustomerFeedbackForUser -UserSid $user.Sid
```
-This `$user` is obtained from Step 1.
+This `$user` is obtained from Step 1.
## To enable OCV feedback for current Farm Administrator
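Review bot: the rename to `Disable-SPCustomerFeedbackForUser` is consistent with the farm-level cmdlets below, but the fenced blocks still carry no language tag; tag them as PowerShell so they get highlighting and can be picked out by tooling. Step 1's "to get to the current admin Sid" should read "to get the current administrator's SID", and the `-Identity 'contoso\domain_admin'` and `-Web http://spse-sps:5000` values should be called out as placeholders; an `http://` Central Administration URL in an example invites copying, so prefer `https://`.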
This `$user` is obtained from Step 1.
2. Use the following cmdlet to enable the OCV for current admin: ```
- Enable-OCVForUser -UserSid $user.Sid
+ Enable-SPCustomerFeedbackForUser -UserSid $user.Sid
``` This `$user` is obtained from Step 1.
This `$user` is obtained from Step 1.
Use the following cmdlet to disable OCV feedback for current farm: ```
- Disable-OCVForFarm
+ Disable-SPCustomerFeedbackForFarm
``` ## To enable OCV feedback for current Farm
Use the following cmdlet to disable OCV feedback for current farm:
Use the following cmdlet to enable OCV feedback for current farm: ```
- Enable-OCVForFarm
- ```
-
-
-
-
-
-
+ Enable-SPCustomerFeedbackForFarm
+ ```
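Review bot: the per-user and per-farm cmdlets are documented in isolation; state how they interact, i.e. whether `Enable-SPCustomerFeedbackForUser` for one administrator has any effect while `Disable-SPCustomerFeedbackForFarm` is in force, and whether a per-user setting survives a later farm-level enable or disable. Without that, an administrator who switched the prompt off farm-wide for compliance reasons cannot tell from this page whether a per-user enable re-opens it. Removing the trailing blank lines is fine.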
SharePoint How To Add A Custom Search Vertical To Your Search Results Page https://github.com/MicrosoftDocs/OfficeDocs-SharePoint/commits/public/SharePoint/SharePointServer/search/how-to-add-a-custom-search-vertical-to-your-search-results-page.md
description: "Learn how to add a custom search vertical to your results page in
# How to add a custom search vertical to your search results page in SharePoint Server [!INCLUDE[appliesto-2013-2016-2019-SUB-xxx-md](../includes/appliesto-2013-2016-2019-SUB-xxx-md.md)] +
+> [!NOTE]
+> Custom search verticals are available in both the modern search result experience and the classic search result experience, starting with SharePoint Server Subscription Edition Version 24H1. In previous versions of SharePoint Server, custom search verticals were only available in the classic search result experience.
-In the previous article in this series, [How to add refiners to your search results page in SharePoint Server](how-to-add-refiners-to-your-search-results-page.md), we showed you how to add and configure refiners for your classic search results page. In this article you'll learn:
+In the previous article in this series, [How to add refiners to your search results page in SharePoint Server](how-to-add-refiners-to-your-search-results-page.md), we showed you how to add and configure refiners for your search results page. In this article you'll learn:
- [Using a search vertical in an everyday situation](how-to-add-a-custom-search-vertical-to-your-search-results-page.md#BKMK_UsingaSearchVerticalinanEverydaySituation)
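Review bot: the new NOTE says custom verticals work in the modern search results experience from Subscription Edition Version 24H1, but the walkthrough that follows (results.aspx, peopleresults.aspx, the Search Results Web Part) is classic-only, and dropping "classic" from the refiners sentence makes that less clear rather than more. Either keep "classic" in the walkthrough and add a sentence saying that the modern experience picks up the same search navigation links, or add a modern-specific step. The NOTE should also link to the feature release ring information for 24H1 the way the OCV article on this page does.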
Suppose you enjoy skiing, so you often search for ski-related content. When you
![Search Vertical Web](../media/OTCSP_WebSki.png)
-You are delighted to see there is much information out there about skiing, but in this case, you are just looking for great ski pictures. This is where search verticals can be used.
+You're delighted to see there's much information out there about skiing, but in this case, you're just looking for great ski pictures. This is where search verticals can be used.
-On the same search results page, you click **IMAGES**, and in an instant your screen is filled with images of people in colorful clothing, racing down white slopes while bathing in sunshine from a clear blue sky. Wow!
+On the same search results page, you select **IMAGES**, and in an instant your screen is filled with images of people in colorful clothing, racing down white slopes while bathing in sunshine from a clear blue sky. Wow!
![Search Vertical Images](../media/OTCSP_ImagesSki.png)
-When you click **IMAGES**, you are using a search vertical. Bing has five search verticals: **WEB**, **Images**, **VIDEOS** **Maps**, and **NEWS**.
+When you select **IMAGES**, you're using a search vertical. Bing has five search verticals: **WEB**, **Images**, **VIDEOS** **Maps**, and **NEWS**.
![Five Search Verticals](../media/OTCSP_BingVerticals.png)
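Review bot: "Bing has five search verticals: **WEB**, **Images**, **VIDEOS** **Maps**, and **NEWS**." is missing the comma after **VIDEOS** and mixes capitalization (**Images** against **WEB**, **VIDEOS**, **NEWS**); the click-to-select sweep on the other lines is fine.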
In SharePoint Server, search verticals are displayed in the **Search Navigation
![Four Default Search Verticals](../media/OTCSP_DefaultSPSearchVerticals.png)
-When users click one of these search verticals, it will in fact move to a new page. For example, the default search results page, the **Everything** search vertical, uses the **results.aspx** page.
+When users select one of these search verticals, it will in fact move to a new page. For example, the default search results page, the **Everything** search vertical, uses the **results.aspx** page.
![Everything Page](../media/OTCSP_EverythingPage.png)
-When a user clicks on the **People** search vertical, they navigate to the **peopleresults.aspx** page.
+When a user selects the **People** search vertical, they navigate to the **peopleresults.aspx** page.
![People Page](../media/OTCSP_PeoplePage.png)
The default vertical pages all use these Web Parts:
4. Search Results Web Part
-The difference between these pages is how the **Search Results Web Part** is configured. To be specific: the Web Parts are configured to use different *result sources* .
+The difference between these pages is how the **Search Results Web Part** is configured. To be specific: the Web Parts are configured to use different *result sources*.
## Result sources - why setting limits is a good thing <a name="BKMK_ResultSourcesWhySettingLimitsisaGoodThing"> </a>
In our internal search center scenario, all search results are list items that r
But, before we could begin to create these search verticals, we had to create one result source for each custom search vertical. We showed you how to create a result source in [How to create a result source](how-to-configure-the-search-results-web-part-to-use-a-new-result-source.md#BKMK_HowtoCreateaResultSource).
-This is how we defined the *Art result source* .
+This is how we defined the *Art result source*.
![Art Result Type Query](../media/OTCSP_ArtResultTypeQuery.png) Remember, `{searchTerms?}(contentclass:sts_listitem) path:http://<path>` was the query text of the Article result source that we created earlier. To this, we added `AND ContentType:Art`
-In our lists, we use the site column *Content Type* to specify the different media files. For example, all images have the value *Art* for *Content Type* .
+In our lists, we use the site column *Content Type* to specify the different media files. For example, all images have the value *Art* for *Content Type*.
![Content Type:Art](../media/OTCSP_ContentTypeArt2.png)
When you create a custom search vertical, the first thing that you must do is to
![Create Page](../media/OTCSP_NewArtPage.png)
-5. Click **Create**.
+5. Select **Create**.
Your new page is displayed in your **Pages** library.
When you create a custom search vertical, the first thing that you must do is to
Now that you have a page for your custom search vertical, you can begin to create the actual search vertical. Here's what you should do:
-6. On the **Site Settings** page, click **Search Settings**.
+6. On the **Site Settings** page, select **Search Settings**.
![Search Settings](../media/OTCSP_SearchSettings.png)
-7. On the **Search Settings** page, in the **Configure Search Navigation** section, click **Add Link**.
+7. On the **Search Settings** page, in the **Configure Search Navigation** section, select **Add Link**.
![Configure Search Navigation](../media/OTCSP_AddLink.png)+
+ > [!IMPORTANT]
+ > Deleting default search navigation items will only take effect in the classic search results page, but not in the modern search results page.
8. In the **Navigation Link** dialog, in the **Title** field, enter the search vertical title. This text will appear as the "tab" name on your search results page.
- In our scenario, we entered *Art* .
+ In our scenario, we entered *Art*.
![Navigation Title](../media/OTCSP_NavigationTitle.png)
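Review bot: the new IMPORTANT note ("Deleting default search navigation items will only take effect in the classic search results page, but not in the modern search results page.") contradicts the expectation set by step 11 further down, which tells readers to delete the **People**, **Conversations** and **Videos** verticals so that they are "only left with the **Everything** and the **Art** search vertical"; on a modern results page those defaults will still be shown. Add a sentence to step 11 (or to this note) saying what modern users will see and whether the default verticals can be hidden there at all. Also drop the redundant "but not" ("will only take effect in the classic search results page, not in the modern search results page").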
When you create a custom search vertical, the first thing that you must do is to
![URL Art](../media/OTCSP_URLArt.png)
-10. Click **OK** to close the **Navigation Link** dialog.
+10. Select **OK** to close the **Navigation Link** dialog.
-11. On the **Search Settings** page, in the **Configure Search Navigation** section, select the search verticals that you don't want to display, and then click **Delete**.
+11. On the **Search Settings** page, in the **Configure Search Navigation** section, select the search verticals that you don't want to display, and then select **Delete**.
In our scenario, we deleted the **People**, **Conversations**, and **Videos** verticals so that we were only left with the **Everything** and the **Art** search vertical. ![Two Verticals](../media/OTCSP_TwoVerticals.png)
-12. Click **OK** to save all changes.
+12. Select **OK** to save all changes.
13. In your Search Center, enter a query. On your search results page, your newly created search vertical is displayed.
When you create a custom search vertical, the first thing that you must do is to
![New Art Vertical](../media/OTCSP_NewArtVertical.png)
-14. On your search results page, click on your newly created search vertical, and verify that the URL is the same as you specified in step 4.
+14. On your search results page, select on your newly created search vertical, and verify that the URL is the same as you specified in step 4.
- In our scenario, we clicked *Art* , and verified that the URL was *\<site\>/articles/Pages/art.aspx* . We also noticed that 13 search results were displayed.
+ In our scenario, we clicked *Art*, and verified that the URL was *\<site\>/articles/Pages/art.aspx*. We also noticed that 13 search results were displayed.
![Query Art Vertical](../media/OTCSP_QueryArtVertical.png) 15. On your new search vertical page, select to edit the page, and then to edit the **Search Results Web Part**.
-16. In the Web Part tool page, click **Change query**. This opens a dialog.
+16. In the Web Part tool page, select **Change query**. This opens a dialog.
![Change Query](../media/OTCSP_ChangeQuery.png)
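Review bot: step 14 now reads "select on your newly created search vertical", which is not idiomatic ("select your newly created search vertical"), and the sub-bullet directly under it still says "we clicked *Art*", so the click-to-select sweep is incomplete in this hunk.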
When you create a custom search vertical, the first thing that you must do is to
![Select a Query](../media/OTCSP_SelectAQuery.png)
-18. Click **OK** and save the page.
+18. Select **OK** and save the page.
On your new search vertical page, enter a query to verify that the correct search results are displayed.
When you create a custom search vertical, the first thing that you must do is to
![Final Art Vertical Result](../media/OTCSP_FinalArtVerticalResult.png)
- In our scenario, we added two more search verticals, *Video* and *Interop* . And with that, we had completed the Search Center set up.
+ In our scenario, we added two more search verticals, *Video* and *Interop*. And with that, we had completed the Search Center set up.
![All Search Verticals](../media/OTCSP_AllSearchVerticals.png) ## What you can do after you have successfully set up a Search Center+ <a name="BKMK_WhatYouCanDoAfterYouHaveSuccessfullySetUpaSearchCenter"> </a> When you have successfully set up a Search Center, the first thing that you should do is congratulate yourself on a job well done! Nice job!
SharePoint Oidc 1 0 Authentication https://github.com/MicrosoftDocs/OfficeDocs-SharePoint/commits/public/SharePoint/SharePointServer/security-for-sharepoint-server/oidc-1-0-authentication.md
description: "Learn how to set up OIDC authentication in SharePoint Server."
[!INCLUDE[appliesto-xxx-xxx-xxx-SUB-xxx-md](../includes/appliesto-xxx-xxx-xxx-SUB-xxx-md.md)]
-OpenID Connect (OIDC) 1.0 is a modern authentication protocol that seamlessly integrates applications and devices with the identity and authentication management solutions to keep pace with the
-evolving security and compliance needs of your organization.
+OpenID Connect (OIDC) 1.0 is a modern authentication protocol that seamlessly integrates applications and devices with identity and authentication management solutions to keep pace with the evolving security and compliance needs of your organization.
In SharePoint 2019 and prior versions, SharePoint Server supported three types of authentication methods:
In SharePoint 2019 and prior versions, SharePoint Server supported three types o
2. Forms-based authentication 3. Security Assertion Markup Language (SAML) 1.1-based authentication
-SharePoint Server Subscription Edition now supports OIDC 1.0 authentication protocol. With this new capability, you can now set up an OIDC-enabled `SPTrustedIdentityTokenIssuer` that works with a remote identity provider to enable OIDC authentication.
+OIDC 1.0 authentication protocol only supports SharePoint Server Subscription Edition. With this capability, you can set up an OIDC-enabled `SPTrustedIdentityTokenIssuer` that works with a remote identity provider to enable OIDC authentication.
+
+The OIDC 1.0 authentication protocol integrates with SharePoint Certificate Management to manage the nonce (number used once) cookie certification. The nonce cookie certificate ensures that OIDC authentication tokens are secure.
+
+Prior to OIDC 1.0 authentication integration with SharePoint Certificate Management, the administrators used the Certificate snap-in in Windows to check the status of the nonce certificate. In a multi-server farm, the administrators needed to manually export certificates, import certificates, and grant permissions on each server individually. When administrators enable OIDC for a new web application using a new application pool account, the administrators had to remember to grant permissions for the account.
+
+Farm administrators can use the following command to establish or replace the nonce certificate at the farm level. This command can be used regardless of the fact if it's being done during the initial configuration or during replacement of an existing nonce certificate.
+
+```powershell
+# Use one of the commands to acquire the nonce cookie certificate if it's already imported:
+$nonceCert = Get-SPCertificate -DisplayName <the certificate name>
+$nonceCert = Get-SPCertificate -Thumbprint <thumbprint>
+
+# Update
+$farm = Get-SPFarm
+$farm.UpdateNonceCertificate($nonceCert, $true)
+```
You can set up OIDC authentication in SharePoint Server with either of these options:
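Review bot: the rewritten sentence "OIDC 1.0 authentication protocol only supports SharePoint Server Subscription Edition." inverts the relationship; the protocol does not support SharePoint, SharePoint Server Subscription Edition supports the protocol, and the removed wording had it right. Use "OIDC 1.0 authentication is supported only in SharePoint Server Subscription Edition." In the new Certificate Management paragraph, "nonce cookie certification" should be "nonce cookie certificate", and "ensures that OIDC authentication tokens are secure" says nothing; state what the certificate is used for (for example, signing the nonce cookie so its value can be validated against the ID token that comes back) so readers know what breaks when it expires. In the code block, `Get-SPCertificate -DisplayName <the certificate name>` and `-Thumbprint <thumbprint>` are not valid PowerShell as written because `<` is a reserved operator; quote the placeholders. `$farm.UpdateNonceCertificate($nonceCert, $true)` passes an undocumented `$true`; say what that second argument controls. Finally, "regardless of the fact if it's being done during the initial configuration or during replacement" should read "whether this is the initial configuration or the replacement of an existing nonce certificate".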
SharePoint Set Up Oidc Auth In Sharepoint Server With Msaad https://github.com/MicrosoftDocs/OfficeDocs-SharePoint/commits/public/SharePoint/SharePointServer/security-for-sharepoint-server/set-up-oidc-auth-in-sharepoint-server-with-msaad.md
description: "Learn how to set up OIDC authentication in SharePoint Server with
## Prerequisites
-When you configure OIDC with Microsoft Entra ID, you need the following resources:
+When you configure OpenID Connect (OIDC) with Microsoft Entra ID, you need the following resources:
1. A SharePoint Server Subscription Edition farm 2. Microsoft Entra Global Administrator role of the M365 tenant
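Review bot: the prerequisites require the "Microsoft Entra Global Administrator role of the M365 tenant", which is far more privilege than the procedure needs: creating an app registration and editing its authentication, API permissions and token configuration can be done with the Application Administrator or Cloud Application Administrator role. Name the least-privileged role that works and mention Global Administrator only if a specific step, such as granting admin consent, truly needs it. Also spell out "Microsoft 365 tenant", and the two numbered prerequisites are run together on one line.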
This article uses the following example values for Microsoft Entra OIDC setup:
Perform the following steps to set up OIDC with Microsoft Entra ID:
-1. Browse to the [Entra ID admin portal](https://entra.microsoft.com/), and log in with an account with the Global Administrator role.
+1. Browse to the [Entra ID admin portal](https://entra.microsoft.com/), and sign in with an account with the Global Administrator role.
1. Under Applications, select App Registrations. 1. Select **New Registration**. 2. Go to the **Register an application** page `https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/RegisteredApps`.
Perform the following steps to set up OIDC with Microsoft Entra ID:
:::image type="content" source="../media/register-an-app.PNG" alt-text="Register an application":::
-1. Save the **Directory (tenant) ID** value, as the tenant ID will be used in subsequent steps. Also save the **Application (client) ID,** which we'll use as **DefaultClientIdentifier** in the SharePoint setup.
+1. Save the **Directory (tenant) ID** value, as the tenant ID is used in subsequent steps. Also save the **Application (client) ID,** which we use as **DefaultClientIdentifier** in the SharePoint setup.
:::image type="content" source="../media/sharepoint-onprem-oidc-connection.png" alt-text="Save Application":::
-1. After you register the application, go to the **Authentication** tab, select the **ID tokens** check box and select **Save**.
+1. After you register the application, go to the **Authentication** tab, select the **ID tokens** check box, and select **Save**.
:::image type="content" source="../media/sharepoint-oidc-authentication.png" alt-text="Enable ID Tokens":::
-1. Go to the **API permissions** tab and click Add a Permission. Choose **Microsoft Graph**, then **Delegated permissions.** Select the add **email** and **profile** permissions, and click **Add permissions.**
+1. Go to the **API permissions** tab and select Add a Permission. Choose **Microsoft Graph**, then **Delegated permissions.** Select the add **email** and **profile** permissions, and select **Add permissions.**
:::image type="content" source="../media/sharepoint-oidc-api-permissions.png" alt-text="API Permissions":::
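Review bot: "Select the add **email** and **profile** permissions" in the API permissions step still carries a stray "add" after the click-to-select change; suggest "Select the **email** and **profile** permissions, and select **Add permissions**."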
-1. Go to the **Token configuration** tab and click **Add optional claim**. For each token type (ID, Access, SAML), add **email**, and **upn** claims.
+1. Go to the **Token configuration** tab and select **Add optional claim**. For each token type (ID, Access, SAML), add **email**, and **upn** claims.
-1. Also on the **Token configuration** tab, click **Add groups claim**. Security Groups is the most common, but the group types you select depends on which types of groups you want to use to give access to the SharePoint web application. See [Configure groups optional claims](/entra/identity-platform/optional-claims#configure-groups-optional-claims) and Configure group claims for applications by using Microsoft Entra ID for more information.
+1. Also on the **Token configuration** tab, select **Add groups claim**. Security Groups is the most common, but the group types you select depends on which types of groups you want to use to give access to the SharePoint web application. For more information, see [Configure groups optional claims](/entra/identity-platform/optional-claims#configure-groups-optional-claims) and Configure group claims for applications by using Microsoft Entra ID.
:::image type="content" source="../media/sharepoint-oidc-token-configuration.png" alt-text="Token Configuration"::: 8. Go to the **Manifest** tab, and manually change **replyUrlsWithType** from `https://spsites.contoso.local/` to `https://spsites.contoso.local/*`. Then select **Save**.
Open jwks_uri (`https://login.microsoftonline.com/common/discovery/keys`) and sa
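Review bot: "the group types you select depends on which types of groups" in the groups-claim step needs "depend" (plural subject). In the same sentence the second reference, "Configure group claims for applications by using Microsoft Entra ID", is plain text while the first one is a link; either link it like the first or drop it.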
## Step 2: Change SharePoint farm properties
-In this step, you'll need to modify the SharePoint Server farm properties. Start the SharePoint Management Shell as a Farm Administrator, and run the following script:
+In this step, you need to modify the SharePoint Server farm properties based on the version of your SharePoint Server.
+
+> [!Note]
+> Start the SharePoint Management Shell as a farm administrator to run the following script. Read the instructions mentioned in the following PowerShell script carefully, and you will need to enter your own environment-specific values in certain places.
+
+- For more information on configuring SharePoint farm properties for SharePoint Server Subscription Edition Version 24H1, see [Configure SPSE Version 24H1 or higher version](#configure-sharepoint-server-subscription-edition-version-24h1-or-higher-versions).
+- For more information on configuring SharePoint farm properties for SharePoint Server Subscription Edition Version preceding 24H1, see [Configure SPSE prior to Version 24H1](#configure-sharepoint-server-subscription-edition-prior-to-version-24h1).
+
+#### Configure SharePoint Server Subscription Edition Version 24H1 or higher versions
+
+Starting with SharePoint Server Subscription Edition Version 24H1, you can configure SharePoint Server farm properties by employing SharePoint Certificate Management to manage the nonce cookie certificate. The nonce cookie certificate is part of the infrastructure to ensure OIDC authentication tokens are secure. Run the following script to configure:
-> [!NOTE]
-> Read the instructions mentioned in the following PowerShell script carefully. You will need to enter your own environment-specific values in certain places.
```powershell
-# Setup farm properties to work with OIDC
+# Set up farm properties to work with OIDC
# Create the Nonce certificate $cert = New-SelfSignedCertificate -CertStoreLocation Cert:\LocalMachine\My -Provider 'Microsoft Enhanced RSA and AES Cryptographic Provider' -Subject "CN=SharePoint Cookie Cert"+
+# Import certificate to Certificate Management
+$certPath = <path to save the exported cert>
+$certPassword = ConvertTo-SecureString -String <password> -Force -AsPlainText
+Export-PfxCertificate -Cert $cert -FilePath $certPath -Password $certPassword
+$nonceCert = Import-SPCertificate -Path $certPath -Password $certPassword -Store "EndEntity" -Exportable:$true
+
+$farm = Get-SPFarm
+$farm.UpdateNonceCertificate($nonceCert,$true)
+```
+
+#### Configure SharePoint Server Subscription Edition prior to Version 24H1
+
+```powershell
+# Set up farm properties to work with OIDC
+$cert = New-SelfSignedCertificate -CertStoreLocation Cert:\LocalMachine\My -Provider 'Microsoft Enhanced RSA and AES Cryptographic Provider' -Subject "CN=SharePoint Cookie Cert"
$rsaCert = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert) $fileName = $rsaCert.key.UniqueName
-# If you have multiple SharePoint servers in the farm, you need to export certificate by using Export-PfxCertificate and import the certificate to all other SharePoint servers in the farm by using Import-PfxCertificate.
+# If you have multiple SharePoint servers in the farm, you need to export the certificate by Export-PfxCertificate and import the certificate to all other SharePoint servers in the farm by Import-PfxCertificate.
-# After the certificate is successfully imported to SharePoint Server, we will need to grant access permission to certificate's private key.
+# After the certificate is successfully imported to SharePoint Server, we will need to grant access permission to the certificate's private key.
$path = "$env:ALLUSERSPROFILE\Microsoft\Crypto\RSA\MachineKeys\$fileName" $permissions = Get-Acl -Path $path
-# Grant your app pool account permission to the private key
-# Please replace the <web application pool account> with real application pool account of your SharePoint web application
+# Replace the <web application pool account> with the real application pool account of your web application
$access_rule = New-Object System.Security.AccessControl.FileSystemAccessRule(<Web application pool account>, 'Read', 'None', 'None', 'Allow') $permissions.AddAccessRule($access_rule) Set-Acl -Path $path -AclObject $permissions
-# Update the farm properties to use the Nonce cert
-$f = Get-SPFarm
-$f.Farm.Properties['SP-NonceCookieCertificateThumbprint']=$cert.Thumbprint
-$f.Farm.Properties['SP-NonceCookieHMACSecretKey']='seed'
-$f.Farm.Update()
+# Then we update farm properties
+$farm = Get-SPFarm
+$farm.Properties['SP-NonceCookieCertificateThumbprint']=$cert.Thumbprint
+$farm.Properties['SP-NonceCookieHMACSecretKey']='seed'
+$farm.Update()
``` ## Step 3: Configure SharePoint to trust the identity provider
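Review bot: the 24H1 script writes the nonce certificate's private key to a PFX on disk (`Export-PfxCertificate -Cert $cert -FilePath $certPath -Password $certPassword`) and never removes it; add a step to delete `$certPath` once `Import-SPCertificate` has succeeded, and say whether `-Exportable:$true` is actually required for the imported SharePoint certificate, since the file is only a transport vehicle for the import. The pre-24H1 script still assigns the literal `'seed'` to `SP-NonceCookieHMACSecretKey`; the instructions should tell the admin to replace that with their own unpredictable secret rather than leave a documented constant as the HMAC key. `$farm.UpdateNonceCertificate($nonceCert,$true)` has the same unexplained second argument as in the earlier hunk. Smaller points: the note at the top of the step keeps "you will need", which the rest of this change is removing; the first bullet's link text says "or higher version" while the heading says "or higher versions"; and the two new `####` headings sit directly under a `##` heading, skipping `###`.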
You can configure SharePoint to trust the identity provider in either of the fol
- Configure SharePoint to trust Microsoft Entra ID as the OIDC provider **manually**. - Configure SharePoint to trust Microsoft Entra ID as the OIDC provider by using the **metadata endpoint**.
- - By using the metadata endpoint, a lot of parameters you need in 'Configure SharePoint to trust Microsoft Entra ID as the OIDC provider manually' can be automatically retrieved by metadata endpoint.
+ - By using the metadata endpoint, several parameters you need in 'Configure SharePoint to trust Microsoft Entra ID as the OIDC provider manually' is automatically retrieved by metadata endpoint.
> [!NOTE] > Follow either the manual configuration steps or the metadata endpoint steps, but not both.
-
+ ### Configure SharePoint to trust Microsoft Entra ID as the OIDC provider manually
-In this step, you create a `SPTrustedTokenIssuer` that will store the configuration that SharePoint needs to trust Microsoft Entra OIDC as the OIDC provider. Start the SharePoint Management Shell as a Farm Administrator, and run the following script to create it:
+In this step, you create a `SPTrustedTokenIssuer` that stores the configuration that SharePoint needs to trust Microsoft Entra OIDC as the OIDC provider. Start the SharePoint Management Shell as a farm administrator, and run the following script to create it:
> [!NOTE] > Read the instructions mentioned in the following PowerShell script carefully. You will need to enter your own environment-specific values in certain places. For example, replace \<tenantid\> with your own Directory (tenant) ID.
Here, `New-SPTrustedIdentityTokenIssuer` PowerShell cmdlet is extended to suppor
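Review bot: "several parameters you need ... is automatically retrieved by metadata endpoint" in the metadata-endpoint bullet needs "are automatically retrieved from the metadata endpoint" (plural subject, and the values come from the endpoint, not by it). The new heading line "+ ### Configure SharePoint to trust Microsoft Entra ID as the OIDC provider manually" also carries a leading space; confirm the heading is not indented in the committed file.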
||-| |Name | Gives a name to the new token issuer. | |Description | Gives a description to the new token issuer. |
-|ImportTrustCertificate | Imports a list of X509 Certificates, which will be used to validate `id_token` from OIDC identifier. If the OIDC identity provider (IDP) uses more than one certificate to digital sign the `id_token`, import these certificates and SharePoint will then validate `id_token` by matching the digital signature generated by using these certificates. |
-| ClaimsMappings | A `SPClaimTypeMapping` object, which will be used to identify which claim in the `id_token` will be regarded as identifier in SharePoint. |
+|ImportTrustCertificate | Imports a list of X509 Certificates, which is used to validate `id_token` from OIDC identifier. If the OIDC identity provider (IDP) uses more than one certificate to digital sign the `id_token`, import these certificates and SharePoint validates `id_token` by matching the digital signature generated by using these certificates. |
+| ClaimsMappings | A `SPClaimTypeMapping` object, which is used to identify which claim in the `id_token` is regarded as identifier in SharePoint. |
| IdentifierClaim | Specifies the type of identifier. |
-| RegisteredIssuerName | Specifies the issuer identifier, which issues the `id_token`. It will be used to validate the `id_token`. |
+| RegisteredIssuerName | Specifies the issuer identifier, which issues the `id_token`. It's used to validate the `id_token`. |
| AuthorizationEndPointUrl | Specifies the authorization endpoint of the OIDC identity provider. |
-| SignoutUrl | Specifies the sign-out endpoint of the OIDC identity provider. |
-| DefaultClientIdentifier | Specifies the `client_id` of SharePoint server, which is assigned by OIDC identity provider. This will be validated against aud claim in `id_token`. |
-| ResponseTypesSupported | Specifies the response type of IDP, which can be accepted by this token issuer. It can accept two strings: `id_token` and `code id_token`. If this parameter isn't provided, it will use `code id_token` as default. |
+| SignoutUrl | Specifies the sign out endpoint of the OIDC identity provider. |
+| DefaultClientIdentifier | Specifies the `client_id` of SharePoint server, which is assigned by OIDC identity provider. This is validated against aud claim in `id_token`. |
+| ResponseTypesSupported | Specifies the response type of IDP, which is accepted by this token issuer. It can accept two strings: `id_token` and `code id_token`. If this parameter isn't provided, it uses `code id_token` as default. |
> [!IMPORTANT] > The relevant certificate must be added to the SharePoint root authority certificate store:
Here, `New-SPTrustedIdentityTokenIssuer` PowerShell cmdlet is extended to suppor
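Review bot: in the ImportTrustCertificate row, "uses more than one certificate to digital sign the `id_token`" should be "digitally sign", and "regarded as identifier" in the ClaimsMappings row reads better as "regarded as the identifier". The SignoutUrl row changes "sign-out endpoint" to "sign out endpoint"; as a noun modifier it should stay hyphenated ("sign-out endpoint"), which also keeps the verb/noun distinction this change applies elsewhere ("sign in with an account").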
SharePoint Server Subscription Edition now supports OIDC metadata discovery capability during configuration.
-By using the metadata endpoint provided by the OIDC identity provider, some of the configuration will be retrieved from the OIDC provider metadata endpoint directly, including:
+When you use the metadata endpoint provided by the OIDC identity provider, some of the configuration is retrieved from the OIDC provider metadata endpoint directly, including:
1. Certificate 2. Issuer
New-SPTrustedIdentityTokenIssuer -Name "contoso.local" -Description "contoso.loc
||-| |Name | Gives a name to the new token issuer. | |Description | Gives a description to the new token issuer. |
-|ImportTrustCertificate | A certificate that will be used to validate `id_token` from OIDC identifier. |
-| ClaimsMappings | A `SPClaimTypeMapping` object, which will be used to identify which claim in the `id_token` will be regarded as identifier in SharePoint. |
+|ImportTrustCertificate | A certificate that is used to validate `id_token` from OIDC identifier. |
+| ClaimsMappings | A `SPClaimTypeMapping` object, which is used to identify which claim in the `id_token` is regarded as identifier in SharePoint. |
| IdentifierClaim | Specifies the type of identifier. |
-| DefaultClientIdentifier | Specifies the `client_id` of SharePoint server, which is assigned by OIDC identity provider. This will be validated against aud claim in `id_token`. |
+| DefaultClientIdentifier | Specifies the `client_id` of SharePoint server, which is assigned by OIDC identity provider. This is validated against aud claim in `id_token`. |
| MetadataEndPoint | Specifies the well-known metadata endpoint from OIDC identity provider, which can be used to retrieve latest certificate, issuer, authorization endpoint, and sign out endpoint. | ## Step 4: Configure the SharePoint web application
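Review bot: the metadata-endpoint table keeps an ImportTrustCertificate row ("A certificate that is used to validate `id_token` from OIDC identifier") even though the text above lists the certificate among the values retrieved from the metadata endpoint; state whether the parameter is optional in this mode and which certificate wins if both are supplied. Same hyphenation point as the manual table: "sign out endpoint" should be "sign-out endpoint".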
-In this step, you'll configure a web application in SharePoint to be federated with the Microsoft Entra OIDC, using the `SPTrustedIdentityTokenIssuer` created in the previous step.
+In this step, you configure a web application in SharePoint to be federated with the Microsoft Entra OIDC, using the `SPTrustedIdentityTokenIssuer` created in the previous step.
> [!IMPORTANT] >
To create a new web application, do the following:
$trustedAp = New-SPAuthenticationProvider -TrustedIdentityTokenIssuer $sptrust ```
- 2. Follow [Create a web application in SharePoint Server](/sharepoint/administration/create-a-web-application) to create a new web application enabling HTTPS/Secure Sockets Layer (SSL) named SharePoint - OIDC on contoso.local.
+ 2. Follow [Create a web application in SharePoint Server](../administration/create-a-web-application.md) to create a new web application enabling HTTPS/Secure Sockets Layer (SSL) named SharePoint - OIDC on contoso.local.
3. Open the SharePoint Central Administration site. 4. Open the web application you created and pick **contoso.local** as **Trusted Identity Provider**.
Since OIDC 1.0 authentication can only work with HTTPS protocol, a certificate m
## Step 6: Create the site collection
-In this step, you'll create a team site collection with two administrators: One as a Windows administrator and one as a federated (Microsoft Entra ID) administrator.
+In this step, you create a team site collection with two administrators: One as a Windows administrator and one as a federated (Microsoft Entra ID) administrator.
1. Open the SharePoint Central Administration site. 2. Navigate to **Application Management** > **Create site collections** > **Create site collections**.
In this step, you'll create a team site collection with two administrators: One
11. Go to the account and select **OK** to close the People Picker dialog. 12. Select **OK** again to create the site collection.
-Once the site collection is created, you will be able to sign-in using either the Windows or the federated site collection administrator account.
+Once the site collection is created, you're able to sign-in using either the Windows or the federated site collection administrator account.
## Step 7: Set up People Picker
To do this, perform the following steps:
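Review bot: "you're able to sign-in using either the Windows or the federated site collection administrator account" uses the verb, which is two words ("sign in"); "you can sign in" would also fit the simplification applied elsewhere in this change.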
### 1. Create a new claim provider
-In the [previous step](#step-3-configure-sharepoint-to-trust-the-identity-provider), you've already created an OIDC `SPTrustedIdentityTokenIssuer` by using `New-SPTrustedIdentityTokenIssuer` PowerShell cmdlet. In this step, you'll use the following PowerShell cmdlet to create a claim provider, which uses the User Profile Application service to search and resolve users and groups in the People Picker and specifies to use the OIDC `SPTrustedIdentityTokenIssuer`:
+In the [previous step](#step-3-configure-sharepoint-to-trust-the-identity-provider), you already created an OIDC `SPTrustedIdentityTokenIssuer` by using `New-SPTrustedIdentityTokenIssuer` PowerShell cmdlet. In this step, you use the following PowerShell cmdlet to create a claim provider, which uses the User Profile Application service to search and resolve users and groups in the People Picker and specifies to use the OIDC `SPTrustedIdentityTokenIssuer`:
```powershell $claimprovider = New-SPClaimProvider -AssemblyName "Microsoft.SharePoint, Version=16.0.0.0, Culture=neutral, publicKeyToken=71e9bce111e9429c" -DisplayName 'OIDC Claim Provider' -Type "Microsoft.SharePoint.Administration.Claims.SPTrustedBackedByUPAClaimProvider" -TrustedTokenIssuer $tokenissuer -Description ΓÇ£OIDC Claim ProviderΓÇ¥ -Default:$false
Specify the following parameters:
||-| | AssemblyName | To be specified as `Microsoft.SharePoint, Version=16.0.0.0, Culture=neutral, publicKeyToken=71e9bce111e9429c`. | | Type | To be specified as `Microsoft.SharePoint.Administration.Claims.SPTrustedBackedByUPAClaimProvider` so that this command creates a claim provider, which uses UPA as the claim source. |
-| TrustedTokenIssuer | To be specified as the OIDC `SPTrustedIdentityTokenIssuer` created in the [previous step](#step-3-configure-sharepoint-to-trust-the-identity-provider), which will use this claim provider. This is a new parameter the user needs to provide when the type of the claim provider is `Microsoft.SharePoint.Administration.Claims.SPTrustedBackedByUPAClaimProvider`. |
-| Default | As we've created a claim provider by using this cmdlet, this cmdlet can only work with `SPTrustedIdentityTokenIssuer` and `Default` parameter must be set to false so that it wonΓÇÖt be used by any other authentication method assigned to the web application by default. |
+| TrustedTokenIssuer | To be specified as the OIDC `SPTrustedIdentityTokenIssuer` created in the [previous step](#step-3-configure-sharepoint-to-trust-the-identity-provider), which uses this claim provider. This is a new parameter the user needs to provide when the type of the claim provider is `Microsoft.SharePoint.Administration.Claims.SPTrustedBackedByUPAClaimProvider`. |
+| Default | As we create a claim provider by using this cmdlet, this cmdlet can only work with `SPTrustedIdentityTokenIssuer` and `Default` parameter must be set to false so that it won't be used by any other authentication method assigned to the web application by default. |
### 2. Connect `SPTrustedIdentityTokenIssuer` with `SPClaimProvider`
Specify the following parameters:
||-| | token issuer name | The token issuer this People Picker will use. | | -ClaimProvider | The `SPClaimProvider`, which will be used to generate claim. |
-| -IsOpenIDConnect | Required when `SPTrustedIdentityTokenIssuer` is OIDC `SPTrustedIdentityTokenIssuer`. Without this parameter, OIDC `SPTrustedIdentityTokenIssuer` configuration will fail. |
+| -IsOpenIDConnect | Required when `SPTrustedIdentityTokenIssuer` is OIDC `SPTrustedIdentityTokenIssuer`. Without this parameter, OIDC `SPTrustedIdentityTokenIssuer` configuration fails. |
An example of this command is:
Now, customers can start to synchronize profiles into the SharePoint user profil
There are two ways to synchronize user profiles into the SharePoint UPSA: -- Create a new SharePoint Active Directory Import (AD Import) connection with **Trusted Claims Provider Authentication** as the **Authentication Provider Type** in the connection setting. To utilize AD Import, see [Manage user profile synchronization in SharePoint Server](/sharepoint/administration/manage-profile-synchronization).
+- Create a new SharePoint Active Directory Import (AD Import) connection with **Trusted Claims Provider Authentication** as the **Authentication Provider Type** in the connection setting. To utilize AD Import, see [Manage user profile synchronization in SharePoint Server](../administration/manage-profile-synchronization.md).
:::image type="content" source="../media/add-new-sync-connection-2.png" alt-text="Add New Synchronization Connections"::: -- Use Microsoft Identity Manager (MIM). To utilize MIM, see [Microsoft Identity Manager in SharePoint Servers 2016 and 2019](/sharepoint/administration/microsoft-identity-manager-in-sharepoint-server-2016).
+- Use Microsoft Identity Manager (MIM). To utilize MIM, see [Microsoft Identity Manager in SharePoint Servers 2016 and 2019](../administration/microsoft-identity-manager-in-sharepoint-server.md).
- There should be two agents inside the MIM Synchronization Service Manager UX after MIM is set up. One agent is used to import user profiles from the source IDP to the MIM database. The other agent is used to export user profiles from the MIM database to the SharePoint UPSA. During the synchronization, the following three properties must be provided to the UPSA:
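Review bot: the MIM bullet changes the link target from `/sharepoint/administration/microsoft-identity-manager-in-sharepoint-server-2016` to `../administration/microsoft-identity-manager-in-sharepoint-server.md`, which drops the `-2016` suffix from the file name while the link text still says "SharePoint Servers 2016 and 2019"; confirm that file exists under the new name, otherwise the relative link breaks where the absolute one worked.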
During the synchronization, the following three properties must be provided to t
1. `SPS-ClaimID`
- During the synchronization, you must pick which unique identity property in the source will be mapped to the `SPS-ClaimID` property in the UPSA. We suggest using **Email** or **User Principal Name** for the `SPS-ClaimID`. The corresponding **IdentifierClaim** value needs to be set when token issuer is created from the [New-SPTrustedIdentityTokenIssuer](/powershell/module/sharepoint-server/new-sptrustedidentitytokenissuer) cmdlet.
+ During the synchronization, you must pick which unique identity property in the source is mapped to the `SPS-ClaimID` property in the UPSA. We suggest using **Email** or **User Principal Name** for the `SPS-ClaimID`. The corresponding **IdentifierClaim** value needs to be set when token issuer is created from the [New-SPTrustedIdentityTokenIssuer](/powershell/module/sharepoint-server/new-sptrustedidentitytokenissuer) cmdlet.
- For AD Import synchronization, **Central Administration > Application Management > Manage service applications > User Profile Service Application > Manage User Properties** will allow administrators to edit the `SPS-ClaimID` to indicate which property in the source identity provider should be synchronized to `SPS-ClaimID`. (The display name of this property is **Claim User Identifier** and it can be customized to other display names by the administrator.) For example, if email is to be used as the `SPS-ClaimID`, **Claim User Identifier** should be set to **Email**.
+ For AD Import synchronization, **Central Administration > Application Management > Manage service applications > User Profile Service Application > Manage User Properties** allows administrators to edit the `SPS-ClaimID` to indicate which property in the source identity provider should be synchronized to `SPS-ClaimID`. (The display name of this property is **Claim User Identifier** and it can be customized to other display names by the administrator.) For example, if email is to be used as the `SPS-ClaimID`, **Claim User Identifier** should be set to **Email**.
:::image type="content" source="../media/SPS-ClaimID-1.png" alt-text="SPS-ClaimID"::: :::image type="content" source="../media/SPS-ClaimID-2.png" alt-text="SPS-ClaimProviderID":::
Perform the following steps to enable the People Picker control to work with gro
This sample cmdlet first creates a `claimmap` object of type `groupsid` and indicates that it works with the `SID` property of the group and then creates a new identity issuer, which can understand this mapping. 2. Synchronize `SID` property of groups from the identity provider to the `SID` property in UPSA.
- 1. For AD Import synchronization, `SID` will be synchronized automatically without additional setup from the source identity provider to the SharePoint UPSA.
+ 1. For AD Import synchronization, `SID` is synchronized automatically without other setup from the source identity provider to the SharePoint UPSA.
2. For MIM synchronization, the property mapping needs to be taken from the identity provider to MIM and then from MIM to the SharePoint UPSA so that MIM can synchronize the group `SID` from the identity provider to the SharePoint UPSA. This is similar to how we do user profile synchronization for the `SPS-ClaimID` property for user profiles. 1. For MIM synchronization, `sAMAccountName` should also be mapped to `accountName` from MIM to the SharePoint UPSA. If it doesnΓÇÖt exist, admin should create mapping pair from `sAMAccountName` to `accountName` in MIM manually.
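Review bot: "`SID` is synchronized automatically without other setup" changes the meaning of the original "without additional setup"; "other" suggests some setup is replaced, not that none is needed. Suggest "without any additional setup".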
SharePoint Custom Branding In Suite Bar https://github.com/MicrosoftDocs/OfficeDocs-SharePoint/commits/public/SharePoint/SharePointServer/sites/custom-branding-in-suite-bar.md
description: "Learn about the Custom Branding feature, which is one of the newly
This article describes the "Custom branding in Suite Navigation Bar" feature, which is one of the new features introduced in the SharePoint Server Subscription Edition Version 23H2 feature update.
+> [!NOTE]
+> Custom branding in the Suite Navigation Bar was first introduced in SharePoint Server Subscription Edition Version 23H2, but it was initially available only for SharePoint farms in Early release. Starting with SharePoint Server Subscription Edition Version 24H1, it's available regardless of whether your SharePoint farm is in Early release or Standard release.
++ ## Custom branding in the Suite Navigation Bar The SharePoint Server modern UX provides a powerful yet intuitive user interface that scales from desktop to mobile devices. However, the architecture of the modern UX limited the opportunities for organizations to apply custom branding to the Suite Navigation Bar, which is the global navigation bar that provides access to the App Launcher, contextual settings menu, and user welcome control in SharePoint sites.
SharePoint Server Subscription Edition Version 23H2 introduces the ability for o
### Example 1
-1. Set the feature release ring to **Early release** for your farm to make this feature available in the SharePoint Server Subscription Edition version 23H2. For more information, see
-[Feature release rings](../administration/feature-release-rings.md).
-
-2. Enable a web application to allow custom branding by setting the **SuiteNavAllowCustom** web application-level property to **true**. This property must be set to **true** for any of the other properties to take effect.
+1. Enable a web application to allow custom branding by setting the **SuiteNavAllowCustom** web application-level property to **true**. This property must be set to **true** for any of the other properties to take effect.
```PowerShell $webapp = Get-SPWebApplication http://spwfe
SharePoint Server Subscription Edition Version 23H2 introduces the ability for o
$webapp.Update() ```
-3. Set all the options, as shown in the following command-syntax example:
+2. Set all the options, as shown in the following command-syntax example:
```PowerShell $webapp.SuiteNavBrandingText = "Suite Bar Branding"
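Review bot: removing the "Set the feature release ring to Early release" step and renumbering the remaining ones to 1 and 2 matches the new note that 24H1 offers the feature in Standard release, but the renumbering has to continue into any steps after the visible hunk (and into any later example), or the list jumps from 2 to 4. The intro sentence above still presents the feature as "one of the new features introduced in ... Version 23H2" with no reference to 24H1; consider pointing it at the note so readers on 24H1 Standard release do not assume they need Early release.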
SharePoint Sharepoint Health Analyzer Rules Reference https://github.com/MicrosoftDocs/OfficeDocs-SharePoint/commits/public/SharePoint/SharePointServer/technical-reference/sharepoint-health-analyzer-rules-reference.md
The following Health Analyzer rules relate to performance for SharePoint Server:
## Configuration The following Health Analyzer rules relate to configuration of SharePoint Server.
-
- [Alternate access URLs have not been configured (SharePoint Server)](alternate-access-urls-have-not-been-configured.md) - [The Application Discovery and Load Balancer Service is not running in this farm (SharePoint Server)](the-application-discovery-and-load-balancer-service-is-not-running-in-this-farm.md)
The following Health Analyzer rules relate to configuration of SharePoint Server
- [The Machine Translation Service is not running when it should be running (SharePoint Server)](the-machine-translation-service-is-not-running-when-it-should-be-running.md) - [XLIFF translations for the Machine Translation Service is disabled (SharePoint Server)](xliff-translations-for-the-machine-translation-service-is-disabled.md)+
+- [Certificate Management is not managing the nonce cookie certificate (SharePoint Server)](the-nonce-cookie-certificate-is-not-imported.md)
## Availability
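Review bot: the new entry's link text, "Certificate Management is not managing the nonce cookie certificate (SharePoint Server)", does not match the rule name inside the new rule page ("SharePoint Server doesn't manage the nonce cookie certificate"); use one wording so admins can find the rule in this list from the name shown in Health Analyzer. The file name `the-nonce-cookie-certificate-is-not-imported.md` is a third variant; fine to keep, but the two visible titles should agree.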
SharePoint The Nonce Cookie Certificate Is Not Imported https://github.com/MicrosoftDocs/OfficeDocs-SharePoint/commits/public/SharePoint/SharePointServer/technical-reference/the-nonce-cookie-certificate-is-not-imported.md
+
+ Title: "Certificate Management is not managing the nonce cookie certificate (SharePoint Server)"
+++ Last updated : 03/08/2024
+audience: ITPro
+f1.keywords:
+- NOCSH
++
+ms.localizationpriority: medium
+
+- IT_Sharepoint_Server
+- IT_Sharepoint_Server_Top
+description: "Learn to ensure proper management and notification of the certificate expiration to avoid issues with the Web Application Pool account while enabling OIDC in a web application."
++
+# Certificate Management is not managing the nonce cookie certificate (SharePoint Server)
++
+**Rule Name:** SharePoint Server doesn't manage the nonce cookie certificate.
+
+**Summary:** OpenID Connect (OIDC) authentication is configured in your SharePoint Server farm, but the certificate used to generate the nonce cookie isn't managed by the Certificate Management of SharePoint Server. As a result, you don't receive any system notification if that certificate is close to expiration, which would lead to farm service outage. In this case, SharePoint Server doesn't automatically grant required permissions of nonce cookie certificate to the Web Application Pool account if you enable OIDC for web applications, and you need to do it manually.
+
+**Cause:** SharePoint Server farm currently uses the certificate that is used to generate the nonce cookie but doesn't manage it.
+
+**Resolution:** **Import the nonce cookie certificate**
+
+Ensure proper management and notification of the certificate expiration by following the steps to avoid issues with Web Application Pool account while enabling OIDC in web application:
+
+1. Import nonce cookie certificate in Certificate Management of SharePoint Server.
+1. Start SharePoint Management Shell and run the following script to update the certificate property.
+
+ ```powershell
+ # Use one of the commands to acquire nonce cookie certificate imported:
+ $nonceCert = Get-SPCertificate -DisplayName <the certificate name>
+ $nonceCert = Get-SPCertificate -Thumbprint <thumbprint>
+
+ # Update
+ $farm = Get-SPFarm
+ $farm.UpdateNonceCertificate($nonceCert, $true)
+ ```
+
+For more information, see [Change SharePoint farm properties](../security-for-sharepoint-server/set-up-oidc-auth-in-sharepoint-server-with-msaad.md#step-2-change-sharepoint-farm-properties).
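Review bot: the **Rule Name** ("SharePoint Server doesn't manage the nonce cookie certificate") differs from the page title and from the Health Analyzer list entry ("Certificate Management is not managing the nonce cookie certificate (SharePoint Server)"); align them. In the **Summary**, "which would lead to farm service outage" is vague; say which service fails (OIDC sign-in for the web applications using this certificate) and tie "you need to do it manually" to the concrete task, i.e. granting the Web Application Pool account read access to the certificate's private key as the pre-24H1 script in the set-up article does. The **Cause** sentence ("currently uses the certificate that is used to generate the nonce cookie but doesn't manage it") is circular; suggest "The farm's nonce cookie certificate was configured by thumbprint and hasn't been imported into SharePoint Certificate Management." Resolution step 1 says only "Import nonce cookie certificate in Certificate Management"; name the method (`Import-SPCertificate`, as in the set-up article, or the Central Administration UI). The script repeats the two-live-assignments issue: both `$nonceCert = Get-SPCertificate ...` lines run if pasted, so comment one out, and explain the `$true` argument of `UpdateNonceCertificate`.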
SharePoint New And Improved Features In Sharepoint Server Subscription Edition 24H1 Release https://github.com/MicrosoftDocs/OfficeDocs-SharePoint/commits/public/SharePoint/SharePointServer/what-s-new/new-and-improved-features-in-sharepoint-server-subscription-edition-24h1-release.md
+ Last updated : 09/06/2023
+ Title: "New and improved features in SharePoint Server Subscription Edition Version 24H1"
++++
+audience: ITPro
+f1.keywords:
+- NOCSH
++
+ms.localizationpriority: high
+
+- IT_Sharepoint_Server
+- IT_Sharepoint_Server_Top
+- Strat_SP_server
+
+description: "Learn about the new features and updates to existing features in SharePoint Server Subscription Edition Version 24H1."
++
+# New and improved features in SharePoint Server Subscription Edition Version 24H1
++
+Learn about the new features and updates introduced in the SharePoint Server Subscription Edition Version 24H1 feature update.
+
+## Summary of the features
+
+The following table provides a summary of the new features introduced in the SharePoint Server Subscription Edition Version 24H1 feature update.
+
+|**Feature**|**Release ring**|**More information**|
+|:--|:--|:--|
+| **Custom branding in the Suite Bar** | Standard release | For more information, see [Custom branding in the Suite Bar](new-and-improved-features-in-sharepoint-server-subscription-edition-23h2-release.md#custom-branding-in-the-suite-bar).<br> <br>This was part of *Early release* in the Version 23H2 feature update. <br/> |
+| **Search vertical customization in modern search results** | Early release | For more information, see [Search vertical customization in modern search results](#search-vertical-customization-in-modern-search-results). |
+| **OpenID Connect (OIDC) integration with SharePoint certificate management** | Early release | For more information, see [OpenID Connect (OIDC) integration with SharePoint certificate management](#openid-connect-oidc-integration-with-sharepoint-certificate-management). |
+| **Customer feedback experience in Central Administration** |Early release |For more information, see [Customer feedback experience in Central Administration](#customer-feedback-experience-in-central-administration).|
+
+## Detailed description of features
+
+This section provides detailed descriptions of the new and updated features in SharePoint Server Subscription Edition Version 24H1.
+
+> [!NOTE]
+> Features previously introduced in the Version 23H2 feature update will not be described here. For more information on Version 23H2, see [New and improved features in SharePoint Server Subscription Edition Version 23H2](new-and-improved-features-in-sharepoint-server-subscription-edition-23h2-release.md).
+
+### Search vertical customization in modern search results
+
+SharePoint Server Subscription Edition Version 24H1 introduces search vertical customization to the modern search experience, previously available only in the classic search experience. This customization feature allows users to add a custom search vertical to their search results page at the site and organizational levels.
+
+The configuration of this feature is based on the same architecture as the existing classic UI, so the steps to configure this feature in the modern UI are similar to the classic UI.
+
+For more information, see [How to add a custom search vertical to your search results page in SharePoint Server.](../search/how-to-add-a-custom-search-vertical-to-your-search-results-page.md)
+
+### OpenID Connect (OIDC) integration with SharePoint certificate management
+
+OpenID Connect (OIDC) is a modern authentication protocol that seamlessly integrates applications and devices with identity and authentication management solutions to keep pace with the evolving security and compliance needs of your organization.
+
+SharePoint Server Subscription Edition Version 24H1 allows administrators to manage OIDC nonce cookie certificates via SharePoint Certificate Management. The nonce cookie certificate is part of the infrastructure that ensures OIDC authentication tokens are secure.
+
+SharePoint farm administrators can now use the SharePoint Certificate Management feature to manage the full lifecycle of the OIDC nonce cookie certificate. This will automatically deploy the OIDC nonce cookie certificate to all servers in the farm and automatically configure the necessary permissions. A new SharePoint Health Analyzer health rule has been added to notify administrators if the nonce cookie certificate is not managed through SharePoint Certificate Management.
+
+For more information, see [Set up OIDC authentication in SharePoint Server with Microsoft Entra ID.](../security-for-sharepoint-server/set-up-oidc-auth-in-sharepoint-server-with-msaad.md)
+
+### Customer feedback experience in Central Administration
+
+SharePoint Server Subscription Edition Version 24H1 introduces One Customer Voice (OCV) into the SharePoint Central Administration site to collect customer feedback from the SharePoint farm administrators. The feedback goes directly to the SharePoint Server product team at Microsoft to help us to continue to improve the product to meet customer needs.
+
+The OCV experience currently offers a two-question survey, which automatically appears in SharePoint Central Administration based on these rules:
+
+1. The first survey appears two weeks after a farm administrator visits the Central Admin site after the update is installed.
+1. The second survey will appear after six months if the SharePoint farm administrator completes the first survey.
+1. If the SharePoint Administrator chooses to skip the survey, it will appear again every two weeks until the survey is completed.
+
+For more information, see [Configure the One Customer Voice (OCV) feedback.](../administration/configure-ocv.md)
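Review bot: the OIDC section promises more than it qualifies and omits the migration step for existing farms. "This will automatically deploy the OIDC nonce cookie certificate to all servers in the farm and automatically configure the necessary permissions" only holds for a certificate that SharePoint Certificate Management manages; a farm that configured OIDC before Version 24H1 keeps using an unmanaged nonce certificate, gets no expiration notification, and will trip the new Health Analyzer rule until the administrator imports the certificate and runs `$farm.UpdateNonceCertificate($nonceCert, $true)`. Add one sentence saying so and link the new health rule article rather than only the setup article. "The nonce cookie certificate is part of the infrastructure that ensures OIDC authentication tokens are secure" says nothing; replace it with what the certificate does (its private key protects the nonce cookie, and in OIDC the nonce binds the returned ID token to the sign-in request that produced it), which also explains why the Web Application Pool account needs access to the private key. Minor: `Last updated : 09/06/2023` on a Version 24H1 article looks stale; check the date before publishing.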
SharePoint What S New https://github.com/MicrosoftDocs/OfficeDocs-SharePoint/commits/public/SharePoint/SharePointServer/what-s-new/what-s-new.md
Articles contain an overview of new and improved product features, updates, depr
|**Content**|**Description**| |:--|:--|
+|[New and improved features in SharePoint Server Subscription Edition Version 24H1](new-and-improved-features-in-sharepoint-server-subscription-edition-24h1-release.md) <br/> |Learn about the new features and updates to existing features in SharePoint Server Subscription Edition Version 24H1. <br/> |
|[New and improved features in SharePoint Server Subscription edition](new-and-improved-features-in-sharepoint-server-subscription-edition.md) <br/> |Learn about the new features and updates to existing features in SharePoint Server Subscription edition. <br/> | |[What's deprecated or removed from SharePoint Server Subscription edition](what-s-deprecated-or-removed-from-SharePoint-Server-Subscription-Edition.md) <br/> |Learn about the features and functionality that are deprecated or removed in SharePoint Server Subscription edition. <br/> | |[New and improved features in SharePoint Server 2019](new-and-improved-features-in-sharepoint-server-2019.md) <br/> |Learn about the new features and updates to existing features in SharePoint Server 2019. <br/> |
Articles contain an overview of new and improved product features, updates, depr
|[New features in November 2016 PU for SharePoint Server 2016 (Feature Pack 1)](new-features-november-2016.md) <br/> |Learn about the new features that are included in the November 2016 Public Update for SharePoint Server 2016 (Feature Pack 1). <br/> | |[New features in September 2017 PU for SharePoint Server 2016 (Feature Pack 2)](new-feature-in-feature-pack-2.md) <br/> |Learn about the new features that are included in the September 2017 Public Update for SharePoint Server 2016(Feature Pack 2). <br/> | |[What's deprecated or removed from SharePoint Server 2016](what-s-deprecated-or-removed-from-sharepoint-server-2016.md) <br/> |Learn about the features and functionality that are deprecated or removed in SharePoint Server 2016. <br/> |++ ## See also