-If you have subsidiaries in different regions that have thei\nr own branding and navigation, an option for you is to create a hub site for each region.

-To make sure that users sync OneDrive files only on managed computers, you can configure OneDrive to sync only on PCs that are joined to specific domains. for more information, see [Allow syncing only on computers joined to specific domains](/onedrive/allow-syncing-only-on-specific-domains).

-description: "Learn about how to plan a new SharePoint intranet with focus on bringing sites online quickly and getting a return on your investment"

-Microsoft SharePoint offers a wide variety of options and tools to create intranet sites for your organization. Moving your intranet to SharePoint in Microsoft 365 might take a while, particularly if you already have extensive intranet content. In this article, we'll look at how to plan a new SharePoint intranet with a focus on quickly bringing sites online and getting a return on your investment.

-We'll cover how to:

-If you're currently using SharePoint Server for your intranet, you'll find SharePoint in Microsoft 365 to be much easier to work with. Responsive, dynamic pages are easy for anyone to create, and the requirements for IT to build and maintain custom solutions are much less.

-As a first step, to see examples of what's possible with SharePoint, we recommend that you review the [SharePoint look book](https://aka.ms/sharepointlookbook). The look book provides a variety of examples about how to include news, events, resources, and personalized content in SharePoint sites that anyone can create and maintain.

-The most successful intranets donΓÇÖt just look good, they are primarily focused on helping people get work done and often on promoting engagement. The look book can help inspire you to think about how your content might appear, but your business outcome goals are important to understand what content and functionality are most important for your users and your organization.

-All organizations have important strategic goals that drive behavior and investments. If you want to be sure that your intranet is successful ΓÇô and gets the right level of funding ΓÇô you need to ensure that it is aligned with these goals. You can also use these goals to help prioritize your intranet initiatives. Unlike many technology projects, an intranet project is never ΓÇ£doneΓÇ¥ because your organization priorities and interests will change over time. But, at any given time, you want to focus on the intranet initiatives that are most closely aligned with your organizational priorities and key business stakeholders.

-In addition, take a look at recent employee satisfaction survey data. A good way to become more informed about the information and tools that your employees need is to look at the pain points identified in these surveys.

-A good place to start thinking about your new intranet is what it will be like when the intranet is in place. What will people be able to accomplish? How will they start their day? What will people say about the intranet? One potentially helpful exercise to frame the overall objectives for the intranet is to engage your key intranet stakeholders in a [cover story](https://gamestorming.com/cover-story/) exercise. This is an exercise in imagination. The purpose is to think broadly about an ideal future state by imagining a magazine cover story about the new intranet, including the key headlines, sidebars, and quotes from users.

-With the end in mind, it can also be helpful to create [personas](https://www.nngroup.com/articles/persona/) for your key users. A persona is a fictional but realistic description of a typical intranet user (for example, new starter/new employee, knowledge worker, field worker, sales rep, people manager, or content author). YouΓÇÖll want to do some research to engage with people who represent these different personas to understand their information requirements. You canΓÇÖt build an intranet without an understanding of the people for whom you are building it. Site owners alone are not enough ΓÇô their perspective is what they want to publish. That is often not the same thing as what their users want to consume.

-If your users complain that search is not successful because too much irrelevant content is discovered, this can indicate a governance problem. Before you think about your new intranet project, think about how you will govern the architecture and the content. These are decisions that are a lot easier to make and enforce if they are decided early in your intranet project. For example, you will want to think about:

-You do not need to make every governance decision up front, but if you donΓÇÖt have a plan for how you will govern your new, intelligent intranet, it can quickly become a wasteland of information that fails to achieve your critical business goals.

-Your current intranet may be composed of sites from different business groups, such as HR, IT, Facilities, Engineering, and others. As a first step to planning your new SharePoint intranet, we recommend taking an inventory of your existing sites and meeting with the owners of each to determine their business outcome goals for new sites. Take stock of where your content is located and how much content you would need to move when creating a new intranet site. Look at your current content to understand if it is current or needs to be updated prior to moving to a new site. ItΓÇÖs not unusual to find a migration strategy where existing content is left behind. You donΓÇÖt have to migrate anything ΓÇô you may find that it is more effective to create new content that is optimized for the modern SharePoint experience rather than migrate existing, out-of-date content to the new location.

-Think of this step as an opportunity to learn. You are learning about what is important to your users and to the business. You will use this information to identify initiatives for your intranet.

-Using the information you gathered during your research, work with your key intranet stakeholders to identify initiatives that reflect your organizational priorities ΓÇô as well as any barriers that might exist when you are implementing them.

-|Foster positive employee agreement about company strategy (Executive Leadership Viva Engage Community)|News posts <br> - Streaming events <br> - Viva Engage conversations|HR|Ongoing monthly activity posts by leadership and comments by employees|- Viva Engage conversations show positive sentiment <br> - Comments addressed within 24 hours ΓÇô ΓÇ£no question/comment left behindΓÇ¥ <br> - x% increase in employee satisfaction scores for executive communications|

-SharePoint offers a variety of building blocks that you can use to create an intranet:

-At this stage, we recommend that you involve your help desk so that they are prepared to answer questions after the site rolls out to a larger audience.

-When the prototype has evolved to a point where you want to share it more broadly, you can roll it out to a pilot group, or even to the whole organization. User adoption is a critical part of success for a new intranet site. To drive site usage, we recommend that you use both a top down and bottom up approach:

-As the site rolls out and more users engage, watch your success metrics and make adjustments as needed to drive additional engagement and user satisfaction.

-## Related topics

-description: "Use the guidance in this document to help you create the right navigation for your organization"

-The fundamental principles and practices for site and page navigation apply to classic and modern SharePoint architectures. However, your options for implementing navigation differ based on the framework for your sites and intranet. For example, the default navigation experiences available in classic SharePoint site hierarchies - sites with subsites - are not available in the modern experience.

-Instead, [hubs](https://support.office.com/article/fe26ae84-14b7-45b6-a6d1-948b3966427f) provide a great way to achieve the cross-site navigation features previously available in managed navigation and site hierarchies in classic SharePoint. No matter which framework you are using, you can use the guidance in this document to help you create the right navigation for your organization.

-*"When we're observing customers carrying out tasks on websites we notice certain common patterns. For example, we find that when people arrive at a particular site they start by **navigating about 70% of the time**. When people get stuck navigating they may resort to using site search."* -- Gerry McGovern

-Page navigation and site navigation display differently. The links that you see in site navigation are static on every page in the site. The navigation links on individual pages are accessed only when the viewer lands on the page. A benefit to on-page links is that they can be different from page to page. Both types of navigational links guide your viewers by providing *wayfinding* experiences.

-The key advantage of site navigation links is that they are always visible in the context of the site. Because site navigation links are persistent, they provide an opportunity to provide significant value for site viewers as they traverse the site and address their goals: to find and do what they came for. Hub navigation links extend this wayfinding experience to other sites in the hub ΓÇ£family.ΓÇ¥ This supports navigating to related content not just on the site, but on related sites as well. Setting site navigation links to open in a new tab can help site viewers find the information they want, without navigating away from the current page that they are on.

-Planning site and page navigation involves thinking about:

-There is no one right way to organize your navigation links. You will make different choices based on the type of site you are creating and your viewers. Organizing concepts might include:

-The default navigation for all SharePoint sites primarily includes *type* of content. For [**communication sites**](https://support.office.com/article/94A33429-E580-45C3-A090-5512A8070732), the default navigation includes Documents, Pages, and Site Contents. These categories are helpful as you are building your site, but they are not typically going to add value to your viewers once your site is ready to launch.

-This is because the consumer of a communication site typically doesn't care about the *type* of content ΓÇô they care about the *purpose* or *subject* of the content. For communication sites, plan to delete the "out of the box" navigation when you are ready to launch and replace it with something that aligns with the guidance provided in the local navigation section of this guide.

-Both cascading and mega menus support up to three levels of navigation in your menu. The first level represents the tabs you see across the top. The second level is the next level below the tab and the third level is indented or below the second level. Mega menus work best when you are using all three levels of navigation experiences. If you use a mega menu, the second level of links will appear in **bold**. If you only need two levels in your menu, consider using the cascading style.

-Choose an emoji that relates to the label topic. You can search for emojis at [emojipedia.org](https://emojipedia.org/), or use the Windows key + period (.). Copy the emoji and add it to the label when you are editing your navigation.

-> - [Learn about hosting events with Viva Engage](/viva/engage/manage-viva-engage-groups/viva-engage-live-events)

-The NEO site(s) helps organizations by:

-|Sense of place|Pre-onboarding|Departmental and team onboarding|Value realization|

-New employee onboarding involves multiple levels within an organization, including pre-onboarding, corporate onboarding, and departmental onboarding. Each onboarding level provides its own unique value, contributing to a comprehensive onboarding experience each new employee should experience.

-Research has shown Pre-onboarding new hires, after they sign their acceptance letter but before they officially join the company, can lead to higher performance and better retention rates. To deliver a flexible and consistent onboarding experience, NEO sites consist of three different SharePoint site templates, that are designed to work alone or as one cohesive and familiar experience for new hires.

-|Pre-onboarding site|Corporate onboarding site|Departmental onboarding site|

-|Share the Pre-onboarding site with new hires as soon as the job offer has been accepted|Share the Corporate onboarding site with new hires on their first day|Managers and onboarding buddies should share their respective Departmental onboarding site|

-1. **New employee pre-onboarding site:** A site for new hires, who have yet to officially join the company, to learn more about the company they have joined and to get ready for their official start date. External guest access can be used for providing pre-start hires, with no corporate credentials, access to the Pre-onboarding site only.

-3. **New employee departmental onboarding site:** A place for new hires to visit to learn more about the department they are joining, its people, culture, and priorities. The Departmental onboarding site can be associated to an existing departmental hub.

-To successfully provision the NEO sites via the SharePoint look book, the person doing the provisioning must be a site collection admin of the tenant where the NEO site(s) will be provisioned. If you have never provisioned a template from the Look book, [review overview guidance](./add-sample-site.md).

- - Provision the [New employee pre-onboarding site](https://lookbook.microsoft.com/details/8fefcc9a-7ca4-457f-bd10-acee3ae63b63)

-The New Employee Onboarding (NEO) sites consist of three SharePoint site templates that can be customized to fit the needs of your users and organization. Many of the core pages are already built and pre-populated with content. Review content on sites and pages, then plan on customizing content, images, branding, web parts, and pages.

-Before you customize NEO site content, ensure you understand the needs of your users and the business objectives of your organization. New hires will need different kinds of support and resources depending on the onboarding phase and culture of your organization. Begin by signing into your account and reviewing pre-populated content. Then, customize content and prepare to share the site with new hires.

-|Pre-onboarding site|Corporate onboarding site|Departmental onboarding site|

-|Share the Pre-onboarding site with new hires as soon as the job offer has been accepted|Share the Corporate onboarding site with new hires on their first day|Managers and onboarding buddies should share their respective Departmental onboarding site|

-1. **New employee pre-onboarding site:** A site for new hires, who have yet to officially join the company, to learn more about the company they have joined and to get ready for their official start date. External guest access can be used for pre-start hires who don't already have corporate credentials to give them access to the Pre-onboarding site only.

-3. **New employee departmental onboarding site:** A place for new hires to visit to learn more about the department they are joining, its people, culture, and priorities. Consider associating departmental onboarding sites with existing department portals if you have them.

-### Explore and review pre-populated content

-#### New employee pre-onboarding site

-The pre-onboarding site is where a new hire starts their onboarding journey. This site is for new hires who have accepted their job offer but have not officially joined the company yet. In this stage, new hires will be interested in learning more about the company, how to get ready for their official start date, and who to go to for questions.

-Now that you've reviewed the pre-built pages and pre-populated content, you are ready to customize the NEO experience for your organization.

-After customizing content, get ready to share the new onboarding experience with new hires. Different permissions will apply to the Pre-onboarding site since users will be external guests. Once new hires start working, use internal permissions sharing instructions to give access to the corporate onboarding site.

-### Share the Pre-onboarding site

-Before provisioning the SharePoint Success Site, meet the requirements for both the **person** provisioning and the **tenant.** Your tenant's configuration will determine what path you need to take to install the SharePoint Success Site. Start by reviewing the SharePoint Success Site requirements below to prepare your tenant.

-The **person** doing the provisioning must be a Global Administrator (sometimes called a tenant admin) where the SharePoint Success Site will be provisioned *and must also be* a site admin for the App Catalog.

-If you aren't sure, you can confirm your role by signing in to office.com. If you're a Global Administrator, you'll see an Admin center app icon in the app launcher next to your Microsoft 365 apps.

-The **tenant** where the site will be provisioned must have the [App Catalog](./use-app-catalog.md) installed *and* have the latest version of [Microsoft 365 learning pathways](/office365/customlearning/#:~:text=Microsoft%20365%20learning%20pathways%20is%20a%20customizable%2C%20on-demand,adoption%20of%20Microsoft%20365%20services%20in%20your%20organization.) installed. Your tenant must have **version 4.0 or higher** of Microsoft 365 learning pathways.

-If you are unsure, navigate to the SharePoint admin center, then select **Sites** > <a href="https://go.microsoft.com/fwlink/?linkid=2185220" target="_blank">**Active sites**</a>. The **App Catalog** will appear in the list of sites.

-If you are unsure, navigate to the SharePoint admin center, then select **Sites** > <a href="https://go.microsoft.com/fwlink/?linkid=2185220" target="_blank">**Active sites**</a>. **Microsoft 365 learning pathways** will appear in the list of sites.

-If you are unsure, navigate to your tenant's **Microsoft 365 learning pathways administration page** and select the ellipses **(...)**

-9. You'll see a prompt asking if you want to update, then select **Start**.

-Once you've confirmed the following, you are ready to provision:

-We recommend that you install the SharePoint Success Site by using the following steps. As an alternative, you [can install the SharePoint Success Site from the look book](./provision-sss-lookbook.md), just make sure you follow all instructions. Before getting started, [watch the provisioning instructions video](https://www.youtube.com/watch?v=HZjxBAKVnJs&feature=youtu.be)

-10. When you see **Provisioning completed** on the provisioning page, you'll see a new tab appear in your browser called **CustomLearningAdmin**. Select the **CustomLearningAdmin** tab as shown in the following image:

-Assign a few Site owners to grant administrative privileges to customize the site and training content. In order to hide, show, or enable playlists, users will need Site owner or Site member permissions to the Microsoft 365 learning pathways site. In order to edit the look, navigation, and site content, users will need Site owner or Site member permissions to the SharePoint Success Site.

-Share the URLs for the Microsoft 365 learning pathways administration site and the SharePoint Success site with the Site owners and members who will be responsible for customizing the site. Then, [customize](./customize-sss.md) Microsoft 365 learning pathways playlist content and the look and feel of your SharePoint Success Site to meet the needs of your organization.

-It is likely that the content pack has not been fully installed. You must return to the **CustomLearningAdmin** page that will appear when site provisioning is done to complete the installation. Confirm you have followed steps 10 through 12 above. Review the [provisioning video](https://www.youtube.com/watch?v=HZjxBAKVnJs&feature=youtu.be) for more detail.

-description: "In this article, you'll learn about how to remove (un-register) a hub site so that it no longer remains a hub site."

-If you're a Global Administrator or SharePoint Administrator in Microsoft 365, you can make a hub site no longer a hub site (unregister it as a hub site). Make sure you do this before you delete the hub site. When you unregister a hub site, the associated sites will not automatically disassociate from the hub site. Disassociating a site will remove the hub site navigation bar from the top of the site. The look that the site inherited from the hub site will stay the same and features such as additional navigation links, applications, or custom lists with specific columns that were added as part of the inherited hub site design will remain. Any hub-site-related web parts added to the home page will only show information from the site instead of from sites associated with the hub.

-## Related topics

-description: "In this article, you'll learn how to troubleshoot user profile removal issues in SharePoint."

- When a user or guest browses to a SharePoint site, their user information is cached in the UserInfo list. When the user or guest is deleted, their related UserInfo information is not removed. Their profile still appears, which may cause confusion when people view the people picker.

-4. Select the user, click **Select**, and then click **Delete**.

-You'll have to browse to each site collection that the user or guest visited, and then follow these steps:

- For example, the full URL will resemble the following: **`https://fabrikam.sharepoint.com/_layouts/15/people.aspx?membershipGroupId=0`**

-SharePoint uses browser caching in several scenarios, including in the people picker. Even when a user is fully removed, he or she may still remain in the browser cache. Clearing the browser history resolves this issue. For info about doing this in Edge, see [View and delete browser history in Microsoft Edge](https://support.microsoft.com/help/10607).

-As a Global Administrator or SharePoint Administrator in your organization, you can delegate app approval authority as a way of spreading the approval work around, or alleviating approval bottlenecks. Remember that apps are stored and managed in the Apps site. To grant app approval permission to select users, you can add them as site admins on the Apps site.

-|  until the conversation picks up naturally over time <br><br> **Analytics:** <br> - View [insights about questions and answers](https://support.microsoft.com/office/view-insights-about-questions-and-answers-in-viva-engage-fcde33cf-ee3f-4cc8-aa47-c6d0f3fc5dc0) in Viva Engage <br> - View insights about [Viva Engage community or group activity](https://support.microsoft.com/office/view-community-or-group-insights-in-yammer-06c5494a-d77c-410c-9464-98bc0b9dad84) <br> - [Determine how many people have seen a Viva Engage conversation](/microsoft-365/admin/activity-reports/viva-engage-activity-report)

-Microsoft Viva is made up of several apps that focus on specific employee experience areas and can be accessed in Teams. Viva apps are integrated with existing M365 apps like SharePoint, Viva Engage, and Teams. Some Viva apps can help organize, personalize, and amplify organizational communications. Other Viva apps will compliment popular business scenarios and can be combined to create more powerful experiences. [Learn more about Microsoft Viva](/viva/microsoft-viva-overview).

-The Basic Search Center is a classic search experience. To offer your users a richer search experience, you can either switch from a Basic Search Center to an Enterprise Search Center or rely on the modern search experience that SharePoint comes with. [Learn about differences between classic and modern search](./differences-classic-modern-search.md) and [when to choose which search experience](./get-started-with-modern-search-experience.md) for your organization.

-If you are currently using the Enterprise Search Center, you can easily replace (swap) it with the Basic Search Center if needed. This will result in your users seeing the classic search experience in their default search home page and default search results page. You can use the [Invoke-SPOSiteSwap](/powershell/module/sharepoint-online/invoke-spositeswap) PowerShell cmdlet to do this.

-| -ArchiveUrl | URL that the target site will be archived to. |

-Using SharePoint and OneDrive can be a big change for your users, depending on what your current systems are. Spend time understanding your user journeys - those sequences of tasks that users regularly follow in the course of their work. Determine how using SharePoint and OneDrive fit into these journeys and use that information to create a transition plan and resources to help your users.

-Your users will need to learn how to do these tasks in SharePoint and OneDrive. The resources in this article can help users learn how to do these and other tasks. If you have specific business processes around these tasks, you may need to create separate documentation for your users to incorporate that.

-If you'll be using both your existing solution and Microsoft 365 during your rollout, consider how users will navigate back and forth and include that in the guidance you give your users.

-The training resources in this section can help your users learn the everyday tasks they'll need to know to be successful with SharePoint and OneDrive.

-## Related topics

-|**Members** <br/> |**Edit** This level includes all permissions in Read, plus: <br/> View, add, update and delete Items <br/> Add, Edit and Delete Lists <br/> Delete Versions <br/> Browse Directories <br/> Edit Personal User Information <br/> Manage Personal Views <br/> Add , Update, or Remove Personal Web Parts <br/> |

-7. Some apps have the option to be added to all sites in the organization so that site owners don't have to. If you want to do this, select **Add this app to all sites**.

-9. If the app requires additional permissions, a message will appear. Select **Go to API access page** to approve the permission request.

-1. If it appears, in the **Hosting Licenses** box, specify the number of licenses you think you will need.

-If you did not choose to add an app to all sites when you enabled it, you can do so later on the Apps site.

-1. On the Manage apps page, select the app that you want to add to all sites.

-If you no longer want a specific app to be available for users to add, you can remove it from on the Manage apps page. Any instances of the app that have already been added to sites by users will remain, but the app will no longer be available for users to add to additional sites.

-## Related topics

-

-SharePoint Workflow Manager requires the server role of Web Server (IIS). If you're installing SharePoint Workflow Manager on a server without the IIS server role installed, the Workflow Manager Configuration Wizard fails with a message like *Could not load file or assembly 'Microsoft.Web.Administration'*. In addition to the features that are installed by default with the Web Server role, SharePoint Workflow Manager requires the following Web Server features:

-> [!NOTE]

-> SharePoint Workflow Manager may not be installed and configured correctly with only RODCs (read-only domain controllers) available in the network environment. It requires a RWDC (read/write domain controller).

-> SharePoint Workflow Manager supports the version 9.1 CU2 (9.1.1583.9590) of Azure Service Fabric and [higher versions](/azure/service-fabric/service-fabric-versions).

->

-> If **Windows Fabric** is already installed on your machine, you must uninstall it before installing Azure Service Fabric.

->

-> ItΓÇÖs been reported that Azure Service Fabric might generate a large number of logs, reducing the disk space. This can occur regardless of the SharePoint Workflow Manager workload. You can identify this issue by looking at the files generated in the `%ProgramData%\Microsoft Service Fabric\Log\Traces` directory. You can't control the log size through the [cluster configuration](/azure/service-fabric/service-fabric-cluster-fabric-settings#diagnostics), with only Azure Service Fabric Runtime installed. You might need to delete expired logs manually, or for example, create a periodic task through the Windows Task Scheduler to do it.

-Install **both** SharePoint Workflow Manager and SharePoint Workflow Manager Client on all servers in the **Workflow Manager** farm.

-Install **only** the SharePoint Workflow Manager **Client** on all servers in the **SharePoint Server** farm.

-To create a SharePoint Workflow Manager farm and join your servers to the farm, you can configure SharePoint Workflow Manager through the Workflow Manager Configuration Wizard.

-Logon to the SharePoint Workflow Manager server, click on ΓÇ£Workflow Manager ConfigurationΓÇ¥ and click on ΓÇ£Configure Workflow Manager with Default settingsΓÇ¥ or ΓÇ£Configure Workflow Manager with Custom SettingsΓÇ¥, depending on the requirements. If you want to use different ports, custom certificates, or custom database names, you'll want to use the "Configure Workflow Manager with Custom Settings" option.

-In this example, we will use the Default Settings option.

-> [!NOTE]

-> By default, only HTTPS (TLS / SSL) port 12290 is configured for the Workflow Management site. If you'd like to also allow communication over unencrypted HTTP port 12291, you must select the "Allow Workflow Management over HTTP on this computer" check box. This is a factor when running the Register-SPWorkflowService cmdlet later.

-Provide the necessary SQL Server and service account details in the workflow wizard.

-The configuration wizard will provide a summary of your choices before they are committed.

-> Some of the values are selected for you when you use the ΓÇ£Configure Workflow Manager with Default settingsΓÇ¥ option. If they are not correct for your environment, you may have to start the wizard over and choose ΓÇ£Configure Workflow Manager with Custom SettingsΓÇ¥.

-The configuration wizard should complete successfully. If it fails, please select the "View Log" link, find the problem and correct it before running the wizard again.

-If you are creating a multi-server SharePoint Workflow Manager farm, you must run the workflow configuration wizard on the other nodes and chose the "Join an Existing Workflow Manager Farm" option.

-### Configure App Management and Subscriptions Settings services in the SharePoint farm

-The App Management and Subscription Settings services are required in the SharePoint farm for SharePoint 2013-platform workflows to function.

-If not already set up in the SharePoint farm, on the SharePoint server, set up App Management and Subscription Settings services, service applications and service application proxies.

-The App Managment service can be created using Central Administration.

-You can use PowerShell to create a Subscription Settings Service application:

-```powershell

-$sa = New-SPSubscriptionSettingsServiceApplication -ApplicationPool 'SharePoint Web Services Default' -Name 'Subscriptions Settings Service Application' -DatabaseName 'Subscription'

-New-SPSubscriptionSettingsServiceApplicationProxy -ServiceApplication $sa

-```

-Consider the following key factors before configuring SharePoint Workflow Manager to work with SharePoint Server.

-**To configure SharePoint Workflow Manager in an environment where communication takes place using HTTP**

-> [!NOTE]

-> By default, only HTTPS (TLS / SSL) port 12290 is configured for the Workflow Management site. In order to configure the use of HTTP, the "Allow Workflow Management over HTTP on this computer" check box should have been selected when running the ΓÇ£Workflow Manager ConfigurationΓÇ¥ wizard in an earlier step.

-1. Sign-in to each server in the SharePoint Server farm.

-1. Install the SharePoint Workflow Manager **Client** on each server in the SharePoint farm.

- > [!IMPORTANT]

- > You must install the SharePoint Workflow Manager Client on each server in the SharePoint farm before you run the Register-SPWorkflowService cmdlet.

-3. On one SharePoint server, open the SharePoint Management Shell as an administrator by right-clicking the **SharePoint Management Shell** command and choosing **Run as administrator**.

-1. Run the **Register-SPWorkflowService** cmdlet to connect the SharePoint farm with the SharePoint Workflow Manager farm. The cmdlet should be run only once and can be run from any of the servers in the SharePoint farm.

- > [!NOTE]

- > The value for the -SPSite parameter can be any valid site collection within the SharePoint farm.

- > The correct value for the -WorkflowHostUri parameter can be found by running PowerShell `Get-WFFarm | select endpoints` on the SharePoint Workflow Manager server.

-**To configure SharePoint Workflow Manager in an environment where communication takes place using HTTPS**

-1. Determine whether you need to install SharePoint Workflow Manager certificates on the SharePoint servers.

- Under some circumstances, you must obtain and install SharePoint Workflow Manager certificates. If your installation requires that you obtain and install these certificates, you must complete that step before continuing. To learn whether you need to install certificates, and for instructions, see [Install Workflow Manager certificates in SharePoint Server](install-workflow-manager-certificates-in-sharepoint-server.md).

-1. Install the SharePoint Workflow Manager **Client** on each server in the SharePoint farm.

- > [!IMPORTANT]

- > You must install the SharePoint Workflow Manager Client on each server in the SharePoint farm before you run the Register-SPWorkflowService cmdlet.

-1. Run the **Register-SPWorkflowService** cmdlet to connect the SharePoint farm with the SharePoint Workflow Manager farm. The cmdlet should be run only once and can be run from any of the servers in the SharePoint farm.

- > [!NOTE]

- > The value for the -SPSite parameter can be any valid site collection within the SharePoint farm.

- > The correct value for the -WorkflowHostUri parameter can be found by running PowerShell `Get-WFFarm | select endpoints` on the SharePoint Workflow Manager server.

-Microsoft Workflow Manager cannot be upgraded in-place, and SharePoint Workflow Manager can't be placed on top of Microsoft Workflow Manager. In order to update Microsoft Workflow Manager (Classic WFM) to SharePoint Workflow Manager (SPWFM), you must uninstall any prior versions of Workflow Manager, Workflow Manager Client, and Service Bus.

-> [!NOTE]

-> You can upgrade to SharePoint Workflow Manager from any version of Microsoft Workflow Manager.

-> Because you are upgrading an existing "Classic WFM" farm to SPWFM, the WFM databases will be reused, and your existing registration and workflows should remain intact.

-> [!IMPORTANT]

-> Because the upgrade steps require that you disjoin and then rejoin an existing WFM farm, you will need the WFM "Certificate Generation Key", when rejoining. If you are not sure what that key is, and have not documented it somewhere, you may need to [Reset Certificate Generation Key](/SharePoint/governance/reset-certificate-generation-key-sharepoint-workflow-manager) before proceeding.

-> You will not be able to join the existing workflow farm without a valid Certificate Generation Key.

-1. Run the Workflow Manager Configuration Wizard.

-1. Select **Leave Workflow Manager Farm**.

-1. Confirm the subsequent steps until the end of the wizard.

-1. Repeat this step on every Microsoft Workflow Manager server in the workflow farm.

- > Each database used by Workflow Manager and Service Bus will need to be specified when rejoining the farm with SharePoint Workflow Manager. For example, the SQL Server instance and database name for the Workflow Manager farm management database and the Service Bus farm management database.

-1. Uninstall Microsoft Workflow Manager, Workflow Manager Client, Service Bus for Windows Server, and Windows Fabric if they're installed. You can uninstall them from the Control Panel. If Windows Fabric is installed, ensure you install Azure Service Fabric after uninstalling Windows Fabric.

- > [!IMPORTANT]

- > If you are installing SharePoint Workflow Manager on a SharePoint server, you may see both "Windows Fabric" and "AppFabric 1.1 for Windows Server" installed. Be sure to only uninstall Windows Fabric. **Do not uninstall AppFabric 1.1**. It is a different service, and is required for SharePoint Distributed Cache.

-1. If the folders "*%ProgramFiles%\Workflow Manager\1.0"* or *"%Program Files%\Service Bus\1.0"* already exist, you must manually remove them for the next steps to succeed.

-1. Reboot the SharePoint Workflow Manager server.

-1. If it's not already installed, use the steps from the [Prerequisites section above](/SharePoint/governance/install-and-configure-workflow-for-sharepoint-server#prerequisites) to install Azure Service Fabric.

-1. Install SharePoint Workflow Manager and SharePoint Workflow Manager Client. SharePoint Workflow Manager and SharePoint Workflow Manager Client can be downloaded from [here](https://www.microsoft.com/download/details.aspx?id=104867). The system requirements can be found on that page as well.

-1. Run the Workflow Manager Configuration Wizard and choose the "Join an Existing Workflow Manager Farm" to rejoin the previous farm. Use the database, service account, and Certificate Generation Key information used in the previous "Classic WFM" farm.

- > When upgrading, there is typically no need to delete the existing Workflow Service Application Proxy and reconnect using the Register-SPWorkflowService cmdlet. If you encounter the invalidity of the Certificate Generation Key for SharePoint Workflow Manager and Service Bus, you may need to reset it, see [Reset Certificate Generation Key](/SharePoint/governance/reset-certificate-generation-key-sharepoint-workflow-manager).

-1. Rerun the Workflow Manager Configuration Wizard, select **Upgrade Workflow Manager Farm**, and confirm subsequent steps until the end.

- > The "Upgrade Workflow Manager Farm" option is always presented in the Workflow Manager Configuration Wizard, whether an upgrade is required or not. There's no harm in running it multiple times, or when there's no upgrade pending.

-1. If there's more than one server in your Workflow Manager farm, repeat the previous steps on all workflow farm servers.

-1. Install the SharePoint Workflow Manager **Client** on each server in the SharePoint Server farm after uninstalling any previous versions.

-1. Add a user to your SharePoint site and grant the user Site Designer permissions.

-2. Install SharePoint Designer 2013 on a client machine and create a workflow based on the SharePoint 2013 Workflow platform. For more information, see [Creating a workflow by using SharePoint Designer 2013 and the SharePoint 2013 Workflow platform](/sharepoint/dev/general-development/creating-a-workflow-by-using-sharepoint-designer-and-the-sharepoint-wo).

-SharePoint Workflow Manager communicates by using TCP/IP or Named Pipes. Ensure that the appropriate communication protocol is enabled on the SQL Server instance that hosts the SharePoint Workflow Manager databases.

-1. A SharePoint Server Subscription Edition (SPSE) farm

-In this step, you need to modify the SharePoint Server farm properties based on the version of your SharePoint Server farm.

-Starting with SharePoint Server Subscription Edition Version 24H1 (March 2024), you can configure SharePoint Server farm properties by employing SharePoint Certificate Management to manage the nonce cookie certificate. The nonce cookie certificate is part of the infrastructure to ensure OIDC authentication tokens are secure. Run the following script to configure:

-> [!Note]

-> Start the SharePoint Management Shell as a farm administrator to run the following script. Read the instructions mentioned in the following PowerShell script carefully. You will need to enter your own environment-specific values in certain places.

-# Update farm property

-Prior to the 24H1 (March 2024) update, the nonce cookie certificate must be managed manually. This includes manually installing it on each server in the farm and setting permissions on the private key. The following PowerShell script can be used to accomplish that.

-> [!Note]

-> Start the SharePoint Management Shell as a farm administrator to run the following script. Read the instructions mentioned in the following PowerShell script carefully. You will need to enter your own environment-specific values in certain places.

-# Then update farm properties

-> [!IMPORTANT]

-> The nonce cookie certificate, with private key, must be installed on all SharePoint servers in the farm. Also, permission to the private key must be given to the web application pool service account on each server. Failure to complete this step will result OIDC authentication failures.

-> It's recommended to use the PowerShell example above to set permission on the private key file to ensure it's done correctly.

-In this step, you create a `SPTrustedTokenIssuer` that stores the configuration that SharePoint needs to trust Microsoft Entra OIDC as the OIDC provider.

- - By using the metadata endpoint, several parameters you need are automatically retrieved from the metadata endpoint.

-> Follow either the manual configuration steps or the metadata endpoint steps, but not both.

-> Using the metadata endpoint is recommended because it simplifies the process.

-### Configure SharePoint to trust Microsoft Entra OIDC by using metadata endpoint

-SharePoint Server Subscription Edition now supports using the OIDC metadata discovery capability when creating the Trusted Identity Token Issuer.

-In Microsoft Entra ID, there are two versions of OIDC discovery endpoints:

-> [!IMPORTANT]

-> Currently, SharePoint Server only supports the v1.0 metadata endpoint when used to create the Trusted Identity Token Issuer. The example PowerShell script below uses the V1.0 endpoint.

-When you use the metadata endpoint provided by the OIDC identity provider, some of the configuration is retrieved from the OIDC provider metadata endpoint directly, including:

-1. Certificate

-2. Issuer

-3. Authorization Endpoint

-4. SignoutURL

-This can simplify the configuration of the OIDC token issuer.

-With the following PowerShell example, we can use metadata endpoint from Microsoft Entra ID to configure SharePoint to trust Microsoft Entra OIDC.

-# In this example, we're using Email Address as the Identity claim.

-# Set the AAD metadata endpoint URL. Please replace <TenantID> with the value saved in step #3 in the Entra ID setup section

-$metadataendpointurl = "https://login.microsoftonline.com/<TenantID>/.well-known/openid-configuration"

-# Please replace <Application (Client) ID> with the value saved in step #3 in the Entra ID setup section

-New-SPTrustedIdentityTokenIssuer -Name "contoso.local" -Description "contoso.local" -ClaimsMappings $emailClaimMap -IdentifierClaim $emailClaimMap.InputClaimType -DefaultClientIdentifier $clientIdentifier -MetadataEndPoint $metadataendpointurl -Scope "openid profile"

-|ImportTrustCertificate | A certificate that is used to validate `id_token` from OIDC identifier. |

-| MetadataEndPoint | Specifies the well-known metadata endpoint from OIDC identity provider, which can be used to retrieve latest certificate, issuer, authorization endpoint, and sign out endpoint. |

-### Configure SharePoint to trust Microsoft Entra ID as the OIDC provider manually

-When configuring manually, several additional parameters must be specified. You can retrieve the values from the OIDC discovery endpoint.

-In Microsoft Entra ID, there are two versions of OIDC authentication endpoints. Therefore, there are two versions of OIDC discovery endpoints respectively:

-Replace TenantID with the **Directory (tenant) ID** saved in [Step 1: Setup identity provider](#step-1-setup-identity-provider) and connect to the endpoint through your browser. Then, save the following information:

-| Value | Link |

-|||

-| authorization_endpoint | `https://login.microsoftonline.com/<tenantid>/oauth2/authorize` |

-| end_session_endpoint | `https://login.microsoftonline.com/<tenantid>/oauth2/logout` |

-| issuer | `https://sts.windows.net/<tenantid>/` |

-| jwks_uri | `https://login.microsoftonline.com/common/discovery/keys` |

-Open jwks_uri (`https://login.microsoftonline.com/common/discovery/keys`) and save all the **x5c** certificate strings for later use in SharePoint setup.

-Start the SharePoint Management Shell as a farm administrator, and after entering the values you obtained above, run the following script to create the Trusted identity Token Issuer:

-# In this example, we're using Email Address as the identity claim.

-# Public key of the AAD OIDC signing certificate. Please replace <x5c cert string> with the encoded cert string which you get from x5c certificate string of the keys of jwks_uri from Step #1

-$encodedCertStrs = @()

-$encodedCertStrs += <x5c cert string 1>

-$encodedCertStrs += <x5c cert string 2>

-...

-$certificates = @()

-foreach ($encodedCertStr in $encodedCertStrs) {

- $certificates += New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 @(,[System.Convert]::FromBase64String($encodedCertStr))

-}

-# Set the AAD OIDC URL where users are redirected to authenticate. Please replace <tenantid> accordingly

-$authendpointurl = "https://login.microsoftonline.com/<tenantid>/oauth2/authorize"

-$registeredissuernameurl = "https://sts.windows.net/<tenantid>/"

-$signouturl = "https://login.microsoftonline.com/<tenantid>/oauth2/logout"

-# Please replace <Application (Client) ID> with the value saved in step #3 in AAD setup section

-New-SPTrustedIdentityTokenIssuer -Name "contoso.local" -Description "contoso.local" -ImportTrustCertificate $certificates -ClaimsMappings emailClaimMap -IdentifierClaim $emailClaimMap.InputClaimType -RegisteredIssuerName $registeredissuernameurl -AuthorizationEndPointUri $authendpointurl -SignOutUrl $signouturl -DefaultClientIdentifier $clientIdentifier -Scope "openid profile"

-Here, `New-SPTrustedIdentityTokenIssuer` PowerShell cmdlet is extended to support OIDC by using the following parameters:

-|ImportTrustCertificate | Imports a list of X509 Certificates, which is used to validate `id_token` from OIDC identifier. If the OIDC identity provider (IDP) uses more than one certificate to digital sign the `id_token`, import these certificates and SharePoint validates `id_token` by matching the digital signature generated by using these certificates. |

-| RegisteredIssuerName | Specifies the issuer identifier, which issues the `id_token`. It's used to validate the `id_token`. |

-| AuthorizationEndPointUrl | Specifies the authorization endpoint of the OIDC identity provider. |

-| SignoutUrl | Specifies the sign out endpoint of the OIDC identity provider. |

-| ResponseTypesSupported | Specifies the response type of IDP, which is accepted by this token issuer. It can accept two strings: `id_token` and `code id_token`. If this parameter isn't provided, it uses `code id_token` as default. |

-> [!IMPORTANT]

-> In order for the UPA-backed claim provider to work, users and groups must be imported into the User Profile Service Application. This can be challenging for cloud-only users and groups. You may instead consider implementing a [custom claims provider](/sharepoint/dev/general-development/how-to-create-a-claims-provider-in-sharepoint) to provide "People Picker" functionality.

- > [!IMPORTANT]

- > AD Import cannot import user profiles from Microsoft Entra ID. It can only import user profiles from on-premises Active Directory. In order to get cloud-only users and groups into the UPSA, you may need to utilize MIM.

- > You may also consider implementing a [custom claims provider](/sharepoint/dev/general-development/how-to-create-a-claims-provider-in-sharepoint) to provide "People Picker" functionality.