Updates from: 04/23/2024 02:00:49
Service Microsoft Docs article Related commit history on GitHub Change details
SharePoint Brand Center Font Packages https://github.com/MicrosoftDocs/OfficeDocs-SharePoint/commits/public/SharePoint/SharePointOnline/brand-center-font-packages.md
+ Last updated : 04/18/2024
+ Title: Brand center font packages
++++
+audience: Admin
+f1.keywords:
+- NOCSH
++
+ms.localizationpriority: medium
+search.appverid:
+- MET150
+
+- M365-collaboration
+
+- admindeeplinkSPO
+
+description: "Learn what font packages are, default font packages, components of a font package, the accessibility consideration for font packages, and supported custom font packages in SharePoint sites and Viva Connections."
+
+# Font packages
+
+A font package is a collection of fonts that are packaged together. Font packages are used in SharePoint and Viva Connections to control how the fonts look in different areas within each product.
+
+Typography provides the visual framework for presenting text. It's an important part of expressing a brand or creating a beautiful design. You'll often see multiple terms mixed or used interchangeably when referring to typography, such as typeface and fonts A typeface is the entire font family while a font is an individual font style. We often use these terms interchangeably. We refer to fonts to cover both scenarios for the SharePoint brand center.
+
+> [!NOTE]
+> Known Limitations:
+>
+> - Custom fonts are set at the site or Viva Connections experience level.
+>- A font package applied to the Homesite backing the Viva Connections desktop experience also applies to the Viva Connections desktop experience.
+>- A font package applied to the Viva Connections desktop experience also applies to the attached/associated SharePoint homesite.
+>- Font packages will not be pushed down to hub associated sites.
+> - Font packages cannot be deleted from the brand center app, they can be edited or made not visible to remove from selection experiences.
+
+You have the option to select from the standard font packages or a custom font package for your organization to modify the fonts of your SharePoint site or Viva Connections experience. The font packages that Microsoft offers are created to build on the Microsoft brand, while also enabling versatility to invigorate our partnerships without overpowering them. They show our shared goals and personality, and they represent our diversity and ability to optimize your experiences.
+
+## Default font packages
+
+- Microsoft default: Segoe UI
+
+- Amasis Pro
+
+- Aptos-Aptos Serif
+
+- Georgia Pro Condensed-Verdana Pro Condensed
+
+- Office: Aptos Display-Aptos
+
+- Sitka Heading-Sitka Text
+
+- Verdana Pro-Georgia Pro
+
+- Walbaum-Trade Gothic Next
+
+These font packages have been designed for readability, so you might find them useful starting points for creating custom font packages.
+
+## Anatomy of a font package
+
+Each font package is composed of two font families. We consider these to be our Display and Content fonts.
+
+### Display font
+
+The display font is a more decorative or eccentric typeface that is used for larger and more prominent elements of text. A display font is often used to express the feel of a brand. These are often slab serif, script, decorative, uppercase only typefaces.
+
+### Content font
+
+The content font is used more widely to ensure consistency and legibility at all sizes. A content font should be identified and ideally have a range of weights and styles to fit a wide range of scenarios. This font should be considered as the baseline for most of your content and should be the most legible font from your brand.
+
+## Font slot mappings
+
+Font packages use four font slots that correspond to different parts of the experience. For each part, you pick a font and font style that will change the fonts of different components based on these chosen font styles. These include:
+
+### Title
+
+The title font is used to identify the most distinct items for your experience. Consider using your display font.
+
+### Headline
+
+The headline font is used for a variety of headings and titles in the experience. Consider your content font in a bold or semibold style.
+
+### Body
+
+The body font is used in more versatile ways and should be easy to read. Consider your content font in a normal or regular style.
+
+### Interactive
+
+The interactive font is used for items that trigger action, such as buttons. Consider using your content font with a bold or semibold style.
+
+### Create your own font packages
+In the SharePoint brand center, a brand manager is able to create custom font packages for your organization. These font packages are available in the Change the Look experience for site owners and Viva Connections operators to apply to their sites and experiences.
+
+> [!NOTE]
+> To create a custom font package, you must upload your organizationΓÇÖs fonts to the brand fonts library.
+
+Visit the SharePoint or Viva Connections branding experiences and select **New Font Package**
+
+**Step 1**: Select display and content fonts using the font families visible in your Brand fonts library. You can select up to two different font families, you can select the same font family for both display and content fonts if desired.
+
+**Step 2**: Select your font family and font style for each of the four font slot mappings.
+
+**Step 3**: Name your font package and preview in different experiences. Determine the Visible setting for your font package.
+
+![Screenshot of step 3 of creating a new font package.](media/brand-center-font-package-creation-step3.png)
+
+## Pay attention to Accessibility
+
+An accessible font doesn't exclude or slow down the reading speed of anyone reading the text on your site, including people with low vision, or reading disability. The right font improves the legibility and readability of the text on a page.
+
+To reduce the reading load, select familiar fonts such as Segoe UI or Aptos. Avoid using all capital letters and excessive italics or underlines.
+
+A person with a vision disability might miss out on the meaning conveyed by particular colors. For example, add an underline to color-coded hyperlink text so that people who are color-blind know that the text is linked even if they canΓÇÖt see the color. For headings, consider adding bold or using a larger font.
+
+The text on your site should be readable in a high contrast mode. For example, use bright colors or high-contrast color schemes on opposite ends of the color spectrum. White and black schemes make it easier for people who are color-blind to distinguish text and shapes.
+
+For instructions on how to work with fonts and text, go to [Add accessible content and links to a SharePoint Online site](https://support.microsoft.com/office/add-accessible-content-and-links-to-a-sharepoint-online-site-dc34fac7-32d7-4dcf-b694-2cc6115ac8b9#PickTab=Online_Modern_Experience) and [Add text to a SharePoint space](https://support.microsoft.com/office/add-text-to-a-sharepoint-space-1b88da65-b38f-4a77-984a-0d4e5d2faf0e).
+
+## Use a font package to change the fonts in your experience
+
+With the introduction of the brand center app, custom fonts become available to Site owners to use from the **Change the Look panel** to customize the look and feel of their content. Once you have created a font package for your organization the ΓÇ£From my organizationΓÇ¥ section of the Font packages dropdown to the **Change the Look** \> **Font (preview)** panel.
+
+![Screenshot of changing the font from the font preview panel.](media/brand-center-change-look-org-section.png)
+
+Learn more about [Change the Look.](https://support.microsoft.com/office/change-the-look-of-your-sharepoint-site-06bbadc3-6b04-4a60-9d14-894f6a170818)
+
+## Font Packages in SharePoint
+
+### Supported custom fonts components in SharePoint
+
+Custom fonts are currently supported in the following areas:
+
+1. Site header - site title
+
+1. Hub header ΓÇô hub title
+
+1. Navigation (hub and site) ΓÇô links and labels
+
+1. News web part
+
+1. Page title region
+
+1. Quick links web part
+
+1. Button
+
+1. Dashboard for Viva Connections
+
+1. Image web part
+
+1. Site header - finish
+
+1. Section heading
+
+1. Hero web part
+
+1. Sites web part
+
+1. People web part
+
+1. Call to action web part
+
+1. Text web part (RTE)
+
+1. All web part titles (from Microsoft)
+
+## Font packages in Viva Connections
+
+### Supported custom fonts components in Viva Connections
+
+Custom fonts are currently supported in the following areas:
+
+1. Welcome/Greeting text
+
+1. Section Headings
+
+1. Dashboard cards Level 1
+
+1. Resources
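Review bot: the Known Limitations callout and the "Use a font package to change the fonts in your experience" paragraph both carry text defects that will ship as written. In the callout the bullets mix `> - ` and `>- ` prefixes (the lines beginning "> - Custom fonts are set" and ">- A font package applied"), which renders inconsistently; make them all `> - `. The sentence "Once you have created a font package for your organization the "From my organization" section of the Font packages dropdown to the **Change the Look** > **Font (preview)** panel." has no verb; something like "...appears in the Font packages dropdown in the Change the Look > Font (preview) panel" reads correctly. The curly quotes and apostrophes appear as ΓÇÖ / ΓÇ£ / ΓÇ¥ throughout, which suggests the file was saved in a non-UTF-8 code page; confirm the file is UTF-8 before merge. Minor: "typeface and fonts A typeface" needs a period, "Site header - finish" in the SharePoint list is unclear, and "### Create your own font packages" is a sibling of the other "##" sections rather than a child of "Font slot mappings".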
SharePoint Brand Center Overview https://github.com/MicrosoftDocs/OfficeDocs-SharePoint/commits/public/SharePoint/SharePointOnline/brand-center-overview.md
+ Last updated : 04/18/2024
+ Title: SharePoint Brand Center
++++
+audience: Admin
+f1.keywords:
+- NOCSH
++
+ms.localizationpriority: medium
+search.appverid:
+- MET150
+
+- M365-collaboration
+
+- admindeeplinkSPO
+
+description: "Learn what SharePoint Brand Center is, how to set it up and manage it, and learn about brand assets."
++
+# SharePoint brand center
+
+The SharePoint brand center offers a centralized branding management application that empowers your brand managers or designated brand owners to help your organization to customize the look and feel of their experiences.
+
+With this new brand asset management system, you can handle your colors, fonts, and images, and other assets all in one place.
+
+## What is the brand center?
+
+The brand center uses the SharePoint Organization Asset Library (OAL) to store and manage assets in the background. The brand center app is located in a designated site within your tenant.
+
+![Screenshot of Brand Center preview overview.](media/brand-center-preview.png)
+
+> [!NOTE]
+> The SharePoint brand center currently only allows one brand center for your organization, and the Global Administrator sets it up.
+
+The brand center app lets you access and manage your organization's brand assets from one central place. By using the brand center app, you can make sure that your organization's brand identity is coherent and professional in all your communication channels. You can also save time and resources by avoiding duplication and confusion of brand assets, and by empowering your employees to create high-quality branded content.
+
+## Setting up the brand center
+
+To enable the new brand center the global administrator needs to perform a set of simple steps in the Microsoft 365 admin center to create/activate the Brand center app. The brand center app requires the use of Public CDN.
+
+The brand center administrative experience finds the site that has your organizationΓÇÖs existing organization asset libraries if you're using them and base your brand center on this site. If you aren't using the organization asset library feature, we'll prompt you to make a new site to be your brand center.
+
+When you turn on the SharePoint brand center for your organization, this lets you use the custom fonts feature in SharePoint and Viva Connections. You can find more details in the Message Center post for Custom Fonts.
+
+To enable the SharePoint brand center, the global administrator needs to perform a few simple steps in the Microsoft 365 admin center to create/activate the Brand center app.
+
+The steps required depend on your current tenant configuration. The following describes steps you need to do for each of the three scenarios:
+
+- Scenario 1: Your tenant doesn't currently utilize the SharePoint Organization Assets feature.
+
+- Scenario 2: Your tenant uses the SharePoint Organization Assets feature with Private CDN.
+
+- Scenario 3: Your tenant uses the SharePoint Organization Assets feature with Public CDN.
+
+![Screenshot of accessing brand center from microsofto 365 admin center.](media/mac-brand-center.png)
+
+**Scenario 1:** Your tenant doesn't currently utilize the SharePoint Organization Assets feature.
+
+For this scenario, the global administrator performs the following steps to create the Brand center app.
+
+1. In the admin center, go to **Settings \> Org settings**.
+
+1. Select **Brand center (preview)**.
+
+1. Choose site name for the Brand Center site ΓÇô Suggested ΓÇ£Brand GuideΓÇ¥.
+
+1. Read and give consent to the use of Public CDN in your tenant for the Brand center.
+
+1. Create the site and configure Public CDN in your tenant.
+
+1. Add site owners to the Brand center site you created and share the link to the site to those owners to unlock the Brand center app.
+
+**Scenario 2:** Your tenant uses the SharePoint Organization Assets feature with Private CDN.
+
+For this scenario, the global administrator performs the following steps to create the Brand center app.
+
+1. In the admin center, go to **Settings \>** **Org settings**.
+
+1. Select **Brand center (preview)**.
+
+1. The Brand center recognizes your existing organization assets site location and will utilize this as the location for the Brand center app.
+
+1. Read and give consent to the use of Public CDN in your tenant for the Brand center.
+
+1. Activate Public CDN in your tenant.
+
+1. Copy and share the link to the Brand center site/app to your site owners to unlock the Brand center app.
+
+**Scenario 3:** Your tenant uses the SharePoint Organization Assets feature with Public CDN.
+
+For this scenario, the global administrator needs to perform the following steps to create the Brand center app.
+
+1. In the admin center, go to **Settings \> Org settings**.
+
+1. Select **Brand center (preview)**.
+
+1. The Brand center recognizes your existing organization assets site location and will utilize this as the location for the Brand center app.
+
+1. Activate the Brand center app for your organization.
+
+1. Copy and share the link to the Brand center site/app to your site owners to unlock the Brand center app.
+
+After you finish setting up your SharePoint brand center, you can control who can access the brand center app by customizing the site permissions of the brand center site. Site owners of the brand center site will be able to use the brand center app.
+
+![Screenshot of accessing sharepoint admin center from MAC.](media/brand-center-admin-setup-final.png)
+
+## Managing the brand center
+
+The SharePoint brand center includes two levels of management: the Microsoft 365 Admin Center and the Brand Center associated SharePoint site. Within the Microsoft 365 Admin Center, the global administrator has control over the enablement of the Brand Center and easy access to the associated site with management in the SharePoint Admin Center.
+
+From the Brand center associated site, the Global administrators, site administrators, and owners can update the site permissions in the SharePoint Admin Center such as adding more brand managers to the experience. You can do this by adding members to the site ownersΓÇÖ group. Within the app itself, the brand managers are able to upload and manage their organizationΓÇÖs brand assets.
+
+|Who?|Where?|What?|
+|-||--|
+|Global administrator|Microsoft 365 Admin Center|- Enablement of the brand center <br> -Access to the SharePoint Admin Center of the brand center site|
+|- Global administrator<br>- Site administrator<br >- Site owner|Microsoft 365 Admin Center|Update permissions|
+
+> [!NOTE]
+> The brand center app is limited to brand font management while in Preview.
+
+## Managing brands in Multi-geo organizations
+
+One of the challenges of managing brand assets across geographies is ensuring consistency and compliance with local regulations and cultural preferences. Brand managers need to be able to adapt their brand assets to different markets and languages, while still maintaining a unified and recognizable brand identity.
+
+The SharePoint brand center currently only creates a single brand center app in the primary geo of a tenant. We havenΓÇÖt changed anything about how this impacts the current multi-geo operations for Organization Asset Image or Template Libraries. However, for custom fonts to work across geographies, the following requirements must be met:
+
+Each additional geography where custom fonts are wanted must have an organization asset library set up in a site that uses the Public CDN. Once these requirements are met, custom fonts show up in the **Change the Look** panel and will work in that geography.
+
+> [!NOTE]
+> This does not impact Organization Asset Image Libraries and Template Libraries.
+
+## Brand Assets
+
+Every organization has a set of brand assets that are important for expressing its brand identity. Brand assets are the things that give your brand its distinctive look, sound, and feel. They include your logo, colors, fonts, images, voice, and guidelines. You use your brand assets to show your brand personality and style in all the places where you communicate with your customers, such as websites, social media, marketing materials, presentations, and products. When you use your brand assets well, you make your brand more memorable, trustworthy, and unique.
+
+One of the challenges of managing brand assets is to ensure consistency and quality across different platforms and devices. You want your brand to look sharp and professional everywhere, without spending too much time and effort on resizing, formatting, or providing appropriate access to your users.
+
+The SharePoint brand center makes the management of brand assets simple across the Microsoft 365 product ecosystem. This centralized management system enables both asset management along with customization for how the assets are utilized within each product.
+
+### Brand Images
+
+SharePoint offers a feature called the organization asset library (OAL), which allows you to store and access your brand images from a central location. You can upload and manage your organization's logos, icons, backgrounds, and other images in a centralized library that can be accessed by all your users. This way, you can ensure that your team members have access to the latest and most relevant images that reflect your brand identity and message. You can also use organization assets to create templates and themes that incorporate your images and fonts, making it easy to create professional and consistent slides and documents.
+
+Learn more about [image asset management](/sharepoint/organization-assets-library).
+
+### Brand Fonts
+
+A font isn't just a way of writing. It's a visual feature that connects your content to your brand and expresses your tone and character. A font can give your content a professional, creative, friendly, or authoritative appearance, depending on the typeface, size, color, and spacing you use.
+
+For SharePoint and Viva Connections experiences, an organization uses the SharePoint brand center to control your organizationΓÇÖs fonts. This helps you make sure that your font selections are coherent and match your brand identity and guidelines.
+
+Learn more about [brand fonts in the SharePoint brand center](/sharepoint/brand-fonts).
+
+Organization font support for PowerPoint for the web is also available utilizing the organization assets infrastructure. Customers with E3 or E5 licenses can take advantage of Organization Font Support in PowerPoint for the web to edit and display their fonts.
+
+Learn more about [brand organization fonts for PowerPoint for the web](/sharepoint/support-for-organization-fonts-in-powerpoint-for-the-web).
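Review bot: the "Setting up the brand center" section states the enablement sentence twice ("To enable the new brand center the global administrator needs to perform a set of simple steps..." and, four paragraphs later, "To enable the SharePoint brand center, the global administrator needs to perform a few simple steps..."); keep one. The management table is malformed: the separator row `|-||--|` has an empty middle cell, so the table will not render, and `<br >` in the last row is not a valid tag; use `|-|-|-|` and `<br>`. That same row lists "Update permissions" under Microsoft 365 Admin Center, while the paragraph above says permissions are updated in the SharePoint Admin Center or from the brand center site; align the two. From an access-control standpoint, each scenario ends with "share the link to the Brand center site/app to your site owners to unlock the Brand center app", and the text later says "Site owners of the brand center site will be able to use the brand center app"; state in the steps that site ownership of the brand center site is what grants app access, so admins add owners deliberately rather than treating the link as the grant. The Public CDN consent step in scenarios 1 and 2 would also benefit from a cross-reference to the licensing article's warning that uploaded fonts and the generated catalog are publicly accessible, since that exposure is what the consent covers. Typo: "microsofto 365" in the image alt text.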
SharePoint Brand Font Licensing https://github.com/MicrosoftDocs/OfficeDocs-SharePoint/commits/public/SharePoint/SharePointOnline/brand-font-licensing.md
+ Last updated : 04/19/2024
+ Title: Brand font licensing
++++
+audience: Admin
+f1.keywords:
+- NOCSH
++
+ms.localizationpriority: medium
+search.appverid:
+- MET150
+
+- M365-collaboration
+
+- admindeeplinkSPO
+- onedrive-toc
+description: "Learn about brand center font licensing."
++
+# Font Licensing for the brand center
+
+Fonts are a kind of software. Like many other kinds of software, you get a license to use font files instead of buying them. Different vendors have different licenses for their fonts, but most licenses, including the ones for the fonts Microsoft provides with applications and Windows, don't let you put the fonts in applications or share them with others.
+
+Any font used in Microsoft 365 applications requires a font license that covers the conditions of font usage for the intended product. This could include a webfont license, application license, desktop license, server license, or several other license types.
+
+> [!WARNING]
+> By using this feature and publishing font files, a font catalog is created. The newly created font catalog files are publicly stored, along with the fonts, in the cloud and won't respect the site classification guidelines if the Organization Asset Library is hosted in Restricted SharePoint Site. The font catalog files contain font names and other font related metadata. The files are accessible to anyone, even people outside of your organization, who can get the URLs that link to them.
+
+Don't use this feature if your fonts contain proprietary information, or if they have license usage restrictions, such as restrictions on cloud hosting, or your organization isn't comfortable making the fonts publicly available.
+
+## Microsoft provided fonts
+
+Microsoft provides a set of fonts for usage in Microsoft 365 applications. A Microsoft 365 application can use the fonts to render content to a screen, allow that content to be edited, and allow that content to be output to a device, like a printer. 
+
+Some of the fonts supplied with the Brand center were created specifically for Microsoft by leading type designers and type design companies (known as font foundries). Other fonts were licensed to Microsoft from font foundries for inclusion with Microsoft 365 applications.
+
+Reference: [Cloud fonts in Office - Microsoft Support](https://support.microsoft.com/office/cloud-fonts-in-office-f7b009fe-037f-45ed-a556-b5fe6ede6adb?ui=en-us&rs=en-us&ad=us)
+
+> [!NOTE]
+> Microsoft provided fonts are available to Microsoft 365 subscribers.
+
+## Custom brand fonts
+
+For fonts obtained elsewhere or supplied with other apps, you'll need to review the license agreements that accompany those applications.
+
+**Why must I dig up and read those agreements?**
+
+We're sorry, but Microsoft canΓÇÖt provide guidance to fonts that we didnΓÇÖt supply.
+
+The rights we provide you for Windows supplied fonts are considered quite broad, and itΓÇÖs possible that other font licenses, even some free ones, may be more restrictive.
+
+Some font foundries may give away ΓÇ£freeΓÇ¥ versions of fonts with limited licenses and make their money selling extended rights.
+
+Some font licenses may restrict commercial use, require attribution, and restrict redistribution or commercial redistribution of documents that include embedded versions of the font.
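Review bot: the WARNING block is the central statement of this article but it is disconnected from the licensing conclusion it supports. It says the catalog files and fonts "are publicly stored ... in the cloud" and are "accessible to anyone, even people outside of your organization, who can get the URLs", and the Custom brand fonts section later notes that licenses may "restrict redistribution"; tie the two together so readers understand that uploading a font whose license restricts cloud hosting or redistribution is itself the act that can breach the license. The clause "won't respect the site classification guidelines if the Organization Asset Library is hosted in Restricted SharePoint Site" should also say concretely that the site's restricted-access controls do not apply to the published font and catalog URLs, since that is what an admin evaluating a restricted site needs to know. Minor: the H1 "Font Licensing for the brand center" uses title case while the other new articles use sentence case, and the ΓÇÖ / ΓÇ£ / ΓÇ¥ sequences indicate the file is not UTF-8 encoded.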
SharePoint Brand Fonts https://github.com/MicrosoftDocs/OfficeDocs-SharePoint/commits/public/SharePoint/SharePointOnline/brand-fonts.md
+ Last updated : 04/18/2024
+ Title: Brand fonts
++++
+audience: Admin
+f1.keywords:
+- NOCSH
++
+ms.localizationpriority: medium
+search.appverid:
+- MET150
+
+- M365-collaboration
+
+- admindeeplinkSPO
+- onedrive-toc
+description: "Learn what brand fonts are, how to add brand fonts to the brand center, and how to locate custom fonts on the web. Learn how to install and manage custom fonts, and supported font file types."
+
+# Brand Fonts
+
+The choice of font can have a significant impact on the look and feel of your content. A font can convey your brand personality, tone, and style, as well as enhance the readability and aesthetics of your text. Whether you want to create a professional, elegant, playful, or creative impression, using a font that matches your brand identity can help you stand out from the crowd and connect with your audience.
+
+![Screenshots of brand fonts.](media/brand-fonts.png)
+
+Brand fonts are your organizationΓÇÖs fonts that are uploaded and managed within the SharePoint brand center. In this article, we talk about how to manage your brand fonts so you can use them in Microsoft 365.
+
+There are different types of font format types and font file types. The way a font is used, digital, or printed, can change the font file type needed.
+
+### Web-safe fonts
+
+Web-safe fonts are a set of fonts that are widely used and available on most devices by default. They're designed to be compatible with different browsers and operating systems, and to reduce the risk of font substitution or distortion.
+
+## Adding brand fonts to the brand center
+
+SharePoint and Viva Connections include a set of font options that are available for use within Microsoft web products.
+
+However, sometimes you may want to use a custom font that youΓÇÖve created, purchased, or downloaded from somewhere else. These custom fonts might be more accurate to how you would like to represent your brand within Microsoft 365 applications like SharePoint and Viva Connections.
+
+### Locate custom fonts on the Web
+
+You can also get and use fonts that are installed with other applications, or download fonts from the Internet. Some fonts on the Internet are sold commercially, some are shareware, and some are free. The [Microsoft Typography site](https://www.microsoft.com/en-us/Typography/default.aspx) site provides links to other font foundries (the people or businesses outside of Microsoft who make and offer fonts) where you can find more fonts.
+
+## Install a custom brand font
+
+After choosing your custom brand font, you'll need to upload it into the SharePoint brand center so that it can be part of your font packages. You'll go to the Brand Fonts library from the Brand center app.
+
+1. Download or locate your custom brand font files. These often come in .zip folders.
+
+1. If the font files are zipped, unzip them by right-clicking the .zip folder and then clicking **Extract**.
+
+1. Navigate to the Brand fonts library in the SharePoint brand center app. Using the upload button
+
+After the brand font files are uploaded our system extracts the needed metadata from the font files for use in the Brand center.
+
+> [!NOTE]
+> There's a slight delay in the time from upload until this metadata is populated into the library and the font is available for use.
+
+### Supported font file types:
+
+| Font file type | File extension |
+|-|-|
+| True Type fonts | .ttf |
+| Open Type fonts | .otf |
+| Web Open Format Font | .woff |
+| Web Open Format Font | .woff2 |
+
+The Web Open Format file is a web-only font format that compresses the fonts to make them load faster on websites. This format can't be used for other purposes, such as installing the fonts on your computer. WOFF 2.0 is the ideal format for web fonts being used on SharePoint and Viva Connections. These fonts work well on the web but not in graphics software.
+
+Font file Size Limit: 10 MB
+
+## Manage your custom brand fonts
+
+To manage your custom brand fonts, you'll need to navigate to the Brand Fonts library in the Brand center app.
+
+1. Select your custom font file from the library.
+
+1. Edit the Visible property on your font file to control the availability of the font for experiences.
+
+> [!NOTE]
+> Deletion of custom brand fonts is not allowed from the Brand center app at this time.
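Review bot: step 3 of "Install a custom brand font" is an unfinished sentence: "Navigate to the Brand fonts library in the SharePoint brand center app. Using the upload button". Complete it, for example "...and upload the extracted font files using the upload button." Because the "Locate custom fonts on the Web" section encourages downloading fonts from the Internet and the text says "our system extracts the needed metadata from the font files", the install procedure should cross-reference the licensing article's warning that uploaded fonts become publicly accessible, so that the license check happens before upload rather than after. Other points: "### Web-safe fonts" is an H3 with no H2 above it; "True Type" and "Open Type" in the table are normally written TrueType and OpenType; the heading "### Supported font file types:" should not end with a colon; and "Font file Size Limit: 10 MB" should be a sentence or a table row rather than a bare label.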
SharePoint Information Architecture Modern Experience https://github.com/MicrosoftDocs/OfficeDocs-SharePoint/commits/public/SharePoint/SharePointOnline/information-architecture-modern-experience.md
Previously updated : 09/19/2018 Last updated : 04/22/2024 Title: "Introduction to SharePoint information architecture"
SharePoint [hubs](https://support.microsoft.com/office/what-is-a-sharepoint-hub-
Hub navigation appears above the local navigation on each site, just below the suite bar, as shown in the image earlier in this article. Hub navigation is established in the site that is declared to be the hub. It's defined by the hub owner and is shared by all the associated sites.
-![SharePoint hubs example](media/hub_nav_example.png)
+![SharePoint hubs example](media/hub-nav-home-example.png)
Each site can belong to only one hub at a time, but you can associate hubs together in a combination of navigation links and associated hubs as part of your navigation experience. For more information, see [Planning your SharePoint hubs](./planning-hub-sites.md).
Where you see local navigation elements:
**Team site navigation**
-![Team site navigation](media/team_site_nav.png)
+![Team site navigation](media/team-site-nav.png)
**Communication site navigation**
-![Communication site navigation](media/comm_site_nav.png)
+![Communication site navigation](media/comm-site-nav.png)
### Sites
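Review bot: these hunks only rename the image references (media/hub_nav_example.png to media/hub-nav-home-example.png, and the two navigation screenshots from underscores to hyphens); confirm the renamed files are part of the same commit and that the old underscore-named files are either removed or no longer referenced elsewhere, otherwise the article ships with broken images. The surrounding text still refers to "the image earlier in this article", which should be checked against the renamed hub navigation image.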
SharePoint Install And Configure Workflow For Sharepoint Server https://github.com/MicrosoftDocs/OfficeDocs-SharePoint/commits/public/SharePoint/SharePointServer/governance/install-and-configure-workflow-for-sharepoint-server.md
Previously updated : 3/14/2023 Last updated : 4/22/2024 audience: ITPro f1.keywords: - NOCSH
description: "Learn how to install and configure workflow in SharePoint Server."
[!INCLUDE[appliesto-2013-2016-2019-SUB-xxx-md](../includes/appliesto-2013-2016-2019-SUB-xxx-md.md)] This article contains the information and procedures required to configure SharePoint Workflow Manager (SPWFM) for SharePoint Server.- > [!NOTE] >There are two separate workflow engine products that power the SharePoint 2013 Workflow platform: Microsoft Workflow Manager ("Classic WFM") and SharePoint Workflow Manager (SPWFM). Microsoft Workflow Manager is no longer available to be installed, whereas SharePoint Workflow Manager has been released to replace it. Hence, the instructions outlined in this document explain how to install SharePoint Workflow Manager.
-> [!IMPORTANT]
-> The steps in this article apply to SharePoint Server. The SharePoint 2013 Workflow platform is not supported in SharePoint Foundation 2013.
-
-> [!NOTE]
-> You can watch a video series that walks through the process of installing and configuring the SharePoint 2013 Workflow platform. To view the videos, see [Video series: Install and configure Workflow in SharePoint Server 2013](video-series-install-and-configure-workflow-in-sharepoint-server-2013.md).
-
-Learn about [Workflows for SharePoint in Microsoft 365](../../SharePointOnline/extend-and-develop.md).
+
## Overview <a name="section1"> </a>
The only platform available when you first install SharePoint Server is the Shar
|**SharePoint 2010 Workflow** <br/> |Windows Workflow Foundation 3 <br/> |Installs automatically with SharePoint Server. <br/> | |**SharePoint 2013 Workflow** <br/> |Windows Workflow Foundation 4 <br/> |Requires SharePoint Workflow Manager or Microsoft Workflow Manager, and SharePoint Server. <br/> | |**SharePoint 2013 Workflow - Project Server** <br/> |Windows Workflow Foundation 4 <br/> |Requires SharePoint Workflow Manager or Microsoft Workflow Manager, and Project server. <br/> |- > [!NOTE] > SharePoint Workflow Manager must be downloaded and installed separately from SharePoint Server. It does not install automatically when you install SharePoint Server. ## New installation of SharePoint Workflow Manager SharePoint Workflow Manager may be installed on the same servers as SharePoint or on separate, dedicated servers. It's recommended that SharePoint Workflow Manager is installed on its own dedicated servers for performance and reliability reasons. - > [!NOTE] > SharePoint Workflow Manager is supported in farms having an odd number of hosts, for example, 1, 3, or 5. A farm with 2 or 4 SharePoint Workflow Manager hosts is not supported. ### Prerequisites
-SharePoint Workflow Manager requires the server role of Web Server (IIS). If you're installing SharePoint Workflow Manager on a server without the IIS server role installed, the Workflow Manager Configuration Wizard fails with messages like *Could not load file or assembly 'Microsoft.Web.Administration'*. Apart from the features that are installed by default, the SharePoint Workflow Manager work requires the following IIS features:
+SharePoint Workflow Manager requires the server role of Web Server (IIS). If you're installing SharePoint Workflow Manager on a server without the IIS server role installed, the Workflow Manager Configuration Wizard fails with a message like *Could not load file or assembly 'Microsoft.Web.Administration'*. In addition to the features that are installed by default with the Web Server role, SharePoint Workflow Manager requires the following Web Server features:
- Windows Authentication (under Security) - .NET Extensibility 4.7 (under Application Development) - ASP.NET 4.7 (under Application Development)
-SharePoint Workflow Manager might not be installed and configured correctly with only RODC (read-only domain controller) provided in the network environment as it requires RWDC (read/write DC, full DC).
-
+> [!NOTE]
+> SharePoint Workflow Manager may not be installed and configured correctly with only RODCs (read-only domain controllers) available in the network environment. It requires a RWDC (read/write domain controller).
SharePoint Workflow Manager requires Azure Service Fabric, which must be installed before you run SharePoint Workflow Manager setup. If the Azure Service Fabric Runtime isn't already installed, follow these steps below to install it: 1. The minimum version of Azure Service Fabric Runtime supported by SharePoint Workflow Manager is 9.1.1583.9590, and you can download it from [Azure Service Fabric Runtime](https://download.microsoft.com/download/b/8/a/b8a2fb98-0ec1-41e5-be98-9d8b5abf7856/MicrosoftServiceFabric.9.1.1583.9590.exe). Or you can find and download any higher version of its Windows Installer from [here](/azure/service-fabric/service-fabric-get-started#install-the-sdk-and-tools).
SharePoint Workflow Manager requires Azure Service Fabric, which must be install
`.\MicrosoftServiceFabric.9.1.1583.9590.exe /accepteula` 3. To verify the Azure Service Fabric is installed, you should be able to find it in the Programs and Features of the Control Panel.- > [!NOTE]
-> SharePoint Workflow Manager supports the version 9.1 CU2 (9.1.1583.9590) of Azure Service Fabric and [higher versions](/azure/service-fabric/service-fabric-versions). If **Windows Fabric** is already installed on your machine, you must uninstall it before installing Azure Service Fabric.
->
-> ItΓÇÖs been reported that Azure Service Fabric might generate a large amount of logs squeezing the disk space regardless of the SharePoint Workflow Manager workload, and you can identify it under the `%ProgramData%\Microsoft Service Fabric\Log\Traces`. But you can't control the log size through the [cluster configuration](/azure/service-fabric/service-fabric-cluster-fabric-settings#diagnostics), with only Azure Service Fabric Runtime installed. You might need to delete expired logs manually, or for example, create a periodic task through the Windows Task Scheduler to do it.
-
+> SharePoint Workflow Manager supports the version 9.1 CU2 (9.1.1583.9590) of Azure Service Fabric and [higher versions](/azure/service-fabric/service-fabric-versions).
+>
+> If **Windows Fabric** is already installed on your machine, you must uninstall it before installing Azure Service Fabric.
+>
+> ItΓÇÖs been reported that Azure Service Fabric might generate a large number of logs, reducing the disk space. This can occur regardless of the SharePoint Workflow Manager workload. You can identify this issue by looking at the files generated in the `%ProgramData%\Microsoft Service Fabric\Log\Traces` directory. You can't control the log size through the [cluster configuration](/azure/service-fabric/service-fabric-cluster-fabric-settings#diagnostics), with only Azure Service Fabric Runtime installed. You might need to delete expired logs manually, or for example, create a periodic task through the Windows Task Scheduler to do it.
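Review bot: the rewritten note in this hunk still carries the mojibake apostrophe in "ItΓÇÖs been reported" (the removed line had the same defect); since the line is being rewritten anyway, use a plain "It's". The cleanup guidance is also vague: "delete expired logs manually" does not say which files under `%ProgramData%\Microsoft Service Fabric\Log\Traces` are safe to remove. Suggest telling readers to remove only trace files older than a chosen retention window, so a scheduled cleanup task does not delete traces that are still being written.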
### Install SharePoint Workflow Manager SharePoint Workflow Manager and SharePoint Workflow Manager Client can be downloaded from [here](https://www.microsoft.com/download/details.aspx?id=104867). The system requirements can be found on that page as well.
-Install both SharePoint Workflow Manager and SharePoint Workflow Manager Client on all servers in the Workflow Manager farm. Install only the SharePoint Workflow Manager Client on all servers in the SharePoint Server farm.
+Install **both** SharePoint Workflow Manager and SharePoint Workflow Manager Client on all servers in the **Workflow Manager** farm.
+Install **only** the SharePoint Workflow Manager **Client** on all servers in the **SharePoint Server** farm.
> [!NOTE] > Though it is supported to install SharePoint Workflow Manager on servers running SharePoint Server, it is recommended that SharePoint Workflow Manager is installed on its own dedicated servers for performance and reliability reasons. ### Configure SharePoint Workflow Manager farm
-To create a SharePoint Workflow Manager farm and join your servers to the farm, you can configure SharePoint Workflow Manager through the Workflow Manager Configuration Wizard, see [Video series Install and configure Workflow](/SharePoint/governance/video-series-install-and-configure-workflow-in-sharepoint-server-2013#episode-3-install-and-configure-workflow-manager).
+To create a SharePoint Workflow Manager farm and join your servers to the farm, you can configure SharePoint Workflow Manager through the Workflow Manager Configuration Wizard.
+Logon to the SharePoint Workflow Manager server, click on ΓÇ£Workflow Manager ConfigurationΓÇ¥ and click on ΓÇ£Configure Workflow Manager with Default settingsΓÇ¥ or ΓÇ£Configure Workflow Manager with Custom SettingsΓÇ¥, depending on the requirements. If you want to use different ports, custom certificates, or custom database names, you'll want to use the "Configure Workflow Manager with Custom Settings" option.
+
+In this example, we will use the Default Settings option.
+
+> [!NOTE]
+> By default, only HTTPS (TLS / SSL) port 12290 is configured for the Workflow Management site. If you'd like to also allow communication over unencrypted HTTP port 12291, you must select the "Allow Workflow Management over HTTP on this computer" check box. This is a factor when running the Register-SPWorkflowService cmdlet later.
+Provide the necessary SQL Server and service account details in the workflow wizard.
++
+The configuration wizard will provide a summary of your choices before they are committed.
+ > [!NOTE]
-> The SharePoint 2010 Workflow platform installs automatically when you install SharePoint Server. The SharePoint 2013 Workflow platform requires either Microsoft Workflow Manager ("Classic WFM") or SharePoint Workflow Manager (SPWFM) and must be installed separately and then configured to work with your SharePoint Server farm. To function correctly, SharePoint 2013 Workflows require that the App Management Service and Site Subscription Service are provisioned. It is not required to set up a wildcard certificate and DNS registration but both instances need to be running.
+> Some of the values are selected for you when you use the ΓÇ£Configure Workflow Manager with Default settingsΓÇ¥ option. If they are not correct for your environment, you may have to start the wizard over and choose ΓÇ£Configure Workflow Manager with Custom SettingsΓÇ¥.
+
+The configuration wizard should complete successfully. If it fails, please select the "View Log" link, find the problem and correct it before running the wizard again.
++
+If you are creating a multi-server SharePoint Workflow Manager farm, you must run the workflow configuration wizard on the other nodes and chose the "Join an Existing Workflow Manager Farm" option.
++
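Review bot: the added paragraphs mix straight quotes with mojibake curly quotes, for example ΓÇ£Workflow Manager ConfigurationΓÇ¥ and ΓÇ£Configure Workflow Manager with Default settingsΓÇ¥ beside "Configure Workflow Manager with Custom Settings" in the same paragraph; use straight quotes throughout as the rest of the article does. "Logon to the SharePoint Workflow Manager server" should read "Log on to". The note on the "Allow Workflow Management over HTTP on this computer" check box would be clearer if it said that leaving the box cleared is the recommended production setting, matching the "we recommend HTTPS for a production environment" note later in the article.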
+### Configure App Management and Subscriptions Settings services in the SharePoint farm
+The App Management and Subscription Settings services are required in the SharePoint farm for SharePoint 2013-platform workflows to function.
+If not already set up in the SharePoint farm, on the SharePoint server, set up App Management and Subscription Settings services, service applications and service application proxies.
+
+The App Managment service can be created using Central Administration.
+
+You can use PowerShell to create a Subscription Settings Service application:
+
+```powershell
+$sa = New-SPSubscriptionSettingsServiceApplication -ApplicationPool 'SharePoint Web Services Default' -Name 'Subscriptions Settings Service Application' -DatabaseName 'Subscription'
+
+New-SPSubscriptionSettingsServiceApplicationProxy -ServiceApplication $sa
+```
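Review bot: the replacement text drops a requirement the removed note stated, "both instances need to be running"; the new steps only create the App Management and Subscription Settings service applications and proxies and never say to start the two service instances. Add a step (Services on Server in Central Administration, or Start-SPServiceInstance) to start both instances on at least one server, otherwise Register-SPWorkflowService can succeed while workflows still fail to start. Also, "The App Managment service" has a typo (Management), and the script's -Name value 'Subscriptions Settings Service Application' should probably be 'Subscription Settings Service Application' to match the service name used in the surrounding prose.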
### Configure SharePoint Workflow Manager to work with the SharePoint Server farm <a name="section5"> </a>
-Consider the following two key factors before configuring SharePoint Workflow Manager to work with SharePoint Server.
-
-- Is SharePoint Workflow Manager installed on a server that is part of the SharePoint farm?
-
-- Will communication between SharePoint Workflow Manager and SharePoint Server use **HTTP** or **HTTPS** ?
+Consider the following key factors before configuring SharePoint Workflow Manager to work with SharePoint Server.
-These factors translate into four scenarios. Each scenario configures a SharePoint Server farm to communicate and function with the SharePoint Workflow Manager farm. Follow the scenario that matches your circumstance.
-
-|Scenario Number and Description|Scenario Number and Description|
-|:--|:--|
-|1: SharePoint Workflow Manager is installed on a server that is part of the SharePoint Server farm. Communication takes place by using HTTP. <br/> |2: SharePoint Workflow Manager is installed on a server that is part of the SharePoint Server farm. Communication takes place by using HTTPS. <br/> |
-|3: SharePoint Workflow Manager is installed on a server that is NOT part of the SharePoint Server farm. Communication takes place by using HTTP. <br/> |4: SharePoint Workflow Manager is installed on a server that is NOT part of the SharePoint Server farm. Communication takes place by using HTTPS. <br/> |
-
+- Will communication between SharePoint Workflow Manager and SharePoint Server use **HTTP** or **HTTPS** ?
> [!NOTE] > For security reasons, we recommend HTTPS for a production environment.
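Review bot: after this hunk removes the first bullet and the four-scenario table, "Consider the following key factors" introduces a list with a single item (the HTTP or HTTPS question); either reword the lead-in or keep the second factor. The retained note "For security reasons, we recommend HTTPS for a production environment" is also the natural place to state that the HTTP procedure that follows is intended for test or development farms only, since the scenario table that previously framed it is gone.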
-
-**To configure SharePoint Workflow Manager on a server that is part of the SharePoint Server farm and on which communication takes place by using HTTP**
-
-1. Sign-in to the computer in the SharePoint Server farm where SharePoint Workflow Manager was installed.
-
-2. Open the SharePoint Management Shell as an administrator by right-clicking the **SharePoint Management Shell** and choosing **Run as administrator**.
-
-3. Run the **Register-SPWorkflowService** cmdlet.
-
- **Example**:
-
- ```powershell
- Register-SPWorkflowService -SPSite "http://myserver/mysitecollection" -WorkflowHostUri "http://workflow.example.com:12291" -AllowOAuthHttp
- ```
-
-4. Sign-in to each server in the SharePoint Server farm.
-
- Each server in the SharePoint Server farm must have the Workflow Manager Client installed.
-
- > [!NOTE]
- > SharePoint Workflow Manager servers need both the SharePoint Workflow Manager and the SharePoint Workflow Manager client software installed. SharePoint servers only need the client installed.
-
-5. Install the SharePoint Workflow Manager Client on each server in the SharePoint farm.
-
-**To configure SharePoint Workflow Manager on a server that is part of the SharePoint Server farm and on which communication takes place by using HTTPS**
-
-1. Determine if you need to install SharePoint Workflow Manager certificates in SharePoint.
-
- Under some circumstances, you have to obtain and install SharePoint Workflow Manager certificates. If your installation requires that you obtain and install these certificates, you must complete that step before continuing. To learn whether you need to install certificates, and for instructions, see [Install Workflow Manager certificates in SharePoint Server](install-workflow-manager-certificates-in-sharepoint-server.md).
-
-2. Sign-in to the computer in the SharePoint Server farm where SharePoint Workflow Manager was installed.
-
-3. Open the SharePoint Management Shell as an administrator by right-clicking the **SharePoint Management Shell** and choosing **Run as administrator**.
-
-4. Run the **Register-SPWorkflowService** cmdlet.
-
- **Example**:
-
- ```powershell
- Register-SPWorkflowService -SPSite "https://myserver/mysitecollection" -WorkflowHostUri "https://workflow.example.com:12290"
- ```
+**To configure SharePoint Workflow Manager in an environment where communication takes place using HTTP**
+> [!NOTE]
+> By default, only HTTPS (TLS / SSL) port 12290 is configured for the Workflow Management site. In order to configure the use of HTTP, the "Allow Workflow Management over HTTP on this computer" check box should have been selected when running the ΓÇ£Workflow Manager ConfigurationΓÇ¥ wizard in an earlier step.
-5. Sign-in to each server in the SharePoint Server farm.
-
- Each server in the SharePoint Server farm must have the Workflow Manager Client installed.
-
- > [!NOTE]
- > SharePoint Workflow Manager servers need both the SharePoint Workflow Manager and the SharePoint Workflow Manager client software installed. SharePoint servers only need the client installed.
-
-6. Install the SharePoint Workflow Manager Client on each server in the SharePoint farm.
-
-**To configure SharePoint Workflow Manager on a server that is NOT part of the SharePoint Server farm and on which communication takes place by using HTTP**
-
1. Sign-in to each server in the SharePoint Server farm.+
+1. Install the SharePoint Workflow Manager **Client** on each server in the SharePoint farm.
+ > [!IMPORTANT]
+ > You must install the SharePoint Workflow Manager Client on each server in the SharePoint farm before you run the Register-SPWorkflowService cmdlet.
-2. Install the SharePoint Workflow Manager Client on each server in the SharePoint farm.
-
- Before you can run the workflow pairing cmdlet, you must install SharePoint Workflow Manager Client on each of the servers in the SharePoint farm.
-
-3. Open the SharePoint Management Shell as an administrator by right-clicking the **SharePoint Management Shell** command and choosing **Run as administrator**.
-
-4. Run the **Register-SPWorkflowService** cmdlet. The cmdlet should be run only once and can be run from any of the servers in the SharePoint farm.
+3. On one SharePoint server, open the SharePoint Management Shell as an administrator by right-clicking the **SharePoint Management Shell** command and choosing **Run as administrator**.
+1. Run the **Register-SPWorkflowService** cmdlet to connect the SharePoint farm with the SharePoint Workflow Manager farm. The cmdlet should be run only once and can be run from any of the servers in the SharePoint farm.
+ > [!NOTE]
+ > The value for the -SPSite parameter can be any valid site collection within the SharePoint farm.
+ > The correct value for the -WorkflowHostUri parameter can be found by running PowerShell `Get-WFFarm | select endpoints` on the SharePoint Workflow Manager server.
+ **Example**:
-
```powershell Register-SPWorkflowService -SPSite "http://myserver/mysitecollection" -WorkflowHostUri "http://workflow.example.com:12291" -AllowOAuthHttp ```
-> [!IMPORTANT]
-> You must install the SharePoint Workflow Manager Client on each server in the SharePoint farm before you run the pairing cmdlet.
-
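Review bot: the HTTP procedure's note says the HTTP check box "should have been selected" earlier but never explains the -AllowOAuthHttp switch in the example; add a sentence that it permits the OAuth trust between SharePoint and Workflow Manager to run over unencrypted HTTP, which is why this path is not recommended for production (the note above already says so). The numbered list in this hunk is also out of sequence (1., 1., 3., 1.), and "Sign-in to each server in the SharePoint Server farm.+" carries a stray trailing "+"; number every item "1." consistently, as the upgrade section does, so the rendered list counts correctly.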
-**To configure SharePoint Workflow Manager on a server that is NOT part of the SharePoint Server farm and on which communication takes place by using HTTPS**
+**To configure SharePoint Workflow Manager in an environment where communication takes place using HTTPS**
-1. Determine whether you need to install SharePoint Workflow Manager certificates in SharePoint Server.
+1. Determine whether you need to install SharePoint Workflow Manager certificates on the SharePoint servers.
- Under some circumstances, you have to obtain and install SharePoint Workflow Manager certificates. If your installation requires that you obtain and install these certificates, you must complete that step before continuing. To learn whether you need to install certificates, and for instructions, see [Install Workflow Manager certificates in SharePoint Server](install-workflow-manager-certificates-in-sharepoint-server.md).
+ Under some circumstances, you must obtain and install SharePoint Workflow Manager certificates. If your installation requires that you obtain and install these certificates, you must complete that step before continuing. To learn whether you need to install certificates, and for instructions, see [Install Workflow Manager certificates in SharePoint Server](install-workflow-manager-certificates-in-sharepoint-server.md).
2. Sign-in to each server in the SharePoint Server farm.
-3. Install the SharePoint Workflow Manager Client on each server in the SharePoint farm.
-
- Before you can run the workflow pairing cmdlet, you must install SharePoint Workflow Manager Client on each of the servers in the SharePoint farm.
+1. Install the SharePoint Workflow Manager **Client** on each server in the SharePoint farm.
+ > [!IMPORTANT]
+ > You must install the SharePoint Workflow Manager Client on each server in the SharePoint farm before you run the Register-SPWorkflowService cmdlet.
4. Open the SharePoint Management Shell as an administrator. This is accomplished by right-clicking the **SharePoint Management Shell** command and choosing **Run as administrator**.
-5. Run the **Register-SPWorkflowService** cmdlet.
-
+1. Run the **Register-SPWorkflowService** cmdlet to connect the SharePoint farm with the SharePoint Workflow Manager farm. The cmdlet should be run only once and can be run from any of the servers in the SharePoint farm.
+ > [!NOTE]
+ > The value for the -SPSite parameter can be any valid site collection within the SharePoint farm.
+ > The correct value for the -WorkflowHostUri parameter can be found by running PowerShell `Get-WFFarm | select endpoints` on the SharePoint Workflow Manager server.
+ **Example**:
-
```powershell Register-SPWorkflowService -SPSite "https://myserver/mysitecollection" -WorkflowHostUri "https://workflow.example.com:12290" ```
-> [!IMPORTANT]
-> You must install the SharePoint Workflow Manager Client on each server in the SharePoint farm before you run the pairing cmdlet.
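Review bot: the new note "The correct value for the -WorkflowHostUri parameter can be found by running PowerShell `Get-WFFarm | select endpoints`" is repeated verbatim from the HTTP procedure; in this HTTPS procedure it should say to pick the https endpoint on port 12290 (the value the example uses) rather than any HTTP endpoint the farm may also list. The step numbering is again mixed (1., 2., 1., 4., 1.); use one numeral for every item so the list renders in order.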
- ## Upgrade existing Microsoft Workflow Manager
-In order to update Microsoft Workflow Manager (Classic WFM) to SharePoint Workflow Manager (SPWFM), SharePoint Workflow Manager can't be placed on top of Microsoft Workflow Manager. Installing this build requires first uninstalling any prior versions of Workflow Manager, Workflow Manager Client, and Service Bus.
+Microsoft Workflow Manager cannot be upgraded in-place, and SharePoint Workflow Manager can't be placed on top of Microsoft Workflow Manager. In order to update Microsoft Workflow Manager (Classic WFM) to SharePoint Workflow Manager (SPWFM), you must uninstall any prior versions of Workflow Manager, Workflow Manager Client, and Service Bus.
-You can upgrade to SharePoint Workflow Manager from any version of Microsoft Workflow Manager.
+> [!NOTE]
+> You can upgrade to SharePoint Workflow Manager from any version of Microsoft Workflow Manager.
+> Because you are upgrading an existing "Classic WFM" farm to SPWFM, the WFM databases will be reused, and your existing registration and workflows should remain intact.
Follow the steps below to uninstall Microsoft Workflow Manager and install SharePoint Workflow
-1. Open Workflow Manager Configuration Wizard.
-2. Select **Leave Workflow Manager Farm**.
-3. Confirm the subsequent steps until the end.
- > [!NOTE]
- >Each database used by Workflow Manager and Service Bus will need to be specified when rejoining the farm with SharePoint Workflow Manager. For example, the SQL Server instance and database name for the Workflow Manager farm management database and the Service Bus farm management database.
+> [!IMPORTANT]
+> Because the upgrade steps require that you disjoin and then rejoin an existing WFM farm, you will need the WFM "Certificate Generation Key", when rejoining. If you are not sure what that key is, and have not documented it somewhere, you may need to [Reset Certificate Generation Key](/SharePoint/governance/reset-certificate-generation-key-sharepoint-workflow-manager) before proceeding.
+> You will not be able to join the existing workflow farm without a valid Certificate Generation Key.
+
+1. Run the Workflow Manager Configuration Wizard.
+
+1. Select **Leave Workflow Manager Farm**.
+1. Confirm the subsequent steps until the end of the wizard.
-4. Uninstall Microsoft Workflow Manager, Workflow Manager Client, Service Bus for Windows Server, and Windows Fabric if they're installed. You can uninstall them from the Control Panel. If Windows Fabric is installed, ensure you install Azure Service Fabric after uninstalling Windows Fabric.
-5. If the folder *%ProgramFiles%\Workflow Manager\1.0* already exists, you must manually remove it for the next steps to succeed.
-6. Install SharePoint Workflow Manager and SharePoint Workflow Manager Client.
-7. If there's more than one server in your Workflow Manager farm, repeat the previous steps on all farm servers.
-8. Run the Workflow Manager Configuration Wizard and rejoin the previous farm with the databases you noted in the previous steps on all servers in your Workflow Manager farm.
+1. Repeat this step on every Microsoft Workflow Manager server in the workflow farm.
> [!NOTE]
- >There is no need to delete the existing Workflow Service Application Proxy, and there is no need to re-register SPWorkflowService. If you encounter the invalidity of the Certificate Generation Key for SharePoint Workflow Manager and Service Bus, you may reset it, see [Reset Certificate Generation Key](/SharePoint/governance/reset-certificate-generation-key-sharepoint-workflow-manager).
+ > Each database used by Workflow Manager and Service Bus will need to be specified when rejoining the farm with SharePoint Workflow Manager. For example, the SQL Server instance and database name for the Workflow Manager farm management database and the Service Bus farm management database.
+1. Uninstall Microsoft Workflow Manager, Workflow Manager Client, Service Bus for Windows Server, and Windows Fabric if they're installed. You can uninstall them from the Control Panel. If Windows Fabric is installed, ensure you install Azure Service Fabric after uninstalling Windows Fabric.
+ > [!IMPORTANT]
+ > If you are installing SharePoint Workflow Manager on a SharePoint server, you may see both "Windows Fabric" and "AppFabric 1.1 for Windows Server" installed. Be sure to only uninstall Windows Fabric. **Do not uninstall AppFabric 1.1**. It is a different service, and is required for SharePoint Distributed Cache.
+1. If the folders "*%ProgramFiles%\Workflow Manager\1.0"* or *"%Program Files%\Service Bus\1.0"* already exist, you must manually remove them for the next steps to succeed.
+
+1. Reboot the SharePoint Workflow Manager server.
+
+1. If it's not already installed, use the steps from the [Prerequisites section above](/SharePoint/governance/install-and-configure-workflow-for-sharepoint-server#prerequisites) to install Azure Service Fabric.
+
+1. Install SharePoint Workflow Manager and SharePoint Workflow Manager Client. SharePoint Workflow Manager and SharePoint Workflow Manager Client can be downloaded from [here](https://www.microsoft.com/download/details.aspx?id=104867). The system requirements can be found on that page as well.
-9. Rerun the Workflow Manager Configuration Wizard, select **Upgrade Workflow Manager Farm**, and confirm subsequent steps until the end.
+1. Run the Workflow Manager Configuration Wizard and choose the "Join an Existing Workflow Manager Farm" to rejoin the previous farm. Use the database, service account, and Certificate Generation Key information used in the previous "Classic WFM" farm.
+ > [!NOTE]
+ > When upgrading, there is typically no need to delete the existing Workflow Service Application Proxy and reconnect using the Register-SPWorkflowService cmdlet. If you encounter the invalidity of the Certificate Generation Key for SharePoint Workflow Manager and Service Bus, you may need to reset it, see [Reset Certificate Generation Key](/SharePoint/governance/reset-certificate-generation-key-sharepoint-workflow-manager).
+1. Rerun the Workflow Manager Configuration Wizard, select **Upgrade Workflow Manager Farm**, and confirm subsequent steps until the end.
> [!NOTE] > This step should be run on all servers in the SharePoint Workflow Manager farm.
- > The "Upgrade Workflow Manager Farm" option is always presented in the Workflow Manager Configuration Wizard, whether an upgrade is required or not. There's no harm in running it multiple times.
+ > The "Upgrade Workflow Manager Farm" option is always presented in the Workflow Manager Configuration Wizard, whether an upgrade is required or not. There's no harm in running it multiple times, or when there's no upgrade pending.
+1. If there's more than one server in your Workflow Manager farm, repeat the previous steps on all workflow farm servers.
-10. Install SharePoint Workflow Management Client on each server in the SharePoint Server farm after uninstalling any previous versions.
+1. Install the SharePoint Workflow Manager **Client** on each server in the SharePoint Server farm after uninstalling any previous versions.
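Review bot: the second path in "If the folders "*%ProgramFiles%\Workflow Manager\1.0"* or *"%Program Files%\Service Bus\1.0"* already exist" is wrong: `%Program Files%` is not an environment variable and will not expand, so readers will look for a folder that does not exist; use `%ProgramFiles%\Service Bus\1.0`, and nest the italic and quote markers the same way for both paths. Since the procedure disjoins every host and then rejoins the same databases, the IMPORTANT note about the Certificate Generation Key is also the right place to tell readers to back up the Workflow Manager and Service Bus databases before "Leave Workflow Manager Farm"; as written there is no recovery path if the rejoin fails.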
## Validate the installation <a name="section6"> </a>
Follow these steps to validate that you have successfully installed and configur
**To validate the installation**
-1. Add a user to your SharePoint site, and grant the user Site Designer permissions.
-2. Install SharePoint Designer 2013 and create a workflow based on the SharePoint 2013 Workflow platform. For more information, see [Creating a workflow by using SharePoint Designer 2013 and the SharePoint 2013 Workflow platform](/sharepoint/dev/general-development/creating-a-workflow-by-using-sharepoint-designer-and-the-sharepoint-wo).
+1. Add a user to your SharePoint site and grant the user Site Designer permissions.
+2. Install SharePoint Designer 2013 on a client machine and create a workflow based on the SharePoint 2013 Workflow platform. For more information, see [Creating a workflow by using SharePoint Designer 2013 and the SharePoint 2013 Workflow platform](/sharepoint/dev/general-development/creating-a-workflow-by-using-sharepoint-designer-and-the-sharepoint-wo).
3. Run this workflow from the SharePoint user interface. ## Troubleshooting
You can determine which ports SharePoint Server and Workflow Manager are using f
![View ports in IIS Manager.](../media/WF15-.png)
-Sharepoint Workflow Manager communicates by using TCP/IP or Named Pipes. Ensure that the appropriate communication protocol is enabled on the SQL Server instance that hosts the SharePoint Workflow Manager databases.
-
+SharePoint Workflow Manager communicates by using TCP/IP or Named Pipes. Ensure that the appropriate communication protocol is enabled on the SQL Server instance that hosts the SharePoint Workflow Manager databases.
+ The SQL Browser Service must be running on the SQL Server instance that hosts the Workflow Manager databases. The System Account can't be used to develop a workflow. To troubleshoot SharePoint Server, see [Troubleshooting SharePoint Server](../administration/troubleshoot.md).++
SharePoint Set Up Oidc Auth In Sharepoint Server With Msaad https://github.com/MicrosoftDocs/OfficeDocs-SharePoint/commits/public/SharePoint/SharePointServer/security-for-sharepoint-server/set-up-oidc-auth-in-sharepoint-server-with-msaad.md
description: "Learn how to set up OIDC authentication in SharePoint Server with
When you configure OpenID Connect (OIDC) with Microsoft Entra ID, you need the following resources:
-1. A SharePoint Server Subscription Edition farm
+1. A SharePoint Server Subscription Edition (SPSE) farm
+ 2. Microsoft Entra Global Administrator role of the M365 tenant This article uses the following example values for Microsoft Entra OIDC setup:
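Review bot: the prerequisites require the "Microsoft Entra Global Administrator role of the M365 tenant" for what Step 1 describes as an app registration and token-claim configuration; Global Administrator is the most privileged role in the tenant, so the article should either name the least-privileged role that can complete Step 1 or say which step actually needs Global Administrator. The leading "+ 2." also has a stray space that breaks the numbered list.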
Perform the following steps to set up OIDC with Microsoft Entra ID:
1. Go to the **Token configuration** tab and select **Add optional claim**. For each token type (ID, Access, SAML), add **email**, and **upn** claims. 1. Also on the **Token configuration** tab, select **Add groups claim**. Security Groups is the most common, but the group types you select depends on which types of groups you want to use to give access to the SharePoint web application. For more information, see [Configure groups optional claims](/entra/identity-platform/optional-claims#configure-groups-optional-claims) and Configure group claims for applications by using Microsoft Entra ID.+
+ :::image type="content" source="../media/sharepoint-oidc-token-configuration.png" alt-text="Token Configuration":::
8. Go to the **Manifest** tab, and manually change **replyUrlsWithType** from `https://spsites.contoso.local/` to `https://spsites.contoso.local/*`. Then select **Save**. :::image type="content" source="../media/sharepoint-oidc-manifest.png" alt-text="Manifest":::
-9. Get OIDC authentication information from OIDC discovery endpoint.
-
-In Microsoft Entra ID, there are two versions of OIDC authentication endpoints. Therefore, there are two versions of OIDC discovery endpoints respectively:
--- V1.0: `https://login.microsoftonline.com/<TenantID>/.well-known/openid-configuration`-- V2.0: `https://login.microsoftonline.com/<TenantID>/v2.0/.well-known/openid-configuration`-
-> [!NOTE]
-> When using OIDC authentication with SharePoint Server, currently only the V1.0 endpoint is supported.
-Replace TenantID with the **Directory (tenant) ID** saved in the third step mentioned previously and connect to the endpoint through your browser. Then, save the following information:
-
-| Value | Link |
-|||
-| authorization_endpoint | `https://login.microsoftonline.com/<tenantid>/oauth2/authorize` |
-| end_session_endpoint | `https://login.microsoftonline.com/<tenantid>/oauth2/logout` |
-| issuer | `https://sts.windows.net/<tenantid>/` |
-| jwks_uri | `https://login.microsoftonline.com/common/discovery/keys` |
-
-Open jwks_uri (`https://login.microsoftonline.com/common/discovery/keys`) and save all the **x5c** certificate strings for later use in SharePoint setup.
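Review bot: "For more information, see [Configure groups optional claims](...) and Configure group claims for applications by using Microsoft Entra ID." links the first reference but leaves the second as plain text; add the link or drop the title. In the manifest step, changing replyUrlsWithType from `https://spsites.contoso.local/` to `https://spsites.contoso.local/*` introduces a wildcard redirect URI; the step should explain why the wildcard is needed and state that it must stay scoped to the SharePoint web application host, since a wider pattern would allow tokens to be returned to other locations.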
-- ## Step 2: Change SharePoint farm properties
-In this step, you need to modify the SharePoint Server farm properties based on the version of your SharePoint Server.
-
-> [!Note]
-> Start the SharePoint Management Shell as a farm administrator to run the following script. Read the instructions mentioned in the following PowerShell script carefully, and you will need to enter your own environment-specific values in certain places.
+In this step, you need to modify the SharePoint Server farm properties based on the version of your SharePoint Server farm.
- For more information on configuring SharePoint farm properties for SharePoint Server Subscription Edition Version 24H1, see [Configure SPSE Version 24H1 or higher version](#configure-sharepoint-server-subscription-edition-version-24h1-or-higher-versions). - For more information on configuring SharePoint farm properties for SharePoint Server Subscription Edition Version preceding 24H1, see [Configure SPSE prior to Version 24H1](#configure-sharepoint-server-subscription-edition-prior-to-version-24h1). #### Configure SharePoint Server Subscription Edition Version 24H1 or higher versions
-Starting with SharePoint Server Subscription Edition Version 24H1, you can configure SharePoint Server farm properties by employing SharePoint Certificate Management to manage the nonce cookie certificate. The nonce cookie certificate is part of the infrastructure to ensure OIDC authentication tokens are secure. Run the following script to configure:
+Starting with SharePoint Server Subscription Edition Version 24H1 (March 2024), you can configure SharePoint Server farm properties by employing SharePoint Certificate Management to manage the nonce cookie certificate. The nonce cookie certificate is part of the infrastructure to ensure OIDC authentication tokens are secure. Run the following script to configure:
+> [!Note]
+> Start the SharePoint Management Shell as a farm administrator to run the following script. Read the instructions mentioned in the following PowerShell script carefully. You will need to enter your own environment-specific values in certain places.
```powershell # Set up farm properties to work with OIDC
$certPassword = ConvertTo-SecureString -String <password> -Force -AsPlainText
Export-PfxCertificate -Cert $cert -FilePath $certPath -Password $certPassword $nonceCert = Import-SPCertificate -Path $certPath -Password $certPassword -Store "EndEntity" -Exportable:$true
+# Update farm property
$farm = Get-SPFarm $farm.UpdateNonceCertificate($nonceCert,$true) ``` #### Configure SharePoint Server Subscription Edition prior to Version 24H1
+Prior to the 24H1 (March 2024) update, the nonce cookie certificate must be managed manually. This includes manually installing it on each server in the farm and setting permissions on the private key. The following PowerShell script can be used to accomplish that.
+
+> [!Note]
+> Start the SharePoint Management Shell as a farm administrator to run the following script. Read the instructions mentioned in the following PowerShell script carefully. You will need to enter your own environment-specific values in certain places.
```powershell # Set up farm properties to work with OIDC $cert = New-SelfSignedCertificate -CertStoreLocation Cert:\LocalMachine\My -Provider 'Microsoft Enhanced RSA and AES Cryptographic Provider' -Subject "CN=SharePoint Cookie Cert"
$access_rule = New-Object System.Security.AccessControl.FileSystemAccessRule(<We
$permissions.AddAccessRule($access_rule) Set-Acl -Path $path -AclObject $permissions
-# Then we update farm properties
+# Then update farm properties
$farm = Get-SPFarm $farm.Properties['SP-NonceCookieCertificateThumbprint']=$cert.Thumbprint $farm.Properties['SP-NonceCookieHMACSecretKey']='seed' $farm.Update() ```
+> [!IMPORTANT]
+> The nonce cookie certificate, with private key, must be installed on all SharePoint servers in the farm. Also, permission to the private key must be given to the web application pool service account on each server. Failure to complete this step will result OIDC authentication failures.
+> It's recommended to use the PowerShell example above to set permission on the private key file to ensure it's done correctly.
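Review bot: The 24H1 script references `$cert` and `$certPath` without defining either; the only `$cert = New-SelfSignedCertificate ...` line lives in the pre-24H1 script, so a reader following the 24H1 path alone calls `Export-PfxCertificate` with an empty `-Cert` and `-FilePath`. Suggest opening the 24H1 block with the same `New-SelfSignedCertificate` line plus a `$certPath = "<path to pfx>"` placeholder. Two smaller points on the same block: `ConvertTo-SecureString -String <password> -Force -AsPlainText` puts the PFX password on the command line and into shell history, where `Read-Host -AsSecureString` would not, and the exported PFX carries the private key, so the text should say to delete the file once `Import-SPCertificate` has succeeded. In the IMPORTANT note, "will result OIDC authentication failures" is missing "in".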
## Step 3: Configure SharePoint to trust the identity provider
+In this step, you create a `SPTrustedTokenIssuer` that stores the configuration that SharePoint needs to trust Microsoft Entra OIDC as the OIDC provider.
+ You can configure SharePoint to trust the identity provider in either of the following ways: -- Configure SharePoint to trust Microsoft Entra ID as the OIDC provider **manually**. - Configure SharePoint to trust Microsoft Entra ID as the OIDC provider by using the **metadata endpoint**.
- - By using the metadata endpoint, several parameters you need in 'Configure SharePoint to trust Microsoft Entra ID as the OIDC provider manually' is automatically retrieved by metadata endpoint.
+ - By using the metadata endpoint, several parameters you need are automatically retrieved from the metadata endpoint.
+- Configure SharePoint to trust Microsoft Entra ID as the OIDC provider **manually**.
> [!NOTE]
-> Follow either the manual configuration steps or the metadata endpoint steps, but not both.
+> Follow either the manual configuration steps or the metadata endpoint steps, but not both.
+> Using the metadata endpoint is recommended because it simplifies the process.
+### Configure SharePoint to trust Microsoft Entra OIDC by using metadata endpoint
-### Configure SharePoint to trust Microsoft Entra ID as the OIDC provider manually
+SharePoint Server Subscription Edition now supports using the OIDC metadata discovery capability when creating the Trusted Identity Token Issuer.
+
+In Microsoft Entra ID, there are two versions of OIDC discovery endpoints:
+
+- V1.0: `https://login.microsoftonline.com/<TenantID>/.well-known/openid-configuration`
+- V2.0: `https://login.microsoftonline.com/<TenantID>/v2.0/.well-known/openid-configuration`
+
+> [!IMPORTANT]
+> Currently, SharePoint Server only supports the v1.0 metadata endpoint when used to create the Trusted Identity Token Issuer. The example PowerShell script below uses the V1.0 endpoint.
+
+When you use the metadata endpoint provided by the OIDC identity provider, some of the configuration is retrieved from the OIDC provider metadata endpoint directly, including:
+
+1. Certificate
+2. Issuer
+3. Authorization Endpoint
+4. SignoutURL
+
+This can simplify the configuration of the OIDC token issuer.
-In this step, you create a `SPTrustedTokenIssuer` that stores the configuration that SharePoint needs to trust Microsoft Entra OIDC as the OIDC provider. Start the SharePoint Management Shell as a farm administrator, and run the following script to create it:
+With the following PowerShell example, we can use metadata endpoint from Microsoft Entra ID to configure SharePoint to trust Microsoft Entra OIDC.
> [!NOTE] > Read the instructions mentioned in the following PowerShell script carefully. You will need to enter your own environment-specific values in certain places. For example, replace \<tenantid\> with your own Directory (tenant) ID. ```powershell # Define claim types
-# In this example, we're using Email Address as the identity claim.
+# In this example, we're using Email Address as the Identity claim.
$emailClaimMap = New-SPClaimTypeMapping -IncomingClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" -IncomingClaimTypeDisplayName "Email" -SameAsIncoming
-# Public key of the AAD OIDC signing certificate. Please replace <x5c cert string> with the encoded cert string which you get from x5c certificate string of the keys of jwks_uri from Step #1
-$encodedCertStrs = @()
-$encodedCertStrs += <x5c cert string 1>
-$encodedCertStrs += <x5c cert string 2>
-...
-$certificates = @()
-foreach ($encodedCertStr in $encodedCertStrs) {
- $certificates += New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 @(,[System.Convert]::FromBase64String($encodedCertStr))
-}
-
-# Set the AAD OIDC URL where users are redirected to authenticate. Please replace <tenantid> accordingly
-$authendpointurl = "https://login.microsoftonline.com/<tenantid>/oauth2/authorize"
-$registeredissuernameurl = "https://sts.windows.net/<tenantid>/"
-$signouturl = "https://login.microsoftonline.com/<tenantid>/oauth2/logout"
+# Set the AAD metadata endpoint URL. Please replace <TenantID> with the value saved in step #3 in the Entra ID setup section
+$metadataendpointurl = "https://login.microsoftonline.com/<TenantID>/.well-known/openid-configuration"
-# Please replace <Application (Client) ID> with the value saved in step #3 in AAD setup section
+# Please replace <Application (Client) ID> with the value saved in step #3 in the Entra ID setup section
$clientIdentifier = "<Application (Client)ID>" # Create a new SPTrustedIdentityTokenIssuer in SharePoint
-New-SPTrustedIdentityTokenIssuer -Name "contoso.local" -Description "contoso.local" -ImportTrustCertificate $certificates -ClaimsMappings emailClaimMap -IdentifierClaim $emailClaimMap.InputClaimType -RegisteredIssuerName $registeredissuernameurl -AuthorizationEndPointUri $authendpointurl -SignOutUrl $signouturl -DefaultClientIdentifier $clientIdentifier -Scope "openid profile"
+New-SPTrustedIdentityTokenIssuer -Name "contoso.local" -Description "contoso.local" -ClaimsMappings $emailClaimMap -IdentifierClaim $emailClaimMap.InputClaimType -DefaultClientIdentifier $clientIdentifier -MetadataEndPoint $metadataendpointurl -Scope "openid profile"
```
-Here, `New-SPTrustedIdentityTokenIssuer` PowerShell cmdlet is extended to support OIDC by using the following parameters:
- | Parameter | Description | ||-| |Name | Gives a name to the new token issuer. | |Description | Gives a description to the new token issuer. |
-|ImportTrustCertificate | Imports a list of X509 Certificates, which is used to validate `id_token` from OIDC identifier. If the OIDC identity provider (IDP) uses more than one certificate to digital sign the `id_token`, import these certificates and SharePoint validates `id_token` by matching the digital signature generated by using these certificates. |
+|ImportTrustCertificate | A certificate that is used to validate `id_token` from OIDC identifier. |
| ClaimsMappings | A `SPClaimTypeMapping` object, which is used to identify which claim in the `id_token` is regarded as identifier in SharePoint. | | IdentifierClaim | Specifies the type of identifier. |
-| RegisteredIssuerName | Specifies the issuer identifier, which issues the `id_token`. It's used to validate the `id_token`. |
-| AuthorizationEndPointUrl | Specifies the authorization endpoint of the OIDC identity provider. |
-| SignoutUrl | Specifies the sign out endpoint of the OIDC identity provider. |
| DefaultClientIdentifier | Specifies the `client_id` of SharePoint server, which is assigned by OIDC identity provider. This is validated against aud claim in `id_token`. |
-| ResponseTypesSupported | Specifies the response type of IDP, which is accepted by this token issuer. It can accept two strings: `id_token` and `code id_token`. If this parameter isn't provided, it uses `code id_token` as default. |
+| MetadataEndPoint | Specifies the well-known metadata endpoint from OIDC identity provider, which can be used to retrieve latest certificate, issuer, authorization endpoint, and sign out endpoint. |
-> [!IMPORTANT]
-> The relevant certificate must be added to the SharePoint root authority certificate store:
->
-> `New-SPTrustedRootAuthority -Name "AAD OIDC signing root authority" -Certificate $signingCert`
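Review bot: The parameter table under the metadata-endpoint example still carries an `ImportTrustCertificate` row, but the `New-SPTrustedIdentityTokenIssuer` call in this section no longer passes it (the signing certificate comes from `-MetadataEndPoint`, as the new MetadataEndPoint row explains); drop the row here or state that it is not used with the metadata endpoint. The removed IMPORTANT block about `New-SPTrustedRootAuthority -Name "AAD OIDC signing root authority" -Certificate $signingCert` does not reappear in the manual section below; if adding the signing certificate to the SharePoint root authority store is still required when `-ImportTrustCertificate` is used, it should move there rather than vanish. Minor: the script comment says the TenantID was "saved in step #3 in the Entra ID setup section" while the manual section says it was saved in "Step 1: Setup identity provider", and the NOTE says replace `\<tenantid\>` while the script uses `<TenantID>`; align the cross-reference and the placeholder casing.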
+### Configure SharePoint to trust Microsoft Entra ID as the OIDC provider manually
-<a name='configure-sharepoint-to-trust-azure-ad-oidc-by-using-metadata-endpoint'></a>
+When configuring manually, several additional parameters must be specified. You can retrieve the values from the OIDC discovery endpoint.
-### Configure SharePoint to trust Microsoft Entra OIDC by using metadata endpoint
+In Microsoft Entra ID, there are two versions of OIDC authentication endpoints. Therefore, there are two versions of OIDC discovery endpoints respectively:
-SharePoint Server Subscription Edition now supports OIDC metadata discovery capability during configuration.
+- V1.0: `https://login.microsoftonline.com/<TenantID>/.well-known/openid-configuration`
+- V2.0: `https://login.microsoftonline.com/<TenantID>/v2.0/.well-known/openid-configuration`
-When you use the metadata endpoint provided by the OIDC identity provider, some of the configuration is retrieved from the OIDC provider metadata endpoint directly, including:
+Replace TenantID with the **Directory (tenant) ID** saved in [Step 1: Setup identity provider](#step-1-setup-identity-provider) and connect to the endpoint through your browser. Then, save the following information:
-1. Certificate
-2. Issuer
-3. Authorization Endpoint
-4. SignoutURL
+| Value | Link |
+|||
+| authorization_endpoint | `https://login.microsoftonline.com/<tenantid>/oauth2/authorize` |
+| end_session_endpoint | `https://login.microsoftonline.com/<tenantid>/oauth2/logout` |
+| issuer | `https://sts.windows.net/<tenantid>/` |
+| jwks_uri | `https://login.microsoftonline.com/common/discovery/keys` |
-This can simplify the configuration of the OIDC token issuer.
+Open jwks_uri (`https://login.microsoftonline.com/common/discovery/keys`) and save all the **x5c** certificate strings for later use in SharePoint setup.
-With the following PowerShell example, we can use metadata endpoint from Microsoft Entra ID to configure SharePoint to trust Microsoft Entra OIDC.
+
+Start the SharePoint Management Shell as a farm administrator, and after entering the values you obtained above, run the following script to create the Trusted identity Token Issuer:
> [!NOTE] > Read the instructions mentioned in the following PowerShell script carefully. You will need to enter your own environment-specific values in certain places. For example, replace \<tenantid\> with your own Directory (tenant) ID. ```powershell # Define claim types
-# In this example, we're using Email Address as the Identity claim.
+# In this example, we're using Email Address as the identity claim.
$emailClaimMap = New-SPClaimTypeMapping -IncomingClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" -IncomingClaimTypeDisplayName "Email" -SameAsIncoming
-# Set the AAD metadata endpoint URL. Please replace <TenantID> with the value saved in step #3 in the Entra ID setup section
-$metadataendpointurl = "https://login.microsoftonline.com/<TenantID>/.well-known/openid-configuration"
+# Public key of the AAD OIDC signing certificate. Please replace <x5c cert string> with the encoded cert string which you get from x5c certificate string of the keys of jwks_uri from Step #1
+$encodedCertStrs = @()
+$encodedCertStrs += <x5c cert string 1>
+$encodedCertStrs += <x5c cert string 2>
+...
+$certificates = @()
+foreach ($encodedCertStr in $encodedCertStrs) {
+ $certificates += New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 @(,[System.Convert]::FromBase64String($encodedCertStr))
+}
-# Please replace <Application (Client) ID> with the value saved in step #3 in the Entra ID setup section
+# Set the AAD OIDC URL where users are redirected to authenticate. Please replace <tenantid> accordingly
+$authendpointurl = "https://login.microsoftonline.com/<tenantid>/oauth2/authorize"
+$registeredissuernameurl = "https://sts.windows.net/<tenantid>/"
+$signouturl = "https://login.microsoftonline.com/<tenantid>/oauth2/logout"
+
+# Please replace <Application (Client) ID> with the value saved in step #3 in AAD setup section
$clientIdentifier = "<Application (Client)ID>" # Create a new SPTrustedIdentityTokenIssuer in SharePoint
-New-SPTrustedIdentityTokenIssuer -Name "contoso.local" -Description "contoso.local" -ClaimsMappings $emailClaimMap -IdentifierClaim $emailClaimMap.InputClaimType -DefaultClientIdentifier $clientIdentifier -MetadataEndPoint $metadataendpointurl -Scope "openid profile"
+New-SPTrustedIdentityTokenIssuer -Name "contoso.local" -Description "contoso.local" -ImportTrustCertificate $certificates -ClaimsMappings emailClaimMap -IdentifierClaim $emailClaimMap.InputClaimType -RegisteredIssuerName $registeredissuernameurl -AuthorizationEndPointUri $authendpointurl -SignOutUrl $signouturl -DefaultClientIdentifier $clientIdentifier -Scope "openid profile"
```
+Here, `New-SPTrustedIdentityTokenIssuer` PowerShell cmdlet is extended to support OIDC by using the following parameters:
+ | Parameter | Description | ||-| |Name | Gives a name to the new token issuer. | |Description | Gives a description to the new token issuer. |
-|ImportTrustCertificate | A certificate that is used to validate `id_token` from OIDC identifier. |
+|ImportTrustCertificate | Imports a list of X509 Certificates, which is used to validate `id_token` from OIDC identifier. If the OIDC identity provider (IDP) uses more than one certificate to digital sign the `id_token`, import these certificates and SharePoint validates `id_token` by matching the digital signature generated by using these certificates. |
| ClaimsMappings | A `SPClaimTypeMapping` object, which is used to identify which claim in the `id_token` is regarded as identifier in SharePoint. | | IdentifierClaim | Specifies the type of identifier. |
+| RegisteredIssuerName | Specifies the issuer identifier, which issues the `id_token`. It's used to validate the `id_token`. |
+| AuthorizationEndPointUrl | Specifies the authorization endpoint of the OIDC identity provider. |
+| SignoutUrl | Specifies the sign out endpoint of the OIDC identity provider. |
| DefaultClientIdentifier | Specifies the `client_id` of SharePoint server, which is assigned by OIDC identity provider. This is validated against aud claim in `id_token`. |
-| MetadataEndPoint | Specifies the well-known metadata endpoint from OIDC identity provider, which can be used to retrieve latest certificate, issuer, authorization endpoint, and sign out endpoint. |
+| ResponseTypesSupported | Specifies the response type of IDP, which is accepted by this token issuer. It can accept two strings: `id_token` and `code id_token`. If this parameter isn't provided, it uses `code id_token` as default. |
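Review bot: The re-added `New-SPTrustedIdentityTokenIssuer` call in the manual section passes `-ClaimsMappings emailClaimMap` without the `$`, so PowerShell binds the literal string rather than the `$emailClaimMap` object created two lines above it; the metadata-endpoint version of the same call was corrected to `$emailClaimMap` and this one should be too. The parameter table names `AuthorizationEndPointUrl` while the call uses `-AuthorizationEndPointUri`; the table should use the cmdlet's actual parameter name. The `$encodedCertStrs += <x5c cert string 1>` placeholders need quotes around the base64 value to parse once substituted. Since the MetadataEndPoint row describes retrieving the "latest certificate", the manual section should say plainly that the imported x5c certificates go stale when Microsoft Entra ID rotates its signing keys and must be refreshed on the token issuer (the page already uses `Set-SPTrustedIdentityTokenIssuer` in Step 7), otherwise `id_token` validation fails after a rollover. Terminology: the comment reverts to "AAD setup section" while the metadata script above says "Entra ID setup section"; pick one.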
## Step 4: Configure the SharePoint web application In this step, you configure a web application in SharePoint to be federated with the Microsoft Entra OIDC, using the `SPTrustedIdentityTokenIssuer` created in the previous step. > [!IMPORTANT]
->
> - The default zone of the SharePoint web application must have Windows authentication enabled. This is required for the Search crawler. > - The SharePoint URL that will use Microsoft Entra OIDC federation must be configured with Hypertext Transfer Protocol Secure (HTTPS).
To create a new web application, do the following:
2. Follow [Create a web application in SharePoint Server](../administration/create-a-web-application.md) to create a new web application enabling HTTPS/Secure Sockets Layer (SSL) named SharePoint - OIDC on contoso.local. 3. Open the SharePoint Central Administration site.
- 4. Select the web application you created, choose "Authentication Providers" in the Ribbon, click the link for the Default zone, and pick **contoso.local** as **Trusted Identity Provider**.
+ 4. Open the web application you created and pick **contoso.local** as **Trusted Identity Provider**.
:::image type="content" source="../media/authentication-providers.jpg" alt-text="Authentication Providers":::
To create a new web application, do the following:
:::image type="content" source="../media/new-web-application.png" alt-text="New web application":::
-To extend an existing web application and configure it to use the "contoso.local" trusted provider, do the following:
+To extend an existing web application, do the following:
-1. Start the SharePoint Management Shell and run PowerShell to extend the web application:
+1. Start the SharePoint Management Shell and run the following script:
-**Example:**
- ```powershell
- # Get the trusted provider
- $sptrust = Get-SPTrustedIdentityTokenIssuer "Contoso.local"
- $ap = New-SPAuthenticationProvider -TrustedIdentityTokenIssuer $sptrust
- # Get the web app
- $wa = Get-SPWebApplication http://spsites
- # Extend the web app to the "Intranet" zone using trusted provider auth and a SharePoint managed certificate called "SharePoint OIDC Site"
- New-SPWebApplicationExtension -Identity $wa -Name "spsites" -port 443 -HostHeader 'spsites.contoso.local'-AuthenticationProvider $ap -SecureSocketsLayer -UseServerNameIndication -Certificate 'SharePoint OIDC Site' -Zone 'Intranet' -URL 'https://spsites.contoso.local'
- ```
- 2. In the SharePoint Central Administration site, navigate to **System Settings** > **Configure Alternate Access Mappings** > **Alternate Access Mapping Collection**.
- 3. Filter the display with the web application that was extended and confirm that you see the following information:
+ ```powershell
+ # This script creates a trusted authentication provider for OIDC
+
+ $sptrust = Get-SPTrustedIdentityTokenIssuer "Contoso.local"
+ $ap = New-SPAuthenticationProvider -TrustedIdentityTokenIssuer $sptrust
+ ```
+
+ 2. Open the SharePoint Central Administration site.
+ 3. Open the web application you want to extend OIDC authentication to and pick **contoso.local** as **Trusted Identity Provider**.
+
+ :::image type="content" source="../media/authentication-providers-2.jpg" alt-text="Authentication Providers 2":::
+
+ 4. In the SharePoint Central Administration site, navigate to **System Settings** > **Configure Alternate Access Mappings** > **Alternate Access Mapping Collection**.
+ 5. Filter the display with the web application that was extended and confirm that you see the following information:
:::image type="content" source="../media/sharepoint-administration-site.png" alt-text="SharePoint Administration Site"::: ## Step 5: Ensure the web application is configured with SSL certificate
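Review bot: In the new "extend an existing web application" script, `$ap = New-SPAuthenticationProvider -TrustedIdentityTokenIssuer $sptrust` is created and never used; the removed script passed it to `New-SPWebApplicationExtension ... -AuthenticationProvider $ap -SecureSocketsLayer ... -Zone 'Intranet'`, and nothing in the new steps extends the web application at all, so the section title no longer matches its content. Either keep the `New-SPWebApplicationExtension` call (it is also what satisfies the HTTPS requirement in the IMPORTANT note) or retitle the section and drop the dead `$ap` line. The replacement step "Open the web application you created and pick contoso.local as Trusted Identity Provider" loses the navigation the old text gave (Authentication Providers on the ribbon, which zone to edit); since the IMPORTANT note requires Windows authentication to stay on the Default zone for the crawler, the text should name the zone that receives the trusted provider. Also "To create a new web application, do the following:" appears twice in this region, and the numbered list under it starts at 2.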
-Since OIDC 1.0 authentication can only work with HTTPS protocol, a certificate must be set on the corresponding web application. If not already configured, perform the following steps to set the certificate:
+Since OIDC 1.0 authentication can only work with HTTPS protocol, a certificate must be set on the corresponding web application. Perform the following steps to set the certificate:
1. Generate the site certificate:
In this step, you create a team site collection with two administrators: One as
11. Go to the account and select **OK** to close the People Picker dialog. 12. Select **OK** again to create the site collection.
-Once the site collection is created, should be able to sign-in using either the Windows or the federated site collection administrator account.
+Once the site collection is created, you're able to sign-in using either the Windows or the federated site collection administrator account.
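Review bot: "you're able to sign-in" uses the noun form as a verb; it should read "sign in". In Step 5, dropping "If not already configured" removes the hint that the certificate step is conditional; if the step is now always required, fine, otherwise restore the qualifier.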
## Step 7: Set up People Picker
-In OIDC authentication, the People Picker doesn't validate the input, which can lead to misspellings or users accidentally selecting the wrong claim type. This can be addressed either by using a Custom Claims Provider, or by using the new UPA-backed claim provider included in SharePoint Server Subscription Edition. To configure a UPA-backed claim provider, see [Enhanced People Picker for modern authentication](/sharepoint/administration/enhanced-people-picker-for-trusted-authentication-method)
+In OIDC authentication, the People Picker doesn't validate the input, which can lead to misspellings or users accidentally selecting the wrong claim type. This can be addressed using the new UPA-backed claim provider in SharePoint Server.
+
+> [!IMPORTANT]
+> In order for the UPA-backed claim provider to work, users and groups must be imported into the User Profile Service Application. This can be challenging for cloud-only users and groups. You may instead consider implementing a [custom claims provider](/sharepoint/dev/general-development/how-to-create-a-claims-provider-in-sharepoint) to provide "People Picker" functionality.
+
+To do this, perform the following steps:
+
+### 1. Create a new claim provider
+
+In the [previous step](#step-3-configure-sharepoint-to-trust-the-identity-provider), you already created an OIDC `SPTrustedIdentityTokenIssuer` by using `New-SPTrustedIdentityTokenIssuer` PowerShell cmdlet. In this step, you use the following PowerShell cmdlet to create a claim provider, which uses the User Profile Application service to search and resolve users and groups in the People Picker and specifies to use the OIDC `SPTrustedIdentityTokenIssuer`:
+
+ ```powershell
+ $claimprovider = New-SPClaimProvider -AssemblyName "Microsoft.SharePoint, Version=16.0.0.0, Culture=neutral, publicKeyToken=71e9bce111e9429c" -DisplayName 'OIDC Claim Provider' -Type "Microsoft.SharePoint.Administration.Claims.SPTrustedBackedByUPAClaimProvider" -TrustedTokenIssuer $tokenissuer -Description ΓÇ£OIDC Claim ProviderΓÇ¥ -Default:$false
+ ```
+
+Specify the following parameters:
+
+| Parameter | Description |
+||-|
+| AssemblyName | To be specified as `Microsoft.SharePoint, Version=16.0.0.0, Culture=neutral, publicKeyToken=71e9bce111e9429c`. |
+| Type | To be specified as `Microsoft.SharePoint.Administration.Claims.SPTrustedBackedByUPAClaimProvider` so that this command creates a claim provider, which uses UPA as the claim source. |
+| TrustedTokenIssuer | To be specified as the OIDC `SPTrustedIdentityTokenIssuer` created in the [previous step](#step-3-configure-sharepoint-to-trust-the-identity-provider), which uses this claim provider. This is a new parameter the user needs to provide when the type of the claim provider is `Microsoft.SharePoint.Administration.Claims.SPTrustedBackedByUPAClaimProvider`. |
+| Default | As we create a claim provider by using this cmdlet, this cmdlet can only work with `SPTrustedIdentityTokenIssuer` and `Default` parameter must be set to false so that it won't be used by any other authentication method assigned to the web application by default. |
+
+### 2. Connect `SPTrustedIdentityTokenIssuer` with `SPClaimProvider`
+
+In this step, the OIDC `SPTrustedIdentityTokenIssuer` uses the claim provider created in [step 1](#1-create-a-new-claim-provider) for searching and resolving users and groups:
+
+ ```powershell
+ Set-SPTrustedIdentityTokenIssuer <token issuer name> -ClaimProvider <claim provider object> -IsOpenIDConnect
+ ```
+
+Specify the following parameters:
+
+| Parameter | Description |
+||-|
+| token issuer name | The token issuer this People Picker will use. |
+| -ClaimProvider | The `SPClaimProvider`, which will be used to generate claim. |
+| -IsOpenIDConnect | Required when `SPTrustedIdentityTokenIssuer` is OIDC `SPTrustedIdentityTokenIssuer`. Without this parameter, OIDC `SPTrustedIdentityTokenIssuer` configuration fails. |
+
+An example of this command is:
+
+ ```powershell
+ $claimprovider = Get-SPClaimProvider -Identity "UPATest"
+ Set-SPTrustedIdentityTokenIssuer "ADFS Provider" -ClaimProvider $claimprovider -IsOpenIDConnect
+ ```
+
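Review bot: In the `New-SPClaimProvider` example, `$tokenissuer` is never assigned in this step (it only appears much later in the groups example as the output of a different `New-SPTrustedIdentityTokenIssuer` call), so the command runs with an empty `-TrustedTokenIssuer`; add `$tokenissuer = Get-SPTrustedIdentityTokenIssuer "contoso.local"` before it. The same line has mis-encoded quotes around the description (`ΓÇ£OIDC Claim ProviderΓÇ¥`); use plain `"OIDC Claim Provider"`. In the `Set-SPTrustedIdentityTokenIssuer` example, `Get-SPClaimProvider -Identity "UPATest"` and `"ADFS Provider"` do not match the names this page creates (`OIDC Claim Provider` and `contoso.local`), and "ADFS Provider" is misleading on an Entra OIDC page; reuse the page's own names. Minor: "which will be used to generate claim" should be "claims".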
+### 3. Synchronize profiles to user profile service application
+
+There are two ways to synchronize user profiles into the SharePoint UPSA:
+
+- Create a new SharePoint Active Directory Import (AD Import) connection with **Trusted Claims Provider Authentication** as the **Authentication Provider Type** in the connection setting. To utilize AD Import, see [Manage user profile synchronization in SharePoint Server](../administration/manage-profile-synchronization.md).
+
+ :::image type="content" source="../media/add-new-sync-connection-2.png" alt-text="Add New Synchronization Connections":::
+
+ > [!IMPORTANT]
+ > AD Import cannot import user profiles from Microsoft Entra ID. It can only import user profiles from on-premises Active Directory. In order to get cloud-only users and groups into the UPSA, you may need to utilize MIM.
+ > You may also consider implementing a [custom claims provider](/sharepoint/dev/general-development/how-to-create-a-claims-provider-in-sharepoint) to provide "People Picker" functionality.
+
+- Use Microsoft Identity Manager (MIM). To utilize MIM, see [Microsoft Identity Manager in SharePoint Servers 2016 and 2019](../administration/microsoft-identity-manager-in-sharepoint-server.md).
+ - There should be two agents inside the MIM Synchronization Service Manager UX after MIM is set up. One agent is used to import user profiles from the source IDP to the MIM database. The other agent is used to export user profiles from the MIM database to the SharePoint UPSA.
+
+During the synchronization, the following three properties must be provided to the UPSA:
+
+- `SPS-ClaimID`
+- `SPS-ClaimProviderID`
+- `SPS-ClaimProviderType`
+
+ 1. `SPS-ClaimID`
+
+ During the synchronization, you must pick which unique identity property in the source is mapped to the `SPS-ClaimID` property in the UPSA. We suggest using **Email** or **User Principal Name** for the `SPS-ClaimID`. The corresponding **IdentifierClaim** value needs to be set when token issuer is created from the [New-SPTrustedIdentityTokenIssuer](/powershell/module/sharepoint-server/new-sptrustedidentitytokenissuer) cmdlet.
+
+ For AD Import synchronization, **Central Administration > Application Management > Manage service applications > User Profile Service Application > Manage User Properties** allows administrators to edit the `SPS-ClaimID` to indicate which property in the source identity provider should be synchronized to `SPS-ClaimID`. (The display name of this property is **Claim User Identifier** and it can be customized to other display names by the administrator.) For example, if email is to be used as the `SPS-ClaimID`, **Claim User Identifier** should be set to **Email**.
+
+ :::image type="content" source="../media/SPS-ClaimID-1.png" alt-text="SPS-ClaimID":::
+ :::image type="content" source="../media/SPS-ClaimID-2.png" alt-text="SPS-ClaimProviderID":::
+ :::image type="content" source="../media/SPS-ClaimID-3.png" alt-text="SPS-ClaimProviderType":::
+
+ MIM synchronization is done by mapping **Email** or **User Principal Name** to `SPS-ClaimID` in the MIM database to the SharePoint UPSA agent:
+ - In the MIM Synchronization Service Manager, select the agent and open the **Configure Attribute Flow**. You can map **mail** to `SPS-ClaimID`.
+
+ :::image type="content" source="../media/SPS-ClaimID-4.png" alt-text="SPS-ClaimID4":::
+
+ 2. `SPS-ClaimProviderID` and `SPS-ClaimProviderType`
+
+ For AD Import synchronization, these properties can be modified in **User Profile Service Application > Configure Synchronization Connections > Create New Connection** when you create a new AD Import synchronization connection.
+
+ - `SPS-ClaimProviderID` should be set to the provider name created in [step 1](#1-create-a-new-claim-provider) by the `New-SPClaimProvider` cmdlet.
+ - `SPS-ClaimProviderType` should be set to `SPTrustedBackedByUPAClaimProvider`.
+
+ For MIM synchronization, these properties can be set in the **Configure Attribute Flow** for the MIM database to SharePoint UPSA agent:
+
+ - `SPS-ClaimProviderType` should be set to **Trusted** as Constant type.
+ - `SPS-ClaimProviderID` should be set to the provider name created in [step 1](#1-create-a-new-claim-provider) by the `New-SPClaimProvider` cmdlet.
+
+ :::image type="content" source="../media/configure-attribute-flow-2.png" alt-text="Configure Attribute Flow":::
+
+### 4. Make groups searchable
+
+Perform the following steps to enable the People Picker control to work with groups:
+
+1. Group object must have a property named `SID` of type `groupid` in the identity provider.
+
+ You can create a `ClaimTypeMapping` object by using [New-SPClaimTypeMapping](/powershell/module/sharepoint-server/new-spclaimtypemapping) and then provide this object to [New-SPTrustedIdentityTokenIssuer](/powershell/module/sharepoint-server/new-sptrustedidentitytokenissuer) cmdlet with `-ClaimsMappings` parameter.
+
+ ```powershell
+ $sidClaimMap = New-SPClaimTypeMapping -IncomingClaimType "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid" -IncomingClaimTypeDisplayName "SID" -SameAsIncoming
+ $tokenissuer = New-SPTrustedIdentityTokenIssuer -ClaimsMappings $sidClaimMap, $emailClaimMap
+ ```
+
+ This sample cmdlet first creates a `claimmap` object of type `groupsid` and indicates that it works with the `SID` property of the group and then creates a new identity issuer, which can understand this mapping.
+
+2. Synchronize `SID` property of groups from the identity provider to the `SID` property in UPSA.
+ 1. For AD Import synchronization, `SID` is synchronized automatically without other setup from the source identity provider to the SharePoint UPSA.
+ 2. For MIM synchronization, the property mapping needs to be taken from the identity provider to MIM and then from MIM to the SharePoint UPSA so that MIM can synchronize the group `SID` from the identity provider to the SharePoint UPSA. This is similar to how we do user profile synchronization for the `SPS-ClaimID` property for user profiles.
+
+1. For MIM synchronization, `sAMAccountName` should also be mapped to `accountName` from MIM to the SharePoint UPSA. If it doesnΓÇÖt exist, admin should create mapping pair from `sAMAccountName` to `accountName` in MIM manually.
+
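Review bot: Step 1 says the group object needs a `SID` property "of type `groupid`", while the cmdlet maps `.../claims/groupsid` and the explanation below says "of type `groupsid`"; make the three agree. The `New-SPTrustedIdentityTokenIssuer -ClaimsMappings $sidClaimMap, $emailClaimMap` line omits the parameters the earlier sections show as required (`-Name`, `-IdentifierClaim`, `-DefaultClientIdentifier`, and either `-MetadataEndPoint` or the certificate and issuer set), so it should be presented as the `-ClaimsMappings` value to add to the Step 3 call rather than as a stand-alone command. The list under step 2 restarts at "1. For MIM synchronization, `sAMAccountName`..." instead of continuing as item 3, and that item has a mis-encoded apostrophe in "doesnΓÇÖt".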
+### 5. Enable fields being searchable in UPSA
+
+To make People Picker work, the final step is to enable fields to be searchable in UPSA.
+
+Users can set which properties are searched by the People Picker by following this sample PowerShell script:
+
+ ```powershell
+ #Get the property list of UPSA connected with the web application
+ $site = $(Get-SPWebApplication $WebApplicationName).Sites[0]
+ $context= Get-SPServiceContext $site
+ $psm = [Microsoft.Office.Server.UserProfiles.ProfileSubTypeManager]::Get($context)
+ $ps =
+ $psm.GetProfileSubtype([Microsoft.Office.Server.UserProfiles.ProfileSubtypeManager]::GetDefaultProfileName([Microsoft.Office.Server.UserProfiles.ProfileType]::User))
+ $properties = $ps.Properties
+
+ #Enable people picker search for property name 'FistName', 'LastName' and 'SPS-ClaimID'
+ $PropertyNames = 'FirstName', 'LastName', 'SPS-ClaimID'
+ foreach ($p in $PropertyNames) {
+ $property = $properties.GetPropertyByName($p)
+ if ($property) {
+ $property.CoreProperty.IsPeoplePickerSearchable = $true
+ $property.CoreProperty.Commit()
+ $property.Commit()
+ }
+ }
+ ```
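Review bot: `$WebApplicationName` in `Get-SPWebApplication $WebApplicationName` is never set, so the script fails on its first line unless the reader guesses; use the same `<...>` placeholder convention as the other scripts on the page or show an assignment. The comment "property name 'FistName'" misspells FirstName (the `$PropertyNames` array below it is correct). The line break after `$ps =` before the long `GetProfileSubtype(...)` call is legal PowerShell but renders as a broken line; joining the two, or indenting the continuation, avoids readers treating it as a copy error.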