Service | Microsoft Docs article | Related commit history on GitHub | Change details |
---|---|---|---|
SharePoint | Customize Sharepoint Site Permissions | https://github.com/MicrosoftDocs/OfficeDocs-SharePoint/commits/public/SharePoint/SharePointOnline/customize-sharepoint-site-permissions.md | A SharePoint group is a collection of users who all have the same set of permiss You can add users to a group at any time. -1. On your website or team site, click **Share** +1. On your website or team site, click **Share**. ![Click the share button to send invites to new members](media/d4917a74-658e-4ca8-8f61-5b83e9a5b532.png) If you see **Members** instead of **Share**, click **Members**, and then click **Add members**. -2. By default, the **Share** dialog that appears displays the message **Invite people to Edit** or **Invite people**. This invites the users who you add to join the SharePoint Members group. To choose a different group and permission level, click **Show options** and then choose a different SharePoint group or permission level under **Select a group or permission level**. +2. In the **Share site** dialog that appears, enter the name or email address of the user or group that you want to add. When the name appears, choose the permission level from the dropdown. - ![Add a member to a group dialog](media/1cc64d51-54cd-41e1-a4fd-db317e38251c.PNG) + ![Add a member to a group dialog](media/add-user-to-a-group.PNG) + -1. In the **Enter names, email addresses, or Everyone** box, enter the name or email address of the user or group that you want to add. When the name appears in a confirmation box below your entry, select the name to add it to the text box. - -2. If you want to add more names, repeat these steps. - -3. (Optional) Enter a personalized message to send to the new users in **Include a personal message with this invitation**. +3. If you want to add more names, repeat these steps. -4. Click **Share**. +4. Enter a message to send to the new users in the **Add a message** box. ++5. Select **Share**. 
+ ### Remove users from a group <a name="__toc340230104"> </a> |
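Review bot: the rewritten step 2 tells the reader to "choose the permission level from the dropdown" but drops the only statement of the default that the old text had ("This invites the users who you add to join the SharePoint Members group", with the dialog titled "Invite people to Edit"). A reader who leaves the dropdown alone is granted something and the page no longer says what; state the level the **Share site** dialog preselects, or keep a sentence equivalent to the removed one. Smaller point: the old step 1 named "Everyone" as a valid entry in the name box; if the new dialog still accepts it, keep it in the new step 2, since that is the entry that opens the site to the whole organization.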
SharePoint | External Sharing Overview | https://github.com/MicrosoftDocs/OfficeDocs-SharePoint/commits/public/SharePoint/SharePointOnline/external-sharing-overview.md | Previously updated : 06/12/2023 Last updated : 06/19/2023 Title: Overview of external sharing in SharePoint and OneDrive in Microsoft 365 +ms.localizationpriority: medium - Strat_OD_share - M365-collaboration If you want to get straight to setting up sharing, choose the scenario you want > [!NOTE] > External sharing is turned on by default for your entire SharePoint and OneDrive environment. You may want to [turn it off globally](turn-external-sharing-on-or-off.md) before people start using sites or until you know exactly how you want to use the feature. +### SharePoint and OneDrive integration with Azure AD B2B ++There are two external sharing models used in SharePoint and OneDrive: ++- SharePoint external authentication ++- SharePoint and OneDrive integration with Azure AD B2B ++When using Azure AD B2B integration, Azure AD external collaboration settings, such as [guest invite settings and collaboration restrictions](/azure/active-directory/external-identities/external-collaboration-settings-configure) apply. ++The following table shows the differences between the two sharing models. ++|Sharing method|Files and folders|Sites| +|:--|:-|:-| +|SharePoint external authentication<br>(Azure AD B2B integration not enabled)|No guest account created*<br>Azure AD settings don't apply|N/A<br>(Azure AD B2B always used)| +|Azure AD B2B integration enabled|Guest account always created<br>Azure AD settings apply|Guest account always created<br>Azure AD settings apply| ++*A guest account may already exist from another sharing workflow, such as sharing a team, in which case it's used for sharing. ++For information on how to enable or disable Azure AD B2B integration, see [SharePoint and OneDrive integration with Azure AD B2B](sharepoint-azureb2b-integration.md). 
+ ## How the external sharing settings work SharePoint has external sharing settings at both the organization level and the site level (previously called the "site collection" level). To allow external sharing on any site, you must allow it at the organization level. You can then restrict external sharing for other sites. If a site's external sharing option and the organization-level sharing option don't match, the most restrictive value will always be applied. OneDrive sharing settings can be the same as or more restrictive than the SharePoint settings. Whichever option you choose at the organization or site level, the more restrictive functionality is still available. For example, if you choose to allow unauthenticated sharing using "Anyone" links, users can still share with guests, who sign in, and with internal users. -> [!IMPORTANT] -> Even if your organization-level setting allows external sharing, not all new sites allow it by default. The default sharing setting for Microsoft 365 group-connected team sites is "New and existing guests." The default for communication sites and classic sites is "Only people in your organization." +> [!NOTE] +> Even if your organization-level setting allows external sharing, not all new sites allow it by default. See [Default site sharing settings](/microsoft-365/solutions/microsoft-365-guest-settings#default-site-sharing-settings) for more information. **Security and privacy** When you or your users create Microsoft 365 groups (for example in Outlook, or b When users share with people outside the organization, an invitation is sent to the person in email, which contains a link to the shared item. -These recipients are added to your directory as guests provided that [SharePoint and OneDrive integration with Azure AD B2B](sharepoint-azureb2b-integration.md) is enabled. 
- Because these guests do not have a license in your organization, they are limited to basic collaboration tasks: - They can use Office.com for viewing and editing documents. If your plan includes Office Professional Plus, they can't install the desktop version of Office on their own computers unless you assign them a license. If your authenticated guests need greater capability such as OneDrive storage or ## Stopping sharing You can stop sharing with guests by removing their permissions from the shared item, or by removing them as a guest in your directory.- -You can stop sharing with people who have an "Anyone" link by going to the file or folder that you shared and deleting the link. ++You can stop sharing with people who have an *Anyone* link by going to the file or folder that you shared and deleting the link or by turning off *Anyone* links for the site. [Learn how to stop sharing an item](https://support.office.com/article/0a36470f-d7fe-40a0-bd74-0ac6c1e13323) |
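Review bot: the new table says that with B2B integration off, file and folder sharing creates no guest account, and the diff removes the sentence that said recipients become directory guests only when integration is enabled; but the "Stopping sharing" paragraph still offers "removing them as a guest in your directory" as a way to stop sharing, with no qualifier. For the non-B2B model there is no guest object to remove, so the only revocation is from the item itself. Add that condition to "Stopping sharing" (for example "if a guest account was created"), otherwise an admin may delete a guest from Azure AD and assume the file access is gone. Also, the footnote line "*A guest account may already exist..." starts with a bare asterisk, which Markdown can render as a bullet or emphasis marker; escape it as `\*`.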
SharePoint | Restricted Access Control | https://github.com/MicrosoftDocs/OfficeDocs-SharePoint/commits/public/SharePoint/SharePointOnline/restricted-access-control.md | Previously updated : 06/16/2023 Last updated : 06/20/2023 Title: "Restrict SharePoint site access" Set-SPOSite -Identity <siteurl> -RestrictedAccessControl $false ## Sites not connected to Teams or Microsoft 365 groups -With restricted access control, you can ***restrict site access to members of specified [Azure AD security groups](/windows-server/identity/ad-ds/manage/understand-security-groups)*** using [SharePoint PowerShell](/powershell/sharepoint/sharepoint-online/introduction-sharepoint-online-management-shell). Users who aren't members of the specified security groups can't open the site or its content even if they previously had site access permissions. **You can apply restricted access control on a site with up to 10 security groups.** +With restricted access control, you can ***restrict site access to members of specified [Azure AD security groups](/windows-server/identity/ad-ds/manage/understand-security-groups)*** using [SharePoint PowerShell](/powershell/sharepoint/sharepoint-online/introduction-sharepoint-online-management-shell). Users who aren't members of the specified security groups can't open the site or its content even if they previously had site access permissions. **You can apply restricted access control on a site with up to 10 security groups.** [Dynamic membership](/azure/active-directory/enterprise-users/groups-create-rule) of security groups is also supported for restricted access control policy. ### Enable restricted access control for non-group connected sites Set-SPOSite -Identity <siteurl> -AddRestrictedAccessControlGroups <comma separat > [!NOTE] > > - For restricted access control to be enforced on the site, you must add at least one security group whose members are allowed site access.-> - You can add up to 10 Security Groups for a given site. 
+> - You can add up to 10 security Groups for a given site. > - The users in the security group will automatically have access to the site. **For example:** Set-SPOSite -Identity https://contoso.sharepoint.com/sites/LegalDepartmentSite - You can remove the specified security group from restricted access control configuration. Members of the security group are no longer be able to access site content while the policy is enforced on the site. -To remove a security group from a restricted access control configuration for the non-group site, run the following command: +**To remove a security group from a restricted access control configuration for the non-group site, run the following command:** ```Powershell Set-SPOSite -Identity <siteurl> -RemoveRestrictedAccessControlGroups <comma separated group GUIDS> Set-SPOSite -Identity <siteurl> -RemoveRestrictedAccessControlGroups <comma sepa Set-SPOSite -Identity https://contoso.sharepoint.com/sites/LegalDepartmentSite -RemoveRestrictedAccessControlGroups afd516b5-c350-4c2a-8339-600b93c56791 ``` +**To reset restricted access control configuration for a site, run the following command:** ++```powershell +Set-SPOSite -Identity <siteurl> -ClearRestrictedAccessControl +``` ++**For example:** ++```powershell +Set-SPOSite -Identity https://contoso.sharepoint.com/sites/LegalDepartmentSite -ClearRestrictedAccessControl +``` ++This command resets the restricted access control configuration for the given site by setting RestrictedAccessControl flag to false and clearing RestrictedAccessControlGroups for the given site. + > [!TIP] > The security groups removed from the restricted access control list will continue to have site permissions. We recommend SPO admin to review site permissions and remove users who should no longer have site access permissions. |
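Review bot: the paragraph explaining `-ClearRestrictedAccessControl` says it sets the flag to false and clears the group list, but not what that does to access: once the policy is off, everyone who still holds site permissions, including users who were locked out while it was enforced, can open the site again. The TIP below only warns about groups removed with `-RemoveRestrictedAccessControlGroups`; extend it to cover a reset, since that is the larger exposure. Two small points in the same hunk: the new NOTE bullet reads "security Groups" where the rest of the page uses "security groups", and the untouched sentence "Members of the security group are no longer be able to access site content" is still wrong ("are no longer able"); since the adjacent line is being edited, fix it here.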
SharePoint | Sharepoint Sync | https://github.com/MicrosoftDocs/OfficeDocs-SharePoint/commits/public/SharePoint/SharePointOnline/sharepoint-sync.md | Previously updated : 07/20/2018 Last updated : 06/20/2023 Title: Sync in SharePoint and OneDrive -description: "In this article, you'll learn about syncing SharePoint and OneDrive files using the OneDrive sync app for Windows and Mac." +description: "In this article, you learn about syncing SharePoint and OneDrive files using the OneDrive sync app for Windows and Mac." # Sync in SharePoint and OneDrive When users install the OneDrive sync app for Windows or Mac, and sync the files on a team site, they can work with the files in File Explorer or Finder. They can also easily save files to the team site from the programs they use. -When users add, change, and delete files and folders on the site, the files and folders are automatically added, changed, or deleted on their computer and vice versa. +If the user adds, changes, or deletes files and folders on the site, the changes also apply to the files and folders of the user's computer and vice versa. -To upload files to the team site, users can simply copy or move them to the site in File Explorer or Finder. They can also use File Explorer or Finder to easily organize the document library by creating new folders, and moving and renaming files and folders. All these changes sync automatically. +To upload files to the team site, users can copy or move them to the site in File Explorer or Finder. They can also use File Explorer or Finder to easily organize the document library by creating new folders, and moving and renaming files and folders. All these changes sync automatically. Windows 10 devices come with the OneDrive sync app installed. Office 2016 and later installations also have the sync app installed. Users have two options when syncing files in SharePoint libraries and Teams. 
The - [Add shortcuts to libraries and folders to their OneDrive](https://support.microsoft.com/office/d66b1347-99b7-4470-9360-ffc048d35a33). - [Use the Sync button in the document library](https://support.microsoft.com/office/6de9ede8-5b6e-4503-80b2-6190f3354a88). -Both options allow essentially the same thingΓÇöusers can access files on their local computer in Explorer or Finder. However, adding OneDrive shortcuts allows content to be accessed on all devices, whereas sync is related to a specific device. Additionally, OneDrive shortcuts offer improved performance versus using the sync button. +## Deciding between OneDrive sync options -We recommend using OneDrive shortcuts as the more versatile option. If you want to remove the Sync button from all the SharePoint libraries in your organization, you can use the [Set-SPOTenant](/powershell/module/sharepoint-online/set-spotenant) PowerShell cmdlet: +Both OneDrive shortcuts and OneDrive Sync options allow essentially the same thingΓÇöusers can access files on their local computer in Explorer or Finder. ++However, adding OneDrive shortcuts allows content to be accessed on all devices, whereas sync is related to a specific device. Additionally, OneDrive shortcuts offer improved performance versus using the sync button. ++We recommend using OneDrive shortcuts as the more versatile option. ++### Turn off OneDrive sync for SharePoint libraries ++You can turn off OneDrive sync from all the SharePoint libraries in your organization by using this [Set-SPOTenant](/powershell/module/sharepoint-online/set-spotenant) PowerShell cmdlet to remove the OneDrive sync button: ```PowerShell Set-SPOTenant -HideSyncButtonOnTeamSite $true ``` -Removing the sync button blocks new syncs from being started but does not affect existing syncs. +Removing the sync button blocks new syncs from being started but doesn't affect existing syncs. 
-## Related topics +## Related articles [Read the release notes and install the latest fully released versions](https://support.office.com/article/845dcf18-f921-435e-bf28-4e24b95e5fc0). Read about [Invalid file names and file types in OneDrive and SharePoint](https://support.office.com/article/64883a5d-228e-48f5-b3d2-eb39e07630fa). [Fix OneDrive sync problems](https://support.office.com/article/fix-onedrive-sync-problems-0899b115-05f7-45ec-95b2-e4cc8c4670b2)- |
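Review bot: the new heading "Turn off OneDrive sync for SharePoint libraries" and the sentence under it ("turn off OneDrive sync from all the SharePoint libraries") promise more than the cmdlet does; the page's own next sentence says `-HideSyncButtonOnTeamSite $true` only blocks new syncs from being started and doesn't affect existing ones. Name the section for what it does ("Hide the Sync button ...") and say up front that already-synced libraries keep syncing, so an admin does not treat this as a way to stop content reaching devices. The same applies to the recommendation of shortcuts as "the more versatile option": the page says both options put the files in Explorer or Finder, so neither is a control on where content ends up.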
SharePoint | Turn External Sharing On Or Off | https://github.com/MicrosoftDocs/OfficeDocs-SharePoint/commits/public/SharePoint/SharePointOnline/turn-external-sharing-on-or-off.md | Previously updated : 06/06/2023 Last updated : 06/19/2023 Title: Manage sharing settings for SharePoint and OneDrive in Microsoft 365 For end-to-end guidance around how to configure guest sharing in Microsoft 365, To change the sharing settings for a site after you've set the organization-level sharing settings, see [Change sharing settings for a site](change-external-sharing-site.md). To learn how to change the external sharing setting for a specific user's OneDrive, see [Change the external sharing setting for a user's OneDrive](/onedrive/user-external-sharing-settings). +### SharePoint and OneDrive integration with Azure AD B2B ++There are two external sharing models used in SharePoint and OneDrive: ++- SharePoint external authentication ++- SharePoint and OneDrive integration with Azure AD B2B ++When using Azure AD B2B integration, Azure AD external collaboration settings, such as [guest invite settings and collaboration restrictions](/azure/active-directory/external-identities/external-collaboration-settings-configure) apply. ++The following table shows the differences between the two sharing models. ++|Sharing method|Files and folders|Sites| +|:--|:-|:-| +|SharePoint external authentication<br>(Azure AD B2B integration not enabled)|No guest account created*<br>Azure AD settings don't apply|N/A<br>(Azure AD B2B always used)| +|Azure AD B2B integration enabled|Guest account always created<br>Azure AD settings apply|Guest account always created<br>Azure AD settings apply| ++*A guest account may already exist from another sharing workflow, such as sharing a team, in which case it's used for sharing. ++For information on how to enable or disable Azure AD B2B integration, see [SharePoint and OneDrive integration with Azure AD B2B](sharepoint-azureb2b-integration.md). 
+ ## Video demonstration This video shows how the settings on the <a href="https://go.microsoft.com/fwlink/?linkid=2185222" target="_blank">**Sharing** page in the SharePoint admin center</a> affect the sharing options available to users. This video shows how the settings on the <a href="https://go.microsoft.com/fwlin This setting is for your organization overall. Each site has its own sharing setting that you can set independently, though it must be at the same or more restrictive setting as the organization. See [Change the external sharing setting for a site](change-external-sharing-site.md) for more information. > [!IMPORTANT]-> [Azure Active Directory external collaboration settings](/azure/active-directory/external-identities/external-collaboration-settings-configure) determine who can invite guests in your organization. Be sure to review Azure AD guest access settings as part of your SharePoint and OneDrive sharing setup. - +> [Azure Active Directory external collaboration settings](/azure/active-directory/external-identities/external-collaboration-settings-configure) determine who can invite guests in your organization for site sharing (always) and file and folder sharing (if Azure B2B collaboration is enabled). Be sure to review Azure AD guest access settings as part of your SharePoint and OneDrive sharing setup. + ### Which option to select | Select this option: | If you want to: | This video shows how the settings on the <a href="https://go.microsoft.com/fwlin **Limit external sharing by domain** This is useful if you want to limit sharing with particular partners, or help prevent sharing with people at certain organizations. The organization-level setting on this page affects all SharePoint sites and each user's OneDrive. To use this setting, list the domains (maximum of 3000) in the box, using the format *domain.com*. To list multiple domains, press Enter after adding each domain. 
- + You can also limit external sharing by domain by using the [Set-SPOTenant](/powershell/module/sharepoint-online/Set-SPOTenant) Microsoft PowerShell cmdlet with -SharingDomainRestrictionMode and either -SharingAllowedDomainList or -SharingBlockedDomainList. For info about limiting external sharing by domain at the site level, see [Restricted domains sharing](restricted-domains-sharing.md). -> [!IMPORTANT] -> [Allowed or blocked domains in Azure AD](/azure/active-directory/external-identities/allow-deny-list) also affect SharePoint and OneDrive. Be sure to review Azure AD collaboration restrictions as part of your SharePoint and OneDrive sharing setup. +[Allowed or blocked domains in Azure AD](/azure/active-directory/external-identities/allow-deny-list) also affect SharePoint and OneDrive site sharing (always) and file and folder sharing (if Azure B2B collaboration is enabled). Be sure to review Azure AD collaboration restrictions as part of your SharePoint and OneDrive sharing setup. **Allow only users in specific security groups to share externally** For info about this setting, see [Manage security groups](./manage-security-grou **Guests must sign in using the same account to which sharing invitations are sent** -By default, guests can receive an invitation at one account but sign in with a different account. After they redeem the invitation, it can't be used with any other account. +By default, guests can receive an invitation at one account but sign in with a different account. After they redeem the invitation, it can't be used with any other account. This setting only applies to sharing that doesn't use Azure AD B2B collaboration. 
**Allow guests to share items they don't own** If your administrator has set an expiration time for guest access, each guest th **People who use a verification code must reauthenticate after this many days** -If people who use a verification code have selected to "stay signed in" in the browser, they must prove they can still access the account they used to redeem the sharing invitation by entering a code sent to that account. +If people who use a verification code have selected to "stay signed in" in the browser, they must prove they can still access the account they used to redeem the sharing invitation by entering a code sent to that account. If Azure B2B collaboration is enabled, the [Azure AD setting](/azure/active-directory/external-identities/one-time-passcode) is used instead of this setting. ## File and folder links |
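Review bot: the "### SharePoint and OneDrive integration with Azure AD B2B" section, its table and its footnote are pasted verbatim from external-sharing-overview.md in the same commit. The repo already uses `[!INCLUDE[...]]` fragments (the appliesto include in host-named-site-collection-architecture-and-deployment.md), so move this block into one and reference it from both pages so the copies can't drift. On substance: the "Limit external sharing by domain" change downgrades the IMPORTANT callout to plain text at the same moment it adds the condition that Azure AD allow/deny lists only cover file and folder sharing when B2B collaboration is enabled. That condition is what an admin is most likely to miss (with B2B off, the SharePoint domain list is the only control on file and folder sharing), so keep the callout. The "Guests must sign in using the same account" and verification-code paragraphs now each say which model they apply to; stating the split once at the top of the settings section would be clearer than a trailing sentence per setting.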
SharePoint | Host Named Site Collection Architecture And Deployment | https://github.com/MicrosoftDocs/OfficeDocs-SharePoint/commits/public/SharePoint/SharePointServer/administration/host-named-site-collection-architecture-and-deployment.md | description: "Plan and implement host-named site collections in SharePoint Serve [!INCLUDE[appliesto-2013-2016-2019-SUB-xxx-md](../includes/appliesto-2013-2016-2019-SUB-xxx-md.md)] -Host-named site collections are the preferred method to deploy sites in SharePoint Server. Because the Microsoft 365 environment uses host-named site collections, new features are optimized for these site collections and they're expected to be more reliable. Learn how to plan for and implement host-named site collections, design URLs, and manage URLs. +Host-named site collections are an optional approach to deploy sites in SharePoint Server. Users who wish to have multiple site collections, with each site collection having its own DNS name, can opt to deploy host-named site collections. Otherwise, users should deploy path-based site collections. ++Learn how to plan for and implement host-named site collections, design URLs, and manage URLs. ## Architecture and design for host-named site collections <a name="section1"> </a> -Host-named site collections enable you to assign a unique DNS name to site collections. For example, you can address them as `http://TeamA.contoso.com` and `http://TeamB.contoso.com`. This example shows that you to deploy many sites with unique DNS names in the same web application. It also enables hosters to scale an environment to many customers. If you don't use host-named site collections, your SharePoint web application will contain many path-based site collections that share the same host name (DNS name). For example, Team A has a site collection at `http://contoso.com/sites/teamA`, and Team B has a site collection at `http://contoso.com/sites/teamB`. 
+Host-named site collections enable you to assign a unique DNS name to site collections. For example, you can address them as `http://TeamA.contoso.com` and `http://TeamB.contoso.com`. This example shows that you to deploy many sites with unique DNS names in the same web application. It also enables hosters to scale an environment to many customers. -We recommend host-named site collections unless requirements dictate that path-based sites with alternate access mapping are necessary (described later in this article). This article describes how to implement host-named site collections in a recommended configuration with SharePoint Server. Information about advanced configurations is included at the end of this article: [Use multiple web applications with host-named site collections](host-named-site-collection-architecture-and-deployment.md). +This article describes how to implement host-named site collections in a recommended configuration with SharePoint Server. Information about advanced configurations is included at the end of this article: [Use multiple web applications with host-named site collections](host-named-site-collection-architecture-and-deployment.md). ### Recommended architecture for host-named site collections <a name="section1a"> </a> -The recommended configuration for deploying sites is using host-named site collections with all sites located within a single web application, as illustrated in the following diagram. +The recommended configuration for deploying host-named site collections is to place all host-named site collections within a single web application, as illustrated in the following diagram. **Recommended configuration for host-named site collections** This recommended configuration in the diagram includes the following elements: The number of sites within the web application and the URLs for sites aren't important for this example. 
-When creating a Web application for host-named site collections, the URL of the Web application and the root site collection will be `http://<_webapp.contoso.com_>/`. +When creating a web application for host-named site collections, the URL of the web application and the root site collection will be `http://<_webapp.contoso.com_>/`. -![URLs of the Web app and root site collection.](../media/HNSC_Webapp_root_URL.jpg) +![URLs of the web app and root site collection.](../media/HNSC_webapp_root_URL.jpg) -This architecture is recommended to deploy sites because it's the same architecture that the Microsoft 365 environment uses. So, this configuration is the most heavily tested configuration. New features, including the App model and Request Management, are optimized for this configuration, and it's the most reliable configuration going forward. +This architecture is recommended to deploy host-named site collections because it's the same architecture that the Microsoft 365 environment uses. So, this configuration is the most heavily tested configuration. New features, including the App model and Request Management, are optimized for this configuration, and it's the most reliable configuration going forward. The recommended configuration doesn't include the following elements: SharePoint Server supports both host-named and path-based site collections. The |Creating sites|You can use Microsoft PowerShell to create host-named site collections. You can't use Central Administration to create host-named site collections.|You can use Central Administration or PowerShell to create path-based site collections.| |URLs|Each host-named site collection in a web application is assigned a unique DNS name. <br/> You can use zones to assign up to five URLs to host-named sites, including vanity URLs.|All path-based site collections in a web application share the same host name (DNS name) as the web application. 
You can extend a web application to implement up to five zones and create different host names for each zone. However, the host name for a zone applies to all site collections within the web application.| |Root site collection and search|A root site collection is required to crawl content in a web application. A root site collection can be a site collection that users can't access.|Typically, a single path-based site collection serves as the root site collection within a web application. You can use managed paths to create more site collections within the web application.|-|URL mapping|Use PowerShell commands to manage URLs (Set-SPSiteURL, Remove-SPSiteURL, Get-SPSiteURL).|Use Alternate Access Mappings to manage URLs.| +|URL mapping|Use PowerShell commands to manage URLs (`Set-SPSiteUrl`, `Remove-SPSiteUrl`, `Get-SPSiteUrl`).|Use Alternate Access Mappings to manage URLs.| |Self-service site creation|You need to use a custom solution for self-service site creation with host-named site collections. <br/> The Self Service Site Creation feature that is part of the default installation of SharePoint Server doesn't work with host-named site collections.|When you use the Self Service Site Creation feature that is part of the default installation of SharePoint Server, you create path-based sites.| |Managed paths|Managed paths for host-named site collections apply at the farm level and are available for all web applications. <br/> You have to use PowerShell to create managed paths for host-named site collections.|Managed paths for path-based sites apply at the web application level. <br/> You can use Central Administration or Microsoft PowerShell to create managed paths for path-based site collections.| SharePoint Server supports both host-named and path-based site collections. 
The PowerShell cmdlets manage URL mappings for host-named site collections and enable you to map URLs to a single site collection: -- Set-SPSiteUrl ΓÇö Add or change a URL mapping for a site.+- `Set-SPSiteUrl` ΓÇö Add or change a URL mapping for a site. -- Remove-SPSiteUrl ΓÇö Remove a URL mapping from a site.+- `Remove-SPSiteUrl` ΓÇö Remove a URL mapping from a site. -- Get-SPSiteUrl ΓÇö See all URLs and associated zones for a site collection.+- `Get-SPSiteUrl`ΓÇö See all URLs and associated zones for a site collection. These cmdlets provide URL mapping functionality for host-named site collections that is similar to alternate access mapping. These cmdlets provide URL mapping functionality for host-named site collections Host-named site collections are available through any zone. Host-named site collections aren't limited to the default zone. If needed, you can implement multiple zones and use zones and host-named site collections to configure different authentication settings or policies. > [!NOTE]-> To use different zones you need to extend existing web application. +> To use different zones, you need to extend the existing web application into the new zones. You can assign up to five URLs to a single site collection by assigning one URL per zone. Even if you follow the recommended architecture by implementing only one zone, you can still assign up to five URLs to host-named site collections. This provision is because if a zone isn't implemented by extending the web application, SharePoint Server uses the default zone. For example, the following URLs could provide access to the same Internet site: - www.Contoso.com -- www.Contoso.uk+- www.Contoso.uk - www.Contoso.ca The cmdlets that manage URLs only operate on the root site collection for a host Off-box termination of SSL occurs when a proxy server terminates an SSL request and uses HTTP to forward the request to a web server. 
To achieve off-box SSL termination with host-named site collections, the device that terminates the SSL connection, such as a reverse proxy server, must be capable of generating a custom HTTP header: **Front-End-Https: On**. For more information, see [Use host-named site collections with off-box SSL termination](host-named-site-collection-architecture-and-deployment.md). -The protocol used for a host-named site collection depends on the value of the Url parameter that you specified when you used the Set-SPSiteURL cmdlet to map the URL to a particular zone: http or https. Ensure that the IIS bindings for the web application, SSL certificates, reverse proxy configuration, and any other configuration necessary is complete. +Off-box termination of SSL is supported but not recommended because it results in unencrypted traffic being sent from the proxy server to the web server. ++The protocol used for a host-named site collection depends on the value of the URL parameter that you specified when you used the `Set-SPSiteUrl` cmdlet to map the URL to a particular zone: http or https. Ensure that the IIS bindings for the web application, SSL certificates, reverse proxy configuration, and any other configuration necessary is complete. ### When to use path-based site collections <a name="section1d"> </a> -Although we recommend host-named site collections for most architectures, you should use the traditional path-based site collections and alternate access mapping if any of the following conditions apply: +Use the traditional path-based site collections and alternate access mapping if any of the following conditions apply: - You need to use the Self Service Site Creation feature that is part of the default installation of SharePoint Server. 
Although we recommend host-named site collections for most architectures, you sh ### Use host headers and host-named site collections <a name="section1e"> </a> -Host headers allow the web server to host multiple web sites on the same IP Address and Port combination. If the incoming HTTP request includes a host header name, and a matching host header is configured in IIS, IIS will respond with the content from the appropriate web site. +Host headers allow the web server to host multiple websites on the same IP Address and Port combination. If the incoming HTTP request includes a host header name, and a matching host header is configured in IIS, IIS will respond with the content from the appropriate website. ++Host headers are configured at the web Application (IIS website) level, they're one of the website bindings properties. -Host headers are configured at the Web Application (IIS web site) level, they're one of the website bindings properties. +It's important to understand the distinction between Host headers in IIS and host-named site collections. Host headers at the IIS website level are only intended for path-based site collections. -It's important to understand the distinction between Host headers in IIS and Host Named Site Collections. Host headers at the IIS web site level are only intended for path-based site collections. +When using host-named site collections, SharePoint is responsible for resolving the correct site for the address based upon the incoming request passed through IIS. In most cases, applying a host header binding at the IIS website level makes it impossible to access host-named site collections through the IIS website. This inaccessibility is because IIS won't respond to requests for host names that differ from the host header binding. -When using Host named site collections, SharePoint is responsible for resolving the correct site for the address based upon the incoming request passed through IIS. 
In most cases, applying a host header binding at the IIS web site level makes it impossible to access host-named site collections through the IIS web site. This inaccessibility is because IIS won't respond to requests for host names that differ from the host header binding. + You can use a wildcard host header binding in IIS, but you must ensure that all of the site collections within the web application conform to the wildcard host header pattern. > [!IMPORTANT]-> If an existing web application has a host header binding set, IIS won't return pages from the host-named site collection until you remove the binding from IIS. For more information, see [Update a web application URL and IIS bindings for SharePoint 2013](update-a-web-application-url-and-iis-bindings.md). +> If an existing web application has a host header binding set, IIS won't return pages from the host-named site collection until you remove the binding from IIS. For more information, see [Update a web application URL and IIS bindings for SharePoint Server](update-a-web-application-url-and-iis-bindings.md). ### Mix host-named site collections and path-based site collections in the same web application <a name="section1f"> </a> If you don't intend to configure two or more IIS websites that share the same po - The Administrators group on the server on which you're running the Microsoft PowerShell cmdlet. - An administrator can use the **Add-SPShellAdmin** cmdlet to grant permissions to use SharePoint Server cmdlets. + An administrator can use the **`Add-SPShellAdmin`** cmdlet to grant permissions to use SharePoint Server cmdlets. > [!NOTE] > If you don't have permissions, contact your Setup administrator or SQL Server administrator to request permissions. For more information about PowerShell permissions, see [Add-SPShellAdmin](/powershell/module/sharepoint-server/Add-SPShellAdmin?view=sharepoint-ps&preserve-view=true). 
If you don't intend to configure two or more IIS websites that share the same po ### Create a root site collection <a name="section2b"> </a> -A root site collection is a requirement for any Web application. It's also necessary for crawling content. This site collection must have the same URL as the Web application. Currently, SharePoint prevents the creation of a host-named site collection with the same URL as a Web application. Therefore, the root site collection is created as a path-based site collection. +A root site collection is a requirement for any web application. It's also necessary for crawling content. This site collection must have the same URL as the web application. Currently, SharePoint prevents the creation of a host-named site collection with the same URL as a web application. Therefore, the root site collection is created as a path-based site collection. ![A web application with a root site.](../media/HNSC_rootsite.jpg) Only the root site collection of the web application appears in the content sour ### Create host-named site collections <a name="section2c"> </a> -You must use Microsoft PowerShell to create a host-named site collection. You can't use the SharePoint ServerCentral Administration web application to create a host-named site collection, but you can use Central Administration to manage the site collection after you have created it. +You must use Microsoft PowerShell to create a host-named site collection. You can't use the SharePoint Server Central Administration web application to create a host-named site collection, but you can use Central Administration to manage the site collection after you have created it. 
-You can create a host-named site collection by using the Microsoft PowerShell New-SPSite cmdlet with the -HostHeaderWebApplication parameter, as shown in the following example: +You can create a host-named site collection by using the Microsoft PowerShell `New-SPSite` cmdlet with the -`HostHeaderWebApplication` parameter, as shown in the following example: **To create host-named site collections**: You can create a host-named site collection by using the Microsoft PowerShell Ne - The Administrators group on the server on which you're running the Microsoft PowerShell cmdlet. - An administrator can use the **Add-SPShellAdmin** cmdlet to grant permissions to use SharePoint Server cmdlets. + An administrator can use the **`Add-SPShellAdmin`** cmdlet to grant permissions to use SharePoint Server cmdlets. > [!NOTE] > If you don't have permissions, contact your Setup administrator or SQL Server administrator to request permissions. For more information about PowerShell permissions, see [Add-SPShellAdmin](/powershell/module/sharepoint-server/Add-SPShellAdmin?view=sharepoint-ps&preserve-view=true). You can create a host-named site collection by using the Microsoft PowerShell Ne ```PowerShell New-SPSite 'http://portal.contoso.com' -HostHeaderWebApplication (Get-SPWebApplication 'Contoso Sites') -Name 'Portal' -Description 'Customer root' -OwnerAlias 'contoso\administrator' -language 1033 -Template 'STS#0' ```--This syntax creates a host-named site collection that has the URL, https://portal.contoso.com, in the SharePoint Server web application that has the URL, https://portal.contoso.com. + This syntax creates a host-named site collection that has the URL, https://portal.contoso.com in the SharePoint Server web application named "Contoso Sites". ### Use managed paths with host-named site collections <a name="section2d"> </a> -You can implement managed paths with host-named site collections. 
Hosters can provide multiple site collections to the same customer with each site collection sharing the customer's unique host name but differentiated by the URL path after the host name. Managed paths for host-named site collections are limited to 20 per farm. For more information, see [Software boundaries and limits for SharePoint Server 2016](../install/software-boundaries-and-limits.md#WebApplication). +You can implement managed paths with host-named site collections. Hosters can provide multiple site collections to the same customer with each site collection sharing the customer's unique host name but differentiated by the URL path after the host name. Managed paths for host-named site collections are limited to 20 per farm. For more information, see [Software boundaries and limits for SharePoint Server.](../install/software-boundaries-limits-2019.md) Managed paths for host-named site collections behave differently from managed paths for path-based site collections. Managed paths for host-named site collections are available to all host-named site collections within the farm regardless of the web application that the host-named site collection is in. In contrast, managed paths for path-based site collections only apply to sites within the same web application. Managed paths for path-based site collections don't apply to path-based site collections in other web applications. Managed paths for one type of site collection don't apply to the other type of site collection. Get-SPSiteUrl -Identity (Get-SPSite 'http://teams.contoso.com') ### Configure SSL certificates for host-named site collections <a name="section2f"> </a> +> [!IMPORTANT] +> If you are using SharePoint Server Subscription Edition, use the new [certificate management](../what-s-new/new-and-improved-features-in-sharepoint-server-subscription-edition.md) feature to install and assign SSL certificates to your web applications. 
This feature allows you to install and manage your SSL certificates directly in SharePoint instead of manually configuring SSL certificates in IIS. + You can configure a single web application that uses SSL and then create multiple host-named site collections within that web application. To browse to a site over SSL, you have to install and assign a server certificate to the IIS website. Each host-named site collection in a web application will share the single server certificate that you assigned to the IIS website. You need to acquire a wildcard certificate or subject alternate name (SAN) certificate and then use a host-named site collection URL format that matches that certificate. For example, if you acquire a \*.contoso.com wildcard certificate, you must generate host-named site collection URLs such as `https://site1.contoso.com`, `https://site2.contoso.com`, and so on, to enable these sites to pass browser SSL validation. However, if you require unique second-level domain names for sites, you must create multiple web applications rather than multiple host-named site collections. If you're implementing multiple zones with host-named site collections, ensure t You can use host-named site collections with off-box SSL termination. There are several requirements to use SSL termination with host-named site collections: +> [!NOTE] +> Off-box termination of SSL is supported but not recommended because it results in unencrypted traffic being sent from the proxy server to the web server. + - At least one IIS site should have a binding on port 80 (or whatever port the terminator forwards the request to). Microsoft recommends that you use the IIS site of a web application (or the IIS site of a zone for a web application) with HTTP/80. - The SSL terminator or reverse proxy must preserve the original HTTP host header from the client. 
To resolve this issue, apply the SharePoint Server Cumulative Update Server Hotf ### Determine host-named site collections in existing web applications <a name="section3a"> </a> -When you migrate from SharePoint Server 2010 to SharePoint Server, we recommend that you determine how SharePoint Server 2010 sites were created. If sites were created as path-based sites, consider migrating these sites to host-named site collections. If host-named and path-based sites were implemented together, identify the sites that were created as path-based sites and consider migrating these sites to host-named site collections. To accomplish this migration, look for the 'HostHeaderIsSiteName' flag. --The following example determines if a site within a given web application is created as host-named or path based: +You can use the following script to identify which existing site collections are path-based and which are host-named, so you can later decide if you want to convert any of them from one type to another. ```PowerShell $webApp = Get-SPWebapplication 'http://webapp.contoso.com' If you use more than one web application, you add more operational overhead and It's more complex to implement host-named site collections with multiple web applications in a farm because you must complete more configuration steps. For example, URLs with host-named sites might be spread across multiple web applications that share the same port in a single farm. This scenario requires more configuration steps to ensure that requests are mapped to the correct web applications. You have to manually configure the mappings on each web server in the farm by configuring a separate IP address to represent each web application. You also have to create and manage host-header bindings to assign unique IP addresses for each site. Scripts can manage and replicate this configuration across servers; however, this replication of configuration adds complexity to the solution. 
Each unique URL also requires a mapping in DNS. Generally speaking, if multiple web applications are a requirement, we recommend path-based site collections with alternate access mapping. +> [!IMPORTANT] +> SharePoint Server Subscription Edition Version 23H1 allows users to [assign wildcard host header bindings to their web applications](../what-s-new/new-and-improved-features-in-sharepoint-server-subscription-edition-23h1-release.md). This new feature can help you use multiple web applications with host-named site collections in the following ways: +> +> 1. Users no longer need to manually assign unique IP address bindings to their web applications on each of their SharePoint servers. Users running SPSE Version 23H1 can instead assign wildcard host headers to each of their web applications, which is simpler to manage. +> +> 2. The wildcard host headers assigned to each web application must be unique. For example, web application 1 could be `*.internal.example.com`, web application 2 could be `*.external.example.com`, etc. +> +> 3. The host-named site collections in these web applications will have to conform to its web application's wildcard host header pattern. For example, if a web application has a wildcard host header of `*.external.example.com`, then it can host host-named site collections with DNS names like `site1.external.example.com`, `site2.external.example.com`, etc. +> +> 4. Wildcard host header bindings can only have a single wildcard character as the left-most label in the DNS name. For example, a valid wildcard host header can be `*.external.example.com`, but it can't be `external.*.example.com`, `*.*.example.com`, `external*.example.com`, `*external.example.com`, etc. ++ The following two tables contrast three different design choices to implement site collections. These tables are intended to help you understand the consequences of each approach and how configuration varies depending on the architecture. 
**Table: Results of different design choices to provision site collections** The following table summarizes the configuration that is necessary to manage URL | |Host-named site collections with all sites in a farm consolidated into one web application|Path-based site collections with alternate access mapping and multiple web applications|Host-named site collections with multiple web applications in a farm| |:--|:--|:--|:--| |Within SharePoint Server|Create the web application. <br/> Create a root-site collection that isn't accessible to users (for example, `https://HNSC01.fabrikam.com`). <br/> Create the host-named site collections with the host header (for example, `https://intranet.fabrikam.com`). <br/> Optionally add more URLs for each site collection and configure zones by using **Set-SPSiteUrl**. (In corporate portal design samples there's no need because there's only one zone.)|Create the web application with the host header (for example, `https://intranet.fabrikam.com`). <br/> Optionally configure alternate access mapping. In the design sample, there's no need because there's only one zone). <br/> Create the root path-based site collection.|Create the web application. <br/> Create a root-site collection that isn't accessible to users (for example, `https://HNSC01.fabrikam.com`). <br/> Create the host-named site collections with the host header (for example, `https://intranet.fabrikam.com`). <br/> Optionally add more URLs for each site collection and configure zones by using **Set-SPSiteUrl**. (In corporate portal design samples there's no need because there's only one zone.)|-|Within IIS|Associate an SSL certificate (wildcard certificate or SAN certificate) for all host-named site (domain) in the web application.|Associate an SSL certificate in IIS for each zone (each zone is a separate web application in IIS).|Associate an SSL certificate (wildcard certificate or SAN certificate) for a host-named site (domain) in the web applications. 
<br/> On each web server in the farm and for each web application that shares a port: <br/> Configure a separate IP address to represent each web application. <br/> Edit the IIS web site binding manually to remove the host header binding that was created when the web application was created and replace this binding with an IP address binding.| +|Within IIS|Associate an SSL certificate (wildcard certificate or SAN certificate) for all host-named site (domain) in the web application.|Associate an SSL certificate in IIS for each zone (each zone is a separate web application in IIS).|Associate an SSL certificate (wildcard certificate or SAN certificate) for a host-named site (domain) in the web applications. <br/> On each web server in the farm and for each web application that shares a port: <br/> Configure a separate IP address to represent each web application. <br/> Edit the IIS website binding manually to remove the host header binding that was created when the web application was created and replace this binding with an IP address binding.| If you use multiple web applications on different IP addresses, you might need to complete extra configuration for the NIC, DNS, and the load balancer for each server. |
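Review bot: In the "Create host-named site collections" region, the added description says the example creates a site with the URL `https://portal.contoso.com`, but the `New-SPSite` command it describes still passes `'http://portal.contoso.com'`; the page itself states that the protocol of a host-named site collection is taken from the URL given to the cmdlet, so the command and the sentence should agree (either pass the https URL in the command or describe the result as http). In the same region, the parameter is rendered as -`HostHeaderWebApplication` with the hyphen outside the code span; write it as `-HostHeaderWebApplication`.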
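Review bot: The sentence "Off-box termination of SSL is supported but not recommended because it results in unencrypted traffic being sent from the proxy server to the web server." is added twice, once as a plain paragraph after the off-box termination definition and again as a `[!NOTE]` above the SSL termination requirements list; keep one copy (the `[!NOTE]` next to the requirements is the more useful placement) and drop the other.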
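Review bot: The new sentence "You can use a wildcard host header binding in IIS, but you must ensure that all of the site collections within the web application conform to the wildcard host header pattern." is unqualified, while the later `[!IMPORTANT]` block ties wildcard host header bindings to SharePoint Server Subscription Edition Version 23H1. As placed, it sits directly above the warning that a host header binding stops IIS from returning pages for host-named site collections, so scope the sentence to SPSE 23H1 (or link to the 23H1 feature note) so that readers on earlier versions don't apply a binding that breaks access.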
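Review bot: In the cmdlet list at the top of the section, the `Get-SPSiteUrl` item lost the space between the closing backtick and the dash, while the `Set-SPSiteUrl` and `Remove-SPSiteUrl` items above it keep the space; add it back so the three items render consistently.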
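Review bot: The rewritten lead-in for the "Determine host-named site collections in existing web applications" script drops the removed text's mention of the 'HostHeaderIsSiteName' flag, which is the property that distinguishes a host-named site collection from a path-based one; keep one sentence saying the script reports that flag so readers know what the output is based on.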