Thursday, 12 July 2018

Extract site classification report of Modern SharePoint sites using PnP-PowerShell

The Classification value of a SharePoint modern Team Site is not exposed through CSOM (at the time of writing this) unlike for the Communication Sites. This property for Team Sites exists on the Office 365 Group object (modern team site has a Office 365 Group connected to it) and can be extracted through a Graph API call.

The latest PnP-PowerShell release supports extracting classification value of a Team Site (Office 365 Group) using the Get-PnPUnifiedGroup command. This makes it very easy to extract a report of classification values of all the Team Sites in a tenant.

Below are a couple of scripts to export classification reports of all the modern sites - both Team and Communication sites in a tenant using PnP-PowerShell in just a couple of lines of code.

Make sure you have  2.28.1807.0 release installed before running the scripts.

Extract report for Team Sites :

To extract the classification report for Team Sites, we first need to connect to Microsoft Graph. Register an APP in and provide it appropriate permissions to be able to read Office 365 Group information. Also make sure you consent the app. Here is some documentation on how to do this

The report extraction might take some time as for each Office 365 Group, a separate call has to be made to the Graph API to fetch its classification value. This will change soon as PnP Core has been updated to the Latest Graph Version which supports extracting the classification value without a separate Graph call. Till this change is available, the report extraction process will be relatively slow :)

Extract report for Communication sites :

For communication sites, we first fetch all the Communication sites using the Get-PnPTenantSite command and filtering on the Template property. Then we get the Site object of each Communication Site and include the CLASSIFICATION property.

Execute the below command with the tenant admin account by replace the placeholders with relevant values in the below script

Wednesday, 28 March 2018

Microsoft Flow : Custom response summary with user comments in Approval action

Flow approvals are really great to implement simple business processes. With the "Start an approval" action, we can carry out two kinds of approvals

1) Anyone from the assigned list
2) Everyone from the assigned list.

With the "Everyone from the assigned list", each of the assigned user is sent a request to approve or reject. Consider a scenario where you send a request to 2 users for approval. The first user approves however, the second user rejects the request. In this case, the final response of the approval step is "Rejected".

You might want to know which user approved and which rejected the request along with their feedback. There is a way to do that in Flow, by using the "Response Summary" value that comes with the output of the approval step.

Drawback :

With this value, comments of each user are not captured in the response summary.

Here, we can create our custom response which also includes the comments sent by the individual
user while approving or rejecting the request

If the response is rejected (or approved) based on where you want to configure the response summary

- We loop the "Responses" value and for each response, we form a summary of the individual response using "IndividualApprovalData" compose action.

- Notice that the individual "Comments" are available now

- Response : We have used the "Approver response" value and not the "Response" value. Response value gives the overall response of the action.

- We have used a custom expression to format the date

             formatDateTime(items('Apply_to_each')?['requestDate'],'MM/dd/yyyy hh:mm:ss')
            formatDateTime(items('Apply_to_each')?['responseDate'],'MM/dd/yyyy hh:mm:ss')

- Leave some space at the bottom of each response in the compose action

- The "ResponseSummary" compose action joins all the individual responses using the below expression

Join(outputs('IndividualApprovalData'), '')

The custom summary looks as below

Wednesday, 21 February 2018

Azure AD B2B self-service registration - Register and Update a guest user using Graph API

Azure B2B capabilities give organizations the ability to provide external users (from partner organizations/ contractors etc) access to their data safely. This means that an External user can be added as a "Guest User" in an organization's Azure AD and this identity can be used to provide access to SharePoint online, Office 365 Groups etc.

An external user can be added to an Azure AD as a guest user using an E-mail address. An invitation email is sent out to the user to join the inviting tenant. This email ID can be of a user from another Azure AD, or a Microsoft Account or a personal/work ID which is not in an Azure AD.

In case the user is in another Azure AD, a password reset is not required for the user on accepting the invitation. User's main identity remains in the origin tenant and the user can continue to use the same set of credentials while accessing the inviting tenant. When the external user leaves their own organization and their account gets disabled, the access to inviting tenant also gets disabled automatically.

If the E-mail is a personal one, a new identity is created in the inviting tenant when the user accepts the invitation and creates a password. Here is some useful documentation to read through

Guest users can be registered through the Azure Portal or using the Graph API. Being able to send guest user invitations through the Graph API opens the possibility of creating self-service registration portals for guest users.

In this post we are going to walk through the process of

1) Sending guest user invite through Graph API

2) Updating the guest user's profile as soon as the the invitation email is sent - This makes sure that the basic user information is available in the inviting tenant. This helps in keeping data available for building People directory etc.

Self service registration can be implemented as a simple MVC web page where user provides the basic information such as

- First Name
- Last Name
- Email address
- Company
- Contact number etc

Rules/validations can be applied on the registration form as desired to make sure that only users from intended email domains are allowed to register as guest users.

In this post, we use App credentials and Graph API (GraphServiceClient) to send email invites to the guest users. Head over to to register an app that can call Graph API.

Permissions required for this app to send email invites are : User.Invite.All, User.ReadWrite.All, Directory.ReadWrite.All

First we authenticate and get the GraphServiceClient instance to work with Microsoft Graph using app credentials

Once we have the GraphServiceClient, create an "Invitation" objects and send the invite

The invitation object accepts

Email address of the Guest user
Display name with which the guest user will be registered in the Azure AD
- Redirect UI - this is the URL where the user will be redirected when the invitation is accepted - InvitedUserMessageInfo object where we can set a customized message to be send in the email

The call to send user invitation returns an Invitation object in response.

Once the invite is sent, the user gets registered in the Azure AD. We can update the user properties in Azure AD to make sure that when the user accepts the invitation, the basic information is available in the Azure AD.

The invitation object returned as a response of sending an invite also returns a Azure AD USER object. This object can be used to set the user profile properties and update it back in Azure AD.

Friday, 5 January 2018

Use Azure Functions as remote event receiver in SharePoint

SharePoint webhooks are a new way of building event receivers for SharePoint. However, webhooks are only enabled for SharePoint list items at the time of writing this.

Recently I was required to write a event receiver for ListAdded event in a web. I decided to try and use Azure functions to achieve this instead of writing the traditional provider hosted app remote event receiver. Came across this great post  from Sergei Sergeev for reference.

Lets create a ListAdded event receiver using Azure Functions.

To Begin with, create a Azure Function project in Visual Studio and created a Function App in Azure through the Azure Portal. Add a function to the function app and select the HTTP trigger type of function since the event receiver needs to send the event payload to a HTTP endpoint. Publish your Azure function to the function app created through Azure Portal. The Azure function is now ready to receive events from SharePoint.

The Azure Function will have an endpoint. This can be fetched by clicking on the function in the Azure portal and clicking on the Get function URL link

The URL will look something like this :


The domain may be different based on your tenant configurations. We need the domain part of this URL in the next steps.

Now we need to register a event receiver on a WEB in SharePoint. We will use a simple console app for this. The console app will use SharePoint App credentials. So, head over to the "/_layouts/AppRegNew.aspx" page in your site and register a new app. Remember to provide the domain of this app as the domain of your event receiver Azure function noted above. We will need this in the future. Provide full control permissions to this APP on the site collection.

Here is the code for installing an event receiver on the web. Replace receiverAzureFuncUrl, webUrl, ClientID and ClientSecret and run the console app. The console app users PnP Sites Core to get app-only client context.

Now the Azure function is ready to receive event of a list being added to the WEB. We need one more thing in our code and that is "TokenHelper". This is used to validate the context token received in the event payload and communicate with SharePoint through from within Azure function (which is our event receiver). I created a class library project in my Azure Function solution in Visual Studio and installed the "AppForSharePointOnlineWebToolKit" nuget package. Add a reference of this class library in your Azure Function APP project

NOTE : I had to add the reference of the DLL of this class library. Adding the project reference made the publish operation to fail.

Since the token helper fetches the ClientID and ClientSecret from webconfig, modify the code to fetch these values from the Azure Function APP settings.

Change the code of your Azure function to handle the incoming request from List Added event. This code reads the event payload and parses the XML to fetch the values that are of our interest. You can log the entire XML and see what are the values received through the Event payload. Once we have the "ContextToken" string, we can Validate the token and also get the client context of the site using "TokenHelper".  The "GetClientContextWithContextToken" method internally validates the token as well.

Hope this helps !

Friday, 24 November 2017

Graph API : Get all the Office 365 Groups Owned by a user

There is a Graph API endpoint to get all the Office 365 Groups a user is Member of. The filter is used to get only the Office 365 Groups.

I wanted to retrieve all the Groups that a user owns, however there is no "ownerOf" endpoint. The endpoint ownedObjects can be used to retrieve this data. 

For the current user :

For a specific user : 

However this endpoint returns all the directory objects the user is owner of.  When I tried to $filter on this endpoint, it did not work ! Through the Graph explorer it appears that at the time of writing this, $filter to this endpoint is not currently supported.  So you may just have to retrieve all the data that is returned and then filter on the "groupTypes" property of the group object in your application code.