Save Your SharePoint Online Tenant: The SharePoint Sandboxed Solutions Inspector

If you’ve been following the “code-based sandbox solutions on Office 365” saga, you know that there is little time left to fix your existing sandbox solutions in Office 365. See: Microsoft Is Removing Code-Based Sandbox Solutions in SharePoint Online – Be Prepared!

Last week, Vesa Juvonen (@vesajuvonen) released a script (New Script Available from Microsoft PnP: Generate list of sandbox solutions from SharePoint Online tenant) that can help you find your sandbox solutions. Surprisingly, what was missing from Vesa’s script was identification of the solutions that contain code. You’d get a list of all your sandbox solutions, but not specifically the ones that were going to cause you problems.

The Rencore Team

Some of the great looking folks at Rencore. Where’s Waldek?

My awesome friends at Rencore – the SPCAF folks – were kind enough to make a free tool available this week to help even more with your diagnosis and even some of the cures. In Erwin van Hunen’s (@erwinvanhunen) post Introducing the Rencore SharePoint Sandboxed Solutions Inspector, you can learn more about the free tool and how it can help.

On August 31st, 2016 Microsoft is going to shut down support for Sandboxed Solutions with code.

Sandboxed Solutions containing code will be deactivated and this might impact your Office 365 tenant big time!

If you know you need it, just head right on over to the download page.

The SharePoint Sandboxed Solutions Inspector

They have already released several updates to the tool, and are keeping it current based on feedback from the folks using it. Now that’s service – and for a free tool!

But I think the best thing is that the Rencore tool can fix some of the most common issues – most notably the “empty DLL” issue that makes Office 365 think you have code in your sandbox solution when you don’t.

We heard “30 days” when all this started, and now people seem to be taking that as August 31. Don’t leave your users in the lurch – get going on handling this situation.

Oh, and if you’re a vendor or consultant who has written a sandbox solution with code over the last few years: reach out to your client and own it. Get them back on the right road and you’ll be the better for it.

Clean report!

New Script Available from Microsoft PnP: Generate list of sandbox solutions from SharePoint Online tenant

As I wrote on Monday, the decision to begin removing already deprecated code-based sandbox solutions on SharePoint Online took many people by surprise. Even though the news about the deprecation has been out there since 2014, the abrupt move – especially during a time when many people are on summer vacation – caused consternation for some. Others welcomed the move, in essence saying “good riddance” to a model that never really reached maturity.

But what if you manage a tenant on Office 365 that might have code-based sandbox solutions? Maybe you’ve used outside vendors to build solutions for you and you’re not sure what techniques they have used. Or maybe your own team built some things a few years back, you’ve had some turnover, and your source control isn’t so great. (Not so unusual, frankly.) How do you know what you have and what to do about it? You certainly don’t want functionality your users actually need to stop working unexpectedly. Some of these solutions could be InfoPath forms with code-behind, for example.

Office 365 Dev Patterns & Practices (PnP) Vesa Juvonen (@vesajuvonen) – one of my true Microsoft heroes for what he has done with the PnP set of tools – has come to the rescue, apparently with some help from Karine Bosch (@kboske). They have released a PowerShell script today that promises to “Generate [sic] list of sandbox solutions from SharePoint Online tenant”. (Far be it from me to correct Vesa’s Finglish!)

Generate list of sandbox solutions from SharePoint Online tenant

This script can be used to generate list of sandbox solutions in SharePoint Online tenant. You will need to use tenant administrator account to connect to SharePoint Online and script will generate a list of sandbox solutions to separate txt file, which can be imported to Excel for further analyses.

Note: This script is relatively simple and does not use multi-threading, so execution in larger tenants might take a while. We are looking for further enhancing the script with multi-threading support, if there’s demand for this. Also community contributions on this side are more than welcome.

Output file has following columns

  • URL of the site collection
  • Name of the sandbox solution
  • Author field from the sandbox solution – who uploaded the file
  • Created field from the sandbox solution – when solution was uploaded
  • Status field – 1=Activated, 0=Not activated

What seems to be missing here – at least to me – is the “and this one contains ‘code'” indication, but it’s still going to be very useful. Maybe it’s not simple to tell which solutions contain code? If you have ideas about this, it’s an open source project, so head over there and enhance it!

IMPORTANT: Please note that this script lists ALL sandbox solutions. But only code-based sandbox solutions have been deprecated and are being removed from Office 365. So don’t panic when you see all of your no-code solutions and site templates listed. This is a first step in inventorying your solutions.
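
One way to add the missing “contains code” column for a .wsp you have downloaded from a Solution Gallery, as an added example that is not part of the PnP script or the Rencore tool. It assumes a package is treated as code-based when its manifest.xml lists an assembly, which is what the “empty DLL” issue mentioned on this page implies; the function names and sample manifests are constructed for illustration.

```powershell
# Added example. Get-WspAssembly and Test-WspHasAssembly are hypothetical names.

# Return the assemblies a solution manifest declares (nothing if it is declarative).
function Get-WspAssembly {
    param([Parameter(Mandatory)][xml]$Manifest)
    $ns = New-Object System.Xml.XmlNamespaceManager($Manifest.NameTable)
    $ns.AddNamespace('sp', 'http://schemas.microsoft.com/sharepoint/')
    foreach ($node in $Manifest.SelectNodes('/sp:Solution/sp:Assemblies/sp:Assembly', $ns)) {
        [pscustomobject]@{
            Location         = $node.GetAttribute('Location')
            DeploymentTarget = $node.GetAttribute('DeploymentTarget')
        }
    }
}

# A .wsp is a cabinet archive: pull out manifest.xml with expand.exe and inspect it.
function Test-WspHasAssembly {
    param([Parameter(Mandatory)][string]$WspPath)
    $work = Join-Path ([IO.Path]::GetTempPath()) ([guid]::NewGuid().ToString())
    New-Item -ItemType Directory -Path $work | Out-Null
    try {
        & expand.exe $WspPath '-F:manifest.xml' $work | Out-Null
        $manifestPath = Join-Path $work 'manifest.xml'
        if (-not (Test-Path $manifestPath)) { throw "No manifest.xml found in $WspPath" }
        $assemblies = @(Get-WspAssembly -Manifest (Get-Content -Raw $manifestPath))
        [pscustomobject]@{
            Solution    = Split-Path $WspPath -Leaf
            HasAssembly = $assemblies.Count -gt 0
            Assemblies  = $assemblies.Location -join ', '
        }
    }
    finally {
        Remove-Item -Recurse -Force $work
    }
}

# Constructed sample manifests (not taken from any real solution).
$declarative = @'
<Solution xmlns="http://schemas.microsoft.com/sharepoint/" SolutionId="00000000-0000-0000-0000-000000000001">
  <FeatureManifests>
    <FeatureManifest Location="Branding_Feature1\Feature.xml" />
  </FeatureManifests>
</Solution>
'@

$withAssembly = @'
<Solution xmlns="http://schemas.microsoft.com/sharepoint/" SolutionId="00000000-0000-0000-0000-000000000002">
  <Assemblies>
    <Assembly Location="Branding.dll" DeploymentTarget="GlobalAssemblyCache" />
  </Assemblies>
  <FeatureManifests>
    <FeatureManifest Location="Branding_Feature1\Feature.xml" />
  </FeatureManifests>
</Solution>
'@

# Report which sample would need attention before the cutoff.
foreach ($sample in @{ 'declarative' = $declarative; 'withAssembly' = $withAssembly }.GetEnumerator()) {
    $found = @(Get-WspAssembly -Manifest $sample.Value)
    '{0}: {1} assembly reference(s) {2}' -f $sample.Key, $found.Count, ($found.Location -join ', ')
}
```

Run `Test-WspHasAssembly -WspPath <file>.wsp` against each package named in the inventory; a hit means only that a DLL is packaged, so an empty Visual Studio assembly is flagged the same way as real code.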

The script requires – not surprisingly – that you have the SharePoint Online cmdlets installed. My bet is that there are plenty of Office 365 customers that have never really figured out how to download, install, and use PowerShell against Office 365. Many tenants are run by business users rather than technical types, as befits a powerful SaaS offering. In fact, in many cases, IT doesn’t need to be involved at all. That said, one would hope that those tenant administrators would know whether they have sandbox solutions installed. However, see my mention of possible situations above, even if IT was in charge.

Here’s a quick tutorial on how to install those cmdlets in case you need it. In writing this section, I’m stealing the TechNet article Connect to Office 365 PowerShell. (I fear this article may not be available to everyone, as TechNet is part of subscriptions? I’m not really sure.) To do this, you have to be a tenant administrator. If you are, you’re probably the one wondering what you have in any case. It’s a pretty painless process, but if you haven’t used PowerShell – think batch files for servers – then it might be intimidating. I’m just copying the instructions from TechNet here, but I’ll add in some graphics and additional comments over the course of the day, so come back if you have questions. If you want to add any tips, please do so in the comments.

As Vesa always says: Sharing is Caring!

Step 1: Install required software

These steps are required once on your computer, not every time you connect. However, you’ll likely need to install newer versions of the software periodically.

  1. Install the 64-bit version of the Microsoft Online Services Sign-in Assistant: Microsoft Online Services Sign-in Assistant for IT Professionals RTW.
  2. Install the 64-bit version of the Windows Azure Active Directory Module for Windows PowerShell: Windows Azure Active Directory Module for Windows PowerShell (64-bit version).

Step 2: Open the Windows Azure Active Directory Module

  1. Find and open the Windows Azure Active Directory Module for Windows PowerShell by using one of the following methods based on your version of Windows:
    • Start menu: On the Start menu, enter Azure in the Search programs and files box.
    • No Start menu: Search for Azure using any of these methods:
      • On the Start screen, click an empty area, and type Azure.
      • On the desktop or the Start screen, press the Windows key+Q. In the Search charm, type Azure.
      • On the desktop or the Start screen, move your cursor to the upper-right corner, or swipe left from the right edge of the screen to show the charms. Select the Search charm, and enter Azure.
  2. In the results, select Windows Azure Active Directory Module for Windows PowerShell.

Here’s what it looks like on my laptop running Windows 10

Step 3: Connect to your Office 365 subscription

  1. In the Windows Azure Active Directory Module for Windows PowerShell, run the following command.

    In the Windows PowerShell Credential Request dialog box, type your Office 365 work or school account user name and password, and then click OK.

  2. Run the following command.

    Connect-MsolService -Credential $UserCredential – Success!

How do you know this worked?

After Step 3, if you don’t receive any errors, you connected successfully. A quick test is to run an Office 365 cmdlet—for example, Get-MsolUser—and see the results.

If the Get-MsolUser cmdlet runs successfully, you’ll see a list of your users

If you receive errors, check the following requirements:

  • A common problem is an incorrect password. Run Step 3 again, and pay close attention to the user name and password you enter.
  • The Windows Azure Active Directory Module for Windows PowerShell requires that the Microsoft .NET Framework 3.5.x feature is enabled on your computer. It’s likely that your computer has a newer version installed (for example, 4 or 4.5.x), but backwards compatibility with older versions of the .NET Framework can be enabled or disabled. For more information, see the following topics:
  • Your version of the Windows Azure Active Directory Module for Windows PowerShell might be out of date. To check, run the following command in Office 365 PowerShell or the Windows Azure Active Directory Module for Windows PowerShell:

    If the version number returned is lower than the value 1.0.8070.2, uninstall the Windows Azure Active Directory Module for Windows PowerShell, and install the latest version from the link in Step 1.

  • If you receive a connection error, see this topic: “Connect-MsolService: Exception of type was thrown” error.
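
Steps 2 and 3 and the checks above, gathered into one function as an added example (not the TechNet article's own code). `Connect-TenantChecked` is a hypothetical name, and the DLL file name used for the version check is an assumption about how the MSOnline module is laid out on disk.

```powershell
# Added example, to be run in the Windows Azure Active Directory Module for Windows PowerShell.
function Connect-TenantChecked {
    [CmdletBinding()]
    param(
        # Minimum module version quoted in the troubleshooting list above.
        [version]$MinimumVersion = '1.0.8070.2'
    )

    # Troubleshooting check first: is the MSOnline module installed at all?
    $module = Get-Module -ListAvailable -Name MSOnline |
        Sort-Object Version -Descending |
        Select-Object -First 1
    if (-not $module) {
        throw 'MSOnline module not found; install the software from Step 1.'
    }

    # Read the version from the module binary. The file name is an assumption;
    # the version check is skipped if the file is not where we expect it.
    $dll = Join-Path $module.ModuleBase 'Microsoft.Online.Administration.Automation.PSModule.dll'
    if (Test-Path $dll) {
        $info = (Get-Item $dll).VersionInfo
        $installed = [version]('{0}.{1}.{2}.{3}' -f $info.FileMajorPart,
            $info.FileMinorPart, $info.FileBuildPart, $info.FilePrivatePart)
        if ($installed -lt $MinimumVersion) {
            throw "MSOnline $installed is older than $MinimumVersion; reinstall from Step 1."
        }
    }

    Import-Module MSOnline -ErrorAction Stop

    # Step 3.1: opens the Windows PowerShell Credential Request dialog, so the
    # password is typed into the prompt and never appears on the command line.
    $UserCredential = Get-Credential
    if (-not $UserCredential) { throw 'No credential entered.' }

    # Step 3.2: -ErrorAction Stop turns a failed sign-in into a terminating
    # error instead of letting the script carry on unauthenticated.
    Connect-MsolService -Credential $UserCredential -ErrorAction Stop

    # "How do you know this worked?": a small read-only query.
    $sample = @(Get-MsolUser -MaxResults 5 -ErrorAction Stop)
    Write-Host "Connected; read $($sample.Count) user(s)."
}

Connect-TenantChecked
```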

Microsoft Is Removing Code-Based Sandbox Solutions in SharePoint Online – Be Prepared!

Though Microsoft announced that sandbox solutions with “code” (this is becoming a more confusing distinction than ever with JavaScript becoming a first class coding citizen!) were deprecated back in 2014, last week’s announcement that sandbox code was being shut off caught many people by surprise.

There was a post that went up last Friday, July 29th, 2016, on the Office Dev Center blog that let us know that they were Removing Code-Based Sandbox Solutions in SharePoint Online. Unfortunately, there’s no date on the post, so quite a few people I shared it with doubted its relevance. But if you go up a level, you can see it was posted on the 29th.

Removing Code-Based Sandbox Solutions in SharePoint Online
SharePoint team – Published 07/29/2016

Here at Sympraxis, we’ve never used Sandbox solutions (client side rulez!), but this quick shutdown seems to be hitting many people hard. I would have thought there would have been a series of reminders, maybe a countdown clock, and some targeted emails to people who are still running this type of solution to help them prepare for the eventuality.

There’s been an active discussion on reddit, confusion in the SharePoint group on Facebook, complaints in the SPYam Yammer network, etc. In other words, the communication either didn’t hit or it hit too late.

Even worse, it seems as though the support people had no idea this was going to happen. As late as last Friday afternoon, this was considered a service issue, with updates coming into the Office 365 Admin Center to explain why it was happening.

Custom Solutions and Workflows – Service degradation

I really try not to be publicly critical of my friends at Microsoft (I know some of you may find that hard to believe!), but this one could have been handled far better. Microsoft is learning how to be more open, and this is one place where I think they are going to learn some things. There may be good reasons why this shutdown is happening ex post haste, and letting us know what those reasons are would be helpful. With SaaS, whether we like it or not, we’re all riding in the same ship. When it springs a leak, not just the women and children need to know it’s time to head to the lifeboats. And it’s August, when not that many people are running at full steam.

There are clear ways to solve this for your own organization, and good articles explaining how to go about it. But you don’t have a lot of time (we’re hearing as little as 30 days, at least in the rumor mill), so you’d better get cracking!


Update 2016-08-01: Check out this post from Dave Feldman (@bostonmusicdave) about getting some non-code solutions to activate: Sandbox Solutions removed from SharePoint Online–Here’s the fix for your Visual Studio developed WSPs to get them to activate. It seems as though the change to SharePoint Online may be blocking some solutions it shouldn’t.

Update 2016-08-02: Apparently, some people are seeing a message like this in the Admin Center. If you aren’t sure if you have sandbox solutions, be sure to check!

MC73347 in the admin center:

We’ve detected that you are using a code-based sandbox solution with your tenant account. Please be advised that we’ve moved forward on our plans to remove code-based sandbox solutions as previously announced in 2014.

As part of the removal process, activation of new code-based sandboxed solutions, as well as updates of existing solutions are no longer available. In approximately 30 days, currently running, code-based sandbox solutions in the SharePoint Online environment will be disabled.

Update 2016-08-03: Be sure to read my follow up post New Script Available from Microsoft PnP: Generate list of sandbox solutions from SharePoint Online tenant

Response to Edin Kapic’s “The dark, hidden side of our technical communities”

I was going to just leave this as a comment on Edin Kapic’s (@ekapic) recent post The dark, hidden side of our technical communities, but I decided I wanted to put it up here instead to make it more visible. (A post usually gets more attention than a comment.)

Every time I read something like Edin’s post, it makes me feel truly bad. I want to treat everyone equally, but that doesn’t really work, either.

One of the joys in life is our human diversity. It goes way beyond what are called “protected classes” here in the USA. People are all different and that’s what makes life interesting. I want to have conversations about those differences and try to understand the ones that can be understood. If we treat everyone the same, we lose out on that festival of variety.

At the same time, tech is absolutely, no questions asked, a man’s game.

I don’t really understand why that is, where it starts for each promising young female, etc. But I do know that I can do my own best effort to make the women around me feel empowered to do tech if that’s what they want to do. Since hiring Julie Turner (@jfj1997) (in truth we started out more equals than anything else), we’ve had lots of discussions about this sort of thing. I value the different viewpoints she brings to my thinking when we talk about things like speaking at conferences, or business travel, or how to talk in a crowd of techies.

Unfortunately, at the same time that it seems like humankind is becoming more tolerant (LGBT-focused legislation, discussions about women in tech, etc.), it’s also becoming less tolerant (political-driven bigotry and xenophobia, religious zealots, etc.)

I think the best motto for all this might be the old “think globally, act locally”. If we each do our part to make the tech world a better place, it will be. Unfortunately, many other members of the community will also be doing their darnedest to do the opposite. And so it goes…

Understanding SOME of the Pratfalls and Pitfalls of Sharing in a Collaborative World

Digital content sharing with SharePoint is both a tremendously useful set of features and also a set of capabilities fraught with peril – depending on the type of content and the knowledge level of the person doing the sharing.

As most SharePointillists know, SharePoint provides a hierarchical security model. It can get extremely complex either by design or through ongoing usage, but the general scheme goes as follows…

Web Application – This is also known as your Office 365 tenant. Think of this as your collection of offices: your entire company.

Office buildings

Site Collection – Think of this as a “walled security garden”. You might have an Intranet in one Site Collection and a Project site in a different Site Collection. Think of these as rooms in your offices that can lock securely.

Locked Office

Sites – Sometimes also referred to as Webs (mainly by developers), these include the root site of any Site Collection as well as any subsites. Think of these as standalone filing cabinets.

Filing Cabinets

Lists and Libraries – These are content “containers” inside each site. Think of these as the drawers in your filing cabinet.

Filing Cabinet Drawer

Folders in lists or libraries – While we sometimes discourage the use of folders because of the impact on useful metadata tagging, people will probably always continue to use them – and they aren’t always bad. Think of these as the green (or orange or red or whatever) hanging folders in your filing cabinet. You might use them and you might not.

Filing Cabinet Drawer Folder

Individual list items or library documents – Finally we get to the real content! These are the papers or stapled sheaves of papers in the manila folders in the hanging green folders in the drawers in your filing cabinet in the room where you keep your content in your office building in your office in your company.

Manila folder

By the way – metadata? That’s the stuff you write on the manila folder to summarize what’s in it. It’s data about the data in the folder. Very meta.

Manila folder with metadata

Permissions can be applied at any of those levels. Applying permissions at too high a level (say, just at the tenant level) means you don’t really have any security or governance at all. If you apply permissions at too low a level (say, on individual documents), then you have an administrative nightmare and rarely really know who has access to what content. (There are performance implications with item-level security too, but I find that the other pitfalls hit you long before the performance ones do.)

OneDrive for Business

Add to the mix that we each have our own OneDrive for Business (OD4B). (We’ll leave personal OneDrive [OneDrive for Pleasure?] out of this conversation, but they also add a wrinkle. At the very least, many of us have two OneDrives. See: OneDrive, TwoDrive, ThreeDrive by John White (@diverdown1964).) Your own OD4B is really meant for you to store your own documents. These documents may be personal, but generally will be work-related in some way. In other words, this is not the place to store your music library.

You may want to occasionally share a document in your OD4B with others, either inside or outside the company. You’ll usually do this from the synced folders on your PC or laptop, but you can also do it through the Web interface or using Office applications like Word, Excel, PowerPoint, etc. Think of this level of sharing as “I have a document and I’d like to show it to you.” You may also want the person you share the document with to make some edits, but it’s more of an ad hoc thing.

If you find yourself working with others regularly on a document or if it will be accessed regularly by a group of people, then it doesn’t really belong in your OD4B. In this case, it ought to live in a library in a SharePoint site. The permissions for that site or library should reflect the membership of the group of people who will play a role in the lifecycle of that document (and its companions in that location). These roles – in a simplistic way – tend to fall into three categories: owner, editor, or reader.

My recommendation is to always try to keep permissions set at the site level, where possible. If you don’t have a key for that specific filing cabinet, you simply can’t see anything in it. Setting permissions at a lower level – either at the list or library level or for individual documents – means you’d have access to the filing cabinet, but only some of the content within it. Knowing who has access to what is confusing, and each person’s view of the site will probably look different, adding to the support issues. Plus, when people don’t understand the permissions, they are likely to just grant highest permissions (everyone has Full Control!) to “clean up permissions”, which actually makes it even worse!

In today’s world, we also regularly want to share content with outside parties. This can be very temporary or quite permanent. We can email files, share individual files, share sites, etc., depending on the needs. “Collabotition” – especially the multidimensional types in some industries like pharma – means that you pretty much have to be good at this. In each case, the person doing the sharing needs to think about:

  • what the content is
  • why they are sharing it
  • who they are sharing it with
  • what the time span for the sharing should be
  • etc.

Few people consciously think through all of these aspects every time, and as humans we love to do things the same way over and over again. Thus we need to set things up in such a way that we can help or guide people to the right sharing mechanisms – ideally with as little training as possible, but there usually needs to be some.

Outlook adds ANOTHER wrinkle! Office 2016 is extremely “Office 365 aware”. When you attach a file to an email in Outlook from a shared location like your OneDrive for Business, it gives you the option of attaching the file the old way or by sending a link to the document instead. Taking the latter course effectively punches a hole through the firewall to make that document available to the person getting the link.

Other pieces of the governance puzzle that come in here are: retention policies, records management, templating, etc., but each of those is almost a conversation in itself.

All of this can become INCREDIBLY complex, but it only should become that complex when the business requirements dictate it. In many cases people want to over-engineer the technology to prevent people from doing dumb things, and that’s well-nigh impossible. If we lock things down too tightly, then people just start storing things in Dropbox or Google Docs instead, defeating the entire point! Be sure you’re setting things up to both provide a good user experience (UX) AND to protect your organization’s interests. Unfortunately, those two things can often be at odds.