Allowing custom script has its security implications. But what exactly does it mean? Is it dangerous? My colleauge Daniel and me have done a little experiment. There are two implications stated on MS Docs:
Scripts have access to everything the user has access to.
Scripts can access content across several Office 365 services and even beyond with Microsoft Graph integration.
To summarize, we can look at that picture:
So the risk that user 1 (the Blue User) intentionally or unintentionally places a script and lets user 2 (the Red User) run this script by linking to the page that has this script. The page must be in a “common” place.
Let’s try that. Let’s have a little hackathon.
Experiment A. Very Simple.
Scenario: the Red User (my colleague Daniel) has a site with with sensitive information (He has a list called Secrets). The Blue user (me) does not have access to that site. The Red User accidentially shares the link to the secret list. Now, to prove the security risks with the custom script, the Blue User has to get the secret information.
To make it more visual and fun, we have found a box where we have put candies and locked it with a combination lock. The code (the combination) is stored in the Secrets list.
The combination consists of three digits from 0 to 9. So there are 1000 possible combinations.
Since the Red User knows that he is going to be hacked, he acts as normal as possible, not especially suspicious. And since the experiment A is a simple one, we let the Red User to accidentially show the link to the Secrets list. That can be:
A screenshot that shows something else but contains the confidential site url
An email that is sent to a wrong recipient
A pasted link in a wrong Teams chat
So the Blue User finds out that there is a Secrets list that has the following address:
“Fortunately”, the Blue User has access to a classic site (where Custom Script is allowed). He shares that site with the Red User. Now both the Blue User and the Red User have it in common.
Then, a new Web Part Page is added with a tiny script.
That script makes a REST call to the Secrets list and uploads the result in Shared Documents. For the sake of simplicity, a built-in document library is used. An attacker would probably add a hidden list for that.
Now to get the Red User to that page, the Blue User adds some “important” information so that the Red User will not become suspiciuos.
Now it is just the matter of sending a link to the Red User. The Red User navigates to that page and the script is executed while he is reading the information on that page.
The Blue User gets the Secret that was generated by the Red User:
With that information the Blue User has hacked the combination lock and he can now open the red box with candies!
Experiment B. Harder
For now I think it is enough with the Experiment A, the Simple Experiment. We have proved, that, indeed, security is compromised with custom script allowed. A user can get confidential information from another user. Maybe some of you want to set up a more sophisticated experiment. Make sure the “hacked” person is warned and agrees to be part of an ethical hacking act. We maybe can try more to show the importance of keeping custom script disabled and not using classic sites that have it by default.
Custom Script (or DenyAddAnCustomizePages=false) is dangerous, it is of course not black and white. It provide the ability to have small appications directly on sites created by users. But as with all other aspects of IT, you should know what you are doing. Every site with custom script is a potential trojan horse. Minimizing the number of classic sites and sites with custom scripts lowers the risk. All the collaboration sites should be modern team sites without custom script.
An encoded value such as a blankspace (%20) is treated as one character, not three.
A unicode character, and an emoji is treated as one character. Good news for Non-English Names.
Url Parameters, like “?Web=1” are not calculated.
The site url and the document library url is taken into account
All slashes are included
A file extension is also included, and even the dot, e.g. “.docx”
Other related information
A site url and a group name can only be 64 characters max.
The path in the “Copy Link” is much shorter than the “real” path
There is no limit (as of time of writing – 2019-10-30) on the folder name length (other than the bigger limit of 400 characters), I had no issues to add a folder name with 312 characters.
A calculation example
Recommendations for Folder-heavy document management
I don’t want to discuss whether to folder not to folder. On that topic, my favorite is the slide deck with the same name by Bobby Chang: To Folder or Not To Folder. For those who need to use folders I would recommend:
Try to have a short site url/group name
Try to have a short document library url. Why not creating just “docs” instead of “Our very important documents”? Note, that I am talking about the url, not the display name. The trick is to call it “docs” (or some other short word) initially (which will turn to the url), and then you can name it to whatever you please.
Even if you use folders, try to flatten the structure.
I saw a demo of it on the European SharePoint Conference in Copenhagen in 2018. Sebastian Fouillade, who showed this, compared this big change with brain surgery. All the urls, all the connections. But now it is possible. Today I have seen it even in my standard release tenant.
It is really appreciated. Soon it will be possible to rename misspelled sites, like “devlepment” to “development” etc.
I also can image, it will be very handy to change the url of a SharePoint site that was automatically created for a Team (through the Office 365 Group). The team might have some longer name, but a simpler url is often appreciated.
I have tried and seen that also the automatic redirects from an old site url to a new site url works.
Caveats and Limitations
mailNickname ≠ site url
Now it is even more important to not to rely on the fact that mailNickname of an Office 365 Group and Site url are the same. As Elio Struyf describes, it is not a good idea to compose a URL from the group name. I have used in PoCs the site url to get the group id:
A non-admin user can create no more than 250 resources in Azure AD. That is one of the many Azure AD service limits and restrictions. A “resource” can be an app registration, an Office 365 Group etc. But I would like to discuss Groups more in detail.
Imagine the following scenario: Your organization has disabled Office 365 Group Creation. Only IT can create new groups. A service account has been set up for creation of team sites. The application permissions are “binary”, either everything or nothing: Group.ReadWrite.All. This service account will hit the limit very soon.
To prove that, I have created a small script that creates 251 groups.
# This script will try to create 251 groups
# The last one should fail
# 1. create an account email@example.com
By the way, just for clarification, when create a new group, that will also create a SharePoint site.
Please don’t try this with your real account in production. The 251st request will fail:
The directory object quota limit for the Principal has been exceeded. Please ask your ad ministrator to increase the quota limit or delete objects to reduce the used quota.
Even if you remove, it will take time to get free slots in this limit:
Deleted Azure AD resources that are no longer available to restore count toward this quota at a value of one-quarter for 30 days.
There is not much to do about it. For App Registrations you can create and assign a custom role. But for groups there is no custom roles available.
It might be obvious, but still:
Admins do not have this limit. But not all “admin roles” are really admins. Those roles are excepted:
Those roles are not excepted:
Message Center Reader
I don’t have time to try every admin role, but I suppose only admins that can change global configuration, are excepted, not the reader ones.
Since communication sites do not have an Office 365 Group behind the scenes, a non-admin user will still be able to create such sites even after the limit is hit.
Workarounds and Solutions
Since my scenario for creating groups with a service account does not work, we need to seek workarounds and solutions.
Do not restrict Group Creation
That is the best one. If users can create groups/sites by themselves, then none of this would be a problem. But still, in my scenario, there is a business requirement to control the creation of groups.
Application Permissions Group.ReadWrite.All
That is exactly the opposite of my scenario. This gives that application full access to all groups and files (!). This means, that application can access all Group-Connected SharePoint Sites as well.
Microsoft creates permissions for groups
If we also had “groups” permissions for custom roles, then we could do the same way as with app registrations. Today (2019-10-25), there are only permissions for applications.
Microsoft creates new permission Group.Create.All
If there were a permission for only creating groups, that would solve the problem.
There is a similar role: User.Invite.All, it allows only invitations, not editing All Users.
Microsoft allows exceptions per user
If there were a switch for the 250-limit per user, that would also solve the problem.
Granting the service account admin rights
Granting SharePoint Admin would solve the problem, but at what price? That is safer than Application Permissions Group.ReadWrite.All, since you need to actively add this account to the groups in order to read all the files, but this is still less secure than just a non-admin account.
Having multiple service accounts
If we had account 1..100 and we used every account 250 times. Theoretically it should work, but it is a cumbersome process. You need to keep track of how many groups an account as created, or having the right error handling. How should the password be kept safely. Should the accounts be removed when they have reached the 250 limit?
Group Creation Microservice
To overcome the limits and the ungranularity in the built-in permissions in Office 365, one way to solve it would be a tiny, but a dedicated, and secured service for creation of groups (and sites). It would still need the “hefty” Group.ReadWrite.All Application Permissions, but making it do the only thing and do it right, would mitigate the risks.
It could be a simple Azure Function that few have access to. That could be just a couple of lines of code.
Ett nytt tips på svenska: det finns en webpart i SharePoint Online: snabbdiagram.
När du har lagt till ett snabbdiagram, kan du skriva välja mellan stapel och cirkeldiagram
Resultatet får du direkt:
Använd data från en lista
Det går att visualisera data från en SharePoint-lista. Det är inte så mycket mer komplicerat, men det öppnar nya möjligheter. Du behöver bara hålla listan uppdaterad.
Nyttan med snabbdiagram
Det finns många olika sätt att visualisera data: PowerBI, Excel diagram, man skapa egna webparts. Men det är inte så sällan när man vill bara en liten visuell hjälp för att kommunicera ett budskap. Istället för att fastna på teknikaliteterna, kan man snabbt smälla upp ett diagram. Det gör inte heller att man behöver manuellt uppdatera sidan/listan.
Bra jobbat, Microsoft!
Bara moderna sidor
Snabbdiagram finns bara i “moderna” sidor, inte i klassiska sådana (wikisidor, webbdelssidor).
Mer SharePoint på svenska
Jag tänker använda taggen “svenska” för alla mina poster skrivna på svenska.
Jag har precis börjat med kolumnformatering, bara testat. Det är annorlunda, jag är nöjd med första resultatet. Även om det påminner om jslink som jag har jobbat mycket med, så är det mycket lättare att sätta igång:
Det är enklare att ändra, även för en icke-utvecklare. Man får en början:
Det är tre Ja/Nej-kolumner, som ska sättas till Ja under processen, listan representerar beställningar. Ja/nej-kolumnerna är actions för den som tar emot beställningar. Nej är en tom röd cirkel. Ja är en full grön cirkel. Du kan se koden här.
Det är lätt som en lek att börja med. Det är där för en Citizen Developer, en användare (ägare på siten) kan lätt sätta upp mer visuella vyer. Man behöver inte längre uppdatera JSlink-attributet i kolumnen eller vyn programmatiskt, man behöver inte stoppa in en Script Editor webpart. Med lite meckande av json, kan mycket anpassas. Json som man ändrar valideras direkt.
Om det skulle bli fel (att det inte visar något värde i kolumnen), går det lätt att nollställa formateringen. Jag hade lite problem först med att sätta in alla element på sin rätta plats i json-strukturen, då kändes det bra att kunna ta bort det snabbt, innan man fortsätter att experimentera.
Sammanfattningsvis kan jag säga att det är en intressant och uppskattad funktion i SharePoint för enklare vy-visualiseringar som är lättare att sätta upp och ta bort.
P.S. Vad tycker du om att jag skriver på svenska. Om du vill ha mer innehåll på min blogg på svenska, lämna en kommentar.
Today I will share a short script for getting totals from a list view in SharePoint. Imagine this scenario: you have set up a list view with totals and you want get the totals every day for statistics or some other reasons. Instead of getting all items, and/or fiddling around with CamlQueries, there is a better and quicker way – List.RenderListData. This combined with a tip from Piyush K Singhs blog post Get Aggregate Values… I came up with an idea to read the ViewXml from an existing view and retrieve the totals (in my case Count and Sum). Enough talking, let’s take a look at the code:
The good part of that approach is that you can let your view evolve over time and work together with colleagues on that, your script does not need an update every time you change the view. The only thing it alters is the RowLimit – that’s for better performance. Why load 30 or more list items when 1 is enough.
I have tested it in SharePoint 2013 and SharePoint Online.
This post is about the default language of a new site in SharePoint Online. There are some pros and cons of using English as the default language for Non-English sites.
In my case I want to know what is better for Swedish users:
A site with English as default and Swedish as an alternate language (among many other alternate languages)?
A site with Swedish as default?
Today, when you create a site, English is pre-selected in the form, you have to choose Swedish actively. When you create a team, the underlying SharePoint Site will have English as the default language.
There are a couple of advantages of starting from English:
Stream-lined urls for Document Libraries and Lists. For an admin or a support guy, it is better to know that the Url for the first document library is ../Shared Documents/ and not Delade dokument. It is easier to find things and provide help if needed.
In scripts you can skip if-statements or comments like this: “Step4(c): Upload Pages (Check for swedish sites it may be Sdior instead of SitePages)” or “if swedish, $doclib = “Delade dokument”
It is less error-prone to create and update Calculated fields from templates.
Unfortunately the (display) names of the default language are used as identifiers in CAML and in CSOM. That means, it is more cumbersome to support sites with different default languages in Add-Ins, apps etc.
The disadvantages are:
The choice fields are in English. While the most of the UI is available in all alternate languages by default, the values in choice fields can only be in one language, and it will be in English, e.g. Task status.
More a big caveat: Sort order, a tiny but an important setting for how things should be sorted. More on that below.
Sort order caveat
If you keep the General Sort Order, the Swedish ÅÄÖ will be treated as AAO, which means Ö-words that are expected to be in the end of a list, will show up in the middle. An important setting for business. And the bad part is you need to change it to Finnish/Swedish Sort Order before you add an indexed column (or a built-in list (e.g. Tasks) that adds indexed columns) .
For a Swedish site (a site where the majority of users are Swedish who expect the right sort order, the very first thing you have to do is to change the sort order (and also the time zone, and 24h clock, and Monday as the first day of week etc). Once you get an indexed column, no matter if you have zero list items, you will get an error like this: