Activate Privileged Identity Management (PIM) Role in PowerShell with MFA

There are plenty of articles and YouTube videos on this. But if your org requires MFA for role activation, good luck! You can start here:
https://docs.microsoft.com/en-us/azure/active-directory/privileged-identity-management/powershell-for-azure-ad-roles
You will not be able to make it work, and you will not realize why until you stumble upon this paragraph:
If you require multi-factor authentication for role activation, there is currently no way for PowerShell to challenge the user when they activate their role. Instead, users will need to trigger the MFA challenge when they connect to Azure AD by following this blog post from one of our engineers. If you are developing an app for PIM, one possible implementation is to challenge users and reconnect them to the module after they receive a “MfaRule” error.
So frustrating!!
However, the same page refers to a blog post by Anuj. I was surprised that Microsoft referred to a third-party post from its own documentation! And it actually worked. The trick is in how the Microsoft Graph token is requested: it carries a claims challenge asking for the "mfa" authentication method reference (amr), so the MFA prompt happens at sign-in, where PowerShell can show it, instead of at activation, where PIM cannot. Here is a slightly tweaked version of Anuj's PowerShell:

function ActivatePIM {
    param(
        [Parameter(Mandatory)][string]$UserPrincipalName,   # the account activating the role
        [Parameter(Mandatory)][string]$TenantId,            # Azure AD tenant id (GUID)
        [Parameter(Mandatory)][string]$RoleToActivate,      # role display name, e.g. SharePoint Administrator
        [int]$Hours = 8,                                    # activation window; keep it as short as the task needs
        [string]$Reason = "Admin tasks"
    )

    # Well-known application id of the first-party "Azure Active Directory PowerShell" app.
    # Connect-AzureAD only accepts tokens that were issued to this client.
    $ClientId  = "1b730954-1685-4b74-9bfd-dac224a7b894"
    $Authority = "https://login.microsoftonline.com/common"

    # Token for Microsoft Graph. The claims parameter asks Azure AD for a token whose "amr"
    # claim includes "mfa". That is what moves the MFA challenge to sign-in time: the prompt
    # looks like a normal sign-in, but the resulting session satisfies PIM's MFA rule.
    $MsResponse = Get-MsalToken -Scopes @("https://graph.microsoft.com/.default") `
        -ClientId $ClientId -RedirectUri "urn:ietf:wg:oauth:2.0:oob" -Authority $Authority `
        -Interactive -ExtraQueryParameters @{claims='{"access_token" : {"amr": { "values": ["mfa"] }}}'}

    # Token for Azure AD Graph (the API the AzureAD module itself uses). Because the MSAL
    # cache now holds the MFA-satisfied session, this normally does not prompt again.
    $AadResponse = Get-MsalToken -Scopes @("https://graph.windows.net/.default") `
        -ClientId $ClientId -RedirectUri "urn:ietf:wg:oauth:2.0:oob" -Authority $Authority

    # Hand both tokens to the AzureAD module instead of letting it do its own (non-MFA) sign-in
    Connect-AzureAD -AadAccessToken $AadResponse.AccessToken -MsAccessToken $MsResponse.AccessToken `
        -AccountId $UserPrincipalName -TenantId $TenantId | Out-Null

    # For the AadRoles provider the directory itself is the resource; its Id is the tenant id.
    # This is the first call that needs the MFA-backed session.
    $resource = Get-AzureADMSPrivilegedResource -ProviderId AadRoles
    if (-not $resource) { throw "Could not read the AadRoles resource; did Connect-AzureAD succeed?" }

    # OData string literals must be single-quoted, so quote the role name here rather than
    # asking the caller to type the quotes
    $roleDefinition = Get-AzureADMSPrivilegedRoleDefinition -ProviderId AadRoles -ResourceId $resource.Id `
        -Filter "DisplayName eq '$RoleToActivate'"
    if (-not $roleDefinition) { throw "Role '$RoleToActivate' was not found" }

    # This will not work unless Connect-AzureAD worked successfully
    $subject = Get-AzureADUser -Filter "userPrincipalName eq '$UserPrincipalName'"
    if (-not $subject) { throw "User '$UserPrincipalName' was not found" }

    $schedule = New-Object Microsoft.Open.MSGraph.Model.AzureADMSPrivilegedSchedule
    $schedule.Type = "Once"
    $now = (Get-Date).ToUniversalTime()
    $schedule.StartDateTime = $now.ToString("yyyy-MM-ddTHH:mm:ss.fffZ")
    # Default is 8 hours; PIM caps it at the maximum configured in the role settings
    $schedule.EndDateTime   = $now.AddHours($Hours).ToString("yyyy-MM-ddTHH:mm:ss.fffZ")

    Open-AzureADMSPrivilegedRoleAssignmentRequest -ProviderId AadRoles -Schedule $schedule `
        -ResourceId $resource.Id -RoleDefinitionId $roleDefinition.Id -SubjectId $subject.ObjectId `
        -AssignmentState "Active" -Type "UserAdd" -Reason $Reason
}

<#
The following is really a one-time need, for example when you are setting up a new jump box.
Don't run it every time.
if(!(Get-Module -ListAvailable | Where-Object {$_.Name -eq 'PowerShellGet' -and $_.Version -ge '2.2.4.1'})) { Install-Module PowerShellGet -Force }

These install once. MSAL.PS provides Get-MsalToken; the PIM cmdlets
(Get-AzureADMSPrivilegedResource and friends) live in the AzureADPreview module.
if(!(Get-Module -ListAvailable MSAL.PS)) { Install-Module MSAL.PS -Scope CurrentUser }
if(!(Get-Module -ListAvailable AzureADPreview)) { Install-Module AzureADPreview -Scope CurrentUser }
#>

$myCloudUser = Read-Host "Provide your user Id (UPN)"

$TenantID = Read-Host "Provide your tenant Id"   # You can double check this on the Azure AD overview blade

$RoleToActivate = Read-Host "Provide the role to activate"   # Example: SharePoint Administrator
                                                            # No quotes needed; the function adds them to the filter

ActivatePIM -UserPrincipalName $myCloudUser -TenantId $TenantID -RoleToActivate $RoleToActivate
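One check worth doing before handing the token to Connect-AzureAD: confirm that the claims challenge actually took effect. If the "amr" claim of the Microsoft Graph token does not contain "mfa", PIM will reject the activation with the MfaRule error quoted above, and it is much easier to see that in the token than to debug it after the fact. The following is an added example, not part of the original post or of Anuj's script; it decodes the JWT locally (no signature check, the token was just issued to us over TLS and is only inspected, not trusted as proof of anything) and runs against a constructed sample token so it can be tried offline.

```powershell
function ConvertTo-Base64Url {
    param([Parameter(Mandatory)][string]$Text)
    $b64 = [Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes($Text))
    return $b64.TrimEnd('=').Replace('+', '-').Replace('/', '_')
}

function ConvertFrom-Base64Url {
    param([Parameter(Mandatory)][string]$Text)
    # Base64url -> Base64: restore the padding and the standard alphabet
    $b64 = $Text.Replace('-', '+').Replace('_', '/')
    switch ($b64.Length % 4) { 2 { $b64 += '==' } 3 { $b64 += '=' } }
    return [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($b64))
}

function Get-JwtPayload {
    # Reads the claims segment of a compact-serialised JWT. The signature is deliberately
    # not verified here: we only read our own freshly issued token, we do not accept it from anyone.
    param([Parameter(Mandatory)][string]$Jwt)
    $parts = $Jwt.Split('.')
    if ($parts.Count -ne 3) { throw "Value is not a compact-serialised JWT" }
    (ConvertFrom-Base64Url -Text $parts[1]) | ConvertFrom-Json
}

function Test-TokenSatisfiesMfa {
    param([Parameter(Mandatory)][string]$AccessToken)
    $claims   = Get-JwtPayload -Jwt $AccessToken
    $problems = @()
    # amr = authentication method references; PIM's MfaRule looks for "mfa" in this list
    if (-not (@($claims.amr) -contains 'mfa')) {
        $problems += "amr is [$(@($claims.amr) -join ',')] and lacks 'mfa'"
    }
    $expires = [DateTimeOffset]::FromUnixTimeSeconds([long]$claims.exp).UtcDateTime
    if ($expires -le (Get-Date).ToUniversalTime()) { $problems += "token expired at $expires UTC" }
    [pscustomobject]@{
        Ok       = ($problems.Count -eq 0)
        Problems = $problems
        User     = $claims.upn
        Expires  = $expires
    }
}

# Constructed sample token (not real; the signature segment is junk) with the claim shape
# a claims-challenged sign-in produces: amr contains both "pwd" and "mfa"
$header    = ConvertTo-Base64Url -Text '{"alg":"RS256","typ":"JWT"}'
$exp       = [DateTimeOffset]::UtcNow.AddHours(1).ToUnixTimeSeconds()
$bodyMfa   = ConvertTo-Base64Url -Text ('{"upn":"admin@contoso.example","amr":["pwd","mfa"],"exp":' + $exp + '}')
$bodyNoMfa = ConvertTo-Base64Url -Text ('{"upn":"admin@contoso.example","amr":["pwd"],"exp":' + $exp + '}')
$sig       = ConvertTo-Base64Url -Text 'not-a-signature'

Test-TokenSatisfiesMfa -AccessToken (($header, $bodyMfa, $sig) -join '.')     # Ok = True
Test-TokenSatisfiesMfa -AccessToken (($header, $bodyNoMfa, $sig) -join '.')   # Ok = False, Problems names the missing amr

# Where it belongs in ActivatePIM: right after the Get-MsalToken call for Microsoft Graph
# $check = Test-TokenSatisfiesMfa -AccessToken $MsResponse.AccessToken
# if (-not $check.Ok) { throw "This session will fail PIM's MfaRule: $($check.Problems -join '; ')" }
```

If the check fails on a real token even though you were prompted for MFA, the usual cause is a cached session being reused: clear the MSAL cache (Clear-MsalTokenCache from MSAL.PS) and sign in again so the claims challenge is actually sent.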



Add Real-Time Chat gone!


When you create a new group-connected Team site, you are presented with this the first time you access the site:

Add real-time chat.

However, the window below offers an option to make it go away permanently:

If you select Don’t show me again together with Yes (which is the default), good luck! You will not be able to connect Teams to SharePoint from the SharePoint site any more; the option will not appear under Next Steps:


So how do you connect such a site to Teams? Is there no other way at all? Yes there is! It is described in this Microsoft article:
https://docs.microsoft.com/en-us/microsoftteams/enhance-office-365-groups
In Teams, select Create from > Microsoft 365 group
and then select the group in the drop-down. This selection is a little buggy: if you select the name of the group, it may not get highlighted. Even if it does not, click the Create button and the team should get created. When I tried, it took a couple of attempts before I could create it.

Changing value of hyperlink field of a list en masse using PowerShell

Forever grateful to Salaudeen Rajack for all his contributions over the years to the SharePoint admin community. Recently I was tasked with changing, en masse, the values of a picture/hyperlink column in a SharePoint Online list. The requirement was: wherever a value in that column contains a given string, replace that part of the string. https://www.sharepointdiary.com/2017/08/sharepoint-online-update-hyperlink-field-using-powershell.html
provides the main idea, but I had to apply that concept to all items in a list. This is not the most efficient way, but here is what I came up with quickly:

#Config Variables
$SiteURL   = "https://YourTenant.sharepoint.com/sites/YourSite"   # site or subsite where the list resides
$ListName  = "Your list name"
$FieldName = "Column name with picture/ hyperlink column name"     # internal name of the hyperlink/picture column
$OldText   = "Your replaceable content"
$NewText   = "Your desired content"
$counter   = 0
$maxCount  = 2500   # safety cap: stop after this many updates so a wrong pattern cannot rewrite the whole list in one go

#Connect to PnP Online
Connect-PnPOnline -Url $SiteURL -Credentials (Get-Credential)

#Loop through the list and update the hyperlink column value using PowerShell
$listItems = Get-PnPListItem -List $ListName -Fields "Title",$FieldName -PageSize 1000

# Hyperlink/picture values come back as FieldUrlValue objects with .Url and .Description
ForEach ($item in $listItems)
{
    $link = $item[$FieldName]
    if ($null -eq $link -or [string]::IsNullOrEmpty($link.Url))
    {
        Write-Host "No hyperlink value in" $item["ID"] -ForeGroundColor gray
        continue
    }

    # Match case-insensitively (-match already is) but write the URL back with its original casing;
    # lower-casing the whole URL before saving it changes path and query segments that the
    # target server may treat as case sensitive
    $pattern = [regex]::Escape($OldText)
    if ($link.Url -match $pattern)
    {
        # '$' is special in a regex replacement string, so escape it in the new text
        $newsubCatUrl = [regex]::Replace($link.Url, $pattern, $NewText.Replace('$', '$$'), 'IgnoreCase')

        # A hyperlink field is set with "URL, Description"; keep the existing description
        Set-PnPListItem -List $ListName -Identity $item["ID"] -Values @{$FieldName = "$newsubCatUrl, $($link.Description)"}

        Write-Host $item["ID"] "Changed:" $link.Url "->" $newsubCatUrl -ForeGroundColor yellow

        $counter++

        If ($counter -ge $maxCount) { Write-Host "Reached maxCount ($maxCount), stopping" -ForeGroundColor red; break }
    }
    else
    {
        Write-Host "No '$OldText' found in" $item["ID"] -ForeGroundColor magenta
    }
}

Write-Host "Total items changed are" $counter -ForeGroundColor green
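A mass update like this has no undo button in SharePoint: version history keeps the old value per item, but restoring thousands of items one by one is not practical. The added example below (mine, not part of the original post or of Salaudeen's script) separates the decision from the write: it computes the planned old/new values first, writes them to a CSV that doubles as the rollback record, and only touches the list when $Apply is flipped on. The placeholder site, list and column names are assumed to match the script above, and the sample rows are constructed, not real data.

```powershell
function New-HyperlinkChangePlan {
    # Builds the list of planned edits without touching SharePoint. $Items are objects with
    # Id, Url and Description (the shape of a hyperlink field value plus the item id).
    param(
        [Parameter(Mandatory)][object[]]$Items,
        [Parameter(Mandatory)][string]$OldText,
        [Parameter(Mandatory)][string]$NewText
    )
    $pattern     = [regex]::Escape($OldText)
    $replacement = $NewText.Replace('$', '$$')   # '$' is special in a regex replacement
    foreach ($i in $Items) {
        if ([string]::IsNullOrEmpty($i.Url) -or $i.Url -notmatch $pattern) { continue }
        $newUrl = [regex]::Replace($i.Url, $pattern, $replacement, 'IgnoreCase')
        [pscustomobject]@{
            Id       = $i.Id
            OldValue = "$($i.Url), $($i.Description)"   # exactly what Set-PnPListItem needs to undo the change
            NewValue = "$newUrl, $($i.Description)"
        }
    }
}

# Constructed sample rows standing in for Get-PnPListItem output (not real data)
$sample = @(
    [pscustomobject]@{ Id = 1; Url = 'https://old.contoso.example/Docs/A.pdf'; Description = 'Doc A' },
    [pscustomobject]@{ Id = 2; Url = 'https://OLD.contoso.example/Docs/B.PDF'; Description = 'Doc B' },
    [pscustomobject]@{ Id = 3; Url = 'https://other.contoso.example/C.pdf';    Description = 'Doc C' },
    [pscustomobject]@{ Id = 4; Url = '';                                        Description = '' }
)
$plan = New-HyperlinkChangePlan -Items $sample -OldText 'old.contoso.example' -NewText 'new.contoso.example'
$plan | Format-Table -AutoSize   # items 1 and 2 are planned (2 keeps its upper-case path); 3 and 4 are skipped

# Against the real list (placeholder names as in the script above). Flip $Apply only after
# reviewing the CSV; the same CSV is the rollback record.
$Apply     = $false
$SiteURL   = "https://YourTenant.sharepoint.com/sites/YourSite"
$ListName  = "Your list name"
$FieldName = "Column name with picture/ hyperlink column name"
$LogPath   = ".\hyperlink-changes-$(Get-Date -Format yyyyMMdd-HHmmss).csv"

if ($Apply) {
    Connect-PnPOnline -Url $SiteURL -Credentials (Get-Credential)
    $rows = Get-PnPListItem -List $ListName -Fields "ID",$FieldName -PageSize 1000 | ForEach-Object {
        $v = $_[$FieldName]
        [pscustomobject]@{ Id = $_["ID"]; Url = $v.Url; Description = $v.Description }
    }
    $plan = New-HyperlinkChangePlan -Items $rows -OldText 'old.contoso.example' -NewText 'new.contoso.example'
    $plan | Export-Csv -NoTypeInformation -Path $LogPath
    foreach ($change in $plan) {
        Set-PnPListItem -List $ListName -Identity $change.Id -Values @{ $FieldName = $change.NewValue } | Out-Null
    }
    # Rollback, if needed, is the same loop with OldValue:
    # Import-Csv $LogPath | ForEach-Object { Set-PnPListItem -List $ListName -Identity $_.Id -Values @{ $FieldName = $_.OldValue } }
}
```

Running the planning step alone is the dry run: the CSV tells you how many items will change and what each one becomes, which is the number to sanity-check against $maxCount before anything is written.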

Site Page not available in the New drop down

If you happen to stumble across a classic SharePoint Online site where the New drop-down of the Site Pages library shows only Wiki Page and Web Part Page, not Site Page, and you have exhausted all other options, check whether the site feature called:
Site Pages
Allows users to add new site pages to the site

is active.
Please remember this is a web-scoped site feature: if you have a subsite, you have to enable it at the subsite level as well.
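Because the feature is web-scoped, a site collection with subsites needs it checked on every web, not just the root. The added example below (not from the original post) does that with PnP PowerShell: it walks the root web and all subsites and activates the feature only where it is missing. The site URL is a placeholder, and the feature id is the one I know the web-scoped "Site Pages" feature by; treat it as an assumption and verify it against a site where the feature already shows as active before relying on it.

```powershell
$SiteUrl            = "https://YourTenant.sharepoint.com/sites/YourClassicSite"   # placeholder
$SitePagesFeatureId = "b6917cb1-93a0-4b97-a84d-7cf49975d4ec"   # assumed "Site Pages" (web scope); verify on your tenant
$cred = Get-Credential   # one prompt, reused for every web

function Enable-SitePagesOnWeb {
    param([Parameter(Mandatory)][string]$WebUrl)
    Connect-PnPOnline -Url $WebUrl -Credentials $cred
    # Get-PnPFeature lists only the features that are currently active on this web
    $active = Get-PnPFeature -Scope Web | Where-Object { $_.DefinitionId -eq $SitePagesFeatureId }
    if ($active) {
        Write-Host "$WebUrl : Site Pages already active"
        return $false
    }
    Enable-PnPFeature -Identity $SitePagesFeatureId -Scope Web
    Write-Host "$WebUrl : Site Pages activated" -ForegroundColor yellow
    return $true
}

# Collect the root web plus every subsite (ServerRelativeUrl is turned back into an absolute URL)
Connect-PnPOnline -Url $SiteUrl -Credentials $cred
$authority = ([uri]$SiteUrl).GetLeftPart([UriPartial]::Authority)
$webs = @($SiteUrl) + @(Get-PnPSubWeb -Recurse | ForEach-Object { $authority + $_.ServerRelativeUrl })

$results = foreach ($w in $webs) { Enable-SitePagesOnWeb -WebUrl $w }
Write-Host ("Activated on {0} of {1} webs" -f @($results | Where-Object { $_ }).Count, $webs.Count)
```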

View a previous version of an Excel file from SharePoint online library


So a user came to me and asked, “Soumya, I want to download a previous version of an Excel document in a SharePoint Online document library. I don’t want to restore it. I just want to open it or download it.”
Hmmm, not as easy as it sounds. But I found how to do this for a Word document here:
https://sharepointmaven.com/5-ways-users-can-benefit-versioning-sharepoint/
All I had to do was apply the same idea to Excel. In Excel, the File > Info option lets you see versions.

Open the Excel file in Excel app (not in browser). Go to File > Info to see all versions on the right hand side. Then by clicking the appropriate version, you should be able to open it and if needed save a local copy.
I wonder how the same thing is done for pdf files.

Find O 365 group Id


This is a quick article on how to find an Office 365 group Id. I am assuming you are a global admin. There are several articles online about it; https://www.rlvision.com/blog/how-to-quickly-get-the-group-id-for-an-office-365-group/ is one example. There are a few more. I also found that for me the quickest way to look this up is in the Azure portal. Go to portal.azure.com and log in with your global admin credentials. Click on Azure Active Directory > Manage > Groups. Look the group up. You will see something like below:

From here you pick up the ObjectId and you are all set.

Delete modern SharePoint Team site immediately to reclaim its URL


The requirement came from a user. She wanted me to migrate https://YourTenant.sharepoint.com/sites/YourCommunicationsSite (a Communication site) to https://YourTenant.sharepoint.com/sites/YourTeamSite (a Team site).

Well, I thought it was easy: open ShareGate and start migrating. It turned out she wanted https://YourTenant.sharepoint.com/sites/YourTeamSite to be a communication site. That means we have to delete the current Team site and reclaim the URL to create a new communication site at the same URL.

The problem is that Team sites are tied to Office 365 groups. Even if you delete a team site from SharePoint, you won’t be able to free up the URL while the site sits in the recycle bin and its group sits in the Azure AD deleted-groups bin. So here are the steps:

Delete the SharePoint site from SharePoint admin center. This is UI based.

Delete the SharePoint site from recycle bin. This will need SPO PowerShell.

Connect to SPO tenant using SharePoint admin url

Remove-SPODeletedSite -Identity https://YourTenant.sharepoint.com/sites/YourTeamSite

Delete the Office 365 group from the Azure AD deleted-groups recycle bin. For this you will need the AzureAD PowerShell module installed. I followed Salaudeen Rajack’s blog post here:

How to Delete an Office 365 Group using PowerShell?

After the above I could immediately reclaim the URL and create a brand new communications site @ https://YourTenant.sharepoint.com/sites/YourTeamSite
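The three steps above, put together as one script. This is an added example, not the original post's commands: it assumes the SharePoint Online Management Shell and the AzureADPreview module (Get-AzureADMSDeletedGroup and Remove-AzureADMSDeletedDirectoryObject live there), and the tenant, site, group and owner names are placeholders. Step 1 (deleting the live site) is still done in the admin center as the post describes; the script starts at the recycle bin and refuses to purge the group unless it finds exactly one match, because purging a deleted group is irreversible and takes the group mailbox, Planner and Teams content with it.

```powershell
$AdminUrl  = "https://YourTenant-admin.sharepoint.com"
$SiteUrl   = "https://YourTenant.sharepoint.com/sites/YourTeamSite"
$GroupName = "YourTeamSite"                       # display name of the Microsoft 365 group behind the team site
$NewOwner  = "admin@YourTenant.onmicrosoft.com"   # owner for the new communication site

Connect-SPOService -Url $AdminUrl   # prompts; needs a SharePoint admin

# Step 2: purge the site from the tenant recycle bin (only if it is actually there)
$deletedSite = Get-SPODeletedSite -Identity $SiteUrl -ErrorAction SilentlyContinue
if ($deletedSite) {
    Remove-SPODeletedSite -Identity $SiteUrl -Confirm:$false
    Write-Host "Purged $SiteUrl from the recycle bin"
} elseif (Get-SPOSite -Identity $SiteUrl -ErrorAction SilentlyContinue) {
    throw "$SiteUrl is still an active site; delete it from the SharePoint admin center first"
} else {
    Write-Host "$SiteUrl is not in the recycle bin; nothing to purge on the SharePoint side"
}

# Step 3: purge the soft-deleted group. Irreversible, so insist on exactly one match.
Connect-AzureAD | Out-Null
$deletedGroups = @(Get-AzureADMSDeletedGroup | Where-Object { $_.DisplayName -eq $GroupName })
if ($deletedGroups.Count -ne 1) {
    throw "Expected exactly one deleted group named '$GroupName', found $($deletedGroups.Count); refusing to purge"
}
Remove-AzureADMSDeletedDirectoryObject -Id $deletedGroups[0].Id
Write-Host "Purged group $GroupName ($($deletedGroups[0].Id))"

# The URL is now free: create the communication site in its place
New-SPOSite -Url $SiteUrl -Owner $NewOwner -StorageQuota 1024 -Template "SITEPAGEPUBLISHING#0" -Title "YourTeamSite"
```

If New-SPOSite still reports the URL as in use, list Get-SPODeletedSite again: the site delete can take a few minutes to show up in the recycle bin after the admin center action, and the purge has to happen after it does.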

Report couldn’t be loaded in PowerPlatform Admin center

I was called to provide a report on how many flows (Power Automate) were created in the last 28 days. I thought, oh, this is easy. Start with the Power Platform Admin Center, go to Power Automate and click on Analytics. And I got the following screen:
One colleague was seeing it just fine. I thought it had to be my license, as for the life of me I could not find an Environment Admin of the default environment I was in.
I found this https://docs.microsoft.com/en-us/power-platform/admin/analytics-flow#who-can-view-these-reports article. I am a Global Admin too, so it must be the license. It says:
Admins with the following roles and a license can view the reports in Power Automate analytics:
OK, what license? I had a P2 license, but I didn’t have the E5 license my colleague had. As soon as the E5 license was assigned, my report started running!

Account throttled for SPO sites


Recently, I started getting redirected to a throttling page for any SharePoint Online site I tried to open on my tenant. This was happening with my regular account. The message said “Something is not right. The page you requested is temporarily unavailable….” See the image below.
The problem was intermittent, but it occurred on 90+% of the attempts.

We opened a Microsoft ticket as the problem went on for days. Initially we thought this might be a license issue.

There are some articles on the net about this. But in our case it turned out that I was migrating a site that has a list with 30,000+ items and workflows associated with them, about four triggered for each item. The migration triggered 30,000+ × 4 workflows, which was enough for Microsoft to flag my account and throttle it. See the image below:
Once those workflows were terminated/removed, everything went back to normal.

One more SP 2013 on-prem patching

Nowadays I am more of an O365 person than a traditional SharePoint on-prem person. But there are always remnants of on-prem, and my company is no exception. Hence I was recently asked to patch an old farm that had not been upgraded for a while. I have done enough of these to know that every such patch, no matter how many you have done, may pose its own unique set of challenges.

I ended up with errors like the ones below:
An exception of type Microsoft.SharePoint.PostSetupConfiguration.PostSetupConfigurationTaskException was thrown. Additional exception information:
Feature (Name = [Operations Manager Dashboard Web Part], Id = [Your Id], Description = [Allows for Operations Manager Dashboards to be hosted in SharePoint], Install Location = [Your Location]) is referenced in database [Your database], but isn’t installed on the current farm. The missing feature might cause upgrade to fail. If necessary, please install any solution that contains the feature and restart upgrade. (EventID:ajxkh)

Feature (Name = [Power View Integration Feature], Id = [Your Id], Description = [Enables interactive data exploration and visual presentation against PowerPivot workbooks and Analysis Services tabular databases.], Install Location = [Your Location]) is referenced in database [Your database], but isn’t installed on the current farm. The missing feature might cause upgrade to fail. If necessary, please install any solution that contains the feature and restart upgrade. (EventID:ajxkh)

Dug into some old notes and found this one:
https://soumyabhatta.wordpress.com/2017/05/26/delete-missing-features-dig-deeper/
I tried to remove the troubled features that I could. Another run of PSConfig left me with essentially this error:
An exception of type Microsoft.SharePoint.PostSetupConfiguration.PostSetupConfigurationTaskException was thrown. Additional exception information:
Application Resource Web Config for this IIS site (Your site#) could not be found

I noticed that the site above was not working anyway, so I decided to delete it using Central Admin and removed it from IIS.
After this, PSConfig was a success. Voilà!