Managing User Profiles in Microsoft SharePoint Online for Office 365

Manage user properties

When you click the Manage User Properties link under the People section, you’re taken to the page where you can create, modify, and delete user-profile properties. The default list is pretty extensive, comprising roughly 99 profile fields. Still, you will likely think of more fields to create that will be better descriptors in your environment. To create a new profile field, click the New Property link (not illustrated).

Once you select the New Property link, you’ll be presented with a screen to create a new profile property. (See Figure 2-3.)

Figure 2-3 The new profile creation screen in SharePoint Online

When creating the new profile property, there are several key decision points you should address. If you combine the use of descriptive terms from the term store with the user profiles, you can achieve significant organization and increase the findability of expertise. Use these property definitions to your advantage (I’ll discuss the more important configurations here; space limits my ability to go in depth into each configuration option):

  • Configure A Term Set To Be Used For This Property: If the values for this property can be built into a pick-list rather than a free-text value, the list should be built in the term store and consumed by the profile property. Having a standard set of terms from which to pick differentiates meaning between each term. Also, it helps ensure everyone uses the same set of terms rather than having each user enter a term that is meaningful to them but lacks meaning to others. For example, in a list of colleges attended, a standard term might be “University of Minnesota,” whereas a meaningful term for a person who has attended that school might be simply “Minnesota” or “U of M.” Shortcut terms or abbreviations should be avoided in standard term sets so that the terms that appear are both meaningful and clear as to their meaning.
  • Allow Users To Edit The Values For This Property: If you’re going to expose a list of values from a term set in the term store from which users can select their values, you need to allow users to edit the values for the property in question.
  • Show On The Edit Details Page: By selecting this check box, you can ensure that users can easily make their selection for this profile property.

If the profile property values cannot be coalesced into a pick list, you’re left with users entering their own values, potentially misspelling words, inputting garbage into the field, or using words that are individually meaningful but lack value in the enterprise. Most users will not enter information with nefarious intentions, but they can unwittingly cause confusion with the terms and phrases they enter. Although such properties might be helpful in some way, I would advise that, as much as possible, you rely on standard lists for the user-profile metadata.

From a risk and governance perspective, not building out a robust user-profile system can represent a loss of applied expertise and can create opportunity costs in which the same or similar mistakes are made by different employees over time when acting in similar capacities. Acquired understanding and wisdom that your organization paid for in the form of salaries goes unused when people work without the benefit of the wisdom of those who have gone before them. Compliance that lowers the risks represented in the opportunity costs includes having users fully fill out their user profiles and building a culture of collaboration across organizational teams, departments, divisions, and hierarchies. Of course, this assumes that the profile properties can tightly discriminate between users and surface experience and expertise in a way that helps propel your organization forward in fulfilling its strategic objectives.

Manage subtypes

Profile subtypes can be used to create a different set of properties for a different set of users. For example, you can create a subtype that categorizes a user as either an intern or a full-time employee. So, instead of having a one-size-fits-all profile for every user in your organization, each user type (defined by you, the system administrator) can have its own set of profile properties. For example, you might want to create the following sets of profiles: Manager and Intern. Hence, you would draw up something like this:

Profile Property

  • About Me
  • Current Job Title
  • Current School
  • Degrees Earned
  • Former Job Titles

While all these properties would be created within the overall user-profile service, the subtypes would allow you to associate each property with one profile type or more and then assign that profile type to the users.

Manage audiences

Creating audiences is a straightforward process. You first create the audience and decide if membership in the audience should satisfy all the rules that will define the audience or any one of the rules that defines the audience. After creating the audience, you need to create the rules that will define membership in the audience.

Membership (shown in Figure 2-4) can be defined in these pragmatic ways:

  • Existing membership in an Azure security group, distribution list, or organizational hierarchy
  • Existing reporting relationship, such as whether the user reports to another user account
  • A particular value assigned to a particular profile property; for example, a user whose Department property in his profile is defined as “Accounting”
  • A particular value not assigned to a particular profile property; for example, a user whose City in her profile is anything but “Minneapolis”

    Figure 2-4 Target Audience input box in the Advanced properties section of a web part

More than one rule can define membership in an audience, so you can combine multiple rules to create unique audiences. For example, let’s say Juan has 120 people who report to him, but they work in three locations: Minneapolis, Indianapolis, and London. You want to build an audience for those who report to Juan but include only those who live in Minneapolis and who are working in the Marketing department. So you create three rules:

  • Rule 1: User reports to (“under” is the word used in the interface) Juan
  • Rule 2: User’s Office Location equals “Minneapolis”
  • Rule 3: User’s Department equals “Marketing”

The rules are not parsed in any particular order, so they can be taken as a whole. For each distinct aspect of the membership, you should plan to build a rule that defines that aspect and not try to combine two aspects into the same rule.
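An added example (not from the book and not SharePoint's own code): a small Python model of how the three rules above combine, comparing "satisfy all" with "satisfy any" so you can see who is pulled into the audience by the looser setting. The profile data, the field names, and the treatment of "under" as the whole management chain are assumptions made for illustration.

```python
# Constructed sample profiles (not real directory data).
# "manager" is the account each user reports to.
PROFILES = {
    "juan":  {"manager": None,   "office": "Minneapolis",  "department": "Marketing"},
    "ana":   {"manager": "juan", "office": "Minneapolis",  "department": "Marketing"},
    "li":    {"manager": "ana",  "office": "Minneapolis",  "department": "Marketing"},
    "omar":  {"manager": "juan", "office": "London",       "department": "Marketing"},
    "priya": {"manager": "juan", "office": "Minneapolis",  "department": "Sales"},
    "sam":   {"manager": "dana", "office": "Minneapolis",  "department": "Marketing"},
    "dana":  {"manager": None,   "office": "Indianapolis", "department": "Finance"},
}

# One rule per aspect of membership, as the text recommends.
RULES = [
    ("reports_under", None, "juan"),
    ("equals", "office", "Minneapolis"),
    ("equals", "department", "Marketing"),
]

def reports_under(user, manager, profiles):
    """Assumption: 'under' means anywhere in the user's management chain."""
    seen, current = set(), profiles[user]["manager"]
    while current is not None and current not in seen:  # guard against cycles
        if current == manager:
            return True
        seen.add(current)
        current = profiles.get(current, {}).get("manager")
    return False

def rule_matches(rule, user, profiles):
    kind, prop, value = rule
    if kind == "reports_under":
        return reports_under(user, value, profiles)
    actual = profiles[user].get(prop)
    if kind == "equals":
        return actual == value
    if kind == "not_equals":
        return actual != value
    raise ValueError(f"unknown rule kind: {kind}")

def compile_audience(rules, profiles, satisfy_all=True):
    """Return sorted members; rule order does not affect the result."""
    combine = all if satisfy_all else any
    return sorted(u for u in profiles
                  if combine(rule_matches(r, u, profiles) for r in rules))

def exposure_diff(rules, profiles):
    """Users included only because 'any rule' was chosen instead of 'all rules'."""
    strict = set(compile_audience(rules, profiles, satisfy_all=True))
    loose = set(compile_audience(rules, profiles, satisfy_all=False))
    return sorted(loose - strict)
```

With the constructed data, "satisfy all" yields only the Minneapolis Marketing staff under Juan, while "satisfy any" also pulls in Juan himself, the London and Sales reports, and a Minneapolis marketer who reports to someone else.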

Audiences are applied at the site and web-part layers. In most web parts, you’ll find the ability to assign an audience under the Advanced properties of the web part, which are shown in Figure 2-4.

Audiences you create in the SharePoint Admin Center will appear as Global Audiences (as shown in Figure 2-5) after you click the Browse button.

Figure 2-5 The Select Audiences screen, where you can create audiences from multiple sources

Note that audiences don’t need to be created only from the Global Audiences. Audiences also can be assigned from distribution groups, security groups, or both from your directory service as well as from SharePoint groups from within your site collection. This gives your site-collection administrators the ability to create audiences without looping through the SharePoint Admin Center.

This is not something that you, the SharePoint system administrator, should try to control. Recall that audiences are not a security feature; they are a view-crafting feature. If it is advantageous to your users within a site collection to create SharePoint groups and then use them as audiences, this should be supported. This is the type of ownership-of-collaboration process that you’ll want to foster in your environment.

From a governance perspective, if end users are selecting groups or distribution lists to build audiences, it would be ideal if they have a way to enumerate the memberships without having to loop through the IT department. Keeping the administration transaction costs low is essential to SharePoint Online being well adopted within your environment. If users don’t have a way to do this, they might assign an audience to a resource and either overexpose or underexpose that resource in the interface.

Although this isn’t a security issue, it could be an irritant that causes unnecessary support cycles. It is better to anticipate the potential support and process problems in advance and fix them before they cause real problems in your environment and, perhaps, dampen enthusiasm for SharePoint Online adoption.

Manage user profile permissions

When you click the Manage User Permissions link within the People section of the User Profiles page, you’ll be presented with a dialog box within which you can set permissions for who can create My Sites (shown as Create Personal Site in Figure 2-6) as well as configure settings for following people, editing their profile, and using tags and notes.

Figure 2-6 The dialog box that displays when you click Manage User Permissions

By default, the Everyone Except External Users group is applied, which allows every user to perform all these actions, but you can restrict permissions by individual account or by group. The groups can be created within SharePoint Online, Azure Active Directory, or Windows Active Directory (if you’re in a hybrid environment) and consumed from a number of sources. These sources appear when you click the Address Book button to select which users and groups you want to manage for this purpose. (See Figure 2-7.) Of course, these sources need to be properly configured and populated before they will be of any value to you. Just because a source (such as Forms Auth) appears here doesn’t mean you can click on that source and find groups configured within it.

Figure 2-7 The Select People And Groups dialog box

Once you select a group, you can assign permissions to it such that membership in that group opens up the features and functionalities stated earlier. A common example of how this is used is for My Site creation and administration. I know of Microsoft customers who created a “Ready For My Site” (or some other name that was meaningful to them) security group in Windows Active Directory and assigned the available permissions to that group (refer back to Figure 2-6). As users attended training specific to My Sites and social technologies in SharePoint Online, their accounts were added into the Ready For My Site security group and thus were given permission to create a new personal site and engage in social activities.

Manage policies

Policies are used to govern the visibility of information in user-profile properties to others in the organization. These policies really represent privacy options that you, as the system administrator, configure on a global basis per profile property. This granularity might require additional administrative effort on your part, but it also enables each profile property to be aligned with your organization’s existing privacy and sharing policies.

The policies can be required, optional, or disabled. Required means the property must contain information and the information is shared based on default access. Optional means the property is created but its values are supplied by each user if they are not supplied automatically. When the values are supplied by the user, each user decides whether to provide values for the property or leave the property empty. Disabled means the property or feature is visible only to the User Profile Service administrator. It does not appear in personalized sites or web parts, and it cannot be shared.

The User Override option enables users to change the visibility settings for those properties when this check box is selected. Regardless of whether or not the User Override option is selected, when you create a new profile property, the user can always override the setting. Essentially, this means you cannot create a new profile property, set a value, and force users to live with that value.

The two basic Privacy choices are Only Me and Everyone. It’s either wide open or locked down to the individual user who the profile is describing. You select the User Can Override check box if you want to allow users to make their own selection on a given profile property. The most common way to use this check box is to set the property to Only Me and then allow users to choose if they want to open up that property to everyone else in the organization.

If you select the Replicable check box, you’re allowing user-profile data to be replicated to the various sites to display in the user information list. This is a good selection if surfacing social data is your goal. However, once the data is replicated, it cannot be removed by simply clearing this check box. The data will persist. So be sure you want this data replicated before selecting the Replicable check box.

For confidential or sensitive profile descriptors, it’s best to leave it at the setting you select and then clear the User Can Override check box.