Managing User Profiles in Microsoft SharePoint Online for Office 365
My Site settings
My Sites are personal portals that allow users to collaborate with others and offer ideas to the enterprise. I’ve been surprised at how many organizations have steered clear of My Sites. I suspect that, over time, the collaboration and social features will become so baked into core processes that My Sites are used routinely.
My Sites must first be set up and then you can configure trusted host locations, manage promoted sites, and publish links to Office client applications. Let’s get started by looking at the setup of the My Sites in SharePoint Online.
My Site setup
In SharePoint Online, the setup of My Sites is managed from a single page. The environment is automatically created for you when your Office 365 tenant is created. You cannot change the My Site Host or the Personal Site Location like you can with an on-premises installation.
Preferred Search Center
The setup starts with the option to enter a Preferred Search Center. This is particularly useful if you have created an Enterprise Search Center: queries issued from within a My Site are redirected to that global search center automatically, which is what users want when they are searching for global content from their My Site. If this is not a need, leave the input box (shown in Figure 2-11) blank and let users navigate to the Enterprise Search Center manually (assuming you created one) when they want to make global queries.
Figure 2-11 Working with the Preferred Search Center
Note that you can also select the default search scopes for finding people and documents. This screen in SharePoint Online is outdated in that it uses SharePoint 2010 terminology (scopes) rather than SharePoint 2013 terminology (result sources). Don’t confuse the two: result sources are the updated, more mature replacement for search scopes and can include real-time queries and filters as well as carving out the portion of the index against which the keyword query is run.
Read Permission Level
In the Read Permission Level input box (not illustrated), enter the accounts to which you want to grant the Read permission level on each My Site as it is created. Ensure that these accounts have the Personalization services permission needed to use personal features and create personal sites (see the “Manage user profile permissions” section earlier in this chapter), and that the public My Site page in the My Site host site collection assigns them the Read permission. This configuration is not retroactive: if users have already created My Sites and you change the permissions here afterward, the existing My Sites do not pick up the change.
The default permission group is Everyone Except External Users. The author notes that, by default, all Office 365 users in your tenant have Contribute permissions on all lists and libraries because this group is automatically added to each list and library in each site across the tenant with the Contribute permission level. In practice this means that, unless you change it, any internal user can add to or edit the document library (named Documents) created in every other user’s My Site, which is worth reviewing before My Sites are used for anything sensitive.
Two check boxes in this section deserve attention. The first, Enable Activities In My Site Newsfeeds, specifies whether activities are enabled in the My Site newsfeeds (not illustrated). When it is selected, notifications are generated when certain events occur involving the people and content a user follows. For example, if John follows Suzie and she follows a site that interests her, that Follow event appears in John’s activity feed. The check box is selected by default, and unless you have a specific reason to turn it off, leaving it selected is preferred.
The second check box, Enable SharePoint 2010 Activity Migrations, enables SharePoint 2010 activity migrations. The word migrations is misleading: the setting simply means that if your organization still uses SharePoint 2010 legacy activities, those can appear in the activity feeds as well. Select it only when you are running a hybrid deployment between a SharePoint 2010 on-premises farm and your SharePoint Online deployment.
In the String To Be Used As Sender’s Email Address input box, type the address you want used as the sender of email notifications for newsfeed activities. This address need not be a monitored mailbox. If you select the Enable Newsfeed Email Notifications check box, users can receive email messages for newsfeed activities such as mentions or replies to conversations they have participated in. Assess the usefulness of these notifications before enabling them: if there are too many, they become white noise in the user’s inbox and no longer serve their alerting purpose.
My Site cleanup
Fortunately, in SharePoint Online, My Sites are cleaned up automatically 14 days after a user’s profile is deleted. This means that, by default, the user’s My Site is deleted and is no longer accessible. If the system can determine the user’s manager, it gives the manager full access to the user’s My Site for that period so that the manager can retrieve information needed for the ongoing work of the organization before the My Site is deleted.
You can also enter an account in the Secondary Owner picker box to specify a person who will have owner access to every My Site after its owner’s profile has been deleted. I highly recommend entering an account here so that the organization retains a controlled way into each My Site once the profile is gone, whether or not a manager can be identified.
From a risk and governance perspective, treat this as a break-glass account: designate a dedicated account for the purpose, hand its credentials only to people with a need to know, and record who received them. Because the tenant administrator can reset the password, the credentials can be used for a specific retrieval and then effectively locked again by changing the password afterward, so that critical information is not lost without leaving a standing shared credential in circulation.
In SharePoint Online a user’s My Site is public by default, even though the interface labels the default as private. If you leave the Make My Sites Public check box selected, each user’s My Site is public to the other users in the organization. When you deselect this check box, some elements of the user’s My Site are no longer shared automatically, such as the following:
- User’s list of followers
- Information about who that user is following
- User’s activities
When the check box is selected, user activities automatically become public, such as the following ones:
- New follow notifications
- Tagging of content, rating of content, or both
- Birthdays (if populated)
- Job title changes
- New blog posts
Even when these activities (and others) are made public, users can still override the defaults, provided they are allowed to manage their own privacy settings within their user profile.
The choices you make here are less a governance question than a cultural and collaboration question. The risk of opening this up is that users might unwittingly post information or activities to their newsfeed that they do not want made public. The downside of closing it down is that, in a highly collaborative environment, other technologies will supplant SharePoint Online for certain sharing needs. It seems best to hand users the management of which activities appear in the newsfeed rather than taking a one-size-fits-all approach, unless a single policy is what your organization wants.
Configure trusted-sites locations
The Trusted My Site Host Locations feature prevents a user from creating more than one My Site in an organization that has multiple User Profile service applications. It applies to both on-premises and Office 365 deployments, where it tells each SharePoint environment where a user’s My Site and User Profile are located, based on Active Directory security groups or, less ideally, audiences. To enable a trusted host location, enter the URL of the Office 365 My Sites for a group of users; you can use existing Windows Active Directory security groups for targeting.
The URL entered into a trusted-site location becomes a simple redirect in the client web browser. Therefore, no connectivity is needed between the on-premises SharePoint Server environment and Office 365, as long as the users themselves can reach both locations from their client devices.
Environments with multiple User Profile service applications are more complex. For example, in a server farm deployment that spans geographic regions, you might have a separate User Profile service application for each region, or separate regional server farms. By default, a user can create a different My Site in each User Profile service application or server farm, which produces unwanted results from both an administration and a user perspective. Wherever a user could create multiple My Sites, use Trusted My Site Host Locations to ensure that the user can work in different farms but still has only one My Site.
Many hybrid deployments can place the user’s My Site in the SharePoint Online environment while leaving other services and applications running in the on-premises deployment.
Map an account through different membership providers
Federated user identities in Office 365 are prefixed with the membership provider that provides claims-based access. An on-premises user identity such as firstname.lastname@example.org becomes i:0#.f|membership|firstname.lastname@example.org in Office 365.
The My Site host uses this identity to display the correct My Site or User Profile by passing it in the “accountname” querystring parameter of the User Profile URL. For example, a User Profile URL for an on-premises installation might look as follows:
Because of this formatting difference, the two environments will not automatically resolve the requested user identity. A simple workaround is an ASP.NET page running on the on-premises farm that resolves the identity and then redirects the request to the real on-premises or Office 365 location. In the preceding example, some string manipulation is sufficient to remove the i:0#.f|membership| part of the user identity so that it can be resolved on-premises, or to add it so that it can be resolved by Office 365.
The script can be placed as inline code in a dummy profile.aspx page in a directory on each SharePoint front-end web server. Configure the My Site Trusted Host Locations to point to the directory that contains the script rather than the actual destination, and let the script perform the redirect. Because the page redirects based on user-supplied input, it should only ever redirect to the two profile hosts you configure in it and should reject any accountname value that is not a plain identity.
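The following is an added example of the kind of profile.aspx redirector the preceding paragraphs describe; it is not code from the book. It implements the page’s own approach: an identity arriving with the i:0#.f|membership| prefix came from SharePoint Online and is sent on-premises with the prefix removed, while a bare identity came from the on-premises farm and is sent to Office 365 with the prefix added. The two host URLs, the Person.aspx page name, and the UPN pattern used for validation are assumptions for illustration and must be replaced with your own values.

```aspx
<%@ Page Language="C#" AutoEventWireup="true" %>
<%@ Import Namespace="System" %>
<%@ Import Namespace="System.Text.RegularExpressions" %>
<%@ Import Namespace="System.Web" %>
<script runat="server">
    // Added example, not the book's code. Both profile page URLs are assumptions;
    // replace them with your on-premises My Site host and your Office 365 My Site host.
    private const string OnPremisesProfilePage = "https://mysites.contoso.local/Person.aspx";
    private const string Office365ProfilePage  = "https://contoso-my.sharepoint.com/Person.aspx";

    // Prefix Office 365 adds to federated (membership-provider) identities.
    private const string ClaimsPrefix = "i:0#.f|membership|";

    // Once the prefix is removed, only a plain UPN-shaped identity is accepted.
    // Anything else (a path, a second host, control characters, a stray scheme)
    // is rejected so this page cannot be abused as an open redirector.
    private static readonly Regex UpnPattern =
        new Regex(@"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$", RegexOptions.Compiled);

    // Returns the URL to redirect to, or null when the identity is not acceptable.
    public static string ResolveProfileUrl(string accountName)
    {
        if (string.IsNullOrEmpty(accountName))
        {
            return null;
        }

        bool hasPrefix = accountName.StartsWith(ClaimsPrefix, StringComparison.OrdinalIgnoreCase);
        string upn = hasPrefix ? accountName.Substring(ClaimsPrefix.Length) : accountName;

        if (!UpnPattern.IsMatch(upn))
        {
            return null;
        }

        // Prefixed identity: requested from SharePoint Online, profile lives on-premises.
        // Bare identity: requested from the on-premises farm, profile lives in Office 365.
        string targetPage = hasPrefix ? OnPremisesProfilePage : Office365ProfilePage;
        string resolved   = hasPrefix ? upn : ClaimsPrefix + upn;

        // The destination host is fixed above; only the encoded identity comes from the request.
        return targetPage + "?accountname=" + HttpUtility.UrlEncode(resolved);
    }

    protected void Page_Load(object sender, EventArgs e)
    {
        string url = ResolveProfileUrl(Request.QueryString["accountname"]);
        if (url == null)
        {
            // Do not echo the rejected value back to the browser.
            Response.StatusCode = 400;
            Response.Write("Unrecognized account name.");
            Context.ApplicationInstance.CompleteRequest();
            return;
        }

        // Redirect without aborting the worker thread, then end the response cleanly.
        Response.Redirect(url, false);
        Context.ApplicationInstance.CompleteRequest();
    }
</script>
```

Deploy the page to a directory on each on-premises front-end web server and point the Trusted My Site Host Locations entry at that directory. The two things that keep the page safe are that the destination hosts are constants in the page rather than anything taken from the request, and that the identity is validated against a strict pattern and URL-encoded before it is placed in the redirect URL.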
Suppose a user browsing the on-premises environment requests a user profile that is stored in SharePoint Online. This is the process that will take place:
Now, let’s suppose a user browsing the SharePoint Online environment requests a user profile that is stored on-premises. This is the process that will take place:
Manage promoted sites
You can promote any URL (not just SharePoint sites) to your user’s Sites page so that they see the link when they visit the Sites page. (See Figure 2-12.)
Figure 2-12 The Sites page with Contoso as a promoted site
To customize the Sites page, click the Manage Promoted Sites link under My Site Settings and then click the New Link link (not illustrated). On the next page (shown in Figure 2-13), fill in the URL, Title, and Owner text boxes, and optionally enter a Description, the URL of an image to display with the link on the Sites page, and a target audience. Note that even though the interface does not indicate it, Owner is a required field, so you must enter an owner before the promoted link can be saved.
Figure 2-13 Managing promoted sites input screen (note the lack of an asterisk next to the Owner selection box even though it is a required field)
From a governance perspective, there isn’t much risk here. Use this feature to promote websites and documents of global interest to your users. Think of the Sites page as a one-page portal on which you promote certain pages or opportunities: the summer golf outing or the winter party, the company giving campaign for a local charity or community group, an update to the human-resources policy manual, or a new expense-reimbursement program. The Sites page can add real value to your organization. The only real risk is that users will tune out most of the links if they are not useful or interesting to them, so I suggest using audiences to tailor the page so that users don’t visually filter out links they don’t need.
Publish links to Office client applications
When users open or save documents from their Office client applications, you can make their most commonly used SharePoint Online sites, libraries, and lists appear in the client interface by publishing links from this location. Links published here show up under the My SharePoints tab. Using audiences for these links is strongly encouraged. Ironically, unlike a promoted-site link, these links have no owner attached. You select the type of object you are linking to from the Type drop-down list (not illustrated).
I suspect your need to create these links will diminish as users implement OneDrive for Business more pervasively. (See my discussion below in the “OneDrive for Business” section.)