SkyNorth

Migrating to Microsoft 365 Government Cloud (GCC)

Thu, 07 May 2020 19:07:19 Z

Microsoft’s Government Cloud Computing (GCC) is used by federal, state, and local governments as well as counterparties that consume or produce government data subject to regulatory requirements. Successful migrations require partners that understand and have experience working within GCC, and the intricacies of its licensing.

What is the Microsoft Government Community Cloud?

Government technology, compliance, and security requirements are typically more stringent than that of private-sector business. For this reason, Microsoft created a separate environment with unique versions of its software and services that address the specific needs of the public sector.

Microsoft GCC takes the guesswork out of configuration, security, and controls to help you meet NIST, DFARS, and FEDRamp compliance, allowing government IT departments to concentrate on their business objectives.

GCC and GCC High are only available to U.S.-based government customers. Other government plans are available to those located outside of the United States.

The options: GCC, GCC High and Department of Defence (DOD).

All versions of GCC offer a standard set of features and functionality that complies with federal, criminal justice, and federal tax information systems requirements.

GCC High is typically 40% more expensive than typical Microsoft GCC license costs as it complies with a more stringent additional set of requirements:

Defense Federal Acquisition Regulations
Department of Defense Security Requirements Guidelines
International Traffic in Arms Regulations
The Cybersecurity Maturity Model Compliance framework (CMMC)

As one would expect, standard GCC typically sees new features sooner than GCC High and DOD, and in some cases includes features like Yammer that might never make it into GCC High and DOD.

Which does my organization need?

The good news is that majority of our public sector clients do not require GCC High. Even fewer require DOD. That said, its best to review with a partner experienced in determining which plan fits your needs and requirements.

That said, Not every organization connected to or part of the government needs GCC or GCC High and DOD. To determine whether it is necessary requires an understanding of the features that are above and beyond non-GCC Office 365 functionality.

For GCC and GCC High and DOD, these include:

Logical segregation of commercial customer content from GCC content.
The organization’s data is stored in the united states.
Only security screened Microsoft personnel is allowed to access the organization’s data.
Certification and accreditation compliance with U.S. Public sector customers.

We need GCC or GCC High or DOD, now what?

If you haven’t done so all ready, you will need to apply for validation as a type 3 entity with Microsoft by providing basic information, such as which category or government entity you are, your website, and address. Microsoft will confirm your organization’s eligibility through this process.

Getting Ready to Deploy - What Features are and are not available?

Whether you are moving over from a completely different service or just a different edition of Microsoft 365, these differences could impact day-to-day processes and systems. Understanding feature availability is one of the best ways to prepare and adjust.

Some excellent information detailing Office 365 services and availability for each offering can be found by following this link

Governance from the start is a must

Any organization moving to GCC must have a plan for governance. The first step in this process is identifying and documenting all of the governance requirements. Once done, you can then map these to the features and settings to ensure compliance.

Enlist a Partner to Guide You

SkyNorth is one of a few Microsoft partners in the Midwest with experience implementing GCC securely in both large and small organizations.

Our experience results in a much faster, smoother, and more cost-effective deployment than our competitors. You don’t need to take our word for it. We’ll happily provide a reference from one of your peers.

If you’re interested in discussing further click here to email us to set up a free consultation

Sharepoint Online Performance Monitoring with Application Insights

Tue, 29 Jan 2019 20:17:08 Z

My site is slow! ... we've all heard it, but then after digging into the issue the site doesn't seem to have any issues.

This is where a tool like Application Insights comes in handy. Application Insights is an Application Performance Monitoring (APM) tool that is targeted at developers and IT pros. You can instrument server side and client side applications, and send performance and usage data back to Microsoft Azure. It is then available for ad-hoc queries, reports, automated alerts, and other ancillary monitoring features. Also, it's pretty cheap for basic use cases! You can check out the pricing here and for additional reading, check out Microsoft's documentation here.

Alright, let's get to the point. I'm going to show you how to do two neat things with Application Insights.
- First, how to collect telemetry on your SharePoint performance using the http response headers for x-sharepointhealthscore and spiislatency
- Second, how to collect custom metrics using Application Insights

Step 1, wiring up Application Insights

In the Azure portal, create an Application Insights instance. Then, at the bottom of your page, insert a <script/> block like this:

<script>
    var appInsights=window.appInsights||function(a){
        function b(a){c[a]=function(){var b=arguments;c.queue.push(function(){c[a].apply(c,b)})}}var c={config:a},d=document,e=window;setTimeout(function(){var b=d.createElement("script");b.src=a.url||"https://az416426.vo.msecnd.net/scripts/a/ai.0.js",d.getElementsByTagName("script")[0].parentNode.appendChild(b)});try{c.cookie=d.cookie}catch(a){}c.queue=[];for(var f=["Event","Exception","Metric","PageView","Trace","Dependency"];f.length;)b("track"+f.pop());if(b("setAuthenticatedUserContext"),b("clearAuthenticatedUserContext"),b("startTrackEvent"),b("stopTrackEvent"),b("startTrackPage"),b("stopTrackPage"),b("flush"),!a.disableExceptionTracking){f="onerror",b("_"+f);var g=e[f];e[f]=function(a,b,d,e,h){var i=g&&g(a,b,d,e,h);return!0!==i&&c["_"+f](a,b,d,e,h),i}}return c
        }({
            instrumentationKey:"<guid-found-in-azure-portal>"
        });
    window.appInsights=appInsights;

    // More configuration will be added right here in next steps

</script>

Step 2, collecting SharePoint performance data

We'll be tracking the x-sharepointhealthscore and spiislatency response headers. A couple things to note here:
- First, this isn't perfect but it can give you some insight into your SharePoint tenant's performance. In order to get access to the Http response headers, we need to create a new Http request in JavaScript, and then pull the response headers from the call. Since we just need the response headers, we'll use a HEAD method to requests only for the headers. The problem with this is it's essentially a new SharePoint health score than the original page load.
- Second, since you are making a second request to the page, the SharePoint environment will receive more load than before. It should be minimal since we're just doing a HEAD request, but it could have unintended consequences.

Insert this code at the bottom of your <script/> block

var req = new XMLHttpRequest();
req.open('HEAD', document.location, false);
req.send(null); 

appInsights.trackPageView(
    _spPageContextInfo.webTitle,
    (window.location.protocol + "//" + window.location.hostname + _spPageContextInfo.serverRequestPath).toLowerCase(), // the full uri to the page
    {
        siteAbsoluteUrl: _spPageContextInfo.siteAbsoluteUrl.toLowerCase(),
        webAbsoluteUrl: _spPageContextInfo.webAbsoluteUrl.toLowerCase(),
        sharepointHealthScore: req.getResponseHeader('x-sharepointhealthscore'),
        sharepointCorrelationId: req.getResponseHeader('sprequestguid'),
        spiislatency: req.getResponseHeader('spiislatency'),
        statusCode: req.getResponseHeader('status')
    }
);

Step 3, collecting custom pageView data

Do you have an important metric you'd like to track when users traverse through your site? You can use this markup instead of Step 2 to get started collecting custom data.

appInsights.trackPageView(
    "my title",
    "https://mysite.skynorthsoftware.com/sites/coolsite",
    {
        customData = window.location.hostname,
        userName = localStorage.getItem("userName")
    }
);

Putting it all together

This is what the final result should look like. Once you save and deploy your changes to the site, you should see data trickling into the App Insights portal within a few minutes!

<script>
    var appInsights=window.appInsights||function(a){
        function b(a){c[a]=function(){var b=arguments;c.queue.push(function(){c[a].apply(c,b)})}}var c={config:a},d=document,e=window;setTimeout(function(){var b=d.createElement("script");b.src=a.url||"https://az416426.vo.msecnd.net/scripts/a/ai.0.js",d.getElementsByTagName("script")[0].parentNode.appendChild(b)});try{c.cookie=d.cookie}catch(a){}c.queue=[];for(var f=["Event","Exception","Metric","PageView","Trace","Dependency"];f.length;)b("track"+f.pop());if(b("setAuthenticatedUserContext"),b("clearAuthenticatedUserContext"),b("startTrackEvent"),b("stopTrackEvent"),b("startTrackPage"),b("stopTrackPage"),b("flush"),!a.disableExceptionTracking){f="onerror",b("_"+f);var g=e[f];e[f]=function(a,b,d,e,h){var i=g&&g(a,b,d,e,h);return!0!==i&&c["_"+f](a,b,d,e,h),i}}return c
         }({
                instrumentationKey:"<guid-found-in-azure-portal>"
        });

    window.appInsights=appInsights;

    var req = new XMLHttpRequest();
    req.open('HEAD', document.location, false);
    req.send(null); 

    appInsights.trackPageView(
        _spPageContextInfo.webTitle,
        (window.location.protocol + "//" + window.location.hostname + _spPageContextInfo.serverRequestPath).toLowerCase(), // the full uri to the page
        {
            siteAbsoluteUrl: _spPageContextInfo.siteAbsoluteUrl.toLowerCase(),
            webAbsoluteUrl: _spPageContextInfo.webAbsoluteUrl.toLowerCase(),
            sharepointHealthScore: req.getResponseHeader('x-sharepointhealthscore'),
            sharepointCorrelationId: req.getResponseHeader('sprequestguid'),
            spiislatency: req.getResponseHeader('spiislatency'),
            statusCode: req.getResponseHeader('status'),
            customData = window.location.hostname,
            userName = localStorage.getItem("userName")
        }
    );
</script>

Improving your Microsoft Cloud Security for FREE!

Thu, 24 Jan 2019 17:55:08 Z

So your organization has made the jump, at least on some level, to the Microsoft cloud. That’s a great forward thinking strategy.

I’m sure somewhere along this journey you were questioned about security. You assured them that it would be covered and the organization would be safe. Now that you're there, how are you living up to that promise? Wouldn’t it be great if there was a place you could look that would tell you?

Say hello to Microsoft’s free tool, Secure Score

Secure Score looks at your settings and activities for the Office 365 (and recently added Modern Workplace) services your organization is using (SharePoint, Exchange, One Drive, etc.), and compares them to a baseline established by Microsoft to give you a score on how well you are doing security wise. Examples of things you are scored on are multi-factor authentication status, policy progress, mailbox auditing, etc. You can then use this information to take action to improve your score based upon recommendations presented by the tool.

Did I mention it’s all FREE! That’s pretty cool.

Show value and justify actions

IT typically understands the big picture of what needs to be done, but often has a hard time quantifying the need. Because of this securing resources is a challenge especially when an initiative around security looks like a giant black hole to those on the outside. How do you combat this?

Metrics. Leadership loves metrics, as they should. They give you an accurate representation of a position.

Secure Score to the rescue by allowing you to identify and communicate your efforts in addition to the benefit received. Even better you can see how your security has changed historically, so once you complete a control you can see the before and after.

But wait there's more, Secure Score also holds the documentation around these areas and controls in place!

I’m in. (It’s FREE after all) How can I see my organizations Secure Score?

You can view your organizations Secure Score by logging in at https://securescore.office.com with an ID tied to your organization. Note: You must have Global Admin or a custom Admin role with permissions on an Office 365 Enterprise, M365 Business, or Office 365 Business Premium subscription In order to view the results. While non admins won't be able to access Secure Score directly, admins can share the results with others in their organization.

Caveat. You may see actions that are labeled “Not Scored”. Unfortunately these are not scored in the tool yet, but completing them will still benefit the security of your environment.

So will utilizing Secure Score mean my organization is safe?

There is no way of predicting if your organization will be subject to a breach. There are just too many variables. Secure Score simply gives you a view in to the measures taken to minimize that risk, and that is huge. Considering the price there is no reason you aren’t utilizing the tool.

I don’t understand everything being reported by Secure Score.

Unfortunately the bad guys do. The good news is that you now know what you don’t know.

If your organization doesn’t have the expertise to interpret and implement these controls there are third parties like us at SkyNorth Software that can help. Pick your favorite or feel free to drop us a line and if you have questions.

Create Azure Bot Registrations with Azure CLI

Wed, 02 Jan 2019 20:31:22 Z

There's a lot to decipher when looking at automating the creation of Bot Channel Registrations within Azure. At the time of this writing, the Azure CLI has the most complete set of automation options and the fastest time to value. This sample deploys a Bot Channel, and then configures it to be used with Microsoft Teams, but can also be used for configuring Facebook, web chat, and other channels.

Here it is, enjoy!

https://github.com/SkyNorth/Automation/blob/master/Azure/Bots/New-AzureBotRegistration.ps1

Silver DevOps Competency

Wed, 07 Nov 2018 19:03:43 Z

We are very excited to announce that we have achieved the Silver competency in DevOps!

DevOps starts with culture - something we are very passionate about at SkyNorth. We believe it is critical to learn from your failures - to experiment and fail fast. To reduce handoffs and increase autonomy. Let's move away from "if it's not broke, don't fix it" , and adopt a "constant beta/continuous improvement" mindset. Technology evolves so fast, we need to change our way of thinking to keep up and do more with less.

The Admins guide to securing your Office 365 data

Wed, 17 Oct 2018 02:05:06 Z

During my time at Microsoft and SkyNorth, one of the hottest cloud migration topics we have with clients, is around access and data security.

While most companies believe their on-premises data is secure, we’ve found it is usually at higher risk then data stored in a correctly configured Office 365 tenant. If you can properly answer the four primary concerns of the public cloud, O365 solutions will increase your security and flexibility.

How do we limit and control access?
How to ensure it’s the correct person?
How do we secure our data?
How do we secure our devices?

Out of the box, O365 cloud identities are accessible everywhere via internet, and secured with only username and password. This appears sketchy at best, until you start looking at all the built-in features that O365 & Azure Active Directory offer. When developing your O365 access policies you need to put together a plan that focuses on the 3 core areas.

The Who and Where
The What
The How

Please keep in mind, some of these technologies cross boundaries and can be used in conjunction with other features to maximize your cloud security strategy. If you haven't seen the Microsoft Identity and Device Access article. it is a must read (after you finish reading my blog post).

The Who and Where

Do you know who is accessing your cloud services, and where they are logging in from?

Option 1 - ADFS Server
- Pros
  - Many people already have this infrastructure in place from past SSO requirements
  - Uses Microsoft technologies
- Cons
  - Requires a lot of extra infrastructure and setup (ADFS, Proxy, x2 for HA)
  - Limited Options
  - This has became the 'outdated' way of providing a secured Single Sign-On solution
- Extras
  - Limiting Access to Office 365 Services Based on the Location of the Client
Option 2 - Conditional Access
- Pros
  - Extremely configurable and stackable rules
  - Tied to your cloud login
  - Available to all Azure Applications and internal apps that are published via Azure Application Proxy
- Cons
  - Requires Azure AD Premium Plan 1
- Extras
  - Limit logins based on the following policies
  - Allows you to limited login based on the following
    - Select Users
    - Trusted IP Range
    - Trusted Applications
    - Browser or Client Application
    - Device Platforms
    - Device Compliance (Requires Intune)
    - Login Risk (Requires Azure Active Directory Premium Plan 2)
    - Allows SharePointusers to only have READ access via Browser session, and others WRITE/EDIT via controlled Application

How do we ensure it’s the correct person?

Option 1 - Multi-Factor Authentication (MFA)
- Pros
  - Helps ensure the person is who they say they are
  - Easy to use and configure
  - Available for on-prem applications, rdp, and VPN via MFA Server
- Cons
  - Limited to call/text or mobile application
- Extras
  - A second form of user identification such as a phone call, email, or mobile app

Option 2 - ADFS Server 2016 – MFA First
- Pros
  - Skews attempts to brute-force login attempts
  - Validates the users device before the username/password
- Cons
  - Requires a lot of extra infrastructure and setup (ADFS, Proxy, x2 for HA)
- Extras
  - ADFS 2016 allows you to prompt for device MFA first, ensuring no password is passed to the session until the first factor has been passed
Option 3 - Password-free Login
- Pros
  - Very secure
  - Easy to use
  - No passwords to remember
  - Corporate Credentials are not passed through the session
  - Only devices with an approved certificate/key will be allowed access
- Cons
  - Certificate Based requires infrastructure and setup (ADFS, Proxy, x2 for HA)
  - Authenticator/Hardware Key have limited support at this time
- Extras
  - ADFS: Certificate Authentication with Azure AD & Office 365
- - Windows Hello for Business
  - Why a PIN is better than a password
  - Can Use Biometrics as a form of PC Authentication
    - Fingerprint
    - Facial recognition
  - Microsoft Authenticator App
    - Password-less phone sign-in with the Microsoft Authenticator app (public preview)

The What?

What data are people accessing and how do we secure it?

Option 1 - SharePoint Site Permissions
- Pros
  - Highly customizable at different SharePoint levels (Site/Web/Library/Item)
  - Have remained the same with all versions of SharePoint
- Cons
  - Can get complicated with breaking inheritance
  - Auditing/Ensuring users are correctly setting permissions
- Extras
  - Understanding permission levels in SharePoint
Option 2 - External Sharing Settings
- Pros
  - Allow or prevent external users from accessing your SPO data
- Cons
  - A misconfigured policy could mean bad news for your company
  - It's not meant for every type of business or scenario
- Extras
  - Manage external sharing for your SharePoint Online environment.
Option 3 - Tenant Restrictions
- Pros
  - Increased security
- Cons
  - Makes external collaboration difficult
- Extras
  - Use Tenant Restrictions to manage access to SaaS cloud applications
    - Prevent your users from accessing other data
    - This is handled via proxy server and HTTP Headers that identify and prevent external access
Option 4 - Azure Rights Management / Azure Information Protection
- Pros
  - Increased data security
  - Available to many data formats
  - Set up on the SPO library or global rules via Azure
  - Labeling Support for O365 Data Classification
- Cons
  - Multiple setup/config areas that do not span a broad spectrum of services
  - Typically requires an internet connection to pass ACL validation
- Extras
  - Protect SharePoint libraries to prevent read/write/edit/print/etc.
    - Enabled on the document library or list level.
  - Protect files with Azure Information Protection
    - Gives you the option to classify, encrypt, and secure your data at a local level
      - For use with O365 documents, as well as on-prem file storage
      - Uses Azure RMS to encrypt and secure access
Option 5 - Data Loss Prevention
- Pros
  - Easy to configure rules
  - Used for SharePoint/OneDrive/Exchange
- Cons
  - Other similar methods make it confusing to determine the best use
    - AIP / Transport Rules / Classification & Labels
- Extras
  - Overview of data loss prevention policies
    - Searches through your existing data to find matches that may need protection
- - - Create a DLP query to identify what sensitive information now exists in your site collections.
    - Create a DLP policy to monitor and automatically protect sensitive information in your site collections.

The How?

How are people accessing cloud services, and how do we secure it?

Option 1 - Azure AD Device Registration / Workplace Join
- Pros
  - Identifies what users and devices are using cloud services
  - Configure MFA for first-time registration
  - Allows easy SSO access to all of your apps
- Cons
  - There isn't much security you can place around the device without extras
  - MFA Conditional Access rules are met with registered devices so you will not receive a call/text
- Extras
  - Azure AD Device Registration
Option 2 - Azure AD Joined Device
- Pros
  - Same as Option 1
  - Azure AD Bitlocker Recovery
  - PIN Sign-In
  - Enterprise State Roaming Features
  - Automatic MDM Enrollment (With AAD Premium P1)
- Cons
  - On-premises domain access would typically require VPN client
  - There isn't much security you can place around the device without extras
Option 3 - O365 Mobile Device Management (MDM)
- Pros
  - Comes with O365 E3
- Cons
  - Limited control
- Extras
  - Provides Selective Wipe and removal of certain data
  - Set up O365 MDM
Option 4 - Microsoft Intune
- Pros
  - Highly configurable
  - Tied with your cloud identity and your device
  - Can manage Windows/iOS/Android Devices (limited MAC OSx Support)
- Cons
  - Requires Intune or EM+S subscription
- Extras
  - What is Intune?
  - Contains Mobile Application Management policies (MAM)
    - Prevent Cut/Copy/Paste
    - Prevent SaveAs
    - Require a PIN for specific Mobile Apps
    - *With or without device enrollment*
  - Selective or Full Wipes of the device
  - Manages device compliance settings
    - Encryption/Password Rules/Etc.
  - Manages device configuration settings
    - Blocks to cameras, screen shots, USB ports, and tons more
  - Conditional Access via Compliance Policy and Device Registration
    - Allow only ‘domain joined’ devices to access cloud data

I hope I've made an extremely complex topic a little easier for everyone to understand. Like I mentioned above, there isn't a single solution that you should decide on for all business & security scenarios. You may need to mix-and-match and you may also need to use features I didn't even mention here. If you find yourself in a confusing situation and need help finding the best approach please feel free to reach out to SkyNorth!

Need Help?

Be sure to contact SkyNorth Software today for an O365 Data Security Assessment or any of your data security needs!

What is our Data Security Assessment?

It’s a comprehensive technology and process review for how you handle data security within your organization.

How much does it cost?

It’s FREE! Out introductory package is completely free and includes a 1-hour finding call with self-help documentation. If you’d like to have a more comprehensive review or added support, you can look at our PREMIUM or PREMIUM – WITH SUPPORT options on our website.

Copy Azure Blobs with Data Factory Event Trigger

Fri, 05 Oct 2018 16:11:11 Z

NOTE: This article applies to version 2 of Data Factory. The integration described in this article depends on Azure Event Grid. Make sure that your subscription is registered with the Event Grid resource provider. For more info, see Resource providers and types.

Overview

This article builds on the concepts described in Copy Activity in Azure Data Factory. We will be using an event trigger to copy blobs between Azure Storage accounts.

There are scenarios where you need to copy blobs between storage accounts. It could be for another layer of redundancy, or simple to move to a lower tiered storage account for cost optimization. In this article, we will show you how to copy blobs immediately after they are created using Data Factory event triggers.

Prerequisites

1.) Azure Data Factory version
2.) Azure storage accounts for source and destination. Each storage has a container called backups
3.) Event Grid enabled as a resource provider on your Azure subscription

This is what our resource group looks like:
NOTE: The storage accounts are in the same location to prevent egress charges

Create Linked Storage Accounts

NOTE: Datasets and linked services are described in depth at Datasets and linked services in Azure Data Factory.

In this demo we will use two storage accounts named dfcopyeventsource and dfcopyeventdestination.

Create linked services for both storage accounts in Data Factory under the connections tab. For simplicity we will just use the storage account account key for authentication. We will just add a _ls suffix to these so we they are linked services later.

Select "Use account key" for authentication method

Both storage accounts are now linked.

Create Datasets

Now we will create a Dataset for each storage account with _ds as a suffix. For simplicity, use binary copy. Be sure to add the path backups.

Publish the Datasets

Create Pipeline

Now we will create a Pipeline and add the Copy Data activity. Our pipeline is called copy_blob_pipeline.

Drag the Copy Data activity onto the canvas.
1.) Name it Copy Data Activity
2.) Select source Dataset
3.) Select destination Dataset (sink)

Testing Pipeline

Publish all resources and your Pipeline should be ready to test. We will add event triggers after confirming the copy data activity works as expected.

Take the following steps to test the Pipeline

1.) Upload test data to source storage account
2.) In Data Factory, click the Debug button
3.) Verify the pipeline finishes without error and the data was moved to the destination

Adding Event Trigger

We will be adding a Blob Created event trigger to the copy_blob_pipeline. It will watch the source storage account under the backups container for new blobs, and then copy only the new blobs to the destination storage account. To accomplish this, we need to parameterize our Pipeline and source Dataset. The event trigger will inject information about the blob into our parameters at runtime.

Parameterize Pipeline

Edit the copy_blob_pipeline and add two parameters:
1.) sourceFolder
2.) sourceFile

Add Event Trigger with Parameters

We'll create the event trigger and configure it to inject the new blob sourceFolder and sourceFile into the pipeline parameters we just created.

Parameterize Source Dataset

The final step is to parameterize the source Dataset dfcopyeventsource_ds. On the Connection tab, add @pipeline().parameters.sourceFolder and @pipeline().parameters.sourceFile to their respective input boxes.

Testing Trigger

Publish All and the Event Trigger will be live and watching the source storage account. Upload a file to the source and then view the monitoring tab to validate the pipeline executed without issues. If all is configured correctly, the blob will be copied to the destination storage account.

Intermittent Workflow failures – ‘The workflow failed to start due to an internal error’

Tue, 03 Oct 2017 14:15:16 Z

I just got through working a pretty nasty workflow issue that had nothing to go on with verbose ULS logging. Our issue was that even the most basic workflow’s were failing on a brand new custom list, with the first item created. After the first item was created the workflow would work fine for X amount of time. This issue was ugly, and intermittent, and it probably would have helped if I read this first - http://support.microsoft.com/kb/2001370

We found a way to reproduce the error with the following:

1.) Create a new list

2.) Create a new workflow with SharePoint Designer

a.) Step 1: Email user X

3.) Create a new list item

4.) Start the workflow

5.) Watch the failure

Note: Every other attempt after this work would fine (restarting the workflow)

Like I said – the ULS logs were clean, tracking the correlation ID we came up with nothing. Right when we took a break to review the final 3 sets of logs, my friend Wes had attempted a fix he used in the past with another workflow problem.

Disabling the OffWfCommon feature.

disable-spfeature -identity "OFFWfCommon" –url http://yoursitehere/sites/site

enable-spfeature –identify “OffWfCommon” –url http://yoursitehere/sites/site

After doing this the workflow consistently worked - but had me questions as to why, so I did some checking and I have found this to be a fix for other similar workflow issues such as a modified “Workflow Task” content type version that contains this error:

The requested workflow task content type was not found on the SPWeb

If you have a modified "Workflow Task" version greater then 0 and are seeing this same issue, the steps above may be relevant. I would always recommend testing this in a test environment fully before doing it. Here is some sample PowerShell code to help find versions that are not 0. Again, to be used in a test environment.

$site = get-spsite http://yoursitehere/sites/site
$site = $site.RootWeb
foreach ($sites in $site)
{
   foreach ($ctype in $site.ContentTypes)
{
       if ($ctype.name -eq "workflow Task" -and $ctype.version -gt "0")
           {

$ctype.Scope,$ctype.name,$ctype.version }
}

}

Please only use these steps if you are experience the exact scenarios listed above, and I hope this helps you!

ULSViewer Filters – Performance Filters

Tue, 03 Oct 2017 13:13:54 Z

By now everyone should know about ULSViewer that is available for download from MSDN, and you also should be familiar with the data filter that comes built into the tool. If you are not familiar with the ULSViewer you may be using some other log reader that is out there, but I would highly recommend getting use to ULSViewer as it is a powerful, user friendly, tool. This blog is about making your life easier to troubleshoot SharePoint issues using the ULS logs and ULSViewer filter.

One of the best things I have found with the ULSViewer is the ability to create, save, and reuse a filter. When you do this, you can bring it to any other ULSViewer and import the filter. Why is this handy? This is handy because you may have a common web application, or site that you are trying to troubleshoot and you know exactly what you are looking for but don't like entering in all of the filter fields over and over again.

The following filter is one that I have used many times in performance related issues. It has a the common stack of performance EventIDs and has saved me many times during troubleshooting performance problem.

Tag Description (EventID)

nask             SPRequestMemory leak
c8hq            ECM Object Cache Full Flush - too many changes
8gsc             WSS Template Cache Trim - memory usage exceeds target
avjr              WSS Template Cache Trim - low memory condition
fa43             slow query with duration
fa44             call stack for slow query
tzkv             query text (useful for slow queries and sql exceptions)
tzku             connection string (useful for slow queries and sql exceptions)
8pbe            Watson bucketing parameters
fa45             exception encountered during a sql query
btq8             exception encountered during a sql query
d0d6            exception encountered during a sql query
880i             exception encountered during a sql query

So how to do this?

1.) Open ULSViewer and load a ULS log - this gives you the ability to create a filter

Notice: The EventID are IDs inserted in the ULS directly from the SharePoint source. In most scenarios this will be a pretty unique ID, however some generic catch-all's will be used and may not be as helpful, but great to Bing!

2.) Open the Filter Tool with the icon directly below the Edit Menu (shown above)

3.) Start creating your filter!

Note: This will be the hardest part. Everything will be OK in the end, so start clicking and typing!

Notice: One thing to note here is the 'Save As', 'Save', and 'Load' button. This is obviously where you would save, or import your filter for reuse. Start using this TODAY!

Notice: Another very cool feature is the ability to Group your AND/OR logic so your filter works as expected. If you have a grouping set the bar will show on the left side of the filter.

4.) That's It! You now have created a very useful filter that will help you troubleshoot a lot of performance related problems.

On a final note, I really love when our customers are proactive in troubleshooting new features or applications in SharePoint. You could create a AND filter like I have done above to watch for specific sites and see how they are performing when using your new tool, and if they trigger any of the performance EventIDs above when you test them.

If anyone has a useful filter combination please post it in the comments below and explain how it helped you troubleshoot SharePoint!

The first 30 days

Sun, 01 Oct 2017 02:03:53 Z

Well, we've done it. We made the leap and turned this dream into a reality. These next 30 days are going to fly by! We'll spend some time networking in Minneapolis and Fargo, and fine tuning our business model. We will also be presenting on data security at SharePoint Saturday Twin Cities on October 28th. While this is something we've done in the past when working at Microsoft, it will be the first time as SkyNorth! We'd love to see you there. #SPSTC

It's no secret that cloud computing has been disrupting the industry the past few years. We are thrilled to be a part of this digital transformation and to help companies accelerate their journey to the modern workplace and the cloud.

It has been hard for all of us to keep SkyNorth a secret the past several months. Our friends and family have been overwhelmingly supportive as we worked extra hours getting the business set up. Thank you for your support!