Microsoft Cloud News Round Up

We Told You So: Microsoft Cloud Leads in Gartner Magic Quadrant, Yet Again 

Gartner Magic Quadrant ranks Microsoft as a “Leader” in the BI and Analytics section for 2017. Gartner highlighted multiple key benefits of using Microsoft’s OneDrive for Business for companies that already use productivity and collaboration tools offered by Microsoft (e.g. Office 365, SharePoint).

Our founder and CEO, Thomas Carpe, remarks “Finally business advisors officially recognize what Liquid Mercury Solutions has known for years – that Microsoft’s cloud services are quickly becoming the standard by which all others will be compared. Where Office 365 once provided an advantage to businesses willing to take a chance on the cloud, soon enough it’ll become ubiquitous in business.” 

Microsoft’s optimism and determination seem to promise a growing trend of advancements in this area. Kamal Hathi, Microsoft Power BI general manager, wrote “We’re humbled by this recognition for the innovation we’ve delivered with Microsoft Power BI in the past year … But more importantly, we’re encouraged by the progress we’ve made as a community in executing against the ambitious goal set when Power BI was made generally available only a short time ago in July 2015: Provide BI to more people than ever before, across all roles and disciplines within organizations.”

Alara Rogers responds, “Microsoft has actually been an industry leader in BI for many years. Excel is the world’s most widely used BI tool by a large margin. Where Microsoft struggles is in communicating to customers about the power and abilities of their platform, especially when we see lots of changes like we have with the shift from traditional tools like PowerPivot and SQL Reporting Services to a cloud platform Power BI. There’s room for improvement, but things are headed in the right direction.” 

Whatever your opinion, it’s safe to expect even bigger and better collaborative innovations in the years to come. 

Read More: 

https://blogs.microsoft.com/firehose/2017/02/16/microsoft-named-a-leader-in-gartner-magic-quadrant-for-business-intelligence-and-analytics-platforms/ 

https://mspoweruser.com/microsoft-named-leader-2017-gartner-magic-quadrant-content-collaboration-platforms/ 

  

Office 365 Takes the Lead Over Traditional Office for the First Time 

This week marks the first time that Office 365 users exceed the number of users for traditional versions of Office, making it the clear favorite both among users and at Microsoft. That trend will only continue as Microsoft plans to officially end support for Office 2007 later this fall. 

But what’s made Office 365 such a success? Let’s look at a few benefits. 

  • For starters, no one needs to suffer with the frustration of losing files that weren’t backed up because someone was too lazy to keep the laptop charged, thanks to OneDrive for Business and SharePoint Online. 
  • All the relevant applications people use for themselves can be synced across devices. That means next time your computer has a spontaneous meltdown, you can just switch to another one, easy as pie. 
  • Files can be shared with anyone, both inside the company and with vendors, partners, and customers. No need to clutter folks’ email with bulky and potentially risky attachments. 
  • Multiple people can edit a Word document or Excel spreadsheet simultaneously and it updates in real time. It’s so much easier than passing it around the office for review and revision. 
  • Thanks to applications like Delve, everything you need can be found in one place, so say goodbye to having 27 windows open at once.
  • Best of all, your information is kept safe using the latest encryption, and you can protect your account with more than just a password by using multi-factor authentication, such as a verification on your phone.

Office 365 has all the perks you wished Office XP had back in 2002. No wonder the trend of moving everything to the cloud is here to stay, because it works beautifully. 

 

Microsoft Welcomes Our Robot Overlords 

There has been buzz of Microsoft creating an AI supercomputer and people in the industry have strong opinions on how this will impact the future. Will it be chaos like The Terminator come to life? Or will we all fall in love like Joaquin Phoenix did with Her? 

OpenAI, a non-profit AI research organization, has teamed up with Microsoft to make AI accessible to the masses. Azure is the crucial component that will take this idea and cultivate it into a reality.

Microsoft already has tools within this platform that will assist in this development (e.g. Azure Batch, Azure N-Series Virtual Machines, and Azure Machine Learning), but they are in the process of creating further technology to aid in AI research.

Some of these advancements have already come to light, including the upcoming Hardware Microservices via Azure. Microsoft aims to have FPGA (field-programmable gate arrays) processing power be accessible to developers sometime next year to have a cloud that is 100% configurable. There are major perks to having this type of access including increased speed and functionality. 

What the heck is an FPGA? Thomas Carpe explains “Simply put, FPGA are hardware, like your graphics card for example. Unlike special purpose hardware, they can be programmed and reconfigured as needed using software, potentially including AI. Thus, they’re super-fast, and can facilitate machine learning.” 

This all sounds wonderful, but some think converting and relying on AI technology is going too far. World renowned icons in the tech and science communities have conflicting ideas on what this means for the future of civilization. 

Elon Musk has spoken out against AI, referring to it as “our greatest existential threat” almost three years ago. He’s taken a precautionary role as a member of OpenAI. 

Stephen Hawking made a point to compare the speed of biological evolution versus advancements in AI to show that AI would eventually outgrow us. 

Mark Zuckerberg seems to favor the idea of a world more heavily dependent on AI. He believes it could create vast improvements in everyday scenarios like healthcare and transportation.

Where do you stand on the subject? Will you embrace AI? How would you like to maximize the cloud with the new capabilities of Hardware Microservices via Azure? Let us know what you think in the comments below.

Learn More: 

http://www.techrepublic.com/article/microsoft-partners-with-openai-to-advance-ai-research-with-azure/ 

http://www.zdnet.com/article/how-microsoft-plans-to-turn-azure-into-an-ai-cloud/ 

http://observer.com/2015/08/stephen-hawking-elon-musk-and-bill-gates-warn-about-artificial-intelligence/ 

http://fortune.com/2017/07/26/mark-zuckerberg-argues-against-elon-musks-view-of-artificial-intelligence-again/ 

https://channel9.msdn.com/Blogs/Azure/Why-OpenAI-chose-Azure+video 

https://fossbytes.com/satya-nadella-microsoft-is-turning-azure-into-the-first-ai-supercomputer/ 

 

Stay Ahead of Emerging Cloud Security Threats  

Recently, a massive cybersecurity attack on Office 365 targeted several Fortune 500 companies. How?! 

Skyhigh Networks explained the attackers consistently tried variations in a skillfully discreet manner to get into the accounts of “…high value targets, including more than 100,000 failed Office 365 logins from 67 IP addresses and 12 networks. The attempts in all targeted 48 different organizations.” 

Evidence shows the attackers might have already known some employee names and passwords through phishing and tried different combinations of usernames and passwords based on that. 
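The pattern described above (many accounts, a handful of source addresses, only a few guesses per account) is what a defender should be looking for in the tenant's sign-in export. The following is an added example, not code from this article or from Skyhigh Networks: a PowerShell function that groups failed sign-ins by source IP, counts how many distinct accounts each IP touched, and flags a "spray" when the breadth is high but the per-account attempt count stays low. The CSV columns and every row below are constructed sample data; the thresholds are assumptions to tune for your own tenant.

```powershell
# Added example, not code from the article or from Skyhigh Networks.
# Detects a distributed, low-and-slow credential-guessing pattern in a sign-in
# export: one source IP touching many accounts with only one or two failures each,
# which stays under per-account lockout thresholds. Columns and rows are constructed.

$sampleSignIns = @'
Date (UTC),Username,IP address,Status
2017-08-01T02:10:00Z,alice@example.com,203.0.113.5,Failure
2017-08-01T02:14:00Z,bob@example.com,203.0.113.5,Failure
2017-08-01T02:19:00Z,carol@example.com,203.0.113.5,Failure
2017-08-01T02:23:00Z,dave@example.com,203.0.113.5,Failure
2017-08-01T02:40:00Z,erin@example.com,198.51.100.9,Failure
2017-08-01T02:44:00Z,frank@example.com,198.51.100.9,Failure
2017-08-01T02:50:00Z,alice@example.com,198.51.100.9,Failure
2017-08-01T02:52:00Z,bob@example.com,198.51.100.9,Failure
2017-08-01T02:55:00Z,bob@example.com,198.51.100.9,Success
2017-08-01T13:00:00Z,alice@example.com,192.0.2.77,Failure
2017-08-01T13:00:30Z,alice@example.com,192.0.2.77,Failure
2017-08-01T13:01:00Z,alice@example.com,192.0.2.77,Success
'@

function Find-PasswordSpray {
    param(
        [Parameter(Mandatory)][string] $Csv,
        [int] $MinAccountsPerIp   = 3,   # assumption: raise for large tenants
        [int] $MaxFailuresPerUser = 2    # "skillfully discreet": few tries per account
    )

    $rows = $Csv | ConvertFrom-Csv | Sort-Object { [datetime]$_.'Date (UTC)' }

    foreach ($group in ($rows | Group-Object 'IP address')) {
        $failures = @($group.Group | Where-Object Status -eq 'Failure')
        if ($failures.Count -eq 0) { continue }

        # @() keeps .Count meaning "number of accounts" even when there is only one group
        $perUser    = @($failures | Group-Object Username)
        $maxPerUser = ($perUser | Measure-Object Count -Maximum).Maximum

        # A success from the same IP after a failure on that account is the most
        # urgent signal: one of the guesses may have landed.
        $possibleHits = foreach ($u in $perUser) {
            $firstFail = [datetime]($u.Group | Select-Object -First 1).'Date (UTC)'
            $hit = $group.Group | Where-Object {
                $_.Username -eq $u.Name -and $_.Status -eq 'Success' -and
                [datetime]$_.'Date (UTC)' -gt $firstFail
            }
            if ($hit) { $u.Name }
        }

        $isSpray = ($perUser.Count -ge $MinAccountsPerIp) -and ($maxPerUser -le $MaxFailuresPerUser)

        [pscustomobject]@{
            IpAddress        = $group.Name
            DistinctAccounts = $perUser.Count
            FailedAttempts   = $failures.Count
            MaxPerAccount    = $maxPerUser
            PossibleHits     = (@($possibleHits) -join ';')
            Verdict          = $(if ($isSpray) { 'SPRAY' } else { 'normal' })
        }
    }
}

# On the constructed data: 203.0.113.5 and 198.51.100.9 are flagged SPRAY (the second
# with bob@example.com as a possible hit); 192.0.2.77 is one user mistyping twice.
Find-PasswordSpray -Csv $sampleSignIns | Format-Table -AutoSize
```

The point of grouping by source address rather than by account is that per-account lockout never fires in this pattern; each mailbox only sees one or two failures. Any IP marked SPRAY with a non-empty PossibleHits column is where password resets and MFA enforcement should start.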

Your business can be vulnerable too! Do you reuse the same easy password for everything? Do you interact with spam emails? Do you have a basic username-password authentication system? If you answered yes to any of these questions, you need to up your security game. 

Don’t worry, you’re not alone. But that’s exactly how and why something like this could happen to your business soon. Embrace the modern world and get educated on how you can protect your data. 

There has been a huge shift of bringing sensitive information to the cloud amongst enterprise corporations as well as SMBs in recent years. Almost 60% of all sensitive corporate data in the cloud is based in Office 365. Additionally, it works on a myriad of devices which makes it even more appealing to users. 

The downside to this is that it’s also the hackers’ bull’s eye. It is often said “[w]ith great power comes great responsibility” …to protect your data. 

Slawomir Ligier, senior vice president of engineering at Skyhigh elaborates on this. “While companies traditionally have invested extensively in perimeter security, those without a dedicated cloud security solution will lack visibility and control for a growing category of attacks. Enterprise cloud providers secure their infrastructure, but the ultimate responsibility to control access to sensitive data lies with the customer.” 

Thomas Carpe goes on to say, “Many existing security experts as well as their tools and standards are seriously behind the times when it comes to including the cloud into their security plans. Where our customers have sensitive data, we must consider not just things like their firewalls or patching Windows, but also whether they’re subscribing to the right mix of cloud services to fully protect themselves.” 

Let that sink in for a moment. 

Protect your business! Now, wanna upgrade your security? Contact Liquid Mercury Solutions today to set yourself up with high quality cloud security and data protection to fit your business needs. 

Read More About It: 

https://www.infosecurity-magazine.com/news/widespread-bruteforce-office-365/ 

 

Microsoft Renaming Kiosk Plans to Frontline Worker Plans 

For years, we’ve struggled to explain to our clients what a Kiosk plan is, often calling it the “deskless worker” plan instead of using Microsoft’s preferred name. Now Microsoft seems to be catching on to the longstanding communication gap. This week, they’ve announced a naming change to the K1 plan, which will henceforth be known as… wait for it… the F1 plan!

What’s the F for? Well, all joking aside (and, yes, we’ve had some good-natured fun at Microsoft’s expense), the F is for Frontline Worker – but it could easily mean Field, Fleet, Factory, First-line, or one of those other words that starts with the same letter. 

Whatever way you spell it or decide that it stands for, the F1 plan is still the cheapest way to get your non-IT, non-administrative employees into Office 365. The price is still the same at $4 a month, and while the plan doesn’t include a copy of Office it does have email, Skype, and access to OneDrive and SharePoint – which is fine since a key requirement to the F1 plan is that the user doesn’t have their own PC. The F1 plan is perfect for users who’ll access Office 365 primarily via their smartphone or tablet, and may use a shared computer (kiosk) on occasion. 

So, if just the name is changing, what do Office 365 subscribers need to know? Not a heck of a lot, just keep it in mind when you get your next billing statement. Nothing’s really changed at all, so you’re not getting “F”ed. ;-) 

Office 365 Security and You - Access Control

YouTuber JackSepticEye plays Papers, Please. What does this have to do with Office 365 security? Read on and find out! This is the second part of a series on cloud security topics. In the first part, I discussed the threat that ransomware poses to people and companies. I started this series to book-end my appearance as part of the SharePoint security panel at this week's Federal IT Security Conference. Since that conversation unfolded, I think we'll do a Part 3 next week to cover the topics discussed at the panel, which were very different than I imagined they would be.

PART 2: 12 Ways to Control When and Where People Access Office 365

Recently, many of our customers who are interested in migrating to Office 365 have been asking us questions about whether it's possible to control when, how, and where their employees can access their data.

While there are some technical approaches that may work, the unfortunate news is that there's no "silver bullet", at least as far as we've been able to find - yet. Many possible solutions feel like kludgy work-arounds, temporary half-measures, partial solutions, or something created only for larger organizations.

I thought I'd take the opportunity to put together a list of possible ways to tackle this challenge. Even though no option is a complete answer, it's possible that some of these may be a good fit for your specific circumstances. I'll do my best to go over the pros and cons of each option.

Is this necessary? Depending on who you are and what you do, maybe not. Overkill? A bit heavy handed? Perhaps. Thus the graphic above, which (for those of you who may not be gamers) parodies an Arstotzkan border guard from the dystopian job simulator game classic "Papers, Please". Understand though that in some cases it may be reasonable, since many industries are subject to regulatory compliance requirements that might not always be perfectly aligned with a cloud based IT strategy.

Fair warning, this is a pretty complex topic. Hopefully everyone has gotten over their election night hangover and is ready to dig in. So, without any more fanfare, let's check out some methods to implement extreme vetting in Office 365.

Access Control - The Basics

When we think about granting access, we're basically describing the five W's (and one H) that need to be addressed in order to make a decision about letting a person have access to information. A perfect access and identity system would answer all the questions below before letting someone into the system - and may even use some of the answers to put a limit on what they can access at any given moment.

Who

  • Is the user logging in actually who they say that they are?
  • How confident are we in that?
  • Have they been educated and informed about security and privacy policies?
  • Can they be expected to act responsibly?

What

  • What is being accessed; is it email, documents, some other data?
  • Is accessed content subject to regulation such as HIPAA, SOX, or GLBA?

Where

  • What network are they connected from?
  • Do we have any geo-location data?

When

  • Is it the normal workday or after-hours?
  • How does "now" jibe with past or expected work patterns?

How

  • Is it a known PC, mobile device, or something new/different?
  • Are they using a browser (one that can run JavaScript or pass a CAPTCHA test), or could this be a bot?

Why

  • What's the business purpose behind needing the information?
  • Is it reasonable to expect responsible behavior?
  • If the behavior is unusual, is it known in advance or has it been vetted?

Okay, so now that we've been over what sorts of things go into granting access, let's get specific. The answers to "who" and "what" are already largely covered by conventional authentication and authorization systems. The topic in question - the one we're hearing about from our customers - specifically addresses the "when", "where", and maybe "how" above.

So, without further ado, here's my list of 12 things that can be done to control access to Office 365 and other resources in the cloud. Some are cheap. Some are definitely not. None are perfect for everyone. That's just life, I guess. If you'd like help finding a solution that will work for you, please talk to us about it, because that's what we do at Liquid Mercury Solutions.

Option 1: Just don't share the password with the user

It sounds stupidly easy, but if you don't want somebody to login from home, don't give them their own password. You can handle this in a couple of different ways. Either set up the Office 365 account on their work PC and save the credentials to it without telling them the password, or go ahead and give them their own account but have another account that is only used for access to important or sensitive information, and then keep that one under lock and key.

Plus side:

  • 100% effective once stored on the local PC.
  • Cheapest option available.
  • Can work even with Cloud Only users. No AD domain controller required.

Down side:

  • Creates a feeling of oppression and lack of ownership.
  • Ties access to a single person; nobody can get access when the people who know the password aren't there.
  • Tendency to use the same password on multiple logins is a bad idea.
  • Tendency to use the same login for multiple people is a worse idea.
  • These factors together mean that this approach may be abused in ways that are worse than the problem it's trying to prevent.

Option 2: Trust but verify

You know, I really think we spend too much time thinking about all the ways that people are going to steal from us. When you consider it, it's amazing how rarely someone actually does.

Today, our reporting tools are much better than our access controls, so it's much easier for us to build a solution that will help create accountability than it is to enforce compliance by making it impossible to violate policy. Instead of spending lots of money on IT, trying to fit a square peg in a round hole by making cloud services act like old-school computers, why not focus that same energy on making sure employees know their responsibilities to protect data?

If employees know that they are not supposed to access HIPAA sensitive documents from home - and that you can tell when they have done so and will fire them for it - chances are very good that nobody will ever cross that line. The hard part is making sure there is a system in place that makes you aware if there is a problem, and that your employees know they're accountable too.

Plus side:

  • Simply modifying employee policy to allow remote access can be cheaper than any technical solution.
  • Having HR policies in place should probably be done anyway to make sure users understand their responsibilities.
  • While not the cheapest option, little or no IT cost is required compared to other options.
  • Provides maximum flexibility in unusual or unplanned situations.

Down side:

  • There are a few options for decent reporting, but not as many as we'd like.
  • Taking the time to audit usage can be just as taxing as blocking it.
  • By itself, this does nothing to prevent an account from being used improperly.

Option 3: Use ADFS

If you absolutely need to make sure that nobody can login to Office 365 from home, there's one absolutely foolproof way to go about it and that's to federate with an ADFS server located in your office. Then, all you need to do is not expose the ADFS server to the internet and your users will never be able to get to anything in Office 365 - period.

This is actually a "broken" version of a typical ADFS configuration, since usually most folks want to be able to allow access from home. We know it works, because when the power or internet goes down at the main office where ADFS is running, people working from home can't login.

Of course, if you absolutely need remote access, or some users need cloud access, you can configure a second DNS domain for them and not enable it for SSO. Without ADFS, this second domain and its users would use the regular login process for Office 365, and thus be able to get in from anywhere.

Unless you are such a small company that you can't afford to maintain a domain controller in your office, this may very well be the best solution for you. I'd be hesitant to recommend it to companies of less than 25 employees unless they have a very compelling reason, like HIPAA for example. It does take an experienced IT person to get it set up and correctly configured.

Plus side:

  • Well established solution; well documented.
  • ADFS comes free with Windows Server.
  • Absolutely effective at preventing outside access; if you don't want users outside your network, simply don't expose ADFS to the internet.
  • Flexible enough to work in a variety of scenarios.

Down side:

  • ADFS has a high technical debt.
  • Requires a Windows AD domain controller; many small companies would rather eliminate on-premises servers.
  • Adds to technical complexity, especially if you also have some cases where access to Office 365 from outside the network is allowed.
  • Doesn't readily distinguish between access to e-mail and documents, so you may need multiple accounts if you want to access some systems remotely but not others.

Option 4: Lock account based on login times using a script

It's possible to enable and disable logins using PowerShell. It's also possible to run PowerShell as a scheduled task in Windows. Both of these can be done from a workstation computer and do not need a server or other fancy hardware. Using PowerShell, you could "open the cloud store" in the morning and close it in the evening. Outside those hours, nobody but you would be able to sign in unless you logged into the web site and overrode the settings.

This is a sort of weird scenario, really. I don't know very many people willing to go to these lengths to keep people out of Office 365 when they aren't at work. Also, then they wouldn't be able to check email either. It might have an application against a special-access account that only gets used during the day, like the one I talk about above in Option 1.

I probably should mention that if you go with Option 3 and use ADFS, it will automatically follow login times configured in Active Directory, making this totally unnecessary. So, unless your company is very small, I'd probably recommend doing that instead.

Plus side:

  • This can be run from any Windows machine, even a workstation.
  • Can work even with Cloud Only users. No AD domain controller required.
  • Easy to automate based on a schedule.

Down side:

  • Prone to problems if the script fails to fully "open or close the store".
  • Not a good fit for people who need around the clock access, but only from certain locations - or other scenarios that are not strictly time based.
  • Will take extra time and effort to manage and support.
  • Doesn't distinguish at all between access to e-mail and documents.
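Here is what Option 4 looks like in practice. This is an added example and not code from the original post: one script that a scheduled task calls with `-Action Open` in the morning and `-Action Close` in the evening, plus a `-Action Register` mode that creates the two weekday tasks on the workstation. It uses the MSOnline module's `Set-MsolUser -BlockCredential`, reads the value back after writing it so a half-applied run shows up as a failed task rather than silently leaving the "store" ajar, which is the failure mode listed under Down side. The account names, file paths, task account and times are placeholders; the saved admin credential is an assumption about how you choose to run it unattended.

```powershell
# Added example, not code from the original post. Implements Option 4: a scheduled
# "open / close the cloud store" script that blocks and unblocks sign-in for a set of
# accounts, then verifies the change so a half-applied run is reported as a failure.
# Assumes the MSOnline module (Install-Module MSOnline) and an admin credential saved
# once with Export-Clixml by the same Windows account that runs the task. All account
# names, paths, task account and times below are placeholders.

param(
    [Parameter(Mandatory)][ValidateSet('Open', 'Close', 'Register')] [string] $Action
)

$Users      = @('records.restricted@example.com', 'hipaa.archive@example.com')  # placeholder UPNs
$CredPath   = "$env:ProgramData\CloudStore\admin.cred.xml"                      # placeholder path
$ScriptPath = $MyInvocation.MyCommand.Path

function Set-CloudStoreState {
    param([Parameter(Mandatory)][bool] $Blocked)

    Import-Module MSOnline -ErrorAction Stop
    # Import-Clixml reads a DPAPI-protected credential; only the Windows user that
    # exported it, on the same machine, can decrypt it. Created once with:
    #   Get-Credential | Export-Clixml -Path $CredPath
    $cred = Import-Clixml -Path $CredPath
    Connect-MsolService -Credential $cred -ErrorAction Stop

    $failed = @()
    foreach ($upn in $Users) {
        # BlockCredential stops new sign-ins; tokens already issued expire on their own.
        Set-MsolUser -UserPrincipalName $upn -BlockCredential $Blocked -ErrorAction Continue
        # Read the value back instead of trusting that the write succeeded.
        $actual = (Get-MsolUser -UserPrincipalName $upn).BlockCredential
        if ($actual -ne $Blocked) { $failed += $upn }
        Write-Output ('{0} {1} BlockCredential={2}' -f (Get-Date -Format s), $upn, $actual)
    }
    if ($failed.Count -gt 0) {
        # A non-zero exit code surfaces in Task Scheduler's "Last Run Result".
        Write-Error ('Store state not applied for: {0}' -f ($failed -join ', '))
        exit 1
    }
}

function Register-CloudStoreTasks {
    # Two weekday tasks on this workstation; adjust the times to your own hours.
    $days  = 'Monday', 'Tuesday', 'Wednesday', 'Thursday', 'Friday'
    $specs = @{
        'CloudStore-Open'  = @{ At = '7:30am'; Arg = 'Open' }
        'CloudStore-Close' = @{ At = '6:30pm'; Arg = 'Close' }
    }
    foreach ($name in $specs.Keys) {
        $action  = New-ScheduledTaskAction -Execute 'powershell.exe' `
            -Argument ('-NoProfile -ExecutionPolicy Bypass -File "{0}" -Action {1}' -f $ScriptPath, $specs[$name].Arg)
        $trigger = New-ScheduledTaskTrigger -Weekly -DaysOfWeek $days -At $specs[$name].At
        # Runs whether or not anyone is logged on. The task account must be the same
        # Windows account that saved the credential file, or Import-Clixml cannot decrypt it.
        Register-ScheduledTask -TaskName $name -Action $action -Trigger $trigger `
            -User 'PLACEHOLDER\svc-cloudstore' -Password (Read-Host "Password for task account ($name)") -Force
    }
}

switch ($Action) {
    'Open'     { Set-CloudStoreState -Blocked $false }
    'Close'    { Set-CloudStoreState -Blocked $true }
    'Register' { Register-CloudStoreTasks }
}
```

Run it once from an elevated prompt with `-Action Register` after saving the credential file, then leave it to the scheduler. Keep the list in `$Users` to the special-access accounts you actually want gated; applying this to everyone's mailbox is exactly the "can't check email either" problem noted above.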

Option 5: Tie Office 365 Multi-Factor Authentication to a device that's only available in the office.

This is a lot like not sharing the password for an account, except that really what you'd be doing is withholding the second layer of authentication. Since the second factor authentication may not come up all the time, this would be more transparent and thus less destructive to employee autonomy than not giving them their own password.

Here's how it works: create an account in Office 365 and configure a password to use while you set it up. Then, configure multi-factor authentication and enroll the user against a device that's only in the office, like a desk phone or their supervisor's cell phone. Once they are enrolled, reset their password to a temporary one and share that with the user so they can pick one of their own. Now, you've effectively prevented them from logging in at home, since it will be an unfamiliar device and network, which would trigger the MFA.

Before you count on this method, you might want to test it for yourself. There are different flavors of MFA in Office 365, and some of them only come with E3 / E5 / EMS plans. The enforcement options, triggers, behavior, and configurability may all be different if you're using the vanilla MFA that comes with a Business Premium plan, for example.

Plus side:

  • Allows people to know their own password.
  • Adapts well to contingencies such as having to arrive early / work late.
  • MFA settings can be configured per user and overridden as needed.

Down side:

  • Requires a cell phone or voice phone to be present in the office; most people have a voice line though.
  • You can't let users self-enroll in this scenario.
  • Takes about 1 to 2 minutes longer to login to the system each time.
  • May require multiple accounts/licenses per user if some information needs to be controlled but other information does not. For example, if you need MFA for access to HIPAA sensitive documents, but not to e-mail.

Option 6: Customize SharePoint to Increase Security

Most folks who want to protect documents from their own employees are not actually interested in preventing them from accessing emails. But, most security solutions for Office 365 are applied against all the Office 365 services. If the documents you need to protect are in SharePoint, there may be better ways to go about this that wouldn’t impact other aspects of your service.

Of course, the ultimate solution would be to deploy CipherPoint Eclipse. You can think of that as the very best form of SharePoint customization there is, because it will let you encrypt documents and then use a variety of different policies to determine whether they can be decrypted. It's an expensive option, comparatively, but also a good one that offers true security (rather than security through obscurity). And now that I'm done plugging for our partner, I'll tell you about a slightly cheaper one.

Microsoft won't actually let us run server side code in SharePoint Online as they once did, so our options for controlling users' access and experience on the site are limited. Even so, it's not too difficult to do some rudimentary access control using JavaScript in the browser. For example, you can hide the page contents and display apocalyptic warnings instead. In some cases, you can also end a user's login session.

However, it is important to understand that code that works this way can be circumvented by those with a moderate amount of computer savvy. If you're going to rely on sleight of hand tricks to protect your information, you'd better also back it up with a clear employee policy, firm contractual agreement, audit logs, and regular reviews for bad behavior.

Plus side:

  • Significantly easier (and cheaper) than implementing security at the login prompt.
  • Relatively easy to track both IP address and login time when using SharePoint.
  • Transparent to non-SharePoint Office 365 services, so if you're just trying to protect HIPAA documents, but still allow email access, this may be the way to go.

Down side:

  • To be fully effective, use of OneDrive sync and the SharePoint API will need to be blocked in sites that have sensitive documents, and this can limit how you customize SharePoint.
  • Requires documents to be stored in SharePoint. Other Office 365 services can't be protected this way.
  • Can be defeated by a determined intruder; many would say this does not offer true security but is more "security theatre".

Option 7: Encrypt It!

Most people don't need to protect literally everything they store in Office 365. Further, not everyone needs to protect what they store in SharePoint lists too, or implement complex policies to determine which employees should have access to what documents. Thus, solutions like CipherPoint that I mention above would probably be a bit heavy handed for most small businesses. (If you fit the above description, we'd still love to hear from you, because there's a lot more we can do in these cases.)

If your need to protect sensitive information is moderate and limited to a particular site, document library, or classification of content, then Microsoft's solution that comes with the E3 plan is probably good enough for you. I'm talking about Azure Rights Management, and while it won't keep an employee from viewing a document on their home computer, it can keep them from downloading it to their phone, printing it, or copying its contents to an email. Also, should the unfortunate need arise to fire their ass, it can also let you take access to that information away after the fact - no matter how many times or places they've copied that file.

While I wasn’t a huge fan of early versions of ARM, it has matured a lot. It's easier to set up now than it used to be, which is good if you don't have a huge budget for IT. Since it can be purchased a la carte, you can let Business Premium users access ARM protected documents when necessary, without having to upgrade them to the E3. (Unless you want to. I'm totally cool with upgrading if you want to. Have you met the E5?)

Plus Side:

  • Encrypted documents are useless, even if copied off the network.
  • Even your IT admin (or Office 365 support partner, like us) can't read the encrypted document.
  • Easily restrict who can read or edit a document - as well as some other things they can do with it (e.g. print, copy/paste).
  • Access can be revoked after the fact.
  • A good solution if you only have a sub-set of documents you need to protect.

Down Side:

  • While you can control a lot of access, that does not necessarily include when or where users are allowed to read or edit a document.
  • Doesn't protect SharePoint data stored in lists or web pages, OneNote Notebooks etc.
  • Azure Rights Management is only included in E3 plan and above.
  • Third party solutions such as CipherPoint can be costly.

Azure AD Premium

Before I go on, here are a few notes about Options 8, 9, and 10 below regarding leveraging Enterprise Mobility + Security, Azure AD Premium, and Azure Advanced Security. These are things I think apply in general to the entire suite and go beyond the specific applications I mention in my list.

  • There will be additional monthly costs for service, and you may need on-premises hardware too.
  • Some solutions are simple while others can be quite technically complex.
  • While there may be features we're not aware of yet, there really doesn't seem to be the kind of access control our customers have been looking for, particularly for end-users. (See Identity Protection and Privileged Account Management below.)
  • Many scenarios, especially AD Premium, don't have a large user base yet outside a few big orgs and aren't well proven, especially in smaller companies.

Option 8: Registered Devices and Workplace Join

This is Microsoft's solution for adding PCs and mobile devices into Azure AD. And it's not a bad fit if you're interested in Windows as a Service, Intune, and the like. Joining devices to Azure AD basically makes it possible to login to your "domain" even when you're out of the office. It can also, conversely, be used to require users to login only from approved hardware.

Plus side:

  • Prevents users from working on unapproved hardware, such as personal computers.
  • Controls access by physical device; if you want to control access by location, don't let the physical device leave the desired location (e.g. use desktop computers not tablets)

Down sides:

  • This is a fairly complex deployment, possibly requiring help from experienced experts, and may not be suitable for small businesses.
  • Requires modern PCs (the Windows 8.1/10 scenario is better than Windows 7/8).
  • Requires a modern (2012 R2) Windows Active Directory domain controller.
  • Requires configuration of an ADFS server, which needs to be accessible from the internet.
  • Requires a license to Azure AD Premium.
  • Relies on AD Connect / Sync so it can take quite a while for hardware info to be fully synchronized.
  • This solution can't really distinguish between user access to e-mail and user access to documents, so if you need mobile access to mail but not sensitive documents, this isn't your best option.

Option 9: Azure AD Premium w/ Identity Protection

I actually like this option a lot, because of its simplicity. It's not easy to take something as complex as access security and make it as easy to set up and manage as Identity Protection is - especially if you're Microsoft, who seems to thrive on complexity and options. It's a really good system, and they've done a good job of providing a solution to help users deal with the identity theft threats that are becoming increasingly common nowadays.

But - and I'll cook my hat and eat it if I ever say these words again - Microsoft may have gone a bit too far into easy-to-configure territory, because there are a lot of options missing from Identity Protection that I would've thought would be obvious.

For example, where's my option to say "my employees only work in the United States, and for that matter they're only in Maryland for the most part"? Or how about "we really don't work later than 8pm EST, so could any midnight logins please be labelled 'high risk'?" Why not let the admin get a notification in addition to blocking access or triggering MFA? All these things were missing, and I was really surprised by that.

Otherwise, it's pretty good and you should totally buy it. Maybe they'll improve it later. If not, please see Option 11.

Learn More about Identity Protection from Microsoft's Blog

Side note: We had a case recently where a client had an employee who was being targeted by a cybercriminal who had taken their credit card data and was trying very hard to get into their email account in Office 365 too. Fortunately, Microsoft was diligent in locking the account after many successive failed attempts. However, it is important to understand that information which might have helped lead to an arrest in this case was not being captured until we activated Azure AD Premium and Identity Protection for the customer. If you're locked out of your Office 365 account and you have good reason to think it was because of a hacking attempt, I strongly suggest that you do not wait, but go ahead and start the free trial for AD Premium and turn on all of Identity Protection's logging features. From there, if you simply want to protect yourself, you can set up MFA - or consider setting up a honey pot if you want to try and catch the would-be thief.

Plus side:

  • No local server required.
  • Can work even with Cloud Only users. No AD domain controller required.
  • Microsoft Add-on for Windows Azure AD Tenants
  • Remediates risk by requiring multi-factor authentication, forcing password updates, and/or blocking access entirely
  • Uses threat analytics which include data from other Azure users, not just your own company
  • Protects from: sign-ins from infected devices, new/unfamiliar locations, impossible travel distances, anonymous IP addresses
  • Tracks leaked credentials
  • Doesn't seem to add much burden in the way of administrative overhead or management
  • Most of the MFA enrollment is intuitive (at least for an IT person) and can be self-service.

Down side:

  • We thought that MFA enrollment left too many steps and choices to the end users and should be something admins could lock down or simplify.
  • Conditional access risks are managed by Microsoft and divided into low/medium/high; there does not seem to be a way to define things such as normal working hours or normal location.
  • Has a tendency to throw false alarms in some networks; for example whenever we visit the Microsoft office in Washington DC, it tells us we're trying to login from Redmond, WA.
  • Although you can resolve an event or mark it as a false alarm, there didn't appear to be anyplace for an admin to leave notes explaining why the login occurred, like the situation we describe above.
  • Despite some marketing materials that seemed to indicate this would be available in the EMS E3 plan, it still required applicable users to have Azure Active Directory Premium Plan 2, which is part of the EMS E5 plan.
  • None of these Azure security and logging features are enabled until you activate this service.
  • We had to actually sign up for the Azure AD Premium trial offer in order to get the system to recognize our existing AD Premium licenses from Office 365.
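Here is what those three missing rules look like if you write them yourself against an export of the sign-in report. This is an added example and is not part of the original post, nor Microsoft's code or anything Identity Protection ships: the policy values (US only, Maryland as the home state, 6am to 8pm Eastern, 900 km/h as the impossible-travel ceiling) and the four sample sign-ins are constructed for the illustration, and daylight-saving handling is left out.

```python
"""Sign-in review rules that Identity Protection did not let us express:
expected country/state, business hours, and impossible travel.
Added example; SAMPLE_EVENTS below are constructed, not real logs."""
from __future__ import annotations
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from math import asin, cos, radians, sin, sqrt

# Policy for a tenant whose staff live in Maryland and stop work by 8pm Eastern (assumed values).
ALLOWED_COUNTRIES = {"US"}
HOME_STATES = {"MD"}
WORKDAY_START_HOUR, WORKDAY_END_HOUR = 6, 20   # local Eastern time
EASTERN = timezone(timedelta(hours=-5))        # EST; DST handling omitted for brevity
MAX_PLAUSIBLE_KMH = 900.0                      # faster than an airliner means impossible travel


@dataclass
class SignIn:
    user: str
    when: datetime     # timezone-aware, UTC
    country: str       # ISO 3166 alpha-2 as the sign-in report gives it
    state: str         # US state / region, "" if unknown
    lat: float
    lon: float


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance in kilometres between two points."""
    p1, p2 = radians(lat1), radians(lat2)
    dlat, dlon = p2 - p1, radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(p1) * cos(p2) * sin(dlon / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def evaluate(events: list[SignIn]) -> list[tuple[str, datetime, str, str]]:
    """Return (user, when, risk, reason) for every rule a sign-in violates.

    Risk labels mirror the low/medium/high buckets Identity Protection uses.
    """
    findings = []
    last_seen: dict[str, SignIn] = {}
    for ev in sorted(events, key=lambda e: e.when):
        local = ev.when.astimezone(EASTERN)
        if ev.country not in ALLOWED_COUNTRIES:
            findings.append((ev.user, ev.when, "high",
                             f"sign-in from outside allowed countries ({ev.country})"))
        elif ev.state not in HOME_STATES:
            findings.append((ev.user, ev.when, "medium",
                             f"sign-in from outside home state ({ev.state})"))
        if not WORKDAY_START_HOUR <= local.hour < WORKDAY_END_HOUR:
            findings.append((ev.user, ev.when, "high",
                             f"sign-in outside working hours ({local:%H:%M} Eastern)"))
        prev = last_seen.get(ev.user)
        if prev is not None:
            # Compare with the same user's previous sign-in: distance / elapsed time.
            hours = (ev.when - prev.when).total_seconds() / 3600
            km = haversine_km(prev.lat, prev.lon, ev.lat, ev.lon)
            if hours > 0 and km / hours > MAX_PLAUSIBLE_KMH:
                findings.append((ev.user, ev.when, "high",
                                 f"impossible travel: {km:.0f} km in {hours:.1f} h"))
        last_seen[ev.user] = ev
    return findings


SAMPLE_EVENTS = [  # constructed sample sign-ins, not real logs
    SignIn("alice", datetime(2016, 11, 7, 14, 0, tzinfo=timezone.utc), "US", "MD", 39.29, -76.61),   # Baltimore, 9:00 Eastern
    SignIn("alice", datetime(2016, 11, 7, 15, 0, tzinfo=timezone.utc), "US", "WA", 47.67, -122.12),  # Redmond, one hour later
    SignIn("bob", datetime(2016, 11, 8, 3, 30, tzinfo=timezone.utc), "US", "MD", 39.29, -76.61),     # 22:30 Eastern
    SignIn("carol", datetime(2016, 11, 7, 16, 0, tzinfo=timezone.utc), "NG", "", 6.52, 3.38),        # Lagos
]

if __name__ == "__main__":
    for user, when, risk, reason in evaluate(SAMPLE_EVENTS):
        print(f"{when:%Y-%m-%d %H:%MZ} {user:<6} {risk:<6} {reason}")
```

The point of the exercise is that all three rules are a few lines each once you have the sign-in data; what you get from the service today is the impossible-travel half, plus leaked-credential and anonymous-IP signals you could not build yourself.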

Option 10: Azure AD Premium w/ Privileged Identity Management

Okay, I'm going to sum this up nicely. If you're a Microsoft Partner like us, supporting Office 365 customers, or if you have more than two Global Administrators on your Office 365 account - for whatever reason - this solution is for you. Everybody else will probably find it either too expensive or much too cumbersome to justify. It really only protects your admin accounts, so in most cases you'd probably do just as well to configure MFA on them and be done with it.

Learn More about Privileged Identity Management from Microsoft's Web Site

Plus side:

  • No local server required.
  • Can work even with Cloud Only users. No AD domain controller required.
  • Microsoft Add-on for Windows Azure AD Tenants
  • Allows Just-in-Time Access to high level (e.g. global admin) accounts
  • Monitor how privileged access is being used
  • Notify other system admins in real-time when privileged accounts are used
  • Uses threat analytics which includes data from other Azure users, not just your own company.
  • Seems to have some really cool reporting capabilities, but they take time to populate.
  • Really the only way I'm aware of to give someone global admin access to Azure or Office 365 and still keep an eye on them and require them to justify their use.

Down side:

  • Adds extra login steps and technical debt for admins.
  • There is significant complexity involved for those who will need to manage and support PIM.
  • Doesn't seem to provide an option for choosing who should receive alerts about usage.
  • Does not provide JIT access or monitoring for regular user accounts.
  • The ticket number formats are a bit restrictive.
  • Requires applicable users to have Azure Active Directory Premium Plan 2, which is part of the EMS E5 plan.
  • We had to actually sign up for the Azure AD Premium trial offer in order to get the system to recognize our existing AD Premium licenses from Office 365.

Option 11: Beowulf Identity Server

I’ve talked plenty elsewhere about how awesome Beowulf is, how it shuts the front door on SharePoint, and how it protects your public facing web sites and applications from unwanted access. You don't need to hear even more of that from me here, so I'll stick to what we haven't said before. (Aw, c'mon. You didn't think I was going to spend all this time and energy writing a two part blog about security without promoting my own product, did you?)

We’re working on a version of Beowulf that works with SharePoint Online and the rest of Office 365, which shouldn't be terribly difficult since we already fully integrate with ADFS, which is what Microsoft is using for access control in the cloud.

Since others seem to have dropped the ball on some of the options and features we've talked about here, we're doing our best to include them in the new version targeted for release in early 2017. Well, that's the big problem, isn't it? Unless you want to be part of our early adopter program - and get a big discount for helping us test these new features - you're out of luck.

Learn More about Beowulf Identity Server on Liquid Mercury Solutions' Web Site

Plus side:

  • Low cost cloud based solution
  • Transparent access layer between users and Office 365
  • Can work even with Cloud Only users. No AD domain controller is required.
  • Can either block access or just alert you (without blocking) when a user logs in from unexpected locations or at unusual times.
  • Configurable in a lot of ways that Microsoft's solution is not.
  • Has many of the same MFA capabilities as Azure AD Premium.
  • Integrates well with Azure AD, ADFS, and other MS solutions.

Down side:

  • There is an additional cost outside of the Office 365 subscription
  • Like many advanced security products, set up is relatively complex.
  • Though many of these features are available today, our full feature set for the next release will not be available until early 2017.

Option 12: Application Layer Security Enabled Next Gen Web Proxy/Firewall

You all knew I'd bring it up eventually. Why don't you just go out and buy an F5 BIG-IP with the Access Policy Manager module on it? Then you can come back and hire us to configure it for you, and we can totally freak out because people hardly ever want to do that. Even so, this is a nice way to go if you have a lot of money lying around and burning it would be inconvenient.

For large enterprises with hybrid cloud/on-premises deployments, I do recommend products from vendors like F5, Kemp, or Cisco. This goes triply if you run a large corporation with name recognition, store a lot of confidential customer data that hackers may want to steal, or your everyday business is something that might lead people wearing Guy Fawkes masks to try to ruin your holiday weekend. They offer security features that Microsoft doesn't even come close to having in Azure yet, but you can absolutely deploy them as Azure VMs in your environment, or on-premises on bare metal or as a VM.

But then, if you're going to go that far, why not also make sure you do all the other things I talked about too?

Plus side:

  • Really, really configurable and powerful; can probably do anything you'd want in terms of limiting and responding to access requests and use.
  • Deployable in traditional on-premises and cloud-based scenarios.

Down side:

  • Really, really complex to configure and expensive to implement.
  • Even cloud based subscription versions are going to cost a pretty penny.
  • It will require dedicated staff and constant upkeep, so probably only suited to large enterprises.

As you can see, Microsoft offers many choices - but none of them is the perfect solution for everyone. I think better solutions will emerge in the coming months. I hope I've done a little here to shed some light on what is sadly a very complex answer to what seems like it should be a simple question. The most important thing to consider, I think, is that there are some low-cost things you can do if you want to control how people use cloud services, starting with making sure your employees know the rules.

Technology is always changing, and it often forces us to consider scenarios that previously were just impossible. If you're considering Office 365 as a solution, you may have concerns about people having access from home (or anywhere in the world really).

Office 365 provides a lot of security advantages compared to storing sensitive data on your laptop computer, a portable hard drive, or that server in the closet. Keep in mind that this is just one potential risk in a sea of others that we've all faced for a long time; the benefits should outweigh the risks if you approach the transition to cloud services with a little bit of thought and planning. We're here to make sure you don't have to go it alone.

Did I leave something out of my list that you'd like to add? Leave a message in the comments and I’ll reply.

Thomas is an acknowledged expert on information security, the creator of Beowulf Identity Server, and spoke on the SharePoint Security panel November 8th at the First Annual FITSI.org Federal IT Security Conference. You can follow him on Twitter and LinkedIn - but if you really want to connect, your best bet is probably to call us at 410-633-5959.

Office 365 Security and You - Ransomware

Minecraft creeper: 'That's a very nice file share you've got there - be a shame if something happened to it'

Since I'll be on a SharePoint security panel speaking at next week's Federal IT Security Conference, I wanted to do a couple blog posts this week about cloud security.

I'm going to leave discussion of Windows zero-days, Strontium / Fancy Bear / Apartment 2B etc. for another time. There's already plenty of FUD going around about that topic. If you're not sure whether you're protected, you can install the Windows 10 Anniversary Update and you'll be covered. The easiest way I know to do that is to buy a Win 10 Enterprise E3 subscription from us for $6.50 a month; throw in Enterprise Mobility Suite and Symantec Endpoint Protection Cloud and you'd still be spending only $19 a month. That's about all there is to that, so let's move on.

Instead, I want to take some time this week to talk about recent (albeit non-federal) security challenges that we see our Office 365, and particularly SharePoint Online, customers facing. Specifically, two questions I'm being asked a lot lately are "Can Office 365 protect me from ransomware?" and "Can we control when and where people can connect to Office 365?"

Today, I'll be talking about ransomware. When I come back for Part 2 we'll talk about controlling access to Office 365. Part 3 will talk specifically about securing SharePoint in the cloud.

Part 1: All About Ransomware and Office 365

Q: "I've heard of this new thing called 'ransomware'. What is it?"

Firstly, for those of you who don't know, I'll explain what ransomware is all about, and then I'll tell you what you can do about it.

Maybe I should've done this post for Halloween, because ransomware is scary stuff. Ransomware is like other viruses or malware, but with a twist. It does something much more insidious than just infecting your computer, turning it into a zombie, or deleting random files.

Ransomware uses our own security defenses against us, by applying encryption on us against our will and then attempting to extort money from us to undo the damage.

So how does that work? Well, what if somebody put a lock on your door and then demanded $100 from you to remove the lock so you can get inside your home? It's sort of the same thing. Once the ransomware infects your system, it opens whatever documents it can get access to, scrambles the contents with a secret key known only to it, and saves them back over the originals. It then sends the key to the organized cyber-criminals running the operation (most modern families wrap it with the criminals' public key, so it can't be recovered from the infected machine), and alerts you to contact them and make payment arrangements to unlock your files.

Q: "Am I in danger from ransomware?"

Yes. Yes you are.

Be afraid. Be very afraid.

But seriously, Dusty, Seth, and I saw our first case of a client affected by ransomware back in 2014 - and it wasn't pretty. This was in the spring, around the time Microsoft ended support for Windows XP. We had a client who - despite our advice - was dragging their feet about buying new Windows 7 PCs because of the cost involved. As a result, ransomware got into one PC, spread to their other workstations and servers, and then proceeded to extort and threaten their employees. That's when we got the call for help.

For the three of us, it was two hellish days working double shifts to purge the virus (from slow, outdated machines), restore backup files, and clean up the mess - a job that totaled over 100 hours and ten thousand dollars in labor charges, services for which we were never fully paid. I would never wish this fate on any client, and I hope to never receive such an emergency call again in my lifetime.

Fast forward two years, and we're seeing an increasing number of customers telling us they have contracted ransomware. Everybody's reaction is a bit different. Some folks are willing and able to simply walk away from their lost files, while other businesses face a real and existential threat to their continued operations.

Any way you look at it, ransomware is a very similar problem to having your hard drive crash.

But hard drives are pretty reliable; they tend to fail from heavy use, if they are dropped, or when they get very old.

Unlike hardware failure, ransomware *wants* to be a problem for you, and there are organized teams of cyber-criminals all over the world who are actively working every day to try and find new ways to infect you with it.

If you are not working to stay ahead of this threat, it will eventually get the better of you.

Q: "What kind of information is at risk from ransomware?"

Ransomware is smart enough to go after files that you use, like Word, Excel, or PDF documents, while leaving program files like EXEs and DLLs alone (the machine has to keep working well enough to show you the ransom note). Some variants can even tell the difference between files you access often and files you haven't opened in years and aren't likely to ever notice.

Ransomware can detect attached portable USB drives and find network shared folders you have access to, so if you're infected then any folder you can write to is at risk, even if it isn't on your computer. I have personally witnessed ransomware that attacked a network file server at one company and scrambled their case files for literally hundreds of customers.
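A practical way to find out which of those files have already been hit - on a file share, a USB drive, or a backup set you are about to restore from - is to look for documents whose bytes no longer look like documents. The scanner below is an added example, not code from the original post or from any product: it checks that a file still starts with the header its extension promises (genuine .docx/.xlsx files are ZIP archives beginning with "PK", PDFs with "%PDF"), flags plain-text files with ciphertext-like entropy, and catches the "report.docx.locked" rename pattern. The thresholds and the sample tree it builds in a temp directory are constructed for the illustration.

```python
"""Scan a folder tree for documents that look like ransomware output.
Added example, not from the original post; the sample tree is constructed
in a temp directory. Run it over a file share, a USB drive or a backup set
before you restore from it."""
from __future__ import annotations
import math
import random
import tempfile
import zipfile
from collections import Counter
from pathlib import Path
from typing import Optional, Tuple

# First bytes a genuine file of each type begins with. Encrypted output won't have them.
EXPECTED_MAGIC = {
    ".docx": b"PK\x03\x04", ".xlsx": b"PK\x03\x04", ".pptx": b"PK\x03\x04",
    ".doc": b"\xd0\xcf\x11\xe0", ".xls": b"\xd0\xcf\x11\xe0",
    ".pdf": b"%PDF",
}
TEXT_SUFFIXES = {".txt", ".csv"}
DOCUMENT_SUFFIXES = set(EXPECTED_MAGIC) | TEXT_SUFFIXES
TEXT_ENTROPY_LIMIT = 6.0     # English text sits around 4-5 bits/byte (assumed cut-off)
RANDOM_ENTROPY_LIMIT = 7.5   # ciphertext approaches 8 bits/byte (assumed cut-off)


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for empty or constant input, 8.0 for uniform random."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def classify(path: Path) -> Optional[Tuple[str, float]]:
    """Return (reason, entropy) if the file looks encrypted, else None."""
    data = path.read_bytes()
    entropy = shannon_entropy(data)
    suffixes = [s.lower() for s in path.suffixes]
    if not suffixes:
        return None
    last = suffixes[-1]
    if last in EXPECTED_MAGIC:
        if not data.startswith(EXPECTED_MAGIC[last]):
            return ("header does not match file type", entropy)
        return None
    if last in TEXT_SUFFIXES:
        if entropy > TEXT_ENTROPY_LIMIT:
            return ("text file with encrypted-looking contents", entropy)
        return None
    # "report.docx.locked": a known document extension with a new one appended
    if len(suffixes) >= 2 and suffixes[-2] in DOCUMENT_SUFFIXES and entropy > RANDOM_ENTROPY_LIMIT:
        return ("document renamed with an extra extension", entropy)
    return None


def scan_tree(root: Path) -> list[tuple[str, str, float]]:
    """Relative path, reason and entropy for every suspect file under root."""
    suspects = []
    for path in sorted(root.rglob("*")):
        if path.is_file():
            verdict = classify(path)
            if verdict:
                suspects.append((path.relative_to(root).as_posix(), *verdict))
    return suspects


def build_sample_tree() -> Path:
    """Constructed sample: three clean files and three that mimic ransomware output."""
    root = Path(tempfile.mkdtemp(prefix="ransom-scan-"))
    rng = random.Random(7)
    noise = lambda n: bytes(rng.getrandbits(8) for _ in range(n))  # stands in for ciphertext
    (root / "memo.txt").write_text("Quarterly budget memo. Please review the attached figures.\n" * 20)
    (root / "invoice.pdf").write_bytes(b"%PDF-1.4\n1 0 obj << /Type /Catalog >> endobj\n%%EOF\n")
    with zipfile.ZipFile(root / "report.docx", "w") as docx:
        docx.writestr("word/document.xml", "<w:document>Quarterly report</w:document>")
    (root / "budget.xlsx").write_bytes(noise(4096))           # encrypted in place, name kept
    (root / "notes.txt").write_bytes(noise(4096))             # same, for a text file
    (root / "contract.docx.locked").write_bytes(noise(4096))  # encrypted and renamed
    return root


if __name__ == "__main__":
    for rel, reason, entropy in scan_tree(build_sample_tree()):
        print(f"{rel:<24} {entropy:4.2f} bits/byte  {reason}")
```

The header check is the one that matters most: a real .docx is itself compressed, so its entropy is already high and an entropy threshold alone would flag every healthy Office file on the share. If this scan lights up inside a backup set, that backup was connected while the infection was still active, which is exactly the scenario the next section warns about.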

Q: "Should I pay the ransom?"

Generally speaking, I want to say that you should never negotiate with terrorists - or criminals. That's a nice sentiment, and it sounds good in the movies. But in reality I think maybe that's a bit naïve.

Your best bet, of course, is to have a backup strategy in place and simply recover a working copy of your files from the backup. Only do this after you have thoroughly scanned, found, and cleaned the ransomware from all of your computers. Otherwise, you're putting your backup copies at risk by accessing them: a still-active infection will happily encrypt the backup drive or share the moment you connect it, and then you have nothing left to restore from.

If you don't have a backup of your files, then paying the ransom might be your only option.

In such a case, definitely do not give a criminal your credit card info when they ask you for it. That'd be dumb. If they run your card for the ransom, you can expect the info will also circulate into databases of cards to be used for fraud later. If you must pay the ransom, purchase a pre-paid Visa gift card to do it. Some credit card companies will provide a temporary card number you can use for a one-time online purchase. If you have that option, it’s a good idea.

Q: "I already own a firewall. Doesn't that mean I'm protected?"

Having a firewall alone is not enough; you also need anti-virus software on all your PCs and devices. More commonly these days this is called "endpoint protection", because the threat landscape has grown to include not only viruses but also malware, ransomware, zombies (bots), and more.

Think of it this way. Your firewall is like building a wall around a city. It doesn't make sense to have a wall to protect yourself if you don't also have soldiers inside the wall who can react to intruders. In this case, the story of the Trojan Horse is very appropriate; you must have a layer of defense inside your walled city to protect yourself in case a threat does get a foothold inside the gates.

Having anti-virus software installed is like posting guards at important bases like your armory, grain store, or government center - or having a soldier boarding in each person's house. Anyone who has ever looked at how much CPU is used by their anti-virus software understands that it may be necessary, but it's also another mouth to feed.

We also need to account for the way that mobility has affected computer security. Today, we have laptops, tablets, and smart phones that come and go freely from within our firewalled city and out into the wide, wide world. To extend our city metaphor, it is now a bustling metropolis with merchants and travelers coming and going at all times, and the freedom to travel has become a key aspect of life that we all benefit from. We connect to Wi-Fi networks at our friends' homes or the local coffee shop, as well as cellular data networks. Then we return to our own network, usually without much fuss. Unfortunately, we also potentially bring whatever plague we've exposed ourselves to outside back with us when we return.

Protecting the desktop doesn't need to be an expensive proposition either. It costs only $4/month per user to purchase Symantec Endpoint Protection cloud, and Microsoft's advanced security tools that are part of Enterprise Mobility Suite and/or the Office 365 E5 plan each add only $8.70 and $15 (compared to E3 plan) respectively. This is something we can help you purchase and deploy, so please do reach out to us if you want to get this set up for your organization.

Modern IT security now also includes the concept of active network defense, which takes the fight from the PCs to the network itself. These are next-generation Ethernet or Wi-Fi switches that can detect and block communications known to come from viruses, malware, etc. This is a lot like making the roads in your city unfriendly to invaders by having police guards on patrol. These new technologies haven't really filtered down to the consumer and small business market yet, but I expect that will happen fairly soon.

I hope that I've been able to explain why having a network firewall alone isn't enough to protect you from security threats out there today. While endpoint protection does add a cost and can sometimes limit PC performance, it's still very much a necessary evil. Meanwhile, new products are being developed that can do even more, so it may be time soon to start looking at replacing your old equipment.

Q: "Can ransomware affect files in Office 365?"

I get this question a lot, both from existing customers and from those considering Office 365 as a possible solution for protecting themselves from ransomware.

The answer is complicated, because really "it depends". I'm sorry if that sounds like consulting-speak, so let me explain what I mean.

Firstly, let me start by saying that we haven't yet observed any instance of ransomware in the wild that directly targets Office 365. But that alone doesn't mean these files are completely safe.

Let's say, for example, that you are using OneDrive for Business. You have a copy of your files in Office 365, and a synced copy is also on your local C: drive. If the ransomware encrypts the file on your local drive, OneDrive for Business would simply see this change as if you had opened the file yourself in Word and saved some changes. It would then sync the [bad] changes to the cloud and overwrite the file there. Library versioning may keep the earlier version around, but restoring hundreds of files one previous version at a time is not something you want to be doing by hand.

Furthermore, if ransomware hooks into the Microsoft Office desktop software like Outlook, Word, or Excel, then it could theoretically corrupt the process by which files are saved, regardless of where you're saving them. In fact, Microsoft Office has its own layer of file encryption, called Azure Rights Management. It's not difficult to imagine a possible exploit that somehow subverts that mechanism - or replaces it with one where you don't hold the keys.

So in both cases, I would say that while we don't know - yet - of any ransomware that can log in to your Office 365 account and use that access to reach your emails or documents stored in SharePoint, it is still technically possible that your files stored in the cloud are not completely out of reach.

Q: "I was thinking of buying Office 365 and moving my files to the cloud to protect them. Does what you say mean that it won't work and I shouldn't do that?"

Not at all. Moving your files to Office 365 is a good first step, and it has lots of other benefits besides security.

For starters, you'd be taking advantage of Microsoft's advanced data protection strategy. Microsoft also has a 15-day backup window on some types of data. As a first line of defense, these are going to be a lot more secure and reliable than saving files on a USB drive in your office - even if you just look at it from a hardware perspective.

To really cover yourself, you should always have a backup strategy in place.

If your needs are minimal and cost is a big concern, that might just involve occasionally copying important emails or files to a local drive and then unplugging it from the network and sticking it in a drawer or safety deposit box. Of course, doing things this way takes time and work. There are better options.

Third-party backup solutions for Office 365 have been around for a while. These aren't expensive - most will back up both email and SharePoint/OneDrive for Business files for just $5/month/user. Compared to other cloud backup platforms, these can be cost effective alternatives. They also add the benefit that your data isn't entirely with Microsoft, so you can feel more secure knowing that you are not keeping all your eggs in one basket.

So, if you are looking for a way to escape the threat of ransomware, Office 365 may still be a good option for you - as long as you're prepared to purchase a bit more than just the basic Office 365 plan itself.

About the Author

Thomas is an acknowledged expert on information security, the creator of Beowulf Identity Server, and will be speaking on a panel about SharePoint Security November 8th at FITSI.org's First Annual Federal IT Security Conference. You can follow him on Twitter and LinkedIn - but if you really want to connect, your best bet is probably to call us at 410-633-5959.

Microsoft Hates Folders (Part 2 of 3)

So last time we established that for some mysterious reason Microsoft hates folders. Microsoft does not want you to upload your folders to SharePoint. Microsoft is very, very convinced that uploading your folders to SharePoint is a terrible, horrible, no-good, very-bad idea, and is absolutely certain that what is best for you, your company, and the entire world would be if you never ever ever uploaded a folder to SharePoint ever again, and in fact never even used a folder in SharePoint.

Right. You’re going to keep using folders in SharePoint because that’s how all your stuff is organized, and re-organizing all of it right now to take advantage of SharePoint’s other methods of categorization, regardless of how much better they might or might not be, is time you simply don’t have.

So, how do you get your 300 gigs of data in folders into SharePoint Online?

Method 1: Use OneDrive for Business.

This is the method Microsoft would prefer you use. With OneDrive for Business, you synchronize your SharePoint MySite to your hard drive, and also any other SharePoint site you use that you might want to synchronize. This creates a great deal of confusion.

[Screenshot: File Explorer showing the OneDrive – Personal, OneDrive – LiquidMercurySolutions and SharePoint folders side by side]

Notice that there are two different folders labeled OneDrive? One of them is labeled OneDrive – Personal and the other is OneDrive – LiquidMercurySolutions. Then there’s also the folder labeled SharePoint.

Sometimes I think Microsoft needs to adopt a strategy from the Evil Overlord list, but slightly modified. They should run their marketing plans past a 50 year old office administrator who does not work for Microsoft. If she is confused by the plan, maybe they should adopt a different strategy. Sure, once you know what’s going on, you know why there’s such a plethora of folders and why the ones that are OneDrive for Business have different names that aren’t OneDrive for Business and what the difference is between that and regular OneDrive. But when you don’t know, it’s hopelessly confusing, and even when you do know, it’s easy to click on the wrong thing.

So, to clarify, since Microsoft’s as clear as mud here:

  • OneDrive (no Business here) comes with Windows 10, and you can download it for earlier versions. It is Microsoft’s generic, consumer-oriented, cloud file share, similar to Dropbox. At one point it was named SkyDrive, but Microsoft got sued and had to change the name. This is for your personal stuff. Windows 10 tries to persuade you to save everything to your OneDrive, when you first install it or configure it for yourself after buying the PC. So this is where your family photos and your kids’ artwork and that screenplay you’re writing in your spare time go.
  • OneDrive for Business is used to synchronize SharePoint. One of the sites you have access to in SharePoint is called your MySite. For most folks, it’s going to look something like this:

[Screenshot: the MySite / OneDrive for Business page in SharePoint Online]

You get to it by going to {yourdomain}-my.sharepoint.com, where your company’s regular SharePoint Online site is {yourdomain}.sharepoint.com. Click “Sync”, and this site will synchronize to your PC in a folder called “OneDrive – {Your Business Name}” (so in the example up above, mine is “OneDrive – Liquid Mercury Solutions”). This is for your personal work documents, which is less oxymoronic than it sounds. Drafts, notes, things you want to share only with a small working group such as the one or two people helping you revise it, that letter you’re writing to OSHA about your horrible working conditions… the MySite/OneDrive for Business site is by default accessible only to you, except for the things you put in the Shared With Everyone folder.

  • SharePoint – the folder labeled SharePoint on your PC is where synchronized SharePoint libraries live. These are the folders on the main company site (or any other site – in the example above, I have a personal site collection for my development work, where I also keep a collection of cookbooks so I have documents to test various forms of metadata operations on, and that’s the one I keep synchronized.)

So, logically speaking, all you have to do to get your folders into SharePoint is synchronize a library and copy your folders into the sync folder that appears on your PC, right?

Oh, but the devil is in the details.

First of all, SharePoint libraries have a list view threshold of 5,000 items. The library can technically hold more than that, but any view or query that has to touch more than 5,000 items gets blocked, which breaks most views and makes the library painful to use. Folders are items. Everything in the folder is also an item. So if you have 50 folders, and each one has 10 folders under it, and each of those folders has 10 files in it… boom, 5,000 files (plus 550 folders, which count too). So you’re going to want to watch how many items you actually have. If the folder you want to copy has more than 5,000 items in it - which is very easy to achieve in some businesses, for example a legal office where every client has its own folder and every case also has its own folder - you’re going to want to think about how to break it up. Alphabetical ranges are popular (i.e. a library for A-M and a library for N-Z). Or if your business has a regional structure, perhaps separate libraries by region.

Secondly, there are characters that your PC’s file system will tolerate but SharePoint Online will not, because they are special characters reserved for URL functions. They include &, % and #. So if you like to name your files “75% Growth Plan”, “#1234 Union Ave” or “Meeting with Bob & Jane”… you’re going to have to rename them. Those files will not sync. (Microsoft has been loosening these rules over time, so check its current list of invalid file and folder names before a big migration rather than trusting this post.)

Third, make sure you’ve got enough space. Today, Microsoft is giving every SharePoint Online customer a terabyte of space. But that’s a recent development. The limits on the size of your site collection might have been set before that was true, so maybe your entire site collection has only 20 gigs and you want to upload 21 gigs of data to it. That… won’t work out so well for you. Have your administrator check to see if there’s space.

Fourth, by default the folders on the PC will be named “Your Site Name – Your Library Name”, but with only a certain number of characters allotted to each part. So if your firm is named “Dewey, Cheatum and Howe” and your main site is called “Dewey, Cheatum and Howe Team Site”… that’s going to download as “Dewey, Cheatum and Howe”, because at best you get 24 characters. (It might even be less.) And worse, if your library is called “Legal Pleadings From April 2016” you’re going to end up with “Legal Pleadings From Ap”. If you broke up your libraries into A-M and N-Z and stuck the letters at the end of the library name, there’s a good chance they won’t even be there on the synced folder on your hard drive, because you’ll be out of characters. You can change them… sometimes… but it’s buggy. Some clients of mine have had no trouble; for others, we change the name of the folder 5 times and it keeps resetting.

And fifth… prepare to wait, and to get very little useful information about what the sync is doing while you’re waiting. Sync is a very slow operation. It’s not intended to transfer gigs and gigs of data; it’s intended to keep changes made to the files or folders on the PC synced to the library and files in the cloud, and vice versa. You can hover your mouse over the little OneDrive icon in the system tray to see if the sync is done or how it’s progressing. But if you’re syncing multiple libraries, your results will be misleading, because it’s usually telling you how much is left to go on the one library it’s working on now.
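Before you start a sync like this, it is worth checking the first, second and fourth points against the actual folder tree rather than discovering them halfway through. The script below is an added example, not something from the original post or from Microsoft: it counts items per top-level folder against the 5,000 threshold (folders included), lists the names carrying &, % or # (plus Office’s ~$ lock files, which the sync client also refuses), and shows what the truncated “Site – Library” folder names will collide into. The 24-character limit is the post’s figure, treated here as an assumption, and the sample tree is constructed in a temp directory.

```python
"""Pre-flight checks for copying a folder tree into a SharePoint Online
library through the OneDrive for Business sync client. Added example, not
from the original post; the sample tree is constructed in a temp directory.
The 24-character sync-folder limit is the figure the post quotes and is
treated here as an assumption rather than a documented constant."""
from __future__ import annotations
import tempfile
from collections import Counter
from pathlib import Path

VIEW_THRESHOLD = 5000        # SharePoint Online list view threshold
UNSAFE_CHARS = set("&%#")    # characters the post says will not sync; check Microsoft's current list
SYNC_NAME_LIMIT = 24         # assumed per-part limit for the "Site - Library" folder name on disk


def count_items(root: Path) -> Counter:
    """Items per top-level folder; the folders themselves count, and so does each file."""
    totals: Counter = Counter()
    for path in root.rglob("*"):
        totals[path.relative_to(root).parts[0]] += 1
    return totals


def plan_split(total_items: int, threshold: int = VIEW_THRESHOLD) -> int:
    """Minimum number of libraries so that none exceeds the threshold (ceiling division)."""
    return -(-total_items // threshold)


def unsafe_names(root: Path) -> list[tuple[str, str]]:
    """(relative path, offending characters) for file and folder names the sync client rejects."""
    bad = []
    for path in root.rglob("*"):
        hits = "".join(sorted(set(path.name) & UNSAFE_CHARS))
        if path.name.startswith("~$"):          # Office lock/temp file, also rejected
            hits = "~$" + hits
        if hits:
            bad.append((path.relative_to(root).as_posix(), hits))
    return sorted(bad)


def sync_folder_name(site: str, library: str, limit: int = SYNC_NAME_LIMIT) -> str:
    """The folder name the sync client creates on disk, each part cut to the limit."""
    return f"{site[:limit].rstrip()} - {library[:limit].rstrip()}"


def truncation_collisions(site: str, libraries: list[str]) -> list[tuple[str, str, str]]:
    """Pairs of libraries whose truncated sync-folder names come out identical."""
    seen: dict[str, str] = {}
    collisions = []
    for lib in libraries:
        name = sync_folder_name(site, lib)
        if name in seen:
            collisions.append((seen[name], lib, name))
        else:
            seen[name] = lib
    return collisions


def build_sample_tree() -> Path:
    """Constructed sample share with a few names SharePoint Online won't take."""
    root = Path(tempfile.mkdtemp(prefix="sp-preflight-"))
    for client in ("Acme Corp", "Acme & Co", "Dewey Cheatum"):
        for case in ("Case 001", "Case 002"):
            case_dir = root / "Clients" / client / case
            case_dir.mkdir(parents=True)
            (case_dir / "Notes.txt").write_text("notes")
            (case_dir / "Pleading.docx").write_text("pleading")
    (root / "Clients" / "Acme Corp" / "#1234 Union Ave.pdf").write_text("pdf")
    (root / "Finance").mkdir()
    (root / "Finance" / "75% Growth Plan.xlsx").write_text("xlsx")
    (root / "Finance" / "~$Budget.xlsx").write_text("lock")
    return root


if __name__ == "__main__":
    root = build_sample_tree()
    for folder, n in sorted(count_items(root).items()):
        print(f"{folder}: {n} items, needs {plan_split(n)} library/libraries")
    for rel, chars in unsafe_names(root):
        print(f"rename before upload: {rel!r} ({chars})")
    site = "Dewey, Cheatum and Howe Team Site"
    libs = ["Legal Pleadings From April 2016 A-M", "Legal Pleadings From April 2016 N-Z"]
    for a, b, name in truncation_collisions(site, libs):
        print(f"{a!r} and {b!r} would both sync to {name!r}")
```

Run it against the real share with `build_sample_tree()` swapped for the folder you intend to upload; the item counts are per top-level folder because that is usually the unit you end up mapping to a library, and the collision check is the one that tells you to put the A-M / N-Z suffix at the front of the library name instead of the end.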

For migrating a lot of data… there are better ways. For moderate values of “better”.

Method 2: Use File Explorer.

Use this one weird trick that Microsoft hates! …No, that’s not clickbait. It really is a weird trick and they really do hate it.

A long time ago, Microsoft made SharePoint compatible with File Explorer via a technology called WebDAV. So you could connect to a library directly via File Explorer, and copy files to and from SharePoint. This is dangerous. You can see the hidden folders and files that SharePoint hides from you, so you could theoretically cause a great many problems for your SharePoint site, to the point where you could potentially corrupt it into being unusable. Also, see, File Explorer is an icon of a folder, and Microsoft hates folders.

For a while they did their best to block this feature, but nowadays it actually works, most of the time, if you make the appropriate goat sacrifices on the full of the moon at the dark of night in a properly cleared stone circle. Or, at least, if you are using Internet Explorer as your browser. Internet Explorer is deprecated; even Microsoft doesn’t want to support it anymore, so Windows 10 machines ship with their default being a new browser, Edge, as in it’s on the very edge of being a usable browser but not quite there yet. (Don’t get me started talking about Edge.) But Edge doesn’t support this trick with SharePoint, and none of the non-Microsoft browsers do either. It only works in Internet Explorer.

You go to the library you want to open, in Internet Explorer. On the “Library” tab click “Open in Explorer”. (This is available from the new Document Library style that is missing the ribbon and its tabs; in this format you get to it from a drop-down menu at the far right.) You may have to do it more than once to get it to respond. Once you do, it will open File Explorer, connected directly to the library.


Note that if you have synced this library with OneDrive for Business, this trick will not work. It can only be used if you don’t have a sync folder for this library; otherwise it will try to force you to use the sync folder instead.

Using File Explorer, you can bulk copy a lot of files and folders, a lot faster than you could have using OneDrive sync. But it’s buggy. Sometimes it will spontaneously lose its connection and have to be re-opened for no real reason. Sometimes you won’t be able to get it to open at all. And if the library in question has any required metadata, then every single file you upload will be checked out to you, as a draft, and invisible to anyone else because that’s how required metadata and drafts work in SharePoint.

Method 3: Purchase migration software.

This one’s always an option. For a small company, however, it’s not usually an affordable one. Most migration software prices come in at a minimum of 4 digits, or heavily restrict how many gigs of data you can transfer, or both.

(Shameless plug time: we have migration software that sells in the triple digits. The catch is that there’s no attractive UI; it’s all scripting, so it’s mainly for use by consultants like us and IT departments.)

No matter how you go, it’s gonna be slow

Transfers to Microsoft’s data centers are throttled so no one customer can consume enough bandwidth to negatively affect other customers. So expect your data migration to take a while. Sync is easily the slowest method, and File Explorer probably the fastest. All methods will run into the same issues with bad characters, although most migration software will take this into account and either allow you to change the names, or will change them for you. All methods will be affected by space and by the number of items per library, as well.
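Before picking any of the three methods, it pays to audit the source tree for the problems this section lists: names SharePoint Online will reject, the site collection quota, and the number of items that will land in each library. The Python script below is an added example, not code from the original post or from Liquid Mercury's migration product; the rejected-character set, reserved names and 400-character path limit are taken from Microsoft's published naming rules rather than from this page, and the quota and item thresholds in the sample run are constructed values.

```python
"""Pre-migration audit of a local folder tree bound for SharePoint Online.

Flags names SharePoint will reject, compares total size against the site
collection quota, and counts items per top-level folder (each one becoming
a library). Limits below are assumptions taken from Microsoft's naming rules.
"""
import os
from dataclasses import dataclass, field
from typing import Iterable, Iterator, List, NamedTuple

# Characters rejected in SharePoint Online file and folder names (assumption
# from Microsoft's naming rules; the post only speaks of "bad characters").
INVALID_CHARS = set('"*:<>?/\\|')
# Reserved names, compared case-insensitively against the whole name and the
# part before the first dot (so "CON.txt" is caught as well as "CON").
RESERVED_NAMES = (
    {"CON", "PRN", "AUX", "NUL", ".LOCK", "DESKTOP.INI"}
    | {f"COM{i}" for i in range(10)}
    | {f"LPT{i}" for i in range(10)}
)
MAX_PATH_LENGTH = 400  # assumed limit on the decoded path, root to file name


class Entry(NamedTuple):
    rel_path: str  # POSIX-style path relative to the migration root
    size: int      # bytes; 0 for folders
    is_dir: bool


@dataclass
class AuditReport:
    bad_names: List[tuple] = field(default_factory=list)  # (rel_path, reasons)
    total_bytes: int = 0
    items_per_library: dict = field(default_factory=dict)
    crowded_libraries: List[str] = field(default_factory=list)
    over_quota: bool = False


def name_problems(name: str) -> List[str]:
    """Return the reasons a single file or folder name would be rejected."""
    problems = []
    bad = "".join(sorted(c for c in set(name) if c in INVALID_CHARS))
    if bad:
        problems.append(f"invalid characters {bad!r}")
    if name != name.strip():
        problems.append("leading or trailing whitespace")
    if name.upper() in RESERVED_NAMES or name.split(".")[0].upper() in RESERVED_NAMES:
        problems.append("reserved name")
    if "_vti_" in name or name.startswith("~$"):
        problems.append("reserved token (_vti_) or Office lock-file prefix (~$)")
    return problems


def scan_tree(root: str) -> Iterator[Entry]:
    """Walk a real folder and yield Entry records with POSIX separators."""
    for dirpath, dirnames, filenames in os.walk(root):
        rel_dir = os.path.relpath(dirpath, root)
        prefix = "" if rel_dir == "." else rel_dir.replace(os.sep, "/") + "/"
        for d in dirnames:
            yield Entry(prefix + d, 0, True)
        for f in filenames:
            yield Entry(prefix + f, os.path.getsize(os.path.join(dirpath, f)), False)


def audit_entries(entries: Iterable[Entry], quota_bytes: int,
                  max_items_per_library: int,
                  max_path_length: int = MAX_PATH_LENGTH) -> AuditReport:
    """Audit a listing; top-level folders are treated as future libraries."""
    report = AuditReport()
    for e in entries:
        name = e.rel_path.rsplit("/", 1)[-1]
        reasons = name_problems(name)
        if len(e.rel_path) > max_path_length:
            reasons.append(f"path longer than {max_path_length} characters")
        if reasons:
            report.bad_names.append((e.rel_path, reasons))
        library, _, rest = e.rel_path.partition("/")
        if e.is_dir and not rest:  # a future library, not an item inside one
            continue
        if not rest:               # loose file at the root of the share
            library = "(root)"
        report.items_per_library[library] = report.items_per_library.get(library, 0) + 1
        report.total_bytes += e.size
    report.over_quota = report.total_bytes > quota_bytes
    report.crowded_libraries = sorted(
        lib for lib, n in report.items_per_library.items() if n > max_items_per_library)
    return report


# Constructed sample listing standing in for a small firm's file share.
SAMPLE_ENTRIES = [
    Entry("Legal Pleadings", 0, True),
    Entry("Legal Pleadings/Motion: April 2016.docx", 2_000_000, False),
    Entry("Legal Pleadings/Brief (final).pdf", 1_500_000, False),
    Entry("Legal Pleadings/~$Brief (final).docx", 1_024, False),
    Entry("Client Files", 0, True),
    Entry("Client Files/Dewey ", 0, True),
    Entry("Client Files/Dewey /CON.txt", 512, False),
    Entry("Client Files/Howe", 0, True),
    Entry("Client Files/Howe/Contract | signed.pdf", 3_000_000, False),
    Entry("Client Files/Howe/Retainer.pdf", 700_000, False),
]

if __name__ == "__main__":
    # Sample limits: a 5 MB quota and 3 items per library, both constructed.
    r = audit_entries(SAMPLE_ENTRIES, quota_bytes=5_000_000, max_items_per_library=3)
    for path, reasons in r.bad_names:
        print(f"RENAME  {path!r}: {'; '.join(reasons)}")
    print(f"total {r.total_bytes:,} bytes, over quota: {r.over_quota}")
    print("libraries over item limit:", r.crowded_libraries)
```

To run it against a real share, replace `SAMPLE_ENTRIES` with `scan_tree(r"D:\FileShare")` and the real quota your administrator reports.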

What if I’ve decided I hate folders too?

There are actually some good reasons for moving away from the folder model entirely (or at least mostly) when you migrate to SharePoint. In the third part of this blog, I’ll discuss those reasons, and how you would go about migrating data without migrating folders or losing metadata.

An Army of One Asks "SharePoint, What Is It Good For?" - Using SharePoint in One Person Companies

It's dangerous to go alone. Take SharePoint. Recently, we've been getting a lot of new customers who are the sole proprietor of their businesses. This isn't too unusual; many businesses are one-person shops who don't have any employees. For example, while it isn't unusual to eventually take on assistants, many tax preparation specialists, accountants, architects, lawyers, IT folks, marketing gurus, or business consultants start out as just an individual person going into business for themselves. I personally went this route; rather than take on a full-time job, I operated as an independent contractor for nearly 15 years.

Liquid Mercury has always been a company based on helping our customers get the best value out of SharePoint. This used to mean mostly Fortune 500 companies and government agencies. Then, Office 365 came along and has greatly increased the audience for whom SharePoint is accessible. Now, even a single person business can buy an Office 365 Business Premium plan for $12.50 a month and get access to SharePoint.

There's a lot of interest in the platform, and one question that people in business for themselves ask us more than any other is "What's the point to SharePoint when you haven't got anybody to share with?"

At first, the answer wasn't entirely obvious, even to me, so I thought it might be worth sharing a few tips on how sole proprietors can get the most out of the SharePoint component of their Office 365 service.

Author's Note: This article got to be much more involved than I expected. So I've decided to break it up into two parts. In this, part 1, I'll go over the first three tips, which are primarily about benefits you can achieve for yourself. In the next part, I'll go into depth about ideas that can help you when working with your customers.

Tip #1: Develop a Filing System

When I think about how to use SharePoint in a one-person office, the first thing that comes to mind for me is to simply get better organized with all the documents needed to operate the business every day.

Any business will have these. There will be invoices and communications from vendors that need to be scanned, filed, and paid out. Possibly, there will be invoices sent to customers. You may have to write your own contracts and then keep track of variations as you negotiate with your customers. Perhaps you'll need to write quotes or formal proposals in order to win the business. There might be status reports and time sheets.

You can certainly organize all these documents into folders. That's how people have been doing it for years. I will give you one good example of why this might not be the best option in the long run.

Suppose you decide that your filing system will be organized by customer. One folder per customer, no problem. To keep clutter from piling up, under each customer folder you create a folder for time sheets, work logs, and invoices; a folder for documents the customer shares with you (so you can honor that NDA you signed); and one for the original proposal and agreement (so you can remember what you promised to do for them). You did remember to scan the signed copy of your contract and put it there, right?

Anyway, suppose you hire some help for a large customer. You need to share documents for that customer with your hired help. But there are certain details you'd prefer to keep in house, such as how much the customer is paying you, those confidential/proprietary documents, etc.

Now you also want to hire a bookkeeper to help you convert work activity into invoices. This person needs access to every customer's documents, but only the financial stuff, not the contracts or project documents.

You start to think that maybe it would've been better to organize the top level folders first by the type of document, and then have sub-folders for each customer. Over time you change the way you're organizing your files, coming up with newer/better categorizations - but you don't really have time to go back and change the historical documents. What you need now is called a "matrix". What you actually have is probably better classified as a "mess".

But what does SharePoint do to resolve this problem?

SharePoint lets you attach any number of properties to a document. These are called Fields and they work exactly like you'd expect fields in a database or columns in a spreadsheet to work. You can have a Field for which customer a document relates to, and a different Field for the purpose of the document. Say that later you decide to add a follow-up date to keep track of work on certain documents. With SharePoint, you can add that easily at any point down the road.

Of course, we wouldn't just enter extra data about files for the fun of it. Learning to file things in a way that is completely different than what we've been taught to do for the past 25 years takes a certain amount of discipline. New skills will have to be learned and new work habits developed. For this effort, there must be a proportionate reward.

As it turns out there is such a benefit. Fields are useful because you can then create something called a View. Views let you show only the documents that meet certain criteria. For example, "Show me only the proposals where I won the business." or "Show me only the invoices where the customer hasn't paid me yet." Things can also be set up so that your bookkeeper wouldn't need to be confused by all those non-invoice documents that you have to track, because from their point of view (no pun intended) these can be completely hidden. So, you can start to see how Views would be very useful indeed and worth the effort of putting data into Fields on almost all your documents.

Tip #2: Find Things Faster, Easier

One thing that SharePoint has always done pretty well is search. (Hey, you SharePoint experts, don't laugh; I am serious.) Since the first version back in 2001, I have been very impressed that SharePoint was able to crawl all the documents on my entire network, including file shares, and bring back results that often times I'd completely forgotten even existed.

This was no small accomplishment, and SharePoint's ability to uncover hidden gems has only gotten better with time.

Quick Benefits Right Out of the Box

Today, in Office 365 we have something called Delve, which will show you not only what documents you've been working on, but a timeline of your work with thumbnail representations of what these documents actually look like. Most one person shops are not running a traditional server with an enterprise version of SharePoint, so I feel pretty safe saying that for the purpose of this article, most interested readers will have access to Delve.

Here's a screen from Delve showing my recent documents.

Also, many people do not realize that OneDrive for Business is essentially SharePoint with another face. Yes, OneDrive lets you sync files to your local hard drive. However, when you browse the web site to look at the copies of your documents that are stored in the cloud, that web site is a SharePoint web site and those documents are stored in SharePoint Libraries. As a result, they are also searchable in SharePoint and will show up in Delve.

So, you can get a tremendous benefit without any extra effort at all on your part simply by choosing to save your documents into SharePoint or OneDrive for Business.

Taking Search to the Next Level

Combined with the proper use of the Fields we talked about in Develop a Filing System, SharePoint search can be used to not only search for documents based on their content, but also on how they were categorized using the data in those Fields. For example, just like you can create a View to show you certain types of documents within a Library, you can also use Search to surface documents stored on any SharePoint site.

This feature has many practical applications, especially for larger businesses, but the most compelling for a sole proprietor will likely be digging through lots of documents to find the one you need - as quickly as possible. Imagine for example that search results can be filtered by a specific customer, by a set of products that they relate to, or let's say... maybe by whether you remembered to scan and upload the final signed version.

Tip #3: Create Standard Operating Procedures

Almost every one person shop starts out with the idea that if you build a better mouse trap, people will beat a path to your door. Yet, in the course of business, we often fall into a trap ourselves. We discover that we're spending more time being a bookkeeper, bill collector, contract writer, office clerk, tech support, etc. rather than the thing we went into business to do.

Eventually, if you are going to stay focused on your mission, your one person business is going to take on hired help. That could mean employees or it could mean contracting with other specialty firms.

Either way, how you go about getting your work done is something that will need to be documented and shared. Without proper documentation of your processes, it becomes much more difficult to identify those parts of your work that can be effectively retooled, delegated, or outsourced to make your operation as efficient and competitive as it can be.

If you get to the point where you're successful enough that you are forced to grow, then you'll have no choice but to try and explain to other people what you want them to do and how you want it done.

Take it from me, it will be better for you if you start writing these things down before that day comes.

I learned the hard way that rapid business growth can be every bit as dangerous as a period of decline. In fact, growth can trigger missteps, leading to long term problems and the ultimate downfall of a small business. Growth can turn many strategies that help the tiny business survive into bad habits that hold it back. Growth puts such a strain on the leadership of a business that it might make one reconsider why they went into business for themselves in the first place.

By documenting your business processes before you're bursting at the seams, you can go a long way towards making sure that once you're simply too busy to train new employees, there'll be a guidebook they can follow to help you get the most out of hiring them.

So enough about why you need to be writing SOPs before you actually think you need to have them. How exactly does SharePoint fit in with helping you define your business process?

Unstructured Notes

The first step is having a ready-to-share platform for writing things down as you think of them. At this stage, your ideas may not even be fully formed, so getting things on record quickly without interrupting your other work is essential.

For the unstructured piles of stuff I tend to generate at this stage, I use OneNote. OneNote is great because I never have to remember to hit Save, and it makes it relatively easy to record the web site where I found whatever helpful bit of information I might be working with. It has lots of features that are helpful in taking down information quickly.

Okay, but you don't actually need SharePoint to use OneNote. It's part of Office and you could simply save your Notebook files to your laptop, or if you're really cloud savvy you can put them into OneDrive.

SharePoint sites include something called a Site Notebook. Site Notebooks are simply OneNote Notebooks that are already saved to a SharePoint library, set up for sharing with team members, and web accessible. If you start with a Site Notebook rather than creating a new Notebook some other way, then no extra steps are needed to start sharing the notes you take there.

Say that all you do when you start your business is create one SharePoint Team Site for each hat you have to wear - accounting, marketing, sales, management, and operations. Then, open the Site Notebook for each site in OneNote so you have a central place to start taking notes. When the time comes that you're ready to bring on some outside help, just share access to the appropriate Team Site, and they'll have your notes too.

By the way, there's a nice thing about sharing Notebooks this way. Two people can edit the notes at the same time and see one another's changes in real time.

Structured Documentation

Suppose you get to the point where you want to formalize your notes a bit further into something your assistant can use to help you perform some business tasks that come up fairly often. There are a couple things you can do in SharePoint that might be a better choice than using OneNote.

The first option is to create a Wiki Library. Wikis are web sites where you can quickly post and edit information directly on the web page. For example, this can be useful for creating and updating a company FAQ, employee policy handbook, etc. It's a bit easier to lock down a Wiki so that only certain people can make changes but everyone can read it. Wikis have the advantage that you have more control over how you structure the pages and navigation between them, and that users will not need any special knowledge beyond how to get to the web page using a browser. Wiki pages also show up as individual entries in search results (see Finding Things Faster) rather than one search result for an entire Notebook.

The other option for structured information is to copy your notes into Word documents. For example, if you wanted to create an Employee Handbook this might be the way to go. Personally, I find that if a process has a lot of diagrams, pictures, or screen shots, then creating the Word document is a lot easier than the work involved with uploading all those images to a Picture Library in SharePoint so they can be used on a Wiki. It's also easier to create a PDF from a Word document than a Wiki or Notebook, so if your process is something you'll have to share with people who don't have either Office or access to your SharePoint site, you might want that option. Word documents also show up in search as one result per document.

Defining a Process

When I talk about defining a business process, a lot of people will immediately jump to thinking about workflows. Workflows in SharePoint provide a way to marshal a process through several steps, with notifications for people when their step comes up.

Let me just get this out front; developing a workflow is not necessarily a great idea. There are several reasons. Firstly, workflows add overhead to a process. In addition to completing the task, you often have to report to the workflow that the task has been completed. Second, workflows define a process rather rigidly. This becomes a problem if your process changes fairly often - or worse yet maybe you don't even have the process fully defined. These issues are most obvious when you're a single person operation and need to track your own work.

SharePoint does provide some ways to improve your processes without forcing yourself into taking on a cumbersome system to track every step of what you do.

For example, Task Lists are a great way to plan a project and keep tabs on the steps involved so that you don't lose track of your progress. Over the years we've built a number of SharePoint add-ons to Tasks that let you do things like copy a set of template tasks to a new Task List, manage multiple projects within a single Task List, and more.

Microsoft recently released a tool called Planner that comes with some Office 365 subscriptions. We really like Planner! It shows a lot of potential, and in many ways it is easier to use than the SharePoint Task List. We wonder what Microsoft's plan for SharePoint Tasks will be in the long term, now that there are two different ways to accomplish essentially the same thing. Even so, Planner is a new product with several caveats and limitations that make it less amazing than we'd like it to be. For the moment, there are still times when choosing SharePoint Tasks instead is a valid option.

Screenshot of Microsoft Planner in Office 365

Beyond Task Lists, there are other ways to use SharePoint to structure your processes. Many people do not know that you can create a custom List in SharePoint very easily. These Lists can hold any kind of information you can imagine. For example, you could record a list of product prices, or a series of trade show events that are important to your business. You can even build a customer relationship management database using SharePoint.

Next Time in Part II

I'll post again soon about the next three tips, which are primarily about how you present your tiny rowboat of a company when you're working with all the tugs, oil tankers, and cruise liners of the world.

  • Tip #4: Look Bigger Than You Are
  • Tip #5: Share Documents, Securely
  • Tip #6: Structure Customer Service and Interactions

I hope you'll join us. Please consider subscribing to the blog to get notification for the next part and other content that might be of interest to you.

As always, if you use SharePoint or you're considering Office 365 for your one-person operation or army of employees, please don't hesitate to contact me, or visit us at http://www.liquid-hg.com/cloud to learn more about what we offer and how we can help you.

Outrageous Claims: SP Claims and Auth Will Lag Behind the Industry

Principal Architect Thomas Carpe shares his thoughts and opinions on the state of the art in SharePoint security, including predictions about things to come. This blog post is part of a continuing series leading up to and following the official launch of Liquid Mercury Solutions' new product Beowulf Identity Server.

Okay, this isn't really fair, since it's really more a case of predicting the present.


To be honest, I was completely caught off guard back in 2013 when the new version of SharePoint was released into the wild without even mediocre support for basic things like FederationMetadata.xml, token encryption, or a half-decent people picker for claims. I'd previously assumed that developing anything in this area was a lost cause, since Microsoft could easily catch up, and whatever they implemented would inevitably become the standard.

Seems that I was mistaken about where they'd put their energy, and this got me thinking about why SharePoint, which was among the first Microsoft products to fully embrace the claims authentication model, would be so slow to mature.

First thing that comes to mind is that SharePoint really suffers from early adopter syndrome. Back in 2010 when claims authentication was still pretty new, SharePoint was one of the first to implement its own Secure Token Service. Unlike other web applications that can be easily adapted to use an external claims service, this STS still serves as the backbone of SharePoint security to this day, even when external providers are in the mix. At that time it was built with a still-beta version of Windows Identity Framework. Likewise, when 2013 was developed, it was one of the first MS products built on .NET 4.5. However, at that time WIF still hadn't been fully integrated into the .NET framework - though parts of it had.

Lately I've been doing a lot of digging around in SharePoint's STS using Reflector, and I can see that a lot of design choices were made here without interoperability or extensibility in mind.

Just as one example, let's take the relationship between SPTrustedLoginProvider and the STS itself. Leaving aside the unusual naming convention (sometimes it's a trusted identity token issuer and other times it's called a login provider), it's interesting to note that much of the information actually needed to federate with another provider isn't actually part of this object, but has to be read from the STS itself. Compare this design with ADFS, which also serves as a kind of STS but has the structure for Relying Party configuration, wherein practically everything that you need to form a relationship between ADFS and another server is stored in one location.

Additionally, a lot of critical functionality here is internal and sealed. While I have never been shy about using reflection to invoke critical methods where needed, this is going to make life difficult for anyone who wants to develop capabilities that require these functions. Just from a support perspective alone, it means that you can't count on Microsoft not to change these functions later on - though from the look of things most of this stuff has not changed much in the past few years. IMHO, MS would do well to open up some of these classes and methods, since sealing them doesn't really provide much in the way of code security anyway. Until they do, it will always be a race to make sure that any patch they release doesn't radically change things.

Finally, the last reason that I think MS will continue to lag behind others in terms of supporting claims in SharePoint comes down to one simple thing. Microsoft's SharePoint strategy is cloud-first, and the fact is that what federation they needed to support SharePoint Online access via WAAD and externally shared MS accounts has already been implemented. Plus, they have their roadmap in place for SSO using ADFS. So, in essence, they have no impetus to make major improvements to the way this is being done. Sure, there'll continue to be improvements in the API for apps, client side code, etc. But don't expect future versions of SharePoint to be oriented around major usability enhancements for authentication - at least until there's something in it for Microsoft.

This op-ed piece is by no means the end of the story. What experiences have you had with configuring SharePoint security and do you agree with me or disagree that a lot of ground will continue to be left uncovered? Leave your opinion in the comments.

Outrageous Claims: SP Advanced Security Config Will Get Easier

Principal Architect Thomas Carpe shares his thoughts and opinions on the state of the art in SharePoint security, including predictions about things to come. This blog post is part of a continuing series leading up to and following the official launch of Liquid Mercury Solutions' new product Beowulf Identity Server.

I feel a bit like Thomas Veil from Nowhere Man when I find myself saying "I know they will. They have to." I guess what I'm really trying to say here is that implementing security configurations for SharePoint is still too difficult.

Take for example that blog from Wictor Wilen on setting up SharePoint 2013 with Thinktecture Identity Server. This is a great article, but it's typical of a configuration between two identity products in that there are a ton of settings to consider and some of it can only be done through the use of complicated PowerShell commands. 

Likewise, our own product Beowulf Identity Server has faced similar challenges in early deployments. The product is great, however there are still reams of documentation on how to set it up. Don't get me wrong; I'm all for having complete documentation. Still, you know you're in for a time when one of the first things you need to tell folks is the laundry list of skills they're likely to need to configure your product. 

So when I say that advanced SharePoint security will get simpler, understand where we're starting from is truly very complicated. As the demand for more security focused installations grows, those companies that thrive in this space will need to find creative ways to do more with the resources they have on hand in what is already a pretty tight labor market for a niche skill set. From where I sit, this means making the product easier to install and configure, whether that means creating an MSI package, PowerShell administration commands, a setup wizard, or all of the above. 

Further, since some of this complexity comes from the SharePoint side of things, and Microsoft isn't really going to make that easier, the community and vendors will have to pick up the slack. (see Improvements to SharePoint Claims Authentication and Security Will Lag Behind the Industry for reasons why.) 

Wizards and installers can give you a basic set of options that will work for most customers with typical needs, but they can't tell you what is the best practice in your particular circumstance. It's important to remember that wherever you find a security wizard, you'll probably find a security loophole there too. Let's just hope that people will do the right thing and not rely on self-signed certificates and other default settings. However, I would not bet the SharePoint farm on this being the case. 

At the end of the day, IT security itself isn't going to get any easier. I think we'll see security solutions and products that will offer a basic set of turn-key options. Anything advanced or unique to your organization will be left for experts to figure out how to accomplish.


Outrageous Claims: Where Office 365 Leads, SharePoint Will Follow

Principal Architect Thomas Carpe shares his thoughts and opinions on the state of the art in SharePoint security, including predictions about things to come. This blog post is part of a continuing series leading up to and following the official launch of Liquid Mercury Solutions' new product Beowulf Identity Server.


Well, okay maybe that's not such an outrageous claim, since that's been Microsoft's strategy all along, right? What I mean here is that most improvements to SharePoint security have been coming out of changes driven by Office 365.  

So, for example, in 2013 we now have application and server based trust through OAuth type authentication. These are new; in 2010 land we could federate two farms through the mutual exchange of certificates, but there wasn't a really good story to tell around authorizing an individual application.

For folks who run on-premises environments, this means that there will be systems that have to be stood up and maintained alongside SharePoint that didn't exist before. For instance, admins now have to consider whether they will configure the app host services along with the rest of the basic SharePoint feature set. Or, will you do traditional Windows authentication or use a trusted login provider instead?

Living in a cloud first world also means that security measures we sometimes take for granted in Office 365 - like multi-factor authentication - aren't readily available to us in an on-premises farm. Yes, you could circumvent this by making your sites authenticate against ADFS 3.0 or WAAD/Azure ACS, but doing so is a complex exercise. If you're going to go that far, you'll have some very important decisions you'll want to make about what software package to use and how much you want to rely on either cloud-based or on-prem technology to manage something so important. Always keep in mind that if the authentication provider isn't available for any reason, nobody will be using SharePoint.

What we see happening in the industry now is that more and more products are switching from traditional Windows based authentication to claims based authentication. This change is no doubt fueled by the need to integrate in some respect with cloud platforms like Office 365. However, in the rush to support any possible type of authentication scenario, those same products are making trade-offs against single-sign-on.

Take SharePoint Online for example, where providing a windows-based SSO experience to the user requires running an IIS site specifically to redirect the user from a vanity URL to an Office 365 / ADFS sign-on page where the user's domain is already known. This trick lets us just ask for the user's Windows account and make the trip back to SharePoint without a login form, but this is something of a hack.

Another example comes from a third party product that supports many types of claims authentication including Windows, WAAD, and Office 365. Though the product is quite flexible, customers see issues with having to provide a forms based login when browsing between SharePoint sites and the product's web pages. Configuring things so that they are seamless from an authentication perspective takes significant work.

What we hope to see in the near future are improvements to the way these systems work together, both online and behind the company firewall, so that there's a better sign-on experience overall for the user. It seems like just a few years ago people were saying that federated authentication would mean not having to remember so many credentials, yet there seem to be more systems today than there were at that time. Certainly, this is one of the reasons why we built Beowulf, and we hope that Microsoft and other vendors will continue to open up new possibilities in this area too.

SharePoint For Mere Mortals: What Can Be Done In SharePoint 101

SharePoint can do a lot of things, and because of that it is hard to describe it accurately without using a lot of technical jargon. So let us start with something simple that everyone is familiar with and expand from there to show what you can do with SharePoint. Let us look at an invite list.

Invite lists can be for anything, but from here on our example will be an invite list for a wedding. First, think about all the people who would need to see it: you first and foremost, your significant other, maybe your parents, maybe their parents, maybe your wedding coordinator, and so on. SharePoint can store that list so that everyone sees the most up-to-date version, with no need to combine "this list" with "that list" or compare two lists to see which one is newer. There is only one list, stored in one location, and whoever has permission can go and look at it.

But there is more: what about adding people to the list and taking them off? You certainly would not want the caterers to be able to add or remove people, but you may want them to be able to see it. In SharePoint you do that sort of thing with permission settings. You can determine who is able to view the list, who can edit it, and who can grant or take away other people's ability to do those things. That last one deserves thought, because it is the power to hand out power: do you want to give your soon-to-be mother-in-law the ability to give her friend permission to edit your invite list? Or the ability to take away your own ability to view and edit it?

So now you have your list, and its contents are constantly (or sparingly) adjusted to show the most up-to-date information. There is more we can do with this. In the list we can store each invitee's address, whether or not they are coming, their meal choice, and who they are related to. This sort of data is called "metadata," essentially data about data, and it is useful for sorting and gathering information. With a few simple commands in SharePoint you can get a quick count of how many people are coming who are vegetarian or want the steak dinner. You can find out which side of the family has more people coming, or how many people are coming who buy "the good gifts." The limit is set by you and what kind of metadata you would find useful.

So that is just a little taste of something very simple that SharePoint can do. SharePoint can also automatically send out reminder e-mails based on criteria you define, build a web page for your wedding, save all the wedding pictures from every guest afterwards, display maps, give out directions, and handle all sorts of details that are involved with weddings or businesses. But this is just a simple introduction for now. We can expand on it at a later date.

AgilePoint Announces Office 365 and Forms Capabilities at SPC14

Well, it's that time of year again where all the SharePoint product companies trot out to Las Vegas to strut their stuff.

Today, we have a big announcement from the SPC 2014 Keynote Sponsor, AgilePoint.

AgilePoint - SharePoint Conference New Product Highlights

In this release, there are two things I noticed right away that we've been eagerly awaiting for a long time. 1) AgilePoint support for Office 365 not just as something that can be manipulated by workflow, but in a fully integrated fashion similar to Nintex workflow. 2) An alternative to InfoPath forms that emphasizes responsive web design.

As readers of our blog will know, we're quite fond of AgilePoint's product. One of the difficulties we faced in working with it, however, is that it didn't really play well with customers working in Office 365. We're happy to see that this is now possible, and we'll be putting together some demonstrations in the next few weeks, as we definitely want to take this out for a test drive and see what's possible.

CloudPrep 2014 Development Update

I wanted to take a few minutes today to talk about what we've been doing since late January regarding CloudPrep and the PowerShell commands for file migration and management of SharePoint Online.

The first thing I can say is that one of our most difficult choices was choosing an e-commerce platform and licensing API to use for our product. Even though we plan to keep our licensing fairly simple, we wanted to have options for future products as well as the many items we also sell through our partners.

This turned out to be more challenging than I imagined, but we have settled on using Fast Spring and LogicNP Crypto License. Perhaps in some future post I will talk about those more from a software developer's perspective. What I can say today is that it will be at least a couple of weeks before we can get a working prototype of the licensing server and the store online, and so we have had to push back release closer to the end of March or early April, mostly for that reason.

Meanwhile, we have been developing features for the different editions of CloudPrep 2014. Progress on that front continues at a rapid pace and I am pretty satisfied with the way our tools are maturing.

When we decided to produce this software, we planned to release the Lite and Standard editions first and follow up with Premium and Professional features later this spring. I was a bit surprised to find that, given where we are putting our development effort, all four editions of CloudPrep will probably be available at the same time.

Now for the geeky stuff. Here's some of what's been happening as we've been building.

Features we've essentially completed:

  • Upload an entire folder or a specific set of files to a document library
    We've tested that these commands will work against network drives and UNC paths. Take that, OneDrive!
  • Preserve metadata about the local file system that the document was uploaded from
  • Create and Modified dates on files are preserved, though we did find that with larger files there are limits to what we can accomplish here
  • You can specify the content type for uploaded files, root folders, and sub-folders - including Document Set and its child content types
  • A bunch of other random stuff including commands for manipulating SharePoint lists and reports to make sure that file uploads won't exceed SharePoint limits


We noticed that Office 365 throws a lot of connectivity errors that we don't normally see in on-premises SharePoint environments. If you've been copying files using the standard UI or OneDrive, some of these errors may be hidden from you, but they're readily apparent if you connect using Web Folders (WebDAV) or the Client Side Object Model. We see unexpected dropped connections quite often, and certain upload methods time out on files that are too big, which required some fun workarounds. Different upload methods are needed for files under 2 MB, under 35 MB, and larger.

Our path was also complicated by the fact that on certain Office 365 sites our rights come from delegated admin privileges. This is the preferred way for consultants to get the rights they need to help clients manage SharePoint Online, so we figure a lot of folks who are interested in CloudPrep see this phenomenon as well. When you log in to a client's Office 365 site as a delegated admin using the credentials from your own Office 365 account, you sometimes get the access denied page; log in again a few seconds later and everything is fine. Our code had to expect and handle this contingency.
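To make the two problems above concrete, here is an added example (an illustration for this post, not CloudPrep's code) of a small upload helper that picks a transfer method by file size and retries the kinds of transient failure just described. It assumes the SharePoint 2013 CSOM assemblies are installed at the path in the Add-Type lines, that the size thresholds are the ones quoted in the post (an observation, not a documented limit), and that the site URL, folder and file paths in the usage comment are placeholders.

```powershell
# Added example (not CloudPrep code): pick an upload path by file size and retry transient failures.
# Assumes the SharePoint 2013 CSOM assemblies live at the path below; adjust for your install.
$csom = 'C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\15\ISAPI'
Add-Type -Path "$csom\Microsoft.SharePoint.Client.dll"
Add-Type -Path "$csom\Microsoft.SharePoint.Client.Runtime.dll"

function New-SpoContext {
    param([string]$SiteUrl, [System.Management.Automation.PSCredential]$Credential)
    $ctx = New-Object Microsoft.SharePoint.Client.ClientContext($SiteUrl)
    $ctx.Credentials = New-Object Microsoft.SharePoint.Client.SharePointOnlineCredentials(
        $Credential.UserName, $Credential.Password)
    return $ctx
}

function Invoke-WithRetry {
    param([scriptblock]$Action, [int]$MaxAttempts = 5, [int]$BaseDelaySeconds = 2)
    for ($attempt = 1; $attempt -le $MaxAttempts; $attempt++) {
        try { return (& $Action) }
        catch {
            # Dropped connections, timeouts and the "access denied" that shows up right after a
            # delegated-admin sign-in all clear on their own; anything else is a real error.
            $ex = $_.Exception
            $transient = ($ex -is [System.Net.WebException]) -or
                         ($ex -is [Microsoft.SharePoint.Client.ServerUnauthorizedAccessException]) -or
                         ($ex.Message -match 'timed out|connection was closed|throttl')
            if (-not $transient -or $attempt -eq $MaxAttempts) { throw }
            $delay = $BaseDelaySeconds * [math]::Pow(2, $attempt - 1)   # exponential back-off
            Write-Warning ("Attempt {0} failed ({1}); retrying in {2}s" -f $attempt, $ex.Message, $delay)
            Start-Sleep -Seconds $delay
        }
    }
}

function Send-FileToLibrary {
    param(
        [Microsoft.SharePoint.Client.ClientContext]$Context,
        [string]$LocalPath,
        [string]$ServerRelativeFolder     # e.g. /sites/team/Shared Documents/Migrated (placeholder)
    )
    $info      = Get-Item -LiteralPath $LocalPath
    $targetUrl = "$ServerRelativeFolder/$($info.Name)"
    $small  = 2MB    # thresholds are the ones observed in the post, not a documented limit
    $medium = 35MB

    Invoke-WithRetry {
        if ($info.Length -lt $small) {
            # Small: the whole file rides inside a single CSOM request body.
            $fci = New-Object Microsoft.SharePoint.Client.FileCreationInformation
            $fci.Url = $info.Name; $fci.Overwrite = $true
            $fci.Content = [System.IO.File]::ReadAllBytes($info.FullName)
            [void]$Context.Web.GetFolderByServerRelativeUrl($ServerRelativeFolder).Files.Add($fci)
            $Context.ExecuteQuery()
        }
        elseif ($info.Length -lt $medium) {
            # Medium: stream the body instead of buffering it in the request.
            $stream = [System.IO.File]::OpenRead($info.FullName)
            try {
                $fci = New-Object Microsoft.SharePoint.Client.FileCreationInformation
                $fci.Url = $info.Name; $fci.Overwrite = $true; $fci.ContentStream = $stream
                [void]$Context.Web.GetFolderByServerRelativeUrl($ServerRelativeFolder).Files.Add($fci)
                $Context.ExecuteQuery()
            } finally { $stream.Dispose() }
        }
        else {
            # Large: bypass the CSOM request size limit with a direct PUT of the bytes.
            $stream = [System.IO.File]::OpenRead($info.FullName)
            try { [Microsoft.SharePoint.Client.File]::SaveBinaryDirect($Context, $targetUrl, $stream, $true) }
            finally { $stream.Dispose() }
        }
    } | Out-Null
    return $targetUrl
}

# Usage (site URL and paths are placeholders; you will be prompted for credentials):
# $ctx = New-SpoContext -SiteUrl 'https://contoso.sharepoint.com/sites/team' -Credential (Get-Credential)
# Send-FileToLibrary -Context $ctx -LocalPath 'D:\Share\Finance\Budget.xlsx' -ServerRelativeFolder '/sites/team/Shared Documents/Migrated'
```

The retry filter is deliberately narrow: a genuine permissions or path error is rethrown on the first attempt rather than hidden behind five sleeps, and the delay doubles each time so a throttled tenant is not hammered harder than before.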

Another thing that we did not expect is that we're seeing some reasonable evidence that Office 365 uploads are being throttled. Most of the time, file transfers seem to be limited to about 300KB/sec; there are days when the transfer speed is even slower than that, sometimes by half. As such, it is difficult for us to estimate file upload times, and we're having to improve our algorithms to take these fluctuations and sea changes into account.

As for the cause, we can't say if this is something Microsoft is doing, or if it comes from the erosion of net neutrality. We do wonder if Comcast or other providers may be limiting traffic to Office 365 in order to give their own offerings a competitive advantage or just to control their own costs. I expect we'll be doing some tests in the near future, and we've been kicking around some ways to circumvent these bandwidth caps - at least partially. One test we did in January showed that if we took half our files to a different physical location, we were able to upload them to SharePoint Online in about half the time it would have taken if we'd uploaded them all from one server.

One thing that became clear during early development was that the disconnected nature of cloud storage was going to introduce multiple random problems along the way. As a result, in any large set of documents to be moved to the cloud, there would be some which for one reason or another might not be successfully copied. We started by trying to get this failure rate as low as possible, down to less than 0.25% of files in most cases. We did a lot of work in early February to improve the code and reach this threshold.

Even so, we needed to be able to easily run multiple passes on any file copy operation and track the results. Our first prototypes had to crawl the Document Library in SharePoint one folder and file at a time. This proved to be incredibly slow, and it quickly became apparent that we needed to be able to gather status information for thousands of files at a time if we wanted to home in on only those which required an update from the local copy. This is something we added to the code base about a week ago, and we're now in the process of replacing some of our early code to use the new file comparison analytics logic.

As a side note, a bevy of SharePoint management features found their way into our PowerShell library simply because we had customers who needed them in short order. For example, we now have the ability to take a View from any SharePoint List and make a copy of it in the same List or a different one even on another SharePoint Site. Of course, one must be very careful with this kind of power, since creating Views with field references that don't exist in the List will certainly break the View if not the entire List itself. When we've added sufficient safety checks, we'll open the capability up as part of the CloudPrep product.
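Here is what that safety check can look like, as an added example that is not CloudPrep's code: it copies a view between two lists (optionally on different sites) and refuses when the target list lacks any field that the view's columns or its CAML query reference. It assumes the CSOM assemblies are already loaded and that $SourceContext and $TargetContext are authenticated Microsoft.SharePoint.Client.ClientContext objects; the list and view names in the usage comment are placeholders.

```powershell
# Added example, not CloudPrep code. Copies a list view only after confirming every field it
# references exists in the target list; a view with dangling FieldRefs breaks on first render.
# Assumes Microsoft.SharePoint.Client.dll is loaded and both contexts are authenticated.

function Get-CamlFieldRefs {
    # Pull every <FieldRef Name='...'/> out of a CAML fragment (the view's Where/OrderBy/GroupBy).
    param([string]$Caml)
    if ([string]::IsNullOrEmpty($Caml)) { return @() }
    return @([regex]::Matches($Caml, "<FieldRef\s+[^>]*Name\s*=\s*['""]([^'""]+)['""]") |
        ForEach-Object { $_.Groups[1].Value } | Sort-Object -Unique)
}

function Copy-ListView {
    param(
        [Microsoft.SharePoint.Client.ClientContext]$SourceContext,
        [string]$SourceListTitle,
        [string]$ViewTitle,
        [Microsoft.SharePoint.Client.ClientContext]$TargetContext,
        [string]$TargetListTitle,
        [string]$NewViewTitle = $ViewTitle
    )
    $srcList = $SourceContext.Web.Lists.GetByTitle($SourceListTitle)
    $srcView = $srcList.Views.GetByTitle($ViewTitle)
    $SourceContext.Load($srcView)
    $SourceContext.Load($srcView.ViewFields)
    $SourceContext.ExecuteQuery()

    $dstList = $TargetContext.Web.Lists.GetByTitle($TargetListTitle)
    $TargetContext.Load($dstList.Fields)
    $TargetContext.ExecuteQuery()

    # Index the target's fields by internal name; ViewFields and CAML FieldRefs both use internal names.
    $known = @{}
    foreach ($f in $dstList.Fields) { $known[$f.InternalName] = $true }

    $wanted  = @($srcView.ViewFields) + (Get-CamlFieldRefs $srcView.ViewQuery)
    $missing = @($wanted | Sort-Object -Unique | Where-Object { -not $known.ContainsKey($_) })
    if ($missing.Count -gt 0) {
        # Refuse rather than create a view that will throw on render.
        throw "Cannot copy view '$ViewTitle': target list '$TargetListTitle' lacks field(s): $($missing -join ', ')"
    }

    $vci = New-Object Microsoft.SharePoint.Client.ViewCreationInformation
    $vci.Title      = $NewViewTitle
    $vci.ViewFields = [string[]]@($srcView.ViewFields)
    $vci.Query      = $srcView.ViewQuery
    $vci.RowLimit   = $srcView.RowLimit
    $vci.Paged      = $srcView.Paged
    $newView = $dstList.Views.Add($vci)
    $TargetContext.Load($newView)
    $TargetContext.ExecuteQuery()
    return $newView.ServerRelativeUrl
}

# Usage (use the same context twice when both lists live on one site; names are placeholders):
# Copy-ListView -SourceContext $ctx -SourceListTitle 'Invoices' -ViewTitle 'By Vendor' `
#               -TargetContext $ctx2 -TargetListTitle 'Invoices Archive' -NewViewTitle 'By Vendor'
```

The check is done with a single round trip per side, and it is a whole-or-nothing decision: a view is only written when every referenced field resolves, because SharePoint will happily accept the definition and fail later, in front of a user.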

This week, we introduced the concept of using a hash algorithm to test whether files in SharePoint match those on our local drive. Use of a hash in addition to checking the file size and date stamps of a document ensures that the document has been uploaded into SharePoint and that it has not been corrupted in the process. We developed this ability in order to add credibility to Office 365 migrations where we may be moving hundreds of thousands or even millions of files, and we need to establish that the migration process has been completed satisfactorily. This capability can also be used to perform duplicate file detection, and we may develop a follow on product or feature to do just that later on.
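The following added example (not CloudPrep's code) shows the ideas from the last two paragraphs together: one paged CAML query that indexes a whole library a few thousand items per round trip, and a local-versus-cloud comparison by size, modified date and an MD5 value. It assumes $ctx is an authenticated ClientContext with the CSOM assemblies loaded, that uploads preserved the local modified date, and that the library has a text column named MD5Hash (an assumed name) stamped at upload time; the local and server paths in the usage comment are placeholders.

```powershell
# Added example, not CloudPrep code. Index a library with a paged CAML query, then diff local
# files against it by size, modified time and an assumed "MD5Hash" column.
# Assumes Microsoft.SharePoint.Client.dll is loaded and $ctx is an authenticated ClientContext.

function Get-LibraryIndex {
    param(
        [Microsoft.SharePoint.Client.ClientContext]$Context,
        [string]$LibraryTitle,
        [string]$HashField = 'MD5Hash',   # assumed column name; pass '' if the library has none
        [int]$PageSize = 2000             # keep each page under the 5,000-item list view threshold
    )
    $list   = $Context.Web.Lists.GetByTitle($LibraryTitle)
    $fields = "<FieldRef Name='FileRef'/><FieldRef Name='File_x0020_Size'/><FieldRef Name='Modified'/><FieldRef Name='FSObjType'/>"
    if ($HashField) { $fields += "<FieldRef Name='$HashField'/>" }
    $query = New-Object Microsoft.SharePoint.Client.CamlQuery
    # Scope='RecursiveAll' returns items from every folder; RowLimit Paged='TRUE' enables the position cursor.
    $query.ViewXml = "<View Scope='RecursiveAll'><ViewFields>$fields</ViewFields><RowLimit Paged='TRUE'>$PageSize</RowLimit></View>"
    $index = @{}   # keys are server-relative URLs; PowerShell hashtables compare them case-insensitively
    do {
        $items = $list.GetItems($query)
        $Context.Load($items)
        $Context.ExecuteQuery()
        foreach ($item in $items) {
            if ([int]$item['FSObjType'] -eq 1) { continue }          # folders carry no file bytes
            $hash = $null
            if ($HashField) { $hash = [string]$item[$HashField] }
            $index[[string]$item['FileRef']] = [pscustomobject]@{
                Size     = [long]$item['File_x0020_Size']
                Modified = ([datetime]$item['Modified']).ToUniversalTime()
                Md5      = $hash
            }
        }
        $query.ListItemCollectionPosition = $items.ListItemCollectionPosition
    } while ($null -ne $query.ListItemCollectionPosition)
    return $index
}

function Get-FileMd5 {
    param([string]$Path)
    $md5    = [System.Security.Cryptography.MD5]::Create()
    $stream = [System.IO.File]::OpenRead($Path)
    try { ([System.BitConverter]::ToString($md5.ComputeHash($stream))).Replace('-', '').ToLowerInvariant() }
    finally { $stream.Dispose(); $md5.Dispose() }
}

function Compare-LocalToLibrary {
    # Returns one record per local file that is missing, different, or fails verification in the cloud.
    param(
        [hashtable]$Index,
        [string]$LocalRoot,           # e.g. D:\Share\Finance (placeholder)
        [string]$ServerRelativeRoot,  # e.g. /sites/team/Shared Documents/Finance (placeholder)
        [switch]$VerifyHash           # hashing is the slow check; only reached when size and date agree
    )
    $root = $LocalRoot.TrimEnd('\')
    $pending = foreach ($file in Get-ChildItem -LiteralPath $root -Recurse -File) {
        $target = $ServerRelativeRoot + $file.FullName.Substring($root.Length).Replace('\', '/')
        $cloud  = $Index[$target]
        $reason = $null
        if ($null -eq $cloud)                 { $reason = 'missing' }
        elseif ($cloud.Size -ne $file.Length) { $reason = 'size differs' }
        elseif ([math]::Abs(($cloud.Modified - $file.LastWriteTimeUtc).TotalSeconds) -gt 2) { $reason = 'modified date differs' }  # SharePoint keeps whole seconds
        elseif ($VerifyHash -and $cloud.Md5 -and $cloud.Md5 -ne (Get-FileMd5 $file.FullName)) { $reason = 'hash mismatch' }
        if ($reason) { [pscustomobject]@{ Local = $file.FullName; Target = $target; Reason = $reason } }
    }
    return @($pending)
}

# Usage (paths are placeholders):
# $index = Get-LibraryIndex -Context $ctx -LibraryTitle 'Documents'
# Compare-LocalToLibrary -Index $index -LocalRoot 'D:\Share\Finance' -ServerRelativeRoot '/sites/team/Shared Documents/Finance' -VerifyHash |
#     Export-Csv .\second-pass.csv -NoTypeInformation
```

MD5 is adequate for catching transfer corruption and finding duplicates, which is what this check is for; it is not collision-resistant, so if the goal were to detect deliberate tampering rather than accidental damage, SHA-256 (or a keyed MAC) would be the right choice, and the comparison logic would not change.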

Next week, we're planning to work on some important features that we feel are a must for getting this product to where we want it to be.

The first is to make sure that we can translate between Active Directory permissions on the local file system and users in SharePoint. The primary purpose here is to preserve meaningful data for the Created By and Modified By fields in SharePoint; this is something we can't do yet. As part of this process, we'll be introducing PowerShell commands to add new users to SharePoint sites and manage groups. For most customers, this is probably of limited use. However, those with several hundred users or groups to manage will find it much easier to deal with them via PowerShell instead of the SharePoint admin web pages. For consultants, it will make migrations faster by reducing the time it takes to implement the security configuration. Our goal here is to lower the cost of our migration services.
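As an added example of the mapping described above (not CloudPrep's code, and not necessarily how the shipped commands will work), this reads the NTFS owner of a local file, resolves it to an Office 365 account, and stamps Created By, Modified By and Modified on the already-uploaded item. It assumes $ctx is an authenticated ClientContext with the CSOM assemblies loaded, that on-prem account names match the left-hand side of users' UPNs in the tenant domain given (true where directory sync is in place), and that the file paths and tenant domain in the usage comment are placeholders. Note the limitation: NTFS records an owner but not who last modified a file, so the owner is the best available stand-in for both fields, and files created by administrators are often owned by BUILTIN\Administrators and will keep their upload defaults.

```powershell
# Added example, not CloudPrep code. Map an NTFS owner to an Office 365 user and stamp
# Created By / Modified By / Modified on the uploaded item.
# Assumes Microsoft.SharePoint.Client.dll is loaded and $ctx is an authenticated ClientContext.

function Resolve-SpoUser {
    # One EnsureUser round trip per distinct account; the cache matters when thousands of files share a few owners.
    param(
        [Microsoft.SharePoint.Client.ClientContext]$Context,
        [string]$NtAccount,        # e.g. CONTOSO\jdoe, or an unresolved SID such as S-1-5-21-...
        [string]$TenantDomain,     # e.g. contoso.com (assumed to match the on-prem UPN suffix)
        [hashtable]$Cache
    )
    if ($Cache.ContainsKey($NtAccount)) { return $Cache[$NtAccount] }
    # Built-in principals and orphaned SIDs have no cloud identity; leave the fields at their defaults.
    if ($NtAccount -match '^(BUILTIN|NT AUTHORITY)\\' -or $NtAccount -match '^S-1-') {
        $Cache[$NtAccount] = $null
        return $null
    }
    $sam  = $NtAccount.Split('\')[-1]
    $user = $null
    try {
        $user = $Context.Web.EnsureUser("$sam@$TenantDomain")
        $Context.Load($user)
        $Context.ExecuteQuery()
    } catch {
        Write-Warning "No Office 365 user for $NtAccount ($($_.Exception.Message)); keeping defaults"
        $user = $null
    }
    $Cache[$NtAccount] = $user
    return $user
}

function Set-ItemProvenanceFromLocalFile {
    param(
        [Microsoft.SharePoint.Client.ClientContext]$Context,
        [string]$ServerRelativeUrl,   # file already uploaded to SharePoint
        [string]$LocalPath,
        [string]$TenantDomain,
        [hashtable]$Cache
    )
    $owner = (Get-Acl -LiteralPath $LocalPath).Owner
    $user  = Resolve-SpoUser -Context $Context -NtAccount $owner -TenantDomain $TenantDomain -Cache $Cache
    if ($null -eq $user) { return $false }

    $item  = $Context.Web.GetFileByServerRelativeUrl($ServerRelativeUrl).ListItemAllFields
    $value = [Microsoft.SharePoint.Client.FieldUserValue]::FromUser($user.LoginName)
    $item['Author']   = $value
    $item['Editor']   = $value
    $item['Modified'] = (Get-Item -LiteralPath $LocalPath).LastWriteTimeUtc   # keep the local date stamp too
    $item.Update()
    $Context.ExecuteQuery()
    return $true
}

# Usage (paths and domain are placeholders):
# $cache = @{}
# $localRoot = 'D:\Share\Finance'; $serverRoot = '/sites/team/Shared Documents/Finance'
# Get-ChildItem -LiteralPath $localRoot -Recurse -File | ForEach-Object {
#     $url = $serverRoot + $_.FullName.Substring($localRoot.Length).Replace('\', '/')
#     Set-ItemProvenanceFromLocalFile -Context $ctx -ServerRelativeUrl $url -LocalPath $_.FullName -TenantDomain 'contoso.com' -Cache $cache
# }
```

EnsureUser adds the account to the site's user information list if it is not there yet, which is exactly what is wanted during a migration, but it also means a typo in the tenant domain would silently create nothing rather than the wrong user: the call fails, the warning is logged, and the item keeps its defaults.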

The next things we do after that will be:

  • Download documents from SharePoint to the local drive
  • Assign metadata from CSV file as you upload documents
  • Flatten a folder structure as you upload it.


These are harder to do than you might think. I'll post more on this in coming weeks, including our challenges and progress updates.

Announcing CloudPrep 2014 Migration Toolkit for SharePoint Online

We do a lot of Office 365 migrations. Most of these are for businesses with fewer than 50 employees. This should surprise nobody except maybe Microsoft, who seemed to be slow to realize that their cloud platform would have the most appeal to companies with limited budgets – or that most jobs in the US are provided by small businesses. Go figure.

Over the years, I’ve written several times about the challenges of moving from a conventional file store to Office 365. Fact is, it’s just not simple to do. It really makes sense to have an experienced IT professional help you make the move. I like helping customers make the switch, but doing so has presented interesting challenges for my business that I’m sure other SharePoint consultants share too.

Firstly, there are great third party tools out there for migrating files. We often use ShareGate and Content Matrix from MetaLogix. MetaVis is another great company that has great tools with lots of features. Fact is that even though these tools are great, they are also quite expensive. They’re feature rich, so really knowing the tool is a skillset of its own – and it makes good IT people hard to find when I need them to do a job. We also run up against serious limitations when trying to use these tools; sometimes we cannot find a way to use the tools to migrate the files in exactly the way we want to.

Second, some of my clients already have a part-time IT person or managed services company that helps them service their PCs and on-premises servers. Traditionally, we're a SharePoint consultancy and we never set out to replace other IT folks; they need work too. They have the relationship with my customer, and the local presence needed for on-site work. Over the years, I've seen that customers prefer to have their own local IT provider for most small requests. We needed to find a way to coexist with these other businesses in a way that would benefit us both.

Back in 2012, at the behest of a marketing consultant (who gave me lots of advice that was either bad or that I couldn't follow at the time), I created a small tool called CloudPrep. This tool wasn't much; I never had much confidence in it and so I never really promoted it. But it did the work of renaming files that SharePoint didn't like, and combined with WebDAV it was enough to get 20 to 50 GB of customer files into the cloud in a few days' time. I released it into the wild, and CloudPrep has been getting downloaded a few times a week – mostly by other Office 365 consultants, to my chagrin. Lesson learned, and another checkmark for finding a way to compete with other IT providers; there are more of you than there are of me!

One problem I’ve noticed is that Office 365 migration budgets are small – I mean really tiny! That’s weird when you consider that for a 25 person company the ROI could be hundreds of thousands of bucks. But, we have been in an economic slump for something like 5 years now. I guess that takes its toll; even if you knew it would make you a thousand dollars next month, you can’t spend $100 today unless you have it to spare. Some companies are reluctant to spend even a few thousand to plan and execute.

There are a few tools that are in the "beer money" range. I tried FilesToGo once – and only once. It lacked some features that seemed obvious to me, and that made my client extremely angry. It didn't have a lot of options either; one size fits all. I won't discourage anyone from using it if it meets your needs, but I'm not going to risk my relationship with my clients on it. I am honestly surprised that after all this time there's nothing else in its price range.

I guess you could say that I’ve gotten fed up with this situation. Yet another migration we had to do where the current tools on the market couldn’t meet our needs for the client’s budget. That story gets old.

So, the boys in the lab and I finally built our own!

Announcing CloudPrep 2014! Forget everything you ever knew about that crappy tool we made back in 2012, because this is something at a whole new level.

CloudPrep 2014 is not one of those big expensive tools with a fancy GUI. It's a set of PowerShell cmdlets that work with SharePoint Online and your local file system. These commands and the sample scripts provided with them are designed to empower IT people and make migrating files to and from SharePoint Online a piece of cake.

These tools don’t replace an IT person or their experience. You’ll still need an experienced consultant to tell you how to organize your files, use metadata, overcome or avoid SharePoint Online limitations, and of course actually use the tools. You needed all that before anyway. The difference is that now much of this can be provided by your own experienced IT staff; or if you’re an IT consultant yourself, you can use our tool and make your small-business and small-budget migrations a breeze instead of a quagmire.

Our commands fall into basic categories: planning, preparation, file migration, and SharePoint management. We’re still putting the finishing touches on the product now. We’re hoping to have the Lite and Standard editions released to market sometime in February, with the Premium and Professional versions available as soon as March or April.

In the meantime, please take a look at our feature matrix and proposed pricing structure. There’s still time to collect some feedback. So, if you have a feature you’d like to see that isn’t here, then leave us a comment and let us know. Even if you don’t add a feature by the launch date, we’re planning to add even more features later. We’ll entertain any reasonable suggestion – except charging more for the product.

Like what you see and can’t wait to try it out? Contact us and I’ll give you a 15% discount if you purchase during the early access period.

Feature matrix by edition (Yes = included, - = not included, ?? = not yet decided, N/A = not applicable):

Feature                                                          Lite        Standard    Premium     Professional
---------------------------------------------------------------- ----------- ----------- ----------- ------------------------------
Release date                                                     Feb         Feb         March       April
Proposed price                                                   Free        $285        $576        $1,092 (+$300 per tenant beyond 2)
Number of Office 365 tenants                                     Unlimited   Unlimited   Unlimited   Unlimited
Number of site collections                                       Unlimited   Unlimited   Unlimited   Unlimited
Requires PowerShell 2.0 or higher                                Yes         Yes         Yes         Yes
Requires SharePoint client connectivity                          Yes         Yes         Yes         Yes
1 year support and updates (renewable annually)                  -           Yes         Yes         Yes
Supported OS: Windows Server 2008 or 2008 R2                     N/A         Yes         Yes         Yes
Supported OS: Windows XP                                         N/A         -           ??          ??
Supported OS: Windows Server 2003                                N/A         -           ??          ??

Planning and Reporting
Sizes and numbers of items by folder, extension, etc.            Yes         Yes         Yes         Yes
Check for potentially illegal file types                         -           Yes         Yes         Yes
Folder and file path length checking                             -           Yes         Yes         Yes
Permissions checking for local files                             -           -           Yes         Yes
Target URL length check report                                   -           -           Yes         Yes
Upload time estimates                                            -           -           -           Yes

File Preparation
File renaming for illegal characters                             Yes         Yes         Yes         Yes
File renaming for illegal paths (_files, _forms)                 Yes         Yes         Yes         Yes
Preserve Author and Editor for uploaded files                    -           Yes         Yes         Yes
Check for and automatically ZIP files with illegal extensions    -           -           Yes         Yes
  (EXEs, etc.)
Check for and automatically ZIP "_files" folders                 -           Yes         Yes         Yes

Migrate and Manage Files
Supports network mapped drives                                   Yes         Yes         Yes         Yes
Supports network UNC paths                                       Yes         Yes         Yes         Yes
Upload entire folder to document library                         Yes         Yes         Yes         Yes
Upload specific file to document library                         -           Yes         Yes         Yes
Download document library to folder                              -           Yes         Yes         Yes
Download specific file                                           -           Yes         Yes         Yes
Warns if source exceeds 5,000 items                              -           Yes         Yes         Yes
Warns if target URL length is too long                           -           Yes         Yes         Yes
Specify content type for uploaded documents                      -           Yes         Yes         Yes
Specify content type for top-level folder                        -           -           Yes         Yes
Specify content type for sub-folders                             -           -           Yes         Yes
Support for Document Sets                                        -           -           -           Yes
Flatten folder structure with duplicate filename handling        -           -           Yes         Yes
Flatten folder structure at 1 or more levels deep                -           -           -           Yes
Convert folder names to metadata fields                          -           -           Yes         Yes
Create source URL field for uploaded files                       -           -           Yes         Yes
Create MD5 hash field for uploaded files                         -           -           -           Yes
Export metadata to CSV file when downloading files               -           -           -           Yes
Synchronize local and cloud files using file modified time       -           -           Yes         Yes
Synchronize local and cloud files using modified time + MD5 hash -           -           -           Yes

Automation Features
PowerShell cmdlets                                               Yes         Yes         Yes         Yes
Unattended execution                                             -           Yes         Yes         Yes

SharePoint Management & Development
Create and edit SharePoint users                                 -           Yes         Yes         Yes
Set common properties for lists and document libraries           -           Yes         Yes         Yes
Create and edit columns in lists and document libraries          -           Yes         Yes         Yes
Create and edit views in lists and document libraries            -           -           Yes         Yes
Copy a view to the same or a different list, library or site     -           -           Yes         Yes
Import and export site columns                                   -           -           Yes         Yes
Import and export content types                                  -           -           Yes         Yes
Import and export views                                          -           -           Yes         Yes
Add and remove users, groups and permission sets                 -           -           Yes         Yes
 

CloudPrep Lite
This edition is a good fit for small file migration needs and try-before-you-buy. You can use it to do basic reporting on the structure of your files, rename files that are known to cause problems during migration, and upload folder structures to your SharePoint Online document libraries. In most cases it has a 99.7% or better success rate, and it produces a handy report so that your remaining files can be uploaded manually.

CloudPrep Standard
This edition includes a standard set of features designed to help you move files into Office 365 with a minimum amount of difficulty. You can upload and download large file collections without having to stand by the computer, perform multiple upload/download passes, and specify a default content type for files. Run it from anywhere, including various versions of Windows Server. We also include some additional pre-migration reporting tools that help to identify problems before you migrate your files.

CloudPrep Premium
For the seasoned SharePoint admin or IT professional, this edition includes features that will help you get the most out of Office 365 in the cloud. We include even more reports to give you a 360 degree view into any potential file migration issues. The file upload tool includes a variety of features for setting metadata and flattening folder structures.

CloudPrep Professional
This edition enables the true Office 365 IT professional to handle migrations for multiple clients. It has all the features of the Premium edition plus advanced content type features, including support for Document Sets. It also includes the ability to create an MD5 hash for uploaded files, which helps in detecting duplicate files and in determining that two files differ even when their date stamps match.

Lessons from the Field for Migrating to Office 365

Recently, I’ve talked a bit about how companies can save money in lots of places by moving to the cloud with Office 365, and I’ve also described some of the complexities involved in moving large file shares to SharePoint. Today, I’d like to take a few minutes to talk about some of the lessons learned on some of our Office 365 migration projects over the past several months.

Getting Good Information Up Front is A Challenge
As SharePoint developers, we’re used to working with the IT departments of larger organizations (say 500 to 5000 employees) as we develop solutions. However, with Office 365 customers, many times we’re not working directly with IT folks. The customer may have a managed service provider for desktop support, a part-time IT contractor, and some clients do not even have their own IT staff at all.

Needless to say, planning a move to Office 365 requires us to take stock of a great many technical details. It’s not surprising that folks outside of IT might miss the importance of the myriad trivial details involved.

But getting these facts wrong during the early stages can lead to incorrect estimates and costly mistakes down the road. It’s important to get the discovery right.
Here are some things customers should pay careful attention to when gathering information in the pre-project planning phase.

Basic Planning
Make a User Inventory
Know how many users you plan to have. We’re going to need their contact information, including phone and e-mail, because more than likely this information isn’t up to date in Active Directory. From there we can talk about what plans are best for your users.

Make a Workstation and Mobile Inventory
Know how many desktop PCs, laptops, and mobile devices you’ll be configuring. It’s also important to know what kind of mobile devices will be used and how many of each type.

Make a Server Inventory
Know exactly what servers you have, what operating system and version they run on, and exactly what purposes they serve (file shares, print server, domain controller, e-mail, etc.) If you do not know these things, you should consider paying for a 1 to 3 day evaluation to document all of your systems.

What Will You Turn Off After Migration?
Part of calculating the cost is understanding the benefits you get in return for it. If you’re not sure that a system can be fully disabled after moving to the cloud, that’s something we can help you figure out.

Will You Need Any Servers You Don’t Have?

For example, if you are syncing Active Directory users to Office 365, you need a server to run this on, though it needn't be very powerful. If you have applications running on servers that you otherwise want to decommission, you may need a server in the cloud to replace them. Likewise, if your security needs are high, you'll want to have a CipherPoint Eclipse or F5 BIG-IP running in the cloud in front of Office 365.

Domain Registration
You should verify that all your domain names are still current and that you have access to the DNS registration. We’ve occasionally had customers who have some older DNS names that were being used for e-mail aliases, and they weren’t able to migrate them fully because they’d lost the ability to manage the domain name. Check on these beforehand and avoid unpleasant surprises.

Remote Access
Some companies have a VPN; this is ideal. Some do not and have to rely on clunky terminal servers or third-party services such as TeamViewer or LogMeIn. If you're in the latter situation or haven't set anything up at all, we should talk about what is likely to cause issues for the folks doing the migration work, because not all of these services are created equal.

What’s Your Actual Available Bandwidth
Knowing if you have a T-1, cable modem, or DSL is helpful; it’s not the end of the story. We’ll want to perform some bandwidth tests at different times of the day in order to account for the connectivity that your company is already using. In general, migrations that have to be pushed to the evening or weekends will take longer.

Test for Equipment Bottlenecks
It’s also worth pointing out that some older equipment can actually be slower than the Internet connection can handle. Early on, we can do a trial run with a few files or a single mailbox in order to determine if there are going to be unexpected problems due to slow hard drives and outdated or overloaded servers.

E-mail Migration Planning
Know Your E-mail Server
Whether you’re using Exchange, Lotus, or some other server it helps to know what we’re dealing with. We’ll need to know how many users you have, how big are their mailboxes, and what distribution lists you’re using. It’s not unusual to find a few people in a company with mailboxes approaching 20GB (or bigger!). Anything at this size is going to take a lot longer to move than usual and that needs to be taken into account.

Great Firewall of Spam
For the mail server, the above is a good start, but not enough. You need to identify if you have an anti-spam appliance (e.g. Barracuda) or service (e.g. Postini) in front of your mail server. You probably won’t need it after moving to Office 365, but if you want us to make it a part of the move we need to know ahead of time.

E-mail Archives
Most people do not think about this, but Outlook archive (*.PST) files do not move automatically to the cloud. One of the best approaches we've found is to copy their contents up into Exchange Online so that you'll have access to them everywhere you go. If you're using archives, it's important to know this so we can take them into account when looking at mailbox sizes, migration plans, etc.

File Migration Planning
Make a File Inventory
Know where your files are, how big they are, what you will move, and what you might leave behind. Professionals have tools that can help to analyze your files and better determine the cost to migrate. However, these tools are only helpful if we have the opportunity to run them against all the files that will be moved.

Public Folders
If you use Exchange Public Folders, plan for them separately. Exchange Online's support for public folders has been limited, and they have been reworked in recent versions of Exchange, so we treat their contents as files: copy them down into a regular file share so they can be moved into SharePoint, and include them when we determine the size of the file stores you'll be moving.

How Will the Migration Team Access Files?
Depending on the remote access method and the speed of your Internet connection, in some cases it may actually be faster to copy your files to a portable drive and FedEx them to us rather than have us try to copy them from your office. This also provides the fringe benefit of being able to split the migration up across multiple sites, which can make everything go faster.

Dealing with the Unexpected
Obviously, there's no such thing as a crystal ball, and that's even more true in IT. Aside from the things I talk about above, little things can go awry during the project. It's important to remember that migrating to Office 365 is a big change from the way companies used to work back in the 90s. Be ready to expect and deal with the unexpected.
Here are some things we’ve seen happen in the middle of a project that can really get things out of whack.

Slippage
Sometimes it just takes longer to move files or e-mail than it seems like it should. It really helps to know exactly what we’re moving in the first place, but if your estimate and schedule were written sight unseen before we had access to the servers, then probably there are baked in assumptions that may prove to be wrong.

Even if we did a 1 day triage visit at the start of the project, sometimes the technology can make fools of us all. I had one customer where most mail moved over fine, but then one user’s mail dragged on and on weeks on end simply because their outdated server would not provide it any faster.

Needless to say, schedule creep can be very disruptive. As a result, we’ve learned to base our schedules on being 95% complete – anything more can be managed as ongoing support and needn’t cause everything else to back up waiting for it.

Limits of File Migration Tools
Moving files into SharePoint is not a drag-and-drop operation. Fortunately, there are many good products on the market, and the state of the art is constantly changing. But these products are not what I’d call mature, partly because Microsoft keeps changing the Office 365 platform itself. Over the years, we’ve seen file migration tools for SharePoint Online that don’t copy the date stamps on your documents, tools with poor or quirky support for Document Sets, and tools with draconian restrictions on the size of files that can be copied.

If we are copying a large volume of files, it is not uncommon for us to do a test run and then start over. We try to account for this in our estimates, but it’s not a perfect science. Tools are great, but if a tool or product does not get the results we want, we may have to switch tactics. This is not a sign of the coming apocalypse. Be prepared for this to be part of the process.
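Two of the points on this page, handing files over on a portable drive (under "How Will the Migration Team Access Files?") and migration tools that silently rewrite date stamps, call for the same baseline: a manifest of what left the source. The script below is an added example, not code from the original post or from any migration product. It assumes Windows PowerShell 5.1 or PowerShell 7, and the share and drive paths, the function names and the demo data at the bottom are all placeholders I made up. The SHA-256 hashes catch a drive that was damaged or tampered with in transit; the recorded LastWriteTime gives you the original date stamps to spot-check against once the files are in SharePoint.

```powershell
# Added example, not from the original post. Builds a SHA-256 manifest of a
# file share before it leaves the building and verifies a copy against it.
# Assumes Windows PowerShell 5.1 or PowerShell 7; all paths are placeholders.

function New-FileManifest {
    param(
        [Parameter(Mandatory)] [string] $Root,          # top of the share being shipped
        [Parameter(Mandatory)] [string] $ManifestPath   # CSV that travels separately from the drive
    )
    $rootFull = (Resolve-Path -LiteralPath $Root).Path.TrimEnd('\')
    Get-ChildItem -LiteralPath $rootFull -Recurse -File | ForEach-Object {
        [pscustomobject]@{
            RelativePath  = $_.FullName.Substring($rootFull.Length + 1)
            Length        = $_.Length
            # Original date stamp, kept so a migration tool that rewrites it can be caught later.
            LastWriteTime = $_.LastWriteTimeUtc.ToString('o')
            Sha256        = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
        }
    } | Export-Csv -LiteralPath $ManifestPath -NoTypeInformation -Encoding UTF8
}

function Test-FileManifest {
    param(
        [Parameter(Mandatory)] [string] $Root,          # the copy being checked (e.g. the drive)
        [Parameter(Mandatory)] [string] $ManifestPath
    )
    $rootFull = (Resolve-Path -LiteralPath $Root).Path.TrimEnd('\')
    $expected = @(Import-Csv -LiteralPath $ManifestPath)
    $problems = @(foreach ($entry in $expected) {
        $target = Join-Path $rootFull $entry.RelativePath
        if (-not (Test-Path -LiteralPath $target -PathType Leaf)) {
            [pscustomobject]@{ RelativePath = $entry.RelativePath; Problem = 'missing' }
            continue
        }
        $actualHash = (Get-FileHash -LiteralPath $target -Algorithm SHA256).Hash
        if ($actualHash -ne $entry.Sha256) {
            [pscustomobject]@{ RelativePath = $entry.RelativePath; Problem = 'hash mismatch' }
            continue
        }
        $stamp = (Get-Item -LiteralPath $target).LastWriteTimeUtc.ToString('o')
        if ($stamp -ne $entry.LastWriteTime) {
            [pscustomobject]@{ RelativePath = $entry.RelativePath; Problem = "date stamp changed to $stamp" }
        }
    })
    # Anything on the copy that was never in the manifest is reported as well.
    $known = @{}
    foreach ($entry in $expected) { $known[$entry.RelativePath] = $true }
    foreach ($file in Get-ChildItem -LiteralPath $rootFull -Recurse -File) {
        $rel = $file.FullName.Substring($rootFull.Length + 1)
        if (-not $known.ContainsKey($rel)) {
            $problems += [pscustomobject]@{ RelativePath = $rel; Problem = 'unexpected extra file' }
        }
    }
    return $problems
}

# Constructed demo: build a tiny "share", manifest it, copy it, tamper with the
# copy, and verify. Replace these with the real share and drive paths.
$src      = Join-Path ([IO.Path]::GetTempPath()) ('share-' + [guid]::NewGuid().ToString('N'))
$dst      = "$src-copy"
$manifest = "$src.csv"
New-Item -ItemType Directory -Path (Join-Path $src 'HR') -Force | Out-Null
'handbook v3' | Set-Content -LiteralPath (Join-Path $src 'HR\handbook.txt')
'q1 numbers'  | Set-Content -LiteralPath (Join-Path $src 'budget.csv')
New-FileManifest -Root $src -ManifestPath $manifest
Copy-Item -LiteralPath $src -Destination $dst -Recurse
'q1 numbers (edited in transit)' | Set-Content -LiteralPath (Join-Path $dst 'budget.csv')
Test-FileManifest -Root $dst -ManifestPath $manifest | Format-Table -AutoSize
```

Keep the manifest off the drive (e-mail it, or attach it to the ticket) so that whoever can alter the drive cannot also alter the manifest, and run Test-FileManifest against the drive before anything is pushed into SharePoint; a clean run is also your evidence, if a date stamp is wrong later, that the migration tool and not the copy is to blame.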

Limits of E-mail Migration Tools
If you are migrating from Exchange 2007 or later, Microsoft has some great built-in tools to make this possible. There are good third-party solutions for other platforms. Each of these has its own limitations. For example, Microsoft’s tools may not do well on extremely large mailboxes. Third-party tools may be more robust, but they can take almost twice as long, because they have to copy from the source and then copy again into Office 365, whereas Microsoft’s tool runs on the same network as the destination mailbox.

Limits of SharePoint
SharePoint is like any complex software product: it has boundaries. There are limits on the amount of storage you can have in a Site Collection, and limits on the number of items you can effectively put in a List or Library. Our job as consultants is to come up with plans and designs that avoid as many of these as possible. Still, it’s important to understand that Microsoft is constantly changing Office 365, usually for the better. There have been times that we tried out a particular approach to organizing content and then had to change tactics because one of our assumptions proved to be incorrect.

Here are some examples of fiddly details that have sometimes pushed us around:

  • Flat views don’t work in large libraries (> 5,000 items), even though you’d think they’d be limited to the current folder.
  • In large libraries, indexed columns must be created before the library passes 5,000 items.
  • Document Sets can only have one view inside the Document Set itself.
  • Nesting folders within Document Sets is quirky.
  • You cannot easily change the look and feel of the “my-sites” part of SharePoint.
  • And many more…
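The first two items above are the ones that bite silently, because nothing warns you as a library creeps toward 5,000 items. The following audit is an added example, not code from the original post or from Microsoft; it assumes the PnP.PowerShell module (Install-Module PnP.PowerShell), a site you can sign in to interactively, and, on current PnP.PowerShell releases, the Entra app registration your tenant requires for -ClientId. The site URL, the 80% warning level and the function name are my own placeholders.

```powershell
# Added example, not from the original post. Lists every visible list and
# library in a SharePoint Online site, flags those over or approaching the
# 5,000-item list view threshold, and shows which columns are already indexed.
# Assumes the PnP.PowerShell module is installed; $SiteUrl is a placeholder.

function Get-ListThresholdReport {
    param(
        [Parameter(Mandatory)] [string] $SiteUrl,
        [int]    $Threshold = 5000,   # the list view threshold discussed above
        [double] $WarnAt    = 0.8     # flag lists at 80% of the threshold, while indexes can still be added
    )
    # Newer PnP.PowerShell releases also require -ClientId for a registered Entra app.
    Connect-PnPOnline -Url $SiteUrl -Interactive
    try {
        $report = foreach ($list in Get-PnPList) {
            if ($list.Hidden) { continue }   # skip hidden system lists
            # Indexed, visible columns are what let a filtered view stay under the threshold.
            $indexed = Get-PnPField -List $list |
                Where-Object { $_.Indexed -and -not $_.Hidden } |
                Select-Object -ExpandProperty InternalName
            $status = if ($list.ItemCount -ge $Threshold)               { 'OVER' }
                      elseif ($list.ItemCount -ge $Threshold * $WarnAt) { 'NEAR' }
                      else                                              { 'ok' }
            [pscustomobject]@{
                Title          = $list.Title
                ItemCount      = $list.ItemCount
                Status         = $status
                IndexedColumns = if ($indexed) { @($indexed) -join ', ' } else { '(none)' }
            }
        }
    }
    finally {
        Disconnect-PnPOnline
    }
    return @($report | Sort-Object ItemCount -Descending)
}

# Usage (placeholder URL): review the OVER and NEAR rows first. A NEAR library
# with '(none)' under IndexedColumns is the one to fix before it grows further.
Get-ListThresholdReport -SiteUrl 'https://contoso.sharepoint.com/sites/projects' |
    Format-Table Title, ItemCount, Status, IndexedColumns -AutoSize
```

Run it from a scheduled task or as part of a monthly health check; the point is to see the NEAR rows while adding an index is still a ten-second change rather than a restructuring project.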


Shifting Requirements
Migrating to Office 365 is a big change. Training and discovery are a part of the process, and so you might learn something about the platform that you did not know at the beginning.

Likewise, we may learn something about your business that was not clear at the start and this could cause us to change our recommendations. Stay nimble and flexible; these moments can be opportunities to improve rather than a cause of stress.

15 Things: a Day in the Life of a SharePoint Life Coach

Recently, we launched a new service called SharePoint Life Coach. This service was designed to be of value to customers who need help with SharePoint but have a limited budget to work with to get the support they need. To help folks understand this service better, I'd like to describe what sets it apart and some of the questions we answer in a typical session.

With traditional consulting, you the customer tell us what to do and then we tell you how long it will take.  We then run off and accomplish these things for you, and sometimes we work with you along the way. Some consulting is about making recommendations, some is about troubleshooting. In general, the focus is to bring you a finished product, whether that deliverable is a document, a working system, or a piece of code. Of course, all of this is billed by the hour, and having a consultant working full-time is beyond reach for many companies.

SharePoint Life Coach service differs from traditional consulting in a couple of important ways.

  • The customer sets the pace for sessions, based on their time and budget.
  • Sessions follow a semi-structured format, so that the desired material can be fit within the allocated time.
  • Focus on consistency, and results will emerge: the idea is to have regular sessions over an extended period that help ensure better results.
  • The deliverable is you; our approach is "teach a person to fish and they'll eat for a year".


As we bring new folks into the Life Coach system, one of the first things we do is to set up topics for that all-important first session. Sometimes the hardest thing is knowing where to begin. Many times, our customers come to us after just getting started with Office 365 and SharePoint Online. They quickly realize that SharePoint is a very complicated product, and that there is more to managing it than just pulling some levers on the Office 365 management portal web site.

Over time, we've found that folks are asking some of the same questions over and over again. On some topics, we start to feel a bit like a broken record. Though we've answered those questions many times, the answer varies from customer to customer based on their specific story, for example the size of their company, the tech savvy of their staff, etc. As a result, while there are common themes, there is no one-size-fits-all solution for these things. Being able to tailor these recommendations to your needs is what having a SharePoint Life Coach is all about.

Here are some of the popular topics that people have asked for:

  1. What are some of the pitfalls that I should avoid while working in SharePoint?
  2. What training do my end-users need to work effectively in SharePoint?
  3. How do I keep SharePoint from becoming a mess?
  4. What is the right way to structure my SharePoint web site and sub-sites?
  5. When should I use a sub-site, a list, a library, a document set, or folders?
  6. I know folders are bad, but my users love them; how do we cope?
  7. Everyone misses the network shared drive. How can people work with files quickly in SharePoint?
  8. I want to use SharePoint as an Intranet for my company; what kinds of content and things should I put on it?
  9. What's the best way to structure users, groups, and permissions?
  10. I've heard of SharePoint governance. It turns out it was a 500 page document. Is there anything for small businesses that is like governance-lite?
  11. Should I buy a file migration tool, move my files by hand, or just hire someone to do it for me?
  12. Should I use an Outlook Shared Calendar or a SharePoint Calendar?
  13. Can I organize our list of customers in SharePoint?
  14. How long does it take for stuff to show up in Search? Why aren’t my PDF files showing up?

Who Really Has the Best SharePoint Workflow Product?

I came across this blog article today, asking the question "Who has the best SharePoint Workflow Product?" This seems to have gotten a lot of attention, and so far I see that over 4,500 people have voted. That's some serious interest!

I sometimes get this question from our customers, and this is particularly challenging for me because often the correct answer is "it depends". Sure it sounds like a copout, but it's really not a very simple question.

It gets even a bit more complex for us, because we have partnered with both Nintex and AgilePoint, and needless to say Thanksgiving dinner would get a little awkward if I tried to declare a unilateral favorite. But read on and you'll see there's a reason things played out that way.

I'm going to do my best to approach this question as impartially as I can. I will be very candid. From my point of view, the three workflow products mentioned in the article, AgilePoint, Nintex, and K2 are certainly the best of breed for all SharePoint workflow products. There's also Bamboo, Datapolis Workbox, HarePoint, MetaStorm, and Global360 to name just a few; but I really feel like most of these have missed their chance to take a leadership position in this space, in one way or another.

So here it goes: the good, the bad, and the ugly of SharePoint workflow and third-party products.

Why Not OOTB SharePoint Workflow?


You can't have a serious discussion of third-party workflow products in SharePoint without asking the obvious question: "Why not use SharePoint workflow in the first place?" Personally, I am not a fan of SharePoint's so-called out-of-the-box workflow, for a lot of reasons.

OK - deep breath, inhale…

The first thing that jumps out at me is the way that Microsoft has absolutely bungled SharePoint workflow when you look at what they've done over the past ten years. In SharePoint 2001, they had workflow, but in SharePoint Portal Server 2003 they took it away completely. In 2007 they brought workflow back, using something like Outlook rules to help end users develop simple workflows, or Workflow Foundation in Visual Studio for the really complex stuff. These had serious limitations and neither could be effectively created by analysts alone, so in SharePoint 2010 they introduced some Visio capabilities - but then totally dropped the ball by taking away any ability to do simple workflows with loops or anything like "go back to step 2". I was sure they'd get it right in SharePoint 2013, so I was horrified to learn that they have completely revamped the workflow system so that now 2010 workflows and 2013 workflows are completely different and incompatible - and that in the 2013 version there are a significant number of actions you can no longer do that worked in the 2010 version. To me, this is not a stable and mature part of the platform; to leverage it will be like building on shifting sand and you should be prepared to rebuild everything in a couple of years if you go this way.

More so, SharePoint's native workflow cannot handle complex, recursive, or long-running flow patterns. Some processes are just too complex, long-running, or rapidly changing to be supported by SharePoint's native workflows without a great deal of custom code, unless you use a third-party workflow product or, in some cases, a full-blown Business Process Management (BPM) suite.

As for Visual Studio workflow, custom code is expensive and time-consuming both to create and to maintain on an ongoing basis, so the best practice in almost any situation where the problem can be solved by either custom code or an existing product on the market is to use the existing product.

Finally, even with SharePoint Designer there's a valid point: if you have developers available to do SharePoint workflow in Visual Studio or SharePoint Designer, there is a very, very, very good chance that there's something (anything!) else they could be doing instead that would give you a better return on their development time. Thus, we strongly recommend that you pick at least one third-party workflow product.

That being said, let's move on and take a look at some products!

Nintex Workflow


Nintex is an excellent choice if you have workflows that are more complex than can be easily done out-of-the-box with SharePoint. It's comparatively easy to set it up and use it when you contrast it with anything K2 has to offer. As a result, Nintex is commonly used to supplement SharePoint Workflow within the vast majority of SharePoint farms.

 

I haven't recently looked for any market data, but I'm pretty sure that Nintex is by far the most successful SharePoint product in terms of pure sales, and as a partner we love the Nintex web site for its ability to give us the resources we need to market and demonstrate their product. You will have absolutely no difficulty finding a reseller in your area to help you with professional services, although I hope that you'll just call on us instead. We'd be happy to give you a demo. Personally. ;-)

Nintex has pretty good integration with systems outside of SharePoint. Off the top of my head I know that we can use it to do most basic tasks within SharePoint, plus we can call web services from outside systems or manipulate databases. These features are pretty easy to use, but I would not say that your average SharePoint user or site owner will necessarily know how to leverage them. That said, most business users will be able to get by doing things purely inside of SharePoint.

Nintex has EXCELLENT support for the cloud. They have a version of their product that runs on Amazon Web Services and integrates with Office 365 SharePoint Online. At this writing, I'm not aware of any other workflow product for SharePoint that can claim this.

As far as downsides go, I'd say that Nintex's architecture suffers from the same issues SharePoint workflow does, so on SP 2010 or older your workflows are going to run on the web front end and consume resources there. As a result, you may need to add more WFEs to your farm the more you use it. This is mighty convenient for Nintex, since they license the product per WFE in your farm.

One other thing to note is that Nintex can't really handle the complexity of some of the processes we develop for our clients. We're talking about long-running processes that could take months or over a year to complete and have hundreds of steps. You see things like this in government agencies a lot. I've done really mind-bogglingly complex ones for NIH, FAA, and most recently USDA. Personally, I wouldn't want to try to use Nintex to solve these sorts of problems.

AgilePoint (particularly Genesis Edition)


Considering all the workflow products for SharePoint, probably the main thing to point out about AgilePoint is that it is so much more than just a workflow engine. There just aren't that many players out there in SharePoint workflow who can honestly claim they are a fully functional business process management system, or BPMS.

 

As a result, AgilePoint workflows can be changed while running. A long-running flow will not be "orphaned" by changes to the process that occur while it is in progress. This is perhaps its very best feature. As a rule, if your process has 25 or more steps and is completed over the span of a month or more, you should strongly consider AgilePoint.

And yet, in contrast to many other BPMS systems, AgilePoint is designed exclusively for the Microsoft .NET framework and relies heavily on the Microsoft product suite for design and implementation rather than on proprietary tools. AgilePoint uses Microsoft Visio to design workflows and InfoPath to create forms, so any office with full Microsoft Office licensing already has all the tools AgilePoint requires. It integrates natively with SharePoint workflow; AgilePoint workflows can be deployed to SharePoint at least as easily as SharePoint's own native workflows can be deployed from SharePoint Designer.

AgilePoint Genesis installs natively alongside (and co-exists with) other SharePoint workflows. It supports every known pattern of dynamic and ad-hoc workflow identified by the BPM industry and provides 36 different functions for interacting with SharePoint. More are available with the Enterprise edition, and the possibilities with custom AgileParts are virtually limitless. This functionality leads us to conclude that AgilePoint sports A+ level “tight integration” with SharePoint. Users will never know their process has left the SharePoint server, yet AgilePoint will not negatively impact SharePoint performance in any way.

As a company, AgilePoint's primary focus is workflow, and the product is designed to make creation and modification of workflows accessible to business users rather than requiring a high level of programming skill. A business analyst with strong knowledge of Visio can be trained to create a fairly complex workflow within half a day. Workflow activities can be based on InfoPath forms created by anyone with the technical savvy to create forms in Microsoft Access. Most process revision consists of moving objects on a diagram and doesn’t require a developer at all.

Call me a total geek, but one cannot discuss the strengths of AgilePoint without at least mentioning some of the obscure but important technical aspects that make it a truly impressive product. For one, AgilePoint’s model is declarative, meaning that essentially no code is generated to drive the workflow process, only XML; this is in sharp contrast to many BPMS as well as the Microsoft Workflow Foundation engine (SharePoint, K2, Nintex), which all use a large amount of dynamically generated source code to drive the workflow logic. In fact, AgilePoint uses the Visio document format itself to drive its workflow engine, so the process is literally running the exact same flow charts drawn by the business analysts and developers! Another advantage is that AgilePoint is one of only a very few pure-play .NET BPMS on the market: there is no part of the product that inherits from COM, as many older and more well-established players in the market still do (over 10 years after .NET’s debut).

That’s not to say you can’t program against it if you want to; developers can write full-featured extensions in .NET, and they often know tricks to make InfoPath and SharePoint do things that go well beyond out-of-the-box capabilities. We've found that many additional things can be done if you're willing to add custom web services to the mix (also true for Nintex, to be completely fair). For example, we built a set of web services for one of our clients that allows them to move and copy Document Sets around in SharePoint using AgilePoint; it also implements structured creation of new team sites, which is an important aspect of SharePoint governance.

Finally, the very low cost of AgilePoint's Genesis product is a significant advantage, putting it within reach of smaller companies and even single-project budgets. AgilePoint's Enterprise Edition has traditionally been a five-figure product; however, they recently reduced their pricing quite substantially to be competitive in the SharePoint market. For 100 users, a typical annual fee for Genesis with AgileReports and InfoPath support would be less than $5k, and governments and non-profits get even better pricing. They've also proven flexible about selling additional components a la carte from the higher edition of the product if you only need a few. It's worth pointing out that even at the Enterprise price, it holds its own nicely against many six- and even seven-figure alternatives.

For up-to-date AgilePoint pricing or other product information, please fill out our short request form. You'll be taken to their product information and download page afterwards. If you decide to download the free version, please let them know we sent you.
By now you probably realize that I truly love working with this product. So, I will mention a couple of disadvantages, just to prove I am being completely honest.

Firstly, I have to say that while AgilePoint comes closer to the promise of developer-free workflow than just about anyone else, their system is still quite complex, and you will need the help of an experienced consultant to really make it sing. (I swear I am not saying that just so you'll hire us.) For simple workflows, you will be fine following the basic patterns for which there are many demos, and I think most business users could make minor adjustments to processes. This is where a key AgilePoint strength can become a bit of a weakness, because it really lets you build amazingly complicated workflows. Once something gets that complex, of course it is going to require a specialist.

Also, AgilePoint does have a runs-in-the-cloud option, but it lags behind Nintex in terms of support for Office 365. Last we heard, you can't initiate a workflow instance from inside a SharePoint Online list or document library. However, their support for Office 365 sites as part of a workflow that starts in some other way is pretty good. If you're running a hybrid farm scenario with one foot on-premises and one foot in the cloud, you might be able to work around this. Also, their technical team is pretty savvy, and I live in hope that they might catch up pretty soon.

Another drawback is that AgilePoint Genesis is reliant on InfoPath. That could be a strength, depending on how you look at it. Microsoft has promised that InfoPath will be a part of SharePoint until at least 2020, but they've pretty effectively bumbled the message to customers and partners alike about what we should use instead of InfoPath. AgilePoint does have their own forms engine that is part of their enterprise product, and we're hoping to see some flavor of that included into Genesis edition so we can offer an option for folks trying to actively avoid InfoPath in their solutions.

One final note: we've learned that very, very large forms can cripple the ability to run steps in parallel. This is because each step in an AgilePoint process is a view in the same InfoPath document, and two people can't edit the document at the same time. However, it's possible to work around this by designing your processes with this limitation in mind.

All in all, we find that AgilePoint pros far outweigh the cons. If you want a six-figure BPMS at a four-figure price and would like to avoid spending millions of dollars to support a system that might see fewer actual workflows implemented on it than I have fingers on one hand, skip the big boys and build it in AgilePoint.

K2


K2 BlackPearl and BlackPoint, its lightweight SharePoint version, are great products built on .NET technology and well suited to strong integration with SharePoint. K2 has been around a long time, and as a result their product has a great feature set. They were the dominant player in SharePoint workflow until Nintex came along and ate their lunch as people made the switch from 2007 to 2010.

K2 has good integration with products that are not SharePoint. In fact, I'd describe their flagship product as a standalone workflow product that just happens to play really well with SharePoint. As such, you won't have any serious issues using it to connect to Oracle or other non-Microsoft systems, though it is built on Microsoft technology, so it's going to be stronger in that scenario.

In some ways, I feel a little bit guilty, as if my review of K2 should be a little bit longer. However, simply put, they're far too expensive for my taste. It costs a lot to buy, there aren't that many people who know it really well, and development isn't lightweight enough to hand to business users, so there will always be a development cost for using it.

My recommendation is that if you already leverage K2 in your enterprise, then using it in SharePoint is a no-brainer; if you haven't already got it in house, you should weigh it against the other options available.

(More of my thoughts on this are now in the comments; thanks to the community for challenging my thinking on this.)

MetaStorm


As a BPMS platform, MetaStorm has considerable strengths. Its primary focuses are on forms creation and business process modeling (i.e., analyzing and optimizing a flow that is not well understood in order to improve it). Its proprietary forms creation mechanisms are fairly robust, and they are fully integrated with its process flows. In addition, it can be integrated with Microsoft Office - a toolbar at the top allows work in MS Office applications to be integrated into MetaStorm processes, once the MetaStorm client has been installed. MetaStorm's design philosophy was to create a "One-stop shop" where flows, forms, reports and dashboards can all be created and managed within the same interface. For those who are adept with that interface, this can be an enormous advantage.

However, MetaStorm's weaknesses make it less than ideal for managing the workflow within SharePoint.

To begin with, while MetaStorm, like the products above, claims to be integrated with SharePoint, it is very important to point out that MetaStorm is only “loosely” integrated. It offers web parts that are "windows" into the MetaStorm engine, allowing access to forms and dashboards, but these web parts can't be used to create MetaStorm elements; they merely interact with them. The actual forms and processes are housed entirely within the MetaStorm server, and users of the web parts are frequently directed to external web pages within that server. Sometimes web users are forced to accept functionality that is much more limited than that provided by the MS Office add-on.

The connections to SharePoint processes are not native and need considerable configuration and technical expertise. While MetaStorm processes and forms used solely within that product can indeed be developed by mid-level Information Workers, the ability to wire MetaStorm flows to SharePoint at various connection points requires strong developer-level skills; it is our opinion that it's a tool best suited for large organizations where an entire IT department exists to create and modify workflow, where that department can be trained on the use of a specialized, proprietary tool. There would be a substantial technical cost for most organizations to acquire these additional skills on top of skills in SharePoint development.

On a recently completed project, we had approached the company to show us how we might do manipulation of SharePoint sites, documents, and other assets from within MetaStorm. What we found was that this always came down to custom code. OpenText does have some impressive libraries of scripts that can be used for this purpose and they seem willing enough to share; but I keep coming back to this - it is more code and it will need to be maintained.

Finally, we could find no example of anyone leveraging InfoPath as the form repository with MetaStorm as the BPMS nor could OpenText point us to one, although this issue may pale compared to the complete confusion regarding Microsoft's plan vis-a-vis the future of InfoPath.

MetaStorm has been around for a while under different names and companies. It has both a Java version and a .NET version. Parts of the .NET version of their process engine pre-date .NET and require higher-level developer knowledge to program or troubleshoot. What will happen to MetaStorm in the future is really unclear to us, since OpenText also owns a couple of other workflow products, including the product formerly known as Global360.

For these reasons, we don't generally recommend trying to implement SharePoint workflow in MetaStorm. It's not necessarily a bad product, but it just doesn't seem like the right product for the job 99% of the time.

Other BPMS Products


The vast majority of BPMS products come from the IBM technology space, are written in Java, and they typically do not integrate with SharePoint at all. This makes the set of developer skills required to build and maintain flows in those products far different from the set needed for managing SharePoint. Many are also cost prohibitive. In an environment where SharePoint already exists this would certainly drive up costs beyond what is reasonable. In general, I don't think it's such a great idea to use these systems combined with SharePoint - YMMV.

SharePoint Workflow? Why Not Zoidberg?


If I had to pick a favorite from the list above, I would have a very hard time choosing between AgilePoint and Nintex. So, here's where I have to ask the question that I do not hear people asking very often: if these different products have such different strengths and weaknesses, why not simply use more than one?

I happen to think that's a great idea. Use Nintex for your quick-and-dirty, self-service, six-guns-blazing SharePoint workflows that work really well with the laissez-faire approach to SharePoint collaboration, particularly in Office 365. Use AgilePoint to develop complex or long-running processes that will improve the maturity level of your organization and require continual adaptation and improvement. Especially when you look at prices for both AgilePoint Genesis and Nintex for Office 365, you'll see that you can probably fit both of them into your budget easily.

Did you like this article or find it helpful in making a decision? Do you work for one of these companies and feel like I didn't give your product a fair shake or left something out? Perhaps you've used one of these products in your organization and have an experience or opinion you'd like to share. Leave me something in the comments, subscribe to my blog (see upper right of this page), tell your friends about us, or give us a 5.0 on PinPoint - it's cheaper than buying me a beer and won't get lost in the mail.

----------------Comments from the old blog---------------------

Massimo
12/12/2013, 7:17:50 AM
Great write up and very useful for anyone wanting to make a decision on choosing the right workflow/BPM tool for their SharePoint. 
 
Thanks and keep them coming!


Jey
12/12/2013, 11:25:46 AM
K2 is a fantastic product. It provides simple and easy approach to bringing data, forms and workflow capabilities together into applications that are configured. Reuse is at the core and configuration is everywhere. This is where I see the product lending itself for people to learn it quickly and leverage it massively.


Dayv
12/12/2013, 11:46:04 AM
Your experience with K2 must be very outdated, as web-based designers allow everyone to build processes. K2 also integrates with any .Net service application such as CMS, SalesForce, SAS, etc., so there really are no limits.
 
As to the price, well it is true that you get what you pay for. 
 
Too many of the SharePoint integrated BPMS products, especially those built on SharePoint Declarative Workflows (ah... extensions of SharePoint Designer), are too dependent on Microsoft not making any changes, and tend to break when SP Service Packs are rolled out.


Thomas Carpe
12/12/2013, 12:01:30 PM
Dayv and Jay, 
 
I agree with you that K2 is an excellent product. They've been around for several versions of SharePoint and so their feature set is robust and mature.
 
I do not agree that it is a problem of you get what you pay for, as all these products are excellent for what they were designed to do. From my point of view, the main challenge with getting customers to adopt K2 has always been price, and that goes for any large scale product (take AvePoint's DocAve as one example). Especially since 2009, there's been a lot of downward pressure in the marketplace and with the appetization of the SharePoint market it is a challenge to get any but the largest enterprise to adopt a five or six figure solution no matter what bells, whistles, and unicorns are included in the box.  
 
Workflow (and the need for BPM) often starts at the project level and not in the enterprise - at least that's my experience where I have seen it succeed, and therefore the means are going to be on a much smaller scale in general. In particular, Office 365 customers have especially small budgets. 
 
I wouldn't say that my experience with K2 is limited, but I do admit that it is a bit out of date. The last time I used the product in a solution was on the SP2007 platform and at that time the engine was reliant on Workflow Foundation and thus had all the same fundamental flaws that Dayv describes regarding patching regimens and such. 
 
One thing I do feel like I need to rebut about your comments on declarative workflows: what you say about anything relying on SPD workflow, XOML, etc. is absolutely correct. One might say that same is true with WFE as a service packs and Microsoft product upgrades will almost certainly break workflow - just look at what happened with SP2010 vs. 2013 and workflow. However, AgilePoint's declarative model is their own XML schema and not based on XOML at all; therefore it has none of those drawbacks. In my view it has proven to be very reliable. 
 
It seems now we've heard a bit from some folks from K2, and I do appreciate that since my review of that product is a bit sparse and I think people need to hear about what it can do well in addition to where it falls short. I may take another look at the product if the opportunity presents itself.


Renier Britz
12/12/2013, 2:49:50 PM
Hi Thomas, 
 
Thank you for taking the time to put this post together.  
 
To be completely transparent, I work for K2.  
 
The first thing: you are correct by saying that K2 relies on Workflow Foundation. Our runtime execution engine is built on Workflow Foundation, and to date we have never been disrupted by any updates on Windows Workflow Foundation. SharePoint ships with a workflow runtime that is also built on top of Windows Workflow Foundation. You called out SP 2010 vs SP 2013 workflows; it's not because of changes to Windows Workflow Foundation, it is because of changes to the implementation of the workflow runtime on top of Workflow Foundation. K2 is unaffected by changes made on the SharePoint workflow runtime as we don't rely on the SharePoint workflow runtime and therefore don't inherit the same set of limitations. 
 
The second point I would like to address: Pricing – as you mentioned “Workflow (and the need for BPM) often starts at the project level and not in the enterprise” I agree 100%. K2 pricing is competitive and allows organizations to start small, in many cases starting at the department level. We have more options in the works; look out for major announcements in March ’14 at the K2 User Conference. 
 
Now back to what this is all about, workflow tools for SharePoint – With SharePoint 2013 Microsoft made a ton of exciting enhancements, the app model being one of the most interesting changes. We had a choice: take what we have and make it work on SharePoint 2013 OR take full advantage of the changes and build something that will truly change the way people create forms and workflow-driven apps on the SharePoint platform (emphasis on create; this should not be a developer-only play). The easiest way to get familiar with what K2 has to offer is to go and have a look at the following recorded webcast: http://pages.k2.com/sharepoint2013beta.aspx 
 
If you have any questions let me know. 
 
Cheers, 
r


Thomas Carpe
12/12/2013, 3:15:45 PM
Renier, 
 
Thanks for sharing. I really do appreciate getting an outside perspective on K2. Our goal is always to make sure our customers get the right solution that works for them, which as I said before is one of the reasons that I may seem a bit ambivalent when it comes to SharePoint workflow and third-party products. 
 
Going to what you said about WFE, you are correct and I am sorry if I was less than clear on this. WFE is a sub-structure which is different from SharePoint workflow in the same way that ASP.net is a sub-structure and not the same thing as the SharePoint API. What I was referring to in the comment about the move from 2010 to 2013 SP workflow is that there was a lot of shifting around in the way Microsoft implemented workflow between the two versions. 
 
Some of that may be like you said, part of a fundamental shift in the way Microsoft wants developers to deliver on the platform. Back in July, I heard Ira Fuchs present on the differences between SP workflow in 2010 and 2013 and I have to say that I was not impressed at the loss of capabilities on the new model and that MS has basically said that if you don't like the takeaways well then you can still build SPD 2010 workflows instead. 
 
Maybe they will provide it later - maybe not. Either way, if you can't manipulate SharePoint with it, what was the point in Microsoft making the update in the first place? For now, all the third-party workflow products are safe until MS figures out how to do it right, but after 5+ versions I'm not holding my breath. 
 
At any rate, it's all part of a big shift to client side code, and like many people in the SharePoint development world I have mixed feelings about that too - and I am not fully sure that I can say I trust MS to deliver a framework that will be a place where we can exceed our client's expectations - at least in the near term future, since they usually take their time and a few tries before they do anything right. ;-) 
 
I do look forward to seeing what you guys are cooking for next year. Perhaps I will revisit this topic then, or take a more detailed look into K2 at that point. 
 
By the way, I maintained your product link in the comment. Make sure to hit your bosses up for a Christmas bonus and have a great holiday. ;-)


Steven Bretti
12/12/2013, 8:58:04 PM
K2 is a serious BPM product that allows for a number of capabilities that cover business needs very well. Forms, Data, Workflow and Reporting. It empowers the business users with simple user interfaces and no-code solutions. 
I think this is its biggest advantage, the ability to provide no-code solutions not just for the workflow, but also for capturing data through K2 smartforms, and any CRUD based requirements through K2 smartobjects without having to write code. Purely point and click through the UI. 
Yet it still has the capability to scale this out at a later stage to do more advanced business automation. 
This is important. You want to buy one product to cover the enterprise needs, rather than have multiple tools that you're paying multiple licences for. 
K2 can live within your SharePoint solution as a seamless application, or it can live on its own. It is not limited by SharePoint. It also provides integration options to common enterprise systems such as CRM, Salesforce and other LoB systems. 
 
Definitely a product worth considering in any BPM based solution, whether you are looking at it for a SharePoint based solution, or for your enterprise needs. I think it covers both very well, and priced accordingly.


Thomas Carpe
12/13/2013, 5:52:12 PM
Thank you Steven for your insights. 
 
I do think that what you're saying is probably true for any enterprise class BPMS product, including AgilePoint Enterprise Edition. K2 also has a light-weight version that runs in SharePoint alone as I understand it, so to be fair I think I'd compare *that* version to Genesis and Nintex. It just seems a bit unfair to me to judge different weapons manufacturers by comparing a tank to a rifle. ;-) 
 
I have to say, I've noticed that this blog has gotten a lot of attention from the folks at K2. Their marketing department must be really good about getting the word out. I certainly don't mind since it's great exposure and I love a vigorous debate. It would also be cool to hear some more from some of those people in the original survey who voted for Nintex and AgilePoint. ^_^


Thomas Carpe
12/13/2013, 6:06:16 PM
Decided to check in on the original survey and see if things were still holding neck and neck or if there might be some trends. I was surprised to see today that AO is pulling ahead at almost 40% and Nintex is not too far behind. 
 
You folks who love K2 may have a point, but the survey seems to be saying something slightly different. Well, it's a web-poll so I guess you can't take these things too seriously, right? ^_^


Gerhard
12/16/2013, 11:36:50 AM
Hi Thomas, 
 
Thanks for a very interesting article. I do not have any experience with Nintex or Agilepoint but your comparisons and descriptions of them have been interesting. I do however have more than 10 years’ experience with K2 and I’d like to add to your review of K2 – and in fact compare it more closely to what you have written about Nintex and Agilepoint, especially since as you said you did not have a lot to write about K2; maybe this will be helpful.  
 
K2 vs Nintex 
Building simple SharePoint-only workflows in either tool I guess is going to be a matter of preference. However the fact that the Nintex workflows run on the WFE vs K2 having its own dedicated execution engine is quite a big drawback. I guess that could even out if K2 is installed on a very small single server footprint, but I really like the fact that K2 can easily scale and a process that starts out simple now can grow as your organization’s needs grow. I believe that Nintex workflow reporting data is only stored for something like 90 days - In K2 this is not an issue at all as all data is stored in K2’s own databases and can be stored indefinitely or archived after a period of time. The other drawback for Nintex is complicated workflows as you mention – this should not be a problem with K2.  
 
K2 vs AP 
 
You mention long running processes as a major feature and benefit, something that K2 is also good at, as mentioned above. K2 processes are versioned so by default process instances remain on the process version they started on (which is a good thing imo). Tools exist to manage cross process version migrations if that is really necessary. The ability to create K2 workflows inside Visio has existed since the late 2000’s but I guess it never really caught on with customers, since the K2 UI is already so user friendly and easy to use that the Visio UI components disappeared from the scene and frankly I do not miss them – so me personally… not too excited about building processes inside Visio in AgilePoint. It sounds almost like building forms inside MS Word... the tool does not fit the job. I have not seen AP’s implementation of this, but that is just my opinion of it. Ease of use, non-developers making changes while still having flexibility to create amazing add-on components can all be done in K2, just like in AP. Your point about needing a consultant to “really make it sing”… I like the way you put it, and that’s also true for K2, but again it’s probably fair enough because in any such complicated platform you will need a specialist to really bring it to its full potential.  
 
So from the information on your blog it seems to me that K2 is really not that different than Nintex or AgilePoint - and I guess you are right in that you will have to know your requirements for a workflow product very well and only with that in mind can you really decide amongst these contenders. Personally my vote will go for K2 because I am confident that I can really build any solution on it and scale it well into the future.  

Thomas Carpe
12/16/2013, 12:29:47 PM
Gerhard, 
 
All your points are well taken. This was the best read on K2 that I have seen yet, and yes I think you really are helping to create a complete picture which is great. I've gotten a lot of good information about a product I admittedly knew less about. 
 
I'd like to throw in a few segue comments if I might, that were just sort of inspired by your remarks. 
 
The first is about Visio and its relationship to workflow. If I were diagramming a workflow or business process without any sort of BPA behind it, obviously I would diagram that in Visio using a flow chart. That's a no brainer. 
 
Over the years, I've used a variety of tools including BizTalk and yes sometimes even SharePoint Designer, and I've always been disappointed in their sad attempts to integrate with Visio. I never used the tools for Visio and K2 either, so I can't comment if they're better than the ones I've used. 
 
AgilePoint was the first product that I saw where I could basically map out my entire flow as a drawing and then publish it and refine the properties etc. In that aspect my biggest frustration is often that I get a flow chart in Visio from a business analyst and I have to re-draw the entire thing using AP shapes. The thing that I really like about it is that when it shows the status of my workflow in SharePoint it uses my actual Visio drawing to display it, including any custom shapes and comments I might add to it. There's an image up on this blog post as an example. Somehow people just really like seeing where their process is; and having the flexibility to display it in ways other than a cascading downward waterfall is great for me. If some other products can do that for me, yes I would really like to see that. So, maybe you don't go squeeeeee over Visio, and that's OK, but I see real value in using it. 
 
The other thing I thought of here is that it does generally depend on the developer's confidence in a product. And, confidence is generally a function of experience. We need those past products to help us understand the capabilities and also the limits of the products we are working with. This is true of SharePoint, and also I think that's true of any product including the workflow products we've been discussing here. In the end I think we will support those products where we have the most positive experiences and tend to drift away from products where we have negative experiences - or insufficient ones. And with that in mind, it's more than just a technical question but also a question of the marketplace. Though I worked with it before, my small firm couldn't find and win K2 projects at the time when we really started doing business, which was 2010. Thus, we never really developed that affection for the product. We got some lucky breaks working with AP and found that we were able to do some really impressive things with it, and at the same time there were a lot of clients asking for Nintex because their needs were less complex and they liked what the product could do. 
 
For this reason, I think you can't necessarily read what I've had to say all along as a recommendation per se; rather it's a comparison based on my personal experience. If someone is looking for impartial analysis to choose a product, there's Forrester and Gartner etc. My hope is that we can help people to understand what we're able to work with as consultants and developers, and sort of which types of projects we've found that these products do a good job at meeting the requirements. To that end, I think there's no right or wrong answer to the question at the top of this article. 
 
That being said, if we can all manage to argue about it for just a little bit longer, I think everyone will benefit from the free publicity. ;-)


Mike Fitzmaurice
12/20/2013, 11:22:35 AM
Full disclosure: I am an employee of Nintex. 
 
I love blog posts that spark discussion — especially when Nintex is part of that discussion. Looking amid the fray, what’s quite apparent is that the wonderful world of SharePoint workflow solutions is alive, well, and worthy of plenty of enthusiasm. And that’s a Good Thing.


Thomas Carpe
12/20/2013, 12:10:45 PM
Mike, 
 
Good to hear from you. I completely agree! More information is always a good thing, and I enjoyed hearing from everyone on this. 
 
As a Nintex person, I do have a question for you. Did the changes to SharePoint workflow architecture in SP2013 cause any significant changes in the way that Nintex Workflow runs or is licensed on SP2013 as opposed to 2010? For example, I understand that now in 2013 all the workflow is supposed to run on its own service and not on the WFE anymore, so do you guys still sell it by the number of servers in the farm and did you find that this change has improved performance or scalability over the older version of SharePoint?


Rob
2/12/2014, 1:03:16 PM
Biggest downsides of Nintex: 
1. Workflow data and history are stored in multiple locations. If you run into any issues with a workflow or the databases, it's extremely difficult to manage and control the workflow data. Their best practices are extremely cumbersome and not database friendly. 
2. Rollbacks are next to impossible. If you need to roll back a deployment, you will be SOL. You will need to copy the entire web app and Nintex DB onto another environment. 
3. Documentation seems to have been written by a crossword puzzle designer. Info and steps are broken up between God knows how many docs. Best of luck.


Luis
3/25/2014, 6:56:56 PM
I think you need to investigate more of SharePoint 2013 Workflow Manager and Service Bus as this is a highly scalable product, even more than Nintex. Nintex runs on WFE servers, but with Workflow Manager you can have a separate farm for workflows, which makes it an amazing product. 
 
This comparison without comparing the OOTB product makes no sense to me.


Thomas Carpe
3/27/2014, 1:18:53 PM
Hi Luis, 
 
While we haven't done a great number of solutions based on SPD workflow lately, I can say that I've done a lot of these over the years. I understand there were a lot of improvements in the architecture of workflow on SP2013. However, my issues with it are more a question of what features existed in 2010 workflows that were not carried over to the new version. You should check out Ira Fuchs' presentations on SharePoint workflow; I agree with a lot of his points. Beyond that, it is just a matter of the fact that we're now several major versions into SharePoint and yet the workflow portion of the product has had major shifts with each one. From a business perspective it is a real challenge to get someone to invest in technology that will have a shelf life of just a few years. 
 
That being said, I do have some customers who are asking what they can do with OoTB workflow and if something comes along that changes my opinion I will be sure to share it on the blog.


MikeL
3/28/2014, 4:55:43 AM
Nintex is good, but only for simple workflows. Also its forms application is terrible from what I've heard. 
 
K2 - much better when it comes to more complex workflows. Although with a high barrier to entry. Additionally my customers say the forms application has lots of bugs and performance issues. 
 
AgilePoint is the closest to BPM rather than simple workflow here. Although Visio and their graphic designer have their limitations. 
 
You may want to check out WEBCON BPS. Forms and workflows (and business processes) in one application. Graphical designer, changes in processes can be done on the fly (no need to publish a new version) and you also get plenty of DMS capabilities along with OCR, barcodes etc. On the downside: it doesn't support cloud.


Alex
3/30/2014, 11:06:56 AM
Great review!!! 
Nowadays I actually need to decide between Nintex and AgilePoint for our company. 
 
I'm still a bit confused regarding the strength of Nintex compared to AgilePoint. Since AgilePoint uses an external and separate server, hence processing resources, from SharePoint itself (it's agnostic to SharePoint) and it costs about the same as Nintex, what's the question here? Would you say that Nintex is not up to managing complex and long processes? 
 
From the review it seems like AgilePoint is perfect if you have the time and human resources to invest in learning its foundations, and from the moment you get it it's one league above Nintex for the same $, so what's the dilemma? Or am I missing something here..... 
  Alex


Thomas Carpe
3/31/2014, 10:13:57 AM
First I want to thank everyone who has made this a very active thread since it was posted back in December. You guys rock. 
 
Alex, to answer your question, there are differences between the two products that might affect your choice. 
 
AgilePoint has a forms engine also, but until recently they were using InfoPath as their main forms engine for Genesis. The Nintex forms engine has been a part of the product for a long time. If you are looking for an escape from InfoPath, this might be your option although AgilePoint is catching up fast. 
 
Nintex has been ahead on Office 365 development for quite a while. We are still waiting eagerly for an offering from AgilePoint but unfortunately it is still vaporware at this point. 
 
Nintex has pretty good support but they are a huge company. If your needs are complex they will probably connect you with a random partner. AgilePoint is a smaller shop and you would get to know the development team personally. 
 
AgilePoint server is a separate install. It can be configured to run on one of the SharePoint servers if necessary. There are different options if you are running SP2010 or SP2013 because of the .NET framework 3.5/4.0 difference. IMHO, the 4.0 version is much better. The installer varies a bit among the different builds and sometimes there are issues setting up advanced features such as data export. Nintex installer is pretty tight, but the options are fairly standard - NW 2010 or NW 2013. 
 
There are designer differences. Nintex designer is a web based tool built into SharePoint. If you have Visio already, then using it for AgilePoint will not bother you. If you don't have it, then the extra licensing cost for it will be another obstacle. Nintex charges by the number of WFE in your farm, and to the best of my knowledge there's no extra cost per user. 
 
Because as you mentioned, it is more system agnostic, AgilePoint will integrate well with more third-party systems. Both will do just about anything you want via calls to web services if you have that option. 
 
And off the top of my head that's about all I could think of today, but I hope it will help you.


pravesh kumar sharma
4/15/2014, 2:40:37 AM
I agree with most of the points which you have mentioned in the blog. I have worked on SharePoint and the Skelta BPM tool for 8 years, from a technical and functional point of view. 
I would like to add some points: 
 
1. Most of the enterprise tools have workflow capabilities (ERP, CRM, CCM, SCM etc., even MOSS) but that is very limited to their own suite. 
2. SP workflow does not have the capability of a process life cycle (designing, deploying, monitoring etc.). 
 
3. BPM engagement starts from a business point of view keeping in mind many factors (SOA, agility etc.), but workflow initiatives most of the time come from IT initiatives and are just customization of some small process. 
 
4. Workflow requires customization most of the time, whereas BPM suites have their own OTB model for designing processes, reports, UI and ready-made LOB connectors. 
 
5. SP workflow is very limited to SharePoint artifacts like DL, List, InfoPath, Outlook etc., whereas BPM starts from automating processes via connecting machine to machine (SAP, Oracle, SQL etc.) and people to people (Finance to HR to Procurement to Admin etc.). 
 
6. BPM provides BAM components and a monitoring tool for KPI, MIS and graphical reports for process and data in order to optimize the process. 
 
7. Last but not least, BPM is a superset of workflow.  

Thomas Carpe
4/15/2014, 8:25:39 AM
Thank you Pravesh for your comments. I agree with basically everything you have said here. If there were a line representing a maturity model, SP workflow would be on the lower-left end of that line, and BPM would be at the upper-right. Products like Nintex sit somewhere in the middle. It is important to understand that BPM goes well beyond what SharePoint does - or tries to do - and that these different tools serve different needs.


Walter
4/17/2014, 1:44:43 PM
Excellent overview and comments. We are using SP2010 OOB and a big issue we have is that it's so hard to troubleshoot a misbehaving WF. I'd be interested in hearing from Nintex and K2 "light" users on how well or poorly those products might address this.


Ahmed Mostafa
5/14/2014, 3:30:27 AM
I like this article. I have used K2 on a number of engagements for my clients. What I really want to investigate is the ECM dimension. I believe the way SP stores fields and attachments together in SQL is a big drawback that affects the total performance. Have any of these vendors addressed this issue? How do they store their attachments and metadata?


Michael Mangan
11/10/2014, 9:24:11 AM
One of our specific requirements is to embed the workflow approval as a digital stamp on the document, do any of the solutions support this?  
 
I really appreciate this blog. Thanks


Kamal
2/20/2015, 2:56:44 PM
Excellent article, Thanks all, hang around everyone will learn from each


Shalin
3/6/2015, 4:53:31 AM
Flowchart-like diagrams can be drawn from many Visio alternatives as well. It's OK to use a Visio alternative if it is online, as it is platform independent.


Cierra Luke
4/24/2015, 2:51:32 AM
Hi Thomas, 
Thanks for this helpful post. I am a professional software solution provider in a web designing and development company. We have been using Metastorm for the last 3 years, but now our CEO wants a new BPM software to manage our workflow and processes. Can you suggest any good one? 
Thanks in advance


Thomas Carpe
4/24/2015, 10:57:26 AM
Thanks to everyone for the comments and questions. Haven't gotten the chance to come back here and reply very often, which I regret. Business has been getting quite active - perhaps the economy has finally really turned a corner? Will post some replies now to try and catch up. 
 
In the question of lite versions of Nintex and K2, I can't really make the comparison since I have seen the Workgroup and cloud versions of Nintex but have not played around much with K2. An old friend of mine, Mark McGovern recently went over to a new job at K2, and perhaps he can connect somebody with a person there who can speak to their product line. 
 
From what I know of the products we work with often, I would say that the workflow engine that drives the process will be the same in the lite version as in the enterprise edition. That's just good software development, because who wants to maintain two build sets, right? That being said, where I think you'll see differences is in things like number of allowed users, what activities/actions you can perform in a workflow, etc. 
 
=== 
 
Moving on to SharePoint Foundation 2013 and the workflow product that Microsoft has produced. We've done some projects lately where this was required, because the customer did not have a budget to purchase another product. If you must go this way, I think you'll survive. But, I still feel like the MS Workflow Manager is not as robust as any of the products I talked about in this blog, and probably even Bamboo and Datapolis have something to offer that it does not. The new version has the disadvantage of needing to be installed on a separate server from the SharePoint farm. Otherwise, you're stuck with SP 2010 workflows. Yes, I realize maybe I am talking out of both sides of my mouth here, because I will say the same thing is a feature of products such as AgilePoint which can be installed on their own server - however, it is possible to install AgilePoint on the SharePoint server if necessary and they cohabit quite nicely. I've never had anyone recommend to me that this is possible with MSWM. So there's the distinction in my mind. I also know that many of the activities that were possible in SP2010 workflow are no longer available in WM/2013. Haven't looked into it lately, so maybe that's changed. However the laundry list of takebacks was quite lengthy last I heard and MS would have serious catching up to do to make it comparable to what it was in the previous version. Anyone who wants to know the current status should seek out Ira Fuchs, as he's the guy that I have learned so much from in the past and can tell you what Microsoft is doing now at a level of detail that would just go beyond my own knowledge. 
 
If you find yourself in the unenviable position of working with SharePoint OOTB workflow, I believe you will find that it gets the job done well enough for simple processes. We use it all the time in Office 365 where it is a built in part of the feature set and I don't have to worry over things like who installed the extra server on the farm. I like it quite a lot when I need a short workflow to produce the same kind of behavior on SharePoint Online that in past years I might have been able to do with a List Item Event Receiver or Timer Job instead. But, like anything you get what you pay for, and I think with SP workflow what you gain by not buying a product is offset because it is back to IT people having to implement the workflow and there's a lot that business users will not be able to figure out for themselves. Since all the big players now have cloud capable versions of their workflow products, there's no reason to be stuck in this situation. 
 
Speaking of the lightweight and OOTB workflow in SharePoint, one product that came up on my radar recently was KissFlow. This product uses Zapier to integrate with other cloud products and says it has a connector to Office 365. While they don't offer one yet for SharePoint, look for them to become a major force in the market if that ever changes. The current lack of a proper connection to SharePoint is a major shortcoming IMHO and an opportunity for somebody. 
 
=== 
 
On the question of whether it is OK to develop workflow using online tools instead of Visio, I think this is just a question of personal preference. To be honest with you, I have tried many cloud platforms over the years - not just workflow - and for something really complex, I want to have the file on my desktop and not have to rely on a web browser to properly render it. I find cloud based development to be well over that magic 400ms threshold where my mind will wander and eventually I find myself checking email and standing up to get a cup of coffee. That being said, this is my criteria and for you the pros and cons may be different. Web based platforms have the advantage of being workable from anywhere regardless of what software you have. One thing I really like about AgilePoint by the way is that you can now choose either method to develop a workflow, so if you like Visio use Visio and if you like the browser use the browser. :-) 
 
=== 
 
On the most recent question about Metastorm. That's a tough one. I did a thorough analysis of Metastorm for a client a couple years ago, and I have to say that while it was a powerful product, it was definitely showing its age and there were lots of things that made it a poor fit for our project. 
 
That being said, without detailed criteria, it is impossible to say which product you should switch to if you're moving away from Metastorm. For example, you need to consider what processes you already have in that platform and whether you are using it like a BPMS or are the workflows you already have actually quite simple. Obviously, if you have a lot built on the Metastorm platform, you are going to need something equally robust which is going to take you toward the K2 and AgilePoint end of the spectrum. If your lack of satisfaction comes from feeling that you never fully utilized the product feature set, then maybe going with a simpler solution like Nintex or SP workflow would be the way to go. 
 
Hopefully this helps you realize that the problem is a really complex one and can't be easily solved with a one size fits all answer. "It depends." Classic consultant response, am I right? :-) So, go back and start asking the detailed questions and I think the answer will present itself. Best of luck!


Thomas Carpe
4/24/2015, 11:02:09 AM
I was reading my own old posts and wanted to chime in to remind everyone that you can now subscribe to MS Visio in Office 365, so that's another barrier to entry that's come down. If you need a quote for anything Office 365 related, follow the links to contact us and we'll do that for you. :-)


Brian Garnica
4/27/2015, 1:49:46 PM
It was really good to read this article!! Excellent job about comparing different products. We had been making some research to offer the right option to our customer. 
 
Thanks.


Thomas Carpe
4/27/2015, 3:36:33 PM
Brian, thanks for the whuffie. Feedback about the blog posts is always appreciated, as they're a labor of love. Hope your customer makes a good choice; it is always a complex decision figuring out which horse to hitch your wagon to. ;-)


ali
7/8/2015, 3:16:23 AM
Just to make it clear, I don't work for any of these companies, but I am a SharePoint developer from 2003 to 2013 so far. I have used K2 2003, blackpearl and now Nintex. Nintex by far is seriously bad for complex workflows and time consuming. K2 is far better in complex workflows that span over time. Plus I don't care what people think of what they like but care more about what business use.... In my experience in the UK the majority of banks and consultant companies use K2. The place I work for at the moment is using Nintex and they already regret it.


Thomas Carpe
7/8/2015, 12:08:11 PM
Ali, 
 
Good to hear from you. 
 
I am so surprised this post still attracts comments so long after I wrote it! It seems everyone has strong feelings about this stuff. 
 
I was more familiar with Black Pearl and Black Point back in the 2003-2007 days and really started drifting away from it in 2010. With AppIt from K2 released now as well as AgilePoint NX One cloud offering and new pricing models for Nintex on Office 365 too, I feel like maybe this topic is due for a revisit. There are so many more exciting possibilities to choose from this year than there've ever been before, especially if you don't have the luxury of managing your own SharePoint farm. 
 
I imagine that market share for the big workflow software products varies by country and type of company. It's my understanding that Nintex has the most market share overall when it comes to SharePoint - I wouldn't be shocked if Microsoft buys them outright - but there will be local differences in different places around the world and various sizes and types of companies. That being said, my feeling is that who's on top shouldn't be the way that companies decide what product to choose. You have to go with your experiences and those of others in the community, and I am grateful for everyone who shared here because it gives me a good sense of what people are seeing outside of my own little world. 
 
You're definitely not the first person I've heard express some negatives about a particular product. I think that each case is different and you have to consider the pluses and minuses individually, and that the market and the best choice is a moving target. I still have to say that whatever the down sides may be, almost any product would be better than the OOTB experience in SharePoint. 

How to Generate Proposals 376% Faster Using SharePoint

In a previous case study and white paper, I described how to make proposal generation a snap using SharePoint's Document Set feature for quick proposals, and site templates for more complicated RFP responses.

We used this method in house for a long time. One thing that struck me about this approach was that it still took a long time to get the proposals together. Also, even though we had a few good templates, it was often better to copy a winning proposal than it was to go back to our building blocks and start fresh. I wondered what we could do to make this process easier and get more mileage out of our existing library of written materials.

Thankfully, the technology to solve this problem has been around for quite a while - it just isn't part of SharePoint's out-of-the-box feature set. Today, I'm going to describe our solution to this challenge.

Document Automation and the Proposal Process
Did you ever wonder why Microsoft changed all of the extensions for Office documents, for example from .DOC to .DOCX? Well, it isn’t just because Microsoft has a long standing love-affair with the letter X - though they certainly do. It's actually because they made a switch to a new document format called OpenXML. Open XML is basically just a giant ZIP file (actually CAB, but whatever) full of XML files that describe Office documents.

What makes OpenXML significant is that it is the standard that lets us manipulate those documents. Aha! Now we've come back to my problem with proposals. (I bet you wondered where I was going with that tangent?) Previously, we've been able to manage our documents, but all the work we do with them has been manual. But, what if we can further automate the process?

In many ways, our proposals are not very different from those of other companies. A lot of this is dictated by the best practices of purchasing departments or government agencies.

Here's the basic structure of a typical proposal.

  1. Title Page
  2. Executive Summary
  3. About Us: History, Services We Provide, Locations, Etc.
  4. Capabilities:
    1. Certifications, Etc.
    2. Several Short Resumes for Staff*
    3. Products / Line Card*
  5. Past Performance:
    1. Customer Satisfaction
    2. Several Project References*
  6. Technical Approach
    1. Describe the Problem
    2. Methodology*
    3. Proposed Scope of Work
  7. Pricing, Terms, Etc.
  8. Appendix - pretty much anything that does not fit elsewhere

Essentially, this structure is pretty formulaic. We can trim this up, or expand it to hundreds of pages. Sometimes the customer will have RFP requirements that will force us to rearrange or rename the sections, but the same things appear over and over again.

Salespeople complain that these proposals take too much effort for too little reward. Often, the large ones end up being written by entire teams of people over several weeks. There's a lot of hand wringing about getting the tone to be consistent throughout the document - and there are often more opinions than there are people doing the work. For all the effort, often the chances of winning are very small.

However, our best and most successful proposals did not take very long to write. The reason for this is that most of the material above is repetitive - meaning it will appear in any proposal. The exceptions to this are the Executive Summary, The Technical Approach, and the Price. The less time we take to craft the rest of the document, the more likely we will have the time needed to craft a good proposal in the places that actually matter.

Rather than letting people have their way and just never write proposals, why not find a way to make them easier to do? There's something to be said for the fact that if you don't bid on an RFP your chances of winning are zero.

Document Automation by Brute Force
Notice that in the above list, I have marked some of the items with a blue asterisk (*)?

The way we used to handle these sections was to have one big document called, for example, "Past Performance". It would have all our past projects and references that we might be inclined to use. Because there are lots of different kinds of SharePoint projects (and even more kinds of customers) this document would get pretty big. Same goes for staff biographies or the products that we sell. When a proposal would get created, we would paste the contents of only those items that we wanted to include for a particular proposal.

The other way to do it would be, for example, to have one document for each methodology section. These tend to be pretty large; they talk about for example how you would do an Intranet project differently from an Extranet project. We'd just paste the entire document directly into the target proposal.

For the asterisked items, this is how we would handle things. Sounds easy enough right? It has a couple of drawbacks though.

Firstly, it is manual and pretty labor-intensive. And, you need a person knowledgeable with Word to do it, or the formatting will get all screwed up. There's a large potential to make a mistake and forget to put in a particular reference. Believe it or not, this is the less serious of the two problems with this approach.

The other issue is that changes do not make it back into the master documents. For example, somebody who is doing a red-team review of a draft proposal might notice that there is some language in a paragraph that's confusing and so they revise it. If that paragraph came from our templates, then we'll make the same mistake on the next proposal; we might repeat the same work fixing it - or we might not catch it the next time through.

You can imagine this is a serious enough problem if you're just trying to write more professional looking documents, but consider this. It is not just your past experience or the qualifications of your staff that are different over time - the marketplace is always changing too. Because of these problems, our best work was often not giving us the repeat value that would have helped us win more business.

The Concept of Document Assembly
What you want instead is to reach that sweet spot, where you can reproduce success at a minimal cost. Each time you get a little bit better, and all the while you can adjust your tactics to deal with new information or moves from the competition. We found a way to do exactly that with OpenXML using a technique called document assembly.

The concept behind document assembly is really simple. It is basically a streamlined version of what Office already lets you do with copy-and-paste. The way it works is that you have many smaller documents - sometimes they may even be only a paragraph or two. For each one, you focus continual effort on making those two paragraphs the best that they can be. This is something you should be doing even when you don't have an RFP to work on, but it's especially important when there is a proposal due.

The key is to always make the changes to the master documents - unless they're a one-time thing for a particular proposal. Near the end of the proposal process, you use document assembly to piece together all the parts of the proposal. Make a couple of formatting changes and then send the document to the printer.

There are several benefits to doing things this way:

  • You can add metadata to each document "part" so that you know its status, where it belongs in the overall proposal, how recently it was updated, and what types of clients or jobs it's relevant to.
  • You can assign rights so that, for example, the resumes are always updated by HR staff and the past project summaries are always added by whoever led the project.
  • You can leave the really strong branding stuff out of your proposals until the very last minute. Often, really fancy branding stuff looks great but slows Word down a lot.
  • You can have different document styles, such as a version for professional two-sided printing, a version for economy print or PDF, and a version for those pesky government bids that don't want color images or any fancy font-work.
  • If you don't like the results you get, you can easily rebuild from the template and source document parts.
  • If you liked the document format that you got, you can copy the template for next time. That's way better than just copying the finished product and then doing find-and-replace on the customer's name.


What Document Assembly Looks Like in SharePoint
But you don’t want to hear me going on and on about this stuff, right? Let's take a look at how we do this in SharePoint and you'll see how much easier it is.

We start in the Quick Proposals document library. This library has been set up with some SharePoint document sets (whose content type is called Proposal Set). That helps us keep track of data about separate proposals that might include one or more related documents. By the way, if you want more information on how we set up Proposal Sets and our Quick Proposals library, you can reach out to me for details.

 

From here, you can see our default view is Active Proposals. In our case an active proposal is one that is either "In Progress" or "Submitted". Today we don't actually have very many of those, because two of our most recent proposals were accepted - yay! So, there's not much in the queue today.

Let's make a new proposal for a client who called us this week. We switch to the Document tab on the ribbon and under the chevron for New Document we'll find Proposal Set. (You could also hit the big icon for New Document, since Proposal Set is the default - and only - option.)

 

In some cases, we might also include options here for Proposal Document and Proposal Document Link. These can be added when folks have a bad habit of dropping documents directly into the root of the Quick Proposals library before they've created a Proposal Set. Usually it's better to leave them out, so people have to create the Proposal Set first, but that's really a business decision.

From here, we need to enter some basic details about the proposal. Not all of these fields have to be filled out right away, but we do need to give the proposal set a name.

 

Personally, I find it really helpful to fill out all these fields from day 1. It helps with managing the proposal creation as a project, and I can use some views in SharePoint to generate reports for my business partners, Alara and Justin.

When you're done filling out the data you want, you hit OK and SharePoint will create the new Proposal Set.

 

Above, you can see the Proposal Set has been configured to show me all of the information I entered on the welcome page. This is useful for sharing the key data with my teammates who will help me generate the proposal documents.

We can customize the welcome page to include a variety of different things. For example, we can combine the Proposal Set with our Document Rules Engine to show KPIs for completed or missing documents or metadata. We can change the columns shown for individual documents, and even add custom web parts to this page.

Let's start creating some documents; there are two ways to do this. The first method is to configure SharePoint to create new documents each time a new Proposal Set is created, which is what we've done here. But, if the type of documents you'll create is going to vary a lot from proposal to proposal, you'll want to create them by hand.

You'll notice that we already have 2 documents in our Proposal Set. This was done to make the whole process fast and easy. We could have easily created these from the New Document menu in the ribbon.

The XLSX document is a worksheet that we can use to create estimates. The Word document is our DocxFusion Proposal Template. This document is customized for each company and specific print formats. Here's what ours looks like.

 

As you can see, this template contains all the styling for the proposal as well as placeholders for content that's going to come later from other canned documents we've already created. We also have some review comments to give guidance on how this proposal should be crafted.

Here's a close-up view of a content control that's being used as a placeholder, with reminders about the recommended length of each section.

 

You can customize the template now, by changing some of the copy or entering the name of the person it is intended for. Sometimes it is better to customize the output document, and sometimes it is better to customize the template.

We're going to go ahead now and build our final proposal from the template. To do this, click the chevron (or ellipsis in SP 2013) and then click Build Document.

 

This will pull up the Build Document screen, where we can choose content to put into our proposal.

 

The left hand panel shows documents from a Templates library. This is where I've saved all my reusable proposal materials, including canned marketing copy, case studies, and short pieces describing the technical approach for different types of projects. Don't worry if you don't have all these things yet, because you can build your collection up as you go.

Above the left hand panel, you can see there's a dropdown to choose the view for the Templates library; I'm only looking at approved content right now. You could organize this in a variety of different ways.

By checking the documents on the left hand side and clicking the > and < buttons, I can copy them into different parts of my template document. I can also change the order using the Move Up and Move Down buttons, so things will appear in the order that I want them to later on.

Here's the list I decided to go with for the Black Mesa proposal. Specifically, since Black Mesa is in the defense industry, I only picked case studies for government agencies. Also, I only chose the Team Bios for people who will be working on the project as Key Staff, as well as recommendations and methodologies that apply to this opportunity.

 

When finished, I click Build to start the process of document assembly.

We're given a quick chance to add some metadata to the document, some of which will actually appear in the text of the document itself.

 

And now, voilà! Here's our new proposal.

 

Here's what our finished proposal looks like by the way. Very professional!



... and, well, you get the idea. Here's the back cover.

 

Where to from Here?
Of course, if that were all there was to do, then there wouldn't be any work left for the sales team! We can open the document and put in our finishing touches, additional content, etc. If you need to rebuild the proposal from the template, you can do so as many times as you'd like.

It's also possible to add content from image files, Excel workbooks, and PowerPoint slides using this approach. For example, I could complete my WBS worksheet and then include it under Schedule or Pricing sections.

Best of all, you can make updates to any of the template documents that will be included in any subsequent builds (for this or other proposals). You can re-use effective content from winning proposals quite easily.
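The assembly step described above, including the rebuild after a master part is corrected, as an added example that is not Liquid Mercury's DocxFusion or Chimera code. It treats the template as OpenXML: a ZIP holding document.xml, where each proposal section is a content control (w:sdt) with a w:tag, and assembly swaps each control for the body paragraphs of the part documents chosen for it. Only the Python standard library is used; the section tags, part text and customer name are constructed for the demo.

```python
"""OpenXML document assembly with the standard library only.

Added example for this post, not Liquid Mercury's DocxFusion/Chimera code.
A .docx is a ZIP of XML parts; the template marks each proposal section with a
content control (w:sdt) whose w:tag names the section. Tag names, part text
and the customer name below are constructed for the demo."""
import io
import zipfile
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

W = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
NS = {"w": W}
ET.register_namespace("w", W)
OPC = "http://schemas.openxmlformats.org/package/2006"
CONTENT_TYPES = (
    f'<Types xmlns="{OPC}/content-types">'
    '<Default Extension="rels" ContentType="application/vnd.openxmlformats-package.relationships+xml"/>'
    '<Override PartName="/word/document.xml" ContentType="application/vnd.openxmlformats-'
    'officedocument.wordprocessingml.document.main+xml"/></Types>')
RELS = (
    f'<Relationships xmlns="{OPC}/relationships"><Relationship Id="rId1" '
    'Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/officeDocument" '
    'Target="word/document.xml"/></Relationships>')

def para(text):
    """One paragraph, one run; escaped so an '&' in a customer name is safe."""
    return f"<w:p><w:r><w:t>{escape(text)}</w:t></w:r></w:p>"

def placeholder(tag, hint):
    """Block-level content control tagged with the section it stands for.
    The hint is the reviewer guidance the template shows in the placeholder."""
    return (f'<w:sdt><w:sdtPr><w:tag w:val="{escape(tag)}"/></w:sdtPr>'
            f"<w:sdtContent>{para(hint)}</w:sdtContent></w:sdt>")

def make_docx(*blocks):
    """Smallest .docx: content types, package relationship and document.xml."""
    body = "".join(blocks) + "<w:sectPr/>"
    doc = f'<w:document xmlns:w="{W}"><w:body>{body}</w:body></w:document>'
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", CONTENT_TYPES)
        z.writestr("_rels/.rels", RELS)
        z.writestr("word/document.xml", doc)
    return buf.getvalue()

def read_document(docx):
    with zipfile.ZipFile(io.BytesIO(docx)) as z:
        return ET.fromstring(z.read("word/document.xml"))

def body_blocks(docx):
    """Block-level children of a part's body, minus its sectPr, so the part's
    page setup never overrides the template's."""
    body = read_document(docx).find("w:body", NS)
    return [el for el in body if el.tag != f"{{{W}}}sectPr"]

def assemble(template, parts_by_tag):
    """Rebuild the proposal: each tagged control is replaced, in order, by the
    blocks of the parts selected for its tag; an unselected control is dropped
    so placeholder guidance never reaches the customer."""
    with zipfile.ZipFile(io.BytesIO(template)) as z:
        files = {name: z.read(name) for name in z.namelist()}
    root = ET.fromstring(files["word/document.xml"])
    body = root.find("w:body", NS)
    for sdt in list(body.findall("w:sdt", NS)):  # direct children of body only
        tag_el = sdt.find("w:sdtPr/w:tag", NS)
        tag = tag_el.get(f"{{{W}}}val") if tag_el is not None else None
        at = list(body).index(sdt)
        body.remove(sdt)
        for part in parts_by_tag.get(tag, []):
            for block in body_blocks(part):
                body.insert(at, block)
                at += 1
    files["word/document.xml"] = ET.tostring(root, encoding="UTF-8",
                                             xml_declaration=True)
    out = io.BytesIO()
    with zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as z:
        for name, data in files.items():
            z.writestr(name, data)
    return out.getvalue()

def paragraphs(docx):
    """Paragraph texts of a .docx, in document order, for checking a build."""
    return ["".join(t.text or "" for t in p.iter(f"{{{W}}}t"))
            for p in read_document(docx).iter(f"{{{W}}}p")]

def demo():
    """Build a proposal, then fix a master part and rebuild: the correction
    lands in the new build while the template itself is untouched."""
    template = make_docx(
        para("Proposal for Black Mesa"),
        placeholder("PastPerformance", "Pick 2-3 relevant project references"),
        placeholder("TeamBios", "Key staff only, half a page each"),
        placeholder("Methodology", "One methodology that fits the RFP"))
    library = {  # parts picked from the approved Templates view, by section tag
        "PastPerformance": [make_docx(para("Agency A intranet, delivered 2013")),
                            make_docx(para("Agency B extranet, delivered 2014"))],
        "TeamBios": [make_docx(para("T. Carpe, architect"))],
    }
    first = paragraphs(assemble(template, library))
    # Review finds a weak sentence: fix the master part, never the built proposal.
    library["PastPerformance"][1] = make_docx(
        para("Agency B extranet, delivered 2014 on time and on budget"))
    second = paragraphs(assemble(template, library))
    return first, second
```

The Methodology control has no selected parts, so it disappears from the build rather than leaking its reviewer hint; `assemble()` returns real .docx bytes that can be written to disk and opened.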

Suddenly, bidding on those last minute proposals and adapting to the changing marketplace is no longer the bridge-too-far that it used to be. We liked this solution a lot; and other people have started asking about it. So, we've made it into a software product named Chimera. If you'd like to put this kind of solution to work at your business, you can contact me about it and we'll be happy to build you a proposal for it. ;-)

Geographically Dispersed SharePoint and Other Collaboration Tools

For those who may have missed the #CollabTalk TweetJam today, hosted by our good pal Mark McGovern @DocPointMark from MetaLogix and Christian Buckley @BuckleyPlent, we're posting our Q&A from the event.

From the event description:

Many organizations are looking for ways to reduce costs, and improve performance associated with managing SharePoint between geographically-dispersed teams. While many organizations struggle to make their environments highly-available and performant, the breadth of SharePoint content available does not focus on SharePoint in high-performing, high-availability scenarios – and the purpose of this tweetjam is to share some of the community knowledge and expertise for these environments. We're assembling a great panel for this event including MVPs and other industry leaders.

Mark McGovern and Christian Buckley promise a blog about the event soon, to recap the entire conversation. You can also see the full conversation, including responses from other participants, at http://twubs.com/CollabTalk. The tweetjam was also captured using the #CollabTalk hashtag, so you can use the Twitter platform of your choice. 

Q1. What are the top 3 issues geographically dispersed teams face when trying to collaborate?
A1 #1: Disconnected Teams: Updates in the field don’t make it back to the head office and updates at the home office don’t make it to the field.
A1 #2: Latency: Whether you have a single farm in one location, or separate farms with synchronization, somewhere there will be delays in getting data where it needs to go.
A1 #3: Networks: team members may be working in locations with limited bandwidth or inconsistent/poor connectivity.

Lots of chuckles about the poor quality of conference calls, background noise, heavy breathing, etc.

There was also a bit of back and forth about latency and the fact that people not only do not understand the difference between bandwidth and latency - but also most folks cannot tell whether their performance issue is coming from the network or the browser.

It came in a bit late, but I really liked Michael Herman's garden hose metaphor for latency. No, I don't mean, "it's not how long your hose is; it's how you use it." In this case it's all about how long the hose is; in other words, latency is the time it takes water (information) to get down the hose (internet) after you turn it on. Bandwidth would be the size of your hose, I guess, and I need to stop making these metaphors, because I've got a dirty mind - and... yeah. Movin' on!

Q2. How have social and mobile impacted your worldwide collaboration?
A2 #1: They’ve allowed us to reach out to the community for collaboration - at least as far as the dev and support side.
A2 #2: We are now able to share information with our client as it happens, ex: Tweeting key points of a SharePoint Saturday presentation in real time.
A2 #3: We see more new customers coming from outside of our core operating area, nationwide and abroad.

Q3. What technologies have you found that can improve geographically dispersed collaboration/communication?
A3 #1: Faster and more reliable cellular connections. This applies to broadband too.
A3 #2: Cloud services have come a long way in making this more manageable, ex: SharePoint and Lync Online.
A3 #3: There are also products/appliances and applications that do well to synchronize SharePoint content between farms.

We talked a bit here about the F-5 BigIP. Some folks on the TweetJam have had good success using this appliance. Liquid Mercury Solutions is an F-5 partner. We can sell, service, and implement F-5 based solutions using the BigIP.

We had a great discussion about security, and maybe we can convince HelloItsLiam to participate in a panel specifically about SharePoint security at some point soon. It suffices to say this is a topic that needs some more attention.

Q4. If your team is geographically dispersed, is your best option to move your data to the cloud? Why/why not?
A4: Sometimes: it depends on the type of data and the location of team members.
A4 Why #1: Having data in the cloud improves access, assuming the cloud provider has distributed their datacenters across a large geographical area.
A4 Why #2: Greater availability to resources - gets around firewalls, corporate networks / VPN, and political boundaries.
A4 Why Not: Some data is too sensitive to store in the cloud without a plan to protect it. Ex: defense, proprietary secrets, healthcare PII.

The cloud is great for some circumstances and not so much for others. If you are on the borderline between these two scenarios and would like to talk to us about securing your sensitive data in the cloud, we are a CipherPoint partner and can develop a solution for you using their on-premises or in-the-cloud product offerings. By the way, F-5 BigIP is another solution that can enhance cloud security for SharePoint content.

Q5. How do global collaboration teams deal with poor quality bandwidth/connections?
A5 #1: Use asynchronous communication channels like e-mail, Yammer, and Lync instead of Skype, etc.
A5 #2: SharePoint 2013 can reduce the amount of transfer using MDS feature (Minimal Download Strategy).
A5 #3: Develop low-bandwidth tolerant branding (ex: Metro UI) and apps (server side vs. AJAX). There are optimizers for JavaScript and CSS, as well as ways to do this at the firewall/proxy/load-balancer.

Collaboration tools are an indispensable part of today's business world. How many of us could survive without GotoMeeting (or something like it) for example. What starts as a competitive advantage will eventually become the standard by which all businesses are judged, and tools like SharePoint are no exception to this. Someday, all restaurants will be Taco Bell. :-)

Yammer gets a lot of attention, but people are unhappy with the limited (read: "weak") integration between Yammer and SharePoint. In 2012, when Microsoft purchased Yammer, I shelved plans for a Yammer+SP product release in order to see what they would do. Seeing that they have not decided to eat our lunch, Liquid Mercury Solutions has plans to release a stronger Yammer + SharePoint integration solution in the very near future. The best way you can find out about this tool is to subscribe to our blog or newsletter (it's over there in the upper-right part of the page).

I made an additional comment here about using all the tools in the drawer, no silver bullet.

Q6. What are the best ways to maintain multiple systems/versions of your collaboration platform, such as SharePoint?
A6 #1: A communication plan with stakeholders + predictable schedule for updates / merges is essential to make sure everyone knows what they're seeing and how out of date it may be.
A6 #2: Assigning a "system of record" is extremely important to maintain one version of the truth.
A6 #3: There are tools in SharePoint like content syndication, cross-farm publishing, etc. - as well as a variety of third-party tools that fill this need nicely. Syncing at the SQL level is also an option, but less favored than it used to be.

Somebody said that they had 5 versions of a document to maintain. If this sounds like something you have to deal with on a regular basis, talk to us, because we may have a solution that will work for you.

Q7. What are the leading factors that restrict organizations from maintaining high-availability systems?
A7: Factors that limit orgs' use of high availability and DR include cost, bandwidth, product limits, undefined SLA, lack of institutional support, and insufficient technical knowledge and/or best practices.

Money was the big winner on this question. There is always, always, always going to be a relationship between your budget and the capabilities you can obtain. My advice is to be up front with your IT professional about your budget, work with them to understand how to get what you need within your means, and don't set your expectations unnecessarily high.

Q8. How does a geographically dispersed infrastructure impact disaster recovery planning?
A8 #1: If the primary datacenter is impacted by a disaster, then the outlying datacenter will experience higher loads and in some cases becomes the system of record.
A8 #2: If it was not previously planned and drilled, during major disasters (natural or civil), communication to outlying centers re tactics - or even that there's a problem - can be confused or conflicted.
A8 #3: Sometimes switching back to normal after DR can be just as difficult.

Can't say it enough, when it comes to disaster preparedness "Drill, baby, drill!" ;-)

I hope you enjoyed our recap of today's #CollabTalk tweet jam. If you feel like I've left something out, or if you just want to throw your 2 cents in, leave us something in the comments. If you found this information helpful, please give us a 5 Star Rating on PinPoint, so we can reach more customers.

Know Your Meme: SharePoint Staffing Anti-patterns

Over the years, the Microsoft SharePoint ecosystem has given rise to new and wondrous beings. These mythical memes deserve some light shed upon them, lest one find oneself trapped in their terrible clutches or wandering the Development Wastelands, like Sir Percival, in search of an impossible quest.

Join me now as we explore the first of what may become many entries to the compendium of hiring anti-patterns for SharePoint.

The SharePoint Unicorn


The SharePoint Unicorn is someone who can do it all - and perfectly too! She or he is a project manager, consultant, architect, administrator, and developer all rolled into one; a one person wrecking crew; cheap-by-volume, quick, often very hard-working, and has near-perfect delivery; and a multitasking master who is so damned good that instead of costing money, they can recover the cost of the project before it's even finished. In other words, SharePoint Unicorns have so much ROI that their net billable rate is actually negative - no matter what they charge. ;-)

I won't deny they exist. I'm pretty sure my friend, fellow Baltimore SharePoint Users Group committee member, and founder of SharePoint-Careers.com, Shadeed Eleazer, is one such being; he actually coined the term "SharePoint Unicorn" back in 2011 along with Marie-Michelle Strah and Mack Sigman. People have sometimes accused me of being one, so much so that it's become sort of a running office joke. There's even a @Shareicorn on Twitter, although I am a bit peeved they haven't posted anything ever. You can go to any SharePoint Saturday and if you swing a broom around too vigorously you'll probably knock 4 or 5 SP Unicorns over. Seriously, don't do that; we don't like getting hit in the head with a stick, no matter what your hiring manager says!

But, people like this are rare - and almost impossible to pin down. Much akin to the equine Unicorn of legend, which can only be approached by virginal maidens, one must be damned sexy to capture the SharePoint Unicorn. Don’t all you LMS clients feel super-special now?

These masters of their craft have worked hard to become so and know their own value. They want to work only on well managed, challenging, and interesting projects. They're typically well into their careers, and many would rather be consulting or going on speaking tours than developing in a cubicle for months on end. Many of them get scooped up by Microsoft or other best of breed SharePoint consulting firms. They're in very high demand, and thus probably not available for your random meetings. They will not be cheap.

A SharePoint Unicorn is not one of your cavalry horses. They will not be your full time employee - unless you're prepared to offer something truly unique. They're best leveraged as a precision instrument to ensure designs are sound, lead technical discussions, overcome specific obstacles, and find creative solutions to truly tough problems.

One last word of warning. If you think you are about to capture such an amazing creature, Ware the SharePoint Rockstar, which may be lurking just beneath a thin façade.

The SharePoint Rockstar


This clever beast is a brilliant mimic of the SharePoint Unicorn, a wolf in sheep's clothing if you will. The SharePoint Rockstar is a young, intelligent individual who has the ability to do every aspect of a SharePoint development project (or at least they think they can and tell you so). But, once they are hired to consult, design, or architect, they begin to hoard technical responsibility and insist that you only use them for the entire project.

Like the movie Aliens, there may be a voracious Ego that dwells within the architect or developer, incubating until it erupts to insinuate itself into every aspect of development, eventually becoming too expensive to remove. It then transforms into a prima donna and/or drama queen, sowing dissent and causing friction within the whole project team. The Rockstar has a lot of talent and appeal, but ultimately they become more trouble than they're worth.

Possible indications that you have encountered such a beast are: 1) you think you hired a SharePoint Unicorn; 2) their Ego arrives at the meeting 15 minutes prior to their person; 3) they're not helpful to, or well-liked by, the rest of your team; or 4) they tell you not to hire any other developers, because they can do it all themselves. A little Ego can be a good thing. The problem is that the Rockstar does not play well with others.

Protect yourself by considering personality as well as a candidate's technical skills. Let your technical team interview as a group - and collect candid feedback from them. If you are interviewing the first person on your team, consider a relaxed social setting to see how they behave when their guard is down, and craft interview questions that make them reveal their personality and how they work with others and share responsibility.

Given enough time, a SharePoint Rockstar may mature into a SharePoint Unicorn. Indeed, they can become an invaluable and irreplaceable asset - but at a terrible cost to you. Caveat Emptor.

The SharePoser, aka SharePoint Shyster, or SharePoint Fraud


These vile parasites may be masters of illusion - but they are very real! They are senior-seeming people who don’t know anything about SharePoint at all. They exist only to suck the lifeblood out of a company. As comedy, Jen Barber from the “IT Crowd” is a good example. But seriously, I once met a SharePoint Architect who was actually just a regular building architect and somehow got hired to lead the whole SharePoint development team.

Frighteningly enough, I’ve seen this kind of thing happen at more than one organization. It sounds like something that should be rare, but it is not. Lots of reasons for this, I suppose. Firstly, there's a legitimate shortage of qualified SharePoint talent – though that problem solves itself slowly over time. Secondly, lots of people are attracted to SharePoint because it is such a marketable skill. Many are ethical, hardworking folks - a few are not.

If you’re lucky, you only hire someone at a low level who sneaks through the interview by saying all the right things. It would be bad to hire a Windows Admin who doesn’t know how to add users to Active Directory, a SharePoint Developer who doesn’t know the difference between a Site Column and a List Column, or a SharePoint Architect who has to ask the developers if a Web Part Zone can hold more than one Web Part – but it’s not the end of the universe. Just fire the bum and move on! (By the way, these are all real life examples.)

The damage is really greatest if the SharePoser actually establishes their power base. One needs to be especially careful when qualifying those in leadership positions like project manager, architect, or consultant. The well-spoken Fraud flourishes when there’s no one to vet their technical skills and disqualify them during the hiring process. IMHO these creatures are the gateway to hell; in order to perpetuate the lie and insulate themselves from discovery, they often hire a whole department of equally inexperienced or incompetent people who can do the work - slowly - but are too beholden to them for the job to rat them out. Thus begins the downward spiral to the underworld of underperformance and waste.

Possible indicators of these individuals are: 1) a well-padded resume, 2) unreachable contacts or not-so-professional references, 3) lots of buzzwords during the interview, 4) claiming to have "all the SharePoint certifications", and/or 5) a secret copy of SharePoint for Dummies in their briefcase. Remember that insecurity is the hallmark (and weakness) of the Shyster, because they live in the constant shadow of being exposed.

Protect your company by vetting hires using real-world work simulations (instead of just interview questions), having a proven expert screen and qualify your team, verifying any Microsoft certifications, and hiring a variety of differently-skilled individuals who complement each other (and can keep each other honest).

Tune in next time for The Do’s and Don’ts of hiring a SharePoint Developer.

Outrageous Claims Part 1: It's All About Trust

In the summer of 2011, I did a series of blog posts and a presentation at SharePoint Saturday: The Conference in Washington DC which were called "Real World Claims". My goal was to talk about the good, bad, and ugly of setting up claims authentication in SharePoint.

In 2013, we now have a new version of SharePoint and an improved version of ADFS in Windows Server 2012. There are more products on the market that are supporting claims authentication through SAML, and technology folks have gotten better at configuring claims - and if I had to guess based on the web analytics, I'd say that my blog articles probably played a part in that.

There's also been much revelation regarding the activities of agencies such as NSA and GCHQ which threaten to undermine the public's trust of Internet security standards in general. It's important to understand that the security of claims authentication is largely dependent on SSL, and therefore whatever the outcome of the shifts in this space, it will have a direct impact on claims, both from a technical and a business point of view.

All that being said, it's time to revisit claims authentication in light of these things. Tonight I am presenting at the local BSPUG, and in the coming weeks and months I am going to be devoting more of my time to blogging so I can update the old information and provide some new insights on this topic.
So, today it is my great pleasure to introduce you to the first chapter of Outrageous Claims. Why did I call it that? Is it because my kids all think I've been to the moon, and that the Kraken started the Great Fire of Baltimore? Well, maybe. The answer will reveal itself in time, but for now a brief description will suffice.

DISCLAIMER: The examples in this article are purely hypothetical. I do not hold a security clearance, because the government thinks I can't be trusted. So, I only know what I read in the paper. If it turns out to be true, "don't Taze me bro!" Also, that Google search I did the other day about carbon tetrachloride and aluminum powder was because I was curious about something I saw in an anime and not because I'm trying to make explosives. Also, in my defense, I may have pirated that anime from BitTorrent, but only after I'd rented the DVDs from Netflix first, so it's time deferred viewing. Just sayin'.
At its heart, claims authentication is about trust. You trust me to tell you the truth, and I'm telling you that my user name is Thomas Carpe and that my phone number is 410-633-5959. Actually, it’d be a claims provider that's telling you these two things about me, so I guess you also trust that claims provider too.

In most claims configurations, this trust is represented by an exchange of certificates. Your system that consumes claims gives a public key certificate to a claim provider. In exchange, the claim provider gives your consumer a public key certificate too, so that they both know they're talking to each other and not somebody else. The login page for the provider gives an SSL certificate to me when I log in, so that I know my username and password aren't being sent all over cyberspace in plain text, and so that I know I'm really using Windows Live ID and not somebody pretending to be Microsoft who's cleverly replaced my DNS server or something.

There's also an implied trust that both I the user and the claim consumer have about the provider. I believe that my identifying information will be safe - or at least I want to believe - and that my password, e-mail, and phone number will not be stolen (or sold) to hackers, spammers, and other ne'er-do-wells. The consumer wants to believe that the provider has done enough due diligence to be reasonably sure that I really am who I say that I am.

So what happens when our trust is tested?

My favorite example is to say that sometimes Dan Usher might be feeling spunky and decide one day to log in to the SPSEvents web site using a fake account he's created as Scott Hoag on Google. He plans to log in to the web site for SPSDC and post a funny message posing as Scott and telling everyone that he's giving up SharePoint work so he can go into the beer making industry. But, he needs to get the admin to grant him access to do it, thus the charade.

That's actually a pretty easy thing to do. Back in the early days of claims AuthN and OpenID, providers used to be willing to give up information like an email address, which would have gone a long way toward figuring out that our fake 'Scott' is actually sending his email to "usherbot@gmail.com". For complicated reasons, providers aren't willing to give this information up so easily anymore, which actually makes it easier for Dan to play his trick and harder for our system to realize what's going on.

Somewhere, the trust that claims providers had of their consumers was tested, and they failed that test. Now, consumers have to have faith that what they are being given from the provider is correct. Another trust test.

What Dan is doing in the above example is making an outrageous claim, namely that he is Scott. It becomes a problem when we believe it at face value.

Claims authentication was supposed to free us from the cost of maintaining secure username/password stores and managing a thousand passwords for the many sites we log into. But now, if we want to keep Dan from playing his little joke, we have to ask each user to give us something that can't be faked like their e-mail address or phone number, store it in our [secure] database, and then verify it - I assume by calling each potential new user and asking them what account they'll be using to get into our site. Obviously, that works better for some scenarios than others.
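The two trust tests above, as an added example that is not part of the original post: a minimal claims consumer in Python that checks a token against the key it received from the provider when trust was set up, and then keys its decision on issuer plus stable subject id rather than on a self-asserted display name. The issuer URLs, keys, token format and vetted-user list are all constructed for this example, and an HMAC key stands in for the provider's certificate so that it runs offline; real SAML tokens carry X.509 signatures, but the decisions are the same.

```python
# Added example, not code from the original post. Everything below
# (issuers, keys, token layout, vetted users) is constructed for illustration.
import hashlib
import hmac
import json

# Signing keys the consumer received from each provider when trust was set up.
# A real consumer would pin the provider's signing certificate instead.
TRUSTED_ISSUERS = {
    "https://login.google.example": b"google-setup-key",
    "https://login.live.example": b"live-setup-key",
}

# Accounts the site admin has verified out of band (e.g. by phone), keyed on
# (issuer, stable subject id). Display names are never used as identity.
VETTED_USERS = {
    ("https://login.live.example", "sub-0001"): "Scott Hoag",
}


def sign_token(issuer, key, claims):
    """Build a signed token the way a provider would (constructed format)."""
    payload = json.dumps({"iss": issuer, "claims": claims}, sort_keys=True)
    sig = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    return {"payload": payload, "sig": sig}


def verify_token(token):
    """Return the parsed token if a trusted issuer signed it, else None."""
    try:
        parsed = json.loads(token["payload"])
    except (KeyError, TypeError, ValueError):
        return None
    if not isinstance(parsed, dict):
        return None
    key = TRUSTED_ISSUERS.get(parsed.get("iss"))
    if key is None:
        return None  # first trust test: we never exchanged certificates
    expected = hmac.new(key, token["payload"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, token.get("sig", "")):
        return None  # payload altered after signing, or signed with the wrong key
    return parsed


def authorize(token):
    """Decide what to grant: ("rejected", None), ("unverified", note) or ("trusted", name).

    A valid signature only proves that the provider said it; it does not prove
    that the display name belongs to the person everybody assumes it does.
    """
    parsed = verify_token(token)
    if parsed is None:
        return ("rejected", None)
    issuer = parsed["iss"]
    claims = parsed.get("claims", {})
    vetted_name = VETTED_USERS.get((issuer, claims.get("sub")))
    if vetted_name is not None:
        return ("trusted", vetted_name)
    # Second trust test: the name was typed by whoever created the account,
    # so treat it as a stranger until an admin vets the subject id out of band.
    return ("unverified", "%r from %s is not a vetted account" % (claims.get("name"), issuer))


def run_demo():
    """Replay the scenario from the text; returns the decisions for inspection."""
    # Dan's fake Google account named "Scott Hoag": valid signature, unknown subject.
    fake_scott = sign_token("https://login.google.example", b"google-setup-key",
                            {"sub": "sub-9999", "name": "Scott Hoag"})
    # The real Scott, via the account the admin verified by phone.
    real_scott = sign_token("https://login.live.example", b"live-setup-key",
                            {"sub": "sub-0001", "name": "Scott Hoag"})
    # The real token with its subject edited after signing.
    tampered = dict(real_scott)
    tampered["payload"] = real_scott["payload"].replace("sub-0001", "sub-9999")
    # A token from a provider we never exchanged certificates with.
    stranger = sign_token("https://login.unknown.example", b"whatever",
                          {"sub": "sub-0001", "name": "Scott Hoag"})
    return {
        "fake_scott": authorize(fake_scott)[0],
        "real_scott": authorize(real_scott),
        "tampered": authorize(tampered)[0],
        "stranger": authorize(stranger)[0],
    }


if __name__ == "__main__":
    for case, decision in run_demo().items():
        print(case, "->", decision)
```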

(Aside from the fact that they're buds, why do I always pick on Dan and Scott when I talk about this scenario? Maybe I'm hoping that one of them will mention me in a presentation or blog post. Anyway, it's all in fun.)
Here's another example. Recently it was revealed that the NSA can now successfully attack SSL and that many SSL certificates have already been compromised. (NYT, Guardian, ProPublica) So what? What if NSA wants to break the certificates Al Qaeda uses to send communications? That's reasonable and it's good for our national security.

But, Al Qaeda doesn't have an IT department with firewalls and hundreds of dedicated servers. If they did, we could pretty easily bomb it out of existence. All their communications would appear to be concentrated and they'd be easy to follow. Al Qaeda does what many small businesses do when they need to get a lot done on a budget - they use cloud services.

So, NSA isn't going after SSL certificates for the enemies of America, it's going after certificates of some of America's largest cloud service providers: Google, Amazon, Microsoft, Twitter, and Facebook - and just about any other provider that they think the enemy might run to if they decide to take their operation underground.

So, why is that a problem? Because SSL is the lock on the front door of your house. Whenever you log in to a web site like Gmail or Facebook, it's SSL that ensures your password cannot be sniffed out over the wires using SIGINT, and that you have some assurance that Gmail is still being run by Google and not by Fly-by-Night Honey Pots, Inc.

What I am saying is that once you compromise SSL, the sky is the limit. That's saying a lot for services that run in the cloud! If you break someone's SSL certificate, that means that you can read all their traffic including logins and passwords. It also means that you can pretend to be them.

So, say you've scooped up petabytes of network traffic that were secured with SSL and you filter out just the ones that go to the Facebook login page. Crack the SSL certificate and watch thousands of passwords fall out. Some of those usernames and passwords will work on other sites too like LinkedIn or Twitter, or if the user isn't very password savvy maybe their online bank. They may work for years to come. If you have interest in someone on the Internet, maybe because you think they're a bad guy, and you know the password of someone close to them, well… that could be a very powerful weapon indeed.

But that's only half the picture of what SSL gives you. Collecting so much data is expensive and time consuming. But, what if you had a little box over in AT&T communications HQ that could track traffic just enough to look for DNS requests to Facebook.com that come from certain IP addresses? Whenever it finds one, instead of directing the traffic as usual, it replaces the IP address with one that points to a special proxy server. The proxy has a false copy of Facebook's SSL certificate, so people are told that it's really legit, and they willingly enter their username and password for the site, plus all the traffic to and from is being decrypted (and recorded) in real time.

If you had a setup like that, just imagine what you could do! Say you find out tomorrow that every bad-ass in the world has switched from Facebook to Qik. As soon as you get their SSL broken, you can reconfigure your little DNS spoofing and proxy operation and start listening in on everything they're doing. And all you have to do to accomplish your goal is lie to everyone on the Internet.

Now, those are outrageous claims! …and a test of trust.

Error Creating WCF Connection for BCS Content Type in SharePoint Online

***some links Currently Broken***

I started this week's Super SharePoint Detective Adventure while trying to follow Nick Swan's blog article about creating a BCS External Content Type for CRM 2011. This kind of integration between SharePoint and CRM is something I've been wanting to prove out for our own use for a long time now, and Nick's approach (although it still involves a lot of "glue code") seems like the most reasonable one I've seen to date.

True, his article talks about SharePoint 2010, but he has another one based on 2013 and all the concepts look like they ought to be backward compatible. In fact, everything was going fairly well, until I got to the last step in SharePoint Designer where you actually create the ECT connected to your WCF service. Then, things just wouldn't work - no matter what I tried, SharePoint Designer kept giving me this error.

  • An error occurred while accessing WCF service URL: http://<myStagingGuid>.cloudapp.net/BcsTest.svc
  • Connection to the WCF service that has connection name BcsTest cannot be established.
    • Unknown Error occurred. Unable to load one or more of the requested types. Retrieve the LoaderExceptions property for more information.
I could see others online are having this problem too, as there are questions about it posted in a few places, but mysteriously so far there was no answer:

  • MS Forums: Problem creating external content type from WCF service
  • Stack Overflow: Consume WCF Service in Office365 from window Azure

So, I did some experimentation. People say this works in on-premises SharePoint, so I point SPD at my on-prem SharePoint 2013 farm, and just as they say everything works fine.

Maybe my types are too complex. After all I am trying to pull a ton of data fields from a CRM Account. I create a much smaller web service with a data structure containing just a string with "Hello world!" and an integer ID of 1234. Still, I cannot create the data connection to this service either.

I spend some time trying to package up my data model into a *.bdcm file, and then do the export from my on-prem farm to SPO. No dice! This just breaks differently, because now when I go back to SP Designer my data connections are still broken, and my options from the SharePoint web UI are too limited to complete the configuration.

After beating my head against the wall all Friday evening - then stressing out all weekend about how I'm supposed to get a good hybrid solution with one part in the cloud and one part on our local network when I can't get the in the cloud part of it to work - I decided to open a ticket with support. At this point, I am not expecting great things to happen.

I guess it's a good thing that my experience did not live up to my expectations. I got the answer that I needed, and I didn't even have to wait a fortnight!

Update: Yay! Microsoft releases official KB article for my issue. KB2879695: "Unknown Error occurred" error message when you try to create an External Content Type in SharePoint Online by using SharePoint Designer 2013 came out yesterday; interesting timing, indeed. ;-)

I was also surprised when I learned the cause to this problem, and its solution - or at least the workaround. More on the cause in a moment. I think it may surprise you. Here's the workaround for you, in glorious Technicolor.

  1. Find the spdesigner.exe.config file. In my case this was in C:\Program Files\Microsoft Office\Office15 because I am using the 64 bit version. You're all using 64 bit now right? Right?
  2. Make a backup of this file, because you never know when you'll want to reverse this fix, like maybe on whatever day SharePoint 2016 finally rolls out.
  3. Add the runtime element below, so that your file looks like the following code, then save it.

    And that's it. Just re-execute SharePoint Designer and it will magically work.

So what's going on here? Basically, we're telling SPD that if it gets a reference to a version 16.* assembly, it should use version 15.0.0.0 instead. Seems that the Office 365 team has incremented the version number for SharePoint Online to 16.0.0.0 for some reason. That's why the BCS connection will work fine if you are pointing to your on-premises SharePoint farm.

Do they have a time machine into the not-so-distant future? Are they pilot testing the super-secret-squirrel beta version? Was somebody just a very bad typist working with an equally bad set of software testers? As Fox Mulder once said, "The truth is out there." But it turns out that it really isn't so exciting. I'm told that the reason this was done is to help differentiate the build running in Office 365 from the on-premises version.

I'll defer judgment for now on whether this was a particularly wise decision on Microsoft's part, but I encourage you to leave your opinions in the comments. Let's just say that their workaround has had some unintended consequences, and my error was one of those.

And of course, if you think this was a particularly brilliant piece of detective work and want us to help on your next SharePoint project, you can reach me here.


A SharePoint Success Story

Before I got to Liquid Mercury and indeed before I even got into SharePoint at all, I was a contractor working for HHS's Health Resources and Services Administration (HRSA). When I started, we worked as the "Application Processing Center" for the NHSC Loan Repayment Program. It was a program for doctors who were willing to work in high need areas, like free clinics in urban or rural areas, to get some help in paying back their student loans. The branch had about 40 people in total working on processing, analyzing and approving about 11,000 applications per fiscal year. Then we made the transfer to SharePoint. Once everything got up and running, 50 of us were not only processing, tracking and generating business intelligence for 11-15k applications, but we also had so much excess utility that we absorbed the work load for 9 other programs as well! I cannot even begin to imagine how much money that saved the HRSA.

Allow me to start from the beginning and paint you a picture. Originally, for just one program (the loan repayment program), candidate applications were all hard copy and tracking them involved Excel sheets, hundreds of them. We tried to keep everything on the computer, but most of the people in the chain would make notes on the hard copies and these would never make it into the Excel file notes or, worse, they would get lost entirely. In addition to the actual application process we also had a team of contractors who assembled and collated the data from the applications for analysis and business intel. I would guess that the most ideal of candidates could be processed in about 2 weeks, but that only happened once; generally it took about 6 weeks to process an application. Needless to say it was a fairly inefficient and labor intensive process.

In 2010, we moved over to the SharePoint environment and moved the entire application and tracking process online. We eventually used SharePoint to manage our application intake through the website portal; an intranet to handle document storage and tracking; and business intelligence from automated report generation, analysis, and easy to digest metrics through management dashboards. Bottom line: we went from a clerical office to a technology office by getting rid of the receiving, assembly, and data entry teams, then tripling the size of our IT staff. But once the process was automated, applications were processed, loss went to zero, redundant processes were heavily reduced, metrics and analysis were 1 click away, and thus utility also dropped. This meant that we started doing the same work for similar departments like nursing and medical school scholarships. In the end we were doing 9 times the work for less than double the cost and that is what made a SharePoint convert out of me.

And yes, you should probably study IT in school.

3 Reasons Why Microsoft Acquiring Yammer Will Change SharePoint Forever

And a lot of other thoughts on the matter that are probably just TLDR

So recently, some of my colleagues have been asking me what I think about Microsoft acquiring Yammer. My short answer is that I think it's a good thing (if you want my long answer, keep reading.) But you've just got to love these news articles that are saying things like it signals some cosmic shift in the way businesses and software companies will think about social. I mean really guys, seriously?

Sure, I guess this might be big news if you’ve been living in a cave in Tora Bora for the past ten years. From where I've been standing, it's just a logical move in the same direction that Microsoft was already heading a few years ago when they started working on SharePoint 2010. It may be an exaggeration, but at SharePoint Conference 2009, it seemed like you couldn’t swing a dead cat around in the Mandalay Bay without knocking over 3 or 4 sessions about "Enterprise Social."

I especially love this quote from a Seattle Times article. "For all its successes, here's one thing Microsoft has never managed to do: Create a consumer product that people like so much they clamor for it in their workplace." Um, wait -- what? Microsoft may have a fairly mundane batting average when it comes to their products' overall success record, but to say something like this you'd have to have basically forgotten the journey that SharePoint has taken since it was originally released (under that name) in 2001 to where it is now the dominant platform for enterprise collaboration and file sharing.

SharePoint's ascendancy wasn't something that happened because CIOs saw the vision Microsoft was trying to pitch -- far from it, IMHO. First versions of SharePoint were clunky. It couldn’t make up its mind if it wanted to be a poor man's version of Documentum or MS FrontPage++ (*shudders*). In 2001, I tried in earnest to convey the great features of SharePoint search but my appeals too often fell flat. It wasn't until 2003 when Microsoft unified the free and pay-for versions of SharePoint under a single name that things started to get real and I believe it was precisely this "freemium" model that caused SharePoint to take off at a viral adoption pace.

True, we're not directly talking about the consumerization of IT -- more like the consumerization of the IT department. It was information workers who elevated SharePoint into ubiquity by deploying it everywhere they could put it to work. The fact that users approved made it a done-deal.

Of course, a good bit of my time over the next few years was spent cleaning up messes made in the essentially-free-but-not-technically-really-free Windows SharePoint Services that could have been avoided or solved with SharePoint Portal Server (or MOSS, if you prefer). But that's not my point. Rather, I want to emphasize that Microsoft has been talking about Software as a Service and pushing what is essentially ShareWare (no pun intended) for over a decade; so it's silly to think that this acquisition is about them trying to buy something that they couldn't do for themselves.

Or is it? One of the things I have noticed over the past 15 years as a Microsoft developer, consultant, and partner is that Microsoft seems to have a systemic problem imagining what customers will actually want to do with their products. This leads to craziness like pie charts where you can't pick the colors for the pie slices. (Seriously, you can't make this stuff up!)

My exposure to this phenomenon has always been from the outside looking in -- thank goodness; I can't even begin to speculate as to why this might be the case. But it occurs to me that there are so many examples that perhaps even Microsoft is aware of its own limits and may simply be acquiring companies like Skype and Yammer because they do a better job of understanding and predicting what customers want.

However, rather than trying to read the tea leaves about why Microsoft is doing what they're doing, I'd rather speculate on the impact for those of us who -- for good or ill -- have come to rely on Microsoft products. I think there's a compelling story to tell there and I have some experiences that might inform -- or perhaps confuse -- in an entertaining way.

So here it is, with a full disclaimer regarding my lack of credentials as a fortune teller and an explicit request that if my prescience should make you a million dollars you should buy me a nice steak dinner (or at least a beer).

Prediction #1: More Business Solutions Incorporating Yammer
While I'm technically not sure if I can say that this means "more than 0", it does strike me that in spite of Yammer being a compelling service we don't see more business solutions based on this technology. Essentially, Yammer is Twitter in a walled garden, which is exactly what anyone would want if you like the connectedness and real-time sharing of Twitter but don't like pictures of your boxers (or your books) hanging out there for the public (or your competition) to see.

That workgroups adopt it as a way to share information is not especially surprising, but there don't seem to be a lot of apps on their platform that do very business oriented things. Whatever happens, both companies will want to make a compelling case that Yammer can have more uses than just letting employees chat with each other sans water-cooler; they can already do that in Lync.

I wouldn't be surprised if within a year or so, you see a proliferation of apps for Yammer that appeal to business uses like tracking interaction with customers or entering your expenses. Also, I think you'll see some solutions built on top of SharePoint that start to incorporate the Yammer message feeds directly into SharePoint sites. Why do I think this? Because this is exactly the sort of avant-garde work we were using Yammer to experiment with as far back as 2009 while I was working at the IMF. (Also, some of those apps and solutions might end up being written by me – just sayin'.)

Prediction #2: Office 365 Users Will Benefit First - You Other Jerks Get in Line
One thing I've noticed since Office 365 was released last year is how it's changed the maintenance cycle for SharePoint (and probably Office, Exchange, and Lync as well.)

It used to be that service packs were primarily focused on improvements to SharePoint for on premises deployments. Sure, I'm assuming that hosting partners with armies of SharePoint farms probably had significant influence over which bugs received attention first. Whatever their size, customers who had purchased SharePoint would open tickets with Premier Support Services and those would get turned into KB articles and possibly somewhere down the road your bug might see a hotfix and get scooped up into a service release.

This still happens, but now there is a new seat at the table for the Office 365 team -- and their motivations are very different than those of existing customers. For one thing, they are forward focused on selling new subscriptions as well as retaining existing ones. As a result, we've seen features added to SharePoint 2010 that were meant specifically for Office 365 servers; in some cases these are not even supported for on premises customers. In other cases, the Office 365 team has quietly deployed fixes across their entire farm (think Monsanto, not the Kent family), for problems that are notorious for plaguing on-premises deployments.

So, it should surprise nobody if a SharePoint/Yammer expansion pack, software development kit, or CodePlex project experiences its first life as a set of enhancements or features that are only available for Office 365 customers. Personally, it'd be an amusing turnaround from having to say "No, you can't do that with SharePoint in Office 365," to "Sorry, only Office 365 customers have access to that SharePoint feature right now."

Maybe the rest of us will just have to wait for Office 15 in order to take advantage of Yammer in SharePoint. I guess only time will tell.

Prediction #3: What Yammer Does Well Can – And Will - Be Done Well In SharePoint
One way to get more free Yammer users would be to offer more Yammer interoperability in SharePoint right out of the box. Now that Microsoft owns Yammer, this makes absolute sense. Why shouldn't the bump that Yammer already gives to SharePoint go both ways?

As far back as the 2010 beta I've stated that Microsoft was incredibly excited about social. I heard the phrase "Facebook for the enterprise" mentioned at least often enough that I still remember it now a few years later -- despite filling my head with myriad technical trivialities and my belly with what feels like probably a good stiff drink for each of them.

SharePoint 2010 does indeed have a lot of great social features. There's folksonomy / tagging / "I like It", tag clouds, and even knowledge networks that can recommend people at your company based on your need to share knowledge and skills. Ubiquitous presence indicators have been in SharePoint since 2003 and are inherently social; they let you reach out and tap someone at the moment you’re looking at a document they wrote. How about the fact that two people can work on a Word document at the same time -- how cool is that? I have to give Microsoft props. There are a lot of compelling "social" features already in SharePoint and there always have been, which is why I think it’s been such a compelling platform for collaboration.

Given all this, I still see three thorny problems with the push for social as implemented in SharePoint 2010.

First, I think Microsoft didn't know what to call it. (See above reference to "tagging", "folksonomy", "I like it", etc. which probably goes by a half dozen other names that I'm not remembering offhand.) This is partly a problem with Microsoft in general that's been true for years; they take an awesome name like Vertipaq and change it to xVelocity (whatever that means!) There's a running joke around the office here that if Microsoft made cars they'd call them something like "Microsoft Car", "Microsoft Go", or maybe on a stroke of genius "Travel-X-lerator". I suppose when you're *that* bad at naming things, nobody can blame you for changing the name every couple of years, which is how SharePoint itself came to have something like 6 slightly different names over a 10 year timespan.

The second issue is that Microsoft’s social implementation is -- well, it pains me to say things that will hurt my friends' feelings, but sorry Microsoft -- just plain clunky. I know this because the main reason we've never used it or had any success in getting our clients to use it is that it just takes too much effort. 99% of folks don't even know where to start filling out their user profile on My Site. The tagging interface is dreadful, and the activity feed is even worse. (How bad? Start here and here; Chris O'Brien has an excellent article on improving SharePoint social.) And if the interface is terrible, the API is a nightmare! I'm well informed on this topic because we've recently created some solutions that improve SharePoint's social features. Fortunately these dovetail very well with Yammer since they focus on adding hash-tag capabilities to SharePoint and fixing e-mail alerts. We're looking forward to building some exciting products with Yammer as part of our strategy.

Problem number 3 is that Microsoft saw the overwhelming influence of Facebook and got, well, obsessed. Not only did this basically leave them functionally blind to all the other cool social apps out there, it also opens up a huge vulnerability. What happens when people stop being in love with Facebook and decide that they want to go do something else? Will SharePoint 2020 start chasing Google+? (Somebody over at Google will no doubt find that a delicious thought.) While repeating "Facebook of the Enterprise" does cause me to go into uncontrollable chuckles as I imagine Capt. Kirk updating the status of his wall, I notice that nobody says "the Tumblr of the Enterprise" or "the TinyUrl of the Enterprise." And the missed opportunities that really floor me are of course Twitter and LinkedIn (where most of the actual business discussions are taking place, duh!)

Bringing Yammer integration into SharePoint will require Microsoft to clarify its vision of what tags *are* and how to make them easier to use. SharePoint already has the infrastructure to do 95% of what Yammer does under the hood; seeing discussions, folksonomy, and user profiles rolled up under the Yammer banner would give them a much-needed identity. And, while all of these things will no doubt come to Office 365 customers first, we can probably expect them, eventually, to benefit the overall SharePoint community.

So, my hope for Microsoft is that by acquiring Yammer they have gotten over their infatuation with Facebook, they can better focus, and can start making lasting social improvements to SharePoint. I think they will.

Besides, in my opinion, Yammer is a much better cook and wayyy-less crazy; they make a good couple.

 *********************************************

SharePoint Content Planning: Marathon or Sprint?

As this is one of my first blog posts for Liquid Mercury Solutions, I wanted to discuss something I feel strongly about. Content planning is a critical phase of the SharePoint development cycle because the entire site architecture depends on the content types and workflows you create. Many companies just slap content together using out-of-the-box (OOB) content types and never bother to plan them out. Then, when they want to extend, enhance, or redesign the site: oops! Too bad!

For convenience, we’ll follow some of the planning worksheets from Microsoft Technet. Specifically:

  • Document Management Participants worksheet
  • Analyze Document Usage worksheet
  • Content Type and Workflow Planning worksheet
  • Information Management Policy planning
  • Managed Metadata Services Planning worksheet
  • Policy worksheet

There are a number of other worksheets, but to keep clients in line and the pace moving, we’ll keep those in-house.

Rule: The client should be responsible for as little as possible. That narrows the feedback, minimizes the risk of overwhelming the client, and keeps the project moving quickly. But you do want the client participating at some level.

One approach is to show only the most relevant columns and hide the rest. The assumption is that whatever the client fills in will tend to be the most important information to them. You can have them fill out the rest of the information later, which will result in a naturally prioritized list of content types.

1. Document Management Participants
The first thing I like to do is have the client list 5 types of users in their organization whom they expect to use the portal. For this step, I have them fill out the Document Management Participants worksheet. I ask them to fill in the columns for a User’s position (title), the types of documents that user might create or utilize, and the user’s role in the organization. It’s also helpful to ask the client to solicit contributions from potential users in building this list. So ask them to pass it around if they can.


2. Analyze Document Usage
Here, we’ll use the Analyze Document Usage worksheet to identify some specific documents that each participant will use, what format those documents will be in (doc, pdf, web page, etc.), who will create them, who will use them, and who will need access to them (e.g. for record-keeping). A good rule of thumb is to populate the roles column first, then think of some document types those roles work with and proceed from there.

For this step, come up with 2 documents for each of the 5 participants (positions) identified in the first step. There may be some overlap between documents, and that’s fine; it can be addressed later.

Ex: Employee resume


3. Content Type and Workflow Planning
For step 3, we fill in the information that gives each document type its metadata. Metadata is information about a document that is used to categorize and classify your content; each piece of metadata is attached to a content type as a column.

In the Content Type and Workflow Planning worksheet, add between 3 and 5 columns for each document type. I’ve used Employee Resume as the example again. Add columns that make each type of document easy to find (author, subject, audience, language, etc.) as well as editorial columns (date posted, last modified, etc.) that help track the document’s history.
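Once the worksheet is filled in, the rows map directly onto site columns and a site content type. The script below is an added example, not code from the original post: it provisions the Employee Resume content type from a few constructed worksheet rows using PnP.PowerShell against SharePoint Online. The site URL, the group name "LMS Planning", the column internal names (LmsCandidate, LmsAudience, and so on) and the choice values are all placeholders I made up for the example.

```powershell
# Added example, not from the original post: provision the "Employee Resume" content type
# from the planning worksheet with PnP.PowerShell against SharePoint Online.
# Assumptions: the site URL, the group name and the worksheet rows below are placeholders.
Connect-PnPOnline -Url "https://contoso.sharepoint.com/sites/hr" -Interactive

$group = "LMS Planning"   # assumption: one group keeps our site columns and content types together

# Constructed worksheet rows: one content type, 3-5 columns (finder columns plus editorial columns).
$plan = @{
    "Employee Resume" = @(
        @{ Name = "LmsCandidate";  Display = "Candidate";   Type = "Text";     Required = $true },
        @{ Name = "LmsSubject";    Display = "Subject";     Type = "Text" },
        @{ Name = "LmsAudience";   Display = "Audience";    Type = "Choice";   Choices = @("HR", "Hiring Manager") },
        @{ Name = "LmsLanguage";   Display = "Language";    Type = "Choice";   Choices = @("English", "Spanish") },
        @{ Name = "LmsDatePosted"; Display = "Date Posted"; Type = "DateTime" }
    )
}

# Our document content types derive from the built-in Document content type.
$parent = Get-PnPContentType -Identity "Document"

foreach ($ctName in $plan.Keys) {
    # Idempotent: re-running the script must not create duplicate content types or columns.
    if (-not (Get-PnPContentType -Identity $ctName -ErrorAction SilentlyContinue)) {
        Add-PnPContentType -Name $ctName -Group $group -ParentContentType $parent | Out-Null
    }
    $ct    = Get-PnPContentType -Identity $ctName
    $links = Get-PnPProperty -ClientObject $ct -Property FieldLinks   # columns already attached

    foreach ($col in $plan[$ctName]) {
        if (-not (Get-PnPField -Identity $col.Name -ErrorAction SilentlyContinue)) {
            $params = @{ DisplayName = $col.Display; InternalName = $col.Name; Type = $col.Type; Group = $group }
            if ($col.Choices) { $params.Choices = $col.Choices }
            Add-PnPField @params | Out-Null
        }
        # Attach the site column to the content type; "Required" comes straight from the worksheet.
        if (-not ($links | Where-Object { $_.Name -eq $col.Name })) {
            Add-PnPFieldToContentType -Field $col.Name -ContentType $ctName -Required:([bool]$col.Required) | Out-Null
        }
    }
}

# Show what was provisioned so the client can compare it with the worksheet.
Get-PnPContentType -Identity "Employee Resume" | Select-Object Name, Group, Id
```

Keeping the worksheet as the single source of truth and provisioning from it, rather than clicking columns together in Site Settings, is what makes the later "extend, enhance, or redesign" step survivable: the same script can be re-run on a new site collection or extended with the next row the client adds.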


4. Information management policy planning 
Stay tuned for the next steps in part 2. Same LMS time, same LMS channel.

SharePoint Quirks: Getting Past Content Type Errors

SharePoint is awesome. It really is. But it sure has its quirks. Case in point – you want to do something simple like deleting a content type. Seems like it should be pretty simple, but you get an error like "Content Types Still In Use" or "Can't Delete This Column While It's Part of a Content Type."

So you look at the documentation, but it's no help at all. It suggests you check SharePoint Manager to see where the content types and columns are being used. Good luck -- that's not going to help.

Frustrating!

But like so many things with SharePoint, the solution is actually painfully simple.

Why is SharePoint Such a Pain?

Before we get to the solution, first a little background. There's actually a pretty good reason why SharePoint is the way it is. It's to protect you from yourself.

Why do you need protection? Because it's awfully easy to delete content by mistake. Microsoft tries to prevent this by offering trash bins. LOTS of trash bins.

You can find your recycle bin in the left navigation, or under Site Collection Administration in Site Settings if you're at the root of the site collection.

When you delete content, it goes to the recycle bin for your level: first the end-user (first-stage) recycle bin of the site, and, once it's removed from there or its retention period expires, the site collection (second-stage) recycle bin, which only site collection administrators can see and empty. But here's the thing: a deleted list, library, or item that used a content type or column still counts as "in use" for as long as it sits in either bin, so the content type or column it points to cannot be deleted.

So what can you do about it?

A Simple Solution 

So, the easy but hard-to-find solution: have the site collection administrator delete all "End user Recycle Bin items" and then delete everything from "Deleted from end user Recycle Bin" (the second-stage bin).


It’s really that simple. You should now be able to delete your orphaned columns and content types. One caveat: emptying the second-stage bin is permanent, so look at what is in it (and who deleted it) before you purge; there is no third bin behind it.
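For an on-premises farm the same look-then-purge sequence can be scripted. The script below is an added example, not code from the original post: it runs in the SharePoint Management Shell against the server object model, reports every list that still carries the content type and every deleted list or item waiting in either recycle-bin stage, and only empties the bins and deletes the content type when you flip $doPurge to $true. The site URL and content type name are placeholders.

```powershell
# Added example, not from the original post. Run in the SharePoint Management Shell on a
# SharePoint Server farm as a site collection administrator.
# Assumptions: $siteUrl and $ctName are placeholders for your site collection and content type.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$siteUrl = "http://intranet.contoso.local"   # assumption: the site collection to inspect
$ctName  = "Employee Resume"                 # assumption: the content type that refuses to delete
$doPurge = $false                            # flip to $true only after reading the report below

$site = Get-SPSite $siteUrl
try {
    $ct = $site.RootWeb.ContentTypes[$ctName]
    if ($ct -eq $null) { throw "Content type '$ctName' not found on $siteUrl" }

    # 1. Live usage: lists in any web of the site collection that still include the content type.
    foreach ($web in $site.AllWebs) {
        foreach ($list in $web.Lists) {
            if ($list.ContentTypes[$ctName] -ne $null) {
                "{0} is still used by list '{1}' at {2}" -f $ctName, $list.Title, $list.DefaultViewUrl
            }
        }
        $web.Dispose()
    }

    # 2. Hidden usage: deleted lists and items in either recycle-bin stage still count as "in use".
    $kinds = @("List", "ListItem", "File", "Folder")
    $site.RecycleBin |
        Where-Object { $kinds -contains $_.ItemType.ToString() } |
        Select-Object ItemState, ItemType, Title, DirName, DeletedBy, DeletedDate |
        Format-Table -AutoSize

    if ($doPurge) {
        # Destructive and unrecoverable: both stages are emptied for the whole site collection.
        $site.RecycleBin.DeleteAll()
        try {
            $ct.Delete()
            "Deleted content type '$ctName'"
        }
        catch {
            # Still failing means a live list (section 1 above) has to be dealt with first.
            Write-Warning ("Content type still in use: " + $_.Exception.Message)
        }
    }
}
finally {
    $site.Dispose()
}
```

Run it once with $doPurge left at $false and hand the two reports to whoever owns the data; the first report tells you what must be cleaned up by hand, and the second tells you exactly what you are about to destroy for good.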

********************************** 

Still having trouble? Liquid Mercury Solutions helps all kinds of businesses deal with the quirks of their SharePoint systems. Let us know how we can help.

Office 365 User Permissions Gotcha!

Congratulations! You convinced your client to sign up for Office 365. They subscribed to licenses for various apps like SharePoint Online and SQL Azure. The wireframes look good. You've created the SharePoint site structure. Wonderful! You're off to a great start. But… get ready for a big "gotcha!"

You decide to make use of the Content Type Syndication Hub. Wise move. You go into the SharePoint online site, activate the Hub and click on the link to the Hub… bzzzzzzzzzzzz! Access Denied.

Uh oh.

You've run into a little known gotcha in Microsoft Office 365.

According to the small-print regarding Permissions in Office 365, "The person who signs up for Office 365 for his or her organization automatically becomes the 'top-level administrator.'" Notice, though, this says nothing about the fact that it's also the only person/account who can access certain features of the Office 365 products.

At the time of this writing, the Content Type Hub and the Search Center are the only two features known to be provisioned with a default administrator (I've only encountered this in SharePoint Online so far). The Search Center is provisioned automatically when the root site collection is set up (the first time Office 365 is logged into by the person who created the account). The Content Type Hub is provisioned when the feature is activated in the Site Collection Features.

Microsoft's logic is that, like an on-premises server hosted at your facility, roles need to be delegated such that no single person (except the domain admin) has access to every role and resource. This is essential for many reasons, security being the biggest.

But unfortunately, this becomes illogical when you move to the cloud. Now, instead of increasing security, you're committing an IT sin by creating a single point of failure. When you host your own server, you probably have access to the domain admin account (or at least to someone who does). In the cloud, you probably don't, and even if you do, that account gives you nothing in the Office 365 administrative console.

Needless to say, as a SharePoint consultant, having to ask your client for permission to do things on the "very-first-ever" account is less than ideal. What if you lose access to that person at a critical juncture? (In my case, they went to the Caribbean for two weeks, yay!)

When we discovered this problem, the client was small and the need for the Content Type Hub was not particularly urgent. No harm, no foul. If your client's business depends on a web site that hosts thousands of transactions per day, you can see where that could make for some trouble all the way around.

Microsoft, unfortunately, says they will not reassign this account under any circumstances without explicit orders from the portal creator. But what if the Portal account is deleted by mistake? What if the account creator quits the business, leaves the country, or gets hit by a bus?

Just ask this guy what happens. Not pretty.

According to Microsoft, best practice is to delegate this control to other admins. Agreed!

But, your client may not be that savvy - or that motivated. Or your client may be a control freak. Maybe, like many of our clients, they only became your client *after* they created their O365 free trial account and got in over their head. I can list a million reasons this creates risk, but mostly, it's the reasons I can't think of that usually kill me.

So how to handle this issue? The best way would be to change this policy system-wide.

It's Microsoft, so don't hold your breath.

Another way is to ask the client to share the portal creator's credentials with you after they've created the portal. This is also risky: a shared password leaves no record of who actually did what, widens the damage from a single phished or stolen login, and has to be changed every time a vendor rolls off. And, like I said, some clients are reluctant to give up that much control.

A third way is to ask your client to let you create the portal for them. This is fairly low-risk and should work in many cases, but there's always those situations where you got involved at a point where it's too late - or control issues, yet again.

The last reasonable solution is to ask the client to create a dedicated, non-personal Windows Live account (such as 365Admin), which they use to create the portal and are comfortable sharing with you or any other vendor. We recommend doing this from the beginning; it is slightly more painful, but possible, to rename the "primary" account after the fact (and create a new account for the CEO).
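Whichever of the options above the client picks, the delegation itself can be done from the SharePoint Online Management Shell by anyone who already holds the SharePoint administrator (or global administrator) role, which removes the dependency on the "very-first-ever" login for these two site collections. The script below is an added example, not code from the original post. The tenant name and the delegate accounts are placeholders; the two site URLs are the locations SharePoint Online uses by default for the Content Type Hub and the Search Center, so confirm them in your own admin center before running it.

```powershell
# Added example, not from the original post. Requires the SharePoint Online Management Shell
# and an account holding the SharePoint administrator or global administrator role.
# Assumptions: $tenant and $delegates are placeholders; the site URLs are the SharePoint Online
# defaults for the Content Type Hub and the Search Center and should be verified in your tenant.
$tenant    = "contoso"
$delegates = @("sp-consultant@contoso.onmicrosoft.com", "it-admin@contoso.onmicrosoft.com")
$sites     = @(
    "https://$tenant.sharepoint.com/sites/contenttypehub",   # Content Type Hub (created when the feature is activated)
    "https://$tenant.sharepoint.com/search"                  # Enterprise Search Center (created with the root site)
)

Connect-SPOService -Url "https://$tenant-admin.sharepoint.com"

foreach ($url in $sites) {
    $site = Get-SPOSite -Identity $url -ErrorAction SilentlyContinue
    if (-not $site) {
        Write-Warning "$url does not exist yet; activate the feature first, then re-run."
        continue
    }

    # Who can get in today? On a fresh tenant this is usually just the account that signed up.
    $before = Get-SPOUser -Site $url | Where-Object { $_.IsSiteAdmin } | ForEach-Object { $_.LoginName }
    "{0}: site collection admins before = {1}" -f $url, ($before -join ", ")

    # Add every delegate as a site collection administrator so no single person is a point of failure.
    foreach ($upn in $delegates) {
        Set-SPOUser -Site $url -LoginName $upn -IsSiteCollectionAdmin $true | Out-Null
        "  granted site collection admin on $url to $upn"
    }

    $after = Get-SPOUser -Site $url | Where-Object { $_.IsSiteAdmin } | ForEach-Object { $_.LoginName }
    "{0}: site collection admins after  = {1}" -f $url, ($after -join ", ")
}
```

The before/after listing is deliberate: it gives the client a record of exactly which accounts gained access, and running it again later shows whether a departed vendor was ever removed.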

Got any more ideas to improve these best practices or know of any other features in SharePoint Online or other Office 365 components that would have this issue? Post them in the comments and I'll stick them into a follow-up post. Hope this helps some of you avoid this weird gotcha. Getcha next time!