Afraid of data breach? Locking everything may not be the answer.

“Cloud first, mobile first” is the slogan, and news of data breaches has become routine, so company owners are increasingly sceptical when they realise that what we call their “digital company assets” could be made available to external users in just one click. I am often asked by my clients, “can I lock it down so that nobody can share externally?”. So I thought it was worth a bit of a brain dump from my experience.

The answer is probably not the simplistic one of locking everything down and opting for an ivory-tower policy!

Turning off all external sharing for users may be a short answer to a problem of trust. But they will still need to share with external partners and customers, so, trust me ;-), they will find other ways to share (personal email, consumer file-sharing services, USB sticks that IT neither sees nor controls), and then it will be even more disastrous if that data is duplicated outside the business' environment and gets into the wrong hands.
What happens when a child is forbidden to play with fire without being taught the reasons? He will burn himself with something else!
Some 4 years ago, I recall speaking at a SharePoint conference where we were already predicting to customers that in the next decade what we call “end-users” would no longer be just users but “data agents”. With the strengthening of personal data protection in Europe this year (GDPR), every business owner without exception should now be aware that these new roles even have specific titles: data processor or data controller.

Trust vs. training.

Users can make mistakes, they are human! But (unless it is deliberate mischief) they cannot be blamed if they have not been trained on how to use the tools that are available for doing their work.
You mean sit in a training room?!

Training can take several forms

Training nowadays is not just the classic day-long session listening to a trainer explain a tool, 70% of which does not apply to the user's work. It can be classroom training but can also take different forms:
  • a workshop activity to define what the user's tasks are, and could be, with the tool
  • brainstorming on what a tool is for and what it is not for
  • a group demonstration
  • one-on-one remote screen sharing with the “IT guy”
  • and my favourite: have a “power user” (the champion who has used the tool a lot in the business) organise breakfast or lunchtime sessions showing how they use the features and warning about the pitfalls.
All these activities need to be suggested, if not coordinated, within the deployment plan of the tool, otherwise they may not happen at all.

What to do for sharing the right way?

  • Let your users share, but restrict what can be shared
  • Publish clear rules for sharing and for reporting when it goes wrong (i.e. as part of the organisation's data governance)
  • Train staff on how to share and what to share
  • Define the governance in detail, apply it, but also have the authority to act when it is not respected
  • Examples of automated rules include:
    • enforce an expiration date on all sharing links
    • allow sharing only to certain (allow-listed) domains
    • allow access only from certain IP address ranges
    • allow sharing from only some sites and not others
  • And finally, review reports on sharing regularly!
Office 365 has some great features to configure and monitor sharing, for instance activity alerts when permissions have been loosened, but I am more in favour of using a third-party tool such as ShareGate. At Paperblade, we talk to business owners about how to make the most of current technologies at the lowest cost and in the most secure, reliable and responsible manner. Governance and sharing policies are an integral part of it.
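Here is how the automated rules listed above translate into tenant and site settings with the SharePoint Online Management Shell, followed by the two exports I would pull for the regular review. This is an added example and not code from the original post; the tenant name, partner domains, IP ranges and site URL are placeholders, and the two external-user expiry parameters are newer than the rest (drop them if your module version does not have them).

```powershell
# Added example (not from the original post): applying the automated sharing rules
# with the SharePoint Online Management Shell, then gathering data for a sharing review.
# Tenant name, domains, IP ranges and site URLs are placeholders; replace them with yours.

$adminUrl   = "https://contoso-admin.sharepoint.com"   # assumption: tenant is "contoso"
$partners   = "partner.example fabrikam.example"       # space-separated domain allow-list
$officeIPs  = "203.0.113.0/24,198.51.100.0/24"         # documentation ranges, use your office/VPN ranges
$lockedSite = "https://contoso.sharepoint.com/sites/Finance"

Connect-SPOService -Url $adminUrl   # prompts for a SharePoint Administrator account

# 1. Let people share, but only with named external users (no anonymous links), and make
#    both anonymous links (if ever re-enabled) and guest access expire automatically.
Set-SPOTenant -SharingCapability ExternalUserSharingOnly `
              -RequireAnonymousLinksExpireInDays 30 `
              -ExternalUserExpirationRequired $true -ExternalUserExpireInDays 60

# 2. Only allow sharing with allow-listed partner domains.
Set-SPOTenant -SharingDomainRestrictionMode AllowList -SharingAllowedDomainList $partners

# 3. Only allow access from known network ranges. Beware: this also locks out admins
#    who are off-network, so test from a listed range before turning it on.
Set-SPOTenant -IPAddressEnforcement $true -IPAddressAllowList $officeIPs

# 4. Some sites must never be shared externally, whatever the tenant allows.
Set-SPOSite -Identity $lockedSite -SharingCapability Disabled

# Verify the effective settings instead of trusting that the commands succeeded.
Get-SPOTenant | Select-Object SharingCapability, SharingDomainRestrictionMode,
    SharingAllowedDomainList, RequireAnonymousLinksExpireInDays, IPAddressEnforcement
Get-SPOSite -Identity $lockedSite | Select-Object Url, SharingCapability

# 5. Material for the regular review: every site that still allows external sharing,
#    and every external user who currently has access to the tenant.
Get-SPOSite -Limit All |
    Where-Object { $_.SharingCapability -ne "Disabled" } |
    Select-Object Url, SharingCapability, LastContentModifiedDate |
    Export-Csv -Path .\sites-allowing-external-sharing.csv -NoTypeInformation

Get-SPOExternalUser -PageSize 50 -Position 0 |
    Select-Object DisplayName, Email, AcceptedAs, WhenCreated |
    Export-Csv -Path .\external-users.csv -NoTypeInformation

# Optional, needs the Exchange Online module (Connect-ExchangeOnline): who created
# sharing links or loosened permissions in the last 7 days, from the unified audit log.
Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-7) -EndDate (Get-Date) `
    -RecordType SharePointSharingOperation `
    -Operations SharingSet, SharingInvitationCreated, AnonymousLinkCreated -ResultSize 5000 |
    Select-Object CreationDate, UserIds, Operations, ObjectId |
    Export-Csv -Path .\sharing-audit-last-7-days.csv -NoTypeInformation
```

The order matters in practice: verify the allow-list and IP ranges on a test tenant first, because a wrong IP range applied tenant-wide blocks everyone, including the administrator who would fix it.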

What do you think?

My views are not set in stone and I do not believe that there is only one correct way, so please comment below or speak me to bounce an idea or start a debate.

Left navigation intranet is so last year!


I have always been an advocate of using the out-of-the-box (OOB) features of a product before adding custom code to it. However, let's be honest, for years SharePoint was not great when only using out-of-the-box features. I even gave a talk in the past where we discussed how to win back the love of users.

In the SharePoint world, “Team site” was the default layout for any SharePoint intranet for years, and still is. The left navigation is super boring, especially with more than 15 links and 2 metres of scrolling down the page! So most companies ended up customising their site so much that each new version of SharePoint meant doing it all again.

But with the latest SharePoint modern sites and pages, it's sleek, minimalist, clean and... well, not clunky anymore! SharePoint owners are now super excited to use them as their intranet pages.

There is just one problem:

we haven't been told how to use these as the “top level page” of an intranet, i.e. the first page that users will see when they click on the SharePoint homepage:

Thanks to this blog article by Jimmy Hang and reading the comments, I have summarised how to do so. And I can confirm I have repeated the steps in 3 different tenants, therefore, no, Microsoft has not removed the ability to use these “workarounds”.

  1. Delete the top site collection

    The root site collection of SharePoint already exists (as a boring team site); go to the SharePoint admin center and delete it (if empty ;-).

  2. Recreate the top site collection without selecting a template

    Do not select any template; use the option “Custom / select template later”.


  3. Create a modern communication site anywhere

    Create a new site from the new SharePoint Admin Center or from the “SharePoint” site list, if self-service site creation is not disabled for your tenant.


  4. Allow custom script to run on that communication site

    Saving a site as a template (next step) only works when custom script is allowed on it. Tenant-wide this is the “Allow users to run custom script on self-service created sites” setting in the SharePoint admin center, but it can take up to 24 hours to apply; setting it on the one site from PowerShell takes effect almost immediately:

    Connect-SPOService -Url https://<tenant>-admin.sharepoint.com      # prompts for a SharePoint Administrator account
    Set-SPOSite -Identity https://<tenant>.sharepoint.com/sites/<communication-site> -DenyAddAndCustomizePages $false
    # once the template has been saved (step 5), turn custom script off again:
    # Set-SPOSite -Identity https://<tenant>.sharepoint.com/sites/<communication-site> -DenyAddAndCustomizePages $true

    Custom script lets anyone who can edit the site add script that runs in every visitor's browser, so do not leave it enabled for longer than the template export takes.
  5. Save the communication site as a template

    Append /_layouts/15/savetmpl.aspx to the site URL and save the template.

  6. Open the top site collection

    When prompted for a template, upload the template file (.wsp) to the Solutions gallery and activate it.

  7. Create the site using that template

  8. Job done!
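The PowerShell side of the procedure above, with the checks I would want before touching a root site collection: confirm the root is really empty before deleting it in the admin center, open custom script on the communication site only for as long as the template export takes, revert it in a finally block whatever happens, and confirm afterwards which template the rebuilt root is using. This is an added example, not the author's script; the tenant name and the communication site URL are placeholders.

```powershell
# Added example (not from the original post): checks and the custom-script toggle around
# the root-site rebuild. Tenant name and communication site URL are placeholders.

$tenant   = "contoso"                                                  # assumption
$adminUrl = "https://$tenant-admin.sharepoint.com"
$rootUrl  = "https://$tenant.sharepoint.com"
$commUrl  = "https://$tenant.sharepoint.com/sites/intranet-template"   # the site from step 3

Connect-SPOService -Url $adminUrl   # prompts for a SharePoint Administrator account

# Step 1 sanity check: is the root site really empty before you delete it in the admin center?
$root = Get-SPOSite -Identity $rootUrl -Detailed
"{0}: template {1}, {2} MB used, last modified {3}, owner {4}" -f `
    $root.Url, $root.Template, $root.StorageUsageCurrent, $root.LastContentModifiedDate, $root.Owner

# Step 4: allow custom script on the communication site, but only while the template
# is being saved (step 5), then put the setting back the way it was.
$before = (Get-SPOSite -Identity $commUrl).DenyAddAndCustomizePages   # Enabled or Disabled
try {
    Set-SPOSite -Identity $commUrl -DenyAddAndCustomizePages $false
    Start-Process "$commUrl/_layouts/15/savetmpl.aspx"              # step 5 happens in the browser
    Read-Host "Press Enter once the template has been saved"
}
finally {
    # Revert so the site does not stay open to custom script if the script is interrupted.
    Set-SPOSite -Identity $commUrl -DenyAddAndCustomizePages ($before -eq "Enabled")
}

# Steps 6 and 7 are done in the browser; afterwards confirm the root no longer reports
# the default team site template (STS#0) but the uploaded one.
(Get-SPOSite -Identity $rootUrl).Template
```

Keep the output of the first check: if the root ever needs to be rebuilt again after a Microsoft change (see the warning below), knowing its previous template and owner saves time.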

But remember, this is unsupported: if Microsoft changes even one small parameter in the root site or the template, it may break, so do not do it in a live environment.

Using Nintex Connection Manager with SharePoint Administrator privileges


A couple of months ago Nintex released the Connection Manager for SharePoint Online which finally gives a long-awaited, supported way to use elevated permissions in a Nintex Workflow; previously we always used a workaround in which the super user's credentials had to be passed to the workflow unencrypted (example here).

It all looked fine in principle, but my action kept returning an “unauthorised” error after I converted it to the new connection manager.

The action that was failing was “Create Site Collection”, and it was simply because the new connection I had created had rights at list/library level, site level and site collection level, whereas in my case I needed that permission to apply at tenant level (above all site collections, just like a SharePoint Administrator).

The Nintex connection manager documentation definitely mentioned using it for the Create Site Collection action, but clearly it failed.

Since I knew that Microsoft would not let a third-party tool like Nintex have its settings page in their admin center, I sensed that it would be tricky to create the new connection manager at tenant level, so where would that be done?

After a couple of interactions with Nintex support and an escalation to the product developers, we found out that to tell the connection to apply its permission at tenant level you have to specify the SharePoint admin center site as the URL of the SharePoint site; in other words, adding -admin to the tenant URL is enough. Since Nintex connections can exist in any site or site collection, a tenant-wide connection can be created anywhere too. Bear in mind that such a connection carries SharePoint Administrator rights over the whole tenant, so keep it in a site that only workflow authors can access and limit who is allowed to use it in their workflows.



The documentation now reflects this.



Thanks, Nintex for this precision.


How to create two Shared Mailboxes with Same Alias at Different Domains in Office 365 


Who would guess that a simple feature of any email system, including Exchange on-premises, can become a problem in Office 365 when using the web UI.

Thanks to this blog article, I was able to find a solution to my requirement: have the same alias at two different domains, both managed by Office 365.

—>  Create Shared Mailboxes with Same Alias at Different Domains in Office 365 | Cogmotive Reports Blog
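The web UI derives the Alias (mailNickname) from the mailbox name, and an alias must be unique per tenant, so creating the second mailbox there fails even though the two SMTP addresses are different. In Exchange Online PowerShell the alias and the primary SMTP address are set independently, which is one way to meet the requirement above. This is an added example, not code from the original post or from the linked Cogmotive article; the domain names are placeholders and both must already be verified accepted domains in the tenant.

```powershell
# Added example (not from the original post or the linked article): two shared mailboxes
# whose addresses share the local part "support" at two different domains, created with
# Exchange Online PowerShell. Domain names are placeholders.

Connect-ExchangeOnline   # prompts for an Exchange Administrator account

$wanted = "contoso.example", "fabrikam.example"

# Both domains must already be verified accepted domains, otherwise New-Mailbox rejects the address.
$accepted = Get-AcceptedDomain | ForEach-Object { $_.DomainName.ToString() }
foreach ($d in $wanted) {
    if ($d -notin $accepted) { throw "Domain $d is not an accepted domain in this tenant." }
}

# First mailbox: alias and address local part can match.
New-Mailbox -Shared -Name "Support (Contoso)" -Alias "support" `
            -PrimarySmtpAddress "support@contoso.example"

# Second mailbox: same local part, different domain, but a DIFFERENT alias, because the
# alias (mailNickname) must be unique in the tenant while only the full address must be.
New-Mailbox -Shared -Name "Support (Fabrikam)" -Alias "support-fabrikam" `
            -PrimarySmtpAddress "support@fabrikam.example"

# Verify: two distinct mailboxes, each with the intended primary address and its own alias.
Get-Mailbox -RecipientTypeDetails SharedMailbox |
    Where-Object { $_.PrimarySmtpAddress -like "support@*" } |
    Select-Object Name, Alias, PrimarySmtpAddress
```

The second alias also becomes the local part of the default address at your tenant's onmicrosoft.com domain, so pick something that does not collide with an existing user or group there either.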

Microsoft and LinkedIn published free Office 365 training


Microsoft and LinkedIn have created new training courses about various Office apps and services. The courses are available for free in the Office Training Center, and cover topics like how to use Outlook 2016 and Excel 2016.


Source: New Office training courses from LinkedIn Learning – Office Blogs

SharePoint is like a large commode


“Site collection” and “Site”, I am lost !

… this is what I heard yesterday in a meeting.

To illustrate what it is and give my advice to the person who, I thought, was acting as the company’s SharePoint Administrator, I asked to see the Office 365 Admin Center and SharePoint Admin Center.

What was there: a dozen site collections, all of them “pilot sites” that had been requested by a couple of teams to “play with SharePoint”, all of them sitting just under the managed path /sites/, such as:

No no, sir! Let's go back to basics and understand why you would want a few site collections in your environment and where to put the sites.

For a few years now I have been avoiding technical jargon with my clients, because the person who previously only had to be the SharePoint Administrator is now also the head of IT support, the infrastructure manager and, oh, maybe also managing the 500 staff mobile phones, so I get that they cannot remember every system's ins and outs.

I used the old analogy that we used to use for Windows folders:

Would you create a new drawer each time you have a new colour of socks to put together, or would you just find more space within that drawer to add the new item?



“Site collection” would be your drawers, where you would put a “group of items” in each one (granted, you may have a very high commode of 20+ drawers, so build it wide!), and your “sites” would be the little compartments in each, to keep things cleaner, neater and, hum.. maybe block access to some of them by putting a little lock on them. In SharePoint terms the drawer is also where the locks are managed: site collection administrators, storage quota and sharing settings are set per site collection, and the sites inside it inherit its permissions unless you deliberately break that inheritance.

My user was happy with the explanation and actually felt sorry for the messy sites he had created. Not his fault, I said, it's not that obvious when the names are so similar.

Let’s demystify SharePoint and refer to it in plain English so that everybody gets it, shall we ?!

[Nintex Workflow] Add user to Site Collection Administrator group with REST API


Helping people to automate their workplace is my passion and lucky for me I also get paid to do so !

This week I finished working with a partner to improve the (poor) automation steps required by Matter Center, which no one can really complain about because Microsoft made it open source.
Matter Center documentation requires creating each client as a new site collection in PowerShell, but this is not really possible if the users registering these new clients on a daily basis are regular Office 365 users and not SharePoint Administrators.

Thanks to a few Nintex Workflows we managed to do all the configuration in the background.
Today's post is not about the site collection creation, so I will spare you the details, but in summary and at a very high level, I developed 4 workflows, 1 CSOM JavaScript to be executed in the browser, and 1 Nintex Form, of course, for submitting the new client on desktop or mobile.

Now, this quick blog post is about the challenge we had adding the user as a Site Collection Administrator of that newly created site collection.

Since there is no mention of this sort of thing in the documentation, it may be useful to someone, so here it is:

  1. Create a new Nintex workflow on an Office 365 site list.
  2. Download and import the .NWP workflow file available here to replace the blank workflow.
  3. Edit a few of the actions at the beginning of the workflow to set the variables (I never hard-code UserName and Password, for instance, so you will see a few Lookups to a different list to get the values; replace them, since they will show an error once imported into your list).

Note: In this workflow, the “user” I am adding to the Site Collection Administrators group is actually the “Created By” of the list item, which may sound strange since the user running that workflow may well be that same “Created By” person. However, this is NOT the case (refer to the point above: we do not want all users to be SharePoint admins!), so here is how you should sequence the workflows to start:
1) After the list item is created, a first workflow (running as the “Created By” user), called for example “Start and Call workflow 2”, is triggered.

2) Within that first workflow we add a single “Start Workflow” action, making sure that this action executes inside an “App Step” in order to run with elevated (app) privileges.


3) Finally, all the real actions happen in Workflow 2 (the one imported in step 2), which therefore runs with the app's permissions rather than the submitting user's.
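The REST sequence that a web-request action inside the app step has to perform (ensure the user exists on the site, then flip the SP.User IsSiteAdmin flag with an OData MERGE, then read it back) is shown below as a PowerShell function so it can be run and inspected outside Nintex. This is an added example and not the workflow from the linked .NWP file; it assumes you already hold a valid OAuth bearer token for the site with enough rights to manage site collection administrators (how you obtain it depends on your app registration), and the site URL and user are placeholders. In an interactive admin session Set-SPOUser -IsSiteCollectionAdmin $true is simpler, but it needs a SharePoint Administrator, which is exactly what the end users here are not; a workflow that instead stores a privileged account's password in a list, as the lookups above do, exposes that password to anyone with read access to the list, so prefer an app identity.

```powershell
# Added example (not the original workflow): the REST calls an app-only identity can make to
# promote a user to Site Collection Administrator. $AccessToken is assumed to be a valid
# bearer token for the site; SiteUrl and UserEmail are placeholders.

function Add-SiteCollectionAdminViaRest {
    param(
        [Parameter(Mandatory)] [string] $SiteUrl,      # e.g. https://contoso.sharepoint.com/sites/client-0001
        [Parameter(Mandatory)] [string] $UserEmail,    # e.g. jane.doe@contoso.example
        [Parameter(Mandatory)] [string] $AccessToken
    )
    $site = $SiteUrl.TrimEnd('/')
    # Claims-encoded login name that SharePoint Online uses for an organisational user.
    $loginName = "i:0#.f|membership|$UserEmail"
    $json      = 'application/json;odata=verbose'
    $headers   = @{ Authorization = "Bearer $AccessToken"; Accept = $json }

    # 1. Every write through the REST API needs a form digest from _api/contextinfo.
    $ctx    = Invoke-RestMethod -Method Post -Uri "$site/_api/contextinfo" -Headers $headers
    $digest = $ctx.d.GetContextWebInformation.FormDigestValue
    $writeHeaders = $headers + @{ 'X-RequestDigest' = $digest }

    # 2. Make sure the user exists in the site's user information list; otherwise the
    #    getbyloginname lookup below returns 404 for someone who never visited the site.
    $ensureBody = @{ logonName = $loginName } | ConvertTo-Json -Compress
    Invoke-RestMethod -Method Post -Uri "$site/_api/web/ensureuser" `
        -Headers $writeHeaders -ContentType $json -Body $ensureBody | Out-Null

    # 3. Set IsSiteAdmin with an OData MERGE. The login name contains '#', '|' and '@',
    #    so it has to be URL-encoded inside the @v alias or the request is malformed.
    $encoded   = [uri]::EscapeDataString($loginName)
    $userUri   = "$site/_api/web/siteusers/getbyloginname(@v)?@v='$encoded'"
    $mergeHeaders = $writeHeaders + @{ 'X-HTTP-Method' = 'MERGE'; 'IF-MATCH' = '*' }
    $mergeBody = @{ __metadata = @{ type = 'SP.User' }; IsSiteAdmin = $true } | ConvertTo-Json -Compress
    Invoke-RestMethod -Method Post -Uri $userUri -Headers $mergeHeaders `
        -ContentType $json -Body $mergeBody | Out-Null

    # 4. Read the flag back and return it instead of assuming the MERGE succeeded.
    $check = Invoke-RestMethod -Method Get -Uri $userUri -Headers $headers
    [pscustomobject]@{ LoginName = $check.d.LoginName; IsSiteAdmin = $check.d.IsSiteAdmin }
}

# Usage (placeholders; $token must be obtained for your app beforehand):
# Add-SiteCollectionAdminViaRest -SiteUrl "https://contoso.sharepoint.com/sites/client-0001" `
#     -UserEmail "jane.doe@contoso.example" -AccessToken $token
```

In the Nintex web-request action the same four calls map one to one: a POST to contextinfo, a POST to ensureuser, a POST with the X-HTTP-Method: MERGE header, and a GET to confirm, with the app step supplying the credentials instead of the bearer token used here.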


Hope this helps someone.