Frequently Ask Question

SharePoint Development involves creating custom solutions, web parts, and extensions for Microsoft SharePoint. Developers use tools like SharePoint Framework (SPFx) to enhance SharePoint sites and tailor them to specific business needs.

SharePoint development offers benefits such as improved collaboration, document management, workflow automation, and integration with other Microsoft 365 services.

Power Platform Development focuses on building low-code/no-code solutions using Power Apps, Power Automate (formerly Flow), and Power BI. It empowers users to create custom apps, automate processes, and analyse data.

SharePoint and Power Platform can be seamlessly integrated. For example, you can embed Power Apps within SharePoint pages or trigger Power Automate flows based on SharePoint events.

SPFx allows developers to create modern, client-side web parts and extensions for SharePoint. It leverages popular technologies like React and TypeScript.

You can use SPFx to create custom list forms, add custom columns, and apply conditional formatting to lists and libraries.

Power Apps are low-code apps that can be embedded in SharePoint. They allow users to build custom forms, automate processes, and connect to external data sources.

Power Automate (formerly Flow) lets you create automated workflows triggered by SharePoint events. For example, you can automate approval processes or document routing.

Power BI is a powerful business intelligence tool. You can embed Power BI reports and dashboards directly into SharePoint pages for data visualisation.

Implement role-based access control, data loss prevention policies, and adhere to compliance standards. Regularly review permissions and audit logs.

Ensuring security in SharePoint Framework (SPFx) solutions is crucial to protect your organisation’s data and maintain a robust development environment. Let’s explore some best practices:

  1. Stay Updated with SPFx Versions:

    • Regularly check for updates to the SPFx framework. New versions often include security enhancements and bug fixes. Keeping your solution up-to-date helps mitigate vulnerabilities.
  2. Dependency Management:

    • Save Dependencies: When adding external packages (npm modules), use npm install --save to save them as dependencies. This ensures consistent versions across environments.
    • Lock Dependencies: Create a package-lock.json file to lock down dependency versions. Avoid relying on auto-generated lock files.
  3. Content Delivery Networks (CDNs):

    • Be cautious when using external CDNs for loading scripts or stylesheets. Verify the integrity of the CDN provider. A compromised CDN could impact your SPFx solution.
    • Consider hosting critical assets within your SharePoint environment or a trusted CDN.
  4. Office UI Fabric and Fabric React:

    • Leverage Office UI Fabric components and Fabric React controls. These are designed with security and accessibility in mind.
    • Avoid using custom CSS or JavaScript that might introduce security risks.
  5. Permissions and Authentication:

    • Follow the principle of least privilege. Assign only necessary permissions to SPFx components.
    • Use OAuth or other secure authentication methods when connecting to external services or APIs.
  6. Secure API Calls:

    • If your SPFx solution communicates with external APIs, validate input parameters and sanitize data to prevent injection attacks.
    • Use HTTPS for all API calls to ensure data confidentiality.
  7. Sensitive Data Handling:

    • Avoid hardcoding sensitive information (e.g., API keys, secrets) directly in your SPFx code. Use environment variables or secure configuration settings.
    • Encrypt any sensitive data stored within your solution.
  8. Code Reviews and Static Analysis:

  9. Deployment Practices:

    • Deploy SPFx solutions at the site collection level rather than globally. This limits their impact.
    • Test thoroughly in a non-production environment before deploying to production.
  10. Logging and Monitoring:

    • Implement logging to track potential security incidents.
    • Monitor logs for suspicious activity or unexpected behaviour.

Securing custom APIs used in SharePoint Framework (SPFx) solutions is essential to protect your data and maintain a trustworthy environment. Let’s explore some best practices for achieving this:

Use Azure Active Directory (Azure AD) Authentication:

AAD-Protect Your API: Ensure your custom API is protected by Azure AD. Register an application in Azure AD that represents your API.

OAuth Flow: Configure your API to support both Azure AD and your existing authentication method. SPFx components will use the OAuth implicit flow to authenticate.

Define Permissions in Your Solution Manifest:

In your SPFx solution, list the specific resources (API endpoints) that your solution needs access to. Specify the required permission scopes in your solution manifest.

When deploying the solution package to the app catalog, SharePoint will create permission requests based on your manifest.

Administrator Approval for Permissions:

SharePoint administrators (global or site-level) manage permissions. They can grant or deny specific permissions requested by your solution.

Permissions are granted at the tenant level, not to a specific application. When approved, they apply to all instances of your solution.

Leverage the AadHttpClient:

The AadHttpClient is part of the SharePoint Framework (introduced in v1.4.1). It simplifies connecting to APIs secured by Azure AD.

You don’t need to implement the OAuth flow manually; AadHttpClient handles it for you.

Secure Your Azure Function (or Custom API):

If your custom API is an Azure Function, enable authentication/authorization via Azure AD.

Verify that your Azure Function works when called from a browser.

Logging and Monitoring:

Implement logging within your custom API to track potential security incidents.

Monitor logs for suspicious activity or unexpected behavior.

Handling token expiration in SharePoint Framework (SPFx) solutions is crucial to ensure uninterrupted access to secured services. Let’s explore some strategies for managing token expiration:

OAuth Implicit Flow:
SPFx relies on the OAuth implicit flow to acquire access tokens. In this flow, tokens are obtained directly in the browser without using a client secret.
When a token expires, SPFx components automatically request a new one using silent single sign-on (SSO) via a hidden <iframe>. However, there are scenarios where this silent SSO might fail (e.g., due to browser settings or third-party cookie blocking).
AADTokenProvider:
The AADTokenProvider API in SPFx allows developers to obtain OAuth tokens from Azure AD. These tokens authenticate users to services like Microsoft Graph, Power BI, and more.
When silent SSO fails, SPFx can fall back to a full page redirect or a popup flow experience to prompt users for sign-in.
Popup Flow Experience:
To enable the popup experience, a tenant administrator must first activate the feature at the tenant level using the Set-SPOTenant command with the -IsEnableAppAuthPopupEnabled argument.
When SPFx components encounter token expiration, they trigger a popup window for user authentication instead of a full page redirect.
Your component can handle the AADTokenProvider.popupEvent to customize the popup flow. For example:


TypeScript

const configurableTokenProvider: AadTokenProvider = _AadTokenProviders.configurable as AadTokenProvider;
configurableTokenProvider.popupEvent.add(this, (args: IPopupEventArgs) => {
args.cancel(); // Cancel the default popup
args.showPopup(); // Initiate the custom popup flow
});

User Interaction Requirement:
Note that browsers often block popups unless initiated by a user action (e.g., button click). Ensure your component initiates the popup flow appropriately.

Certainly! Securing custom APIs used by SharePoint Framework (SPFx) components is essential to protect your data and ensure a trustworthy integration. Let’s dive into the details:

  1. Azure Active Directory (Azure AD) Integration:

    • Why Azure AD?: Azure AD provides robust authentication and authorization mechanisms. It’s the recommended way to secure APIs in SPFx.
    • OAuth Implicit Flow: SPFx components use the OAuth implicit flow to obtain access tokens. This flow is suitable for client-side applications (like SPFx) that can’t securely store secrets.
    • AadHttpClient: SPFx introduces the AadHttpClient, which simplifies connecting to APIs secured by Azure AD. You don’t need to manually implement the OAuth flow—it’s handled for you.
  2. Web API Permissions Overview:

    • Resource Access: Azure AD secures various resources, including Microsoft 365 services and custom line-of-business applications.
    • Access Tokens: To connect to these resources, applications (like SPFx components) need valid access tokens.
    • OAuth Authorization Flow: SPFx components obtain these tokens as part of the OAuth authorization flow.
  3. SPFx Integration with Azure AD:

    • MSGraphClient and AadHttpClient: In SPFx v1.4.1 and later, the framework includes the MSGraphClient and AadHttpClient.
      • MSGraphClient: Used for accessing Microsoft Graph resources.
      • AadHttpClient: Used for connecting to custom APIs secured by Azure AD.
    • Solution Manifest: Developers list required resources and permission scopes in the solution manifest.
    • Permission Requests: When deploying the solution, SharePoint generates permission requests.
    • Administrator Approval: Global or SharePoint administrators approve or deny requested permissions at the tenant level.
  4. Permissions Are Tenant-Wide:

    • Permissions granted apply to the entire tenant, not just the specific application requesting them.
    • When an administrator approves a permission, it’s added to the SharePoint Online Client Extensibility Azure AD application (provisioned by Microsoft in every Azure AD).
    • The SharePoint Framework uses this application during the OAuth flow to provide valid access tokens.
  5. Earlier Versions of SPFx:

    • If you’re using an SPFx version earlier than v1.4.1, you can still connect to Azure AD-secured resources.
    • In that case, directly use Microsoft identity platform authentication libraries to implement the OAuth implicit flow.
  6. Best Practices:

    • Always validate input parameters and sanitize data in your custom APIs.
    • Monitor logs for suspicious activity.
    • Keep your SPFx solution up-to-date to benefit from security enhancements.

Certainly! Securing SharePoint list data accessed by web parts is crucial to protect sensitive information and ensure proper access control. Let’s explore some best practices for achieving this:

  1. Row-Level Security in SharePoint Lists:

    • Option 1: Row-Level Security:
      • Just like we can maintain individual security for files in a document library, we can also maintain individual security for each row in a SharePoint list.
      • By default, all rows in a SharePoint Custom List inherit security from the site. However, you can break this inheritance and set unique permissions for specific rows.
      • This approach allows you to control who can view or edit specific list items based on their permissions.
    • Option 2: Folder-Level Security:
      • Yes, SharePoint lists can have folders! While I’m a fan of metadata-driven organization, folders can be useful in certain scenarios.
      • Organize rows (e.g., project records) into folders within the list.
      • Set security at the folder level rather than for each individual row.
      • This reduces maintenance overhead since you don’t need to set unique security for every row.
      • To display all entries without folders, use the same folder-less view trick as in document libraries:
        • Go to List Settings (click the gear icon > List settings).
        • Under Advanced settings, enable the “Make ‘New Folder’ command available?” option.
        • Create folders and set folder-level permissions.
        • Rows within a secure folder are invisible to unauthorized users.
  2. Web Part Security:

    • When using web parts to display list data, consider the following:
      • Authentication: Ensure that your SharePoint sites use SSL (secure sockets layer) for data transmission. This provides a secure channel.
      • Web Application Firewall (WAF): Consider using a WAF for additional protection against web-based attacks.
      • Validate Input: If you’re developing custom web parts, validate user input to prevent server attacks.
      • Least Privilege: Assign minimal necessary permissions to web parts and their associated accounts.
  3. Collaborative Effort:

    • Protecting web parts and their associated data is a collaborative effort.
    • Developers, site administrators, and server administrators should work together to improve security.
    • Regularly review permissions and access controls.

Certainly! Securing SharePoint document libraries is crucial to protect sensitive information and maintain data integrity. Whether you’re storing confidential files, intellectual property, or critical documents, here are some best practices to build a super secure document library in SharePoint:

  1. Implement the 10 Steps to Secure a Site:

    Before focusing on the document library, start with the site itself. Follow comprehensive security practices for the entire site. If you haven’t already, review my guide on how to secure a SharePoint site. These steps lay the foundation for a secure environment.
  2. Add Only Necessary Users and Groups:

    • Keep it lean! Only grant access to users and groups who genuinely need it. Avoid adding everyone by default.
    • Be cautious with domain groups like “Everyone” or “Everyone except external users.” They might inadvertently provide broader access than intended.
  3. Disable Sharing:

    • This step is crucial. By default, members (those with Contribute privileges) can freely share the entire site, files, and documents with anyone else in the organisation.
    • Disable sharing to maintain control. You don’t want sensitive content floating around without your knowledge.
  4. Disable Offline Sync:

    • If your content is confidential or represents intellectual property, prevent offline synchronisation of the document library to users’ computers.
    • Disabling sync ensures that even if a laptop is stolen, your content won’t end up in the wrong hands. Here’s how to disable sync.
  5. Prevent File Deletion:

    • Accidental deletions happen. To prevent data loss, consider disabling file deletions in your secure document library.
    • Users won’t be able to delete files, reducing the risk of accidental removal.
  6. Set Up Alerts:

    • Be proactive! Configure alerts to notify you when specific actions occur in the library.
    • For example, receive an alert when a file is modified, deleted, or shared. This way, you can promptly address any security incidents.

Certainly! When it comes to securing SharePoint document libraries and managing permissions, there are some common pitfalls to watch out for. Let’s explore these, along with best practices to avoid them:

  1. Inadequate User Permissions Settings:

    • Pitfall: Assigning overly permissive permissions at the individual file or folder level can lead to data exposure. It’s tempting to grant broad access, but it increases the risk of unauthorized users accessing sensitive content.
    • Best Practice: Apply security at the site level whenever possible. Set default groups (like site owners, members, and visitors) to simplify management. Regularly review permissions to ensure they align with current needs.
  2. Lack of Regular Audits and Reviews:

    • Pitfall: Failing to periodically review permissions can result in stale or unnecessary access. Roles and responsibilities change over time, and outdated permissions may linger.
    • Best Practice: Conduct regular audits to identify and remove unnecessary permissions. Ensure that only authorized users have access. Adjust permissions as needed based on organizational changes.
  3. Inconsistent or Lax Security Policies:

    • Pitfall: Not having clear security policies or enforcing them inconsistently can lead to confusion. Without guidelines, users may inadvertently share sensitive documents or misconfigure permissions.
    • Best Practice: Establish and communicate security policies. Educate users on best practices for sharing, access control, and data protection. Consistently enforce these policies across your SharePoint environment.
  4. Deep-Assigned Permissions:

    • Pitfall: Granting permissions too deep within a list or library—especially without proper reporting tools—can make management challenging. Fine-grained permissions create complexity.
    • Best PracticeGrant permissions at the highest possible level. Avoid excessive unique permissions. Use groups to simplify management. Reduce the number of fine-grained permissions.
  5. Data Loss During Local Sync:

    • Pitfall: Allowing users to sync document libraries to local computers without proper controls can lead to data loss. If a laptop is lost or stolen, sensitive content may be compromised.
    • Best Practice: Consider disabling offline sync for confidential content. Educate users about the risks and encourage them to access files directly from SharePoint.
  6. Overreliance on Admins:

    • Pitfall: Having too many administrators with full control can be risky. Admins may inadvertently make changes that impact security.
    • Best Practice: Limit the number of admins. Use role-based access control. Separate administrative tasks from day-to-day content management.
  7. Unclear File Storage Locations:

    • Pitfall: Users storing files in random locations can lead to security gaps. Without a clear structure, it’s harder to manage permissions effectively.
    • Best Practice: Define a logical structure for document libraries. Educate users on where to store files. Use folders or metadata to organize content.

Certainly! Managing permissions in SharePoint is crucial for maintaining security, controlling access, and ensuring efficient collaboration. Let’s explore some best practices to help you effectively manage permissions:

  1. Apply Security at the Site Level:

    • Set permissions at the site level whenever possible. This approach simplifies management and provides a clear overview of who has access to what.
    • Key steps:
      • Use default groups (like site owners, members, and visitors) for straightforward management.
      • Control sharing settings to prevent unauthorized access.
      • Regularly review permissions to keep them up to date.
  2. Use Built-In Security Groups:

    • Built-in security groups come with predefined roles that fit common scenarios:
      • Owners: Have full control over the site.
      • Members: Can add, edit, and delete content.
      • Visitors: Have read-only access.
    • These default groups maintain a consistent permission structure across your SharePoint environment.
  3. Regularly Review and Audit Permissions:

    • Over time, roles and responsibilities change. Regular audits help:
      • Identify and remove unnecessary permissions.
      • Ensure only authorized users have access.
    • Align permissions with current organizational needs.
  4. Grant the Least Permissions Possible:

    • Follow the principle of least privilege. Assign minimal necessary permissions to users.
    • Avoid overcomplicating the permission setup by granting excessive unique permissions.
  5. Manage Inheritance of Permissions:

    • Inherit permissions from parent objects (e.g., site or library) whenever feasible.
    • Avoid deep-assigned permissions at the item level unless absolutely necessary.
  6. Educate Users on Permissions Management:

    • Provide training on best practices for handling permissions.
    • Encourage users to follow security guidelines and avoid sharing sensitive content indiscriminately.