SharePoint Office Online Editing Service Mode Setup Guide
SharePoint Office Online Editing Service Mode Setup Guide
MyWorkDrive 6.1.1 Server or higher Required:
The SharePoint Office Online Editing Service Mode option works by temporarily copying the file to be edited using the Azure Graph API running as an AAD Application Service with permissions to a dedicated SharePoint Online site. A file lock is placed on the file on-premises, monitored for edits and coedits and finally, removed once editing is completed from the SharePoint Site. Unlike our OneDrive option the SharePoint Editing option centralizes temporary files to a single site instead of placing them on each user’s OneDrive folder and does not require any user permissions on the SharePoint site.
With the SharePoint Office Editing option customers will need to specify a SharePoint Site to store temporary documents and secure it with permissions to only the SharePoint Site Owners and the dedicated Azure AD Application. By locking it down to only SharePoint Site Owners and their own Azure AD App registration, administrators are ensuring the highest level of security.
The Application Service mode utilizes the new Azure Graph API Site.Selected application permission role. Microsoft graph now provides the option to grant granular permissions using the new Graph API Sites.Selected application permission for each AAD application Registration instead of granting permission for all the sites in the tenant. The Azure Graph API permission – Sites.Selected – does not provide access to any SharePoint site collections for the application unless the AAD application has been additionally assigned the permission roles: (read/write) by a SharePoint Admin. No user permissions or delegation will be needed on the SharePoint Online Site. The new Azure Graph API Site.Selected MyWorkDrive Azure AD Application service mode provides the following security benefits:
- No User Access to the SharePoint Site or temporary files
- Azure AD App Registration only granted rights to a dedicated site controlled by SharePoint Owners (no access to other SharePoint Sites, Files or Logins).
- Users edit online using a temporary organizationally locked down sharing link with no permissions to the SharePoint Online site.
- SharePoint Site Owners may restore temporary files or empty the recycle bin automatically using Power Automate.
Provide Site Name, Privacy Settings (Private – only members can access this site).
Specify Any Additional Owners:
Remove Permissions, Components and Views as needed:
Site Settings Quick Launch either Disable or Edit:
- Remove Notebook, Conversations, Pages, Site Contents
- Remove Features: /sites/MyWorkDriveEdit/_layouts/15/ManageFeatures.aspx
- Following Content
- SharePoint Recommendations
- Site Pages
- Workflow Task Content Type
- Site Libraries and Lists: /sites/MyWorkDriveEdit/_layouts/15/mcontent.aspx
Customize Documents: Advanced Settings: Open Documents in the Browser, Make New Folder Command available: No, Search: No, Offline Availability: No
Site Sharing Settings:
- Only site owners can share files, folders and the site
- Allow access requests: Off
Note the Site URL: This will be needed later during setup of the Azure AD App Registration and on the MyWorkDrive Server – e.g. https://company.sharepoint.com/sites/MyWorkDriveEdit
Step 2: Custom Azure AD App Registration
Each organization will need their Azure AD Global Admin to create an Azure AD App registration with only Microsoft Graph API Access to Sites.Selected.
Security Note: Note this application registration itself does not provide any SharePoint Site permissions – it’s only used in later steps to allow the SharePoint site Owners to grant it permissions to a specific SharePoint site.
Create a new Azure AD App Registration in the same Azure AD as your user’s Office 365 Subscription. This will be used to allow SharePoint Administrators to provide graph API application site permissions.
On portal.azure.com, login using Global Admin Account. Bring up Azure Active Directory: https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade
Click App Registrations: Create New Registration
Provide a Name, Selected Account Types and insert your public MyWorkDrive URL with subsite added of /OfOnShPo/Home/SignInRedirect
Instead of using your own Public Server Redirect URL you may use our Cloudflare assigned hostname under our MyWorkDrive.net domain. In this case Cloudflare must be permitted from the MyWorkDrive Server to Cloudflare. When Cloudflare is used, you will need to enter https://*.online.myworkdrive.net as an allowed host to your Customer Azure AD Application instead of using your own host name values.
Azure AD App Registrations do not allow entering in a wild card directly. To enter in a wildcard, insert a temporary address such as https://temp.online.myworkdrive.net/OfOnShPo/Home/SignInRedirect
To update the URL click Manifest to edit the Manifest and update the temporary URL to https://*.online.myworkdrive.net/OfOnShPo/Home/SignInRedirect.
Click API permissions, Add Graph API Application Permissions: Microsoft Graph – Sites.Selected
Create Client Secret: Certificates & Secrets: New client secret
Note and Calendar Secret Expiration Date as it will need to be regenerated at that time and updated on all MyWorkDrive Servers.
Click Authentication: Enable Access Tokens and ID tokens.
Copy the Client Secret Value (not the secret ID): Keep this backed up and secured as it will only display briefly.
Click Overview: Copy the Application (client) ID: Retain this value for use in the MyWorkDrive Admin Panel.
Copy the Directory (tenant) ID: Retain this value for use in the MyWorkDrive Admin Panel.
*Note the Client Secret Expiration – this will need to be renewed before it expires and updated on each MyWorkDrive Server in the future.
Update Branding on your custom Azure AD App Registration to verify app or add Company Logo as desired.
The SharePoint Online Site owner will need to grant write permissions to the Azure AD Application. There are multiple methods to grant SharePoint Site permissions to the Azure AD Application. The easiest is to use PnP PowerShell to grant the permission. To grant the permission the SharePoint Owner will need the Azure Application Registration App ID and site URL.
In addition to using PnP PowerShell we have made a SharePoint Web Part available which adds an app to a SharePoint site that can be used to grant permissions.
To run the PnP PowerShell cmdlets, you’ll need to perform to install PnP PowerShell and run the following commands (using your own SharePoint site URL):
- Download and install the PnP PowerShell Module by running:
- Connect to the SharePoint Online Admin Center of your tenant and login using an account with Owner Permissions on the SharePoint site:
Connect-PnPOnline -Url https://wanpathdev.sharepoint.com/site/MyWorkDriveEdit -Interactive
- Grant the Azure AD Application Write Permissions to the site:
Grant-PnPAzureADAppSitePermission -AppId ‘xxxxxxx-xxxxxxx-xxxx-xxxx-xxxxxxxx’ -DisplayName ‘mwd-service’ -Site ‘https://wanpathdev.sharepoint.com/sites/MyWorkDriveEdit’ -Permissions Write
Step 4: MyWorkDrive Server Configuration
Paste the values of the Azure AD Application ID, Secret, Single Tenant Domain ID, Your Server URL and finally your SharePoint Site URL:
Office Online Editing using SharePoint site should now be ready for testing using your Custom Azure AD App Registration.
File Locking & Monitoring Process
When files are opened using the SharePoint Editing option, they are locked on the MyWorkDrive Server and set to allow co-editing. If other users wish, they may co-edit the file in Office Online through the browser. Traditional Mapped Drive or Local office users will receive a file locked message while the user has the file open for edit in Office Online SharePoint Edit.
MyWorkDrive server will monitor files for changes every 1 minute. If changes are found they will be copied the Windows File Share. If no changes are found, MyWorkDrive will attempt to determine if the user has completed editing. If user closes the browser tab the file will be removed from SharePoint immediately after copying changes back to the Windows File Share through MyWorkDrive. If communication is lost MyWorkDrive will attempt to remove the file until it is unlocked on SharePoint.
MyWorkDrive will attempt to close the user’s browser tab if no changes are made to the document that exceed the overall idle timeout setting.
Session Timeout Settings
To prevent users from keeping idle files open for coedit, customers may wish to set idle timeout settings https://docs.microsoft.com/en-us/sharepoint/sign-out-inactive-users.
- The policy is applicable to entire tenant and cannot be scoped to user/users or SharePoint sites.
- It will not sign out users who are on managed devices or select Keep Me Signed In during sign-in (It will not sign out users who are on managed devices or select Keep Me Signed In during sign-in).
Conditional access policies may also be used https://docs.microsoft.com/en-us/azure/active-directory/active-directory-conditional-access-technical-reference#cloud-apps-assignments.