About this guide
This guide provides information about installing and configuring the product on Microsoft 365 and Microsoft Azure.
The solution is targeted for SharePoint Online.
The setup differs from SharePoint 2013/2016/2019/SE on-premises, as we are using Azure Services (PaaS), Azure Enterprise EA or CSP Subscription and SharePoint Online in a low-trust provider model.
Document version
Owner | Date | Comments | Version |
Peter Jensboel - PS | 2020-12-04 | Release | 1.1.0 |
Peter Jensboel - PS | 2021-01-19 | Reach integration in Noticeboard | 1.2.0 |
Peter Jensboel - PS | 2021-03-19 | Added "ACS Combo Authentication" | 1.2.1 |
Peter Jensboel - PS | 2021-08-25 | Changes to AAD permissions in release 6.55 | 1.2.2 |
Peter Jensboel - PS | 2023-05-25 | Migrated to LiveTiles Knowledge Base | 1.3.0 |
Peter Jensboel - PS | 2023-05-30 | Changes to "Using Search User" | 1.3.1 |
Intended audience
This guide is intended for anyone who needs to install, configure, upgrade, or perform maintenance in SharePoint Online and Microsoft Azure Active Directory.
This audience is most likely Microsoft 365 administrators and people who possess deeper knowledge combined with certifications in Microsoft 365.
Document feedback
LiveTiles welcomes your suggestions for improving our documentation and if you have comments, please send your feedback to support@livetilesglobal.com.
Online and telephone support
To submit technical support requests online, use our knowledge portal https://support.livetilesglobal.com/hc/en-us or the support request form https://support.livetilesglobal.com/hc/en-us/requests/new.
Support offerings
To find out how LiveTiles support offerings can help meet your business needs, go to https://livetilesglobal.com/products/livetiles-intranet/.
LiveTiles Intranet Enterprise Installation and Deployment
The following describes in detail the process of installing and configuring LiveTiles Enterprise Intranet for Modern Experiences using the manual installation method.
LiveTiles Intranet Enterprise is provided as SaaS in Azure and configured as “block services”.
LiveTiles Intranet Enterprise for Microsoft 365 uses the SharePoint Add-in model (previously named the app model).
When using the Add-in model, the LiveTiles Intranet Enterprise application has a minimal footprint on the SharePoint Online tenant. Application code is executed outside the SharePoint platform.
Azure infrastructure
LiveTiles Intranet Enterprise services are provisioned as services in Azure in a dedicated resource group and dedicated subscription.
Illustration: Azure resources provisioned as SaaS services. Key Vault and Redis Cache are optional and not required when hosted by LiveTiles.
Depending on the number of users accessing the solution, services can be provisioned using either web app memory cache (1 node) or Redis cache (2+ nodes). LiveTiles performs full maintenance, monitoring and patching of the services.
Illustration: Realtime monitoring on hosted services providing alert functions
Access requirements
If the customer is planning to install LiveTiles Intranet Enterprise on their own Azure subscription and Microsoft 365 tenant, the following rights are needed to set up the services in Azure and prepare Microsoft 365 for LiveTiles Intranet Enterprise:
- Microsoft 365 administrative rights are needed for:
- Create SharePoint Online app
- Create Service Accounts
- Setup Taxonomy store
- Configure Microsoft Teams integration (as needed)
- Microsoft Azure administrative rights are needed for:
- Create Microsoft 365 Azure Active Directory (AAD) app
- Grant consent to AAD app
If the installation is a guided installation together with a partner or LiveTiles Professional Services, the following administrative permissions are required by the partner or LiveTiles to keep administrative permissions as low as possible.
- SharePoint Online Site Collection administrator access required for:
- <Intranet> site collection to create SPO app (Client ID and Secret)
- Microsoft 365 Azure Active Directory administrative permission (not Global Admin)
- Create AAD app (Azure AD app ID and Key)
- Create Search and Graph service accounts
Highlight installation values
In this guide we have marked sections and text that need installation-specific values entered according to the setup.
The sections are marked with highlighted text in “<>”, like this example <SharePointURL>, and need to be changed to match the current configuration.
Please note: You can choose not to use Azure Cache for Redis and change caching to memory caching. Memory cache has slightly better performance, but the web app then cannot be scaled out to two or more nodes.
There are steps in the installation where you must share values and settings with LiveTiles and this has been highlighted with a “share” sign in this document like this:
If values and settings cannot be shared through regular channels, we recommend using OneTimeSecret (https://onetimesecret.com) or a similar solution.
Prerequisites and Requirements
This section describes access requirements and prerequisites for installing LiveTiles Intranet Enterprise for Modern Experiences.
Prerequisites
The following access requirements are needed to install LiveTiles Intranet Enterprise and provision Azure services and configuration:
- Access to the LiveTiles Enterprise binaries: LiveTiles Enterprise versions (SPO) – Knowledge Base (livetilesglobal.com)
- Please note that binaries used for classic and modern EX are the same package.
- Microsoft 365 administration access
- User for creating site collections, app catalog and configuring SPO must have administrative access in SharePoint Online and Microsoft 365 Azure AD
- Azure PowerShell cmdlets
Used for creating the Microsoft 365 Azure Active Directory app registration.
- If the Azure command-line tools are not installed on the client computer, please install them before starting provisioning.
Please note: The client running the cmdlets must be at least Windows 10.
- Open PowerShell with elevated rights on the client computer
- Type the following commands to install the Azure PowerShell cmdlets:
Install-Module AzureRM -AllowClobber -Force
Install-Module Azure -Force
Install-Module AzureAD -Force
Please note: If you have a version of NuGet older than 2.8.5.201, you are prompted to download and install the latest version of NuGet.
- When done, close PowerShell
- SharePoint Online PowerShell
Used for creating new SPO app to be uploaded to the global app catalog.
- If the SharePoint Online Management Shell is not installed on the client computer, please use this link to download the cmdlets: https://www.microsoft.com/en-us/download/details.aspx?id=35588
- SharePoint Online Client Components SDK
Used for enabling global term sets in SPO.
- To be able to add global term sets when using LiveTiles Intranet Enterprise for Modern Experiences, the following client components SDK must be installed on the client computer
https://www.microsoft.com/en-us/download/details.aspx?id=42038
- Microsoft Web Deployment Tools
Used for manual deployment of LiveTiles Intranet Enterprise installation binaries.
- You must have Web Deployment Tools installed on the client computer
https://www.microsoft.com/en-us/download/details.aspx?id=43717
SharePoint Online default regional settings
By default, all SharePoint sites created in SharePoint Online are set to United States time zone and locale.
You can now set the default time zone for all new sites via the SharePoint Admin Center.
If the default time zone set in SharePoint Online does not match the time zone in Noticeboard, you will see the following:
To change the default time zone settings, do the following:
- Log in to SharePoint admin center https://<customer-subscription>-admin.sharepoint.com using the tenant admin account
- Select Settings > Site creation and select the right time zone and click Save
ACS combo authentication
Microsoft is gradually retiring Azure Access Control Service (ACS) and the use of Client ID and Client Secret when adding SharePoint apps to SharePoint Online.
If your tenant was created after August 2020, the use of ACS and the Client ID/Client Secret combination for authenticating against Microsoft 365 is most likely soft-disabled.
After September 2020 Microsoft added a new tenant-level property called DisableCustomAppAuthentication to SharePoint Online. This release is available as a NuGet package from version 16.1.20412.12000.
Fix “401 Unauthorized” approving app
The following section lists the steps to take to fix the “401 Unauthorized” error when using app authentication on a SharePoint tenant that was provisioned after August 2020.
Set the property DisableCustomAppAuthentication to false:
You can enable custom app authentication by disabling the tenant property DisableCustomAppAuthentication.
You will need at least SharePoint Online administrator permissions to apply this property.
Connect-SPOService -Url https://<tenant>-admin.sharepoint.com
Set-SPOTenant -DisableCustomAppAuthentication $false
After that the app can be approved as described here in the documentation.
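The check below is an added example, not a script from the LiveTiles guide. It reads the tenant property with Get-SPOTenant before and after the change so you can confirm that custom app authentication is actually enabled (property value False) before approving the app; it assumes the SharePoint Online Management Shell is installed and that <tenant> is replaced with the real tenant name.

```powershell
# Added example (not from the LiveTiles guide): verify and, only if needed,
# re-enable custom (Client ID + Client Secret) app authentication on the tenant.
param(
    [Parameter(Mandatory = $true)][string]$Tenant   # e.g. contoso for contoso-admin.sharepoint.com
)

Connect-SPOService -Url "https://$Tenant-admin.sharepoint.com"

$before = (Get-SPOTenant).DisableCustomAppAuthentication
Write-Host "DisableCustomAppAuthentication before: $before"

if ($before -eq $true) {
    # True blocks Client ID/Secret authentication (the cause of the 401);
    # False re-enables it, as required before the app can be approved.
    Set-SPOTenant -DisableCustomAppAuthentication $false

    $after = (Get-SPOTenant).DisableCustomAppAuthentication
    Write-Host "DisableCustomAppAuthentication after:  $after"
    if ($after -ne $false) { throw "Tenant property DisableCustomAppAuthentication was not updated" }
}
else {
    Write-Host "Custom app authentication is already enabled; nothing to change."
}
```

Run the script once with the tenant name and keep the console output with the installation documentation; the before/after values show whether the tenant had the soft-disable applied at all, which is useful when the 401 turns out to have another cause.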
LiveTiles Intranet Enterprise URL whitelisting
If an organization has implemented URL restrictions on their firewall for clients accessing the Internet, the following section lists the URLs that need to be whitelisted on the firewall/proxy server.
Please note: We only document the URLs needed for LiveTiles Intranet Enterprise to function on SharePoint Online.
For more information on using the location condition in a Conditional Access policy, please see the article https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/location-condition
CDN token authentication and LiveTiles Intranet Enterprise app
The following flowchart describes how Azure CDN validates a client request when token authentication is configured on CDN endpoint.
Client access browser type
Using an older browser can degrade performance for clients accessing the LiveTiles Intranet Enterprise application, and we recommend a browser with a faster engine and support for HTTP/2. The built-in Internet Explorer browser in Windows does not support HTTP/2 and has a much slower JavaScript engine compared to Chrome, Safari and Firefox. If possible, avoid Internet Explorer and use a browser that supports HTTP/2.
The illustration below shows the difference between Chrome (light blue) and Internet Explorer (brown) in rendering/download time on the client.
We do not recommend using Internet Explorer, and the browser is no longer supported by Microsoft.
https://docs.microsoft.com/en-us/lifecycle/faq/internet-explorer-microsoft-edge
User profile pictures
One of the main sources of confusion regarding user profile pictures in Microsoft 365 is where they come from. By default, Exchange Online is the main source for profile pictures and gets them from the AD attribute thumbnailPhoto when Azure AD Sync is used.
The sequence is as follows:
- The user browses to SharePoint Online home page or OneDrive for Business
- During a page load operation in SharePoint Online, a request is made for the photo. This generates a call to Exchange Online for the user’s profile picture
- If the user has an Exchange Online mailbox, and the mailbox contains a profile picture for the user, SharePoint Online will request the picture from Exchange Online
- SharePoint Online creates a small, medium, and large thumbnail photo from the picture that was returned from Exchange Online. The photos are saved in a folder in the User Photo Library for the MySite Host site collection.
- The Picture Timestamp, Picture Placeholder State and Picture Exchange Sync State profile properties for the user are set or updated to reflect the profile picture synchronization state.
Link to Set-UserPhoto PowerShell command https://docs.microsoft.com/en-us/powershell/module/exchange/mailboxes/set-userphoto?view=exchange-ps.
The following table lists Experience and source to make things easier to understand.
Experience | Source |
Outlook Online | Uses Exchange Online image |
Delve User Profile | Uses Exchange Online image or Active Directory thumbnailPhoto |
Microsoft Teams (legacy Skype for Business) | Uses Exchange Online image or Active Directory thumbnailPhoto |
SharePoint Online | Synchronize from Exchange Online |
Outlook/Word/Excel/PowerPoint native apps | Uses Exchange Online image or Active Directory thumbnailPhoto |
Installing LiveTiles Enterprise Intranet
Create search user
- Log in to https://portal.office.com/Admin with <Tenant Admin> account
- Go to Users > Active Users
- Create a new account needed for search configuration – user account with standard role and no licenses - share account username and password with LiveTiles
- Set the password to never expire using Azure PowerShell (MSOnline module)
Install-Module MSOnline
Connect-MsolService
Set-MsolUser -UserPrincipalName <livetiles_search_service_acc>@<customer-subscription>.onmicrosoft.com -PasswordNeverExpires $true
- Give the search user READ permission to the site collection where LiveTiles Intranet Enterprise is provisioned
- Add the search account with OWNER permission to the classic data site collection
- Document SearchUsername and SearchPassword
Password restrictions
Special characters in the password that can act as injection characters cannot be used directly. When saving strings to XML, invalid characters must be escaped. The following table shows the invalid XML characters and their escaped equivalents.
Invalid XML Character | Replaced with |
< | &lt; |
> | &gt; |
" | &quot; |
' | &apos; |
& | &amp; |
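The function below is an added example (not part of the LiveTiles guide) showing how the escaping in the table is applied in practice: it escapes a password with the .NET SecurityElement.Escape method, which replaces exactly the five characters listed, and then proves the value survives a round trip through an XML parser. The sample password is constructed for the example.

```powershell
# Added example (not from the LiveTiles guide): escape a password for safe
# storage in an XML configuration value and verify it decodes back unchanged.
function ConvertTo-XmlSafeString {
    param([Parameter(Mandatory = $true)][string]$Value)
    # Replaces < > & " ' with &lt; &gt; &amp; &quot; &apos; and leaves all other characters alone.
    return [System.Security.SecurityElement]::Escape($Value)
}

function Test-XmlRoundTrip {
    param([Parameter(Mandatory = $true)][string]$Value)
    $escaped = ConvertTo-XmlSafeString -Value $Value
    # Embed the escaped value in a minimal document; the XML reader decodes the entities again.
    [xml]$doc = "<config><SearchPassword>$escaped</SearchPassword></config>"
    return ($doc.config.SearchPassword -eq $Value)
}

# Constructed sample password containing every character from the table
# (single-quoted string, so '' is one literal apostrophe).
$sample  = 'P<a>s"s''w&ord'
$escaped = ConvertTo-XmlSafeString -Value $sample

Write-Host "Raw:         $sample"
Write-Host "Escaped:     $escaped"
Write-Host "Round-trips: $(Test-XmlRoundTrip -Value $sample)"
```

Use ConvertTo-XmlSafeString on the SearchPassword and GraphPassword values before writing them to any XML-based configuration; if Test-XmlRoundTrip returns False for a password, the unescaped value contains something the XML parser cannot take and the password should be changed rather than stored as-is.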
Create graph user
- Log in to https://portal.office.com/Admin with <Tenant Admin> account
- Go to Users > Active Users
- Create a new account needed for graph configuration – user account with standard role and assigned licenses - share account username and password with LiveTiles
- Set the password to never expire using Azure PowerShell (MSOnline module)
Install-Module MSOnline
Connect-MsolService
Set-MsolUser -UserPrincipalName <livetiles_graph_service_acc>@<customer-subscription>.onmicrosoft.com -PasswordNeverExpires $true
- Give the graph user EDITOR access to the site collection where LiveTiles Intranet Enterprise is provisioned
- Document GraphUsername and GraphPassword
The following permissions are required when using Teams. It is important to know that with these permissions a group named like the Team site is created in Azure Active Directory, but the account is not allowed to create users and groups. When the group has been created, LiveTiles Intranet Enterprise permanently removes the Search account's access to that group.
Permissions type | Permissions (from least to most privileged) |
Delegated (work or school account) | Group.ReadWrite.All |
Delegated (personal Microsoft account) | Not supported |
Represents an Azure Active Directory (Azure AD) group, which can be a Microsoft 365 group, a team in Microsoft Teams, a dynamic group, or a security group.
License requirements
The graph user must have at least an E1 license and be assigned the Teams service admin role.
Enable LiveTiles Intranet Enterprise for Modern Experience
The following section will describe how to install LiveTiles Intranet Enterprise using modern experience.
Please note: LiveTiles Enterprise Intranet for modern experience must be configured when using one of the following offerings:
- LiveTiles Intranet Enterprise
- LiveTiles Everywhere
Create site collections
LiveTiles Intranet Enterprise requires a modern site collection and can be provisioned on the root site collection or hosted in a managed path, e.g. /sites/intranet.
Another modern site collection is also required and acts as a datastore. This site collection is not accessed by users but is used for replicating Noticeboard news items from the database in Azure to SharePoint Online. When these news items have been replicated to SharePoint Online, they are indexed and become available in the search index. This feature is used in the Noticeboard search.
Intranet site collection
- Log in to SharePoint admin center https://<customer-subscription>-admin.sharepoint.com using the tenant admin account
- Go to Sites > Active sites and click
- In Type, select Communication site and fill out the details
- Click Finish to create the new modern site collection
- Next open the new site clicking on the URL
- Open the Settings menu and click on Site permissions and select Advanced permission settings
- Click on Grant Permissions and add the <Search> account created previously
- In the Permission level, select <Intranet> Visitors [Read]
- Click Share to add the permission
- Once again, click on Grant Permissions and add the <Graph> account created previously
- In the Permission level, select <Intranet> Members [Edit]
- Click Share to add the permission
Datastore site collection
- Log in to SharePoint admin center https://<customer-subscription>-admin.sharepoint.com using the tenant admin account
- Go to Sites > Active sites and click
- In Type, select Communication site and fill out the details
- Click Finish to create the new modern site collection
- Next open the new site clicking on the URL
- Open the Settings menu and click on Site permissions and select Advanced permission settings
- Click on Grant Permissions and add the <Search> account created previously
- In the Permission level, select <Datastore> Owners [Full control]
- Click Share to add the permission
Setup AD application Registrations
Requirements for creating app
Creating a new Azure AD app requires the Azure Active Directory PowerShell module for Graph (AzureAD).
For more information and explanation of permissions configured, please see the following KB article
Create new AD app registration (up to version 6.55)
The following section describes how to create a new Azure AD app registration and is mandatory up to version 6.55 only.
The Azure AD app registration in https://aad.portal.azure.com will be done using script.
Please note: The script adds the permissions listed in the table, but the permissions are not active until admin consent is granted.
Executing the script requires global administrator privileges.
See appendix for explanation of permissions required.
Azure Active Directory Graph
Application Permissions | Delegated Permissions |
Directory.Read.All | Directory.AccessAsUser.All |
Group.Read.All | |
Group.ReadWrite.All | |
User.Read | |
Microsoft Graph
Application Permissions | Delegated Permissions |
Directory.ReadWrite.All | |
Group.ReadWrite.All | Group.ReadWrite.All |
Sites.Read.All | Sites.Read.All |
Sites.FullControl.All | |
- Open PowerShell and run the following command to create new directory:
PS C:\> cd \
PS C:\> mkdir LiveTiles
- Download the script and save the file in C:\LiveTiles https://livetilesrepository.blob.core.windows.net/livetilesintranetcloud/installationfiles/CreateWizdomADApplication.zip
- Unpack the file and run this command:
PS C:\> dir C:\LiveTiles\*CreateWizdomADApplication* | Unblock-File
- Run script .\createwzadapp.ps1
- Log on with the GA Microsoft 365 account
- Type the name of the new AAD App, e.g. LiveTilesADApp
- Type the web app URL, e.g., https://livetiles.azurewebsites.net
Please note: You will be provided with the Azure Web App URL from LiveTiles in order to execute this script.
- Type the site collection URL used for LiveTiles Intranet Enterprise for Modern Experiences https://<customer-subscription>.sharepoint.com/sites/<intranet>
- When script is finished, copy the AzureADClientID and AzureADKey and share these values with LiveTiles
- Using the global administrator account, log on to https://aad.portal.azure.com
- Click Azure Active Directory > App registrations > Select All apps in dropdown
- Select the App registration created above e.g. LiveTilesADApp > Click API permissions
- Click + Add a permission and select Microsoft Graph
- In Microsoft Graph, select Delegated permissions
- Select Group.ReadWrite.All
- Click Add permissions
- Finally, click Grant admin consent for <organization> > click yes
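Before granting admin consent it is worth checking what the app registration actually requests, because consent applies to everything configured on it, not only to the rows in the table. The script below is an added example (not the LiveTiles CreateWizdomADApplication script) that resolves the permission GUIDs on the app registration to their names with the AzureAD module and compares the Microsoft Graph set against the permissions listed in the table above; the app display name LiveTilesADApp is the example name from the wizard and the resource application IDs for Microsoft Graph and Azure AD Graph are Microsoft's well-known values.

```powershell
# Added example (not from the LiveTiles guide): list the API permissions on the
# app registration and compare the Microsoft Graph ones with this guide's table.
param([string]$AppDisplayName = 'LiveTilesADApp')   # name typed into the wizard

Connect-AzureAD | Out-Null

# Well-known resource application IDs.
$resourceNames = @{
    '00000003-0000-0000-c000-000000000000' = 'Microsoft Graph'
    '00000002-0000-0000-c000-000000000000' = 'Azure Active Directory Graph'
}

# Microsoft Graph permissions expected by the guide: Role = application, Scope = delegated.
$expected = @(
    'Microsoft Graph/Role/Directory.ReadWrite.All',
    'Microsoft Graph/Role/Group.ReadWrite.All',
    'Microsoft Graph/Role/Sites.Read.All',
    'Microsoft Graph/Role/Sites.FullControl.All',
    'Microsoft Graph/Scope/Group.ReadWrite.All',
    'Microsoft Graph/Scope/Sites.Read.All'
)

$app = Get-AzureADApplication -Filter "displayName eq '$AppDisplayName'"
if (-not $app) { throw "App registration '$AppDisplayName' not found" }

$configured = foreach ($req in $app.RequiredResourceAccess) {
    # The service principal of the resource carries the id -> name mapping.
    $sp = Get-AzureADServicePrincipal -Filter "appId eq '$($req.ResourceAppId)'"
    $resource = $resourceNames[$req.ResourceAppId]
    if (-not $resource) { $resource = $sp.DisplayName }
    foreach ($access in $req.ResourceAccess) {
        $value = if ($access.Type -eq 'Role') {
            ($sp.AppRoles | Where-Object Id -eq $access.Id).Value
        } else {
            ($sp.Oauth2Permissions | Where-Object Id -eq $access.Id).Value
        }
        "$resource/$($access.Type)/$value"
    }
}

$configured | Sort-Object | ForEach-Object { Write-Host "configured: $_" }

$missing = $expected   | Where-Object { $_ -notin $configured }
$extra   = $configured | Where-Object { ($_ -like 'Microsoft Graph/*') -and ($_ -notin $expected) }
$missing | ForEach-Object { Write-Warning "missing from registration: $_" }
$extra   | ForEach-Object { Write-Warning "not listed in the guide, review before consenting: $_" }
```

The script only reads the registration; granting consent remains the manual step in the portal. Anything reported as "not listed in the guide" should be explained before consent is given, since application permissions such as Directory.ReadWrite.All apply tenant-wide without any signed-in user.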
Create new AD app registration (>v6.55)
The following section describes how to create a new Azure AD app registration and is mandatory from version 6.56 onwards.
Using Search User
If you have a business need for enabling the search user account in the solution, the following needs to be configured in the AD app permissions.
This ensures the revision timer job will not fail when the search account has been enabled:
Microsoft Graph | Application Permissions | Delegated Permissions |
Sites.FullControl.All | |
Add support for Yammer integration
The following section describes how to enable support for Yammer integration in LiveTiles Intranet Enterprise.
Please note: Only configure these settings if you are planning to have Yammer integration in LiveTiles Enterprise Intranet.
Add Azure AD permissions
- Log in to https://aad.portal.azure.com with M365 Admin account
- Click on Azure Active Directory and select App registrations
- Select New registration
- In Register an application, type a name for the new Azure AD application, e.g., LiveTilesADApp
- In Supported account types, select the first option Accounts in this organization directory only (<tenant> - Single tenant)
- Next, in Redirect URI (optional), add the SPO tenant site URL, e.g., https://company.sharepoint.com/ (with a “/” at the end)
- Click on Register to create the new Azure AD app. This will bring you to the overview page when completed
- Click on Authentication in the Manage section and add the URL where LiveTiles Enterprise will be provisioned, e.g., https://company.sharepoint.com/sites/modern
- In the Implicit grant and hybrid flows, select ID tokens (used for implicit and hybrid flows)
- Click on Save to save the changes
- Click Certificates & secrets in the Manage section
- Click New client secret, add a description and in Expires select an expiration of 24 months from the drop-down – click Add to save
- The new client secret is now listed; copy it immediately, as it is only shown once
Please note: Take note of the client secret and save it. This value must be added to the web app configuration settings.
- From the Manage section, click on API permissions and then Add a permission
- In Request API permissions, select Microsoft Graph and select Application permissions as the type
- Select Group.Read.All (Application) and click Add permissions
- Remove the built-in permission User.Read (Delegated)
- Activate the permissions by clicking Grant admin consent for <organization> > click Yes
Verify the Azure AD API permission sets needed. Please make sure that you had given the elevated app privileges while installing via SharePoint. Below are the permissions required by the Azure AD application.
- Directory.Read.All - Application Type
- Group.ReadWrite.All (If you don't use the Workspaces module, this permission is not required) - Application Type
- Yammer:user_impersonation (If you don't use the Yammer module, this permission is not required)
You can find more about the Azure AD API Permission here.
Register new app
Next step is to register a new SharePoint Online app needed for LiveTiles Intranet Enterprise to be able to communicate with the Azure backend services.
Do the following to register the new app on the root site collection or in a managed path in SharePoint Online:
- Log on to site
- https://<customer-subscription>.sharepoint.com/sites/<livetilesSite> with <Site Collection admin> account or
- https://<customer-subscription>.sharepoint.com/ with <Site Collection admin> account
- Register app settings
- Go to site
- https://<customer-subscription>.sharepoint.com/sites/<livetiles-site>/_layouts/15/appregnew.aspx or
- https://<customer-subscription>.sharepoint.com/_layouts/15/appregnew.aspx
- Client ID = Generate
- Client Secret = Generate
- Title = LiveTilesApp (do not use spaces or special characters)
- App Domain = <livetileswebapp>.azurewebsites.net
- Redirect URL = https://<livetileswebapp>.azurewebsites.net
- Click on Create to create the App
- Save ClientID and ClientSecret and share these values with LiveTiles
- Go to site
Please note: You will be provided with the Azure web app URL from LiveTiles to be able to run the script.
Extend client secret to 3 years
By default, when you register a new app in SharePoint Online, the client secret is valid for 12 months. To extend the period to 3 years, please follow these steps:
Prerequisites for accomplishing this task
- Microsoft Online Services Sign-In Assistant for IT Professionals
https://www.microsoft.com/en-us/download/details.aspx?id=41950
- SharePoint Online Management Shell
https://www.microsoft.com/en-us/download/details.aspx?id=35588
- Tenant administrator user for Microsoft 365
- Script to generate new client secret
Download newclientsecret.zip https://livetilesrepository.blob.core.windows.net/livetilesintranetcloud/installationfiles/newclientsecret.zip
3.6.2 Procedure for generating new client secret
To generate and extend the current client secret from 1 year to 3 years, do the following:
- Log in to https://portal.azure.com with the <Azure Admin> account
- Select Resource Groups, and click resource group = <LiveTilesRsg>
- Click the web app service = <LiveTilesWebApp>
- Select Application Settings
- Copy existing ClientID and save it in Notepad for later use
- Open SharePoint Online Management Shell with elevated rights
- Run the following cmdlet Connect-MsolService and sign in as Microsoft 365 tenant administrator
- Change directory to the downloaded script newclientsecret.ps1 and run the script
- At the prompt for client id : enter the current ClientID as documented in step 5
- The new client secret will appear in the Windows PowerShell console - share these values with LiveTiles
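The script below is an added example and not the newclientsecret.ps1 script from LiveTiles. It uses the MSOnline cmdlets that Microsoft documents for replacing an expiring SharePoint add-in secret: it first lists the credentials on the app principal with their expiry dates (without returning the secret values), and only when run with -AddNewSecret registers a new 3-year secret. $ClientId is the Client ID copied from the web app application settings in step 5; the 90-day warning threshold is an assumption for the example.

```powershell
# Added example (not from the LiveTiles guide): audit the SharePoint Online app
# principal's credentials and optionally add a new 3-year client secret.
param(
    [Parameter(Mandatory = $true)][string]$ClientId,   # ClientID from the web app settings
    [switch]$AddNewSecret
)

Connect-MsolService

function Get-AppSecretStatus {
    param([Parameter(Mandatory = $true)][string]$AppPrincipalId)
    # -ReturnKeyValues $false lists metadata only; secret values are never returned.
    Get-MsolServicePrincipalCredential -AppPrincipalId $AppPrincipalId -ReturnKeyValues $false |
        ForEach-Object {
            [pscustomobject]@{
                KeyId    = $_.KeyId
                Usage    = $_.Usage
                EndDate  = $_.EndDate
                DaysLeft = [int]($_.EndDate - (Get-Date)).TotalDays
                Expiring = ($_.EndDate -lt (Get-Date).AddDays(90))   # assumed warning window
            }
        }
}

Get-AppSecretStatus -AppPrincipalId $ClientId | Format-Table -AutoSize

if ($AddNewSecret) {
    # 32 random bytes, base64-encoded, is the secret format SharePoint add-ins use.
    $bytes = New-Object byte[] 32
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    $newSecret = [System.Convert]::ToBase64String($bytes)

    $start = Get-Date
    $end   = $start.AddYears(3)
    # The same value is registered for signing and for verification, valid for 3 years.
    New-MsolServicePrincipalCredential -AppPrincipalId $ClientId -Type Symmetric -Usage Sign   -Value $newSecret -StartDate $start -EndDate $end
    New-MsolServicePrincipalCredential -AppPrincipalId $ClientId -Type Symmetric -Usage Verify -Value $newSecret -StartDate $start -EndDate $end

    Write-Host "New client secret registered (expires $end). Share it with LiveTiles through a one-time secret link."
    Write-Host $newSecret
}
```

Run it without -AddNewSecret first to see the current expiry dates; after a new secret is registered, the ClientSecret value in the web app configuration must be updated to match, and the old credential can be removed once the web app has been restarted with the new value.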
3.7 Create app-package
SharePoint Online must be able to communicate with the Azure web site and obtain access tokens; the next step is to create an app package for that purpose.
- Download the Generate app-package.zip script from https://livetilesrepository.blob.core.windows.net/livetilesintranetcloud/installationfiles/GenerateAppPackage.zip and save the file in C:\LiveTiles
- Unpack the file and run this command:
PS C:\> dir C:\LiveTiles\*GenerateAppPackage* | Unblock-File
- Fill in with ClientID and APPURL (Remember https:// in front of the URL)
- AppUrl must be without the “/” at the end
- Client ID is the client ID you created earlier when you created the app request in section 3.5
- New product ID is required and can easily be generated in PowerShell by running this command:
# PowerShell version 5.0 or newer
PS Z:\> New-Guid
Guid
----
c6c39e03-1c25-4b9e-a428-6ad9e890a1c5
- Below is an example of how the command will look like in PowerShell
new-guid
Guid
----
70e2c3a0-c68f-42cf-a5f3-112dc3a6540f
.\generateAppPackage.ps1 -clientid 79fbfd0b-524d-4a5a-b2c0-1c32f8e3d706 -appurl https://livetileswebapp.azurewebsites.net -outfile "LiveTilesWebApp.app" -title "LiveTilesWebApp" -name "LiveTilesWebApp" -productid 70e2c3a0-c68f-42cf-a5f3-112dc3a6540f
Elevate app privileges global app catalog
Use the following guidelines to approve the app request for the global app catalog.
Approval must be done on the SPO admin site https://<tenant>-admin.sharepoint.com.
- Log on to the SPO admin site https://<customer-subscription>-admin.sharepoint.com/_layouts/15/appinv.aspx with the <SPO admin> account
- Type in the ClientID from the LiveTiles Intranet Enterprise app and click on Lookup
- In the Permission Request XML box add the following:
<AppPermissionRequests AllowAppOnlyPolicy="true" >
  <AppPermissionRequest Scope="http://sharepoint/content/sitecollection" Right="FullControl" />
  <AppPermissionRequest Scope="http://sharepoint/social/tenant" Right="FullControl" />
  <AppPermissionRequest Scope="http://sharepoint/search" Right="QueryAsUserIgnoreAppPrincipal" />
  <AppPermissionRequest Scope="http://sharepoint/content/tenant" Right="FullControl" />
  <AppPermissionRequest Scope="http://sharepoint/taxonomy" Right="Write" />
  <AppPermissionRequest Scope="http://sharepoint/content/sitecollection/web" Right="FullControl" />
</AppPermissionRequests>
- Click Create to update the permissions
- Click Trust It to trust the app permissions.
Please note: Do not copy text directly from Word into PowerShell, as special characters like " can be changed to invalid characters such as “ and therefore will not work.
Elevate app privileges local app catalog
Use the following guidelines to approve the app request in the local app catalog. Since this section is for the modern site experience, the steps have changed from the classic site experience and app approval needs to be done at the admin site level in SharePoint Online.
- Log on to the <intranet> site collection https://<tenant>.sharepoint.com/<sites>/<intranet>/_layouts/appinv.aspx with the <SPO admin> account
- Type in the ClientID from the LiveTiles Intranet Enterprise app and click on Lookup
- In the Permission Request XML box add the following:
<AppPermissionRequests AllowAppOnlyPolicy="true" >
  <AppPermissionRequest Scope="http://sharepoint/social/tenant" Right="Read" />
  <AppPermissionRequest Scope="http://sharepoint/search" Right="QueryAsUserIgnoreAppPrincipal" />
  <AppPermissionRequest Scope="http://sharepoint/taxonomy" Right="Read" />
  <AppPermissionRequest Scope="http://sharepoint/content/sitecollection" Right="FullControl" />
</AppPermissionRequests>
- Click Create to update the permissions
- Click Trust It to trust the app permissions.
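Both permission request blocks above (global and local app catalog) are pasted by hand, and the note about Word turning " into “ describes the most common way they break. The function below is an added example, not part of the LiveTiles guide: it checks a permission request block for non-ASCII quote characters, confirms it parses as XML, and prints every Scope/Right pair with a marker on FullControl rights so the requested rights can be reviewed before clicking Trust It. The sample input is constructed from the local app catalog request with one quote deliberately replaced by a curly quote.

```powershell
# Added example (not from the LiveTiles guide): pre-flight check for an
# AppPermissionRequests block before pasting it into appinv.aspx.
function Test-AppPermissionRequestXml {
    param([Parameter(Mandatory = $true)][string]$Xml)

    # Curly quotes (U+201C/U+201D/U+2018/U+2019) are not valid attribute delimiters.
    $badQuotes = [regex]::Matches($Xml, '[\u201C\u201D\u2018\u2019]')
    if ($badQuotes.Count -gt 0) {
        Write-Warning "Found $($badQuotes.Count) non-ASCII quote character(s); replace them with plain `" or ' before pasting."
        return $false
    }

    try { [xml]$doc = $Xml } catch { Write-Warning "XML does not parse: $_"; return $false }

    $root = $doc.AppPermissionRequests
    if (-not $root) { Write-Warning 'Root element must be AppPermissionRequests'; return $false }

    Write-Host "AllowAppOnlyPolicy = $($root.AllowAppOnlyPolicy)"
    foreach ($r in $root.AppPermissionRequest) {
        $flag = if ($r.Right -eq 'FullControl') { '  <-- full control, review' } else { '' }
        Write-Host ("{0,-55} {1}{2}" -f $r.Scope, $r.Right, $flag)
    }
    return $true
}

# Constructed sample: the first attribute's opening quote is a curly quote,
# as happens when the block is copied out of a Word document.
$pastedFromWord = @"
<AppPermissionRequests AllowAppOnlyPolicy=“true" >
  <AppPermissionRequest Scope="http://sharepoint/social/tenant" Right="Read" />
  <AppPermissionRequest Scope="http://sharepoint/search" Right="QueryAsUserIgnoreAppPrincipal" />
  <AppPermissionRequest Scope="http://sharepoint/content/sitecollection" Right="FullControl" />
</AppPermissionRequests>
"@

Write-Host "As pasted from Word:"
Test-AppPermissionRequestXml -Xml $pastedFromWord

# Repair the quotes and check again.
$clean = $pastedFromWord -replace '[\u201C\u201D]', '"' -replace '[\u2018\u2019]', "'"
Write-Host "After replacing the quotes:"
Test-AppPermissionRequestXml -Xml $clean
```

Save the script as UTF-8 (with BOM for Windows PowerShell 5.1) so the curly quote in the sample is read correctly. The first call warns and returns False; the second lists the four scopes and returns True. The listing is also a convenient record of which rights were granted to the app at installation time.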
Search configuration import
The last part of the installation and configuration of LiveTiles Intranet Enterprise is to import search configuration functionality and metadata.
- Log on to site https://<customer-subscription>.sharepoint.com/sites/<livetiles-site> with <Site Collection admin>
- Click Settings and select Site information
- Select View all site settings to get to the site settings page
- In the Search section, click Configuration Import
- Download search configuration and save the file in C:\LiveTiles
- Unpack the file and run this command:
PS C:\> dir C:\LiveTiles\*SearchConfiguration* | Unblock-File
- Click on Choose File and browse to SearchConfiguration.xml
- Click Import to update search scheme configuration settings
Enable global term sets
Global term sets are necessary to make sure all functionalities are working as expected, such as Workspaces, Related Content etc. in LiveTiles Intranet Enterprise.
Please ensure that you have installed the SharePoint Online Client Components SDK as described in prerequisites before proceeding.
Installation using non-MFA account
To enable global term sets, do the following to add permissions to run the script:
- Log in to https://<customer-subscription>-admin.sharepoint.com with <Tenant Admin> account
- Click More features and click Open on Term store
- In Term Store Administrators, add the account that must perform this change
Please note: Term store administrators added must not be enabled for MFA, if the account is enabled for MFA, then you must add global term sets manually - see below.
- Click Save to save the changes
- Download the script WizdomGlobalTermsets from https://livetilesrepository.blob.core.windows.net/livetilesintranetcloud/installationfiles/LiveTilesGlobalTermsets.zip
- Change the values $SiteUrl, $Username and $Password to match the installation and save
$SiteUrl = "https://<tenant>.sharepoint.com/"
$Username = "<TermStoreAdmin>"
$Password = ConvertTo-SecureString "<Password>" -AsPlainText -Force
- Run the script WizdomGlobalTermsets.ps1
- When completed the output will look like this
Manual installation using MFA enabled account
In situations where it is not possible to remove MFA from the account, global term sets can be configured manually, which is straightforward.
- Log in to https://<customer-subscription>-admin.sharepoint.com with <Tenant Admin> account
- Click More features and click Open on Term store
- In Term Store Administrators, add the account that must perform this change
- Click Save to save the changes
- In the Taxonomy Term Store, click the little arrow on the right side and select New Group
- Name the new group Wizdom Global and click Save
- On the new group, select New Term Set and add the following:
Term Group Name | Term Set Name |
Wizdom Global | Wizdom_Department |
Wizdom Global | Wizdom_Languages |
Wizdom Global | Wizdom_Location |
Wizdom Global | Wizdom_ManualArea |
Wizdom Global | Wizdom_ManualType |
Wizdom Global | Wizdom_RelatedTopic |
Result will look like this:
- Click Save to save the changes
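The same term group and term sets can also be created from PowerShell with an MFA-enabled account, because PnP.PowerShell's interactive sign-in opens a browser login instead of taking a stored password. The script below is an added example and is not the vendor's WizdomGlobalTermsets.ps1; it assumes PnP.PowerShell is installed, that the signed-in user has been added as a Term Store Administrator as described above, and that <tenant> is replaced with the real tenant name.

```powershell
# Added example (not the vendor's WizdomGlobalTermsets.ps1): create the "Wizdom Global"
# term group and its six term sets with PnP.PowerShell using interactive (MFA-capable) sign-in.
# Assumptions: PnP.PowerShell installed, signed-in user is a Term Store Administrator,
# <tenant> replaced with the real tenant name.
#Requires -Modules PnP.PowerShell

$AdminUrl  = "https://<tenant>-admin.sharepoint.com"
$GroupName = "Wizdom Global"
$TermSets  = @(
    "Wizdom_Department", "Wizdom_Languages", "Wizdom_Location",
    "Wizdom_ManualArea", "Wizdom_ManualType", "Wizdom_RelatedTopic"
)

# -Interactive opens a browser sign-in, so no password is stored in the script and MFA works.
# Recent PnP.PowerShell releases also require -ClientId of your own Entra app registration.
Connect-PnPOnline -Url $AdminUrl -Interactive

# Idempotent: reuse the group if it already exists, otherwise create it.
$group = Get-PnPTermGroup -Identity $GroupName -ErrorAction SilentlyContinue
if (-not $group) {
    $group = New-PnPTermGroup -Name $GroupName
    Write-Host "Created term group '$GroupName'"
}

foreach ($name in $TermSets) {
    $existing = Get-PnPTermSet -Identity $name -TermGroup $GroupName -ErrorAction SilentlyContinue
    if ($existing) {
        Write-Host "Term set '$name' already exists, skipping"
        continue
    }
    New-PnPTermSet -Name $name -TermGroup $GroupName | Out-Null
    Write-Host "Created term set '$name'"
}

# Verify: list what is now in the group so it can be compared with the table above.
Get-PnPTermSet -TermGroup $GroupName | Select-Object Name, Id
```

Running the script a second time creates nothing, so it is safe to re-run after a partial failure.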
Install LiveTiles Intranet
In the following section we will configure the steps needed for deploying LiveTiles Intranet Enterprise on the site collection and finishing the installation.
Open LiveTiles Intranet admin center
To open LiveTiles Intranet for the first time, you will need to create the URL manually.
The URL contains the Azure web app URL and the site collection URL used for the Intranet:
https://<webapp>.azurewebsites.net/Base/Pages/Configuration.aspx?SPHostUrl=https%3A%2F%2F<tenant>%2Esharepoint%2Ecom%2Fsites%2F<sitecollection>
Use the following ASCII encodings to design the URL for LiveTiles Intranet Admin Center:
Sign | ASCII Encoding Reference |
: | %3A |
/ | %2F |
. | %2E |
Please note: To learn more about URL encodings and how to use them, please visit https://www.w3schools.com/tags/ref_urlencode.ASP
If the URL in Azure is https://livetilesapp.azurewebsites.net and the URL in SPO is https://nextzen.sharepoint.com/sites/intranet, the ASCII encoded URL will be:
When completed, put in the new URL in the browser to open LiveTiles Intranet Admin Center.
Please note: When opening LiveTiles Intranet Admin Center for the first time, allow the installation to complete: several SQL scripts are run against the database, which makes the page appear unresponsive for a while.
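The URL construction above can be scripted so that the encoding is not done by hand. The following is an added example, not code from the vendor: it applies exactly the three substitutions from the table to the site collection URL and then checks that decoding the SPHostUrl parameter gives the original URL back. The function names Get-AdminCenterUrl and Test-AdminCenterUrl are this example's own.

```powershell
# Added example (not vendor code): build the LiveTiles Intranet Admin Center URL by
# applying the encoding table above (':' -> %3A, '/' -> %2F, '.' -> %2E) to the site URL.
function Get-AdminCenterUrl {
    param(
        [Parameter(Mandatory)] [string] $WebAppUrl,          # e.g. https://<webapp>.azurewebsites.net
        [Parameter(Mandatory)] [string] $SiteCollectionUrl   # e.g. https://<tenant>.sharepoint.com/sites/<sitecollection>
    )
    # Chained -replace applies each substitution to the result of the previous one.
    $encoded = $SiteCollectionUrl -replace ':', '%3A' -replace '/', '%2F' -replace '\.', '%2E'
    return "$($WebAppUrl.TrimEnd('/'))/Base/Pages/Configuration.aspx?SPHostUrl=$encoded"
}

# Round-trip check: decoding the SPHostUrl parameter must give back the original site URL.
function Test-AdminCenterUrl {
    param(
        [Parameter(Mandatory)] [string] $Url,
        [Parameter(Mandatory)] [string] $SiteCollectionUrl
    )
    $query = ([System.Uri] $Url).Query.TrimStart('?')
    $value = ($query -split '=', 2)[1]
    return ([System.Uri]::UnescapeDataString($value) -eq $SiteCollectionUrl)
}

# The two URLs from the worked example in the text.
$siteUrl = "https://nextzen.sharepoint.com/sites/intranet"
$url = Get-AdminCenterUrl -WebAppUrl "https://livetilesapp.azurewebsites.net" -SiteCollectionUrl $siteUrl
$url
Test-AdminCenterUrl -Url $url -SiteCollectionUrl $siteUrl
```

Encoding the dots is not strictly required ([System.Uri]::EscapeDataString leaves them as-is), but following the table keeps the result identical to what the guide expects, and the round-trip check passes either way.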
Add license to LiveTiles Intranet Enterprise
A valid license should have been provided before the installation session; if not, please contact support@livetiles.nyc to receive a new one. To add the license, do the following:
- Open LiveTiles Intranet Admin Center
- Click on the Admin module
- Find the License module and open it
- Add the PIN received and click Pair
- Press F5 to refresh the page
Check and validate installation settings
The next step is to check that the installation settings for Azure and Microsoft 365 are correct; any errors must be fixed before continuing the setup.
- Open LiveTiles Intranet Admin Center
- Click on the Admin module
- Find the Installation module and open it
- Let the installation prechecks run and wait for the output
Please note: Unified Gateway is only a warning and can be safely ignored.
By default all users have administrator access to all modules, which is why the warning "No administrator group has been defined" is shown.
As part of the setup we recommend adding admins to groups and using the Audience module to control permissions and access.
- If there are any errors, e.g. related to the search or graph accounts not being able to validate authentication, fix them before continuing.
Configure datastore site collection
To configure the datastore site collection used for synchronizing noticeboard news items to SharePoint Online to enable search functionality, do the following:
- Open LiveTiles Intranet Admin Center
- Click on the Admin module
- Find the Sitecollections module and open it
- Add the URL created previously
- Type in the search account and select it from the dropdown list (indicates that the AAD app is working as expected)
- Press Save configuration to save the settings
Check and validate synchronization timer job
To validate that noticeboard news items can be replicated to the datastore site collection, do the following:
- Open LiveTiles Intranet Admin Center
- Click on the Admin module
- Find the Timerjobs module and open it
- Click Run on Noticeboard News Synchronization Job and wait for it to complete
- In SPO open https://<tenant>.sharepoint.com/sites/<datastore> URL
- Click Settings
and select Site contents
- Go to Subsites and verify a new subsite Noticeboard has been created
Deploy Modern Experiences
The initial deployment of Modern Experiences design templates is easy when using the global app catalog deployment in SharePoint Online.
- Open LiveTiles Intranet Admin Center
- Click on the Admin module
- Find the Modern Experiences module and open it
- Select the checkbox to enable deployment, click Associate modern packages with this Wizdom instance and then Deploy modern packages immediately
- Click Save configuration to deploy features and templates
Using Root Site Collection
If you are deploying LiveTiles Intranet for Modern Experiences on the root site collection in SharePoint Online, the page properties are most often not committed, and we need to add them manually.
Check if page properties have been added:
- Open https://<tenant>.sharepoint.com
- Click the Page details button to verify whether the LiveTiles custom properties are missing
If page properties are not present, please follow these instructions to add them to the root site collection.
- Open https://<tenant>.sharepoint.com
- Click the settings wheel top right and select Site contents
- Click on Site Pages and find the Home.aspx page
- Next click on the three dots and select More > Properties
- In the Content Type, select Wizdom Page and close
- Finally, check if page properties have been added to the root site collection
Validate Installation
The following section is added as a supplement to help you validate the installation.
Since many manual steps are involved in provisioning LiveTiles Intranet Enterprise for Modern Experiences, we recommend reading and comparing against the steps listed below:
Site collection data store
To validate if Noticeboard news items can be replicated to SharePoint Online and Noticeboard items will become searchable, perform the following test:
- Open https://<tenant>.sharepoint.com
- Open LiveTiles Intranet admin center
- Click on Admin module and open the Sitecollections module
- Check if the datastore URL and the search account has been added
- Click ← Back top left and select the Timerjobs module
- Click Run on Noticeboard News Synchronization Job
- Check status in Show logs and no errors in output
- Check if new subsite Noticeboard has been created https://<tenant>.sharepoint.com/sites/<datastore>/_layouts/15/viewlsts.aspx?view=15
Validate search and graph accounts
To validate if search or graph accounts are valid and can sign in, please follow these steps.
Please note: The search account cannot be enabled for MFA, but the graph account can. If the graph account is enabled for MFA, authentication is done using the service API; this is not the case for the search account.
- Open https://portal.office.com
- Select to sign-in with the <search> account
- Type the password and if the account is valid, the following message will appear:
- Repeat the steps for the graph account and use MFA if required
Ensure correct language settings
Language settings are important for some areas of LiveTiles Intranet Enterprise to work as expected. One specific area where this is important, is in the Noticeboard web parts.
To ensure the tenant has the correct language settings, please follow these steps:
- Open https://<tenant>-admin.sharepoint.com
- Click on Settings and select Site creation
- Choose the correct Default time zone from the dropdown list
- Click Save to save the settings tenant wide.
Create Additional Accounts
Generic or personal accounts?
In some implementation projects it can be necessary to create additional accounts for accessing the solution e.g., design and workshops.
We highly recommend that external resources are provided with a personal account with at minimum the following privileges:
Description | Role | Access | Comments |
Design Implementor | SPO Administrator | All LiveTiles site collections and SPO Admin Center | Needs to be able to create site collections and add permissions. Full access to LiveTiles Intranet admin center. |
LiveTiles Supporter w/normal access | SPO User | All LiveTiles site collections | Must have site collection administrator permissions and full admin access to LiveTiles Intranet admin center |
LiveTiles Supporter w/extended access | SPO Administrator | All LiveTiles site collections and SPO Admin Center | Same as LiveTiles Supporter w/normal access; with the extended permissions the supporter can also re-generate expired SPO apps (client secrets) |
SharePoint Online administrator account
User is needed to be able to create site collections in SharePoint Online in connection with the workshop and design implementation phase. When completed, this account can most likely be degraded to normal user again.
End user with E3 license assigned
To be able to test the solution logged in as an end user, we recommend that the user is assigned a license such as E3. Part of this test is also access using different browser types such as Edge or Chrome.
Smoke-Test
Corporate News
Verify that search works as expected in the corporate news web part.
Noticeboard
Create new noticeboard item selecting channels, likes and comments.
LiveTiles Everywhere (PowerPanel)
Possible to configure a single widget.
Phonebook
Search for and display people in the web part.
People in Department
Related Pages
Test Creation
Test P&P Site Creation
Workspace Module
Appendix
Integrate Reach into Noticeboard
The following section describes how to integrate Reach into Noticeboard. Reach is an internal communications app and pocket Intranet that can be incorporated into LiveTiles Intranet Enterprise. For more information about Reach, please visit https://livetilesglobal.com/products/livetiles-reach/.
If you do not currently have a Reach subscription, you can easily create one by going to https://app.condense.ch/subscribe, preferably with an account from the same AD that is used for the SharePoint Online tenant where Noticeboard is running.
Just fill in the information to get started.
Overview
The architecture of the Reach application consists of a client area and a multi-layer back end.
The client area consists of a web client and a mobile app, through which users use the functions of Reach. The web client runs in Microsoft Azure in a Web App Service. The mobile apps are provided as native iOS and Android apps. The back-end area executes the entire business logic and data management. Most of the back-end area runs on services within Microsoft Azure. The following functionalities run on cloud services outside of Microsoft:
- OneSignal: Mobile push notifications
- SendGrid: Email notifications
- Kraken.io: Processing of images
- Unsplash: Picture archive
Prerequisites and Requirements
The following requirements are needed to setup integration from Reach into Noticeboard:
LiveTiles Intranet Enterprise
- LiveTiles Intranet Enterprise version 6.49.1.0 or newer
- Microsoft 365 with SPO administrative access (site collection tasks)
- Microsoft 365 Azure Active Directory (AAD) Global Administrator (grant consent)
- Azure subscription administrative permissions (if hosted by LiveTiles)
- Not targeted if LiveTiles Intranet Enterprise Azure services are hosted by the customer. Please contact LiveTiles Support to get additional assistance.
Reach
- Active Reach subscription
- Features enabled: In-app Browser, External Content (see note below)
- Configure the subscription handle and link
- API URL: https://api.condense.ch
- API-key (see note below)
- Login to https://app.condense.ch/ with your Reach admin account
- Click on your account name
- Next click on About LiveTiles Reach and copy the subscription ID
- Save this key and share it with LiveTiles to be able to activate the subscription
- Assigned owner role
Please note (API-key/features): The API-key must be requested by contacting support@livetiles.nyc with reference to Reach, attention Alexander Halder, specifying the Reach Subscription ID and the desired validity period of the API key. The API key is usually issued within 1 day. Also ask for the in-app browser and external content features to be enabled.
Configuration of Intranet Enterprise Azure web app
The following section describes how to configure LiveTiles Intranet Enterprise web app service for Reach.
Please note: To update Azure web app with Reach app settings, you should have received the new API-key from LiveTiles Support before starting on this task.
Please note that update and changes to web app configuration requires restart and services will be unavailable for a short period.
- Log in to https://portal.azure.com with resource group admin account
- Select Resource Groups, and click resource group = <livetiles>
- Click the web app service = <livetilesweb>
- Select Application Settings
- Add new app setting Name = ReachApiUri, press OK to save
- Add new Value = https://api.condense.ch, press OK to save
- Add new app setting Name = ReachApiKey, press OK to save
- Add new Value = <ApiKey>, press OK to save
- Add new app setting Name = ReachIntegrationEnabled, press OK to save
- Add new Value = true, press OK to save
The resulting entries in the app settings JSON view (the API key value is shown as a placeholder):
[
  {
    "name": "ReachApiKey",
    "value": "<ApiKey>",
    "slotSetting": false
  },
  {
    "name": "ReachApiUri",
    "value": "https://api.condense.ch",
    "slotSetting": false
  },
  {
    "name": "ReachIntegrationEnabled",
    "value": "true",
    "slotSetting": false
  }
]
- Go to Overview and restart the web app by clicking on
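The same change can be made from PowerShell with the Az module, which is useful when the web app is managed by script or when the change must be repeatable across environments. The script below is an added example, not vendor code; it assumes Az.Websites is installed, that you are already signed in with Connect-AzAccount using an account with rights on the resource group, and that <livetiles> and <livetilesweb> are replaced with the real names. The one point it is careful about: Set-AzWebApp -AppSettings replaces the whole settings collection, so the existing settings are read and merged first.

```powershell
# Added example (not vendor code): add the three Reach settings to the Azure web app without
# discarding the settings already present, then restart it so the new values take effect.
# Assumptions: Az.Websites installed, already signed in (Connect-AzAccount),
# <livetiles>/<livetilesweb> replaced with the real resource group / web app names.
#Requires -Modules Az.Websites

$ResourceGroup = "<livetiles>"
$WebAppName    = "<livetilesweb>"

# Prompt for the key so it never lands in a script file or in shell history.
$apiKey = Read-Host -Prompt "Reach API key"

$newSettings = @{
    ReachApiUri             = "https://api.condense.ch"
    ReachApiKey             = $apiKey
    ReachIntegrationEnabled = "true"
}

# Set-AzWebApp -AppSettings REPLACES the whole collection, so merge with the existing settings first.
$webApp = Get-AzWebApp -ResourceGroupName $ResourceGroup -Name $WebAppName
$merged = @{}
foreach ($s in $webApp.SiteConfig.AppSettings) { $merged[$s.Name] = $s.Value }
foreach ($k in $newSettings.Keys)             { $merged[$k] = $newSettings[$k] }

Set-AzWebApp -ResourceGroupName $ResourceGroup -Name $WebAppName -AppSettings $merged | Out-Null

# Restart so the new settings are picked up (short outage, as noted above).
Restart-AzWebApp -ResourceGroupName $ResourceGroup -Name $WebAppName | Out-Null

# Verify the three names are present; the key itself is masked in the output.
(Get-AzWebApp -ResourceGroupName $ResourceGroup -Name $WebAppName).SiteConfig.AppSettings |
    Where-Object { $_.Name -like 'Reach*' } |
    Select-Object Name, @{ n = 'Value'; e = { if ($_.Name -eq 'ReachApiKey') { '***' } else { $_.Value } } }
```

If the web app has a managed identity, the ReachApiKey value can instead be stored in Azure Key Vault and referenced from the app setting, so that the key itself is never visible in the portal or in scripts.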
Configuration of Reach
The following lists the few steps needed to configure Reach to use the Azure web app service.
- Login to https://app.condense.ch/ with your Reach admin account
- Go to Settings and click Owners and add the primary user for the API-Key by clicking Add owner
You can search for “api” in the search box.
- Verify that the API-key users have been delegated the account type of API Key
- Add the API-Key user to the publishing role in the Reach groups:
- Go to Settings to add the API-Key as Editor:
- Click on Everyone group to open its membership settings
- In Add or invite users to the group, select Editor permissions from the drop-down list
- Search for API-Key user and add this to the Everyone group
Configuration of Reach integration in Noticeboard Module
The following section will list the steps required to integrate Reach in Noticeboard module.
- Add the Noticeboard item detail page in SharePoint Online:
- Open the LiveTiles Intranet Enterprise site
- Click + New and select Page from the list
- Go to Apps (see note below) section and select Noticeboard single item and then Create page
- In the App page details, fill in required name for Title, e.g., Noticeboard item detail view
- Deselect Show in site navigation and click Save
Configure Noticeboard Module in LiveTiles Intranet admin center
- Open LiveTiles Intranet admin center and go to Modules > Noticeboard
- Click on Integrations and open Reach Mobile App
- Click Enable and in Page URL, specify the URL you created above for the Noticeboard single item page, e.g. https://<tenant>.sharepoint.com/sites/Modern/SitePages/Noticeboard-item-detail-view.aspx
This URL will be used for displaying the Noticeboard items within the Reach app.
- Specify the Noticeboard WebPart View ID; this is the ID of the Noticeboard web part that is added to the Intranet. The channel subscriptions made by Intranet users within that web part are synchronized with the Reach app.
To find the View ID, follow these steps:
- Open the page that contains the webpart you wish to synchronize channel subscriptions from, e.g.:
https://nextzen.sharepoint.com/sites/Modern/SitePages/Noticeboard.aspx
- Append the property ?maintenancemode=true to the URL and refresh the page
It should look like this:
https://nextzen.sharepoint.com/sites/modern?maintenancemode=true
- The Noticeboard will be displayed by its relevant properties like this:
- Select the Data tab of this panel and scroll down and find viewId section
- Copy the viewId value (without the quotation marks) from the list
- Map Noticeboard Channels to Reach by selecting a noticeboard channel and the corresponding Reach channel and group. Channels not mapped will not be synchronized between Noticeboard and Reach.
Please note: If you cannot find Noticeboard single item in Apps section, solution is to redeploy modern packages in LiveTiles Intranet admin center.
Configure Suggested and Mandatory Channels (optional)
In Noticeboard, channels can be targeted to specific user groups (users or AD groups) so the channel is either mandatory for those users or suggested.
To replicate these settings within Reach the configuration must be done manually in Reach. This is done in the Settings area in the Reach app. The configuration can be applied via Audience Targeting feature available in the Channels section.
Usage of Integration
Reach
- Make sure to download and install the mobile app from Apple store or Google Play store.
Reach for iOS https://apps.apple.com/dk/app/livetiles-reach/id1227790709?l=da
Reach for Android https://play.google.com/store/apps/details?id=ch.itsystems.condense.appstore
- Sign-in by using the branded login page configured in Reach:
- Make the branded login page link available on your mobile by sending it to your mobile via e-mail.
- Clicking on the link will open the Reach mobile app displaying the branded login page.
- Sign-in by providing the credentials of your account associated with SharePoint Online (AD account)
Noticeboard
- Navigate to the page where the Noticeboard web part is available
- Create a new Noticeboard post in a channel that has been mapped to a Reach channel in the Noticeboard module configuration.
- After a while the Reach mobile app should receive a push notification about the created Noticeboard post.
- Open Reach app and click on the card displaying the created noticeboard post in the news overview. The Noticeboard post will open in an in-app browser window showing the content served from the SharePoint Online page specified in the Reach integration settings of the Noticeboard configuration.
Manual Search Configuration
If the configuration import somehow does not work, it is possible to create the LiveTiles Intranet Enterprise managed properties manually. However, we recommend using SearchConfiguration.xml to set these properties.
- Log in to the SharePoint Server
- Open SharePoint Central Administration
- In the left side select Application Management and open Manage Service Applications
- Open Search Service Application and select Search Schema
- For each managed property in the table below, do the following:
- In the Managed property field, search for Refinable
- Select Edit/Map Property on one of the available properties of the type listed in the table (RefinableDate or RefinableString)
- In the Main characteristics area, mark the Searchable checkbox
- Fill out the Alias input box with the alias name from the table
- Add the mapping to the crawled property from the table and click OK to save the new managed property
Alias | Refinable property type | Mapped crawled property |
w365Birthday | RefinableDate | People:SPS-Birthday |
w365HireDate | RefinableDate | People:SPS-HireDate |
w365RevisionDate | RefinableDate | ows_q_DATE_W365_RevisionDate |
w365ManualType | RefinableString | ows_taxId_W365_ManualType |
w365ManualArea | RefinableString | ows_W365_ManualArea |
w365ManualLocation | RefinableString | ows_W365_ManualLocation |
The result should look like this:
Limit LiveTiles Intranet Enterprise People-Picker to Certain AD OU’s
If an organization has a business requirement to limit the scope of identities to specific Microsoft 365 groups, it can be done by adding a new app setting on the web app in Azure.
In that way the people-picker will only select identities from the configured Azure AD Organizational Units, which limits LiveTiles Intranet Enterprise to showing results from the pre-configured groups.
How it works:
The following is an example that limits results in the LiveTiles Intranet Enterprise people-picker to identities from Microsoft 365 groups whose names start with "GRP_". It must be added to the app settings on the web app in Azure:
key="ADGroupPrefix", value="GRP_"
If "gr", "grp" or "grp_" is typed, the results will be:
GRP_DE_IT
GRP_FR_IT
GRP_FR_MARKETING
If “fr” or “grp_fr” is typed, results will be:
GRP_FR_IT
GRP_FR_MARKETING
This means that the prefix in [prefix]_[groupname] does not have to be typed.
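To reason about which groups a given ADGroupPrefix value will expose before changing the web app, the matching behaviour described above can be modelled locally. The function below is an added example, not the product's own people-picker code; it assumes that matching is case-insensitive and anchored at the start of the name (with or without the prefix), which is what the two examples in the text show, and the group names it uses are constructed sample data.

```powershell
# Added example (not vendor code): model the people-picker prefix matching described above.
# Assumption: matching is case-insensitive and anchored at the start of the name, either on the
# full name ("grp_fr") or on the part after the prefix ("fr"). Group names are constructed samples.
function Find-PrefixedGroup {
    param(
        [Parameter(Mandatory)] [string]   $Typed,      # what the user typed into the picker
        [Parameter(Mandatory)] [string]   $Prefix,     # value of the ADGroupPrefix app setting, e.g. "GRP_"
        [Parameter(Mandatory)] [string[]] $AllGroups   # candidate group display names
    )
    $ci = [System.StringComparison]::OrdinalIgnoreCase

    # Only groups carrying the prefix are ever in scope; everything else is filtered out first.
    $inScope = $AllGroups | Where-Object { $_.StartsWith($Prefix, $ci) }

    # Match on the full name or on the remainder after the prefix, so typing the prefix is optional.
    return $inScope | Where-Object {
        $rest = $_.Substring($Prefix.Length)
        $_.StartsWith($Typed, $ci) -or $rest.StartsWith($Typed, $ci)
    }
}

# Constructed sample directory: the two groups without the prefix must never be returned,
# even when the typed text ("it") would match part of their names.
$groups = @("GRP_DE_IT", "GRP_FR_IT", "GRP_FR_MARKETING", "Finance-All", "IT-Admins")

foreach ($typed in @("gr", "grp_", "fr", "grp_fr", "it")) {
    $hits = Find-PrefixedGroup -Typed $typed -Prefix "GRP_" -AllGroups $groups
    "{0,-8} -> {1}" -f $typed, ($hits -join ", ")
}
```

The last input ("it") is the case worth checking: it matches nothing, because the groups that contain "IT" after the prefix do not start with it, and IT-Admins is outside the prefix scope altogether.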
LiveTiles Everywhere Caching
This section describes how caching works in LiveTiles Everywhere, formerly known as PowerPanel.
There is an option to reset/invalidate the LiveTiles Intranet Enterprise browser cache, but in Modern that option does not exist.
The Clear browser cache functionality under LiveTiles Intranet > Admin > Cache only works for some calls in Modern.
LiveTiles Everywhere in Modern does have the functionality to reset/invalidate the browser cache, but it does not take effect immediately.
Here are the details of LiveTiles Everywhere caching logic:
- By default, LiveTiles Everywhere structure/static content is cached for 30 days on client side (browser cache)
- Any updates to LiveTiles Everywhere will update “powerpanelTimestamp”, the timestamp will force to get the latest version of PowerPanel
- powerpanelTimestamp, as part of LiveTiles Intranet Everywhere configuration, is also cached on the client side for approx. 10 minutes.
From the logic above, the changes to LiveTiles Everywhere should be visible to the client in a page load after approx. 10 minutes.
Local App Catalog Deployment In Modern Sites
Introduction
LiveTiles Intranet Enterprise supports out-of-the-box deployments of all its modern webparts to the global app catalog in Microsoft 365. All webparts are instantly available to all modern site collections.
The following section describes how to deploy LiveTiles Intranet Enterprise webparts to a local app catalog and the pros and cons of this approach.
For more information about using the local app catalog deployment in SharePoint Online, use the following link: https://docs.microsoft.com/en-us/sharepoint/dev/general-development/site-collection-app-catalog
Local App Catalog Deployment
Prerequisites
Disable auto upgrade of modern packages in LiveTiles Admin Center > Admin > Modern Experiences
The auto upgrade function always deploys the apps to the global app catalog and therefore should be disabled.
Do not use Deploy modern packages immediately function in the LiveTiles Intranet Enterprise Admin Center because it deploys the modern packages to the global app catalog.
Please note: This requires SharePoint Online Management PowerShell to be installed
https://www.microsoft.com/en-us/download/details.aspx?id=35588
First Time Installation
Use the following script to deploy to the local app catalog, changing these variables:
- <Modern SiteCollection Url>
- <SharePoint apps Client ID >
- <SharePoint Apps Client Secret>
- WizdomVersion
.\UploadWizdomPackagesTolocalAppCatalog.ps1 -siteCollectionUrl <ModernSCUrl> -clientId <xxx> -clientSecret <xxx> -WizdomVersion $WIZDOM_APPLICATION_VERSION$
The script uploadWizdomPackagesTolocalAppCatalog.zip can be downloaded here: https://livetilesrepository.blob.core.windows.net/livetilesintranetcloud/installationfiles/uploadLiveTilesPackagesTolocalAppCatalog.zip
Upgrading LiveTiles Intranet Enterprise
If you need to upgrade LiveTiles Intranet Enterprise, run the same PowerShell script as above, but replace WizdomVersion for each LiveTiles Intranet Enterprise modern site collection.
To find all modern site collections, open Wizdom Admin Center > Admin > Sitecollections > Modern Sitecollections.
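Because the vendor script has to be run once per modern site collection, both at first installation and at every upgrade, a small wrapper that iterates over the site list and records which sites failed saves a lot of manual bookkeeping. The wrapper below is an added example, not vendor code; it assumes the script has been unpacked into the current folder with the parameters shown above, and that the list from Admin > Sitecollections > Modern Sitecollections has been saved as a one-URL-per-line text file (sitecollections.txt and the log file name are this example's own).

```powershell
# Added example (not vendor code): run UploadWizdomPackagesTolocalAppCatalog.ps1 against every
# modern site collection in turn, logging failures instead of stopping at the first one.
# Assumptions: the vendor script is in the current folder with the parameters shown above;
# sitecollections.txt (constructed name) holds one site collection URL per line.
#Requires -Modules Microsoft.Online.SharePoint.PowerShell

param(
    [Parameter(Mandatory)] [string] $ClientId,
    [Parameter(Mandatory)] [string] $WizdomVersion,          # the version shown as $WIZDOM_APPLICATION_VERSION$ above
    [string] $SiteListPath = ".\sitecollections.txt",
    [string] $LogPath      = ".\local-appcatalog-upgrade.log"
)

$ErrorActionPreference = 'Stop'

# Prompt for the client secret rather than passing it on the command line, so it stays out of history.
$clientSecret = Read-Host -Prompt "SharePoint apps client secret"

$sites  = Get-Content -Path $SiteListPath | Where-Object { $_.Trim() -ne "" }
$failed = @()

foreach ($site in $sites) {
    $started = Get-Date
    try {
        & .\UploadWizdomPackagesTolocalAppCatalog.ps1 -siteCollectionUrl $site `
            -clientId $ClientId -clientSecret $clientSecret -WizdomVersion $WizdomVersion
        $elapsed = [int] ((Get-Date) - $started).TotalMinutes
        Add-Content -Path $LogPath -Value "$(Get-Date -Format s) OK   $site ($elapsed min)"
    }
    catch {
        $failed += $site
        Add-Content -Path $LogPath -Value "$(Get-Date -Format s) FAIL $site : $($_.Exception.Message)"
    }
}

# A site whose catalog was not updated may stop working after the upgrade, so surface the failures.
if ($failed.Count -gt 0) {
    Write-Warning "Re-run for these site collections: $($failed -join ', ')"
} else {
    Write-Host "All $($sites.Count) site collections updated to version $WizdomVersion."
}
```

The log gives the per-site duration, which is what you need to estimate how long a full upgrade will take given the up-to-10-minutes-per-site figure in the next section.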
Pros and Cons
Pros: The webparts are not available in all modern site collections, but only in those with the local app catalog deployed.
Cons: You must run the custom PowerShell script every time you create a new LiveTiles Intranet Enterprise modern site collection, and it can last up to 10 minutes per site collection.
Even though the app packages can be deployed locally, SharePoint site designs can only be deployed globally.
Also, every time LiveTiles Intranet Enterprise is upgraded, you need to run the script on each modern site collection. This means that if the customer has hundreds of LiveTiles Intranet Enterprise modern site collections, an upgrade can take several days. Site collections whose app catalogs have not been updated after a LiveTiles Intranet Enterprise upgrade may not work.
Local app catalog deployment is NOT recommended for customers with many LiveTiles Intranet Enterprise modern site collections; if you need it anyway, contact support@livetiles.nyc.
Explanation of AD APP Permissions Required
Windows Azure Active Directory Permissions:
Used to ensure the connection between LiveTiles Intranet Enterprise and Active Directory or Azure Active Directory.
Scope | Permission | Description | Scope Type | Requires Administrator Consent |
Sites.Read.All | Read directory data | Allows the app to read all the data in the organization's directory, such as users, groups, and apps, and their associated navigation properties. Note: Users may consent to applications that require this permission if the application is registered in their own organization's tenant. | app-only, delegated | Yes |
Directory.AccessAsUser.All | Access the directory as the signed-in user | Allows the app the same access to data in the organization's directory as the signed-in user. Note: A native client app can have the user consent to this permission; however, a web app requires administrator consent. | delegated | Yes |
Group.Read.All | Read all groups | Allows the app to read the basic profile of all groups in the organization on behalf of the signed-in user. The app can also read the basic profile of the groups that a group is a member of. The basic profile for a group includes only the group's display name. To read the profile information of a group's members, the app will also require either User.ReadBasic or User.Read.All. | delegated | Yes |
User.Read | Sign in and read user profiles | Allows the app to read the basic profile of the user in the organization on behalf of the signed-in user. The basic profile for a user includes only the user's display name. To read the profile information of a user, the app will also require either User.ReadBasic or User.Read.All. | delegated | No |
Microsoft Graph Permissions:
Used to ensure the connection between LiveTiles Intranet Enterprise and Office Graph.
Scope | Permission | Description | Scope Type | Requires Administrator Consent |
Sites.Read.All | Read items in all site collections (preview) | Allows the app to read documents and list items in all site collections on behalf of the signed-in user. | app-only, delegated | No |
Group.ReadWrite.All | Read and write all groups | Allows the app to read the full profile of all groups in the organization, as well as to create and update groups on behalf of the signed-in user. The app can also read the full profile of the groups that a group is a member of. The full profile includes all the declared properties of the Group entity. To read the profiles of or update a group’s members, the app will also require either User.ReadBasic or User.Read.All. | delegated | Yes |
Directory.ReadWrite.All | Read and write directory data | Allows the app to read all the data in the organization's directory. Allows the app to create and update users and groups, and update their navigation properties, but prohibits user or group deletion. Also allows the app to define schema extensions on applications. | app-only, delegated | Yes |
Files.Read.All | Read items in all site collections | Allows the app to read all files in all site collections without a signed in user. | delegated | Yes |
People.Read | Read all users' relevant people lists | Allows the app to read a scored list of people relevant to the signed-in user or other users in the signed-in user's organization. The list can include local contacts, contacts from social networking or your organization's directory, and people from recent communications (such as email and Skype). Also allows the app to search the entire directory of the signed-in user's organization. | app-only | Yes |
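After consent has been granted, it is worth confirming that the app registration holds exactly the permissions in the two tables and nothing more, since several of them (Directory.ReadWrite.All, Group.ReadWrite.All) are broad. The script below is an added example, not vendor code; it reads the consented delegated scopes and app-only roles of the app's service principal with the Microsoft Graph PowerShell SDK and flags anything not listed in this guide. It assumes the SDK is installed and that <app-id> is replaced with the Application (client) ID of the LiveTiles AAD app registration.

```powershell
# Added example (not vendor code): audit the permissions actually consented for the LiveTiles
# app registration and compare them with the two permission tables above.
# Assumptions: Microsoft.Graph PowerShell SDK installed; <app-id> replaced with the real client ID.
#Requires -Modules Microsoft.Graph.Authentication, Microsoft.Graph.Applications

$AppId = "<app-id>"

# Read-only directory scopes are sufficient for an audit.
Connect-MgGraph -Scopes "Application.Read.All", "Directory.Read.All"

$sp = Get-MgServicePrincipal -Filter "appId eq '$AppId'"
if (-not $sp) { throw "No service principal found for appId $AppId; the app has not been consented in this tenant." }

# Delegated permissions are OAuth2 permission grants. ConsentType 'AllPrincipals' means admin consent for all users.
$delegated = Get-MgServicePrincipalOauth2PermissionGrant -ServicePrincipalId $sp.Id | ForEach-Object {
    $grant    = $_
    $resource = Get-MgServicePrincipal -ServicePrincipalId $grant.ResourceId
    foreach ($scope in ($grant.Scope -split ' ' | Where-Object { $_ })) {
        [pscustomobject]@{ Type = 'delegated'; Resource = $resource.DisplayName; Permission = $scope; Consent = $grant.ConsentType }
    }
}

# Application (app-only) permissions are app role assignments; resolve the role GUID to its name.
$appOnly = Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id | ForEach-Object {
    $assignment = $_
    $resource   = Get-MgServicePrincipal -ServicePrincipalId $assignment.ResourceId
    $role       = $resource.AppRoles | Where-Object { $_.Id -eq $assignment.AppRoleId }
    [pscustomobject]@{ Type = 'app-only'; Resource = $resource.DisplayName; Permission = $role.Value; Consent = 'tenant-wide' }
}

$granted = @($delegated) + @($appOnly)
$granted | Sort-Object Resource, Type, Permission | Format-Table -AutoSize

# Anything outside the documented set is what a reviewer wants to see first.
$expected = @('Sites.Read.All', 'Directory.AccessAsUser.All', 'Group.Read.All', 'User.Read',
              'Group.ReadWrite.All', 'Directory.ReadWrite.All', 'Files.Read.All', 'People.Read')
$extra = $granted | Where-Object { $_.Permission -notin $expected }
if ($extra) {
    Write-Warning "Permissions granted that are not listed in this guide:"
    $extra | Format-Table -AutoSize
}
```

Run it again after each upgrade that changes the AAD permissions (the document history notes one such change in release 6.55) to confirm that nothing beyond the documented set was consented along the way.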
Uninstalling LiveTiles Intranet Enterprise add-in from SharePoint Online
If you no longer want LiveTiles Intranet Enterprise to be installed on your tenant, you can remove the configuration from LiveTiles Intranet Enterprise Configuration Center.
Please note: Uninstalling LiveTiles Intranet Enterprise will not remove everything related to LiveTiles Intranet Enterprise in SharePoint.
Here are some things to consider before starting on the uninstallation process:
- LiveTiles Intranet Enterprise Content Types and Site Columns are not removed
- LiveTiles Intranet Enterprise Page Layouts are not removed from the Master Page Gallery, but will stop rendering correctly
- LiveTiles Intranet Enterprise web parts are not removed from the Web Part gallery, but will stop rendering correctly
- Managed properties mapped to LiveTiles Intranet Enterprise Site Columns etc. are not removed
- Term sets created by LiveTiles Intranet Enterprise are not removed
- Any custom development provided through our Custom Module framework will stop working
Based on above considerations you should therefore carefully plan what should happen with your site after you remove LiveTiles Intranet Enterprise. LiveTiles Intranet Enterprise does not provide any cleanup scripts and tools out of the box to help with this process. If you ever want to roll back changes