Archive for May 22, 2016

Setting up Provider hosted apps environment with SharePoint 2013

Hi All,

As we all know, setting up Provider hosted app in SharePoint 2013 environment can be a pain at times.

We all have come across various issues while setting this up.

Sharing a self created and tested document with step-by-step approach to set this up and create a provider hosted app.

Any suggestions, thoughts or comments are appreciated!!!


SharePoint Central Admin Prerequisites

In SharePoint, you must have the following service applications provisioned and started:

· Subscription Service Application with proxy

· Subscription Settings Service instance started

· Application Management Service Application and proxy

· App Management Service instance started

· Must have User Profile Service started

Prerequisite (Need to check if we need to setup ADFS on INT environment?)

1. SharePoint 2013 server is ready with apps configured

2. ADFS 3.0 server is ready with realm set to SharePoint.

3. ADFS is registered with SharePoint as a trusted identity provider.

4. ADFS 3.0 server is ready with realm set to provider hosted app

5. Server is ready for hosting provider hosted app.

6. Load balancer configured for provider hosted web application

7. Certificate is available in private, public part along with password.

Step 1: Create a Certificate

1. In the development environment you can use a self-signed certificate, but you would need a commercial certificate when you publish your Apps to store. So we will create a self-signed one. In the IIS manager, click on Server Certificates.

2. Click on Create Self Signed Certificate

3. Enter some meaningful name like HighTrustCert and Click on Ok.

4. Now we need to export the Personal Information Exchange (.pfx) file. Right-click the certificate in IIS, click Export and provide an accessible location. Also enter the password that you want to use and click OK.

5. Next, double-click the certificate in IIS. Click the Details tab and click Copy to File.

6. Now you should see the Certificate Export Wizard (remember, earlier we exported the .pfx file). The first screen explains the significance of what we are doing. Keep clicking Next across the three screens. The screenshots below demonstrate the same. I keep all the default options. Just note that this time we are exporting the .cer file. I choose the same location. Click Save.

And finally, click Finish. You should see the message “The export was successful”.

Step 2: Run Windows PowerShell cmdlets to set up trusted security token service

1. Run SharePoint 2013 Management Shell as administrator. First things first, you need an Issuer ID. An important point: it has to be lowercase only.

Create a GUID with Visual Studio. Make sure all letters are lowercase, e.g. 7591c7a2-cc56-40ef-8f71-20a4d8450ed7

2. Run the below PowerShell cmdlets to create trusted security token service.

$publicCertPath = "D:\Certificate\WB_EBiz_WFACert.cer"

$appId = "7591c7a2-cc56-40ef-8f71-20a4d8450ed7"

$spurl = "http://wbgmsspsnd017/sites/EBiz"

$spweb = Get-SPWeb $spurl

$realm = Get-SPAuthenticationRealm -ServiceContext $spweb.Site

$certificate = Get-PfxCertificate $publicCertPath

$fullAppIdentifier = $appId + '@' + $realm

New-SPTrustedSecurityTokenIssuer -Name "WB EBiz WFA App" -Certificate $certificate -RegisteredIssuerName $fullAppIdentifier

$appPrincipal = Register-SPAppPrincipal -NameIdentifier $fullAppIdentifier -Site $spweb -DisplayName "WB EBiz WFA App"

This will add certificate to both Personal Store and Trusted Root Certification Authorities store in mmc. To verify, go to your Trusted Root Certification Authorities Store and you should see your Certificate there

Significance / additional info of the cmdlets

issuerID ($appId in the script above): the GUID generated in the previous step.

publicCertPath: the path where I saved my .cer file.

web ($spurl / $spweb in the script above): your Developer site URL.

realm: should be the same as your farm ID.

New-SPTrustedSecurityTokenIssuer: just a tip, when you use the Name parameter it can be helpful to include a readable name, such as “High Trust App” or “Contoso S2S apps”, instead of the issuer ID.

IsTrustBroker: this flag ensures that you can use the same certificate for other apps as well. If you don’t include this, you might receive the “The issuer of the token is not a trusted issuer” error. So we have two possible approaches, each with its own pros and cons: use the same certificate shared by multiple apps, or use a separate certificate for each app. Read additional details at Guidelines for using certificates in high-trust apps for SharePoint 2013.

iisreset: run it to ensure the issuer becomes valid; otherwise it takes 24 hours.

Additionally, you can turn off the HTTPS requirement for OAuth using the PowerShell cmdlets below. Do this only while developing, because app tokens then travel over unencrypted HTTP. Ensure you turn the requirement back on by changing $true to $false in the second cmdlet below and running the cmdlets again.

$serviceConfig = Get-SPSecurityTokenServiceConfig

$serviceConfig.AllowOAuthOverHttp = $true

$serviceConfig.Update()

Refer to the screenshot below for the complete steps:

Step 3: Create a Simple “High Trust” Provider Hosted App using Visual Studio 2012 (DEVELOPMENT)

1. Click New Project -> App for SharePoint 2013

2. Select ASP.NET MVC web app

3. Now select the PFX certificate generated in the last step. Provide password and Issuer ID

4. This will create a new MVC project.

5. Visual Studio has now created two projects within the same solution. MVCApp1 is the SharePoint App and MVCApp1Web is the remote web app. The only artifact of MVCApp1 is the appmanifest.xml, which is to the app what feature.xml is to a WSP: it provides the version, permission and start page details of the app.

6. Make sure Windows authentication is enabled for the web project, and check the other settings as well.

7. Now you can debug the app directly by pressing F5. Log in to the app using your Windows credentials and trust the app. If all the settings are right, this leads to the sample app hosted from VS2013.

Step 4: Create App Domain and Set for SharePoint (DEPLOYMENT)

Configure App Domain

1. Create the App Catalog site: in Central Admin, go to Apps – Manage App Catalog and create a new site collection.

2. Configure App URLs

If you get the message “The Subscription Settings service and corresponding application and proxy needs to be running in order to make changes to these settings.”, run the PowerShell script below to create a new service application for the subscription service. The service is already running, but the service application is missing.

$account = Get-SPManagedAccount "WB\spm13devep1"

$appPool = New-SPServiceApplicationPool -Name SubscriptionServiceAppPool -Account $account

$serviceApp = New-SPSubscriptionSettingsServiceApplication -ApplicationPool $appPool -Name "Subscription Settings Service Application" -DatabaseName "SP2013INT-SubscriptionSettingsDB"

$serviceAppProxy = New-SPSubscriptionSettingsServiceApplicationProxy -ServiceApplication $serviceApp

Then try again

Step 5: IIS Site Creation (DEPLOYMENT)

1. App Catalog Server (IIS) Configuration

a. Copy the Personal Information Exchange (.pfx) and published files into the app catalog server.

b. Enable the required features (refer the below screenshot) through “Add Roles and Features” in Server Manager.

c. Import the Certificate, IIS -> Server Certificates -> then click “Import” link in the right top.

d. Create a folder in which to place the web app's published files (e.g. C:\inetpub\wwwroot\eBizApps)

e. Create a Website in IIS.  Right click in “Sites” then choose “Add Website”.

f. In the “Add Website” window, enter the proper site name, select the physical path (C:\inetpub\wwwroot\eBizApps) and then click “OK” button.

g. Select the site name (ex. eBizApps), click the “Bindings” link in right side.

h. In the Site Bindings window, click the “Add” button.

i. In the Add Site Binding window, select the Type as “https” and then select the SSL certificate. And then click “OK” button

j. Browse this site using Internet Explorer.  The site will open.

Once created, create SSL binding also

Click Bindings on right side

So we should have 2 bindings now

This website is empty for now. We need to deploy content from the code machine (11 machine) to the 08 machine, which is this one.

Deployment involves App deployment and Website deployment

App Deployment:

Before publishing the app, a new client ID for the app should be generated from the app site. SharePoint uses this client ID to validate the app file while installing. Navigate to appregnew.aspx

Navigate to https://sp2013.gsi.local/sites/apps/ and generate AppId


So we might get a result like this when hit create button

The app identifier has been successfully created.

3. The App Domain is the domain name set on the remote web application server’s IIS Site that will be hosting this app.

App Id:    1b395959-b36f-47b3-84dc-f695d3a6a585   — this is APP/ CLIENT ID

App Secret:    Cf6n+YWaBJ8bDIqJp656J76IoJNPcNh+C3H99Ob0i/U= 

Title:    EBizWFA 

App Domain:    wbgmsspsnd008 

Redirect URI:    

Right click the solution and click publish and select Package the app. And enter the client ID and the remote site URL.

This wizard will generate a package

Take this package on 08 machine where IIS is. And run this command

Now IIS website should have all the content. Web project has been deployed

Make changes to web config file specific to environment.

Step 6: Package SharePoint App

Update clientId in App Manifest file.

Check for correct permissions assigned in AppManifest file. – Web (Full control)

Target url should be of the site to be deployed

Click Finish and this will publish the file in the bin\debug folder under “app.publish” folder

On opening the .app file with good old WINRAR all the resources can be extracted out. And verify appmanifest.xml .

Step 7: Add app to App Catalog

For an app to be consumed, it must be added to an app catalog.

1. Navigate to the app catalog and select Apps for SharePoint
2. Select New App and upload the .app file produced from the last set of steps

Step 8: Add app to site

1. Access a team site, select Site Contents and click Add App.

2. Click on the app and click Trust It

Note: If it errors on this step and you’re logged in as the system account, try again using a non-system account.

3. After install, test by clicking on the app.

How to Create Provider-Hosted Apps For SharePoint 2013

This article will explain how to create and host your first provider-hosted app for SharePoint Online (Office 365 and SharePoint 2013 on premise). 


My Office 365 public site: 

Office 365 site: just4sharing
Windows Azure Web site: myphapp.azurewebsites
Visual Studio 2012/2013

Step 1: Start a new Visual Studio Project, use the “App for SharePoint 2013” template as in the following:

Step 2: Select the Provider-hosted option for this example. In a Provider-hosted app, application resources will be deployed in a server outside the SharePoint environment.

Step 3: In the next step, select “Use Client secret (requires a SharePoint farm connected to ACS)”. We will be using the Access Control Service (ACS) available with Windows Azure for this example.


Step 4: Click “Finish” and the project is created for you by Visual Studio. You can see two projects created under the solution. The first project consists of just an app icon and AppManifest.xml that manages all the settings like start URL, permission, Query strings, Client ID, Tokens and so on.

Step 5: The next step is to register a new app using client Id and Client Secret.

  1. Go to the “/_layouts/15/appregnew.aspx” page of your SharePoint site to generate the Client Id and Client Secret.
  2. Click on the generate buttons of Client Id and Client Secret to generate both.

Step 6: We need to fill in “App Domain” and “Redirect URL”. In fact, this is the website where the app is hosted. I am using Windows Azure to host my app. Let us go to the Windows Azure Management Portal and create a web site to host your app. 

Step 7: I am done with my web site in Windows Azure. 

Step 8: As I said in the previous step, let us supply “Domain Name” and “Redirect URL” in the registration page.

Step 9: We are done with the registration process. Copy the Client Id and Client Secret to a safe place. 

Step 10: The next step is to publish both projects separately. First, publish the app project as in the following:

Step 11: Create the publishing profile providing the Azure site name, Client Id and Client Secret as in the following:

Step 12: Click “Finish” to see the summary page as in the following:

Step 13: The output is a package file as shown in the following screen shot.

Step 14: Time to upload the package. Upload your custom package to the developer site. All steps are shown in the following screenshots.



Clicking on the application link will throw a server error. That is because we haven’t deployed the remote web to Windows Azure. The next step is to deploy the web app to Azure.

Step 15: Publish the application to Windows Azure. Open web.config and update the client ID and Client secret as in the following:

Step 16: Import the Azure profile and do a publish as in the following:


Step 17: We are done with publishing and deploying.

Step 18: It is time to click on the app link.

Step 19: You are done! You get the URL:
Step 20: What you see is the template type of the SharePoint Site.

Step 21: Also this image would provide you some idea about AppManifest.xml as in the following:

Step by Step approach to create a Provider Hosted Application in SharePoint 2013

This article on provider hosted application in SharePoint 2013 explains each and every step involved in creation of a Provider hosted App, one of the new App hosting Model available in SharePoint 2013.

Apps in SharePoint

In SharePoint, an application can be hosted in 3 ways.

a. SharePoint Hosted Application.

b. Auto Hosted Application.

c. Provider Hosted Application.

Let us concentrate on the Provider Hosted Application. I am planning to write a separate article on the remaining ones.

Provider Hosted Application

A Provider Hosted Application is very useful for re-using an existing .Net application, and its hosting environment, with very minor changes. The topology of the Provider Hosted Application is as follows.


The user calls the SharePoint server, and the SharePoint portal in turn calls the .Net Application as a separate application. Moreover, there is an option to create an App Part and load the .Net Application inside the App Part, which can be placed on a SharePoint page.


With this brief introduction about the App Development Model, we can move on to the creation of Basic Provider Hosted Application using Visual Studio 2012.

Steps to Create a Provider Hosted Application:

1. Open the Visual Studio 2012 as Administrator


2. Click New Project.

3. Select the Template App for SharePoint 2013.


4. On the Creation of the Solution, Visual Studio will ask for the Site Collection against which we are going to deploy our app. And on the same screen, we need to choose the type of hosting which we are planning. In our case, it is going to be Provider Hosted Application.


5. On the selection of Provider Hosted, Click Next. The below screen will be asking the Certificate.


6. The Certificate needs to be created on the SharePoint machine and pfx file needs to be exported and shared with the Visual Studio Machine. Creating a certificate on the SharePoint machine can be covered on a separate article. As of now, I am assuming that, we have a certificate created and an Issuer ID has been associated with the certificate.

7. Now, the Solution has been created. The basic solution is as follows.


8. Our solution will comprise of 2 projects.

a. App Project

b. AppWeb Project

9. App Project – This is going to be deployed on the SharePoint.

10. AppWeb Project – This is going to be the .Net Web Application. This application can be hosted on any IIS.

11. Go to the Property of the AppWeb project and make sure that the Target Framework is set to 4.5.


12. Creating a virtual directory lets us host our AppWeb on the local IIS. Instead of using IIS Express, let us host our application on IIS itself.


13. By Clicking the “Create Virtual Directory” button on the Web Tab, virtual directory will be created on the local IIS. You can confirm this by going to inetmgr.


14. After the property configurations, we are ready with our Provider Hosted Application. Rebuild the solution to make sure everything is fine.

15. Go to the AppManifest.xml in the App project. AppManifest file will be looking like this.


16. Modify the Start Page attribute to point to IIS directly. Please refer to the figure below.


17. Go to the Permissions tab. Add the corresponding scope and the permissions as per the requirement. In this demo, I am adding the web as full control. This will give the rights to do CRUD operations over the lists present within my web.

By doing this, we are sure that our app has the Full Control permission through the Web scope.


18. The AppManifest.xml will be like this.

<?xml version="1.0" encoding="utf-8" ?>

<App xmlns=""

<RemoteWebApplication ClientId="*" />

<AppPermissionRequest Scope="http://sharepoint/content/sitecollection/web" Right="FullControl" />


19. Now we come to the final step of our provider hosted application creation. That is, we need to register our ClientID with SharePoint before deploying the app.

20. ClientID is nothing but a GUID. The only special thing about the ClientID is that it should be lowercase, i.e., something like 24576c92-961f-442b-a866-e612222cad36

21. To generate the GUID, we can’t use the “Create GUID” option in Visual Studio, because that will generate the GUID with uppercase characters too, and that will not work for our scenario.

22. Hence, from our SharePoint site itself, go to the AppRegNew.aspx page. The page is present inside the layouts folder. The URL would be something like https://MyServer/sites/MySiteCollection/_layouts/15/Appregnew.aspx.

23. The page will look like


24. By clicking the “Generate Button” of the App ID, ClientID can be generated.

25. Copy the GUID and we need to paste that in 2 places.

a. Web.Config File – App Settings.


<add key="ClientId" value="1de402c2-911a-47f5-8b51-fd8b57144c41"/>

<add key="ClientSecret" value="7Q1y02pvvWMBW7fzlAEnHsSGGATFWra1YEFCIo117sg="/>

<add key="ClientSigningCertificatePath" value="C:\MyCertificate.pfx"/>

<add key="ClientSigningCertificatePassword" value="****"/>

<add key="IssuerId" value="xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxx"/>


b. AppManifest.xml – AppPrincipal


<RemoteWebApplication ClientId="1de402c2-911a-47f5-8b51-fd8b57144c41" />


26. After updating the ClientID, we can build and Deploy the solution. Right click the solution and click Deploy.


27. You will get the following error. Don’t panic about the error. We haven’t completed our app development yet. There is one last thing we need to do after getting this error.


28. To rectify this error, we need to register our ClientID on the SharePoint farm. We can do this by using PowerShell on the SharePoint farm.

# Registering app principal

Add-PSSnapin "Microsoft.SharePoint.PowerShell"

# set initialization values for new app principal

$appDisplayName = "Sathish.App"

$clientID = "1de402c2-911a-47f5-8b51-fd8b57144c41"

$targetSiteUrl = "https://MyServer/sites/MySiteCollection/"

$targetSite = Get-SPSite $targetSiteUrl

$realm = Get-SPAuthenticationRealm -ServiceContext $targetSite

$fullAppPrincipalIdentifier = $clientID + '@' + $realm

Write-Host "Registering new app principal"

$registeredAppPrincipal = Register-SPAppPrincipal -NameIdentifier $fullAppPrincipalIdentifier -Site $targetSite.RootWeb -DisplayName $AppDisplayName

$registeredAppPrincipal | select * | Format-List

$registeredAppPrincipal | select * | Format-List | Out-File -FilePath "Output.txt"

Write-Host "Registration Completed"

#Get-SpAppPrincipal -?

29. On the successful registration, we will get the output like,


30. Now, go back to the Visual Studio and do deploy once again. This time, we will not be getting any error message. The site will be opened like below.


31. Click on Trust It. The app will get installed. We can launch the App from our SharePoint Portal.

With this, we are now familiar with creating a Provider Hosted Application.

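The lowercase requirement for the issuer ID and ClientID (Step 2 of the first walkthrough and steps 20 to 25 above), the two places where the ClientID must agree, and the FullControl permission request can all be checked offline before deploying. The following PowerShell is an added example, not code from the original posts: the function name Test-ProviderHostedAppConfig is hypothetical, and both XML documents are constructed samples (the sample web.config deliberately carries an uppercase ClientId).

```powershell
# Added example: offline consistency check for a provider-hosted app's
# web.config and AppManifest.xml. All sample values are constructed.

$webConfigXml = @'
<configuration>
  <appSettings>
    <add key="ClientId" value="0A1B2C3D-0000-4000-8000-000000000001" />
    <add key="ClientSigningCertificatePath" value="C:\Certs\Example.pfx" />
    <add key="IssuerId" value="0a1b2c3d-0000-4000-8000-000000000002" />
  </appSettings>
</configuration>
'@

$appManifestXml = @'
<App xmlns="http://schemas.microsoft.com/sharepoint/2012/app/manifest"
     Name="ExampleApp" ProductID="{0a1b2c3d-0000-4000-8000-000000000003}"
     Version="1.0.0.0" SharePointMinVersion="15.0.0.0">
  <Properties>
    <Title>ExampleApp</Title>
    <StartPage>https://apps.example.test/Home/Index?{StandardTokens}</StartPage>
  </Properties>
  <AppPrincipal>
    <RemoteWebApplication ClientId="0a1b2c3d-0000-4000-8000-000000000001" />
  </AppPrincipal>
  <AppPermissionRequests>
    <AppPermissionRequest Scope="http://sharepoint/content/sitecollection/web" Right="FullControl" />
  </AppPermissionRequests>
</App>
'@

function Test-ProviderHostedAppConfig {
    param(
        [Parameter(Mandatory = $true)] [xml] $WebConfig,
        [Parameter(Mandatory = $true)] [xml] $AppManifest
    )

    $guidPattern = '^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$'
    $findings = New-Object 'System.Collections.Generic.List[string]'

    # Read <appSettings> into a hashtable keyed by setting name.
    $settings = @{}
    foreach ($node in $WebConfig.SelectNodes('/configuration/appSettings/add')) {
        $settings[$node.GetAttribute('key')] = $node.GetAttribute('value')
    }

    # ClientId and IssuerId must be lowercase GUIDs.
    foreach ($key in 'ClientId', 'IssuerId') {
        $value = $settings[$key]
        if ([string]::IsNullOrEmpty($value)) {
            # IssuerId is only present for certificate-based (high-trust) apps.
            if ($key -eq 'ClientId') { $findings.Add('web.config: ClientId is missing or empty') }
            continue
        }
        if ($value -cnotmatch $guidPattern) {          # -cnotmatch is case-sensitive
            if ($value -match $guidPattern) {          # -match ignores case
                $findings.Add("web.config: $key '$value' contains uppercase characters")
            } else {
                $findings.Add("web.config: $key '$value' is not a GUID")
            }
        }
    }

    # The ClientId in AppManifest.xml must be the same string as in web.config.
    # local-name() keeps the XPath independent of the manifest's XML namespace.
    $remote = $AppManifest.SelectSingleNode("//*[local-name()='RemoteWebApplication']")
    if ($null -eq $remote) {
        $findings.Add('AppManifest.xml: no RemoteWebApplication element found')
    } else {
        $manifestId = $remote.GetAttribute('ClientId')
        if ($manifestId -eq '*') {
            $findings.Add("AppManifest.xml: ClientId is still the '*' placeholder")
        } elseif ($manifestId -cne $settings['ClientId']) {
            $findings.Add("AppManifest.xml: ClientId '$manifestId' differs from web.config ClientId '$($settings['ClientId'])'")
        }
    }

    # List FullControl requests so the grant is a deliberate decision.
    foreach ($req in $AppManifest.SelectNodes("//*[local-name()='AppPermissionRequest']")) {
        if ($req.GetAttribute('Right') -eq 'FullControl') {
            $scope = $req.GetAttribute('Scope')
            $findings.Add("AppManifest.xml: FullControl requested on '$scope'; confirm Read, Write or Manage is not enough")
        }
    }

    $findings
}

$results = Test-ProviderHostedAppConfig -WebConfig $webConfigXml -AppManifest $appManifestXml
if ($results) {
    $results | ForEach-Object { Write-Output "FINDING: $_" }
} else {
    Write-Output 'No findings'
}
```

To check real files, load each one with [xml](Get-Content -Raw <path>) and pass the results as -WebConfig and -AppManifest.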
Part 4: SharePoint Governance Best Practices for Adoption, Training and Measuring Success

In Part 3 of this blog series: Building your Governance Plan – A Deeper Dive we examined the details of building out your Governance Plan in a way that meets your business requirements while striking the balance that ensures a successful adoption.  In this installment, we will discuss additional Adoption topics as well as Training Guidelines and Measuring Success.

Adoption Woes

Getting users to adopt a new tool or way of doing their jobs can be very difficult, and SharePoint is certainly no exception.  SharePoint has historically been brought into organizations by IT professionals who understand the platform enough to believe it will add tremendous value.  Unfortunately this group often does not understand the business requirements enough to build the solutions most relevant to users across the organization.  The absence of the conversations needed to gather these requirements leads to many failed adoptions.

Once installed, tools like Microsoft Office experience almost instantaneous adoption because they are tools that can be used independently.  They aren’t tailored to how individual users work, and they usually aren’t tailored to how they work together.

Successful adoption of a collaboration tool such as SharePoint requires an understanding of how users engage with each other currently, (“current state”) and how that could be made better (“desired future state”).  The people best suited to tell you this are the users themselves, or representatives thereof.

If your SharePoint project is planned without input from your primary business units your adoption will fail.  Put a different way:  If you don’t fully understand how your users do their jobs, you can’t build them tools to improve how they do their jobs and they won’t use what you build them because it’s an irrelevant burden.  

Adoption Best Practices

A successful SharePoint Adoption involves proper planning with Key Stakeholder involvement and a full understanding of your business requirements across the organization.  Because of this, Adoption Planning must start at the very beginning, during the solution design process.

During the Discovery Phase of your project, you will hold envisioning sessions with your Leadership team (“Executive Stakeholders”), your Department Stakeholders and your Information Security Team (“Key Stakeholders”).  These sessions allow you to capture a clear picture of the needs of your users and areas that will need to be governed.  During this process, you also begin grooming your “Champions”.

Champions are the boots-on-the-ground that represent their constituents and spread the SharePoint excitement.  The thought process of their fellow workers goes something like this:  “Jake understands what we need and is excited about this change.  We are going to get what we need because Jake is involved.  We can learn from him, and though the change will be difficult, we feel properly represented so expect this to be a good thing.”  The first impression win in this game is a significant win, and keeping an “A” is a lot easier when you start with an “A”.

These Champions are an integral part of all phases of the project and will continue to be hands on in the evolution of the solution; participating in Design sessions, and periodic demonstrations of functionality as it is completed.  They will also be key players in the creation of training plans for their teams and often will play an active role in delivering that training, and follow-up support.

Keeping Momentum, Building Excitement

Throughout the project, regular team meetings should be held where your Champions share project status and updates with their organizational units.  These sessions can include demonstrations as well.  It’s important during these sessions that the message is business solution-oriented and not techno-speak.  Technology discussions can be overwhelming when introducing new tools, but the business solutions are familiar ground and build excitement for the change that’s coming.

Corporate launch events or broadcasts and announcements, brown bag lunch sessions and other activities are a great way to build enthusiasm for what’s to come, especially when these activities include participation from the Leadership team and Champions of the project.  This shows Corporate Leadership “buy in”, validates the project and allows your users to become invested without fear that this is just an unsupported flash in the pan.

Targeted Training

Your Training programs will include instruction on how to use the platform and solutions being built.  These programs will also include details around Governance and the specific importance of each piece of your Governance Plan as it applies to that particular group of users.  A typical Training Plan would include at least the following types of training:

  • Administrator training.  Administering, configuring and maintaining the business solutions in your SharePoint portal, as well as the portal itself.  Topics from all three Governance Pillars will be covered in this training:  IT Governance, Information Management, and Application Management Governance.
  • Content Owner Training.  For users who will be responsible for updating content in the sites, sub-sites and pages.  Typically this training will include topics of Information Management and Application Management Governance.
  • Power User Training.  For users who will expand the features for their organizational units based on a deeper understanding of the platform and how it can be leveraged to better serve business requirements.  Information and Application Management Governance will be covered here, and depending on the level of customization, these users may also need to be fully educated on the IT Governance policies of your organization as well.
  • Help Desk.  For employees who will support your end users.  The members of your Help Desk team also need to be instructed on the other project roles and their division of responsibility for the platform; Administrators, Content Owners, Power Users.  A Help Desk request is often where the clock starts ticking on your SLA’s so be aware that this is an incredibly important role in your rollout, adoption and user satisfaction metrics.
  • End User Training.  Basics of how to use the applications in your sites.  This training can often be delivered by departmental Champions.  Governance topics covered for these users are typically centered on your Information Management Governance, but can include topics from the other pillars as well.

The format for your training sessions can be demonstration based, or presented as hands-on sessions where users perform a series of scenario-based instructions that give them the opportunity to learn by doing.  This hands-on approach is also a fantastic opportunity to identify areas of improvement in your user experience and your end user documentation.

To supplement your group based training you can make use of training tools, FAQ’s, Wikis, and video tutorials for these different user groups and these elements can be factored into your Information Architecture.  You can also use SharePoint surveys and social features to gather important feedback from the consumers of your training to improve your delivery of these important topics.

In addition to the initial training that occurs as part of the solution development and rollout, periodic refresher training is important as you identify areas that are not gaining adoption or where Governance is failing.

Gathering Feedback and Measuring Success

Providing channels for feedback increases engagement and expands your team of champions.  As adoption grows, so will the need for new features, solutions and Governance improvements.  Providing channels for this communication will increase user engagement and timely response to those requests will increase adoption of SharePoint as a valuable business tool.

Adoption activities happen frequently during the planning, design, build and initial SharePoint deployment, but they should not stop there.  Once the solution has been delivered, it is important to hold regular sessions with your teams of end users to gather feedback, positive and negative and use this as a mechanism to improve your business solutions and your Governance.  This end user interaction allows you to understand the items that are enabling or driving success, and the issues that are inhibiting or slowing your users down.

Your help desk statistics are also a fantastic way to measure success and identify areas in need of improvement based on call volume.

Supporting Your Users

In Part 3 of this series, we discussed Service Level Agreements and their importance in your Governance Plan.  Not surprisingly, these SLA’s play a large part in your Adoption.  A system that is dependable, remediated in a timely fashion when there are issues, and a responsive Help Desk go a long way toward growing trust and adoption of your solution as an integral tool in the daily lives of your users.

Putting it all Together

In summary, SharePoint is a highly customizable and flexible platform, and collaboration at its root, is highly individual.  Because of this, when building business solutions and forming policies for how SharePoint can be used it is important to expand the conversation to include key representatives from across the organization in all phases of the project.  These individuals are not only your Governance Committee, but they are your project Champions and play an integral role in your Adoption.

There is a very balanced relationship between Governance and Adoption.  Your Governance Committee, in understanding your business and your users, is best suited to come up with a Governance Plan that meets the business requirements without inhibiting productivity.  Rollout activities that keep your users engaged in the project build ownership of the end solution and ensure successful adoption.  Proper initial training programs targeted to different user types, periodic refresher training and feedback sessions will help you evolve your Governance Plan and your platform in a way that ensures continued success.

This wraps up our 4-part series on SharePoint Governance Best Practices. If you need help developing your Governance Plan, please contact us for assistance!


Part 3: Building your Governance Plan – A Deeper Dive

As discussed in Part 2:  Building a Governance Plan that works for YOU, the most successful Governance plans are those that achieve the right blend of control vs freedom to meet your business requirements without inhibiting productivity.  In this installment, we will examine the details of building out your Governance Plan in a way that meets your business requirements while striking the balance that ensures a successful adoption.

Understand your Business Content

By now you should have formed your Governance Committee.  Representatives on that team have in-depth knowledge of your business, its processes and collateral.  The next step is defining your Information Architecture and that requires an understanding of your Business content, how it needs to be organized, presented, secured, managed, who the content owners are and any regulatory compliance or Information Rights Management needs that surround it.

For each department or team in the organization, you will identify the types of content they work with in their day to day activities.  This includes content that they produce and share with others and content that others share with them.   Throughout these discussions you will begin to lay out the structure of your sites and a picture of what types of permissions and access will be permitted or required based on answers to questions like the following:


| Question | What does it tell you? |
| --- | --- |
| Is this content shared with other users outside of this department or team?  This can include internal users and users external to the company. | Content that is not accessed outside the department or team can live in an internal department or team site.  Content that needs to be available to users outside of the department or team will call for different placement. |
| Does this content have unique security needs? | If this content requires limited access, it will need to live in a site that has restricted access. |
| Is this content under regulatory control?  If so, what are the restrictions placed on it? | This will indicate the level of security and potentially the availability needs for this content as well as any other controls that need to be placed on it. |
| If this content is accessed by an unauthorized user, will it hurt my business?  Could this content be part of an eDiscovery and what is the legal lifetime it needs to be retained for? | This provides further indication of where this content might live and what type of controls it may need, including Information Rights Management needs, for example Expiration and Restrictions on Print or Email. |
| If this content isn’t available, can my business run? | This will help you define the Service Level Agreement necessary around this content to ensure that business critical content is highly available. |

It is helpful to establish a baseline plan for taxonomy and tagging during your Information Architecture Discovery discussions.  Taxonomies are used to classify or “Tag” your organization’s content.  Identify your most critical content and, at a minimum, address these 2 important questions:  “What is the Risk of Corporate Exposure?” and “What are the Availability Requirements?”  For instance, it may be enough to begin by identifying “internal”, “need to know – external” and “public” content.  Even this little piece of information allows you to begin to identify what sites this content can live in, who owns the content, permissions around it and whether it should fall under Information Rights Management Policies.

Information gathered in these discussions allows you to determine the Availability and Security needs for all business content as well as its Classification.   Now that you have gone through this cataloging exercise, you can identify which site types this content will live in; specifically where it can live and where it must not live.

Microsoft has published a guideline for determining Governance Levels needed based on site type.   While this is helpful to use as a guide, it is not always enough.  For instance, though My Sites are typically lightly governed, your Governance Plan will specify the types of content that should not be shared in those sites.


Service Level Agreements

Quite often you will find a direct correlation between the level of Governance needed and the SLA (Service Level Agreement) needs around availability.  For instance, Personal Sites and Community Sites typically require less Governance, and have lower availability needs, whereas Department Sites with information critical to running the business, as well as the Intranet Home pages that communicate critical information across the organization will have tighter Governance and a more secure SLA that guarantees higher availability.  Content shared outside of your organization with business partners or vendors may have a more stringent SLA as well due to the need for that communication mechanism to be of higher availability.

IT Governance provides the details needed to guarantee the Service Level Agreements identified for your different business content are met.   Topics that are typically covered are:

  • Policies around problem resolution through a support team i.e. Helpdesk
  • Backup and Restore policies and Disaster Recovery Plans – these differ according to the SLAs you offer for each site type.
  • Update Schedules and Code Deployment processes – Code Review, Test, Signoff
  • Quotas
  • Life Cycle Policies – How will you handle stale or inactive sites?

Site Management Policies

Each Site will have a Site Owner who is responsible and accountable for all content published in their site.  Site Management Policies should be established that specify how tightly controlled the site or site collection is and indicate the rights given to the Site Owner.  For instance:

  • Can they grant permissions to other users?
  • Can they create and delete Subsites?
  • Can they add apps? – Is there an approval process and if so who governs that?
  • Can they create pages, lists, libraries, site columns, content types?
  • Can they create SharePoint groups and are they required to be based on Active Directory groups?
  • Can they modify permissions of their sites or is approval required?

Site Customizations

SharePoint is a highly customizable platform and the number of 3rd party applications that can be used to augment the out of the box functionality grows every day.  In addition, tools like SharePoint Designer and Visual Studio can be used to build customizations and deploy them to your sites and site collections; this can include Branding and custom Master Pages, or full-fledged custom code.  Further, code can be placed directly in SharePoint pages, and the list of ways to customize your sites goes on.

Your Governance Plan should include details on which types of customizations you will support in your organization, any approval processes required and relevant Change Management Policies.  For instance, where are these customizations developed and tested prior to deployment in your production environment?  A schedule can also be included for Production Update windows that support these activities.

In Summary

There are a fair number of topics that should be covered in your Governance Plan, but not all of these topics require paragraphs of information.  The best and most adopted Governance Plans are concise, to the point and under 3 pages long.  It’s important to remember that unless you can think of a reason why something should be governed, it likely shouldn’t be governed.  Contact us for help with your governance plan!

Tune in next for Part 4:  Training, Adoption & Measuring the Success of your Governance Plan.

Part 2: Building a Governance Plan that works for YOU

As discussed in “Part 1:  What the heck is a SharePoint Governance Plan?”, a successful Governance Plan is one that allows the platform to be leveraged in an organized and thoughtful way, based on an understanding of the business information and requirements, environments and processes that work best with the team members in your organization.  In this post, we will walk through the steps involved in developing a Governance Plan that is tailored to your organization.

Form a Governance Committee

A Governance Committee is a group of people from across your company who understand the needs and inner workings of your organization and work together to build your Governance Plan.

Typically, this committee consists of the following types of people:

  • Executive Stakeholders who hold the corporate vision
  • Department Stakeholders from representative Business Units. For example:  Human Resources, Finance, Legal, Research, and of course IT
  • Compliance and Information Security Representatives who can represent any mandated compliance over your content based upon your business and associated regulatory control. For example PCI, HIPAA and FedRAMP

Together, this combination of members represents an understanding of your business content, how it is used, its logical groupings, and any related security or regulation and control it requires.

It’s important to remember that even if you are not in a business that falls under regulatory control, there are important business documents that require different levels of security such as:

  • Human Resources: Employee reviews, confidential employee benefits information
  • Finance: Accounts Receivable and Payable, Payroll Records, Client References
  • Research: Competitive Intelligence and other information that if “leaked” could compromise corporate goals.

Establish a Governance Plan

Determine initial principles and goals

Your governance committee should develop a governance vision, policies, and standards that can be measured to track compliance and to validate the benefit of your plan to your organization.   Periodic audits can be performed using out of the box SharePoint audit capabilities for basic auditing, or 3rd party tools such as Metalogix ControlPoint for more detailed audit and tracking.  Audit data can be used to identify what’s working and what’s not working in your Governance Plan and where additional user training may be required.

Classify your business information 

Taxonomies are used to identify and classify or “Tag” your organization’s content.   This step can be overwhelming but it’s important to remember that you will start basic and build upon this over time.  Identifying your most critical content – remember those 2 questions – risk of corporate exposure and availability requirements – is a good place to start.

For instance, it may be enough to begin by identifying “internal”, “need to know – external” and “public” content.  Even this little piece of information allows you to begin to identify your Information Architecture – what sites this content can live in, who owns the content, permissions around it and whether it should fall under Information Rights Management Policies for expiration, archiving, eDiscovery or restrictions on print or email.

Develop an education strategy

The best written Governance Plans have fallen on their sword because of the lack of training around them.  At the end of the day, the consumers of your Governance Plan need to understand it in order to apply it to their day to day corporate lives.

When a Governance Plan is too complicated, it has a negative impact on user adoption.  Folks will resort to using file shares or emails to share content because they are worried about making a mistake, or worse, confused as to where to put things.  Alternatively, they can store content in the wrong places and make it difficult to find, which results in the consumers of their content throwing up their hands and requesting email copies to be sent.  Frustration is the key to failed adoption and frustration is often the product of a failed training program.

A comprehensive training plan should show how to use SharePoint according to the standards and practices that you are implementing and explain why those standards and practices are important.

Your education strategy should be included in your plan and should include auditing and periodic refresher training as you identify areas that are not gaining adoption.  Keep in mind that different user groups in your organization will require different levels of training, and different methods.  Site and Content Owners will need training in the policies and practices of creating sites, editing pages, and modifying permissions.  End users will need training in how to use the applications in your sites: document libraries, metadata tagging and search.

You can make use of training tools, FAQ’s, Wikis, and Videos for these different user groups and these elements can be factored into your Information Architecture.  You can also use SharePoint surveys and social features of SharePoint to gather important feedback from the consumers of your training to improve your delivery of these important topics.

Develop an ongoing plan 

A Governance Plan is a living, breathing document that will evolve over time.  Refinement of the plan and its associated training will be ongoing.  You will likely add members to your Governance Committee as adoption increases and you identify gaps in your committee’s representation of your business needs.

In support of this, your governance committee should meet with regularity to review potential new requirements, reevaluate and adjust governance policies based upon usage, feedback and audit reports.   Refresher training should be available to your end users as well.

My recommendation is that during the initial months of deployment, the Governance Committee should meet several times a month, and as time goes on the frequency of this can drop down to monthly and then quarterly, or several times a year.  Once again, this schedule will be highly individual to your company and based completely on what your audit, tracking and user feedback are telling you about what is needed.

In Summary

SharePoint is a highly customizable and flexible platform, and collaboration, at its root, is highly individual.  Because of this, when forming policies for how SharePoint can be used, and moderating that based upon the business criticality of the different types of business content, it’s important to tailor these policies to your users and business needs.

There is a very balanced relationship between Governance and Adoption.  Your Governance Committee, in understanding your business and your users, is best suited to come up with a Governance Plan that meets the business requirements without inhibiting productivity.  My recommendation is to start small, and through the evolution of the plan over time, you will identify the areas that need refinement.

In Part 3:  Building your Governance Plan – A Deeper Dive I will lead you through more detailed discussion of building out your Governance Plan to address the different areas of Governance called out in Part 1 (IT Governance, Information Management, Application Management).  See you soon!

Part 1: What the heck is a “SharePoint Governance Plan”?

This is Part 1 in a multi-part series on Governance.  See the first post “A Word on SharePoint Governance”.

Microsoft provides a sample Governance Plan and overview on their website, and in this sample plan, they indicate:

Governance is the set of policies, roles, responsibilities, and processes that control how an organization’s business divisions and IT teams work together to achieve its goals. Every organization has unique needs and goals that influence its approach to governance. Larger organizations will probably require more, and more detailed governance than smaller organizations.

Clear as mud, right? Let’s break it down. In less general terms, there are 3 basic pillars of governance in a SharePoint Governance Plan.

1. IT Governance

IT Governance is the set of policies that allow for support and management of the basic infrastructure and planning, as well as supporting predicted growth of your environment. What does that mean? This section of the plan will address your security, infrastructure and web application policies around things like quotas, permissions, site ownership and backup and recovery.

In an on-premises installation, you will also establish governance around SharePoint installations in your environment.  Is your IT Governance centralized with your IT Department, or do you allow a more decentralized approach that lets others install SharePoint, create web applications or site collections, and grant permissions? You will include details of how you will track installations of SharePoint 2013 in your environment, block installations if your governance plan does not allow for them, keep servers current with software updates, and manage site collection upgrades.

Office 365 and the ability to host your SharePoint infrastructure with other Cloud providers like Rackspace call for different details in this section of the plan. For example, the management of your servers, backup and recovery, and SharePoint installations and patches or updates are handled by your hosting provider based upon the service level agreement (SLA) you have established with them.

2. Information Management

Information Management is achieved through a well thought out and planned Information Architecture that specifies how business content in SharePoint is organized, presented, secured, managed and the content owners who are responsible for it.

In simpler terms, this means – understand your Business collateral, who uses it, how it can be classified and who owns it.   You don’t need to boil the ocean here, and your information architecture will evolve over time, but a basic understanding of how the users in your organization collaborate around content and work together is the key to identifying the organization, tagging and ownership of that content in your SharePoint portal in such a way that it can be properly secured and easily found.

Companies that have content that is regulated by compliance will have those details in this section of the plan.  Information Rights Management decisions will be made including plans for content expiration and retention.

3. Application Management

Application Management Governance defines the corporate policies for Customization, Life Cycle Management, and Branding.  SharePoint is a deep and wide technology that allows for unlimited customization, whether that’s in look and feel (Branding) or additional applications that can be custom built by your team, or downloaded from the App Store; things like news sliders, accordion controls, and custom workflows.

Depending on the level of customization your organization will allow, processes must be put into place that establish:

  • Change Management Policies: The types of changes that are supported, who is authorized to make these changes, and how they are rolled out.
  • Life Cycle Planning: Versioning, updates, aging of older code, and rollback strategies; what to do when things go wrong.
  • Production update schedule and sign off committee, code reviews, maintenance windows and such.

In summary, a successful Governance Plan is one that allows the platform to be leveraged in an organized and thoughtful way, based on an understanding of the business information and requirements, environments and processes that work best with the team members in your organization.

Next, we will walk through the steps of creating a SharePoint Governance Plan tailored to your organization, in Part 2 : One size does not fit all – Building a Governance Plan that works for YOU.