SharePoint 2019 August 2020 Updates

The SharePoint 2019 August 2020 Updates have been released.

Product / KB Article:
  • SharePoint Server 2019 (sts-x-none)
  • SharePoint Server 2019 (wssmui)
  • Office Online Server
  • Office Updates

For all SharePoint updates, visit SharePoint Updates.

SharePoint 2016 August 2020 Updates

The SharePoint 2016 August 2020 Updates have been released.

Product / KB Article:
  • SharePoint Server 2016 (sts-x-none)
  • SharePoint Server 2016 (wssmui)
  • Office Online Server
  • Office Updates

For all SharePoint updates, visit SharePoint Updates.

Orchestry Review

Orchestry is a mix of governance and management tool. It doesn’t have reporting capabilities like ShareGate, AvePoint Cloud Governance, or a few others do, but instead focuses on self-service governance – enforcing standards and processes for provisioning sites and Teams.

Orchestry setup is quite easy: navigate to and follow the prompts. You will need Global Administrator rights, as you will be consenting to quite a few Graph API permissions. Fill in a few fields about yourself and the company, then you’re good to go while the service provisions into your tenant. Orchestry will automatically provision a new Communication site at /sites/orchestry within your tenant to store assets and the site directory.


The installation didn’t notate this, but I didn’t have an App Catalog set up in this tenant. In the Orchestry tool, post-setup there is an Installation tab under Settings which will show the status of the install. This indicated that I needed to create the App Catalog. Once I did so and waited a few minutes, I was able to provision the Orchestry-provided apps into the App Catalog with a single click. From there, Orchestry prompted me to approve Graph API permissions in the SharePoint Admin center.


The next step, because I missed it during the installation process, was to import existing sites into the Orchestry Directory. The Orchestry Directory is a site directory that allows a user to view all sites in the tenant: Private, Public, and sites the end user otherwise does not have access to. Prior to import, you may want to hide the directory by going to Settings -> Teams Applications. This allows you to hide particular sites from end users, in case you have sensitive sites.

Because querying the Graph is expensive, Orchestry stores all site information in a SharePoint List on a new site dedicated to Orchestry. Each site becomes a List item and has a Yes/No column “Is Visible In Directory” which, when set to No, will hide that site from the Workplace Directory in Microsoft Teams. That setting only filters the directory view; if you want to fully hide a site, you need to break List Item permissions for its entry in the Orchestry site collection. Remember that all users have read access to the Orchestry site collection!

Also present on the Orchestry site are all of the document templates that are provisioned with the templates you create. Orchestry provides a few examples out of the box.

Site Naming

Orchestry allows an administrator to configure Blocked Words and Naming Policies for Teams. The Naming Policies include Prefix and Suffix as well as URL naming policies. Each Naming Policy can be assigned to one or more templates. The naming and blocked word policies function like the Azure AD implementation but do not require additional Azure AD licensing.


Templates (SharePoint Team site, SharePoint Communications site, Microsoft Teams) can be made from scratch, an existing site/Team, or even an exported PnP template. Each template has feature sets that can be turned on, off, or be made optional. Security (Private or Public) can be enforced or the end user can pick the privacy setting. Same with document templates, and other options. This allows both administrator and end user control over provisioned sites and Teams.

Orchestry allows you to add your own features via PnP packages, such as those found on the PnP Samples & Solutions site.

Live Templates

Live templates are based on an existing site, but as the templated site changes, newly provisioned sites will incorporate those changes. For example, if I add a new document library to the source site, new sites provisioned from the live template will reflect that change. Sites previously provisioned based on the template will not incorporate any changes in the templated site post-provisioning.

Here’s an example of creating a live template based off of an existing site. The source site has a modified home page, custom document library, and a Planner plan.


In Orchestry under Workspaces -> Templates, creating a new template is easy. The first step is to fill in some basic information about the template, such as the name, template type, and any naming policies you want to enforce.


If you want it to be a live template, the second step is to enable the live template feature. In addition, you can clone the Planner plan.


Next, you can add features to the destination site. These come in the forms of various SharePoint Framework apps. You can enable the end user to customize the available features or enforce features.


Orchestry includes example document templates for various industries, and we can add these here – or our own document templates. Document templates are stored within the Orchestry site collection.


The last configuration for a template is to allow anyone to provision a template or make the template available to only specific Active Directory groups.

Provisioning Process

In Microsoft Teams we can use the Orchestry app to create a new site based off of an available template.


In my template I did not provide the end user with the option to override various configurations of the template, so the options are locked down.


As with your standard site creation, you’ll be asked for the name of the site and be provided the ability to edit the URL. Orchestry automatically fills in the Site Description, but you can adjust that as required.


Once I’ve confirmed my selections, the provisioning process starts, cloning the existing site.


Orchestry keeps a history of provisioned sites along with a significant number of details and the raw provisioning log. This can be found in Teams under the Orchestry Management tab.


As with SharePoint Online sites, you can also clone Microsoft Teams. And even better, during the configuration of the template, you can remove the Wiki tab!



As part of the provisioning process, you can require metadata. Orchestry comes with a few pre-defined metadata fields, such as Department. This metadata is attached to the SharePoint List Item. This allows you to gather more information from the end user when provisioning a site or Team.




The directory is straightforward and what you’d expect – a directory of all sites and Teams. The directory allows all users to see both Public and Private Groups as well as Communication sites, even if they don’t have access to the site. You can hide on a site-by-site or Team basis by going to the Orchestry site collection and setting the List Item metadata “Is Visible In Directory” to No. To truly hide it, you can modify the security on the particular List Item. Using security trimming isn’t ideal, but it is your only option to fully hide sites from the end user (unlikely to happen, but what if you have more than 50K sites to hide?). Bulk actions may come in the future. The directory can either be displayed in a list or card view, like you see below.
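A bulk version of the two-step hide described here and in the directory paragraph earlier (flip “Is Visible In Directory” to No, then break List Item permissions), as an added PnP PowerShell example that is not Orchestry’s own tooling: the tenant URL, directory list title, owners group name and site titles are placeholders or constructed samples, while the column display name comes from the post.

```powershell
# Added example (not Orchestry's code): bulk-hide sites from the Orchestry directory.
# Assumptions: PnP PowerShell is installed; list title, group name and tenant name below are
# PLACEHOLDERS to replace with the real values from the /sites/orchestry site;
# $SitesToHide is a constructed sample list of site titles.
$OrchestryUrl       = "https://contoso.sharepoint.com/sites/orchestry"   # tenant name is a placeholder
$DirectoryListTitle = "Site Directory"          # PLACEHOLDER: actual directory list title
$OwnersGroupName    = "Orchestry Owners"        # PLACEHOLDER: SharePoint group that may still see the entry
$SitesToHide        = @("HR Investigations", "M&A Data Room")   # constructed sample

Connect-PnPOnline -Url $OrchestryUrl -Interactive

# Resolve the internal name of the "Is Visible In Directory" column from its display name
# so the script does not have to guess it.
$visibleField = Get-PnPField -List $DirectoryListTitle -Identity "Is Visible In Directory"

# -PageSize keeps the query under the 5,000-item List View Threshold on a large directory.
$items = Get-PnPListItem -List $DirectoryListTitle -PageSize 500 -Fields "Title", $visibleField.InternalName

$hidden = 0
foreach ($item in $items) {
    if ($SitesToHide -notcontains $item["Title"]) { continue }

    # Step 1: hide from the Teams directory view. This only filters the UI;
    # every user can still read the list item.
    Set-PnPListItem -List $DirectoryListTitle -Identity $item.Id `
        -Values @{ $visibleField.InternalName = $false } | Out-Null

    # Step 2: actually restrict access. Break inheritance on the item, drop the inherited
    # everyone-can-read assignment and grant Read only to the owners group. This is the
    # security-trimmed path the post describes; it does not touch permissions on the site itself.
    Set-PnPListItemPermission -List $DirectoryListTitle -Identity $item.Id `
        -Group $OwnersGroupName -AddRole "Read" -ClearExisting
    $hidden++
}

Write-Host "Hid $hidden of $($SitesToHide.Count) requested sites from the directory."

# Verification: list the directory entries that now carry unique (security-trimmed) permissions.
Get-PnPListItem -List $DirectoryListTitle -PageSize 500 |
    Where-Object { Get-PnPProperty -ClientObject $_ -Property HasUniqueRoleAssignments } |
    Select-Object Id, @{ n = "Title"; e = { $_["Title"] } }
```

Site collection administrators bypass item-level trimming and will still see hidden entries; run the verification block again after Orchestry re-imports sites, since a re-import may re-create items with inherited permissions.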



Orchestry has a multi-step approval workflow for approving site creation. You can create workflows associated with specific templates and these workflows can have one or more approvers per step. These workflows are easy to create and associate with existing templates.


PnP Packages

Orchestry can extract an existing site into a PnP file with the options presented by Get-PnPProvisioningTemplate. Once the tool has extracted the PnP file, you can view the contents of the PnP package. You can also apply the PnP package to an existing site.


What I love about this tool is it brings options that would otherwise require PnP PowerShell or development skills. It has a super-simple interface and using Microsoft Teams as the end-user facing app is smart. Just build your site (webparts, Lists, Libraries, etc.) or Team (Channels, tabs, apps, etc.) and point Orchestry at it to generate a brand new template for deployment.

There are a few rough edges I’ve found so far, but what I identified has either already been resolved or is a minor UI issue that doesn’t impact functionality; you will see in my screenshots a few mis-aligned elements due to the browser window size – these don’t appear in a desktop-sized window, as the Orchestry team has prioritized the desktop experience.

I think the use of a SharePoint site was both good and bad for storage of the directory and templates. The SharePoint site allows the Orchestry service to avoid storing your data or incurring the costs of a self-hosted system (e.g. Azure services like a Cosmos DB for the Directory and Blob Storage for templates). However, it does come with the downside of SharePoint’s List limitations, like the List View Threshold and the security trimming limit. It also makes it cumbersome to hide sites and Teams from the end user, as the administrator must explicitly work with SharePoint permissions.

I would highly recommend this tool to anyone looking for a self-service provisioning tool for Microsoft 365. It is quick to get set up, get your current sites into the tool, and make templates and provision new sites and Teams. The provisioning process is smart and very flexible; much better than attempting to build a PowerApp for self-service or developing your own solution. The Directory can help users find sites and Teams they’re interested in or need access to without having to ask IT who the site owner is to request access.

The Orchestry team provided me with a trial tenant but otherwise didn’t solicit a review. I hope this was informative and I’d like to hear your thoughts about Orchestry on Twitter.

Stop Using Azure AD Security Groups in SharePoint Online

With SharePoint Server, it was strongly recommended to use Active Directory security groups to secure SharePoint resources, i.e. add users to the security group and nest the security group in the SharePoint group. This was primarily for search performance and query freshness for newly added users. When assigning users directly to a SharePoint group, they may not see content until search has performed a security crawl on that content to update security scopes, and vice versa, a user may still see content after they’re removed from the group until a security crawl has completed.

If using Continuous Crawl, that guidance isn’t recommended for on-premises either, however I have seen that practice continue to be carried forward on-prem and in SharePoint Online.

I strongly recommend against using Azure AD Security Groups outside of very specific scenarios for SharePoint Online and here’s why:

  • Search performance is Microsoft’s domain
  • Search architecture in SPO is vastly different from on-premises
  • Using Azure AD Security Groups prevents end users from managing their own resources
    • And the iron fist of IT has made more than one SharePoint implementation underutilized or DOA
  • You can’t nest, as of this post, Azure AD Security Groups into Microsoft 365 Groups
    • This means access to certain resources, i.e. Microsoft Teams, has to be managed independently of Azure AD groups

The very specific scenarios in which I do recommend using Azure AD Security Groups are when you need dynamic groups added to SharePoint Online sites, i.e. you want a subset of users to have Visitor access to a SharePoint site and do not want to maintain group membership. For Team sites or Microsoft Teams, you can also do this with Microsoft 365 Groups, which will prevent Owners from managing the Group membership, though they can still manage who is an Owner.

Otherwise, let users get their work done – it will reduce the workload for IT significantly with your help desk no longer needing to field permission requests. Even in an SMB sized org, this can mean you have a lot of time to do more important tasks.

If you need to add users to a number of sites all at once, look into Azure Access Packages. This does require a P2 or EMS+E5 license for your users, but it has some other fancy functions as well, such as auto-removal of users after a time period or self-service via the Azure My Profile portal.

Think hard before using Azure AD Security groups for access management to Microsoft 365. There are often better solutions available that allow end users the flexibility to get their work done and free your time up for more important tasks.

Microsoft Q&A Replacing SharePoint TechNet/MSDN Forums

The TechNet/MSDN SharePoint forums are on their way out and being replaced by the Microsoft Q&A discussion boards.

The current schedule for retirement of the SharePoint TechNet/MSDN forums is:

  • As of this post, you can post in either TechNet/MSDN forums or Microsoft Q&A.
  • July 27th, 2020 through August 10th, 2020 you can continue to comment, propose or mark answers, and vote on posts in the SharePoint TechNet/MSDN forums. For new posts, you must use Microsoft Q&A.
  • August 10th, 2020 onward the SharePoint TechNet/MSDN forums will be read only.

Microsoft Q&A is a bit more like the StackExchange network in terms of functionality: less of a classic forum experience with back-and-forth discussion, instead favoring the Q&A style where each top-level comment can be marked as an answer and (potential) answers can be replied to in a threaded format. For technical content where one needs to tease out details prior to answering, this isn’t the best format for non-developer questions, in my personal opinion.

Microsoft Q&A does not use a forum-per product format. It instead uses tags for each discussion item. The tags I personally follow (so far) are:

All of the Office-related content, including Office Client, Microsoft Teams, SharePoint Online/Server, and Exchange Online/Server content in Microsoft Q&A can be found at the Office products page.

See you on the forums!