Azure Information Protection Automatic Classification


I came across another interesting behavior when adding conditions, in the way labels are applied.

My Confidential AIP labels are configured as shown below.


I configured the parent label (Confidential) to automatically classify documents.


I entered the text below to trigger one of the conditions. I noticed that the document was labeled as ‘Confidential \ Restricted’ which is the last child label listed in my AIP portal. Well, this was, obviously, not what I expected.


To further test if it will always default to the last child label, I reordered the child labels. I moved the ‘Restricted’ child label up and now ‘Anyone (not protected)’ is listed as the last child label.


Just as I expected, the new document was labeled as ‘Confidential \ Anyone (not protected)’ automatically.


In this experience, I learned that I need to configure the conditions at the specific child label level to get the anticipated results.

Thanks for reading!
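To check existing files for the behavior described in this post, the following added example (not part of the original post) reads back each file's label with the AIP client's Get-AIPFileStatus cmdlet and flags 'Confidential' files that ended up on a child label other than the intended one. The scan folder and the list of intended child labels are assumptions for illustration; the property names are those the AIP client returns.

```powershell
# Added example: audit which child label files under a folder actually carry.
# Requires the AIP client, which installs the AzureInformationProtection module.
Import-Module AzureInformationProtection

$ScanPath          = 'C:\Temp\AipLabelTest'   # hypothetical folder of test documents
$ParentLabel       = 'Confidential'           # parent label used in the post
$ExpectedSubLabels = @('Restricted')          # assumption: child labels you intend to be applied

# Get-AIPFileStatus accepts a folder and returns one status object per file.
$findings = Get-AIPFileStatus -Path $ScanPath |
    Where-Object { $_.IsLabeled -and $_.MainLabelName -eq $ParentLabel } |
    ForEach-Object {
        # Decide whether the label on this file is the one that was intended.
        $problem = if (-not $_.SubLabelName) {
            'Parent label only, no child label'
        }
        elseif ($_.SubLabelName -notin $ExpectedSubLabels) {
            'Unexpected child label'
        }
        else {
            $null
        }

        if ($problem) {
            [pscustomobject]@{
                File      = $_.FileName
                Label     = "$($_.MainLabelName) \ $($_.SubLabelName)"
                Protected = $_.IsRMSProtected   # False means no RMS protection on the file
                Problem   = $problem
            }
        }
    }

if ($findings) {
    # Unprotected rows are the ones to review first.
    $findings | Sort-Object Protected | Format-Table -AutoSize
}
else {
    Write-Host "No '$ParentLabel' files with an unexpected child label under $ScanPath"
}
```

A row showing 'Confidential \ Anyone (not protected)' with Protected set to False is the outcome the reordering test in this post produced.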



Classifying and Protecting Data in Office 365


In my previous post, I introduced how to classify data with Azure Information Protection (AIP). In this post, I’ll introduce how to create a policy / label and additional data classification features you can use to enhance and protect your data.

Creating Azure Information Protection Policy (Label)

You can access Azure Information Protection from the Microsoft Azure portal. With each AIP label, you can further protect your data by applying any or all of the additional features:

  • Create visual markings (header, footer, watermark). Watermarks are applied to Word, Excel, and PowerPoint only.
  • Associate Azure Rights Management (RMS) policies
  • Define conditions that detect data patterns for automatic classification. Custom conditions can be words, phrases, patterns, or even regular expressions.

Create New Label: The process of creating a new label is pretty straightforward. You will need to provide a label name and description. Optionally, you can change the color of the label, and add visual markings such as header, footer, and watermark to the documents.

AIP Visual Markings

In this example, I created a label called ‘Confidential Project’, a footer text of ‘Sensitivity: Confidential’, and added ‘Contoso Confidential’ for its watermark. After the label is saved and published, when the user selects the above label, the document displays as shown in the following image.

AIP Document Visual Marking

Note that visual markings are not applied to documents when the label is applied by using File Explorer and the right-click action, or when a document is classified by using PowerShell.

Associate Azure Rights Management (RMS) Policy: Azure RMS is the protection technology used by Azure Information Protection. Azure RMS allows you to set permissions and automatically applies protection for documents and emails.

You can protect your data within AIP by selecting one of the available options:

  • Do not forward – allows recipients to read the message, but they cannot forward, print, or copy content.
  • Select a predefined template – must use PowerShell (New-AadrmRightsDefinition) to create templates for the entire organization
  • Set (custom) permissions

By selecting ‘Set permissions’, you can select users or groups from your tenant. You also have an option to select users or domains from outside your organization, and apply different permissions as necessary.


Define Conditions: Within AIP, you can define one or more conditions within a label. You can select from one of the default conditions or create custom conditions. When a document or email matches the condition associated with the label, you can automatically apply the label to the document or email, or visually show the user a recommendation.

AIP Conditions

These are just a few examples of how you can extend AIP and RMS features to protect your documents and email.

Establishing and maintaining an effective security and information management program involves people, process and technologies working in concert. From a technology standpoint, IT administrators can start by enforcing rules to ensure documents are classified and protected by using tools available in Office 365.

These are some of the features in Azure Information Protection and Exchange Online. In my next post, I will cover how you can protect your data when sharing with external organizations by integrating the footer information used in this post.

Upgrade SharePoint 2016 from Beta 2 to Release Candidate (RC)


The process of upgrading from SharePoint 2016 Beta 2 to Release Candidate (RC) was pretty straightforward.

I started with my existing SP2016 VM on which I already had Beta 2 installed and configured.  My VM is a single server farm with no language packs running on Windows Server 2012 R2 and SQL Server 2014.

The version of SP2016 on my VM before the upgrade was 16.0.1406.1001. You can download SP2016 Beta 2 here.

I downloaded the following two zip packages:

SharePoint Server 2016 Release Candidate English Prerequisite and SharePoint Server 2016 Release Candidate Global from here.

After I extracted the two zip files, I started with the PrerequisiteInstaller.exe.  I only had to reboot my server once for the .NET Framework 4.6 to complete its installation.

After the prerequisites installation process completed, I installed the sts.msp from the Global Patch zip file.

What I found interesting was the pop up window indicating that this file is from an Unknown Publisher.


After the patch was installed, it prompted for a reboot.


After the server rebooted, I checked to see what the new version would be.


Of course, it’s the same as it was before as I had yet to run the PSConfig.

After the PSConfig completed, the new version is now 16.0.4327.1000.


Now, I’m ready to perform my next task – upgrade SP2013 databases.




SharePoint 2016 – Change MinRole Error a72id


After hearing and reading a whole lot about the new MinRole in SharePoint 2016, I had to see what it’s all about by building my own VM.

For this post, I installed SQL Server 2014 and SharePoint 2016 Beta on the same VM server.  I ran the SharePoint Configuration Wizard to get all services and Central Admin provisioned.

I selected the ‘Single-Server Farm’ in the Server Role wizard.


I checked ‘Servers in this farm’, so far so good.


I then tried to convert from ‘Single-Server Farm’ to ‘Application’ using Central Administration.  I got this lovely ‘Sorry, something went wrong’ message.


So, I searched the ULS and found these two entries.

12/29/2015 09:21:35.41         OWSTIMER.EXE (0x109C)                           0x316C        SharePoint Foundation                 Topology                             a72id        Exception        Failed converting server ‘VMSP2016T’ from ‘Application’ to ‘Application’ role. System.InvalidOperationException: Invalid search service unprovisioning: application ‘Search Service Application’ still has a ready component ‘in search service instance’ on server ‘VMSP2016T’.     at Microsoft.Office.Server.Search.Administration.SearchServiceInstance.ThrowIfComponentsRunning()     at Microsoft.Office.Server.Search.Administration.SearchServiceInstance.Unprovision()     at Microsoft.SharePoint.Administration.SPServerRoleManager.<>c__DisplayClass4.<UnprovisionServiceInstance>b__3()     at Microsoft.SharePoint.Administration.SPServerRoleManager.ConfigureServiceInstanceInternal(SPServiceInstance serviceInstance, Action configureAction)     at Microsoft.SharePoint.Administration.SPServerRoleManager.C…        9b04509d-281a-f0ea-9175-4a569f8e73cf

12/29/2015 09:21:35.41*        OWSTIMER.EXE (0x109C)                           0x316C        SharePoint Foundation                 Topology                             a72id        Exception        …onfigureServiceInstance(SPServiceInstance serviceInstance)     at Microsoft.SharePoint.Administration.SPServerRoleManager.ConfigureServer(Boolean throwOnFailure)     at Microsoft.SharePoint.Administration.SPServerRoleConversionJobDefinition.Execute(Guid targetInstanceId) StackTrace: at onetnative.dll: (sig=55ee5f49-67a4-4a49-9862-19eec61e14d2|2|onetnative.pdb, offset=3712D) at onetnative.dll: (offset=1E35E)        9b04509d-281a-f0ea-9175-4a569f8e73cf

I tried unprovisioning, re-provisioning Search and all of its components, and tried and tried without success to convert to the ‘Application’ role.

I ended up disconnecting and reconnecting the server from its configuration database via PowerShell.  Credit for this solution goes to Nik Charlebois.

Disconnect-SPConfigurationDatabase -Confirm:$False

Connect-SPConfigurationDatabase -DatabaseServer SharePointDB -DatabaseName SharePoint_Config -Passphrase (ConvertTo-SecureString "P@ssw0rd1" -AsPlainText -Force) -LocalServerRole "Application"



As you can see from the Get-SPServer command, the server is now running in the ‘Application’ role.

Just to re-validate, I launched Central Admin and voila!  My server is now configured as ‘Application’.
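The same disconnect and reconnect as a short script, given here as an added example that is not part of the original post: it prompts for the farm passphrase instead of embedding it in clear text, then confirms the role with Get-SPServer. The server, database and role values are the ones used above; looking up the server by $env:COMPUTERNAME is an assumption that the farm knows it by its host name.

```powershell
# Added example: run from an elevated SharePoint 2016 Management Shell on the server
# whose role is being changed.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$DatabaseServer = 'SharePointDB'        # values taken from the post
$DatabaseName   = 'SharePoint_Config'
$TargetRole     = 'Application'
$ServerName     = $env:COMPUTERNAME     # assumption: farm server name matches the host name

# Prompt for the passphrase so it is not stored in the script or in shell history.
$passphrase = Read-Host -Prompt 'Farm passphrase' -AsSecureString

# Record the current role before touching the farm membership.
$before = (Get-SPServer -Identity $ServerName).Role
Write-Host "Role before: $before"

# Leave the farm, then rejoin it with the desired MinRole.
Disconnect-SPConfigurationDatabase -Confirm:$false
Connect-SPConfigurationDatabase -DatabaseServer $DatabaseServer `
    -DatabaseName $DatabaseName `
    -Passphrase $passphrase `
    -LocalServerRole $TargetRole

# Verify the result instead of assuming the conversion worked.
$after = (Get-SPServer -Identity $ServerName).Role
if ("$after" -ne $TargetRole) {
    throw "Server $ServerName reports role '$after', expected '$TargetRole'."
}
Write-Host "Role after: $after"
```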




Add Term Sets to SharePoint 2013 Search Refinement Panel


Following my previous post on working in Search Center, I now need to add crawled properties to the Search Refinement Panel.  These crawled properties can be content types, custom columns, or term sets.  In this post, I’ll use term sets.

My term store has regions, each populated with its U.S. states.  For this example, we’ll use the West Region.


Here’s my list with region term sets used.  I called that column “Store Region”.


After the list is populated with some values, go to List Settings –> Advanced Settings –> Reindex List

Just to make sure I get the crawled properties without waiting for the next scheduled crawl, I started the incremental crawl.

I then mapped the managed property to the crawled property.  In this example, I used RefinableString02 managed property.

In the mappings to crawled properties –> Add a Mapping –> I typed region and clicked Find


Here I selected ows_Store_x0020_Region. After a full crawl, I can now see the values in this mapped property.

From Search Center, after typing in a search term –> Edit Page, Edit Refinement web part properties, click Choose Refiners

In the list of Available Refiners, select RefinableString02 (this is what I mapped to in my earlier step).  The list of available values is displayed in the preview.


Click Add –> Type a meaningful name in the Display name text box.  In my case “Store Region”, click OK to close the refinement configuration window, then click OK to close the web part properties window.  Check-in and publish the page.

Here’s the end product.



Customize SharePoint 2013 Search Navigation


I’ve been working on search, mostly search center, lately. I need to create a custom search navigation to display only content from a legacy SharePoint site. So, I thought I’d share my process here.

First, the content needs to be indexed by the local search service. In other words, SharePoint 2013 must index legacy SharePoint site(s). Second, you’ll need to have access to modify the search center. Since I created my Search Center in its own site collection, the steps outlined below reflect that.

1. Launch the Search Center site from the browser window
2. Select Site Settings
3. Under Site Collection Administration, select Search Result Sources
4. Select New Result Source
5. Provide a name for the new result source (ex: Legacy)
6. Under the Protocol section, select Local SharePoint
7. Under the Type section, select SharePoint Search Results
8. Under the Query Transform section, click Launch Query Builder
9. In the Query text box, type: {searchTerms} (contentclass:sts_listitem) path:http://<oldSharePointsite>
Your screen should look similar to the following screenshot:


10. To validate the query, click Test Query (This should return relevant results in the preview pane.)
11. Select the TEST tab, and select Show more
12. To mimic what a user will see in the Search Center, type a query in the {searchTerms}: box
13. Click Test query (This should return a filtered result view based on the value provided in the searchTerms box.)
14. Click OK to close the Build Query window
15. Click Save to close the Result Source window
16. Select Add a page from the Gear Icon
17. Provide a name for the page (ex: Legacy), then click Create
18. In the Search Results web part, select Edit Web Part

19. In the Web part properties, click Change query

20. In the Select a query section, select Legacy (Site Collection) from the dropdown menu


21. Click OK to close the Build Your Query window
22. Click OK to close the Web part properties window
23. Check in and publish the page
24. From Search Center, select Site Settings
25. Under Search, select Search Settings
26. Under Configure Search Navigation section, select Add Link
27. Provide a title (ex: Legacy) (This will appear on the Search Navigation as “Legacy”)
28. Select Browse
29. Select Pages, select Legacy.aspx, then click Insert

30. Click OK to close the Navigation Link window
31. Click OK to close the Search Settings window
32. To validate changes made to the Custom Search Navigation, navigate to the Search Center site
33. Type in a query string – notice the results displayed at the bottom of the ‘Everything’ tab.
34. Click on the ‘Legacy’ tab and notice that there are fewer results than in the ‘Everything’ tab

Your custom navigation should look similar to this:


Happy searching!!


Heartland SharePoint Conference 2014 – SharePoint Hosted-App Infrastructure Setup


The Heartland SharePoint Conference was held on Thursday, May 15, 2014.  It was a huge success.  Over 300 business users, developers, and IT Pros attended.

I covered the topic of setting up your on-premises environment to host your own Apps.

Thank you to all who attended.  As promised during the session, the presentation is posted here. SharePoint 2013 Hosted-Apps (On-premises) – Infrastructure Setup

It’s also posted on

Thanks again!

