
Tuesday, November 14, 2023

Cases where a Microsoft provided Graph Connector might be better than a custom Graph Connector

 

In recent weeks Waldek Mastykarz, MS Developer Advocate, has spearheaded an information campaign about Microsoft Graph Connectors, which is wonderful as that service really deserves to be known by the SharePoint/M365 community.

A good handful of community members have provided a broad range of custom Graph Connectors and proven that creating a custom Graph Connector is within the capabilities of most organisations.


There are many good cases where a custom Graph Connector is the right choice for bringing 3rd party data into the M365 environment and thus breaking down the information silos which have caused employees to switch context repeatedly during a workday.


Yet, I have seen a few cases where I would recommend an out-of-the-box Microsoft provided Graph Connector over a custom Graph Connector.

The reason is not technical at all but more related to having a very clear segregation of responsibility between two or more parties.

Example:

Contoso Inc. has two suppliers and would like the information from one system to be available in another:

Supplier A is providing Building Inspection software as a SAAS solution and supplier B is providing an "Intranet In A Box" as a SAAS solution.

Since Supplier A is not providing a public API and isn't familiar with M365, they will not be able to manage the Graph Connector required. Supplier B is very familiar with M365 but does not have access to the databases that Supplier A is using in their SAAS solution.












In cases like this the obvious choice is to use an intermediate format that suits both parties. In one case Azure SQL was the right choice and in another case, Oracle was chosen as the common ground. 

Wednesday, October 18, 2023

Disabled or inactive User Accounts in M365 - a prerequisite for Governance

 

Among the many "triggers" in SharePoint Online these are the ones with the greatest impact:

Content created

Content updated

User Account disabled


Today we are taking a look at the latter and how to detect that a User Account no longer is active, as this is the primary trigger for a lot of governance actions.


You might expect that a key property of a User Account, such as whether it is active, should be pretty obvious, but it is NOT (unless HR remembers to inform you).


The following approaches to detecting disabled or inactive user accounts are available as a PnP Script Samples PowerShell script 😊


First of all, what do we mean by "User Account"? 

Are we defining this as a User Profile in the SharePoint User Profile Application (UPA)?

Are we talking about the Users endpoint in Microsoft Graph?


The answer is YES, as both can be used to decide if the User Account is active.


HideFromAddressLists

In the UPA we have the SPS-HideFromAddressLists property which, as the name implies, is used to hide the account from an address list. This property originates in Exchange, where it is used to exclude the account from the Global Address List (GAL), and is synchronized into the UPA.

Once the SPS-HideFromAddressLists property changes to true, it is very often a good indicator that the User Account has been disabled. 

In Microsoft Search this property is the only way to exclude accounts from being shown.


Custom AD Properties

Another option is that the organization has added a custom User Profile Property like "EmployeeStatus"/"UserDisabled" and this property is synced from AD/AAD to SharePoint via a custom sync job.

I have even seen an organization where the UserAccountName was prefixed with ZZ[YearOfLeaving] as a way to tag the user as disabled 😮

Please consult your friendly Entra ID admin for details if the organization is using this approach.


Graph 😃

Using Graph we can query the Users endpoint to get the accountEnabled property.



However, you will have to check with the Entra ID team in your organization to verify when accounts get disabled and whether that is a good indicator that the employee is no longer with the organization.

Perhaps you will have to check if another criterion is fulfilled, like no licenses assigned, in order to determine that the user has been off-boarded.


No Activity

Yet another way to check if the user is inactive is to use the audit logs in Graph to see if the user has been active within the last X days.

https://graph.microsoft.com/v1.0/auditLogs/signIns?$top=1&$filter=userPrincipalName eq 'LeeG@tcwlv.onmicrosoft.com'


The absence of logins is not a bulletproof way to detect that the user is no longer with the organization, but it is a pretty good indicator.

Summary

The above should make it clear that we most likely will have to test a number of criteria in order to determine if we should start the governance actions, like rerouting the workflows assigned to the user in question, reassigning ownership of assets and so on.

The list of criteria will probably vary from organization to organization, but using the right mix should give you a good chance to detect those users.
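One way to combine the criteria described above into a single decision, as an added example that is not the PnP Script Samples script mentioned in this post. The function name, the indicator labels, the 90-day and two-indicator thresholds and the sample records are assumptions; the records are constructed to mimic what the UPA, the Graph Users endpoint and auditLogs/signIns would return.

```powershell
# Added example. Function name, indicator labels and thresholds are assumptions.
function Get-OffboardingIndicator {
    param(
        [Parameter(Mandatory)] $User,
        [Parameter(Mandatory)] [datetime] $AsOf,
        [int] $InactiveDays = 90,   # the post's "X days"; the value is an assumption
        [int] $MinIndicators = 2    # how many criteria must agree; tune per organization
    )
    $hits = @()
    # Graph /users only returns accountEnabled when it is requested via $select.
    if ($User.AccountEnabled -eq $false)      { $hits += 'AccountDisabled' }
    # SPS-HideFromAddressLists from the User Profile Application.
    if ($User.HideFromAddressLists -eq $true) { $hits += 'HiddenFromAddressLists' }
    # Empty or missing assignedLicenses collection.
    if (@($User.AssignedLicenses | Where-Object { $_ }).Count -eq 0) { $hits += 'NoLicenses' }
    # $null means auditLogs/signIns returned nothing. Sign-in logs are only kept
    # for a limited period, so that is "no sign-in on record", not "never".
    if ($null -eq $User.LastSignIn -or $User.LastSignIn -lt $AsOf.AddDays(-$InactiveDays)) {
        $hits += 'NoRecentSignIn'
    }
    [pscustomobject]@{
        Upn             = $User.Upn
        Indicators      = $hits -join ', '
        StartGovernance = ($hits.Count -ge $MinIndicators)
    }
}

# Constructed sample records, not real tenant data.
$users = @(
    # Active employee: no indicator fires.
    [pscustomobject]@{ Upn = 'anna@contoso.example'; AccountEnabled = $true; HideFromAddressLists = $false
                       AssignedLicenses = @('sku-placeholder'); LastSignIn = [datetime]'2023-10-16' }
    # Off-boarded account: every indicator fires.
    [pscustomobject]@{ Upn = 'bo@contoso.example'; AccountEnabled = $false; HideFromAddressLists = $true
                       AssignedLicenses = @(); LastSignIn = [datetime]'2023-03-01' }
    # Long-term leave: no sign-in on record, but still enabled and licensed.
    [pscustomobject]@{ Upn = 'cleo@contoso.example'; AccountEnabled = $true; HideFromAddressLists = $false
                       AssignedLicenses = @('sku-placeholder'); LastSignIn = $null }
)

$users |
    ForEach-Object { Get-OffboardingIndicator -User $_ -AsOf ([datetime]'2023-10-18') } |
    Format-Table -AutoSize
```

The third record shows why a single criterion is not enough: missing sign-ins alone leave StartGovernance at False until a second indicator agrees.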


#SharingIsCaring

Monday, October 9, 2023

New video on YouTube - Options for integrating 3rd party data with SP/MS Search as of Q4 2023

 


On 5 October I gave a presentation at the Danish SharePoint User Group's meeting, covering the options that we have as of Q4 2023 when we want to integrate 3rd party data into Microsoft or SharePoint Search.

This is a shortened version and in English rather than Danish.  ;-) 



View from MAN Energy (the host for the meeting, and thanks for that) is magnificent on a beautiful evening.