SharePoint Missing Authentication for _vti_bin
The issue with the vti_bin folder is that it is accessible without authentication. However, the remediation measures outlined below are not technically feasible for SharePoint Online (O365). I found few remediations for this issue which are as follows: Configuration Options: Administrators can configure authentication for _vti_bin through various methods, such as: Enabling anonymous access:This allows anyone to access the site and its resources, including _vti_bin URLs, without logging in. Restricting access in Web.config:The Web.config file can be modified to deny access to anonymous users for specific _vti_bin paths. Using the ViewFormPagesLockDown feature:This feature can help restrict access to certain SharePoint resources, including those within _vti_bin The below links are for reference: https://www.c-sharpcorner.com/uploadfile/Roji.Joy/how-to-secure-external-anonymous-access-to-sharepoint-2010-sites/#:~:text=Even%20when%20lockdown%20mode%20is, https://learn.microsoft.com/en-us/archive/blogs/fabdulwahab/security-protecting-sharepoint-server-applications https://sharepoint.stackexchange.com/questions/167264/restricting-access-to-contents-in-vti-bin-for-both-authenticated-as-well-as-a I would like to verify whether the provided fixes are applicable to O365 SharePoint. If they are not, could you please advise on alternative solutions that can be implemented to mitigate this issue?
problems with sharepoint subscription edition post updates. psconfig fails.
We are facing 2 issues, but i suspect its related. OS is server 2025. Patches are current. We applied the sharepoint upgrade: KB5002784 yesterday. At that time we discovered psconfig failed to complete. Initially it was due to a problem with the sharepoint admin service. Of note it would not start. I found this to be a problem with windows exploit protection. Exempting the exe associated with the admin service fixed this and the service now starts. PSconfig still fails, its failing at the spcopysidebyside step. of note the sidebyside log that the error references is never created. additionally running the spcopysidebyside powershell script, and specifiying a log file location also results in no log being created. i suspect this may be another windows exploit protection exemption that needs to be created. at this time im not sure what one is required, nor how this is not effecting all installs vs just ours.
Microsoft IPs in audit logs
I'm investigating an incident and noticed that in many instances throughout the audit log, there is a Microsoft IP address associated with the action (in this case the action is "FileAccessed"). I'd like to know if this is some backend process that occurs automatically when using Sharepoint, or if this action originated from a user, but appears as a Microsoft IP due to some interaction with the server/onedrive/other process. Thanks in advance, helping me with this example could help in a lot of other areas of this audit log investigation as well.
VAPT issue raised for CKEditor 4.13.0 Cross-Site Scripting
URL to JS file: https://testsite.com/_layouts/15/16.0.18526.20508/next/spclient/43.sp-canvas-sp-ckeditor-flight.js Associating Common Weakness Enumeration (CWE) Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') (CWE 79) Evidence(s) Steps to derive Evidence(s) 1. Request to CKEditor File 2. Reponse indicating the version Recommendation(s) Upgrade CKEditor to the latest version 4.25.1-lts for extended support on the package. As this JS file is a part of SharePoint itself, cannot upgrade explicitly. Can anyone share the mitigation or plan to get it fixed except until Microsoft releases an update for same.
Automating Permissions
Question Title: Automating Permissions for New Document Libraries in a SharePoint Hub Site Based on a Templated CSV Description: I have a SharePoint hub site for all our projects. For each new project, I need to create a new document library within this hub site. The challenge I'm facing is that each document library needs a specific, templatized folder and permission structure for different departments. My goal is to find an automated solution that, whenever a new project library through template is created, it automatically applies the correct folder structure and permission levels as defined in my template. Are there any other out-of-the-box SharePoint features or Power Automate that can accomplish this?
Help! SharePoint is mixing up my document metadata and it's driving me crazy 😅
Hey everyone! I'm hoping someone here has seen this weird issue before because it's starting to really mess with our approval workflows. What's happening (the really frustrating part) So I built this document management system using SharePoint + Power Automate for our approval process. It was working great for months, but now SharePoint has started doing this really weird thing where it's mixing up metadata between different documents. Like, User A uploads a document, but SharePoint says it was uploaded by User B. Or a document from our other office suddenly shows up as being from another country. It's like SharePoint is getting confused and grabbing random metadata from other files! Here's what I'm seeing with the metadata fields: Wrong uploader names - The metadata shows the wrong person uploaded it (but version history is correct) Department mix-ups - Documents are getting tagged with the wrong office/department Date weirdness - Upload dates keep changing on existing documents My setup (in case it matters) SharePoint Online with custom document library Power Automate flows that kick off approval workflows when docs are uploaded Multiple users uploading files throughout the day Custom metadata fields for uploader, department, dates, etc. Since we use these documents for approvals, having wrong metadata is really bad news. Approvals are going to the wrong people, our audit trail is messed up, and people are starting to not trust the system. Has anyone else run into this metadata inheritance/mixing problem? A few specific things I'm curious about: Could this be a content type issue? Like, are multiple content types somehow sharing metadata? Is Power Automate maybe processing things too fast and causing conflicts? Could it be some kind of caching problem in SharePoint? Is this related to users uploading documents at the same time? What I've already tried Checked version history (it's correct there) Looked at my Power Automate flows Had users clear their browser cache Double-checked permissions Really just looking for anyone who's been through something similar! Specifically: What caused it for you? How did you fix it? Any tips to prevent it from happening again? Should I maybe restructure how my document library is set up? This worked perfectly for months and now it's like SharePoint has developed multiple personality disorder with my metadata 🤦♂️ Any ideas or war stories would be super helpful! Thanks in advance! Thanks in advance !SharePoint Guest Expiry
We have recently enabled the SharePoint guest expiry setting on our tenant and set this at 30 days. However, we have noticed that this hasn't filtered down to all existing sites which have a custom guest expiration set (e.g. they are still set to expire after 60 days rather than the org level setting of 30 days). I know that we can change this manually on the sites that we are aware of, but we have thousands of sites. Therefore, is there a way of: Getting an export of all SharePoint sites that do not match the org level setting of 30 days guest expiry AND Ensuring that all SharePoint sites are set to match the org level setting of 30 days for the sites that we have external sharing switched on forFor Retention Policy, if I set Retain + Delete, does it delete the original file/copy/both?
Hello, I am learning about Retention Policy for SharePoint Online and wanted to get a confirmation on this option below. Let's say I chose to retain for 10 years based on when it was created AND said Yes to "Do you want us to delete it after this time?" option. After 10 years, does it delete original files, copies that are generated in Preservation Hold Library, or both? This part was a bit confusing for me lolCan default permission groups be restored in SharePoint Online?
Hi everyone, In a SharePoint Online site, someone with permissions modified the default site groups (Owners, Members, and Visitors), replacing the users and groups that were originally there. This also affected several subsites and lists that inherited permissions from the main site, and even some lists with broken inheritance were unexpectedly modified. I’m not sure if that’s directly related. I have Site Collection Administrator permissions, but I’m not a SharePoint global admin, so there may be things I can’t see or do. Should I escalate this to a global admin? Is there any way to check or recover how those groups were configured a few days ago? Any advice or shared experience would be greatly appreciated. Thanks!If you set a retention policy to retain and delete, how will an existing file be affected?
Hello, I asked to separate forums and Support people but received a different response so I just wanted to come here for some sanity check. Let's say you set up a new retention policy for SharePoint Online sites and site A already has a file that's created/uploaded 4 years ago. For the retention configuration, you chose Retain for 5 years, Based on Created, and Delete after the retention policy expires. Once this policy is applied today, will the existing file be deleted after 1 year or 5 years? Once this retention policy is applied, will that file be deleted after 1 years or 5 years? I just wanted to use the community who seemed to have users with real experience with Microsoft tools.
