Todd Klindt's home page > Todd Klindt's Office 365 Admin Blog
What's going on with TK.
November 25
Tips for using the Microsoft Authenticator app for MFA

Earlier this month, Alex Weinert, the Director of Identity Security at a little company called Microsoft, published a blog post begging us to stop using SMS as the second factor for MFA. I’m an MFA kind of guy, I live the MFA lifestyle, and I’m on board with that. As the majority of the accounts I use can use the Microsoft Authenticator app, that’s what I use the most. Other companies, like Google, also have authenticator apps. I’m sure they’re fine and well loved by their friends and families.

Over the last few months I’ve moved most, if not all, of the apps and sites I can to MFA using the Microsoft Authenticator app and I’ve picked up a few tricks along the way. I thought I’d blog a few of them in case they help anyone else. Keep in mind this blog post was written in November of 2020 and the version of the app I’m using is 6.2010.7266 on Android.

Use Microsoft Your Phone

My first tip for using Microsoft Authenticator is not about using Microsoft Authenticator at all. It’s about using a Windows 10 feature called “Your Phone.” This feature, along with an app running on your phone, allow you to interact with your Android phone on your Windows 10 machine, or machines. I initially started using it to send text messages but it can do so much more. For instance, you can run phone apps on your PC, via screen sharing. One of those apps can be your friend and mine, Microsoft Authenticator. Since web sites (like Microsoft 365) and other services like VPN use codes generated from Microsoft Authenticator it is handy to have quick access to it on your PC. Here’s what it looks like:


That saves you fumbling with the UI on your phone, but you’d still need to look at your phone to get the code.

For this to really be helpful you also need to change a setting in the app to allow its screen to be captured. Go into Settings and enable Screen Capture:


If you don’t, you’ll see this on your PC when you open Microsoft Authenticator:


When I need to log into my GitHub account I fire up Your Phone on my computer, switch to the Microsoft Authenticator app and type the secret 6 characters in. Now I’m logged into GitHub and ready to cause some trouble.

Show the Codes

By default, when you open Microsoft Authenticator you’re greeted with a list of all of the accounts you’ve registered and you select the one you want to log in to. Authenticator takes you to a screen with the one-time passcode for that account. But all that clicking is sooo much work. I take advantage of the “Show Codes” option, like below.


That shows me all the codes for the accounts that support it. You can see how it looks in the first screenshot. Combining these two techniques my MFA process went from:

  1. Hunting around for my phone
  2. Unlocking it (unsuccessfully the first couple of times)
  3. Finding the Microsoft Authenticator app
  4. Finding the account I want to log in to
  5. Clicking it (so much work)
  6. Typing all six digits into the MFA prompt on my computer
  7. Collapsing from exhaustion

To this:

  1. Clicking the Microsoft Authenticator app on my Windows 10 Taskbar
  2. Copying the one-time passcode for the account
  3. Pasting into the MFA prompt
  4. There’s no step 4!

Wait, copy and paste the passcode? How’s that again?

Copy and Paste the Passcode

Once you have that set up you can actually copy the passcode from your phone in Windows and paste it into whatever web page or app is asking for it. To take advantage of this magic you need to enable copy and paste in the Your Phone app on Windows 10.


You might have to close the Authenticator app both on your phone and your PC for that to take effect. When you have it working, it’s a thing of beauty. Just copy the passcode with your mouse like you would any other application. There’s no visual indication that it’s copying, but trust me, it is. Go ahead, paste it into Notepad and see for yourself. Cool, huh?

Backup Your Settings

I recently heard a sad tale of woe from a friend of mine that uses Microsoft Authenticator for all of his MFA needs. Something went wonky on his phone and he lost a bunch of the account settings. He had to go through a lot of work to get it all set back up. That’s when he and I both noticed the handy Backup functionality. Like all the other fun we’ve looked at it’s in the Settings page of the app. You can read all about it on this Docs Page. But the basic idea is, turn it on. Future you will appreciate your consideration and foresight.

There are a few other fun Authenticator tricks, but these are my favorites. Are you using Authenticator and have tips to share? Put them in the comments below.



September 14
Free SharePoint Migration Webinar with me!

My friends at SysKit have been kind enough to do all the work for me to put on a free webinar on SharePoint migration. Those folks are the best! They do all the work, and you and I get to chat about one of our favorite topics! The big day is Wednesday September 16th. It’s 10:00 am CDT.

The registration is free, and you can find out more details and sign up here.

I’ll give some good advice, and tell some stories, and generally have fun. Join me, I’d love to see you there.



August 18
Create "All Users" Groups and Distribution Lists in Office 365 and Azure AD

Some blog posts just beg to be written, and this is one of them. I swear I’ve had this conversation half a dozen times in the last month after having never had it at all before. It just keeps coming up, I’m guessing because the adoption of Office 365 has really taken off in the last 5 months. What’s the topic? It boils down to, “How do I create a Team/Distribution List/SharePoint site that is always available to everyone in the company?” The first couple of times the topic came up I tried to talk the customer out of it. I’m usually not a fan of big blast communication like that, and in the case of products that are built on top of Microsoft 365 Groups, there are published limitations to this. It just seemed like a bad idea. But every time a customer asks me about it I understand it a little better, so I threw this blog post together to point people at if they want to do it. This post is meant to be technical, not prescriptive. I won’t cover why you should employ any of these techniques, but how you can do them if you have already decided they are a good idea. I’ll leave the why up to people that are smarter than me.

The Options

There are several “All User” communication methods that have come up in my discussions with customers. I’ll cover how to enable them. They all leverage the functionality of updating dynamically as people join your company. Your company could already handle adding people to Distribution Lists (DLs) as part of your onboarding process. All of my examples will show how to keep the All User list populated automatically. All of these examples also assume the groups are cloud only, not synced from on-prem Windows Active Directory.

Distribution Lists (DLs)

The first option I’ll cover is the old tried and true email Distribution List. These things have been around since shortly after prehistoric fish came on land from the primordial soup and they’ve been going strong ever since. DLs are email only and they’re a good way to send out company wide things like “There are donuts in the breakroom. Get here quick before Gary eats them all” or “The CEO is feeling generous and she’s giving everyone (except Gary) Friday off!”

To do this, create a new DL and make it a dynamic DL. This one is a little tricky. When you create a dynamic anything you have to provide a rule so that Azure AD (AAD) knows whether someone should be in the thing or not. In the case of a dynamic DL the way to get everyone is to create no rule. If there’s no rule, emails sent to that DL end up in every mailbox in your tenant. If you currently have any static DLs they cannot be changed to dynamic DLs, but they can be upgraded to Office 365 Groups. Dynamic DLs cannot be upgraded to Office 365 Groups. I’ve also had customers set one of these up and send News Digests from SharePoint Online to it. The owner of the dynamic DL does not need to be IT or have any elevated roles in the tenant.

How do I Create one?

There are a couple of different ways to create a dynamic DL. You can do it in the Exchange admin center in Office 365. Then navigate to the Groups tab. Next to New Microsoft 365 Group click the dropdown and select Dynamic distribution list.


The configuration will look something like this. Do not add a rule.


Once your dynamic DL is created there are some fun settings you can play with. For instance, you can moderate messages and have approved senders.

If you’re super cool, you can create dynamic DLs with PowerShell. First connect to Exchange Online PowerShell, then run New-DynamicDistributionGroup:

New-DynamicDistributionGroup -IncludedRecipients MailboxUsers -Name "Blog Lovers"

Doesn’t that feel better than using the UI? I thought so.

Security Groups and Microsoft 365 Groups

Both AAD Security Groups and Microsoft 365 Groups support dynamic membership, so they can be used the same way. A dynamic, all company, Microsoft 365 Group can be used for a site that you want everyone to have access to, and they’ll all get emails sent to that Group’s DL. Depending on how the Group is configured or how the users configure their mail client the Group’s emails may or may not show up in their Inbox. There will also be a Team for that Group that everyone will be in. Lots of ways to annoy everyone with one of these. I honestly can’t think of a way to leverage a Security Group in the context of Office 365, but I added it since it’s the same process as the Office 365 Group, and it makes this blog post look that much longer.

How do I Create Them?

As we are all painfully aware, there are just shy of 117 different ways to create a Microsoft 365 Group. I think two more have been added since I started writing this blog post. There might be more than one way to create a dynamic Microsoft 365 Group, but I’m only going to cover how to do it in the Azure AD Portal and with Azure PowerShell. Navigate to the Groups blade and click “New group.” Under Membership type choose “Dynamic User”


If Membership type is greyed out that’s because the user creating the group does not have an Azure AD Premium license.

To set the rule, click the “Edit dynamic query” button to get to the rules page. The rule we want is “user.objectId -ne null”. You can build that in the wizard at the top. Don’t worry about a user’s ID actually being “Null.” The rule knows the difference between null and “Null.” Ned Ull will not be the only member of the Group.


Once you tab out of the Value box the Save button will light up and you’ll be able to save the query and go back to creating your group. The process is the same for Security Groups.

But what about PowerShell?? I’m so glad you asked. Make sure you have the AzureAD module loaded and you’re connected as an account that can create Groups. Then run this little gem to create a Dynamic Microsoft 365 Group:

New-AzureADMSGroup -DisplayName "Dynamic M365 Group From PowerShell!" -Description "Dynamic group created with PowerShell!" -MailEnabled $true -MailNickName "Dynamic-M365-Group-From-PowerShell" -SecurityEnabled $True -GroupTypes "Unified","DynamicMembership" -MembershipRule "(user.objectId -ne null)" -MembershipRuleProcessingState "On"

If you only want a Security Group (I’m not sure why) change the -MailEnabled parameter to $false, and the -GroupTypes to only DynamicMembership, like this:

New-AzureADMSGroup -DisplayName "Dynamic Security Group From PowerShell!" -Description "Dynamic security group created with PowerShell!" -MailEnabled $false -MailNickName "Dynamic-Security365-Group-From-PowerShell" -SecurityEnabled $True -GroupTypes "DynamicMembership" -MembershipRule "(user.objectId -ne null)" -MembershipRuleProcessingState "On"

It is also possible to switch an existing static Security Group or Microsoft 365 Group to dynamic. It’s a long process, and this article does a good job explaining how. I don’t think there’s a way to convert a Security Group to a Microsoft 365 Group.

Happy Dynamic Group Creating!

Question #1: "Can you use Dynamic Groups with Audience targeting?"
Answer #1: Despite this Microsoft Support document saying otherwise, I was able to target links in both Global (top) Nav and Quick (left) Nav by audience with a Dynamic Microsoft 365 Group. 

Question #2: "Does the 'user.objectId -ne null' approach include Guests?"
Answer #2: I'm not sure, I'll look into that and update this blog post. 



Edit: 8/24/20 to add questions
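
One way to check Question #2 on your own tenant, as an added example that is not the author's code: it finds dynamic groups whose rule matches every user with no user.userType condition and counts the Guest accounts currently in each. It assumes the AzureAD module and an existing Connect-AzureAD session; the helper name Test-AllUsersRule and its string matching are illustrative.

```powershell
# Added example, not from the original post. Assumes the AzureAD module is
# loaded and Connect-AzureAD has already been run.

# Hypothetical helper: true when a membership rule matches every user object
# and carries no user.userType condition to narrow it.
function Test-AllUsersRule {
    param([string]$MembershipRule)

    if ([string]::IsNullOrWhiteSpace($MembershipRule)) { return $false }
    $rule = ($MembershipRule -replace '\s+', ' ').ToLowerInvariant()
    $matchesEveryone = $rule -match 'user\.objectid -ne null'
    $scopedByType    = $rule -match 'user\.usertype'
    return ($matchesEveryone -and -not $scopedByType)
}

# Every dynamic group in the tenant (Security and Microsoft 365 alike)
$dynamicGroups = Get-AzureADMSGroup -All $true |
    Where-Object { $_.GroupTypes -contains 'DynamicMembership' }

$report = foreach ($group in $dynamicGroups) {
    if (-not (Test-AllUsersRule -MembershipRule $group.MembershipRule)) { continue }

    # Current members as evaluated by Azure AD; guests carry UserType 'Guest'
    $members = @(Get-AzureADGroupMember -ObjectId $group.Id -All $true)
    $guests  = @($members | Where-Object { $_.UserType -eq 'Guest' })

    [PSCustomObject]@{
        DisplayName = $group.DisplayName
        IsM365Group = $group.GroupTypes -contains 'Unified'
        Rule        = $group.MembershipRule
        Members     = $members.Count
        Guests      = $guests.Count
        SampleGuest = ($guests | Select-Object -First 3 -ExpandProperty UserPrincipalName) -join '; '
    }
}

$report | Sort-Object Guests -Descending | Format-Table -AutoSize

# If a group should hold employees only, the rule can be narrowed with the
# user.userType property (replace the placeholder with the group's object ID):
# Set-AzureADMSGroup -Id '<group-object-id>' `
#     -MembershipRule '(user.objectId -ne null) -and (user.userType -eq "Member")'
```

A non-zero Guests count means external accounts currently receive whatever site access, mail and Team membership the group grants.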

July 29
Use PowerShell to Work with SharePoint 2010 Workflow Scan

Workflow Retirement Series TOC

Part 1 - SharePoint 2010 and 2013 Workflows Kaput in Office 365
Part 2 - Finding All the SharePoint 2010 Workflows in SharePoint Online
Part 3 - Find Only the Active SharePoint 2010 Workflows in SharePoint Online 
Part 4 - Use PowerShell to Work with SharePoint 2010 Workflow Scan

In Part 2 of my much beloved “Workflow Retirement Series” I covered how to scan your SharePoint Online environment for those pesky SharePoint 2010 workflows with the free SharePoint Modernization Scanner. I figured that was that. I was preparing to do my victory lap when I started getting some feedback. It seems some folks have a lot of workflows in their environment, and a CSV file with a few hundred, or a few thousand rows isn’t terribly helpful. Now, once you get that CSV file into Excel you have one of the best data slicing and dicing tools invented by man at your disposal. You can slap a couple of filters on there, sort a few columns, hide a few others, and you can probably get whatever information you need. But I’m a PowerShell guy. I like to do things the hard way, with maximum typing. Let’s walk through what I did.

One of the reports the SharePoint Modernization Scanner makes is ModernizationWorkflowScanResults.csv and that’s the one I’m going to use. Since it’s a pretty well formed CSV file we can import it into an object without much fuss:

$results = Import-Csv .\ModernizationWorkflowScanResults.csv

As a gut check we can see how many rows we brought in:


You can also type $results[0] to see the first row, since it’s just an object. And since it’s an object, it has Members that we can exploit. What are those Members? I’m glad you asked:

$results | Get-Member


My eagle-eyed readers will notice that the NoteProperties are the column headers in the CSV file. To get my feet below me I did a simple Select to get a few properties:

$results | select "Definition Name",Version

You can add any of the columns you want. Remember to put quotes around the columns with spaces in the name.

$results | select "Definition Name","Subscription Name","List Title",Version,enabled

Depending on how your PowerShell host is configured that might be wide enough that it might switch from table to list. To get it back to table pipe it through Format-Table:

$results | Select-Object "Definition Name","Subscription Name","List Title",Version,enabled,"Flow upgradability" | Format-Table -AutoSize


This report has both SharePoint 2010 and SharePoint 2013 workflows in it. The current fire is around SharePoint 2010 workflows, so let’s just look at those:

$results | Where-Object -Property version -EQ -Value "2010" | Select-Object "Definition Name","Subscription Name","List Title",Version,enabled,"Flow upgradability" | Format-Table -AutoSize

That should give you a better picture of the Herculean task in front of you. There’s one final piece I want to show you, and that’s how to see which sites have the most workflows:

$results | Where-Object -Property version -EQ -Value "2010" | Select-Object "Definition Name","List Title",enabled,"Site Url" | Group-Object -Property "Site Url" | Format-Table -AutoSize


This will help you figure out where to focus your efforts between now and November 1st.

Like I said at the beginning of this post, all of this and more is available in Excel and most of it has been done for you already in the Office 365 Classic workflow inventory.xlsx report that the SharePoint Modernization Scanner creates. But it’s a fun PowerShell exercise just the same.



July 15
How to use PowerShell to Find all the Flows in Your Tenant

I have a OneNote file that is full of blog posts that seemed like a great idea at the time, but never saw the light of day for various reasons. Maybe I couldn’t research it as much as I wanted, maybe I couldn’t make it as thorough as I wanted, maybe I just got distracted by something shiny. This blog post is one of them. I was never confident enough to post this one, but given all the Workflow excitement, and a couple of customer requests I decided to dig in and get serious about it. So here it is, two years after I first took the notes for it.

As an administrator, I find myself frustrated a lot by the lack, or at least lack of understanding on how to manage Flows and Power Apps. They never quite behave exactly like I want them to. One of the things that keeps coming up is being able to get a list of all of the Flows in a Tenant. This could be for licensing questions, migrating questions, or just plain curiosity. Whatever it is, it’s never as easy as I want it to be. Being the fanboy of PowerShell that I am, that’s where I looked. Without boring you with a lot of story part, I’ll show you the PowerShell I settled on.

Get-AdminFlow | ForEach-Object { $user = Get-UsersOrGroupsFromGraph -ObjectId $_.CreatedBy.userId;[PSCustomObject]@{ FlowName = $_.DisplayName; OwnerName = $user.DisplayName ; OwnerEmail = $user.UserPrincipalName ; }; }

Let’s break that down a bit. You’ll need to install the PowerApps and Flow for Admins module. Install the PowerApps and Flow for Makers module while you’re at it. If you don’t run Add-PowerAppsAccount and add your Tenant Admin account you’ll get prompted for authentication the first time you run Get-AdminFlow.

Get-AdminFlow lists all of the Flows in a tenant, but not in the most user friendly way:


So I cleaned it up a bit. Using ForEach-Object I walk through each Flow. I use Get-UsersOrGroupsFromGraph to get the Owner object. Then I create a PSCustomObject and populate it with the Flow’s DisplayName and the user’s DisplayName and UserPrincipalName properties. It looks like this:


Making it an object is a little extra work as opposed to just spewing it onto the screen with Write-Host. But it’s worth the extra effort because I can send it down the pipeline and do more with it. For instance, I can easily pipe it out to a CSV file by appending | Export-Csv -Path .\Flows.csv -NoTypeInformation to the end.


That seems a bit anticlimactic at first, but open up that CSV file and prepare to be amazed.


If you want different information about each Flow, run Get-AdminFlow | Get-Member and see what other properties are exposed to you.

Let me know if this helps and what else you’d like help with.



Edit 7/15/2020 – Changed the PowerShell to be more efficient, but now it doesn’t match the screenshots.

July 14
Find Only the Active SharePoint 2010 Workflows in SharePoint Online

Workflow Retirement Series TOC

Part 1 - SharePoint 2010 and 2013 Workflows Kaput in Office 365
Part 2 - Finding All the SharePoint 2010 Workflows in SharePoint Online 
Part 3 - Find Only the Active SharePoint 2010 Workflows in SharePoint Online   
Part 4 - Use PowerShell to Work with SharePoint 2010 Workflow Scan


In the last episode of “Oh my god, SharePoint Workflows are Going Away!!!” I covered how to find the SharePoint 2010 and 2013 Workflows that might be lurking about in your SharePoint Online environment. As I wrote that blog a big smile crept across my face. I figured this was going to solve everyone’s problem. I assumed I would be cheered as a hero, parks would be named after me, the whole thing. Imagine my surprise when the response was, “That’s great Todd, but how can I tell which ones are actually being used?” No directions to the Todd Klindt Celebratory Highway or nothing. Ingrates!

After I dried my tears I decided that question had some legitimacy to it, so I put pen to paper and wrote this blog post.

I was never much of a workflow guy, either on-prem or in SPO. But in the deep, dark recesses of my mind I did remember an on-prem issue where the “Workflow History List” would get huge and cause database issues. “Workflow History List” sounds promising. I wondered if SPO has such a beast. Sure enough, it does, and it seems to be exactly what we’re looking for.

Like the name suggests, it’s a List of the Workflow History. Since it’s a list it’s a child of a web, or the root web of a site. That list covers the Workflow History of the entire web or site. When you run the SharePoint Modernization Scanner from my previous blog post the ModernizationWorkflowScanResults.csv file lists all the Workflows in your tenant and which site (Columns A and B) that Workflow is in. It also shows when that Workflow was last edited (Column T) but not when it was last used. Fortunately we can take the URL in Column A, tack /lists/Workflow%20history/AllItems.aspx at the end of it and get which Workflows are being executed. Here is what we see in the report:


In my browser I pasted and I got a page like this:


From this I can tell that the “Create Home Schedule” Workflow is being used regularly and I need to find an alternate for it before November 1st, 2020. If a Workflow shows up in the Scan Results spreadsheet, but you can’t find it in the Workflow History List you probably don’t need to rewrite it. However, in the Workflow’s settings it is possible to assign a different list for that Workflow’s history.


Of course you won’t know that unless you look at every Workflow’s settings in SharePoint Designer, which sounds pretty tedious. I was able to whip up some PowerShell that looks for Workflow History lists:

Get-PnPList | Where-Object -Property BaseTemplate -EQ -Value "140" | Select-Object Title, @{Label="URL";Expression={$_.RootFolder.ServerRelativeUrl}}, BaseTemplate


You can run that against the sites that show up in the ModernizationWorkflowScanResults.csv file. If another list shows up there you’ll want to see which workflow is writing its history to that list. By default the Workflow History list is hidden in the UI, so you won't see it in the site's Site Contents page. You can unhide the list in SharePoint Designer, or my preferred method, PowerShell:

Set-PnPList -Identity "Workflow History" -Hidden $false

It’s also important to note that the Workflow History List purges entries over 60 days old. In this case that’s not a problem. Any Workflow that hasn’t been run in the last 60 days probably doesn’t deserve saving.

Look at all the time you just saved! More time to watch hamster videos on YouTube.
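
The sweep described above, run against every site in the scan results, as an added example that is not the author's code. It assumes a PnP PowerShell module, the same App Registration and PFX used for the scanner, and that the "Site Url" column holds the URL to connect to; the three bracketed values are placeholders.

```powershell
# Added example, not from the original post.
$clientId = '<application-id>'           # placeholder: App Registration ID
$tenant   = '<tenant>.onmicrosoft.com'   # placeholder: Azure AD domain
$pfxPath  = '<path-to-certificate.pfx>'  # placeholder: certificate file
# Prompt for the PFX password so it never lands in a script or shell history
$pfxPass  = Read-Host -Prompt 'PFX password' -AsSecureString

# Unique sites that hold SharePoint 2010 workflows, from the scanner's CSV
$siteUrls = Import-Csv .\ModernizationWorkflowScanResults.csv |
    Where-Object { $_.Version -eq '2010' } |
    Select-Object -ExpandProperty 'Site Url' -Unique

$historyLists = foreach ($siteUrl in $siteUrls) {
    try {
        Connect-PnPOnline -Url $siteUrl -ClientId $clientId -Tenant $tenant `
            -CertificatePath $pfxPath -CertificatePassword $pfxPass -ErrorAction Stop

        # BaseTemplate 140 = Workflow History; a site can have more than one
        Get-PnPList | Where-Object { $_.BaseTemplate -eq 140 } | ForEach-Object {
            [PSCustomObject]@{
                SiteUrl   = $siteUrl
                Title     = $_.Title
                Url       = $_.RootFolder.ServerRelativeUrl
                Hidden    = $_.Hidden
                ItemCount = $_.ItemCount   # entries are purged after 60 days
            }
        }
    }
    catch {
        # Keep going; one unreachable site should not stop the sweep
        Write-Warning "Could not read ${siteUrl}: $($_.Exception.Message)"
    }
}

$historyLists | Sort-Object SiteUrl, Title | Format-Table -AutoSize

# Sites with more than one history list: some workflow there writes its
# history somewhere other than the default list
$historyLists | Group-Object SiteUrl | Where-Object Count -gt 1 |
    Select-Object Name, Count
```

An ItemCount of zero on every history list in a site means none of its workflows has logged a run inside the 60-day window.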



July 09
Finding All the SharePoint 2010 Workflows in SharePoint Online

Workflow Retirement Series TOC

Part 1 - SharePoint 2010 and 2013 Workflows Kaput in Office 365
Part 2 - Finding All the SharePoint 2010 Workflows in SharePoint Online 
Part 3 - Find Only the Active SharePoint 2010 Workflows in SharePoint Online
Part 4 - Use PowerShell to Work with SharePoint 2010 Workflow Scan 

By now you’ve probably seen Microsoft’s announcement that they’re going to remove SharePoint 2010 Workflows on November 1st, 2020. SharePoint 2013 Workflows aren’t too far behind. Not only did they not give us much time to rewrite these workflows in Power Automate, there aren’t any great ways to find out where they are in the first place. Since the beauty of SharePoint is how it empowers users to create, it’s likely that users are making workflows all over and admins have no exposure to it. Today I’m going to show you how to use the SharePoint Modernization Scanner (SMS) to find those Workflows that will soon be shown the door. The SMS is a general tool that helps people already in Office 365 to Modernize individual pieces of the platform. Workflow is one of those pieces.  So while the tool wasn’t meant for exactly this scenario, it fits nicely.

To get started, download the SMS from the link on this page. It’s going to come down as an EXE, there’s no installation. I recommend copying it to its own location. When it creates its logs it creates them in the folder it was run from, and I’ve found it helpful to keep all of that in one place. In the screenshots in this blog post, I copied SharePoint.Modernization.Scanner.exe to D:\SMAT. When you run the tool without any parameters it guides you through a UI Wizard. The first decision you have to make is how you’re going to authenticate against your tenant.


The default option is “Azure AD App Only” and it’s my recommendation that you go that route. You’ll notice there’s a very comfy looking “Username and password” option farther down the list. It’s tempting to go that route, as it’s much easier, but if you’re running the tool seriously in production, go to the extra work and create an App Registration for it. If there’s interest, I might do a blog post on that, too. It’s less scary than it seems. Here’s what my screen looked like all filled out.


The Application ID can be copied directly from the Overview page of the App Registration itself. The domain is the Azure AD domain, and it will most likely be a * address. This can be a bit confusing since we’re doing all of this in the context of SharePoint. It can feel like you should use, but that won’t work. The App Registration is an Azure AD thing that happens to work with SharePoint. If you’re not sure what the correct Domain is, go to the Azure Active Directory Dashboard Overview page and find Primary Domain.


You will also need the PFX file for the certificate that was used for the App Registration, and the password for that cert.

After you’ve entered that hit Next. The next screen lets you choose which Site Collections you’ll be scanning. The environments I’ve run this on are small enough that I’ve been able to stick with the “Complete Tenant” option, but you can also choose them individually or feed the tool a CSV file. These options are handy if your tenant is large. You also need to enter your SharePoint tenant name in this screen.


The next screen is the whole reason we’re here, to scan those Workflows. The tool can find all manner of objects that can be Modernized, and I encourage you to scan for all of them at some point, but I just chose Workflows to speed things along.


The final screen has some options. I always go with the defaults.


Hit “Start scan” and then anxiously await the report. It’ll look like this.


Maybe pop some popcorn. It might take a minute. Finally you’ll get this:


If you want to run it all from the command line like a hot shot, run this command with your own values in place of mine.

.\SharePoint.Modernization.Scanner.exe --azuretenant --certificatepfx "d:\smat\SMAT App Reg.pfx" --certificatepfxpassword pass@word1 --tenant M365x541279 --mode WorkflowOnly --clientid a204b312-c2a9-4a47-861c-b0c874e8219a

If you're running version or later you need to change the operation to WorkflowWithDetailsOnly. Starting in WorkflowOnly gives fewer details about the individual Workflows. My and later command line looks like this:

.\SharePoint.Modernization.Scanner.exe --azuretenant --certificatepfx "d:\smat\SMAT App Reg.pfx" --certificatepfxpassword pass@word1 --tenant M365x541279 --mode WorkflowWithDetailsOnly --clientid a204b312-c2a9-4a47-861c-b0c874e8219a

It looks like this:


Once the scanner is finished it’ll drop a bunch of files into the folder listed above. Mine looked like this:


Since we only care about Workflows we can jump right into the ModernizationWorkflowScanResults.csv file and see where workflows are hiding out in our tenant. You may also want to give Errors.csv a once over just to see if everything went fine. Here’s my workflow report:


The report is pretty good. We can see I have two workflows, one 2010 and one 2013. We can see which site and list they’re in. We can also see that the 2010 is published (Enabled) and the 2013 is only saved. If you go farther to the right there are also columns that indicate when it was changed last. Lots of good information there. At this point you’ll probably want to reach out to the site owner and have them verify if the Workflow is being used. You or they will have to connect with SharePoint Designer (still free) and start figuring out how to turn that workflow into a Flow.

I could end the blog post here. I’ve delivered the promised content, and did a fine job if I do say so myself. You’ve gotten your money’s worth. I want to add one additional bit though. In that same report directory is Office 365 Classic workflow inventory.xlsx. That’s another Excel document with workflow information, but it uses a fancy Pivot Table to show it. You and I, we’re technical folks. The raw spreadsheet with sites and lists is what we wanted. But we likely have bosses (with or without pointy hair) and they like pictures. That’s where this last file comes in. Open up Office 365 Classic workflow inventory.xlsx and click “Enable” in the bar at the top. When you click Enable the spreadsheet will load the information from the ModernizationWorkflowScanResults.csv file and make it look all pretty.


That version will look better on a PowerPoint. You’ve got some filters to play with, really put some polish on it.

Hopefully this will help you chase down the SharePoint 2010 and 2013 Workflows in your Office 365 tenant. Let me know how it worked. You can leave a comment here, or reach out on Twitter at @toddklindt.



Edit (7/9/20): Edited to replace wrong tool name with SharePoint Modernization Scanner.

Edit (7/10/20): Edited to add command line syntax.

Edit (7/27/20): Edited to add the and later command line syntax.

July 06
SharePoint 2010 and 2013 Workflows Kaput in Office 365

Workflow Retirement Series TOC

Part 1 - SharePoint 2010 and 2013 Workflows Kaput in Office 365
Part 2 - Finding All the SharePoint 2010 Workflows in SharePoint Online
Part 3 - Find Only the Active SharePoint 2010 Workflows in SharePoint Online 
Part 4 - Use PowerShell to Work with SharePoint 2010 Workflow Scan

Hot off the presses! Today Microsoft announced the SharePoint 2010 workflow retirement in Office 365. They sort of buried it, but SharePoint 2013 workflows are meeting the same fate. Here’s a quick breakdown of the dates where stuff stops working:

SharePoint 2010 workflows turned off for new tenants: August 1, 2020
SharePoint 2010 workflow turned off for ALL tenants: November 1, 2020
SharePoint 2013 workflow turned off for new tenants: November 1, 2020
SharePoint 2013 workflow turned off for ALL tenants: TBD

The following built-in workflows will also be removed; Approvals, Collect Feedback, Collect Signatures, Classic pages publishing Approval, and Three-state.

How do you know which workflow engine your workflows are using? It doesn’t really matter. They’re both going away. They should both be replaced with Power Automate flows. If you’ve been putting it off, now is the time to get on it. You do, however, need to know where all of these workflows are in your tenant. Microsoft has a tool, the SharePoint modernization scanner, that will search out classic workflows, among other things. It’s a pretty painful tool to use, so I wouldn’t break it out late in the afternoon on Halloween. If I’m feeling sadistic, I may make a walkthrough of it. Once you have a good handle on where the workflows are being used in your tenant you can decide which ones to jettison, and which ones get to be reborn into flows.

Let me know what you think about it. Let me know how this impacts you. The July 15th, 2020 episode of Ask Sympraxis will cover this topic. Join us. It’s free. It’ll be a hoot, and worth every penny you spend on it.


June 01
Are you joining us for Ask Sympraxis? Why not?

Every couple of weeks me and my fellow Sympraxians get together on Wednesday for an open forum we call Ask Sympraxis. Anyone can get on and chat with us. We take questions to seed the discussion and then we all sit around and chat. If you’re not already attending, we’d love for you to join us. You can add it to your calendar, or you can just jump into the Teams meeting the first and third Wednesday of the month at 11:30 Central Time.

If you want to get some free advice from us, or just talk about how great Marc’s hair is, stop by and say hello.



May 21
Using PowerShell to Find Power Apps that use the SharePoint Connector

I recently had a fun task come across my desk. A customer of mine has a large tenant, with a lot of Power Apps and a lot of Power App makers. They’re doing a tenant migration, and the Power Apps themselves will likely move over pretty easily. A lot of them are connecting to the tenant’s SharePoint site, and after the tenant move those SharePoint URLs are going kaput. The customer wanted to be able to find out which Power Apps were going to be broken so they could reach out to the owners to get them fixed. That’s where I, and my PowerShell prowess came in.

I had whipped up some quick and dirty PowerShell for this customer before so they asked if I could work my magic with this. I have dabbled a bit with the Power Apps and Flow Power Automate PowerShell in the past, and while I found it… lacking, I figured this was something it could handle. Here is the PowerShell I eventually went with:

Get-AdminPowerApp | ForEach-Object { if (Get-AdminPowerAppConnectionReferences -EnvironmentName $(Get-PowerAppEnvironment).EnvironmentName -AppName $_.AppName | Where-Object -Property ConnectorName -EQ -Value "shared_sharepointonline") {$_ | Select-Object DisplayName, @{Label="Owner";e={$_.Owner.displayName}},@{Label="Email";e={$_.Owner.userPrincipalName}}, AppName }}

Here’s what it looks like when it runs:


I have the following two Power Apps modules installed with these versions:

2.0.61 Microsoft.PowerApps.Administration.PowerShell

(Full list of Office 365 PowerShell modules)

You’ll get prompted to log in. The account will have to have the necessary permissions to enumerate all of the Power Apps in the tenant.

I know what you’re thinking, “Todd, that’s amazing! Solid work! I hate to seem greedy, but, um, where is the URL of the SharePoint site the Power App is connecting to?” That’s a funny story, but the punchline is, there isn’t a way. At least not from the PowerShell modules we have today. Apparently the Center of Excellence Starter Kit has a way to get that information, but it’s a really big hammer for a nail this small.

This will work for any of the Connectors. You can use the following PowerShell to see all Connectors that are in use:

Get-AdminPowerAppConnection | Select-Object ConnectorName

That will give you the value you need to search for with the Where-Object. If you’re looking for more ways to abuse Power Apps and Power Automate with PowerShell (so many Powers there) you can watch Shane’s so-so PowerShell for PowerApps and Flow video. It’s okay. I guess. In a pinch.



