Pushing the Boundaries Real-World SharePoint Add-In DevelopmentEric ShuppsSharePoint Server MVP

About Me

@eshupps sharepointcowboywww.sharepointcowboy.-com

slideshare.net/eshupps linkedin.com/in/eshupps

Eric ShuppsSharePoint Server MVP

• Models• API’s• Security• Customizations• Deployment

Agenda

Models

SharePoint Hosted

What Works What Doesn’t

JSOM & REST

Auto Deployment

Inherited Context

Declarative Artifacts

REST

CSOM

Compiled Code

Event Receivers

Iterative Deployment

Forms Authentication

Provider Hosted

What Works What Doesn’t

CSOM, REST & O365 API’sIterative Deployment

Forms Authentication

Compiled Code

Event Receivers

JSOM

Inherited Context

Auto Deployment

RequestDigest

Client Secret Expiration

Declarative Artifacts

Mobile

What Works What Doesn’t

REST & O365 API’s

IOS & Android

Native Code

Azure AD SSO

JSOM

Inherited Context

Declarative Artifacts

Deep Integration

API’s

CSOM

Managed

Typed

Coverage

Samples

Server Side

Synchronous

Authorization

.NET Only

Compiled

The Good

The Bad

The Ugly

JSOM

Authorization

Context

Client-side

Asynchronous

Coverage

Samples

Dependencies

Cross Domain

SP Hosted Only

Debugging

The Good

The Bad

The Ugly

REST

Cross Platform

Client-side

ODATA

Asynchronous

Authorization

Samples

Coverage

Cross Domain

Syntax

Performance

Throttling

The Good

The Bad

The Ugly

Office 365

Client-side

Cross Platform

Unification

Asynchronous

O365 Only

Samples

Authorization

Cross Domain

Coverage

Performance

Throttling

The Good

The Bad

The Ugly

DEMOThrottling Management

Security

PermissionsAuthorizationAuthentication

On-Premise

NTLM

Forms

SSO

High Trust

Low Trust

Anonymous

User

App

Groups

PermissionsAuthorizationAuthentication

Office 365

Azure AD

NTLM

SSO

Low Trust

High Trust

Anonymous

User

App

Groups

PermissionsAuthorizationAuthentication

Azure

Azure AD

SSO

NTLM

Low Trust

High Trust

Anonymous

User

App

Groups

DEMOAssigning App Permissions in Azure

Customizations

App Web

• Not primary user context

• Declarative artifacts or code

• Iterative deployments destroy content

• Only provisioned via SPHA or PHA with declarative artifacts

Host Web

• Code only – no declarative artifacts

• Requires Cross Domain calls

• Injection remnants difficult to remove

Scopes

• On-Premise• Modify and manipulate – do not

replace

Master Pages

•PHA: External (CDN)•SPHA: External or App Web

Dependencies

• On-Premise: Declarative or Programmatic

• Online: ProgrammaticAssets

•Do not rely upon remote event receivers•Beware the dangers of injection

Retraction

Branding

DEMOJavaScript Injection Issues

Data Sources

• Lists• Managed

Metadata• Search• BCS• External

Components

• Master Pages• Client Web

Parts• Scripts

Navigation

Sites

What Works What Doesn’t

Programmatic ProvisioningCSOM, JSOM & REST

App Deployment

Core Templates

Site/Web Templates

Stapling

STP Files

Sandbox Solutions

Features

App Authorization

DEMOSite Provisioning

Deployment

On-Premise

• Apps• SSL• DNS• [PHA] Server to Server (S2S) High Trust or Hybrid Low

Trust

Configuration

• [SHA] None• [PHA] Servers, Networking, Authentication, Admin Access

Resources

•Corporate Catalog•Developer Site•Store

Distribution

Office 365

• Apps

Configuration

• [SHA] None• [PHA] Servers, Networking, Authentication, Admin

Access

Resources

• Corporate Catalog• Developer Site• Store

Distribution

Azure

• AD Apps• SSL• DNS• SSO• Permissions

Configuration

•Servers, Networking, Authentication, Admin Access•Azure AD Premium*

Resources

• Admin assignment

Distribution

DEMOConfiguring S2S On-Premise