Fixing apps after configuring SharePoint Hybrid

Update: Microsoft included the fix in the hybrid picker experience. This means you no longer have to perform the steps outlined in this blog post.
You can find the updated article by Microsoft here:

For hybrid search (outbound/inbound query federation or Cloud Hybrid Search Service Application) a manual approach is needed to remediate this scenario.
A KB article was released, which can be found here:

Summary: This article provides a solution to broken provider-hosted add-ins after configuring SharePoint hybrid features. For a full list of hybrid features, see the following article:

The following hybrid features will break your server-to-server trusts that were already set up before configuring hybrid for SharePoint 2013 or SharePoint 2016:

This post will describe why this happens and how we can fix this.

In order to establish a server-to-server trust between your on-premises SharePoint environment and Office 365, Microsoft relies on the SPAuthenticationRealm. More information can be found here:

This article has a “Caution” section, warning that any access tokens created for a specific realm won’t work after changing the SPAuthenticationRealm.
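As an added diagnostic (not the author’s Fix-Hybrid.ps1 and not part of the original post), the following PowerShell lists the server-to-server trusts whose realm no longer matches the farm’s current SPAuthenticationRealm, which is exactly the situation the “Caution” describes. It assumes the standard trusted-issuer NameId format “<client-id>@<realm>” and is meant to run in the SharePoint Management Shell on a farm server.

```powershell
# Added example: report S2S trusts that still reference a realm other than the
# farm's current SPAuthenticationRealm (e.g. after the hybrid picker changed it).
# Assumes the usual SharePoint convention that a trusted issuer's NameId is
# "<client-id>@<realm>"; run in the SharePoint Management Shell on a farm server.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

function Get-StaleTokenIssuers {
    param([string]$CurrentRealm = (Get-SPAuthenticationRealm))

    foreach ($issuer in Get-SPTrustedSecurityTokenIssuer) {
        # Everything after the last '@' in the NameId is the realm the trust was created for
        $realm = ($issuer.NameId -split '@')[-1]
        [PSCustomObject]@{
            Name         = $issuer.Name
            NameId       = $issuer.NameId
            IssuerRealm  = $realm
            CurrentRealm = $CurrentRealm
            IsSelfIssuer = $issuer.IsSelfIssuer
            # Self-issuers and trusts whose realm already matches are fine; the rest are
            # the trusts whose previously issued tokens the "Caution" says will stop working
            NeedsFix     = (-not $issuer.IsSelfIssuer) -and ($realm -ne $CurrentRealm)
        }
    }
}

# Show only the trusts that need attention before you decide between "Undo" and "Fix"
Get-StaleTokenIssuers | Where-Object { $_.NeedsFix } |
    Format-Table Name, IssuerRealm, CurrentRealm -AutoSize
```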

To fix this, I wrote a script that gives you 2 options:

  • Undo
    Reverse the changes made by configuring Hybrid. It will change the SPAuthenticationRealm back to the old value. All SharePoint hybrid features stop working. All your provider-hosted add-ins will work again.

  • Fix
    This option will try to change your SPTrustedSecurityTokenIssuers so that they use the new SPAuthenticationRealm set by configuring hybrid.

Caution: There are some notes further down in this post; make sure to read them.

Running the script will result in something like this:
Running the Fix-Hybrid.ps1 script

You can download the script here:

If you choose to fix your SPTrustedSecurityTokenIssuers, you will need to do some additional work to have everything work again.

  • Regrant app permissions

App permissions rely on the SPAuthenticationRealm.
This means that any app permissions you have set will be gone after updating your SPTrustedSecurityTokenIssuers.
You will have to register the apps again and assign the permissions to each app.
The following script can do this for you (the current script is app-instance based, meaning you have to run it for every app instance).
Also, make sure to change the variables in the script before running it.

  • Workflow Manager

Workflow Manager also relies on the SPAuthenticationRealm. Thanks to Ruben de Boer for proposing the solution.
After running the Fix-Onboarding.ps1 script, make sure to remove the existing Workflow Service Application Proxy.
Then run the Register-SPWorkflowService cmdlet again. Make sure to use the same scope that you used before. I recommend using the -Force parameter.

I hope this helps anyone! Do not hesitate to contact me if you have any trouble using the script or have any questions.

People picker settings for all Web Applications one-liner

Summary: This PowerShell one-liner will show the people picker settings for each Web Application, including Central Administration.

If you want to know the settings for the people picker in your SharePoint farm, you can run the following line of PowerShell.
It will retrieve all Web Applications and show the people picker settings for each one.

Get-SPWebApplication -IncludeCentralAdministration | %{Write-Host $_.url; $_.peoplepickersettings | select * | fl }

Running the one-liner will result in something like this:

People picker settings

Download content from a site collection

I’ve been working on a script that will allow you to download all files that are stored in SharePoint in a given site collection.

If the destination path does not exist, the script will offer to create it for you. Before the script runs, it also checks that the site collection exists.

Run the script like this:

.\Get-SPContent.ps1 -SiteCollection "<SiteCollectionURL>" -Destination "<Path>"

Download content

The console shows which libraries were exported to your file system.

----- * Advanced * -----

If you have specific requirements as to which (type of) libraries you want to export, you can change the following line to fit your requirements:

$lists = $web.lists | ?{$_.itemcount -ge "1" -And $_.Hidden -eq $false -And $_.BaseType -eq "DocumentLibrary"} #Excludes all hidden libraries and empty libraries

Below is the code you can save as Get-SPContent.ps1:

param(
    [Parameter(Mandatory=$true)]
    [ValidateScript({asnp *sh* -EA SilentlyContinue; if (Get-SPSite $_) {$true} else {Throw "Site collection $_ does not exist"}})]
    [String]$SiteCollection,

    [Parameter(Mandatory=$true)]
    [ValidateScript({
        if (Test-Path $_) { $true }
        else {
            $d = $_
            $title = "Create Folder?";
            $message = "$_ doesn't exist, do you want the script to create it?";
            $yes = New-Object System.Management.Automation.Host.ChoiceDescription "&Yes", "Creates directory $_";
            $no = New-Object System.Management.Automation.Host.ChoiceDescription "&No", "Exits script";
            $options = [System.Management.Automation.Host.ChoiceDescription[]]($yes,$no);
            $result = $host.ui.PromptForChoice($title,$message,$options,1);
            switch ($result) {
                0 {New-Item $d -Type Directory | Out-Null; $true}
                1 {Throw "Please create the folder before running the script again. `nExiting script"}
            }
        }
    })]
    [String]$Destination
)

Asnp *sh* -EA SilentlyContinue

Start-SPAssignment -Global | Out-Null

function Get-SPWebs($SiteCollection){
    $SiteCollection = Get-SPSite $SiteCollection
    $webs = @()
    $SiteCollection.allwebs | %{$webs += $_.url}
    return $webs
}

function Get-SPFolders($webs){
    foreach($web in $webs){
        $web = Get-SPWeb $web
        Write-Host "`n$($web.url)"

        $lists = $web.lists | ?{$_.itemcount -ge "1" -And $_.Hidden -eq $false -And $_.BaseType -eq "DocumentLibrary"} #Excludes all hidden libraries and empty libraries
        #$lists = $web.lists | ?{$_.title -eq "Documents" -and $_.itemcount -ge "1" -And $_.BaseType -eq "DocumentLibrary"} #Change any identifier here
        foreach($list in $lists){
            Write-Host "- $($list.RootFolder.url)"

            #Download files in root folder
            $rootfolder = $web.GetFolder($list.RootFolder.Url)
            Download-SPContent -Folder $rootfolder

            #Download files in subfolders
            foreach($folder in $list.folders){
                $folder = $web.GetFolder($folder.url)
                Download-SPContent -Folder $folder
            }
        }
    }
}

function Download-SPContent($folder){
    foreach($file in $folder.Files){
        $binary = $file.OpenBinary()
        #All files are written directly into $Destination; the library folder structure is not recreated,
        #so files with the same name in different folders overwrite each other
        $stream = New-Object System.IO.FileStream(($Destination + "/" + $file.Name), [System.IO.FileMode]::Create)
        $writer = New-Object System.IO.BinaryWriter($stream)
        $writer.Write($binary)
        $writer.Close()
        $stream.Close()
    }
}

$webs = Get-SPWebs -SiteCollection $Sitecollection
Get-SPFolders -Webs $webs

Stop-SPAssignment -Global

Encrypting text-based files using PowerShell


This script will encrypt text-based files using PowerShell.

Please find the script in the TechNet Gallery here. All updates to this script will also be managed here:

As a SharePoint administrator I am often asked to script certain tasks. Of course, PowerShell does a great job at this, as it allows me to automate repetitive tasks.

One issue I commonly face is that whenever I use an XML file for those tasks, I sometimes have to include a password in the XML file for some scripts to run. An example is AutoSPInstaller. Personally, I don’t think you should have your passwords in an unencrypted XML file just sitting around for some developer to find and possibly abuse. To work around this, I created some scripts to help me address this issue.
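As an added illustration (not the author’s TechNet Gallery script and not part of the original post), the following shows one way to keep a password out of a plaintext XML config: the value is stored as a DPAPI-protected string via ConvertFrom-SecureString and turned back into a SecureString at run time. The function names, the “encrypted” attribute and the sample config are assumptions of this example.

```powershell
# Added example (not the author's script): protect a password element in an XML config
# with DPAPI. ConvertFrom-SecureString without -Key binds the ciphertext to the current
# user account and machine, so the file is useless to anyone who copies it elsewhere.

function Protect-ConfigPassword {
    param(
        [Parameter(Mandatory=$true)][string]$XmlPath,
        [Parameter(Mandatory=$true)][string]$XPath,     # e.g. "/Config/Account/Password"
        [Parameter(Mandatory=$true)][securestring]$Password
    )
    $xml = New-Object System.Xml.XmlDocument
    $xml.Load($XmlPath)
    $node = $xml.SelectSingleNode($XPath)
    if (-not $node) { throw "No element matches $XPath in $XmlPath" }
    # Replace the plaintext with the protected form and flag it (attribute name is our own choice)
    $node.InnerText = ConvertFrom-SecureString -SecureString $Password
    $node.SetAttribute("encrypted", "true")
    $xml.Save($XmlPath)
}

function Get-ConfigPassword {
    param(
        [Parameter(Mandatory=$true)][string]$XmlPath,
        [Parameter(Mandatory=$true)][string]$XPath
    )
    $xml = New-Object System.Xml.XmlDocument
    $xml.Load($XmlPath)
    $node = $xml.SelectSingleNode($XPath)
    if (-not $node) { throw "No element matches $XPath in $XmlPath" }
    if ($node.GetAttribute("encrypted") -ne "true") {
        Write-Warning "$XPath is still stored in plaintext; run Protect-ConfigPassword first"
        return (ConvertTo-SecureString $node.InnerText -AsPlainText -Force)
    }
    # Throws a clear error when run as a different user or on another machine
    return (ConvertTo-SecureString $node.InnerText)
}

# Constructed sample config, written to a temp file so the example runs stand-alone
$sample = Join-Path $env:TEMP "sample-config.xml"
@"
<Config><Account Name="svc-sharepoint"><Password>P@ssw0rd-sample</Password></Account></Config>
"@ | Set-Content -Path $sample -Encoding UTF8

$plain  = Get-ConfigPassword -XmlPath $sample -XPath "/Config/Account/Password"   # warns: still plaintext
Protect-ConfigPassword -XmlPath $sample -XPath "/Config/Account/Password" -Password $plain
$secure = Get-ConfigPassword -XmlPath $sample -XPath "/Config/Account/Password"
$cred   = New-Object System.Management.Automation.PSCredential ("svc-sharepoint", $secure)
```

Because the default protection is tied to the user and machine, a script that must run under a service account has to protect the file while running as that account; use the -Key parameter of ConvertFrom-SecureString/ConvertTo-SecureString only if that key is itself stored somewhere safer than the XML file.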



Restore deleted site collections SharePoint 2013

In SharePoint 2013 it is possible to restore a deleted site collection. For more information, read this article:

You can use the Restore-SPDeletedSite cmdlet to restore a site collection.

However, if you removed the site collection with the Remove-SPSite cmdlet in PowerShell, the site collection will not be stored as an SPDeletedSite object.

This means you cannot restore a site collection that has been removed using PowerShell.


Add PDF mimetype for all Web Applications oneliner

By default, PDF files cannot be opened directly from SharePoint 2010/SharePoint 2013.

To add the PDF mimetype to all Web Applications (instead of doing it separately for each Web Application), you can use the following oneliner:

Get-SPWebApplication | %{$_.AllowedInlineDownloadedMimeTypes.Add("application/pdf");$_.Update()}

Get all subsites of a subsite using PowerShell

Getting a list of all subsites of a particular site (not a site collection) was a little more work than I expected, so here is how I did it.

Let’s say we have the following situation site structure:


What if we want an overview of all sites under “Https://”?

My first thought was to use the “Webs” property of the SPWeb object. Unfortunately, this only shows the direct subsites for this site. This means that for “Https://”, it only shows the Level 3 sites.


To work around this, I used the “AllWebs” property of the SPSite object and filtered the URLs starting with “Https://”.

Here is the code used: (Download .zip file)

param (
    [Parameter(Mandatory=$true)][ValidateNotNullOrEmpty()]
    [String]$StartWeb,
    [Boolean]$IncludeStartWeb = $true
)

Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$StartWeb = $StartWeb.TrimEnd('/')

# AllWebs holds every web in the site collection; keep the start web and everything below it.
# Matching on "$StartWeb/*" stops ".../sites/hr" from also matching ".../sites/hr2".
$subsites = ((Get-SPWeb $StartWeb).Site).AllWebs | ?{$_.Url -eq $StartWeb -or $_.Url -like "$StartWeb/*"}

# Honour the IncludeStartWeb parameter
if (-not $IncludeStartWeb) { $subsites = $subsites | ?{$_.Url -ne $StartWeb} }

foreach($subsite in $subsites) { Write-Host $subsite.Url }

As you can see in the source code, I added 2 parameters to the script:

StartWeb: String. This is the starting URL. All subsites under this site will be shown in the result.

IncludeStartWeb: Boolean. When set to $false, the output will not include the URL provided in the StartWeb parameter.

Remove users from User Information List (people picker) using PowerShell

This post will describe how you can remove users in bulk from the User Information List using a PowerShell script and a simple CSV file.

In SharePoint 2010, the people picker retrieves data from multiple sources.

– The Site Collection’s User Information List (UIL);
– Active Directory.

Deleting a user from Active Directory does not mean the user can no longer be found in SharePoint. In fact, if you look for this person in the people picker, you will probably still find him/her. Because the data is pulled from different sources, there may be several causes for this.

Assuming the user really has been deleted from Active Directory, I will give you some pointers on how to “delete” the user from the people picker.

I have a user called Kim Akers in my Contoso environment. She has permissions on several sites/subsites, and placed documents and list items in multiple places.

Example site

She also has a MySite.


For some reason, Kim is fired. The Active Directory administrators remove her account from Active Directory.

However, when I look at the People Picker in SharePoint, I can still find this user.

People picker

Why is this happening?

Every user that is given direct permissions, or has logged in to SharePoint, will be added to the Site Collection’s User Information List. This is a hidden list, that you can access by going to your site collection’s URL and add /_catalogs/users/simple.aspx. For instance:

This will show a list of all users that have logged in on your SharePoint. Sure enough, Kim can still be found here, even though her account has been deleted in Active Directory.

User Information List


To remove the user from the User Information List, you can use the GUI. If you want more information on how to do this, read this article. Also, make sure the profile for this user is not in the Profile Database. You can remove users from the Profile Database directly by going to Central Administration -> Application Management -> Manage Service Applications -> click your User Profile Service Application -> Manage User Profiles -> find the profile by entering the name -> select the name in the list, and click Delete.

In my case, I wanted to remove a list of users from All site collections, because I am certain that these users will never log in again, and I don’t want them to show in the people picker. The below script will do just that!

param(
    [Parameter(Mandatory=$true)][ValidateScript({Test-Path $_ -Include "*.csv"})]
    [String]$CSVPath
)

#This script will remove users specified in the CSV.
#The CSV needs a header row with a "Username" column.

$CSVFile = Import-CSV $CSVPath
Add-PSSnapin Microsoft.SharePoint.PowerShell -EA SilentlyContinue

#Get all site collections
$Sites = Get-SPSite -Limit All
$AllSites = @()
foreach($Line in $CSVFile){
    foreach($Site in $Sites){
        #Get the rootweb for the site collection
        $RootWeb = $Site.RootWeb
        #Get-SPUser returns nothing (and no error) when the user is not in this site collection's UIL
        if(Get-SPUser $Line.Username -Web $RootWeb -EA SilentlyContinue){
            #Remove the user from the User Information List
            Remove-SPUser -Identity $Line.Username -Web $RootWeb -Confirm:$False
            $AllSites += $RootWeb.Url
        }
    }
    if($AllSites.Count -gt 0){
        #Give feedback on deleted users
        Write-Host "Removed user $($Line.Username) from:" -Fore "Magenta"
        foreach($S in $AllSites){Write-Host "- $S"}
        Write-Host ""
    }
    $AllSites = @()
}

I save the above text in a .ps1 file called Remove-SPUserBulk.ps1.

Next, I create a CSV file (Users.csv) that will contain all the users that I want to remove. My demo CSV looks like this:


As you can see, I added a non-existing account to show that the script only deletes the existing user and that the output is correct. I run the script by going to the location where the Remove-SPUserBulk.ps1 file is located and entering: .\Remove-SPUserBulk.ps1 -CSVPath "C:\scripts\Users.csv"

Below is the result.


Be aware that if the user is a site collection administrator, you will get an error stating you cannot delete the owners of a Web site collection.

Site collection creation time using PowerShell

This script will show you the site collection creation time for each site collection using PowerShell.
Try the following oneliner to get all the information you need:

Get-SPSite -Limit All | %{$root = $_.rootweb; $date = $root.created.toShortDateString(); Write-Host "$($root.url) was created on $($date)"}

Site collection creation time