This guide contains instructions for installing and configuring Metalogix ControlPoint for Office365 SharePoint Administration (alternatively called ControlPoint Online). ControlPoint Online is a Web-based application that offers a proactive, integrated solution for managing site collections within a hosted SharePoint environment.
On-Premises/Azure VM Server Requirements
IMPORTANT: To install ControlPoint Online in Azure, you must use a dedicated Azure VM. ControlPoint cannot be installed as an Azure service app.
·Windows Server 2012 Service Pack 3, 64-bit, Windows Server 2016, or Windows 2019 with the IIS role configured.
NOTE: The server can be either dedicated to ControlPoint Online or shared with other functions.
·Microsoft SQL Server: SQL Server 2012, 2014 SP1 (64 bit), 2016, or 2019 (to host the ControlPoint Services (xcAdmin) database).
NOTE: ControlPoint can use the same SQL Server instance as SharePoint, but it can also use a separate instance or separate server.
·.NET framework version 4.5 or later (for use by the installer), and ASP.NET 4.0 or later.
·TLS version 1.2 (preferably with .NET framework version 4.7).
·PowerShell version 3.0 or later.
·The account used to install the on-premises components of ControlPoint Online must be:
§a member of the local Administrators group on the machine where ControlPoint Online is installed
§added to the security server role sysadmin in the SQL server that will be hosting the ControlPoint Services (xcAdmin) database
·The account used to create the ControlPoint Online site and create/register the ControlPoint Online app (to allow the use of Modern and Multi-Factor Authentication) must be an O365 Global Administrator.
·The account that will be used to run ControlPoint (that is, the ControlPoint Service Account) must:
§be a member of the local Administrators group on the machine where ControlPoint Online is installed
§have a valid login for the SQL server that will be hosting the ControlPoint Services (xcAdmin) database (sysadmin rights are not required for this account)
§be a Site Collection Administrator for each site collection to be managed using ControlPoint.
NOTE: If you will be configuring ControlPoint Services, the account must meet all of the requirements listed above and have permissions to Run as a Service.
ControlPoint User Requirements
ControlPoint users must:
·be any of the following:
§members of the Site Collection Administrators group in the site collection that will host the ControlPoint Configuration site as well as in every Site Collection they will be managing using ControlPoint Online.
§a Global Administrator in the Office 365 tenant.
§a SharePoint Administrator in the Office 365 tenant.
IMPORTANT: Global and SharePoint Administrators who are not also Site Collection Administrators can view the entire SharePoint Hierarchy and perform operations on all site collections via ControlPoint but will be unable to access SharePoint content directly.
·use a compatible Web browser:
§Mozilla Firefox version 3 or later
§Google Chrome (latest public release)
§Microsoft Internet Explorer (IE) version 10 or later
EXCEPTION: When using Internet Explorer build 11.0.9600.18617, report results do not fill the entire results section.
Note that some browsers may have limitations.
·Prior to ControlPoint Online installation, a site collection must exist in SharePoint Online to host the ControlPoint Online Configuration Site.
·If SharePoint is not installed on the same server as ControlPoint Online, IIS must be configured to allow the ControlPoint Online Configuration Site to run on the server. See Appendix: Configuring IIS if SharePoint is not Installed for details.
Supported Authentication Methods
As of version 8.3.1, ControlPoint Online uses Microsoft Modern Authentication to connect to hosted site collections. Authentication can be based on any of the following methods:
·Separate accounts that are managed within the hosted environment
When this method is used, credentials are passed to and must be verified in the hosted environment in order for ControlPoint to be accessed.
·Using Azure Active Directory
·Using Active Directory Federated Services (ADFS)
When this method is used, ControlPoint will authenticate with the local ADFS and use that identity to communicate with the hosted environment.
IMPORTANT: Currently, ControlPoint users cannot be members of an Office 365 group that was created at the tenant level. The only groups whose members can have permissions in ControlPoint are Security groups.
If you want to use ControlPoint to manage multiple farms and/or O365 tenants, a copy of the ControlPoint application must be installed on a server in each environment. Each farm has:
·its own Web application and ControlPoint Configuration site
·its own ControlPoint menus (including any customized menus), and
·its own ControlPoint security model, which determines administrators' access to ControlPoint menu items.
You have the option of installing ControlPoint either:
·as separate, single-farm installations, which means that each farm has:
§its own ControlPoint Service (xcAdmin) databases, and
§its own ControlPoint license activation code
·as a multi-farm installation, which means that farms share:
§the same ControlPoint Service (xcAdmin) database, which allows ControlPoint users to navigate among and operate on other farms and makes it easier to switch from one farm to another from within the ControlPoint application interface, and
§a common ControlPoint license activation code.
IMPORTANT: Install the same version of ControlPoint on all farms in a multi-farm installation, as updates to the ControlPoint Service (xcAdmin) database may not be compatible with earlier versions.
Factors to Consider When Choosing the Appropriate Installation Type for your SharePoint Environment
The optimal installation type depends on a number of factors, including how your SharePoint environment is configured, the size of your farms, and whether there is connectivity between them.
Single-farm installations are preferable if:
·farms are in different domains that do not have a two-way trust relationship
·farms are on different WANs or network segments where bandwidth is limited or connectivity between farms is not maintained
·SQL server resources are limited and scalability of the xcAdmin database is a concern, and/or
·different groups of people are responsible for managing different farms.
If you choose this approach, you will need to bookmark each of the farms if you want to easily switch between them. You will still be able to copy and move sites across farms, but you will have to enter the destination site's URL instead of selecting it from a list.
Consider a multi-farm installation if:
·you want to be able to:
§navigate through and operate on more than one farm using a single application interface
§run ControlPoint actions and analyses on more than one farm in a single operation, and/or
§quickly switch between farms from the ControlPoint application interface
·farms are in the same domain or in domains with at least a two-way trust relationship
·farms are on the same WAN or network segment (that is, bandwidth is adequate and connectivity between farms is maintained)
·your SQL server is robust enough that scalability of the xcAdmin database is not an issue
·the same group of people is responsible for managing all farms.
For farms that utilize a common instance of SQL server, you will need to perform a multi-farm installation. When installing ControlPoint in this circumstance, be sure to provide a unique name for the content database used by the Web application that hosts the ControlPoint Configuration Site collection for each farm.
You can of course use different installation types to suit the needs of different farms. For example, you may want to use a multi-farm installation for QA and development farms and single-farm installations for production farms.
·Contact Quest Support to obtain a license activation code for each additional farm.
·For each farm, complete the entire installation process, which includes:
§specifying the location where you want to create the ControlPoint Service (xcAdmin) database for the farm, and
§activating a separate ControlPoint license for each farm.
a multi-farm installation
·Install ControlPoint in the first farm, which includes:
§specifying the location where you want to create the ControlPoint Service (xcAdmin) database that will be shared by all farms, and
§activating your ControlPoint license.
·For additional farms, perform a complete installation and when you specify the location of the xcAdmin database, be certain to specify the server on which you created the database for the first farm.
NOTE: Make sure that all farms in a multi-farm environment are running the same version of ControlPoint.
Special Considerations When Using Different Editions of ControlPoint in a Multi-Farm Environment
If all farms in a multi-farm environment have the same edition of ControlPoint (Standard, Non-Standard, or Online) installed, any one of the farms can be the home farm, and all farms will display in the SharePoint Hierarchy, which enables you to perform operations on multiple farms.
However, for multi-farm environments that have different editions of ControlPoint installed, some limitations apply if you want to be able to display multiple farms in the SharePoint Hierarchy and perform multi-farm operations.
·If the multi-farm installation includes ControlPoint Standard along with Non-Standard and/or ControlPoint Online, then for multiple farms to display in the SharePoint Hierarchy, a Standard farm must be the home farm.
·If the multi-farm installation consists of only Non-Standard and ControlPoint Online, then for multiple farms to display in the SharePoint Hierarchy, a Non-Standard farm must be the home farm.
NOTE: Regardless of whether or not all farms display in the SharePoint Hierarchy, you will always be able to change the active farm by selecting from the Available Farms drop-down.
Additionally, if you log into a multi-farm environment that includes both ControlPoint on premises and ControlPoint Online, you will be prompted to log into ControlPoint Online using your Microsoft Office 365 credentials.
If you want to load on-premises farms only, you can dismiss the dialog by clicking [Ignore Cloud Farms].
To use Discovery and Sensitive Content Manager services:
·TLS version 1.2 must be enabled on the server where the services are installed
·the .NET Framework must be configured to support strong cryptography (via the Windows Registry setting SchUseStrongCrypto).
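The following PowerShell check is an added example, not part of the vendor documentation. It reads (and does not change) the registry values behind the TLS 1.2, .NET Framework version and SchUseStrongCrypto requirements above. The helper names Get-RegValue and New-Check are illustrative, and it assumes the standard Windows registry locations for these settings.

```powershell
# Added example (not vendor code): read-only check of the TLS 1.2 and .NET prerequisites.
function Get-RegValue {
    param([string]$Path, [string]$Name)
    # Return $null when the key or value is absent instead of throwing.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name } else { $null }
}
function New-Check {
    param($Check, $Value, $Status)
    if ($null -eq $Value) { $Value = '(not set)' }
    [pscustomobject]@{ Check = $Check; Value = $Value; Status = $Status }
}

$results = @()

# .NET Framework 4.x release number: 378389 = 4.5 (minimum), 460798 = 4.7 (preferred).
$release = Get-RegValue 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full' 'Release'
$status = 'FAIL'
if ($release -ge 378389) { $status = 'OK (4.5 or later; 4.7 preferred)' }
if ($release -ge 460798) { $status = 'OK (4.7 or later)' }
$results += New-Check '.NET Framework release' $release $status

# SchUseStrongCrypto must be 1 in both registry views; the WOW6432Node view
# is the one that applies to 32-bit .NET processes on a 64-bit server.
foreach ($root in 'HKLM:\SOFTWARE\Microsoft', 'HKLM:\SOFTWARE\WOW6432Node\Microsoft') {
    $key = "$root\.NETFramework\v4.0.30319"
    $v = Get-RegValue $key 'SchUseStrongCrypto'
    $status = 'FAIL'
    if ($v -eq 1) { $status = 'OK' }
    $results += New-Check "$key\SchUseStrongCrypto" $v $status
}

# SCHANNEL TLS 1.2: absent values mean the operating system default applies,
# so only an explicit disable (Enabled = 0 or DisabledByDefault <> 0) is a failure.
$base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2'
foreach ($role in 'Client', 'Server') {
    $enabled  = Get-RegValue "$base\$role" 'Enabled'
    $disabled = Get-RegValue "$base\$role" 'DisabledByDefault'
    $status = 'OK (not disabled)'
    if ($null -eq $enabled -and $null -eq $disabled) { $status = 'OS default (verify)' }
    if (($null -ne $enabled -and $enabled -eq 0) -or
        ($null -ne $disabled -and $disabled -ne 0)) { $status = 'FAIL (disabled)' }
    $results += New-Check "TLS 1.2 $role" "Enabled=$enabled; DisabledByDefault=$disabled" $status
}

$results | Format-Table -AutoSize -Wrap
```

Run it in an elevated session on the server where the services are installed; any FAIL row identifies the registry value to correct before installation.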
Refer to the following Microsoft articles for complete details.