diff --git a/microsoft-365/enterprise/content-delivery-networks.md b/microsoft-365/enterprise/content-delivery-networks.md index 7360bed3902..6e3f0a4e72a 100644 --- a/microsoft-365/enterprise/content-delivery-networks.md +++ b/microsoft-365/enterprise/content-delivery-networks.md @@ -35,7 +35,8 @@ CDNs help keep Microsoft 365 fast and reliable for end users. Cloud services lik A CDN is a geographically distributed network consisting of proxy and file servers in datacenters connected by high-speed backbone networks. CDNs are used to reduce latency and load times for a specified set of files and objects in a web site or service. A CDN may have many thousands of endpoints for optimal servicing of incoming requests from any location. -CDNs are commonly used to provide faster downloads of generic content for a web site or service such as JavaScript files, icons and images, and can also provide private access to user content such as files in SharePoint document libraries, streaming media files, and custom code. +CDNs are commonly used to provide faster downloads of generic content for a web site or service such as Javascript files, icons and images. + CDNs are used by most enterprise cloud services. Cloud services like Microsoft 365 have millions of customers downloading a mix of proprietary content (such as emails) and generic content (such as icons) at one time. It's more efficient to put images everyone uses, like icons, as close to the user's computer as possible. It isn't practical for every cloud service to build CDN datacenters that store this generic content in every metropolitan area, or even in every major Internet hub around the world, so some of these CDNs are shared. 
@@ -56,15 +57,13 @@ The built-in Microsoft 365 Content Delivery Network (CDN) allows Microsoft 365 a > [!NOTE] > The Microsoft 365 CDN is only available to tenants in the **Production** (worldwide) cloud. Tenants in the US Government, China and Germany clouds do not currently support the Microsoft 365 CDN. -The Microsoft 365 CDN is composed of multiple CDNs that allow you to host static assets in multiple locations, or _origins_, and serve them from global high-speed networks. Depending on the kind of content you want to host in the Microsoft 365 CDN, you can add **public** origins, **private** origins or both. +The Microsoft 365 CDN is composed of multiple CDNs that allow you to host static assets in multiple locations, or _origins_, and serve them from global high-speed networks. ![Microsoft 365 CDN conceptual diagram.](../media/O365-CDN/o365-cdn-flow-transparent.svg "Microsoft 365 CDN conceptual diagram") Content in **public** origins within the Microsoft 365 CDN is accessible anonymously, and can be accessed by anyone who has URLs to hosted assets. Because access to content in public origins is anonymous, you should only use them to cache non-sensitive generic content such as JavaScript files, scripts, icons and images. The Microsoft 365 CDN is used by default for downloading generic resource assets like the Microsoft 365 client applications from a public origin. -**Private** origins within the Microsoft 365 CDN provide private access to user content such as SharePoint document libraries, sites and proprietary images. Access to content in private origins is secured with dynamically generated tokens so it can only be accessed by users with permissions to the original document library or storage location. Private origins in the Microsoft 365 CDN can only be used for SharePoint content, and you can only access assets through redirection from your SharePoint tenant. - -The Microsoft 365 CDN service is included as part of your SharePoint subscription. 
+The Microsoft 365 CDN service is included as part of your SharePoint Online subscription. For more information about how to use the Microsoft 365 CDN, see [Use the Microsoft 365 content delivery network with SharePoint](use-microsoft-365-cdn-with-spo.md). @@ -105,12 +104,8 @@ Regardless of what CDN you configure for your Microsoft 365 tenant, the basic da 1. Your client (a browser or Office client application) requests data from Microsoft 365. -2. Microsoft 365 either returns the data directly to your client or, if the data is part of a set of content hosted by the CDN, redirects your client to the CDN URL. - - a. If the data is already cached in a _public_ origin, your client downloads the data directly from the nearest CDN location to your client. - - b. If the data is already cached in a _private_ origin, the CDN service checks your Microsoft 365 user account's permissions on the origin. If you have permissions, SharePoint dynamically generates a custom URL composed of the path to the asset in the CDN and two access tokens, and returns the custom URL to your client. Your client then downloads the data directly from the nearest CDN location to your client using the custom URL. - +2. Microsoft 365 either returns the data directly to your client or, if the data is part of a set of content hosted by the CDN, redirects your client to the CDN URL. If the data is already cached in a _public_ origin, your client downloads the data directly from the nearest CDN location to your client. + 3. If the data isn't cached at the CDN, the CDN node requests the data from Microsoft 365 and then caches the data for time after your client downloads the data. The CDN figures out the closest datacenter to the user's browser and, using redirection, downloads the requested data from there. CDN redirection is quick, and can save users a lot of download time. 
@@ -127,7 +122,7 @@ The CDNs in use by Microsoft 365 are always subject to change and in many cases |CDN |Company |Usage |Link | |---------|---------|---------|---------| -|Microsoft 365 CDN |Microsoft Azure |Generic assets in public origins, SharePoint user content in private origins |[Microsoft Azure CDN](/azure/frontdoor/) | +|Microsoft 365 CDN |Microsoft Azure |Generic assets in public origins |[Microsoft Azure CDN](/azure/frontdoor/) | |Azure CDN |Microsoft |Custom code, SharePoint Framework solutions |[Microsoft Azure CDN](/azure/frontdoor/) | |Microsoft Ajax CDN (read only) |Microsoft |Common libraries for Ajax, jQuery, ASP.NET, Bootstrap, Knockout.js etc. |[Microsoft Ajax CDN](/aspnet/ajax/cdn/overview) | diff --git a/microsoft-365/enterprise/office-365-cdn-quickstart.md b/microsoft-365/enterprise/office-365-cdn-quickstart.md index 47f857f3830..769eb0474ea 100644 --- a/microsoft-365/enterprise/office-365-cdn-quickstart.md +++ b/microsoft-365/enterprise/office-365-cdn-quickstart.md 
@@ -30,9 +30,6 @@ You can use the built-in **Office 365 Content Delivery Network (CDN)** to host s For more detailed information, see [Use the Office 365 Content Delivery Network (CDN) with SharePoint](use-microsoft-365-cdn-with-spo.md). -> [!CAUTION] -> As images are now automatically managed in a SharePoint service-managed Private CDN, the manually configured Private CDN is in the process of being deprecated. This means that customers no longer need to configure private CDN. The recommended practice remains unchanged as images will be hosted via the service-managed Private CDN automatically and Public CDN will continue to be available for all other file types, like CSS and JS. Any customers using Private CDN for file types other than images, will need to move those files into Public CDN. Public CDN is recommended for these file types, to enhance performance. - >[!NOTE] >The Office 365 CDN is only available to tenants in the production (worldwide) cloud. Tenants in the US Government, China and Germany clouds do not currently support the Office 365 CDN. 
@@ -53,14 +50,14 @@ When you run the Page Diagnostics for SharePoint tool on a SharePoint in Microso The Office 365 CDN is designed to optimize performance for users by distributing frequently accessed objects like images and JavaScript files over a high-speed global network, reducing page load time and providing access to hosted objects as close as possible to the user. The CDN fetches your assets from a location called an _origin_. An origin can be a SharePoint site, document library, or folder that is accessible by a URL. -The Office 365 CDN is separated into two basic types: +The Office 365 CDN supports: -- **Public CDN** is designed to be used for JS (JavaScript), CSS (StyleSheets), Web Font File (WOFF, WOFF2) and nonproprietary images like company logos. -- **Private CDN** is designed to be used for images (PNG, JPG, JPEG, etc.). +- **Public CDN**, which is designed to be used for JS (JavaScript), CSS (StyleSheets), Web Font File (WOFF, WOFF2) and non-proprietary images like company logos. -You can choose to have both public or private origins for your organization. Most organizations will choose to implement a combination of the two. Both public and private options provide similar performance gains, but each has unique attributes and advantages. For more information about public and private CDN origins, see [Choose whether each origin should be public or private](use-microsoft-365-cdn-with-spo.md#CDNOriginChoosePublicPrivate). +You can choose public origins for your organization [Choose public origins](use-microsoft-365-cdn-with-spo.md). -## How to enable Public and Private CDN with the default configuration +## How to enable Public CDN with the default configuration +Before you make changes to the tenant CDN settings, you should verify that it meets compliance, security and privacy policies of your organization. 
Before you make changes to the tenant CDN settings, you should verify that it meets compliance, security, and privacy policies of your organization. @@ -72,16 +69,12 @@ Connect to your tenant using the SharePoint Management Shell: Connect-SPOService -Url https://-admin.sharepoint.com ``` -To enable your organization to use both public and private origins with the default configuration, type the following command: +To enable your organization to use public origin with the default configuration, type the following command: ```PowerShell -Set-SPOTenantCdnEnabled -CdnType Both -Enable $true +Set-SPOTenantCdnEnabled -CdnType Public -Enable $true ``` -Output of these cmdlets should look like the following: - -![Output of Set-SPOTenantCdnEnabled.](../media/O365-CDN/o365-cdn-enable-output.png) - ## See also [Use the Page Diagnostics tool for SharePoint](./page-diagnostics-for-spo.md) diff --git a/microsoft-365/enterprise/use-microsoft-365-cdn-with-spo.md b/microsoft-365/enterprise/use-microsoft-365-cdn-with-spo.md index d3b6ec68a41..7517c6135f2 100644 --- a/microsoft-365/enterprise/use-microsoft-365-cdn-with-spo.md +++ b/microsoft-365/enterprise/use-microsoft-365-cdn-with-spo.md 
@@ -30,13 +30,10 @@ description: Learn how to use the Office 365 Content Delivery Network (CDN) to s You can use the built-in Office 365 Content Delivery Network (CDN) to host static assets to provide better performance for your SharePoint Online pages. The Office 365 CDN improves performance by caching static assets closer to the browsers requesting them, which helps to speed up downloads and reduce latency. Also, the Office 365 CDN uses the [HTTP/2 protocol](https://en.wikipedia.org/wiki/HTTP/2) for improved compression and HTTP pipelining. The Office 365 CDN service is included as part of your SharePoint Online subscription. -> [!CAUTION] -> As images are now automatically managed in a SharePoint Online service-managed Private CDN, the manually configured Private CDN is in the process of being deprecated. This behavior means that customers no longer need to configure private CDN. The recommended practice remains unchanged as images are hosted via the service-managed Private CDN automatically. Public CDN continues to be available for all other file types (for example, CSS and JS). Customers using Private CDN for file types other than images, need to move those files into Public CDN. We recommend Public CDN for these file types to enhance performance. - > [!NOTE] > The Office 365 CDN is only available to tenants in the **Production** (worldwide) cloud. Tenants in the US Government and China clouds don't currently support the Office 365 CDN. -The Office 365 CDN is composed of multiple CDNs that allow you to host static assets in multiple locations, or _origins_, and serve them from global high-speed networks. Depending on the kind of content you want to host in the Office 365 CDN, you can add **public** origins, **private** origins or both. See [Choose whether each origin should be public or private](use-microsoft-365-cdn-with-spo.md#CDNOriginChoosePublicPrivate) for more information on the difference between public and private origins. 
+The Office 365 CDN is composed of multiple CDNs that allow you to host static assets in multiple locations, or _origins_, and serve them from global high-speed networks. Depending on the kind of content you want to host in the Office 365 CDN such as you can add **public** origins. ![Office 365 CDN conceptual diagram.](../media/O365-CDN/o365-cdn-flow-transparent.png "Office 365 CDN conceptual diagram") @@ -54,7 +51,6 @@ To set up the Office 365 CDN for your organization, you follow these basic steps - [Plan for deployment of the Office 365 CDN](use-microsoft-365-cdn-with-spo.md#plan-for-deployment-of-the-office-365-cdn) - [Determine which static assets you want to host on the CDN](use-microsoft-365-cdn-with-spo.md#CDNAssets). - [Determine where you want to store your assets](use-microsoft-365-cdn-with-spo.md#CDNStoreAssets). This location can be a SharePoint site, library or folder and is called an _origin_. - - [Choose whether each origin should be public or private](use-microsoft-365-cdn-with-spo.md#CDNOriginChoosePublicPrivate). You can add multiple origins of both public and private types. - Set up and configure the CDN, using either PowerShell or the CLI for Microsoft 365 - [Set up and configure the CDN by using the SharePoint Online Management Shell](use-microsoft-365-cdn-with-spo.md#CDNSetupinPShell) @@ -64,7 +60,6 @@ To set up the Office 365 CDN for your organization, you follow these basic steps When you complete this step, you get the following results: - The CDN is enabled for your organization. - - You added your origins, identifying each origin as public or private. Once you're done with setup, you can [Manage the Office 365 CDN](use-microsoft-365-cdn-with-spo.md#CDNManage) over time by: 
@@ -83,7 +78,6 @@ Before you deploy the Office 365 CDN for your Office 365 tenant, you should cons - [Determine which static assets you want to host on the CDN](use-microsoft-365-cdn-with-spo.md#CDNAssets) - [Determine where you want to store your assets](use-microsoft-365-cdn-with-spo.md#CDNStoreAssets) -- [Choose whether each origin should be public or private](use-microsoft-365-cdn-with-spo.md#CDNOriginChoosePublicPrivate) 
@@ -103,30 +97,16 @@ Performance improvement on a per-file basis is dependent on many factors, includ ### Determine where you want to store your assets -The CDN fetches your assets from a location called an _origin_. An origin can be a SharePoint site, document library or folder that is accessible by a URL. You have great flexibility when you specify origins for your organization. For example, you can specify multiple origins or a single origin where you want to put all your CDN assets. You can choose to have both public or private origins for your organization. Most organizations choose to implement a combination of the two. +The CDN fetches your assets from a location called an _origin_. An origin can be a SharePoint site, document library or folder that is accessible by a URL. You have great flexibility when you specify origins for your organization. For example, you can specify multiple origins or a single origin where you want to put all your CDN assets. You can create new container for your origins such as folders or document libraries, and add files you want to make available from the CDN. This is a good approach for a specific set of assets that you want to be available from the CDN, and you want to restrict the set of CDN assets to only those files in the container. You can also configure an existing site collection, site, library or folder as an origin, which makes all eligible assets in the container available from the CDN. Before you add an existing container as an origin, it's important to make sure you're aware of its contents and permissions so you don't inadvertently expose assets to anonymous access or unauthorized users. -You can define _CDN policies_ to exclude content in your origins from the CDN. CDN policies exclude assets in public or private origins by attributes such as _file type_ and _site classification_, and are applied to all origins of the CdnType (private or public) you specify in the policy. 
For example, if you add a private origin consisting of a site that contains multiple subsites, you can define a policy to exclude sites marked as **Confidential** so content from sites with that classification applied aren't served from the CDN. The policy applies to content from _all_ private origins that you added to the CDN. +You can define _CDN policies_ to exclude content in your origins from the CDN. CDN policies exclude assets in public origins by attributes such as _file type_ and _site classification_, and are applied to all origins of the CdnType (private or public) you specify in the policy. For example, if you add a origin consisting of a site that contains multiple subsites, you can define a policy to exclude sites marked as **Confidential** so content from sites with that classification applied aren't served from the CDN. The policy applies to content from _all_ origins that you added to the CDN. Keep in mind that the greater the number of origins, the greater the effect on the time it takes the CDN service to process requests. We recommend that you limit the number of origins as much as possible. - - -### Choose whether each origin should be public or private - -When you identify an origin, you specify whether it should be made _public_ or _private_. Access to CDN assets in public origins is anonymous, and CDN content in private origins is secured by dynamically generated tokens for greater security. Regardless of which option you choose, Microsoft does all the heavy lifting for you when it comes to administration of the CDN itself. Also, you can change your mind later, after you set up the CDN and identified your origins. - -Both public and private options provide similar performance gains, but each has unique attributes and advantages. - -**Public** origins within the Office 365 CDN are accessible anonymously, and hosted assets can be accessed by anyone who has the URL to the asset. 
Because access to content in public origins is anonymous, you should only use them to cache nonsensitive generic content such as JavaScript files, scripts, icons and images. - -**Private** origins within the Office 365 CDN provide private access to user content such as SharePoint Online document libraries, sites and proprietary images. Access to content in private origins is secured by dynamically generated tokens so it can only be accessed by users with permissions to the original document library or storage location. Private origins in the Office 365 CDN can only be used for SharePoint Online content, and you can only access assets in private origins through redirection from your SharePoint Online tenant. - -You can read more about how CDN access to assets in a private origin works in [Using assets in private origins](use-microsoft-365-cdn-with-spo.md#using-assets-in-private-origins). - #### Attributes and advantages of hosting assets in public origins - Assets exposed in a public origin are accessible by everyone anonymously. 
@@ -143,30 +123,10 @@ You can read more about how CDN access to assets in a private origin works in [U - You can configure a policy to exclude assets based on specified site classifications. For example, you can exclude all assets that are marked as "confidential" or "restricted", even if they're an allowed file type and are located in a public origin. -#### Attributes and advantages of hosting assets in private origins - -- Private origins can only be used for SharePoint Online assets. - -- Users can only access the assets from a private origin if they have permissions to access the container. Anonymous access to these assets is prevented. - -- Assets in private origins must be referred from the SharePoint Online tenant. Direct access to private CDN assets doesn't work. - -- If you remove an asset from the private origin, the asset might continue to be available for up to an hour from the cache. But, links to the asset in the CDN are invalid within 15 minutes of the removal of the asset. - -- The default file types that are included for private origins are .gif, .ico, .jpeg, .jpg, .js, and .png. You can specify other file types. - -- Just like with public origins, you can configure a policy to exclude assets that are identified by site classifications that you specify even if you use wildcards to include all assets within a folder or document library. - -For more information about why to use the Office 365 CDN, general CDN concepts, and other Microsoft CDNs you can use with your Office 365 tenant, see [Content Delivery Networks](content-delivery-networks.md). - ### Default CDN origins Unless you specify otherwise, Office 365 sets up some default origins for you when you enable the Office 365 CDN. If you initially opt not to provision them, you can add these origins after you complete setup. 
Unless you understand the consequences of skipping the setup of default origins and have a specific reason for doing so, you should allow them to be created when you enable the CDN. -Default private CDN origins: - -- \*/siteassets - Default public CDN origins: - \*/masterpage @@ -188,7 +148,7 @@ Complete these steps to set up and configure the CDN to host your assets in Shar ### Enable your organization to use the Office 365 CDN -Before you make changes to the tenant CDN settings, you should retrieve the current status of the private CDN configuration in your Office 365 tenant. Connect to your tenant using the SharePoint Online Management Shell: +Before you make changes to the tenant CDN settings, you should retrieve the current status of the CDN configuration in your Office 365 tenant. Connect to your tenant using the SharePoint Online Management Shell: ```powershell Connect-SPOService -Url https://contoso-admin.sharepoint.com 
@@ -197,29 +157,23 @@ Connect-SPOService -Url https://contoso-admin.sharepoint.com Now use the **Get-SPOTenantCdnEnabled** cmdlet to retrieve the CDN status settings from the tenant: ```powershell -Get-SPOTenantCdnEnabled -CdnType +Get-SPOTenantCdnEnabled -CdnType Public ``` The status of the CDN for the specified CdnType is shown on the screen. -Use the **Set-SPOTenantCdnEnabled** cmdlet to enable your organization to use the Office 365 CDN. You can enable your organization to use public origins, private origins, or both at once. You can also configure the CDN to skip the setup of default origins when you enable it. You can always add these origins later as described in this article. +Use the **Set-SPOTenantCdnEnabled** cmdlet to enable your organization to use the Office 365 CDN. You can enable your organization to use public origins. You can also configure the CDN to skip the setup of default origins when you enable it. You can always add these origins later as described in this article. 
In Windows PowerShell for SharePoint Online: ```powershell -Set-SPOTenantCdnEnabled -CdnType -Enable $true -``` - -For example, to enable your organization to use both public and private origins, type the following command: - -```powershell -Set-SPOTenantCdnEnabled -CdnType Both -Enable $true +Set-SPOTenantCdnEnabled -CdnType Public -Enable $true ``` -To enable your organization to use both public and private origins but skip setting up the default origins, type the following command: +To enable your organization to use public origins but skip setting up the default origins, type the following command: ```powershell -Set-SPOTenantCdnEnabled -CdnType Both -Enable $true -NoDefaultOrigins +Set-SPOTenantCdnEnabled -CdnType Public -Enable $true -NoDefaultOrigins ``` See [Default CDN origins](use-microsoft-365-cdn-with-spo.md#default-cdn-origins) for information about the origins that are provisioned by default when you enable the Office 365 CDN, and the potential effect of skipping the setup of default origins. @@ -230,12 +184,6 @@ To enable your organization to use public origins, type the following command: Set-SPOTenantCdnEnabled -CdnType Public -Enable $true ``` -To enable your organization to use private origins, type the following command: - -```powershell -Set-SPOTenantCdnEnabled -CdnType Private -Enable $true -``` - For more information about this cmdlet, see [Set-SPOTenantCdnEnabled](/powershell/module/sharepoint-online/Set-SPOTenantCdnEnabled). 
@@ -245,24 +193,24 @@ For more information about this cmdlet, see [Set-SPOTenantCdnEnabled](/powershel > [!TIP] > When you define file types by using the **Set-SPOTenantCdnPolicy** cmdlet, you overwrite the currently defined list. If you want to add other file types to the list, use the cmdlet first to find out what file types are already allowed and include them in the list along with your new ones. -Use the **Set-SPOTenantCdnPolicy** cmdlet to define static file types that can be hosted by public and private origins in the CDN. By default, common asset types are allowed, for example .css, .gif, .jpg, and .js. +Use the **Set-SPOTenantCdnPolicy** cmdlet to define static file types that can be hosted by public origins in the CDN. By default, common asset types are allowed, for example .css, .gif, .jpg, and .js. In Windows PowerShell for SharePoint Online: ```powershell -Set-SPOTenantCdnPolicy -CdnType -PolicyType IncludeFileExtensions -PolicyValue "" +Set-SPOTenantCdnPolicy -CdnType -PolicyType IncludeFileExtensions -PolicyValue "" ``` For example, to enable the CDN to host .css and .png files, you would enter the command: ```powershell -Set-SPOTenantCdnPolicy -CdnType Private -PolicyType IncludeFileExtensions -PolicyValue "CSS,PNG" +Set-SPOTenantCdnPolicy -CdnType Public -PolicyType IncludeFileExtensions -PolicyValue "CSS,PNG" ``` To see what file types are currently allowed by the CDN, use the **Get-SPOTenantCdnPolicies** cmdlet: ```powershell -Get-SPOTenantCdnPolicies -CdnType +Get-SPOTenantCdnPolicies -CdnType ``` For more information about these cmdlets, see [Set-SPOTenantCdnPolicy](/powershell/module/sharepoint-online/) and [Get-SPOTenantCdnPolicies](/powershell/module/sharepoint-online/). 
@@ -279,13 +227,13 @@ Use the **Set-SPOTenantCdnPolicy** cmdlet to exclude site classifications that y In Windows PowerShell for SharePoint Online: ```powershell -Set-SPOTenantCdnPolicy -CdnType -PolicyType ExcludeRestrictedSiteClassifications -PolicyValue "" +Set-SPOTenantCdnPolicy -CdnType -PolicyType ExcludeRestrictedSiteClassifications -PolicyValue "" ``` To see what site classifications are currently restricted, use the **Get-SPOTenantCdnPolicies** cmdlet: ```powershell -Get-SPOTenantCdnPolicies -CdnType +Get-SPOTenantCdnPolicies -CdnType ``` The returned properties are _IncludeFileExtensions_, _ExcludeRestrictedSiteClassifications_ and _ExcludeIfNoScriptDisabled_. @@ -311,7 +259,7 @@ Use the **Add-SPOTenantCdnOrigin** cmdlet to define an origin. You can define mu > You should never place resources that contain user information or are considered sensitive to your organization in a public origin. ```powershell -Add-SPOTenantCdnOrigin -CdnType -OriginUrl +Add-SPOTenantCdnOrigin -CdnType -OriginUrl ``` The value of _path_ is the relative path to the library or folder that contains the assets. You can use wildcards in addition to relative paths. Origins support wildcards prepended to the URL. This allows you to create origins that span multiple sites. For example, to include all of the assets in the `master pages` folder for all of your sites as a public origin within the CDN, type the following command: 
@@ -325,33 +273,30 @@ Add-SPOTenantCdnOrigin -CdnType Public -OriginUrl */masterpage You can add an origin with a specific relative path. You can't add an origin using the full path. -This example adds a private origin of the `siteassets` library on a specific site: +This example adds a public origin of the siteassets library on a specific site: ```powershell -Add-SPOTenantCdnOrigin -CdnType Private -OriginUrl sites/site1/siteassets +Add-SPOTenantCdnOrigin -CdnType Public -OriginUrl sites/site1/siteassets ``` -This example adds a private origin of the _folder1_ folder in the site collection's site assets library: +This example adds a public origin of the _folder1_ folder in the site collection's site assets library: ```powershell -Add-SPOTenantCdnOrigin -CdnType Private -OriginUrl sites/test/siteassets/folder1 +Add-SPOTenantCdnOrigin -CdnType Public -OriginUrl sites/test/siteassets/folder1 ``` If there's a space in the path, you can either surround the path in double quotes or replace the space with the URL encoding %20. The following examples add a private origin of the _folder 1_ folder in the site collection's site assets library: ```powershell -Add-SPOTenantCdnOrigin -CdnType Private -OriginUrl sites/test/siteassets/folder%201 +Add-SPOTenantCdnOrigin -CdnType Public -OriginUrl sites/test/siteassets/folder%201 ``` ```powershell -Add-SPOTenantCdnOrigin -CdnType Private -OriginUrl "sites/test/siteassets/folder 1" +Add-SPOTenantCdnOrigin -CdnType Public -OriginUrl "sites/test/siteassets/folder 1" ``` For more information about this command and its syntax, see [Add-SPOTenantCdnOrigin](/powershell/module/sharepoint-online/Add-SPOTenantCdnOrigin). -> [!NOTE] -> In private origins, assets being shared from an origin must have a major version published before they can be accessed from the CDN. - After you run the command, the system synchronizes the configuration across the datacenter. This result can take up to 15 minutes. 
@@ -376,46 +321,6 @@ For more information about this command and its syntax, see [Add-SPOTenantCdnOri After you run the command, the system synchronizes the configuration across the datacenter. This result can take up to 15 minutes. - - -### Example: Configure a private origin for your site assets, site pages, and publishing images for SharePoint Online - -- Use the **Add-SPOTenantCdnOrigin** cmdlet to define the site assets folder as a private origin. - - ```powershell - Add-SPOTenantCdnOrigin -CdnType Private -OriginUrl */siteassets - ``` - -- Use the **Add-SPOTenantCdnOrigin** cmdlet to define the site pages folder as a private origin. - - ```powershell - Add-SPOTenantCdnOrigin -CdnType Private -OriginUrl */sitepages - ``` - -- Use the **Add-SPOTenantCdnOrigin** cmdlet to define the publishing images folder as a private origin. - - ```powershell - Add-SPOTenantCdnOrigin -CdnType Private -OriginUrl */publishingimages - ``` - -For more information about this command and its syntax, see [Add-SPOTenantCdnOrigin](/powershell/module/sharepoint-online/Add-SPOTenantCdnOrigin). - -After you run the command, the system synchronizes the configuration across the datacenter. This result can take up to 15 minutes. - - - -### Example: Configure a private origin for a site collection for SharePoint Online - -Use the **Add-SPOTenantCdnOrigin** cmdlet to define a site collection as a private origin. For example: - -```powershell -Add-SPOTenantCdnOrigin -CdnType Private -OriginUrl sites/site1/siteassets -``` - -For more information about this command and its syntax, see [Add-SPOTenantCdnOrigin](/powershell/module/sharepoint-online/Add-SPOTenantCdnOrigin). - -After you run the command, the system synchronizes the configuration across the datacenter. You might see a _Configuration pending_ message. This message is expected as the SharePoint Online tenant connects to the CDN service. This result can take up to 15 minutes. - ### Manage the Office 365 CDN 
@@ -452,7 +357,7 @@ You can't modify an origin after you create it. Instead, remove the origin and t #### Disable the Office 365 CDN -Use the **Set-SPOTenantCdnEnabled** cmdlet to disable the CDN for your organization. If you have both the public and private origins enabled for the CDN, you need to run the cmdlet twice as shown in the following examples. +Use the **Set-SPOTenantCdnEnabled** cmdlet to disable the CDN for your organization. If you have public origins enabled for the CDN, you need to run the cmdlet as shown in the following examples. To disable use of public origins in the CDN, enter the following command: @@ -460,12 +365,6 @@ To disable use of public origins in the CDN, enter the following command: Set-SPOTenantCdnEnabled -CdnType Public -Enable $false ``` -To disable use of the private origins in the CDN, enter the following command: - -```powershell -Set-SPOTenantCdnEnabled -CdnType Private -Enable $false -``` - For more information about this cmdlet, see [Set-SPOTenantCdnEnabled](/powershell/module/sharepoint-online/Set-SPOTenantCdnEnabled). @@ -483,7 +382,7 @@ Complete these steps to set up and configure the CDN to host your assets in Shar ### Enable your organization to use the Office 365 CDN -Before you make changes to the tenant CDN settings, you should retrieve the current status of the private CDN configuration in your Office 365 tenant. Connect to your tenant using PnP PowerShell: +Before you make changes to the tenant CDN settings, you should retrieve the current status of the CDN configuration in your Office 365 tenant. Connect to your tenant using PnP PowerShell: ```powershell Connect-PnPOnline -Url https://contoso-admin.sharepoint.com -UseWebLogin 
@@ -492,29 +391,23 @@ Connect-PnPOnline -Url https://contoso-admin.sharepoint.com -UseWebLogin Now use the **Get-PnPTenantCdnEnabled** cmdlet to retrieve the CDN status settings from the tenant: ```powershell -Get-PnPTenantCdnEnabled -CdnType +Get-PnPTenantCdnEnabled -CdnType Public ``` The status of the CDN for the specified CdnType is shown on the screen. -Use the **Set-PnPTenantCdnEnabled** cmdlet to enable your organization to use the Office 365 CDN. You can enable your organization to use public origins, private origins, or both at the same time. You can also configure the CDN to skip the setup of default origins when you enable it. You can always add these origins later as described in this article. +Use the **Set-PnPTenantCdnEnabled** cmdlet to enable your organization to use the Office 365 CDN. You can enable your organization to use public origins. You can also configure the CDN to skip the setup of default origins when you enable it. You can always add these origins later as described in this article. 
In PnP PowerShell: ```powershell -Set-PnPTenantCdnEnabled -CdnType -Enable $true -``` - -For example, to enable your organization to use both public and private origins, type the following command: - -```powershell -Set-PnPTenantCdnEnabled -CdnType Both -Enable $true +Set-PnPTenantCdnEnabled -CdnType Public -Enable $true ``` -To enable your organization to use both public and private origins but skip setting up the default origins, type the following command: +To enable your organization to use public origins but skip setting up the default origins, type the following command: ```powershell -Set-PnPTenantCdnEnabled -CdnType Both -Enable $true -NoDefaultOrigins +Set-PnPTenantCdnEnabled -CdnType Public -Enable $true -NoDefaultOrigins ``` See [Default CDN origins](use-microsoft-365-cdn-with-spo.md#default-cdn-origins) for information about the origins that are provisioned by default when you enable the Office 365 CDN, and the potential effect of skipping the setup of default origins. @@ -525,12 +418,6 @@ To enable your organization to use public origins, type the following command: Set-PnPTenantCdnEnabled -CdnType Public -Enable $true ``` -To enable your organization to use private origins, type the following command: - -```powershell -Set-PnPTenantCdnEnabled -CdnType Private -Enable $true -``` - For more information about this cmdlet, see [Set-PnPTenantCdnEnabled](https://pnp.github.io/powershell/cmdlets/Set-PnPTenantCdnEnabled.html). 
@@ -540,24 +427,24 @@ For more information about this cmdlet, see [Set-PnPTenantCdnEnabled](https://pn > [!TIP] > When you define file types by using the **Set-PnPTenantCdnPolicy** cmdlet, you overwrite the currently defined list. If you want to add more file types to the list, use the cmdlet first to find out what file types are already allowed and include them in the list along with your new ones. -Use the **Set-PnPTenantCdnPolicy** cmdlet to define static file types that can be hosted by public and private origins in the CDN. By default, common asset types are allowed, for example .css, .gif, .jpg, and .js. +Use the **Set-PnPTenantCdnPolicy** cmdlet to define static file types that can be hosted by public origins in the CDN. By default, common asset types are allowed, for example .css and .js. In PnP PowerShell: ```powershell -Set-PnPTenantCdnPolicy -CdnType -PolicyType IncludeFileExtensions -PolicyValue "" +Set-PnPTenantCdnPolicy -CdnType Public -PolicyType IncludeFileExtensions -PolicyValue "" ``` For example, to enable the CDN to host .css and .png files, you would enter the command: ```powershell -Set-PnPTenantCdnPolicy -CdnType Private -PolicyType IncludeFileExtensions -PolicyValue "CSS,PNG" +Set-PnPTenantCdnPolicy -CdnType Public -PolicyType IncludeFileExtensions -PolicyValue "CSS,PNG" ``` To see what file types are currently allowed by the CDN, use the **Get-PnPTenantCdnPolicies** cmdlet: ```powershell -Get-PnPTenantCdnPolicies -CdnType +Get-PnPTenantCdnPolicies -CdnType Public ``` For more information about these cmdlets, see [Set-PnPTenantCdnPolicy](https://pnp.github.io/powershell/cmdlets/Set-PnPTenantCdnPolicy.html) and [Get-PnPTenantCdnPolicies](https://pnp.github.io/powershell/cmdlets/Get-PnPTenantCdnPolicies.html). 
@@ -574,13 +461,13 @@ Use the **Set-PnPTenantCdnPolicy** cmdlet to exclude site classifications that y In PnP PowerShell: ```powershell -Set-PnPTenantCdnPolicy -CdnType -PolicyType ExcludeRestrictedSiteClassifications -PolicyValue "" +Set-PnPTenantCdnPolicy -CdnType -PolicyType ExcludeRestrictedSiteClassifications -PolicyValue "" ``` To see what site classifications are currently restricted, use the **Get-PnPTenantCdnPolicies** cmdlet: ```powershell -Get-PnPTenantCdnPolicies -CdnType +Get-PnPTenantCdnPolicies -CdnType ``` The returned properties are _IncludeFileExtensions_, _ExcludeRestrictedSiteClassifications_ and _ExcludeIfNoScriptDisabled_. @@ -606,7 +493,7 @@ Use the **Add-PnPTenantCdnOrigin** cmdlet to define an origin. You can define mu > You should never place resources that contain user information or are considered sensitive to your organization in a public origin. ```powershell -Add-PnPTenantCdnOrigin -CdnType -OriginUrl +Add-PnPTenantCdnOrigin -CdnType -OriginUrl ``` The value of _path_ is the relative path to the library or folder that contains the assets. You can use wildcards in addition to relative paths. Origins support wildcards prepended to the URL. This allows you to create origins that span multiple sites. For example, to include all of the assets in the `master pages` folder for all of your sites as a public origin within the CDN, type the following command: 
@@ -620,33 +507,30 @@ Add-PnPTenantCdnOrigin -CdnType Public -OriginUrl */masterpage You can add an origin with a specific relative path. You can't add an origin using the full path. -This example adds a private origin of the site assets library on a specific site: +This example adds public origin of the site assets library on a specific site: ```powershell -Add-PnPTenantCdnOrigin -CdnType Private -OriginUrl sites/site1/siteassets +Add-PnPTenantCdnOrigin -CdnType Public -OriginUrl sites/site1/siteassets ``` -This example adds a private origin of the _folder1_ folder in the site collection's site assets library: +This example adds a public origin of the _folder1_ folder in the site collection's site assets library: ```powershell -Add-PnPTenantCdnOrigin -CdnType Private -OriginUrl sites/test/siteassets/folder1 +Add-PnPTenantCdnOrigin -CdnType Public -OriginUrl sites/test/siteassets/folder1 ``` -If there's a space in the path, you can either surround the path in double quotes or replace the space with the URL encoding %20. The following examples add a private origin of the _folder 1_ folder in the site collection's site assets library: +If there's a space in the path, you can either surround the path in double quotes or replace the space with the URL encoding %20. The following examples add a public origin of the _folder 1_ folder in the site collection's site assets library: ```powershell -Add-PnPTenantCdnOrigin -CdnType Private -OriginUrl sites/test/siteassets/folder%201 +Add-PnPTenantCdnOrigin -CdnType Public -OriginUrl sites/test/siteassets/folder%201 ``` ```powershell -Add-PnPTenantCdnOrigin -CdnType Private -OriginUrl "sites/test/siteassets/folder 1" +Add-PnPTenantCdnOrigin -CdnType Public -OriginUrl "sites/test/siteassets/folder 1" ``` For more information about this command and its syntax, see [Add-PnPTenantCdnOrigin](https://pnp.github.io/powershell/cmdlets/Add-PnPTenantCdnOrigin.html). 
-> [!NOTE] -> In private origins, assets shared from an origin must have a major version published before they're accessible from the CDN. - After you run the command, the system synchronizes the configuration across the datacenter. This result can take up to 15 minutes. @@ -671,26 +555,26 @@ For more information about this command and its syntax, see [Add-PnPTenantCdnOri After you run the command, the system synchronizes the configuration across the datacenter. This result can take up to 15 minutes. - + -### Example: Configure a private origin for your site assets, site pages, and publishing images for SharePoint Online +### Example: Configure a public origin for your site assets, site pages, and publishing images for SharePoint Online -- Use the **Add-PnPTenantCdnOrigin** cmdlet to define the site assets folder as a private origin. +- Use the **Add-PnPTenantCdnOrigin** cmdlet to define the site assets folder as a public origin. ```powershell - Add-PnPTenantCdnOrigin -CdnType Private -OriginUrl */siteassets + Add-PnPTenantCdnOrigin -CdnType Public -OriginUrl */siteassets ``` -- Use the **Add-PnPTenantCdnOrigin** cmdlet to define the site pages folder as a private origin. +- Use the **Add-PnPTenantCdnOrigin** cmdlet to define the site pages folder as a public origin. ```powershell - Add-PnPTenantCdnOrigin -CdnType Private -OriginUrl */sitepages + Add-PnPTenantCdnOrigin -CdnType Public -OriginUrl */sitepages ``` -- Use the **Add-PnPTenantCdnOrigin** cmdlet to define the publishing images folder as a private origin. +- Use the **Add-PnPTenantCdnOrigin** cmdlet to define the publishing images folder as a public origin. ```powershell - Add-PnPTenantCdnOrigin -CdnType Private -OriginUrl */publishingimages + Add-PnPTenantCdnOrigin -CdnType Public -OriginUrl */publishingimages ``` For more information about this command and its syntax, see [Add-PnPTenantCdnOrigin](https://pnp.github.io/powershell/cmdlets/Add-PnPTenantCdnOrigin.html). 
@@ -699,12 +583,12 @@ After you run the command, the system synchronizes the configuration across the -### Example: Configure a private origin for a site collection for SharePoint Online +### Example: Configure a public origin for a site collection for SharePoint Online -Use the **Add-PnPTenantCdnOrigin** cmdlet to define a site collection as a private origin. For example: +Use the **Add-PnPTenantCdnOrigin** cmdlet to define a site collection as a public origin. For example: ```powershell -Add-PnPTenantCdnOrigin -CdnType Private -OriginUrl sites/site1/siteassets +Add-PnPTenantCdnOrigin -CdnType Public -OriginUrl sites/site1/siteassets ``` For more information about this command and its syntax, see [Add-PnPTenantCdnOrigin](https://pnp.github.io/powershell/cmdlets/Add-PnPTenantCdnOrigin.html). @@ -732,7 +616,7 @@ If you need to retrieve the location of the origin, you can use the **Get-PnPTen You can remove access to a folder or SharePoint library that you identified as an origin. To take this action, use the **Remove-PnPTenantCdnOrigin** cmdlet. ```powershell -Remove-PnPTenantCdnOrigin -OriginUrl -CdnType +Remove-PnPTenantCdnOrigin -OriginUrl -CdnType ``` For information on how to use this cmdlet, see [Remove-PnPTenantCdnOrigin](https://pnp.github.io/powershell/cmdlets/Remove-PnPTenantCdnOrigin.html). @@ -786,12 +670,6 @@ To enable the Office 365 Public CDN in your tenant, run the following command: m365 spo cdn set --type Public --enabled true ``` -To enable the Office 365 SharePoint CDN, run the following command: - -```cli -m365 spo cdn set --type Private --enabled true -``` - #### View the current status of the Office 365 CDN To check if the particular type of Office 365 CDN is enabled or disabled, use the [spo cdn get](https://pnp.github.io/cli-microsoft365/cmd/spo/cdn/cdn-get/) command. 
@@ -820,7 +698,7 @@ See [Default CDN origins](use-microsoft-365-cdn-with-spo.md#default-cdn-origins) Use the [spo cdn origin add](https://pnp.github.io/cli-microsoft365/cmd/spo/cdn/cdn-origin-add/) command to define a CDN origin. You can define multiple origins. The origin is a URL that points to a SharePoint library or folder that contains the assets that you want the CDN to host. ```cli -m365 spo cdn origin add --type [Public | Private] --origin +m365 spo cdn origin add --type [Public] --origin ``` Where `path` is the relative path to the folder that contains the assets. You can use wildcards in addition to relative paths. @@ -831,12 +709,6 @@ To include all assets in the **Master Page Gallery** of all sites as a public or m365 spo cdn origin add --type Public --origin */masterpage ``` -To configure a private origin for a specific site collection, run the following command: - -```cli -m365 spo cdn origin add --type Private --origin sites/site1/siteassets -``` - > [!NOTE] > After adding a CDN origin, it might take up to 15 minutes for you to be able to retrieve files via the CDN service. You can verify if the particular origin has already been enabled using the [spo cdn origin list](https://pnp.github.io/cli-microsoft365/cmd/spo/cdn/cdn-origin-list/) command. 
@@ -901,13 +773,9 @@ This section helps you understand how to use CDN URLs in your SharePoint pages a - [Updating links to CDN assets](use-microsoft-365-cdn-with-spo.md#updating-links-to-cdn-assets) - [Using assets in public origins](use-microsoft-365-cdn-with-spo.md#using-assets-in-public-origins) -- [Using assets in private origins](use-microsoft-365-cdn-with-spo.md#using-assets-in-private-origins) For information on how to use the CDN for hosting client-side web parts, see the article [Host your client-side web part from Office 365 CDN (Hello World part 4)](/sharepoint/dev/spfx/web-parts/get-started/hosting-webpart-from-office-365-cdn). -> [!NOTE] -> If you add the _ClientSideAssets_ folder to the **private** CDN origins list, CDN-hosted custom web parts will fail to render. Files used by SPFX web parts can only utilize the public CDN and the ClientSideAssets folder is a default origin for public CDN. - ### Updating links to CDN assets To use assets that you added to an origin, you simply update links to the original file with the path to the file in the origin. @@ -955,7 +823,7 @@ The following diagram illustrates the workflow when SharePoint receives a reques If the _Publishing_ feature isn't enabled for a public origin, or the asset isn't one of the link types supported by the auto-rewrite feature of the CDN service, you can manually construct URLs to the CDN location of the assets and use these URLs in your content. > [!NOTE] -> You can't hardcode or construct CDN URLs to assets in a private origin because the required access token that forms the last section of the URL is generated at the time the resource is requested. You can construct the URL for Public CDN and the URL shouldn't be hard-coded as it's subject to change. +> You can construct the URL for Public CDN and the URL should not be hard coded as it's subject to change. For public CDN assets, the URL format looks like the following example: 
@@ -974,40 +842,6 @@ https://publiccdn.sharepointonline.com/contoso.sharepoint.com/sites/site/library > > As an example for SPFx, you can construct the URL using the property `this.context.pageContext.legacyPageContext.publicCdnBaseUrl` - `/` - `host` - `/` - `relativeURL for the item`. For more information, see the video [Using CDN in Client-side code](https://youtu.be/IH1RbQlbhIA), which is part of the [season 1 performance series](https://aka.ms/sppnp-perfvideos). -### Using assets in private origins - -No other configuration is required to use assets in private origins. SharePoint Online automatically rewrites URLs for assets in private origins so requests for those assets are always be served from the CDN. You can't manually build URLs to CDN assets in private origins because these URLs contain tokens that must be auto-generated by SharePoint Online at the time the asset is requested. - -Access to assets in private origins is protected by dynamically generated tokens based on user permissions to the origin, with the caveats described in the following sections. Users must have at least **read** access to the origins for the CDN to render content. - -The following diagram illustrates the workflow when SharePoint receives a request for a page containing assets from a private origin. - -![Workflow diagram: Retrieving Office 365 CDN assets from a private origin.](../media/O365-CDN/o365-cdn-private-steps-transparent.png "Workflow: Retrieving Office 365 CDN assets from a private origin") - -#### Token-based authorization in private origins - -Access to assets in private origins in the Office 365 CDN is granted by tokens generated by SharePoint Online. Users who already have permission to access to the folder or library designated by the origin are automatically granted tokens that permit the user to access the file based on their permission level. These access tokens are valid for 30 to 90 minutes after they're generated to help prevent token replay attacks. 
- -Once the access token is generated, SharePoint Online returns a custom URI to the client containing two authorization parameters _eat_ (edge authorization token) and _oat_ (origin authorization token). The structure of each token is _<'expiration time in Epoch time format'>__<'secure signature'>_. For example: - -```http -https://privatecdn.sharepointonline.com/contoso.sharepoint.com/sites/site1/library1/folder1/image1.jpg?eat=1486154359_cc59042c5c55c90b26a2775323c7c8112718431228fe84d568a3795a63912840&oat=1486154359_7d73c2e3ba4b7b1f97242332900616db0d4ffb04312 -``` - -> [!NOTE] -> Anyone in possession of the token can access the resource in the CDN. However, URLs containing these access tokens are only shared over HTTPS, so unless the URL is explicitly shared by an end user before the token expires, the asset won't be accessible to unauthorized users. - -#### Item-level permissions aren't supported for assets in private origins - -It's important to note that SharePoint Online doesn't support item-level permissions for assets in private origins. For example, for a file located at `https://contoso.sharepoint.com/sites/site1/library1/folder1/image1.jpg`, users have effective access to the file given the following conditions: - -|User|Permissions|Effective access| -|---|---|---| -|User 1|Has access to folder1|Can access image1.jpg from the CDN| -|User 2|Doesn't have access to folder1|Can't access image1.jpg from the CDN| -|User 3|Doesn't have access to folder1, but is granted explicit permission to access image1.jpg in SharePoint Online|Can access the asset image1.jpg directly from SharePoint Online, but not from the CDN| -|User 4|Has access to folder1, but has been explicitly denied access to image1.jpg in SharePoint Online|Can't access the asset from SharePoint Online, but can access the asset from the CDN despite being denied access to the file in SharePoint Online| - ## Troubleshooting the Office 365 CDN 
diff --git a/microsoft-365/solutions/tenant-management-networking.md b/microsoft-365/solutions/tenant-management-networking.md index 76f7e32478b..001192aef6b 100644 --- a/microsoft-365/solutions/tenant-management-networking.md +++ b/microsoft-365/solutions/tenant-management-networking.md @@ -116,9 +116,9 @@ For more information, see [Microsoft 365 Network Insights](../enterprise/office- A cloud-based Content Delivery Network (CDN) allows you to reduce load times, save bandwidth, and speed responsiveness. A CDN improves performance by caching static assets such as graphic or video files closer to the browsers requesting them, which helps to speed up downloads and reduce latency. You can use the built-in Office 365 Content Delivery Network (CDN), included with SharePoint in Microsoft 365 E3 and E5, to host static assets to provide better performance for your SharePoint pages. -The Office 365 CDN is composed of multiple CDNs that allow you to host static assets in multiple locations, or _origins_, and serve them from global high-speed networks. Depending on the kind of content you want to host in the Office 365 CDN, you can add **public** origins, **private** origins, or both. +The Office 365 CDN is composed of multiple CDNs that allow you to host static assets in multiple locations, or _origins_, and serve them from global high-speed networks. Depending on the kind of content you want to host in the Office 365 CDN, you can add **public** origins. -When deployed and configured, the Office 365 CDN uploads assets from public and private origins and makes them available for fast access to users located across the Internet. +When deployed and configured, the Office 365 CDN uploads assets from public origins and makes them available for fast access to users located across the Internet. ![Office 365 CDN deployed for users.](../media/O365-CDN/o365-cdn-flow-transparent.svg "Office 365 CDN deployed for users")
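Review bot: in the `@@ -325,33 +273,30 @@` hunk of content-delivery-networks.md, the unchanged sentence "The following examples add a private origin of the _folder 1_ folder" still says "private" although both commands under it now pass `-CdnType Public`. Change it to "public origin", as the matching PnP hunk at `@@ -620,33 +507,30 @@` already does. The first rewritten sentence also drops the code formatting from `siteassets`; keep the backticks so the library name matches the command below it.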
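Review bot: the rewritten sentence in the `@@ -452,7 +357,7 @@` hunk, "If you have public origins enabled for the CDN, you need to run the cmdlet as shown in the following examples", still says "examples" although only one command is left after this patch, and the conditional no longer distinguishes anything. Suggest something like "To disable use of public origins, run the cmdlet as shown in the following example" and dropping the now duplicate lead-in that follows it.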
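Review bot: the `@@ -460,12 +365,6 @@` hunk deletes the only documented way to turn private origins off (`Set-SPOTenantCdnEnabled -CdnType Private -Enable $false`) and the patch adds nothing that tells a tenant with private origins already enabled what to do. Either keep this command for existing configurations or add a short note near the top of the section stating the status of private origins and how existing ones are handled.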
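Review bot: after the `@@ -492,29 +391,23 @@` hunk the same command, `Set-PnPTenantCdnEnabled -CdnType Public -Enable $true`, appears twice in a row: once under "In PnP PowerShell:" and again in the unchanged block introduced by "To enable your organization to use public origins, type the following command:" at `@@ -525,12 +418,6 @@`. Remove one of the two. The leftover sentence "You can enable your organization to use public origins." also adds nothing after the sentence before it and can be dropped.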
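Review bot: in the `@@ -540,24 +427,24 @@` hunk the list of default file types changes from ".css, .gif, .jpg, and .js" to ".css and .js", which is unrelated to removing private origins. If the defaults did not change, restore the original list; if they did, say so in the commit message so readers who rely on the default policy for images are not surprised.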
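Review bot: the first rewritten sentence in the `@@ -620,33 +507,30 @@` hunk reads "This example adds public origin of the site assets library", which is missing the article. Make it "adds a public origin", matching the next sentence in the same hunk.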
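Review bot: the `@@ -671,26 +555,26 @@` hunk swaps `Private` for `Public` on the wildcard origins `*/siteassets`, `*/sitepages` and `*/publishingimages`, which turns an example that relied on the private origin's access control into one that publishes those libraries from every site through a public origin. That conflicts with the warning kept earlier in the same file, "You should never place resources that contain user information or are considered sensitive to your organization in a public origin." Site pages and site assets commonly hold that kind of content, so either remove this example along with the SPO Management Shell version deleted at `@@ -376,46 +321,6 @@`, or narrow it to a specific non-sensitive folder and repeat the warning next to it. The same concern applies to the site collection example changed at `@@ -699,12 +583,12 @@`.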
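Review bot: in the `@@ -820,7 +698,7 @@` hunk the syntax line becomes `m365 spo cdn origin add --type [Public] --origin`, where a bracketed choice list with a single entry reads as if the value were optional. Write `--type Public`, as the example a few lines below it does.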
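Review bot: the rewritten note in the `@@ -955,7 +823,7 @@` hunk, "You can construct the URL for Public CDN and the URL should not be hard coded as it's subject to change", joins a permission and a prohibition with "and", and changes "hard-coded" to "hard coded" against the spelling used in the removed line. Suggest "You can construct the URL for the public CDN, but don't hard-code it because it's subject to change."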
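Review bot: in the tenant-management-networking.md hunk at `@@ -116,9 +116,9 @@`, the new sentence "Depending on the kind of content you want to host in the Office 365 CDN, you can add **public** origins." keeps a conditional opening that only made sense when there was a choice between origin types. Drop the "Depending on the kind of content" clause or remove the sentence, since the next sentence already names public origins.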