Federation and the cloud
Posted by Nick Bowyer in Cloud, Office365 on April 21, 2012
The term Federation is something I am familiar with, thanks largely to many hours spent watching Star Trek as a kid. The United Federation of Planets in the TV series and movies referred to very different cultures sharing a common bond, in a political sense. Federation, when it comes to cloud services, has more than one meaning, and I want to use this post to explain the term and how it relates to various cloud services and improves the overall cloud experience.
We will talk about federation as it relates to cloud services hosted by Microsoft, specifically Office 365, although Windows Intune and Azure also use the term Federation (I'll save those for a future blog post). There are many other technologies that deliver similar results with other cloud services, but I really want to focus on the term federation as it relates specifically to a Microsoft solution.
In the old days of Windows NT, if you wanted to access information in another domain you would need to set up a trust. A trust was set up either one way or two way and was generally quite unreliable. It did, however, address the issue of sharing information between business units or organizations (if you were brave). There needed to be a better, more secure way of sharing information while limiting the access either party had to the other party's security context.
Along came Active Directory Federation Services, or ADFS. It has been around for some time and uses Microsoft's version of the Security Assertion Markup Language (SAML) claims-based authentication model. It is now in its second generation, and with version 2.0 comes the ability to federate your Active Directory with Office 365. ADFS 2.0 isn't restricted to Office 365 for its federation options; a number of cloud providers support ADFS using SAML, including IBM Tivoli, Novell Access Manager, Sun OpenSSO and CA (SiteMinder and Federation Manager). Microsoft is also a founding member of OpenID, the organisation that is promoting standards in identity management.
ADFS 2.0 allows a customer to federate their identity to the cloud services contained within Office 365, creating what is known as a Single Sign On experience for end users. Single Sign On, or SSO, allows users to log in to their PCs (assuming they are connected to an Active Directory service with ADFS installed) and seamlessly connect to any Online Service they are licensed for and have permission to access. SSO is the holy grail of any cloud service and removes one of the biggest barriers to cloud adoption in the enterprise.
ADFS is a prerequisite when you want to configure Exchange or Lync (Lync will allow this in a future release) to run in a hybrid scenario (what used to be called co-existence). For more information on running a hybrid deployment of Exchange 2010 SP2 go here: http://technet.microsoft.com/en-us/library/gg577584.aspx
Due to its complexity and demand on resources (servers and administration), ADFS is only suited to larger organizations; thus ADFS implementations are only possible with the Enterprise offering of Office 365 (E and K plans). ADFS also requires an additional Windows Server 2008 (or R2) and some thought into providing a resilient installation (read: more than one ADFS server!). If the ADFS service fails, users will no longer be able to connect to their cloud services, either from inside their network or externally.
To learn more about ADFS go here : http://technet.microsoft.com/en-us/library/cc736690(v=ws.10).aspx
For a tutorial video on identity and Office 365 go here: http://technet.microsoft.com/en-us/edge/office-365-jump-start-04-microsoft-office-365-identity-and-access-solutions
Virtual Labs on ADFS and Federation here: http://technet.microsoft.com/en-us/office365/hh744605
Given the complex nature of setting up a resilient ADFS service, there needs to be another way to synchronize user accounts from an on-premise Active Directory to the cloud. The previous version of Microsoft Online Services, Business Productivity Online Services (BPOS), attempted to make life easier for administrators by providing a one-way sync from the on-premise Active Directory server to the cloud. This sync, known as DirSync, would create the user IDs in the cloud (overwriting whatever was there to begin with); the one major problem was that it didn't synchronize the users' passwords. This option is still available to all users of Office 365 and doesn't require the complexity associated with ADFS. It will, however, only synchronize objects from the on-premise AD to the cloud, including groups and users. The DirSync application has been updated to include an x64 version, which in turn must be installed on a member server (not a domain controller). From the admin portal, under Users, you are able to set up the DirSync function.
To learn more about DirSync go here: http://onlinehelp.microsoft.com/en-us/office365-enterprises/ff652543.aspx
Application Specific Federation
Now that we have covered the use of Federation as it relates to your user identity, it's nice to know that the word Federation is also used when describing the sharing of information between applications in separate organizations.
Lync Online delivers its Federation experience by putting you in touch with those who are not part of your organization. It has the ability to federate presence, instant messaging and voice/video calls with the following deployments:
- On-premise Office Communications Server 2007 R2
- On-premise Lync Server
- MSN (Live) Messenger
- Other Office 365 customers
Obviously the other organizations will need to have federation set up themselves. For your Office 365 deployment it is as easy as ensuring the SRV record is configured in your DNS settings, as described previously here, and that federation is enabled in your Office 365 administration portal / Lync Online Control Panel, as pictured below.
There is a tool which searches your contacts for those who are available to federate via Lync here: http://gallery.technet.microsoft.com/Who-Can-Federate-Tool-a9e00d23 There is also a database of the organizations with either OCS 2007 R2 or Lync on-premise / Online who are available for federation, maintained here: http://www.lyncdirectory.com/
Federation relating to Microsoft Exchange is a one-to-one relationship between two federated Exchange organizations that allows recipients to share free/busy (calendar availability) information. It is also known by the term "federated delegation". Both sides of the federation need to be configured; for an on-premise Exchange 2010 deployment a connection must be made to the Microsoft Federation Gateway. The Microsoft Federation Gateway provides applications with a free, simple, standards-based method of establishing trust between separate organizations that uses SSL certificates to prove domain ownership. Because the organizations federate with the gateway instead of with each other, it is much easier for an organization to establish trust relationships with multiple partners than is possible when it uses conventional one-on-one federation or other trust relationships. The scope of the federation can be easily controlled by creating allow or deny lists of users and domains for licensing and by specifying the domains that can receive publishing licenses. This guarantees that only appropriate organizations are given access to protected information. More information for a local deployment of Exchange 2010 can be found here: http://technet.microsoft.com/en-us/library/dd335047.aspx or here: http://technet.microsoft.com/en-us/library/dd638083.aspx
With Office 365 the hard work is done for you. All of the detail described above is baked right in and it is up to the users to delegate the access to their own calendars individually. This is turned off by default and can be enabled to the following degree:
- No free/busy access
- Free/busy access with time only
- Free/busy access with time, plus subject and location
This access can be granted via the Outlook application and can be granted to users outside the organization if they are using a federated Exchange server or another Office 365 tenant. There is a tool that will tell you which of your contacts are able to view your calendar, available to download here: http://gallery.technet.microsoft.com/Exchange-Federation-fdf8a324
Although not strictly Federation at the application level, SharePoint Online external sharing utilizes Federation between the Office 365 tenant and Windows Live IDs. Within any deployment of Office 365 and SharePoint Online you are able to invite external users to view or edit your documents by simply sharing the site/library using their email address. If the recipient hasn't done so already, they will be prompted to create a Live ID when they attempt to access your site using their email address. This external access is included in SharePoint Online within Office 365 and doesn't consume any licenses. Keep in mind, as I mentioned previously, that the P plan of SharePoint Online does NOT deliver the content over a secure channel (SSL), so you should ensure you choose the right plan for your intention.
Federation is a term that will be used hand in hand with any cloud conversation in the future. As with any technology it pays to understand it ahead of time and ensure your customers/users are using it in an appropriate manner.
Robust email for business
Posted by Nick Bowyer in Cloud, Office365 on April 2, 2012
I may have a better appreciation of the things I can do within my Office 365 environment due to my past life as an IT administrator, but I thought it would be good to point a few of those features out and describe why they may mean something to the average business user. The application that is most attractive out of the Office 365 suite has to be Exchange Online. This hosted email service is available as a base component of all of the suites on offer and is probably the “first cab off the rank” when a customer looks to a cloud offering.
Exchange Online launched in New Zealand back in April 2009 and formed part of what was then known as BPOS, or Business Productivity Online Suite. This product was based on a multi-tenanted version of Exchange 2007. In the middle of last year Office 365 launched, and with it came a better Exchange Online experience, offering some of the great features you would get with an on-premise installation of Exchange 2010. As with any hosted offering the products get better over time, and since the release of Office 365 certain features have been added to the suite. These features make it easier for non-technical employees to administer the functionality of what would normally be complex back-end systems, all via a web portal.
Mobile device management
One of the biggest advances in email technology over the past few years has been the introduction of mobile access. Microsoft set the standard in my opinion with ActiveSync, blowing away the previous market leader RIM (aka BlackBerry). With the RIM offering you needed middleware to connect and manage the mobile handsets; furthermore, they needed to be BlackBerry handsets. ActiveSync, on the other hand, is now licensed by Microsoft to many handset providers, including Apple's iPhone and iPad, Google Android devices and obviously Windows Phone 7 devices. ActiveSync allows the management of devices from the Outlook Web App experience (remote wipe etc.) as well as push notification and contact/calendar sync. As an administrator you are also able to restrict access to mailboxes by mobile devices.
While Office 365 supports BlackBerry devices, the "native" support is for ActiveSync devices as shown above. There has also been an announcement recently to introduce the ability to connect mobile devices via ActiveSync to the Kiosk Worker plan at $3.06 per user per month for a 1 GB mailbox. The Kiosk Worker plan is great for a mobile worker who is rarely in the office and doesn't use a desktop PC on a regular basis; it won't let you connect Outlook to the mailbox, but the Outlook Web App is more than enough for occasional users. For more information on Exchange Online plans visit www.office365.com
Legal Hold and Archive
Legal hold is something that I believe should be part of any email solution. In the press you hear often how emails can get people, and more importantly businesses into and sometimes out of trouble. The legal hold functionality of Exchange Online is provided by the premium product in either the Exchange Online Plan 2 stand alone product or the E3 and E4 suites. Do not confuse legal hold with the personal archive capability.
Personal Archive – Provides the ability for users to manage the retention of mail in their mailboxes. Personal archive is available to all suites and product versions of Exchange Online with the exception of the Kiosk plans (Kiosk plans are able to add the archive product separately). For P1 plans of Exchange Online the archive and mailbox capacity is a combined total of 25 GB; Plan 2 is unlimited.
Legal Hold – Provides legal hold capabilities to preserve users' deleted and edited mailbox items (including email messages, appointments, and tasks) from both their primary mailboxes and personal archives. Administrators can use the Exchange Control Panel or Remote PowerShell to set legal holds on individual mailboxes or across an organization. The administrator can then choose whether or not to notify the user of the legal hold.
Deleted Item Retention – Provides the end user with the ability to recover a deleted item from any folder for up to 14 days. This timeframe can be changed using Remote PowerShell commands or via a service request.
Multi-mailbox search is available in Exchange Online. This comes in useful when an investigation is undertaken by Human Resources or a legal investigation takes place. This is a very powerful feature and can be accessed via a web portal (under the Exchange Management Portal from your Admin site) or via Remote PowerShell cmdlets. The e-discovery PowerShell scripts can also be used to find and remove email items from multiple mailboxes that match certain criteria. For more information see: http://www.microsoft.com/exchange/en-us/email-archiving-and-retention.aspx
Exchange Online is protected by the Microsoft Forefront service for anti-spam and malware. This product can be tuned via the Exchange Management portal, which is accessible to administrators through the Admin Portal. Most businesses I have dealt with have paid an additional cost to filter unwanted email from their inboxes using a product hosted by a third party (ISP or other hosted provider) or, in some instances, another product sitting on a separate server. This feature comes with all product versions of Exchange Online and in my experience hasn't failed me yet. The administrator is able to configure the Forefront product to alert users by email if any spam has been filtered, or indeed turn the feature off altogether and let the spam be dealt with by the Junk Mail folder within Outlook.
Role Based Access
Exchange Online uses a Role-Based Access Control (RBAC) model that allows organizations to finely control what users and administrators can do in the service. Using RBAC, administrators can delegate tasks to employees in the IT department as well as to non-IT employees. For example, if a compliance officer is responsible for mailbox search requests, the administrator can delegate this administrative feature to the officer. It is important to note that many of the features above need to be restricted to certain people within your organization.
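As an added example (not from the post), the controls listed above applied through Remote PowerShell against Exchange Online: legal hold on one mailbox and across the organisation, a longer deleted-item retention window, an ActiveSync restriction, and delegation of mailbox search through the Discovery Management role group. The mailbox names, matter reference and intranet URL are assumed placeholders, and the Basic-authentication endpoint shown was the one in use at the time of the post.

```powershell
# Added example, not part of the original post. Names and URLs are placeholders.
# Connect to Exchange Online via Remote PowerShell (2012-era endpoint).
$cred    = Get-Credential                       # tenant administrator
$session = New-PSSession -ConfigurationName Microsoft.Exchange `
    -ConnectionUri https://ps.outlook.com/powershell/ `
    -Credential $cred -Authentication Basic -AllowRedirection
Import-PSSession $session

# 1. Legal hold on a single mailbox. RetentionComment/RetentionUrl are what
#    the user sees in Outlook if you choose to notify them of the hold.
Set-Mailbox -Identity 'jane.doe@contoso.onmicrosoft.com' `
    -LitigationHoldEnabled $true `
    -RetentionComment 'Mailbox on hold for matter HR-0001 (placeholder reference)' `
    -RetentionUrl 'https://intranet.contoso.local/hold-policy'   # placeholder URL

# 2. Legal hold across the organisation: every user mailbox in one pass.
Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox |
    Set-Mailbox -LitigationHoldEnabled $true

# 3. Deleted item retention: raise the 14-day default to 30 days for one mailbox.
Set-Mailbox -Identity 'jane.doe@contoso.onmicrosoft.com' -RetainDeletedItemsFor 30

# 4. Block mobile (ActiveSync) access for a mailbox that should not sync to handsets.
Set-CASMailbox -Identity 'shared.finance@contoso.onmicrosoft.com' -ActiveSyncEnabled $false

# 5. RBAC: let the compliance officer run multi-mailbox searches without giving
#    them general administrative rights.
Add-RoleGroupMember -Identity 'Discovery Management' `
    -Member 'compliance.officer@contoso.onmicrosoft.com'

# 6. Verify: who holds the search role, and which mailboxes are on hold.
Get-RoleGroupMember -Identity 'Discovery Management'
Get-Mailbox -ResultSize Unlimited -Filter { LitigationHoldEnabled -eq $true } |
    Select-Object DisplayName, LitigationHoldEnabled, LitigationHoldDate, RetainDeletedItemsFor

Remove-PSSession $session
```

Keep the verification step in the change record: the hold dates and the Discovery Management membership are what an auditor will ask for later.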
These are but a few of the enterprise features delivered by Exchange Online that expand the value email has to a business. Anywhere access, reliability and security are components of what a robust email solution needs to provide. The pricing for Office 365 Exchange Online products is below (New Zealand $).
- Kiosk (deskless) Users – 1 GB mailbox for mobile device access using ActiveSync and Outlook Web App – NZD $3.06 per user per month
- Exchange Online Plan 1 – 25 GB mailbox for users connecting via Outlook and mobile devices, includes personal archive – NZD $6.11 per user per month
- Exchange Online Plan 2 – Unlimited mailbox for users connecting via Outlook and mobile devices, includes personal archive and legal hold ability – NZD $12.25 per user per month
The products above are also available in select Office 365 Suites. For more information visit http://www.office365.com. Or click here : http://bit.ly/ProvokeTrial
The case for local cloud
Posted by Nick Bowyer in Cloud, Local Cloud Providers on March 25, 2012
I became a systems engineer for an IT firm back in the early 1990s, back in the good old days when re-installing Windows was a regular piece of advice you would give to your customers in order to solve a software crash. Back in those days it was not uncommon to turn up to a customer's site to find software that was installed incorrectly or misconfigured; worse still, there was little or no documentation to assist you with restoring the server that had just crashed. Not to mention a tape "backup" that was of little or no value due to lost incremental backup tapes, cumbersome offsite storage or, worse still, a series of unsuccessful backup jobs leaving the customer with no restorable data.
Those kinds of situations were a regular occurrence and cost customers lots and lots of money. To prevent such catastrophes a customer would be asked to deploy resilient servers with redundant hardware and big-capacity backup tapes. More often than not the customer would purchase part of the required solution but not be able to justify the "best practice" solution. Cutting corners was a recipe for disaster, but at the end of the day it was what most small businesses in New Zealand could afford.
Technology didn't come cheap back then, and today at the top end of the market it still isn't cheap. Resilient server hardware still costs; even though I can buy a 2TB hard drive for under NZ$200, it's not the same as a high-performance RAID system that can cost 5 times as much for the same capacity. Lucky for us that cloud computing has started to take off: companies are now able to access a "best practice" deployment of their favorite software running on the resilient hardware we could only dream of in the 1990s.
The software companies of today are very different to what they were in the 1990s; they recognize the fact that their software may be installed incorrectly and cause a customer a great deal of pain. What used to be a few wizards used in the setup process has now become an entire suite of tools focused on management and monitoring. Microsoft is one of the players in the market that provides cloud solutions based on the software they have sold to their customers for many years, allowing them to provide the best experience of their software not only to their customers but also to their partners, IT firms, who also have the ability to run the software in a "best practice" environment. All of the tools Microsoft uses in their data centers in Singapore are now used by partners in New Zealand to run their hosted environments, providing a resilient and efficient service.
Microsoft's hosted offering is price competitive and, as an economy of scale, it will only get cheaper. Recently Microsoft announced a 20% drop in the pricing of their Office 365 suite. So why would I choose to use a local partner to host my email, CRM or line of business software?
Local cloud providers matter; there are many reasons why you would choose a local cloud provider over a larger provider such as Microsoft or Google. It shouldn't come down to the cost of the subscription alone; there are other important factors to consider when working with a cloud provider.
New Zealand is a very small island in a big ocean, and as a result our connectivity to the world is somewhat limited. This will change over time with other connections coming online soon; however, at this point in time there is only the Southern Cross Cable connecting New Zealand businesses to the internet. This will obviously result in some latency and, moreover, additional cost depending on the plan you have with your ISP. Local providers are usually connected into the local loop via high-speed fibre: think latency of around 10 to 30 ms compared to around 180 ms to Singapore (what I have seen on a GOOD day). This isn't a problem for 80% of most businesses and their requirements, such as email; however, when you are dealing with applications such as CRM with integration into custom line of business applications, the latency starts to have a negative impact on the end user experience. The advice I have is to run a trial of the software you intend to run before you purchase, something all cloud providers offer at no cost.
When you think of a local cloud provider don’t be surprised to know that there has been and will continue to be significant investment in large data centers in New Zealand. Over the past 3 years I know of more than three Class 3 data centers that have opened up in New Zealand, these data centers are bigger than a football field and are utilized by your local cloud providers. The photo above shows the inside of one of these data centers just north of Auckland’s CBD. They are built using the same guidelines that Microsoft and Google use and are usually helped along by the various hardware vendors; HP, EMC, Dell etc.
Most providers of cloud solutions are able to keep costs low because they do not provide any level of customization for the solution. To most small businesses this will not matter; however, when integration to an existing on-premise solution is required, or better yet that solution is to be pulled into a hosted environment, a local cloud provider is the only sensible option to choose. Recently I worked with www.onenet.co.nz to host a customer's CRM solution. The solution required a level of customization that OneNet was able to provide in-house, allowing for tighter integration to their line of business applications. Furthermore, the location of the OneNet servers gave the end users a snappy response when using CRM from within their Outlook client; this was a client requirement in a heavy-use scenario.
Throat to choke
Local providers have one benefit that the likes of Microsoft and Google will never be able to provide, and that is a local "throat to choke". Don't get me wrong, the support I have had from Microsoft whenever I have had "challenges" with aspects of BPOS or Office 365 has been first class; however, 100% of the time I am talking with someone in a call-center overseas. With local cloud providers, they are just that, LOCAL. If I have an issue with the cloud service or I want some customization I am able to visit local premises or have a representative visit me. As mentioned before, this doesn't matter to 80% of businesses, but for those who seek the comfort of knowing their service is coming from somewhere local it's a deal maker.
Cloud isn’t just a product or a price point, to me it is a responsible way to provide computing capacity to businesses. Good riddance to the all night recovery processes to restore a crashed server and hello to reliable applications!
Office 365 drops in price
Posted by Nick Bowyer in Cloud, Office365 on March 15, 2012
Today it was announced by Microsoft that they are to drop the price of the Office 365 products for new and renewing customers. The price drop is around 20% on all subscriptions listed on their site. This doesn't come as a surprise: not long after the launch of the predecessor to Office 365, BPOS (Business Productivity Online Suite), the price was cut in half. The explanation for the reduction in price is quoted by Microsoft to come from the increase in efficiency within the systems that run the platform, but it's simpler than that…
Microsoft has made no secret of the fact that Google Apps is a target for their Office 365 offering and price is usually one of the biggest talking points when the two are compared. Even with a large customer spending many millions of dollars on IT infrastructure every year a dollar makes a difference. The price conversation just got a whole lot easier for Microsoft, throw in the total cost of deployment and you will find that there is little between the two.
The message is clear, Microsoft are in the cloud game for keeps and the longer they remain there the better they will get at it. The support is second to none, I have been working through a few customer issues recently and think that it could put a lot of IT firms with SLAs to shame. The interface in Office 365 is slick and will only get better.
With Windows 8 and the next version of Office on the horizon the cloud strategy held by Microsoft becomes even more relevant, the integration with the desktop will become tighter and sooner or later cloud will become the way you work…
Migration from Office 365 P plan to E plan
Posted by Nick Bowyer in Cloud, Office365 on March 7, 2012
One of the things that impresses me with the cloud offerings from Microsoft is the great partner community dedicated to delivering the solution. In this blog I want to talk about the experience I had recently moving a customer from the P Plan of Office 365 to the E Plan. I talked about the reasons why this migration became necessary in my earlier blog post. In this post I will talk about the migration of the DNS records and the mail data; as we are deploying CRM Online we will not be transferring any existing SharePoint configuration, rather bulk-copying the files using Explorer to the new SharePoint structure.
Microsoft have their own reasons for creating two separate product offerings within Office 365, one of which is the Google compete aspect. The P plan is a direct competitor with Google Apps/Docs/Mail and is priced accordingly; it does, however, miss out on a few important features: SSL (secure) connection to SharePoint Online, more than 25 users (50 users hard limit), and Active Directory integration, to list a few. Microsoft don't currently offer customers any tools to migrate from the P Plan to the E Plan, and you can't purchase E Plan licenses from a P Plan tenant. This is where a partner steps in to make life extremely easy. MigrationWiz have been at the forefront of providing cloud migration tools for a number of years now; my first interaction with them came when I wanted to migrate a customer from Gmail to BPOS – Microsoft Online Services back in 2010.
The experience with MigrationWiz has only become better since my last trial. The interface is slick and easy to understand, and for around US$10 per mailbox it just doesn't make sense to attempt to migrate any other way. I would suggest that Microsoft purchase MigrationWiz, but then again I appreciate the neutrality provided by their current position. There are a few things you need to understand when performing such a migration, and while simple to understand, they may interrupt your services and/or mail flow.
Understand your DNS; this has to be the most important part of the migration. I spoke earlier about DNS records, and in this case too you will need to make changes to these records. The DNS record allowing you to route mail and authenticate users is only able to be associated with one tenant of Office 365, so if you are migrating to another tenant, as in this case, you will need to plan when to move this record across.
You will get an error when you attempt this in Office 365 if the domain is associated with another tenant.
I suggest that you choose a weekend to migrate your customer, as the DNS changes may take up to 24 hours to complete. It needs to start with "releasing" or deleting the DNS record from the old tenant; this will initiate some hidden scripts which de-provision the record from the services in the back end. It is important to understand that at this stage you will still be able to access the user accounts using their tenant alias @.onmicrosoft.com. Email will stop at this time. You could employ the use of a "mail bagging" service, usually provided by your ISP; make some enquiries, as it will prevent email from being dropped in the time you take to transfer the record to the new tenant. Changing your MX record at this time to the mail bagging service will prevent mail from being dropped. The domain name will take some time to be released from the old tenant; Microsoft advise this could be up to 24 hours. If after 24 hours it still won't allow you to verify the domain in the new tenant, then make a call to Microsoft Support and they will manually release the record. Once you have verified the domain in the new tenant of Office 365 you will then be able to redirect the MX record again, pointing it to the Office 365 servers. Again, this should be completed on a weekend or in an outage window of at least 24 hours.
I used the premium license of MigrationWiz as I wanted to make a couple of passes to migrate the mail. The other thing this allows you to do is perform a complete migration without interrupting any mail flow for the customer. At a cost of US$11.99 per mailbox it was only $2 more than the standard single-pass license. Before I migrated any mail data I needed to ensure the mailboxes I was migrating to existed in the new tenant.
Having purchased the P Plan originally, I had no Active Directory federation or synchronization to worry about. Microsoft gave me a couple of great tools to create the user accounts by way of uploading a CSV file with the usernames in it; this was exported from the old tenant of Office 365 using the free PowerShell cmdlets. If you don't know how to use PowerShell, I highly recommend you do, as it will make life a lot easier. When importing the users from the CSV file you will need to change the user account ID to use the default tenant ID @.onmicrosoft.com, as the domain will not be verified yet.
This CSV file can then be modified and used in the MigrationWiz portal to configure the mailboxes you want to migrate. Credentials can be those of an administrator, as administrator accounts have access to all users' mailboxes.
As you can see from the screenshot above, the console in MigrationWiz is clean and easy to understand, mirroring the experience within the Office 365 environment. The status of the migration can be seen at a glance and any errors are easy to identify and fix. The beauty of using a cloud-to-cloud service is that my bandwidth isn't used; all the data is transferred directly from one data center to another. Be aware that the migration does take some time, therefore I would recommend using the premium license of MigrationWiz that allows you to make more than one pass of the mailboxes: the first a week before the migration date, and once again after the MX records have been migrated. Contacts, calendar and email folders are migrated using this method, and users will not notice the difference when they connect to their new mailbox.
The last thing to remember is that the users' passwords will need to be changed. In this case I logged into every account and changed the users' passwords via the portal. This was fine for the 20 user accounts I was migrating; however, the PowerShell cmdlets I mentioned earlier could have easily achieved the same result, allowing you to set a default password for the new accounts. The Autodiscover record will allow the devices to automatically redirect the connection to the new mailbox.
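The user-account side of the migration above, as an added example that is not part of the original post: export the user list from the old tenant with the Microsoft Online Services cmdlets, recreate the accounts in the new tenant under its default onmicrosoft.com domain (because the vanity domain is not verified yet), let the service generate each temporary password, and switch the accounts back to the vanity domain once it has been verified. The two domain names are assumed placeholders.

```powershell
# Added example, not part of the original post. Domain names are placeholders.
# Requires the Microsoft Online Services PowerShell module (MSOnline).
Import-Module MSOnline

# --- Old tenant: export the accounts to CSV ---
Connect-MsolService -Credential (Get-Credential)     # old-tenant administrator
Get-MsolUser -All |
    Select-Object UserPrincipalName, DisplayName, FirstName, LastName, UsageLocation |
    Export-Csv -Path .\old-tenant-users.csv -NoTypeInformation

# --- New tenant: recreate each account under the default tenant domain ---
Connect-MsolService -Credential (Get-Credential)     # new-tenant administrator
$newDomain      = 'newtenant.onmicrosoft.com'        # placeholder: new tenant's default domain
$verifiedDomain = 'contoso.co.nz'                    # placeholder: the vanity domain being moved

$created = Import-Csv -Path .\old-tenant-users.csv | ForEach-Object {
    $alias  = $_.UserPrincipalName.Split('@')[0]
    $params = @{
        UserPrincipalName   = "$alias@$newDomain"
        DisplayName         = $_.DisplayName
        ForceChangePassword = $true        # user must set their own password at first sign-in
    }
    # Only pass the optional attributes that were actually exported.
    if ($_.FirstName)     { $params.FirstName     = $_.FirstName }
    if ($_.LastName)      { $params.LastName      = $_.LastName }
    if ($_.UsageLocation) { $params.UsageLocation = $_.UsageLocation }
    # With no -Password, the service generates a temporary one and returns it
    # on the output object, which avoids a single shared default password.
    New-MsolUser @params
}

# Temporary passwords go to a file for the handover. Treat it as sensitive:
# restrict who can read it and delete it once every user has signed in.
$created | Select-Object UserPrincipalName, Password |
    Export-Csv -Path .\new-tenant-temp-passwords.csv -NoTypeInformation

# --- Run only after the vanity domain shows as verified in the new tenant ---
# Move the accounts from the default domain back to the vanity domain so the
# sign-in names match what users (and Autodiscover) expect.
Get-MsolUser -All |
    Where-Object { $_.UserPrincipalName -like "*@$newDomain" } |
    ForEach-Object {
        $alias = $_.UserPrincipalName.Split('@')[0]
        Set-MsolUserPrincipalName -UserPrincipalName $_.UserPrincipalName `
            -NewUserPrincipalName "$alias@$verifiedDomain"
    }
```

Run the export and the create step before the domain is released from the old tenant, and the final rename only after Get-MsolDomain reports the vanity domain as verified in the new one.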
I hope this has shown how easy a migration can be once you have chosen a cloud service, with the tools made available by Microsoft and more importantly by the partner community it can be achieved in a few easy steps.