A day in the life of an Office 365 consultant


Solution Architect / Owner @ VH Consulting & Training; Office Servers & Services MVP; MCSM | Messaging
www.vanhybrid.com | www.vhct.be | @vanhybrid | #ITDevConnections
Focus: Office 365, Exchange, (Azure) AD, Security

Agenda

• Being an Office 365 Consultant: a quick overview of what being an Office 365 Consultant means…
• Multi-Forest O365 migrations: a scenario-based overview of a more complex multi-forest Office 365 migration
• Common Questions (and answers): the most common questions (and their answers) out “in the field”
• Questions & Answers: ask me (almost) anything!

Being an Office 365 Consultant…

• What society thinks we do…
• What our parents think we do…
• What customers think we do…
• What we actually do!

Questions & Answers

We are planning to move to Office 365. How can we deal with the frequent updates? We aren’t used to deploying new software versions (or updates) at that rate!

It’s easier to get on board with the new management/administration paradigm, rather than trying to control updates too much and fight the pace of updates.

Dealing with updates

• RING 0: 1st Release
• RING 1: 1st Release for Deferred Channel
• RING 2: Deferred Channel

Use rings to control update version & frequency

What is the difference between password sync and AD FS? Which one should I choose?

Password sync only enables same sign on; it still requires you to enter a username & password in most scenarios. AD FS can provide SSO in a variety of cases, removing the need to manually enter credentials.

Password Hash Sync

Identity Provider: Similar to cloud identities, Azure AD is the identity provider and authenticates all requests. Passwords just happen to be the same as on-prem because of sync. Passwords in Azure AD are set to never expire.

Synchronization: No clear-text passwords are synced; what is synced is a hash of the on-premises hash, with further protection applied on top. Fully depends on Azure AD Connect (the DirSync server). Only changed passwords are synced, except for the initial synchronization.

Caveats: Azure AD Connect is not “fully” highly available; this can create some interesting scenarios (split-brain etc.). Self-Service Password Reset is almost required (it can operate without, but that hampers the end-user experience).

Operations: “Set and forget”-like setup. Quite resilient and low-key management. Monitoring through 3rd-party tools or Azure AD Connect Health.

Identity Federation

Identity Provider: On-premises AD is the identity provider; it handles all authentication requests for online services (through the AD FS infrastructure). Passwords do not leave the on-premises directory.

Caveats: Strongly recommended to use the email address as UPN to avoid confusion for the end user. The AD FS infrastructure must be set up highly available: no AD FS = no authentication. Different flows depending on the application that is authenticating = more complex!

Synchronization? Similar to other scenarios, user accounts must be synced (and thus linked) to an on-premises account.

Operations: Higher management cost (because of the AD FS infrastructure). The underlying DB structure for AD FS might increase management effort too! Monitoring through 3rd-party tools or Azure AD Connect Health. Azure reports can help detect malicious activity.

Authenticating through AD FS

AD FS Farm considerations:
• With or without Web Application Proxy?
• Number of users to be supported
• Database sub-system? Related to functionality & HA

(Diagram: @contoso.com sign-in, ADFS, AD1; UPN Suffix(es): @contoso.local, @contoso.com)

Why do I have to log into everything? I thought we were supposed to have single sign on?

The client experience depends on the (version of) application you use, and the service you are trying to access. Although advertised as SSO, there are only limited scenarios that offer true SSO.

A quick look at SSO scenarios

Scenario              Domain Computer              Non-Domain Computer
O365 Portal           Browser-specific SSO         Username & PW
Outlook 2010          Username & PW                Username & PW
Outlook 2013/2016     Depends on Auth. Type        Depends on Auth. Type
EAS Clients           Username & PW                Username & PW
Outlook on Mobile     Username & PW                N/A
Skype (on desktop)    SSO through SSO assistant    Username & PW

I have heard that DirSync synchronizes every account; I don’t want that: it would be insecure!

Should you really care? What is the risk of having those additional accounts synced? If it’s really a problem, you can use filtering based on attributes, Organizational Units, Security Groups, etc.

I want to implement Password Synchronization. Do I need password write back? If so, is there a (free) alternative?

There is no such thing as a free lunch… If you want to provide SSPR, you have two options: use Azure AD password writeback (which requires Azure AD Premium, AAD-P) or implement an on-premises solution. The latter does not integrate with O365 as neatly as Azure SSPR does…

My on-premises UPNs are different from my user’s email address. Why is that a problem?

It’s no longer a real technical problem per se, although some scenarios can cause technical difficulties. The biggest problem is the confusion for the end user and the increased support cost as a result.
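The deck states the problem but not how to find it in your own directory. The following PowerShell is an added example (not part of the deck) that lists synced users whose UPN differs from their primary SMTP address and, with -WhatIf, shows the fix of aligning the UPN with the mail address. The OU path and the verified suffix are constructed assumptions; the suffix must be a verified domain in the tenant and a registered UPN suffix in the forest.

```powershell
# Added example: audit UPN vs. primary SMTP address for on-premises users before (or after) sync.
# Assumptions (constructed): user OU and the verified, routable suffix below.
Import-Module ActiveDirectory
$SearchBase     = 'OU=Users,DC=contoso,DC=local'
$VerifiedSuffix = 'contoso.com'

function Get-UpnMismatch {
    param([Parameter(Mandatory)][string]$SearchBase)
    # Only mail-enabled users matter: those are the ones whose UPN the end user sees in Office 365.
    Get-ADUser -Filter { mail -like '*' } -SearchBase $SearchBase -Properties mail |
        Where-Object { $_.UserPrincipalName -ne $_.mail } |      # -ne is case-insensitive in PowerShell
        Select-Object SamAccountName, UserPrincipalName, mail
}

$mismatches = Get-UpnMismatch -SearchBase $SearchBase
$mismatches | Format-Table -AutoSize

# Fix: make the UPN equal to the primary SMTP address, but only when its suffix is a verified
# tenant domain; anything else (e.g. a .local suffix) would still not be usable as a login name.
foreach ($m in $mismatches) {
    $suffix = ($m.mail -split '@')[1]
    if ($suffix -ieq $VerifiedSuffix) {
        Set-ADUser -Identity $m.SamAccountName -UserPrincipalName $m.mail -WhatIf   # drop -WhatIf to apply
    } else {
        Write-Warning "$($m.SamAccountName): mail suffix '$suffix' is not a verified tenant domain; skipping"
    }
}
```

Run the audit before the first directory synchronization where you can: changing the UPN of a user that is already synced and federated has historically needed an extra step on the Azure AD side, so it is cheaper to get it right up front.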

We don't offer Outlook Anywhere on the Internet. We use Terminal Services for remote users, and for mobile devices we use MobileIron. Do we really need to enable Outlook Anywhere?

Yes and no. If you are using Outlook, then you must provide at least one way for it to connect to Office 365; Outlook Anywhere (OA) or MAPI/HTTP are the most common. Securing those protocols can be done through e.g. Conditional Access or AD FS Claim Rules.
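As an added illustration of the “AD FS Claim Rules” option mentioned above (this is example code, not from the deck), the following PowerShell installs an issuance authorization rule set on the Office 365 relying party trust that only lets the Exchange rich-client protocols (Outlook Anywhere / RPC and EWS) authenticate from inside the corporate network; browser sign-in and other clients are not affected. Assumptions: AD FS on Windows Server 2012 R2 or later with Web Application Proxy in front (the insidecorporatenetwork claim is populated by WAP), the relying party trust under its default name, and the x-ms-client-application values listed in the regex, which you should confirm against your own AD FS audit events before relying on them.

```powershell
# Added example: restrict Exchange rich-client authentication to the corporate network via AD FS.
# Run in an elevated PowerShell on an AD FS server (ADFS module is loaded automatically there).
$RelyingParty = 'Microsoft Office 365 Identity Platform'   # default name for the O365 RP trust

# Claim rule language. Any issued 'deny' claim overrides 'permit', so rule order is not significant.
# The client-application names matched below are an assumption to be verified in your environment.
$NewRules = @'
@RuleName = "Deny Exchange rich clients from outside the corporate network"
exists([Type == "http://schemas.microsoft.com/ws/2012/01/insidecorporatenetwork", Value == "false"])
 && exists([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-client-application",
            Value =~ "^Microsoft\.Exchange\.(RPC|WebServices)$"])
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/deny", Value = "true");

@RuleName = "Permit all other requests"
=> issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@

function Set-ExchangeRichClientRestriction {
    param(
        [Parameter(Mandatory)][string]$TargetName,
        [Parameter(Mandatory)][string]$Rules,
        [Parameter(Mandatory)][string]$BackupPath
    )
    $rp = Get-AdfsRelyingPartyTrust -Name $TargetName
    if (-not $rp) { throw "Relying party trust '$TargetName' not found" }
    # Keep the current rule text so the change can be rolled back with the same cmdlet.
    Set-Content -Path $BackupPath -Value $rp.IssuanceAuthorizationRules
    Set-AdfsRelyingPartyTrust -TargetName $TargetName -IssuanceAuthorizationRules $Rules
    Get-AdfsRelyingPartyTrust -Name $TargetName | Select-Object Name, IssuanceAuthorizationRules
}

$backup = Join-Path $env:TEMP 'o365-rp-authz-rules.bak'
Set-ExchangeRichClientRestriction -TargetName $RelyingParty -Rules $NewRules -BackupPath $backup

# Rollback if needed:
# Set-AdfsRelyingPartyTrust -TargetName $RelyingParty -IssuanceAuthorizationRules (Get-Content $backup -Raw)
```

Test from a domain-joined client inside the network and from an external client before rolling this out widely: a deny rule on the only Office 365 relying party affects every user, and protocols not in the regex (e.g. MAPI/HTTP, ActiveSync used by an MDM gateway) keep working from outside, which is usually what you want when mobile devices are proxied by a product like the MobileIron setup in the question.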

I would like to perform a staged migration to Office 365; is there anything I need to be aware of?

Staged migrations are only available for Exchange 2003/2007 orgs, and only IF you have DirSync in place. The user experience is similar to a dial-tone recovery.

I am in the process of moving to Office 365. After moving a shared mailbox to Office 365 it mentions I should license it? I thought shared mailboxes were free?

Shared mailboxes are free, but sometimes the user account is enabled on-premises (!), causing this behavior.

How do I configure my on-premises devices and applications to relay messages through Office 365 after I remove my on-premises mail servers?

Check out Jeff Guillet’s (@ExPTA) session “Configuring a proper SMTP relay for Exchange on-premises and Exchange online”.

Where do I point my internal/external Autodiscover URL when hybrid (with and without on-prem mailboxes)?

If you still have users on-prem, Autodiscover should point to on-prem. If all users are in O365, either remove the SCP or point it directly to O365.
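To make that decision rule concrete, here is an added PowerShell example (not from the deck) that inventories the on-premises Autodiscover SCPs and the public autodiscover DNS record, counts the mailboxes still on-prem, and only clears the SCP (with -WhatIf) once none are left. It assumes Exchange 2013 or later (where Get-ClientAccessService exists; Exchange 2010 uses Get-ClientAccessServer) and a constructed SMTP domain.

```powershell
# Added example: check where Autodiscover points and clear the SCP once all mailboxes are in O365.
# Run in the on-premises Exchange Management Shell. Domain name is constructed.
$SmtpDomain = 'contoso.com'

function Get-AutodiscoverState {
    param([Parameter(Mandatory)][string]$Domain)
    # Internal: the SCP each Exchange server publishes in AD; domain-joined Outlook tries this first.
    $scp = Get-ClientAccessService | Select-Object Name, AutoDiscoverServiceInternalUri
    # External: what non-domain clients resolve on the Internet (CNAME/A record).
    $dns = Resolve-DnsName -Name "autodiscover.$Domain" -ErrorAction SilentlyContinue |
        Select-Object Name, Type, NameHost, IPAddress
    [pscustomobject]@{ InternalScp = $scp; ExternalDns = $dns }
}

$state = Get-AutodiscoverState -Domain $SmtpDomain
$state.InternalScp | Format-Table -AutoSize
$state.ExternalDns | Format-Table -AutoSize

# Decision rule from the answer above: any on-prem user mailbox left -> SCP keeps pointing on-prem.
$onPremMailboxes = (Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox | Measure-Object).Count
if ($onPremMailboxes -eq 0) {
    # All users are in O365: clear the SCP so domain-joined Outlook falls through to DNS,
    # where autodiscover.<domain> should resolve to Office 365. Drop -WhatIf to apply.
    Get-ClientAccessService | Set-ClientAccessService -AutoDiscoverServiceInternalUri $null -WhatIf
} else {
    Write-Host "$onPremMailboxes user mailbox(es) still on-premises; keep the SCP pointing at on-prem."
}
```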

When can I get rid of “all my Exchange servers”?

Although there is no such thing as a “hybrid server”, you must keep an Exchange server for management purposes IF you have DirSync enabled.

What version of Exchange should I use for my hybrid deployment?

It depends… ;-)

Are you happy? Why? Purpose?

I have an Office 365 E3 license plan right now. I hear a lot about this EMS license plan. Do I need it? If so, why?

It all depends on what you are looking for… EMS is great for further protecting data and securing access to your Office 365 tenant. It also contains AAD-P, which unlocks a plethora of additional features such as Azure MFA, Identity Protection etc.

I’m using a hybrid deployment to move to Office 365. What gotchas do I need to know about?

Do you have a few hours…?

Hybrid Administration

Built-in Exchange Server management tools are the only supported way to manage recipients, even in hybrid.

3rd-party solutions exist (and work fine), but you have to use them “at own risk”.

Hybrid Challenges

01 Cross-Forest Permissions: Limited permissions are available, like Free/Busy and Full Access; no “Send-As”, “Send-on-Behalf”, or Delegate Access. Impacts planning for mailbox moves.

02 Release Cadence: The release cadence in Office 365 means you have to keep up with the on-premises environment too!

03 Directory Synchronization: Directory Synchronization can introduce some peculiar behaviour with regards to recipient management.

04 Troubleshooting: Troubleshooting a hybrid deployment is sometimes like trying to find a needle in a haystack. Issues can occur on-premises, on the internet, and in Office 365.

05 Operations: Once in place, a hybrid requires little maintenance (except for upgrades of Exchange etc.). Monitoring is important because of the functionality offered!

Implications of using Directory Synchronization

01 Source of Authority: To avoid disjoint object values, synchronized objects cannot be modified in Azure AD / Office 365; changes must be made on-premises. A few exceptions exist.

02 Management Tools: Changes are only supported through native tools (i.e. the Exchange Management Tools).

Example: Archive Creation. Enable the archive on-premises and sync to the cloud; the on-premises status is set to “HostedPending”. The archive is enabled in Office 365 and the new status is synced back and updated to “HostedProvisioned”.

Example: Office 365 Groups. Hybrid coexistence for Office 365 Groups can be daunting. On-prem and O365 are not on par. Using “external” guests can be a (partial) solution.

Example: Shared Mailbox Dilemma. There is no way to natively create a “shared” hybrid mailbox. Either create it on-premises and then move it, or use ADSIEdit to modify attributes (not supported).

Example: New-RemoteMailbox. A great way to create new mailboxes directly, but it will prevent moving the mailbox back to on-premises. You must copy the ExchangeGUID from the cloud first before you can move back.
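The archive-creation and New-RemoteMailbox examples above describe what happens; the following PowerShell is an added example (not from the deck) that walks through both with the native tools, including the ExchangeGUID copy that makes a later move back on-premises possible. It assumes an on-premises Exchange Management Shell, a constructed user (alias jdoe, UPN jdoe@contoso.com) and a constructed remote routing domain contoso.mail.onmicrosoft.com.

```powershell
# Added example: hybrid recipient operations with the supported, native tools.
# Run in the on-premises Exchange Management Shell (EMS) unless a step says otherwise.
$Alias         = 'jdoe'                                     # constructed
$Upn           = "$Alias@contoso.com"                       # constructed
$RemoteRouting = "$Alias@contoso.mail.onmicrosoft.com"      # constructed tenant routing domain

# 1. New-RemoteMailbox: creates the AD user plus the remote-mailbox object in one step; the mailbox
#    itself is provisioned in Exchange Online after Azure AD Connect has synced the object.
New-RemoteMailbox -Name 'John Doe' -Alias $Alias -UserPrincipalName $Upn `
    -RemoteRoutingAddress $RemoteRouting -Password (Read-Host 'Initial password' -AsSecureString)

# 2. Archive creation: enable the archive on-prem. ArchiveState shows HostedPending until Exchange
#    Online has created the archive and the new state has been synced back (HostedProvisioned).
Enable-RemoteMailbox -Identity $Alias -Archive
Get-RemoteMailbox -Identity $Alias | Select-Object Alias, ArchiveState

# 3. Moving the mailbox back on-prem later requires the on-prem object to carry the cloud mailbox's
#    ExchangeGUID, which New-RemoteMailbox leaves empty. Read it in Exchange Online PowerShell:
#      $cloudGuid = (Get-Mailbox -Identity 'jdoe@contoso.com').ExchangeGuid
#    ...then stamp it on the remote mailbox in EMS before creating the offboarding move request.
function Set-RemoteMailboxExchangeGuid {
    param(
        [Parameter(Mandatory)][string]$Identity,
        [Parameter(Mandatory)][guid]$CloudGuid
    )
    $rm = Get-RemoteMailbox -Identity $Identity
    # Refuse to overwrite a GUID that is already set to something else: a wrong GUID breaks the move.
    if ($rm.ExchangeGuid -ne [guid]::Empty -and $rm.ExchangeGuid -ne $CloudGuid) {
        throw "$Identity already has ExchangeGuid $($rm.ExchangeGuid); not overwriting"
    }
    Set-RemoteMailbox -Identity $Identity -ExchangeGuid $CloudGuid
    (Get-RemoteMailbox -Identity $Identity).ExchangeGuid
}
# Usage (after obtaining $cloudGuid from Exchange Online as shown above):
# Set-RemoteMailboxExchangeGuid -Identity $Alias -CloudGuid $cloudGuid
```

Everything here goes through the Exchange cmdlets rather than ADSIEdit, which keeps the change within the supported path the “Management Tools” point above calls for.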

I am moving to Office 365, and would like to ingest my (legal) archives too. What is the best approach?

It’s a complicated matter, both from a technical, legal and licensing perspective. It also depends on what your definition of “legal archive” is.

Legal archiving & Office 365

01 Migrations: Office 365 does not allow you to ingest data of multiple users into a single mailbox in Office 365 (license restriction). 3rd-party tools such as TransVault & QuadroTech can help solve this problem.

02 Regulations: From a legal perspective, there are various regulations that may (or may not) apply. All of those can impact your possibilities.

03 Features in Office 365: Office 365 hosts a variety of features that likely surpass what you already have available today. This creates an opportunity to handle things differently, e.g. Inactive Mailboxes.

04 Journaling: Journaling is possible, but still requires a journaling recipient outside of Office 365. This can be on-premises or a third-party tool.

The good, the bad and the ugly of Multi-Forest O365 Migrations

Scenario

• Company “Belgian Waffle Association” merges with “Belgian Chocolate House”.
• Both organizations have gone through M&A scenarios before; each org still has one or more subsidiaries.
• Both organizations decide to buy out a competitor called “Belgian Fruit Company”.

(Diagram: environments in scope: BWA.be, BFC.be, BWM.be, BCH.be, BCB.be)

Customer demands…
• Set up a (single) global solution to improve collaboration between all subsidiaries (organizations).
• Keep the time to implement as low as possible; impact on the end user should be minimized at all times.
• Use “low hanging fruit” to show benefits early on…

When tackling a multi-forest/multi-organization Office 365 migration, there are a few steps that you go through. Although these steps aren’t necessarily in order, they highlight the most important items.

Start

Step 1 / Step 2: Create a list of “challenges”. This is best done through a (series of) workshop(s). For example:
• Mail Flow
• Inter-tenant migration(s)
• Non-MS platforms
• Directory Synchronization (IdM)
• Cross-forest interop
• Define a (common) service

Step 3: Work towards solving each of the technical challenges. Some can be solved natively, others need a 3rd-party solution to work around the (technical) limitation.

Step 4: Define the migration approach and the order of the migration:
• How are you going to move each environment?
• Which environment first?

Step 5: Maintain clear communications with the project team and end users throughout the project. Often there are disruptions involved.

Step 6: Start moving each environment, following the approach outlined earlier. Do not hesitate to make changes to the approach if necessary. Make sure to learn from earlier migrations and apply those lessons learned!

End

Mail Flow

01 Sharing domain names: Using a single domain across environments can be challenging. Office 365 does not allow a domain to be registered in more than one tenant. Authentication can be challenging too!

02 Mail routing: 3rd-party solutions (e.g. Mimecast) can solve some of the routing issues you might encounter and enable all organizations to benefit from a single (external) namespace.

03 Updating recipients: One of the biggest challenges is to deal with updated recipient information (e.g. when a mailbox is moved to Office 365).

Multi-Forest Authentication

01 UPN Suffix Routing: An on-premises Active Directory can share a User Principal Name suffix with another forest, but cannot authenticate cross-forest with the same UPN. Alternatives are to use a 3rd-party solution, or to use samAccountName or an explicit UPN on-prem.

02 End-user impact: You cannot share a domain name (nor a UPN for authentication) across tenants. This means you cannot maintain the same authentication method during a migration (at least not without end-user changes/impact).

03 Leverage Azure AD: The biggest opportunity is to start using Azure AD to authenticate to a variety of applications (both on-prem and in the cloud).

Inter-tenant migrations

01 Moving data: There are no built-in tools that can assist in this scenario. The only (viable) option is to use a 3rd-party tool like e.g. MigrationWiz. Alternatively you can perform a double-hop migration (offboard-onboard through hybrid).

02 Workloads: Emails are typically the easiest to move across tenants. Things can get a lot more difficult when dealing with e.g. SPO or ODFB. This is mostly because of either the size of the data or the structure of the data (sites etc.). Skype contact migration is a pain to deal with too!

03 Non-MS platforms: Migration and interop with non-MS platforms typically also requires a 3rd-party solution, which increases cost and complexity. However, mostly this cannot be avoided unless the size of the organization is very small and a quick migration is possible.

Identity Synchronization

01 SourceAnchor: It is important to agree on the sourceAnchor to be used. If each environment is going to remain, use the default (objectGUID). If on-premises environments are to collapse later, use a different attribute (i.e. a Base64-encoded objectGUID in an extension attribute).

02 On-premises sync: Azure AD Connect only synchronizes (multiple) directories with Azure AD. You must implement a 3rd-party solution or script to maintain synchronicity across on-premises directories.

03 Thou art warneth! Multi-forest identity synchronization has an impact at various levels (authentication, global address list, interoperability, etc.). Plan and test before you execute.
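The “Base64-encoded objectGUID in an extension attribute” sourceAnchor from the SourceAnchor point above, as an added PowerShell example (not from the deck). It computes the value exactly as Azure AD Connect encodes objectGUID, stamps it once per user, and refuses to change an attribute that already holds a value, because the anchor must never change after the first sync; when a user is later moved to another forest, that stored value is what you copy across so Azure AD keeps matching the same object. The attribute name and OU are constructed assumptions.

```powershell
# Added example: stamp an immutable, forest-independent sourceAnchor before the first sync.
# Assumptions (constructed): attribute extensionAttribute15 and the user OU below.
Import-Module ActiveDirectory
$AnchorAttribute = 'extensionAttribute15'
$SearchBase      = 'OU=Users,DC=bwa,DC=be'

function ConvertTo-SourceAnchor {
    # Same encoding Azure AD Connect applies to objectGUID: Base64 of the 16 raw GUID bytes.
    param([Parameter(Mandatory)][guid]$ObjectGuid)
    [Convert]::ToBase64String($ObjectGuid.ToByteArray())
}

function Set-SourceAnchorOnce {
    param(
        [Parameter(Mandatory)][string]$SearchBase,
        [Parameter(Mandatory)][string]$Attribute,
        [switch]$Apply                                   # without -Apply only -WhatIf output is produced
    )
    $users = Get-ADUser -Filter * -SearchBase $SearchBase -Properties objectGUID, $Attribute
    foreach ($u in $users) {
        $expected = ConvertTo-SourceAnchor -ObjectGuid $u.ObjectGUID
        $current  = $u.$Attribute
        if ([string]::IsNullOrEmpty($current)) {
            # First time: stamp the anchor.
            Set-ADUser -Identity $u -Replace @{ $Attribute = $expected } -WhatIf:(-not $Apply)
        } elseif ($current -cne $expected) {
            # Already set to something else: this is expected for an object that originated in another
            # forest (its anchor travelled with it). Never overwrite; report it for review instead.
            Write-Warning "$($u.SamAccountName): $Attribute already holds '$current'; leaving it unchanged"
        }
    }
}

# Dry run first; add -Apply to write the attribute.
Set-SourceAnchorOnce -SearchBase $SearchBase -Attribute $AnchorAttribute
```

Configure Azure AD Connect to use the chosen extension attribute as sourceAnchor on its first run; switching the anchor attribute after objects have been synced means re-matching every object, which is exactly the pain the slide warns about.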

Multi-forest Write-back

01 Password write-back: Write-backs in multi-forest setups are somewhat limited and defined by the objects synced to Azure AD in the first place. Password writeback is possible because Azure AD knows the object it is changing the password for. This is different for new objects.

02 Group & Device write-back: All groups and devices are written back into one (default) on-premises directory, because Azure AD does not have an identifier (or matched object) in the on-premises environment.

(Diagram: AD1, AD2)

Define the service you are offering

01 Service-provider model: Because you (IT) are providing a service to your end users (potentially across multiple organizations), you have to define / establish what your service will look like.

02 Baseline feature set: Start by defining what features you will be delivering across all organizations. This should be a grouping of commonly used features, something organizations cannot opt out of.

03 Additional features: Define which features are optional. Here, the choice is driven by technological limitations (some features are controlled at tenant level) and political motivations (sometimes, one division wants something entirely different from all other divisions).
