Thursday, May 3, 2012

FISMA Update for Office 365

Another win for Office 365 and security! Up until now Office 365 Dedicated with ITAR had the ability to meet FISMA. Now Office 365 Enterprise Services (the multi-tenant cloud) has a FISMA authority to operate (ATO). Please review the following for more details about this announcement - http://blogs.office.com/b/microsoft_office_365_blog/archive/2012/05/03/fisma-security-certification-office-365.aspx

Monday, April 23, 2012

Office 365 Federation Overview

Background

I keep on neglecting to finish this blog post, so I am going to crank this out. I recently federated a lab environment with Office 365 and I wanted to share the resources and some of my lessons learned. Actually federating with Office 365 is a pretty straightforward task.

In this post I will capture the major steps I took, some lessons learned, and the resources you need to get there.

Authentication Options

With Office 365 you have a few authentication options:

  • Microsoft Online IDs – These are cloud based IDs. They are best for small organizations. Users will have a different log-in (a different username and password), so there is no Single Sign-On experience for the user accessing cloud services. If there is a two-factor authentication requirement, that cannot be supported using this authentication method. You do have the option to bring in your corporate GAL that is managed through on-premise Exchange with the synchronization tool.
  • Federated IDs – This is when you decide you want to provide a Single Sign-On (SSO) experience with Office 365. This is enabled by installing Active Directory Federation Services 2.0 (AD FS 2.0) on-premise. Implementing federation provides the ability to support two-factor authentication and enables co-existence/hybrid scenarios.
  • External User Authentication – It is worth mentioning that organizations often want to bring in external users and partners to collaborate with them. SharePoint Online supports the ability to create a partner cloud account within Office 365, or to allow users to authenticate to SharePoint Online with a Windows Live ID. The Windows Live ID is very appealing because external users can use whatever email address and password they already have to access SharePoint Online.

Major Steps for Federation

This is all actually very well documented in the references I am providing at the end of this post. The steps for federating with Office 365 are:

  • Plan and Prepare
  • Deploy Active Directory Federation Services
  • Establish a Relying Party Trust with Office 365
  • Set Up Active Directory Synchronization
  • Activation of Services for Users


Plan and Prepare

First, you really need to sit down, read the materials and come up with an execution plan. It is not rocket science; however, knowing your requirements and how people will access Office 365 services will directly affect how you deploy your federation services.

Here are some things to think about:

  • Multiple Domains – If you have multiple domains and sub-domains you should spend some extra time planning trusts with AD FS.
  • Multiple Forests – If you have multiple Active Directory forests, synchronization and authentication across them are not currently supported with Office 365 Multi-tenant. To get around this you can consider consolidating forests, or only deploy Office 365 with a primary login forest.
  • Deployment Readiness Tool – Running the Deployment Readiness Tool may leave you with remediation work, as it checks email domains, AD (required attributes, special characters that must be removed, etc.), networks, DNS, etc.
  • DNS – Part of the configuration will require DNS changes, and you need to make sure you are working with a person in your company or organization who can make these changes.
  • Access Outside Corporate Network – You need to understand how users will access your environment. If they will be accessing from home, public areas, etc., you will need to deploy proxy servers in your DMZ (discussed later).
  • Two-Factor Authentication – If you need to support two-factor authentication, some additional configuration is required (discussed later).
  • Certificates – You will need SSL and Token Signing Certificates. I highly recommend getting all of this worked out from a logistics perspective before you start; otherwise you will be waiting for people to get things for you.
  • Administration Rights – Note that many of the configuration steps require domain administrator rights. You will need to get this person involved, and they need to participate in the configuration and installation of the service.

Approach

Honestly, every plan to implement this will differ to some degree based on the current state of your infrastructure. The references at the end entitled “Office 365 Single sign-on: Roadmap” and “Office 365 Deployment Guide” are your best resources for configuring federation with Office 365.

Federation

At a minimum there are a couple of resources that will need to be added:

  • AD FS 2.0 – Must be installed on-premise to support federation. It is recommended that you add more than one AD FS 2.0 server for redundancy purposes and load balance them.
  • Directory Synchronization Tool – This tool will synchronize Active Directory information to Office 365 to support the GAL. The reason you need to do this is that AD FS only provides the ability to authenticate; it will not actually allow you to find other users in your organization in Exchange or SharePoint Online. This cannot be installed on a Domain Controller or AD FS server.

So at a minimum you will need those two components alongside your existing Active Directory.


If you need to support users accessing Office 365 services from outside the corporate network, you will need to add some additional resources to support the federated authentication.

Federation with External Network Access

The most commonly documented option is to install AD FS 2.0 Proxy Server(s) in the DMZ. Requests come in externally to the proxy servers and are then sent through to the corporate network to authenticate against AD.


An alternative is to use something like Microsoft Forefront Unified Access Gateway (UAG) to let users access federated Office 365 services when outside the corporate network.

Strong / Two-Factor Authentication

Another common requirement is the need to support two-factor authentication along with federation. If a user is logging in on the corporate network or with a domain-joined machine, you can utilize the existing infrastructure to meet this requirement, and no further deployment is required beyond AD FS 2.0 (which provides the single sign-on experience to Office 365). However, if you need to extend two-factor authentication to users accessing Office 365 services from non-domain-joined machines, additional configuration is required.

One solution is to use Microsoft Forefront Unified Access Gateway (UAG) SP1 to provide two-factor authentication for users who need to access Office 365 services from non-domain-joined machines. UAG provides several solutions for two-factor authentication and direct access. One thing to be aware of is that UAG supports two-factor authentication only for passive federation endpoints (i.e. web clients such as SharePoint Online and OWA). UAG cannot support two-factor authentication for active federation and basic authentication endpoints (i.e. Outlook client, Lync client, ActiveSync). This means providing strong authentication with UAG will be limited to the Office 365 web clients. In my opinion this is not a major limitation for businesses utilizing Office 365 services, because typically the only client that IT will support on non-domain-joined machines is the browser. Even with bring-your-own-device policies, organizations will typically not support down to the rich client; nor do they really need to.

Another potential solution is to use AD FS 2.0 to enforce strong authentication by modifying the AD FS 2.0 proxy logon page to add two-factor support. This would entail adding extra fields for the users to enter the extra factors for authentication. Doing this would require integration with whatever two-factor authentication servers/services are in place.

In summary, UAG is a good solution for accessing Office 365 services when two-factor authentication must be supported for external, non-domain-joined machines.

Pilot Single Sign On

Additionally, you may be interested in piloting single sign-on with a subset of users. There is a great article in the references of this post that explains how to do this. It is really straightforward. First, you will notice that you can always add single sign-on later: you have the ability to create your Office 365 tenant using cloud IDs and, when you are ready, transition over to federated authentication with Active Directory. Second, you can even create scenarios where some users authenticate to Office 365 services using a federated account while other users only use cloud based IDs. This can give you some flexibility in how you manage accounts.
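The PowerShell below is an added example and not part of the original post or Microsoft's documentation. It performs the "Establish a Relying Party Trust" step from the major steps above with the Microsoft Online Services Module, and then runs the checks a practitioner would want after the switch from cloud IDs to federation: that the domain reports Federated, that AD FS and Office 365 agree on the federation settings, and which AD FS 2.0 endpoints are published through the proxy (the passive vs. active endpoint distinction from the two-factor section). It assumes the MSOnline module and the AD FS 2.0 snap-in are installed on the primary AD FS 2.0 server; contoso.com and adfs01.corp.contoso.com are placeholder names.

```powershell
# Added example, not from the original post. Placeholders:
#   contoso.com               -> the verified domain being federated
#   adfs01.corp.contoso.com   -> the primary AD FS 2.0 server
$domain   = "contoso.com"
$adfsHost = "adfs01.corp.contoso.com"

Import-Module MSOnline
$cred = Get-Credential -Message "Office 365 global administrator"
Connect-MsolService -Credential $cred

# Tell the MSOnline cmdlets which on-premise AD FS 2.0 farm to configure
Set-MsolADFSContext -Computer $adfsHost

# Establish the relying party trust. This switches the domain from Managed
# (cloud IDs) to Federated and registers the AD FS endpoints and the
# token-signing certificate with Office 365.
Convert-MsolDomainToFederated -DomainName $domain

# Check 1: Office 365 now reports the domain as Federated
Get-MsolDomain -DomainName $domain |
    Select-Object Name, Status, Authentication

# Check 2: AD FS and Office 365 hold the same signing certificate and
# endpoint URLs. A mismatch here (for example after a token-signing
# certificate rollover) breaks sign-in until it is pushed with
# Update-MsolFederatedDomain -DomainName $domain
Get-MsolFederationProperty -DomainName $domain

# Check 3: which AD FS 2.0 endpoints are exposed through the DMZ proxy.
# /adfs/ls/ is the passive (browser) endpoint that UAG can protect with
# two-factor authentication; the /adfs/services/trust/... endpoints are
# the active ones used by Outlook, Lync and ActiveSync.
Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue
Get-ADFSEndpoint |
    Where-Object { $_.Enabled -and $_.Proxy } |
    Select-Object AddressPath, Protocol, ClientCredentialType |
    Format-Table -AutoSize
```

Run it from the primary AD FS 2.0 server after the relying party trust and Directory Synchronization prerequisites from the references have been completed.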

References/Resources

Saturday, April 7, 2012

Office 365 Dedicated Service Description Update for April 2012

The Office 365 Dedicated service descriptions have been updated for April 2012. Go here to get the service descriptions:
  1. Office 365 Dedicated Service Descriptions - http://www.microsoft.com/download/en/details.aspx?id=18128
  2. Office 365 Dedicated with ITAR Service Descriptions - http://www.microsoft.com/download/en/details.aspx?id=23910
To get a quick description of all the changes read the document called “What's New in the Latest Service Update_Office 365 Dedicated Plans_April 2012.docx” which captures all the changes in the services.
Here are some changes to take note of:
  • Mailbox Auditing Reports
  • Hosted voicemail services
  • More streamlined process for approving SharePoint Full Trust code
  • Lync data access and IM archiving
  • Enterprise Voice updates
There are some others but these are some highlights.
Note if you are looking at Office 365 Multi-tenant (meaning the shared Office 365 cloud) please review those service descriptions here as they are different (http://www.microsoft.com/download/en/details.aspx?id=13602).

Tuesday, March 20, 2012

Office 365 Multi-tenant Service Description Updated

The Microsoft Office 365 Multi-tenant Service Descriptions have been updated - http://www.microsoft.com/download/en/details.aspx?id=13602

  • Exchange Online Archiving – Feb 2012
  • Exchange Online – Feb 2012
  • Lync Online – March 2012
  • Office Professional Plus – Feb 2012
  • Office Web Apps – March 2012
  • SharePoint Online – March 2012
  • Office 365 Enterprise Support – Feb 2012

The other service descriptions on Identity, Mobility, Security/Continuity, and Apple have not changed.

Thursday, March 15, 2012

Updated Independent Analysis on Microsoft Productivity Solutions for Prem and Cloud

There have been a lot of updates to the Gartner analysis of the Microsoft Productivity stack and other related stacks that I work with. Specifically, SharePoint, Office 365, Lync and BI have all been getting great independent reviews. The important takeaway that I discuss with my customers is that all of these top-quartile rated technologies are delivered on a single, integrated solution stack. They are NOT hodgepodge solutions brought together through custom integration.

Many of the reports and newest reports can always be accessed from here - http://www.microsoft.com/presspass/itanalyst/default.mspx

SharePoint and Office 365

As you can see, we have received great assessments for enterprise content management, enterprise search with FAST for SharePoint 2010, great recognition as a portal provider, and for social computing and business process analysis with Visio Services and SharePoint workflow. Much of this capability is delivered through the Office 365 cloud as well.

SQL Server and BI

As you can see, these are very recent reports giving us good reviews in the areas of BI and Data Warehouses. I think the big takeaway is again total cost of ownership (TCO). We provide strong BI solutions, and customers do not need to make significant additional investments to deliver BI through the same SharePoint investments discussed above.

Exchange and Office 365

For email with Exchange either delivered on-premise or through the Office 365 cloud we continue to be evaluated as a leader. This really speaks to our versatility in allowing customers to select the most appropriate place and get the same level of end user experience for business users.

Lync and Office 365

Microsoft is again recognized as a leader in all these types of solutions with Lync which can additionally be delivered through the Office 365 cloud. Our Unified Communications solutions are completely integrated in Office, Outlook and SharePoint allowing users to quickly transition between tasks they are working on making them highly productive. These capabilities are extremely useful for telework or communications between people spread across large geographies.

Tuesday, March 13, 2012

SQL Server 2012 Brings New Features and Capabilities for SharePoint 2010

Introduction
If you are a SharePoint customer or architect, you really should be looking at the new SQL Server 2012 release. As we all know, SharePoint success is highly contingent on SQL Server. You need a strong SQL Server deployment to ensure good performance, high availability, backup/recovery, etc. Additionally, Microsoft delivers its Business Intelligence (BI) stack through SharePoint, and there have been several new features and capabilities added there as well.
For SQL 2012 there are three areas where there have been major capability additions:
  1. Mission Critical Confidence – The capability to more easily deliver high availability with a lower total cost of ownership.
  2. Breakthrough Insight – New and expanded capabilities for Business Intelligence.
  3. Cloud on Your Terms – Additional capabilities to create SQL databases in either the private or public cloud (Office 365).
In this post I am going to cover some of the new SQL 2012 capabilities, specifically focusing on how they can improve your SharePoint 2010 implementation. Please note that there are a lot of new capabilities in SQL Server 2012 which I have not covered, such as data warehousing, resource management, full text search, auditing, Big Data (Hadoop), etc. Here is a good reference to quickly get up to speed on all the new capabilities (“What's New in SQL Server 2012 Whitepaper” located here).
Mission Critical Confidence
AlwaysOn
First and foremost is the new high-availability solution in SQL Server 2012 called AlwaysOn. One of the first challenges that organizations face with deploying SharePoint 2010 is providing a solution architecture that will meet the SLAs of their business users. Business processes, technical processes and governance need to be put in place to ensure that SharePoint 2010 will be up as much as possible.
In the past, with SQL Server 2008 R2, you would employ such solutions as clustering, mirroring, log shipping and replication (see my previous blog on this topic). However, this could require a lot of planning, configuration, and management. With SQL 2012 AlwaysOn, new configuration wizards and tuning tools are now provided that make the set-up and configuration of high availability extremely simple.
The concept of Availability Groups has been added, which specifically makes the configuration of database mirroring easier. An Availability Group is a logical set of databases that fail over together. Through the configuration wizard, you can determine whether you need such things as automatic or manual failover, set-up of primary and multiple secondary instances, synchronous or asynchronous data movement, etc.
Availability Groups remove the need for shared disk storage (SAN or NAS) for deployment of a failover cluster instance. Note that AlwaysOn Failover Cluster Instances support multi-site clustering across subnets, which subsequently enables cross-datacenter failover.
This feature is very useful when setting up your SharePoint 2010 (or 2007) farm, because high availability is one of the most important tasks when setting up a mission critical SharePoint environment.
Recovery Advisor
Database Recovery Advisor provides many new features and capabilities for the backup and restore of databases through SQL Server Management Studio. The new Recovery Advisor streamlines the backup process. One such feature is a visual timeline that shows the backup history and all the available points you can restore to.
There is also a new capability called Split File Backup, which allows you to split a backup into multiple files. This allows for quicker backups and restores because the files can be written and restored across disks in parallel.
This is very helpful for reducing the time needed to work with large SharePoint 2010 (or 2007) content databases that have grown significantly.
Breakthrough Insight
As you probably already know SharePoint 2010 is where Microsoft’s Business Intelligence (BI) stack is delivered. This is a combination of solutions such as Excel Services, PerformancePoint, Visio Services, Chart Web Parts (Dundas), PowerPivot, and SQL Reporting Services (SSRS). With the release of SQL 2012 a new solution called Power View is now provided, PowerPivot can now be done on SharePoint 2010 server side and there is significantly enhanced integration with SSRS.
Power View
Power View is a new, highly interactive data exploration and reporting tool that allows business users to visually explore data in an ad-hoc fashion. End users can create reports/dashboards very quickly, create shapes/graphs with a few clicks, create animations, highlight data based on rules, drill down through relationships, and it performs very well with large datasets. The design environment is very similar to Office. It can be published through SharePoint 2010.
Note that Power View requires SQL Reporting Services (SSRS) to be integrated with SharePoint 2010 and that an instance of SQL Server 2012 Analysis Services (SSAS) or PowerPivot is available.
PowerPivot
Up to this point PowerPivot was a solution that was available only through the Excel client via an add-in. This is a really powerful, end-user-friendly capability for data analytics. There are actually several new capabilities that have been introduced that I recommend you read up on (in the references below).
Specific to SharePoint 2010, PowerPivot for SharePoint is available as an add-in and can run server side in conjunction with Excel Services. This now allows end users to publish PowerPivot reports through the browser, giving end users easy access to this data.
As well, in SharePoint 2010 Central Administration there is a new PowerPivot Management Dashboard that provides several reports on the performance of published reports.
SQL Reporting Services (SSRS)
Personally, the enhancements to SSRS are very exciting to me, as I have had to configure SSRS with SharePoint 2007 and 2010 in production environments in the past. If you have done it before, you may recall it was a tedious task of working through the SSRS Configuration Wizard and getting Kerberos authentication set up correctly. Now with SQL Server 2012, configuration of SSRS with SharePoint 2010 is done completely through Central Administration. Additionally, there is a new service in SharePoint 2010 that runs SSRS; it supports WCF/Claims authentication, integrated ULS logging, built-in load balancing across SharePoint servers, report performance improvements, and there are PowerShell commands for management.
Additionally, there is an SSRS alerting capability that allows end users to subscribe to alerts associated with an SSRS report. Users can create conditions for any report, and when they are met a notification will be sent to them.
One more change: you may know that SSRS reports can generate Word or Excel documents. Up to now, the file formats generated were either .doc or .xls, which means they are not Open XML document renditions. With SQL Server 2012 and SSRS, .docx and .xlsx file types will now be generated.
Cloud on Your Terms
With SQL Server 2012, there are a bunch of new capabilities to support even tighter integration with SQL Azure. You will have a unified database development experience between SQL 2012 on-premise and SQL Azure. The reason I bring this up is that it is very common, when creating a solution inside SharePoint, to have complex data management requirements that are better supported with a SQL Server database than with a SharePoint list.
Now we have the ability to more quickly and efficiently create custom databases in SQL Azure which can be utilized with SharePoint 2010. Plus, this is really good for working with Office 365 SharePoint Online, because we can make a cloud-to-cloud connection to work with advanced data structures.
References