Thursday, December 13, 2012

Office 365 for Government FISMA ATO

The Recovery Accountability and Transparency Board (RATB) has granted Office 365 for Government an Authority to Operate (ATO) under the Federal Information Security Management Act (FISMA). This is a moderate rating. To read more, please see this announcement - http://blogs.office.com/b/microsoft_office_365_blog/archive/2012/11/29/office-365-government-customer-ratb.aspx

Additionally, here is another article on how the Recovery Accountability and Transparency Board (RATB) is being a trend setter for cloud computing within the US Federal government - http://gcn.com/Articles/2012/12/12/Recovery-Board-hub-gathers-multiple-clouds.aspx?Page=1

Friday, November 30, 2012

Office 365 Preview Service Descriptions

Not sure if anyone has noticed, but the Office 365 Preview Service Descriptions are published here - http://technet.microsoft.com/en-us/library/jj819284.aspx. There is really good information in here to help you evaluate all the features and capabilities that are available in each type of Office 365 plan. Remember these are Preview and subject to change; however, this will really help you with your planning!!!

If you read my blog at all, you will know that I constantly talk about Service Description updates and such. These are really the most important documents customers should be reviewing as part of their decision to move to the cloud.

Friday, November 23, 2012

SharePoint Conference, SharePoint Online Operations Team Presentations

1.0 Introduction
I recently went to the SharePoint Conference and attended several great sessions. I am going to put up some of my notes from the conference, as there was a ton of great information for the 10,000 people who attended. I openly admit that I am a little focused on SharePoint Online because I am constantly talking with customers about all our solutions available in Office 365. Also excuse the grammar – I am just trying to get content up as quickly as I can…

1.1 Cloud First and Aligned Management
From a SharePoint perspective, Office 365 has really driven Microsoft towards building solutions that are more scalable and manageable. For instance, in SharePoint 2010 we were given this “new SharePoint Federated Services model” that not many organizations stood up on-premise; however, it is heavily used in SharePoint Online. Now with SharePoint 2013 we can really see that everything is being built for a cloud environment. For instance, SharePoint 2013 upgrades, wow. If you look at the way we will be doing upgrades from SharePoint 2010 to 2013 you are going to say “this is so much better thought out now”. First, we have lessons learned since the product has been around since 2001; however, the cloud has really driven Microsoft to deliver better solutions. Why? Because Office 365 delivers a financially backed SLA with a promise to keep customers moving forward on the latest and greatest solutions in the cloud. We will not get stuck on an old version, and this has forced Microsoft to deliver even better upgrade capabilities.
In this blog I am going to capture some information from two specific sessions I attended on “How We Do It” for SharePoint Online. Throughout these sessions it really resonated with me how we were changing the architecture of the SharePoint product to be cloud first. The Microsoft SharePoint Product Group is the same group of people supporting SharePoint Online. I will talk about this later in the blog, but this is a big deal as it really demonstrates Microsoft’s commitment to have people, process and technology strategically aligned.

1.2 Sessions on How We Do It at SharePoint Online
There were two amazing sessions at the SharePoint Conference. One was called Operating SharePoint Online and the other was called Building and Managing SharePoint Online. If you are a SharePoint developer you may not have attended these two sessions, but they will blow your mind. Specifically, if you are a person who has ever managed a production SharePoint farm, you will really appreciate what they have done; not just from a physical and logical architecture perspective, but also because there is program management and governance built into Office 365 that frankly organizations have a very tough time building and delivering on-premise. This is driven by the 99.9% financially backed SLA that Microsoft delivers with Office 365.

1.3 Session on Operating SharePoint Online
Here are some of my notes (formalized a little) from the presentation.

Some Current Stats - Microsoft has made over a $3.28 billion investment in data centers that support Office 365. This really demonstrates Microsoft’s commitment to the cloud. At the time of this presentation, in support of SharePoint Online, there were more than 13,000 servers with over 37,000 SQL servers in the cloud data centers. They indicated they are currently bringing on 30,000 companies a week! They have a 24/7 development staff. Plus they have actually maintained 99.95% YTD delivery of service for SharePoint Online – basically beating their stated SLA. When you hear stats like this, and you have done SharePoint administration, it really makes you understand the value that Microsoft is delivering to your organization. Stop and think for a second about all the people, business processes, governance, management, etc. that are needed to deliver this.

Goals – The SharePoint Online Operations team discussed their focus on several things such as zero downtime, zero loss of data, always up to date and security/compliance. These are all things that organizations deploying SharePoint try to adhere to, but they are very challenging to implement because they require serious investment in people, process and technology, not simply deploying some SharePoint servers.

Zero Downtime – During the session they spent a lot of time discussing this.
  • In order to support this, the SharePoint Online team is constantly monitoring from multiple different angles. SCOM is highly utilized in support of this activity. They specifically implement scenario-based monitoring, so it is not just checking server machine status. As part of this they do a lot of live traffic monitoring and watch for patterns. They also implement rather comprehensive scenario-based monitoring on the SharePoint Online environment.
  • They stated that one of the biggest reasons for their success thus far is their alignment with the SharePoint Product Group. They have direct integration with the people who write the actual code for SharePoint, and these same people have direct responsibility for supporting SharePoint Online. As I mentioned earlier, it is this sort of alignment which drives great delivery, as there is direct access to the people who wrote SharePoint to support SharePoint Online.
  • They also stated that even though they have access to the people who built SharePoint Online, from a support perspective they have a goal to “automate everything”. Really this is the only way they can ever scale, and they have demonstrated that with the level they are currently delivering at.
  • They stated they are doing close to 172 million probes per month to make sure there are no issues. They stated that this can result in roughly 600,000 anomalies a month that SCOM may identify. Through correlation systems, they are able to identify roughly 200 escalations a month that they may need to deal with. This is pretty amazing when you look at the number of probes and the amount of automation they have put in place to discover and automatically resolve issues. Plus they continually find ways to reduce this.
  • When issues are discovered they have an entire automated system that will communicate with engineers, manage workflows and tasks, and proactively initiate meetings between the responsible engineers. The system even provides a full report and list of past resolutions on how to immediately resolve an issue if it is something that has been encountered before.
  • Additionally they talked a little about an internal solution they created with Microsoft Research that can parse ULS logs. I know when I have had to debug SharePoint on-premise production issues in the past I had to work with ULS logs, which is never a fun task. However, this tool provides a dashboard, drill-down capabilities and pattern analysis across every ULS log across the entire SharePoint Online cloud. It is impressive.
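To make the probe-to-escalation funnel above concrete, here is a small scenario-based correlator. This is example code I am adding to these notes; it is not the SharePoint Online or SCOM tooling the team described, and the probe records, stamp names, thresholds and playbook entries are all constructed for the illustration. Every failed probe counts as an anomaly, but a (stamp, scenario) pair is only escalated when several independent probes agree within a time window or a single probe fails repeatedly; everything else is treated as transient noise to be auto-resolved, and a known past resolution is attached when the playbook has one.

```python
"""Scenario-based probe correlation: collapse many probe anomalies into a few
escalations. Added illustration, not the SharePoint Online monitoring system."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed probe results (not real telemetry). Each probe exercises one
# user-facing scenario against one stamp instead of checking server status.
PROBES = [
    # (timestamp, stamp, scenario, probe_id, ok)
    ("2012-11-20T10:00:00", "stamp-01", "open-document", "p1", True),
    ("2012-11-20T10:00:05", "stamp-01", "open-document", "p2", False),  # isolated blip
    ("2012-11-20T10:00:10", "stamp-01", "open-document", "p2", True),
    ("2012-11-20T10:01:00", "stamp-02", "search-query", "p3", False),
    ("2012-11-20T10:01:10", "stamp-02", "search-query", "p4", False),
    ("2012-11-20T10:01:20", "stamp-02", "search-query", "p5", False),   # three probes agree
    ("2012-11-20T10:05:00", "stamp-03", "upload-file", "p6", False),
    ("2012-11-20T10:06:00", "stamp-03", "upload-file", "p6", False),
    ("2012-11-20T10:07:00", "stamp-03", "upload-file", "p6", False),    # same probe, sustained
    ("2012-11-20T10:20:00", "stamp-02", "search-query", "p3", False),   # too late to join the earlier incident
]

# Constructed playbook of past resolutions, keyed by scenario.
PLAYBOOK = {"search-query": "restart query component; re-check crawl WFE health"}

WINDOW = timedelta(minutes=5)
MIN_DISTINCT_PROBES = 3   # independent probes agreeing rules out a probe-side fault
MIN_CONSECUTIVE = 3       # one probe failing repeatedly is sustained, not transient


def max_run(ids):
    """Length of the longest run of identical consecutive probe ids."""
    best = run = 0
    prev = None
    for pid in ids:
        run = run + 1 if pid == prev else 1
        best = max(best, run)
        prev = pid
    return best


def correlate(probes, window=WINDOW):
    """Return (anomaly_count, escalations).

    An anomaly is any failed probe. Anomalies for the same (stamp, scenario)
    are grouped into incidents that start with the first anomaly and take in
    anything within `window` of it; an incident escalates only when enough
    distinct probes agree or one probe fails consecutively."""
    anomalies = [p for p in probes if not p[4]]
    by_key = defaultdict(list)
    for ts, stamp, scenario, probe_id, _ in sorted(anomalies):
        by_key[(stamp, scenario)].append((datetime.fromisoformat(ts), probe_id))

    escalations = []
    for (stamp, scenario), events in by_key.items():
        incidents, current = [], []
        for when, probe_id in events:
            if current and when - current[0][0] > window:
                incidents.append(current)
                current = []
            current.append((when, probe_id))
        if current:
            incidents.append(current)
        for inc in incidents:
            distinct = {pid for _, pid in inc}
            if len(distinct) >= MIN_DISTINCT_PROBES or max_run(pid for _, pid in inc) >= MIN_CONSECUTIVE:
                escalations.append({
                    "stamp": stamp,
                    "scenario": scenario,
                    "first_seen": inc[0][0].isoformat(),
                    "anomalies": len(inc),
                    "known_resolution": PLAYBOOK.get(scenario),
                })
    return len(anomalies), escalations


if __name__ == "__main__":
    count, escalated = correlate(PROBES)
    print(f"{count} anomalies -> {len(escalated)} escalations")
    for e in escalated:
        print(e)
```

On the constructed data the eight anomalies collapse to two escalations: the search-query failures on stamp-02 (three probes agreeing, with a playbook hit) and the sustained upload-file failure on stamp-03. The lone stamp-01 blip and the late stamp-02 failure are left for automation to re-check rather than paged out.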
Zero Data Loss – The SharePoint Online Operations team spent some time talking about zero data loss. If you have ever read the SharePoint Online Service Descriptions, this directly correlates to RTO and RPO. RTO is Recovery Time Objective, which is the target time between when there is a disaster and when the service is running again. RPO is Recovery Point Objective, which is the time window of possible data loss that could occur during an unexpected event. The key words here are “disaster recovery”. The definitions are nice, but how is this actually achieved with SharePoint Online? They explained how they do it. If you are a SharePoint architect you know that this would be driven by SQL Server configuration. The SharePoint Online team stated that this is what they do today. When a document hits SharePoint Online:
  • The document is first stored in the content database associated with the site, so that is one place it is stored.
  • Second, all the SQL databases are using RAID 10, so there is an immediate duplication.
  • Third, there is synchronous SQL mirroring to a DR SQL server in the same data center, so that is 4 copies of the file.
  • Fourth, there is asynchronous log shipping from the primary cloud data center to the secondary data center. So that is roughly 4 additional copies of the file in the secondary data center.
  • Fifth, there are scheduled backups at the primary data center and then asynchronous replication of those backups to the secondary data center.
As many of you may know, getting that sort of SQL Server redundancy built and managed can be challenging for many organizations to handle; however, it is required for Microsoft to meet the RTO/RPO.

On top of all this, remember users have the Recycle Bin to recover items that they may have deleted. Note I re-checked the service descriptions and they state the Recycle Bin will keep deleted items for 30 days and backups are stored for 14 days. Also note that with SharePoint Online, the Recycle Bin can also be used to recover objects such as sites and even site collections (through tenant administration).
The Operations team stated that Disaster Recovery for them is a hot standby where data centers are always paired with each other. They adhere to an Active-Passive farm set-up with automated failover using DNS. They do tons of monitoring, testing, and production failover tests. They stated specifically that each data center is production and there is no such thing as one primary data center taking all the traffic while the secondary is just sitting there waiting. They ensure that all data centers are performing primary workloads, and if there ever is a disaster, they would just re-distribute that workload across the data centers. They stated that as part of this they demand resiliency at both the hardware and software layers. They also indicated that for SharePoint Online they have never really run into the situation where a whole data center has gone down. More realistic scenarios they run into are connectivity issues or something to that effect, where they will do a DNS flip and keep operations going.

Always Up to Date – Again, one of the biggest reasons why customers want to move to SharePoint Online is to ensure they are always up to date with the latest SharePoint software, and additionally with all the security and feature patching that is provided to ensure the best and most secure user experience is being delivered. The SharePoint Online Operations team discussed some of the change management and governance they implement to support this for their customers. They need to make sure that security patches, platform upgrades, escalation responses and the latest/greatest features are deployed.
Doing this across a large cloud environment requires a significant amount of automation, and they have built internal tools that orchestrate these changes. There is a Change Manager application that manages all the physical and virtual machines. The manager knows the state of every machine, its patch level and how it is being utilized, and has deep logic for knowing how to apply patches based on scenarios. Plus the VMs (where the SharePoint server roles for a SharePoint farm run) are not all located on the same physical servers. VMs are deployed across multiple physical machines and “availability groups” are created so that when a patch is run, it is executed by availability group to ensure there are no performance issues during patching. The Manager handles lock management across VMs and SharePoint farms, and they state they do patching roughly every two weeks worldwide, but this could be more often depending on the need.
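The availability-group idea is easy to state and easy to get wrong, so here is a worked version of the scheduling rule. This is example code added to my notes, not the Change Manager itself, and the farm inventory is constructed: each (farm, role) pair has its instances spread round-robin across the groups, so patching one group at a time never takes every instance of a redundant role offline. The plan also reports any role that cannot be protected by scheduling because it has only one instance, which is exactly the case an operator needs to see before the wave runs.

```python
"""Patch VMs by availability group so every SharePoint role in every farm keeps
at least one serving instance during each wave. Added illustration; not the
Change Manager described in the session."""
from collections import defaultdict

# Constructed inventory (not a real farm): vm name -> (farm, role)
INVENTORY = {
    "wfe-a1": ("farm-a", "wfe"), "wfe-a2": ("farm-a", "wfe"), "wfe-a3": ("farm-a", "wfe"),
    "app-a1": ("farm-a", "app"), "app-a2": ("farm-a", "app"),
    "sql-a1": ("farm-a", "sql"), "sql-a2": ("farm-a", "sql"),
    "wfe-b1": ("farm-b", "wfe"), "wfe-b2": ("farm-b", "wfe"),
    "app-b1": ("farm-b", "app"),   # single instance: scheduling cannot make it redundant
}


def build_availability_groups(inventory, groups=2):
    """Spread the instances of each (farm, role) round-robin across `groups`
    availability groups so no group holds all instances of a redundant role.
    Returns a list of sets of VM names, one set per group."""
    by_role = defaultdict(list)
    for vm, key in sorted(inventory.items()):
        by_role[key].append(vm)
    ags = [set() for _ in range(groups)]
    for key, vms in sorted(by_role.items()):
        for i, vm in enumerate(vms):
            ags[i % groups].add(vm)
    return ags


def unsafe_waves(inventory, ags):
    """Return {(farm, role): wave_index} for every role that would be fully
    offline during a wave, i.e. all of its instances sit in that one group."""
    problems = {}
    for idx, group in enumerate(ags):
        for key in set(inventory.values()):
            instances = {vm for vm, k in inventory.items() if k == key}
            if instances <= group:
                problems[key] = idx
    return problems


def patch_plan(inventory, groups=2):
    """Ordered patch waves, plus the roles for which an operator must
    explicitly accept downtime before the plan is allowed to run."""
    ags = build_availability_groups(inventory, groups)
    return [sorted(g) for g in ags], unsafe_waves(inventory, ags)


if __name__ == "__main__":
    waves, unsafe = patch_plan(INVENTORY)
    for i, wave in enumerate(waves):
        print(f"wave {i}: {', '.join(wave)}")
    print("roles with no redundancy during a wave:", unsafe)
```

With two groups the three farm-a WFEs land as two in wave 0 and one in wave 1, every two-instance role is split across the waves, and the single app server in farm-b is flagged rather than silently patched. Running the waves sequentially is what gives the lock management the text mentions: a farm is only ever touched by one wave at a time.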

The Operations team also noted that changes are not rolled out whenever they feel like it. There is a phased roll-out process including a change approval board which analyzes every proposed change. They have an automated, multi-step process across numerous environments in which they test these changes before ever going into production. The SharePoint Online Operations team even said “we eat our own dog food” by pushing all completely vetted patches into Microsoft Corporate’s SharePoint Online production tenant before they go to customers. SharePoint Online is highly utilized by Microsoft employees.

Secure and Compliant – The final goal they discussed was security and compliance.
  • First there was a good discussion on how they are fully patched 100% of the time. They have a team of security specialists (they joked, hackers) whose job it is to continually search and test for vulnerabilities.
  • Security by Design was something the team stressed. Role-based access is required at all times, regardless of the task or operation at hand. If there is an operation that must be done by a human, then there are secure consoles that are provided based on your role. Plus permissions are managed using an on-demand access model. They said almost no operations require admin access levels. They also stated the operations people do not need access to customer data to perform the tasks they need to complete. They need to work with system logs and such. If support needs to work with customer data, that would be done as part of a customer request. The goal is to be extremely respectful of customer data. They even discussed that for the US Government cloud, personnel must be US Citizens.
  • They also discussed something I talk about a lot: Office 365 support for compliance through audits (ISO 27001, EU Model Clauses, HIPAA, FISMA, etc.). This is the only way to scale, and Microsoft has demonstrated it adheres to most of them.
  • One last thing they discussed is that they take the approach of always assuming there could be a breach. This is basically to ensure that they are always proactive, checking, monitoring and improving. To assist them with this they actually have a Big Data solution (which is compliant with all our standards and scrubs out PII) that consumes log data so they can do proactive searching and security analysis. For instance, they said SharePoint Online today generates roughly 2TB of ULS logs per day (that is amazing). They scrub and then push this data into the system, and they can, for instance, search SharePoint correlation logs going back three or more years in less than a second.
All in all, this was a very impressive session to sit in, where the SharePoint Online Operations team shared with customers what they do to meet their SLAs.
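Two things in these notes come together nicely in one small example: the ULS parsing tool mentioned under Zero Downtime and the scrub-then-index pipeline mentioned here. What follows is example code I am adding, not Microsoft's internal tooling. It parses lines laid out in the ULS tab-separated format (Timestamp, Process, TID, Area, Category, EventID, Level, Message, Correlation), replaces user identifiers in the message with a keyed pseudonym before anything is stored, and indexes events by correlation id so a lookup is a dictionary hit. The log lines and the scrubbing key are constructed for the example; the pseudonym is derived from the account name alone, which assumes that DOMAIN\user and user@domain forms refer to the same account so the two can still be correlated without revealing who it is.

```python
"""Parse ULS-style log lines, scrub user identifiers before indexing, and look
events up by correlation id. Added illustration, not Microsoft's internal tool."""
import hashlib
import hmac
import re
from collections import defaultdict

ULS_FIELDS = ["timestamp", "process", "tid", "area", "category",
              "event_id", "level", "message", "correlation"]

# Constructed sample lines in the ULS tab-separated layout (not real logs).
SAMPLE_LINES = [
    "11/20/2012 10:01:20.45\tw3wp.exe (0x1A2B)\t0x0C3D\tSharePoint Foundation\tGeneral\t8nca\tMedium"
    "\tAccess denied for user CONTOSO\\alice on /sites/hr/review.docx\t3f2e1d0c-aaaa-bbbb-cccc-000000000001",
    "11/20/2012 10:01:20.47\tw3wp.exe (0x1A2B)\t0x0C3D\tSharePoint Foundation\tClaims Authentication\taf8e\tVerbose"
    "\tClaim resolved for alice@contoso.com\t3f2e1d0c-aaaa-bbbb-cccc-000000000001",
    "11/20/2012 10:01:21.10\tOWSTIMER.EXE (0x2222)\t0x0E10\tSharePoint Server Search\tCrawler\te5g1\tHigh"
    "\tCrawl of http://tenant/sites/hr completed\t3f2e1d0c-aaaa-bbbb-cccc-000000000002",
    "garbage line without tabs",
]

# Constructed scrubbing key; in a real pipeline this comes from a secret store,
# so the pseudonyms cannot be reversed by anyone who only sees the index.
SCRUB_KEY = b"constructed-demo-key"
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
DOMAIN_USER_RE = re.compile(r"\b[A-Z][A-Z0-9]+\\[A-Za-z0-9._-]+")


def pseudonymize(account, key=SCRUB_KEY):
    """Keyed hash of the account name: the same user correlates across events
    without the stored message exposing who it is."""
    digest = hmac.new(key, account.lower().encode(), hashlib.sha256).hexdigest()
    return "user:" + digest[:12]


def scrub(message):
    """Replace e-mail and DOMAIN\\user identifiers with pseudonyms."""
    message = EMAIL_RE.sub(lambda m: pseudonymize(m.group(0).split("@")[0]), message)
    return DOMAIN_USER_RE.sub(lambda m: pseudonymize(m.group(0).split("\\")[1]), message)


def parse_uls(line):
    """Return a field dict for a well-formed ULS line, None for anything else."""
    parts = line.rstrip("\n").split("\t")
    if len(parts) != len(ULS_FIELDS):
        return None
    event = dict(zip(ULS_FIELDS, (p.strip() for p in parts)))
    event["message"] = scrub(event["message"])   # scrub before the event is stored anywhere
    return event


def build_index(lines):
    """Index scrubbed events by correlation id; returns (index, dropped_line_count)."""
    index = defaultdict(list)
    dropped = 0
    for line in lines:
        event = parse_uls(line)
        if event is None:
            dropped += 1
            continue
        index[event["correlation"]].append(event)
    return index, dropped


if __name__ == "__main__":
    idx, bad = build_index(SAMPLE_LINES)
    print(f"indexed {sum(len(v) for v in idx.values())} events, dropped {bad} malformed line(s)")
    for ev in idx["3f2e1d0c-aaaa-bbbb-cccc-000000000001"]:
        print(ev["timestamp"], ev["area"], ev["level"], ev["message"])
```

The point of hashing rather than blanking the identifier is the third bullet above: an analyst chasing a correlation id across years of logs still sees that the same account appears in both the access-denied and the claims events, but the index itself never holds the name.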

1.4 Session on Building and Managing SharePoint Online
The second session I sat in on and took notes from was on how SharePoint Online is built and managed. In this session they discussed at length how SharePoint farms are provisioned.

Layers of Office 365 – They had a good discussion on how they logically break out the layers of Office 365.
  • Office 365 Portals – This is the sign-up experience and tenant administration services that allow customers to manage purchased services.
  • Office 365 Platform Services – This is made up of Commerce / Billing, Identity Platform, authentication, and DNS.
  • Office 365 Services – These are the services that you know and purchase today – SharePoint, Lync, Exchange and Office Web Apps.
The SharePoint Online team then discussed some of the components of Office 365. They noted that the SharePoint 2013 bits are the same bits that customers purchase and install on premise. The Service Fabric is made up of all the components that are needed to run the service. For instance, this is made up of several things such as deployment / environments, authentication, tenant administration, upgrade, high availability and production support management.

Layers of SharePoint Online – They then broke out the layers of SharePoint Online as being three core layers:
  • Physical – this is all the data centers, machines and physical networks that are used to support SharePoint Online.
  • Virtual Machines – they then discussed how Hyper-V was central to their delivery strategy. They also discussed how they break out units of scale by “networks”. Now the term network does not really mean what you normally think. Let’s come back to that a little later.
  • Services – they noted that every service that runs in SharePoint Online has a 1+ redundancy strategy. There are thousands of services that are running and everything must be integrated.
Topology – Next the SharePoint Online service team showed a topology of SharePoint in Office 365.
  • First they have a network. On that network they have a lot of common services that are available. For instance, such services include AD synchronization, provisioning services, SCOM, DNS, administration, back-up, etc.
  • Then within each network they create what they call a stamp. A stamp is a set of SharePoint farms that customers are brought into. First, within the stamp they have a SharePoint Federated Services farm. This was introduced in SharePoint 2010 as a way to create scaled-out services for such things as search, the managed metadata service, etc. The second farm in the stamp is the SharePoint farm itself, including all the WFEs, crawl WFEs, app servers, timer jobs, sandboxes, etc. They said this usually will be around 10 or more SharePoint servers. The third farm is a SQL Server farm. Finally there is a local Active Directory with accounts for the customers who have been provisioned to that stamp. Remember this could be a mixture of cloud-based IDs or federated IDs from on premise. Once a stamp is built, there will be a second identical stamp set up on the network. They stated that each one of these stamps could support roughly 100,000 users.
  • Third they discussed this component of Office 365 called the Grid Manager. This is the component of SharePoint Online that is responsible for basically running, coordinating and automating almost everything. Then there are other services such as the Global Directory, tenant administration, commerce backend, DNS, authentication, incident management, Azure services and CDN services.
Grid Manager – They then proceeded to discuss the Grid Manager at more length. Basically the Grid Manager is a solution that is in constant communication with all the stamps and networks of SharePoint Online. It does this communication through APIs, web services and PowerShell scripts. It does a significant amount of remote orchestration through scripts to really support this goal of complete automation. The Grid Manager stores the state information for all managed objects in all of SharePoint Online. It has hundreds of automated jobs to strategically manage all these objects.

Provisioning Process – The operations team then discussed at a high level how the Grid Manager would provision a new stamp. These are many of the same operations SharePoint administrators do, but here they are completely automated. For instance there are steps such as bringing in the standard VMs, deploying the local AD and SQL farms, creating the federated services farm, then the content management farm, then post-deployment patching of the VMs and SharePoint, etc.

Provisioning New Customers – The operations team then had another interesting discussion on how they provision customers based on the layered architecture they described earlier. They also gave some interesting stats: they onboard roughly 30K new tenants a week, with roughly 4K new tenants a day. They then discussed some of the rules that determine which network and stamp a customer is provisioned to. The Grid Manager basically has tons of factors that it evaluates as part of that, such as geography, capacity of existing farms, operational activities currently occurring within a stamp, tenant version (is it primarily a SP 2010 or 2013 farm), and dependency of services (for instance a government customer will go into a government network and stamps). Once that is done there is a whole other set of provisioning services that are responsible for setting up the initial site collections for the customer, creating DNS entries, creating user groups, etc. They even discussed how they have become pretty smart about pre-provisioning tenants in advance, which they can then just adjust as customers come into the service, to be even more efficient with delivery.
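To show how the placement factors listed above combine, here is a rule-based stamp selector. It is example code added to these notes, not the Grid Manager's logic, and the stamp inventory, regions and capacities are constructed. Geography, government isolation, farm version, in-flight operations and remaining capacity are hard constraints; among the stamps that pass, the least utilized one wins. The government rule is applied in both directions (a commercial tenant is never placed on a government stamp either), which is the isolation property that matters for the compliance story above, and a batch placer commits each tenant's seats so later placements see the reduced capacity.

```python
"""Rule-based stamp selection for a new tenant. Added illustration of the kind
of placement factors the session listed; not the Grid Manager's actual logic."""

# Constructed stamp inventory (not real). `capacity` and `used` are seats.
STAMPS = [
    {"name": "na-net1-s1", "region": "NA", "gov": False, "version": "2013",
     "capacity": 100_000, "used": 92_000, "maintenance": False},
    {"name": "na-net1-s2", "region": "NA", "gov": False, "version": "2013",
     "capacity": 100_000, "used": 40_000, "maintenance": False},
    {"name": "na-net2-s1", "region": "NA", "gov": False, "version": "2010",
     "capacity": 100_000, "used": 10_000, "maintenance": False},
    {"name": "na-gov1-s1", "region": "NA", "gov": True, "version": "2013",
     "capacity": 100_000, "used": 30_000, "maintenance": False},
    {"name": "eu-net1-s1", "region": "EU", "gov": False, "version": "2013",
     "capacity": 100_000, "used": 5_000, "maintenance": True},    # operations in flight
    {"name": "eu-net1-s2", "region": "EU", "gov": False, "version": "2013",
     "capacity": 100_000, "used": 70_000, "maintenance": False},
]


def eligible(stamp, tenant):
    """Hard constraints: geography, government isolation (both directions),
    farm version, no in-flight operations, and room for the tenant's seats."""
    return (stamp["region"] == tenant["region"]
            and stamp["gov"] == tenant["gov"]
            and stamp["version"] == tenant["version"]
            and not stamp["maintenance"]
            and stamp["capacity"] - stamp["used"] >= tenant["seats"])


def place_tenant(tenant, stamps=STAMPS):
    """Name of the least-utilized eligible stamp, or None when nothing qualifies."""
    candidates = [s for s in stamps if eligible(s, tenant)]
    if not candidates:
        return None
    return min(candidates, key=lambda s: s["used"] / s["capacity"])["name"]


def place_all(tenants, stamps=STAMPS):
    """Place tenants in order, committing each tenant's seats so later
    placements see the reduced capacity. Works on a copy of the inventory."""
    stamps = [dict(s) for s in stamps]
    placements = []
    for tenant in tenants:
        chosen = place_tenant(tenant, stamps)
        if chosen is not None:
            next(s for s in stamps if s["name"] == chosen)["used"] += tenant["seats"]
        placements.append((tenant["name"], chosen))
    return placements


if __name__ == "__main__":
    batch = [
        {"name": "contoso", "region": "NA", "gov": False, "version": "2013", "seats": 55_000},
        {"name": "fabrikam", "region": "NA", "gov": False, "version": "2013", "seats": 5_000},
        {"name": "agency", "region": "NA", "gov": True, "version": "2013", "seats": 5_000},
        {"name": "eu-agency", "region": "EU", "gov": True, "version": "2013", "seats": 100},
    ]
    for name, stamp in place_all(batch):
        print(f"{name} -> {stamp}")
```

In the constructed batch, the first NA tenant fills na-net1-s2 far enough that the second one lands on na-net1-s1 instead, the government tenant goes only to the government stamp, and the EU government tenant gets None because no EU government stamp exists, which is the right answer: a placement engine should refuse rather than fall back to a stamp that violates a dependency.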

Upgrades – The operations team had a very interesting discussion on this, but my next blog will be focused on that with notes I captured from another session. I will post a link here once I have that done.

1.5 Conclusions
You can draw a ton of conclusions from this. The point everyone should take away is that building this on your own, even if it is nowhere near as automated as SharePoint Online, is a major task for many organizations to take on. Why? Organizations are in the business of providing goods and services. Even though organizations create IT groups in support of their mission, it is really hard to justify this sort of level of automation and management for an organization that may have just a 12-server farm on-premise. The value of SharePoint Online is that your business can focus IT resources on building solutions versus running them.

1.6 Additional References
There is more information available if you read the service descriptions. In this case read the SharePoint Online, Security and Continuity, and Support Service Descriptions and you will see how all this information plays into supporting them.
http://www.microsoft.com/en-us/download/details.aspx?id=13602

Monday, October 29, 2012

Office 365 for Enterprise Service Description Updates

The Office 365 Services Descriptions have been updated in October 2012 - http://www.microsoft.com/en-us/download/details.aspx?id=13602
If you want to get further details of the changes since you last read them, please read this - http://community.office365.com/en-us/wikis/office_365_service_updates/974.aspx
Some you should be aware of are:
  • New Office Web Apps features in SharePoint are being released!
  • Dirsync Scoping and Filtering is now supported – this is great, so you do not have to sync up your entire directory.
  • There is new interop to work with third-party identity solutions (or STS servers).
  • New PDF viewing through the browser.
There are a few other things as well. I highly recommend adding an RSS feed to this wiki page.

Thursday, October 18, 2012

Office 365 Dedicated Service Descriptions Updated - October 2012

The Office 365 Dedicated Service Descriptions have all been updated for October 2012 - http://www.microsoft.com/en-us/download/details.aspx?displaylang=en&id=18128
The What’s New document nets out all of the latest changes. Some highlights are:
  • Personal Archiving for email is now available in Dedicated, giving each end user 100 GB of storage on top of their primary mailbox.
  • WAN accelerator support.
  • Note – content migrations for SharePoint Online have changed.
  • There are some additional new Lync Online capabilities around reporting, archiving, devices and voice.

Monday, October 1, 2012

SharePoint 2013 Training Videos

Are you a SharePoint professional trying to get a jump start on SharePoint 2013? If so, here are two links to a ton of videos on SharePoint 2013 to jumpstart you. I have been working my way through the material and it is really good. It covers architecture changes, new features, new development practices, new infrastructure / deployment, etc.

Wednesday, September 26, 2012

Happy 5 Years

Holy smokes – I just noticed we need to celebrate that I have been running this blog for 5 years now. I am ashamed to say that in July of this year, I actually missed a month. How did that happen? Well, it is summer time, and July 2012 was one of the busiest months I have ever had with work. Well, with all the new SharePoint products to be released in the next couple of months, I will have more than enough stuff to do to make up for it. Happy trails….

SharePoint 2013 Technical Diagrams Notes

Introduction

SharePoint 2013 Preview Technical Diagrams are now available here - http://technet.microsoft.com/en-us/library/cc263199(v=office.15).aspx

Ever since SharePoint 2007 started publishing these technical diagrams, I have recommended that architects become very familiar with them. I always start here when trying to understand a new major product release for SharePoint. If you search my blog, you will see that I have directly referenced these diagrams when building SharePoint strategies for customers.

The following is a high-level review of the new architecture changes available with SharePoint 2013.

Corporate Portal Diagrams

I reviewed the two new Corporate Portal Diagrams for SharePoint 2013. From a logical architecture perspective, these diagrams do not have any major changes from the SharePoint 2010 versions. These diagrams accurately capture how organizations should build web applications, site collections, application pools, SharePoint services, etc. to support major business initiatives. The diagrams are still a must read for people who are new or who need a refresher to understand how they should be segregating content and business functions across SharePoint.

Extranet Diagram

The new diagram for SharePoint 2013 extranet architecture closely resembles the corporate portal diagrams; however, it is not very revealing about the type of information organizations need when making a decision on how to deploy an extranet. Looking back at the SharePoint 2010 Extranet Topologies diagram (http://technet.microsoft.com/en-us/library/cc263199.aspx), I find that diagram to be much more helpful, and the information contained there still holds true with SharePoint 2013. I would recommend reviewing both of them together.

Services in SharePoint 2013 Diagram

I admit this has always been one of my favorite diagrams. When it was released in SharePoint 2010, it captured a fundamental change in how SharePoint services are configured and delivered. This new architecture was created to support Microsoft’s ability to deliver SharePoint Online as a SaaS solution.

I reviewed this diagram and nothing has significantly changed in regards to sharing services across farms, the logical architecture of services, service groups and service deployment.

In the services table there are a few new services that have been added.

  • Access Services – Do not be confused by this. Yes, there was Access Services in SharePoint 2010. At this early point, I know that Access Services for SharePoint 2013 has been changed to be more focused on utilizing the new App Architecture. As such, Access Services for SharePoint 2013 is pretty different. Access Services solutions created in SharePoint 2010 will still be supported moving forward; however, they will run in a different service.
  • App Management Services - This is a new service that will be used specifically for supporting the new internal catalog or the public SharePoint Store. Remember that in SharePoint 2013, everything is an app; EVERYTHING. Even everyday SharePoint lists are now called an app. Once you get over the name change, you will find it makes complete sense, and Microsoft has just aligned what it does with how business users talk about technology.
  • Machine Translation Service – This is a new one and, as of right now, I do not have much information on the purpose of this service other than the description, which says it performs automated machine translation.
  • Work Management Services – This service provides task aggregation across management systems including SharePoint, Exchange and Project Server. This is huge from a user perspective. One single place to see all of your tasks. No more building content query web parts to find all tasks; this effectively does this, plus goes outside the SharePoint boundary to find more tasks. This is a very exciting service.
  • Office Web App Services – This is called out here as a service that no longer runs inside of SharePoint Server. Why? Microsoft’s strategy is to provide the Office Web Apps service to other enterprise applications than just SharePoint, and it strategically made sense to move it out of SharePoint.

In the rest of this diagram there are architecture diagrams for how to architect service groups across farms, none of which have changed from SharePoint 2010. If you are not familiar with this stuff, this is a must read and I recommend reading my old posting on it here.

Mobile Architecture Diagram

There is a brand new mobile architecture diagram provided, and obviously this is driven by Microsoft’s focus on being a “services and devices” company. This is a pretty simple architecture that basically describes some things you need to think about if you are going to support mobile for your users, and discusses some of the mobile capabilities. This can serve as a launch point for you to begin to dive deeper into how you will support mobile for your organization. The following are some high-level observations I had when reading this the first time:

Extranet – If you are not thinking extranet, you need to, so your mobile users can access content when they are on a mobile device. They have some diagrams which will get you started thinking about it, and additionally how you can use Unified Access Gateway (UAG) as a reverse proxy to help with that.

Mobile Device Management (MDM) – One interesting thing brought up in this diagram is how you manage mobile devices. If you need something simple, you can leverage Exchange ActiveSync for remote device wipe, password enforcement, etc. If you are looking for application-level MDM there are additional solutions out in the marketplace today that provide even more capabilities.

Application Architecture – The new SharePoint 2013 mobile architecture is introduced. They break it down basically into two logical layers: mobile and SharePoint. Some key points are:

  • Automatic Mobile Browser Redirection – Is a new capability that can be used to optimize the mobile experience based on the connecting device. This Feature must be active on the site and will be activated by default on numerous site templates. First there is the Classic View which is used to provide backwards capability to mobile devices and will have a SharePoint 2010 mobile browser experience. Then there is the Contemporary View which is geared to support HTML5 browsers. The Contemporary View is several enhanced features for navigation of SharePoint sites. Additionally, Full Site View is available so the SharePoint site page can be viewed as if it were on a desktop browser or a tablet device.
  • Office Hub for Windows Phone – This is an application for Windows Phone devices that provides enhanced capabilities to access SharePoint content from multiple places in one spot. It also leverages mobile Office.
  • Location – There is a new geolocation field type that is available in a SharePoint list. This can make a list location aware by capturing latitude and longitude, which can be used with map applications. For instance, if a user enters data on their mobile device, it will capture where it was done from, and that can then be displayed on a map. Here is some more information about this - http://technet.microsoft.com/en-us/library/fp161355(v=office.15).aspx
  • Push Notifications – There is a new capability to allow notifications to be sent from a SharePoint site to registered applications running on a mobile device. The nice thing about this is that Windows Phone Apps can receive notifications without having to poll. Here is some additional reading on the topic - http://msdn.microsoft.com/en-us/library/jj163784(v=office.15).aspx
  • Device Channels – This is a really important new capability, as device channels allow you to deliver a publishing site geared specifically to different types of remote devices. Basically the site can be mapped to multiple master pages and style sheets, and you can even control what content you want to make available to specific devices. Here is an overview of the new device channels - http://technet.microsoft.com/en-us/library/fp161351(v=office.15).aspx
  • Office Web Apps – As mentioned earlier in this posting, Office Web Apps is now a separate standalone server which does not run inside of the SharePoint boundary. Office Web Apps has been improved a lot to support mobile devices. There are Word, Excel and PowerPoint Mobile Viewers.

SharePoint 2013 Upgrade Process Diagrams

There are two upgrade diagrams that have been provided. Here are some high points I walked away with:

  • Must be on SharePoint 2010 – To upgrade, you must be on SharePoint 2010 technologies. This means if you are on SharePoint 2003 or 2007, you will first need to upgrade to SharePoint 2010 to get to SharePoint 2013. There are Microsoft migration partners that have solutions to assist with this. I have seen many times that this is the big value proposition for using SharePoint Online, as this is handled for customers.
  • Database Attach Upgrade – This is the only supported method for upgrading. There is no more "in-place" upgrade option. Frankly that is fine, because most customers went the database-attach route anyway.
  • Preparation – Much of the preparation activity that we have discussed in the past with SharePoint 2010 holds true with SharePoint 2013. There is a bunch of information you are responsible for gathering.
  • Manual Configuration Settings – In the preparation phase it is recommended to get an understanding of all the custom configurations you may have made, because not all of them are going to be migrated. This is because not all databases are upgraded; in particular, the old farm's configuration database is not carried over. So many custom configurations in Central Administration such as alternate access mappings, timer job tweaks, managed paths, incoming/outgoing email settings, certificates, etc. will need to be documented and reconfigured in the new farm.
  • Databases That Can Be Upgraded – There is a set of databases that can be upgraded. They are Content, BDC, Managed Metadata, PerformancePoint, Secure Store, Search and User Profile databases.
  • Customizations – This is an important task that needs to be completed. I have seen many cases where good software organizations have not implemented a strong configuration management process, and the result is that an organization may not know about all the customized code that may be implemented. There are numerous ways to find all of it by running PowerShell commands, doing system directory diffs, checking web.config, etc.
  • Upgrade Health Checks – There are some new features available to site collection administrators that will show you a health check of a site collection before actually upgrading it.
  • Evaluation Site Collection – Site collection administrators also have the ability to request that the site collection be copied into a new site collection to evaluate how the upgrade will affect any customizations they may have. This is helpful so you can remediate issues before you actually perform the upgrade. This is also nice because your site collection will run in SharePoint 2010 mode until you are ready to actually upgrade it.
  • Testing – Just like for SharePoint 2010, the best way to prepare for a migration is to build up your new SP 2013 farm and then do multiple practice runs of the upgrade before the real cutover into the new production environment. An entire process is defined in one of the diagrams and is a great place to start.
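The bullets above are one procedure, so here is the whole thing as one PowerShell run. This is an added example, not from the conference diagrams: the inventory part runs on the SharePoint 2010 farm and captures the configuration-database settings and customizations that database-attach will not carry over; the test, mount and per-site-collection upgrade part runs on the SharePoint 2013 farm. All names (output path, database, SQL instance, web application URL) are assumptions.

```powershell
# Added example, not the conference material. Paths, database, server and URL
# names are assumptions. Part 1 runs on the 2010 farm, parts 2-4 on the 2013 farm.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# --- 1. Inventory the old farm so nothing is silently lost --------------------
$out = "C:\UpgradeInventory"   # assumed output folder
New-Item -ItemType Directory -Path $out -Force | Out-Null

# Farm solutions (WSPs) and whether they drop assemblies in the GAC (full trust).
Get-SPSolution |
    Select-Object Name, Deployed, ContainsGlobalAssembly, ContainsWebApplicationResource, DeployedServers |
    Export-Csv "$out\solutions.csv" -NoTypeInformation

# Every feature definition; custom ones carry a non-empty SolutionId.
Get-SPFeature -Limit All |
    Select-Object DisplayName, Id, Scope, SolutionId, Hidden |
    Export-Csv "$out\features.csv" -NoTypeInformation

# Settings that live only in the configuration database and must be re-created.
Get-SPAlternateURL | Select-Object IncomingUrl, Zone, PublicUrl |
    Export-Csv "$out\alternate-access-mappings.csv" -NoTypeInformation
Get-SPWebApplication | ForEach-Object {
    $wa = $_
    Get-SPManagedPath -WebApplication $wa |
        Select-Object @{n='WebApp';e={$wa.Url}}, Name, Type
} | Export-Csv "$out\managed-paths.csv" -NoTypeInformation
Get-SPTimerJob | Select-Object Name, Schedule, IsDisabled |
    Export-Csv "$out\timer-jobs.csv" -NoTypeInformation

# --- 2. On the 2013 farm: test the restored content database before attaching --
$dbName   = "WSS_Content_Intranet"            # assumed
$dbServer = "SQL2013\SharePoint"              # assumed
$webApp   = "http://intranet2013.contoso.com" # assumed (web application exists)

$issues = Test-SPContentDatabase -Name $dbName -DatabaseServer $dbServer -WebApplication $webApp
$issues | Export-Csv "$out\test-$dbName.csv" -NoTypeInformation
$blocking = $issues | Where-Object { $_.UpgradeBlocking }
if ($blocking) {
    $blocking | Format-List Category, Message, Remedy
    throw "Upgrade-blocking issues found in $dbName; fix them before mounting."
}

# --- 3. Attach. The schema upgrades, but site collections stay in 2010 mode -----
Mount-SPContentDatabase -Name $dbName -DatabaseServer $dbServer -WebApplication $webApp

# --- 4. Per site collection: health check, then evaluation copy or real upgrade -
Get-SPSite -ContentDatabase $dbName -Limit All | ForEach-Object {
    $site   = $_
    $health = Test-SPSite -Identity $site   # same rules the UI health check runs
    if ($health.FailedErrorRules -gt 0) {
        Write-Warning "$($site.Url): $($health.FailedErrorRules) failed rule(s); requesting evaluation site"
        Request-SPUpgradeEvaluationSite -Identity $site
    } else {
        Upgrade-SPSite -Identity $site -VersionUpgrade
    }
}
```

The `solutions.csv` output is the one the security team will care about: anything with `ContainsGlobalAssembly` set to True is full-trust code that has to be rebuilt for 2013 and re-reviewed, and it is exactly the kind of thing the new app model (below in this post) is meant to push out of the farm.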

SharePoint 2013 Search Diagrams

If you are a reader of my blog, I wrote some long postings about the search architecture for both SharePoint 2010 Search (here) and FAST for SharePoint 2010 (here). I am not going to do a deep dive into all the search components and roles because they are basically covered there. As many people now know, the FAST search engine is now the core search engine for SharePoint. It will just be referred to as SharePoint Search. Now you will be able to leverage a very powerful search engine out of the box. However, many of the advanced enterprise features of search will only be available in the SharePoint Enterprise edition. I am also really excited about this for SharePoint Online because it can leverage FAST too. SharePoint Online will not be able to do enterprise search of line-of-business systems, but a search farm (which is FAST under the hood) can be configured on premises and SharePoint Online can invoke that search and provide the search results in the cloud; pretty exciting.

I highly recommend taking the time to review both of these diagrams. They explain how each of the components interacts with the others. Additionally, there is a diagram that goes into how to scale the server farms for the amount of content you will need to index. There is a great new table in there that shows you how scaling will work. To be honest, the folks who are really serious about search will say it is an art, and a table does not always communicate how you will do it. It always comes down to how many items, the types of data sources, custom transformations, query latency, index latency, etc.

SharePoint 2013 App Overview Diagram

This is an area I plan to do a lot more exploration of this coming year, and a lot more writing on this blog. Why? This is something we have been waiting for a long time with SharePoint development. There are several ways to look at this. SharePoint Features, which we have been writing for years, are Apps. This is a name change to better communicate our technology to the end users who have to use SharePoint. However, the new SharePoint App architecture is way more than that.

I have seen so many things over the years.

  • I think one of the biggest challenges people would run into is developing great SharePoint solutions only to find out they incorporated some dependency they should not have, they wrote some high-end code that should not be running in the SharePoint layer, they cannot leverage their solution outside the SharePoint boundary, etc. We want to resolve those problems by helping developers deploy solutions in a way that will keep their SharePoint environment nimble.
  • Plus we want to provide third-party vendors quicker access to customers. We want to help customers quickly acquire third-party solutions.
  • Additionally, we want to allow customers to leverage commodity-based SharePoint Online. As you may know, SharePoint Online has restrictions on high-end custom development, and if that code were to run in another location while being highly integrated with SharePoint Online, that is a huge win.

I will think of many more reasons this year why this is so great.

Now we can achieve this through the new SharePoint App architecture. The old SharePoint Solution architecture, where you create a WSP, is still around. Nothing has changed there. It is used to create deployment packages and in many cases is used to deploy code that requires full trust. SharePoint Solution packages will continue to be used by third-party vendors or developed internally with tools such as Visual Studio. You can still create Sandboxed Solutions, which run in a restricted runtime and can be deployed in SharePoint Online.

The new Apps framework for SharePoint 2013 packages everything into a file with the .app extension. It is composed of many of the same types of files: an AppManifest.xml, an embedded Solution.wsp, etc. Once an app is loaded into SharePoint, it is accessible through the App Catalog in SharePoint. This App Catalog can be controlled at an organizational level.

Remember the big point with Apps is that the custom solution you are writing may or may not actually run in SharePoint. Full trust code is not supported. Your custom solution code may run in a different SharePoint farm, on an IIS server as ASP.NET pages, as ASP.NET pages running in Windows Azure, etc. So how does SharePoint access these solutions running outside the SharePoint context? In simple terms, the external solution is surfaced through an IFrame (with some extensions). OAuth provides the secure connection for accessing SharePoint objects from a remote location, so the remote code acts under an app identity with explicitly granted permissions rather than under the farm account. We will additionally use a new, extended and robust event model and the remote client libraries for SharePoint to write integrated, remote code.

Why is this so great? We are going to ensure that custom applications and solutions being developed with SharePoint are isolated. No more writing a bunch of code and services that should not be running on SharePoint servers. It is great that you can do whatever you want with SharePoint; however, this will drive solution management.

So you may be asking where does this get deployed? There are many different options for hosting.

  • SharePoint Hosted – This means the app and all its resources run in SharePoint. Remember server-side code is not supported; however, you can write applications with SharePoint's JavaScript libraries and such.
  • Windows Azure Autohosted – This is a model that is only supported in SharePoint Online. In this case you can write an App package that has code for Windows Azure and SQL Azure embedded in it. When the application is deployed, the Azure solution is automatically deployed for you. You do not have to go to Azure and set anything up at all; it is all handled for you behind the scenes.
  • Provider-Hosted – This is the third model where custom code and solutions are hosted in a separate server in your organization, hosted in Azure, hosted in different SharePoint servers, etc.

Once an App package is installed, it can be managed and monitored through the catalog. End users have the ability to select an app to run in their sites (much in the same way as turning on a Feature). If and when an app is updated, the user can decide how they want to upgrade to the new app.
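The OAuth piece above is where the security work happens for a provider-hosted app on an on-premises farm: the remote code gets an app principal, and that principal gets only the rights it needs. As an added example (not from the conference material or any product documentation), here is that registration done in PowerShell, followed by a listing of what is installed in the web. The site URL, client ID (a constructed GUID) and display name are assumptions; in practice the client ID comes from AppRegNew.aspx or the Seller Dashboard.

```powershell
# Added example, not the author's code. Site URL, client ID and display name are
# assumptions; the client ID here is a constructed GUID for illustration.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$siteUrl  = "http://intranet2013.contoso.com/sites/sales"   # assumed
$clientId = "5b2a1f0c-9d77-4c8e-8b1a-2f6e4a3c9d10"          # assumed (constructed)
$appName  = "Contoso Order Lookup (provider-hosted)"        # assumed

$web  = Get-SPWeb $siteUrl
$site = $web.Site

# The app principal's name identifier is "<clientId>@<realm>". The realm is the
# farm's authentication realm, which is what the OAuth access tokens are scoped to.
$realm          = Get-SPAuthenticationRealm -ServiceContext $site
$nameIdentifier = "$clientId@$realm"

# Register the principal once; re-running the script should not create duplicates.
$principal = Get-SPAppPrincipal -Site $web -NameIdentifier $nameIdentifier -ErrorAction SilentlyContinue
if (-not $principal) {
    $principal = Register-SPAppPrincipal -NameIdentifier $nameIdentifier -Site $web -DisplayName $appName
}

# Least privilege: Read at the web ("Site") scope only. Widen to SiteCollection
# or raise to Write/Manage/FullControl only if the app's manifest actually asks
# for it and someone has reviewed why.
Set-SPAppPrincipalPermission -Site $web -AppPrincipal $principal -Scope Site -Right Read

# Review what is installed in this web and which principal each instance runs as.
Get-SPAppInstance -Web $web |
    Select-Object Title, Status, AppPrincipalId, AppWebFullUrl

$web.Dispose()
```

The listing at the end is the periodic check worth keeping: an app instance whose `AppPrincipalId` you do not recognize, or a principal granted FullControl at SiteCollection scope "just to make it work", is the new-model equivalent of the full-trust WSP nobody documented.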

Again, I really plan to go much deeper on this in my blog, but for right now these are just some introductory notes and ramblings on how excited I am about this new capability.

Back Up and Recovery Diagram

There is a new diagram that goes into the details of doing your own backup and recovery for SharePoint 2013. I know many people have become accustomed to using third-party vendors for these operations, and I still believe these vendors will continue to provide features above and beyond what is out of the box. However, if you are a do-it-yourself sort of person, this is a great diagram to review.

Not much has changed with regard to developing backup procedures for both the SQL Servers and the SharePoint Servers. There are tons of scenarios covered in here, and I recommend reading it if this is important to you.

SharePoint 2013 Database Diagram

Finally, the database server diagram has been updated. This is a really important diagram to review if you are managing on-premises servers. It goes over all the SharePoint databases, plus provides sizing and scaling guidance. Great information.

Thursday, September 13, 2012

Updates on Gartner Reports for Exchange and Lync Online

There are some new updates to Gartner reports associated to Office 365 - http://www.microsoft.com/en-us/news/itanalyst/default.aspx
Exchange Online
For Exchange Online there are two new reports:
In both reports Microsoft is the leader in providing cloud based email services with Exchange Online.
Lync Online
Here is the new Magic Quadrant for Unified Communications released in August 2012 - http://www.gartner.com/technology/reprints.do?id=1-1BUINJX&ct=120828&st=sb
As you will see Lync Online continues to be a market leader for providing cloud based services.

Saturday, September 1, 2012

SharePoint Online Hybrid Whitepaper Updated

I am excited to see that my colleague finished a bunch of updates to the Hybrid SharePoint Environments with Office 365 whitepaper located here. I provided feedback and direction based on some of my writings (read here). This whitepaper is a must read for organizations who have mature SharePoint implementations and who want to significantly reduce their operational cost by leveraging SharePoint workloads delivered through the cloud. This whitepaper is focused on SharePoint 2010 at the moment.

SharePoint Managed Metadata Service Whitepaper

I just recently read a pretty good whitepaper by BA Insights on the Managed Metadata Service here. It has a really good discussion on how the Managed Metadata Service can be used to improve your search experience within SharePoint 2010.

Wednesday, August 15, 2012

Office 365 and Office 2013 Preview

As many of you know, Office 2013 Preview is available in Office 365. You have the ability to create your own free tenant to start playing with Office 365 with the Office 2013 Preview software. You can create one here.
Additionally, if you would like a high-level overview of some of the new features and capabilities that are available in the preview, I recommend that you review these short high-level articles about many of the new capabilities.

Office 365 ADFS Whitepaper

I have had a few customers ask me recently about low-level details of how authentication works for Office 365 and Active Directory Federation Services (AD FS). There is a great whitepaper located here that I highly recommend you read - http://www.microsoft.com/en-us/download/details.aspx?id=28971
I recommend reviewing sections:
  • Section 5.2 covers Web Client for SharePoint/OWA authentication flow.
  • Section 5.3 covers the Lync authentication flow.
  • Section 5.4 covers the Outlook authentication flow.
All are a little different because clients are either active or passive, which determines how the claim ultimately gets sent to Office 365.

Friday, June 29, 2012

SharePoint Templates for Government

Microsoft Government SharePoint Templates for On-Premise or Online are now available at www.microsoft.com/GovernmentSharepoint
Why should you care? This is a great way to help your organization get more value from Microsoft technologies and see more possibilities with SharePoint.
  • Providing your organization a starting place to see the possibilities with SharePoint, a great solutions platform.
  • Jumpstart your organization to use SharePoint for more than just document libraries by identifying a couple templates that they might find useful.
  • This offers examples of great out-of-the-box capabilities to compose end to end business solutions. Many templates are designed for SharePoint 2010 AND SharePoint Online!

Monday, June 25, 2012

Microsoft Purchases Yammer

Today we had a major announcement for Office 365 and SharePoint which I am very excited about. Microsoft announced that we have reached a definitive agreement to buy Yammer, a leading provider of enterprise social networks.
Why am I excited about this?
I think we have a great partner portal and social computing solutions in SharePoint Online today; however, the addition of Yammer makes our story even stronger and more resilient. Yammer is a best-in-class enterprise social networking solution, and Microsoft plans to utilize Yammer with SharePoint, Office 365, Dynamics and Skype. Microsoft has stated it does not plan to disrupt Yammer's current business, and there will be a focus on bringing the Yammer services into the products I just mentioned.
It is my job to talk with customers about all of our Office 365 services and I had several customer conversations this year where having a solution like Yammer would have been very helpful.
With Yammer, you have a simple, clean, direct user experience where group workspaces and collaboration areas can be quickly created with tons of business social solutions such as profiles, organization charts, praise, question, messaging, feeds, announcements, member directories, expertise management, leaderboards, events, polls, shared group areas, content collaboration, and tons of additional solutions.

Friday, June 15, 2012

SharePoint Online Partner Access

Introduction
I have to say that Partner Access is probably one of the best kept secrets for SharePoint Online in Office 365. Additionally, for customers who have SharePoint and want to extend it to people outside of their organization, SharePoint Online provides a unique solution for partner access which is different than on-premises. I can honestly see scenarios, with financial justification, where organizations may keep portions of their SharePoint implementation on-premises while moving completely over to SharePoint Online just to support extranets. I still believe that a majority of SharePoint workloads can be moved to the cloud (as I captured in this blog), but partner access is something that many organizations want to do.
Some of the most common reasons why I have seen requests for Extranets/Partner Portals with SharePoint are:
  • Support Business-to-Business and/or Business-to-Customer initiatives
  • Personnel who travel or are in the field
  • Geographically dispersed teams
  • Employees/Partners Teleworking both connected and disconnected
  • Support real time unified communications
  • Secure and centralized communications with external entities
This typically translates into the following:
  • Extranet Site for Partner Organization - Dedicate site with features driven specifically to facilitate better coordination with partners.
  • Tactical Partner Site - There is an immediate need for collaboration area to support a business activity with external people to the organization.
  • Community of Interest - There is a need to provide focused support, collaboration and knowledge sharing for a target group of organizations and individuals.
  • Partner/Customer Support - Need the ability to interact with partners, customers or constituents in a secure environment.
  • Etc.
Challenges with Extranet Deployments
First I want to say that SharePoint Extranet solutions can be implemented very efficiently and securely; however, there are a lot of hurdles that organizations must overcome. In many cases they are not even technical. Here are some of the most common:
  • Infrastructure and Deployment - Managing an extranet environment requires a lot of security and configuration management best practices. This is mostly because you are now deploying SharePoint into the DMZ so it can be accessed from the outside. I have seen organizations punch holes through the firewalls, which in turn require new security configurations and controls.
  • Ease of Management - Organizations are challenged to have an environment that they can quickly use with a partner in time of need.
  • Agility, Scalability and Service Level Agreements - The deploying organization is responsible for building an environment that scales to changing business requirements. Provisioning and maintaining an environment that is highly available can be expensive. Additionally, the environment may need to be globally available.
  • Access and Security Management - Managing access control so that individuals only have access to the extranet is important. In some cases, organizations use Active Directory to give external users access, which requires a lot of new security controls to be put in place. None of these controls have anything to do with SharePoint. For instance, new security policies need to be put in place to ensure that external partners have their accounts removed when they no longer need access.
Extranet Architectures
There are some very common solution architectures for implementing SharePoint Extranets on-premise. Here is a great reference that you should read – http://technet.microsoft.com/en-us/library/hh204611.aspx. I highly recommend reading the topologies diagram. I am not going to go into the pros/cons of each ones of these architectures as they have been pretty well documented.
Below is what is referred to as an Edge Firewall where direct access is provided from the Internet.
image
This is what is called a Back-to-Back Perimeter, which basically means standing up the entire SharePoint farm in the DMZ.
image
Finally, another popular topology, called Split Back-to-Back, deploys some servers in the DMZ while other server roles remain inside the internal network. This is commonplace when SQL is not deployed in the DMZ.
image
Benefits of the SharePoint Online Partner Sites
This approach literally changes the way we implement a solution to work with Partner Sites. The benefits of using SharePoint Online for Partner Sites are immense.
  1. Highly available, scalable and accessible architecture – No more having to build and manage highly available SharePoint environments as you can rely on the cloud to provide it to you and your partners.
  2. No more AD Accounts for Partner Users – I know perfectly well that SharePoint supports Forms Based Authentication (FBA), LDAP directories, etc., but all too often I have seen organizations just use their AD, which gets the security team nervous when there is no plan in place to manage these accounts. With SharePoint Online we have the ability to use Partner Accounts (explained in the next section).
  3. Immediately provision new secure sites – It is really quick and easy to set up a partner site as I am about to show you. Instead of spending weeks standing up a new SharePoint Extranet farm, an Office 365 tenant can be purchased and Partner Sites can be stood up in minutes.
  4. No software and hardware in the DMZ – This is a huge plus for the security team as you just made their lives easier. Plus external users never come into the organization, they always go to Office 365.
What are SharePoint Online Partner Accounts?
You may be wondering what SharePoint Online Partner Accounts are. A SharePoint Online Partner Account is a solution for Office 365 whereby a user can use a Windows Live ID to authenticate themselves to your SharePoint Online tenant. For example, if the person's email address is smith@xyzcompany.com, all they need to do is register that email with Windows Live and create a password that they know. Then all you need to do is invite smith@xyzcompany.com to a SharePoint site, and they will use their own email address and password to authenticate to SharePoint Online.
No more managing external accounts in any type of directory services solution (AD, FBA, etc.). All you do is control what the user is authorized to do with SharePoint permissions. Authentication is the partner's problem; authorization, and removing the user when the engagement ends, is still yours.
Creating a Partner Site in Three Steps
The steps for creating a partner site are extremely simple.
Step 1 - Allow external users
First we need to go into the SharePoint Online administration center and allow SharePoint Online to have external users. You do this by going to the ribbon and selecting Manage External Users.
image
Then in the prompt, change the selection value to Allow.
image
Step 2 – Create a New Site Collection
Next we need to create a site collection for our partners.
image
Then once the new site collection has been created, I select it and in the Ribbon I select “Add Support Partners”.
image
Then in the prompt I selected the company site administrator.
image
Step 3 – Activate External User Invitation Feature
This is one step which could use some automation, as it is a common step that people miss. If you think you are ready to start adding partner accounts, hold up. To add an external user you will use the Share Site button in the Site Actions menu.
image
However when you go here, and try to add an external user by typing in an email address that is not in your domain, you will receive an error.
image
To resolve this, you must go to Site Collection Administration, go to Site Collection Features and activate the External User Invitations feature.
image
Now when you go to Site Actions >> Share Site you will notice that this screen has changed. You will now be able to type in an email address from another domain and invite that user to the SharePoint site.
image
Steps for Inviting a User
The steps for inviting a user are extremely simple.
Step 1 – The Invitation
First, in the Share Site prompt, type in the email address of someone you would like to invite.
image
You will receive a confirmation that it has been sent.
image
Step 2 – Confirm the Invitation
Note – if you are doing this for internal testing, close all browsers before continuing and you may need to delete your internet cache because you will be logging in with a different account.
The invitee will receive an email like the following. In this case it went to my Yahoo email address. The invitee just needs to press the accept button.
image
The invitee will be taken to this screen, where they will need to log in. The invitee will need to click on the Windows Live Hotmail link on the left. This will take them to a page to sign in with their Windows Live ID, which is tied to the email address I invited.
Note – if the user accidentally clicks on the Microsoft Online Services ID link instead, the login screen they land on has a link that will take them to the correct Windows Live ID sign-in page.
image
On this screen the invitee must enter their email address. This should be the email address that was invited.
image
Now the user will be brought into SharePoint Partner site using their Windows Live ID.
image
Step 3 – Administration (Optional)
To administer this external user, you just go to the SharePoint group that was assigned to the user when they were invited. Removing the user from that group (or from the site) is also how you revoke access when the engagement is over.
Note - the user will not appear in the group until they accept the invitation.
image
Here is the profile of the invitee. As you can see it is tied to the Yahoo email address that was used.
image
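Because nobody is expiring these accounts for you, the administration step above is the one that needs a recurring check. As an added example (not part of the original post), here is a tenant-wide review of accepted external users using the SharePoint Online Management Shell, which assumes that shell is installed and that you have a tenant administrator account. The tenant name, admin account, report path and the "older than 90 days" threshold are assumptions; the script only reports, and the removal line is commented out.

```powershell
# Added example, not the author's code. Tenant, admin account, report path and
# the staleness threshold are assumptions. Nothing is removed unless the last
# line is uncommented.
Import-Module Microsoft.Online.SharePoint.PowerShell -DisableNameChecking

$adminUrl = "https://contoso-admin.sharepoint.com"            # assumed tenant admin URL
$cred     = Get-Credential "admin@contoso.onmicrosoft.com"    # assumed admin account
Connect-SPOService -Url $adminUrl -Credential $cred

# Get-SPOExternalUser is tenant-wide and paged; walk the pages 50 at a time.
$pageSize = 50
$position = 0
$report   = @()
do {
    $page = @(Get-SPOExternalUser -PageSize $pageSize -Position $position)
    foreach ($u in $page) {
        $report += [pscustomobject]@{
            Email       = $u.Email
            DisplayName = $u.DisplayName
            AcceptedAs  = $u.AcceptedAs     # the Live ID / Microsoft account actually used
            InvitedBy   = $u.InvitedBy      # the internal owner who has to re-justify it
            WhenCreated = $u.WhenCreated
            UniqueId    = $u.UniqueId
        }
    }
    $position += $pageSize
} while ($page.Count -eq $pageSize)

$report | Export-Csv "C:\Reports\spo-external-users.csv" -NoTypeInformation   # assumed path

# Flag anything older than 90 days for the inviter to confirm or revoke.
$stale = $report | Where-Object { $_.WhenCreated -lt (Get-Date).AddDays(-90) }
$stale | Format-Table Email, AcceptedAs, InvitedBy, WhenCreated -AutoSize

# Once the inviters have answered, revoke the unneeded ones. This removes the
# external user from the whole tenant, not just one site collection.
# $stale | ForEach-Object { Remove-SPOExternalUser -UniqueIDs @($_.UniqueId) -Confirm:$false }
```

A useful addition to the report is joining `AcceptedAs` against the invited `Email`: an invitation sent to a partner's corporate address but accepted with an unrelated consumer account is exactly the case the site owner should be asked about.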
In Closing
If you are an experienced SharePoint professional you will know this is a game changer; and if you are not, you should see how easy this is to implement.

Sunday, June 3, 2012

Office 365 Government Community Cloud

There was a big announcement this week for Office 365 and for our Federal Customers. Office 365 now has a US Government Community Cloud - http://blogs.office.com/b/microsoft_office_365_blog/archive/2012/05/30/announcing-office-365-for-government-a-us-government-community-cloud.aspx
What does this mean? On top of providing industry standards for privacy and security such as ISO 27001, SAS 70 Type II, EU Safe Harbor, HIPAA, etc., Microsoft will be providing a FISMA-certified cloud environment that is segregated for US Government organizations.
It is important to know that the Office 365 multi-tenant cloud is just as secure as the Office 365 US Government cloud; however, there is no "one size fits all" solution. US Government agencies simply have different policies they must adhere to, and having a US Government-only cloud allows them to move forward. For instance, there are different US Federal background checks of personnel that are required.
Here are some other notes you should be aware of:
  • Right now, this cloud is targeted at US Government agencies with a .GOV or .MIL domain extension. As we already know, data is segregated between customers, but there is an additional layer of segregation for government-only customers.
  • The ITAR controls are not available on the US Government Community Cloud. ITAR is only available for Office 365 Dedicated, which also has FISMA security controls.
  • Purchase of the US Government Community Cloud is done through an EA.
  • Pricing of the Government Community Cloud is the same as the Multi-tenant cloud with additional government discounts; contact your account executive for details.

Thursday, May 3, 2012

FISMA Update for Office 365

Another win for Office 365 and security! Up until now only Office 365 Dedicated with ITAR had the ability to meet FISMA. Now Office 365 Enterprise Services (the multi-tenant cloud) has a FISMA authority to operate (ATO). Please review the following for more details about this announcement - http://blogs.office.com/b/microsoft_office_365_blog/archive/2012/05/03/fisma-security-certification-office-365.aspx

Monday, April 23, 2012

Office 365 Federation Overview

Background
I keep neglecting to finish this blog post, so I am going to crank it out. I recently federated a lab environment with Office 365 and I wanted to share the resources and some of my lessons learned. Actually, federating with Office 365 is a pretty straightforward task.
In this blog I will capture the major steps I took, capture some lessons learned, and give you the resources you need to get there.
Authentication Options
With Office 365 you have a few authentication options:
  • Microsoft Online IDs – These are cloud-based IDs. They are best for small organizations. Users will have a different login (a different username and password), so there is no Single Sign-On experience for the user accessing cloud services. If there is a two-factor authentication requirement, that cannot be supported using this authentication method. You do have the option to bring in your corporate GAL that is managed through on-premises Exchange with the synchronization tool.
  • Federated IDs – This is when you decide you want to provide a Single Sign-On (SSO) experience with Office 365. This is enabled by installing Active Directory Federation Services 2.0 (AD FS 2.0) on premises. Implementing federation provides the ability to support two-factor authentication and enables co-existence/hybrid scenarios; it also means the user's password never leaves your directory, since Office 365 only ever sees a signed token from AD FS.
  • External User Authentication – As an aside, it is worth mentioning that organizations want to bring in external users and partners to collaborate with them. SharePoint Online supports the ability to create a partner cloud account within Office 365 or to allow users to authenticate to SharePoint Online with a Windows Live ID. The Windows Live ID is very appealing because external users can use whatever email address and password they have to access SharePoint Online.
Major Steps for Federation
This is all actually very well documented in the references I am providing at the end of this blog. The steps for federating with Office 365 are:
  • Plan and Prepare
  • Deploy Active Directory Federation Services
  • Establish a Relying Party Trust with Office 365
  • Set Up Active Directory Synchronization
  • Activation of Services for Users
image
Plan and Prepare
First thing, you really need to sit down, read the materials and come up with an execution plan. It is not rocket science; however, knowing your requirements and how people will access Office 365 services will directly affect how you deploy your federation services.
Here are some things to think about:
  • Multiple Domains - If you have multiple domains and subdomains, spend some extra time planning how each will be federated with AD FS. Every domain whose users will sign in must be verified in Office 365 and converted to federated.
  • Multiple Forests - If you have multiple Active Directory forests, synchronization and authentication across forests are not currently supported with Office 365 Multi-tenant. To work around this, consider consolidating forests or deploying Office 365 only for a primary logon forest.
  • Deployment Readiness Tool – Run the Deployment Readiness Tool early. It checks email domains, Active Directory (required attributes, special characters in names, UPN suffixes, etc.), networks and DNS, and you may have remediation to do in AD before you can proceed.
  • DNS – Part of the configuration requires DNS changes (for example a public record for the federation service name, such as sts.contoso.com), so make sure you are working with the person in your company or organization who can make those changes.
  • Access Outside Corporate Network – You need to understand how users will access your environment. If they will be accessing from home, public locations, etc., you will need to deploy AD FS proxy servers in your DMZ (discussed below).
  • Two-Factor Authentication – If you need to support two-factor authentication, some additional configuration is required (discussed below).
  • Certificates – You will need an SSL certificate and a token-signing certificate. The SSL certificate for the federation service name must be trusted by Office 365 and by your external clients, so in practice it comes from a public CA. The token-signing certificate can be the self-signed one AD FS generates, but plan for its renewal: when it rolls over, Office 365 must be updated with the new certificate or federated sign-in stops working. I highly recommend getting all of this worked out from a logistics perspective before you start, otherwise you will be waiting for people to get things for you.
  • Administration Rights – Note that many of the configuration steps require domain administrator rights on premises and global administrator rights in Office 365. Get these people involved early; they need to participate in the configuration and installation of the service.
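As an added example (not from the original post or from the Deployment Readiness Tool itself), here is a pre-flight check for two of the Active Directory problems listed above: users whose UPN suffix is not a domain you have verified in Office 365 (the classic .local forest), and UPN prefixes with characters Office 365 will reject. It assumes the ActiveDirectory module from RSAT, that the domain names in `$VerifiedDomains` are your verified Office 365 domains, and that the allowed-character set in `$AllowedPrefix` matches the readiness tool's rules; both are assumptions you should adjust.

```powershell
# Added example: AD readiness check before federating with Office 365.
# Assumes: RSAT ActiveDirectory module; $VerifiedDomains = domains already verified
# in the Office 365 admin portal; $AllowedPrefix = characters accepted in a UPN prefix
# (assumption; spaces, apostrophes and accented letters are the usual offenders).
Import-Module ActiveDirectory

$VerifiedDomains = @('contoso.com', 'corp.contoso.com')   # assumption: replace with your verified domains
$AllowedPrefix   = '^[A-Za-z0-9._!#^~-]+$'                # assumption: allowed UPN prefix characters

$users  = Get-ADUser -Filter 'Enabled -eq $true' -Properties UserPrincipalName, mail
$report = foreach ($u in $users) {
    $upn = $u.UserPrincipalName
    if (-not $upn) {
        [pscustomobject]@{ SamAccountName = $u.SamAccountName; Problem = 'No UPN set'; Value = '' }
        continue
    }
    $prefix, $suffix = $upn -split '@', 2

    if ($VerifiedDomains -notcontains $suffix) {
        # Typical cause: a .local forest name. Fix by adding a public alternate UPN suffix
        # in AD Domains and Trusts and re-stamping users, e.g.
        #   Set-ADUser $u -UserPrincipalName "$prefix@contoso.com"
        [pscustomobject]@{ SamAccountName = $u.SamAccountName
                           Problem = 'UPN suffix is not a verified Office 365 domain'; Value = $upn }
    }
    if ($prefix -notmatch $AllowedPrefix) {
        [pscustomobject]@{ SamAccountName = $u.SamAccountName
                           Problem = 'UPN prefix contains disallowed characters'; Value = $upn }
    }
    if ($u.mail -and $u.mail -ne $upn) {
        # Not a blocker, but users sign in to Office 365 with the UPN, not the mail address;
        # flag it so the help desk is not surprised.
        [pscustomobject]@{ SamAccountName = $u.SamAccountName
                           Problem = 'mail differs from UPN (sign-in confusion)'; Value = "$($u.mail) / $upn" }
    }
}

$report | Sort-Object Problem, SamAccountName | Format-Table -AutoSize
"{0} issue(s) across {1} enabled users" -f @($report).Count, @($users).Count
```

Run this from a workstation with RSAT as a user who can read the directory; it only reads AD, and the one remediation command is left commented out so nothing is changed until you have decided on the new UPN suffix.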
Approach
Honestly, every implementation plan will differ to some degree based on the current state of your infrastructure. The link below entitled “Office 365 Single sign-on: Roadmap” along with the “Office 365 Deployment Guide” are your best resources for configuring federation with Office 365.
Federation
Initially a couple of resources need to be added:
  • AD FS 2.0 – Must be installed on premises to support federation. Deploy more than one AD FS 2.0 server and load balance them for redundancy: once a domain is federated, nobody in that domain can sign in to Office 365 while AD FS is unavailable.
  • Directory Synchronization Tool – This tool synchronizes Active Directory information to Office 365 to populate the GAL. You need it because AD FS only handles authentication; it does not let users find other people in the organization in Exchange Online or SharePoint Online. It cannot be installed on a domain controller or an AD FS server.
So minimally you will need something like this:
[Figure: minimal federation topology with AD FS 2.0 servers and the Directory Synchronization tool on premises]
If you need users to access Office 365 services from outside the corporate network, you will need some additional resources to support the federated authentication.
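The major federation steps listed above (establish the relying party trust, convert the domain, enable directory synchronization, activate services), as the PowerShell an administrator would actually run, in order. This is an added example and not the original post's or Microsoft's own script. It assumes the AD FS 2.0 farm and the Directory Synchronization tool are already installed per the deployment guide, that the MSOnline module and Sign-In Assistant are installed on the AD FS server you run it from, and that `contoso.com` and `adfs01.corp.contoso.com` are placeholder names for your verified domain and primary AD FS server.

```powershell
# Added example: federating a verified domain with Office 365 from the AD FS 2.0 server.
# Assumptions: MSOnline module present; $Domain is already verified in Office 365;
# $AdfsServer is the primary federation server; AD FS 2.0 and DirSync already installed.
Import-Module MSOnline

$Domain     = 'contoso.com'              # assumption: the verified domain to federate
$AdfsServer = 'adfs01.corp.contoso.com'  # assumption: primary AD FS 2.0 server

# Use a cloud-only (non-federated) global administrator here and keep it around:
# if federation breaks, it is the account that can still sign in to fix it.
Connect-MsolService -Credential (Get-Credential)

# Steps 2 and 3: point the cmdlets at AD FS, then let Convert-MsolDomainToFederated create the
# "Microsoft Office 365 Identity Platform" relying party trust and flip the domain to Federated.
# This affects every user in $Domain, so do it in a maintenance window.
Set-MsolAdfsContext -Computer $AdfsServer
$before = (Get-MsolDomain -DomainName $Domain).Authentication   # 'Managed' before conversion
Convert-MsolDomainToFederated -DomainName $Domain
# When federating more than one domain to the same farm, add -SupportMultipleDomain (newer module versions).

# Verify both sides agree on the endpoints and token-signing certificate.
Get-MsolFederationProperty -DomainName $Domain
$after = (Get-MsolDomain -DomainName $Domain).Authentication    # expect 'Federated'
"Authentication for ${Domain}: $before -> $after"

# Step 4: allow the Directory Synchronization tool to push users and GAL attributes.
Set-MsolDirSyncEnabled -EnableDirSync $true

# Step 5: activate services. A license cannot be assigned until UsageLocation is set.
$sku = (Get-MsolAccountSku | Where-Object { $_.AccountSkuId -like '*:ENTERPRISEPACK' }).AccountSkuId
Get-MsolUser -DomainName $Domain -UnlicensedUsersOnly | ForEach-Object {
    Set-MsolUser -UserPrincipalName $_.UserPrincipalName -UsageLocation 'US'   # assumption: US
    Set-MsolUserLicense -UserPrincipalName $_.UserPrincipalName -AddLicenses $sku
}

# Later, whenever the AD FS token-signing certificate rolls over, re-run this or every
# federated sign-in fails with a token validation error:
#   Update-MsolFederatedDomain -DomainName $Domain
```

The two checks worth keeping in your runbook are the `Authentication` value on the domain before and after conversion, and `Get-MsolFederationProperty`, which shows the certificate and endpoint URLs Office 365 holds next to what AD FS reports; a mismatch after a certificate rollover is the single most common cause of "federation was working yesterday".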
Federation with External Network Access
The most commonly documented approach is to install AD FS 2.0 proxy server(s) in the DMZ (depicted below). Requests come in externally to the proxy servers and are forwarded to the internal AD FS servers, which authenticate the user against Active Directory.
[Figure: AD FS 2.0 proxy servers in the DMZ in front of the internal AD FS 2.0 servers]
An alternative is to use something like Microsoft Forefront Unified Access Gateway (UAG) to publish the federated Office 365 sign-in to users outside the corporate network.
Strong / Two-Factor Authentication
Another common requirement is the need to support two-factor authentication along with federation. If a user is logging in on the corporate network or with a domain-joined machine, you can utilize the existing infrastructure to meet this requirement and no further deployment is required beyond AD FS 2.0 (which provides the single sign-on experience to Office 365). However, if you need to extend two-factor authentication to users accessing Office 365 services from non-domain-joined machines, additional configuration is required.
One solution is to use Microsoft Forefront Unified Access Gateway (UAG) SP1 to provide two-factor authentication for users who need to access Office 365 services from non-domain-joined machines. UAG provides several options for two-factor authentication and DirectAccess. One thing to be aware of is that UAG supports two-factor authentication only for passive federation endpoints (i.e. web clients such as SharePoint Online and OWA). UAG cannot add two-factor authentication to active federation and basic authentication endpoints (i.e. the Outlook client, Lync client, ActiveSync), because those clients send a username and password through Office 365 to the AD FS active endpoints rather than going through the browser sign-in page. This means strong authentication with UAG is limited to the Office 365 web clients, and the active endpoints your proxy publishes remain password-only from the Internet unless you decide not to publish them. In my opinion this is not a major limitation for businesses utilizing Office 365 services, because typically the only client that IT will support on non-domain-joined machines is a browser. Even with bring-your-own-device policies, organizations will typically not support down to the rich client; nor do they really need to.
Another potential solution is to use AD FS 2.0 itself to enforce strong authentication by modifying the AD FS 2.0 proxy logon page to add two-factor support. This entails adding extra fields for users to enter the additional factor and integrating the page with whatever two-factor authentication servers/services are in place. The same caveat applies: this protects only the forms-based (passive) sign-in page, not the active endpoints.
In summary, UAG is a good solution for accessing Office 365 services with two-factor authentication from external, non-domain-joined machines.
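The passive-versus-active distinction above is easy to state and easy to forget when reviewing an AD FS farm, so here is an added example (not from the original post) that lists which AD FS 2.0 endpoints are actually published through the proxy and splits them into the browser (passive) endpoints a UAG second factor can cover and the WS-Trust (active) endpoints it cannot. It assumes it runs on an AD FS 2.0 federation server with the `Microsoft.Adfs.PowerShell` snap-in available, and that the `Protocol` and `ClientCredentialType` values it matches on are the ones AD FS 2.0 reports.

```powershell
# Added example: which AD FS 2.0 endpoints are reachable from the Internet via the proxy,
# and which of them a second factor on the web sign-in page does NOT protect.
# Assumes: run on an AD FS 2.0 federation server; Microsoft.Adfs.PowerShell snap-in present.
Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue

# Only endpoints that are both enabled and flagged for the proxy are exposed externally.
$published = Get-ADFSEndpoint | Where-Object { $_.Enabled -and $_.Proxy }

# Passive: browser redirects to /adfs/ls/ (WS-Federation passive, SAML). UAG or a modified
# logon page can add a second factor here.
$passive = $published | Where-Object { $_.Protocol -like '*WS-Federation*' -or $_.Protocol -like 'SAML*' }

# Active: WS-Trust endpoints that Exchange Online and the Lync client drive on the user's behalf
# with a plain username/password. Nothing on the sign-in page applies to these.
$active  = $published | Where-Object { $_.Protocol -like 'WS-Trust*' }

'Passive (browser) endpoints published through the proxy:'
$passive | Select-Object AddressPath, Protocol, ClientCredentialType | Format-Table -AutoSize

'Active endpoints published through the proxy (password-only from the Internet):'
$active | Select-Object AddressPath, Protocol, ClientCredentialType | Format-Table -AutoSize

# Policy decision, not a default. If, as the text argues, rich clients are not supported off the
# corporate network, stop publishing the password-based active endpoints through the proxy.
# This breaks Outlook, Lync and ActiveSync for external users, which is precisely the trade-off.
# $active | Where-Object { $_.ClientCredentialType -eq 'UserName' } |
#     ForEach-Object { Set-ADFSEndpoint -TargetAddressPath $_.AddressPath -Proxy $false }
```

Read the second table as the list of paths an attacker with a phished password can still use from anywhere, regardless of what UAG enforces on the first table; if the active endpoints must stay published, that is the residual risk to write down.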
Pilot Single Sign On
Additionally, you may be interested in piloting single sign-on with a subset of users. There is a great article in the references of this post that explains how to do this, and it is really straightforward. First, note that you can always add single sign-on later: you can create your Office 365 tenant using cloud IDs and, when you are ready, transition to federated authentication with Active Directory. Second, you can even create scenarios where some users authenticate to Office 365 services using a federated account while other users only use cloud-based IDs. Because the authentication type is set per domain, this means the pilot users carry a UPN in a federated domain while everyone else stays in a managed (cloud ID) domain. This can give you some flexibility in how you manage accounts.
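To see a mixed pilot in practice, and to have the rollback to hand before you start, here is an added example (not from the original post or the referenced article) that reports how each domain and user in the tenant will sign in and shows the command that converts a domain back to cloud IDs. It assumes the MSOnline module and a cloud-ID global administrator, and `pilot.contoso.com` and the password file path are placeholders.

```powershell
# Added example: inventory of federated vs. cloud-ID sign-in in the tenant, plus the rollback.
# Assumes: MSOnline module; a cloud-ID global administrator; placeholder domain/file names.
Import-Module MSOnline
Connect-MsolService

# Authentication is decided per domain: 'Federated' domains go to AD FS, 'Managed' use cloud IDs.
Get-MsolDomain | Select-Object Name, Status, Authentication | Format-Table -AutoSize

# Map each user to the sign-in path its UPN suffix implies. LastDirSyncTime shows which
# accounts are owned by directory synchronization (and so cannot be edited in the portal).
$federated = (Get-MsolDomain | Where-Object { $_.Authentication -eq 'Federated' }).Name
Get-MsolUser -All |
    Select-Object UserPrincipalName, LastDirSyncTime,
        @{ n = 'SignIn'; e = {
            if ($federated -contains ($_.UserPrincipalName -split '@')[1]) { 'Federated (AD FS)' }
            else { 'Cloud ID' } } } |
    Sort-Object SignIn, UserPrincipalName | Format-Table -AutoSize

# Rollback for an abandoned pilot: converts the domain to Managed and writes a temporary
# password for each affected user to the file. Treat that file as a credential dump:
# distribute the passwords out of band and delete it afterwards.
# Convert-MsolDomainToStandard -DomainName 'pilot.contoso.com' `
#     -PasswordFile 'C:\temp\pilot-passwords.txt' -SkipUserConversion $false
```

The inventory is the sanity check to run after any `Convert-MsolDomainToFederated` or `Convert-MsolDomainToStandard`: if a user you expected to be on the pilot shows up as a cloud ID, the cause is almost always a UPN suffix that does not match the federated domain.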
References/Resources

Saturday, April 7, 2012

Office 365 Dedicated Service Description Update for April 2012

The Office 365 Dedicated service descriptions have been updated for April 2012. Go here to get the service descriptions:
  1. Office 365 Dedicated Service Descriptions - http://www.microsoft.com/download/en/details.aspx?id=18128
  2. Office 365 Dedicated with ITAR Service Descriptions - http://www.microsoft.com/download/en/details.aspx?id=23910
To get a quick description of all the changes read the document called “What's New in the Latest Service Update_Office 365 Dedicated Plans_April 2012.docx” which captures all the changes in the services.
Here are some changes to take note of:
  • Mailbox Auditing Reports
  • Hosted voicemail services
  • More streamlined process for approving SharePoint Full Trust code
  • Lync data access and IM archiving
  • Enterprise Voice updates
There are some others but these are some highlights.
Note: if you are looking at Office 365 Multi-tenant (meaning the shared Office 365 cloud), review those service descriptions here instead, as they are different (http://www.microsoft.com/download/en/details.aspx?id=13602).

Tuesday, March 20, 2012

Office 365 Multi-tenant Service Description Updated

The Microsoft Office 365 Multi-tenant Service Descriptions have been updated - http://www.microsoft.com/download/en/details.aspx?id=13602
  • Exchange Online Archiving – Feb 2012
  • Exchange Online – Feb 2012
  • Lync Online – March 2012
  • Office Professional Plus – Feb 2012
  • Office Web Apps – March 2012
  • SharePoint Online – March 2012
  • Office 365 Enterprise Support – Feb 2012
The other service descriptions on Identity, Mobility, Security/Continuity, and Apple have not changed.

Thursday, March 15, 2012

Updated Independent Analysis on Microsoft Productivity Solutions for Prem and Cloud

There have been a lot of updates to the Gartner analysis of the Microsoft productivity stack and the other related stacks that I work with. Specifically, SharePoint, Office 365, Lync and BI have all been getting great independent reviews. The important takeaway that I discuss with my customers is that all of these top-quartile-rated technologies are delivered on a single, integrated solution stack. They are NOT hodgepodge solutions brought together through custom integration.
Many of the reports and newest reports can always be accessed from here - http://www.microsoft.com/presspass/itanalyst/default.mspx
SharePoint and Office 365
As you can see, we have received great assessments for enterprise content management, enterprise search with FAST for SharePoint 2010, recognition as a portal provider, social computing, and business process analysis with Visio Services and SharePoint workflow. Much of this capability is delivered through the Office 365 cloud as well.
SQL Server and BI
As you can see, these are very recent reports giving us good reviews in the areas of BI and data warehousing. I think the big takeaway is again total cost of ownership (TCO): we deliver strong BI solutions, and customers do not need to make significant additional investments to deliver BI through the same SharePoint investments discussed above.
Exchange and Office 365
For email with Exchange, whether delivered on premises or through the Office 365 cloud, we continue to be evaluated as a leader. This really speaks to our versatility in allowing customers to select the most appropriate deployment model and get the same level of end-user experience for business users.
Lync and Office 365
Microsoft is again recognized as a leader in all of these types of solutions with Lync, which can additionally be delivered through the Office 365 cloud. Our Unified Communications solutions are completely integrated with Office, Outlook and SharePoint, allowing users to quickly transition between the tasks they are working on and making them highly productive. These capabilities are extremely useful for telework or communications between people spread across large geographies.