So, your management has decided to move to Office 365 and you, as the (Exchange) administrator, have been assigned the job of figuring out the best approach to licensing, migration, coexistence, decommissioning Exchange on-premises and so on.
Starting with Office 365
Before you start with Office 365, it is worth asking a number of questions to determine which kind of Office 365 license you need:
- What’s the size of the company?
- Do you want to connect your internal Active Directory to Office 365 to synchronize both?
- Do you want to create a single sign-on environment?
- Which application do you want to use in Office 365?
- Which application do you currently use in your environment?
These questions are all related to each other of course. The size of the company, for example, will determine the way you manage your user accounts. If you have a 30-employee organization you most likely won't connect your internal Active Directory to Office 365 and thus won't create a single sign-on environment. This is different when you have a 3,000-employee Active Directory: most likely you want a Directory Synchronization solution so that you can manage all accounts from your local Active Directory.
It is important to establish which applications you want to use as well. Are you just interested in Exchange Online, or do you also want to use Lync Online, Office 2013 or maybe OneDrive for Business as a storage solution in the cloud? For years it has been Exchange Online that has driven businesses to Office 365, but these days more and more customers are deploying Lync Online and SharePoint Online as well.
A very important question is also which applications you are currently using on-premises. Maybe you are running Exchange 2007 or Exchange 2010, or Lotus Notes or GroupWise. This largely determines the migration strategy when moving to Office 365.
Why Office 365?
Why would you use Office 365 instead of building and maintaining your own Exchange 2013, Lync 2013 and SharePoint 2013 infrastructure on-premises? The typical consultant's answer is "it depends", and it does depend. If you recently upgraded to a new Exchange 2013 environment you won't be too happy to move to Office 365, and the same is true if you recently migrated to Lync Server 2013 on-premises. But if you're running an old messaging platform, and maybe you are new to the Instant Messaging and Presence that Lync Online offers, then it's a different story.
Of course there’s always the financial point of view and I won’t argue about that; but when doing the math, take into account the investment needed for hardware and software, maybe some investment for an external consultant, power usage by the server, air-conditioning etc. And don’t forget your labor cost of running the Exchange and Lync environment for a couple of years.
If you're running on Office 365, what remains your responsibility is your internet connection, your identity management (and with it the security of every account that can sign in to the service) and your Outlook or Lync clients. If there's a hiccup in the Microsoft service, you know that hundreds of extremely qualified people are working hard to get the issue resolved.
Don’t forget the ease of maintenance. Everybody that has ever installed a highly available and redundant Exchange 2013 or Lync 2013 infrastructure knows how much hardware you need to accomplish this. It can take several days of hard work to build such an environment and it takes quite some work to keep it up to date, especially with the current Exchange 2013 Support Lifecycle where an update is released on a quarterly basis.
If you are using Exchange Online and Lync Online it's just a matter of provisioning the accounts, changing your public DNS records and it is running. Ok, when you want to integrate Office 365 into your existing environment it's more work because you need a synchronization and single sign-on solution, but still, it is a lot less hassle. Your life as an (Exchange) administrator will become a lot easier when moving to Office 365 and certainly a lot less stressful. Will your job as an (Exchange) administrator be in jeopardy? I don't think so, as long as you're willing to change and become more of an Identity Management administrator.
Maybe I'm doing a bit too much marketing for Office 365, but as an Exchange consultant and Exchange Server MVP I do quite a lot of work with Office 365 in all flavors and I truly see the added value that Office 365 can offer.
It is impossible to present a simple overview of all licenses available in Office 365 so I’ll keep this brief and only mention a couple of possibilities. Basically you can separate the business plans in three categories:
- Small Business;
- Midsize Business;
- Large Business or Enterprises.
When it comes to Office 365, a small business is an organization up to 25 users. This is a fairly simple configuration. In the Office 365 Small Business plan you get:
- Exchange Online with a mailbox with 50GB of storage (which actually is a pretty large mailbox!) including anti-spam and anti-virus;
- Lync Online with Instant Messaging, Presence and Web Conferencing;
- 1 TB of file storage in OneDrive for Business;
- A public website and an Intranet site through SharePoint online.
Note. If you opt for the Office 365 Small Business Premium plan you also get a license for Office 2013 which you can install on 5 separate devices. What you also get in this Premium plan are mobile apps. These are Office 2013 apps that can be run on mobile devices such as your iPad.
What you don’t get in a Small Business plan is integration in your local Active Directory. All users are cloud users that are provisioned directly in Office 365. These users have an account and a password in the cloud, and this is fully separated from your local environment.
The Office 365 Midsize Business plan is targeted at organizations with up to 300 users. It has the same features as Office 365 Small Business Premium (so it includes Office 2013!) but it can be used in conjunction with your local Active Directory, so you can configure Directory Synchronization and Active Directory Federation Services (AD FS). The latter gives you the opportunity to create a single sign-on solution where you log on to Office 365 using your Active Directory domain credentials.
To accomplish this you need quite some infrastructure on-premises, but we'll come back to the requirements in a future article.
Large Business or Enterprises
The Office 365 Enterprise plans are for large organizations with thousands of users; in theory the number of users in these subscriptions is unlimited. All features in Office 365 are available to Office 365 Enterprise users: not just Exchange Online, Lync Online and SharePoint Online, but also features like Yammer, Business Intelligence, Voice Mail and Enterprise Voice. These subscriptions are also known as E1, E3 and E4.
Large organizations typically have their own Active Directory so all Office 365 Enterprise plans have support for Active Directory integration and thus can offer Directory Synchronization and single sign-on.
For an up to date overview of all Office 365 plans please check the following Microsoft links:
- http://bit.ly/CompareO365Business – Compare Office 365 business plans
- http://bit.ly/CompareAllO365BusinessPlans – Compare all Office 365 business plans
Cloud Identity versus Federated Identity
There’s a distinct difference between Cloud Identities and Federated Identities in Office 365 and you should be aware of this before you implement Office 365 in your organization.
- Cloud Identities are security principals (i.e. accounts) that are created and maintained in Office 365, more specifically in Windows Azure Active Directory. You can see this as a separate Active Directory environment, fully controlled by Microsoft. You create the accounts, but Microsoft's security policies, like the password expiration policy, are applied to them, and authentication occurs in the cloud directory service. So you basically have two user accounts: one is your local Active Directory account on-premises, the other is the account in Office 365. Both can have the same name and the same password, but they are two different accounts with two different passwords to protect and two different sets of security policies. This type of identity is typically used in the Office 365 Small Business subscriptions. When you are using Cloud Identities and an employee leaves the organization, you have to disable or block every Cloud Identity that employee has used, one by one; disabling the on-premises account does nothing to the cloud account.
- Federated Identities are user accounts in Office 365 that originate in your local Active Directory and are typically created using a Directory Synchronization solution. With Federated Identities you don't log on to Office 365 using cloud credentials but using your Active Directory domain credentials, so authentication occurs against your on-premises Active Directory through the federation server, which issues a token that Office 365 trusts. There is only one set of credentials, the one in your local Active Directory; the object in Office 365 is a synchronized copy that has no usable cloud password. At the same time this means that only your local security policies (password complexity, expiration, lockout, logon hours) apply to this account. For Federated Identities you also need a federation solution to use local Active Directory accounts against Office 365. You'll typically see Federated Identities in larger organizations, since they need an extensive infrastructure to facilitate federation. If you are using Federated Identities and an employee leaves the organization you only have to disable the Active Directory account: the federation server stops issuing tokens for it immediately, and the disabled state is written to Office 365 on the next synchronization cycle. One caveat: tokens and sessions issued before the account was disabled stay valid until they expire, so disabling the account stops new logons, not necessarily sessions that are already open.
So it is obvious that Cloud Identities are different from Federated Identities. For Federated Identities you need a Directory Synchronization solution _and_ a federation infrastructure. When you implement Directory Synchronization, you also have the possibility to synchronize Active Directory accounts together with their passwords. This is an interesting option because you get a matching account in Active Directory and in Office 365 with the same password, but it is not a true single sign-on solution. Password synchronization does not send the password itself to Office 365; it synchronizes a hash of the user's password hash, and authentication still happens in Windows Azure Active Directory. What you end up with is a Cloud Identity with the same password, still under control of Microsoft and its security policies; in particular, your on-premises account lockout policy does not protect cloud logons, Office 365 applies its own. On the other hand, if you don't mind this, Directory Synchronization with password synchronization lets you use the same account name and password in Office 365 and saves you a tremendous amount of work building and maintaining a federation infrastructure.
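The practical consequence of the three identity types above is that you have to know, per user, where the credential actually lives before you can offboard a leaver correctly. The script below is an added example and not part of the original article. It assumes the MSOnline and ActiveDirectory PowerShell modules are installed and that you have already run Connect-MsolService as a tenant administrator; the function names Get-O365IdentityType and Disable-LeaverIdentity and the IdentityType labels are this example's own. It classifies every account as Cloud (no LastDirSyncTime), Federated (synced and the UPN domain is federated) or Synchronized (synced, managed domain, so password sync or a cloud password), and then blocks the leaver in the place(s) that matter for that type.

```powershell
# Added example, not from the original article. Assumes the MSOnline and
# ActiveDirectory modules and an existing Connect-MsolService session.
# Function names, parameter names and the IdentityType labels are this
# example's own conventions.

Import-Module MSOnline
Import-Module ActiveDirectory -ErrorAction SilentlyContinue

# Classify each Office 365 user by where its credential actually lives.
function Get-O365IdentityType {
    param(
        [Parameter(Mandatory)] $Users,    # objects returned by Get-MsolUser
        [Parameter(Mandatory)] $Domains   # objects returned by Get-MsolDomain
    )
    # Domain name -> 'Managed' or 'Federated' (the Authentication property)
    $auth = @{}
    foreach ($d in $Domains) { $auth[$d.Name.ToLower()] = [string]$d.Authentication }

    foreach ($u in $Users) {
        $domain = ($u.UserPrincipalName -split '@')[1].ToLower()
        $type = if (-not $u.LastDirSyncTime) {
            'Cloud'          # created in Azure AD; Microsoft's password policy applies
        } elseif ($auth[$domain] -eq 'Federated') {
            'Federated'      # synced object; AD FS authenticates; credential lives in AD
        } else {
            'Synchronized'   # synced object; authenticated in the cloud (password sync)
        }
        [pscustomobject]@{
            UserPrincipalName = $u.UserPrincipalName
            IdentityType      = $type
            DomainAuth        = $auth[$domain]
            LastDirSyncTime   = $u.LastDirSyncTime
            BlockCredential   = $u.BlockCredential
        }
    }
}

# Offboard a leaver in the way the identity type requires.
function Disable-LeaverIdentity {
    param(
        [Parameter(Mandatory)] [string] $UserPrincipalName,
        [Parameter(Mandatory)] [string] $IdentityType
    )
    switch ($IdentityType) {
        'Cloud' {
            # A separate cloud account: disabling anything on-premises does nothing,
            # the sign-in must be blocked in Office 365 itself.
            Set-MsolUser -UserPrincipalName $UserPrincipalName -BlockCredential $true
        }
        default {
            # Synchronized or Federated: disable the AD account. AD FS stops issuing
            # tokens at once; the disabled state reaches Azure AD on the next sync.
            $ad = Get-ADUser -Filter "UserPrincipalName -eq '$UserPrincipalName'"
            if ($ad) { Disable-ADAccount -Identity $ad.SamAccountName }
            # Block the cloud sign-in right away as well, so you are not waiting
            # for the sync cycle and cached cloud logons cannot continue.
            Set-MsolUser -UserPrincipalName $UserPrincipalName -BlockCredential $true
        }
    }
}

# Usage: build the report for the whole tenant and review the cloud-only accounts,
# which are the ones an AD-based leaver process would miss.
$report = Get-O365IdentityType -Users (Get-MsolUser -All) -Domains (Get-MsolDomain)
$report | Group-Object IdentityType | Select-Object Name, Count
$report | Where-Object { $_.IdentityType -eq 'Cloud' } |
    Select-Object UserPrincipalName, BlockCredential

# Offboarding one leaver (UPN is a placeholder):
# $leaver = $report | Where-Object { $_.UserPrincipalName -eq 'user@example.com' }
# Disable-LeaverIdentity -UserPrincipalName $leaver.UserPrincipalName -IdentityType $leaver.IdentityType
```

Two things worth noticing when you run this. First, an account that shows up as Cloud in a tenant that otherwise uses Directory Synchronization is exactly the kind of account that outlives the employee, because nobody's AD-based leaver checklist touches it. Second, for synchronized and federated users the example blocks the credential in the cloud as well as in AD rather than relying on the next sync cycle; the cloud block is overwritten by synchronization only if the AD account is still enabled, so doing both is safe and closes the window between disabling the AD account and the next sync.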
In this first part of the series I have tried to explain some of the basics of Office 365. There are so many subscription plans that one of them is bound to match your type of organization. When you are thinking about moving to Office 365, you have to be aware of the type of accounts that are used. Cloud accounts are created in the cloud (i.e. in Office 365) and are separate accounts with their own passwords and policies; when using multiple cloud solutions you have to create, maintain and eventually disable multiple accounts per user. Federated accounts are used when you want to authenticate to cloud solutions such as Office 365 with your local Active Directory account. From an end-user perspective this is very transparent, but you as an administrator need to provide the infrastructure.
In the next article I will discuss more about Office 365 Small Business and how to implement this, in the third article I will discuss more about Office 365 Enterprise including Directory Synchronization and Federation and whether this is a good idea.