Jaap Wesselius

Office 365 Essentials - Subscriptions and Licenses

08 August 2014

Should you be planning to move from Exchange to Office 365? If so, why? What sort of license should you get, and should you use cloud identities or federated identities for your users? Jaap starts a series of articles with an overview of the advantages, and a simple explanation of the options in subscriptions and licenses for Office 365.

So, your management has decided to move to Office 365 and you, as the (Exchange) administrator, have been assigned the job of figuring out what’s the best solution when it comes to licensing, migration, coexistence, decommissioning Exchange On-Premises etc.

Starting with Office 365

Before you start with Office 365, it is worth asking a number of questions to determine which kind of Office 365 license you need:

  • What’s the size of the company?
  • Do you want to connect your internal Active Directory to Office 365 to synchronize both?
  • Do you want to create a single sign-on environment?
  • Which application do you want to use in Office 365?
  • Which application do you currently use in your environment?

These questions are all related to each other of course. The size of the company, for example, will determine the way you manage your user accounts. If you have a 30 employee organization you most likely won’t connect your internal Active Directory to Office 365 and thus won’t create a single sign-on environment. This is different when you have a 3,000 employee Active Directory. Most likely you want to create a Directory Synchronization solution to manage all accounts from your local Active Directory.

It is important to establish which applications you want to use as well. Are you just interested in Exchange Online, or do you also want to use Lync Online, Office 2013 or maybe OneDrive for Business as a storage solution in the cloud? For years it has been Exchange Online that has driven businesses to Office 365, but these days more and more customers are deploying Lync Online and SharePoint Online as well.

Another very important question is which application you are currently using on-premises. Maybe you are running Exchange 2007 or Exchange 2010, or Lotus Notes or GroupWise. This will largely impact the migration strategy when moving to Office 365.

Why Office 365?

Why do you want to use Office 365 instead of building and maintaining your Exchange 2013, Lync 2013 and SharePoint 2013 infrastructure on-premises? The typical answer that a consultant would give would be “it depends” and it does depend. If you recently upgraded to a new Exchange 2013 environment you won’t be too happy to move to Office 365 and the same is true if you recently migrated to Lync Server 2013 on-premises. But if you’re running some old messaging platform, and maybe you are new to the Instant Messaging and Presence that Lync Online offers, then it’s a different story.

Of course there’s always the financial point of view and I won’t argue about that; but when doing the math, take into account the investment needed for hardware and software, maybe some investment for an external consultant, power usage by the server, air-conditioning etc. And don’t forget your labor cost of running the Exchange and Lync environment for a couple of years.

If you’re running on Office 365, the only thing to worry about is your internet connection, your identity management and your Outlook or Lync clients. If there’s a hiccup in the Microsoft service, you know that hundreds of extremely qualified people are working hard to get the issues resolved.

Don’t forget the ease of maintenance. Everybody that has ever installed a highly available and redundant Exchange 2013 or Lync 2013 infrastructure knows how much hardware you need to accomplish this. It can take several days of hard work to build such an environment and it takes quite some work to keep it up to date, especially with the current Exchange 2013 Support Lifecycle where an update is released on a quarterly basis.

If you are using Exchange Online and Lync Online it’s just a matter of provisioning the accounts, changing your public DNS records and it is running. Ok, when you want to integrate Office 365 into your existing environment it’s more work because you need a synchronization and single sign-on solution, but still, it is a lot less hassle. Your life as an (Exchange) administrator will become a lot easier when moving to Office 365 and certainly a lot less stressful. Will your job as an (Exchange) Administrator be in jeopardy? I don’t think so as long as you’re willing to change and become more of an Identity Management administrator.

Maybe I’m doing a bit too much marketing for Office 365, but as an Exchange consultant and Exchange Server MVP I do quite a lot of work with Office 365 in all flavors and I truly see the added value that Office 365 can offer.


It is impossible to present a simple overview of all licenses available in Office 365 so I’ll keep this brief and only mention a couple of possibilities. Basically you can separate the business plans in three categories:

  • Small Business;
  • Midsize Business;
  • Large Business or Enterprises.

Small Business

When it comes to Office 365, a small business is an organization up to 25 users. This is a fairly simple configuration. In the Office 365 Small Business plan you get:

  • Exchange Online with a mailbox with 50GB of storage (which actually is a pretty large mailbox!) including anti-spam and anti-virus;
  • Lync Online with Instant Messaging, Presence and Web Conferencing;
  • 1 TB of file storage in OneDrive for Business;
  • A public website and an Intranet site through SharePoint Online.

Note. If you opt for the Office 365 Small Business Premium plan you also get a license for Office 2013 which you can install on 5 separate devices. What you also get in this Premium plan are mobile apps. These are Office 2013 apps that can be run on mobile devices such as your iPad.

What you don’t get in a Small Business plan is integration in your local Active Directory. All users are cloud users that are provisioned directly in Office 365. These users have an account and a password in the cloud, and this is fully separated from your local environment.

Midsize Business

The Office 365 Midsize Business plan is targeted towards organizations with up to 300 users. It has the same features as the Office 365 Small Business Premium (so it includes Office 2013!) but it can be used in conjunction with your local Active Directory and as such you can configure Directory Synchronization and Federation Services. The latter gives you the opportunity to create a single sign-on solution where you can log on to the Office 365 solution using your Active Directory domain credentials.

To accomplish this you need quite some infrastructure on-premises but we’ll come back to the requirements in a future article.

Large Business or Enterprises

The Office 365 Enterprise plans are for large organizations with thousands of users; in theory the number of users is unlimited in these subscriptions. All features in Office 365 are available for Office 365 Enterprise users. Not just Exchange Online, Lync Online and SharePoint Online, but also features like Yammer, Business Intelligence, Voice Mail and Enterprise Voice are available for Office 365 Enterprise. These subscriptions are also known as E1, E3 and E4.

Large organizations typically have their own Active Directory so all Office 365 Enterprise plans have support for Active Directory integration and thus can offer Directory Synchronization and single sign-on.

For an up to date overview of all Office 365 plans please check the following Microsoft links:

  1. Compare Office 365 business plans
  2. Compare all Office 365 business plans

Cloud Identity versus Federated Identity

There’s a distinct difference between Cloud Identities and Federated Identities in Office 365 and you should be aware of this before you implement Office 365 in your organization.

  • Cloud Identities are security principals (i.e. accounts) that are created and maintained in Office 365, more specifically in Windows Azure Active Directory. You can see this as a separate Active Directory environment, fully controlled by Microsoft. You can create the accounts, but the Microsoft security policies like password expiration policies are applied to these accounts. Authentication occurs via the cloud directory service. So you basically have two user accounts. One account is your local Active Directory account on-premises, the second account is the account in Office 365. Both can have the same name and same password, but they are two different accounts, with different security policies. These types of identities are typically used in the Office 365 Small Business subscriptions. When you are using Cloud Identities and an employee leaves the organization you have to disable all Cloud Identities that have been in use by this employee.
  • Federated Identities are user accounts in Office 365 that originate in your local Active Directory. Federated Identities in Office 365 are typically created using a Directory Synchronization solution. Using Federated Identities you don’t log on to Office 365 using cloud credentials but you log on using your Active Directory domain credentials, so authentication occurs via your on-premises Active Directory. There’s only one security principal, and that’s the one in your local Active Directory. At the same time this means that only local security policies are applied to this account. For Federated Identities you also need a Federation solution to use local Active Directory accounts against Office 365. You’ll see Federated accounts typically in larger organizations since they need an extensive infrastructure to facilitate federation. If you are using Federated Identities and an employee leaves the organization you only have to disable the Active Directory account. All Federated Identities rely on this Active Directory account and cannot be used anymore when this account is disabled.

So it is obvious that Cloud Identities are different from Federated Identities. For Federated Identities you need a Directory Synchronization solution _and_ you need a federation infrastructure. When you implement Directory Synchronization, you also have the possibility to synchronize Active Directory accounts with their passwords. This is a very interesting solution since you have a similar account in Active Directory and Office 365 with the same password, but it is not a true single sign-on solution. It’s just a Cloud Identity with the same password and as such still under control of Microsoft and its security policies. On the other hand, if you don’t care about this… using Directory Synchronization with passwords gives you the opportunity to use the same account name and password in Office 365 and it saves you a tremendous amount of work building and maintaining a federation infrastructure.
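The offboarding difference described above can be checked mechanically. The following is an added example, not part of the original article: it compares two constructed CSV exports (the column names `upn`, `enabled`, `identity_type` and `sign_in_blocked` are hypothetical, not a real Office 365 or Active Directory export format) and reports Cloud Identities that can still sign in although the matching on-premises account is disabled or does not exist.

```python
import csv
import io

# Constructed sample exports; the column names are hypothetical.
AD_EXPORT = """upn,enabled
alice@example.com,True
bob@example.com,False
carol@example.com,False
"""

O365_EXPORT = """upn,identity_type,sign_in_blocked
Alice@example.com,cloud,False
bob@example.com,cloud,False
carol@example.com,federated,False
dave@example.com,cloud,False
erin@example.com,cloud,True
"""


def _rows(text):
    return list(csv.DictReader(io.StringIO(text)))


def _flag(value):
    return value.strip().lower() == "true"


def audit_leavers(ad_csv, o365_csv):
    """Return (upn, reason) for cloud identities that can still sign in
    although the matching on-premises account is disabled or absent."""
    # UPNs are compared case-insensitively.
    ad_enabled = {r["upn"].strip().lower(): _flag(r["enabled"]) for r in _rows(ad_csv)}
    findings = []
    for row in _rows(o365_csv):
        upn = row["upn"].strip().lower()
        # Federated identities authenticate against on-premises AD, so
        # disabling the AD account already cuts them off.
        if row["identity_type"].strip().lower() != "cloud":
            continue
        if _flag(row["sign_in_blocked"]):
            continue
        if upn not in ad_enabled:
            findings.append((upn, "no on-premises account"))
        elif not ad_enabled[upn]:
            findings.append((upn, "on-premises account disabled"))
    return findings


if __name__ == "__main__":
    for upn, reason in audit_leavers(AD_EXPORT, O365_EXPORT):
        print(f"{upn}: cloud identity still enabled ({reason})")
```

Cloud accounts with no on-premises counterpart are reported separately because they may be legitimate cloud-only users; they still need an owner who disables them when that person leaves.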


In this first part of this series I tried to explain some of the basics of Office 365. There are so many subscription plans that one of them is bound to match your type of organization. When you are thinking about moving to Office 365, you have to be aware of the type of accounts that are used. Cloud accounts are accounts that are created in the cloud (i.e. Office 365) and are separate accounts. When using multiple cloud solutions, you have to create and maintain multiple accounts. Federated accounts are used when you want to use your local Active Directory account for authentication in cloud solutions such as Office 365. From an end user perspective this is very transparent but you as an administrator need to provide the infrastructure.

In the next article I will discuss more about Office 365 Small Business and how to implement this. In the third article I will discuss more about Office 365 Enterprise, including Directory Synchronization and Federation and whether this is a good idea.

Jaap Wesselius

Author profile:

Jaap Wesselius is an independent consultant from The Netherlands focusing on (Microsoft) Business Productivity solutions with Microsoft Exchange, Lync and Office 365. Prior to becoming an independent consultant in 2006, Jaap worked for 8 years for Microsoft Services in The Netherlands, specializing in Exchange Server. Jaap has a Bsc in Applied Physics & Computer Science, is an MCSE, MCITP and MCT, and has consistently been awarded the Microsoft MVP Award (Exchange Server, eighth year now) for his contributions to the (Dutch) Exchange community. For his blog posts, you can visit If you'd like to get in touch, you can reach Jaap via email at, or follow him on twitter as @jaapwess.
