18 May

What is Azure Active Directory and which edition should you choose?

Azure Active Directory (AD) comes up in virtually all cloud conversations that I have with clients these days, which is to be expected given the dependency Microsoft online services have on Azure AD. What I do find, though, is that I spend more time than I expect explaining Azure AD and what you do and don’t get with it.

Microsoft describes Azure AD as “a comprehensive identity and access management cloud solution that provides a robust set of capabilities to manage users and groups and help secure access to on-premises and cloud applications including Microsoft online services like Office 365 and a world of non-Microsoft SaaS applications.”

If you have invested in, or are planning to invest in, Azure or Office 365, then you’ll need to be familiar with Azure AD. Azure AD enables organizations to leverage their on-premises Active Directory to gain identity and access management in the cloud. Effectively, users can use their Active Directory credentials to sign on to applications in the cloud, including Microsoft online services like Office 365 and Azure, as well as over 2,400 pre-integrated SaaS applications. Additionally, Azure AD enables organizations to use the cloud to provide self-service capabilities. For example, you can allow users to reset their password through the Office 365 portal, and that password reset will be written back to your on-premises Active Directory. These are the most common functions that organizations use Azure AD for. However, there are many more features in Azure AD that organizations get access to.

It’s important to note that Azure AD comes in three editions – Free, Basic, and Premium. The features vary between editions…

15 May

Microsoft Operations Management Suite

Managing any instance in any cloud is a tall order. Microsoft is going after it nonetheless. They’ve released Microsoft Operations Management Suite (OMS), which extends System Center and allows you to manage any instance in any cloud, including your datacenter, Azure, AWS, Windows Server, Linux, VMware, and OpenStack. OMS focuses on the following scenarios:

  • Log Analytics
  • Automation
  • Availability
  • Security

I was able to catch a demo of OMS at Ignite, and saw firsthand how fast OMS is to get started.

More details on OMS can be found here and here.

    15 May

    Using the Office 365 Import Service for Large Migrations

Organizations that are moving email to Office 365 typically face a lengthy migration process. The time it will take to move email depends on several factors; the most limiting is usually the network throughput you can achieve. There’s only so much data you can push through your Internet pipe.

One solution to this is to leverage the Microsoft Office 365 Import Service, which was recently released. The Microsoft Office 365 Import Service is intended to allow you to transfer PST files from your on-premises environment to your Exchange Online mailboxes. Transfer can be done by uploading the files to Office 365, or by shipping disks to Microsoft. The option you use will vary depending on the amount of data to be imported; the general rule of thumb is to ship disks for more than 10 GB.

Although the Office 365 Import Service is intended for PST files, you can incorporate it into your migration strategy to expedite the actual migration process. For example, you can export all email older than 1 month from users’ live mailboxes to a PST file, import the PST file into Office 365 using the Import Service, and then migrate the reduced-size live mailbox. The users can then decide to keep the email that was imported in their Online Archive or move it from their Online Archive to their mailbox. Effectively, you can reduce the amount of time it takes to migrate TBs of email from months to a few weeks (assuming you use the ship-disks option).

Full details on the Office 365 Import Service can be found here. Be sure to read the FAQs in this article as well.

    19 Jan

    OneDrive for Business Client Network Bandwidth Calculator

OneDrive for Business is a workload within Office 365 that I am personally seeing a significant amount of interest in from clients. One of the first questions I get when clients are considering OneDrive for Business is “what will be the impact to my network?” Microsoft has a Beta OneDrive for Business Client Network Bandwidth Calculator available, which can help answer this question. I emphasize “help” because this is simply an estimate – you will need to do a proper PoC / Pilot to get a better indication of the impact OneDrive for Business will have on your network.

The OneDrive for Business Client Network Bandwidth Calculator can be downloaded here.

    15 Dec

    New Azure Active Directory Features Released / Preview

    The Azure AD team has announced general availability for some key features in Azure AD as well as new features that are now in preview, including:

    Generally available:

    • Password write-back in Azure AD Sync: Users can now change their passwords in the cloud and have the change flow all the way back to your on-premises AD.
    • The Azure AD App Proxy: This proxy makes it easy to give your employees secure access to on-premises applications like SharePoint and Exchange/OWA from the cloud without having to muck around with your DMZ.

    Public preview:

    • Question based security gates for use in password resets
    • Admins can add their own password SSO based SaaS apps to Azure AD
• And probably the most exciting news of all – Administrative Units (AUs). AUs are like OUs modernized for the cloud. They let you sub-divide your Azure Active Directory, enabling the separation of administrative duties and policy creation across a large company.

    Also, Azure AD Premium is now available for direct online purchase, using a credit card, in the Office 365 admin portal (you do not need to be an existing Office 365 customer to buy).

    More details on the above features can be read here.

    09 Dec

    Private Cloud Security Considerations Guides

Microsoft has released guides that speak to security considerations for Private Cloud. The intent of the guides is to provide you with design considerations and an architectural view for designing effective security within a private cloud environment.

    09 Dec

    Microsoft Infrastructure as a Service Foundations

    Microsoft has released a series of articles that are designed to provide IT departments and cloud service providers with information required to understand, develop, and implement IaaS infrastructures. The articles provide conceptual background that combines Microsoft software, consolidated guidance, and validated configurations with partner technologies such as compute, network, and storage architectures, in addition to value-added software features. Here’s the full list of articles:

    09 Dec

    Office 365 IMAP Migration Troubleshooter

IMAP migrations are sometimes used by organizations migrating from non-Exchange email systems, such as Google or Notes, to Office 365. IMAP migrations are often cumbersome, and troubleshooting issues can be difficult. Microsoft has released an IMAP Migration Troubleshooter to assist customers migrating from IMAP to Office 365. The IMAP Migration Troubleshooter is available as a guided walkthrough, and can be found here.

    09 Dec

    Office 2013 gets support for Multi-Factor Authentication and SAML identity providers

Microsoft is enabling Multi-Factor Authentication and SAML identity providers for Office 2013. This is achieved through the Active Directory Authentication Library (ADAL). The ADAL-based authentication stack enables the Office 2013 clients to engage in browser-based authentication (also known as passive authentication), where the user is directed to a web page from the identity provider to authenticate. The updated authentication features are available in private preview starting with the November 2014 update.

    Here are the scenarios for ADAL based authentication:

    • MFA for Office 2013 client applications
    • SAML based identity provider sign in
    • Smart card and certificate-based authentication
    • Outlook no longer requires basic authentication

    The following post has more details on ADAL and the ADAL based scenarios.

    02 Nov

    New MDM capabilities coming to Office 365

Microsoft recently announced that new Mobile Device Management (MDM) capabilities will be coming to Office 365, including:

    • Help secure and manage corporate resources — Apply security policies on devices that connect to Office 365 to ensure that Office 365 corporate email and documents are synchronized only on phones and tablets that are managed by your company.
    • Apply mobile device settings—Set and manage security policies such as device level pin lock and jailbreak detection on devices to help prevent unauthorized users from accessing corporate email and data when a device is lost or stolen.
    • Perform a selective wipe of Office 365 data—Remove Office 365 corporate data from a device when an employee leaves your organization, while leaving their personal data, photos and apps intact.
    • Preserve Office 365 productivity experience—Unlike third-party MDM solutions that have replaced productivity apps with restrictive all-in-one apps for corporate email, calendars and documents, MDM for Office 365 is built directly into the productivity apps your employees know and love. You can set access policies to help secure company data while keeping employees productive.
    • Manage policies with ease—Administer mobile device policies directly from within the Office 365 administration portal, through an easy to use interface with wizard-based set up. View reports on which devices are connected to Office 365 and identify devices that have been blocked due to non-compliance.

    These new MDM capabilities, set to roll out in the first quarter of 2015, will help you manage access to Office 365 data across a diverse range of phones and tablets, including iOS, Android and Windows Phone devices.

The announcement can be found here.

    02 Nov

    Free Office 365 Performance Management Course

    Microsoft published a new course on Office 365 Performance Management at the Microsoft Virtual Academy, which contains 11 modules across planning and troubleshooting areas including:

    1. Office 365 Performance Management Course Introduction
    2. Office 365 Datacenters and Network
    3. Planning for Office 365 Internet Capacity – Exchange Online
    4. Planning for Office 365 Internet Capacity – Lync Online
    5. Planning for Office 365 Internet Capacity – SharePoint Online
    6. The Baselining Model for Internet Capacity Planning
    7. Best Practices & Real Customer Projects Planning Internet Capacity
    8. Planning for Office 365 Firewalls Whitelisting
    9. Performance Troubleshooting Process and Tools Used
    10. Performance Troubleshooting Tests
11. Troubleshooting SharePoint Online Customizations

The course can be found here.

22 Sep

    Azure Active Directory Integration Feature Comparison

    With Microsoft’s recent release of Azure Active Directory Sync (AAD Sync), there are now three options for synchronizing your directory with Azure Active Directory, including:

    • Azure Active Directory Synchronization Tool (DirSync)
    • Azure Active Directory Synchronization Services (AAD Sync)
    • Forefront Identity Manager 2010 R2 (FIM)

The release of AAD Sync is significant for organizations that have multiple forests / multiple Exchange Organizations and want to leverage a single Tenant. At present, AAD Sync will likely replace DirSync. However, there are feature differences between the tools, as well as DirSync features that are not yet supported in AAD Sync (specifically, Password Hash Sync).

    20 Sep

    Group-based License Management comes to Azure AD and EMS

You can now assign a security group, and Azure AD will automatically assign licenses to all the members of the group. If a user is subsequently added to, or removed from, the group, a license will be automatically assigned or removed as appropriate.

You can use groups you synchronize from on-premises AD or manage in Azure AD. Pairing this up with Azure AD Premium Self-Service Group Management, you can easily delegate license assignment to the appropriate decision makers. You can be assured that problems like license conflicts and missing location data are automatically sorted out.

For more information, refer to this post.

    20 Sep

    Azure Active Directory Basic Released

Microsoft released Azure Active Directory (AAD) Basic last week. AAD Basic bridges a gap between Azure AD (Free) and Azure AD Premium. It is geared towards the needs of employees that are deskless, who typically do not have an office or corporate PC. Microsoft views retail store employees, baristas, and bank tellers (and other similar roles) as those that fit this profile. Most of these employees were never even represented in the organization’s on-premises Active Directory, as they didn’t use a PC or access corporate applications. AAD Basic provides essential features like company branding, group-based application access and self-service password reset.

    For a complete comparison of features between AAD Free, AAD Basic, and AAD Premium, go here.

    Note, AAD Basic is available for purchase through the volume-licensing channel.

    20 Sep

    Azure Active Directory Synchronization Services Released

Microsoft released Azure Active Directory Synchronization Services (AAD Sync) last week. AAD Sync is a replacement for DirSync, and comes with some welcome new features such as multi-forest support. Finally, we now have the ability to connect a single tenant to multiple Active Directory forests. Here’s a list of the new functionality introduced by AAD Sync:

    • Active Directory and Exchange multi-forest environments can be extended now to the cloud.
    • Control over which attributes are synchronized based on desired cloud services.
    • Selection of accounts to be synchronized through domains, OUs, etc.
    • Ability to set up the connection to AD with minimal Windows Server AD privileges.
    • Setup synchronization rules by mapping attributes and controlling how the values flow to the cloud.
    • Preview AAD Premium password change and reset to AD on-premises

    Some of the features coming to AAD Sync include:

    • Extended attributes
    • Write-back of users, devices and groups
    • Support for non-AD directories.

    AAD Sync can be downloaded here.

    26 Jun

    Azure Tenant Deletion

Microsoft recently re-enabled the ability for customers to delete Azure tenants. This was possible in the early days of Office 365 but was later disabled until more safeguards were implemented to prevent the accidental deletion of tenants. To delete a directory in Azure, the following conditions must be met:

    • The only user in the directory is the global administrator who will delete the directory. Any other users must be deleted before the directory can be deleted. If users are synchronized from on-premises, then sync will need to be turned off, and the users must be deleted in the cloud directory by using the Management Portal or the Azure module for Windows PowerShell. There is no requirement to delete groups or contacts, such as contacts added from the Office 365 Admin Center.
    • There can be no applications in the directory. Any applications must be deleted before the directory can be deleted. Note: It is not possible to delete a directory if an application has been added from the Azure AD Application Gallery, even if that application is subsequently deleted. We are working to remove this limitation.
    • There can be no subscriptions for any Microsoft Online Services such as Microsoft Azure, Office 365, or Azure AD Premium associated with the directory. For example, if a default directory was created for you in Azure, you cannot delete this directory if your Azure subscription still relies on this directory for authentication. Similarly, you cannot delete a directory if another user has associated a subscription with it. To associate your subscription with a different directory, click Settings -> Subscriptions -> Edit Directory. For more information about Azure subscriptions, see How Azure subscriptions are associated with Azure AD.
• No Multi-Factor Authentication providers can be linked to the directory.

06 Jun

    Understanding Azure Active Directory

With the popularity of Office 365, and its use of Azure Active Directory (AD), I get a fair amount of questions pertaining to Azure AD. I thought I’d put together a post that provides an overview of Azure Active Directory: what it is, and what it isn’t.

    Azure AD is used to manage access to Microsoft cloud applications, such as Azure and Office 365, as well as non-Microsoft Software as a Service (SaaS) applications. Azure AD is separate from your on-premises AD; it is not a replacement.

    You can synchronize your on-premises AD with Azure AD so that user attributes and passwords are consistent between the two directories. Effectively, users can use the same credentials to access on-premises resources and cloud-based resources.

    Azure AD can be used to provide a single sign-on experience across Microsoft cloud applications, such as Azure and Office 365, and non-Microsoft SaaS applications. Users can leverage a personalized web-based Access Panel to launch cloud applications.

Azure AD supports the use of Azure Multi-Factor Authentication, an additional offering from Microsoft, which supports the use of mobile apps, phone calls and text messages.

    Beyond the above features, Microsoft has a premium version of Azure AD – called Azure AD Premium. The additional features available in Azure AD Premium include:

  • Self-service password reset
  • Self-Service Group Management
  • Group-based provisioning and access management to SaaS applications
  • Company branding
  • Advanced Security Reports and Alerts
  • Usage Reports
  • Enterprise scale SLA

In addition, Azure Multi-Factor Authentication for cloud and on-premises applications is included with Azure AD Premium. Azure AD Premium also grants you entitlements to Forefront Identity Manager Server and CALs.

    There are some limitations with the free version of Azure AD that do not apply to Azure AD Premium. Specifically:

  • Maximum of 500,000 objects in free Azure AD; no object limit in Azure AD Premium.
  • Up to 10 apps per user can reside in the Access Panel portal for SSO-based user access to SaaS; no app limit in Azure AD Premium.

For a full comparison of features between the free Azure AD and Azure AD Premium, see http://msdn.microsoft.com/library/azure/dn532272.aspx

    29 Apr

    Exchange, Lync, SharePoint, and Office 365 Guided walkthroughs

Here is a consolidated list of guided walkthroughs for Exchange, Lync, SharePoint, and Office 365. Guided walkthroughs fall into one of two categories: “troubleshooter” and “how-to”. A “troubleshooter” guided walkthrough helps you diagnose and resolve issues in your environment. A “how-to” guided walkthrough contains step-by-step information to help you perform a task, such as setting up a particular aspect of your environment.

    The consolidated list can be found here.

    29 Apr

    Microsoft Adds more storage for OneDrive for Business and helps with data migration

    Microsoft announced enhancements to OneDrive for Business, which are focused on data. Specifically:

      – Increased storage from 25GB to 1TB per user.
      – All Office 365 ProPlus customers will get 1TB of OneDrive for Business storage per user as part of their Office 365 ProPlus subscription.
      – They’ll help organizations migrate data from their existing solutions to OneDrive for Business

    More details can be read here.

    22 Apr

    Azure AD Sync – Replacement for DirSync

Microsoft has released a preview of the new Azure AD (AAD) Sync. AAD Sync is a newly created “one sync service to rule them all”. In the first preview, Microsoft is focusing on the demand from large clients – enabling synchronization from multi-forest Windows Server AD deployments. Within the next 6-8 months AAD Sync will replace DirSync, likely at no additional charge to Azure AD, Office 365, and Microsoft customers. Future versions of AAD Sync will expand on the capabilities of DirSync (support for combinations of directories and the ability to remap and swizzle on-premises attributes). Additionally, AAD Sync will enable Azure AD Premium customers to do things like self-service group management.

    The AAD Sync Preview allows you to:

• Onboard your multi-forest Active Directory deployment to AAD
• Advanced provisioning, mapping and filtering rules for objects and attributes, including support for syncing a very minimal set of user attributes (only 7!)
• Configuring multiple on-premises Exchange organizations to map to a single AAD tenant

17 Apr

    Exchange Server Deployment Assistant Updated

Microsoft has updated the Exchange Server Deployment Assistant, which is a free web-based tool that helps you deploy Exchange 2013 or Exchange 2010 in your on-premises organization, configure a hybrid deployment between your on-premises organization and Office 365, or migrate completely to Office 365. The updates to the Exchange Server Deployment Assistant include:

    • Support for the Exchange 2013 Edge Transport server role in all on-premises and hybrid deployment scenarios
    • Support for the new, automated process for requesting an Exchange 2013 or Exchange 2010 Hybrid Edition product key