Enabling and disabling DirSync in BPOS and Office 365

If you have some experience with BPOS or the Office 365 Beta, you know there’s a tool called DirSync that allows you to synchronize your Active Directory with Microsoft’s Online Services. During a course last week, I was asked if you can use DirSync temporarily to sync users, contacts and groups and, after migration, turn it off.

In BPOS, you can certainly do the above and essentially use DirSync as just a migration tool. It is in fact the easiest way to load users, contacts and groups into BPOS if you don’t mind setting up the software. When you turn off DirSync in the BPOS Administration website, all synchronized users become normal users which means their properties become editable. Turning off DirSync is done from the Migration / Directory Synchronization tab:

image

In Office 365, it’s a totally different story because DirSync is intended as a tool for permanent coexistence. As a result, you will not find a Disable button in the UI and there’s also no PowerShell cmdlet to turn it off. If you just want to migrate your users, contacts and distribution groups to Office 365 you should use other means such as CSV, PowerShell, etc…

Office 365 and Identity

imageMicrosoft has provided more details about Office 365 and the different identity options in a service description document (link at the bottom of this post).

There are two types of identities:

  • Cloud Identity: credentials are separate from your corporate credentials
  • Federated Identity: users can sign in with their corporate Active Directory credentials

With BPOS, there was only one type: cloud identity. Users had to logon using a Sign-In Assistant that stored the cloud credentials (name and password) and used those credentials to sign in in the background. For larger organizations, the Sign-In Assistant was a pain to install and manage so it’s a good thing it is going away.

With the new identity solution, as stated above, the Sign-In Assistant goes away and the logon experience is determined by the type of identity and how you access the service. The table below summarizes the sign-in experience:

image

1 The password can be saved to avoid continuous prompting
2 During the beta, with Federated IDs, you will be prompted when first accessing the services
3 Outlook 2007 will be updated to give the same experience as Outlook 2010

Note that it is required to install some components and updates on user’s workstations if rich clients are used to access Office 365. Although you can manually install these updates, the Office 365 Desktop Setup package does all that is needed. Office 365 Desktop Setup was formerly called the Microsoft Online Services Connector. Office 365 Desktop Setup supports Windows XP (SP2) and higher.

A couple of other things that are good to know:

  • Office 365 supports two-factor authentication if you implement SSO with Active Directory Federation Services 2.0. There are two options to enforce two-factor auth: on the ADFS 2.0 proxy logon page or at the ForeFront UAG SP1 level.
  • Active Directory synchronization is supported with the Microsoft Online Services Directory Synchronization tool. The tool is basically the same as with BPOS although there are some changes to support new features: security group replication, write back (which also enables some extra features), etc…
  • Note that the synchronization tool still does not support multiple forests.
  • The synchronization tool is required in migration scenarios like rich coexistence, simple coexistence and staged migration with simple coexistence.

The full details can be downloaded from the Microsoft website. If you are involved in Office 365 projects, this is considered required reading!

Office 365 SharePoint Online Storage

imageMicrosoft has recently published updated Office 365 Service Descriptions at http://www.microsoft.com/downloads/en/details.aspx?FamilyID=6c6ecc6c-64f5-490a-bca3-8835c9a4a2ea.

The SharePoint Online service description contains some interesting information, some of which I did not know yet. We typically receive a lot of questions about SharePoint online and storage. The list below summarizes the storage related features:

  • The storage pool starts at 10GB with 500MB of extra storage per user account (talking about enterprise user accounts here).
  • Maximum amount of storage is 5TB.
  • File upload limit is 250MB.
  • Storage can be allocated to a maximum of 300 site collections. The maximum amount of storage for a site collection is 100GB.
  • My Sites are available and each My Site is set at 500MB (this is not the 500MB noted above, in essence this is extra storage for each user’s personal data).
  • A My Site is not counted as a site collection. In other words, you can have 300 normal site collections and many more My Sites.
  • Extra storage can be purchased (as before) at $2,5USD/GB per month.

When it comes to external users (for extranet scenarios), the document states that final cost information is not available yet. It is the intention of Microsoft to sell these licenses in packs.

Check out the SharePoint Online service description for full details.

BPOS PowerShell Commands

While I am delivering BPOS courses for Microsoft partners, there’s always a lot of interest in using commands to control directory synchronization, the migration tools, provisioning users and so on. Microsoft actually provides several PowerShell cmdlets with the two main tools that come with BPOS:

  • Directory synchronization cmdlets become available when you install the directory synchronization software
  • Migration and configuration cmdlets become available when you install the migration tools

There is one directory synchronization cmdlet of interest and that is the Start-OnlineCoexistenceSync cmdlet. That cmdlet starts a synchronization run from the on-premises Active Directory to the customer’s BPOS environment. When you start c:\program files\microsoft online directory sync\dirsyncconfigshell.psc1, a PowerShell session is started that allows you to run the cmdlet. If you just want to run the command from an existing PowerShell session, first load the Directory Synchronization snapin with the following command:

Add-PSSnapin Coexistence-Configuration

After the snapin is loaded, you can use the Start-OnlineCoexistenceSync cmdlet to start a synchronization run. Although I have not yet seen the next version of DirSync for use with Office 365, I presume that the above cmdlet will still be available since the DirSync tools will be very similar.

The cmdlets that come with the migration tools are much more interesting because they can be used to provision users, enable users, enable POP3 access for users, grant Send As or Full Mailbox Access and so forth. When the migration tools are installed, you will have a shortcut in the Start Menu in Microsoft Online Services > Migration > Migration Command Shell. When you click that shortcut, a PowerShell session is started with the Microsoft Exchange Transporter snapin loaded. You can ask for the list of cmdlets loaded by this snapin using the following command:

get-command -PSSnapin Microsoft.Exchange.Transporter

Some interesting cmdlets:

  • Add-MSOnlineUser: can be used to add users to BPOS from a script; note that the users are added as synchronized disabled users; you will have to use Enable-MSOnlineUser to enable the user in a separate step
  • Add-MSOnlineMailPermission: can be used to grant Send As, Full Mailbox access or Send On Behalf Of rights on a mailbox
  • Enable-MSOnlinePOPAccess: can be used to enable POP3 access on a mailbox
  • Set-MSOnlineAlternateRecipient: can be used to set an alternate recipient on an Exchange Online mailbox; you can configure the mailbox to deliver e-mails to both the Exchange Online inbox and the alternate recipient
  • Set-MSOnlineUserPassword: can be used to set a password on an online user

Note that there are no cmdlets to create contacts and distribution lists in the Exchange Online global address lists. You can also see that these cmdlets are specifically created for use with Exchange Online in BPOS and that they have no relation at all with Exchange Server 2007 or Exchange Server 2010 cmdlets in an on-premise solution. To fix those issues and provide many more options, Exchange Online in Office 365 will actually allow full use of Exchange Server 2010 SP1 cmdlets over the Internet. Naturally, not all cmdlets will be available and some cmdlets will not support all parameters.

By the way, if you don’t like to work with PowerShell commands, a company called MessageOps has a free tool called BPOS PowerShell GUI. You need to install that tool on a system that has the Microsoft migration tools installed. The tool looks like this:

image

The tool provides easy access to allmost all the available PowerShell cmdlets using the above GUI. Highly recommended!

Enabling Forefront Administration and Quarantine in BPOS

Exchange Online, standalone or as part of BPOS (Business Productivity Online Suite), always comes with antivirus and anti-spam protection delivered by Forefront Online Protection for Exchange or FOPE. Mails are always scanned for viruses and, depending on your settings, checked for spam.

As a BPOS administrator you can control the anti-spam checking behavior by configuring safe and blocked senders in the BPOS Administration Center. E-mail addresses, IP addresses or domains added to the safe senders for instance are not checked for spam by the FOPE infrastructure.

When e-mail is marked as spam, it is held by FOPE. By default, a BPOS user gets an e-mail every three days (from FOPE) with a list of e-mails marked as spam. The user can then decide to move the e-mail to the inbox.

If you want more control and visibility into what FOPE does, and you want to grant users access to the quarantine website at FOPE for immediate action on blocked mails, you will need to ask support to enable the following for you:

You can initially ask that the BPOS administration account you are using is granted access to both. From the FOPE administration website, you can add other users so that they have access to their quarantine. Note that the password to access FOPE admin and quarantine is different from the BPOS password!

Now the question is: “What can you do in the FOPE administration website?”. The answer is simple: “Not that much.” Basically, you get read-only access to most settings. However, you can generate reports and, as stated above, add other users so that they can access the quarantine website. The screenshot below shows an example of a report (in Dutch):

image

A user with access to the quarantine, sees the following:

image

The user can easily select the e-mails that are not spam and move them to the inbox (or mark them as not spam).

If we look forward to how things will be in Office 365, administrators will have more control over the settings in FOPE. That, for sure, will be a welcome addition to the capabilities of Exchange Online and the administrative control customers will have over it.