The new Office Garage Series: Automating User Provisioning in Office 365
This week our hosts address one of the most visible changes to the new Office desktop apps - sign in experience for the service. Jeremy and Yoni draw out the identity architecture on the PPI to show the main options. Then they demonstrate how to get users into an organization's Office 365 identity store and how to grant specific users access to Office 365 services. You'll see how to do all of this manually or using scripted automation solutions with PowerShell cmdlets. They catch up with Trustworthy Computing Lead for Office, Keith Yedlin, to talk about security and they show the single sign on experience with Active Directory Federation Services (ADFS). In this week's XStream install Yoni takes on the water as he tries to install Office 365 ProPlus before a wakeboarder takes a spill.
Add an ICS reminder to your calendar to tune in each Wednesday 9am PST. We redirect the www.microsoft.com/garage link each week to go to the latest episode.
Jeremy: Last week we went deeper on the anatomy of software updates in Click-to-Run-delivered Office 365 ProPlus. Remember, many of those concepts translate to all Office 2013 consumer products and Office 365 Home Premium as well as Office 365 Small Business Premium, which all use Click-to-Run servicing. Office 365 ProPlus is unique compared to other Office versions because it also allows IT administrators to control which Office build is installed, where updates are pulled from and whether the update service is enabled or not.
Yoni: The software update controls give IT the ability to test, validate and roll-back updates as needed. That is super important for IT especially when they have third party or in-house solutions built and they need to make sure those are compatible before they roll an update into production.
Jeremy: This week we tackle a very visible topic in a services-based world where the user is at the center - Identity Management. We covered this at a foundational level in Episode 4 when we had Mark Russinovich on the show. Identity management is one of the biggest mental hurdles in adapting to a user-based model. It also provides the foundation for many of the benefits users see, like roaming settings, access to their email and Office files on almost any device and the ability to install Office on five PCs or Macs.
Yoni: As I talk to my peers and customers, a lot of them are thrilled about the prospect of user-based licensing and how that can impact costs and accounting in a world of multiple devices per user. On the flipside, they are typically unsure of what that means and how it impacts the way they manage desktop services. In many people's minds, they want to buy via user-based licensing and deploy with a more anonymous Key Management Service (KMS). But for many reasons this cannot work and there is no way to connect the user to his or her files without their identity somehow being involved to create the relationship between them and their data. Imagine trying to use social networking services like Facebook or Twitter anonymously or applying for a credit card without giving your name. Services need something to tie the person back to their organization.
Jeremy: In Office's case, it also means we can eliminate the need to otherwise hand out 5x5 keys. Users not only can access services, but they can also activate Office on up to five devices and manage those devices using their Organizational ID. Microsoft provides tools to import and synchronize user objects from an existing Active Directory environment, perform bulk CSV list imports or use custom PowerShell scripts to populate the identity store with User Principle Names and required directory attributes. We mapped out all of the primary options on the PPI display and then demonstrated these tools in action.
Yoni: One thing people often overlook is that once the users are in the store, they need to purchase then assign licenses to various Office 365 services, like the Office 365 ProPlus desktop applications. We showed how licenses for services are assigned manually in the portal. But assuming you've set up Directory Synchronization and maybe even Single Sign On with ADFS, then you probably want to automate the process of assigning licenses and for that we use the Set-MsolUserLicense cmdlet.
Jeremy: The final frontier from an automation perspective is really to set up ADFS and single sign-on as a way to ensure that your policies for password updates and the service authentication itself integrates with your existing tools and policies. The best place to go for all of this is the Office 365 deployment center on TechNet. It walks you through the right solution depending on your organization size and needs.
Yoni: Of course the Office 365 deployment center and more key resources are listed below. This week we also took to the water in this week's XStream install. I wanted to find out if Office 365 ProPlus could install without an Internet connection on a boat before our stuntman took a spill in a local river. You will need to watch the video to see if that worked out. If you watched last week, Sydney traffic managed to beat our Click-to-Run install, so anything can happen.
Jeremy: Luckily our stunt man didn't encounter any crocodiles during this week's stunt.
Next week we'll cover the major desktop virtualization options and how you can use the new Office - both the traditional volume license packages and the new Office 365 ProPlus packages - with desktop virtualization solutions. Also, if you are coming to Microsoft TechEd in New Orleans on June 3-6, we'll be filming shows live from the Office show floor. We are going beyond the Office desktop apps to show the best of Exchange, SharePoint, apps for Office, Lync, touch and large screen experiences and the integration across all of these solutions.
See you next week,
Jeremy and Yoni
More Resources:
Manage Windows Azure Active Directory by using Windows PowerShell
Directory synchronization roadmap
Garage Series for IT Pros Archive of previous episodes
Office 365 TechCenter on TechNet
Follow @OfficeGarage on Twitter
About the Garage Series hosts:
By day, Jeremy Chapman works at Microsoft, responsible for optimizing the future of Office client and service delivery as the senior deployment lead. Jeremy’s background in application compatibility, building deployment automation tools and infrastructure reference architectures has been fundamental to the prioritization of new Office enterprise features such as the latest Click-to-Run install. By night, he is a car modding fanatic and serial linguist. He first met Yoni Kirsh, founder of the Australian-based deployment services company Fastrack Technology, back in 2007 at a Microsoft customer desktop advisory council. Yoni's real-world experience managing some of the largest Client deployments for the Asia Pacific region has helped steer the direction of the new Office. Additionally, Yoni is an aviation enthusiast and pilot. Both Jeremy and Yoni are respected technical speakers and between them have over 20 years of experience in the deployment and management of Microsoft Office and Windows clients. They are also leading experts in the transition to Office as a service.
Comments
Anonymous
January 01, 2003
Excellent presentation and very entertaining. This is the future now. I have been waiting for this for a long time. MS has finally pieced all of it together. In the future all will just assume that this is the norm. Bravo - more.Anonymous
January 01, 2003
Thank you, jrv. More is coming and we'll go beyond just the Office client and related topics starting with our TechEd New Orleans specials in June. -JeremyAnonymous
January 01, 2003
Thanks Bill. In that case, I manually logged in. You can use integrated auth as well. I wanted to show the trigger for all of the address redirections. We actually showed integrated auth as part of first run in Click-to-Run installs to suppress all login screens and user prompts.Anonymous
May 15, 2013
When Jeremy logged into O365 was that a seamless login? Were his AD credentials actually passed to ADFS via Windows Integrated Authentication?