This is a live blogging post from the International SharePoint Conference London 2012. So don’t expect well-written prose here.
Session by Spencer Harbar, Kimmo Forss
Consolidated post for sessions IT114, IT115
Introduction
- focus on the public offerings of Office365, not the dedicated offering
- all technical capabilities are baked into the SharePoint 2010 product
- all cloud offerings are being moved to Office365
- P1 plan: small businesses & individuals
- E plans: midsize & enterprises
- Regular new “service updates” (updates, limits, features, experience)
Architecture & Capabilities
- 3 URLs with predefined DNS names: tenant.sharepoint.com, tenant-my.sharepoint.com, tenant-admin.sharepoint.com
- Optional vanity URL for brochure-style internet website
- all provisioning is fully automated
- farms are never patched in place; content is moved to a new, patched farm, fully automated
- number of users determines the provisioning & automation, not the number of tenants
- services farm & several content farms
- around 120,000 servers are used to run Office365
- 500 MB per user, maximum 25 TB per tenant
- site collections per tenant: 300, maximum 10,000
- maximum site collection size is 100 GB
- collaboration features mostly covered in Office365
- more limited in BI & BCS features
- no full trust code, so sandbox only
- full trust code would be available to all tenants and would make upgrades painful
- enterprise search is an island in Office365: you cannot crawl the cloud from on-premises and vice versa
- functional requirements on data location may prevent using the cloud
- European data will remain in Europe at all times
Authentication & Authorization
- 3 kinds of identities: Microsoft Online, Federated & Partner Access
- For MS Online & Federated identities, dirsync can be used to sync AD info to the cloud
- For true SSO you need federation
- When using MS Online, user mgmt is more complicated: two user accounts/passwords have to be managed
- Microsoft Online: smaller orgs without on premise AD, no infra required
- Microsoft Online & dirsync: medium/large orgs with on premise AD (not widely used)
- Federated IDs & dirsync: larger enterprise orgs, extra infra needed, true SSO possible
Identity Federation
- requires trust between cloud security token service and the on-premise one
- the only supported STS is ADFS 2.0
- set up your ADFS in a highly available way
- even with federation, dirsync is being used
- passive auth: based on HTTP redirects (SharePoint)
- multi factor authn is possible through ADFS
- to have a seamless experience you need a recent desktop environment (no Office 2003 for example)
Preparing your on-premises environment
- Underestimated by a lot of customers
- Active Directory cleanup & data cleanup needed
User Principal Names
- Logging on to your workstation with your user principal name is a key requirement!
- DNS changes required to validate your domains in Office365, so no .local please 🙂
- a TXT record in DNS will be needed to validate ownership
- you have to add a UPN suffix that contains a public domain
- set the uPNSuffixes attribute on a container to create a new suffix
- script the UPN change for the users with AD PowerShell
- good practice: use the email address for your UPN
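As an added example (not from the session notes), this is what the UPN preparation described above looks like in AD PowerShell: registering a public UPN suffix on the forest, reporting users whose UPN does not match their mail attribute, and applying the change. The domain contoso.example, the OU path, the requirement that the new UPN equal the mail attribute and the report file name are assumptions made for the example.

```powershell
# Added example, not part of the session notes. Assumes the ActiveDirectory module
# (RSAT) and enterprise admin rights for step 1. Domain and OU names are placeholders.
Import-Module ActiveDirectory

$publicSuffix = 'contoso.example'              # placeholder public domain, validated in Office365
$searchBase   = 'OU=Staff,DC=corp,DC=local'    # placeholder OU holding the users to prepare

# 1. Register the public domain as a forest-wide UPN suffix (this writes the uPNSuffixes
#    attribute on the Partitions container). Needs enterprise admin.
$forest = Get-ADForest
if ($forest.UPNSuffixes -notcontains $publicSuffix) {
    Set-ADForest -Identity $forest.Name -UPNSuffixes @{ Add = $publicSuffix }
}

# 2. Build a report before touching anything. The plan is UPN = mail address, so users
#    without a mail attribute, or with a mail address outside the public domain, are
#    flagged as cleanup work rather than changed.
$users = Get-ADUser -Filter { Enabled -eq $true } -SearchBase $searchBase -Properties mail

$report = foreach ($u in $users) {
    $issue  = $null
    $newUpn = $null
    if (-not $u.mail) {
        $issue = 'no mail attribute'
    } elseif ($u.mail -notlike "*@$publicSuffix") {
        $issue = "mail not in $publicSuffix"
    } elseif ($u.UserPrincipalName -ne $u.mail) {
        $issue  = 'UPN differs from mail'
        $newUpn = $u.mail
    }
    if ($issue) {
        [pscustomobject]@{
            SamAccountName = $u.SamAccountName
            CurrentUpn     = $u.UserPrincipalName
            Mail           = $u.mail
            Issue          = $issue
            NewUpn         = $newUpn
        }
    }
}

# Rows without a NewUpn are the AD cleanup that has to happen before dirsync goes in.
$report | Format-Table -AutoSize
$report | Export-Csv -Path '.\upn-report.csv' -NoTypeInformation   # placeholder file name

# 3. Apply the rename. Keep -WhatIf until the report looks right; users log on with the
#    new UPN afterwards, so tell them before you drop it.
foreach ($r in ($report | Where-Object { $_.NewUpn })) {
    Set-ADUser -Identity $r.SamAccountName -UserPrincipalName $r.NewUpn -WhatIf
}
```

Run the report against a copy of the user population first: a UPN rename is also a change to what users type at the workstation logon screen, which the session flags as a key requirement, so the report is as much a communication list as a technical one.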
Active Directory
- different considerations when using subdomains, different UPNs
- have different forests? contact Microsoft
Desktop
- Office365 Desktop Setup on all desktops
- also install it on your ADFS box(es)
- make sure your desktop software is current
- don’t forget your third-party Office tools, do they support this kind of authn?
ADFS
- to have HA you need 4 machines and load balancing
- SSL certificates are needed, preferably a subject alternate name (SAN) certificate
- AD functional level must be at least 2003
- make sure your DNS infra is ok
- WS-* protocols are used or SAML 1.1
- Shibboleth or SAML 2 are coming
- strong authn is possible via UAG
- config of ADFS will be done through PowerShell (specific for MS Online)
- ADFS needs access to and from the internet
- you can use ADFS proxy for access by users outside the firewall
- alternative proxies are possible, like UAG or TMG – but ADFS proxy is the easiest one to set up
Dirsync
- enables ongoing identity mgmt & provisioning
- based on FIM – “set it and forget it”
- install on a separate machine
- MS actively checks if the service is up on your side
- the dirsync machine is part of your domain
- cannot be a domain controller itself
- critical part of the infrastructure, so treat it accordingly
- enterprise admin permissions needed in your forest during setup
- all on-premises changes are replicated!
- approx. 120 attributes are synced
- distribution group mgmt cannot be done in Outlook as the sync is one-way only
- 10,000 accounts can be synced by default, more is possible but you have to contact MS first
- User Profile Service import happens from the cloud directory
SharePoint Configuration & Administration
- config & services are shared across tenants
- most webapp settings are not possible to change
- based upon the multi-tenant capabilities of SharePoint
- claims based authn is used
- a lot of admin tasks around site collections & subsites are available because they are delegated to the tenant admin
PowerShell
- you can download a MS Online PowerShell cmdlets package
- account mgmt, bulk edits, automation
- Import-Module MSOnline
- No way to manage SharePoint unfortunately
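As an added example (not from the session notes), here are the MS Online cmdlets behind the tasks the sessions mention: validating a domain with the DNS TXT record, converting it to a federated domain (the ADFS config done through PowerShell noted earlier), and a bulk edit that licenses the users dirsync has created. The domain, ADFS server name, usage location and the E plan SKU filter are placeholders; it assumes the MSOnline cmdlets package is installed and you hold tenant admin credentials.

```powershell
# Added example, not part of the session notes. Assumes the MS Online PowerShell cmdlets
# package is installed; domain, ADFS server, usage location and SKU filter are placeholders.
Import-Module MSOnline
Connect-MsolService -Credential (Get-Credential)   # tenant admin, e.g. admin@tenant.onmicrosoft.com

$domain = 'contoso.example'                        # placeholder public domain (the UPN suffix)

# 1. Domain validation: add the domain, read the TXT record to publish in public DNS,
#    then confirm once it has propagated. It has to be a public zone, not .local.
if (-not (Get-MsolDomain -DomainName $domain -ErrorAction SilentlyContinue)) {
    New-MsolDomain -Name $domain | Out-Null
}
Get-MsolDomainVerificationDns -DomainName $domain -Mode DnsTxtRecord |
    Select-Object Label, Text, Ttl
# ... publish the TXT record, wait for DNS, then:
Confirm-MsolDomain -DomainName $domain

# 2. Federation: convert the domain to federated against the on-premises ADFS 2.0 farm.
#    Run from a machine that can reach the ADFS server; the cmdlet writes both sides of the trust.
Set-MsolADFSContext -Computer 'adfs01.corp.local'  # placeholder internal ADFS server
Convert-MsolDomainToFederated -DomainName $domain
Get-MsolFederationProperty -DomainName $domain     # compare ADFS and Office365 settings

# 3. Bulk edit: synced users arrive unlicensed; assign the E plan SKU to every user in
#    the domain. A usage location is mandatory before a licence can be assigned.
$sku = (Get-MsolAccountSku | Where-Object { $_.AccountSkuId -like '*:ENTERPRISEPACK' }).AccountSkuId
Get-MsolUser -All -UnlicensedUsersOnly |
    Where-Object { $_.UserPrincipalName -like "*@$domain" } |
    ForEach-Object {
        Set-MsolUser -UserPrincipalName $_.UserPrincipalName -UsageLocation 'GB'
        Set-MsolUserLicense -UserPrincipalName $_.UserPrincipalName -AddLicenses $sku
    }

# 4. Sanity check: how many users are licensed vs. unlicensed after the run
Get-MsolUser -All | Group-Object IsLicensed | Select-Object Name, Count
```

Note what is missing: nothing here touches SharePoint itself, which matches the last point above; tenant settings and site collections are still managed through the tenant admin site in this release.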