Planning for the cloud

This is a live blogging post from the International SharePoint Conference London 2012. So don’t expect well-written prose here.

Session by Spencer Harbar, Kimmo Forss

Consolidated post for sessions IT114, IT115

Introduction

  • focus on the public offerings of Office365, not the dedicated offering
  • all technical capabilities are baked into the SharePoint 2010 product
  • all cloud offerings are being moved to Office365
  • P1 plan: small businesses & individuals
  • E plans: midsize & enterprises
  • Regular new “service updates” (updates, limits, features, experience)

Architecture & Capabilities

  • 3 urls with predefined DNS names: tenant.sharepoint.com, tenant-my.sharepoint.com, tenant-admin.sharepoint.com
  • Optional vanity url for brochure-style internet website
  • all provisioning is fully automated
  • farms are never patched, content is moved to a new patched farm fully automated
  • number of users determines the provisioning & automation, not the number of tenants
  • services farm & several content farms
  • around 120,000 servers are used to run Office365
  • 500 MB per user, maximum 25 TB per tenant
  • 300 site collections per tenant by default, maximum 10,000
  • maximum site collection size is 100 GB
  • collaboration features mostly covered in Office365
  • more limited in BI & BCS features
  • no full trust code, so sandbox only
  • full trust code would be available to all tenants and makes upgrades painful
  • enterprise search is an island in Office365: you cannot crawl the cloud from on-premises and vice versa
  • functional requirements on data location may prevent using the cloud
  • European data will remain in Europe at all times

Authentication & Authorization

  • 3 kinds of identities: Microsoft Online, Federated & Partner Access
  • For MS Online & Federation, dirsync can be used to sync AD info to the cloud
  • For true SSO you need federation
  • When using MS Online, user mgmt is more complicated: two users/passwords have to be managed
  • Microsoft Online: smaller orgs without on-premises AD, no infra required
  • Microsoft Online & dirsync: medium/large orgs with on-premises AD (not widely used)
  • Federated IDs & dirsync: larger enterprise orgs, extra infra needed, true SSO possible

Identity Federation

  • requires trust between cloud security token service and the on-premise one
  • the only supported STS is ADFS 2.0
  • set up your ADFS in a highly available way
  • even with federation, dirsync is being used
  • passive auth: based on HTTP redirects (SharePoint)
  • multi factor authn is possible through ADFS
  • to have seamless experience you need a recent desktop environment (no Office 2003 for example)

Preparing your On-Premises environment

  • Underestimated by a lot of customers
  • Active Directory cleanup & data cleanup needed

User Principal Names

  • Logging on to your workstation with your user principal name (UPN) is a key requirement!
  • DNS changes are required to validate your domains in Office365, so no .local please 🙂
  • a TXT record in DNS will be needed to validate ownership
  • you have to add a UPN suffix that contains a public domain
  • set the uPNSuffixes attribute on a container to create a new suffix
  • script the UPN change for the users with AD PowerShell
  • good practice: use the email address for your UPN
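The UPN preparation described in the bullets above, as an added example (not the speakers' script): register a public UPN suffix on the forest, then switch users in one OU to their e-mail address as UPN, only where the mail domain matches the public suffix. Assumptions: the public domain contoso.com, the OU path and the .local forest name are placeholders, and the ActiveDirectory module is installed (RSAT).

```powershell
# Added example, not from the session: prepare on-premises UPNs for Office365.
# Assumptions: contoso.com is the DNS-validated public domain (placeholder),
# users live under a placeholder OU in a .local forest, and the mail attribute
# holds the address that should become the UPN.
Import-Module ActiveDirectory

$PublicSuffix = 'contoso.com'                 # placeholder public domain
$UserOU       = 'OU=Staff,DC=corp,DC=local'   # placeholder OU in a .local forest

# 1. Register the public suffix on the forest unless it is already there.
$forest = Get-ADForest
if ($forest.UPNSuffixes -notcontains $PublicSuffix) {
    Set-ADForest -Identity $forest -UPNSuffixes @{Add = $PublicSuffix}
}

# 2. Build a preview: users with a mail address whose UPN would change.
$users = Get-ADUser -SearchBase $UserOU -Filter 'mail -like "*"' `
                    -Properties mail, UserPrincipalName
$report = foreach ($u in $users) {
    $mailDomain = ($u.mail -split '@')[-1]
    [pscustomobject]@{
        Sam    = $u.SamAccountName
        OldUPN = $u.UserPrincipalName
        NewUPN = $u.mail
        # Only rewrite when the mail domain is the registered public suffix
        # and the UPN actually differs; anything else is reported, not touched.
        Ok     = ($mailDomain -ieq $PublicSuffix) -and ($u.UserPrincipalName -ne $u.mail)
    }
}
$report | Format-Table -AutoSize

# 3. Apply the checked rows. -WhatIf makes this a dry run; remove it to commit.
foreach ($r in $report | Where-Object Ok) {
    Set-ADUser -Identity $r.Sam -UserPrincipalName $r.NewUPN -WhatIf
}
```

Rows with Ok = False (mail on another domain, or UPN already equal to the mail address) are left alone so the dry run shows exactly what needs manual attention before the real change.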

Active Directory

  • different considerations when using subdomains and different UPNs
  • have different forests? contact Microsoft

Desktop

  • Office365 Desktop Setup on all desktops
  • also install it on your ADFS box(es)
  • make sure your desktop software is current
  • don’t forget your third-party Office tools: do they support this kind of authn?

ADFS

  • to have HA you need 4 machines and load balancing
  • SSL certificates are needed, preferably a Subject Alternative Name (SAN) certificate
  • AD functional level must be at least 2003
  • make sure your DNS infra is ok
  • WS-* protocols or SAML 1.1 are used
  • Shibboleth or SAML 2 are coming
  • strong authn is possible via UAG
  • config of ADFS will be done through PowerShell (specific for MS Online)
  • ADFS needs access to and from the internet
  • you can use ADFS proxy for access by users outside the firewall
  • alternative proxies are possible, like UAG or TMG – but ADFS proxy is the easiest one to set up

Dirsync

  • enables ongoing identity mgmt & provisioning
  • based on FIM – “set it and forget it”
  • install on a separate machine
  • MS actively checks if the service is up at your side
  • the dirsync machine must be part of your domain
  • cannot be a domain controller itself
  • critical part of the infrastructure, so treat it accordingly
  • enterprise admin permissions needed in your forest during setup
  • all on-premises changes are replicated!
  • approx. 120 attributes are synced
  • distribution group mgmt cannot be done in Outlook as the sync is one-way only
  • 10,000 accounts can be synced by default, more is possible but you have to contact MS first
  • User Profile Services import happens from the cloud directory

SharePoint Configuration & Administration

  • config & services are shared across tenants
  • most web application settings cannot be changed
  • based upon the multi-tenant capabilities of SharePoint
  • claims-based authn is used
  • a lot of admin tasks around site collections & subsites are available because they are delegated to the tenant admin

PowerShell

  • you can download a MS Online PowerShell cmdlets package
  • account mgmt, bulk edits, automation
  • Import-Module MSOnline
  • no way to manage SharePoint with it, unfortunately
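Bulk account management with the MS Online cmdlets mentioned above, as an added example (not from the session): create Microsoft Online identities from a CSV, refusing any UPN whose domain has not been validated in the tenant (the DNS validation step from the UPN section). Assumptions: the CSV is a constructed sample written by the script itself, the ENTERPRISEPACK SKU filter is a placeholder for whatever plan the tenant owns, and this path applies to Microsoft Online identities only; federated users are provisioned by dirsync, not by New-MsolUser.

```powershell
# Added example, not from the session: bulk-create Office365 accounts with MSOnline.
# Assumptions: constructed users.csv, placeholder licence SKU filter, tenant admin
# credentials supplied interactively by Connect-MsolService.
Import-Module MSOnline
Connect-MsolService

# Constructed sample input (bob is deliberately on an unvalidated .local domain).
@'
UserPrincipalName,DisplayName,FirstName,LastName,UsageLocation
alice@contoso.com,Alice Example,Alice,Example,GB
bob@corp.local,Bob Example,Bob,Example,GB
'@ | Set-Content -Path .\users.csv

# Only domains whose ownership was validated via DNS may carry user UPNs.
$verified = (Get-MsolDomain -Status Verified).Name
# Placeholder plan: pick the first SKU matching the E-plan naming pattern.
$sku = (Get-MsolAccountSku |
        Where-Object { $_.AccountSkuId -like '*:ENTERPRISEPACK' } |
        Select-Object -First 1).AccountSkuId

foreach ($row in Import-Csv .\users.csv) {
    $upn    = $row.UserPrincipalName
    $domain = ($upn -split '@')[-1]
    if ($verified -notcontains $domain) {
        Write-Warning "Skipping ${upn}: domain '$domain' is not verified in the tenant"
        continue
    }
    # Idempotent: re-running the script must not touch existing accounts.
    if (Get-MsolUser -UserPrincipalName $upn -ErrorAction SilentlyContinue) {
        Write-Host "Exists: $upn"
        continue
    }
    # No -Password given, so the service generates a temporary one and returns it;
    # -ForceChangePassword makes the user replace it at first sign-in.
    $new = New-MsolUser -UserPrincipalName $upn -DisplayName $row.DisplayName `
                        -FirstName $row.FirstName -LastName $row.LastName `
                        -UsageLocation $row.UsageLocation -LicenseAssignment $sku `
                        -ForceChangePassword $true
    Write-Host "Created: $upn (temporary password in `$new.Password, hand over out of band)"
}
```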