Scary Office 365 Misconceptions
November 2nd, 2018 by Chris Colden
In our last blog we shared some Halloween horror stories that we’ve encountered during our time working with Office 365 and Microsoft Cloud services. Today we would like to talk about some scary misconceptions about moving to the cloud.
There is no need to maintain additional infrastructure
One of the largest misconceptions when moving to the Cloud is that you no longer need to maintain infrastructure on premises. Whilst this can be true in some instances, it’s not always the case.
If you wish users to log in with the same credentials as they use to log in to their domain-joined desktop then you will need to run something called Azure Active Directory Connect (AADConnect). Whilst this only requires a small server which can be virtualised, it’s still an additional server which you didn’t have to worry about before.
When using AADConnect you must also maintain at least one Exchange Server. Microsoft have been making moves to remove this dependency; however, we haven’t had the magic update yet and there is no confirmed ETA as to when this might arrive. With AADConnect deployed you can only edit attributes for users or mailboxes from on premises. This is fine for the user objects in Active Directory, as that’s how you would manage them anyway; however, without an Exchange Server you are unable to update Exchange attributes in a way which your IT department is familiar with. You also need to factor in any on premises applications or multifunctional devices which need to send email but do not currently support relaying through Exchange Online.
If you want users to access Office 365 services seamlessly without providing login credentials you need to deploy Single Sign On. Typically, this requires the deployment of Active Directory Federation Services (ADFS). To ensure ADFS is protected when published on the internet, you need to sit it behind a reverse proxy. This normally means deploying Web Application Proxy Servers in the Demilitarised Zone.
That’s already two servers required; however, if they become unavailable, users cannot authenticate to Office 365. This means no email, no phone calls, no instant messaging, and no files. For many organisations this is simply not acceptable, so you will need to make sure ADFS is highly available. To achieve this, you need to deploy a second ADFS server and a second Web Application Proxy server.
We are now at four servers which you need to make highly available to your users. You could use Windows Network Load Balancing for automatic failover between the hosts, but it might be worth looking at deploying some dedicated load balancers. Again, these are typically virtualised and require a small footprint but still come at an additional cost, which should be factored into your project’s budget.
Exchange Online Migration
Many people don’t realise that not all permissions currently work across the Organisational boundary (this is the boundary between your on premises Exchange Organisation and the Exchange Online Organisation). This is a major issue for users who access shared mailboxes or share their calendar with other users within the organisation.
There is currently no Microsoft supported way to make this work, and although Microsoft are working on a solution there is no ETA as to when this will be available. The only supported method is to move users together in logical groups to maintain all functionality. This gives us a second problem: how do you know which mailboxes need to be migrated together?
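One way to answer that question, as an added example that is not part of the original post: treat every delegation as a link between two mailboxes and take the connected groups as candidate migration batches, then check a proposed wave plan for delegations it would split. The CSV columns, mailbox names and function names are constructed for illustration; the rows stand in for your own export of mailbox and calendar permissions.

```python
import csv
import io
from collections import defaultdict

# Constructed sample: one row per delegation. The column names are assumptions
# for this example, not a format that Exchange itself produces.
SAMPLE_EXPORT = """mailbox,delegate,access
sales-shared,alice,FullAccess
sales-shared,bob,FullAccess
alice,carol,CalendarEditor
finance-shared,dave,FullAccess
dave,erin,SendOnBehalf
frank,frank,Owner
"""

def _rows(export_text):
    """Yield (mailbox, delegate) pairs, normalised for comparison."""
    for row in csv.DictReader(io.StringIO(export_text)):
        yield row["mailbox"].strip().lower(), row["delegate"].strip().lower()

def migration_batches(export_text):
    """Group mailboxes linked by any chain of delegations (union-find)."""
    parent = {}

    def find(name):
        parent.setdefault(name, name)
        while parent[name] != name:
            parent[name] = parent[parent[name]]  # path halving
            name = parent[name]
        return name

    for mailbox, delegate in _rows(export_text):
        root_a, root_b = find(mailbox), find(delegate)
        if root_a != root_b:
            parent[root_b] = root_a
    groups = defaultdict(list)
    for name in parent:
        groups[find(name)].append(name)
    return sorted((sorted(g) for g in groups.values()), key=lambda g: (-len(g), g))

def broken_by_plan(export_text, plan):
    """Return delegations whose two ends sit in different migration waves.

    plan maps mailbox name -> wave number; unlisted mailboxes stay on premises (None).
    """
    return [(m, d) for m, d in _rows(export_text) if plan.get(m) != plan.get(d)]

if __name__ == "__main__":
    for batch in migration_batches(SAMPLE_EXPORT):
        print(batch)
```

A single very large group in the output means one chain of shared mailboxes and calendars ties those users together, so they either move in one wave or someone accepts the delegations that `broken_by_plan` lists.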
Another “gotcha” with Exchange Online is Dynamic Distribution Lists. Many businesses use these as an easy way to include members based on Organisational Unit (OU), which is great when it comes to Exchange on premises, but not when we throw Exchange Online into the mix. This is because the Azure Active Directory which holds all the cloud user identities has no concept of an OU. Therefore, your Active Directory OUs are not synced, and your Dynamic Distribution Lists are not going to function as they have done previously. To mitigate this problem, extensive planning must be undertaken to ensure that these are updated to remove the dependency on targeting an OU.
Help is at hand
If your migration has stalled, or you need some help with the planning, our Office 365 experts can turn your Office 365 nightmares into a dream come true.
The journey starts with an understanding of your requirements and a discovery of current systems such as Active Directory and Exchange, so informed high-level decisions can be made. Following the initial discovery, a high-level design is produced and reviewed with your in-house team to ensure the solution meets your business needs and feedback can be captured.
Upon review of the high-level design, a low-level design is produced, which looks at everything from invalid characters in Active Directory to Exchange configuration, including items such as Dynamic Distribution Lists. Once approved, BrightCloud will enable your team to move services to the cloud in a logical manner with minimal disruption to your everyday business.