News on the Office Store Front: Subscription Apps!

This is really big news on the Office Store front, at least in my humble opinion, and straight from the Office News blog: http://blogs.office.com/b/office-news/archive/2013/10/01/office-store-investments-bring-new-opportunities-to-developers.aspx.

It reads as though we’ll be able to start submitting updates to existing apps, and new apps for approval, which leverage a subscription model sometime this month (October 2013). These apps will be available for purchase in the store starting in November! Looks like some of the supporting pricing model documentation has been updated too.

Now, I am personally a bit less concerned with Apps for Office and more concerned about Apps for SharePoint – naturally – but this is a big deal for both! What is the significance of the addition of this subscription pricing model? The answer is two-fold for me:

1) Constant revenue stream

This is a big problem I have had with the whole movement toward apps in general. For phones, tablets, you name it – anything you buy apps for. I know Apple addressed it a while ago – which was great – but for those of us taking a hard look at SharePoint 2013 app feasibility – how do you build a business focused app, sell it for a one-time fee, and support it forever? It’s not exactly a business model I’d be too ecstatic to jump into.

There was the option of making the app free and building your own subscription model into it, but knowing sometime down the road that Microsoft was going to release this functionality to the store didn’t really drive me to dedicate resources to building one of my own.

2) Support / maintenance costs

This really goes hand-in-hand with the requirement of a constant revenue stream, but I like to highlight it due to the importance of it in planning an app. Typically a solid app is going to require some kind of back-end system or infrastructure as well as people to support it. I know there are apps or services out there, such as some of the platform agnostic messaging apps, which are reliant on outside capital to support their infrastructure and development while the business grows. There is nothing wrong with the outside capital approach and it could very well be used when developing subscription apps – but the subscription model provides that clear revenue path to support and maintain what is required for the app to function. It also makes the business model a bit more desirable if you do need capital.

Take a document conversion app for SharePoint Online as an example: the conversion itself needs to happen somewhere outside of SharePoint and someone needs to pay for that processing power. A subscription takes care of these costs. Don’t get me wrong, a large enough single purchase price could as well, but a small monthly cost is easier to sell than a large one-time cost.

There are many more reasons why this announcement is important to app developers and businesses; I for one am just happy the Office app subscription model is becoming a reality!

Office 365 Pricing for Nonprofits Released

… well, kind of. We’re still waiting on some Office 365 for Small Business Nonprofit pricing, but it shouldn’t be too long. Complete details can be found here. Here are the highlights (prices are in CAD):

  • Office 365 Small Business for Nonprofits – Price coming soon, limit 25 users (Retail $5.10/user/month annual subscription)
  • Office 365 Small Business Premium* for Nonprofits – Price coming soon, limit 25 users (Retail $13.25/user/month annual subscription)
  • Office 365 Enterprise E1 for Nonprofits – Donation, unlimited users (Retail $8.20/user/month annual subscription)
  • Office 365 Enterprise E3* for Nonprofits – $5.20/user/month, unlimited users (Retail $23.20/user/month annual subscription)

*Note: These plans include desktop installations of Microsoft Office 2013.

Not-for-profits / charities involved in the following activities are eligible (if you’re eligible for TechSoup, you should be eligible for this):

  • Providing relief to the poor
  • Advancing education
  • Improving social welfare
  • Preserving culture
  • Preserving or restoring the environment
  • Promoting human rights
  • Establishment of civil society

The usual organizations, such as government, education, health care, etc., are not eligible.

Complete pricing and plan details can be found here.

Who has forwarding enabled in their Exchange Online mailbox??

How do I know, without looking at the properties of every Exchange Online mailbox, which users have set up mail forwarding on their mailbox? That is a very good question. If you Google around you’ll find lots of interesting answers, particularly around using LDAP queries to identify those mailboxes – but how do you do that in Exchange Online??? PowerShell is the answer!

First, here is how you connect to your Exchange Online tenant: http://technet.microsoft.com/en-us/library/jj984289(v=exchg.150).aspx.

Second, run this command:

Get-Mailbox -Filter {ForwardingSmtpAddress -ne $null}

That will give you a list of all the users that have a forwarding SMTP address configured (that is, one that is not null). Taking this one step further you can grab the user and the destination address by using this command:

Get-Mailbox -Filter {ForwardingSmtpAddress -ne $null} | Select-Object Name, ForwardingSmtpAddress

Ultimately you’d probably want to put this in a script of its own and pipe the results to a text file for further analysis.

Lastly, don’t forget to disconnect your PowerShell session – remember, you can only have 3 open sessions to Exchange Online.
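One way to turn the one-liners above into a reusable audit script, as an added example that is not part of the original post. It goes a little further than the commands above: it also checks the ForwardingAddress property, resolves it to an SMTP address, and flags destinations outside the tenant's accepted domains, which are the ones worth reviewing first. It assumes an already-connected Exchange Online session; the output path and variable names are hypothetical.

```powershell
# Added example: audit mailbox-level forwarding in a connected
# Exchange Online session. $outFile is a hypothetical output path.
$outFile = '.\forwarding-audit.csv'

# Domains the tenant owns; any other destination domain counts as external.
$internalDomains = Get-AcceptedDomain |
    ForEach-Object { $_.DomainName.ToString().ToLower() }

$report = Get-Mailbox -ResultSize Unlimited |
    Where-Object { $_.ForwardingSmtpAddress -or $_.ForwardingAddress } |
    ForEach-Object {
        $mbx = $_
        $targets = @()

        # ForwardingSmtpAddress is stored as "smtp:user@domain".
        if ($mbx.ForwardingSmtpAddress) {
            $targets += ($mbx.ForwardingSmtpAddress.ToString() -replace '^smtp:', '')
        }

        # ForwardingAddress names a recipient object; resolve it to an address.
        if ($mbx.ForwardingAddress) {
            $r = Get-Recipient -Identity $mbx.ForwardingAddress.ToString() -ErrorAction SilentlyContinue
            if ($r) { $targets += $r.PrimarySmtpAddress.ToString() }
            else    { $targets += "unresolved:$($mbx.ForwardingAddress)" }
        }

        foreach ($t in $targets) {
            $domain = ($t -split '@')[-1].ToLower()
            [pscustomobject]@{
                Mailbox        = $mbx.PrimarySmtpAddress
                ForwardsTo     = $t
                # Unresolved targets are treated as external so they get reviewed.
                External       = ($internalDomains -notcontains $domain)
                KeepsLocalCopy = $mbx.DeliverToMailboxAndForward
            }
        }
    }

# External destinations first, then write everything out for analysis.
$report | Sort-Object External -Descending |
    Export-Csv -Path $outFile -NoTypeInformation
$report | Where-Object { $_.External } | Format-Table -AutoSize

# Free the session slot when done.
Get-PSSession | Remove-PSSession
```

Mailboxes that forward externally with KeepsLocalCopy set to False leave no copy of incoming mail in the mailbox, so they deserve a closer look with the mailbox owner.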

Microsoft EA & Office 365 Tenants

Important little thing to know when dealing with larger companies in particular: Microsoft only allows one Office 365 tenant per Enterprise Agreement.

While a company can have many Office 365 tenants, all the additional ones cannot be part of the company’s existing EA with Microsoft. I will try to get some links to official documentation on this policy.

Moving to Office 365

With the full GA release of Office 365 Wave “15”, I thought it was about time I started to really see what I could do with this platform. I have been an avid SkyDrive and Outlook.com user for my personal email for some time now, so why not see what else I can do with the cloud & Office 365 with my little experimental company. I should also mention that my little company is a Microsoft registered partner and I have enrolled in the Cloud Essentials program to make this endeavour a bit more cost effective.

My objectives for this experiment:

  1. Enable Office 365 for my company and federate authentication with my on-premise Active Directory
  2. Federate my on-premise Active Directory with Azure Active Directory
  3. Leverage Windows Intune to decommission my on-premise System Center deployment

My primary reason behind federating with Azure Active Directory is really for the challenge – just to see if I can do it. However, secondary to that is that I am normally working remotely and of course, I would not be very happy if my company internet connection was down and I could not log into my Office 365 account. I am aware that I could use the Access Control Services that come with Office 365 and DirSync, but realistically my company may want to authenticate more than just Office 365 against my on-premise Active Directory.

Here is a nice video that explains how this federation works.

Here is a little diagram of my current state:

[Diagram: Experiment-CurrentState]

And here is one of my end-state goal:

[Diagram: Experiment-EndState]

Thank you to Buck Woody for the very nice Azure Visio shapes!

I’ll be honest – I think this plan is going to work based on what I have read, but I really don’t know for sure. I will continue to update this post with my full experience as I plug away at this experiment.

——————————

Update 1 (March 6, 2013 8:55 AM MT):

Currently provisioning a new Windows Server 2012 VM using Hyper-V. I will be adding the Active Directory role to this server and joining it to my existing domain. This server will be used to federate with Azure Active Directory for authentication.

Office 365 account is setup and running with my domain. Just waiting to finish with Active Directory before adding user accounts.

——————————

Update 2 (March 6, 2013 10:50 AM MT):

Server 2012 deployed with Active Directory and Active Directory Federated Services running.  Server is joined to my existing domain and has been promoted to a domain controller.  ADFS has been configured and after getting myself a trial SSL certificate, I have been able to add it to my Azure Active Directory service.  This part was surprisingly easy, just ran through the wizards that came with Server 2012 and it appears to be working.  Don’t forget that ADFS has to have port 443 open on your firewall.

Next steps: Prove that my Azure AD is working / provide authentication services and figure out how to connect it to Office 365.

——————————

Update 3 (March 6, 2013 1:45 PM MT):

There seems to be a very distinct difference between the ‘Active Directory’ service you can use via https://manage.windowsazure.com and the Active Directory that is found at https://activedirectory.windowsazure.com. As far as I can tell, they are both based on the same underlying service – ACS – but they both seem to offer very different interfaces.

Best I can figure right now, federation was not the correct route. I should have gone down the DirectorySync (DirSync) route from the beginning. Now to demote my newly promoted DC and turn it into a DirSync box. More info here.

And a good article on demoting a Server 2012 Domain Controller.

——————————

Update 4 (March 6, 2013 3:20 PM MT):

Directory Sync is up and running… and syncing all my user accounts and service accounts.  Given that this is really an experimental Active Directory, there are a lot of service accounts.  DirSync really wasn’t too bad to get going.  Just took time reading through the guides and waiting for components to install.

Next tasks: Try to filter the user accounts that are sync’d via DirSync and take another crack at SSO.

One good thing to remember: DirSync cannot be on a Domain Controller or server running ADFS.

——————————

Update 5 (March 6, 2013 9:10 PM MT):

After lots of research and testing, I have determined that because I signed up for Windows Intune, I am stuck on an Office 365 Wave 14 tenant for the time being.  Service request is open with Microsoft to see if I can do anything about this.  Haven’t found a way to force an upgrade yet either.

Still working on SSO.

——————————

Update 6 (March 6, 2013 10:10 PM MT):

A very helpful post from Sean Deuby seems to be debunking my theory about using Azure Active Directory as an authentication mechanism for my Office 365 tenant:

“If you’re running Office 365 with the federated identity + directory synchronization option, you’re already running a hybrid Active Directory where your user’s on-premises AD identity is authenticated to Office 365 via federation and their accounts are provisioned or de-provisioned in your own little cloud AD via the dirsync process.”

I may need to take a closer look at using an Azure VM if I want to achieve this type of authentication distribution as highlighted in this StackOverflow post.

——————————

Update 7 (March 11, 2013 7:30 PM MT):

Well, this sure is proving to be an adventure. After 5 days, numerous emails and phone conversations, the closest I am on getting my tenant either upgraded to Wave 15 from Wave 14 or just simply getting it deleted so I can associate a new tenant with my partner account is being told to contact the partner support group.  I did attempt that today. Tried giving them a call at 6:00 PM PT – the referral I got said that their hours were until 6:30 PM PT time – no luck.

Will update again soon.

——————————

Update 8 (March 12, 2013 10:10 AM MT):

Success! If you are registering as a Microsoft Partner and did not have a Wave 15 tenant – deal with partner support.  I had to end up giving up my original onmicrosoft.com domain, but I also had nothing in my tenant so it didn’t really matter to me.  If you don’t want to give up your onmicrosoft.com domain or you have content that you don’t want to lose, you have to wait for the upgrade email.

On to doing what I started!

——————————

Update 9 (May 17, 2013 12:30 PM MT):

Well, I have managed to get a Wave 15 tenant all set up (got busy of course and this little initiative has taken a bit of a backseat). I have spent some time researching cloud authentication strategies and I *think* password sync with Azure Active Directory is possible, but only with Windows Server 2012 Essentials. Here is my current evidence for this. Hopefully I have more time in the coming weeks to dig more into this.

On the flip side, I do have DirSync running and only synchronizing a subset of my user accounts (have lots of service accounts that certainly don’t need to be in Azure AD).  That was fairly easy to set up.  Haven’t gone for SSO yet due to the high risk of auth failures if my on-prem connection is down.  Going to take another look at the VPN options from Azure VMs as well.

——————————

Key Learnings:

  • If you’re going to integrate Office 365 with your on-premise environment, start here.
  • If using Azure Connect to an on-premise DC, be sure to populate the Azure VM’s IPv6 DNS address with your on-prem machine’s Azure Connect IPv6 address.

Resources: