Notes from the field: some common dependencies for Microsoft 365 deployments

This content is 3 years old. I don't routinely update old blog posts as they are only intended to represent a view at a particular point in time. Please be warned that the information here may be out of date.

My blog posts take a while to get published these days. I struggle to find the time to write them and often a few notes can remain in draft form for a long time. Some of those notes never make it. Others possibly shouldn’t.

This is one of those posts where I’m not sure whether to publish or not. It’s based on an email I sent to a client, in 2018, as we were starting to work together. That client was about to embark on a migration to Windows 10 and Office 365, and these notes were intended to set them in the right path.

We all know that Office 365 is under constant development, and some of the advice below might not be current. I don’t think it’s too far off the mark but your mileage may vary. I’ve also added a few comments where I know we’d look to do things differently today. Those comments are marked with square parentheses.

All of these dependencies were things I identified before we got into design… but many more came out as we got into the detail.

Preparing the identity platform

[Identity is key to any successful Microsoft cloud implementation. And Azure AD is Microsoft’s cloud identity platform.]

Recommendation:

  • IdFix tool used to ensure that there are no directory issues that will cause synchronisation issues.
  • Azure AD Connect synchronising without error between on-premises Active Directory and Azure Active Directory. Even with on-premises authentication via ADFS or similar, user objects will be required in Azure AD in order to populate the Exchange GAL.

[in this case, I could be reasonably sure that both of these are already in place for the existing Skype for Business Online deployment.]

Useful links:

Preparing for Exchange hybrid

[It’s common to run Microsoft Exchange in a hybrid configuration when migrating mailboxes to Office 365. Generally, the hybrid will remain in place even after user mailboxes have been migrated to the cloud, for management purposes. There are constraints around the versions of Exchange Server that can be used though.]

  • The hybrid server must be running the latest or immediately previous (i.e. n or n-1) cumulative update or update rollup available for the version of Exchange installed on-premises
  • Domain names that will be used for email should have the appropriate records created and verified in DNS.
  • Ports should be enabled to allow traffic to flow as outlined in the above article. It may be useful to run the Remote Connectivity Analyzer (RCA) tools to verify this.
  • In addition, I recommend that the other Exchange servers in the organisation are upgraded to run with the latest available updates.

Useful links:

Preparation for deployment of Windows 10 images using SCCM

[System Center Config Manager (SCCM) is now part of Microsoft EndPoint Manager (MEM) and I’m not sure I’d recommend an SCCM-based deployment these days. My first preference would be to use Microsoft’s own Windows images, in Azure AD-joined configuration managed with Intune (also part of MEM). This topic would make a blog post on its own…]

Config Manager needs to be updated to align with the version of Windows 10 being deployed: Support for Windows 10 in Configuration Manager.

[Even when I wrote the notes 3 years ago, it seems I was guiding the client towards a Modern Device Management approach with Intune…]

Preparation for the use of Office applications (desktop and web)

[Office 365 ProPlus is now Microsoft 365 Apps for Enterprise but the advice below is unchanged apart from the product name.]

Office 365 ProPlus (i.e. subscription-based Office application) requirements are the same as for Office Professional Plus 2016 (i.e. perpetually-licensed applications) and are detailed at Microsoft 365 and Office Resources.

With regards to documents (including spreadsheets, presentations, etc.) containing macros, etc. It would be advisable to perform some basic compatibility testing: Check file compatibility with previous versions.

Office 2016 and 2019 are supported under the Fixed Lifecycle Policy.

Use of a supported browser is critical to the use of Office 365 web-based components although many organisations are held back by legacy software releases.

General Microsoft 365 system requirements may be found at the Microsoft 365 and Office Resources link above. Most notably:

“Microsoft 365 is designed to work with the latest browsers and versions of Office. If you use older browsers and versions of Office that are not in mainstream support:

  • Microsoft won’t deliberately prevent you from connecting to the service, but the quality of your Microsoft 365 experience will diminish over time.
  • Office 2019 connections to Microsoft 365 services will be supported until October 2023.
  • Microsoft won’t provide code fixes to resolve non-security related problems.

[Microsoft’s guidance previously stated that “Office 365 doesn’t support interoperability with any software that isn’t supported by its manufacturer.”]

Intel NUC makes a fantastic Zwift computer (and Samsung DeX is pretty cool for homework)

This content is 5 years old. I don't routinely update old blog posts as they are only intended to represent a view at a particular point in time. Please be warned that the information here may be out of date.

With my tech background, my family is more fortunate than many when it comes to finding suitable equipment for the kids to use whilst school is closed. Even so, we’ve struggled with both my teenagers sharing one laptop – they really do both need to use it at the same time.

We thought that one of them would be using a tablet would be OK, but that wasn’t really working out either. Then, a few weeks ago, we thought I’d found a great solution to the problem. My youngest has a Samsung Galaxy S10 smartphone, which supports Samsung DeX. We tried it out with the Apple USB-C to HDMI/USB-A power adapter and it worked a treat:

The only problem was the keyboard. I tried some Bluetooth keyboards for Android but they all had small keys. And we tried a normal PC keyboard, which worked well but lacked a trackpad and didn’t have a USB port for a mouse. Using the phone as a trackpad was awkward, so I was going to have to buy another keyboard and either a trackpad or a mouse – or find a way of splitting the USB-A socket to run two devices. It was all a bit Heath Robinson so I started looking for another approach…

I had been using an old laptop for Zwifting but, after seeing Brian Jones (@brianjonesdj) tweet about an Intel NUC, I realised that I could get one for not too much money, hook it up to the TV in the Man Cave and release the laptop for general family use.

It took a while to decide which model to go for but, in the end, I settled for the Intel Dual Core 8th Gen i3 Short NUC Barebone Mini PC Kit, with 120GB SSD and 8GB RAM (all from Scan Computers) – and it is a fantastic little thing:

I did spend far too much time downloading the latest version of Windows 10 because I thought it was corrupted when I didn’t read the error message properly. Actually it was a problem with the USB thumb drive I was using, fixed with a full format (instead of a quick one).

Anyway, here’s Microsoft’s instructions for creating Windows 10 boot media. F10 is the magic key to make the NUC boot from an alternative device but I found USB boot only worked at the rear of the machine – not using the ports on the front. Finally, here’s a location for downloading Windows 10 ISOs (it doesn’t really matter where you get the media, as long as it’s an official source, so if you download from a Volume Licence or Visual Studio subscription, that should be fine too).

With the NUC in the cave, the laptop has been released for general family computing. My Microsoft 365 Family subscription (formerly Office 365 Home) gives access to 6 copies of the Office apps so that more than covers us the Windows and macOS PCs used by myself, my wife and the boys. (The Microsoft 365 subscription also includes Office mobile apps for iOS/Android and 1TB cloud storage in OneDrive as well as other benefits).

Weeknote 20/2020: back to work

This content is 5 years old. I don't routinely update old blog posts as they are only intended to represent a view at a particular point in time. Please be warned that the information here may be out of date.

Looking back on another week of tech exploits during the COVID-19 coronavirus chaos…

The end of my furlough

The week started off with exam study, working towards Microsoft exam AZ-300 (as mentioned last week). That was somewhat derailed when I was asked to return to work from Wednesday, ending my Furlough Leave at very short notice. With 2.5 days lost from my study plan, it shouldn’t have been a surprise that I ended my working week with a late-night exam failure (though it was still a disappointment).

Returning to work is positive though – whilst being paid to stay at home may seem ideal to some, it didn’t work so well for me. I wanted to make sure I made good use of my time, catching up on personal development activities that I’d normally struggle to fit in. But I was also acutely aware that there were things I could be doing to support colleagues but which I wasn’t allowed to. And, ultimately, I’m really glad to be employed during this period of economic uncertainty.

Smart cities

It looks like one of my main activities for the next few weeks will be working on a Data Strategy for a combined authority, so I spent Tuesday afternoon trying to think about some of the challenges that an organisation with responsibility for transportation and economic growth across a region might face. That led me to some great resources on smart cities including these:

  • There are some inspirational initiatives featured in this video from The Economist:
  • Finally (and if you only have a few minutes to spare), this short video from Vinci Energies provides an overview of what smart cities are really about:

Remote workshop delivery

I also had my first experience of taking part in a series of workshops delivered using Microsoft Teams. Teams is a tool that I use extensively, but normally for internal meetings and ad-hoc calls with clients, not for delivering consulting engagements.

Whilst they would undoubtedly have been easier performed face-to-face, that’s just not possible in the current climate, so the adaptation was necessary.

The rules are the same, whatever the format – preparation is key. Understand what you’re looking to get out of the session and be ready with content to drive the conversation if it’s not quite headed where you need it to.

Editing/deleting posts in Microsoft Teams private channels

On the subject of Microsoft Teams, I was confused earlier this week when I couldn’t edit one of my own posts in a private channel. Thanks to some advice from Steve Goodman (@SteveGoodman), I found that the ability to delete and/or edit messages is set separately on a private channel (normal channels inherit from the team).

The Microsoft Office app

Thanks to Alun Rogers (@AlunRogers), I discovered the Microsoft office app this week. It’s a great companion to Office 365 (or , searching across all apps, similar to Delve but in an app rather than in-browser. The Microsoft Office app is available for download from the Microsoft Store.

Azure Network Watcher

And, whilst on the subject of nuggets of usefulness in the Microsoft stable…

A little piece of history

I found an old map book on my shelf this week: a Halford’s Pocket Touring Atlas of Great Britain and Ireland, priced at sixpence. I love poring over maps – they provide a fascinating insight into the development of the landscape and the built environment.

That’s all for now

Those are just a few highlights (and a lowlight) from the week – there’s much more on my Twitter feed

Weeknote 18/2020: Microsoft 365, the rise of the humans and some data platform discovery

This content is 5 years old. I don't routinely update old blog posts as they are only intended to represent a view at a particular point in time. Please be warned that the information here may be out of date.

Some highlights from the last week of “lockdown” lunacy*…

Office 365 rebranding to Microsoft 365

For the last couple of years, Microsoft has had a subscription bundle called Microsoft 365, which includes Office 365 Enterprise, Enterprise Mobility and Security and Windows 10 Enterprise. Now some bright spark has decided to rebrand some Office 365 products as Microsoft 365. Except for the ones that they haven’t (Office 365 Enterprise E1/3/5). And Office 365 ProPlus (the subscription-based version of the Office applications) is now “Microsoft 365 Apps for Enterprise”. Confused? Join the club…

Read more on the Microsoft website.

The Rise of the Humans

A few years ago, I met Dave Coplin (@DCoplin). At the time he was working for Microsoft, with the assumed title of “Chief Envisioning Officer” (which was mildly amusing when he was called upon to interview the real Microsoft CEO, Satya Nadella at Future Decoded). Dave’s a really smart guy and a great communicator with a lot of thoughts about how technology might shape our futures so I’m very interested in his latest project: a YouTube Channel called The Rise of the Humans.

Episode 1 streamed on Wednesday evening and featured a discussion on Algorithmic Bias (and why it’s so important to understand who wrote an algorithm that might be judging you) along with some discussion about some of the tech news of the week and “the new normal” for skills development, education and technology. There’s also a workshop to accompany the podcast, which I intend to try out with my family…

Data Platform Discovery Day

I spent Thursday in back-to-back webcasts, but that was a good thing. I’d stumbled across the presence of Data Platform Discovery Day and I joined the European event to learn about all sorts of topics, with talks delivered by MVPs from around the world.

The good thing for me was that the event was advertised as “level 100” and, whilst some of the presenters struggled with that concept, I was able to grasp just enough knowledge on a variety of topics including:

  • Azure Data Factory.
  • Implementing Power BI in the enterprise.
  • An introduction to data science.
  • SQL Server and containers.
  • The importance of DevOps (particularly apt as I finished reading The Pheonix Project this week).
  • Azure SQL Database Managed Instances.
  • Data analysis strategy with Power BI.

All in all, it was a worthwhile investment of time – and there’s a lot there for me to try and put into practice over the coming weeks.

2×2

I like my 2x2s, and found this one that may turn out to be very useful over the coming weeks and months…

Blogging

I wrote part 2 of my experiences getting started with Azure Sphere, this time getting things working with a variety of Azure Services including IoT Hub, Time Series Insights and IoT Central.

Decorating

I spent some time “rediscovering” my desk under the piles of assorted “stuff” this week. I also, finally, put my holographic Windows 2000 CD into a frame and it looks pretty good on the wall!

* I’m just trying to alliterate. I don’t really think social distancing is lunacy. It’s not lockdown either.

Office updates in an unfamiliar language

This content is 5 years old. I don't routinely update old blog posts as they are only intended to represent a view at a particular point in time. Please be warned that the information here may be out of date.

A few weeks ago, I spotted this, when I went to apply updates to Office 365 ProPlus on my work laptop:

It had me confused, but Colin Powers (@iamcolpow) pointed me to a Microsoft Community forum post with a potential fix.

I changed the language order in my Office settings so that English was the first option after Match Windows. Whatever was causing Windows to fall back down the list then went to English rather than Arabic.

Office Language Preferences as originally set
Office Language Preferences after the change

Now I can read the dialogue boxes on my Office updates!

Microsoft Online Services: tenants, subscriptions and domain names

This content is 5 years old. I don't routinely update old blog posts as they are only intended to represent a view at a particular point in time. Please be warned that the information here may be out of date.

I often come across confusion with clients trying to understand the differences between tenants, subscriptions and domain names when deploying Microsoft services. This post attempts to clear up some misunderstandings and to – hopefully – make things a little clearer.

Each organisation has a Microsoft Online Services tenant which has a unique DNS name in the format organisationname.onmicrosoft.com. This is unique to the tenant and cannot be changed. Of course, a company can establish multiple organisations, each with its own tenant but these will always be independent of one another and need to be managed separately.

It’s important to remember that each tenant has a single Azure Active Directory (Azure AD). There is a 1:1 relationship between the Azure AD and the tenant. The Azure AD directory uses a unique tenant ID, represented in GUID format. Azure AD can be synchronised with an existing on premises Active Directory Domain Services (AD DS) directory using the Azure AD Connect software.

Multiple service offerings (services) can be deployed into the tenant: Office 365; Intune; Dynamics 365; Azure. Some of these services support multiple subscriptions that may be deployed for several reasons, including separation of administrative control. Quoting from the Microsoft documentation:

“An Azure subscription has a trust relationship with Azure Active Directory (Azure AD). A subscription trusts Azure AD to authenticate users, services, and devices.

Multiple subscriptions can trust the same Azure AD directory. Each subscription can only trust a single directory.”

Associate or add an Azure subscription to your Azure Active Directory tenant

Multiple custom (DNS) domain names can be applied to services – so mycompany.com, mycompany.co.uk and myoldcompanyname.com could all be directed to the same services – but there is still a limit of one tenant name per tenant.

Further reading

Subscriptions, licenses, accounts, and tenants for Microsoft’s cloud offerings.

Using Microsoft Bookings to manage device rollouts

This content is 5 years old. I don't routinely update old blog posts as they are only intended to represent a view at a particular point in time. Please be warned that the information here may be out of date.
Microsoft Bookings, showing available services

End-user computing (EUC) refreshes can place significant logistical challenges on an organisation. Whilst technologies like Windows 10 Autopilot will take us to a place where users can self-provision, often there’s more involved and some training is required to help users to adopt the technology (and potentially associated business changes).

Over the last few years, I’ve worked on projects that have used a variety of systems to manage the allocation of training/handover sessions to people but they’ve always been lacking in some way. We’ve tried using a PowerApps app, and a SharePoint calendar extension but then Microsoft made their Bookings app available on Office 365 Enterprise subscriptions (it was previously only available for Business subscriptions).

Microsoft Bookings is designed for small businesses and the example given in the Microsoft documentation is a pet grooming parlour. You could equally apply the app to other scenarios though: a hairdressing salon; bike repairs; or IT Services.

I can’t see Microsoft Bookings on my tenant!

That’s because, by default, it’s not there for Enterprise customers. Most of my customers use an E3 or E5 subscription and I was able to successfully test on a trial E3 tenant. My E1 was no good though…

The process to add the Business Apps (free) – including Bookings – to an Enterprise tenant will depend on whether it’s Credit Card (PAYG), Enterprise Agreement (EA) or Cloud Solutions Provider (CSP) licenced but it’s fully documented by Microsoft. When I enabled it on my test tenant, I received an invoice for £0.00.

So, how do I configure Microsoft Bookings?

The app is built around a calendar on a website, with a number of services and assigned staff. Each “staff member” needs to have a valid email address but they don’t need to be a real person – all of the email messages could be directed to a single mailbox, which also reduces the number of licences needed to operate the solution.

It took some thinking about how to do this for my End User Device Handover scenario but I set up:

  • A calendar for the project.
  • A service for the handover sessions. Use this to control when services are provided (e.g. available times and staff).
  • A number of dummy “staff” for the number of slots in each session (e.g. 10 people in each session, 10 slots so 10 “staff”).
Microsoft Bookings, showing confirmation of booked service Microsoft Bookings, calendar view

Once all of the staff available for a session are booked (i.e. all of the slots for a session are full), it’s no longer offered in the calendar. There’s no mechanism for preventing multiple/duplicate bookings but a simple manual check to export a .TSV file with all of the bookings each day will allow those to be identified and remediated.

(Incidentally, Excel wouldn’t open a TSV file for me. What I could do though was open the file in Notepad and copy/paste it to Excel, for sorting and identification of multiple bookings from the same email address.)

Further reading

These blog posts are a couple of years old now but helped a lot:

Microsoft Ignite | The Tour: London Recap

This content is 6 years old. I don't routinely update old blog posts as they are only intended to represent a view at a particular point in time. Please be warned that the information here may be out of date.

One of the most valuable personal development activities in my early career was a trip to the Microsoft TechEd conference in Amsterdam. I learned a lot – not just technically but about making the most of events to gather information, make new industry contacts, and generally top up my knowledge. Indeed, even as a relatively junior consultant, I found that dipping into multiple topics for an hour or so gave me a really good grounding to discover more (or just enough to know something about the topic) – far more so than an instructor-led training course.

Over the years, I attended further “TechEd”s in Amsterdam, Barcelona and Berlin. I fought off the “oh Mark’s on another jolly” comments by sharing information – incidentally, conference attendance is no “jolly” – there may be drinks and even parties but those are after long days of serious mental cramming, often on top of broken sleep in a cheap hotel miles from the conference centre.

Microsoft TechEd is no more. Over the years, as the budgets were cut, the standard of the conference dropped and in the UK we had a local event called Future Decoded. I attended several of these – and it was at Future Decoded that I discovered risual – where I’ve been working for almost four years now.

Now, Future Decoded has also fallen by the wayside and Microsoft has focused on taking it’s principal technical conference – Microsoft Ignite – on tour, delivering global content locally.

So, a few weeks ago, I found myself at the ExCeL conference centre in London’s Docklands, looking forward to a couple of days at “Microsoft Ignite | The Tour: London”.

Conference format

Just like TechEd, and at Future Decoded (in the days before I had to use my time between keynotes on stand duty!), the event was broken up into tracks with sessions lasting around an hour. Because that was an hour of content (and Microsoft event talks are often scheduled as an hour, plus 15 minutes Q&A), it was pretty intense, and opportunities to ask questions were generally limited to trying to grab the speaker after their talk, or at the “Ask the Experts” stands in the main hall.

One difference to Microsoft conferences I’ve previously attended was the lack of “level 400” sessions: every session I saw was level 100-300 (mostly 200/300). That’s fine – that’s the level of content I would expect but there may be some who are looking for more detail. If it’s detail you’re after then Ignite doesn’t seem to be the place.

Also, I noticed that Day 2 had fewer delegates and lacked some of the “hype” from Day 1: whereas the Day 1 welcome talk was over-subscribed, the Day 2 equivalent was almost empty and light on content (not even giving airtime to the conference sponsors). Nevertheless, it was easy to get around the venue (apart from a couple of pinch points).

Personal highlights

I managed to cover 11 topics over two days (plus a fair amount of networking). The track format of the event was intended to let a delegate follow a complete learning path but, as someone who’s a generalist (that’s what Architects have to be), I spread myself around to cover:

  • Dealing with a massive onset of data ingestion (Jeramiah Dooley/@jdooley_clt).
  • Enterprise network connectivity in a cloud-first world (Paul Collinge/@pcollingemsft).
  • Building a world without passwords.
  • Discovering Azure Tooling and Utilities (Simona Cotin/@simona_cotin).
  • Selecting the right data storage strategy for your cloud application (Jeramiah Dooley/@jdooley_clt).
  • Governance in Azure (Sam Cogan/@samcogan).
  • Planning and implementing hybrid network connectivity (Thomas Maurer/@ThomasMaurer).
  • Transform device management with Windows Autopilot, Intune and OneDrive (Michael Niehaus/@mniehaus and Mizanur Rahman).
  • Maintaining your hybrid environment (Niel Peterson/@nepeters).
  • Windows Server 2019 Deep Dive (Jeff Woolsey/@wsv_guy).
  • Consolidating infrastructure with the Azure Kubernetes Service (Erik St Martin/@erikstmartin).

In the past, I’d have written a blog post for each topic. I was going to say that I simply don’t have the time to do that these days but by the time I’d finished writing this post, I thought maybe I could have split it up a bit more! Regardless, here are some snippets of information from my time at Microsoft Ignite | The Tour: London. There’s more information in the slide decks – which are available for download, along with the content for the many sessions I didn’t attend.

Data ingestion

Ingesting data can be broken into:

  • Real-time ingestion.
  • Real-time analysis (see trends as they happen – and make changes to create a competitive differentiator).
  • Producing actions as patterns emerge.
  • Automating reactions in external services.
  • Making data consumable (in whatever form people need to use it).

Azure has many services to assist with this – take a look at IoT Hub, Azure Event Hubs, Azure Databricks and more.

Enterprise network connectivity for the cloud

Cloud traffic is increasing whilst traffic that remains internal to the corporate network is in decline. Traditional management approaches are no longer fit for purpose.

Office applications use multiple persistent connections – this causes challenges for proxy servers which generally degrade the Office 365 user experience. Remediation is possible, with:

  • Differentiated traffic – follow Microsoft advice to manage known endpoints, including the Office 365 IP address and URL web service.
  • Let Microsoft route traffic (data is in a region, not a place). Use DNS resolution to egress connections close to the user (a list of all Microsoft peering locations is available). Optimise the route length and avoid hairpins.
  • Assess network security using application-level security, reducing IP ranges and ports and evaluating the service to see if some activities can be performed in Office 365, rather than at the network edge (e.g. DLP, AV scanning).

For Azure:

  • Azure ExpressRoute is a connection to the edge of the Microsoft global backbone (not to a datacentre). It offers 2 lines for resilience and two peering types at the gateway – private and public (Microsoft) peering.
  • Azure Virtual WAN can be used to build a hub for a region and to connect sites.
  • Replace branch office routers with software-defined (SDWAN) devices and break out where appropriate.
Microsoft global network

Passwordless authentication

Basically, there are three options:

  • Windows Hello.
  • Microsoft Authenticator.
  • FIDO2 Keys.

Azure tooling and utilities

Useful resources include:

Selecting data storage for a cloud application

What to use? It depends! Classify data by:

  • Type of data:
    • Structured (fits into a table)
    • Semi-structured (may fit in a table but may also use outside metadata, external tables, etc.)
    • Unstructured (documents, images, videos, etc.)
  • Properties of the data:
    • Volume (how much)
    • Velocity (change rate)
    • Variety (sources, types, etc.)
Item TypeVolume Velocity Variety
Product catalogue Semi-structured High Low Low
Product photos Unstructured High Low Low
Sales data Semi-structured Medium High High

How to match data to storage:

  • Storage-driven: build apps on what you have.
  • Cloud-driven: deploy to the storage that makes sense.
  • Function-driven: build what you need; storage comes with it.

Governance in Azure

It’s important to understand what’s running in an Azure subscription – consider cost, security and compliance:

  • Review (and set a baseline):
    • Tools include: Resource Graph; Cost Management; Security Center; Secure Score.
  • Organise (housekeeping to create a subscription hierarchy, classify subscriptions and resources, and apply access rights consistently):
    • Tools include: Management Groups; Tags; RBAC;
  • Audit:
    • Make changes to implement governance without impacting people/work. Develop policies, apply budgets and audit the impact of the policies.
    • Tools include: Cost Management; Azure Policy.
  • Enforce
    • Change policies to enforcement, add resolution actions and enforce budgets.
    • Consider what will happen for non-compliance?
    • Tools include: Azure Policy; Cost Management; Azure Blueprints.
  • (Loop back to review)
    • Have we achieved what we wanted to?
    • Understand what is being spent and why.
    • Know that only approved resources are deployed.
    • Be sure of adhering to security practices.
    • Opportunities for further improvement.

Planning and implementing hybrid network connectivity

Moving to the cloud allows for fast deployment but planning is just as important as it ever was. Meanwhile, startups can be cloud-only but most established organisations have some legacy and need to keep some workloads on-premises, with secure and reliable hybrid communication.

Considerations include:

  • Extension of the internal protected network:
    • Should workloads in Azure only be accessible from the Internal network?
    • Are Azure-hosted workloads restricted from accessing the Internet?
    • Should Azure have a single entry and egress point?
    • Can the connection traverse the public Internet (compliance/regulation)?
  • IP addressing:
    • Existing addresses on-premises; public IP addresses.
    • Namespaces and name resolution.
  • Multiple regions:
    • Where are the users (multiple on-premises sites); where are the workloads (multiple Azure regions); how will connectivity work (should each site have its own connectivity)?
  • Azure virtual networks:
    • Form an isolated boundary with secure communications.
    • Azure-assigned IP addresses (no need for a DHCP server).
    • Segmented with subnets.
    • Network Security Groups (NSGs) create boundaries around subnets.
  • Connectivity:
    • Site to site (S2S) VPNs at up to 1Gbps
      • Encrypted traffic over the public Internet to the GatewaySubnet in Azure, which hosts VPN Gateway VMs.
      • 99.9% SLA on the Gateway in Azure (not the connection).
      • Don’t deploy production workloads on the GatewaySubnet; /26, /27 or /28 subnets recommended; don’t apply NSGs to the GatewaySubnet – i.e. let Azure manage it.
    • Dedicated connections (Azure ExpressRoute): private connection at up to 10Gbps to Azure with:
      • Private peering (to access Azure).
      • Microsoft peering (for Office 365, Dynamics 365 and Azure public IPs).
      • 99.9% SLA on the entire connection.
    • Other connectivity services:
      • Azure ExpressRoute Direct: a 100Gbps direct connection to Azure.
      • Azure ExpressRoute Global Reach: using the Microsoft network to connect multiple local on-premises locations.
      • Azure Virtual WAN: branch to branch and branch to Azure connectivity with software-defined networks.
  • Hybrid networking technologies:

Modern Device Management (Autopilot, Intune and OneDrive)

The old way of managing PC builds:

  1. Build an image with customisations and drivers
  2. Deploy to a new computer, overwriting what was on it
  3. Expensive – and the device has a perfectly good OS – time-consuming

Instead, how about:

  1. Unbox PC
  2. Transform with minimal user interaction
  3. Device is ready for productive use

The transformation is:

  • Take OEM-optimised Windows 10:
    • Windows 10 Pro and drivers.
    • Clean OS.
  • Plus software, settings, updates, features, user data (with OneDrive for Business).
  • Ready for productive use.

The goal is to reduce the overall cost of deploying devices. Ship to a user with half a page of instructions…

Windows Autopilot overview

Autopilot deployment is cloud driven and will eventually be centralised through Intune:

  1. Register device:
    • From OEM or Channel (manufacturer, model and serial number).
    • Automatically (existing Intune-managed devices).
    • Manually using a PowerShell script to generate a CSV file with serial number and hardware hash, which is then uploaded to the Intune portal.
  2. Assign Autopilot profile:
    • Use Azure AD Groups to assign/target.
    • The profile includes settings such as deployment mode, BitLocker encryption, device naming, out of box experience (OOBE).
    • An Azure AD device object is created for each imported Autopilot device.
  3. Deploy:
    • Needs Azure AD Premium P1/P2
    • Scenarios include:
      • User-driven with Azure AD:
        • Boot to OOBE, choose language, locale, keyboard and provide credentials.
        • The device is joined to Azure AD, enrolled to Intune and policies are applied.
        • User signs on and user-assigned items from Intune policy are applied.
        • Once the desktop loads, everything is present, including file links in OneDrive) – time depends on the software being pushed.
      • Self-deploying (e.g. kiosk, digital signage):
        • No credentials required; device authenticates with Azure AD using TPM 2.0.
      • User-driven with hybrid Azure AD join:
        • Requires Offline Domain Join Connector to create AD DS computer account.
        • Device connected to the corporate network (in order to access AD DS), registered with Autopilot, then as before.
        • Sign on to Azure AD and then to AD DS during deployment. If they use the same UPN then it makes things simple for users!
      • Autopilot for existing devices (Windows 7 to 10 upgrades):
        • Backup data in advance (e.g. with OneDrive)
        • Deploy generic Windows 10.
        • Run Autopilot user-driven mode (can’t harvest hardware hashes in Windows 7 so use a JSON config file in the image – the offline equivalent of a profile. Intune will ignore unknown device and Autopilot will use the file instead; after deployment of Windows 10, Intune will notice a PC in the group and apply the profile so it will work if the PC is reset in future).

Autopilot roadmap (1903) includes:

  • “White glove” pre-provisioning for end users: QR code to track, print welcome letter and shipping label!
  • Enrolment status page (ESP) improvements.
  • Cortana voiceover disabled on OOBE.
  • Self-updating Autopilot (update Autopilot without waiting to update Windows).

Maintaining your hybrid environment

Common requirements in an IaaS environment include wanting to use a policy-based configuration with a single management and monitoring solution and auto-remediation.

Azure Automation allows configuration and inventory; monitoring and insights; and response and automation. The Azure Portal provides a single pane of glass for hybrid management (Windows or Linux; any cloud or on-premises).

For configuration and state management, use Azure Automation State Configuration (built on PowerShell Desired State Configuration).

Inventory can be managed with Log Analytics extensions for Windows or Linux. An Azure Monitoring Agent is available for on-premises or other clouds. Inventory is not instant though – can take 3-10 minutes for Log Analytics to ingest the data. Changes can be visualised (for state tracking purposes) in the Azure Portal.

Azure Monitor and Log Analytics can be used for data-driven insights, unified monitoring and workflow integration.

Responding to alerts can be achieved with Azure Automation Runbooks, which store scripts in Azure and run them in Azure. Scripts can use PowerShell or Python so support both Windows and Linux). A webhook can be triggered with and HTTP POST request. A Hybrid runbook worker can be used to run on-premises or in another cloud.

It’s possible to use the Azure VM agent to run a command on a VM from Azure portal without logging in!

Windows Server 2019

Windows Server strategy starts with Azure. Windows Server 2019 is focused on:

  • Hybrid:
    • Backup/connect/replicate VMs.
    • Storage Migration Service to migrate unstructured data into Azure IaaS or another on-premises location (from 2003+ to 2016/19).
      1. Inventory (interrogate storage, network security, SMB shares and data).
      2. Transfer (pairings of source and destination), including ACLs, users and groups. Details are logged in a CSV file.
      3. Cutover (make the new server look like the old one – same name and IP address). Validate before cutover – ensure everything will be OK. Read-only process (except change of name and IP at the end for the old server).
    • Azure File Sync: centralise file storage in Azure and transform existing file servers into hot caches of data.
    • Azure Network Adapter to connect servers directly to Azure networks (see above).
  • Hyper-converged infrastructure (HCI):
    • The server market is still growing and is increasingly SSD-based.
    • Traditional rack looked like SAN, storage fabric, hypervisors, appliances (e.g. load balancer) and top of rack Ethernet switches.
    • Now we use standard x86 servers with local drives and software-defined everything. Manage with Admin Center in Windows Server (see below).
    • Windows Server now has support for persistent memory: DIMM-based; still there after a power-cycle.
    • The Windows Server Software Defined (WSSD) programme is the Microsoft approach to software-defined infrastructure.
  • Security: shielded VMs for Linux (VM as a black box, even for an administrator); integrated Windows Defender ATP; Exploit Guard; System Guard Runtime.
  • Application innovation: semi-annual updates are designed for containers. Windows Server 2019 is the latest LTSC channel so it has the 1709/1803 additions:
    • Enable developers and IT Pros to create cloud-native apps and modernise traditional apps using containers and micro services.
    • Linux containers on Windows host.
    • Service Fabric and Kubernetes for container orchestration.
    • Windows subsystem for Linux.
    • Optimised images for server core and nano server.

Windows Admin Center is core to the future of Windows Server management and, because it’s based on remote management, servers can be core or full installations – even containers (logs and console). Download from http://aka.ms/WACDownload

  • 50MB download, no need for a server. Runs in a browser and is included in Windows/Windows Server licence
  • Runs on a layer of PowerShell. Use the >_ icon to see the raw PowerShell used by Admin Center (copy and paste to use elsewhere).
  • Extensible platform.

What’s next?

  • More cloud integration
  • Update cadence is:
    • Insider builds every 2 weeks.
    • Semi-annual channel every 6 months (specifically for containers):
      • 1709/1803/1809/19xx.
    • Long-term servicing channel
      • Every 2-3 years.
      • 2016, 2019 (in September 2018), etc.

Windows Server 2008 and 2008 R2 reach the end of support in January 2020 but customers can move Windows Server 2008/2008 R2 servers to Azure and get 3 years of security updates for free (on-premises support is chargeable).

Further reading: What’s New in Windows Server 2019.

Containers/Azure Kubernetes Service

Containers:

  • Are fully-packaged applications that use a standard image format for better resource isolation and utilisation.
  • Are ready to deploy via an API call.
  • Are not Virtual machines (for Linux).
  • Do not use hardware virtualisation.
  • Offer no hard security boundary (for Linux).
  • Can be more cost effective/reliable.
  • Have no GUI.

Kubernetes is:

  • An open source system for auto-deployment, scaling and management of containerized apps.
  • Container Orchestrator to manage scheduling; affinity/anti-affinity; health monitoring; failover; scaling; networking; service discovery.
  • Modular and pluggable.
  • Self-healing.
  • Designed by Google based on a system they use to run billions of containers per week.
  • Described in “Phippy goes to the zoo”.

Azure container offers include:

  • Azure Container Instances (ACI): containers on demand (Linux or Windows) with no need to provision VMs or clusters; per-second billing; integration with other Azure services; a public IP; persistent storage.
  • Azure App Service for Linux: a fully-managed PaaS for containers including workflows and advanced features for web applications.
  • Azure Kubernetes Service (AKS): a managed Kubernetes offering.

Wrap-up

So, there you have it. An extremely long blog post with some highlights from my attendance at Microsoft Ignite | The Tour: London. It’s taken a while to write up so I hope the notes are useful to someone else!

Caching OneDrive for Business content when Files On-Demand is enabled

This content is 6 years old. I don't routinely update old blog posts as they are only intended to represent a view at a particular point in time. Please be warned that the information here may be out of date.

Not surprisingly, given who I work for, I’m a heavy user of Microsoft technologies. I have a Microsoft Surface Pro, running the latest versions of Windows 10 of Office 365 ProPlus, joined to Azure Active Directory and managed with Intune. I use all of the Office 365 Productivity apps. I AM A MICROSOFT POWER USER!

Enough of the drama! Let’s bring this down a level…

…I’m just a guy, using a laptop, trying to get a job done. It’s a tool.

OneDrive icon

Most of my files are stored in OneDrive for Business. There’s lots more space there than the typical SSD has available and so Microsoft introduced a feature called Files On-Demand, whereby you see the whole list of files but it’s only actually downloaded when you try to access it.

That sounds great, unless you travel a lot and work on trains and other places where network connectivity is less than ideal.

In my case, I have around 50GB of data in OneDrive and 90GB of free space on my Surface’s SSD so I have the potential to cache it all locally. I used to do this by turning off Files On-Demand but the latest build I’m running has disabled that capability for me.

It’s not feasible to touch every file and force it to be cached and I thought about asking my admins to reverse the setting to force the use of Files On-Demand but then I found another way around it…

If I right-click on a OneDrive file or folder in Windows Explorer there’s the option to “Always keep on this device”. [Update: Peter Bryant (@PJBryant) has flagged a method using the command line too – it seems there are new attributes P and U for Files On-Demand]

By applying this to one of the top-level folders in my OneDrive, I was able to force the files to be cached – regardless of whether Files On-Demand is enabled or not. Now, I can access all of the files in that folder (and any subfolders), even when I’m not connected to the Internet.

Explaining Office 365, with particular reference to the crossover between OneDrive, SharePoint and Teams

This content is 6 years old. I don't routinely update old blog posts as they are only intended to represent a view at a particular point in time. Please be warned that the information here may be out of date.

For most of my career, I’ve worked primarily with Microsoft products. And for the last three years, I’ve worked in a consulting, services and education organisation that’s entirely focused on extracting value for our customers from their investments in Microsoft technology (often via an Enterprise Agreement, or similar). So, living in my Microsoft-focused bubble, it’s easy to forget that there are organisations out there for who deploying Microsoft products is not the first choice. And I’ve found myself in a few online conversations where people are perplexed about Office 365 and which tool to use when.

I used to use the Office 365 Wheel from OnPoint solutions until I discovered Matt Wade’s “Periodic Table of Office 365”, which attempts to describe Office 365’s “ecosystem of applications in the cloud” in infographic format:

The web version even lets you select by licence – so, for most of my customers, Enterprise E3 or E5.

But, as I said, I’ve also been in a few discussions recently where I’ve tried to help others (often those who are familiar with Google’s tools) to understand where SharePoint, OneDrive for Business and Microsoft Teams fit in – i.e. which is used in what scenario?

A few weeks ago, I found myself trying to do that on the WB-40 Podcast WhatsApp group, where one member had asked for help with the various “file” constructs and another had replied that “not even Microsoft” knew that. Challenge accepted.

So, in short form for social media, I replied to the effect that:

  1. Teams is unfinished (IMHO) but built on top of Office 365 Groups (and very closely linked to SharePoint).
  2. SharePoint can be used for many things including a repository for team-based information – regardless of what those teams are (projects, hierarchy, function).
  3. OneDrive is a personal document store.

In effect OneDrive can be used to replace “home drives” and SharePoint to provide wider collaboration features/capabilities when a document moves from being “something I’m working on” to “something I’m ready to collaborate on”. Teams layers over that to provide chat-based workspace and more.

And then I added a caveat to say that all of the above is the way we work and many others do but there is not one single approach that fits all. And don’t even get me started with Yammer…

The key point for me is that organisations really should have an information management strategy and associated architecture, regardless of the technology choices made.

And, just in case it helps, this is how one UK Government department approaches things (I would credit my source, but don’t want to get anyone into trouble):

They split up documents into a lifecycle:

  1. Documents start life with a user, so can go in OneDrive.
    • As the user collaborates with colleagues those colleagues can gain shared access to the document in OneDrive.
    • They proposed the use of 2-year deletion policies on all OneDrive for Business files [I would question why… storage is not an issue with Enterprise versions of Office 365, and arbitrary time-based deletion is problematic when you go back to a document for a reference and find it’s gone…].
  2. If the original document leads to a scoped piece of work then the Documents are moved to an Office 365 Group, as that neatly fits in with a number of resources that are common to collaboration: Planner, Calendar, File Storage (SharePoint), etc. And O365 Groups underpin Teams.
    • However, this type of data is time limited.
    • They proposed the use of 2-year deletion policies on all O365 Groups [again, why?].
  3. If a document became part of organisational policy/guidance, etc. then the proposal was to create permanent SharePoint sites for document management or potentially to move such documents to the organisation’s Intranet service [which could be running on SharePoint Online], or other relevant location.

So, you can see the lifecycle properties:

  1. User (limited need to know).
  2. Group (wider need to know).
  3. Organisation (everyone can know).

This plan has the potential to allow the organisation to manage data in a better way and minimise the costs of the additional storage required for SharePoint. But, core to that is turning the idea that OneDrive for Business is personal use on its head. It’s a valid place to store business data, but users should manage the lifecycle of data better. And this needs to be plain for the user to understand so they can spend the minimum amount of time managing the data.

[i.e. they don’t like the idea that OneDrive for Business is a personal data store – it’s a data store provided to users as part of their job and they don’t like “personal” being part of that definition. My 4pth is that the limits of “personal” and “work” are increasingly eroded, but I can see that organisations have legal and regulatory concerns about the data held in systems that they manage.]

So, which Office 365 tool to use? There is no “one size fits all” but some of the above may help when you’re defining a strategy/architecture for managing that information…