As I mentioned in my intro post on Identity in Office 365, there are a couple of different ways your organization can go about provisioning user accounts in Office 365. Just to review, here they are again:

• Managed IDs – these are also known as “MSO IDs” or “Cloud IDs”, accounts which you create directly in Office 365 and manage there as well.
• Federated IDs – these are accounts based in a local Active Directory environment that you manage. It requires that you configure federation between your AD and the Office 365 Cloud, but allows users to log in with accounts they’ve already been using and maintain a single username and password for both on-premise and Cloud systems.
• DirSync without Federation – As my friend Mike Holcomb pointed out in an comment on my intro post, there is a third option available: synchronizing accounts up to Office 365 via DirSync without configuring AD Federation. It is less complicated to configure than AD Federation, but only synchronizes accounts to the cloud, not passwords.

To me, the options available for account management with Office 365 are a really big reason why it can be such a compelling option for a wide range of businesses of all sizes. There really is a lot of flexibility in how you can choose to create accounts, take advantage of existing identity resources you may already be using, as well as provide a low-friction experience for your end users that doesn’t require them to track multiple accounts and passwords. Now, that’s not to say that it’s perfect, but in general I think it’s a compelling selling point for Office 365.

Please keep in mind that the info I’m providing here is meant as an introduction to the topic, and that there’s a good chance that it will change and develop over time as Office 365 matures. For the most up to date information on accounts in Office 365, you should definitely refer to the excellent Office 365 Identity Service Description document available for download from Microsoft, it should be considered your authoritative and current source.

Now that we’ve set the stage, let’s take a look at each of the options above and take a look at why they can make sense for a company, as well as some of the considerations and drawbacks that also need to be taken into account when deciding which one is the best choice for an organization looking to move to the cloud…

Managed IDs

Managed IDs exist only in the Office 365 cloud, these are accounts that you create and manage in your Office 365 environment, without needing to create, configure, or set up any local Identity systems like Active Directory or Small Business Server. Managed IDs are perfect for organizations that want to limit their reliance on local IT systems, or don’t want to have any local servers or log-ins at all. They’re also great for organizations that are what we refer to as “greenfield” situations; just getting started with their infrastructure so there’s a clean slate when it comes to Identity solutions. That’s not to say that you can’t switch over to Managed IDs with Office 365 if you are already using something like Small Business Server or Active Directory, I’m just saying that there will be additional costs you’ll have to consider in transitioning to the cloud around moving over your accounts and training your users on using the new accounts. The issue of training users can be a big one that’s easily overlooked, especially if they’re already used to using a different system.

With Managed IDs, you have to remember that you will have little control over a lot of the policies that Microsoft is using to govern these accounts in Office 365. You do have more control with Office 365 than was available with BPOS, but you’re still going to have to accept some of the constraints that Microsoft has defined for Managed IDs and be ready to work within them. This includes set minimum and maximum password lengths, set password complexity and strength rules, 90 day password expiry duration, password history restrictions, and account lockout rules. One nice change from Office 365 to BPOS, you can actually disable password expiry for Managed IDs in Office 365 if you want.

Managed IDs also benefit greatly from the new delegated administration roles that can be applied to accounts in Office 365, something else that wasn’t before possible in BPOS.  Now you can assign a user rights to manage subscriptions and Managed IDS and/or reset passwords on Managed IDs without having to make them a full administrator of your Office 365 service.

One final item to consider in the area of managing Office 365 is that you have to have access to the Office 365 Administration web site (or have the Office 365 PowerShell CMDLETs installed locally) to be able to carry out your management activities. This may not be a big deal, given that a robust and reliable connection to the Internet is a big general prerequisite (in my mind) for using Office 365, but it’s worth noting, just in case.

Federated IDs

Federated IDs exist in a local account repository (at this time only Active Directory (AD) is supported, and while I don’t expect that to change, you never know), and are connected up to an Office 365 environment in the cloud via Active Directory Federation Services (ADFS). (As an aside, “federation” is a term that comes up quite frequently in Office 365, but it doesn’t always mean the same thing depend on the context it’s used in) Federated IDs are user accounts that you create in an Active Directory domain running on your own servers and through that ADFS connection are recognized by Office 365 as a valid user account in the cloud.

If your organization already has an AD domain up and running (typically referred to as a “brownfield” scenario, the other side of the “greenfield” coin I mentioned above), then you should very seriously consider going with Federated IDs and ADFS instead of Managed IDs. Federated IDs allow you to continue to use your existing tools and policies to manage your accounts, giving you complete control over your security policies (password expiration, password complexity, etc.) and account lifecycles. It also provides your users with a seamless user experience, because they only have one account to manage and use to log in to your systems. Federated IDs can also be used in greenfield situations if your organization would prefer to have more control over the IDs you provision for your users in Office 365, but setting it up will increase the time it will take you to roll out Office 365 to your users.

While Federated IDs do provide you with a great deal more control over your accounts, you need to keep in mind that this is not without some drawbacks. The biggest one is that you’re going to need to continue to spend time to maintain and administer your local AD domain, so you won’t be making a “total” move to the cloud. For many large organizations with other local servers or applications that rely on AD, this probably isn’t a big deal, but that care and feeding is still something you need to remember to plan and budget for. Also, ADFS usually requires additional configuration and administration above and beyond normal AD management as well as likely necessitate additional servers (could be physical or virtual) to host both ADFS itself, which can be tricky (especially if you’ve never done it before) AND the Office 365 DirSync tool (this is required for Federation, but as shown below you can run it without Federation). Finally, it also places a premium on the availability of your Internet connection to Office 365, because if that connection goes down you will not be able to push up updates to your local accounts into the cloud and your users may not be able to log in at all.

DirSync without Federation

DirSync is a tool provided by Microsoft that was originally intended as a tool to be used to do short-term migration of user accounts from a local AD environment up to BPOS. Basically, the BPOS DirSync tool was a stripped down version of a product called Microsoft Identity Integration Server (MIIS, which is now known as Forefront Identity Manager), which scanned through an AD domain and did a copy of all email enabled accounts into BPOS where they could be assigned a User Subscription License (USL) to be activated. This was seen as Microsoft as a way to help a company do a one-time migration of existing accounts into the BPOS cloud, or to be run during a brief period of co-existence if a migration could not be completed during a single window of time. But, as often happens with useful tools, Microsoft’s customers found that they usually preferred to make that period of co-existence permanent, managing their accounts with their existing AD tools and procedures, then copying them up to the cloud with DirSync.

The DirSync option is still available with Office 365, but there are a few things to keep in mind about it. It’s best suited for situations where you’re using some sort of a co-existence set up (either over a short period of time for a migration, or for the long term), but you also have to be careful because there are some situations where it is not supported for use (such as intermittent use solely for user creation, syncing multiple AD forests, or attempting to filter syncing to a scope smaller than all trusted domains). The other important aspect of DirSync to remember is that by default it is a limited, one-way synchronization from AD up to Office 365. One-way because it is not possible to synchronize objects from Office 365 back down to your AD domain, which means that you can only create new accounts in AD, you cannot create them in Office 365. Limited because only certain types of objects are sync’d (users, mail-enabled groups, security groups, and contacts) from AD to Office 365 and because passwords are not included in that sync, which means that users must managed their passwords in both AD and Office 365, as they must with Managed IDs. NOTE: there is some limited capabilities to write data from Office 365 back to AD through DirSync, but there is not much detailed information available from Microsoft on this feature, so I’d recommend treading lightly and testing heavily if you want to look at this.

For more information on what AD attributes are synchronized from AD to Office 365 by the DirSync tool, I’d recommend checking out this page: http://support.microsoft.com/kb/2256198

I had a great time this past weekend hanging out at SharePoint Saturday Columbus with several of my friends from around the SharePoint Community, and I even got to present a new session that I’ve been working on: “Establishing Dominance - How to Put Your Developers Right Where You Want Them, and Have Them Love You for It.” It was a lot of fun to present, and please take a look at the whole set of slides (my overarching message is nowhere as adversarial as the title would lead you to believe).

I’ve posted my slide deck online at SlideShare.net if for you to check out: http://www.slideshare.net/ferringer/establishing-dominance-sps-columbus-2011. If you have any questions about it or want more information, please just post a comment on this post and I’ll do my best to respond.

I got a request during the session to provide some additional links and info to build on the concepts I talk about in the presentation, so I’m going to do my best to list as many as I can think of below. This may not be a complete list, but I’ll try to add to it as I come across new info or think of items I’ve missed:

• This link provides a nice intro to Code Access Security (CAS) in .NET: http://msdn.microsoft.com/en-us/library/930b76w0%28v=VS.90%29.aspx
• CAS, the Global Assembly Cache (GAC), and Bin Deployment with SharePoint: http://blog.henryong.com/2009/09/02/code-access-security-vs-global-assembly-cache-vs-full-trust-bin-deployment-for-sharepoint
• Here’s a quick blog post by my friend Geoff Varosky to get started with SharePoint Designer 2010 Governance, lots of good links in it too: http://gvaro.wordpress.com/2010/01/07/limiting-sharepoint-designer-access-in-sharepoint-2010/
• This blog post has a really good list of recommendations that I’ve used in the past to create a SharePoint Developer Guidelines document (I hope to eventually publish that actual document, but I need to do some scrubbing and re-work on it before I can put it out for public consumption) : http://johanolivier.blogspot.com/2010/05/suggested-sharepoint-development.html
• Take a look at the SharePoint 2010 Development Guidance project on CodePlex from Microsoft’s Pattern’s and Practices group, lots of great stuff to think about: http://spg.codeplex.com/
• This is a very good write up on the SharePoint 2010 Developer Dashboard from Steve Peschka: http://blogs.technet.com/b/speschka/archive/2009/10/28/using-the-developer-dashboard-in-sharepoint-2010.aspx
• Fiddler is the best tool I know of for HTTP Debugging, and a must have for web developers: http://www.fiddler2.com
• Another crucial debugging tool is Firebug, although it does require the Mozilla Firefox browser: http://getfirebug.com/
• There’s a very handy development-focused edition of the Community Kit for SharePoint, CKS:DEV: http://cksdev.codeplex.com/
• WSPBuilder, a good tool for speeding up creation of SharePoint Solution Packages in Visual Studio (but know how to create a WSP by hand before you start relying on it!): http://wspbuilder.codeplex.com/ (main download is for SP 2007, dig around for 2010)
• In general, there are a lot of great tools at CodePlex.com, check it out!
• If you’re working with CAML Queries at all, U2U’s CAML Query Builder is a must-have (there’s also another option or two on CodePlex if you want an alternative): http://www.u2u.net/Tools/wincamlquerybuilder/CamlQueryBuilder.aspx
• And another: Stramit CAML Viewer http://spcamlviewer.codeplex.com/ (this tool is great for looking for the CAML behind an existing item, while the U2U tool is best suited for building a new CAML query.
• Another must-have, SPDisposeCheck provides automated checking of your code to make sure you’re properly disposing of your SharePoint objects: http://archive.msdn.microsoft.com/SPDisposeCheck
• A helpful development tool on CodePlex: SharePoint Manager http://spm.codeplex.com/
• If you don’t want to take the trouble of working up your own logging system for your application, take a look at the Enterprise Library from Microsoft: http://msdn.microsoft.com/en-us/library/ff648951.aspx
• TechNet article on SharePoint Solution Packages, how they work, and how to deploy them: http://technet.microsoft.com/en-us/library/cc262995.aspx
• Intro to disposing objects in SharePoint 2010, the why and the how: http://msdn.microsoft.com/en-us/library/ee557362.aspx
• Not a bad article on the trouble with “Running with Elevated Privileges” and alternative approaches: http://mssharepointtips.com/tip.asp?id=1022
• A good general article: http://www.sharepointpromag.com/article/sharepoint/sharepoint-admins-work-sharepoint-devs-136094 “What SharePoint Admins Need to Know to Work with SharePoint Devs—And Vice Versa”
• Setting Up the Development Environment for SharePoint 2010 on Windows Vista, Windows 7, and Windows Server 2008 - http://msdn.microsoft.com/en-us/library/ee554869.aspx
• Check out the “Customization Policy” section of this TechNet page on SharePoint Governance: http://technet.microsoft.com/en-us/library/cc263356.aspx
• For info on SharePoint’s APIs and web services, see the SharePoint SDK – http://msdn.microsoft.com/en-us/library/ee557253.aspx
• MSDN SharePoint Developer Center: http://msdn.microsoft.com/en-us/sharepoint/default
• Best Practices section within that SharePoint Development Center: http://msdn.microsoft.com/en-us/sharepoint/ff660756
• Great overall SharePoint Governance links from Bill Baer: http://blogs.technet.com/b/wbaer/archive/2010/09/02/governance-resources-for-sharepoint-2010.aspx

I’d also like to send a big THANK YOU out to the folks who worked so hard to make SPS Columbus happen this past weekend (organizers, speakers, sponsors, attendees, and volunteers!), it was a great time and I really appreciate all of your efforts and the opportunity!

John

This morning I was lucky enough to be invited to speak to the SharePoint Users of Fort Wayne (Indiana) on the topic of SharePoint 2010 Development Best Practices, and I just wanted to get a quick post up to link to the slide deck I used for the talk, as well as provide some links to the critical resource I mentioned in the presentation. Also, I’d really like to thank Scott Hamman, Jon Fazzaro, and Aptera Software for extending me the invitation to present to their outstanding group and the great discussions we had before, during, and after the presentation. I always love getting to see digital acquaintances out in the “meatspace”, and today was great because it was a fun challenge for me to cover a topic that isn’t a skill set I use on a regular basis. But enough with my rambling, on to the links!

I’ve posted my slide deck online at SlideShare.net if for you to review at your leisure: http://www.slideshare.net/ferringer/sharepoint-2010-development-best-practices-spufw-8172011. If you have any questions about it or want more information, please just post a comment on this post and I’ll do my best to respond.

I also reference several tools and resources throughout the presentation that I wanted to make sure I provided to everyone, so here they are:

• First and foremost is the SharePoint 2010 SDK: http://www.microsoft.com/download/en/details.aspx?displaylang=en&id=12323
• I mentioned in the presentation that MSDN has a ridiculous amount of great content on SharePoint Development that you need to take a look at, I’d highly recommend starting with the MSDN SharePoint Developer Center: http://msdn.microsoft.com/en-us/sharepoint/default
• There’s also a Best Practices section within that SharePoint Development Center, given the title of this presentation I figure it’s worth calling out: http://msdn.microsoft.com/en-us/sharepoint/ff660756
• Fiddler is the best tool I know of for HTTP Debugging, and a must have for web developers: http://www.fiddler2.com
• Another crucial debugging tool is Firebug, although it does require the Mozilla Firefox browser: http://getfirebug.com/
• There’s a very handy development-focused edition of the Community Kit for SharePoint, CKS:DEV: http://cksdev.codeplex.com/
• WSPBuilder, a good tool for speeding up creation of SharePoint Solution Packages in Visual Studio (but know how to create a WSP by hand before you start relying on it!): http://wspbuilder.codeplex.com/ (main download is for SP 2007, dig around for 2010)
• In general, there are a lot of great tools at CodePlex.com, check it out!
• If you’re working with CAML Queries at all, U2U’s CAML Query Builder is a must-have (there’s also another option or two on CodePlex if you want an alternative): http://www.u2u.net/Tools/wincamlquerybuilder/CamlQueryBuilder.aspx
• On the client-side of things, Marc Andersen’s SPServices library is a great wrapper for combining jQuery and SharePoint’s web services: http://spservices.codeplex.com
• Another must-have, SPDisposeCheck provides automated checking of your code to make sure you’re properly disposing of your SharePoint objects: http://archive.msdn.microsoft.com/SPDisposeCheck
• Virtualization is a key tool for developers (it’s not just for admins!), and VMware Workstation is just about the best option available: http://www.vmware.com/products/workstation/
• If VMware Workstation’s price tag bothers you, you’ll love VirtualBox’s (hint: free): http://www.virtualbox.org/
• If you don’t want to take the trouble of working up your own logging system for your application, take a look at the Enterprise Library from Microsoft: http://msdn.microsoft.com/en-us/library/ff648951.aspx

UPDATE: I’ve gotten some good follow up info from Stuart Pegg, so I wanted to go ahead and get it added to the post:

• A helpful development tool on CodePlex: SharePoint Manager http://spm.codeplex.com/
• And another: Stramit CAML Viewer http://spcamlviewer.codeplex.com/ (as Eric Alexander pointed out, this tool is great for looking for the CAML behind an existing item, while the U2U tool is best suited for building a new CAML query.
• Finally, if you’re a user of the Chrome browser, there are developer tools built right into it very similar to what Firebug and the IE Developer Toolbar provide, so it can provide you another option for debugging CSS and JavaScript from the client perspective.

Again, thanks to everyone who came out this morning, I had a great time and hope you did as well.

John

I’ve been invited to do a couple of presentations this week, so I wanted to provide some links and info for anyone who may be in the area and want to come throw tootsie rolls at me

• Wednesday, August 17th, I’ll be presenting to the SharePoint Users of Fort Wayne, Indiana on “SharePoint 2010 Development Best Practices.” The meeting starts at 7:30 AM EDT, and is held in downtown Fort Wayne at the offices of Aptera, one of the group’s sponsors. I’m planning on the presentation leaning more towards the beginner side of SharePoint Development, focusing on helping a developer new to the platform getting started the right way to ensure better long term success. I’m also excited about this because its an area of SharePoint that I haven’t spent the majority of my time thinking about, so it’s a great way to challenge myself to move outside my comfort zone and expand my range a bit. There may also be an element of “Admin Eye for the SharePoint Development Guy” to this as well, because as a proper administrator I just can’t see myself passing up an opportunity to warp some developers either!
• Saturday, August 20th, I’ll be in Columbus, Ohio for SharePoint Saturday Columbus, delivering “Establishing Dominance: How to Put Your Developers Right Where You Want Them, and Have Them Love You for It”. SPS Columbus is a FREE day long event organized and delivered by the SharePoint community, and a great way to pick up a lot of information about SharePoint (from a ton of people way smarter than me) in a very short time. This time my target audience is IT Professionals and Administrators, and I’ll talking about how to prepare your precious SharePoint environment for those nasty developers, keep them from burning the whole place down, and all the while fall over themselves thanking you profusely for “helping” them so much

I’ll post links to the published slide decks here in as well, but not till after the events (can’t go giving the punchline away, can I?). I hope I’ll see you there!

John

Hopefully your Friday is off to a good start, here’s some Office 365 reading for you to prepare for the weekend with:

• Something Microsoft does a pretty good job of is pulling together several different tools and platforms to provide compelling solutions. In this video on the SharePoint Get the Point blog, check out how you can host an Access database in SharePoint Online and update it from your Windows Phone 7 mobile device: http://sharepoint.microsoft.com/Blogs/GetThePoint/Lists/Posts/Post.aspx?ID=495
• I’ll be the first guy to admit that I’m drinking the Kool-Aid when it comes to Office 365 and am much more likely to link to articles that laud Office 365 over Google Apps. And since that’s the case, why not go ahead and let you read a pretty blatant one? In all seriousness though, I like the rational and real world approach the author takes to the differences between the two options: http://venturebeat.com/2011/06/30/why-microsofts-office-365-will-clobber-google-apps/
• SharePoint MVP Corey Roth has been playing with SharePoint Online a lot recently, and has some good stuff you should take a look at. Last month he posted a really interesting write up on how to add SharePoint Search capabilities to the public site you can create with Office 365, and it’s definitely worth a look: http://www.dotnetmafia.com/blogs/dotnettipoftheday/archive/2011/07/21/office-365-how-to-add-search-to-your-public-facing-web-site-with-sharepoint-online.aspx
• Remember those links I’ve been posting to lately about how to migrate from BPOS to Office 365? Well, I should have been mentioning this sooner, but you’ll want to take them with a grain of salt of five… Don’t believe me? Here’s the definitive word from Michael O’Neill, the czar of MSO’s BPOS to Office 365 Transition Team: http://blogs.technet.com/b/msonline/archive/2011/08/07/transitioning-from-bpos-to-office-365.aspx
• SharePoint tool vendor Lightning Tools now has a solution that allows you to synchronize a list between an on-premise SharePoint farm and a site collection running in SharePoint Online, which could be pretty handy (especially since it can go either up to the cloud or down from it): http://www.lightningtools.com/blog/archive/2011/07/26/office-365-integration-with-sharepoint-intranet.aspx
• Here’s another helpful article on how to make some changes to that public site you get with Office 365 from Martin Hatch: http://www.martinhatch.com/2011/07/how-to-add-contact-us-gadget-to-your.html
• Email is a challenge for many organizations because of all the laws and regulations that require them to govern their email systems in specific ways or retain specific emails for longer periods of time (known as a Legal Hold). Well, Exchange Server and Exchange Online in Office 365 have some excellent functionality built right into them to assist organizations in those efforts: http://www.networkworld.com/community/node/77005
• Getting started with Office 365′s “Professional” or “P” SKUs? Here’s a good article on how to configure your account to use your company’s own domain for its accounts, a critical first step for anyone starting off with Office 365: http://www.theemailadmin.com/2011/08/using-office-365-plan-p-with-your-companys-domain-name/
• Dux Sy is one of the most dynamic and engaging presenters I’ve had the opportunity to see in person, and the SharePoint community is lucky to call him one of our own. Because he’s also so self-less with sharing his outstanding content (there’s video available of almost every presentation he gives, pretty much right after he’s done delivering it), he’s also a SharePoint MVP, a very deserving award. This is a GREAT presentation he recently gave at SharePoint Saturday New York City on successful Project Management with SharePoint Online: http://www.vimeo.com/27160309
• Finally, here’s another of those “tea leaves” posts that Mary Jo Foley does pretty well looking at how Microsoft’s move to embrace HTML 5 and Javascript will impact the developer story in the next version of Office, codenamed “Office 15″. This plays into the ongoing HTML 5 versus Silverlight discussion that’s been going on, and has real implications for development in the next wave of both SharePoint and Office 365 in addition to the client tools: http://www.zdnet.com/blog/microsoft/microsoft-to-focus-on-html5-and-javascript-for-office-15-extensions/10266

Enjoy!

John

Here’s the latest Office 365 articles and posts that I’ve come across in the last few days:

• I love coming across posts that make cool stuff easy (PowerShell is a very common factor in meeting that criteria for me), here’s one from Office 365 MVP Loryan Strant on how to enable calendar sharing between two organizations within Office 365: http://blogs.msdn.com/b/mvpawardprogram/archive/2011/08/08/mvps-for-office-365-establishing-calendar-sharing-between-office-365-customers.aspx
• Here’s another one that covers lots of ground I like working with: monitoring your Office 365 environment with an on-premise System Center Operations Manager (SCOM) 2007 server thanks to a newly released management pack. This is a great example of how the Cloud and Office 365 don’t make in house IT obsolete, it just changes the playing field and makes you look at things differently! http://blogs.technet.com/b/momteam/archive/2011/07/29/monitoring-office-365-using-operations-manager.aspx
• I saw this blog post this morning and it reminded me of the email thread that went around several years ago that compared Microsoft Windows to GM cars on each side of the equation. This time the author is comparing Office 365 and Google Apps against each other if they were cars (not to give it all away, but I don’t think it bodes well for Google Apps when the author likens it to a Trabant… http://clouddiscussions.wordpress.com/2011/08/05/weekend-special-if-google-apps-and-office-365-were-cars/
• It’s never good to have to remove functionality from a product, but at least Microsoft is willing to admit when something in Office 365 isn’t working the way they want it to. Last month they removed the ability to chat with Windows Live Messenger accounts from within the Lync Online service: http://community.office365.com/en-us/b/office_365_technical_blog/archive/2011/07/14/notice-temporarily-removing-lync-connectivity-with-windows-live-messenger-in-office-365-for-professionals-and-small-businesses.aspx
• I’m of the opinion that everyone wins when Mike Watson is blogging, so it’s great to see him back at it with a new blog. On top of that, he’s talking about some great stuff with Office 365, like this really strong look at why Microsoft needs to figure out what it’s doing with Silverlight because it fills a very important need for Office 365 development that just isn’t there yet from HTML5/JavaScript (since it seems like that’s what Microsoft is about to abandon Silverlight for): http://jmikewatson.wordpress.com/2011/08/04/why-silverlight-ambiguity-is-a-bad-thing-for-office-365/
• I’d say that this one is best described as “SharePoint Online for the IT Guy” Lots of good links from the SharePoint Product Team’s blog for IT Pros looking to learn more about SharePoint Online: http://sharepoint.microsoft.com/blog/Pages/BlogPost.aspx?pID=990
• Rene Modery has been doing a lot of great writing on Office 365 lately, if you’re interested in the platform I’d strongly recommend subscribing to his blog immediately. He’s done a really informative three part series on how to modify the look and feel of the public web site that comes with Office 365, here’s a link to the first post: http://www.modery.net/1_moderynet_–_share-manage-govern/archive/660_modifying_the_design_of_your_office_365_public_homepage-part_1.html

That’s it for now, hope they’re helpful!

John

If you’re a frequent visitor to any of Microsoft’s public websites like I am, there’s a good chance you probably use a Live ID at some point to log into those sites, whether it’s Hotmail, MSDN, TechNet, MSN, or another resource. Most of Microsoft’s content doesn’t require that you log in with a Live ID, but eventually you’re bound to come across something like an interesting webcast or a tool you want to download that you need a Live ID to access. But the good news is that this isn’t a big deal, the Live ID system (like so many other websites and identity systems, such as Google, Facebook, Yahoo, or Open ID just to name a few) is free and just requires you provide some demographic info to sign up and get started, most often with an account that ends in a domain owned by Microsoft, such as such as “@live.com” or “@hotmail.com” (or similar country-specific domains if you’re based outside the US and want to use one).

But, if you don’t want to use one of those Microsoft domains, the nice thing about the Live ID program is that you can use any email address you have control over and set up a Live ID for it, such as “john@foo.com”. This is called an “Email As Sign In” (EASI) ID, and it’s handy if you don’t want to try to remember a bunch of different account names for multiple systems or websites. It’s also nice because email addresses through Live.com or Hotmail.com are automatically de-activated after 90 days of inactivity, so if you’re just creating an account to post to the forums at MSDN, you may not want to use Hotmail as your domain if you don’t plan on checking that account’s email after 90 days. (As an aside, I can’t understand why they still do this, especially after it was used as a means to hack the accounts of Twitter employees a few years ago.)

I like that flexibility, it seems to me like it’s a definite benefit to creating a Live ID as an EASI ID, but there are also some serious drawbacks. EASI IDs have been around for a while, you could create them back when Live ID was still known as Microsoft Passport and you could use them to chat via MSN Instant Messenger with users running Office Communications Server (OCS) 2007 via federation just like you could standard Live IDs. But the problem is that Microsoft appears to treat EASI IDs differently within the inner workings of Live ID (hence the Animal Farm reference in the title of this post); for example you couldn’t always do that OCS 2007 federation with EASI IDs, it only worked with regular Live IDs. As I was trying to figure all this out, the natural question I asked myself was “Self, why are they different?”

After I got done enjoying how clever I am (I’m not), I did some digging, and basically what I found is that there isn’t a whole lot out there about EASI IDs. There’s a post in Hotmail’s Help documentation that mentions it in the URL, but nowhere in the article. There’s an old thread about EASI IDs in OCS 2007, but it’s not relevant for anything other than historical parallels. There’s an article from November 2010 about how EASI IDs were being added to Hotmail to allow users to get email on non-Hotmail addresses. But just about the only relevant post I could find was from the blog of a Microsoft IT Active Directory administrator, where he talks about the thought Microsoft put into their account federation configuration, and even then I’m not sure how relevant that is to what is currently going on with Office 365… Even after reading through that blog post, I’m still kind of at the point where I don’t know why an EASI ID is treated differently by Microsoft than a standard Live ID; I just know that it is.

So why did I bring this up, and what in the wide world of sports does it have to do with the stuff I normally talk about on this blog, like SharePoint or Office 365? Well, it’s a bit convoluted, but it relates to a feature is new to Office 365: collaboration with users outside of your organization in your SharePoint Online team sites.

The cool thing about this new functionality (nothing like it was available in the Shared edition of SharePoint Online in BPOS) is that it allows “external users” to interact with your internal users without having to provision a User Subscription License (USL, basically a paid seat for a user) for them in your environment. Instead you only provisioned USLs for your internal users, and they log into Office 365 using either a Microsoft Online Services (MSO) ID or an ID from your own local environment that is federated with Office 365 (my previous post on Identity in Office 365 for an introduction to those two options; over time I’ll be updating it with links to more detailed posts specifically about them). But for external users, you don’t have to provision a USL for them; instead you provided them with a Partner Access License. (That’s right, they’re your PAL! This is officially my new favorite acronym. I’m going to warn you, I’m a little conflicted here because I’d really like to spend some time diving into the humorous possibilities of that acronym.) As an aside, you only are allowed a finite number of PALs in Office 365, all SKUs start with 50 available PALs and only E SKUs can purchase additional PALs but I think there’s even a cap on that amount.

This enthusiasm I have for this new external user feature in SharePoint Online is however tempered by the limitation that you can only assign a PAL to a MSO ID, so the external user you want to collaborate also has to be an Office 365 user or have access to an MSO ID in some way. Now, this wasn’t the case in the Office 365 Beta program, in the Beta you could also assign PALs to Live IDs. Or, as some Office 365 Beta participants found out (Doug Ware wrote a [understandably] frustrated blog post about this limitation last month about exactly this issue if you’re interested), you could assign PALs to some Live IDs. You could assign a PAL to a Live ID, as long as that Live ID was not an EASI ID.

As I’ve hopefully shown above, the distinction between a Live ID and an EASI ID is not an easy one to make, and I think because of that Microsoft pulled back on the new external user functionality a bit in the GA release and only allows you to assign PALs to external users with MSO IDs (i.e. other Office 365 customers from outside your organization). No PALs for Live IDs allowed, at least not for now (as best I can tell right now, they’re aiming for returning that option in the first half of 2012, but don’t hold me to that).

Another problem with EASI IDs, is that you can’t create one for an account that you have a MSO ID for, even if that account uses a domain you own rather than Microsoft’s. Does that make sense? For example, if I own “johnisawesome.com” and register it with Office 365 as a domain, I can create user accounts and assign them to that domain, such as “heckyeah@johnisawesome.com”. But if I take that account and go to Live.com and attempt to register it as a Live ID, my request will be denied because I can’t use it to create an EASI ID (interestingly, if I create an EASI ID for my account and verify it before I add my domain to Office 365, I can still create an MSO ID for that same username without any problem).

As usual, I cranked out another monster of a post on accident, so I’m going to wrap this up. Long story short, not all Live IDs are the same, and that can definitely cause some problems for you if you’re planning on using them closely with Office 365. I think part of the problem is that Live IDs integrate into so many consumer platforms from Microsoft (Windows Phone 7, Zune, Xbox, etc), and then when they come up against business and enterprise platforms like Office 365 there are issues around some of the tighter security configurations and account management policies that consumer systems don’t deal with. It’s something that Microsoft needs to figure out, and honestly I’m kind of glad they pulled back on the external access piece of SharePoint Online a bit until they could get that identity confusion functioning more effectively.

Here’s the latest Office 365 articles and posts that I’ve found interesting lately, for your reading pleasure.

This time around I’ve broken them into a couple of categories, so to start with here’s some articles I would consider definitely worth the time if you’re just getting started with Office 365 or trying to figure out if it’s right for you:

• This post is a bit old (it dates back to October 2010 from when Office 365 was initially announced), but it still has some good information to get started with, and the author has done a good job of responding to comments so there’s good stuff to be found there too: http://community.office365.com/en-us/b/microsoft_office_365_blog/archive/2010/10/19/top-10-office-365-questions-and-answers.aspx
• Here’s a helpful “How To” article describing the process for adding users to a P1 (Small Business) Office 365 plan: http://community.office365.com/en-us/f/152/p/8008/33039.aspx#33039
• The Office 365 Community site has a lot of good info on it (if you’re not checking it out regularly, you should!), and here’s another good one about how to determine which Office 365 SKU your SharePoint Online site is running: http://community.office365.com/en-us/b/office_365_technical_blog/archive/2011/07/14/determining-office-365-sku-.aspx
• Starting to see even more books about Office 365 cropping up: http://www.amazon.com/dp/1463758693/
• Four interesting things to think about when you’re considering Office 365 for your business: http://officeonlineinthecloud.com/433/top-4-reasons-why-businesses-should-take-advantage-of-microsoft-office-365/
• My friend Jennifer Mason has a great post on her blog taking a look at Office 365 from the perspective of a new user, can’t recommend this one enough! http://blogs.sharepoint911.com/blogs/jennifer/Lists/Posts/Post.aspx?ID=83
• Here’s a great set of tips from Steve Mann about how to properly set up your Office 365 account, another must read: http://stevemannspath.blogspot.com/2011/08/office-365-ramp-up-tips.html

These articles are going to be most relevant if you’re a current BPOS customer and still trying to figure out how you’re going to move to Office 365:

• If you hadn’t heard about it yet, Live Meeting will be phasing out of Office 365 in the next few years (I don’t think its available for new subscriptions, but will be continued for customers transitioning from BPOS to Office 365 for the next 18 months or so) and replaced by functionality in Lync Online. It’s not a 1:1 replacement (I’ll try to get a blog post up about the differences here soon), so its important that you plan out the right way to move from Live Meeting Online to Lync Online. Here’s documentation from Microsoft to help you get started: http://technet.microsoft.com/en-us/lync/hh182968
• This post scratches a lot of itches for me, it’s about how to migrate on premise mailboxes (I think this will mainly work for Exchange, but the post indicates that Hotmail could somehow also be possible…) to Exchange Online in Office 365 via PowerShell: http://blog.c7solutions.com/2011/07/migrate-to-office-365-using-command.html
• A few LWL posts ago I linked to a manual migration solution proposed by a vendor called MigrationWiz that BPOS customers could use to migrate from BPOS to Office 365 on their own. Another vendor, Paradyne, tested out that process and was nice enough to post their findings, and more importantly, provide an additional step they found to be quite helpful. I highly recommend this one if you’re contemplating this approach:http://www.bpossibility.com/2011/07/29/manually-migrating-from-bpos-to-office-365/

Enjoy!

John

Here’s the latest Office 365 articles and posts that I’ve found interesting lately, for your reading pleasure:

• This is some interesting competitive analysis compiled by Microsoft partner AgileIT comparing Office 365 and Google Apps, with Apple thrown in as an interesting reference point: http://www.agileit.com/Blog/Lists/Posts/Post.aspx?ID=864
• Back on July 22nd, I linked to a tool, the Cloud Connector, from a company called Layer2 that can be used to integrate local data into the Office 365 cloud. One of their team members has posted a nice video on YouTube showing how it can be used to connect data from an on-premise CRM implementation to Office 365: http://www.youtube.com/watch?v=-bN_I8hcZbo
• This blog seems to have a nice approach, briefly addressing one item at a time about SharePoint. Ahh, brevity…something I’m completely incapable of In this post, Stephen looks at some of the differences between developer SharePoint for an on-premise solution versus SharePoint Online (he calls them gotchas, I think that’s a bit unfair): http://share1point.com/2011/05/office365devgotcha/
• This article is a bit dated, but still worth a look if you want to see some of the issues the author had with the Office 365 Beta before it was publicly released: http://reseller.co.nz/reseller.nsf/inews/microsofts-office-365-not-ready-to-leave-beta-analyst-says
• Something I was always pleased with in BPOS was the quality of its help documentation (something I reflexively expect to suck, and always have a hard time remembering that Microsoft has gotten a lot better in that area over the years), and they’ve kept it going with Office 365. This article covers how to set up a hybrid Exchange Deployment and Migration for on-premise and Office 365: http://help.outlook.com/en-us/140/ff633682.aspx
• If you’re currently a BPOS customer and want to know more about when your account will be moved to Office 365, you need to start with the Transition center website Microsoft has set up to help you learn more about it: http://www.microsoft.com/online/transition-center.aspx

That’s it for now (lots more to come soon though), hope they’re helpful!

John

A little over a year ago, I ran into an odd situation at a client that I was recently reminded of while listening to Todd Klindt’s SharePoint Admin Netcast (Episode 87), which I highly recommend. The root cause of my issue was very similar to what Todd went through with users downloading files from his blog, but there’s also some interesting differences in how the issue presented itself for me that I wanted to go ahead and get it written down in case anyone else out there runs into a similar problem down the road. In my case, we were having issues because an Adobe Illustrator file was opening on client computers in Adobe Acrobat Reader rather than its actual default application: Adobe Illustrator.

So here’s the background on the scenario. We built out a WSS v3 and Search Server Express 2008 environment (we started planning it out w/ the customer while SharePoint 2010 was still in Beta, and none of us wanted to wait on it) on Windows Server 2008 R2 with IIS 7.5. End users were running Windows XP (which I sometimes accidentally refer to as the Fisher Price operating system, sorry!), Office 2003/2007 (another reason why we waited on SharePoint 2010), and IE 7 or 8. The environment was running pretty well, and we were in the early stages of running a Pilot program for early adopters and the SharePoint steering committee.

One of the key use cases for this SharePoint environment was to allow the company’s marketing department to share and access a vast bank of digital media (mainly images, but also some videos) that they had accumulated over the years. Most of it was stored in multiple locations, but they were going to move it to a centralized network file share so it could be indexed by Search Server Express and be searchable from within SharePoint (a lot of the files were pretty large, so SharePoint’s content databases didn’t seem like the right place to put it, but it was something we planned on re-evaluating once we got to 2010 with its enhanced media management capabilities and remote BLOB storage). The other thing the marketing department wanted to do was to use SharePoint’s check in/check out and versioning functionality to be able to collaborate more easily on image documents that they were working on for various marketing campaigns. This could include image file formats we’re using to seeing in Internet sites such as .JPG, .GIF., and .PNG, as well as file formats for editing tools like Adobe Photoshop (.PSD) and Adobe Illustrator (.AI).

My main concern was to make sure that the users were going to be able to upload files with those .PSD and .AI file extensions into the WSS sites, so I confirmed that they weren’t listed on the blocked file types list in the WSS Central Admin site (if you’re looking for info on that, this TechNet article has the default list for WSS v3 and instructions at the bottom of the list on how to modify it in your farm: http://technet.microsoft.com/en-us/library/cc287701%28office.12%29.aspx) and figured that was that. And as usual when I make assumptions like this one, it turns out that wasn’t that.

A week or so after I opened up the marketing team’s site, the steering committee member from marketing told me about a strange issue he was having. He had uploaded several Photoshop and Illustrator files into a document library in his site without any issue, but was running into a major problem whenever he tried to open an Illustrator file from the library. When he opened it (didn’t matter if he was doing it as an Edit or just by clicking on it), his computer was always using Adobe Acrobat Reader to open the .AI file, instead of Illustrator. My initial thought was that this was an issue with his client computer; that somehow the mapping of the default application that the computer should use to open Illustrator files had been changed to incorrectly point to Acrobat Reader instead of Illustrator. But we quickly proved that wasn’t the case, because he was able to double-click on local .AI files and they automatically opened in Illustrator on his computer. I also saw that it happened for other users on the same computer (so it wasn’t an issue with his local profile in XP), as well as other users with Illustrator installed on their computers (which indicated it was a server-based problem, rather than a local workstation issue).

It’s been a long, long, long time since I spent any serious time in Adobe Illustrator (believe it or not, I used to be a Mac diehard, but I haven’t seriously used one since Mac OS version 7.5.5), so I ran the problem by a teammate who does. What he came back with surprised me (I still kind of thought it was a client issue at this point), but shouldn’t have. It turns out that the problem was in IIS, with how the web server was telling the client computers what type of file they were being sent when the user tried to open the .AI file. IIS uses something called MIME types (MIME as in Multipurpose Internet Mail Extensions, not Marcel Marceau) to indicate what type of data is contained in a file by mapping file extensions to a type of file content; its how your computer knows that a .PPTX file you’re downloading from Sky Drive should be opened in PowerPoint instead of Outlook. And in this case, IIS didn’t quite know what to do with the .AI file type for Adobe Illustrator so it was mapping it to the MIME type for PDF files, which led to the client computer always trying to open it with Acrobat Reader.

Once we had that figured out, all I had to do to resolve the issue was to add a new MIME type to the IIS servers in the farm for the .AI file extension with a value of “image/ai”. After that was configured properly in IIS and saved, users were able to successfully open Illustrator files directly from a SharePoint site with the Illustrator client application without a problem. If you want more details on how to add MIME types in IIS 7/7.5, there’s a very good article on TechNet you should check out (http://technet.microsoft.com/en-us/library/cc725608%28WS.10%29.aspx), it tells you how to do it from both within the IIS Manager UI and from the command line.