Posted by: John Ferringer | August 8, 2011

All Live IDs are Equal, Some are Just More Equal than Others, and Why that Matters with Office 365

If you’re a frequent visitor to any of Microsoft’s public websites like I am, there’s a good chance you use a Live ID at some point to log into those sites, whether it’s Hotmail, MSDN, TechNet, MSN, or another resource. Most of Microsoft’s content doesn’t require that you log in with a Live ID, but eventually you’re bound to come across something like an interesting webcast or a tool you want to download that you need a Live ID to access. The good news is that this isn’t a big deal: the Live ID system (like so many other websites and identity systems, such as Google, Facebook, Yahoo, or OpenID, just to name a few) is free and just requires that you provide some demographic info to sign up and get started, most often with an account that ends in a domain owned by Microsoft, such as “” or “” (or similar country-specific domains if you’re based outside the US and want to use one).

But, if you don’t want to use one of those Microsoft domains, the nice thing about the Live ID program is that you can use any email address you have control over and set up a Live ID for it, such as “”. This is called an “Email As Sign In” (EASI) ID, and it’s handy if you don’t want to try to remember a bunch of different account names for multiple systems or websites. It’s also nice because email addresses through or are automatically de-activated after 90 days of inactivity, so if you’re just creating an account to post to the forums at MSDN, you may not want to use Hotmail as your domain if you don’t plan on checking that account’s email after 90 days. (As an aside, I can’t understand why they still do this, especially after it was used as a means to hack the accounts of Twitter employees a few years ago.)

I like that flexibility, and it seems to me like a definite benefit of creating a Live ID as an EASI ID, but there are also some serious drawbacks. EASI IDs have been around for a while: you could create them back when Live ID was still known as Microsoft Passport, and you could use them to chat via MSN Instant Messenger with users running Office Communications Server (OCS) 2007 via federation, just like you could with standard Live IDs. But the problem is that Microsoft appears to treat EASI IDs differently within the inner workings of Live ID (hence the Animal Farm reference in the title of this post); for example, you couldn’t always do that OCS 2007 federation with EASI IDs, it only worked with regular Live IDs. As I was trying to figure all this out, the natural question I asked myself was “Self, why are they different?”

After I got done enjoying how clever I am (I’m not), I did some digging, and basically what I found is that there isn’t a whole lot out there about EASI IDs. There’s a post in Hotmail’s Help documentation that mentions it in the URL, but nowhere in the article. There’s an old thread about EASI IDs in OCS 2007, but it’s not relevant for anything other than historical parallels. There’s an article from November 2010 about how EASI IDs were being added to Hotmail to allow users to get email on non-Hotmail addresses. But just about the only relevant post I could find was from the blog of a Microsoft IT Active Directory administrator, where he talks about the thought Microsoft put into their account federation configuration, and even then I’m not sure how relevant that is to what is currently going on with Office 365… Even after reading through that blog post, I’m still kind of at the point where I don’t know why an EASI ID is treated differently by Microsoft than a standard Live ID; I just know that it is.

So why did I bring this up, and what in the wide world of sports does it have to do with the stuff I normally talk about on this blog, like SharePoint or Office 365? Well, it’s a bit convoluted, but it relates to a feature that is new to Office 365: collaboration with users outside of your organization in your SharePoint Online team sites.

The cool thing about this new functionality (nothing like it was available in the Shared edition of SharePoint Online in BPOS) is that it allows “external users” to interact with your internal users without having to provision a User Subscription License (USL, basically a paid seat for a user) for them in your environment. Instead you only provision USLs for your internal users, and they log into Office 365 using either a Microsoft Online Services (MSO) ID or an ID from your own local environment that is federated with Office 365 (see my previous post on Identity in Office 365 for an introduction to those two options; over time I’ll be updating it with links to more detailed posts specifically about them). But for external users, you don’t have to provision a USL; instead you provide them with a Partner Access License. (That’s right, they’re your PAL! This is officially my new favorite acronym. I’m going to warn you, I’m a little conflicted here because I’d really like to spend some time diving into the humorous possibilities of that acronym.) As an aside, you are only allowed a finite number of PALs in Office 365: all SKUs start with 50 available PALs and only E SKUs can purchase additional PALs, but I think there’s even a cap on that amount.

My enthusiasm for this new external user feature in SharePoint Online is, however, tempered by the limitation that you can only assign a PAL to an MSO ID, so the external user you want to collaborate with also has to be an Office 365 user or have access to an MSO ID in some way. Now, this wasn’t the case in the Office 365 Beta program; in the Beta you could also assign PALs to Live IDs. Or, as some Office 365 Beta participants found out (Doug Ware wrote an [understandably] frustrated blog post about exactly this limitation last month, if you’re interested), you could assign PALs to some Live IDs. You could assign a PAL to a Live ID, as long as that Live ID was not an EASI ID.

As I’ve hopefully shown above, the distinction between a Live ID and an EASI ID is not an easy one to make, and I think because of that Microsoft pulled back on the new external user functionality a bit in the GA release and only allows you to assign PALs to external users with MSO IDs (i.e. other Office 365 customers from outside your organization). No PALs for Live IDs allowed, at least not for now (as best I can tell right now, they’re aiming for returning that option in the first half of 2012, but don’t hold me to that).

Another problem with EASI IDs is that you can’t create one for an account that you have an MSO ID for, even if that account uses a domain you own rather than Microsoft’s. Does that make sense? For example, if I own “” and register it with Office 365 as a domain, I can create user accounts and assign them to that domain, such as “”. But if I take that account and go to and attempt to register it as a Live ID, my request will be denied because I can’t use it to create an EASI ID (interestingly, if I create an EASI ID for my account and verify it before I add my domain to Office 365, I can still create an MSO ID for that same username without any problem).

As usual, I cranked out another monster of a post on accident, so I’m going to wrap this up. Long story short, not all Live IDs are the same, and that can definitely cause some problems for you if you’re planning on using them closely with Office 365. I think part of the problem is that Live IDs integrate into so many consumer platforms from Microsoft (Windows Phone 7, Zune, Xbox, etc), and then when they come up against business and enterprise platforms like Office 365 there are issues around some of the tighter security configurations and account management policies that consumer systems don’t deal with. It’s something that Microsoft needs to figure out, and honestly I’m kind of glad they pulled back on the external access piece of SharePoint Online a bit until they could get that identity confusion functioning more effectively.



  1. […] The thing I like about Identity in Office 365 is that there is flexibility in the options you have available to get your users into the Office 365 Cloud, but it’s not without its challenges as well. To me, the biggest challenge is sorting through all of the available choices you can make in this area, because it can get really confusing when you start to take a look at things like Identity Federation (which allows your users to log in with their local Active Directory accounts) and Lync Online Federation (which allows users in your organization to communicate via instant message with users in other organizations), which are two very different technical options that use the same terminology. Then there’s the fact that some of the choices that Microsoft had to make in preparing Office 365 for RTM have even further muddied these waters (here’s an example I’ve blogged about: All Live IDs are Equal, Some are Just More Equal than Others, and Why that Matters with Office 365). […]

  2. […] EASI ID (a Live ID you create with your own email address, see my post on EASI IDs for more […]
