Monthly Archives: July 2012

Office 365 – Delegated Administration with UMRA

I’m on my second Office 365 project using Tools4ever’s UMRA, and it looks like more are coming down the pipeline; Microsoft’s got a pretty hot product here!

Office 365 & Exchange 2010 Online

I’ve got my hands dirty on a recent “Live@EDU to Office 365 Migration” project; some takeaways:

  • Office 365 and Exchange 2010 Online are two separate entities with separate account storage
  • Office 365 is nothing more than account storage – federated identity, if you will – plus “license” management (i.e. this user gets email, but this other user gets SharePoint too)
  • If you create an account in Office 365 with an Exchange 2010 Online license, within a few seconds that same account will exist in Exchange 2010 Online
  • If you create an account in Exchange 2010 Online (using its own management tools), within a few seconds that same account will exist in Office 365 (though it will be missing the “License” and “Location” settings, so it is flagged with errors)
  • The PowerShell interface used to manage Exchange 2010 Online is the same as for Live@EDU or on-premises Exchange 2010, but it is different from the Office 365 cmdlets

Office 365 Delegated Administration Web Portal

Office 365 management tools do not support the following scenario: Location-Based Access Control (LBAC), where administrators in a given business unit can only administer users within their own business unit, or within other business units they have been explicitly granted administrative access to. I’ve got a project in the scoping/Proof of Concept stage where we intend to make this LBAC look something like this:

  1. All Office 365 users have “Department” (or some other attribute) set to a business unit code, e.g. “FIN”
  2. We set up Office 365 groups for the administrators, e.g. “Admins-FIN”
  3. We set up an IIS website with Windows Authentication in the client’s on-premises Active Directory
    1. AD has single sign-on and sync with Office 365 (using Microsoft’s tools for this particular client, but it could have been done with UMRA)
  4. We only allow members of the “Admins-*” groups to log into the website
  5. All administrative actions are limited to the appropriate business units – e.g. if you’re in “Admins-FIN”, you can only find users with “FIN” in the “Department” attribute, and you can manage only their licenses, attributes, etc.
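As an added illustration of the scope rule in steps 1–5 (my own sketch, not the author’s portal code, which is not on the page), this Python snippet derives the permitted business units from “Admins-*” group memberships, filters the user search by “Department”, and re-checks scope on every administrative action instead of trusting the already-filtered list. The group names, department codes and directory entries are constructed sample data.

```python
import re
from dataclasses import dataclass

# Only groups named exactly "Admins-<UNIT>" grant scope; "Admins-FIN-Readonly" would not match.
ADMIN_GROUP_RE = re.compile(r"^Admins-(?P<unit>[A-Za-z0-9]+)$")


@dataclass(frozen=True)
class DirectoryUser:
    upn: str
    department: str  # business unit code, e.g. "FIN" (constructed sample attribute)


class AccessDenied(Exception):
    pass


def admin_units(groups):
    """Business units the caller may manage, derived from Admins-* memberships (upper-cased)."""
    units = set()
    for name in groups:
        match = ADMIN_GROUP_RE.match(name)
        if match:
            units.add(match.group("unit").upper())
    return units


def require_admin(groups):
    """Step 4: anyone without at least one Admins-* membership is refused outright."""
    units = admin_units(groups)
    if not units:
        raise AccessDenied("not a member of any Admins-* group")
    return units


def search_users(groups, directory, query=""):
    """Step 5: the search only ever returns users whose Department is inside the caller's scope."""
    units = require_admin(groups)
    q = query.lower()
    return [u for u in directory if u.department.upper() in units and q in u.upn.lower()]


def set_license(groups, directory, upn, license_name):
    """Re-check scope on the action itself; the filtered search result is not the authorization."""
    units = require_admin(groups)
    target = next((u for u in directory if u.upn == upn), None)
    if target is None or target.department.upper() not in units:
        raise AccessDenied(f"{upn} is outside the administrative scope {sorted(units)}")
    return {"upn": upn, "license": license_name, "department": target.department}


# Constructed sample directory standing in for the AD / Office 365 user store.
DIRECTORY = [
    DirectoryUser("alice@example.com", "FIN"),
    DirectoryUser("bob@example.com", "FIN"),
    DirectoryUser("carol@example.com", "HR"),
]
```

The same check belongs in front of every write path (attributes, licenses, group changes), because a client that skips the search page can still post a UPN from another business unit.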

For performance’s sake, I’m thinking it will be best to keep the LBAC and user searching all on the AD side rather than in Office 365, but either way should work. Stay tuned for how this ultimately works out!