Tag Archives: office 365

Microsoft Planner: a good task management solution for small teams?

It is a common scenario for any team: you have projects which break down into various tasks, and you need to assign tasks to team members with deadlines. The low-tech solution is that you have a meeting, you assign the tasks, and each person organises their time in whatever way works for them. A calendar entry with a reminder, perhaps, or a task entry with a reminder, if you use Outlook and Exchange or Office 365.

But what if you want a project-level view of how the tasks are going? Again there are low-tech solutions like Excel spreadsheets or even a whiteboard on the wall. Of course there are software solutions as well. On Microsoft’s platform (which is the subject of this post) you could use Microsoft Project. A user license for Project Online Professional is currently £22.60 per month, though, more than double the cost of an Office 365 Business Premium account (£9.40). Even a team member license (Project Online Essentials) is £5.30. It seems a big leap in cost, and is more than many businesses need in terms of features.

There is an alternative, which is Microsoft Planner. This is one of those Office 365 apps that is not all that well known, and it comes for free with most Office 365 plans. It gives you basic project management, with the ability to assign tasks to team members.

You can find Planner by logging into Office 365 and choosing Planner from the All Apps view.

image

Once Planner opens you can create a plan.

image

I advise a careful look at this dialog before clicking Create plan. If you have one big project, such as perhaps a new product you are developing, a plan dedicated to that project makes sense. If you have multiple small projects though, it would be better to have a single plan to contain multiple projects. The reason is that plans have a relatively high overhead. Each plan by default creates an Office 365 group and an Office 365 Sharepoint site. This could easily become a maintenance nightmare. Within a plan though, you can have multiple buckets, and each bucket can contain multiple tasks.

Note also that you can use an existing Office 365 group. It might make sense to create the group first, if only to get a sensible name. By default, the group gets the game of the plan. Only one Sharepoint site is created per group, so this is more lightweight (phew!).

After thinking this through you hit Create plan. The plan is created and you can get on with adding tasks, the base unit of a plan.

A few things about tasks:

– they have due dates

– they are assigned to one or more team members

– they can have checklists of sub-tasks which you check off

– they can have attachments

– they have a status of “Not started”, “in progress”, or “complete”

image

Tasks can be grouped into buckets (a good idea). Once you have a few tasks you can view charts showing progress and a schedule showing when task completion is due.

image

When members are assigned a task, they get an email notification.

image

And as I mentioned there is Sharepoint site which can have all sorts of junk added to it.

image

Now a few observations. Planner looks useful but as so often with these Microsoft apps, there are things that make you want to bang your head against the nearest wall. The most obvious problem is that Planner tasks do not integrate with Outlook tasks. The best you can do is to export the plan schedule to an Outlook calendar. Guess what is the top user request for Planner?

image

From here we learn of an added complication, that Outlook tasks are being replaced by Microsoft To-Do. Inevitable perhaps but I like Outlook tasks and the fact that everything is in an Exchange mailbox, and therefore easy to manage.

Still, the good news is that it says In Development.

Other limitations? Well, Planner is very basic. You cannot even have dependent tasks. You cannot set status to show the degree to which a task is complete, which even Outlook tasks can do. No Gantt charts either. Or features like milestones, cost tracking, risk assessment, time management, templates, prioritisation, projections, or other such features.

In fact, you cannot even export to Excel, the second most requested feature (the team is working on this too).

image

You cannot help but wonder if Microsoft does not want to make Planner too good, lest it cut into lucrative Project sales.

If so, this is to my mind wrongheaded. For every Project sale lost, there would be three sales won for Office 365 if it came with an excellent project management tool built in. There is also the problem of duplicated effort. Why not get the Project team to develop Project Lite for Office 365, limited by lack of some of the more advanced features, but with a smooth upgrade path, rather than making an alternative product which is still not fully ready?

Still, Planner is free with Office 365, and worth being aware of if you can get it to do what you need.

Office 365 vs Office 2019 vs LibreOffice: some thoughts

What has rescued Microsoft in the cloud era? It seems to me that Office 365, rather than Azure, is its most strategic product. Users do not like too much change; and back when Office 365 was introduced in 2011 it offered an easy way for businesses small and large to retire their Exchange servers while retaining Outlook with all its functionality (Outlook works with other mail servers but with limited features). You also got SharePoint online, cloud storage, and in-browser versions of Word, Excel and PowerPoint.

There was always another aspect to Office 365 though, which is that it allowed you to buy the Office desktop applications as a subscription. Unless you are the kind of person (or business) that happily runs old software, the subscription is better value than a permanent license, especially for small businesses. Currently Office 365 Business Premium gets you Outlook, Word, Excel, PowerPoint, OneNote and Access, as well as hosted Exchange and SharePoint etc, for £9.40 per month. Office Home and Business (which does not include Access) is £250, or about the same as two years subscription, and can only be installed on one PC or Mac, versus 5 PCs or Macs, 5 tablets and 5 mobile devices for the subscription product.

The subscription product is called Office 365, and the latest version of the desktop suite is called Office 2019. Microsoft would much rather you bought the subscription, not only because it delivers recurring revenue, but also because Office 365 is a great upselling opportunity. Once you are on Office 365 and Azure Active Directory, products like Dynamics 365 are a natural fit.

Microsoft’s enthusiasm for the subscription product has resulted in a recent “Twins Challenge” campaign which features videos of identical twins trying the same task in both Office 365 and Office 2019. They are silly videos and do a poor job of selling the Office 365 features. For example, in one video the task is to “fill out a spreadsheet with data about all 50 states” (US centric or what?).

image

In the video, the Office 365 guy is done in seconds thanks to Excel Data Types, a new feature which uses online data from the Bing search engine to provide intelligent features like entering population, capital city and so on. It seems though that the twins were pre-provided with a spreadsheet that had a list of the 50 states, as Excel cannot enter these automatically. And when I tried my own exercise with a few capital cities I found it frustrating because not much data was available, and the data is inconsistent so that one city has fields not available for another city. So my results were not that great.

image

I’m also troubled to see data like population chucked into a spreadsheet with no information on its source or scope. Is that Greater London (technically a county) or something less than that? What year? Whose survey? These things matter.

Perhaps even more to the point, this is not what most users do with Office. It varies of course; but a lot of people type documents and do simple spreadsheets that do not stress the product. They care about things like will it print correctly, and if I email it, will the recipient be able to read it OK. Office to be fair is good in both respects, but Microsoft often struggles to bring new features to Office that matter to a large proportion of users (though every feature matters to someone).

It is interesting to browse through the new features in Office 2019, listed here. LaTeX equation support, nice. And a third time zone in Outlook, handy if you discover it in the convoluted Outlook UI (and yes, discoverability is a problem):

image

It is worth noting though that for document editing the free LibreOffice is excellent and good enough for a lot of purposes. You do not get Outlook though, and Calc is no Excel. If you mostly do word processing though, do look at LibreOffice, it is better in some respects than Word (style support, for example).

I use Office constantly and like all users, I do have a list of things I would like fixed or improved, that for the most part seem to be completely different from what the Office team focuses on. There are even longstanding bugs – see the recent comment. Ever had an email in Outlook, clicked Reply, and found that the the formatting and background of the original message affects your reply text as well and the only way to fix it is to remove all formatting? Or been frustrated that Outlook makes it so hard to make interline comments in a reply with sensible formatting? Or been driven crazy by Word paragraph numbering and indentation when you want to have more than one paragraph within the same numbered point? Little things; but they could be better.

Then again there is Autosave (note quite different from autorecover), which is both recent and a fantastic feature. Unfortunately it only works with OneDrive. The value of this feature was brought home to me by an anecdote: a teenager who lost all the work in their Word document because they had not previously encountered a Save button (Google docs save automatically). This becomes what you expect.

So yes, Office does improve, and for what you get it is great value. Will Office 2019 users miss lots of core features? No. In most cases though, the Office 365 subscription is much better value.

OneDrive Upload Blocked and the “Use Office 2016 to sync Office files” setting

For several years the story with Office 365 was that email (essentially hosted Exchange) works great but OneDrive cloud storage, not so good. The main issues were not with the cloud storage as such, but with the sync client on Windows. It would mysteriously stop syncing and require a painful reset process to get it going again.

Microsoft squashed a lot of bugs and eventually released a much-improved “Next generation sync client” (NGSC) based on consumer OneDrive rather than Groove technology.

In the 2017 Windows 10 Fall Creators Update Microsoft also introduced Files on Demand, a brilliant feature that lists everything available but downloads only the files that you use.

The combination of the new sync client and Files on Demand means that life has got better for OneDrive users. It is not yet perfect though, and recently I came across another issue. This is where you get a strange “Upload blocked” message when attempting to save a document to the OneDrive location on your PC. Everything works fine if you go to the OneDrive site on the web; but this is not the way most users want to work.

The most popular fix for this problem is to go into OneDrive settings (right-click the little cloud icon to the right of the taskbar and choose Settings). Then find the Office tab and uncheck “Use Office 2016 to sync Office files that I open.” But don’t do that yet!

If you check this thread you will see that over a thousand users clicked to say they had the same problem, and over 400 clicked to say that the solution helped them. Significant numbers for one thread.

image

But what does this option do? It appears that checking the option makes big changes to the way Office files are saved. Here is the explanation:

Similar to how Office opens files, saves start with the locally synced file. After the file saves, Office will upload changes directly to the server. If Office can’t upload because the device is offline, you can keep working offline or close the file. Office will continue to save to the locally synced file, and OneDrive will handle the upload once the device gets back online. In this integration, Office works directly with the files that are currently open, enabling co-authoring in Office apps like Word on the desktop, which no competitor offers. For files that are not open in Office, OneDrive handles all syncing. This is the key difference between the old sync client integration and the NGSC, and this lets us achieve co-authoring along with the best  performance and sync reliability.

We can conclude from this that the “upload blocked” message comes when Office (not OneDrive) tries to “upload changes directly to the server”. Office as well as OneDrive needs to be signed in. The place to check these settings in on the Account tab of the File menu in an Office application like Word or Excel. There is a section called Connected Services and you need to make sure this lists all the OneDrive locations you use.

I suggest that you check these settings before unchecking the “use Office 2016 to sync” option in OneDrive. However, if it still does not work and you cannot troubleshoot it, it is worth a try to get reliable OneDrive sync

If you uncheck the “User Office 2016” option you will lose a couple of features:

  • Real-time co-authoring with the desktop application
  • Merge changes to resolve conflicts

The first of these features is amazing but many people rarely use it. It depends on the way you and your organization work. The second is to my mind a bit hazardous anyway.

Microsoft’s 82 Ignite announcements: what really matters

Microsoft’s PR team has helpfully summarised many of the announcements at the Ignite event, kicking off today in Orlando. I count 82, but you might make it fewer or many more, depending on what you call an announcement. And that is not including the business apps announcements made at the end of last week, most notably the arrival of the HoloLens-based Remote Assist in Dynamics 365.

image

Not all announcements are equal. Some, like the release of Windows Server 2019, are significant but not really news; we knew it was coming around now, and the preview has been around for ages. Others, like larger Azure managed disk sizes (8, 16 and 32TB) are cool if that is what you need, but hardly surprising; the specification of available cloud infrastructure is continually being enhanced.

Note that this post is based on what Microsoft chose to reveal to press ahead of the event, and there is more to come.

It is worth observing though that of these 82 announcements, only 3 or 4 are not cloud related:

  • SQL Server 2019 public preview
  • [Windows Server 2019 release] – I am bracketing this because many of the new features in Server 2019 are Azure-related, and it is listed under the heading Azure Infrastructure
  • Chemical Simulation Library for Microsoft Quantum
  • Surface Hub 2 release promised later this year

Microsoft’s journey from being an on-premises company, to being a service provider, is not yet complete, but it is absolutely the focus of almost everything new.

I will never forget an attendee at a previous Microsoft event a few years back telling me, “this cloud stuff is not relevant to us. We have our own datacenter.” I cannot help wondering how much Office 365 and/or Azure that person’s company is consuming now. Of course on-premises servers and applications remain important to Microsoft’s business, but it is hard to swim against the tide.

Ploughing through 82 announcements would be dull for me to write and you to read, so here are some things that caught my eye, aside from those already mentioned.

1. Azure confidential computing in public preview. A new series of VMs using Intel’s SGX technology lets you process data in a hardware-enforced trusted execution environment.

2. Cortana Skills Kit for Enterprise. Currently invite-only, this is intended to make it easier to write business bots “to improve workforce productivity” – or perhaps, an effort to reduce the burden on support staff. I recall examples of using conversational bots for common employee queries like “how much holiday allowance do I have remining, and which days can I take off?”. As to what is really new here, I have yet to discover.

3. A Python SDK for Azure Machine Learning. Important given the popularity of Python in this space.

4. Unified search in Microsoft 365. Is anyone using Delve? Maybe not, which is why Microsoft is bringing a search box to every cloud application, which is meant to use Microsoft Graph, AI and Bing to search across all company data and bring you personalized results. Great if it works.

5. Azure Digital Twins. With public preview promised on October 15, this lets you build “comprehensive digital models of any physical environment”. Once you have the model, there are all sorts of possibilities for optimization and safe experimentation.

6. Azure IoT Hub to support the Android Things platform via the Java SDK. Another example of Microsoft saying, use what you want, we can support it.

7. Azure Data Box Edge appliance. The assumption behind Edge computing is both simple and compelling: it pays to process data locally so you can send only summary or interesting data to the cloud. This appliance is intended to simplify both local processing and data transfer to Azure.

8. Azure Functions 2.0 hits general availability. Supports .NET Core, Python.

9. Helm repositories in Azure Container Registry, now in public preview.

10 Windows Autopilot support extended to existing devices. This auto-configuration feature previously only worked with new devices. Requires Windows 10 October Update, or automated upgrade to this.

Office and Office 365

In the Office 365 space there are some announcements:

1. LinkedIn integration with Office 365. Co-author documents and send emails to LinkedIn contacts, and surface LinkedIn information in meeting invites.

2. Office Ideas. Suggestions as you work to improve the design of your document, or suggest trends and charts in Excel. Sounds good but I am sceptical.

3. OneDrive for Mac gets Files on Demand. A smarter way to use cloud storage, downloading only files that you need but showing all available documents in Mac Finder.

4. New staff scheduling tools in Teams. Coming in October. ”With new schedule management tools, managers can now create and share schedules,employees can easily swap shifts, request time off, and see who else is working.” Maybe not a big deal in itself, but Teams is huge as I previously noted. Apparently the largest Team is over 100,000 strong now and there are 50+ out there with 10,000 or more members.

Windows Virtual Desktop

This could be nothing, or it could be huge. I am working on the basis of a one-paragraph statement that promises “virtualized Windows and Office on Azure … the only cloud-based service that delivers a multi-user Windows 10 experience, is optimized for Office 365 Pro Plus … with Windows Virtual Desktop, customers can deploy and scale Windows and Office on Azure in minutes, with built-in security and compliance.”

Preview by the end of 2018 is targeted.

Virtual Windows desktops are already available on Azure, via partnership with Citrix or VMWare Horizon, but Microsoft has held back from what is technically feasible in order to protect its Windows and Office licensing income. By the time you have paid for licenses for Windows Server, Remote Access per user, Office per user, and whatever third-party technology you are using, it gets expensive.

This is mainly about licensing rather than technology, since supporting multiple users running Office applications is now a light load for a modern server.

If Microsoft truly gets behind a pure first-party solution for hosted desktops on Azure at a reasonable cost, the take up would be considerable since it is a handy solution for many scenarios. This would not please its partners though, nor the many hosting companies which offer this.

On the other hand, Microsoft may want to compete more vigorously with Amazon Web Services and its Workspaces offering. Workspaces is still Windows, but of course integrates nicely with AWS solutions for storage, directory, email and so on, so there is a strategic aspect here.

Update: A little more on Microsoft Virtual Desktop here.

More details soon.

Microsoft Office 365 and Google G-Suite: why multi-factor authentication is now essential

Businesses using Office 365, Google G-Suite or other hosted environments (but especially Microsoft and Google) are vulnerable to phishing attacks that steal user credentials. Here is a recent example, which sailed through Microsoft’s spam and malware filters despite its attempts to use AI and other techniques to catch them.

image

If a user clicks the link and signs in, the bad guys have their credentials. What are the consequences?

– at best, a bunch of spam sent out from the user’s account, causing embarrassment and a quick password reset.

– at worst, something much more serious. Once an unauthorised party has user credentials, there are all sorts of social engineering possibilities to escalate the attack, obtain other credentials, or see what interesting data can be found in collaborative document stores and shared applications.

– another risk is to discover information about an organisation’s customers and contact them to advise of new bank details which of course direct payments to the attacker’s account.

The truth is there are many risks and it is worth every effort to prevent this happening in the first place.

However, it is hard to educate every user to the extent that you can be confident they will never click a link in an email such as the one above, or reveal their password in some other way – such as using the same one as one that has been leaked – check here to find out, for example.

Multi-factor authentication (MFA), which is now easy to set up on both Office 365 or G-Suite, helps matters by requiring users to enter a one-time code from their mobile, either via an authenticator app or a text message, before they can log in. It does not cost any extra and now is the time to set it up, if you have not already.

It seems to me that in some ways the prevalence of a few big providers in hosted email and applications has made matters easier for the hackers. They know that a phishing attack simulating, say, Office 365 support will find many potential victims.

The more positive view is that even small businesses can now easily use Enterprise-grade security, if they choose to take advantage.

I do not think MFA is perfect. It usually depends on a mobile phone, and given that possession of a user’s phone also often enables you to reset the password, there is a risk that the mobile becomes the weak link. It is well known that social engineering against mobile providers can persuade them to cancel a SIM and issue a new one to an impostor.

That said, hijacking a phone is a lot more effort than sending out a million phishing emails, and on balance enabling MFA is well worth it.

Microsoft announces free version of Teams, ahead of Inspire partner conference

Microsoft’s partner conference, Inspire, kicks off in Las Vegas next week; and as part of the event the company has announced big news concerning Teams: a free version.

image

What is Teams? It is a collaboration tool for Office 365, or at least it was, since the new free version can be used with any email address and without Office 365. Here is what you get:

  • Chat
  • Audio and video calling
  • 10GB online storage, plus 2GB for each additional team member (SharePoint/OneDrive)
  • Word, Excel and PowerPoint online
  • Ability to install unlimited additional applications

Teams is a strategic product for Microsoft – see here for the reason. A free version is way for the company to promote Office 365, and you will see an upgrade link in the user interface.

There are also new features coming to Teams. One seems minor, but will be popular. It deals with the problem of video conferencing from home, and not being sure what may happen behind you. You may remember this:

image

So now Teams video conferencing will let you blur the background. Here is Raanah Amjadi, Marketing Manager, Microsoft Teams, demonstrating the feature:

image

In addition, Teams is getting a new Live Events feature. This is where you broadcast a presentation or meeting to others in your company. Automatic speech-to-text will do close captions (so you can watch with the sound done, if you trust it enough), and this then enables text search of the event with index points into the video. Bing Translate is also included in Teams so you can have multi-lingual conversations.

image

Microsoft Workplace Analytics is getting enhancements including “My Analytics” which will give you AI-powered “nudges” in Outlook online. I am not sure I trust this to be much real-world use; but the example shown was intriguing: alert you if you try to schedule a meeting with someone out of their working hours.

Whiteboard, a collaboration canvas, is now generally available for Windows 10 and mobile.

image

Free Teams is available immediately here.

On Microsoft Teams in Office 365, and why we prefer walled gardens to the Internet jungle

Gartner has recently delivered a report called Why Microsoft Teams will soon be just as common as Outlook, which gave me pause for reflection.

The initial success of Office 365 was almost all to do with email. Hosted Exchange at a reasonable cost is a an obvious win for businesses who were formerly on on-premises Exchange or Small Business Server. Microsoft worked to make the migration relatively seamless, and with strong Active Directory support it can be done with users hardly noticing. Exchange of course is more than just email, also handling calendars and tasks, and Outlook and Exchange are indispensable tools for many businesses.

The other pieces of Office 365, such as SharePoint, OneDrive and Skype for Business (formerly Lync) took longer to gain traction, in part because of flaws in the products. Exchange has always been an excellent email server, but in cloud document storage and collaboration Microsoft’s solution was less good than alternatives like DropBox and Box, and ties to desktop Office are a mixed blessing, welcome because Office is familiar and capable, but also causing friction thanks to the need for old-style software installations.

Microsoft needed to up its game in areas beyond email, and to its credit it has done so. SharePoint and OneDrive are much improved. In addition, the company has introduced a range of additional applications, including StaffHub for managing staff schedules, Planner for project planning and task assignment, and PowerApps for creating custom applications without writing code.

We have also seen a boost to the cloud-based Dynamics suite thanks to synergy between this and Office 365.

Having lots of features is one thing, winning adoption is another. Microsoft lacked a unifying piece that would integrate these various elements into a form that users could easily embrace. Teams is that piece. Introduced in March 2017, I initially thought there was nothing much to it: just a new user interface for existing features like SharePoint sites and Office 365/Exchange groups, with yet another business messaging service alongside Skype for Business and Yammer.

Software is about usability as much or more than features though, and Teams caught on. Users quickly demanded deeper integration between Teams and other parts of Office 365. It soon became obvious that from the user’s perspective there was too much overlap between Teams and Skype for Business, and in September 2017 Microsoft announced that Teams would replace Skype for Business, though this merging of two different tools is not yet complete.

image

To see why Teams has such potential you need only click Add a tab in the Windows client. Your screen fills with stuff you can add to a Team, from document links to Planner to third-party tools like Trello and Evernote.

image

This is only going to grow. Users will open Teams at the beginning of the day and live there, which is exactly the point Garner is making in its attention-grabbing title.

A good thing? Well, collaboration is good, and so is making better use of what you are paying for with an Office 365 subscription, so it has merit.

The part that troubles me is that we are losing diversity as well as granting Microsoft a firmer hold on its customers.

It all started with email, remember. But email is a disaster, replete with unwanted marketing, malware links, and some number of communications that have some possible value but which life is too short to investigate. In the consumer world, people prefer the safer world of Facebook Messenger or WhatsApp, where messages are more likely to be wanted. Email is also ancient, hard to extend with new features, and generally insecure.

Business-oriented messaging software like Slack and now Teams have moved in, to give users a safer and more usable way of communicating with colleagues. Consumers prefer Facebook’s walled garden to the internet jungle, and business users are no different.

It is a trade-off though. Email, for all its faults, is open and has multiple providers. Teams is not.

This will not stop Teams from succeeding, even though there are plenty of user requests and considerable dissatisfaction with the current release. Performance can be poor, the clients for Mac and mobile not as good as for Windows, and there is no Linux client at all.

Third-parties with applications or services that make sense in the Teams environment should hasten to get their stuff available there.

Unhealthy Identity synchronization Notification: a trivial solution (and Microsoft’s useless troubleshooter)

If you use Microsoft’s AD Connect, also known as DirSync, you may have received an email like this:

image

It’s bad news: your Active Directory is not syncing with Office 365. “Azure Active Directory did not register a synchronization attempt from the Identity synchronization tool in the last 24 hours.”

I got this after upgrading AD Connect to the latest version, currently 1.1.553.

The email recommends you run a troubleshooting tool on the AD Connect server. I did that. Nothing wrong. I rebooted, it synced once, then I got another warning.

This is only a test system but I still wanted to find out what was wrong. I tweaked the sync configuration, again without fixing the issue.

Finally I found this post. Somehow, AD Connect had configured itself not to sync. You can get the current setting in PowerShell, using get-adsyncscheduler:

image

As you can see, SyncCycleEnabled is set to false. The fix is trivial, just type:

set-adsyncscheduler –SyncCycleEnabled $true

Well, I am glad to fix it, but should not Microsoft’s troubleshooting tool find this simple configuration problem?

Microsoft Office 365 Activation Hassles

Imagine you are a customer of Microsoft’s Office 365 service, including a subscription to the Office desktop applications like Word, Excel and Outlook.

One day you click on the shortcut for Word, but instead of opening, it just shows a “Starting” splash screen which never progresses.

Being smart, you try to start Word in safe mode by holding down the Ctrl key, but the exact same thing happens.

Annoying, when you want to do your work. What is going on?

I took a look at a case like this. Two things you should do (after the usual reboot):

1. Look in the event viewer. Here, I found a clue that the issue is related to software activation, specifically Event 2011 “Office Subscription Licensing exception”:

image

2. For all things related to Office licensing, open a command prompt, go to (for example) C:\Program Files (x86)\Microsoft Office\Office16, and type:

cscript ospp.vbs /dstatus

In this case I got the following:

image

This told me that Windows thinks TWO product keys for Office are installed. One has expired, the other is fine.

The guilty party may (or may not) be the trial version of Office typically pre-installed with a new PC. Or it could be a consequence of changing your Office 365 subscription. Neither would be the fault of the user, who is fully licensed and has done nothing other than follow Microsoft’s normal procedures for installing Office 365.

Solution: we reinstalled Office from the Office 365 portal, and attempted to remove the dud product key with:

cscript ospp.vbs /unpkey:<Last five characters of product key>

as explained here. All is well for the moment.

This kind of thing drives me nuts though. Activation and subscription license checking is for the benefit of the vendor, not the user, and should never get in the way like this.

Further, cannot Microsoft find some way of informing the user when this happens, and not have Word simply hang on starting? How difficult is it to check for licensing and activation issues, and throw up a message?

Hands on with Microsoft’s ADConnect

I’ve been trying Microsoft’s ADConnect tool, the replacement for the utility called DirSync, which synchronises on-premises Active Directory with Azure AD, the directory used by Office 365.

It is therefore a key piece in Microsoft’s hybrid cloud story.

In my case I have a small office set-up with Active Directory running on Server 2012 R2 VMs. I also have an Office 365 tenant that I use for testing Microsoft’s latest cloud stuff. I have long had a few basic questions about how the sync works so I created a small Server 2012 R2 VM on which to install it.

ADConnect can be installed on a Domain Controller, though this used to be unsupported for DirSync. However it seems to be tidier to give ADConnect its own server, and less likely to cause problems.

There are a number of pre-requisites but for me the only one that mattered was that your domain must be set up on the Office 365 tenant before you configure ADConnect. You cannot configure it using the default *.onmicrosoft.com domain.

Adding a domain to Office 365 is straightforward, provided you have access to the DNS records for the domain, and provided that the domain is not already linked to another Office 365 tenant. This last point can be problematic. For example, BT uses Office 365 to provide business email services to its customers. If you want to migrate from BT to your own Office 365, detaching the domain from BT’s tenant, to which you do not have admin access, is a hassle.

When I tried to set up my domain, I found another problem. At some point I must have signed up for a trial of Power BI, and without my realising it, this created an Office 365 tenant. I could not progress until I worked out how to get admin access to this Power BI tenant and assign my user account a different primary email address. The best way to discover such problems is to attempt to add the domain and note any error messages. And to resist the wizard’s efforts to get you to set up your domain in a different tenant to the one that you want.

That done, I ran the setup for ADConnect. If you use the Express settings, it is straightforward. It requires SQL Server, but installs its own instance of SQL Server Express LocalDB by default.

image

You enter credentials for your Office 365 tenant and for your on-premises AD, then the wizard tells you what it will do.

image

I was interested in the link on the next screen, which describes how to get all your Windows 10 domain-joined computers automatically “registered” to Azure AD, enabling smoother integration.

image

If you follow the link, and read the comments, you may be put off; I was. It involves configuring Active Directory Federation Services as well as Group Policy and looks fiddly. I suspect this is worth doing though, and hope that configuration will be more automated in due course.

The next step was to look at the outcome. One thing that is important to understand is that synced users are distinct from other Office 365 users. Imagine then that you have existing users in Office 365 and you want to match them with existing on-premises users, rather than creating new ones. This should work if ADConnect can match the primary email address. It will convert the matching Azure AD user into a synced user. Otherwise, it will just create new users, even if there are existing Azure AD users with the same names. If it goes wrong, there are ways to recover. Note that the users are not actually linked via the email address, they are linked by an attribute called an ImmutableID.

The Office 365 admin portal is fully aware of synced users and the user list shows the distinction. Users are designated as “In Cloud” or “Synced with Active Directory”.

image

Synced users cannot be deleted from the Office 365 portal. You delete them in on-premises AD and they disappear.

The next obvious issue is that if you dive in like me and just install ADConnect with Express Settings, you will get all your on-premises users and groups in Azure AD. In my case I have things like “ASP.NET Machine Account”, various IUSR* accounts, users created by various applications, and groups like “DHCP Administrators” and “Exchange Trusted Subsystem” that do not belong in Office 365.

These accounts do not do much harm; they do not consume licenses or mess up Office 365. On the other hand, they are annoying and confusing. You may also have business reasons to exclude some users from synchronization.

Fortunately, there are various ways to fine-tune, both before and after initial synchronization. You can read about it here. This document also states:

With filtering, you can control which objects should appear in Azure AD from your on-premises directory. The default configuration takes all objects in all domains in the configured forests. In general, this is the recommended configuration.

I find this puzzling, in that I cannot see the benefit in having irrelevant service accounts and groups synced to Office 365 – though it is not entirely obvious what is safe to exclude.

I went back to the ADConnect tool and reconfigured, using the Domain and OU filtering option. This time, I selected what seems to be a minimal configuration.

image

The excluded objects are meant to be deleted from Office 365, but so far they have not. I am not sure if this will fix itself. (Update: it did, though I also re-ran a full initial sync to help it along). If not, you can temporarily disable sync, manually delete them in the Office 365 portal, then re-enable sync.

What if you want to exclude a specific user? I used the steps described to create a DoNotSync filter based on setting extensionAttribute15. You use the ADConnect Synchrhonization Rules Editor to create the rule, then set the attribute using ADSIEdit or your favourite tool. This worked, and the user I marked disappeared from Office 365 on the next sync.

image

Incidentally, you can trigger an immediate sync using this PowerShell command:

Start-ADSyncSyncCycle -PolicyType Delta

Complications

Setting up ADConnect does introduce complexity into Office 365. You can no longer do everything through the portal. It is not only deletion that does not work. When I tried to set up a mailbox in Office 365 I hit this message:

image

“This user’s on-premises mailbox hasn’t been migrated to Exchange Online. The Exchange Online mailbox will be available after migration is completed.”

I can see the logic behind this, but there might be cases where you want a new empty mailbox; I am sure there is a way around it, but now there is more to go wrong.

Update: there is a rather important lesson hiding here. If you have are running Exchange on-premises and want to end up on Office 365 with ADConnect, you must take care about the order of events. Once ADConnect is running, you cannot do a cutover migration of Exchange, only a hybrid migration. If you don’t want hybrid (which adds complexity), then do the cutover migration first. Convert the on-premise mailboxes to mail-enabled users. Then run ADConnect, which will match the users based on the primary email address.

It is also obvious that ADConnect is designed for large organisations and for administrators who know their way around Active Directory. There is a simplified sync tool in Windows Server Essentials, though I have not used it. It would be good though to see something between Essentials and the complexity of ADConnect. For example, I had imagined that there might be a mapping tool that would let you see how ADConnect intends to match on-premises users with Office 365 users and let you amend and exclude users with a few clicks.

Microsoft has been working on this stuff for some time and is not done yet. In preview for example is Group Writeback, which lets you sync Office 365 groups back to on-premises AD.

image

Maybe Microsoft might also consider using different icons for the various ADConnect utilities as they do look a bit silly if you pin them to the taskbar:

image

The tools are:

  • Azure ADConnect (Wizard)
  • Synchronization Rules Editor (advanced filtering)
  • Synchronization Service WebService Connector Config (SOAP stuff)
  • Synchronization Service Key Management (what it says)

On the plus side, I have not hit any mysterious Active Directory errors and it has all worked without having to set up certificates, reverse proxies, special DNS entries (other than the standard ones for Office 365), or anything too fiddly, though note that I avoided ADFS and automatic Windows 10 registration.

Final thoughts

If you need to implement this, you will find doing what I did and trying it out on a test domain is worth it. There seem to be quite a few pitfalls, and as ever, it is easier to get it right at the start rather than trying to fix things up afterwards.