
Office Fundamentals: Introduction and Azure AD

May 19, 2019 (Videos)

Joseph Landes
There is hardly an MSP who has not already started to think through the impact of moving their customer to Office 365 from on-premise versions of Office. Most MSPs we speak to are well down this path, and in fact, have migrated the majority of their customers to Office 365. As a result, building a successful cloud practice in Azure is very much connected to ensuring your customers are also using Office in the cloud.

Joseph Landes
We will use this session to introduce you to Office 365, the various plans available, how to transact with Office 365, and the impact of Office 365 on Azure Active Directory.

Vadim Vladimirskiy
And I want to clarify that Office 365 is often thought of as a particular product, but really, it’s a product category, product family that includes different packages, different suites, that have different products as part of those suites.

Vadim Vladimirskiy
So the most popular part of Office 365 is the actual Office Suite itself, the applications that get installed on the end-user devices, the desktops, laptops, mobile devices, et cetera. And those come in two flavors: Office ProPlus and Office Business. It’s kind of the equivalent of what used to be Office Professional and Office Standard in the previous version of Office, 2016 as an example. So you can see on this page, which is just an example of a handful of plans, these are the Enterprise plans. On the left, here, you have Office 365 ProPlus, which has the Office applications that you get to install on your mobile, on your end-user device, and it also comes with a service called OneDrive. OneDrive is a repository that you can, sort of the cloud repository, maybe the iCloud equivalent of what Apple has, so that the productivity suite, the Office applications, can automatically save their data into an online location, which you can then share or access through the web, et cetera. So in addition to getting the applications, you are also getting a subscription to OneDrive as part of that.

Vadim Vladimirskiy
Now, as we move to the right, then we start looking at these packages. So these are called the Enterprise E1, E3, and E5. I would say E3 is probably the most popular Office 365 package. And in addition to including the applications, just like ProPlus includes, it also includes a bunch of other services. The most popular service, obviously, is Exchange Online, that’s for e-mail. There’s also OneDrive that’s included in each one of these. You also get SharePoint, you get Teams, Yammer, Stream, and a bunch of other things that are not even listed on here, but if you go into your Office 365 portal, and you look at the number of applications that are there, there is Planner, there is Flow, Microsoft has really built a fairly robust set of applications that they bundle at no additional charge inside of these packages.

Vadim Vladimirskiy
So, again, here you have all of these packages. So, you have Office 365 Business, which is the equivalent of Office 365 ProPlus, it’s just the Office Suite, it’s missing a few features. It’s a little bit cheaper, and it still has OneDrive as part of it. Then there is Business Premium, which is kind of the equivalent of E3, and then there is Business Essentials, which is basically the services, so it’s kind of the equivalent of E1. So E1 includes Exchange, OneDrive, Teams, et cetera, but it does not include the Office Suite. And Business Essentials is kind of the equivalent of that for small business. And Business Premium is the equivalent of E3.

Vadim Vladimirskiy
So why am I telling you this? I want to be sure that it’s clear that the individual products within Office 365 are just sort of combined together into a plan, and are effectively, they’re integrated, but they’re independent products. So, like Exchange and SharePoint, they share the same Azure AD tenant for user information and authentication, but it’s the equivalent of having an on-prem environment, where you have one server that’s doing Exchange, and another server that’s doing SharePoint, and another server that’s doing Lync, so all of those are brought together in one package, but they are still individual products. So you can manage them in their own individual management portals or admin portals, in Office 365.

Vadim Vladimirskiy
If you go into an Office 365 management portal, and I have a couple of them open here, let’s see, I think it’s in here. Yeah. So, if we go into this, the Office 365 or now it’s called Microsoft 365 Admin Center, what you can see under Admin Center is you have individual Admin Centers for each one of those products. So as long as I have a single license that has an Exchange Online component to it, inside of this Azure AD tenant, or this Office 365 tenant, I will have an Exchange organization which is going to be spun up for me, and then if I have one with Teams and Skype, I will have one like that. If I have one with SharePoint, then it will spin up SharePoint.

Vadim Vladimirskiy
As soon as I remove any licenses that entitle me to Exchange, then this will get disabled after some time, and then eventually will get deleted. So you can see, every one of you has seen this screen. You can go in here and select the user, and then the user, you can assign a product license based on what’s available in the account. So, let’s see. We have … United States, and here is an E3 license. An E3 has all of these components. And all of these are individual products that are packaged together into an E3 license. And then an E1 license will have different components to it.

Vadim Vladimirskiy
So I can either enable the entire suite for this particular user, or I can enable a particular feature from that suite. So let’s say I wanted to give this user Teams only. So I could do that. So what that would give this user is just the ability to log into Teams, but that would not give him a mailbox, that would not give him access to Stream, that would not give him Yammer, that would not give him SharePoint, et cetera. So these are independent things, and there’s a hierarchy there of the products that are packaged into these plans like E3.

Vadim Vladimirskiy
Now, all of this relies on Azure AD. And Azure AD, we looked at before. Azure Active Directory is Microsoft’s implementation of a directory that all of their cloud services plug into, both Azure and Office 365. The Office 365 integration with Azure AD is extremely tight, meaning every object that you want to entitle to a service inside of Office 365 like Exchange or SharePoint has to be a user object inside of Azure AD. Every object that you want to share data with, for example, even somebody who’s external to your organization, if you want to share a document via OneDrive with somebody in another company, and you create that sharing link with their e-mail address, what it’s going to do is actually going to create a special user object in your own Azure AD that you’ll be able to go in the back end here, and see it’s going to get listed, here. So everything is tied into Azure AD.

Vadim Vladimirskiy
So let’s talk about how this gets transacted. So, we talked about Azure, where you have the Azure AD tenant, also known as the directory, or the account, could have multiple subscriptions, and those subscriptions are sort of associated with that tenant. They sit inside of that tenant, but they’re not necessarily connected to individual objects inside of Azure Active Directory. What do I mean by that? So, let’s say you have one Azure tenant, and you have two … So you have one Azure AD tenant, and you have two Azure subscriptions. Those two subscriptions could be used completely independently of each other. You can deploy one NFA account in one, and another account in the other, and they will not be able to see each other in any way.

Vadim Vladimirskiy
Okay, now, in order to log in, and to manage one of those subscriptions, you would need to use an account that’s part of Azure AD, but those subscriptions are independent. Office 365 works a bit differently. So, I’m going to show you, through our CSP portal, I’m going to pick up a sample account. This account is called Nerdio 5004, 5004 Nerdio, that’s sort of the customer in the Azure AD. And within that Azure AD, I can add multiple usage-based subscriptions, which is another name for Azure, that’s the way that I provision Azure subscriptions. I can add another one here, or I can add additional licensing subscriptions, licensing-based subscriptions.

Vadim Vladimirskiy
So let’s click here, add subscription. Can I do that? I can. Okay. And here I get to select from a catalog of Enterprise names. So there’s Dynamics, there is Exchange Online Plan 2, and then there’s also Windows, and then there are packages. So if you see, up here, I have a few of them sort of selected as favorites. But I have Enterprise E3, which is a package. But if I did not want to buy the entire E3 package, if I only needed some components from it, I could go down here, and say, “Okay. I just want Office ProPlus.” So I would go here and find my Office 365, wherever that is, let’s search for it … Pro, there it is. It’s in the favorites. So I could buy ProPlus, and let’s say Teams, separately. I guess Teams, maybe, is not something that you can license separately. Maybe you could. But you get the idea. I don’t have to buy it as a package, I could buy it as individual components. It’s obviously more cost effective to buy it as a package, as an E3.

Vadim Vladimirskiy
When I want to assign those licenses, I can assign them to users of this Azure AD tenant only, so that means any licenses I add into the Azure AD tenant are all sort of mixed together in one bucket, and can be assigned to users inside of this Azure AD tenant. So, with Azure subscriptions, I can have one AD tenant for multiple customers, but for Office 365, I must have an individual Azure AD tenant per customer, because the licenses get aggregated in one place, and they can be assigned out of one pool to the same set of users.

Vadim Vladimirskiy
Where does that make a difference? So, if we go to the NAP, and we try to provision a new account, when we provision a new account, there are two things we have to specify. Connection into Azure, and a subscription, and a connection to Office 365. A lot of times, these two are, they could be the same, or they could be independent. But a lot of times, you’ll have a partner that’s going to use the same Azure account, and just segregate customers based on the subscription within that account.

Vadim Vladimirskiy
With Office 365, that’s not an option. So every customer needs to have a dedicated Office 365 account, i.e., Azure AD tenant, for Office 365 data.

Vadim Vladimirskiy
So I’m logged into the partner center for ADAR, and I am able to add a customer like this 5004 Nerdio is a customer. And then I’m able to add a subscription like you saw me do. It could be an Azure subscription, or it could be an Office 365 subscription. And then, once I go as the customer into my Office 365 Admin Center, and I look, let’s say, under billing, I look under subscriptions, what you’ll see is it will show me that I have this subscription for five E3 licenses, and it’ll tell you it’s billed by ADAR, and I don’t have the ability to really increase or decrease this count. In order to do that, I can only do that at the CSP level. I cannot do it at the user level.

Vadim Vladimirskiy
However, a user can go in and simply add a subscription, and this will be a direct bill subscription, that they can specify a credit card for, they can add a payment method. And they can purchase additional items within the same Azure AD tenant, within the same Office 365 account, there could be CSP subscriptions, and direct-pay subscriptions, and the licenses from both will get aggregated in one place. So if I go under settings, licenses … I’m sorry. Billing licenses, and I have … Okay. So this is a CSP subscription. I may have another one that also says Office 365 Enterprise E3, and it will be a direct bill subscription, and it will have its own quantity, and then, basically, what matters is the total.

Vadim Vladimirskiy
So when I go to assign it to a user, it basically looks at the pool of available licenses and pulls one from there. It doesn’t really matter if it comes from a CSP license or a direct-pay license. So, again, all of these things are pulled together inside of one account.

Vadim Vladimirskiy
Now, there are a couple of ways to look at Azure AD. You can see it in the way that we’re all used to, which is through this portal, so if you go under users, you’ll see that I have these three users, and the management interface is very familiar. But, what you also have to realize is if I now open Azure for that very same tenant, and I go to Azure Active Directory on the left, here, I’m looking at the same data. So it still says it’s Azure AD for Office 365. And if I click on users, you’re going to see the same set of users. If I wanted to reset the password, I could do it from here, I can do it from there, there’s different functionality. There’s some advanced things you can do from this screen that you cannot do from Office 365.

Vadim Vladimirskiy
But again, the point I’m driving home is it’s relying on the very same database of information that’s underpinning both of the products, Azure and Office 365.

Vadim Vladimirskiy
Okay. So, when we talk about domains, we don’t mean Active Directory domains. We mean kind of e-mail or internet domains. So this is where you would go to add a new e-mail domain into the account. So you can add [Radim 00:15:57].com. Maybe it’s available, who knows? Probably not. Okay. So you can add any domain. You have to validate that you own it, et cetera. I think most of you have been through the process. We’ve automated a lot of this, and simplified it through the Nerdio Admin Portal as well, but domains are associated with an Office 365 Azure AD account.

Vadim Vladimirskiy
If you look here, under active users, these objects are users. Now, users may have a mailbox that is assigned to them, but that mailbox is not part of the user object, meaning they’re kind of independent. One is mapped to the other, so if you were to go directly into the Exchange Management Center, right here, it will open it up in a new tab, if you look at mailboxes, they will be linked with users, but they don’t have to be. For example, you could have a resource mailbox, or you can have a shared mailbox, which doesn’t have a user assigned to it.

Vadim Vladimirskiy
And that’s the case for all the other products. You can delete a user, and not delete the mailbox. When somebody, let’s say, migrates from one on-premises Active Directory to another, and the source Active Directory may be connected to an Exchange Online database, where all the mailboxes are, without deleting those mailboxes, it’s possible to take them from whatever existing users they’re connected to right now, and reattach them to other users. So you can kind of swing those mailboxes over from one user object to another. And that’s sort of what happens when somebody that’s already using Azure AD Connect, the tool that syncs the local Active Directory to Azure AD, they’re able to take that and convert from using it with their existing domain on premises, to using it with a new Active Directory domain inside of Nerdio.

Vadim Vladimirskiy
Here, if we go under mailboxes in the Exchange Admin Center, there aren’t going to be any, because I don’t have any users that have an Exchange Online license. But if I wanted to assign one, if I’d go here, and I assign a product to this user, and that product is, let’s say, E3, then after a while, that mailbox would get built inside of Exchange Online, and then when I go here and refresh, that mailbox would be listed in this screen.

Vadim Vladimirskiy
One of the requirements we have during provisioning of a new Nerdio account is, I think, either an E3 or an E5 license. And people ask, “Well, why is that?” And there are two reasons for this. Number one, we need an Exchange organization to be available inside of the Office 365 account in order to run some of the automations that we do as part of the provisioning. For example, Nerdio automatically configures FS01 as a relay for any internal, for an unauthenticated mail relay, like an SMTP relay for any internal machines to route e-mail through Office 365. Why do we need that? Because sometimes, let’s say you have scanners that are in customers’ offices, and they want to point those scanners to do scan to e-mail. So we automate it in such a way that all they have to do is specify the IP address of FS01, no authentication required, and then based on the automation that we do during provisioning, it will send those e-mails through FS01, which will route it through Office 365.

Vadim Vladimirskiy
So in order to enable all of that and secure it to make sure Office 365 is not an open relay for other locations, only this FS01, there needs to be an Exchange Online organization that exists, and if no E3 or E5 license, or if no licenses exist inside of the account, then those commands will basically fail. So that’s number one.

Vadim Vladimirskiy
Number two, during the provisioning, we set up a number of demo accounts. And one of these accounts has an Office E3 license assigned to that account. So there’s an NDIT admin that gets created by default, and that NDIT admin has an Enterprise E3 license assigned during provisioning so that somebody can come in, generate the RDP file, log into the desktop, and actually see Office functional with an e-mail mailbox, and everything like that. So that’s why during provisioning, we require E3. We do tell partners that once the account is provisioned, they can go in here, they can remove this license, unassign it for Andy, and then go in and then cancel the subscription.

Vadim Vladimirskiy
It’s not going to break anything, as long as the Exchange Online stays active. So if they remove all the licenses that have Exchange Online as part of them, then eventually the Exchange Online organization will get deleted by Microsoft on the back end because there aren’t any users that … Or, aren’t any licenses that entitle you to it. And then NAP is going to start running into errors, because it does a lot of shared mailbox caching and it runs a lot of mailbox rules, and things like that. There are all sorts of integrations with Exchange Online, and that’s the reason for that requirement.

Vadim Vladimirskiy
Microsoft is going one step further. They now have something called Microsoft 365. And Microsoft 365 is yet another suite that includes Office 365, plus Windows, plus security packages. So I think that’s kind of their latest and ultimate package they want people to buy. There are two flavors of it. There’s Microsoft 365 Enterprise, and Microsoft 365 Business. And then the one that’s Business includes Office 365 Business Premium with Windows 10 Enterprise, and then Microsoft 365 Enterprise includes either E3 or E5, and then Windows Enterprise E3 or E5, and there’s functionality differences in those, too.