What Defines “Office 365 Hybrid” – A Deep-dive from EPC Group
The project stakeholders within IT may have a total understanding of the Office 365 offering but the organization’s legal and compliance stakeholders may still be unclear or hesitant because of the similar naming of products and their past understanding of SharePoint.
There are terms that can be very “down in the technical weeds,” such as Reverse Proxy and SSO or MSOL Tools, that can quickly sidetrack the conversation.
This also requires reexamining your Office 365 and/or SharePoint governance model because there are key functional pieces in these new releases that now have their own layer or uncoupled type of behavior that must be signed off on and understood by all stakeholders.
The on-premises and/or cloud or off-premises architecture is typically clear, but the term “hybrid” is referred to when one of the following five “non-SharePoint elements” is configured to support a hybrid SharePoint 2013 deployment:
- Reverse proxy and certificate authentication
- Identity provider (ADFS, etc.)
- MSOL tools
- SSO with O365 (single sign-on)
- Dirsync (Azure Active Directory)
Overview of Office 365 Plans
Office 365’s underlying licensing model represents an array of plans and capabilities. The Office 365 business offerings, as shown in the image below, are centered on small business, midsize business, and the enterprise.
Most businesses will require a plan that includes the capability to enable Active Directory integration (with Active Directory Federation Services [ADFS] and Directory Sync) and single sign-on (SSO) with local Active Directory credentials to seamlessly access Office 365 in the cloud.
As shown in the image below, the enterprise plan, also referred to as the “E” plan, allows for hybrid configurationsof Exchange, Lync, and SharePoint, but it’s important to review your specific requirements and discuss them with a licensing and Office 365 plan expert who is knowledgeable about the latest plans, capabilities, and prices, and the future of each plan.
Microsoft continues to add capabilities to its Office 365 plans, and I can’t stress enough how important it is to stay up-to-date on the available options before moving forward with any Office 365 plan.
When looking at the Office 365 plans for the enterprise, you will see many options for integration with Exchange and other technologies that your organization very well may not even be considering moving or integrating with the cloud, so discussing your organization’s SharePoint and overall IT roadmap and having a clearer understanding of it will allow you to review these plans with a much more educated perspective about what you may or may not want to consider.
Key Cloud Terms
You will hear many different technical references within an Office 365 architectural or business planning conversation, so it is key to understand the core terms as detailed in the sections that follow.
A tenant is required for the setup of an Office 365 account with Microsoft or the Office 365 provider. A tenant is the domain login (.yourcompany.com) that you use to log in.
Office 365 shares a global name space. Consequently, company “A” in the United States may already have registered and be utilizing Office 365, and company “B” in the United Kingdom, possibly an affiliate company, would not be able to use that same tenant name.
When you hear the multitenant system, think of this in terms of a single store in a mall that is unique and has its own inventory, employees, and so forth but shares hallways, stairs, elevators, and such with the other stores in the mall.
The Domain Name System, or DNS, translates domain names to the numerical IP addresses needed for the purpose of accessing computer services and devices throughout the globe.
There are multiple records that must be entered publicly and privately for all the services in Office 365 to function correctly. The complexity of Office 365 is based on the configuration that is required to ensure security and proper governance.
ADFS and ADFS Proxy Servers
The Active Directory Federation Services (ADFS) is based on an industry-supported Web services architecture. Organizations’ internal ADFS servers and external ADFS proxy servers will be essential for single sign-on to be accomplished.
Directory Synchronization Server
The Directory Synchronization Server is key to a proper single sign-on architecture because this will synchronize the entire Active Directory, or a subset of it, to your organization’s tenant account in Office 365.
Implementing Office 365 Within Your Organization
Several key strategies are involved in a best practices implementation of Office 365 and the overall SharePoint 2013 service. It is key to think holistically about your environment and what you’re trying to accomplish with SharePoint, both in the near term and in the long term.
Within an implementation, keep the following questions in mind:
- What are the core strategic initiatives that your organization has planned within the next 24 months in terms of your SharePoint roadmap, and how will Office 365 benefit these efforts?
- What will the overall balance of on-premises versus hosted within your organization be, and have the key stakeholders in your organization, including legal and compliance, been included in the development of this strategy?
- How will this data be protected at an information management level, and how will the security or control differ between on-premises and cloud-based?
- What is your organization seeing in terms of proliferation within its users’ overall mobile device usage, and what is your opinion of the best way to develop a stated BYOD strategy for the organization that would gain initial buy-in?
- Are there any set requirements related to the integration of other line of business (LOB) systems, and will the environment affect the access to this other data source? (Think of it in terms of future business intelligence [BI] initiatives.)
Key Components of a Hybrid Office 365 Initiative
Office 365 may be the core technology and platform an organization is implementing, but do not focus solely on the technology side of this initiative because many of the key success components are business-related processes that need to be thoroughly analyzed.
By establishing a phased success criteria, just like that of an on-premises deployment, working with the business and key IT stakeholders to define the project objectives, establishing an overall project plan and timeline, you will ensure that the initial pieces are in place.
There should be a project manager or specific group identified who will own the overall control and execution of the project.
Multiple stakeholders and team members will be involved with the execution of the actual tasks, but by first identifying the objectives and implementation plan, you will put a stake in the ground that the team can work toward.
Office 365 and Lync (Note: Lync is soon to be renamed to “Skype for Business”)
The image below show a hybrid Office 365 and Lync topology, which has a number of more granular components that your organization should investigate to fully understand its capabilities and organizational impact.
There are additional considerations related to on-premises versus cloud or online when you are analyzing your organization’s Lync roadmap, as shown in the image below.
Note: Lync Online will soon be renamed “Skype for Business”
Office 365’s Security Considerations and Components
In reviewing Office 365’s capabilities, a key factor in all your decisions must be the security integration elements of Office 365.
The image below details three separate Office 365 identity integration scenarios. I find that it is always important to have the on-premises options available to compare with cloud offerings because this helps bring clarity to many questions.
Being able to “whiteboard” the possible integration options your organization may be considering is key to a best practices Office 365 architecture.
The hybrid, on-premises and cloud combination, as shown in the image below, will be a more common architecture over the next five years as the cloud offerings mature and organizations identify what benefits the cloud may offer them, as well as what risks the cloud may bring that need to be avoided.
Office 365 Reverse Proxy and Authentication
There are several very technical terms that may be used during meetings with stakeholders by both the business and IT, and one of those is “reverse proxy.” When using hybrid features for Office 365, the system sends requests from sites in the cloud to your organization’s on-premises farm.
To accomplish this, your organization needs to establish a reverse proxy for these calls to be channeled through to secure the process so that those requests can be authenticated before they are forwarded to SharePoint.
Identity Provider Overview – Office 365
Another term that you may hear referenced in an Office 365 conversation is “identity provider.” To have a single sign-on experience, your organization needs to have a federated identity provider like Active Directory Federation Service. This requires the following:
- Two or more load-balanced ADFS servers
- An SSL certificate for the ADFS site
- A proxy device, like the ADFS proxy server
- A UPN of a registered domain (that is, “.local” or similar suffixes will not work) for all users
MS Online Overview (Microsoft Online Services)
Your organization will most likely require your users to access tools from Microsoft Online Services, MS Online (MSOL), in order to complete various functions such as these:
- Microsoft Online Services Sign-In Assistant
- Microsoft Online Services Module for Windows PowerShell (MSOL PS)
- The Directory Synchronization tool (dirsync)
The Office 365 Secure Store
The Office 365 Secure Store provides for the ability to access external business application data in a governed and defensible manner. It is designed to allow for a background mapping between a group of users in SharePoint and a single user known to the external data system. This feature enables a user to authenticate through their Internet connection at any given location into SharePoint.
The Secure Store Service uses mapped credentials known to the external business application to render any necessary external data on the site for the authenticated user.
An Office 365 deployment can quickly derail if users are getting prompted time and time again for their credentials, so the secure store is critical to this process.
It allows users to access the required data without prompting them to enter usernames and passwords specific to the external application, thus limiting the need for multiple passwords and the core element of the SharePoint as a Platform or SharePoint as a Service strategy.
EPC Group’s Nationally Recognized Practice Areas
EPC Group leading SharePoint, Office 365, Infrastructure Design and Business Intelligence Practice areas continue to lead the way in providing our clients with the most up-to-date and relevant information that is tailored to their individual business and functional needs.
Additional “From the Consulting Trenches” strategies and methodologies are covered in EPC Group’s new book, “SharePoint 2013 Field Guide: Advice from the Consulting Trenches” covering not only SharePoint 2013, Office 365 and SharePoint Online but Information Management, ECM\RM and overall compliance strategies in this ever changing world of “Hybrid IT.”
With over 25 years of experience in Information Technology and Management Consulting, Errin O’Connor has led hundreds of large-scale enterprise implementations from Business Intelligence, Power BI, Office 365, SharePoint, Exchange, IT Security, Azure and Hybrid Cloud eﬀorts for over 165 Fortune 500 companies.