Office 365 Groups: Are You Missing Out?
A Binary Tree SMART Migration Webinar
Who I am.
Justin Harris is a Microsoft Certified Master on Exchange Server and a Microsoft MVP for Exchange Server. Justin is a Principal Solution Architect with Binary Tree, blogger, author, and Pluralsight author.
@ntexcellence
http://www.ntexcellence.com
What are we going to cover?
Need for Collaboration
• Single place for team-based collaboration
• Which social network?
• Discovery of information
• Maintain historical context of collaborative team activities
Architecture
• Many different Office 365 workloads have been “bolted on”
• Azure Active Directory is the single source of authority
• Concept of FwdSync
• Groups only reside in Office 365
Administration
• Office 365 admin center
• Available *UnifiedGroup and *UnifiedGroupLinks Cmdlets
• OWA Mailbox Policy
Times have changed!
On-demand workforce, On-demand meetings, Responsive to customers
• Expectations of how people work have profoundly changed
• The rise of mobile
• Technology has changed my personal life
• Maximize customer interactions
• How to leverage technology to “get in earlier and stay longer”
• The need to spin up ad-hoc teams
• Do more with less
• Working with partners
What has fueled the change?
• Education
• Social networks
• Evolution of technology
On-demand workforce
• File shares
• SharePoint
• Lync/Skype for Business
• Mobile applications to communicate
Office 365 Groups
“Groups brings together people, info, and apps across O365 platform to help spark communication and collaboration.”
In other words – an AAD object that is backed by a shared mailbox in EXO (email & cal) and a document library in SPO (files & OneNote). Not to be confused with…
Groups have many different bolted-on modules
• EXO
• OneDrive
• OneNote
• Skype for Business
• Dynamics CRM
• Delve (coming soon)
• Yammer (coming soon)
An Office 365 Group is not
Not a distribution list
• Only mailboxes (tenant) can be a member
• No site or shared mailboxes
• No MEUs
• No contacts
• No external recipients (soon)
• No PFs that are mail-enabled
Not a security group
• Cannot be set on ACLs to control access
• Only controls access to resources that are approved workloads
• Can only be set to private or public (default) and cannot change after creation
Not just a SPO doc library
• Document library created for each new Group when user tries to access for the first time, saving quota overhead
• Document library is associated with a hidden site collection
EXO Directory Store
EXODS provides a layer of separation for AAD
• You have configuration data about workloads like EXO
• You have Exchange specific configuration data for each tenant
• Continuous stream of synchronization between EXODS and AAD
• Hybrid – DirSync – AAD is target then sync to EXODS
EXODS provides redundancy
• A cached copy of relevant tenant AAD information
• Provides continuity in the event of service disruptions or regional AAD outages
• EXO queries EXODS for items such as objects stamped with mail properties
• EXO deployed across 30 forests (source: Office 365 for Exchange Professionals)
Architecture
Diagram labels: Group Identity, AAD, Exchange, EXO AD, Mailbox, SharePoint, SPO AD, OneDrive
Master identity
• Azure Active Directory (AAD) is the master for group identity and membership across Office 365
Working together
• Services work together but are independent workloads
• Email conversations stored in EXO
• Documents & OneNote reside in SPO
The synchronization glue
• Dual writes to AAD and EXODS
• Convergence handled by FwdSync
What About Synchronization?
Any actions by EXO/SPO are made against the AAD object
• Repetitive theme!
• Only one master identity
• If you think about it – this one-way sync model makes life easier
Changes in AAD are funneled down to other workloads through a process called “FwdSync”
• All changes against a group are made against the AAD object
• “FwdSync” takes care of notifying workloads like EXO & SPO of the change
• The other workloads then update their own Active Directory copy (cached instance)
• Architecturally speaking – all sync traffic flows downhill (AAD to EXO for instance)
• Changes in EXODS (new-mailbox) replicated to AAD through backsync (https)
Synchronization in Action
Diagram: MSODS (Azure Active Directory); Exchange Online (EXODS, EXO); SharePoint Online (SPODS, SPO)
Build sequence: Create group; Create via AAD; New Group; Dual write; Cached; New Group; FwdSync; Cached; New Group
Loosely Coupled
#ITDEVCON
Diagram labels: Exchange, SharePoint, Notifications
• FwdSync is the sync mechanism that AAD uses but…
• EXO can notify SPO of a new group
• New Groups may not automatically appear until synchronization occurs
• Each workload is independent of each other, which Microsoft calls “loose coupling”
AAD Object ID
Groups is an AAD Object
• Unique identifier stamped on each object
• You can see Object ID in Azure portal for a Group
• Public health warning – please do not edit here!
What About Hybrid?
History of Groups – Old-style vs New-style
• Before Ignite – AAD group associated with an Exchange mailbox
• After Ignite – Unified Groups are now viewed as distribution groups
• Script on TechNet Gallery to convert distribution groups to Unified Groups
• Old-style Groups that have been converted have the (OFF1CE) suffix
On-premises users cannot access fully-featured Group functionality
• On-premises users when added to a Group are “auto-subscribed”
• Outlook user will receive email copies of Group interactions automatically
AAD Connect is required for better end user experience
• Use AAD Connect to sync or “write-back” AAD Group object
• The object is written to on-premises AD as a DL
• The Group then appears in the on-premises GAL
Outlook 2016
How does Outlook 2016 find Groups?
• Autodiscover writes info about Groups for user to an XML file
• C:\Users\jharris\AppData\Local\Microsoft\Outlook\16
• Once you access a Group the local XML is refreshed
Offline access for Groups?
• Group Storage File or GST
• .NST file extension
• C:\Users\jharris\AppData\Local\Microsoft\Outlook
• Only mail items like a conversation and calendar are written to local disk
Hidden site collection?
Site collection created for new Group is hidden
• Cannot see it in SPO Admin
• You need to trick the system to see path
• Cannot go to URL as you will be redirected
• SharePoint Designer is required to edit – Public Service Warning!!
SPO Team Site?
Group document libraries have several limitations:
• Cannot check documents in and out
• Workflows are not available (expense reports etc.)
• Cannot create views
• Cannot provide read-only access to Group data
Administration
Available Cmdlets
• Help UnifiedGroup
• Get/New/Remove/Set-UnifiedGroup
• Add/Get/Remove-UnifiedGroupLinks
• New-OWAMailboxPolicy -Name DisableGroupCreation
• Set-OWAMailboxPolicy -Identity DisableGroupCreation -GroupCreationEnabled $false
• Scripts on TechNet Gallery to convert distribution groups to modern Groups
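The cmdlets listed on this slide combined into one administrative pass, as an added example that is not part of the original deck: it restricts Group creation through the OWA mailbox policy, then reports existing Groups that are public (the default) or have no owner. It assumes an already connected Exchange Online PowerShell session; the approved-creator addresses are constructed placeholders.

```powershell
# Added example, not from the original deck.
# Assumption: an Exchange Online PowerShell session is connected with rights
# to run the *-UnifiedGroup, *-OwaMailboxPolicy and Set-CASMailbox cmdlets.
$PolicyName       = 'DisableGroupCreation'
# Constructed placeholder addresses: mailboxes that may still create Groups.
$ApprovedCreators = @('helpdesk@contoso.example', 'collab-admin@contoso.example')

# 1. Create the restrictive OWA mailbox policy once, then switch Group creation off in it.
if (-not (Get-OwaMailboxPolicy -Identity $PolicyName -ErrorAction SilentlyContinue)) {
    New-OwaMailboxPolicy -Name $PolicyName | Out-Null
}
Set-OwaMailboxPolicy -Identity $PolicyName -GroupCreationEnabled $false

# 2. Assign the policy to every user mailbox that is not an approved creator.
Get-Mailbox -RecipientTypeDetails UserMailbox -ResultSize Unlimited |
    Where-Object { $ApprovedCreators -notcontains [string]$_.PrimarySmtpAddress } |
    ForEach-Object { Set-CASMailbox -Identity $_.Identity -OwaMailboxPolicy $PolicyName }

# 3. Inventory existing Groups. Access type is fixed at creation and defaults
#    to Public, so public or ownerless Groups are flagged for manual review.
$report = foreach ($group in Get-UnifiedGroup -ResultSize Unlimited) {
    $owners  = @(Get-UnifiedGroupLinks -Identity $group.Identity -LinkType Owners)
    $members = @(Get-UnifiedGroupLinks -Identity $group.Identity -LinkType Members)
    [pscustomobject]@{
        Group       = $group.DisplayName
        Address     = $group.PrimarySmtpAddress
        AccessType  = $group.AccessType
        Owners      = $owners.Count
        Members     = $members.Count
        NeedsReview = ($group.AccessType -eq 'Public') -or ($owners.Count -eq 0)
    }
}

# Groups needing review sort to the top of the table.
$report | Sort-Object NeedsReview -Descending | Format-Table -AutoSize
```

Adding `-WhatIf` to the `Set-CASMailbox` call previews the policy assignment without changing any mailbox.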
What’s Missing?
Compliance
• eDiscovery
• In-place Hold
• DLP
• Lifecycle
Backup & Migration
• No soft-delete function
• When groups are deleted – they are gone
• Cannot remove individual post in conversation – delete all
• Public Folder migration
• SharePoint migration
Administration
• DL & Query-based membership
• External users
• Mobile (coming fall)
• Lack of EWS support – Outlook 2016 for Mac!
• Missing notification of @mentions or likes (Outlook 2016)
Key Takeaways
“Groups brings together people, info, and apps across O365 platform to help spark communication and collaboration”
Other workloads bolt-on and add additional data like EXO and SPO
Still a lot of key missing features
Growing set of administrative features
Single source for identity – AAD