At the very interesting “Thrive as an enterprise organization in Microsoft Exchange Online” session at the Ignite conference, Microsoft’s Jeff Kizner discussed some of the issues that block on-premises customers from moving to Office 365. The focus here is specifically on Exchange, but it’s important because email is often the first workload that moves to Office 365.
Microsoft acknowledges that many of the scenarios for delegate access to mailboxes break in hybrid configurations. This is a major source of frustration to customers, especially when users want to give access to other people whose mailboxes are on the other platform. For example, a manager’s mailbox is on-premises and their assistant is in the cloud.
The good news is that Microsoft is working hard to provide cross-platform delegate access for Exchange hybrid organizations. You will be able to grant Full Access, Send As, and Send On Behalf Of permissions to users and expect the permissions to work no matter what platform their mailbox is on. Send On Behalf Of is coming first and should be available before the end of 2017. Send As is more difficult because the feature depends on permissions stored in Active Directory, but it is coming.
I see a lot of potential in what Microsoft called an “Exchange Hybrid Connector” to solve some issues that customers have in configuring network firewalls to support hybrid Exchange traffic. Not everyone is happy to open ports to support traffic like Autodiscover or Exchange Web Services (EWS), nor do they want to track the large set of IP addresses used by Exchange Online and update their firewalls with these addresses. Another issue is that hybrid traffic does not support pre-authentication, exposing the potential (at least in their minds) for yet another attack vector.
The idea is simple and is based on the Azure service bus connector, an intelligent app proxy. When an Exchange Online user wants to check some on-premises information, like the free/busy information for an on-premises mailbox, Exchange Online channels the request via the hybrid connector, which sends it to Exchange on-premises using well-known network ports. The response travels back to Exchange Online via the same route. The connection is verified by checking certificates at both ends to ensure that only traffic from a known source (in this case, Exchange Online) can travel across the link. In effect, it is like having an application-specific tunnel from Exchange Online to Exchange on-premises.
Microsoft will use this technique to eliminate or radically simplify the network requirements for hybrid organizations and expects to have a hybrid connector available for limited preview in early 2018.
Using a hybrid connector to route Exchange-specific traffic is in line with the message about Office 365 network traffic in general – this is trusted traffic that should not be handled in the same way as general internet traffic. It sounds like a good idea to me and it is a key part of removing the need to keep the last Exchange on-premises server to handle directory synchronization.
One interesting fact Jeff shared with the audience is that 70% of the Office 365 tenants who configured hybrid organizations have moved all their mailboxes to Exchange Online. This probably indicates that a lot of small tenants have moved all their mailboxes to the cloud but have not yet been able to decommission the last Exchange server.
Another fact he revealed is that the average number of mailboxes running in hybrid organizations configured with the HCW is 105. Most large companies run in hybrid mode to keep some workload on-premises, so such a low average is further confirmation that many small tenants have a lingering Exchange server.
Often the case is that the last server is in place for local Exchange management. If all mailboxes are in the cloud, a fair chance exists that you can simply go ahead and decommission that server. If some mailboxes remain or you still need a server for directory synchronization because on-premises is the identity source of authority for the organization, you cannot remove the server. At least, not until everything is in the cloud.
To help with management of on-premises objects, the hybrid connector will allow you to update those objects in Office 365 and have the changes pushed to the on-premises organization via the connector. The changes are then synchronized back to the cloud to complete the process. In other words, management of all objects in the tenant from one place, which will relieve the frustration illustrated in Figure 1.
When you have a hybrid Exchange organization, objects are either owned by the on-premises or cloud platform. Today, if you want to apply the same policies across the organization, you must update the policies on both sides. For example, if you want to apply the same mailbox retention policies, you must create the necessary retention tags and policy in both on-premises Exchange and Exchange Online. Creation is a one-time operation. The real pain comes in the need to maintain settings on both sides afterwards (Figure 2).
Microsoft plans to solve the problem by using the hybrid connector to enable dual writes for policy settings on either a one-time or recurring basis. This will appear soon and make hybrid deployments easier to manage.
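Until that dual-write capability arrives, an administrator has to keep the two sets of retention tags aligned by hand, and the first step is knowing where they have drifted apart. The following script is an added example (not from the article, and not Microsoft's code) that compares retention policy tags on both sides of a hybrid organization; it assumes two remote PowerShell sessions have been imported with the prefixes OnPrem and Cloud so that the prefixed Get-*RetentionPolicyTag cmdlets exist.

```powershell
# Added example: report retention tag drift between Exchange on-premises and
# Exchange Online. Assumes the sessions were imported with prefixes, e.g.
#   Import-PSSession $OnPremSession -Prefix OnPrem
#   Import-PSSession $CloudSession  -Prefix Cloud
# so that Get-OnPremRetentionPolicyTag and Get-CloudRetentionPolicyTag are available.

# Properties that must match for a tag to count as "the same" on both sides.
$Props = 'Name', 'Type', 'AgeLimitForRetention', 'RetentionAction', 'RetentionEnabled'

function Get-TagTable {
    param([object[]]$Tags)
    $Table = @{}
    foreach ($Tag in $Tags) {
        # Key by tag name; store the compared properties as one string for easy comparison.
        $Table[$Tag.Name] = ($Props | ForEach-Object { "$_=$($Tag.$_)" }) -join ';'
    }
    return $Table
}

$OnPremTags = Get-TagTable -Tags (Get-OnPremRetentionPolicyTag)
$CloudTags  = Get-TagTable -Tags (Get-CloudRetentionPolicyTag)

# Walk the union of tag names and classify each one.
$AllNames = (@($OnPremTags.Keys) + @($CloudTags.Keys)) | Sort-Object -Unique
$Drift = foreach ($Name in $AllNames) {
    if (-not $CloudTags.ContainsKey($Name)) {
        [PSCustomObject]@{ Tag = $Name; Status = 'MissingInCloud'; Detail = $OnPremTags[$Name] }
    } elseif (-not $OnPremTags.ContainsKey($Name)) {
        [PSCustomObject]@{ Tag = $Name; Status = 'MissingOnPrem'; Detail = $CloudTags[$Name] }
    } elseif ($OnPremTags[$Name] -ne $CloudTags[$Name]) {
        [PSCustomObject]@{ Tag = $Name; Status = 'SettingsDiffer'
                           Detail = "OnPrem: $($OnPremTags[$Name]) | Cloud: $($CloudTags[$Name])" }
    }
}

if ($Drift) { $Drift | Format-Table -AutoSize } else { Write-Output 'Retention tags are in sync.' }
```

Run it after any change to retention settings on either side; a non-empty report is the list of tags that still need to be updated on the other platform.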
Another pain point is how to make sure that mailbox settings stick when moving from on-premises to the cloud. Microsoft plans to solve this problem by allowing the Mailbox Replication Service (MRS) to transfer settings along with mailbox contents. You will be able to customize the settings for MRS to move per mailbox batch,
For years, Microsoft has ignored the fact that mergers, acquisitions, and divestitures are part of normal corporate activity. If your tenant is bought by another company or you acquire another company with an on-premises or Office 365 deployment, a lot of manual processing is needed to achieve the end goal of a unified environment. As I describe in this article, that effort is expensive and it can take months to plan and execute.
Microsoft is working on the ability to allow the Mailbox Replication Service (MRS) to move mailboxes between Office 365 tenants (a CrossOrg move). The tenants must create an organization relationship with each other to allow mailbox moves to occur. This authorization can be revoked at any time, perhaps when a merger fails.
Although moving mailboxes between tenants is a welcome step forward, it is important to underline that this is just one small point in tenant-to-tenant migrations. Using MRS is sensible because MRS has a long history of moving mailboxes on-premises, within tenants, and during migrations.
Taking a wider perspective, Microsoft acknowledges that they have work to do to address other issues inside Exchange, like address rewriting. In addition, for now, Microsoft has no answer for how to deal with Teams, Groups, SharePoint Online, OneDrive for Business, or other aspects of Office 365 that need to be considered when mergers and acquisitions occur.
The good thing is that Microsoft has recognized the M&A problem for Office 365. Moving mailboxes between tenants is a basic processing capability that ISVs and partners can integrate into their toolsets to build a complete tenant to tenant solution.
Microsoft is doing lots of good stuff to solve the pain points that customers have in hybrid deployments. The hybrid connector is most important from a strategic perspective. Solving the mess around delegated access and bidirectional transfer of organization and mailbox settings are important from an operational stance. Moving mailboxes between tenants is good because it solves a pain point in tenant-to-tenant migrations, but it is important to underline that tenant-to-tenant is a huge area of work and this is only one step along that road.
Follow Tony on Twitter @12Knocksinna.