Thursday, 26 January 2012

Office 365 Exam Revision Notes

I recently took both Office 365 beta exams (70-321 & 70-323) and along the way made many revision notes relating to key points, particularly around Exchange & Lync Online. There is some reference to SharePoint too, but I'm noticing more and more notes are becoming available in this area, especially with the recent service updates applied to Office 365.

The notes were compiled from the following sources: -

1. Personal experience

2. Office 365 Deployment Guide

3. Office 365 virtual labs (although at the time of writing these haven't been updated to take advantage of Exchange 2010's hybrid deployment functionality in Service Pack 2)

I hope these notes are of as much use to the community as they were to me.

Note: These are not 'brain dumps' of the contents of the exams I took; they are my personal notes taken to remind me of key points, and I'm happy to share them with everyone.


Key Points

Service

· RPO: described as 'near instantaneous'

· RTO: 1 hour

(service level diagrams from the original post not reproduced)

Support

· Hybrid deployments only support coexistence within a single AD forest

· Use Exchange Deployment Assistant for configuring hybrid deployments

· Support exception required for DirSync replicating more than 20,000 objects

· High latency (bad), low latency (good)

Deployment Overview

· 3 x phases – Plan, Prepare & Migrate

· Plan & Prepare will overlap

· DirSync (Microsoft Online Services Directory Synchronization Tool) must be used to sync on-premise AD with O365

· To enable single sign-on, ADFS 2.0 federation & proxy servers must be used

· All ADFS (inc proxies) can be made HA

· For hybrid deployments, an Exchange 2010 hybrid server must be deployed on-premise

· Virtualisation support – federation & proxy servers supported, recommended on separate physical hosts. Exchange 2010 hybrid server also supported

· No support for single label domains

· SSL requirements complex!

· Multiple forest deployment considerations: (table from the original post not reproduced)

· ADFS allows only one namespace per farm/instance, i.e. if busitc.com & busitc.co.uk are both required then two ADFS farms are needed, one to provide authentication for each namespace (subdomains, e.g. sales.busitc.co.uk, don't require a separate ADFS farm)

· Only internet-routable domain names are supported with ADFS, i.e. .co.uk and .com are fine, whereas .local, .internal etc. aren't (for ADs that use a non-routable domain name, a routable UPN suffix needs to be added in AD Domains and Trusts and then each user's 'UserPrincipalName' suffix needs to be changed to the routable domain)

Distinct Functionality differences between Exchange 2010 SP1 & Office 365

· Max message size: 25MB

· Max 1500 recipients/day

· Max 30 messages/minute

· Deleted item retention: 14 days

· Deleted mailbox retention: 30 days

· No Outlook 2003 support

· No OWA public/private log-in

· Vanity OWA etc URL can be set-up through redirect

· OWA default time-out: 6 hours (configurable up to 24 hours)

· Minimum Windows Mobile 6.0

· No certificate based authentication for EAS

· BES support later in year

· No catch-all mailbox

· No custom address lists

· No GAL segmentation

· UM interoperability with on-premise Voicemail via SMTP or EWS only

· No OWA support for S/MIME

· Outlook S/MIME support limited

· No app connectivity through Exchange MAPI/CDO API

· No public folders

Exchange 2010 SP1 & Exchange Online (Office 365) Feature Comparison

(feature comparison tables from the original post not reproduced)

Administration

· Partners can be authorised as a ‘delegate administrator’

· EWS only supported. CDO, WebDAV and any custom code requiring changes to Exchange Online are not supported

· Standard identity – term refers to the requirement for separate identities in on-premise AD and O365

· SSO – also called identity federation – users use corporate AD credentials for both on-premise AD and O365

· User creation and provisioning options: (table from the original post not reproduced)

· 'Microsoft Online Services Module for Windows PowerShell' enables single sign-on

· Microsoft Online Services Portal; used for: -

Add users, add domains, manage licenses, create groups.

· ECP allows Admins to manage individual mailboxes or entire Org (www.outlook.com/ecp/busitc)

· Remote PowerShell cmdlets: http://technet.microsoft.com/en-us/library/dd575549(EXCHSRVCS.149).aspx

· RBAC – following groups available by default in Exchange Online: -

Organization Management

View-Only Organization Management

Recipient Management

Unified Messaging Management

Help Desk

Records Management

Discovery Management

· Message Tracking – use ECP

· Remote PowerShell for usage reporting

· Auditing. O365 provides two types:

Admin Audit Logging – tracks changes made by Admins (on by default)

Mailbox Audit Logging – tracks access to mailboxes by users other than owners (off by default) (http://help.outlook.com/en-us/140/ff628722.aspx)
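Because mailbox audit logging is off by default, here is an added example (not from the original notes) of switching it on for one mailbox over Remote PowerShell and then querying both audit logs. It assumes an Exchange Online remote session is already imported and uses 'Tony' as a placeholder mailbox identity.

```powershell
# Added example, not from the original notes. Assumes an imported Exchange Online
# Remote PowerShell session; 'Tony' is a placeholder mailbox identity.

# Enable mailbox audit logging for delegate and admin access. Owner actions are
# not audited unless -AuditOwner is set, which keeps log volume down.
Set-Mailbox -Identity Tony -AuditEnabled $true `
    -AuditDelegate SendAs, SendOnBehalf, FolderBind, Create, SoftDelete, HardDelete, Update `
    -AuditAdmin   MessageBind, SendAs, SendOnBehalf, Create, SoftDelete, HardDelete, Update, Move `
    -AuditLogAgeLimit '90.00:00:00'   # keep entries for 90 days

# Confirm what is now being audited on the mailbox
Get-Mailbox -Identity Tony |
    Format-List AuditEnabled, AuditDelegate, AuditAdmin, AuditOwner, AuditLogAgeLimit

# Who, other than the owner, touched this mailbox in the last 7 days?
Search-MailboxAuditLog -Identity Tony -LogonTypes Delegate, Admin `
    -StartDate (Get-Date).AddDays(-7) -EndDate (Get-Date) -ShowDetails |
    Select-Object LastAccessed, LogonUserDisplayName, LogonType, Operation,
                  FolderPathName, ItemSubject |
    Format-Table -AutoSize

# Admin audit logging is on by default: list the configuration changes made
# by administrators in the same window (who ran which cmdlet against what)
Search-AdminAuditLog -StartDate (Get-Date).AddDays(-7) -EndDate (Get-Date) |
    Select-Object RunDate, Caller, CmdletName, ObjectModified |
    Format-Table -AutoSize
```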

Archiving & Compliance

· Disclaimers supported – can be applied to different groups and control whether applied to internal messages, outbound or both (http://help.outlook.com/en-us/140/ff852816.aspx)

· Full transport rule support of all functionality in Exchange 2010 SP1 – managed using ECP or Remote PowerShell

· Using transport rules to copy all mail to an O365 mailbox for the purposes of archiving is not permitted.

· Personal archives – only fully supported with Outlook 2010 & Outlook Web App. Outlook 2007 provides basic support for personal archive. Outlook 2007 cannot apply retention or archive policies to items in mailboxes; instead must rely on Administrator-provisioned policies

· Enable archiving using remote PowerShell (http://help.outlook.com/en-us/140/ff628726.aspx)

· Outlook 2007 needs SP2 & cumulative update for Feb 2011 to access the personal archive

· O365 P1 plan includes 25GB storage for both primary & archive mailboxes

· O365 P2 plan includes 25GB storage for primary & unlimited storage in archive mailbox

· Default quota for O365 archive is 100GB. If more is needed a call needs to be raised with O365 support; the quota can be raised or lowered

· Users can import data into archive by: -

Importing directly into archive mailbox in Outlook

Move messages from primary to archive

Let retention policies automatically move based on age

Note: New-MailboxImportRequest cmdlet is not available in Exchange Online!

· http://help.outlook.com/en-us/140/ff628726.aspx

· Deleted item retention – 14 days


Journaling

· Only journaling to an external location that can receive SMTP is supported, i.e. on-premises, Exchange Hosted Archive or a third-party solution

· Journaling destination cannot be an O365 mailbox

· Journal managed by ECP or RPS

· Journaling configured on a per-user or per-distribution list basis

· Scoped for internal and/or external recipients

· Journaled messages include the original message, sender, recipients and copied recipients, including BCC!

· http://help.outlook.com/en-us/140/ff633680.aspx

Retention Policies

· Managed using RPS

· Two types of policies: -

Archive Policies

Delete Policies

· Users can, for example, tag a message so it’s auto moved to archive and deleted after another span of days

· Capabilities same as offered in Exchange 2010 SP1

· http://help.outlook.com/en-us/140/gg271153.aspx

Legal Hold

· Preserves users' deleted and edited mailbox items for both primary & archive mailboxes

· Use ECP or RPS to set legal hold on individual mailbox or entire Org

· Includes ability to send users notification of hold

· http://help.outlook.com/en-us/140/ff628734.aspx

Multi Mailbox Search/Cross Premises

· Use ECP

· Emails, attachments, appointments & contacts supported

· Searches simultaneously across primary & archive mailboxes

· Items can be copied/moved to a designated mailbox for further investigation

· Administrators can connect Outlook to this mailbox and export search results to PST

Note: Admins can’t directly export mailbox search results to PST in O365

AD Synchronization

· Supports only 1 x AD forest

· DirSync requires Enterprise Admins access

· Exchange Hybrid deployments (2010 CAS & HT on-site) requires on-premise AD schema update

· Exchange 2010 hybrid deployments can be made HA by implementing 2 or more

· Domain Controller requirements for on-premise DCs that communicate with O365: (table from the original post not reproduced)

· AD on-premise clean-up: (tables from the original post not reproduced)

· DirSync sends status emails of objects that require sync attention

· AD Auditing – enabling SSO will capture directory services logs on DC’s

Single Sign-On

· SSO aka identity federation

· Allows for users to enter their corporate AD credentials to gain access to O365

· SSO uses ADFS

· Must be ADFS 2.0

· Recommended ADFS is installed in 'farm mode'. This allows further ADFS servers to be added later (maximum 5).

· When ADFS is installed in ‘farm mode’, first fed server acts as primary authentication liaison. All additional ADFS roles are deployed in ‘read-only’ mode

· Recommended 2 x ADFS fed servers & 2 x ADFS proxy servers are deployed for resilience

· Should be deployed at location nearest to majority of end users

· ADFS proxy servers should be deployed in DMZ

· Proxy to federation communications is port 443.

· Best practice to deploy hardware load balancer in front of ADFS proxies to balance authentication requests, although Windows NLB supported

· HLB/NLB can also be used for ADFS fed roles


· DirSync must be deployed first

· Plan for and deploy AD FS 2.0 for use with single sign-on (http://onlinehelp.microsoft.com/en-us/O365-enterprises/ff652539.aspx)

· End user experience: (diagram from the original post not reproduced)

· No SSO means separate log-ins for both AD on-premises & O365

· Main benefit of SSO means on-premises AD password policies & account restrictions can be enforced

· SSO supports 2-factor authentication. This is only available using Office Web Clients

· User experience varies dependent on location: -

Corporate network: enables access to O365 resources without signing in again

Roaming on domain-joined PC: enables access to O365 resources without signing in again

Home or public PC: user needs to sign-in to O365 and ADFS proxy servers are required

· ADFS requirements: -

Single AD Forest

AD FS 2.0

Windows 2008 or Windows 2008 R2

Clients: Windows 7, Windows Vista SP2, Windows XP SP3

SSL certificates required for AD federation & proxy servers

Windows PowerShell 2.0 & Microsoft Online Services Module for Windows PowerShell (http://onlinehelp.microsoft.com/en-us/O365-enterprises/ff652560.aspx)

· Relying Party trust relationship required between federation server farm & O365. Relying party acts as a secure channel where authentication tokens can pass between on-premise & O365: (diagram from the original post not reproduced)

· ADFS Pre-Installation Requirements: -

.Net framework 3.5 SP1

ADFS hotfixes (http://office.microsoft.com/en-us/outlook/top-10-reasons-to-try-outlook-2010-HA101631728.aspx)

· To check UPN suffixes using PowerShell (the AD: PSDrive is provided by the ActiveDirectory module): -

o Import-Module ActiveDirectory

o cd AD:
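As an added example (not from the original notes), the UPN check above carried through: list the forest's UPN suffixes, register a routable suffix and rewrite users' UPNs off the non-routable domain, which is the fix described under Deployment Overview. 'busitc.local' and 'busitc.com' are placeholder domain names.

```powershell
# Added example, not from the original notes. Placeholders: the forest's
# non-routable DNS name and the routable domain verified in Office 365.
Import-Module ActiveDirectory

$NonRoutable = 'busitc.local'   # suffix users currently log on with
$Routable    = 'busitc.com'     # internet-routable domain for ADFS/O365

# 1. What UPN suffixes does the forest already offer?
$forest = Get-ADForest
"Forest root:          $($forest.RootDomain)"
"Current UPN suffixes: $($forest.UPNSuffixes -join ', ')"

# 2. Add the routable suffix if missing (same result as AD Domains and Trusts)
if ($forest.UPNSuffixes -notcontains $Routable) {
    Set-ADForest -Identity $forest.Name -UPNSuffixes @{Add = $Routable}
    "Added UPN suffix $Routable"
}

# 3. Find users still carrying the non-routable suffix
$users = @(Get-ADUser -Filter "UserPrincipalName -like '*@$NonRoutable'" `
                      -Properties UserPrincipalName)

# 4. Rewrite the suffix. -WhatIf shows each change without applying it, so the
#    list can be reviewed first; remove -WhatIf to make the change.
foreach ($u in $users) {
    $prefix = ($u.UserPrincipalName -split '@')[0]
    Set-ADUser -Identity $u -UserPrincipalName "$prefix@$Routable" -WhatIf
}
"$($users.Count) user(s) would move from @$NonRoutable to @$Routable"
```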

DirSync

· REQUIRES X86 PLATFORM!

· Hardware specs: (table from the original post not reproduced)

· Syncs mail-enabled users, mail-enabled groups, security-enabled groups (for SharePoint Online) & mail-enabled contacts from on-premise AD to O365

· Requires install on dedicated domain member server

· Set-up installs SQL Server Express edition which has maximum file size limitation 10GB (sufficient for about 50,000 objects)

· More than 50,000 objects to sync, full version of SQL Server 2008 required

· Deploying full SQL is best practice

· Enterprise Admin rights required at time of install. Post-install, a non-privileged AD account is used; this is created automatically by the DirSync install

· Required if Exchange hybrid deployment model needed with O365

· Can also provide GAL sync between on-premise & O365

· First-time sync results in all replicated objects being marked as ‘non-activated’, this means they can’t send or receive email and do not use any subscription licenses. Sync’d users are activated by being assigned appropriate license

· DirSync enables the following: -

SSO

Lync Online coexistence

Hybrid deployment using: -

Fully shared GAL between on-premises & O365

Ability to 'onboard' & 'offboard' users between on-premises & O365, i.e. move users back to on-premises if needed

Allow mailboxes to be on-premises and at O365

Safe & blocked senders are replicated to O365

Sync of photos, thumbnails & conf rooms


· If DirSync needs to replicate more than 10,000 objects a support request needs to be logged with O365 support and number of objects roughly to be replicated needs to be given

· First sync is network heavy; subsequent syncs are incremental

· 2-way sync option is known as ‘write-back’

· 2-way sync option takes advantage of O365 archiving, safe & blocked sender config, voicemail

· 2-way sync necessary for copying changes at O365 AD back to on-premise AD

· Features enabled by 2-way dirsync and the write-back attributes necessary: (table from the original post not reproduced)

Capacity Planning

· Recommended hardware based on user numbers: (table from the original post not reproduced)

Exchange Online Planning

· Two types of coexistence with O365 - Hybrid Deployment & Simple Coexistence

· Hybrid deployment – requires Exchange 2010 hybrid role on-premise, dirsync & ADFS

· Simple Coexistence – No SSO, users maintain separate authentication credentials for O365 & on-premise

· Hybrid deployment can: -

Share free/busy calendar data

EMC can be used to manage both O365 & on-premises environments

Outlook profiles are automatically updated, as in intra-org transition (requires appropriate hybrid server & autodiscover configuration)

No resync of OST

OWA redirection allows for redirection from on-premise OWA to O365 OWA

MailTips, OOO etc continue to work as all part of same topology

Delivery reports & multi-mailbox search work with users in both O365 & on-premises

Authentication headers are preserved during O365 & on-premises mail flow, so all mail feels and looks internal to company

Mailbox moves can go from O365 to on-premises if required, as well as vice-versa

· Hybrid Coexistence vs Simple Coexistence: (comparison table from the original post not reproduced)

· Hybrid Deployment considerations: -

Delegate permissions (inc delegate access, folder permissions and "send on behalf of") are migrated but not available until ALL PARTIES are moved at the same time, e.g. if an executive in your organization is migrated to Exchange Online then his or her administrative assistant will need to be migrated at the same time in order to maintain delegate access

On-premises mailbox permissions such as Send As, Receive As and Full Access that are explicitly applied on the mailbox are migrated. However, inherited (non-explicit) mailbox permissions as well as any permissions on non-mailbox objects—such as distribution lists or a mail-enabled user—are not migrated. Therefore, you will need to plan for configuring these permissions in Exchange Online if applicable for your organization. For example, you can use the Add-RecipientPermission and Add-MailboxPermission Windows PowerShell cmdlets to set the permissions in O365

Multi-forest AD environments implementing multiple forests for logon or resource segmentation do not support a hybrid deployment.

· Hybrid Deployment Requirements

Exchange 2010 Hybrid must be running SP1

Exchange 2010 Client Access server role on the hybrid server acts as a proxy between older Exchange environments and Exchange Online without the need to migrate on-premises Exchange mailboxes to Exchange 2010

DirSync write-back is recommended to enable smooth offboarding of users

Microsoft Federation Gateway is a free online service offered by Microsoft that acts as the trust broker between your on-premises Exchange organization and your Exchange Online service. Organizations implementing a hybrid Exchange deployment must create a federation trust with the Microsoft Federation Gateway

· Use Exchange Server Deployment Assistant for detailed deployment configuration

· Hybrid role requirements: (table from the original post not reproduced)

· Topology where no coexistence established: (diagram from the original post not reproduced)

· Topology with coexistence established: (diagram from the original post not reproduced)

· Changes after hybrid coexistence complete: (tables from the original post not reproduced)

Migration

· O365 supports 5 types of mailbox migrations

Exchange Server mailbox

Hosted Exchange mailbox

IMAP4 mailbox

Lotus Notes

GroupWise

· Types of Exchange migrations: (tables from the original post not reproduced)

· Supports migration of ‘delegates’

· Mailbox migration of ‘delegates’ and their ‘managers’ should occur at the same time

IMAP Migration

· Suitable for small orgs, quick cut-over, no coexistence

· User ID’s are automatically provisioned with the IMAP migration tool within ECP (Mailboxes will need to be created before use of IMAP migration tool)

· ADFS can be deployed after

· Supported IMAP servers: -

Courier-IMAP

Cyrus

Dovecot

UW-IMAP

Exchange 2010, 2007 & 2003

· Recommended max 10 connections to IMAP server to avoid IMAP resources/bandwidth overload

Notes/GroupWise Migrations

· MS recommend third-party tool involvement; Quest/Binary Tree etc

Mailbox Migrations

· A common practice to reduce mailbox sizes is to move mail to a PST archive, either manually or with AutoArchive. This is discouraged, as when the user later imports the PST back into the mailbox, the Exchange Online mailbox will not allow the user to reply to that mail.

· To reduce mailbox size consider following: -

Delete or archive mail in sent items

Delete or archive calendar attachments

Delete or archive attachments over 5MB

Disable Outlook journaling

Empty deleted items

Run mailbox cleanup wizard from Tools menu in Outlook

Bandwidth

· Not just Exchange mailbox moves, but also impact of Lync & SharePoint use

· Determine average mailbox size for mailboxes to be moved to O365

· Determine average connection & throughput speed from O365 to on-premise

· Calculate average expected transfer speed and plan mailbox moves based on these

Certificates

· For hybrid deployment MS recommend: -

Dedicated third-party certificate for ADFS

Dedicated third-party certificate for Exchange services on Hybrid Server

Self-signed for federated delegation on Hybrid Server

(certificate summary table from the original post not reproduced; as at http://technet.microsoft.com/en-gb/library/gg476123.aspx)

Public Folders

· Not supported in O365

· Mailboxes moved to O365 won’t have access to public folder data in on-premise Org

· Existing on-premise public folder config won’t be changed during hybrid deployment

· Microsoft recommends moving PF-located calendars, tasks & contact lists to SharePoint

· Alternative is to use ‘shared’ mailbox in O365

Client

· Defined as ‘rich’ experience or ‘web’ experience

· Rich experience is native Outlook client

· Web experience is browser-based

· Port exhaustion must be considered: a public IP for every 2000 users, due to connection persistency requirements

· Recommended clients are: -

Outlook 2010

Outlook 2007 with SP2

Outlook Web App

Outlook for Mac 2011

Entourage 2008 Web Services Edition

· Outlook 2003 not supported

· All client connections support encryption: -

Outlook, OWA, EAS & EWS use SSL over 443

IMAP uses SSL over 995

O365 supports transport and storage of messages encrypted using client-side, third-party encryption, i.e. PGP. O365 does not host public keys, key management or key directory services

· ActiveSync supported against Hybrid server

· Minimum Windows Mobile version is 6.0

· Nokia E & N Series, Android, iOS & BlackBerry supported during coexistence

· RIM will introduce a new hosted BES service for Exchange Online customers later in year. RIM will host, license & support the service (http://community.O365.com/en-us/b/microsoft_office_365_blog/archive/2011/03/16/office-365-and-blackberry.aspx)

· Thresholds for mail items in folders (set deliberately by MS for O365 to mitigate service performance issues; http://technet.microsoft.com/en-us/library/cc535025(EXCHG.80).aspx): -

Inbox: 20,000 items

Sent Items: 20,000 items

Deleted Items: 20,000 items

Calendar: 5000 items

Contacts: 5000 items

Contacts & Distribution Groups

· Created in ECP or sync’d from AD on-premise

· Supports restricted, dynamic, moderated & self-service DG’s

Address Lists

· Hierarchical, GAL segmentation & custom GAL views not supported in O365

· Photos can be provisioned on-premise and will be sync’d to O365, users can also upload their own photo in MOS portal

Calendar Sharing

· Free/Busy easily shared with anyone else on O365, trust is pre-config’d for all customers on O365

· O365 supports federated sharing with Exchange Org’s outside of O365

· http://technet.microsoft.com/en-us/library/dd638083.aspx

Conference Rooms & Resource Mailboxes

· Created in ECP or RPS

· DirSync will sync existing on-premise to O365

· Mailbox quota for conference rooms is 250MB

· Conference Rooms do not require a user subscription license (http://help.outlook.com/en-us/140/Ff628697.aspx)

Mail-Enabled Apps

· Use the Exchange Legacy API Scanner to analyse mail-enabled applications with legacy APIs (http://exapiscanner.codeplex.com/)

· Mail-enabled apps may require Exchange HT on premise if it doesn’t support EWS

· Forefront Online white list, block list & policy filtering modification may be required in order to allow potentially blocked emails generated by mail-enabled apps

· O365 can be used as an SMTP delivery service to relay messages from fax, network appliances or any custom/bespoke app

· Must authenticate to an O365 mailbox, connect over TCP 587 and use TLS

· Same message size limits apply

· http://blogs.technet.com/b/msonline/archive/2009/09/02/using-smtp-relay-with-exchange-online.aspx

· http://help.outlook.com/en-us/140/cc835669.aspx?sl=1#FindTheServerSettings

· Outlook Web App parts supported http://technet.microsoft.com/en-gb/library/bb232199.aspx

· Exchange MAPI & CDO not supported as these need to be on same local network as Exchange and will not connect over internet, which is required

· Lync Online can be federated with Lync/OCS on-premise as long as using different SIP domains

· No support for WebDAV

Archiving, Retention & Compliance

On Office 365, Ankur noted that Single Item Recovery (SIR) is enabled by default for all mailboxes. SIR means that all changes to deleted items in a mailbox such as attempts to purge the items or to edit their contents will be tracked by Exchange for the retention period that's specified. In this case, Office 365 uses a retention period of 14 days. On-premises Exchange 2010 mailboxes are not enabled for SIR by default. You have to enable mailboxes explicitly by running the Set-Mailbox cmdlet. For example:

Set-Mailbox -Identity Tony -SingleItemRecoveryEnabled $True

The retention window is configured per-mailbox or per-database. For example, if I wanted to set a retention period of 365 days for a mailbox, I’d run a command like:

Set-Mailbox -Identity Tony -RetainDeletedItemsFor 365

Whereas for a mailbox database I’d use a command like:

Set-MailboxDatabase -Identity DB2 -DeletedItemRetention 365

Of course, expanding the deleted item retention period (for a database in particular) increases the storage requirement for a database and shouldn’t be altered unless necessary. It’s also worth noting that calendar items are retained for 120 days at least even if a smaller retention period is specified.

The next factoid that I learned is that Office 365 uses a Managed Folder Assistant (MFA) workcycle of seven days. By comparison, the on-premises Exchange 2010 MFA uses a one-day workcycle. The workcycle sets a goal for the MFA in terms of how often it should process a mailbox to clear out deleted items, stamp items with retention tags, and action items whose retention period has expired. I guess it’s logical that Office 365 would want to minimize the amount of processing load that MFA imposes on mailbox servers but a 7-day workcycle does mean that items in mailboxes might not be processed as quickly as you’d expect. For example, an item that you’d expect to move to the archive after 30 days might linger in the mailbox and only move after 36 days. A small point to keep in mind.

It’s logical but might escape some that retention policies have to be maintained in two places if you operate a hybrid on-premises/cloud environment. For on-premises Exchange 2010, retention policies and tags are maintained in the Exchange configuration data in Active Directory and are not shared with the cloud. Therefore, if you’ve created a set of retention policies and tags to enforce compliance, you have to duplicate them in both places.

Some scripts are provided on the Exchange 2010 kit that can help, even if the ongoing synchronization will be a manual process. Details of the scripts can be found in the deck referred to above. As per this TechNet article, the magic that assures that both policies are deemed to match is having a similar RetentionId property. Having the same policy and tag occurs automatically in at least one instance. If you enable an archive mailbox for an on-premises user, their mailbox is assigned the “Default Archive and Retention Policy”. This policy is the same on both sides of the cloud divide so it follows that the policy can be implemented consistently. Before you rush to implement archive mailboxes and their associated retention policy, you might like to read this post.

If policies are not identical on both sides, mailboxes that are moved to Office 365 cannot maintain the tags that the on-premises MFA stamped on them. The tags are removed by MFA when it processes the Office 365 mailbox for the first time because MFA cannot resolve the tags (this is the same behavior that exists when you delete a retention tag from on-premises Exchange). All of this means that it’s important the same policies and tags are available on both sides else the Office 365 MFA cannot apply them to the newly arrived mailbox.
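An added example (not the kit's own Export/Import scripts) of keeping retention tags identical on both sides: export the on-premises tags with their RetentionId and recreate any that are missing in Exchange Online with the same RetentionId, so tags stamped on a mailbox still resolve after the move. It assumes two Remote PowerShell sessions imported with the prefixes OnPrem and Cloud (Import-PSSession -Prefix).

```powershell
# Added example, not from the original notes or the Exchange 2010 kit scripts.
# Assumes: Import-PSSession $onPremSession -Prefix OnPrem
#          Import-PSSession $cloudSession  -Prefix Cloud

# Step 1 (on-premises): capture each tag together with the RetentionId that
# the cloud MFA will use to match it
$csv = '.\retentiontags.csv'
Get-OnPremRetentionPolicyTag |
    Select-Object Name, Type, RetentionId, AgeLimitForRetention,
                  RetentionAction, RetentionEnabled, Comment |
    Export-Csv -Path $csv -NoTypeInformation

# Step 2 (Exchange Online): recreate missing tags, keeping the same RetentionId
$cloudTags = @(Get-CloudRetentionPolicyTag)
foreach ($t in Import-Csv $csv) {
    $match = $cloudTags | Where-Object { $_.RetentionId -eq $t.RetentionId }
    if ($match) {
        "OK       $($t.Name): RetentionId already present as '$($match.Name)'"
        continue
    }
    if ($t.Type -eq 'All') {
        # Default tags already exist in the cloud and only one default tag per
        # action is allowed, so a differing RetentionId here needs a manual decision
        "MISMATCH $($t.Name): default tag RetentionId differs from the cloud's"
        continue
    }
    $params = @{
        Name             = $t.Name
        Type             = $t.Type
        RetentionId      = $t.RetentionId
        RetentionAction  = $t.RetentionAction
        RetentionEnabled = [bool]::Parse($t.RetentionEnabled)
    }
    if ($t.AgeLimitForRetention) { $params.AgeLimitForRetention = $t.AgeLimitForRetention }
    if ($t.Comment)              { $params.Comment              = $t.Comment }
    New-CloudRetentionPolicyTag @params | Out-Null
    "CREATED  $($t.Name) with RetentionId $($t.RetentionId)"
}
```

Run the script again after any on-premises tag change; tags already matched by RetentionId are reported and left alone.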

Ankur was asked whether it’s possible to apply a retention tag with a transport rule to an outgoing message as it passes through the transport system en route to another domain. The answer is “no” and again it’s pretty logical as Exchange has no knowledge of what kind of target domain you’re sending to and anyway, it’s only Exchange 2010 that would have any chance of understanding and applying the retention tag on arriving items. Also, would you like if an external organization had the chance to apply retention policies to items under your control? The real answer here is that if you want control over outgoing items you’ll have to use Active Directory Rights Management Services to apply templates and then hope that the receiving servers can understand and respect the restrictions.

The question was posed whether Exchange 2010 discovery searches can generate a manifest (perhaps in XML format) of all items discovered by the search so that this can be included in a PST (generated by the New-MailboxExportRequest cmdlet) and provided to a legal investigator. Again the answer is no. Exchange captures items that satisfy search criteria in the target discovery search mailbox and it’s up to you to decide how to process them from there on. I’m sure that someone clever could use Exchange Web Services to scan the discovery search mailbox and enumerate the items retrieved by a search to create a manifest – maybe this has already been done elsewhere or perhaps it’s a feature of one of the third-party compliance products that now compete with Exchange.

Ankur was asked how to migrate items from a third-party archive to Exchange 2010. The answer was that some products include the ability to restore items from their archive into user mailboxes. If this is possible, then the user can move the recovered items into the archive or let Exchange do this automatically through archive tags in a retention policy. The alternative is to use products such as those available from Transvault to move data directly from the archiving solution to Exchange 2010.

An interesting question was how best to export data from a discovery search mailbox on Office 365? The problem here is that the New-MailboxExportRequest cmdlet is not available to Office 365 administrators, probably because the cmdlet depends on the ability to access a network file share where it will create the PST to hold the exported data. Of course, Office 365 doesn’t have access to network file shares in your environment so it can’t write out the data. So you have to revert to the age-old answer of using Outlook as an intermediary. Connect Outlook (2007 or 2010 – 2003 can’t connect to Office 365) to the discovery search mailbox where the data is located and drag and drop to a local PST and then provide that PST to whoever needs it. A kludge, but it works.

Message Hygiene

· O365 uses Microsoft Forefront Online Protection for Exchange (FOPE)

· Protects incoming, outgoing & internal message flow

· Uses proprietary anti-spam technology and multiple anti-virus engines

· Admins can manage advanced settings specific to environments using FOPE Admin Centre

· Users manage safe & blocked senders within Inboxes in Outlook or OWA

· Admins can manage org-wide safe & blocked senders via FOPE Admin Centre (IP’s, domains & email addresses can be allowed or restricted)

· SCL processing: -

High SCL’s are deleted at perimeter

Low SCL’s delivered to Inboxes

Borderline SCL’s are placed in Junk folder and automatically removed after 30 days

· By default, no emails are kept in FOPE spam quarantine; eliminates need for managing separate quarantine

· Clients can choose to use FOPE’s spam quarantine rather than integrated junk mail filter in Outlook/OWA

· Admins can change spam action settings in FOPE Admin Centre (http://technet.microsoft.com/en-us/library/ff715240.aspx)

Message Routing

· On premises appliance or another hosted service can be used to filter email before it reaches O365. In this scenario, the email domain’s MX record is pointed to the appliance or service which then passes to O365. This config can also be used in coexistence

· O365 supports ability to route outbound mail through on-premises server or hosted service. This allows custom post processing of outbound email and another option of delivering mail to business partners via private networks

· Custom routing configured within FOPE

· Address re-writing not supported by O365 however messages can be routed via on premises server for this functionality

· O365 supports opportunistic & forced TLS encryption

Unified Messaging

· Allows a business to connect its on-premise phone system to voicemail services provided by O365

· Speech access to directory not supported (http://help.outlook.com/en-us/140/gg299309.aspx)

· On-premises PBX can be connected to O365 using VOIP media gateways or an IP-based PBX directly to O365 UM through session border control.

· Interoperability with Lync 2010 on-premise for full voice support is supported in O365

· Voicemails are recorded and stored in O365 mailboxes

· Hosted UM services supported include call answering (VM), dial-in to Exchange (OVA) and automated attendant

· UM migration supported only from on-premise Exchange 2007 & 2010

· http://help.outlook.com/en-us/140/ff628732.aspx

· http://technet.microsoft.com/en-us/exchangelabshelp/gg702674

· O365 does not provide outbound fax services

· Inbound fax solutions can interoperate with O365

Monitoring

· If federation servers &/or proxies are unavailable , single sign-on users who attempt to access any O365 service will be unable to authenticate and therefore access services

· SCOM management pack available for ADFS

· SCOM allows for ‘synthetic’ log-ins to ADFS

Backup & Restore

· The ‘Update-MSOLFederationDomain’ PowerShell cmdlet in the MS Online Services module for Windows PowerShell needs to be run to restore ADFS configuration

Known Issues

(known issues tables from the original post not reproduced)

Other

· Administrators can reduce maximum mailbox sizes via Remote PowerShell

SharePoint

(SharePoint Online tables from the original post not reproduced)

Lync 2010

· Lync Online provides: -

Presence

IM

A/V communication

Online Meetings

Application & Desktop Sharing

Lync Domain Federation

Lync Client

Lync Web Application

· Lync Online is not a PBX replacement/integration

· When deploying with Lync on-premise, SMTP address & SIP URI must be the same

· OCS 2007/R2 client cannot be used with Lync Online

· Lync client uses ports TCP 5061 & 443

Prepare

· High-level sequence of tasks: (diagram from the original post not reproduced)

· Key Activities Summary: (tables from the original post not reproduced)