Microsoft Cloud News Round Up

We Told You So: Microsoft Cloud Leads in Gartner Magic Quadrant, Yet Again 

Gartner Magic Quadrant ranks Microsoft as a “Leader” in the BI and Analytics section for 2017. Gartner highlighted multiple key benefits of using Microsoft’s OneDrive for Business for companies who already use productivity and collaboration tools offered by Microsoft (i.e. Office365, SharePoint).  

Our founder and CEO, Thomas Carpe, remarks “Finally business advisors officially recognize what Liquid Mercury Solutions has known for years – that Microsoft’s cloud services are quickly becoming the standard by which all others will be compared. Where Office 365 once provided an advantage to businesses willing to take a chance on the cloud, soon enough it’ll become ubiquitous in business.” 

Microsoft’s optimism and determination seem to promise a growing trend of advancements in this area. Kamal Hathi, Microsoft Power BI general manager, wrote “We’re humbled by this recognition for the innovation we’ve delivered with Microsoft Power BI in the past year … But more importantly, we’re encouraged by the progress we’ve made as a community in executing against the ambitious goal set when Power BI was made generally available only a short time ago in July 2015: Provide BI to more people than ever before, across all roles and disciplines within organizations.” 

Alara Rogers responds, “Microsoft has actually been an industry leader in BI for many years. Excel is the world’s most widely used BI tool by a large margin. Where Microsoft struggles is in communicating to customers about the power and abilities of their platform, especially when we see lots of changes like we have with the shift from traditional tools like PowerPivot and SQL Reporting Services to a cloud platform Power BI. There’s room for improvement, but things are headed in the right direction.” 

Whatever your opinion, it’s safe to expect even bigger and better collaborative innovations in the years to come. 

Read More: 

https://blogs.microsoft.com/firehose/2017/02/16/microsoft-named-a-leader-in-gartner-magic-quadrant-for-business-intelligence-and-analytics-platforms/ 

https://mspoweruser.com/microsoft-named-leader-2017-gartner-magic-quadrant-content-collaboration-platforms/ 

  

Office 365 Takes the Lead Over Traditional Office for the First Time 

This week marks the first time that Office 365 users exceed the number of users for traditional versions of Office, making it the clear favorite both among users and at Microsoft. That trend will only continue as Microsoft plans to officially end support for Office 2007 later this fall. 

But what’s made Office 365 such a success? Let’s look at a few benefits. 

  • For starters, no one needs to suffer with the frustration of losing files that weren’t backed up because someone was too lazy to keep the laptop charged, thanks to OneDrive for Business and SharePoint Online. 
  • All the relevant applications people use for themselves can be synced across devices. That means next time your computer has a spontaneous meltdown, you can just switch to another one, easy as pie. 
  • Files can be shared with anyone, both inside the company and with vendors, partners, and customers. No need to clutter folks’ email with bulky and potentially risky attachments. 
  • Multiple people can edit a Word document or Excel spreadsheet simultaneously and it updates in real time. It’s so much easier than passing it around the office for review and revision. 
  • Thanks to applications like Delve, everything you need can be found in one place so say goodbye to having 27 windows open at once. 
  • Best of all, your information is kept safe using the latest encryption, and you can protect your account with more than just a password by using multi-factor authentication such as your phone. 

Office 365 has all the perks you wished Office XP had back in 2002. No wonder the trend of moving everything to the cloud is here to stay, because it works beautifully. 

 

Microsoft Welcomes Our Robot Overlords 

There has been buzz of Microsoft creating an AI supercomputer and people in the industry have strong opinions on how this will impact the future. Will it be chaos like The Terminator come to life? Or will we all fall in love like Joaquin Phoenix did with Her? 

OpenAI, a non-profit AI research organization, has teamed up with Microsoft to make AI accessible to the masses. Azure is the crucial component that will turn this idea into a reality. 

Microsoft already has tools within this platform that can assist in this development (i.e. Azure Batch, Azure N-Series Virtual Machines, and Azure Machine Learning) but they are in the process of creating further technology to aid in AI research. 

Some of these advancements have already come to light, including the upcoming Hardware Microservices via Azure. Microsoft aims to have FPGA (field-programmable gate arrays) processing power be accessible to developers sometime next year to have a cloud that is 100% configurable. There are major perks to having this type of access including increased speed and functionality. 

What the heck is an FPGA? Thomas Carpe explains “Simply put, FPGA are hardware, like your graphics card for example. Unlike special purpose hardware, they can be programmed and reconfigured as needed using software, potentially including AI. Thus, they’re super-fast, and can facilitate machine learning.” 

This all sounds wonderful, but some think converting and relying on AI technology is going too far. World renowned icons in the tech and science communities have conflicting ideas on what this means for the future of civilization. 

Elon Musk has spoken out against AI, referring to it as “our greatest existential threat” almost three years ago. He’s taken a precautionary role as a member of OpenAI. 

Stephen Hawking made a point to compare the speed of biological evolution versus advancements in AI to show that AI would eventually outgrow us. 

Mark Zuckerberg seems to favor the idea of a world more heavily dependent on AI. He believes it could create vast improvements in every day scenarios like healthcare and transportation. 

Where do you stand on the subject? Will you embrace AI? How would you like to maximize the cloud with the new capabilities of Hardware Microservices via Azure? Let us know what you think in the comments below.

Learn More: 

http://www.techrepublic.com/article/microsoft-partners-with-openai-to-advance-ai-research-with-azure/ 

http://www.zdnet.com/article/how-microsoft-plans-to-turn-azure-into-an-ai-cloud/ 

http://observer.com/2015/08/stephen-hawking-elon-musk-and-bill-gates-warn-about-artificial-intelligence/ 

http://fortune.com/2017/07/26/mark-zuckerberg-argues-against-elon-musks-view-of-artificial-intelligence-again/ 

https://channel9.msdn.com/Blogs/Azure/Why-OpenAI-chose-Azure+video 

https://fossbytes.com/satya-nadella-microsoft-is-turning-azure-into-the-first-ai-supercomputer/ 

 

Stay Ahead of Emerging Cloud Security Threats  

Recently, a massive cybersecurity attack on Office 365 targeted several Fortune 500 companies. How?! 

Skyhigh Networks explained the attackers consistently tried variations in a skillfully discreet manner to get into the accounts of “…high value targets, including more than 100,000 failed Office 365 logins from 67 IP addresses and 12 networks. The attempts in all targeted 48 different organizations.” 

Evidence shows the attackers might have already known some employee names and passwords through phishing and tried different combinations of usernames and passwords based on that. 

Your business can be vulnerable too! Do you reuse the same easy password for everything? Do you interact with spam emails? Do you have a basic username-password authentication system? If you answered yes to any of these questions, you need to up your security game. 

Don’t worry, you’re not alone. But that’s exactly how and why something like this could happen to your business soon. Embrace the modern world and get educated on how you can protect your data. 

There has been a huge shift of bringing sensitive information to the cloud amongst enterprise corporations as well as SMBs in recent years. Almost 60% of all sensitive corporate data in the cloud is based in Office 365. Additionally, it works on a myriad of devices which makes it even more appealing to users. 

The downside to this is that it’s also the hackers’ bull’s eye. It is often said “[w]ith great power comes great responsibility” …to protect your data. 

Slawomir Ligier, senior vice president of engineering at Skyhigh elaborates on this. “While companies traditionally have invested extensively in perimeter security, those without a dedicated cloud security solution will lack visibility and control for a growing category of attacks. Enterprise cloud providers secure their infrastructure, but the ultimate responsibility to control access to sensitive data lies with the customer.” 

Thomas Carpe goes on to say, “Many existing security experts as well as their tools and standards are seriously behind the times when it comes to including the cloud into their security plans. Where our customers have sensitive data, we must consider not just things like their firewalls or patching Windows, but also whether they’re subscribing to the right mix of cloud services to fully protect themselves.” 

Let that sink in for a moment. 

Protect your business! Now, wanna upgrade your security? Contact Liquid Mercury Solutions today to set yourself up with high quality cloud security and data protection to fit your business needs. 

Read More About It: 

https://www.infosecurity-magazine.com/news/widespread-bruteforce-office-365/ 

 

Microsoft Renaming Kiosk Plans to Frontline Worker Plans 

For years, we’ve struggled to explain to our clients what a Kiosk plan is, often calling it the “deskless worker” plan instead in favor of Microsoft’s preferred naming. Now Microsoft seems to be catching on to the longstanding communication gap. This week, they’ve announced a naming change to the K1 plan, which will henceforth be known as… wait for it… the F1 plan! 

What’s the F for? Well, all joking aside (and, yes, we’ve had some good-natured fun at Microsoft’s expense), the F is for Frontline Worker – but it could easily mean Field, Fleet, Factory, First-line, or one of those other words that starts with the same letter. 

Whatever way you spell it or decide that it stands for, the F1 plan is still the cheapest way to get your non-IT, non-administrative employees into Office 365. The price is still the same at $4 a month, and while the plan doesn’t include a copy of Office it does have email, Skype, and access to OneDrive and SharePoint – which is fine since a key requirement to the F1 plan is that the user doesn’t have their own PC. The F1 plan is perfect for users who’ll access Office 365 primarily via their smartphone or tablet, and may use a shared computer (kiosk) on occasion. 

So, if just the name is changing, what do Office 365 subscribers need to know? Not a heck of a lot, just keep it in mind when you get your next billing statement. Nothing’s really changed at all, so you’re not getting “F”ed. ;-) 

Verizon Punts Email to AOL. What Do You Do Now?

AOL mail gives Verizon a shove

Does Verizon's recent move to end email services and move millions of email boxes to AOL have you thinking about alternatives? We can help. Here's some useful information and recommendations to keep in mind while you consider your options.

Tip #1: Doing Nothing Isn't An Option

When you receive the email from Verizon notifying you that the mail service is being ended, you'll have about 30 days to act. If you do nothing, your email box will be deleted and you will lose access to all your past mail.

Fortunately, Verizon is providing an option that will buy you some time. You can choose to let them move your mailbox to AOL, and it will keep your @verizon.net address, at least for now. No word currently on how long Verizon will let these addresses stick around. AOL is owned by Verizon, but like any company it could be sold at some future point.

Our recommendation is to let Verizon convert your mailbox to AOL. There are other options. For example, you could switch to Outlook.com or Gmail, but these require more work and you'd lose your @verizon.net address. That could make it very difficult for you if you need to recover passwords from online accounts where you provided that address.

Fortunately, it looks like AOL's service will have better capabilities than the Verizon email service did, so you'll have more options available if and when you decide to permanently change your email address. Remember that even if you take them up on the offer to move to AOL, you aren’t locked in; you can always move to a new account later.

Tip #2: Inventory Your Online Accounts and Passwords

Because Verizon's email service is going away, you can end up in a bind if you were using a @verizon.net account to login to other web sites or cloud services. Now would be a good time to do a crawl of your old email and inventory any sites and services you've previously registered - old ones as well as those you currently still use.

Once you know which accounts are important to you, services like LastPass or RoboForm can be used to store your login information. This will reduce the chances that you'll need to fall back on password reminders that rely on your email address. Then, you can go into each service and update your profile to reflect your new address. Or, delete the account if you no longer need it, which will help protect you from username/password leaks that have become far too commonplace in recent years.

If all this sounds like a lot of work, consider what could happen if you find that you need to recover an account, but you can't because the @verizon.net email account no longer exists. So, for a quick fix, go back to Tip #1 and let them move your address to AOL *before* you move to a new service provider.

Tip #3: Consider Replacement Email Services

Once you switch your Verizon email to AOL, you may still want to consider other options. Why? One reason would be because AOL is a consumer service, and perhaps you've been using your Verizon account for business. Or, maybe you aren't fond of AOL's user interface, tools, or customer support and would prefer to work with a different company. Yet another reason would be if you want to protect yourself in case AOL and Verizon part ways at some future point - or if maybe they decide to merge AOL and Yahoo! services together.

Whatever your motivation, you may decide that you want to make a permanent switch. Here are some options you can consider.

If you're a consumer using the Verizon account for personal reasons, the good news is that you have many other great options. You can create a free account at Outlook.com, Microsoft's successor to Hotmail and MSN. (Use this link provided here, then click "Get a new email address".) Or, you can do the same at Gmail, Yahoo, or any number of other great providers. In case it affects your decision, keep in mind that Yahoo is also being bought by Verizon and that it and AOL will be merged into something currently being called "Oath", whatever that means.

If you've been running a small or home based business using your Verizon email address, it might be time to think about upgrading to a business class service like Office 365.

Office 365 has plans that include the latest version of Office (including Outlook), email service with perks like shared calendars, spam protection, and your own domain name (e.g. @mycompany.com). It even has voice telephone services for businesses. These services aren't outrageously expensive, will make your small business look extremely professional, and can really level the playing field against larger competitors. All these services and more are available for less than $50 a person per month.

If you decide that you'd like to explore Office 365 as an option for your business, please feel free to give us a call. If you have a few minutes, you can fill out our free Microsoft Cloud Services Assessment form and/or free Office 365 Migration Assessment form, and we'll follow up with you to schedule a free consultation. We're very attentive to our customers, will take the time to understand your business and go over all the options, and we offer a lot of valuable but affordable services to go along with Microsoft plans that can take your business to the next level.

Tip #4: Collect Addresses of Your Contacts and Send a Notice

If you plan to permanently move your email address, you may want to let friends, family, customers, and business colleagues know. While you certainly can't force anyone to update their contact information for you, doing all that you can is certainly advisable. This is also possibly a good opportunity to rekindle communication with old contacts that you may not have heard from in a while - and you never know what opportunities could come from that.

Of course, to tell everyone about your move, you'll need their contact information. If you've been disciplined about keeping Contacts up to date, you might already have this, but many times we may have exchanged email with folks who never made it to our contacts folder. Fortunately, there are still ways to get this data so that you can make good use of it.

While you may be using different email software, here's how you'd do this in Outlook:

  1. In Outlook click on File, then Open & Export tab, then Import and Export button. This will open the wizard.
  2. Select the option to "Export to a File" and click on Next.
  3. Select "Comma Separated Values" and click Next. You can open this later in Excel.
  4. Select the folder you want to collect from and click on Next. We want "Sent Items" in this case. You could also do this for "Inbox".
  5. Enter a file location or click "Browse" to pick a folder and type the file name, then click Next.
  6. Click on "Map Custom Fields" button. This will bring up a list of all the fields that are available in that folder.
  7. Since we only want the email address and name, click on "Clear Map".
  8. From the Left side click-and-hold on "To: (address)", "To (name)", "CC (address)", and "CC (name)"; drag each to the Right list. For Inbox you would do this for "From: (address)" and "From (name)" instead.
    • Pro Tip: If you also include the date/time of the email, you can use it to break your list out into years and track when you last contacted people.
  9. You can optionally click Next a few times to preview the results.
  10. When you're ready, click on OK then Finish.
  11. Now, you can open the results in Excel and do any de-duplication or other data clean-up you need to do.
  12. Once you have your list of addresses, you can use a service like MailChimp or Constant Contact to send an announcement to those you need to keep in touch with.

Please be polite and remember that it is considered very bad form to send e-mails out to a large audience using the CC or BCC features, since these may allow your contacts to see each other's address and even reply to each other. I can't tell you how many times I've seen someone do that only to watch my inbox blow up with a dozen replies of "please take me off your list." Keep your communications 1 on 1, use a bulk mail service, or see Tip #5.

Outlook users may also want to go spelunking for the Suggested Contacts folder to capture those addresses as well. To find this, go to Folders, then Contacts and scroll down until you see "Suggested Contacts" which should be just between "Sent" and "Sync Issues". You can copy these into your new account, export them to PST for later use, or export them to CSV as described above.

Tip #5: Set-up An Auto-Responder

After you switch your account to AOL, which we recommend that you do, you can set up an auto-reply rule to let people know that you're going to move permanently. This is something that Outlook does very well, and we've helped many customers to set this up before. If you don't have Outlook, or prefer an option that works when your computer isn't online, you can set up an away message in AOL Mail using their website.

Smooth Sailing or Rough Waters Ahead?

With these tips in mind, your Verizon email transition should be a pretty smooth one. Did you have a different experience or something that you'd like to share? Let us know in the comments.

Office 365 Security and You - Access Control

YouTuber JackSkepticEye plays Papers, Please. What does this have to do with Office 365 security? Read on and find out! This is the second part of a series on cloud security topics. In the first part, I discussed the threat that Ransomware has over people and companies. I started this series to book-end around my appearance as part of the SharePoint security panel at this week's Federal IT Security Conference. Since that conversation unfolded, I think we'll do a Part 3 next week to cover the topics discussed at the panel, which were very different than I imagined they would be.

PART 2: 12 Ways to Control When and Where People Access Office 365

Recently, many of our customers who are interested in migrating to Office 365 have been asking us questions about whether it's possible to control when, how, and where their employees can access their data.

While there are some technical approaches that may work, the unfortunate news is that there's no "silver bullet", at least as far as we've been able to find - yet. Many possible solutions feel like kludgy work-arounds, temporary half-measures, partial solutions, or something created only for larger organizations.

I thought I'd take the opportunity to put together a list of possible ways to tackle this challenge. Even though no option is a complete answer, it's possible that some of these may be a good fit for your specific circumstances. I'll do my best to go over the pros and cons of each option.

Is this necessary? Depending on who you are and what you do, maybe not. Overkill? A bit heavy handed? Perhaps. Thus the graphic above, which (for those of you who may not be gamers) parodies an Arstotzkan border guard from the dystopian job simulator game classic "Papers, Please". Understand though that in some cases it may be reasonable, since many industries are subject to regulatory compliance requirements that might not always be perfectly aligned with a cloud based IT strategy.

Fair warning, this is a pretty complex topic. Hopefully everyone has gotten over their election night hangover and is ready to dig in. So, without any more fanfare, let's check out some methods to implement extreme vetting in Office 365.

Access Control - The Basics

When we think about granting access, we're basically describing the five W's that need to be addressed in order to make a decision about letting a person have access to information. A perfect access and identity system would answer all the questions below before letting someone in to the system - and may even use some of the answers to put a limit on what they can access at any given moment.

Who

  • Is the user logging in actually who they say that they are?
  • How confident are we in that?
  • Have they been educated and informed about security and privacy policies?
  • Is their ability to act responsibly expected?

What

  • What is being accessed; is it email, documents, some other data?
  • Is accessed content subject to regulation such as HIPAA, SOX, or GLBA?

Where

  • What network are they connected from?
  • Do we have any geo-location data?

When

  • Is it the normal workday or after-hours?
  • How does "now" jibe with past or expected work patterns?

How

  • Is it a known PC, mobile device, or something new/different?
  • Are they using a browser (that can run JavaScript or CAPTCHA test), or could this be a bot?

Why

  • What's the business purpose behind needing the information?
  • Is it reasonable to expect responsible behavior?
  • If the behavior is unusual, is it known in advance or has it been vetted?

Okay, so now that we've been over what sorts of things go into granting access, let's get specific. The answers to "who" and "what" are already largely covered by conventional authentication and authorization systems. The topic in question - the one we're hearing about from our customers - specifically addresses the "when", "where", and maybe "how" above.

So, without further ado, here's my list of 12 things that can be done to control access to Office 365 and other resources in the cloud. Some are cheap. Some are definitely not. None are perfect for everyone. That's just life, I guess. If you'd like help finding a solution that will work for you, please talk to us about it, because that's what we do at Liquid Mercury Solutions.

Option 1: Just don't share the password with the user

It sounds stupidly easy, but if you don't want somebody to login from home, don't give them their own password. You can handle this in a couple of different ways. Either set up the Office 365 account on their work PC and save the credentials to it without telling them the password, or go ahead and give them their own account but have another account that is only used for access to important or sensitive information, and then keep that one under lock and key.

Plus side:

  • 100% effective once stored on the local PC.
  • Cheapest option available.
  • Can work even with Cloud Only users. No AD domain controller required.

Down side:

  • Creates a feeling of oppression and lack of ownership.
  • Ties access to a single person; people can't get access when people who know the password aren't there.
  • Tendency to use the same password on multiple logins is a bad idea.
  • Tendency to use the same login for multiple people is a worse idea.
  • These factors together mean that this approach may be abused in ways that are worse than the problem that it's trying to prevent.

Option 2: Trust but verify

You know, I really think we spend too much time thinking about all the ways that people are going to steal from us. When you consider it, it's amazing how rarely someone actually does.

Today, our reporting tools are much better than our access controls, so it's much easier for us to build a solution that will help create accountability than it is to enforce compliance by making it impossible to violate policy. Instead of spending lots of money on IT, trying to fit a square peg in a round hole by making cloud services act like old-school computers, why not focus that same energy on making sure employees know their responsibilities to protect data.

If employees know that they are not supposed to access HIPAA sensitive documents from home - and that you can tell when they have done so and will fire them for it - chances are very good that nobody will ever cross that line. The hard part is making sure there is a system in place that makes you aware if there is a problem, and that your employees know they're accountable too.

Plus side:

  • Simply modifying employee policy to allow remote access can be cheaper than any technical solution.
  • Having HR policies in place should probably be done anyway to make sure users understand their responsibilities.
  • While not the cheapest option, no or very little IT cost required compared to other options.
  • Provides maximum flexibility in unusual or unplanned situations.

Down side:

  • There are a few options for decent reporting, but not as many as we'd like.
  • Taking the time to audit usage can be just as taxing as blocking it.
  • By itself, this does nothing to prevent an account from being used improperly.
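The kind of report that makes "trust but verify" workable, as an added example that is not part of the original post: it reviews audit records for access to a sensitive site from outside the office network or outside working hours. The records, addresses, site URL and the function name `Find-PolicyViolation` are constructed for illustration.

```powershell
# CONSTRUCTED sample audit export. Column names follow the Office 365 audit
# record fields CreationTime, UserId, Operation, ClientIP and ObjectId.
# Real records carry CreationTime in UTC; these sample times are already
# expressed in office local time to keep the example short.
$auditCsv = @'
CreationTime,UserId,Operation,ClientIP,ObjectId
2016-11-14T10:12:00,alice@contoso.example,FileAccessed,203.0.113.10,https://sp.contoso.example/sites/PatientRecords/chart-001.docx
2016-11-14T21:47:00,alice@contoso.example,FileDownloaded,198.51.100.23,https://sp.contoso.example/sites/PatientRecords/chart-001.docx
2016-11-15T09:30:00,bob@contoso.example,FileAccessed,198.51.100.77,https://sp.contoso.example/sites/PatientRecords/chart-002.docx
2016-11-15T22:05:00,bob@contoso.example,FileAccessed,198.51.100.77,https://sp.contoso.example/sites/Marketing/flyer.docx
2016-11-19T11:00:00,carol@contoso.example,FileAccessed,203.0.113.10,https://sp.contoso.example/sites/PatientRecords/chart-003.docx
'@

# Hypothetical helper: returns one finding per audit record that touches the
# sensitive site from a non-office address ("where") or out of hours ("when").
function Find-PolicyViolation {
    param(
        [Parameter(Mandatory)][object[]]$Events,
        [Parameter(Mandatory)][string[]]$OfficeIPs,
        [Parameter(Mandatory)][string]$SensitivePrefix,
        [int]$OpenHour  = 8,     # first hour of the working day
        [int]$CloseHour = 18     # first hour after the working day
    )
    foreach ($e in $Events) {
        # Only content under the regulated site is in scope for this report.
        $inScope = $e.ObjectId.StartsWith($SensitivePrefix,
                       [StringComparison]::OrdinalIgnoreCase)
        if (-not $inScope) { continue }

        $when    = [datetime]::Parse($e.CreationTime, [cultureinfo]::InvariantCulture)
        $weekend = ($when.DayOfWeek -in ('Saturday', 'Sunday'))
        $reasons = @()

        if ($OfficeIPs -notcontains $e.ClientIP) {
            $reasons += 'outside office network'
        }
        if ($weekend -or ($when.Hour -lt $OpenHour) -or ($when.Hour -ge $CloseHour)) {
            $reasons += 'outside working hours'
        }
        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                User      = $e.UserId
                When      = $when
                Operation = $e.Operation
                ClientIP  = $e.ClientIP
                Document  = $e.ObjectId
                Reason    = $reasons -join '; '
            }
        }
    }
}

$records  = $auditCsv | ConvertFrom-Csv
$findings = @(Find-PolicyViolation -Events $records `
                -OfficeIPs '203.0.113.10' `
                -SensitivePrefix 'https://sp.contoso.example/sites/PatientRecords/')

# Detail for the reviewer, then a per-user count for the weekly summary.
$findings | Format-Table User, When, Operation, ClientIP, Reason -AutoSize
$findings | Group-Object User |
    Select-Object @{ n = 'User'; e = { $_.Name } }, @{ n = 'Findings'; e = { $_.Count } } |
    Format-Table -AutoSize
```

Run on a schedule against a fresh export, a report like this covers the "tell when they have done so" half of the policy; it still prevents nothing by itself.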

Option 3: Use ADFS

If you absolutely need to make sure that nobody can login to Office 365 from home, there's one absolutely foolproof way to go about it and that's to federate with an ADFS server located in your office. Then, all you need to do is not expose the ADFS server to the internet and your users will never be able to get to anything in Office 365 - period.

This is actually a "broken" version of a typical ADFS configuration, since usually most folks want to be able to allow access from home. We know it works, because when the power or internet goes down at the main office where ADFS is running, people working from home can't login.

Of course, if you absolutely need remote access, or some users need cloud access, you can configure a second DNS domain for them and not enable it for SSO. Without ADFS, this second domain and its users would use the regular login process for Office 365, and thus be able to get in from anywhere.

Unless you are such a small company that you can't afford to maintain a domain controller in your office, this may very well be the best solution for you. I'd be hesitant to recommend it to companies of less than 25 employees unless they have a very compelling reason, like HIPAA for example. It does take an experienced IT person to get it set up and correctly configured.

Plus side:

  • Well established solution; well documented.
  • ADFS comes free with Windows Server.
  • Absolutely effective at preventing outside access; if you don't want users outside your network, simply don't expose ADFS to the internet.
  • Flexible enough to work in a variety of scenarios.

Down side:

  • ADFS has a high technical debt.
  • Requires a Windows AD domain controller; many small companies would rather eliminate on-premises servers.
  • Adds to technical complexity, especially if you also have some cases where access to Office 365 from outside the network is allowed.
  • Doesn't readily distinguish between access to e-mail and documents, so you may need multiple accounts if you want to access some systems remotely but not others.

Option 4: Lock account based on login times using a script

It's possible to enable and disable logins using PowerShell. It's also possible to run PowerShell as a scheduled task in Windows. Both of these can be done from a workstation computer and do not need a server or other fancy hardware. Using PowerShell, you could "open the cloud store" in the morning and close it in the evening. In this case, nobody but you would be able to sign in unless you logged into the web site and overrode the settings.

This is a sort of weird scenario, really. I don't know very many people willing to go to these lengths to keep people out of Office 365 when they aren't at work. Also, then they wouldn't be able to check email either. It might have an application against a special-access account that only gets used during the day, like the one I talk about above in Option 1.

I probably should mention that if you go with Option 3 and use ADFS, it will automatically follow login times configured in Active Directory, making this totally unnecessary. So, unless your company is very small, I'd probably recommend doing that instead.

Plus side:

  • This can be run from any Windows machine, even a workstation.
  • Can work even with Cloud Only users. No AD domain controller required.
  • Easy to automate based on a schedule.

Down side:

  • Prone to problems if the script fails to fully "open or close the store".
  • Not a good fit for people who need around the clock access, but only from certain locations - or other scenarios that are not strictly time based.
  • Will take extra time and effort to manage and support.
  • Doesn't distinguish at all between access to e-mail and documents.
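One way to script the "open and close the store" job so that a partial run is caught, as an added example rather than code from the original post. The function names and the in-memory directory are hypothetical and constructed so the script runs offline; the comments name Microsoft Graph PowerShell cmdlets as the assumed real-tenant equivalents.

```powershell
# CONSTRUCTED directory standing in for the tenant's user list.
$script:Directory = @(
    [pscustomobject]@{ Upn = 'owner@contoso.example'; Enabled = $true }
    [pscustomobject]@{ Upn = 'alice@contoso.example'; Enabled = $true }
    [pscustomobject]@{ Upn = 'bob@contoso.example';   Enabled = $true }
    [pscustomobject]@{ Upn = 'carol@contoso.example'; Enabled = $true }
)

# Adapter 1 (hypothetical): list users. Against a real tenant this would be,
# for example: Get-MgUser -All -Property Id,UserPrincipalName,AccountEnabled
function Get-StoreUser { $script:Directory }

# Adapter 2 (hypothetical): change one user's sign-in state. Real-tenant
# equivalent: Update-MgUser -UserId $Upn -AccountEnabled:$Enabled
# -FailFor exists only in this demo, to imitate a failed or throttled call.
function Set-StoreUserEnabled {
    param([string]$Upn, [bool]$Enabled, [string]$FailFor)
    if ($Upn -eq $FailFor) { throw "simulated API failure" }
    $user = $script:Directory | Where-Object { $_.Upn -eq $Upn }
    $user.Enabled = $Enabled
}

function Invoke-StoreSchedule {
    param(
        [Parameter(Mandatory)][ValidateSet('Open', 'Close')][string]$Action,
        [string[]]$Exempt = @(),   # accounts never touched, e.g. the owner
        [int]$MaxAttempts = 3,
        [string]$FailFor = ''      # demo only
    )
    $want    = ($Action -eq 'Open')
    $targets = @(Get-StoreUser | Where-Object { $Exempt -notcontains $_.Upn })

    foreach ($user in $targets) {
        for ($try = 1; $try -le $MaxAttempts; $try++) {
            try {
                Set-StoreUserEnabled -Upn $user.Upn -Enabled $want -FailFor $FailFor
                break   # success, stop retrying this user
            }
            catch {
                Write-Warning "$($user.Upn): attempt $try failed: $($_.Exception.Message)"
            }
        }
    }

    # Do not trust the write calls: re-read the directory and compare.
    $wrong = @(Get-StoreUser | Where-Object {
        ($Exempt -notcontains $_.Upn) -and ($_.Enabled -ne $want)
    })

    [pscustomobject]@{
        Action     = $Action
        Targeted   = $targets.Count
        StillWrong = @($wrong | ForEach-Object { $_.Upn })
        Success    = ($wrong.Count -eq 0)
    }
}

# Evening run: one user cannot be updated, so the store is only partly closed.
$close = Invoke-StoreSchedule -Action Close -Exempt 'owner@contoso.example' `
            -FailFor 'bob@contoso.example'
$close | Format-List
if (-not $close.Success) {
    # In a scheduled task, finish with "exit 1" here so Task Scheduler records
    # a failed run and someone is alerted instead of assuming the store closed.
    Write-Warning "Store not fully closed: $($close.StillWrong -join ', ')"
}

# Morning run: everything except the exempt account is re-enabled.
$open = Invoke-StoreSchedule -Action Open -Exempt 'owner@contoso.example'
$open | Format-List
```

The exempt list is what keeps the owner able to sign in and override the schedule, and the re-read after the loop is what turns the "fails to fully open or close" risk into a visible failure.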

Option 5: Tie Office 365 Multi-Factor Authentication to a device that's only available in the office.

This is a lot like not sharing the password for an account, except that really what you'd be doing is withholding the second layer of authentication. Since the second factor authentication may not come up all the time, this would be more transparent and thus less destructive to employee autonomy than not giving them their own password.

Here's how it works: create an account in Office 365 and configure a password to use while you set it up. Then, configure multi-factor authentication and enroll the user against a device that's only in the office, like a desk phone or their supervisor's cell phone. Once they are enrolled, reset their password to a temporary one and share that with the user so they can pick one of their own. Now, you've effectively prevented them from logging in at home, since it will be an unfamiliar device and network, which would trigger the MFA.

Before you count on this method, you might want to test it for yourself. There are different flavors of MFA in Office 365, and some of them only come with E3 / E5 / EMS plans. The enforcement options, triggers, behavior, and configurability may all be different if you're using the vanilla MFA that comes with a Business Premium plan, for example.

Plus side:

  • Allows people to know their own password.
  • Adapts well to contingencies such as having to arrive early / work late.
  • MFA settings can be configured per user and overridden as needed.

Down side:

  • Requires a cell phone or voice phone to be present in the office; most people have a voice line though.
  • You can't let users self-enroll in this scenario.
  • Takes about 1 to 2 minutes longer to login to the system each time.
  • May require multiple accounts/licenses per user if some information needs to be controlled but other information does not. For example, if you need MFA for access to HIPAA sensitive documents, but not to e-mail.

Option 6: Customize SharePoint to Increase Security

Most folks who want to protect documents from their own employees are not actually interested in preventing them from accessing emails. But, most security solutions for Office 365 are applied against all the Office 365 services. If the documents you need to protect are in SharePoint, there may be better ways to go about this that wouldn’t impact other aspects of your service.

Of course, the ultimate solution would be to deploy CipherPoint Eclipse. You can think of that as the very best form of SharePoint customization there is, because it will let you encrypt documents and then use a variety of different policies to determine whether they can be decrypted. It's an expensive option, comparatively, but also a good one that offers true security (rather than security through obscurity). And now that I'm done plugging for our partner, I'll tell you about a slightly cheaper one.

Microsoft won't actually let us run server side code in SharePoint Online as they once did. So, our options for controlling the user's access and experience on the site are limited. Even so, it's not too difficult to do some rudimentary access control using JavaScript in the browser. For example, you can hide the page contents and display apocalyptic warnings instead. In some cases, you can also end a user's login session.

However, it is important to understand that code that works this way can be circumvented by those with a moderate amount of computer savvy. If you're going to rely on sleight of hand tricks to protect your information, you'd better also back it up with a clear employee policy, firm contractual agreement, audit logs, and regular reviews for bad behavior.

Plus side:

  • Significantly easier (and cheaper) than implementing security at the login prompt
  • Relatively easy to track both IP address and login time when using SharePoint.
  • Transparent to non-SharePoint Office 365 services, so if you're just trying to protect HIPAA documents, but still allow email access, this may be the way to go.

Down side:

  • To be fully effective, use of OneDrive sync and the SharePoint API will need to be blocked in sites that have sensitive documents, and this can limit how you customize SharePoint.
  • Requires documents to be stored in SharePoint. Other Office 365 services can't be protected this way.
  • Can be defeated by a determined intruder; many would say this does not offer true security but is more "security theatre".

Option 7: Encrypt It!

Most people don't need to protect literally everything they store in Office 365. Further, not everyone needs to protect what they store in SharePoint lists too, or implement complex policies to determine which employees should have access to what documents. Thus, solutions like CipherPoint that I mention above would probably be a bit heavy handed for most small businesses. (If you fit the above description, we'd still love to hear from you, because there's a lot more we can do in these cases.)

If your need to protect sensitive information is moderate and limited to a particular site, document library, or classification of content, then Microsoft's solution that comes with the E3 plan is probably good enough for you. I'm talking about Azure Rights Management, and while it won't keep an employee from viewing a document on their home computer, it can keep them from downloading it to their phone, printing it, or copying its contents to an email. Also, should the unfortunate need arise to fire their ass, it can also let you take access to that information away after the fact - no matter how many times or places they've copied that file.

While I wasn’t a huge fan of early versions of ARM, it has matured a lot. It's easier to set up now than it used to be, which is good if you don't have a huge budget for IT. Since it can be purchased a la carte, you can let Business Premium users access ARM protected documents when necessary, without having to upgrade them to the E3. (Unless you want to. I'm totally cool with upgrading if you want to. Have you met the E5?)

Plus Side:

  • Encrypted documents are useless, even if copied off the network
  • Even your IT admin (or Office 365 support partner, like us) can't read the encrypted document.
  • Easily restrict who can read or edit a document - as well as some other things they can do with it (e.g. print, copy/paste)
  • Access can be revoked after the fact.
  • A good solution if you only have a sub-set of documents you need to protect.

Down Side:

  • While you can control a lot of access, that does not necessarily include when or where users are allowed to read or edit a document.
  • Doesn't protect SharePoint data stored in lists or web pages, OneNote Notebooks etc.
  • Azure Rights Management is only included in E3 plan and above.
  • Third party solutions such as CipherPoint can be costly.

Azure AD Premium

Before I go on, here are a few notes about Options 8, 9, and 10 below regarding leveraging Enterprise Mobility + Security, Azure AD Premium, and Azure Advanced Security. These are things I think apply in general to the entire suite and go beyond the specific applications I mention in my list.

  • There will be additional monthly costs for service, and you may need on-premises hardware too.
  • Some solutions are simple while others can be quite technically complex.
  • While there may be features we're not aware of yet, there really doesn't seem to be the kind of access control our customers have been looking for, particularly for end-users. (See Identity Protection and Privileged Account Management below.)
  • Many scenarios, especially AD Premium, don't have a large user base yet outside a few big orgs and aren't well proven, especially in smaller companies.

Option 8: Registered Devices and Workplace Join

This is Microsoft's solution for adding PCs and mobile devices into Azure AD. And it's not a bad fit if you're interested in Windows as a Service, Intune, and the like. Joining devices to Azure AD basically makes it possible to login to your "domain" even when you're out of the office. Conversely, it can also be used to require users to login only from approved hardware.

Plus side:

  • Prevents users from working on unapproved hardware, such as personal computers.
  • Controls access by physical device; if you want to control access by location, don't let the physical device leave the desired location (e.g. use desktop computers not tablets)

Down sides:

  • This is a fairly complex deployment, possibly requiring help from experienced experts, and may not be suitable for small businesses.
  • Requires modern PCs (the Windows 8.1/10 scenario is better than Windows 7/8)
  • Requires a modern (2012 R2) Windows Active Directory domain controller
  • Requires configuration of an ADFS server, which needs to be accessible from the internet
  • Requires a license to Azure AD Premium
  • Relies on AD Connect / Sync so it can take quite a while for hardware info to be fully synchronized.
  • This solution can't really distinguish between user access to e-mail and user access to documents, so if you need mobile access to mail but not sensitive documents, this isn't your best option.

Option 9: Azure AD Premium w/ Identity Protection

I actually like this option a lot, because of its simplicity. It's not easy to take something as complex as access security and make it as easy to set up and manage as Identity Protection is - especially if you're Microsoft who seems to thrive on complexity and options. It's a really good system, and they've done a good job of providing a solution to help users deal with the identity theft threats that are becoming increasingly common nowadays.

But - and I'll cook my hat and eat it if I ever say these words again - Microsoft may have gone a bit too far into easy-to-configure territory, because there are a lot of options missing from Identity Protection that I would've thought would be obvious.

For example, where's my option to say "my employees only work in the United States, and for that matter they're only in Maryland for the most part." Or, how about, "We really don't work later than 8pm EST, so could any midnight logins please be labelled 'high risk'?" Why not let the admin get a notification in addition to blocking access or triggering MFA? All these things were missing, and I was really surprised by that.

Otherwise, it's pretty good and you should totally buy it. Maybe they'll improve it later. If not, please see Option 11.

Learn More about Identity Protection from Microsoft's Blog

Side note: We had a case recently where a client had an employee who was being targeted by a cybercriminal who had taken their credit card data and was trying very hard to target their email account in Office 365 too. Fortunately, Microsoft was diligent in locking the account after many successive failed attempts. However, it is important to understand that information which may have helped to lead to an arrest in this case was not being captured until we activated Azure AD Premium and Identity Protection for the customer. If you're locked out of your Office 365 account and you have good reason to think it was because of a hacking attempt, I strongly suggest that you do not wait, but go ahead and start the free trial for AD Premium and turn on all Identity Protection's logging features. From there, if you simply want to protect yourself, you can set up MFA - or consider setting up a honey pot if you want to try and catch the would-be thief.

Plus side:

  • No local server required.
  • Can work even with Cloud Only users. No AD domain controller required.
  • Microsoft Add-on for Windows Azure AD Tenants
  • Remediate risk by requiring multi-factor authentication, force password updates, and/or blocking access entirely
  • Uses threat analytics which includes data from other Azure users, not just your own company
  • Protects from: sign in from infected devices, new/unfamiliar locations, impossible travel distances, anonymous IP addresses
  • Tracks leaked credentials
  • Doesn't seem to add much burden in the way of administrative overhead or management
  • Most of the MFA enrollment is intuitive (at least for an IT person) and can be self-service.

Down side:

  • We thought that MFA enrollment left too many steps and choices to the end users and should be something admins could lock down or simplify.
  • Conditional access risks are managed by Microsoft and divided into low/medium/high; there does not seem to be a way to define things such as normal working hours or normal location.
  • Has a tendency to throw false alarms in some networks; for example whenever we visit the Microsoft office in Washington DC, it tells us we're trying to login from Redmond, WA.
  • Although you can resolve an event or mark it as a false alarm, there didn't appear to be anyplace for an admin to leave notes explaining why the login occurred, like the situation we describe above.
  • Despite some marketing materials that seemed to indicate this would be available in EMS E3 plan, it still required applicable users to have Azure Active Directory Premium Plan 2, which is part of the EMS E5 plan.
  • None of these Azure security and logging features are enabled until you activate this service.
  • We had to actually sign up for Azure AD Premium trial offer in order to get the system to recognize our existing AD Premium licenses from Office 365.
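The working-hours and usual-location rules that Identity Protection is missing can at least be checked after the fact against exported sign-in records. This is an added example, not part of the original post and not Microsoft's or Liquid Mercury's code; the CSV column names, the 6am start of day, and the sample records are constructed assumptions.

```python
import csv
import io
from dataclasses import dataclass
from datetime import datetime, time, timedelta, timezone
from typing import Optional

# Fixed UTC-5 offset to match the post's "8pm EST"; use a DST-aware zone in production.
EST = timezone(timedelta(hours=-5), "EST")
RANK = {"low": 0, "medium": 1, "high": 2}

# Constructed sample export. Column names are assumptions, not a Microsoft schema.
SAMPLE_SIGNINS = """\
user,time_utc,country,state,ip
alice@example.com,2017-01-10T14:05:00Z,US,Maryland,198.51.100.10
alice@example.com,2017-01-11T05:02:00Z,US,Maryland,198.51.100.10
bob@example.com,2017-01-11T15:30:00Z,US,Washington,203.0.113.7
carol@example.com,2017-01-11T16:45:00Z,RO,,192.0.2.44
bob@example.com,2017-01-12T01:00:00Z,US,Maryland,198.51.100.11
"""


@dataclass(frozen=True)
class Policy:
    allowed_countries: frozenset = frozenset({"US"})
    usual_states: frozenset = frozenset({"Maryland"})
    day_start: time = time(6, 0)   # assumption: the post only gives the 8pm end
    day_end: time = time(20, 0)    # exclusive: a sign-in at exactly 20:00 is late
    tz: timezone = EST


@dataclass
class Finding:
    user: str
    when_local: Optional[datetime]
    risk: str
    reasons: list
    actions: list


def parse_utc(stamp):
    """Parse an ISO 8601 timestamp; return None if it cannot be read."""
    try:
        parsed = datetime.fromisoformat(stamp.strip().replace("Z", "+00:00"))
    except (AttributeError, ValueError):
        return None
    # A timestamp without an offset is taken as UTC, as the column name says.
    return parsed if parsed.tzinfo else parsed.replace(tzinfo=timezone.utc)


def evaluate(record, policy=Policy()):
    """Score one sign-in record against the tenant's own hours and locations."""
    hits = []  # (level, reason) pairs

    when = parse_utc(record.get("time_utc"))
    local = when.astimezone(policy.tz) if when else None
    if local is None:
        hits.append(("high", "timestamp missing or unparseable"))
    elif not (policy.day_start <= local.time() < policy.day_end):
        hits.append(("high", f"sign-in at {local:%H:%M} is outside working hours"))

    country = (record.get("country") or "").strip().upper()
    state = (record.get("state") or "").strip()
    if country not in policy.allowed_countries:
        hits.append(("high", f"country {country or 'unknown'} is not allowed"))
    elif state not in policy.usual_states:
        hits.append(("medium", f"state {state or 'unknown'} is unusual"))

    risk = max((level for level, _ in hits), key=RANK.get, default="low")
    # Every non-low result also notifies an admin, on top of blocking or MFA.
    actions = {"high": ["block", "notify_admin"],
               "medium": ["require_mfa", "notify_admin"],
               "low": []}[risk]
    return Finding(record.get("user", ""), local, risk, [r for _, r in hits], actions)


def scan(csv_text, policy=Policy()):
    """Return findings for every record that is not low risk."""
    rows = csv.DictReader(io.StringIO(csv_text))
    return [f for f in (evaluate(row, policy) for row in rows) if f.risk != "low"]


if __name__ == "__main__":
    for f in scan(SAMPLE_SIGNINS):
        when = f"{f.when_local:%Y-%m-%d %H:%M}" if f.when_local else "unknown time"
        print(f"{f.risk.upper():6} {f.user:20} {when} EST  {'; '.join(f.reasons)} -> {f.actions}")
```

Rating an in-country but out-of-state sign-in as medium (MFA plus a notification) rather than high keeps a false alarm like the Redmond one from locking anyone out while still leaving a record for the admin to review.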

Option 10: Azure AD Premium w/ Privileged Identity Management

Okay, I'm going to sum this up nicely. If you're a Microsoft Partner, like us, supporting Office 365 customers, or if you have more than 2 Global Administrators on your Office 365 account - for whatever reason - this solution is for you. Everybody else will probably find this to be either too expensive or much too cumbersome to justify. It really only protects your admin accounts, so in most cases you'd probably do just as well to just configure MFA on them and be done with it.

Learn More about Privileged Identity Management from Microsoft's Web Site

Plus side:

  • No local server required.
  • Can work even with Cloud Only users. No AD domain controller required.
  • Microsoft Add-on for Windows Azure AD Tenants
  • Allows Just-in-Time Access to high level (e.g. global admin) accounts
  • Monitor how privileged access is being used
  • Notify other system admins in real-time when privileged accounts are used
  • Uses threat analytics which includes data from other Azure users, not just your own company.
  • Seems to have some really cool reporting capabilities, but they take time to populate.
  • Really the only way that I am aware of that you can give someone global admin access to Azure or Office 365 and still keep an eye on them and require them to justify their use.

Down side:

  • Adds extra login steps and technical debt for admins.
  • There is significant complexity involved for those who will need to manage and support PIM.
  • Doesn't seem to provide an option for who should receive alerts about usage.
  • Does not provide JIT access or monitoring for regular user accounts.
  • The ticket number formats are a bit restrictive.
  • Required applicable users to have Azure Active Directory Premium Plan 2, which is part of the EMS E5 plan.
  • We had to actually sign up for Azure AD Premium trial offer in order to get the system to recognize our existing AD Premium licenses from Office 365

Option 11: Beowulf Identity Server

I’ve talked plenty elsewhere about how awesome Beowulf is, how it shuts the front door on SharePoint, and how it protects your public facing web sites and applications from unwanted access. You don't need to hear even more of that from me here, so I'll stick to what we haven't said before. (Aw, c'mon. You didn't think I was going to spend all this time and energy writing a two part blog about security without promoting my own product, did you?)

We’re working on a version of Beowulf that works with SharePoint Online and the rest of Office 365, which shouldn't be terribly difficult since we already fully integrate with ADFS which is what Microsoft is using for access control in the cloud.

Since others seem to have dropped the ball on some of the options and features we've talked about here, we're doing our best to include them in the new version targeted for release in early 2017. Well, that's the big problem isn't it. Unless you want to be part of our early adopter program - and get a big discount for helping us test these new features - you're out of luck.

Learn More about Beowulf Identity Server on Liquid Mercury Solutions' Web Site

Plus side:

  • Low cost cloud based solution
  • Transparent access layer between users and Office 365
  • Can work even with Cloud Only users. No AD domain controller is required.
  • Can block access or alert you (but not block access) when a user logs in from unexpected locations or at unusual times.
  • Configurable in a lot of ways that Microsoft's solution is not.
  • Has many of the same MFA capabilities as Azure AD Premium.
  • Integrates well with Azure AD, ADFS, and other MS solutions.

Down side:

  • There is an additional cost outside of the Office 365 subscription
  • Like many advanced security products, set up is relatively complex.
  • Though many of these features are available today, our full feature set for the next release will not be available until early 2017.

Option 12: Application Layer Security Enabled Next Gen Web Proxy/Firewall

You all knew I'd bring it up eventually. Why don't you just go out and buy an F5 BIG-IP with the Access Policy Manager module on it? Then you can come back to us and hire us to configure it for you, and we can totally freak out because people hardly ever want to do that. Even so, this is a nice way to go if you have a lot of money lying around, and burning it would be inconvenient.

For large enterprises with hybrid cloud/on-premises deployments, I do recommend products from vendors like F5, Kemp, or Cisco. This goes triply so if you run a large corporation with name recognition, store a lot of confidential customer data that hackers may want to steal, or your everyday business is something that might lead people wearing Guy Fawkes masks to try to ruin your holiday weekend. They offer security features that Microsoft doesn't even come close to having in Azure yet, but you can absolutely deploy them as Azure VMs in your environment or on-premises as real metal or VM.

But then, if you're going to go that far, why not also make sure you do all the other things I talked about too?

Plus side:

  • Really, really, configurable and powerful; can probably do anything you'd want in terms of limiting and responding to access requests and use.
  • Deployable in traditional on-premises and cloud-based scenarios.

Down side:

  • Really, really, complex to configure and expensive to implement.
  • Even cloud based subscription versions are going to cost a pretty penny.
  • It will require dedicated staff and constant upkeep, so probably only suited to large enterprises.

As you can see, Microsoft offers many choices - but none of them is the perfect solution for everyone. Better solutions I think will emerge in the coming months. I hope I've done a little here to shed some light on what is sadly a very complex answer to what seems like it should be a simple question. The most important thing to consider I think is that there are some low-cost things that you can do if you want to control how people use cloud services, starting with making sure that your employees know the rules.

Technology is always changing, and it often forces us to consider scenarios that previously were just impossible. If you're considering Office 365 as a solution, you may have concerns about people having access from home (or anywhere in the world really).

Office 365 provides a lot of security advantages compared to storing sensitive data on your laptop computer, a portable hard drive, or that server in the closet. Keep in mind that this is just one potential risk in a sea of others that we've all faced for a long time; the benefits should outweigh the risks if you approach the transition to cloud services with a little bit of thought and planning. We're here to make sure you don't have to go it alone.

Did I leave something out of my list that you'd like to add? Leave a message in the comments and I’ll reply.

Thomas is an acknowledged expert on information security, the creator of Beowulf Identity Server, and spoke on the SharePoint Security panel November 8th at the First Annual FITSI.org Federal IT Security Conference. You can follow him on Twitter and LinkedIn - but if you really want to connect, your best bet is probably to call us at 410-633-5959.

Office 365 Security and You - Ransomware

Minecraft creeper: 'That's a very nice file share you've got there - be a shame if something happened to it'

Since I'll be on a SharePoint security panel speaking at next week's Federal IT Security Conference, I wanted to do a couple blog posts this week about cloud security.

I'm going to leave discussion of Windows zero-days, Strontium / Fancy Bear / Apartment 2B etc. for another time. There's already plenty of FUD going around about that topic. If you're not sure whether you're protected, you can update to Windows 10 Anniversary Edition and you'll be covered. The easiest way I know to do that is to buy a Win 10 Enterprise E3 subscription from us for $6.50 a month; throw in Enterprise Mobility Suite and Symantec Endpoint Protection Cloud and you'd still be spending only $19 a month. That's about all there is to that, so let's move on.

Instead I want to take some time this week to talk about recent (albeit non-federal) security challenges that we see our Office 365, and particularly SharePoint Online, customers facing. Specifically, two questions I'm being asked a lot lately are "Can Office 365 protect me from ransomware?" and "Can we control when and where people can connect to Office 365?".

Today, I'll be talking about ransomware. When I come back for Part 2 we'll talk about controlling access to Office 365. Part 3 will talk specifically about securing SharePoint in the cloud.

Part 1: All About Ransomware and Office 365

Q: "I've heard of this new thing called 'ransomware'. What is it?"

Firstly, for those of you who don't know, I'll explain what ransomware is all about, and then I'll tell you what you can do about it.

Maybe I should've done this post for Halloween, because ransomware is scary stuff. Ransomware is like other viruses or malware, but with a twist. It does something much more insidious than just infecting your computer, turning it into a zombie, or deleting random files.

Ransomware uses our own security defenses against us, by applying encryption on us against our will and then attempting to extort money from us to undo the damage.

So how does that work? Well, what if somebody put a lock on your door and then demanded $100 from you to remove the lock so you can get inside your home? It's sort of the same thing. Once the ransomware infects your system, it will open whatever documents that it can get access to, scramble the contents with a secret key only known to it, and save them. It then sends the key to organized cyber-criminals, and alerts you to contact them and make payment arrangements to unlock your files.

Q: "Am I in danger from ransomware?"

Yes. Yes you are.

Be afraid. Be very afraid.

But seriously, Dusty, Seth, and I saw our first case of a client affected by ransomware back in 2014 - and it wasn't pretty. This was in the spring, around the time Microsoft ended support for Windows XP. We had a client who - despite our advice - was dragging their feet about buying new Windows 7 PCs because of the cost involved. As a result, ransomware got into one PC, spread to their other workstations and servers, and then proceeded to extort and threaten their employees. That's when we got the call for help.

For the three of us, it was two hellish days working double shifts to purge the virus (from slow outdated machines), restore backup files, and clean up the mess that totaled over 100 hours and ten thousand dollars in labor charges - services for which we were never fully paid. I would never wish this fate on any client, and I hope to never receive such an emergency call again in my lifetime.

Fast forward to two years later, we're seeing an increasing number of customers telling us that they have contracted ransomware. Everybody's reaction is a bit different. Some folks are willing and able to simply walk away from their lost files, while other businesses faced a real and existential threat to their continued operations.

Any way you look at it, ransomware is a very similar problem to having your hard drive crash.

But hard drives are pretty reliable; they tend to fail from heavy use, if they are dropped, or when they get very old.

Unlike hardware failure, ransomware *wants* to be a problem for you, and there are organized teams of cyber-criminals all over the world who are actively working every day to try and find new ways to infect you with it.

If you are not working to stay ahead of this threat, it will eventually get the better of you.

Q: "What kind of information is at risk from ransomware?"

Ransomware is smart enough to go after files that you use, like Word, Excel, or PDFs while leaving program files like EXEs and DLLs alone. It can also distinguish between files you access often and files that you haven't opened in years and aren't likely to ever notice.

Ransomware can detect attached portable USB drives and find network shared folders that you have access to, so if you're infected then any folder you have access to is at risk even if it isn't necessarily on your computer. I have personally witnessed ransomware that attacked a network file server at one company and scrambled their case files for literally hundreds of customers.

Q: "Should I pay the ransom?"

Generally speaking, I want to say that you should never negotiate with terrorists - or criminals. That's a nice sentiment, and it sounds good in the movies. But in reality I think maybe that's a bit naïve.

Your best bet of course is to have a backup strategy in place and simply recover a working copy of your files from the backup. Only do this after you have thoroughly scanned, found, and cleaned the ransomware from all of your computers. Otherwise, you're putting your backup copies at risk by accessing them, which may let the ransomware know where they are too.

If you don't have a backup of your files, then paying the ransom might be your only option.

In such a case, definitely do not give a criminal your credit card info when they ask you for it. That'd be dumb. Certainly if they run your card for the ransom, you can expect the info will also circulate into databases of cards to be used for fraud later. If you must pay the ransom, purchase a pre-paid Visa gift card to do it. Some credit card companies will provide a temporary card number you can use for a one-time online purchase. If you have that option, it’s a good idea.

Q: "I already own a firewall. Doesn't that mean I'm protected?"

Having a firewall alone is not enough unless you also have anti-virus software on all your PCs and devices. More commonly these days it is called "endpoint protection", because the threat landscape has grown to include not only viruses but also malware, ransomware, zombies, and more.

Think of it this way. Your firewall is like building a wall around a city. It doesn't make sense to have a wall to protect yourself if you don't also have soldiers inside the wall who can react to intruders. In this case, the story of the Trojan Horse is very appropriate; you must have a layer of defense inside your walled city to protect yourself in case a threat does get a foothold inside the gates.

Having anti-virus software installed is like posting guards at important bases like your armory, grain store, or government center - or having a soldier boarding in each person's house. Anyone who has ever looked at how much CPU is used by their anti-virus software understands that it may be necessary, but it's also another mouth to feed.

We also need to account for the way that mobility has affected computer security. Today, we have laptops, tablets, and smart phones that come and go freely from within our fire-walled city and out into the wide, wide world. To extend our city metaphor, it is now a bustling metropolis with merchants and travelers coming and going at all times; and the freedom to travel has become a key aspect to life that we all benefit from. We connect to Wi-Fi networks at our friends' homes or the local coffee shop, as well as cellular data networks. Then we return to our own network, usually without much fuss. Unfortunately, we also potentially bring whatever plague we've exposed ourselves to from outside back with us when we return.

Protecting the desktop doesn't need to be an expensive proposition either. It costs only $4/month per user to purchase Symantec Endpoint Protection cloud, and Microsoft's advanced security tools that are part of Enterprise Mobility Suite and/or the Office 365 E5 plan each add only $8.70 and $15 (compared to E3 plan) respectively. This is something we can help you purchase and deploy, so please do reach out to us if you want to get this set up for your organization.

Modern IT security now also includes the concept of active network defense, which takes the fight from the PCs to the network itself. These are next generation Ethernet or Wi-Fi switches that can detect and block communications known to come from viruses, malware, etc. This is a lot like making the roads in your city unfriendly to invaders by having police guards on patrol. These new technologies haven't really filtered down to the consumer and small business market yet, but I expect that will happen fairly soon.

I hope that I've been able to explain why having a network firewall alone isn't enough to protect you from security threats out there today. While endpoint protection does add a cost and can sometimes limit PC performance, it's still very much a necessary evil. Meanwhile, new products are being developed that can do even more, so it may be time soon to start looking at replacing your old equipment.

Q: "Can ransomware affect files in Office 365?"

I get this question a lot, both from existing customers and from those considering Office 365 as a possible solution for protecting themselves from ransomware.

The answer is complicated, because really "it depends". I'm sorry if that sounds like consulting-speak, so let me explain what I mean.

Firstly, let me start by saying that we haven't observed yet any instance of ransomware in the wild that directly targets Office 365. But this alone doesn't mean these files are completely safe.

Let's say for example that you are using OneDrive for Business. You have a copy of your files in Office 365 and a synced copy is also on your local C: drive. If the ransomware encrypts the file on your local drive, OneDrive for Business would simply see this change as being similar to if you had opened the file yourself in Word and then saved some changes. It would then sync the [bad] changes to the cloud and overwrite the file there.

Furthermore, if ransomware infects the Microsoft Office desktop software like Outlook, Word, or Excel, then it could theoretically corrupt the process by which files are saved, regardless of where you're saving them. In fact, Microsoft Office has its own layer of file encryption called Azure Rights Management. It's not difficult to imagine a possible exploit that might somehow subvert that mechanism - or replace it with one where you don't have the keys.

So in both cases, I would say that while we don't know of any ransomware - yet - that can log in to your Office 365 account and use that access to reach your emails or documents stored in SharePoint, it is still technically possible that your files stored in the cloud are not completely out of reach.

Q: "I was thinking of buying Office 365 and moving my files to the cloud to protect them. Does what you say mean that it won't work and I shouldn't do that?"

Not at all. Moving your files to Office 365 is a good first step, and it has lots of other benefits besides security.

For starters you'd be taking advantage of Microsoft's advanced Data Protection strategy. Microsoft also has a 15 day backup window on some types of data. As a first line of defense, these are going to be a lot more secure and reliable than saving files on a USB drive in your office - even if you just look at it from a hardware perspective.

To really cover yourself, you should always have a backup strategy in place.

If your needs are minimal and the cost is a big concern, that might just involve occasionally copying important emails or files to a local drive and then unplugging it from the network and sticking it in a drawer or safety deposit box. Of course, doing things this way takes time and work. There are better options.

Third-party backup solutions for Office 365 have been around for a while. These aren't expensive - most will back up both email and SharePoint/OneDrive for Business files for just $5/month/user. Compared to other cloud backup platforms, these can be cost effective alternatives. They also add the benefit that your data isn't entirely with Microsoft, so you can feel more secure knowing that you are not keeping all your eggs in one basket.

So, if you are looking for a way to escape the threat of ransomware, Office 365 may still be a good option for you - as long as you're prepared to purchase a bit more than just the basic Office 365 plan itself.

About the Author

Thomas is an acknowledged expert on information security, the creator of Beowulf Identity Server, and will be speaking on a panel about SharePoint Security November 8th at FITSI.org's First Annual Federal IT Security Conference. You can follow him on Twitter and LinkedIn - but if you really want to connect, your best bet is probably to call us at 410-633-5959.

Microsoft Hates Folders (Part 2 of 3)

So last time we established that for some mysterious reason Microsoft hates folders. Microsoft does not want you to upload your folders to SharePoint. Microsoft is very, very convinced that uploading your folders to SharePoint is a terrible, horrible, no-good, very-bad idea, and is absolutely certain that what is best for you, your company, and the entire world would be if you never ever ever uploaded a folder to SharePoint ever again, and in fact never even used a folder in SharePoint.

Right. You’re going to keep using folders in SharePoint because that’s how all your stuff is organized, and re-organizing all of it right now to take advantage of SharePoint’s other methods of categorization, regardless of how much better they might or might not be, is time you simply don’t have.

So, how do you get your 300 gigs of data in folders into SharePoint Online?

Method 1: Use OneDrive for Business.

This is the method Microsoft would prefer you use. With OneDrive for Business, you synchronize your SharePoint MySite to your hard drive, and also any other SharePoint site you use that you might want to synchronize. This creates a great deal of confusion.

 

Notice that there are two different folders labeled OneDrive? One of them is labeled OneDrive – Personal and the other is OneDrive – LiquidMercurySolutions. Then there’s also the folder labeled SharePoint.

Sometimes I think Microsoft needs to adopt a strategy from the Evil Overlord list, but slightly modified. They should run their marketing plans past a 50 year old office administrator who does not work for Microsoft. If she is confused by the plan, maybe they should adopt a different strategy. Sure, once you know what’s going on, you know why there’s such a plethora of folders and why the ones that are OneDrive for Business have different names that aren’t OneDrive for Business and what the difference is between that and regular OneDrive. But when you don’t know, it’s hopelessly confusing, and even when you do know, it’s easy to click on the wrong thing.

So, to clarify, since Microsoft’s as clear as mud here:

  • OneDrive (no Business here) comes with Windows 10, and you can download it for earlier versions. It is Microsoft’s generic, consumer-oriented, cloud file share, similar to Dropbox. At one point it was named SkyDrive, but Microsoft got sued and had to change the name. This is for your personal stuff. Windows 10 tries to persuade you to save everything to your OneDrive, when you first install it or configure it for yourself after buying the PC. So this is where your family photos and your kids’ artwork and that screenplay you’re writing in your spare time go.
  • OneDrive for Business is used to synchronize SharePoint. One of the sites you have access to in SharePoint is called your MySite. For most folks, it’s going to look something like this:

 

 

You get to it by going to {yourdomain}-my.sharepoint.com, where your company’s regular SharePoint Online site is {yourdomain}.sharepoint.com. Click “Sync”, and this site will synchronize to your PC in a folder called “OneDrive – {Your Business Name}” (so in the example up above, mine is “OneDrive – Liquid Mercury Solutions”). This is for your personal work documents, which is less oxymoronic than it sounds. Drafts, notes, things you want to share only with a small working group such as the one or two people helping you revise it, that letter you’re writing to OSHA about your horrible working conditions… the MySite/OneDrive for Business site is by default accessible only to you, except for the things you put in the Shared With Everyone folder.

  • SharePoint – the folder labeled SharePoint on your PC is where synchronized SharePoint libraries live. These are the folders on the main company site (or any other site – in the example above, I have a personal site collection for my development work, where I also keep a collection of cookbooks so I have documents to test various forms of metadata operations on, and that’s the one I keep synchronized.)

So, logically speaking, all you have to do to get your folders into SharePoint is synchronize a library and copy your folders into the sync folder that appears on your PC, right?

Oh, but the devil is in the details.

First of all. SharePoint libraries have a maximum of 5,000 items. Folders are items. Everything in the folder is also an item. So if you have 50 folders, and each one has 10 folders under that, and each of those folders has 10 items in it… boom, 5000 items. So you’re going to want to watch to see how many items you actually have. If the folder you want to copy has more than 5000 items in it – which is very easy to achieve in some businesses, for example, a legal office where every client has its own folder and every case also has its own folder – you’re going to want to think about how to break it up. Alphabetical ranges are popular (i.e., a library for A-M and a library for N-Z). Or if your business has a regional structure, perhaps separate different libraries by region.

Secondly. There are characters that your PC’s file system will tolerate, but SharePoint Online will not, because they are special characters reserved for URL functions. They include &, % and #. So if you like to name your files “75% Growth Plan” or “#1234 Union Ave” or “Meeting with Bob & Jane”… you’re going to have to rename them. Those files will not sync.

Third, make sure you’ve got enough space. Today, Microsoft is giving every SharePoint Online customer a terabyte of space. But that’s a recent development. The limits on the size of your site collection might have been set before that was true, so maybe your entire site collection has only 20 gigs and you want to upload 21 gigs of data to it. That… won’t work out so well for you. Have your administrator check to see if there’s space.

Fourth, by default, the folders on the PC will be named “Your Site Name” – “Your Library Name”, but with only a certain number of characters allotted to either one. So if your firm is named “Dewey, Cheatum and Howe” and your main site is called “Dewey, Cheatum and Howe Team Site”… that’s going to download as “Dewey, Cheatum and Howe” because at best you get 24 characters. (It might even be less.) And worse, if your library is called “Legal Pleadings From April 2016” you’re going to end up with “Legal Pleadings From Ap”. If you broke up your libraries on A-M and N-Z and stuck the letters at the end of the library name, there’s a good chance they won’t even be there on the synced folder on your hard drive, because you’ll be out of characters. You can change them… sometimes… but it’s buggy. Some clients of mine have had no trouble; others, we change the name of the folder 5 times and it keeps resetting.

And fifth… prepare to wait, and to get very little useful information about what the sync is doing while you’re waiting. Sync is a very slow operation. It’s not intended to transfer gigs and gigs of data; it’s intended to keep changes made to the files or folders on the PC synced to the library and files in the cloud, and vice versa. You can hover your mouse over the little OneDrive icon in the systray to see if the sync is done or how it’s progressing. But if you’re syncing multiple libraries, your results will be misleading because it’s usually telling you how much is left to go on the one library it’s working on now.
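The first three caveats above (item count, blocked characters, and space) can be checked before you copy anything. The following PowerShell is an added example, not part of the original post or any Microsoft tool; the function name, its parameters, and the sample tree are made up for illustration, and the limits are the ones quoted in this article.

```powershell
# Added example: pre-flight check of a local folder tree against the limits
# described above. Function and parameter names are hypothetical.
function Test-SharePointUploadReadiness {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Path,
        [int]    $MaxItems     = 5000,              # per-library limit quoted in the article
        [char[]] $BlockedChars = @('&', '%', '#'),  # characters the article says will not sync
        [double] $AvailableGB  = 0                  # free space reported by your administrator; 0 = skip check
    )

    $root = (Resolve-Path -LiteralPath $Path).ProviderPath

    # Folders count as items too, so enumerate files and directories together.
    # -Force includes hidden files, which a bulk copy would also carry along.
    $items = @(Get-ChildItem -LiteralPath $root -Recurse -Force -ErrorAction Stop)

    # File or folder names that contain any blocked character.
    $blocked = @($items | Where-Object { $_.Name.IndexOfAny($BlockedChars) -ge 0 })

    # Total size of files only; directories have no Length.
    [long] $bytes = 0
    foreach ($item in $items) {
        if (-not $item.PSIsContainer) { $bytes += $item.Length }
    }

    # Item count under each top-level folder (+1 for the folder itself), to show
    # where the tree could be split across several libraries.
    $perTop = @(Get-ChildItem -LiteralPath $root -Directory -Force | ForEach-Object {
        $count = @(Get-ChildItem -LiteralPath $_.FullName -Recurse -Force).Count + 1
        [pscustomobject]@{ Folder = $_.Name; Items = $count }
    } | Sort-Object -Property Items -Descending)

    [pscustomobject]@{
        Root           = $root
        ItemCount      = $items.Count
        OverItemLimit  = ($items.Count -gt $MaxItems)
        BlockedNames   = @($blocked | ForEach-Object { $_.FullName })
        TotalGB        = [math]::Round($bytes / 1GB, 2)
        OverQuota      = (($AvailableGB -gt 0) -and ($bytes -gt ($AvailableGB * 1GB)))
        ItemsPerFolder = $perTop
    }
}

# Constructed sample tree that reuses the file names from the article.
$demo = Join-Path ([IO.Path]::GetTempPath()) ("sp-preflight-" + [guid]::NewGuid())
New-Item -ItemType Directory -Path (Join-Path $demo 'Clients\Smith') -Force | Out-Null
'x' | Set-Content -LiteralPath (Join-Path $demo '75% Growth Plan.txt')
'x' | Set-Content -LiteralPath (Join-Path $demo 'Clients\#1234 Union Ave.txt')
'x' | Set-Content -LiteralPath (Join-Path $demo 'Clients\Smith\Meeting with Bob & Jane.txt')
'x' | Set-Content -LiteralPath (Join-Path $demo 'Clients\Smith\notes.txt')

# A tiny limit is used here only so the sample tree trips the item check.
$report = Test-SharePointUploadReadiness -Path $demo -MaxItems 5
$report | Format-List Root, ItemCount, OverItemLimit, TotalGB, OverQuota
$report.BlockedNames
$report.ItemsPerFolder

Remove-Item -LiteralPath $demo -Recurse -Force
```

Point it at the real folder with the default limit, and pass `-AvailableGB` with whatever free space your administrator reports for the site collection.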

For migrating a lot of data… there are better ways. For moderate values of “better”.

Method 2: Use File Explorer.

Use this one weird trick that Microsoft hates! …No, that’s not clickbait. It really is a weird trick and they really do hate it.

A long time ago, Microsoft made SharePoint compatible with File Explorer via a technology called WebDAV. So you could connect to a library directly via File Explorer, and copy files to and from SharePoint. This is dangerous. You can see the hidden folders and files that SharePoint hides from you, so you could theoretically cause a great deal of problems to your SharePoint site, to the point where you could potentially corrupt it into being unusable. Also, see, File Explorer is an icon of a folder, and Microsoft hates folders.

For a while they did their best to block this feature, but nowadays it actually works, most of the time, if you make the appropriate goat sacrifices on the full of the moon at the dark of night in a properly cleared stone circle. Or, at least, if you are using Internet Explorer as your browser. Internet Explorer is deprecated; even Microsoft doesn’t want to support it anymore, so Windows 10 machines ship with their default being a new browser, Edge, as in it’s on the very edge of being a usable browser but not quite there yet. (Don’t get me started talking about Edge.) But Edge doesn’t support this trick with SharePoint, and none of the non-Microsoft browsers do either. It only works in Internet Explorer.

You go to the library you want to open, in Internet Explorer. On the “Library” tab click “Open in Explorer”. (This is available from the new Document Library style that is missing the ribbon and its tabs; in this format you get to it from a drop-down menu at the far right.) You may have to do it more than once to get it to respond. Once you do, it will open File Explorer, connected directly to the library.

 

 

Note that if you have synced this library with OneDrive for Business, this trick will not work.  It can only be used if you don’t have a sync folder for this library; otherwise it will try to force you to use the sync folder instead.

Using File Explorer, you can bulk copy a lot of files and folders, a lot faster than you could have using OneDrive sync. But it’s buggy. Sometimes it will spontaneously lose its connection and have to be re-opened for no real reason. Sometimes you won’t be able to get it to open at all. And if the library in question has any required metadata, then every single file you upload will be checked out to you, as a draft, and invisible to anyone else because that’s how required metadata and drafts work in SharePoint.

Method 3: Purchase migration software.

This one’s always an option. For a small company, however, it’s not usually an affordable one. Most migration software prices come in at a minimum of 4 digits, or heavily restrict how many gigs of data you can transfer, or both.

(Shameless plug time: we have migration software that sells in the triple digits. The catch is that there’s no attractive UI; it’s all scripting, so it’s mainly for use by consultants like us and IT departments.)

No matter how you go, it’s gonna be slow

Transfers to Microsoft’s data centers are throttled so no one customer can consume enough bandwidth to negatively affect other customers. So expect your data migration to take a while. Sync is easily the slowest method, and File Explorer probably the fastest. All methods will run into the same issues with bad characters, although most migration software will take this into account and either allow you to change the names, or will change them for you. All methods will be affected by space and by the number of items per library, as well.

What if I’ve decided I hate folders too?

There are actually some good reasons for moving away from the folder model entirely when you migrate to SharePoint (or at least mostly.) In the third part of this blog, I’ll discuss those reasons, and how you would go about migrating data without migrating folders or losing metadata.

Microsoft Hates Folders (Part 1 of 3)

It’s not clear what brought this on. For many years, Microsoft – inventor of Windows, which did not create the folder metaphor for directories (I believe that was Mac, or maybe Xerox PARC), but certainly used them happily for decades – and folders got along just fine. Then suddenly one day users of SharePoint Online couldn’t work with folders anymore, except in very limited ways.

I’ve encountered this many, many times in the course of helping clients migrate into Office 365. They want to move off OneDrive into SharePoint, or off of networked file shares. Great! We create a site for them, and appropriate libraries. And then it turns out that we can’t upload their stuff the way that anyone would normally upload things into SharePoint, because SharePoint no longer allows you to upload folders.

Did… it never occur to Microsoft that people who are migrating into SharePoint Online would probably have a lot of folders? That they might like to upload?

I know what the technical logic is behind deprecating folders, of course. At practically every SharePoint Saturday I’ve been to, someone has been teaching a class on why you don’t want to, or need to, use folders in SharePoint libraries.

A folder structure, when it comes right down to it, is metadata. You could have piled all your finance documents in the root of your C drive, but instead you put them in a directory labeled C:\My Documents\Finance to organize them better, because a Windows directory doesn’t allow you to apply metadata directly to files, so in order to mark them as Finance files you put them in a directory labeled Finance. And then you probably have directories like Taxes\Federal\2007, or Reports\P&L\2013, or Register\MyBank\Checking\2001, or stuff like that. All of this is metadata. Tax files, specifically federal tax files, specifically the ones from 2007. Reports, specifically P&L reports, specifically the ones from 2013. And so forth.

It’s a method of organization that comes from mentally projecting filing cabinets, where there can be only one physical sort method of physical objects, into the world of computers, where there could theoretically be as many sort methods as you have different data to sort by. So Microsoft has been pushing hard for SharePoint users to get out of the habit of folders, and use metadata instead with views that group, sort, and filter the data in different ways.  That way, should you have a need to pull together all financial reports for 2013, you aren’t hampered by the fact that the reports have been set into different directories by the type of report and then within those directories divided by year; you can simply pull all of one year together.

Well, ok, Microsoft, that’s great, but do you have time to go through half a terabyte of data going back 10 years to add metadata to it so that you can safely mark it in SharePoint without having to upload the folders? “Yes,” Microsoft says, “we do! We’re one of the biggest corporations on the planet and we are crawling with low-paid interns who can do that sort of work for us!” OK, but have you thought about the fact that your customers don’t all have those resources? In particular, your customers of SharePoint Online, which is most economic for small and micro businesses?

No. Of course they haven’t.

All is not lost, of course. There are two ways to get your folders into SharePoint anyway. There’s the method recommended by Microsoft, which is full of bugs, and then there’s the old, deprecated and nowadays mostly undocumented method, which is full of different bugs. The third option is to hire us to do it for you, since we’ve written our own tools to solve this problem, and if you’re planning to do that, you can call us at 410 633 5959 or email me at alara.rogers@liquidmercurysolutions.com . Operators are standing by!

Yeah, I kind of assumed that if you were reading a blog about how to do this, you wanted to do this yourself. But I had to try.

So. In the next part of this blog, I’m going to talk about how to get your folders onto SharePoint anyway. Then in the third and final part, I’ll demonstrate the advantages to using metadata rather than folders and show why you actually might want to try to move away from folders as a method for organizing your data on SharePoint, going forward.

Full Service Office 365 Admin vs. Support

I had a conversation today with a customer that made me realize that we might be offering something fairly unique, so I wanted to take a moment to talk about that.

We offer a service called The Full Monty. While the name implies you get everything, certainly we have services that are higher priced and not included in this bundle - but as the name implies, The Full Monty gives almost everything you could want to add to Office 365 that Microsoft doesn't sell you.

What's Included?

Compliance 365

Reports and alerts for Office 365 to keep tabs on your account. This offering is awesome if you have compliance requirements like SOX, HIPAA, FINRA, or GLBA. It also gives you better intelligence into what's going on within your Office 365 subscription, so it has real value for companies that don't necessarily have heavy regulatory obligations.

Managed Help Desk

Friendly technical staff to provide Tier 1 support for Office 365, backed up by our experienced Office 365 and SharePoint experts. While we do support Office 365 customers at no extra cost, this service takes that to a whole new level. We include a toll free number and robust management of all your IT issues, including those for which outside parties are responsible. We'll even manage your support requests and forward them to your own IT staff as needed, if that's what works for you.

Admin OnDemand

This is the one our customers really love. This service puts our Office 365 SharePoint experts at your beck and call for practically any routine administrative task you could possibly want. It goes beyond support, which covers break/fix and telling you how tasks can be performed; we actually do the work for you. Good examples include on-boarding a new employee or creating a new SharePoint site or document library.

What's Not Included?

Support and technical administrative staff don't write code, and they aren't consultants. These services weren't intended to replace those provided during more complex development or systems integration projects. So, we do all that we can to offer the best service possible, but if a particular task would require these skills or take longer than a couple of hours, chances are it's not covered in this program.

Our services don't normally cover desktop OS or hardware support. Many of our customers tell us that such services that they get from "managed service providers" are a waste of money. A good option for hardware support is to rely on the warranty services provided by hardware vendors like Dell, HP, BestBuy, or MicroCenter. If you need an on site technician or remote support for desktop software and OS, we can provide these at additional cost. 

The Full Monty isn't a cloud backup service, extra app, or SharePoint add-on. If you want to put additional capabilities into Office 365 that it doesn't provide natively, we can help you by recommending such services. I know, that seems obvious, but sometimes we get interesting questions, so we thought it would be a good idea to spell it out.

What Does It Cost?

The Full Monty costs the equivalent of $7.77/user/month, so that's $93.24/user/year. Quarterly billing is available if you're in a pinch.

Here's another way to think about the price. If you have 100 employees in your company, the cost would be $9,324/year. Compare that to hiring an average part-time IT worker, which is likely to cost you something in the neighborhood of $40,000/year and possibly more. In such a situation, if our service prevented someone from having to hire a person to perform these duties, they'd be saving 30k per year at the very least.

What if I add users later?

Yes, as your workforce grows your costs will go up, but in a very predictable way. There are very practical reasons why we can't offer to provide this service to only some of your employees while excluding others. You can always opt out of the program or switch to a different plan, but of course the services we'll offer in that case will likely be different. So, it's best to decide if you want this level of support and then plan accordingly.

What if I have users who aren't using the whole Office 365 suite?

The Full Monty was intended for customers with plans like Business Premium, the E1, or E3. Sometimes, folks will have e-mail only or kiosk workers. That's fine, and of course it isn't our intention to charge full price in such cases. However, each situation is different, so we'd need to have a conversation with you and work up a custom quote based on your unique situation in order to get you the best price.

In Summary

People often have questions about what services they need and why they should pay more in addition to what Microsoft already charges for Office 365. While we do make some money from reselling Microsoft's cloud services, our margins are not fantastic; we do the best job we can to support 365 customers at no extra cost.

Often, companies have IT needs that go well beyond what can be considered support in a traditional sense. The Full Monty is our offering that addresses this. By taking into account what customers are likely to need at any given time and using an actuarial model to distribute the risk, we keep the costs as low as possible. Think of this like insurance for your Office 365 services. When you need assistance, we'll be there.

We think it's a great service and quite affordable compared to those offered by traditional MSPs. It could maybe even be the cheapest way to hire a SharePoint admin that ever existed. Do you agree or disagree? Did I leave something important out? If so, I'd like to hear from you. Competitors are welcome to reply too. Please leave me a comment below and tell me what you think.

 

 

OneDrive sync problems

So if you use services such as OneDrive for Business to sync to SharePoint, and you’re on Windows 10, you may have noticed a bug that has recently started popping up. When you attempt to sync, or when you disconnect from a network and reconnect to another (such as if you’re on a laptop and you travel, so you need to connect to a WiFi that’s not in your office after being connected within your office), you may get a prompt to log into your SharePoint with your login id:

Some will get a straightforward password request, like this:

Others first get a box asking them if they want to use their Microsoft account (meaning their personal account) or their work or school account. In fact, they may get this box twice, looking slightly different each time. I suspect that this happens to customers whose Office365 email is the same as their Microsoft personal account. In my case, they’re two different logins, so I can’t replicate the “two requests for Microsoft vs. work/school account” issue in order to display screenshots.

In either case, the result is the same. You click “Sign in.” The button changes color like it’s supposed to on click. But it doesn’t do anything else. It doesn’t sign you in. Click, click, click, click. No sign in. How are you supposed to sync if you can’t sign in?

The answer – at least, for me, sometimes, and several others who’ve reported this bug – is breathtakingly simple to the point where it makes me feel stupid for not thinking of it myself. Hit enter.

Sometimes this works perfectly. Other times you get a blood-chilling message:

“The server you are trying to access is using an authentication protocol not supported by this version of Office.”

What does this mean? How can SharePoint Online not be supported by the latest version of Office?

It’s a ridiculous bug, that’s what, and Microsoft needs to fix it. Until they do, here are some steps that may fix it:

Method 1:

  1. Click on your system tray at the bottom right of your screen.

See OneDrive for Business with a little exclamation mark covering it?

  2. Click on it, and it will prompt you to enter your credentials:

  3. Follow the same steps to enter your credentials that you did before.

For me, this just magically worked, even though it had failed the first time.

Method 2: If that didn’t work, try this.

  1. Exit OneDrive for Business by right-clicking on it in the system tray and choosing Exit.
  2. Close all desktop Office apps. This includes Outlook, Word, Excel, and any other Office application you may have open.
  3. Because the closing of OneDrive might not be a clean exit, or there may be background Windows apps, check Task Manager (ctrl-alt-del and choose Task Manager) for the presence of background processes named GROOVE, MSOSYNC, or OneDrive anything. End these processes. End anything labeled Microsoft Office.
  4. Go to the Users directory on C: (it’s usually on C:), find the user you’re trying to fix this problem for, and delete the following folders if they exist:

c:\users\<username>\appdata\local\microsoft\office\sp
c:\users\<username>\appdata\local\microsoft\office\16.0\OfficeFileCache
c:\users\<username>\appdata\local\microsoft\office\15.0\OfficeFileCache

It’s possible that there will still be a locked Access database in the OfficeFileCache. I had one. I also have Access, so I opened it in Access and then closed it, and that unlocked it and allowed me to delete it. Hopefully it won’t be there if you don’t have Access.

 Don’t worry about deleting “important system files.” You’re going to run a repair, which will recreate the folders and files.

  5. Open Control Panel, find Credential Manager and open it. There are two sections, Web Credentials and Windows Credentials. You want the Windows one. Remove any credentials that look like MicrosoftOffice16_data:(anything), or something like that.
  6. In Control Panel / Programs and Features, go to Microsoft Office 365 Business or ProPlus. Right-click and select Change (not Uninstall).
  7. You’ll be given the option to do a Quick Repair or an Online Repair. Choose the Online Repair, but first make sure your internet connection is stable. This will essentially re-install all of your Office apps, but because you didn’t uninstall first it will keep all of your customizations.
  8. When the Online Repair is complete, find the OneDrive for Business desktop client, and open it. (It’s usually on your Start Menu someplace.)
  9. Now you ought to get the same prompts to login that you did before, but this time once you do the procedure above, it should work.
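The scriptable part of Method 2 (ending the leftover processes, deleting the cache folders, and finding the stored Office credentials) can be run as one PowerShell function. This is an added example, not Microsoft's or the author's tooling; `Reset-OfficeSyncCache` and its parameter are hypothetical names, and the process names, folder paths, and credential pattern are the ones given in the steps above.

```powershell
# Added example: scripted form of the first part of Method 2.
# Reset-OfficeSyncCache is a hypothetical name, not a built-in cmdlet.
function Reset-OfficeSyncCache {
    [CmdletBinding(SupportsShouldProcess, ConfirmImpact = 'High')]
    param(
        # Profile folder of the user being fixed; defaults to the current user.
        [string] $UserProfile = $env:USERPROFILE
    )

    # End the sync client and the background processes the article names.
    # Close Outlook, Word, Excel and other Office apps yourself first so that
    # unsaved work is not lost.
    Get-Process -Name 'GROOVE', 'MSOSYNC', 'OneDrive*' -ErrorAction SilentlyContinue |
        ForEach-Object {
            if ($PSCmdlet.ShouldProcess("$($_.ProcessName) (PID $($_.Id))", 'End process')) {
                Stop-Process -Id $_.Id -Force -Confirm:$false
            }
        }

    # Delete the cache folders listed in the article, if they exist.
    $officeDir = Join-Path $UserProfile 'AppData\Local\Microsoft\Office'
    $targets   = 'SP', '16.0\OfficeFileCache', '15.0\OfficeFileCache' |
                 ForEach-Object { Join-Path $officeDir $_ }

    $removed = @()
    $failed  = @()
    foreach ($dir in $targets) {
        if (-not (Test-Path -LiteralPath $dir)) { continue }
        if ($PSCmdlet.ShouldProcess($dir, 'Delete folder')) {
            try {
                Remove-Item -LiteralPath $dir -Recurse -Force -Confirm:$false -ErrorAction Stop
                $removed += $dir
            }
            catch {
                # A locked database file in OfficeFileCache (as described above)
                # lands here; the folder is reported instead of aborting the run.
                Write-Warning "Could not delete $dir : $($_.Exception.Message)"
                $failed += $dir
            }
        }
    }

    # List stored Windows credentials that look like MicrosoftOffice16_Data:...
    # They are only reported here; remove them in Credential Manager.
    $creds = @(cmdkey.exe /list |
               Select-String -Pattern 'MicrosoftOffice\d+_Data' |
               ForEach-Object { $_.Line.Trim() })

    [pscustomobject]@{
        RemovedFolders      = $removed
        FailedFolders       = $failed
        CredentialsToRemove = $creds
    }
}

# Preview what would be stopped and deleted without changing anything:
Reset-OfficeSyncCache -WhatIf
```

Run it without `-WhatIf` to make the changes (it asks for confirmation on each one), then carry on by hand with the Credential Manager cleanup and the Online Repair.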

Pros and Cons of Using Distribution Lists vs. Shared Mailboxes in Office 365

Over the years, we've seen a number of clients who make good use of Shared Mailboxes in Exchange Online. But you may find that Microsoft's implementation leaves some room for improvement, and there may be some edge cases where this is not the right choice for your situation. This article hopes to demystify the Shared Mailbox and help you decide if it is the right solution for you.

My assumption in writing this is that you the reader are either the business owner or manager of IT, and that in either case the specific how-to accomplish the proper set up of the Shared Mailbox, Outlook, Mail Flow, or e-Discovery settings in Exchange Online is not as important to you as being able to weigh the pros and cons of different options. My company is like many other Microsoft cloud service providers; we provide the technical services to get things configured correctly once a decision is made, and that's something I am hoping you might reach out to us about if you're looking at or currently using Office 365. (If that isn't the case, these things aren't trade secrets; you can find instructions pretty easily using your favorite search engine.)

Firstly, what's a Shared Mailbox?

If you have an email address that you want several people to receive or reply to, you have a few choices about how to do this.

  • Distribution List / Distribution Group / Mail Enabled Security Group
  • Site Mailbox in SharePoint Online
  • Exchange Online Shared Mailbox
  • New: Office 365 Groups

Maybe in a future article, we'll look at some of the other options. Wouldn't that make a great e-book? For today, let's focus on the Shared Mailbox and how it compares to its closest cousin, the distribution list.

Most folks who've been using email a while are familiar with the distribution list, sometimes referred to as listserv by certain Internet dinosaurs. In simple terms, a distribution list is an email address like info@mycompany.com that will actually send the email to the inbox of multiple people. When you hit Reply All on such a message, everyone on the distribution list will get your message. Multiple copies of the message are sent to each individual, so if I delete my copy, you may still have yours.

Think of a distribution list like a copy machine sitting by the internal office mail sorter. Someone comes along and makes 12 copies, then puts a copy into each person's mail slot.

A Shared Mailbox is similar in that it can still have its own email address like the info@mycompany.com example above, but the mail goes to the shared mailbox. Individuals are given access, but they have to connect to the mailbox to see what's inside. Reply All will go to the sender and the Shared Mailbox. There's only a single copy of the message in that account; if Alara and I have access, if I delete a message from the inbox, it will be gone when Alara signs into the mailbox too.

In this case, no copy machine, but the mailbox itself is a slot in the mail sorter and the mail gets put directly there.

Why would you choose a Shared Mailbox over a distribution list?

A Shared Mailbox can send mail, so that replies come from billing@mycompany.com instead of person1@mycompany.com or person2@mycompany.com. If the goal is to get people to stop sending emails to a single person that need to be accessible to everyone in a department, a Shared Mailbox is one way to help accomplish that. That's because the mail will go to the Shared Mailbox when the recipient hits Reply. Another reason is to reduce clutter.

A third reason would be to conceal the identity of the sender. There are lots of business reasons you might need to do this. However, Office 365 can make this a challenge. There are some specific technical steps that need to be performed in order to make sure that billing emails in the above example come from billing@mycompany.com and not companyowner@mycompany.com.

More importantly, by default the mail sent using the Shared Mailbox will still be in the individual's Sent Mail folder. That can make it significantly harder to track down a message, unless you know who actually sent it. There's another technical trick needed to change this behavior. However, doing so makes it harder to tell what user actually sent a message as the shared role. For most companies, this is a reasonable trade off.

If accountability is important, then there are ways to ensure it and still get the benefits of having a Shared Mailbox along with centralized communication. You can combine a Shared Mailbox and a distribution list for a best of both worlds configuration. You can configure mail flow in Exchange to modify the From or Reply To address. You can use e-discovery features available in the Office 365 E3 plan.

So, how to determine which option is right for you? Here's a handy PMI analysis you can use for easy reference. Feel free to apply your own weighting system to determine which choice works best for you based on your own priorities and goals.

|  | User Mailbox | Distribution List | Shared Mailbox |
| --- | --- | --- | --- |
| Increased Office 365 License Cost | Yes | No | No |
| Can be converted later to User/Shared Mailbox? | Yes | No | Yes |
| Can be combined with Distribution List? | Yes | N/A | Yes |
| More clutter in primary mailbox? | N/A | Yes | No |
| Additional action needed from user to check for new mail? | No | No | Yes (unless combined with distribution list or using separate logins on mobile devices) |
| Can you login separately from primary account? | N/A | No | Yes, but not easily; caveats apply |
| Impact on mailbox storage limits | N/A | Negatively affects storage for all accounts on list | Comes with its own mailbox storage limit, separate from other accounts |
| Experience in Outlook | It just works | No additional configuration required | Shared account appears in list below primary account without additional configuration; additional configuration is needed to keep messages in Shared account Sent Mail folder. |
| Experience in Outlook Web Access | It just works | No additional configuration required | Can easily switch to Shared account or display as a Shared Folder in your main mailbox; sent mail stays in Shared account's Sent mail folder if connected as such, but may need additional steps to do so when sending from the Shared Folder. |
| Experience in OWA Mobile App | Authentication is not connected to the OS, but appears to persist for some time; notifications do appear in Android; Contacts and Calendar do not appear to sync with OS / other mobile apps. | No additional configuration required | Shared folders have to be set up in OWA on a PC to show up in OWA on mobile; special steps are required to send mail as the Shared Mailbox. |
| Experience in Outlook Mobile App | It just works | No additional configuration required | Ability to connect is not clearly proven or defined |
| Experience in Native Apps (Android / iOS) | Connect via ActiveSync/IMAP/POP | No additional configuration required | Complex configuration needed, but possible; sent items stay in Shared account's Sent Mail folder. |

I hope you found this analysis useful. If you did, leave us a comment. Perhaps later I will extend this to include other options for Office 365 mailbox that I mentioned above.

Microsoft Announces Windows 10 Enterprise E3 OS as a Subscription

When Microsoft said back in 2000 that someday your operating system would be something you'd rent, like cable, I had a hard time taking it seriously.

My goodness, how times have changed!

Monday, Microsoft announced that Windows 10 Enterprise E3 will be available on a monthly per user subscription basis for just $7 a month or $84 per year. Given that people have been paying $200-300 for Windows OS without upgrades, this is actually sounding like a pretty smart idea and one that will benefit both Microsoft and their customers.

Microsoft has struggled for many years now to get customers to accept their upgrade program called Software Assurance. We've tried to sell it, but people simply weren't buying it. Seems that most customers would rather take their chances than shell out 150% more over a 3 year period for the right to upgrade their software for free... eventually... someday. In fact, over the past five years, we've also seen many customers who simply "forgot" to renew their SA agreements after year 1, thus sacrificing their right to the upgrade. So, perhaps this position is somewhat justified.

A couple years ago, Microsoft offered free upgrades as part of Windows Intune at a cost of about $6 / month / user. This was a pretty good deal. But, Intune didn't really take off and the higher priced subscription at $11/mo fell flat, possibly due to the unpopular Windows 8. Seems Microsoft was peddling upgrades while everyone was asking about downgrade rights. The $5 component of Intune was bundled into Enterprise Mobility Suite and the software assurance component was officially scrapped about a year ago.

I actually liked the idea of SA as a subscription when it was part of Intune. To me, it makes sense that if you're depending on the publisher of your OS to constantly provide updates for security and to fix issues while staying on top of the latest technology, you would probably want to be paying them a recurring fee so they will have an incentive to keep working on improving the product. Plus, spending a small amount of money on a monthly basis makes a whole lot more sense to small businesses than shelling out thousands of dollars up front for Windows licenses.

The new subscription will be available through CSP, so if you're buying Office 365 from a Microsoft Partner like us, you can call on them (or us!) to also sell you Windows. If you're buying Office 365 directly through Microsoft, we want to know why haven't you looked into a Cloud Solutions Partner yet? There are lots of great deals available on Office 365 that can improve your support experience or give you other value-added features.

Microsoft has very little to say about the new plan other than its cost. They wouldn't say if the plan will be available as part of the August 2nd roll-out called anniversary edition. They had even less to reveal about the accompanying Windows 10 Enterprise E5 plan, which would include security features not found in the E3 - think ForeFront on steroids. There are also supposed to be bundles coming out that would roll together Office 365 and Windows subscriptions, as well as personal editions for home use, but we haven't got any details yet on any of these. We do expect that once those details emerge, we'll be able to sell them to you just the same as the E3.

Even though Microsoft has been largely mum about the details, we still feel like celebrating.

So, today we have a special announcement.

Liquid Mercury Solutions is a Microsoft CSP provider, gold competency partner, and among the top 10% of Microsoft cloud providers in the US for small to mid-sized business. So, to put our best foot forward with this new program, we're offering a special incentive to customers who want to take advantage of this new and potentially revolutionary way to license their Windows desktop fleet.

Starting today, we're offering 10% off Windows 10 Enterprise E3 subscription for the first year when you purchase an Office 365 E3 plan *or* our Full Monty bundle that includes Admin OnDemand 365, Compliance 365, and our managed Help Desk service.

So, that's Windows 10 Enterprise E3 for just $6.30/user/month or $75.60/user/year.

You can also earn this discount for blocks of users when you purchase qualifying professional services from us. For example, a one week engagement like SharePoint Online Jump Start earns the discount for 10 Windows users. That could amount to equivalent savings as one user getting a free year of Windows 10 Enterprise E3. The discount varies by service offering, so ask us for details.

Even though this Windows subscription plan isn't available today, you don't have to wait to take advantage of this promotion. All customers who purchase from us starting today will be eligible for the discount for all Windows licenses added to their cloud subscription for the entire year. We'll apply the discount for a full year after Microsoft makes the subscription available.

So stay tuned, and subscribe to our blog. The market's about to get all shook up! We'll update you as soon as we hear more information about these new plans.

An Army of One Asks "SharePoint, What Is It Good For?" - Using SharePoint in One Person Companies

It's dangerous to go alone. Take SharePoint. Recently, we've been getting a lot of new customers who are the sole proprietor of their businesses. This isn't too unusual; many businesses are one-person shops who don't have any employees. For example, while it isn't unusual to eventually take on assistants, many tax preparation specialists, accountants, architects, lawyers, IT folks, marketing gurus, or business consultants start out as just an individual person going into business for themselves. I personally went this route; rather than take on a full-time job, I operated as an independent contractor for nearly 15 years.

Liquid Mercury has always been a company based on helping our customers get the best value out of SharePoint. This used to mean mostly Fortune 500 companies and government agencies. Then, Office 365 came along and has greatly increased the audience for whom SharePoint is accessible. Now, even a single person business can buy an Office 365 Business Premium plan for $12.50 a month and get access to SharePoint.

There's a lot of interest in the platform, and one question that people in business for themselves ask us more than any other is "What's the point to SharePoint when you haven't got anybody to share with?"

At first, the answer wasn't entirely obvious, even to me, so I thought it might be worth sharing a few tips on how sole proprietors can get the most out of the SharePoint component of their Office 365 service.

Author's Note: This article got to be much more involved than I expected. So I've decided to break it up into two parts. In this, part 1, I'll go over the first three tips, which are primarily about benefits you can achieve for yourself. In the next part, I'll go into depth about ideas that can help you when working with your customers.

Tip #1: Develop a Filing System

When I think about how to use SharePoint in a one-person office, the first thing that comes to mind for me is to simply get better organized with all the documents needed to operate the business every day.

Any business will have these. There will be invoices and communications from vendors that need to be scanned, filed, and paid out. Possibly, there will be invoices sent to customers. You may have to write your own contracts and then keep track of variations as you negotiate with your customers. Perhaps you'll need to write quotes or formal proposals in order to win the business. There might be status reports and time sheets.

You can certainly organize all these documents into folders. That's how people have been doing it for years. I will give you one good example why this might not be the best option in the long run.

Suppose you decide that your filing system will be organized by customer. One folder per customer, no problem. To keep clutter from piling up, under each customer folder you create a folder for time sheets, work logs, and invoices; a folder for documents the customer shares with you (so you can honor that NDA you signed); and one for the original proposal and agreement (so you can remember what you promised to do for them). You did remember to scan the signed copy of your contract and put it there, right?

Anyway, suppose you hire some help for a large customer. You need to share documents for that customer with your hired help. But there are certain details you'd prefer to keep in house, such as how much the customer is paying you, those confidential/proprietary documents, etc.

Now you also want to hire a bookkeeper to help you convert work activity into invoices. This person needs access to every customer's documents, but only the financial stuff, not the contracts or project documents.

You start to think that maybe it would've been better to organize the top level folders first by the type of document, and then have sub-folders for each customer. Over time you change the way you're organizing your files, coming up with newer/better categorizations - but you don't really have time to go back and change the historical documents. What you need now is called a "matrix". What you actually have is probably better classified as a "mess".

But what does SharePoint do to resolve this problem?

SharePoint lets you attach any number of properties to a document. These are called Fields and they work exactly like you'd expect fields in a database or columns in a spreadsheet to work. You can have a Field for which customer a document relates to, and a different Field for the purpose of the document. Say that later you decide to add a follow-up date to keep track of work on certain documents. With SharePoint, you can add that easily at any point down the road.

Of course, we wouldn't just enter extra data about files for the fun of it. Learning to file things in a way that is completely different than what we've been taught to do for the past 25 years takes a certain amount of discipline. New skills will have to be learned and new work habits developed. For this effort, there must be a proportionate reward.

As it turns out there is such a benefit. Fields are useful because you can then create something called a View. Views let you show only the documents that meet certain criteria. For example, "Show me only the proposals where I won the business." or "Show me only the invoices where the customer hasn't paid me yet." Things can also be set up so that your bookkeeper wouldn't need to be confused by all those non-invoice documents that you have to track, because from their point of view (no pun intended) these can be completely hidden. So, you can start to see how Views would be very useful indeed and worth the effort of putting data into Fields on almost all your documents.

Tip #2: Find Things Faster, Easier

One thing that SharePoint has always done pretty well is search. (Hey, you SharePoint experts, don't laugh; I am serious.) Since the first version back in 2001, I have been very impressed that SharePoint was able to crawl all the documents on my entire network, including file shares, and bring back results that often times I'd completely forgotten even existed.

This was no small accomplishment, and SharePoint's ability to uncover hidden gems has only gotten better with time.

Quick Benefits Right Out of the Box

Today, in Office 365 we have something called Delve, which will show you not only what documents you've been working on, but a timeline of your work with thumbnail representations of what these documents actually look like. Most one person shops are not running a traditional server with an enterprise version of SharePoint, so I feel pretty safe saying that for the purpose of this article, most interested readers will have access to Delve.

Here's a screen from Delve showing my recent documents.

Also, many people do not realize that OneDrive for Business is essentially SharePoint with another face. Yes, OneDrive lets you sync files to your local hard drive. However, when you browse the web site to look at the copies of your documents that are stored in the cloud, that web site is a SharePoint web site and those documents are stored in SharePoint Libraries. As a result, they are also searchable in SharePoint and will show up in Delve.

So, you can get a tremendous benefit without any extra effort at all on your part simply by choosing to save your documents into SharePoint or OneDrive for Business.

Taking Search to the Next Level

Combined with the proper use of the Fields we talked about in Develop a Filing System, SharePoint search can be used to not only search for documents based on their content, but also on how they were categorized using the data in those Fields. For example, just like you can create a View to show you certain types of documents within a Library, you can also use Search to surface documents stored on any SharePoint site.

This feature has many practical applications, especially for larger businesses, but the most compelling for a sole proprietor will likely be digging through lots of documents to find the one you need - as quickly as possible. Imagine for example that search results can be filtered by a specific customer, by a set of products that they relate to, or let's say... maybe by whether you remembered to scan and upload the final signed version.

Tip #3: Create Standard Operating Procedures

Almost every one person shop starts out with the idea that if you build a better mouse trap, people will beat a path to your door. Yet, in the course of business, we often fall into a trap ourselves. We discover that we're spending more time being a bookkeeper, bill collector, contract writer, office clerk, tech support, etc. rather than the thing we went into business to do.

Eventually, if you are going to stay focused on your mission, your one person business is going to take on hired help. That could mean employees or it could mean contracting with other specialty firms.

Either way, how you go about getting your work done is something that will need to be documented and shared. Without proper documentation of your processes, it becomes much more difficult to identify those parts of your work that can be effectively retooled, delegated, or outsourced to make your operation as efficient and competitive as it can be.

If you get to the point where you're successful enough that you are forced to grow, then you'll have no choice but to try and explain to other people what you want them to do and how you want it done.

Take it from me, it will be better for you if you start writing these things down before that day comes.

I learned the hard way that rapid business growth can be every bit as dangerous as a period of decline. In fact growth can trigger missteps, leading to long term problems and the ultimate downfall of a small business. Growth can turn many strategies that help the tiny business survive into bad habits that hold it back. Growth puts such a strain on the leadership of a business, that it might make one reconsider why they went into business for themselves in the first place.

By documenting your business processes before you're busting at the seams, you can go a long way towards making sure that once you're simply too busy to train new employees, there'll be a guidebook they can follow to help you get the most out of hiring them.

So enough about why you need to be writing SOPs before you actually think you need to have them. How exactly does SharePoint fit in with helping you define your business process?

Unstructured Notes

The first step is having a ready-to-share platform for writing things down as you think of them. At this stage, your ideas may not even be fully formed, so getting things on record quickly without interrupting your other work is essential.

For the unstructured piles of stuff I tend to generate at this stage, I use OneNote. OneNote is great because I never have to remember to hit Save, and it makes it relatively easy to record the web site where I found whatever helpful bit of information I might be working with. It has lots of features that are helpful in taking down information quickly.

Okay, but you don't actually need SharePoint to use OneNote. It's part of Office and you could simply save your Notebook files to your laptop, or if you're really cloud savvy you can put them into OneDrive.

SharePoint sites include something called a Site Notebook. Site Notebooks are simply OneNote Notebooks that are already saved to a SharePoint library, set up for sharing with team members, and web accessible. If you start with a Site Notebook rather than creating a new Notebook some other way, then no extra steps are needed to start sharing the notes you take there.

Say that all you do when you start your business is create one SharePoint Team Site for each hat you have to wear - accounting, marketing, sales, management, and operations. Then, open the Site Notebook for each site in OneNote so you have a central place to start taking notes. When the time comes that you're ready to bring on some outside help, just share access to the appropriate Team Site, and they'll have your notes too.

By the way, there's a nice thing about sharing Notebooks this way. Two people can edit the notes at the same time and see one another's changes in real time.

Structured Documentation

Suppose you get to the point where you want to formalize your notes a bit further into something your assistant can use to help you perform some business tasks that come up fairly often. There are a couple things you can do in SharePoint that might be a better choice than using OneNote.

The first option is to create a Wiki Library. Wikis are web sites where you can quickly post and edit information directly on the web page. For example, this can be useful for creating and updating a company FAQ, employee policy handbook, etc. It's a bit easier to lock down a Wiki so that only certain people can make changes but everyone can read it. Wikis have the advantage that you have more control over how you structure the pages and navigation between them, and that users will not need any special knowledge beyond how to get to the web page using a browser. Wiki pages also show up as individual entries in search results (see Finding Things Faster) rather than one search result for an entire Notebook.

The other option for structured information is to copy your notes into Word documents. For example, if you wanted to create an Employee Handbook this might be the way to go. Personally, I find that if a process has a lot of diagrams, pictures, or screen shots, then creating the Word document is a lot easier than the work involved with uploading all those images to a Picture Library in SharePoint so they can be used on a Wiki. It's also easier to create a PDF from a Word document than a Wiki or Notebook, so if your process is something you'll have to share with people who don't have either Office or access to your SharePoint site, you might want that option. Word documents also show up in search as one result per document.

Defining a Process

When I talk about defining a business process, a lot of people will immediately jump to thinking about workflows. Workflows in SharePoint provide a way to marshal a process through several steps, with notifications for people when their step comes up.

Let me just get this out front; developing a workflow is not necessarily a great idea. There are several reasons. Firstly, workflows add overhead to a process. In addition to completing the task, you often have to report to the workflow that the task has been completed. Second, workflows define a process rather rigidly. This becomes a problem if your process changes fairly often - or worse yet maybe you don't even have the process fully defined. These issues are most obvious when you're a single person operation and need to track your own work.

SharePoint does provide some ways to improve your processes without forcing yourself into taking on a cumbersome system to track every step of what you do.

For example, Task Lists are a great way to plan a project and keep tabs on the steps involved so that you don't lose track of your progress. Over the years we've built a number of SharePoint add-ons to Tasks that let you do things like copy a set of template tasks to a new Task List, manage multiple projects within a single Task List, and more.

Microsoft recently released a tool called Planner that comes with some Office 365 subscriptions. We really like Planner! It shows a lot of potential, and in many ways it is easier to use than the SharePoint Task List. We wonder what Microsoft's plan for SharePoint Tasks will be in the long term, now that there are two different ways to accomplish essentially the same thing. Even so, Planner is a new product with several caveats and limitations that make it less amazing than we'd like it to be. For the moment, there are still times when choosing SharePoint Tasks instead is a valid option.

Screenshot of Microsoft Planner in Office 365

Beyond Task Lists, there are other ways to use SharePoint to structure your processes. Many people do not know that you can create a custom List in SharePoint very easily. These Lists can hold any kind of information you can imagine. For example, you could record a list of product prices, or a series of trade show events that are important to your business. You can even build a customer relationship management database using SharePoint.

Next Time in Part II

I'll post again soon about the next three tips, which are primarily about how you present your tiny rowboat of a company when you're working with all the tugs, oil tankers, and cruise liners of the world.

  • Tip #4: Look Bigger Than You Are
  • Tip #5: Share Documents, Securely
  • Tip #6: Structure Customer Service and Interactions

I hope you'll join us. Please consider subscribing to the blog to get notification for the next part and other content that might be of interest to you.

As always, if you use SharePoint or you're considering Office 365 for your one-person operation or army of employees, please don't hesitate to contact me, or visit us at http://www.liquid-hg.com/cloud to learn more about what we offer and how we can help you.

We're baaaaack!

Here's Johnny!!

Okay, so it took us a bit longer than I would've liked to get the new blog set up, but now it's done and it seems to be working fine. For now, if you're looking for old blog posts, you can visit http://blog.liquidmercurysolutions.com to get those; they will be migrated over to this platform over time. Soon, we'll be posting new articles here for everyone's enjoyment!

Something New is Springing Up at Liquid Mercury

Today’s technology marketplace is constantly changing. Larger IT departments are working with smaller budgets, and in-the-cloud capabilities are bringing abilities to smaller businesses that they’ve never had before. Disruptive technologies have everyone feeling a little bit irritable, and somebody keeps moving their cheese. The overall result is strong down-market pressure on the entire market.

Many companies tell us that they’re now working actively to reduce their recurring monthly costs for cloud based solutions such as PaaS, SaaS, and hosting. As such, they’re seeking to return to the earth with solutions that – while they may represent a larger investment in the short term – allow them to control the terms under which they incur costs for initiatives such as upgrades, maintenance, and support.

In short, our clients are reporting that cloud based solutions simply provide too much functionality for their money; they want to do less with less.

Liquid Mercury Solutions is constantly striving to stay ahead of these emerging business trends. In response to overwhelming requests from you the customer (usually made in the form of late or non-payment) we’ve made an important decision to diversify our offerings.

Announcing Liquid Mercury Farms, a new venture devoted to getting our head out of the cloud.

“I thought you were talking about server farms.”
– LMS founder and CEO Thomas Carpe seen with Attila (left) and Seth (right)
As an alternative to moving to the cloud, Liquid Mercury Farms offers a broad array of ground-based solutions for “subsistence IT”. For example, our premier line of Liquid Mercury Eggs* is Grade A extra-large. They’re an excellent source of protein, delicious with toast, and the perfect add-on once you’ve uploaded bacon into SharePoint.

Our farm is also highly secured, with all equipment stored behind electrified barbed-wire fencing. Production servers are kept in locked cages, and all gates require two-tractor authentication.

The farm is fault tolerant, offering five nines of capacity – that’s almost 4 dozen eggs a day. Farm infrastructure has been fully optimized for production layers. Also, our cluck-through ratio is off the chart. 

Best of all, our support staff work for chicken feed.

To make licensing Liquid Mercury Farms’ products as pain-free as possible, we’re now accepting sacks of potatoes and fresh dairy in addition to our usual methods of payment. So, at the risk of beating a dead horse, why not give us a call and save a few bucks?

*Please note that Liquid Mercury Eggs contain no actual mercury. Happy April 1st!

Limited Time Offer: Save 5% on Office 365

Okay, we have a whole series about Office 365 coming to the blog soon, but this news just couldn't wait! Eligible Office 365 Subscription Advisor customers will get 5% off your subscription for 3 months when you switch subscription plans to Liquid Mercury Solutions.

Plus that's not all! All our new Office 365 / Azure customers receive a complimentary Subscription Review ($600 value). Plus, customers with at least 50 seats qualify for free regularly scheduled Office 365 and SharePoint Strategy Sessions, worth up to $3,600 annually in valuable consulting and advice that helps you get the most out of your investment in Microsoft products. (The length and frequency of sessions varies based on number of users and plans, so ask us for details.)

Best of all, the price of Office 365 won't change at all. That's "money for nothing"!

Okay, what's an "eligible customer"? A Subscription Advisor (SA) license is one where you have Office 365 and pay Microsoft for it on a monthly basis; that means you didn't pre-purchase annually through Microsoft Open. To be eligible, you must have SA licenses for Business or Enterprise plans. Sorry, but Personal, Government, Education, and Charity plans don't qualify for this discount. This promotion is for new customers only, so if LMS is currently your Partner of Record we have other goodies we can tell you about instead.

If you are renewing your existing annual subscription in December that's great. This will be really easy. If you don't renew this month, that's OK. We'll help you submit the necessary request to Office 365 billing support to cancel the annual SA subscription. Microsoft says this is OK by them and that they've provided an option in the ticket request for switching to the new pricing model. (Don't cancel your current plan if you pre-paid for the entire year, because this isn't refundable. However, we can still grandfather you in at the end of your contract year.)

Sound complicated? Not really. Most Office 365 customers fit this description.

We'll even make it easy and help you figure this out. Click here to add us as a delegated admin to your Office 365 account and we'll check things out and let you know if you qualify for these discounts and incentives. If you aren't sure, you can contact us by email at sales@liquidmercurysolutions.com or call 410-633-5959 and we'll help you find out what we can do for you.

Seasons greetings from all your friends at Liquid Mercury!

Outrageous Claims: SP Claims and Auth Will Lag Behind the Industry

Principal Architect Thomas Carpe shares his thoughts and opinions on the state of the art in SharePoint security, including predictions about things to come. This blog post is part of a continuing series leading up to and following the official launch of Liquid Mercury Solutions' new product Beowulf Identity Server.

Okay, this isn't really fair, since it's really more a case of predicting the present.


To be honest, I was completely caught off guard back in 2013 when the new version of SharePoint was released into the wild without even mediocre support for basic things like FederationMetadata.xml, token encryption, or a half-decent people picker for claims. I'd previously assumed that developing anything in this area was a lost cause, since Microsoft could easily catch up, and whatever they implemented would inevitably become the standard.

Seems that I was mistaken about where they'd put their energy, and this got me thinking about why SharePoint, which was among the first Microsoft products to fully embrace the claims authentication model, would be so slow to mature.

First thing that comes to mind is that SharePoint really suffers from early adopter syndrome. Back in 2010 when claims authentication was still pretty new, SharePoint was one of the first to implement its own Secure Token Service. Unlike other web applications that can be easily adapted to use an external claims service, this STS still serves as the backbone of SharePoint security to this day, even when external providers are in the mix. At that time it was built with a still-beta version of Windows Identity Framework. Likewise, when 2013 was developed, it's also true that it was one of the first MS products built on .NET 4.5. However, at that time WIF still hadn't been fully integrated into the .NET framework - though parts of it had.

Lately I've been doing a lot of digging around in SharePoint's STS using Reflector, and I can see that a lot of design choices were made here without interoperability or extensibility in mind.

Just as one example, let's take the relationship between SPTrustedLoginProvider and the STS itself. Leaving aside the unusual naming convention (sometimes it's a trusted identity token issuer and other times it's called a login provider), it's interesting to note that much of the information actually needed to federate with another provider isn't actually part of this object, but has to be read from the STS itself. Compare this design with ADFS, which also serves as a kind of STS but has the structure for Relying Party configuration, wherein practically everything that you need to form a relationship between ADFS and another server is stored in one location.

Additionally, a lot of critical functionality here is internal and sealed. While I have never been shy about using reflection to invoke critical methods where needed, this is going to make life difficult for anyone who wants to develop capabilities that require these functions. Just from a support perspective alone, it means that you can't count on Microsoft not to change these functions later on - though from the look of things most of this stuff has not changed much in the past few years. IMHO, MS would do well to open up some of these classes and methods, since sealing them doesn't really provide much in the way of code security anyway. Until they do, it will always be a race to make sure that any patch they release doesn't radically change things.

Finally, the last reason that I think MS will continue to lag behind others in terms of supporting claims in SharePoint comes down to one simple thing. Microsoft's SharePoint strategy is cloud-first, and the fact is that what federation they needed to support SharePoint Online access via WAAD and externally shared MS accounts has already been implemented. Plus, they have their roadmap in place for SSO using ADFS. So, in essence, they have no impetus to make major improvements to the way this is being done. Sure, there'll continue to be improvements in the API for apps, client side code, etc. But don't expect future versions of SharePoint to be oriented around major usability enhancements for authentication - at least until there's something in it for Microsoft.

This op-ed piece is by no means the end of the story. What experiences have you had with configuring SharePoint security and do you agree with me or disagree that a lot of ground will continue to be left uncovered? Leave your opinion in the comments.

Outrageous Claims: SP Advanced Security Config Will Get Easier

Principal Architect Thomas Carpe shares his thoughts and opinions on the state of the art in SharePoint security, including predictions about things to come. This blog post is part of a continuing series leading up to and following the official launch of Liquid Mercury Solutions' new product Beowulf Identity Server.

I feel a bit like Thomas Veil from Nowhere Man when I find myself saying "I know they will. They have to." I guess what I'm really trying to say here is that implementing security configurations for SharePoint is still too difficult.

Take for example that blog from Wictor Wilen on setting up SharePoint 2013 with Thinktecture Identity Server. This is a great article, but it's typical of a configuration between two identity products in that there are a ton of settings to consider and some of it can only be done through the use of complicated PowerShell commands. 

Likewise, our own product Beowulf Identity Server has faced similar challenges in early deployments. The product is great, however there are still reams of documentation on how to set it up. Don't get me wrong; I'm all for having complete documentation. Still, you know you're in for a time when one of the first things you need to tell folks is the laundry list of skills they're likely to need to configure your product. 

So when I say that advanced SharePoint security will get simpler, understand where we're starting from is truly very complicated. As the demand for more security focused installations grows, those companies that thrive in this space will need to find creative ways to do more with the resources they have on hand in what is already a pretty tight labor market for a niche skill set. From where I sit, this means making the product easier to install and configure, whether that means creating an MSI package, PowerShell administration commands, a setup wizard, or all of the above. 

Further, since some of this complexity comes from the SharePoint side of things, and Microsoft isn't really going to make that easier, the community and vendors will have to pick up the slack. (see Improvements to SharePoint Claims Authentication and Security Will Lag Behind the Industry for reasons why.) 

Wizards and installers can give you a basic set of options that will work for most customers with typical needs, but they can't tell you what is the best practice in your particular circumstance. It's important to remember that wherever you find a security wizard, you'll probably find a security loophole there too. Let's just hope that people will do the right thing and not rely on self-signed certificates and other default settings. However, I would not bet the SharePoint farm on this being the case. 

At the end of the day, IT security itself isn't going to get any easier. I think we'll see security solutions and products that will offer a basic set of turn-key options. Anything advanced or unique to your organization will be left for experts to figure out.

 

Outrageous Claims: Where Office 365 Leads, SharePoint Will Follow

Principal Architect Thomas Carpe shares his thoughts and opinions on the state of the art in SharePoint security, including predictions about things to come. This blog post is part of a continuing series leading up to and following the official launch of Liquid Mercury Solutions' new product Beowulf Identity Server.

 

 

Well, okay maybe that's not such an outrageous claim, since that's been Microsoft's strategy all along, right? What I mean here is that most improvements to SharePoint security have been coming out of changes driven by Office 365.  

So, for example, in 2013 we now have application and server based trust through OAuth type authentication. These are new; in 2010 land we could federate two farms through the mutual exchange of certificates, but there wasn't a really good story to tell around authorizing an individual application.

For folks who run on-premises environments, this means that there will be systems that have to be stood up and maintained alongside SharePoint that didn't exist before. For instance, admins now have to consider whether they will configure the app host services along with the rest of the basic SharePoint feature set. Or, will you do traditional Windows authentication or use a trusted login provider instead?

Living in a cloud first world also means that security measures we sometimes take for granted in Office 365 - like multi-factor authentication - aren't readily available to us in an on-premises farm. Yes, you could circumvent this by making your sites authenticate against ADFS 3.0 or WAAD/Azure ACS, but doing so is a complex exercise. If you're going to go that far, you'll have some very important decisions you'll want to make about what software package to use and how much you want to rely on either cloud-based or on-prem technology to manage something so important. Always keep in mind that if the authentication provider isn't available for any reason, nobody will be using SharePoint.

What we see happening in the industry now is that more and more products are switching from traditional Windows based authentication to claims based authentication. This change is no doubt fueled by the need to integrate in some respect with cloud platforms like Office 365. However, in the rush to support any possible type of authentication scenario, those same products are making trade-offs against single-sign-on.

Take SharePoint Online for example, where providing a Windows-based SSO experience to the user requires running an IIS site specifically to redirect the user from a vanity URL to an Office 365 / ADFS sign-on page where the user's domain is already known. This trick lets us just ask for the user's Windows account and make the trip back to SharePoint without a login form, but this is something of a hack.

Another example comes from a third party product that supports many types of claims authentication including Windows, WAAD, and Office 365. Though the product is quite flexible, customers see issues with having to provide a forms based login when browsing between SharePoint sites and the product's web pages. Configuring things so that they are seamless from an authentication perspective takes significant work.

What we hope to see in the near future are improvements to the way these systems work together, both online and behind the company firewall, so that there's a better sign-on experience overall for the user. Seems like just a few years ago people were saying that federated authentication would mean not having to remember so many credentials, but there seem to be more systems today than there were at that time. Certainly, this is one of the reasons why we built Beowulf, and we hope that Microsoft and other vendors will continue to open up new possibilities in this area too.

SharePoint For Mere Mortals: What Can Be Done In SharePoint 101

SharePoint can do a lot of things, and because of that it is hard to accurately describe it to people without using a lot of technical jargon. However, let us start with something simple that everyone is familiar with and expand from there to try and get people to understand what you can do with SharePoint. Let us look at an invite list.

 

Invite lists can be for anything, but moving forward our example will be an invite list for a wedding. First, think about all the people who would need to see it: you first and foremost, your significant other, maybe your parents, maybe their parents, maybe your wedding coordinator, and so on and so on. SharePoint would be able to store that list so that everyone would be able to see the most up-to-date one and there would not be a need to combine "this list" with "that list," or compare two lists to see which one is newer. There is only one list stored in one location and whoever has permission can go and look at it.

But there is more. How about adding and taking people off the list? Well, you certainly would not want the caterers to be able to add and take off people, but you may want to let them be able to see it. In SharePoint you can do that sort of thing with "permissions settings." You can determine who is able to view the list, who can edit the list and who can add and take away people's ability to do those things. Basically, do you want to give your soon-to-be mother-in-law the ability to give her friend the permission to edit your invite list? How about the ability to take away your ability to view and edit the list?

So now you have your list and the contents are constantly (or sparingly) being adjusted to show the most up-to-date information. There is more we can do with this. In this list we can store each invitee's address, whether or not they are coming, their meal choice and who they are related to. This sort of data is called "meta data." Essentially it is data about data. This can be helpful in terms of sorting or information gathering. With a few simple commands in SharePoint you can have a quick count of how many people are coming who are vegetarian or want the steak dinner. You can find out which side of the family has more people coming or you can find out how many people are coming who buy "the good gifts." The limit is set by you and what kind of meta-data you would find useful.

 

So that is just a little taste of something very simple that SharePoint can do. SharePoint can also automatically send out reminder e-mails based upon your credentials, build a webpage for your wedding, save all the wedding pictures from every guest afterwards, display maps, give out directions, all sorts of details that are involved with weddings or businesses. But this is just a simple introduction for now. We can expand on this at a later date.

Shut the Front Door! Newly Released Beowulf Identity Server Puts Better Locks on Internet Facing SharePoint Web Sites

BALTIMORE, MD, July 18, 2015 - Liquid Mercury Solutions is proud to announce the official public launch of our groundbreaking security platform Beowulf Identity Server.  

According to LMS Principal Architect Thomas Carpe, "The first step to a secure SharePoint farm is not leaving your front door hanging wide open for just anyone to simply walk in. To that end, Beowulf locks SharePoint's login and puts a two-factor deadbolt on it." 

While Beowulf isn't limited to just SharePoint sites, it offers unique features that greatly enhance the way users sign-in to SharePoint, beyond providing two-factor authentication. For example, Beowulf can convert claims-based users into Windows accounts, preserving the native SharePoint user experience while providing added protection against security risks associated with making it Internet accessible. 


Department of Energy's Office of Project Management Oversight and Assessment (formerly APM) was the first customer to implement Beowulf in order to provide Multi-factor authentication for the PARSIIe web site based on SharePoint. This was a joint effort in cooperation with DOE's contractor ActioNet and CipherPoint who provided a SharePoint document and content encryption solution. Our implementation was submitted for Assessment & Authorization review on July 1st, with release to production targeted by the end of the federal government's fiscal year. 

Marc Cree of ActioNet affirms that Beowulf meets Department of Energy's rigorous security requirements, while providing an intuitive and user friendly interface. He further noted that "Liquid Mercury worked with us to ensure that all security requirements were met and that the added layer of multi-factor authentication would seamlessly integrate not only with our application, but end-user expectations." 

About Liquid Mercury Solutions

Liquid Mercury Solutions is a Microsoft partner with gold competency in SharePoint and Office 365, founded in 2009 and headquartered in Baltimore, Maryland. LMS serves customers throughout the US, Canada, and the Caribbean. To learn more, visit www.liquidmercurysolutions.com. For more information about Beowulf, visit http://www.liquid-hg.com/apps/beowulf, contact Liquid Mercury Solutions by email at beowulf@liquidmercurysolutions.com, or call 410-633-5959.

 

Take Care When Deleting Users in Office 365

Today's blog post will be a quick one. Over the past few months, we've had several help requests from Office 365 customers, and I want to make sure that we get this information out there to the public. I am sure these issues are probably happening for folks all over the place.

Microsoft does not make it plainly obvious what will happen when a user's account is decommissioned. There are several ways to do this, so before you delete a user, please consider the following alternatives.

Changing the user's password and/or denying their ability to log in is certainly the easiest way to make sure that they can no longer access their account. Certainly, Active Directory admins will tell you this is standard practice in on-premises Windows networks.

Why? Because you just never really know what that user has access to that might be needed after they are gone.

Also, suppose the user is laid off today and re-hired in a few months; AD accounts have weird behavior when it comes to re-creating an account later on that has the same user name but a different SID. This can also be true in Office 365, which uses Windows Azure AD in the background to authenticate users.

So, the best policy for your sanity is don't delete users.

But, what about the license that user is consuming? Wouldn't it be best to unassign it so that you can stop paying for that extra E3 plan you no longer need?

Stop right there. Think about what you are doing for a moment. Firstly, you're committed to have that license for a full year term, so there is certainly no rush. When you take away the user's license, it means their e-mail box is going to be de-provisioned exactly as if they had been deleted.

Our experience is that the user's email is the most likely thing that other people in the company are going to want/need access to after they are gone, so consider carefully if it can be safely deleted. A good alternative is to lock the user out, then delegate the mailbox to someone else and have them move the user's mail into a subfolder of their own mailbox. Don't forget to grab sent mail as well as received mail.

If you don't like the idea of filling up your mailbox, you can move the mail into a new Shared Mailbox which doesn't consume a license, or download it to a PST instead. Once you have all the mail backed up and you go ahead and delete the user's account permanently, don't forget to put an alias on some other mailbox so that incoming mail for the user will be redirected to their supervisor or whatever you want to do with it.

Fortunately, Microsoft will hold the e-mail account in limbo for 30 days. So, if you have accidentally taken away the Exchange license you can add it back again. There is a risk that the mailbox might get permanently deleted during this limbo period, so if you're reading this now and are in this situation, stop reading our blog and go re-license the user immediately!

Okay, so that covers what happens when you remove the Exchange Online subscription from the user. If you deleted the user, things are a bit different. The user goes to the users and groups recycle bin and lives there for 30 days. You can safely undelete the user and everything will come back, but again there is a risk that the e-mail account would be permanently deleted at some point and Microsoft hasn't been 100% clear on what conditions increase that risk.

While your user is in the Deleted Users bin, it's kind of like that one episode of classic Star Trek where the villain turns the crew of the Enterprise into styrofoam dodecahedrons. (I suppose you ST-TNG fans might be more familiar with Q's "penalty box", but either metaphor works well if you ignore the fact that in Office 365 you can put everyone in the penalty box all at once.) Anyway, someone might come along and crush your users into powder using PowerShell, and if that happens you will never be able to rehydrate them again. No backup to restore from, nada, zilch, zippers, nuthin.

So, be careful how and when you delete, unlicense, or deprovision users. Hopefully you can avoid getting fired by someone who will come along and disable your Office 365 login. ;-)

AgilePoint Announces Office 365 and Forms Capabilities at SPC14

Well, it's that time of year again where all the SharePoint product companies trot out to Las Vegas to strut their stuff.

Today, we have a big announcement from the SPC 2014 Keynote Sponsor, AgilePoint.

AgilePoint - SharePoint Conference New Product Highlights

In this release, there are two things I noticed right away that we've been eagerly awaiting for a long time. 1) AgilePoint support for Office 365 not just as something that can be manipulated by workflow, but in a fully integrated fashion similar to Nintex workflow. 2) An alternative to InfoPath forms that emphasizes responsive web design.

As readers of our blog will know, we're quite fond of AgilePoint's product. One of the difficulties we face in working with it, however, is that it didn't really play well with customers working in Office 365. We're happy to see now that is a possibility, and we'll be putting together some demonstrations in the next few weeks, as we definitely want to be able to take this out for a test drive and see what's possible.

CloudPrep 2014 Development Update

I wanted to take a few minutes today to talk about what we've been doing since late January in regards to CloudPrep and the PowerShell commands for file migration and management of SharePoint Online.

First thing I can say is that one of our most difficult choices was in choosing an e-commerce platform and licensing API to use for our product. Even though we plan to keep our licensing fairly simple, we wanted to have options for future products as well as many of the items we also sell through our partners.

This turned out to be more challenging than I imagined, but we have settled down on using Fast Spring and LogicNP Crypto License. Perhaps in some future post I will talk about those more from a software developer's perspective. What I can say today is that it will be at least a couple weeks before we can get a working prototype of the licensing server and the store online, and so we have had to push back release closer to the end of March or early April, mostly for that reason.

Meanwhile, we have been developing features for the different editions of CloudPrep 2014. Progress on that front continues at a rapid pace and I am pretty satisfied with the way our tools are maturing.

When we decided to produce this software, we planned to release the lite and standard editions first and follow up with premium and professional features later this spring. I was a bit surprised to see that where we are putting our development efforts, probably all four editions of CloudPrep will be available at one time.

Now for the geeky stuff. Here's some of what's been happening as we've been building.

Features we've essentially completed:

  • Upload an entire folder or specific set of files to document library
    We've tested that these commands will work against network drives and UNC paths. Take that, OneDrive!
  • Preserve metadata about the local file system that the document was uploaded from
  • Create and Modified dates on files are preserved, though we did find that with larger files there are limits to what we can accomplish here
  • You can specify the content type for uploaded files, root folders, and sub-folders - including Document Set and its child content types
  • A bunch of other random stuff including commands for manipulating SharePoint lists and reports to make sure that file uploads won't exceed SharePoint limits


We noticed that Office 365 throws us a lot of connectivity errors that we don't normally see in on-premises SharePoint environments. If you've been trying to copy files using their standard UI or using OneDrive, some of these errors might be hidden from you. However, they're readily apparent if you're using Web Folders (WebDAV) or Client Side Object Model to connect. We see unexpected dropped connections quite often, and certain upload methods will time out on files that are too big, which required some fun workarounds. There are different methods needed for files under 2MB, under 35MB, and larger.

Our path was also complicated by the fact that on certain Office 365 sites, our rights come from delegated admin privileges. This is the preferred way that consultants get their rights to help clients manage SharePoint Online, so we figure a lot of folks who are interested in CloudPrep are seeing this phenomenon as well. When you log in with delegated admin to a client's Office 365 site using the credentials from your own Office 365 account, you sometimes see the access denied page; log in again a few seconds later, and everything is fine. Our code had to expect and handle this contingency.

Another thing that we did not expect is that we're seeing some reasonable evidence that Office 365 uploads are being throttled. Most of the time, file transfers seem to be limited to about 300KB/sec; there are days when the transfer speed is even slower than that, sometimes by half. As such, it is difficult for us to estimate file upload times, and we're having to improve our algorithms to take these fluctuations and sea changes into account.

As for the cause, we can't say if this is something Microsoft is doing, or if it comes from the erosion of net neutrality. We do wonder if Comcast or other providers may be limiting traffic to Office 365 in order to give their own offerings a competitive advantage or just to control their own costs. I expect we'll be doing some tests in the near future, and we've been kicking around some ways to circumvent these bandwidth caps - at least partially. One test we did in January showed that if we took half our files to a different physical location, we were able to upload them to SharePoint Online in about half the time it would have taken if we'd uploaded them all from one server.

One thing that became clear during early development was that the disconnected nature of cloud storage was going to introduce multiple random problems along the way. As a result, in any large set of documents to be moved to the cloud, there would be some which for one reason or another may not be successfully copied. We started by trying to get this failure rate as low as possible, down to less than 0.25% of files in most cases. We did a lot of work in early February to improve the code and reach this threshold.

Even so, we needed to be able to easily run multiple passes on any file copy operation and track the results. Our first prototypes had to crawl the Document Library in SharePoint one folder and file at a time. This proved to be incredibly slow, and it quickly became apparent that we needed to be able to gather status information for thousands of files at a time if we wanted to hone in on only those which required an update from the local copy. This is something we added to the code base about a week ago, and we're now in the process of replacing some of our early code to use the new file comparison analytics logic.

As a side note, a bevy of SharePoint management features found their way into our PowerShell library simply because we had customers who needed them in short order. For example, we now have the ability to take a View from any SharePoint List and make a copy of it in the same List or a different one even on another SharePoint Site. Of course, one must be very careful with this kind of power, since creating Views with field references that don't exist in the List will certainly break the View if not the entire List itself. When we've added sufficient safety checks, we'll open the capability up as part of the CloudPrep product.

This week, we introduced the concept of using a hash algorithm to test whether files in SharePoint match those on our local drive. Use of a hash in addition to checking the file size and date stamps of a document ensures that the document has been uploaded into SharePoint and that it has not been corrupted in the process. We developed this ability in order to add credibility to Office 365 migrations where we may be moving hundreds of thousands or even millions of files, and we need to establish that the migration process has been completed satisfactorily. This capability can also be used to perform duplicate file detection, and we may develop a follow on product or feature to do just that later on.
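One way to implement the size-plus-hash check described above, as an added example rather than CloudPrep's own code. It assumes the uploaded library has been downloaded (or synced) to a second folder for comparison, checks size and SHA-256 only (not date stamps), and also groups duplicates by hash; the function names and sample files are hypothetical and constructed for the demonstration.

```powershell
# Added example: verify a file migration by size and SHA-256 hash.
# Function names and sample data are hypothetical, constructed for this demo.

function Get-FileManifest {
    # Map each file's relative path to its size and hash for everything under $Root.
    param([string]$Root)

    $rootPath = (Resolve-Path -LiteralPath $Root).Path.TrimEnd('\', '/')
    $manifest = @{}   # default hashtable keys are case-insensitive
    Get-ChildItem -LiteralPath $rootPath -Recurse -File | ForEach-Object {
        $relative = $_.FullName.Substring($rootPath.Length + 1) -replace '\\', '/'
        $manifest[$relative] = [pscustomobject]@{
            Path   = $relative
            Length = $_.Length
            Hash   = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
        }
    }
    return $manifest
}

function Compare-FileManifest {
    # Classify every source file against the target manifest.
    # Size is checked first because it is cheap; the hash catches
    # same-size corruption that a size check alone would miss.
    param([hashtable]$Source, [hashtable]$Target)

    foreach ($path in ($Source.Keys | Sort-Object)) {
        $src = $Source[$path]
        $status = if (-not $Target.ContainsKey($path)) { 'Missing' }
                  elseif ($Target[$path].Length -ne $src.Length) { 'SizeMismatch' }
                  elseif ($Target[$path].Hash -ne $src.Hash) { 'HashMismatch' }
                  else { 'Verified' }
        [pscustomobject]@{ Path = $path; Status = $status }
    }
}

function Find-DuplicateFile {
    # Files sharing a hash have identical content, whatever their names.
    param([hashtable]$Manifest)

    $Manifest.Values | Group-Object -Property Hash |
        Where-Object { $_.Count -gt 1 } |
        ForEach-Object {
            [pscustomobject]@{ Hash = $_.Name; Paths = @($_.Group.Path | Sort-Object) }
        }
}

# --- Constructed sample data: a "local" source and a "remote" downloaded copy ---
$work   = Join-Path ([System.IO.Path]::GetTempPath()) ("migration-demo-" + [guid]::NewGuid())
$local  = Join-Path $work 'local'
$remote = Join-Path $work 'remote'
New-Item -ItemType Directory -Path (Join-Path $local 'reports') -Force | Out-Null
Set-Content -LiteralPath (Join-Path $local 'budget.txt') -Value 'Q1 budget draft'
Set-Content -LiteralPath (Join-Path $local 'notes.txt') -Value 'meeting notes'
Set-Content -LiteralPath (Join-Path $local 'reports/summary.txt') -Value 'summary v1'
Set-Content -LiteralPath (Join-Path $local 'reports/summary-copy.txt') -Value 'summary v1'
Copy-Item -LiteralPath $local -Destination $remote -Recurse

# Simulate three migration failures in the copy:
Remove-Item -LiteralPath (Join-Path $remote 'notes.txt')                               # never uploaded
Set-Content -LiteralPath (Join-Path $remote 'budget.txt') -Value 'Q1 budget drafT'     # same size, corrupted
Set-Content -LiteralPath (Join-Path $remote 'reports/summary.txt') -Value 'summary'    # truncated

$source = Get-FileManifest -Root $local
$target = Get-FileManifest -Root $remote

# Files whose status is not 'Verified' are the ones a second pass must re-upload.
Compare-FileManifest -Source $source -Target $target | Format-Table -AutoSize
Find-DuplicateFile -Manifest $source | Format-Table -AutoSize

Remove-Item -LiteralPath $work -Recurse -Force
```

Filtering the comparison output to anything other than `Verified` gives the retry list for the next pass, which is what makes multiple passes over a large migration practical.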

Next week, we're planning to work on some important features that we feel are a must for getting this product to where we want it to be.

The first is to make sure that we can translate between Active Directory permissions on the local file system and users in SharePoint. The primary purpose here is to preserve meaningful data for Created By and Modified By fields in SharePoint; this is something we can't do yet. As part of this process, we'll be introducing PowerShell commands to add new users into SharePoint sites and manage groups. For most customers, this is probably of limited use. However, those with several hundred users or groups to manage will find it much easier to deal with these via PowerShell instead of using the SharePoint admin web pages. For consultants, it will make migrations faster by speeding up the time it takes to implement the security configuration. Our goal here is to lower the cost of our migration services.

The next things we do after that will be:

  • Download documents from SharePoint to the local drive
  • Assign metadata from CSV file as you upload documents
  • Flatten a folder structure as you upload it.


These are harder to do than you might think. I'll post more on this in coming weeks, including our challenges and progress updates.

Announcing CloudPrep 2014 Migration Toolkit for SharePoint Online

We do a lot of Office 365 migrations. Most of these are for businesses with fewer than 50 employees. This should surprise nobody except maybe Microsoft, who seemed to be slow to realize that their cloud platform would have the most appeal to companies with limited budgets – or that most jobs in the US are provided by small businesses. Go figure.

Over the years, I’ve written several times about the challenges of moving from a conventional file store to Office 365. Fact is, it’s just not simple to do. It really makes sense to have an experienced IT professional help you make the move. I like helping customers make the switch, but doing so has presented interesting challenges for my business that I’m sure other SharePoint consultants share too.

Firstly, there are great third party tools out there for migrating files. We often use ShareGate and Content Matrix from MetaLogix. MetaVis is another great company that has great tools with lots of features. Fact is that even though these tools are great, they are also quite expensive. They’re feature rich, so really knowing the tool is a skillset of its own – and it makes good IT people hard to find when I need them to do a job. We also run up against serious limitations when trying to use these tools; sometimes we cannot find a way to use the tools to migrate the files in exactly the way we want to.

Second, some of my clients already have a part-time IT person or managed services company that helps them service their PCs and on premises servers. Traditionally, we’re a SharePoint consultancy and we never set out to try and replace other IT folks; they need work too. They have the relationship with my customer, and the local presence needed for that on-site work. Over the years, I’ve seen that customers prefer to have their own local IT provider for most small requests. We needed to find a way to coexist with these other businesses in a way that would benefit us both.

Back in 2012, at the behest of a marketing consultant (who gave me lots of advice that was either bad or I couldn’t follow it at the time) I created a small tool called CloudPrep. This tool wasn’t much; I never had much confidence in it and so I never really promoted it. But, it did the work of renaming files that SharePoint didn’t like, and combined with WebDAV it was enough to make getting 20 to 50 GB of customer files into the cloud in a few days’ time. I released it into the wild, and CloudPrep has been getting downloaded a few times a week – mostly by other Office 365 consultants to my chagrin. Lesson learned and another checkmark for finding a way to compete with other IT providers; there are more of you than there are of me!

One problem I’ve noticed is that Office 365 migration budgets are small – I mean really tiny! That’s weird when you consider that for a 25 person company the ROI could be hundreds of thousands of bucks. But, we have been in an economic slump for something like 5 years now. I guess that takes its toll; even if you knew it would make you a thousand dollars next month, you can’t spend $100 today unless you have it to spare. Some companies are reluctant to spend even a few thousand to plan and execute.

There are a few tools that are in the “beer money” range. I tried FilesToGo once – and only once. It lacked some features that seem obvious to me, and that made my client extremely angry. It didn’t have a lot of options either; it was one size fits all. I won’t discourage anyone from using it if it meets your needs, but I’m not going to risk my relationship with my clients on it. I am honestly surprised that after all this time, there’s nothing else in its price range.

I guess you could say that I’ve gotten fed up with this situation. Yet another migration we had to do where the current tools on the market couldn’t meet our needs for the client’s budget. That story gets old.

So, the boys in the lab and I finally built our own!

Announcing CloudPrep 2014! Forget everything you ever knew about that crappy tool we made back in 2012, because this is something at a completely new level.

CloudPrep 2014 is not one of those big expensive tools with a fancy GUI. It’s a set of PowerShell cmdlets that work with SharePoint Online and your local file system. These commands and the sample scripts provided with them are designed to empower IT people and make migrating files to and from SharePoint Online a piece of cake.

These tools don’t replace an IT person or their experience. You’ll still need an experienced consultant to tell you how to organize your files, use metadata, overcome or avoid SharePoint Online limitations, and of course actually use the tools. You needed all that before anyway. The difference is that now much of this can be provided by your own experienced IT staff; or if you’re an IT consultant yourself, you can use our tool and make your small-business and small-budget migrations a breeze instead of a quagmire.

Our commands fall into basic categories: planning, preparation, file migration, and SharePoint management. We’re still putting the finishing touches on the product now. We’re hoping to have the Lite and Standard editions released to market sometime in February, with the Premium and Professional versions available as soon as March or April.

In the meantime, please take a look at our feature matrix and proposed pricing structure. There’s still time to collect some feedback. So, if you have a feature you’d like to see that isn’t here, then leave us a comment and let us know. Even if we don’t add a feature by the launch date, we’re planning to add even more features later. We’ll entertain any reasonable suggestion – except charging more for the product.

Like what you see and can’t wait to try it out? Contact us and I’ll give you a 15% discount if you purchase during the early access period.

| Feature | Lite | Standard | Premium | Professional |
|---|---|---|---|---|
| Release Date | Feb | Feb | March | April |
| Proposed Price | Free | $285 | $576 | $1,092 + $300 per tenant > 2 |
| Number of Office 365 Tenants | Unlimited | Unlimited | Unlimited | Unlimited |
| Number of Site Collections | Unlimited | Unlimited | Unlimited | Unlimited |
| Requires PowerShell 2.0 or higher | Yes | Yes | Yes | Yes |
| Requires SharePoint client connectivity | Yes | Yes | Yes | Yes |
| 1 year support and updates (renewable annually) | | Yes | Yes | Yes |
| Supported OS: Windows Server 2008 or 2008 R2 | N/A | Yes | Yes | Yes |
| Supported OS: Windows XP | N/A | | ?? | ?? |
| Supported OS: Windows Server 2003 | N/A | | ?? | ?? |
| Planning and Reporting | | | | |
| Sizes and numbers of items by folder, extension, etc. | Yes | Yes | Yes | Yes |
| Check for potentially illegal file types | | Yes | Yes | Yes |
| Folder and file path length checking | | Yes | Yes | Yes |
| Permissions checking for local files | | | Yes | Yes |
| Target URL length check report | | | Yes | Yes |
| Upload time estimates | | | | Yes |
| File Preparation | | | | |
| File renaming for illegal characters | Yes | Yes | Yes | Yes |
| File renaming for illegal paths (_files, _forms) | Yes | Yes | Yes | Yes |
| Preserve Author and Editor for uploaded files | | Yes | Yes | Yes |
| Check for and automatically ZIP files with illegal extensions (EXEs, etc.) | | | Yes | Yes |
| Check for and automatically ZIP "_files" folders | | Yes | Yes | Yes |
| Migrate and Manage Files | | | | |
| Supports network mapped drives | Yes | Yes | Yes | Yes |
| Supports network UNC paths | Yes | Yes | Yes | Yes |
| Upload entire folder to document library | Yes | Yes | Yes | Yes |
| Upload specific file to document library | | Yes | Yes | Yes |
| Download document library to folder | | Yes | Yes | Yes |
| Download specific file | | Yes | Yes | Yes |
| Warns if source exceeds 5,000 items | | Yes | Yes | Yes |
| Warns if target URL length too long | | Yes | Yes | Yes |
| Specify content type for uploaded documents | | Yes | Yes | Yes |
| Specify content type for top level folder | | | Yes | Yes |
| Specify content type for sub-folders | | | Yes | Yes |
| Support for Document Sets | | | | Yes |
| Flatten folder structure with duplicate filename handling | | | Yes | Yes |
| Flatten folder structure at 1 or more levels deep | | | | Yes |
| Convert folder names to metadata fields | | | Yes | Yes |
| Create Source URL field for uploaded files | | | Yes | Yes |
| Create MD5 hash field for uploaded files | | | | Yes |
| Export metadata to CSV file when downloading files | | | | Yes |
| Synchronize local and cloud files using file modified time | | | Yes | Yes |
| Synchronize local and cloud files using file modified time + MD5 hash | | | | Yes |
| Automation Features | | | | |
| PowerShell cmdlets | Yes | Yes | Yes | Yes |
| Unattended execution | | Yes | Yes | Yes |
| SharePoint Management & Development | | | | |
| Create and edit SharePoint users | | Yes | Yes | Yes |
| Set common properties for lists and document libraries | | Yes | Yes | Yes |
| Create and edit columns in lists and document libraries | | Yes | Yes | Yes |
| Create and edit views in lists and document libraries | | | Yes | Yes |
| Copy a view to the same or a different document library or list and site | | | Yes | Yes |
| Import and export site columns | | | Yes | Yes |
| Import and export content types | | | Yes | Yes |
| Import and export views | | | Yes | Yes |
| Add and remove users and groups, permission sets | | | Yes | Yes |

CloudPrep Lite
This edition is a good fit for small file migration needs and try-before-you-buy. You can use it to do basic reporting on the structure of your files, rename files that are known to cause problems during migration, and upload folder structures to your SharePoint Online document libraries. In most cases it has a 99.7% or better success rate, and it produces a handy report so that your remaining files can be uploaded manually.

CloudPrep Standard
This edition includes a standard set of features designed to help you move files into Office 365 with a minimum amount of difficulty. You can upload and download large file collections without having to stand by the computer, perform multiple upload/download passes, and specify a default content type for files. Run it from anywhere, including various versions of Windows Server. We also include some additional pre-migration reporting tools that help to identify problems before you migrate your files.

CloudPrep Premium
For the seasoned SharePoint admin or IT professional, this edition includes features that will help you get the most out of Office 365 in the cloud. We include even more reports to give you a 360 degree view into any potential file migration issues. The file upload tool includes a variety of features for setting metadata and flattening folder structures.

CloudPrep Professional
This edition enables the true Office 365 IT professional to handle migrations for multiple clients. It has all the features of the Premium Edition plus advanced content type features including support for Document Sets. It also includes the ability to create an MD5 hash field for uploaded files, which helps in detecting duplicate files and in determining whether two files differ even when their date stamps match.
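The MD5 comparison described above, as an added PowerShell example (not CloudPrep code): it flags a file whose content changed while its date stamp stayed the same, and it groups local files with identical content. The function names, the manifest shape (file name mapped to modified time and hash, as it might be read from a hash field on the library) and the sample files are assumptions constructed for illustration.

```powershell
# Added example, not CloudPrep code. Written to run on PowerShell 2.0 and later.
# MD5 catches accidental changes and duplicates; it is not collision resistant, so use
# SHA-256 where a file could have been crafted deliberately to match a hash.

function Get-Md5Hex {
    param([Parameter(Mandatory = $true)][string]$Path)   # pass a full path
    $md5    = [System.Security.Cryptography.MD5]::Create()
    $stream = [System.IO.File]::OpenRead($Path)
    try {
        # Hash the stream so large files are not loaded into memory at once.
        [System.BitConverter]::ToString($md5.ComputeHash($stream)).Replace('-', '').ToLower()
    }
    finally {
        $stream.Close()
        $md5.Clear()
    }
}

function Compare-LocalToManifest {
    param(
        [Parameter(Mandatory = $true)][System.IO.FileInfo[]]$LocalFiles,
        [Parameter(Mandatory = $true)][hashtable]$Manifest   # name -> object with ModifiedUtc and Md5
    )
    foreach ($file in $LocalFiles) {
        $hash   = Get-Md5Hex -Path $file.FullName
        $remote = $Manifest[$file.Name]
        if ($null -eq $remote) {
            $status = 'NotInCloud'
        }
        elseif ($remote.Md5 -eq $hash) {
            $status = 'Identical'
        }
        elseif ($remote.ModifiedUtc -eq $file.LastWriteTimeUtc) {
            # A sync that trusts the modified time alone would skip this file.
            $status = 'ContentDiffersSameTimestamp'
        }
        else {
            $status = 'ContentDiffers'
        }
        New-Object PSObject -Property @{ Name = $file.Name; Md5 = $hash; Status = $status }
    }
}

# --- Constructed sample data so the example runs offline ---
$demo  = Join-Path ([IO.Path]::GetTempPath()) ('md5-demo-' + [guid]::NewGuid())
New-Item -ItemType Directory -Path $demo | Out-Null
$stamp = New-Object DateTime -ArgumentList 2014, 1, 15, 12, 0, 0, ([DateTimeKind]::Utc)

$proposal = Join-Path $demo 'proposal.docx'
Set-Content -Path $proposal -Value 'proposal text, first version'
$cloudProposalMd5 = Get-Md5Hex -Path $proposal            # hash the cloud copy would carry
Set-Content -Path $proposal -Value 'proposal text, second version'

$logo = Join-Path $demo 'logo.png'
Set-Content -Path $logo -Value 'same bytes'
Set-Content -Path (Join-Path $demo 'logo copy.png') -Value 'same bytes'

# Give every local file the same date stamp as the (constructed) cloud copies.
Get-ChildItem -Path $demo | ForEach-Object { $_.LastWriteTimeUtc = $stamp }

$manifest = @{
    'proposal.docx' = (New-Object PSObject -Property @{ ModifiedUtc = $stamp; Md5 = $cloudProposalMd5 })
    'logo.png'      = (New-Object PSObject -Property @{ ModifiedUtc = $stamp; Md5 = (Get-Md5Hex -Path $logo) })
}

$results = @(Compare-LocalToManifest -LocalFiles (Get-ChildItem -Path $demo) -Manifest $manifest)
$results | Format-Table Name, Status, Md5 -AutoSize

# Files that share a hash have the same content, whatever their names.
$results | Group-Object Md5 | Where-Object { $_.Count -gt 1 } | ForEach-Object {
    'Duplicate content: ' + (($_.Group | ForEach-Object { $_.Name }) -join ', ')
}

Remove-Item -Path $demo -Recurse -Force
```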

Lessons from the Field for Migrating to Office 365

Recently, I’ve talked a bit about how companies can save money in lots of places by moving to the cloud with Office 365, and I’ve also described some of the complexities involved in moving large file shares to SharePoint. Today, I’d like to take a few minutes to talk about some of the lessons learned on some of our Office 365 migration projects over the past several months.

Getting Good Information Up Front is A Challenge
As SharePoint developers, we’re used to working with the IT departments of larger organizations (say 500 to 5000 employees) as we develop solutions. However, with Office 365 customers, many times we’re not working directly with IT folks. The customer may have a managed service provider for desktop support, a part-time IT contractor, and some clients do not even have their own IT staff at all.

Needless to say, planning a move to Office 365 requires us to take stock of a great many technical details. It’s not surprising that folks outside of IT might miss the importance of the myriad trivial details involved.

But getting these facts wrong during the early stages can lead to incorrect estimates and costly mistakes down the road. It’s important to get the discovery right.
Here are some things customers should pay careful attention to when gathering information in the pre-project planning phase.

Basic Planning
Make a User Inventory
Know how many users you plan to have. We’re going to need their contact information, including phone and e-mail, because more than likely this information isn’t up to date in Active Directory. From there we can talk about what plans are best for your users.

Make a Workstation and Mobile Inventory
Know how many desktop PCs, laptops, and mobile devices you’ll be configuring. It’s also important to know what kind of mobile devices will be used and how many of each type.

Make a Server Inventory
Know exactly what servers you have, what operating system and version they run on, and exactly what purposes they serve (file shares, print server, domain controller, e-mail, etc.). If you do not know these things, you should consider paying for a 1 to 3 day evaluation to document all of your systems.

What Will You Turn Off After Migration?
Part of calculating the cost is understanding the benefits you get in return for it. If you’re not sure that a system can be fully disabled after moving to the cloud, that’s something we can help you figure out.

Will You Need Any Servers You Don’t Have?

For example, if you are syncing Active Directory users to Office 365, you need a server to run this on - though it needn’t be very powerful. If you have applications running on servers that you otherwise want to decommission, you may need a server in the cloud to replace them. Likewise, if your security needs are high, you’ll want to have a CipherPoint Eclipse or F5 BIG-IP running in the cloud in front of Office 365.

Domain Registration
You should verify that all your domain names are still current and that you have access to the DNS registration. We’ve occasionally had customers who have some older DNS names that were being used for e-mail aliases, and they weren’t able to migrate them fully because they’d lost the ability to manage the domain name. Check on these beforehand and avoid unpleasant surprises.

Remote Access
Some companies have VPN; this is ideal. Some do not and have to rely on clunky terminal servers or third-party services such as TeamViewer or LogMeIn. If you’re in the latter circumstance or haven’t set anything up at all, we should talk about what is likely to cause issues for the folks doing the migration work, because not all of these services are created equal.

What’s Your Actual Available Bandwidth?
Knowing if you have a T-1, cable modem, or DSL is helpful, but it’s not the end of the story. We’ll want to perform some bandwidth tests at different times of the day in order to account for the connectivity that your company is already using. In general, migrations that have to be pushed to the evening or weekends will take longer.

Test for Equipment Bottlenecks
It’s also worth pointing out that some older equipment can actually be slower than the Internet connection can handle. Early on, we can do a trial run with a few files or a single mailbox in order to determine if there are going to be unexpected problems due to slow hard drives and outdated or overloaded servers.

E-mail Migration Planning
Know Your E-mail Server
Whether you’re using Exchange, Lotus, or some other server, it helps to know what we’re dealing with. We’ll need to know how many users you have, how big their mailboxes are, and what distribution lists you’re using. It’s not unusual to find a few people in a company with mailboxes approaching 20GB (or bigger!). Anything at this size is going to take a lot longer to move than usual and that needs to be taken into account.

Great Firewall of Spam
For the mail server, the above is a good start, but not enough. You need to identify if you have an anti-spam appliance (e.g. Barracuda) or service (e.g. Postini) in front of your mail server. You probably won’t need it after moving to Office 365, but if you want us to make it a part of the move we need to know ahead of time.

E-mail Archives
Most people do not think about this, but Outlook Archive (*.PST) files do not move automatically to the cloud. One of the best approaches we’ve found is to copy their contents up into Exchange Online so that you’ll have access to them everywhere you go. If you’re using archives, it’s important to know this so we can take them into account when looking at mailbox sizes, migration plans, etc.

File Migration Planning
Make a File Inventory
Know where your files are, how big they are, what you will move, and what you might leave behind. Professionals have tools that can help to analyze your files and better determine the cost to migrate. However, these tools are only helpful if we have the opportunity to run them against all the files that will be moved.
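A file inventory of the kind described above, as an added PowerShell example (not CloudPrep code and not from the original post): it summarizes size by extension and lists items that are likely to cause trouble during upload. The rejected-character list, the blocked extensions, the 256-character URL limit, the target URL prefix and the sample folder tree are assumptions or constructed values; check the limits against current SharePoint Online documentation.

```powershell
# Added example, not CloudPrep code. Written to run on PowerShell 2.0 and later.
$BadChars   = '[~"#%&*:<>?{|}]'           # assumed characters rejected in file and folder names
$BadSuffix  = '(_files|_forms)$'          # folder name endings listed in the feature matrix
$BlockedExt = @('.exe', '.dll', '.bat')   # assumed sample of blocked extensions

function Get-ExtensionSummary {
    param([Parameter(Mandatory = $true)][string]$SourceRoot)
    Get-ChildItem -Path $SourceRoot -Recurse -Force |
        Where-Object { -not $_.PSIsContainer } |
        Group-Object { $_.Extension.ToLower() } |
        ForEach-Object {
            $bytes = ($_.Group | Measure-Object -Property Length -Sum).Sum
            New-Object PSObject -Property @{
                Extension = $_.Name
                Files     = $_.Count
                SizeKB    = [math]::Round($bytes / 1KB, 1)
            }
        } | Sort-Object SizeKB -Descending
}

function Get-MigrationIssue {
    param(
        [Parameter(Mandatory = $true)][string]$SourceRoot,
        [Parameter(Mandatory = $true)][string]$TargetUrlPrefix,   # library URL the files will land under
        [int]$MaxUrlLength   = 256,                               # assumed limit
        [int]$MaxFolderItems = 5000                               # threshold mentioned on this page
    )
    $root  = (Get-Item -Path $SourceRoot).FullName.TrimEnd('\')
    $items = @(Get-ChildItem -Path $root -Recurse -Force)

    foreach ($item in $items) {
        # Map the local path onto the URL it would have after upload (unencoded length).
        $relative = $item.FullName.Substring($root.Length).Replace('\', '/')
        $url      = $TargetUrlPrefix.TrimEnd('/') + $relative
        $issues   = @()
        if ($item.Name -match $BadChars) { $issues += 'IllegalCharacter' }
        if ($item.PSIsContainer -and $item.Name -match $BadSuffix) { $issues += 'ReservedFolderName' }
        if (-not $item.PSIsContainer -and $BlockedExt -contains $item.Extension.ToLower()) {
            $issues += 'BlockedExtension'
        }
        if ($url.Length -gt $MaxUrlLength) { $issues += 'UrlTooLong' }
        if ($issues.Count -gt 0) {
            New-Object PSObject -Property @{
                Path = $item.FullName; UrlLength = $url.Length; Issues = ($issues -join ',')
            }
        }
    }

    # Folders holding more direct children than the threshold.
    $items | Group-Object { Split-Path $_.FullName -Parent } |
        Where-Object { $_.Count -gt $MaxFolderItems } |
        ForEach-Object {
            New-Object PSObject -Property @{
                Path = $_.Name; UrlLength = 0; Issues = "FolderOver$MaxFolderItems"
            }
        }
}

# --- Constructed sample tree so the example runs offline ---
$demo    = Join-Path ([IO.Path]::GetTempPath()) ('inventory-demo-' + [guid]::NewGuid())
$reports = Join-Path $demo 'Reports'
New-Item -ItemType Directory -Path (Join-Path $reports 'Web Page_files') | Out-Null
Set-Content -Path (Join-Path $reports 'Q1 budget #2 & notes.txt') -Value ('a' * 2048)
Set-Content -Path (Join-Path $reports 'summary.docx') -Value ('b' * 512)
Set-Content -Path (Join-Path $reports 'setup.exe') -Value 'not a real binary'
Set-Content -Path (Join-Path $reports 'Web Page_files\image001.png') -Value 'x'

Get-ExtensionSummary -SourceRoot $demo | Format-Table Extension, Files, SizeKB -AutoSize

# Thresholds are lowered here only so the small constructed tree trips them.
Get-MigrationIssue -SourceRoot $demo -TargetUrlPrefix '/sites/demo/Shared Documents' `
    -MaxUrlLength 60 -MaxFolderItems 2 |
    Format-Table Issues, UrlLength, Path -AutoSize

Remove-Item -Path $demo -Recurse -Force
```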

Public Folders
If you use Exchange Public Folders, you will need to have those files copied down into a regular file share so they can be moved into SharePoint. Exchange Online does not support public folders, which have been phased out in recent versions of Exchange. When we determine the size of the file stores you’ll be moving, these files need to be included.

How Will the Migration Team Access Files?
Depending on the remote access method and the speed of your Internet connection, in some cases it may actually be faster to copy your files to a portable drive and FedEx them to us rather than have us try to copy them from your office. This also provides the fringe benefit of being able to split the migration up across multiple sites, which can make everything go faster.

Dealing with the Unexpected
Obviously, there’s no such thing as a crystal ball, and that’s even more true for IT. Aside from the things I talk about above, little things can go awry during the project. It’s important to remember that migrating to Office 365 is a big change from the way companies used to work back in the 90s. Be ready to expect and deal with the unexpected.
Here are some things we’ve seen happen in the middle of a project that can really get things out of whack.

Slippage
Sometimes it just takes longer to move files or e-mail than it seems like it should. It really helps to know exactly what we’re moving in the first place, but if your estimate and schedule were written sight unseen before we had access to the servers, then probably there are baked in assumptions that may prove to be wrong.

Even if we did a 1 day triage visit at the start of the project, sometimes the technology can make fools of us all. I had one customer where most mail moved over fine, but then one user’s mail dragged on and on for weeks on end simply because their outdated server would not provide it any faster.

Needless to say, schedule creep can be very disruptive. As a result, we’ve learned to base our schedules on being 95% complete – anything more can be managed as ongoing support and needn’t cause everything else to back up waiting for it.

Limits of File Migration Tools
Moving files into SharePoint is not a drag-and-drop operation. Fortunately, there are many good products on the market, and the state of the art is constantly changing. But, these products are not what I’d call mature - partly because Microsoft keeps changing the Office 365 platform itself. Over the years, we’ve seen file migration tools for SharePoint Online that don’t copy the date stamps on your documents, tools with poor or quirky support for Document Sets, and tools with draconian restrictions on the size of files that can be copied.

If we are copying a large volume of files, it is not uncommon that we may need to do a test run and then start over. We try to account for this in our estimates, but it’s not a perfect science. Tools are great, but if a tool or product does not get the results we want, we may have to switch tactics. This is not a sign of the coming apocalypse. Be prepared for this to be a part of the process.

Limits of E-mail Migration Tools
If you are migrating from Exchange 2007 or better, Microsoft has some great built in tools to make this possible. There are good third-party solutions for other platforms. Each of these has its own limitations. For example, Microsoft tools may not do well on extremely large mailboxes. Third party tools may be more robust, but they will take almost twice as long because they have to copy from the source and then copy to Office 365, whereas Microsoft has the benefit of running their tool in the same local network.

Limits of SharePoint
SharePoint is like any complex software product; it has boundaries. There are limits on the amount of storage you can have in a Site Collection, and limits on the number of items you can effectively put in a List or Library. Our job as consultants is to come up with plans and designs that avoid as many of these as possible. Still, it’s important to understand that Microsoft is constantly changing Office 365 – usually for the better. There have been times that we tried out a particular approach for organizing content and then had to change tactics because one of our assumptions proved to be incorrect.

Here are some examples of fiddly details that have sometimes pushed us around:

  • Flat views don’t work in large libraries (> 5000 items) even though you’d think they should be limited to the current folder.
  • In large libraries, indexes must be created before the library grows past 5000 items.
  • Document Sets can only have one view inside the Document Set itself.
  • Nesting folders within Document Sets is quirky.
  • You cannot easily change the look and feel of the “my-sites” part of SharePoint.
  • And many more…


Shifting Requirements
Migrating to Office 365 is a big change. Training and discovery are a part of the process, and so you might learn something about the platform that you did not know at the beginning.

Likewise, we may learn something about your business that was not clear at the start and this could cause us to change our recommendations. Stay nimble and flexible; these moments can be opportunities to improve rather than a cause of stress.

Save Money for Your Small or Midsize Business by Moving to the Cloud

There are many small companies out there with a rack of servers in a closet. Years ago, this was the expected way that companies supported their internal operations. My company has one too. Many companies depend heavily on this equipment to perform vital functions for the business operation. E-mail and files typically live here - lots of files!

In recent years, there's been a shift to a new IT strategy called "the cloud". For small companies that may not have a lot of cash to make big changes, a move to the cloud can seem to involve a lot of risks and requires spending precious resources.

Today, I want to take a few minutes to explain some of the most compelling reasons that you might want to find a will and a way to turn that closet full of equipment off - because losing that ball and chain could help to set your business free.

Cloud Savings from Electrical Utility Costs
For starters, all that stuff running in your closet uses a lot of electricity. It's hard to tell how much exactly, because that depends on how old the equipment is and things like how many CPUs, drives, extra power supply it might have installed. Air conditioning costs energy too, and many people fail to take cooling costs into account when they try to estimate how much energy their computers use.

You can make some educated guesses based on the size of the circuit breaker on your equipment rack. For example, if you run everything on a single 20 amp circuit and it isn't blowing out like a Christmas tree in a hundred-year-old house circa 1974, then you are probably consistently pulling less than 18 amps and it's probably more like 15. Converted to watts, that's 1800 to a max. of 2400 watts. That's more than enough to run 5 servers with 500 watt power supplies - assuming you don't power them all up at one time. If you have fewer servers than that running, you either have older equipment that consumes more power or you aren't really using the circuit to its capacity.

1200 w at 120 v = 10A

500 w / 120 v = 4.15A

Another rule of thumb would be to assume about 550 watts per server, unless there's something fancy going on like it has a redundant power supply.

So let's use my own equipment as an example and I'll see if I can guess how much it costs me every month.

Here's my inventory:

  • Firewall
  • Domain Controller
  • 2 Virtual Servers
  • Database Server
  • Other Small Load Equipment: Wi-Fi Router, Network Switches, Battery Backup UPS


5 x 550 w = 2,750 w

2,750 w / 120 v = 22.9167 A

Maybe it's a little more than that if you include all the low end equipment.

This runs on a 20 amp circuit, so if I were really pushing 22A or more then I'd be blowing the circuit all the time, but I do know that if we add anything like a mini-fridge to the mix then we will trip the breaker, so I'm probably not far off. I could use this figure and call the overhead the cost of air conditioning.

Fortunately, I have another way to tell. I have these two APC 1500 VA back-up batteries and each is nice enough to tell me its load. Right now each is sitting at about 50% load. So, that's about the same as saying that we're running at 15 amps. This figure makes more sense, because you have to figure that the servers need a little extra capacity for starting up and such.

I could've come to the same conclusion by guessing that my equipment uses about 70% of its max. capacity. All these methods bring me to about the same figure.

My system uses 15A * 120v = 1,800 watts. I'll round it up to 2,000 watts to make the math easier and account for cooling costs and spikes in use that occur once in a while.

So, how much is that in money? The power company charges me per kilowatt-hour. That's a fancy term for saying that if I use 1,000 watts for 1 hour, that's one unit on my electrical meter - for which they charge me $0.12.

24 hours in a day times an average 30.4 days in a given month equals 729.6 hours per month. Remember that this equipment runs 24 x 7 x 365, in case some employee wants to VPN in at an odd hour and get a little extra work done. So we have 2 kilowatts times 729.6 hours times 12 cents. That's about $175.10 a month or $2,101.25 per year. Over time that really adds up.

What if I could cut that power consumption in half, by removing some of that equipment? If I had a thousand bucks, I could do a lot of things with that money instead. Here are some examples: 

  • Office 365 E3 plans for 4 employees
  • A small virtual server in the cloud with a VPN connection to my local network
  • Business-grade broadband internet service
  • A fancy office lunch for all the employees once per quarter
  • An extra grand for me to take home as a bonus

In fact, over five years this alone could pay for about 25 to 50% of the budget for moving to the cloud.

We do some really fancy stuff with our servers, but most companies are doing pretty ordinary things with their equipment. Here are some examples:

  • Domain Controller
  • File server
  • Backup server
  • E-mail server
  • Anti-spam appliance
  • Company Intranet site
  • Remote Login / VPN / Terminal Server
  • Accounting Software
  • Other Customer Application Servers


If you replace that old equipment with cloud services and virtual servers in the cloud, you can eliminate a lot of these. In fact, only the domain controller and those last two items are particularly challenging to phase out completely. Depending on how your systems are configured, that could be as many as 3 servers (maybe more) that are just sitting there chewing up power that you could save.

Cloud Savings by Avoiding Upgrades to Hardware and Software


All of that hardware may be aging; the recession hit a lot of businesses that haven't had spare funds to update their servers since before 2008. That was 5 years ago, when Windows Server 2003 was still considered reasonably current. A lot of it isn't upgradable, because it's 32 bit architecture and won't support the newer operating systems, which means you have to figure hardware into your upgrade costs as well.

Even if your hardware is state of the art with the latest operating system, chances are good that you'll probably want to upgrade it sometime in the next 3 to 5 years. What the hardware does and what software runs on it will say a lot about how much you could save by freeing yourself from that burden.

Likewise, at some point you're probably going to want to upgrade Microsoft Office. Many companies say they're perfectly happy using Office XP or 2007; often, they just don't know about certain features that could be of really high value to them. Because they can't afford to upgrade, they never get the chance to discover the benefits on their own. Office 365 solves that problem because your Office desktop client software is included with the service.

For example, modern versions of Office have improved abilities to collaborate on documents when they're saved on a SharePoint server. Two people can edit the same Word document or Excel spreadsheet at the same time from two different computers. Most folks also don't realize that Excel has some very promising business intelligence features now that can let you crunch your business data in ways that could give your company the competitive edge.

One customer told us that because they were switching to a cloud architecture, they would be able to stop buying the more expensive laptops they'd been providing to their employees, in favor of units that were about half the price. If you have fewer than 10 employees that may not seem like a big deal, but if you're buying computers for a larger team, the multiplying effect can lead to formidable savings.

Here are some examples of some hardware and software costs you can save by switching to the cloud:

  • Typical mid-grade business server: $3,000 to $6,000 per server
  • Cheaper desktops or laptops: $250 to $1000 per user
  • Windows Server operating system: $1,000 per server
  • Exchange Server software: $1,000 + $120 per user
  • Microsoft Office client software: $400 to $700 per user depending on edition 


There are other miscellaneous software expenses too, like Remote Desktop Server (terminal server) clients, VPN devices, anti-spam appliances like the Barracuda, or backup solutions like Veritas. Having some of these in your company typically comes with annual support contracts that must be renewed - that's kind of like paying for cloud services without getting the cloud. You may not be able to discontinue all of these services, but especially for those which charge per user, scaling back the number of seats can save you a lot.

Cloud Savings by Reallocating IT Service Costs
Of course, computers don't take care of themselves. Some companies have an IT staff of their own, others hire managed services companies or freelance IT tradespeople to help maintain their computer systems.

These services come at a cost. A full-time IT person can cost $80,000 a year to keep on staff. Part time workers will usually charge consulting rates of around $50-100 an hour or more. Such a consultant might cost you $25,000 a year even if you bargain shop and only give him 10 hours a week. 

Such services are necessary. Backups need to be run. Users need help with malfunctioning software or broken equipment. Server drives will get full, fail, or both. Learning all those systems and which levers to pull in order to keep them running is a distraction from your business operation. Most business consultants agree that smaller companies should outsource their IT needs.

It might be tempting to think that you'll be able to cut the budget for IT support if you move to the cloud; after all your IT staff or MSP will have less equipment to maintain. The truth is that this will probably be a wash, because it's common to see both IT departments and managed service providers starved to the bone for resources. Likely, some of your resources will shift to supporting the new cloud solutions instead of the old infrastructure. Also, there are probably projects that have needed attention for a long time where you could redirect those funds or hours instead of cutting back.

So, look for changes in where you get your IT support, how it is delivered, and what platforms it will support - but don't expect to unearth a gold mine of savings by cutting back on IT work when you switch to the cloud. Fortunately, there are so many other places to find savings that it probably won't matter.

Cloud Savings from Stupid Accounting Tricks
Another thing to consider is that in some cases there are significant differences between CAPEX and OPEX, meaning that capital expenditures - those which result in obtaining assets - require different accounting treatment than ongoing expenses like your phone bill. Because cloud services are operating expenses, you may be saving money on stuff like business property taxes and depreciation if you go into the cloud.

Another thing to point out is that cloud services do not have to be paid all at once. For example, buying Office 2013 for 25 employees could mean coming up with over 17 grand up front, tapping into a line of credit, or having to phase the purchase in slowly. Getting that kind of money for big expenditures can also involve jumping through flaming hoops. Such obstacles might delay purchases you need to make, and they'll certainly drain your productivity.

Cloud services also scale much better than conventional server infrastructure. For example, you might provision an Exchange server that is reasonable for 15 employees. Over time, as employees are added to the company and old e-mail accumulates that server would be overburdened, thus accelerating the pace at which you'd have to spend more to upgrade it. Or, alternatively, you could plan ahead and buy a server that could support up to 30 employees, but then all that added expense is an opportunity cost and wasted resource for every year that you don't use the server to its full capacity.

Cloud services typically come with an annual agreement, just like your cell phone plan, which means there are some limits on how fast you could scale back if you have to, but you can increase capacity at any time. So, there's no excess supply except in cases where you shrink the company a bit - and your maximum liability is something you can plan for. With the traditional server all you could do is wait for users to drop to zero and then turn it off - just before hitting the light switch on your way out of the office.

Cloud Savings from Productivity Gains
This is the fun part that I always like to talk about, because people really overlook it when they're trying to find ways to save money - and this is where the real money is.

Suppose your small company grows, and you need to hire another office employee to handle the work. That probably costs you anywhere from $50,000 to $80,000 per year - maybe more depending on their qualifications, experience, and the value they bring to your company.

Suppose your company does less well than you'd like and you want to cut your staff. Everyone else would feel the pinch as their work is transferred to the rest of the team. The added workload affects morale, and productivity could drop - increasing the chances that you'll continue to slide downhill.

My point here is that whether your company is struggling or growing, both of these come with a cost. What if you could mitigate that cost by cutting out wasteful activities that aren't really productive but have just sort of become habits because you've always worked that way before?

If your business is like a lot of other companies, you probably have some pretty typical work patterns in your office. Here are some examples:

  • You have a network file share that you've been using for years; maybe you have everything going back to the early days of the company; there's an elaborate folder structure to keep everything organized, which has changed over time; finding things involves digging around in different folders until it turns up or asking the office admin if they know where it is.
  • Once in a while, somebody deletes a file off the network file share; either you don't ever find out about it, or when you need it you have to go to a backup since there's no recycle bin for the file share.
  • Since there's no official document retention policy - or way to automate it - old documents just pile up and lie around making everything else harder to find.
  • You have tons of documents living in e-mail; when you need a document you have to search Outlook to find it; sometimes you're not sure if it's the latest version or not.
  • You archive your old emails to gigantic PST files which you can only access on your work computer, because the file has to live on the network share in order to get backed up.
  • When you're on the road or working from home, you have to remote into a terminal server so that you can get access to all of your files at the office; you can't use your tablet or smartphone to do it; it's extremely slow compared to working on your home computer.
  • Your version of Office at home is different than the one you have at work, and so some of the stuff that you can do in the office can't be taken home with you.
  • If there's an internet connection or electrical issue at the office, you can't really work from home, because VPN is down; business just shuts down for the day until the crisis is past.

If you do most of these things, chances are you could gain a lot of productivity by moving to the cloud. And, if you do any of these, chances are pretty good that everyone else in your office has the same bad habits and coping skills.

Logging into VPN, working with slow connections, foraging for documents, lugging portable drives back and forth, trying to find the correct version among duplicates, waiting for e-mail and file searches to finish running, being at specific computers in order to complete certain tasks, and having to ask other people where to find that important file are all wasteful, unproductive activities. Up to a certain point in time, they were considered necessary, just like people still consider driving to and from the office to be necessary - at least some of the time.

According to one McKinsey study, workers spend about 30% of their time reading and answering emails, 20% of the day looking for things, and 15% communicating and collaborating with their fellow workers. That's a whole workday every week spent looking for information, much of which may already exist inside your own company.

And yet, if each employee in a 25-person company could save just 2 hours a week by cutting down on how long it takes to find things, that'd add up to 50 hours a week in reclaimed productivity. In other words, you can add an entire virtual employee to the rolls without paying a penny - whether you simply avoid hiring another warm body or have to make do with less staff, either way you're looking at an effective savings of $50-80k.

The reality is that you can probably save a lot more than just 2 hours per week; that's just 24 minutes a day. If you think of it more like a worst case scenario, it's a pretty darn compelling argument to go ahead and make the change even if it costs you a little in the short run.

Think your company could benefit from a move to cloud architecture including Office 365? Reach out to us and we'll develop a custom migration plan, cost breakdown, and ROI.