Two decisions made by Microsoft in a week had an unfortunate impact on customers who were not aware that things were about to change. But they did, and mail routing halted for some while others were perplexed by the renaming of the administrative role groups used by Office 365 to control access to different features. Is this important? Well, they did not affect me, but I know some others who are annoyed by the changes, which should have been better communicated and explained. But we don't live in a perfect world.
The law of unintended consequences was in full flow lately when two well-intended actions provoked some interesting reactions.
The first was the civil lawsuit filed by Microsoft on June 19 against criminals who produce and disseminate malware. This sounds like an extremely laudable and worthwhile action to take and something that you could only but applaud. That is, until you realize that the action forced No-IP.com, a company providing a free dynamic DNS service to users, to cede control over 22 domains to Microsoft. In turn, the domains stopped working and caused anyone who depended on No-IP.com to translate their domain name to experience problems, including those who used the service for email routing.
As explained by No-IP.com, several other dynamic domain services remain operational and the immediate solution was to transfer the host names from No-IP.com to another service such as ddns.net or webhop.me. Mail flow and other operations that depend on the resolution of these host names should return to normal once the change is effective. However, after some pressure, Microsoft began to hand back control of the seized domains and normal service began to resume.
Of course, when you’re working to take down some international malware creators, you don’t advertise the actions that you want to take, especially those filed in court, beforehand. So Microsoft said nothing and those who depended on the disconnected service only found out when the outage occurred. There’s probably no better way to do take actions of this nature but Microsoft’s communications to valid users of the No-IP.com service, including those who use it in tandem with its own cloud services likeor Azure, could have been better.
The other action happened when the nice people who run Office 365 decided that the old names that they had been using for administrative role groups weren’t as good as they might be. Role groups are assigned to users to allow them to access different levels of functionality within Office 365. So names like “Global administrator”, were “upgraded” to become “Company administrator.” This caused some upset in various places, including Microsoft's Yammer IT Pro network for Office 365, mostly because no one expected the change.
I must admit that I pay relatively little attention to these names but a flurry of activity on the Internet caused me to look at the role groups available for my Office 365 tenant. I don’t recognize the “Exchange Administrator”, “Lync Administrator” and “Service support administrator” groups either, but that’s probably because I never noticed them before. Or they are new.
I don’t notice a “SharePoint administrator” in the list of available role groups. Perhaps this is because SharePoint Online has no need of administrators and is perfectly happy to continue on its merry way without human intervention. But then again, the number of people who attend the SharePoint sessions at IT/Dev Connections every year make me suspicious that SharePoint often needs some tender loving care. So it was a little odd not to have an administrative group for SharePoint.
These are Office 365 groups and not the Exchange management role groups that those running Exchange Online, Exchange 2010, orwill recognize. However, a relationship existed between the two sets. For instance, if you added a user to the "Exchange Administrator" group, they showed up in an Exchange Online role group called "ExchangeServiceAdmins_53add" (the name used in my tenant - it might be different for you - but what a name!) that appeared to be equivalent to the Organization Management role group that you find in on-premises deployments. I assume a similar link (no pun intended) existed between "Lync Administrator" and Lync Online.
On a serious level, not every Office 365 customer is a company so it’s an odd but arguable choice. But apart from debating the nomenclature, the more important issue is that the change was made without any communication (that I can find) that it was going to happen. And confusingly, although the change has been made live within Office 365, those responsible for maintaining the Office 365 help were clearly blindsided by the update because the help text covering administrative roles continues to use the old names.
All of this happened after Microsoft made a big deal of the new Office 365 change management model, so perhaps it’s a change that slipped in before the new model became effective. Or that team didn't attend the change management training. In any case, the Office 365 team realized that the change was not fully baked and demonstrated the level of control that they have over changes by reversing direction late on July 2. The change will take a little time to back out for all tenants (it is not yet effective in my tenant), which is the reason why the following message is displayed in the Office 365 Message Center.
Decisions happen in odd ways within big companies and it’s not always clear how something came to happen in a particular way. The events of this week demonstrate how hard it is to anticipate every reaction that will flow from a decision and how complicated it is to manage change.
Follow Tony @12Knocksinna