Executive Summary:
Microsoft's Business Productivity Online Suite makes it easy to set up, manage, and use online versions of Exchange Server, SharePoint, and Microsoft Office Live Meeting. Learn what you need to know to subscribe to these services and configure settings and users, and get some tips for planning your Business Productivity Online Suite deployment.

If you’ve been paying even half attention to technology media in the last year, you’ve probably noticed that more and more vendors are trying to sell businesses on moving core IT operations to an Internet-based service-delivery mechanism—that is, cloud computing. Microsoft has been promoting a version of cloud computing, Software Plus Services (S+S). The heart of the difference between S+S and Software as a Service (SaaS) is that S+S uses specialized client-side software such as Microsoft Office in conjunction with online applications. This combination blends the convenience of a web service with a feature-rich client application.

Microsoft’s Business Productivity Online Suite is a great example of the kind of services that can have a big impact on small-to-midsized businesses (SMBs). A “seat” on the services gives you access to Microsoft Exchange Online, Microsoft SharePoint Online, and Microsoft Office Live Meeting at the affordable price of $15 per user per month. SMBs that would never consider having an on-premises Exchange server, for example, can now benefit from Microsoft Office Outlook features that “wake up” when used with Exchange (e.g., using the Global Address List—GAL, meeting-room scheduling, invitations to meetings with accept/deny built in, calendaring, and free direct push email to Windows Mobile 6 devices). Similar capabilities are available from SharePoint Online for document collaboration and Live Meeting for real-time collaboration. Let’s take an IT pro’s eye view of the suite, starting with a quick overview of the online services, then walk through setting up the services, with some helpful deployment and management tips.

Services Overview
The suite comes in three flavors:

  • Standard: This is the primary version of the Business Productivity Online Suite. At the Microsoft data center, these standard services are deployed using a multi-tenant architecture (i.e., a single instance of the software runs on the cloud vendor's servers, serving multiple client organizations, or tenants), which provides a very useful set of services at an affordable price. Microsoft made the solution scalable and affordable by providing the most valuable core services while limiting the user’s ability to customize the solution. Understanding the scope of what is and isn’t customizable in the Standard version is key when you’re evaluating or migrating to the Online Suite.
  • Dedicated: Dedicated offerings, usually for businesses with 5,000 seats or more, are typically customized agreements that engage Microsoft to facilitate migration, support, and deployment. The dedicated version enables a greater degree of customization in multiple layers, such as support for specific types of federated identity and SharePoint customizations.
  • Deskless Worker: This is an inexpensive option for shop-floor workers or other scenarios that provides a mailbox accessible via Microsoft Outlook Web Access (OWA) and read-only SharePoint. This option is due for release in the first half of 2009.

Subscribing to Microsoft Online Services
The Microsoft Online Customer Portal (MOCP) is where you subscribe for services and add additional storage, if needed. Before you begin the signup process, you can select to Try or Buy the services. If you select Try, you get a free, 30-day subscription limited to 20 seats. (The services are otherwise the same as for a paid subscription.) After 30 days, you’ll have the opportunity to convert to a paid subscription.

Ordering the Business Productivity Online Suite is like ordering any other service: You provide your basic contact and company information and agree to the licensing and privacy terms. Here’s how the signup procedure works.

  1. Select a valid Windows Live ID to permanently associate with an MOCP account. The Live ID you select will be associated with the subscription you create. You can’t use this ID for more than one subscription, and at the time of this writing, the Live ID association with the subscription cannot be changed. You’ll use MOCP for adding more services or increasing storage, but not for day-to-day administration. Note that the Live ID used can’t be a username on the system, so you might want to create a special, new Live ID for the MOCP account.
  2. Provide a good technical contact. The technical contact information you provide will receive communications about service updates and other service news. Microsoft support may also call or email this contact, if needed.
  3. Provide the “base” domain name. The base domain name you provide will be added to microsoftonline.com to create a unique login domain for your account. For example, if you entered contoso.com, your account will be provisioned as something similar to “contoso1.microsoftonline.com”. You can add a unique domain name to use for email and logon after your account is provisioned. Entering a domain during the signup doesn’t affect any DNS server or impact mail routing for the entered domain in any way.
  4. Associate a partner. When you sign up, you’ll be asked to select a Microsoft Partner to associate with your account. You can proceed without such an association, but Microsoft recommends working with a partner to help answer questions, plan migration, and integrate the services into your existing workflow.
  5. Receive the Admin password. Once provisioned, you’ll receive an email inviting you to return to MOCP and retrieve the Admin account password. Note that there’s a delay at this stage while your account is provisioned. This could take an entire day, but when I used the prerelease beta versions of Online Services, it took less time than this.

With password in hand, you can now browse to the Microsoft Online Administration Center (MOAC) (admin.microsoftonline.com), which Figure 1 shows, and start configuring the services.

Figure 1: Microsoft Online Services Administration Center portal

Tips: First Actions for New Subscribers
There are a few actions an experienced services administrator (that’s you) will want to take when a new account is provisioned. Following this advice will help you avoid reconfiguring settings later.

Add custom domains. Before you create new users, add and validate your main custom domain (click the Users tab, then click Add a New Domain from the Action List). To prevent fraudulent use of domain names, all custom domains used with the service must be validated. To validate a domain, you run the validation wizard, which provides you with a unique “string” that you then place into a CNAME of the authoritative DNS server for the domain. The domain validation wizard will then query DNS and examine the CNAME for the provided content. If there’s a match, the domain is accepted. The assumption is that if you control the DNS server for your custom domain, you effectively own the domain.

It’s best if you reference the online Help for this process (search for “verify a domain”), which does a good job of explaining the process and provides examples for 1&1, Enom, GoDaddy, and other popular domain registrars.
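The CNAME check described above can be sketched as follows. This is an added example, not Microsoft's code or the service's actual record format: the token derivation, the record layout (the string as the owner label pointing at a fixed target), the target host verify.provider.example, the tenant IDs, and the zone data are all assumptions constructed for illustration.

```python
import hashlib
import hmac

# Assumed provider-side constants (hypothetical, not taken from the service).
PROVIDER_SECRET = b"constructed-demo-secret"
VERIFY_TARGET = "verify.provider.example"


def normalize(name: str) -> str:
    """DNS names compare case-insensitively; drop the trailing root dot."""
    return name.strip().rstrip(".").lower()


def issue_token(tenant_id: str, domain: str) -> str:
    """Derive the unique string for one tenant/domain pair, so a record
    published for one subscriber cannot be reused by another."""
    msg = f"{tenant_id}|{normalize(domain)}".encode()
    digest = hmac.new(PROVIDER_SECRET, msg, hashlib.sha256).hexdigest()
    return "v" + digest[:32]  # leading letter keeps it a valid host label


def parse_zone(text: str) -> dict:
    """Parse 'owner IN CNAME target' lines into {owner: target}."""
    records = {}
    for line in text.splitlines():
        fields = line.split(";", 1)[0].split()  # strip zone-file comments
        if len(fields) == 4 and [f.upper() for f in fields[1:3]] == ["IN", "CNAME"]:
            records[normalize(fields[0])] = normalize(fields[3])
    return records


def verify_domain(tenant_id: str, domain: str, cname_lookup) -> bool:
    """Accept the domain only if <token>.<domain> is a CNAME to the target.

    cname_lookup is any callable mapping an owner name to its CNAME target
    (or None); here it is backed by the constructed records below.
    """
    owner = f"{issue_token(tenant_id, domain)}.{normalize(domain)}"
    target = cname_lookup(owner)
    return target is not None and normalize(target) == VERIFY_TARGET


# Constructed sample zone: the administrator of contoso.com has published
# the string issued to "tenant-a" (mixed case on purpose).
TOKEN_A = issue_token("tenant-a", "contoso.com")
ZONE = f"""
; constructed zone data for contoso.com
www.contoso.com.                IN CNAME web.hosting.example.
{TOKEN_A.upper()}.Contoso.COM.  IN CNAME Verify.Provider.Example.
"""
RECORDS = parse_zone(ZONE)

if __name__ == "__main__":
    print("tenant-a:", verify_domain("tenant-a", "contoso.com", RECORDS.get))
    print("tenant-b:", verify_domain("tenant-b", "contoso.com", RECORDS.get))
```

Because the string is derived per subscriber, a second subscriber asking to validate the same domain gets a different string and fails the check until the DNS administrator publishes that one as well.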

Once the domain is validated, set it as the default domain. Now proceed to create users. New users will automatically be assigned to the custom domain, so they log on as username@customdomain.com instead of username@customdomain1.microsoftonline.com. This particular tip is useful as the default logon domain for a user can’t be changed at this time. So if you created 100 users before you added a custom domain, they would always have to log on as username@customdomain1.microsoftonline.com until this feature is added.

Create a new administrator that uses the services. Those of us used to managing OSs assign special meaning to the built-in Administrator account. With the suite, the Admin account is like any other user account that’s marked as service administrator. In other words, you can delete it or disable it and there are no ill effects. I recommend that you create two administrator accounts, one that’s provisioned for using all the services (i.e., one of your seats is consumed by this account) and a “backup” account that can be used for logging on and administering the services but isn’t used as a service client. This backup account allows for a second administrator to gain access should the primary administrator be unavailable when needed.

Configure Live Meeting settings. While logged on as Admin (and without the Sign-in application running; more about this application shortly), launch Live Meeting from MOAC and configure the default settings for the Live Meeting administrator. Proceed to configure the Live Meeting profile for the Admin account. These settings will be used as the defaults for new Live Meeting users. If you set the defaults after users log on to Live Meeting, user settings aren’t updated to reflect the changes as their profile is already created. Settings to update include the maximum number of participants (15 maximum in the standard offering) and conference call/voice information, among others.

Creating and Managing Users
There are two types of users in the suite: those you create in the administration center and those created by the Directory Synchronization tool. The process of creating users in MOAC is straightforward. Just start the New User Wizard from the Actions list on the main page and send the user the new password (which the user must change at the first logon). Note that you can also import multiple users by using a .csv file.

You can download and install the Directory Synchronization tool via MOAC. The tool doesn’t have a lot of administrative handles and is remarkably self-contained. Behind the scenes, the installer adds to the server Microsoft Identity Integration Server (MIIS), SQL Server 2005 Express Edition, and a Windows service that periodically replicates new accounts. Enterprise Administrator credentials are required to install the tool since it will crawl all domains in the forest for user objects.

When creating and managing users, here are some important things to keep in mind:

  • An account will be created on the service for every user in the Active Directory (AD) forest. This cannot be constrained to a specific organizational unit (OU) or domain in the current version of the Directory Synchronization tool.
  • Passwords are not copied.
  • New users created in AD will be replicated to the Online Suite, whereas users created in the suite won’t be replicated to AD. In other words, it’s a one-way arrangement.
  • Replicated accounts in the service aren’t automatically provisioned with licenses; you must do so manually. This process is straightforward as you can select all unlicensed users at the same time and provision them.
  • Replication occurs every 30 minutes by default. Event viewer messages tell you when sync starts and ends.
  • You can kick off replication manually by running the Directory Synchronization tool.

For more information about the Directory Synchronization tool, see the TechNet webcast “Migration and Coexistence for the Business Productivity Online Suite from Microsoft Online Services” and the online Help.

Client Management
Client-side management tasks for the suite include deploying the Sign-in application, performing some Outlook user-profile tweaking, installing Live Meeting add-ons for Microsoft Office, and migrating email from your on-premises Exchange server to Exchange Online.

Sign-in application deployment. The suite’s Sign-in application is built to be deployed on subscriber desktops. As Figure 2 shows, you use the application to launch Outlook, OWA, SharePoint Online, and Live Meeting. In most cases, launching from the Sign-in application eliminates the need to manually authenticate to the services.

Figure 2: Microsoft Online Services Sign-in application

The sign-in application is needed because user accounts for the service exist in Microsoft’s data center and aren’t part of the local company’s AD or other membership system. As a result, the user ID and password are unique entities and don’t share a security context with the signed-on user for the client system. As a customer, I like this because my company’s local usernames and passwords aren’t hosted inside Microsoft’s data center. On the other hand, it would be convenient to have MIIS or another service as an option to bridge the identities. The initial release of the Business Productivity Online Standard Suite doesn’t currently support federated identity.

As with any deployment, you’ll need to assess the minimum hardware and software requirements, impact on user experience, support, update, and installation requirements. The Sign-in application requires Windows XP Professional SP2, or Windows Vista Premium, Ultimate, or Enterprise. Microsoft .NET Framework 2.0 must be installed as the tool uses Windows Communication Foundation (WCF) to communicate to the service for authentication. Microsoft Office Outlook 2007 is supported as the email client. Finally, you’ll need to be an administrator to install the tool. Download the tool from the Administration Center or https://home.microsoftonline.com.

Profile management. The Sign-in application will create a new Outlook user profile that connects Outlook to the suite. Autodiscover works automatically in most cases (some tweaking may be needed in coexistence scenarios; check the online documentation for details) so that configuration is a seamless experience. You might need to perform certain administrative tasks associated with recovering autocomplete entries or adding a locally stored Inbox into the new profile. Both of these are straightforward tasks that you could automate if needed. Check out my blog entry for more information about performing these tasks, at http://blogs.technet.com/bpositive.

Email migration. The email migration tool moves email and related content to the suite from Exchange. It also supports POP3 migration to a limited extent. Like the other tools, you can download this from MOAC and install it on a system that’s joined to the AD forest. After you enter the online services you’re subscribed to and your Exchange admin credentials, the tool will query the Exchange server and find matching online accounts. You can then choose which users and content you want to migrate. For example, you could choose to migrate email in certain date ranges as well as journals, tasks, and other content associated with users’ email accounts.

Once email is migrated to the online service, the user’s AD account is set up with an alternate delivery address so that email directed to the local Exchange server is now routed to the service. The new online-services user will see a complete GAL (as a result of using the Directory Synchronization tool), will receive all mail from all sources, and can email any user without an interruption in service. Be aware that the migration tool doesn’t migrate SharePoint content.

SharePoint Online
Service administrators can create SharePoint sites in MOAC. Doing so automatically makes the service admin who created the site an administrator on the SharePoint site. The first order of business, then, is to enter the SharePoint site and add SharePoint users.

Using SharePoint Online is much like using SharePoint on premises, except that the online version has some limitations due to the services’ multi-tenant architecture. To quote David Gorbet, product manager for SharePoint Online: “In general, you can

  • Use SharePoint Designer to create and deploy no-code workflows; customize content types, taxonomy, and branding via master pages and layouts; and create and deploy site templates.
  • Use the Data Form Web Part to create applications that mash up, filter, roll up, and render SharePoint data or data consumed from a Web Service (e.g., RSS feeds) in new ways.
  • Use InfoPath to design forms for workflows, provided these forms are user-deployable (i.e., contain no custom code).
  • Use the SharePoint Web Services to access and manipulate SharePoint data remotely.

“Currently you cannot

  • Use inline code, build coded workflows, or develop InfoPath forms with coded business logic.
  • Deploy features, solutions, pluggable auth[entication] providers, Web Parts, site definitions, or other features that require deployment and configuration on the server.
  • Modify any SharePoint files, web configuration settings, security policy, database schema, or any other serverwide or server-based resource.”

SharePoint Online is built on Microsoft Office SharePoint Server, so that a small business can benefit from publishing and collaboration and Microsoft Office integration. Some SharePoint web services are exposed, which makes possible client-side custom applications and line-of-business integrations, such as those highlighted at the Partner Solutions Showcase. For more information about SharePoint Online extensibility, see the Microsoft SharePoint Online Standard Developer Guide.

Planning to Deploy Online Services
Using the Business Productivity Online Suite is the easy part. Once you’ve deployed the software, trained your users, and have your support systems in place, day-to-day operations using the online services should be easier for you than doing the same operations with on-premises servers. Getting there, however, requires some careful planning. Some of the items you need to consider are the impact of the online services on network bandwidth, reliability of your ISP, alternate Internet access plans, email migration planning, software upgrades, mobile-device configuration for email access (the Online Suite supports Windows Mobile 6 or later), DNS configuration, identification of service administrators, and updating support systems and network devices as required (e.g., content filtering, routers, proxies).

On the business side, you’ll want to ensure that users are trained on how to use the Sign-in application to launch Outlook and other services. For example, if you launch Outlook from the desktop icon instead of the Sign-in application dashboard, you’ll be prompted to select the Outlook profile you want to use. In addition, if the Sign-in application isn’t running, you’ll be prompted to authenticate and provide a client certificate. So make plans to inform users about these changes before deploying the Sign-in application.

To help with the planning process, the Microsoft Assessment and Planning (MAP) Toolkit has been updated to evaluate the on-premises systems for deploying the suite. This set of questions and network query tool will provide useful information regarding impacts on bandwidth and currently installed versions of OSs and Office and includes checklists you can use to assess your preparation. In addition, you’ll want to review the materials at the Microsoft Online Services site.

Now Try It Out!
IT pro expertise is essential to the successful deployment, support, and administration of the Online Suite. Once you’ve deployed the online services, routine server administration tasks are managed by Microsoft—so you’ll probably find yourself dusting off those network rearchitecture or server upgrade plans (you know, those projects that would really increase efficiencies but you haven’t been able to get to?). You can get a free trial account for Microsoft Online Services at mocp.microsoftonline.com. Take some time to review the online documentation, download the MAP toolkit, and get a feel for how the suite works. I think you’ll be impressed with how much capability is provided as well as the ease of administration.