“ … eac falls down in one important way. it totally lacks any of the valuable learning tools for...

Warren JohnsonSenior Program Manager LeadMicrosoft

Getting Administration Done

MNG301

AgendaPowerShell log viewer is back!Bridging the gap between what’s possible in the UI and the power of PowerShell scripting

On-premises interoperabilityUsing EAC in a mixed-version interoperability deploymentRouting to E2013 CAS servers for the ECP protocol

Deployment varietiesWhat’s unique about on-premises, hybrid and Office 365 manageability?

Managing RBAC groups, roles and scopesWhat can be managed through the GUI and what is left to PowerShell?

Introducing … GroupsAn introduction to the suite-level manageability experience

PowerShell log viewer is back!“The rumors of my death have been greatly exaggerated”-Mark Twain

“ … EAC falls down in one important way. It totally lacks any of the valuable learning tools for PowerShell that are in EMC.”

“I think that Microsoft will disappoint both experienced and novice administrators when they discover that EAC offers zero insight into the code that it executes to do its work. It’s a sad omission.”

Tony Redmond’s Exchange Unwashed Blog

Aug 7, 2012

PowerShell log viewer is back!What’s includedHow to use itAvailability on-premises and in the Cloud

PowerShell log viewer details

PowerShell log viewerSearching for cmdletsPaste to PowerShell

PowerShell Log Viewer Demo

Warren Johnson

On-premises InteroperabilityBetter together

“Just give us one all up console view over side by side”

E2003

+ E2007 + E2010

E2013 ECP Protocol Connectivity FlowE2013/E2010/E2007

Layer 4 LB

E2013 CAS

IIS

HTTP Proxy

E2013 MBX

Protocol Head

DB

E2010 CAS

Protocol Head

E2010 MBX

E2010 MBX E2007 MBX

Store

DB

RPC

Multiple ECP admins with E2013/E2010/E2007 mailboxes …

contoso.com/ecp

E2007 CAS

Protocol Head

E2010 MBX

Store

DB

RPCRPC

E2013 ECP Protocol Connectivity FlowE2013/E2010

Layer 4 LB

E2013 CAS

IIS

HTTP Proxy

E2013 MBX

Protocol Head

DB

E2010 CAS

Protocol Head

E2010 MBX

Store

DB

An ECP admin with an E2010 mailbox ... contoso.com/ecp?ExchClientVer=15 (now in the

desktop link!)

E2007 CAS

Protocol Head

E2010 MBX

Store

DB

RPC

E2013 ECP Protocol Connectivity FlowE2007 Coexistence

Layer 4 LB

E2013 CAS

IIS

HTTP Proxy

E2013 MBX

Protocol Head

DB

E2010 CAS

Protocol Head

E2010 MBX

Store

DB

ECP admin with E2007 mailbox ...

contoso.com/ecp?ExchClientVer=15

(now in the desktop link!)

E2007 CAS

Protocol Head

E2010 MBX

Store

DB

RPC

Rules for E2013 CAS15 Routing On-PremisesIF (RFR = "OWA")DO NORMAL PROXY VIA ANCHOR MBX LOCATION // Came from non-admin

ELSE (VERSION=Y) DO RANDOM PROXY TO MATCHING VERSION BE SERVER // Pick version

Explicit Versioning Demo

Warren Johnson

Deployment varieties“Nature is an endless combination and repetition of a very few laws. She hums the old well-known air through innumerable variations.”-Ralph Waldo Emerson

Summary of deployment variations

Deployment Includes Does /not/ include

Enterprise on-premises

Nearly everything related to Exchange!

O365 Suite level management. Suite reporting

Hybrid Everything++ including a single all up recipients list from EAC

Single list of policy configuration cross-premises e.g. Retention Policies

Office 365 Recipient and Configuration management

Server or physical resource management e.g. DAGs

O365 Suite-level e.g. Mobile Devices *plus* the workload-admin-centers included in your offer (SKU) e.g. EAC, LAC, SAC and more e.g. Yammer

Suite level Reporting (see MEC Session)

Managing RBAC Groups, Roles and ScopesEAC simplicity and PowerShell fidelity

Understanding RBAC and PermissionsUser versus Admin authorizationAdmin management with Roles Based Access ControlUser management with Role Assignment Policies

Groups and RolesContainers of properties via RBAC RoleGroupsFeature level granularity via Roles

EAC v. PowerShellRBAC RoleGroups Create, Edits and Deletes via EACRBAC Role and Scope updates via PowerShell (EMS)

Understanding RBAC and PermissionsIt’s still about Who can do What … and Where

Who• Administrative Role Groups define high-level job functions• End user Role Assignment Policies for self-service management scenarios

What• Task-, action-, or feature-based permissions• Management Roles consist of Exchange cmdlets and their parameters• Multiple roles can be assigned

Where• Limits the Scope of the Role Assignment• For example, “All users in the Legal Department”

Understanding RBAC and PermissionsUnderstanding the relationship of O365 permission management across workload-admin-

centers (e.g. Lync, SharePoint) versus native Exchange RBAC Groups

RBAC is used to hide complexity that tenant admins don’t need to worry about, including… • Active Directory Permissions• Cmdlet Extension Agents• Database Availability Groups• Databases• Disaster Recovery• Edge Subscriptions• Exchange Connectors• Exchange Servers• Etc.

RBAC remains as flexible as ever… Online Administrators have access to the full feature set of RBAC in the Cloud.

Understanding Permission ManagementTask Tool

Office 365 suite-wide roles e.g. “Global Administrator” Office 365 UI or MSOL PowerShell

Assign a “pre-canned” RBAC RoleGroup to Admin user e.g. Recipient Management

EAC > “Permissions” > “admin roles”

Assign a Role Assignment Policy to an end-user EAC > “Permissions” > “user roles”

Create a new RBAC Role Group from an existing one EAC

Create a new RBAC Role PowerShell

Edit an existing RBAC Role PowerShell

Create an RBAC Recipient Scope PowerShell

RBAC Groups, Roles and Scopes Demo

Warren Johnson

Introducing … GroupsPutting collaboration first while focusing on admin uniqueness

A Look Ahead: Managing GroupsIntroducing Groups manageability for Office 365!

A Look Ahead: Managing GroupsSuite-level – created for Admin awareness firstComprehensive all-up list of GroupsRemove GroupsPromote or demote AdminAdd or remove members

Workload-level e.g. EAC, SACCompliance e.g. retention, hold, e-discovery search, policies

SkyDriveCalendarOutlookAdmin People Yammer Sites

System alerts 1 Reminders 4 Chats 3 2

dashboard

users

groups

licensing

service settings

service health

reports

domains

support

purchase services

guest polices

group management security groups

NAME

Public

Public

Private

TYPE

Marketing team

Admin team

IT early adopt



dashboard

users

groups

licensing

service settings

service health

reports

domains

support

purchase services

guest polices


NAME

Public

Public

Private

TYPE

Marketing team

Admin team

IT early adopt

When you delete a group, the groups data is removed and is not recoverable. Learn More

Are you sure that you want to delete the selected groups?

noyes



dashboard

users

groups

licensing

service settings

service health

reports

domains

support

purchase services

guest polices


NAME

Public

Public

Private

TYPE

Marketing team

Admin team

IT early adopt



dashboard

users

groups

licensing

service settings

service health

reports

domains

support

purchase services

guest polices


Contoso Market Research

NAME

[email protected]

[email protected]

[email protected]

[email protected]

[email protected]

[email protected]

[email protected]

[email protected]

EMAIL ADDRESS

Bob Kelly

Filip Rehorik

George Schaller

Howard Gonzalez

Jay Henningsen

Laura Steele Polly

Matej Potokar

Neil Orint



dashboard

users

groups

licensing

service settings

service health

reports

domains

support

purchase services

guest polices


All members


NAME

[email protected]

[email protected]

[email protected]

[email protected]

[email protected]

[email protected]

[email protected]

[email protected]

EMAIL ADDRESS

Bob Kelly

Filip Rehorik

George Schaller

Howard Gonzalez

Jay Henningsen

Laura Steele Polly

Matej Potokar

Neil Orint

6 x



dashboard

users

groups

licensing

service settings

service health

reports

domains

support

purchase services

guest polices


All admins


NAME

[email protected]

[email protected]

[email protected]

EMAIL ADDRESS

Bob Kelly

Filip Rehorik

George Schaller

6 x



dashboard

users

groups

licensing

service settings

service health

reports

domains

support

purchase services

guest polices



NAME

[email protected]

[email protected]

[email protected]

[email protected]

[email protected]

[email protected]

[email protected]

[email protected]

EMAIL ADDRESS

Bob Kelly

Filip Rehorik

George Schaller

Howard Gonzalez

Jay Henningsen

Laura Steele Polly

Matej Potokar

Neil Orint



dashboard

users

groups

licensing

service settings

service health

reports

domains

support

purchase services

guest polices



NAME

[email protected]

[email protected]

[email protected]

[email protected]

[email protected]

[email protected]

[email protected]

[email protected]

EMAIL ADDRESS

Bob Kelly

Filip Rehorik

George Schaller

Howard Gonzalez

Jay Henningsen

Laura Steele Polly

Matej Potokar

Neil Orint

add members to group

group member

save cancel

Type of user:



dashboard

users

groups

licensing

service settings

service health

reports

domains

support

purchase services

guest polices



NAME

[email protected]

[email protected]

[email protected]

[email protected]

[email protected]

[email protected]

[email protected]

[email protected]

EMAIL ADDRESS

Bob Kelly

Filip Rehorik

George Schaller

Howard Gonzalez

Jay Henningsen

Laura Steele Polly

Matej Potokar

Neil Orint



dashboard

users

groups

licensing

service settings

service health

reports

domains

support

purchase services

guest polices



NAME

[email protected]

[email protected]

[email protected]

[email protected]

[email protected]

[email protected]

[email protected]

[email protected]

EMAIL ADDRESS

Bob Kelly

Filip Rehorik

George Schaller

Howard Gonzalez

Jay Henningsen

Laura Steele Polly

Matej Potokar

Neil Orint

Use this property page to set the admin property of a group member.

Bob Kelly

save cancel

This member is a group admin



dashboard

users

groups

licensing

service settings

service health

reports

domains

support

purchase services

guest polices



NAME

[email protected]

[email protected]

[email protected]

[email protected]

[email protected]

[email protected]

[email protected]

[email protected]

EMAIL ADDRESS

Bob Kelly

Filip Rehorik

George Schaller

Howard Gonzalez

Jay Henningsen

Laura Steele Polly

Matej Potokar

Neil Orint



dashboard

users

groups

licensing

service settings

service health

reports

domains

support

purchase services

guest polices



NAME

[email protected]

[email protected]

[email protected]

[email protected]

[email protected]

[email protected]

[email protected]

[email protected]

EMAIL ADDRESS

Bob Kelly

Filip Rehorik

George Schaller

Howard Gonzalez

Jay Henningsen

Laura Steele Polly

Matej Potokar

Neil Orint

This user will be removed from the group but may be added again later. Learn More

Are you sure that you want to delete the selected user?

noyes



dashboard

users

groups

licensing

service settings

service health

reports

domains

support

purchase services

guest polices



NAME

[email protected]

[email protected]

[email protected]

[email protected]

[email protected]

[email protected]

[email protected]

EMAIL ADDRESS

Filip Rehorik

George Schaller

Howard Gonzalez

Jay Henningsen

Laura Steele Polly

Matej Potokar

Neil Orint

Coming soon for Office 365 admins!Direct links to Shared MailboxesSetting secondary SMTP addresses Global Search

Office 365 Global Search Demo

Warren Johnson

Check out these related sessionsMNG.303 Make Role Based Access Control (RBAC) work for you

MNG.304 Reporting On O365 Mail-flow and Mailbox Data

ARC.302 Exchange Server 2013 Architecture: mailbox and client access

DMI.304 Exchange hybrid: architecture and deployment

USX.202 Introducing groups

Thank you!

© 2014 Microsoft Corporation. All rights reserved. Microsoft, Windows and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

“ … eac falls down in one important way. it totally lacks any of the valuable learning tools for...

Documents

e2003 e2007 e2010 slide

mec session slide

legal department slide

e2010 mailbox

admin user

o365 suite level management

suitewide roles

new rbac role group