Agenda
PowerShell log viewer is back!
• Bridging the gap between what’s possible in the UI and the power of PowerShell scripting
On-premises interoperability
• Using EAC in a mixed-version interoperability deployment
• Routing to E2013 CAS servers for the ECP protocol
Deployment varieties
• What’s unique about on-premises, hybrid and Office 365 manageability?
Managing RBAC groups, roles and scopes
• What can be managed through the GUI and what is left to PowerShell?
Introducing … Groups
• An introduction to the suite-level manageability experience
“ … EAC falls down in one important way. It totally lacks any of the valuable learning tools for PowerShell that are in EMC.”
“I think that Microsoft will disappoint both experienced and novice administrators when they discover that EAC offers zero insight into the code that it executes to do its work. It’s a sad omission.”
Tony Redmond’s Exchange Unwashed Blog
Aug 7, 2012
E2013 ECP Protocol Connectivity Flow: E2013/E2010/E2007
Multiple ECP admins with E2013/E2010/E2007 mailboxes … contoso.com/ecp
[Diagram. Labels: Layer 4 LB; E2013 CAS; IIS; HTTP Proxy; E2013 MBX; Protocol Head; Store; DB; E2010 CAS; E2010 MBX; E2007 CAS; E2007 MBX; RPC]
E2013 ECP Protocol Connectivity Flow: E2013/E2010
An ECP admin with an E2010 mailbox ... contoso.com/ecp?ExchClientVer=15 (now in the desktop link!)
[Diagram. Labels: Layer 4 LB; E2013 CAS; IIS; HTTP Proxy; E2013 MBX; Protocol Head; Store; DB; E2010 CAS; E2010 MBX; E2007 CAS; RPC]
E2013 ECP Protocol Connectivity Flow: E2007 Coexistence
ECP admin with E2007 mailbox ... contoso.com/ecp?ExchClientVer=15 (now in the desktop link!)
[Diagram. Labels: Layer 4 LB; E2013 CAS; IIS; HTTP Proxy; E2013 MBX; Protocol Head; Store; DB; E2010 CAS; E2010 MBX; E2007 CAS; RPC]
Rules for E2013 CAS15 Routing On-Premises
IF (RFR = "OWA") DO NORMAL PROXY VIA ANCHOR MBX LOCATION // Came from non-admin
ELSE (VERSION=Y) DO RANDOM PROXY TO MATCHING VERSION BE SERVER // Pick version
Deployment varieties
“Nature is an endless combination and repetition of a very few laws. She hums the old well-known air through innumerable variations.”
- Ralph Waldo Emerson
Summary of deployment variations
Deployment | Includes | Does /not/ include
Enterprise on-premises | Nearly everything related to Exchange! | O365 Suite level management. Suite reporting
Hybrid | Everything++ including a single all up recipients list from EAC | Single list of policy configuration cross-premises e.g. Retention Policies
Office 365 | Recipient and Configuration management | Server or physical resource management e.g. DAGs
O365 Suite-level | e.g. Mobile Devices *plus* the workload-admin-centers included in your offer (SKU) e.g. EAC, LAC, SAC and more e.g. Yammer | Suite level Reporting (see MEC Session)
Understanding RBAC and Permissions
User versus Admin authorization
• Admin management with Roles Based Access Control
• User management with Role Assignment Policies
Groups and Roles
• Containers of properties via RBAC RoleGroups
• Feature level granularity via Roles
EAC v. PowerShell
• RBAC RoleGroups Create, Edits and Deletes via EAC
• RBAC Role and Scope updates via PowerShell (EMS)
Understanding RBAC and Permissions
It’s still about Who can do What … and Where
Who
• Administrative Role Groups define high-level job functions
• End user Role Assignment Policies for self-service management scenarios
What
• Task-, action-, or feature-based permissions
• Management Roles consist of Exchange cmdlets and their parameters
• Multiple roles can be assigned
Where
• Limits the Scope of the Role Assignment
• For example, “All users in the Legal Department”
Understanding RBAC and Permissions
Understanding the relationship of O365 permission management across workload-admin-centers (e.g. Lync, SharePoint) versus native Exchange RBAC Groups
RBAC is used to hide complexity that tenant admins don’t need to worry about, including…
• Active Directory Permissions
• Cmdlet Extension Agents
• Database Availability Groups
• Databases
• Disaster Recovery
• Edge Subscriptions
• Exchange Connectors
• Exchange Servers
• Etc.
RBAC remains as flexible as ever… Online Administrators have access to the full feature set of RBAC in the Cloud.
Understanding Permission Management
Task | Tool
Office 365 suite-wide roles e.g. “Global Administrator” | Office 365 UI or MSOL PowerShell
Assign a “pre-canned” RBAC RoleGroup to Admin user e.g. Recipient Management | EAC > “Permissions” > “admin roles”
Assign a Role Assignment Policy to an end-user | EAC > “Permissions” > “user roles”
Create a new RBAC Role Group from an existing one | EAC
Create a new RBAC Role | PowerShell
Edit an existing RBAC Role | PowerShell
Create an RBAC Recipient Scope | PowerShell
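The three PowerShell-only tasks listed above (create a role, edit a role, create a recipient scope), tied together into a least-privilege Who/What/Where assignment. This is an added example, not code from the original presentation; it assumes an Exchange Management Shell session held by an account with role-management rights, and every role, scope, group and member name in it is hypothetical.

```powershell
# Added example: the role, scope, group and member names are hypothetical.
# Assumes an Exchange Management Shell (or remote Exchange PowerShell) session
# run by an account that is allowed to manage RBAC roles and assignments.

$roleName  = 'Legal Mail Recipients'     # hypothetical custom role
$scopeName = 'Legal Department Users'    # hypothetical recipient scope
$groupName = 'Legal Recipient Admins'    # hypothetical role group

# WHAT, task "Create a new RBAC Role": a custom role is created as a child of
# a built-in role. It starts with the parent's entries and can only be narrowed.
New-ManagementRole -Name $roleName -Parent 'Mail Recipients'

# WHAT, task "Edit an existing RBAC Role": keep the read-only Get-* cmdlets and
# Set-Mailbox, and remove every other entry inherited from the parent.
Get-ManagementRoleEntry "$roleName\*" |
    Where-Object { $_.Name -notlike 'Get-*' -and $_.Name -ne 'Set-Mailbox' } |
    ForEach-Object {
        Remove-ManagementRoleEntry -Identity "$roleName\$($_.Name)" -Confirm:$false
    }

# WHERE, task "Create an RBAC Recipient Scope": the slide's example,
# "All users in the Legal Department", expressed as a recipient filter.
New-ManagementScope -Name $scopeName `
    -RecipientRestrictionFilter "Department -eq 'Legal'"

# WHO: a role group that binds the narrowed role to the scope.
# (Role groups can also be created in EAC; it is done here to keep one script.)
New-RoleGroup -Name $groupName -Roles $roleName `
    -CustomRecipientWriteScope $scopeName -Members 'legaladmin01'

# Review what was granted: the assignment, its write scope, and the cmdlets
# (with parameters) that remain in the role.
Get-ManagementRoleAssignment -RoleAssignee $groupName |
    Format-List Name, Role, RecipientWriteScope, CustomRecipientWriteScope
Get-ManagementRoleEntry "$roleName\*" |
    Format-Table Name, Parameters -AutoSize
```

Reviewing the last two outputs after any role change shows whether an entry or scope has drifted wider than the job function requires.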
A Look Ahead: Managing Groups
Suite-level – created for Admin awareness first
• Comprehensive all-up list of Groups
• Remove Groups
• Promote or demote Admin
• Add or remove members
Workload-level e.g. EAC, SAC
• Compliance e.g. retention, hold, e-discovery search, policies
[Screenshots: suite-level “group management” pages. Top navigation: SkyDrive, Calendar, Outlook, Admin, People, Yammer, Sites. Side navigation: dashboard, users, groups, licensing, service settings, service health, reports, domains, support, purchase services, guest policies.]
[Group list with NAME and TYPE columns. Groups shown: Marketing team, Admin team, IT early adopt. Types shown: Public, Public, Private.]
[Delete group confirmation: “When you delete a group, the groups data is removed and is not recoverable. Learn More. Are you sure that you want to delete the selected groups?” (yes / no)]
[Member list for the group “Contoso Market Research” with NAME and EMAIL ADDRESS columns, and “All members” / “All admins” views.]
[“add members to group” dialog: group member, Type of user (save / cancel)]
[Member property page: “Use this property page to set the admin property of a group member.” Checkbox: “This member is a group admin” (save / cancel)]
[Remove member confirmation: “This user will be removed from the group but may be added again later. Learn More. Are you sure that you want to delete the selected user?” (yes / no)]
Coming soon for Office 365 admins!
• Direct links to Shared Mailboxes
• Setting secondary SMTP addresses
• Global Search
Check out these related sessions
MNG.303 Make Role Based Access Control (RBAC) work for you
MNG.304 Reporting On O365 Mail-flow and Mailbox Data
ARC.302 Exchange Server 2013 Architecture: mailbox and client access
DMI.304 Exchange hybrid: architecture and deployment
USX.202 Introducing groups
© 2014 Microsoft Corporation. All rights reserved.