The new Office Garage Series: Identity, Activation and Data Access with a User-Based Office

In this blog post, our intrepid hosts Jeremy Chapman and Yoni Kirsh answer your questions about a user-based Office service, how identity and services are provisioned, where data and passwords are stored and what the user experiences look like. They also catch up with cybersecurity expert and author, Mark Russinovich, to discuss the cloud security model.

Add a reminder to your calendar to tune in each Wednesday 9am PST. Also mark April 3rd, 9am PST on your calendars when we come to you with the Garage Series Live! We'll have Paul Thurrott, early adopters and Office engineers to discuss lessons learned, deployment secrets and much more.  

Jeremy: Last week we focused on the introductory themes of configuration management as a primer to pre-installation, install time, policy and post-installation configuration management. This week we look at the most fundamental shift in the new Office, enabling it as a user-based service. Users can benefit from this new model as we discussed in episode 1, but for IT it means that the pivot point for all of this - the user ID - is now added into the Office online services identity store.

Yoni: If we think about this, the core thing we are enabling as an IT admin is the activation service. In the past (Office 2007 and earlier) we used a bypass key in a settings file and in the volume licensing editions of Office 2010 we leveraged the Windows activation model with the Key Management Service (KMS) or Multiple Activation Key (MAK) and we can still do that with Office Professional Plus or Standard 2013. Now with Office 365 ProPlus, the model is user based and each user can install Office on up to 5 PCs or Macs.

Jeremy: That means that Microsoft in some way needs to know who that user is to enable them to install and manage those five copies - whether on domain-joined or privately-owned and unmanaged machines - there has to be some mechanism in place to show what where the user has installed Office and be able to deactivate copies as he replaces his computers in the future. This along with roaming settings really define the new Office user-based model.

Yoni: I often get asked whether we can still do the user-based licensing and give everyone five copies of Office, but do everything with MAK or bypass keys. Why didn't you do this, Jeremy?

Jeremy: Well, it is an interesting idea, but when you think about it, just about every option would have implementation or usability challenges. Sending unique 5x5 keys to everyone is a challenge and once a user would reach their limit of 5 installs, then the telephone activation model doesn't scale too well. Also there would be nothing tying Office to that user. Imagine trying to use email, Facebook or Twitter without a user account - there would be no personalization. Once you add monetary value each installation of the software, connecting to the paying user is even more important. 

As we saw in our first episode we can move between devices and links to my files move with me, so I can be productive on any device without having to email myself files or log into web-based services manually each time, all of that is hooked directly into the Office apps to make it easier for people to access their content.

Yoni: That makes sense, but there are a few new steps we need to get all of this working and there are a few options. We can manually provision users and assign them services - all of this including password assignment can be automated using PowerShell - or we can use Directory Sync to automatically populate user principle names in the Windows Azure Active Directory service. In both of these options, the user passwords are mastered in Azure AD.

Jeremy: If you want to keep password management in sync with your on premises directory service and not move passwords up to Azure Active Directory, you can use Active Directory Federation Services (ADFS) to master user passwords and keep authentication on premises. ADFS will pass login attempts to your on premises Security Token Service (STS) and your STS issues claims tokens to the user to access the service. That way the user can use the same password he would use for his Active Directory on premises login, so he doesn't have a second password to remember. Of course you can use PowerShell or other tools to synchronize passwords, between the on premises environment and Azure AD, but not everyone is comfortable doing that.

Yoni: Running all of this in Azure AD is certainly easier and we'll go into more detail in a future episode, but setting up ADFS and achieving single sign on is easier than many people would think and there are benefits beyond Office 365 when thinking about directory federation.

Jeremy: So we showed the installation experience for a domain-joined computer where single sign on is enabled and one that is not domain-joined, but installs via the Office 365 portal. In the direct from portal case when you kick off the installation, you will see a file that looks something like this:


The string above bascially shows architecture (x86), language (en-us), product ID (O365ProPlusRetail) and unique identifier (_24...). In cases where we manage the installation, we use the configuration XML with the Office Deployment Tool and push the installation with some form of automation - like scripts, System Center Configuration Manager, Microsoft Deployment Toolkit, Windows Intune or a plethora of third party equivalents. In a future episode we'll talk about all of the configurations needed to suppress completely sign-in, first run experiences and user prompts. IT admins have had to deal with these in past releases of Office, but now there are ways to automatically sign users in to Office 365 installs picking up their domain credentials. I also showed the effects of deleting the user account from the Azure AD store and how it put Yoni's Office into Reduced Functionality Mode (RFM) - even if Yoni installs Office on his personal devices using his organization's Office software assets, once Yoni leaves the org the IT department can deprovision his personal installs. That keeps software asset management cleaner and IT is in control.

Yoni: Don't forget we also had Mark Russinovich on the show and he explained the security model for online services with Azure AD - in your car. It sounds like they are taking the defense in depth approach to harden the service. And you made him slum it in your car, Jeremy.

Jeremy:  Yes, I caught up with Mark the week before he went to the RSA conference to promote his new book, Trojan Horse. Mark is a technical fellow for the Windows Azure team and of course is one of the industry's foremost cybersecurity experts. He had just returned from Costa Rica and was concerned about my abilities to interview and drive at the same time - you can see that in one of the outtakes. I wish I would have filmed this, but he was even troubleshooting my crash dump logs in my car PC. I hope that you like the interview and don't forgot to check out his book Trojan Horse for yourself, the sequel to Zero Day. Both are great books with themes taken right out of today's headlines. 

Yoni: I wish I could have been there for the interview, mate. Don’t forget to join us next week where we take a closer look at compatibility and gear up for the great race of Office installs from the traditional MSI, System Center Configuration Manager, Microsoft Deployment Toolkit, Windows InTune and Click-to-Run as we look at whether or not deployment just got faster

See you then.


More Resources:

Garage Series for IT Pros Archive for previous episodes

Office 365 ProPlus Trial

Office TechCenter on TechNet

Office 365 TechCenter on TechNet

Follow @OfficeGarage on Twitter



About the Garage Series hosts:

By day, Jeremy Chapman works at Microsoft, responsible for optimizing the future of Office client and service delivery as the senior deployment lead. Jeremy’s background in application compatibility, building deployment automation tools and infrastructure reference architectures has been fundamental to the prioritization of new Office enterprise features such as the latest Click-to-Run install. By night, he is a car modding fanatic and serial linguist. He first met Yoni Kirsh, founder of the Australian-based deployment services company Fastrack Technology, back in 2007 at a Microsoft customer desktop advisory council. Yoni's real-world experience managing some of the largest Client deployments for the Asia Pacific region has helped steer the direction of the new Office. Additionally, Yoni is an aviation enthusiast and pilot. Both Jeremy and Yoni are respected technical speakers and between them have over 20 years of experience in the deployment and management of Microsoft Office and Windows clients. They are also leading experts in the transition to Office as a service.