Tuesday, March 14, 2017

Making Sense of Office 365 Plans

If you're just starting to look at Office 365 as a solution for your organization, the various plans can be overwhelming and confusing. I'm going to try and boil down all of the Office 365 plan information to just the essentials that allow you to make an informed decision.

This is all based on research done March 2017 and the prices I include are Canadian dollars. You should verify that these features and prices are still correct for your scenario before making any decisions. I've included some links at the bottom of this article to Microsoft documentation for you to verify. Microsoft should be keeping that content up to date.

I'm going to focus on Office 365 plans for small business and enterprise. However, whether you are small business, non-profit, enterprise, or education, there are basically three generic Office 365 plans available:
  • Office 365 desktop apps (Word, Excel, Outlook, etc)
  • Cloud services (Exchange, Skype for Business, etc)
  • Office 365 desktop apps and cloud services
Most of the organizations I work with are looking for the cloud services. The initial driver most of them have is replacing an older installation of Exchange Server. At the same time, they can evaluate whether including Office 365 desktop apps is appropriate. I do not have any customers subscribing to only the Office 365 desktop apps.

The Office 365 plans for small business (300 user max) are:
  • Office 365 Business (desktop apps)
  • Office 365 Business Essentials (cloud services)
  • Office 365 Business Premium (Business + Business Essentials)
The Office 365 plans for enterprise (unlimited users) are:
  • Office 365 ProPlus (desktop apps)
  • Office 365 Enterprise E1 (cloud services)
  • Office 365 Enterprise E3 (ProPlus + E1 + a few cloud features)
  • Office 365 Enterprise E5 (E3 + cloud telephony)
It is possible to continue using your existing OEM, retail, or volume licensed edition of Microsoft Office with Office 365 cloud services. So, if you recently purchased 100 volume licenses of Office 2016, that is not a lost investment. You can use those licenses until you are ready to upgrade to a newer edition of Office and then evaluate whether you prefer to purchase new volume licenses for Microsoft Office or change your Office 365 licensing to include the desktop apps.

Office 365 Desktop Apps

The Office 365 desktop apps are similar to the Microsoft Office Suite that you can buy retail, OEM, or through volume licensing. The biggest difference you'll notice is that these apps are streamed to desktops from Office 365 rather than a traditional installation (however it looks the same from a user perspective). This means that they are automatically updated outside of the Windows Update process. This should make the apps more secure because they will be updated faster than most organizations typically deploy updates. However, you do lose control over the update process and this may be a concern in organizations with specialized plugins.

The licensing for the Office 365 desktop apps is per named user rather than per computer. Each user can have up to five instances of the Office 365 desktop apps on devices. This allows a single user to put the Office 365 desktop apps on a work computer, a work laptop and a home computer. However, this does not mean that an organization with 20 users and 20 computers should purchase just 4 user licenses and install the Office 365 desktop apps 5 times per license. You need to license the Office 365 desktop apps for each user.

Licensing for Office 365 desktop apps is verified by signing in to Office 365. On each computer with the Office 365 desktop apps, you need to sign in to Office 365 at least every thirty days to verify that the license is still valid. This is a concern only in scenarios where a mobile computer would not have Internet access for more than 30 days.

Office 365 Business and Office 365 ProPlus contain the same apps:
  • Outlook
  • Word
  • Excel
  • PowerPoint
  • OneNote
  • Access
However, there are minor differences in app functionality. The following features are available only in Office 365 ProPlus and are not available in Office 365 Business:
  • Outlook:
    • Information Rights Management (IRM)
    • Data Loss Prevention (DLP)
  • Access:
    • Database Compare
  • Excel:
    • Spreadsheet Compare
    • Spreadsheet Inquire
    • Power Map
    • Power Pivot
    • Power Query
    • Power View
  • Support for Group Policy-based configuration
  • Support for Office add-ins, ActiveX, and browser helper objects (BHO)
  • Roaming settings
For a complete comparison of features, see Office Applications Service Description.

Note that some older documentation may reference that:
  • "Access is not included in Office 365 Business." Update: Access is included with Office 365 Business starting in November 2016.
  • "Outlook in Office 365 Business cannot access Exchange in-place archives." Update: The current version of Outlook in Office 365 Business can access in-place archives (also referred to as archive mailboxes). See Outlook license requirements for Exchange features.

Office 365 Plans with Cloud Services

Most cloud services in the small business and enterprise plans are the same. All of the small business and enterprise plans include the following:
  • Mailbox and calendar
  • Office Online apps - web-based versions of Word, Excel, and PowerPoint
  • OneDrive - personal file storage
  • SharePoint Online - shared file storage
  • Skype for Business - teleconferencing and instant messaging
  • Active Directory integration - synchronizes Active Directory users into Office 365
  • Yammer - Group discussions
The Office Online apps are very useful for performing quick edits to documents stored in OneDrive or viewing email attachments. In most cases, users prefer to continue using standard Microsoft Office desktop apps. However, in a very cost-conscious organization with limited needs, the online Office apps may be sufficient.

The graphic below summarizes some of the similarities and differences between the small business and enterprise plans:

Some differences to highlight are:
  • The small business plans are limited to 300 users. However, you can have a mix of small business and enterprise licenses in a single Office 365 tenant.
  • The small business and E1 plans have 50 GB mailboxes with 50 GB archives. The E3 plan has a 100 GB mailbox with unlimited archives. For small business and E1 plans, you can purchase an Archiving add-on for unlimited archiving.
  • Only the E3 plan supports litigation hold and data loss prevention for email.
  • The small business and E1 plans have 1 TB of OneDrive storage per user. The E3 plan has 5 TB of OneDrive storage per user.
  • SharePoint Online has 1 TB of storage per Office 365 tenant and then 500 MB additional storage per licensed user. Storage consumed by Office 365 Teams comes out of this pool.
  • All plans include Skype for Business, but only enterprise plans can add unified communications.
  • Only enterprise plans have meeting broadcast, which allows presentations to thousands of users.
  • Only the E3 plan supports Azure Rights Management to encrypt and secure files.

Why Wouldn't I use Office 365?

The main reason you might not be able to use Office 365 is compliance and recovery purposes. For example, you can recover deleted items in Exchange Online for up to 30 days (only 14 days by default). There is no option to recover deleted data older than that.

It's possible for you to work around this issue, but it's not inexpensive. You will need to implement some sort of third-party backup or archiving solution. However, you'll need that type of system if you have Exchange on-premises anyway. It just becomes more complicated to back up data in the cloud. That said, third-party vendors have recognized this need and more backup and compliance products for Office 365 are being made available.


Most smaller organizations do not need the extra features included in the enterprise plans. The differences between Business Essentials and E1 are mostly whether you can add on other features. The core level of functionality is mostly the same. If you have fewer than 300 users, the Business Essentials and Business Premium plans are what you should evaluate first due to the cost savings.

For a very small organization, of 5 or 10 users, it's a pretty easy decision to use Office 365 based only on avoiding the cost of the local Exchange Server and hardware. But, you also avoid other costs like backup software, anti-spam software, and anti-virus software for a local Exchange server.

For slightly larger organizations, you might do a cost comparison and see that the cost of on-premises Exchange is about the same as Office 365 licensing. However, Office 365 is giving you high availability across multiple data centers that you probably can't implement yourself. Then throw in the ability to have large mailboxes (up to 50 GB), that most on-premises instances of Exchange don't allow, and Office 365 is a winner on features.

For even larger organizations, you might find that Office 365 licensing is more expensive than purchasing and managing on-premises Exchange. However, Office 365 is more than just email. There are additional features like Skype for Business, OneDrive, and SharePoint Online. So, while you may start evaluating Office 365 as a replacement for on-premises email, remember about the extra value the additional services provide and identify whether those services are useful for your organization. Maybe having video conferencing with Skype for Business is a big value add in your organization.

If you have more than 300 users, you can mix business and enterprise plans in the same Office 365 tenant. However, you probably want to be consistent and stick with the enterprise plans to avoid user and helpdesk confusion. Imagine that you implement a Group Policy object for managing Office 365 ProPlus but half of your users are using Office 365 Business so that the GPO doesn't apply. It would be a mess.

If your organization is academic or non-profit, check out the Office 365 licensing available specifically to your type of organization. There are academic and non-profit licenses equivalent to business and enterprise plans. At time of writing the plans with only cloud services were free. The plans that include Microsoft Office apps are heavily discounted compared to business and enterprise plans. It almost becomes foolish to keep running your own internal Exchange server.

Useful Links

The following are some of the links I found useful:

Thursday, March 9, 2017

Exchange 2010 SP3 Hub Transport Upgrade Error

Ran into a new issue yesterday related to installing Exchange 2010 SP3. I was called in to help when the initial upgrade attempt failed. The error during SP3 installation was:
An unexpected error occured while modifying the forms authentication settings for path /LM/W3SVC/1. The error returned was 5506.
A screenshot of the error is below:

Doing a search didn't come up with much, but it did give this:
That link seemed to indicate that it could be related to the SSL binding on the default web site in IIS. Taking a look at the SSL binding, it seemed to be missing the certificate assignment. However, when I tried to add the certificate I got a strange error about the session being closed.

Ok then, since you won't let me add the SSL certificate to the binding by using IIS Manager, let's try with Exchange Admin Console. When I assigned the IIS service to the certificate in EAC, it all looked fine. I also took this moment to review the certificate and verify that the SAN names were correct. I also noted that it did indicate that there was a private key for the certificate.

After this, the binding worked because we could access the https://servername/owa URL, but it returned a 503 error. However, rather than attempting to fix that error, we tried the SP3 install again. Since a service pack upgrade rewrites a lot of the content in the IIS virtual directories, we thought we might get lucky and it would fix any configuration errors that we had.

During the next install, the installation of the Hub Transport role completed successfully, but now we got an error on the Client Access role installation. As we were actively troubleshooting I didn't write it down at the time, but it was something like:
Could not grant Network Service access to the certificate with thumbprint BIGLONGHEXTHUMBPRINT because...
Based on this I decided to review the certificate in the Certificates MMC snap-in. Again, all the details looked right. Maybe I can add the necessary permissions myself for Network Service. To access the permissions for a certificate, you right-click it, point to All Tasks, and click Manage Private Keys. This normally brings up a security dialog box. However for me it brought up the following error:
Object not found.
I interpreted this error to mean that either the private keys were not really present for the certificate, or the Domain Admin account that we were using to access the certificate and run the install didn't have permission to access the private keys. In either case, since our Domain Admin account couldn't set permissions in the certificate, we were dead in the water.

Fortunately certificates are much less expensive than they used to be and we quickly obtained a new certificate with all of the necessary names from NameCheap. They might not have the best management tools for certificates, but the price is right. So, if this didn't work it didn't waste a lot of money.

After installing the new certificate and assigning the correct services to it, we ran the Exchange 2010 SP3 upgrade again. And after some nervous waiting, the upgrade completed properly. And the upgrade fixed all of the errors for the web services. Email for phones began to work immediately, as did OWA.
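
A check that could be run before retrying the service pack, as an added example that is not part of the original post: it lists each certificate in the local machine store and reports whether its private key can be opened and whether Network Service has read access to the key file, the two conditions the errors above point to. It assumes CSP-based RSA keys stored under the default MachineKeys folder; the function and variable names are made up for this illustration.

```powershell
# Added example, not from the original post. Run from an elevated Windows
# PowerShell session on the server. Assumes CSP-based (non-CNG) RSA keys.

$machineKeys       = Join-Path $env:ProgramData 'Microsoft\Crypto\RSA\MachineKeys'
$networkServiceSid = 'S-1-5-20'   # well-known SID of NT AUTHORITY\NETWORK SERVICE
$readRight         = [int][System.Security.AccessControl.FileSystemRights]::Read

function Test-CertPrivateKey {
    param(
        [Parameter(Mandatory = $true)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert
    )

    $report = @{
        Thumbprint            = $Cert.Thumbprint
        NotAfter              = $Cert.NotAfter
        HasPrivateKey         = $Cert.HasPrivateKey
        KeyFileFound          = $false
        NetworkServiceCanRead = $false
        Problem               = ''
    }

    if (-not $Cert.HasPrivateKey) {
        $report.Problem = 'Store entry has no private key'
    }
    else {
        try {
            # Opening the key throws if the container is missing or unreadable.
            $container = $Cert.PrivateKey.CspKeyContainerInfo.UniqueKeyContainerName
            if (-not $container) { throw 'No key container name returned' }

            $keyFile = Join-Path $machineKeys $container
            if (Test-Path -Path $keyFile) {
                $report.KeyFileFound = $true
                $acl   = Get-Acl -Path $keyFile -ErrorAction Stop
                # Resolve ACL entries to SIDs so the check works on localized systems.
                $rules = $acl.GetAccessRules($true, $true,
                             [System.Security.Principal.SecurityIdentifier])
                foreach ($rule in $rules) {
                    if ($rule.IdentityReference.Value -eq $networkServiceSid -and
                        $rule.AccessControlType -eq 'Allow' -and
                        (([int]$rule.FileSystemRights) -band $readRight) -eq $readRight) {
                        $report.NetworkServiceCanRead = $true
                    }
                }
            }
            else {
                $report.Problem = "Key file missing: $keyFile"
            }
        }
        catch {
            $report.Problem = "Private key not accessible: $($_.Exception.Message)"
        }
    }

    New-Object PSObject -Property $report
}

Get-ChildItem Cert:\LocalMachine\My |
    ForEach-Object { Test-CertPrivateKey -Cert $_ } |
    Select-Object Thumbprint, NotAfter, HasPrivateKey, KeyFileFound, NetworkServiceCanRead, Problem |
    Format-Table -AutoSize -Wrap
```

Compare the thumbprints in this output with the certificate that has the IIS service assigned, as shown by `Get-ExchangeCertificate` in the Exchange Management Shell.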

So, You Wanna Be a Computer Geek?

I recently did a presentation for an Introduction to Management Information Systems class at the University of Manitoba Asper School of Business. Students in this class are just starting to look at how IT and business are interrelated. One of the students asked me for advice on getting into the IT industry and this content grew out of that.

I suppose the more polite way to phrase it would be:
  • So, you'd like to work in the IT industry?

Areas of IT

One of the things that surprises many people looking at IT is the wide range of job roles. When you haven't been working in the industry, you tend to think that there is just the one role of computer geek. And your impression is likely that the computer geek does all computer related stuff including physically repairing computers.

In actuality, there are multiple job roles in IT. And, the more you learn about IT, the more you realize that you understand only your little corner of the world. The more you learn, the more you realize how little you actually know. Don't be disheartened as you go through that process. Nobody knows all of it.

Some of the job roles are:
  • Help Desk - Takes support calls from users when computers or applications are not working correctly.
  • Desktop Support - Manages desktop computers which includes software deployment, repairing software problems, and repairing hardware problems.
  • Server/System Administration - Responsible for implementing and maintaining servers. This includes the server hardware and operating systems, Active Directory, and potentially some additional software that runs on servers such as SQL server.
  • Application Support - Responsible for configuring and maintaining specific business applications. For advanced troubleshooting, they act as an interface for interacting with the application vendor for support.
  • Database Administrator - A specialist that is responsible for managing and maintaining databases that are used by applications. This role troubleshoots database performance issues and implements the requirements specified for individual applications.
  • Network Administrator - Responsible for configuring switches, routers, firewalls, and other network specific devices.
  • Programmer - Builds and maintains customized software used internally. Programmers can also perform customizations for off-the-shelf software. Web development is also in this category.
  • System/Business Analyst - Responsible for helping bridge the gap between business units and the technical side by translating business requirements into technical requirements that can be implemented.
  • System Architect/Designer - This role is responsible for understanding how systems work at a high level and ensuring that any new applications/solutions work within the framework already developed for existing systems.
It's important to realize that not every organization has all of these roles. Smaller organizations tend to combine these roles together. For example, a small business may have 1 or 2 IT staff that effectively fill all of these roles.

If you want to get into IT, you need to understand which role you're hoping to fill. The education requirements and career progression for each role are different.

Educational Requirements

When I started in this industry in the 1990s, many of us were self-taught and didn't have any formal computer training. That is not typical today. In most cases, you need to have formal related training in order to be considered for a position.

Help desk and desktop support are often thought of as entry level positions. The education requirement for these roles is usually a one or two year program that includes content on configuring desktop computers and some information about managing servers.

In larger organizations, desktop support can be an area of specialization rather than just a starting point. There is opportunity to move up within desktop support and have a wide scope of responsibility. For example, a large organization can have specialists that develop processes for deploying operating systems, applications, and configuring computers centrally.

Server/System administrators typically require at minimum the same one or two year program that is required for help desk and desktop support. However, this role is not entry level and you do require experience to obtain it. That on-the-job experience allows you to understand how all of the pieces really fit together and learn more technical details. In this role, you often have additional specialized technical training focused on specific products. Some organizations prefer a computer science degree for this role.

Application support can require a wide variety of technical skills. Depending on the organization, it may require a computer science degree or business degree. There will also be some element of training in the specific applications being supported. Some common applications such as Exchange Server for email may be taught as part of a formal education process. Other less common applications may be learned on the job or in training provided by the vendor.

Database administrator is a specialized role that requires specific education in database management. This can be a one or two year program or a computer science degree. There may also be training in how to use specific types of databases such as Microsoft SQL Server, Oracle, or MySQL.

Network administrators require specific training in how to configure network equipment. The most common way to show your knowledge in networking is to obtain industry certification from Cisco. Even if you don't use Cisco equipment in the job, having that certification shows you understand the general concepts that are required. Then you figure out the specific commands to implement what you need on equipment from a different vendor. Training for Cisco certification is provided in many one or two year technical courses.

You can get the training to be a programmer from technical colleges (2 year programs) or as part of a computer science degree. Generally speaking, a computer science degree will provide more theoretical knowledge that will help you advance more into design. A shorter program from a technical college will teach you programming, but less of the design aspects.

System/Business analyst is usually someone with broad business education and some technical knowledge. Often people in this role have a business degree with additional education or experience on the technical side.

A system architect/designer needs to have a broad range of technical experience, and years of it. In terms of formal education, it may be a business degree, computer science degree, or even an MBA. However, the real key here is that this is not an entry level position, it's something you work up to.

Industry Certifications

When you need to prove your knowledge of specific technologies, you'll most often end up obtaining industry certifications. Industry certifications are exam-based certifications designed by the product vendors. I previously mentioned Cisco certification for networking, but many vendors offer certification for their products.

You do not need formal training in order to obtain most certifications. You can study on your own and then write the exam. Or, you can take short courses (often a week or less, but crazy expensive) that focus on the specific content related to that certification before writing the exam. Exams are available at testing centers throughout the world. Some certifications consist of multiple exams.

Here is information about some vendor certifications:
Some of the entry level certifications are included as part of formal training in technical schools. For example, you may get Cisco Certified Network Administrator (CCNA) or Microsoft Certified Professional (MCP) training. Another commonly included entry level certification is A+ certification for basic hardware and software configuration.

How Do I Decide?

If you're not already in the IT industry, it's pretty hard to figure out what you might want to do. I'm a firm believer in trying stuff out (or at least learning about it) to get a better understanding. It would be unfortunate to take a two-year programming course and then realize that you don't like programming at all.

The Internet is full of many resources on the technical details of help desk, desktop support, server administration, programming, and database administration. However, you may find it easier to start learning about working in these roles by using content with some structure. Fortunately there is lots of that available for free on the Internet too.

The following resources are Microsoft-based because that's what I work with the most. There are many other worthwhile resources, but these are the ones I'm familiar with.

  • Microsoft Virtual Academy – Free online video training. This is no cost and Microsoft does it to spread knowledge about how to use their products. The IT Pros content is what I deal with, but you can also check out the developer (programmer) and data pro (database) content.
  • Channel 9 – Free online videos (typically 1 hour or less) about Microsoft products and features. Presentations from Microsoft conferences such as Microsoft Ignite are also hosted here (in the events section). Many people attend these conferences (at a cost of several thousand dollars), but I find it hard to justify when I can view the same information the day after for free.
  • TechNet Virtual Labs – Hands-on virtual labs that give you experience actually working with Microsoft products. Want to try out using Windows Server and creating SQL databases? This gives you access to virtual machines running that software completely free of charge. No need to set up your own test lab when they provide it for you. The labs include specific activities for you to try or do your own thing.
  • Free eBooks from Microsoft Press - Most of these books tend to be introductory, almost marketing level content. They do a good job of describing features without some of the technical details. This makes them good for getting an overview of the products as someone looking at the industry for the first time.

Add Your Own Comments

If you have any additional suggestions for this content, please leave a comment below. This was written up in a couple of hours and I'm sure there are important and useful items that I've missed.