Microsoft is cranking with Office 365. It is the most commonly used application within Okta and the second most commonly deployed in our network of 4,000+. Whether they are small businesses, large enterprises, or somewhere in between, organizations are choosing Office 365 for email, collaboration, calendaring and more.
Once that decision is made, the challenge then becomes how they get the most value as quickly as possible from their investment. And let’s just say, if you’re not ready, the process of onboarding all users to Office 365 and ensuring the best experience across desktop, web and mobile can become a much bigger challenge than it is for nearly any other application.
SSO As The Starting Point
Getting your users to make the most out of Office 365 means making it easy for them to access all of its constituent services and clients. The sheer volume of Office 365 clients can be overwhelming vs. other applications. On a PC, you have the desktop versions of Word, Excel, PowerPoint, Outlook, Lync and OneDrive for Business. Mac has all of those except for OneDrive. You also have the web versions of Word, Excel, PowerPoint, Outlook and OneDrive. And finally, you’ve got Microsoft’s web and native app clients for mobile, spanning iOS, Android and Windows Phone – and the native email, calendar and contacts apps on those platforms.
A full Office 365 deployment on the server side also moves Exchange, SharePoint and Lync to Microsoft’s SaaS versions (Exchange Online, SharePoint Online and Lync Online). The web app clients mentioned above are built into these cloud services.
The fun part comes in ensuring users can easily get in and out of all Office 365 services with minimal hurdles from any device, on any client, any location, any time. If employees need to constantly re-enter passwords, they will quickly give up and go back to doing things the old way – or turn to tools not managed by the IT department. Syncing passwords to the cloud may seem like a lightweight option compared to federation. In reality, you’ll pay the cost in the long run with more helpdesk tickets and user dissatisfaction when things get out of sync or if there isn’t a good, high-availability architecture in place. Plus, users still have to re-enter their passwords in the cloud, which is hardly ideal.
True SSO that authenticates a user seamlessly to a single source of truth for the user’s password (likely in AD) creates a superior user experience. The massive side benefit is that it’s also more secure. You have one place to secure credentials, and you have one place to disable users, instantly shutting off their access. Desktop SSO is also critical for increasing usage of web apps, so users don’t have to re-enter credentials if they close their browser and open it back up again.
Provisioning & Directory Sync with Office 365
Next, you need to securely and efficiently provision user accounts. For example, when a new employee joins, you need to be able to add them in Active Directory with the same process you’ve been using – and instantly have their account provisioned in Office 365 – so they’re able to get up and working immediately. (It’s going to be a long day if they can’t access email.)
Once again, things get more complex with Office 365 in particular. A user’s Office 365 profile likely has more attributes than any other app, except for perhaps the HR system. It starts with simple things like syncing office address and phone numbers with AD or HR to maintain a Global Address List (GAL) with rich attributes. It gets even more complex if you are running Office 365 in Hybrid Exchange mode. Then, you’ll need to keep calendar resources and free/busy times in sync, too. In addition, because there are so many license types and services within Office 365, you also need to assign the right license to users for the right service. Some companies do all of this manually, while others write some PowerShell scripts, but it’s easy to see why an automated approach is more efficient.
The same can be said of offboarding. When an employee leaves, you also need to be able to use your existing process for disabling their account in AD, with that user being immediately shut out of Office 365. Sure, this too can be done manually, but to gain the most efficiency from Office 365, it’s essential to automate this and integrate it as completely as possible with your on-premises directory. You want, and need, these processes to operate as closely to “real time” as possible.
And if you’re an entirely cloud-based organization without an on-premises directory, you may have multiple sources of truth for employee identities today. The process of rolling out Office 365 is an opportunity to evaluate which platform to use as your sole identity platform and create a single source of truth. While you’re choosing Office 365 today, you also want to keep your options open and take advantage of the cloud’s flexibility to change out underperforming services and create a best-of-breed environment that works well for your unique requirements. With a single source of truth, users can easily access all Office 365 services, as well as any others, through one cloud-based entry point wherever, whenever they need to get work done.
Getting the Most Out of Mobile
It’s not enough to just make the desktop experience of Office 365 amazing. All employees now demand email and calendar on their phones, and Microsoft has made big investments in the Office mobile apps. Making the experience simple yet secure is now the challenge.
Self-service enrollment for employees choosing BYOD gets the experience off to a good start. In many companies, it’s a tedious process for users to sync their phones to Exchange Online, and may even involve direct help from the helpdesk or an IT admin. The typical result is IT focusing efforts so executives get it all working while general staff waste a bunch of time figuring it out instead of just being productive from day one. With self-service, users can get their phone automatically and reliably configured.
Once you provide users a self-service capability, you’ll want that capability to automate a number of things, such as installing native Office 365 apps and configuring the device’s native email, calendar and contacts apps. For stronger security, when an employee leaves, you want the whole process to work in reverse. Remove them from AD and have their Office 365 account and other company-managed apps automatically removed from the device without touching their personal data.
Sure, many organizations have depended on ActiveSync for basic capabilities in managing mobile access to date. But as Office 365 climbs in popularity and mobile becomes a key complementary experience, companies are starting to consider more comprehensive solutions to nail that user experience and maintain a secure environment.
It’s no secret that Office 365 deployment rates are growing rapidly. The secret lies in how companies go about getting the most value as quickly as possible from their investments – and that hinges greatly on ensuring the best user experience across desktop, web and mobile while keeping access secured. Choosing the right partner to overcome common deployment hurdles for identity and mobility management can accelerate rollout periods, delight employees and deliver even more value from Office 365.
For more information on how our customers use Okta to deploy Office 365, please visit: https://www.okta.com/product/office365/.