News from Microsoft Ignite 2016

CoreAzure at Microsoft Ignite


This week a few of us at CoreAzure have been stateside in Atlanta, Georgia for the Microsoft Ignite conference.

Microsoft Ignite brings together thousands of IT Decision Makers, IT Professionals, and Enterprise Developers from all over the world to attend sessions run by Microsoft technical and business leaders in order to get a greater in-depth understanding of the Microsoft technology stack. The great and the good from Microsoft are here starting with a Keynote from Satya Nadella, Scott Guthrie, and Brad Anderson to deep-dive hands on technical sessions from the likes of Mark Russinovich and Gurdeep Singh Pall.

The week has been packed full of product and service announcements (so much so it’s been difficult to keep up), so I thought it may be helpful to list just a few of our favourites: –

Windows Server 2016

On Monday (26th September) during the Keynote speech Microsoft announced the General Availability of Windows Server 2016. Windows Server 2016 is the next generation of their cloud-ready enterprise server operating system featuring innovations such as Windows Server and Hyper-V Containers, Nano Server, and Software Defined Networking (SDN).

Windows Server 2016 features: –

 Extended security: Windows Server 2016 introduces new layers of security to harden the platform to address emerging threats, control privileged access, and protect virtual machines (shielded VM’s in Hyper-V)

 Resilient compute: Simplified virtualisation upgrades, new installation options, and increased resilience helping ensure the stability of the infrastructure without limiting agility

 Reduced cost storage: Expanded capabilities in software defined storage with an emphasis on resilience, reduced costs, and increased control

 Simplified networking: New networking stack brings the core networking capabilities and SDN architecture directly from Azure

 Application efficiency and agility: Windows Server 2016 delivers new ways to package, configure, deploy, run, test, and secure your applications running on-premises or in the cloud using new capabilities such as Windows containers and the new Nano Server lightweight OS deployment option

To learn more about Windows Server 2016 head over to the official Microsoft Windows Server 2016 product site here.

Storage Spaces Direct

Microsoft Storage Spaces Direct is a feature of Windows Server 2016 that pools storage to build a highly available and scalable software defined storage system for Hyper-V VMs.

Storage Spaces Direct makes two copies of data to other nodes in the cluster. Each node runs as a fault domain and data is spread across the fault domains to prevent data loss if a disk fails. If a disk fails, data will be replicated to another disk in the cluster so three copies of data are present at all times.

By adding more nodes to the cluster Storage Spaces Direct will automatically pool the storage into the cluster (up to 240 disks and 12 nodes can be added to a cluster).

Storage Spaces Direct uses Server Message Block (SMB) 3.0 for communication between storage nodes.

Storage Spaces Direct can be deployed two ways. In the hyper-converged deployment, the Hyper-V clusters and storage are on the same hardware; this model is more appropriate for smaller scale-out deployments. In the private cloud storage deployment, the Hyper-V clusters and storage resources are separate; this model is for larger scale-out deployments.

By separating the Hyper-V clusters and storage in the private cloud deployment, administrators can scale and manage the storage and compute resources independently.

System Center 2016

At the same time as announcing the general availability of Windows Server 2016, Microsoft also announced general availability of System Center 2016.

System Center Configuration Manager 2016 provides a plethora of tools and features to manage your Windows client environments (especially Windows 10), as well as non-Windows clients such as Linux and OS X. SCCM 2016 also integrates with Microsoft Intune to enable management of all devices within your organisation, from fixed desktops to mobile devices including Android, iOS, and Windows.

System Center 2016 provides easy discoverability of management packs, alert tuning, scheduled maintenance windows to reduce alert noise, support for Windows Server 2016 security capabilities such as Shielded Virtual Machines (preventing illicit virtual machine copying) and Host Guardian service (providing key management to support Shielded VMs).

System Center 2016 also supports handling rolling upgrades to cluster nodes without the need to stop workloads. Additionally, it can manage the lifecycle of Windows Server 2016 Nano Server – the minimal footprint server deployment of Windows Server 2016 which is 20 times smaller than Server Core deployment in Windows Server 2012 R2.

For ease of management across a hybrid cloud System Center 2016 integrates with Operations Management Suite.

Operations Management Suite

The cloud based management suite gained several improvements with insights and analytics, security and compliance, and protection and recovery. Here are just a few of the new features of OMS: –

 New application and service monitoring capabilities for Azure SQL, MySQL, and VMware Hosts
 Connector for Application Insights enabling integrated application and workload analytics
 Azure activity log search
 New ingestion API’s for expanded data and log collection
 Enhanced Update Management features including insights into time estimates as well as update sequencing (keeping Windows Server and Linux systems up to date)
 Enhanced change tracking with granular file-based tracking to support Windows Server and Linux
 Azure Security Center
 Expanded security data ingestion using Common Event Format (including Cisco ASA)
 Behavioural analytics to detect insider threats and attempts within a compromised system
 Expanded Linux and VMware backup and recovery support
 Integrated monitoring with Log Analytics including Site Recovery capacity planning

New licensing options for hybrid cloud environments have also been announced. Microsoft are now offering two new subscription options: –

 Operations Management Suite E1: Insight & Analytics and Automation & Control
 Operations Management Suite E2: Includes everything in E1 and adds both Security & Compliance, and Protection & Recovery services

Both E1 and E2 also include subscription rights to System Center 2016.

Increased Performance in Azure

Microsoft have announced a number of advancements including new server categories, network bandwidth improvement (resulting in an increase of bandwidth of up to 50%), and increased IOPS performance of Azure Storage combined with newly developed storage specific offloads.

Virtual Network Peering

Microsoft officially announced the general availability of Virtual Network Peering. VNet Peering connects two virtual networks in the same region through the Azure backbone. Once peered the two virtual networks appear as one for all connectivity purposes. Although they are managed as separate resources, virtual machines in the virtual networks can communicate with each other directly using private IP addresses.

Traffic between VMs within the peered virtual networks is routed through Azure much like traffic is routed between VMs in the same virtual network.

Some of the benefits of using VNet Peering are:

 Low latency, high bandwidth connectivity between resources in different virtual networks

 Ability to use resources such as Network Appliances and VPN Gateways as transit points in a peered virtual network

 Ability to connect a virtual network using Azure Resource Manager to a virtual network that uses the classic deployment model enabling full connectivity between resources in those virtual networks

Requirements of Virtual Network Peering are:

 Networks that are peered must be in the same Azure region

 Peered networks must have non overlapping IP address spaces

 VNet Peering is between two virtual networks with no derived transitive relationship. For example, if virtual network A is peered with virtual network B, and if virtual network B is peered with virtual network C, then virtual network A is not peered with virtual network C.

 Peering can be established between virtual networks in two different subscriptions as long as a privileged user of both subscriptions authorises the peering, and the subscriptions are associated to the same Active Directory tenant

 A virtual network using ARM (Azure Resource Manager) can be peered with a virtual network using either ARM or the classic deployment model. But two virtual networks both using the classic deployment model cannot be peered with each other

 Although communication between VM’s in peered virtual networks has no additional bandwidth restrictions, bandwidth caps based on VM size still apply
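The requirements above can be checked before a peering is requested, and the non-transitive rule can be used to confirm which networks stay isolated from each other. The following Python sketch is an added example, not code from the original post or from Microsoft; the VNet names, regions, tenant IDs and address spaces are constructed, and it models peering only (it does not account for traffic forwarded through a network appliance or gateway used as a transit point).

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class VNet:
    name: str
    region: str
    model: str       # "arm" or "classic"
    tenant: str      # Active Directory tenant of the owning subscription
    prefixes: tuple  # address space as CIDR strings


# Constructed inventory (not real networks).
VNETS = {v.name: v for v in (
    VNet("A", "region-1", "arm", "tenant-1", ("10.0.0.0/16",)),
    VNet("B", "region-1", "arm", "tenant-1", ("10.1.0.0/16",)),
    VNet("C", "region-1", "arm", "tenant-1", ("10.2.0.0/16",)),
    VNet("D", "region-1", "classic", "tenant-1", ("10.1.128.0/17",)),
    VNet("E", "region-2", "classic", "tenant-1", ("10.9.0.0/16",)),
)}


def peering_violations(a, b):
    """Return the peering requirements listed above that the pair breaks."""
    problems = []
    if a.region != b.region:
        problems.append("different regions")
    if a.model == "classic" and b.model == "classic":
        problems.append("both classic")
    if a.tenant != b.tenant:
        problems.append("different AD tenants")
    for pa in a.prefixes:
        for pb in b.prefixes:
            na, nb = ipaddress.ip_network(pa), ipaddress.ip_network(pb)
            if na.version == nb.version and na.overlaps(nb):
                problems.append(f"overlap {pa} / {pb}")
    return problems


def validate_plan(peerings, vnets=VNETS):
    """Map each requested (x, y) peering that breaks a rule to its problems."""
    report = {}
    for x, y in peerings:
        problems = peering_violations(vnets[x], vnets[y])
        if problems:
            report[(x, y)] = problems
    return report


def chained_not_peered(peerings):
    """Pairs linked only via an intermediate VNet.

    Peering is not transitive, so these pairs are NOT connected by peering,
    even though a diagram of the peerings shows a path between them.
    """
    peers = {}
    for x, y in peerings:
        peers.setdefault(x, set()).add(y)
        peers.setdefault(y, set()).add(x)
    result = set()
    for start in peers:
        seen, stack = {start}, list(peers[start])
        while stack:                      # walk the whole peering chain
            node = stack.pop()
            if node in seen:
                continue
            seen.add(node)
            stack.extend(peers[node] - seen)
        for other in seen - {start} - peers[start]:
            result.add(tuple(sorted((start, other))))
    return sorted(result)


if __name__ == "__main__":
    plan = [("A", "B"), ("B", "C"), ("B", "D"), ("D", "E")]
    for pair, problems in validate_plan(plan).items():
        print(pair, "->", "; ".join(problems))
    print("no direct peering:", chained_not_peered([("A", "B"), ("B", "C")]))
```
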

Azure Native IPv6 Support

Internet facing load balancers can now be deployed with an IPv6 address thereby providing the following capabilities:

 Native end-to-end IPv6 connectivity between public Internet clients and Azure VM’s through the load balancer

 Native end-to-end IPv6 outbound connectivity between VM’s and public Internet IPv6-enabled clients

This means that an IPv4 or IPv6 enabled Internet client can communicate with the public IPv4 or IPv6 address (or hostname) of the Azure Internet facing Load Balancer. The load balancer routes the IPv6 packets to the private IPv6 addresses of the VM’s using NAT (the IPv6 Internet client cannot communicate directly with the IPv6 address of the VM’s).

Native IPv6 support for VM’s deployed via ARM provides:

 Load balanced IPv6 services for IPv6 clients on the Internet
 Native IPv6 and IPv4 endpoints on VM’s (known as “dual-stacked”)
 Inbound and outbound initiated IPv6 connections
 Supported protocols including TCP, UDP, and HTTP(s) enabling the full range of service architectures

This level of functionality enables the following benefits:

 Compliance: Regulatory requirements insisting that applications be accessible to IPv6 only clients
 IOT: Allows developers to use dual-stacked (IPv4 & IPv6) Azure VMs to address the massively growing number of mobile & IOT requirements

There are however some limitations you need to be aware of:

 IPv6 load balancing rules can only be created through the template, CLI, or PowerShell (i.e. they cannot be created through the Azure Portal)

 Existing VMs cannot use IPv6 addresses – you must deploy new VM’s

 Public IPv6 addresses cannot be assigned to a VM – they can only be assigned to a load balancer

 VMs with IPv6 addresses cannot be members of an Azure Cloud Service (they can be connected to a VNet and communicate with each other over their respective IPv4 addresses)

 Private IPv6 addresses can be deployed on individual VM’s in a Resource Group but cannot be deployed into a Resource Group via Scale Sets

 NSG protection for IPv4 is supported in dual-stacked deployments. NSG’s do not apply to the IPv6 endpoints

 Changing the IdleTimeout for IPv6 is not currently supported – the default is 4 minutes

Active-Active VPN Gateway

You can now create an Azure VPN gateway in an active-active configuration, where both instances of the gateway VMs will establish S2S VPN tunnels to your on-premises VPN device, as shown in the following diagram:

VPN Gateway

In this configuration, each Azure gateway instance will have a unique public IP address, and each will establish an IPsec/IKE S2S VPN tunnel to your on-premises VPN device specified in your local network gateway and connection. Note that both VPN tunnels are actually part of the same connection. You will still need to configure your on-premises VPN device to accept or establish two S2S VPN tunnels to those two Azure VPN gateway public IP addresses.

Because the Azure gateway instances are in active-active configuration, the traffic from your Azure virtual network to your on-premises network will be routed through both tunnels simultaneously, even if your on-premises VPN device may favor one tunnel over the other. Note though the same TCP or UDP flow will always traverse the same tunnel or path, unless a maintenance event happens on one of the instances.

When a planned maintenance or unplanned event happens to one gateway instance, the IPsec tunnel from that instance to your on-premises VPN device will be disconnected. The corresponding routes on your VPN devices should be removed or withdrawn automatically so that the traffic will be switched over to the other active IPsec tunnel. On the Azure side, the switch over will happen automatically from the affected instance to the active instance.

Azure DNS

Microsoft announced the general availability of Azure DNS. Customers can now host domains in Azure DNS and manage DNS records using the same credentials, APIs, tools, billing, and support as other Azure services.

Microsoft Certifications

Microsoft is streamlining its technical certifications, aligning to industry recognised areas of competence while providing flexibility to showcase your specific skills in Microsoft products and services.

Five new MCSE and MCSD specialities have been released and aligned to Centres of Excellence used by the Microsoft Partner Network to identify technical competencies that are widely recognisable by both Microsoft Partners and customers.

The five new certifications are: –

 MCSE: Cloud Platform and Infrastructure – focusing on skills validation for Windows Server and Microsoft Azure

 MCSE: Mobility – focusing on skills validation for Windows Client and Enterprise Mobility Suite

 MCSE: Data Management and Analysis – focusing on skills validation for both on-premises and cloud-based Microsoft data products and services

 MCSE: Productivity – focusing on skills validation for Office 365, SharePoint, Exchange, and Skype for Business

 MCSD: App Builder – focusing on skills validation for Web and Mobile app development

To earn each of these certifications you must first earn a qualifying MCSA certification and then pass a single additional exam from a list of electives associated with the corresponding Center of Excellence.

Microsoft Certification Paths


Update 1606 for System Center Configuration Manager

Many of our customers use System Center Configuration Manager (SCCM) to manage end-user devices and servers running Windows, Linux and Mac OS X. We have also helped several clients implement a full Enterprise Mobility Suite solution (incorporating SCCM, Microsoft Intune, Azure AD Premium and Azure Information Protection), allowing them to remotely manage corporate and personal mobile devices and provide mobile workers with access to company resources whilst preventing data loss. None of this would be possible without the cloud-first features provided by the latest current branch releases of System Center Configuration Manager.

The latest 1606 version of SCCM provides a wealth of new functionality, particularly around the areas of mobile device management (when used in conjunction with Microsoft Intune), security (via Windows Hello) and user experience. As well as providing support for the management and deployment of Windows 10 Anniversary Edition (version 1607), this release includes the following headline features:

  • Windows Information Protection (formerly EDP): Allows you to create and deploy information protection policies, including the ability to choose your protected apps and define your EDP-protection level.
  • Windows Defender Advanced Threat Protection: Enables the ability to onboard and offboard Windows 10 clients to the cloud service and view agent health in the monitoring dashboard (requires a Windows Defender ATP tenant in Azure).
  • Windows Store for Business Integration: Allows you to manage and deploy applications purchased through the Windows Store for Business portal for both online and offline licensed apps.
  • Software Update Point Switching: You can now enable the option for Configuration Manager clients to switch to a new software update point when there are issues with the active software update point. Once enabled, the clients will look for another software update point during the next scan cycle.

Microsoft are already hard at work on the next major SCCM update which is likely to incorporate many improvements to Software Center (including customisable branding of dialog boxes), enhancements to Asset Intelligence and the ability to identify the MAC addresses of USB network dongles used during operating system deployment (ensuring that SCCM does not treat machines built using these dongles as “known” devices).

Please feel free to contact us at CoreAzure if you have any queries about upgrading your SCCM solution or if you would like more information about how Microsoft technologies can assist you in managing, configuring and securing your corporate devices.

 

Microsoft Azure available from UK data centres

We at CoreAzure are delighted at Microsoft’s announcement in relation to the general availability of their UK data centres enabling businesses and government bodies to be able to secure information in the UK.

Notable first customers of these UK cloud services include the Ministry of Defence, whose 230,000 employees will use Office 365 and Azure, and the South London and Maudsley NHS Foundation Trust, the largest mental health trust in the UK, to name just a few.

Microsoft’s announcement to move its services to UK data centres will in our opinion enable many organisations to review their current business and IT strategies in relation to public cloud adoption in the UK.

The new facilities in Cardiff, Durham and London will host Microsoft’s Azure cloud platform and Office 365 productivity suite. Dynamics CRM Online will be added in the first half of 2017. Not every Azure service is generally available yet within the UK, but it is worth reviewing what Microsoft Azure can offer your organisation. https://lnkd.in/d2Pna-j

The CoreAzure team pride themselves as being specialists in Microsoft Azure with an ability to maximise your existing investment in Microsoft technologies whilst realising your vision to adopt cloud.  If you are thinking of moving to Microsoft Azure, let us help you in that journey.


What is Microsoft Office 365?

In spite of Microsoft’s considerable marketing efforts surrounding Office 365, we still get a lot of people asking us to explain in detail exactly what Office 365 is all about. As much as we love waxing lyrical about one of our most favourite Microsoft services, I thought it might be useful to put together a comprehensive guide.

Introduction

Office 365 provides hosted services such as Email (Microsoft Exchange), Unified Collaboration (Microsoft SharePoint, OneDrive for Business, and Skype for Business), and on-premises software such as the Office productivity suite through subscription licensing.

This allows organisations to reduce their operating costs, avoid capital costs, and add or remove capacity at a moment’s notice. For most organisations moving to a hosted SaaS (Software as a Service) model also improves uptime and security/compliance, whilst at the same time reducing licensing costs and mitigating license compliance risks.

Office 365 services and software are delivered by the Office 365 E1, E3 and E5 subscription plans: –

Office 365 Subscription Features

Office 365 allows organisations to consume services such as email, collaboration, and other functions directly from Microsoft, freeing up their internal IT resources and avoiding costs associated with IT infrastructure, staffing, software and license management, and facilities management (data centre related).

Office 365 is updated multiple times per year with updates delivering new features as well as bug fixes. Microsoft reserve the right to retire or replace any of the hosted services or any of the Office 365 Pro Plus (on-premise productivity suite) features at any time.

Note: Microsoft used to provide 12 months’ notice for disruptive changes but dropped this commitment in 2015.

All Microsoft hosted Office 365 services are eligible for product support, but only when using specific versions of client software (i.e. browser or Office productivity suite). Although they don’t block unsupported versions of client software from accessing Office 365 services, Microsoft will reserve the right to refuse any break/fix support services and the end user may find that some features are not available to them.

Microsoft publishes an Office 365 roadmap online (https://fasttrack.microsoft.com/roadmap) listing the status of planned service improvements. Furthermore, a First Release preview program (known as Fast Track) allows Office 365 subscribers early access to upcoming changes.

Office

Office Online: This feature was formerly known as Office Web Apps and provides hosted applications (Word, Excel, PowerPoint, and OneNote) enabling users to create and edit Office documents via a web browser without the need for the equivalent Office applications being installed on the client device.

Office 365 ProPlus: This is the latest Office suite (currently Office 2016) for local installation on either Windows or Mac personal computers.

Office Mobile Applications: This feature allows users to create and edit Office documents on Apple iOS and Android devices, using Office apps for those platforms.

Exchange

Exchange Online: This service offers email, calendars, contacts, and tasks all based on Microsoft Exchange Server (currently Exchange 2016).

Exchange Online Premium: This service offers the same features as Exchange Online but with enhanced tools for archiving, retention, and eDiscovery.

Exchange Online Protection: This service filters out malware, spam, and other unwanted content for Exchange Online. This service can also be used with on-premise Exchange Server installations to filter messages before they are delivered to the on-premise Exchange Server.

Exchange Online Archiving: This service archives emails for Exchange Online, but can also be used to archive emails for Exchange Servers running in Azure. This feature helps enforce comms and record retention policies. It has recently been extended to archive other types of messages such as social network traffic.

Exchange Advanced Threat Protection: This service extends Exchange Online Protection to protect e-mail users against previously unknown malware as well as malicious URLs and other types of threats.

SharePoint, Power BI, and OneDrive for Business

SharePoint Online: This service delivers functions such as file sharing, team collaboration, enterprise search, content management, and portal hosting to name just a few. Based on SharePoint Server (SharePoint Server 2016) this service is the platform where improvements are delivered first before they are migrated to the on-premise version of SharePoint Server.

SharePoint Online Premium: This service delivers all of the features of SharePoint Online, but in addition delivers enhancements in eDiscovery, Business Intelligence, and Web Content Management.

Power BI: Microsoft’s Business Intelligence service enables users to share reports (that are refreshable as opposed to static) that includes access to refreshable on-premise data, complete with interactive features for self-service analysis. Power BI Pro is the premium product that is included in higher levels of Office 365 subscriptions (currently E5), or you can buy it separately as a standalone online subscription.

OneDrive for Business: This service provides unstructured storage for users, enabling them to store and share their files both within, and outside, their organisations.

Skype for Business

Skype for Business Online: This service provides unified communications with presence status, instant messaging (IM), voice and video calls, application sharing, web conferencing, and Skype Meeting Broadcast web conferences for up to 10,000 internal attendees.

Skype for Business Online Premium: The premium version of Skype for Business Online included with higher levels of Office 365 subscriptions (currently E5) provides a hosted Cloud PBX service that provides advanced telephone calling and management. Further add-ons to the premium service offer hosted PSTN dial-in conferencing so remote attendees can dial into meetings.

Collaboration & Search

Yammer: This service offers collaboration spaces with groups, conversations, and data sharing that are similar to social networking services such as Facebook and Twitter.

Groups: This feature offers collaboration spaces with a shared mailbox, calendar, and file library across several Office 365 products such as Outlook 2016 and SharePoint Server.

Delve: This feature provides a set of Office 365 functions to help users discover people and documents in Office 365. Delve feeds targeted search results and views of content to users based on their user activity and other information collected by the Office Graph service.

Delve Analytics: This is a premium feature and provides reports that show analytics of employees (for example how many emails are sent outside business hours) to help track things such as organisational health and efficiency indicators.

Video: This feature offers a portal for securely viewing, sharing, discussing, and discovery of an organisation’s video content.

Planner: This feature provides task and project management that is integrated with Groups and other Office 365 collaboration services. Planner offers a simple alternative to Project Online (the Microsoft hosted version of Project Server), competing with products such as Asana, Smartsheet, and Trello.

Security & Compliance

Security & Compliance Centre: This feature offers a single web-based console for managing, archiving, mobile device management, basic eDiscovery, hold and retention, and other compliance tasks including data loss prevention (enabling organisations to limit leakage of sensitive data). The Security & Compliance Centre manages content across Exchange Online, OneDrive for Business, SharePoint Online, and Skype for Business.

Advanced eDiscovery: This feature provides filtering and detailed search capabilities using Equivio (software acquired by Microsoft). Equivio’s text analysis technology helps locate and organise documents that are relevant to legal cases ready for archiving, allowing organisations to use machine learning technology to train the system for specific cases or purposes.

Management & Security

Office 365 offers a complete administrative platform for managing and securing its services, including important management and security services.

Azure Active Directory (AAD): This service provides identity and access management for Office 365, along with other online services (both by Microsoft and other 3rd party vendors).

Office 365 Mobile Device Management: This feature protects Office 365 content on mobile devices, along with the devices themselves, enforcing device policies (such as password complexity) and enabling selective remote wipe of Office 365 documents and emails on a specific device.

Office 365 Advanced Security Management: This feature provides organisations with threat detection, application control, and usage discovery for users of Office 365.

Azure Rights Management: This service allows organisations to encrypt and control access to sensitive content to enable them to comply with privacy and disclosure regulations. Rights management protection is part of, and travels with, the content allowing controlled access even if the content moves to a device that is outside an organisation’s control. This feature includes Office 365 Message Encryption, which enables encryption of messages in Exchange Online.

Customer Lockbox: This feature enables organisations to individually approve or deny requests for access to their Office 365 data by Microsoft administrators.

Compliance

Office 365 provides a plethora of compliance from ISO27001, PCI DSS, FIPS 140-2, right through to CESG OFFICIAL.

If you’re a Public Sector organisation here in the UK and you’re concerned about data residency, or PSN compliance, you can rest assured that moving to Office 365 will most likely enhance the security of your data/users. There are plenty of resources available to ensure that when adopting Office 365 you ensure that you remain fully compliant – just take a look at some of these: –

CESG Cloud Security Guidance

CESG Microsoft Office 365 Security Guidance: Email

CESG Microsoft Office 365 Security Guidance: Administrator good practice

Meeting the UK Government’s 14 Cloud Security Principles

And with the announcement of 3 new UK Microsoft Data Centres brought online (7th September 2016), you can rest assured that your data stays in the UK: –

http://www.bbc.co.uk/news/technology-37285667

If you are a Public Sector organisation then we believe it is imperative that when working with a Microsoft Partner you ensure they fully understand your compliancy requirements, and more importantly the impact of non-compliance. Here at CoreAzure we have a dedicated Architecture & Security Practice headed up by Gareth Jones – Gareth just happens to be one of the first in the Country to become a CESG Certified Professional (CCP), so we have both the experience and the credentials to ensure our Public Sector customers remain fully compliant.

I hope this has given you a reasonable insight into what Microsoft Office 365 is all about. If you have any questions, or wish to discuss your Office 365 requirements with a Microsoft Gold Partner that has both the experience and expertise in all Microsoft Cloud technologies then feel free to contact me directly: mark.briggs@coreazure.com

In my next few blogs I’ll take a deep dive into some of the individual products & features of Microsoft Office 365.