Migrating MSA to AAD “fun” (rant)

I am starting to go through the Microsoft push to move from Microsoft Accounts (MSA, a.k.a. live.com accounts) to Azure Active Directory (AAD), their cloud-based enterprise solution to user and group management.

With a heavy investment in Azure, Visual Studio Team Services (VSTS), Visual Studio Subscriptions (formerly MSDN subscriptions), etc., this has been challenging.  We have run into issues moving Azure subscriptions (previously managed via MSA) to AAD.  We have run into PowerShell for Azure scripting issues.  We have run into automation issues between VSTS and Azure.  VSTS also has a strange requirement: the primary email address on the MSA must be the VS subscription email address (change the primary email address on your MSA and you won’t see your VS subscription any more, unless it is the free one).

Add to that the fact that my MSA used to have a custom domain.  They offered it, promoted it, and are now taking it away, although “grandfathering” those that had it.  This has been problematic because I couldn’t renew it, and their support kept trying to push me over to the business side (Office 365) when the domain is part of Outlook Premium.  I finally gave up and moved my custom domain to Office 365 to make things more straightforward.  But I shouldn’t have had to, and I now have two separate accounts where before I had one.

I know we will get through this.  In the long run, it will probably be for the best.  In addition to my navigating from MSA to AAD, I also access multiple AADs, so that fun should be interesting when the time comes.

Microsoft should have continued to embrace custom domains with Outlook Premium (via MSA).  Microsoft should also have done a much better job of supporting MSA and AAD integration, giving us migration tools to map MSA accounts to AAD accounts (with the MSA account holder’s approval, of course) so that resource access wasn’t lost or confusing.  Instead you have to work with Microsoft directly, and they have made mistakes because of the complex array of services that have accumulated under MSA over the decades.

I did look for a well-supported alternative to O365 and Outlook Premium once I knew their policy changes were going to be a problem.  Unfortunately, not much else could provide Exchange ActiveSync (EAS) along with webmail and Outlook support (with all the features of Calendar, Inbox, Folders, Contacts, etc.).

OneDrive for Business and SharePoint Online not so enterprising

It appears OneDrive for Business has a 15GB file size limit.  This is for business-class, enterprise-level cloud file storage.  15GB.  I am granted up to 1TB of space with the Office 365 subscription.  Even Dropbox Personal goes to 20GB per file.  15GB is easily reached with DB backups.  Or video editing.  Or a large zip/7z archive file.

I would be fine with OneDrive for Personal having such a limit (okay, well, they should at least go to 20GB to match Dropbox).  But the limitation on the enterprise-class service is ridiculous.  The same is true of SharePoint Online (SPO), which has a list view threshold of 5,000 items: a library can hold far more, but any view or query that returns more than 5,000 items fails unless it is indexed and filtered below that number.  On-premise SharePoint has the same default threshold, but there a farm administrator can raise it; in SPO you cannot.  That is nothing for an enterprise organization.  SPO should be equal to or better than on-premise (our on-premise SharePoint 2013 Enterprise easily handles over 80,000 files in one library).  OneDrive for Business should have the same vision of enterprise-class capabilities.

Microsoft, you need to start thinking enterprise for your online services if you expect the enterprise to actually jump over to your services.  And what is good for the enterprise is also good for SMBs because, well, they are even more dynamic and agile with data storage needs.  This is the real world knocking on your door.

Yes, I can split the file into multiple archive volumes (e.g. using compression software), but that is a pain, especially given bandwidth constraints, where direct access to files is desirable for efficient work.

Joining Azure Active Directory (1703+)

The process of joining an Azure Active Directory (AAD) changed starting with Windows 10 version 1703.

Why Azure AD Domain Join?

There are a number of benefits to joining AAD so that you can use your Azure AD / Office 365 login:

  1. Centralized login credentials, especially nice with multiple devices.
  2. No more Office 365 and Azure login prompts when accessing work resources (single sign-on, SSO).
  3. Enterprise roaming of user settings across joined devices without the need for a Microsoft Account (account.microsoft.com).
  4. Access to the Windows Store for Business using the AAD account.
  5. No Windows domain controller (on-premise Windows Active Directory, or WAD) required, which suits smaller businesses.

If you are an enterprise (or even a smaller business) with local authentication services on Windows AD, you can connect AAD to WAD with Azure AD Connect and automatically register domain-joined devices with AAD via Group Policy (hybrid Azure AD join).

This requires allowing devices to join the Azure Active Directory, which is done in the Azure AD portal: navigate to Azure Active Directory, then Devices, then Device settings, and make sure Users may join devices to Azure AD is not set to None.

Notice that the setting Users may sync settings and app data across devices is missing.  This is because Intune and AAD Premium are not being used (Enterprise State Roaming, which that setting controls, requires an Azure AD Premium license).

Without this setting enabled, Windows 10 shows end users the message Sync is not available for your account. Contact your system administrator to resolve this. under Sync your settings (which does work when a Microsoft Account is used).
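The Device settings blade reflects a tenant-wide device registration policy that can also be read from PowerShell, which is handy when you have to answer “can my users join at all?” across several AADs.  The following is an added example, not code from the original post; it assumes the MSOnline module is installed and that Connect-MsolService is run with an AAD administrator account, and the property-to-portal-setting mapping shown in the comments is my reading of that module’s output.

```powershell
# Added example (not from the original post): read the tenant's device
# registration policy, which backs the portal's Azure AD > Devices > Device settings.
# Assumes: Install-Module MSOnline has been run and an AAD admin signs in.
Import-Module MSOnline
Connect-MsolService   # interactive sign-in with an Azure AD admin account

$policy = Get-MsolDeviceRegistrationServicePolicy

# Assumed mapping of MSOnline properties to the portal toggles:
#   AllowedToAzureAdJoin   -> "Users may join devices to Azure AD"  (All / Selected / None)
#   MaximumDevicesPerUser  -> "Maximum number of devices per user"
#   RequireMultiFactorAuth -> "Require Multi-Factor Auth to join devices"
[pscustomobject]@{
    UsersMayJoin      = $policy.AllowedToAzureAdJoin
    MaxDevicesPerUser = $policy.MaximumDevicesPerUser
    RequireMfaToJoin  = $policy.RequireMultiFactorAuth
} | Format-List

switch ($policy.AllowedToAzureAdJoin) {
    'None'     { Write-Warning 'Azure AD join is disabled: the Join button will fail for every user.' }
    'Selected' { Write-Warning 'Azure AD join is scoped: only the selected users/groups can join devices.' }
    default    { Write-Host 'All users may join devices to this Azure AD.' }
}
```

Run this once per tenant you administer; if a user reports that the Join button fails, a value of None or Selected here is the first thing to rule out before touching the device.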

Azure AD Domain Join

Windows 10 devices can join AAD for centralized authentication and limited management (fuller device management requires an Intune subscription).

Click on Start and then Settings. Click on Accounts.

Click on Access work or school. Click on Connect.

Click the Join this device to Azure Active Directory link:

Ignore the fact that the dialog title says Microsoft account, which could be confused with a consumer Microsoft Account (MSA).  This is the right place for AAD logins.

Enter in your AAD login (email address) and click Next button:

Enter the password for the account and click the Sign in button (your screen may look slightly different, depending on the branding configured on the AAD side):

Confirm you are joining the right organization and click Join button:

If all goes well, you will receive a confirmation message and can click Done.

You are now connected to the AAD domain.  Locally the account takes the form AzureAD\<user name> (that is what whoami reports), while you still sign in with the AAD email address.

It is recommended that you restart the computer and log in with the new account by clicking Other user on the login screen and entering the email address of your AAD login.
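After the restart it is worth confirming the join from the device itself rather than trusting the Done dialog, because a device can be joined yet still lack the token that makes SSO work.  The following is an added example, not code from the original post; it wraps the built-in dsregcmd /status tool (present on Windows 10 1607 and later) and assumes its usual Key : Value output format.

```powershell
# Added example (not from the original post): verify an Azure AD join from the device.
# dsregcmd /status is built into Windows 10; its output is "   Key : Value" lines
# grouped under section banners, which this parser simply skips.
function Get-AadJoinState {
    $raw   = & dsregcmd.exe /status
    $state = @{}
    foreach ($line in $raw) {
        # Keys are words/digits/spaces; the value may itself contain colons (URLs).
        if ($line -match '^\s*([A-Za-z0-9 ]+?)\s*:\s*(.+?)\s*$') {
            $state[$matches[1]] = $matches[2]
        }
    }
    [pscustomobject]@{
        AzureAdJoined = $state['AzureAdJoined']   # YES on a pure Azure AD join
        DomainJoined  = $state['DomainJoined']    # YES as well only on a hybrid join
        TenantName    = $state['TenantName']      # confirm you joined the right directory
        DeviceId      = $state['DeviceId']        # the object you will see under Azure AD > Devices
        AzureAdPrt    = $state['AzureAdPrt']      # YES once this user holds a Primary Refresh Token
    }
}

$join = Get-AadJoinState
$join | Format-List

if ($join.AzureAdJoined -ne 'YES') {
    Write-Warning 'This device is not Azure AD joined; repeat the Access work or school steps.'
} elseif ($join.AzureAdPrt -ne 'YES') {
    Write-Warning 'Joined, but no Primary Refresh Token for this user: Office 365 / Azure will still prompt for credentials.'
} else {
    Write-Host "Joined to '$($join.TenantName)' with SSO ready."
}

# The local form of the identity (AzureAD\...) versus the UPN you sign in with:
whoami
whoami /upn
```

AzureAdPrt is the field to watch when SSO “doesn’t work” after a successful join: it is only YES after signing in with the AAD account (hence the recommended restart and Other user login), and it is NO when you are still logged in with the original local or MSA account.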

OneDrive for Business 101-ish

I have been a long-time Dropbox user.  I have also been a long-time Office 365 Business user.  OneDrive was always subpar to Dropbox, but I kept an eye on it because I would like to eliminate the redundant expense for 1TB of storage.  With the introduction of Files On-Demand in Windows 10 1709, OneDrive for Business and OneDrive for Personal are now much stronger contenders.  Dropbox Plus doesn’t have this feature; Smart Sync requires Dropbox Professional at double the cost.  Without it, if you synchronize only a subset of folders/files (Selective Sync) to your local machine, you have to use a browser to find out whether a folder or file exists in the cloud and then set it up to sync.  A lot of extra steps.

Dropbox still has a simpler experience in general.  Managing the OneDrive client is confusing, especially if you have multiple OneDrive accounts and have shared folders synchronized (which creates separate landing folder locations).  It is made additionally confusing, but powerful, if you synchronize SharePoint Online files locally.

If you like simple, stick with Dropbox or your other favorite file sync software.  Dropbox also offers a long-term file retention option (at an extra cost) in case you delete a folder or file and don’t check often.  If you have Office 365 (and all of its services) and are willing to spend time learning its configuration, OneDrive is very useful.

Configuring OneDrive for Business

If you have OneDrive for Personal set up

To add an Office 365 account (which accesses OneDrive for Business), right-click on OneDrive in your Windows tray (typically in the lower right corner).  Select Settings.  Click the Add an account button.  Enter the credentials for your Office 365 account.

If you don’t have OneDrive for Personal set up

OneDrive for Personal doesn’t need to be set up first.  Open the OneDrive application (click Start and start typing OneDrive).  When it prompts for an account, enter your Office 365 credentials.

Once OneDrive for Business is setup

A new OneDrive icon will appear in your Windows tray (currently a blue cloud icon).  Hovering the mouse over a cloud icon shows which account is associated with that tray icon.  You can configure settings for each account by right-clicking its cloud icon and selecting Settings.  This includes turning on Files On-Demand (currently not enabled by default in Windows 10 1709), Selective Sync, etc.

Accessing OneDrive files

This is where it gets a little weird until it becomes ingrained.  There are essentially three folders covering four sources: OneDrive for Personal, OneDrive for Business, shared folders synchronized from OneDrive for Business (done by going to http://onedrive.live.com, selecting Shared with me, opening the desired folder and clicking the Sync button) and folders synchronized from SharePoint Online (opening the desired library and clicking the Sync button).  Assume your Office 365 directory is called RecursiveGeek.  Your Windows profile will have the following folders:

  • OneDrive
  • OneDrive – RecursiveGeek Directory
  • RecursiveGeek Directory

The first folder is OneDrive for Personal (folders and files set up to sync and, if enabled, Files On-Demand placeholders).  The second folder is OneDrive for Business (again, synced folders and files plus Files On-Demand placeholders if enabled).  The third folder holds the folders synchronized from content shared by other OneDrive for Business users and from SharePoint Online.
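When several accounts and shared libraries are synced, it is easy to lose track of which tray icon owns which folder and which files are actually on disk versus Files On-Demand placeholders (the latter matters for backups, offline work and for anything that scans your profile).  The following is an added example, not code from the original post or from Microsoft; it assumes the OneDrive client records each account under HKCU:\Software\Microsoft\OneDrive\Accounts with UserFolder, UserEmail and DisplayName values (names taken from that registry layout), and it uses the documented Win32 FILE_ATTRIBUTE_* bit values that Files On-Demand sets on placeholder files.

```powershell
# Added example (not from the original post): map OneDrive accounts to their
# landing folders, then classify files by Files On-Demand state.
function Get-OneDriveAccount {
    # Assumed layout: one subkey per account (Personal, Business1, Business2, ...).
    Get-ChildItem 'HKCU:\Software\Microsoft\OneDrive\Accounts' -ErrorAction Stop |
        ForEach-Object {
            $p = Get-ItemProperty -Path $_.PSPath
            [pscustomobject]@{
                Account = $_.PSChildName   # Personal, Business1, ...
                Email   = $p.UserEmail
                Folder  = $p.UserFolder    # e.g. C:\Users\me\OneDrive - RecursiveGeek
                Tenant  = $p.DisplayName   # tenant name for AAD accounts
            }
        }
}

# Files On-Demand marks placeholders with attribute bits that .NET's
# FileAttributes enum has no names for, so mask the raw integer.
# Values are the Win32 FILE_ATTRIBUTE_* constants.
$RECALL_ON_DATA_ACCESS = 0x400000   # content lives only in the cloud
$PINNED                = 0x080000   # "Always keep on this device"

function Get-OneDriveFileState {
    param([Parameter(Mandatory)][string]$Path)
    # Directory enumeration reads attributes only; it does not hydrate placeholders.
    Get-ChildItem -LiteralPath $Path -File -Recurse -Force | ForEach-Object {
        $attr  = [int]$_.Attributes
        $state = if ($attr -band $RECALL_ON_DATA_ACCESS) { 'CloudOnly' }
                 elseif ($attr -band $PINNED)            { 'AlwaysLocal' }
                 else                                    { 'LocalCopy' }
        [pscustomobject]@{ File = $_.FullName; State = $state; Bytes = $_.Length }
    }
}

$accounts = Get-OneDriveAccount
$accounts | Format-Table -AutoSize

# Summarize the OneDrive for Business folder: how much is really on disk?
$business = $accounts | Where-Object Account -like 'Business*' | Select-Object -First 1
if ($business) {
    Get-OneDriveFileState -Path $business.Folder |
        Group-Object State |
        Select-Object Name, Count, @{ n = 'GB'; e = { [math]::Round(($_.Group | Measure-Object Bytes -Sum).Sum / 1GB, 2) } }
}
```

Only the first two folders (Personal and the OneDrive – <Tenant> folder) come from UserFolder; the third folder with shared and SharePoint Online libraries is tracked separately by the client, so enumerate it by path if you need the same report there.  Note that CloudOnly files report their full Length even though they occupy almost no disk space, which is exactly why a backup or antivirus tool that opens every file will quietly pull all of them down.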

Conclusion

OneDrive for Business is really useful and has come a long way.  It would be nice if they cleaned up the UI of the OneDrive client in the Windows tray (single icon, single application, managed in a single interface).  Files On-Demand is awesome, letting you conveniently and seamlessly access files in the cloud that are not on the local drive, saving space.  Dropbox Plus no longer gives me a compelling reason to stay, so I will be dropping it when it is time to renew.