Category Archives: UC&C

Operational maturity and Exchange

Over at my work blog, I have a post that tackles an important issue: how do you reliably design and operate Exchange if you don’t happen to have a large team of Exchange rock stars on staff? (Short answer: hire me. Longer answer: read the post to find out). Bonus: the post contains a picture of Ross Smith IV Yoda.

Filed under Office 365, UC&C

Setting the record straight on Microsoft and subpoenas

This week I had the opportunity to present a session called “Cloud Best Practices” at the Alabama Digital Government Summit. I had a great time— it was fascinating to see how many different agencies in our state are putting advanced IT to work to save money and get more done for the taxpayer. However, there was one blemish on the experience that I wanted to polish away, so to speak.

Part of my talk concerned the fact that no matter where you live, your local government has lawful means to get your data: they can subpoena you, or your cloud provider, to get it. There’s nothing that you can do about it. It’s a feature, not a bug, of modern legal systems. I often talk about this in the context of people’s fears that the NSA, GCHQ, or whomever will snag their data, by lawful or unlawful means. Here’s the slide I put up:

[Image: slide from the talk]

I don’t think these are controversial assertions. However, at this point in my talk, Stuart McKee (chief technical officer for state and local government at Microsoft) flatly asserted that Microsoft does not comply with government subpoenas for customer data; I believe he used the word “never”. He went on to say that Microsoft has a pattern of resisting subpoena requests and that this “has gotten [them] into some trouble.” He concluded by saying that Microsoft’s standard action is to tell governments that they must subpoena the data owner, not the service provider.

I believe these assertions to be largely untrue, and certainly misleading. (I’ll leave aside the insulting manner in which Stuart asserted that I was wrong— after all, I am certainly wrong sometimes and generally appreciate when people point it out.) I want to set the record straight to the extent that I can.

First, Microsoft absolutely does comply with lawful subpoenas for customer data. This page at Microsoft’s web site summarizes their responses to lawful legal demands for customer information (both information about customers and information belonging to customers) across a broad variety of jurisdictions, from Argentina to Venezuela. To assert otherwise is ludicrous.

Second, Microsoft has a pattern of complying with these lawful subpoenas, not refusing them. When Stuart said that Microsoft is “in trouble” for refusing a subpoena, I suspect that he’s referring to Microsoft vs United States, where the issue at hand is that Microsoft was served a search warrant for data stored in a Microsoft data center hosted in Ireland. The data are stored there because the customer is located outside the US. Microsoft moved to have the warrant vacated, and when that failed, asked the cognizant district court to vacate it. The district court upheld the original warrant; Microsoft refused to comply and was held in contempt. Now this particular case is working its way through the US federal court system.

Let me be clear: I applaud Microsoft for standing up and resisting the overreach in the original warrant— there doesn’t seem to be (at least not to my layman’s understanding) a right of the US government, at any level, to subpoena data belonging to a non-US person or organization if it’s stored outside the US, even if it’s held in a cloud service operated by a US person or organization. The brief Microsoft filed likens this to a German court ordering seizure of letters stored in a safe deposit box in a US branch of a German bank. Having said all that, claiming that this kind of resistance is routine is overblown. It isn’t. If Microsoft were refusing subpoenas left and right, the numbers I mentioned above would look very much different.

Third, Microsoft’s policy is indeed to try to redirect access requests whenever possible. The Office 365 privacy page has this to say:

We will not disclose Customer Data to a third party (including law enforcement, other government entity, or civil litigant; excluding our subcontractors) except as you direct or unless required by law. Should a third party contact Microsoft with a request for Customer Data, we will attempt to redirect the third party to request the data directly from you. As part of that process, we may provide your contact information to the third party. If compelled to disclose Customer Data to a third party, we will use commercially reasonable efforts to notify you in advance of a disclosure unless legally prohibited.

In other words, Microsoft will try to redirect subpoenas from themselves to the data owner, where they are allowed by law to do so, and if they can’t, they will notify you, if allowed by law to do so. This is the only one of Stuart’s claims that I think is inarguable.

Finally, Microsoft proactively cooperates with law enforcement. The Microsoft Digital Crimes Unit newsroom contains press releases touting Microsoft’s cooperation with law enforcement agencies around the world (here’s just one example). This cooperation and disclosure extends to Microsoft proactively notifying law enforcement agencies when their PhotoDNA service identifies child porn images in customers’ private OneDrive data. I support their right to do this (it’s covered very clearly in the terms of service for Microsoft cloud services), and I believe it’s the right thing to do— but to claim that Microsoft never discloses customer data to law enforcement agencies while they are voluntarily doing so is both untrue and misleading.

Everyone’s interests are best served when everyone understands the specifics of the legal interaction between local and national governments and cloud service providers in various jurisdictions. This is a really new area of law in many respects, so it’s understandable that some things may not be clear, or even defined yet, but I wanted to correct what I view as dangerously misleading misinformation in this specific instance.

The bottom line: no matter what cloud service you choose, be sure you understand the policies that your cloud provider uses to determine the conditions under which they’ll cough up your data.

Filed under Office 365, Security, UC&C

Fixing “Cannot find registrar pool” error for sipfed.online.lync.com

I was recently setting up hybrid Lync/Skype for Business for a customer. This is more properly known as “split-domain” configuration because you share a single SIP namespace across both the on-premises and cloud portions of the infrastructure.

If you’re not familiar with the process, it goes like this:

  1. Set up AD FS or whatever other identity federation solution you like.
  2. Configure the service to allow federation.
  3. Configure the on-premises Lync/SfB servers to allow federation.
  4. Turn on federation.
  5. Enable your tenant for split-domain operations with Set-CsTenantFederationConfiguration.
  6. Start moving users.

Adam Jacobs’ summary is worth reading if you haven’t seen this before, but even without reading it, it seems straightforward enough, right? I found that when I got to step 6 I got a vexing error: “Cannot find Registrar pool. Verify that ‘sipfed.online.lync.com’ is a valid registrar pool.”

[Image: screenshot of the “Cannot find Registrar pool” error]

I was 100% sure that the registrar pool name was correct and that it existed, so why couldn’t the Move-CsUser cmdlet find it? I spent some fruitless time binging for a solution (note: this is not the same as “binging on beer” or “binging on carbs before my race”); the few hits I found all suggested ensuring that you’d connected to the service with Import-PSSession, which is, as suggestions go, right up there with “make sure it’s plugged in.”

After some experimentation, I finally figured out that step 3 above hadn’t been performed completely; when I ran Get-CsHostingProvider, the EnableSharedAddressSpace and HostsOcsUsers parameters were both set to “false”. I reset them (and the AutodiscoverUrl parameter, also required), and that solved the problem. It’s not clear to me why anyone at Microsoft thought “cannot find registrar pool” would be an appropriate error for this condition; there are distinct error messages for most other problems that might occur (such as trying to move users to the wrong pool) but not here.

Perhaps this breadcrumb will help some future admin who gets the error, or maybe Microsoft will fix it…
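
A pre-flight check for the condition described above, as an added example that is not part of the original post: it finds the on-premises hosting provider by the `sipfed.online.lync.com` proxy FQDN, reports which of the three settings would trigger the misleading registrar pool error, and corrects them only when asked. The function name `Test-SplitDomainHostingProvider` is hypothetical, and the default Autodiscover URL is an assumption based on Microsoft's published hybrid guidance, so confirm it for your tenant.

```powershell
# Added example (not from the original post). Run in the on-premises
# Lync/SfB Management Shell before Move-CsUser.
function Test-SplitDomainHostingProvider {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # Registrar pool name taken from the error message in the post
        [string]$ProxyFqdn = 'sipfed.online.lync.com',
        # Assumption: Microsoft's documented Autodiscover endpoint; confirm for your tenant
        [string]$AutodiscoverUrl = 'https://webdir.online.lync.com/Autodiscover/AutodiscoverService.svc/root',
        # Apply the corrections instead of only reporting them
        [switch]$Fix
    )

    $providers = @(Get-CsHostingProvider | Where-Object { $_.ProxyFqdn -eq $ProxyFqdn })
    if ($providers.Count -eq 0) {
        throw "No hosting provider has ProxyFqdn '$ProxyFqdn'; step 3 was never done."
    }

    foreach ($p in $providers) {
        $problems = @()
        if (-not $p.EnableSharedAddressSpace) { $problems += 'EnableSharedAddressSpace is False' }
        if (-not $p.HostsOcsUsers)            { $problems += 'HostsOcsUsers is False' }
        if ($p.AutodiscoverUrl -ne $AutodiscoverUrl) {
            $problems += "AutodiscoverUrl is '$($p.AutodiscoverUrl)'"
        }

        if ($problems.Count -eq 0) {
            Write-Output "$($p.Identity): hosting provider settings look correct"
            continue
        }
        $problems | ForEach-Object { Write-Warning "$($p.Identity): $_" }

        # -Fix still honours -WhatIf / -Confirm through ShouldProcess
        if ($Fix -and $PSCmdlet.ShouldProcess($p.Identity, 'Set-CsHostingProvider')) {
            Set-CsHostingProvider -Identity $p.Identity `
                -EnableSharedAddressSpace $true -HostsOcsUsers $true `
                -AutodiscoverUrl $AutodiscoverUrl
        }
    }
}

Test-SplitDomainHostingProvider          # report only
# Test-SplitDomainHostingProvider -Fix   # correct the settings, then retry Move-CsUser
```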

Filed under Office 365, UC&C

Fixing SharePoint Online OneNote “something went wrong” errors

I recently ran into a problem with a SharePoint Online site that had previously been created on BPOS and moved around through various iterations of Office 365. None of the site users had ever used the OneNote notebook associated with the site, but the link was present in the side navigation bar. When I tried to access it, I got the infamous “sorry, but something went wrong” error page. (For another day: discuss the Fisher-Price-ization of service error messages; the low information content doesn’t scare end users but makes it impossible to troubleshoot problems.)

A little binging turned up a plausible solution: “SharePoint 2013 OneNote Notebook something went wrong error”. I was a little leery of turning off the feature for fear that it wouldn’t turn back on. However, I took the plunge. After disabling the feature and re-enabling it, I was able to open the OneNote Online notebook, but I wasn’t able to use the “open in OneNote” link until I added some content in OneNote Online. All’s well that ends well. This may not be the only solution for this problem, but it has a 100% success rate for me so far.

Filed under Office 365, UC&C

A brief rant about the Mac Lync client

I’m supposed to be working on my Ignite slides, but I just ran into something that has flipped my safeties.

I just don’t understand.

Sure, I know the Lync/Skype for Business team has a lot of irons in the fire, what with their new product line and all. And I get that the Mac install base is small relative to the other things they have to do. But there is no reason I can see for the Mac Lync client to be as buggy and underfeatured as it is. They’ve had years to improve it.

The Lync PG has proven they can do rapid engineering work, as evidenced by the excellent speed and quality of the Lync mobile apps for Android and iOS.

And they’ve proven they can build a robust client, as evidenced by the history of the Lync desktop client for Windows.

The Mac Office team, for their part, has shown that they can produce high-quality clients that reliably work with Microsoft’s services.

So why does the Mac Lync client make me want to start throwing things?

Today’s example: I am signed into Lync with my work account. I want to create a meeting in my personal Exchange calendar, invite attendees, and set it up as an online meeting. This is trivial using Windows Outlook and the Lync (and, now, SfB) client: create the invite, click the “Lync meeting” button, and boom.

On the Mac, however, this scenario doesn’t work– clicking the “Online Meeting” button produces an obnoxious dialog telling me that I must be signed in to the same account in Lync as I’m using in Outlook.

This is just the latest in the pecked-to-death-by-ducks experience of using the Lync client on a Mac. In honesty, the client is more stable and has more features than its predecessors; hell, it even supports the Conversation History folder now. But what I want is a robust client, with feature parity with Windows, that works to enable the same scenarios I can easily perform in Windows. That’s not too much to ask.

I don’t know (and, as an end user, don’t care) which team inside Microsoft owns this. And I don’t have an opinion on who should own it. All I want is a solid client experience.

(And while I am on a rant: damnit, the Windows Phone sync client for the Mac is a giant pile of fail. Microsoft has apparently abandoned it in place. Bug reports go into a black hole. Latest example: after months of prerelease availability, Apple released the Photos app and… surprise… the WP8 sync app doesn’t work with it.)

 

Filed under FAIL, OS X, UC&C

Preparing for Ignite

I’m heads-down working on my materials for the upcoming Microsoft Ignite conference. This year, I have three sessions:

  • MVPs Unplugged: Real-World Microsoft Exchange Server Designs and Deployments. This is a panel with Jeff Guillet, Nic Blank, and Sigi Jagott, so I am really looking forward to it. I love panels in general, and my co-presenters are incredibly knowledgeable about the ins and outs of large and small Exchange deployments.
  • Exchange Online Archiving: Notes from the Field. Archiving is one of those topics that isn’t interesting to everyone— but for people who are interested, they tend to be very interested. In this session, I’ll be talking about various aspects of EOA, including what it is, how it works, and how to efficiently move to it.
  • Servicing Microsoft Exchange Server: Update Your Knowledge. This is a joint effort between me and Microsoft’s Brent Alinger. As you may know, he is Mr. Exchange Servicing. I’m really excited to have the chance to be onstage with him. He has some very interesting (dare I say “provocative”) things to say. I consistently find that people misunderstand (or maybe under-understand) how Exchange servicing works and why Microsoft does things the way they do, and I think this session will help shine a brilliant beam of knowledge down from the mothership.

As always, Microsoft has deployed a whole behind-the-scenes infrastructure for managing all this stuff; this year, the system allows attendees to register their session preferences, and we see projected attendee numbers in the speaker portal. When I check these sessions in the speaker portal, all 3 of them are shown as having more enrollees than the currently booked rooms can support— that’s an excellent sign.

Of course, I have to point out that the session schedule is still not 100% set in stone, and sessions may change both times and locations. That’s a good thing, as right now my EOA session is up against Julia White’s keynote, generating the following exchange:

[Image: screenshot of the exchange]

(Just for the record, Julia, you are more than welcome in my sessions, and I promise to come up with better jokes before you arrive!)

In addition to our assigned sessions, Microsoft has asked each speaker to conduct peer review of other presentations. In addition to the sessions I’m presenting, I’m peer-reviewing sessions on Clutter, Office 365 Groups, and SharePoint enterprise search (pretty sure this last assignment was an accident). We’re also all supposed to man the show floor Office 365 booth, plus there are various side events to plan and RSVP for. In particular, if you haven’t yet requested an invitation to the Scheduled Maintenance party, you’d better act quickly; I hear it will introduce a new level of awesomeness.

Apart from my sessions, the only logistical item I have to complete is to book my flights; until the session schedule is finalized, I can’t. While I’d much prefer to fly myself, Microsoft only covers commercial airfare for speakers. I might fly myself anyway, though!

The workload is ramping up quickly as we get closer to the event, but it should pay off with some excellent sessions. I’m looking forward to Ignite– drop by and say hello if you’re there!

Filed under Office 365, UC&C

License usage reporting in Office 365, part 2

If you’ve been wondering where part 2 of my series on reporting in Office 365 was, wonder no more; it just went live this morning.

Filed under Office 365, UC&C