-1

We are looking at deploying the latest version of Office but are having difficulty deciding between Office 365 or Office 2013 volume license. I understand the cost benefits of 365 (and I actually like the user based approach) however I'm having a hard time finding all the info in one place regarding authentication.

I've found an article that describes 3 different auth methods (Office 365 account, DirSync, and ADFS). Ideally I would like to provide as seamless integration as possible so SSO using ADFS is my choice but I don't know much about any of the gotchas that would prevent users from being able to open Office.

I know they have to authenticate every 30 days (with another 30 day grace) to not enter reduced functionality mode, but what about each time Word or Outlook or whatever is opened? Do users' creds need to be verified each time? What if the user wasn't connected to our internal network, or they installed a copy on their home computer, or they didn't have network connectivity at all?

Stefan Lasiewski
MarcLaf
  • It's likely not what you want to hear, but call Microsoft, they are best equipped to answer. – DanBig Apr 30 '14 at 18:21
  • Looked at the post that people claimed this was a duplicate of - not the same at all. Unless you're basing it off the use of the word "license". – MarcLaf May 01 '14 at 13:43

2 Answers

3

All of this is from my real world experience with Office 365 deployments/setups.

We are looking at deploying the latest version of Office but are having difficulty deciding between Office 365 or Office 2013 volume license. I understand the cost benefits of 365 (and I actually like the user based approach) however I'm having a hard time finding all the info in one place regarding authentication.

The first thing I'd want to know is how many users you have. That helps greatly with which version of Office 365 to go with should you choose it over just the standalone Office 2013. There is a sweet spot for each version of Office 365 that is dependent upon number of users. Also, you'll want to look at other factors when making this decision such as cost of on-premise Exchange and the CALs/licensing that goes along with it as well as the server that would run an on-premise Exchange environment and the CALs/licenses associated with it. If you already have your own Exchange environment then I'd look at the cost of upgrading to 2010 or 2013 vs. going with Office 365.

Let me give you a real world example that I recently was involved with setting up and configuring: We had a client that had 20 users and their own Exchange server. The Exchange version was 2003 and the Server was also 2003. This client didn't want to spend a huge chunk of money (as they didn't have it to spend in the first place) on an upgrade but knew that they needed to do something. To upgrade to the newest (at that time Exchange 2013 had just come out and we were going to recommend that) Exchange version as well as the newest Windows Server (2012) version to support this, combined with the CALs they would need for the new server version, the CALs they would need for the new Exchange version, and the purchase cost of buying Server 2012 and Exchange 2013, the price was way more than going with an Office 365 Small Business Plan. The plan we chose for this client was the Office 365 plan that allowed them the newest versions of Office, which you speak of. They chose this option (the regular Office 365 Small Business was around $4-$5), which made their per user price $12 per month, so the per user per year total was $144. Take $144 times 20 users, and you have a grand total of $2880.

Now, this may seem like a lot, but when you compare it to the cost of getting the CALs for both Exchange and Windows Server as well as purchasing each product, and updating Microsoft Office (as 2003 isn't compatible with Exchange 2013), you are talking a grand total of roughly $9000 ($1200 for Exchange CALs, $1200 for Server 2012 CALs, $600-1200 for Exchange 2013, $600-1200 for Server 2012, $6000 for 20 copies of Office 2013 Professional) to $10,000. People would argue that you'd pay for that in 3 years if you are using Office 365 Small Business at $12 per user per month, but they have to factor in the cost of upgrading Exchange during the next version which is coming, along with a potential Server OS and Office Suite upgrade all over again in three years. Also remember that our client was able to get the newest version of Office each time it came out at no additional cost, and the fact that you don't have to have an IT guy there to manage it is a huge plus. If I've way overdone this part of the answer forgive me, but I'd rather over inform you than under inform you. On to the next section.

I've found an article that describes 3 different auth methods (Office 365 account, DirSync, and ADFS). Ideally I would like to provide as seamless integration as possible so SSO using ADFS is my choice but I don't know much about any of the gotchas that would prevent users from being able to open Office.

The three auth methods are correct, however you need an Active Directory domain for two of the three, one of which probably isn't viable unless you're a large enterprise. The Office 365 auth is pretty self-explanatory, it's handled on MS' side and you don't have to worry about much other than resetting the occasional password. The AD directory sync method requires a piece of software to be set up on your domain controllers and literally syncs passwords to Office 365. It requires a little more configuration and ultimately provides a way of SSO, albeit not as good as ADFS. ADFS basically makes a connection from a server running Active Directory Federation Services on your domain to an MS Azure server on the other side. Your password is truly SSO, but let me warn you, if your ADFS server(s) or your WAN connection goes down, there is no way to log on to your Office 365 account until these resources come back up. It is also more secure as it only passes the password response from your AD servers rather than your actual password to the Office 365 side of things. Keep in mind again that if you only have 1 ADFS server and it goes down, your Internet might be perfectly fine, but you will not be able to log in or access anything, as Office 365 queries your ADFS server for a response and if it can't get it then you are screwed until you can fix it. We've been in that boat, and it's not fun. ADFS is traditionally for large enterprises that can create ADFS Farms.

but what about each time Word or Outlook or whatever is opened? Do users' creds need to be verified each time?

No, only when they want to access the online portion will they need to verify their credentials.

I hope I've helped here as I truly enjoy Office 365 and see how it can be a big benefit if thought out correctly from my own experience working with it. Let me know if you need more info.

Brad Bouchard
  • Hi Brad. Thanks for the thorough reply. Here's our info. About 150 users, two geographic sites, AD infrastructure (2 DCs at each site) and will be 2003 functional level after tonight when I decommission our last 2000 DC. We are looking at 365 ProPlus but not the for business one with hosted everything. This is just the 2013 version but with subscription model. Exchange was in house but is now hosted. I think your answer about if the ADFS box goes down then no one uses Office is what I was looking for. Doesn't the program cache creds? It's the SSO that we want but seems like a huge POF. – MarcLaf Apr 30 '14 at 22:53
  • No problem. The programs can cache creds but at that point ADFS isn't what we're talking about because it's geared more for the Exchange portion of Office 365. Individual users can still stay signed in to their OneDrive and Office apps just fine though. Tell me what you're looking for SSO for because again that is for orgs who have cloud Exchange with their own AD environment onsite. Looking forward to your reply. Thanks. – Brad Bouchard May 01 '14 at 02:32
  • Maybe I am getting my information crossed then. The version we are looking at purchasing doesn't have Exchange or OneDrive bundled. Just the core applications and access to the WebApps if needed. I thought users had to sign in to open Word or Excel? The documents from MS seem conflicting (or maybe I'm just not grasping the concepts). RE: SSO, users sign into their desktops/laptops with their domain account/password. We don't want any additional sign-ins to happen when they launch Office applications (Word, Excel, Outlook, etc). That's what the end goal is. – MarcLaf May 01 '14 at 13:39
  • Let me reassure you that your information isn't crossed. You are correct in that creds will be used to validate and open the Office products; however, I just wanted to make sure that you were aware of the pitfalls of ADFS even if the products can cache creds. You have everything else correct. Also, be sure to mark an answer for anything that solved/helped you on this post. I can be reached at any time too for any other questions you might have by emailing bradjbouchard [at] gmail – Brad Bouchard May 01 '14 at 14:23
-1

As you have already read, the user trying to use the Office application needs to authenticate to MS at least once every 30 days, with grace period, blah blah blah. So you can be offline for about a month before there's a problem.

Citation: http://technet.microsoft.com/en-us/library/gg998766(v=office.15).aspx

Users don’t need to be connected to the Internet all the time to use Office 365 ProPlus. However, users must connect to the Internet at least once every 30 days. This is so the status of their Office 365 subscriptions can be checked. If users don’t connect within 30 days, Office 365 ProPlus goes into reduced functionality mode. After users connect to the Internet and their subscription status is verified, all the features of Office 365 ProPlus are available again.

It has nothing to do with connectivity to your office, unless you use a password-sync option that MS can't connect to for that length of time.

Multiple installations (work plus home computer) are explicitly covered in the licensing, which you should read, and ask the vendor for help if you don't understand.

If they don't have network connectivity at all (seriously?), contact MS for this question or just buy a regular Office license.

mfinni
  • Actually, you can run O365 apps without network connectivity. It's a cloud service that's entirely installed on your machine (or some stupid shit like that). Probably won't be able to send or receive many emails, but other than that, it works fine without a network connection. – HopelessN00b May 01 '14 at 14:19
  • Not entirely correct. Of course it runs offline, but you need to be online to activate it and once every 30 days to maintain the activation. http://technet.microsoft.com/en-us/library/gg998766(v=office.15).aspx Bottom of the page. 'Users don’t need to be connected to the Internet all the time to use Office 365 ProPlus. However, users must connect to the Internet at least once every 30 days. This is so the status of their Office 365 subscriptions can be checked. If users don’t connect within 30 days, Office 365 ProPlus goes into reduced functionality mode.' – mfinni May 01 '14 at 14:26
  • The once every 30 days (or rather 60) isn't my main concern. It's the ADFS Achilles Heel that has me concerned and confused. – MarcLaf May 01 '14 at 14:43
  • I'm not sure what your remaining confusion is. Authentication is not required at every opening; if it were, that would be a direct contradiction that O365 can be run while offline for up to 30 days. – mfinni May 01 '14 at 15:13
  • Unless you can configure a highly-available ADFS infrastructure, you'll be much better off going with DirSync. None of my clients are using ADFS for an O365 hybrid, they're using DirSync. – mfinni May 01 '14 at 15:14