[Yada Yada Cloud] Choosing from Exchange On-prem vs Exchange Online: The never ending story? – Part I
Continuing the cloud discussion, an interesting theme to review is each organization's suitability and readiness for Office 365. I want to expand on that with a comparison of Exchange Online and Exchange On-Prem, reviewing the most common points that come up when I evaluate Office 365 migration as an alternative.
This is going to be a two part article covering the top 8 discussion topics that come up when organizations need to choose between Exchange On-Prem and Exchange Online. Each topic includes the Exchange on-prem side of the discussion as well as the Exchange Online side, and I'll add my own opinion and thoughts on each.
As an initial disclaimer I must say that it is my firm belief that Office 365, like pretty much any technology available, is not a silver bullet. There is no single final truth that all organizations will apply, and that is what makes this conversation valuable and rich.
“Not only are there no silver bullets now in view, the very nature of software makes it unlikely that there will be any –no inventions that will do for software productivity, reliability, and simplicity what electronics, transistors, and large-scale integration did for computer hardware.”
To download the full publication, access this link (PDF).
1. Office 365 forces customers to update the software frequently to stay functional.
This is the initial complaint I hear from customers when we talk about a new Office 365 environment.
Let's start with a quick review of the Exchange on-premises perspective:
- Updates are out of our control: if Microsoft releases an update that clients need in order to work with O365, we have no option but to install it.
- Critical updates might be released during a company's fiscal year end or another sensitive week, and could have a huge business impact.
- Desktop client updates can be time consuming and expensive for IT admins, the Help Desk, etc. Microsoft released over 300 updates for Office 365 within a single year.
Microsoft's update model for Office 365 ProPlus on a monthly basis
And from the Exchange Online perspective:
- Updates are required for on-premises scenarios as well. Any security update released by Microsoft should be addressed in a timely fashion.
- Microsoft's update management platforms, WSUS and SCCM, already support Office 365 clients, so you can update them with your own methods and schedule.
Check the following links for more information: "Office 365 Client Updates via WSUS" and "Manage updates to Office 365 ProPlus with System Center Configuration Manager".
- If you depend on Outlook 2003 or 2007 and are not able to update it, you probably have a bigger problem to face than Exchange Online.
- Client deployments are easily managed with Click-to-Run for Office 365.
Click-to-Run is a technology built on the App-V principles of application virtualization and streaming. The Click-to-Run process can be started on demand by the user (accessing the website and/or installer) or deployed with an automated method that starts the application streaming, making the Office 365 client components available rapidly.
Following the application virtualization model, a Click-to-Run Office 365 deployment runs isolated from other Microsoft Office versions already installed on the client OS, so no conflicts appear.
Click-to-Run, like previous versions of Microsoft Office, lets you use the configuration.xml file for customizations. For more information: "Reference: Configuration options for the Office Deployment Tool".
Click-to-Run also allows an automated deployment to one or several computers using local content for the installation files (the components that are streamed to the client), instead of each client downloading those components from the Internet. Check the following link: "Deploy Office 365 ProPlus from a local source".
A couple of considerations regarding Click-to-Run: Click-to-Run products are installed only on the system drive, which is typically drive C, and you cannot customize the installation location. Also, Click-to-Run enables automatic updates for its products by default; this option can be modified using the configuration.xml file.
- Migrating to Exchange Online should be the only big and final migration an organization experiences. Migrating between different Exchange On-prem versions can have larger impacts.
- Tying the productivity experience to old application versions reduces the chance of innovating and offering improved experiences.
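As an added example (not code from the original post), the following PowerShell builds an Office Deployment Tool configuration.xml that installs Office 365 ProPlus from a local share and keeps automatic updates enabled but sourced from a share IT controls, which addresses the "updates are out of our control" complaint without disabling security fixes. The share paths, the tool directory and the channel name are assumptions for illustration.

```powershell
# Added example (not from the original post): build an Office Deployment Tool
# configuration.xml for a local-source Click-to-Run install with IT-controlled updates.
# Assumed/placeholder values: \\fileserver\Office365 (install source),
# \\fileserver\Office365\Updates (update source) and C:\ODT (where setup.exe lives).

$ToolDir    = 'C:\ODT'                           # folder the ODT setup.exe was extracted to (assumed)
$SourcePath = '\\fileserver\Office365'           # local install source share (placeholder)
$UpdatePath = '\\fileserver\Office365\Updates'   # local update source share (placeholder)
$ConfigFile = Join-Path $ToolDir 'configuration.xml'

$config = @"
<Configuration>
  <!-- SourcePath: clients stream the Click-to-Run bits from the share, not from the Internet -->
  <Add SourcePath="$SourcePath" OfficeClientEdition="32" Channel="Deferred">
    <Product ID="O365ProPlusRetail">
      <Language ID="en-us" />
    </Product>
  </Add>
  <!-- Updates stay enabled so security fixes keep flowing, but they come from the
       internal share: IT decides when a new build is staged there (the safer setting
       compared with Updates Enabled="FALSE", which silently freezes clients on old builds) -->
  <Updates Enabled="TRUE" UpdatePath="$UpdatePath" />
  <!-- Silent install for automated deployment -->
  <Display Level="None" AcceptEULA="TRUE" />
</Configuration>
"@

Set-Content -Path $ConfigFile -Value $config -Encoding UTF8

# Step 1 (run once from an admin workstation): download the install bits to the share
& (Join-Path $ToolDir 'setup.exe') /download $ConfigFile

# Step 2 (run on each client, e.g. via SCCM or a startup script): install from the share
& (Join-Path $ToolDir 'setup.exe') /configure $ConfigFile
```

Staging a new build means running the /download step again against the same configuration.xml; clients then pick it up from UpdatePath on their next update check.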
My personal opinion:
Most organizations that raise this topic are usually experiencing challenges updating their client platforms for reasons that go beyond their productivity suite (for example, as mentioned, depending on legacy applications that no one can update). It is never a good idea to depend on old and outdated software.
Additionally, for any change to succeed, user adoption is critical. Organizations therefore need to assess and understand their productivity use cases in order to create the proper training. If your organization can't or won't face this change and training, then migrating to Office 365 will become more of a problem than a solution.
2. Larger mailboxes: our salvation or our downfall?
Whether you are talking about going to Exchange Online or you've been on-premises for several years, this is a discussion that most messaging admins have had and still have to this day.
Reviewing the Exchange on-premises arguments:
- The large mailboxes offered by Exchange Online can be a liability; the IT / Exchange admins end up being accountable for all the data in every inbox. Let's force users to keep only work-related content in their mailbox.
- Forcing users to manage their own mailbox and delete their own data is a far simpler solution.
- If we absolutely need to, we can provide large mailboxes on our own terms. Buying more disks for my Exchange servers is not that expensive.
- We can provide an on-premises archive solution to mitigate large mailboxes or meet compliance requirements.
And from the Exchange Online side:
- Too much corporate data is spread across PSTs on local or external drives or shared folders. PSTs are the real liability!
- Having data always available online gives users a simpler way to handle their historical mailbox data.
- Compliance is easier with Office 365.
- Implementing an archive solution can be really complex and costly to operate and maintain.
Office 365 offers several compliance options; the most important are In-Place Archive, In-Place Hold and Litigation Hold. Exchange 2016 offers pretty much the same capabilities, but they are usually harder to implement and maintain than just enabling these features within O365.
In-Place Archive provides additional storage space for mailbox data. It appears alongside the user's primary mailbox folders in Outlook or Outlook Web App. Microsoft offers 50GB in addition to the 50 or 100GB mailbox (depending on the plan), and additional space can be provided if required. The archive costs $3.00 per user / month.
Litigation Hold is normally used when you want to put an entire mailbox on hold. It preserves all data in the mailbox, including deleted items and the original versions of modified items. This option is usually what legal departments need. For more information: "Place a mailbox on Litigation Hold" (the option is also available in Exchange 2016: "In-Place Hold and Litigation Hold in Exchange 2016").
In-Place Hold allows administrators to create holds based on different criteria, such as keywords, which can be applied to several mailboxes with the same criteria.
Combined with these options, Office 365 includes eDiscovery, which, when In-Place Hold is enabled, gives administrators a single pane where searches are defined and results are continuously updated. For more information: "Manage eDiscovery cases in the Office 365 Security & Compliance Center".
eDiscovery searches are defined as "cases", where we define the keywords and the locations to search. The "Search everywhere" option includes mailboxes and SharePoint sites.
This option is also available in Exchange 2016: “In-Place eDiscovery in Exchange 2016”.
Curious fact: Microsoft states that it saves $4.5M every year on eDiscovery by reducing the manual work of discovery requests: "Microsoft saves $4.5 million annually using Office 365 eDiscovery".
My personal take on the large mailbox dilemma between on-prem and online:
Being accountable for every email and item in each user's mailbox could be madness, and the same applies to PSTs: it is almost impossible for an IT department to track and own these files scattered everywhere. The mailbox size discussion is usually related to each organization's culture; several times I've heard IT admins complain that most users demand mailbox quota increases without any specific reason beyond "if you don't increase the mailbox size, I'm not productive and you are disrupting the business".
Exchange on-prem, no matter whether the organization is big or small, requires clear policies and defined, respected mailbox quota profiles.
The questions I usually ask back are: "How much time, effort and money are you spending on that accountability?" and "Would you rather transfer the responsibility for keeping that data to Exchange Online?"
Granted, there are some scenarios and organizations that indeed have compliance or security issues with using Office 365 (we'll talk about them too). Sometimes those cases are suitable for a hybrid Exchange approach: some particular mailboxes need to stay on-prem, while others are easier and cheaper to maintain online.
3. Basic email is the only feature needed; no need to pay for the additional features or workloads available with Office 365
Let's take a quick look at the scenarios where organizations are simply happy with the email functionality provided by Exchange on-prem.
Here are the Exchange on-prem arguments:
- Why do we need additional workloads if the organization just needs email? Why pay extra for features we will not use? Exchange on-prem already provides high availability scenarios and reliable parameters to guarantee a solid Service Level Agreement (SLA).
- Microsoft pushes collaboration platforms like SharePoint or Yammer when our organization is not interested; everything they need is provided by email.
- Collaboration activities can be provided by Facebook; all of our users are already using it and talking on that platform.
- Exchange on-prem is a reliable platform; we know how to operate it correctly and it does not surprise us with inconsistent behavior.
For the Exchange Online side:
- Exchange Online includes high availability, load balancing, security, Data Loss Prevention (DLP), anti-spam and anti-malware, etc. All of those messaging-related components come at one price.
Exchange Online Protection (EOP) provides all these security capabilities and is included by default with all Exchange Online subscriptions. EOP can also be acquired as a standalone service and used with an Exchange on-prem implementation.
- Office 365 offers predictable cost. Even if you just need email, there are variable costs associated with maintaining, operating and, when necessary, upgrading an on-prem platform.
- In the near future, some innovations in the email platform will apply only to Exchange Online and not to on-prem.
- Regarding security concerns, Office 365 has built-in protections that make it more secure than most Exchange on-prem implementations.
- You don't have to worry about ensuring the Exchange backend platform is functional; that's Microsoft's responsibility.
Here's my personal view on this topic:
I've engaged with organizations with a genuine lack of interest in renovating their messaging platform, sometimes because their users are fairly static and simple email consumers, or because their user count is fairly small. In most of those cases they rely on an old Exchange version, and the messaging platform is not a core, critical service for their business.
Trying to convince these types of business that Office 365 is the right answer for them might not be right. Having said that, for organizations running outdated versions of Exchange, running an unsupported version represents a clear risk that they need to assume. Sometimes the "low operational cost" they mention for the Exchange platform is not 100% accurate; the probability of those risks (such as a security breach, an unstable platform, etc.) and their impact should be quantified and included in that cost.
And we should always remember that organizations can acquire just Exchange Online without paying for other features like SharePoint, Yammer, Delve, etc.
4. Office 365 has a nonexistent backup strategy; Exchange on-prem backups provide an additional guarantee
When this topic comes up and someone involved in the auditing process is present, it's usually a difficult topic to handle if Office 365 shows up as the main alternative.
The Exchange on-prem admins' arguments:
- An offsite backup policy is established within our organization; we are required to have a backup available in one of our sites for audit compliance or fraud investigation.
- Auditors tend to have a "boolean" view of policies: either you have a backup or you don't.
- We have had cases of an executive requiring recovery of an email he/she deleted 3 months ago. Our cold backups can provide that.
- We just need the comfort of having a backup available.
- Human error applies to Exchange Online admins as well, and we don't have any control over that infrastructure.
For the Exchange Online discussion:
- That's correct, Office 365 doesn't make backups; Native Data Protection is the answer to that. Exchange Online does not need backups when multiple database copies are replicated to different datacenters.
So, what exactly is the Native Data Protection included in Exchange Online? This feature appeared in Exchange 2010 and basically relies on Database Availability Group (DAG) database replication. The databases and their associated logs are replicated between the Exchange servers that are members of the DAG. The idea behind it was to reduce the cost of Exchange backups and provide the alternative of eliminating them completely.
Native Data Protection for Exchange Online also uses lagged database copies. With this feature, any change to a database is delayed (by a customizable period of time in Exchange on-prem) before it is committed to the lagged copy. Exchange Online, unofficially, has a 7-day delay for lagged copies. This means that for any database corruption (logical or hardware based) there is a point in time prior to the corruption or loss.
Sample diagram of an Exchange DAG with active, passive and lagged databases.
Unofficially, Microsoft keeps 6 database copies for the Exchange Online servers. These databases are distributed, by default, across 2 datacenters within the same region, but some regions have the databases replicated across 4 different datacenters.
- Exchange Online offers the capability to configure deleted item retention to restore deleted emails, single item recovery, and retention tags and policies to easily customize the platform.
So, what happens when a user deletes an email? If the mailbox does not have In-Place Hold or Litigation Hold enabled, when the user deletes an item it is kept in the Deletions subfolder of the Recoverable Items folder. Items remain in this folder until the user manually removes them or until they are automatically removed by retention policies. In Exchange Online, after an email is deleted it stays there for 14 days by default; this can be modified up to a maximum of 30 days, for more information check: "Change how long permanently deleted items are kept for an Exchange Online mailbox". Exchange on-premises allows a maximum of 24,855 days, or the equivalent of 68 years (?!), to be set as the retention period.
One of the features evaluated by the Exchange Online team at Microsoft was allowing an unlimited number of days to recover items, unless the user manually removes them. It's still unconfirmed whether this feature will be enabled at some point.
But if the mailbox has In-Place Hold or Litigation Hold enabled, the purging of deleted items stops and all the content in that mailbox is preserved. Additionally, copy-on-write page protection is enabled for the mailbox. Copy-on-write page protection creates a copy of the original item before any modifications are written to the Exchange store.
Workflow overview of a message life cycle:
- In-Place Hold and Litigation Hold are the easy way to resolve backup concerns. With that approach, you are guaranteed to keep all items for selected or all mailboxes.
- Destructive PowerShell cmdlets are not accessible to Office 365 tenant admins. No one at Microsoft has standing admin access.
My personal review of this topic:
As mentioned, this can be a difficult topic to engage with when there's a hard requirement for offsite backups and/or audit compliance, because depending on the point of view, some could assert that Office 365 doesn't have the same capabilities as an on-prem solution.
The initial response to that requirement is that you can enable In-Place Hold and Litigation Hold and you are fulfilling the need for mailbox backups (I've heard this recommendation from Microsoft as well). This solution still does not fit organizations that require owning the backups at a different site.
Sometimes I hear organizations ask: "What happens if there's a massive earthquake that takes down a whole Microsoft region with all its datacenters?" If that's the case, we probably have a world catastrophic event, considering that these datacenters are built and regulated to withstand earthquakes, flooding, fire and most intentional and unintentional disasters. It is far more likely that a simultaneous event affecting your datacenter and your offsite backup location will occur before that catastrophic scenario.
The protection offered by Microsoft within Office 365 and Exchange Online is among the highest and most reliable in the market; that concept alone is the backbone of their cloud services. If customers' data were lost or became unavailable, how could Microsoft and other companies profit from these solutions?
In the second post I'll cover some of the additional discussions related to Exchange On-Prem vs Exchange Online, including: the challenges of inconsistent Internet connections; on-prem collaboration platforms already built and integrated; Office 365 service availability and monitoring; and compliance and legal issues. And yes, we will have some comments regarding the "Public Folders" scenarios.
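As an added example (not code from the original post), the following Exchange Online PowerShell puts the retention and hold features described in sections 2 and 4 into practice: it raises deleted item retention from the 14-day default to the 30-day maximum, enables single item recovery, places a Litigation Hold and a keyword-based In-Place Hold, and then reports mailboxes that are still unprotected. It assumes an Exchange Online remote PowerShell session is already open with the Organization Management and Discovery Management roles; the identities and the hold duration are placeholders.

```powershell
# Added example (not from the original post). Assumes an open Exchange Online remote
# PowerShell session. Placeholder identities: legal@contoso.com, finance-team.

# 1. Deleted item retention: 14 days is the Exchange Online default, 30 is the maximum.
#    SingleItemRecovery keeps items a user purges from Recoverable Items until the
#    retention period expires, instead of losing them immediately.
Get-Mailbox -ResultSize Unlimited |
    Set-Mailbox -RetainDeletedItemsFor 30 -SingleItemRecoveryEnabled $true

# 2. Litigation Hold on one mailbox: preserves everything, including deleted items and
#    the original versions of edited items. Duration in days is a placeholder (about
#    7 years); omit -LitigationHoldDuration for an indefinite hold.
Set-Mailbox -Identity 'legal@contoso.com' -LitigationHoldEnabled $true -LitigationHoldDuration 2555

# 3. In-Place Hold driven by a keyword query, applied to several mailboxes at once
#    (members of the placeholder distribution group 'finance-team').
New-MailboxSearch -Name 'Project-X-Hold' `
    -SourceMailboxes 'finance-team' `
    -SearchQuery 'Project X' `
    -InPlaceHoldEnabled $true

# 4. Audit: mailboxes still on a retention window below 30 days with no hold at all.
#    RetainDeletedItemsFor comes back as "dd.hh:mm:ss" text over remoting, so it is
#    cast to a TimeSpan before comparing.
function Get-UnprotectedMailbox {
    Get-Mailbox -ResultSize Unlimited |
        Where-Object {
            ([TimeSpan]"$($_.RetainDeletedItemsFor)").TotalDays -lt 30 -and
            -not $_.LitigationHoldEnabled -and
            -not $_.InPlaceHolds
        } |
        Select-Object DisplayName, RetainDeletedItemsFor, SingleItemRecoveryEnabled, LitigationHoldEnabled
}
Get-UnprotectedMailbox | Format-Table -AutoSize

# 5. What is actually sitting in Recoverable Items for one mailbox
#    (Deletions, Versions and Purges subfolders), useful when answering a recovery request.
Get-MailboxFolderStatistics -Identity 'legal@contoso.com' -FolderScope RecoverableItems |
    Select-Object Name, ItemsInFolder, FolderSize
```

Step 4 is the check worth scheduling: a mailbox that is neither on hold nor on the 30-day window is the one where a deleted message really is gone after two weeks.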