Author: Jeremy_MSFT
Originally published to the Office 365 Preview blog.

If you are coming from a software or desktop deployment background, Office 365 ProPlus will change the way you think about software distribution. Many people will be asking, “Where are the bits?” or “Just give me the ISO file and I’ll extract everything and figure it out.” The big difference here is that Office 365 ProPlus is pivoted on the user, not the device, so the first task you’ll usually need to do is populate user accounts in the administrator portal of Office 365. User accounts will have the rights to install up to five copies of Office 365 ProPlus and can de-provision and reassign licenses if they cycle through computers.

Office 365 ProPlus provides several administrative options to determine how users are provisioned in the Office 365 ProPlus service, which service components are made available to users, and how to distribute and manage Office 365 ProPlus desktop applications. The administration process for Office 365 ProPlus begins with an assessment of your current Office environment; then users are added to the service, and Office 365 ProPlus applications are configured and deployed. Office 365 ProPlus introduces new tools to manage client health; these tools, collectively known as Office Telemetry, are an integral part of Office.

Because Office 365 ProPlus is a service and pivoted on the user account, it gives users new access to personalized Office experiences across PCs or on computers they may be using temporarily. The goal is to ensure users are productive as long as they can connect to the service. All of these concepts are predicated on identity management and having a single address and set of user credentials to access these experiences. IT organizations can choose to integrate with their directory services, regularly synchronize Office 365 accounts with their user base, perform bulk list imports periodically or manually provision users.

Office provisioning in Office 365 ProPlus brings new capabilities to ensure users are quickly up and running with Office programs. Deployment options include all of the standard approaches from standalone installations using enterprise software distribution to Windows image-based deployments, but the service also enables new scenarios supported by Internet-based installation and software update support. An IT organization can decide to perform most tasks using their network or use Office 365 cloud services to augment Office desktop app provisioning and software update management.

Provisioning Users and Activation Basics

Office 365 ProPlus activation is tied to the user account, so the account needs to be provisioned and configured to access Office 365 ProPlus services in order for Office programs to remain in an activated state. The Office applications continually check the user’s Office 365 account status, so that if a user is de-provisioned by their administrator (for example, because the user leaves the organization), Office 365 ProPlus programs can quickly move to a de-activated state. This is increasingly important with the consumerization of IT and users having the ability to install Office on personally-owned PCs and devices. Office, and the state of that service, is tied to the organization the user works for, so the administrator needs the ability to turn that service on or off.

Office 365 ProPlus is designed with a few important activation grace periods to provide flexibility in automated deployment scenarios and for when users go offline for extended periods of time. An IT administrator can preinstall Office in a Windows operating system image and reset the activation state if required using ospprearm.exe found in %programfiles%\Microsoft Office\Office15 (no longer the previous location of %programfiles%\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform).

An installation of Office 365 ProPlus provides 5 days of use in the initial grace period before a Microsoft Online Services ID is required. Once Office 365 ProPlus is activated, it can go as long as one month without connecting to the online service to rearm activation. If a user exceeds one month and Office 365 ProPlus is de-activated, the user will only need to reconnect to the Internet with a valid user account to rearm the activation. The expectation with the service is that PCs connect to the Internet at least once per month, and that activation processes run in the background and are never seen by the user.

The next section goes into detail about identity management in Office 365, and if you are an existing Office 365 user, most of this should look pretty familiar.

Microsoft Online Services ID in Office 365

One of the first things people will notice with Office 365 ProPlus is that they now sign in to Office programs. The sign-in is typically a one-time operation after Office is installed, and users will be asked to input an “Organization or School” ID to begin using Office. This ID, as previously described, is part of the process for software activation and facilitates the concept of roaming settings per user.

Sign in to Office Dialog in Office 365 ProPlus

For an IT administrator, this typically means a number of things need to happen before a user is greeted with the dialog.

- In the Office 365 tenant, the User Principal Name (UPN) and required attributes have been entered,
- the account has been provisioned for Office 365 ProPlus, and
- the user has received some form of communication to inform her that she has an account with Office 365 and will need to set an Office 365 password in cases where Office 365 is implemented without Active Directory Federation Services to enable single sign-on.

Users may be manually entered by the administrator or entered via CSV file list import. Once she launches an Office program for the first time, she will need to enter her username and password; Office 365 ProPlus will then activate and sign in to her personalized settings. If the user is the first person to sign in to an Office 365 ProPlus program on a PC, that installation, once complete and signed in to, will be tallied against the five PC per user installation count. This is important for administrators, because it means they should not use their own administrator Office 365 credentials to activate Office installs on behalf of their users, as they will quickly reach their five PC limit. After that initial experience and login, the user can roam from PC to PC within her organization using the same username and password to present her personalized settings. If she is not the first person to log into Office 365 ProPlus and activate for that PC, the activation will not be tallied against her count of five PCs.
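The tallying rule above and the grace periods from the activation section can be modeled in a few lines to audit who is consuming installs. This is an added example, not code from the original post or from Microsoft; the event format, account names, state names, the 30-day approximation of "one month" and the inclusive boundaries are all assumptions.

```python
from collections import defaultdict
from datetime import date, timedelta

INSTALL_LIMIT = 5                     # installs per user (from the article)
INITIAL_GRACE = timedelta(days=5)     # use before an ID is required (from the article)
OFFLINE_WINDOW = timedelta(days=30)   # "one month", approximated as 30 days (assumption)

# Constructed sample sign-in events: (date, pc, user). Not a real export format.
SAMPLE_EVENTS = [
    (date(2012, 7, 16), "PC-01", "admin@contoso.example"),
    (date(2012, 7, 16), "PC-02", "admin@contoso.example"),
    (date(2012, 7, 17), "PC-03", "admin@contoso.example"),
    (date(2012, 7, 17), "PC-04", "admin@contoso.example"),
    (date(2012, 7, 18), "PC-05", "admin@contoso.example"),
    (date(2012, 7, 19), "PC-01", "alice@contoso.example"),  # roaming, not tallied
    (date(2012, 7, 20), "PC-06", "bob@contoso.example"),    # first on PC-06, tallied
]

def tally_installs(events):
    """Return {user: [pcs]}, counting only the first sign-in on each PC."""
    first_on_pc = {}
    for _day, pc, user in sorted(events, key=lambda e: e[0]):  # stable by date
        first_on_pc.setdefault(pc, user)
    tally = defaultdict(list)
    for pc, user in first_on_pc.items():
        tally[user].append(pc)
    return dict(tally)

def at_limit(tally, limit=INSTALL_LIMIT):
    """Accounts that have used up their installs, e.g. an admin activating for others."""
    return sorted(u for u, pcs in tally.items() if len(pcs) >= limit)

def activation_state(installed, last_online_check, today):
    """Classify one install; last_online_check is None if nobody has signed in yet."""
    if last_online_check is None:
        within = today - installed <= INITIAL_GRACE
        return "grace" if within else "sign-in required"
    within = today - last_online_check <= OFFLINE_WINDOW
    return "activated" if within else "de-activated"

if __name__ == "__main__":
    tally = tally_installs(SAMPLE_EVENTS)
    for user, pcs in sorted(tally.items()):
        print(f"{user}: {len(pcs)}/{INSTALL_LIMIT} installs ({', '.join(pcs)})")
    print("at limit:", at_limit(tally))
```

In the sample, the administrator account reaches the limit after five PCs while the user who later signs in on PC-01 consumes nothing, which is the situation the paragraph above tells administrators to avoid.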

Synchronizing Active Directory with Directory Sync Tools

Directory synchronization with an Active Directory service is often a better way to populate UPNs and attributes in the Office 365 identity store. This is a service which runs within your organization’s Active Directory environment and synchronizes user objects every three hours. You still need to provision users with the rights to use the desired Office 365 services, such as Office 365 ProPlus, in order for users to self-install Office 365 ProPlus or activate Office programs installed on their behalf by IT administrators. More information about Office 365 and Directory Synchronization can be found on TechNet.

Microsoft Online Services Directory Synchronization tool

Federating Active Directory with Office 365

Identity federation in Office 365 allows users to access Office 365 services, activate their Office 365 ProPlus installations and roam their user settings with existing Active Directory corporate credentials (user name and password).

The setup of single sign-on requires Active Directory Federation Services (AD FS) 2.0. The advantages of using identity federation are that users only need to memorize one set of credentials, all authentication happens on your organization’s premises and adheres to your policies, administrators can control access to services, user credentials are stored and mastered on-premises, and multi-factor authentication is possible. More information about identity federation can be found in the Prepare for single sign-on article on the Office 365 support site.

The number of options available means there is most likely a method that best serves your needs. There isn't a one-size-fits-all solution, because customer needs and security policies vary. While most of these options are rooted in the current in-market Office 365 service, many more options and optimizations are coming across the tools and services, plus there are a few partner offerings to assist with user provisioning and authentication.