Office 365 Multi-Geo Part03 (Configuring)

This is part 3 of the series, covering the technical steps for enabling Multi-Geo in Office 365.


Part 1: Get Started

Part 2: Planning and recommendation

Part 3: Configuration

Let’s ensure that we have the following in place before we get started.

  1. The Office 365 Multi-Geo capability is added to the tenant. As the introductory article stated, this capability is an optional user-level service plan. If you have worked closely with your account team, this may already be in place.
  2. Test users are created and ready to use.

If Multi-Geo is enabled, a new “Geo locations” tab should now appear under Settings in the SharePoint and OneDrive admin centers.

To add a new geo location, open the SharePoint admin center and navigate to the Geo locations tab. Click Add location, select the location that you want to add, and then click Next. Type the domain that you want to use with the geo location, click Add, and then click Close.

Every new location that you add here is called a “satellite location”; the location the tenant was originally provisioned in is the central location.


If everything went well, you will receive an email notification a few hours after provisioning completes. Provisioning can take up to 72 hours, depending on the size of your tenant.

Once the new geo location appears in blue on the map on the Geo locations tab in the OneDrive admin center, you can proceed to set users’ preferred data location to that geo location. A new satellite location starts with the default settings, which gives you the freedom to localize it as your compliance needs require.

After enabling the satellite locations, it is recommended to set the Preferred Data Location (PDL) for every user in the directory. Azure AD has two types of identities, cloud-only and synchronized, and each requires a different procedure for setting the PDL.

Setting PDL for cloud-only users (Azure AD users)

Cloud-only users are user objects that are not synchronized from an on-premises AD. You set the PDL for these users with Azure AD PowerShell; this procedure requires the Azure Active Directory Module for Windows PowerShell (MSOnline).

  1. Launch Microsoft Azure Active Directory Module for Windows PowerShell

Run the following line and enter the admin credentials for your Office 365 tenant.

Connect-MsolService

  2. Now run the next line to set the PDL for a specific user. The value is the three-letter geo code of a location configured in the tenant (AUS here).

Set-MsolUser -UserPrincipalName manoj@mantoso.onmicrosoft.com -PreferredDataLocation AUS

  3. To confirm that the change took effect, read the value back with the following command. It should return the new PDL.

(Get-MsolUser -UserPrincipalName manoj@mantoso.onmicrosoft.com).PreferredDataLocation

Notes: When creating new users, it is recommended that you include the PDL-setting command at the end of the provisioning workflow, so that you do not have to do it as a separate task.

For a user whose OneDrive has not been provisioned yet, wait at least 24 hours after setting the PDL to allow the change to propagate in the backend. This ensures that the OneDrive site is provisioned in the correct geo location for that user.
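The single-user commands above scale poorly once you have to stamp a PDL on every cloud-only user in the directory. The following script is an added example, not code from the original post: it reads user-to-geo assignments from CSV, refuses geo codes that are not configured in the tenant, skips synchronized users (whose PDL has to come from on-premises AD), and reads each value back the way step 3 does. It stays with the MSOnline module the post uses and assumes Connect-MsolService has already been run as an admin; the tenant name mantoso.onmicrosoft.com, the user names and the list of configured geo codes are placeholders for your own tenant.

```powershell
# Added example, not code from the original post: assign PreferredDataLocation (PDL)
# to a list of cloud-only users and read each value back to confirm it.
# Assumptions: the MSOnline module is installed and Connect-MsolService has already
# been run as a tenant admin; the tenant name mantoso.onmicrosoft.com, the user names
# and the geo codes below are placeholders for your own tenant.

# Geo codes of the central and satellite locations configured in this tenant (assumption).
$ConfiguredGeos = @('NAM', 'EUR', 'AUS')

# Constructed sample input. In practice: $Assignments = Import-Csv .\pdl-assignments.csv
$Assignments = @'
UserPrincipalName,PreferredDataLocation
manoj@mantoso.onmicrosoft.com,AUS
alice@mantoso.onmicrosoft.com,EUR
bob@mantoso.onmicrosoft.com,XYZ
'@ | ConvertFrom-Csv

function Set-PdlFromList {
    param(
        [Parameter(Mandatory)] [object[]] $Rows,
        [Parameter(Mandatory)] [string[]] $AllowedGeos
    )

    foreach ($row in $Rows) {
        $upn = $row.UserPrincipalName.Trim()
        $pdl = $row.PreferredDataLocation.Trim().ToUpper()
        $result = $null

        if ($AllowedGeos -notcontains $pdl) {
            # The service would reject an unknown code anyway; failing early keeps the report clear.
            $result = 'Skipped: geo not configured in tenant'
        }
        else {
            $user = Get-MsolUser -UserPrincipalName $upn -ErrorAction SilentlyContinue
            if (-not $user) {
                $result = 'Skipped: user not found'
            }
            elseif ($user.ImmutableId) {
                # A non-empty ImmutableId means the object is synchronized from on-premises AD;
                # its PDL must be set there, not with Set-MsolUser.
                $result = 'Skipped: synchronized user, set PDL on-premises'
            }
            elseif ($user.PreferredDataLocation -eq $pdl) {
                $result = 'Already set'
            }
            else {
                try {
                    Set-MsolUser -UserPrincipalName $upn -PreferredDataLocation $pdl -ErrorAction Stop
                    # Read the value back, as the post does for a single user.
                    $after = (Get-MsolUser -UserPrincipalName $upn).PreferredDataLocation
                    $result = if ($after -eq $pdl) { 'Set' } else { "Mismatch: read back '$after'" }
                }
                catch {
                    $result = "Failed: $($_.Exception.Message)"
                }
            }
        }

        [pscustomobject]@{ User = $upn; RequestedPdl = $pdl; Result = $result }
    }
}

# Run and show the report. Users without a OneDrive yet should still be given at least
# 24 hours before they first open OneDrive, so the site is provisioned in the right geo.
Set-PdlFromList -Rows $Assignments -AllowedGeos $ConfiguredGeos | Format-Table -AutoSize
```

Keep the report: a row that reads Mismatch or Failed is a user whose OneDrive may later be provisioned in the wrong geo, which is exactly the class of mistake the 24-hour wait is meant to prevent.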

Setting PDL for Synchronized users (Hybrid Users)

Setting the preferred data location for hybrid users is a lengthier process and is well explained in this post.
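For synchronized users the PDL is not set in the cloud at all: you stamp the on-premises attribute msDS-preferredDataLocation on the AD user and let Azure AD Connect write it to the cloud user’s PreferredDataLocation. The following is an added example, not code from the original post or the post it links to. It assumes the AD schema contains msDS-preferredDataLocation (Windows Server 2016 schema or later), that Azure AD Connect is version 1.1.524.0 or later with that attribute enabled in its synchronization rules, that the ActiveDirectory RSAT module is available, and that the sync cycle is triggered on the Azure AD Connect server itself; the user manoj and the domain mantoso.com are placeholders.

```powershell
# Added example, not from the original post: set PDL for a synchronized (hybrid) user
# by stamping msDS-preferredDataLocation on-premises and letting Azure AD Connect sync it.
# Assumptions: AD schema includes msDS-preferredDataLocation (Server 2016 schema or later),
# Azure AD Connect 1.1.524.0+ with the attribute enabled in its sync rules, RSAT AD module
# installed, and this is run on (or the sync step on) the Azure AD Connect server.

Import-Module ActiveDirectory

function Set-OnPremPdl {
    param(
        [Parameter(Mandatory)] [string] $SamAccountName,
        # Three-letter geo code, e.g. AUS; the same codes the cloud side accepts.
        [Parameter(Mandatory)] [ValidatePattern('^[A-Z]{3}$')] [string] $Geo
    )

    $user = Get-ADUser -Identity $SamAccountName -Properties 'msDS-preferredDataLocation'
    if ($user.'msDS-preferredDataLocation' -eq $Geo) {
        return "$SamAccountName already has PDL $Geo"
    }

    # -Replace overwrites any previous value; -Add would fail on a single-valued attribute
    # that is already populated.
    Set-ADUser -Identity $SamAccountName -Replace @{ 'msDS-preferredDataLocation' = $Geo }
    return "$SamAccountName PDL set to $Geo on-premises; it reaches Azure AD on the next sync cycle"
}

Set-OnPremPdl -SamAccountName 'manoj' -Geo 'AUS'

# Trigger a delta sync rather than waiting for the scheduler (run on the Azure AD Connect server).
Import-Module ADSync
Start-ADSyncSyncCycle -PolicyType Delta

# Once the cycle has finished, confirm on the cloud side, as the post does for cloud-only users.
(Get-MsolUser -UserPrincipalName 'manoj@mantoso.com').PreferredDataLocation
```

If the value never appears in Azure AD, check that the attribute is not filtered out in the Azure AD Connect synchronization rules before suspecting the cloud side; Set-MsolUser will not help for a synchronized object.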

Search Experience in a Multi-Geo Setup

In a Multi-Geo setup every geo location has its own search index (a familiar term if you are a SharePoint person). When a search query is issued, the results are returned as a merged result set from all indexes, which means all the satellite locations we added work together behind the scenes.


The following search clients are supported in a Multi-Geo setup:

  • OneDrive for Business
  • Delve
  • The SharePoint home page
  • The Search Center
  • Custom search applications that use the SharePoint Search API

Consult this detailed article to understand and configure the search experience in a Multi-Geo setup.

End user experience validation

Validation is of utmost importance before you roll the change out widely across the organization. The following are key scenarios to try out with test users before enabling it for everyone.

OneDrive Portal

Open OneDrive from the Office 365 App Launcher. You should be directed to the defined geo location automatically, and the service will begin provisioning your OneDrive in that location. After provisioning, upload and download some files and ensure everything works as expected.

OneDrive App

Use a mobile device to sign in to the OneDrive app with the test account that you used to upload the files, and verify that the files are available on the device and that you can perform actions on them.

OneDrive Client

Use a laptop or desktop to verify that the OneDrive sync client works as expected. You can get the latest client by opening the OneDrive library and clicking “Sync”; this prompts you to download the client if it is not already installed on the device.

Office Integration

Open Word or Excel and check that your OneDrive location appears there. Save a file to OneDrive from the application and ensure it is synchronized across your devices.

Sharing Experience

Despite these changes, you should still be able to share a OneDrive file seamlessly (subject to your sharing and compliance settings). To verify, share a file from OneDrive and confirm that the people picker lets you add any user in the organization regardless of their geo location.

Things to consider when deleting a user account from an Office 365 subscription

When an employee leaves the company, standard procedure is to remove the account and act on the associated content according to company policy.

Associated Content Might be Crucial to your Organization:


The departed user’s OneDrive content is retained for 30 days by default. You can restore the account within those 30 days; after that the data is permanently deleted. If the user’s data is critical, move it to a different location within the 30 days following account deletion.

This is less of a problem if the user has a manager defined: by default, OneDrive content of deleted users is automatically delegated to the line manager, who keeps access to the content until the end of the retention period.

This is how the whole process unfolds:

  1. The account is deleted from the local AD (and synchronized) or from the Office 365 user list.
  2. The deletion is synchronized to SharePoint Online (SPO).
  3. The OneDrive is marked for deletion by cleanup jobs, and the deleted identity remains visible in Office 365 for 30 days (or whatever period the retention setting defines).
  4. If the user has a manager defined in the profile, the manager receives an email with access details for the deleted user’s OneDrive and keeps that access until the end of the retention period. At the end of the retention period, the OneDrive cleanup jobs run and delete the site.
  5. The manager receives a reminder email 7 days before the end of the retention period; after those 7 days, the user’s OneDrive is sent to the site collection recycle bin, which holds it for 93 days (about 3 months) by default. During this period, no one has access to the content that was shared from this OneDrive, and it can only be restored using PowerShell.
  6. Content in the site collection recycle bin does not appear in search results, and an eDiscovery hold cannot locate content in the bin either.

However, you can customize the retention setting to reflect your needs so that OneDrive holds a deleted user’s data for longer than the default 30 days. Check this post for changing the OneDrive “Retention Policy”.
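The retention window, the recycle-bin stage and the PowerShell-only restore described above can all be handled from the SharePoint Online Management Shell. The following is an added example, not code from the original post or the linked one: it raises the tenant-wide retention period for deleted users’ OneDrives, lists the deleted OneDrives currently in the recycle bin with their remaining days, restores one of them, and grants the manager site collection admin rights so the content can be moved out. It assumes the Microsoft.Online.SharePoint.PowerShell module is installed and you are a SharePoint administrator; the tenant mantoso, the user manoj and the manager account are placeholders.

```powershell
# Added example, not from the original post: manage the deleted-user OneDrive lifecycle
# from the SharePoint Online Management Shell.
# Assumptions: Microsoft.Online.SharePoint.PowerShell is installed, the account used is a
# SharePoint admin, and mantoso / manoj / the manager UPN are placeholders for your tenant.

Import-Module Microsoft.Online.SharePoint.PowerShell -DisableNameChecking
Connect-SPOService -Url 'https://mantoso-admin.sharepoint.com'

# 1. Retention after a user is marked for deletion. The tenant-wide setting is
#    OrphanedPersonalSitesRetentionPeriod (days, 30 to 3650; default 30). Raise it to 90
#    only if it is currently lower, so a longer value set elsewhere is not reduced.
$DesiredRetentionDays = 90
$currentRetention = (Get-SPOTenant).OrphanedPersonalSitesRetentionPeriod
if ($currentRetention -lt $DesiredRetentionDays) {
    Set-SPOTenant -OrphanedPersonalSitesRetentionPeriod $DesiredRetentionDays
    "Retention raised from $currentRetention to $DesiredRetentionDays days"
}
else {
    "Retention already $currentRetention days, left unchanged"
}

# 2. Deleted OneDrives (personal sites) sitting in the site collection recycle bin,
#    with the days left before they are purged for good.
Get-SPODeletedSite -IncludeOnlyPersonalSite |
    Select-Object Url, DeletionTime, DaysRemaining, StorageQuota |
    Sort-Object DaysRemaining

# 3. Restore one user's OneDrive while DaysRemaining is still above zero. The personal
#    site URL is derived from the UPN with '@' and '.' replaced by '_'.
$oneDriveUrl = 'https://mantoso-my.sharepoint.com/personal/manoj_mantoso_onmicrosoft_com'
Restore-SPODeletedSite -Identity $oneDriveUrl

# 4. Give the manager access to the restored site so the content can be moved out before
#    the next cleanup; site collection admin is the broadest right, so remove it afterwards.
Set-SPOUser -Site $oneDriveUrl -LoginName 'manager@mantoso.onmicrosoft.com' -IsSiteCollectionAdmin $true
Get-SPOUser -Site $oneDriveUrl -LoginName 'manager@mantoso.onmicrosoft.com' |
    Select-Object LoginName, IsSiteAdmin
```

Step 2 is worth running as a scheduled report: once a OneDrive drops out of that list, the data is gone and no amount of retention policy will bring it back.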

Licenses:

Upon removal of the user identity, you can detach the licenses associated with the account to stop paying for them unnecessarily. This option automatically removes the licenses from the target subscription. You cannot remove licenses from a subscription that has ongoing commitments (such as an annual commitment bought through a license partner) until the commitment period is complete.

Mailbox and Associated Aliases:


By default a deleted mailbox is recoverable for 30 days, though this depends on your retention policy. To understand more, read the article “Delete or restore user mailboxes in Exchange Online”.

You can delegate the mailbox of a deleted account to someone else (in most cases the manager), which converts it to a shared mailbox. The new owner can then access the mailbox and monitor it for new messages. The shared mailbox object appears under the Active users list in Office 365.

In addition, you can change the display name (recommended, so you can easily identify the shared mailbox among the other identities in the Active users list), and you may turn on “Automatic Replies”. A default automatic reply is provided out of the box when you enable it, but you can use a custom one if you prefer.

Active Directory:

If Active Directory is hybrid, you have to perform the deletion in your local AD. Synchronized identities cannot be deleted from the Office 365 side.

To remove an account:

  • Sign in to the Office 365 portal with your admin account
  • From the Admin Center, go to Users –> Active users
  • Select the target user and delete it

Notes: There can be exceptions, such as users who have downloaded OneDrive or SharePoint content to their personal devices. There is no way to remove this content if the user downloaded it before the account was removed, so ensure you take the necessary compliance actions across all corporate and BYOD devices to avoid such compliance breaches. Microsoft Intune and the associated EMS tools can help you here.

For detailed steps on configuring automatic access delegation, refer to this article.

DISCLAIMER NOTE: This is an enthusiast post and is not sponsored by Microsoft or any other vendor.