As many readers will be aware, Microsoft’s Ignite conference starts in Atlanta on September 26, 2016. I am speaking at a number of sessions. Possibly my favorite is the opportunity to debate Greg Taylor from the Microsoft Exchange development group on the topic “The Top Ten reasons not to move your Exchange on-premises mailboxes to Exchange Online“. The debate will be chaired by Steve Conn, who might have quite a task on his hands as those who have seen Greg in action in the past understand how excited he can become. I’ll be the calm, logical one with the scintillating comments. Or not. We’ll just have to see.
In any case, we need to understand the reasons why people might choose to leave their mailboxes on-premises so that we can debate the rationale and reasoning. I’ve put together a list of the most common reasons I know of and would appreciate your help in recording others, if they exist. Please reply to this topic with your reason and we’ll add it to the mix.
I doubt that we will get to debate more than 10 topics during the 75-minute session… But you never know!
Thanks for your help
Follow Tony on Twitter @12Knocksinna.
Backup and recovery
- Microsoft uses Native Data Protection and doesn’t take backups of Exchange Online data. I like to have the security of backups, just in case an administrator or a user does something stupid – or we are hit by a ransomware attack and have to restore some mailboxes.
Stability and robustness
- Our Exchange 2013 infrastructure delivers better availability to our business than we believe is possible from Office 365, especially with all the horror stories we hear about multi-hour outages for essential components like AAD and EOP. The SLA results as reported by Microsoft are accurate for the entire service but don’t reflect the experience of individual tenants.
- Our server infrastructure is modern, we’re up to date with Windows Server, and we think we have a highly cost-effective platform for the next five years.
- Exchange 2013 and Exchange 2016 are feature-rich email servers already and Microsoft is doing a good job in transferring some excellent technology from the cloud, like Managed Availability, simplified DAGs, and automatic DAG activation. We don’t need anything else.
- Our Exchange admins are the best in the business and have our Windows servers humming beautifully. Why would we plunge into the unknown world of Office 365 and all its component parts?
- When a problem happens inside Office 365, it seems like no one knows what is really happening and you have to fall back on Twitter and Facebook to gain some insight into how widespread the problem is and when it might be resolved. That’s an unacceptable state of affairs for our business. In other words, monitoring and reporting for Office 365 to understand the current state of affairs on a minute-by-minute basis is poor when compared to what we can do inside an on-premises environment.
- We’ve heard that the Office 365 support is pretty poor at times and you have to wait before you can get to speak to someone who isn’t reading off a script and might actually be able to help. That’s a big concern when you consider moving from a tightly managed and well-supported on-premises environment.
- We want to use our own keys with Exchange and AAD RMS and Exchange Online doesn’t support BYOK. In other words, I don’t trust Microsoft to protect the privacy and security of my organization’s email and documents, if we let them own the encryption keys.
- The fact that the Office Graph records every interaction between Office 365 users is downright scary in a “big brother” kind of way. There’s no way that my users want or need to know the kind of information that Delve Analytics reports.
- My Microsoft sales person is selling Office 365 because they are compensated on that basis. They’re not interested in listening to our desire to remain on-premises and that makes us believe that the move to the cloud is great for Microsoft and probably less good for us.
- We don’t trust the costs cited by Microsoft for Office 365. You start off with a low monthly cost but then need to spend more to get the functionality that you really need, like AAD Premium or a high-end plan. We also think that you have to spend a lot of time managing licenses to make sure that you’re not overpaying for unused licenses.
- There’s no guarantee that Microsoft won’t increase the costs of all the bits we need to buy to create our Office 365 environment at a higher rate than inflation to achieve their goal of a $20 billion annual revenue run rate for commercial cloud products by mid-2018.
- Exchange is the fulcrum of an ecosystem we have constructed to serve business needs. To move to Office 365, we’d need to do a heap of redevelopment to make sure that Exchange Online delivers everything that we need. That work costs money.
- Giving users a standard 50 GB mailbox quota only encourages them to keep stuff that they should delete immediately. If we want to give 50 GB quotas, we can, especially now that storage costs are so low and Exchange 2016 does such a good job of supporting JBOD.
- We have users in some pretty remote places where Internet access is not great. The cloud’s not for us.
- Office 365 requires customers to keep software components at a far more recent level than we are accustomed to on-premises. It seems that we would be constantly updating Exchange 2016 to maintain support for a hybrid connection or Outlook to make sure that clients can connect to Exchange Online. That seems like a whole heap of effort for not a lot of return.
- The rate of change inside Office 365 is too rapid and challenging for our business users to cope with. No one wants to see a new client interface every three months. We like the stability and robustness we can assure through our own deployment.
- Public folders are all the collaboration tools that any reasonable person could want. It will take us forever to move the data out of public folders and to realign business processes around new types of collaboration tools. That’s a real hidden cost of migration both in terms of getting the work done and the business disruption. We just can’t take that cost on now.
- There seems to be a lot of SharePoint wrapped up in Office 365. Who wants to go near that stuff?
Out of the box thinking
- I do want to move to the cloud and am thinking about migrating from Exchange to Outlook.com.
- We believe that Microsoft will fulfil their commitment to support Exchange 2016 until 2025. Why would we ever move until they stop supporting on-premises software?
- If we migrated to the cloud, Ross Smith IV and Greg Taylor would hate us very much and that would be no fun.
There is a lot of custom work to integrate account/object provisioning and licensing into our existing workflows, and Microsoft doesn’t make it easier by adding new services in an “on by default” way. We need to see a more robust provisioning framework that we can adapt rather than re-inventing the wheel.
Within a given region such as EMEA, our data could be spread over datacenters in different countries — and that can change on a daily basis. We need to have more control over which datacenters our user data is in.
Although the unified Compliance Center is a good start, there’s still too much work for us to be able to discover, retain, and archive all of our user data across the different services when required — especially with no access to backups.
Compliance: Devin, I think you have misunderstood how this works. MS do absolutely tell you up front where your data will be and you always know. Many governments are using O365 because MS have done this right. Of course, some countries have excessively restrictive rules – e.g. Germany – and MS are putting new DCs in these locations as quickly as they can. Germany, UK and Canada, for example, are getting or already have new DCs this year.
Julian — I’m not necessarily representing my own voice/concerns, merely those of customers I have worked with. Having said that, though, I am aware of multiple conversations where large customers are having this conversation with their Microsoft reps because they AREN’T getting that transparency or because data did get moved to locations it wasn’t supposed to/wasn’t expected to.
Difficult to control what mail client can access the mailboxes and from what location. The existing conditional access controls are not flexible enough. For example, restricting the full Outlook client to managed PCs while still allowing other clients to run on any machine with MFA. If not all the managed PCs are domain joined it becomes very difficult.
The controls and offerings for mobile access are lacking.
It is difficult to control what O365 offerings the user has access to. For example, Office Online requires SharePoint and Onedrive. It is difficult to restrict the full use of those and still allow Office Online.
The latest Azure AD conditional access policies for device access might help you solve the problem of which mail client can access applications from where…
First, hi from a fellow Compaq/Digital follower :)
Second, most places (and I deal with very large customers) aren’t keen on going in the conditional access direction; it’s too messy and expensive, and they have other solutions.
So basically, from the time they added modern auth we are “screwed” because CAPs are useless (which were a mess by themselves :)).
They charge for every little thing, so you end up paying a lot of money for something you could have done very easily with on-prem software.
Anyway, for an enterprise-scale environment with more than one datacenter (which isn’t going away anyway, so no serious money saving) there is a huge argument for staying on-prem.
Don’t forget traces that take 24-48h 🙂 wth :)
Add: unless you have a custom solution you have to give Microsoft your passwords due to the old ActiveSync protocol not supporting federation. Same issue with Outlook unless you are running 2013, which supports modern authentication. Oh, and add to 22, that would be a good thing: Ross Smith is one of the most arrogant people I have ever had to talk to.
Throttling for messages and protocols (ews, imap, etc.)
Remote “Offices” connected over satellite links (cruise ships), that can have extended outages due to satellite issues. The ship needs to be able to function as a unit during these times, able to email other shipboard users.
Email address rewriting on Edge servers
When involved in company mergers/de-mergers and acquisition scenarios, it is difficult to do tenant-to-tenant migrations, which Microsoft doesn’t support either.
I agree on the backups issue.
At previous places I’ve had journaling systems but had quite a few instances of ‘we want to see exactly what this user’s mailbox contained on such and such a date’.
Also, sometimes a user could not remember the contents of a deleted message sufficiently to do a journal search for it but could remember what folder it would have been in. It was quicker to do a mailbox restore than trawl through all the mail they might have sent and received.
WAN / internet redundancy
Network teams always say they have perfect internet access redundancy, until they don’t. Then you have loads of users who can access their old e-mails thanks to cached mode but can’t actually communicate internally.
MD – Right, so we’ll save $x thousand per year on all the server hardware, backups etc. etc. Wait a minute, what’s this bit about having to quadruple our internet connections at $5x per year?
Should have thought about virtualization! Oh Boy!
Multi-tenancy/shared tenancy. One large customer I am working with has multiple business units in quasi-independent states. Because the O365 tenant is the security boundary, even with good RBAC roles that only goes so far — it addresses most (if not all) Exchange operational concerns, but the write scopes only match Exchange Online (and don’t necessary sync with on-premises scopes in a hybrid configuration). Customers who are sharing tenants without sharing on-premises infrastructure have to do a lot of extra duplication, share the keys to the kingdom, or otherwise severely restrict one or more partners in what they can do. And moving those customers to a separate tenant either requires third-party tools ($$$) or double migration through a shared on-premises service. Once they’re there, every tenant is an island — more policies to set up and maintain, no shared address spaces unless you start messing with routing sub-domains, etc.
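One concrete instance of the RBAC scoping the comment above refers to, as an added example that is not part of the original thread and not Microsoft’s own documentation. It shows how a business unit’s delegated admins can be given a recipient write scope that stops them touching other units’ mailboxes; the CustomAttribute1 value, the security group and the scope name are assumed placeholders:

```powershell
# Added example (not from the original post): constrain a delegated Exchange admin
# group to one business unit with a custom RBAC recipient write scope.
# Assumptions (hypothetical): recipients of the unit carry CustomAttribute1 = "BU-North",
# and a mail-enabled security group "BU-North Mailbox Admins" already exists.

# 1. Define a recipient scope that matches only the business unit's recipients.
New-ManagementScope -Name "BU-North Recipients" `
    -RecipientRestrictionFilter "CustomAttribute1 -eq 'BU-North'"

# 2. Assign the built-in "Mail Recipients" role to the group, but only within that scope.
#    Members can now modify BU-North recipients and nothing else.
New-ManagementRoleAssignment -Name "BU-North Mail Recipients" `
    -Role "Mail Recipients" `
    -SecurityGroup "BU-North Mailbox Admins" `
    -CustomRecipientWriteScope "BU-North Recipients"

# 3. Check the result from the assignee side: which roles, and with what write scope?
Get-ManagementRoleAssignment -RoleAssignee "BU-North Mailbox Admins" |
    Format-Table Name, Role, CustomRecipientWriteScope, RecipientReadScope -AutoSize

# 4. Check the result from the data side: which recipients fall inside the scope?
Get-Recipient -Filter "CustomAttribute1 -eq 'BU-North'" -ResultSize Unlimited |
    Select-Object Name, RecipientType
```

The point the comment makes is visible here: these cmdlets operate on one Exchange organization at a time, so in a hybrid configuration the same scope and assignment have to be created separately in the on-premises Exchange Management Shell and in Exchange Online PowerShell, and kept in step by hand. The read scope also stays at its default (the whole organization), so the scope limits what the group can change, not what it can see.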
How about the fact that when I send mail, I have to watch a dialog box say “Authenticating…” for about 20 seconds instead of the send process being almost instant? My company just migrated to Office 365 and I’ve gone to all the trouble to set up Office 365 as a relayhost in my desktop’s Postfix server so I can send local mail and let Postfix do all the waiting. The time it took to set that up will be more than paid back by not having to stare at the send dialog all the time :-).
This sounds bizarre. My experience with Exchange Online is that email goes as fast if not faster than with on-premises servers (possibly because of reduced server load or the availability of more resources). I have never had to authenticate when I send email. Something is up with your setup.
And let’s not forget about third-party integration at the back end. Netmail had been able to integrate client access components into OWA for on-premises but not cloud. What about other vendors such as McAfee SIEM for enhanced management?
There are upgrades in O365 over which we have no control. In fact, O365 upgrades fall into our moratorium period, which can impact our business. It is totally unacceptable for our user base. Many times upgrades cause breakage to our client-end functionality.
Bring back SBS. Monthly fees for e-mail are for the birds.
You forgot the most important argument: data is the new currency. That’s why the big push for the cloud. It’s where the money is. If done right, the total cost of ownership for on-premises solutions can be drastically lower, while providing the same or greater availability and peace of mind. But the vendors (MS in this case) don’t have a big enough incentive to pursue that path. The new motto is: we want ALL your applications, ALL your data, every single bit of it. It makes us money.
Which explains why EVERY vendor that provides us with services or equipment is CONSTANTLY trying to get us to move to Office 365, and move everything we have to Azure or AWS, even if it doesn’t make sense for our business. Large tech companies PAY them to evangelize. They get compensated for every client they get to migrate.
Exchange just is NOT that hard to manage on-prem. Build in redundancy with DAGs and your outages are virtually non-existent. I spend next to no time troubleshooting server-side issues. I lost two servers in a three-node DAG cluster, and none of my users even noticed. I was able to reseed the databases on the other two servers from healthy copies, and performance wasn’t even affected. Exchange server maintenance takes up maybe 1% of my time, yet everyone is trying to convince me that we’d be better off handing control of our systems over to Microsoft. Ever try to deal with Microsoft support? If they handle O365 support like they handle other matters, I’ll pass. As for hosted Exchange, I worked for a hosting company. Lots of them operate on the margins. Just enough engineers to cover their customer base, if that. Most of them are stressed and overworked. When your mail is down hard, I wonder how much time they’re going to devote to it? One client with problems, when you have 300 other clients to maintain? When one of my systems is down I work until I get it back up. My job and professional reputation depend on that very fact. Given the cost, additional configuration requirements, and loss of control, someone’s going to have to work real hard to get me to support a switch. Also, anyone who asks me to give up the fast, clean, and stable function of our current Outlook setup for authentication errors and directory sync issues is nuts.
Our users would revolt.