Getting Started with Office 365 and EMS for Microsoft Cloud Solution Providers

Introduction

The Microsoft Cloud Solution Provider (CSP) program was released in July 2014 t to provide a scalable, flexible partner program. Designed to deepen customer relationships and expand business opportunities, the CSP program allows partners to:

  • Own and control billing
  • Sell combined offers and services
  • Deliver direct provisioning, management and support

To achieve those capabilities, CSP partners need to integrate their backend systems and business processes with various Microsoft cloud services and processes. Once integration has taken place, CSP partners then have the ability to directly provision, manage and support clients within the Microsoft Office 365, Microsoft Azure, Dynamics CRM, and Enterprise Mobility Suite (EMS) product offerings.

The goal of this document is to help CSP partners to quickly implement Enterprise Mobility Suite (EMS) solutions for clients who have Office 365 E3/E5 or Office 365 Business Premium.

This document provides guidance to support the extension for CSPs looking to enable clients with subscriptions.

Scope

The scope of this document is to provide the necessary guidance to extend an existing Office 365 deployment to include EMS.

The focus of this document is on the implementation guidelines for extending a deployment to include EMS, but not how to configure EMS.

Terminology

Term

Description

CSP

Cloud Solution Provider

EMS

Enterprise Mobility Suite

Partner Center

Portal for CSP Partners to administer their CSP offerings http://partnercenter.microsoft.com

End Customer

Organization that is managed by the CSP Partner

Admin Agent

Partner administrator who has the following access within the CSP Partner Portal:

  • Customer management
  • Subscription management
  • Service health and service requests for customers
  • Request delegated admin privileges
  • View pricing and offers
  • Billing
  • Admin on behalf of
  • Register a value added reseller

Office 365 Global Administrator

Administrator who has access to all administrative features within the end customer's Office 365 subscription

Before you start

This document assumes that the following conditions have been met:

  • The administrator completing these steps has Office 365 Global Admin access to the end customer's Office 365 subscription
  • The end customer's Domain has been setup in Office 365 (refer to Setting up your domain for Office 365)
  • Users have been synchronized from on-premises, or exist as cloud only identities in Azure Active Directory via the Azure AD Connect tool. Older versions of the Azure AD
  • Connect tool such as DirSync for example does not support Password Write-back
  • CSP administrator has access to the Partner Center as an Admin Agent
  • Windows Azure Active Directory Module for Windows PowerShell is installed and available for use

Assigning an EMS subscription

In this section, three use cases will be examined to cover common scenarios surrounding an EMS Subscription assignment.

Section 3.1 describes establishing a relationship with an existing Office 365 end customer and assigning EMS Licensing to their subscription.

Section 3.2 describes assigning EMS Licensing to an existing CSP end customer.

Section 3.3 describes setting up a subscription for a new end customer and assigning Office 365 and EMS licensing to that subscription.

Assigning EMS to an existing Office 365 customer – Request Relationship

  1. Browse to the CSP Partner Center Portal and sign in as an Admin Agent.

  1. Click on Request a reseller relationship. This will activate a relationship request email:

  1. To request a reseller relationship with an end customer, copy and paste the text on the screen, including the URL, into an email. Edit the text if necessary, and send as an email to your end customer:

  1. Click on Done.
  2. At this stage, the end customer will have to complete the relationship request process.
  3. Once the end customer has authorized the CSP relationship, a confirmation email will be sent to the Admin Agent who requested the relationship. The email will be similar to the following:

  1. Within the CSP Partner Center Portal, search for the end customer who has just established a relationship with the CSP Partner:

  1. Select the end customer and review their existing subscriptions, if any:

Assigning EMS licenses to an Office 365 Tenant for an existing CSP Customer

1. Browse to the CSP Partner Center Portal and sign in as an Admin Agent:

2. Click on View customers:

  1. Search for the end customer you are adding the offering to:

  1. Select the end customer and review their existing subscriptions:

  1. Select Add subscription.
  2. Select Enterprise Mobility Suite and enter the number of licenses required:

  1. Select Submit.
  2. Review the summary once Enterprise Mobility Suite has been added:

Assigning EMS and Office 365 to a New Customer

Section 3.3 describes setting up a subscription for a new end customer and assigning Office 365 and EMS licensing to that subscription. The creation of the subscription involves the creation of a new Azure Active Directory tenant for the end customer.

1. Browse to the CSP Partner Center Portal and sign in as an Admin Agent:

2. Click on Add new customer

  1. Complete the form with the required customer information. It is important that all information be correct:

  1. Select Next: Subscriptions to continue.
  2. Select the relevant EMS and Office 365 subscriptions, along with the required number of licenses per subscription:

  1. Select Next: Review to continue.
  2. Review the summary page, ensuring that all the correct information is displayed:

  1. Click Submit to complete the process of adding a new customer.
  2. The confirmation page will provide all of the required information needed to sign into the Azure Active Directory Tenant:

Assigning an EMS license to a user via the Office 365 Portal

  1. Browse to the Office 365 administration portal.
  2. Log on with an Office 365 Global Administrator account to access the end customer's subscription:

  1. From the Admin Dashboard, select User – Active Users:

  1. Select a user:

  1. A preview of the properties for that user will be displayed. Select EDIT.
  2. The detailed properties for the user will be displayed. Select the Licenses node:

  1. Select the check box for Enterprise Mobility Suite, and select Save.
  2. The preview of the user's properties will update to display the number of licenses the user now has assigned with their identity.

    Activating the Azure Active Directory Tenant

  3. Browse to the Office 365 administration portal
  4. Log on as the Office 365 Global Administrator account to access the end customer's subscription:

  1. From the Admin Dashboard, select Admin – Azure AD:

  1. If the tenant does not have an associated Azure subscription already, you will be prompted to setup an Azure subscription.
  2. Complete the details and select Sign up:

  1. Once the signup process is complete, select Start managing my service:

  1. The Azure portal will display the Active Directory instance (along with any other items associated with the subscription).
  2. From the Azure portal, select the end customer's Azure Active Directory instance and review:

Integrating your on-premises identities with Azure Active Directory

Azure Active Directory (AAD) Connect is used to integrate the end customer's on-premises identity system, such as Windows Server Active Directory, with Azure Active Directory. It connects the end customer's users to AAD and thousands of available SaaS applications.

To integrate your on-premises Active Directory with your Azure Active Directory tenant, refer to the article, Integrating your on-premises identities with Azure Active Directory.

It is recommended that the Customized Installation process is followed. This is important in order to enable the following additional feature in AAD Connect:

Features

Status

Description

Password Write-back

Enabled

Password Write-back will be enabled as a feature in the document, "Getting Started with Azure Active Directory Premium for Microsoft Cloud Solution Providers"

Other customizable features include:

  • The ability to specify specific Organization Units (OUs) to synchronize, rather than the entire domain
  • Specify a SQL Database rather than using the default SQL Express
  • Specify an existing service account
  • Synchronization filtering for users and devices based on security groups

Once the integration of on-premises Active Directory and the end customer's Azure Active Directory tenant is complete, you will have achieved the following:

  • Established end customer's user identity in the cloud
  • Provided users with same password authentication
  • Enabled Password Write-back for Self-Service Password Reset

Appendix A – End customer relationship request steps

The following steps are provided to CSP Partners for informational purposes only.

These steps are required actions that an End Customer must complete to have the relationship request submitted by a CSP Partner approved.

  1. The end customer will receive the customized email that the CSP Partner sends requesting the establishment of a relationship (refer to section 3.1), similar to the example below:

  1. The end customer, with Office 365 Global Administrator rights to the Office 365 subscription, should click on the URL supplied in the email.
  2. The Administrator will be prompted to sign in:

  1. Proceed with the sign in process:

  1. The invitation to accept the Cloud Solution Provider will be displayed on sign in:

  1. The end customer should review the terms and select the check box "Yes, I have read and understand the terms of establishing a Microsoft Cloud Solution Provider and Delegated Administration Permission relationship and I am authorized to agree to these terms on behalf of my organization.":

  1. The end customer should then select Authorize CSP.
  2. The Partner Relationships node will now update with the authorized CSP:

Reference Links