So, the cloud, am I right? While it's always nice to get away from having to worry about failed hard drives, or backups, or patches, or a million other things, the real upside to using cloud services is that the good folks at Microsoft are able to put so much more into developing new features. Even for services like Exchange that seem mature, there are always new and unexpected ways for them to evolve as part of a huge infrastructure like Office 365 and Azure.
While this blog post isn’t about new features in Exchange Online, it is about a new way to access and administer Exchange Online.
Let's explore a new feature of Azure that allows administrators to access Exchange Online in a whole new way.
Starting from the beginning, Azure is Microsoft’s cloud service that runs alongside Office 365. Parts of Office 365 rely on Azure services, but Office 365 does not “run on” Azure. They are two different, but related, services with multiple links and interdependencies between them.
There are several Azure services that can and do interact with your Office 365 tenant. Services like Intune, Azure Information Protection, and other Azure services “tap into” your Office 365 tenant in multiple ways to provide enhanced services. Azure Cloud Shell, like the other services listed above, is an Azure service that works with your Office 365 tenant.
Azure Cloud Shell is a web-based shell experience for managing Azure resources. ACS is a browser-based environment that is pre-configured and maintained in the cloud for you. ACS gives you the ability to customize your environment, but also maintains the flexibility to work from any browser.
ACS isn’t just PowerShell either. You can also run ACS with a bash experience, but since I really don’t know anything about bash, I think this sentence is about all I’ll say about it.
ACS runs on Ubuntu servers hosted in Azure. That’s a sentence that no one would have been able to write about a Microsoft service just a few short years ago.
There are several different ways to access ACS. You can launch ACS from the Azure Portal by clicking the icon at the top of your screen next to your account information.
You can also access ACS directly from https://shell.azure.com in every browser that I have tried.
A third option for accessing ACS is the Azure app on iOS and Android. That’s right, you can now connect to PowerShell for Exchange Online from your phone quickly and easily.
There’s always a catch, isn’t there? It can’t possibly be as easy as just opening a web browser and running one command to connect to a PowerShell session for your Exchange Online tenant from your phone, can it?
It is pretty easy, but there is a one-time setup and that setup does require an Azure subscription. If you do not already have an Azure subscription associated with your Office 365 tenant, then you’re going to need a credit card to set one up.
At this point you’re probably asking “Why on earth do I need to pay to access Azure Cloud Shell?” As ACS is an entirely cloud-based shell, you need some storage in which to store configuration files. Things like your PowerShell profile, and any scripts that you’d like to run from within ACS, need to be stored in Azure. You really don’t need much storage, and the costs are very low (unless you do something crazy).
Once you set up the Azure subscription and storage container, you really don’t ever have to put anything in there if you don’t want to. If the cost of using ACS is something you’re concerned about, I suggest setting up a Resource Group in Azure that’s only for ACS file storage. Then your Azure bill will have a breakout of exactly what it’s costing you to have ACS access, and you can make a determination about the value from there.
I personally find using https://shell.azure.com to be the easiest way to access ACS. While it’s a neat trick to PowerShell into my Exchange tenant from my phone, the onscreen keyboard on my iPhone is rough.
Also, my laptop is Azure Domain joined to my Office 365 tenant, and I use Windows Hello to get Multi-Factor Authentication into Azure and Office 365 just by looking at my screen. The login process for me into my ACS is really just to look at my laptop, wait for the browser to open (I even set up a tab to open straight to ACS when I launch the browser), and type “Connect-EXOPSSession”.
I didn’t type my password once to get there. This works on my phone as well, since I installed Microsoft Authenticator on my iPhone.
This browser-based PowerShell session isn’t going to be able to read scripts from your local computer. That’s why you needed to set up an Azure subscription before you could log into ACS. If you want to run any scripts, you’ll need to upload them into Azure first.
At the top of the browser, click the file management button and upload the script you want to run into your Azure storage. Select “Upload” and you can choose the PowerShell scripts you want to run.
Once the scripts are uploaded, just switch to that directory and proceed.
Of course, once those scripts are uploaded, you can access them from any ACS session. So if you have some script that you need to run to check on the status of a migration batch, for instance, it’s pretty easy to do that from your phone.
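A migration batch status check of the kind described above, written so it can be uploaded to ACS storage and run from any session. This is an added example, not a script from the original post; the function name Get-MigrationBatchSummary and its -BatchName parameter are hypothetical, and it assumes Connect-EXOPSSession has already been run in the shell.

```powershell
# Added example: summarize Exchange Online migration batches from an ACS session.
# Assumes Connect-EXOPSSession has already been run in this shell.
# Get-MigrationBatchSummary is a hypothetical helper name, not a built-in cmdlet.

function Get-MigrationBatchSummary {
    [CmdletBinding()]
    param(
        # Optional batch name; every batch is reported when omitted.
        [string]$BatchName
    )

    # Stop with a clear message if no Exchange Online session is loaded,
    # instead of failing later with a "command not found" error.
    if (-not (Get-Command -Name Get-MigrationBatch -ErrorAction SilentlyContinue)) {
        throw 'Get-MigrationBatch is not available. Run Connect-EXOPSSession first.'
    }

    $batches = if ($BatchName) {
        Get-MigrationBatch -Identity $BatchName
    } else {
        Get-MigrationBatch
    }

    foreach ($batch in $batches) {
        # Objects come back deserialized over the remote session, so cast the
        # identity and status values to strings before reusing or comparing them.
        $batchId = [string]$batch.Identity
        $users   = @(Get-MigrationUser -BatchId $batchId -ResultSize Unlimited)

        # Count users per status so stalled or failed mailboxes stand out.
        $breakdown = $users |
            Group-Object -Property { [string]$_.Status } |
            ForEach-Object { '{0}={1}' -f $_.Name, $_.Count }

        $failed = @($users |
            Where-Object { [string]$_.Status -eq 'Failed' } |
            ForEach-Object { [string]$_.Identity })

        [pscustomobject]@{
            Batch       = $batchId
            BatchStatus = [string]$batch.Status
            TotalUsers  = $users.Count
            Breakdown   = $breakdown -join ', '
            FailedUsers = $failed -join '; '
        }
    }
}

# Report on every batch in the tenant.
Get-MigrationBatchSummary | Format-List
```

The script only reads migration state, so the account that runs it needs no permission to change batches.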
Historically Exchange has led the way at Microsoft in many ways. Exchange was, and still is, the driving force to move many organizations into Office 365 for instance. Exchange was the first Microsoft product to be built on PowerShell. Now Exchange is the first product to allow ACS management (outside of Azure itself).
I expect that soon you’ll be able to launch Teams and SharePoint session connections from ACS as well. I’m sure over the coming months ACS will support connections to all your Office 365 resources. Start using ACS now, and enjoy the flexibility!
Nathan is a five time former Microsoft MVP and he specializes in Exchange, Microsoft 365, Active Directory, and cloud identity and security.