The 5 Pillars of Nova – Transcript

Here is a transcript of the video that Paul prepared:


At Quadrotech, we believe really strongly in our vision of having a single platform that does everything that customers need to do, and service providers need to do for Office 365 management.

This diagram on the right hand side of the slide shows what we jokingly called the Circle of Life or the Wheel of Fortune. It covers the 5 primary areas of Office 365 management that we focus on:

Security and Audit
Delegation and Policy Control
and Service Sonitoring

Why did we do it this way?

Why did we structure our offering for the platform around these 5 things?

Well, we did it to deliver on our vision.

First, we want to give our customers visibility across the entire organization. Whether that organization is a single tenant, multiple tenants that belong to the same larger entity such as divisions of a large company. Or multiple tenants that are managed by a service provider.

We want to give our customers the ability to action insights or to take actions based on what they see from our analytics engine.

We want to give our customers proactive, granular control across job roles, business units and tenants through policies. Not through manual granting of access and not through requiring everybody to be a Global Admin everywhere, the way that Microsoft does.

We also want to provide role and policy-based alerting and enforcement of these policies so you can define a policy at the top level of a single tenant and push that down to every child tenant in a service provider environment.

Finally we want to be able to bring business processes closer to the end user by giving them self service, delegated so that every end user has exactly the permissions that you want them to have, to do only the things you want them to do, on the objects that you want them to have access to.

Nova is built on 5 pillars. The first of those pillars is migration integration.

Now it’s really important to keep in mind what this means. Migration itself has been the core of our business since we’ve been founded. But not every customer needs migration and for those who do sometimes they’ve already started a migration by the time they consider deploying Nova. Sometimes they’re most of the way through the migration. Sometimes it’s complete. Sometimes it’s just a dream on the horizon.

The value we add here is not just our migration services we’ll talk about those another time. It’s the integration that we provide between the Nova management capabilities and migration. So starting with the ability to do cloud to cloud migrations for mergers and acquisitions, for divestitures, for tenant consolidation. Driven by contributing data into the Nova reporting engine that you can see everything that is happening.

Which mailboxes and user entities, SharePoint sites, OneDrive file collections, Microsoft Teams objects have been migrated in which ones haven’t. Now the interesting part here is that we’re taking this migration data and we’re feeding it into the second pillar of Nova.

The second pillar is reporting. Now the interesting thing about reporting is this. Microsoft treats it like a commodity and often times when I talk to customers. They say:

OK. So why would I pay for reporting?

Microsoft already gives me reporting in the product.

It turns out a well executed reporting solution can do a lot more for you than just give you the basics that Microsoft offers.

First we unify all of our reporting data so you see all the data from all the tenants you have under management. From both Azure AD and from Office 365.

This is a pretty interesting contrast, Microsoft at anytime if they wanted to could unify Azure AD, and Intune and Office 365 data into a single home but they haven’t. The reason they haven’t is because doing that doesn’t help drive their goals of adoption and growth. But it ignores the fact that what people actually want to be able to do is very quickly see and understand what’s happening in their environments. Who’s doing what? With what? What files are they accessing? How many resources are being consumed? Who are the most active users of a service?

If you look at the last bullet here. This is actually pretty exciting. We have a feature in Nova that we call Adoption Accelerator that uses the reporting data store to let you make analytically driven decisions to drive adoption in your organization.

This also part of a separate demo that I do another time.

But the interesting thing about that is, it Adoption Accelerator is completely dependent on the reporting data that we gather. So if you were going to pick one pillar of Nova that might be maybe more preeminent than the others, even as cool and useful as the other ones are, the availability of this data in the reporting store for as long as you have a Nova subscription and not limited by the arbitrary time limits that Microsoft puts into place, is probably the best contender because with that reporting data I have complete visibility into everything that people are doing throughout my environment.

Now, maybe you don’t believe me when I was talking a minute ago about how important reporting was. Security and audit functionality is the proof in the pudding. So when I talk to customers all of them have got security management solutions. Whether that security incident and event management. Whether that’s the endpoint management. Whether it’s intrusion detection and that’s fine.

That’s not what we do. What we do is we take the data that we gather from the Azure Active Directory, and the Office 365 audit logs. We aggregate it, and we make it easy for people to look at.

Why is that important?

A better way to think about what we do with our security and audit tool is as an investigation tool. Suppose I have a sales representative. He calls me and says ‘Hey Paul my laptop was stolen’. Not uncommon scenario now I have a very simple way, in a very simple tool that literally anyone in my organization could use if I give them permission, to see everything that that user account and the associated device have done.

So I can say:

OK sales Rep. I’m going to take a look at your activity from the time you told me you lost the laptop until the present time I can see all the login activities on that account whether successful or failed. I can see what files have shared I can see what services they’ve logged into. I can see when they have communicated and with whom by email, and by teams. I can see when they synced OneDrive.

In other words, all of the activity data that Microsoft already records, but scatters around among a dozen or more portals. We put together in a single place.

If you’re in Europe or doing business in the EU you already understand how important GDPR is, and I want to be clear this isn’t a GDPR solution. This is a solution to the very specific problem of how you investigate and prepare to notify your data protection folks if you know, or suspect that there’s been a breach.

Now there is another security in order to feature that we have been talking about more lately, which is the ability to have a dashboard. It’s specific. To a particular compliance or governance regime. So we call this a Governance Dashboard and if you think about what Governance Dashboard is for, it’s like the Microsoft secure score technology. Except that instead of restricting you to the security categories in Microsoft thinks are important, we give you the ability to see governance related metrics. That express the degree of risk in your tenants.

For example, how many of your users have email forwarding to external addresses? On average how long is it been since your users have changed their passwords? Etc.

These aren’t security metrics necessarily per say, but they’re governance metrics, which means that if you were regulatorily required to comply with a certain compliance regime. Now we give you tools that help you understand how close are how far you are from compliance with that regime and also a way to track your scores and their trending overtime. So you can prove to your regulators to your management, and to your customers that you’re getting better at it as time goes by.

The next pillar is Delegation and Policy Control.

Now, I’ll admit this is not a great name. It sounds like a name that Microsoft would come up with for a product functionality. But it’s important because it encompasses 2 pieces, the 1st is a solution to the problem of access delegation in complex environments. In the olden days, the only thing that you could do was grant someone global administrator. There were only 2 Office 365 user types: Global Admins and ordinary users.

That meant the global admin role was all powerful, you could do anything to any object anywhere in the tenant. That made it dangerous, so Microsoft guidance was always:

OK have as few global administrators as you can get away with.

Well, the problem with doing that, is that in larger enterprises or more complicated enterprises, taking
everyday administrative actions, sometimes required use of a global admin account.

So fast forward a few years to where we are now. Microsoft has implemented role based access control in Office 365 and Azure AD. But the admin roles that they let you delegate are still limited in a lot of ways.

For example, I can give someone exchange administrator access or Teams Communication administrator access. And it gives the holder of that role access to do a bunch of stuff. But it’s very difficult or impossible for me to chip down any further, and say:

OK. I don’t want you to be a Teams administrator. I really only want you to be able to administer this one little tiny thing in a corner of Teams.

Let me give you a real world example. At Quadrotech our human resources people who are located in 2 locations throughout the world, have the delegated ability to onboard users. What I mean by that is the HR team, some of whom are in Switzerland, some of whom are in the UK, have the ability to create a new user in our on-prem AD. Dirsync that user to the cloud. Put that user in the correct Teams. Put that user in the correct Active Directory security a distribution groups. Set parameters on that user such as what their country and location and so on are. Without having any administrative access whatsoever.

Furthermore, that delegation is scoped so that individuals within the HR Department can only take those actions for the countries that they manage.

This is all done through a simple portal. They don’t have to know how to be Office 365 administrators. They never see the Office 365 or Azure AD portal. I want you to think about that example for a second.

Imagine that you had to go to a customer or go to a service provider and say:

Got a solution for you, that allows you to have your HR People register new users. So the first thing they have to do is they have to VPN into end user or the company network. Then they have to RDP to a domain controller and they have to run this script and then they have to log into the Office 365 portal.

Nobody wants to do that. Having a single delegated, controlled, audited point of access to let certain
people do certain things, to certain objects, is the basis of delegation. And that’s exactly what we deliver.

Now there’s another piece here, which is a policy control part. Being able to set an authorization policy or a configuration policy that applies to all the objects within scope. And says for example:

You are authorized to take these actions. That’s really a RBAC policy by another name.

Except it can cross tenants.

So, in the service provider space, we have a way to let an administrator decide which of their customer tenants are delegated access, to do which things in the customer tenant.

The analogy I like to use for this is if you rent space in office building there may be certain parts of that space that you as a tenant do not have access to. The room where the air conditioner is, or the phone closet, or the electrical switch room, or the firefighting equipment. The reason is the landlord needs to maintain access to those spaces to make sure that you as the tenant, or your guests, or your employees don’t break anything. It’s the exact same model here.

Our self service capabilities built on top of both delegation and policy control because now with the combination of those two features you can reliably and safely give individual users the ability to do self service operations on their own accounts. Or and this is the cool part, this goes back to the HR scenario I just mentioned, or you can give them the ability to do self service actions on other objects that you have given them permission to work with.

Now, when I add in the 5th pillar – Service Monitoring – you can see what we talk about Nova as a comprehensive platform. Because just like DPC, just like security and audit, Service monitoring builds on top of the core reporting capabilities to give you visibility into what’s happening with all of the workloads that your end users, or your end user customers are dependent on.

The idea here is Quadrotech maintains a network of beacons. These feedback data about global availability of Office 365. So we have beacons monitoring each of the data centers where Microsoft offers Office 365 services.

Then we give customers the ability to install around their own beacons too. It gives customers at least 2 sources of truth, about what’s really happening with Office 365.

The reason why this is so important is not because there are a lot of outages on the Microsoft Side, let me be really clear about that. But there are a couple of other factors come into play. One is it just like people are afraid of sharks, people are afraid of outages that are caused by or that involve Microsoft. Because their sort of Forces of nature. You can’t really do anything about them, as an Office 365 end user.

But it’s critical to know when they exist especially for service providers because the cost of suddenly having to absorb a spike in call volume and ticket volume due to something that Microsoft did can be a huge burden.

The other reason that this is really significant is customers want to have assurance that they’re getting what they pay for from the service.

They want to know when it’s up, they want to know when there are problems. And the mechanisms Microsoft provides just don’t do a good enough job of giving customers the assurance that they’re looking for.

So if you take all of these capabilities and you put them together, what do you get?

We built Nova to be an integrated platform. One key takeaway that I want you to get from thinking about the pillars is they all work together to give customers a unified interface, and a unified experience. Where instead of having to bounce from portal to portal in Microsoft World, they can go to one place to see and do everything that they have authorization or permission to do.

For one or many Office 365 and Azure AD Tenants, all in a single place.

No jumping around, no having to correlate data from this portal with different data from that portal, to speed things, up to reduce friction, and to give our customers better tools to manage the Office 365 environments they’re responsible for.