Office 365 versus Exchange Server. It’s battle of the corporate email Titans. Who’s going to win? Well..
. Microsoft. Because they get your money either way. But how can you get best value for that money? Well, stick around and I’ll try to help you through it.
Welcome to the Pro Tech Show – the place for tech, tips, and advice for IT Pros and decision-makers. If that sounds like your kind of thing then hit that subscribe button. Today we’re comparing Exchange Server with Office 365. Specifically, the Exchange Online component of Office 365. I’m going to compare the two based on cost, extensibility, security, features, and reliability.
First up: cost. Now I’m covering cost mainly because if I don’t, you’re going to ask me to; but it’s a difficult thing to compare because both Exchange Server and Office 365 can be bought in a whole variety of ways. You can buy them individually, or as part of packages, and through different licensing models. For the sake of comparison I’m just going to look at individual components here. I’m not going to consider suites.
In the real world that would be a mistake. Office 365 for example – a lot of its benefits actually come from its synergy between the different products, so you need to consider the whole package, the full total cost of ownership. Don’t ignore for example that once you go to Office 365 you never have to upgrade an Exchange Server again. Slso don’t ignore that once you go to Office 365 you’re going to have to keep upgrading things when Microsoft tell you to regardless. One quick note: if you have access to education or nonprofit licensing then feel free to just skip this section.
Office 365 will be cheaper. The reason being if you’re on those licensing schemes Microsoft basically gives it away for free; and you can’t beat free.
I’m going to break this down based on the size of organization, because the balance does shift around a little depending on scale. At the bottom of the scale we’ve got very small companies maybe a handful of people. If you’re at this level, then Office 365 is almost a no-brainer.
Exchange Online can currently be had for £3 per user per month. Now if you’ve got three people that’s £108 per year for a geographically resilient messaging system. The cost of doing that yourself would be considerably higher. As we start going up in size, and assuming you’re the type of organization who likes to buy their kit upfront and run it for 5 or so years, then the advantage starts to swing away from Office 365 and towards Exchange Server. The simple fact is it’s almost always cheaper to run the kit yourself than to pay someone else to buy it and run it for you; and given the choice, most organizations don’t upgrade every single version.
They upgrade when there’s a compelling reason to actually do so. So once you get into the territory of a few hundred users, Exchange Server is usually more cost effective. Now once you get past the 500 user mark, the advantage suddenly swings back towards Office 365; because now you’re an Enterprise Agreement territory. When you’ve got an Enterprise Agreement you’ll usually find that the most cost-effective way to license Exchange Server is to buy office 365 licences and use the on-premises access rights.
Once you’ve done that, both of them costs exactly the same, essentially, from a licensing perspective.
The difference is that with Exchange Server you need to buy some kit to run it, and with Office 365 you don’t. Now that cost may or may not be significant depending on what you’re already running, but let’s face facts. Buying kit is never going to be cheaper than not buying kit, so Office 365 should be a bit cheaper. Now, it’s worth making a quick point about extensibility. Both Exchange server and Office 365 have numerous ways for third-party applications to hook into them, but Exchange Server is the hands-down winner.
That’s because you control the server. With Office 365 you’re effectively limited to web services, or shoving something in front of Office 365. With Exchange Server you don’t really have any limitations.
If you want to write your own code and shove it into the server itself, you can do that. Now, let’s talk security.
This one’s annoying, because the technologist in me wants to give it to Office 365; but the realist says I can’t. I’ll explain. Both products can in theory be held to a very high level of security. In practice, Microsoft have all of the resources and they’re sparing no expense on this. Quite frankly, they cannot afford the reputational damage if their infrastructure got breached; so they’re putting a lot of effort into this.
Now in theory you can do the same, but in practice that’s probably going to be cost prohibitive.
Added to this you’ve got the fact that multi-factor authentication works right out-of-the-box with Office 365; whereas with Exchange Server you have to bolt it on. So it looks like a clear winner for office 365, right? No. Unfortunately the stats don’t seem to back this up.
My own experience has been that after an organization moves to Office 365 they are significantly more likely to be breached.
So why is that? Well, it has nothing to do with Office 365’s infrastructure and everything to do with the people using it. Us. The problem is people people do silly things; like falling for phishing scams, giving someone their password, reusing the password elsewhere.
That’s the problem – it’s the people using it. But these are the same people who are using Exchange Server, so what gives? Well, imagine a hacker has access to a database of 10,000 stolen user credentials. What is he going to do with that? Is he going to look for 10,000 Exchange Servers on-premises to try and use each of these 10,000 credentials against?
Probably not. Is he going to take the whole lot, and just throw it at Office 365 to see what doors open? Yes.
Yes he is. And that’s the problem.
Office 365 is technologically more secure than any server you or I would build. But it’s a bigger target. It’s a much bigger target, and as such it’s more vulnerable to exploits based on user behavior. So I’m going to call this one a draw, but I really don’t want to. Security through obscurity is not a valid defence!
But I also can’t ignore real-world experience. I’d be interested to hear your thoughts in the comments. If you are moving to Office 365 and you want to protect yourself against this type of threat, then check out my other video on two-factor authentication. I’ll make sure there’s a link at the end of this video for you. We need to talk about features and reliability together because they’re really like two sides of the same coin; and if you want to know what the differences are, then you need to understand a little bit of how Exchange is developed.
In the beginning there was Exchanged 2010. Well, obviously not in the beginning, because there were several versions before that; but Exchange 2010 was the first one that was deployed in the cloud under the name of Office 365; so we’re going to start there. Now Exchange 2010 was developed primarily as an on-premises product and then it was also deployed in the cloud as Exchange Online. Updates came as annual service packs. Exchange 2013 marked a significant shift.
Unlike Exchange 2010, 2013 was developed primarily for the cloud, so that new deployments were released weekly, and pushed straight into Exchange Online. Then every quarter, those updates were packaged up as a cumulative update for Exchange 2013 on-premises. Exchange 2016 continued with the same approach.
Now the idea was that Office 365 would get a regular release cadence so it was always getting new features. To help test these features Microsoft first pushed them to Microsoft themselves.
After that it went to a little bit of Office 365. Then a little bit more of Office 365; and more, and more, and so on. If there was any problems they’d halt the rollout as soon as they were found. This meant that Microsoft were able to keep up a rapid development cycle, but it also meant that Office 365 users were effectively taking turns at being guinea pigs for testing.
Exchange Server by comparison received the updates later on – after they’d been tested in Office 365.
Now this meant that Exchange Server lagged behind Office 365 in terms of features; but those features should be better tested by the time they get there, and therefore should be more reliable. That was the theory. In practice, a few admins felt that the updates for 2013 and 2016 were less reliable than they’d been on 2010. Now the servers generally ran OK, and you could argue they were more reliable than Office 365, but the problem was these updates. Now why were these updates a problem?
Well, one of the reasons might be that there was more of them. Instead of an annual service pack you’ve got quarterly cumulative updates.
That means four times the amount of change, with a quarter of the testing. Another potential problem is that rolling software out across Office 365 isn’t representative of the rest of the world. Office 365 is a great way to see if your software stands up against real users, but it’s not a great way of capturing all the diversity of an on-prem environment.
Office 365 is pretty homogeneous. It doesn’t the same variety of hardware, drivers, third-party integrations, software patch level… All that kind of thing that varies between company and company, Office 365 doesn’t really test well.
This leads us to Exchange 2019 and another significant change in how Exchange is developed. The Exchange codebase has been forked. There are now two streams of development: Exchange Online and Exchange 2019, independently. The focus for Exchange Online is rapid release cycles and new features.
The focus for Exchange 2019 on the other hand is reliability.
So Exchange Server is going to lag behind Exchange Online but it’s going to have more time spent on reliability, to make sure it’s meeting the needs of large enterprises. This leads me to my conclusion. Office 365 wins for features. Exchange Server wins reliability. That’s a conclusion based on real-world experience.
After the release of 2019, we have seen features appear in Office 365 with no roadmap to bring them on-prem, and even before of the release of 2019 with its specific focus on reliability; I would have said that a single well-managed Exchange Server should have less unplanned issues than Office 365. Now I say “unplanned” because if you are running a single server and you don’t have a DAG or any clustering involved, then you’re going to have to take that down once a month for patching, right? So there will be planned downtime, but the point stands.
A well-managed Exchange infrastructure will tend to have less issues throughout the year than Office 365 probably will. Now I realize that might come as a surprise; because I’ve effectively just told you that if I were to build an Exchange infrastructure it would be more reliable than one Microsoft would build themselves.
I mean, that sounds crazy, right? They made Exchange. They know how to do it better than anyone, right? What you have to remember is Microsoft aren’t trying to build the most reliable Exchange infrastructure. That’s not their goal with Office 365.
If they wanted to, I’m sure they could. I mean they’ve said as much themselves – the phrase was something along the lines of “We could build it for you, but you wouldn’t pay for it”. Office 365 needs to continually innovate in order to stay ahead of it’s competitors. Remember Facebook’s motto used to be “move fast and break things”? Well, if Microsoft doesn’t move fast as well, then the likes of Google are going to leave them behind.
So Microsoft need to move fast, and that means sometimes things will break. So how reliable is Office 365? Well, it comes with a 99.9% uptime guarantee. Now that sounds really good, although if you crunch the numbers that does add up to about 45 minutes downtime that’s allowed per month.
Now in practice, Microsoft are smashing that. They’re not going down for 45 minutes every month, they’re doing way better than that. But they do have a trick up their sleeve, Sometimes when an issue occurs, in fact usually when an issue occurs, you’ll find it’s not classed as “downtime” its classed as “disruption”; and there is no guarantee for disruption. Now I don’t know where the line is drawn.
I don’t know the criteria by which something becomes “downtime” or “disruption” in Microsoft’s world.
What I do know is there have been several incidents that I consider to be major incidents, and I certainly couldn’t have sold to my customers as “just disruption”, but that’s why they’ve been classified. So be aware of that your definition of downtime and Microsoft’s might differ a little.
That’s not to say these things happen all the time. If they did, people would take their business elsewhere, and Microsoft are not going to let that happen. Major issues are quite rare.
Minor issues on the other hand do happen fairly often; but they’re usually so minor that they go completely unnoticed by most people, or if they do see an issue they come back ten minutes later and it’s working. So it’s usually quite low impact. At the end of the day, Microsoft aren’t trying to make it perfect. They’re trying to make it good enough that most people will be reasonably happy, whilst innovating, whilst keeping the cost down, and whilst making a profit. You just need to know: is it delivering the features you need, reliably enough, and is the price right?
I hope this video has gone some way to helping you with that.
Drop me a comment, let me know. This is the second video I’ve done so I’m interested in getting your feedback. If you found this helpful, give me a thumbs up. I’ll do a new video in a couple of weeks time.
If you want to be the first to know about that, then hit the subscribe button and use a bell icon to turn on notifications. Thanks for watching, guys. See you next time..
Read More: Notion Offline Twitter