Migrating to Office365 for Tens of Thousands
Colin Chaplin, End User Computing Architect, @ColinChaplin
Or
• Best bits of ‘lessons learnt’ reports
• Notes from the field
• Don’t make as many screw ups as Colin!
Objectives
• Consider the “real world” and focus on areas that get less attention
• Step outside the blueprints and sometimes best practice – use at your own discretion
• Identity
• Look at the classic workloads
Connectivity
• Microsoft really don’t want you to use ExpressRoute
• Nor a proxy – but it can work
  • No auth, inspection, SSL bypass
  • Must have lots of capacity
  • Protocols may be HTTPS, but other protocols are encapsulated inside
• WARNING – networks/ IP/ domains do change
• Direct routing is best
• If the default network route cannot be used, consider the number of routes to add to your network
• Unless wholly undersized, connectivity is probably not a consideration for migration
Identity is Key!
• Getting people in O365
• Azure AD Connect. Treat like a DC
• Consider the value in a domain consolidation. Or not!
• Directory sync is SLOW
• UPN == Email Address
  • Microsoft refer to email address when they mean UPN
  • Be aware of challenges with changing UPN
Manage Identities
• Health of identities needs tending (sync and security)
• Register computers with Hybrid Azure AD Domain Join
  • Better user experience
  • Unlocks more Conditional Access scenarios
• Identities synced from on-premises are almost completely read only in the cloud; they are still managed on-prem
• Directory updates are slow – and can be unpredictable
• Group Based Licensing (GBL) allows additive licensing
Authenticating Users
• ADFS is the traditional choice
  • From an era when syncing hashed passwords to the cloud was a concern
  • InsideCorpNet and Legacy Auth blocking are compelling features
InsideCorpNet
• Useful where egress IP is not dedicated
ADFS
• Do not use it, or
  • Password Hash Sync with Seamless Single Sign On
  • No extra on-prem kit at all
• At the very least, turn on Password Hash Sync
• Incremental migration to PHS/ SSSO is coming
Standardised user settings
• Highly repeatable, standardised setup, such as:
  • I want all offshore call centres to have HD Video disabled
  • I want UPN to equal email address and be kept updated (dealing with sync bugs)
  • I want leaver mailboxes to be put on legal hold for 366 days immediately after they leave
Solution
• Third party tooling?
• Roll your own?
  • Group Membership -> Script -> O365 setting
• Must have a strategy for active license management
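Two of the standardised settings above (UPN equal to email, 366-day hold for leavers) implemented in the Group Membership -> Script -> O365 setting pattern. This is an added example, not the deck's or the author's code; the OU, the leaver group name and the rights of the running account are assumptions, and the UPN fix is made on-prem because synced identities are read-only in the cloud.

```powershell
# Added example (not from the deck): drive standard settings from AD group membership.
# Assumed placeholders: OU 'OU=Users,DC=corp,DC=example', leaver group 'O365-Leavers',
# and an account with write rights in AD and Exchange Online.
Import-Module ActiveDirectory
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -ShowBanner:$false

# Rule 1: UPN must equal the primary email address. Synced identities are read-only in
# the cloud, so the change is made on-prem and flows up on the next AAD Connect cycle.
function Sync-UpnToMail {
    param([string]$SearchBase, [switch]$WhatIf)
    $forest = Get-ADForest
    $validSuffixes = @($forest.UPNSuffixes) + @($forest.Domains)   # suffixes AAD will accept
    Get-ADUser -SearchBase $SearchBase -Filter 'mail -like "*"' -Properties mail |
        Where-Object { $_.UserPrincipalName -ne $_.mail } |
        ForEach-Object {
            $suffix = $_.mail.Split('@')[1]
            if ($validSuffixes -notcontains $suffix) {
                # An unverified suffix would sync as *.onmicrosoft.com: report, do not change.
                Write-Warning "$($_.SamAccountName): '$suffix' is not a UPN suffix, skipped"
                return
            }
            Set-ADUser -Identity $_ -UserPrincipalName $_.mail -WhatIf:$WhatIf
            Write-Output "$($_.SamAccountName): UPN set to $($_.mail)"
        }
}

# Rule 2: every member of the leaver group gets a 366-day litigation hold, once.
function Set-LeaverHold {
    param([string]$GroupName, [int]$Days = 366, [switch]$WhatIf)
    Get-ADGroupMember -Identity $GroupName |
        Where-Object { $_.objectClass -eq 'user' } |   # ignore nested groups/computers
        Get-ADUser |
        ForEach-Object {
            $upn = $_.UserPrincipalName
            $mbx = Get-Mailbox -Identity $upn -ErrorAction SilentlyContinue
            if (-not $mbx) { Write-Warning "${upn}: no mailbox, skipped"; return }
            if ($mbx.LitigationHoldEnabled) { return }   # already applied on an earlier run
            Set-Mailbox -Identity $upn -LitigationHoldEnabled $true `
                        -LitigationHoldDuration $Days -WhatIf:$WhatIf
            Write-Output "${upn}: litigation hold for $Days days"
        }
}

# Run in -WhatIf mode first; drop the switch once the output looks right.
Sync-UpnToMail -SearchBase 'OU=Users,DC=corp,DC=example' -WhatIf
Set-LeaverHold -GroupName 'O365-Leavers' -WhatIf
```

Schedule it to run frequently (the deck's point is that directory sync and updates are slow), and keep the group memberships themselves under review so the script stays the only path to these settings.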
MFA and SSPR
• Multi Factor Auth – text to phone, app, call
• Don’t enable per-user
• Don’t use trusted IPs
• Enable via Conditional Access policy.
MFA/ SSPR Roll out
• Users are prompted to enrol the first time it’s turned on and they access an O365 service (SSPR) or MFA would be required
• Despite recent fettling, the process is still unsettling for some users, and might be impossible
• MI for signup still isn’t brilliant
• Communications process, go slow…
Conditional Access
• Office365 by design is any device/ any location
  • an anathema for many corporate customers
• Firewall for the identity era
• For Office365 and Enterprise Apps (more later)
• From this type of device, allow access to this type of workload in this way
  • From a corporate PC, allow access for Outlook app and webmail
  • From an untrusted PC, allow access to webmail (with no downloads) but require MFA; block access to Outlook client. Allow access to Yammer with username and password
Trust defined a number of ways
• Source IP
  • and InsideCorpNet claim if Azure AD used
• Hybrid Azure AD join
• Marked as compliant (Intune)
• Sign in risk
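The “untrusted PC” rules from the Conditional Access slide, using two of the trust signals above (Hybrid Azure AD join and Intune compliance), written as two report-only policies via Microsoft Graph PowerShell. Added example, not from the deck; the break-glass group id is a placeholder and the module, scope and admin rights are assumptions.

```powershell
# Added example (not from the deck): CA policies for "untrusted PC" in report-only mode.
# Assumed: Microsoft.Graph.Identity.SignIns installed, caller granted
# Policy.ReadWrite.ConditionalAccess, break-glass group id filled in before use.
Import-Module Microsoft.Graph.Identity.SignIns
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess' -NoWelcome

$breakGlass = '<break-glass-group-object-id>'   # placeholder; always exclude emergency accounts
# Untrusted = neither hybrid Azure AD joined ("ServerAD") nor marked compliant by Intune
$untrustedDevice = @{ deviceFilter = @{ mode = 'include'
    rule = 'device.trustType -ne "ServerAD" -and device.isCompliant -ne True' } }

# Policy A: browser (webmail) from an untrusted device -> allow with MFA, and let the
# service apply its "limited access / no downloads" behaviour via app-enforced restrictions.
$webmailPolicy = @{
    displayName = 'CA-Untrusted-Browser-MFA-NoDownload'
    state       = 'enabledForReportingButNotEnforced'   # report-only first: go slow
    conditions  = @{
        users          = @{ includeUsers = @('All'); excludeGroups = @($breakGlass) }
        applications   = @{ includeApplications = @('Office365') }
        clientAppTypes = @('browser')
        devices        = $untrustedDevice
    }
    grantControls   = @{ operator = 'OR'; builtInControls = @('mfa') }
    sessionControls = @{ applicationEnforcedRestrictions = @{ isEnabled = $true } }
}

# Policy B: rich clients (Outlook desktop/mobile, ActiveSync, legacy) from an untrusted
# device -> block outright.
$clientPolicy = @{
    displayName = 'CA-Untrusted-RichClient-Block'
    state       = 'enabledForReportingButNotEnforced'
    conditions  = @{
        users          = @{ includeUsers = @('All'); excludeGroups = @($breakGlass) }
        applications   = @{ includeApplications = @('Office365') }
        clientAppTypes = @('mobileAppsAndDesktopClients', 'exchangeActiveSync', 'other')
        devices        = $untrustedDevice
    }
    grantControls = @{ operator = 'OR'; builtInControls = @('block') }
}

foreach ($p in @($webmailPolicy, $clientPolicy)) {
    $created = New-MgIdentityConditionalAccessPolicy -BodyParameter $p
    Write-Output "$($created.DisplayName): created as $($created.State), id $($created.Id)"
}
```

Review the report-only sign-in logs for both policies before switching `state` to `enabled`; the Yammer username-and-password rule on the slide is a separate allow policy scoped to that app.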
Identity – Enterprise Apps
• Never ‘roll your own’ username and password solution
• Many third parties support this (albeit with varying levels of knowledge!) – incredibly popular
• Azure AD acts as an IdP
• Users log in (likely single sign on) with normal credentials
User Consent
• Allows users to give 3rd party apps access at the permission level they have
• Illicit grants are a real problem
• Many organisations turn this off
  • Admin consent only
Benefits
• Use same Azure AD features as O365
  • Use Conditional Access, MFA, sign in risk
  • Logging, Access reviews
• Cloud accounts and AD-derived accounts – no ADFS configuration
• But…
  • Certificates expire
  • Someone needs to read the contact email address
  • You will need to build a review and workflow process
  • Be aware of lazy developers over-reaching with permission ask
Clients – Smartphones and Tablets
• Intune
• Obvious point to move from 3rd party MDM to Intune
• Process is unpopular with users and can be the biggest pain point in the process
• Use Manufacturer Auto Enrol (DEP/ Zero Touch) if possible – devices are wiped
• Or don’t manage devices at all!
  • Intune App Protection can apply policies to apps (e.g. Outlook app, SharePoint app)
  • Disable copy and paste, require PIN, no jailbroken device
• May be possible to grant higher level access on smart devices due to contracts (compared to Wintel/ Mac)
Clients
• Win 7 and Office 2007 (fully patched) will work
• Any client not ‘modern auth’ aware (=> Office 2013) is a bad idea – will fail if MFA is enabled per user or required via CA policy
• Hybrid Azure AD Domain Join is not as mature in Win7
• Plan to have all devices up-to-date before O365 migration, but accept some may slip through
Clients – Shared Desktop/ Thin Client
• Outlook and OneDrive work really well on dedicated PCs/ laptops where they can cache data
• Doesn’t work on non-persistent devices. Even with a very fast connection, Outlook in online mode is unsatisfying
• Shared computers – consider activation of ProPlus and how to roam
• FSLogix product suite is a good stop-gap
Exchange
• No-one gets excited about this any more
  • Until it goes wrong!
• Do full hybrid during migration
• Remove afterwards – but consider keeping an Exchange server
• Use a 3rd party for application SMTP relay (e.g. SendGrid), not O365
SharePoint
• Less functionality in O365
  • Or similar, but repurchase third party tools
  • Or rework in Flow!
• Capacity management can be a ‘thing’
OneDrive
• Many OneDrive horror stories are now resolved (but not all!)
• Win10 1803/ Files on Demand is what makes it enterprise class
• Redirect My Documents/ Desktop etc. into it, and migrate away from the personal home drive
• There’s no way to monitor the success of users’ sync
Evergreen
• No more monolithic upgrades every 4-5 years
• Technology will change during the rollout
• Users will start to demand new features – do not release (actively block) until you have assessed and have a structure
  • E.g. Groups is a fundamental structure of Teams; without a strategy for managing Groups, chaos will ensue!
Conclusions
• Identity, Identity, Identity
• Keeping on top of developments is a daily task, either to protect service or exploit features
• O365 is a comprehensive, but not complete, suite and you will have to add to it with your own policies and solutions