Migrating to Office365 for Tens of Thousands

Presentation Transcript


  1. Migrating to Office365 for Tens of Thousands
     Colin Chaplin, End User Computing Architect, @ColinChaplin

  2. Or
     • Best bits of ‘lessons learnt’ reports
     • Notes from the field
     • Don’t make as many screw-ups as Colin!

  3. Objectives
     • Consider the “real world” and focus on areas that get less attention
     • Step outside the blueprints and sometimes best practice – use at your own discretion
     • Identity
     • Look at the classic workloads

  4. Connectivity
     • Microsoft really don’t want you to use ExpressRoute
     • Nor a proxy – but it can work
       • No auth, no inspection, SSL bypass
       • Must have lots of capacity
       • Protocols may be HTTPS, but other protocols are encapsulated inside
     • WARNING – networks/IPs/domains do change
     • Direct routing is best
     • If the default network route cannot be used, consider the number of routes to add to your network
     • Unless wholly undersized, connectivity is probably not a consideration for migration

  5. Identity is Key!
     • Getting people into O365
     • Azure AD Connect – treat it like a DC
     • Consider the value in a domain consolidation. Or not!
     • Directory sync is SLOW
     • UPN == Email Address
     • Microsoft refer to “email address” when they mean UPN
     • Be aware of the challenges of changing UPN

  6. Don’t be these guys….

  7. Manage Identities
     • Health of identities needs tending (sync and security)
     • Register computers with Hybrid Azure AD Domain Join
       • Better user experience
       • Unlocks more Conditional Access scenarios
     • Identities synced from on-premises are almost completely read-only in the cloud; they are still managed on-prem
     • Directory updates are slow – and can be unpredictable
     • Group Based Licensing (GBL) allows additive licensing

  8. Authenticating Users
     • ADFS is the traditional choice
     • From an era when syncing hashed passwords to the cloud was a concern
     • InsideCorpNet and Legacy Auth blocking are compelling features

  9. InsideCorpNet
     • Useful where egress IP is not dedicated

  10. Full Scale ADFS

  11. = Complexity

  12. ADFS
     • Do not use it, or
     • Password Hash Sync with Seamless Single Sign-On
       • No extra on-prem kit at all
     • At the very least, turn on Password Hash Sync
     • Incremental migration to PHS/SSSO is coming

  13. Standardised user settings
     • Highly repeatable, standardised setup, such as:
       • I want all offshore call centres to have HD Video disabled
       • I want UPN to equal email address and be kept updated (dealing with sync bugs)
       • I want leaver mailboxes to be put on legal hold for 366 days immediately after they leave

  14. Solution
     • Third party tooling?
     • Roll your own?
       • Group Membership -> Script -> O365 setting
     • Must have a strategy for active license management
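One way to build the “Group Membership -> Script -> O365 setting” pattern from slides 13 and 14, as an added example rather than the author's own tooling. It assumes the AzureAD and ExchangeOnlineManagement PowerShell modules with sessions already connected; the group name and hold period are placeholders taken from the slide.

```powershell
# Added example: group membership drives a standardised O365 setting.
# Assumes Connect-AzureAD and Connect-ExchangeOnline have already been run.
$LeaversGroup = 'O365-Leavers'   # hypothetical group populated by the HR feed when someone leaves
$HoldDays     = 366              # hold period stated on slide 13

function Get-GroupUpns {
    # Resolves a group display name to the UPNs of its direct user members (nested groups ignored).
    param([Parameter(Mandatory)][string]$DisplayName)
    $group = Get-AzureADGroup -Filter "DisplayName eq '$DisplayName'"
    if (-not $group) { throw "Group '$DisplayName' not found" }
    Get-AzureADGroupMember -ObjectId $group.ObjectId -All $true |
        Where-Object { $_.ObjectType -eq 'User' } |
        Select-Object -ExpandProperty UserPrincipalName
}

function Test-UpnMatchesMail {
    # Reports drift from the UPN == email rule on slide 5. For synced users the fix belongs
    # in on-prem AD (cloud copies are read-only), so this only reports and does not write.
    param([Parameter(Mandatory)][string]$Upn)
    $u = Get-AzureADUser -ObjectId $Upn
    if ($u.Mail -and ($u.Mail -ne $u.UserPrincipalName)) {
        Write-Warning "UPN/mail mismatch: $($u.UserPrincipalName) vs $($u.Mail)"
    }
}

function Ensure-LeaverHold {
    # Idempotent: puts the mailbox on litigation hold for $Days unless a hold is already in place.
    param([Parameter(Mandatory)][string]$Upn, [int]$Days = $HoldDays)
    $mbx = Get-Mailbox -Identity $Upn -ErrorAction SilentlyContinue
    if (-not $mbx) { Write-Warning "$Upn has no Exchange Online mailbox (not migrated yet?)"; return }
    if ($mbx.LitigationHoldEnabled) {
        Write-Verbose "$Upn already on hold (duration: $($mbx.LitigationHoldDuration))"
        return
    }
    # -LitigationHoldDuration accepts a number of days; the hold starts as soon as this runs.
    Set-Mailbox -Identity $Upn -LitigationHoldEnabled $true -LitigationHoldDuration $Days
    Write-Output "Hold applied: $Upn for $Days days"
}

# Run the rules: membership of the leavers group is the trigger, the script is the glue.
foreach ($upn in Get-GroupUpns -DisplayName $LeaversGroup) {
    Test-UpnMatchesMail -Upn $upn
    Ensure-LeaverHold -Upn $upn
}
```

Schedule it (or trigger it from the group-change event) rather than running it by hand, so the hold lands “immediately after they leave” as the slide requires.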

  15. MFA and SSPR
     • Multi-Factor Auth – text to phone, app, call
     • Don’t enable per-user
     • Don’t use trusted IPs
     • Enable via Conditional Access policy

  16. MFA/SSPR Roll-out
     • Users are prompted to enrol the first time it’s turned on and they access an O365 service (SSPR), or when MFA is first required
     • Despite recent fettling, the process is still unsettling for some users, and might be impossible for some
     • MI for sign-up still isn’t brilliant
     • Communications process – go slow…

  17. Conditional Access
     • Office365 by design is any device/any location – an anathema for many corporate customers
     • Firewall for the identity era
     • For Office365 and Enterprise Apps (more later)
     • From this type of device, allow access to this type of workload in this way
       • From a corporate PC, allow access for the Outlook app and webmail
       • From an untrusted PC, allow access to webmail (with no downloads) but require MFA; block access to the Outlook client. Allow access to Yammer with username and password

  18. Trust defined a number of ways
     • Source IP
       • and insidecorpnetwork claim if AzureAD used
     • Hybrid Azure AD join
     • Marked as compliant (Intune)
     • Sign-in risk
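The untrusted-PC scenario from slide 17, using the trust signals from slide 18 and delivering MFA through Conditional Access rather than per-user as slide 15 advises, written as two policies with the Microsoft Graph PowerShell module. This is an added example, not the author's configuration; it assumes `Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess'` has been run, and the break-glass group id is a placeholder.

```powershell
# Added example: slide 17's scenario as two Conditional Access policies, created in
# report-only mode so sign-in logs show the impact before anyone is blocked.
$BreakGlassGroupId = '<object-id-of-emergency-access-group>'   # placeholder: always exclude this group

# Shared conditions: everyone, the Office 365 app group, any location except trusted networks
# (slide 18: source IP is one of the trust signals).
$common = @{
    users        = @{ includeUsers = @('All'); excludeGroups = @($BreakGlassGroupId) }
    applications = @{ includeApplications = @('Office365') }
    locations    = @{ includeLocations = @('All'); excludeLocations = @('AllTrusted') }
}

$policies = @(
    @{  # Rich clients (Outlook etc.) only from a trusted PC: hybrid Azure AD joined or Intune compliant.
        # An untrusted PC satisfies neither grant, so the Outlook client is blocked there.
        displayName   = 'CA01 O365 desktop and mobile apps require trusted device'
        state         = 'enabledForReportingButNotEnforced'
        conditions    = $common + @{ clientAppTypes = @('mobileAppsAndDesktopClients') }
        grantControls = @{ operator = 'OR'; builtInControls = @('domainJoinedDevice', 'compliantDevice') }
    },
    @{  # Browser from an untrusted network: allowed, but MFA plus app-enforced restrictions
        # (the read-only / no-download experience in OWA and SharePoint).
        displayName     = 'CA02 O365 browser from untrusted network requires MFA, no downloads'
        state           = 'enabledForReportingButNotEnforced'
        conditions      = $common + @{ clientAppTypes = @('browser') }
        grantControls   = @{ operator = 'AND'; builtInControls = @('mfa') }
        sessionControls = @{ applicationEnforcedRestrictions = @{ isEnabled = $true } }
    }
)

foreach ($p in $policies) {
    New-MgIdentityConditionalAccessPolicy -BodyParameter $p | Select-Object DisplayName, State
}

# App-enforced restrictions only bite once the workload honours them. For Outlook on the web
# that is the OWA mailbox policy (requires Connect-ExchangeOnline):
#   Set-OwaMailboxPolicy -Identity 'OwaMailboxPolicy-Default' -ConditionalAccessPolicy ReadOnly
```

Yammer, which the slide leaves on username and password, falls outside the `Office365` app group's enforcement for these controls and so is not touched by either policy; review the report-only results before switching `state` to `enabled`.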

  19. Identity – Enterprise Apps
     • Never ‘roll your own’ username and password solution
     • Many third parties support this (albeit with varying levels of knowledge!) – incredibly popular
     • Azure AD acts as an IdP
     • Users log in (likely single sign-on) with their normal credentials

  20. User Consent
     • Allows users to give 3rd party apps access up to the permission level they themselves have
     • Illicit grants are a real problem
     • Many organisations turn this off
       • Admin consent only

  21. Benefits
     • Use the same Azure AD features as O365
       • Use Conditional Access, MFA, sign-in risk
       • Logging, access reviews
     • Cloud accounts and AD-derived accounts – no ADFS configuration
     • But…
       • Certificates expire
       • Someone needs to read the contact email address
       • You will need to build a review and workflow process
       • Be aware of lazy developers over-reaching in the permissions they ask for
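The “certificates expire” and “someone needs to read the contact email address” points from slide 21 are easier to live with when expiry is checked on a schedule. The report below is an added example, not the author's process; it assumes the Microsoft.Graph module connected with `Application.Read.All`, and the 45-day lead time is a placeholder.

```powershell
# Added example: list Enterprise App (service principal) certificates and client secrets that
# expire within a lead time, with the notification contacts configured on each app.
$WarnDays = 45   # hypothetical lead time for the renewal workflow

function Get-ExpiringSpCredentials {
    param([int]$WithinDays = $WarnDays)
    $now      = (Get-Date).ToUniversalTime()
    $deadline = $now.AddDays($WithinDays)
    $props    = 'Id', 'DisplayName', 'AppId', 'KeyCredentials', 'PasswordCredentials', 'NotificationEmailAddresses'

    Get-MgServicePrincipal -All -Property $props | ForEach-Object {
        $sp = $_
        # Certificates (SAML signing, client auth) and client secrets are flattened to one shape.
        $creds = @($sp.KeyCredentials      | ForEach-Object { [pscustomobject]@{ Kind = 'Certificate'; End = $_.EndDateTime } }) +
                 @($sp.PasswordCredentials | ForEach-Object { [pscustomobject]@{ Kind = 'Secret';      End = $_.EndDateTime } })
        foreach ($c in $creds) {
            # Already-expired credentials are included: they are the ones nobody read the email about.
            if ($c.End -and $c.End -le $deadline) {
                [pscustomobject]@{
                    App      = $sp.DisplayName
                    AppId    = $sp.AppId
                    Kind     = $c.Kind
                    Expires  = $c.End
                    DaysLeft = [math]::Floor(($c.End - $now).TotalDays)
                    Contact  = ($sp.NotificationEmailAddresses -join ';')   # empty = no one is told
                }
            }
        }
    } | Sort-Object Expires
}

Get-ExpiringSpCredentials | Format-Table -AutoSize
```

Rows with an empty `Contact` column are the apps where the slide's warning applies literally: nobody is configured to receive the expiry mail.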

  22. Clients – Smartphones and Tablets
     • Intune
       • Obvious point to move from 3rd party MDM to Intune
       • Process is unpopular with users and can be the biggest pain point in the project
       • Use manufacturer auto-enrol (DEP/Zero Touch) if possible – devices are wiped
     • Or don’t manage devices at all!
       • Intune App Protection can apply policies to apps (e.g. Outlook app, SharePoint app)
       • Disable copy and paste, require PIN, no jailbroken devices
     • May be possible to grant a higher level of access on smart devices due to contracts (compared to Wintel/Mac)

  23. Clients
     • Win 7 and Office 2007 (fully patched) will work
     • Any client not ‘modern auth’ aware (=> Office 2013) is a bad idea – it will fail if MFA is enabled per user or required via CA policy
     • Hybrid Azure AD Domain Join is not as mature on Win 7
     • Plan to have all devices up to date before O365 migration, but accept some may slip through

  24. Clients – Shared Desktop/Thin Client
     • Outlook and OneDrive work really well on dedicated PCs/laptops where they can cache data
     • Doesn’t work on non-persistent devices. Even with a very fast connection, Outlook in online mode is unsatisfying
     • Shared computers – consider activation of ProPlus and how to roam
     • FSLogix product suite is a good stop-gap

  25. Exchange
     • No-one gets excited about this any more
       • Until it goes wrong!
     • Do full hybrid during migration
     • Remove afterwards – but consider keeping an Exchange server
     • Use a 3rd party for application SMTP relay (e.g. SendGrid), not O365

  26. SharePoint
     • Less functionality in O365
       • Or similar, but repurchase third party tools
       • Or rework in Flow!
     • Capacity management can be a ‘thing’

  27. OneDrive
     • Many OneDrive horror stories are now resolved (but not all!)
     • Win10 1803/Files On-Demand is what makes it enterprise class
     • Redirect My Documents/Desktop etc. into it, and migrate away from the personal home drive
     • There’s no way to monitor the success of users’ sync

  28. Evergreen
     • No more monolithic upgrades every 4–5 years
     • Technology will change during the rollout
     • Users will start to demand new features – do not release (actively block) until you have assessed them and have a structure
       • E.g. Groups is a fundamental structure of Teams; without a strategy for managing Groups, chaos will ensue!

  29. Conclusions
     • Identity, Identity, Identity
     • Keeping on top of developments is a daily task, either to protect the service or to exploit features
     • O365 is a comprehensive, but not complete, suite and you will have to add to it with your own policies and solutions
