Series of migration guides written by me on Azure AD, Intune and Office 365. We will be going through the design phase, migrating e-mail and configuring Intune Standalone. Let’s start.
Azure AD Standalone
Quite recently I was called to help a company move 11 sub-companies into the same tenant. They want to move away from on-premises infrastructure and move to the cloud with Azure AD, Intune and Office 365.
At the same time, it was time to create a blog.
Let’s look at our customer and their needs.
Details about the client:
- Multi-national company that owns several separate entities in several countries
- Parent company will not be a part of the project
What are the needs?
- One tenant for all separate companies
- No local infrastructure if possible
- A basic need for Office and security (Antivirus)
- SharePoint is intended to be a vital part of sharing documents and information with users
- Reduce management of clients to a minimum (Automate as much as possible)
- Cloud-based telephony is desired
- Move companies one by one by country
- Companies need to be separated while in the same tenant
- All companies have a separate IT environment
- There are offices for each company in each country
- Some companies have migrated to Office 365 previously (Hybrid)
- Most use remote solutions for CRM/ERP/etc – This is not part of the project
- All client computers will be upgraded to Windows 10
Now, let’s look at the possibilities regarding the needs of the company vs. the infrastructure. I will go into depth in the next parts on migrations and the configuration of Azure AD, Office 365, Intune and Azure Rights Management.
One tenant: Immediately, there is no problem consolidating all these companies into the same tenant. By registering each company as a separate accepted domain, we can distinguish them in the tenant. For example, firstname.lastname@example.org and email@example.com.
No local infrastructure: That’s great. With Azure AD join on Windows 10, Intune automation and the SSO experience, the user will experience a fluent setup and access without you, as the IT admin, having to even touch the computer/phone. The immediate problem is “What about printing?” To be honest, that’s always a problem anyway.
A basic need for Office and Antivirus: Intune provides Endpoint Protection, a good antivirus program that saves computers. We can also set up Intune to automatically register the client PC and drop Office in their laps. All through the internet, with you not having to touch the PC. Just create the deployments!
SharePoint: I will not dive deep here. SharePoint can be huge if the customer wants, or it can be set up in a couple of simple steps for a basic experience. There will be a need to segregate the different companies, as they should not be able to see each other’s files/information.
Reduce management: In this guide, we intend to automate as much as possible. The only requirements for the user should be:
- Internet access
When the user gets his or her computer (brand new, not touched by IT personnel), they should only need to log on with their work account, and Intune/Office 365 will handle the rest. All policies, all accepted updates and all applications will drop in their lap. Regarding printing, I’m thinking of creating a basic script that adds the printers in their offices. I will look at this problem at a later stage.
Cloud-based telephony: Well, Office 365 E5 to the rescue.
Companies need to keep being separated even though they’re in the same tenant: This one’s tricky. Why do I say that? Because Microsoft hasn’t really added good functionality for this bit.
If you’re an administrator in Office 365, you’re an administrator for the whole tenant. We can’t separate one company admin from another. You can either give all the access, or nothing at all. Of course you can limit the access by service (Exchange Online, Skype, SharePoint), but that’s not really the point. There should have been a capability to give limited access based on different criteria. Management by groups would be the best in our scenario.
For the users, though, there will not be much confusion. We’ll still be able to separate them fairly well. More on this in later posts.