Posted on July 21, 2021
Estimated reading time 5 minutes
In March 2020 the pandemic changed the way most of us would work for the next 18 months, if not forever. The situation changed so quickly, we were ordered to work from home by the government not knowing how sustainable long-term remote working would be, or even when we would see our colleagues face-to-face again. Organisations, even those who were already familiar with remote working like ourselves, were frantically trying to adapt to the new situation. The amount of work organisations now had on varied massively too, some taking on more, whilst others much less. During those first few months the volume of work we in the project delivery team were undertaking went through peaks and troughs whilst organisations were trying to figure out the impact the pandemic would have on them. What did however become the new constant was the type of enquiry being asked by many of our customers, all focused on remote working:
“We are finding it difficult to procure laptops and need to allow our users to work from their own devices in the interim. How can we allow this whilst ensuring our systems and data are safe?”
“Now users are working from home we are finding it really difficult to manage their devices. We can no longer push Group Policy settings or even applications to our users. What should we do?”
“To image laptops we’ve always needed to be in the office but we’re not allowed there anymore. How can we build new laptops and get them to our users’ home addresses?”
“What can we do to address the issue of password resets and domain joined Windows devices that don’t have line-of-sight to a domain controller?”
“Our client VPN is coming up for renewal and we don’t want to renew it to save cost. What do we need to do to completely get rid of it?”
“Is it possible to remove my Active Directory and operate entirely in Microsoft 365?”
The answer to all these questions, quite simply, is the Microsoft Modern Workplace. Of all those questions asked, the last is of particular interest, and one that most have considered too complex or complicated to achieve, and to be quite frank, least understood.
Since the pandemic began, I am delighted to say that we in the project delivery team have transformed many organisations, through a programme of works, to become truly cloud-only in Microsoft 365 with absolutely no server infrastructure. We follow our own five step process to get you there, making the assumption that you already have some presence in Microsoft 365 with identities being synchronised from Active Directory to Azure AD with AD Connect. Read below for our five-step journey to becoming truly cloud-only.
We kick off with a discovery and assessment of your environment. Here we work with you to understand your systems and then recommend a transformation path for you. We will also look at your Microsoft 365 licensing to ensure you are making the most of your SKUs and recommend any additional licensing requirements for the transformation. Upon completion of this step we will have a good understanding of your environment and the effort required to get you truly cloud-only in Microsoft 365.
We strongly recommend that Azure AD is hardened before undertaking a transformation like this with our security baselines; a set of security best practises that we’ve gathered over years of working with Azure AD. For the majority of organisations we’ve implemented this for we’ve at least doubled their Secure Score. At very minimum MFA should be enabled for all users and legacy authentication should be blocked due to the inherent risk of weaker authentication protocols. Statistics Microsoft publish are stark for the number of attacks against legacy authentication protocols and it is expected that they will eventually disable these protocols all together some time in the future. After completing this step your Microsoft 365 tenant will be nice and secure and ready to begin migrating into.
Migrate your server workloads to a SaaS option. For Exchange, that means Exchange Online. For file servers, that means SharePoint Online and OneDrive. For third-party applications, that means their SaaS alternative. After completing this step, you will have removed your application and data dependency on Active Directory. Don’t worry if there isn’t a SaaS alternative for your third-party applications, we have a trick up our sleeve: Azure AD Domain Services; a managed Active Directory domain hosted in Azure that you can join servers to.
This tends to be the most intensive part of the transformation programme. It involves configuring Intune by creating compliance policies, creating update rings, packaging applications and enabling Windows 10 security baselines. We have found that the best way to Azure AD Join your Windows 10 devices is to Windows Autopilot them from the out-of-box experience via a EUC refresh programme, or even by using swing kit. Your Windows 10 devices will now be managed from the cloud and the user device dependency on Active Directory has been removed. There is still the matter of unmanaged devices though, or more commonly BYOD. Here we create application protection policies that allow secure access to your Microsoft 365 services and data. By applying protection at the application level, managing the app and not the device, your users are free to use any device they wish to work from.
This is the final step of the journey and not as scary as it may sound. During this step we perform some final tests with you before disabling AD Connect and converting all your directory synchronised objects to ‘in cloud’. Congratulations, you are now truly in the cloud! Once this step has been completed then you are free to go and power off and delete all those virtual machines and servers that you have hosted on-premises, in a co-lo, or even in the public cloud. We obviously highly recommend that you take backups before deleting them though!
Thank you for taking the time to read this blog. If you are looking to become truly cloud-only, are part way there, or are even already there, then we would love to speak to you about your journey. Get in contact with our team below.