Thank you for reading my blog about the technical implementation of a Microsoft 365 workplace. In this article I describe a high-level approach for implementing Microsoft 365 and shifting from a traditional, on-premises organisation to a cloud-focused one. If you're not yet convinced by the cloud idea, read The value of Microsoft 365 E3 and E5 and How to build your Zero Trust modern workplace with Microsoft 365 first; they cover the why of cloud and of modern technology.
This blog describes the high-level technical actions needed to grow into a Microsoft 365 modern organisation. I would love to receive feedback in the comments, on LinkedIn or on Twitter.
1. Start with identity management and extend Active Directory to Azure AD
Install Azure AD Connect and synchronise your users and groups to Azure AD. Directory synchronisation with password hash synchronisation brings all identities from your current environment into Azure AD. I prefer to start with the hybrid scenario and move to a full cloud scenario later (worst case, AD DS running in Azure), so that the controls shift and Azure AD becomes the primary directory. Treat the Azure AD Connect server as a tier-0 asset: it holds credentials that can write to both directories, so harden and monitor it like a domain controller.
Why? Azure AD goes beyond legacy directory integration: it is a modern identity platform with Conditional Access, risk-based sign-in and application integration built in. Keep it simple: if you don't strictly need a third-party identity solution (which often limits access to new capabilities), don't add one; use native Azure AD. The migration is also a big opportunity to leave legacy dependencies behind and move cleanly to Azure AD, or to AD DS in Azure where an application still requires it.
2. Migrate your Exchange workload with the Exchange Hybrid Configuration Wizard
Exchange is typically the easiest workload to shift to Office 365 first.
- Set up Azure AD Connect and sync all identities.
- Change the UPNs if required; matching the UPN to the primary e-mail address is easiest for users.
- Pre-sync all mailboxes to 95% ahead of the cut-over so the final switch only copies the delta. Migration is throttled by the on-premises MRS proxy; raise the connection limits on the Exchange Web Services virtual directory if the initial sync is too slow.
- Moving all mailboxes in a single cut-over works well for organisations up to roughly 2,000–5,000 mailboxes; above that, use a phased approach with migration batches.
- Once mailboxes have been migrated via hybrid Exchange, shift inbound and outbound mail flow (MX and relay) to Office 365 directly or to an alternative gateway. Inventory the devices and applications that still relay through on-premises Exchange before you decommission it. Keep it simple: don't over-think it and don't create long-lived complexity in hybrid mail flow.
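The phased approach from the steps above, scripted with Exchange Online PowerShell. This is an added example and not code from the original post; it assumes the Hybrid Configuration Wizard has already created a migration endpoint called 'Hybrid Migration Endpoint', that the coexistence domain is contoso.mail.onmicrosoft.com and that the wave's mailboxes are listed in C:\Migration\wave1.csv. All of those names are placeholders.

```powershell
# Added example (not from the original post): one phased hybrid mailbox move.
# Assumptions: migration endpoint, target delivery domain and CSV path below are
# placeholders; the CSV has a single EmailAddress column.
Connect-ExchangeOnline -UserPrincipalName admin@contoso.com

$endpoint     = 'Hybrid Migration Endpoint'      # created by the HCW
$targetDomain = 'contoso.mail.onmicrosoft.com'   # tenant coexistence domain
$csvPath      = 'C:\Migration\wave1.csv'

# Create the batch and start the initial sync only. Without -AutoComplete the
# mailboxes sync to ~95% and then wait, so the cut-over is just a delta copy.
$batch = New-MigrationBatch -Name 'Wave1-Finance' `
    -SourceEndpoint $endpoint `
    -CSVData ([System.IO.File]::ReadAllBytes($csvPath)) `
    -TargetDeliveryDomain $targetDomain `
    -AutoStart

# Progress check: anything not 'Synced' still needs attention before cut-over.
Get-MigrationUser -BatchId $batch.Identity |
    Select-Object Identity, Status, SyncedItemCount, SkippedItemCount |
    Sort-Object Status | Format-Table -AutoSize

# Pull the error detail for failed users so they can be fixed before the window.
Get-MigrationUser -BatchId $batch.Identity -Status Failed | ForEach-Object {
    Get-MigrationUserStatistics -Identity $_.Identity -IncludeReport |
        Select-Object Identity, Error
}

# Finalise only when every user in the batch is synced; otherwise refuse and warn.
$pending = Get-MigrationUser -BatchId $batch.Identity | Where-Object Status -ne 'Synced'
if ($pending) {
    Write-Warning "$(@($pending).Count) user(s) not yet synced; batch not completed."
} else {
    Complete-MigrationBatch -Identity $batch.Identity
}
```

Run the first part days ahead of the change window and the completion part inside it; the pre-check at the end is what stops a half-synced batch from being cut over by accident.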
3. Migrate personal data to OneDrive
Documents are one of the most important assets in any workplace, and personal files are a crucial part of the migration. Helping people get a better collaboration space early builds support for the shift to M365.
- Use OneDrive Known Folder Move to automatically redirect Desktop, Documents and Pictures to OneDrive. People love this feature: it is easy to implement and adds value without changing the core.
- Migrate home drives to OneDrive with the SharePoint Migration Tool, or with third-party tools when you need more control. Shifting documents is important to break the dependence on the current file servers.
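Known Folder Move is driven by a handful of OneDrive policy settings. The script below is an added example, not from the original post, that writes the same registry values the OneDrive ADMX policies set and then verifies them; the tenant ID is a placeholder you replace with your own from the Azure AD overview blade. On Intune-managed devices the same settings are available as ADMX-backed OneDrive policies, so this is mainly useful for scripted rollout or as a compliance check.

```powershell
# Added example (not from the original post): enable OneDrive Known Folder Move
# silently and verify it. Run elevated. Tenant ID below is an assumed placeholder.
$TenantId = '00000000-0000-0000-0000-000000000000'
$Policy   = 'HKLM:\SOFTWARE\Policies\Microsoft\OneDrive'

function Set-KfmPolicy {
    param([Parameter(Mandatory)][string]$TenantId)
    if (-not (Test-Path $Policy)) { New-Item -Path $Policy -Force | Out-Null }
    # Move Desktop/Documents/Pictures into OneDrive for this tenant without prompting.
    Set-ItemProperty $Policy -Name 'KFMSilentOptIn' -Value $TenantId -Type String
    # Show a notification once the move is done so users know where files went.
    Set-ItemProperty $Policy -Name 'KFMSilentOptInWithNotification' -Value 1 -Type DWord
    # Stop users redirecting the folders back out of OneDrive.
    Set-ItemProperty $Policy -Name 'KFMBlockOptOut' -Value 1 -Type DWord
    # Sign the OneDrive client in silently with the Azure AD device credential.
    Set-ItemProperty $Policy -Name 'SilentAccountConfig' -Value 1 -Type DWord
    # Files On-Demand keeps migrated home drives from filling local disks.
    Set-ItemProperty $Policy -Name 'FilesOnDemandEnabled' -Value 1 -Type DWord
}

function Test-KfmPolicy {
    # Returns the policy values, usable from an Intune detection/remediation script.
    Get-ItemProperty $Policy |
        Select-Object KFMSilentOptIn, KFMSilentOptInWithNotification,
                      KFMBlockOptOut, SilentAccountConfig, FilesOnDemandEnabled
}

function Test-KfmApplied {
    # Run in the user's context: once the OneDrive client has applied KFM, the
    # known folders resolve to paths under the OneDrive sync root.
    foreach ($folder in 'Desktop', 'MyDocuments', 'MyPictures') {
        $path = [Environment]::GetFolderPath($folder)
        [pscustomobject]@{
            Folder     = $folder
            Path       = $path
            InOneDrive = ($path -like '*OneDrive*')
        }
    }
}

Set-KfmPolicy -TenantId $TenantId
Test-KfmPolicy
Test-KfmApplied | Format-Table -AutoSize
```

Set-KfmPolicy needs admin rights because it writes under HKLM; Test-KfmApplied is the part to run as the end user (or from a user-context Intune script) to confirm the redirection actually happened.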
4. Migrate departments to Teams or SharePoint Online
- Assess your current environment and understand the needs of each department.
- Team data (shared by a working group) → Microsoft Teams document libraries.
- Organisation-wide data → SharePoint Online.
- Personal data (touched by only one person) → OneDrive.
- There are great tools on the market to do the assessment. A phased approach is necessary, and standards and reusable building blocks (site templates, permission models) speed up the implementation.
5. Voice shift from on-premises to Microsoft 365
There are four options for a Microsoft voice solution; the first two are Teams-native:
- Phone System with a Microsoft Calling Plan
- Phone System with your own carrier via Direct Routing
- Phone System with your own carrier via Skype for Business Server or Cloud Connector Edition
- Enterprise Voice in Skype for Business Server with your own carrier
Don't settle for less: use Microsoft Teams. If you choose another platform, weigh trust, compliance, adoption, inclusion, security and segmentation, and most importantly the speed of implementation, against the simplicity of running everything on one platform.
6. Microsoft Endpoint Manager
- Implement Microsoft Endpoint Manager (Intune) for Windows 10 and all mobile devices. The minimum set of policies is described in the related article.
- Onboard all current devices with Hybrid Azure AD Join or with full cloud Azure AD Join.
- Onboard all new devices with Windows Autopilot.
- Implement MAM (app protection policies) for mobile at a minimum, and fully manage all company-owned devices.
7. Increase basic identity security
- Multi-Factor Authentication for all users, enforced through Conditional Access or, for small tenants without Azure AD P1, through Azure Security Defaults (the two cannot be combined).
- Conditional Access for easier sign-ins (fewer prompts from compliant devices and trusted locations) and more security.
- Connect devices to Azure AD with Endpoint Manager, either Hybrid Azure AD Join or full cloud join.
- Sign-in risk and user risk policies from Azure AD Identity Protection.
- SSPR (Self-Service Password Reset).
- Get control over the lifecycle of identities: expiration, onboarding and offboarding.
- Automatic password reset or account disablement when a credential turns up as breached (user-risk remediation).
- Later, make Azure AD the primary directory.
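The two Conditional Access policies that underpin most of this list, created with the Microsoft Graph PowerShell SDK. This is an added example and not from the original post; it assumes the Microsoft.Graph module is installed, the caller holds the Conditional Access Administrator role, and a group named 'Emergency Access Accounts' contains the break-glass accounts that must never be locked out. Both policies start in report-only mode so the sign-in logs show their impact before anything is enforced.

```powershell
# Added example (not from the original post): baseline Conditional Access policies
# via Microsoft Graph PowerShell, created in report-only mode first.
# Assumption: a break-glass group named 'Emergency Access Accounts' already exists.
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All', 'Group.Read.All'

$breakGlass = Get-MgGroup -Filter "displayName eq 'Emergency Access Accounts'"
if (-not $breakGlass) {
    throw 'Create and test break-glass accounts before enabling any Conditional Access policy.'
}

# Scope shared by both policies: everyone and every cloud app, minus break-glass.
$common = @{
    users        = @{ includeUsers = @('All'); excludeGroups = @($breakGlass.Id) }
    applications = @{ includeApplications = @('All') }
}

# Policy 1: require MFA on every interactive sign-in.
$requireMfa = @{
    displayName   = 'CA001 - Require MFA for all users'
    state         = 'enabledForReportingButNotEnforced'   # set to 'enabled' after review
    conditions    = $common + @{ clientAppTypes = @('all') }
    grantControls = @{ operator = 'OR'; builtInControls = @('mfa') }
}

# Policy 2: block legacy authentication protocols, which cannot perform MFA at all.
$blockLegacy = @{
    displayName   = 'CA002 - Block legacy authentication'
    state         = 'enabledForReportingButNotEnforced'
    conditions    = $common + @{ clientAppTypes = @('exchangeActiveSync', 'other') }
    grantControls = @{ operator = 'OR'; builtInControls = @('block') }
}

foreach ($policy in $requireMfa, $blockLegacy) {
    New-MgIdentityConditionalAccessPolicy -BodyParameter $policy |
        Select-Object DisplayName, State
}

# Review: every policy should exclude the break-glass group or still be report-only.
Get-MgIdentityConditionalAccessPolicy | ForEach-Object {
    [pscustomobject]@{
        Policy             = $_.DisplayName
        State              = $_.State
        BreakGlassExcluded = ($_.Conditions.Users.ExcludeGroups -contains $breakGlass.Id)
    }
} | Format-Table -AutoSize
```

Leave the policies in report-only mode for a week or two, review the Conditional Access insights in the sign-in logs for service accounts and legacy clients that would have been blocked, and only then flip the state to 'enabled'. The final table is the check you want before every change: an enabled policy that does not exclude the break-glass group is how a tenant locks itself out.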
8. Windows Autopilot for enrolment of Windows devices
- Enrol new devices with Windows Autopilot: the device is registered before it reaches the user, so it can be shipped straight from the vendor and set up by the user on first boot.
- Onboard current domain-joined devices with the Group Policy that enables automatic MDM enrolment using the device's Azure AD credential.
9. Software deployment migration
- Microsoft 365 Apps (formerly Office 365 ProPlus) can be deployed quickly via Endpoint Manager.
- Windows Update management can move to Endpoint Manager straight away; update rings give you full control.
- Microsoft Edge delivers great value: IE mode covers legacy web applications, it is Azure AD integrated, and it is built on Chromium.
- Use third-party mechanisms like Patch My PC or Chocolatey for simple deployable software, and custom scripts and Win32 packages when necessary.
10. Group Policy Objects (GPO) migration
- Microsoft is working on Group Policy analytics in Endpoint Manager, which reports how existing GPO settings map to MDM policies. Keep in mind that many policies exist only for legacy reasons: don't migrate unused GPOs, and rethink each one before turning it into an MDM policy.
- ADMX-backed policies and the built-in baselines give you smooth and faster configuration. When a setting is not exposed there, use a custom OMA-URI.
- Most importantly: aim to shift authority for about 80% of your settings from GPOs to MDM, and leave the rest behind on the on-premises domain controllers.
11. Windows updates and security improvements
- Create Windows 10 update rings and enable Delivery Optimization peer-to-peer caching to avoid saturating the internet breakout or the VPN.
- Create segmented pilot groups to validate each update version before it reaches the rest of production.
- Use the standard Security Baselines to implement the Windows 10 MDM baseline and the Microsoft Defender ATP configuration. Baselines are easy to use and a great starting point.
12. Shift infrastructure to Azure
If you want to shift infrastructure, follow the steps below. Otherwise do the assessment, document all infrastructure and start re-architecting where possible. When you host well-known vendor applications, ask the vendor whether a SaaS or Azure offering is planned.
- Create an Azure Migrate project and add the Server Assessment solution.
- Set up the Azure Migrate appliance and start discovery. Each appliance supports discovery of 250 servers; set up more if required.
- Once discovery is complete, create assessments and review the assessment reports.
- Use application dependency analysis to create and refine server groups, and phase the migration by group.
- Migrate the machines to Azure, treating them as physical servers (agent-based replication).
13. Migration of legacy Active Directory integration
- Shift applications that use AD groups or AD authentication towards Azure AD, or, worst case, AD DS in Azure.
- Isolate all applications, monitor active use of AD, and find out what you can transform easily.
- For old billing or accounting applications used by a few people: don't integrate; isolate them and move them with dedicated accounts to Azure IaaS. Put them in the long-term plan and push the vendors for integration, or choose other platforms.
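"Monitor active use of AD" needs data, and the Kerberos service-ticket events (4769) on the domain controllers are the cheapest source: each one names the service, the requesting user and the client address. The script below is an added example, not from the original post, that turns a week of those events into a per-service dependency report. It assumes it runs on (or with read access to the Security log of) a domain controller where the default 'Audit Kerberos Service Ticket Operations' success auditing is on; the 7-day window and the RC4 flag are my choices.

```powershell
# Added example (not from the original post): inventory which services, hosts and
# users still authenticate against Active Directory, from Kerberos event 4769.
# Assumptions: run against a DC's Security log; lookback window is a chosen default.
function Get-AdServiceUsage {
    param(
        [string]$ComputerName = $env:COMPUTERNAME,
        [int]$Days = 7
    )
    $filter = @{ LogName = 'Security'; Id = 4769; StartTime = (Get-Date).AddDays(-$Days) }
    Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter | ForEach-Object {
        # Read EventData fields by name, not position; positions differ between OS versions.
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            Client  = ($data['IpAddress'] -replace '^::ffff:', '')   # strip IPv4-mapped prefix
            User    = $data['TargetUserName']
            Service = $data['ServiceName']
            # 0x17 = RC4-HMAC; tickets still using it point at legacy apps or stale accounts.
            RC4     = ($data['TicketEncryptionType'] -eq '0x17')
            Failed  = ($data['Status'] -ne '0x0')
        }
    }
}

function Get-AdDependencyReport {
    param([string]$ComputerName = $env:COMPUTERNAME, [int]$Days = 7)
    Get-AdServiceUsage -ComputerName $ComputerName -Days $Days |
        # Drop failures and krbtgt referrals; what's left is real service usage.
        Where-Object { -not $_.Failed -and $_.Service -notlike 'krbtgt*' } |
        Group-Object Service | ForEach-Object {
            [pscustomobject]@{
                Service  = $_.Name
                Requests = $_.Count
                Clients  = @($_.Group.Client | Sort-Object -Unique).Count
                Users    = @($_.Group.User   | Sort-Object -Unique).Count
                RC4Share = [math]::Round(100 * @($_.Group | Where-Object RC4).Count / $_.Count)
            }
        } | Sort-Object Requests -Descending
}

Get-AdDependencyReport | Format-Table -AutoSize
```

Run it against every domain controller (the Security log is per DC unless you forward events). Services with many distinct clients are the ones to plan around first; a high RC4Share on an application service account usually means an old application or an account that has never had its password reset since AES was enabled, and both belong on the isolate-or-replace list.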
14. Build collaboration platforms with Microsoft Teams & SharePoint
We need to leave complex legacy behind. Choose SaaS solutions with long-term benefits. Don't wait until the legacy systems are phased out before going to the cloud: go cloud now and leave the legacy behind, or migrate and isolate it. Most important of all: think long term.
Always choose for the long term. Don't pick solutions that are non-compliant or not ready for future compliance requirements. Security complexity and demands keep growing, and GDPR and ISO 27001 matter.
- Build new Microsoft Teams for collaboration.
- Create a SharePoint hub for all SharePoint sites; define a framework, design requirements and a visual identity for the whole organisation.
- Build out department and long-term SharePoint collaboration spaces.
- Migrate old legacy applications to SharePoint Lists with Power Apps and integrate them with the Power Platform. Simple Lotus Notes applications can shift their history to SharePoint Lists and Power Apps, and Power BI helps with transparent reporting.
15. Rethink on-premises
Rethink what on-premises still needs to do. All collaboration spaces have shifted to Office 365. Devices are managed with Microsoft Endpoint Manager. Documents have moved to OneDrive, Teams and SharePoint. Authentication and application integration have shifted to Azure AD. Printing is handled by Universal Print or solutions like Printix. Core applications have moved to IaaS and are waiting to become SaaS over time.
What else is there?
16. Build security mechanisms that can be automated
- Security operations and incident response with Microsoft Defender ATP. It works in hybrid as a first phase, but hybrid is not the end goal.
- Build the next level of the modern workplace with Microsoft Information Protection, which automatically labels and classifies documents; use the unified labelling platform.
- Get a grip on actionable risks on devices and users with Defender ATP combined with Microsoft Cloud App Security to identify and isolate risks, sometimes with automatic remediation.
- Build on the identity and risk management foundation from step 7.
- Start with MAM (Mobile Application Management) to isolate corporate applications from personal applications on BYOD devices.
- Regularly review which users have access to data, devices and the physical network, and remove access that is no longer needed.
- Work on Microsoft Secure Score and Azure Secure Score.