Thanks for reading my blog post about the technical implementation of a Microsoft 365 workplace. In this article I've written down a high-level approach for an implementation and the shift from a more traditional organisation towards a cloud-focused organisation. If you are not totally a 'fan' of the cloud idea, please read these articles first: The value of Microsoft 365 E3 and E5, and How to build your Zero Trust modern workplace with Microsoft 365, which cover the why of cloud and why of modern technology.
1. Start with Identity Management and extending Active Directory to Azure AD
Install Azure AD Connect and sync your users and groups to Azure AD.
You can use directory and password synchronization to bring all identities from your current environment to Azure AD. I prefer the hybrid scenario first and the full cloud scenario later; worst case, run ADDS in Azure. The goal is to shift control so that Azure AD becomes the primary directory.
Why? Azure AD goes beyond the current 'legacy' integration and is a next-generation identity platform. Keep it simple: if you don't need third-party solutions (which always limit new capabilities), don't go for them; use native Azure AD. It is also a big opportunity to leave things behind and smoothly shift to ADDS or Azure AD.
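Before the first sync, the thing that most often bites is a UPN suffix that is not a verified domain in the tenant (a `.local` forest, for example): those users land in Azure AD as `user@tenant.onmicrosoft.com`. The script below is an added example and not part of the original post; it reports such users with the ActiveDirectory module, proposes the primary e-mail address as the new UPN where that uses a verified domain, and shows the ADSync commands that push the change. The verified domains and the `-Apply` switch are assumptions for this example.

```powershell
# Added example (not from the original post). Assumes the ActiveDirectory module
# on a domain-joined admin workstation and the ADSync module on the Azure AD
# Connect server. The verified domains are constructed placeholder values.
Import-Module ActiveDirectory

$VerifiedDomains = @('contoso.com', 'contoso.nl')   # domains verified in the Azure AD tenant (placeholder)

function Get-NonRoutableUpnUser {
    param([string[]]$VerifiedDomains, [string]$SearchBase = $null)

    $params = @{ Filter = 'Enabled -eq $true'; Properties = 'UserPrincipalName', 'mail' }
    if ($SearchBase) { $params.SearchBase = $SearchBase }

    Get-ADUser @params | ForEach-Object {
        $upn    = $_.UserPrincipalName
        $suffix = if ($upn) { $upn.Split('@')[-1].ToLower() } else { $null }
        # No UPN, or a suffix that is not verified in the tenant, becomes
        # user@tenant.onmicrosoft.com after sync and breaks "UPN equals e-mail".
        if (-not $suffix -or $VerifiedDomains -notcontains $suffix) {
            $mailDomain = if ($_.mail) { $_.mail.Split('@')[-1].ToLower() } else { $null }
            [pscustomobject]@{
                SamAccountName = $_.SamAccountName
                CurrentUpn     = $upn
                Mail           = $_.mail
                # Proposed UPN: the mail address, but only when its domain is verified.
                ProposedUpn    = if ($mailDomain -and $VerifiedDomains -contains $mailDomain) { $_.mail } else { $null }
            }
        }
    }
}

function Set-UpnFromMail {
    # Dry run by default; -Apply performs the change.
    param([Parameter(ValueFromPipeline)]$Candidate, [switch]$Apply)
    process {
        if (-not $Candidate.ProposedUpn) { return }
        if ($Apply) {
            Set-ADUser -Identity $Candidate.SamAccountName -UserPrincipalName $Candidate.ProposedUpn
        } else {
            "Would change $($Candidate.SamAccountName): $($Candidate.CurrentUpn) -> $($Candidate.ProposedUpn)"
        }
    }
}

# 1. Report first, review, then apply.
$candidates = Get-NonRoutableUpnUser -VerifiedDomains $VerifiedDomains
$candidates | Format-Table -AutoSize
$candidates | Set-UpnFromMail              # dry run
# $candidates | Set-UpnFromMail -Apply

# 2. On the Azure AD Connect server, check the scheduler and push a delta sync.
# Import-Module ADSync
# Get-ADSyncScheduler | Select-Object SyncCycleEnabled, NextSyncCycleStartTimeInUTC
# Start-ADSyncSyncCycle -PolicyType Delta
```

Users without a usable mail address are listed with an empty `ProposedUpn` so they can be handled by hand rather than silently skipped.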
2. Migrate your exchange workload with Exchange Hybrid Wizard
Exchange is the easiest workload to shift to Office 365 as the first load.
- Set up Azure AD Connect and sync all identities.
- Change the UPNs if required; matching the e-mail address is preferred, as it is easier for users.
- Pre-sync all mailboxes to a 95% state (suspend when ready to complete). Moves are throttled; raise the maximum in your web services (EWS) virtual directory configuration if needed.
- A cut-over in one shift is best practice for under 2000-5000 mailboxes; for more, use a phased approach. Approach and instructions here.
- After the migration over hybrid Exchange, the next step is shifting the relay directly to O365, or an alternative solution. Keep it simple: don't over-think it and don't create complexity in hybrid mail flow. You can keep hybrid Exchange for the first phase, with management in AD and Exchange Online.
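The "pre-sync to 95%" step from the list above is done with move requests that auto-suspend when ready to complete, so the big data copy happens days before the cut-over and only the final delta runs on migration night. This is an added example, not from the original post; it assumes an Exchange Online PowerShell session, and the hostnames, routing domain, batch name and mailbox list are constructed placeholders.

```powershell
# Added example (not from the original post). Run in an Exchange Online
# PowerShell session (Connect-ExchangeOnline). All names below are placeholders.
$RemoteHostName       = 'mail.contoso.com'                 # on-premises MRS proxy endpoint (EWS)
$TargetDeliveryDomain = 'contoso.mail.onmicrosoft.com'     # hybrid routing domain
$OnPremCred           = Get-Credential -Message 'On-premises Exchange admin'
$Batch                = 'Wave1'
$Mailboxes            = @('user1@contoso.com', 'user2@contoso.com')   # constructed list

# Stage 1: start remote onboarding moves that stop at ~95% and wait.
# The mailbox keeps working on-premises; only the final delta is left.
foreach ($mbx in $Mailboxes) {
    New-MoveRequest -Identity $mbx -Remote -RemoteHostName $RemoteHostName `
        -TargetDeliveryDomain $TargetDeliveryDomain -RemoteCredential $OnPremCred `
        -BatchName $Batch -BadItemLimit 10 -SuspendWhenReadyToComplete
}

# Progress: Status = AutoSuspended means the pre-sync for that mailbox is done.
function Get-BatchMoveState {
    param([string]$BatchName)
    Get-MoveRequest -BatchName $BatchName | Get-MoveRequestStatistics |
        Select-Object DisplayName, Status, StatusDetail, PercentComplete, BadItemsEncountered
}
Get-BatchMoveState -BatchName $Batch | Format-Table -AutoSize

# Stage 2 (cut-over night): clear the suspend flag and resume, so only the
# remaining changes are copied and the mailbox is switched to Exchange Online.
function Complete-BatchMove {
    param([string]$BatchName)
    Get-MoveRequest -BatchName $BatchName -MoveStatus AutoSuspended | ForEach-Object {
        Set-MoveRequest -Identity $_.Identity -SuspendWhenReadyToComplete:$false
        Resume-MoveRequest -Identity $_.Identity
    }
}
# Complete-BatchMove -BatchName $Batch

# Moves that failed on bad items show up here; review the report before
# simply raising BadItemLimit, because those items are lost data.
Get-MoveRequest -BatchName $Batch -MoveStatus Failed | Get-MoveRequestStatistics -IncludeReport |
    Select-Object DisplayName, FailureType, Message
```

Keeping the two stages as separate functions makes the cut-over a deliberate action rather than a side effect of the initial copy finishing at an unplanned moment.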
3. Migrate personal data to OneDrive
Document data is one of the most important things in any workplace, and personal data is crucial to take into account for migration. Delivering a better collaboration space for people helps support the shift to M365.
- Use OneDrive Known Folder Move so that users' desktop and document folders are automatically discovered and placed in OneDrive. People love this feature. It's easy to implement and adds value without changing the core.
- Migrate your home drives to OneDrive with the SharePoint Migration Tool, or with other tools when you need more control. Shifting documents is important to get away from the current system(s).
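Known Folder Move is switched on with a handful of OneDrive policy settings. The script below is an added example (not from the original post) for a pilot device: it writes the settings under the OneDrive policy registry key, which is what the OneDrive administrative template in Endpoint Manager writes as well, and reads them back so the same check can serve as a detection script later. The tenant ID is a constructed placeholder.

```powershell
# Added example (not from the original post): sets the OneDrive Known Folder
# Move policies on a pilot device and verifies them. In production the same
# settings are deployed through Endpoint Manager (OneDrive administrative
# template); the registry key mirrors that template. Needs local admin.
$TenantId  = '00000000-0000-0000-0000-000000000000'   # placeholder: your Azure AD tenant ID
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\OneDrive'

$Desired = @{
    SilentAccountConfig            = @{ Type = 'DWord';  Value = 1 }          # sign in with the Windows (Azure AD) account
    FilesOnDemandEnabled           = @{ Type = 'DWord';  Value = 1 }          # don't pull every file to disk
    KFMSilentOptIn                 = @{ Type = 'String'; Value = $TenantId }  # move Desktop/Documents/Pictures silently
    KFMSilentOptInWithNotification = @{ Type = 'DWord';  Value = 1 }          # tell the user it happened
    KFMBlockOptOut                 = @{ Type = 'DWord';  Value = 1 }          # prevent moving the folders back
}

function Set-OneDriveKfmPolicy {
    param([hashtable]$Settings, [string]$Key)
    if (-not (Test-Path $Key)) { New-Item -Path $Key -Force | Out-Null }
    foreach ($name in $Settings.Keys) {
        $s = $Settings[$name]
        New-ItemProperty -Path $Key -Name $name -PropertyType $s.Type -Value $s.Value -Force | Out-Null
    }
}

function Test-OneDriveKfmPolicy {
    # One row per setting, so a compliance or detection script can see
    # exactly which value is missing or wrong.
    param([hashtable]$Settings, [string]$Key)
    foreach ($name in $Settings.Keys) {
        $actual = (Get-ItemProperty -Path $Key -Name $name -ErrorAction SilentlyContinue).$name
        [pscustomobject]@{
            Setting  = $name
            Expected = $Settings[$name].Value
            Actual   = $actual
            Ok       = ("$actual" -eq "$($Settings[$name].Value)")
        }
    }
}

Set-OneDriveKfmPolicy  -Settings $Desired -Key $PolicyKey
Test-OneDriveKfmPolicy -Settings $Desired -Key $PolicyKey | Format-Table -AutoSize

# After OneDrive restarts and the user signs in, confirm the redirect took effect:
[Environment]::GetFolderPath('MyDocuments')    # should now point inside the OneDrive folder
```

Silent account configuration only works on devices that are Azure AD joined or hybrid joined, so the device onboarding in the Endpoint Manager section is a prerequisite for this to be fully silent.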
4. Migrate departments to Teams or SharePoint Online
I'm not going super deep into the details of document migration, but I will provide the high-level picture of workload migrations.
- Assess your current environment and understand the needs.
- Team data could land in Microsoft Teams libraries.
- Organization-wide data could land in SharePoint Online.
- Personal data (only touched by one person) can still land in OneDrive.
- There are great tools on the market to do the assessment. A phased approach is necessary; standards and building blocks will help with speed of implementation.
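The assessment step above usually starts with a simple inventory: how big each department share is, how much of it is stale, and which paths will not fit SharePoint. The script below is an added example and not from the original post; the share path, the two-year staleness threshold and the 400-character path limit (the SharePoint Online limit documented at the time of writing, to be re-checked) are assumptions for this example.

```powershell
# Added example (not from the original post): quick inventory of a file share
# to decide what moves to Teams/SharePoint, what goes to OneDrive, and what is
# archived instead of migrated. Share path and thresholds are placeholders.
$ShareRoot     = '\\fileserver\departments'   # constructed placeholder
$StaleBefore   = (Get-Date).AddYears(-2)
$MaxPathLength = 400                          # SharePoint Online path limit at time of writing

function Get-ShareMigrationReport {
    param([string]$Root, [datetime]$StaleBefore, [int]$PathLimit)

    foreach ($dept in Get-ChildItem -Path $Root -Directory) {
        # -Force includes hidden files; access-denied errors are skipped, not fatal.
        $files = @(Get-ChildItem -Path $dept.FullName -Recurse -File -Force -ErrorAction SilentlyContinue)

        $total   = ($files | Measure-Object -Property Length -Sum).Sum
        $stale   = @($files | Where-Object LastWriteTime -lt $StaleBefore)
        $staleSz = ($stale | Measure-Object -Property Length -Sum).Sum
        # Path length as it would land in SharePoint: relative to the share root.
        $tooLong = @($files | Where-Object { ($_.FullName.Length - $Root.Length) -gt $PathLimit })

        [pscustomobject]@{
            Folder         = $dept.Name
            Files          = $files.Count
            SizeGB         = [math]::Round(($total / 1GB), 2)
            StaleFiles     = $stale.Count
            StaleGB        = [math]::Round(($staleSz / 1GB), 2)
            LastWrite      = ($files | Measure-Object -Property LastWriteTime -Maximum).Maximum
            PathTooLong    = $tooLong.Count
            # Folders nobody touched in years are archive candidates, not migration candidates.
            Recommendation = if ($files.Count -eq 0)                { 'empty - drop' }
                             elseif ($stale.Count -eq $files.Count) { 'archive only' }
                             else                                   { 'migrate' }
        }
    }
}

Get-ShareMigrationReport -Root $ShareRoot -StaleBefore $StaleBefore -PathLimit $MaxPathLength |
    Sort-Object SizeGB -Descending | Format-Table -AutoSize
```

The `PathTooLong` column is the one to fix before running the SharePoint Migration Tool, since those files fail the migration rather than silently shortening.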
5. Voice shift from on-premises to Microsoft 365 or any other cloud integration solution
There are four options for a Microsoft Teams voice solution:
- Phone System with Microsoft's Calling Plan
- Phone System with your own carrier (Direct Routing)
- Phone System with your own carrier via Skype for Business Server or Cloud Connector Edition
- Enterprise Voice in Skype for Business with your own carrier
Don't settle for less: use Microsoft Teams. If you choose other platforms, think about trust, compliance and adoption; about inclusion, security and segmentation; and most important: the speed of implementation compared to the ease of one platform.
If there are complex needs for voice or a call centre, there are solutions on the market that help shift to cloud voice with Teams. And keep in mind that Microsoft shifted its full organization to Teams; they have a complex organization with multiple flavors of requirements and needs.
6. Microsoft EndPoint Manager
- Implement Microsoft Endpoint Manager for Windows 10 and all mobile devices as described above. The minimum set is written in this article.
- Onboard all current devices with Hybrid Azure AD Join or full cloud join (Azure AD Join).
- Onboard all new devices with Windows Autopilot.
- Implement MAM for mobile devices at the very least, and manage all your company-owned devices at the very least.
7. Increase basic identity Security
- Multi-Factor Authentication or Azure AD Security Defaults.
- Conditional Access for easier logins and more security.
- Connect your devices to Azure AD with Endpoint Manager, either Hybrid Join or full cloud join. Connect them.
- Risky user and risky sign-in policies. Define some security policies as written here.
- SSPR (Self-Service Password Reset). Check this out.
- Get control over the lifecycle management of identities: expiration, onboarding, offboarding, etc.
- Automatic password reset or account disablement when credentials are breached.
- Shift to Azure AD as the primary directory, later.
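The way to roll out the MFA and Conditional Access items above without locking anyone out is to create the policy in report-only mode first, exclude the break-glass accounts, and read the sign-in log for a week before enforcing. This is an added example, not from the original post; it uses the Microsoft Graph PowerShell SDK, and the break-glass group ID and policy name are constructed placeholders.

```powershell
# Added example (not from the original post): "require MFA for all users" in
# report-only mode with the Microsoft Graph PowerShell SDK, excluding a
# break-glass group. Group ID and policy name are constructed placeholders.
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All', 'AuditLog.Read.All'

$BreakGlassGroupId = '11111111-1111-1111-1111-111111111111'   # constructed placeholder

function New-ReportOnlyMfaPolicy {
    param([string]$DisplayName, [string]$ExcludeGroupId)

    $policy = @{
        displayName = $DisplayName
        # Report-only: every sign-in is evaluated and logged, nobody is blocked yet.
        state       = 'enabledForReportingButNotEnforced'
        conditions  = @{
            users          = @{
                includeUsers  = @('All')
                excludeGroups = @($ExcludeGroupId)   # break-glass accounts must never be locked out
            }
            applications   = @{ includeApplications = @('All') }
            clientAppTypes = @('all')
        }
        grantControls = @{
            operator        = 'OR'
            builtInControls = @('mfa')
        }
    }
    New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
}

function Get-PolicyReportOnlyImpact {
    # After some days in report-only, count what the policy would have done.
    # Result values such as reportOnlySuccess / reportOnlyFailure come from the sign-in log.
    param([string]$PolicyId, [int]$Days = 7)
    $since = (Get-Date).ToUniversalTime().AddDays(-$Days).ToString('yyyy-MM-ddTHH:mm:ssZ')
    Get-MgAuditLogSignIn -Filter "createdDateTime ge $since" -All |
        ForEach-Object { $_.AppliedConditionalAccessPolicies } |
        Where-Object { $_.Id -eq $PolicyId } |
        Group-Object Result | Select-Object Name, Count
}

$p = New-ReportOnlyMfaPolicy -DisplayName 'CA001 - Require MFA for all users (report-only)' -ExcludeGroupId $BreakGlassGroupId
$p.Id
# A week later:
# Get-PolicyReportOnlyImpact -PolicyId $p.Id
# When the reportOnlyFailure count is understood and acceptable, enforce it:
# Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $p.Id -BodyParameter @{ state = 'enabled' }
```

A `reportOnlyFailure` line in the impact report is a user or service account that would have been blocked; those are the accounts to fix (register MFA, or move to a dedicated policy) before switching the state to enabled.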
8. Windows Autopilot for enrollment of Windows devices
- Enroll new devices with Windows Autopilot (staging principle).
- Onboard current domain-joined devices with the Group Policy written here.
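Once the Group Policy for existing domain-joined devices is in place, the question per device is whether the hybrid join actually completed. The function below is an added example, not from the original post; it parses the output of `dsregcmd /status` on the device and returns the join state in a form that can be collected by an RMM tool or an Endpoint Manager detection script.

```powershell
# Added example (not from the original post): reports whether a device is
# Hybrid Azure AD joined, Azure AD joined, or only domain joined, by parsing
# dsregcmd /status. Runs locally on the device.
function Get-DeviceJoinState {
    $raw    = dsregcmd /status
    $values = @{}
    foreach ($line in $raw) {
        # Lines look like "   AzureAdJoined : YES"; keep key/value pairs only.
        if ($line -match '^\s*([A-Za-z]+)\s*:\s*(.+?)\s*$') { $values[$matches[1]] = $matches[2] }
    }
    $azureJoined  = $values['AzureAdJoined'] -eq 'YES'
    $domainJoined = $values['DomainJoined']  -eq 'YES'

    [pscustomobject]@{
        DeviceName    = $env:COMPUTERNAME
        AzureAdJoined = $azureJoined
        DomainJoined  = $domainJoined
        DeviceId      = $values['DeviceId']
        TenantName    = $values['TenantName']
        # A Primary Refresh Token means the user side (SSO, Conditional Access
        # device state) works, not only the device registration.
        HasPrt        = ($values['AzureAdPrt'] -eq 'YES')
        JoinType      = if ($azureJoined -and $domainJoined) { 'Hybrid Azure AD joined' }
                        elseif ($azureJoined)                { 'Azure AD joined' }
                        elseif ($domainJoined)               { 'Domain joined only - hybrid join not completed' }
                        else                                 { 'Not joined' }
    }
}

Get-DeviceJoinState | Format-List
```

Devices that report "Domain joined only" after the policy has applied are the ones to look at: typically the Automatic-Device-Join scheduled task has not run yet, or the device cannot reach the Azure AD endpoints through the proxy.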
9. Software Deployment migration
- Microsoft Office 365 ProPlus (now Microsoft 365 Apps) can be deployed quickly with Endpoint Manager.
- Windows Updates can shift ASAP when using Endpoint Manager; total control is built in.
- Microsoft Edge delivers great value when it comes to browser support and can support old 'sessions' as well. Azure AD integrated, great new stuff, super modern.
- Use third-party mechanisms such as PatchMyPC or Chocolatey for 'simple' deployable software. Use your own scripts and create packages when necessary.
10. Group-Policy-Objects (GPO) Migration
- Microsoft is currently working on Group Policy analytics, which will help migrate GPOs to MDM policies with controls. But keep in mind that a lot of policies exist for legacy reasons. I don't believe in migrating GPOs; I believe in a 'greenfield' base workplace where you build standards for everyone, not for groups. And if you do it for groups: for 10 groups, with 90% the same architecture and flavors. So: don't migrate unused GPOs. Rethink GPOs -> MDM.
- ADMX-backed baselines will help with smooth and faster configuration. Whenever that's not possible, use OMA-URIs.
- Most important: be prepared to shift 80% of the authority from GPOs to MDM, and leave the GPOs on your on-premises DCs behind.
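"Don't migrate unused GPOs" needs a list of which GPOs are actually unused. The function below is an added example, not from the original post; it uses the GroupPolicy module (RSAT) to pull each GPO's XML report and flags the ones that are unlinked, contain no settings, or are fully disabled, so they can be dropped before any GPO-to-MDM analysis starts.

```powershell
# Added example (not from the original post): inventories the domain's GPOs so
# that unlinked, empty or disabled ones are removed rather than translated to
# MDM. Needs the GroupPolicy module (RSAT) and read access to the domain.
Import-Module GroupPolicy

function Get-GpoCleanupReport {
    param([string]$Domain = $env:USERDNSDOMAIN)

    foreach ($gpo in Get-GPO -All -Domain $Domain) {
        [xml]$report = Get-GPOReport -Guid $gpo.Id -ReportType Xml -Domain $Domain
        $g = $report.GPO

        # Piping through Where-Object { $_ } turns "no LinksTo element" into an empty array.
        $links        = @($g.LinksTo | Where-Object { $_ })
        $enabledLinks = @($links | Where-Object { $_.Enabled -eq 'true' })
        # ExtensionData is only present on a side that actually contains settings.
        $hasUserSettings     = [bool]$g.User.ExtensionData
        $hasComputerSettings = [bool]$g.Computer.ExtensionData

        [pscustomobject]@{
            Name             = $gpo.DisplayName
            Status           = $gpo.GpoStatus          # AllSettingsEnabled / UserSettingsDisabled / ...
            Links            = $links.Count
            EnabledLinks     = $enabledLinks.Count
            LinkedTo         = (@($enabledLinks | ForEach-Object { $_.SOMPath }) -join '; ')
            UserSettings     = $hasUserSettings
            ComputerSettings = $hasComputerSettings
            Modified         = $gpo.ModificationTime
            # Verdict: what to do with it before the GPO -> MDM rethink.
            Verdict          = if ($enabledLinks.Count -eq 0) { 'unlinked - remove' }
                               elseif (-not $hasUserSettings -and -not $hasComputerSettings) { 'empty - remove' }
                               elseif ($gpo.GpoStatus -eq 'AllSettingsDisabled') { 'disabled - remove' }
                               else { 'review for MDM' }
        }
    }
}

Get-GpoCleanupReport | Sort-Object Verdict, Name | Format-Table -AutoSize
```

Back up the GPOs with `Backup-GPO -All -Path <folder>` before deleting anything; the "review for MDM" rows are the only ones worth loading into Group Policy analytics.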
11. Windows updates and security improvements
- Create Windows 10 update rings with peer-to-peer caching (Delivery Optimization) so you don't kill the internet breakout, VPN, etc.
- Create segmented pre-test groups to validate the update version before it goes to production.
- Use the standard security baselines to implement the Windows 10 MDM baseline and the MDATP configuration. Baselines are great and so easy to use.
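The two update-ring bullets above translate to two Windows Update for Business profiles: a pilot ring with no deferral and a broad ring that waits, both with Delivery Optimization peering on the LAN. The script below is an added example, not from the original post; it creates and assigns the rings with the Microsoft Graph PowerShell SDK, and the ring names, deferral days and group IDs are constructed placeholders.

```powershell
# Added example (not from the original post): pilot and broad update rings as
# Windows Update for Business profiles via the Microsoft Graph PowerShell SDK,
# with LAN peer caching so updates are not all pulled through the breakout/VPN.
# Ring names, deferral values and group IDs are constructed placeholders.
Connect-MgGraph -Scopes 'DeviceManagementConfiguration.ReadWrite.All'

$Rings = @(
    @{ Name = 'Ring 1 - Pilot'; Quality = 0; Feature = 0;  Group = '22222222-2222-2222-2222-222222222222' }
    @{ Name = 'Ring 2 - Broad'; Quality = 7; Feature = 30; Group = '33333333-3333-3333-3333-333333333333' }
)

function New-UpdateRing {
    param([string]$Name, [int]$QualityDeferDays, [int]$FeatureDeferDays, [string]$AssignGroupId)

    $body = @{
        '@odata.type'                      = '#microsoft.graph.windowsUpdateForBusinessConfiguration'
        displayName                        = $Name
        qualityUpdatesDeferralPeriodInDays = $QualityDeferDays   # 0..30
        featureUpdatesDeferralPeriodInDays = $FeatureDeferDays   # 0..365
        businessReadyUpdatesOnly           = 'businessReadyOnly'
        automaticUpdateMode                = 'autoInstallAtMaintenanceTime'
        microsoftUpdateServiceAllowed      = $true
        driversExcluded                    = $false
        # LAN peering: devices behind the same public IP share downloaded content.
        deliveryOptimizationMode           = 'httpWithPeeringNat'
    }
    $config = New-MgDeviceManagementDeviceConfiguration -BodyParameter $body

    # Assign the ring to its group, so the pilot group validates each update first.
    $assignment = @{
        assignments = @(
            @{ target = @{ '@odata.type' = '#microsoft.graph.groupAssignmentTarget'; groupId = $AssignGroupId } }
        )
    }
    Invoke-MgGraphRequest -Method POST `
        -Uri "https://graph.microsoft.com/v1.0/deviceManagement/deviceConfigurations/$($config.Id)/assign" `
        -Body $assignment
    $config
}

foreach ($r in $Rings) {
    New-UpdateRing -Name $r.Name -QualityDeferDays $r.Quality -FeatureDeferDays $r.Feature -AssignGroupId $r.Group |
        Select-Object DisplayName, Id
}

# On a client, confirm peers are actually used before relying on it for bandwidth planning:
# Get-DeliveryOptimizationStatus | Select-Object FileId, DownloadMode, BytesFromPeers, BytesFromHttp
```

The pilot group should contain devices of every hardware model and every line-of-business application in use; otherwise the seven-day deferral of the broad ring buys no information.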
12. Shift infrastructure to Azure
Think about: rehost, refactor, rearchitect, rebuild, replace!
If you want to do an infrastructure shift, follow the next steps. Otherwise do the assessment, write down all infrastructure and start with rearchitecting where possible. When you're hosting well-known vendor applications, get in touch with the vendor and ask if they are planning for SaaS, Azure or other platforms.
- Create an Azure Migrate project and add the Server Assessment solution to the project. Tutorial
- Set up the Azure Migrate appliance and start discovery of your servers. To set up discovery, the server names or IP addresses are required. Each appliance supports discovery of 250 servers; you can set up more than one appliance if required. Prerequisites
- Once you have successfully set up discovery, create assessments and review the assessment reports.
- Use the application dependency analysis features to create and refine server groups to phase your migration.
- Migrate machines as physical servers to Azure.
- Don't forget: rehost, refactor, rearchitect, rebuild, replace.
13. Migration of legacy Active Directory Integration
- Shift applications that use AD groups or AD authentication towards Azure AD, or worst case ADDS.
- Try to isolate all applications, monitor the active usage of AD, and find and understand what you can transform easily.
- Sometimes there is an old application for billing or accountants, mostly used by a few people. Don't integrate it; isolate it and shift it with dedicated accounts to Azure IaaS. But write it in the long-term plan and push the vendor for integration, or choose another platform.
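"Monitor the active usage of AD" can be done from the domain controllers' security log: every Kerberos service ticket request (event 4769) names the service account the ticket was for, the user and the client address, which tells you which applications still authenticate against AD and how many people use them. The function below is an added example, not from the original post; it needs the "Audit Kerberos Service Ticket Operations" subcategory enabled on the DCs, and the seven-day window is an assumption.

```powershell
# Added example (not from the original post): aggregates Kerberos service ticket
# requests (event 4769) from a domain controller to show which services still
# authenticate against AD, by how many users and from where. Requires the
# "Audit Kerberos Service Ticket Operations" subcategory to be enabled.
function Get-AdServiceUsage {
    param([int]$Days = 7, [string]$ComputerName = $env:COMPUTERNAME)

    $filter = @{ LogName = 'Security'; Id = 4769; StartTime = (Get-Date).AddDays(-$Days) }
    Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction Stop | ForEach-Object {
        # Pull the named EventData fields out of the event XML.
        $x = [xml]$_.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        [pscustomobject]@{
            Time     = $_.TimeCreated
            Service  = $d['ServiceName']      # account (user or computer$) the SPN belongs to
            User     = $d['TargetUserName']
            ClientIp = ($d['IpAddress'] -replace '^::ffff:', '')
            Status   = $d['Status']           # 0x0 = ticket issued
        }
    } | Where-Object { $_.Status -eq '0x0' -and $_.Service -ne 'krbtgt' } |
        Group-Object Service | ForEach-Object {
            [pscustomobject]@{
                Service       = $_.Name
                Tickets       = $_.Count
                DistinctUsers = @($_.Group.User | Sort-Object -Unique).Count
                ClientIps     = (@($_.Group.ClientIp | Sort-Object -Unique | Select-Object -First 5) -join ', ')
                LastSeen      = ($_.Group.Time | Measure-Object -Maximum).Maximum
            }
        } | Sort-Object Tickets -Descending
}

# Services with many distinct users are the integrations to move to Azure AD
# first; services that never show up over the period are candidates to
# decommission rather than migrate.
Get-AdServiceUsage -Days 7 | Format-Table -AutoSize
```

Run it against each domain controller (or against a central log collector) because ticket requests are spread across all DCs in a site; a service that looks unused on one DC may be busy on another.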
14. Build collaboration platforms with Microsoft Teams & SharePoint
I've probably missed some 'crucial' on-premises applications that have been used for 20 years. What I'm saying is: we need to leave complex legacy behind. Choose SaaS solutions with future benefits. Don't wait for these to be phased out before going cloud; go cloud and leave legacy behind, or migrate and isolate. And more important: a long-term strategy.
We are always choosing short-term quick solutions to fix a problem, integrating on top of solutions, and after 5 years it's bombastic. Choose long-term. Don't choose non-compliant solutions that are not ready for the compliance requirements of the future. Security complexity and needs are growing; GDPR and ISO 27000-series compliance are important.
- Build your new Microsoft Teams sites for collaboration.
- Create a SharePoint hub for all SharePoint sites; create a frame and design of the requirements and visuals for your full organization.
- Build out department and long-term SharePoint collaboration spaces.
- Migrate the '20 years old' applications to SharePoint lists with Power Apps and integrate with the Power Platform. I've seen simple Lotus Notes apps that can easily shift their history to SharePoint lists and Power Apps. Power BI can help with transparent reporting.
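The hub-and-department structure from the list above can be built with the SharePoint Online Management Shell. This is an added example, not from the original post: one communication site is registered as the hub and a set of department team sites is created and associated to it. The tenant name, owner account and department names are constructed placeholders.

```powershell
# Added example (not from the original post): builds a hub site with department
# sites associated to it, using the SharePoint Online Management Shell.
# Tenant name, owner and department names are constructed placeholders.
$Tenant = 'contoso'
$Owner  = 'admin@contoso.com'
Connect-SPOService -Url "https://$Tenant-admin.sharepoint.com"

function New-DepartmentHub {
    param([string]$HubUrl, [string]$HubTitle, [string[]]$Departments, [string]$Owner)

    # The hub itself: a communication site (SITEPAGEPUBLISHING#0 template).
    if (-not (Get-SPOSite -Identity $HubUrl -ErrorAction SilentlyContinue)) {
        New-SPOSite -Url $HubUrl -Title $HubTitle -Owner $Owner -Template 'SITEPAGEPUBLISHING#0' -StorageQuota 1024
    }
    # Register it as a hub. -Principals limits who may associate sites to it; $null = anyone.
    if (-not (Get-SPOHubSite | Where-Object SiteUrl -eq $HubUrl)) {
        Register-SPOHubSite -Site $HubUrl -Principals $null | Out-Null
    }

    foreach ($dept in $Departments) {
        $url = "https://$Tenant.sharepoint.com/sites/$dept"
        if (-not (Get-SPOSite -Identity $url -ErrorAction SilentlyContinue)) {
            # STS#3 = modern team site without a Microsoft 365 group; Teams-connected
            # sites are created from Teams and can be associated the same way.
            New-SPOSite -Url $url -Title $dept -Owner $Owner -Template 'STS#3' -StorageQuota 1024
        }
        Add-SPOHubSiteAssociation -Site $url -HubSite $HubUrl
    }
    Get-SPOHubSite -Identity $HubUrl
}

New-DepartmentHub -HubUrl "https://$Tenant.sharepoint.com/sites/intranet" -HubTitle 'Intranet' `
    -Departments @('Finance', 'HR', 'Sales') -Owner $Owner
```

Restricting `-Principals` to a group of site owners is worth considering once the hub goes live, so that random sites cannot attach themselves to the organization-wide navigation.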
15. Rethink on-premises
Rehost, refactor, rearchitect, rebuild, replace!
Rethink the new needs of on-premises. All collaboration spaces are shifted to Office 365. Your devices are managed with Microsoft Endpoint Manager. Documents are shifted to OneDrive, Teams and SharePoint. Authentication and integration are shifted to Azure AD. Printers use Universal Print or other solutions such as Printix. Core applications are moved to IaaS and are waiting to become SaaS over time. What else is there?
16. Build security mechanisms that can be automated
Now, and only now, when the shift is completed, is the time to build your SecOps landscape.
Why? It's easier. Don't you want to go fast? Don't you want to have one platform? Don't you want to integrate with modern technology in Azure AD and M365?
- Security operations and your incident response can be done with MDATP. I know it works in hybrid; that's the first phase, not the end goal.
- Build the next-level modern workplace with Information Protection, which automatically labels classified documents. Use the unified data classification platform.
- Get a grip on actionable risks on devices and users with MDATP in combination with Cloud App Security, to identify and isolate risks, sometimes with automatic remediation.
- The basis of identity and risk management as shown in step 1 of this article.
- Start with MAM (Mobile Application Management) to isolate corporate applications from personal applications on BYOD devices.
- Regularly evaluate which users have access to data, devices and the physical network. (ref 8)
- Work on Secure Score and Azure Secure Score.
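Working on Secure Score is easier with a ranked backlog than with the portal's full list. The function below is an added example, not from the original post; it reads the latest Microsoft Secure Score snapshot and the control profiles through the Microsoft Graph PowerShell SDK and lists the controls with the largest gap between achieved and maximum points, together with the documented remediation.

```powershell
# Added example (not from the original post): latest Microsoft Secure Score
# from Graph, with the controls that leave the most points on the table.
Connect-MgGraph -Scopes 'SecurityEvents.Read.All'

function Get-SecureScoreGaps {
    param([int]$Top = 10)

    # Scores are daily snapshots; the first one returned is the most recent.
    $latest   = Get-MgSecuritySecureScore -Top 1
    $profiles = Get-MgSecuritySecureScoreControlProfile -All
    $byName   = @{}
    foreach ($p in $profiles) { $byName[$p.Id] = $p }

    $gaps = foreach ($c in $latest.ControlScores) {
        $p = $byName[$c.ControlName]
        if (-not $p) { continue }          # control without a profile (retired or preview)
        [pscustomobject]@{
            Control   = $p.Title
            Category  = $c.ControlCategory
            Score     = [math]::Round($c.Score, 1)
            MaxScore  = $p.MaxScore
            Gap       = [math]::Round($p.MaxScore - $c.Score, 1)
            Effort    = $p.ImplementationCost
            Remediate = $p.Remediation
        }
    }
    [pscustomobject]@{
        Date    = $latest.CreatedDateTime
        Current = $latest.CurrentScore
        Max     = $latest.MaxScore
        Gaps    = @($gaps | Sort-Object Gap -Descending | Select-Object -First $Top)
    }
}

$report = Get-SecureScoreGaps -Top 10
"Secure Score $($report.Current) / $($report.Max) on $($report.Date)"
$report.Gaps | Format-Table Control, Category, Score, MaxScore, Gap, Effort -AutoSize
# Read the Remediate text of a gap before acting: some controls only count as
# done when the setting is applied to all users, not to a pilot group.
```

Scheduling this weekly and diffing the `Gap` column against the previous run is a cheap way to see whether the SecOps backlog is actually moving.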