Forum Discussion
Migration from Office 365 to Active Directory Domain
Thanks Chris for your reply.
Giving more details so you have a better picture of our scenario.
We are close to 120 in headcount and we do use Office 365 and associated services (Outlook, Skype, OneDrive, SharePoint, etc.).
The machines are not joined to any domain and are part of standalone workgroups. User accounts are created locally on machines for login.
Office 365 credentials are used to access email (web and Outlook client), Skype, Office apps and the rest of the resources in the cloud.
We started as above when we were small in number. As the organization grows, I am looking for the best way to handle user identity and centralized management of user and computer accounts.
Which option would be the best in this scenario: on-prem AD (with Group Policy, SCCM, etc.) synchronized with Office 365 using AD Connect, OR leveraging Azure cloud services themselves (Azure AD join and management using an MDM solution or Intune)?
If we choose the latter (Azure AD join and MDM), I wonder whether we would miss the control, policy and configuration management offered by Group Policy (which on-prem AD, i.e. AD DS, provides).
Will the latter be a challenge as we grow in headcount? Or is there a better way you can suggest?
ChrisWebbTech, Spiros Karampinis, Sai Gutta: your insights would be helpful.
Regards,
Anjana
The only thing you need to consider is that licensing costs will go up a bit if you include Intune, but so would buying any other management tools for on-prem usage as well, so you will need to balance that out along with management/hardware costs, etc.
You will also want to have Intune licensed and set up beforehand so you can enroll the devices as you join them to Azure AD.
Hope this helps.
- Rick_CC_IT, Jun 19, 2019, Copper Contributor
ChrisWebbTech wrote:
If you do not have any on-prem resources such as file shares etc. that need it, then I would go the cloud route. The future is heading that way and might as well start there.
I cannot disagree with this more. If you don't have on-prem file shares, why not? I am in the same boat as OP, and our previous admin apparently took this kind of advice. The result is I have NO CONTROL over any computer owned by the company. I have no way to reset (computer) passwords for users, remote or local.
I have begun joining some to Azure AD, but that is EXTREMELY limited and has none of the typical paths an IT admin might expect. Teams and OneDrive are complete nightmares to deal with. I have personal OneDrives and business OneDrives all mixed and mashed, and people sharing files everywhere and every way, but then resorting to Dropbox because nothing works the way they expect. My plan is to suck all that back down into a traditional environment where I have some control of at least some of the files and services I'm supporting. I'll still use OneDrive (business) to sync profile files, but business-critical shares will be secured on-prem and backed up with versioning, etc.
I now need to manually build out an AD environment and figure out a way to password sync with O365. The good news is I get to build a fresh AD (the right way), but the bad news is there's no easy path to get this place back on track. I'd love to discuss the issues with @Anjana_S (hopefully you didn't go the "cloud only" route) and find out what, if anything, has worked for this process. And please, by all means, send me those thoughts and prayers!
- Jun 19, 2019
Sounds to me like you need to brush up on Intune and writeback scenarios. I don't have any of those issues; I can manage machines and passwords just fine via the cloud.
As for file shares, pulling that on-prem solves nothing. If you want to have control, then set up a SharePoint library/site for them and restrict syncing and sharing, labels, conditional access; you have all kinds of tools at your disposal. The problem is, if you go back to file shares, they will use Dropbox/OneDrive even more because they will have no other choice, and you'll end up with even more file duplication.
What it sounds like you need is more user training around their tools, and if Dropbox is a problem, restricting its use, especially the client. You don't realize what you are losing by not having your files in SharePoint vs. an old-school file share. The big few I'll name off the top of my head: easy version history, check-in/out, co-authoring, anywhere access, sharing (they will do it one way or another), Flow, Approvals; the list could go on. If you don't have anyone who can push this stuff, then I guess it's a moot point.
You might want to go understand one side vs. the other before you knock it. If you can't support it, then by all means go the old-school route. Neither side is perfect, but I prefer the one that is constantly evolving and providing new features across the entire stack, where all development is going, over being stuck in 20-year-old tech land. If you have deal breakers for certain things, then yeah, the cloud isn't for everyone, but it's gotten pretty close these days, and you can do almost everything cloud-only now vs. on-prem/old school, and then some.
- Rick_CC_IT, Jun 19, 2019, Copper Contributor
You need a local AD in order to use writeback at all? I'm confused why this was mentioned.
The fact that the "cloud" is "constantly evolving" is the problem. The OP is asking HOW TO and you're replying with "DON'T". I hate that more than I hate updates in the middle of the day (even though my settings say that shouldn't happen). If you don't know "how to", please don't respond. We're both just trying to get an answer to an uncommon scenario.
O365 Azure AD does not replace what the traditional AD provides. It may work fine for 10 people or fewer, but not for 100-plus with various needs. I'm not removing the advantages of the cloud services by having an on-prem AD. There are plenty of good reasons to use an on-prem file server, not the least of which is quick access to large files. On-prem AD allows you to push out group policies for things like pre-login messages (as quaint as they are), control aspects of the Internet browser settings, and much more. These things are not available in O365 Azure AD-only domains.
Users don't change or learn anything new; you should know that if you're in IT. Someone is either a power user who knows how to use SharePoint or they aren't (most aren't). This is not something you can change from an IT perspective; if you're not running the whole company, there's only so much you can do to train users to do something different.