Apr 12 2018 07:20 AM - edited Apr 12 2018 07:45 AM
This is my first post, so please be nice :) I apologise in advance if not all questions are relevant and I will move these to different forums if there is a feeling I would get a better response elsewhere.
We are about to embark on an Office 365 rollout to the whole organisation and vastly improve our client estate. So I am looking for some suggestions on some challenges and on how best we approach these. Apologies in advance for the technical list....
We have an existing tenant set up (****.onmicrosoft.com) in Azure, but it is based on our old organisation name. We want to create a new tenant name to reflect the new organisation name. The name is yet to be decided.
We have a few existing E1 (used) / E3 (not used and recently purchased) licences under the existing tenant and want to understand, once the new tenant is created, how we would transfer licensing to the new tenant. We also have EMS and Dynamics 365 licences set up in the existing tenant. We are prepared to keep these services in the existing tenant and run them simultaneously if that will be the simpler approach.
We currently use Azure AD Connect (formerly DirSync), which connects our on-premises AD to Azure; it is set up with filtering so only some OUs are synced to Azure. Our AD as it stands currently is set up with the old domain name.
Due to the incoming requirement for Office 365, our strategy is to create a new AD domain in the same Active Directory forest, as we are also doing a Windows 10 deployment, so we see this as the perfect opportunity to start with a new domain. It will be a two-way domain trust so all resources in the existing domain can be trusted in the new domain and vice versa. It is our hope we can then create a second on-premises Azure AD Connect server using filtering to the new AD domain, and we'll then move users/computers from the old to the new domain once we port users across to Windows 10. Looking at the topology best practice guidance I believe this is supported as long as the user only appears in one tenant. Would there be a better way to set this up? Our preference is not to create a new AD forest and new domain, as the administration and management of this would be far greater.
We plan to use MFA on Office 365, however we want to investigate the various avenues we can use, as not all of our user base have a corporate phone, so some will need to use personal phones for SMS or an authenticator app. Does this need to be set up for all users or can it be switched off at the request of a user? On the back of this we want to investigate the possibility of users resetting their AD passwords through Office 365 so this task can be achieved anywhere on any device without relying on the internal network. We currently have password write-back and password hash sync enabled.
We currently have an ADFS 3.0 setup with Web Application proxy and plan to use this to achieve SSO on the internal network for Office 365.
We currently make use of the Application Proxy feature in our existing tenant to make our internal SharePoint 2013 application available externally. Eventually we would like to port over the configuration of this to the new tenant. Would this be possible? Going forward we probably want to make use of SharePoint Online but are concerned about the considerations we need to take with regards to backup and recovery.
We are aware of the security abilities built into Office 365 such as classifications, DLP, data governance, threat management and eDiscovery. Can these tools be set up after deployment? Is there any requirement to set these up at the start?
We currently use Intune and this is managed via EMS licences in Office 365. The strategy is to move to an alternative solution using the Trend Micro mobile security solution and decommission Intune.
Finally, our plan is to do a phased approach to Office 365, starting off with OneDrive and SharePoint Online and slowly introducing the new technologies as we become more familiar and iron out any deployment issues.
As you can see I have lots of questions, and having had a look and done some planning work I sort of have an idea of what the options are, but it's always useful to get some other views on this, hence my questions, so I appreciate any responses on all or some of the questions I have.
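The MFA question above (whether it must apply to everyone or can be handled per user) maps onto the legacy per-user MFA state stored on each Azure AD account. The script below is an added example written for this thread, not code from any poster or from Microsoft; it uses the MSOnline PowerShell module that was current when the thread was written (Microsoft has since deprecated that module in favour of Graph and Conditional Access), and it assumes you have already connected with an administrative account. The user principal names are placeholders.

```powershell
# Added example (not from the thread): inspect and set legacy per-user MFA state.
# Assumes the MSOnline module is installed and Connect-MsolService has been run
# by a privileged admin. UPNs used below are constructed placeholders.
Import-Module MSOnline
Connect-MsolService

function Get-PerUserMfaState {
    # Returns 'Disabled', 'Enabled' (user must register at next sign-in)
    # or 'Enforced' (registration complete, MFA always required).
    param([Parameter(Mandatory)][string]$UserPrincipalName)
    $user = Get-MsolUser -UserPrincipalName $UserPrincipalName
    $req  = $user.StrongAuthenticationRequirements
    if (-not $req -or $req.Count -eq 0) { return 'Disabled' }
    return $req[0].State
}

function Set-PerUserMfaState {
    # Enables, enforces or clears the per-user MFA requirement for one account.
    param(
        [Parameter(Mandatory)][string]$UserPrincipalName,
        [Parameter(Mandatory)][ValidateSet('Enabled', 'Enforced', 'Disabled')][string]$State
    )
    if ($State -eq 'Disabled') {
        # An empty requirements array removes the per-user MFA requirement.
        Set-MsolUser -UserPrincipalName $UserPrincipalName -StrongAuthenticationRequirements @()
        return
    }
    $req = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationRequirement
    $req.RelyingParty = '*'      # applies to all relying parties (Office 365 included)
    $req.State        = $State
    Set-MsolUser -UserPrincipalName $UserPrincipalName -StrongAuthenticationRequirements @($req)
}

# Audit step a defender wants before switching anyone off: list every licensed
# user who currently has no MFA requirement at all, so exceptions are visible.
Get-MsolUser -All |
    Where-Object { $_.IsLicensed -and
                   (-not $_.StrongAuthenticationRequirements -or
                    $_.StrongAuthenticationRequirements.Count -eq 0) } |
    Select-Object UserPrincipalName, DisplayName

# Example calls against placeholder accounts
Get-PerUserMfaState -UserPrincipalName 'alice@example.onmicrosoft.com'
Set-PerUserMfaState -UserPrincipalName 'alice@example.onmicrosoft.com' -State 'Enabled'
```

The point of the audit query at the end is that per-user MFA is an opt-in list: anyone not on it signs in with a password alone, so an exception granted "at the request of a user" should be recorded and periodically reviewed rather than silently left in place. For users without a corporate phone, the registration step lets them pick SMS, voice call or the authenticator app on a personal device; the admin-side state is the same either way.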
Apr 23 2018 07:14 AM
A lot to answer here!
I'll start by asking, firstly, why would you change the old.onmicrosoft.com tenant name? It's never used or seen once you register your own custom domain...
Secondly, why would you stop using Intune, which is licensed as part of your subscription and fully integrated with your Microsoft 365 infrastructure, and PAY for something else?
Finally, nothing you have highlighted here is unachievable or particularly difficult.
May 30 2018 06:39 AM
Sorry for the delayed response. In answer to your questions:
Our understanding is that the tenant name does get exposed when sharing files in either SharePoint Online or OneDrive, and from a political sense it wouldn't look very professional on us if we were to still be sending files out which reference our old organisation name. This is what we have been advised by an MS partner, and why I posted on here was to confirm if that was the case. There is some doubt in my mind now, however, after your post.
In answer to your second question, we have invested in a security solution, and when we compared and looked at the feature set, it was found the other solution would be a better fit for our organisation.
Jun 13 2018 03:22 PM - Solution
Microsoft is working on a way to rename the name that is exposed in SharePoint; this is the tenant's name. https://sharepoint.uservoice.com/forums/329214-sites-and-collaboration/suggestions/13217277-enable-r...
This was posted on January 3rd.
With this in the pipeline, I do not think it is necessary to create a new tenant and move everything over.