Migration from Office 365 to Active Directory Domain

Hi,

We use Office 365 (Business Premium) for email, sharepoint etc. with close to 120 users. But there is no on-premise Active Directory Domain. We plan to have Active Directory installed and all the machines joined to domain. Is there any guidelines available as how to do a seamless migration of the user accounts from Office 365 onto the AD domain?

Thank you,
Anjana

13 Replies
That's unfortunate that you have to go back to AD if you are already on 365; what is the driving factor to require that?

A couple of things to note.
Any object you sync will have to be modified on local AD. So any e-mail changes etc. have to be done going forward from on-prem AD. "Technically" you can do it without Exchange on-prem, but it's not supported. So in this case you need to make sure the local AD you do build has the Exchange schema extensions added so you can modify any Exchange attributes on the AD objects.

When you create your users, you need to make sure their login and logon domain match what's in O365 and their mail attribute. If you have any additional e-mail domains you will have to also make sure your proxyAddresses attribute is updated with the SMTP: primaryemail@domain.com and any additional aliases for smtp: alias@domain2.com etc.

Any local security groups from AD that you want to use in cloud and on-prem in tandem need to be synced to o365 as well.

Passwords will also need to be reset and/or matched when doing sync. I do this all the time where I get the user's password and set up a local account, same login, match e-mails and password, and it's seamless, but when you sync from on-prem the password takes hold from on-prem.

Anyway, some notes I can provide I've experienced, don't really know of documentation, but I'm sure someone else might have some.

Agree with Chris that it is unfortunate you have to go back to AD. If it is really just to join computers, you can always join the computers to Azure AD with your Office 365 Business Premium (I am assuming Business Premium allows this) and for more features you can buy Azure AD Premium licensing as an add-on.

@Chris Webb - The notes you have mentioned below are a manual process, right?

Yeah, pretty much, just some things I noticed having to move users around environments where I am.
It would be interesting to try to soft match the cloud-only accounts with on-premises accounts.

That means: install ADDS, create one test user that matches a test cloud-only user (same UPN and email address), install Azure AD Connect and sync that user to the cloud.
The cloud-only test user should be converted to an AD-synced user.

@Sai Gutta, unfortunately no, an Office 365 Business Premium license doesn't include the right to join a user to Azure AD; for that purpose we need a Microsoft 365 Business license, which includes Office 365 Business Premium, Intune and the right to upgrade from Win7/8.1/10 Pro to Win10 Business.

Kind regards
Spikar
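A worked example of the matching Chris's notes and Spikar's soft-match test describe, added here and not code from any poster. It assumes a contoso.com forest, an OU "OU=Staff,DC=contoso,DC=com", a user "anjana" with one alias on contoso-alt.com, and the ActiveDirectory module on the machine; it creates the on-prem account with UPN, mail and proxyAddresses matching the cloud-only user and verifies them before the first Azure AD Connect sync.

```powershell
# Added example (not code from any poster): prepare one on-prem AD user so that
# Azure AD Connect can soft-match it to an existing cloud-only Office 365 user.
# Assumed values: domain contoso.com, OU "OU=Staff,DC=contoso,DC=com", user
# anjana@contoso.com with one alias anjana@contoso-alt.com. Adjust before use.
Import-Module ActiveDirectory

$Sam         = 'anjana'
$Upn         = 'anjana@contoso.com'         # must equal the cloud user's UPN
$PrimaryMail = 'anjana@contoso.com'         # must equal the cloud user's primary SMTP
$Aliases     = @('anjana@contoso-alt.com')  # secondary addresses, if any
$OuPath      = 'OU=Staff,DC=contoso,DC=com'

# 1. The UPN suffix must exist in the forest (and be a verified domain in the
#    tenant); otherwise the synced user gets an onmicrosoft.com UPN instead.
$suffix = $Upn.Split('@')[1]
$forest = Get-ADForest
if ($forest.Domains -notcontains $suffix -and $forest.UPNSuffixes -notcontains $suffix) {
    throw "UPN suffix '$suffix' is not configured in this forest; add it first."
}

# 2. Create the account. The on-prem password becomes authoritative once
#    password hash sync runs, which is the behaviour Chris describes above.
$password = Read-Host -Prompt "Password for $Sam" -AsSecureString
New-ADUser -Name 'Anjana S' -SamAccountName $Sam -UserPrincipalName $Upn `
    -EmailAddress $PrimaryMail -Path $OuPath -AccountPassword $password -Enabled $true

# 3. proxyAddresses: exactly one upper-case 'SMTP:' entry (primary) and a
#    lower-case 'smtp:' entry for each alias, as in Chris's notes.
$proxies = @("SMTP:$PrimaryMail") + @($Aliases | ForEach-Object { "smtp:$_" })
Set-ADUser -Identity $Sam -Add @{ proxyAddresses = $proxies }

# 4. Verify the match keys before the first Azure AD Connect sync cycle.
$u = Get-ADUser -Identity $Sam -Properties mail, proxyAddresses
$primaryCount = @($u.proxyAddresses | Where-Object { $_ -cmatch '^SMTP:' }).Count
if ($u.UserPrincipalName -ne $u.mail) { Write-Warning 'UPN and mail attribute differ' }
if ($primaryCount -ne 1) { Write-Warning "Expected one SMTP: entry, found $primaryCount" }
$u | Select-Object UserPrincipalName, mail, @{ n = 'proxyAddresses'; e = { $_.proxyAddresses -join ';' } }
```

Run it once against a single test user, as Spikar suggests, and confirm in the Microsoft 365 admin center that the cloud user shows as synced from on-premises before repeating it for the rest.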

Thanks Chris for your reply.

Giving more details for you to have a better picture of our scenario.

We are close to 120 in head count and we do use Office 365 and associated services (Outlook, Skype, OneDrive, SharePoint etc.).

The machines are not joined to any domain and are part of standalone workgroups. User accounts are created locally on machines for login.

Office 365 credentials are used to access email (web and Outlook client), Skype, Office apps and the rest of the resources in the cloud.

We started as above when we were small in number. As the organization grows, I am looking for the best way to handle user identity and centralized management of user and computer accounts.

Which option would be the best in this scenario: on-prem AD (with Group Policy, SCCM etc.) synchronized with Office 365 using AD Connect, OR leveraging Azure cloud services itself (Azure AD join and management using an MDM solution or Intune)?

If we choose the latter (Azure AD join and MDM), I wonder if we miss the control, policy and configuration management offered by Group Policy (that is offered by on-prem AD - ADDS).

Will the latter be a challenge when we grow in head count? Or is there any better way you can suggest?

@Chris Webb, @Spiros Karampinis, @Sai Gutta - your insights would be helpful.

Regards,

Anjana

 

Since Intune now allows pretty much any ADMX to be imported and used, the gap has been closed where GPOs are concerned with cloud-joined machine management. If you do not have any on-prem resources such as file shares etc. that need it, then I would go the cloud route. The future is heading that way and you might as well start there.

The only thing you need to consider is that licensing costs will go up a bit if you include Intune, but so would buying any other management tools for on-prem usage as well, so you will need to balance that out as well as management / hardware costs etc.

You also will want to have Intune licensed and set up beforehand so you can enroll the devices as you join them to Azure AD.

Hope this helps.

@Chris Webb

@Chris Webb wrote:
 If you do not have any onprem resources such as file shares etc. that need it, then I would go the cloud route. The future is heading that way and might as well start there.

I cannot disagree with this more - If you don't have on-prem file shares, why not? I am in the same boat as the OP - and our previous admin apparently took this kind of advice. The result is I have NO CONTROL over any computer owned by the company. I have no way to reset (computer) passwords for users, remote or local.

I have begun joining some to Azure AD but that is EXTREMELY limited and has none of the typical paths an IT admin might expect.

Teams and OneDrive are complete nightmares to deal with - I have personal OneDrives and business OneDrives all mixed and mashed and people sharing files everywhere and every way, but then resorting to Dropbox because nothing works the way they expect. My plan is to suck all that back down into a traditional environment where I have some control of at least some of the files and services I'm supporting. I'll still use OneDrive (business) to sync profile files but business-critical shares will be secured on-prem and backed up with versioning, etc.

I now need to manually build out an AD environment - figure out a way to password sync with O365. The good news is I get to build a fresh AD (the right way) - but the bad news is there's no easy path to get this place back on track. I'd love to discuss the issues with @Anjana_S (hopefully you didn't go the "Cloud only" route) and find out what, if anything, has worked for this process. And please, by all means, send me those thoughts and prayers!


Sounds to me like you need to brush up on Intune and writeback scenarios. I don't have any of those issues, I can manage machines, and passwords just fine via Cloud.

As for file shares, pulling that on-prem solves nothing. If you want to have control then setup a SharePoint library/site for them and restrict syncing and sharing, labels, conditional access, you have all kinds of tools at your disposal. Problem is if you go back to file shares, they will use drop box / onedrive even more because they will have no other choice and you'll end up with even more file duplication.

What it sounds like you need is more user training around their tools, and if Dropbox is a problem, restricting its use, especially the client. You don't realize what you are losing by not having your files in SharePoint vs. an old school file share. The big few I'll name off the top of my head: easy version history, check-in/out, co-authoring, anywhere access, sharing (they will do it one way or another), Flow, Approvals; the list could go on. If you don't have anyone that can push this stuff then I guess it's a moot point.

You might want to go understand one side vs. the other before you knock it. If you can't support it, then by all means go the old school route. Neither side is perfect, but I prefer the one that is constantly evolving and providing new features across the entire stack where all development is going into, than being stuck in 20 yr old tech land. If you have deal breakers for certain things then yeah Cloud isn't for everyone, but it's gotten pretty close these days and you can do almost everything Cloud only now vs. On-prem / Old school and then some.

@Chris Webb

You need a local AD in order to use write-back at all..? I'm confused why this was mentioned.


The fact that the "cloud" is "constantly evolving" is the problem. The OP is asking HOW TO and you're replying with "DON'T" - I hate that more than I hate updates in the middle of the day (even though my settings say that shouldn't happen). If you don't know "how to", please don't respond. We're both just trying to get an answer to an uncommon scenario. 

O365 Azure AD does not replace what the traditional AD provides. It may work fine for 10 people or less but not for 100 plus with various needs. I'm not removing the advantages of the Cloud services by having an on-prem AD. There's plenty of good reason to use an on-prem file server, not the least of which is quick access to large files. On Prem AD allows you to push out group policies for things like pre-login messages (as quaint as they are), control aspects of the Internet Browser settings and much more. These things are not available in O365 Azure AD only domains. 

Users don't change or learn anything new - you should know that if you're in IT. Someone is either a power user who knows how to SharePoint or they aren't... (most aren't). This is not something you can change from an IT perspective - if you're not running the whole company there's only so much you can do to train users to do something different.

The fact you think you can't have login scripts, or change browser settings with cloud only already tells me you lack research and training when it comes to Office 365 services, mainly Intune. Therefore in your case, you're right, your company needs to stay old school.

I've been moving my company to cloud-managed devices using Intune and it works just fine; since you can use all ADMX with Intune, you have the same GPO functionality and then some now. We are 180+ strong at this point, so the 10 users thing gave me a chuckle.

Also I didn't say DON'T, I asked for the scenario and recommended the approach after I had already recommended and told him how he could accomplish what they were doing. Cloud only still isn't 100% there yet, but a mostly Cloud setup is totally viable and setting yourself up now for when it is makes your future transition that much easier. But hey, if you want to keep your skills and your company old school then that's your prerogative.

@Chris Webb 

I meant this cannot be done with the Office 365 Azure AD services included - I believe you need E5 licenses for Intune but if I'm wrong about that I'd love to hear more info. 

I'm still looking for good information on how best to set up a new AD (on-prem) and sync with O365.

I appreciate your efforts. 

Yeah, I was pointing out to the original poster that there is some extra cost to managing via Cloud but it makes up for not needing to build out infrastructure and licensing either. You don't need an E5 but an Intune license, but I prefer EMS since the pricing is barely a dollar more per user and you get Azure AD P1 + Intune in it. Or the best license package is Microsoft 365 E3 which includes E3 + EMS + Windows 10 license.

But if you are talking out of the box, E3 or less only then yes, I would not recommend cloud only :).

@Chris Webb I think Chris is on the right track. There are certainly options to either approach but all the future development is going into the predictable recurring revenue models that cloud is giving to Microsoft, Google etc.

To clarify one item mentioned earlier: you certainly can join/register Windows 10 machines to the Azure service included as part of Office 365 Business Premium. I have done this numerous times. It does not give you all the control an on-prem would but you can log in with user Office 365 accounts and do some very, very basic management (recoverable BitLocker key, for example). Full Intune certainly expands on your control options and as Chris said is almost in parity with on-prem.

The challenge you have is planning out a path that provides a smooth migration with minimal disruptions for your business. That is probably the bigger picture over whether one control method has which bell or whistle for IT. They both provide a way to manage depending on your skill set, but in the end one will be sunsetting and the other will be getting improved over time.