Mar 11 2019 04:54 AM
Hi,
We use Office 365 (Business Premium) for email, sharepoint etc. with close to 120 users. But there is no on-premise Active Directory Domain. We plan to have Active Directory installed and all the machines joined to domain. Is there any guidelines available as how to do a seamless migration of the user accounts from Office 365 onto the AD domain?
Thank you,
Anjana
Mar 11 2019 06:14 AM
Mar 11 2019 11:12 AM
Agree with Chris that it is unfortunate you have to go back to AD, If it is really just to join computers, you can always join the computers to Azure AD with your office 365 Business Premium ( I am assuming Business Premium allows this) and for more feature you can buy Azure AD Premium licensing as an add-on
@Chris Webb- Notes you have mentioned below is manual process right?
Mar 11 2019 11:14 AM
Mar 11 2019 04:14 PM
Mar 12 2019 03:17 AM - edited Mar 12 2019 04:07 AM
Thanks Chris for your reply.
Giving more details for you to have a better picture on our scenario.
We are close to 120 in head count and we do use Office 365 and associated services (Outlook, Skype, OneDrive, Share Point etc.).
The machines are not joined to any domain and are part of stand alone work groups. User accounts are created locally on machines for login.
Office 365 credentials are used to access Email (web and outlook client), Skype, Office apps and rest of the resources in cloud.
We started as above when we were small in number. As the organization grows, I look forward to have the best way for user identity and centralized management of user and computer accounts.
Which option would be the best in this scenario - Onprem AD (with Group Policy, SCCM etc.)and have it synchronized with Office 365 using AD Connect... OR leveraging Azure cloud services itself (Azure AD join and management using a MDM solution or Intune)?
If we choose the latter (Azure AD join and MDM) , I wonder if we miss the control, policy and configuration management offered by Group policy (that is offered by on-prem AD - ADDS)
Will the latter be a challenge when we grow in head count. Or is there any better way you can suggest.
@Chris Webb , @Spiros Karampinis , @Sai Gutta - Your insights would be helpful.
Regards,
Anjana
Mar 12 2019 11:26 AM
Jun 19 2019 06:14 AM
@Chris Webb wrote:
If you do not have any onprem resources such as file shares etc. that need it, then I would go the cloud route. The future is heading that way and might as well start there.
I cannot disagree with this more - If you don't have on-prem file shares, why not? I am in the same boat as OP - and our previous admin apparently took this kind of advise.. the result is I have NO CONTROL over any computer owned by the company. I have no way to reset (computer) passwords for users, remote or local.
I have begun joining some to the Azure AD but that is EXTREMELY limited and has none of they typical paths an IT Admin might expect.
Teams and OneDrive are complete nightmares to deal with - I have personal OneDrives and Business OneDrives all mixed and mashed and people sharing files everywhere and everyway but then resorting to DropBox because nothing works the way they expect. My plan is to suck all that back down into a traditional environment where I have some control of at least some of the files and services I'm supporting. I'll still use OneDrive (business) to sync profile files but business critical shares will be secured on-prem and backed up with versioning, etc.
I now need to manually build out an AD environment - figure a way to password sync with O365. The good news is I get to build a fresh AD (the right way) - but the bad news is there's no easy path to get this place back on track. I'd love to discuss the issues with @Anjana_S (hopefully you didn't go the "Cloud only" route) and find out what, if anything, has worked for this process. And please, by all means, send me those thoughts and prayers!
Jun 19 2019 07:37 AM
Jun 19 2019 09:24 AM
You need a local AD in order to use write-back at all..? I'm confused why this was mentioned.
The fact that the "cloud" is "constantly evolving" is the problem. The OP is asking HOW TO and you're replying with "DON'T" - I hate that more than I hate updates in the middle of the day (even though my settings say that shouldn't happen). If you don't know "how to", please don't respond. We're both just trying to get an answer to an uncommon scenario.
O365 Azure AD does not replace what the traditional AD provides. It may work fine for 10 people or less but not for 100 plus with various needs. I'm not removing the advantages of the Cloud services by having an on-prem AD. There's plenty of good reason to use an on-prem file server, not the least of which is quick access to large files. On Prem AD allows you to push out group policies for things like pre-login messages (as quaint as they are), control aspects of the Internet Browser settings and much more. These things are not available in O365 Azure AD only domains.
Users don't change or learn anything new - you should know that if you're in IT. Someone is either a poweruser who knows how to sharepoint or they aren't... (most aren't). This is not something you can change from an IT perspective - if you're not running the whole company there's only so much you can do to train users to do something different.
Jun 19 2019 10:18 AM
Jun 19 2019 11:00 AM
I meant this cannot be done with the Office 365 Azure AD services included - I believe you need E5 licenses for Intune but if I'm wrong about that I'd love to hear more info.
I'm till looking for good information on how best to setup a new AD (on prem) and sync with O365.
I appreciate your efforts.
Jun 19 2019 11:05 AM
Sep 03 2019 01:58 PM
@Chris WebbI think Chris is on the right track. There are certainly options to either approach but all the future development is going into the predictable recurring revenue models that cloud is giving to Microsoft, Google etc..
To clarify one item mentioned earlier you certainly can join/register Windows 10 machines to the Azure service included as part of Office 365 Business Premium. I have done this numerous times. It does not give you all the control an on prem would but you can login with user Office 365 accounts and do some very very basic management (recoverable bitlocker key for example). Full Intune certainly expands on your control options and as Chris said is almost in parity with on prem.
The challenge you have is planning out a path that provides a smooth migration with minimal disruptions for your business. That is probably the bigger picture over if one control methods has which bell or whistle for IT. They both provide a way to manage depending on your skill set but in the end one will be sun setting and the other will be getting improved over time.