Achieving productivity without an on-premises infrastructure: Mission Impossible? Sander Berkouwer, Senior Consultant, SCCT.NL, @SANDERBERKOUWER

Upload: kenny-buntinx

Posted on 21-Jan-2018


TRANSCRIPT

Page 1: SCUGBE_Lowlands_Unite_2017_Achieving productivity without an on premises infrastructure

Achieving productivity without an on-premises infrastructure: Mission Impossible?

SANDER BERKOUWER, SENIOR CONSULTANT, SCCT.NL, @SANDERBERKOUWER

Page 2

Current challenges

Page 3

Total cost of ownership (source: IDC, 2007)

• Software
• Server hardware
• IT Staff Training
• Downtime
• User Productivity
• Staffing
• Outsourced costs

Page 4

The hidden costs of on-premises infra

Throughout its vendor-supported lifecycle, a hardware server consumes as much money in energy (including cooling) as the organization paid to purchase it.

The average price per square foot per month for datacenters newly leased out in 2007 equalled $10.

Screw that!

Your Wi-Fi network security has been KRACKed.

On average, it takes 142 days to detect breaches.

Most datacenter racks use keylock number 33.

All Internet browsers are insecure.

All it takes is one stupid colleague…

Page 5

Paradigm shifts

NTLM and Kerberos have no place on the Internet.

There is no safe internal network.

Modern management allows us to manage any device anywhere, anytime, but doesn’t offer the same policies we’re used to… but did we really need them?

Page 6

Current Challenges: managing devices

How do you let only compliant devices access applications, and only the applications the organization mandates?

• Devices disconnected from Domain Controllers don’t get their Group Policies updated or software installed
• Offline Domain Join is messy
• Road warriors need to connect their Windows devices on-premises or through VPN at least every 60 days
• How do we make it run securely on Macs?

Page 7

Current Challenges: embracing clouds

• Can we trust all workloads in (public) cloud infrastructures? (Domain Controllers, SQL Servers)
• Can we run all workloads in (public) cloud infrastructures? (KMS, DHCP)
• How do we exit (public) cloud infrastructures and outsourcing contracts?
• What’s the benefit of having a 2-cloud strategy?

Page 8

Embracing Hybrid

Page 9

Domain Join

Current: Active Directory
• Single Sign-On through Kerberos, NTLM
• Computer password changes for secure channel maintenance
• VPNs/DirectAccess as patches to allow short name resolution and on-premises protocols
• Smart Card and other multi-factor authentication challenges

Recommend: Azure AD
• Single Sign-On using claims-based authentication and authorization, supporting CYOD and BYOD scenarios
• Open, Internet-ready protocols
• Azure MFA & Conditional Access
• Connected resources available everywhere, from any device, secured through Conditional Access and Identity Protection

Page 10

The evolution of joining devices to your realm

Domain Join: the organization owns the device; Active Directory Domain Services; authentication protocols for trusted networks (Kerberos, NTLM)

Workplace Join: personal devices; Windows 7, 8.1, iOS and Android; claims-based authentication; join based on user/device combo

Azure AD Join: business devices; Windows 10; claims-based authentication; join based on device

Page 11

Azure AD Join vs. Workplace Join on Windows 10

Page 12

Four ways to Azure AD Join

[Diagram. Labels on the slide: Azure AD; Active Directory Domain Services; Azure AD Connect; Windows device (select versions of Windows 10, Windows 8.1, Windows 8, Windows 7, Windows Vista); Out of the Box Experience, PC Settings – Accounts (1); Windows device (Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education) (2); On-premises Active Directory Federation Services (3, 4).]

Page 13

[Diagram, untitled on the slide, with numbered steps 1–13. Labels: Windows 10 device; Active Directory Domain Services; Service Connection Point; Azure AD tenant; Group Policy refresh; Group Policy; Claims Issuance Rules; Azure AD Connect; Active Directory Federation Services; TPM; Cert Store; claim; cert.]

Page 14

Differences

Azure AD Join
• Personal devices
• Windows 10-only
• Interaction needed: Out of the Box Experience, PC Settings – Accounts
• Local admin rights

Domain Join ++
• Business devices
• Windows 10 + Workplace Join for legacy clients
• No interaction needed: Azure AD Connect or AD FS; Group Policy setting pre-1607; Service Connection Point

Page 15

Recommendations for Azure AD Join

Use Intune
• Azure AD Join & Domain Join ++ give IT departments control
• Intune makes sure IT departments stay in control

Device limits
• End users can Azure AD Join an unlimited amount of devices; the default is 20.
• Intune’s license limit is 15 devices, but the default is 5. Change it when needed.
• Pre-registration can prevent non-approved devices from being managed

Local Admin rights
• Azure AD Join is for BYOD scenarios, so the joiner keeps admin rights… fortunately you can always specify more local admins in Azure AD…
• Domain Join ++ enforces the admin privileges of Active Directory

Page 16

Device Management

Current: Group Policy, Microsoft ConfigMgr
• ‘Sneakernet’ won’t work in the cloud
• Group Policy for domain-joined Windows devices only, not for Macs
• System Center Configuration Manager offers enterprise client management and Internet-based management capabilities, using on-premises protocols

Recommend: MDM & MAM (Microsoft Intune)
• Management for any device, even Windows Phones and BlackBerries
• Mobile Device Management (MDM) for complete control over the device, useful for CYOD scenarios
• Mobile Application Management (MAM) for complete control over applications and their data, useful for BYOD scenarios

Page 17

Intune as Add-on to Azure AD Join

Conditional Access
• Granular access to Azure AD-integrated applications
• Domain Joined and/or Managed Device as condition
• Health Attestation as condition

Lifecycle Management
• Azure AD Join does not offer lifecycle management
• Renaming devices (think Out of the Box Experience) results in weird situations
• OS upgrades are not updated in Azure AD

Integrate with System Center Configuration Manager
• Reuse current investments and current client management processes
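The Conditional Access conditions on this slide ("Domain Joined and/or Managed Device", "Health Attestation"), together with the earlier point that Intune is what keeps IT in control of Azure AD-joined devices, come down to a policy decision taken on device claims at sign-in. The following is an added example, not code from the talk or from Microsoft: it models those claims (the three trust types from the join-types slide, Intune management and compliance state, device health) on constructed device records and evaluates two assumed policies against them. Field names, the policy shape and the 24-hour compliance freshness window are assumptions made for this example; one record deliberately carries a stale compliance report to show why freshness matters when compliance is the only thing granting access.

```python
"""Added example: Conditional Access-style device checks on constructed records.
Policy shape, field names and the freshness window are assumptions for this
example, not Azure AD's or Intune's API.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Tuple

# Device trust types, matching the three join types on the earlier slide
AZURE_AD_JOINED = "AzureAd"      # Azure AD Join (business device, Windows 10)
HYBRID_JOINED = "ServerAd"       # Domain Join ++ (AD DS plus Azure AD Connect / AD FS)
WORKPLACE_JOINED = "Workplace"   # Workplace Join (personal device)


@dataclass
class Device:
    device_id: str
    trust_type: str                          # one of the three constants above
    is_managed: bool                         # enrolled in MDM (Intune)
    is_compliant: bool                       # compliance state Intune last reported
    compliance_reported: Optional[datetime]  # when that state was last reported
    health_attested: bool                    # Device Health Attestation passed


@dataclass
class Policy:
    app: str
    require_hybrid_joined: bool = False
    require_compliant: bool = False
    require_health_attested: bool = False
    require_all: bool = False               # True: every control; False: any one control
    max_compliance_age: timedelta = timedelta(hours=24)  # assumed freshness window


def compliant_and_fresh(dev: Device, now: datetime, max_age: timedelta) -> bool:
    """A 'compliant' flag only counts if the device is managed and the report is recent."""
    if not (dev.is_managed and dev.is_compliant):
        return False
    if dev.compliance_reported is None:
        return False
    return now - dev.compliance_reported <= max_age


def evaluate(policy: Policy, dev: Device, now: datetime) -> Tuple[bool, List[str]]:
    """Return (granted, per-control pass/fail reasons) for one sign-in."""
    checks = []
    if policy.require_hybrid_joined:
        checks.append(("hybrid_joined", dev.trust_type == HYBRID_JOINED))
    if policy.require_compliant:
        checks.append(("compliant", compliant_and_fresh(dev, now, policy.max_compliance_age)))
    if policy.require_health_attested:
        checks.append(("health_attested", dev.health_attested))
    if not checks:
        return True, ["no device controls configured"]
    results = [ok for _, ok in checks]
    granted = all(results) if policy.require_all else any(results)
    reasons = [f"{name}={'pass' if ok else 'fail'}" for name, ok in checks]
    return granted, reasons


NOW = datetime(2017, 10, 20, 9, 0, tzinfo=timezone.utc)  # constructed clock

# Constructed device records (sample data, not real registrations)
DEVICES = {
    "laptop-hybrid": Device("laptop-hybrid", HYBRID_JOINED, True, True, NOW - timedelta(hours=2), True),
    "laptop-aadj-stale": Device("laptop-aadj-stale", AZURE_AD_JOINED, True, True, NOW - timedelta(days=3), True),
    "phone-byod": Device("phone-byod", WORKPLACE_JOINED, True, True, NOW - timedelta(minutes=30), False),
    "phone-unmanaged": Device("phone-unmanaged", WORKPLACE_JOINED, False, False, None, False),
}

# "Domain Joined and/or Managed Device": either control is enough (assumed policy)
POLICY_ANY = Policy("SharePoint Online", require_hybrid_joined=True, require_compliant=True)
# "Health Attestation" combined with compliance, both required (assumed policy)
POLICY_STRICT = Policy("Finance app", require_compliant=True,
                       require_health_attested=True, require_all=True)


def decisions(policy: Policy, now: datetime = NOW) -> dict:
    """Map device id -> granted (what a sign-in log would record) for one policy."""
    return {dev_id: evaluate(policy, dev, now)[0] for dev_id, dev in DEVICES.items()}


if __name__ == "__main__":
    for policy in (POLICY_ANY, POLICY_STRICT):
        print(policy.app)
        for dev_id, dev in DEVICES.items():
            granted, reasons = evaluate(policy, dev, NOW)
            print(f"  {dev_id:20} {'GRANT' if granted else 'BLOCK'}  {', '.join(reasons)}")
```

The stale record ("laptop-aadj-stale") is the case to watch: it is Azure AD joined and was compliant once, but it is not hybrid joined and its last compliance report is three days old, so under the first policy it is blocked even though both flags read "true". Treating compliance as a time-bounded claim rather than a permanent attribute is what stops a device that has dropped out of Intune management from keeping access on an old report.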

Page 18

Intune and ConfigMgr

[Diagram. Labels: On Premises: Active Directory Domain Services (join), On-premises Systems Management; Azure AD directory (join), Cloud-based Systems Management; device.]

Page 19

Office Servers

Current: On-premises Productivity

Office 2007-2013-2016

Exchange Server 2007-2013-2016

SharePoint Server 2007-2013-2016

Groove, OneDrive for Business

Project Server 2007-2013-2016

Groove Server, anyone?

Recommend: Office 365

Office Professional Plus

Exchange Online

SharePoint Online

OneDrive for Business

Project Online

& Azure AD B2B for Partner Collaboration

Page 20

Telephony

Current: PBXs, VoIP and mobiles
• Traditional phone switchboards, clunky Voice over IP solutions and web conferencing software you need to download clients for…
• Mobile phones with different numbers than office phone numbers, unless you make a deal with your operator
• Hefty international call costs

Recommend: Skype for Business and mobiles
• Microsoft Skype for Business in a Hybrid setup with Skype Online, or just Skype Online
• Mobile phones with Skype for Business clients, reachable through both numbers
• Local Skype for Business breakouts offering international call routing over your company’s IP/VPN connections

Page 21

Datacenters

Current: Outsourced
• Virtual machines hosted by your IT department or an outsourcer, like HPE, and managed by you or another outsourcer, like TCS
• Rarely scalable, mostly overcommitted, lenient SLAs

Recommend: Azure PaaS
• Leverage Platform-as-a-Service: Azure SQL Database & Cosmos DB, Azure VPN Gateway, Azure App Service, Azure Key Vault
• Or rely on Infrastructure-as-a-Service for hard workloads like SAP and your other Line of Business (LoB) apps

Page 22

Printing

Current: Windows Print Servers
• Print servers hosted by your IT department or an outsourcer, like HPE, and managed by you or another outsourcer, like TCS
• 32-bit and 64-bit printer drivers
• Excessive delegation of printing permissions, default printer selections, etc.

Recommend: Hybrid Cloud Print
• New feature in Windows Server 2016
• Windows Print Service and Discovery Service
• Azure AD as Identity Provider, discovery endpoints registered with Azure AD, MDM as provisioning mechanism
• Seamless side-by-side transition
• Azure AD App Proxy for external access

Page 23

Concluding

Page 24

[Diagram. Labels: Azure; Office 365; On Premises; Active Directory Domain Services; Azure AD tenant; ConfigMgr; Exchange Server; SharePoint Server; Application & File Servers; Azure AD Connect; Intune; Azure AD Domain Services.]

Page 25

Infrastructure that remains on-premises
• Client computers, just not on a ‘safe network’
• Network components like switches, routers, Wi-Fi hotspots, simply because they provide bandwidth
• A firewalled Internet connection
• Printers

Page 26

The Really Hard Parts
• Call centers, in terms of telephony
• Active Directory * Services, because of physical access
• SIEM and auditing solutions
• DHCP & the Last Mile
• Two-Cloud & Exit Strategies

Page 27

Thank you!

Page 28

Thanks to our event sponsors (Silver and Gold sponsor logos)