Achieving productivity without an on-premises infrastructure: Mission Impossible?
Sander Berkouwer, Senior Consultant, SCCT.nl, @SanderBerkouwer
Jan 21, 2018
Current challenges
Total cost of ownership
Source: IDC, 2007
[Chart: TCO breakdown by category: Software; Server hardware; IT Staff Training; Downtime - User Productivity; Staffing; Outsourced costs]
The hidden costs of on-premises infra
Throughout its vendor-supported lifecycle, a hardware server consumes the same amount of money in energy (including cooling) to run as it cost the organization to purchase it.
The average price per square foot per month for datacenters newly leased out in 2007 equalled $10.
Screw that!
Your Wi-Fi network security has been kracked.
On average, it takes 142 days to detect breaches.
Most datacenter racks use keylock number 33.
All Internet browsers are insecure.
All it takes is one stupid colleague…
Paradigm shifts
NTLM and Kerberos have no place on the Internet.
There is no safe internal network.
Modern management allows us to manage any device anywhere, anytime, but doesn’t offer the same policies we’re used to… but did we really need them?
Current Challenges: managing devices
How do you make compliant-only devices access organization-mandated applications only?
Devices disconnected from Domain Controllers don’t get their Group Policies updated or software installed
Offline Domain Join is messy
Road warriors need to connect their Windows devices on-premises or through VPN at least every 60 days
How do we make it run securely on Macs?
Current Challenges: embracing clouds
Can we trust all workloads in (public) cloud infrastructures? (Domain Controllers, SQL Servers)
Can we run all workloads in (public) cloud infrastructures? (KMS, DHCP)
How do we exit (public) cloud infrastructures and outsourcing contracts?
What’s the benefit of having a 2-cloud strategy?
Embracing Hybrid
Domain Join
Current: Active Directory
Single Sign-On through Kerberos, NTLM
Computer Password Changes for Secure Channel Maintenance
VPNs/DirectAccess as patches to allow short name resolution and on-premises protocols
Smart Card and other multi-factor authentication challenges
Recommend: Azure AD
Single Sign-On using claims-based authentication and authorization, supporting CYOD and BYOD scenarios
Open, Internet-ready protocols
Azure MFA & Conditional Access
Connected resources available everywhere, from any device, secured through Conditional Access and Identity Protection
The evolution of joining devices to your realm
Domain Join: the organization owns the device; Active Directory Domain Services; authentication protocols for trusted networks (Kerberos, NTLM)
Workplace Join: personal devices; Windows 7, 8.1, iOS and Android; claims-based authentication; join based on user/device combo
Azure AD Join: business devices; Windows 10; claims-based authentication; join based on device
Azure AD Join vs. Workplace Join on Windows 10
Four ways to Azure AD Join
[Diagram: Four ways to Azure AD Join. Components: Azure AD Connect, Azure AD, Active Directory Domain Services, on-premises Active Directory Federation Services; Windows devices running select versions of Windows 10, 8.1, 8, 7 and Vista; Windows 10 Pro, Enterprise and Education devices joined through the Out of the Box Experience or PC Settings - Accounts]
[Diagram: Hybrid Azure AD Join flow (13 numbered steps) between a Windows 10 device, Active Directory Domain Services, the Service Connection Point, a Group Policy refresh, Azure AD Connect, Active Directory Federation Services (claims issuance rules), the Azure AD tenant, and the device’s TPM and certificate store (claim and certificate exchange)]
Differences
Azure AD Join: personal devices; Windows 10-only; interaction needed (Out of the Box Experience, PC Settings – Accounts); joiner gets local admin rights
Domain Join ++: business devices; Windows 10 + Workplace Join for legacy clients; no interaction needed (Azure AD Connect or AD FS; Group Policy setting pre-1607; Service Connection Point)
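Added example, not from the deck: a PowerShell check for the Domain Join ++ path above. It reads the Service Connection Point that Azure AD Connect writes to the Configuration partition and compares the tenant it advertises with the device’s own dsregcmd state, so a device that never registered, or an SCP pointing at the wrong tenant, shows up as a finding. The expected tenant ID is a placeholder assumption.

```powershell
# Read the Azure AD device-registration SCP (well-known container created by Azure AD Connect).
function Get-AzureAdScp {
    $configNC = ([ADSI]"LDAP://RootDSE").configurationNamingContext
    $scp = [ADSI]("LDAP://CN=62a0ff2e-97b9-4ae3-8e0a-a8a4a8d7e8e7," +
                  "CN=Device Registration Configuration,CN=Services,$configNC")
    $result = @{ TenantId = $null; TenantName = $null }
    foreach ($kw in @($scp.keywords)) {
        if ($kw -match '^azureADId:(.+)$')   { $result.TenantId   = $Matches[1] }
        if ($kw -match '^azureADName:(.+)$') { $result.TenantName = $Matches[1] }
    }
    return $result
}

# dsregcmd /status prints "Key : Value" lines; keep only the fields we compare.
function Get-DeviceJoinState {
    $state = @{}
    dsregcmd /status | ForEach-Object {
        if ($_ -match '^\s*(AzureAdJoined|DomainJoined|TenantId|DeviceId)\s*:\s*(.+?)\s*$') {
            $state[$Matches[1]] = $Matches[2]
        }
    }
    return $state
}

function Test-HybridJoin {
    param([Parameter(Mandatory)][string]$ExpectedTenantId)
    $scp = Get-AzureAdScp
    $dev = Get-DeviceJoinState
    $findings = @()
    if (-not $scp.TenantId) { $findings += 'No SCP found: devices cannot auto-register' }
    elseif ($scp.TenantId -ne $ExpectedTenantId) {
        $findings += "SCP points at tenant $($scp.TenantId), expected $ExpectedTenantId"
    }
    if ($dev.DomainJoined -ne 'YES')  { $findings += 'Device is not domain joined' }
    if ($dev.AzureAdJoined -ne 'YES') { $findings += 'Device is not (hybrid) Azure AD joined' }
    elseif ($dev.TenantId -ne $ExpectedTenantId) {
        $findings += "Device registered in tenant $($dev.TenantId), expected $ExpectedTenantId"
    }
    if ($findings.Count -eq 0) { return 'OK: hybrid Azure AD joined to the expected tenant' }
    return $findings
}

# Placeholder tenant ID; replace with your own.
Test-HybridJoin -ExpectedTenantId '00000000-0000-0000-0000-000000000000'
```

Run it on a domain-joined Windows 10 device with line of sight to a Domain Controller; the SCP lookup needs no elevated rights, only a domain account.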
Recommendations for Azure AD Join
Use Intune
Azure AD Join & Domain Join ++ give IT departments control; Intune makes sure IT departments stay in control
Device limits
End users can Azure AD Join an unlimited amount of devices; the default is 20.
Intune’s license limit is 15 devices, but the default is 5. Change it when needed.
Pre-registration can prevent non-approved devices from being managed
Local Admin rights
Azure AD Join is for BYOD scenarios, so the joiner keeps admin rights… fortunately you can always specify more local admins in Azure AD…
Domain Join ++ enforces the admin privileges of Active Directory
Device Management
Current: Group Policy, Microsoft ConfigMgr
‘Sneakernet’ won’t work in the cloud
Group Policy for domain-joined Windows devices only, not for Macs
System Center Configuration Manager offers enterprise client management and Internet-based management capabilities, using on-premises protocols
Recommend: MDM & MAM (Microsoft Intune)
Management for any device, even Windows Phones and BlackBerries
Mobile Device Management (MDM) for complete control over the device, useful for CYOD scenarios
Mobile Application Management (MAM) for complete control over applications and their data, useful for BYOD scenarios
Intune as Add-on to Azure AD Join
Conditional Access
Granular access to Azure AD-integrated applications
Domain Joined and/or Managed Device as condition
Health Attestation as condition
Lifecycle Management
Azure AD Join does not offer lifecycle management
Renaming devices (think Out of the Box Experience) results in weird situations
OS upgrades are not updated in Azure AD
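Added example, not from the deck: the “Domain Joined and/or Managed Device as condition” idea expressed as a Conditional Access policy created with the Microsoft Graph PowerShell module. The policy grants access to all cloud apps only from an Intune-compliant or hybrid Azure AD joined device, starts in report-only mode so sign-in logs show the impact before enforcement, and excludes a break-glass group whose ID is a placeholder assumption.

```powershell
# Requires the Microsoft.Graph PowerShell module and a Conditional Access administrator.
Import-Module Microsoft.Graph.Identity.SignIns
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All'

# Placeholder: object ID of the emergency-access group that must never be locked out.
$breakGlassGroupId = '00000000-0000-0000-0000-000000000000'

$policy = @{
    displayName = 'Require compliant or hybrid Azure AD joined device'
    # Report-only first: evaluate and log, do not block, until the logs look right.
    state       = 'enabledForReportingButNotEnforced'
    conditions  = @{
        users = @{
            includeUsers  = @('All')
            excludeGroups = @($breakGlassGroupId)
        }
        applications   = @{ includeApplications = @('All') }
        clientAppTypes = @('all')
    }
    grantControls = @{
        # OR: a hybrid-joined device passes even when it is not yet enrolled in Intune,
        # and a BYOD device passes once Intune reports it compliant. AND would demand both.
        operator        = 'OR'
        builtInControls = @('compliantDevice', 'domainJoinedDevice')
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
$created | Select-Object Id, DisplayName, State
```

Switch state to 'enabled' only after reviewing the report-only results in the Azure AD sign-in logs; with the deck's Domain Join ++ path, the 'domainJoinedDevice' control is what lets existing domain-joined fleets keep working.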
Integrate with System Center Configuration Manager
Reuse current investments and current client management processes
Intune and ConfigMgr
[Diagram: a device joined to on-premises Active Directory Domain Services and to the Azure AD directory, managed by both on-premises systems management (ConfigMgr) and cloud-based systems management (Intune)]
Office Servers
Current: On-premises Productivity
Office 2007-2013-2016
Exchange Server 2007-2013-2016
SharePoint Server 2007-2013-2016
Groove, OneDrive for Business
Project Server 2007-2013-2016
Groove Server, anyone?
Recommend: Office 365
Office Professional Plus
Exchange Online
SharePoint Online
OneDrive for Business
Project Online
& Azure AD B2B for Partner Collaboration
Telephony
Current: PBXs, VoIP and mobiles
Traditional phone switchboards, clunky Voice over IP solutions and web conferencing software you need to download clients for…
Mobile Phones with different numbers than office phone numbers, unless you make a deal with your operator
Hefty International call costs
Recommend: Skype for Business and mobiles
Microsoft Skype for Business in a Hybrid setup with Skype Online, or just Skype Online
Mobile Phones with Skype for Business clients, reachable through both numbers.
Local Skype for Business breakouts offering International call routing over your company’s IP/VPN connections
Datacenters
Current: Outsourced
Virtual Machines hosted by your IT department or an outsourcer, like HPE and managed by you or another outsourcer, like TCS.
Rarely scalable, mostly overcommitted, lenient SLAs
Recommend: Azure PaaS
Leverage Platform-as-a-Service: Azure SQL Database & Cosmos DB, Azure VPN Gateway, Azure App Service, Azure Key Vault
Or rely on Infrastructure-as-a-Service for hard workloads like SAP and your other Line of Business (LoB) apps
Printing
Current: Windows Print Servers
Print Servers hosted by your IT department or an outsourcer, like HPE and managed by you or another outsourcer, like TCS.
32bit, 64bit Printer drivers
Excessive delegation of printing permissions, default printer selections, etc.
Recommend: Hybrid Cloud Print
New feature in Windows Server 2016
Windows Print Service
Discovery Service
Azure AD as Identity Provider, Discovery endpoints registered with Azure AD, MDM as provisioning mechanism
Seamless side-by-side transition
Azure AD App Proxy for external access
Concluding
[Diagram: target hybrid landscape. On premises: Active Directory Domain Services, ConfigMgr, Exchange Server, SharePoint Server, application & file servers, Azure AD Connect. Azure / Office 365: Azure AD tenant, Intune, Azure AD Domain Services]
Infrastructure that remains on-premises
Client computers, just not on a ‘safe network’
Network components like switches, routers, Wi-Fi hotspots, simply because they provide bandwidth
A firewalled Internet connection
Printers
The Really Hard Parts
Call centers in terms of telephony
Active Directory * Services, because of physical access
SIEM and auditing solutions
DHCP & the Last Mile
Two-Cloud & Exit Strategies
Thank you!