Small hybrid office of 30 currently just logging into M365 individually

Velvis

Is Azure AD something worthwhile considering?
What does it bring to the table for a small business?
What are the costs involved?
 
This discussion isn't a short answer.

I love it. No server hardware to monitor, maintain, support, etc.
No "early in the morning Windows updates and reboots on the server" (or late night). I always do that once a month on clients' servers. And...that monthly MSP support cost per server is...at least $100 bucks right there (typically more like $150).
No hardware refreshes on servers every 5-7 years.
No Windows licensing there every 5-7 years
No backup system to manage for the server
Less battery UPS needed (don't need to power a server, now just need to power network hardware)
No extra electricity used by a server (surprisingly..a good amount of $ right there each month)

So....addddddddd all that up...factor in that total cost over the time period....

...and now having monthly M365 Business Premium licensing doesn't seem so bad.

I have a thread over somewhere...long thread (needs updating)...but I list out a lot of automated config profiles from Intune. Basically the cloud version of old on prem server group policies. Just enjoyed those today, had a client get a honking new Thinkpad laptop for graphics work, took it out of the box, unbuckled it, created my local admin account. Ran the Lenovo Vantage updates on it...name it, and then joined AzureAD under her name. Rebooted...signed in as her...rebooted again...and sat back and let the magic happen.
*Company Portal app got push installed
*OneDrive automatically engaged...grabbed the user library, files on demand setting kicked in, along with my custom tweaks (warn for mass file deletions, don't sync *.lnk files, block personal one drive, etc)
*Bitlocker kicked in, backed the key up into the computers account in AzureAD
*MS Office push installed, (would have removed prior versions),
*And....the 365 version of WSUS will push out Microsoft Windows updates.....
*Outlook will be pre configured...including the slide bar for "download all email".
*Defender for Business Endpoint...(the kicked up Defender next gen antivirus)...kicked in and activated.

I just did a few custom touches to her desktop...was so quick and effortless for me :)

And.this lets you consider the computers to be trusted (compliant) devices...so you can better create conditional access policies for them to greatly increase security.
 
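An added check to go with the list above (this script is not from the original post or from Microsoft; it is an illustration): run it elevated on a freshly Entra-joined laptop to confirm that each of the automated steps actually landed, rather than assuming they did. It reads the documented state sources on the endpoint (dsregcmd, the BitLocker module and its management event log, the HKLM OneDrive policy keys, and the Defender/MDE status registry key). The Intune profiles that produce this state are assumed to exist in the tenant; the "warn on mass deletions" OneDrive tweak is a client-side setting and is not checked here.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original post): post-provisioning check for an
# Entra-joined, Intune-managed Windows laptop. Assumes the tenant's Intune
# profiles set OneDrive KFM, BitLocker escrow and Defender onboarding.

function Get-JoinState {
    # dsregcmd is the authoritative source for Entra join and MDM enrollment state.
    $out = dsregcmd /status
    $tenant = $null
    foreach ($line in $out) {
        if ($line -match 'TenantName\s*:\s*(.+)$') { $tenant = $Matches[1].Trim(); break }
    }
    [pscustomobject]@{
        AzureAdJoined = @($out -match '^\s*AzureAdJoined\s*:\s*YES').Count -gt 0
        MdmEnrolled   = @($out -match '^\s*MdmUrl\s*:\s*https://').Count -gt 0
        TenantName    = $tenant
    }
}

function Get-BitLockerState {
    $vol = Get-BitLockerVolume -MountPoint 'C:'
    $rp  = @($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')
    # Event 845 in the BitLocker Management log = recovery info backed up to Entra ID.
    $escrow = Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-BitLocker/BitLocker Management'; Id = 845
    } -MaxEvents 1 -ErrorAction SilentlyContinue
    [pscustomobject]@{
        ProtectionOn     = ($vol.ProtectionStatus -eq 'On')
        EncryptionMethod = $vol.EncryptionMethod
        RecoveryKeyIds   = $rp.KeyProtectorId
        KeyEscrowed      = [bool]$escrow
    }
}

function Get-OneDrivePolicy {
    # Tenant-wide OneDrive settings that Intune writes as machine policy.
    $v = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\OneDrive' -ErrorAction SilentlyContinue
    [pscustomobject]@{
        KfmTenantId         = $v.KFMSilentOptIn          # silent Known Folder Move into this tenant
        FilesOnDemand       = [bool]$v.FilesOnDemandEnabled
        PersonalSyncBlocked = [bool]$v.DisablePersonalSync
    }
}

function Get-DefenderState {
    $mp  = Get-MpComputerStatus
    # OnboardingState 1 = Defender for Endpoint/Business sensor is onboarded.
    $mde = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status' -ErrorAction SilentlyContinue
    [pscustomobject]@{
        RealTimeProtection = $mp.RealTimeProtectionEnabled
        SignatureAgeHours  = [int](New-TimeSpan -Start $mp.AntivirusSignatureLastUpdated).TotalHours
        MdeOnboarded       = ($mde.OnboardingState -eq 1)
        SenseRunning       = ((Get-Service -Name Sense -ErrorAction SilentlyContinue).Status -eq 'Running')
    }
}

$join = Get-JoinState; $bl = Get-BitLockerState; $od = Get-OneDrivePolicy; $def = Get-DefenderState

$checks = [ordered]@{
    "Entra joined ($($join.TenantName))" = $join.AzureAdJoined
    'MDM (Intune) enrolled'              = $join.MdmEnrolled
    'BitLocker protection on'            = $bl.ProtectionOn
    'Recovery key escrowed (event 845)'  = $bl.KeyEscrowed
    'OneDrive KFM silent opt-in set'     = [bool]$od.KfmTenantId
    'OneDrive Files On-Demand'           = $od.FilesOnDemand
    'Personal OneDrive blocked'          = $od.PersonalSyncBlocked
    'Defender real-time protection'      = $def.RealTimeProtection
    'Defender signatures < 24h old'      = ($def.SignatureAgeHours -lt 24)
    'Defender for Endpoint onboarded'    = ($def.MdeOnboarded -and $def.SenseRunning)
}
foreach ($c in $checks.GetEnumerator()) {
    '{0,-40} {1}' -f $c.Key, $(if ($c.Value) { 'OK' } else { 'MISSING' })
}

# Remediation for the item most often missed: push the recovery key to Entra ID now.
if ($bl.ProtectionOn -and -not $bl.KeyEscrowed) {
    foreach ($id in $bl.RecoveryKeyIds) {
        BackupToAAD-BitLockerKeyProtector -MountPoint 'C:' -KeyProtectorId $id
    }
}
```

The escrow check matters more than it looks: a device that encrypts before it finishes enrolling can end up with a recovery key that exists only on the disk it protects, and you only find out when the laptop prompts for it.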
I guess I should have clarified that they no longer use an on premise server and just use SharePoint and Teams for file sharing.

There isn't a lot of employee turnover and when someone new comes on board I create a new user and add them to the department groups as needed and download their office subscription. I add shortcuts to their department files and shortcuts to Word and Excel. Might take me 20 minutes.

So I guess my question is I'm not exactly sure what Azure AD brings to the equation for a small group of employees and of it would be worth the additional monthly fees on top of M365 licenses.
 

Personally, I doubt it does bring enough to the equation for the situation you describe. Thirty people is not many. It doesn't sound like there's much of any customizing going on from your end, and file sharing is handled through Teams/SharePoint in concert with the OneDrive client.

I certainly wouldn't be looking at Azure AD in the 5-person business I configured recently with M365 Business and moved their data to Teams/SharePoint, because it's overkill and doesn't add anything of value to that customer. They're just loving what they have now as opposed to what they had in the on-site Windows Server days.
 
Sounds like you already got them using Azure AD/Entra ID...
 
So I guess my question is I'm not exactly sure what Azure AD brings to the equation for a small group of employees and of it would be worth the additional monthly fees on top of M365 licenses.

Whelp, which M365 licenses do you have them on? And...are you using those licenses to the fullest potential?

Security is...important to me...for my clients. Being able to leverage conditional access, beefing up security..."if device is not trusted...then..."
That's...huge. Or...should be huge.

Doing just "Azure Registered"...doesn't allow you to leverage a lot of important CA policies.
AzureAD is much like...good old fashioned on prem active directory. With active directory, you had to join workstations to the domain....and you had created domain user accounts for the users. You then...took a domain user account, and logged onto a domain joined workstation. Without any of those 2 factors....it didn't work. You needed the combination of those 2 things.

Should treat 365 like that...AzureAD joined workstations, with those M365 users...which are...AzureAD users.
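The "joined, not just registered" point above, as an added example that is not from the thread and not Microsoft's own tooling: it inventories device trust types in the tenant (registered devices show as trustType "Workplace" and cannot satisfy a compliant-device grant), confirms security defaults are off (they cannot coexist with Conditional Access), and then creates a Conditional Access policy in report-only mode that requires a compliant or hybrid-joined device. It needs Entra ID P1 (M365 Business Premium or a P1 add-on) and the Microsoft.Graph PowerShell module; the break-glass group name is an assumption for illustration.

```powershell
# Added example (not from the original thread): device join inventory plus a
# report-only "require compliant or hybrid-joined device" CA policy. Requires
# Entra ID P1 and Microsoft.Graph PowerShell. Group name below is assumed.
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess','Policy.Read.All','Device.Read.All','Group.Read.All'

# 1. Registered vs joined. Only AzureAd (joined) or ServerAd (hybrid) devices can
#    satisfy a compliantDevice/domainJoinedDevice grant; Workplace = registered only.
$devices = Get-MgDevice -All -Property Id,DisplayName,TrustType,IsCompliant,IsManaged,OperatingSystem
$devices | Group-Object TrustType | Select-Object Name,Count | Format-Table -AutoSize
$devices | Where-Object { $_.TrustType -eq 'Workplace' -and $_.OperatingSystem -like 'Windows*' } |
    Select-Object DisplayName,TrustType,IsCompliant |
    Format-Table -AutoSize        # Windows boxes that are merely registered: rejoin these first

# 2. Security defaults must be off before CA policies take effect. Build CA policies
#    that cover MFA before flipping this, or you lose MFA enforcement in the gap.
$sd = Get-MgPolicyIdentitySecurityDefaultEnforcementPolicy
if ($sd.IsEnabled) {
    Write-Warning 'Security defaults are ON; CA will not apply. Once CA covers MFA, run:'
    Write-Warning '  Update-MgPolicyIdentitySecurityDefaultEnforcementPolicy -IsEnabled:$false'
}

# 3. Never ship a device-based CA policy without an excluded break-glass group.
$breakGlass = Get-MgGroup -Filter "displayName eq 'CA-Exclude-BreakGlass'"
if (-not $breakGlass) { throw 'Create the break-glass exclusion group first.' }

# 4. Report-only: sign-in logs show what WOULD have been blocked; nobody is locked out.
$policy = @{
    displayName = 'CA01 - Require compliant or hybrid-joined device (report-only)'
    state       = 'enabledForReportingButNotEnforced'
    conditions  = @{
        users          = @{ includeUsers = @('All'); excludeGroups = @($breakGlass.Id) }
        applications   = @{ includeApplications = @('All') }
        clientAppTypes = @('all')
        platforms      = @{ includePlatforms = @('windows','macOS') }
    }
    grantControls = @{
        operator        = 'OR'
        builtInControls = @('compliantDevice','domainJoinedDevice')
    }
}
$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
"Created policy $($created.Id) in state $($created.State)"
```

Run it in report-only for a week or two, review the sign-in log's report-only column for anything that would have failed (personal machines, a Mac that never enrolled), fix those, and only then change the state to "enabled".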
 
They are just using M365 basic and standard. What potential might they have that I might not be taking advantage of?

So using AzureAD makes it so the user as well as a specific laptop can only access the company's M365 resources thus its more secure?

Is that alone worth the additional expense? are there other solutions?
 
Most of my clients are DYI'ers. They have their own computers, with their own 365 accounts. Sharing files with OneDrive, SP, Teams, Engyte, Dropbox, etc. Most all work remote far from each other too. Even the ones in the offices, don't need print servers or file servers anymore.

No need for the extra Azure/anything. I still can't find a reason for my clients to need it.
 

365 Business Standard has the free version of AzureAD.......it does allow you to join workstations/laptops to the 365 tenant.

Is "security" worth the additional expense? Or how well Intune can keep Windows and the Office Apps "up to date"? Or...how you help deter/prevent non-trusted devices from accessing the 365 tenant? Not to mention...the vastly superior "Defender P1" protection for email, files, links....over the standard vanilla EOP. Whelp, as an IT guy who solely focuses on businesses for clients, and...who keeps in touch with the pulse of the IT world for businesses....(and all that goes with it, good or bad)...my answer is a resounding "yes". This allows me to set up their 365 tenant and all computers.....so that they at least have some form of minimum baseline for security. It also standardizes our approach for managing all of our clients; we have some form of "template". I've spent countless hours writing up KB articles in our HUDU system, so that all 6x of us at our company are on the same page for...setting up clients on "this" and "that". A "standard" that we follow. Failure to meet that standard in each and every client is...mediocrity of our work.

I sometimes chuckle and shake my head when I come across new clients that some other "IT person" set up...and I see how poorly things were done, how...half-arsed. And I wonder how they can keep wearing an IT hat with a straight face...doing shoddy work like that. In the old on prem server days, did you ever come across a network that had a server...may or may not have been set up like a DC...and workstations may have been in "workgroup mode" instead of joined to the domain. Or...worse...Windows "Home" edition...so the servers shares had to be configured as "wide open as possible". And malware back then would just get out its knife and fork and put on a bib...and have an absolute feast just pillaging that network! I like "professionalism"...if you're going to do it...do it right.
 
Doubtful, as the licenses are two M365 Business Standard and two M365 Business Basic, and that truly fulfils the needs in this shop.
Your directory of users that you can manage is Azure AD. (Entra ID) The rename will be good in the long run.
 
The rebrand was a huge blessing.

I'm having a conversation with a stakeholder and as the subject moves among Active Directory, Azure Active Directory, and Azure Active Directory Domain Services... people get confused.

Now it's Active Directory, Entra ID, and Entra ID Domain Services.

Now the first and the last are both Active Directory, but that's still easier to get through. Entra ID branding gets more use with the Secure Global Access product that... honestly is late to the table, but I'm still glad to have it.
 
So, to clarify:
Business Standard can take advantage of a free version of AzureAD
Business Professional adds all the additional MS security features
Business Basic has neither. (a couple of remote users use the Basic suite)

I would assume everyone needs to be on the Pro version for the environment to be protected?
Do you know the price difference from basic/standard to Pro?
Can it just be added and paid for monthly through a reseller like Appriver?
Is there any significant downtime to implement or learning curve to once everyone's accounts have been moved to a Professional license?
Do you feel Intune and MS Defender Pro offers an acceptable level of security?
Does it offer any additional protection for VPN usage? (they currently are using a Ubiquiti USG and two people use it for remote access to their desktops)

Thank you for all your help and knowledge!
 
@Velvis

Incorrect...

Short version:

Basic and Standard get the same stuff as the O365 subscriptions. Premium and M365 E, and F get the upgraded authentication component built in.

Use this, it helps: https://m365maps.com/

Long version:

There are three entitlement levels to Entra ID.

Entra ID Free, Entra ID P1, and Entra ID P2.

Entra ID Free is fundamental to Azure, and exists just because you have an Azure tenant. There are additional features within it that light up once you add any M365 subscription at all. This means, M365 Business Basic, and Standard BOTH have FREE. And yes, both allow you to join devices and users to the Directory. M365 Business Premium upgrades you to Entra ID P1, which lights up Conditional Access, and once the M365 Authentication migration completes (currently Sept of 25) is the only way to enforce the use of MFA on your users.

If you have a user that needs to be cloud only, it's perfectly reasonable to use M365 Business Basic, and add on Entra ID P1 to gain the additional security controls for that user.

NOTE!!! EVERYONE PAY ATTENTION!

As of April 1st, Microsoft has NEW PRICING for M365 subscriptions in effect. These prices are a result of anti-trust action taken against Microsoft in the EU. Thanks to these changes we now have SKUs for Business, F, and E level M365 and O365 subscriptions that EXCLUDE TEAMS and make it available as an addon.

This morning, the F series SKUs were Teams-less only... but as of the time of this writing that's been fixed. E level subs still lack teams for new subscriptions, though existing ones can continue. Teams Enterprise is a new SKU for teams itself priced at $5.25/usr/month. Business SKUs have both options available. Anyone in the EU however is forced to swap to the Teams less version of the subscription at the point of contract renewal... have fun with your price increase thanks to the EU!
 
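A way to answer "which licenses are they on, and does anyone actually have P1" from the tenant itself rather than from the CSP invoice, as an added example that is not from the thread: it maps every subscribed SKU to its part number, flags the SKUs whose service plans include AAD_PREMIUM (Entra ID P1) or AAD_PREMIUM_P2, and then lists each enabled user with their SKUs and whether they carry P1, which is what Conditional Access enforcement depends on. Requires the Microsoft.Graph PowerShell module.

```powershell
# Added example (not from the original thread): per-SKU and per-user view of
# Entra ID P1 entitlement. Business Basic = O365_BUSINESS_ESSENTIALS,
# Business Standard = O365_BUSINESS_PREMIUM, Business Premium = SPB,
# standalone P1 add-on = AAD_PREMIUM (SkuPartNumber values).
Connect-MgGraph -Scopes 'User.Read.All','Organization.Read.All'

# SkuId -> name, P1/P2 presence (by service plan), and unassigned seats.
$skuMap = @{}
foreach ($s in (Get-MgSubscribedSku -All)) {
    $skuMap[$s.SkuId] = [pscustomobject]@{
        Name      = $s.SkuPartNumber
        HasP1     = [bool]($s.ServicePlans | Where-Object ServicePlanName -eq 'AAD_PREMIUM')
        HasP2     = [bool]($s.ServicePlans | Where-Object ServicePlanName -eq 'AAD_PREMIUM_P2')
        Available = $s.PrepaidUnits.Enabled - $s.ConsumedUnits
    }
}
$skuMap.Values | Sort-Object Name | Format-Table Name,HasP1,HasP2,Available -AutoSize

# Per-user: which SKUs, and whether any of them carries P1.
$users  = Get-MgUser -All -Property UserPrincipalName,AccountEnabled,AssignedLicenses |
          Where-Object AccountEnabled
$report = foreach ($u in $users) {
    $names = @($u.AssignedLicenses | ForEach-Object { $skuMap[$_.SkuId].Name })
    $p1    = @($u.AssignedLicenses | Where-Object { $skuMap[$_.SkuId].HasP1 }).Count -gt 0
    [pscustomobject]@{
        User     = $u.UserPrincipalName
        Licenses = ($names -join ', ')
        EntraP1  = $p1
    }
}
$report | Sort-Object EntraP1,User | Format-Table -AutoSize

$missing = @($report | Where-Object { -not $_.EntraP1 })
"$($missing.Count) of $($report.Count) enabled users have no Entra ID P1 entitlement"
```

The users in that last line are the ones a Conditional Access policy cannot legitimately cover; the fix is either Business Premium or a P1 add-on on top of their Basic/Standard seat, as the post above describes.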
So, to clarify:

Do you know the price difference from basic/standard to Pro?
The prices.. https://www.microsoft.com/en-us/microsoft-365/business?rtc=1#heading-ocb6f5
Can it just be added and paid for monthly through a reseller like Appriver?
I'm sure Appriver does their licensing like most other CSPs...where you can manage licenses for all your tenants. Usually, even if you have annual commits on current licenses, most CSPs allow "upgrades" at any time during the license period. Usually you "upgrade/replace" a users license...not really "add-on".
Is there any significant downtime to implement or learning curve to once everyone's accounts have been moved to a Professional license?
Guessing you're talking about Microsoft 365 "Business Premium"...(not Professional). Well, yes, there are many features and services you'll want to learn....so you can best setup/configure/manage your clients' tenants and computers. Some of the stuff, I started a long thread on using Intune (which...could probably use some updating now).
Do you feel Intune and MS Defender Pro offers an acceptable level of security?
Intune is a tool to manage the computers. Think of it like...the 365 cloud version of Group Policy Management Console. Some of it does involve aspects of security of the computers...like managing Windows updates, or attack surface reduction. 365 Defender for Business is the kicked up next gen endpoint protection (the modern version of antivirus protection on workstations/servers). You can manage it in Intune, or...in the Security Defender console (I prefer managing it in Intune...at this moment...<subject to change>). ALSO in Defender....separate from the endpoint antivirus on the workstations, is the protection of incoming email, storage of files, there's like...6-ish policies in there...equally as important to protection of everything. It's the protection "before" things hit the workstations. And then of course...Conditional Access, which is....a whole 'nother area that's more towards protection of accounts and data. Much greater control than just the basic "security defaults" (which...it replaces; you turn off security defaults when you kick in Conditional Access).
Does it offer any additional protection for VPN usage? (they currently are using a Ubiquiti USG and two people use it for remote access to their desktops)
I don't really use VPNs anymore. When you take clients to 365, and mobile laptops, and with most of their LOB apps cloud hosted/SaaS now...there is zero need to "VPN/Remote to the office". My laptop here..right now as I sit on my couch at home, I have everything I need on it...no different than if I were at my office. Our office's file shares are accessible in Teams/SharePoint/OneDrive. For any clients using legacy/on prem software hosted at their office, that remote into workstations, I use Splashtop Business...keeps it incredibly simple to remote in, multi monitor support, great smooth response time, it's MFA'd and just stupid easy to use for people. No clunky VPNs.
 
Two things that should die in a fire...

1.) VPN
2.) RDS (Terminal) servers

If you're using either of these things it's because you haven't modernized a process. I will tolerate the 2nd only in cases where a CMMC & ITAR compliant environment is required, and there must be another native M365 tenant to manage the endpoints that access the GCC High tenant anyway. Note the above applies to all VDI on the shelf too, same crap, different wrapper, still doesn't make any sense for most environments and the investment required to create and maintain it is HIGHER than modernizing the processes such that you don't need it!

Why do we charge our customers to maintain two endpoints per user? Stop it! One endpoint is sufficient!
 