Microsoft 365 is used everywhere, but not many people know what it is. This post provides a basic foundation for business decision making at the CTO level, or for individuals who are simply trying to understand the 365 lingo. Already know how Azure AD operates and which services Microsoft offers under Microsoft 365?
Email (Office 365)
- The Office 365 Office Suite and Microsoft-hosted email are the gateway drug into Microsoft 365.
- Microsoft Office 365 subscriptions are used by approximately half of the businesses we support.
- Many “traditional IT” businesses use Office 365 Essentials to migrate away from hosting their email (Exchange) server internally.
- An employee’s Windows 10 login username is their email address if the organization uses Microsoft Azure Active Directory (Azure AD) to centrally manage user logins on its network.
Computer sign in and authentication (Azure AD)
- Microsoft Azure AD is another major component of the Microsoft 365 ecosystem. It can replace, or work in tandem with, the traditional Active Directory found in almost all Fortune 500 companies, which allows users to communicate with other users and computers within the business’s IT network.
- Microsoft Azure AD is free when your business subscribes to Office 365 Essentials or Office 365 Business Premium.
- Microsoft Azure AD is nothing more than an identity service. The identity service provides single sign-on using OAuth2 or SAML. It is one of many components of the Microsoft 365 family.
- Paid versions of Azure AD come in three tiers of premium security services and end-user profile lockdown, called Enterprise Mobility + Security (EMS): choose E1, E3, or E5.
- The barrier to entry for Azure is having Windows 10. Windows 7 and Mac clients are supported, but Windows 10 is preferred. The Windows 7 end-of-life date is set for January 2019.
- The bare minimum cost for a 10-user environment using the E3 package is approximately $100/month.
Components of the Microsoft 365 solution
Here are all the Microsoft components for centralized management of a network. AADDS, like a traditional domain controller, requires a VPN. In the end, component 2 became the winning combination for most organizations seeking modern IT success.
Component 1) Azure Active Directory.
If a user exists in Office 365, that user exists in Azure Active Directory. Azure Active Directory is nothing more than an identity service. The identity service provides single sign-on using OAuth2 or SAML. By comparison, traditional Active Directory uses LDAP and RADIUS. AKA Active Directory DIY… (Do It Yourself)
Example: Single Sign-On to Salesforce
- Don’t have Azure Active Directory? Use Federation Services. This is difficult to set up if you have never performed the configuration before.
Component 2) Active Directory Server, in Azure or On-Premises (Traditional AD, extended to the cloud *** No AADDS)
This is an actual server or VM running the domain controller role. It resides either on-site with the organization or in a colo/cloud provider (Rackspace, AWS, Azure, etc.).
- Old-school management of the domain and identity/access, so it is familiar to you and you aren’t relearning anything.
- Tends to be less expensive in the SMB space because of the AADDS licensing costs of the other option.
- Not to confuse you, but you can also use Intune. It is simply a cloud management system for mobile devices and endpoints, and it is not required!
A traditional Active Directory server contains GPOs (Intune can be used in tandem with traditional AD), and AD can be hosted in Azure if you want to extend your local network environment into the cloud (done through Azure AD Connect). The typical setup is Office 365 for email, Azure AD (free) with Azure AD Connect, and an AD server either deployed in Azure (with a VPN to the cloud) or hosted on-premises.
- Office 365 is silo 1 and the traditional domain is silo 2.
- You can bridge those silos using Azure AD Connect. *** extremely common
- Pricing is illustrated below, plus Office 365 (Exchange email) licenses if you go that route.
Component 3) Azure AD Domain Services (AADDS)
All AADDS does is present itself as a pair of domain controllers to a virtual network in Azure.
Example: you don’t have a domain, but you would like to create a Remote Desktop Services (RDS) server. Create an AADDS instance and join the RDS server to that domain without having to create a domain controller. The only scenario in which you would use AADDS is when you need to join a server to a domain, or you want to take advantage of RADIUS authentication, and you don’t want to create a domain controller.
Another example: the organization does not have a traditional domain controller environment but would like to centrally manage authentication to a Synology file server or NAS. Two options:
- A) create domain controller
- B) Create an AADDS instance
If we choose B, the Synology will be able to authenticate against the domain controllers in the cloud, and users are managed in Azure AD.
Why not go with AADDS?
- The cost is cheaper with “component 2”: the AADDS service alone is $110. You may as well have all the added benefits of traditional AD, plus merge with “component 1” if you have, or would like to move to, Office 365.
What about maintaining centrally managed services on a local Samba domain controller, i.e. a Synology?
- You are back to having two silos to manage.
- Office 365 or G Suite in the cloud
- Managing users in Office 365
Component 3 combines with component 1 so that you can replace component 2.
That price plus AD limitations, though!
- This is the newer solution where you forego an AD server and instead use the Microsoft service completely in the cloud, with no servers to manage.
- You MUST use Intune.
- If a VPN is required/preferred, then you would need to add its cost ($30-$141 depending on SKU).
- AADDS: $110 per month for the first tier; higher AADDS tiers cost extra
- Microsoft 365 license: $20 each (includes Office 365 Exchange – Business Premium)
- VPN: $30-$141 depending on SKU
The Big Difference
The big difference is springing for the higher-priced Microsoft 365 Business ($20), which includes Intune, versus buying Intune individually ($6 add-on) in tandem with Office 365 Business Premium ($12.50).
Central File Storage (SharePoint-OneDrive)
Ideally, you get rid of OneDrive and use Microsoft Teams in conjunction with SharePoint. All of these products are under the Microsoft 365 umbrella.
Note: This is really the starting point for discussing Microsoft Teams, AKA Microsoft’s version of Slack, which does modern file sharing and distribution.
- Personal cloud drive storage similar to Dropbox is called Microsoft OneDrive.
- OneDrive for Business comes with Office 365. It is also personal storage, but for your professional life.
- Central storage that allows you to collaborate on documents or share files among your peers within your organization and outside your network is called Microsoft SharePoint.
- SharePoint comes with Office 365 Essentials and Office 365 Business Premium.
Office 365, Azure AD, and SharePoint make up the big three critical components for a small business starting out today, if you are not committed to the Apple ecosystem. This whole suite of services is called Microsoft 365.