Windows Server 2012 R2 Datacenter – Today Versus Tomorrow's Virtualisation Requirements – Part 2


In the last post I briefly discussed some of the traditional workloads we virtualised for SMB customers, and also started introducing the idea that, depending on how we plan on adopting cloud technologies, we aren't necessarily eliminating the need for on-premises virtual machines, but may in some cases need to support more virtual machines. Today I'll cover this in more detail, and will do it by focusing on just one of the offerings that Microsoft has made available through their online services, the Enterprise Mobility Suite.

Now, before anyone calls me out on this, I'm specifically using EMS as the example because it includes multiple components, and most of them have the ability to provide additional layers of protection inside your existing infrastructure. To many people, EMS is all about managing cloud identities, cloud-connected devices and mobile applications, but as you will see, it can do much more than that if you need it to. The four major components of EMS are Azure Active Directory Premium, Microsoft Intune, Azure Rights Management Service and Advanced Threat Analytics. Let's take a look at each of these with a strong focus on their capabilities to extend back inside your customer's environments. If you've been considering EMS for other purposes, maybe these will help to steer you towards leveraging it in more ways than you expected, provided you have the internal Windows Server licensing method that allows this to occur.

Azure Active Directory Premium is a major step up in functionality for those that want to do more than just synchronise users, groups and password hashes to Azure Active Directory. It allows cloud password resets and writeback into on-premises environments, along with the writeback of Azure AD registered devices and Azure AD groups back into your local Active Directory, rather than just being a one-way synchronisation from on-premises to the cloud. As mentioned in the previous post, the on-premises requirement for this directory synchronisation to occur is Azure Active Directory Connect, the latest in Microsoft's heritage of directory synchronisation tools, of which the 1.1 version was only released last week. Now, while this software is supported running on a domain controller, it isn't a best practice, so the ability to isolate the workload is definitely enhanced if you have a Windows Server license that you can use it with.

Another inclusion with Azure Active Directory Premium is Multi-Factor Authentication, where you have the ability to receive a phone call, SMS or mobile app notification to get secure access to resources. This is easy to use with Office 365, but what if you want to extend this approach back into your own internal resources? First of all, what type of resources support it? Some examples are the Remote Desktop Gateway for RDS, IIS, LDAP and Windows Authentication, as well as being able to act as the RADIUS server for various VPN solutions. This Azure MFA Server is also a good candidate for its own virtual machine, or if you want to ensure high availability you can deploy multiple instances behind a load balancer or in multi-server mode.

Azure Rights Management works as a great solution for protecting documents that are being created and consumed by Office 365 clients and services, but what if you have kept that file server on site, and maybe still have your own Exchange and SharePoint environments that you are managing? In this case you can install the Azure RMS Connector on-premises, but the catch here, which shouldn't be a surprise, is that it shouldn't be co-located on the physical instance or virtual machine whose workload it is trying to protect. The Azure RMS team also recommends deploying in a high availability scenario, which means looking at more virtual machines. What's the best way to get more Windows Server virtual machines? You guessed it, by already having that right through Windows Server 2012 R2 Datacenter edition.

The final inclusion in EMS that I'll cover in this post is the recently added Advanced Threat Analytics. ATA has two main components, the ATA Gateway and the ATA Center. These connect to your existing network by mirroring the network traffic to and from your domain controllers, and by collecting Windows events and analysing the data for attacks and threats. As you've probably already concluded, that's another two virtual machines you are starting with, so again the value of Windows Server Datacenter licensing should really start to be appealing.

As I mentioned at the start of this post, I chose EMS deliberately to highlight some of the different ways that cloud services, in this case just one suite from Microsoft, can impact your on-premises requirements if you want to leverage the best of cloud services while still supporting the on-premises solutions that customers want to protect and enhance. In the next post I'll cover one of Windows Server 2012 R2's roles that on its own can require an extensive number of virtual machines to be configured in order to deliver what it is capable of, and which is used for 36% of authentications to Azure AD/Office 365 in customers of 500 seats or higher.

Comments (3)
  1. Cloud-Ras says:

    Is looking forward to see what ATA is all about in my Sandbox 🙂

  2. At first it seems a little out of place with the other components of EMS, but when you look at it in perspective of the protection of on-premises resources that EMS already provides, it starts making much more sense. Even I have to remind myself that EMS isn't just about protecting things in the cloud, it's about using cloud services to provide protection.

  3. Anonymous says:

    In the final of a three part series I will discuss some of the Windows Server roles that you may not
