In late June I was approached to record some short technical overview videos on Microsoft 365 Business. Now that they are recorded and published, it’s time to review them and provide some additional resources and any important updates since the content was created. This is the third video in the series, and the focus is on cloud identity with Azure Active Directory.
The initial release of Microsoft 365 Business didn't officially support hybrid Active Directory scenarios, which meant that cloud identity was the officially supported way to work with the product. The April 2018 release, which included a whole raft of new security capabilities, brought the well-received news of support for hybrid Active Directory. All of a sudden this was a product that would make sense to way more people. It's still important to understand what cloud identity provides, even if it's going to be treated as the secondary identity for an organisation.
One of the topics I spend a bit of time covering is the set of Azure Active Directory capabilities that are included with Microsoft 365 Business. Depending on whether you are a glass half full or glass half empty person, it's either AAD plus, or AAD Premium P1 minus. The main AAD Premium P1 features that get mentioned when people make recommendations for future updates are password write-back from AAD to AD and Conditional Access. The important thing to remember is that AAD Premium P1 can be added if these are deal breakers for you. The value proposition of Microsoft 365 Business changed quite dramatically with the April 2018 update. I've written about this previously, so you can take a look at the earlier post.
My recommendation when working with Azure Active Directory as part of Microsoft 365 Business is to get a few things set up early: enabling Multi-Factor Authentication, enabling Self-Service Password Reset, using the Microsoft Authenticator app, configuring SaaS apps for single sign-on, and enabling Enterprise State Roaming. You don't have to enable everything at once, but the faster you can start rolling some of these capabilities out, the better it will be in the long run. One of the features currently in preview for admin accounts is the ability to set up a baseline policy, which you should also get familiar with.
Other topics covered include performing Azure Active Directory joins so that you are ready to manage the devices. A couple of points on this: the reason you don't want end users doing an out-of-box Azure Active Directory join is that the user performing the join ends up as a local admin on the device, which is not what you want in many cases. The better options are to either enrol the device for Windows Autopilot, or create a provisioning package in Windows Configuration Designer to enrol the device.
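
To check whether a device that has already been joined shows the admin problem described above, the following PowerShell script lists the members of the local Administrators group and flags Azure AD user accounts. It is an added example, not part of the original post or the videos. The function names are hypothetical, and it assumes it is run locally on the Windows 10 device.

```powershell
# Added example (not from the original post): report Azure AD identities
# that hold local administrator rights on this device.

function Get-AadJoinState {
    # dsregcmd /status prints lines such as "AzureAdJoined : YES".
    $state = [ordered]@{ AzureAdJoined = 'UNKNOWN'; DomainJoined = 'UNKNOWN' }
    foreach ($line in (& dsregcmd.exe /status)) {
        if ($line -match '^\s*(AzureAdJoined|DomainJoined)\s*:\s*(\S+)') {
            $state[$Matches[1]] = $Matches[2]
        }
    }
    [pscustomobject]$state
}

function Get-LocalAdministrator {
    # Resolve the group through its well-known SID (S-1-5-32-544) so the
    # check also works on localised Windows builds.
    $sid   = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-32-544'
    $name  = $sid.Translate([System.Security.Principal.NTAccount]).Value.Split('\')[-1]
    $group = [ADSI]"WinNT://./$name,group"

    foreach ($member in $group.psbase.Invoke('Members')) {
        $path = $member.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $member, $null)
        $kind = switch -Regex ($path) {
            '^WinNT://AzureAD/'  { 'Azure AD user'; break }
            '^WinNT://S-1-12-1-' { 'Azure AD SID (unresolved)'; break }
            default              { 'Local or domain principal' }
        }
        [pscustomobject]@{ Member = $path -replace '^WinNT://', ''; Kind = $kind }
    }
}

$join   = Get-AadJoinState
$admins = @(Get-LocalAdministrator)

$join   | Format-List
$admins | Format-Table -AutoSize

# A named Azure AD user in this group is typically the person who performed the join.
$aadUsers = @($admins | Where-Object { $_.Kind -eq 'Azure AD user' })
if ($join.AzureAdJoined -eq 'YES' -and $aadUsers.Count -gt 0) {
    Write-Warning "$($aadUsers.Count) Azure AD user(s) hold local admin rights on this device."
}
```

A device enrolled through Windows Autopilot with a standard user profile, or through a provisioning package, should not produce the warning for the everyday user account.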