Welcome to this great session on how to migrate on-prem Active Directory computer accounts to Azure Active Directory. Today we're going to talk about the history and the challenge associated with these projects, because it's got a long history going back to the early NT days. We're going to talk about cloud adoption and remote working and the challenges that adds to doing these projects. We're not all in the office anymore, so these endpoints are all over the place, which makes this project even harder to deal with. With all the challenges that we have and opportunities, we're going to try to answer the question: is it time to make the switch?
A lot of organizations are ready, but we're going to review all the challenges to get there as well. Some orgs aren't ready, or some may have to take some half steps to get there. But let's talk about the dream: the dream of migrating your computer accounts from on-prem to Azure Active Directory. It's a secure world without VPNs. In our modern working environment we're not in offices anymore, so users having to connect back to an on-prem virtual private network is really a pain in the neck, it's a lot of wasted hardware, and really quite a challenge.
When we talk about managing endpoints it can be a challenge, because these users may not touch the VPN. So you may have long gaps before you can actually do management on those devices. We want self-service. We want users to be able to set up their own device, automatically connect into the cloud, and get all their services and data down. So we really want to ensure that we're getting rid of all these barriers, and, unfortunately, on-prem computer accounts can add barriers and challenges here.
We talked about easy device deployment and replacement. We want to collaborate with everyone anywhere without barriers. We want centralized policy control. We mentioned that if you're not connecting into the VPN and you make a change in Group Policy, the user has to connect in to get that change. If they never get in, they're never going to get that policy change. So we want to be able to control these devices wherever the users are, and we want that configuration to always be current and active.
And we need to deal with lost and stolen devices. Again, these are features that you get through Azure Active Directory and some of the features that you get in Endpoint Intune and Management. But to get to that dream we have to make a lot of changes to infrastructure and tooling. So with that, Becky is going to help us out and go over some of the definitions and the tooling that is involved when we talk about the differences and how to get from on-prem Active Directory computer accounts to Azure Active Directory joined devices.
Thanks, Mike. So let's start talking about the comparisons between Active Directory and Azure Active Directory. With original Active Directory we had this environment where management and deployment are done with Group Policy, and maybe even some third-party tools or SCCM, for being able to push out the updates and perform all of the management of your devices. We also have the standard authentication that we're all used to, with NTLM and Kerberos using an LDAP-type configuration. And as Mike said, a lot of this configuration with Active Directory requires that VPN connection, especially in today's world where more and more users are working remotely.
And so, as he mentioned, there is that challenge. If you're trying to push out policies to manage these devices, if your users are no longer connecting into their VPN because everything else that they use is out in Exchange Online or on OneDrive, their devices might not be receiving those really important updates and policies that you want them to receive. So how do we solve this? Well, we've started moving into Azure Active Directory. With Azure Active Directory we now have a little bit more control and everything's out in the cloud.
And we're going to introduce this concept of a device identity, which I'm going to go into detail on, but there are some differences for the management and the authentication that we bring in and add when we come out to Azure Active Directory. We've got the idea of Microsoft Endpoint Manager, which has a lot of different tools for managing the devices, pushing out, deploying software, and deploying devices themselves.
And then we also introduce conditional access policies, which give you a lot more control over your user identities and those device identities that I want to go into a little bit more deeply. So in Azure AD there are two common device identities. You might actually be more familiar with what's called an Azure AD registered device; this is what your users have been using for any MDM management of their mobile devices.
If a user has a bring-your-own device, whether it's a cell phone or an iPad or any other device that they own, it can still become Azure AD registered. And this lets you perform a little bit of management, maybe push out some Intune policies to those, but they aren't truly joined to your Azure environment. So instead, there's a concept of an Azure AD joined device; this is the device identity that we'd be talking about as we start moving our real devices from that on-prem Active Directory out to Azure Active Directory. So just like being domain joined in AD, you are now going to be Azure AD joined as a device identity, but that's just for cloud only.
Most commonly, what we see today, is that you probably have some sort of hybrid environment. You have your original AD and you've deployed Azure Active Directory Connect and it is able to sync up your users, your groups, and