1. A solid synchronization strategy
Most organizations rolling out Office 365 have already used Active Directory (AD) for years, to authenticate users, manage security groups and so on. They may also be moving to Office 365 from an on-premises Exchange system, which integrates with AD (same users, and now with distribution lists too).
Office 365 sits on Azure Active Directory (Azure AD or AAD), which can be thought of as the extension of Active Directory (AD) in the cloud. AAD provides user authentication, security group management, and distribution list management in much the same way that AD does on-premises.
OCG has long been an advocate of synchronization of on-premises assets, but the extension to the cloud makes it even more desirable. When we say ‘synchronization’ we mean the provisioning and deprovisioning of accounts as well as the maintenance of attributes as they change. This is essential to the proper management of the user lifecycle across HR, AD and various other on-premises systems (ERP, CRM, etc.), and it extends to AAD, from which identities can be made available to many other cloud services. In fact, AAD has internal processes to synchronize user (and group) data to Office 365, and some cloud applications also establish a synchronization process when they are added to Azure AD.
Synchronization ‘engines’ are the beating heart of your identity and access management system, pumping user and group objects, with their attributes, to where they are needed, ensuring that users get access (licensing and group memberships) as soon as they need it, and that their access is removed just as promptly when it should be.
Why add to your manual processes, when you can automate so much of this with Microsoft Identity Manager (MIM) and Azure AD Connect?
Many organizations – perhaps most – have more than one forest in their on-premises Active Directory (AD) infrastructure, and usually these are separately managed, perhaps because they originated in a different division, or different companies that have been merged in. However, Azure AD is monolithic – an organization will typically have one Office 365 tenancy sitting on one Azure AD tenancy.
These multiple forests can be synchronized with the cloud, but each person must be represented just once, and be uniquely identifiable. Effort put into remediation of the overlaps and duplications of users (and groups) between forests is likely to be worthwhile; failure to do so may have expensive consequences further down the line.
3. Common UPN/email naming policy
Most organizations we work with carry remnants of organic growth – multiple, separately managed forests (as above), multiple Exchange environments, and evolving naming policies.
Identities in the cloud need to be uniquely identified (see Top Tip 2, above). Email addresses are, by their nature, unique, so this is a great place to start. Aligning each user’s UPN with their corporate email address is not just a convenience for the user, nor just a useful naming convention; it oils the wheels and greases the skids during migration, and it makes identity-based cyber security more effective.
Part of your preparatory work should be to agree on the naming policy and to tidy up any existing anomalies and loose ends, so that when users are synchronized into your new, squeaky-clean directory, they arrive with UPNs that then become their (cloud) email addresses. If you don’t, you may spend an eternity trying to get the toothpaste back in the tube.
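To turn Tips 2 and 3 into a concrete pre-sync check, here is an added PowerShell example (ours, not OCG's code or a Microsoft tool) that reads enabled users from each forest and reports cross-forest duplicates, UPN/email mismatches and unverified UPN suffixes; the forest names and verified domains are placeholders for your own values.

```powershell
# Added example (not OCG's code): pre-synchronization hygiene report across forests.
# Assumes the RSAT ActiveDirectory module and read access to every forest listed;
# $Forests and $VerifiedDomains are placeholders for your own values.
Import-Module ActiveDirectory

$Forests         = @('corp.example.com', 'acquired.example.net')  # placeholder forest root domains
$VerifiedDomains = @('example.com')                                 # placeholder: domains verified in the Azure AD tenant

# Collect enabled users from every forest with the attributes that matter for AAD Connect
$users = foreach ($forest in $Forests) {
    Get-ADUser -Server $forest -Filter 'Enabled -eq $true' -Properties mail, proxyAddresses |
        ForEach-Object {
            # The primary SMTP address is the proxyAddresses entry with an upper-case 'SMTP:' prefix
            $primary = ($_.proxyAddresses | Where-Object { $_ -clike 'SMTP:*' } | Select-Object -First 1) -replace '^SMTP:', ''
            [pscustomobject]@{
                Forest      = $forest
                Sam         = $_.SamAccountName
                Upn         = $_.UserPrincipalName
                PrimarySmtp = if ($primary) { $primary } else { $_.mail }
            }
        }
}

$findings = [System.Collections.Generic.List[object]]::new()

# Tip 2: each person must appear once - flag the same primary SMTP address in more than one forest
$users | Where-Object PrimarySmtp | Group-Object { $_.PrimarySmtp.ToLower() } | Where-Object Count -gt 1 |
    ForEach-Object { $findings.Add([pscustomobject]@{ Issue = 'DuplicateAcrossForests'; Value = $_.Name; Where = ($_.Group.Forest -join ', ') }) }

# Tip 3: the UPN should equal the primary email address (-ne is case-insensitive for strings)
$users | Where-Object { $_.Upn -and $_.PrimarySmtp -and $_.Upn -ne $_.PrimarySmtp } |
    ForEach-Object { $findings.Add([pscustomobject]@{ Issue = 'UpnDoesNotMatchMail'; Value = "$($_.Upn) <> $($_.PrimarySmtp)"; Where = $_.Forest }) }

# Tip 3: a UPN suffix not verified in the tenant is rewritten to the default .onmicrosoft.com suffix during sync
$users | Where-Object { $_.Upn -and ($_.Upn.Split('@')[-1] -notin $VerifiedDomains) } |
    ForEach-Object { $findings.Add([pscustomobject]@{ Issue = 'UnverifiedUpnSuffix'; Value = $_.Upn; Where = $_.Forest }) }

$findings | Sort-Object Issue, Value | Format-Table -AutoSize
# Resolve every finding (merge the duplicate, rename the UPN, verify the domain) before the first AAD Connect sync
```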
Whoa! Didn’t see that one coming, did you? Nephophobia is the fear of clouds – or, perhaps more correctly, we should be talking about fear of the unknown. Your users (and that includes managers and other influencers) are a major success factor. We are all creatures of comfort at some level, and change can be not just scary but a serious blocker. This is a big change, and you need your users onside.
When migrating your identities, make sure that you educate your users so that they are prepared for the change as well. A training schedule and plan that everyone is aware of and understands is vital to a successful migration. This applies to those who will simply use email, to wider Office 365 users who need to understand where to store documents so that they are safe (from loss) and secure (available only to the correct users), and to the people who will manage Outlook and SharePoint Online.
Bite-sized, on-demand videos are an excellent approach to this kind of education, and depending on the number of people involved, these can be off the shelf or (preferably) custom-made for your environment and working practices. As with all education, it is better to start early and embed good practices from day 1 than to try to remediate after bad practices have set in. And what you don’t need is a flurry of “help!” calls on the day you cut over.
5. Find a great partner to help you
OK, we would say that, wouldn’t we! But it has the advantage of being true. Don’t jump into the Office 365 cloud alone – find an expert partner to help you, with lots of experience and also the flexibility to be there when you need it for as long as you need it. A partner like Oxford Computer Group (yes, we are biased!). You can figure a lot of this out for yourself, but you’re only going to do this once and there are a lot of potential pitfalls, so do it right. OCG has been totally focused on identity management for over a decade, and we have over 30 years’ experience of delivering IT training (really!) – so we do know a bit about this!
Call us on +1 877 862 1617 or come and talk to us at our Summit.