Modernizing your identity investments with Microsoft 365 – Part 1

Making sense out of your current estate

The first step when modernizing your identity estate is to define why you need to modernize.  Maybe it’s because you just purchased Office 365 or Microsoft 365.  Maybe you want to take advantage of Autopilot, or provide a better employee experience for your users.  Once you have a clear picture of why, stakeholders identified, and project scope defined, it’s time to get started.

Depending on complexity, process, and overhead you may find several technical and organizational challenges.  Leverage your Enterprise and Business Architects to help navigate this; it is critical to your success.  They should be able to articulate your organization’s broad IT strategy and how identity is fundamental to executing it.  Keep in mind that your efforts in modernizing your identity story should be grounded in the principles of reducing complexity and cost and improving processes and user experience.

Technical Details of your current estate

Document, ask questions, and detail your current IAM processes. This may be an easy or relatively complex task depending on your organization and the documentation available. Below is a list of areas that are relevant to the modernization journey. Keep in mind that this is not exhaustive and further research may be required:

  • Core Directory
    • Where are your user identities created?
      • What attributes do you populate into AD from your HR Systems?
      • Do you use Extension Attributes to store attributes from your HR systems?
    • What is your Password Policy?
    • Do you have any 3rd party account, or directory auditing tooling in place?
    • Structure
      • How complex is your Active Directory Structure?
      • What is the Forest Functional Level?
      • How many Domain Controllers are in your environment?
      • What is the Operating System level on your Domain Controllers?
      • How many domains are there?
      • Any trusts established between domains, or additional forests?
      • Are you leveraging AD Sites and Services for service discovery?
    • Federation
      • Is Active Directory Federation Services deployed?
        • What version of Windows Server supports your ADFS farm?
      • Is a 3rd Party Federation provider deployed?
    • Certificates
      • Is there an Enterprise PKI deployed, like ADCS?
      • Are certificates deployed to workstations?
      • Are certificates deployed to webservers, or issued to application teams?
      • Do you use CAC or SmartCards?
      • Do you use any Certificates in your authentication flows?
    • Device Identity
      • Do you Join devices to Active Directory?
      • Do you have any Windows devices that are not on Windows 10?
      • Do you have any Virtual Desktops, or use technologies like Citrix, Terminal Services, or VMware?
      • Do you join macOS to your Active Directory?
      • Do you join Linux/Unix to Active Directory?
      • Do you have any mobile devices?
      • Do you have any ChromeOS devices?
    • Device Management
      • Do you plan on using MEM (Intune + ConfigMgr) to manage Windows 10+?
      • Do you have an existing Windows 10+ estate that needs to consume Windows Enterprise E3/E5 licenses?
      • Where are your settings managed?  Are these in Group Policy, or in ConfigMgr?
      • Do you have shared department drives, or printers mapped?
      • How many GPOs are in the environment?
      • Who can create or edit GPOs?  Is this distributed, or a central IT function?
    • Applications
      • What percentage of your apps are Cloud Apps?
      • What does the next 3-5 years look like from an application perspective?  More SaaS, data center apps?
      • What percentage of your apps live in the data center?
      • What percentage of your apps use protocols like NTLM, or Kerberos?
      • Any applications that use LDAP or LDAPS?
      • Is there any RADIUS usage?
      • What percentage of your apps use Modern Authentication like OAuth, OIDC?
  • Network
    • How do your users access applications in the data center?
    • Are you using Always On VPN, or user-initiated VPN?
      • Are you using Split Tunneling?
    • Are you using a “Hub and Spoke” model to access applications in your data center from your corporate sites?
  • Security Edge
    • What is your security perimeter set up to do?
    • What workloads (TLS decryption, DLP, etc.) are you currently running at your security edge?
    • What are your zero trust plans for your organization?
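
As an added illustration (not part of the original post), the following read-only PowerShell inventory answers several of the Core Directory, Device Identity and Device Management questions above in one pass: forest and domain structure, trusts, domain controller OS levels, password policy, GPO count, and the OS mix of joined devices. It assumes the RSAT ActiveDirectory and GroupPolicy modules and forest-wide read rights; the AD FS check is a heuristic based on the DKM container location and is an assumption, not a guarantee.

```powershell
# Added example: read-only AD discovery for the checklist questions above.
# Assumes the RSAT ActiveDirectory and GroupPolicy modules and forest-wide read rights.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$forest = Get-ADForest
$report = [ordered]@{}

# Structure: forest functional level, domains, trusts and AD sites
$report.ForestMode = $forest.ForestMode.ToString()
$report.Domains    = $forest.Domains -join ', '
$report.Sites      = ($forest.Sites | Measure-Object).Count
$report.Trusts     = (Get-ADTrust -Filter * |
    ForEach-Object { "$($_.Name) [$($_.Direction)]" }) -join ', '

# Domain controllers across every domain in the forest, grouped by OS level
$dcs = foreach ($d in $forest.Domains) { Get-ADDomainController -Filter * -Server $d }
$report.DomainControllers  = ($dcs | Measure-Object).Count
$report.DcOperatingSystems = ($dcs | Group-Object OperatingSystem |
    ForEach-Object { "$($_.Name): $($_.Count)" }) -join '; '

# Password policy: default domain policy plus the number of fine-grained policies
$pol = Get-ADDefaultDomainPasswordPolicy
$report.PasswordPolicy = "MinLength=$($pol.MinPasswordLength) MaxAge=$($pol.MaxPasswordAge.Days)d " +
    "Complexity=$($pol.ComplexityEnabled) LockoutThreshold=$($pol.LockoutThreshold)"
$report.FineGrainedPolicies = (Get-ADFineGrainedPasswordPolicy -Filter * | Measure-Object).Count

# Group Policy: GPO count in the current domain (a proxy for settings-management sprawl)
$report.GPOs = (Get-GPO -All | Measure-Object).Count

# Device identity: enabled computer objects by OS, flagging pre-Windows 10 and non-Windows joins
$computers = Get-ADComputer -Filter 'Enabled -eq $true' -Properties OperatingSystem
$report.EnabledComputers = ($computers | Measure-Object).Count
$report.ComputersByOS    = ($computers | Group-Object OperatingSystem | Sort-Object Count -Descending |
    ForEach-Object { "$($_.Name): $($_.Count)" }) -join '; '
$report.PreWindows10     = ($computers |
    Where-Object { $_.OperatingSystem -match 'Windows (XP|Vista|7|8)' } | Measure-Object).Count
$report.NonWindows       = ($computers |
    Where-Object { $_.OperatingSystem -and $_.OperatingSystem -notmatch 'Windows' } | Measure-Object).Count

# Federation heuristic (assumption): AD FS keeps its DKM keys under this container when deployed
$dkm = "CN=ADFS,CN=Microsoft,CN=Program Data,$((Get-ADDomain).DistinguishedName)"
$report.AdfsDkmContainerPresent = [bool](Get-ADObject -Identity $dkm -ErrorAction SilentlyContinue)

[pscustomobject]$report | Format-List
```

Run it once per forest and keep the output with the rest of your current-state documentation; the application, network and security-edge questions still need interviews and traffic data rather than directory queries.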

Once your existing IAM processes are understood, you can begin to ideate on what your end state could be.  During this process you and your team should be asking for feedback from business stakeholders and incorporating their input into your designs.  Keep in mind you may have a few milestones to reach before your end state is achieved.  Document what your end state is to be.  In most cases your end state should be to minimize your on-premises needs.  Question your assumptions and lean into why you are doing something today.  Doing this will help you define what services your identity platform needs to provide in the future.

Recap

Closing out part 1, we gathered some salient points around identity by mapping out current state. In part 2, we look at navigating options to move to cloud identity for Microsoft 365 services.
