The most important tool in Microsoft 365 that you can adopt in 2021
Alex Fields
I get it. The universe is expanding so rapidly these days that it can be difficult to know where you should focus your efforts. If you are having trouble “catching up,” do not worry, you are not alone. The IT industry is working on this issue collectively as we move through some growing pains together.
On the one hand, you can rest a little, knowing that you do not have to “stick your neck out” into uncharted territory whenever new software drops. You don’t have to be the one to take on the risk of unknown challenges and adoption hurdles. For example, just announced is a new product called Microsoft Viva, which at first glance appears to be a re-imagined company intranet, with a set of intranet apps built on pieces of Microsoft 365 that have long been available. But who cares? In 6 months this will probably still feel pretty new, and it’s hard to say right now how much value this product will be able to deliver in the SMB space. So let someone else figure that out.
Consider another example: some people will never need to ponder whether they should move to a platform like Windows Virtual Desktop (WVD), because all of their apps already support a native cloud-first, mobile-first experience which allows similar capabilities on any device natively (desktop or mobile). WVD would only be required to support legacy “Windows Server and Desktop-bound” apps. On the other hand, if that does describe you, and you want an alternative to the cost and complexity of running VDI in your own datacenter, then maybe you would want to check it out.
Now those two examples aside, what is worth focusing on this year? For the small and mid-sized organizations of the world (who are most often under the care of a Managed Services Provider), I am going to recommend you prioritize exactly one tool, if you haven’t already: Microsoft Endpoint Manager (Intune for the SMB; not ConfigMgr, which is more on the Enterprise side). This is included in the Enterprise Mobility + Security SKUs and in Microsoft 365 Business Premium or Enterprise E3/E5 plans.
The answer is simple, though there are many reasons for it.
If you look at my teachable courses or any of my other materials on meeting the CIS Critical Security Controls, you will notice that no tool will accelerate you more quickly down the path of modern management with a solid security baseline. Most people want to jump right into the “advanced” security stuff like Microsoft 365 Defender and Azure Sentinel. But you gloss over the basics at your own risk.
Examples of those basics include ensuring that your hardware and software inventory is square, removing local admin privilege, and enforcing the installation of your security and monitoring tools. For the first time in history, you can guarantee that every device (personal and corporate) is included in your inventory and made compliant with your baseline before granting access to corporate data. This is known as Device-based Conditional Access. That is extremely powerful (especially in this work-from-home era). Most service providers today cannot look me straight in the face and guarantee that every device storing and processing corporate information is properly protected and accounted for in their management tool.
Once devices are enrolled into the Intune cloud service, organizations can start to make decisions about just how much access they want to extend with regard to Office 365 and other cloud apps connected to Azure AD. Devices that are not recognized by Azure AD and Intune can be limited or barred from entering certain areas. Customers love that feature.
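As an added illustration (not code from the original post), here is what a device-based Conditional Access policy looks like when created through the Microsoft Graph PowerShell SDK: it requires a compliant (Intune-enrolled) or hybrid-joined device for all cloud apps, and starts in report-only mode so you can review what would be blocked before enforcing it. It assumes the Graph SDK is installed, an account with Conditional Access administrator rights, and a placeholder object ID for an emergency-access exclusion group.

```powershell
# Added example, not from the original post. Creates a report-only Conditional Access
# policy that requires a compliant or hybrid Azure AD joined device for all cloud apps.
# Assumes: Microsoft.Graph PowerShell SDK installed; the signed-in account can write CA policies.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

# Placeholder: object ID of an emergency-access ("break glass") group that is always excluded,
# so a misconfigured policy cannot lock every administrator out of the tenant.
$breakGlassGroupId = "<object-id-of-emergency-access-group>"

$policy = @{
    displayName = "Require compliant device for all cloud apps (report-only)"
    # Report-only: sign-in logs record the would-be result without enforcing it.
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users          = @{
            includeUsers  = @("All")
            excludeGroups = @($breakGlassGroupId)
        }
        applications   = @{
            includeApplications = @("All")
        }
        platforms      = @{
            includePlatforms = @("all")   # Windows, macOS, iOS, Android and unknown platforms
        }
        clientAppTypes = @("all")         # browser, mobile/desktop clients, legacy protocols
    }
    grantControls = @{
        # OR: either a device marked compliant by Intune or a hybrid-joined device satisfies the grant.
        operator        = "OR"
        builtInControls = @("compliantDevice", "domainJoinedDevice")
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy

# Verify the policy landed in the tenant with the intended state before reviewing sign-in logs.
Get-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id |
    Select-Object DisplayName, State
```

Once the report-only sign-in data shows only the devices you expect being flagged, switch `state` to `enabled` (after the Intune compliance policies themselves are in place, or every enrolled device will be treated as non-compliant).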
Intune is also the de facto replacement for Group Policy in the cloud. If you want to push configuration profiles, security policies and so on, then this is how you are going to accomplish it.
I still run into people who claim they cannot do the same “stuff” with Intune that they could with GPO. Really? Remember first of all that you should not attempt to map GPO settings 1:1 onto Intune configuration. Very often you do not need to bring the relics of yesteryear into the technologies of today. Instead, start fresh by creating the policies you actually care about. Try to find something that cannot be accomplished in Intune. I dare you.
“But it is not as easy,” you might say.
To this I reply, “Even if that sentiment were true (and often I find it is not), so what?”
Nothing is ‘easy’ the first time you do it, but that doesn’t mean you shouldn’t move forward anyway. Like I said, this tool has more than earned its place at the table by this point: it is no longer a new thing, and I would suggest further that there is more risk in ignoring it. We are way past the early adopters. Yet in the SMB space, few have implemented it (and even fewer have done so correctly). Many already have Intune as part of their subscription (either via Microsoft 365 Business Premium, or Enterprise Mobility + Security E3), and yet they are not taking advantage of it (or not taking full advantage, anyway).
I have two live courses coming up here in February and again in March on Microsoft Endpoint Manager (Intune). The first session will focus on mobile devices and the second on Windows 10. Both will contain some basic tutorials and other materials to help you get familiar with the “basics” of the product. If you are joined up for the full year of learning and expanding your cloud practice with Microsoft 365, then these sessions are already included. If you want to join the practice development year, the registration will only remain open through the end of the month (February 28). All the content we covered in January (Migrating to Azure AD) is also already available in the teachable portal for replay.
If you do this right, then you will have a simple process for enrolling both corporate and personal devices so that you can have control over apps and data on each and every device that connects to your corporate resources in the cloud. If you do it really right, then when a user first unboxes and powers on a new corporate device, all they have to do is sign in with their credentials, and Autopilot will take over from there, delivering all the apps and data that they need directly to their machine. It also shrinks your deployment (and re-deployment) time dramatically. (Note: Autopilot is not ‘magic’; someone has to set it up, get it working properly, and maintain the device and application lifecycles over time. This is a real MRR opportunity.)
One more point on this topic: Intune is a critical consideration when expanding your consumption of management and security features in the Microsoft cloud further. So much more opens up once you have this piece in place. It really is the bedrock of your modern management strategy.
Does this replace my RMM?
The short answer is No. There has been some speculation out there to this effect, but it is just not true. Not at this stage in the game, anyway. It does not replace the RMM but it does enhance the RMM. Microsoft has already indicated they would rather work with the RMM vendors to integrate their tools, rather than attempt to re-invent the wheel and become a competitor.
We are looking forward to more development of the Multi-tenant management tool, Microsoft 365 Lighthouse, which will allow service providers to work with devices and policies across all of their customers. Of course, this is still very early stages (it was just announced this past year at Ignite). But, that does not mean you cannot start getting instant benefit from implementing the tool as it stands right now, today. In fact, do you have a multi-tenant tool to manage your GPO’s across all customers for on-prem AD? Probably not. This is no different then, for the time being. In the future, this could all look different, but that’s all speculation today.
The first thing I would suggest you do is get a handle on the basic concepts of MDM, including Compliance policies, and Conditional Access. After that, learn how to deploy device configuration profiles, endpoint security profiles, and finally learn how to push applications and apply app protection policies (MAM). All of this is explained in my Microsoft 365 Best Practices guide, which includes material for Intune, Conditional Access, Azure AD and more. And the live courses I mentioned in February and March will likewise cover these items, with an opportunity for Q+A.
Again, this is no longer a new tool; it has years of history now, and wide adoption (especially in the Enterprise). So do not be afraid of embracing modern management! It is the best and fastest way to establish your complete endpoint inventory, and gain a higher level of confidence in your devices (whether corporate owned or personal).
I leave you with a question: if you are not going to accomplish these outcomes with your Microsoft 365 subscription (such as Microsoft 365 Business Premium or Enterprise plans), then how will you accomplish them? You should have an answer to this. I argue that Intune is going to be the best situated, as it ties in natively with Azure AD, is available in many Microsoft 365 subscriptions (which are ubiquitous), and of course it boasts out-of-box Conditional Access, which is something many other solutions still cannot offer.