Meet Microsoft 365 Business: The new Small Business Server(less) Solution
Alex Fields
I’ve been waiting for this moment for a long time. And I can’t tell you how happy I am that it is finally here. Today we’re going to talk about Microsoft 365 Business (not Office 365).
Actually, I’ve been sitting on it for a while, because I wasn’t sure if it was really “ready.” Now, I have to say this–because most businesses (small or large) do not like being the early adopters. Most of us want to belong to the “middle” or “later-middle” of the adoption bell curve. Neither too early nor too late to the game. Too early and you’re going to be the “lucky” ones discovering all the new challenges, gotchas and sometimes even bugs that haven’t been worked out of the system yet. On the other hand, if you’re too late, then your competition has long ago passed you by–and there is risk in that also. So there tends to be this herd mentality, which is only natural for social creatures like us.
Full disclosure: I have no idea how widely this product has been adopted. It’s only been around for a few months at this point, but the thing is, I can’t imagine that this product will do anything but grow. Microsoft has made it clear at their conferences and in their marketing/publications, that the old on-premises Windows Server-based Active Directory deployments are going the way of the Dinosaur–they will simply cease to exist, eventually. How quickly that unfolds is anybody’s guess. But it makes sense.
The Setup: A quick history lesson
Let’s review: for more than a decade, Microsoft solved a lot of Small Business problems with the technologies that were packaged in Windows Small Business Server (SBS). And Windows Server Essentials or Standard Edition after the sun set on SBS (but then most folks were leaping into Office 365). The original bundle of old included:
Active Directory: This technology provided a security boundary for the organization–a place to manage and store information about users & computers, and apply policies from a centralized management interface.
File sharing: The first thing that almost every small business does as soon as they set up a new Small Business Server with user accounts? Start sharing files of course! This usually meant mapping network-based drives to file shares so that users could see a common file structure and collaborate on documents together. Printers can also be shared in much the same way.
Exchange / Email: Probably the second thing an organization consumed from this product was Exchange server–a slick way to have corporate email with calendar & contact sharing, built-in, and all tied to your domain name, no less.
VPN and/or Remote Desktop: If you are remote from your place of work, you might find that you still need to get at those shared resources sitting back at the office. Drive back in to pull a late night? Hell no! Windows server could enable a VPN and/or a Remote Desktop session, so that you could do your work, even without physically being at your workplace.
SharePoint: Take collaboration and remote access to the next level, with web-based intranet and document sharing, and built-in version control!
Group policy: This is more on the IT/administrative side, but say you want to make a setting or security change for your users. Instead of going around to PCs individually, you can use GPOs to assign (and enforce) those changes instead. Now you can be sure that the settings aren’t being changed without your approval, and of course you can do it once (instead of once for every person).
And there were other features, but those are the main ones, right? Today, surely most of the important items above can be solved with Office 365–after all, both Exchange and SharePoint come in online flavors, and file sharing is more robust there than it ever was on-premises. And typically the VPN/Remote Desktop bits were only used to get access to these items that were otherwise impossible to reach. But in the cloud that is no longer the case–your file sharing can be done from anywhere with an internet connection. “What the hell is VPN?” Your kids will ask. Most other apps now come in a cloudy flavor too, so accounting software, CRM, ERP systems of all types can be consumed without this other premises-based infrastructure to support it.
Even so, I have previously written about how challenging it can be to completely ditch on-premises Active Directory, using only Office 365. The reason is because nobody, it seems, had produced a “cloudy” product which would solve for the management and security aspects that were previously handled in a robust system such as Active Directory. As though Microsoft were reading my thoughts, they announced Microsoft 365 Business (and of course, there are Enterprise varieties available as well).
Microsoft 365 Business = Serverless Active Directory + Office 365
Do you remember the days of migrating people from Novell Networks to Microsoft? Not all of us are that old, and truth be told neither am I, but nevertheless I have come across it, even during my working career. Well Microsoft didn’t want to become the new Novell, so they are in effect replacing themselves before someone else does. And Microsoft 365 is how they are doing it.
I’m only going to discuss Microsoft 365 Business for now, not the Enterprise versions (which have a few more bells and whistles built-in). Quickly on this topic however, let me just say that Microsoft 365 Business comes with Office 365 Business Premium licensing built-in, whereas the E3 variety includes (you guessed it) Office 365 E3. Make sense?
Okay, so most small businesses will probably do just fine with the “Microsoft 365 Business” tier, which currently retails for $20.00/user/month USD (this compares to $12.50/user/month USD for Office 365 Business Premium). For the extra money, you are getting some pretty bad-ass security and management features, and the idea is that you start using these new tools to manage your devices, retiring the use of Active Directory and Group Policy.
I’ll give you a quick run-down.
Don’t join the on-premises Active Directory, instead join computers to Azure Active Directory (your tenant in the Microsoft cloud runs all of its user accounts off of this already). Update: you should know that it is indeed supported to run this subscription with a Hybrid-Join scenario also, for those still in transition.
Now you will have a policy, or set of policies, which control certain settings and behaviors on these devices (Android, iOS and Windows 10 Pro). From the front page of the 365 Admin portal, there will be a big Setup button after you purchase this subscription. Click on Setup to start the configuration steps below. You can expand these and manipulate the options as shown (or to your liking).
From here, you can force users to save files only to “work locations” such as OneDrive for Business and SharePoint (note: you can sync SharePoint libraries using the OneDrive client also), and make it encrypted (so lost/stolen devices are protected). Not only that, but you can actually remove work content from devices as well. You can have it automatically expire and remove itself, and of course, as an admin you can remotely wipe corporate content, or just trigger a full wipe/factory reset. This applies not only to mobile devices, but also to those Windows 10 Pro computers you manage.
Another pretty amazing capability is restricting copy/paste from Office apps to other, personal apps (on mobile devices). Now in practice, I don’t know how many small businesses I work with would really want or request that. Still pretty cool, though. I’ll see how folks start reacting to this feature, and maybe report back.
And of course we have Office deployment–you can automate it (Creators update or later required) with this little setting right here:
Hopefully we see this continue to develop and expand to include other apps. Now, expanding the heading above that, Secure Windows 10 devices, you can see some familiar favorites like enforcing an automatic screen lock, which is a good way to meet a number of controls in various compliance bodies and standards.
Now the above accounts for all the setup screens, but of course, you can go back and edit your selections at any time from the admin portal. Devices > Policies.
And that’s about it.
Joining a Windows 10 Pro device to Microsoft Azure AD
Note: This requires the Fall Creators Update or later.
Make sure your computer is dis-joined from any on-premises Active Directory first. Then proceed with the steps below.
Go to Settings > Accounts > Access work or school. Click on Connect.
Do not fly past this screen–in fact, you don’t have to type in an Email address here. Instead, you will choose Join this device to Azure Active Directory under Alternate actions. If you don’t see this option, make sure you have the Fall Creators Update, and that you are not joined to an on-premises Active Directory already.
Now you can sign in with your corporate / Azure / 365 credentials. Note that the user account being used to sign into the device is the identity that will be tied to the device in Azure AD. So you should join each device for each user. This means the solution is best for environments without shared PCs–each user typically uses their own device(s). A shared PC, as of today, is best handled with a “generic” or shared login (and you’d have to own a license for that login)–e.g. “Conference Room PC” could be its own licensed user: firstname.lastname@example.org.
After you have signed in and confirmed, you can switch accounts on the computer.
Now sign in using the corporate identity. If you return to this area in Settings, you will see that the device is now joined, with all the benefits, such as single sign-on (with Edge or IE, browse to a website like https://portal.office.com and watch how it magically signs you in without needing to provide a password).
From the admin portal, under Devices > Manage, you will find that the device is also presented here.
If we click on this new device (type: Pro), we have the option to Remove the company data, or Factory reset the whole device.
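Before and after the steps above it helps to confirm the device’s actual join state from the device itself rather than trusting the Settings screen. The following is an added example, not part of the original post: it runs the built-in dsregcmd /status command and reports whether the machine is still domain-joined (which must be undone first, unless you intend Hybrid Join), merely Azure AD registered (the weaker state discussed later in the post), or genuinely Azure AD joined. The field labels (AzureAdJoined, DomainJoined, WorkplaceJoined, TenantName, DeviceId) are what dsregcmd prints; the function and variable names are my own.

```powershell
# Added example (not the post's own code): summarise the Windows 10 join state
# from dsregcmd /status. Assumes dsregcmd.exe (built into Windows 10) is present.
function Get-DeviceJoinState {
    $raw = dsregcmd /status
    $state = @{}
    foreach ($line in $raw) {
        # Lines of interest look like "   AzureAdJoined : YES"
        if ($line -match '^\s*(\S+)\s*:\s*(.+?)\s*$') {
            $state[$matches[1]] = $matches[2]
        }
    }
    [pscustomobject]@{
        AzureAdJoined   = ($state['AzureAdJoined']   -eq 'YES')
        DomainJoined    = ($state['DomainJoined']    -eq 'YES')
        WorkplaceJoined = ($state['WorkplaceJoined'] -eq 'YES')  # "registered", not joined
        TenantName      = $state['TenantName']
        DeviceId        = $state['DeviceId']
    }
}

$join = Get-DeviceJoinState
if ($join.DomainJoined -and -not $join.AzureAdJoined) {
    Write-Warning 'Device is joined to on-premises AD; leave the domain before the Azure AD join (unless Hybrid Join is intended).'
} elseif ($join.WorkplaceJoined -and -not $join.AzureAdJoined) {
    Write-Warning 'Device is only registered with Azure AD; it is not joined, so the management policies will not apply.'
} elseif ($join.AzureAdJoined) {
    "Azure AD joined to tenant '$($join.TenantName)' as device $($join.DeviceId)."
} else {
    'Device is not joined to any directory.'
}
```

Run it in an elevated PowerShell session on the device; a device that shows AzureAdJoined : YES here is the one that will appear under Devices > Manage in the admin portal.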
The Managed Device
Check out your device system settings now. You no longer have Windows 10 Pro, but Windows 10 Business.
Furthermore, you can see that several settings are now “Managed by your Administrator” (meaning no one can change them except from the 365 admin portal).
And that is everything I have to show you (because that’s essentially all there is to it).
So, does this product solve for everything?
No. Of course not. See the discussion above. But that is where you come in, my friend. Because this still solves an awful lot, and what it doesn’t, perhaps you can supplement (or you can at least get engaged and provide MS with more feedback to keep developing it in the “right direction”). Most managed service providers would still want their own agents installed on these PCs, to manage them. But this allows you to have a common security boundary and identity management solution, without an on-premises server or the complexity of Directory Synchronization. I call that a win.
And no, it doesn’t do everything that Group Policy once did. Not yet (and maybe not ever). But it does some stuff that Group Policy never could do, too. So things are changing. I am sure I will have more to say about this product line in the future. I will include some other resources below as well, so you can check out more about it yourselves.
Kudos to Microsoft for granting yet another one of my long-standing wish-list items. I am excited to continue participating in this adventure, as it seems like the new device management stuff is really going to be the way of the future, while Group Policy and on-premises AD begins to fade into distant memories. Like Novell. It won’t happen overnight by any means. But I think it could happen more quickly in the small business, than the Enterprise… it just requires a little investment from us partners.
Aside: This is not the same as registering a Windows 10 device against Azure AD, which many people have been doing even with Office 365 subscriptions. That action gives you no real leverage over the device. This, on the other hand, is true device management. Think of it as Group Policy light if you like (and eventually, I think it will eclipse GP).
It’s great that Microsoft is introducing some additional features, but many of these are already available with Office 365. You can already join a device to Azure AD, simply using any flavor of Office 365, without purchasing any additional licenses.
I was really hoping you were going to tell me that they added some type of Group Policy or additional Active Directory “light” features, but it doesn’t sound like there is much to this yet. Some of those additional configuration items are great features, but not sure they are worth the additional $$.
Yes, you could register a Win 10 Pro device against Azure AD with Office 365. But NO, you could not previously join the device fully, and manage it like you can with this subscription.
E.g. Wipe the Windows 10 device, deploy Office remotely, control certain security policies (Defender settings, screen lock, etc.). Now you did previously have MDM (for mobile devices only), but not Windows 10 Pro management or application management. So this really is starting to look like Group Policy light, IMO (very light right now, I’ll hand you that). Also, it is pretty clear already that GP is going to be replaced by this Device Management stuff eventually. I should highlight the other pieces that are coming with this subscription in another article perhaps. There is more to the extra cost than just this, it’s just that the Azure AD join piece is my favorite part.
You mention MSPs, which commonly rely upon agents such as SolarWinds, LabTech and Kaseya. I work for an MSP, and there is no way we’re going to abandon monitoring and management agents any time soon. Do you know if you can deploy these agents with Microsoft 365? I know you can deploy certain MSI packages with Intune, but I haven’t had a chance to test this and I’m not sure how this interacts or ties in with MDM/Intune.
Yes, it is not an included feature (yet). I would love to see it though. So far, just the ability to deploy Office, but nothing else.
Can they combine with SCCM or logon scripts?
You can still publish an app on the business portal with Azure, as far as I am aware, or just put the script in a share and tell the users to run it as soon as their computers are launched and deployed?
PS: Alex, you missed one point I like very much about Microsoft 365: you can pre-configure the machine in the domain with a call to the reseller with a specific AD. The client doesn’t have to add the computer to the domain; it’ll be done automatically OOB. The users will just need to connect with their Microsoft 365 account (preconfigured by IT services), let the internet connection and automated deployment do the rest… and “voila”!
Firstly, thanks for the great articles on Windows Server Essentials. I do IT support part-time for some small businesses in the UK, and the move towards removing the need for on-premise servers has intrigued me, and to find out it may be on its way with MS 365 Business was very interesting.
Anyway, one aspect of supporting small businesses with single, on premise servers running either 2012 or 2016 Essentials is the apparent lack of an affordable service which would allow a replicated server located in the cloud to be switched on (either as a hot or cold standby) temporarily if the on-premise server was to fail. I say “lack of” because I am aware that various options do exist but they seem to require the purchase of additional Server hardware/ licences / CALS which make it an expensive option when it may never be used. Anything out there currently seems to require / be aimed at covering multiple on-premise servers which most small businesses do not have or require.
Maybe Microsoft 365 Business is a step in the direction of providing such a facility?
Yes, I think the less that small businesses have to “build” their IT on servers in house, and the more they can move toward simply consuming/buying the services, is probably going to be good for them–because they don’t want to be in the datacenter business, if they can avoid it. It is surprising that a number of small business problems still come back to having some kind of server-based component, but those will continue to become fewer and further between. Azure Site Recovery might be worth looking at, however–it should not require you to own an additional license. Running a VM in Azure will usually include the licensing, and it is possible to “BYO” license also, saving on the runtime costs.
Can you leverage user and group membership in the same manner as on a traditional AD server? Or does that still require an on site AD server?
Nothing is exactly the “same” as the on-premises server. SharePoint permissions for example can be managed a bit differently. But, in general there are still groups in Office 365 of various types, including security groups (and Distribution, and Dynamic Distribution and Mail-enabled security groups, etc.). It is possible to assign permissions to certain resources or features by group.
Now, after COVID-19 showed that WFH is here to stay, this is even more relevant. I would be very interested to revisit the topic and check on the updates. For many companies, this could become the new standard. That will save CapEx and reduce infrastructure expenses.