Meet Microsoft 365 Business: The new Small Business Server(less) Solution
By Alex Fields
I’ve been waiting for this moment for a long time. And I can’t tell you how happy I am that it is finally here. Today we’re going to talk about Microsoft 365 Business (not Office 365).
Actually, I’ve been sitting on it for a while, because I wasn’t sure if it was really “ready.” Now, I have to say this, because most businesses (small or large) do not like being the early adopters. Most of us want to belong to the “middle” or “later-middle” of the adoption bell curve: neither too early nor too late to the game. Too early and you’re going to be the “lucky” ones discovering all the new challenges, gotchas and sometimes even bugs that haven’t been worked out of the system yet. On the other hand, if you’re too late, then your competition has long ago passed you by, and there is risk in that also. So there tends to be this herd mentality, which is only natural for social creatures like us.
Full disclosure: I have no idea how widely this product has been adopted. It’s only been around for a few months at this point, but the thing is, I can’t imagine that this product will do anything but grow. Microsoft has made it clear at their conferences and in their marketing/publications, that the old on-premises Windows Server-based Active Directory deployments are going the way of the Dinosaur–they will simply cease to exist, eventually. How quickly that unfolds is anybody’s guess. But it makes sense.
The Setup: A quick history lesson
Let’s review: for more than a decade, Microsoft solved a lot of Small Business problems with the technologies that were packaged in Windows Small Business Server (SBS), and later in Windows Server Essentials or Standard Edition after the sun set on SBS (by which point most folks were leaping into Office 365). The original bundle of old included:
Active Directory: This technology provided a security boundary for the organization–a place to manage and store information about users & computers, and apply policies from a centralized management interface.
File sharing: The first thing that almost every small business does as soon as they set up a new Small Business Server with user accounts? Start sharing files, of course! This usually meant mapping network-based drives to file shares so that users could see a common file structure and collaborate on documents together. Printers can also be shared in much the same way.
Exchange / Email: Probably the second thing an organization consumed from this product was Exchange server–a slick way to have corporate email with calendar & contact sharing, built-in, and all tied to your domain name, no less.
VPN and/or Remote Desktop: If you are remote from your place of work, you might find that you still need to get at those shared resources sitting back at the office. Drive back in to pull a late night? Hell no! Windows server could enable a VPN and/or a Remote Desktop session, so that you could do your work, even without physically being at your workplace.
SharePoint: Take collaboration and remote access to the next level, with web-based intranet and document sharing, and built-in version control!
Group Policy: This is more on the IT/administrative side, but say you want to make a setting or security change for your users. Instead of going around to PCs individually, you can use GPOs to assign (and enforce) those changes instead. Now you can be sure that the settings aren’t being changed without your approval, and of course you can do it once (instead of once for every person).
And there were other features, but those are the main ones, right? Today, surely most of the important items above can be solved with Office 365–after all, both Exchange and SharePoint come in online flavors, and file sharing is more robust there than it ever was on-premises. And typically the VPN/Remote Desktop bits were only used to get access to these items that were otherwise impossible to reach. But in the cloud that is no longer the case–your file sharing can be done from anywhere with an internet connection. “What the hell is VPN?” Your kids will ask. Most other apps now come in a cloudy flavor too, so accounting software, CRM, ERP systems of all types can be consumed without this other premises-based infrastructure to support it.
Even so, I have previously written about how challenging it can be to completely ditch on-premises Active Directory, using only Office 365. The reason is because nobody, it seems, had produced a “cloudy” product which would solve for the management and security aspects that were previously handled in a robust system such as Active Directory. As though Microsoft were reading my thoughts, they announced Microsoft 365 Business (and of course, there are Enterprise varieties available as well).
Microsoft 365 Business = Serverless Active Directory + Office 365
Do you remember the days of migrating people from Novell Networks to Microsoft? Not all of us are that old, and truth be told neither am I, but nevertheless I have come across it, even during my working career. Well Microsoft didn’t want to become the new Novell, so they are in effect replacing themselves before someone else does. And Microsoft 365 is how they are doing it.
I’m only going to discuss Microsoft 365 Business for now, not the Enterprise versions (which have a few more bells and whistles built-in). Quickly on this topic however, let me just say that Microsoft 365 Business comes with Office 365 Business Premium licensing built-in, whereas the E3 variety includes (you guessed it) Office 365 E3. Make sense?
Okay, so most small businesses will probably do just fine with the “Microsoft 365 Business” tier, which currently retails for $20.00/user/month USD (this compares to $12.50/user/month USD for Office 365 Business Premium). For the extra money, you are getting some pretty bad-ass security and management features, and the idea is that you start using these new tools to manage your devices, retiring the use of Active Directory and Group Policy.
I’ll give you a quick run-down.
Don’t join the on-premises Active Directory, instead join computers to Azure Active Directory (your tenant in the Microsoft cloud runs all of its user accounts off of this already). Update: you should know that it is indeed supported to run this subscription with a Hybrid-Join scenario also, for those still in transition.
Now you will have a policy, or set of policies, which control certain settings and behaviors on these devices (Android, iOS and Windows 10 Pro). From the front page of the 365 Admin portal, there will be a big Setup button after you purchase this subscription. Click on Setup to start the configuration steps below. You can expand these and manipulate the options as shown (or to your liking).
From here, you can force users to save files only to “work locations” such as OneDrive for Business and SharePoint (note: you can sync SharePoint libraries using the OneDrive client also), and make it encrypted (so lost/stolen devices are protected). Not only that, but you can actually remove work content from devices as well. You can have it automatically expire and remove itself, and of course, as an admin you can remotely wipe corporate content, or just trigger a full wipe/factory reset. This applies not only to mobile devices, but also to those Windows 10 Pro computers you manage.
Another pretty amazing capability is restricting copy/paste from Office apps to other, personal apps (on mobile devices). Now in practice, I don’t know how many small businesses I work with would really want or request that. Still pretty cool, though. I’ll see how folks start reacting to this feature, and maybe report back.
And of course we have Office deployment: you can automate it (Creators Update or later required) with this little setting right here:
Hopefully we see this continue to develop and expand to include other apps. Now, expanding the heading above that, Secure Windows 10 devices, you can see some familiar favorites like enforcing an automatic screen lock, which is a good way to meet a number of controls in various compliance bodies and standards.
Now the above accounts for all the setup screens, but of course, you can go back and edit your selections at any time from the admin portal, under Devices > Policies.
And that’s about it.
Joining a Windows 10 Pro device to Microsoft Azure AD
Note: This requires the Fall Creators Update or later.
Make sure your computer is disjoined from any on-premises Active Directory first. Then proceed with the steps below.
Go to Settings > Accounts > Access work or school. Click on Connect.
Do not fly past this screen. In fact, you don’t have to type in an email address here. Instead, you will choose Join this device to Azure Active Directory under Alternate actions. If you don’t see this option, make sure you have the Fall Creators Update, and that you are not joined to an on-premises Active Directory already.
Now you can sign in with your corporate / Azure / 365 credentials. Note that the user account used to sign in to the device is the identity that will be tied to the device in Azure AD. So you should join each device as its own user. This means the solution is best for environments without shared PCs, where each user typically uses their own device(s). A shared PC, as of today, is best handled with a “generic” or shared login (and you’d have to own a license for that login), e.g. “Conference Room PC” could be its own licensed user: [email protected].
After you have signed in and confirmed, you can switch accounts on the computer.
Now sign in using the corporate identity. If you return to this area in Settings, you will see that the device is now joined, with all the benefits, such as single sign-on (with Edge or IE, browse to a website like https://portal.office.com and watch how it magically signs you in without needing to provide a password).
From the admin portal, under Devices > Manage, you will find that the device is also presented here.
If we click on this new device (type: Pro), we have the option to Remove the company data, or Factory reset the whole device.
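As an added example (not from the original post), a small PowerShell check that parses the output of the built-in `dsregcmd /status` tool to confirm the device is Azure AD joined and not still domain-joined, which is the precondition the steps above require; the sample output is constructed and the function and field names `Get-DeviceJoinState` / `ReadyToAzureAdJoin` are my own.

```powershell
# Reads the "Name : Value" lines that dsregcmd /status prints (AzureAdJoined,
# DomainJoined, EnterpriseJoined, WorkplaceJoined) and reports the join state.
# WorkplaceJoined = YES means the device is only *registered* with Azure AD,
# which is not the same as being *joined* and gives no management leverage.
function Get-DeviceJoinState {
    param([Parameter(Mandatory)][string[]]$StatusText)

    $flags = @{}
    foreach ($line in $StatusText) {
        if ($line -match '^\s*(AzureAdJoined|DomainJoined|EnterpriseJoined|WorkplaceJoined)\s*:\s*(YES|NO)\s*$') {
            $flags[$Matches[1]] = ($Matches[2] -eq 'YES')
        }
    }

    $aad    = [bool]$flags['AzureAdJoined']
    $domain = [bool]$flags['DomainJoined']

    [pscustomobject]@{
        AzureAdJoined      = $aad
        DomainJoined       = $domain
        WorkplaceJoined    = [bool]$flags['WorkplaceJoined']   # registered only
        HybridJoined       = ($aad -and $domain)               # supported, per the post's update
        # Clean state for the "Join this device to Azure Active Directory" step:
        ReadyToAzureAdJoin = (-not $aad -and -not $domain)
    }
}

# Constructed sample output, abbreviated to the lines the parser cares about,
# so the example runs offline on any machine.
$sample = @'
+----------------------------------------------------------------------+
| Device State                                                         |
+----------------------------------------------------------------------+

             AzureAdJoined : YES
          EnterpriseJoined : NO
              DomainJoined : NO

+----------------------------------------------------------------------+
| User State                                                           |
+----------------------------------------------------------------------+

           WorkplaceJoined : NO
'@ -split "`r?`n"

# Prefer the real tool when it exists (Windows 10); fall back to the sample.
$text = if (Get-Command dsregcmd -ErrorAction SilentlyContinue) { & dsregcmd /status } else { $sample }
Get-DeviceJoinState -StatusText $text
```

On a freshly joined device the result should show AzureAdJoined true and DomainJoined false; a device that reports DomainJoined true needs to be disjoined (or treated as hybrid) before the steps above.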
The Managed Device
Check out your device system settings now. You no longer have Windows 10 Pro, but Windows 10 Business.
Furthermore, you can see that several settings are now “Managed by your Administrator” (meaning no one can change them except from the 365 admin portal).
And that is everything I have to show you (because that’s essentially all there is to it).
So, does this product solve for everything?
No. Of course not. See the conversation above. But that is where you come in, my friend. Because this still solves an awful lot, and what it doesn’t, perhaps you can supplement (or you can at least get engaged and provide MS with more feedback to keep developing it in the “right direction”). Most managed service providers would still want their own agents installed on these PCs, to manage them. But this allows you to have a common security boundary and identity management solution, without an on-premises server or the complexity of Directory Synchronization. I call that a win.
And no, it doesn’t do everything that Group Policy once did. Not yet (and maybe not ever). But it does some stuff that Group Policy never could do, too. So things are changing. I am sure I will have more to say about this product line in the future. I will include some other resources below as well, so you can check out more about it yourselves.
Kudos to Microsoft for granting yet another one of my long-standing wish-list items. I am excited to continue participating in this adventure, as it seems like the new device management stuff is really going to be the way of the future, while Group Policy and on-premises AD begins to fade into distant memories. Like Novell. It won’t happen overnight by any means. But I think it could happen more quickly in the small business, than the Enterprise… it just requires a little investment from us partners.
Aside: This is not the same as registering a Windows 10 device against Azure AD, which many people have been doing even with Office 365 subscriptions. That action gives you no real leverage over the device. This, on the other hand, is true device management. Think of it as Group Policy Lite if you like (and eventually, I think it will eclipse GP).