Identity Phase

In the Identity phase of a deployment, administrators create the Azure AD accounts that will be needed for users to access Microsoft cloud services and applications. These accounts can be for the organization’s internal users or for partners, vendors, and consultants outside the organization. For organizations without an on-premises infrastructure or for users who only require cloud services, administrators can create accounts directly in Azure AD. If the organization has an internal infrastructure based on Active Directory Domain Services, the administrators can synchronize the existing AD DS accounts to Azure AD.

Administrators should also plan how they will group users and how they will use Microsoft 365 groups for administration. For example, Microsoft 365 supports group-based licensing, in which members of a group are automatically assigned licenses for specific products and lose them when they leave the group. As with AD DS, permissions can be assigned to groups rather than to individual users, giving the members access to SharePoint team sites and other resources. Azure AD also supports dynamic group membership, in which user accounts whose attributes match a rule, such as a department or country name, are added to (and removed from) the group automatically; dynamic membership requires Azure AD Premium P1 licensing.
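The two mechanisms described above, combined in one script as an added example (not from the original text): a dynamic security group driven by the user's Department attribute, followed by group-based licensing attached to that group. The department value, group and mail nickname, and the SKU part number (SPE_E3, Microsoft 365 E3) are assumptions for illustration; the script assumes the Microsoft Graph PowerShell SDK and the scopes named in the comment.

```powershell
# Added example: dynamic group + group-based licensing with Microsoft Graph PowerShell.
# Assumes the Microsoft.Graph.Groups, Microsoft.Graph.Users and
# Microsoft.Graph.Identity.DirectoryManagement modules and an account that can
# consent to Group.ReadWrite.All, Organization.Read.All and User.Read.All.
# Dynamic membership requires Azure AD Premium P1.
Connect-MgGraph -Scopes 'Group.ReadWrite.All', 'Organization.Read.All', 'User.Read.All'

# 1. Dynamic security group: every enabled user whose Department is "Sales" (assumed value).
#    Disabled accounts drop out of the group, and therefore lose the license, automatically.
$rule = '(user.department -eq "Sales") -and (user.accountEnabled -eq true)'
$group = New-MgGroup -DisplayName 'Sales Staff' `
    -MailEnabled:$false -SecurityEnabled -MailNickname 'salesstaff' `
    -GroupTypes @('DynamicMembership') `
    -MembershipRule $rule -MembershipRuleProcessingState 'On'

# 2. Resolve the license SKU to assign. SPE_E3 is the part number for Microsoft 365 E3 (assumed choice).
$sku = Get-MgSubscribedSku | Where-Object SkuPartNumber -eq 'SPE_E3'
if (-not $sku) { throw 'SKU SPE_E3 is not present in this tenant' }
if ($sku.ConsumedUnits -ge $sku.PrepaidUnits.Enabled) {
    Write-Warning 'No free licenses: new members will get a licensing error until seats are added'
}

# 3. Group-based licensing: members inherit the license; leaving the group removes it
#    on the next processing cycle.
Set-MgGroupLicense -GroupId $group.Id `
    -AddLicenses @(@{ SkuId = $sku.SkuId }) -RemoveLicenses @()

# 4. Verification: licensing problems are recorded per user, so check each member
#    for an error state (for example, a service-plan conflict or no seats left).
Get-MgGroupMember -GroupId $group.Id -All |
    ForEach-Object { Get-MgUser -UserId $_.Id -Property DisplayName, LicenseAssignmentStates } |
    Where-Object { $_.LicenseAssignmentStates | Where-Object Error } |
    Select-Object DisplayName, @{ n = 'Error'; e = { ($_.LicenseAssignmentStates | Where-Object Error).Error } }
```

Dynamic membership rules are evaluated asynchronously, so the verification step may return nothing for several minutes after the group is created; rerun it once the group's membership has been populated.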

In this phase, administrators also configure protection for administrative accounts. Global administrator accounts, the most privileged in Microsoft 365, should be configured with the strongest passwords that are practical and must also use multifactor authentication (MFA). In addition to the password, MFA can call for a biometric attribute, such as a fingerprint, or a verification code generated by or sent to a smartphone. Other administrator accounts, such as those for specific services, should receive the same MFA protection, and standard user accounts benefit from it as well. Administrators should also keep at least one emergency access (break-glass) account that is excluded from these policies and stored securely, so that an MFA or Conditional Access misconfiguration cannot lock every administrator out of the tenant.
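One way to enforce the MFA requirement for privileged roles, as an added example that is not from the original text: a Conditional Access policy created with Microsoft Graph PowerShell that requires MFA for every sign-in by members of the Global Administrator and a few other administrator roles. The policy name, the list of roles and the break-glass account UPN are assumptions; the script assumes Azure AD Premium P1 (required for Conditional Access) and the scopes named in the comment. The policy is created in report-only state so its effect can be reviewed in the sign-in logs before it is enforced.

```powershell
# Added example: Conditional Access policy requiring MFA for privileged directory roles.
# Assumes Microsoft Graph PowerShell (Microsoft.Graph.Identity.SignIns,
# Microsoft.Graph.Identity.DirectoryManagement, Microsoft.Graph.Users) and consent to
# Policy.ReadWrite.ConditionalAccess, Directory.Read.All and User.Read.All.
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Directory.Read.All', 'User.Read.All'

# Resolve role template IDs by display name rather than hard-coding GUIDs (assumed role list).
$roleNames = 'Global Administrator', 'Security Administrator',
             'Exchange Administrator', 'SharePoint Administrator', 'Conditional Access Administrator'
$roleIds = Get-MgDirectoryRoleTemplate |
    Where-Object { $_.DisplayName -in $roleNames } |
    Select-Object -ExpandProperty Id
if ($roleIds.Count -ne $roleNames.Count) { throw 'One or more role templates were not found' }

# The emergency access account is excluded so an MFA outage cannot lock out the tenant (assumed UPN).
$breakGlass = (Get-MgUser -UserId 'breakglass@contoso.onmicrosoft.com').Id

$policy = @{
    DisplayName   = 'CA001: Require MFA for privileged roles'
    # Report-only first: sign-ins are evaluated and logged but not blocked.
    State         = 'enabledForReportingButNotEnforced'
    Conditions    = @{
        Users          = @{ IncludeRoles = $roleIds; ExcludeUsers = @($breakGlass) }
        Applications   = @{ IncludeApplications = @('All') }   # every app, not just the portals
        ClientAppTypes = @('all')
    }
    GrantControls = @{ Operator = 'OR'; BuiltInControls = @('mfa') }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
$created | Select-Object Id, DisplayName, State

# Once the report-only results look right, enforce it:
# Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id -State 'enabled'
```

Including all applications and all client app types matters: a policy that covers only the admin portals still lets a stolen password sign in to Exchange Online or Graph without MFA.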

When an organization has an existing AD DS infrastructure, administrators could create duplicate accounts in Azure AD, but they would then have to make every future change manually in both directories. A more streamlined solution is to create hybrid accounts: AD DS accounts that are synchronized to Azure AD accounts by a tool called Azure AD Connect. Running on an internal server, Azure AD Connect polls AD DS for changes to accounts and groups (every 30 minutes by default) and replicates them to Azure AD, as shown in Figure 2-60. Synchronization is one-way for most attributes, so changes to a synchronized account must be made in AD DS, not in Azure AD.

FIGURE 2-60 Azure AD Connect hybrid account maintenance
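The synchronization cycle shown in Figure 2-60, checked from both ends, as an added example that is not from the original text: the first part runs on the Azure AD Connect server and uses the ADSync module that is installed with the tool; the second part uses Microsoft Graph PowerShell to confirm that the tenant reports a recent sync. The 60-minute staleness threshold and the Graph scope are assumptions.

```powershell
# Added example: inspect the Azure AD Connect scheduler, force a delta sync after an
# AD DS change, and verify the result from the cloud side. Part 1 assumes the ADSync
# module on the Azure AD Connect server; part 2 assumes Microsoft Graph PowerShell
# with Organization.Read.All.
Import-Module ADSync

# --- Part 1: on the Azure AD Connect server ---
$sched = Get-ADSyncScheduler
"Sync cycle enabled : $($sched.SyncCycleEnabled)"
"Effective interval : $($sched.CurrentlyEffectiveSyncCycleInterval)"   # 00:30:00 by default
"Next cycle (UTC)   : $($sched.NextSyncCycleStartTimeInUTC)"
"Staging mode       : $($sched.StagingModeEnabled)"                    # a staging server never exports

if ($sched.SyncCycleInProgress) { throw 'A sync cycle is already in progress; try again later' }

# Delta = only objects changed since the last cycle. Use -PolicyType Initial for a full re-import.
Start-ADSyncSyncCycle -PolicyType Delta

# Wait until no connector is running, then fall through to verification.
do {
    Start-Sleep -Seconds 10
    $running = Get-ADSyncConnectorRunStatus
} while ($running)

# --- Part 2: from any workstation with Graph PowerShell ---
Connect-MgGraph -Scopes 'Organization.Read.All'
$org = Get-MgOrganization -Property OnPremisesSyncEnabled, OnPremisesLastSyncDateTime
if (-not $org.OnPremisesSyncEnabled) { throw 'Directory synchronization is not enabled on this tenant' }

$age = (Get-Date).ToUniversalTime() - $org.OnPremisesLastSyncDateTime
if ($age.TotalMinutes -gt 60) {
    Write-Warning "Last on-premises sync was $([int]$age.TotalMinutes) minutes ago; check the connector and the server's connectivity"
} else {
    "Last on-premises sync completed $([int]$age.TotalMinutes) minutes ago"
}
```

A staging-mode server imports and synchronizes but never exports, which is why the script prints StagingModeEnabled: a delta cycle on a staging server will complete successfully without changing anything in Azure AD.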

Windows Deployment Phase

The process of deploying Windows 10 or 11 Enterprise varies depending on the current state of the network and the tools administrators use to manage the workstations. For an enterprise with workstations already running Windows 7 or Windows 8.1, it is possible to perform an in-place upgrade to Windows 10 Enterprise and automate the process with a Microsoft Configuration Manager task sequence. An in-place upgrade to Windows 11 requires a device that is already running Windows 10 and that meets the Windows 11 hardware requirements, such as TPM 2.0 and UEFI with Secure Boot.

Administrators can use Windows Autopilot to customize the configuration of new Windows workstations, including changing the Windows 10 or 11 edition from Pro to Enterprise, which happens through subscription activation when a user who has been assigned a Windows Enterprise license signs in.

To begin the process, administrators must first configure Autopilot by creating a deployment profile and registering the workstations to be deployed. Registration means uploading each device's hardware hash to the Autopilot service, either by the OEM or reseller at purchase time or by the administrators themselves. The profile can modify the Out of Box Experience (OOBE) with company branding and other installation settings and configure enrollment of the workstations in Microsoft Intune. As noted earlier in this chapter, once Autopilot is properly configured, workstation users only have to sign in with their Microsoft 365 account credentials, and Autopilot completes the rest of the deployment process.
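The Autopilot setup procedure above, carried through end to end as an added example that is not from the original text: capturing a device's hardware hash for registration, creating an Azure AD-joined deployment profile that customizes OOBE, and assigning the profile to a device group. The profile name, device naming template, group name and output path are assumptions; the script assumes Microsoft Graph PowerShell with the scopes named in the comment and the Get-WindowsAutopilotInfo script from the PowerShell Gallery.

```powershell
# Added example: Windows Autopilot registration, profile creation and assignment.
# Assumes Microsoft Graph PowerShell (Microsoft.Graph.Authentication, Microsoft.Graph.Groups)
# with consent to DeviceManagementServiceConfig.ReadWrite.All and Group.Read.All.

# 1. On the device being registered (elevated prompt): export the hardware hash to a CSV.
#    The CSV is then uploaded in the Intune admin center under Windows enrollment > Devices,
#    which is the "registering the workstations" step.
Install-Script -Name Get-WindowsAutopilotInfo -Force
Get-WindowsAutopilotInfo -OutputFile 'C:\Temp\AutopilotHWID.csv'   # assumed path

# 2. From the admin workstation: create the deployment profile through the Graph API.
Connect-MgGraph -Scopes 'DeviceManagementServiceConfig.ReadWrite.All', 'Group.Read.All'

$profileBody = @{
    '@odata.type'              = '#microsoft.graph.azureADWindowsAutopilotDeploymentProfile'
    displayName                = 'Corp-AADJ-Standard'                 # assumed name
    description                = 'Azure AD join, user-driven, standard user'
    language                   = 'os-default'
    extractHardwareHash        = $true        # devices deployed with this profile are registered automatically
    deviceNameTemplate         = 'CORP-%SERIAL%'                      # assumed naming convention
    outOfBoxExperienceSettings = @{
        hidePrivacySettings       = $true
        hideEULA                  = $true
        userType                  = 'standard'     # the enrolling user is NOT made a local administrator
        deviceUsageType           = 'singleUser'
        skipKeyboardSelectionPage = $true
        hideEscapeLink            = $true          # no way to skip Azure AD join during OOBE
    }
}
$apProfile = Invoke-MgGraphRequest -Method POST `
    -Uri 'https://graph.microsoft.com/v1.0/deviceManagement/windowsAutopilotDeploymentProfiles' `
    -Body $profileBody
"Created profile $($apProfile.displayName) ($($apProfile.id))"

# 3. Assign the profile to the group that contains the registered Autopilot devices (assumed group name).
$grp = Get-MgGroup -Filter "displayName eq 'Autopilot-Corp-Devices'"
if (-not $grp) { throw 'Device group not found; create it before assigning the profile' }

$assignBody = @{
    target = @{ '@odata.type' = '#microsoft.graph.groupAssignmentTarget'; groupId = $grp.Id }
}
Invoke-MgGraphRequest -Method POST `
    -Uri "https://graph.microsoft.com/v1.0/deviceManagement/windowsAutopilotDeploymentProfiles/$($apProfile.id)/assignments" `
    -Body $assignBody
```

The two OOBE settings that matter most for security are userType, which keeps the enrolling user out of the local Administrators group, and hideEscapeLink, which prevents someone at the keyboard from bypassing the Azure AD join and setting the device up with a local account instead.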
