Getting to Know the Enterprise Mobility Suite (Part 2)

Introduction

In Part 1 of this series, we talked about how EMS – Microsoft’s new comprehensive device management solution – offers organizations a more mobile, cloud-centric way of doing business. We discussed the components of EMS: Microsoft Active Directory Premium, Microsoft Intune and Microsoft Azure Rights Management, and we provided an overview of what each one is and does and how it fits into the solution.

Deploying Azure AD Premium

Azure AD provides your organization with an Active Directory that lives in the cloud and offers the same services that your on-premises Active Directory does. In fact, you can sync your on-premises AD with Azure AD and even set up a federated trust between the AD that runs on your local domain controllers and the AD that runs on the Azure DCs.

Office 365 and some of Microsoft’s other cloud services work with Azure AD. The user account that you use to sign into Office 365 is an Azure AD account. Each organization that has an Office 365 account has an Azure AD that is set up for it. The administrator of the Office 365 account can add users to its AD, manage their passwords, assign roles and set permissions for them, as a domain admin does for users through the local AD. Users get single sign-on (SSO) across all of the Office 365 applications through their Azure AD accounts. Note that the Azure AD included with Office 365 does not have to be purchased or deployed separately; it’s part of the Office 365 subscription.

So what else can you do with Azure AD? You can extend your existing on-premises Active Directory into the cloud by synchronizing it with the Azure AD using the DirSync tool. This allows Active Directory to work in a hybrid cloud environment so that you can use cloud-based applications and services without affecting the user experience for accessing on-premises resources. When you set up a federated trust between the two directories and use Active Directory Federation Services (AD FS), the user accounts are still created and managed via your on-premises domain controllers.

Although the Azure AD can easily integrate with your on-premises AD, the two are not identical; that is, Azure AD isn’t just a Windows Server AD that’s running on a machine in the cloud. Microsoft made a number of changes to ensure that Azure AD would be more scalable and highly available. Azure AD was redesigned to be able to connect to many external applications that are managed by third parties, and the new directory graph interface allows developers to create applications that integrate with Azure AD. Azure AD was designed early in its existence to integrate with the Microsoft account service, Google, Yahoo and Facebook.

If you’re familiar with cloud services and multi-tenancy, you already know that it’s an architectural term that is used to describe one software application or service that is used by multiple customers, but with each instance isolated from the others. The tenant is the group of users that share access.

The first step in deploying Azure AD is to access a tenant, which in the context of Azure AD refers to your company’s dedicated instance of the Active Directory that you get when you subscribe to Azure, Office 365, Intune, etc. and is of course one of the three components of Microsoft Enterprise Mobility Suite. The tenant is where all of your users’ information (such as their user names, passwords, profile information and access permissions) is stored. Users within a tenant can access the applications that are registered and published there.

You’ll need to assign licenses to your users when you add them to the directory. If it’s your first time purchasing a license plan, you may need to activate the license plan by following the instructions in the email that you receive after the purchase of the first license plan. This will involve completing a profile to sign up for Microsoft Online Services.

You get another email message after the licenses have been provisioned to your Active Directory. If you already have an Azure account, go to the management portal and sign in. If not, you’ll need to go through the link in the email or the Access to Azure Active Directory activation page. This will walk you through the necessary steps to access your directory.

You’ll be asked to provide a mobile phone number to be used for multi-factor authentication. You can choose to have Azure send you a text message or call you to validate the phone number. The access will then be activated and you can go to the management portal to configure and manage your Azure AD.

Now you’ll need to assign each of the users in your organization a license for them to use the Premium features of Azure AD. This is done by signing into the portal as a global admin, selecting Active Directory and the directory in which you want to assign licenses to users, and then selecting the Licenses tab. Here you select Enterprise Mobility Suite and click Assign. You can select multiple users by checkmarking them. Now you’re ready to use AD Premium.
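The same license assignment can be scripted, which leaves a repeatable record of who received a license. The following is an added example, not part of the original article; it assumes the MSOnline PowerShell module is installed, that the EMS subscription appears with the SKU part number EMS (confirm against the output of Get-MsolAccountSku), and the user names and usage location are constructed placeholders.

```powershell
# Added example: assign the EMS license to a list of users.
# Assumptions: MSOnline module installed; SKU part number 'EMS';
# the UPNs and the usage location below are constructed placeholders.
Import-Module MSOnline
Connect-MsolService   # sign in with a global admin account

$skuPartNumber = 'EMS'
$usageLocation = 'US'
$upns = @('alice@contoso.example', 'bob@contoso.example')

# Look the SKU up in the tenant instead of hard-coding "<tenant>:EMS".
$sku = Get-MsolAccountSku | Where-Object { $_.SkuPartNumber -eq $skuPartNumber }
if (-not $sku) { throw "No '$skuPartNumber' subscription found in this tenant." }

# Stop before a partial rollout if there are not enough free licenses.
$free = $sku.ActiveUnits - $sku.ConsumedUnits
if ($upns.Count -gt $free) {
    throw "Only $free licenses are free, but $($upns.Count) were requested."
}

foreach ($upn in $upns) {
    $user = Get-MsolUser -UserPrincipalName $upn -ErrorAction Stop

    # Skip users who already hold the license so the script can be re-run.
    if ($user.Licenses.AccountSkuId -contains $sku.AccountSkuId) {
        Write-Output "$upn already licensed"
        continue
    }

    # A usage location must be set before a license can be assigned.
    if (-not $user.UsageLocation) {
        Set-MsolUser -UserPrincipalName $upn -UsageLocation $usageLocation
    }

    Set-MsolUserLicense -UserPrincipalName $upn -AddLicenses $sku.AccountSkuId
    Write-Output "$upn licensed with $($sku.AccountSkuId)"
}
```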

Deploying Microsoft Intune

Intune is Microsoft’s solution for cloud-based mobile device management (MDM) and computer management, combined in one service. Intune uses the Azure AD, which houses users’ accounts and account information, as do other Microsoft services. Not only can you manage Windows devices with Intune, but also iOS and Android mobile devices. It is configured and managed through a web portal.

Intune can also be integrated with Configuration Manager. If you go this route, you will have to manage mobile devices from the Configuration Manager console rather than through Intune’s management portal. There are advantages and disadvantages to integrating with Configuration Manager. We will assume here that you are deploying Intune as a standalone solution rather than integrating with Configuration Manager.

Your first step is to sign into Intune with your company account and then set Intune to be your mobile device management authority. Only one management service can be set to be the authority. To set Intune as the MDM authority, in the console go to Admin and then Mobile Device Management, and in the Tasks list, click Set Mobile Device Management Authority and check the box for Microsoft Intune, then click Yes.

Next you have to enable mobile device enrollment for whichever operating systems run on the devices that your users will be using. You can set up Windows computers, Windows Phone OS, Android and iOS devices. Many of the steps are the same, but they do differ depending on the OS. We’re going to look at how to set up Windows computers and I’ll provide links for setting up enrollment for other operating systems.

You might want to set up a DNS alias for the address of the enrollment server to make it easier for users to enroll their devices, but this is optional. To do this, you verify and create a DNS CNAME. You also might or might not want to enable sideloading of apps (installing apps from sources other than the Windows Store).

Before any devices can be enrolled, you have to add users to Intune. This is done through the Add Users option in the Intune management portal. You can add one user at a time or you can do a bulk add, by creating a comma separated values (.csv) file and importing it. You can also use the DirSync tool to sync your on-premises Active Directory with the Azure AD.

You then have several options. You can create groups if you want, add policies for devices to control their features, and set a limit on how many devices each user can enroll through the Enrollment Rules in the MDM Management area of the admin portal. You can also customize the portal with your company’s name and other information such as the contact information for the IT department, the organization’s privacy statement, web site name and so forth. You can publish terms and conditions to which your users have to agree when they initially sign into the company portal.

Now users can enroll their own devices through the company portal web site or company portal app, and you can enroll corporate devices using the Device Enrollment Manager that’s in Intune. After the devices are enrolled, you will be able to leverage Intune’s features to get device inventory information, deploy apps to mobile devices, manage the settings and features on devices, control access to your organization’s resources and use remote wipe and remote lock to protect the devices and the company network if a device is lost, stolen or the user leaves the company.

Summary

In this, Part 2 of our article series about getting to know Microsoft Enterprise Mobility Suite, we went more into specifics of how to deploy the first two of its three services: Azure Active Directory and Microsoft Intune. We’ll wrap up the series in Part 3 with a look at how to deploy Microsoft Azure Rights Management.