These days many clients are looking at hybrid networks to help solve data scaling. It also solves security and license control challenges. Hybrid networks give a company the ability to have users present in the cloud and on-premises. This ensures everyone can grab a license when needed. It also ensures the correct security policies are implemented. At the same time, it helps an organization make full use of Microsoft features. These offerings include Azure, which can run applications, firewalls, VMs, and instances in the cloud.
Imagine you manage 5000 users and all of them need to move to the cloud. Well, that’s not a problem, but doing things manually takes considerable time to do. Everything can be automated with PowerShell scripts. This includes creating users, groups, and assigning licenses. In this article I’ll cover all these processes so you can focus on other tasks.
First, let’s take a brief look at what Office 365 Active Directory (AD) integration is.
Office 365 Active Directory Integration
As an organization grows, it will eventually need Active Directory (AD) to store user data. AD servers can be local, remote or cloud based and provide various enterprise software with a user list. These lists include personal details, roles, groups and policies associated with each user. You can think of AD as a user management tool that stops the need to duplicate user data in each software needing user information.
In this article, I will talk about Office 365 using a company's AD solution to find users and define policies based on groups. Here we're assuming that your AD is onsite and you're considering migrating to a hybrid solution. This will Help with license persistence and accessibility.
1. Creating Security Groups in AD for Office 365 to utilize
It’s likely that you’ve already created AD security groups for Office 365 for your on-site AD already. If you haven't, here are a range of options that you can implement. These are subscription plans and provide different features for your enterprise users.
Office 365 Apps for Enterprise
This option provides you with cloud-based storage along with Office apps for your enterprise. It’s a useful all-round option but doesn’t include some of the niche options you may need to take advantage of.
Office 365 E1
Office 365 E1 provides email, file storage and enables you to share content between users. Office on the web along with conference calls and messaging tools are also included. This option doesn’t include Office apps and hence why it’s a lower price-point offering. This option has the potential to cost you more in terms of reduced productivity compared with other options. Also take a look at your existing Office app premiums and use-cases to see if using this option is beneficial to you.
Office 365 E3
Microsoft's pricing plans normally bundle value adding items in more expensive offerings. The premise is that once you have an option like Office 365 E3 or E5 then you don’t have future pain points changing to another option. Office 365 E3 provides you with all Office 365 apps and Office 365 E1. It also offers security and compliance that helps enable business to business dealings. For instance, if you work in an aerospace company that acts as a vendor in a supply-chain, you’ll need this to even be considered for tender. You can consider this as a de-facto industrial standard that all B2B companies need to conform to.
Office 365 E5
Office 365 offers everything that E3 provides security analytics. This can help you spot bad actors and threats more efficiently to help reduce the risk to your business. As cyberattacks are increasing, within the next 10 years you'll be at some point targeted by cybercriminals. Whether you buy into this or not, this option could be useful if you don’t utilize other 3rd party security analytics.
If you wish to use this functionality you can check out all the plans here. Setting security groups can be done either before or after the AD migration process. It’s up to you how you want to manage this adoption process.
Now you know what options you have for Office 365 AD integration for a hybrid solution, let’s take a look at how you assign licenses.
2. Assigning Licenses
The groups you create will have a license assigned to it in Office 365. Once you create a group you can assign a specific license for each application easily. This means you don’t need to buy everyone an E5 license. I suggest that you consider licenses and security based on whether the user is private or public and the security zone they operate in within the organization.
The process of adding and maintaining licenses is easy. Once you have added a user to a group, once the next sync happens, the user will get their licenses assigned to them. When working with Teams, it can take up to 24 hours to get a license assigned.
For Teams to work for the user and the administrator, you cannot run scripts or commands to assign international numbers etc. until the sync has completed. In some instances, the sync happens within 30 minutes.
Typically, sync delays will occur based on the type of backup and mirroring systems used, bandwidth or multi-site timezones impacting this process. Ensure you notify users how the process works. If you don’t they will blame you for the long wait: reduce ambiguity where possible!
Now you know how to handle licenses, let's turn our attention to how to automate user migration to the cloud.
Office 365 User Migration Automation
Now that you have an up and running Office 365 system with the correct licenses let’s look at migrating AD to the cloud. First you need a PowerShell script, so let’s take a look at what the script needs to do inorder for this automation process to be successful. Remember that it may be useful to program in custom error messages to ensure any runtime exceptions are caught.
What Your PowerShell Script Needs to Do
Here are the top-level steps a PowerShell script needs to complete:
- Create a user account in Active Directory
- Wait for replication before the next step
- Create a user Mailbox
- Wait for replication
- Assign the user to all the groups needed
- Assign a manager to a user, telephone number, department, etc.
Once the above has been completed, you’ll need to wait for:
- Active Directory Replication
- Azure ADConnect Sync to Office 365
- Office 365 sync (once the licenses have been assigned)
- Everything to update on the cloud
Office 365 MailBox
In the previous section, I mentioned creating a user mailbox. If you’re running Active Directory and Exchange 2013, Exchange 2016, or Exchange 2019 in split permission, you need to manually create everything due to permission requirements.
If you have the traditional setup, you can create the mailbox and the AD account will be created as well.
As you can see, automation with PowerShell can make life easy instead of logging into the portal to assign licenses to a user. You may need to login for one or two accounts that need additional items, however you’re still saving a lot of time!
Reversing the Automation Process
The same automation can work in reverse. When a user resigns, retires, or get’s canned, your script can go and remove them from all groups. This will free-up licenses from that user account. Once the account is deleted, it’s located in the dumpster for 30 days by default and purged completely after this time period.
Azure Steps to Migrate Users
Here are the steps in Azure AD to assign the licenses. This is based on the groups you created in Active Directory:
- Log in to https://portal.azure.com
- Click on Azure Active Directory on the left and then Groups on the next tab that appears
- Click on the Group name to open it
- Click on Licenses on the menu under Manage
- Click the ‘+’ button next to Assignments on the right-hand side
- Select what license you want to assign to the group
- Click Save at the bottom left
When you’ve finished assigning licenses you’ll need to wait for replication and wait for everything to be processed. Depending on your infrastructure, some organizations will find it quicker than others.
Hybrid enterprise solutions are now the norm for many businesses who wish to manage key data on-site while leveraging cloud-based accessibility. Connectivity for licenses with Office 365 being one of many solutions that can benefit from this change.
By selecting the right Office 365 licenses you can ensure your enterprise overheads are much lower than a shotgun approach.
Use PowerShell scripts to migrate users to help drastically speed up your productivity. Ensure you make a note of sync times and wait between each script step. You can use scripts to add or remove users from AD easily. The only reason you’ll need to login to the portal is to update additional information for some users.
No matter why you are migrating Office 365 users, always ensure you backup your system first. This includes the AD system and checking your output log files from dumps.
What is Office 365?
Microsoft released Office 365 as a subscription based office suite you can access through a web or application interface. The internet version has a few less features in general for all applications due to how the backend works. The web version can be useful if you’re not at your own computer and you need to work on a project. Share and modify Office documents in real-time; making it useful for team productivity. Both access routes require the user to log in with an assigned license. Office 365 has been recently rebranded to Microsoft 365.
What’s an active directory?
Active directory is hosted on its own tier or server. It stores a list of users and their details in groups similar to the organization using it. This enables administrators to apply security rules and licenses very easily over thousands of users. AD is useful for adding one or more enterprise solutions that need the same list for each application. If AD didn’t exist the administrator would need to duplicate efforts across platforms to maintain the system, allowing for errors to occur.
Why are hybrid solutions popular?
Hybrid solutions are where part of an organization is hosted in the cloud and the rest of it retained on-site. This is great to enable users to connect remotely and for licenses to persist when it’s impossible to get an on-site connection. This can be useful for global organizations or where VPNs cannot be used. Hybrid networks also help a company scale quickly and ensure data is updated across connected platforms. Economies of scale make cloud based data management much more economical, energy efficient and reduce on-site presence of onsite networks.
Why do licenses take time to sync?
When you add or remove a license for a user it takes time for this to propagate. Many reasons exist for this and the time can vary between organizations. Everything from data backup strategies, the location of multi-site organizations, and timezones can impact this time. In general, you can expect sync’s to occur between 15 minutes to 2 hours in most organizations for most software. Microsoft Teams can take 24 hours to sync changes.
How can users make the most of Office 365 and be more productive?
To help get the best out of Office 365, ensure you use a cloud based licensing strategy. If you have a site based AD that controls licensing it may be good to migrate user lists to the cloud. This will make it easier for a user to grab and retain a license when a VPN isn’t possible. Users will be able to also store and share documents online to further help team productivity.
TechGenix’s Microsoft 365 Security Article
Find out more about Microsoft 365 security in this article.
TechGenix’s Email Alias Article
Read how to add an email alias here for multisite and multi-enterprise solution environments.
TechGenix’s Office 365 Tips and Tricks Article
Make users efficient with this Office 365 tips and tricks article here.
TechGenix’s Altaro Backup Article
Read about how to backup Office 365 content in this article.
TechGenix’s Domain Improvements Article
Discover how to make Office 365 domain errors go away with this article.
Post Views: 115