What a great time to be an IT pro. I mean really, who has it better than us? On any given day there is so much going on, so much to learn, so much to improve, I do really enjoy my job(s). As I think about how to open this blog post, it occurs to me that I’ve had some great opportunities in my career. Sort of a “as one door closes, another one opens” sort of thing.
I have spent most of my career as an “email guy”. I started as a Banyan Vines administrator, moved through numerous evolutions of the email concept, and now I find myself at a place where email is being deemphasized. I don’t mean to say email is “done”. I don’t by into that nonsense that Yammer, Slack, Teams, Skype, or any other alternative collaboration platform is ever going to replace what email. Email provides a platform that none of those others can replace. They can add-on and improve the overall enterprise collaboration experience, but I don’t see replace an option that will ever happen.
But I digress. This blog post is going to be about authentication. I’m coming to a point in my career where I think authentication is the frontier for learning and expanding my capabilities. I think authentication is the lynch pin of the new enterprise. I think authentication is where it all starts. In this blog post I want to take the space I have been given to talk about how I like to think about authentication as I start a new migration project. I’m going to talk about the things I like to think about, and the things I think it’s important for my customers to think about as they enter a Microsoft centered project. This isn’t going to be a technical blog post showing you where to click to make a cool new feature work.
I handle several different project types these days. Exchange migration projects are still a significant part of overall workload, but I find more and more the actual mailbox migration portion of those projects is less and less an area of concern for me and my customers.
The process of moving mailboxes into and around within Exchange Online has become close to rote at this point. In my experience the work that needs to be done is around how to secure that data within Office 365 while ensuring that the end-users who need to access that data can do so quickly and easily.
For me, all these projects need to start with the source of authority for user accounts. Most enterprise organizations have multiple layers of authentication and user management tools now. There are many different places that an IT staff can end up managing user accounts, and in my some-what-less-than-humble-opinion it’s important to identify and codify a single source of authority as the center of every enterprise’s authentication strategy.
For most enterprise organizations that single source of authority needs to be Active Directory. Deploying and maintaining a strong, healthy, well-organized Active Directory is a vital step that is surprisingly easy to overlook. The great strength of Active Directory is that it’s very easy and very flexible to configure and maintain. It’s also important to point out that strength is also Active Directory’s greatest weakness. Active Directory is so easy to deploy and so forgiving that it can be very easy to make a mess of your AD forest. I find it vitally important to take the time to review Active Directory and ensure it is in good working order. I know it can be a terrible hassle to ensure that everyone has all their phone numbers, addresses, offices, managers, and other information entered properly into Active Directory but as we expand our authentication options these “extra” bits of information can be important to making our end-user experience the best it can be.
Once we have a healthy and well-organized Active Directory, the next step is to define our requirements. Who should be able to access what data when, where, and on what devices? I find it best to encourage customers to give me a dream scenario with no consideration for what is possible. I find that limiting ourselves (me included) to what we “know” is possible with the current state of technology can lead us to overlooking new configurations and possibilities that have become available.
It’s hard to define this process in a way that works consistently. I like to just ask a series of questions about the different groups of users and how the customer sees the authentication management problems that group of users has being solved. Maybe the customer needs to ensure that only authorized devices are used to access organizational data. Maybe the customer needs to ensure that groups of users are only able to access data from specific locations. What ever the requirement I find it helpful to lay them out and get them documented early in the process. A good set of requirements can go a long way ensuring a project that everyone is happy with in the end.
Once the source of authority is established and clean, and the project requirements are clearly documented, we can start the actual work of designing a solution. For me, designing a good authentication solution is always about finding the tools that meet requirements laid out by the customer. Far too often I do projects where the tools have already been decided on before the project starts and I need to find a way to change the requirements to meet the options l we have in the pre-selected tools. I think the main problem is the sales cycle tends to focus on selling specific products and services to a specific budget. I understand sales cycles and budgets are important, but it’s also important to fit the tools to the organization’s requirements. I don’t have a solution for you, except to point out the problem and encourage you to keep it in mind.
This ended up being more of a blog post about the process of defining an authentication solution than a technical blog about how a new authentication solution works. I’m fine with that, and I think it’s important to consider the process before we consider the technical solutions.
Hopefully you’ve found something you can take away from this blog to make your next project go a bit more smoothly.
Monitor Your Hybrid - Office 365 Environment with ENow
ENow’s solution is like your own personal outage detector that pertains solely to your environment. ENow’s solution monitors all crucial components including your hybrid servers, the network, and Office 365 from a single pane of glass. Knowing immediately when a problem happens, where the fault lies, and why the issue has occurred, ensures that any outages are detected and solved as quickly as possible.