
MS Ignite Day 3 Recap

They were right - the Ignite sessions went 300/400 level on Day 3 and didn't disappoint. There are a lot of things still to be decided, and a few teams don't appear to be talking to each other yet, but that's to be expected. In all, today was a varied day that covered Mobile Device Management, AMAZING new features and capabilities in Azure Active Directory and, just for fun (because it isn't at all my space), a new unified REST API for building applications against Outlook, Office 365 Outlook and Outlook.com. Here's a recap:

Azure AD Connect is the "new new to replace all the previous new" tool: it supersedes the string of earlier directory sync tools (DirSync, Azure AD Sync) that replaced each other in turn. The team has learned some painful lessons and, in an effort to provide a unified experience for connecting on-prem directories of all shapes and sizes to the cloud, the new AADC tool, currently in preview, shall rule them all! The session was incredible: it walked in intricate detail through the variety of scenarios that can be brought together in a single wizard (all built on top of PowerShell, for the not faint of heart), from a simple single forest up to complex multi-domain, multi-forest topologies with hardened attribute sync into AAD. The new wizard also takes care of past annoyances like installing and configuring ADFS and the ADFS proxies, which is a welcome respite. My other new favorite things:

  1. New guidance on password hash sync: it is now the default and the recommended sign-in option.
  2. Password writeback support enhanced so that passwords changed or reset in the cloud flow back to on-prem AD.
  3. Group writeback support (preview) to enable Office 365 Groups and coexistence with on-prem - note that it doesn't yet support distribution lists or mail-enabled security groups, but that is coming.
  4. User writeback support (preview) - a user object created in AAD will now write back to on-prem AD. This is HUGE for orgs that use SaaS services like Workday, Salesforce or some other HR system as the 'source' of their employees. It also works if you simply create the user in O365 or AAD - no more "it's gotta be created in AD first!"
  5. New options for filtering which users get synced.
  6. Bring your own attributes, including schema extensions (eww) - this is useful for orgs that populate non-standard AD schema fields like "Division" or other things that aren't obvious because they don't show up in ADUC. The wizard also lets you override specific attribute sync operations for things like O365 to reduce the perceived attack surface (emphasis on "perceived"). This is a great feature, though, because it marks the first time that you can actually extend the Azure AD Graph with custom on-prem schema attributes.
  7. Support for a non-default source anchor and UPN (read: crazy-people mode) for uniquely identifying users in the cloud. This is useful if you have a complex multi-forest topology where the standard attributes aren't guaranteed unique. Choose carefully: the source anchor is what ties an on-prem object to its cloud object for the life of that object, so it has to be unique across every forest you sync and must never change once the first sync has run.
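Before committing to a source anchor in a multi-forest setup, it is worth checking that the anchor you intend to use really is unique across every forest you will sync and that it agrees with what is already in the cloud. The script below is an added example written for this post, not Microsoft's code or anything shown in the session. It assumes the default anchor (objectGUID, whose cloud ImmutableId is the Base64 encoding of the GUID's 16 bytes), the RSAT ActiveDirectory module and the MSOnline module, an existing `Connect-MsolService` session, and hypothetical server and OU names.

```powershell
# Added example (not from the original post or from Microsoft): sanity-check the
# source anchor and UPN across several forests before running AAD Connect.
# Assumptions: RSAT ActiveDirectory + MSOnline modules are installed,
# Connect-MsolService has already been run, and the server/OU names are hypothetical.

function Get-ExpectedImmutableId {
    # Default AAD Connect anchor: objectGUID -> Base64 of the GUID's raw 16 bytes.
    # If you pick a custom anchor attribute in the wizard, swap this for that
    # attribute's value and encoding.
    param([Parameter(Mandatory)][guid]$ObjectGuid)
    [Convert]::ToBase64String($ObjectGuid.ToByteArray())
}

# One entry per forest/domain you intend to sync (hypothetical names).
$searchBases = @(
    @{ Server = 'dc01.corp.example.com'; Base = 'OU=Staff,DC=corp,DC=example,DC=com' },
    @{ Server = 'dc01.acq.example.net';  Base = 'OU=Users,DC=acq,DC=example,DC=net' }
)

$users = foreach ($sb in $searchBases) {
    Get-ADUser -Server $sb.Server -SearchBase $sb.Base -Filter { Enabled -eq $true } |
        Select-Object SamAccountName, UserPrincipalName, ObjectGUID, DistinguishedName
}

# 1. Anchor uniqueness across forests. objectGUID is effectively unique, but a
#    custom anchor such as employeeID is exactly where collisions show up.
$anchorDupes = $users |
    Group-Object { Get-ExpectedImmutableId $_.ObjectGUID } |
    Where-Object Count -gt 1
foreach ($g in $anchorDupes) {
    Write-Warning "Duplicate anchor $($g.Name): $($g.Group.DistinguishedName -join '; ')"
}

# 2. UPN uniqueness across forests; a duplicate UPN means two on-prem objects
#    would fight over one cloud object.
$upnDupes = $users | Group-Object UserPrincipalName | Where-Object Count -gt 1
foreach ($g in $upnDupes) {
    Write-Warning "Duplicate UPN $($g.Name): $($g.Group.DistinguishedName -join '; ')"
}

# 3. Compare the expected anchor with the ImmutableId already stamped on the cloud
#    object. A mismatch means the cloud user was hand-created or matched by a
#    different anchor, and a hard-match will be needed before sync.
foreach ($u in $users) {
    $cloud = Get-MsolUser -UserPrincipalName $u.UserPrincipalName -ErrorAction SilentlyContinue
    if (-not $cloud) {
        Write-Output "$($u.UserPrincipalName): not yet in Azure AD (will be created by sync)"
        continue
    }
    $expected = Get-ExpectedImmutableId $u.ObjectGUID
    if ($cloud.ImmutableId -ne $expected) {
        Write-Warning "$($u.UserPrincipalName): ImmutableId mismatch (cloud=$($cloud.ImmutableId) expected=$expected)"
    }
}
```

Run this against every forest you plan to connect before the first full sync; once objects are joined, changing the anchor means re-matching every user, which is the situation the "crazy-people mode" option exists to avoid.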

Azure Site Recovery - I'm still amazed at what MSFT is doing across the board in working with fierce competitors, and this one is particularly huge. Coming very soon: the ability to replicate your on-prem VMware environment into Azure as your secondary datacenter. VMware!!! I see a great deal of value here because no other cloud provider supports crossing the hypervisor boundary the way MSFT is doing, and it will enable great workload transitions into the cloud. It also helps MSFT in that it moves more consumption to Azure, but the feature is really great regardless. Imagine being able to shut off your secondary datacenter, saving potentially millions of dollars in the process, in exchange for a fully automated, low-RTO/RPO (recovery time and recovery point objective) DR and business continuity strategy that not only works, but can be tested without the risk of blowing up the primary datacenter!

Mobile Device Management for Office 365 - this is a feature rolling out, at no additional cost, to all E3 subscribers. It lets organizations use a subset of the mobile device management capabilities that Enterprise Mobility Suite offers. The key here is conditional access: the organization can control which mobile devices get access to its data, primarily targeting those that need to keep using Exchange ActiveSync, but it can be used for a few additional things before you run up against the need for the full Enterprise Mobility Suite. Think of it as the evolution of EAS policies plus a few more items like device enrollment and management. Very, very cool, and you can't beat the price!

At the end of the whirlwind tour of sessions, the Slalom Dallas team got together for cheeseburgers at a local watering hole and swapped nerd stories, and then some went on to see Avengers - I went back to the hotel room and did some labs, because... NERD.