Office 365 Active Directory



When migrating Office 365 tenancies for acquisitions, mergers or divestitures, careful consideration needs to be given to the back-end identity infrastructure supporting each Office 365 tenant.

Microsoft 365 Groups (formerly known as Office 365 Groups) is the cross-application membership service in Microsoft 365. Each Microsoft 365 group is an object in Azure Active Directory with a list of members, and it is attached to that group's related Microsoft 365 workloads: a SharePoint team site, an Exchange mailbox, Planner, Power BI and OneNote. Azure Active Directory is the identity platform behind every Office 365 tenant, providing authentication, access management, scalability and reliability, so any change to where an identity lives during a migration is also a change to what that identity can reach.

Active Directory Domain Services (AD DS) is generally the on-premises identity store that connects the enterprise to the Azure Active Directory behind Office 365. How on-premises Active Directory is connected to Azure Active Directory varies with each customer's configuration (typically Azure AD Connect with password hash sync, pass-through authentication or federation). There may also be a 3rd-party identity provider in the path, such as Okta or Ping.

  • How are accounts being provisioned today, and how does that process integrate before, during and after the migration?
  • How do we provide identity coexistence during the tenant-to-tenant migration?
  • How do we move computers and identities between domains while keeping the transition seamless for users?
  • Do you want to move your users to the target Active Directory before, during or after the Office 365 migration?
  • Will the network topology between the forests affect the Active Directory migration?
  • How will the use of a 3rd-party identity provider affect the migration of Active Directory?

These items have to be thought through in addition to the tasks of the Office 365 tenant migration itself; how much weight each carries depends on the business and technical requirements of the migration. Identity synchronization, and the merging of identities into the target Active Directory and Office 365 tenant, must be understood during coexistence planning. Unless only a small number of accounts and services are moving to the target Office 365 tenancy, there will almost certainly be a "coexistence" period during the migration.


Another consideration is which migration tool will be used to move Active Directory objects. There are various tools for computer and user migrations in Active Directory, and we have used all the leading tool sets to perform them. Some work well; others have issues. Those trade-offs are weighed during the migration design sessions.

The following steps are the basics of an Active Directory migration: the high-level tasks needed during a tenant-to-tenant migration.

  1. Network connectivity between the source and target Active Directory forests/domains is established
  2. Forest or domain trusts are in place (needed for SID history migration and the smoothest Active Directory migration experience)
  3. Synchronize users (as mail-enabled users) and groups from the source to the target Active Directory via a migration tool or another solution (script, directory sync process, etc.)
  4. Update permissions on source servers with the synchronized account information (usually done with a migration tool)
  5. Migrate users' workstations to the target Active Directory domain
  6. Migrate source servers to the target Active Directory
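As an added example (not code from the original article), here is a PowerShell pre-flight check for step 3. Before a tool synchronizes source users into the target forest, it compares the two directories and flags UPN and SMTP address collisions, distinguishing accounts that were already migrated (the target object carries the source SID in sIDHistory) from genuine duplicates. It assumes the RSAT ActiveDirectory module and read access to both forests; the domain controller names and OU are placeholders.

```powershell
# Added example, not code from the original article. Pre-flight identity check
# before source users are synchronized into the target forest (step 3).
# Assumes: RSAT ActiveDirectory module, read access to both forests.
# The DC names and OU below are placeholders for your own environment.
Import-Module ActiveDirectory

$SourceDc = 'dc01.source.example'                 # assumption: a DC in the source forest
$TargetDc = 'dc01.target.example'                 # assumption: a DC in the target forest
$SourceOu = 'OU=Users,DC=source,DC=example'       # assumption: OU being migrated
$Props    = 'userPrincipalName','mail','proxyAddresses','objectSid','sIDHistory'

# Only enabled source accounts are in scope; the whole target directory is the collision space.
$source = Get-ADUser -Server $SourceDc -SearchBase $SourceOu -Filter * -Properties $Props |
          Where-Object Enabled
$target = Get-ADUser -Server $TargetDc -Filter * -Properties $Props

# Every SMTP address an object owns: mail plus smtp: proxyAddresses, lower-cased and de-duplicated.
function Get-SmtpAddresses($user) {
    $addrs = @($user.mail) + @($user.proxyAddresses | Where-Object { $_ -like 'smtp:*' } |
                                ForEach-Object { $_.Substring(5) })
    $addrs | Where-Object { $_ } | ForEach-Object { $_.ToLower() } | Sort-Object -Unique
}

$targetBySmtp = @{}
$targetByUpn  = @{}
foreach ($t in $target) {
    foreach ($a in Get-SmtpAddresses $t) { $targetBySmtp[$a] = $t }
    if ($t.UserPrincipalName) { $targetByUpn[$t.UserPrincipalName.ToLower()] = $t }
}

$report = foreach ($s in $source) {
    $smtpHits = @(Get-SmtpAddresses $s | Where-Object { $targetBySmtp.ContainsKey($_) })
    $upnHit   = $s.UserPrincipalName -and $targetByUpn.ContainsKey($s.UserPrincipalName.ToLower())
    $match    = if ($smtpHits.Count) { $targetBySmtp[$smtpHits[0]] }
                elseif ($upnHit)     { $targetByUpn[$s.UserPrincipalName.ToLower()] }

    # A target object that already carries the source SID in sIDHistory is a previously
    # migrated account. Any other hit is a collision: left alone, a sync tool would either
    # soft-match the wrong person or create a duplicate with a conflicting address.
    $status = 'New'
    if ($match) {
        $history = @($match.sIDHistory | ForEach-Object { $_.Value })
        $status  = if ($history -contains $s.objectSid.Value) { 'AlreadyMigrated' }
                   elseif ($smtpHits.Count)                  { 'SmtpCollision' }
                   else                                      { 'UpnCollision' }
    }

    [pscustomobject]@{
        SourceSam   = $s.SamAccountName
        SourceUpn   = $s.UserPrincipalName
        Status      = $status
        Collisions  = ($smtpHits -join ';')
        TargetMatch = if ($match) { $match.DistinguishedName }
    }
}

$report | Group-Object Status | Select-Object Name, Count
$report | Where-Object Status -ne 'New' |
    Export-Csv -NoTypeInformation -Path .\identity-collisions.csv
```

Run it with an account that has read access to both forests and resolve every SmtpCollision and UpnCollision row by hand (rename, merge, or exclude) before the sync tool is pointed at the OU; once duplicates exist in the target they tend to surface later as mail routing and licensing problems during coexistence.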

A high-level diagram of a generic environment is shown below:

There are many things to consider when migrating Active Directory alongside a tenant-to-tenant Office 365 migration. We have experience with many different scenarios for tenant-to-tenant and Active Directory migrations. If you have questions or need help planning and executing a tenant-to-tenant and/or Active Directory migration, please connect with us to learn how Perficient can help your organization make the most of these tools and solutions.

A very common question and decision point for IT departments embracing Office 365 and SharePoint is whether to rely on Active Directory groups or SharePoint groups when managing security in SharePoint. Both methods have their pros and cons. In this blog I would like to explain the difference between the two methods and provide a recommendation. Before we do that, let me first explain what the terminology means.

What is Active Directory?

In simple, non-technical terms, Active Directory (AD) is an application (a database) that keeps track of a company's user accounts, passwords and other user information (role, manager, etc.). It is essentially the master source of all user accounts. Any time an employee joins or leaves the organization or changes role, the change is made in AD first. All the other systems (email access, login to a company laptop, access to network folders) rely on AD. So, for example, if you leave the organization, your AD account is disabled and you can no longer log in to a company PC or check work email.

What are Active Directory groups?

In addition to storing individual user information, Active Directory also allows IT administrators to create groups of users. Those groups can be assigned various access rights within your organization (e.g. the security group "Finance" has access to the Finance folder on your network drive).

Active Directory and Office 365

Since AD has become the gold standard for user management in many organizations, Office 365 allows Active Directory to be synchronized to its online service (Azure Active Directory, typically via Azure AD Connect). That means all users and security groups from AD are available in SharePoint and Office 365. Say a new employee joins your organization. By creating the user in AD and adding him or her to the corresponding AD groups, he or she automatically becomes available as a user in Office 365 as well. All you have to do is assign the proper Office 365 license (mailbox, SharePoint privileges, etc.). That is a huge time-saver for IT and usually fits very well with the established onboarding (HR) business processes.

What are SharePoint Groups?

SharePoint groups are security groups within the SharePoint environment and are how SharePoint manages access to sites. I have written a detailed blog post on how to properly set up security for a SharePoint site using SharePoint security groups. By default, every SharePoint site has 3 security groups:

  • [Site Name] Visitors – these are users with Read Only access to the content
  • [Site Name] Members – these are users with Add/Edit/Delete access to the content
  • [Site Name] Owners – these are users with Full Control access to the whole site.


Once again, you can read more about proper setup and settings in this blog post.

So, Active Directory Groups or SharePoint Groups?

To help you make the right decision, let's look at the pros and cons of each approach...

Active Directory Groups

PROS

  • Maintained regularly by IT. Because AD controls user access to the rest of the company's resources (email, laptops, network drives), AD is usually well maintained
  • Can be nested. That means you can embed one AD group inside another AD group. This is useful when you want to build a hierarchical security structure (various groups within a department)

CONS

  • Managed by the IT department. This means that if you need to add a user to the site on the fly (in other words, you first need to add the user to an AD group), you depend on IT's turnaround time to get it done quickly
  • Can't see the members of an AD group in SharePoint. If you add an AD group to the site, you can't drill into it to see who its members are. For that, you will need to contact IT
  • Can only contain members who are part of the organization (employees). Because AD groups control access to company intellectual property (IP), they are rarely used to hold accounts for non-employees. In SharePoint, that means you will need to rely on SharePoint groups for external sharing.

SharePoint Groups


PROS

  • Managed by the SharePoint site owner. That means users can be added to the group relatively easily "on the fly" by the site or group owner.
  • You can see the members of SharePoint groups. This depends on how the SharePoint security groups are set up, but typically you can see who the members of a given SharePoint group are
  • You can easily check an individual user's permissions to the site. If your members are part of a SharePoint group, you can check their site access using the Check Permissions functionality. You can't do that when your users are part of an AD group.
  • Can contain non-employees. SharePoint groups can and will contain external users when you share your site externally

CONS

  • Cannot be nested like an AD group. SharePoint groups are flat: each site contains one level of groups, and you cannot nest one SharePoint group inside another SharePoint group.
  • Many SharePoint groups are not kept up to date. Because of the decentralized approach and the relative simplicity of site and group creation, SharePoint group membership is often not kept up to date. Since maintenance of these groups usually falls on the business (site) owners, there is usually a lot of unnecessary group duplication, very little standardization, no common naming convention, etc.

So, now that we have this information, what is the recommended approach?

Well, like with many things in life, it depends…

Option 1: Use Active Directory Groups if…


  • You already have established AD groups and are keeping them up to date, and...
  • You want strict control over security in your SharePoint environment, and...
  • Your information architecture/site security model follows established company verticals/departments (e.g. HR, IT, Finance, etc.)

NOTE: If you do decide to use AD groups within SharePoint, follow the same best practice as with individual users. Do not add an AD group directly to the site! Create a SharePoint group and add the AD group inside the SharePoint group. This way, if you need to add users to your site beyond those already in the AD group, you can do so easily by adding individual users to the SharePoint group alongside the AD group.
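As an added example (not code from the original post), the PnP PowerShell below does two things. Part 1 builds the structure the NOTE recommends: a SharePoint group with a permission level, containing a synced AD security group as one member. Part 2 is the hygiene audit the "not kept up to date" con above calls for: it walks every SharePoint group on the site and flags empty or orphaned groups, counts members whose real membership lives in AD (which SharePoint cannot show you), counts guests, and catches tenant-wide "Everyone" claims. It requires the PnP.PowerShell module and site-owner rights; the site URL, group name and Azure AD group object id are placeholders, and how Connect-PnPOnline authenticates depends on your PnP.PowerShell version.

```powershell
# Added example, not code from the original post. Requires the PnP.PowerShell module and
# site-owner rights. The site URL, group name and Azure AD group object id are placeholders.
Import-Module PnP.PowerShell

$SiteUrl     = 'https://contoso.sharepoint.com/sites/finance'   # assumption
$SpGroupName = 'Finance Members'                                 # assumption
$AadGroupId  = '00000000-0000-0000-0000-000000000000'           # assumption: objectId of the synced AD group

Connect-PnPOnline -Url $SiteUrl -Interactive

# Part 1: the structure the NOTE recommends. A synced AD security group appears in
# SharePoint Online as the claim c:0t.c|tenant|<objectId>; nesting it inside a SharePoint
# group lets the site owner add individual users alongside it later.
if (-not (Get-PnPGroup | Where-Object Title -eq $SpGroupName)) {
    New-PnPGroup -Title $SpGroupName -Description 'Finance AD group plus ad hoc members' | Out-Null
    Set-PnPGroupPermissions -Identity $SpGroupName -AddRole 'Edit'
}
Add-PnPGroupMember -Identity $SpGroupName -LoginName "c:0t.c|tenant|$AadGroupId"

# Part 2: audit every SharePoint group on the site.
# Claim prefixes used below:
#   c:0t.c|tenant|<id>                         Azure AD security group (membership opaque to SharePoint)
#   *#ext#*                                     guest (external) account
#   c:0(.s|true                                 Everyone
#   c:0-.f|rolemanager|spo-grid-all-users/<id>  Everyone except external users
$audit = foreach ($g in Get-PnPGroup) {
    $members = @(Get-PnPGroupMember -Identity $g)
    $roles   = @(Get-PnPGroupPermissions -Identity $g | Select-Object -ExpandProperty Name)

    $adGroups = @($members | Where-Object LoginName -like 'c:0t.c|tenant|*').Count
    $guests   = @($members | Where-Object LoginName -like '*#ext#*').Count
    $everyone = @($members | Where-Object {
        ($_.LoginName -eq 'c:0(.s|true') -or ($_.LoginName -like 'c:0-.f|rolemanager|spo-grid-all-users*')
    }).Count

    $finding = if ($members.Count -eq 0)   { 'empty group' }
               elseif ($roles.Count -eq 0) { 'no permission level (orphaned)' }
               elseif ($everyone -gt 0)    { 'tenant-wide claim present' }
               elseif ($roles -contains 'Full Control' -and $members.Count -gt 3) { 'many Full Control members' }
               else                        { '' }

    [pscustomobject]@{
        Group       = $g.Title
        Permissions = ($roles -join ',')
        Members     = $members.Count
        AdGroups    = $adGroups
        Guests      = $guests
        Finding     = $finding
    }
}

$audit | Sort-Object Group | Format-Table -AutoSize
```

The AdGroups column is the practical consequence of the "can't see members" con: for those rows the audit can only tell you that an AD group is present, and the actual people behind it have to be resolved in Azure AD. The Finding column is a starting point for the periodic review that the decentralized model otherwise never gets.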

Option 2: Use SharePoint Groups if…

  • You do not currently have AD groups established, or IT does not maintain them on an ongoing basis, or...
  • Your governance model shifts control to the site owners and lets them decide who can and cannot have access, or...
  • You are a matrix-type organization. For example, if you have SharePoint department sites and established AD groups, one per department, you can easily add those AD groups to those sites. However, if you have, say, a project site whose team is drawn from several departments, it is impractical to maintain AD groups for those "mixed" team sites; IT would be overwhelmed by the maintenance. In that case, rely on SharePoint groups exclusively.


Option 3: Use both, the AD groups and SharePoint groups if…


  • You want to reap the benefits of both methods. This usually turns out to be a good and viable option for many organizations.


As you can see, there is no right or wrong answer here. When deciding whether to use AD groups or SharePoint groups, choose the option that makes the most sense for your organization given its circumstances and culture.