Use Microsoft Enterprise Mobility + Security to build out PaaS or IaaS?

One of the questions I’ve been trying to answer lately is what options we have for moving from Self-Hosted/On-Prem towards IaaS, PaaS, and SaaS (a good descriptor of the Azure/AD Self-Hosted/IaaS/PaaS/SaaS). We’re already using Google Apps GSuite. So, I’ve been looking into my Office 365 options, including Office and Authentication. I hear Azure AD Premium mentioned, but by itself, it seems to be pricey and complicated for non-profits (for now at least). Then I ran across this:

Does anyone have experience with the ‘Enterprise Mobility + Security’ toolset? Could this be an option for providing central auth to devices, but BYOD-style, i.e. no more local domain join? Just install Win10, connect to Enterprise Mobility + Security, Go! The Enterprise Mobility + Security and an Azure AD VM infrastructure (using the 501c3 $5k/yr Philanthropies credit) could also talk to each other maybe? Then we wouldn’t have to maintain on-prem systems if we don’t want to.

Enterprise Mobility + Security includes:

  • Microsoft Intune
  • Microsoft Advanced Threat Analytics
  • Azure Active Directory Premium P1
  • Azure Information Protection Premium P1

Very interesting. Intune + AAD Premium can be pretty powerful for managing Windows 10.

Exactly @codatory. So if I can manage Windows 10 using all the new built-in MDM-style features, that would provide a pretty compelling option for managing the endpoints? I guess we just need to figure out the rest of the identity piece (my thought is the philanthropies credit could provide that). As I’ve let it stew, here’s where I’m at.

Here’s my initial list of what I would need setup to test it out:

  • 2x VMs w/ AD DC role, etc. to create the AD
  • 1x VM for AD → Azure AD Premium connection?
  • A VM for System Center Configuration Manager (not a must-have, but providing Intune integration & software deployment)
  • Licensing for SCCM endpoints
  • A license of Enterprise Mobility + Security
  • A Windows 10 instance (VM or machine) for testing
  • and…???

I lack the mental bandwidth to meaningfully contribute to this conversation for a bit, but being that I feel guilty for leaving my thoughts over in slack…

Having machines which are simultaneously joined to an AD domain and Azure AD at the same time requires a lot of setup.

Not the least of which is managing a (working) certificate/PKI setup.

You also do need SCCM

more details on prerequisites here:

This shouldn’t scare you, but I’ll ask you to step back and figure out what AD is doing for you.

If it will shortly become just an SSO identity manager to get you into the next-gen Microsoft ecosystem (Office 365, Windows 10, Intune, Azure Marketplace Active Directory compatible apps, or apps that can be extended or configured to leverage Azure Active Directory SSO capabilities), then maybe you don’t need it at all?

If you do need a bit more than you can get with just AAD, but you are still purely cloud based, you could also use Azure Active Directory Domain Services (AAD-DS) and join an Azure Server VM today. This might be a great way to host a legacy app server that presents itself as a web front end but needs to integrate with AD credentials, or maybe a “traditional” SQL server using AD credentials. You get the idea.

I guess the best thing I can add to this conversation is that we are really close to being able to do this in some circumstances, and very far in others. You need to define precisely what you need to do today, and have a very clear picture of where you want to be in 18-24 months from now.

With that information, the path will become a little more clear.

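The distinction Karl draws above (local domain join only, Azure AD join only, or both at once) is something you can check per device before deciding which machines still depend on on-prem AD. The following is an added example, not code from the thread or from Microsoft; it parses the `Key : Value` rows that `dsregcmd /status` prints (the `AzureAdJoined` and `DomainJoined` fields are real output fields) and classifies the device. The sample output is constructed and abridged.

```powershell
# Added example (not from the thread): classify a Windows 10 device's join
# state from `dsregcmd /status` output, so you can tell which machines are
# Azure AD joined (BYOD-style), hybrid joined (needs AD Connect + PKI), or
# still purely on-prem domain joined.
function ConvertFrom-DsregStatus {
    param([string[]]$Lines)
    $state = @{}
    foreach ($line in $Lines) {
        # dsregcmd prints "Key : Value" rows inside +---- section banners;
        # banner and blank lines have no colon and are skipped.
        if ($line -match '^\s*([A-Za-z]+)\s*:\s*(.+?)\s*$') {
            $state[$matches[1]] = $matches[2]
        }
    }
    return $state
}

function Get-DeviceJoinType {
    param([hashtable]$State)
    $aad    = $State['AzureAdJoined'] -eq 'YES'
    $domain = $State['DomainJoined']  -eq 'YES'
    if ($aad -and $domain) { return 'HybridAzureAdJoined' }  # AD + Azure AD at once
    if ($aad)              { return 'AzureAdJoined' }        # no local domain join
    if ($domain)           { return 'DomainJoinedOnly' }     # classic on-prem only
    return 'NotJoined'                                       # workgroup machine
}

# Constructed, abridged sample standing in for a real `dsregcmd /status` run
$sample = @'
+----------------------------------------------------------------------+
| Device State                                                         |
+----------------------------------------------------------------------+

             AzureAdJoined : YES
          EnterpriseJoined : NO
              DomainJoined : YES
                DomainName : CORP
'@ -split "`n"

$parsed = ConvertFrom-DsregStatus -Lines $sample
Get-DeviceJoinType -State $parsed

# On a real machine, feed it live output instead of the sample:
# Get-DeviceJoinType -State (ConvertFrom-DsregStatus -Lines (dsregcmd /status))
```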

I’m with Karl on this one. The biggest thing I will say about EM+S right now is, based on our testing so far, I would NOT consider it ready for prime-time usage, especially in the SMB (small/medium business) space. There are still several rough edges. Some of the pieces are solid and “good to go” but the package as a whole still needs a bit of maturity to be cohesive and easy (for both users and admins).

But I think Karl is absolutely on the right track in his thinking. My expectation is that most of our church clients can probably operate 100% ‘in the cloud’ in the next 2-3 years using this Microsoft ecosystem (without losing functionality they enjoy today). Certainly it’s possible to operate with no on-prem server infrastructure today. We have clients that do it. But there are definitely trade-offs today when doing that (manageability, supportability, cohesiveness/consistency).

With all of that said, $1.65/user/month is a great price, even if you only wanted to use Azure AD Premium (with password write-back from O365 to on-prem AD) for now.