EMS is Bigger Than You Think

2016 has been off to an amazing start. Since we held our Cloud. 2016 conference, we've seen tremendous interest in Microsoft's Enterprise Mobility Suite (EMS). In fact, Microsoft recently released a (loooong) video in which one of their VPs said it's the fastest growing product in the history of the company. EMS is big.

While it should be easy to identify the "most popular" feature, in looking back at the projects we've done this year, there is no one single most popular feature. We've seen just about equal amounts of traction with Azure AD Premium, MFA, rights-management, MDM, and even Advanced Threat Analytics. But while we've seen good traction from all the constituent components, we don't typically roll them out as a whole package. And that's interesting, because in many cases there has been a tremendous amount of confusion around two key elements of EMS, Azure AD Premium and MFA.

EMS works best when viewed as a holistic solution. You need to protect your devices, apps, and data, and you need to provide a similar (if not identical) logon & work experience for your users, whether they're local or remote, connecting via PC, tablet, or phone. Because--as Microsoft has rightly identified--it's not the device that makes the user mobile: it's the user that is mobile. And the user doesn't have time to fiddle with disparate environments.

Taking EMS down to its constituent components is perfectly valid and there are myriad business requirements to do so, but you lose a bit of the big-picture focus, which again is devices/apps/data. Hammer that home: devices/apps/data.

In an on-premises world, all of that protection comes from Active Directory. Authentication and access are governed by the same system, and newer versions of Windows can extend limited protection to the applications themselves. So it seems a very logical leap to assume these same protections work using Azure as the Active Directory solution. Unfortunately this is very rarely the case.

While Windows 10 and some Azure VM's can natively authenticate to it, Azure AD is not the cloud equivalent of on-prem AD, and it is not an extension of your on-prem AD. Azure Active Directory is Identity Management for Azure and Microsoft cloud solutions. It might have been easier if Microsoft had chosen an entirely different name for it. Something like Azure Identity Services. In fact: let's call it that. For the rest of this discussion, Azure AD is AIS.

AIS differs from AD in that in most cases, the user is already authenticated to the device. This is a really important distinction, and the single biggest cause of confusion. You cannot use AIS to govern local logon to 100% of a user's devices. We're accustomed to that when supporting tablets and phones, but now we need to get used to the idea that even PC users will need to bring their own local identity.

That identity can come from another managed solution, like an on-prem Active Directory. And that identity provider can even be extended into Azure or AWS through hosted VM's and site-to-site network connections, but AIS is not the local logon identity provider.

Added to all of this confusion, AD is typically replicated to AIS through Azure AD Connect to provide a same-signon username & password experience--but it's a replica only, not an extension or a separate site.

So what, then, is the point? AIS is highly extensible and offers reporting that is likely better than you're currently getting from your on-prem AD monitoring solutions today. AIS supports federation with other cloud-based identity and solutions providers, and has somewhere close to 3000 external cloud-based apps that it can natively integrate with, in many cases including provisioning user accounts within those apps. But more importantly, AIS governs the technologies that protect the devices, apps, and data we talked about earlier.

Looking at that devices/apps/data model through an EMS lens, we see Intune as the /devices/ component. Mobile devices and Windows computers enrolled in Intune are governed by policies that ensure minimum protection levels are enforced and maintained across your company's range of systems. Intune offers antivirus/antimalware, patch management, and can publish and assign applications to users and devices. Intune now offers selective wipe and device encryption, as well, making it a solid competitor in the MDM space.

Which brings us to multi-factor authentication, which is the /apps/ protection component. We have seen a tremendous amount of interest in MFA. Many companies have seen great success with on-prem MFA. Some have used hard tokens like RSA, some have leveraged soft-tokens. In most cases, the adoption is tricky, but the users get accustomed to it.

Azure MFA, much like AIS, however, doesn't do much at the device level. Again, the user has already provided local credentials to access the device, but now they want to open mail. They want to access your company SharePoint site. They want to fire up Skype for Business, or edit a document using your subscription-licensed copy of Office ProPlus.

These applications are authenticated separately from the Windows authentication. Newer versions of most Microsoft applications can play natively with Azure MFA. The user opens Outlook on the Web, SharePoint, or even a local installation of Word 2016, and they may be challenged for their username, password, and then a secondary challenge for a soft-token of some sort (Azure MFA supports phone calls, texts, or the Azure Authenticator App for mobile devices). Once that second challenge is accepted, the user gets access into the app. If no other security structures are governing the data inside the app, the user then has free reign to do what they need.

Finally, we come to the /data/ component of our EMS solution. If Intune is the quasi-AD-authentication equivalent, and AIS is the AD-apps protection equivalent (only better, because that's not really a thing outside of PowerShell), Azure Rights Management is NTFS + action control. Can you access and/or edit the file? That was just about the limit of traditional NTFS permissions, but rights management takes those questions and adds: can you copy data within the file? If so, where can you put that copied data? Can you forward that data outside the organization? Should these governances apply to all files, or only files that meet specific company-specified criteria?

And the really cool thing about Azure Rights Management is that it has recently been extended beyond just Exchange Online and SharePoint Online to now include Skype for Business. So now the company file that you just dumped into the chat window of a big meeting with both internal and external audience members? No worries: rights management has you covered.

The really brilliant thing about EMS, as a package solution, is that with one license you can govern your mobile users from end-to-end. BYOD is easy: just enroll your device and you're off to the races. We're even seeing BYOD extend to laptops in a few cases, and the ability to let the user manage their own local authentication gives companies the freedom to let users use the systems they're already comfortable with. But the even brillianter(er) thing is that, just like every other element of Office365 and Azure, you aren't limited to an all-or-nothing approach: If you're only half-way through a 36-month contract for an MDM or antivirus solution, you can still leverage rights management and Azure AD Premium and just spin up your Intune clients when you're ready.