What do you think of the integration of Azure AD Services, Defender for Endpoint, and Intune as comprehensive security solutions?
I have demoed these solutions together. There are also other alternatives that integrate with SaaS services.
Thank you for your help.
Sr. Solutions Sales Executive - Commercial/Charity/Healthcare/SMB Individual Contributor at Hypertec Direct
Feb 15, 2023
I believe it is a good first step, and I would say even a requirement, but in no way is it a comprehensive security solution, even for endpoints.
There are many things that need to be addressed for security. In addition to this, there is XDR, MDR, more comprehensive AV for endpoints & servers that stops attacks, Threat Hunting, Mitigation, Pen Testing, Security Training for end users, Multi-Factor Authentication (Microsoft's MFA is good but only for Microsoft products), Patch Management for Endpoints, Servers and Cloud Workloads, Network Access Control, Firewalls for On-Premises and Cloud server workloads, Network Segmentation, Password Management, Data Backups (3-2-1-1 Rule) with Immutable Backups, Power Backups, Physical Security, Monitoring, NOC/SOC services, and working towards a Zero Trust architecture...
But there are no single-point solutions that will make you secure, so don't get complacent. And you can outspend your profits if you do everything. Just remember it's best to have a layered approach that works together and looks at everything from a security perspective and how it integrates with your overall security plans and objectives to help identify holes and possible mitigations.
Healthcare must do Risk Assessments by law, but I recommend that all companies of all sizes do at least annual risk assessments, since there is no such thing as being too small or inconspicuous to be hit with malware or have a cyber security attack, since much of the delivery is automated and not just by the script kiddies of years gone by... Nation states are actively engaging in cyber warfare daily, along with terrorists and opportunists looking to make big money from you...
Senior Associate Specialist at a financial services firm with 1,001-5,000 employees
Feb 16, 2023
It depends on your company's infrastructure. Check with your cyber team whether you can sync your endpoints to the cloud using Azure AD as Azure AD Registered / Azure Hybrid AD Join / Azure AD Join, etc.
1. So, if the ask is only to enroll them in Intune to leverage Defender/BitLocker services, go directly with the Azure AD Join approach.
2. If you still want to manage patch management/MCM BitLocker on-premises but Defender via the cloud, the approach should be Azure Hybrid AD Join.
3. You can still use Autopilot with both of these approaches.
CTO at NATIONAL MOTOR FREIGHT TRAFFIC ASSOCIATION INC
Jun 3, 2022
It was interesting not to see Okta on this list. Did it make a broader list, but not the top tools?
I have implemented Okta, and I have implemented a dual-headed Okta in the past with ease, so I was a little surprised. The other tool I use is Thycotic Secret Server for Admin passwords, though they are now part of a new company.
Search Engine Optimization Specialist at LoginRadius
Aug 17, 2022
SSO is an essential feature of an Identity and Access Management (IAM) access control platform.
User identity authentication is important when it comes to understanding which permissions a user will have.
The only improvement would be for everything to be instant in terms of applying changes and propagating them to systems.
I would like them to improve the dashboard by presenting the raw data in a more visual way for the logs and events. That would help us understand the reports better.
Using wild imagination, I am thinking about the extent to which AAD can integrate with products in a seamless way, such as applications that are running on-premises and making use of on-premises directory services. The most common, of course, is Azure Active Directory Domain Services. To what extent can it be used to replace the on-premises Active Directory Domain Services? Even though they are similar in concept, they are totally separate products. I would like to see applications that make use of on-premises Active Directory Domain Services have the ability to also seamlessly make use of Azure Active Directory. And when it comes to identity and access life cycle management for applications that run on-premises, as well as access governance, if those kinds of capabilities could be built into Azure Active Directory, that would be good.
Microsoft services and most familiar third-party applications are currently supported, but we can't find many other platforms that integrate with Office 365 or Azure Active Directory. Microsoft should develop connectors for different applications and collaborate more with other vendors to cover a broader range of applications.
I want to see new functionalities for the Active Directory. I would like to be able to establish that when you log into computers locally, where it is installed on a laptop, you can enable the MFA feature that is currently not available for local computers or Windows on- or off-premises, that being one of the characteristics that can give greater added value to information security issues. If this feature were available on computers, it would help us in the future to avoid security breaches, information loss, or data backup vulnerabilities. In many cases, this could generate a complication. However, we always want to innovate, and the innovation part is always to ensure that any place, device, or management that we are going to establish at the computational level is 100% secure.
When we add some user groups, at times they will not be properly configured. Also, sometimes Azure AD is not aware of the group policy, like the control, device functions, and settings, in detail. For example, you cannot configure these settings through mobile devices. It doesn't provide the flexibility to do that. The other challenge is that a third-party application may provide access without authorization. Microsoft should focus on improving the group policies at the user policy level. Functional-level improvements are also required. They have to configure the policies according to user requirements, providing the best policies that can be adopted by using Azure AD.
What could be improved is the environment. It still has administration centers in Office 365, and the same is true for Azure in general. You can manage the users from the Office 365 administration center, and you can manage them from Azure Active Directory. Those are two different environments, but they do the same things. They can gather the features in one place, and it might be better if that place were Azure.
Compared to what we can do on-prem, Azure AD lacks a feature for multiple hierarchical groups. For example, Group A is part of Group B. Group B is part of Group C. Then, if I put someone into Group A, which is already part of B, they get access to any system that Group B has access to, and that provisioning is automatically there. Geo-filtering is not that strong in Azure AD, where we need it to identify and filter out a request that is coming unexpectedly from a different country.
One area where it can improve is connectivity with other systems. Not all systems are connected and you have to do coding to establish a point of connectivity. It supports certain vendors and it supports certain protocols. It is limited in many other aspects at the attribute level. Also, some of the provisioning filters are not capable enough. You cannot do a date filter on the provisioning. Perhaps they could also have easy protocols to create the accounts. Instead of just a file upload, they should have an easy connector to do the provisioning part.
I would like to see a better delegation of access. For instance, we want to allow different groups within the company to manage different elements of Azure AD, but I need more granularity in delegating access.
We would like to see more system updates. They should happen more frequently.
Many people believe that the Azure Active Directory is overly complicated and antiquated. Active Directory on Windows hasn't evolved that much in over 20 years. Azure Active Directory has a few nuanced elements. It's fairly straightforward.
The ability to manage and authenticate against on-premises solutions would be beneficial.
Azure Active Directory could improve the two-factor authentication.
Its price should be improved. It is very expensive for Turkish people.
If your organization requires additional security then the subscription will be more expensive.
I would not recommend any changes or improvements right now, in terms of the organization. I think something that is key would be the group policies replication over the cloud, in order to prevent or to avoid relying on the on-premise Active Directory servers and to manage group policies.
The licensing model makes it difficult to understand the real cost of the solution, especially because it changes all the time.
Azure Active Directory could be made easier to use. We have large amounts of data and storage. When we are looking at video files and media content for applications, we will think about options such as cloud storage or a CDN.
Reading documentation could be simplified. Technical support could also be faster.
The on-premises AD comes with a lot of options and group policies. With the group policies, we are using screen saver a lot, and it is messing up Azure AD and isn't working effectively. We are also using MDM technology through Azure. For Android the MDM technology is okay, but it doesn't work properly on iPhones. When we do a screen share and screenshots, it doesn't work on the iPhone. For Android, it will only work for Outlook, which is provided in the company portal. I would like to see the group policies on the same platform on cloud.
The downside is that we now have all our eggs in one basket with Microsoft. We have this great authentication and single sign-on, but if Microsoft has an outage in North America or globally, on Outlook or Teams, we're dead in the water. There is no drop-back-and-punt. There is no "Plan B." The bottom line is that if their services go down, our productivity goes with it. Working with them when we have outages can be very frustrating. We get some type of hiccup once a quarter. We get service notifications from them all the time that the services are under investigation or that there is some type of issue. More than the headache of not completely understanding the severity, we have to make sure that we communicate with our end-users. We get to the point where we're potentially "crying wolf." We're telling them there's a problem but some people don't have the problem. Then they get to the point where they just ignore our communication. Outages can last hours, but never more than a day. They can be regional outages where one area is affected and other areas aren't. The advantage is that it could be evening or night in the area that is down, so it's less impactful.
Azure Active Directory currently supports Linux machines. However, the problem is that you get either full or minimal access. It would be very nice if we could have some granular authorization modules in Azure Active Directory, then we could join it to the Linux machine and get elevated access as required. Right now, it is either full or nothing. I would like that to be improved. We have the ability to join Windows VMs to Azure. It would be nice if we could have some user logs, statistics, and monitoring with Azure Active Directory. When we subscribe to MFA, the users get MFA tokens. However, it is not a straightforward process to embed any of the OTP providers. It would be good if Microsoft started embedding other third-party OTP solutions. That would be a huge enhancement.
I don't think the documentation is where it needs to be yet, for user journeys and that type of flow. There is still trial and error that I would like to see cleaned up. Also, they do have support for SAML 2.0 and it's very easy to set up linkages to other Active Directory customers. But if somebody is using an IdP or an identity solution other than Active Directory, that's where you have to start jumping through some hoops. So far, our largest customers are all using Active Directory, but I don't think the solution is quite as third-party-centric as Okta or Auth0. Those solutions have a lot of support for all kinds of IdPs you want to link up to. Finally, a couple of months ago I was on a team that was looking at low-cost MFA for SSO, where we would control the MFA on our side, instead of having the remote database handle it. In those kinds of flows, there aren't as many off-the-shelf options as I would like. There were cost implications, if I recall, to turn on 2FA. Also, the linkages that they had set up off-the-shelf—obviously they had the Authenticator app—meant that if you wanted to do something with Duo Mobile or any of the other popular 2FA providers, it seems it might have taken us more time than we wanted to put into it.
Active Directory could always be more secure. Right now, we've got two-factor authentication. All services based on Active Directory have a username and password. If somebody hacked our username, they could easily get all the data from our side. So I want two-factor authentication and a stronger password policy from Active Directory. The domain controllers should be more secure as well.
The solution has not saved costs. While we’ve eliminated some tools, there are some other features that we are dependent on as admin, which is not yet integrated with Azure AD. Other features have a broader scope and are covered under Azure. If, for example, I want to create a workflow, that cannot be done in Azure AD. That is something that is done in the Azure function or Azure logic app. Parts have to be covered in other functions. Longer-term, there are some features which might be added, such as admin features similar to Google admin. If I'm an employee and I'm exiting the company, for example, I need to transfer that data from myself to my manager. For that, maybe they could include a feature where they can transfer the data from the user directly and we don't have to rely on any admins.
I can't speak to many aspects of the solution that need improvement. The dashboard and interface could be better. It would be ideal if it was easier to use.
The solution has certain limitations. For example, it has very little governance functionality. This is, of course, a choice made by Microsoft to see which areas they want to have deep functionality, and which areas they believe are more profitable for them.
The security needs to be improved. For example, in terms of changing from one version to the latest, meaning going from 2008 to 2012, or 2016 to 2019, you need to get rid of all the old operating systems, and they need to ensure the security is upgraded and improved. They need to bring BitLocker into the VMs and the servers. LAPS could also be improved. LAPS is used to rotate passwords on a server. That can be improved upon to increase security levels. The SSL 2.0 and SSL 3.0 protocols need to be removed, and they should change to TLS 1.2 for every application.
Azure Active Directory could benefit by adding the capability for identity life cycle management for on-premises solutions. For example, an HR solution that is built on-premises, or, in general, better on-premises-capable solutions.
One thing that bothers me about Azure AD is that I can't specify login hours. I have to use an on-premises instance of Active Directory if I want to specify the hours during which a user can log in. For example, if I want to restrict login to only be possible during working hours, to prevent overtime payments or to prevent lawsuits, I can't do this using only Azure AD.
From my personal experience, I'd say that the features need to be more visible to make the product easier to explore for new users. They need to make it possible for someone with very little knowledge to come in and find things. The product needs to be more user-friendly. The solution needs to update documentation much more regularly. They need to just come out and update the documentation to reflect new features and make sure the updates are included in the already existing documentation, so that someone like me can just pick up the documentation, read it, and know that it is very up-to-date and has all the new features contained within it.
I would like to see improvements made when it comes to viewing audit logs, sign-in logs, and resource tags.
It doesn't function the same way as Active Directory inside of a physical infrastructure. Even VMware Active Directory doesn't function the same way in the cloud. Cloud is all flat. That's one of the disadvantages. You can authenticate through Active Directory through Federated Services, but it's mainly like an IIS web frontend and bulk storage. It's all record based.
Some of the features related to authentication could be made clearer. In my last organization, I tried to integrate a third-party education solution with Azure AD, but it was a bit difficult to configure. I would like it to be easier to integrate third-party applications.
Honestly speaking, I haven't thought about where areas of improvement might be necessary. Everything was very smooth every time we used Azure AD. In other Microsoft solutions, we come across some bugs or workarounds, et cetera. However, as far as Azure AD is concerned, or maybe, to the extent that we are using it at least, we haven't come across any issues. In terms of identity and access management and concerns, all of our needs are provided by the existing implemented features.
Recently, Microsoft has developed lightweight synchronization software, the Cloud Provisioning Agent, to do the job of the preceding, heavier version called AD Connect. You can do a lot more with AD Connect, but it can take a lot of expertise to manage and maintain it. As a result, customers were raising a lot of tickets. So Microsoft developed the lightweight version. However, there are still a lot of features that the Cloud Provisioning Agent lacks. I would like to see it upgraded. The Cloud Provisioning Agent cannot provision a lot of the information that AD Connect does. For starters, the lightweight version cannot synchronize device information. If you have computers on-premises, the information about them will not be synchronized by the Cloud Provisioning Agent. In addition, if you have a user on the cloud and he changes his password, that information should be written back to the on-premises instance. But that workflow cannot be done with the lightweight agent. It can only be done with the more robust version. I believe the Cloud Provisioning Agent will be upgraded eventually, it's just a matter of time.
A lot of aspects can be improved and Microsoft is constantly improving it. If I compare Azure AD today with what it was like five years ago, or even three years ago, a lot of areas have been improved, and from different angles. There have been improvements that offer more security and there have been some improvements in the efficiency domain. Azure AD is not a small product. It's not, say, Acrobat Reader, where I could say, "Okay, if these two features are added, it will be a perfect product." Azure is a vast platform. But if we look at multi-factor authentication, can it be improved? Yes. Perhaps it could cope with the newest authentication protocols or offer new methods for second or third factors. I'm also willing to go towards passwordless authentication. I don't want anyone to have passwords. I want them to authenticate using other methods, like maybe biometrics via your fingerprint or your face or a gesture. These things, together with the smart card you have, could mean no more passwords. The trends are moving in that direction. When it comes to identity governance, the governance features in Azure AD are very focused on Microsoft products. I would like to see those governance and life cycle management features offered for non-Microsoft products connected to Azure AD. Currently, those aspects are not covered. Microsoft has started to introduce Identity Governance tools in Azure AD, and I know they are improving on them. For me, this is one of the interesting areas to explore further—and I'm looking to see what more Microsoft offers. Once they improve these areas, organizations will start to utilize Microsoft more because, in that domain, Microsoft is a bit behind. Right now, we need third-party tools to complete the circle. In addition, sometimes meeting the principle of least privilege is not easy because the roles are not very granular. 
That means that if you are an administrator you need to do small things connected to resetting passwords and updating certain attributes. Sometimes I have to grant access for the purposes of user management, but it includes more access than they need. Role granularity is something that can be improved, and they are improving it. Again, if I compare Azure AD today to what it was like three years ago, there have been a lot of improvements in all these domains. But we could also pick any of these specific feature domains in Azure AD and have in-depth discussions about what could be improved, and how.
In terms of what could be improved, I would say its interface is not very flexible, as opposed to AWS. The services are very clear, but the user admin interface needs to be better. That's all.
There is no documentation about how Microsoft will scale Azure AD for customers. It only mentions that it will scale out if you have a lot of requests but does not mention how in detail. More documentation on some complete scenarios, such as best practices to integrate forests into Azure AD when a customer has several on-premises forests, would be helpful.
We had some issues with the migration of users from the local user accounts to Azure AD. It was more like a local issue and had nothing to do with Azure AD itself. It works fine for SSO (Single Sign-On). We were not able to do the integration very easily with ADP, so that was a challenge, but later on it was resolved. We had to do a lot of things to get that into the configuration. Some systems do not integrate very well with Azure AD. We thought of going for Okta, but later on we were able to achieve it, though not the way we wanted. It was not as easy as we thought it would be; the integration was not very seamless. Additionally, it would be great if they added support for more applications in terms of integration for SSO. That's the only thing that I find missing from Azure AD.
There are some difficulties in the hybrid version, things to do with firewall security, inside the organization. They need to work on that more. In addition, everything should be in one package. There are so many different packages. They need to provide guidance because there are so many features and we don't know how to implement them in our organization. I'm also expecting a Windows 365 virtual desktop. I would be interested in that feature.
Generally, everything works pretty well, but sometimes, Azure Active Directory has outages on the Microsoft side of things. These outages really have a very big impact on the users, applications, and everything else because they are closely tied to the Azure AD ecosystem. So, whenever there is an outage, it is really difficult because all things start failing. This happens very rarely, but when it happens, there is a big impact.
The management interface has some areas that need improvement. It doesn't give you an overview similar to a dashboard view for Azure Active Directory. The view can be complicated. There are many different tabs and you have to drill down into each individual area to find additional information. There are too many features available, more than we can use.
The biggest thing is if they could integrate with their IPS/IDS processes as well as have integration with another app, like a third-party application. Varonis was another solution that my customers are trying to integrate with ADFS. For some reason, they were seeing some difficulties with the integration. There is a case open with Microsoft on this particular thing. The only issue is the OU is not properly synced. Therefore, you have to do a manual sync sometimes or you might lose the connector due to AD Connect or sync servers.
The documentation, and the way that people are notified of updates, are things that can be improved. I'm a big fan of Microsoft products but the way they document is not that great.
The conditional access rules are a little limiting. There's greater scope for the variety of rules and conditions you could put in, such as rules around multi-factor authentication for other users. If you have an Azure AD setup, you can then connect to other people's Azure AD, but you don't have a huge amount of control in terms of what you can do. Greater control over guest users and guest access would be better. It's pretty good as it is, but that could be improved.
The provisioning capability is a two-edged sword because it is very useful, but it also needs some improvement. When you start to deal with legacy applications, provisioning is not as intuitive. Legacy applications, a lot of times, were based on an on-premise Active Directory and you had to use it to provision users or grant access to the product. I don't know of a way to make Azure Active Directory act as an on-premises version to connect to those legacy applications. The speed and responsiveness of the technical support are things that could use some improvement.
The problem with this product is that we have limited control, and can't even see where it is running. If Microsoft can give us a way to see where this product is running, from a backend perspective, then it would be great. I would like to see Microsoft continue to add new features gradually, over time, so that we can introduce them to our customers.
Better deployment management and visibility functionality would be helpful. There is a lot of room for improvement in our infrastructure, and in particular, when we create something, we have to visit a lot of websites. This makes life more difficult for us. When we deploy new infrastructure, it begins with a lengthy approval process. For example, as an administrator, I may receive an infrastructure request from one of our developers. The developer might need access to our front-end, where all of the servers are deployed. The problem is that we don't know exactly what has been deployed within our servers, so better visibility would be helpful. It's a closed infrastructure, and every developer gets an individualized container. We don't know exactly which features have been provided to them and it's a roundabout process to log back into Active Directory and see exactly what permissions have been assigned. It requires returning to a specific feature and looking at the specific user.
The synchronization process for on-premises and Sentinel Azure AD could be easier. The support for identification to the application environment could be improved, e.g., Active Directory Federation Services should be implemented in other applications. They need something like software development kits (SDKs) for integration with our own applications, which is not so easy to implement. We would also like synchronization of identities between identities in applications like Azure.
The thing that is a bit annoying is the inability to nest groups. Because we run an Azure hybrid model, we have nested groups on-premise which does not translate well. So, we have written some scripts to kind of work around that. This is a feature request that we have put in previously to be able to use a group that is nested in Active Directory on-premise and have it handled the same way in Azure. That is something that is actively being worked on. One of the other things that we felt could be improved upon is from an Application Proxy perspective. We have applications native to SSH, and we want to be able to do app proxy to TCP/IP. It sounds like that is actively on the roadmap now, which was amazing. It makes us very excited that it is coming, because we do have use cases with that as well.
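The nesting problem raised in two of the reviews above (Group A in Group B in Group C, and the scripts written to flatten on-premises nesting for Azure AD), worked as an added Python example that is not from the reviews or from Microsoft: it computes transitive membership the way on-premises AD evaluates it, derives the flat per-group membership a workaround sync script would push, and keeps terminating when groups are nested in a cycle. The group names, users and the systems each group grants are constructed sample data.

```python
"""Flatten nested (transitive) group membership.

Added example, not code from the reviews or from any Microsoft tool.
On-premises AD honours nesting: a user placed in Group A, which is in
Group B, which is in Group C, inherits everything B and C grant. A directory
that only looks at direct membership misses that, so a sync script has to
compute the transitive closure and push the flattened result.
"""
from collections import deque

# Constructed sample data: group -> parent groups it is nested in.
NESTING = {
    "Group A": ["Group B"],
    "Group B": ["Group C"],
    "Group C": [],
    "Contractors": ["Group C"],
}
# Constructed: direct user members per group (what an admin actually added).
DIRECT_MEMBERS = {
    "Group A": ["alice"],
    "Group B": ["bob"],
    "Group C": ["carol"],
    "Contractors": ["dave"],
}
# Constructed: the system each group grants access to.
GRANTS = {
    "Group A": "app-a",
    "Group B": "payroll",
    "Group C": "file-share",
}


def parent_groups(group, nesting):
    """Every group that `group` is transitively nested in.

    Breadth-first with a seen-set, so circular nesting (which AD permits)
    cannot make the walk loop forever.
    """
    seen, queue = set(), deque(nesting.get(group, []))
    while queue:
        parent = queue.popleft()
        if parent in seen:
            continue
        seen.add(parent)
        queue.extend(nesting.get(parent, []))
    return seen


def effective_groups(user, direct_members, nesting):
    """Groups the user belongs to directly or through nesting, i.e. what
    on-premises AD puts into the logon token."""
    groups = set()
    for group, members in direct_members.items():
        if user in members:
            groups.add(group)
            groups |= parent_groups(group, nesting)
    return groups


def effective_access(user, direct_members, nesting, grants):
    """Systems reachable through any effective group."""
    groups = effective_groups(user, direct_members, nesting)
    return {grants[g] for g in groups if g in grants}


def access_lost_without_nesting(user, direct_members, nesting, grants):
    """Access the user would silently lose if only direct membership counted."""
    direct_only = {grants[g] for g, m in direct_members.items()
                   if user in m and g in grants}
    return effective_access(user, direct_members, nesting, grants) - direct_only


def flatten(direct_members, nesting):
    """Direct membership a flat (non-nesting) directory must hold so each
    group's member list equals its on-premises effective membership."""
    flat = {group: set(members) for group, members in direct_members.items()}
    for group, members in direct_members.items():
        for parent in parent_groups(group, nesting):
            flat.setdefault(parent, set()).update(members)
    return flat


def find_cycles(nesting):
    """Groups nested inside themselves; flattening still terminates, but a
    cycle usually means an accidental grant and should be reported."""
    return sorted(g for g in nesting if g in parent_groups(g, nesting))


if __name__ == "__main__":
    print("alice effective groups:",
          sorted(effective_groups("alice", DIRECT_MEMBERS, NESTING)))
    print("alice access lost if nesting is ignored:",
          sorted(access_lost_without_nesting("alice", DIRECT_MEMBERS, NESTING, GRANTS)))
    for group, members in sorted(flatten(DIRECT_MEMBERS, NESTING).items()):
        print(f"{group}: {sorted(members)}")
    cyclic = {**NESTING, "Group C": ["Group A"]}  # constructed cycle A -> B -> C -> A
    print("cycles:", find_cycles(cyclic))
```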
The Azure AD Application Proxy, which helps you publish applications in a secure way, is really good, but has room for improvement. We are moving from another solution into the Application Proxy, and the other one has features that the App Proxy doesn't have. An example is where the role you're signing in as will send you to different URLs, a feature that App Proxy doesn't have (yet). With Azure AD, if you look in detail at any of the features, you will see 20 good things but it can be missing one thing. All over the place there are small features that could be improved, but these improvements are coming out all the time. It's not like, "Oh, it's been a year since new features came out." Features are coming out all the time, and I've even contacted Microsoft and requested some changes and they've been implemented as well.
The user administration has room for improvement because some parts are not available within the Azure AD portal, but they are available within the Microsoft 365 portal. When I want to assign that to a user, it would be great if that would be available within the Azure AD portal. It would be awesome to have a feature where you can see the permissions of a user in all their Azure subscriptions. Right now, you have to select a user, then you have to select the subscription to see which permissions the user has in their selected subscriptions. Sometimes, you just want to know, "Does that user have any permissions in any subscriptions?" That would be awesome if that would be available via the portal.
We have a custom solution now running to tie all those Azure ADs together. We use the B2B functionality for that. Improvements are already on the roadmap for Azure AD in that area. I think they will make it easier to work together between two different tenants in Azure AD, because normally one tenant is a security boundary. For example, company one has a tenant and company two has a tenant, and then you can do B2B collaboration between those, but it is still quite limited. For our use case, it is enough currently. However, if we want to extend the collaboration even further, then we need an easier way to collaborate between two tenants, but I think that is already on the roadmap of Azure AD anyway.
The integration between the Azure Active Directory and the traditional Active Directory could be improved upon. We have two Active Directories that are installed on virtual machines, which are traditional Active Directories. The interactions between the two are very limited. For example, I could modify users in our own private instances of AD; however, they won't propagate up to the Azure Active Directory and vice versa. For us, the integrations are the biggie between the on-prem or self-hosted AD and Azure AD. The traditional AD instances that we maintain have UIs that are very archaic and monolithic and very difficult to navigate. They should update the UI to make it easier to navigate and make it overall more modern.
Overall, it's not a very intuitive solution. When you have an Office 365 enterprise subscription, it comes with Azure Active Directory. We don't have a subscription to Active Directory, but our Active Directory connector puts our credentials into the Azure Active Directory. On the Office 365 side, we're also in GCC High 365, so it's a lot more locked down. There are a few things that aren't implemented which make things frustrating. I don't blame the product necessarily, but there are links and things within there that still point back to the .com side and not the .us side. There's a security portal and a compliance portal. They're being maintained, but one's being phased in and the others are being phased out. Things continue to change. I guess that's good, but it's just been a bit of a learning curve. Our Office 365 subscriptions are tied to our on-prem domain — I have a domain admin there. With our Active Directory connector, our on-prem credentials are being pushed to the cloud. We also have domain credentials in the cloud, but there's no Office subscription tied to it, just to do the administration stuff. I moved my sync credential to have a lot more administrative privileges. Some of the documentation I was reading clearly showed that when you have this particular ability right on the Azure side, and then you have another ability on the Office side, intuitively the Microsoft cloud knows to give you certain rights to be able to do stuff. They're just kind of hidden in different places. Some things are in Exchange, and some things are in the Intune section. We had a few extra light subscriptions that weren't being used, so I gave my microsoft.us admin account a whole other subscription. In the big scheme of things, it's roughly $500 a year additionally — it just seems like a lot. I didn't create a mailbox for that, and I was trying to do something in Exchange Online and it said I couldn't do it because I didn't have a mailbox.
You can expect a different user experience between on-prem and online. Through this cloud period, we have Premier services, we have a Premier agreement, and we had an excellent engineer help us with an Exchange upgrade where we needed a server. We needed an OS upgrade and we needed the Exchange upgrade on the on-prem hybrid server. We asked this engineer for assistance because my CIO wanted to get rid of the on-prem Exchange hybrid server, but everything that I was reading was saying that you needed to keep it as long as you had anything on-prem. We asked the engineer about it and he said, "Yeah, you want to keep that." In his opinion, it was at least going to be two years. So at least I got my CIO to stop talking about that. It's just been an interesting time in this transition between on-prem and in the cloud. In a secure environment, a lot of this stuff is PowerShell, which is fine. It's a learning curve, but if you don't use it all the time, then it's a lot of back and forth with looking at the documentation and looking at other blogs. If you're in a secure environment, the WinRM (Windows Remote Management) stuff can be blocked, and that's frustrating, too.
It's not intuitive, and we use it mainly for our hybrid capability now and are expanding our footprint in Microsoft 365. The integration between on-prem and online is interesting. However, the learning curve is high. When you have an Office 365 enterprise subscription, it comes with Azure Active Directory; however, you don't have an Azure subscription. Yet all of our Active Directory connectors put our credentials into Azure Active Directory. There are enough things that aren't implemented on our side, and we are in the middle of this transition. I don't blame the product necessarily for that. However, there are links and items within Microsoft 365 that still point back to the .com side. Items seem to continue to move, such as security and compliance. Now there's a security portal and a compliance portal, and all three are still being maintained; however, one's being phased in and the others are being phased out. Things continue to change. It's just been a bit to learn. There's a lot to keep track of. There should be a bit more transparency. The Office 365 subscriptions are a bit confusing in a hybrid environment with regard to which credential has a Microsoft 365 subscription. However, some of the documentation I was reading this week was where I ran into a wall. This particular document clearly showed that when you have a particular ability on the Azure side, and then you have another ability on the Office side, intuitively the Microsoft cloud knows to give you certain other rights to be able to do stuff. These settings and configurations are in different places. Some things are in Exchange Online, some things are in the Intune section, etc. I am not sure if the intent is to have a Microsoft 365 administrator with a second subscription for a cloud admin account or not. I was trying to do something in Exchange Online and received a message that I couldn't do it because I didn't have a mailbox. It's frustrating and confusing at times.
There are things like that which are just a different user experience between on-prem and online. The Microsoft Premier Agreement we have has been very beneficial, and we have had an excellent experience with a couple of different short-cycle projects.
The licensing could be improved. There is Premium 1 and Premium 2, or P1 and P2, licensing right now, and a lot of organizations are a little bit confused about the licensing information that they have. They want to know how much they're spending. It's not really clear cut. Transitioning to the cloud is very difficult. They need the training to make it easier. They should probably put in more training or even include it in the licensing so that the people who manage their environment have somewhere to come to learn on their own. Maybe there could be some workshop or training within Azure. The solution could offer better notifications. They do upgrades once or twice a year. They need to do a better job of alerting users to the changes that are upcoming - especially on the portal where you manage your users and accounts. There needs to be enough time to showcase the new features so your organization is not surprised or put off by sudden changes.
The only issue with Azure AD is that it doesn't have control over the Wi-Fi network. You have to do something more to have a secure Wi-Fi network. To have it working, you need an Active Directory server on-premises to take care of the networks.
The onboarding process for new users can be improved. It can be made simpler for people who have never registered with Azure AD previously and need to create an account and enable MFA. The initial setup can be made simpler for non-IT people. It should be a bit simpler to use. Unless you get certifications, such as AZ-300 and AZ-301, it is not a simple thing to use at the enterprise scale.
Technical support could be faster.
We find that most of the new features are in preview for too long. It gives you the announcement that there's a new feature, and yet, most of the time, it takes more than one year to have it generally available. Often we have to go and sometimes just use a preview without support. We cannot run all the configurations from the APIs. I would like to have something that has code and to just be able to back up and apply my configuration. Right now, we are managing more Azure tenants. It's hard to keep all of those configurations at the same level, the same value. We would like to have more granularity in Azure conditional access in order to be able to manage more groups for applications. That way, when adding a new application I don't have multiple conditional access policies to modify. One of the main requests from our security team is the MFA challenge. Azure, by default, is more user-friendly. We have a lot of debates with the security team here as the MFA doesn't pop up often enough for them. From an end-user perspective, it's a better user experience, as users generally prefer fewer pop-ups; however, security doesn't like it. It's hard for security to add. We don't have Azure Premium P2 yet; however, most of the advanced security features are in P2, and it costs a lot more money.
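One way to script the "back up and apply my configuration" and "keep several tenants at the same level" parts of this review, as an added example that is not the reviewer's code and not a Microsoft-supplied tool: export each tenant's Conditional Access policies to JSON with the Microsoft Graph PowerShell SDK, then diff two backups and flag drift in state, conditions or grant controls. It assumes the Microsoft.Graph module is installed and the signed-in account holds the Policy.Read.All permission; the tenant IDs, policy names and group ID in the sample are constructed placeholders.

```powershell
# Added example, not code from the reviewers or from Microsoft. Backs up a tenant's
# Conditional Access policies as JSON and flags drift between two tenants' backups.
# Assumes the Microsoft.Graph PowerShell SDK and an account with Policy.Read.All.
# Tenant IDs, policy names and group IDs below are constructed placeholders.

function Export-CaPolicies {
    param(
        [Parameter(Mandatory)] [string] $TenantId,
        [Parameter(Mandatory)] [string] $OutDir
    )
    Connect-MgGraph -TenantId $TenantId -Scopes 'Policy.Read.All' -NoWelcome
    New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
    foreach ($policy in Get-MgIdentityConditionalAccessPolicy -All) {
        $file = Join-Path $OutDir (($policy.DisplayName -replace '[^\w\-]', '_') + '.json')
        # Depth matters: ConvertTo-Json's default depth of 2 silently truncates nested conditions.
        $policy | ConvertTo-Json -Depth 20 | Set-Content -Path $file -Encoding UTF8
    }
    Disconnect-MgGraph | Out-Null
}

function Import-CaBackup {
    param([Parameter(Mandatory)] [string] $Dir)
    $set = @{}
    foreach ($f in Get-ChildItem -Path $Dir -Filter '*.json') {
        $p = Get-Content -Path $f.FullName -Raw | ConvertFrom-Json
        $set[$p.DisplayName] = $p
    }
    return $set
}

function Compare-CaPolicySets {
    param(
        [Parameter(Mandatory)] [hashtable] $Baseline,
        [Parameter(Mandatory)] [hashtable] $Candidate
    )
    $findings = New-Object System.Collections.Generic.List[string]
    foreach ($name in $Baseline.Keys) {
        if (-not $Candidate.ContainsKey($name)) {
            $findings.Add("MISSING  '$name' is not present in the candidate tenant")
            continue
        }
        $b = $Baseline[$name]; $c = $Candidate[$name]
        if ($b.State -ne $c.State) {
            $findings.Add("STATE    '$name': baseline=$($b.State) candidate=$($c.State)")
        }
        # Compare only the sections that decide who gets challenged and how;
        # object ids and timestamps differ between tenants by design and are ignored.
        foreach ($section in 'Conditions', 'GrantControls', 'SessionControls') {
            $bj = $b.$section | ConvertTo-Json -Depth 20 -Compress
            $cj = $c.$section | ConvertTo-Json -Depth 20 -Compress
            if ($bj -ne $cj) { $findings.Add("DRIFT    '$name': $section differs") }
        }
    }
    foreach ($name in $Candidate.Keys) {
        if (-not $Baseline.ContainsKey($name)) {
            $findings.Add("EXTRA    '$name' exists only in the candidate tenant")
        }
    }
    return $findings
}

# Constructed sample: two in-memory policy sets standing in for two tenants' backups,
# so the comparison can be exercised without connecting to a tenant.
$baseline = @{
    'Require MFA for all users' = [pscustomobject][ordered]@{
        DisplayName     = 'Require MFA for all users'
        State           = 'enabled'
        Conditions      = [ordered]@{ Users = [ordered]@{ IncludeUsers = @('All') } }
        GrantControls   = [ordered]@{ Operator = 'OR'; BuiltInControls = @('mfa') }
        SessionControls = $null
    }
}
$candidate = @{
    'Require MFA for all users' = [pscustomobject][ordered]@{
        DisplayName     = 'Require MFA for all users'
        State           = 'enabledForReportingButNotEnforced'
        Conditions      = [ordered]@{ Users = [ordered]@{ IncludeUsers = @('All'); ExcludeGroups = @('<constructed-group-id>') } }
        GrantControls   = [ordered]@{ Operator = 'OR'; BuiltInControls = @('mfa') }
        SessionControls = $null
    }
}
Compare-CaPolicySets -Baseline $baseline -Candidate $candidate
```

In the constructed sample the candidate tenant has the same policy name but in report-only mode and with an added exclusion group, which is exactly the kind of quiet weakening the comparison is meant to surface. For live use, run `Export-CaPolicies` once per tenant into separate folders, load each with `Import-CaBackup`, and keep the exported JSON under version control so policy changes get the same review as code changes.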
I think the documentation and configuration are both areas that need improvement. The product changes and gets updated, but the documentation doesn't keep pace. The initial setup could be simplified. I would like to see a better UI tool.
It would be ideal if the solution moved to a passwordless type of environment. It's the future of authentication. It's also more secure and convenient.
Microsoft has a feedback page on which anyone who has suggestions or feedback can send them in. They have all of the technical resources available on the internet, on their website. In case you need support, you can easily open a ticket with them because you already have a subscription and you are eligible to open a ticket.
My only pain point in this solution is creating group membership for devices. This is something that could be improved. Essentially, I want to be able to create collection groups, or organizational units and include devices in there. I should be able to add them in the same way that we can add users. We want to be able to create members as devices in groups, without having to leverage a dynamic group membership with queries. I want to be able to just pick machines, create a group, and add them.
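Scripting the workflow this reviewer describes (pick named machines, create a group, add them as members, with no dynamic membership rule) against Microsoft Graph, as an added example that is not the reviewer's code and not a Microsoft-supplied tool: the function creates an assigned security group and adds each device by display name, refusing to add anything when a name matches zero or more than one device object. It assumes the Microsoft.Graph PowerShell SDK is installed and the account holds the Group.ReadWrite.All and Device.Read.All permissions; the group and device names are constructed placeholders.

```powershell
# Added example, not the reviewer's or Microsoft's code. Creates an assigned (static)
# security group and adds chosen devices as members by display name.
# Assumes the Microsoft.Graph PowerShell SDK and an account with
# Group.ReadWrite.All and Device.Read.All. Group and device names are constructed.

function New-DeviceGroupByName {
    param(
        [Parameter(Mandatory)] [string]   $GroupName,
        [Parameter(Mandatory)] [string[]] $DeviceNames
    )
    Connect-MgGraph -Scopes 'Group.ReadWrite.All', 'Device.Read.All' -NoWelcome

    # Assigned membership: no MembershipRule, so only explicitly added objects belong.
    $group = New-MgGroup -DisplayName $GroupName -MailEnabled:$false `
        -MailNickname ($GroupName -replace '[^\w]', '') -SecurityEnabled:$true

    $report = foreach ($name in $DeviceNames) {
        # Double any single quote so the value cannot break out of the OData filter string.
        $safe = $name -replace "'", "''"
        $devices = @(Get-MgDevice -Filter "displayName eq '$safe'")

        if ($devices.Count -eq 0) {
            [pscustomobject]@{ Device = $name; Status = 'not found' }
            continue
        }
        # Display names are not unique in Azure AD; do not guess which object was meant.
        if ($devices.Count -gt 1) {
            [pscustomobject]@{ Device = $name; Status = "ambiguous ($($devices.Count) matches)" }
            continue
        }

        New-MgGroupMember -GroupId $group.Id -DirectoryObjectId $devices[0].Id
        [pscustomobject]@{ Device = $name; Status = 'added' }
    }

    Disconnect-MgGraph | Out-Null
    return $report
}

# Constructed usage: group and device names are placeholders, not real objects.
New-DeviceGroupByName -GroupName 'Constructed-Finance-Laptops' -DeviceNames 'FIN-LT-001', 'FIN-LT-002'
```

The returned report lists one status per requested device, so a run that silently skipped an ambiguous or missing name is visible rather than lost; matching on the device object ID instead of the display name would remove the ambiguity case entirely where IDs are already known.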
Microsoft needs to add a single setup, so whenever resources join the company or are leaving the company, all of the changes can be made with a single click. I would like to see a secure, on-premises gateway that offers connectivity between the physical servers and the cloud. The capability already exists, but it is not secure enough when the setting is marked private.
The SSO MyApps interface is very basic and needs better customization capabilities.