Best way to facilitate roaming users for M365

Velvis

Someone reached out to me who is currently using a Citrix environment but needs to move to M365. His concern is having users be able to securely log in to their own accounts regardless of what PC they are using, and making sure a user doesn't log in to (or have a computer already logged on to) another user's account.

So if I understand it correctly, he is really looking for a cloud-based domain. If I am not mistaken, the higher levels of M365 provide this functionality, correct?

Can anyone recommend some good resources on this?


Thanks!
 
Microsoft 365 Business Premium...so you can leverage Azure P1, as well as Intune configuration profiles to "push out" enforcing things like ...OneDrive...with settings that you wish. Also there is a roaming user state setting in Azure...which pushes out some more user state settings.
 
This guy seems a little on the cheap side. What's the most inexpensive way to implement it? And by cutting those corners, what is he going to be missing?
 
Without Intune...you lose automation. SO...things have to be done "manually"...each time a user wants to log in.
Intune also ensures settings get driven home each time a user logs into a computer. Intune is really like the 365 version of Group Policies.

Yes, the licensing costs more. But it's much much MUCH cheaper than...paying you to hover over the computers all the time to configure for users each time. And frequently remote in to fix things that break...because end users will do that...and there are no Intune profiles in place to drill those settings back home. How much do you have per hour?

You also get Conditional Access policies...so you can do things like only allow login from the IP range of the Citrix servers. CA policies...don't come with lower subs. CA policies...are important for security.

You also get Defender P1...which is very important for security....

Yeah...Business Premium is a lot of "bang for the buck".
 
Roaming Profiles only work when you have a target to store them. They are not cloud capable.

However, within M365 you have OneDrive services for each user, and when the backup for OneDrive is enabled it syncs up the Documents, Desktop, and Pictures folders.

In addition, it syncs Outlook Signatures.

Edge supports use of M365 logins for backing up passwords, history, and cookies.

The combination of the three things means that an endpoint where the user logs into these services will give you most of the functionality granted from a roaming profile. But it's very much NOT a roaming profile, and you do not want to support roaming profiles... ever.

Limiting access to M365 services to company-owned devices is a very wise policy, and as mentioned previously it requires at a minimum Entra ID P1. You must configure a Conditional Access policy to enforce Entra ID membership to allow login. This forgoes the Intune requirement while filling the security objective.

Beware, Conditional Access policies, while not hard, are detailed. Make a mistake and you can lock yourself out of the tenant. Make a mistake and you can fail to enforce MFA and let the bad guys in. Tread lightly!
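The policy that post describes, as an added example that is not from the thread: a Microsoft Graph PowerShell call that creates a Conditional Access policy blocking sign-in from anything that is not an Entra joined or hybrid-joined device (no Intune compliance needed), created in report-only mode and with an emergency-access account excluded so the lockout the post warns about cannot happen. Assumed: the Microsoft.Graph module is installed, you hold a role allowed to write Conditional Access policies, and $BreakGlassUserId is a placeholder for your emergency-access account's object id.

```powershell
# Added example, not the poster's own configuration.
# Creates a "company devices only" Conditional Access policy via Microsoft Graph.
Import-Module Microsoft.Graph.Identity.SignIns
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All'

# PLACEHOLDER: object id of your dedicated emergency-access (break-glass) account.
$BreakGlassUserId = '00000000-0000-0000-0000-000000000000'

$policy = @{
    displayName = 'CA - Block sign-in from non-Entra-joined devices'
    # Report-only first: sign-in logs show who WOULD be blocked before anything is enforced.
    state       = 'enabledForReportingButNotEnforced'
    conditions  = @{
        clientAppTypes = @('all')
        applications   = @{ includeApplications = @('All') }
        users          = @{
            includeUsers = @('All')
            # Excluding the break-glass account is what keeps a mistake from locking you out of the tenant.
            excludeUsers = @($BreakGlassUserId)
        }
        devices        = @{
            # Devices matching this filter are taken OUT of scope, i.e. they are allowed through.
            # Entra joined = "AzureAD", hybrid joined = "ServerAD". Entra *registered* (BYOD) devices
            # have trustType "Workplace" and unknown devices have none, so both stay in scope and get blocked.
            deviceFilter = @{
                mode = 'exclude'
                rule = 'device.trustType -eq "AzureAD" -or device.trustType -eq "ServerAD"'
            }
        }
    }
    grantControls = @{
        operator        = 'OR'
        builtInControls = @('block')
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
'Created policy {0} in state {1}' -f $created.Id, $created.State
```

Review the "Report-only" results in the Entra sign-in logs for a few days, then switch the state to `enabled` only once the break-glass exclusion has been tested by signing in with that account.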
 
Could someone explain how Azure P1 would work if the user needed to use a random computer unrelated to the business. For example, the employee is at home and needs to use their kid's computer. Are they able to log in and have all their shared drives and file access available directly in the OS (vs. through the web browser), and if so how long does that take to get going, and when they log out does it just all disappear?
 
That would be an "Azure AD Registered" computer...instead of an "Azure AD Joined".
So you get less control, less security, less automation. Many things will have to be done manually.

You "could" still manually install the Office suite
You "could" still manually sync OneDrive...thus begin to allow company files/data to exist on their personal computer (but do you want that, what if they get fired, or leave)
You "could" still manually install Teams
You "could" still manually sync the Teams/SP libraries (same question as above)

....but remember....that data is on a personal computer. Possibly with some horrible cheapo antivirus like McAfee or Webroot...or whatever the local Best Buy is pushing. Likely expired. Possibly nothing. No management of BitLocker. No other security software on it...thus quite likely to fall to a "token theft attack".

IMO....kinda better off enforcing "browser only access" for personal computers/BYODs....instead of letting them sync company data locally. They can still get a lot of stuff done, still access their work computer's OneDrive through the web version, still access email through OWA, still access Teams through the web version.
 
All Stonecat said is absolutely true. Conditional Access Policy is a very deep well, and it's a critical component of developing your Identity pillar in your Zero Trust model.

Is your pillar a stack of rocks? Or is it a Roman pillar, pristine, the type that will baffle archaeologists in a thousand years because it's still there?

The platform has the room to support both ideas, and each organization gets to figure out how it wants to slice it. For my part, I'm usually sticking to the basics, and I try to steer away from "phishing resistant" MFA types, because that's when we start limiting access to trusted hardware. I'd rather have companies investing in our SOC to gain that level of control, because it's a more fluid solution. Automating this process requires process maturity on the part of the business I'm working with, and most just aren't ready!

Because yes, if you tell Conditional Access you have to have an Entra ID Joined device, then registered devices no workie no more. Which is THE POINT of such a policy.

But if you don't know the difference between: Entra ID Joined, Entra ID Hybrid-Joined, and Entra ID Registered... you're already out of depth. I suggest the study material for the SC-900 exam. There are some basics that you have to focus on, and again diving into Conditional Access is DEEP, but it's also a very VERY important dive. We need as many Conditional Access experts as we can possibly get on this planet.
 
So your post asks about Roaming Profiles.
But first...think about what it is...that you want to have follow the user...from device to device.

Some people used roaming profiles way in the old days....only to really use it to back up the Docs and Desktop folders....but that got replaced with the much more efficient "folder redirection" of group policy. Didn't need to move all of the "junk" also included under the users profile.

Others used it a bit more advanced..to have things like Outlook...already configured, signature, nickname cache, browser stuff, desktop, blah blah, etc etc.
Yeah there are some things that can live in "appdata"....as time went on, less and less leaned on that.

But honestly...most of that stuff is already replaced with existing stuff in 365.
OneDrive takes over folder redirection.
Browser stuff...saved in Chrome..and better yet...Edge...and Edge ties in with the user's 365 account.
Printers...pushed out via Universal Print in 365
For Outlook...signatures are now stored upstream in the mailbox. And for quite a few years now...the nickname cache is also already kept upstream in the mailbox. And Outlook is just so darned easy to auto configure...a caveman can do it...but if you want more, Intune can push out a true Outlook autoconfig with custom settings (like download all email).
Intune can push out software installs from the Microsoft Store (and more).
Intune can enforce BitLocker encryption.
Intune can auto configure syncing Teams/SP libraries.
Intune can auto configure OneDrive...with custom settings like exclude certain file types, enforce Files On-Demand, warn users of large volume file deletions, etc.


Intune is your new group policy tool.

Also...365 has a feature called Enterprise State Roaming...which does bring along some more customized user stuff. Caveat is...software that supports it is required; usually most modern apps gotten from the Microsoft Store do...but there are other things this piles on.

Now, granted, all this fun "Intune" stuff doesn't apply to your home/BYOD users....because if their computers are not "joining the domain" of AzureAD...AzureAD doesn't have the power and permissions needed to apply "most stuff". Sorta like the old days of an on-prem server with Active Directory: you joined a workstation to the domain...so that the domain controller was "the boss" of not only the users...but also of the "computers". And you could then leverage stuff like login scripts, group policies, system management, etc. It's....similar with 365. It becomes more powerful as you set things up with AzureAD...properly "joining"...and things like Intune can come into play.

Now, with CA policies (conditional access policies)...you can leverage some enforcement of basic security. Say you wanted to block the ability for apps like OneDrive to sign in and sync files locally...you can do that! Some businesses may not ever want to allow business documents to sync/show up on end users' personal computers at their house. Just think of the "housekeeping" best practices that this breaches, and also the possible compliance issues depending on the type of business.
 
Is there an exam that covers this, and related study material like @Sky-Knight mentioned above where he recommended SC-900 exam materials?
 
SC-900 is the level 0 test for all Microsoft Security Products, it introduces a TON of concepts that everyone here needs to know to even think about interfacing with M365 and Azure.

The exam you're asking about is the SC-300, completion of which earns you:

Microsoft Certified: Identity and Access Administrator Associate


All of the security exams are in this blog post: https://techcommunity.microsoft.com/blog/microsoftlearnblog/introducing-microsoft’s-new-security-certifications/2147106
 
That said...my learning was most productive via YouTube channels some 365 specialists put out.
And a lot of hands-on playing.
If you used to have an understanding of Group Policy in old on-prem Active Directory, you can easily adjust to Intune.
 
Conditional Access is not related to Intune.
Intune Configuration Policies are similar to, but not the same as Group Policy objects.
Intune Compliance Policies have no analog in Active Directory, but have a similar structure to Intune Configuration policies.

All of these things are indeed similar, and all of them require testing and hands on to sink in. The tests are great, but I will again echo Stonecat, there is no replacement for a lab. You've got to get your hands in this and see it work.
 
But how do you load up a tenant that's not live with lots of data? Some YouTubers seem to have access to the famous Contoso corp. I looked into getting that sample company for 365 but didn't have any success.
 
You don't, you use yourself as a lab like a sane person: https://learn.microsoft.com/en-us/partner-center/membership/partner-launch-benefits

Partner Launch Benefits is $400 / year and contains 5 seats of Business Premium.
Partner Success Core Benefits is $900 / year and contains 15 seats of Business Premium and a ton of on premise stuff.

I'm buying the latter for just myself, just so I have sufficient seats to use my M365 estate as my lab correctly.

These expenses are a rounding error on the year, go get them... play... learn. Get yourself to a place where you're making full use of M365 Business Premium and you'll know most of the Defender Suite, and be quite proficient with Conditional Access.

If nothing else... YOU are in a better place.
 
Damn, that's a steal. I'm already paying $12.50 per month plus another $2.00 for BP and EOP1. At $400 that's only a $226 premium. And, it's actually $345 according to the page you linked, or $171 more than what I'm paying now.

I presume I'm free to use those licenses how I want in my business, for my business. Of course, not resell any of them or rent them out.
 
Yep! That's how I do my M365 licensing for my own tenant. You get the partner deal, and apply it via coupon code to your M365 tenant and the licensing is golden.

I used the crap out of the Action Pack previously, which was a little more money for similar things. But the new Cloud Focused partner stuff starts this month, because the Action Pack is dead as of January. And these new programs are SO MUCH BETTER.

I went for the $1,000 one (taxes yay), because it leaves in some of the on premise stuff. It also pushes the Azure credits to $200 / month, which is some serious cash to trial run the Azure space stuff too. It's an absolute steal for your lab, even for just me. But for anyone that is cost averse... you really don't have an excuse not to get the Launch benefits.

The part that sucks? No more desktop license... I used the 10 Pro seats... those are gone now. So I get to buy new Windows 11 licenses for all my junk. That's another $1400... but it's more of a one time thing. I've got 2 of those down now, will work through the rest over the next year.
 