New Microsoft 365 Business Capabilities – Identity Enhancements
There are some new scenarios supported with Microsoft 365 Business which address one of the main concerns I encountered when talking to others about the product. The newly supported scenario is the use of Azure Active Directory (AAD) Connect to synchronise on-premises Active Directory objects to Azure Active Directory, and the flow-on effect of that: Hybrid Azure Active Directory Join capabilities.
What are the benefits of these changes in support for AAD Connect with Microsoft 365 Business? The first is that it expands the market for Microsoft 365 Business dramatically. Rather than a smaller niche solution focused on cloud-only organisations (or those well on the way there), it is now much more inclusive of those who need to keep existing workloads running. On-premises line-of-business apps, file servers and extensive Group Policy settings were some of the common requirements that may previously have kept Microsoft 365 Business out of consideration, but now it's definitely worth re-evaluating.
The second set of benefits, provided by Hybrid Azure Active Directory Join, includes enhanced single sign-on capabilities, Enterprise State Roaming via AAD, and Microsoft Store for Business access using AAD credentials. Here are the articles you should read to get started with Hybrid Azure Active Directory Join.
Azure AD + Domain Join + Windows 10 (this one is from over two years ago but is a good starting point)
Enable domain-joined Windows 10 devices to be managed by Microsoft 365 Business (I think this might be the first official reference to Microsoft 365 Business officially supporting this capability)
Set up hybrid Azure AD joined devices
Enroll a Windows 10 device automatically using Group Policy
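Once AAD Connect is synchronising and the Group Policy from the last article above has applied, the check you want is that the device actually ended up Hybrid Azure AD joined and is set to auto-enroll. The PowerShell below is an added example, not code from the original post or from Microsoft's documentation. It parses `dsregcmd /status` and confirms the state Hybrid Azure AD Join should produce: DomainJoined and AzureAdJoined both YES, EnterpriseJoined NO, and an Azure AD Primary Refresh Token (AzureAdPrt) present, because without the PRT the single sign-on benefit described above does not materialise. It then checks that the auto-enrollment GPO has landed. Assumptions not stated on the page: the GPO "Enable automatic MDM enrollment using default Azure AD credentials" writes the `AutoEnrollMDM` value under `HKLM\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\MDM` and creates the named scheduled task under `\Microsoft\Windows\EnterpriseMgmt\`; the sample `dsregcmd` lines at the bottom are constructed, not a real capture.

```powershell
# Added example (not from the original post or from Microsoft): verify that a
# domain-joined Windows 10 device has completed Hybrid Azure AD Join and that the
# Group Policy auto-enrollment into Intune is in place.

function ConvertFrom-DsregcmdStatus {
    # Turn the "Key : Value" lines of `dsregcmd /status` into a hashtable.
    # The first occurrence of a key wins; section banners are ignored.
    param([Parameter(Mandatory)][string[]]$Lines)
    $status = @{}
    foreach ($line in $Lines) {
        if ($line -match '^\s*([A-Za-z0-9_]+)\s*:\s*(.+?)\s*$') {
            if (-not $status.ContainsKey($Matches[1])) {
                $status[$Matches[1]] = $Matches[2]
            }
        }
    }
    return $status
}

function Test-HybridAzureAdJoin {
    param(
        # Pass captured output to evaluate offline; otherwise dsregcmd runs live.
        [string[]]$DsregcmdOutput
    )
    if (-not $DsregcmdOutput) {
        $DsregcmdOutput = & dsregcmd.exe /status
    }
    $s = ConvertFrom-DsregcmdStatus -Lines $DsregcmdOutput

    $domainJoined     = $s['DomainJoined']     -eq 'YES'
    $azureAdJoined    = $s['AzureAdJoined']    -eq 'YES'
    $enterpriseJoined = $s['EnterpriseJoined'] -eq 'YES'   # expected NO for hybrid join
    $prt              = $s['AzureAdPrt']       -eq 'YES'   # needed for SSO to AAD-backed apps

    # Assumption: this is the value the auto-enrollment GPO writes (1 = enabled).
    $policyKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\MDM'
    $autoEnroll = (Get-ItemProperty -Path $policyKey -Name AutoEnrollMDM `
                       -ErrorAction SilentlyContinue).AutoEnrollMDM

    # Assumption: this is the task the enrollment client creates once the GPO applies.
    $task = Get-ScheduledTask -TaskPath '\Microsoft\Windows\EnterpriseMgmt\' `
        -TaskName 'Schedule created by enrollment client for automatically enrolling in MDM from AAD' `
        -ErrorAction SilentlyContinue

    [pscustomobject]@{
        DomainJoined          = $domainJoined
        AzureAdJoined         = $azureAdJoined
        EnterpriseJoined      = $enterpriseJoined
        HybridJoined          = ($domainJoined -and $azureAdJoined -and -not $enterpriseJoined)
        PrimaryRefreshToken   = $prt
        TenantName            = $s['TenantName']
        AutoEnrollMdmPolicy   = ($autoEnroll -eq 1)
        EnrollmentTaskPresent = ($null -ne $task)
    }
}

# Constructed sample of the relevant dsregcmd /status lines (not a real capture).
$sample = @'
             AzureAdJoined : YES
          EnterpriseJoined : NO
              DomainJoined : YES
                DomainName : CONTOSO
                TenantName : Contoso Pty Ltd
                AzureAdPrt : YES
'@ -split "`r?`n"

# Offline run against the sample; omit -DsregcmdOutput on a real device.
Test-HybridAzureAdJoin -DsregcmdOutput $sample | Format-List
```

On a device that has been joined and enrolled, expect `HybridJoined` and `PrimaryRefreshToken` to be true; a device that shows `AzureAdJoined : YES` but `AzureAdPrt : NO` has registered but the user has not yet signed in with an account AAD Connect has synchronised, which is the usual reason SSO "doesn't work" immediately after the join. The registry and scheduled-task checks run against the local machine regardless of which `dsregcmd` output you pass in.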
What's important to note is that Microsoft 365 Business includes enhanced AAD capabilities versus Office 365 Business Premium, but it's not AAD Premium P1. For those of you familiar with AAD Premium P1, it includes additional capabilities such as Conditional Access and self-service password reset with on-premises write-back, amongst others. Here's a list from the Microsoft 365 Business Service Description that I've massaged a little to suit the purposes of this post.
| Identity and Access management features | Office 365 Business Premium | Microsoft 365 Business | AAD Premium P1 |
|---|---|---|---|
| Single Sign On (SSO) for > 10 apps | No | Yes | Yes |
| Multi-Factor Authentication (MFA) | No | Yes | Yes |
| Administrative Units (Preview) | No | No | Yes |
| Cloud app discovery | No | No | Yes |
| Dynamic Groups | No | No | Yes |
| Self-service password reset for cloud identities | Yes | Yes | Yes |
| Self-service password reset with on-premises AD write-back | No | No | Yes |
| Device objects two-way synchronization between on-premises directories and Azure AD (device write-back) | No | No | Yes |
| Conditional access | No | No | Yes |
| Company branding (logon pages/access panel customization) | Yes | Yes | Yes |
| Application policy | No | No | Yes |
| Connect Health | No | No | Yes |
| SLA 99.9% | Yes | Yes | Yes |
Now that Microsoft 365 Business includes additional value with Office 365 Advanced Threat Protection, Exchange Online Archiving and Azure Information Protection P1, it can still make sense to add AAD Premium P1 on top if you need any of the capabilities marked "No" above, and you will still end up at a lower price per user than assembling the same set of services without Microsoft 365 Business as the base. The story has changed quite a bit with this release, especially considering that you also now get full Intune capabilities rather than a subset.