Microsoft Enterprise Mobility Suite (EMS) is a relatively new product combination that packs a punch when it comes to creating value and managing access to the cloud. Many customers ask if they can replace their on-premise domain controller with Azure Active Directory Premium (AADP), so today we will take a look at the components that make up EMS to carefully answer that question.
Azure Active Directory Premium:
AADP is a single sign-on user management system that provides access to thousands of cloud applications. AADP by itself does not replace a domain controller, but functionality increases when it’s combined with the other products in the Azure suite. AADP is the bridge between your customers’ on-premise directories and the cloud-based applications they are using. You can perform two-way synchronization with your on-premise directory using the Azure Active Directory (Azure AD) Sync tool. While your domain controller still manages access and identity for the traditional line of business (LOB) applications that your customers may use, Azure AD provides you a level of access and control to platforms like Microsoft Office 365, Salesforce, Box, LinkedIn, Facebook, and more—2,495 to be exact! Azure AD allows you to provide customers and end users with single sign-on, multi-factor authentication (MFA), and self-service password reset with on-premise write-back. Additionally, you can always count on quality service with a 99.9 percent service-level agreement (SLA).
Advanced Threat Analytics:
With Microsoft Advanced Threat Analytics (ATA), we have the ability to look beyond a simple login and monitor the behavior of users by tracking everything from work schedules to login location. If something unusual occurs, a multi-factor request can be triggered through ATA to confirm the user’s identity.
We have discussed our users and their experience, but what about the devices and software? This is where the second piece of the suite, Microsoft Intune, comes into play. Now that your directories are synced with Azure AD and your user objects have transferred to Intune, you can begin managing laptops, desktops and mobile devices through the program. Microsoft Intune gives you the ability to remotely wipe information from a user’s device after they leave the company. It also enables you to control access to corporate applications and data, push out software, or monitor a user’s mobile device health. The best part is, with the advent of Windows 10, you can now connect your machines to Azure AD and Microsoft Intune directly from the account settings within the operating system. This simplifies the process for both the user and the IT administrator and ensures that devices are always connected and policies are active.
Azure Rights Management (Email Encryption):
Now that we have discussed both the users and the devices, we’re starting to develop a positive story surrounding replacing your on-premise directories. Microsoft added Azure Rights Management (Azure RMS), which allows you to set various rules and policies on how data is transmitted via Microsoft Exchange, while ensuring that only the approved users can view the data. This is a product we see solutions providers add to their Microsoft Office 365 plans all the time!
To top it all off, Microsoft has thrown in rights to Windows Server Client Access Licenses (CALs) and System Center Configuration Manager (SCCM) and discounted the price of these combined products. Purchased individually, these products would cost $19.25, but when purchased as EMS the cost is under $10 per user, per month.
The solutions and additional services you can wrap around an offering like EMS are extensive. Every single cloud customer, Microsoft Office 365 customer and mobile device user should have the suite. When you implement EMS, you will start the conversation around other Azure services.
As a quick recap and to cover key takeaways:
- This product alone amplifies security, user experience and device management.
- EMS bridges cloud and on-premise solutions, allowing you to close the gap.
- If you have customers that are “born in the cloud,” then the answer is yes—you could very easily use this product in place of a domain controller.
- EMS and related services can be implemented by nearly any customer that is utilizing cloud-based applications.