This post is about using PowerShell and Microsoft Graph to access data in Azure AD, Intune and Office 365. The GUI management of these Microsoft 365 technologies is constantly evolving, but there will always be things that cannot be done through it. Microsoft Graph approaches the problem from the other direction: it provides a single REST endpoint and API that exposes the whole dataset, so you can write your own scripts or applications against the object model of the entire Microsoft 365 suite.
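As an added illustration of that endpoint-and-API model (example code written for this edit, not the post's own script), the block below obtains a token for Graph with the OAuth 2.0 client-credentials grant and then lists users, following Graph's `@odata.nextLink` paging until the collection is exhausted. It assumes an app registration with a client secret and an admin-consented application permission such as `User.Read.All`; the tenant ID, client ID, secret and the two-page response used for the offline demo are placeholders, not data from the post.

```powershell
# Added example (not from the original post): call Microsoft Graph from
# PowerShell with a bearer token and follow @odata.nextLink paging.
# Tenant ID, client ID and secret are placeholders you must supply.

function Get-GraphAccessToken {
    param(
        [Parameter(Mandatory)] [string] $TenantId,
        [Parameter(Mandatory)] [string] $ClientId,
        [Parameter(Mandatory)] [string] $ClientSecret
    )
    # OAuth 2.0 client-credentials grant against the v2.0 token endpoint.
    # The .default scope asks for the application permissions that were
    # admin-consented on the app registration (e.g. User.Read.All).
    $body = @{
        client_id     = $ClientId
        client_secret = $ClientSecret
        scope         = 'https://graph.microsoft.com/.default'
        grant_type    = 'client_credentials'
    }
    $uri = "https://login.microsoftonline.com/$TenantId/oauth2/v2.0/token"
    $response = Invoke-RestMethod -Method Post -Uri $uri -Body $body `
        -ContentType 'application/x-www-form-urlencoded'
    return $response.access_token
}

function Get-GraphCollection {
    param(
        [Parameter(Mandatory)] [string] $Uri,
        [Parameter(Mandatory)] [string] $AccessToken,
        # Takes (uri, headers) and returns the parsed JSON response.
        # Defaults to a real HTTPS call; the demo below swaps in a fake.
        [scriptblock] $Invoker = {
            param($u, $h) Invoke-RestMethod -Method Get -Uri $u -Headers $h
        }
    )
    $headers = @{ Authorization = "Bearer $AccessToken" }
    $items = New-Object System.Collections.Generic.List[object]
    $next  = $Uri
    $pages = 0
    while ($next) {
        $page = & $Invoker $next $headers
        $pages++
        if ($null -ne $page.value) {
            foreach ($item in @($page.value)) { $items.Add($item) }
        }
        # Graph returns one page at a time (typically up to 100 items) and
        # points at the next page with @odata.nextLink until there is none.
        $next = $page.'@odata.nextLink'
        if ($pages -ge 1000) { throw "Gave up after $pages pages; nextLink never ended." }
    }
    return $items.ToArray()
}

# Constructed two-page response (not real tenant data) so the paging logic
# can run offline. Against a real tenant the fake invoker is simply omitted.
$listUri  = 'https://graph.microsoft.com/v1.0/users?$select=displayName,userPrincipalName'
$page2Uri = 'https://graph.microsoft.com/v1.0/users?$skiptoken=page2'
$fakePages = @{
    $listUri  = [pscustomobject]@{
        value = @([pscustomobject]@{ displayName = 'Alice'; userPrincipalName = 'alice@contoso.example' })
        '@odata.nextLink' = $page2Uri
    }
    $page2Uri = [pscustomobject]@{
        value = @([pscustomobject]@{ displayName = 'Bob'; userPrincipalName = 'bob@contoso.example' })
    }
}
$fakeInvoker = {
    param($u, $h)
    if ($h.Authorization -notlike 'Bearer *') { throw 'Request has no bearer token' }
    if (-not $fakePages.ContainsKey($u))      { throw "Unexpected request: $u" }
    $fakePages[$u]
}.GetNewClosure()

$users = Get-GraphCollection -Uri $listUri -AccessToken 'placeholder-token' -Invoker $fakeInvoker
$users | Format-Table displayName, userPrincipalName   # two users, gathered from two pages

# Against a real tenant (needs network access and an app registration):
# $token = Get-GraphAccessToken -TenantId '<tenant-id>' -ClientId '<app-id>' -ClientSecret '<secret>'
# $users = Get-GraphCollection -Uri $listUri -AccessToken $token
```

Two practitioner notes: the client secret should be pulled from a secret store at run time rather than written into the script, and the app registration should carry only the application permissions the script actually needs (here, reading users), since a client-credentials token acts without any signed-in user and with the full set of consented permissions.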
As well as doing large-scale IT infrastructure projects, I also support a few small businesses run by friends. One of them had a server on site for over a decade. Now they don't: everything is done in Azure.
They started with Microsoft Small Business Server, which provided Active Directory, Exchange, and file and print. Over several years we moved to hosted e-mail, then to Office 365. In the last stage we moved the PCs from the local domain to the Azure AD domain. Users now sign in with Windows Hello, using a PIN. All the shared data is in a SharePoint team site; all the personal data is in OneDrive, and the local special folders on each PC are redirected there. They use Skype, Yammer and Delve to work together, on iPad or PC, at home or in the office. Management of the PCs is done with Intune.
Most of all, the server is switched off. No-one needs to come on site for hardware problems, and anyone who knows Office 365 and Azure can provide support from anywhere.
An Azure AD domain is not quite the same as a local domain: there is no Group Policy. You could get Group Policy back with Azure Active Directory Domain Services (a managed domain), but it is not cheap, and of course you need the skills to manage it. It got me thinking about how we could replace GPOs.
In one of my recent large-scale assignments, where we rolled out a new global desktop, we actually needed only a few GPOs: a big and complex policy to make Internet Explorer compliant with security standards, and policies for certificates, wireless networking and passwords. Without GPOs we would need another way to apply these configurations, but those few policies alone would not justify keeping a global Active Directory infrastructure.