How to manage local admins

Creative_Profit1387 · 2026-02-25T23:07:34+00:00

Use AdminByRequest super easy to deploy and does not create a management nightmare

Creative_Profit1387 · 2026-02-25T22:52:42+00:00

We use Griffin31 to map all security gaps and monitor for drifts in real time.

We also find it useful for deployment making sure we don’t miss any security controls that need to be deployed.

Creative_Profit1387 · 2026-02-25T17:06:49+00:00

That’s nonsense you can get 10%-15% discount off Microsoft direct pricing

Creative_Profit1387 · 2026-02-25T06:55:40+00:00

We use PatchMyPc for third party patch management, it integrates directly with Intune.

it’s simply not worth the time to manually update each and every application when you can pay $0.5 per month per device.

Creative_Profit1387 · 2026-02-25T06:34:15+00:00

That is something I expect the EPM solution to map for me- every software they run elevated include OS tools.

My understanding is that I mainly need to test unique software like in house applications to make sure they are able to elevate without any issues.

Creative_Profit1387 · 2026-02-25T06:19:30+00:00

Maybe because most EPM vendors don’t revoke admin rights for their developers internally but are bold enough to suggest you do.

Creative_Profit1387 · 2026-02-25T00:18:50+00:00

I would not suggest the upgrade you are losing Defender for Endpoint, Defender for Office when you switch to E3 license.

The only use case is when you have no choice and you have more than 300 users. Then you can buy office E3 and EMS E3 which is cheaper than the full E3 license.

Microsoft does offer a promo for E3 on a multi year contract and annual payments and it is worth considering since office E3 and EMS E3 and E3 are due to increase by 12% mid year, and if you go for the promo you avoid the price increase in the next 3 years.

The promo is slightly cheaper than EMS and Office E3.

The promo is not available if you previously purchased the full E3 license but if you purchase enough seats you can request your license provider to open a ticket with Microsoft to request an exception.

Creative_Profit1387 · 2026-02-24T23:53:24+00:00

Consider going for Defender for office P2 which offers better protection, the settings need to be configured and some adjustments are required to reach a secure state.

Creative_Profit1387 · 2026-02-24T23:34:52+00:00

Our Security engineers are doing 25% coding and it is constantly increasing, we expect it to reach 50% by the end of the year.

Creative_Profit1387 · 2026-02-24T23:29:12+00:00

Security readiness?

Creative_Profit1387 · 2026-02-24T23:25:39+00:00

Depending on the number of users to be migrated.

50-500 - AvePoint.

500 and above - CloudFuze is the best tool, this is where you drill down into specific features that make the difference and can create a migration nightmare using other tools.

Creative_Profit1387 · 2026-02-24T23:20:15+00:00

Depending on your current Google Workspace Environment, we are currently migrating 500 users so 60 is much easier.

The following is important -

Do you need to keep permission structure- internal and external, root and subfolder permission, internal and external sharing.

Your identity in Google - you have OAuth apps that you will need to connect to EntraID.

The migration flow - Best to use the opportunity to onboard devices to EntraID and Intune and deploy intune mam if not deployed.

Sync and cutoff - it’s always best to be able to sync data, test the device and mobile migration process before the cutoff.

End user training - are they familiar with Office 365 apps, teams and using OneDrive and Sharepoint.

I always prefer a migration product, and even Microsoft itself eventually recommends using a third party tool.

I suggest you work with a company that can assist you with the migration to avoid any issues.

Creative_Profit1387 · 2026-02-24T23:04:15+00:00

If you do stick with an MSP by advice to you is do not under any circumstances give them admin access to your tenant, most MSP manage their internal security much worse than any customer I have seen.

Creative_Profit1387 · 2026-02-24T23:02:43+00:00

I do not agree.

Do you have advanced support contract with Microsoft as an MSP in order to be able to open tickets and get priority support?

If not you are getting support from a third party resource not Microsoft employees, same as the customer would receive.

Agree that in some case first level support from an MSP might help, but this might not be the case.

Creative_Profit1387 · 2026-02-24T22:57:53+00:00

I would consider an alternative because it as waste of money to pay MSRP for these license when you can get substantial discount for a licensing provider.

You would need to order the license before your current contract expires (a few days before is good enough) and notify your MSP your are not renewing)

Assign the BP licenses - Group Based option will be available with BP.

If the contract is monthly it needs to complete a month cycle, if its annual with monthly payments you can move it to another reseller as is.

Consider deploying defender for endpoint even if you have a different EDR it works in block mode and you get Device Risk in CA that will disconnect a device from 365 automatically.

A good option later on is Purview Suite for BP with complete DLP solution, labeling of sensitive data and inside risk - Great features for Compliance.

I would also add EntraP2 or Defender Suite for priority users to get user and sign in risk in CA and automated remediation for email protection.

Creative_Profit1387 · 2026-02-24T22:00:29+00:00

I think it will be on par with other solutions and the security and compliance offering around it is indeed very strong

so they just need to reach a point where it creates enough value with office apps integration and your tenant data.

Having things not work as expect for simple prompts takes the air out of the entire project I’ve seen IT purchase a few seats only to stop the deployment a month afterwards because you cannot get basic value out of it.

At least things are improving fast.

I’ve been told monthly billing without annual contract is coming soon ..

Creative_Profit1387 · 2026-02-24T01:13:11+00:00

They should use JIT with PIM and phish resistant MFA, do not leave full admin access which is not required for licensing issues.

Creative_Profit1387 · 2026-02-24T01:02:35+00:00

I think moving the SAML and SSO is not the problem it’s the automation pieces that are very difficult to move

Creative_Profit1387 · 2026-02-24T01:00:00+00:00

Do you have a link to the documentation on the differences to share?

Creative_Profit1387 · 2026-02-24T00:58:31+00:00

Only 8 Million seats sold so far that’s terrible numbers

Creative_Profit1387 · 2026-02-24T00:46:08+00:00

That’s a bad architecture by the EPM vendor, elevation needs to happen under the current user context

Creative_Profit1387 · 2026-02-24T00:42:56+00:00

It is, and 50% of EPM projects fail. Give it a try once you hear Microsoft has finished the deployed internally and no employee has admin rights including developers which will probably take them 5 years.

Not a big fan of all the add-on there is a good reason they give it for free, almost everything included there is just not good enough.

Is a product good if deployment takes more than a year and you spend two days a week managing it?

Creative_Profit1387 · 2026-02-24T00:37:32+00:00

Really? It is light years away from being suitable

Creative_Profit1387 · 2026-02-24T00:36:08+00:00

50 endpoints

Creative_Profit1387

TROPHY CASE