Baker Tilly Canada Cooperative is a group of 19 accounting firms with some 1,500 users operating under one brand. The company migrated to Microsoft Office 365 beginning in 2018. That raised two key issues – the company wanted to easily manage O365, and give each of the 19 member firms IT independence. The answer to both came in the form of solutions from CoreView.
CoreView’s Doug Barney spoke with Stephen Chris, chief operating officer for Baker Tilly Canada Cooperative, and Brian J. Lobb, national director of technology for Baker Tilly Canada Cooperative about the O365 migration, and the move to CoreView management and security.
CoreView: Tell us about Baker Tilly Canada.
Chris: We are a cooperative of professional chartered accounting firms with 19 CPA firms all operating under the Baker Tilly Canada brand, and, through Baker Tilly International, globally represented in over 140 countries. Up until this point, our Canadian entity was primarily decentralized when it came to IT infrastructure.
CoreView: How was the migration to O365?
Chris: It was a bit of a migration and a consolidation, progressively bringing firms across as each of those firms had a different starting point for their IT infrastructure.
We worked with a vendor, Softchoice, to put the infrastructure in place to make the migration happen. That required significant discussion, planning, and build-out, including leveraging Microsoft’s Azure infrastructure. Our migration was anything but simply a migration to O365. It was a combination and a consolidation of IT infrastructure into a single tenant on O365, plus other pieces built in Azure.
Lobb: The rationale was that we were dispersed entities all independently run and owned.
Chris: We looked at tenant management products for a solution offering added granularity for service management, user management, and security. At first, we thought we could build this with the tools built inherently into O365, such as role-based access control (RBAC) rules in Exchange, for instance. We thought we could layer a level of security on top of O365 without a third party solution.
We quickly realized that the granular security management in O365 was not all that granular. Things came in big buckets and chunks, rather than having the granularity, or the feature segmentation we needed.
CoreView: Microsoft has RBAC, where you can assign an Exchange or license administrator, for instance. However, they do not have what we are starting to call functional access control, where you can assign even a small subset of functions. You could assign a Teams’ voice manager for a department. Microsoft also does not have the virtual tenant capabilities. If you are an Exchange administrator under Microsoft O365 Admin Center, you have control over the entire environment, the entire tenant. CoreView has access controls and we have virtual tenants, which limits how many people that admin can reach and control.
Chris: Part of our build-out was deciding whether to go multi-tenant, or single tenant. We are functionally independent organizations that all wanted to share a common domain name. That factor of sharing a common domain name, required us to have a single tenant environment within O365.
How do we operate as a multi-tenant environment while, from Microsoft’s perspective, exist on a single tenant. CoreView brought all of that to the table with the V-tenant capabilities. We can slice and dice administration into functional areas. We can have user managers, Teams managers, Teams administrators, or security administrators. All of those functions and feature sets are critical to the solution we have today.
CoreView: Did you have CoreView in place during the move to Office 365? We find that, while we are not a migration tool per se, our virtual tenants offer a better way of managing O365. It is easier and a much healthier situation to migrate while having CoreView in your back pocket.
Chris: We agree 100%. Our expectations of what Microsoft was going to bring to the table were proven to be underwhelming. We initially felt that Microsoft has to have this nut cracked. It was somewhat inconceivable that a third party company, external to Microsoft, built a better interface to O365 than Microsoft did.
We quickly realized that sub-tenanting, or sub-administration of users just was not going to exist with native O365 Admin Center to enforce the migration. We would have much rather had CoreView in place from the early days. That would have alleviated a lot of the pain that we had in those early days with user management and tenant administration.
With the native O365 Admin Center, you have rights inside RBAC. However, when you give somebody license administrator rights, you are giving them control over the entire tenant’s licensing. That was problematic because we have stringent controls for billing issues and licence allocations which we need to deal with. We heavily utilize CoreView’s licensing pools, and licensing segmentation. That is our point of truth when it comes to where our allocations are, where costs are calculated, and how we do license allocations.
This gets back to that whole notion that CoreView brought to the table. We, as initial consumers of O365, thought O365 should have these features inherently out of the box, and which Microsoft was unable to deliver on.
CoreView: How are your license pools set up? Does each group under that Baker Tilly Canada umbrella have its own license pool?
Chris: We are segmented into 19 virtual tenants. Each one of those 19 virtual tenants has their own license pool. We manage the license pools nationally so the adding and exchanging of licenses happens in a centralized way. However, the allocation of licenses to users within the V-tenants is done on an office-by-office basis. They manage all their licenses, and we manage the tenant license pool.
CoreView: How does CoreView help you do a better job of buying the right amount of licenses? Seems like with your license pools, from the beginning you have been able to buy the more correct amount of licenses.
Chris: CoreView gives our offices the ability to manage licenses, see how they are consuming their licenses, where those licenses are being allocated, and what additional licenses could or should be available to them. CoreView gives them insight into licensing, and right-sizing of licensing, they would not have otherwise inside of the O365 tenant.
CoreView: So you have a deeper understanding of licenses?
Chris: If it is one big pot of licenses, I guarantee you regional departments managing licenses out of one big pot would result in everybody’s grabbing more licenses than they are entitled to. Your license count can get out of control — if you don’t have something like CoreView that shows on a day-to-day basis what you’re consuming, what you’re allocated, and how many available licenses you have inside of those allocations.
From an internal billing perspective, we move licenses amongst those license pools and amongst those billing centers. If we find that there is a surplus of licenses in Center A, we can simply move those over to Center B and facilitate that process on their behalf. Super easy to do inside of the CoreView system. It is just a visual interface — increase the number in one V-tenant and decrease in another.
CoreView: Will this help during EA renewal or license True Up time? Will CoreView put you in a better position to negotiate the renewal, and make sure you are not over spending?
Chris: At EA renewal time, that will be helpful. Also at True Up time on an annual basis. We can hand our offices, effectively, a spreadsheet that shows their current consumption, and ask them to put a yes or no as to whether we need to decrease or increase licenses. With Microsoft EA subscriptions, you can only drop licenses at a True Up time. CoreView is a very handy tool showing offices what they have today, what they are committing to for the next 12 months, and how that relates to their actual consumption.
Security via Virtual Tenants
CoreView: With a single tenant, there are certainly security issues. You do not want an admin in one of your virtual tenants messing with another one of the tenants. At the same time, local admins have a feeling of control of their own destiny because they are semi-independent groups. Finally, they are more responsive because they are local to their user base.
Chris: When you come from a decentralized IT environment, and ask everybody to come on board with a common platform, that is asking people to put their eggs in one basket. We have the assurance, with Coreview, that administrator A cannot do something nefarious or accidental to administrator B’s users. That is a huge comfort for IT administrators across the country.
CoreView: What CoreView solutions are you using?
Chris: We have CoreAdmin, CoreSecurity and CoreLearning. We are looking to heavily leverage CoreView going forward for cyber security — something as simple as facilitating confirmation that our mandate to have multifactor authentication enabled for all users on our tenants is actually in place.
It’s easy in CoreView for an administrator to go into their user base, create a query and do a sort on who’s got MFA enabled or not.
We are working on building out an entire cybersecurity compliance dashboard. We are identifying the 15 to 20 core variables they should look at regularly. We are pre-building those queries, giving them access to those queries, and access to the V-tenant report of where they sit in the realm of compliance and non-compliance.
Over the next six months, that is something we are going to be heavily leveraging.
CoreView: What other things in CoreSecurity are you finding interesting? I’m thinking of suspicious log-ins. We have a global map where you see all the people, say from China, trying to get into your tenant.
Chris: We use CoreView to identify suspicious log-ins, and bring them to the attention to the appropriate IT administrators. We find more times than not, there is some rationalization behind them. You get odd log-ins from a foreign country, contact the office to let them know, and sure enough, they have somebody traveling in that foreign country. However, it gives you comfort that you are identifying these anomalies, and identifying the anomalies in an easy way.
Without CoreView, we cannot expose our local office administrators to that level of granularity and detail on their subset of users. They can manage that subset, and see their own list of abnormal log-ins.
Chris: I think about the Microsoft wheel, and how little of it we are actually leveraging on a day-to-day basis. It is a full time job just to stay in tune with what Microsoft is capable of doing, and figuring out how to roll that out. How do we leverage Teams, implement Teams, and make Teams that default the adoption process as opposed to going email, to some third party conferencing system, or some other voice over IP solution. There are additional functionalities within CoreView that we expect to leverage as our implementation becomes more mature.
CoreView: How does CoreView’s version of RBAC help granularly distribute admin work?
Lobb: Here is an example. What used to happen when we made an email request to BakerTilly.ca for an email address is the IT team would do it and create a link. If there was a problem, it would be a back and forth to set it up.
Using CoreView, someone, say a receptionist, can create an email address and a user, license them and have them ready to roll. They do not have to write a PowerShell script in order to add people to a group. They just go in — click, click, click, and done
Get your Office 365 user workload usage and security profile FREE with our new CoreDiscovery solution.
You can get your free software now at the CoreDiscovery sign up page: https://www.coreview.com/core-discovery-sign-up/