Plan your architecture
To move your Universal Print deployment from proof of concept to a secure, performant, and reliable solution that your organization can depend on, there are some important architecture decisions to make.
Continue reading to understand how Universal Print works, and which important decisions you should make thoughtfully while you plan & roll out Universal Print.
How does Universal Print work?
Universal Print is a cloud printing service that replaces print servers with the Microsoft cloud. Instead of users connecting to printers using on-premises print servers (maybe through a costly VPN), printers can be accessed over the internet without any additional setup from users.
The same infrastructure that runs mission-critical services like Exchange, Teams, and Office ensures high availability and the utmost security for your print environment.
Universal Print embraces modern and extensible standards to maximize interoperability, making it truly "universal". Universal Print supports the IPP INFRA protocol for discovery and printing, and also provides an extensive Microsoft Graph API with similar capabilities.
Universal Print ready vs. connector printers
For each printer, you'll need to choose whether to register it as a Universal Print ready printer, or by using the connector.
Register as Universal Print ready when
- The printer model is in the list of Universal Print ready printers
- You want to fully eliminate intermediate infrastructure
- You can register each printer individually
Register using the connector when
- The printer model is not in the list of Universal Print ready printers
- You're okay running the connector on an on-prem machine or using an Azure VM
- You want to register many printers in bulk
Connector considerations
Should I run the connector on-prem or on an Azure VM?
- If you already have an on-prem server that's used for non-printing needs, you could easily run the connector on the existing server.
- If you'd prefer to get rid of all on-prem infrastructure, or if you want to easily distribute and manage the connector in different geographic locations, you could spin up Azure VM(s) in appropriate regions with access to your WAN, and host the connector there.
Do I need multiple connectors or can I use one for all my printers?
- If you have many printers, consider distributing them across multiple connectors to avoid overloading the host machine. See the recommended maximums.
- If your users are distributed across distant geographies, consider hosting connector(s) near your users.
Identity considerations (users, groups, and admin roles)
Who should I assign each admin role to?
To maximize security, always follow the principle of assigning least privilege:
- Limit the use of the Global Administrator role when possible
- Assign administrators the least-permissive Universal Print administrator role that allows them to perform their job function.
Important
Over-assigning high privilege roles introduces risk of accidental or malicious configuration changes that can harm your print environment.
What are the best practices for assigning printer access in Universal Print?
When assigning access to printer shares, minimize the number of new user groups that are created.
- When assigning individual users access to a printer share, Universal Print creates a group behind the scenes to manage access control. If too many groups are created, it can cause scale issues in large tenants.
- When possible, use existing groups to give access to printer shares. This makes it easy to edit access in bulk later.
- When a printer can be used by everyone in the tenant, use the "Allow all users" toggle instead of adding users & groups manually.
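The three practices above can be checked against an export of your printer shares. The following is an added example, not Microsoft's code: the field names follow the Microsoft Graph printerShare resource (allowAllUsers, allowedUsers, allowedGroups), while the sample shares, user names, and finding labels are constructed for illustration.

```python
import json
from collections import defaultdict

# Constructed sample data. Field names follow the Microsoft Graph printerShare
# resource (allowAllUsers, allowedUsers, allowedGroups); values are invented.
SAMPLE_SHARES = json.loads("""
[
  {"displayName": "HQ-Lobby", "allowAllUsers": true,
   "allowedUsers": [{"userPrincipalName": "ana@contoso.example"}], "allowedGroups": []},
  {"displayName": "Finance-3F", "allowAllUsers": false,
   "allowedUsers": [], "allowedGroups": [{"displayName": "Finance"}]},
  {"displayName": "Lab-A", "allowAllUsers": false,
   "allowedUsers": [{"userPrincipalName": "bo@contoso.example"},
                    {"userPrincipalName": "cy@contoso.example"}], "allowedGroups": []},
  {"displayName": "Lab-B", "allowAllUsers": false,
   "allowedUsers": [{"userPrincipalName": "cy@contoso.example"},
                    {"userPrincipalName": "bo@contoso.example"}], "allowedGroups": []}
]
""")

def audit_shares(shares):
    """Return {share name: [findings]} for shares that deviate from the guidance."""
    findings = defaultdict(list)
    by_user_set = defaultdict(list)
    for share in shares:
        name = share["displayName"]
        users = frozenset(u["userPrincipalName"].lower() for u in share.get("allowedUsers", []))
        groups = share.get("allowedGroups", [])
        if share.get("allowAllUsers"):
            # The toggle already grants everyone access; explicit entries are redundant.
            if users or groups:
                findings[name].append("allow-all-with-explicit-entries")
            continue
        if users:
            # Individually assigned users make Universal Print create a hidden group.
            findings[name].append(f"individual-users:{len(users)}")
            by_user_set[users].append(name)
    # Shares with identical individual user lists could use one existing group.
    for names in by_user_set.values():
        if len(names) > 1:
            for name in names:
                others = sorted(n for n in names if n != name)
                findings[name].append("same-users-as:" + ",".join(others))
    return dict(findings)

if __name__ == "__main__":
    for share, issues in sorted(audit_shares(SAMPLE_SHARES).items()):
        print(f"{share}: {', '.join(issues)}")
```

Shares that already use only existing groups, such as the constructed Finance-3F share, produce no findings.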