Understanding Cloud Identity Models for Office 365 and Azure Active Directory:
Office 365 uses Azure Active Directory to manage users. You can choose from three main identity models in Office 365 when you set up and manage user accounts
Cloud identity. Manage your user accounts in Office 365 only. No on-premises servers are required to manage users; it’s all done in the cloud. Which is actually all users are provisioned in Azure AD.
Synchronized identity. Synchronize on-premises directory objects with Office 365 and manage your users on-premises. You can also synchronize passwords so that the users have the same password on-premises and in the cloud, but they will have to sign in again to use Office 365. Which is actually synchronizing Azure AD and On premise. Main synchronization engine used behind is almost same as FIM, MIM synchronization engine.
Federated identity. Synchronize on-premises directory objects with Office 365 and manage your users on-premises. The users have the same password on-premises and in the cloud, and they do not have to sign in again to use Office 365. This is often referred to as single sign-on. Basically leveraging federation technologies that uses SAML, WS-Federation, OpenId etc.
It’s important to carefully consider which identity model to use to get up and running. Think about time, existing complexity, and cost. These factors are different for every organization; this topic reviews these key concepts for every identity model to help you choose the identity you want to use for your deployment.
You can also switch to a different identity model if your requirements change.
In this model, you create and manage users in the Office 365 admin center and store the accounts in Azure AD. Azure AD verifies the passwords. Azure AD is the cloud directory that is used by Office 365. No on-premises servers are required — Microsoft manages all that for you. When identity and authentication are handled completely in the cloud, you can manage user accounts and user licenses through the Office 365 admin center or Windows PowerShell cmdlets.
The following figure summarizes how to manage users in the cloud identity model.
In step 1, the admin connects to the Office 365 admin center in the Microsoft cloud platform to create or manage users.
In step 2, the create or manage requests are passed on to Azure AD.
In step 3, if this is a change request, the change is made and copied back to the Office 365 admin center.
In step 4, new user accounts and changes to existing user accounts are copied back to the Office 365 admin center.
When would you use cloud identity? Cloud identity is a good choice if:
- You have no other on-premises user directory.
- You have a very complex on-premises directory and simply want to avoid the work to integrate with it.
- You have an existing on-premises directory, but you want to run a trial or pilot of Office 365. Later, you can match the cloud users to on-premises users when you are ready to connect to your on-premises directory.
- It is often first step in journey to Office 365 and Cloud. It is the easiest model for administration.
If you have an existing directory environment on-premises, you can integrate Office 365 with your directory by using either synchronized identity or single sign-on and federated identity to create and manage your users in Office 365.
In this model, you manage the user identity in an on-premises server and synchronize the accounts and, optionally, passwords to the cloud. The user enters the same password on-premises as he or she does in the cloud, and at sign-in, the password is verified by Azure AD. This model uses a directory synchronization tool to synchronize the on-premises identity to Office 365.
To configure the synchronized identity model, you have to have an on-premises directory to synchronize from, and you need to install a directory synchronization tool. You’ll run a few consistency checks on your on-premises directory before you sync the accounts.
When to use synchronized or federated identities:
In step 1, you install a Microsoft Azure Active Directory Connect. For instructions, see Set up directory synchronization in Office 365. For more information about Azure Active Directory Connect, see Integrating your on-premises identities with Azure Active Directory.
In steps 2 and 3, you create new users in your on-premises directory. The synchronization tool will periodically check your on-premises directory for any new identities you have created. Then it provisions these identities into Azure AD, links the on-premises and cloud identities to one another, synchronizes passwords, and makes them visible to you through the Office 365 admin center.
In step 4, as you make changes to the users in the on-premises directory, those changes are synchronized to Azure AD and made available to you through the Office 365 admin center.
To get started with synchronized identity, see Prepare to provision users through directory synchronization to Office 365, and Set up directory synchronization in Office 365.
This model requires a synchronized identity but with one change to that model: the user password is verified by the on-premises identity provider. This means that the password hash does not need to be synchronized to Azure AD. This model uses Active Directory Federation Services (AD FS) or a third-party identity provider.
The reasons for using a federated identity include:
- Existing infrastructure
- If you already have AD FS deployed for some other reason, you will likely want to use it for Office 365 also.
- If you already use some other identity provider, you will want to use federated identity with Office 365. Microsoft provides a list of identity providers that work with Office 365.
- If you use Forefront Identity Manager, you will also want to use federated identity with Office 365.
- Technical requirements
- You have multiple forests in your on-premises Active Directory Domain Services (AD DS).
- You have an on-premises integrated smart-card solution.
- You have an existing custom hybrid application, for example with SharePoint or Microsoft Exchange Server.
- Policy requirements
- You require sign-in audit and/or immediate disable.
- You require single sign-on.
- You have sign-on restrictions by network location or work hours.
- You have other policies in place that require federated identity.
The following diagram shows a scenario of federated identity with a hybrid on-premises and cloud deployment. The on-premises directory in this example is AD FS. The synchronization tool keeps your on-premises and in-the-cloud corporate user identities synchronized.
In step 1, you install Azure Active Directory Connect (find more information and download instructions here). The synchronization tool helps to keep Azure AD up-to-date with the latest changes you make in your on-premises directory.
In steps 2 and 3, you create new users in your on-premises Active Directory. The synchronization tool will periodically check your on-premises Active Directory server for any new identities you have created. Then it provisions these identities into Azure AD, links the on-premises and cloud identities to one another, and makes them visible to you through the Office 365 admin center.
In steps 4 and 5, as changes are made to the identity in the on-premises Active Directory, those changes are synchronized to the Azure AD and made available to you through the Office 365 admin center.
In steps 6 and 7, your federated users sign in with your AD FS. AD FS generates a security token and that token is passed to Azure AD. The token is verified and validated and the users are then authorized for Office 365.
This article mainly uses Office 365 documentation below
Originally published at https://www.linkedin.com.