
5 Methods of Office 365 Identity Management Explained

SoftwareOne blog editorial team

Do you want to deploy Office 365? One of the first things to do is to create user identities. What are the options, which one should you choose, and what else must you consider? This post gives you an overview of Office 365 Identity Management.

First of all, there are three types of identities: cloud identity, synchronised identity and federated identity.

Cloud Identity

A cloud identity is a user account that is created and managed entirely in Office 365. You can use a web browser or PowerShell to do it. User information and the password are stored in Azure AD. This is the simplest scenario for smaller deployments.

Now, let’s see how to create a new user account:

  1. Log into Office 365
  2. Go to the admin center
  3. We have a shortcut here for creating a user
  4. Enter some basic user information here such as First name, Last name
  5. The location is important because it determines the physical location of user data
  6. Next, we have a password which can be autogenerated or input manually
  7. Then we assign the proper license for the user, e.g. E5.
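
The same seven steps can be scripted. The following is an added example using the Microsoft Graph PowerShell module, not code from the original post. The names, UPN, domain and location are constructed placeholders, and the E5 part number should be checked against your own tenant.

```powershell
# Added example, not the blog's own code. Needs the Microsoft.Graph module and an
# admin sign-in; names, UPN and location are constructed placeholders.
Connect-MgGraph -Scopes 'User.ReadWrite.All', 'Organization.Read.All'

# Step 6: autogenerate the password from the system CSPRNG. The fixed suffix only
# guarantees that upper, lower, digit and symbol classes are all present.
$bytes = [byte[]]::new(24)
$rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
try { $rng.GetBytes($bytes) } finally { $rng.Dispose() }
$password = [Convert]::ToBase64String($bytes) + 'aA1!'

# Steps 4-5: basic user information and location (UsageLocation in Graph).
$newUser = @{
    AccountEnabled    = $true
    GivenName         = 'Alex'
    Surname           = 'Example'
    DisplayName       = 'Alex Example'
    UserPrincipalName = 'alex.example@contoso.example'
    MailNickname      = 'alex.example'
    UsageLocation     = 'PL'
    PasswordProfile   = @{
        Password                      = $password
        ForceChangePasswordNextSignIn = $true   # user must replace it at first login
    }
}
$user = New-MgUser @newUser

# Step 7: assign the license. ENTERPRISEPREMIUM is the part number Microsoft lists
# for Office 365 E5; check Get-MgSubscribedSku output for your tenant's own SKUs.
$sku = Get-MgSubscribedSku -All | Where-Object SkuPartNumber -eq 'ENTERPRISEPREMIUM'
if (-not $sku) { throw 'No Office 365 E5 subscription found in this tenant.' }
if ($sku.PrepaidUnits.Enabled -le $sku.ConsumedUnits) { throw 'No free E5 licenses.' }
Set-MgUserLicense -UserId $user.Id -AddLicenses @(@{ SkuId = $sku.SkuId }) -RemoveLicenses @()

# Confirm the result, then hand the password to the user out of band.
Get-MgUser -UserId $user.Id -Property DisplayName, UsageLocation, AssignedLicenses |
    Select-Object DisplayName, UsageLocation, @{ n = 'Skus'; e = { $_.AssignedLicenses.SkuId } }
```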

Now, let's check what it looks like for your user:

  1. First, go to the Office login page
  2. When you type your login, the portal shows your company branding – notice the URL stayed the same.
  3. Just type your password, and the user can access cloud services. Remember it can take some time for all services such as Teams or SharePoint to configure for that user.

Synchronised Identity

If you already have a couple of hundred users, you probably have their information in another system such as Active Directory. You can synchronise their accounts to the cloud using a tool called Azure Active Directory Connect.

In this case, all user information is managed in Active Directory and synced to the cloud. You can also choose to sync user passwords. Don’t worry, it’s safe. AD stores a password hash. A hash of that hash is sent to the cloud.

What is nice here is that you can manage user identities in one place such as AD. Nothing in your IT operations changes. You create your users in AD. You reset their passwords in AD.

To enable sync, your systems must meet some technical requirements. First, AD must be at a particular version, which is 2003. Second, specific attributes in AD must have values, for example the user email. To check if your AD is compliant, you can use a Microsoft tool called IdFix.
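
The "hash of that hash" step can be made concrete. The sketch below is an added example, not code from the original post or from Azure AD Connect. It goes beyond the post by following Microsoft's published description of password hash synchronisation: the 16-byte MD4 hash is expanded to a 32-character hex string, encoded as UTF-16, and run through PBKDF2 with HMAC-SHA256, 1,000 iterations and a 10-byte per-user salt. The function name, the upper-case hex and all input values are assumptions of this example.

```powershell
# Added illustration; runs offline on PowerShell 7 or .NET Framework 4.7.2+.
function ConvertTo-SyncedPasswordHash {
    param(
        [Parameter(Mandatory)][byte[]]$NtHash,   # 16-byte MD4 hash as stored by AD
        [Parameter(Mandatory)][byte[]]$Salt      # 10-byte per-user salt
    )
    if ($NtHash.Length -ne 16) { throw 'NT hash must be 16 bytes.' }
    if ($Salt.Length -ne 10)   { throw 'Salt must be 10 bytes.' }

    # 16 bytes -> 32 hex characters -> 64 bytes of UTF-16LE.
    # Upper-case hex is an assumption of this example.
    $hex      = -join ($NtHash | ForEach-Object { $_.ToString('X2') })
    $expanded = [System.Text.Encoding]::Unicode.GetBytes($hex)

    # PBKDF2 with HMAC-SHA256, 1,000 iterations, 32-byte result.
    $kdf = [System.Security.Cryptography.Rfc2898DeriveBytes]::new(
        $expanded, $Salt, 1000,
        [System.Security.Cryptography.HashAlgorithmName]::SHA256)
    try { return ,$kdf.GetBytes(32) } finally { $kdf.Dispose() }
}

# Constructed inputs: a dummy 16-byte value stands in for a real NT hash.
$ntHash = [byte[]](0..15)
$saltA  = [byte[]](1..10)
$saltB  = [byte[]](11..20)

$a1 = ConvertTo-SyncedPasswordHash -NtHash $ntHash -Salt $saltA
$a2 = ConvertTo-SyncedPasswordHash -NtHash $ntHash -Salt $saltA
$b  = ConvertTo-SyncedPasswordHash -NtHash $ntHash -Salt $saltB

# Same hash and salt give the same value, so the cloud side can verify a sign-in.
# A different salt gives an unrelated value, so two users with the same password
# do not end up with the same stored hash.
$hexA1 = [BitConverter]::ToString($a1)
$hexA2 = [BitConverter]::ToString($a2)
$hexB  = [BitConverter]::ToString($b)
"Salt A           : $hexA1"
"Salt B           : $hexB"
"Deterministic    : $($hexA1 -eq $hexA2)"
"Salt changes out : $($hexA1 -ne $hexB)"
```

The value that leaves the domain is the PBKDF2 output, not the MD4 hash itself, which is the practical meaning of the post's statement that only a hash of the hash is synced.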

Federated Identity

The third and last option is federation. To configure it you must have Active Directory Federation Services or similar software. We won’t go into details here since there are tons of articles on the Internet.

When a user tries to log on to the cloud, they are redirected to your on-premises systems. Your AD authenticates the user and generates their token. This token is used to access Office 365.

This is often seen as more secure because your infrastructure authenticates the user. No password is saved or managed in the cloud. A prerequisite for this scenario is user account synchronisation.

Federated Identity is often sold as a single sign-on solution. Well, this is only partially true. It doesn’t give the exact same experience as local Active Directory. Let’s say that in 87% of scenarios a user won’t have to type in their credentials.

There is also one big drawback. If your infrastructure stops working, no one can access cloud services. Remember to build a highly available environment and test your disaster recovery procedures.

These are the three options for user management. There are also two additional scenarios you might wish to consider.

Multi-factor authentication

Multi-factor authentication allows you to increase the security of your environment. When you enable it, your employees will be required to provide an additional authentication factor together with the password.

Some time ago, text messages were popular; now the trend is to use mobile applications since they are more secure. Of course, you can configure when the user is asked for the second factor: for example, when they work from outside of the office.

Let's see what federated identity looks like with multi-factor authentication.

We have a Microsoft Account. When going to the login page and typing the email, we're redirected to the ADFS servers with custom branding. In this case, it’s a Microsoft page. We're authenticated against Microsoft Active Directory here, but the additional authentication factor is required.

We must confirm that we're logging in, using the Authenticator app on a mobile phone. What is quite nice here is that we can use Apple Touch ID and don’t have to type in our PIN.

Password reset

The next scenario is password reset. It is often one of the most time-consuming tasks for the helpdesk. Why waste time on something that users can do by themselves? In Office 365, password reset comes in two flavours.

First – when you use only Cloud Identities – it’s out of the box, and you don’t have to configure it.

Second – when you use synchronised identities, you can enable something called password writeback. During configuration, you can choose from a couple of authentication methods such as office phone, mobile phone, alternate email or security questions. It’s recommended to enable at least two of them before resetting a password.

When a user resets their password, it’s sent from the cloud to your local Active Directory. Be sure to configure your infrastructure accordingly. You'll probably ask if this is safe – in the end, it writes passwords to your Active Directory. Well, when it comes to an end-to-end password reset, you must give users the ability to do it from outside of your network. In such a case, you will either build your custom solution or use one that is delivered, for example, by Microsoft. We believe the second option is much safer.

This should give you a good overview of identity management options in Office 365. So that’s it for today. If you need help or have some questions, don’t hesitate to contact us.
