Now that you have decided to move your organisation into the Microsoft cloud, your next step should be to decide which identity management model you are going to adopt.
What do we mean by identity management? In broad terms, this covers the method by which your users' accounts are managed and authenticated, and where that authentication takes place. Active Directory (AD) is at the core of most enterprise approaches to identity management, and therefore we have focused on AD-based approaches in this document, whether on-premises or the cloud version, Azure AD.
It’s important to make the right choice at the start of your journey to Office 365, as this will affect which migration method you use and the future administration of your users and services. You should also take into consideration any other local infrastructure you have, such as Exchange. The decision you make now, however, is not set in stone; you can transition to a more advanced model as your organisational needs develop.
What are the options?
There are four AD-based identity management scenarios to consider when moving to Office 365; each is discussed in more detail below.
1. Cloud Identity
In this scenario, all of your user accounts are created and managed directly within Office 365, with no requirement for on-premises infrastructure. This scenario is ideal for small businesses with no existing on-premises Active Directory.
2. Synchronised Identity
In this scenario, your on-premises AD objects are synchronised to your Office 365 tenant using Microsoft's Azure AD Connect (AADC) software, installed on your infrastructure. You can choose to synchronise user passwords as well, meaning your users will have the same password locally as for their Office 365 account, although they will still be prompted to log in when accessing any Office 365 services. Azure AD handles authentication for Office 365 services in this scenario. Once in place, you'll continue to manage your users and objects from your on-premises AD.
This scenario is ideal for an organisation which has an on-premises AD but no immediate requirement for anything more complex, or for those looking to set up a hybrid deployment, but it can also be an intermediate step to adopting a more advanced identity model.
3. Pass-through Authentication
This is the latest addition to Microsoft's identity management portfolio; it takes the features of the Synchronised model and adds the local AD authentication feature of the Federated model. This scenario is simple to set up and requires little additional infrastructure, and may suit those customers who do not wish their account passwords (albeit in hashed form) to be stored in Microsoft's cloud.
4. Federated Identity
As with options 2 and 3, the federated identity model uses AADC to synchronise your on-premises AD objects to your Office 365 tenant. However, user authentication continues to be performed by your on-premises AD. Your users won't have to sign in again to Office 365 – this is often referred to as seamless single sign-on (SSO).
Federation requires local installation of Active Directory Federation Services (ADFS), plus the ADFS Web Proxy service if you have remote or home workers. There are several server topology options here, but for brevity we won't discuss these in this article. It should be noted, though, that once in place ADFS is critical for access to Office 365, and consequently implementing a redundant solution is highly recommended.
User authentication requests are passed from Office 365 to ADFS (or the ADFS Web Proxy), which in turn sends the request to your AD servers. Once AD has authenticated the user, ADFS issues a token to the user’s client, which Office 365 verifies and then allows access to the requested service or app.
As in the synchronised scenario, once federation is in place, you manage your user accounts and other objects from your on-premises AD.
This scenario is ideal for customers with large AD deployments spanning multiple forests, those looking to set up a hybrid deployment with on-premises services, those who want single sign-on, or those with specific requirements for user account security. An additional benefit is that once ADFS is in place, it can be used for other applications and services that support it.
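Before choosing a model it helps to know which one a tenant is already using. The script below is an added example, not part of the original article or any Claranet tooling; it assumes the Microsoft.Graph PowerShell module is installed and that you can consent to the two read-only scopes it requests. It reports the tenant's sync status and, per verified domain, whether authentication is Managed or Federated.

```powershell
# Added example (not from the original article): report the identity model a
# tenant appears to be using, from what Azure AD exposes through Microsoft Graph.
# Assumes the Microsoft.Graph module is installed; both scopes are read-only.
Connect-MgGraph -Scopes 'Organization.Read.All', 'Domain.Read.All'

$org = Get-MgOrganization
$syncEnabled = [bool]$org.OnPremisesSyncEnabled

Write-Host "Tenant                 : $($org.DisplayName)"
Write-Host "Directory sync enabled : $syncEnabled"
if ($syncEnabled) {
    # A null last-password-sync time while sync is enabled suggests password
    # hash sync is not in use (for example Pass-through Authentication).
    Write-Host "Last directory sync    : $($org.OnPremisesLastSyncDateTime)"
    Write-Host "Last password sync     : $($org.OnPremisesLastPasswordSyncDateTime)"
}

# Authentication type is a per-domain setting: one tenant can mix Managed and
# Federated domains, so inspect every verified domain rather than the tenant.
Get-MgDomain | Where-Object IsVerified | ForEach-Object {
    if ($_.AuthenticationType -eq 'Federated') {
        $model = 'Federated Identity (ADFS or another federation service)'
    }
    elseif ($syncEnabled) {
        # Managed + synced covers both Synchronised Identity (password hash
        # sync) and Pass-through Authentication; Graph does not tell them apart.
        $model = 'Synchronised Identity or Pass-through Authentication'
    }
    else {
        $model = 'Cloud Identity (no on-premises sync)'
    }
    [pscustomobject]@{
        Domain             = $_.Id
        AuthenticationType = $_.AuthenticationType
        LikelyModel        = $model
    }
} | Format-Table -AutoSize
```

To confirm Pass-through Authentication rather than password hash sync, check the registered authentication agents in the Azure AD admin centre, which this script does not read.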
As highlighted, there are several options for identity management, and deciding which one to adopt for your organisation will be critical to your migration plan and future user administration.
At Claranet, we're experts in setting up and managing Active Directory, and in migrating businesses to Office 365 – talk to us for advice on the right path to Office 365, and see how we can help you make this change in the right way, and enable your organisation to do amazing things with Office 365.