You can choose from three main identity models in Office 365 when you set up and manage user accounts:
Manage your user accounts in Office 365 only. No on-premises servers are required to manage users; it is all done in the cloud. |
Synchronize on-premises directory objects with Office 365 and manage your users on-premises. You can also synchronize passwords so that the users have the same password on-premises and in the cloud, but they will have to sign in again to use Office 365. |
Synchronize on-premises directory objects with Office 365 and manage your users on-premises. The users have the same password on-premises and in the cloud, and they do not have to sign in again to use Office 365. This is often referred to as single sign-on. |
It is important to carefully consider which identity model to use to get up and running. Think about time, existing complexity, and cost. These factors are different for every organization; this topic will review these key concepts for every identity model to help you to choose the identity you want to use for your deployment.
You can also switch to a different identity model if your requirements change.
In this model, you create and manage users in the Microsoft Office Portal and store the accounts in Azure AD. Azure AD verifies the passwords. Azure AD is the cloud directory that is used by Office 365. No on-premises servers are required — Microsoft manages all of that for you. When identity and authentication are handled completely in the cloud, you can manage user accounts and user licenses through the Microsoft Online Portal or Windows PowerShell cmdlets.
The following graphic summarizes how to manage users in the cloud identity model.
The admin connects to the Microsoft Online Portal in the Microsoft cloud platform to create or manage users.
The create or manage requests are passed on to Azure AD.
If this is a change request, the change is made and copied back to the Microsoft Office Portal
New user accounts and changes to existing user accounts are copied back to the Microsoft Office Portal.
When would you use cloud identity? Cloud identity is a good choice if:
If you have an existing directory environment on-premises, you can integrate Office 365 with your directory by using either synchronized identity or single sign-on and federated identity to create and manage your users in Office 365.
In this model, you manage the user identity in an on-premises server and synchronize the accounts and, optionally, passwords to the cloud. The user enters the same password on-premises as he or she does in the cloud, and at sign-in, the password is verified by Azure AD. This model uses a directory synchronization tool to synchronize the on-premises identity to Office 365.
To configure the synchronized identity model, you have to have an on-premises directory to synchronize from, and you need to install a directory synchronization tool. You'll run a few consistency checks on your on-premises directory before you sync the accounts.
When to use synchronized or federated identities:
This model: |
Works in these situations: |
Synchronized identities |
When you have an on-premises directory and you want to synchronize user accounts and optionally passwords. If you also synchronize passwords, your users will use the same password to access on-premises resources and Office 365. When you ultimately want federated identities, but you are running a pilot of Office 365 or, for some other reason, you aren’t ready to dedicate time to deploying the Active Directory Federation Services (AD FS) servers yet. |
Federated identities |
When you need an advanced scenario, such as: existing federation, policy, or technical requirements |
The following diagram shows a synchronized identity scenario with a password synchronization. The synchronization tool keeps your on-premises and in-the-cloud corporate user identities synchronized.
You install a Microsoft Azure Active Directory Connect.
You create new users in your on-premises directory.
The synchronization tool will periodically check your on-premises directory for any new identities you have created. Then it provisions these identities into Azure AD, links the on-premises and cloud identities to one another, synchronizes passwords, and makes them visible to you through the Microsoft Office Portal.
As you make changes to the users in the on-premises directory, those changes are synchronized to Azure AD and made available to you through the Microsoft Office Portal.
This model requires a synchronized identity but with one change to that model: the user password is verified by the on-premises identity provider. This means that the password hash does not need to be synchronized to Azure AD. This model uses Active Directory Federation Services (AD FS) or a third-party identity provider.
The reasons for using a federated identity include:
Existing infrastructure
Technical requirements
Policy requirements
The following diagram shows a scenario of federated identity with a hybrid on-premises and cloud deployment. The on-premises directory in this example is AD FS. The synchronization tool keeps your on-premises and in-the-cloud corporate user identities synchronized.
You install Azure Active Directory Connect The synchronization tool helps to keep Azure AD up-to-date with the latest changes you make in your on-premises directory. You will need to use a custom install of Azure AD Connect to set up single sign-on.
You create new users in your on-premises Active Directory.
The synchronization tool will periodically check your on-premises Active Directory server for any new identities you have created. Then it provisions these identities into Azure AD, links the on-premises and cloud identities to one another, and makes them visible to you through the Microsoft Office Portal.
As changes are made to the identity in the on-premises Active Directory, those changes are synchronized to the Azure AD.
These changes are made available to you through the Microsoft Office Portal.
Your federated users sign in with your AD FS.
AD FS generates a security token and that token is passed to Azure AD. The token is verified and validated and the users are then authorized for Office 365.