Wednesday, October 15, 2014

Office 365 Identity Model Options

Most of us talking about Office 365 solution to our customers, and most of the time we are confused which identity management option is suitable for customer.
Identity management is the process of identity individuals in a system and controlling access to the resources in that system, and which of these models you can choose will impact where you manage users account for Office 365 and how those user sign-in password are verified.
In Office 365, there are three main model for identity options available- Cloud Identity, Directory Synchronization and Federation Identity.

Cloud Identity 
In Cloud Identity model a user is created and managed in Office 365 and stored in Azure Active Directory, and password is verified by Azure Active Directory and managed via the Office 365 Admin Portal or PowerShell.  Users are completely managed and stored in the cloud and not associated with any on-premises identity provider like on-premises Active Directory.

When to choose the Cloud Identity
This model is best for small environment where there is no on-premises identity configuration to do, all we have to do in Office 365 admin center. Also you can choose the Cloud Identity model if you have no on-premises directory, if you have very small number of users and on-premises directory is undergoing significant restructuring, or if you are trailing or piloting Office 365.

Directory Synchronization (With password Sync)
 This model mostly used when you have an existing on-premise Active Directory and want those same users to have access to Office 365. The user enters the same password on-premises as they do in the cloud, and at sign-in the password is verified by Azure Active Directory. For this model we need to install Microsoft Active Directory Sync Tool (DirSync). User identity and password are created and managed on-premises and synchronized to the cloud.

When to choose the Cloud Identity
This model you would choose the Synchronized Identity model if you have an on-premises directory and you don’t need any of the specific scenarios that are provided for by the Federated Identity model. The Synchronized Identity model is also very simple to configure. It requires you to have an on-premises directory to synchronize from, and it requires you to install the DirSync tool and run a few other consistency checks on your on-premises directory.

Federated Identity 
This Model require a synchronized identity but with one change to that model is user password is verify by the on-premises identity provider. This model also known as Single Sign-On, this is commonly done with on-premises Active Directory using Active Directory Federation Services (ADFS) or some third party identity provider.

When to choose the Federated Identity
In This model all of the configuration for the Synchronized Identity model is required for the Federated identity model. Federated Identity model just so that their users can have the same password on-premises and in the cloud.

The following scenarios are good for implementing the Federated Identity model.

  • If you have already have an AD FS Deployment.
  • You already use a third party federated identity provider
  • You use forefront identity Manager 2010 R2
  • If you have multiple forest in your on-premises Active Directory
  • You have an on-premises integrated smart card on multi-factor authentication.
  • If you have Custom hybrid applications or hybrid search is required
  • If you have Web-accessible forgotten password reset.
  • If you require sign-in audit or immediate disable
  • Single sign-on is required
  • If you require client sign in restrictions by network location or work hours
  • Policy preventing synchronizing password hashes to Azure Active Directory