Office 365 Identity Management Explained In 8 Minutes

Do you want to deploy Office 365? One of the first things to do is to create user identities. What are the options, which one should you choose, and what else must you consider? I will give you an overview of Office 365 Identity Management in the video.

First of all, there are three types of identities: Cloud Identity, Synchronized Identity and Federated Identity.

Cloud Identity

A cloud identity is a user account that is created and managed entirely in Office 365, either in the web admin center or with PowerShell. User information and the password (stored as a hash) live in Azure AD. This is the simplest scenario, suited to smaller deployments that have no on-premises directory to keep in step.

Now, let’s see how you can create a new user account:

  1. Log into Office 365
  2. Go to the admin center
  3. I have a shortcut here for creating a user
  4. We have some basic user information here, such as first name and last name
  5. The location (usage location) is mandatory: a license cannot be assigned until it is set, and it records the country in which the user consumes the service. Note that the physical location of the tenant's data is determined by the country chosen when the tenant was created, not by this per-user field.
  6. Next we have the password, which can be autogenerated or entered manually. Keep the option to force a change at first sign-in.
  7. Then we assign the proper license for the user; let's choose E5. Notice how many service plans the E5 subscription contains; each one can be switched off individually.
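The same procedure from PowerShell, as an added example that is not part of the original article: it creates a cloud-only user and assigns an E5 license with the classic MSOnline module (the module of that era; newer tenants use Microsoft Graph PowerShell instead). It assumes the module is installed, the session is a Global Administrator, and the tenant, UPN and usage location below are placeholders.

```powershell
# Added example, not the article's own code. Creates a cloud identity and licenses it.
# Assumptions: Install-Module MSOnline has been run, the caller is a Global Administrator,
# and the UPN / country code below are placeholders for your tenant.

Import-Module MSOnline
Connect-MsolService                                  # interactive, MFA-capable sign-in

$upn      = 'jane.doe@contoso.onmicrosoft.com'       # placeholder UPN
$location = 'PL'                                     # ISO 3166-1 alpha-2 usage location

# Find the E5 SKU. The part number for Office 365 E5 is ENTERPRISEPREMIUM; the prefix
# before the colon is the tenant name, so look it up rather than hardcoding it.
$e5 = Get-MsolAccountSku | Where-Object { $_.AccountSkuId -like '*:ENTERPRISEPREMIUM' }
if (-not $e5) { throw 'No E5 SKU found in this tenant' }
if (($e5.ActiveUnits - $e5.ConsumedUnits) -lt 1) { throw 'No free E5 license left' }

# Usage location must be set before a license can be assigned (step 5 above).
# No -Password is given, so a random one is generated and returned in $user.Password.
$user = New-MsolUser -UserPrincipalName $upn `
                     -DisplayName 'Jane Doe' -FirstName 'Jane' -LastName 'Doe' `
                     -UsageLocation $location `
                     -LicenseAssignment $e5.AccountSkuId `
                     -ForceChangePassword $true

# Hand the one-time password over out of band; never write it to a log or ticket.
$user | Select-Object UserPrincipalName, IsLicensed,
        @{ n = 'Sku'; e = { $_.Licenses.AccountSkuId } }

# Optional: E5 bundles many service plans (step 7). Disable the ones you do not want.
# List available plan names with: $e5.ServiceStatus | Select-Object -ExpandProperty ServicePlan
$opts = New-MsolLicenseOptions -AccountSkuId $e5.AccountSkuId -DisabledPlans 'YAMMER_ENTERPRISE'
Set-MsolUserLicense -UserPrincipalName $upn -LicenseOptions $opts
```

The free-seat check before `New-MsolUser` matters in scripts: a license assignment that fails for lack of seats still leaves the user created, so a batch run can silently produce unlicensed accounts.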


Now let's check what it looks like for the user:

  1. First, go to the Office login page
  2. When you type your login, the portal shows your company branding; notice that the URL stayed the same, because authentication still happens in Azure AD
  3. Type the password and the user can access the cloud services. Remember that it can take some time for all services, such as Skype for Business or SharePoint, to be provisioned for that user.

Synchronized Identity

If you already have a few hundred users, you probably have their information in another system, such as Active Directory. You can synchronize their accounts to the cloud using a tool called Azure Active Directory Connect (Azure AD Connect).

In this case, all user information is managed in Active Directory and synced to the cloud. You can also choose to sync user passwords (password hash synchronization). The clear-text password never leaves your network: AD stores only an MD4 (NT) hash, and Azure AD Connect re-hashes that hash with a per-user salt and PBKDF2-HMAC-SHA256 (1,000 iterations) before sending it over TLS. Azure AD cannot recover the original password from that value, and the synced value cannot be replayed against on-premises AD. Treat the Azure AD Connect server as a domain-controller-class asset anyway: its connector account can read every password hash in the directory.

What is nice here is that you manage user identities in one place, AD. Nothing in your IT operations changes: you create users in AD and you reset their passwords in AD. By default a sync cycle runs every 30 minutes, and password hash changes are picked up within a couple of minutes.

To enable sync, you must meet some technical requirements. First, the AD forest functional level must be Windows Server 2003 or higher. Second, specific attributes in AD must have valid values; for example, the user's email address, and a UPN whose suffix is a domain verified in the tenant (a .local suffix will not sync usefully). To check whether your AD is compliant, you can use a Microsoft tool called IdFix, which reports duplicates, missing values and illegal characters before you run the first sync.
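A quick pre-sync sweep for the attribute problems just mentioned, as an added example that is not the article's code and not a replacement for IdFix: it flags non-routable UPN suffixes, empty mail attributes, characters Azure AD rejects in the UPN, and duplicate SMTP addresses across the forest. It assumes the RSAT ActiveDirectory module is available and that the verified domain list below is a placeholder for your tenant's.

```powershell
# Added example, not the article's own code and not IdFix itself.
# Assumptions: RSAT ActiveDirectory module on a domain-joined machine, read access to
# user objects, and $verifiedDomains listing the domains verified in Office 365 (placeholders).

Import-Module ActiveDirectory

$verifiedDomains = @('contoso.com', 'contoso.onmicrosoft.com')    # placeholders

# Azure AD accepts only these characters in the part of the UPN before '@',
# and limits it to 64 characters.
$upnLocalPattern = "^[A-Za-z0-9'._!#^~-]{1,64}$"

$users = Get-ADUser -Filter 'Enabled -eq $true' `
                    -Properties mail, proxyAddresses, userPrincipalName

$seen   = @{}            # lower-cased address -> first UPN that claimed it
$issues = foreach ($u in $users) {
    $upn = $u.UserPrincipalName
    if (-not $upn) {
        [pscustomobject]@{ User = $u.SamAccountName; Problem = 'No userPrincipalName set' }
        continue
    }
    $local, $suffix = $upn -split '@', 2
    if ($suffix -notin $verifiedDomains) {
        [pscustomobject]@{ User = $upn; Problem = "UPN suffix '$suffix' is not a verified domain" }
    }
    if ($local -notmatch $upnLocalPattern) {
        [pscustomobject]@{ User = $upn; Problem = 'UPN prefix has illegal characters or is too long' }
    }
    if (-not $u.mail) {
        [pscustomobject]@{ User = $upn; Problem = 'mail attribute is empty' }
    }
    # Exchange Online will claim every smtp: proxy address, so they must be unique forest-wide.
    $addrs = @($u.mail) + @($u.proxyAddresses |
                Where-Object { $_ -match '^smtp:' } |            # -match is case-insensitive
                ForEach-Object { $_.Substring(5) })
    foreach ($a in ($addrs | Where-Object { $_ } |
                    ForEach-Object { $_.ToLowerInvariant() } | Sort-Object -Unique)) {
        if ($seen.ContainsKey($a) -and $seen[$a] -ne $upn) {
            [pscustomobject]@{ User = $upn; Problem = "Address $a duplicates $($seen[$a])" }
        } else {
            $seen[$a] = $upn
        }
    }
}

$issues | Sort-Object User | Format-Table -AutoSize
"Checked $($users.Count) enabled users, found $(@($issues).Count) issue(s)"
```

Run it before the first sync and again whenever HR imports a batch of accounts; a duplicate proxy address discovered after sync shows up as an export error in Azure AD Connect and blocks that user's mailbox until it is fixed on-premises.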

Federated identity

The third and last option is federation. To configure it you must have Active Directory Federation Services (AD FS) or similar software. I won't go into the details here since there are tons of articles on the Internet.

When a user tries to log on to the cloud, Azure AD sees that the domain is federated and redirects him to your on-premises AD FS. AD FS authenticates the user against your AD and issues a signed token (SAML or WS-Federation). Azure AD validates the signature against the federation trust and exchanges it for the token used to access Office 365.

This is often seen as more secure because your infrastructure authenticates the user: you keep control over authentication policy (smart cards, lockout, working hours) and no password hash has to be stored in the cloud. The flip side is that the AD FS token-signing key becomes as sensitive as a domain controller, since anyone who obtains it can mint tokens for any user. A prerequisite for this scenario is user account synchronization, because Azure AD still needs the user objects to exist.

Federated Identity is often sold as a single sign-on solution. Well, this is only partially true. It doesn't give exactly the same experience as local Active Directory. On a domain-joined machine inside the corporate network, with a browser that supports integrated Windows authentication, the user won't have to type credentials at all; on a phone, a non-domain-joined laptop, or from outside the office, AD FS shows its forms login page instead.

There is also one big drawback. If your infrastructure stops working (AD FS, the Web Application Proxy, your domain controllers or your Internet link), no one can access cloud services. Remember to build a highly available environment and test your disaster recovery procedures. A common safety net is to keep password hash synchronization enabled alongside federation, so the domain can be switched back to managed authentication while AD FS is down.

These are the three options for user management. There are also two additional scenarios you should consider.

Office 365 Identity Management advanced scenarios – multi-factor authentication

Multi-factor authentication allows you to increase the security of your environment. When you enable it, your employees are required to provide an additional authentication factor together with the password. Some time ago SMS was popular; now the trend is to use mobile applications, since SMS codes can be intercepted through SIM swapping or phished and are not bound to the device. Of course, you can configure when the user is asked for the second factor, for example only when he works from outside the office; in Azure AD that is done with Conditional Access policies rather than the per-user MFA switch.
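Turning on per-user MFA and checking who has actually registered a second factor, as an added example that is not from the original article. It uses the MSOnline module and assumes a connected Global Administrator session; the UPNs are placeholders. The "only outside the office" behaviour is a Conditional Access policy configured in the portal and is not covered by this script.

```powershell
# Added example, not the article's own code. Enables per-user MFA and reports registration state.
# Assumptions: Install-Module MSOnline has been run, Connect-MsolService succeeds as a
# Global Administrator, and the UPNs below are placeholders.

Import-Module MSOnline
Connect-MsolService

$targets = @('jane.doe@contoso.com', 'john.smith@contoso.com')    # placeholders

# State 'Enabled' forces the user to register a method at next sign-in;
# Azure AD moves the user to 'Enforced' once registration is complete.
$req = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationRequirement
$req.RelyingParty = '*'
$req.State        = 'Enabled'
$req.RememberDevicesNotIssuedBefore = Get-Date     # invalidates "remember this device" tokens issued earlier

foreach ($upn in $targets) {
    Set-MsolUser -UserPrincipalName $upn -StrongAuthenticationRequirements @($req)
}

# Report: MFA state plus registered methods. A user in 'Enabled' state with no methods
# is still protected only by the password until the first interactive sign-in.
# Method names: PhoneAppNotification / PhoneAppOTP are the Authenticator app,
# OneWaySMS is a text message, TwoWayVoiceMobile is a phone call.
Get-MsolUser -All |
    Where-Object { $_.StrongAuthenticationRequirements.Count -gt 0 } |
    Select-Object UserPrincipalName,
        @{ n = 'MfaState'; e = { $_.StrongAuthenticationRequirements[0].State } },
        @{ n = 'Methods';  e = { ($_.StrongAuthenticationMethods | ForEach-Object MethodType) -join ',' } },
        @{ n = 'Default';  e = { ($_.StrongAuthenticationMethods | Where-Object IsDefault).MethodType } } |
    Sort-Object MfaState |
    Format-Table -AutoSize
```

Rows whose `Default` column shows `OneWaySMS` are the ones to chase: they are registered, but with the weaker factor the paragraph above warns about.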

Let's see what federated identity looks like with multi-factor authentication.

I have a Microsoft Account. When I go to the login page and type my email, I'm redirected to the AD FS servers with custom branding; in this case, it's the Microsoft page. I'm authenticated against Microsoft's Active Directory in that case, but the additional factor is required. I must confirm that I'm logging in on the Authenticator app on my mobile. What is quite nice here is that I can use Apple Touch ID and don't have to type my PIN.


Advanced scenarios – password reset

The next scenario is password reset. Password reset is often one of the most time-consuming tasks for the helpdesk. Why waste time on something that users can do by themselves? In Office 365 self-service password reset comes in two flavours.

First, when you use only cloud identities, no extra infrastructure is needed: you enable self-service password reset in Azure AD, and users register their verification methods the first time they are prompted.

Second, when you use synchronized identities, you can enable something called password writeback (this requires an Azure AD Premium P1 license or higher). During configuration you choose from a couple of authentication methods, such as office phone, mobile phone, alternate email or security questions. It is recommended to require at least two of them before a password can be reset, and to avoid security questions where you can, since their answers are often guessable or discoverable.

When a user resets his password, it is sent from the cloud to your local Active Directory through the Azure AD Connect server, which keeps an outbound HTTPS connection to an Azure Service Bus relay; no inbound ports need to be opened. Be sure to configure your infrastructure accordingly: the AD DS connector account needs the Reset Password right plus write permission on pwdLastSet and lockoutTime for user objects, and nothing more. You probably ask whether this is safe, since at the end of the day it writes passwords to your Active Directory. Well, for an end-to-end password reset you must give users the ability to do it from outside your network. In that case you will either build your own solution or use one delivered by a vendor such as Microsoft. I believe the second one is much safer.
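A check that the connector account holds exactly the permissions password writeback needs, as an added example that is not part of the original article. It reads the ACL of the user OU with the ActiveDirectory module and looks for the three rights by their well-known GUIDs; the account and OU names are placeholders.

```powershell
# Added example, not the article's own code. Verifies the Azure AD Connect AD DS connector
# account has the three permissions password writeback requires on the user OU.
# Assumptions: RSAT ActiveDirectory module on a domain-joined box; account and OU are placeholders.

Import-Module ActiveDirectory

$connectorAccount = 'CONTOSO\MSOL_a1b2c3d4'                  # placeholder connector account
$userOu           = 'OU=Users,OU=Corp,DC=contoso,DC=com'     # placeholder OU holding synced users

# Rights GUIDs are stable across forests (defined by the AD schema and extended-rights container).
$needed = @(
    @{ Name = 'Reset Password (extended right)'; Guid = '00299570-246d-11d0-a768-00aa006e0529'; Right = 'ExtendedRight' }
    @{ Name = 'Write pwdLastSet';               Guid = 'bf967a0a-0de6-11d0-a285-00aa003049e2'; Right = 'WriteProperty' }
    @{ Name = 'Write lockoutTime';              Guid = '28630ebf-41d5-11d1-a9c1-0000f80367c1'; Right = 'WriteProperty' }
)
$userClass = [guid]'bf967aba-0de6-11d0-a285-00aa003049e2'  # schema GUID of the 'user' object class

$acl  = Get-Acl -Path "AD:\$userOu"
$aces = $acl.Access | Where-Object {
    $_.IdentityReference.Value -eq $connectorAccount -and $_.AccessControlType -eq 'Allow'
}

$result = foreach ($n in $needed) {
    $guid  = [guid]$n.Guid
    $right = [System.DirectoryServices.ActiveDirectoryRights]$n.Right
    $hit = $aces | Where-Object {
        $_.ObjectType -eq $guid -and
        $_.ActiveDirectoryRights.HasFlag($right) -and
        # ACE must apply to descendant user objects (or to all object types)
        ($_.InheritedObjectType -eq $userClass -or $_.InheritedObjectType -eq [guid]::Empty)
    }
    [pscustomobject]@{ Permission = $n.Name; Granted = [bool]$hit }
}

$result | Format-Table -AutoSize

# Least privilege cuts both ways: the account should have these rights and not, say, GenericAll.
$tooBroad = $aces | Where-Object {
    $_.ActiveDirectoryRights.HasFlag([System.DirectoryServices.ActiveDirectoryRights]::GenericAll)
}
if ($tooBroad) { Write-Warning "$connectorAccount has GenericAll on $userOu; reduce it to the three rights above." }
if ($result.Granted -contains $false) {
    Write-Warning 'Missing permissions. Grant them with Set-ADSyncPasswordWritebackPermissions from the ADSyncConfig module shipped with Azure AD Connect.'
}
```

Run this on a domain controller or any RSAT-equipped machine after the Azure AD Connect wizard has enabled writeback; the wizard sets the cloud side, and this confirms the AD side matches it without granting more than it needs.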


We went through identity management scenarios in Office 365. To sum up:

  • You can manage your users only in Office 365
  • In most of our projects, we synchronize local AD with Azure AD using Azure AD Connect. It syncs user information and password hashes.
  • You can federate Office 365 with your AD. Users then authenticate in your AD and no password hash is stored in the cloud, at the cost of making your on-premises infrastructure a dependency for every cloud sign-in.
  • To increase security or lower the number of password reset tickets, deploy multi-factor authentication and self-service password reset. Both are available in the cloud without additional infrastructure; password writeback for synchronized users additionally needs Azure AD Connect and a Premium license.

I believe this gives you a good overview of identity management options in Office 365. So that's it for today. If you need help or have some questions, don't hesitate to contact us or just leave a comment below.

And if you enjoyed the trip through Office 365 Identity Management in this video, share it with your colleagues. Remember that we publish articles and videos regularly, so make sure you follow us on Facebook or YouTube. See you in the next episode of Predica TechLab!


