Office 365 Identity Models

How to Manage Office 365 Identity Models?

  • Office 365 Identity Model 1: Cloud identity – the most basic identity used in Office 365

In this model, users are created and managed completely in the cloud through Office 365 (Azure Active Directory). The user’s identity—usernames and passwords—will be stored in Azure Active Directory, and the authentication will take place from there. All applications they access will be completely in the cloud.

There is no on-premises infrastructure in this model. An admin can manage users directly from the Office 365 admin portal, Azure Active Directory portal, or Windows Azure Active Directory PowerShell by connecting to Microsoft Online Services using the Connect-MsolService cmdlet.

  • Office 365 Identity Model 2: Synced with Active Directory – Managed user type

This is the second identity model for Office 365.

It’s used when you have an existing on-premises environment with Active Directory and want to either migrate your existing users to Office 365 Cloud or access services from Office 365 while keeping the same users in both your on-premises Active Directory (AD) and Office 365.

Under this model, users and their attributes are synchronized from your on-premises AD to Office 365 (Azure AD) using a tool known as Azure Active Directory Connect. You can install this tool on either a domain controller or a member server in your on-premises AD.

Users are created, managed, and deleted only from your on-premises AD. Any changes to a user’s attributes are made in your on-premises AD and synchronized with Office 365 after an automatic or manual Delta Sync or Full Sync.
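The Delta Sync and Full Sync mentioned above are started and inspected on the Azure AD Connect server itself. The script below is an added example, not code from the original article: it checks the sync scheduler, triggers a cycle only if one is not already running, and then confirms from the tenant side that the last sync timestamp moved. It assumes the ADSync module (installed with Azure AD Connect) and the MSOnline module are available and that you hold an admin account for Connect-MsolService.

```powershell
# Added example: run on the Azure AD Connect server.
# Assumes the ADSync and MSOnline PowerShell modules are installed.
Import-Module ADSync

# Scheduler state: are automatic cycles enabled, how often do they run,
# what type is the next cycle, and is one running right now?
$scheduler = Get-ADSyncScheduler
$scheduler | Select-Object SyncCycleEnabled, CurrentlyEffectiveSyncCycleInterval,
    NextSyncCyclePolicyType, NextSyncCycleStartTimeInUTC, SyncCycleInProgress

# Do not start a second cycle while one is in progress; overlapping cycles
# are rejected and only add noise to the run history.
if ($scheduler.SyncCycleInProgress) {
    Write-Warning "A sync cycle is already running; wait for it to finish."
    return
}

# 'Delta' pushes only the changes since the last cycle (the usual manual run);
# 'Initial' is the Full Sync that re-reads every object, used after changing
# sync rules or OU filtering.
$policy = 'Delta'   # change to 'Initial' for a Full Sync
Start-ADSyncSyncCycle -PolicyType $policy

# Tenant side: confirm sync is enabled and LastDirSyncTime advanced after the
# cycle completed. Connect-MsolService prompts for admin credentials.
Import-Module MSOnline
Connect-MsolService
Get-MsolCompanyInformation |
    Select-Object DirectorySynchronizationEnabled, LastDirSyncTime, PasswordSynchronizationEnabled
```

LastDirSyncTime is the quickest check that a manual Delta Sync actually reached the tenant; if it does not advance within a few minutes, the sync engine's run history on the connector server is the place to look next.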

  • Office 365 Identity Model 3: Federated user type

This is the third and final identity model for Office 365 users.

Federated users are also considered to be Synced with Active Directory user accounts. These are the same user accounts that are synchronized from your on-premises AD to Office 365. However, the difference is in the authentication process when signing in to Office 365.

There are times when some organizations don’t even want the hash of a user’s password to leave their internal network due to their own security and compliance policies; they may want their users to get authenticated from their on-premises AD instead. In such cases, you can use a federated identity to essentially build a trust relationship between your on-premises AD and Office 365.
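Because all three models can coexist in one tenant (one UPN suffix federated, another managed, plus cloud-only accounts), it helps to inventory which model each domain and user is actually on. The script below is an added example, not code from the original article: it uses the same Connect-MsolService session the article mentions and reads the tenant's domains, sync settings and user objects. The classification rule (no ImmutableId means cloud-only; otherwise the model follows the authentication type of the user's UPN suffix) is my assumption based on how synced objects are anchored, and the MSOnline module and a role that can read users and domains are assumed.

```powershell
# Added example: inventory identity models in a tenant.
# Assumes the MSOnline module is installed and Connect-MsolService succeeds.
Import-Module MSOnline
Connect-MsolService

# Domain level: Authentication is 'Managed' (Azure AD verifies the password,
# for cloud or synced users) or 'Federated' (sign-in is redirected to the
# on-premises federation service, so the password never reaches Azure AD).
Get-MsolDomain | Select-Object Name, Status, Authentication

# Tenant level: is directory sync on, and are password hashes being synced?
# An organisation that refuses to let hashes leave the network should see
# PasswordSynchronizationEnabled = False here.
Get-MsolCompanyInformation |
    Select-Object DirectorySynchronizationEnabled, PasswordSynchronizationEnabled, LastDirSyncTime

# Build a lookup of UPN suffix -> authentication type.
$domains = @{}
Get-MsolDomain | ForEach-Object { $domains[$_.Name] = $_.Authentication }

# User level: a synced user carries an ImmutableId (the on-premises object's
# anchor) and a LastDirSyncTime; a cloud-only user has neither.
Get-MsolUser -All | ForEach-Object {
    $suffix = ($_.UserPrincipalName -split '@')[-1]
    $auth   = $domains[$suffix]
    $model  = if (-not $_.ImmutableId) { 'Cloud identity' }
              elseif ($auth -eq 'Federated') { 'Federated identity' }
              else { 'Synchronized identity' }
    [pscustomobject]@{
        UserPrincipalName = $_.UserPrincipalName
        IdentityModel     = $model
        LastDirSyncTime   = $_.LastDirSyncTime
    }
} | Sort-Object IdentityModel, UserPrincipalName | Format-Table -AutoSize
```

Cloud-only accounts turning up in a tenant that is supposed to be fully synced or federated are worth reviewing, since they are created and managed outside the on-premises AD lifecycle (joiners, movers and leavers) that the synchronized and federated models rely on.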

SUMMARY

  1. Cloud identity: Everything is done in the cloud, so there is no need for on-premises servers. This is the simplest option to manage.
  2. Synchronized identity: Sync on-premises directory objects with Office 365 and then manage users on premises. You can synchronize users’ passwords for the cloud and on premises. But they will have to sign in again to use Office 365.
  3. Federated identity: Sync on-premises directory objects with Office 365 and then manage users on premises. Users keep the same password for the cloud and on premises and will not have to sign in again to use Office 365. This is sometimes called single sign-on.