Do you want to deploy Office 365? One of the first things to do is to create user identities. What are the options, which one should you choose, and what else must you consider? In this post and video I will give you an overview of Office 365 identity management.
First of all, there are three types of identities: cloud identity, synchronized identity and federated identity.
Cloud identity is the simplest option: the user account is created and managed entirely in Office 365, either through the admin portal in a web browser or with PowerShell. User information and the password are stored only in Azure AD; there is no link to an on-premises directory. This is the natural choice for smaller deployments that do not already run Active Directory.
In the video I show how to create a new user account and what it then looks like for the user.
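The same steps in PowerShell, as an added example that is not part of the original post: it creates a cloud-only user with the Microsoft Graph PowerShell SDK and reads it back to confirm it has no on-premises link. The tenant, display name, UPN and usage location are placeholders; the initial password is generated at random rather than hard-coded and the user is forced to change it at first sign-in.

```powershell
# Added example (not from the original post). Requires the Microsoft.Graph
# PowerShell SDK and an account allowed to create users.
Connect-MgGraph -Scopes "User.ReadWrite.All"

$upn = "jane.doe@contoso.onmicrosoft.com"   # placeholder tenant and user

# Random initial password instead of a predictable one; 24 random bytes in
# Base64 give 32 characters with mixed case, digits and symbols.
$bytes = New-Object byte[] 24
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
$initialPassword = [Convert]::ToBase64String($bytes)

$passwordProfile = @{
    Password                      = $initialPassword
    ForceChangePasswordNextSignIn = $true     # one-time password only
}

$user = New-MgUser -DisplayName "Jane Doe" `
    -UserPrincipalName $upn `
    -MailNickname "jane.doe" `
    -AccountEnabled `
    -UsageLocation "US" `
    -PasswordProfile $passwordProfile

# Read back what Azure AD stored. OnPremisesSyncEnabled stays empty for a
# cloud identity; for a synchronized user it would be True.
Get-MgUser -UserId $user.Id `
    -Property DisplayName,UserPrincipalName,AccountEnabled,OnPremisesSyncEnabled,CreatedDateTime |
    Format-List DisplayName,UserPrincipalName,AccountEnabled,OnPremisesSyncEnabled,CreatedDateTime

# Hand the one-time password to the user out of band and do not log it.
Write-Host "Initial password for $upn (share out of band): $initialPassword"
```

Once the user has signed in and changed the password, the random value above is no longer valid anywhere, which is the point of forcing the change.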
If you already have a few hundred users, you probably have their information in another system, most often Active Directory. You can synchronize their accounts to the cloud using a tool called Azure Active Directory Connect.
In this case, all user information is managed in Active Directory and synced to the cloud. You can also choose to sync user passwords (password hash synchronization). Don't worry, the clear-text password never leaves your network: AD stores only a hash of the password, and Azure AD Connect adds a per-user salt and runs that hash through PBKDF2 with HMAC-SHA256 (1,000 iterations) before sending the result to Azure AD. The value stored in the cloud therefore cannot be replayed against your on-premises domain.
What is nice here is that you manage user identities in one place, your AD, and nothing in your IT operations changes. You create users in AD and you reset their passwords in AD; the changes flow to the cloud on the next sync cycle.
To enable sync, your environment must meet some technical requirements. First, the AD forest functional level must be Windows Server 2003 or later. Second, specific attributes must hold valid values: for example, every user needs a UPN whose suffix matches a domain you have verified in Office 365 (a .local suffix will not do), a unique mail address, and no duplicate proxyAddresses across objects. To check whether your AD is ready, use Microsoft's IdFix tool.
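Before running IdFix you can get a quick picture of the same problems with the RSAT ActiveDirectory module. This is an added example, not code from the post or from IdFix; the list of verified domains is an assumption you must replace with your own.

```powershell
# Added example (not from the original post). Assumes the RSAT ActiveDirectory
# module and that contoso.com is the domain verified in Office 365 (placeholder).
Import-Module ActiveDirectory

$verifiedDomains = @("contoso.com")                       # assumption: your verified domains

# 1. Forest functional level: Azure AD Connect needs Windows Server 2003 or later.
$forest = Get-ADForest
"Forest functional level: {0}" -f $forest.ForestMode

$users = Get-ADUser -Filter 'Enabled -eq $true' `
    -Properties userPrincipalName, mail, proxyAddresses, sAMAccountName

# 2. UPN suffixes: a missing or non-routable suffix is rewritten to
#    @tenant.onmicrosoft.com in the cloud, which surprises users.
$badUpn = @($users | Where-Object {
    -not $_.userPrincipalName -or
    ($_.userPrincipalName.Split('@')[-1] -notin $verifiedDomains)
})
"Users with missing or non-routable UPN suffix: {0}" -f $badUpn.Count
$badUpn | Select-Object sAMAccountName, userPrincipalName | Format-Table -AutoSize

# 3. Duplicate mail / proxyAddresses across different users: these collide in
#    Exchange Online and the objects fail to export.
$addresses = foreach ($u in $users) {
    foreach ($a in (@($u.proxyAddresses) + @($u.mail))) {
        if ($a) {
            [pscustomobject]@{
                User    = $u.sAMAccountName
                Address = ($a -replace '^(smtp|SMTP):', '').ToLower()
            }
        }
    }
}
$dupes = @($addresses | Group-Object Address |
    Where-Object { @($_.Group.User | Select-Object -Unique).Count -gt 1 })
"Addresses shared by more than one user: {0}" -f $dupes.Count
$dupes | ForEach-Object { "{0} -> {1}" -f $_.Name, (($_.Group.User | Select-Object -Unique) -join ', ') }

# 4. Characters Azure AD rejects in a UPN (whitespace and common punctuation).
$badChars = @($users | Where-Object { $_.userPrincipalName -match '[\s\\/\[\]:;|=,+*?<>"]' })
"UPNs with invalid characters: {0}" -f $badChars.Count
$badChars | Select-Object sAMAccountName, userPrincipalName | Format-Table -AutoSize
```

Fix what this reports in AD before the first sync rather than after; correcting a UPN after the object exists in Azure AD is possible but far more disruptive for the user.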
The third and last option is federation. To configure it you must run Active Directory Federation Services (AD FS) or a third-party identity provider that Azure AD can federate with. I won't go into the setup details here, since there are plenty of articles on the Internet.
When a user tries to log on to the cloud, Azure AD redirects them to your on-premises AD FS servers. AD FS authenticates the user against your Active Directory and issues a signed security token. Azure AD trusts that token, and it is used to access Office 365.
This is often seen as more secure because your own infrastructure authenticates the user and no password, not even a hash, has to be stored in the cloud. The flip side is that Azure AD accepts any token your AD FS signs, so the token-signing certificate and the federation servers are as sensitive as a domain controller and must be protected accordingly. A prerequisite for this scenario is that user accounts are still synchronized with Azure AD Connect, so that Azure AD knows which users exist.
Federated identity is often sold as a single sign-on solution. This is only partially true: it does not give the exact same experience as local Active Directory. A user on a domain-joined machine inside the corporate network is typically signed in without typing anything; from outside the network, on a non-domain-joined device, or in some client applications they still have to enter credentials. Let's say that in most scenarios the user won't have to type in their password.
There is also one big drawback. If your federation infrastructure stops working, no one can access the cloud services. Build a highly available environment, test your disaster recovery procedures, and consider enabling password hash synchronization as well, so that you can switch the domain to managed authentication if AD FS is unavailable.
These are the three options for managing users. There are also two additional scenarios you should consider.
Multi-factor authentication lets you raise the security of your environment. When you enable it, your employees must provide an additional authentication factor together with the password. Some time ago SMS codes were popular; now the trend is to use a mobile authenticator app, because SMS codes can be intercepted or phished and a phone number can be SIM-swapped. Of course, you can configure when the user is asked for the second factor with conditional access policies, for example only when they work from outside the office.
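The "only outside the office" rule as a conditional access policy, created with the Microsoft Graph PowerShell SDK. This is an added example and not configuration from the original post; the office IP range, the break-glass group name and the policy name are assumptions. It starts in report-only mode so you can review the sign-in log before enforcing it.

```powershell
# Added example (not from the original post). Requires the Microsoft.Graph
# PowerShell SDK and Conditional Access administrator rights.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All", "Group.Read.All"

# Named location for the office egress range (203.0.113.0/24 is a placeholder
# documentation range). Marking it trusted also lets Identity Protection treat it as known.
$officeLocation = New-MgIdentityConditionalAccessNamedLocation -BodyParameter @{
    "@odata.type" = "#microsoft.graph.ipNamedLocation"
    displayName   = "HQ office"
    isTrusted     = $true
    ipRanges      = @(
        @{ "@odata.type" = "#microsoft.graph.iPv4CidrRange"; cidrAddress = "203.0.113.0/24" }
    )
}

# Always exclude an emergency-access group so a broken policy cannot lock
# every admin out. Group name is an assumption; create it first.
$breakGlass = Get-MgGroup -Filter "displayName eq 'Break glass accounts'"
if (-not $breakGlass) { throw "Create the break-glass group before applying this policy." }

$policy = @{
    displayName = "Require MFA outside the office"
    # Report-only: the policy is evaluated and logged but not enforced.
    # Change to "enabled" after reviewing the sign-in log.
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users          = @{ includeUsers = @("All"); excludeGroups = @($breakGlass.Id) }
        applications   = @{ includeApplications = @("All") }
        locations      = @{ includeLocations = @("All"); excludeLocations = @($officeLocation.Id) }
        clientAppTypes = @("all")
    }
    grantControls = @{ operator = "OR"; builtInControls = @("mfa") }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
"Created policy {0} in state {1}" -f $created.DisplayName, $created.State
```

Excluding the office range from an "all locations" policy is the usual shape of this rule; the reverse (including only untrusted locations) behaves the same but is harder to read in audits.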
Let’s see what federated identity looks like with multi-factor authentication.
I have a Microsoft account. When I go to the login page and type my email, I'm redirected to the AD FS servers with custom branding; in this case it's a Microsoft page. I'm authenticated against Microsoft's Active Directory, but an additional factor is required: I must confirm that I'm logging in using the Authenticator app on my mobile. What is quite nice here is that I can use Apple Touch ID and don't have to type in my PIN.
The next scenario is password reset. It is often one of the most time-consuming tasks for the helpdesk. Why waste time on something that users can do by themselves? In Office 365 self-service password reset comes in two flavors.
First, when you use only cloud identities, there is nothing on-premises to set up: you switch self-service password reset on in Azure AD and choose which users it applies to.
Second, when you use synchronized identities, you enable something called password writeback in Azure AD Connect. During configuration you choose from several verification methods, such as office phone, mobile phone, alternate email or security questions. It is recommended to require at least two of them before a password can be reset, so that a single compromised mailbox or phone number is not enough.
When a user resets their password, the new password is sent from the cloud to your local Active Directory by the Azure AD Connect server. The channel is an outbound HTTPS connection opened by that server, so you do not have to expose any inbound port, but you must allow that outbound traffic and grant the AD connector account the right to reset passwords on the user objects, and nothing more. You may ask whether this is safe, since in the end it writes passwords into your Active Directory. Well, an end-to-end password reset means users must be able to do it from outside your network. In that case you either build a custom solution yourself or use one delivered by a vendor such as Microsoft, and I believe the second option is much safer.
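The on-premises side of that setup in PowerShell, as an added example that is not from the original post: delegate only the rights writeback needs to the AD connector account, enable the feature, and verify it. The connector account, domain and connector name are placeholders, and the module path is the default Azure AD Connect install location.

```powershell
# Added example (not from the original post). Run on the Azure AD Connect server
# as an account that can change ACLs in AD. Names below are placeholders.
$connectorAccount = "MSOL_a1b2c3d4e5f6"          # AD DS connector account used by Azure AD Connect
$connectorDomain  = "contoso.com"
$aadConnector     = "contoso.onmicrosoft.com - AAD"   # see Get-ADSyncConnector | Select Name

# 1. Least-privilege delegation. The helper ships with Azure AD Connect and grants
#    exactly: Reset password, and write to lockoutTime and pwdLastSet on user objects.
Import-Module "C:\Program Files\Microsoft Azure Active Directory Connect\AdSyncConfig\AdSyncConfig.psm1"
Set-ADSyncPasswordWritebackPermissions -ADConnectorAccountName $connectorAccount `
    -ADConnectorAccountDomain $connectorDomain

# 2. Review what the account actually holds on the users OU; anything beyond the
#    three rights above is scope creep worth questioning.
dsacls "OU=Users,DC=contoso,DC=com" | Select-String $connectorAccount

# 3. Turn writeback on for the Azure AD connector and read the setting back.
Import-Module ADSync
Set-ADSyncAADPasswordResetConfiguration -Connector $aadConnector -Enable $true
Get-ADSyncAADPasswordResetConfiguration -Connector $aadConnector

# 4. The channel is outbound only: check the server can reach the reset service on 443.
#    Endpoint name taken from the SSPR writeback prerequisites; no inbound rule is needed.
Test-NetConnection -ComputerName passwordreset.microsoftonline.com -Port 443 |
    Select-Object ComputerName, RemotePort, TcpTestSucceeded
```

If step 2 shows the connector account with broad rights such as full control on the OU, remove them; a compromised Azure AD Connect server should be able to reset passwords, not rewrite group membership or other attributes.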
I believe this gives you a good overview of identity management options in Office 365. So that’s it for today. If you need help or have some questions, don’t hesitate to contact us.
And if you enjoyed the trip through Office 365 Identity Management in this video, share it with your colleagues. Remember that we publish articles and videos regularly, so make sure you follow us on Facebook or YouTube. See you in the next episode of Predica TechLab!
We went through identity management scenarios in Office 365. To sum up: