If you are considering Office 365, you will inevitably start thinking about authentication. You have your physical computers and devices, but Office 365 is a service in the cloud, and the logical question is: how do you authenticate to it?
Office 365 stores user credentials in the Azure cloud. "Microsoft Azure cloud" is just a marketing term for a specific Microsoft offering. Azure includes a component called Azure Active Directory, which is where the credentials for Office 365 users are stored. In another blog post we will go into the differences between Azure and Office 365 (both considered parts of the Microsoft cloud), but in this post you just need to know the names. In a nutshell, Azure is the behind-the-scenes set of services that IT professionals use, and Office 365 is the user-facing set of services, such as email, that end users use.
There are three primary ways to manage the user credentials for Office 365 users. The first, and easiest, is to use the Office 365 administration portal, which is shown in the figure. For the majority of small organizations, this is all you will ever need. The main downside is that the credential you use to log into your computer is different from the one you use to log into Office 365. This isn't so bad in reality, because your computer caches your credential and you can streamline logins with tools such as LastPass (www.lastpass.com). This approach is similar to how you manage your LinkedIn, Facebook or personal email account such as Hotmail or Gmail. Sure, your users might need to reset their password every once in a while, but the burden is just someone logging into the Office 365 administration portal and resetting it.
As organizations get larger, it is often desirable to streamline the credentials that are used for different systems. For example, a user might use different credentials to log in to their computer, a timesheet application, an expense application, and so on. Organizations could use the local credential mechanism for each system, but it is more common to standardize on a centralized credential management system. In the Microsoft world the product for doing this is called Active Directory, and it usually runs on servers located somewhere around the office. This brings us to the next question: wouldn't it be nice to use the same login for Office 365 that organizations use for their local Active Directory? The answer, of course, is yes, definitely. This leads us to our second method for managing Office 365 users: directory synchronization.
Directory synchronization lets IT administrators manage users in the local Active Directory and sync those users with Office 365. This works great, since users have the same username for their local computer and local systems as they do for Office 365. Think of it as copying all of the local users up to Office 365 (actually to Azure Active Directory, which is what Office 365 uses for credentials). Users can keep the same password as well by enabling password synchronization in the DirSync tool. The DirSync wizard is shown in the figure.
Finally, you can manage Office 365 users using full federation. Federation means that Office 365 "trusts" your local Active Directory, so that people in your organization can easily use Office 365 whenever they need to. Office 365 sees your local Active Directory as a peer and trusts it without ever knowing or caring about the actual password. The same DirSync tool that is used for directory synchronization is used to set up federation, along with a component of Active Directory called Active Directory Federation Services (ADFS). ADFS is separate from the DirSync tool and is a component of Active Directory designed specifically for providing trust relationships between organizations.
- Office 365 Administration Portal
- Active Directory Synchronization
- Active Directory Federation
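An administrator inheriting a tenant often does not know which of these three models is actually in effect, and the answer determines where passwords live and whose password policy applies. The following PowerShell report is an added example, not code from the original post or from Microsoft; it assumes the legacy MSOnline module (the module of the DirSync era, installed with `Install-Module MSOnline`) and an account with administrator rights in the tenant. The function name `Get-O365IdentityModelReport` is made up for this example; the cmdlets and property names it calls are the module's own.

```powershell
# Added example (not from the original post): report which of the three Office 365
# identity models a tenant is using, so an administrator can verify the configuration
# rather than assume it. Assumes the legacy MSOnline module and a tenant admin account.

function Get-O365IdentityModelReport {
    [CmdletBinding()]
    param()

    # Prompts for tenant administrator credentials.
    Connect-MsolService

    $company = Get-MsolCompanyInformation

    # Tenant-wide sync state, set by the DirSync tool when it first synchronizes.
    $syncEnabled      = [bool]$company.DirectorySynchronizationEnabled
    $passwordSync     = [bool]$company.PasswordSynchronizationEnabled
    $lastDirSync      = $company.LastDirSyncTime
    $lastPasswordSync = $company.LastPasswordSyncTime

    # Per-domain authentication type: 'Managed' (cloud or synced passwords)
    # or 'Federated' (the tenant trusts an ADFS farm for this domain).
    $domains = Get-MsolDomain | Where-Object { $_.Status -eq 'Verified' } | ForEach-Object {
        $d = [ordered]@{
            Domain          = $_.Name
            Authentication  = $_.Authentication
            IssuerUri       = $null
            PassiveLogOnUri = $null
        }
        if ($_.Authentication -eq 'Federated') {
            # Federation settings identify which ADFS farm Office 365 trusts.
            $fed = Get-MsolDomainFederationSettings -DomainName $_.Name
            $d.IssuerUri       = $fed.IssuerUri
            $d.PassiveLogOnUri = $fed.PassiveLogOnUri
        }
        [pscustomobject]$d
    }

    # Users that originated in the local Active Directory carry a LastDirSyncTime;
    # users created directly in the administration portal do not.
    $allUsers    = Get-MsolUser -All
    $syncedUsers = @($allUsers | Where-Object { $_.LastDirSyncTime })
    $cloudUsers  = @($allUsers | Where-Object { -not $_.LastDirSyncTime })

    $model = if ($domains.Authentication -contains 'Federated') { 'Federation (ADFS)' }
             elseif ($syncEnabled) { 'Directory synchronization' }
             else { 'Office 365 administration portal (cloud-only)' }

    [pscustomobject]@{
        PrimaryModel         = $model
        DirectorySyncEnabled = $syncEnabled
        PasswordSyncEnabled  = $passwordSync
        LastDirSyncTime      = $lastDirSync
        LastPasswordSyncTime = $lastPasswordSync
        SyncedUserCount      = $syncedUsers.Count
        CloudOnlyUserCount   = $cloudUsers.Count
        # Cloud-only accounts in a synced or federated tenant are governed by the
        # portal's password rules rather than the local Active Directory, so they
        # are the ones worth reviewing individually.
        CloudOnlyUsers       = $cloudUsers.UserPrincipalName
        Domains              = $domains
    }
}

Get-O365IdentityModelReport | Format-List
```

The report classifies the tenant by the strongest model present: any federated domain means ADFS is in the login path, otherwise `DirectorySynchronizationEnabled` indicates DirSync, and a tenant with neither is managed purely from the administration portal. `LastDirSyncTime` and `LastPasswordSyncTime` are worth a glance too; a stale timestamp means the local directory and Office 365 have drifted apart.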
To conclude, the simplest and easiest method for managing Office 365 users is the Office 365 administration portal. As organizations get larger they often have a centralized repository on their local premises for managing users. This local repository can be copied to Office 365 using directory synchronization. Finally, the local Active Directory can be federated, or trusted, with Office 365 so that Office 365 essentially becomes another component of the company network even though it is hosted in the Microsoft data centers.