How does Office 365 know who I am? : The importance of identity management for migration planning

Now that you have committed to moving your organisation into the Microsoft cloud, your next decision is identity management. But what exactly is this, and what are the issues?


In broad terms, identity management covers how your users' accounts are created and managed, how users are authenticated, and where that authentication takes place. Active Directory (AD) is at the core of most enterprise approaches to identity management, whether that is on-premise AD or its cloud counterpart, Azure Active Directory.

It’s important to make the right choice at the start of any migration to Office 365, as it affects which migration method can be used and how users and services are administered afterwards. Any other local infrastructure, such as Exchange, should also be taken into consideration.

The decision made now, however, is not set in stone: it is always possible to move to a more advanced model later if the organisation needs it.

What are the options?

There are four AD-based identity management scenarios to consider when moving to Office 365:

1. Cloud Identity
In this model, a user is created and managed in Office 365 and stored in Azure Active Directory, and the password is verified by Azure Active Directory.

In this scenario, all user accounts are created and managed directly within Office 365, with no requirement for on-premise infrastructure. This is ideal for small businesses with no existing, on-premise Active Directory.

2. Synchronised Identity
In this model, the user identity is managed in an on-premise server, and the accounts and password hashes are synchronised to the Cloud.

On-premise AD objects are synchronised with your Office 365 tenant using Microsoft’s Azure AD Connect (AADC) software, installed on your own infrastructure. You can choose to synchronise password hashes as well (password hash synchronisation), so that users have the same password locally and in Office 365. The clear-text password is never sent: AADC takes the NT hash from AD, adds a per-user salt and re-hashes it with PBKDF2-HMAC-SHA256 before transmitting it, and it is that derived value, not the NT hash itself, that Azure AD stores. Users will still be prompted to sign in when accessing Office 365 services unless Azure AD Seamless SSO is additionally enabled for domain-joined devices. Azure AD handles authentication for Office 365 services with this set-up. Once in place, you’ll continue to manage users and objects from your on-premise AD.
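To make concrete what password hash synchronisation actually sends to the cloud, here is an added example (not code from the article or from Azure AD Connect) that reproduces the documented transformation: the 16-byte NT hash is hex-encoded, re-encoded as UTF-16-LE, salted with a 10-byte per-user salt and run through 1000 iterations of PBKDF2-HMAC-SHA256, and the Azure AD side of a sign-in recomputes the same value from the entered password. The sample NT hash is a constructed stand-in, the use of lower-case hex in the expansion step is an assumption, and the function names are this example's own.

```python
import hashlib
import hmac
import os

# Parameters Microsoft documents for Azure AD Connect password hash sync:
# a 10-byte per-user salt and 1000 iterations of PBKDF2-HMAC-SHA256.
SALT_LENGTH = 10
PBKDF2_ITERATIONS = 1000


def nt_hash(password):
    """The on-premise AD NT hash: MD4 over the UTF-16-LE password.
    Raises ValueError when the local OpenSSL build does not expose MD4
    (common on newer systems); pass a known NT hash to the functions
    below in that case."""
    return hashlib.new("md4", password.encode("utf-16-le")).digest()


def expand_nt_hash(nt):
    """Expand the 16-byte NT hash to 64 bytes as the sync agent does:
    hex-encode it to a 32-character string, then encode that string as
    UTF-16-LE. Lower-case hex is an assumption of this example."""
    if len(nt) != 16:
        raise ValueError("NT hash must be 16 bytes")
    return nt.hex().encode("utf-16-le")


def derive_sync_hash(nt, salt):
    """The 32-byte value that is actually transmitted to Azure AD."""
    if len(salt) != SALT_LENGTH:
        raise ValueError("salt must be %d bytes" % SALT_LENGTH)
    return hashlib.pbkdf2_hmac("sha256", expand_nt_hash(nt), salt,
                               PBKDF2_ITERATIONS)


def build_sync_record(nt, salt=None):
    """What the agent sends over TLS: the derived hash, the per-user salt and
    the iteration count. The NT hash itself never leaves the on-premise
    network, so the stored value cannot be replayed in a pass-the-hash attack."""
    salt = salt if salt is not None else os.urandom(SALT_LENGTH)
    return {"hash": derive_sync_hash(nt, salt), "salt": salt,
            "iterations": PBKDF2_ITERATIONS}


def cloud_sign_in(entered_nt, record):
    """Azure AD side of a sign-in: the NT hash of the password the user typed
    is put through the same expansion and PBKDF2 with the stored salt, and
    compared in constant time with the stored value."""
    candidate = hashlib.pbkdf2_hmac("sha256", expand_nt_hash(entered_nt),
                                    record["salt"], record["iterations"])
    return hmac.compare_digest(candidate, record["hash"])


if __name__ == "__main__":
    try:
        user_nt = nt_hash("Correct-Horse-9")
    except ValueError:
        # Constructed stand-in NT hash for builds without MD4.
        user_nt = bytes.fromhex("0123456789abcdef0123456789abcdef")
    record = build_sync_record(user_nt)
    print("stored in Azure AD :", record["hash"].hex())
    print("per-user salt      :", record["salt"].hex())
    print("correct password   :", cloud_sign_in(user_nt, record))
    print("wrong password     :", cloud_sign_in(bytes(16), record))
```

The practical consequence is the one the article hints at: a breach of the synchronised data would yield salted, iterated hashes that have to be cracked per user, not NT hashes that work directly against on-premise services.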

This configuration is ideal for organisations that have an on-premise AD but no immediate requirement for anything more complex, or for those looking to set up a hybrid deployment. It can also be an intermediate step to adopting a more advanced identity model.

3. Pass-through Authentication
This is the newest of the sign-in options in Microsoft’s identity management portfolio. It takes the synchronised model and adds on-premise password validation, as in the federated model, but without ADFS: lightweight authentication agents installed on on-premise servers receive the sign-in request from Azure AD over an outbound-only HTTPS connection and validate the password directly against AD, so no password or hash is stored in the cloud. It is simple to set up and needs little additional infrastructure, and may suit organisations that do not want their password hashes held in Microsoft’s cloud (even in the salted, re-hashed form used by password hash synchronisation). Two caveats: install more than one agent (Microsoft recommends at least three), because a single agent is a single point of failure for every sign-in; and note that Microsoft recommends enabling password hash synchronisation alongside pass-through authentication as a fallback, which of course reintroduces the stored hash.

4. Federated Identity
This model builds on synchronised identity, with the user's password verified by the on-premise identity provider rather than by Azure AD.

As with options 2 and 3, the federated identity model uses AADC to synchronise your on-premise AD objects with your Office 365 tenant. However, user authentication continues to be performed by your on-premise AD. On a domain-joined machine inside the network, a user who has already logged on to Windows is not prompted again when opening Office 365, which is what is usually meant by single sign-on (SSO).

Federation requires local installation of Active Directory Federation Services (ADFS), plus the Web Application Proxy (the ADFS proxy role) when remote or home workers need to reach it from outside the network. There are several server topology options here, but for brevity we won’t discuss them in this article. It should be noted, though, that once in place ADFS is critical for access to Office 365: if it is unavailable, nobody can sign in, so a redundant deployment is highly recommended. The ADFS token-signing key deserves the same care, since anyone who obtains it can issue tokens that Office 365 will accept for any federated user.

The flow works as follows. When a federated user signs in, Office 365 (Azure AD) recognises the user’s domain as federated and redirects the client to ADFS (or to the ADFS proxy for clients outside the network). ADFS authenticates the user against your AD servers and, on success, issues a signed token containing the user’s identity claims to the client. The client presents this token to Office 365, which checks the signature against the token-signing certificate registered in the federation trust, checks the issuer and validity period, matches the token to the synchronised account, and then allows access to the requested service or application.
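The exchange above, as an added example that is not part of the original article and does not use the real WS-Federation or SAML token formats: a simplified model in which ADFS validates credentials against a constructed on-premise directory and signs a claim set, and Azure AD verifies the signature with the trusted public key before checking issuer, audience and validity window. The RSA key is a deterministic toy built from fixed primes rather than a real certificate, the issuer URI, token lifetime and the "ON_PREM_AD" table are assumptions, and the second key stands in for one an attacker might generate. The last two calls show why the text singles out the token-signing key: a tampered token fails, and so does one signed with a key Azure AD does not trust, so holding the genuine key is equivalent to being able to sign in as anyone.

```python
import hashlib
import hmac
import json

# Toy RSA key standing in for the ADFS token-signing certificate. Fixed
# Mersenne primes keep the example deterministic; real ADFS uses a 2048-bit
# key in an X.509 certificate. Azure AD only holds the public part (N, E);
# the private exponent D must never leave ADFS.
P, Q, E = 2147483647, 2305843009213693951, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))

# A second key an attacker might generate; Azure AD does not trust it.
ATTACKER_N = 1000000007 * 998244353
ATTACKER_D = pow(E, -1, (1000000007 - 1) * (998244353 - 1))

ADFS_ISSUER = "http://sts.example.com/adfs/services/trust"  # assumed issuer URI
O365_AUDIENCE = "urn:federation:MicrosoftOnline"            # Office 365 relying party ID
TOKEN_LIFETIME = 3600                                       # assumed one-hour token lifetime

# Constructed stand-in for the on-premise AD: UPN -> (password, sourceAnchor).
# Real AD stores NT hashes rather than passwords; simplified for the example.
ON_PREM_AD = {
    "alice@example.com": ("Correct-Horse-9", "8c4ylnZfoQKF9jd5Fh3g0A=="),
}


def _claims_digest(claims, n):
    """SHA-256 of the canonical claim set, reduced into the RSA modulus."""
    body = json.dumps(claims, sort_keys=True).encode()
    return int.from_bytes(hashlib.sha256(body).digest(), "big") % n


def adfs_authenticate(upn, password, now, d=D, n=N):
    """ADFS side: validate credentials against AD and, on success, issue a
    token signed with the token-signing key. Returns None on bad credentials."""
    entry = ON_PREM_AD.get(upn)
    if entry is None or not hmac.compare_digest(entry[0], password):
        return None
    claims = {
        "issuer": ADFS_ISSUER,
        "audience": O365_AUDIENCE,
        "upn": upn,
        "immutable_id": entry[1],   # the sourceAnchor synchronised by AADC
        "not_before": now,
        "not_on_or_after": now + TOKEN_LIFETIME,
    }
    return {"claims": claims, "signature": pow(_claims_digest(claims, n), d, n)}


def azure_ad_verify(token, now, e=E, n=N):
    """Azure AD side: the signature must verify with the trusted key, then the
    issuer, audience and validity window are checked. Returns (ok, reason)."""
    claims = token["claims"]
    if pow(token["signature"], e, n) != _claims_digest(claims, n):
        return False, "signature not made with the trusted token-signing key"
    if claims.get("issuer") != ADFS_ISSUER:
        return False, "untrusted issuer"
    if claims.get("audience") != O365_AUDIENCE:
        return False, "token was not issued for Office 365"
    if not claims["not_before"] <= now < claims["not_on_or_after"]:
        return False, "token outside its validity window"
    return True, "signed in as " + claims["upn"]


def federated_sign_in(upn, password, now):
    """The full round trip: client -> ADFS -> signed token -> Azure AD."""
    token = adfs_authenticate(upn, password, now)
    if token is None:
        return False, "ADFS rejected the credentials"
    return azure_ad_verify(token, now)


if __name__ == "__main__":
    now = 1_700_000_000
    print(federated_sign_in("alice@example.com", "Correct-Horse-9", now))
    print(federated_sign_in("alice@example.com", "guess", now))
    # Tampering with an issued token breaks the signature...
    token = adfs_authenticate("alice@example.com", "Correct-Horse-9", now)
    token["claims"]["upn"] = "ceo@example.com"
    print(azure_ad_verify(token, now))
    # ...and a token signed with a key Azure AD does not trust is rejected,
    # which is exactly why the real token-signing key must be protected.
    forged = adfs_authenticate("alice@example.com", "Correct-Horse-9", now,
                               d=ATTACKER_D, n=ATTACKER_N)
    print(azure_ad_verify(forged, now))
```

Note the order of checks: the signature is verified before any claim is trusted, so issuer, audience and lifetime are only read from a token that the trusted key actually produced.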

As in the synchronised scenario, once federation is in place you can manage your user accounts and other objects from your on-premise AD.

Federation is ideal for businesses with large AD deployments with multiple forests, those looking to set up a hybrid with on-premises services, those who want single sign-on, or those with specific requirements for user account security. An additional benefit is that once ADFS is in place, it can be used for other applications and services that support it.

Key takeaways:

  • There is no such thing as a ‘one-size-fits-all’ approach with identity management.
  • Deciding which one to adopt for your organisation is a critical factor in your migration plan.
  • Setting up and managing Active Directory can be complex and time-consuming.