The good people at ENow asked me to do a webinar on Identity and Authentication Management for Office 365, which I presented live on November 18. I’m adding this blog post as a companion piece to that webinar, which can be found at this link.
One of the most important parts of any migration to Office 365 is the identity and authentication management piece. Microsoft wants Office 365 to be a flexible platform that can meet the requirements of any organization. In order to meet wildly varying requirements, Microsoft has had to build quite a few options into the identity and authentication management platforms for Office 365.
While options are great, they do mean complexity, and complexity is the enemy of availability. No one should plan a migration to Office 365 without a thorough understanding of the options, and of how the choices you make will affect your Office 365 deployment years down the road.
Active Directory Federation Services
AD FS is the on-premises federation service that allows your Office 365 tenant to authenticate users against your Active Directory: the sign-in is redirected to your AD FS farm, which validates the password and returns a signed token to Azure AD. This allows your organization to keep control of your users' passwords without those passwords ever being sent to Microsoft in any form.
In addition to providing control over your users' passwords, AD FS also provides more granular control over your users' entire authentication process. If your organization requires that certain users only be able to log into Office 365 from specific locations, or at specific times of day, AD FS issuance authorization rules on the Office 365 relying party trust can enforce that configuration.
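As an added example (not from the webinar or the original post), here is how the location restriction described above is expressed in AD FS: a pair of issuance authorization rules on the Office 365 relying party trust that permit everyone by default, then deny any request that arrived through the Web Application Proxy (extranet) unless the forwarded client IP falls in an approved range. It assumes AD FS on Windows Server 2012 R2 or later fronted by Web Application Proxy, which is what supplies the x-ms-proxy and x-ms-forwarded-client-ip claims; the 203.0.113.0/24 range is a placeholder for your own public address space.

```powershell
# Added example: restrict Office 365 sign-ins from the extranet to an approved public IP range.
# Assumes AD FS 2012 R2 or later behind Web Application Proxy. 203.0.113.0/24 is a placeholder.
$rpName = "Microsoft Office 365 Identity Platform"   # default relying party trust name for Office 365

# Rule 1: permit all authenticated users.
# Rule 2: deny when the request came through the proxy (x-ms-proxy present) AND
#         the forwarded client IP does not match the approved range.
# The forwarded-IP claim can carry a comma-separated list, so the pattern uses
# \b word boundaries rather than ^...$ anchors. A deny always wins over a permit.
$rules = @'
@RuleName = "Permit all users"
=> issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");

@RuleName = "Deny extranet access from outside the approved IP range"
exists([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-proxy"])
 && NOT exists([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-forwarded-client-ip", Value =~ "\b203\.0\.113\.([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\b"])
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/deny", Value = "true");
'@

# Keep a copy of the current rules so the change can be rolled back quickly.
$rp = Get-AdfsRelyingPartyTrust -Name $rpName
$rp.IssuanceAuthorizationRules | Out-File "$env:TEMP\o365-authz-rules.backup.txt"

# Apply the new rule set to the Office 365 relying party trust.
Set-AdfsRelyingPartyTrust -TargetName $rpName -IssuanceAuthorizationRules $rules
```

Two caveats before using this in production. First, legacy (active) authentication from Exchange Online clients such as Outlook or ActiveSync is proxied to AD FS by Microsoft, so the forwarded client IP in those requests is Microsoft's, not the user's; those flows need to be handled with the x-ms-client-application claim rather than by IP alone, or they will be blocked or allowed for the wrong reason. Second, test the rule against a pilot relying party or a small user set, because a mistyped regex in a deny rule locks every extranet user out of Office 365 at once.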
Single Sign-on is another big reason to use AD FS. The single sign-on story for Office 365 has never been straightforward, but in the cases where it works it can be a great benefit to users.
Directory Synchronization
Directory Synchronization is the process of copying the accounts from your on-premises Active Directory into Azure Active Directory in a way that keeps the association between the on-premises and cloud accounts intact. This allows your organization's on-premises Active Directory accounts to be the “master” version so that changes made on-premises are reflected in the cloud.
Microsoft has provided quite a few different tools to enable directory synchronization in just 4 years: DirSync, Forefront Identity Manager, Azure Active Directory Sync, Microsoft Identity Manager, and Azure Active Directory Connect. Each tool has different features and different limitations. In most cases, Office 365 customers should be using Azure Active Directory Connect to provide directory synchronization with Azure Active Directory, but that is not an absolute. In some cases, MIM or even DirSync may be the best choice.
Directory synchronization is a requirement for several of the first-party migration paths into Office 365, including hybrid. In addition, directory synchronization makes user management much easier by making your on-premises Active Directory your single place to manage accounts and groups. Directory synchronization also gives you a unified global address list, or GAL, covering users with on-premises mailboxes as well as users with cloud mailboxes.
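The "association" that synchronization keeps intact is the source anchor: a value derived from the on-premises object and stored on the cloud account as ImmutableId. It is also the security-relevant link, because it is what makes a disable or password change on-premises land on the right cloud account. The following added example (mine, not the webinar's or Microsoft's) checks that link for one user. It assumes AAD Connect's default sourceAnchor of objectGUID, which Azure AD stores as the base64 encoding of the GUID's raw bytes, and that the ActiveDirectory and MSOnline modules are installed; "jdoe" is a placeholder account.

```powershell
# Added example: verify that an on-premises user and its synced cloud account share the same anchor.
# Assumes the default sourceAnchor (objectGUID) and the ActiveDirectory + MSOnline modules.
Import-Module ActiveDirectory
Import-Module MSOnline
Connect-MsolService   # prompts for Azure AD administrator credentials

function Get-OnPremImmutableId {
    param([Parameter(Mandatory)][string]$SamAccountName)
    $adUser = Get-ADUser -Identity $SamAccountName -Properties objectGUID, userPrincipalName
    # ImmutableId is base64 of the 16 raw GUID bytes, not of the GUID's string form.
    [PSCustomObject]@{
        Upn         = $adUser.UserPrincipalName
        ImmutableId = [Convert]::ToBase64String($adUser.ObjectGUID.ToByteArray())
    }
}

function Test-SyncAnchor {
    param([Parameter(Mandatory)][string]$SamAccountName)
    $onPrem = Get-OnPremImmutableId -SamAccountName $SamAccountName
    # Look the cloud object up by UPN and compare anchors rather than trusting the name match.
    $cloud  = Get-MsolUser -UserPrincipalName $onPrem.Upn -ErrorAction Stop
    [PSCustomObject]@{
        Upn               = $onPrem.Upn
        OnPremImmutableId = $onPrem.ImmutableId
        CloudImmutableId  = $cloud.ImmutableId
        LastDirSyncTime   = $cloud.LastDirSyncTime
        Matched           = ($onPrem.ImmutableId -eq $cloud.ImmutableId)
    }
}

Test-SyncAnchor -SamAccountName "jdoe"   # placeholder account
```

A result with Matched equal to false (or an empty CloudImmutableId) means the cloud account is not actually bound to the on-premises object, typically because it was created in the cloud first and never hard-matched; until that is fixed, disabling the user on-premises will not disable their Office 365 access. A stale LastDirSyncTime on an otherwise matched account points at a synchronization outage, which is the subject of the next section.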
High Availability and Disaster Recovery
Both AD FS and directory synchronization are vital to your Office 365 deployment, so your organization must be prepared to deal with unexpected outages to either service. Understanding your options before you have an outage is a must.
AD FS can be deployed in a number of multi-server configurations to ensure service is not interrupted because of an outage: a farm of federation servers behind a load balancer, fronted by redundant Web Application Proxy servers in the perimeter network.
The various directory synchronization servers all lack any true high availability configuration, but Azure Active Directory Connect does allow you to configure a “hot standby” server in staging mode that can be activated quickly if your primary AAD Connect server goes offline.
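The two failover procedures above are easy to get wrong under pressure, so here is an added example (mine, not the webinar's) of the checks and the promotion steps for each. It assumes an AD FS farm that uses the Windows Internal Database (WID), where exactly one node is the primary that accepts configuration changes, and AAD Connect 1.1 or later with its built-in scheduler; the cmdlets run locally on each server with administrative rights, and the server name passed to Set-AdfsNewPrimary is a placeholder.

```powershell
# Added example: pre-outage checks and failover steps for AD FS (WID farm) and AAD Connect.
# Assumes a WID-based AD FS farm and AAD Connect 1.1+ (built-in scheduler). Run locally on each server.

# --- AD FS (WID farm) -------------------------------------------------------
# Secondaries keep issuing tokens while the primary is down; promotion is only
# needed to make configuration changes again (for example, the rule changes above).
function Get-AdfsFarmRole {
    $sync = Get-AdfsSyncProperties
    [PSCustomObject]@{
        Server   = $env:COMPUTERNAME
        Role     = $sync.Role                    # PrimaryComputer or SecondaryComputer
        Primary  = $sync.PrimaryComputerName
        LastSync = $sync.LastSyncTime            # stale value = this node is not replicating config
    }
}

function Invoke-AdfsPromoteToPrimary {
    # Run ONLY on the one secondary that should become the new primary.
    Set-AdfsSyncProperties -Role PrimaryComputer
}

function Set-AdfsNewPrimary {
    param([Parameter(Mandatory)][string]$NewPrimaryFqdn)
    # Run on every remaining secondary so it replicates from the new primary.
    Set-AdfsSyncProperties -Role SecondaryComputer -PrimaryComputerName $NewPrimaryFqdn
}

# --- AAD Connect ------------------------------------------------------------
# The standby runs in staging mode: it imports and synchronizes but never exports.
# Exactly one server may export to Active Directory and Azure AD at any time.
function Get-AadConnectState {
    $s = Get-ADSyncScheduler
    [PSCustomObject]@{
        Server           = $env:COMPUTERNAME
        StagingMode      = $s.StagingModeEnabled      # $true on the standby, $false on the active server
        SyncCycleEnabled = $s.SyncCycleEnabled
        NextCycleUtc     = $s.NextSyncCycleStartTimeInUTC
        CycleInProgress  = $s.SyncCycleInProgress
    }
}

function Stop-AadConnectExport {
    # If the failed active server is still reachable, stop its scheduler BEFORE
    # taking the standby out of staging mode, so two servers never export at once.
    Set-ADSyncScheduler -SyncCycleEnabled $false
}

# Typical use during an outage:
#   Get-AdfsFarmRole                      # on each AD FS node, confirm who is primary
#   Invoke-AdfsPromoteToPrimary           # on the chosen secondary
#   Set-AdfsNewPrimary -NewPrimaryFqdn "adfs2.corp.example.com"   # placeholder name, on other secondaries
#   Get-AadConnectState                   # on both AAD Connect servers
#   Stop-AadConnectExport                 # on the old active server, if reachable
```

Taking the standby AAD Connect server out of staging mode is done in the AAD Connect wizard ("Configure staging mode"), not by cmdlet; the functions above only make sure you know which server is which and that the old one has stopped writing first. Two caveats: when the failed AD FS primary comes back, demote it with Set-AdfsSyncProperties -Role SecondaryComputer before it rejoins, or the farm has two primaries with diverging configuration; and if the old AAD Connect server cannot be reached to stop its scheduler, keep it off the network until it has been rebuilt or placed into staging mode.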
Identity and Authentication management is more complex than you might think, and it is absolutely vital for a successful Office 365 deployment. In this webinar, I cover all the information you’ll need to know to ensure you get identity and authentication correct for your Office 365 deployment.