Identities in Office 365 – Understanding the Cloud and On-Premises (Azure AD and AD DS) Identities Used in Office 365!
Identities in Office 365
What identities mean and how you can effectively manage them depends on your preferences and the needs of your corporation. Before creating identities and syncing them across the different kinds of directories, it is crucial to understand identities and how they work. They determine how users will log in, how they will reset the password, and more.
The three most common types of identities are cloud-only, synchronized, and federated. Synchronized identities are now also called hybrid identities. Office 365 uses Azure Active Directory (Azure AD) to manage identities and to synchronize them with other directories (such as an on-premises Windows Server Active Directory).
What is an Identity
In simple terms, an identity is a user account and the profile associated with it. It includes the password, the privileges assigned (user, administrator, security, billing, etc.), authentication management, and logging information.
What are Cloud-Only Office 365 identities
This is the simplest of all. Such an identity lives only in the cloud and is not synchronized with any on-premises server. Because the information of a cloud-only identity exists nowhere else, changes to it (such as a password reset) do not affect any on-premises Windows Server Active Directory.
A few important things to remember:
- When you set up your Office 365 subscription for the first time, the default account is always configured as a cloud-only user.
- It is always better to keep at least one administrator identity as a cloud-only identity, so that you can still sign in if something goes wrong with the on-premises Active Directory.
- Cloud-only identities require no on-premises infrastructure (everything is in the cloud), making them the best choice for small organizations.
- These identities are stored in Azure AD, which is part of Office 365.
- When users sign in, they are authenticated by Azure AD.
- These identities are created manually from within the Office 365 admin center or from PowerShell.
What are Hybrid or Synchronized Office 365 Identities
Hybrid or synchronized Office 365 identities are those that are stored both in the on-premises Active Directory Domain Services (AD DS) and in the cloud (Azure AD). It is important to realize that the synchronization flows only from AD DS to Azure AD (with very few exceptions), essentially making a copy in Azure AD of the identities stored on premises.
What this means to you is that accounts created manually in the cloud using the Office 365 admin center (and therefore in Azure AD) are not synced to the on-premises AD DS server, while accounts created in AD DS are copied to Azure AD.
A few points worth noting:
- If you create an AD DS account, you can only manage it from AD DS tools such as the Active Directory Administrative Center or PowerShell. The modifications will then be synced to Azure AD.
- There are two kinds of authentication: managed and federated. With ‘managed,’ Azure AD handles the authentication process; with ‘federated,’ authentication is redirected to another identity provider.
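The two lists above say that cloud-only identities are created directly in Azure AD while synchronized ones are copied from AD DS, and recommend keeping at least one administrator cloud-only. The following PowerShell script is an added example, not code from the original article: it reports which accounts in a tenant are cloud-only versus synchronized and checks whether at least one Global Administrator is cloud-only. It assumes the Microsoft Graph PowerShell SDK (Microsoft.Graph module) is installed and that the signed-in account can read users and directory roles; the tenant contents are whatever your own tenant holds.

```powershell
# Added example (not from the original article): inventory cloud-only vs. synchronized
# identities and confirm a cloud-only Global Administrator exists.
# Assumes the Microsoft.Graph module is installed and the caller may read users and roles.

Connect-MgGraph -Scopes "User.Read.All", "RoleManagement.Read.Directory" | Out-Null

# OnPremisesSyncEnabled is $true for identities copied from AD DS by the sync tool;
# it is null/false for identities created directly in Azure AD (cloud-only).
$users = Get-MgUser -All -Property "Id,UserPrincipalName,OnPremisesSyncEnabled,OnPremisesImmutableId,OnPremisesLastSyncDateTime"

$report = $users | ForEach-Object {
    [PSCustomObject]@{
        UserPrincipalName = $_.UserPrincipalName
        IdentityType      = if ($_.OnPremisesSyncEnabled) { 'Synchronized' } else { 'Cloud-only' }
        LastSync          = $_.OnPremisesLastSyncDateTime
    }
}
$report | Sort-Object IdentityType, UserPrincipalName | Format-Table -AutoSize

# Get-MgDirectoryRole returns only roles that have been activated in the tenant.
$role = Get-MgDirectoryRole -Filter "displayName eq 'Global Administrator'"
if (-not $role) {
    Write-Warning "The Global Administrator role is not activated in this tenant."
    return
}

$memberIds = (Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id).Id
$admins    = $users | Where-Object { $memberIds -contains $_.Id }

$cloudOnlyAdmins = $admins | Where-Object { -not $_.OnPremisesSyncEnabled }
if ($cloudOnlyAdmins) {
    "Cloud-only Global Administrators (still usable if AD DS or the sync is unavailable):"
    $cloudOnlyAdmins.UserPrincipalName
} else {
    Write-Warning "No cloud-only Global Administrator found; every administrator depends on on-premises AD DS and the synchronization."
}
```

The identity type is decided from the OnPremisesSyncEnabled attribute rather than from the UPN suffix, because a synchronized account can carry a cloud domain and a cloud-only account can carry a verified custom domain; the sync flag is what Azure AD itself uses to mark an object as mastered on premises.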
We hope you now have a clear basic idea of what these identities mean and can choose the one that fits your needs. In most cases, if you have no on-premises users or infrastructure, cloud-only (Azure AD) identities will do the job; they are simple to create and manage. With synchronized or hybrid identities, however, you gain a host of additional features and services, such as Azure AD Seamless Single Sign-On (SSO).
When setting up identities for the first time, we suggest taking the time to understand and organize identities and user accounts, because this is crucial for efficient management later on.