- Cloud Identity: Under this model, businesses have a siloed set of identities inside an Azure Active Directory (AD) tenant that comes with Office 365. In other words, there’s yet another set of usernames and passwords to manage.
- Synchronized Identity: This model is a one-way sync between your on-premises Active Directory and Office 365. It’s an improvement over Cloud Identity as users are using the same username and password, but they do have to re-enter them.
- Federated Identity: In this model, Active Directory stores and controls security policy. When users are authenticating, there’s a real-time check against AD. In other words, users don’t have to re-authenticate if they are on the corporate network.
If you want real-time authentication based on AD, are looking for desktop SSO (Integrated Windows Authentication), have a complex directory infrastructure, or require more advanced compliance reporting capabilities, then federation is probably where you’re going to end up. Assuming you’ve made the choice to go the federated route, then there are two main “Microsoft sanctioned” options as shown in the graphic below from Microsoft: Works-with-Office-365-vs-ADFS
Microsoft’s native solution based on integrating Active Directory Federation Services (AD FS) and Azure AD
Depending on your specific needs, there can be a lot of pieces to the Microsoft puzzle that complicate federation. In order to federate Active Directory to Azure AD and Office 365, you’re still going to need AD FS, and other Microsoft components such as DirSync, Forefront Identity Manager (to handle mixed directory types), and MFA Server. Also, AD FS requires more of a developer skillset vs. IT administration. Also, keep in mind that the 99.9%+ uptime guarantees with your SaaS vendors are meaningless unless you’re able to achieve the same uptime with your AD FS infrastructure. A highly available AD FS deployment is predicated on load balancing multiple sets of servers, and may even require deploying SQL Server (or a SQL Server Cluster), a storage solution, and a global traffic management solution. For many, federating AD to Office 365 with the Microsoft stack is cost and time prohibitive. The burdens of integrating disparate pieces of hardware and software, and coordinating specialized teams too much to bear.
Microsoft’s Works with Office 365 Program
Microsoft also supports integration with third parties through a program called Works with Office 365. Identity providers that have been accepted into this program have passed a series of federated identity and single sign-on interoperability tests across different Office 365 clients. OneLogin is one such company. However, unlike other firms in the program OneLogin does not require additional on-premises servers to enable things like Desktop SSO.
Identity Management Paradox for Office 365?
A key advantage of moving your business to the cloud is to simplify IT operations. So, why would you ever want to double down on setting up a complex set of highly available, on-prem infrastructure as part of your Office 365 migration? Why would you want to spend the resources to stand up a full on-prem Microsoft stack for federating Active Directory to Office 365? Of course, there could be excellent reasons for this, but just go in with your eyes wide open, which means understanding all of your options.
That’s why in the final post of our series, we’ll demonstrate how OneLogin cuts out all the complexity of federating Active Directory to Office 365, allows you to beat the Office 365 uptime SLA, and provides your business with stronger security and compliance. You get all of the security without the complexity and high costs. For a demonstration of how easy federation to Office 365 can be without ADFS, go there now.