This topic focuses on the identity and authentication options available in Microsoft 365.
What are the Identity models available in Office 365?
Office 365 uses the cloud-based user authentication service Entra Active Directory to manage user accounts. There are two identity models for setting up and managing user accounts.
Cloud-Only Identity: User accounts are created and managed only in Office 365 (Entra AD). No on-premises servers are required to manage users; all user management, such as creation and changes, happens only in the cloud.
Hybrid Identity: In the Hybrid Identity model, user accounts are managed in on-premises Active Directory. There are two options within Hybrid Identity.
Synchronized Identity: User accounts and passwords (as password hashes) are synchronized from the on-premises directory to Entra ID using Entra Connect servers, and user account management is done in the on-premises AD. Users have the same password both on-premises and in the cloud. Password validation is done by Azure AD against the password hash synced from AD.
Federated Identity: Identities are synchronized from the on-premises directory to Office 365 (Entra AD). Users sign in using their on-premises credentials, and authentication is handled by a federation service such as ADFS, which verifies the credentials against the on-premises AD.
How do you integrate an on-premises environment with Microsoft 365?
To integrate on-premises services like Exchange and SharePoint with Microsoft 365 services:
- Synchronize on-premises directory information with Office 365 (Entra Active Directory) using the Entra Connect tool.
- Once the directory sync is complete, SSO implementation is optional so that users can log on to both environments with their on-premises credentials. It can be implemented using an ADFS / ADFS Proxy combination, or we can use Entra Connect.
- Create a hybrid environment to migrate users from on-premises to the cloud by running the Hybrid Configuration Wizard in Exchange Server. You can keep some users in the cloud and others on-premises, based on the requirement.
What kind of identity model are you using in your company?
If your environment is purely in Office 365 and you don't have an on-premises AD, then you can inform the interviewer that it is a Cloud Identity model and that you manage every object creation in Azure AD.
If you are using AD Connect then it is a Hybrid Identity model: it is the Synchronized Identity model, and if ADFS is configured, then you are using Federated Identity. In Hybrid, identity management is done in on-premises Active Directory.
Which identity model do you prefer, and why do companies prefer to use the Federated Identity model?
Though it is complex to set up the Federated Identity model, I prefer Federated Identity. With the Federated Identity model, object creation and authentication happen in on-premises AD for the services enabled for a user in Office 365.
Companies prefer to manage their objects in their on-premises AD, and also to handle authentication via their ADFS infrastructure.
Federation allows more advanced authentication scenarios and control.
Since the cost involved in setting up an ADFS environment is high, organizations are moving to passwordless authentication or Pass-through Authentication.
What are DirSync, Azure AD Sync and Entra Connect?
DirSync, Azure AD Sync and Azure AD Connect are used to synchronise on-premises AD objects to Office 365 (Entra Active Directory), which is required for Federated Identity.
DirSync is the commonly known product for synchronizing an on-premises directory to Azure Active Directory. DirSync does not support multi-forest directory synchronization.
Azure AD Sync is the next version of DirSync; it supports multi-forest directory synchronization and password writeback.
Entra Connect is the latest version of the directory synchronization software from Microsoft. Entra Connect is recommended for larger organizations with a large number of objects, and it has additional features such as SSO and group writeback.
Why do we need to sync AD objects to Azure AD?
To have a single sign-on experience and to enable services like Exchange Online / SharePoint Online by assigning a license to an account, we need an object in Azure AD. Once the objects are synced, a license is assigned to the respective user account to enable the Microsoft 365 services. When a user accesses Microsoft 365 services like Exchange Online / SharePoint Online, the user account is validated for a license and, based on the identity model used, authentication is validated and the services are allowed.
How will you ensure the on-premises objects can be synced to Entra ID?
Before the AD objects are synced to Entra ID, it is better to validate whether the objects are ready to be synced with Azure AD. We can run the IdFix tool before the Entra Connect configuration to validate whether the AD objects are good to synchronise from on-premises to Azure.
The IdFix tool helps to validate whether there are any duplicate object entries, duplicate SIP addresses, invalid characters, and similar problems.
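The following is an added example, not the IdFix tool and not code from the page: a small PowerShell readiness check that applies the same kind of rules IdFix reports on (UPN format and length, unverified UPN suffix, invalid sAMAccountName characters, and duplicate SMTP/SIP proxy addresses across objects). The user records are constructed sample data; the attribute limits (113 characters total, 64 before and 48 after the `@`, 20 for sAMAccountName) are the documented Entra Connect attribute-preparation limits, and the function name `Test-SyncReadiness` is my own.

```powershell
# Added example: IdFix-style pre-sync check over exported AD user attributes.
# Live input would be:
#   $users = Get-ADUser -Filter * -Properties userPrincipalName,mail,proxyAddresses
#   Test-SyncReadiness -Users $users -VerifiedDomains 'contoso.com'
function Test-SyncReadiness {
    param(
        [Parameter(Mandatory)] [object[]] $Users,            # objects with sAMAccountName, UserPrincipalName, mail, proxyAddresses
        [Parameter(Mandatory)] [string[]] $VerifiedDomains   # domains already added and verified in the tenant
    )
    $findings   = [System.Collections.Generic.List[object]]::new()
    $seen       = @{}   # lowercase address -> sAMAccountName that first used it (duplicate detection)
    $upnPattern = '^[A-Za-z0-9.!#^~_''-]+@[A-Za-z0-9.-]+$'   # allowed UPN characters, exactly one @
    $samBadChar = '[\[\]\\"|,/:<>+=;?*]'                     # characters not allowed in sAMAccountName

    $add = {
        param($obj, $attr, $value, $err)
        $findings.Add([pscustomobject]@{ Object = $obj; Attribute = $attr; Value = $value; Error = $err })
    }

    foreach ($u in $Users) {
        $sam = [string]$u.sAMAccountName
        $upn = [string]$u.UserPrincipalName

        # sAMAccountName: max 20 characters, none of the invalid characters
        if ($sam.Length -gt 20)      { & $add $sam 'sAMAccountName' $sam 'too long (max 20)' }
        if ($sam -match $samBadChar) { & $add $sam 'sAMAccountName' $sam 'invalid character' }

        # userPrincipalName: present, well-formed, within length limits, suffix verified in the tenant
        if (-not $upn) {
            & $add $sam 'userPrincipalName' '' 'missing'
        } elseif ($upn -notmatch $upnPattern) {
            & $add $sam 'userPrincipalName' $upn 'invalid format or character'
        } else {
            $prefix, $suffix = $upn.Split('@')
            if ($upn.Length -gt 113 -or $prefix.Length -gt 64 -or $suffix.Length -gt 48) {
                & $add $sam 'userPrincipalName' $upn 'exceeds length limit'
            } elseif ($VerifiedDomains -notcontains $suffix) {
                & $add $sam 'userPrincipalName' $upn "suffix '$suffix' not verified in tenant"
            }
        }

        # mail and proxyAddresses (SMTP and SIP alike) must be unique across the whole directory
        $addresses = @()
        if ($u.mail) { $addresses += "smtp:$($u.mail)" }
        foreach ($p in @($u.proxyAddresses)) { if ($p) { $addresses += [string]$p } }
        foreach ($a in $addresses) {
            $key = $a.ToLowerInvariant()
            if ($seen.ContainsKey($key)) {
                if ($seen[$key] -ne $sam) { & $add $sam 'proxyAddresses' $a "duplicate of $($seen[$key])" }
            } else {
                $seen[$key] = $sam
            }
        }
    }
    return $findings
}

# Constructed sample export (not real directory data): one clean user, one with an
# unverified UPN suffix, one reusing another user's SIP address, one service account
# with an invalid sAMAccountName and no UPN.
$sampleUsers = @(
    [pscustomobject]@{ sAMAccountName = 'jdoe';       UserPrincipalName = 'jdoe@contoso.com';      mail = 'jdoe@contoso.com';   proxyAddresses = @('SMTP:jdoe@contoso.com', 'SIP:jdoe@contoso.com') }
    [pscustomobject]@{ sAMAccountName = 'asmith';     UserPrincipalName = 'asmith@contoso.local';  mail = 'asmith@contoso.com'; proxyAddresses = @('SMTP:asmith@contoso.com') }
    [pscustomobject]@{ sAMAccountName = 'bob';        UserPrincipalName = 'bob@contoso.com';       mail = 'bob@contoso.com';    proxyAddresses = @('SMTP:bob@contoso.com', 'sip:JDOE@contoso.com') }
    [pscustomobject]@{ sAMAccountName = 'svc/backup'; UserPrincipalName = '';                      mail = $null;                proxyAddresses = @() }
)
Test-SyncReadiness -Users $sampleUsers -VerifiedDomains 'contoso.com' | Format-Table -AutoSize
```

Run against the sample data, the report lists the `contoso.local` suffix on `asmith`, the SIP address on `bob` that duplicates `jdoe`, and the slash plus missing UPN on `svc/backup`; `jdoe` produces no findings. Objects flagged here would fail or be skipped by Entra Connect, so fixing them before the first sync avoids a long tail of export errors.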
What are the prerequisites to deploy Entra Connect? Or, what are the prerequisites for integrating an on-premises Exchange environment with Office 365?
To integrate on-premises Exchange, we need to sync the on-premises objects to Azure AD to enable licenses on the accounts, which allows the users to access the required services. Once the AD Connect configuration is completed and the sync has started, we need to deploy ADFS for authentication.
Below are the prerequisites to consider before installing Azure AD Connect, which synchronizes the on-premises directory to Office 365 (Azure Active Directory):
- An Azure subscription is required; if you register for an Office 365 subscription, then in the backend you have Azure AD for directory services.
- Add and verify the domain (for example, yourcompany.com) from which you are going to synchronize objects to Azure AD. In Office 365, yourcompany.onmicrosoft.com is the default domain when you get the subscription; along with that, your on-premises AD domain name must be added and verified.
- Run the IdFix tool to find errors like duplicates and formatting problems in your directory. Errors highlighted by IdFix must be fixed so that the objects can synchronize with Azure AD.
- The AD schema version and forest functional level must be Windows Server 2003 or later. Password writeback is supported on Windows Server 2008 with a service pack or later, with KB2386717 applied. A writable DC is required; RODCs are not supported. Enable the AD Recycle Bin.
- A Group Managed Service Account is supported on Windows Server 2012 or later.
- If the ADFS feature is going to be enabled in Azure AD Connect, then ADFS or Web Application Proxy must be installed on Windows Server 2012 R2 or later.
- Azure AD Connect requires a SQL Server database to store identity data. The default installation of SQL Express supports only 10 GB and a maximum of 100K objects. Select a SQL Server edition based on your requirement.
- A Global Admin account from Azure AD and an Enterprise Administrator account from on-premises AD are required to set up Azure AD Connect.
- .NET Framework 4.5.1 and Windows Management Framework 4.0 are required for the Azure AD Connect installation.
- The Azure AD Connect server requires network access to on-premises AD and internet access to Azure AD.
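As an added example (not from the page, and not Microsoft's own prerequisite checker), the script below checks the on-premises items in the list above from the server that will host Entra Connect: forest functional level, AD Recycle Bin, a reachable writable DC, the .NET Framework and WMF versions, and TCP connectivity to the PDC emulator and to an Entra endpoint. It assumes the ActiveDirectory module is installed and the server is domain-joined; the endpoint `login.microsoftonline.com` is used as a representative sign-in endpoint, and the .NET release value 378675 is the documented minimum registry value for 4.5.1. The function name `Test-EntraConnectPrereqs` is my own.

```powershell
# Added example: on-premises prerequisite check for an Entra Connect installation.
function Test-EntraConnectPrereqs {
    param(
        [string]   $EntraEndpoint = 'login.microsoftonline.com',   # assumed representative Entra endpoint
        [string[]] $SupportedForestModes = @('Windows2003Forest', 'Windows2008Forest', 'Windows2008R2Forest',
                                             'Windows2012Forest', 'Windows2012R2Forest', 'Windows2016Forest')
    )
    $r = [ordered]@{}

    # Forest functional level must be Windows Server 2003 or later
    # (Windows2000Forest and Windows2003InterimForest are deliberately not in the supported list)
    $forest = Get-ADForest
    $r.ForestMode   = [string]$forest.ForestMode
    $r.ForestModeOk = $SupportedForestModes -contains [string]$forest.ForestMode

    # AD Recycle Bin: EnabledScopes is empty until the optional feature is enabled
    $rb = Get-ADOptionalFeature -Filter 'Name -like "Recycle Bin Feature"'
    $r.RecycleBinEnabled = @($rb.EnabledScopes).Count -gt 0

    # A writable DC must be discoverable; an RODC alone is not enough for the sync service
    try {
        $dc = Get-ADDomainController -Discover -Writable
        $r.WritableDc   = "$($dc.HostName)"
        $r.WritableDcOk = -not [string]::IsNullOrEmpty("$($dc.HostName)")
    } catch {
        $r.WritableDc   = $null
        $r.WritableDcOk = $false
    }

    # .NET Framework 4.5.1 or later: the NDP\v4\Full Release value is 378675 or higher
    $ndp = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full' -ErrorAction SilentlyContinue
    $r.DotNetRelease = $ndp.Release
    $r.DotNetOk      = ($ndp.Release -ge 378675)

    # Windows Management Framework 4.0 or later ships PowerShell 4.0 or later
    $r.WmfOk = $PSVersionTable.PSVersion.Major -ge 4

    # Connectivity: LDAP (389) to the on-premises PDC emulator, HTTPS (443) to Entra
    $pdc = (Get-ADDomain).PDCEmulator
    $r.OnPremLdapOk = (Test-NetConnection -ComputerName $pdc -Port 389 -WarningAction SilentlyContinue).TcpTestSucceeded
    $r.EntraHttpsOk = (Test-NetConnection -ComputerName $EntraEndpoint -Port 443 -WarningAction SilentlyContinue).TcpTestSucceeded

    [pscustomobject]$r
}

Test-EntraConnectPrereqs | Format-List
```

Every `*Ok` property should read `True` before running the Entra Connect installer; a `False` for `RecycleBinEnabled` or `ForestModeOk` is a forest-level change that needs a domain admin, while the connectivity checks only cover the raw TCP path and not any outbound proxy or TLS inspection in between.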
What is the limit on the number of objects that can be synced to Azure AD?
The default limit is 50K objects when we get the Office 365 subscription; beyond that, up to 300K objects can be synchronized to Azure AD once a domain has been added and verified. If there is a requirement to sync more than 300K objects, we can contact Microsoft to increase the limit. I know a company that is allowed to sync 1500K objects to Azure AD.
Why do we need to add and verify domains in Office 365?
The on-premises Active Directory domain must be added and verified in Azure AD for directory synchronization to occur, and adding the domain increases the default 50K object limit to 300K objects.
On-premises Exchange will have email addresses on a domain like xyz.com; we need to add that domain in Office 365 so that Exchange Online users get the same email addresses. If we want to add additional external email address domains in on-premises Exchange, each one must be added and verified so that Office 365 creates that domain as an accepted domain in Exchange Online.
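The following is an added example, not code from the page: a PowerShell function that lists every SMTP email domain actually in use in on-premises proxy addresses and reports, per domain, whether it is verified in the tenant and whether Exchange Online already has it as an accepted domain. The inputs are passed in so the function runs on the constructed sample data below; in a live check they would come from `Get-ADUser` (proxyAddresses), `Get-MgDomain` (Microsoft Graph PowerShell, `Id` and `IsVerified`) and `Get-AcceptedDomain` (Exchange Online PowerShell, `DomainName`). The function name `Compare-DomainReadiness` and the sample domains are my own.

```powershell
# Added example: which on-premises e-mail domains still need to be added/verified in Microsoft 365
# or accepted in Exchange Online before mailboxes on them can move.
# Live inputs:
#   $proxy    = Get-ADUser -Filter * -Properties proxyAddresses | Select-Object -ExpandProperty proxyAddresses
#   $tenant   = Get-MgDomain            # after Connect-MgGraph
#   $accepted = Get-AcceptedDomain      # after Connect-ExchangeOnline
function Compare-DomainReadiness {
    param(
        [Parameter(Mandatory)] [string[]] $ProxyAddresses,   # 'SMTP:user@domain' / 'SIP:user@domain' values from AD
        [Parameter(Mandatory)] [object[]] $TenantDomains,    # objects shaped like Get-MgDomain output (Id, IsVerified)
        [Parameter(Mandatory)] [object[]] $AcceptedDomains   # objects shaped like Get-AcceptedDomain output (DomainName)
    )
    # Distinct e-mail domains in use on-premises; only SMTP addresses count, SIP entries are ignored
    $inUse = $ProxyAddresses |
        ForEach-Object { if ($_ -match '^smtp:[^@]+@(.+)$') { $Matches[1].ToLowerInvariant() } } |
        Sort-Object -Unique

    $verified = @($TenantDomains   | Where-Object { $_.IsVerified } | ForEach-Object { $_.Id.ToLowerInvariant() })
    $accepted = @($AcceptedDomains | ForEach-Object { $_.DomainName.ToLowerInvariant() })

    foreach ($d in $inUse) {
        [pscustomobject]@{
            Domain             = $d
            VerifiedInTenant   = ($verified -contains $d)
            AcceptedInExchange = ($accepted -contains $d)
            Action             = $(
                if     ($verified -notcontains $d) { 'Add and verify domain in Microsoft 365' }
                elseif ($accepted -notcontains $d) { 'Add as accepted domain in Exchange Online' }
                else                               { 'Ready' }
            )
        }
    }
}

# Constructed sample data (not a real tenant): contoso.co.uk is used on-premises but unknown to the
# tenant, fabrikam.com was added but never verified, contoso.com is fully set up.
$sampleProxy = @('SMTP:jdoe@contoso.com', 'smtp:jdoe@contoso.co.uk', 'SIP:jdoe@contoso.com', 'SMTP:asmith@fabrikam.com')
$sampleTenant = @(
    [pscustomobject]@{ Id = 'contoso.onmicrosoft.com'; IsVerified = $true  }
    [pscustomobject]@{ Id = 'contoso.com';             IsVerified = $true  }
    [pscustomobject]@{ Id = 'fabrikam.com';            IsVerified = $false }
)
$sampleAccepted = @(
    [pscustomobject]@{ DomainName = 'contoso.onmicrosoft.com' }
    [pscustomobject]@{ DomainName = 'contoso.com' }
)
Compare-DomainReadiness -ProxyAddresses $sampleProxy -TenantDomains $sampleTenant -AcceptedDomains $sampleAccepted |
    Format-Table -AutoSize
```

With the sample data the table shows `contoso.com` as ready, and both `contoso.co.uk` and `fabrikam.com` needing the add-and-verify step first; a verified domain that is missing from the accepted-domain list would show the Exchange Online action instead. Running this before the first sync catches addresses that would otherwise be dropped from the cloud mailbox because their domain is not accepted.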