Office 365 Partner Community: focus on Identity Integration – Federated identity model


by Michael Panciroli – Partner Technology Strategist for Office 365

The Office 365 Partner Community is led by National Partner Technology Strategists from the Microsoft US Partner Team. Partner Community activities include blog posts, discussions on Yammer, newsletters, and community calls.


This is part 3 of our Office 365 Partner Community series about Identity and User Management. You can read part 1 here, and part 2 here.

In the first two blog posts in this October series about Identity Integration, I introduced the three identity models in Office 365 and explained the cloud identity and synchronized identity models. In this post, I will wrap things up with the federated identity model and provide you with guidance for choosing between the different identity models.

Federated identity model


In the federated identity model, the key point is that authentication happens on-premises, against your own Active Directory, not in Azure AD. As in the synchronized model, you still run the DirSync tool, and you can still synchronize password hashes. In addition, you deploy an Active Directory Federation Services (ADFS) server. Even though authentication happens on-premises, you should still synchronize password hashes, because a recent option lets you fall back on them temporarily if your on-premises ADFS configuration is interrupted. Switching a domain from federated to synchronized identity can take a couple of hours before every user can sign in again, so think of this as a disaster recovery option, not a high-availability option.

With federated identity, the sign-in flow is as follows: the user is redirected from the Office 365 sign-in page to the organization's own ADFS sign-in page and authenticates against the on-premises directory. If the username and password are valid, ADFS issues a signed security token; the user's browser presents that token to Azure Active Directory, which accepts it because it trusts the ADFS token-signing certificate for that domain, and the user is signed in to Office 365.

In a classic configuration, you have an ADFS server on-premises, joined to your AD domain, and most likely a federation proxy server in the DMZ. This requires opening a single port on the firewall (HTTPS, TCP 443, inbound to the proxy). The proxy relays requests from the Internet, whether from users' browsers or from Azure AD on behalf of rich clients such as Outlook, to the internal ADFS server, which shows the sign-in UI and makes the authentication request to the directory.
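As an added example that is not part of the original post, here is a PowerShell script an engineer can run from outside the corporate network to check the sign-in path described above: that the proxy is reachable on 443, that the passive (browser) and active (rich client) ADFS endpoints are published, and that the token-signing certificate ADFS advertises is the one Azure AD trusts. The host name sts.contoso.com and the domain contoso.com are placeholders; the Azure AD side uses the MSOnline module and assumes Connect-MsolService has already been run.

```powershell
# Added example, not from the original post. Checks the federated sign-in path
# from the Internet side: proxy reachability, the passive and active ADFS
# endpoints, and whether the token-signing certificate ADFS publishes matches
# the one Azure AD trusts for the domain. Host and domain names are placeholders.
# Requires the MSOnline module and an existing Connect-MsolService session.
param(
    [string]$StsHost    = 'sts.contoso.com',   # public name of the ADFS proxy (assumed)
    [string]$DomainName = 'contoso.com'        # federated domain in Azure AD (assumed)
)

# 1. The only inbound firewall opening the design needs: TCP 443 to the DMZ proxy.
$tcp = Test-NetConnection -ComputerName $StsHost -Port 443
if (-not $tcp.TcpTestSucceeded) { throw "TCP 443 to $StsHost is not reachable" }

# 2. Passive (browser) endpoint: the page users land on after Azure AD redirects them.
$passive = Invoke-WebRequest -Uri "https://$StsHost/adfs/ls/IdpInitiatedSignon.aspx" -UseBasicParsing
"Passive endpoint answered HTTP $($passive.StatusCode)"

# 3. Active (WS-Trust) endpoint: Azure AD calls this on behalf of rich clients such
#    as Outlook. A bare GET is not a valid WS-Trust request, so only a 404 (or no
#    HTTP response at all) means the endpoint is not published.
try {
    Invoke-WebRequest -Uri "https://$StsHost/adfs/services/trust/2005/usernamemixed" -UseBasicParsing | Out-Null
    'Active endpoint is published'
} catch {
    if (-not $_.Exception.Response) { throw "No HTTP response from the active endpoint on $StsHost" }
    $code = [int]$_.Exception.Response.StatusCode
    if ($code -eq 404) { throw "Active endpoint is not published through $StsHost" }
    "Active endpoint is published (HTTP $code to a bare GET)"
}

# 4. Token-signing certificate: Azure AD only accepts tokens signed by the
#    certificate it has on file for the domain, so compare both sides.
$md = [xml](Invoke-WebRequest -Uri "https://$StsHost/FederationMetadata/2007-06/FederationMetadata.xml" -UseBasicParsing).Content
$ns = New-Object System.Xml.XmlNamespaceManager($md.NameTable)
$ns.AddNamespace('md', 'urn:oasis:names:tc:SAML:2.0:metadata')
$ns.AddNamespace('ds', 'http://www.w3.org/2000/09/xmldsig#')
$onPrem = $md.SelectNodes("//md:KeyDescriptor[@use='signing']/ds:KeyInfo/ds:X509Data/ds:X509Certificate", $ns) |
    ForEach-Object { [System.Security.Cryptography.X509Certificates.X509Certificate2]::new([Convert]::FromBase64String($_.InnerText.Trim())) } |
    Sort-Object Thumbprint -Unique

$fed   = Get-MsolDomainFederationSettings -DomainName $DomainName
$cloud = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new([Convert]::FromBase64String($fed.SigningCertificate))

foreach ($c in $onPrem) {
    $days = [int]($c.NotAfter - (Get-Date)).TotalDays
    "ADFS signing cert $($c.Thumbprint) expires in $days days"
    if ($days -lt 30) { Write-Warning "Signing certificate $($c.Thumbprint) expires soon; plan the rollover" }
}
if ($onPrem.Thumbprint -notcontains $cloud.Thumbprint) {
    Write-Warning "Azure AD trusts $($cloud.Thumbprint) but ADFS no longer publishes it; run Update-MsolFederatedDomain on the ADFS server"
}
```

The certificate comparison is the check most often skipped: ADFS rolls its token-signing certificate automatically, and if the new certificate is never pushed to Azure AD with Update-MsolFederatedDomain, every federated sign-in fails even though every server is up.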

Typically, you will need a geo-redundant deployment of this configuration. If any component in the sign-in path goes down, or your AD server is unavailable, users can't sign in to Office 365 at all. The resulting architecture can require between 4 and 6 servers, because you usually install additional domain controllers alongside the ADFS and proxy servers. It is becoming more common to deploy at least one of these sets of servers in Azure VMs. The configuration is similar to running DirSync in Azure, and involves connecting a VPN from on-premises to your collection of servers in Azure IaaS. Azure then becomes one of the nodes, giving you geo-redundancy. This TechNet article shows you how to do this: Deployment scenarios for Office 365 with single sign-on and Azure.
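The password-hash fallback described above, as an added example that is not part of the original post. It assumes the domain contoso.com, the MSOnline PowerShell module with an existing Connect-MsolService session, and that password hash sync has been running; it checks those preconditions, saves the current federation settings, and converts the domain from federated to standard (password-synchronized) authentication. Only run it when the ADFS farm really is unavailable: the conversion command itself is quick, but users are then relying on whatever hashes were last synced, and the reverse, Convert-MsolDomainToFederated, needs a working ADFS server.

```powershell
# Added example, not from the original post. Emergency fallback from federated
# to password-hash authentication for one domain when the ADFS farm is down.
# The domain name is a placeholder. Requires the MSOnline module and an existing
# Connect-MsolService session; cmdlet and property names are those of MSOnline.
param(
    [string]$DomainName      = 'contoso.com',                       # assumed
    [string]$PasswordFile    = "$env:TEMP\convert-$DomainName.txt", # required by the cmdlet
    [int]   $MaxHashAgeHours = 3
)

$domain = Get-MsolDomain -DomainName $DomainName
if ($domain.Authentication -ne 'Federated') { throw "$DomainName is already Managed; nothing to do" }

# Synced hashes are the fallback, so they must exist and be fresh. Users who
# changed their password after the last sync will have a stale cloud password.
$info = Get-MsolCompanyInformation
if (-not $info.DirectorySynchronizationEnabled) { throw 'Directory sync is off; there are no password hashes in Azure AD' }
if (-not $info.PasswordSynchronizationEnabled)  { throw 'Password hash sync is off; converting would lock users out' }
$age = (Get-Date).ToUniversalTime() - $info.LastPasswordSyncTime
if ($age.TotalHours -gt $MaxHashAgeHours) {
    Write-Warning ('Last password hash sync was {0:N1} hours ago' -f $age.TotalHours)
}

# Keep the federation settings so the domain can be re-federated once ADFS is back
# (Convert-MsolDomainToFederated, run on an ADFS server after Set-MsolADFSContext).
Get-MsolDomainFederationSettings -DomainName $DomainName | Export-Clixml -Path "$env:TEMP\fed-$DomainName.xml"

# Flip the domain to Managed. With -SkipUserConversion $true no temporary
# passwords are generated: users keep signing in with their synced hash. The
# password file is still a required parameter but is not used for new passwords
# in this mode.
Convert-MsolDomainToStandard -DomainName $DomainName -SkipUserConversion $true -PasswordFile $PasswordFile

# Verify. Tokens already issued stay valid until they expire, and the change takes
# time to propagate across the service, which is why this is DR rather than HA.
(Get-MsolDomain -DomainName $DomainName).Authentication
```

Note that nothing here touches the on-premises servers; the change is made entirely in Azure AD, which is the point of the fallback when the ADFS farm is unreachable.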

ADFS does require additional configuration and time to deploy. Installing and configuring ADFS can be challenging, but the experience is streamlined by a new tool called Azure AD Connect. If you have not heard about it, you can read the announcement on the Active Directory Team blog. For further reading on implementing ADFS for single sign-on, you can find more information on the different options and guidance here.

How to choose an identity model

In this series we have described the differences between the three identity management models for Office 365. Below, I have provided scenario-based guidance for choosing the right model for your customers. Choose the simplest model to meet a customer’s needs.

Cloud identity model

Choose this model if:

  • Customer has no on-premises directory
  • There is on-premises directory restructuring
  • Customer is in pilot with Office 365

Synchronized identity model

Choose this model if the customer has an on-premises directory.

Password hash sync means federation is not required just to have the same password in the cloud as on-premises. Note the distinction:

  • Same sign-on. The username and password are the same in the cloud as on-premises, but the user is still prompted for them
  • Single sign-on. The user logs on to the PC and no password prompt is required for cloud services

Choose password hash sync unless the customer has one of the scenarios that requires federation.

Federated identity model

Choose this model if:

  • Customer already has an ADFS deployment
  • Customer already uses a third party federated identity provider 
  • Customer has multiple forests in their on-premises AD 
  • Customer has an on-premises integrated smart card or multi-factor authentication (MFA) solution 
  • Custom hybrid applications or hybrid search is required
  • Customer requires sign-in audit and/or immediate disable
  • Single sign-on is required 
  • Customer requires client sign-in restrictions by network location or work hours 
  • There is a policy preventing synchronizing password hashes to Azure AD

Register today for the US Office 365 Partner Community call on November 6, where we’ll talk in-depth about the topic of identity models. Joining me on the call is Paul Andrew, a Senior Technical Product Manager for Office 365.
