
Signing in to O365 - three identity models

The three identity models you can use with Office 365 range from the very simple with no installation required to the very capable with support for many usage scenarios. By starting with the simplest identity model that meets your needs, you can quickly and easily get your users on-boarded with Office 365.

[Figure: Identity Models in O365]

In the diagram above the three identity models are shown in order of increasing effort to implement, from left to right. Microsoft's recommendation for successful Office 365 on-boarding is to start with the simplest identity model that meets the business's needs so that users can start using Office 365 right away. Then, as the business identifies additional requirements, it can move to a more capable identity model over time. The way to think about these is that the Cloud Identity model is the simplest to implement, the Federated Identity model is the most capable, and the Synchronized Identity model is the one we expect most customers to end up with.

Cloud Identity model

In this model a user is created and managed in Office 365 and stored in Azure Active Directory, and the password is verified by Azure Active Directory. Azure Active Directory is the cloud directory that is used by Office 365. There is no equivalent user account on-premises, and there is nothing that needs to be configured to use this other than to create users in the Office 365 admin center.

Synchronized Identity model

In this model the user identity is managed in an on-premises server and the accounts and password hashes are synchronized to the cloud. The user enters the same password on-premises as they do in the cloud, and at sign-in the password is verified by Azure Active Directory. This model uses the Microsoft Azure Active Directory Sync Tool (DirSync).

Federated Identity model

This model requires a synchronized identity but with one change to that model: the user password is verified by the on-premises identity provider. This means that the password hash does not need to be synchronized to Azure Active Directory. This model uses Active Directory Federation Services (AD FS) or a third-party identity provider.

Enterprises using O365 can switch between models depending on the changing needs of the business.

-Office Blogs - Andy O'Donald