Plan for managing Office 365 user accounts using Azure Active Directory
Applies to: Office 365 Enterprise
Topic Last Modified: 2014-04-30
Summary: Describes three ways to manage user accounts: Manage in Office 365, synchronize on-premises directory objects with Office 365, or use AD FS.
Planning your Office 365 user management is fundamental to deploying Office 365. To understand how user management works, it’s important to first understand that Office 365 uses the user authentication service of Azure Active Directory to provide authentication to Office 365 services (such as Exchange Online, Lync Online, SharePoint Online, and so on). This means Office 365 uses the identity that is synchronized with Azure AD to provide authentication. This flexible model allows you to use one of the following three methods to manage your accounts:
First method: Manage user accounts in Office 365
Second method: Synchronize on-premises directory objects with Office 365
Third method: Use Active Directory Federation Services (AD FS) to manage users
The first method is the easiest one and allows you to get up and running quickly. Of course, choosing the first method doesn’t mean that you can’t add either of the other two methods later if you find you need synchronization or identity federation.
The second method is nearly as straightforward as the first method. Most of the additional work involves installing the synchronization software and ensuring your on-premises accounts synchronize correctly.
The third method is an extension of the second method. After directory synchronization is up and running, installing software to perform identity federation requires additional effort and planning.
It’s important to carefully consider which method (or more than one method) to use to get up and running. Think about time, complexity, and cost. These factors are different for every organization; there are several key concepts that influence these factors. We’ll review these key concepts so that you can understand what influences they would have on your deployment.
The three important concepts to account and identity planning include the following:
Sign-on experience. Includes password management and single sign-on (SSO)
Identity provisioning. Includes single identity creation, bulk identity creation, and identity synchronization
Identity activation. Includes single- and bulk-licensing activation