Office 365 offers several different identity options. Well known are the options to use “cloud identities” or directory synchronization from your on-premises Active Directory. For authentication, Microsoft offers the option to use “password hash sync” or Active Directory Federation Services (AD FS) along with your on-premises Active Directory.
There is, however, another option when it comes to identity. There are several third-party identity providers (IdPs) that are validated for use with Office 365.
When does it make sense to use a third-party IdP?
What should you look for when considering one?
Considerations
Availability: Important to understand is that your authentication mechanism for Office 365 is critical for access to the services. If you can’t authenticate, you can’t access the service. For this reason, whether you’re using AD FS or a third-party IdP, it needs to be highly available.
For directory synchronization and AD FS, a typical high-availability deployment looks like the diagram below.
We generally have a single directory sync server (AAD Sync) and then a minimum of two internal AD FS servers, two AD FS proxies and some load balancing infrastructure. At times, this can be one of the tougher parts of my role. It takes some time to explain that moving to the cloud could require five or more servers on-premises. That’s not to say that you shouldn’t use AD FS, it’s still a solution that is well tested and provides for a good user experience, but there can be a significant on-premises footprint.
Requirements: While you might assume that every organization has Active Directory, I have run across some that do not. While there are plans to support other LDAP directories in the future, AAD Sync requires Active Directory as a source today. For these organizations, a third-party IdP is an attractive option.
Compatibility: If there are other cloud services in your plans, look at what authentication options they support. You may be able to reduce logins for your users by deploying one authentication solution for all cloud services.
What To Look For
When it comes to third-party IdPs and Office 365, one of the most important things to look for is support. Microsoft has a program called “Works with Office 365” where they test and certify third-party IdPs. Make sure that the product you’re considering is on that list. Beyond just being on the list, make sure you understand the difference between the “WS-Federation” and “WS-Trust” authentication types. It’s important to look at the vendor’s support for each authentication type and make note of any potential limitations.
Summary
- There’s no “one size fits all” solution for every organization
- Remember that high-availability is necessary
- Consider the on-premises footprint
- Keep in mind future cloud applications that might be on your roadmap
- Make sure to use a product that is supported for all required client types
Learn More
If you’d like to learn more about this topic, you can tune in to an on-demand webinar where Chris Webber and I shared our thoughts around Office 365 migrations, security and management. We partner with Centrify to help companies rapidly deploy and fast-track Office 365 service consumption. Centrify Identity Service (CIS) for Office 365 runs on the Microsoft Azure cloud platform and is a comprehensive solution for Active Directory-based SSO, user provisioning and mobility management. Chris also blogs quite a bit over at Centrify – here’s his most recent post with highlights from the session.
Did you find this article helpful?
Leave a comment below or follow me on Twitter (@JoePalarchio) for additional posts and information on Office 365.
Looking to do some more reading on Office 365?
Catch up on my past articles here: Joe Palarchio.