May 23, 2022
Kas Nowicka
Kas has spent the last decade working with Microsoft’s cloud solutions and sharing governance, adoption, and productivity best practices with the MVP community.

One of the core elements of a fully secured Microsoft 365 deployment is effective Office 365 identity and access management (IAM). Below, we’ll explore what identity management and access management are, how they differ from one another, and how identity management is handled in both cloud-only and hybrid deployments of an M365 tenant.

What is Identity Management in Office 365?

Identity management is the system by which individual users within a given software system are distinguished from one another, and by which the system confirms that a user is who they claim to be – i.e., authentication.

An essential element of maintaining system security is knowing exactly who has access to that system. This must be managed continually, because new users are being added all the time and, likewise, former employees must be removed promptly.

Failure to maintain accurate records of current users can result in all manner of security concerns, but these ultimately boil down to one of two outcomes: a user being unable to access his or her workspace, or a user still having access to resources that he or she shouldn’t.

How is Identity Management Different than Access Management?

Access management differs from identity management (and, by extension, from authentication) in that it is a set of rules that determine the level of access a given, authenticated user ought to have.

That is, access management rules are not concerned with who a user is, but rather what a given, known user is to be allowed to do once they have gained access to the system.

That said, these two elements are generally described as being two parts of a whole, which is well illustrated by the industry-standard abbreviation IAM – identity and access management.

Who is Responsible for Identity Management in an M365 Tenant?

Microsoft holds itself responsible for maintaining certain elements of a secure deployment of M365.

Moreover, it provides administrators with the tools they need to implement the remaining requirements, those that fall outside Microsoft’s share of the Microsoft 365 Shared Responsibility Security Model.

Specifically, Microsoft’s position is that although there are certain security elements Microsoft itself is responsible for, such as physically securing the servers and networks on which a given M365 deployment runs, “the customer continues to be accountable; they must ensure that data is classified correctly, and they share a responsibility to manage their users and end-point devices.”

In other words, it is the responsibility of the organization’s IT staff to ensure that users are identified correctly in the system and that those same users are granted appropriate permission levels.

How Does Office 365 Handle Identity Management?

Office 365 identity management comes in two forms – cloud-only identities and hybrid identities. In both cases, M365 uses Azure Active Directory to maintain records of users and thus identify them within the larger system. The two differ, however, in the services they can control access to and in the kinds of organization each is best suited to.

Cloud-Only Identities

Cloud-only identities are stored in the Azure AD tenant associated with your M365 deployment. Users are authenticated for access to M365 with this account, and this approach is best suited to smaller organizations that do not maintain on-prem data centers that serve M365 resources.

The core value proposition of cloud-only identity management is that it is relatively simple to use and maintain with tools such as the Microsoft 365 admin center and Windows PowerShell. Moreover, all authentication actions are carried out with credentials stored in the cloud.

Hybrid Identities

Conversely, the source of truth for hybrid identities is an on-premises Azure AD deployment, with a copy kept in the M365 tenant for identity management as needed.

Azure AD Connect provides the mechanism for synchronizing the data stored in these two locations. This is an ongoing effort, as most identity management tasks are carried out on-premises and are then synced to M365 cloud resources.

Authentication can be carried out in two ways – managed authentication and federated authentication. When an organization opts for managed authentication, user authentication is directed to the on-premises Azure AD server.

Federated authentication is best suited to larger organizations with more complex authentication requirements, as it involves redirecting a given authentication request to an external service selected by the organization.
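As an added example (not CoreView’s or Microsoft’s code), the script below takes an exported list of identities, classifies each as cloud-only or hybrid, and maps it to the authentication type (managed or federated) of its UPN domain. The user and domain records are constructed to mirror the fields Microsoft Graph exposes on `user` and `domain` objects (`onPremisesSyncEnabled`, `onPremisesImmutableId`, `accountEnabled`, `authenticationType`); the UPNs and domain names are placeholders and no tenant is contacted. It also surfaces the failure mode from the opening section: an account that was once synced from on-premises but no longer is, yet remains enabled in the cloud.

```python
"""Inventory Microsoft 365 identities: cloud-only vs. hybrid, and managed vs.
federated authentication per domain.

Added example, not CoreView's or Microsoft's code. DOMAINS and USERS are
constructed to mirror the fields of Microsoft Graph `domain` and `user`
objects; no tenant is contacted.
"""
from __future__ import annotations

from dataclasses import dataclass

# Constructed Graph-style `domain` records. In Graph, authenticationType is
# "Managed" or "Federated".
DOMAINS = [
    {"id": "contoso.example", "authenticationType": "Managed"},
    {"id": "fabrikam.example", "authenticationType": "Federated"},
]

# Constructed Graph-style `user` records. onPremisesSyncEnabled is null (None)
# for an identity that has never been synced, True for one currently synced by
# Azure AD Connect, and False for one that was synced once but no longer is.
USERS = [
    {"userPrincipalName": "alice@contoso.example", "accountEnabled": True,
     "onPremisesSyncEnabled": None, "onPremisesImmutableId": None},
    {"userPrincipalName": "bob@contoso.example", "accountEnabled": True,
     "onPremisesSyncEnabled": True, "onPremisesImmutableId": "AbC123=="},
    {"userPrincipalName": "carol@fabrikam.example", "accountEnabled": True,
     "onPremisesSyncEnabled": True, "onPremisesImmutableId": "XyZ789=="},
    # Formerly synced account: its on-premises source of truth is gone, but the
    # cloud copy can still sign in. This is the "still has access" case.
    {"userPrincipalName": "dave@contoso.example", "accountEnabled": True,
     "onPremisesSyncEnabled": False, "onPremisesImmutableId": "Old456=="},
]


@dataclass(frozen=True)
class IdentityRecord:
    upn: str
    identity_type: str   # "cloud-only", "hybrid" or "orphaned"
    auth_type: str       # "Managed", "Federated" or "unknown-domain"
    enabled: bool


def classify_identity(user: dict) -> str:
    """Map the three onPremisesSyncEnabled states to an identity type."""
    synced = user.get("onPremisesSyncEnabled")
    if synced is True:
        return "hybrid"
    if synced is False:
        return "orphaned"
    return "cloud-only"


def domain_auth_types(domains: list) -> dict:
    """Lower-cased domain name -> "Managed" / "Federated"."""
    return {d["id"].lower(): d["authenticationType"] for d in domains}


def build_inventory(users: list, domains: list) -> list:
    """Join each user to the authentication type of its UPN suffix."""
    auth_by_domain = domain_auth_types(domains)
    records = []
    for u in users:
        upn = u["userPrincipalName"]
        suffix = upn.rsplit("@", 1)[-1].lower()
        records.append(IdentityRecord(
            upn=upn,
            identity_type=classify_identity(u),
            auth_type=auth_by_domain.get(suffix, "unknown-domain"),
            enabled=bool(u.get("accountEnabled")),
        ))
    return records


def find_orphaned_enabled(records: list) -> list:
    """Accounts that lost their on-premises source but are still enabled."""
    return [r.upn for r in records if r.identity_type == "orphaned" and r.enabled]


def summarize(records: list) -> dict:
    """Count identities per (identity_type, auth_type) pair."""
    counts = {}
    for r in records:
        key = (r.identity_type, r.auth_type)
        counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    inventory = build_inventory(USERS, DOMAINS)
    for r in inventory:
        print(f"{r.upn:26} {r.identity_type:10} {r.auth_type:9} enabled={r.enabled}")
    print("counts:", summarize(inventory))
    print("orphaned but enabled:", find_orphaned_enabled(inventory))
```

Against a real tenant the same functions can be fed the output of a Graph users and domains export; the point of the `orphaned` bucket is that a hybrid tenant needs a recurring check for cloud copies whose on-premises object no longer governs them, since deprovisioning on-premises does not help once the sync link is gone.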

What is the Value of Effective IAM in Office 365?

The ultimate goal of effective IAM in M365 is that an organization’s employees can perform the tasks their specific roles call for, without being granted permissions beyond what is necessary for them to be effective in those roles.

To this end, Microsoft 365 ships with the administrative tooling required to manage IAM, but it is the IT staff of the organization using the tenant who are responsible for ensuring that these tools are applied effectively in their environment.

When user types are identified and differentiated precisely within M365, it becomes a much simpler task to grant them the specific permissions they need to do their work, because

Why Might Native M365 Tools not be Enough for Effective IAM?

M365’s native tools for managing user identification and assigning permissions according to user type are certainly available and are a good option for achieving the requisite degree of security in most cases.

However, M365 IAM configuration can also lack the granularity required to achieve both of the aforementioned objectives of effective IAM – i.e., providing user access that is sufficient for genuine productivity within the organization while limited to only the permissions required for exactly that.

This often means that users have too few permissions to perform a given task, so a more senior IT member needs to complete it on their behalf.

Or they are granted full permissions within the system, which is the root of significant security concerns.
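The two failure modes just described, too few permissions and blanket full permissions, can both be caught from an export of admin role assignments. The script below is an added example (not CoreView’s or Microsoft’s code) of a least-privilege policy check: it reports users who cannot perform the tasks their team is responsible for, users holding roles above their team’s ceiling (Global Administrator in particular), and the smallest allowed role set that would cover the team’s tasks. The role names are Azure AD built-in role display names; the task-to-role map, the team policy and the assignments are constructed for illustration and are not exported from any tenant.

```python
"""Evaluate Microsoft 365 admin role assignments against a least-privilege policy.

Added example, not CoreView's or Microsoft's code. The role names are Azure AD
built-in role display names; TASKS_TO_ROLES, TEAM_POLICY and ASSIGNMENTS are
constructed for illustration.
"""
from __future__ import annotations

GLOBAL_ADMIN = "Global Administrator"

# Constructed policy model: which admin roles are sufficient for a routine task.
# Real role permissions are broader than this; the map is the organization's
# own statement of what each task needs.
TASKS_TO_ROLES = {
    "reset-user-password": {"Password Administrator", "Helpdesk Administrator",
                            "User Administrator", GLOBAL_ADMIN},
    "manage-licenses": {"License Administrator", "User Administrator", GLOBAL_ADMIN},
    "manage-exchange": {"Exchange Administrator", GLOBAL_ADMIN},
}

# Constructed policy: tasks each team must be able to perform, and the ceiling
# of roles the team may hold. Global Administrator is never part of a ceiling.
TEAM_POLICY = {
    "helpdesk": {"tasks": {"reset-user-password"},
                 "allowed_roles": {"Helpdesk Administrator", "Password Administrator"}},
    "licensing": {"tasks": {"manage-licenses"},
                  "allowed_roles": {"License Administrator"}},
    "messaging": {"tasks": {"manage-exchange"},
                  "allowed_roles": {"Exchange Administrator"}},
}

# Constructed role assignments, in the shape a directory-role membership export
# takes once each user has been joined to their team.
ASSIGNMENTS = [
    {"upn": "alice@contoso.example", "team": "helpdesk",
     "roles": {"Helpdesk Administrator"}},                        # compliant
    {"upn": "bob@contoso.example", "team": "helpdesk",
     "roles": set()},                                             # too few: escalates to senior IT
    {"upn": "carol@contoso.example", "team": "licensing",
     "roles": {GLOBAL_ADMIN}},                                    # full admin for a narrow job
    {"upn": "dave@contoso.example", "team": "messaging",
     "roles": {"Exchange Administrator", "User Administrator"}},  # extra role beyond the ceiling
]


def can_perform(roles: set, task: str) -> bool:
    """True if any held role is sufficient for the task under the policy model."""
    return bool(roles & TASKS_TO_ROLES[task])


def minimal_roles_for(team: str, policy: dict = TEAM_POLICY):
    """Greedy set cover: a smallest allowed role set that covers the team's tasks.
    Returns None when the ceiling cannot cover the tasks (the policy is inconsistent)."""
    spec = policy[team]
    uncovered, chosen = set(spec["tasks"]), set()
    while uncovered:
        # Deterministic tie-break: alphabetical order, first maximum wins.
        best = max(sorted(spec["allowed_roles"]),
                   key=lambda r: len({t for t in uncovered if r in TASKS_TO_ROLES[t]}))
        gained = {t for t in uncovered if best in TASKS_TO_ROLES[t]}
        if not gained:
            return None
        chosen.add(best)
        uncovered -= gained
    return chosen


def evaluate(assignment: dict, policy: dict = TEAM_POLICY) -> dict:
    """Report under-privilege (tasks the user cannot do) and over-privilege
    (roles above the team ceiling, flagging Global Administrator explicitly)."""
    spec = policy[assignment["team"]]
    roles = set(assignment["roles"])
    return {
        "upn": assignment["upn"],
        "missing_tasks": sorted(t for t in spec["tasks"] if not can_perform(roles, t)),
        "excess_roles": sorted(roles - spec["allowed_roles"]),
        "global_admin": GLOBAL_ADMIN in roles,
        "recommended_roles": minimal_roles_for(assignment["team"], policy),
    }


def findings(assignments: list = ASSIGNMENTS, policy: dict = TEAM_POLICY) -> list:
    """Only the assignments that violate the policy in either direction."""
    return [r for r in (evaluate(a, policy) for a in assignments)
            if r["missing_tasks"] or r["excess_roles"]]


if __name__ == "__main__":
    for f in findings():
        print(f"{f['upn']}: missing={f['missing_tasks']} excess={f['excess_roles']} "
              f"global_admin={f['global_admin']} recommend={sorted(f['recommended_roles'])}")
```

The useful property of this shape is that both directions are judged against one declared policy: a user who is under-privileged and a user who holds Global Administrator for a narrow job are both findings, and the recommendation column gives the reviewer the concrete scoped roles to move to rather than a bare "too much access" verdict.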

How Can CoreView Help to Solve this Problem?

CoreView can help your team get identity and access management under control by providing a simple interface that multiplies the powers M365 ships with. CoreView helps teams address this issue from multiple angles to provide exceptional results.

From one end, CoreView empowers IT teams to establish and enforce security policies that result in true “Least Privilege Access” to keep your employees productive in their specific roles without granting full admin privileges willy-nilly. And from the other end, CoreView helps you ensure that those policies are working with deep forensics and security auditing capabilities, and detailed reporting to boot.
