November 15, 2022
Kas Nowicka
Kas has spent the last decade working with Microsoft’s cloud solutions and sharing governance, adoption, and productivity best practices with the MVP community.

The purpose of Identity Management is to protect, manage, and authorize access to software systems by only approving access after the username and password have been validated. 

According to IDSA figures, an eye-watering 84% of firms experienced identity-type breaches in the last year. So, it’s fair to say identity management needs a major overhaul for most companies. 

But what is identity management? 

And which option is best for your business? 

What is Microsoft 365 Identity Management? 

There are 3 different Microsoft 365 identity types you can deploy, depending on your company's needs and the infrastructure you have in place. 

The identity type you choose impacts how your users log in. And it determines how you integrate your Microsoft 365 directory with your existing user accounts, such as Windows Server Active Directory. This is an identity platform commonly used by major organizations to manage user accounts. 

Azure Active Directory (AD) is Microsoft 365’s cloud-based identity platform, which comes free with your subscription.  

This is where you manage and maintain your list of Microsoft user accounts, including credentials such as usernames and passwords, so that users can access the applications and services they need. It is also where you assign licenses and permissions, either in the admin center or with Microsoft 365 PowerShell.

So which Microsoft 365 identity type is right for you? 

That depends on whether your business needs a cloud-based or on-premises solution. 

1. Keep it simple with cloud-only identity 

All Microsoft 365 user accounts and their passwords are stored, managed, and verified in the cloud-based Azure AD tenant.  

Because Azure AD doesn’t sync with other company systems, any time a user resets their Microsoft 365 password, it doesn’t impact their other account logins.  

Also, users must sign in to Microsoft 365 separately from their computer, so giving them the same username for both sign-ins can help.

2. Get the best of both worlds with synchronized identity 

Synchronized identity should be used if you’re already using Windows Server AD for your central list of user accounts. Or if you want to leverage Multi-Factor Authentication (MFA) with Azure AD. 

The Azure AD Connect utility synchronizes Active Directory Domain Services (AD DS) user accounts into Azure AD.

So, users sign in to Microsoft 365 with the same credentials. This makes for a better user experience, but the sync only flows 1 way: user accounts must always be managed in AD DS with tools such as the Active Directory admin center or Microsoft PowerShell.

Also, you need to decide where the authentication occurs.  

2 options allow seamless single sign-on to Microsoft 365 with AD DS credentials; the difference between them is where the authentication occurs, in the cloud or on-premises.

  1. Password Hash Synchronization (PHS) is cloud authenticated. Azure AD authenticates against a hash of a hashed version of both the user account name and the password.
  2. Pass-through Authentication (PTA) is authenticated on-premises with AD DS. Azure AD Connect first synchronizes the account without hashed passwords, and at sign-in the credentials are passed to AD DS for validation. It is a good option where stricter authentication or compliance regulations apply.

3. Get hardened security with federated identity 

Federated identity requires Active Directory Federation Services (AD FS) to be in place. It is more suitable for large enterprise organizations with scalable infrastructure, and for companies with enhanced security requirements such as smart cards, work-hour restrictions or fingerprint identification.

With federated identity, a partnership, or federation, is formed between your on-premises Windows Server AD and Azure AD in the cloud.

User accounts and attributes are still synchronized to Azure AD automatically with Azure AD Connect, but accounts are maintained through Windows Server AD or your third-party tool.

User experience is improved with federated identity, as users get single sign-on just as with PTA above. However, unlike cloud identity, federated identity is environment dependent, so any on-premises issue will impact Microsoft 365 connectivity.

For this reason, both synchronized and federated identities should have a cloud administrator account configured to ensure Microsoft 365 is always accessible.   

Increased Identity Protection 

You can also reinforce your Microsoft 365 identity management with the following measures:  

  1. Set up cloud-based privileged accounts, to be used only when necessary.
  2. Configure MFA on privileged accounts to add a strong second factor, such as a phone call or a text-message verification code.
  3. Apply the Zero Trust identity and device access recommendations for extra protection.
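As an added example (not part of the original post and not CoreView's own tooling), the following PowerShell script uses the Microsoft Graph PowerShell SDK to check the safeguard described above: that a synchronized or federated tenant has at least one enabled, cloud-only Global Administrator. The role list, the Graph scopes and the administrative rights of the person running it are assumptions.

```powershell
# Added example: audit privileged accounts for cloud-only status.
# Assumes the Microsoft.Graph PowerShell modules are installed and the caller
# holds a role that can read users, directory roles and the organization object.
Connect-MgGraph -Scopes "User.Read.All","RoleManagement.Read.Directory","Organization.Read.All" -NoWelcome

# OnPremisesSyncEnabled on the organization is $true when Azure AD Connect is
# syncing accounts (synchronized or federated identity); null/false for cloud-only.
$org = Get-MgOrganization -Property OnPremisesSyncEnabled
$tenantSynced = [bool]$org.OnPremisesSyncEnabled
Write-Host "Tenant uses directory synchronization: $tenantSynced"

# Privileged roles to audit (assumption: extend with other roles you treat as privileged)
$Roles = @("Global Administrator")

$report = foreach ($roleName in $Roles) {
    $roleDef = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq '$roleName'"
    if (-not $roleDef) { continue }

    # Active assignments of this role definition in the directory
    $assignments = Get-MgRoleManagementDirectoryRoleAssignment `
        -Filter "roleDefinitionId eq '$($roleDef.Id)'" -All

    foreach ($a in $assignments) {
        # The principal may be a group or service principal; only user principals are examined
        $user = Get-MgUser -UserId $a.PrincipalId `
            -Property Id,UserPrincipalName,AccountEnabled,OnPremisesSyncEnabled `
            -ErrorAction SilentlyContinue
        if (-not $user) { continue }

        [pscustomobject]@{
            Role      = $roleName
            User      = $user.UserPrincipalName
            Enabled   = $user.AccountEnabled
            # A cloud-only account has no on-premises sync flag set
            CloudOnly = -not [bool]$user.OnPremisesSyncEnabled
        }
    }
}

$report | Format-Table -AutoSize

# A synced or federated tenant with no enabled cloud-only admin loses Microsoft 365
# administration whenever on-premises AD, Azure AD Connect or AD FS is unavailable.
$cloudOnlyAdmins = @($report | Where-Object { $_.CloudOnly -and $_.Enabled })
if ($tenantSynced -and $cloudOnlyAdmins.Count -eq 0) {
    Write-Warning "No enabled cloud-only Global Administrator found; create one so Microsoft 365 stays reachable during on-premises outages."
}
```

Accounts reported as CloudOnly = False are mastered on-premises and cannot serve as the emergency administrator the text recommends.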

Digital transformation is hurtling along at breakneck speed, and with that comes increasing cyber security threats and phishing attacks. Tightening up your identity management now can protect against this and provide users with secure and stable access to the resources they need. 

If you’re interested in beefing up your company’s identity management process, schedule a CoreView demo today to discuss the best option for your company.
