Getting Started with Cloud User Identity (Active Directory) for Office 365

Moving to Office 365? The user experience is bound to shift, with one of the biggest changes coming to the login process.

Each workstation might previously have had Office software installed locally, so once users signed in, they were free to launch and work on Word or answer e-mails in Outlook. With Office 365, you’ll have to configure user identity settings in a specific way to replicate this — or you can go the cloud-only route and have them sign-in again online in order to access these programs.

Here are some of the factors you’ll have to consider when setting up user identity management in Office 365.

SSO or no?

The “double login” question is one of the first you’ll need to address. Is it OK if users log into their workstation and then have to enter another set of credentials online to access Office apps and e-mail? Are you comfortable managing multiple sets of credentials for each user?

If you already have Active Directory Federation Services configured locally, you can use that to authenticate Single Sign On (SSO) with O365. With ADFS, you can configure local user accounts on your Windows servers and then sync them to O365. However if you don’t already have an ADFS server, you’ll need to setup and configure one. 

Another option to connect on-premise Active Directory accounts to a new O365 deployment is to use the Azure Active Directory Connect tool. 

This software scans and uploads your AD to the cloud and is ideal for hybrid implementations where you may need to move users to and from cloud services. It also includes encryption during the transfer process. Azure Active Directory Connect does not implement SSO, however — users will still need to enter their username and password (which are the same as their workstation credentials) a second time on the O365 login page.

Cloud-only option

Finally, you can set up and administrate your user credentials entirely via O365. This cloud identity option is simple as far as initial deployment, but you are stuck with the Azure Active Directory password policy, so you might not meet a more strict corporate security standard if you have one.

This requires additional management on your part and on the user side as well, as they will each be in charge of managing their own cloud account. Unless you have a small workforce that is comfortable with technology, this option is not ideal. In this case, cloud credentials may be completely different from workstation credentials, and the user will have to login twice.

Third party software can also be used to provide a more seamless SSO for your users, with one set of credentials used for all software rather than just Windows and Office.

Two-step verification

Multi-factor authentication may be a good policy to implement with cloud-based tools like O365. There is a native multi-factor authentication option for Office 365 that will send users a code via phone call, text message, or application notification on a mobile device. This is to help ensure that the user logging in is in fact the correct individual. Read more about multifactor authentication for O365 here, but note that desktop client software will not be usable by default — you must enable an “app password” first.

Ultimately, the route you choose for identity management in Office 365 will likely depend on how dependent you are on any existing Active Directory on your premises. If you aren’t sure how to begin, contact us today for ongoing assistance with managing your O365 environment and users.