(Editor's note: This article was originally published on June 29, 2017.)
Recently I covered the top 5 considerations for planning your Office 365 migration; today I am going to dive into the identity management aspects. When adopting Office 365, the options you choose will affect the user experience, so what will you provide? Across cloud-only, SSO, Active Directory Federation Services (ADFS), and third-party options, we’ll go over the insights you need to be successful.
What should you do?
Well, I unfortunately need to give you the consulting answer—it depends! Your organizational culture and business expectations are the driving force behind the answer. So, the real question for you is, what are my options and what should I be thinking about?
I put together a checklist of questions that you should start with. Make sure you answer these before you begin any planning, and if you don’t have an answer, do the necessary research to find it. This will help tremendously moving forward.
- Is this a pilot or POC? If yes, how close to a production example does this need to be?
- Are you okay with users logging in twice? I.e., once to their computer, and then again to access their email and Office applications?
- Do you already have Active Directory Federation Services deployed?
- Do you want SSO (single sign-on) and/or seamless logon for Office 365 and other applications?
- Are you okay with managing two sets of user accounts, on-premises and in the cloud?
- Do you want users to manage their own cloud accounts?
- Will you synchronize your accounts from on-premises Active Directory to the cloud?
- Will you use two-factor authentication? (Soft-token, key fob, or biometrics?)
Now that you have answered these questions, review the options below to determine the right path for your enterprise.
Native Microsoft options
To get started, let’s look at the native Microsoft options for identity management. I am a huge fan of using native tools before spending money on third-party options, and would recommend that you do as well.
Cloud only approach: With this option, the accounts are created in Office 365, and two separate accounts are maintained—a user will have one local account and one in the cloud. Users will have to maintain their own cloud accounts, which may not be a good option. In addition, the experience is not completely seamless, since the user must log in a second time, likely with completely different credentials than they have on-premises.
I find that many organizations do not choose this as their final deployment option, but they do find it useful when they are trialing Office 365. If your organization doesn’t end up implementing Office 365, then there isn’t any integration that needs to be removed from your on-premises deployment.
Synchronized: The synchronized option is the one that you may have heard the most about, because it is the most common choice for Office 365 migrations. It is typically used in hybrid migrations, and provides a rollback option if you change your mind. A tool called Azure Active Directory Connect is implemented and synchronizes your on-premises accounts into Office 365. When password hash synchronization is enabled, the connector protects your credentials over the wire: it never transmits the cleartext password, only a hash derived from the on-premises password hash, and the synchronization traffic itself is encrypted.
From an impact perspective, synchronized accounts allow your team to use the same account and login information that they use on-premises. However, I have found that with this option, users will still have to log in twice—once to their PC, and then again to Office 365. Most organizations also choose to continue to provision accounts on-premises, which is less disruptive to internal workflows.
Active Directory Federation Services (ADFS): More and more organizations are looking to federation only when they already have ADFS deployed. You may have done this if you are federating third-party Active Directory accounts in a business-to-business collaboration scenario. So, if this is the case today, there are some key benefits. By configuring ADFS for Office 365, your accounts can be provisioned on-premises, and when users log in they only log in once for everything, creating a truly seamless user experience.
I find that organizations that do not already have ADFS, but want a seamless experience, will typically look to third-party tools instead. The reason is that the complexity of setting up ADFS for Office 365 is not worth the time and cost when it is being deployed for Office 365 alone.
I am not going to make any specific vendor recommendations, but what I am seeing in the industry is that if your end-user experience goal is to provide an option that is as seamless as possible, then you should strongly consider third-party options. They can enable just one password to log in to everything, with a fully seamless SSO experience. With many of the choices out there, you can start with just Office 365, and then expand to other applications as it makes sense for your organization. Your account provisioning can also remain on-premises with third-party tools, so that workflow is not disrupted, either.
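Whichever of the three native models you planned for, it pays to verify which one the tenant is actually running before go-live. The script below is an added example (not from the original article) that reports this from the cloud side; it assumes the MSOnline module (the Azure AD PowerShell module of the article's era, since deprecated in favour of Microsoft Graph PowerShell) and an account with at least read access to the tenant.

```powershell
# Added example: report the identity model an Office 365 tenant is using.
# Assumes the MSOnline module is installed and the caller can read tenant settings.
Import-Module MSOnline
Connect-MsolService   # interactive sign-in

$company = Get-MsolCompanyInformation

# 1. Cloud-only vs synchronized: is Azure AD Connect writing into this tenant?
if ($company.DirectorySynchronizationEnabled) {
    "Directory synchronization: ENABLED (last sync {0} from {1})" -f `
        $company.LastDirSyncTime, $company.DirSyncClientMachineName
    # Password hash sync is what lets users keep their on-premises password;
    # if it is off, synchronized users need a separate cloud password.
    "Password hash sync: {0} (last {1})" -f `
        $company.PasswordSynchronizationEnabled, $company.LastPasswordSyncTime
} else {
    "Directory synchronization: DISABLED (cloud-only model)"
}

# 2. Managed vs federated: a federated domain hands authentication to ADFS
#    (or a third-party IdP), so users sign in once with on-premises credentials.
Get-MsolDomain | Where-Object { $_.Status -eq 'Verified' } | ForEach-Object {
    $line = "Domain {0}: {1}" -f $_.Name, $_.Authentication
    if ($_.Authentication -eq 'Federated') {
        $fed = Get-MsolDomainFederationSettings -DomainName $_.Name
        $line += " (issuer {0})" -f $fed.IssuerUri
    }
    $line
}

# 3. Count synchronized vs cloud-only member accounts. In a synchronized tenant,
#    the cloud-only ones are the "second set of accounts" the checklist asks about.
$members   = Get-MsolUser -All | Where-Object { $_.UserType -eq 'Member' }
$synced    = @($members | Where-Object { $_.ImmutableId })      # set by AAD Connect
$cloudOnly = @($members | Where-Object { -not $_.ImmutableId })
"Users: {0} synchronized, {1} cloud-only" -f $synced.Count, $cloudOnly.Count
```

Run it again after the cut-over so the output matches the model you decided on, and keep an eye on LastDirSyncTime and LastPasswordSyncTime as a cheap check that synchronization has not silently stalled.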
As IT shifts in the direction of giving higher priority to the user experience, planning and deployment should be more thoughtful than ever. Not that careful planning ever wasn’t important, but there used to be a time when user interruption was the norm. Those days are gone, and choosing the right identity management solution for your Office 365 deployment is very important to being successful.