User management and authentication for O365: Microsoft or 3rd party?

Office 365 (O365) adoption is continuing across organizations, now with more than 100 million active users. These organizations will reap the benefits of a cloud service – freed up internal resources, and easy access to updates with minimal maintenance – but, they can’t ignore the inevitable complications of hybrid identities. Whether using the cloud, synchronized, or federated identity model, many find themselves in the middle of a hybrid identity game.

Creating an O365 account automatically creates a tenant in Azure AD, and introduces new authentication and user management processes for IT departments. Before embarking on the journey, they’ll need to answer:

  • Where is it best to manage users (cloud or on-premises)?
  • How should users authenticate to O365?

If your organization is regulated, you may not have much choice. You will need to integrate your on-premises directory to extend password policies, and other controls. You will also need to decide whether you’ll use Microsoft Azure AD Connect, or a 3rd party offering. Many organizations, regulated or not, connect their on-premises user directory (for the majority, this is Active Directory) with O365. This allows them to benefit from existing user management processes. Active Directory integration not only extends on premises security controls, but also eliminates redundancies in user management. However, it’s not without its own challenges.

Going hybrid using free Microsoft offerings, comes with complexity, added administration time, and the likelihood of end-user disruption. This post will discuss challenges associated with Azure AD Connect, to help you make an informed decision when choosing between Microsoft, and 3rd party offerings. Many of the findings here are based on our peer survey results.

How do you want to create, and manage users?

First things first! Whether going cloud or hybrid, you’ll need to decide how and where you want to manage users. There are benefits and drawbacks to both, but if you want to extend on-premises controls to O365, you’ll need to connect to Active Directory. Remember that how you decide to manage users will affect authentication options. This will be detailed in the authentication section of the post.

Depending on your environment, and deployment goals, you will have to decide what makes the most sense for your organization. Industry analyst firms, such as Gartner, recommend integrating existing on-premises directories for truly integrated user management. The current state of your Active Directory environment will drive this decision as connecting to O365 requires preliminary work to ensure smooth migration. Microsoft offers some guidance, and a free tool (IdFix) to help. Unfortunately, it’s not all encompassing, and will require scripting to pin point errors outside of the tool’s scope.

To further guide your decision, the following table summarizes some of your options, as well as any considerations.

User ManagementOutcomeConsideration
Cloud – O365 directly Users are managed in O365. Accounts will need to be created, and maintained separately. Depending on how many users need to be added, this can be time consuming. Since user management will be separate from the existing process, account deletions and updates will be manual. This can lead to orphaned accounts and errors related to permissions.
Synchronized – Azure AD Connect Sync ServicesActive Directory users and groups are synchronized to O365.Requires high availability, extra servers on-premises, and scheduled sync cycles, as synchronization of Active Directory updates are not reflected automatically. Furthermore, license assignment can be a manual and time consuming process.
Synchronized – 3rd party tool like Specops Authentication for O365 Users are automatically created in O365. Updates are captured in real-time using Group Policy settings. No sync cycles or additional server required. All sensitive information stays in Active Directory. A light agent is installed in Active Directory to obtain user and group membership information. When a user logs in to O365, their account is created and the appropriate license is assigned.
Synchronized – 3rd party tool like OktaUsers are automatically created in O365. Updates in captured in real-time using Group Policy setting.Same as above, however to provision users to O365, Active Directory user and group data gets duplicated to Okta’s cloud directory, from there the data is synced to O365.

How do you want users to authenticate to O365?

How users are provisioned and managed will drive your authentication options. Because O365 is a valuable target for hackers, securing authentication by strengthening passwords, in combination with multi-factor authentication (MFA), is best practice.

Microsoft provides MFA for O365, both free and paid, via an Azure AD premium subscription.  However, depending on your deployment mode there are a few key differences. Consider the following questions:

  • Do you want to remove the use of passwords?
  • Do you want to enable federated single sign-on (SSO)?
  • Do you want to extend existing 3rd party MFA to O365?
  • Do you want to rely only on phone-based factors?

The following table outlines Microsoft and 3rd party authentication options.

User ManagementSign in optionsMFAConsiderations
Cloud – Office 365 directly O365 Password0365 MFA or Azure AD MFA- The O365 password is at play and IT loses control over policy complexity settings
- The O365 password is used as the first authentication factor
- MFA options are all phone-based with no support for 3rd party MFA
Synchronized – Azure AD Connect Sync ServicesSynchronized AD passwordO365 MFA or Azure AD MFA- AD password is stored in the cloud
- The AD password is used as the first authentication factor
- MFA options are all phone-based with no support for 3rd party MFA
AD password relay via PassThroughO365 MFA or Azure AD MFA- AD password not stored in the cloud as delegated SSO is enabled
- The AD password is used as the first authentication factor
- MFA options are all phone-based with no support for 3rd party MFA
Federated AD password via Active Directory Federation Services ADFSMFA Server- AD password is not stored in the cloud as federated SSO is enabled
- Additional on-premises servers and complex configuration is required
- The AD password is used as the first authentication factor
- 3rd party identity providers are supported
Synchronized – 3rd party tool like Specops Authentication for O365Federated AD password Specops Dynamic MFA- AD password and other sensitive information is stored in AD
- Does not require additional servers
- OOTB support for 3rd party identity providers
- MFA does not require the AD password as the first authentication factor
Synchronized – 3rd party tool like OktaFederated AD passwordOkta MFA- Same as above except that MFA does not remove password as first factor

The reality…

The adoption of O365 creates user management and authentication challenges, regardless of the deployment model.  Many organizations prefer hybrid deployments that integrate O365 with Active Directory. However, as we’ve shown here, doing so with Microsoft provided tools has its drawbacks. If you want a hybrid O365 deployment, minus the extra administration time, and security compromise, consider evaluating a 3rd party provider.

Start a free trial of Specops Authentication for O365!

  • Was this Helpful ?
  • Yes   No

Tags: , , ,

Back to Blog

Related Articles

© 2018 Specops Software. All rights reserved. Privacy Policy