Understanding Azure AD/Office 365 identity models

Office 365 uses Azure Active Directory (Azure AD), a cloud-based user identity and authentication service that is included with your Office 365 subscription, to manage identities and authentication for Office 365. Getting your identity infrastructure configured properly is vital to managing Office 365 user access and permissions for your organization.

Office 365 identity models

To plan for user accounts, you first need to understand the two identity models in Microsoft 365. You can maintain your organization’s identities only in the cloud, or you can maintain your on-premises Active Directory Domain Services (AD DS) identities and use them for authentication when users access Microsoft 365 cloud services.

Cloud-only identity

A cloud-only identity uses user accounts that exist only in Azure AD. Cloud identity is usually used by small organizations that don’t have on-premises servers or don’t use AD DS to manage local identities.
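To see which of the two models each account in a tenant actually falls under, the following added example (not Microsoft's code) sorts user records by the onPremisesSyncEnabled and onPremisesLastSyncDateTime properties that Microsoft Graph exposes on the user resource; the sample records and the 30-day staleness threshold are constructed assumptions.

```python
"""Sort Azure AD user records into the page's identity models (added example)."""
from datetime import datetime, timedelta

# Constructed sample records shaped like a Microsoft Graph /users response.
SAMPLE_USERS = [
    {"userPrincipalName": "alice@example.com", "onPremisesSyncEnabled": True,
     "onPremisesLastSyncDateTime": "2024-05-01T08:00:00Z"},
    {"userPrincipalName": "bob@example.com", "onPremisesSyncEnabled": None,
     "onPremisesLastSyncDateTime": None},
    {"userPrincipalName": "carol@example.com", "onPremisesSyncEnabled": False,
     "onPremisesLastSyncDateTime": "2023-01-01T08:00:00Z"},
]


def identity_model(user):
    """Return 'synced', 'cloud-only' or 'formerly-synced' for one record.

    Graph sets onPremisesSyncEnabled to true while an account is synced
    from AD DS, leaves it null for accounts created directly in Azure AD,
    and sets it to false for accounts that were synced once but no longer are.
    """
    flag = user.get("onPremisesSyncEnabled")
    if flag is True:
        return "synced"
    if flag is False:
        return "formerly-synced"
    return "cloud-only"


def _parse(ts):
    # Graph returns UTC timestamps with a trailing Z; fromisoformat wants +00:00.
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def stale_synced(users, now_iso, max_days=30):
    """UPNs of synced accounts whose last sync is older than max_days.

    A long gap suggests the sync link is broken, so on-premises disables and
    password changes would no longer reach the cloud account. The 30-day
    threshold is an assumption, not a Microsoft recommendation.
    """
    now = _parse(now_iso)
    stale = []
    for u in users:
        if identity_model(u) != "synced":
            continue
        if now - _parse(u["onPremisesLastSyncDateTime"]) > timedelta(days=max_days):
            stale.append(u["userPrincipalName"])
    return stale


def summarize(users):
    """Count accounts per identity model, for a tenant inventory."""
    counts = {"synced": 0, "cloud-only": 0, "formerly-synced": 0}
    for u in users:
        counts[identity_model(u)] += 1
    return counts
```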

Here are the basic components of cloud-only identity.

Both on-premises and remote (online) users sign in with their Azure AD user accounts and passwords.

If users are accessing Azure AD/Office 365 from home or from any computer not connected to the corporate network, they still have access to Azure AD/Office 365 using their corporate credentials. Many organizations want this kind of user sign-in experience:

Work computer on a corporate network.

When users are at work and signed in to the company network, single sign-on enables them to access Azure AD/Office 365 without signing in again.

Roaming with a work computer.

For users who are logged on to domain-joined computers with their corporate credentials but are not connected to the corporate network (for example, a work computer at home or at a hotel), single sign-on likewise enables them to access Azure AD/Office 365 without signing in again.

Home or public computer.

When the user is using a PC that is not joined to the corporate domain, the user must sign in with corporate credentials to access Azure AD/Office 365. This is still an advantage, since they only have to remember one set of credentials for both company and Azure AD/Office 365 access.

Mobile device.

On a mobile device (phone or tablet), notably to access Microsoft Exchange Online using Microsoft Exchange ActiveSync (EAS), users must sign in with their corporate credentials.