To be allowed into Office 365 a user needs to be authenticated. Authentication means verifying that the user is who he/she claims to be. Once authenticated we can decide what actions the user is authorized to perform in Office 365.
Identity management deals with identifying individuals in a system and controlling access to the resources in that system.
In Office 365 we support three core customer scenarios for identity management:
Different benefits and limitations exist for these three core scenarios (see also 'Key terminology' at the end of this article):
1. Cloud IDsWith Microsoft Online Services cloud IDs (Cloud Identity), user credentials for signing into Office 365 services are stored in the cloud
2. Cloud IDs with directory synchronization For larger organizations that may want to streamline provisioning, the Microsoft Online Services Directory Synchronization Tool can be used to replicate existing Active Directory user accounts (and other Active Directory objects) into the Office 365 Cloud ID. Unlike manually created accounts, accounts created by the Directory Synchronization Tool are fully populated with user account information from Active Directory (for example, department, and phone number).
3. Federated IDs with directory synchronizationFederated IDs (Federated Identity) is a more sophisticated approach for larger organizations. In companies with Federated Identity set up, users can sign into Office 365 services using their Active Directory credentials. The corporate Active Directory authenticates the users, and stores and controls the password policy. With federated Identity, credentials are authenticated by on premises Active Directory Federation Services 2.0 server and a logon token is obtained by the user so that the Office 365 sign-in service can verify them. While this model may require some server investments and deeper architectural decision making, it does allows support for richer single sign on with your corporate credentials, integration with on-premises multi-factor authentication and a configurable password policy.
Sign-On Experience with Federated ID
End-users can use their AD credentials to access online resources, through ADFS. The experience they have will vary depending on the client types, access methods (inside or outside corporate network) and whether the device has joined the domain
See the Office 365 Identity Service Description "Signing In to Office 365" section for more information
To learn more about these Identity Management options you can go to the Office 365 Community Wiki “Office 365 Identity Management”