I often get questions about the identity management options with Office 365. Identity management is the process of identifying individuals in a system and controlling access to the resources in that system. With Office 365, there are three main identity options you have available – Cloud Identity, Directory Synchronization (with Password Sync), and Federated Identity.
Cloud Identity is the simplest method for providing user authentication in Office 365. Users are completely managed and stored in the cloud. Specifically, users are stored in the cloud in Windows Azure Active Directory and managed via the Office 365 Admin Portal or via PowerShell. In this model users are only stored in the cloud and are not associated with any on-premises identity provider like an on-premises Active Directory.
Directory Synchronization (with Password Sync)
Directory Synchronization is used when you have an existing on-premise Active Directory and you want those same users to have access to Office 365. By installing the DirSync tool, it will periodically sync the user profiles up to Office 365. It eliminates the need to manually create and manage users in the cloud. And with the recent release of Password Sync, it also eliminates the need to manage user passwords in two different locations. User identities and passwords are created and managed on-premises and synchronized to the cloud.
With Federated Identity, also known as Single Sign-On, you authenticate to Office 365 using your on-premises identities. This is commonly done with on-premises Active Directory using Active Directory Federation Services (ADFS). ADFS requires deploying additional servers both internally and Internet-facing. See here for more details. In this scenario, if for any reason users are unable to authenticate via their local AD, then users will not be able to authenticate to Office 365 and will not be able to access any of the Office 365 services. Therefore, it is highly recommended to deploy this scenario with high-availability / redundancy in mind. With the recent release of Azure IaaS, customers are also starting to look at hosting ADFS infrastructure within Azure to solve the high-availability issue. There is a good White Paper that talks through the story of hosting ADFS infrastructure within Azure - you can find it at Office 365 Adapter: Deploying Office 365 Single Sign-On using Windows Azure. In addition, there are some third-party providers offering hosted ADFS services within Azure.
Because of the additional cost and complexity of deploying additional servers and high-availability with Federated Identity, many customers (especially in the SMB space) are choosing to implement Directory Synchronization (with Password Sync) instead. However, there are some reasons why customers will still prefer ADFS and directory federation over DirSync with Password Sync. Some of these reasons include:
Thanks for reading and I hope this information was helpful!