Office 365 identity models – Introduction
It’s the first decision for an organization that wants to move to the cloud.
The authentication method is a critical component of an organization’s presence in the cloud. It controls access to all cloud data and resources.
It’s the foundation of all the other advanced security and user experience features in Azure AD.
Identity is the new control plane of IT security, so authentication is an organization’s access guard to the new cloud world. Organizations need an identity control plane that strengthens their security and keeps their cloud apps safe from intruders.
Identity models available in Office 365
Office 365 uses cloud-based user authentication service Azure Active Directory to manage user accounts. There are three identity models to setup and manage user accounts.
Cloud Identity User management will be only in Office 365 (Azure AD). No On-Premise servers required to manage users. All the user management like creation done only in Cloud.
Synchronized Identity Identities synchronized from on-premises directory to Office 365 (Azure AD) and user management done at On-Premise AD. Passwords can be synched so that users have the same password on-premises and in the cloud. Users has to sign in on both On-Premise and Office 365, no single sign on experience.
Federated Identity Identities synchronized from on-premises directory to Office 365 (Azure AD) and user management done at On-Premise AD. Users have same password on-premise and in cloud no need to sign in again to use Office 365. Also known as single sign-on.
Cloud Identity
In this model a user is created and managed in Office 365 and stored in Azure Active Directory, and the password is verified by Azure Active Directory. Azure Active Directory is the cloud directory that is used by Office 365. There is no equivalent user account on-premises, and there is nothing that needs to be configured to use this other than to create users in the Office 365 admin center.
The most basic option is to not implement single sign-on at all, which might make sense for smaller implementations. In this scenario, user accounts are provisioned on Office 365 and users logon independently of their local Active Directory.
Pros:
- Quick implementation
- Self-service password reset is available for Office 365 accounts
- No need to dedicate servers or infrastructure for SSO
- Can be used if Active Directory is not deployed or most clients are not AD joined
Cons:
- No SSO for end users

Synchronized Identity
Synchronized identity is the most popular identity model for many organizations with an on-premise directory infrastructure. In this model, your on-premise directory gets connected to the AAD with an Azure AD Connect (AAD Connect) server. The AAD Connect server synchronizes on-premise directory objects (user accounts, groups, contacts, etc.) based on the synchronization rules configured in the AAD Connect server.
There are two types of synchronized identity models available
- Password synchronization
- Pass-through Authentication

Password synchronization
Microsoft provides a tool called Azure Active Directory (AD) Connect to synchronize user data from on-premise Active Directory to Azure AD. This saves provisioning user accounts on Office 365 while also giving the ability to synchronize a hash of the end user’s password. The end user’s full password is not synced, and a password change on-premise will trigger a sync. In this scenario, users on the network will receive a Kerberos challenge and be able to pass that token to Azure AD for authentication. Users who are outside of the network will login with their AD credentials.
Pros:
- Provides SSO without additional resources
- Users will still be able to sign-in if there are issues with on-premises resources
- ADFS (Active Directory Federation Services) SSO apps can be moved to Azure AD
- Users have one password to remember for on-premise and Microsoft cloud services
- The same server that syncs user data also syncs passwords which minimizes on-premises infrastructure footprint
- AD infrastructure or Internet can be down without restricting the ability to logon to Office 365
Cons:
- Since logons terminate in Azure AD, you lose the ability to have more granular logon restrictions that come with full Active Directory such as restricting logon times which can be critical for some businesses due to changes in federal labor regulations regarding hourly employees.
- Self-service password reset for Office 365 accounts is unavailable without purchasing Azure AD Premium or Enterprise Mobility + Security Suite licenses.
Pass-through Authentication
Provides a simple password validation for Azure AD authentication services by using a software agent that runs on one or more on-premises servers. The servers validate the users directly with your on-premises Active Directory, which ensures that the password validation doesn’t happen in the cloud.
Companies with a security requirement to immediately enforce on-premises user account states, password policies, and sign-in hours might use this authentication method
Another option for SSO is to use pass-through authentication with Azure AD Connect. The latest version of the Azure AD Connect tool includes an agent that opens and maintains an outbound connection to Azure AD (no DMZ or firewall rules required). When this option is enabled, user logons to Office 365 are passed back through this open tunnel to your on-premise Active Directory where they are authenticated live. This means you have access to logon time restrictions. The good news is that you can deploy additional agents which ideally would use separate internet connections. Of course, the downside of having machines authenticate against your local AD is that you need to provide high availability.
The best part is that pass-through authentication means that we can now have domain joined machines pass through their domain credentials seamlessly. This takes place automatically in most web browsers (IE, Chrome and Firefox). If you have Outlook 2013 or later deployed and modern authentication enabled, Outlook can take advantage of seamless single sign-on as well.
Pros:
- True single sign-on for domain joined PCs in Outlook (2013 or later) and in the web browser – no password needed.
- Similar experiences to password sync for external or non-domain joined PCs.
- Built into Azure AD Connect which minimizes infrastructure footprint.
- Can deploy additional agents for redundancy.
- Some organizations have security requirements that prohibit syncing a password hash
Cons:
- Building enough redundancy can be a challenge for companies with a single data center and internet connection.
Reference below Microsoft’s link for detailed study