There are three identity options available for Office 365.
The first option, Microsoft online IDs, is best suited to small businesses. The second, Microsoft online IDs with directory synchronization, works well for medium to large companies. The third, federated identities with directory synchronization, is best suited to large and enterprise organizations; it is also the only one of the three that offers two factor authentication, so if your business case requires two factor authentication it is the only way to go.
Microsoft online IDs
Microsoft online IDs can be used on their own for user identification. This option is best suited to small organizations without Active Directory on premises. On the plus side, there is no requirement for on-premises servers. On the other hand, there is no option for two factor authentication, and there is no single sign-on (SSO) for on-premises applications: users need two sets of credentials, one for on-premises access and one for the cloud. Office 365 IDs are created and managed in the cloud while on-premises access is managed locally, so the two have separate password policies, and keeping them consistent becomes difficult as the organization grows. Mid-size and large organizations should consider one of the other two Office 365 identity options.
Microsoft online IDs with directory synchronization
When an organization outgrows the basic Microsoft online ID option, adding directory synchronization is the next step. Mid-size and large organizations with Active Directory on premises can administer users and groups in on-premises Active Directory and have them synchronized to Office 365. Two factor authentication is not available with this configuration either; if you have a business case that requires it, you will need the third Office 365 identity option listed below. If you do not, Microsoft online IDs with directory synchronization let you keep your existing user administration processes. You will still have different password policies on-premises versus in the cloud (synchronization copies user and group objects, but sign-in to Office 365 is still evaluated in the cloud), still have no SSO for on-premises applications, and your organization will need an additional server for Active Directory synchronization. Most of the features missing from this configuration are provided by federated identities with directory synchronization.
Federated identities with directory synchronization
Large organizations and enterprise-class corporations can build on their on-premises Active Directory to set up federated identities with directory synchronization. Identities are administered, created and managed on-premises, and the on-premises password policy is the one that applies, because authentication itself happens on-premises: Office 365 redirects the sign-in to your Active Directory Federation Services (ADFS) farm, which authenticates the user against Active Directory and returns a signed token. That is also why this is the option that supports two factor authentication: the second factor is enforced by ADFS at sign-in, not by Office 365. Users get single sign-on (SSO) to cloud and on-premises applications with corporate credentials that are managed on-premises, and certain hybrid scenarios become available. The cost is additional servers for ADFS (the federation servers and, for sign-ins from the internet, ADFS proxies) and for Directory Synchronization (DirSync), plus the administration that comes with them. In exchange for these resources, your organization gets two factor authentication and SSO. Keep in mind that the ADFS farm is then in the sign-in path of every Office 365 user, so it needs the same availability and protection as any other authentication tier.
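As an added example (not code from the original article), the PowerShell below first audits which of the three identity models each verified domain in a tenant is using, and then, on the ADFS server, attaches the additional authentication rule that makes ADFS demand a second factor for Office 365 sign-ins arriving from outside the corporate network. It assumes the MSOnline module for the tenant part, the ADFS module on a Windows Server 2012 R2 or later federation server, that the relying party trust still carries its default name "Microsoft Office 365 Identity Platform", and that an additional authentication provider (such as an RSA SecurID adapter) has been registered separately; all of those are assumptions about your environment, not facts from the article.

```powershell
# Added example, not part of the original article.
# Part 1 runs wherever the MSOnline module is installed; Part 2 runs on an ADFS server.
# Assumptions: MSOnline module, ADFS on Windows Server 2012 R2+, default RP trust name.

# --- Part 1: which identity model does each verified domain use? ---
Import-Module MSOnline
Connect-MsolService                      # prompts for a tenant administrator credential

$company = Get-MsolCompanyInformation    # DirectorySynchronizationEnabled, LastDirSyncTime
$dirSync = [bool]$company.DirectorySynchronizationEnabled

function Get-IdentityModel {
    param([Parameter(Mandatory)] $Domain)
    # Authentication is 'Managed' (password checked in the cloud) or 'Federated' (ADFS token).
    if ($Domain.Authentication -eq 'Federated') { return 'Federated identities with directory synchronization' }
    if ($dirSync)                                { return 'Microsoft online IDs with directory synchronization' }
    return 'Microsoft online IDs'
}

Get-MsolDomain | Where-Object { $_.Status -eq 'Verified' } | ForEach-Object {
    [PSCustomObject]@{
        Domain         = $_.Name
        Authentication = $_.Authentication
        IdentityModel  = Get-IdentityModel -Domain $_
        LastDirSync    = $company.LastDirSyncTime
    }
} | Format-Table -AutoSize

# For every federated domain, show where Office 365 sends users to sign in.
# If this endpoint is down or unreachable, nobody in that domain can sign in.
Get-MsolDomain | Where-Object { $_.Authentication -eq 'Federated' } | ForEach-Object {
    Write-Host "Federation settings for $($_.Name):"
    Get-MsolDomainFederationSettings -DomainName $_.Name |
        Select-Object IssuerUri, PassiveLogOnUri, ActiveLogOnUri
}

# --- Part 2 (on the ADFS server): require a second factor for external sign-ins ---
Import-Module ADFS
$rpName = 'Microsoft Office 365 Identity Platform'   # default name created by Convert-MsolDomainToFederated

# Additional authentication rules are evaluated after primary (password) authentication
# succeeds. ADFS sets insidecorporatenetwork to "true" for requests that hit the federation
# server directly and "false" for requests that came through the ADFS proxy.
$mfaRule = @'
c:[Type == "http://schemas.microsoft.com/ws/2012/01/insidecorporatenetwork", Value == "false"]
 => issue(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod",
          Value = "http://schemas.microsoft.com/claims/multipleauthn");
'@

Set-AdfsRelyingPartyTrust -TargetName $rpName -AdditionalAuthenticationRules $mfaRule

# Verify: the rule is stored on the trust, and at least one additional authentication
# provider is enabled globally. Without a provider the rule can never be satisfied,
# and every external sign-in to Office 365 will be rejected rather than let through.
$trust  = Get-AdfsRelyingPartyTrust -Name $rpName
$policy = Get-AdfsGlobalAuthenticationPolicy
Write-Host "Additional authentication rules on '$rpName':"
$trust.AdditionalAuthenticationRules
if (-not $policy.AdditionalAuthenticationProvider) {
    Write-Warning 'No additional authentication provider is enabled; register and enable one before relying on this rule.'
}
```

The audit in Part 1 is worth running before any change: the identity model is a per-domain property, so a tenant can have one federated domain and another that is still cloud-managed, and only users in the federated domain are protected by the ADFS rule.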
The most common method of configuring two factor authentication is with RSA SecurID, which we cover in more detail in another article.