November 26, 2014 By Manukrishna TS 3 min read

Office 365, Microsoft’s cloud subscription suite for email and collaboration, found its early success largely among smaller companies. The service is now scaling up among Microsoft’s enterprise customers, on the back of numerous large deployments at businesses, government agencies and universities over the past few years. As enterprise IT decision-makers choose Office 365 to move email and social collaboration to the cloud, a few issues deserve careful thought. Among the most significant is the need to understand how users and directories are managed for this cloud application, because every Office 365 sign-in ultimately rests on the identity data the organization feeds into it.

Challenges to Security and Access Control

In the world of social software, everything starts at one point: a user logs in, or is logged in, to a social software application through an enterprise single sign-on (SSO) service. Most social software packages tie into existing corporate directory systems, such as Lightweight Directory Access Protocol (LDAP) servers, for basic authentication, while handling authorization (entitlements) within the product itself. How they do so varies markedly among products. Some query the LDAP repository in real time; others require the LDAP server to sync with, or cache credentials within, the product’s own access control lists on a schedule. The second model has security consequences that are easy to overlook: an account that is disabled or deleted in the directory remains usable in the product until the next sync, and the product’s store becomes a second copy of credential material that must be protected and audited like the directory itself.

To understand how directory management for Office 365 access works, it is vital to note that Office 365 relies on Azure Active Directory (Azure AD) to authenticate users to Exchange Online, Lync Online, SharePoint Online and the Office applications. Office 365 therefore authenticates against the identity that has been synchronized into Azure AD from the organization’s directory; the password itself is verified either by Azure AD or, in a federated configuration, by the organization’s own identity provider. Either way, the quality of the identity data that reaches Azure AD determines who can sign in.

Directory Management for Office 365 Access

In today’s large, borderless enterprises, directory environments typically become complex over time. They grow harder to manage through the organic addition of business-unit domains or through the amalgamation of environments during mergers and acquisitions. Microsoft recommends that organizations with multiple domains and multiple forests consolidate and simplify their directory structure. Many organizations, however, have valid administrative reasons not to consolidate their on-premises AD environment. It is also common for the on-premises directory not to be based on AD at all, while the organization still wants to use Office 365 and Azure AD. In these cases it may not be possible to provide directly the simple, singular view of identities that Azure AD requires: each person must map to exactly one Azure AD object, with a unique, routable user principal name and a stable anchor attribute that survives renames and moves between domains.

Authentication and Authorization Needs

In addition to directory considerations, an IT organization also needs to decide how users will access Office 365. Ranging from simple to complex, authentication and federated SSO approaches are central identity and access management considerations for Office 365 and software-as-a-service (SaaS) in general. Organizations with a heterogeneous set of systems and federation requirements tend to have more complex needs. For instance, they may need federated access to multiple cloud applications such as Google Apps, Salesforce.com or Kenexa, and they may want social logins for applications with lower security requirements. In such scenarios, it is advisable to choose a solution that can mediate among a variety of federation protocols (SAML, WS-Federation, OAuth and OpenID Connect) and among multiple federated environments.

Directory Integration and Federated Access for Complex Office 365 Deployment

Directory integration technologies have proven highly effective at keeping multiple, disparate identity repositories that share common identity information in sync with one another. They do so while preserving the native schemata and data formats of each repository, and they can maintain a persistent, normalized view of the common identity information. An organization with a complex on-premises AD environment can therefore retain that complexity while still producing the consistent, consolidated view that Office 365 requires. The hard part of building that view is reconciliation: deciding which attribute serves as the immutable anchor for each person, rewriting non-routable sign-in names into a verified domain, and catching duplicate names or addresses across repositories before they are exported.
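The following script is an added illustration of the reconciliation described in the two preceding sections on complex directory environments and directory integration; it is not code from the article, from Microsoft or from any sync product. It merges constructed records from a corporate AD forest and an acquired company’s non-AD LDAP directory into one normalized view for a placeholder tenant domain, `contoso.example`. The AD attribute names (`objectGUID`, `userPrincipalName`, `userAccountControl`) and LDAP names (`uid`, `entryUUID`, `mail`) follow the usual conventions; the choice of `entryUUID` as the anchor for the LDAP side is an assumption for this example.

```python
"""Build the consolidated identity view a cloud directory needs from two
disparate on-premises directories: a corporate AD forest and an acquired
company's non-AD LDAP directory.

Added illustration for this article, not a product or Microsoft tool. All
records below are constructed; attribute names follow AD (objectGUID,
userPrincipalName, userAccountControl) and generic LDAP (uid, entryUUID,
mail) conventions, and 'contoso.example' is a placeholder tenant domain.
"""
import base64
import re
from dataclasses import dataclass

TENANT_DOMAIN = "contoso.example"
UPN_RE = re.compile(r"^[a-z0-9._%+\-]+@[a-z0-9.\-]+$")


@dataclass(frozen=True)
class NormalizedUser:
    source: str         # which directory the record came from
    source_anchor: str  # immutable ID; never derived from mail or UPN, which change on rename
    upn: str            # routable sign-in name in the tenant domain
    mail: str
    enabled: bool


# Constructed sample records, as a sync connector would read them.
CORP_AD = [
    {"objectGUID": b"\x01" * 16, "userPrincipalName": "jdoe@corp.local",
     "mail": "John.Doe@contoso.example", "userAccountControl": 512},
    {"objectGUID": b"\x02" * 16, "userPrincipalName": "asmith@corp.local",
     "mail": "ann.smith@contoso.example", "userAccountControl": 514},  # bit 0x2 = ACCOUNTDISABLE
]
ACQUIRED_LDAP = [
    {"entryUUID": "6ba7b810-9dad-11d1-80b4-00c04fd430c8", "uid": "bchen",
     "mail": "bob.chen@contoso.example", "inetUserStatus": "Active"},
    # Same person provisioned twice: collides with the AD 'jdoe' on UPN and mail.
    {"entryUUID": "6ba7b811-9dad-11d1-80b4-00c04fd430c8", "uid": "JDoe",
     "mail": "john.doe@contoso.example", "inetUserStatus": "Active"},
]


def normalize_ad(rec):
    """AD record -> normalized user. The anchor is the base64 objectGUID, the
    same form directory sync tools use for Azure AD's ImmutableId."""
    anchor = base64.b64encode(rec["objectGUID"]).decode()
    local_part = rec["userPrincipalName"].split("@", 1)[0]
    # The non-routable '.local' suffix is replaced with the verified tenant domain.
    upn = f"{local_part}@{TENANT_DOMAIN}".lower()
    enabled = not (rec["userAccountControl"] & 0x2)
    return NormalizedUser("corp-ad", anchor, upn, rec["mail"].lower(), enabled)


def normalize_ldap(rec):
    """Non-AD LDAP record -> normalized user, keyed on entryUUID (assumed immutable here)."""
    upn = f"{rec['uid']}@{TENANT_DOMAIN}".lower()
    return NormalizedUser("acquired-ldap", rec["entryUUID"], upn,
                          rec["mail"].lower(), rec["inetUserStatus"] == "Active")


def build_consolidated_view(ad_records, ldap_records):
    """Return (accepted, conflicts).

    accepted: users whose UPN and mail are unique across all sources.
    conflicts: (user, [reasons]) pairs that must be resolved before sync, because
    a duplicate UPN or mail would either fail export or silently join two people.
    """
    candidates = [normalize_ad(r) for r in ad_records] + [normalize_ldap(r) for r in ldap_records]
    upn_count, mail_count = {}, {}
    for u in candidates:
        upn_count[u.upn] = upn_count.get(u.upn, 0) + 1
        mail_count[u.mail] = mail_count.get(u.mail, 0) + 1

    accepted, conflicts = [], []
    for u in candidates:
        reasons = []
        if not UPN_RE.match(u.upn):
            reasons.append("malformed UPN")
        if upn_count[u.upn] > 1:
            reasons.append("duplicate UPN")
        if mail_count[u.mail] > 1:
            reasons.append("duplicate mail")
        if reasons:
            conflicts.append((u, reasons))
        else:
            accepted.append(u)
    return accepted, conflicts


if __name__ == "__main__":
    ok, bad = build_consolidated_view(CORP_AD, ACQUIRED_LDAP)
    for u in ok:
        print("sync  ", u.upn, "anchor=" + u.source_anchor, "enabled=" + str(u.enabled))
    for u, why in bad:
        print("HOLD  ", u.source, u.upn, ", ".join(why))
```

Two design points are worth noting. The anchor is taken from an identifier that does not change when a person is renamed or moved, because the cloud directory uses it to decide whether an incoming record is an update to an existing user or a brand-new one. And a disabled account is still exported, with its disabled state, rather than dropped: dropping it would look to the cloud side like a deletion and would lose the account’s history and mailbox.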

For authentication, many complex IT organizations need a federated SSO solution that supports directories other than AD, or one that can work with services that do not use the standards supported by Active Directory Federation Services. In such cases, third-party federation offerings with comprehensive federated SSO capabilities are warranted. With a federated approach delivered by a capable access management solution, end users get a seamless sign-on experience across on-premises and Azure AD applications, eliminating the need for multiple user IDs and passwords. An identity mediation service for cloud, SaaS and Web services implementations helps reduce administrative costs, establish trust and facilitate compliance by managing, mapping and propagating user identities. Because that service sits at the trust boundary between identity providers and Office 365, it must do more than translate formats: it has to verify the signature of each incoming token, accept only issuers it has been configured to trust, enforce the token’s audience and validity window, and map identities only into the domains that issuer is authorized to assert.
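The following is an added illustration of the mediation step described above, not code from the article or from any vendor’s product. It takes a constructed SAML 2.0 assertion from a non-AD identity provider, applies the trust checks a mediation service must make, and emits the two claims Azure AD expects from a federated identity provider (UPN and ImmutableID). The issuer URL `https://idp.acquired.example/saml`, the attribute names `mail` and `entryUUID`, and the domain `contoso.example` are placeholders. XML signature verification is a prerequisite in any real deployment and is not shown here because it needs an XML-DSig library; the checks below are the ones that follow a verified signature.

```python
"""Identity mediation for federated SSO: accept a SAML 2.0 assertion from a
non-AD identity provider and emit the claim pair Azure AD expects from a
federated identity provider (UPN and ImmutableID).

Added illustration for this article, not product code from any vendor.
The assertion, issuer URL, attribute names and domains are constructed.
XML signature verification is a prerequisite in any real deployment and is
not shown; the checks below are the ones that follow a verified signature.
"""
import xml.etree.ElementTree as ET  # use defusedxml in production for untrusted XML
from datetime import datetime, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Trust configuration of the mediation service (constructed).
TRUSTED_ISSUERS = {"https://idp.acquired.example/saml"}
FEDERATED_DOMAINS = {"contoso.example"}  # domains this issuer is authorized to assert
EXPECTED_AUDIENCE = "urn:federation:MicrosoftOnline"  # Office 365 relying party identifier

# Claim types Azure AD expects from a federated identity provider.
UPN_CLAIM = "http://schemas.xmlsoap.org/claims/UPN"
IMMUTABLE_ID_CLAIM = "http://schemas.microsoft.com/LiveID/Federation/2008/05/ImmutableID"

# Constructed assertion, as the upstream IdP would send it (signature element omitted).
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_c0ffee" Version="2.0" IssueInstant="2014-11-26T10:00:00Z">
  <saml:Issuer>https://idp.acquired.example/saml</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">bob.chen@contoso.example</saml:NameID>
  </saml:Subject>
  <saml:Conditions NotBefore="2014-11-26T09:59:00Z" NotOnOrAfter="2014-11-26T10:05:00Z">
    <saml:AudienceRestriction><saml:Audience>urn:federation:MicrosoftOnline</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="mail"><saml:AttributeValue>bob.chen@contoso.example</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="entryUUID"><saml:AttributeValue>6ba7b810-9dad-11d1-80b4-00c04fd430c8</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


class FederationError(Exception):
    """Raised when an assertion must be rejected; the message names the reason."""


def parse_utc(ts):
    """SAML timestamps are UTC with a trailing Z."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def mediate(assertion_xml, now, trusted_issuers=TRUSTED_ISSUERS,
            federated_domains=FEDERATED_DOMAINS):
    """Validate the (already signature-verified) assertion and map it to Azure AD claims."""
    root = ET.fromstring(assertion_xml)
    if root.tag != "{%s}Assertion" % NS["saml"]:
        raise FederationError("not a SAML 2.0 assertion")

    issuer = root.findtext("saml:Issuer", default="", namespaces=NS).strip()
    if issuer not in trusted_issuers:
        raise FederationError("untrusted issuer: %r" % issuer)

    cond = root.find("saml:Conditions", NS)
    if cond is None or not cond.get("NotOnOrAfter"):
        raise FederationError("assertion has no validity window")
    if cond.get("NotBefore") and now < parse_utc(cond.get("NotBefore")):
        raise FederationError("assertion not yet valid")
    if now >= parse_utc(cond.get("NotOnOrAfter")):
        raise FederationError("assertion expired")
    audiences = {a.text.strip() for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS) if a.text}
    if EXPECTED_AUDIENCE not in audiences:
        raise FederationError("assertion not addressed to this relying party")

    attrs = {}
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", NS):
        values = [v.text.strip() for v in attr.findall("saml:AttributeValue", NS) if v.text]
        attrs[attr.get("Name")] = values
    mail = next(iter(attrs.get("mail", [])), None)
    anchor = next(iter(attrs.get("entryUUID", [])), None)
    if not mail or not anchor:
        raise FederationError("mail or entryUUID attribute missing")

    # A trusted issuer may still only speak for the domains delegated to it;
    # otherwise it could mint sign-ins for users in another business unit's domain.
    upn = mail.lower()
    domain = upn.rsplit("@", 1)[-1]
    if domain not in federated_domains:
        raise FederationError("issuer %s is not authorized for domain %s" % (issuer, domain))

    return {UPN_CLAIM: upn, IMMUTABLE_ID_CLAIM: anchor}


def evaluate(assertion_xml, now):
    """Convenience wrapper: ('accepted', claims) or ('rejected', reason)."""
    try:
        return "accepted", mediate(assertion_xml, now)
    except FederationError as exc:
        return "rejected", str(exc)


if __name__ == "__main__":
    print(evaluate(SAMPLE_ASSERTION, parse_utc("2014-11-26T10:01:00Z")))
    print(evaluate(SAMPLE_ASSERTION, parse_utc("2014-11-26T10:05:00Z")))
```

The domain check is the one most often missing in home-grown mediation layers. Trusting an issuer’s signature establishes that the issuer said something; it does not establish that the issuer is entitled to speak for every domain in the tenant. Without the check, a compromised or merely misconfigured partner IdP could assert an address in the parent company’s domain and obtain a session as that user. The ImmutableID claim is carried through unchanged so that it matches the anchor the directory sync process wrote into Azure AD; if the two disagree, sign-in fails even though the assertion is otherwise valid.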
