Office 365, Microsoft’s cloud subscription suite for email and collaboration, owed much of its early success to adoption among smaller companies. However, the service is quickly scaling up among Microsoft’s enterprise customers, riding on numerous large Office 365 deployments at businesses, government agencies and universities over the past few years. As enterprise IT decision-makers choose Office 365 to move email and social collaboration to the cloud, there are a few important issues to consider. Among the most significant is the need for organizations to understand user management for this cloud application.
Challenges to Security and Access Control
In the world of social software, here is where everything starts: A user logs in, or is logged in, to a social software application via an enterprise single sign-on (SSO) service. Most social software packages tie into existing corporate directory systems — such as Lightweight Directory Access Protocol (LDAP) servers — for basic authentication, while providing authorization (entitlements) within the system itself. How they do so, however, varies markedly among products. Some products query the LDAP repository in real time, while others require the LDAP server to sync with, or cache credentials within, the product’s own access control lists on a regular basis, which means that a disabled account or changed password in the directory only takes effect in the product at the next sync.
To understand how directory management for Office 365 access works, it is vital to note that Office 365 relies on the user authentication service of Azure Active Directory (AD) to authenticate users to Office 365 services such as Exchange Online, Lync Online, SharePoint Online and the Office applications. In other words, the identity Office 365 authenticates against is the one synchronized into Azure AD.
Directory Management for Office 365 Access
In today’s large, borderless enterprises, directory environments have typically become complex over time. They quickly become harder to manage, whether through the organic addition of business unit domains or through the amalgamation of environments during mergers and acquisitions. Microsoft recommends that organizations with multiple domains and multiple forests consolidate and simplify their directory structure. However, many organizations have valid administrative reasons not to consolidate their on-premises AD environment. Furthermore, the on-premises directory is often not based on AD at all, yet the organization still wants to use Office 365 and Azure AD. In these cases, it may not be possible to directly provide the simple, singular view of identities that Azure AD requires.
Authentication and Authorization Needs
In addition to directory considerations, an IT organization also needs to determine how users will access Office 365. Authentication and federated SSO approaches, ranging from simple to complex, are important identity and access management considerations in the context of Office 365 and software-as-a-service (SaaS). Organizations with a heterogeneous set of systems and federation requirements tend to have more complex federation needs. For instance, they may need federated access to multiple cloud applications such as Google Apps, Salesforce.com or Kenexa, or they may want social logins for applications with lower security requirements. In such scenarios, they should opt for a solution that can mediate between a wide variety of federation protocols and between multiple federated environments.
Directory Integration and Federated Access for Complex Office 365 Deployment
Directory integration technologies have proven highly effective at keeping multiple, disparate identity repositories that share common identity information in sync with each other. They do this while preserving the native schemata and data formats of each repository, and they can also maintain a persistent, normalized view of the common identity information. This means an organization with a complex on-premises AD environment can retain that necessary complexity while still producing the consistent, consolidated view that Office 365 requires.
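The consolidated view described above, and the multi-forest situation from the earlier section, can be illustrated with a small Python example. This is an added example, not code from the article, from Microsoft or from any directory integration product. The two source repositories, their attribute names, the mapping rules and the sample entries are all constructed for the illustration; real connectors would read from AD and LDAP rather than from inline dictionaries. Each source keeps its own schema, a per-source mapping produces the normalized identity, and the consolidation step refuses to silently merge two records that claim the same user principal name, since Azure AD needs exactly one identity per UPN.

```python
"""Normalize identities from disparate directories into one consolidated view.

Added illustration, not vendor code. The repositories, attribute names and
sample records below are constructed for the example.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Identity:
    """The normalized identity: the single view a cloud directory expects."""
    source: str            # repository the record came from
    anchor: str            # immutable source id (objectGUID, entryUUID, ...)
    upn: str               # user principal name, lower-cased
    mail: Optional[str]    # primary SMTP address, or None if absent
    display_name: str
    native: dict = field(default_factory=dict)  # untouched original record


# Per-source mapping: canonical attribute -> source attribute name, or a
# function of the raw record. Only the mapping knows each repository's schema.
MAPPINGS: Dict[str, Dict[str, object]] = {
    # Constructed: an AD forest exposing AD-style attributes.
    "corp.example": {
        "anchor": "objectGUID",
        "upn": "userPrincipalName",
        "mail": "mail",
        "display_name": "displayName",
    },
    # Constructed: a non-AD LDAP directory (inetOrgPerson-style) from an acquisition.
    "acquired.example": {
        "anchor": "entryUUID",
        "upn": lambda r: f"{r['uid']}@acquired.example",
        "mail": "mail",
        "display_name": lambda r: f"{r['givenName']} {r['sn']}",
    },
}


def normalize(source: str, record: dict) -> Identity:
    """Apply the source's mapping; the native record is carried along unchanged."""
    mapping = MAPPINGS[source]

    def get(key: str) -> Optional[str]:
        spec = mapping[key]
        value = spec(record) if callable(spec) else record.get(spec)
        return value.strip() if isinstance(value, str) else value

    return Identity(
        source=source,
        anchor=get("anchor"),
        upn=get("upn").lower(),
        mail=(get("mail") or "").lower() or None,
        display_name=get("display_name") or "",
        native=dict(record),
    )


def consolidate(records_by_source: Dict[str, List[dict]]) -> Tuple[Dict[str, Identity], List[str]]:
    """Build the UPN-keyed view and report records that must not be merged blindly.

    Returns (view, conflicts): view maps UPN -> Identity; conflicts lists the
    reasons a record was held back for an operator instead of being synced.
    """
    view: Dict[str, Identity] = {}
    seen_anchors = set()
    conflicts: List[str] = []
    for source, records in records_by_source.items():
        for record in records:
            ident = normalize(source, record)
            if (source, ident.anchor) in seen_anchors:
                conflicts.append(f"duplicate anchor {ident.anchor} in {source}")
                continue
            seen_anchors.add((source, ident.anchor))
            if not ident.mail:
                conflicts.append(f"{ident.upn}: missing mail attribute")
            existing = view.get(ident.upn)
            if existing is not None:
                # One UPN claimed by two repositories: the cloud directory needs a
                # single identity per UPN, so this is escalated rather than merged.
                conflicts.append(f"{ident.upn}: claimed by {existing.source} and {source}")
                continue
            view[ident.upn] = ident
    return view, conflicts


# Constructed sample data: two forests with different schemas and one UPN clash.
SAMPLE: Dict[str, List[dict]] = {
    "corp.example": [
        {"objectGUID": "a1", "userPrincipalName": "Alice@corp.example",
         "mail": "alice@corp.example", "displayName": "Alice Liddell"},
        {"objectGUID": "b2", "userPrincipalName": "bob@corp.example",
         "mail": "", "displayName": "Bob Stone"},
        {"objectGUID": "c3", "userPrincipalName": "carol@acquired.example",
         "mail": "carol@corp.example", "displayName": "Carol Mann"},
    ],
    "acquired.example": [
        {"entryUUID": "x9", "uid": "carol", "mail": "carol@acquired.example",
         "givenName": "Carol", "sn": "Mann"},
        {"entryUUID": "y8", "uid": "dave", "mail": "dave@acquired.example",
         "givenName": "Dave", "sn": "Ng"},
    ],
}


def run_sample() -> Tuple[Dict[str, Identity], List[str]]:
    """Consolidate the constructed sample; used for the stand-alone run below."""
    return consolidate(SAMPLE)


if __name__ == "__main__":
    view, conflicts = run_sample()
    for upn, ident in sorted(view.items()):
        print(f"{upn:28} <- {ident.source} anchor={ident.anchor} name={ident.display_name}")
    for reason in conflicts:
        print("HELD:", reason)
```

Running the sample yields four normalized identities and two held records: Bob lacks a mail attribute, and Carol's UPN is claimed by both forests, so an operator has to decide which record wins before anything is synchronized. Keeping the `native` record on each identity is what lets the integration layer preserve each repository's own schema while exposing only the normalized fields to the cloud directory.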
For authentication, many complex IT organizations need a federated SSO solution that supports directories other than AD, or one that also works with services that do not use the standards supported by Active Directory Federation Services. In such cases, third-party federation offerings with comprehensive federated SSO capabilities are warranted. With a federated approach provided by a competent access management solution, end users get a seamless sign-on experience to on-premises and Azure AD applications, eliminating the need for multiple user IDs and passwords. An identity mediation service for cloud, SaaS and Web service implementations helps reduce administrative costs, establish trust and facilitate compliance by managing, mapping and propagating user identities.