Entitlement Management. Its purpose is to execute IT access policies for structured/unstructured data, devices and services. Entitlement management can be delivered by different technologies, and is often different across platforms, applications, network components and devices.
Assigned a unique user ID. The User ID format is last name, first initial and typically a four-digit number (e.g.
Roles: Exostar's Identity Access and Management (MAG) Platform is a role-based solution. Users can be assigned a single role or multiple roles. Once the organization is established, roles can be added or removed.
What Is Identity Management (IDM)?
The explosive growth of the cloud and, in particular, Software-as-a-Service (SaaS) applications, like those becoming popular in the collaboration or project management space, has changed the way companies do business. Deploying software as a managed service delivered via the cloud means lower maintenance costs, increased uptime, faster feature rollout, and the reduced need for on-site hardware. Those are just some of the reasons why cloud-based SaaS solutions are making deep and fast inroads to tasks that were formerly dominated solely by in-house IT staff.
But to fully realize the savings offered by SaaS apps, businesses need a way to easily create and manage users (that is, identities) across their entire portfolio of cloud apps, portfolios that usually span multiple platforms and can change often. IT administrators need to give users Single Sign-On (SSO) capability across the organization's entire portfolio of apps, but that's only part of the problem. Controlling the depth of access in SaaS apps is just as important as it is for on-premises apps: not just who gets access to the app, but exactly what they can access once they're using it. This can be critical in many business apps, as is defining the user's role, cross-app authentication, and more advanced security measures such as multi-factor authentication (MFA). MFA refers to authentication mechanisms that require more than a single step such as entering a user name and password; they also require an additional factor, such as a physical token of some kind (a smart card or USB security key, for example) or a biometric measure (a fingerprint scan, for instance).
Equally as important is the management of existing Identity Providers (IDPs) such as Microsoft Active Directory (AD) or human resources (HR) software. In many cases, identity information may be sourced from multiple repositories, requiring a system to not only manage identities in different systems but also be able to synchronize information between these systems, and provide a single source of truth when required.
To make all of this happen, admins need the ability to manage users in a fast-changing environment without having to manually perform actions that for decades have been distilled down to simple changes to a user's group membership properties in Microsoft AD. Having to manually adjust permissions, access, and control properties across dozens, hundreds, or even thousands of users every time a new SaaS service is made available can be prohibitively cumbersome, even if IT takes advantage of automation technologies such as scripting. Identity-Management-as-a-Service (IDaaS) solutions are rapidly becoming a critical aspect of the corporate infrastructure, for a myriad of reasons we'll detail through the course of this article. Ironically, perhaps the ideal answer to this problem, at least in part, is to dip into the SaaS well again and use an IDaaS provider.
Connecting Identities in the Cloud
Most IDaaS providers use a common method to handle authentication by using identities contained in your organization's existing network directory. The most prevalent option is to have a piece of software installed on your local network, known as an agent, which allows the IDaaS provider to communicate with your directory. That way, admins can keep using the same directory tools they always have, yet seamlessly access apps and resources outside the company network.
This communication is typically a combination of synchronization (where directory users and groups are pulled up to the service) and on-demand communication (known as federation) in order to perform authentication requests back against the directory. Most IDaaS solutions offer the ability to customize the synchronization process, particularly which user attributes are allowed to be synchronized. A couple of reasons why you would customize attribute synchronization are either security- or privacy-related (e.g., in case you have attributes that may contain confidential data) or due to functionality (e.g., if you need to make custom attributes available to the IDaaS provider in order to use them within the service).
Another common method of connecting your on-premises directory with an IDaaS solution is to expose a standard directory protocol or authentication provider to the IDaaS. Some examples are the Lightweight Directory Access Protocol (LDAP), an open standard, and Active Directory Federation Services (ADFS), a proprietary Microsoft technology that is popular because of its easy integration with Microsoft's widely deployed Active Directory. LDAP is a standards-based method of communicating with a directory (either AD or one of several alternatives), while ADFS is a role in Windows Server tailored more towards allowing web apps to obtain specific information about users from AD. Not all IDaaS providers support these options and, in most cases, they require a significant amount of configuration, including firewall rules.
But these options may be a better solution for some business cases. For example, organizations with increased security requirements or privacy regulations may need to limit the software installed on domain controllers or have increased control over what data is available to an external IDaaS solution that is essentially running on someone else's servers.
Connecting With Customers and Partners
A business isn't worth much without relationships to partners, and more importantly, customers. In this age of technology and instant gratification, the ability to collaborate with partners or provide customers access to their information, while simultaneously respecting their privacy and security, is a critical aspect of doing business. Many of the IDaaS solutions we've reviewed offer the ability to provide business partners SSO access to apps through a portal functionally identical to the one available to normal corporate users. This allows your business to foster business relationships without having to automatically provide partners direct access to your corporate network or even standing up a new app specifically for partner access.
Customer management is another area in which IDaaS solutions can offer value. Most customers already have one or more identities established on social media or other popular websites. Many of the solutions we've reviewed offer a consumer IDaaS aspect, which is typically licensed separately from the core IDaaS product due to the potential for a high volume of authentications. Typically, a consumer IDaaS will allow a user to register by using an account they already own, such as a Facebook or Google account, which will then provide them access to the resources you authorize. Depending on your corporate use case, this authentication process could allow users access to a custom web app designed to provide information specific to them, or users could be redirected to the customer area of a customer relationship management (CRM) solution. In most cases, the IDaaS platform gives you options over how the authentication request is processed, which allows you to use a standard protocol or provide an application programming interface (API) for developers to access through custom code.
Augmenting Existing Infrastructure
In many cases, an IDaaS solution can provide significant benefits to your existing infrastructure over and above the inherent benefits offered by using cloud apps. One major benefit is an obvious one: managing identities. The larger a business, the more identities there are to manage, and often, these identities begin to reside in multiple places. Frequently, there are software apps that manage employees, their pay, and their organizational structure. Likewise, one or more corporate directories often contain similar information. Companies with multiple business interests or branches can often require separate identity stores; likewise, businesses (such as hospitals or industrial complexes) can often also require segregation of network resources for compliance or safety reasons.
An IDaaS solution can ease the management of these identities in multiple source locations, including providing self-service capabilities, delegation, approval workflows, and automation. Each of these features can also provide a logging element for reporting and compliance audit purposes. In many cases, the IDaaS app can also provide synchronization or translation capabilities with automation, which lets you manage an identity once and have those changes flow to other systems where appropriate.
Another way IDaaS solutions can help with your existing infrastructure is with apps that are hosted within the local network. In many cases, these apps are core to the company business, and providing access to off-site users requires either exposing the app to the internet with a firewall rule or first requiring that the user connect to a virtual private network (VPN) tunnel. While both of these scenarios have their place and are perfectly suitable for many situations, some IDaaS tools offer another option. By using a software-based agent installed inside the corporate network, an app can be accessed through an IDaaS SSO portal in the same way you would access a SaaS app hosted in the cloud. Most of the heavy lifting in this scenario is handled by an encrypted tunnel between the IDaaS provider and the software agent installed on your network.
IDM Security Considerations
Clearly, there are a number of security concerns for IT shops looking into using SaaS apps and IDaaS solutions. In some situations, avoiding the use of SaaS apps is next to impossible, so finding the best method to manage and secure the accounts needed to use these apps is imperative. Other organizations may not be considering SaaS apps out of necessity, so security concerns must be weighed against convenience and efficiencies.
Overall, there are four core areas of security to consider when evaluating IDaaS providers. The connection method used to integrate an existing corporate directory is the first area to consider. Software-based synchronization agents support a secure connection between your directory and the IDaaS provider but many IT shops will (rightly) have hesitations about installing an agent on their domain controllers. Considering an IDaaS solution that supports an authentication standard such as LDAP or ADFS might be a better option as they offer increased control over authentication and security.
The second area of concern for corporations looking into any kind of cloud service is the data stored within the service which, in the case of an IDaaS solution, will be corporate users and groups. In general, IDaaS solutions don't sync and store password hashes from your users; however, several IDaaS providers do offer this as an option in order to maintain the same passwords between multiple accounts (local directory, IDaaS, and even SaaS apps). These options should be carefully evaluated from security and legal points of view. Additionally, each of the IDaaS providers does have to store passwords related to SaaS apps in order to perform SSO functionality.
Third, consider the communication between your IDaaS provider and your entire portfolio of SaaS apps. Without exception, the IDaaS options tested here use a combination of Security Assertion Markup Language (SAML) and password vaulting. SAML is an extensible markup language (XML)-based authentication standard by which the identity provider and SaaS app can handle authentication without requiring interaction from a user or the population of a web form. The ability of an IDaaS provider to authenticate your users to their SaaS apps depends on the SaaS app supporting the SAML standard for authentication. In cases in which SAML isn't supported by a SaaS app, most IDaaS providers will fall back to password vaulting, which essentially handles the process of completing and submitting a login form on a webpage.
In terms of security, SAML can offer increased security in the form of a mutually authenticated connection through the use of SSL certificates tying the two services together. As with SAML itself, these additional security features are dependent upon support from both the SaaS and IDaaS provider. For my part, I tag SAML as the preferred authentication method for SSO from an IDaaS provider; in fact, I'd say you probably shouldn't even consider a solution that doesn't leverage that standard.
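The checks a SaaS app (the service provider) must run on a SAML response before trusting it, as an added example that is not code from the article or from any of the vendors reviewed. The sample response, the IdP and app URLs and the request id are constructed; the XML signature element is omitted because cryptographic verification is the job of an XML-DSig library and is assumed to have succeeded before these checks run.

```python
import xml.etree.ElementTree as ET  # use defusedxml.ElementTree on untrusted input in production
from datetime import datetime, timedelta, timezone
from typing import List, Tuple

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "samlp": "urn:oasis:names:tc:SAML:2.0:protocol"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
CLOCK_SKEW = timedelta(minutes=3)  # tolerance for IdP/SP clock drift

# Constructed sample response from a hypothetical IDaaS IdP to a hypothetical SaaS
# app. The XML-DSig <ds:Signature> element is left out: signature verification is
# the job of an XML-DSig library and must succeed before validate_response() runs.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_resp1" Version="2.0"
    InResponseTo="_req42" IssueInstant="2024-01-01T12:00:00Z"
    Destination="https://app.example.com/saml/acs">
  <saml:Issuer>https://idaas.example.net/idp</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T12:00:00Z">
    <saml:Issuer>https://idaas.example.net/idp</saml:Issuer>
    <saml:Subject>
      <saml:NameID>jane.doe@example.com</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData NotOnOrAfter="2024-01-01T12:05:00Z"
            Recipient="https://app.example.com/saml/acs" InResponseTo="_req42"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2024-01-01T11:59:00Z" NotOnOrAfter="2024-01-01T12:05:00Z">
      <saml:AudienceRestriction><saml:Audience>https://app.example.com</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""


def parse_time(value: str) -> datetime:
    """Parse a SAML xs:dateTime in UTC, with or without fractional seconds."""
    fmt = "%Y-%m-%dT%H:%M:%S.%fZ" if "." in value else "%Y-%m-%dT%H:%M:%SZ"
    return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)


def validate_response(xml_text: str, issuer: str, audience: str, acs_url: str,
                      request_id: str, now: datetime) -> Tuple[List[str], str]:
    """Return (errors, name_id). An empty error list means the assertion may be used.
    Precondition: the signature over the Assertion was verified with the IdP's certificate."""
    errors = []
    root = ET.fromstring(xml_text)
    # 1. Status, and the response must be addressed to our ACS and our request.
    code = root.find("samlp:Status/samlp:StatusCode", NS)
    if code is None or code.get("Value") != SUCCESS:
        errors.append("status is not Success")
    if root.get("Destination") not in (None, acs_url):
        errors.append("Destination does not match our ACS URL")
    if root.get("InResponseTo") != request_id:
        errors.append("InResponseTo does not match the outstanding AuthnRequest")
    # 2. Exactly one assertion, issued by the IdP we trust (both Issuer elements).
    assertions = root.findall("saml:Assertion", NS)
    if len(assertions) != 1:
        errors.append("expected exactly one Assertion")
        return errors, ""
    a = assertions[0]
    for el in (root.find("saml:Issuer", NS), a.find("saml:Issuer", NS)):
        if el is None or (el.text or "").strip() != issuer:
            errors.append("Issuer does not match the trusted IdP")
    # 3. Validity window and audience restriction.
    cond = a.find("saml:Conditions", NS)
    if cond is None:
        errors.append("missing Conditions")
    else:
        nb, noa = cond.get("NotBefore"), cond.get("NotOnOrAfter")
        if nb and now < parse_time(nb) - CLOCK_SKEW:
            errors.append("assertion not yet valid")
        if noa and now >= parse_time(noa) + CLOCK_SKEW:
            errors.append("assertion expired")
        auds = [x.text for x in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
        if audience not in auds:
            errors.append("Audience does not include this service provider")
    # 4. Bearer confirmation bound to our ACS URL and our request (anti-replay).
    scd = a.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None:
        errors.append("missing SubjectConfirmationData")
    else:
        if scd.get("Recipient") != acs_url:
            errors.append("Recipient does not match our ACS URL")
        if scd.get("InResponseTo") != request_id:
            errors.append("SubjectConfirmationData InResponseTo mismatch")
        if scd.get("NotOnOrAfter") and now >= parse_time(scd.get("NotOnOrAfter")) + CLOCK_SKEW:
            errors.append("bearer confirmation expired")
    name_id = a.find("saml:Subject/saml:NameID", NS)
    return errors, ((name_id.text or "").strip() if name_id is not None else "")


def check_sample(now_iso: str, audience: str = "https://app.example.com",
                 request_id: str = "_req42") -> Tuple[List[str], str]:
    """Run the checks on SAMPLE_RESPONSE at the given UTC instant (demonstration helper)."""
    return validate_response(SAMPLE_RESPONSE, "https://idaas.example.net/idp", audience,
                             "https://app.example.com/saml/acs", request_id, parse_time(now_iso))
```

The request id must also be marked as consumed once a response for it is accepted, so that a captured response cannot be replayed within the validity window.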
The last critical aspect to the IDaaS security picture is locking down the sign-on process for users. One feature that is common among all of the IDaaS players is support for MFA, which helps prevent security breaches due to a compromised password by requiring a second form (multiple factors) of authentication such as a randomly generated password or a hardware key.
Another common scenario is to require different levels of security based on the user's network location (typically determined from the IP address), such as allowing a basic username and password login when connecting through the corporate network but requiring MFA when using another connection. In general, both MFA and IP address restrictions are handled by using security policies, which is another must-have feature for an IDaaS provider. In fact, you probably want to look for an option that lets you configure multiple policies, as not all apps or users have the same security needs.
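A minimal policy evaluator of the kind described above, as an added example that is not code from the article or from any reviewed product. The policy fields, the corporate address ranges, the app names and the groups are all constructed; the combination rule (when several policies apply, the most restrictive requirement wins) is this example's own design choice, not a vendor's semantics.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Set

# Constructed corporate address space; a real IDaaS policy would read this from
# its "trusted networks" configuration.
CORPORATE_NETWORKS = [ipaddress.ip_network("10.0.0.0/8"),
                      ipaddress.ip_network("203.0.113.0/24")]


@dataclass(frozen=True)
class Policy:
    name: str
    apps: Optional[Set[str]] = None            # None: applies to every app
    allowed_groups: Optional[Set[str]] = None  # None: any user may sign in
    mfa_from_untrusted: bool = False           # MFA when off the corporate network
    mfa_always: bool = False                   # MFA regardless of location
    trusted_only: bool = False                 # refuse sign-in from untrusted networks


@dataclass
class Decision:
    allowed: bool
    factors: List[str]   # authentication factors the user must complete
    reasons: List[str]   # which policy imposed which requirement (for audit logs)


# Constructed policy set: a baseline for every app plus tighter rules for two
# sensitive apps. More than one policy may apply to a single sign-in.
POLICIES = [
    Policy("baseline", mfa_from_untrusted=True),
    Policy("finance", apps={"finance"}, mfa_always=True),
    Policy("admin-console", apps={"admin-console"}, allowed_groups={"IT-Admins"},
           mfa_always=True, trusted_only=True),
]


def is_trusted(ip: str) -> bool:
    """True when the client address lies inside a corporate network range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CORPORATE_NETWORKS)


def evaluate(policies: List[Policy], user_groups: Set[str], app: str, ip: str) -> Decision:
    """Combine every applicable policy; any deny wins and required factors accumulate."""
    trusted = is_trusted(ip)
    applicable = [p for p in policies if p.apps is None or app in p.apps]
    if not applicable:
        return Decision(False, [], ["no policy covers this app (implicit deny)"])
    allowed, factors, reasons = True, ["password"], []
    for p in applicable:
        if p.allowed_groups is not None and not (user_groups & p.allowed_groups):
            allowed = False
            reasons.append(f"{p.name}: user is not in an allowed group")
        if p.trusted_only and not trusted:
            allowed = False
            reasons.append(f"{p.name}: sign-in from untrusted network refused")
        if p.mfa_always or (p.mfa_from_untrusted and not trusted):
            if "mfa" not in factors:
                factors.append("mfa")
            reasons.append(f"{p.name}: MFA required")
    return Decision(allowed, factors if allowed else [], reasons)
```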
Single Sign-On
From a user's perspective, the primary purpose of having an IDaaS solution is to make signing into web apps easier. A user portal that provides quick SSO access to SaaS apps is a feature in the majority of IDaaS options. Most solutions also offer plug-ins for the major web browsers as well as mobile apps that mirror the functionality of the SSO portal.
In most cases, the user portal is presented as a grid or list of icons indicating the apps available to a user. This list is populated based on the SaaS apps assigned to the user by the IDaaS admins, either manually or through automated means such as membership in an AD group. The ideal provisioning method in terms of efficiency is based on the System for Cross-domain Identity Management (SCIM), a set of standards-based interfaces that allow for user provisioning within SaaS apps, though many IDaaS providers will make use of app-specific application programming interfaces (APIs) to handle provisioning. If supported by both the IDaaS and SaaS provider, then users can be automatically provisioned in the SaaS app based on conditions you define in the IDaaS solution. Often, this condition is simply membership in an AD group or based on an attribute of your choosing.
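Attribute-filtered synchronization (the customization discussed under "Connecting Identities in the Cloud") and group-driven SCIM provisioning (this section) in one place, as an added example that is not code from the article or from any reviewed product. The directory records, group DN and SaaS ids are constructed; the SCIM resource and PatchOp shapes follow RFC 7643 and RFC 7644, and the deny-by-default allowlist is this example's design.

```python
import json
from typing import Any, Dict, List

# Constructed sample directory export with fictitious users. Attribute names follow
# Active Directory conventions. 'employeeID' and 'telephoneNumber' are treated as
# confidential and must never reach the IDaaS provider; the custom
# 'extensionAttribute1' must be synced because the SaaS app needs a department.
DIRECTORY = [
    {"sAMAccountName": "jdoe", "givenName": "Jane", "sn": "Doe",
     "mail": "jane.doe@example.com", "employeeID": "E-1001",
     "telephoneNumber": "+1 555 0100", "extensionAttribute1": "Finance",
     "memberOf": ["CN=SaaS-CRM-Users,OU=Groups,DC=example,DC=com"]},
    {"sAMAccountName": "bsmith", "givenName": "Bob", "sn": "Smith",
     "mail": "bob.smith@example.com", "employeeID": "E-1002",
     "telephoneNumber": "+1 555 0101", "extensionAttribute1": "Sales",
     "memberOf": []},
]

# Deny-by-default: only these attributes are ever copied to the IDaaS provider.
SYNC_ALLOWLIST = {"sAMAccountName", "givenName", "sn", "mail", "extensionAttribute1"}
CONFIDENTIAL = {"employeeID", "telephoneNumber"}
# Provisioning condition: membership in this AD group (constructed DN).
PROVISIONING_GROUP = "CN=SaaS-CRM-Users,OU=Groups,DC=example,DC=com"
CORE_USER = "urn:ietf:params:scim:schemas:core:2.0:User"
ENTERPRISE_EXT = "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"
PATCH_OP = "urn:ietf:params:scim:api:messages:2.0:PatchOp"


def filter_attributes(record: Dict[str, Any]) -> Dict[str, Any]:
    """Keep only allowlisted attributes; everything else stays on-premises."""
    return {k: v for k, v in record.items() if k in SYNC_ALLOWLIST}


def to_scim_user(record: Dict[str, Any]) -> Dict[str, Any]:
    """Build a SCIM 2.0 User resource (RFC 7643) from the filtered record."""
    safe = filter_attributes(record)
    return {
        "schemas": [CORE_USER, ENTERPRISE_EXT],
        "userName": safe["sAMAccountName"],
        "name": {"givenName": safe.get("givenName", ""),
                 "familyName": safe.get("sn", "")},
        "emails": [{"value": safe["mail"], "primary": True}],
        "active": True,
        # Custom directory attribute carried in the SCIM enterprise extension.
        ENTERPRISE_EXT: {"department": safe.get("extensionAttribute1", "")},
    }


def should_provision(record: Dict[str, Any]) -> bool:
    """Provisioning condition: the user is a member of the designated AD group."""
    return PROVISIONING_GROUP in record.get("memberOf", [])


def provisioning_requests(records: List[Dict[str, Any]],
                          already_provisioned: Dict[str, str]) -> List[Dict[str, Any]]:
    """Return the SCIM 2.0 (RFC 7644) requests the IDaaS would send to the SaaS app.

    already_provisioned maps userName -> the SaaS app's SCIM id for users created on
    an earlier run, so users who leave the group are deactivated rather than orphaned.
    """
    requests = []
    for record in records:
        user_name = record["sAMAccountName"]
        if should_provision(record):
            body = to_scim_user(record)
            # Safety net: refuse to emit a body that contains any confidential value.
            leaked = [k for k in CONFIDENTIAL
                      if k in record and str(record[k]) in json.dumps(body)]
            if leaked:
                raise ValueError(f"confidential attribute(s) would leak: {leaked}")
            if user_name in already_provisioned:
                requests.append({"method": "PUT",
                                 "path": f"/Users/{already_provisioned[user_name]}",
                                 "body": body})
            else:
                requests.append({"method": "POST", "path": "/Users", "body": body})
        elif user_name in already_provisioned:
            requests.append({
                "method": "PATCH", "path": f"/Users/{already_provisioned[user_name]}",
                "body": {"schemas": [PATCH_OP],
                         "Operations": [{"op": "replace", "path": "active", "value": False}]}})
    return requests
```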
Big Data, Compliance, and Reporting
Let's face it: Many companies aren't going to invest in a tool just because it makes life easier for corporate users. But, if there's a security benefit or if the solution can help satisfy compliance requirements, then that's a different story.
Consider a scenario in which an IT admin team has to not only manage users in several SaaS apps, but must also provide detailed reports containing usage information, user login history, security changes, and other potential audit factors. Trying to gather this sort of information from multiple different locations is going to be a significant task. The ideal solution to gather and provide these audit artifacts is to use IDM to track each factor across multiple apps automatically. Many of the offerings we've reviewed offer comprehensive reporting solutions that get into detail on authentication events, even down to the user's geographic location and what sort of device he or she used. Often, these reports can be exported to Microsoft Excel or some other reporting or business intelligence (BI) tool where you can perform further analysis or get the numbers properly organized for an audit.
Some of the solutions we reviewed will even proactively monitor your identities' exposure to current security breaches, such as credentials for sale on the internet, or watch for anomalies such as simultaneous logins from opposite ends of the globe. These solutions use this sort of advanced analytics and machine learning to adjust the security score for your identities, which gives you the power to require increased authentication security such as MFA or the use of a registered device.
Don't Let The Cloud Ex-SaaS-perate You
SaaS apps simply offer too many benefits in terms of cost savings and ease of use for any business to ignore the trend. But, without proper user and resource organization, a SaaS portfolio can quickly sprawl and degenerate into a chaotic mess. Understanding IDaaS solutions and what they can offer is a big first step toward gaining the full benefits of moving key workloads to SaaS, rather than taking on the burden of managing separate identities for every user across a half dozen cloud apps scattered across the web. If SaaS is on your horizon (or already on your users' desktops in quickly growing numbers, as it is in most organizations), then do yourself a favor and learn the pros and cons of cloud-based identities.
Featured Identity Management Software Reviews:
Microsoft Azure Active Directory Review
MSRP: $0.50
Pros: Best-in-class integration with Windows Server Active Directory. Tight integration with Microsoft's array of cloud services. Identity Protection allows for security policies based on Big Data and machine learning (ML).
Cons: Some competitors have better integration with third-party directories and SaaS platforms. Advanced reporting capabilities only available in Premium pricing tiers.
Bottom Line: Microsoft's Azure Active Directory (AD) gets a leg up on its Identity-Management-as-a-Service (IDaaS) competition due to tight integration with Windows Server Active Directory and Office 365. Azure AD also offers the lowest entry-level pricing for handling multi-factor authentication, and offers advanced toolsets for managing identities and the cloud apps used by your organization.
Okta Identity Management Review
MSRP: $2.00
Pros: Support for mobile device management (MDM) and geographic zones make this a solid offering. Reporting functionality is much improved, particularly geographic functionality. Ability to manage the flow of identity/attribute information between multiple identity providers is among the best in the category.
Cons: Consumer Identity-Management-as-a-Service features are still in early access. Authentication to on-premises apps requires expensive hardware.
Bottom Line: It's no surprise that Okta Identity Management is so well-respected in the Identity-Management-as-a-Service (IDaaS) arena. Having both a features list that includes security policies that support MDM and geolocation, the ability to integrate multiple sources of identity data, and all packaged in a solution that is relatively easy to use, makes Okta Identity Management one of the top IDaaS solutions on the market.
EmpowerID Review
MSRP: $1.70
Pros: On-premises installation offers increased flexibility. Compliance and security benefits to on-premises architecture. Workflow-based approvals add efficiency. Additional value in managing existing Active Directory identities. Comprehensive reporting functionality.
Cons: Management workload and setup cost greatly increased over cloud-based options. Mobile website isn't a suitable replacement for mobile apps for all organizations.
Bottom Line: EmpowerID offers a comprehensive Identity-Management-as-a-Service (IDaaS) solution both for managing identities online and within your existing corporate directory, but at a significant increase in both initial setup complexity and ongoing maintenance requirements.
OneLogin Review
MSRP: $2.00
Pros: Provisioning into AD from HR services is the ideal scenario. Mappings help streamline user and role management. Proxy agents offer easy support for on-premises applications. Configuring email notifications is straightforward.
Cons: AD Groups are not synchronized. Provisioning limited to highest pricing tier.
Bottom Line: OneLogin sports a nice feature set, including risk-based authentication policies, integration with HR apps, and event monitoring platforms. It's a well-rounded IDM approach where the only real complaint concerns how groups are managed.
Optimal IdM Review
MSRP: $25000.00
Pros: The highest service level requires less technical knowledge from the customer than other systems. Private cloud configuration provides security, performance, and reliability. Virtual Identity Server offers a streamlined method of serving up corporate identities from various sources. LDAP firewall allows for separation between applications and the identity store.
Cons: Pricing reduces the legitimate customer base to large businesses. Zero visibility into SaaS provisioning configuration. Limited ability for users to customize their SSO portal.
Bottom Line: Optimal IdM checks all the major boxes needed in an Identity-Management-as-a-Service (IDaaS) solution, but at a serious premium. With monthly costs easily running in the $25,000-$30,000 range, most businesses are going to compare the cost of Optimal IdM to competitors such as Microsoft Azure Active Directory and Okta Identity Management plus one or two full-time employees.
Bitium Review
MSRP: $2.00
Pros: Provisioning support is among the best in class. Ability to leverage Google SSO is excellent. Self-service features, like mobile password reset, can save time and money. Bookmarks into SaaS apps make life easier for users.
Cons: No consumer IDM support. Limited value for existing on-premises corporate apps. Support for multiple identity sources lags behind industry leaders.
Bottom Line: Bitium offers a wealth of sweet features for users, including mobile password reset and bookmarks to specific locations in third-party SaaS apps. Unfortunately, critical features for admins are a mixed bag: SSO through Google has a lot of upside, but a lack of consumer identity support and limited toolsets for multiple directories are potential deal-breakers.
Centrify Identity Service Review
MSRP: $4.00
Pros: Full-featured reporting capabilities, including dashboards. On-premises app easy to use and uses the same software agent as AD connectivity. Quick integration with user identities from social networks. Risk-based authentication leverages machine learning for additional cost.
Cons: Inability to reference AD users and groups prior to provisioning imposes limits. Scripting requires a developer-level skill set. Workflow approval is app-configured but results in role assignments.
Bottom Line: Centrify offers features that simply aren't offered by the competition, and also manages to check key boxes such as user provisioning, reporting, support for consumer identities, and easy access to on-premises applications.
Ping Identity PingOne Review
MSRP: $2.00
Pros: Setup is relatively easy regardless of the connector type used. App catalog is comprehensive for SSO purposes. Making app assignments to groups takes minutes at most.
Cons: SaaS provisioning support doesn't even extend to Microsoft Office 365. Limited reporting capabilities.
Bottom Line: Ping Identity has been a major name in the Identity-Management-as-a-Service (IDaaS) arena for a number of years, but its PingOne solution is sorely behind the curve in some key categories. User provisioning into SaaS apps is the most glaring weak spot, though not a complete absence.
LastPass Enterprise Review
MSRP: $48.00
Pros: Huge number of security policies and MFA providers. Shared folders give users the ability to self-manage some shared credentials. Splunk integration and email notifications make for easy monitoring.
Cons: AD integration provides the bare minimum in functionality. SAML provisioning only supports a handful of apps, and is missing some key options. Reporting capabilities are limited.
Bottom Line: LastPass Enterprise has made major improvements over the last two years, but still lags behind competitors in key categories. Still, features like shared folders and numerous MFA options make LastPass Enterprise plausible for small businesses looking for an easy security upgrade.
Identacor Review
MSRP: $1.00
Pros: Desktop single sign-on lets you keep authentication traffic local when a request initiates inside a corporate network. Entry-level price point very reasonable, particularly with SaaS provisioning.
Cons: Manual group management completely wrong for streamlining cloud app management. No support for LDAP directories. Multifactor options very limited.
Bottom Line: Identacor is missing too many features for us to consider it a prime contender in the Identity-Management-as-a-Service (IDaaS) space. Dynamic groups are the most glaring omission, but a lack of options for multi-factor authentication and even support for third-party LDAP directories are other notable areas in need of work.
VMware Workspace One Review
MSRP: $6.00
Pros: Key integration with AirWatch allows for enforcement of device compliance. Ability to provide authentication to virtual apps or desktops through Horizon integration. Policies allow for various combinations of authentication methods, providing support for multifactor or fallback authentication.
Cons: Integration with Active Directory or LDAP requires configuration of several layers. Reporting tools are barebones and may not meet the minimum requirements for some businesses.
Bottom Line: Key integrations with AirWatch and Horizon make Workspace One a tempting proposition for companies already invested in the VMware ecosystem. Shortcomings in areas like reporting or a simplified setup path may have the opposite effect on potential customers that don't already have an investment in VMware.
PortalGuard Review
MSRP: $455.00
Pros: Pricing is very competitive for enterprise customers with large user bases. On-premises installation offers an additional level of control. Risk-based authentication allows for complex authentication policy rules.
Cons: Completely missing any SaaS provisioning capability. No support for consumer identities.
Bottom Line: Provisioning to Software-as-a-Service (SaaS) apps, a key component of modern Identity-Management-as-a-Service (IDaaS) solutions, is missing from current builds of PortalGuard. Pricing for large businesses is competitive and may make PortalGuard worth a look for enterprises that don't necessarily need SaaS provisioning from their IDaaS solution.
Microsoft Office 365 supports the following methods for creating, managing, and authenticating users.
Note
This topic does not include information about security features that allow or prohibit access to individual Office 365 resources (for example, role-based access control in Microsoft Exchange Online or configuring security in Microsoft SharePoint Online). For details about these features, see the Exchange Online Service Description and the SharePoint Online Service Description.
If you need information about tools that can help you perform administrative tasks, see Tools to manage Office 365 accounts. To learn how to perform day-to-day management tasks, see Common management tasks for Office 365.
Sign-in options
Office 365 has two systems that can be used for user identities:
Work or school account (cloud identity): Users receive Azure Active Directory cloud credentials, separate from other desktop or corporate credentials, for signing into Office 365 and other Microsoft cloud services. This is the default identity, and is recommended in order to minimize deployment complexity. Passwords for work or school accounts use the Azure Active Directory password policy.
Federated account (federated identity): For all subscriptions in organizations with on-premises Active Directory that use single sign-on (SSO), users can sign into Office 365 services by using their Active Directory credentials. The corporate Active Directory stores and controls the password policy. For information about SSO, see Single sign-on roadmap.
The type of identity affects the user experience and user account management options, as well as hardware and software requirements and other deployment considerations.
Custom domains and identity options
When you create a new user, the user's sign-in name and email address are assigned to the default domain as set in the Microsoft 365 admin center. To learn more, see Add your users and domain to Office 365.
By default, the Office 365 subscription uses the <companyname>.onmicrosoft.com domain that was created with the account.* You can add one or more custom domains to Office 365 rather than retaining the onmicrosoft.com domain, and can assign users to sign in with any of the validated domains. Each user's assigned domain is the email address that will appear on sent and received email messages.
You can host up to 900 registered Internet domains in Office 365, each represented by a different namespace.
For organizations using single sign-on, all users on a domain must use the same identity system: either cloud identity or federated identity. For example, you could have one group of users that only needs a cloud identity because they don't access on-premises systems, and another group of users who use Office 365 and on-premises systems. You would add two domains to Office 365, such as contractors.contoso.com and staff.contoso.com, and only set up SSO for one of them. An entire domain can be converted from cloud identity to federated identity, or from federated identity to cloud identity.
For more information about domains in Office 365, see the Domains service description.
* If you are using Office 365 operated by 21Vianet in China, the default domain is <companyname>.onmsChina.cn. If you are using Office 365 Germany, the default domain is <companyname>.onmicrosoft.de.
Authentication
With the exception of internet sites for anonymous access created with SharePoint Online, users must be authenticated when accessing Office 365 services.
Modern authentication: Modern authentication brings Active Directory Authentication Library (ADAL)-based sign-in to Office client apps across platforms. This enables sign-in features such as Multi-Factor Authentication (MFA), SAML-based third-party identity providers with Office client applications, and smart card and certificate-based authentication. It also removes the need for Microsoft Outlook to use the basic authentication protocol. For more information, including the availability of modern authentication across Office applications, see How modern authentication works for Office 2013 and Office 2016 client apps and Using Office 365 modern authentication with Office clients.
Modern authentication is not turned on by default for Exchange Online. To learn how to turn it on, see Enable Exchange Online for modern authentication.
Cloud identity authentication: Users with cloud identities are authenticated using traditional challenge/response. The web browser is redirected to the Office 365 sign-in service, where you type the user name and password for your work or school account. The sign-in service authenticates your credentials and generates a service token, which the web browser posts to the requested service and logs you in.
Federated identity authentication Users with federated identities are authenticated using Active Directory Federation Services (AD FS) 2.0 or other Security Token Services. The web browser is redirected to the Office 365 sign-in service, where you type your corporate ID in the form a user principal name (UPN; for example, [email protected]). The sign-in service determines that you are part of a federated domain and offers to redirect you to the on-premises Federation Server for authentication. If you are logged on to the desktop (domain joined), you are authenticated (using Kerberos or NTLMv2) and the on-premises Security Token Service generates a logon token, which the web browser posts to the Office 365 sign-in service. Using the logon token, the sign-in service generates a service token that the web browser posts to the requested service and logs you in. For a list of available Security Token Services available, see Single sign-on roadmap.
Office 365 uses forms-based authentication, and authentication traffic over the network is always encrypted with TLS/SSL using port 443. Authentication traffic uses a negligible percentage of bandwidth for Office 365 services.
Multi-Factor Authentication for Office 365
With Multi-Factor Authentication for Office 365, users are required to acknowledge a phone call, text message, or an app notification on their smartphone after correctly entering their password. Only after this second authentication can the user sign in. Office 365 administrators can enroll users for multi-factor authentication in the Microsoft 365 admin center. Learn more about Multi-Factor Authentication for Office 365.
Rich client authentication
For rich clients such as Microsoft Office desktop applications, authentication can occur in two ways:
Microsoft Online Services Sign-In Assistant
The Sign-in assistant, which is installed by Office 365 desktop setup, contains a client service that obtains a service token from the Office 365 sign-in service and returns it to the rich client.
If you have a cloud identity, you receive a prompt for credentials, which the client service sends to the Office 365 sign-in service for authentication (using WS-Trust).
If you have a federated identity, the client service first contacts the AD FS 2.0 server to authenticate the credentials (using Kerberos or NTLMv2) and obtain a logon token that is sent to the Office 365 sign-in service (using WS-Federation and WS-Trust).
Basic/proxy authentication over SSL
The Outlook client passes basic authentication credentials over SSL to Exchange Online. Exchange Online proxies the authentication request to the Office 365 identity platform, and then to the on-premises Active Directory Federation Server (for SSO).
To ensure proper discovery and authentication of Office 365 services, administrators must apply a set of components and updates to each workstation that uses rich clients (such as Microsoft Office 2010) and connects to Office 365. Office 365 desktop setup is an automated tool to configure workstations with the required updates. For more information, see Use my current Office desktop apps with Office 365.
Sign-in experience
The sign-in experience changes depending on the type of Office 365 identity in use:
Client | Cloud identity | Federated identity
---|---|---
Outlook 2016 | Sign in each session 1 | Sign in each session 2
Outlook 2013 | Sign in each session 1 | Sign in each session 2
Outlook 2010 or Office 2007 on Windows 7 | Sign in each session 1 | Sign in each session 2
Outlook 2010 or Office Outlook 2007 on Windows Vista | Sign in each session 1 | Sign in each session 2
Microsoft Exchange ActiveSync | Sign in each session 1 | Sign in each session 2
POP, IMAP, Outlook for Mac | Sign in each session 1 | Sign in each session 2
Web experiences: Office 365 portal / Outlook Web App / SharePoint Online / Office Online | Sign in each browser session 4 | Sign in each session 3
Office 2010 or Office 2007 using SharePoint Online | Sign in each SharePoint Online session 4 | Sign in each SharePoint Online session 3
Skype for Business Online | Sign in each session 1 | No prompt
Outlook for Mac | Sign in each session 1 | Sign in each session 2
Note
1 When first prompted, you can save your password for future use. You will not receive another prompt until you change the password.
2 You enter your corporate credentials. You can save your password and will not be prompted again until your password changes.
3 All apps require you to enter your username or click to sign in. You are not prompted for your password if your computer is joined to the domain. If you click Keep me signed in, you will not be prompted again until you sign out.
4 If you click Keep me signed in, you will not be prompted again until you sign out.
Creating user accounts
There are multiple ways for you to add users to Office 365. To learn more, see Add users individually or in bulk to Office 365 - Admin Help and Add, remove, and manage users in Microsoft 365 admin center Preview. If you are using Office 365 operated by 21Vianet in China, see Create or edit user accounts in Office 365 operated by 21Vianet - Admin Help.
Deleting accounts
How you delete accounts depends on whether or not you are using directory synchronization:
If you are not using directory synchronization, accounts can be deleted by using the Office 365 Admin page or by using Windows PowerShell.
If you are using directory synchronization, you must delete users from the local Active Directory, rather than from Office 365.
When an account is deleted, it becomes inactive. For approximately 30 days after having deleted it, you can restore the account. For more information about deleting and restoring accounts, see Delete or restore users in Office 365 or, if you are using Office 365 operated by 21Vianet in China, see Create or edit user accounts in Office 365 operated by 21Vianet - Admin Help.
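The deletion rules above, worked through in Windows PowerShell with the MSOnline module. This is an added example, not Microsoft's own script: it refuses to delete a directory-synchronized user (who must be removed in on-premises Active Directory), soft-deletes a cloud-identity user, lists the inactive account, and restores it within the retention window. The UPN is a constructed value; Connect-MsolService must already have been run with an administrator account.

```powershell
# Added example (not Microsoft's code): delete and restore an Office 365 user
# with the MSOnline module, honouring the directory-sync rule from the text.
Import-Module MSOnline
Connect-MsolService   # prompts for administrator credentials

$Upn = 'jdoe@contoso.onmicrosoft.com'   # constructed example UPN

$user = Get-MsolUser -UserPrincipalName $Upn

# A non-null LastDirSyncTime means the object is mastered on-premises: deleting
# it in Office 365 would be undone (or rejected) by the next sync cycle.
if ($null -ne $user.LastDirSyncTime) {
    throw "'$Upn' is directory-synchronized; delete it in on-premises Active Directory instead."
}

# Soft delete: the account becomes inactive and is kept for roughly 30 days.
Remove-MsolUser -UserPrincipalName $Upn -Force

# Inactive (deleted) accounts are only visible with -ReturnDeletedUsers.
Get-MsolUser -ReturnDeletedUsers |
    Where-Object { $_.UserPrincipalName -eq $Upn } |
    Select-Object UserPrincipalName, SoftDeletionTimestamp

# Restore the account while it is still inside the retention window.
Restore-MsolUser -UserPrincipalName $Upn
```

The per-user LastDirSyncTime check is deliberately stricter than a tenant-wide "is directory sync enabled" test, because a tenant can hold both synchronized and cloud-only users at the same time.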
Password management
The policies and procedures for password management depend on the identity system.
Cloud identity password management:
When using cloud identities, passwords are automatically generated when the account is created.
For cloud identity password strength requirements, see password policy.
To increase security, users must change their passwords when they first access Office 365 services. As a result, before users can access Office 365 services, they must sign into the Office 365 portal, where they are prompted to change their passwords.
Admins can set the password expiration policy. For more information, see Set a user's password expiration policy.
There are several tools for resetting passwords for users with cloud identities:
Admin resets password
If users lose or forget their passwords, admins can reset users' passwords in the Office 365 portal or by using Windows PowerShell. Users can only change their own password if they know their existing password.
For Enterprise plans, if administrators lose or forget their passwords, a different administrator with the Global Administrator role can reset administrators' passwords in the Microsoft 365 admin center or by using Windows PowerShell. For more information, see Reset passwords for admins. If you are working in Office 365 operated by 21Vianet in China, see Change or reset passwords in Office 365 operated by 21Vianet.
User changes passwords with Outlook Web App
The Outlook Web App options page includes a Change password hyperlink, which redirects users to the Change Password page. The user must know their previous password. For more information, see Change password. If you are using Office 365 operated by 21Vianet in China, see Change or reset passwords in Office 365 operated by 21Vianet.
Role-based reset password rights
For Enterprise plans, authorized users such as helpdesk staff can be assigned the Reset Password user right and the right to change passwords by using the Office 365 predefined or custom roles without becoming full services administrators. By default in Enterprise plans, admins with the Global Administrator, Password Administrator, or User Management Administrator role can change passwords. For more information, see Assigning admin roles.
Reset passwords using Windows PowerShell
Service administrators can use Windows PowerShell to reset passwords.
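An added example (not Microsoft's own script) of the PowerShell path for cloud-identity password management: an administrator reset that forces a change at next sign-in, followed by reading and setting the domain password expiration policy described under "Admins can set the password expiration policy". It uses the MSOnline module and assumes Connect-MsolService has been run with an account that holds a password-reset role; the UPN, domain and policy values are constructed.

```powershell
# Added example (not Microsoft's code): admin password reset and expiration
# policy for cloud identities, using the MSOnline module.
Import-Module MSOnline
Connect-MsolService

$Upn    = 'jdoe@contoso.onmicrosoft.com'   # constructed example
$Domain = 'contoso.onmicrosoft.com'        # constructed example

# Without -NewPassword the service generates a temporary password and returns
# it; -ForceChangePassword makes the user replace it at first sign-in, so the
# admin never holds a long-lived credential for the account.
$temp = Set-MsolUserPassword -UserPrincipalName $Upn -ForceChangePassword $true
Write-Output "Temporary password for ${Upn}: $temp"   # hand over out of band

# Current expiration policy: validity period in days and the warning lead time.
Get-MsolPasswordPolicy -DomainName $Domain

# Illustrative policy: passwords expire after 90 days, users are warned 14 days ahead.
Set-MsolPasswordPolicy -DomainName $Domain -ValidityPeriod 90 -NotificationDays 14

# Accounts exempted from expiration should be rare and reviewed; list them.
Get-MsolUser -All |
    Where-Object { $_.PasswordNeverExpires -eq $true } |
    Select-Object UserPrincipalName, LastPasswordChangeTimestamp
```

The final query is the check a reviewer usually wants after policy changes: an expiration policy does nothing for accounts flagged PasswordNeverExpires, so those need to be justified individually.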
Federated identity password management:
When using federated identities, passwords are managed in Active Directory. The on-premises Security Token Service negotiates the authentication with Office 365 Federation Gateway without passing users' local Active Directory passwords over the Internet to Office 365. Local password policies are used, or, for web clients, two-factor identification. Outlook Web App does not include a Change Password hyperlink. Users change their passwords using standard, on-premises tools or through their desktop PC logon options.
If you have Directory Sync with single sign-on (SSO) enabled in your Office 365 environment and there is an outage that impacts your federated identity provider, Password Sync Backup for Federated Sign-in provides the option to manually switch your domain to Password Sync. Using Password Sync will allow your users to access Office 365 while the outage is fixed. Learn how to switch from Single Sign-On to Password Sync.
License management
An Office 365 license gives a user access to a set of Office 365 services. An administrator assigns a license to each user for the service they need access to. For example, you can assign a user access to Skype for Business Online, but not SharePoint Online.
Office 365 billing admins can make changes to subscription details like the number of user licenses and number of additional services your company uses. Check out Assign or remove a license in Office 365. If you are using Office 365 operated by 21Vianet, see Assign or remove licenses in Office 365 operated by 21Vianet.
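The Skype-but-not-SharePoint assignment mentioned above, as an added PowerShell example (not Microsoft's own script). It uses the MSOnline module and assumes Connect-MsolService has been run as an administrator. The UPN and the subscription identifier are constructed; the SharePoint service plan names are not hard-coded but read from the tenant's own SKU, since plan names differ between subscriptions.

```powershell
# Added example (not Microsoft's code): assign a license while disabling the
# SharePoint Online service plans, using the MSOnline module.
Import-Module MSOnline
Connect-MsolService

$Upn   = 'jdoe@contoso.onmicrosoft.com'   # constructed example
$SkuId = 'contoso:ENTERPRISEPACK'         # constructed; take the real value from Get-MsolAccountSku

# Show every subscription and the service plans it contains.
Get-MsolAccountSku | ForEach-Object {
    Write-Output "$($_.AccountSkuId): $($_.ActiveUnits) units, $($_.ConsumedUnits) consumed"
    $_.ServiceStatus | ForEach-Object { Write-Output "    plan $($_.ServicePlan.ServiceName)" }
}

# Pick the SharePoint-related plans from the chosen SKU and build license
# options that leave them disabled; everything else (including Skype for
# Business Online) stays enabled.
$sku      = Get-MsolAccountSku | Where-Object { $_.AccountSkuId -eq $SkuId }
$disabled = $sku.ServiceStatus.ServicePlan.ServiceName | Where-Object { $_ -like 'SHAREPOINT*' }
$options  = New-MsolLicenseOptions -AccountSkuId $SkuId -DisabledPlans $disabled

# A usage location must be set before any license can be assigned.
Set-MsolUser -UserPrincipalName $Upn -UsageLocation 'US'
Set-MsolUserLicense -UserPrincipalName $Upn -AddLicenses $SkuId -LicenseOptions $options

# Verify: disabled plans report ProvisioningStatus 'Disabled', the rest 'Success'.
(Get-MsolUser -UserPrincipalName $Upn).Licenses |
    Where-Object { $_.AccountSkuId -eq $SkuId } |
    Select-Object -ExpandProperty ServiceStatus
```

Reading the plan names from Get-MsolAccountSku rather than typing them avoids a silent failure where a misspelled plan name leaves SharePoint enabled while the script reports success.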
Group management
Security groups are used in SharePoint Online to control access to sites. Security groups can be created in the Microsoft 365 admin center. For more information about security groups, see Create, edit, or delete a security group.
Administrator roles
Office 365 Enterprise follows a role-based access control (RBAC) model: permissions and capabilities are defined by management roles. The person who signs up for Office 365 for his or her organization automatically becomes a global administrator, or top-level administrator. There are five administrator roles: global administrator, billing administrator, password administrator, service administrator, and user management administrator. For more information about administrator roles in Office 365 Enterprise, including how they apply to Exchange Online, SharePoint Online, and Skype for Business Online administration, see Assigning administrator roles. If you are using Office 365 operated by 21Vianet in China, see Assign admin roles in Office 365 for business.
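Because the person who signs up becomes a global administrator automatically, and further roles are granted by hand, an administrator should periodically verify who holds each role. The following is an added audit example (not Microsoft's own script) using the MSOnline module: it lists every role member, records whether a user member has a multi-factor authentication requirement, and warns when the global administrator count exceeds a chosen threshold. It assumes Connect-MsolService has been run as an administrator; "Company Administrator" is the MSOnline role name that corresponds to the global administrator role, and the threshold is an illustrative choice.

```powershell
# Added example (not Microsoft's code): audit Office 365 administrator role
# membership with the MSOnline module.
Import-Module MSOnline
Connect-MsolService

$MaxGlobalAdmins = 3   # illustrative threshold; tune to the organization

$report = foreach ($role in Get-MsolRole) {
    foreach ($m in Get-MsolRoleMember -RoleObjectId $role.ObjectId) {
        # Only user members carry MFA settings; look those up by object id.
        $mfa = $null
        if ($m.RoleMemberType -eq 'User') {
            $u   = Get-MsolUser -ObjectId $m.ObjectId
            $mfa = ($u.StrongAuthenticationRequirements.Count -gt 0)
        }
        [pscustomobject]@{
            Role        = $role.Name
            MemberType  = $m.RoleMemberType
            Member      = $m.EmailAddress
            DisplayName = $m.DisplayName
            MfaRequired = $mfa
        }
    }
}

$report | Sort-Object Role, Member | Format-Table -AutoSize

# 'Company Administrator' is the MSOnline name of the global administrator role.
$globals = @($report | Where-Object { $_.Role -eq 'Company Administrator' })
if ($globals.Count -gt $MaxGlobalAdmins) {
    Write-Warning "$($globals.Count) global administrators (threshold $MaxGlobalAdmins); review and reduce."
}

# Administrators without an MFA requirement are the first accounts to fix.
$report | Where-Object { $_.MemberType -eq 'User' -and -not $_.MfaRequired } |
    Select-Object Role, Member
```

Running this from a scheduled task and diffing the output against the previous run turns it into a simple detection for unexpected role grants.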
Delegated administration and support for partners
Partners can be authorized to administer accounts on behalf of customers. The customer does not require a user account for the partner's use and does not consume an Office 365 license when granting delegated administration authority. Partners can assign full or limited access to users within their organization. Limited access includes rights to reset passwords, manage service requests, and monitor service health.
Note
Ability to use and specify a partner as a delegated administrator varies by region.
Azure Active Directory services
Azure Active Directory (AD) brings comprehensive identity and access management capabilities to Office 365. It combines directory services, advanced identity governance, application access management and a rich standards-based platform for developers. To learn more about AD features in Office 365, see Sign in page branding and cloud user self-service password reset. Learn more about the Free, Basic, and Premium editions of Azure Active Directory.
Feature availability
To view feature availability across Office 365 plans, standalone options, and on-premises solutions, see Office 365 Platform Service Description.