What are the identity models available in Office 365?
Office 365 uses the cloud-based authentication service Azure Active Directory (Azure AD) to manage user accounts. There are three identity models for setting up and managing user accounts.
- Cloud Identity: Users are created and managed only in Office 365 (Azure AD). No on-premises servers are required; all user management, including account creation, is done in the cloud.
- Synchronized Identity: Identities are synchronized from the on-premises directory to Office 365 (Azure AD), and user management is done in on-premises AD. Password hashes can be synchronized so that users have the same password on-premises and in the cloud, but Azure AD still validates the password itself, so users sign in separately to on-premises resources and to Office 365; there is no single sign-on experience.
- Federated Identity: Identities are synchronized from the on-premises directory to Office 365 (Azure AD) and user management is done in on-premises AD, but authentication is handed off to the on-premises federation service (AD FS): Azure AD redirects the sign-in to AD FS, which validates the user's on-premises credentials and returns a token. Users keep one password and, from a domain-joined machine, are not prompted again to use Office 365. This is also known as single sign-on.
How to integrate On-Premise environment with Office 365?
To integrate on-premises services such as Exchange, Skype for Business and SharePoint with Office 365:
- Synchronize the on-premises directory with Office 365 (Azure AD) using DirSync, Azure AD Sync or Azure AD Connect.
- Once directory sync has completed, implement SSO so that users can log on to both environments with their on-premises credentials. This is done with an AD FS / AD FS Proxy (Web Application Proxy) combination, which Azure AD Connect can also deploy and configure for you.
- Create a hybrid environment by running the Hybrid Configuration Wizard in Exchange Server so that mailboxes can be migrated from on-premises to the cloud. You can keep some users in the cloud and others on-premises, depending on your requirements.
What kind of Identity Model are you using in your company?
If your environment is purely in Office 365 with no on-premises AD, then you can tell the interviewer that it is Cloud Identity and that you manage all object creation in Azure AD.
If you are using Azure AD Connect and AD FS, then you are using Federated Identity, and object management is done in on-premises Active Directory. If you are using Azure AD Connect with password hash synchronization but no AD FS, that is Synchronized Identity.
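The quickest way to answer this question for a real tenant is to ask Azure AD itself, since it records whether directory synchronization is enabled, whether password hashes are being synchronized, and whether a domain is Managed or Federated. The following script is an added example, not code from the original page. It assumes the legacy MSOnline PowerShell module is installed and that Connect-MsolService has already been run with an administrator account; contoso.com is a placeholder for your verified domain.

```powershell
# Added example (not from the original page): classify a tenant's identity model from
# what Azure AD reports. Assumes the MSOnline module and an existing Connect-MsolService
# session. "contoso.com" is a placeholder domain.
Import-Module MSOnline

function Get-O365IdentityModel {
    param([Parameter(Mandatory)][string]$DomainName)

    $company = Get-MsolCompanyInformation
    $domain  = Get-MsolDomain -DomainName $DomainName

    if ($domain.Status -ne 'Verified') {
        throw "Domain $DomainName is not verified; synchronization and federation cannot use it."
    }

    # Authentication is 'Federated' only after the domain has been converted
    # (Convert-MsolDomainToFederated / Set-MsolDomainAuthentication), i.e. AD FS is in the path.
    if ($domain.Authentication -eq 'Federated') {
        $fed = Get-MsolDomainFederationSettings -DomainName $DomainName
        return [pscustomobject]@{
            Domain          = $DomainName
            IdentityModel   = 'Federated'
            DirSyncEnabled  = $company.DirectorySynchronizationEnabled
            LastDirSyncTime = $company.LastDirSyncTime
            IssuerUri       = $fed.IssuerUri
            PassiveLogOnUri = $fed.PassiveLogOnUri   # where Azure AD redirects browser sign-ins
        }
    }

    if ($company.DirectorySynchronizationEnabled) {
        return [pscustomobject]@{
            Domain               = $DomainName
            IdentityModel        = 'Synchronized'
            DirSyncEnabled       = $true
            LastDirSyncTime      = $company.LastDirSyncTime
            PasswordSyncEnabled  = $company.PasswordSynchronizationEnabled
            LastPasswordSyncTime = $company.LastPasswordSyncTime
        }
    }

    # No sync at all: every object was created in the cloud.
    [pscustomobject]@{
        Domain         = $DomainName
        IdentityModel  = 'Cloud'
        DirSyncEnabled = $false
    }
}

Get-O365IdentityModel -DomainName 'contoso.com' | Format-List
```

A stale LastDirSyncTime or LastPasswordSyncTime (more than a few hours old) is worth calling out in the same breath: it usually means the Azure AD Connect scheduler has stopped, and in the Synchronized model that leaves cloud passwords out of step with on-premises ones.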
What Identity Model do you prefer, and why do companies prefer to use the Federated Identity Model?
Though it is complex to set up, I prefer the Federated Identity Model. With Federated Identity, object creation and authentication happen in on-premises AD for the services enabled for a user in Office 365.
Companies prefer to manage their objects in their on-premises AD and to keep authentication under their own control via the AD FS infrastructure, so that password validation stays on-premises and password hashes do not have to be stored in the cloud.
What are DirSync, Azure AD Sync and Azure AD Connect?
DirSync, Azure AD Sync and Azure AD Connect are used to synchronize on-premises AD objects to Office 365 (Azure AD), which is required for both the Synchronized and the Federated Identity models.
DirSync is the original, commonly known product for synchronizing an on-premises directory to Azure AD. DirSync does not support multi-forest directory synchronization.
Azure AD Sync is the successor to DirSync; it supports multi-forest directory synchronization and password writeback.
Azure AD Connect is the latest version of Microsoft's directory synchronization software and supersedes both. It is recommended for larger organizations with a large number of objects and has additional features such as SSO (it can deploy and configure AD FS) and group writeback.
Why do we need to sync AD objects to Azure AD?
To have a single sign-on experience and to enable services such as Exchange Online or SharePoint Online by assigning a license to an account, an object must exist in Azure AD. Once the objects are synced, a license is assigned to the respective user account to enable the Office 365 services. When the user accesses an Office 365 service such as Exchange Online or SharePoint Online, the account is checked for a license, the user is authenticated according to the identity model in use, and access to the service is allowed.
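In practice the step after the first successful sync is to pick out the synchronized objects that still have no license and license them, which is what the following added example does (it is not code from the original page). It assumes the MSOnline module with an existing Connect-MsolService session; the SKU name contoso:ENTERPRISEPACK and the usage location US are placeholders to replace with your tenant's values from Get-MsolAccountSku.

```powershell
# Added example (not from the original page): license on-premises-sourced users after sync.
# Assumes MSOnline and Connect-MsolService; SKU and usage location are placeholders.
Import-Module MSOnline

$Sku           = 'contoso:ENTERPRISEPACK'   # placeholder; list real ones with Get-MsolAccountSku
$UsageLocation = 'US'                       # placeholder ISO country code

function Set-LicenseForSyncedUsers {
    param(
        [string]$AccountSkuId = $Sku,
        [string]$Location     = $UsageLocation,
        [switch]$WhatIf
    )

    $sku = Get-MsolAccountSku | Where-Object AccountSkuId -eq $AccountSkuId
    if (-not $sku) { throw "SKU $AccountSkuId not found in this tenant" }
    $free = $sku.ActiveUnits - $sku.ConsumedUnits

    # -Synchronized: only objects that came from on-premises AD (they carry an ImmutableId,
    # the base64 objectGUID); -UnlicensedUsersOnly: skip anyone who already has a plan.
    $users = Get-MsolUser -All -Synchronized -UnlicensedUsersOnly
    $done  = @()

    foreach ($u in $users) {
        if ($free -le 0) {
            Write-Warning "No free $AccountSkuId units left; stopping at $($u.UserPrincipalName)"
            break
        }
        if ($WhatIf) {
            Write-Output "Would license $($u.UserPrincipalName) (ImmutableId $($u.ImmutableId))"
            continue
        }
        # Azure AD refuses to assign a license until UsageLocation is set.
        if (-not $u.UsageLocation) {
            Set-MsolUser -UserPrincipalName $u.UserPrincipalName -UsageLocation $Location
        }
        Set-MsolUserLicense -UserPrincipalName $u.UserPrincipalName -AddLicenses $AccountSkuId
        $free--
        $done += $u.UserPrincipalName
    }
    return $done
}

# Dry run first, then the real thing.
Set-LicenseForSyncedUsers -WhatIf
$licensed = Set-LicenseForSyncedUsers
"Licensed $($licensed.Count) synchronized users"
```

Filtering on -Synchronized matters: cloud-only accounts that happen to be unlicensed (break-glass admins, test accounts) are excluded, so the script only touches objects that the on-premises directory owns.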
How will you ensure the on-premises Active Directory objects can be synced to Azure AD?
Before AD objects are synced to Azure AD, it is better to validate whether they are ready. Run the IdFix tool before the Azure AD Connect installation to check whether the AD objects are fit to synchronize from on-premises to Azure.
IdFix reports problems such as duplicate object entries (for example a proxyAddresses or userPrincipalName value used by two objects), duplicate SIP addresses, invalid characters, and values that are too long, so they can be fixed in AD before the first sync.
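IdFix is a GUI tool, but the checks it performs can be scripted, which is useful for re-running them on every sync OU before a change window. The script below is an added illustration in the spirit of IdFix, not IdFix itself and not code from the original page. It assumes the ActiveDirectory RSAT module on a domain-joined machine, and the list of verified domains (here the placeholder contoso.com) should be taken from Get-MsolDomain. The length limits and the allowed UPN character set are the ones Microsoft documents for Azure AD Connect.

```powershell
# Added example (not IdFix, not from the original page): IdFix-style pre-sync checks.
# Assumes the ActiveDirectory module; "contoso.com" is a placeholder verified domain.
Import-Module ActiveDirectory

# Domains verified in the tenant. A UPN suffix outside this list (e.g. corp.local) does
# not stop the sync, but the user ends up with a <tenant>.onmicrosoft.com UPN in Azure AD.
$VerifiedDomains = @('contoso.com')

# Allowed characters before '@' in a UPN, per the Azure AD Connect attribute guidance.
$UpnLocalPattern = "^[A-Za-z0-9'._!#^~\-]+$"

function New-Finding($Dn, $Attr, $Value, $Err) {
    [pscustomobject]@{ DN = $Dn; Attribute = $Attr; Value = $Value; Error = $Err }
}

function Test-AdObjectsForSync {
    param(
        [string[]]$Domains = $VerifiedDomains,
        [string]$SearchBase = (Get-ADDomain).DistinguishedName
    )
    $props   = 'userPrincipalName', 'mail', 'proxyAddresses', 'mailNickname', 'sAMAccountName'
    $objects = Get-ADObject -LDAPFilter '(|(objectCategory=person)(objectCategory=group))' `
                            -SearchBase $SearchBase -Properties $props

    $findings = New-Object System.Collections.Generic.List[object]
    $seen     = @{}   # normalized address -> DN that first claimed it

    foreach ($o in $objects) {
        $dn = $o.DistinguishedName

        # 1. Duplicates. UPN, mail and SMTP proxy addresses share one namespace in Azure AD,
        #    so they are folded into a common key; SIP/X500 values are compared per type.
        $addresses = @()
        if ($o.userPrincipalName) { $addresses += "upn:$($o.userPrincipalName)" }
        if ($o.mail)              { $addresses += "smtp:$($o.mail)" }
        foreach ($p in @($o.proxyAddresses)) { $addresses += $p }
        foreach ($a in $addresses) {
            $type, $value = $a -split ':', 2
            $key = if ($type -in 'upn', 'smtp') { "mail:$value" } else { "$($type):$value" }
            $key = $key.ToLowerInvariant()
            if ($seen.ContainsKey($key) -and $seen[$key] -ne $dn) {
                $findings.Add((New-Finding $dn 'proxyAddresses/UPN/mail' $a "duplicate of $($seen[$key])"))
            } else {
                $seen[$key] = $dn
            }
        }

        # 2. UPN format, length and suffix.
        if ($o.userPrincipalName) {
            $local, $suffix = $o.userPrincipalName -split '@', 2
            if ($o.userPrincipalName.Length -gt 113 -or $local.Length -gt 64) {
                $findings.Add((New-Finding $dn 'userPrincipalName' $o.userPrincipalName 'too long (max 113 total, 64 before @)'))
            }
            if ($local -notmatch $UpnLocalPattern) {
                $findings.Add((New-Finding $dn 'userPrincipalName' $o.userPrincipalName 'invalid character'))
            }
            if (-not $suffix -or $Domains -notcontains $suffix) {
                $findings.Add((New-Finding $dn 'userPrincipalName' $o.userPrincipalName 'suffix is not a verified domain'))
            }
        } elseif ($o.ObjectClass -eq 'user') {
            $findings.Add((New-Finding $dn 'userPrincipalName' '' 'blank'))
        }

        # 3. sAMAccountName, mailNickname and proxyAddresses limits.
        if ($o.sAMAccountName -and $o.sAMAccountName.Length -gt 20) {
            $findings.Add((New-Finding $dn 'sAMAccountName' $o.sAMAccountName 'longer than 20 characters'))
        }
        if ($o.mailNickname -and ($o.mailNickname.Length -gt 64 -or $o.mailNickname -match '\s')) {
            $findings.Add((New-Finding $dn 'mailNickname' $o.mailNickname 'too long or contains whitespace'))
        }
        foreach ($p in @($o.proxyAddresses)) {
            if ($p.Length -gt 256)                      { $findings.Add((New-Finding $dn 'proxyAddresses' $p 'longer than 256 characters')) }
            if ($p -match '^smtp:' -and $p -notmatch '@') { $findings.Add((New-Finding $dn 'proxyAddresses' $p 'SMTP address without @')) }
        }
    }
    return $findings
}

Test-AdObjectsForSync | Sort-Object DN | Format-Table -AutoSize
```

Run it against the OUs you intend to put in the Azure AD Connect sync scope; an empty result is the signal that IdFix will come back clean, and a duplicate finding that names two DNs tells you which one is the stale object to clean up before, not after, the first export.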
What are the prerequisites to deploy Azure AD Connect? Or: what are the prerequisites for integrating an on-premises Exchange environment with Office 365?
To integrate on-premises Exchange, we need to sync the on-premises objects to Azure AD so that licenses can be assigned, which in turn allows the users to access the required services. Once the Azure AD Connect configuration is complete and synchronization has started, we deploy AD FS for authentication.
Below are the prerequisites to consider before installing Azure AD Connect, which synchronizes the on-premises directory to Office 365 (Azure AD):
- An Azure AD tenant is required; when you register for an Office 365 subscription you get Azure AD in the backend for directory services.
- Add and verify the domain (yourcompany.com) from which you are going to synchronize objects to Azure AD. yourcompany.onmicrosoft.com is the default domain when you get the Office 365 subscription; your on-premises AD domain name must be added and verified alongside it.
- Run the IdFix tool to find errors such as duplicates and formatting problems in your directory. Errors highlighted by IdFix must be fixed so that the objects can synchronize with Azure AD.
- The AD schema version and forest functional level must be Windows Server 2003 or later. Password writeback requires domain controllers on Windows Server 2008 (with the latest service pack) or later; on Windows Server 2008 R2 or earlier, hotfix KB2386717 must also be applied. A writable domain controller is required; Azure AD Connect cannot use an RODC. Enable the AD Recycle Bin.
- Group Managed Service Accounts (gMSA) are supported on Windows Server 2012 or later.
- If the AD FS feature is going to be enabled in Azure AD Connect, then the AD FS and Web Application Proxy servers must run Windows Server 2012 R2 or later.
- Azure AD Connect requires a SQL Server database to store identity data. The default SQL Server Express LocalDB installation supports a database of up to 10 GB, roughly 100K objects. Select a full SQL Server for larger directories.
- A Global Administrator account in Azure AD and an Enterprise Administrator account in on-premises AD are required to set up Azure AD Connect. These credentials are used during installation only; Azure AD Connect creates its own service accounts for the ongoing sync.
- .NET Framework 4.5.1 and Windows Management Framework 4.0 are required for the Azure AD Connect installation.
- The Azure AD Connect server needs network connectivity to the on-premises AD domain controllers and Internet access (HTTPS) to Azure AD.
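Most of the items in that list can be checked from the prospective Azure AD Connect server before the installer is run. The script below is an added example, not code from the original page or from Microsoft. It assumes the ActiveDirectory RSAT module and Test-NetConnection (Windows Server 2012 R2 or later) are available; the schema objectVersion table and the .NET Release value 378675 for 4.5.1 are documented Microsoft constants, and the 100K object ceiling is the SQL Express LocalDB figure from the list above.

```powershell
# Added example (not from the original page): pre-flight check of the Azure AD Connect
# prerequisites listed above, run on the server where Azure AD Connect will be installed.
Import-Module ActiveDirectory

# Schema objectVersion -> Windows Server release that shipped it (documented values).
$SchemaVersions = @{ 30 = '2003'; 31 = '2003 R2'; 44 = '2008'; 47 = '2008 R2'; 56 = '2012'; 69 = '2012 R2'; 87 = '2016'; 88 = '2019' }

function Test-AadConnectPrereqs {
    $checks = New-Object System.Collections.Generic.List[object]
    $note = { param($Check, $Pass, $Detail)
        $checks.Add([pscustomobject]@{ Check = $Check; Pass = [bool]$Pass; Detail = "$Detail" }) }

    # Forest functional level: ADForestMode enum, Windows2003Forest = 2.
    $forest = Get-ADForest
    & $note 'Forest functional level >= 2003' ([int]$forest.ForestMode -ge 2) $forest.ForestMode

    # Schema version, read from the schema naming context.
    $schema = Get-ADObject (Get-ADRootDSE).schemaNamingContext -Properties objectVersion
    $v = [int]$schema.objectVersion
    & $note 'Schema version >= 2003 (objectVersion 30)' ($v -ge 30) "objectVersion $v (Windows Server $($SchemaVersions[$v]))"

    # A writable DC must be reachable; RODCs may exist but cannot be the sync target.
    $dc   = Get-ADDomainController -Discover -Writable
    $rodc = @(Get-ADDomainController -Filter { IsReadOnly -eq $true })
    & $note 'Writable DC available' ($null -ne $dc) "$($dc.HostName); $($rodc.Count) RODC(s) in domain, not usable by Azure AD Connect"

    # AD Recycle Bin (recommended so accidental deletions do not propagate as hard deletes).
    $rb = Get-ADOptionalFeature -Filter 'Name -like "Recycle Bin Feature"'
    & $note 'AD Recycle Bin enabled' ($rb.EnabledScopes.Count -gt 0) "enabled scopes: $($rb.EnabledScopes.Count)"

    # gMSA needs a 2012-level schema and a KDS root key.
    $kds = if (Get-Command Get-KdsRootKey -ErrorAction SilentlyContinue) { @(Get-KdsRootKey) } else { @() }
    & $note 'gMSA usable (2012 schema + KDS root key)' ($v -ge 56 -and $kds.Count -gt 0) "KDS root keys: $($kds.Count)"

    # .NET Framework 4.5.1 or later: Release >= 378675 under NDP\v4\Full.
    $rel = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full' -ErrorAction SilentlyContinue).Release
    & $note '.NET Framework >= 4.5.1' ([int]$rel -ge 378675) "Release $rel"

    # WMF 4.0 ships PowerShell 4.
    & $note 'WMF >= 4.0' ($PSVersionTable.PSVersion.Major -ge 4) "PowerShell $($PSVersionTable.PSVersion)"

    # Object count against the SQL Express LocalDB ceiling (~100K objects / 10 GB).
    $count = @(Get-ADObject -LDAPFilter '(|(objectCategory=person)(objectCategory=group))').Count
    & $note 'Object count fits SQL Express LocalDB' ($count -lt 100000) "$count objects; use full SQL Server above ~100K"

    # Connectivity: LDAP to the writable DC, HTTPS to Azure AD.
    $ldap  = Test-NetConnection -ComputerName "$($dc.HostName)" -Port 389 -WarningAction SilentlyContinue
    $https = Test-NetConnection -ComputerName 'login.microsoftonline.com' -Port 443 -WarningAction SilentlyContinue
    & $note 'LDAP 389 to writable DC' $ldap.TcpTestSucceeded $ldap.ComputerName
    & $note 'HTTPS 443 to Azure AD' $https.TcpTestSucceeded $https.ComputerName

    return $checks
}

Test-AadConnectPrereqs | Format-Table -AutoSize
```

Anything reported with Pass = False maps back to a bullet in the list above; the AD FS and Web Application Proxy operating-system requirement is deliberately not checked here because those roles live on different servers.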
What is the limit on the number of objects that can be synced to Azure AD?
The default limit is 50K objects when we get the Office 365 subscription. After a custom domain is verified, up to 300K objects can be synchronized to Azure AD. If there is a requirement to sync more than 300K objects, contact Microsoft to increase the limit. I know a company that is allowed to sync 1500K objects to Azure AD.
Why do we need to add and verify the domains in Office 365?
The on-premises Active Directory domain must be added and verified in Azure AD for directory synchronization to occur, and adding a verified domain increases the default 50K object limit to 300K objects.
On-premises Exchange users have email addresses on a domain such as xyz.com; we need to add that domain in Office 365 so that Exchange Online users get the same email addresses. If additional external email address domains are used in on-premises Exchange, each of them must be added and verified so that Office 365 creates it as an accepted domain in Exchange Online.