Does migrating to Office 365 have to be so difficult? IT certainly seems to think so. At the Gartner Catalyst conference in San Diego earlier this month, analyst Mary Ruddy outlined ten mistakes organizations tend to make when deploying identity and access management (IAM) for Office 365. One snag is how to connect to Azure Active Directory.
Azure Active Directory is Microsoft’s cloud-based directory, and it is the recommended directory for connecting into Office 365. Active Directory is the near-ubiquitous on-premises directory that’s been widely used since Windows Server 2000.
She outlined two common use cases for managing identity for Office 365, and a third use case that most have not (but should) consider:
- Authenticating directly into Azure Active Directory, or
- Using Azure AD Connect to synchronize identities between the on-premises Active Directory and cloud-based Azure Active Directory, and authenticating users into Azure Active Directory with Active Directory Federation Services (AD FS), or
- Using a third-party tool.
Authenticating directly to Azure Active Directory
At dinner, an IT director told me how she had successfully migrated her government agency to Office 365. It was easy because they had never used on-premises Active Directory. Instead, her users authenticated directly to Azure Active Directory. According to Microsoft, 56 percent of daily authentications to Azure Active Directory are from the cloud. This use case is pretty straightforward.
But then she changed jobs, and she is now at a larger organization that uses on-premises Active Directory. This time, the Office 365 migration has her a bit worried. She would have to go with use case 2 or 3.
Synchronizing identity between directories
When there is an existing Active Directory, we’re told we need to sync all those user identities and their multitude of attributes out to Microsoft’s cloud-based Azure AD using a tool called Azure AD Connect. This makes Azure Active Directory the source of user identity for Office 365.
Authenticating users to Azure Active Directory
But synchronization is only half the battle. We still have to authenticate the users. If we want to avoid users having to sign in twice, once to Active Directory and once to Azure AD, we have to synchronize their (hashed) passwords between the two directories, or use a tool called Active Directory Federation Services (AD FS) to get single sign-on to Office 365. AD FS uses a temporary token-based exchange instead of passwords to validate Active Directory users into Azure Active Directory. But it also requires significant IT support to install, configure, and manage on-premises servers. Outsourcing an AD FS deployment can also cost a couple thousand dollars in professional services.
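An added audit script, not from the original post or from Centrify, that shows a defender which of the patterns above a tenant is actually running: cloud-only, synchronized with password hash sync, or federated (and, if federated, who is issuing the tokens). It assumes the MSOnline PowerShell module and an account that can read tenant configuration; the optional ADSync check only runs on the Azure AD Connect server itself.

```powershell
# Audit which Office 365 identity pattern a tenant uses (added example, not Centrify code).
# Assumes: MSOnline module installed, credentials with read access to tenant settings.
Import-Module MSOnline
Connect-MsolService    # interactive sign-in

$company = Get-MsolCompanyInformation
$verifiedDomains = Get-MsolDomain | Where-Object { $_.Status -eq 'Verified' }

# 1. Cloud-only (use case 1) or synchronized from on-premises AD (use case 2/3)?
if (-not $company.DirectorySynchronizationEnabled) {
    Write-Host 'Cloud-only tenant: users authenticate directly to Azure AD.'
} else {
    Write-Host ("Directory sync enabled; last sync cycle (UTC): {0}" -f $company.LastDirSyncTime)
    Write-Host ("Password hash sync enabled: {0}" -f $company.PasswordSynchronizationEnabled)
    # A stale sync means AD deprovisioning is not reaching Office 365; 3 hours is an assumed threshold.
    if ($company.LastDirSyncTime -lt (Get-Date).ToUniversalTime().AddHours(-3)) {
        Write-Warning 'Last directory sync is older than 3 hours; check the Azure AD Connect scheduler.'
    }
    # Only available on the Azure AD Connect server (ADSync module).
    if (Get-Module -ListAvailable -Name ADSync) {
        Get-ADSyncScheduler | Select-Object SyncCycleEnabled, SyncCycleInProgress, NextSyncCycleStartTimeInUTC
    }
}

# 2. Per domain: Managed (password verified by Azure AD) or Federated (tokens from AD FS or a third party)?
foreach ($d in $verifiedDomains) {
    $issuer = $null; $passiveUri = $null; $thumb = $null
    if ($d.Authentication -eq 'Federated') {
        $fed = Get-MsolDomainFederationSettings -DomainName $d.Name
        $issuer = $fed.IssuerUri
        $passiveUri = $fed.PassiveLogOnUri
        # The signing certificate is the trust anchor; an unexpected issuer or thumbprint
        # means someone other than your AD FS / IDaaS tenant can mint tokens for this domain.
        if ($fed.SigningCertificate) {
            $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2(
                , [Convert]::FromBase64String($fed.SigningCertificate))
            $thumb = $cert.Thumbprint
        }
    }
    [pscustomobject]@{
        Domain          = $d.Name
        Authentication  = $d.Authentication   # 'Managed' or 'Federated'
        IssuerUri       = $issuer
        PassiveLogOnUri = $passiveUri
        SigningCertThumbprint = $thumb
    }
}
```

Compare the printed IssuerUri and thumbprint for each federated domain against the values you expect from your AD FS farm or identity service; a domain that is Federated when you believe the tenant is cloud-only is worth an immediate look.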
You may be wondering why we should have to sync users between on-premises and cloud directories at all. What if we want to keep Active Directory as the single source of user identity?
And what if an organization doesn’t want to pay for the infrastructure build-out and support required for AD FS?
The third party option
Ms. Ruddy said that it’s a mistake to think that AD FS is the only authentication/single sign-on option for Office 365. IT organizations should consider their pain threshold for managing the infrastructure needed for AD FS. She even said it is “entirely appropriate” to use a third-party tool instead of AD FS.
Centrify Identity Service is a cloud-based Identity-as-a-Service solution that Microsoft has certified as “works with Office 365.”
No Azure AD Sync and no AD FS required
Centrify’s cloud-based solution eliminates synchronization problems between Active Directory and Azure AD. That’s because Centrify proxies a minimal set of user attributes directly from Active Directory to Office 365, in real time.
Instead of requiring a complex hardware setup and AD FS to authenticate users, Centrify’s cloud service authenticates Office 365 users to Active Directory using the WS-Fed sign-in protocol.
The rest of the magic (automated user account provisioning and deprovisioning, granular license management, single sign-on, Mac and mobile device management, and multifactor authentication) is built into Centrify Identity Service. Installing the software that connects Active Directory to the Centrify cloud takes only a few minutes. And our customers typically deploy Office 365 in a few days, not the months that other approaches call for.
So, to answer the question: Migrating to Office 365 doesn’t have to be so difficult. We just have to think about IAM in a different way. Gartner recognizes Centrify’s “third party” approach as a valid option.
To understand more about Office 365 and Centrify together, read Eight Great Reasons to Choose Centrify for Office 365.