When working with any Microsoft Online systems in the cloud, such as Exchange Online, CRM Online, or SharePoint Online, they come with Office 365, which is a portal for managing users, domains, licensing, services and other admin-related matters.
Office 365 can be accessed via https://portal.microsoftonline.com.
There are different ways you can manage user accounts in Office 365. The diagram below summarizes the differences.
- Users are created and managed in Office 365 (level: Easy).
Users are created in the Office 365 by assigning login names @orgname.onmicrosoft.com by default, or @yourdomain.com. User information, such as names, job title, and password is stored in Office 365.Suitable for small-sized businesses with no on-premises Active Directory, or no IT team.
- Users are created and managed in on-premises Active Directory, and synchronized to Office 365 (level: Medium).
On-premises Active Directory is the source of truth. Using Directory Sync installed on an on-premises machine (may be the same server as the Active Directory), users, including their usernames and passwords, are copied from the on-premises Active Directory to Office 365, allowing them to login to Microsoft Online services (Exchange, CRM Online, SharePoint Online, etc.) using their Active Directory credentials.Suitable for medium-sized businesses with on-premises Active Directory, but small or minimal IT team.
- Like #2, plus Single Sign-On (level: Advanced).
In the option #2, the users still need to type in the passwords to login to Microsoft Online services, the same passwords stored in the on-premises Active Directory.In the Single Sign-On approach, authentication is done via Active Directory Federation Services (ADFS). In addition to on-premises Active Directory, in this approach you need to have another server setup for ADFS. You create a relying trust between ADFS (on-premises, accessible from the external network) with Office 365. When logging in to Microsoft Online Services and typing email@example.com, the login page will immediately redirect you to the ADFS server for authentication. For the users within the company’s network, they will be authenticated straight away without having to type in their passwords. Otherwise, they will be prompted for password on the Security Token Service (STS) page served by ADFS.To see what the user experience is like, try logging on as a Microsoft employee – firstname.lastname@example.org.Suitable for enterprise-sized businesses with on-premises Active Directory, and professional IT team.