Posted by: John Ferringer | July 29, 2011

Who Are You and How Did You Get in Here? An Intro to Identities in Office 365

Something I quickly realized back in 2008 about the first incarnation of Office 365, Microsoft Online Services/Business Productivity Online Services (MSO/BPOS, can you blame them for re-branding it?), was that you have to put some forethought into user accounts before you really get too far with anything else. If you didn’t want to have a painfully long domain name for your accounts (I initially always had to log in with “” to administer my first BPOS demo environment, that was a treat), you had to make sure to register your own domain before you started creating any other accounts, otherwise it was a hot mess, and that was just the tip of the iceberg.

So here we are now with the second edition of MSO, Office 365, and user accounts are just as important, if not even more so. In general, the very first thing you need to work on when getting into Office 365 is how you’re going to tackle Identity in the Cloud. How will your users log into the new Office 365 service? Will they use new accounts managed directly through Office 365, or will you use existing accounts that currently reside in an Active Directory your organization is already managing?

The thing I like about Identity in Office 365 is that there is flexibility in the options you have available to get your users into the Office 365 Cloud, but it’s not without its challenges as well. To me, the biggest challenge is sorting through all of the available choices you can make in this area, because it can get really confusing when you start to take a look at things like Identity Federation (which allows your users to log in with their local Active Directory accounts) and Lync Online Federation (which allows users in your organization to communicate via instant message with users in other organizations), which are two very different technical options that use the same terminology. Then there’s the fact that some of the choices that Microsoft had to make in preparing Office 365 for RTM have even further muddied these waters (here’s an example I’ve blogged about: All Live IDs are Equal, Some are Just More Equal than Others, and Why that Matters with Office 365).

As I mention in the headline for this post, this is just an introduction to Identity in Office 365, so I’m going to try to keep this brief (something I’m terrible at)… the list below outlines the various Identity options and decision points I’m aware of in Office 365 right now. My plan in the coming weeks is to try to dive into each of these topics and help explain what they are, why they’re important, and what you need to think about when deciding how you want to incorporate them into your Office 365 environment:

  • Account Management – Organizations have two options for where the accounts that their users will log into Office 365 live:
    • Managed IDs – these are also known as “MSO IDs” or “Cloud IDs”, accounts which you create directly in Office 365 and manage there as well.
    • Federated IDs – these are accounts based in a local Active Directory environment that you manage. It requires that you configure federation between your AD and the Office 365 Cloud, but allows users to log in with accounts they’ve already been using and maintain a single username and password for both on-premise and Cloud systems.
    • DirSync without Federation – UPDATE: As my friend Mike Holcomb pointed out in an excellent comment on Google Reader, there is a third option organizations can consider, synchronizing accounts up to Office 365 via DirSync without configuring AD Federation. It is less complicated to configure than AD Federation, but only synchronizes accounts to the cloud, not passwords. Thanks Mike for the feedback!
  • Account Roles – in BPOS, you had users and you had administrators, and that was it. Office 365 now allows you to assign a wider variety of roles to your users to delegate responsibilities:
    • Company Administrators
    • Billing Administrators
    • Password Administrators
    • User Management Administrators
    • Service Support Administrators
    • End Users (no elevated rights)
  • External Access – Another new feature with Office 365 is the ability to allow users external to your organization access to your SharePoint Online site collections without having to provision a User Subscription License (USL, a purchased “seat” that you pay for each month per user) for that external user. Lots of interesting stuff to talk about here, and this is one area where it will be important to know when a “Live ID” isn’t exactly a “Live ID”.
  • Lync Federation (this term is very confusing to use, but it best describes what this is… I’ll try to limit how much I use the term and will definitely explain it out in a subsequent post) – Lync Online is the new enterprise instant messaging component in Office 365, and there’s a lot of interesting stuff you can do with it:
    • On-Premise Integration: seamlessly federate an existing on-premise Lync Server implementation with users on the Lync Online service
    • External Organization Integration: allows Lync Online users in your organization to exchange IMs with users in other organizations (think of it as Foo Corp users chatting securely with Bar Corp users)
    • External Network Integration: allows Lync Online users in your organization to exchange IMs with users in other IM networks (think of it as Foo Corp users chatting securely with MSN IM users)

Whew! See what I mean about my complete and utter inability to be brief??!? Ok, I’m going to wrap it up here for now. Hopefully in the next few days I’ll dive into these items in more depth, but it’s a start :)


