Active Directory and Office 365 coexistence
Office 365 comes with its own portal and therefore requires its own user administration. Most companies, however, already have their own AD infrastructure.
Is it possible to use or integrate Active Directory and Office 365 in parallel? Yes, it is. But there is no standard way to do so.
- What are the possibilities?
- What are advantages and disadvantages?
- What does it mean for users and administrators?
Company View and User View
A lot of big and small companies think about whether or not they should switch to Office 365. From a company’s point of view, new opportunities and functions might be interesting.
Looking at Office 365 from a user’s perspective, the following questions might come up:
- Do I have to deal with yet another system?
- What advantages does Office 365 have for me?
- Will everything be more complex?
- Will I get a new user name?
- How is the new system linked to already existing applications?
- Is Office 365 as transparent and available as company applications?
- How can I get my mails, contacts etc. in Office 365?
Added value for the user or just another account?
The list can be expanded with quite a lot of valid points. Basically, we IT administrators should focus on providing solutions with an added value for our users and refrain from making things more complex.
But that is exactly what happens in many cases: the user just gets another Office 365 account. Not only do we annoy the user with that strategy, but we also generate more work for ourselves. This leads to declining user satisfaction.
Many Identity Management providers offer solutions in that area. However, they have their own complexity and require the payment of some decent license fees.
Office 365 and Active Directory – 3 possibilities for parallel usage
Basically, there are three possibilities for the coexistence of an on-premise Active Directory architecture and Office 365:
| Option | Description | Advantages | Disadvantages |
|---|---|---|---|
| 1. Double Administration | Users need to be managed in both the on-premise Active Directory and Office 365. | The main advantage of this strategy is the easy implementation because no additional services have to be installed. But there are no advantages for users. | Users have to log in twice and might have two different user names, which makes the application appear complex. Administrators have a disadvantage because of the double workload. Problems like “dead” accounts and inconsistencies are inevitable. The possibility of security issues rises. |
| 2. Synchronization | User accounts in the Active Directory are synchronized with those in Office 365. Optionally, a password sync is possible. | The user gets the advantage of having only one user name and password. Implementation is possible with a synchronization tool from Microsoft. | The main disadvantage is that a synchronization tool has to be implemented. Security issues should be examined, as passwords are frequently synchronized between the Active Directory and Office 365. |
| 3. Synchronization and AD FS | User accounts in the Active Directory are synchronized with those in Office 365. Active Directory is used for authentication in Office 365. | The greatest advantage of this solution is the transparency it provides for the user. A separate login is not necessary and passwords do not have to be synchronized via the Internet. Functionality can be provided by free Microsoft tools as well. | The main disadvantage is the complexity of the implementation. A synchronization as well as a federation between Active Directory and Office 365 is necessary. |
All three solutions mean additional workload for the admin. User management happens partly in the Active Directory and partly in Office 365. Depending on whether the solution includes sync or not, the user management workload can double. Microsoft does not offer a free and easy “out of the box” solution here.
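As an added example (not part of the original article), a small check for the “dead” accounts and inconsistencies that double administration produces: it reconciles two constructed CSV exports, one from the on-premise AD and one from Office 365, by user principal name. The column names `Enabled` and `BlockCredential` are assumed export formats; adapt them to your own export.

```python
import csv
import io

# Constructed sample exports (not real data): one from the on-premise AD
# and one from the Office 365 tenant. In the double-administration model
# nothing keeps these two lists aligned, so they have to be compared.
AD_EXPORT = """UserPrincipalName,Enabled
alice@example.com,True
bob@example.com,False
carol@example.com,True
"""

O365_EXPORT = """UserPrincipalName,BlockCredential
alice@example.com,False
bob@example.com,False
dave@example.com,False
Carol@Example.com,False
"""


def _load(text, flag_field):
    """Return {upn_lowercase: flag_is_true} from a CSV export."""
    users = {}
    for row in csv.DictReader(io.StringIO(text)):
        upn = row["UserPrincipalName"].strip().lower()
        users[upn] = row[flag_field].strip().lower() == "true"
    return users


def reconcile(ad_csv, o365_csv):
    """Find the inconsistencies that double administration produces.

    - orphaned: exists in Office 365 but not in AD ("dead" cloud accounts)
    - missing: exists in AD but was never created in Office 365
    - still_active: disabled in AD but still able to sign in to Office 365
    UPNs are compared case-insensitively, as both directories treat them.
    """
    ad_enabled = _load(ad_csv, "Enabled")
    # BlockCredential=True means the cloud account is blocked, so invert it.
    o365_enabled = {u: not blocked
                    for u, blocked in _load(o365_csv, "BlockCredential").items()}
    return {
        "orphaned": sorted(set(o365_enabled) - set(ad_enabled)),
        "missing": sorted(set(ad_enabled) - set(o365_enabled)),
        "still_active": sorted(u for u, on in ad_enabled.items()
                               if not on and o365_enabled.get(u, False)),
    }


if __name__ == "__main__":
    for kind, upns in reconcile(AD_EXPORT, O365_EXPORT).items():
        print(f"{kind}: {', '.join(upns) or '-'}")
```

With the sample data, dave is a cloud-only leftover and bob was disabled on-premise but can still sign in to Office 365; both are exactly the “dead” accounts the table warns about.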
I personally prefer solution 3, as I think that usability should remain in focus: better functionality without raising complexity and simultaneously not losing the grip on security.