32.1
User authentication and access management
Office 365 has two systems that can be used for user identities:
Organizational account (cloud identity)
Users receive Azure Active Directory cloud credentials, separate from other desktop or corporate credentials, for signing in to Office 365 and other Microsoft cloud services. This is the default identity, and is recommended in order to minimize deployment complexity. Passwords for work accounts use the Azure Active Directory password policy.
Federated account (federated identity)
For all subscriptions in organizations with on-premises Active Directory that use single sign-on (SSO), users can sign in to Office 365 services by using their Active Directory credentials. The corporate Active Directory stores and controls the password policy. For information about SSO, see Single sign-on roadmap.
The type of identity affects the user experience and user account management options, as well as hardware and software requirements and other deployment considerations. With the exception of internet sites for anonymous access created with SharePoint Online, users must be authenticated when accessing Office 365 services.
Cloud identity authentication
Users with cloud identities are authenticated with a traditional password challenge/response. The web browser is redirected to the Office 365 sign-in service, where you type the user name and password for your work account. The sign-in service authenticates your credentials and generates a service token, which the web browser posts to the requested service, and you are logged in.
Federated identity authentication
Users with federated identities are authenticated using Active Directory Federation Services (AD FS) 2.0 or another Security Token Service. The web browser is redirected to the Office 365 sign-in service, where you type your corporate ID in the form of a user principal name (UPN; for example, [email protected]). The sign-in service determines that you are part of a federated domain and redirects you to the on-premises Federation Server for authentication. If you are logged on to a domain-joined desktop, you are authenticated silently (using Kerberos or NTLMv2) and the on-premises Security Token Service generates a logon token, which the web browser posts to the Office 365 sign-in service. Using the logon token, the sign-in service generates a service token that the web browser posts to the requested service, and you are logged in. Note that for federated users the on-premises directory, not Office 365, holds the password and enforces the password policy, so the security of the sign-in depends on the hardening of the on-premises federation servers.
Commercial in Confidence Page 62
Multi-Factor Authentication for Office 365
With Multi-Factor Authentication for Office 365, users are required to acknowledge a phone call, text message, or an app notification on their smartphone after correctly entering their password. Only after this second authentication can the user sign in. Office 365 administrators can enroll users for multi-factor authentication in the Office 365 admin center. Learn more about Multi-Factor Authentication for Office 365.
Creating and managing user accounts
Office 365 provides five ways to create user accounts.
Add single user
You can manually create user accounts and assign licenses in the Office 365 portal. The type of license you assign determines which services the user can access. When you assign the license, a temporary logon password is generated. As part of creating a user account, you can enter user details, including job title, department, phone numbers, and other properties that appear in the Global Address List. You can then view the new user's password and optionally mail it to their email address. For more information, see Create or edit users in Office 365.
Bulk add users
The Bulk add users wizard in the Office 365 admin center helps you upload existing .csv files or edit a blank .csv template in a text editor (for example, Notepad). The wizard also includes a sample .csv file that provides a correctly formatted example containing sample user data. When you import a .csv file, you must assign licenses to the new users as part of the wizard. You can then view the new users' passwords and optionally send them to the users' email addresses. For more information, see Add multiple users with a CSV file.
Active Directory synchronization
You can use the Azure Active Directory Sync tool to replicate Active Directory user accounts (and other Active Directory objects) in Office 365. Unlike manually created accounts, accounts created by the Directory Sync tool are fully populated with user account information from Active Directory (for example, department and phone number). The Directory Sync tool can be used with or without SSO. For more information, see Directory synchronization roadmap.
When directory synchronization is used, the online account is a copy of the on-premises user account and can't be edited in Office 365; changes must be made on-premises and synchronized. Accounts created with the Directory Sync tool remain inactive until you activate them. As a result, Office 365 licenses are not consumed when user accounts are created by the tool. When you activate a user account from the Office 365 admin center (or by using Windows PowerShell), a service license is assigned and an initial password is generated.
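The bulk-add and PowerShell activation steps above can be scripted. The following is an added example (not code from the original document or from Microsoft) that creates cloud-identity users from a CSV file and assigns each a license, using the MSOnline module cmdlets Connect-MsolService, Get-MsolAccountSku, Get-MsolUser and New-MsolUser. The CSV columns, the file path, the tenant name contoso.onmicrosoft.com and the ENTERPRISEPACK SKU are assumptions; substitute your own. It generates the temporary password with a cryptographic RNG and forces a change at first sign-in, and it sets UsageLocation first because a license cannot be assigned to a user without one.

```powershell
# Added example, not from the original page. Assumes the MSOnline module is
# installed (Install-Module MSOnline) and an admin signs in at the prompt.
Connect-MsolService

# Constructed sample CSV written to a temp file so the script runs as-is.
$csvPath = Join-Path $env:TEMP 'new-users.csv'
@'
UserPrincipalName,FirstName,LastName,DisplayName,Department,UsageLocation
alice@contoso.onmicrosoft.com,Alice,Example,Alice Example,Finance,GB
bob@contoso.onmicrosoft.com,Bob,Example,Bob Example,Sales,GB
'@ | Set-Content -Path $csvPath

# Pick the license SKU to assign. Get-MsolAccountSku lists values such as
# contoso:ENTERPRISEPACK (Office 365 Enterprise E3); the SKU name is an assumption.
$skuId = (Get-MsolAccountSku | Where-Object { $_.AccountSkuId -like '*:ENTERPRISEPACK' }).AccountSkuId
if (-not $skuId) { throw 'Expected SKU not found; check Get-MsolAccountSku output.' }

function New-TempPassword {
    # 16 characters from a mixed set, drawn from a cryptographic RNG rather than Get-Random.
    $chars = [char[]]'abcdefghjkmnpqrstuvwxyzABCDEFGHJKLMNPQRSTUVWXYZ23456789!@#$%'
    $rng   = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $bytes = New-Object byte[] 16
    $rng.GetBytes($bytes)
    -join ($bytes | ForEach-Object { $chars[$_ % $chars.Length] })
}

$results = foreach ($row in Import-Csv -Path $csvPath) {
    # Skip UPNs that already exist instead of failing half-way through the file.
    if (Get-MsolUser -UserPrincipalName $row.UserPrincipalName -ErrorAction SilentlyContinue) {
        Write-Warning "Skipping $($row.UserPrincipalName): account already exists"
        continue
    }
    $pw   = New-TempPassword
    $user = New-MsolUser -UserPrincipalName $row.UserPrincipalName `
        -FirstName $row.FirstName -LastName $row.LastName -DisplayName $row.DisplayName `
        -Department $row.Department -UsageLocation $row.UsageLocation `
        -LicenseAssignment $skuId -Password $pw -ForceChangePassword $true
    [pscustomobject]@{
        UserPrincipalName = $user.UserPrincipalName
        Licensed          = ($user.Licenses.Count -gt 0)
        TempPassword      = $pw
    }
}

# The result file contains live temporary passwords: hand them over out of band
# and delete the file afterwards rather than mailing it or leaving it on a share.
$resultPath = Join-Path $env:TEMP 'new-users-result.csv'
$results | Export-Csv -Path $resultPath -NoTypeInformation
$results | Select-Object UserPrincipalName, Licensed | Format-Table -AutoSize
```

For accounts created by the Directory Sync tool, the same pattern applies with Set-MsolUser -UsageLocation followed by Set-MsolUserLicense -AddLicenses in place of New-MsolUser, since the account already exists and only needs activating.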
32.2
User access control through support channels
Delegated administration access can be granted to support channels, such as a partner that manages Office 365 on your behalf, rather than sharing a privileged account's credentials.
33.
Separation and access control within management interfaces
33.1
User access control within management interfaces
Users access Office 365 through a web portal that exposes all the services the user is licensed for, such as Outlook, Calendar, People, Yammer, OneDrive, Delve and so on. Whether the user holds an Office 365 admin role determines what the user can and cannot do from within the portal to manage the service; a user without an admin role sees only the end-user services.
33.2
Administrator permissions
You can assign admin permissions to additional people in your organization to help distribute the workload and make sure that users can always get the help they need. Determine who you will assign permissions to as part of your planning process, and assign the narrowest role that covers the task. For example, you can assign permissions that let other admins help with user management, password resets, service management, and tasks such as billing and licensing.
You can also outsource management of Office 365 to allow a partner to manage on your behalf.
The first account created in Office 365 is an admin. That account grants permissions to other accounts by assigning admin roles.
You can assign admin roles that allow management of Office 365 and roles that allow management of Exchange Online, SharePoint Online, and Lync Online. Certain admin roles in Office 365 for enterprises also have an automatic admin role in Exchange Online, SharePoint Online, and Lync Online.
To manage services, see:
Exchange Online: Permissions
Lync Online: Assigning admin roles
SharePoint Online: Introduction: Control user access with permissions
33.3
Management interface protection
Only users that are licensed can access the service. Only users with delegated admin roles can manage the various services, both from within the portal and from within Windows PowerShell; the same role assignment governs both interfaces.
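The delegation in 33.2, the management-interface control in 33.3 and the Multi-Factor Authentication enrollment in 32.1 are all driven by the same role and user objects. The following is an added example (not code from the original document or from Microsoft) that uses the MSOnline module to assign a narrow helpdesk role instead of the top-level admin role, enforce MFA on an account, and report every member of the Company Administrator role (the MSOnline name for the global admin role) together with their MFA state. The UPNs and the role name are assumptions; confirm the exact role names in your tenant with Get-MsolRole.

```powershell
# Added example, not from the original page. Assumes the MSOnline module is
# installed and Connect-MsolService succeeds with an account that can manage roles.
Connect-MsolService

# Role name is an assumption: the admin center labels this role "Password administrator".
# Fail early if the tenant does not expose a role by that name.
$roleName = 'Helpdesk Administrator'
if (-not (Get-MsolRole -RoleName $roleName -ErrorAction SilentlyContinue)) {
    throw "Role '$roleName' not found; run Get-MsolRole to list role names."
}

# Delegate password resets to the helpdesk account instead of making it a global admin.
$helpdeskUpn = 'helpdesk@contoso.onmicrosoft.com'
Add-MsolRoleMember -RoleName $roleName -RoleMemberEmailAddress $helpdeskUpn

function Set-UserMfaEnforced {
    # Enforced (not merely Enabled) means the user cannot sign in without completing MFA setup.
    param([Parameter(Mandatory)][string]$UserPrincipalName)
    $req = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationRequirement
    $req.RelyingParty = '*'
    $req.State = 'Enforced'
    Set-MsolUser -UserPrincipalName $UserPrincipalName -StrongAuthenticationRequirements @($req)
}
Set-UserMfaEnforced -UserPrincipalName $helpdeskUpn

function Get-GlobalAdminReport {
    # One row per human member of the Company Administrator role with the MFA state.
    $role = Get-MsolRole -RoleName 'Company Administrator'
    $members = Get-MsolRoleMember -RoleObjectId $role.ObjectId |
        Where-Object { $_.RoleMemberType -eq 'User' }
    foreach ($m in $members) {
        $u = Get-MsolUser -ObjectId $m.ObjectId
        $mfaState = if ($u.StrongAuthenticationRequirements.Count -gt 0) {
            $u.StrongAuthenticationRequirements[0].State   # 'Enabled' or 'Enforced'
        } else {
            'Disabled'
        }
        [pscustomobject]@{
            UserPrincipalName  = $u.UserPrincipalName
            IsLicensed         = $u.IsLicensed
            MfaState           = $mfaState
            LastPasswordChange = $u.LastPasswordChangeTimestamp
        }
    }
}

$report = Get-GlobalAdminReport
$report | Format-Table -AutoSize

# Anything in this list is a finding: a global admin that can sign in with a password alone.
$report | Where-Object { $_.MfaState -ne 'Enforced' } | ForEach-Object {
    Write-Warning "Global admin without enforced MFA: $($_.UserPrincipalName)"
}
```

Run the report regularly and compare it against the list of people you decided on during planning; an unexpected entry means an admin role was granted outside the process, and that is exactly the kind of change these interfaces make easy to miss.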