Lets understand that office 365 and Azure are tied together by Azure Active Directory (Azure AD or AAD).
So to manage identity you are splitting the management across Azure and Office 365.
Office 365 uses the cloud-based user identity and authentication service Azure Active Directory (Azure AD) to manage users.
Take care when deciding on how best to manage your identity as identity is the building block to your entire cloud environment and link to your on-prem. Making changes at a later stage can be very very painful and costly. So getting it right is worth the investment for a much better cloud experience.
Azure Active Directory (AAD)
Azure Active Directory comes in three editions: Free, Basic, and Premium. The Free edition is included with an Azure subscription. The Basic and Premium editions are available through a Microsoft Enterprise Agreement, the Open Volume License Program, and the Cloud Solution Providers program.
Azure AD Premium is also included in the Enterprise Mobility and Security (EMS). EMS is a cost-effective way for organizations to use Microsoft Intune, Azure Rights Management (Azure RMS), and the Azure AD Premium services together under one licensing plan
There are 3 main options:
- Cloud Identity
- Synced Identity
- Federated Identity
Azure AD Only. With the cloud-only model, you manage your user accounts in Office 365 only. No on-premises servers are required; it’s all handled in the cloud by Azure AD.
The cloud-only model is typically a good choice if:
- You have no other on-premises user directory
- You have a very complex on-premises directory and simply want to avoid the work to integrate with it.
- You have an existing on-premises directory, but you want to run a trial or pilot of Office 365. Later, you can match the cloud users to on-premises users when you are ready to connect to your on-premises directory.
This component (of ADConnect) is responsible for creating users, groups, and other objects. It is also responsible for making sure identity information for your on-premises users and groups is matching the cloud
Password hash sync with seamless single sign-on
Manage your users on-prem. The simplest way to enable authentication for on-premises directory objects in Azure AD. With password hash sync (PHS), you synchronize your on-premises Active Directory user account objects with Office 365 and manage your users on-premises. Hashes of user passwords are synchronized from your on-premises Active Directory to Azure AD so that the users have the same password on-premises and in the cloud.
Pass-through authentication with seamless single sign-on
More secure. Hashes don’t get sent to AAD. Provides a simple password validation for Azure AD authentication services using a software agent running on one or more on-premises servers to validate the users directly with your on-premises Active Directory. With pass-through authentication (PTA), you synchronize on-premises Active Directory user account objects with Office 365 and manage your users on-premises. Allows your users to sign in to both on-premises and Office 365 resources and applications using their on-premises account and password. This configuration validates users’ passwords directly against your on-premises Active Directory without sending password hashes to Office 365. Companies with a security requirement to immediately enforce on-premises user account states, password policies, and logon hours would use this authentication method. With seamless single sign-on, users are automatically signed in to Azure AD when they are on their corporate devices and connected to your corporate network.
Good for large complex environments with complex authentication requirements. Requires an existing AD on-prem by using federated authentication to manage authentication and identity services for your users in Office 365. on-premises directory objects are synchronized with Office 365 and users accounts are managed on-premises. This federated authentication model can provide additional authentication requirements, such as smartcard-based authentication or a third-party multi-factor authentication and is typically required when organizations have an authentication requirement not natively supported by Azure AD.
AAD Premium – https://portal.office.com/onboarding/azureadpremium#/