Beruflich Dokumente
Kultur Dokumente
Office 365 uses Azure Active Directory (Azure AD), a cloud-based user identity and authentication service that is included
with your Office 365 subscription, to manage identities and authentication for Office 365. Getting your identity infrastructure
configured correctly is vital to managing Office 365 user access and permissions for your organization.
Before you begin, watch this video for an overview of identity models and authentication for both Office 365 and Microsoft
365.
https://docs.microsoft.com/en-us/office365/enterprise/about-office-365-identity 1/6
8/29/2019 Office 365 identity models and Azure Active Directory | Microsoft Docs
Here are the two types of identity and their best fit and benefits.
Definition User account only exists in the Azure User account exists in AD DS and a copy is also in the Azure AD tenant
Active Directory (Azure AD) tenant for for your Microsoft 365 subscription. The user account in Azure AD
your Microsoft 365 subscription. might also include a hashed version of the user account password.
How Microsoft The Azure AD tenant for your Microsoft The Azure AD tenant for your Microsoft 365 subscription either handles
365 365 subscription performs the the authentication process or redirects the user to another identity
authenticates authentication with the cloud identity provider.
user account.
credentials
Best for Organizations that do not have or need Organizations using AD DS or another identity provider.
an on-premises AD DS.
https://docs.microsoft.com/en-us/office365/enterprise/about-office-365-identity 2/6
8/29/2019 Office 365 identity models and Azure Active Directory | Microsoft Docs
Greatest Simple to use. No extra directory tools Users can use the same credentials when accessing on-premises or
benefit or servers required. cloud-based resources.
Cloud-only identity
A cloud-only identity uses user accounts that exist only in Azure AD. Cloud identity is typically used by small organizations
that do not have on-premises servers or do not use AD DS to manage local identities.
Both on-premises and remote (online) users use their Azure AD user accounts and passwords to access Office 365 cloud
services. Azure AD authenticates user credentials based on its stored user accounts and passwords.
https://docs.microsoft.com/en-us/office365/enterprise/about-office-365-identity 3/6
8/29/2019 Office 365 identity models and Azure Active Directory | Microsoft Docs
Administration
Because user accounts are only stored in Azure AD, you manage cloud identities with tools such as the Microsoft 365 admin
center and Windows PowerShell with the Azure Active Directory PowerShell for Graph module.
Hybrid identity
Hybrid identity uses accounts that originate in an on-premises AD DS and have a copy in the Azure AD tenant of a Microsoft
365 subscription. However, most changes only flow one way. Changes that you make to AD DS user accounts are
synchronized to their copy in Azure AD. But changes made to cloud-based accounts in Azure AD, such as new user accounts,
are not synchronized with AD DS.
Azure AD Connect provides the ongoing account synchronization. It runs on an on-premises server, checks for changes in the
AD DS, and forwards those changes to Azure AD. Azure AD Connect provides the ability to filter which accounts are
synchronized and whether to synchronize a hashed version of user passwords, known as password hash synchronization
(PHS).
When you implement hybrid identity, your on-premises AD DS is the authoritative source for account information. This
means that you perform administration tasks mostly on-premises, which are then synchronized to Azure AD.
https://docs.microsoft.com/en-us/office365/enterprise/about-office-365-identity 4/6
8/29/2019 Office 365 identity models and Azure Active Directory | Microsoft Docs
The Azure AD tenant has a copy of the AD DS accounts. In this configuration, both on-premises and remote users accessing
Microsoft 365 cloud services authenticate against Azure AD.
7 Note
https://docs.microsoft.com/en-us/office365/enterprise/about-office-365-identity 5/6
8/29/2019 Office 365 identity models and Azure Active Directory | Microsoft Docs
You always need to use Azure AD Connect to synchronize user accounts for hybrid identity. You need the synchronized
user accounts in Azure AD to perform license assignment and group management, configure permissions, and other
administrative tasks that involve user accounts.
Administration
Because the original and authoritative user accounts are stored in the on-premises AD DS, you manage your identities with
the same tools as AD DS, such as the Active Directory Users and Computers tool.
You don’t use the Microsoft 365 admin center or Windows PowerShell to manage synchronized user accounts in Azure AD.
Next step
If you need the cloud-only identity model, see Cloud-only identities.
Video training
See the video course Office 365: Manage Identities Using Azure AD Connect, brought to you by LinkedIn Learning.
Yes No
https://docs.microsoft.com/en-us/office365/enterprise/about-office-365-identity 6/6