In the first part of our Microsoft Office 365 (opens in new tab) Identity Services (opens in new tab) series we looked at the types of authentication supported by Office 365, creation of user accounts and modes of authentication.
Two-Factor Authentication for Office 365
Two-Factor authentication provides enhanced security via a username/password combination with a token or a certificate. Office 365 supports this type of authentication if the organisation already has a two-factor authentication system in place. When users are outside the corporate network they can be forced to use Two-Factor authentication in two ways - by Integrating the Active Directory Federation Service 2.0 proxy logon page with the existing two-factor authentication provider or using Microsoft Forefront Unified Access Gateway server.
The proxy logon page of the Active Directory Federation Service can be modified to include extra fields that would enable the organisation to collect the two-factor credentials, thus enabling the two-factor server/system to authenticate the users.
We have already looked at user management and discussed the two types of user identities. The password management also differs depending on which type of user identity is employed. In the case of Cloud Identity, the users manage their passwords through their Office 365 web interface, while for Federated Identities, users need to manage passwords through Active Directory.
Users with Cloud Identities are prompted to change their password (opens in new tab) when they first login - if they choose not to create a new password, access is denied. Cloud Identity Users can also change their password through a link on Outlook Web App.
With Federated Identities user passwords can only be changed via the standard on-premises change password option (Ctrl + Alt + Del). Since password management is local with Federated Identities, passwords can't be changed using the Outlook Web App.
The ability to reset passwords can be assigned to users without granting them full administrator access. This can help take needless load off IT managers, with department heads able to reset passwords for staff that forget their login details.
Windows Power shell can also be used to reset passwords. Administrators can even execute scripts to reset passwords - this is particularly useful when a bulk password reset is required for a number of accounts.
One important thing to keep in mind here is that Office 365 doesn’t provide for synchronisation of local authentication credentials with that of the Cloud Identities.
Active Directory Synchronization
Organisations opting for Office 365 with local Active Directory setup can synchronise users through Microsoft's Online Services Directory Synchronization Tool, which lets administrators keep Office 365 users, contacts and groups updated in line with changes made in the Active Directory.
The synchronisation tool offers different options. One-Way push synchronisation replicates Active Directory objects within Office 365. Any changes made in Active Directory will be reflected in Office 365 the next time the tool is executed. However, changes are made via Office 365 are not reflected in Active Directory.
If an organisation wants a two way mechanism where changes made on one side reflect on the other, it should consider the write-back capabilities offered by the synchronisation tool.