Top 10 Office 365 Identity and Access Management Mistakes

Here's how to avoid the most common pitfalls when moving to Office 365.

Organizations moving to Office 365 typically run into trouble with identity and access management (IAM), mostly because every Office 365 tenant depends on Azure Active Directory (Azure AD) and the organization has to connect its existing identity infrastructure to it.

That view comes from a Gartner Inc. poll, as presented by Mary Ruddy, a research director on Gartner's directory and access management team. Ruddy described the common fumbles organizations experience in a Tuesday session at Gartner's Catalyst event in San Diego, titled "Top 10 Pitfalls and Remedies for Deploying Identity and Access Management for Office 365."

Synchronization and Authentication
Ruddy noted that Azure AD, Microsoft's cloud-based IAM service, is not equivalent to on-premises Active Directory. Organizations broadly experience two types of challenges connecting with Azure AD: synchronizing their on-premises AD into it, and authenticating users against it.

Microsoft's main synchronization tool is Azure AD Connect, but there are some points to consider about the sync process. If an organization only synchronizes identities from on-premises AD to Azure AD, users end up with two credentials: they authenticate to the domain, then sign in again to Azure AD with a separate password, which is awkward, Ruddy explained. One way around that is password synchronization (Azure AD Connect's password hash sync), which lets users keep the same password in both directories; the other is federated single sign-on.

Some companies authenticate with Azure AD by using Active Directory Federation Services (ADFS), a server role included with Windows Server. Others use a third-party federation product for the purpose.

However, Gartner's poll found that many organizations (56 percent) simply sign in directly to Azure AD, likely because a lot of them are smaller organizations, Ruddy said. Just 32 percent of organizations polled were using ADFS to authenticate to Azure AD.

Top 10 IAM Pitfalls
Ruddy outlined ten common mistakes organizations make when connecting with Azure AD, along with remedies for each.

Mistake 1: Assuming no federated single sign-on tool is needed. Organizations likely will need a federated single sign-on tool to make Azure AD connections, Ruddy explained. Some capabilities, such as conditional access, which grants or blocks a sign-in based on conditions such as the user's device or network location, require ADFS or a third-party federation tool.

Mistake 2: Not aligning IAM and overall schedules. A lot of companies are behind in their Office 365 planning because there is a lot of work the IAM team has to do. Ruddy recommended getting the IAM team involved early so that it understands which IAM steps tend to take longest. The team can use IdFix (a free Microsoft identity object discovery and remediation tool) to uncover attribute problems before they break synchronization. If only a subset of users is to be synchronized, extra time should be planned for that filtering. Time is also needed to deploy ADFS or its equivalent. Organizations that have used on-premises AD for years will have data to clean up, such as pound signs in attribute values, she explained. And if an organization doesn't already have a single sign-on tool in place, implementing one can take a long time, depending on the tool, she added.
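As an added illustration (not part of Ruddy's session or the article, and not Microsoft's IdFix itself), the following PowerShell script runs the kind of pre-sync attribute audit that IdFix automates, over a few constructed sample objects. The verified-domain list, the allowed character set for the UPN local part, and the sample objects are assumptions; the checks approximate the published Azure AD Connect attribute requirements and are not a substitute for running IdFix against the real directory.

```powershell
# Added example, not from the article and not Microsoft's IdFix: a small
# pre-sync audit of the attributes Azure AD Connect is pickiest about, run
# over constructed sample objects. The rules are conservative approximations
# of the published sync requirements (assumption; check the current Azure AD
# Connect prerequisites before treating a "clean" result as authoritative).

$VerifiedDomains  = @('contoso.com')        # assumption: the tenant's verified domains
$LocalPartPattern = '^[A-Za-z0-9._-]+$'    # assumption: conservative UPN local-part charset

function Add-Finding {
    param($Findings, $User, $Attribute, $Value, $Problem)
    $Findings.Add([pscustomobject]@{
        sAMAccountName = $User.sAMAccountName
        Attribute      = $Attribute
        Value          = $Value
        Problem        = $Problem
    })
}

function Test-Unique {
    # Records the first owner of each (attribute, value) pair and flags later repeats.
    param($Findings, $Seen, $User, $Attribute, $Value)
    $key = "$Attribute|$($Value.ToLowerInvariant())"
    if ($Seen.ContainsKey($key)) {
        Add-Finding $Findings $User $Attribute $Value "duplicate of $($Seen[$key])"
    } else {
        $Seen[$key] = $User.sAMAccountName
    }
}

function Test-SyncReadiness {
    param([Parameter(Mandatory)][object[]]$Users)

    $findings = [System.Collections.Generic.List[object]]::new()
    $seen     = @{}

    foreach ($u in $Users) {
        # userPrincipalName: one '@', clean local part, suffix must be a verified domain.
        $upn = [string]$u.userPrincipalName
        if ([string]::IsNullOrWhiteSpace($upn)) {
            Add-Finding $findings $u 'userPrincipalName' $upn 'blank'
        } else {
            $parts = $upn.Split('@')
            if ($parts.Count -ne 2 -or $parts[0] -eq '' -or $parts[1] -eq '') {
                Add-Finding $findings $u 'userPrincipalName' $upn 'not in local@domain form'
            } else {
                if ($parts[0] -notmatch $LocalPartPattern) {
                    Add-Finding $findings $u 'userPrincipalName' $upn 'local part contains disallowed characters'
                }
                if ($VerifiedDomains -notcontains $parts[1].ToLowerInvariant()) {
                    Add-Finding $findings $u 'userPrincipalName' $upn "suffix '$($parts[1])' is not a verified domain"
                }
            }
            Test-Unique $findings $seen $u 'userPrincipalName' $upn
        }

        # mail: optional, but if present it must contain no whitespace and be unique.
        $mail = [string]$u.mail
        if ($mail -ne '') {
            if ($mail -match '\s') {
                Add-Finding $findings $u 'mail' $mail 'contains whitespace'
            }
            Test-Unique $findings $seen $u 'mail' $mail
        }

        # proxyAddresses: each entry is "<type>:<address>", no whitespace, unique across the forest.
        foreach ($addr in @($u.proxyAddresses)) {
            $addr = [string]$addr
            if ($addr -eq '') { continue }
            if ($addr -notmatch '^[A-Za-z0-9]+:\S+$') {
                Add-Finding $findings $u 'proxyAddresses' $addr 'malformed or contains whitespace'
            }
            Test-Unique $findings $seen $u 'proxyAddresses' $addr
        }
    }
    return $findings
}

# Constructed sample objects. In production, feed the function real objects, e.g.
#   Get-ADUser -Filter * -Properties userPrincipalName, mail, proxyAddresses
$sample = @(
    [pscustomobject]@{ sAMAccountName = 'jdoe';   userPrincipalName = 'jdoe@contoso.com';      mail = 'jdoe@contoso.com';    proxyAddresses = @('SMTP:jdoe@contoso.com') }
    [pscustomobject]@{ sAMAccountName = 'asmith'; userPrincipalName = 'a smith@contoso.local'; mail = 'asmith @contoso.com'; proxyAddresses = @('SMTP:asmith@contoso.com', 'smtp:jdoe@contoso.com') }
    [pscustomobject]@{ sAMAccountName = 'svc1';   userPrincipalName = 'jdoe@contoso.com';      mail = '';                    proxyAddresses = @('X400:c=us;a= ;p=contoso') }
)
Test-SyncReadiness -Users $sample | Format-Table -AutoSize
```

Against the sample it reports the space and the unverified .local suffix in asmith's UPN, the whitespace in that account's mail attribute, the smtp proxy address it shares with jdoe, the UPN that svc1 duplicates from jdoe, and the malformed X.400 address. Each of these would otherwise surface as a synchronization error after Azure AD Connect is deployed, when it is more expensive to fix, which is why Ruddy puts the cleanup on the schedule up front.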

Mistake 3: Not assessing organizational readiness for operating ADFS. ADFS comes free with Windows Server, so people assume it is the default approach, but it's not for everyone, Ruddy said. ADFS must be at least as highly available as the applications that depend on it, because when it is down nobody can sign in. Organizations will need to configure and run proxy servers (Web Application Proxy) for external access, install and manage the ADFS servers themselves, and make sure their load balancers and clients support the Server Name Indication (SNI) TLS extension that ADFS relies on.

Mistake 4: Expecting ADFS to be the right single sign-on solution. It's very important to consider total cost of ownership when choosing a single sign-on tool. Depending on what kind of connectors you need, Microsoft's solution might not be the lowest-cost option, Ruddy said. Microsoft lists compatible third-party single sign-on providers in a TechNet Library article.

Mistake 5: Using Azure AD Sync and forgetting that it only works with AD. If you are using non-Microsoft directory solutions, you'll need a metadirectory tool to get those identities into Azure AD, Ruddy said. Microsoft's Microsoft Identity Manager product serves that purpose, and RadiantLogic also provides a tool, she said.

Mistake 6: Assuming that all AD setups will directly sync with Azure. Organizations sometimes have multiple Exchange organizations, each represented by a different URL. They can use Azure AD Connect to synchronize them, or they can use a third-party product with metadirectory or virtual directory capabilities.

Mistake 7: Expecting to collaborate across hosted tenants today. Some organizations want to federate with partners and give them access to their tenant. That scenario is messy right now, so Ruddy advised holding off unless the organization wants to be on the bleeding edge.

Mistake 8: Treating security as an afterthought. Organizations should think about what data they are moving to the cloud, and IAM should be their first line of defense. They'll need to be able to stop employees from downloading data out of the cloud, for instance. With ADFS, Microsoft supports device registration combined with adaptive access: if a sign-in comes from a device that is not registered, you can require multifactor authentication before granting access.
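As an added example (not from the article, and not a Microsoft-supplied script), here is how that device-based rule is expressed on an ADFS farm in PowerShell, using ADFS claim rule language. It assumes the Office 365 relying party trust still has its default name, and that the Device Registration Service and an MFA provider are already configured on the farm.

```powershell
# Added example, not from the article: an ADFS additional authentication rule
# that demands MFA whenever the sign-in comes from a device that is not
# registered with the Device Registration Service. Assumptions: the relying
# party trust carries its default name "Microsoft Office 365 Identity Platform",
# DRS is enabled on the farm, and an MFA adapter is registered (otherwise the
# multipleauthn requirement cannot be satisfied and the sign-in fails).

$rpt = 'Microsoft Office 365 Identity Platform'

# Claim rule language: the isregistereduser claim is "false" for unregistered
# devices, so only those sessions receive the multipleauthn requirement.
$mfaForUnregistered = @'
c:[Type == "http://schemas.microsoft.com/2012/01/devicecontext/claims/isregistereduser", Value == "false"]
 => issue(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod",
          Value = "http://schemas.microsoft.com/claims/multipleauthn");
'@

# Scope the rule to the Office 365 trust only, not to every relying party.
Set-AdfsRelyingPartyTrust -TargetName $rpt -AdditionalAuthenticationRules $mfaForUnregistered

# Read the rule back to confirm it landed on the intended trust.
(Get-AdfsRelyingPartyTrust -Name $rpt).AdditionalAuthenticationRules
```

Registered devices present the isregistereduser claim as true and pass straight through; everything else is challenged for a second factor before ADFS issues the token Office 365 accepts. To limit the prompt to external sign-ins, add a second condition on the insidecorporatenetwork claim being false (c1:[Type == "http://schemas.microsoft.com/ws/2012/01/insidecorporatenetwork", Value == "false"] && c2:[...isregistereduser..., Value == "false"] => issue(...)). Setting the rules with -TargetName keeps them on that one trust; Set-AdfsAdditionalAuthenticationRule would apply them farm-wide to every relying party.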

Mistake 9: Assuming Azure AD has everything you need. Microsoft has been beefing up Azure IAM as a service, but it doesn't yet have all of the features organizations want, or those features have not reached general availability. Enterprises are finding that Azure AD cannot yet replace their existing IAM solutions outright.

Mistake 10: Failing to track Microsoft's new release rhythm. Microsoft used to ship new Office releases every few years, but things now move much faster, so organizations have to be more mindful of Microsoft's release cadence. Still, some new capabilities have a long incubation time. Ruddy recommended watching for releases announced on the Active Directory team blog, but organizations shouldn't get distracted by them.

In general, organizations should align their IAM schedules with their Office 365 schedules, watch for Microsoft's announcements, and take advantage of Azure advances as they become available.

About the Author

Kurt Mackie is senior news producer for 1105 Media's Converge360 group.

