
M365e Identity Infra

A well-planned identity infrastructure provides stronger security and access control to productivity workloads and data. Microsoft 365 enterprise plans like E3 and F3 provide core identity services from Azure Active Directory, while E5 provides advanced identity services. Azure AD offers a common set of identity services for authenticating users to Microsoft 365, other SaaS/PaaS apps, and on-premises Active Directory through synchronization with Azure AD Connect.

Uploaded by

Ricardo Lacal

Identity infrastructure for Microsoft 365

A well-planned and executed identity infrastructure provides stronger security and access by
authenticated users and devices to your productivity workloads and their data.

Microsoft 365 for enterprise plans

E3 and F3 provide core identity services.
E5 provides advanced identity services.

Azure Active Directory (Azure AD) Premium P1 (E3 and F3)
Key features include:
• Azure Multi-factor Authentication
• Conditional Access
• Azure AD Join for Windows 10
• Self-Service Password Reset
• Device Write-back
• Connect Health

Azure AD Premium P2 (E5 or E3 with the Identity & Threat Protection add-on)
Key features include:
• Identity Protection
• Privileged Identity Management
• Access Reviews

Azure AD provides Identity as a Service (IDaaS)


Azure AD offers a common set of services for Microsoft 365, SaaS and PaaS apps, and business partners and customers, and can be synchronized with Active Directory Domain Services (AD DS) accounts.

[Diagram: Azure AD provides a common set of identity services to Microsoft 365 cloud apps, Microsoft Intune, other SaaS and PaaS apps, business partners (B2B) and customers (B2C), with ongoing synchronization between on-premises AD DS and Azure AD.]

Identity infrastructure
Many organizations have an on-premises AD DS forest and use Azure AD Connect to synchronize objects to Azure AD. Additional agents and servers facilitate Azure AD subservices.

The Azure AD tenant of your Microsoft 365 subscription serves Microsoft 365 and Intune services, stores objects and settings, and hosts subservices that extend Azure AD functionality.

[Diagram: Your organization (on-premises users, remote users, AD DS, domain controllers running agents for Azure AD Connect Health, server running Azure AD Connect, and Application Proxy with an application server and a connector server), with ongoing synchronization to your Microsoft 365 subscription (accounts, Microsoft 365 cloud apps, Microsoft Intune, Azure AD).]

Azure AD

Objects
• Users
• Groups
• Devices
• Apps

Settings
• Domain names
• Azure Multi-Factor Authentication
• Conditional Access
• Authentication methods

Subservices
• Azure AD Connect
• Privileged Identity Management (PIM)
• Identity Protection
• Application Proxy
• Connect Health
• Diagnostics

For deployment guidance, visit aka.ms/m365edeployid. © 2019 Microsoft Corporation. All rights reserved.
September 2020
Authentication infrastructure configurations for Microsoft 365 for enterprise
Watch the video at aka.ms/m365edeployid.

Cloud-only

Azure AD performs authentication using its own set of accounts.

[Diagram: Your organization (on-premises users, remote users); Your Microsoft 365 subscription (Azure AD holding accounts and passwords).]

Hybrid with Password Hash Synchronization (PHS)


Azure AD performs authentication using a synchronized set of accounts.

[Diagram: Your organization (AD DS, server running Azure AD Connect), with ongoing synchronization to your Microsoft 365 subscription (Azure AD holding synchronized accounts and hashed passwords).]

Hybrid with Pass-Through Authentication (PTA)


Azure AD performs authentication by passing the credentials to AD DS through an on-premises agent.

[Diagram: Your organization (AD DS, server running Azure AD Connect, server running agent); Your Microsoft 365 subscription (Azure AD holding synchronized accounts, no passwords).]

Hybrid with federated authentication


Azure AD refers authentication to a federation service.

[Diagram: Your organization (AD DS, server running Azure AD Connect, federation service); Your Microsoft 365 subscription (Azure AD holding synchronized accounts, no passwords).]
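
The four configurations above can be told apart from tenant settings. The following Python is an added example, not part of the Microsoft poster: it classifies each verified domain using Microsoft Graph v1.0 field names (`authenticationType`, `isVerified`, `onPremisesSyncEnabled`, `passwordSyncEnabled`) and reports what Azure AD stores and which on-premises components sit in the sign-in path. The function names, the `pta_enabled` flag and the sample tenant data are assumptions constructed for illustration.

```python
# Added example (not from the poster). Input dicts mirror Microsoft Graph v1.0:
# domain.authenticationType / isVerified, organization.onPremisesSyncEnabled,
# and the directory-synchronization feature flag passwordSyncEnabled.

# Per configuration: (what Azure AD stores, on-premises parts in the sign-in
# path), as labelled in the poster's four diagrams.
MODELS = {
    "cloud-only": ("passwords", []),
    "PHS": ("hashed passwords", []),
    "PTA": ("no passwords", ["server running agent", "AD DS"]),
    "federated": ("no passwords", ["federation service", "AD DS"]),
    "undetermined": ("undetermined", []),
}

def classify(domain, sync_enabled, phs_enabled, pta_enabled):
    """Map one domain to one of the four configurations."""
    if domain.get("authenticationType") == "Federated":
        return "federated"          # Azure AD refers sign-in to a federation service
    if not sync_enabled:
        return "cloud-only"         # Azure AD uses its own set of accounts
    if pta_enabled:
        return "PTA"                # credentials passed to AD DS via an agent
    return "PHS" if phs_enabled else "undetermined"

def audit(domains, org, features, pta_enabled=False):
    """pta_enabled is a hypothetical operator-supplied flag (assumption)."""
    sync = bool(org.get("onPremisesSyncEnabled"))
    phs = bool(features.get("passwordSyncEnabled"))
    report = {}
    for d in domains:
        if not d.get("isVerified"):
            continue                # skip domains that are not verified
        model = classify(d, sync, phs, pta_enabled)
        stored, deps = MODELS[model]
        if model in ("PTA", "federated") and phs:
            # PHS can run alongside PTA or federation; hashes are then stored.
            stored = "hashed passwords (PHS also enabled)"
        report[d["id"]] = {"model": model, "azure_ad_stores": stored,
                           "on_prem_sign_in_path": list(deps)}
    return report

# Constructed sample tenant data (not real).
SAMPLE_DOMAINS = [
    {"id": "contoso.example", "authenticationType": "Managed", "isVerified": True},
    {"id": "fed.contoso.example", "authenticationType": "Federated", "isVerified": True},
    {"id": "pending.example", "authenticationType": "Managed", "isVerified": False},
]
SAMPLE_ORG = {"onPremisesSyncEnabled": True}
SAMPLE_FEATURES = {"passwordSyncEnabled": True}

if __name__ == "__main__":
    for name, row in audit(SAMPLE_DOMAINS, SAMPLE_ORG, SAMPLE_FEATURES).items():
        print(name, row)
```

A tenant can mix configurations per domain, so the report is keyed by domain rather than returning one answer for the whole tenant.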

For more details on these authentication configurations, visit aka.ms/m365goldenconfig.
