
Managing Identity Lifecycles at Scale

Microsoft Azure™ Active Directory Deployment Guide


for Retail Industry Customers

Abstract
This guide helps you deploy a unified identity and access management solution with Microsoft Azure Active Directory. The
primary emphasis is on managing identity lifecycle across your corporate employees and thousands of seasonal and
temporary staff.

Intended Audience
Identity Architects, Deployment Advisors, and System Integrators
Microsoft Corporation
Managing Identity Lifecycles at Scale

The information contained in this document represents the current view of Microsoft Corporation on the
issues discussed as of the date of publication. Because Microsoft must respond to changing market
conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft
cannot guarantee the accuracy of any information presented after the date of publication.

MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN


THIS DOCUMENT.

Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights
under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval
system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or
otherwise), or for any purpose, without the express written permission of Microsoft Corporation.

Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property
rights covering subject matter in this document. Except as expressly provided in any written license
agreement from Microsoft, the furnishing of this document does not give you any license to these
patents, trademarks, copyrights, or other intellectual property.

The descriptions of other companies’ products in this document, if any, are provided only as a
convenience to you. Any such references should not be considered an endorsement or support by
Microsoft. Microsoft cannot guarantee their accuracy, and the products may change over time. Also, the
descriptions are intended as brief highlights to aid understanding, rather than as thorough coverage. For
authoritative descriptions of these products, please consult their respective manufacturers.

© 2016 Microsoft Corporation. All rights reserved. Any use or distribution of these materials without
express authorization of Microsoft Corp. is strictly prohibited.

Microsoft and Windows are either registered trademarks of Microsoft Corporation in the United States
and/or other countries.

The names of actual companies and products mentioned herein may be the trademarks of their respective
owners.

Microsoft Azure Active Directory Deployment Guide Page ii



Table of Contents

Overview
Key Concepts
    Azure AD Connect
    Partner Managed Identities (B2B)
    Consumer Identities (B2C)
    Single Sign-On
    Same Sign-On
    User Principal Name
    Identity Namespace
    Tenant Name
    Kiosk Worker
    Information Worker
    Identity Lifecycle
Configure the Prerequisites
Build Your Identity Organization Teams
Architectural Options for Azure AD Identity Solutions
    Onboarding new off-premises identities (Kiosk Workers)
    Synchronize on-premises identities (Information Workers)
    What to expect during each phase of the Identity Lifecycle
Key Infrastructure Design Considerations
    Tenant Name Design
    User Principal Name (UPN) patterns
    Sign-in Experience
    Organizational Security
Reference


Overview
Azure Active Directory (AD) Premium enables you to create a unified identity and access management
(IAM) system that integrates different kinds of identities from multiple sources within your organization.
Azure AD Premium makes it easier to cope with typical IAM challenges such as the following:

▪ Multiple identity repositories. Identity data is spread across several sources, such as an Active
Directory forest, a Human Resources (HR) system, a Lightweight Directory Access Protocol (LDAP)
directory, a relational database, and so on, with no single authoritative source. As a result, some
organizations have no unique identity for each employee, particularly for casual workers.
▪ Different identity types. Different categories of people, such as kiosk workers, full-time employees,
hourly wage workers, consumers, suppliers, partners and so on, have differing identity needs and
characteristics.
▪ Disjointed or ad-hoc tools and solutions. The typical organic evolution of many organizations' IT
systems results in multiple, often incompatible solutions to IAM challenges such as group
management, remote access, password management, provisioning and business-to-business
collaboration.
▪ Differing regulatory requirements. Specific industry sectors must address defined regulatory
requirements. In retail, one example is the Payment Card Industry Data Security Standard (PCI DSS).
▪ Multiple stakeholders. To compete effectively, modern agile organizations may define multiple
reporting lines and areas of responsibility that span different business units within the organization.

Azure AD gives you effective solutions for extending on-premises identities into the cloud through single
sign-on or same sign-on authentication techniques in order to address the above challenges.

The following illustration provides an example of the “identity lifecycle at scale” solution that uses Azure
AD cloud services to integrate with a complex retail on-premises infrastructure.


Figure 1: Identity Lifecycle at Scale


Key Concepts
The following sections provide background to help you understand the benefits and technical
considerations of deploying and managing Azure AD.

Azure AD Connect
Azure AD Connect integrates on-premises identity systems, such as Windows Server Active Directory,
LDAP directories and transactional databases, with Azure Active Directory. It also connects and
authenticates your users to Office 365, Azure and thousands of Software as a Service (SaaS) applications.
This integration includes on-premises identity synchronization to and from the cloud and, optionally,
single sign-on configuration with Active Directory Federation Services (AD FS).

Learn More: Microsoft Azure – Azure AD Connect

Partner Managed Identities (B2B)
Partner Managed Identities, such as those of suppliers and contractors, belong to people who are not part
of your organization but have a business relationship with it. An Identity-as-a-Service (IDaaS) solution
grants these identities access to your resources on a restricted basis only, authenticating them with the
partner organization's own credentials rather than with accounts you create and manage.

Learn More: Azure AD Business to Business collaboration (B2B)

Consumer Identities (B2C)
Consumer Identities represent customers to whom you want to provide services directly. In most cases,
consumers either choose an existing social identity, such as Facebook, a Microsoft account or Twitter, or
sign up for an account directly, typically using their email address as an identity. A retail example would
be a grocery delivery application, where customers log in and place orders online. Consumer identities
can scale to large numbers.

Learn More: Azure AD Business to Consumer (B2C)

Single Sign-On
Single sign-on lets you access all the resources you need to do business by signing in once using a single
user account. After signing on via password, Personal Identification Number (PIN), or smartcard, you can
run any of your authorized applications or connect to shares and data stores without having to
authenticate a second time.

Learn More: Azure AD – Single Sign On


Same Sign-On
Same Sign-On enables use of the same set of credentials to access multiple resources. For example, an
information worker signed in to a Windows computer with a username and password can go to a cloud
resource and supply the same username and password to get access. Unlike single sign-on, the user is
prompted again, but with the same credentials. Azure AD enables same sign-on through password hash
synchronization.

User Principal Name
A User Principal Name (UPN) uniquely identifies a user within Azure Active Directory. UPNs have the
structure of an email address, such as bob@contoso.com, although a UPN does not have to be a working
mailbox address.

Identity Namespace
The Identity Namespace is the suffix of the UPN. In the case of bob@contoso.com, the identity
namespace is “contoso.com.” The Identity Namespace is also known as the domain or UPN suffix.

Tenant Name
The Azure AD Tenant name is a string, e.g., “Contoso,” that you set when creating a tenant account in the
Azure management portal. The tenant name is prepended to the onmicrosoft.com domain to create the
initial tenant domain and UPN, in the form contoso.onmicrosoft.com. This name will be exposed to end
users in some scenarios, so selecting the tenant name is a critical factor in the user experience. See Key
Considerations – Tenant Name

Kiosk Worker
Kiosk workers are users whose primary job does not involve the continual use of a dedicated device or
computer. Examples include sales staff in retail stores, factory workers, or store operatives. Typically,
these employees do not require access to on-premises resources. Therefore, they might not even have an
account in Active Directory; their identities are instead stored in the HR system. Azure AD enables these
users to complete tasks like accessing SaaS applications for time card management (clocking in and out),
collaborating, or initiating self-service HR queries such as holiday requests.

Information Worker
Information workers are typically full-time employees. These users create and consume internal
information and therefore require access to corporate data. Information workers include members of the
marketing, sales or design departments and so on, and may manage other employees. They use
dedicated devices or computers joined to the on-premises directory, and their identities are stored in
Active Directory or another directory service.


Identity Lifecycle
The Identity Lifecycle consists of phases within the IDaaS solution. These phases include the following
elements:

Figure 2: Identity Lifecycle


Build Your Identity Organization Teams

Identity Organization teams and responsibilities

Identity Architecture / Development team
▪ Designs the solution in cooperation with the stakeholders.
▪ Owns the development process and creates the user acceptance environments.
▪ Implements prototypes and drives approvals.
▪ Documents the solution design and operational procedures for hand-off to the operations team.

On-premises Identity Operations team
▪ Manages on-premises identity sources such as Active Directory forests, LDAP directories, HR systems, and
federation identity providers.
▪ Performs any remediation tasks needed before synchronizing objects to the cloud.
▪ Provides the service accounts required for directory synchronization to take place.
▪ Provides access to configure federation to Azure AD.

Application Technical Owners
▪ Own the cloud apps and services that will integrate with Azure AD.
▪ Provide the applications' identity attributes that need to be synchronized.

Azure AD Administrator
▪ Manages the Azure AD configuration.
▪ Provides credentials to configure the synchronization service.

Database team
▪ Owns the database infrastructure.
▪ Procures any SQL Server instance(s) that a deployment requires, based on corporate standards.

Network team
▪ Owns the network infrastructure.
▪ Provides the required access at the network level for the synchronization service to reach the data
sources and cloud services (firewall rules, ports opened, IPsec rules and so on).

Privacy and Compliance team
▪ Certifies that the solution meets the organizational or governmental regulatory and information security
requirements.
▪ Provides the necessary security oversight and approves the data being synchronized.

Help Desk
▪ Manages the support incidents connected to the migration process.

Azure Subscription Administrator
▪ Manages the Azure subscriptions in the company.

Learn More: Assign administrator roles in Azure Active Directory, Office 365


Configure the Prerequisites
Before you design your Identity Lifecycle at Scale solution, review the following process for configuring
the prerequisites:

Process for configuring prerequisites

Setup Common Infrastructure
1. Create Azure AD tenant(s). An Azure AD tenant is the home for your organization's directory in the cloud.
   Learn More: Get an Azure AD Tenant
2. Create and configure custom domains. Users reach your cloud and on-premises resources through domains.
   Learn More: Add Domain
3. Identify Information Worker (B2E) identities and separate them from B2B (partner) and B2C (consumer)
   identities that might be present in on-premises directories. Different identities have different roles in
   your organization.
   Learn More: Azure AD B2B collaboration; Azure AD B2C
4. Identify the on-premises directories to synchronize with Azure AD. Examples include on-premises Active
   Directory forest(s), HR databases, and so on.
   Learn More: Connectors; Topologies for Azure AD Connect

Kiosk Worker
5. Identify data sources for kiosk worker identities. These are the repositories that store the kiosk
   employees' information. Examples include HR systems, relational databases, or even text files or
   spreadsheets.
6. Identify SaaS applications for kiosk workers. Applications have different requirements for user
   information, expressed as identity claims, and may support user provisioning.
7. Identify the attributes of kiosk worker identities and normalize them across all sources. Identify name,
   phone number, employee ID, and so on, in each data source, and record the semantics and possible values
   of each.

Information Worker
8. Filter out accounts that do not need to be synchronized. Only specific users, groups and device objects
   need to be synchronized with Azure AD.
   Learn More: Prepare for directory sync; Azure AD Connect sync: Configure Filtering
9. Define a strategy to identify objects uniquely. This establishes the immutable link between an
   on-premises object and its manifestation in the cloud.
   Learn More: Azure AD Connect: Design concepts
10. Identify the attributes of initial Azure AD workloads. Define the information on each object that you
    want to be available in the cloud.
    Learn More: Azure AD Connect sync: Attributes synchronized to Azure Active Directory
11. Define features for Azure AD synchronization for on-premises objects. Check items such as whether to
    write back passwords/devices, synchronize passwords, or propagate accounts to the cloud automatically.
    Learn More: Integrating your on-premises identities with Azure Active Directory
12. Define the authentication approach (federation or password hash sync). Determine whether you want
    Azure AD or the on-premises federation service to perform authentication. In addition, determine whether
    you want to keep the on-premises usernames and domain names or clean them up.
    Learn More: Federated Identity Pattern; Implementing password synchronization with Azure AD Connect sync
13. Remediate on-premises identities. Prepare all identities for error-free synchronization to the cloud.
    Learn More: Prepare directory attributes for synchronization with Office 365 by using the IdFix tool
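Steps 7 and 9 above (normalize kiosk worker attributes across sources, and pick one attribute that identifies each object uniquely) are where most provisioning failures originate. The following PowerShell script is an added example, not part of this guide: it takes two constructed exports (an HR system CSV and a store spreadsheet, both with made-up column names and rows), maps them into one schema, canonicalizes the employee ID and phone number, treats the HR system as authoritative, and reports records that have no employee ID or that conflict between sources instead of silently picking one. The column names, the five-digit ID format and the US phone format are assumptions for illustration.

```powershell
# Added example (not from the guide): normalize kiosk-worker records from two
# constructed HR exports into one schema keyed on employee ID, the attribute this
# example assumes will become the immutable anchor in Azure AD. Column names,
# sample rows, ID padding and phone format are assumptions for illustration.

# Source 1: HR system export (constructed sample data)
$hrCsv = @'
EmpID,GivenName,Surname,Phone,Status
00123,Alice,Nguyen,+1 425 555 0101,Active
00124,Bob,Smith,425-555-0102,Terminated
00125,Carla,Diaz,,Active
'@

# Source 2: spreadsheet kept by a regional office (constructed sample data)
$storeCsv = @'
employeeNumber,fullName,mobile,active
123,"Nguyen, Alice",4255550101,Y
126,"Evans, Dan",4255550104,Y
,"Unknown, Temp",,Y
'@

$hr    = $hrCsv    | ConvertFrom-Csv
$store = $storeCsv | ConvertFrom-Csv

# Canonical forms: employee IDs zero-padded to five digits, phones in E.164,
# status as a boolean. Each source gets its own mapper into the same schema.
function ConvertTo-CanonicalId([string]$raw) {
    $digits = ($raw -replace '\D', '')
    if ($digits -eq '') { return $null }   # no anchor: the record cannot be provisioned
    return $digits.PadLeft(5, '0')
}
function ConvertTo-E164([string]$raw) {
    $digits = ($raw -replace '\D', '')
    if ($digits.Length -eq 10) { return "+1$digits" }                         # assumption: US numbers
    if ($digits.Length -eq 11 -and $digits.StartsWith('1')) { return "+$digits" }
    return $null
}

$normalized = @()
$normalized += $hr | ForEach-Object {
    [pscustomobject]@{
        EmployeeId = ConvertTo-CanonicalId $_.EmpID
        GivenName  = $_.GivenName.Trim()
        Surname    = $_.Surname.Trim()
        Phone      = ConvertTo-E164 $_.Phone
        Active     = ($_.Status -eq 'Active')
        Source     = 'HR'
    }
}
$normalized += $store | ForEach-Object {
    $surname, $given = ($_.fullName -split ',\s*', 2)
    [pscustomobject]@{
        EmployeeId = ConvertTo-CanonicalId $_.employeeNumber
        GivenName  = $given
        Surname    = $surname
        Phone      = ConvertTo-E164 $_.mobile
        Active     = ($_.active -eq 'Y')
        Source     = 'StoreSheet'
    }
}

# Records without an anchor get reported, never an invented ID.
$normalized | Where-Object { -not $_.EmployeeId } | ForEach-Object {
    Write-Warning "No employee ID for '$($_.Surname), $($_.GivenName)' from $($_.Source)"
}

# Merge by EmployeeId. HR records were added first, so they win; other sources
# only fill attributes HR left blank, and conflicts are reported for remediation.
$merged = @{}
foreach ($rec in ($normalized | Where-Object EmployeeId)) {
    if (-not $merged.ContainsKey($rec.EmployeeId)) { $merged[$rec.EmployeeId] = $rec; continue }
    $existing = $merged[$rec.EmployeeId]
    foreach ($attr in 'GivenName', 'Surname', 'Phone') {
        if (-not $existing.$attr) { $existing.$attr = $rec.$attr }
        elseif ($rec.$attr -and $existing.$attr -ne $rec.$attr) {
            Write-Warning "Conflict on $attr for $($rec.EmployeeId): $($existing.Source)='$($existing.$attr)' $($rec.Source)='$($rec.$attr)'"
        }
    }
}
$merged.Values | Sort-Object EmployeeId | Format-Table EmployeeId, GivenName, Surname, Phone, Active, Source
```

The point of the warnings is that a missing or colliding anchor is a data-quality defect for the HR owners to fix; generating a synthetic ID at sync time would create a cloud object that can never be matched back to its source on the next run.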


Setup Common Infrastructure
Learn More: Azure AD service limits and restrictions


Architectural Options for Azure AD Identity Solutions
Three main design aspects apply when managing identities at scale:

▪ How to onboard new identities that are not on-premises (kiosk workers)
▪ How to synchronize identities that are already on-premises (information workers)
▪ What to expect during each phase of the identity lifecycle

Onboarding new off-premises identities (Kiosk Workers)
The option of a cloud directory opens up a new set of use cases; specifically, enabling identity
management for users, such as kiosk workers, who are traditionally not represented in on-premises
identity stores, but may have identities stored in the company HR system. This section presents options to
create these new identities and enable the new use cases.

The options described assume that the provisioning and de-provisioning of these new identities ties into
the company’s HR application as the authoritative identity source. In the following diagrams, the on-
premises synchronization component is a generic process replaceable with any of the options described
in the subsequent section Synchronize on-premises identities (Information Workers).


Option 1: Single HR system to Azure AD integration
The kiosk worker identity is copied from the master HR system to Azure AD through an integration
layer. Microsoft Identity Manager manages this layer using programmatic interfaces such as Azure AD
PowerShell or the MIM connector for Azure AD.

Figure 3: Single HR system to Azure AD integration

Advantages
▪ Kiosk worker identities are now stored in Azure AD, while the HR system remains the authoritative source.
Tradeoffs
▪ Additional effort to design, implement, test and maintain the integration layer.
▪ Disparate tools and workflows are required to manage the identity lifecycle for all the relevant identities.
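The integration layer above is where the HR system's authority is actually enforced: creations, disables and re-enables must all be driven from the HR record, and matching must use the immutable anchor rather than a name. The following is an added example of such a layer written against the AzureAD PowerShell module (Connect-AzureAD, Get-AzureADUser, New-AzureADUser, Set-AzureADUser, Revoke-AzureADUserAllRefreshToken); it is not code from this guide or from Microsoft Identity Manager. The HR feed is constructed, the UPN suffix kiosk.contoso.com and the use of the HR employee ID as ImmutableId are assumptions, and Microsoft has since retired the AzureAD module in favour of Microsoft Graph PowerShell.

```powershell
# Added example (not part of the guide): a minimal HR-to-Azure AD integration layer
# for kiosk workers using the AzureAD PowerShell module. The HR feed, the UPN suffix
# and the choice of employee ID as ImmutableId are assumptions for illustration.

Import-Module AzureAD
Connect-AzureAD | Out-Null

$upnSuffix = 'kiosk.contoso.com'   # assumption; must be a verified domain in the tenant

# Constructed HR feed: EmployeeId is the anchor, Active drives enable/disable.
$hrFeed = @(
    [pscustomobject]@{ EmployeeId = '00123'; GivenName = 'Alice'; Surname = 'Nguyen'; Active = $true  }
    [pscustomobject]@{ EmployeeId = '00124'; GivenName = 'Bob';   Surname = 'Smith';  Active = $false }
)

function New-RandomInitialPassword {
    # 16 characters from a CSPRNG plus a fixed suffix to satisfy complexity; the
    # user is forced to change it at first sign-in, so it is never reused.
    $bytes = New-Object byte[] 16
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    return ([Convert]::ToBase64String($bytes)).Substring(0, 16) + 'a1!'
}

function Sync-KioskWorker {
    param([pscustomobject]$Hr)

    # Match on the immutable anchor, never on display name, so renames and
    # re-hires cannot attach an HR record to the wrong cloud object. Client-side
    # filtering is used here for simplicity; it is slow on large tenants.
    $existing = Get-AzureADUser -All $true | Where-Object { $_.ImmutableId -eq $Hr.EmployeeId }

    if (-not $existing) {
        if (-not $Hr.Active) { return "skip: $($Hr.EmployeeId) inactive in HR and absent from Azure AD" }
        $profile = New-Object -TypeName Microsoft.Open.AzureAD.Model.PasswordProfile
        $profile.Password = New-RandomInitialPassword
        $profile.ForceChangePasswordNextLogin = $true
        $mailNick = "e$($Hr.EmployeeId)"            # assumption: UPN local part derived from the ID
        New-AzureADUser -UserPrincipalName "$mailNick@$upnSuffix" `
            -DisplayName "$($Hr.GivenName) $($Hr.Surname)" `
            -GivenName $Hr.GivenName -Surname $Hr.Surname `
            -MailNickName $mailNick -ImmutableId $Hr.EmployeeId `
            -AccountEnabled $true -PasswordProfile $profile | Out-Null
        return "created: $mailNick@$upnSuffix"
    }

    # Existing object: reconcile the enabled state from HR, which is authoritative.
    if ($existing.AccountEnabled -ne $Hr.Active) {
        Set-AzureADUser -ObjectId $existing.ObjectId -AccountEnabled $Hr.Active
        if (-not $Hr.Active) {
            # Disabling does not invalidate access tokens already issued. Revoking
            # refresh tokens stops new ones being minted, so the worker's sessions
            # end at access-token expiry instead of living on.
            Revoke-AzureADUserAllRefreshToken -ObjectId $existing.ObjectId
        }
        return "$(if ($Hr.Active) { 'enabled' } else { 'disabled' }): $($existing.UserPrincipalName)"
    }
    return "unchanged: $($existing.UserPrincipalName)"
}

foreach ($rec in $hrFeed) { Sync-KioskWorker -Hr $rec }
```

Two design points carry over to a production layer whatever tooling builds it: a terminated worker who was never provisioned is skipped rather than created-then-disabled, and deprovisioning revokes tokens as well as flipping the enabled flag, since the flag alone leaves existing sessions usable until they expire.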


Option 2: Direct inbound provisioning with Workday
With inbound provisioning, every time a new kiosk worker identity is created in Workday, it is
automatically added to Azure AD.

Figure 4: Direct inbound provisioning with Workday

Advantages
▪ Simple integration, fully automated through the SaaS HR application.
  Learn More: Inbound Provisioning
Tradeoffs
▪ Inbound provisioning is limited to Workday as the data source and to a very narrow set of attributes.
▪ Disparate tools and workflows are required to manage the identity lifecycle for all identities.


Option 3: Multiple HR systems to Azure AD integration
In some cases, such as mergers and acquisitions, multiple HR systems must be integrated into Azure AD.
The kiosk worker identity is copied from the various source repositories into a single view (the
metaverse) through an integration layer. Microsoft Identity Manager manages this layer using
programmatic interfaces such as Azure AD PowerShell or the MIM connector for Azure AD.

Figure 5: Multiple HR systems to Azure AD integration

Advantages
▪ Kiosk worker identities are present only in Azure AD.
▪ Write-back opportunity through the MIM connector infrastructure.
Tradeoffs
▪ Additional complexity from designing, implementing, testing and maintaining the MIM 2016 connectors and
rules.
▪ Disparate tools and workflows are required to manage the identity lifecycle for all identities.


Option 4: Kiosk and information workers consolidated on-premises and synchronized to Azure AD
Companies that want to provide a consistent management experience for kiosk and information workers
can integrate both kinds of identities into on-premises Active Directory, and use a common
synchronization mechanism to propagate the identities into the cloud.

Learn More: Synchronize Information Worker

Figure 6: Kiosk and information workers consolidated on-premises and synchronized to Azure AD

Advantages
▪ Single cloud synchronization strategy through Azure AD Connect.
▪ Common tools to manage all identities in on-premises Active Directory.
▪ Common tools to unify the user experience, such as federated login, password management, and so on.
▪ Provision of additional features through the MIM connector infrastructure.
Tradeoffs
▪ Additional complexity from designing, implementing, testing and maintaining the MIM 2016 connectors and
rules.
▪ Greater load on the on-premises Active Directory from the kiosk identities, which affects factors such as
the size of the directory information tree and replication latency.
▪ More identities on-premises, generating more risk of unintended access to on-premises resources: every
kiosk account is a domain account with whatever rights Domain Users and default permissions grant. Place
kiosk accounts in a dedicated OU, keep their group membership to the minimum the cloud workloads need,
and deny them interactive logon on domain-joined computers.
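The last tradeoff is the one to check on a schedule, not once. The following PowerShell audit is an added example, not part of this guide: it walks the OU that kiosk accounts are assumed to live in, using the ActiveDirectory RSAT module, and flags any account that belongs to a group outside an assumed allow-list, has a non-expiring password, or shows an on-premises logon even though kiosk workers are not supposed to sign in to Active Directory at all. The OU path, the group name and the set of checks are assumptions for illustration.

```powershell
# Added example (not from the guide): audit kiosk accounts consolidated into
# on-premises AD for access they should not have. Assumes the ActiveDirectory
# RSAT module, that kiosk accounts live in $kioskOu, and that 'Kiosk-Workers' is
# the only group they may belong to besides their primary group. OU, group and
# thresholds are assumptions for illustration.

Import-Module ActiveDirectory

$kioskOu       = 'OU=Kiosk Workers,DC=contoso,DC=com'
$allowedGroups = @('CN=Kiosk-Workers,OU=Groups,DC=contoso,DC=com')

$props = 'MemberOf', 'PasswordNeverExpires', 'LastLogonDate', 'Enabled'

$findings = foreach ($u in Get-ADUser -SearchBase $kioskOu -Filter * -Properties $props) {
    $issues = @()

    # Any group beyond the allow-list is an access grant nobody intended for a
    # kiosk worker (file shares, VPN, application roles delegated via AD groups).
    $extraGroups = @($u.MemberOf | Where-Object { $allowedGroups -notcontains $_ })
    if ($extraGroups.Count -gt 0) { $issues += "member of: $($extraGroups -join '; ')" }

    # A non-expiring on-premises password also never expires in the cloud once
    # synchronized, so the tip below about cloud expiration would not apply.
    if ($u.PasswordNeverExpires) { $issues += 'password never expires' }

    # Kiosk workers are not supposed to log on to on-premises AD at all, so any
    # recorded logon (lastLogonTimestamp, replicated with a lag of up to 14 days)
    # is worth investigating rather than a metric to trend.
    if ($u.LastLogonDate) { $issues += "on-premises logon seen $($u.LastLogonDate)" }

    if ($issues.Count -gt 0) {
        [pscustomobject]@{
            SamAccountName = $u.SamAccountName
            Enabled        = $u.Enabled
            Issues         = ($issues -join ' | ')
        }
    }
}

$findings | Sort-Object SamAccountName | Format-Table -AutoSize
```

Run this from a management host with read access to the OU; it makes no changes. The group check is deliberately an allow-list rather than a deny-list of "dangerous" groups, because the risk described above is not privileged groups specifically but any membership a kiosk account was never meant to have.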

Helpful Tips
Since kiosk users will not log on to the on-premises Active Directory, consider the following for Password Hash Sync domains:

Run the following PowerShell cmdlets on the Azure AD Connect server to synchronize the passwords of kiosk workers who
are marked "User must change password at next logon" (the common case when creating new user accounts). Without this
feature, such temporary passwords are not synchronized; with it, the user is prompted to change the password at first
cloud sign-in, and that change should be written back on-premises, which requires password writeback to be enabled:

    Import-Module ADSync
    Set-ADSyncAADCompanyFeature `
        -ConnectorName "<case sensitive aad connector name>" `
        -ForcePasswordResetOnLogonFeature $true

Contact Microsoft Support to enable expiration of the password in the cloud. This is needed because passwords
synchronized from on-premises are marked to never expire in the cloud.

If you disable the kiosk workers' user accounts on premises in line with your security policies, then you need to perform
the following steps so that users can still change their passwords in the cloud and have them written back on-premises:
1. Re-run the Azure AD Connect wizard and clear the password writeback checkbox.
2. Update the file "%ProgramFiles%\Microsoft Azure AD Sync\Bin\Microsoft.CredentialManagement.OnPremisesPasswordReset.Library.dll.config"
   to contain the following value:
   <add key="ConvertChangePasswordToResetPasswordForDisabledUser" value="true"/>
3. Re-run the Azure AD Connect wizard and select the password writeback checkbox.

This is a local setting on the Azure AD Connect server: apply it on any staging server as well, and re-check it after an
Azure AD Connect upgrade, which can replace files under the Bin folder.

Synchronize on-premises identities (Information Workers)
The following three options enable you to synchronize existing on-premises identity stores—either
traditional LDAP-based directories or a custom store, such as a relational database—with Azure AD. The
following scenarios apply equally to identities from single or multiple stores.

Option 1: Integrate all repositories to the cloud with Azure AD Connect
Azure AD Connect can be customized to connect additional on-premises repositories directly, but this is an
advanced configuration. You can engage Microsoft (the Azure AD product group, Microsoft Premier Support or
Microsoft Consulting Services) or a Microsoft Partner to assist you in deploying an advanced customization
of Azure AD Connect.

Figure 7: Integrate all repositories to the cloud with Azure AD Connect

Advantages
▪ The Azure AD Connect synchronization engine is shared with MIM and supports multiple types of connectors,
so you can connect directly to multiple data sources.
  Learn More: Connectors
▪ You benefit from optimizations and investments in Azure AD Connect. Improvements come automatically.
Tradeoffs
▪ Initial deployment and ongoing maintenance require a complex engagement with the Azure AD product group,
Microsoft Premier Support, Microsoft Consulting Services, or a Microsoft Partner.


Option 2: Integrate all repositories to the cloud with MIM
Instead of using Azure AD Connect, this option uses the MIM connector for Azure AD.

Figure 8: Integrate all repositories to the cloud with MIM

Advantages
▪ This option is easier to implement if you have already deployed MIM in your organization, since the
existing MIM connectors, rules and operating procedures are reused for the cloud target.
Tradeoffs
▪ Capabilities of the MIM connector to the cloud are limited compared to Azure AD Connect, which has
features such as write-back.
▪ May not be a future-proof solution.


Option 3: Integrate multiple repositories to Active Directory with MIM and use Azure AD Connect to connect to the cloud
This approach combines multiple identity repositories into an Active Directory forest using Microsoft
Identity Manager. The on-premises Active Directory then synchronizes to the cloud through Azure AD
Connect.

Figure 9: Integrate multiple repositories to Active Directory with MIM and use Azure AD Connect to connect to the cloud

Advantages
▪ MIM supports multiple types of connectors, so you can connect directly to multiple data sources.
  Learn More: Connectors
▪ You benefit from optimizations and investments in Azure AD Connect. Improvements come automatically.
▪ New identities from disparate HR systems get the same authentication experience once they are integrated
into the on-premises Active Directory.
Tradeoffs
▪ You need enough Client Access Licenses (CALs) to bring users who previously had no on-premises account
into your directory.
▪ Additional infrastructure may be required.



What to expect during each phase of the Identity Lifecycle
Azure AD helps IT departments ensure that individual accounts are properly maintained during the
identity lifecycle, while following the organization's policies and procedures for account creation,
termination, and other events. This section describes each aspect of the identity lifecycle and what it takes
to deliver the corresponding user experience.

Creating new identities

Action: Create New Identity

User can log in to Azure AD
- Cloud-only identity: immediately.
- On-premises identity: after the on-premises sync cycle occurs.
- Identity in Workday: after the Workday to Azure AD sync cycle occurs.

Identity entitlements are configured
- Cloud-only identity: immediate if using attribute-based access control. Other techniques require manual
  intervention.
- On-premises identity and identity in Workday: immediately after the identity is in Azure AD, if using
  attribute-based access control. Other techniques require manual intervention.

Identity profiles created for Office 365 (Exchange Online, SharePoint, Skype for Business, etc.)
- All identity types: once the identities are in the Azure AD directory, you can assign Office 365 licenses,
  which in turn trigger the provisioning process. Learn More: Assign or remove licenses for Office 365 for
  business

Identity profiles created for SaaS applications that support provisioning
- All identity types: immediate if using attribute-based access control. Other techniques require manual
  intervention.

Identity profiles created on SaaS applications that do not support provisioning
- All identity types: manual intervention required.

Servicing
Expected experience on password lifecycle events with self-service password management enabled.

Action: Update Expired Password

Redirect to Azure AD password change at login
  Cloud-only identity: Immediate
  On-premises identity: For password hash sync tenants, the cloud account password is set to "Never Expire" for users whose passwords synchronize to the cloud. Users can then continue to sign in to cloud services using a synchronized password, even if it has expired in your on-premises environment. The cloud password updates when the password changes in the on-premises environment. For federated tenants, users need to update their password when logging in to the cloud.

Redirect to Azure AD password change on existing Azure AD sessions
  Cloud-only identity: Immediate

Password change on SaaS application sessions is redirected to Azure AD
  Cloud-only identity: Dependent on the application. Azure AD cannot control the cookie lifetime of applications.
  On-premises identity: Dependent on the application. Azure AD cannot control the cookie lifetime of applications.

Windows receives the new password after it has changed in the cloud
  After a password sync cycle (near real time – within minutes)

Action: Password Reset and Change

User can log in to cloud resources with the new password
  Cloud-only identity: Immediate
  On-premises identity: After a password sync cycle (near real time – within minutes)

User can log in to on-premises resources with the new password
  Cloud-only identity: N/A
  On-premises identity: After a password sync cycle (near real time – within minutes)

Action: Disable / Delete Identities

Mark account as disabled/deleted in Azure AD
  Cloud-only identity: Immediate
  On-premises identity synchronized via password hash sync: After a sync cycle with on-premises
  On-premises identity synchronized via federation: After a sync cycle with on-premises
  In Workday: After a sync cycle from the HR SaaS app

Block new logins to Azure AD
  Cloud-only identity: Immediate
  On-premises identity synchronized via password hash sync: After a sync cycle with on-premises
  On-premises identity synchronized via federation: Immediate
  In Workday: After a sync cycle from the HR SaaS app

Invalidate existing Azure AD sessions
  Immediate

Invalidate existing SaaS application sessions
  Dependent on the application. Azure AD cannot control the cookie lifetime of applications.

Disable/Delete user profiles in SaaS applications that support outbound provisioning
  5 minutes by default, after the account is marked as disabled in Azure AD. (Configurable through provisioning properties.)

Disable/Delete user profiles in SaaS applications that do not support outbound provisioning
  Manual clean-up required.

Helpful Tips
Modeling access to resources through Azure AD groups gives you self-service group management, delegated administration, and attribute-based access control for applications and license assignment.
Learn More: Managing access to resources with Azure Active Directory groups
Control functions such as auditing and attestation are built into Azure AD reporting.
Learn More: Azure Active Directory audit report events
Password management, available through Azure AD for both on-premises and cloud identities, enables self-service password reset and change, as well as account unlock, freeing up help desk resources.
Learn More: Getting started with Password Management

Key Infrastructure Design Considerations
This section covers key considerations and techniques for creating a robust identity infrastructure
implementation plan for the future.

Tenant Name Design


The tenant name appears in multiple use cases. For branding purposes, it therefore needs to be
considered carefully. Assuming a tenant name of rcdemosnet.onmicrosoft.com, information and kiosk
workers will see the following:

SharePoint

Figure 10: SharePoint namespace sample

Figure 11: SharePoint namespace sample

Yammer

Figure 12: Yammer namespace sample

User Principal Name (UPN) patterns


Since cloud identities sign in with a User Principal Name (UPN), defining requirements around domain
and user naming is crucial to avoid the cost of having to rework the tenant account later.

It is common to have on-premises domain names or user accounts that should not be moved to the cloud.
For example, names associated with old branding, domain names from acquired companies, domains
from unused geographies or cost centers, and bad usernames should not be migrated or synchronized
with the cloud.

The following table provides typical requirements, how they can be met with Azure AD, and the tradeoffs
of each option:

Typical namespace requirements and tradeoffs

Requirements:
  ▪ Clean up the on-premises namespace to use consistent branding
  ▪ Clean up the information worker usernames used on-premises (for example, instead of jx79872@NA.contoso3928.com, sign in as joe.smith@contoso.com)
How to accomplish: Clean up the UPN attribute on-premises.
Tradeoffs:
  ▪ Each on-premises forest must have a different namespace.
  ▪ Additional testing required of on-premises applications that might have taken a dependency on the UPN attribute.

Requirements:
  ▪ Clean up cloud user names and namespace
  ▪ Do not change on-premises UPNs, to avoid impacting legacy applications
How to accomplish: Deploy alternate login ID using AD FS + Azure AD Connect. Learn More: Configuring Alternate Login ID
Tradeoffs: Significant complexity added to the information worker’s user experience; causes challenges in hybrid Office 365 scenarios.
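The cleanup decisions in the table above start with knowing which UPN suffixes are actually in use on-premises. The following PowerShell is an added example, not from this guide, that reports every enabled user whose UPN suffix is not on an approved list, or who has no UPN at all, so that accounts like the jx79872@NA.contoso3928.com case can be found before synchronization rather than after. It assumes the ActiveDirectory module is available; the suffixes in $ApprovedSuffixes and the output file name are assumed values.

```powershell
# Added example (not from the deployment guide): pre-sync UPN suffix audit.
# Assumptions: ActiveDirectory module installed; $ApprovedSuffixes is your own
# list of domains you intend to verify in Azure AD (values below are constructed).
Import-Module ActiveDirectory

$ApprovedSuffixes = @('contoso.com', 'stores.contoso.com')   # assumed values

function Get-UpnSuffixReport {
    param(
        [Parameter(Mandatory)][string[]]$ApprovedSuffixes,
        [string]$SearchBase   # optional OU distinguished name to scope the query
    )
    $params = @{ Filter = 'Enabled -eq $true'; Properties = 'UserPrincipalName', 'SamAccountName' }
    if ($SearchBase) { $params.SearchBase = $SearchBase }

    $users = Get-ADUser @params
    foreach ($u in $users) {
        $upn = $u.UserPrincipalName
        if ([string]::IsNullOrWhiteSpace($upn) -or $upn -notmatch '@') {
            # No UPN (or a malformed one): the account cannot sign in to Azure AD as-is.
            $status = 'MissingUPN'; $suffix = ''
        } else {
            $suffix = ($upn -split '@', 2)[1].ToLowerInvariant()
            $status = if ($ApprovedSuffixes -contains $suffix) { 'OK' } else { 'UnapprovedSuffix' }
        }
        [pscustomobject]@{
            SamAccountName    = $u.SamAccountName
            UserPrincipalName = $upn
            Suffix            = $suffix
            Status            = $status
        }
    }
}

$report = Get-UpnSuffixReport -ApprovedSuffixes $ApprovedSuffixes

# Summary of suffixes in use, then the accounts that need cleanup before sync.
$report | Group-Object Suffix, Status | Sort-Object Count -Descending |
    Select-Object Name, Count | Format-Table -AutoSize
$report | Where-Object Status -ne 'OK' |
    Export-Csv -Path .\upn-cleanup-candidates.csv -NoTypeInformation
```

The summary shows at a glance how many accounts sit under legacy or acquired-company suffixes, which is the input for deciding between the UPN cleanup and alternate login ID options in the table; the CSV is the worklist for whichever option is chosen.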

The following table captures login experience implications with namespaces:

Namespace implications for login experience

Requirements:
  ▪ Single Sign-On using on-premises credentials for information workers
How to accomplish: Provision kiosk workers in a different domain. Federate information workers and use AD FS. (For example: susie@contoso.com, sbob@stores.contoso.com)
Tradeoffs: Kiosk workers and information workers will have different namespaces.

Requirements:
  ▪ Same Sign-On for information workers
  ▪ Common namespace for kiosk and information workers
How to accomplish: Use password hash sync for information workers, and provision kiosk workers in the same domain.
Tradeoffs:
  ▪ Write back capabilities will not be available.
  ▪ Information workers will not be able to use desktop SSO.

Requirements:
  ▪ Single Sign-On for information workers
  ▪ Consistent identity tools and management for both kiosk and information workers
How to accomplish: Synchronize kiosk workers to on-premises AD, and use the same tools for kiosk and information workers.
Tradeoffs:
  ▪ On-premises AD grows with identities that will never log in on-premises.
  ▪ New accounts might inadvertently have access to some on-premises resources.

Sign-in Experience
Deploying the cloud identity solution gives users single sign-on to SaaS applications including Office 365
and other services configured by the Azure AD tenant owner. The following table lists some important
items to consider when you get close to launching the solution’s infrastructure for your information and
kiosk workers:

Cloud Identity Solution pre-deployment considerations

Item: Password policy for cloud identities
Consideration: Cloud identities and on-premises identities have the following password policy differences:
  ▪ As an administrator, you can configure the following for cloud identities:
    − Password expiration duration
    − Password expiry notification
    − Password never expires
  ▪ Azure AD manages the following aspects of the cloud identity password policy:
    − Length requirements
    − Complexity requirements
    − Password history (duration and how many previous passwords are allowed)
    − Account lockout
  Learn More: Password policy in Azure AD
  ▪ Azure AD allows you to configure the password validity and notification window using PowerShell.
  Learn More: Set-MsolPasswordPolicy

Item: User interface look and feel
Consideration: Before launching your cloud identity solution, it is important to determine branding and appreciate its effect on the user experience. Ideally, you want to provide branding for information workers and kiosk workers that resembles their on-premises login experience.
  Learn More: Add company branding to your sign-in and Access Panel pages
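To make the validity period and notification window from the table auditable rather than a one-off setting, the following PowerShell is an added example (not from this guide) that reads the current policy with Get-MsolPasswordPolicy, reports drift from a baseline, and calls Set-MsolPasswordPolicy only when needed. The domain name and the baseline values are assumed, and it expects that the MSOnline module is installed and Connect-MsolService has already been run.

```powershell
# Added example (not from the deployment guide): check and enforce the cloud
# password validity/notification baseline for one verified domain.
# Assumptions: MSOnline module installed, Connect-MsolService already run;
# the domain name and baseline values below are constructed.
Import-Module MSOnline

$DomainName        = 'contoso.com'   # assumed verified domain
$DesiredValidity   = 90              # days before a cloud password expires
$DesiredNotifyDays = 14              # days of warning before expiry

function Test-CloudPasswordPolicy {
    param(
        [Parameter(Mandatory)][string]$DomainName,
        [Parameter(Mandatory)][int]$ValidityPeriod,
        [Parameter(Mandatory)][int]$NotificationDays
    )
    $policy = Get-MsolPasswordPolicy -DomainName $DomainName
    [pscustomobject]@{
        DomainName              = $DomainName
        CurrentValidityPeriod   = $policy.ValidityPeriod
        CurrentNotificationDays = $policy.NotificationDays
        Compliant               = ($policy.ValidityPeriod -eq $ValidityPeriod) -and
                                  ($policy.NotificationDays -eq $NotificationDays)
    }
}

$state = Test-CloudPasswordPolicy -DomainName $DomainName `
    -ValidityPeriod $DesiredValidity -NotificationDays $DesiredNotifyDays
$state | Format-List

if (-not $state.Compliant) {
    # Only the two administrator-configurable values are set; length, complexity,
    # history and lockout stay managed by Azure AD, as the table above notes.
    Set-MsolPasswordPolicy -DomainName $DomainName `
        -ValidityPeriod $DesiredValidity -NotificationDays $DesiredNotifyDays
    Write-Host "Password policy for $DomainName updated."
}

# Accounts with PasswordNeverExpires are exempt from this policy; list them so
# that each exception is deliberate rather than forgotten.
Get-MsolUser -All | Where-Object { $_.PasswordNeverExpires } |
    Select-Object UserPrincipalName, PasswordNeverExpires
```

For password hash sync tenants the Servicing section notes that synchronized users are marked never-expire in the cloud, so they will appear in the final listing; that is expected, and the list exists so the remaining exceptions get reviewed.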

Organizational Security
Using Azure AD, IT administrators can more easily identify and mitigate security threats, address
regulatory compliance requests, and meet the reporting requirements of business owners.

For a general discussion of security in the cloud, see the following articles:

▪ Azure AD Connect account privileges
▪ Azure AD Connect prerequisites
▪ URLs and Ports used by Azure AD Connect
▪ Security considerations for password hash sync
▪ Security considerations for Azure Cloud
▪ Classic Metadirectory Walkthrough: Administering MIIS 2003 Infrastructure
▪ Azure AD Connect Health - Frequently Asked Questions (FAQ)

Mapping Azure AD Connect Roles to Identity Organization Teams

The following table maps Azure AD Connect roles to organizational team structure.

Azure AD Connect roles and recommended responsibilities

ADSyncAdmins
  Role: Full access to everything in the Sync Engine.
  Recommended responsibility: Identity Architecture / Development team

ADSyncOperators
  Role: Access to Operations in the Sync Engine only. Can run management agents, view synchronization statistics for each run, and save the run histories to a file.
  Recommended responsibility: On-Premises Identity Operations team

ADSyncBrowse (Password Sync Service only)
  Role: Permission to gather information about a user's lineage when resetting passwords using Windows Management Instrumentation (WMI) queries.
  Recommended responsibility: On-Premises Identity Operations team

ADSyncPasswordSet (Password Sync Service only)
  Role: Permission to perform all operations using WMI password management interfaces.
  Recommended responsibility: On-Premises Identity Operations team
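Since membership of these four groups decides who can operate or read the sync engine, it should be checked against the team mapping above on a schedule, not only set once at installation. The following PowerShell is an added example (not from this guide) that reports unexpected and missing members for each group. It assumes the groups are local groups on a member server (when Azure AD Connect is installed on a domain controller they are domain groups, and Get-ADGroupMember would be used instead); the expected members are constructed placeholders and should include the service account that the installer created.

```powershell
# Added example (not from the deployment guide): detect drift in the membership
# of the Azure AD Connect security groups on the sync server.
# Assumptions: local groups on a member server; the expected members below are
# constructed placeholders (your team groups plus the installer's service account).
$Expected = @{
    'ADSyncAdmins'      = @('CONTOSO\idarch-team', 'CONTOSO\svc-adsync')
    'ADSyncOperators'   = @('CONTOSO\idops-team')
    'ADSyncBrowse'      = @('CONTOSO\idops-team')
    'ADSyncPasswordSet' = @('CONTOSO\idops-team')
}

function Get-AdSyncGroupDrift {
    param([Parameter(Mandatory)][hashtable]$Expected)
    foreach ($group in $Expected.Keys) {
        try {
            $actual = Get-LocalGroupMember -Group $group -ErrorAction Stop |
                ForEach-Object { $_.Name }
        } catch {
            [pscustomobject]@{ Group = $group; Member = ''; Finding = "GroupNotFound: $($_.Exception.Message)" }
            continue
        }
        # Members present that are not on the expected list (privilege creep).
        foreach ($m in $actual) {
            if ($Expected[$group] -notcontains $m) {
                [pscustomobject]@{ Group = $group; Member = $m; Finding = 'Unexpected' }
            }
        }
        # Expected members that are absent (operations team may be locked out).
        foreach ($e in $Expected[$group]) {
            if ($actual -notcontains $e) {
                [pscustomobject]@{ Group = $group; Member = $e; Finding = 'Missing' }
            }
        }
    }
}

$drift = Get-AdSyncGroupDrift -Expected $Expected
if ($drift) {
    $drift | Format-Table -AutoSize
} else {
    Write-Host 'All ADSync groups match the expected membership.'
}
```

Member names are compared case-insensitively in the DOMAIN\name form that Get-LocalGroupMember returns, so the expected list must use the same form. An Unexpected finding in ADSyncAdmins or ADSyncPasswordSet is the one to act on first, since those groups carry full sync-engine and password-management rights respectively.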

Support for Privacy, Compliance, and Operations

Because the identity system controls access to many high-value business assets, the identity service
should be considered a key security asset and a likely target for attack. Organizations need to implement
appropriate controls to protect their sensitive data, whether this data is hosted on-premises or in the
cloud. Learn more via the links provided:

Privacy

▪ Which attributes are sent to the cloud? Azure AD Connect sync: Attributes synchronized to Azure
Active Directory
▪ How is privacy managed in the Azure Cloud? Microsoft Trust Center- Privacy

Compliance

▪ What cloud certifications does Azure have? Microsoft Trust Center- Compliance
▪ What cloud certifications does Azure have for the retail industry? Microsoft Trust Center- PCI

Operations

▪ Operational guide for Azure AD Connect. Azure AD Connect sync: Operational tasks and consideration
▪ Azure AD Connect Health. Monitor your on-premises identity infrastructure and synchronization
services in the cloud

Reference
For more information about Azure Active Directory, see https://azure.microsoft.com/en-gb/services/active-directory/
