
The Secure Future Workplace? Just Hybrid, Please!

January 31, 2020 | Marten Bütow

Buzzwords like “public cloud first” or even “public cloud only” are all the rage. Agile, innovative, forward-looking companies hardly have a choice: they all rely on the public cloud. Its advantages are well-known: simplicity, dynamism, cost-effectiveness. Agility is great for new, internal applications in core processes. But when companies bet on reliability, they have to go whole hog. That means the collaboration tools for the future workplace cannot lag behind. So off to the public cloud we go.

The future workplace – from the cloud

The workplace of the future comes from the cloud – but not only from there. People who use Microsoft Office for business need to be able to do so in both online cloud mode and in (disconnected) local mode. But the user must be recognized accordingly in both modes – locally and when working in the public cloud.

In contrast to consumer applications, companies cannot rely solely on a public cloud solution for identity management. In the home network, we can use the central Microsoft services for this with a clear conscience. In the enterprise domain, however, we usually need a separate Active Directory for identity management.

Or, to put it metaphorically: agile workplaces from the public cloud are like high-performance race cars, with all the bells and whistles, but unfortunately without seat belts – and locks that can be picked with a paperclip are optional. Apropos: did Marty McFly always have a car key with him?

And now the crucial question: where is the Active Directory stored?

Microsoft offers Cloud Identity, an identity management solution for users who want to use Office 365 and don’t have a local Active Directory. The advantage: no need for administration or infrastructure on the user’s end. The simplicity of the cloud beckons. The user accounts are managed exclusively in an Azure Active Directory. And it is hosted by Microsoft – as are the passwords. For users, this means goodbye single sign-on. But the lack of control over password policies and user administration means this isn’t a good fit for every company.

The next step involves using synchronized identities. To enable it, the Office 365 user needs a separate Active Directory – which means they’re already entering the hybrid world at this low level, because the user can run this Active Directory on their own premises or, alternatively, in a private cloud run by another trusted provider. Of course, this Active Directory must be continually synchronized with Microsoft’s. This is done using Azure AD Connect, which copies the password hashes and other credentials to the cloud.

Federated identity enables secure, easy work

But if you want to use the same password locally and in the public cloud, avoid having to log on all the time, keep your passwords local, or even use two-factor authentication, synchronized identity isn’t a good fit for you. Particularly since these “features” hardly contribute to improving the user experience in the future workplace. Neither security nor convenience is optimized. This is where federated identity comes in.

This requires a few more components: an Active Directory Federation Services (AD FS) server, a Web Application Proxy (WAP), and AAD (Azure Active Directory) Connect. The passwords stay in-house and users don’t even have to log on again. It’s an elegant, secure solution.

What? Email too?

The federated identity approach is particularly significant for the future digital workplace, especially for Exchange. To put it bluntly: If you want to use Outlook services like email and calendars securely (and I can’t imagine many companies that don’t want to do that…), there’s no way around running your own Active Directory. No customer can use Exchange without this in-house Exchange installation – which should be implemented redundantly (including backup), by the way.

The only (practical and supported) way to maintain attributes on the AAD is through the Exchange management tools: Exchange Admin Center and Exchange PowerShell. With AADSync, the local Active Directory declares itself the master of everything: the attributes of the external Azure Active Directory become “read-only” in this case. Attributes are changed exclusively on the separate, in-house AD, and the changes are merely passed on to the Azure AD.
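The three identity models described above (cloud, synchronized, federated) and the on-premises source-of-authority rule leave visible traces in the tenant, so an administrator can check which model is actually in force rather than which one was planned. The following audit script is an added example, not code from the author or from T-Systems; it assumes the Microsoft.Graph PowerShell module with read-only directory permissions, and the three-hour staleness threshold is an assumed value.

```powershell
# Added example: audit which identity model an Office 365 / Azure AD tenant really uses.
# Assumes the Microsoft.Graph module; read-only scopes only, nothing is modified.
Connect-MgGraph -Scopes "Domain.Read.All", "Organization.Read.All", "User.Read.All" -NoWelcome

$org         = Get-MgOrganization | Select-Object -First 1
$syncEnabled = [bool]$org.OnPremisesSyncEnabled      # true when AAD Connect / AADSync is active
$lastSync    = $org.OnPremisesLastSyncDateTime

# 1. Per verified domain: federated (AD FS, passwords stay in-house) vs. managed.
#    A managed domain is "synchronized identity" if dirsync is on, otherwise "cloud identity".
$domains = foreach ($d in Get-MgDomain | Where-Object { $_.IsVerified }) {
    $model = if ($d.AuthenticationType -eq 'Federated') {
                 'Federated identity: passwords stay on-premises'
             } elseif ($syncEnabled) {
                 'Synchronized identity: password hashes copied by AAD Connect'
             } else {
                 'Cloud identity: accounts and passwords held by Microsoft'
             }
    [pscustomobject]@{ Domain = $d.Id; Default = $d.IsDefault; Model = $model }
}
$domains | Format-Table -AutoSize

# 2. Source of authority: users with OnPremisesSyncEnabled are mastered on-premises and
#    their synced attributes are read-only in Azure AD; cloud-only users are not.
$users  = Get-MgUser -All -Property Id, UserPrincipalName, OnPremisesSyncEnabled
$synced = @($users | Where-Object { $_.OnPremisesSyncEnabled })
$cloud  = @($users | Where-Object { -not $_.OnPremisesSyncEnabled })
"{0} users mastered on-premises (cloud attributes read-only), {1} cloud-only users" -f $synced.Count, $cloud.Count
if ($syncEnabled -and $cloud.Count -gt 0) {
    Write-Warning "Cloud-only accounts exist in a synchronized tenant; confirm each one is intentional."
}

# 3. Sync freshness: a stale cycle means on-premises changes (including disabled accounts
#    and password changes) are not reaching the cloud. Threshold is an assumed value.
if ($syncEnabled -and $lastSync) {
    $age = (Get-Date).ToUniversalTime() - $lastSync
    if ($age.TotalHours -gt 3) {
        Write-Warning ("Directory sync looks stale: last cycle {0:N1} hours ago" -f $age.TotalHours)
    }
}
```

Run it from an account holding only the listed read scopes; the output names the model per domain and flags accounts that bypass the on-premises source of authority.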

Into the hybrid world – automatically

This means: Even if all the mailboxes (and their data) are in Office 365, the configuration is still local under an activated AADSync. So it’s automatically hybrid. Only the hybrid approach enables professional use of Office 365 from the public cloud. And just like that, the future workplace makes the dream of the hybrid collaboration world come true.

About the author

Marten Bütow

Senior Solution Sales Manager, T-Systems International GmbH
