Gartner Research

Guidance for Microsoft Office 365 Identity Management

Published: 17 April 2020

ID: G00465339

Analyst(s): Paul Rabinovich


Identity management for Microsoft Office 365 is challenging. Implementing hybrid identity and protecting employee, administrator and partner access can be daunting. This document provides security and risk management technical professionals with guidance on best practices for Office 365 IAM.

Table Of Contents

Problem Statement

The Gartner Approach

The Guidance Framework

  • Prework Step 1: Selecting the Tenancy Model
  • Prework Step 2: Selecting Azure AD Licensing Plans
  • Foundational Step 1: On-Premises Preparation
    • Action 1: Assess the Need for AD Consolidation
    • Action 2: Prepare Nonroutable AD Domains for Synchronization
    • Action 3: Clean Up Users and Groups Being Synchronized to Azure AD
    • Action 4: Harmonize UPNs and Email Addresses for All Users
    • Action 5: Designate an Immutable Identifier Attribute
    • Action 6: Decide on Attributes to Be Synchronized to Azure AD
    • Action 7: Clean Up AD Data and Set Up Maintenance Processes
    • Action 8: Migrate to Clients That Support Modern Authentication
  • Foundational Step 2: User Management
    • Cloud-Only Identities
    • AD-Managed Identities
    • Identities Managed by Third-Party IGA Tools
    • Identities Managed by Third-Party SaaS-Delivered AM Tools
  • Foundational Step 3: User Login, Single Sign-On and Password Management
    • Cloud Passwords
    • Azure AD Cloud Authentication
    • Identity Federation
    • Modern Authentication vs. Legacy Authentication
    • Passwordless Authentication
  • Foundational Step 4: Mobility
  • Foundational Step 5: Conditional Access and Multifactor Authentication
    • Azure AD MFA
    • Conditional Access
  • Advanced Step 1: External Collaboration
    • External Collaboration Capabilities in Office 365
  • Advanced Step 2: Identity Governance and Administration
  • Advanced Step 3: Privileged Access Management
    • Principle 1: Track and Secure Every Privileged Account
    • Principle 2: Govern and Control Access
    • Principle 3: Record and Audit Privileged Activity
    • Principle 4: Operationalize Privileged Tasks
  • Related Guidance

Gartner Recommended Reading

©2021 Gartner, Inc. and/or its affiliates. All rights reserved. Gartner is a registered trademark of Gartner, Inc. and its affiliates. This publication may not be reproduced or distributed in any form without Gartner’s prior written permission. It consists of the opinions of Gartner’s research organization, which should not be construed as statements of fact. While the information contained in this publication has been obtained from sources believed to be reliable, Gartner disclaims all warranties as to the accuracy, completeness or adequacy of such information. Although Gartner research may address legal and financial issues, Gartner does not provide legal or investment advice and its research should not be construed or used as such. Your access and use of this publication are governed by Gartner’s Usage Policy. Gartner prides itself on its reputation for independence and objectivity. Its research is produced independently by its research organization without input or influence from any third party. For further information, see Guiding Principles on Independence and Objectivity.

Already have a Gartner Account?

Become a client

Learn how to access this content as a Gartner client.