Identity models and authentication in Microsoft Teams

Microsoft Teams supports all the identity models that are available with Office 365. Supported identity models include:

  • Cloud Identity: In this model, a user is created and managed in Office 365 and stored in Azure Active Directory, and the password is verified by Azure Active Directory.

  • Synchronized Identity: In this model, the user identity is managed in an on-premises server, and the accounts and password hashes are synchronized to the cloud. The user enters the same password on-premises as they do in the cloud, and at sign-in the password is verified by Azure Active Directory. This model uses the Microsoft Azure Active Directory Connect Tool.

  • Federated Identity: This model requires a synchronized identity, with the user password verified by the on-premises identity provider. With this model, the password hash does not need to be synchronized to Azure AD, and Active Directory Federation Services (ADFS) or a third-party identity provider is used to authenticate users against the on-premises Active Directory.

Configurations

Implementation requirements vary depending on which identity model your organization decides to use. Refer to the requirements table below to ensure that your deployment meets these prerequisites. If you have already deployed Office 365 and implemented the identity and authentication method, you may skip these steps.

Identity Model Deployment Checklist Additional Information
All
  1. Compare Office 365 Plan Options and obtain a subscription
  2. Create an Office 365 tenant
  3. Assign Office 365 licenses to the tenant
  4. Configure Domains and admin users
  5. Continue with Identity Model specific instructions
Cloud Identity
  1. Create users using Office 365 Admin Portal
Synchronized Identity
  1. Install Azure AD Connect
  2. Configure Directory Synchronization
  3. Create users using on-premises Active Directory management tools
Federated Identity
  1. Install Azure AD Connect
  2. Configure Directory Synchronization
  3. Install and configure a Federated Identity Provider (ADFS recommended)
  4. Create users using on-premises Active Directory management tools

Refer to Choosing a sign-in model for Office 365 and Understanding Office 365 identity and Azure Active Directory guides for additional details.

Multi-Factor Authentication

Office 365 plans support Multi-Factor Authentication (MFA), which increases the security of user logins to Office 365 services. With MFA for Office 365, users are required to acknowledge a phone call, text message, or an app notification on their smartphone after correctly entering their password. Only after this second authentication factor has been satisfied can a user sign in.

Multi-Factor Authentication is supported with any Office 365 plan that includes Microsoft Teams. The Office 365 subscription plans that include Microsoft Teams are discussed in the Licensing section below.

Once users are enrolled for MFA, the next time they sign in they see a message that asks them to set up their second authentication factor. Supported authentication methods are:

Tenant Type Available MFA Second Factor options Notes
Cloud Only MFA for Office 365
  • Phone Call
  • Text Message
  • Mobile App Notification
  • Mobile App Verification Code
Notes: See Plan for multi-factor authentication for Office 365 Deployments
Hybrid setup (Synchronized or Federated Identity model)
  • MFA for Office 365
  • Azure MFA module (ADFS integrated)
  • Physical or virtual smart card (ADFS integrated)
Note: Additional MFA solutions are available with identity providers that are compatible with Azure AD federation.
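
To check which identity model each account actually falls under and whether a second factor is registered for it, the following added example (not part of the original Microsoft page) builds a per-user report. It assumes the MSOnline PowerShell module from the Azure AD era of this page is installed and that Connect-MsolService has already been run with an administrator account; the variable names are illustrative.

```powershell
# Added example: classify every user by identity model and MFA registration.
# Assumption: MSOnline module loaded and Connect-MsolService already run.

# Map each tenant domain to its authentication type (Managed or Federated).
$domainAuth = @{}
Get-MsolDomain | ForEach-Object { $domainAuth[$_.Name.ToLower()] = $_.Authentication }

$report = Get-MsolUser -All | ForEach-Object {
    $domain = ($_.UserPrincipalName -split '@')[-1].ToLower()

    # No directory-sync timestamp means the account was created in the cloud.
    if (-not $_.LastDirSyncTime) {
        $model = 'Cloud'
    }
    elseif ($domainAuth[$domain] -eq 'Federated') {
        $model = 'Federated'      # password verified by ADFS / third-party IdP
    }
    else {
        $model = 'Synchronized'   # password hash verified by Azure AD
    }

    # Per-user MFA state is absent when MFA for Office 365 was never enabled.
    $reqs  = @($_.StrongAuthenticationRequirements)
    $state = if ($reqs.Count -gt 0) { $reqs[0].State } else { 'Disabled' }

    $methods = @($_.StrongAuthenticationMethods)
    $default = $methods | Where-Object { $_.IsDefault } | Select-Object -First 1

    [pscustomobject]@{
        UserPrincipalName = $_.UserPrincipalName
        IdentityModel     = $model
        MfaState          = $state
        MethodsRegistered = $methods.Count
        DefaultMethod     = $default.MethodType
    }
}

# Summary per identity model, then the accounts with no second factor registered.
$report | Group-Object IdentityModel, MfaState | Select-Object Name, Count
$report | Where-Object { $_.MethodsRegistered -eq 0 } |
    Sort-Object IdentityModel, UserPrincipalName |
    Format-Table UserPrincipalName, IdentityModel, MfaState
```

For federated accounts, an empty method list is not by itself a gap: the second factor may be enforced on-premises through the ADFS-integrated options listed in the table above, which this report cannot see.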