Identity models and authentication for Microsoft Teams
Microsoft Teams supports all the identity models that are available with Microsoft 365 and Office 365, which include:
Cloud-only: User accounts are created and managed in Microsoft 365 or Office 365 and stored in Azure Active Directory (Azure AD). User sign-in credentials (account name and password) are validated by Azure AD.
Hybrid: User accounts are typically managed in an on-premises Active Directory Domain Services (AD DS) forest. Depending on the configuration, credential validation can be done by Azure AD, AD DS, or a federated identity provider. This model uses directory synchronization from AD DS to Azure AD with Azure AD Connect.
For more information, see Microsoft 365 identity models and Azure AD.
Depending on your organization's decisions of which identity model and configuration you use, the implementation steps may vary.
If you haven't already deployed Microsoft 365 or Office 365 and an identity model, use this table.
|Identity Model||Deployment Checklist||Additional information|
Microsoft FastTrack is available to assist you.
|Hybrid identity with federated authentication||
Passwords are the most common method of authentication for signing in to a computer or online service, but they are also the most vulnerable. People can choose easy passwords and use the same passwords for multiple sign-ins to different computers and services.
To provide an additional level of security for sign-ins, use multi-factor authentication (MFA), which requires both a password and an additional verification method such as:
- A text message sent to a phone that requires the user to type a verification code.
- A phone call.
- The Microsoft Authenticator smart phone app.
- Other methods available with hybrid identity and federated authentication.
MFA is supported with any Microsoft 365 or Office 365 plan that includes Microsoft Teams. It is highly recommended that at a minimum you require MFA for that accounts that are assigned administrator roles, such as Teams service admin.
You should also roll out MFA to your users. Once your users are enrolled for MFA, the next time they sign in, they will see a message that asks them to set up their additional verification method.
For more information, see Multi-factor authentication for Microsoft 365.