Identity models and authentication for Microsoft Teams

• Applies to:

  Microsoft Teams

Microsoft Teams supports all the identity models that are available with Microsoft 365 and Office 365, which include:

• Cloud-only: User accounts are created and managed in Microsoft 365 or Office 365 and stored in Microsoft Entra ID. User sign-in credentials (account name and password) are validated by Microsoft Entra ID.

• Hybrid: User accounts are typically managed in an on-premises Active Directory Domain Services (AD DS) forest. Depending on the configuration, credential validations are done by Microsoft Entra ID, AD DS, or a federated identity provider. This model uses directory synchronization from AD DS to Microsoft Entra ID with Microsoft Entra Connect.

For more information, see Microsoft 365 identity models and Microsoft Entra ID.

Configurations

Depending on your organization's decisions of which identity model and configuration you use, the implementation steps may vary.

If you haven't already deployed Microsoft 365 or Office 365 and an identity model, use this table.

Identity Model	Deployment Checklist	Additional information
All	Compare Microsoft 365 and Office 365 plan options and obtain a subscription and a tenant. Create a Microsoft 365 or Office 365 organization for your tenant. Purchase Microsoft 365 or Office 365 licenses for the tenant Configure domains and admin user accounts.	Office 365 plan options Compare Microsoft 365 for business Plans Buy or remove subscription licenses Add licenses to a subscription Set up Microsoft 365 for business Add a domain with the setup wizard Microsoft FastTrack is available to assist you.
Cloud identity	Create user accounts with the Microsoft 365 admin center	Add users and assign licenses
Hybrid identity	Install Microsoft Entra Connect. Configure directory synchronization. Manage users and groups with AD DS tools.	Set up directory synchronization
Hybrid identity with federated authentication	Install and configure a federated identity provider such as AD FS. Install Microsoft Entra Connect and configure directory synchronization and federated authentication. Manage users and groups with AD DS tools.	Plan your AD FS deployment Checklist: Deploy your federation server farm Configure extranet access for AD FS Set up a trust between AD FS and Microsoft Entra ID Verify and manage single sign-on with ADFS Set up directory synchronization

Multifactor authentication

Passwords are the most common method of authentication for signing in to a computer or online service, but they're also the most vulnerable. People can choose easy passwords and use the same passwords for multiple sign-ins to different computers and services.

To provide an extra level of security for sign-ins, use multifactor authentication (MFA), which requires both a password and an other verification method such as:

• A text message sent to a phone that requires the user to type a verification code.
• A phone call.
• The Microsoft Authenticator smart phone app.
• Other methods available with hybrid identity and federated authentication.

MFA is supported with any Microsoft 365 or Office 365 plan that includes Microsoft Teams. It's highly recommended that at a minimum you require MFA for that accounts that are assigned administrator roles, such as Teams service admin.

You should also roll out MFA to your users. Once your users are enrolled for MFA, the next time they sign in, they'll see a message that asks them to set up their extra verification method.

For more information, see multifactor authentication for Microsoft 365.