Identity models and authentication for Microsoft Teams

Microsoft Teams supports all the identity models that are available with Microsoft 365 and Office 365, which include:

  • Cloud-only: User accounts are created and managed in Microsoft 365 or Office 365 and stored in Microsoft Entra ID. User sign-in credentials (account name and password) are validated by Microsoft Entra ID.

  • Hybrid: User accounts are typically managed in an on-premises Active Directory Domain Services (AD DS) forest. Depending on the configuration, credential validations are done by Microsoft Entra ID, AD DS, or a federated identity provider. This model uses directory synchronization from AD DS to Microsoft Entra ID with Microsoft Entra Connect.

For more information, see Microsoft 365 identity models and Microsoft Entra ID.


Depending on your organization's decisions of which identity model and configuration you use, the implementation steps may vary.

If you haven't already deployed Microsoft 365 or Office 365 and an identity model, use this table.

Identity Model Deployment Checklist Additional information
  1. Compare Microsoft 365 and Office 365 plan options and obtain a subscription and a tenant.
  2. Create a Microsoft 365 or Office 365 organization for your tenant.
  3. Purchase Microsoft 365 or Office 365 licenses for the tenant
  4. Configure domains and admin user accounts.

Microsoft FastTrack is available to assist you.
Cloud identity
  • Create user accounts with the Microsoft 365 admin center
Hybrid identity
  1. Install Microsoft Entra Connect.
  2. Configure directory synchronization.
  3. Manage users and groups with AD DS tools.
Hybrid identity with federated authentication
  1. Install and configure a federated identity provider such as AD FS.
  2. Install Microsoft Entra Connect and configure directory synchronization and federated authentication.
  3. Manage users and groups with AD DS tools.

Multifactor authentication

Passwords are the most common method of authentication for signing in to a computer or online service, but they're also the most vulnerable. People can choose easy passwords and use the same passwords for multiple sign-ins to different computers and services.

To provide an extra level of security for sign-ins, use multifactor authentication (MFA), which requires both a password and an other verification method such as:

  • A text message sent to a phone that requires the user to type a verification code.
  • A phone call.
  • The Microsoft Authenticator smart phone app.
  • Other methods available with hybrid identity and federated authentication.

MFA is supported with any Microsoft 365 or Office 365 plan that includes Microsoft Teams. It's highly recommended that at a minimum you require MFA for that accounts that are assigned administrator roles, such as Teams service admin.

You should also roll out MFA to your users. Once your users are enrolled for MFA, the next time they sign in, they'll see a message that asks them to set up their extra verification method.

For more information, see multifactor authentication for Microsoft 365.