Overview
Practice Protect delivers team members a single set of login credentials (SSO) across cloud apps, online portals, client apps, and email/file systems. We refer to integrating SSO into email and file systems as Email Integration.
From a technical standpoint, there are several deployment types for enabling this security integration depending on your firm’s current tech stack configuration. The following guide provides an overview of our standard deployment options for mail integration, and which will suit your firm.
We will identify the relevant deployment type ahead of, or early in, the onboarding process. The firm's technical personnel can also select the best option.
For current deployments that would like to migrate to a different directory source, please contact our support team at support@practiceprotect.com to scope a migration with the project team.
Cloud & SMB Firm Deployment Types (two options)
1. Practice Protect as Source Identity (Microsoft 365 or Google Workspace)
This deployment suits fully cloud-based firms using Microsoft 365 or Google Workspace (G-Suite) that don’t currently have Multi-Factor Authentication or conditional access security over their mail system. It is typically adopted by firms with 15 or fewer team members that manage user setups internally.
In this Identity Architecture, Practice Protect is the Source Identity of the User accounts, meaning users are managed from within Practice Protect and User Account Changes/Modifications are synchronised from Practice Protect to Microsoft 365.
Pros:
- Policies Set in Practice Protect Govern all Cloud App Logins and Email Authentication
- Email Authentication Policy Protection (WS-Federation)
- Central Identity Management & User Provisioning
- Entra ID Joined Computers should use their Practice Protect Account for Sign-In
Cons:
- No Local Active Directory – Users will have a separate login account for their computers.
- Managed Services Providers are required to modify users inside Practice Protect (not via Entra ID or Google Workspace)
More Information: Setup Office 365 Federation & Provisioning
2. Microsoft Entra ID/Google Workspace as Source Identity
This deployment suits firms that already have Conditional Access policies in place and whose Email Authentication is already restricted by Multi-Factor Authentication. It is typically adopted by firms with 15 or more team members that work closely with a proactive outsourced managed services provider for user setups.
In this Identity Architecture, Entra ID/Microsoft 365 is the source of the Identity of Users. The Entra ID accounts are used to authenticate into Practice Protect and are managed by the firm’s Microsoft 365/Entra ID Administrator from the Entra ID console.
Pros:
- Same Username/Password across Computer/Practice Protect/Microsoft 365 (If the Computer is Entra ID joined)
- Decommissioning of Local Active Directory doesn’t require re-onboarding of Users in Practice Protect. (Source of Identity would move to Entra ID directory).
Cons:
- Email Integration is not possible (Conditional Access is required for email login Control)
- Practice Protect Support cannot assist with User Account Changes/Modifications.
More Information: Add Microsoft Entra ID as a Directory Source
Other Identity Deployment Options
3. In Cloud Only
This is the preferred deployment type for non-firmwide rollouts of Practice Protect, such as offshore team members only, or for firms with non-business-grade email systems. This deployment does not provide Single Sign-On between email, files, and cloud apps, which means a lower level of security, and it is therefore not typically recommended.
In this Identity Architecture, Practice Protect is the Source Identity of the User accounts and is not connected to Microsoft 365/Entra ID, Google Workspace, or any other directory systems for Email Integration. Only Web Apps stored in the Practice Protect portal will be governed by Practice Protect Policies.
Source/Account Control: Practice Protect – User Account Changes/Modifications local to Practice Protect
Medium and Large Firm Deployment Methods (less common)
4. Practice Protect Connector + Entra ID Connect + Email Integration (typically only for firms with 25+ users)
In this Identity Architecture, the local Active Directory is the source of the Identity of Users. The identity of the users is replicated from the local Active Directory to both Practice Protect and Entra ID/Microsoft 365. All user account changes are made in the local Active Directory by the Administrator.
Best suited for Firms that plan to stay on the local Active Directory and have the Local Active Directory already syncing to Entra ID/Microsoft 365.
Not suitable for companies looking to move to the Cloud in the near term.
Source/Account Control: local Active Directory
- User Account Changes/Modifications managed by Active Directory Administrator
Pros:
- Same Username/Password across Computer/Practice Protect/Microsoft 365
- Easier Onboarding of User Accounts
- Email Integration is very straightforward as GUID/SID of Account is already synced between all systems.
- Entra Joined Computers can use Practice Protect MFA
Cons:
- Requires re-onboarding of Users in the Event of Active Directory decommissioning
- Requires a Domain Controller online to access Practice Protect/Microsoft 365
- It is advised to run the connector on two Domain Controllers hosted at different locations
More Information: Configure Practice Protect Active Directory connector
5. Microsoft Entra ID Connect + Microsoft Entra ID Source Directory (typically only for firms with 25+ users)
In this Identity Architecture, the local Active Directory is the source of the Identity of Users. The identity of the users is replicated from the local Active Directory to Entra ID. The Entra ID accounts are used to authenticate into Practice Protect.
Best suited for firms that sync local Active Directory to Microsoft 365 and already have Conditional Access policies in place.
Source/Account Control: Local Active Directory
- User Account Changes/Modifications managed by Active Directory Administrator
Pros:
- Same Username/Password across Computer/Practice Protect/Microsoft 365
- Easier onboarding of User Accounts
- Email Integration is very straightforward as GUID/SID of Account is already synced between all systems.
- Decommissioning of local Active Directory does not require re-onboarding of User in Practice Protect. (Source of Identity would move to Entra ID directory).
Cons:
- Email Integration is not possible (Conditional Access is required for email login control)
- Practice Protect support cannot assist with User Account changes/modifications.
More Information: Add Microsoft Entra ID as a Directory Source
6. Practice Protect Connector + Email Integration + Provisioning (typically only for firms with 25+ users)
In this Identity Architecture, the local Active Directory is the source of the Identity of User accounts. The Identity of the users is replicated from the local Active Directory to Practice Protect and then to Entra ID/Microsoft 365.
Best suited for companies that are already syncing Local Active Directory to Microsoft 365 and plan to stay on local Active Directory for the foreseeable future. Not suitable for companies looking to move to the Cloud and migrate away from local Active Directory.
Source/Account Control: Local Active Directory
- User Account changes/modifications managed by Active Directory Administrator
Pros:
- Requires only Practice Protect Connector to be installed in the local Active Directory to sync accounts to Microsoft 365.
- Same Username/Password across Computer/Practice Protect/Microsoft 365
- User Accounts pre-populate in Practice Protect from Active Directory
- Email Integration is very straightforward as GUID/SID of Account is already synced between all systems.
- AD Joined Computers can use Practice Protect MFA
Cons:
- Requires re-onboarding of Users in the event of Active Directory decommissioning.
- Requires a Domain Controller online to access Practice Protect/Microsoft 365
- It is advised to run the connector on two Domain Controllers hosted at different locations
More Information: Configure Practice Protect Active Directory connector