Business users may find the productivity-boosting potential of Office 2013 tantalizing; its ties to the cloud and support for devices beyond PCs means on-the-go users are never far from their important documents. IT admins, on the other hand, may feel more wary than excited by Microsoft's move to untether its ubiquitous productivity suite from the desktop because it represents a significant shift from traditional end-user security.
Microsoft summarizes the nature of the shift pretty well in a security overview of Office 2013: "[This release] makes a fundamental change from computer-centered identity and authentication to user-centered identity and authentication. This shift enables content, resources, most recently used lists, settings, links to communities, and personalization to roam seamlessly with users as they move from desktop, to tablet, to smartphone, or to a shared or public computer."
What that means is Office 2013 Preview lets users sign in once, after which they can work on and access local and cloud-based Office files, as well as connected services, without having to enter new credentials along the way, according to Microsoft. Those connected services might include an organization's SkyDrive account or a user's personal cloud storage service. They also might include a user's Facebook or LinkedIn account. This is true regardless of the identity provider or the authentication protocol used by a given app, per Microsoft. Supported protocols include OAuth, forms-based authentication, claims-based authentication, and Windows Integrated Authentication.
The ability to access any and all apps, services, and data from any device via single sign-on is all well and good for users, but from a security perspective, it means those apps and data could be just a successful phishing campaign, password crack, or malware infection away from falling into a malicious hacker's hands. End-users generally can't be trusted to perform the necessary due diligence to secure their devices and accounts, either.
Microsoft is attempting to equip IT admins with the tools they need to comfortably and securely manage this new identity-centric Office paradigm. Generally speaking, admins will be able to control password policies across devices and services, use Group Policy to configure the operating environment, and manage identities with FIM (Forefront Identity Manager) or ADFS (Active Directory Federation Services). Active Directory is central to the system, but companies don't need to run AD on-site.
Companies have choices: The bare minimum approach would simply put the management in Microsoft's hands, though admins could still provision or de-provision identities and service access via a management portal or PowerShell cmdlets. Organizations also could use the Microsoft Online Directory Synchronization service for identity provisioning; authentication would take place in the cloud. Larger companies might add federated authentication to the mix via Active Directory Federation Server 2.0.
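The "bare minimum" option above still leaves the admin with PowerShell-driven control over who can sign in and what a single set of credentials unlocks. The script below is an added illustration, not Microsoft's own documentation or code; it uses the Microsoft Online Services (MSOnline) module cmdlets and assumes a constructed tenant domain (contoso.onmicrosoft.com), a constructed user, and a license SKU name that must be looked up in your own tenant.

```powershell
# Added example: provisioning and de-provisioning an identity in the
# cloud-managed scenario, using MSOnline cmdlets. Tenant, user and SKU
# values below are constructed placeholders, not values from the article.

Import-Module MSOnline
Connect-MsolService   # prompts for admin credentials

$domain = 'contoso.onmicrosoft.com'                 # assumed tenant domain
$upn    = "alice.example@$domain"                   # constructed user

# 1. Tenant-wide password policy: with single sign-on reaching every
#    connected service, one stale password is one shared risk.
#    Passwords expire after 90 days; users are warned 14 days ahead.
Set-MsolPasswordPolicy -DomainName $domain -ValidityPeriod 90 -NotificationDays 14

# 2. Provision: create the user and assign a license. Replace the SKU
#    with one returned by Get-MsolAccountSku in your tenant (assumption).
$sku = (Get-MsolAccountSku | Select-Object -First 1).AccountSkuId
New-MsolUser -UserPrincipalName $upn `
             -DisplayName 'Alice Example' `
             -FirstName 'Alice' -LastName 'Example' `
             -UsageLocation 'US' `
             -LicenseAssignment $sku

# Make sure the new account is subject to the expiry policy set above.
Set-MsolUser -UserPrincipalName $upn -PasswordNeverExpires $false

# 3. De-provision in the right order: block sign-in first, so the
#    roaming identity stops unlocking files and services immediately,
#    then strip licenses, and only then delete the account.
Set-MsolUser -UserPrincipalName $upn -BlockCredential $true

$assigned = (Get-MsolUser -UserPrincipalName $upn).Licenses.AccountSkuId
if ($assigned) {
    Set-MsolUserLicense -UserPrincipalName $upn -RemoveLicenses $assigned
}

Remove-MsolUser -UserPrincipalName $upn -Force
```

Blocking credentials before removal matters because, as the article notes, one sign-in now reaches local files, cloud storage and third-party connected services at once; a deleted-but-still-cached session is harder to reason about than an explicitly blocked one.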