The document compares three options for providing identity and access management for Microsoft Online services: 1) MS Online IDs only, 2) MS Online IDs with on-premise directory synchronization, and 3) Federated IDs with on-premise directory synchronization. It provides pros and cons of each option, with the third option being most appropriate for larger enterprises as it allows for single sign-on using on-premise credentials, centralized user management, and password policies controlled on-premise while also enabling co-existence with cloud-based identities. The document also includes diagrams illustrating authentication flows and potential federated identity deployment architectures between an on-premise Active Directory and Microsoft Online services.