O365 Authentication with AD FS
A traditional configuration of O365 with single sign-on allows users to authenticate to O365 by using their corporate username and password. To enable this process, two components needed to be in place:
- DirSync. This component replicates information from the on-premises AD to O365. This allows on-premises user accounts to be automatically created in the cloud.
- AD FS. This component is a service that provides authentication for external services that use the on-premises AD as a source for user accounts. For example, when you authenticate to O365, the credentials you provide are passed to AD FS in your organization for authentication. If AD FS indicates that your username and password are correct, then you are given access to your O365 account. Basically, it allows authentication to be outsourced from the location hosting the application.
- If AD FS is not available, you could not authenticate to O365. So, if the corporate internet connection was down or if AD FS experienced any issues at all, your access to O365 was in jeopardy. When a selling feature of cloud-based services is high availability, this makes AD FS a major weak point.
- AD FS is relatively complex to setup and configure if you want it to be highly available. At minimum, the recommended solution requires two AD FS servers and two AD FS proxies combined with load balancing for each level.
How Does the New DirSync Help
The new version of DirSync has an option to synchronize passwords from the on-premises AD to O365. Once the password has been synchronized, you authenticate only within O365. This can be used with hybrid deployments of Exchange Server.
To me this provides two big benefits:
- The complexity and cost of AD FS is avoided.
- O365 accounts can be authenticated even when the on-premises network is unavailable.
Nothing is a completely free ride. So, there are things that you need to consider when selecting password synchronization over AD FS:
- How paranoid are you? Your AD password information being replicated into the O365. This is done by replicating the hash value of the password, not the actual password, but if someone got the hash value, they could run a brute force attack on the hash and might be able to get the password.
- Users will be prompted for credentials. AD FS provides single sign-on. For domain joined computers, this meant that access to O365 could be made seamless by passing workstation credentials to O365 for authentication. When you use password synchronization, users will be prompted for a password when starting Outlook. At least until you save the credentials during logon to O365.
- Password synchronization from AD to O365 is not immediate. Password synchronization takes place outside the standard 3 hour interval for synchronization. Typically, password synchronization is complete within a few minutes, but it is not immediate.
- This tool has apparently been available on the eduction side of O365 for a while. So, it's not completely new. That makes me feel better about looking at implementing it sooner rather than later.
- You can convert from an AD FS federated domain to using password synchronization fairly easily by using Convert-MsolDomainToStandard.
Here are some additional resources that will help you evaluate whether password synchronization is right for your organization:
- New Azure Active Directory Sync tool with Password Sync is now availablehttp://blogs.technet.com/b/educloud/archive/2013/06/03/new-azure-active-directory-sync-tool-with-password-sync-is-now-available.aspx
- Implement Password Synchronization
- Install or upgrade the Directory Sync tool