Friday, June 7, 2013

New DirSync Does Not Require ADFS for O365

On June 3rd, Microsoft released a new version of DirSync (Windows Azure Directory Sync Tool) that can synchronize on-premises password up to Office 365. With the addition of this functionality, you can have users log on to Office 365 without the requirement to configure Active Directory Federation Services (AD FS). Let me give a fairly long explanation as to why this is a good thing. First, how did it look with AD FS.

O365 Authentication with AD FS
A traditional configuration of O365 with single sign-on allows users to authenticate to O365 by using their corporate username and password. To enable this process, two components needed to be in place:
  • DirSync. This component replicates information from the on-premises AD to O365. This allows on-premises user accounts to be automatically created in the cloud.
  • AD FS. This component is a service that provides authentication for external services that use the on-premises AD as a source for user accounts.  For example, when you authenticate to O365, the credentials you provide are passed to AD FS in your organization for authentication. If AD FS indicates that your username and password are correct, then you are given access to your O365 account. Basically, it allows authentication to be outsourced from the location hosting the application.
There were two main issues with using AD FS:
  1. If AD FS is not available, you could not authenticate to O365. So, if the corporate internet connection was down or if AD FS experienced any issues at all, your access to O365 was in jeopardy. When a selling feature of cloud-based services is high availability, this makes AD FS a major weak point.
  2. AD FS is relatively complex to setup and configure if you want it to be highly available. At minimum, the recommended solution requires two AD FS servers and two AD FS proxies combined with load balancing for each level.

How Does the New DirSync Help
The new version of DirSync has an option to synchronize passwords from the on-premises AD to O365. Once the password has been synchronized, you authenticate only within O365. This can be used with hybrid deployments of Exchange Server.

To me this provides two big benefits:
  1. The complexity and cost of AD FS is avoided.
  2. O365 accounts can be authenticated even when the on-premises network is unavailable.
Things to Think About
Nothing is a completely free ride. So, there are things that you need to consider when selecting password synchronization over AD FS:
  1. How paranoid are you? Your AD password information being replicated into the O365. This is done by replicating the hash value of the password, not the actual password, but if someone got the hash value, they could run a brute force attack on the hash and might be able to get the password.
  2. Users will be prompted for credentials. AD FS provides single sign-on. For domain joined computers, this meant that access to O365 could be made seamless by passing workstation credentials to O365 for authentication. When you use password synchronization, users will be prompted for a password when starting Outlook. At least until you save the credentials during logon to O365.
  3.  Password synchronization from AD to O365 is not immediate. Password synchronization takes place outside the standard 3 hour interval for synchronization. Typically, password synchronization is complete within a few minutes, but it is not immediate.
  4. This tool has apparently been available on the eduction side of O365 for a while. So, it's not completely new. That makes me feel better about looking at implementing it sooner rather than later.
  5. You can convert from an AD FS federated domain to using password synchronization fairly easily by using Convert-MsolDomainToStandard.
Additional Resources
Here are some additional resources that will help you evaluate whether password synchronization is right for your organization:


  1. What if you do not have an on-premise AD? We use O365 exclusively, and use Azure for VMs. We would like to use 365 credentials to log into the Azure portal (for admins) and have users use 365 credentials for VM access.

  2. To implement that scenario, you'll need to put AD and AD FS in your Azure VM environment. Then treat it just like on-premises. You'd sync the passwords from AD in your VM environment to Azure AD. I'm not aware of any method to sync the passwords from O365 (Azure AD) back out.