Understanding Office 365 And Directory Synchronization

Sooner or later most organizations need to synchronize their on-premises Active Directory with Office 365 / Azure Active Directory so that users get Single Sign-On (SSO) to cloud services.

One thing to keep in mind: Azure Active Directory is not a replacement for the on-premises Active Directory domain controllers. It gives the organization's users a way to reach cloud resources without having to remember an additional set of accounts and passwords.

The integration can get confusing if you are not aware of the different pieces involved. Two tools come up in almost every discussion:

  1. DirSync Tool
  2. Azure AD Connect

Anyone choosing between the two can be left wondering which one to use, so let's make it simple: Azure AD Connect is the current synchronization tool, and DirSync is its deprecated predecessor. New deployments should use Azure AD Connect.

There are four options for how users are identified and authenticated; the last three provide SSO against on-premises Active Directory:

  1. Cloud users
  2. Password synchronization
  3. Pass-through Authentication
  4. Federated Identity (ADFS)

Cloud users
  • This is the basic and default option: all users are created directly in the cloud (Office 365) as separate identities with their own passwords, and nothing is synchronized from on-premises Active Directory.

Pass-through Authentication
  • Pass-through Authentication provides SSO and is configured from the latest version of Azure AD Connect, which installs a lightweight authentication agent on an on-premises server.
  • The agent only makes outbound HTTPS connections to Azure AD, so no inbound ports and no DMZ are required. Once enabled, Office 365 sign-ins are validated against the on-premises Active Directory.
  • The password the user enters on the Azure AD sign-in page is encrypted and handed down to the on-premises agent. The agent validates it against a domain controller and returns only the result (success, or the failure reason) to Azure AD; the password itself is never stored in the cloud.

Password Synchronization
  • With password hash synchronization, Azure AD Connect takes each user's password hash from on-premises Active Directory, re-hashes it with a per-user salt, and stores that derived value in Azure AD. Neither the clear-text password nor the raw AD hash leaves the network. Password hash synchronization can be enabled alongside Pass-through Authentication.
  • With Pass-through Authentication alone, no password material is stored in the cloud: every sign-in is validated by the on-premises Active Directory, so if the domain controllers or the authentication agents are unreachable, users cannot sign in.
  • If password hash synchronization is enabled in addition, Azure AD holds the derived hashes for all users and can validate sign-ins itself when the on-premises side is down. Be aware that this fallback is not automatic: an administrator has to switch the tenant's sign-in method to password hash synchronization in Azure AD Connect for it to take over. The value held in Azure AD is a salted, iterated hash of the AD hash, not the hash AD itself uses, so it cannot be replayed against on-premises resources.

Federated Identity (ADFS)
  • Active Directory Federation Services (ADFS) offers the most complete SSO experience: authentication is performed entirely by the organization's own servers.
  • ADFS requires additional servers in the on-premises network. A typical deployment is a two-server ADFS farm across separate sites, plus two Web Application Proxy servers in a DMZ to publish ADFS to the internet securely; the federation servers themselves should not be exposed directly.
  • Whenever a user signs in, Office 365 redirects the browser to the ADFS server, which completes the authentication and returns a signed token to the cloud service.
  • With ADFS, claim rules can restrict access to Microsoft services based on the client's IP address, and multi-factor authentication can be enforced at the federation server.