Over the past 12 months of live usage with Office 365 and Windows Azure Active Directory (AD) one of the top requests Microsoft received from customers and partners is for a simpler way to connect their on-premise Windows Server Active Directory with Windows Azure Active Directory.
Many companies would like to have their employees use the same username and password on premise as in the cloud. But up until now, doing this seamlessly with Windows Azure AD has required deploying and running a set of ADFS servers on-premise or using a 3rd party solution.
Microsoft announced this week that as of last Friday (31/5) they made it dead simple to connect AD to Azure AD, enabling users to log into Office 365, Windows Azure and any other cloud app integrated with Windows Azure AD using their on-premise username and password. They have done this by updating the Windows Azure Active Directory Sync Agent (a.k.a. DirSync), adding the ability to sync hashes of users’ on-premise AD passwords into Windows Azure AD.
This new password sync capability has many advantages over existing 3rd party solutions that synchronize your on-premises passwords to Azure AD/Office 365:
This process does not sync plaintext passwords – the solution syncs hashes of hashes of users’ passwords, greatly reducing the risk of a password leaking.
Companies don’t need to install any new software on their Domain Controllers OR reboot their DCs.
Users don’t need to change their password in order for their password to initially sync to Azure AD.
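To make the “hashes of hashes” point concrete, here is an added illustration. It is not Microsoft’s code and not the derivation DirSync actually uses (the post does not describe it): the directory’s stored hash is fed through a salted, iterated derivation and only that derived value is synced, so a leak of the synced value does not hand out the on-premise hash. All function names, the stand-in on-premise hash and the iteration count are assumptions.

```python
import hashlib
import hmac
import os

# Illustrative scheme (an assumption for this example, not the DirSync algorithm):
#   on-prem hash  = SHA-256(password)  (stands in for the hash a domain controller stores)
#   synced value  = PBKDF2-HMAC-SHA256(on-prem hash, per-user salt, ITERATIONS)
# The cloud side keeps only (salt, iterations, hash_of_hash); never the plaintext,
# and never the on-prem hash itself.
ITERATIONS = 1000  # assumed value for illustration


def onprem_hash(password: str) -> bytes:
    """Stand-in for the hash the directory stores; the plaintext never leaves this call."""
    return hashlib.sha256(password.encode("utf-16-le")).digest()


def make_sync_record(stored_hash: bytes, salt: bytes = b"") -> dict:
    """Derive the value that would be synced to the cloud from the on-prem hash only."""
    salt = salt or os.urandom(16)  # fresh per-user salt unless one is supplied
    derived = hashlib.pbkdf2_hmac("sha256", stored_hash, salt, ITERATIONS)
    return {"salt": salt, "iterations": ITERATIONS, "hash_of_hash": derived}


def cloud_verify(record: dict, password: str) -> bool:
    """Cloud-side login check: re-derive from the candidate password and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac(
        "sha256", onprem_hash(password), record["salt"], record["iterations"]
    )
    return hmac.compare_digest(candidate, record["hash_of_hash"])


def synced_value_equals_onprem_hash(record: dict, password: str) -> bool:
    """Would a leaked synced value double as the on-prem hash? With a hash of a hash it does not."""
    return record["hash_of_hash"] == onprem_hash(password)
```

Because the salt is per user, two users with the same password get different synced values, which is what blocks cross-user matching on a leaked cloud-side table.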
This new password sync is another feature of DirSync. If you are already running DirSync, you’ll need to download and install the new DirSync build. When you set up DirSync, enabling password sync is as simple as checking the “Enable Password Sync” checkbox in the DirSync Configuration Wizard. No additional hardware, no additional installation steps:
Even simpler with improved updating:
They have also updated DirSync so that you’ll no longer have to uninstall and reinstall to get the newest features. In the future, you’ll only need to download the latest version of DirSync and run it on your existing deployment to upgrade to the latest and greatest configuration!
So, when should you use Password Sync?
This is a great question. Windows Server ADFS still offers benefits to customers that Password Sync doesn’t. You need to analyze your business requirements and determine which solution (Password Sync or ADFS) fits your organization’s needs best.
Password Sync offers customers what Microsoft calls “Same Sign-On”, which is not the same as the “Single Sign-On” that ADFS offers. With Password Sync, users that have their passwords synced to Azure AD will be able to use the same username and password to log into their Azure AD services as well as their on-premises resources. But they will still be prompted to sign in to their cloud resources, even if they are already logged in to your corporate network. With ADFS, users get true single sign-on: they are not prompted to enter their credentials if they are already logged into their Windows PCs.
Additionally, ADFS supports:
Custom two-factor authentication mechanisms deployed on-premises
The ability to make policy-based access control decisions
So there are definitely some compelling reasons to use Windows Server ADFS.
If you want to talk to us here at Positive Computing about which model is right for your company then please do call.