Interlink Cloud Blog


Active Directory Federation Services (ADFS) vs. Password Sync

There are a number of different ways to provide Single Sign-On (SSO) in a Microsoft Cloud environment. The two most popular are Active Directory Federation Services (ADFS) and Password Sync, a feature of the Directory Synchronization (DirSync) tool (since superseded by Azure Active Directory Connect). Microsoft includes both technologies with Office 365 licensing; however, each runs on a Windows Server that must be licensed separately.

ADFS with federated login provides true Single Sign-On (SSO) with Office 365, whereas DirSync with Password Sync provides only Same Sign-On: users keep a single password, but they are still prompted for credentials when accessing Office 365, even from domain-joined machines. ADFS also allows finer access control, for example by client IP address.

With DirSync and Password Synchronization, users log on to Windows Azure Active Directory with the same password they use for the on-premises Active Directory. The account and password are authenticated by Office 365 itself, against a hash derived from the on-premises password hash (the clear-text password is never sent to the cloud). With ADFS SSO, by contrast, the credentials are authenticated by the on-premises ADFS server and Office 365 only receives a signed token.


Pros of ADFS

  • ADFS can be configured such that users who are already logged on to a domain-joined, connected machine do not need to re-enter a password to sign in to Office 365. This is true single sign-on, since no password re-entry is required. With DirSync and password hash synchronization a user must still re-enter their password, although it is the same password they use on-premises. This is especially important for SharePoint Online, since users may need to go there dozens of times per day.
  • ADFS allows for client access filtering, which restricts access to Exchange Online to users based on their IP address. Customers frequently use this control to limit hourly workers to only checking mail while onsite. Find more details here: Can I Limit Access to Office 365 for Remote or Hourly Users?
  • ADFS will honor Active Directory configured login time restrictions for users.
  • ADFS can include web pages for users to change their passwords while they are outside the corporate network.
  • With ADFS the authentication decision is always made on-premises and no password hashes are synchronized to the cloud. This may be obvious, but it is sometimes a security policy requirement.
  • With ADFS an administrator can immediately block a user to remove access, whereas DirSync synchronizes account changes only every three hours. Only password changes are synchronized by DirSync every two minutes.
  • ADFS permits the use of on-premises multi-factor authentication products. Azure AD supports multi-factor authentication, but many third-party multi-factor products require on-premises integration.
  • Where Microsoft Forefront Identity Manager (FIM) is required for some other FIM capability: FIM directory synchronization does not include password hash synchronization, so ADFS will still be required for SSO login.
  • Some on-premises to cloud hybrid scenarios require ADFS such as hybrid search.
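The client access filtering mentioned above is implemented as an issuance authorization rule on the Office 365 relying party trust in ADFS. The following is an added example, not code from the original post or from Microsoft's documentation: it denies requests that arrive through the ADFS proxy (i.e. from outside the corporate network) unless the forwarded client IP falls in the company's public egress range or the client is Exchange ActiveSync. The relying party name is the default one Office 365 creates; the 203.0.113.x range, the backup path and the decision to exempt ActiveSync are assumptions for illustration and must be adapted. The claim types used require ADFS 2.0 with Update Rollup 2 or later, or ADFS on Windows Server 2012 R2, and the forwarded-client-IP claim is what Exchange Online reports for Outlook and other active-profile clients.

```powershell
# Added example (not from the original post). Run on the primary ADFS server
# with an account that holds the ADFS administrator role.
Import-Module ADFS   # ADFS 2.0 instead uses: Add-PSSnapin Microsoft.Adfs.PowerShell

# Default display name of the Office 365 relying party trust (assumption: unchanged).
$rpName = "Microsoft Office 365 Identity Platform"

# Request-context claims added by the ADFS proxy / Web Application Proxy:
#   x-ms-proxy               - present only when the request came through a proxy (extranet)
#   x-ms-forwarded-client-ip - the client's public IP as reported to ADFS
#   x-ms-client-application  - the client protocol, e.g. Microsoft.Exchange.ActiveSync
# 203.0.113.0/24 is a placeholder (documentation range); replace with your egress IPs.
$rules = @'
@RuleName = "Permit all users"
=> issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");

@RuleName = "Deny extranet access except from corporate egress IPs or ActiveSync"
exists([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-proxy"])
 && NOT exists([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-forwarded-client-ip", Value =~ "^203\.0\.113\.\d{1,3}$"])
 && NOT exists([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-client-application", Value == "Microsoft.Exchange.ActiveSync"])
=> issue(Type = "http://schemas.microsoft.com/authorization/claims/deny", Value = "true");
'@

# Keep a copy of the current rule set so the change can be rolled back.
$trust = Get-AdfsRelyingPartyTrust -Name $rpName
$backup = Join-Path $env:TEMP "o365-issuance-authz-rules.bak.txt"   # assumed path
$trust.IssuanceAuthorizationRules | Out-File -FilePath $backup -Encoding UTF8

# Apply the new issuance authorization rules to the Office 365 trust.
Set-AdfsRelyingPartyTrust -TargetName $rpName -IssuanceAuthorizationRules $rules

# Verify what ADFS now holds for the trust.
(Get-AdfsRelyingPartyTrust -Name $rpName).IssuanceAuthorizationRules
```

Two things to keep in mind when adapting this: a deny claim always wins over a permit, so the permit-all rule stays harmless, and the rule only blocks requests that carry the x-ms-proxy claim, so internal requests that never touch the proxy are unaffected. Test against a pilot account before applying it to the whole tenant, and restore from the backup file with the same Set-AdfsRelyingPartyTrust call if a client type you did not expect is locked out.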

If you need any of these functionalities then Active Directory Federation Services is still the best option.
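One of the listed points deserves a practical caveat. The three-hour sync lag when blocking a user is real, but with Password Sync it can be shortened to minutes by forcing a sync, and the cloud credential can be blocked directly so the user is stopped before the sync even runs. The following is an added example, not from the original post: it disables the on-premises account, triggers an immediate directory sync, and blocks the Office 365 credential with the MSOnline module. The user name, UPN and domain are placeholders.

```powershell
# Added example (not from the original post). Run from the DirSync server with
# an account that is a domain admin on-premises and a Global Admin in Office 365.
$sam = "jdoe"                 # placeholder sAMAccountName
$upn = "jdoe@contoso.com"     # placeholder user principal name

# 1. Disable the on-premises account. The disabled state is what DirSync carries
#    to Azure AD on the next run; ADFS would enforce it immediately, DirSync does not.
Import-Module ActiveDirectory
Disable-ADAccount -Identity $sam

# 2. Do not wait for the scheduled (three-hour) run: start a sync now.
#    DirSync exposes Start-OnlineCoexistenceSync; Azure AD Connect replaced it
#    with Start-ADSyncSyncCycle -PolicyType Delta (run whichever is installed).
Import-Module DirSync
Start-OnlineCoexistenceSync

# 3. Block the cloud credential directly so the user is locked out even before
#    the sync completes. This is independent of the sync schedule.
Import-Module MSOnline
Connect-MsolService                 # prompts for the Global Admin credential
Set-MsolUser -UserPrincipalName $upn -BlockCredential $true

# 4. Verify: BlockCredential should be True and LastDirSyncTime should advance
#    once the forced sync has finished.
Get-MsolUser -UserPrincipalName $upn |
    Select-Object UserPrincipalName, BlockCredential, LastDirSyncTime
```

Blocking the credential stops new sign-ins; sessions that already hold a valid token may continue until that token expires, so for a compromised account also reset the on-premises password (which Password Sync pushes within about two minutes) and, if Exchange ActiveSync devices are involved, wipe or block them from Exchange Online. This does not change the conclusion that ADFS enforces the block instantly and centrally; it does mean the lag alone is rarely a reason to pick ADFS.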

Cons of ADFS

  • Additional infrastructure needed to deploy.
  • Added point of failure (even if multiple servers are deployed, this option brings in more dependencies for the setup to work).
  • Additional cost involved with this setup.
  • An SSL certificate from a public CA is needed and must be renewed periodically (cost and administrative work involved).

Read more in the Password Hash Sync article.
