Interlink Cloud Blog


Mike Wilson

Active Directory Federation Services (ADFS) vs. Password Sync


Figuring out the best way to implement Single Sign-On (SSO) in a Microsoft cloud environment can be challenging given how the options have evolved over time, but it’s a key component of any successful Office 365 or Azure deployment. There are four main options for how you can configure SSO: 

Each of these options is available with all flavors of Office 365 licensing, but each has advantages and disadvantages that we’ll want to understand before making our decision. Let’s review them in order. 

Cloud-only passwords 

The most basic option is to not implement single sign-on at all, which might make sense for smaller implementations. In this scenario, user accounts are provisioned on Office 365 and users log on independently of their local Active Directory. 

Pros: 

  • Quick implementation 
  • Self-service password reset is available for Office 365 accounts 
  • No need to dedicate servers or infrastructure for SSO 
  • Can be used if Active Directory is not deployed or most clients are not AD joined 

Cons: 

  • No SSO for end users 

Password Synchronization 

Once we’ve made the decision to implement SSO, password sync is our most basic option. Microsoft provides a tool called Azure AD Connect to synchronize user data from our on-premise Active Directory to Azure AD. This saves us from provisioning user accounts on Office 365 while also giving us the ability to synchronize a hash of the end user’s password. The end user’s full password is not synced, and a password change on-premise will trigger a sync. In this scenario, users log on to Office 365 with their email address/UserPrincipalName and then enter the same password they use in their on-premise Active Directory. 

Pros: 

  • Users have one password to remember for on-premise and Microsoft cloud services 
  • The same server that syncs my user data also syncs passwords which minimizes my on-premises infrastructure footprint 
  • My AD infrastructure or Internet can be down without restricting the ability to logon to Office 365 

Cons: 

  • Domain-joined clients will still be prompted for passwords, although Outlook users can check a box to save their password 
  • Since logons terminate in Azure AD, we lose the ability to have more granular logon restrictions that come with full Active Directory such as restricting logon times which can be critical for some businesses due to changes in federal labor regulations regarding hourly employees. 
  • Self-service password reset for Office 365 accounts is unavailable without purchasing Azure AD Premium or Enterprise Mobility + Security Suite licenses. 

Pass-through Authentication 

With pass-through authentication, we’re finally getting to true SSO. Microsoft released this option in December, 2016 and it’s currently in public preview as of January 15. The latest version of the Azure AD Connect tool includes an agent that opens and maintains an outbound connection to Azure AD (no DMZ or firewall rules required). When this option is enabled, user logons to Office 365 are passed back through this open tunnel to your on-premise Active Directory where they are authenticated live. This means we have access to logon time restrictions. Of course, the downside of having machines authenticate against your local AD is that we need to provide high availability. The good news is that we can deploy additional agents which ideally would use separate internet connections. 

The best part is that pass-through authentication means that we can now have domain joined machines pass through their domain credentials seamlessly. This takes place automatically in most web browsers (IE, Chrome and Firefox). If we have Outlook 2013 or later deployed and modern authentication enabled, Outlook can take advantage of seamless single sign-on as well. 

Pros: 

  • True single sign-on for domain joined PCs in Outlook (2013 or later) and in the web browser – no password needed. 
  • Similar experiences to password sync for external or non-domain joined PCs. 
  • Built into Azure AD Connect which minimizes my infrastructure footprint. 
  • Can deploy additional agents for redundancy. 
  • Satisfies the security requirements of organizations that prohibit syncing a password hash 

Cons: 

  • Building sufficient redundancy can be a challenge for companies with a single datacenter and internet connection. 
  • Browser-based single sign-on still requires an initial “challenge” to determine where to redirect authentication. If I log on to my SharePoint Online site or the Office 365 portal, I get prompted for my username. When I enter that, I get redirected to the pass-through authentication mechanism, which then passes my credentials through seamlessly. Our next option, federated identity, offers a solution to this challenge. 

Federated Identity 

Federated identity offers the best overall end user SSO experience in the Microsoft cloud and offers some unique security options not available in other scenarios, but it also has the most requirements in terms of server infrastructure to implement. To enable federated identity, we need to deploy Active Directory Federation Services (ADFS) in our on-premise network. A typical deployment would be a two-server farm at separate sites (Azure is an option to add a second site for single-datacenter customers). Two additional servers are needed in a DMZ to securely publish ADFS to the internet. Once ADFS is in place, federated identity can be enabled with a few PowerShell commands. 

Similar to pass-through authentication, user logon attempts are passed back to the ADFS farm to validate against your local Active Directory. Outlook 2013 or later will leverage modern authentication to communicate with ADFS. Web browsers will get redirected to the ADFS server to complete their authentication. This lets us use what’s called SmartLinks technology to allow users to log on directly to SharePoint Online without entering a username or password. 

We also have access to security features not available in other scenarios. We can enable client access filtering which lets us restrict access to Microsoft cloud services based on IP address (commonly used when we have hourly employees that shouldn’t be able to check email from home). We can also integrate with on-premise multifactor authentication servers (although you should be looking at Microsoft Azure options for MFA). 

Pros: 

  • Full SSO capabilities in the web browser and Outlook. 
  • Advanced security configurations available including the ability to filter connection on source IP address. 
  • No need to sync a password hash. 
  • ADFS farm can be reused with other cloud services that support SAML. 

Cons: 

  • Additional infrastructure requirements. 
  • Additional points of failure. 
  • Additional cost to setup. 
  • SSL certificate from a public CA is required which will require periodic updating. 

Learn more from the blog article: Understanding Office 365 identity and Azure Active Directory

Think you are interested in SSO but want to talk with an expert about which option is best for your company and environment? Contact us today! 

Sarah Bunt

On-Demand Webinar | How to Stay Secure & Productive with Microsoft’s Enterprise Mobility + Security Suite


On-Demand Webinar & Slides



Are you looking to add a tighter level of security to your environment? Do you want to stay secure and productive on your favorite apps and devices?

In this on-demand event, Microsoft and Interlink Cloud Advisors show you the powerful new capabilities of Microsoft Enterprise Mobility + Security and how it ensures your critical company data is protected.

During this online event, see what’s new through a live demo of EMS’s E5 functionality and how it allows you to:

  • Lock down your valuable data: Automatically classify information to better protect intellectual property with Azure Information Protection. Lock it down so your competitors can’t see it and your existing sales people can’t take it with them!
  • Secure the cloud: Drive security policies and reporting across Microsoft and non-Microsoft cloud services with Cloud App Security. Your data is being dispersed all over the globe by using various SaaS services. Take back control and visibility – we’ll show you how!
  • Control Administrator Account Access: Ensure that powerful rights are utilized appropriately. Privileged Identity Management gives the ability to grant access to admins only when required and limited to the resources needed.
  • Use Identity Protection: Ensure that users are accessing your environment following the policies that are required for your business. Automatically identify risky scenarios, take appropriate actions, and provide reporting.

In addition, we provide an in-depth licensing overview and comparison of EMS E5 vs. EMS E3 features and functionality. You’ll also see how you can leverage Microsoft paid assessments and proof of concepts to see if EMS E5 is the right solution for your business!


Click to instantly watch this information-packed webinar and download the slide deck.


PRESENTERS

Eric Inch


Eric Inch is a Technical Solutions Specialist - Mobility & Security for the Microsoft Corporation. He is responsible for helping clients deploy the EMS offering across their corporate account base.

Eric Brophy


Eric Brophy is a Senior Consultant for Interlink who has helped more than a hundred clients migrate their workloads to the cloud.  He is badged by Microsoft and certified in their cloud technologies.


Matt Scherocman

How Does Archiving in Office 365 Work?

Immutability is the industry-standard term for “preserving data in the system so that it is discoverable, and cannot be destroyed or altered.”

With Exchange Server 2016 and Exchange Online, Microsoft enables organizations to preserve individual or all mailbox items for discovery natively, keeping those items within the Exchange infrastructure. This approach is called In-Place Hold.

One significant benefit of hold as opposed to separate, read-only storage is that items are preserved within the Exchange infrastructure, preserving more of the information including metadata and making management easier for IT admins. Users benefit because they can manage their mailboxes using the familiar Outlook interfaces. From an IT-perspective, In-Place Hold eliminates the necessity and complexity of maintaining a separate infrastructure and potentially storage for Exchange items.

Exchange gives organizations the flexibility to choose the architecture that can help meet their immutability requirements whether that is on-premises, online, or a hybrid of both, and supports the ability to store archived items in a separate physical location.

In Exchange Online, you can use In-Place Hold or Litigation Hold to accomplish the following goals:

  • Enable users to be placed on hold and preserve mailbox items immutably
  • Preserve mailbox items deleted by users or by automatic deletion processes such as Messaging Records Management (MRM)
  • Protect mailbox items from tampering, changes by a user, or automatic processes by saving a copy of the original item
  • Preserve items indefinitely or for a specific duration
  • Keep holds transparent from the user by not having to suspend MRM
  • Use In-Place eDiscovery to search mailbox items, including items placed on hold

Additionally, you can use In-Place Hold to:

  • Search and hold items matching specified criteria
  • Place a user on multiple In-Place Holds for different cases or investigations

How does Litigation Hold work?

In the normal deleted item workflow, a mailbox item is moved to the Deletions subfolder in the Recoverable Items folder when a user permanently deletes it (Shift + Delete) or deletes it from the Deleted Items folder. A deletion policy (which is a retention tag configured with a Delete retention action) also moves items to the Deletions subfolder when the retention period expires. When a user purges an item in the Recoverable Items folder or when the deleted item retention period expires for an item, it's moved to the Purges subfolder in the Recoverable Items folder and marked for permanent deletion. It will be purged from Exchange the next time the mailbox is processed by the Managed Folder Assistant (MFA).

When a mailbox is placed on Litigation Hold, items in the Purges subfolder are preserved for the hold duration specified by the Litigation Hold. The hold duration is calculated from the original date an item was received or created, and defines how long items in the Purges subfolder are held. When the hold duration expires for an item in the Purges subfolder, the item is marked for permanent deletion and will be purged from Exchange the next time the mailbox is processed by the MFA. If an indefinite hold is placed on a mailbox, items will never be purged from the Purges subfolder.

The following illustration shows the subfolders in the Recoverable Items folders and the hold workflow process.


See this TechNet article for additional information, or you can view the general sales site from Microsoft here.

Contact Interlink today for help in defining your needs, which licensing options would be the best fit, and actually getting the service configured correctly to ensure the right data is being kept and deleted.  

Matt Scherocman

Six Reasons Microsoft Azure SQL Database Provides the Best Data Security Around


Companies leveraging the cloud for business have a multitude of options. They also have a lot of security concerns when transitioning their data to the cloud. Microsoft has built on the SQL Server foundation, bringing a new level of security to help ease the mind of these cloud-driven companies with six enhancements. All of which are crucial reasons to consider Microsoft Azure SQL Database as your company’s cloud platform of choice:

  1. Always Encrypted: Exactly how it sounds, Always Encrypted means your data remains encrypted…all the time to help you protect sensitive data. Data is encrypted in transit, in memory, on a disk, and during query processing.

  2. Transparent Data Encryption: For those of us constantly keeping up on compliance regulations and requirements, this encrypts databases with associated backups as well as transaction log files without needing changes to your applications. The audit trail is clear in order to stay in compliance while keeping data safe from any breach.

  3. Row-Level Security: This feature can limit access to individual rows of data based on a user's identity, role, or query execution context to ensure only the right people can view that data. This also simplifies the application code so that data isn’t accidentally shared in any situation.


  4. Azure Active Directory (AD) Authentication: Different from SQL Authentication, Azure AD Authentication simplifies password management by allowing you to access a number of Azure services using the same identity. This does not compromise the level of security. It reduces the amount of time IT spends retrieving lost passwords and login details while maintaining access control every step of the way.

  5. Dynamic Data Masking: Another, more sophisticated, form of encryption allows users to define masking patterns on actual database columns. For example, users can set a masking rule that masks all but the last four digits of any social security number in the result set of any query to ensure that sensitive data is truly safe.

  6. SQL Database Threat Detection: This feature automatically alerts designated users of any suspicious database activities and complements Azure SQL Database Auditing, which records database events and writes audited events to an audit log in the Azure Storage account. 


Both features are great examples of how users can monitor and quickly respond to risk. Advanced Threat Analytics is yet another approach to helping users stay ahead of sophisticated malware attacks.
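The following T-SQL is an added example, not code from the blog post or from Microsoft, showing reasons 3 and 5 together on one constructed table: a row-level security policy whose predicate function lets each sales rep see only their own customers (with block predicates so a rep cannot insert or re-assign rows to someone else, which a filter predicate alone does not prevent), and dynamic data masking on the SSN and e-mail columns for callers without the UNMASK permission. The table, user names and sample rows are assumptions. One caveat a practitioner should keep in mind: masking rewrites query results only and leaves the stored values unchanged, so it complements rather than replaces the encryption features in reasons 1 and 2.

```sql
-- Added example (not from the blog post or from Microsoft).
-- Schema, users and data are constructed for illustration; run in a scratch database.

-- Database users without logins so the demo is self-contained (constructed names).
CREATE USER SalesRepAlice WITHOUT LOGIN;
CREATE USER SalesRepBob   WITHOUT LOGIN;
CREATE USER SalesManager  WITHOUT LOGIN;
GO
CREATE SCHEMA Security;
GO

CREATE TABLE dbo.Customers (
    CustomerId INT IDENTITY PRIMARY KEY,
    SalesRep   sysname       NOT NULL,  -- database user name of the owning rep
    FullName   NVARCHAR(100) NOT NULL,
    Email      NVARCHAR(100) NOT NULL,
    SSN        CHAR(11)      NOT NULL   -- constructed values, not real numbers
);
INSERT INTO dbo.Customers (SalesRep, FullName, Email, SSN) VALUES
    ('SalesRepAlice', 'Ann Example',  'ann@example.com',  '123-45-6789'),
    ('SalesRepBob',   'Bill Example', 'bill@example.com', '987-65-4321');
GRANT SELECT, INSERT, UPDATE ON dbo.Customers TO SalesRepAlice, SalesRepBob, SalesManager;
GO

-- Reason 5, Dynamic Data Masking: callers without UNMASK see masked results.
-- partial(prefix, padding, suffix) keeps only the last four SSN characters.
ALTER TABLE dbo.Customers ALTER COLUMN SSN   ADD MASKED WITH (FUNCTION = 'partial(0,"XXX-XX-",4)');
ALTER TABLE dbo.Customers ALTER COLUMN Email ADD MASKED WITH (FUNCTION = 'email()');
GRANT UNMASK TO SalesManager;   -- the manager gets the real values back
GO

-- Reason 3, Row-Level Security: an inline table-valued predicate function
-- returns a row (i.e. "allowed") when the caller owns the row or is the manager.
CREATE FUNCTION Security.fn_RepPredicate(@SalesRep AS sysname)
    RETURNS TABLE
WITH SCHEMABINDING
AS
    RETURN SELECT 1 AS fn_result
    WHERE @SalesRep = USER_NAME() OR USER_NAME() = 'SalesManager';
GO

-- FILTER hides other reps' rows from SELECT/UPDATE/DELETE.
-- BLOCK additionally rejects INSERTs and UPDATEs that would create a row
-- the caller is not allowed to see (a filter predicate alone permits that).
CREATE SECURITY POLICY Security.CustomerPolicy
    ADD FILTER PREDICATE Security.fn_RepPredicate(SalesRep) ON dbo.Customers,
    ADD BLOCK  PREDICATE Security.fn_RepPredicate(SalesRep) ON dbo.Customers AFTER INSERT,
    ADD BLOCK  PREDICATE Security.fn_RepPredicate(SalesRep) ON dbo.Customers AFTER UPDATE
WITH (STATE = ON);
GO

-- Alice sees only her own row; SSN comes back as XXX-XX-6789 and the e-mail is masked.
EXECUTE AS USER = 'SalesRepAlice';
SELECT CustomerId, SalesRep, FullName, Email, SSN FROM dbo.Customers;

-- Inserting a row owned by Bob is rejected by the block predicate; the error is caught
-- so the context switch below is always undone.
BEGIN TRY
    INSERT INTO dbo.Customers (SalesRep, FullName, Email, SSN)
        VALUES ('SalesRepBob', 'Carl Example', 'carl@example.com', '555-55-5555');
END TRY
BEGIN CATCH
    SELECT ERROR_MESSAGE() AS BlockedInsert;
END CATCH;
REVERT;
GO

-- The manager holds UNMASK and matches the predicate, so both rows appear unmasked.
EXECUTE AS USER = 'SalesManager';
SELECT CustomerId, SalesRep, FullName, Email, SSN FROM dbo.Customers;
REVERT;
GO
```

The same SELECT is issued three times under different security contexts; the difference in what comes back is entirely enforced in the database, which is the point of both features: the application code does not need to append a WHERE clause per user or scrub sensitive columns before returning results.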

Another (bonus) reason to consider Azure SQL Database that’s best shared through this diagram, courtesy of Microsoft Azure, is that SQL Server’s track record speaks for itself. When you’re in the cloud, you can’t be vulnerable and SQL Server lives up to that motto…six years running!


Data security in the cloud isn’t a set it and forget it process. It is a constant work in progress because the security risks keep changing and technology keeps advancing. Choosing Microsoft as your partner in mitigating those risks is a smart and educated decision in keeping your data safe.

Learn more about these security enhancements by downloading the Security and Azure SQL Database whitepaper and contact us at Interlink for more information.


Matt Scherocman

How is Microsoft Protecting Your Data From Government Snooping?

There have been a growing number of stories related to government surveillance of internet data in recent days. Our customers have taken notice and we have heard a number of concerns related to the privacy of their data in Microsoft’s Cloud.

While we share in these concerns, the bottom line is Microsoft is doing everything they can to keep your data safe. More importantly, there is no indication that any of Microsoft’s data has been breached by the government. We are told that on the business platforms, Microsoft has had only a handful of requests to share data with the government and was able to work with clients to provide notice and assistance in the vast majority of the cases.

A recent press release explains what Microsoft is doing to keep your data private.

Highlights include:

Expanding Encryption:

  • Microsoft is expanding or strengthening encryption across all of its services; particularly while data is transmitted over the internet
  • If you are on Office 365, Microsoft already encrypts all information moving between your business and Microsoft, and Microsoft’s internal data centers by default
  • These communication channels are protected by best-in-class cryptography including Perfect Forward Secrecy and 2048-bit Key lengths
  • All information which is stored in a Microsoft data center is protected by industry leading encryption and security protocols

Reinforcing legal protections:

  • Committed to notifying any company when Microsoft receives a government request for access to their information
  • Working with other cloud providers to make the government go directly to an individual company, rather than a cloud provider, to obtain data

Increasing Transparency:

  • Increasing the transparency of their software code, making it easier for customers to see for themselves that Microsoft products do not contain back doors.
  • Opening a network of transparency centers in the US, America and Asia

For more information or to read the full press release, please see this article from Microsoft
