Implementing Office 365: Password Sync vs. ADFS


Apr 10, 2014 by Drew Haney

So you’ve heard about Office 365 and all it has to offer, perhaps even from us.

You want to take advantage of the new plans and pricing, Office for iPad, and the power of one of the largest Exchange implementations in existence. So what is it going to take to get started?

There’s some work to be done in the Office 365 Admin Portal, such as setting your domains up, and of course, the Partner of Record. Now you’ve come to the point where you need to get users provisioned up in the cloud. This is where Microsoft Azure Active Directory Synchronization, or DirSync, comes into play.

Here is a comparison of Password Sync vs. ADFS:

DirSync and ADFS

If you’re here, you’re probably looking for guidance on exactly what to do when it comes to DirSync. Do you need Federation Services with it? How many servers do you need? Why would I expand my on-prem infrastructure in order to utilize my cloud services? All these are valid questions and I’d like to address them for you.

My goal in general is to not offer opinions, but perspectives. In keeping with that, I’d like to explain one of the relatively new features available in DirSync that might make you reconsider adding Active Directory Federation Services (ADFS) to your infrastructure.

For those who don’t know, ADFS can be used in tandem with DirSync to provide an unprompted login experience for your users in some apps. It does this by creating a trust relationship between your Office 365 tenant and your Active Directory infrastructure, allowing you to access the cloud’s feature set with your normal Windows login.

It’s a great setup, but it comes with an increase in necessary resources. Previously, it required at least one separate server, and two if you wanted High Availability/Resiliency. Now it can be co-located with your Domain Controller if it’s running Server 2012, but it still requires additional overhead in terms of system resources.

Password Sync

Last fall, Microsoft added a Password Synchronization feature to the Active Directory Synchronization tool. It synchronizes a hashed version of your Active Directory password to the Office 365 cloud alongside your other user attributes. The synchronization occurs every three hours, so if you change your password in Active Directory (AD), it syncs with the cloud in at most three hours.

Your bottom line and your burgeoning Office 365 infrastructure

Password Sync provides the same consistent logon experience as ADFS without requiring ADFS to be set up in your environment. The primary differences between the two are where ADFS performs authentication and the unprompted experience mentioned earlier.

ADFS provides a seamless login to apps like Internet Explorer (SharePoint, Online Web Application), Outlook, and Lync when accessing your cloud services. With Password Sync, you receive a login prompt when accessing the services, because you’re technically logging in with a separate, albeit synchronized, account.

The other difference is that ADFS actually authenticates against your domain rather than Office 365. This means that if your AD is inaccessible for whatever reason (power issues, meteor strike), your remote users can’t access Office 365.
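Both differences described above can be checked from the tenant side. The script below is an added example, not part of the original post: it uses the MSOnline PowerShell module (Connect-MsolService must already have been run) to report whether directory and password synchronization are enabled and when each last ran, flags a password sync that is older than twice the three-hour interval the post describes, and lists which verified domains are Managed (cloud authentication, Password Sync) versus Federated (authentication handed to your on-prem ADFS, so sign-in depends on AD being reachable). The two-times-interval threshold and the assumption that the timestamps are returned in UTC are this example's choices, not documented behaviour.

```powershell
# Added example (not from the original post). Requires the MSOnline module
# and a prior Connect-MsolService. Run as a tenant administrator.

$SyncIntervalHours = 3          # cadence stated in the post
$StaleAfterHours   = 2 * $SyncIntervalHours   # assumption: two missed cycles is worth a warning
$nowUtc            = [DateTime]::UtcNow       # assumption: Msol timestamps are UTC

# 1. Tenant-level sync status: is DirSync / Password Sync on, and when did each last run?
$company = Get-MsolCompanyInformation
Write-Host ("Directory sync enabled : {0}" -f $company.DirectorySynchronizationEnabled)
Write-Host ("Last directory sync    : {0}" -f $company.LastDirSyncTime)
Write-Host ("Password sync enabled  : {0}" -f $company.PasswordSynchronizationEnabled)
Write-Host ("Last password sync     : {0}" -f $company.LastPasswordSyncTime)

if ($company.PasswordSynchronizationEnabled -and $company.LastPasswordSyncTime) {
    $age = $nowUtc - $company.LastPasswordSyncTime
    if ($age.TotalHours -gt $StaleAfterHours) {
        $msg = "Password hashes last synced {0:N1} hours ago; cloud passwords may lag AD." -f $age.TotalHours
        Write-Warning $msg
    }
}
elseif (-not $company.PasswordSynchronizationEnabled) {
    Write-Host "Password Sync is not enabled; users on Managed domains have a separate cloud password."
}

# 2. Per-domain authentication mode: Managed = cloud sign-in, Federated = on-prem ADFS sign-in.
$domains = Get-MsolDomain | Where-Object { $_.Status -eq 'Verified' }
$domains | Select-Object Name, Authentication, IsDefault | Format-Table -AutoSize

# For Federated domains, show where sign-in is redirected; if that ADFS endpoint
# (or the AD behind it) is unreachable, remote users cannot sign in to Office 365.
foreach ($d in ($domains | Where-Object { $_.Authentication -eq 'Federated' })) {
    $fs = Get-MsolDomainFederationSettings -DomainName $d.Name
    Write-Host ("{0}: sign-in redirected to {1}" -f $d.Name, $fs.PassiveLogOnUri)
}
```

Run it before and after enabling Password Sync or converting a domain to federation; the first block tells you whether hashes are actually flowing on the expected cadence, and the second block makes the availability dependency of each domain explicit.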

So the choice is yours, really. If you’re a small or mid-size business that doesn’t mind a prompted experience and doesn’t have the resources to spare for ADFS, you have options. If you’re a larger organization where the unprompted experience is important, the newest versions of ADFS have a lot to offer you as well.

As always, big or small, our expertise is here to help. Call us today, 877-552-0404, for help migrating to Office 365!
