Deploy Office 365 Single Sign On with AD FS 3.0

October 27, 2016

A question that Office 365 customers ask more and more often is: what kinds of authentication methods does it offer? With Office 365, you have the following three modes of providing identities to the users of an organization.
  1. Cloud identity
  2. Synchronized identity
  3. Federated identity

Of these, security-conscious organizations most often opt for federated identities. This gives them greater control over how users authenticate to and use cloud services. When it comes to federated identities, Active Directory Federation Services (AD FS) is the primary choice for many customers; however, third-party identity providers can also be used to enable federated identities with Office 365.

Cloud identity

[Figure: Cloud Identity Model – Photo Courtesy of Office Blogs]

This is the most basic model: Azure Active Directory is used to create and manage users and their credentials. It is best suited to small organizations that do not have the budget to maintain on-premises infrastructure.

Synchronized identity

[Figure: Synchronized Identity Model – Photo Courtesy of Office Blogs]

This is the most common sign-on model, implemented by many organizations that have an on-premises identity provider, most commonly Active Directory. Identities are managed on-premises, and Azure Active Directory Connector is required to synchronize accounts and password hashes to Azure Active Directory.

Federated identity

[Figure: Federated Identity Model – Photo Courtesy of Office Blogs]

This model builds on the synchronized identity model, but without password hash synchronization. With this model, user authentication is verified by the on-premises identity provider. To federate identities, you can use Active Directory Federation Services (AD FS) or a third-party federation service provider. This model also gives you further control over, and the ability to limit, how your users access Office 365 services.

You can switch between these identity models, and Microsoft recommends implementing the simplest model that meets your requirements. I will not discuss these sign-in models in detail, or when to choose them, in this blog post. There is a well-written blog post over at Office Blogs, which you can access by clicking here.
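Because a domain can be switched between these models, it is worth being able to check which one each verified domain in a tenant is actually using. The following PowerShell is an added example, not code from the original post or from its linked document. It assumes the MSOnline module is installed and that you sign in with an account that can read tenant and domain settings; the `Authentication` property of `Get-MsolDomain` tells Managed from Federated, `Get-MsolDomainFederationSettings` shows where federated sign-ins are sent, and `Get-MsolCompanyInformation` shows whether directory and password hash synchronization are enabled, which separates the cloud and synchronized identity models.

```powershell
# Added example (not from the original post): report the identity model in use
# for each verified domain in an Office 365 tenant.
# Assumes the MSOnline module and an account with rights to read tenant settings.
Import-Module MSOnline
Connect-MsolService

# Tenant-wide sync state distinguishes cloud identity from synchronized identity.
$company = Get-MsolCompanyInformation
Write-Host ("Directory sync enabled: {0}  Password hash sync enabled: {1}" -f
    $company.DirectorySynchronizationEnabled, $company.PasswordSynchronizationEnabled)

Get-MsolDomain | Where-Object { $_.Status -eq 'Verified' } | ForEach-Object {
    $domain = $_
    if ($domain.Authentication -eq 'Federated') {
        # Federated: Office 365 redirects sign-in to the on-premises STS (for example AD FS).
        $fed = Get-MsolDomainFederationSettings -DomainName $domain.Name
        $certPreview = if ($fed.SigningCertificate) { $fed.SigningCertificate.Substring(0, 20) + '...' } else { $null }
        [pscustomobject]@{
            Domain        = $domain.Name
            Model         = 'Federated'
            IssuerUri     = $fed.IssuerUri
            PassiveLogOn  = $fed.PassiveLogOnUri
            SigningCert   = $certPreview
        }
    } else {
        # Managed: Azure AD verifies the credential itself. Whether that is a cloud-only
        # identity or a synchronized one depends on the tenant sync flags printed above.
        [pscustomobject]@{
            Domain        = $domain.Name
            Model         = if ($company.DirectorySynchronizationEnabled) { 'Managed (synchronized)' } else { 'Managed (cloud)' }
            IssuerUri     = $null
            PassiveLogOn  = $null
            SigningCert   = $null
        }
    }
} | Format-Table -AutoSize
```

The federation settings shown for a federated domain (issuer URI, passive sign-on endpoint, signing certificate) define which server Office 365 trusts to authenticate your users, so a baseline of this output is a useful thing to keep: any change to a domain's authentication type or to those values should be expected and reviewed.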

I have put together a document with step-by-step instructions on how to deploy AD FS 3.0 and integrate it with Office 365 for authentication. You can access the document at the TechNet Gallery by clicking here.
