Office 365 ADFS and Directory Sync

Office 365 is here to stay, and will become increasingly popular. The power of Office 365 is really evident when you use it to you extend your on premise network. This allows you to run migrations to Office 365 or run hybrid environments with some users on premise and some users on Office 365. When you are talking about on premise and Office 365 and hybrid environments you are actually talking about identity management. Identity management use to be the domain of Forefront Identity Manager. Where Forefront Identity Manager could be very complex and tricky working with multiple domains , Office 365 identity management has been made much more manageable with some tools provided by Microsoft.

What does identity management mean with regard to Office 365? Office 365 makes use of Azure Active directory. When you sign up for an Office 365 account, you are assigned a Microsoft domain that looks something like If you want to use your own domain, you would set that up inside of Office 365. Now it is unlikely you would want your domain to be used inside of Office 365 but create all new users and manage that separately. This is where identity management comes into place. Since you’ve made significant investment in your local active directory you want to extend and use it with Office 365. There are two tools provided that will help you do this.

Directory Sync Tool (with password sync)

The Directory Sync Tool is really two tools. The Directory Sync tool which syncs your active directory objects to Azure AD within Office 365 and the password sync which retrieves your password hash from active directory and sync’s it to Azure AD. When both of these tools are used it makes it possible for users to keep the same password in their local domain as well as Office 365. The Directory Sync Tool is flexible in that you have the option to sync your entire directory or only a portion of your active directory, a particular OU for example.




Active Directory Federation Services

Active Directory Federation Services V3 is now a Windows Role on Windows 2012 R2 and does not need to be downloaded separately as previously required. Active Directory Federation Services makes it possible to expose your Active Directory for Authentication purposes to the outside world. You might be asking “What about security?”. It is secured via SSL and exposed in most cases only via proxy server. ADFS also configures into a farm, which means that it can span across many servers for load balancing and redundancy purposes. To Office 365, ADFS offloads authentication back to your domain. This primarily used in single sign on scenarios, where you need your domain name to authenticate against. Office 365 doesn’t care about your actual domain per se when it comes to authenticating, it really only cares about your user name and password and will only authenticate UPN’s ( If you need to use single sign on and down level network names (domain\username) you will require ADFS.


In most cases going with a Directory Sync server will suffice and be much easier to manage. Directory Sync can pretty much sit on any server, as long as you don’t have a problem with it having a domain admin account associated to it as it does need access to Active Directory. Where ADFS becomes more difficult to manage is that it really becomes integral to your cloud strategy and it’s uptime is crucial. If you lose your Directory Sync server, you could essentially rebuild it and resync. If you lose an ADFS server, your users will NOT be able to authenticate. Thus it becomes to add redundancy and depending on your traffic even load balancing to your ADFS proxy and ADFS environment.

Quick Summary

DirSync with Password Sync

  • Synchronizes username and password hash to Office 365
  • Requires only 1 server
  • If DirSync server is down, users can still log on.
  • Allows users to authenticate to Office 365 with on premise credentials
  • Does NOT allow for single sign on
  • Does NOT provide a mechanism for authentication
  • Credentials are managed on premise, if an account is deleted or disabled account on Office 365 will follow.


  • Requires Directory Sync to sync usernames and passwords to Office 365
  • Authenticates to on premise Active Directory
  • Is essential to system, redundancy and load balancing recommended
  • Is essential for single sign on, especially through a web browser for Office 365 portal access

Leave a comment

Your email address will not be published.