Identity Management: Deploying ADFS in Office 365

October 11, 2011  |  2 Comments  |  by Thomas   |  Blog, News

Deploying ADFS

The jargon used by Microsoft regarding hybrid deployments and federated sign-on can very quickly become overwhelming for an end-user to understand. This blog entry will attempt to penetrate some of that fog in simple English. The topic of focus here is: single sign-on (previously known as federated sign-on)


First, a few definitions:

Term

Description

Single sign-on

The process that lets your users use their existing Active Directory corporate credentials (user name and password) to access services in Office 365 for enterprises. Also called identity federation, single sign-on in Microsoft Office 365 uses Active Directory Federation Services 2.0 (AD FS).

Identity federation

Also used to describe “single sign-on”, this term is used in Microsoft Office 365 documentation but will be phased out in favor of “single sign-on”.

Hybrid server

A computer that is running a Hybrid Edition of Exchange Server 2010 and is installed in an Exchange Server 2007 or Exchange Server 2003 organization for the purpose of enabling a hybrid deployment. This was previously referred to as a “coexistence server” in some documentation.

Hybrid deployment

The full-featured deployment of a cross-premises Exchange messaging solution with Office 365 for enterprises and Exchange Online. Features include:

  • Mail routing between on-premises and cloud-based organizations
  • Mail routing with a shared domain namespace.
  • A unified global address list, also called a “shared address book”

  • Free/busy and calendar sharing between on-premises and cloud-based organizations
  • Centralized control of mail flow. The on-premises organization can control mail flow for the on-premises and cloud-based organizations.
  • A single Outlook Web App URL for both the on-premises and cloud-based organizations

  • The ability to move existing on-premises mailboxes to the cloud-based organization
  • Centralized mailbox management using the on-premises Exchange Management Console (EMC)
  • Message tracking, MailTips, and multi-mailbox search between on-premises and cloud-based organizations

In the Microsoft Office 365 Deployment Wizard, Exchange Server Deployment Assistant, and Office 365 for enterprises documentation, hybrid deployment is called “rich coexistence”, but we’ll update the term for general availability.

Identity Management

When managing users in a hybrid environment you have two options regarding how they securely verify their identity and access the Office 365 cloud services.

  • Non-federated identity
  • Single Sign-On

Non-Federated Identity

With a non-federated setup, you can still access everything you need to on multiple servers (at least one of those being your online Exchange with Office 365). The difference is that the services do not function in unison, creating redundant use of resources, redundant tasks for your employees, and general inefficiencies throughout your workflow.

Users will have a set of credentials for logging into the online server resources. They will also have a separate set of credentials for the on-premises features.

The advantage of this is that there is less overhead in terms of initial deployment cost of setting up the Office 365 solution.

The disadvantage is perhaps less clear, but more dangerous. With more user identities and functionality differences there is a higher long term cost to ownership. Higher training costs for end-users, higher complexity in administration of the network going forward, and the simple loss of user productivity from redundant functions. For mid-size businesses and up, the long term management and helpdesk costs make single sign-on a ‘no brainer’. For small businesses, it is important to carefully consider your specific circumstances and make an educated call.

Single Sign-On

When effectively deployed, all users will have their on-premises credentials sync’ed to the cloud for a uniform experience. Specifically, the Active Directory credentials access both cloud and on-premises resources in a single swoop (from the end-user perspective). You will then manage all users and resources from your current on-premises Active Directory, hence the term ADFS (Active Directory Federated Services).

From the on-prem Active Directory admins will have a single point for policy control, access control, and security management. This leads to reduced support calls and stronger user authentication.


Helpful Resources:

Preparing for single sign on

Plan for and deploy Active Directory Federation Services 2.0 for use with single sign-on

Configuring advanced options for ADFS


Return to Office 365 Consulting Homepage


Posted in Blog, News and tagged , , . Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *