Up to now, if you deployed Office 365, you only had two real options for authenticating using your Active Directory credentials – AD Connect Password Sync or Active Directory Federation Services (ADFS). The Password Sync solution works OK but isn’t entirely seamless whilst the ADFS solution is seamless but requires significant infrastructure.
Microsoft has now added two new authentication functions to AD Connect, which may benefit some organisations: Pass-Through Authentication and Single Sign-On (SSO).
What were the original sign-on solutions?
Password Sync copies a non-reversible hash of each user’s password (not the password itself) into Azure Active Directory, which Office 365 uses to authenticate. When the user logs on, they type in their username and password and Office 365 checks that the password matches the hash it has stored. This is known as same sign-on: the on-premises and Office 365 identities are independent, but they appear to be the same to the user.
The user experience in this configuration is only somewhat seamless, provided credentials are saved. If the on-premises password changes, the user will be prompted for the new password by every application. The other issue (at least for some organisations) is that a form of the password is stored outside the organisation’s boundaries, even though it is a non-reversible hash.
Logging into Office 365 with ADFS
By contrast, ADFS provides a true single sign-on solution. When logging onto Office 365 in an ADFS scenario, the username and password are validated directly against the on-premises Active Directory. If you are on a domain-joined Windows desktop and using a supported browser, Office 2013 or Office 2016, then you will be seamlessly logged into Office 365. There is no interruption at password change time because the logon is always validated against the on-premises directory.
The biggest issue with ADFS is that it requires a minimum of four servers to deliver a highly available solution; two ADFS servers and two proxy servers. Some organisations, particularly smaller ones, are not keen on this.
How do the new features make a difference?
The goal for most organisations is to make it as simple as possible for users to use the IT systems and applications. In this respect, single sign-on (SSO) is the most desirable option, but since it has previously only been achievable with ADFS, some organisations were put off by the infrastructure requirements. They would make do with AD Connect and Password Sync, but this is not seamless and they might not have liked the idea of transferring password hashes to Microsoft.
Enabling pass-through authentication removes the problem of transferring password hashes to Microsoft, but on its own it doesn’t change the login process. Luckily, the addition of SSO does.
The combination of these two functions makes a deployment of AD Connect act pretty much like its bigger ADFS brother but with only one server instead of four. Users are authenticated directly against the Active Directory and they are signed into applications seamlessly (at least when they are on a company desktop).
Is ADFS dead, then?
A valid question at this point is whether these new AD Connect features make ADFS redundant. Well, no, they don’t. There is still a place for ADFS because it provides functions that AD Connect cannot. For example, if your organisation wishes to authenticate against other applications, like Salesforce or ServiceNow, then you will need ADFS. Alternatively, you may want to enable some security controls such as restricting the locations or device types from which users authenticate. Again, AD Connect cannot do this.
What happens if I implement AD Connect now but want to authenticate to another cloud service later?
If you are currently only using the Microsoft cloud and AD Connect with SSO is attractive, but you might later add another cloud service that requires ADFS to authenticate, there is no problem: you simply add ADFS to your environment at that point. AD Connect is a requirement even in an ADFS configuration.
How can I implement this new functionality?
If you are not running the latest version of AD Connect, you will need to download it, upgrade and then enable the new features. Note that they are still in preview at this time, so you may want to wait until they become generally available.
If you have ADFS and were only using it in basic mode to authenticate to Office 365 then you can decommission it.
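As an added example (not from the original article), the following PowerShell reports which of the three sign-in models described above a tenant and its on-premises directory are actually using: whether a domain is Federated (ADFS) or Managed, whether password hashes are still being synchronised, whether the pass-through authentication agent service is running on the AD Connect server, and whether the computer account that Seamless SSO creates in Active Directory exists and how old its Kerberos key is. It assumes the MSOnline and ActiveDirectory modules are installed, that Connect-MsolService has already been run, that the script runs on the AD Connect server, and that the service name and SSO account name below are correct for the preview release.

```powershell
# Added example: read out the Office 365 sign-in model in use (not code from the original article).
# Assumptions: MSOnline module (already connected with Connect-MsolService), ActiveDirectory RSAT
# module, run on the domain-joined AD Connect server. Service and account names are assumptions.
Import-Module MSOnline
Import-Module ActiveDirectory

function Get-SignInModel {
    param([Parameter(Mandatory)][string]$DomainName)

    # Federated = ADFS handles logon; Managed = password sync and/or pass-through authentication
    $domain  = Get-MsolDomain -DomainName $DomainName
    $company = Get-MsolCompanyInformation

    # Seamless SSO registers a computer account (assumed name AZUREADSSOACC) in on-premises AD.
    # Its password is the Kerberos key Azure AD trusts, so its age is worth watching.
    $ssoAcc = Get-ADComputer -Filter "Name -eq 'AZUREADSSOACC'" -Properties pwdLastSet `
                             -ErrorAction SilentlyContinue

    # Pass-through authentication runs as a Windows service on the AD Connect server (assumed name).
    $ptaSvc = Get-Service -Name 'AzureADConnectAuthenticationAgent' -ErrorAction SilentlyContinue

    $keyAgeDays = $null
    if ($ssoAcc) {
        $keyAgeDays = ((Get-Date) - [DateTime]::FromFileTime($ssoAcc.pwdLastSet)).Days
    }

    [pscustomobject]@{
        Domain             = $DomainName
        Authentication     = $domain.Authentication            # 'Managed' or 'Federated'
        PasswordSyncOn     = $company.PasswordSynchronizationEnabled
        PtaAgentRunning    = [bool]($ptaSvc -and $ptaSvc.Status -eq 'Running')
        SeamlessSsoAccount = [bool]$ssoAcc
        SsoKeyAgeDays      = $keyAgeDays
    }
}

# Usage (constructed domain name): an ADFS tenant shows Federated; a tenant moved to
# pass-through authentication with SSO shows Managed, PtaAgentRunning = True and
# SeamlessSsoAccount = True, ideally with PasswordSyncOn = False if hashes are not wanted in the cloud.
Get-SignInModel -DomainName 'contoso.example' | Format-List
```

If PasswordSyncOn is still True after switching to pass-through authentication, the hashes are still being transferred and the original concern in the article has not actually gone away.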
Of course, if you are not comfortable doing any of this then please contact us and we will be happy to help! Use the attached form and someone will be in contact with you very soon.