By Chris Chesley, Solutions Architect
My last blog post was part 1 of moving your email to the cloud with Office 365. Here's the next installment in the series, in which I will cover the three methods of authenticating your users for Office 365. This is a very important consideration and will have a large impact on your end users and their day-to-day activities.
The first method is to authenticate your users directly against Office 365. This has no ties to your Active Directory. The benefit is that your users get mail, messages and SharePoint access regardless of your site’s online status. The downside is that your users may have a different password than the one they use to log into their desktops/laptops, and this can get very messy if you have a large number of users.
The second way of authenticating your users is full Active Directory integration. I will refer to this as the “Single Sign On” method. In this method, your Active Directory is the authoritative source of authentication for your users. Users log into their desktop/laptop and can access all of the Office 365 applications without typing their password again, which is convenient. You DO need a few servers running locally to make this happen: an Active Directory Federation Server (ADFS) and an Azure Active Directory Sync Server. Both of these services are needed to sync your AD and user information to Office 365. The con of this method is that you need a redundant AD setup, because if it is down your users are not going to be able to access mail or anything else in the cloud. You can do this by hosting a Domain Controller, and the other two systems I mentioned, in a cloud or at one of your other locations, if you have one.
The third option is what I will refer to as “Single Password.” In this setup, you install an Azure Active Directory Sync server in your environment but do not need an ADFS server. The Sync tool will hash your users’ passwords and send the hashes to Office 365. When a user tries to access any of the Office 365 services, they are asked to type in their password. The password is then hashed and compared to the stored hash, and they are let in if the two match. This does require the users to type their password again, but it allows them to use their existing Active Directory password, and any time this password changes, it is synced to the cloud.
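To make the trade-offs between the three methods concrete, here is an added toy model (example code written for this post's explanation, not Microsoft's implementation or any tool from the post). The class and function names, the salted PBKDF2 hash scheme, and the sample accounts are all assumptions made for illustration. It shows what the text describes: a federated sign-in fails while the on-premises site is down, password hash sync and cloud-only accounts keep working, a cloud-only user has a separate password, and a password change in AD only reaches the tenant after the next sync run.

```python
"""Toy model of the three Office 365 sign-in options: cloud-only, federated
single sign-on through ADFS, and password hash sync. Everything here is a
simplified illustration, not the real Azure AD Sync or ADFS behaviour."""
import hashlib
import hmac
import os


def derive_hash(password: str, salt: bytes) -> bytes:
    # Salted PBKDF2 stands in for whatever the real sync tool ships. The point
    # is that only a hash, never the clear-text password, leaves the premises.
    # 10_000 iterations is a toy count chosen to keep the demo fast.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)


class OnPremAD:
    """Hypothetical on-premises Active Directory: the authoritative password store."""

    def __init__(self):
        self.accounts = {}   # upn -> (salt, hash)
        self.online = True   # set to False to simulate a site outage

    def set_password(self, upn, password):
        salt = os.urandom(16)
        self.accounts[upn] = (salt, derive_hash(password, salt))

    def verify(self, upn, password):
        if not self.online:
            raise ConnectionError("on-premises AD unreachable")
        salt, stored = self.accounts[upn]
        return hmac.compare_digest(derive_hash(password, salt), stored)


class CloudTenant:
    """Hypothetical Office 365 tenant; `mode` selects the authentication method."""

    def __init__(self, mode, on_prem=None):
        assert mode in ("cloud_only", "federated", "password_sync")
        self.mode = mode
        self.on_prem = on_prem
        self.cloud_accounts = {}  # upn -> (salt, hash); used by cloud_only and password_sync

    # Method 1: a separate cloud password with no tie to AD.
    def set_cloud_password(self, upn, password):
        salt = os.urandom(16)
        self.cloud_accounts[upn] = (salt, derive_hash(password, salt))

    # Method 3: the sync tool copies the AD hashes into the tenant. A password
    # change on premises is only visible in the cloud after the next sync run.
    def run_directory_sync(self):
        self.cloud_accounts = dict(self.on_prem.accounts)

    def sign_in(self, upn, password):
        if self.mode == "federated":
            # Method 2: the tenant redirects to ADFS, which asks the on-prem AD.
            # If the site is down there is nobody to answer, so sign-in fails.
            try:
                return self.on_prem.verify(upn, password)
            except ConnectionError:
                return False
        # cloud_only and password_sync both verify against what the tenant
        # stores itself, so they keep working while the site is offline.
        if upn not in self.cloud_accounts:
            return False
        salt, stored = self.cloud_accounts[upn]
        return hmac.compare_digest(derive_hash(password, salt), stored)


def outage_comparison():
    """Which methods still let a user in while the on-prem site is down?"""
    ad = OnPremAD()
    ad.set_password("alice@example.com", "Winter2015!")  # constructed sample account

    federated = CloudTenant("federated", ad)
    synced = CloudTenant("password_sync", ad)
    synced.run_directory_sync()
    cloud_only = CloudTenant("cloud_only")
    cloud_only.set_cloud_password("alice@example.com", "DifferentCloudPw#")

    results = {}
    for site_up in (True, False):
        ad.online = site_up
        results[site_up] = {
            "federated": federated.sign_in("alice@example.com", "Winter2015!"),
            "password_sync": synced.sign_in("alice@example.com", "Winter2015!"),
            "cloud_only_ad_pw": cloud_only.sign_in("alice@example.com", "Winter2015!"),
            "cloud_only_cloud_pw": cloud_only.sign_in("alice@example.com", "DifferentCloudPw#"),
        }
    return results


def password_change_propagation():
    """A password change in AD reaches the tenant only after the next sync run."""
    ad = OnPremAD()
    ad.set_password("bob@example.com", "OldPassw0rd")  # constructed sample account
    tenant = CloudTenant("password_sync", ad)
    tenant.run_directory_sync()
    ad.set_password("bob@example.com", "NewPassw0rd")
    before = tenant.sign_in("bob@example.com", "NewPassw0rd")
    tenant.run_directory_sync()
    after = tenant.sign_in("bob@example.com", "NewPassw0rd")
    return before, after


if __name__ == "__main__":
    for site_up, r in outage_comparison().items():
        print("site up" if site_up else "site DOWN", r)
    print("new password accepted before/after sync:", password_change_propagation())
```

Run it as a script to see the outage table: the federated row flips to False when the site goes down, the synced and cloud-only rows do not, and the cloud-only account never accepts the AD password because it is a separate credential. The second function shows the gap between an on-premises password change and the next sync, which is the window where a user's old password still works in the cloud.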
The choice of which method you use has a big impact on your users as well as how you manage them. Knowing these choices and choosing one that meets your business goals will set you on the path of successfully moving your services to the cloud.