There are three flavours of user authentication in O365: Microsoft Online credentials, separate from on-premises accounts; Directory Synced (Dirsync) accounts, which require Active Directory (AD) but still keep separate password policies; or Rich Coexistence, which needs AD, Dirsync and AD Federation Services 2.0 (ADFS).
Authentication and user accounts
The first flavour is eminently suited to small businesses; there’s no correlation between the on-premises login and the login for cloud services. Note that the BPOS sign-in client isn’t available for O365, so users simply enter their password in the individual applications that connect to O365 (Outlook, Lync etc.). This will also work very well for really small businesses that don’t have on-premises AD, as they’ll only need to maintain the O365 user accounts.
When you add a new user you can send them an email with their temporary password and other information.
As can probably be guessed, the other two flavours are best suited to medium to large organisations. Dirsync requires one server onsite; its job is to copy the on-premises AD user and group accounts to O365. There’s still no actual co-existence as such; it’s still two separate environments, but one is a copy of the other. In this setup all account management has to be done on premises.
There are some limits to keep in mind: user accounts have to be entered in User Principal Name (UPN) format, i.e. email@example.com, and the UPN can’t have a “.” immediately before the @ sign. Today there’s no support for multi-forest federation (account forests and resource forests), but this will be addressed in the future. All subdomains in the forest are automatically federated. If your domain is in 2008 R2 mode you can’t use the AD recycle bin feature, and the Dirsync application is currently 32-bit only (a 64-bit version is coming). Dirsync also requires schema extensions for AD, something that wasn’t necessary in BPOS; it’s also a long-term commitment, as you can’t turn off Dirsync (although that’s also coming in the future). Dirsync comes with SQL Server Express (10 GB database size limit); if you have more than 50,000 users it’s recommended to implement full SQL Server.
Dirsync uploads are limited to 10,000 objects; if you have more users and groups than that you have to open a support request to increase the limit. All synchronisations after the first one are incremental, and there can be up to three hours’ delay before account changes on premises are reflected in O365. Hence, if there’s a time-sensitive operation, such as someone being fired whose account needs to be disabled, you can initiate a sync manually. There’s an O365 pre-migration tool that checks your AD for issues that can affect a synchronisation. In BPOS there was a filter file available that allowed you to control which parts of your directory were synced to the cloud; in O365 this capability has been removed, as it was found to cause too many problems. Another operational issue to be aware of is that if a user is deleted in AD, their Exchange Online mailbox remains disconnected in the cloud for 30 days so it can be retrieved if necessary.
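As an added example (not from the article or from Microsoft’s pre-migration tool), here is a PowerShell check you can run against your on-premises accounts before enabling Dirsync, applying the UPN rules described above. It goes slightly beyond the text by also checking that the UPN suffix is one of your verified domains; the domain list and the sample accounts are constructed here, and in production you would feed it Get-ADUser output instead.

```powershell
# Added example: flag accounts whose UPN would fail the Office 365 / Dirsync rules.
# Assumption (not from the article): only UPN suffixes you have verified in O365 will sync cleanly.
$verifiedDomains = @('example.com', 'corp.example.com')   # constructed sample list

function Test-O365Upn {
    param([string]$Upn, [string[]]$VerifiedDomains)
    # Rule from the article: every account needs a UPN in user@domain form.
    if ([string]::IsNullOrWhiteSpace($Upn)) { return 'Missing UPN (account must be in user@domain format)' }
    if ($Upn -notmatch '^(?<local>[^@\s]+)@(?<domain>[^@\s]+)$') { return "Not in UPN format: $Upn" }
    # Rule from the article: no "." immediately before the @ sign.
    if ($Matches.local.EndsWith('.')) { return "Local part ends with '.' just before @: $Upn" }
    # Assumed extra check: suffix must be a verified O365 domain (catches .local style suffixes).
    if ($VerifiedDomains -notcontains $Matches.domain.ToLower()) {
        return "Suffix '$($Matches.domain)' is not a verified O365 domain: $Upn"
    }
    return $null   # UPN passes all checks
}

# Constructed sample accounts standing in for: Get-ADUser -Filter * -Properties UserPrincipalName
$users = @(
    [pscustomobject]@{ SamAccountName = 'jdoe';   UserPrincipalName = 'jdoe@example.com' },
    [pscustomobject]@{ SamAccountName = 'asmith'; UserPrincipalName = 'a.smith.@example.com' },
    [pscustomobject]@{ SamAccountName = 'legacy'; UserPrincipalName = $null },
    [pscustomobject]@{ SamAccountName = 'bjones'; UserPrincipalName = 'bjones@corp.local' }
)

# Only jdoe passes; the other three are reported with the reason they would fail to sync.
$problems = foreach ($u in $users) {
    $reason = Test-O365Upn -Upn $u.UserPrincipalName -VerifiedDomains $verifiedDomains
    if ($reason) { [pscustomobject]@{ Account = $u.SamAccountName; Problem = $reason } }
}
$problems | Format-Table -AutoSize
```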
Single Sign On
It’s recommended that if you’re going through the work of setting up Dirsync you also take the next step and implement AD FS for true single sign-on. This is best implemented as a highly available ADFS deployment, requiring two ADFS servers in the backend as well as two ADFS proxy servers at the perimeter, along with a Dirsync server. Trust is established between the directories; O365 relies on Microsoft’s Identity Lifecycle Manager (ILM), which will be upgraded to support Forefront Identity Manager (FIM) in the future. With ADFS you get true single sign-on (SSO): users log in to their computers and are automatically authenticated to Office 365, with few changes to your current enterprise account management processes.
Planning how you’re going to manage authentication for Office 365 is critical, and the Office 365 deployment planning wizard helps out.
In the next part of the series we’ll look at Exchange in Office 365: which features from Exchange on premises are included and which are not, as well as how Exchange Online is administered and how Unified Messaging can be integrated.
Can you be more specific about the schema changes required by DirSync? To my knowledge, they are not required. Unless you mean Exchange schema extensions (SP1) for hybrid coexistence of course…
I apologise for the delay in answering your question. As far as I’ve been able to find out (the comment about Dirsync requiring schema changes was made in the online series of videos that MS recorded a couple of months ago, see here https://www.eventbuilder.com/microsoft/event_desc.asp?p_event=x8f7i41r), the requirement of AD schema changes is only if you want the hybrid scenario, which requires an Exchange 2010 CAS server on premise. This will of course require the schema updates for Exchange 2010.
Hope this helps,