The Office 365 Partner Community is led by National Partner Technology Strategists from the Microsoft US Partner Team. Partner Community activities include blog posts, discussions on Yammer, newsletters, and community calls.
- Register for the November 6 US Office 365 Partner Technical Community call
- Read the US Office 365 Partner Community blog posts, including the September series about FastTrack
- Join the US Office 365 Partners Group on Yammer
- Sign up for the US Office 365 Partner newsletter
In the first two blog posts in this October series about Identity Integration, I introduced the three identity models in Office 365 and explained the cloud identity and synchronized identity models. In this post, I will wrap things up with the federated identity model and provide you with guidance for choosing between the different identity models.
Federated identity model
In the federated identity model, the key point is that authentication occurs on-premises, not in Office 365. Similar to the synchronized model, you still have the DirSync tool and you can still synchronize password hashes. In addition, we have an Active Directory Federation Services (ADFS) server. Even though authentication is happening on-premises, you will still synchronize the passwords, because there is a recent option available to use those as a temporary backup in case of an interruption to your on-premises ADFS configuration. It can take a couple of hours to switch from federated identity to synchronized identity, so think of it more as a disaster recovery option and not a high-availability option.
With federated identity, the login steps are as follows: the user is presented with the organization's login screen and is authenticated against the on-premises directory servers. If the user name and password are valid, ADFS returns a token to Azure Active Directory, which then makes the sign-in available to Office 365 so the user can be signed in.
In a classic configuration, you will have an ADFS server on-premises connected to your AD server and you will also most likely have a proxy server that runs in the DMZ. This requires a port to be opened on the firewall, which allows the proxy server to make the connection between Azure AD in the cloud and the ADFS server on-premises, which shows the login UI and makes the request to the directory.
Typically, you will be required to have a geo-redundant backup of the configuration. If your users are signing in and one of the parts in this process goes down, such as your AD server becoming unavailable, users can't sign on at all. The resulting architecture can require between 4 and 6 servers, because you're usually installing additional domain controllers as well to go with that configuration. It is becoming more common to deploy at least one of these sets of servers in Azure VMs. The configuration is similar to DirSync, and involves connecting a VPN from on-premises up into your collection of servers in Azure IaaS. Azure then becomes one of those nodes so that you achieve your geo-redundancy. This TechNet article shows you how to do this: Deployment scenarios for Office 365 with single sign-on and Azure.
ADFS does require additional configuration and time to deploy. Installing and configuring ADFS can be challenging, but the experience is streamlined by a new tool called Azure AD Connect. If you have not heard about it, you can read the announcement on the Active Directory Team blog. For further reading on implementing ADFS to manage single sign-on, you can find more information on the different options and guidance here.
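The fallback from federated to synchronized identity described above only works if password hashes are actually being synchronized. The following is an added example, not code from the original post: it assumes the MSOnline PowerShell module is installed and that you have already run Connect-MsolService as a tenant administrator, then lists each verified domain with its authentication type and flags federated domains in a tenant where password hash sync is switched off.

```powershell
# Added example (not part of the original post). Assumes the MSOnline module
# is installed and Connect-MsolService has already been run as an admin.
Import-Module MSOnline -ErrorAction Stop

# Tenant-wide flag: is password hash sync enabled at all?
$company  = Get-MsolCompanyInformation
$hashSync = [bool]$company.PasswordSynchronizationEnabled

# For every verified domain, report Managed vs Federated and whether the
# temporary fallback (federated -> synchronized) would be possible.
Get-MsolDomain | Where-Object { $_.Status -eq 'Verified' } | ForEach-Object {
    $isFederated = ($_.Authentication -eq 'Federated')
    [pscustomobject]@{
        Domain            = $_.Name
        Authentication    = $_.Authentication
        PasswordHashSync  = $hashSync
        FallbackAvailable = (-not $isFederated) -or $hashSync
    }
} | Format-Table -AutoSize
```

A federated domain reported with FallbackAvailable equal to False means an ADFS outage would leave users unable to sign in until federation is restored.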
How to choose an identity model
In this series we have described the differences between the three identity management models for Office 365. Below, I have provided scenario-based guidance for choosing the right model for your customers. Choose the simplest model to meet a customer’s needs.
| Identity model | Guidance |
| --- | --- |
| Cloud identity model | Choose this model if: |
| Synchronized identity model | Choose this model if the customer has an on-premises directory. Password hash sync means federation is not required just to have the same password in the cloud. Choose password hash sync unless the customer has one |
| Federated identity model | Choose this model if: |
Register today for the US Office 365 Partner Community call on November 6, where we’ll talk in-depth about the topic of identity models. Joining me on the call is Paul Andrew, a Senior Technical Product Manager for Office 365.