Deploying Office 365 Single Sign-On using Windows Azure

In a cloud world, single sign-on is becoming increasingly important, as users want to sign in to their applications with a single set of credentials, whether inside or outside of the firewall. Active Directory Federation Services (AD FS) is the glue that connects your on-premises Active Directory with Office 365 and Windows Azure. While extraordinarily powerful, it can also become a single point of failure if your deployment is not properly designed: if the federation service is unreachable, federated users cannot sign in. More and more, we have seen partners and customers looking at options for scaling AD FS to the cloud. With the introduction of Windows Azure Virtual Machines, customers who require Active Directory federation have another Microsoft-supported choice for hosting these services.

Running infrastructure components in Windows Azure has multiple benefits that include:

  • Cloud strategy. Better aligns with your cloud strategy, helping to reduce on-premises hardware investments.
  • Potential for reduced cost for hardware and software. Includes the potential to expand the conversion from capital expenditures to operational expenditures for the infrastructure services that are supporting your Office 365 deployment. You won’t have to purchase additional servers and run them in your data centers or from a remote location.
  • Rapid deployment. Infrastructure components can be deployed in a relatively short time, requiring little to no additional on-premises hardware resources.
  • Improved business continuity. Federated users can continue to sign in to Office 365, even when the on-premises environment is temporarily unavailable.
  • Scalability on-demand. If you require expansion or changes to your directory integration in the future, Windows Azure gives you the flexibility to make these changes rapidly, without additional on-premises investments.
  • Site resiliency and disaster recovery. Possible scenarios include disaster recovery where Windows Azure is hosting redundant critical services for your infrastructure. This enables a failover in case there’s an on-premises disaster.
  • Flexibility. Components may be relocated, load-balanced, and distributed across multiple geographic regions. This reduces dependency on the corporate network.


Integrating Office 365 with your existing on-premises platforms requires careful planning, regardless of whether the integration components are implemented on-premises or in Windows Azure. Planning the implementation and management of these infrastructure components in the cloud is almost identical to planning them for on-premises infrastructure.

The excellent Deploying Office 365 Single Sign-On using Windows Azure white paper was written for system architects and IT professionals who want to understand the architecture and deployment options for extending the on-premises Active Directory infrastructure with Windows Azure Virtual Machines to implement directory synchronization and single sign-on for Office 365. Topics covered include:

1 Executive Summary
2 Introduction
3 Deployment Scenarios
  3.1 Introduction
  3.2 Before you start: is this right for your organization?
  3.3 Windows Azure Active Directory
  3.4 High-level design considerations
  3.5 Scenario 1: Office 365 directory integration components deployed on-premises
  3.6 Scenario 2: Office 365 directory integration components deployed in Windows Azure
  3.7 Scenario 3: Office 365 directory integration components deployed in Windows Azure for disaster recovery
  3.8 Checkpoint: key requirements
  3.9 Risks and mitigations
4 Deployment Considerations
  4.1 Costs associated with Windows Azure
  4.2 Virtual Machine operating system requirements
  4.3 Virtual Machine sizing
  4.4 VPN network requirements
  4.5 IP addressing and name resolution
  4.6 Active Directory Domain Services
  4.7 Directory synchronization server
  4.8 Deployment to multiple Windows Azure data centers
5 Operational Considerations

Download here: Deploying Office 365 Single Sign-On using Windows Azure

For more information about AD FS, see the Active Directory Federation Services TechCenter web page (https://go.microsoft.com/fwlink/?LinkId=194245).