Office 365 and Single Sign On. The Myth and the Reality.

Post to Twitter Post to Facebook Post to StumbleUpon

Office 365 presents several different options for configuring co-existence between your onsite servers and the Office 365 servers. Configuring the way your clients sign in becomes a maze full of choices and confusing lexicon. There are several different methods that you can choose when it comes to configuring the client experience after subscribing to Office 365.

First, let’s talk about the SignIn Assistant and the Office 365 Desktop Setup tool. The Office365DesktopSetup is a dot net based tool that launches and checks to see if you have a valid copy of Office, and if you need to install the Sign In Assistant. It also installs updates and the office social connectors. You launch the Office 365 Desktop Setup Tool from the Downloads page of your Office 365 Account. You enter your username and password and then it searches for the necessary updates and installs them. You are prompted to download and install the Microsoft Online Services Sign-In Assistanonfiguring Office 365 on the desktop using is still a manual process. You are still required to enter your password for Lync (you have the option to save it) on the first run, but the settings are all configured for you. You are prompted to log in to the SharePoint Team Site. Outlook profiles are automatically configured you need to enter your username and password. Overall, the Desktop Setup tool improves the speed and accuracy of setting up Office 365 Client Applications. The Sign-In Assistant helps ensure that your users are prompted “less” for a username and password, but it does not provide any sort of single sign on experience.

The next option often talked about is DirSync. Dirsync is a process that allows you to sync your Active Directory to the Office 365 Cloud. It does exactly that. If you have large amounts of users, security groups, or distribution Groups DirSync is the tool for you. DirSync does NOT synchronize passwords. Dirsync does NOT change the client sign on experience. You need to still set up the desktop applications the way that I mentioned before, either manually, or by using the Office 365 Desktop Setup tool. If you have a many different distribution groups and memberships in these groups, DirSync takes the on premises directory structure and puts it in the cloud. Dirsync CAN NOT be installed on a domain controller. Passwords can still be out of sync if they are not changed to match in both locations. With DirSync you must have your clients UPN match the SMTP address for it to work as well, if it does not, users will get a default email address. Dirsync also installs Forefront Identity Manager, and SQL 2008 Express. Using DirSync give the users a common sign in name for both On Premises servers and Office365. For example, a user can sign in as to his desktop and to Office 365. This can be problematic, if Roberts password are different in each location so when using Dirsync you need to make sure that your password expiration policies match of both ends.

Federation and Single Sign On is the next often talked about feature for Office 365. This truly does change the users sign on experience, as they get a seamless sign on experience. Configuration of the desktop applications can be done automatically, and the user gets no prompts for a username and password. This is because a Trust is created between the on premises domain, and the Office 365 domain. This is the most complicated setup of any Office 365 deployment. This requires a Federation server. This requires an ADFS Proxy Server. This requires a Domain Controller. This also requires DirSync This is a dead minimum of three servers in addition to your domain controller. All request are being authenticated by the on premises Active Directory Domain Controllers, so if the on premises servers are down, no one is able to log into Office 365.

Another option you have is using the SBS2011 Essentials Office Integrations Module (OIM). The OIM is a dashboard widget for SBS2011E that provides Password Synchronization between the SBSE installation and the Office 365 Subscription. It is important to understand that this is not Single Sign On, it is synchronization. The OIM allows you to create Office 365 Accounts, manage Office 365 Accounts and sign into the Office 365 service using the same username and password that they use on the desktop. If a user changes the password on the desktop or using Remote Web Access, it is pushed to the Office 365 Service. It is important to note that the user should not change their password on the Office 365 service, as this will break the synchronization between the OIM and Office 365 . The OIM is also available in the new Server 2012 Essentials and will provide the same functionality. You should still deploy the Sign In Assistant on each client so that you can ensure the applications are setup and configured properly. While this is the easiest way to synchronize the passwords between your on premises server and Office 365, it is only currently available on SBS2011 Essentials and is limited to twenty five users. It is recommended to disable the password expiration on Office365 if you only have users that are created by Essentials. If you have users that are not in the Essentials domain, they make sure the password policy matches on both your on premises server and the Office 365 Server

As you can see, there are four different options when it comes to working with Office 365 in your current Active Directory environment. Everyone can setup and maintain separate accounts from AD and Office 365. Dirsync adds the ability to ‘push’ AD Attributes to the Office 365 service, but requires a server that is not a Domain Controller. Federation offers Single Sign On, but it requires a complex setup and for optimal results should have several layers of redundancy. The OIM for the Essentials line of products is the most promising for the smaller businesses that want the benefits of an on premises directory server, while hosting productivity services in the cloud. The OIM offers basic password synchronization that helps users be able to easily sign to the service.

Leave a comment

Your email address will not be published. Required fields are marked *

This blog is kept spam free by WP-SpamFree.

0 thoughts on “Office 365 and Single Sign On. The Myth and the Reality.

  • Peter

    Is it possible to use OIM along with DirSync ?

    I really just need what DirSync does, but I want it to also sync passwords. I don’t care about SSO – it’s OK if users have to login again, I just don’t want them to have to change a password in two places.

  • Jason


    Just plain crackers, PCNS and FIM2010 in Live@Edu was a pain but it was at least based on having only one new server to sync changes. I have setup Live@Edu for schools with only ONE SERVER and NO IT STAFF in the whole school.

    Surely this is the flipping point of signing up for cloud services, to reduce on site tech no?

    MS have really crapped on the little guy with this nonsense… I was looking forward to helping schools become “server less” schools, to have to rely on a complicated enterprise setup to simply sync passwords just seems so dumb. A great idea for schools down the tubes…