Essential Guide

The essential Office 365 migration guide

A comprehensive collection of articles, videos and more, hand-picked by our editors

Is Password Sync better than AD FS for Office 365 identity management?

Can DirSync's Password Synchronization feature compete with AD FS for Office 365 identity management?

Exchange admins have a couple of choices when it comes to Office 365 identity management. In the Password Synchronization versus AD FS battle, which tool will come out on top for your needs?

Last year, Microsoft updated its Windows Azure Active Directory synchronization tool, or DirSync; the update added a feature called Password Synchronization that synchronizes end users' passwords to the cloud. Before the update, Active Directory Federation Services (AD FS) was the only option that let Office 365 end users access services with their on-premises passwords.

To help decide which password sync feature is the better fit, let's take a closer look at each option and compare the Password Synchronization feature in DirSync with AD FS.

The differences between Password Sync and AD FS

Before delving into the specifics of Password Synchronization, it's important to understand its key differences from AD FS. Comparing the Password Sync feature to AD FS on a technical level would be like comparing apples and oranges, even though both tools deliver a similar end-user experience: in each case, end users can access Office 365 services with their on-premises password.

But AD FS works in an entirely different way from password synchronization. The best way to illustrate this difference is to walk through the log-on process for each option.

Consider a scenario in which an end user logs in to the Office 365 portal (portal.microsoftonline.com). If an account is federated and uses AD FS, the following happens:

  1. The user types his username (User Principal Name) into the username field.
  2. As soon as the username is typed, Office 365 will check whether the domain name derived from the User Principal Name is a regular or federated domain.
  3. The authentication platform, Windows Azure, finds that the domain is federated and will redirect the user's browser to their AD FS endpoint to "fetch" an AD FS token.
  4. The user authenticates against the AD FS server, which validates the credentials against Active Directory and, if they are valid, issues a logon token. The end user is then redirected back to the Office 365 authentication platform.
  5. The Windows Azure authentication platform will now accept the AD FS token and use that to authenticate the end user.
  6. The end user is authenticated and redirected to the portal.

The process is different for the Password Sync feature. The key difference between the two scenarios is who acts as the identity provider: with AD FS, the on-premises Active Directory validates the credentials; with password sync, Windows Azure is the identity provider and validates the user's credentials against the values stored in its own database.

  1. The user types his username (User Principal Name) into the username field.
  2. As soon as the username is typed in, Office 365 will check whether the domain name derived from the User Principal Name is a regular or federated domain.
  3. The authentication platform, Windows Azure, finds that the domain is a non-federated domain and won't take any action.
  4. The end user enters his password in the password field and clicks the Sign in button. The authentication platform receives the user's credentials and will validate them against the username/password in its database. Since the password was synchronized on-premises, it will be the same as the user's Active Directory password.

Apart from some configuration differences, the end-user experience is almost identical in each scenario. A synchronized password overrides cloud-based password complexity requirements as well as password age requirements, just like AD FS. So if the experience is almost the same, why choose AD FS, which requires one or more on-premises servers, over the Password Sync feature integrated with the DirSync tool?

Password Sync vs. AD FS: advantages and disadvantages

With AD FS, you can granularly control who's allowed to authenticate using Client Access Policies; this isn't possible with Password Sync.

The Password Sync feature can also lead to confusing situations in which the password stored in Windows Azure is different from the on-premises password, despite its synchronization, such as when an administrator resets an end user's password in Office 365. At that point, the user's password in Windows Azure will change and DirSync won't trigger a new password synchronization until the end user changes his on-premises password.
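As an added illustration that is not code from the article or from Microsoft, the following Python model walks through the two sign-in flows described above (home-realm discovery, the AD FS token round-trip, and cloud-side validation of a synchronized value) and then reproduces the admin-reset divergence just described. The domain names, accounts, passwords, signing key and the "hash of a hash" derivation are all constructed stand-ins: real AD FS signs tokens with a certificate and real DirSync uses its own derivation, neither of which this code reproduces.

```python
import hashlib
import hmac
import secrets

# Constructed sample data; in reality these live in on-premises AD and Windows Azure AD.
FEDERATED_DOMAINS = {"contoso.example"}            # domains whose identity provider is AD FS
ON_PREM = {                                         # toy on-premises Active Directory
    "alice@contoso.example": {"pwd_hash": None, "enabled": True},
    "bob@fabrikam.example":  {"pwd_hash": None, "enabled": True},
}
CLOUD = {}                                          # toy Windows Azure AD password store
ADFS_SIGNING_KEY = secrets.token_bytes(32)          # constructed; real AD FS uses a token-signing certificate


def h(data: str) -> str:
    """Stand-in one-way hash (the real directory stores an NT hash, not SHA-256)."""
    return hashlib.sha256(data.encode()).hexdigest()


def set_on_prem_password(upn: str, password: str) -> None:
    """User changes password in Active Directory; DirSync picks it up for non-federated domains."""
    ON_PREM[upn]["pwd_hash"] = h(password)
    if upn.split("@", 1)[1].lower() not in FEDERATED_DOMAINS:
        sync_password(upn)


def sync_password(upn: str) -> None:
    """Only a hash of the stored hash leaves the network; the cleartext password never does."""
    CLOUD[upn] = h("sync:" + ON_PREM[upn]["pwd_hash"])


def cloud_admin_reset(upn: str, new_password: str) -> None:
    """Admin resets the password in Office 365: the cloud value changes, on-premises does not."""
    CLOUD[upn] = h("sync:" + h(new_password))


def adfs_issue_token(upn: str, password: str):
    """AD FS validates against Active Directory on every logon and issues a signed token."""
    acct = ON_PREM.get(upn)
    if not acct or not acct["enabled"] or acct["pwd_hash"] is None:
        return None
    if not hmac.compare_digest(acct["pwd_hash"], h(password)):
        return None
    nonce = secrets.token_hex(8)
    sig = hmac.new(ADFS_SIGNING_KEY, f"{upn}|{nonce}".encode(), "sha256").hexdigest()
    return f"{upn}|{nonce}|{sig}"


def cloud_accept_token(token: str) -> bool:
    """Windows Azure accepts the AD FS token only if the signature verifies."""
    try:
        upn, nonce, sig = token.split("|")
    except ValueError:
        return False
    expected = hmac.new(ADFS_SIGNING_KEY, f"{upn}|{nonce}".encode(), "sha256").hexdigest()
    return hmac.compare_digest(sig, expected)


def sign_in(upn: str, password: str) -> str:
    """Home-realm discovery: the domain part of the UPN decides which flow runs."""
    domain = upn.split("@", 1)[1].lower()
    if domain in FEDERATED_DOMAINS:                 # steps 3-6 of the federated flow
        token = adfs_issue_token(upn, password)
        return "federated:ok" if token and cloud_accept_token(token) else "federated:denied"
    stored = CLOUD.get(upn)                         # step 4 of the password-sync flow
    if stored and hmac.compare_digest(stored, h("sync:" + h(password))):
        return "synced:ok"
    return "synced:denied"


def run_scenario() -> dict:
    """Replays the article's cases and returns the observed outcomes."""
    out = {}
    set_on_prem_password("alice@contoso.example", "Winter2014!")
    set_on_prem_password("bob@fabrikam.example", "Spring2014!")
    out["adfs_valid"] = sign_in("alice@contoso.example", "Winter2014!")
    out["adfs_wrong_pwd"] = sign_in("alice@contoso.example", "nope")
    ON_PREM["alice@contoso.example"]["enabled"] = False        # AD FS consults AD each time
    out["adfs_disabled"] = sign_in("alice@contoso.example", "Winter2014!")
    out["sync_valid"] = sign_in("bob@fabrikam.example", "Spring2014!")
    cloud_admin_reset("bob@fabrikam.example", "Temp#1")         # reset in Office 365 only
    out["sync_after_reset_old"] = sign_in("bob@fabrikam.example", "Spring2014!")
    out["sync_after_reset_new"] = sign_in("bob@fabrikam.example", "Temp#1")
    set_on_prem_password("bob@fabrikam.example", "Summer2014!")  # next on-prem change re-syncs
    out["sync_after_change"] = sign_in("bob@fabrikam.example", "Summer2014!")
    out["sync_stale_cloud_pwd"] = sign_in("bob@fabrikam.example", "Temp#1")
    return out


if __name__ == "__main__":
    for case, result in run_scenario().items():
        print(f"{case:24} {result}")
```

The `run_scenario()` output makes the two differences concrete: in the federated path the decision is made on-premises at every logon, so disabling the account takes effect immediately, whereas in the synchronized path the cloud store is authoritative and stays out of step after a cloud-side reset until the next on-premises password change pushes a fresh value.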

There's also the question of scalability. The Password Sync feature makes sense for smaller environments, since password changes are picked up fairly quickly. In my personal tests, I haven't been able to outrun password synchronization; every time I changed my password on-premises, it had already changed in Office 365 by the time I got to the portal to log in. Despite this observation, it is fair to ask whether the experience would be similar in larger environments. Until more companies implement it and more information is publicly available, AD FS is a safe choice, because a single AD FS server can easily serve thousands of end users.

Is Password Sync security a concern?

The term "password synchronization" makes many security managers unnecessarily shiver with fear. At no point is the actual password synchronized between your on-premises environment and the cloud; what is synced is a secure key derived from a hash of a hash of the password. All communication is also encrypted, because it happens over SSL. Even if an attacker could break the SSL channel, he would end up with a hashed value of the password, which is completely useless.

Beyond the obvious technical differences between AD FS and the Password Sync feature, there are many nuances that make each option stand out, depending on your needs. We have only scratched the surface of each option, and there are many factors to take into account when choosing between them. I recommend enterprises look into Password Synchronization; I believe many companies could benefit from Password Sync over AD FS.

About the author:
Michael Van Horenbeeck is a technology consultant, Microsoft Certified Trainer and Exchange MVP from Belgium, mainly working with Exchange Server, Office 365, Active Directory and a bit of Lync. He has been active in the industry for 12 years and is a frequent blogger, a member of the Belgian Unified Communications User Group Pro-Exchange and a regular contributor to The UC Architects podcast.

This was last published in January 2014


Do you prefer Password Sync or AD FS for identity management in Office 365? Why?
ADFS (Federation) is better for security reasons. If a person's Active Directory account is disabled or deleted you cannot achieve single sign-on (i.e., use ADFS) to get access to O365. However, if you are using password synchronization it would be possible to be disabled in your corporate Active Directory but still be able to log on to O365.

ADFS is "simpler" from the overall mechanics of the solution. The only downside is that for ADFS a company needs some expertise to set it up *or* they need to purchase a commercial solution. In smaller companies this may be a drawback and a rationale for password synchronization. You just need to understand the security ramifications of using password sync.

Jackson Shaw
Dell Software
I prefer ADFS; not sure about the SSO when using ADFS in Windows 2012. I have a test environment using ADFS 3.0 and Web Application Proxy (Windows 2012R2) and I'm sure I will lose the SSO between different SharePoint WebApps and Outlook Web Access with only password sync.
Regards,
Arnstein Fuglemsmo
Enable AS - http://www.enable.no
Trondheim - Norway
About my last post. The Win2012R2 thing is only when you have SharePoint and Exchange on-premise. But I'm still curious about SSO and drawbacks when using password sync?

Arnstein Fuglemsmo
www.enable.no
Security policies are driving factors for such discussions in the enterprise world where federation might be a requirement for the reason provided by JacksonS below.
I would also recommend looking beyond web apps because desktop rich clients (Outlook) need to be considered from a user experience perspective. As far as SSO from Outlook is concerned, I presume that the note from Arnstein holds true.
your only online service is Office365 having to type in their passwords repeatedly then you probably don't need ADFS. ADFS gives you Single Sign On, meaning that when you are on a computer and have already authenticated, an SSO token is stored on your computer, and when you access Office 365 services your computer will transmit the token to the Office365 service, which means that you usually won't need to type in your username and password. That is Single Sign On: you signed on a single time and can now access many services.
Public Cloud servers have Security issues, Three-Letter agency access.
If you configure your corporate Internet Explorer policy correctly you can use the credentials of the local user to sign in to ADFS, thus removing the need to actually sign in. To some extent this creates a single sign-on experience.
What about SSO when using password sync?
Web Application Proxy in conjunction with ADFS 3.0 in Win2012R2 introduces SSO between different applications, e.g. between SharePoint web apps and Outlook Web App.