Should I Use Active Directory Synchronization or Federation?
In the last few months, I’ve had many customers looking to move to Office 365 ask what the difference was between Active Directory Synchronization and Active Directory Federation. These customers needed to manage user identities and credentials in the cloud and wanted to know how these alternative solutions stack up in terms of capabilities, cost and user experience. Below is a quick overview of the differences between Active Directory Synchronization and Federation.
What is Directory Synchronization?
Directory Synchronization is the integration of your on-premises Active Directory with an instance of Active Directory running in the Azure cloud. Synchronization essentially makes a copy of the on-premises directory objects and then propagates them to an Active Directory instance in the Azure cloud. After that, synchronization runs on a scheduled basis to push changes from the on-premises directory to the cloud instance. With few exceptions, synchronization only goes from on-premises to the cloud. If one were to create a new user in the Azure Active Directory tenant, that user would live only in the cloud and would never be propagated down to the on-premises directory. This creates a cloud-only identity (see the table below) which has its own login credentials and identity for Office 365 applications.
Over the years, there have been several products to perform directory synchronization: FIM, Microsoft's Directory Synchronization tool (affectionately known as DirSync) and Azure Active Directory Sync Services (commonly referred to as AAD Sync). AAD Sync was the replacement for DirSync; however, both tools are being deprecated by Microsoft in favor of Azure Active Directory Connect.
Since directory synchronization is much simpler to configure than single sign-on (SSO), the benefits of synchronization make it a great choice for many customer scenarios.
What is Federation?
Active Directory Federation Services (AD FS) can be used to provide federation and single sign-on capabilities for end users who want to access Office 365 applications. Windows Server 2012 R2 includes an AD FS role that can function as an identity provider or as a federation provider. An identity provider authenticates users to provide security tokens to applications that trust AD FS (e.g. Office 365 applications). A federation provider consumes tokens from other identity providers and then provides security tokens to applications that trust AD FS.
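The distinction above (synced versus cloud-only identities, managed versus federated domains) can be audited from the tenant side. The following script is an added example, not part of the original post; it assumes the MSOnline PowerShell module is installed and that the signed-in account is allowed to read the tenant, and the names it prints come from your own tenant.

```powershell
# Added example (not from the original post): report which domains are federated
# vs. managed and which users are synced from on-premises vs. cloud-only.
# Assumes the MSOnline module is installed and the caller can read the tenant.

Import-Module MSOnline
Connect-MsolService   # interactive sign-in to the tenant

# Tenant-level view: is directory synchronization enabled, and when did it last run?
$company = Get-MsolCompanyInformation
"DirSync enabled : $($company.DirectorySynchronizationEnabled)"
"Last sync time  : $($company.LastDirSyncTime)"

# Per-domain authentication type: a 'Federated' domain hands sign-in to AD FS,
# a 'Managed' domain authenticates against the credential held in Azure AD.
Get-MsolDomain |
    Select-Object Name, Authentication, Status |
    Format-Table -AutoSize

# Per-user origin: a synced object carries an ImmutableId (the on-premises source
# anchor) and a LastDirSyncTime; a cloud-only identity has neither and is governed
# only in the cloud, outside on-premises joiner/mover/leaver processes.
$users     = Get-MsolUser -All
$synced    = $users | Where-Object { $_.ImmutableId }
$cloudOnly = $users | Where-Object { -not $_.ImmutableId }

"Synced users    : $($synced.Count)"
"Cloud-only users: $($cloudOnly.Count)"

# List the cloud-only accounts for review, since their lifecycle is not driven
# by the on-premises directory.
$cloudOnly |
    Select-Object UserPrincipalName, LastDirSyncTime, BlockCredential |
    Sort-Object UserPrincipalName |
    Format-Table -AutoSize
```

Run it after enabling synchronization and again after any federation change to confirm the domain and user states match what you intended.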
Comparison Summary
AAD Connect
[Table: solution advantages and disadvantages of AAD Connect]
ADFS
[Table: solution advantages and disadvantages of AD FS]
What is the end user experience?
Directory synchronization does not provide SSO: a user who is already logged in on-premises will still have to log in separately to Office 365. However, since the end user only has to remember one login and password, the experience appears very similar (even though in reality there are two different credentials). Office 365 will prompt for credentials when, for instance, a user accesses his mailbox in Exchange Online even though he is logged onto a domain-joined client. When the application supports “remembering” or caching the login credentials (such as Outlook), the experience is even closer to SSO, because the only time the user is prompted for credentials is on the first connection, after a password change or possibly after a configuration change.
Synchronization should not be seen as a replacement for AD FS, but as an alternative for those that find it sufficient that users have the same password in Office 365 as they do on-premises.
Expected Application Experience
| | Outlook Web Access (OWA) | Outlook 2010/2013 | ActiveSync | SharePoint, OneDrive, Office Web Apps | Skype for Business |
|---|---|---|---|---|---|
| Cloud Identity | Prompt for credentials on first connect and on password change; can remember credentials | Prompt for credentials on first connect and on password change; can remember credentials | Prompt for credentials on first connect and on password change; can remember credentials | Prompt for credentials on first connect and on password change; can remember credentials | Prompt for credentials on first connect and on password change; can remember credentials |
| AAD Sync/Connect | Prompt for credentials on first connect and on password change; can remember credentials | Prompt for credentials on first connect and on password change; can remember credentials | Prompt for credentials on first connect and on password change; can remember credentials | Prompt for credentials on first connect and on password change; can remember credentials | Prompt for credentials on first connect and on password change; can remember credentials |
| AD FS (3.0) | Internal: transparent; External: forms-based prompt | Prompt for credentials on first connect and on password change; can remember credentials | Prompt for credentials on first connect and on password change; can remember credentials | Internal: pop-up to sign in; External: forms-based prompt | Transparent |
How complex is your environment?
Many clients find that the added complexity, cost and maintenance effort of AD FS outweigh the almost imperceptible differences between synchronization and federation for straightforward use cases. However, that might change for clients who have more complex use cases requiring multiple identity providers or who have applications hosted in multiple cloud environments. The good news is that you can start with synchronization and then federation can be added as requirements dictate.