DirSync to the Rescue

2014-05-01_13-22-11

DirSync with “password sync”, combined with Office 365 Multi-Factor Authentication, offers a sign-on experience SIMILAR to Single Sign-On without the arduous task of setting up an AD FS infrastructure.

Recently I began poking around to familiarize myself with AD FS 2012 R2 (v3.0), and I was surprised by all the forum posts I came across where customers asked “How do I migrate from AD FS to DirSync?” and “How do I un-federate?”

It was only in June 2013 that Office 365’s Directory Synchronization tool (DirSync) gained a new feature, “password sync”. This made it possible to synchronize local AD passwords with Office 365 so that the two match. Before this release, the only ways to achieve this were to set up SSO, which meant AD FS, or to find a third-party password tool.

I set out to compare the two forms of sign-on. DirSync offered “same sign-on”, whereby a user could log in to Office 365 with the same local AD account password, while AD FS offered “single sign-on”, allowing a user to access domain-dependent web and desktop apps without re-entering credentials after already authenticating to the domain. The latter is achieved through the federated trust between AD and the application.

So, why do Federated users want to switch to DirSync?

An AD FS setup, even with the new features in AD FS 2012 R2, is still recommended to be a multi-server, highly available, fault-tolerant, load-balanced and sometimes even replicated environment. Based on only 2 servers per role this could mean up to 4 servers (and 6 if you decide to use SQL in a cluster). Then if you decide to replicate this for even greater fault tolerance you’ve got 12 servers, not counting the load balancers and firewalls that would need to be implemented as well. This also assumes you installed AD FS 2012 R2 and DirSync on the domain controllers, which you can do now.

DirSync, on the other hand, installs nicely on a Domain Controller (recently supported by Microsoft), or you can opt to install it on a standalone domain-joined machine. This alone is a great reason to opt for DirSync with “password sync”. Here are some other reasons:

  • With DirSync installed, the source of authority is AD, which means user accounts are managed and mastered on-premises.
  • DirSync with “password sync” eliminates the task of managing two password policies and keeps the policy on-premises.
  • DirSync was designed as a “set it and forget it” model, with very little administration.

Combined with Office 365 Multi-Factor Authentication, you get the following options as a second authentication factor (see http://blogs.office.com/2014/02/10/multi-factor-authentication-for-office-365/):

  • Call my mobile phone. The user receives a phone call that asks them to press the pound key. Once the pound key is pressed, the user is logged in.
  • Text code to my mobile phone. The user receives a text message containing a six-digit code that they must enter into the portal.
  • Call my office phone. This is the same as Call my mobile phone, but it enables the user to select a different phone if they do not have their mobile phone with them.
  • Notify me through app. The user has configured a smartphone app and receives a notification in the app that they must confirm to complete the login. Smartphone apps are available for Windows Phone, iPhone, and Android devices.
  • Show one-time code in app. The same smartphone app is used. Instead of receiving a notification, the user starts the app and enters the six-digit code from the app into the portal.

You can also opt to enable App Passwords alongside second-factor authentication:

Users who are enrolled for multi-factor authentication are required to configure App Passwords in order to use Office desktop applications, including Outlook, Lync, Word, Excel, PowerPoint, and SkyDrive Pro.

So, as I said above, DirSync with “password sync” combined with Office 365 Multi-Factor Authentication provides an option SIMILAR to AD FS with SSO, with little to set up but lots to gain in terms of security and ease of management.