DirSync a backup sign-on for SSO


In a recent blog post from Blogs.office.com, “Choosing a Sign-in Model for Office 365”, we are informed that DirSync with password sync can now be used as a “backup sign-on” in the event our existing on-premises single sign-on infrastructure becomes unavailable.

This is great news, considering that if we lost SSO functionality or suffered a catastrophic failure in our federated environment, we would lose the ability to authenticate to Office 365 or to any web applications we might have published via WAP. Earlier, our recourse would have been to switch to Password Sync exclusively (unfederate our domains) while troubleshooting the cause of our failed SSO infrastructure. Now we are able to “switch”, on a per-domain basis, to using the synchronized password hashes for user sign-in while we resolve the infrastructure incident.

Should you elect or need to switch temporarily, the process is as simple as part of one PowerShell cmdlet:

If you are temporarily switching to use synchronized passwords while you are repairing your SSO infrastructure, set -SkipUserConversion to $true.

If you are permanently decommissioning your SSO Infrastructure, set -SkipUserConversion to $false to ensure users are converted correctly.
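The switch described above can be scripted as follows. This is an added example, not code from the original post: it assumes the cmdlet in question is `Convert-MsolDomainToStandard` from the MSOnline module, and the domain name and password file path are placeholders.

```powershell
# Added example: switch one federated domain to password-sync sign-in.
# Assumptions: MSOnline module is installed, password sync is already enabled
# in DirSync, and the domain / file path below are placeholders.
param(
    [string]$DomainName   = 'contoso.example',             # placeholder domain
    [string]$PasswordFile = 'C:\Temp\converted-users.txt', # placeholder path
    [bool]  $Temporary    = $true   # $true: SSO is being repaired; $false: SSO is being decommissioned
)

Import-Module MSOnline
Connect-MsolService   # prompts for tenant administrator credentials

# Only act on a domain that is currently federated.
$domain = Get-MsolDomain -DomainName $DomainName -ErrorAction Stop
if ($domain.Authentication -ne 'Federated') {
    Write-Warning "$DomainName is already '$($domain.Authentication)'; nothing to convert."
    return
}

# -SkipUserConversion $true  -> temporary switch, users are left unconverted.
# -SkipUserConversion $false -> permanent switch, users are converted and the
#                               password file records them, so restrict access to it.
Convert-MsolDomainToStandard -DomainName $DomainName `
    -SkipUserConversion $Temporary `
    -PasswordFile $PasswordFile

# Confirm the domain now authenticates against the synchronized password hashes.
$after = (Get-MsolDomain -DomainName $DomainName).Authentication
if ($after -eq 'Managed') {
    Write-Output "$DomainName now uses managed (password sync) sign-in."
} else {
    Write-Error "$DomainName still reports '$after'; the switch did not take effect."
}
```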

Full details on exclusive and temporary switching from SSO to DirSync with password sync can be found HERE