Aaron Russo - Senior Manager for Tech Sales Data Center
Aaron Russo
Senior Manager for Tech Sales Data Center
Jeff Stork - Software Delivery Practice Manager
Jeff Stork
Senior Service Manager
Lane Shelton - Vice President of Software Business Development
Lane Shelton
Vice President of Software Business Development
Tony Dancona - Vice President of VMware EUC
Tony Dancona
VP VMware EUC, Solutions and Services
»See All Authors
Patrick Renzi - Partner Development Specialist

Is Single Sign-On Right for Your Users?

How Microsoft Online Services Can Fit into Your Organization

|

Efficiency is important in business at all levels. The last thing a business needs to do is introduce complications into their day-to-day operations. Unfortunately, upgrading the technology your business operates on can have this effect. However, if you’re switching to Microsoft online services, Azure Active Directory is here to alleviate that complexity.

536373-IsSingleSign-OnRightforYourUsers_MediumWhen implementing any of Microsoft user-centric cloud services (their SaaS line of cloud apps) one of the first things you should consider is your users’ credentialing habits and how they normally prefer to access applications. As the most popular and widely adopted SaaS platform Microsoft has, Exchange Online will serve as our example. Exchange servers being run locally require that your infrastructure have Active Directory control and administer your user identities and credentialing. This makes the email access process very simple on the user’s end of things. Simply log into your system in the morning, and the authentication handles both access to network services as well as your Exchange mailbox. Mail will simply flow to the client as you’d expect, and you are free to work using this one login. How does moving the Exchange service off site affect this?  

 Since your Exchange user’s credentials now exist on a separate Active Directory Domain (Azure AD) than their primary identities, they won't natively communicate. It’s here that you need to make a few decisions. Microsoft currently allows two unique credentialing habits that your users can take advantage of:

1. Cloud Only Accounts 

2. AD Connect:

  • AD Connect with password sync
    • AD Connect with pass-through authentication
  • Federated single sign-on with Active Directory Federation Services (ADFS)

 

Each option provides benefits as well as challenges that need to be considered:

  • Cloud Only Accounts: Your users have separate identities and passwords for user accounts within the Office 365 cloud with no association to on-premises AD identity. This is the easiest method to enable, but it also affords the least familiarity for users. User accounts will remain separate, and two separate login scripts need to happen. Although Outlook login can remain “remembered” for ups to 90 days, passwords can fall out of sync with on-premises accounts. 
  • AD Connect with password sync: Setting up the AD Connect tool requires you to enable a separate VM environment, but allows for users to have a familiar login experience, using their existing email address and on-premises domain password to log into their exchange online mailbox. Passwords remain connected to on-premises policy using the AD Connect ongoing sync feature.
  • AD Connect with pass-through authentication: A new feature of Azure AD Connect that is currently in preview, pass-through authentication allows organizations to have a single sign-on experience without the need to either sync passwords off premises or require costly ADFS infrastructure. Pass- through authentication allows users to authenticate directly to an Azure Active Directory sign-on page. The sign-on attempt gets routed for validation from the AD Connect tool, and when it is validated successfully, a sign-on token is generated for the user to open access to local services.
  • Federated single sign-on with ADFS: Using ADFS for identity federation requires the most infrastructure, but does still allow a few features over the new pass-through authentication capability of AD Connect. Users will authenticate to the ADFS login page directly, and the ADFS application then requests validation from your local Domain Controller. Assuming it is validated successfully, a simultaneous sign-on request is routed to the Azure Active Directory sign-on page as well as any third-party LDAP you have federated.  

  

Given what we've covered, it’s easy to see why cloud technologies can have a big impact on your users’ day-to-day work. The experts on Connection’s Microsoft Cloud Team are ready to help you achieve your goals from start to finish. Contact an Account Manager today to learn how we can take you from “What else do we need to know?” to “What else can we accomplish?” 


For more than 30 years, the Connection family of companies has been trusted to provide and transform technology into complete solutions. For more information, drop us a line.