In May 2014 Microsoft made available an important update for federated authentication to Office 365 and Microsoft Azure. This update is not very known so far so I hope this blog helps to understand the benefit of this update!
Lets start with some basics about authentication for Microsoft cloud based services.
Authentication for Microsoft online cloud based services like Office 365 and Microsoft Azure can be performed using three models:
- Cloud Identity (also known as Standard authentication) using cloud based username and password stored in Windows Azure Active Directory. Usernames are typically useraccount@<organization>.onmicrosoft.com
- Synchronized Identity (also known as Managed Authentication) allowing synced usernames and passwords with on-premises Active Directory as source
- Federated identity (Federated Authentication) allowing Single Sign-On to Microsoft Office 365 & Azure because of a federation with an on-premisis Active Directory
A very good post by Microsoft on identify is titled Choosing a sign-in model for Office 365.
Federated identity enables users which are authenticated to on-premises Active Directory to access Office 365 and Azure without additional authentication (Single Sign-On). To enable such a scenario several servers are required to be installed in the on-premises environment. In many cases redundancy of roles like Active Directory Federation Services (AFDS) is required. The reason for this is that if ADFS is not available users will not be able to authenticate to Office 365 and Azure. Active Directory is the single source for authentication in this scenario.
This has changed now! Since May 2014 Synchronized Identity can be used as a backup in case Federated identity is not available because of a failure (server crash, internet connection to on-premises failed, power failure etc).
Introducing Synchronized Identity
Synchronized Identity enables users to use their AD username and password to sign in to Office 365, Azure etc.
Synchronized Identity is enabled by installing a free Microsoft tool called Dirsync. Dirsync will synchronize useraccounts plus passwords from AD to Windows Azure Active Directory (WAAD). WAAD is a multi-tenant implementation of Active Directory. It is used for authentication services by Office 365 and Microsoft Azure. Dirsync hashes the password. Dirsync is very easy to install and straightforward to use. There are hardly any issues reported.
Dirsync however does not allow Single Sign on.
To make life easier for users Federated Identity can be used. Configuration for this model is not as easy as using Dirsync. Several servers are required to be installed on-premises.You need dedicated IPs, proxies, certificates, load balancers which are not free, and set quite a few security policies.
Before Microsoft added the Password sync option in Dirsyc the only userfriendly way tp authenticate to Office 365 was using ADFS.
Dirsyc is required for Federated Identity. At sign in a check is performed if a valid useracount is used for authentication. Federated Identity does not check the password to WAAD. WAAD trusts the on-premises ADFS as a ‘password’ provider.
You now understand availability of ADFS is critical! If it does not work your users will not be able to authenticate as there is no way to check the password. Even when the hashed password of the user is stored in WAAD, it would not be used if the domain was configured for Federated Identity.
However in May 2014 Microsoft made a change in WAAD. User accounts can now be configured for BOTH Single Sign-on as well as for password synchronization (. This enables a fall back if ADFS Federated Identity is not available.
How to perform a temporary switch to Synchronized Identity
WAAD will not automatically fall back to Synchronized Identity when Single Sign-On is not possible because of a failure in connecting to ADFS. Administrators will have to manual switch back to Synchronized Identity.
The temporary switch from Federated Identity to Synchronized Identity takes two hours plus an additional hour for each 2,000 users in the domain.
You will need to use the Windows Azure Active Directory Module for Windows PowerShell to switch a namespace from Federated (Single Sign-On) to Managed (password sync).
Use this PowerShell command for a temporary switch to Synchronized Identity
Convert-MSOLDomainToStandard –DomainName <federated domain name> -SkipUserConversion $true -PasswordFile c:userpasswords.txt
For detailed instructions read this post