Back

Single Sign-On Between Azure and Office 365 with AD Sync

A lot of people dont realize there will be 2 very interesting features in Office 365 which makes connecting the dots with your onpremise environment...

4 min read
Published on Mar 13, 2011
Single Sign-On Between Azure and Office 365 with AD Sync

A lot of people don’t realize there will be 2 very interesting features in Office 365 which makes connecting the dots with your on-premise environment and Windows Azure easy. The 2 features are directory sync and federation. It means you can use your AD account to access local apps in your on-premise environment; just like you always have. You can also use the same user account and login process to access Office 365 up in the cloud, and you could either use federation or a domain-joined application running in Azure to also use the same AD account and achieve single-sign-on.

Extending the model to the cloud

Windows Azure Connect (soon to be released to CTP) allows you to not only create virtual private networks between machines in your on-premise environment and instances you have running in Windows Azure, but it also allows you to domain-join those instances to your local Active Directory. In that case, the model I described above works exactly the same, as long as Windows Azure Connect is configured in a way to allow the client computer to communicate with the web server (which is hosted as a domain-joined machine in the Windows Azure data centre). The diagram would look like this and you can followed the numbered points using the list above:

Extending the model to the cloud

Diagram 2: Extending AD in to Windows Azure member servers

Office 365

Office 365 uses federation to “extend” AD in to the Office 365 Data Centre. If you know nothing of federation, I’d recommend you read my federation primer to get a feel for it.

The default way that Office 365 runs, is to use identities that are created by the service administrator through the MS Online Portal. These identities are stored in a directory service that is used by Sharepoint, Exchange and Lync. They have names of the form:

[email protected]

However if you own your own domain name you can configure it in to the service, and this might give you:

[email protected]

…which is a lot more friendly. The thing about MSOLIDs that are created by the service administrator, is that they store a password in the directory service. That’s how you get in to the service.

Directory Synchronization

However you can set up a service to automatically create the MSOLIDs in to the directory service for you. So if your Active Directory Domain is named plankytronixx.com then you can get it to automatically create MSOLIDs of the form [email protected]. The password is not copied from AD. Passwords are still mastered out of the MSOLID directory.

Directory Synchronization

Diagram 3: Directory Sync with on-premise AD and Office 365

The first thing that needs to happen, is that user entries made in to the on-premise AD, need to have a corresponding entry made in to the directory that Office 365 uses to give users access. These IDs are known as Microsoft Online IDs or MSOLIDs. This is achieved through directory synchronization. Whether directory sync is configured or not – the MS Online Directory Service (MSODS) is still the place where passwords and password policy is managed. MS Online Directory Sync needs to be installed on-premise.

When a user uses either Exchange Online, Sharepoint Online or Lync, the Identities come from MSODS and authentication is performed by the identity platform. The only thing Directory Sync really does in this instance is to ease the burden on the administrator to use the portal to manually create each and every MSOLID.

One of the important fields that is synchronised from AD to the MSODS is the user’s AD ObjectGUID. This is a unique immutable identifier that we’ll come back to later. It’s rename safe, so although the username, UPN, First Name, Last Name and other fields may change, the ObjectGUID will never change. You’ll see why this is important.

Read the complete article @> Single-sign-on between on-premise apps, Windows Azure apps and Office 365 services. - Plankytronixx - Site Home - MSDN Blogs

This post has matured and its content may no longer be relevant beyond historical reference. To see the most current information on a given topic, click on the associated category or tag.

Related Posts

Critical Data Backup in Azure | Identify & Protect What Matters

Identifying Critical Data and Applications for Backup in Azure

Learn how to identify and prioritize your critical data and applications for backup in Azure to reduce risk, ensure business continuity, and meet compliance requirements.

Oct 3, 2025
5 min read
Microsoft 365 Backup Compliance | Key Risks & Best Practices

Compliance Considerations When Backing Up Microsoft 365 Data

Ensure your Microsoft 365 backups meet compliance requirements for CMMC, NIST 800-171, and other regulations. Learn key considerations to avoid violations.

Oct 3, 2025
6 min read
Azure Backup Needs Assessment | Plan Your Cloud Data Protection

Assessing Your Organization's Backup Needs for Azure Workloads

Learn how to assess your backup needs for Azure workloads, from compliance and recovery objectives to choosing the right tools for data protection and resilience.

Sep 26, 2025
6 min read
CUI Compliance and the Role of MSPs

Overview of CUI Compliance and the Role of MSPs

Explore the essentials of CUI compliance and how MSPs support DFARS, NIST 800-171, and ITAR requirements through secure IT services and expert guidance.

Sep 26, 2025
7 min read
Evaluating Data Retention Policies for Microsoft 365 and Azure

Evaluating Data Retention Policies for Microsoft 365 and Azure

Learn how to evaluate and manage data retention policies in Microsoft 365 and Azure to meet compliance, security, and operational needs.

Sep 26, 2025
6 min read
How MSPs Help Meet CUI Compliance Requirements

How MSPs Help Organizations Meet CUI Compliance Requirements

Learn how MSPs help organizations meet CUI compliance by offering expertise, secure environments, and ongoing support for DFARS and NIST 800-171 standards.

Sep 26, 2025
7 min read

Ready to Secure and Defend Your Data
So Your Business Can Thrive?

Fill out the form to see how we can protect your data and help your business grow.

Loading...
Secure. Defend. Thrive.

Let's start a conversation

Discover more about Agile IT's range of services by reaching out.

Don’t want to wait for us to get back to you?

Schedule a Free Consultation

Location

Agile IT Headquarters
4660 La Jolla Village Drive #100
San Diego, CA 92122