Single Sign-On Between Azure and Office 365 with AD Sync

4 min read
Published on Mar 13, 2011
A lot of people don’t realize there will be 2 very interesting features in Office 365 that make connecting the dots between your on-premise environment and Windows Azure easy. The 2 features are directory sync and federation. Together they mean you can use your AD account to access local apps in your on-premise environment, just as you always have; you can use the same user account and login process to access Office 365 up in the cloud; and you can use either federation or a domain-joined application running in Azure to reach the same AD account and achieve single sign-on.

Extending the model to the cloud

Windows Azure Connect (soon to be released to CTP) allows you not only to create virtual private networks between machines in your on-premise environment and instances you have running in Windows Azure, but also to domain-join those instances to your local Active Directory. In that case, the model I described above works exactly the same, as long as Windows Azure Connect is configured so that the client computer can communicate with the web server (which is hosted as a domain-joined machine in the Windows Azure data centre). The diagram would look like this, and you can follow the numbered points using the list above:

Diagram 2: Extending AD in to Windows Azure member servers

Office 365

Office 365 uses federation to “extend” AD into the Office 365 Data Centre. If you know nothing of federation, I’d recommend you read my federation primer to get a feel for it.

By default, Office 365 uses identities that are created by the service administrator through the MS Online Portal. These identities are stored in a directory service that is used by SharePoint, Exchange and Lync, and they have names of the form:

[email protected]

However, if you own your own domain name you can configure it into the service, which might give you:

[email protected]

…which is a lot more friendly. The thing about MSOLIDs that are created by the service administrator is that they store a password in the directory service; that password is how you get into the service.

Directory Synchronization

However, you can set up a service to create the MSOLIDs in the directory service for you automatically. So if your Active Directory domain is named plankytronixx.com, it can automatically create MSOLIDs of the form [email protected]. The password is not copied from AD; passwords are still mastered in the MSOLID directory.

Diagram 3: Directory Sync with on-premise AD and Office 365

The first thing that needs to happen is that user entries made in the on-premise AD need a corresponding entry in the directory that Office 365 uses to give users access. These IDs are known as Microsoft Online IDs, or MSOLIDs, and the entries are created through directory synchronization. Whether directory sync is configured or not, the MS Online Directory Service (MSODS) is still the place where passwords and password policy are managed. MS Online Directory Sync needs to be installed on-premise.

When a user uses Exchange Online, SharePoint Online or Lync, the identities come from MSODS and authentication is performed by the identity platform. The only thing Directory Sync really does in this case is ease the burden on the administrator, who would otherwise have to use the portal to create each and every MSOLID by hand.

One of the important fields synchronised from AD to MSODS is the user’s AD ObjectGUID. This is a unique, immutable identifier that we’ll come back to later. It is rename-safe: although the username, UPN, first name, last name and other fields may change, the ObjectGUID never changes. You’ll see why this is important.
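To make the ObjectGUID point concrete, here is an added illustration (it is not Planky’s code and not Microsoft’s DirSync tool) that simulates a sync run twice, anchoring the cloud object once on ObjectGUID and once on UPN, with the user renamed in AD between the two runs. The record shapes, the sync function and the sample user are assumptions constructed for this example; the only value borrowed from the post is the plankytronixx.com domain. It also shows why the cloud-mastered password survives a sync: passwords are simply not in the synchronised attribute set.

```python
"""Directory sync simulation: why the AD ObjectGUID is the anchor.

Added example for this post. It is not Planky's code and not Microsoft's
DirSync tool; record shapes, attribute names and the sync function are
assumptions made for illustration only.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple


@dataclass
class AdUser:
    object_guid: str   # immutable AD identifier; never changes on rename
    upn: str
    given_name: str
    surname: str
    # The AD password (hash) is deliberately absent: it is not exported.


@dataclass
class CloudUser:
    """An MSOLID as it lives in MSODS (simplified, assumed shape)."""
    source_anchor: str                      # copy of the AD ObjectGUID
    upn: str
    given_name: str
    surname: str
    cloud_password: Optional[str] = None    # mastered in MSODS, set via portal


# Attributes written by sync. cloud_password is intentionally not here.
SYNCED = ("upn", "given_name", "surname")


def sync(ad_users: List[AdUser], cloud_dir: Dict[str, CloudUser],
         anchor: Callable[[AdUser], str]) -> Tuple[List[str], List[str]]:
    """Upsert AD users into cloud_dir, keyed by anchor(user).

    Returns (created, updated) lists of anchor values. Existing cloud objects
    only get their SYNCED attributes rewritten; the cloud password is never
    touched because it is not part of the synchronised attribute set.
    """
    created, updated = [], []
    for u in ad_users:
        key = anchor(u)
        existing = cloud_dir.get(key)
        if existing is None:
            cloud_dir[key] = CloudUser(u.object_guid, u.upn, u.given_name, u.surname)
            created.append(key)
            continue
        changed = False
        for attr in SYNCED:
            if getattr(existing, attr) != getattr(u, attr):
                setattr(existing, attr, getattr(u, attr))
                changed = True
        if changed:
            updated.append(key)
    return created, updated


def by_guid(u: AdUser) -> str:
    return u.object_guid


def by_upn(u: AdUser) -> str:
    return u.upn


def rename_scenario(anchor: Callable[[AdUser], str]) -> Tuple[int, bool, int, int]:
    """Sync, rename the user in AD (new surname and UPN), sync again.

    Returns (cloud objects, renamed user still has her cloud password,
    created on 2nd sync, updated on 2nd sync).
    """
    # Constructed sample user; the domain is the one used in the post.
    ad = [AdUser("5f1c0d2e-0000-4000-8000-000000000001",
                 "jsmith@plankytronixx.com", "Jane", "Smith")]
    cloud: Dict[str, CloudUser] = {}
    sync(ad, cloud, anchor)
    # After the first sync the administrator sets the password in the portal.
    next(iter(cloud.values())).cloud_password = "<set-in-portal>"
    # Rename in AD: every synced attribute except the ObjectGUID changes.
    ad[0].upn = "jjones@plankytronixx.com"
    ad[0].surname = "Jones"
    created, updated = sync(ad, cloud, anchor)
    has_pw = any(c.cloud_password for c in cloud.values()
                 if c.upn == "jjones@plankytronixx.com")
    return len(cloud), has_pw, len(created), len(updated)


if __name__ == "__main__":
    print("anchor=ObjectGUID:", rename_scenario(by_guid))  # one object, password kept
    print("anchor=UPN:      ", rename_scenario(by_upn))   # duplicate, no password
```

Anchoring on the ObjectGUID turns the rename into an update of the one existing cloud object, so the user keeps the password that was set in the portal. Anchoring on a mutable attribute such as the UPN turns the same rename into a brand-new cloud object with no password, while the old object lingers as an orphan that still has credentials, which is exactly the kind of stale account a defender has to go looking for.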

Read the complete article: Single-sign-on between on-premise apps, Windows Azure apps and Office 365 services (Plankytronixx, MSDN Blogs).

This post has matured and its content may no longer be relevant beyond historical reference.
