powerpoint presentationdownload.microsoft.com/documents/hk/technet/techdays2010/110317... ·...


Upload: voanh

Post on 10-May-2018


TRANSCRIPT

Microsoft Online IDs

End user sign-in experience

IT Administrator considerations

| Microsoft Confidential

[Architecture diagram; labels on the slide: Contoso customer premises, AD, IdP Directory Store, Active Directory Federation Server 2.0, Trust, Directory Sync, Federation Gateway, Service connector, Microsoft Online Services (MS Online), Provisioning platform, Authentication platform, IdP, Admin Portal, Lync™ Online, SharePoint® Online, Exchange Online.]


1. MS Online IDs

Appropriate for

• Smaller orgs without AD on-premise

Pros

• No servers required on-premise

Cons

• No SSO

• No 2FA

• 2 sets of credentials to manage with differing password policies

• IDs mastered in the cloud

2. MS Online IDs + DirSync

Appropriate for

• Medium/Large orgs with AD on-premise

Pros

• Users and groups mastered on-premise

• Enables co-existence scenarios

Cons

• No SSO

• No 2FA

• 2 sets of credentials to manage with differing password policies

• Server deployment required

3. Federated IDs + DirSync

Appropriate for

• Larger enterprise orgs with AD on-premise

Pros

• SSO with corporate credentials

• IDs mastered on-premise

• Password policy controlled on-premise

• 2FA solutions possible

• Enables co-existence scenarios

Cons

• High availability server deployments required


Small company

• Just provision users and GO!

• MOAC

• Everyone onboarded at once

• No retention of legacy mailbox data

• Pro: Easy to deploy, good for smaller organizations

• Con: Loss of old content

Small to medium-size company

• Provision users in bulk (Office 365 APIs)

• Pro: Easy to onboard a larger number of users

• Con: End-user satisfaction with missing data

• Con: No coexistence

Long-term coexistence

• Admin implements DirSync and DirSync provisions all users, groups, and contacts to MSO

• Pro: Identities managed on premises

• Pro: Includes coexistence

• Pro: Free/Busy coexistence

• Con: Requires an appliance on-premises as a long-term commitment.

DirSync should be viewed as a long-term commitment – the customer has chosen to enable identity coexistence and master their identities on premises

[Diagram: Microsoft Online Directory Service (MSO ID) on one side, AD FS and a DC in the On Premises AD Forest on the other; the domain is shown as "pending" after step 1 and "active" after step 3.]

(1) Run MSO Federation Config cmdlet:

• Add-MsolFederatedDomain -DomainName "contoso.com"

(domain state: pending)

(2) Create Domain Proof of Ownership DNS Record, e.g.

ms1234567.contoso.com > ps.microsoftonline.com

(3) Rerun MSO Federation Config cmdlet:

• Add-MsolFederatedDomain -DomainName "contoso.com"

*This verifies domain proof of ownership* (domain state: active)

(4) New Registered Domains propagate out to MSO ID

• MSO ID reserves the namespace as a "Federated Namespace"

• MSO ID sets the AD FS endpoint for the namespace to "https://adfs.contoso.com/adfs/ls/"

Namespace     Type       Endpoint
contoso.com   Federated  https://adfs.contoso.com
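A scripted version of the four registration steps above, followed by a check that the namespace ended up Federated with the intended AD FS endpoint. This is an added example, not code from the deck; it assumes the MSOnline PowerShell module and the slide's sample names contoso.com and adfs.contoso.com, and the ms1234567 verification label is a placeholder.

```powershell
# Added example (not from the slide deck): the four registration steps above, scripted,
# plus a check of the resulting namespace. Assumptions: MSOnline module installed;
# contoso.com / adfs.contoso.com are the slide's sample names; ms1234567 is a placeholder.
Import-Module MSOnline

$domain      = "contoso.com"
$adfsServer  = "adfs.contoso.com"
$expectedUri = "https://adfs.contoso.com/adfs/ls/"   # endpoint the slide says MSO ID sets

Connect-MsolService                         # prompts for the MSO administrator credential
Set-MsolADFSContext -Computer $adfsServer   # Add-MsolFederatedDomain configures the trust on this AD FS 2.0 server

# (1) First run registers the domain; it stays pending until ownership is proven.
Add-MsolFederatedDomain -DomainName $domain

# (2) Proof of ownership: the slide shows a CNAME ms1234567.contoso.com -> ps.microsoftonline.com.
#     Ask the service for the exact record, create it in the public zone, then wait until it resolves.
Get-MsolDomainVerificationDns -DomainName $domain -Mode DnsCnameRecord | Format-List
$verifyHost = "ms1234567.$domain"            # placeholder: use the label printed above
do {
    Start-Sleep -Seconds 60
    $cname = Resolve-DnsName -Name $verifyHost -Type CNAME -ErrorAction SilentlyContinue
} until ($cname -and $cname.NameHost -eq "ps.microsoftonline.com")

# (3) Second run: the service reads the CNAME, verifies ownership, and the domain becomes active.
Add-MsolFederatedDomain -DomainName $domain

# (4) Verify the propagated result. The passive endpoint is where users' browsers are sent
#     to enter AD credentials, so an unexpected value here is a sign-in security problem.
function Test-FederatedNamespace {
    param([string]$DomainName, [string]$ExpectedPassiveUri)
    $d   = Get-MsolDomain -DomainName $DomainName
    $fed = Get-MsolDomainFederationSettings -DomainName $DomainName
    $ok  = $true
    if ($d.Status -ne "Verified")          { Write-Warning "$DomainName status is $($d.Status)"; $ok = $false }
    if ($d.Authentication -ne "Federated") { Write-Warning "$DomainName is $($d.Authentication), not Federated"; $ok = $false }
    if ($fed.PassiveLogOnUri -ne $ExpectedPassiveUri) {
        Write-Warning "Passive endpoint is $($fed.PassiveLogOnUri), expected $ExpectedPassiveUri"
        $ok = $false
    }
    return $ok
}

if (-not (Test-FederatedNamespace -DomainName $domain -ExpectedPassiveUri $expectedUri)) {
    throw "Federated domain registration for $domain did not end in the expected state"
}
```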

Federated vs. Non-Federated Summary

Outlook 2010

Win 7 Vista/XP

Federated IDs,

domain joined

MS Online IDs

Outlook Web

Application

No prompt No prompt

Each session

ActiveSync®,

POP, IMAP, Entourage

Once at setup

No prompt

Outlook

2007

No prompt

Once at setup Each session Each session Each session

Outlook 2007

or 2010

Win 7

Online ID Online ID Online ID Online ID Online ID

AD credentials

Win 7/Vista/XP

No prompt

Each session

Office 2010, or

Office 2007 SP2 SharePoint Online

Online ID

AD credentials AD credentials AD credentials AD credentials AD credentials

Authentication flow (passive profile)

[Diagram; actors: Client (joined to CorpNet), Federation Gateway, AD FS 2.0 Server, Exchange Online or SharePoint Online, Active Directory; grouped into Customer and Microsoft Online Services.]

Authentication flow (active profile)

[Diagram; actors: Client (joined to CorpNet), Federation Gateway, AD FS 2.0 Server, Exchange Online, Active Directory; grouped into Customer and Microsoft Online Services.]

AD FS 2.0 Deployment Options

[Diagram; Enterprise network: Active Directory and several AD FS 2.0 Servers (a farm); Perimeter Network: AD FS 2.0 Server Proxies; an Internal user and an External user are shown, the external user reaching the proxies in the perimeter.]