Architecture diagram: Contoso customer premises (AD, Active Directory Federation Server 2.0 with a trust to the cloud, Admin Portal) and Microsoft Online Services (MS Online Directory Sync, Provisioning platform, Lync Online, SharePoint Online, Exchange Online, Federation Gateway, IdP Directory Store, Authentication platform IdP, Service connector).
8 | Microsoft Confidential
1. MS Online IDs
Appropriate for
• Smaller orgs without AD on-premise
Pros
• No servers required on-premise
Cons
• No SSO
• No 2FA
• 2 sets of credentials to manage with differing password policies
• IDs mastered in the cloud
2. MS Online IDs + DirSync
Appropriate for
• Medium/Large orgs with AD on-premise
Pros
• Users and groups mastered on-premise
• Enables co-existence scenarios
Cons
• No SSO
• No 2FA
• 2 sets of credentials to manage with differing password policies
• Server deployment required
3. Federated IDs + DirSync
Appropriate for
• Larger enterprise orgs with AD on-premise
Pros
• SSO with corporate cred
• IDs mastered on-premise
• Password policy controlled on-premise
• 2FA solutions possible
• Enables co-existence scenarios
Cons
• High availability server deployments required
Onboarding options

Small company
• Just provision users and GO!
• MOAC
• Everyone onboarded at once
• No retention of legacy mailbox data
• Pro: Easy to deploy, good for smaller organizations
• Con: Loss of old content

Small to medium-size company
• Provision users in bulk (Office 365 APIs)
• Pro: Easy to onboard a larger number of users
• Con: End-user satisfaction with missing data
• Con: No coexistence

Long-term coexistence
• Admin implements DirSync and DirSync provisions all users, groups, and contacts to MSO
• Pro: Identities managed on premises
• Pro: Includes coexistence
• Pro: Free/Busy coexistence
• Con: Requires an appliance on-premises as a long-term commitment.
DirSync should be viewed as a long-term commitment – the customer has chosen to
enable identity coexistence and master their identities on premises
Federated domain configuration (diagram: Microsoft Online Directory Service / MSO ID on one side, the on-premises AD forest with its DC and AD FS server on the other; the domain moves from "pending" to "active").

(1) Run the MSO federation config cmdlet:
    Add-MsolFederatedDomain -DomainName "contoso.com"
(2) Create the domain proof-of-ownership DNS record, e.g.
    ms1234567.contoso.com > ps.microsoftonline.com
(3) Rerun the MSO federation config cmdlet:
    Add-MsolFederatedDomain -DomainName "contoso.com"
    This verifies domain proof of ownership.
(4) New registered domains propagate out to MSO ID:
• MSO ID reserves the namespace as a "Federated Namespace"
• MSO ID sets the AD FS endpoint for the namespace to "https://adfs.contoso.com/adfs/ls/"

Namespace     Type        Endpoint
contoso.com   Federated   https://adfs.contoso.com
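The four steps above as a single script, added here as an example; it is not from the original deck and not Microsoft's own tooling. It assumes the MSOnline PowerShell module is installed, that the account used is a tenant administrator, that the AD FS 2.0 farm is reachable as adfs.contoso.com, and that $ExpectedThumbprint is filled in with the thumbprint of the farm's token-signing certificate (a placeholder here). After the second Add-MsolFederatedDomain run it reads back what MSO ID actually stored for the namespace and compares it with the expected passive endpoint and signing certificate, so a mis-typed endpoint or an unexpected certificate shows up as a MISMATCH instead of being trusted silently.

```powershell
# Added example (not from the original deck): configure contoso.com as a federated
# namespace with the MSOL cmdlets, then verify the settings MSO ID holds.
# Assumptions: MSOnline module installed, tenant admin credential, AD FS 2.0 farm at
# adfs.contoso.com, $ExpectedThumbprint replaced with the real signing-cert thumbprint.

Import-Module MSOnline
Connect-MsolService            # prompts for the tenant admin credential

$DomainName         = "contoso.com"
$AdfsHost           = "adfs.contoso.com"
$ExpectedPassiveUri = "https://$AdfsHost/adfs/ls/"
$ExpectedThumbprint = "PLACEHOLDER-TOKEN-SIGNING-CERT-THUMBPRINT"   # placeholder value

# Point the cmdlets at the AD FS 2.0 server whose federation metadata they will read.
Set-MsolADFSContext -Computer $AdfsHost

# Step (1): the first run registers the namespace; it stays "pending" until the
# proof-of-ownership record exists in DNS.
Add-MsolFederatedDomain -DomainName $DomainName

# Step (2): show the record the tenant must publish at its DNS provider, in the form
# the deck uses (label under contoso.com pointing at ps.microsoftonline.com).
Get-MsolDomainVerificationDns -DomainName $DomainName -Mode DnsCNameRecord

# Step (3): once the DNS record is resolvable, the second run verifies ownership and
# pushes the AD FS endpoints and token-signing certificate to MSO ID.
Add-MsolFederatedDomain -DomainName $DomainName

# Step (4): the namespace should now be Federated. Compare what MSO ID stored with
# what the farm is expected to publish, so configuration drift is caught.
$domain   = Get-MsolDomain -DomainName $DomainName
$settings = Get-MsolDomainFederationSettings -DomainName $DomainName

# SigningCertificate is returned as a base64 string; decode it to get the thumbprint.
$signingCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2(
    , [Convert]::FromBase64String($settings.SigningCertificate))

$checks = [ordered]@{
    "Namespace is Federated"          = ($domain.Authentication -eq "Federated")
    "Passive endpoint as expected"    = ($settings.PassiveLogOnUri -eq $ExpectedPassiveUri)
    "Issuer URI names the AD FS host" = ($settings.IssuerUri -like "*$AdfsHost*")
    "Signing cert thumbprint matches" = ($signingCert.Thumbprint -eq $ExpectedThumbprint)
}

foreach ($check in $checks.GetEnumerator()) {
    $state = if ($check.Value) { "OK" } else { "MISMATCH" }
    "{0,-34} {1}" -f $check.Key, $state
}
```

Run the script once per federated namespace; keeping the expected endpoint and thumbprint in version control and re-running only the step (4) block on a schedule gives a cheap check that the trust MSO ID relies on still points at the farm the organisation deployed.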
Federated vs. Non-Federated Summary (table): rows are "Federated IDs, domain joined" and "MS Online IDs"; columns are Outlook 2010 (Win 7 and Vista/XP), Outlook 2007 or 2010 (Win 7/Vista/XP), Outlook Web Application, ActiveSync/POP/IMAP/Entourage, and SharePoint Online (Office 2010 or Office 2007 SP2). Each cell gives the credential used (AD credentials for federated IDs, Online ID for MS Online IDs) and how often the user is prompted (No prompt, Once at setup, or Each session).
Authentication flow (passive profile): diagram with the Client (joined to CorpNet), Active Directory and the AD FS 2.0 Server on the customer side, and the Federation Gateway and Exchange Online or SharePoint Online on the Microsoft Online Services side.

Authentication flow (active profile): diagram with the Client (joined to CorpNet), Active Directory and the AD FS 2.0 Server on the customer side, and the Federation Gateway and Exchange Online on the Microsoft Online Services side.
AD FS 2.0 Deployment Options: diagram showing AD FS 2.0 Servers deployed in the enterprise network alongside Active Directory and serving internal users, with AD FS 2.0 Server Proxies deployed in the perimeter network serving external users.
http://onlinehelp.microsoft.com/en-us/office365-enterprises/ff637606.aspx