ADFS? Not so fast!

ADFS and its integration with Office 365


Active Directory Federation Services (ADFS) was introduced by Microsoft as a part of Windows 2003 R2 as a method to “link” two unlike Active Directory domains as a means to simplify access to systems and applications (for example, within a partner’s network/organization) through web-based services using Single-Sign On (SSO) technology.

Microsoft now offers it up as a means to accomplish the same SSO capabilities with Office 365.

I have been a part of many ADFS deployments with respect to Office 365, and I can say that it works quite well once it is up and running.  However, I feel that there are a lot more negatives or “cons” with an ADFS deployment, especially in comparison to other tools that are now available to similarly accomplish SSO, namely our Password Synchronization tool from MessageOps.

Here is a table that lists the PROs and CONs for ADFS and Office 365:

ADFS – PROs

  • Able to gain SSO capabilities between Office 365 and your on-premises AD environment.
  • Password management and password policies are all handled within the local/on-premises AD environment.

ADFS – CONs

  • Complex to set up.
  • Requires you to use/integrate Microsoft Active Directory Synchronization (MS DirSync).
  • Requires at least three (3) dedicated servers on-premises (two for ADFS and one for MS DirSync).
  • Requires at least five (5) dedicated servers on-premises for true High Availability (HA) and Fault Tolerance (FT) (four for ADFS and one for MS DirSync).
  • Requires the purchase of an SSL certificate.
  • The servers require regular maintenance and upkeep along with any other servers in your on-premises environment.

Most importantly,

  • Keeps a dependency on the integrity and availability of systems within the on-premises environment in order to sustain connectivity/communication with your email/messaging environment.

The last bullet point within the CONs section is the most significant.  Once ADFS is configured, online, and connected to your Office 365 tenant, it now becomes a permanent fixture in your messaging solution.

If a component of your ADFS environment is down/offline, your users WILL NOT be able to access their mailboxes (email/calendars/contacts, etc.).

What this means is that if the ADFS Proxy server is down or unavailable, then user authentication requests will not get passed down to the back-end ADFS server and subsequently not to the domain controllers, so users can’t log in.  Obviously, if the main back-end ADFS server (which houses the database) is down/offline, then users can’t log into the Office 365 environment (MS Outlook and OWA) either.

Isn’t one of the main reasons to move an email/messaging environment to the cloud to avoid or remove these on-premises dependencies?  When you deploy ADFS, you are essentially shifting the on-premises dependency from your on-premises Exchange/GroupWise/Lotus Notes servers to these ADFS servers.

I have also worked first-hand with customers that have experienced problems/issues with their ADFS servers, and they are “dead in the water” with regard to email until these servers get fixed/back online.  Now, keep in mind that even when ADFS is down, email is still being delivered to your users’ Inboxes, as ADFS does not affect mail flow (which obviously would be affected in the case of an on-premises email server crash); however, your phone and the phones of your IT staff colleagues will still be getting blown up by users who can’t get to their email.

Password Synchronization Tool:

So, if you are wondering how you can still achieve SSO without all of the CONs listed above and having a dependency on your on-premises environment, we at Champion/MessageOps have the solution for you.

Use this link that explains the Password Sync tool in more detail and all of the specs/requirements for it.

The most important thing about this tool is that if the Password Sync server encounters an issue, it DOES NOT affect users’ abilities to access their Office 365 mailboxes.
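To put numbers on the dependency argument above (the proxy → back-end ADFS → domain controller chain, the 3-server versus 5-server layouts, and the Password Sync case where sign-in does not traverse on-premises servers at all), here is a small availability model. It is an added example, not code from the original post or from MessageOps; the per-server availability figure and the number of domain controllers are assumptions, and the model ignores Office 365’s own availability.

```python
"""Availability model for the Office 365 sign-in dependency chain (constructed example)."""

# Roles an authentication request traverses, in order, when ADFS is in use.
# DirSync is deliberately absent: it syncs accounts but is not in the sign-in path.
ADFS_CHAIN = ("proxy", "adfs", "dc")

# With password synchronization, sign-in is validated by Office 365 itself,
# so no on-premises role sits in the chain.
PASSWORD_SYNC_CHAIN = ()


def login_possible(healthy, chain=ADFS_CHAIN):
    """True only if every role in the serial chain has at least one healthy server.

    `healthy` maps role -> number of servers currently up for that role.
    """
    return all(healthy.get(role, 0) >= 1 for role in chain)


def chain_availability(per_server, servers_per_role, chain=ADFS_CHAIN):
    """Probability that sign-in works, assuming independent server failures.

    A role with n servers is available unless all n are down: 1 - (1 - a)^n.
    The serial chain is available only if every role is, hence the product.
    """
    total = 1.0
    for role in chain:
        n = servers_per_role[role]
        total *= 1.0 - (1.0 - per_server) ** n
    return total


def downtime_minutes_per_year(availability):
    """Expected sign-in outage per year implied by an availability figure."""
    return (1.0 - availability) * 365 * 24 * 60


# Assumed per-server availability and layouts from the post:
# minimal ADFS = 1 proxy + 1 back-end; HA = 2 proxies + 2 back-ends.
# Two domain controllers is an assumption; the post does not state a count.
PER_SERVER = 0.99
MINIMAL = {"proxy": 1, "adfs": 1, "dc": 2}
HIGH_AVAILABILITY = {"proxy": 2, "adfs": 2, "dc": 2}

if __name__ == "__main__":
    for name, layout in (("minimal", MINIMAL), ("HA", HIGH_AVAILABILITY)):
        a = chain_availability(PER_SERVER, layout)
        print(f"{name}: {a:.6f} -> ~{downtime_minutes_per_year(a):.0f} min/year of sign-in outage")
    print("password sync:", chain_availability(PER_SERVER, {}, PASSWORD_SYNC_CHAIN))
    # A single proxy failure in the minimal layout blocks sign-in entirely:
    print("proxy down, minimal:", login_possible({"proxy": 0, "adfs": 1, "dc": 2}))
```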

Conclusion:

The bottom line is that you should seriously weigh all of your options before investing in ADFS to be a part of your Office 365 solution.  Especially for small and medium-sized organizations, the better option may be to either utilize a tool like Password Synchronization or perhaps not even go with an SSO solution at all.

...and that is Justin’s Tech Tip of the Week.