Kloud has helped many Australian businesses leverage Microsoft cloud services such as Office 365, Intune and Microsoft Azure and most have implemented Active Directory Federation Services (AD FS) to provide a highly available Single Sign-On (SSO) user experience. In mid-2013, the Windows Azure Active Directory Synchronization Tool was updated to support password synchronisation with Azure Active Directory, which provided an alternative way to leverage on-premises authored identities with Microsoft’s cloud services.
Password synchronisation is a feature of the Azure Active Directory Sync Tool that will synchronise the password hash from your on-premises Active Directory environment to the Azure Active Directory. In this scenario users are able to log into Office 365 using the same password as they use in the on-premises environment, similarly to when using AD FS, however unlike AD FS there is no automatic sign in capability so users will still be prompted to enter credentials on a domain joined device.
For those that have already deployed AD FS or indeed those that are intending to implement AD FS in the future, one of the least publicised feature improvements in the May 2014 update to Office 365 is support for using the password sync feature as a temporary fall-back option for the primary AD FS service and federated authentication.
Another scenario now supported is the ability to have some domains configured for Password Sync while others within the same tenant are enabled for Federated Authentication with AD FS.
Mixing Password Sync and Federated Authentication
It’s quite a common scenario across many Office 365 implementations that I’ve done for customers to have a primary brand and domain such as contoso.com where the majority of users reside and is configured for federated authentication with AD FS. Contoso also owns a subsidiary called Fabrikam and there is no requirement for federated authentication or single sign on.
Previously this scenario would mean that for users with a primary SMTP address of fabrikam.com would either have to maintain a separate password within the Office 365 tenant or have a sub-optimal login experience and be configured for sign in with a UserPrincipalName in the @contoso.com format.
The recent changes to Office 365 allow for the mixed use of federated and password sync enabled domains.
Password Sync as a Temporary Fall-Back for Active Directory Federation Services
A number of smaller organisations I’ve worked with have elected to use a single instance of AD FS, taking advantage of the Single Sign-On capabilities but not including any high availability or site resilience. The Azure Active Directory Synchronization Tool is already a core component of the AD FS infrastructure so enabling Password Sync to provide a backup solution for the Single Sign-On service makes a lot of sense – and it’s free!
If you haven’t already (and you really, really should), deploy the most recent version of the Dirsync tool and enable the Password Sync option when prompted in the Configuration Wizard. A good TechNet article describing the Password Synchronization feature and how to implement it can be found here.
How to Temporarily “Switch” from Federated Authentication to Synchronised Password
The fall-back option is not automatic and requires manual configuration. Federated authentication can be changed to synchronised password authentication on a per-domain basis in the event of an outage to the AD FS infrastructure.
Detailed steps are as follows:
- Run the Windows Azure Active Directory Module for Windows PowerShell as an Administrator
-
Run the following commands from the primary AD FS server:
- $Cred = Get-Credential
#Enter non-federated Office 365 administrator credentials when prompted - Connect-MsolService –Credential $Cred
- Convert-MsolDomainToStandard –DomainName <federated domain name> -SkipUserConversion $true -PasswordFile C:\Temp\passwordfile.txt
- $Cred = Get-Credential
-
Once the outage is over use the following command to convert the domain back to federated:
- Convert-MsolDomainToFederated –DomainName <federated domain name> -SupportMultipleDomains
- Convert-MsolDomainToFederated –DomainName <federated domain name> -SupportMultipleDomains
It is recommended that you do not change UserPrincipalNames or ImmutableIds after converting your domain to the managed state for users that have been switched to use synchronised passwords.
It is worth noting that switching between Federated Authentication and Synchronised Password Authenication for sign in to Office 365 is not instant and will likely interrupt service access. This may not be a factor in the initial activation (as it’s likely an outage scenario) however it is something to bear in mind when cutting services back to Federated Authentication.