Active Directory Federation Questions

Hey guys/gals
Just doing some research into switching onto AD FS and was wondering if you could tell me how the passwords work after the sync has finished. Is everyone stuck with two passwords or does it just switch EVERYONE over to their online login details (what they use for Lync, Outlook, 365 and so on)?
 
What are you connecting to with ADFS? Sounds from your description like you're using DirSync to sync your ground based accounts to an Office 365 instance?

With ADFS you don't strictly need to sync passwords or even user accounts, the idea is that you are setting up a trust relationship between two domains such that (in a ground/cloud relationship) if your ground AD authenticates a user, the cloud based directory accepts and honours that authentication without that user having to re-authenticate at the cloud layer. This works even if the user account does not exist at the cloud layer (in theory anyway). It's kinda like a Kerberos ticket that works out on the internet.

DirSync, if that's what you're using, is just a way of copying all your user accounts up to the cloud O365 instance so you don't have to use ADFS if you don't want. I don't think it copies passwords to the cloud accounts unless you install the Password Change Notification Service and configure it to send passwords to O365.
 
If you create a login in either system after DirSync then it will appear in the other.

The domain level passwords do not automatically activate when you create them, so you don't need to worry about licensing issues by creating AD users.

You need a separate machine to act as an upload to Office 365 from your domain and for the love of god make sure you do include a backup device. Failure to connect to your ADFS server will leave you without any ability to connect externally.
 