Monday, March 10, 2014

Moving from ADFS to Dirsync Password Hash!

I have already written a few posts on ADFS and DirSync. The most important is the comparison article "ADFS Vs Password Hash", where I referenced a TechTarget post by MVP Michael Van Horenbeeck that clearly explains how the two differ and how each functions, alongside my earlier posts on the two, which give you more insight into the products. Reading these will help you understand both and decide which one to use based on your requirements.

DirSync Password Hash is a new feature. Many organizations, even smaller ones, have had to deploy ADFS for Single Sign-On when all they really needed was access to O365 resources with a Same Sign-On experience: they have only a few users and do not depend on ADFS the way a larger enterprise does. Since DirSync Password Hash became available, some of these organizations have started thinking about enabling the feature and removing their ADFS servers. This is not an easy task, as it requires proper planning and implementation.

Today I saw an excellent post on the Office 365 Tip of the Day blog from renowned MVP Jethro Seghers. He clearly explains the detailed steps to move from ADFS to DirSync Password Hash, including the proper steps to convert the existing federated domain to non-federated, and provides a script that checks and converts all our user accounts to non-federated accounts. After that we can perform the remaining tasks of implementing DirSync Password Hash and remove the ADFS servers.


Additionally, check this Office 365 Community Blog post from Microsoft, which discusses the switch-over in more depth and provides references for getting it set up.

Switching from ADFS to using Password Hash Synchronization

It is also still possible to use the Set-MsolDomainAuthentication cmdlet to change the domain authentication between standard identity and single sign-on, but the method above is recommended.

In scenarios where your ADFS environment is completely unavailable, only the Set-MsolDomainAuthentication method above works; this is explained in detail in the article below.

Office 365 – Using Password Sync as a Backup to AD FS
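As an added example (not from the original post or any of the linked articles), the PowerShell sequence below shows the fallback path just described: inspecting the domain with the MSOnline module, switching it from Federated to Managed with Set-MsolDomainAuthentication, converting the affected users, and verifying the result. The domain name contoso.com and the interactive credential prompt are placeholders and assumptions, not values from the post.

```powershell
# Added example (not from the original post or any linked article): switch a
# federated Office 365 domain to standard (managed) authentication with the
# MSOnline module when the ADFS farm is unreachable, then verify the result.
# "contoso.com" is a placeholder domain name.
Import-Module MSOnline
Connect-MsolService   # prompts for a Global Administrator credential

$DomainName = 'contoso.com'

# Record the current state before changing anything.
$before = Get-MsolDomain -DomainName $DomainName
Write-Host ("Before: {0} is {1}" -f $before.Name, $before.Authentication)

if ($before.Authentication -eq 'Federated') {
    # This only updates the domain's authentication type in the cloud
    # directory; it does not contact ADFS, which is why it still works
    # when the federation servers are down.
    Set-MsolDomainAuthentication -DomainName $DomainName -Authentication Managed
}

# Users that were federated must be converted so they can sign in with a
# password. Convert-MsolFederatedUser returns a temporary password for each
# account; hand it to the user only through a secure channel.
Get-MsolUser -All |
    Where-Object { $_.UserPrincipalName -like "*@$DomainName" } |
    ForEach-Object {
        Convert-MsolFederatedUser -UserPrincipalName $_.UserPrincipalName
    }

# Verify that the domain is no longer federated before removing ADFS.
$after = Get-MsolDomain -DomainName $DomainName
if ($after.Authentication -ne 'Managed') {
    throw "Domain $DomainName is still reported as $($after.Authentication)"
}
Write-Host ("After: {0} is {1}" -f $after.Name, $after.Authentication)
```

Once DirSync Password Hash is synchronising, the on-premises password replaces the temporary one returned by Convert-MsolFederatedUser.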

*There are certain gotchas to watch out for once you move to DirSync Password Hash. Knowing them will help you manage your environment with ease without compromising information security; to learn more, read the excellent post below from Perficient.

Office 365 – DirSync Password Sync: Did You Know?

Security plays a major role when you sync passwords, and the post below from Cogmotive explains in detail how secure the DirSync Password Hash feature is.

How Secure is DirSync with Password Synchronisation?

Also read the post below on encryption limitations.

AAD Password Sync, Encryption and FIPS compliance 

Also, as a future plan, the Microsoft team is working on making both of these features work hand in hand for Disaster Recovery scenarios. I got this update from the latest Office365 FM podcast, where Microsoft Senior Program Manager Jono Luk provided insight on this; you can check my earlier post "Microsoft Future RoadMap for Identity and Access Management with O365" for more details.


As stated above, the Microsoft team has now made Password Hash work as a backup for ADFS to provide a highly available Single Sign-On infrastructure. The TechNet Wiki post below has been updated to reflect this, along with other recent enhancements, and gives step-by-step walk-through instructions covering the various key scenarios.

Check here: DirSync: How To Switch From Single Sign-On To Password Sync

In scenarios where the ADFS infrastructure is completely down and no connectivity is possible between the ADFS environment and MSOL, the Set-MsolDomainAuthentication method is the only reliable one; this is discussed and explained in the comments section of the Wiki post above.

This really makes us feel that Microsoft is doing a great deal of homework in analyzing possible ways of providing the highly available service they promised, which encourages customers to adopt the service and consistently have a better support experience.
