Digital White Papers

O365

publication of the International Legal Technology Association

Issue link: https://epubs.iltanet.org/i/914682


17 WWW.ILTANET.ORG | ILTA WHITE PAPER OFFICE 365

Staying in Sync: How to Choose an Office 365 Authentication Method

Authentication Options

There are two ways to synchronize.

All Azure AD accounts are classified as either "in cloud" or "synced" with Active Directory.

Keep It Simple: Password Synchronization with Azure AD Connect

The simplest and least expensive authentication method is to synchronize your passwords with Office 365 using the Azure AD Connect tool that already synchronizes your identities. This method is often referred to as password synchronization, but you never actually synchronize your passwords with Office 365. Instead, you are synchronizing a PBKDF2 key derived from an irreversible salted SHA-256 hash of the MD4 hash of your password. The transmission of this hash is always performed over an encrypted SSL connection. The same process is used to hash your password when you log into Office 365, and the hashes are compared to authenticate users.

While the solution is easy and secure, it has its disadvantages. First, this is not a true "single sign-on" solution but rather a "same sign-on" solution, meaning that even on a domain-joined machine you will need to authenticate with Office 365 resources separately, as you cannot use Windows Integrated Authentication. You can check the box that says "Remember my password," but this will cause the user experience to differ from how it was when resources were local. Some users may find it jarring, and frequent calls to the help desk may ensue.

Next, Azure AD Connect can automatically sync on-premises AD accounts to the cloud only as frequently as every thirty minutes, meaning that a user whose account is disabled may still access Office 365 resources for up to half an hour. Password updates, however, are synced immediately, so users will not need to wait that long after changing their passwords to log in with their new credentials.

There are also certain features and levels of granularity that password synchronization does not offer, such as user logon time restrictions. And while Azure's cloud multi-factor authentication (MFA) solution integrates with this topology, certain conditional access features (especially for legacy Windows clients) and third-party MFA providers will only work with ADFS.

Another issue is that there is no true high availability for password sync. You can have only a single server running Azure AD Connect in synchronization mode. If this server fails, all synchronization to Azure AD will fail and user data could become stale. Users will not be restricted from logging in, but may find that properties are not updated: if they changed their password on-premises, the old password would still be required for cloud resources; newly added accounts would not sync to the cloud; and accounts disabled on-premises would continue to function in the cloud until synchronization was restored. You can set up an additional Azure AD Connect server in staging mode, but it would require manual administrative intervention to replace the problematic server.

Finally, if your organization has security or compliance guidelines that restrict the use of password synchronization, even with only double-hashed values being stored, or if there is a requirement that authentication take place on-premises, then this method will not work for you.

ADFS: True Single Sign-On

If password synchronization does not meet your requirements or adhere to your organization's compliance guidelines, or if you already have the required infrastructure components in place, true single sign-on with ADFS may suit your needs better.

With ADFS, your authentication request is serviced by a domain controller on your
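The password synchronization section above describes what actually crosses the wire: not the password, but a PBKDF2 key derived from a salted SHA-256 of the MD4 (NT) hash, with the cloud side recomputing the same value at sign-in and comparing. The following Python is an added worked model of that pipeline; it is not Microsoft's agent code and not part of the white paper. The salt length (10 bytes), the iteration count (1000) and the hex/UTF-16 expansion of the NT hash are assumptions taken from Microsoft's public description of the feature, not figures this page states. MD4 is implemented in pure Python because many OpenSSL 3 builds disable it in hashlib.

```python
"""Model of Azure AD Connect password hash synchronization.

Added example, not Microsoft's agent code. SALT_LEN, ITERATIONS and the
hex/UTF-16 expansion of the NT hash are assumed parameters; the white paper
only states the shape: PBKDF2 over a salted SHA-256 of the MD4 hash.
"""
import hashlib
import hmac
import os
import struct
from typing import Optional

MASK32 = 0xFFFFFFFF


def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320), used because hashlib's md4 is often unavailable."""
    def rotl(x, n):
        return ((x << n) | (x >> (32 - n))) & MASK32

    def f(x, y, z):
        return (x & y) | (~x & z)

    def g(x, y, z):
        return (x & y) | (x & z) | (y & z)

    def h(x, y, z):
        return x ^ y ^ z

    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    msg = data + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", len(data) * 8)  # bit length, little-endian

    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = state
        for i in range(16):  # round 1
            a, b, c, d = d, rotl((a + f(b, c, d) + x[i]) & MASK32, (3, 7, 11, 19)[i % 4]), b, c
        for i in range(16):  # round 2
            k = (i % 4) * 4 + i // 4
            a, b, c, d = d, rotl((a + g(b, c, d) + x[k] + 0x5A827999) & MASK32, (3, 5, 9, 13)[i % 4]), b, c
        for i, k in enumerate((0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)):  # round 3
            a, b, c, d = d, rotl((a + h(b, c, d) + x[k] + 0x6ED9EBA1) & MASK32, (3, 9, 11, 15)[i % 4]), b, c
        state = [(s + v) & MASK32 for s, v in zip(state, (a, b, c, d))]
    return struct.pack("<4I", *state)


def nt_hash(password: str) -> bytes:
    """Windows NT hash: MD4 over the UTF-16LE encoding of the password."""
    return md4(password.encode("utf-16-le"))


# Assumed parameters (see module docstring), not figures from the white paper.
SALT_LEN = 10
ITERATIONS = 1000


def derive_sync_value(nt: bytes, salt: bytes) -> bytes:
    """What the agent uploads: PBKDF2-HMAC-SHA256 (an iterated, salted SHA-256)
    over the hex-expanded NT hash. One-way, so the stored value cannot be
    replayed against on-premises Active Directory."""
    expanded = nt.hex().encode("utf-16-le")  # 16 bytes -> 32 hex chars -> 64 bytes
    return hashlib.pbkdf2_hmac("sha256", expanded, salt, ITERATIONS, dklen=32)


def enroll(password: str, salt: Optional[bytes] = None) -> dict:
    """On-premises side: the per-user record that gets synchronized.
    Neither the password nor the raw NT hash leaves the domain."""
    salt = os.urandom(SALT_LEN) if salt is None else salt
    return {"salt": salt, "key": derive_sync_value(nt_hash(password), salt)}


def cloud_verify(record: dict, attempt: str) -> bool:
    """Cloud side: rerun the same derivation with the stored salt and compare
    in constant time. A record that has not been re-synced after an
    on-premises password change still validates only the old password."""
    candidate = derive_sync_value(nt_hash(attempt), record["salt"])
    return hmac.compare_digest(candidate, record["key"])


if __name__ == "__main__":
    rec = enroll("Correct-Horse-42")  # constructed sample password
    print("stored key:", rec["key"].hex())
    print("login with current password:", cloud_verify(rec, "Correct-Horse-42"))
    print("login after un-synced change:", cloud_verify(rec, "New-Passw0rd"))
```

The last two prints show the stale-record behaviour the text describes: until the record is re-synced, the cloud accepts the old password and rejects the new one.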
