Digital White Papers

O365

publication of the International Legal Technology Association

Issue link: https://epubs.iltanet.org/i/914682


18 WWW.ILTANET.ORG | ILTA WHITE PAPER OFFICE 365

Staying in Sync: How to Choose an Office 365 Authentication Method

network. Office 365 is configured for federated authentication and will refer you to your organization's ADFS when a user connects to an Office 365 resource. ADFS will verify your password and issue a SAML token to Office 365, completing the sign-in process. Because you are being referred to your on-premises infrastructure, there is no requirement to store the password hash in Azure AD.

In contrast to password synchronization, this is a true single sign-on solution. The credentials used to log into a domain-joined workstation are passed to the application, so no additional credentials are needed. Users are authenticated against the local Active Directory, and settings within AD are honored. When an account is disabled, access is immediately restricted. Further, ADFS offers several features that are not available with password synchronization. You can, for instance, restrict access to Office 365 resources to domain-joined machines without needing to register clients in Azure AD. You can integrate with an array of MFA providers or restrict access to Office 365 resources based on location.

There are, however, downsides to using ADFS. First, because you are being referred to your ADFS infrastructure, your access to Office 365 is predicated on that infrastructure functioning correctly. If ADFS fails, so does your organization's access to Office 365. To combat this, it is highly recommended that you deploy ADFS in a resilient topology that includes local high availability and site resiliency, which leads to the second issue with ADFS. A highly available ADFS infrastructure will require at least two ADFS servers and two web application proxies, with load balancers in front of both sets of components. Depending on your organization's needs, this architecture may need to be replicated at a second location to provide site resiliency.

There will be administrative overhead in addition to the server resources (power, Windows licenses, CPU, RAM, etc.). ADFS can be somewhat tricky to configure properly and difficult to troubleshoot should issues arise. Implementation of some of ADFS's more advanced features may require a different skill set than your IT staff possesses.

If your organization is deploying ADFS to leverage the more advanced feature set it provides and has no security or compliance issues with password synchronization, you can use password synchronization as a backup. In this topology, Azure AD Connect is configured to synchronize password hashes. If an ADFS failure occurs, an administrator can switch the Azure AD tenant from managed authentication to federated authentication. The more advanced features provided through federation would not be available, but users could access their resources until ADFS is fixed. If you are using a third-party MFA provider, that integration would also break, so be sure that you fully understand the implications and how they match up to your security and compliance needs.

The Future Option: Pass-Through Authentication

A few months ago the story would have ended here, but Microsoft is ready to provide an additional topology. Pass-through authentication provides a true single sign-on experience similar to ADFS without the need for the additional infrastructure. With pass-through authentication, usernames and public-key-encrypted passwords are placed in a queue when users log in. An on-premises agent makes an outbound request to the queue to retrieve credentials that are ready for authentication. Using its private key,

As time goes on and Microsoft forces you to update your clients to versions that support ADAL, all signs point to modern authentication becoming the default standard for any firm that does not already have ADFS.
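The pass-through authentication flow described above, modeled as an added example that is not part of the white paper or of Microsoft's own agent code. Everything here is constructed for illustration: the cloud side holds only the agent's RSA public key and a queue, the password is encrypted with RSA-OAEP before it is queued (so the queue never holds plaintext), and the on-premises agent pulls a request outbound, decrypts it with its private key, and validates it against a stand-in directory that honors the disabled flag. The `directory`, `cloud` and `agent` types, the salted-SHA-256 password store and the use of the username as the OAEP label are all assumptions of this example, not details of the product.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/subtle"
	"errors"
	"fmt"
)

// user is a constructed stand-in for an on-premises AD account.
type user struct {
	salt     []byte
	hash     [32]byte
	disabled bool
}

// directory is a constructed stand-in for on-premises Active Directory.
type directory map[string]user

func newUser(password string, disabled bool) user {
	salt := make([]byte, 16)
	rand.Read(salt)
	h := sha256.Sum256(append(append([]byte{}, salt...), password...))
	return user{salt: salt, hash: h, disabled: disabled}
}

// validate checks a password the way the directory would: a disabled account
// is rejected before the password is even compared.
func (d directory) validate(name, password string) (bool, error) {
	u, ok := d[name]
	if !ok {
		return false, errors.New("no such user")
	}
	if u.disabled {
		return false, errors.New("account disabled")
	}
	h := sha256.Sum256(append(append([]byte{}, u.salt...), password...))
	return subtle.ConstantTimeCompare(h[:], u.hash[:]) == 1, nil
}

// request is what the cloud queue stores: the username and the password
// encrypted to the agent's public key. The plaintext never appears here.
type request struct {
	id       int
	username string
	encPass  []byte
}

// cloud models the Azure AD side: it knows only the agent's public key.
type cloud struct {
	agentPub *rsa.PublicKey
	queue    []request
	results  map[int]bool
	nextID   int
}

func newCloud(pub *rsa.PublicKey) *cloud {
	return &cloud{agentPub: pub, results: map[int]bool{}}
}

// signIn is called when a user submits credentials. The password is encrypted
// with RSA-OAEP (username as label, binding ciphertext to account) and queued.
func (c *cloud) signIn(username, password string) (int, error) {
	enc, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, c.agentPub, []byte(password), []byte(username))
	if err != nil {
		return 0, err
	}
	c.nextID++
	c.queue = append(c.queue, request{id: c.nextID, username: username, encPass: enc})
	return c.nextID, nil
}

// dequeue hands the next pending request to a polling agent.
func (c *cloud) dequeue() (request, bool) {
	if len(c.queue) == 0 {
		return request{}, false
	}
	r := c.queue[0]
	c.queue = c.queue[1:]
	return r, true
}

// agent models the on-premises agent: it holds the private key and can reach AD.
type agent struct {
	key *rsa.PrivateKey
	dir directory
}

func newAgent(dir directory) (*agent, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	return &agent{key: key, dir: dir}, nil
}

// poll makes one outbound pull: decrypt, validate against the directory,
// and report only a yes/no result back to the cloud. Returns false if idle.
func (a *agent) poll(c *cloud) (bool, error) {
	r, ok := c.dequeue()
	if !ok {
		return false, nil
	}
	pass, err := rsa.DecryptOAEP(sha256.New(), nil, a.key, r.encPass, []byte(r.username))
	if err != nil {
		c.results[r.id] = false
		return true, err
	}
	valid, err := a.dir.validate(r.username, string(pass))
	c.results[r.id] = valid && err == nil
	return true, err
}

func main() {
	dir := directory{"alice": newUser("correct horse", false), "bob": newUser("battery", true)}
	ag, _ := newAgent(dir)
	c := newCloud(&ag.key.PublicKey)
	id, _ := c.signIn("alice", "correct horse")
	ag.poll(c)
	fmt.Println("alice signed in:", c.results[id])
}
```

Note that the cloud side stores no password hash and receives only the verdict; the agent holds the key and initiates every connection outbound, which is why no inbound firewall rules or web application proxies are needed in this topology.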
