ADFS vs DirSync with Password Sync: The User Experience

I promised to do a comparison and pro/con of using ADFS with Single Sign-On (SSO) versus the (at the time) newly released Password Sync in the new DirSync tool. Well, finally here it is, with thanks to a fellow co-worker, JC Warner, for developing the table below based on research and his experience using both. JC also used the following Microsoft white paper: “Office365-Single Sign-On-with-AD-FS2.0-v1.0a”.

So here is the Table that compares the end user experience using ADFS and DirSync with Password Sync enabled:

| Access Method | ADFS | DirSync w/ Password Sync | Verdict |
|---|---|---|---|
| Outlook 2010/2013 | Prompted for credentials on first connection (and at each password change), with checkbox to remember them | Prompted for credentials on first connection (and at each password change), with checkbox to remember them | Draw, both have the same experience |
| ActiveSync, POP, IMAP | Prompted for credentials on first connection (and at each password change), with checkbox to remember them | Prompted for credentials on first connection (and at each password change), with checkbox to remember them | Draw, both have the same experience |
| MS Online Portal, SharePoint Online, Office Web Apps | Internal: pop-up offers a click to sign in, no credentials required (external: forms-based prompt) | Prompted for credentials on first connection (and at each password change), with checkbox to remember them | Better experience for ADFS while internal to the company network, draw when external |
| OWA | Internal: seamless (external: forms-based prompt) | Prompted for credentials on first connection (and at each password change), with checkbox to remember them | Better experience for ADFS while internal to the company network, draw when external |
| Lync 2010/2013 | Seamless (with the Sign-in Assistant installed for Lync 2010) | Prompted for credentials on first connection (and at each password change), with checkbox to remember them | Better experience for ADFS |

As the table above shows, when the user is internal to the company network ADFS offers the better end-user experience overall. But when you take into account the additional administrative and server overhead needed to implement ADFS and SSO, I would still recommend Password Sync to a company. This is especially relevant to small companies that are moving to Office 365 to remove on-premises servers and resources from their environment. The caveat would be a company that already has ADFS deployed for another reason, such as federation with a partner or another SaaS provider; in that case using ADFS for Office 365 makes sense.

I will always lead with Password Sync over ADFS and SSO. I just think that with the cloud movement, removing the reliance on on-premises infrastructure for authentication is the right move. With Password Sync, companies can reduce the server footprint on-premises and ensure that if the on-premises infrastructure goes dark, users can still authenticate to and access Office 365 resources.

DirSync Update: it can be installed on a Domain Controller

Since the beginning of Office 365 we have had DirSync, a lightweight FIM (Forefront Identity Manager) installation that syncs your users, groups and contacts to Windows Azure Active Directory.

The first version only did synchronization. After a while, filtering on OU, domain and attribute became supported. In June 2013 we received DirSync with password synchronization. But DirSync still had to be installed on a separate, domain-joined server; it could not be installed on a Domain Controller.

Well, that issue has been solved too. In this new version you are allowed to install it on a Domain Controller, at this time for ‘development purposes’, as also stated in the Best Practices for the Windows Azure Active Directory Sync Tool: http://social.technet.microsoft.com/wiki/contents/articles/17370.best-practices-for-deploying-and-managing-the-windows-azure-active-directory-sync-tool.aspx#A11

Read more on: http://social.technet.microsoft.com/wiki/contents/articles/18429.windows-azure-active-directory-sync-tool-version-release-history.aspx

Download the new version on: http://go.microsoft.com/fwlink/?LinkID=278924