Friday, April 1, 2011

Active Directory Federation Services (ADFS) 2.0 with Office 365: Part 1 – Planning

This post looks at what ADFS is, what the environmental requirements are, and how to configure it with Office 365. Note: this post is based on the Office 365 Beta for Enterprises. The post is split into the following two parts:

Office 365 supports identity federation which allows true single sign-on capabilities. This is achieved through Active Directory Federation Services (ADFS) 2.0. With identity federation, users can enter their Active Directory credentials to access Office 365 services.

An ADFS 2.0 solution consists of the following components:

  • ADFS server(s) (internal network joined to AD forest)
  • ADFS Proxy Server(s) (perimeter network used to support remote users)


There are three basic ADFS 2.0 deployment options for Office 365 with differing levels of access and availability:

  1. Single server configuration
  2. ADFS 2.0 server farm and load-balancer
  3. ADFS 2.0 Proxy server(s) for offsite users

Benefits of implementing ADFS:

  • Improves user productivity by enabling true single sign-on to domain joined computers
  • Reduces usability issues by allowing users to use AD credentials to access all Office 365 services and not have to remember two identities and two passwords
  • Allows administrators the ability to enforce the organization’s password policies and account restrictions in both the on-premises and cloud-based organizations
  • Increases security of AD credentials since passwords are never synced to the cloud, all authentication happens on-premises
  • Reduces overall administration time and costs associated due to the above points

The following are the different sign-on experiences when using Federated Identity, depending on the user's location and the state of the computer:

| Environment | Sign-in Experience |
|---|---|
| Outlook 2010 on Windows 7 | No prompt*** |
| Outlook 2007 on Windows 7 | Sign in each session* |
| Outlook 2010/2007 on Windows Vista or XP | Sign in each session** |
| Exchange ActiveSync | Sign in each session** |
| POP, IMAP | Sign in each session** |
| Web experiences: Office 365 Portal, Outlook Web App, SharePoint Online, Office Web Apps | No prompt |
| Office 2010/2007 using SharePoint Online | No prompt |
| Lync Online | No prompt |
| Outlook for Mac 2011 | Sign in each session** |

* – Outlook 2007 will be updated after Office 365 becomes generally available to give the same experience as Outlook 2010 on Windows 7

** – When first prompted, you can save your password for future use. You will not receive another prompt until you change the password

*** – During the beta period, you will be prompted when first accessing the services

The authentication mechanism used by each application when using Federated Identity:

| Application | Authentication Mechanism |
|---|---|
| Web browser | Web sign in, WS-Trust and WS-Federation (ADFS 2.0) |
| Outlook 2010 on Windows 7 | Web sign in, WS-Trust and WS-Federation (ADFS 2.0) |
| Outlook 2007 on Windows 7 | Basic over SSL, authenticated via the ADFS 2.0 proxy |
| Outlook 2010/2007 on Windows Vista and XP | Basic over SSL, authenticated via the ADFS 2.0 proxy |
| Exchange ActiveSync | Basic over SSL, authenticated via the ADFS 2.0 proxy |
| POP/IMAP/SMTP client | Basic over SSL, authenticated via the ADFS 2.0 proxy |
| Lync Online | Web sign in, WS-Trust and WS-Federation (ADFS 2.0) |

Note that Outlook 2007 is planned to be backported to support WS-Trust and WS-Federation after the beta period.

Two-factor authentication can be achieved for Office 365. The Office 365 Beta Identity Service Description describes the requirements.

The following are requirements of ADFS 2.0:

  • Microsoft Online Services Directory Synchronization tool (DirSync) is installed
  • ADFS servers must have Windows 2008 or Windows 2008 R2 Server operating system installed
  • Client computers must be running the latest updates of Windows 7, Windows Vista, or Windows XP (running the Office 365 Desktop Setup from the Office 365 portal will automatically install necessary updates)
  • Public SSL certificate to secure traffic associated with ADFS
  • Microsoft Online Services Identity Federation Management Tool to establish trust with Office 365

Capacity Planning

When identity federation is enabled and configured in Office 365, there is no fall-back to a different form of authentication if the ADFS servers fail. This means that if the ADFS servers are not available, users will not be able to authenticate to Office 365 at all. It is therefore very important to configure a highly available ADFS solution using multiple servers and hardware or software load balancing. It is equally critical to implement a monitoring solution for the ADFS servers, covering both the internal ADFS servers and the ADFS proxy servers.
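As an added example of the kind of monitoring check meant here (it is not part of the original post), the script below probes each ADFS server and proxy for the ADFS 2.0 federation metadata document and fails if any node does not answer with metadata for the farm's own federation service. The federation service name and the node host names are assumptions.

```powershell
# Added example, not from the original post: probe each ADFS server and proxy
# for the ADFS 2.0 federation metadata document and fail if any node is down.
# The federation service name and node host names below are assumptions.
$FederationServiceName = 'sts.example.com'          # assumed farm/service name
$Nodes = 'adfs01.corp.example.com', 'adfs02.corp.example.com', 'adfsproxy01.example.com'
$MetadataPath = '/FederationMetadata/2007-06/FederationMetadata.xml'

# Nodes are probed by their own names, so the SSL certificate (issued to the
# federation service name) will not match the host name. Tolerate ONLY that
# mismatch, and only when the certificate really is the service certificate;
# any chain or trust error still fails the check.
[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {
    param($sender, $cert, $chain, $errors)
    $nameMismatch = [int][System.Net.Security.SslPolicyErrors]::RemoteCertificateNameMismatch
    $otherErrors  = ([int]$errors) -band (-bnot $nameMismatch)
    ($otherErrors -eq 0) -and ($cert.Subject -match "CN=$([regex]::Escape($FederationServiceName))")
}

function Test-AdfsNode {
    param([string]$NodeName)
    $sw = [System.Diagnostics.Stopwatch]::StartNew()
    $result = New-Object PSObject -Property @{ Node = $NodeName; Healthy = $false; Milliseconds = 0; Detail = '' }
    try {
        $doc = New-Object System.Xml.XmlDocument
        $doc.Load("https://$NodeName$MetadataPath")      # downloads and parses over HTTPS
        $entityId = $doc.DocumentElement.GetAttribute('entityID')
        # Healthy only if the node answers with metadata for OUR federation service
        $result.Healthy = $entityId -like "*$FederationServiceName*"
        $result.Detail  = $entityId
    } catch {
        $result.Detail = $_.Exception.Message
    }
    $result.Milliseconds = $sw.ElapsedMilliseconds
    $result
}

$results = $Nodes | ForEach-Object { Test-AdfsNode $_ }
$results | Format-Table Node, Healthy, Milliseconds, Detail -AutoSize

# With federation on, Office 365 has no fallback authentication: a dead farm
# means no sign-ins, so surface any unhealthy node to the monitoring system.
$down = @($results | Where-Object { -not $_.Healthy })
if ($down.Count -gt 0) {
    Write-Warning ("ADFS nodes unhealthy: " + (($down | ForEach-Object { $_.Node }) -join ', '))
    exit 1
}
```

Run it from a host that can reach both the internal servers and the perimeter proxies; the non-zero exit code is what a scheduler or monitoring agent should alert on.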

Namespace Planning

ADFS currently only allows one namespace per ADFS farm/instance. If your company will support multiple namespaces for authentication, you will need to implement a separate ADFS infrastructure for each. Only internet-routable domains that have been validated within Office 365 can be used in an ADFS deployment. If your organization uses a non-routable domain for the AD infrastructure (such as .local, .priv, etc.), you will need to add a UserPrincipalName (UPN) suffix in AD and configure each user with that UPN suffix (discussed in Part 2).
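As an added illustration of the UPN suffix step (this is not the post's own procedure from Part 2), the script below adds a routable suffix to the forest, moves enabled users in an OU from the internal suffix onto it, and then reports anyone still carrying the non-routable suffix. The domain names and OU path are assumptions.

```powershell
# Added example, not from the original post: add a routable UPN suffix to the
# forest, move federating users onto it, and report anyone left behind.
# Domain names and the OU path are assumptions.
Import-Module ActiveDirectory                  # RSAT / Windows Server 2008 R2 module

$RoutableSuffix = 'example.com'                # assumed: domain verified in Office 365
$NonRoutable    = 'corp.local'                 # assumed: internal AD DNS name
$SearchBase     = 'OU=Users,DC=corp,DC=local'  # assumed: where federated users live

# 1. Register the routable suffix at the forest level if it is not there yet.
$forest = Get-ADForest
if ($forest.UPNSuffixes -notcontains $RoutableSuffix) {
    Set-ADForest -Identity $forest.Name -UPNSuffixes @{ Add = $RoutableSuffix }
}

# 2. Rewrite the UPN of each enabled user not yet on the routable suffix,
#    keeping the left-hand part so the name users sign in with is unchanged.
function Update-UserUpn {
    param($User)
    $prefix = ($User.UserPrincipalName -split '@')[0]
    if (-not $prefix) { $prefix = $User.SamAccountName }   # users with no UPN at all
    $newUpn = "$prefix@$RoutableSuffix"
    Set-ADUser -Identity $User -UserPrincipalName $newUpn
    $newUpn
}

$candidates = Get-ADUser -Filter "Enabled -eq 'True'" -SearchBase $SearchBase -Properties UserPrincipalName |
    Where-Object { $_.UserPrincipalName -notlike "*@$RoutableSuffix" }

foreach ($u in $candidates) {
    Write-Host ("{0,-20} {1} -> {2}" -f $u.SamAccountName, $u.UserPrincipalName, (Update-UserUpn $u))
}

# 3. Verification: federation only works for UPNs in a verified, routable domain,
#    so any enabled user still on the internal suffix will fail to sign in to Office 365.
$left = @(Get-ADUser -Filter "Enabled -eq 'True' -and UserPrincipalName -like '*@$NonRoutable'" -SearchBase $SearchBase)
if ($left.Count -gt 0) {
    Write-Warning ("{0} enabled users still use @{1}" -f $left.Count, $NonRoutable)
}
```

Test it on a small OU first; the UPN change is what DirSync will carry to Office 365, so it must be in place before the federation trust is established.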


Part 1 of this post introduced ADFS 2.0 in relation to Office 365 and discussed the environmental requirements for implementing it. Part 2 will walk through the configuration of ADFS 2.0 and Office 365.



  1. statement on "Outlook 2010 on Windows 7" is no longer correct, even after GA you have to sign in each session

  2. Could someone confirm this please?

  3. Why not place the entire AD and ADFS with SQL backend as well in the cloud using in Azure and SQL Azure?

    1. How do you then utilise that for logging into desktop machines?

  4. I need to authenticate to o365 and I can authenticate using ADFS 2.0. What I was wondering is if I can authenticate without a password.

    If I am reading it properly from the contexts I can. I assume that I can do authentication with X509 but I have not seen any examples or any information on how to use it.

