
Is Password Sync better than AD FS for Office 365 identity management?

Can DirSync's Password Synchronization feature compete with AD FS for Office 365 identity management?

Exchange admins have a couple of choices when it comes to Office 365 identity management. In the Password Synchronization versus AD FS battle, which tool will come out on top for your needs?

Last year, Microsoft updated its Windows Azure Active Directory synchronization tool, or DirSync, which included a feature called Password Synchronization that helps organizations synchronize end users' passwords. Before the update, however, Active Directory Federation Services (AD FS) was the only option for Office 365 end users to access services with their on-premises passwords.

To help decide which password sync feature is the better fit, let's take a closer look at each option and compare the Password Synchronization feature in DirSync with AD FS.

The differences between Password Sync and AD FS

Before delving into the specifics of Password Synchronization, it's important to understand its key differences from AD FS. Comparing the Password Sync feature to AD FS on a technical level would be like comparing apples and oranges. Both tools deliver similar end-user experiences. For example, end users can access Office 365 services with their on-premises password.

But AD FS works in an entirely different way from password synchronization. The best way to illustrate this difference is to walk through the log-on process for each option.

Consider a scenario in which an end user logs in to the Office 365 portal. If an account is federated and uses AD FS, the following happens:

  1. The user types his username (User Principal Name) into the username field.
  2. As soon as the username is typed, Office 365 will check whether the domain name derived from the User Principal Name is a regular or federated domain.
  3. The authentication platform, Windows Azure, finds that the domain is federated and will redirect the user's browser to their AD FS endpoint to "fetch" an AD FS token.
  4. The user authenticates against the AD FS server, which is validated against Active Directory, and receives a logon token from AD FS if the credentials are valid. The end user is redirected to the Office 365 authentication platform.
  5. The Windows Azure authentication platform will now accept the AD FS token and use that to authenticate the end user.
  6. The end user is authenticated and redirected to the portal.

The process is different for the Password Sync feature. The key difference in these scenarios is that when AD FS is used, the on-premises Active Directory is the identity provider and validates the credentials. Unlike AD FS, Windows Azure is the identity provider in password sync, as it validates the user's credentials against the values known in its database.

  1. The user types his username (User Principal Name) into the username field.
  2. As soon as the username is typed in, Office 365 will check whether the domain name derived from the User Principal Name is a regular or federated domain.
  3. The authentication platform, Windows Azure, finds that the domain is a non-federated domain and won't take any action.
  4. The end user enters his password in the password field and clicks the Sign in button. The authentication platform receives the user's credentials and will validate them against the username/password in its database. Since the password was synchronized on-premises, it will be the same as the user's Active Directory password.

Apart from some configuration differences, the end-user experience is almost identical in each scenario. A synchronized password overrides cloud-based password complexity requirements as well as password age requirements, just like AD FS. So if the experiences are nearly identical, why choose AD FS, which requires one or more on-premises servers, over the Password Sync feature integrated with the DirSync tool?

Password Sync vs. AD FS: advantages and disadvantages

With AD FS, you can granularly control who's allowed to authenticate using Client Access Policies; this isn't possible with Password Sync.

The Password Sync feature can also lead to confusing situations in which the password stored in Windows Azure is different from the on-premises password, despite its synchronization, such as when an administrator resets an end user's password in Office 365. At that point, the user's password in Windows Azure will change and DirSync won't trigger a new password synchronization until the end user changes his on-premises password.
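The two log-on flows above and the reset scenario just described, as an added toy model that is not Microsoft's or DirSync's code: the tenant table, the user, the passwords and the "hash of a hash" derivation are all constructed for illustration and do not reflect the real Active Directory or Windows Azure formats.

```python
# Added illustration, not Microsoft's code: toy model of both sign-in paths and of password drift.
import hashlib
import hmac

# Constructed tenant: which UPN suffixes are federated (AD FS) vs managed (Password Sync).
DOMAINS = {"fed.example": "federated", "sync.example": "managed"}

def pw_hash(password):
    """Stand-in for the on-premises credential hash (not the real AD format)."""
    return hashlib.sha256(password.encode()).hexdigest()

def sync_value(onprem_hash):
    """Toy 'hash of a hash': what DirSync pushes to the cloud instead of the password."""
    return hashlib.sha256(b"sync:" + onprem_hash.encode()).hexdigest()

def adfs_validate(onprem, upn, password):
    """AD FS flow: on-prem AD is the identity provider and checks the credentials."""
    return hmac.compare_digest(onprem.get(upn, ""), pw_hash(password))

def cloud_validate(cloud, upn, password):
    """Password Sync flow: Windows Azure checks against the value it holds."""
    return hmac.compare_digest(cloud.get(upn, ""), sync_value(pw_hash(password)))

def dirsync(onprem, cloud, upn):
    cloud[upn] = sync_value(onprem[upn])   # the password itself never leaves on-premises

def cloud_admin_reset(cloud, upn, new_password):
    cloud[upn] = sync_value(pw_hash(new_password))   # reset made in the Office 365 portal

def sign_in(upn, password, onprem, cloud):
    """Home realm discovery on the UPN suffix, then the matching validation path."""
    if DOMAINS.get(upn.split("@")[1]) == "federated":
        # Steps 3-5: browser is redirected to AD FS, which validates against AD and
        # issues a token the cloud accepts (a dict stands in for the real token).
        token = {"upn": upn} if adfs_validate(onprem, upn, password) else None
        return "adfs", token is not None
    return "cloud", cloud_validate(cloud, upn, password)   # step 4 of the sync flow

def drift_scenario():
    """An admin reset in Office 365 breaks parity until the next on-prem change syncs."""
    onprem, cloud, bob = {}, {}, "bob@sync.example"
    onprem[bob] = pw_hash("Winter2014!")
    dirsync(onprem, cloud, bob)
    in_sync = sign_in(bob, "Winter2014!", onprem, cloud)[1]
    cloud_admin_reset(cloud, bob, "Temp-Reset-1")          # cloud now differs from on-prem
    drifted = sign_in(bob, "Winter2014!", onprem, cloud)[1]
    onprem[bob] = pw_hash("Spring2014!")                   # user changes it on-premises...
    dirsync(onprem, cloud, bob)                            # ...which triggers a new sync
    resynced = sign_in(bob, "Spring2014!", onprem, cloud)[1]
    return in_sync, drifted, resynced
```

`drift_scenario()` returns `(True, False, True)`: the on-premises password keeps working after the first sync, stops working at the cloud once an administrator resets it there, and works again only after the next on-premises change is synchronized.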

There's also the question of scalability. The Password Sync feature makes sense for smaller environments, since password changes are picked up fairly quickly. In my personal tests, I haven't been able to outrun password synchronization; every time I changed my password on-premises, it was changed in Office 365 by the time I got to the portal to log in. Despite this observation, it's good to question if the experience would be similar in larger environments. Until more companies implement it and more information is publicly available, AD FS is a safe choice, because a single AD FS server can easily serve thousands of end users.

Is Password Sync security a concern?

The term "password synchronization" makes many security managers unnecessarily shiver with fear. At no point is the actual password synchronized between your on-premises environment and the cloud; what is synchronized is a secure key derived from a hash of a hash of the password. All communications are also encrypted because the communication happens over SSL. Even if an attacker could break the SSL channel, he would end up with a hashed value of the password, which is completely useless.

Other than the obvious technical differences between AD FS and the Password Sync feature, there are many nuances that make each option stand out, depending on your needs. We only scratched the surface of each option, and there are many factors to take into account when choosing either one. I recommend enterprises look into Password Synchronization; I believe many companies could benefit from Password Sync over AD FS.

About the author:
Michael Van Horenbeeck is a technology consultant, Microsoft Certified Trainer and Exchange MVP from Belgium, mainly working with Exchange Server, Office 365, Active Directory and a bit of Lync. He has been active in the industry for 12 years and is a frequent blogger, a member of the Belgian Unified Communications User Group Pro-Exchange and a regular contributor to The UC Architects.
