Active Directory Federation Services (ADFS) 2.0 with Office 365: Part 1 – Planning | Quisitive
Active Directory Federation Services (ADFS) 2.0 with Office 365: Part 1 – Planning
April 1, 2011
Introducing ADFS 2.0 in relation to Office 365 and environmental requirements

Note: This post looks at the planning phase for ADFS 2.0 on Office 365 Beta for Enterprises. Configuring is covered in a separate post.

Office 365 supports identity federation which allows true single sign-on capabilities. This is achieved through Active Directory Federation Services (ADFS) 2.0. With identity federation, users can enter their Active Directory credentials to access Office 365 services.

An ADFS 2.0 solution consists of the following components:

  • ADFS server(s) (internal network joined to AD forest)
  • ADFS Proxy Server(s) (perimeter network used to support remote users)

There are three basic ADFS 2.0 deployment options for Office 365 with differing levels of access and availability:

  1. Single server configuration
  2. ADFS 2.0 server farm and load-balancer
  3. ADFS 2.0 Proxy server(s) for offsite users

Benefits of implementing ADFS:

  • Improves user productivity by enabling true single sign-on to domain joined computers
  • Reduces usability issues by allowing users to use AD credentials to access all Office 365 services and not have to remember two identities and two passwords
  • Allows administrators the ability to enforce the organization’s password policies and account restrictions in both the on-premises and cloud-based organizations
  • Increases security of AD credentials since passwords are never synced to the cloud, all authentication happens on-premises
  • Reduces overall administration time and costs associated due to the above points

The following are different sign-on experiences when using Federated Identity depending on location and status of computer:

EnvironmentSign-in Experience
Outlook 2010 on Windows 7No prompt***
Outlook 2007 on Windows 7Sign in each session*
Outlook 2010/2007 on Windows Vista or XPSign in each session**
Exchange ActiveSyncSign in each session**
POP, IMAPSign in each session**
Web Experiences: Office 365 Portal, Outlook Web App, SharePoint Online, Office Web AppsNo prompt
Office 2010/2007 using SharePoint OnlineNo prompt
Lync OnlineNo prompt
Outlook for Mac 2001Sign in each session**

* – Outlook 2007 will be updated after Office 365 has been made generally available to have same experience as Outlook 2010 on Windows 7

** – When first prompted, you can save your password for future use.  You will not receive another prompt until you change the password

*** – In beta period, you will be prompted when first accessing the services

Authentication Mechanisms when using Federated Identity:

ApplicationAuthentication Mechanism
Web browserWeb sign in, WS-Trust and WS-Federation (ADFS 2.0)
Outlook 2010 on Windows 7Web sign in, WS-Trust and WS-Federation (ADFS 2.0)
Outlook 2007 on Windows 7Basic over SSL, authenticated via the ADFS 2.0 proxy
Outlook 2010/2007 on Windows Vista and XPBasic over SSL, authenticated via the ADFS 2.0 proxy
Exchange ActiveSyncBasic over SSL, authenticated via the ADFS 2.0 proxy
POP/IMAP/SMTP clientBasic over SSL, authenticated via the ADFS 2.0 proxy
Lync OnlineWeb sign in, WS-Trust and WS-Federation (ADFS 2.0)

Note that Outlook 2007 is planned to be backported to support WS-Trust and WS-Federation after the beta period.

Two-Factor Authentication can be achieved for Office 365.

The following are requirements of ADFS 2.0:

  • Microsoft Online Services Directory Synchronization tool (DirSync) is installed
  • ADFS servers must have Windows 2008 or Windows 2008 R2 Server operating system installed
  • Client computers must be running the latest updates of Windows 7, Windows Vista, or Windows XP (running the Office 365 Desktop Setup from the Office 365 portal will automatically install necessary updates)
  • Public SSL certificate to secure traffic associated with ADFS
  • Microsoft Online Services Identity Federation Management Tool to establish trust with Office 365

Capacity Planning

When identity federation is enabled and configured in Office 365 there is no fall-back to a different form of authentication if ADFS servers fail. This means that if ADFS servers are not available, users will not be able to authenticate with Office 365 servers. It is very important to configure a highly available ADFS solution utilizing multiple servers and hardware or software load balancing. It is also critical to implement a monitoring solution for the ADFS servers. This includes both the internal ADFS servers and the ADFS proxy servers.

Namespace Planning

ADFS currently only allows for one namespace per ADFS farm/instance. If your company will support multiple namespaces for authentication, you will need to implement an ADFS infrastructure for each. Only internet routable domains that have been validated within Office 365 can be used in an ADFS deployment. If your organization has a non-routable domain for the AD infrastructure (such as .local, .priv, etc), you will need to add a UserPrincipalName (UPN) suffix in AD and configure each user with that UPN suffix (discussed in Part 2).


Part 1 of this post introduced ADFS 2.0 in relation to Office 365 and discussed environmental requirements required to implement.  Part 2 will walk through the configuration of ADFS 2.0 and Office 365.