To save confusion and increase productivity, many customers want the same password for local networks and the cloud. “Dirsync” is a Microsoft Azure Active Directory Sync tool that synchronizes user passwords from your on-premises Active Directory to Azure Active Directory (“Azure AD”). This feature enables your users to log into their Azure Active Directory services (such as Office 365, InTune, CRM Online, etc.) using the same password as they use to log into your on-premises network. It is important to note that this feature does not provide a Single Sign-On (SSO) solution.
For existing on-premises infrastructure, the Azure Dirsync tool is deployed on one domain controller. Then Azure Active Directory is simply linked to the local Active Directory and synchronization verified. When synchronizing passwords using the password sync feature, the plain text version of a user’s password is neither exposed to the password sync tool nor to Azure AD or any of the associated services. Additionally, there is no requirement on the on-premises Active Directory to store the password in a reversibly encrypted format. When you enable password sync, the password complexity policies configured in the on-premises Active Directory override any complexity policies that may be defined in the cloud for synchronized users.
Deploying Active Directory synchronization is the recommended scenario for customers wishing to have the same password in the cloud and on the network. Unlike 6 servers required for true SSO, this approach requires no integration of VPN or virtual machine components at Microsoft Azure. When Microsoft fully implements Active Directory Premium, customers may deploy single sign-on for Active Directory and third-party services without virtual machines for an anticipated $6 per user per month.
Dirsync allows you to effectively support any Microsoft Online Services with the same local password hash, without complex infrastructure integration. Azure Single Sign-On or Active Directory Premium may always be added in the future. With this scenario, the customer avoids a site to site VPN and can access both the local directory and Microsoft Online Services if directory synchronization is interrupted.
For more information see the Microsoft TechNet article Planning for Directory Synchronization.
Leave a Reply