Deployment scenario: Office 365 directory integration components deployed in Azure
Applies to: Office 365
Summary: Describes an Office 365 deployment scenario in which directory integration components are deployed on Azure Virtual Machines.
Deploying Office 365 directory integration components in Microsoft Azure is the second deployment scenario. The effect on the existing on-premises infrastructure is minimal. But the deployment of the directory integration components is faster because of the ability to deploy Azure Virtual Machines on-demand. This option allows you to effectively support Office 365 federated identities without adding hardware to your on-premises infrastructure.
Office 365 directory integration components deployed in Azure
We recommend this scenario for customers who want directory integration and need the agility of deploying these components online. Customers must also be able to manage the integration of Azure with their existing environment.
The following figure shows the high-level architecture for this scenario. We also have an article that contains more detailed instructions on how to deploy Office 365 directory synchronization in Microsoft Azure
Figure 3. High-level architecture of directory components deployed in Azure for this scenario
.jpg "Directory components deployed in Azure")
In this topology, customers deploy and operate Office 365 directory integration components on Virtual Machines. AD FS is published to the Internet through AD FS proxies in Azure. Client authentication traffic, for users that are connecting from any location, is handled by AD FS servers and proxies that are deployed on Azure. This topology includes the Office 365 directory integration components as shown in the following table.
| Component | Quantity | Location |
|---|---|---|
Active Directory domain controllers |
Two per Active Directory domain |
Azure |
Directory synchronization server |
One |
Azure |
AD FS servers |
Two or more |
Azure |
AD FS proxy |
Two or more |
Azure |
Virtual Private Network (VPN) router |
One or two |
Customer corporate network |
We recommend at least two servers for all the components that support redundancy as shown in the previous table. Your server capacity demand may require additional virtual servers. For detail, see AD FS capacity planning.
Note
If your forest contains multiple domains, you need to deploy at least one domain controller for each domain into Azure to ensure uninterrupted access to the service. For redundancy reasons, we recommend a pair of domain controllers for each Active Directory domain. This also reduces the authentication traffic traversing the VPN tunnel.
We strongly recommend that you configure Federation Services so that internal users access the external AD FS proxy endpoints instead of internal AD FS endpoints. Using only external endpoints removes the VPN connection as a single point of failure for internal user authentication to Office 365. Using only external endpoints also means that additional authentication prompts may occur for users because AD FS treats all authentication requests as coming from users on the Internet.
The alternative to the recommended approach is to direct internal AD FS traffic over the VPN either directly or through the use of a DNS record or virtual IP. This removes the additional authentication prompts; however, it’s not the approach we recommend because it introduces the VPN as a single point of failure in the authentication path. Using a DNS record or virtual IP would allow quick remediation if VPN was unavailable. For more information about services failover in the event that VPN is unavailable, see Deployment scenario: Directory integration components in Azure for disaster recovery.