Single sign-on with hybrid deployments
Applies to: Exchange Online, Exchange Server 2013, Exchange Server 2016
Topic Last Modified: 2016-01-29
Single sign-on enables users to access both the on-premises and Office 365 organizations with a single user name and password. It provides users with a familiar sign-on experience and can allow administrators to easily control account policies for Exchange Online organization mailboxes by using on-premises Active Directory management tools. While you don't have to configure a hybrid deployment with single sign-on enabled, we strongly recommend that you do. Without single sign-on, users will need to remember two different sets of credentials, one for your on-premises organization, and one for Office 365. Here are a few other advantages to single sign-on:
Exchange Online Archiving When single sign-on is deployed, on-premises Outlook users are prompted for their credentials when accessing archived content in the Exchange Online organization for the first time. However, users can then temporarily avoid future credential prompting by choosing “save password” and then will only be prompted for credentials again when their on-premises account password is changed. If single sign-on isn’t deployed in Exchange organizations and Exchange Online Archiving is enabled, the on-premises user principal name (UPN) must match their Exchange Online account and users will always be prompted for their on-premises credentials when accessing their archive.
Policy control You can control account policies through Active Directory, which gives you the ability to manage password policies, workstation restrictions, lock-out controls, and more, without having to perform additional tasks in your Office 365 organization.
Reduced support calls Forgotten passwords are a common source of support calls in all companies. If users have fewer passwords to remember, they are less likely to forget them.
You have a couple of options when deploying single sign-on: password synchronization and Active Directory Federation Services (AD FS). Both options are provided by Azure Active Directory Connect. We strongly recommend using the password synchronization method unless you have a specific need that requires AD FS. Password synchronization provides many of the same benefits of AD FS without the complexity of its deployment. The following table provides some common advantages and disadvantages for each option.
|By default, if you deploy AD FS and your on-premises AD FS servers aren't reachable from the Internet for any reason, Office 365 will fall back to password synchronization to authenticate users. This allows users with Office 365 mailboxes to continue working uninterrupted even if your on-premises servers aren't available.|
To learn more about each option, see Azure AD Connect User Sign-on options
Single sign-on method
Password synchronization (recommended)
| || |
| || |