
Office 365 – Using Password Sync as a Backup to AD FS

For organizations that deploy AD FS for single sign-on with Office 365, it is as critical a component as their on-premises Active Directory. While your mailboxes may reside in Exchange Online in the cloud, if your on-premises AD FS is not available, users cannot authenticate to access their mailbox.
There are a number of ways to create a highly available environment, starting with multiple servers in a single datacenter, then spreading them across multiple datacenters and then possibly even extending your AD FS farm into Azure IaaS.
Another option, with zero added infrastructure costs, is to use the “Password Sync” feature of DirSync / AADSync as a disaster recovery option should your AD FS become unavailable.

Setup

I won’t get into all the details around what Password Sync is or how it works. At a high level, understand that it’s not a sync of a plain text password but rather a sync of the password hash with additional security imposed on that hash. For additional information, check out “How Password Sync Works”.
Enabling Password Sync is very straightforward: it essentially consists of checking a box in the DirSync / AADSync configuration and then forcing an initial sync. Important to note here is that forcing a “full sync” of DirSync does not initiate a sync of passwords; the password sync process runs out-of-band. To force a sync, check out the DirSync FAQ on this topic.

Failover

So a disaster has occurred and AD FS is unavailable; perhaps the AD FS farm itself has critical issues or possibly the Internet connectivity to the AD FS farm is experiencing an extended outage. I’ll stress here that this should be a “disaster” scenario; this is not something you’re doing when you need to update the firmware on your load balancer.
Microsoft has provided guidance on the process to temporarily failover to synchronized passwords from AD FS. This guidance seems to have a critical flaw though as the instructions are dependent upon AD FS being available. If our AD FS farm is up and available, we’re probably not going through this exercise.
The Microsoft guidance says to use the “Convert-MsolDomainToStandard” cmdlet but as you can see below, you’ll receive an error if AD FS is not accessible.

The command you’ll need to use if AD FS is unavailable is:
   Set-MsolDomainAuthentication -DomainName lab1.iwitl.com -Authentication Managed
As you can see below, I started out with my “lab1.iwitl.com” domain being configured as a Federated domain and then was able to successfully change it to a Managed domain.

At this point my users are able to successfully authenticate to Office 365 using their on-premises password that we’ve been syncing in the background.

Failback

Once AD FS is available again, it’s a matter of running the command below to convert the domain back to a Federated domain:
   Convert-MsolDomainToFederated -DomainName lab1.iwitl.com
You may also want to run “Get-MsolFederationProperty” to check the status of the token-signing certificate as well as the usual AD FS health checks.
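The failover and failback steps above, wrapped into two functions as an added example (not code from the original post). It assumes the MSOnline module with an existing Connect-MsolService session, and a hypothetical AD FS hostname (sts.lab1.iwitl.com) used only to confirm the farm really is unreachable before the tenant-side switch:

```powershell
# Added example; assumes the MSOnline module and an authenticated Connect-MsolService session.
Import-Module MSOnline

function Test-AdfsReachable {
    param([string]$AdfsHost)
    # Every AD FS farm publishes its federation metadata at this path; if an admin
    # cannot fetch it, users are unlikely to be getting tokens either. Test from
    # where your users sit (the admin workstation may have a different network path).
    $url = "https://$AdfsHost/FederationMetadata/2007-06/FederationMetadata.xml"
    try {
        $null = Invoke-WebRequest -Uri $url -UseBasicParsing -TimeoutSec 10
        return $true
    } catch {
        return $false
    }
}

function Invoke-PasswordSyncFailover {
    param([string]$DomainName, [string]$AdfsHost)
    $domain = Get-MsolDomain -DomainName $DomainName
    if ($domain.Authentication -ne 'Federated') {
        Write-Warning "$DomainName is already $($domain.Authentication); nothing to do."
        return
    }
    if (Test-AdfsReachable $AdfsHost) {
        # Per the post, this path is for a disaster, not planned maintenance.
        Write-Warning "AD FS at $AdfsHost still answers; this is not a failover scenario."
        return
    }
    # Convert-MsolDomainToStandard fails here because it must contact AD FS;
    # Set-MsolDomainAuthentication only changes the tenant-side domain record.
    Set-MsolDomainAuthentication -DomainName $DomainName -Authentication Managed
    (Get-MsolDomain -DomainName $DomainName).Authentication   # expect 'Managed'
}

function Invoke-AdfsFailback {
    param([string]$DomainName, [string]$AdfsHost)
    if (-not (Test-AdfsReachable $AdfsHost)) {
        throw "AD FS at $AdfsHost is still unreachable; stay on Password Sync."
    }
    # Convert-MsolDomainToFederated talks to AD FS: run it on the AD FS server,
    # or point the MSOnline module at the farm first.
    Set-MsolADFSContext -Computer $AdfsHost
    Convert-MsolDomainToFederated -DomainName $DomainName
    # Confirm the token-signing certificate the tenant trusts matches the farm.
    Get-MsolFederationProperty -DomainName $DomainName
}
```

Call `Invoke-PasswordSyncFailover -DomainName lab1.iwitl.com -AdfsHost sts.lab1.iwitl.com` during the outage and `Invoke-AdfsFailback` with the same parameters once the farm is healthy again.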

Additional Notes

The Microsoft guidance states that the switchover can take up to two hours for the domain to convert from Federated to Managed. My experience has been that it takes nowhere near this long; however, I am working in a lab environment with a limited user count. That said, keep this in mind when making the decision to implement this disaster recovery option.
After switching over to Password Sync, you may find that it works just fine for you. If so, you can check out the “How To Switch From Single Sign-On To Password Sync” article for this process.
You may also want to check out my “DirSync Password Sync: Did You Know?” article as part of your decision making process.
Did you find this article helpful?
Leave a comment below or follow me on Twitter (@JoePalarchio) for additional posts and information on Office 365.

Thoughts on “Office 365 – Using Password Sync as a Backup to AD FS”

  1. Damian-
    Yes, since you’re not making changes to the on-premises AD FS, it will work.
    Thanks
    Joe

  2. Wow, this article was much simpler than the Microsoft one. What about all the details in the Microsoft article about updating the users’ UPN, SkipUserConversion, converting the domain to standard, etc.? All these things...

  3. Chau-
    None of those switches should be necessary with this method. Keep in mind this method is designed for when AD FS is not available.
    Thanks for the question.
    Joe

  4. If AD FS is available, is there any benefit to using the Microsoft method, or any downside to using the method you describe here? Your method is much simpler, but I’m curious if there’s any reason to go the Microsoft route.

  5. Joe Palarchio
    Scott-
    I’ve seen it done both ways and I haven’t noticed a difference but if AD FS is available, why are you switching over to Password Sync?
    Thanks
    Joe

  6. When I have configured one domain for Federated, is it possible to change the password for my federated domain users, either in PowerShell or on the web?
