single sign-on (SSO). AD FS is an optional implementation and is not required for Office 365. However, if your organization decides to implement AD FS, the minimum AD FS version required by Office 365 is version 2.0; thus, it is often referred to as AD FS 2.0.
However, aside from SSO, there are other benefits of AD FS. Because AD FS facilitates the authentication of users through AD, you can take advantage of group policies. AD FS can also control location-based access to Office 365. For example, if you want to allow employees to be able to access Office 365 only from the corporate environment and not from external networks, you can do so through AD FS and AD. If you require two-factor authentication, you must accomplish it with AD FS and SSO.
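The location-based restriction just described is configured as an issuance authorization rule on the Office 365 relying party trust. The following PowerShell is an added example, not code from the book; it assumes AD FS 2.0 with Update Rollup 2 or later (which introduced the x-ms-proxy and x-ms-forwarded-client-ip request-context claims), the default trust name created when a domain is federated, and a placeholder regex for your own public egress addresses.

```powershell
# Added example: deny Office 365 sign-in when the request reaches AD FS through the
# AD FS proxy (i.e. from outside the corporate network) and the forwarded client IP
# does not match the organisation's public egress range. Deny rules always win over
# permit rules, so the standard "permit all" rule can stay in place.
Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue   # AD FS 2.0 snap-in

# Assumed default relying party name created by Convert-MsolDomainToFederated.
$rpName = 'Microsoft Office 365 Identity Platform'

# PLACEHOLDER: replace with a regex matching your corporate NAT/egress addresses.
# 203.0.113.0/24 is documentation space used here only as a constructed sample.
$corpIpRegex = '^203\.0\.113\.\d{1,3}$'

$rules = @"
@RuleName = "Permit all users"
=> issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");

@RuleName = "Deny external requests from non-corporate client IPs"
exists([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-proxy"])
 && NOT exists([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-forwarded-client-ip", Value =~ "$corpIpRegex"])
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/deny", Value = "true");
"@

# Record the existing rules before replacing them, so the change can be rolled back.
$before = (Get-AdfsRelyingPartyTrust -Name $rpName).IssuanceAuthorizationRules
$before | Out-File -FilePath ".\$($rpName -replace ' ','_')-issuance-rules.bak"

Set-AdfsRelyingPartyTrust -TargetName $rpName -IssuanceAuthorizationRules $rules

# Verify what AD FS now holds for the trust.
(Get-AdfsRelyingPartyTrust -Name $rpName).IssuanceAuthorizationRules
```

Test from an external network with a non-corporate address before rolling out broadly: a correctly applied rule produces an AD FS access-denied page rather than a token, while internal users are unaffected because their requests never carry the x-ms-proxy claim.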
You can use AD FS for other purposes as well. A common use of AD FS is to federate with B2B partner networks. If you already have AD FS set up in your environment for other purposes, you might be able to use the existing AD FS infrastructure for Office 365. Likewise, after you set up AD FS for Office 365, you might be able to use it for other non-Office 365
Single sign-on experience
Before we begin to install and configure AD FS 2.0, let us first take a look at the end-user experience when SSO with Office 365 is and is not in place.
Scenario 1: No single sign-on experience
In this scenario, a user is not authenticated through SSO. Each time the user attempts to access Office 365, he is prompted to supply a valid user name and password, whether he is attempting to access Office 365 from within the corporate network or from a public
Scenario 2: User is logged on at work
In this scenario, a user is at work and logs on to the corporate network. The enterprise AD authenticates the user so she has a valid claim token. When the user accesses Office 365 services, by opening Outlook to access email or by opening a browser to access the corporate intranet that is hosted in SharePoint Online, the Office 365 federation gateway will acknowledge the claim token and will not produce a logon prompt. This provides an SSO experience because the user does not need to present her logon credentials again.
Scenario 3: Remote worker on a virtual private network connection
A remote worker or teleworker is one who is not on the corporate network. Traditionally, these workers will use a technology such as a virtual private network (VPN) client to securely create an encrypted communication channel between their personal computers