Comparing Active Directory DirSync and User Provisioning Options for Office 365

Last year Tom Kemp wrote several blog posts regarding the core identity scenarios for Office 365 and comparing federated identity options for Office 365, as well as options for federated identity for office 365, part 2. In these posts he went into great detail covering the options for federating user identity from Active Directory to Office 365, namely focusing on how Centrify compares to ADFS. In this blog post I will talk about the differences between what we offer with respect to Office 365 provisioning with the tools and what Microsoft offers, namely DirSync.

But first, while comparing the Centrify User Suite as an alternative to ADFS, Tom walked readers through some of the differences between ADFS and Centrify for Office 365 specific to the on-premise infrastructure and labor required between the two solutions covering the following challenges:

  1. ADFS requires significantly more on-premise infrastructure vis a vis Centrify for Office 365
  2. ADFS requires firewall changes, while the Centrify cloud proxy service installs behind a firewall and does not require any change using only outbound port 443 which is typically open for HTTPS traffic
  3. ADFS requires a 3rd party certificate whereas Centrify does not
  4. ADFS can be difficult to configure for additional 3rd party SaaS apps, while Centrify delivers turnkey integration for 2500+ SaaS, web, mobile and on premise apps
  5. ADFS does not provide a Windows Server Active Directory-based end-user portal for accessing 3rd party SaaS apps as Centrify does
  6. Centrify delivers a robust mobile “Zero Sign-On” experience for Office 365 and other apps

These blog posts were very detailed in how Centrify is a compelling alternative to ADFS for federating corporate users from Active Directory on premise. One drawback to Centrify at the time Tom wrote those blog posts was the fact that DirSync was still required to provide synchronization and provisioning of basic user account, distribution list and contact info from Active Directory to Office 365. DirSync is notorious for requiring AD remediation and often doesn’t fit the bill, and requires a full blown and custom implementation of Forefront Identity Manager.

Centrify has recently announced availability of user lifecycle management and provisioning across cloud and mobile, including for Office 365. In this and subsequent blog posts I will examine the major challenges with DirSync and how Centrify can greatly enhance the deploy-ability and manageability of Office 365. Below are the major reasons why Centrify provides the best solution for provisioning Office 365.

#1 DirSync and/or FIM requires more on-prem infrastructure

For cloud centric organizations, deploying DirSync requires at least an additional server dedicated to running Active Directory synchronization jobs. Also DirSync is just a packaged solution built on Forefront Identity Manager (FIM). For at least some scenarios (such as multi-forest support) a custom implementation of FIM is required. And a full blown FIM implementation may be too complex and requires additional on-premise software and infrastructure, possibly including SQL, SCCM, Sharepoint, Windows clusters and more. The result may be too expensive (for the extra infrastructure and software licenses) and take too long (days to weeks to months for procurement and setup of the hardware and software).

Microsoft tries to soften this truth by drawing simple looking conceptual deployment architectures such as:

Microsoft oversimplifies the nature of federation through ADFS and directory sync through DirSync or FIM
Microsoft oversimplifies the nature of federation through ADFS and directory sync through DirSync or FIM

But in fact the real life complexity of a complete ADFS and DirSync/FIM implementation may look more like this:

Beware of the potential complexity and extensive infrastructure that ADFS and DirSyc or FIM might require

Yikes!

Centrify simplifies and improves the deployability and manageability of Office 365

In contrast, Centrify for Office 365 requires only one piece of software — the Centrify Cloud Proxy Server — that runs inside the customer’s corporate network and does not have to be on a dedicated system. An architectural diagram is shown below, and be sure to compare and contrast it to the ADFS plus DirSync/FIM diagram above. The installation of the Centrify Proxy Service is about 5 minutes.

Notice this is the same diagram as Tom discussed in his previous blog post. In fact we have delivered a complete and turnkey replacement for both ADFS and DirSync in one integrated and lightweight Windows service. So there is little to no cost associated with Centrify vis a vis hardware/resources associated with ADFS and DirSync/FIM. Combine that with the fact that Centrify for Office 365 can be one of the three free supported apps as part of Centrify Express, there is a very significant economic difference between Centrify for Office 365 and ADFS and DirSync/FIM.

#2 Managing Office 365 licenses manually presents a challenge

DirSync only replicates user accounts and attributes to Office 365 requiring that administrators manually assign licenses to every user in Office 365

Another glaring challenge is that DirSync only syncs AD data to Azure AD. Office 365 administrators still have to manually assign correct license(s) to each individual user of Office 365. So for example, if you have 2000 users in your Active Directory and 500 users you need to license for Office 365, then DirSync would sync the 2000 users but the Office 365 administrator would still need to go into Office 365, visit each user’s account, and assign the correct license for each of the 500 users. What a pain!

 

In contrast, Centrify eliminates the need to manually manage licenses by automatically assigning and removing users’ Office 365 licenses by AD group or the user’s role. This means that when a user is assigned to an AD group such as“Sales,” the user is automatically synced to Office 365 and then also assigned an Office 365 license such as “Microsoft Office 365 Plan E3.” This means less manual steps for your IT folks and quicker TTP (time to productivity) for your users.

Centrify for Office 365 automatic license assignment
Centrify simplifies and automates the assignment of Office 365 licenses without having to manually administer each user account

Note also that Centrify uniquely unifies SaaS and mobile management. So not only can Centrify provision your user account in Office 365, including the required license assignment, we can also provision your mobile devices with WiFi and VPN, setup exchange active sync, and even push those nice new rich mobile Office clients to your users’ phones and tablets. This is a great economic and productivity benefit that only Centrify provides.

I should also acknowledge that Microsoft has recently entered the identity and access management as a service (IDaaS) market with their enterprise mobility suite (EMS). You can read more about our thoughts on their direction in a previous blog. Basically Microsoft created a pricing bundle and some marketing around their unintegrated Azure AD premium products. Unfortunately they both require ADFS and DirSync with all of the same limitations that I have covered in my series of blog articles. We admire their validation that there is a larger challenge regarding SaaS and mobile and look forward to more innovation in this space.

In my next blog post I will give some additional reasons why Centrify is the best solution for Office 365 provisioning.