Alternatives to DirSync for Office 365 Provisioning, Part 2

In my last blog post I talked about how Centrify User Suite provides a superior alternative to Microsoft’s DirSync for Office 365 provisioning. I discussed how DirSync (#1) requires additional hardware and software and is complex and difficult to set up, and (#2) does not handle license management. In this blog post I will give some additional reasons why Centrify is the best choice for Office 365 identity.

#3 Syncing from multiple AD forests requires a custom FIM implementation

Many use cases require the full implementation of FIM which can lead to the requirement for many other components and infrastructure.

Common to modern enterprises is an Active Directory topology consisting of multiple forests. Perhaps this is due to M&A activity, LOB realities or geographic convenience. This feature provided by Active Directory is not currently supported by DirSync. DirSync currently only syncs AD data from a single AD domain in a single AD forest. For organizations that have multiple domains or forests, a full Forefront Identity Manager (FIM) implementation is required at this time. The potential complexity of implementing FIM and related components and infrastructure can often dwarf the cost and complexity of the rest of the project.

Centrify, the innovative leader and expert in leveraging Active Directory for identity and policy across datacenter, cloud and mobile, automatically supports multi-forest out of the box

Centrify is the innovative leader in extending Active Directory to non-Microsoft native environments. We currently support 450+ operating systems, Macs, mobile devices and thousands of on-prem, cloud and mobile apps. Centrify understands Active Directory as well as anyone in the industry and, as such, automatically supports multiple domains and trusted forests without additional tools or infrastructure as part of the cloud proxy service.

#4 Mapping internal with external domains isn’t supported by DirSync

Another common scenario is an organization whose AD domain doesn’t exactly match its email domain. For now DirSync is limited to supporting only matching domain names and UPNs for syncing users from AD to Office 365. This reality forces an organization to either refactor their users in AD or to implement custom FIM solutions. In contrast, Centrify supports automated domain mapping and has a simple scripting option for supporting local, different or child domain mapping.

Centrify supports common internal vs external domain scenarios

#5 Flexibility and options for syncing AD changes

Flexibility is essential to ensuring that your projects are successful and complete on time, and to reducing stress and uncertainty. DirSync is typically an all-or-nothing, batch-oriented sync tool. This inflexibility leads to integration and rollout challenges. Centrify supports the same sync modes that DirSync provides, and adds flexible options to selectively sync users or groups and to sync as AD objects change. A preview report also provides insight into potential issues or problems before sync.

Centrify provides much more flexibility in setting up, previewing and syncing data and provisioning users

Viva la difference!

So those are 5 major differences between DirSync and Centrify. Hopefully, as you have seen from this blog post, DirSync/FIM and Centrify offer different approaches to Active Directory synchronization and user provisioning for Office 365. Clearly DirSync offers a more limited and on-premise-centric approach while Centrify offers a more cloud-based approach with greater flexibility. In addition, the goal of Centrify is to offer a more out-of-the-box experience for integrating with third-party SaaS apps and with mobile devices than what ADFS/DirSync/FIM offers.

In some cases DirSync may be appropriate for some customers (e.g. if they don’t really want to use AD as the authoritative source for identity and simply want to sync their password hashes to Azure AD) and in other cases Centrify may be a better choice. My goal here was to simply lay out the facts and let the customer decide which is best between the two, especially as most Office 365 customers will want to know which options to consider.

As we mentioned in our earlier blog post — clearly Microsoft needs to offer something in this area known as “Office 365 identity,” and their answer is ADFS and DirSync, but given that one size rarely fits all, it does not mean that this offering is perfect for every customer of Microsoft. Centrify makes an Office 365 deployment easier and can deliver a better user and IT experience — that’s the most important value to Microsoft and, even more important, to its customers; let alone introducing ADFS and DirSync/FIM as a new piece of on-premise software that needs to be scaled, managed and maintained. Moving forward, the good news is that Microsoft is looking to evolve DirSync, and Centrify will continue to look to further complement and add value to it while providing its own unique and complementary approach that customers should consider when looking for federated identity and user provisioning for Office 365.