Office 365 Migration and SSO

Our team have now worked on a number of Office 365 migration projects, and one decision has to be made early in every one of them: whether or not to go to Single Sign On (SSO).

If you are migrating from an on-premise Exchange environment to Office 365, then SSO might make sense, as your Outlook 2010 users will be used to starting Outlook without entering any user credentials to access their mailbox. If they use Outlook Web Access (OWA) then they may need to enter credentials, but generally most users expect a seamless process to get into their mailbox.

Single Sign On requires a reasonable amount of local server infrastructure to support its use, as all authentication requests for Office 365 need to come into your local Active Directory first, and back out to Office 365. You need Active Directory Federation Services (ADFS), Active Directory Proxy Services and Microsoft Directory Sync, and within each service you may wish to double up to add resilience. For larger customers you may even need SQL Server!

I have seen some customers end up on Office 365, but with more local servers (supporting SSO) than they would have needed if they had gone to Exchange 2013 on-premise. Going to the cloud is meant to relieve the need for local servers (physical or virtual). Microsoft do mention that if you use Azure to host the ADFS & Proxy Servers then that means you have no data centre costs. However, you still need to build, license, and support the extra servers.

SSO Alternative – Password Sync

Microsoft now support password sync of your AD password to Office 365 via their Directory Synchronization tool. See this Microsoft TechNet Blog article. This offers an alternative to using ADFS for this feature, with a much smaller server infrastructure footprint. For Office 365 customers I will now recommend this solution over ADFS, unless there is a compelling business reason not to.

Office 365 Cost Savings

Customers need to understand the implications of SSO clearly, as the cost-savings of going to Office 365 are not quite as tangible with a significant local server infrastructure to implement and support.

Our advice to customers who want to go to Office 365 is to consider not implementing SSO for their users, and so negate the need to deploy new local server infrastructure to support it. (I am aware that Azure could be used to house these servers, but they still need managing and supporting.) Users will get used to entering their credentials to get to their email. Many will be used to this anyway, with web mail being commonplace for personal email accounts like Gmail and Hotmail.

For Windows devices like Windows 7, the Credential Manager will happily store Office 365 credentials for Outlook 2010/2013. Care is needed to ensure password expiry and reset processes are well researched and published.

Domino to Office 365 with SSO

Users at customers migrating from Domino to Office 365 will be very used to entering a password to get into Lotus Notes, often many times a day, so it will not be too much to ask for them to enter credentials to get into their new Office 365 mailboxes.

Think clearly before you decide on SSO. It is a big decision. Contact Us to discuss your Office 365 migration project, and let us help you decide on the best strategy for your business. If you are going to use Office 365, then you may as well save as much money as you can as a result.
