
  • Single Sign-On: ADFS or DirSync or FIM or EMS or not at all?
    13 May 2015
    2:47 PM

    Category:Infrastructure and Messaging; Cloud Services; Portals and Collaboration; Enterprise Mobility Suite; Application Development
    Post By:Cherie Knight-Batey

    Single Sign-On (SSO) can be achieved in multiple ways. In this blog, I will go over some of the most popular ways to achieve SSO. The four most popular options are: Active Directory Federation Services (ADFS), DirSync (with Password Sync), Forefront Identity Manager (FIM) and Enterprise Mobility Suite (EMS). As with most things in life, there are certain advantages and disadvantages to each of these, and usually there are one or two options that fit each need best. Today, I will give a brief description of each and provide you with some of the benefits and drawbacks of each solution.

    ADFS with federated login provides what is referred to as true Single Sign-On with Office 365. I point this out because other SSO options, like DirSync with Password Sync, only provide Same Sign-On. Same Sign-On means that the user will be prompted to re-enter their credentials when accessing Office 365, even though those credentials are the same as their domain credentials.

    DirSync with Password Sync
    As mentioned above, DirSync with Password Sync provides Same Sign-On, where the user must re-enter their credentials even though they are the same. Since ADFS is not deployed in this scenario, DirSync is responsible for periodically synchronizing user profiles to Office 365; thus, there is no need to manually create users in the cloud directory.

    Forefront Identity Manager (FIM), also known as Microsoft Identity Manager, uses Microsoft Enterprise Single Sign-On (ESSO) to provide an encrypted store for secondary credentials that a user may have to present to an application in order to be authenticated and authorized by that application. Additionally, FIM helps your organization ensure users have appropriate access to corporate information regardless of where that information is located, in your datacenter or in the cloud. FIM does this by providing self-service identity management, automated lifecycle management across heterogeneous platforms, a rich policy framework for enforcing security policies, and detailed audit capabilities.

    Microsoft’s Enterprise Mobility Suite (EMS) centrally manages identities across your datacenter and the cloud, providing secure single sign-on to all of your applications. This is a cloud-based identity and access management solution built on Azure Active Directory.

    Active Directory Federation Services
    Benefits:
    • Users logged in to a domain-joined machine do not have to re-enter their password when signing in to Office 365
    • Allows for Client Access Filtering (good for limiting access by remote or off-hour users)
    • No password hashes are synced to the cloud; all authentication is managed on-premises
    • Immediately block user access (e.g. when users leave the company)
    • Support for multi-factor authentication
    Drawbacks:
    • Additional infrastructure required
    • Multiple points of failure
    • SSL certificate from a public CA is needed and requires renewal

    DirSync with Password Sync
    Benefits:
    • Easier and faster to implement and configure
    • Secure password hash-sync feature so that users don't have to enter a separate password
    Drawbacks:
    • Automatic DirSync syncs occur every three hours; possible security-access issues
    • Does not provide true "Single Sign-On"

    Forefront Identity Manager
    Benefits:
    • End-user password reset
    • Common identity between applications and heterogeneous platforms
    Drawbacks:
    • Custom solution - often complex and costly
    • Additional infrastructure required; ADFS is no longer required - can use Azure AD Sync Services

    Enterprise Mobility Suite
    Benefits:
    • Create and manage a single identity across your hybrid enterprise, keeping users, groups and devices in sync
    • Enable application-access security by enforcing rules-based multi-factor authentication for both on-premises and cloud applications
    • Self-service password reset and application access requests
    • Secure remote access to on-premises web apps
    • Greater security for mobile devices
    • Highly available
    Drawbacks:
    • Cost of individual options with the Enterprise Mobility Suite
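
    As an added example (not part of the original post, and not a Microsoft sample), the following PowerShell uses the MSOnline module to make two of the comparison points above concrete: it lists which verified domains are Federated (ADFS) versus Managed (password hash sync), shows when the last directory sync ran, and blocks a departed user's cloud sign-in straight away so that an on-premises disable does not have to wait for the next three-hour DirSync cycle. It assumes the MSOnline module is installed and a Global Administrator signs in; the user principal name is a placeholder.

```powershell
# Added example, not from the original post. Assumes the MSOnline module and
# a Global Administrator account. The UPN below is a placeholder.

Connect-MsolService

# Authentication is "Federated" for domains that hand sign-in to ADFS (true SSO)
# and "Managed" for domains that rely on synchronized password hashes (same sign-on).
Get-MsolDomain | Select-Object Name, Status, Authentication

# Tenant-level sync state: whether directory sync and password sync are on, and
# when the last sync completed. With password sync, an account disabled
# on-premises is only reflected in the cloud after this timestamp advances.
Get-MsolCompanyInformation |
    Select-Object DirectorySynchronizationEnabled, PasswordSynchronizationEnabled, LastDirSyncTime

$upn = 'leaver@contoso.example'   # placeholder UPN for a user who has left

# Block the cloud credential immediately. This applies at sign-in regardless of
# the sync schedule, closing the gap between the on-premises disable and the
# next DirSync run. Re-enable later with -BlockCredential $false if needed.
Set-MsolUser -UserPrincipalName $upn -BlockCredential $true

# Confirm the block took effect and note when the account last synced.
Get-MsolUser -UserPrincipalName $upn |
    Select-Object UserPrincipalName, BlockCredential, LastDirSyncTime
```

    Blocking the credential in the cloud is a stop-gap for the sync delay; the on-premises account should still be disabled so the next sync leaves both directories consistent.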

  • EMS: What It Is AND Why You Need It - Part 3
    04 March 2015
    9:48 AM

    Category:Cloud Services; Enterprise Mobility Suite
    Post By:Jennifer Bluemling

    We’re rounding out this three-part series on the Enterprise Mobility Suite by covering the last part: Azure Active Directory Premium. Last week, we wrote about Azure Rights Management, and the first entry covered Windows Intune. So far, we’ve learned about updating multi-device platforms, keeping them secure and keeping company confidential data in the hands it belongs in. But what about keeping your employees working quickly and securely without a bunch of extra login credentials to deal with? Or how about keeping them secure with multi-point authorization without bogging down the IT team with password resets?


    That’s Where Azure AD Premium Comes In

    If your information workers are anything like ours, they probably have an average of ten business apps they log in to on a daily basis. Each requires a separate password, each is most likely forgotten, or the “remember my password” option is chosen (not very safe) or, even worse, they keep a passw0rd file on their computer somewhere. Yikes! It’s no wonder that the rise of single sign-on options has taken over the Identity Management world. This is the same problem that several consumer-based apps face, hence their reason for implementing the “Sign on with Facebook” option so that people don’t have to remember passwords. You can think of Azure AD Premium as the “Facebook Sign On” power for all of your apps, with encryption and enterprise-level security added in.

    Another immensely popular feature of Azure AD Premium is the ability for employees to reset their own passwords when they absolutely have to. We hear all the time how our clients’ IT teams spend a large part of their resources just responding to reset requests. With the multi-touch authentication process, an employee can now do this with a simple online interface that sends a text to the authorized company cell phone with a special code to enter. It’s that easy! Now, think about all the other projects your IT team could work on with those resources back.

    Additional Benefits of Azure AD Premium Include:
    • Group-based provisioning and single sign-on for over 1000 SaaS apps
    • Machine learning-driven security reports for visibility and threat management
    • Robust sync capabilities across cloud and on-premises directories

    For more information on the rest of these features, or to discuss the Enterprise Mobility Suite, please contact us! You can also visit our EMS page for further details.

  • EMS: What It Is AND Why You Need It - Part 2
    25 February 2015
    12:05 PM

    Category:Cloud Services; Enterprise Mobility Suite
    Post By:Jennifer Bluemling

    As we mentioned last week, we’re on a roll with this series covering the Enterprise Mobility Suite. In our previous entry, EMS: What It Is AND Why You Need It - Part 1, we went over the benefits of Windows Intune. This week we will cover Azure Rights Management, one of the leading solutions for protecting company-sensitive data without the hassle of training every employee to be a security and compliance officer, because we all know that won’t happen.

    So, what exactly is Azure Rights Management? 

    Every company is Internet-connected these days to give their employees access to cloud-based resources, email, research tools and collaboration hubs. Given that so much information is shared within your organization and outside of it with key partners, it is vital to make sure that data only stays in the circles it needs to. For example, it’s not uncommon for workers to save documents to their personal Dropbox accounts (eek, yes it’s true) and then work on those when they get home. What happens to the control your organization is looking for in that instance? Once a document crosses into another environment, it is nearly impossible to protect it against outside influences or to keep it from accidentally being shared with the wrong individual.


    In comparison, Azure Rights Management (Azure RMS) can protect your company’s sensitive information in all these scenarios. It uses encryption, identity, and authorization policies to help secure your files and email, and it works across multiple devices: phones, tablets, and PCs. Information can be protected both within your organization and outside it because that protection remains with the data, even when it leaves your organization’s boundaries. As an example, employees might email a document to a partner company, or save a document to their cloud drive. The persistent protection that Azure RMS provides not only helps to secure your company data, but might also be legally mandated for compliance, legal discovery requirements, or simply good information management practices.

    Of course, we couldn’t leave you hanging from last week’s video of our favorite EMS characters. So, who’s ready for some hamster burritos? Er, hamsters and burritos?

    Interested in a Free Trial of EMS? Check out our Enterprise Mobility Page to get started. We’ll continue our next post on EMS with Azure AD Premium next week.

  • EMS Part 1: What It Is AND Why You Need It.
    18 February 2015
    10:45 AM

    Category:Cloud Services; Enterprise Mobility Suite
    Post By:Jennifer Bluemling

    We'd like to introduce you to the new collection of services from Microsoft offering mobile security, cloud-based identity management and rights management, known as the Enterprise Mobility Suite. Previously, the three SKUs (Windows Intune, Azure AD Premium and Azure Rights Management) were purchased independently. The cost of all three has been reduced, and they are combined into one license purchase, which complements the rising theme of One Microsoft. Now that you know what it encompasses, let's take a dive into why you need it for your organization.

    Let's start with Windows Intune.

    We've discussed Intune before, but it never hurts to recap and give some fresh insights on this particular SaaS product. Given the many capabilities it offers in Mobile Device Management (MDM), Mobile Application Management (MAM) and Multi-Device Management, we'd like to highlight the following features as key takeaways:

    • Deliver mobile device and application management across popular platforms: Windows, Windows Phone, iOS, and Android
    • Maximize productivity with Intune-managed Office mobile apps
    • Extend mobile application management to line-of-business apps with the Intune app wrapper
    • Provide access to corporate resources on devices based upon enrollment and compliance policies
    • Simplify administration via a single management console in the cloud with Intune or on-premises through integration with System Center 2012 Configuration Manager

    Now, before we get into the business scenarios, let's enjoy this fantastically amusing video on Windows Intune. Pubs & Pints, anyone?

    Be honest, haven't you been tempted to finish a report off with a nice pint? We certainly have. For the business user, Intune translates to a reduction in risk by avoiding data breaches if devices are lost. Why? Because it allows the IT team to remotely wipe the device and keep all company data securely away from unknown audiences.

    Intune also means that certain apps are only in the hands of employees who need them. Why? Because IT has the means to control who gets access to higher-cost applications, inside or outside the Microsoft wheelhouse. Power BI or Adobe Creative Suite? No problem.

    This solution means a more efficient IT team as well. Ever get caught in the trap of needing to upgrade a system or reset a password, but the IT team is bogged down with a task list they'll never see the end of? With a simplified admin console and self-service password reset, that same IT team can become the heroes of your corporation they've always dreamed of being. They want to tackle other projects for you, like setting up a robust ERP system, developing first-in-class BI solutions and more. Give them that freedom.

    Interested in a Free Trial of EMS? Check out our Enterprise Mobility Page to get started. We'll continue our next post on EMS with Azure Rights Management next week.
