Microsoft Office Tutorials: Office 365 integration with on-premises environments

Friday, March 31, 2017

Office 365 integration with on-premises environments

You can integrate Office 365 with your existing directory services and with an on-premises installation of Exchange Server, Skype for Business Server 2015, or SharePoint Server 2013.

When you integrate with directory services, you can synchronize and manage user accounts for both environments. You can also add password synchronization or single sign-on (SSO) so users can log on to both environments with their on-premises credentials.

When you integrate with on-premises server products, you create a hybrid environment. A hybrid environment can help as you migrate users or information to Office 365, or you can continue to have some users or some information on-premises and some in the cloud.

For more information about hybrid environments, see Overview of Office 365 hybrid cloud solutions. You can also use the Azure AD advisors: Azure AD Connect advisor, the AD FS deployment advisor, the Azure RMS Deploymnet Wizard, and the Azure AD Premium setup guidance for customized setup guidance.

Before you integrate Office 365 and an on-premises environment, you also need to attend to network planning and performance tuning for Office 365. You will also want to understand the available identity models in Office 365. See where to manage Office 365 user accounts for a list of tools you can use to manage Office 365 users and accounts.

Back to Set up Office 365 for business.

Integrate Office 365 with directory services

If you have existing user accounts in an on-premises directory, you don't want to re-create all of those accounts in Office 365 and risk introducing differences or errors between the environments. Directory synchronization helps you mirror those accounts between your online and on-premises environments. With directory synchronization, your users don't have to remember new information for each environment, and you don't have to create or update accounts twice. You will need to prepare your on-premises directory for directory synchronization, you can do this manually or use the IdFix tool (IdFix tool only works with Active Directory).

Use directory synchronization to keep on-premises and online user account information synchronized

If you want users to be able to log on to Office 365 with their on-premises credentials, you can also configure SSO. With SSO, Office 365 is configured to trust the on-premises environment for user authentication.

With single sign-on, the same account is available in both the on-premises and online environments

Different user account management techniques provide different experiences for your users, as shown in the following table.

User account management technique	User experience	Tools you can use	Learn more
Directory synchronization with or without password synchronization	A user logs on to their on-premises environment with their user account (domain\username). When they go to Office 365, they must log on again with their work or school account (user@domain.com). The user name is the same in both environments. When you add password sync, the user has the same password for both environments, but will have to provide those credentials again when logging on to Office 365. Directory synchronization with password sync is the most commonly used directory sync scenario.	To set up directory synchronization, use Azure Active Directory Connect. For instructions, read Set up directory synchronization for Office 365, and Use Azure AD Connect with express settings.	Prepare to provision users through directory synchronization to Office 365. Integrating your on-premises identifies with Azure Active Directory
Directory synchronization with SSO	A user logs on to their on-premises environment with their user account. When they go to Office 365, they are either logged on automatically, or they log on using the same credentials they use for their on-premises environment (domain\username).	To set up SSO you also use Azure AD Connect. For instructions, read Use Azure AD Connect with custom settings.	What is application access and single sign-on with Azure Active Directory?

User account management technique

User experience

Tools you can use

Learn more

Directory synchronization with or without password synchronization

A user logs on to their on-premises environment with their user account (domain\username). When they go to Office 365, they must log on again with their work or school account (user@domain.com). The user name is the same in both environments.

When you add password sync, the user has the same password for both environments, but will have to provide those credentials again when logging on to Office 365. Directory synchronization with password sync is the most commonly used directory sync scenario.

To set up directory synchronization, use Azure Active Directory Connect. For instructions, read Set up directory synchronization for Office 365, and Use Azure AD Connect with express settings.

Prepare to provision users through directory synchronization to Office 365.

Integrating your on-premises identifies with Azure Active Directory

Directory synchronization with SSO

A user logs on to their on-premises environment with their user account. When they go to Office 365, they are either logged on automatically, or they log on using the same credentials they use for their on-premises environment (domain\username).

To set up SSO you also use Azure AD Connect. For instructions, read Use Azure AD Connect with custom settings.

What is application access and single sign-on with Azure Active Directory?

Azure AD Connect replaces older versions of identity integration tools such as DirSync and Azure AD Sync. For more information, see Integrating your on-premises identities with Azure Active Directory.

If you want to update from Azure Active Directory Sync to Azure AD Connect, see the upgrade instructions.

See a solution architecture built for Office 365 Directory Synchronization (DirSync) in Microsoft Azure.