Many organizations are unaware that Office 365 includes two powerful features that make it easy to integrate cloud services with an existing on-premises Active Directory environment. These two features are Directory Synchronization and Federation.
Together, these technologies allow users to continue using their existing Active Directory (AD) credentials to access both on-premises applications and cloud-based services such as Office 365. Employees can sign in using the same username and password whether they are working locally or accessing applications hosted in Microsoft Azure or Office 365. This unified authentication model enables true Single Sign-On (SSO) across hybrid environments.
With federation or domain-joined applications hosted in Azure, organizations can extend their existing identity infrastructure to the cloud while preserving the familiar login experience for users.
Extending the Identity Model to the Cloud
Windows Azure Connect (introduced initially as a Community Technology Preview) allows organizations to establish secure, IPsec-protected network connections between on-premises systems and workloads running in Microsoft Azure. Over this connectivity, Azure-based virtual machines can be joined directly to the on-premises Active Directory domain, because they can reach an on-premises domain controller for the join and for subsequent Kerberos/NTLM authentication.
Once Azure virtual machines are domain-joined, the same authentication model used on-premises can be applied in the cloud. As long as Azure Connect is configured so that the Azure roles can reach the domain controllers and the client devices can reach the web servers hosted in Azure, users can authenticate using their existing AD credentials without requiring additional accounts. Note that the domain-joined machines in Azure depend on that connection being up: if it drops, domain authentication for those workloads stops working.
This architecture allows organizations to extend Active Directory into Azure, creating a seamless hybrid identity environment where both on-premises and cloud-hosted applications operate under the same security and authentication framework.
Office 365 and Federation
Office 365 uses federation services, specifically Active Directory Federation Services (AD FS), to effectively extend an organization’s Active Directory into Microsoft’s cloud data centers. Federation establishes a trust between the on-premises identity provider and Office 365, so that users authenticate against their own Active Directory and Office 365 accepts the resulting signed security token.
For those unfamiliar with federation, it functions as a bridge between on-premises identity systems and cloud services: the password is verified on-premises and never leaves the organization, so there is no duplicate copy of credentials to protect in the cloud. The trade-off is that the on-premises federation servers become part of the sign-in path, so their availability and the protection of their token-signing keys now matter to cloud access as well.
By default, Office 365 creates user identities through the Microsoft Online Portal. These identities are stored in Microsoft’s cloud directory service and are used by Exchange Online, SharePoint Online, and other Microsoft services. These default user accounts typically follow this format:
planky@plankytronixx.emea.microsoftonline.com
If an organization owns a custom domain, it can configure Office 365 to use that domain instead, resulting in user accounts such as:
This approach provides a more professional and user-friendly login identity. However, in the default configuration, these Microsoft Online IDs (MSOLIDs) store passwords directly within the cloud directory service, and users authenticate using those stored credentials.
Directory Synchronization
Organizations can configure a service that automatically creates Microsoft Online IDs in Office 365 based on their on-premises Active Directory user accounts. For example, if the Active Directory domain is named plankytronixx.com, directory synchronization will automatically generate corresponding MSOLIDs in the format:
In this configuration, neither the password nor its hash is copied from Active Directory. Passwords for the synchronized MSOLIDs continue to be set and managed within the Microsoft Online Directory Service (MSODS), so users effectively have two passwords for the same username unless federation is enabled.
Directory Synchronization must be installed and configured on-premises. Its primary purpose is to synchronize user account information from Active Directory into Office 365, eliminating the need for administrators to manually create and manage cloud user accounts through the portal.
Even when directory synchronization is enabled, MSODS remains responsible for password storage and password policy enforcement. Directory Sync only replicates user objects and selected attributes, not full authentication control.
How Authentication Works with Directory Sync
When users access Exchange Online, SharePoint Online, or other Office 365 services, their identities are validated against the Microsoft Online Directory Service. Authentication is handled by Microsoft’s identity platform.
Directory Synchronization simplifies administrative management by automatically creating and updating cloud user accounts based on the on-premises directory. This ensures consistency between environments while reducing operational workload for IT administrators.
One of the most critical attributes synchronized from Active Directory to MSODS is the user’s objectGUID. It is used as the source anchor: its 16 bytes are Base64-encoded and stored on the cloud object as the ImmutableID, and this value is what ties a cloud account to a specific on-premises account.
Unlike usernames or email addresses, which can change over time due to name changes or organizational restructuring, the objectGUID does not change for the lifetime of the object. This makes it a reliable reference point for maintaining identity continuity between on-premises Active Directory and Office 365.
The objectGUID therefore keeps users properly linked across both environments, even when attributes such as display name, UPN, or email address are modified. The caveat is that the link is only as stable as the object itself: deleting and recreating a user, or migrating it to a different forest, produces a new objectGUID and a new ImmutableID, and the cloud account will no longer match unless the anchor is corrected.
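The following PowerShell is an added example, not code from the original post or from the Directory Synchronization tool. It converts between an on-premises objectGUID and the ImmutableID form used in the cloud directory, and shows how an administrator would check that a cloud account is still bound to the intended AD object. The sample GUID is constructed; the live check at the end assumes the ActiveDirectory and MSOnline modules are installed, that Connect-MsolService has already been run, and that the UPN shown is a user in the plankytronixx.com domain.

```powershell
# Added example: objectGUID <-> ImmutableID conversion for Directory Sync troubleshooting.
# ImmutableID is the Base64 encoding of the 16 raw bytes of the AD objectGUID.

function ConvertTo-ImmutableId {
    param([Parameter(Mandatory)][Guid]$ObjectGuid)
    # Base64 of the GUID's byte array, which is the value written to MSODS.
    [Convert]::ToBase64String($ObjectGuid.ToByteArray())
}

function ConvertFrom-ImmutableId {
    param([Parameter(Mandatory)][string]$ImmutableId)
    $bytes = [Convert]::FromBase64String($ImmutableId)
    if ($bytes.Length -ne 16) {
        throw "ImmutableId '$ImmutableId' does not decode to a 16-byte GUID"
    }
    [Guid]::new($bytes)
}

# Constructed sample GUID standing in for a real user's objectGUID.
$sampleGuid  = [Guid]'3f2504e0-4f89-11d3-9a0c-0305e82c3301'
$immutableId = ConvertTo-ImmutableId $sampleGuid
"objectGUID  : $sampleGuid"
"ImmutableId : $immutableId"

# The round trip must return the original GUID; anything else means the
# anchor has been corrupted or points at a different object.
if ((ConvertFrom-ImmutableId $immutableId) -ne $sampleGuid) {
    throw 'Round-trip mismatch between objectGUID and ImmutableId'
}

# Live check (assumed environment): compare the on-premises anchor with the
# cloud account. A mismatch usually means the AD object was deleted and
# recreated, or migrated, and the cloud account is no longer linked to it.
$upn = 'user@plankytronixx.com'   # assumed UPN for illustration
$adUser = Get-ADUser -Filter "UserPrincipalName -eq '$upn'" -Properties ObjectGUID
if ($adUser) {
    $onPremAnchor = ConvertTo-ImmutableId $adUser.ObjectGUID
    $cloudAnchor  = (Get-MsolUser -UserPrincipalName $upn).ImmutableId
    if ($onPremAnchor -ne $cloudAnchor) {
        Write-Warning "$upn : cloud ImmutableId '$cloudAnchor' does not match on-premises '$onPremAnchor'"
    } else {
        "$upn is correctly linked to AD object $($adUser.ObjectGUID)"
    }
}
```

Run the conversion functions on their own to see the encoding; the live section only runs where the AD and MSOnline modules are available. Because the ImmutableID is derived from the objectGUID rather than from the UPN, renaming a user on-premises leaves this comparison unchanged, which is exactly the property the text describes.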
Summary
By leveraging Directory Synchronization and Federation, organizations can extend their on-premises Active Directory environment into Microsoft Azure and Office 365. This approach provides a unified identity model that allows users to sign in once and securely access both local and cloud-based applications.
This hybrid identity solution improves user experience, simplifies account management, and strengthens security by maintaining centralized identity control. It also allows businesses to transition to the cloud without disrupting existing authentication processes.