Applies to: Exchange Server 2010 SP3, Exchange Server 2010 SP2
Topic Last Modified: 2013-02-14
Single sign-on enables users to access both the on-premises and Microsoft Office 365 organizations with a single user name and password. Single sign-on provides users with a familiar sign-on experience and allows administrators to easily control account policies for cloud-based organization mailboxes by using on-premises Active Directory management tools. Deploying single sign-on includes several components that configure the trust relationship between the on-premises Active Directory Federation Services (AD FS) server and the Microsoft Federation Gateway.
Although not a requirement for hybrid deployments, we strongly recommend deploying single sign-on in your on-premises organization to make the account authentication experience seamless and familiar for your users. In addition to sparing users from signing in multiple times and remembering additional passwords when accessing the Office 365 organization, single sign-on also offers the following benefits:
- Exchange Online Archiving: When single sign-on is deployed in Exchange 2010 organizations, on-premises Microsoft Outlook users aren’t prompted for their credentials when accessing archived content in the Exchange Online organization. If single sign-on isn’t deployed in Exchange 2010 organizations and Exchange Online Archiving is enabled, the on-premises user principal name (UPN) must match their Exchange Online account. In this scenario, the user will be prompted for their on-premises credentials when initially accessing their archive. A user can temporarily avoid future credential prompting by choosing “save password”, but the user will be prompted again when their on-premises account password is changed.
- Policy control: The administrator can control account policies through Active Directory, which gives the administrator the ability to manage password policies, workstation restrictions, lock-out controls, and more, without having to perform additional tasks in the cloud.
- Access control: The administrator can restrict access to Office 365 so that the services can be accessed through the corporate environment, through online servers, or both.
- Reduced support calls: Forgotten passwords are a common source of support calls in all companies. If users have fewer passwords to remember, they are less likely to forget them.
- Security: User identities and information are protected because all the servers and services used in single sign-on are administered and controlled on-premises.
- Support for strong authentication: You can use strong authentication (also called two-factor authentication) with Office 365. However, if you use strong authentication, you must use single sign-on. There are restrictions on the use of strong authentication. For more information, see Configuring Advanced Options for AD FS 2.0 and Office 365.
Learn more at: Prepare for single sign-on