AD FS SSO vs DirSync with Password Sync

Updated on 28 August 2015

IMPORTANT: AAD Connect has replaced AADSync and DirSync. Reference: Azure Active Directory Sync



I recently spoke to Microsoft Partner Network (MPN) pre-sales support to gather information on running an AD FS pair in Windows Azure for SSO with Office 365, and on AD FS SSO versus DirSync with Password Sync. Below is a summary of the fraction of info available on the subject.

AD FS in Windows Azure Requirements…

  • 3 servers in Azure (minimum)
    • 1-AD FS Proxy
    • 1-AD FS Server
    • 1-Domain controller
  • VPN connection with on-premises environment
  • SSL certificate


  • Active/Passive or Active/Active
  • Ask if ISP provides NLB service for geo-load balancing
  • 5000 users or more … suggest site to site connection


  • Do not recommend in secondary datacenter due to potential high latency if no VPN between sites
  • If VPN between sites, recommend HA in secondary datacenter before implementing in Azure due to cost


  • On-premises vs Azure
  • How many Azure credits are available to the customer if they have an EA?
  • Costs to run in Azure add up quickly, especially when running 24/7. Consider the following costs to implement AD FS SSO in Azure…
    • Server/CPU
    • Bandwidth
    • Storage
    • Suggest signing up for trial … bring up 2 servers and let run for 1 week (without turning off or shutting down) to determine cost over one month



  • If high number of users and higher availability required
  • Needs to mirror between sites
  • SQL specific licensing to take advantage of replication (mirroring)
  • Cost to implement is high
  • Complex to implement

WID (Windows Internal Database)…


  • Can be implemented with as little as 1 user and has no known limitation on number of users (40,000 or more)
  • However there is a cost factor associated with DirSync vs AD FS…
    • Hypothetical: Assume entering credentials to login takes approx. 2 minutes with DirSync
    • If 40,000 users, that’s a huge unexpected cost in just logging on with DirSync to access Office 365 resources
    • That’s 1333.33 hours lost per day just with logging in via DirSync … WOW!
    • Consider each employee earns $10/hour, that’s over $13,000 a day and nearly $3.5 million a year (based on a 250-day work year) in lost hourly wages with 40,000 users
    • SSO doesn’t require entering credentials after the first time connecting to Office 365 resources
    • How many new users created daily? If a lot, then suggest full FIM implementation vs DirSync with FIM
    • DirSync is not a possibility with multiple forests … must use full version of FIM

Pros and Cons

AD FS Pros

  • True SSO
  • No user interaction required

AD FS Cons

  • Expensive
  • Complex to implement
  • If link to O365 goes down, no access to O365 resources
  • FIM required if multiple Exchange organizations are involved
  • HA setup strongly recommended

DirSync Pros

  • Inexpensive to implement
  • Easy to implement
  • Reliable logon solution even when link to O365 resources is down
  • MS focusing efforts on DirSync
  • 95% of all O365 customers only need DirSync and not ADFS
  • No HA setup required

DirSync Cons

  • Possible multiple logins (user interaction required)
  • Full versions of SQL required if more than 15,000 users
  • FIM required if multiple Exchange organizations are involved

I welcome your comments and recommendations if I have missed something.

Have fun!


