Office 365 integration with on-premises environments
You can integrate Office 365 with your existing directory services and with an on-premises installation of Exchange Server, Skype for Business Server 2015, or SharePoint Server 2013.
- When you integrate with directory services, you can synchronize and manage user accounts for both environments. You can also add password hash synchronization or single sign-on (SSO) so users can log on to both environments with their on-premises credentials.
- When you integrate with on-premises server products, you create a hybrid environment. A hybrid environment can help as you migrate users or information to Office 365, or you can continue to have some users or some information on-premises and some in the cloud. For more information about hybrid environments, see Office 365 hybrid cloud solutions overview.
You can also use the Azure AD advisors for customized setup guidance:
- Azure AD Connect advisor
- AD FS deployment advisor
- Azure RMS Deployment Wizard
- Azure AD Premium setup guidance
Before you begin
Before you integrate Office 365 and an on-premises environment, you also need to attend to network planning and performance tuning for Office 365. You will also want to understand the available identity models in Office 365.
See where to manage Office 365 user accounts for a list of tools you can use to manage Office 365 users and accounts.
Integrate Office 365 with directory services
If you have existing user accounts in an on-premises directory, you don't want to re-create all of those accounts in Office 365 and risk introducing differences or errors between the environments. Directory synchronization helps you mirror those accounts between your online and on-premises environments. With directory synchronization, your users don't have to remember new information for each environment, and you don't have to create or update accounts twice. You will need to prepare your on-premises directory for directory synchronization, you can do this manually or use the IdFix tool (IdFix tool only works with Active Directory).
If you want users to be able to log on to Office 365 with their on-premises credentials, you can also configure SSO. With SSO, Office 365 is configured to trust the on-premises environment for user authentication.
Different user account management techniques provide different experiences for your users, as shown in the following table.
Directory synchronization with or without password hash synchronization or pass-through authentication
A user logs on to their on-premises environment with their user account (domain\username). When they go to Office 365, they must log on again with their work or school account (firstname.lastname@example.org). The user name is the same in both environments. When you add password hash sync or pass-through authentication, the user has the same password for both environments, but will have to provide those credentials again when logging on to Office 365. Directory synchronization with password hash sync is the most commonly used directory sync scenario.
Directory synchronization with SSO
A user logs on to their on-premises environment with their user account. When they go to Office 365, they are either logged on automatically, or they log on using the same credentials they use for their on-premises environment (domain\username).
To set up SSO you also use Azure AD Connect. For instructions, read Use Azure AD Connect with custom settings.
Learn more about application access and single sign-on with Azure Active Directory.
Azure AD Connect
Azure AD Connect replaces older versions of identity integration tools such as DirSync and Azure AD Sync. For more information, see Integrating your on-premises identities with Azure Active Directory. If you want to update from Azure Active Directory Sync to Azure AD Connect, see the upgrade instructions. See a solution architecture built for Office 365 Directory Synchronization (DirSync) in Microsoft Azure.