Introduction to Office 365 with single sign-on and Azure Virtual Machines


Applies to: Office 365

Summary: Describes deploying directory integration components for Office 365 in the cloud instead of on-premises.

We're listening to your feedback and consolidating all our Office 365 deployment content. On July 1st, 2015, all information in this guide will be moved to, and these pages will be removed from TechNet. As you review the content still on TechNet, you'll notice many have links pointing to the new content already on

To explore content available on, start with the Office 365 for business - Admin Help page.

Directory integration components

Integrating an Office 365 deployment with existing services by using directory synchronization and single sign-on (SSO) has in the past required an investment in on-premises hardware. Deployments that include this level of integration take more time and cost more.

For SSO, Office 365 requires the following core components:

  • Active Directory Domain Services (AD DS)

  • Active Directory Federation Services (AD FS)

  • Directory synchronization services

We refer to these core components collectively as Office 365 directory integration components. To learn about these components, see Prepare for Single Sign On.

In the past, we’ve recommended that customers host these components in one or more datacenters alongside the existing Active Directory components that are often already deployed. With the release of Azure Virtual Machines, you now have the option to deploy some or all these components in the cloud. We’ll guide you through the solution, potential benefits, requirements, and high-level planning tasks.

We’ll focus exclusively on Office 365 infrastructure components that are required to support SSO with Office 365.

The following are outside the scope of these topics:

  • Exchange Server roles that support Exchange hybrid mode. Exchange Server roles that are used to support the Exchange hybrid mode aren’t supported on Azure Virtual Machines. These roles have been intentionally excluded.

  • Hosting Exchange services on Virtual Machines. Deployment of production Exchange servers on Azure Virtual Machines isn’t supported.

  • Shibboleth or other third-party SSO implementations. Azure Active Directory and Office 365 support several security token services, including AD FS, Shibboleth Identity Provider, and other third-party providers. While it may be feasible to deploy Shibboleth or other third-party providers on Azure Virtual Machines, these providers haven’t been tested by Microsoft.

  • Multifactor or strong authentication. AD FS can be configured to enable a multifactor authentication scenario. While it may be feasible, supportability should be validated through the third-party vendors.

  • Multiforest topologies. The Azure Active Directory Sync tool supports only single-forest topologies.

  • Deployment over multiple Azure datacenters. It’s possible to deploy services beyond a single set of Azure fault domains. This allows components to be deployed into multiple geographic regions. In some situations, this may improve authentication performance or increase the overall availability of the solution. Deploying directory integration services to a single Azure datacenter will be sufficient for most Office 365 customers.