Google Apps for Education and Microsoft Office 365 can both integrate with a district's existing Active Directory environment, either through a common username and password or through single sign-on (SSO). The approaches differ, but the end result is the same: your staff can log in to these services with the same username and password they already use for many other services, and there is no manual entry or importing of accounts for new staff.
In order to synchronize accounts from your Active Directory environment to Google, the Google Apps Directory Sync (GADS) utility needs to be installed on one of your Active Directory domain controllers.
The key benefits of GADS, according to the GADS page, are that it:
The GADS utility syncs the user attributes, group information, and other Active Directory data to the Google cloud, but does not handle passwords. The Google Apps Password Sync (GAPS) utility performs synchronization of user passwords. This is a separate utility that must also be installed on a domain controller.
Many scenarios can be accommodated, including separate DNS domains for student and staff email addresses, or hosting students' mail accounts in Google mail while keeping staff email on-premises.
Some caveats when using GADS and GAPS include:
Microsoft offers two options for integrating with Office 365: password synchronization and Active Directory Federation Services (ADFS). Microsoft's Azure Active Directory Connect application (formerly known as DirSync) is configured to synchronize Active Directory attributes and, if desired, passwords to Office 365. Microsoft also offers the ability to federate authentication using ADFS. Federation is a true single sign-on (SSO) experience in which no passwords are passed between the client and Office 365. It requires that the district configure the ADFS server or servers. ADFS is more complicated to configure than password sync, but it can also be used by other services that support SSO.
If you decide to federate using ADFS, the Azure Active Directory Connect application is still used to synchronize and provision accounts in Office 365, and its wizard will help you configure ADFS. The sign-in experience with ADFS differs from the password-sync experience: on an ADFS-federated tenant, once you enter the account name of a federated user on the Office 365 login page, you are redirected to the ADFS site to enter your password, and after a successful login you are redirected back to the Office 365 site.
One possible benefit of using Azure Active Directory Connect is the ability to create a two-way synchronization with your Active Directory. This allows you to take advantage of some of the other offerings from Microsoft, including password resets.
Some caveats when configuring Azure AD Connect and ADFS include:
Update-MsolFederatedDomain -DomainName:<Federated Domain Name> -SupportMultipleDomain
This will allow your district to change DNS domains from district.k12.pa.us to district.org in the future or have separate DNS domains for staff and students, without having to reconfigure ADFS.
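As an added example, not part of the original post: a PowerShell audit that lists each federated Office 365 domain's issuer URI and token-signing certificate expiry, so you can confirm that -SupportMultipleDomain took effect and catch a signing certificate that is about to expire. It assumes the MSOnline module is installed, that you sign in with a Global Administrator account, and that a domain federated with -SupportMultipleDomain carries a per-domain issuer of the form http://<domain>/adfs/services/trust/ (the expected-issuer pattern is this example's assumption).

```powershell
# Added example (not from the original post). Assumes the MSOnline module
# and a Global Administrator account for the Office 365 tenant.
Import-Module MSOnline
Connect-MsolService   # prompts for tenant admin credentials

# Only federated domains have ADFS trust settings worth checking.
$federated = Get-MsolDomain | Where-Object { $_.Authentication -eq 'Federated' }

foreach ($d in $federated) {
    $fs = Get-MsolDomainFederationSettings -DomainName $d.Name

    # Assumption: with -SupportMultipleDomain the tenant records a per-domain
    # issuer URI; a shared issuer across domains indicates the domain was
    # federated without that switch and will need Update-MsolFederatedDomain.
    $expectedIssuer = "http://$($d.Name)/adfs/services/trust/"
    $multiDomainOk  = ($fs.IssuerUri -eq $expectedIssuer)

    # Decode the token-signing certificate Office 365 currently trusts.
    # An expired certificate breaks every federated login for the domain.
    $certBytes = [Convert]::FromBase64String($fs.SigningCertificate)
    $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new([byte[]]$certBytes)

    [pscustomobject]@{
        Domain             = $d.Name
        IssuerUri          = $fs.IssuerUri
        SupportMultiDomain = $multiDomainOk
        PassiveLogOnUri    = $fs.PassiveLogOnUri
        SigningCertExpiry  = $cert.NotAfter
        DaysUntilExpiry    = [int]($cert.NotAfter - (Get-Date)).TotalDays
    }
}
```

Run it again after Update-MsolFederatedDomain to confirm the issuer URI changed for the domain you updated.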