Federated identity

This scenario uses AD FS to provide a true SSO experience to end users. This solution also requires synchronizing your on-premises AD with Azure AD using Microsoft Azure AD Connect.

Most organizations that need an SSO solution use this architecture because, besides providing the best possible user experience, it also supports scenarios where companies have security restrictions that, for example, require authentication to be performed in the on-premises AD infrastructure. With federated identity, a user on a domain-joined computer who is connected to the company's on-premises infrastructure and logged in to AD can access any of the Office 365 resources and tools transparently, without having to retype a password.

Some features of the federated identity scenario are as follows:

  • Single identity and sign-on for on-premises and Office 365 services
  • Identities mastered on-premises with a single point of management
  • Directory synchronization to synchronize directory objects into Azure AD
  • Secure token-based authentication
  • Client access control based on IP address with AD FS Proxies
  • Strong factor authentication options for additional security with AD FS

The following figure summarizes the architecture for federated identity:

In AD environments, the key features for this scenario are:

  • SSO
  • Secure token-based authentication
  • Support for web and rich clients
  • Microsoft supported
  • Works with Office 365 hybrid scenarios
  • Requires on-premises servers, licenses, and support

The following figure shows a standard design for an AD FS environment. It also shows a sample scenario with the AD FS infrastructure on-premises and the AD FS proxies in the DMZ network:

The following figure shows how connections between the on-premises infrastructure and Office 365 are made:
