ADFS enables SSO for Office365, as long as the user has an account in both ActiveDirectory and Office365. The reason for the dual account requirement is that the user is always authenticating to an Office365 account, even if SSO is not in place. When SSO is implemented, authentication occurs through a security token rather than through a user directly authenticating to Office 365. Therefore, user accountsare created onpremises in ActiveDirectory, which DirSync then synchronizes to Office365. By synchronizing users and policy settings to WindowsAzureActiveDirectory, DirSync maintains the object source of authority on the onpremises Active Directory, and ensures that the same objects, attributes, and settings are also available when the federation service accesses these objects from Office365.