Setting up Office 365 ADFS 2.0 can be a tricky affair, but for a large organization it is very much worth the effort. If you are wondering exactly what ADFS is, let me refer you to an earlier article on that exact subject:
What is Active Directory Federation Services (ADFS) with Office 365?
In this scenerio, we’re going to be syncing up two domains – the internal active directory domain is going to be called xyz.local, and the external (Office 365) domain is going to be called xyzcorp.com.
To set up Office 365 ADFS, we’re going to start with a clean Windows Server 2008 R2 machine. It can also be done with Server 2008, but for the purpose of this article we’re going to use 2008 R2. As of the time of this article, I have not yet been able to get Windows Server 2012 to work, but that may change in the near future as Microsoft releases an ADFS install for Windows Server 2012.
Adding a UPN Suffix
Once you have a new server or virtual machine with 2008 R2 loaded up, the next step is to create a new UPN within your internal domain to match your external domain. So in this case, log onto a domain controller for the xyz.local domain, open “Active Directory Domains and Trusts”, then within the MMC window, right click on “Active Directory Domains and Trusts” and hit properties. This will open a window that will allow you to add “alternate UPN suffixes”. Add in the UPN suffix of your external domain. In this case, we will add in xyzcorp.com as the suffix.
You will now have to edit all of your users that you will be syncing to use this new UPN. On the domain controller, open up “Active Directory Users and Computers” and navigate to the users you want to change over. To change each user, double click on them to open their properties, then click to the “account” tab. Next to the “username” box is their suffix (which right now will be @xyz.local). Drop down the box and change it to the new UPN you just created – xyzcorp.com. Do that for all users that will be using ADFS. I should mention you can also do this for multiple users at once by selecting all of the users, right clicking, going to “properties”, and then editing the UPN suffix from within there.
Setting up Certificates and DNS
Next you need to install a certificate on your server that can be used on the external domain. For this purpose, we normally recommend a wildcard certificate (it’s just easier and more flexible), but if you absolutely must use a normal certificate, then it will have to be named for the public link that federation will use. So for example, we would be using the external DNS of adfs.xyzcorp.com with a wildcard certificate of *.xyzcorp.com, though an adfs.xyzcorp.com certificate could be used as well.
Now you should add an extra to your external DNS that Office 365 will user to access your federation server. I personally like to use adfs.xyzcorp.com, but it can be anything you’d like. You will also need to forward ports 80 and 443 through your firewall to your ADFS server so that when people go to https://adfs.xyzcorp.com they will hit your server’s default web page with the certificate working correctly.
Installing Required Components, ADFS, and Dirsync
Dirsync and ADFS require .NetFramework 3.5. In some instances I have seen it install automatically during the installation of other programs, in other cases it requires its own install. Just in case you have need of it later on, here is the download link for it: Microsoft .NetFramework 3.5 Download
One last requirement before install ADFS is that you install powershell with Microsoft Online Services module. Besides the fact it is a required component for installing ADFS, you will also be using it to activate and administer much of ADFS, so it is a good thing to have either way! If you do not know how to install it, here is a previous article on the basics of installing and using it: The Basics of Office 365 Powershell
Finally, the time has come to install Office 365 ADFS 2.0. I should note that while ADFS (active directory federation services) is an installable server role, you should not install it using the server role method when using it for Office 365. Instead, Microsoft provides their own download for it. You can get it here – make sure to choose the correct version for your version of windows server. Office 365 ADFS 2.0 Download. Also please note that as of the time of this writing I have not seen an install provided for Server 2012 (and the 2008 R2 installer does not work for it) so Server 2012 may not be supported at this time. Once you have installed and launched it you will land on the home screen for ADFS. You can leave this alone for the moment, as we will come back to it.
Next it is time to activate directory synchronization in the Office 365 administrator portal. Go to the Office 365 Portal and log in using an administrator account. From the administrator overview, click on “Users” (on the left side of the screen). Near of the top of this page, you will see “Active Directory Synchronization” – click on the “set up” button next to it. On step number 3, there is an “Activate” button.
Click the “Activate” button and it will begin activating dirsync.
This can take up to 24 hours (I’ve seen it vary anywhere from a couple hours to close to the full 24).You can continue on through these instructions while it is activating, but you will not be able to complete the AD sync until the above process finishes, so you will hit a roadblock pretty quickly.
The next step is to install the directory synchronization tool. On the same page where you hit the activate button, just below it is a big “download” button for the dirsync tool. Download this now and run the program. It will quickly take you through a setup wizard and install the program before launching into the program itself.
Once the program has installed and the configuration wizard has launched, the first (non-intro) page you will come across asks you for your Office 365 admin credentials – provide them and hit next.
The next page will ask for credentials for your active directory admin account – I recommend providing the service account for federation that you created early, but you can give it a different administrator account if you prefer.
You can ignore the exchange hybrid deployment page (for this example) and continue on to finish the setup. It should run and when you finish it will sync the directories. Remember, if your dirsync has not finished activating, you will not be able to complete this step fully. Log into the Office 365 admin portal and verify that users and groups have all synced up.
Setting Up Office 365 ADFS 2.0
Once you have confirmed that dirsync works, you can return to the ADFS management console from earlier. Start by running the ADFS Federation Server Configuration Wizard.
On the first screen, create a new federation service.
On the next screen, create a new federation server farm. While you can do a stand alone federation server if you’re 100% sure you’ll never need any more, a federation server farm is just as easy, even with a single server.
On the next screen you are asked to choose your certificate. Choose the certificate that you installed earlier, in our case, *.xyzcorp.com
On the next screen, you can create the default database – no need to adjust anything in this case. On the next screen, give it an active directory service account (should be domain admin) for it to use, and then you are done with the install.
Now, you’re back to the main overview page. On the right hand side of it, you should see “edit federation service properties”. Click on this and it will open a new window.
In this window, edit each link to be the same as your external DNS link. So for example, the first two links would become adfs.xyzcorp.com, and the bottom link would be http://adfs.xyzcorp.com/adfs/services/trust
Once you have done this you can save it all and close the ADFS wizard.
The last step is to sign into the Microsoft Online powershell module and activate federation for your domain. Sign in using the usual way (if you don’t know how – instructions are at the end of this article – The Basics of Office 365 Powershell). Once you are signed in, run the following command:
Convert-MsolDomainToFederated -DomainName xyzcorp.com
But obviously replace “xyzcorp.com” with your external domain name. And if you need to convert your domain back from federated, here is the command:
Convert-MsolDomainToStandard -DomainName xyzcorp.com -SkipUserConversion:$true -PasswordFile c:\userpasswords.txt
Now using internet explorer, go to mail.office365.com and try to sign in with a normal user. Test to see if you can log into your webmail using your local domain credentials. You can also test using outlook and your smartphone. This should confirm that Office 365 ADFS is working.
[…] you have recently converted an Office 365 domain to federated then back from federated to standard, you can sometimes forget to convert the users of that domain […]
[…] For more information on setting up federated Office 365, see this earlier article. […]
[…] How do I set up ADFS with Office 365? […]