Configure ADFS for Office 365
External DNS record, for example: fs.o365cloudlab.co.za
Internal DNS record, for example: fs.thatcloud.com
Valid SSL Certificate
Service Account with Domain Admin rights
More about the requirements can be found here at the Microsoft blog.
To get started we need to install the ADFS role and features.
Run Windows PowerShell as Administrator and run the following to install the ADFS role and management tools.
Add-WindowsFeature ADFS-Federation -includeAllSubFeature -IncludeManagementTools -restart
Wait until the server has started back up before continuing with the next steps.
Once the server has restarted we need to start configuring ADFS from the Server Manager console.
Click on the yellow warning sign and then click Configure Active Directory Federation Service.
Ps. Make sure that the account you are logged in with has Domain Admin rights; alternatively you need to provide the login details of an account which has the needed permissions.
From the Welcome Screen of the Wizard leave all as default and click next.
The next screen is where you can provide alternative login details if the account you are logged in with does not have the needed permissions.
On the next screen we need to provide a valid SSL certificate as well as a Federation Service Name, followed by a friendly display name.
Next, we need to provide the credentials of the service account which has been created for ADFS. Then click next.
Depending on the size of the organisation, you can decide to create the ADFS database on SQL Server or, for a smaller organisation, use the Windows Internal Database (WID).
Last but not least we need to verify what we have provided is correct and then click Configure.
Ps. You can click on View Script, to view the PowerShell Script of the process we just did using the GUI.
The PowerShell script looks as follows (the certificate thumbprint is a placeholder for your own SSL certificate):
# Windows PowerShell script for AD FS Deployment
# Get the credential used for performing installation/configuration of ADFS
$installationCredential = Get-Credential -Message "Enter the credential for the account used to perform the configuration."
# Get the credential used for the federation service account
$serviceAccountCredential = Get-Credential -Message "Enter the credential for the Federation Service Account."
# Create the first federation server in the farm with the values entered in the wizard (replace the thumbprint placeholder)
Install-AdfsFarm `
-CertificateThumbprint:"<thumbprint-of-your-SSL-certificate>" `
-Credential:$installationCredential `
-FederationServiceDisplayName:"O365 Cloud Lab - Welcomes You" `
-FederationServiceName:"fs.o365cloudlab.co.za" `
-ServiceAccountCredential:$serviceAccountCredential
Once the Prerequisites check completes, Click on Next to start the configuration.
Click on “Close” once the process is completed.
Launch the ADFS Management Console from the start screen; alternatively it can be accessed from Administrative Tools.
The console looks as follows.
To Test the ADFS Login page, open the following link in a Browser.
Ps. Change the URL above to the federation service name you configured during the setup phase.
Configure Federation with Office 365
From the ADFS Server download and Install the following.
- Microsoft Online Services Sign-In Assistant for IT Professionals RTW
- Windows Azure Active Directory Module for Windows PowerShell
These tools give us the ability to connect to the Azure Active Directory tenant using PowerShell.
Once the tools have been installed, open the Azure AD PowerShell module, run the following and enter the Global Admin username and password.
Next, type the following to list the domains configured in the Office 365 tenant; you should see the primary domain that you would like to federate.
As we can see from the image above, the domain o365cloudlab.co.za is a verified domain. To continue with our next step, we need to change the verified domain to a federated domain by running the following.
Convert-MsolDomainToFederated -DomainName "o365cloudlab.co.za" -SupportMultipleDomain
As we can see the process completed successfully, and the domain is now marked as a federated domain.
To verify that the domain is federated, the following can be run. The Authentication column should say Federated.
Get-MsolDomain -DomainName "o365cloudlab.co.za" | Select-Object Name, Authentication
Launch the ADFS Management Console and navigate to Trust Relationships > Relying Party Trusts; here you should see Microsoft Office 365 Identity Platform with Enabled status Yes.
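The conversion and verification steps above, as an added PowerShell example that is not part of the original post: it federates the domain only if it is still managed, then checks that the token-signing certificate and sign-in host Office 365 holds for the domain match this AD FS farm, and that the relying party trust is enabled. It assumes it runs on the AD FS server with the MSOnline module installed, and uses the domain and service names from this post.

```powershell
# Added example, not from the original post. Run on the AD FS server after installing
# the MSOnline module; domain and service names are the ones used in this post.
$domain = "o365cloudlab.co.za"

Connect-MsolService   # prompts for the Global Admin credentials

# Convert only when the domain is still Managed; a second conversion attempt just errors out.
$before = Get-MsolDomain -DomainName $domain
if ($before.Status -ne "Verified") { throw "Domain $domain is not verified in the tenant" }
if ($before.Authentication -eq "Managed") {
    Convert-MsolDomainToFederated -DomainName $domain -SupportMultipleDomain
}

# 1. Office 365 must now report the domain as Federated (same check as Get-MsolDomain above)
$after = Get-MsolDomain -DomainName $domain
"{0,-42} {1}" -f "Authentication in Office 365:", $after.Authentication

# 2. The signing certificate Office 365 trusts must be this farm's primary token-signing
#    certificate. A mismatch (for example after the certificate rolled over) breaks every
#    federated sign-in until Update-MsolFederatedDomain pushes the new one to the tenant.
$fed       = Get-MsolDomainFederationSettings -DomainName $domain
$certBytes = [Convert]::FromBase64String($fed.SigningCertificate)
$cloudCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,$certBytes)
$localCert = Get-AdfsCertificate -CertificateType Token-Signing | Where-Object { $_.IsPrimary }
"{0,-42} {1}" -f "Token-signing thumbprint (Office 365):", $cloudCert.Thumbprint
"{0,-42} {1}" -f "Token-signing thumbprint (AD FS):", $localCert.Thumbprint
if ($cloudCert.Thumbprint -ne $localCert.Thumbprint) {
    Write-Warning "Mismatch: run Update-MsolFederatedDomain -DomainName $domain -SupportMultipleDomain"
}

# 3. The passive sign-in URL must point at this farm's federation service name.
#    IssuerUri is deliberately not compared: with -SupportMultipleDomain it is per domain
#    and differs from the AD FS identifier by design.
$cloudHost = ([Uri]$fed.PassiveLogOnUri).Host
$adfsHost  = (Get-AdfsProperties).HostName
"{0,-42} {1}" -f "Sign-in host (Office 365):", $cloudHost
"{0,-42} {1}" -f "Federation service name (AD FS):", $adfsHost
if ($cloudHost -ne $adfsHost) { Write-Warning "PassiveLogOnUri does not point at this AD FS farm" }

# 4. The relying party trust created by the conversion must exist and be enabled.
$rp = Get-AdfsRelyingPartyTrust -Name "Microsoft Office 365 Identity Platform"
"{0,-42} {1}" -f "Office 365 relying party trust enabled:", [bool]$rp.Enabled
```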
Now that we have a federated domain configured with ADFS, we can try to connect to the Office 365 Admin Portal: https://portal.office.com
Note that the login will fail during this test with the following error, because we have not yet configured Azure AD Connect.
To install the Azure AD Connect Tool, the Following Link can assist with the Installation and requirements for the AD Connect Tool.
Install Azure AD Connect:
Test Federated user account Login to Office 365 Portal, after the installation of the Azure Ad Connect Tool.
As opposed to earlier, now that the sync tool has run the same user is redirected to ADFS and prompted for a username and password.
The user logs in successfully and is prompted to provide additional security information before using the Office 365 service.
To view successful and failed logins to ADFS, we need to enable auditing from the ADFS Management Console.
Launch the ADFS Management Console, then right-click on AD FS and select Edit Federation Service Properties.
On the Events tab, tick Success audits and Failure audits.
The successful and failed logon events can then be viewed in the Security log in Event Viewer on the ADFS server.
From the event logs we can see that the user successfully logged on to the Office 365 service using the domain account which was synced to Azure Active Directory.
The next post will focus on the ADFS Web Application Proxy (WAP), which allows users to connect to the ADFS server from any machine on the internet.
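The auditing step above, carried a bit further as an added PowerShell example that is not part of the original post: it turns on the same success/failure audits from PowerShell, enables the Windows audit subcategory that AD FS audit events depend on, and summarises the last 24 hours of AD FS audit events from the Security log on this server. It assumes it runs elevated on the ADFS server; event IDs 299 (token issued), 300 (issuance failed) and 411 (credential validation failed) are the standard AD FS audit event IDs.

```powershell
# Added example, not from the original post. Run as Administrator on the AD FS server.

# Same setting as ticking Success audits / Failure audits in Edit Federation Service Properties
$current = (Get-AdfsProperties).LogLevel
$wanted  = ($current + @("SuccessAudits", "FailureAudits")) | Select-Object -Unique
Set-AdfsProperties -LogLevel $wanted

# AD FS audit events only reach the Security log when this Windows audit subcategory is on
auditpol.exe /set /subcategory:"Application Generated" /success:enable /failure:enable | Out-Null

# Pull the last 24 hours of AD FS audit events from the Security log
$filter = @{ LogName = "Security"; ProviderName = "AD FS Auditing"; Id = 299, 300, 411
             StartTime = (Get-Date).AddHours(-24) }
$events = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)

# Overview: issued tokens versus failures
$events | Group-Object Id | ForEach-Object {
    $label = switch ([int]$_.Name) {
        299 { "Token issued" }
        300 { "Token issuance failed" }
        411 { "Credential validation failed" }
    }
    "{0,-30} {1,6}" -f $label, $_.Count
}

# Failures in detail: timestamp plus the first line of the message, which names the failing
# relying party or authentication method. A burst of 411s against one account is worth a look.
$events | Where-Object { $_.Id -in 300, 411 } | Sort-Object TimeCreated -Descending |
    Select-Object -First 10 TimeCreated, Id,
        @{ n = "Summary"; e = { ($_.Message -split "`r?`n")[0] } } | Format-Table -AutoSize
```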