
Exchange Hybrid Deployment: AD FS Configuration and O365 Integration

Thomas Stensitzki

After preparing the AD FS requirements and installing the AD FS server role in part 1, this article describes the steps to configure Active Directory Federation Services (AD FS) and to integrate it with Office 365.

Start the AD FS Management console by selecting the AD FS Management tile on the start screen or by using the link in the Server Manager task list.


Start the AD FS configuration by using the link AD FS Federation Server Configuration Wizard.


Select Create a new Federation Service and click Next.


Because a stand-alone federation server cannot be converted into a farm later, it is highly recommended to create a federation server farm even if it starts with a single server; additional servers can then join the farm when you need high availability. In this example we do not use a dedicated SQL Server, so the farm stores its configuration in the Windows Internal Database (WID). Keep in mind that a WID-based farm is limited to a small number of federation servers (five in AD FS 2.x), which is sufficient for most Office 365 deployments.

Select New federation server farm and click Next.


Even though we have not bound the SSL certificate imported in part 1 to the Default Web Site, the configuration wizard selects it automatically.

In this example a wildcard certificate is used, so the wizard cannot derive the service name from the certificate subject and enables the Federation Service name text box for you to enter the fully qualified domain name (FQDN) of the service. The name you enter must be covered by the certificate and must also resolve correctly in DNS, both internally and from the Internet. Note that a wildcard certificate's private key is valid for every host in the domain, so the AD FS server holding it must be protected accordingly.

Enter the federation service name and click Next.


In the next step the service account of the federation server farm is configured. Use a dedicated domain user account for this purpose rather than an administrative account; the wizard registers the HOST/[federation service FQDN] service principal name on this account so that Kerberos authentication to the farm works.

Select the service account, enter its password and click Next.


Review the configuration summary and click Next to start the configuration.


Verify the configuration results and click Close. Any issue during configuration is reported with a meaningful description in the status column of the affected step.


After the configuration has finished, the AD FS management console shows a Service node and a Trust Relationships node.

The AD FS service is now ready for its first relying party trust.


Verify the certificate configuration by selecting the Certificates node. You will notice that Service communications uses the imported third-party certificate, while the Token-decrypting and Token-signing certificates are self-signed by default. This is fine, but keep in mind that these self-signed certificates are valid for one year only. With AutoCertificateRollover enabled (the default) AD FS generates replacement certificates before they expire, and every relying party that holds a copy of the token-signing certificate, Office 365 included, must then be updated with the new certificate (for Office 365 by running Update-MsolFederatedDomain); otherwise sign-ins fail as soon as the new certificate becomes primary. You could replace the token certificates with third-party certificates as well, in which case renewing them becomes a manual task.


Verify that the AD FS service can be accessed from the Internet by requesting the AD FS web service URL in a browser from a client outside your network:

https://[AD FS FQDN]/adfs/fs/federationserverservice.asmx
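As an added example (not part of the original article and not the author's script), the following PowerShell checks the two points just made: the state and expiry of the three AD FS certificates, and whether the federation service answers from outside. It assumes PowerShell 3.0 on Windows Server 2012 with the AD FS role (module ADFS) and uses sts.example.com as a placeholder for your federation service name; the endpoint checks should be repeated from a client outside your network.

```powershell
# Added example (not from the original article): check the AD FS certificates and the
# externally reachable endpoints after the wizard has finished.
# Assumptions: PowerShell 3.0 on Windows Server 2012 with the AD FS role (module "ADFS");
# sts.example.com stands in for your federation service name.
$FederationServiceName = 'sts.example.com'   # assumption: replace with your FQDN
$WarnDays = 60                                # flag certificates expiring within this window

Import-Module ADFS

# 1. Certificate inventory. Service-Communications should be the imported CA-issued
#    certificate; Token-Signing and Token-Decrypting are self-signed and valid for one year.
Get-AdfsCertificate | ForEach-Object {
    $cert = $_.Certificate
    $daysLeft = [int]($cert.NotAfter - (Get-Date)).TotalDays
    [pscustomobject]@{
        Type       = $_.CertificateType
        Primary    = $_.IsPrimary
        SelfSigned = ($cert.Subject -eq $cert.Issuer)
        NotAfter   = $cert.NotAfter.ToString('yyyy-MM-dd')
        Thumbprint = $_.Thumbprint
        Note       = if ($daysLeft -lt $WarnDays) { "expires in $daysLeft days" } else { '' }
    }
} | Format-Table -AutoSize

# With AutoCertificateRollover enabled (the default) AD FS renews the self-signed token
# certificates itself; relying parties holding a copy, Office 365 included, must be updated.
Get-AdfsProperties | Format-List AutoCertificateRollover, CertificateDuration, CertificateGenerationThreshold, CertificatePromotionThreshold

# 2. Reachability. Run this part from a client outside your network as well, because
#    that is where Office 365 and your roaming users connect from.
$serviceUrl  = "https://$FederationServiceName/adfs/fs/federationserverservice.asmx"
$metadataUrl = "https://$FederationServiceName/FederationMetadata/2007-06/FederationMetadata.xml"
foreach ($url in @($serviceUrl, $metadataUrl)) {
    try {
        $resp = Invoke-WebRequest -Uri $url -UseBasicParsing -ErrorAction Stop
        Write-Host ("OK   HTTP {0}  {1}" -f $resp.StatusCode, $url)
    } catch {
        Write-Warning ("FAIL {0}  {1}" -f $url, $_.Exception.Message)
    }
}

# 3. Consistency. The token-signing certificate published in the federation metadata is
#    what relying parties import; it must be the one AD FS reports as primary.
[xml]$metadata = (Invoke-WebRequest -Uri $metadataUrl -UseBasicParsing).Content
$published = @(
    $metadata.EntityDescriptor.RoleDescriptor |
        Where-Object { $_.type -like '*SecurityTokenServiceType' } |
        ForEach-Object { $_.KeyDescriptor } |
        Where-Object { $_.use -eq 'signing' } |
        ForEach-Object {
            $raw = [Convert]::FromBase64String($_.KeyInfo.X509Data.X509Certificate)
            (New-Object System.Security.Cryptography.X509Certificates.X509Certificate2(,$raw)).Thumbprint
        }
)
$primary = (Get-AdfsCertificate -CertificateType 'Token-Signing' | Where-Object { $_.IsPrimary }).Thumbprint
if ($published -contains $primary) {
    Write-Host "Primary token-signing certificate $primary is published in the federation metadata."
} else {
    Write-Warning "Metadata publishes [$($published -join ', ')] but the primary token-signing certificate is $primary."
}
```

The third check is the one that matters after a certificate rollover: AD FS publishes the new token-signing certificate in its metadata as soon as it becomes primary, and a relying party that still trusts the old thumbprint will reject every token from that moment on.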


As an enterprise you want to integrate Office 365 with your Active Directory infrastructure. So far we have prepared the on-premises infrastructure for federation with Office 365.

Now you can register with Office 365. Choose the Office 365 account name wisely, as it becomes part of your tenant's Office 365 namespace:

[OFFICE365ACCOUNTNAME].onmicrosoft.com

This name is the domain part of the UPN of local (cloud-only) Office 365 accounts and cannot be changed afterwards. You need one Office 365 license for each user who accesses Office 365; the individual services (Exchange, SharePoint, Lync) can be assigned per user, depending on the license plan.

In the following example we install the Windows Azure Active Directory Module for Windows PowerShell directly on the on-premises AD FS server and configure the on-premises AD FS for use with Office 365. Running the module on the AD FS server itself keeps the later Set-MsolADFSContext step local; from another machine it would need remote PowerShell access to the AD FS server.

After you have registered with Office 365 open the Office 365 admin center and select domains.


Select Use your own domain to add the external domain you want to use for federation with Office 365.

Continue with the step Specify a domain name and confirm ownership in the basic setup. You need access to the external DNS configuration of the domain for this step, because you have to create a DNS resource record that proves ownership of the domain you specify.

Enter the domain name you want to add to your Office 365 configuration. Note that you can add more than one domain, even if you only want to use one of them for federation.

The next step provides detailed information about the required DNS configuration for hosting providers and general instructions.


The general instructions tell you which TXT or MX record to add to prove ownership of the domain. The record is only used for verification and can be deleted after the domain has been verified successfully.


Once verification succeeds, you can finish this step of the basic setup.


After setting up the new domain in Office 365 we continue to set up users and licenses.


As we want to use AD FS we select I don’t want to add users right now.


This brings us right back to the basic setup where we select Start using your services.


Acknowledge the summary by clicking Done.


Now we are ready to configure federation with Office 365. Select users and groups in the Office 365 admin center and click the Set up link next to Single sign-on.


Download the 32-bit or 64-bit version of the Windows Azure Active Directory Module for Windows PowerShell and install the software.


Keep in mind that the module requires .NET Framework 3.5, which is not installed on Windows Server 2012 by default. Otherwise the installer stops with an error reminding you to add the feature first.

The setup of the Windows Azure Active Directory Module for Windows PowerShell is pretty straight forward.


As the next step we activate Active Directory synchronization in Office 365. This only enables the synchronization component on the tenant side; no user is synchronized until DirSync is installed on-premises. Download the DirSync tool, but do not install it yet.


After installing the Windows Azure Active Directory Module for Windows PowerShell, the on-premises AD FS and Office 365 need to be configured to trust each other. Make sure you have verified external access to your AD FS server first, because converting the domain will redirect every sign-in for that domain to it.

Open the Windows Azure Active Directory Module for Windows PowerShell console and connect to your Office 365 tenant.

$cred = Get-Credential

Enter your Office 365 credentials (the UPN of a global administrator) in the credential dialog and connect by using the following cmdlet:

Connect-MsolService -Credential $cred

Set the AD FS context to the server hosting the on-premises AD FS setup. This allows the cmdlets to read and configure the AD FS service running on the given server.

Set-MsolADFSContext -Computer [YOURADFSSERVER]

Verify the configuration status of your domains with

Get-MsolDomain

Convert your domain to a federated domain. This is the major step where all the verification and configuration work is done: the cmdlet creates the Microsoft Office 365 Identity Platform relying party trust on your AD FS server and uploads the AD FS endpoints and token-signing certificate to Office 365. The domain must already be verified, and from this moment on every sign-in with a UPN in this domain is redirected to your AD FS servers.

Convert-MsolDomainToFederated -DomainName [YOURDOMAINNAME]

After the federation configuration, verify the status of your domains again; the Authentication column should now show Federated for the converted domain:

Get-MsolDomain


Open the AD FS management console and check that a relying party trust named Microsoft Office 365 Identity Platform has been created.


You can check the details of the Office 365 federation configuration with the following cmdlet:

Get-MsolFederationProperty -DomainName [YOURDOMAINNAME]

The cmdlet reports the configuration as seen by both the AD FS server and Office 365, including the external host names to which authentication requests are redirected and the token-signing certificate. Both sides must match, and the AD FS host must be highly available, because an unreachable federation service means that no user of the federated domain can sign in.
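The Office 365 side of this setup, covering both the domain verification done above in the admin center and the federation cmdlets just shown, as an added example that is not part of the original article: the same cmdlets wrapped in the pre-flight and post-checks a practitioner wants around Convert-MsolDomainToFederated. The host name adfs01.corp.example.com and the domain example.com are placeholders; the credential prompt is answered with a global administrator UPN, and the output property names used are those of the Windows Azure Active Directory Module (check with Get-Member if your version differs).

```powershell
# Added example, not from the original article: the Office 365 side of the setup
# (domain verification and federation) as one checked script, run in the Windows
# Azure Active Directory Module for Windows PowerShell on the AD FS server.
# Assumptions: adfs01.corp.example.com is your AD FS host, example.com the custom
# domain, and the credential prompt is answered with a global administrator UPN.
$AdfsServer = 'adfs01.corp.example.com'
$Domain     = 'example.com'

Import-Module MSOnline
$cred = Get-Credential -Message 'Office 365 global administrator (UPN)'
Connect-MsolService -Credential $cred
Set-MsolADFSContext -Computer $AdfsServer

# --- 1. Domain ownership: the admin-center wizard, done from PowerShell -----------
$dom = Get-MsolDomain | Where-Object { $_.Name -eq $Domain }
if (-not $dom) { $dom = New-MsolDomain -Name $Domain }

if ($dom.Status -ne 'Verified') {
    # Office 365 tells us which TXT record proves ownership; create it at your public DNS host.
    $proof = Get-MsolDomainVerificationDns -DomainName $Domain -Mode DnsTxtRecord
    Write-Host ("Create TXT record at {0} with value: {1}" -f $proof.Label, $proof.Text)

    # Office 365 resolves the record from the Internet, so query a public resolver,
    # not the internal AD DNS, and wait until the record is visible before confirming.
    $visible = $false
    for ($i = 0; $i -lt 12 -and -not $visible; $i++) {
        $txt = Resolve-DnsName -Name $Domain -Type TXT -Server 8.8.8.8 -ErrorAction SilentlyContinue
        $visible = @($txt | ForEach-Object { $_.Strings }) -contains $proof.Text
        if (-not $visible) { Start-Sleep -Seconds 60 }
    }
    if (-not $visible) { throw "TXT record for $Domain not visible in public DNS; not confirming." }

    Confirm-MsolDomain -DomainName $Domain
    $dom = Get-MsolDomain -DomainName $Domain
    if ($dom.Status -ne 'Verified') { throw "Verification of $Domain failed: $($dom.Status)" }
}

# --- 2. Federation: every sign-in for @$Domain UPNs goes to AD FS from here on -----
if ($dom.Authentication -eq 'Federated') {
    Write-Host "$Domain is already federated."
} else {
    Convert-MsolDomainToFederated -DomainName $Domain
    $dom = Get-MsolDomain -DomainName $Domain
    if ($dom.Authentication -ne 'Federated') { throw "$Domain did not convert: $($dom.Authentication)" }
}

# --- 3. Post-check: AD FS and Office 365 must agree on the token-signing certificate --
# A mismatch (typically after certificate rollover) breaks every federated sign-in.
$fedProp = Get-MsolFederationProperty -DomainName $Domain
$fedProp | Format-List Source, PassiveClientSignInUrl, TokenSigningCertificate

$thumbs = @($fedProp | ForEach-Object { $_.TokenSigningCertificate.Thumbprint } | Select-Object -Unique)
if ($thumbs.Count -eq 1) {
    Write-Host "AD FS and Office 365 agree on token-signing certificate $($thumbs[0])."
} else {
    Write-Warning "Token-signing certificate differs between AD FS and Office 365: $($thumbs -join ', ')"
    Write-Warning "Run Update-MsolFederatedDomain -DomainName $Domain to push the current AD FS certificate."
}
```

The script refuses to call Confirm-MsolDomain until the TXT record is visible from a public resolver, and it refuses to treat the federation as finished until Office 365 and AD FS report the same token-signing thumbprint; the second check is the one to rerun after every AD FS certificate rollover.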


In the next part we will install and configure DirSync to synchronize the on-premises accounts to Office 365.