Active Directory Integration with Office 365: Complete Federation

Welcome back! In the first article of this series we began integrating and installing local Active Directory with Office 365. Verifying local account UPN suffixes was covered as well as downloading and installing Microsoft Active Directory Federation Services 2.0 (AD FS 2.0 for short). It’s time to complete federation and get everything ready for Single Sign-On.

Before putting the cart before the horse, it’s important to verify that some prep work has been completed. First, an SSL Certificate for the domain to be federated is bound to the default website of the server running AD FS 2.0. It’s great if you have an internal certificate authority, but if not I strongly recommend investing in an SSL cert from a commercial authority. They’re relatively cheap, and most importantly they’re easy to get up and going. Note: It’s also necessary to make sure the domain to be federated is added and verified within the Office 365 Admin Center. If either of these tasks is not completed then the instructions in this article will fail miserably.

In the third and final part of this series, I’ll go over how to activate local Active Directory synchronization with Office 365, assign licenses to select users, and test everything for proper operation.

Set Up Single Sign-On

Download and install the Microsoft Online Services Sign-In Assistant for IT Professionals. This software is used to facilitate Single Sign-On on client PCs, but it’s also a requirement for the Windows Azure Active Directory Module for Windows PowerShell, which is a tool we’ll be using.

Active Directory Download Sign-In Assistant

  • Click Download next to the 64-bit version of the software (msoidcli_64bit.msi).
  • Select Run.
  • Click the checkbox to accept the license terms then click Install.

Active Directory Sign-In Assistant Accept License

  • Click Finish.

Download and install the Windows Azure Active Directory Module for Windows PowerShell to the computer running Microsoft Active Directory Federation Services 2.0. This tool leverages the power of PowerShell to complete some of the necessary administration tasks.

  • Open Internet Explorer.
  • Navigate to the Office 365 Admin Center (https://portal.microsoftonline.com).
  • Login with a Microsoft Online Services ID.
  • From the Dashboard, click users and groups.
  • On the users and groups page, click Set up next to Single sign-on.
  • Select the 64-bit version of the Windows Azure Active Directory Module for Windows PowerShell, then click Download.
  • Select Run.
  • Click Next.

Fig 4 - Azure PowerShell Setup

  • Click the radio button to Accept the License Terms and then click Next.

Fig 5 - Azure PowerShell Accept License

  • Click Next to accept the default installation folder.

Fig 6 - Azure PowerShell Location

  • Click Install. After that’s done, click Finish.

Configure AD FS 2.0

The time has arrived to configure Active Directory Federation Services 2.0:

  • Logon to the Domain Controller where AD FS 2.0 is installed using an account with Domain Admin privileges.
  • Launch AD FS 2.0 Management from Administrative Tools.
  • Click the AD FS 2.0 Federation Server Configuration Wizard link.

Fig 8 - AD FS Wizard

  • Select Create a new Federation Service, then click Next.

Fig 9 - AD FS Wizard Start

  • Select New federation server farm. Although there will only be one server at this stage, selecting this option provides the flexibility to add additional servers later for high availability and load balancing.

Fig 10 - AD FS Wizard New Farm

  • Click Browse, select the AD account to use as the AD FS 2.0 service account, and then click Next. Choose any account, but make sure its password is set to never expire.

Fig 11 - AD FS Wizard Account

  • Verify that the SSL certificate and Federation Service name match those created earlier.

Fig 12 - AD FS Wizard Certificate

  • Click Next.
  • The wizard will display a list of the steps it will perform. Click Next to let the process complete.

Fig 13 - AD FS Wizard Confirm

  • Review the results and click Close to finish the wizard.

Fig 14 - AD FS Wizard Finished


Now, it’s better to be safe than sorry. To avoid problems, verify that the domain added earlier to Office 365 Admin Center — in other words, the domain to be federated — is marked active.

  • Open Internet Explorer.
  • Navigate to the Office 365 Admin Center.
  • Login with a Microsoft Online Services ID.
  • From the Dashboard, click Domains.
  • Verify that the domain to be federated is set to Active.

Fig 15 - Verify Domain is Active

Convert Office 365 Domain into a Federated Domain

Now that AD FS 2.0 is configured and the other prerequisites are in place, it’s time to convert the domain added to Office 365 into a federated domain.

  • Logon to the Domain Controller where AD FS 2.0 is installed using an account with Domain Admin privileges.
  • Run the Windows Azure Active Directory Module for Windows PowerShell by right-clicking the icon and selecting Run As Administrator.
  • Enter: $cred = Get-Credential.
  • Enter the Microsoft Online Services ID you would use to sign in to Office 365 and click OK.

Fig 16 - Enter Cred

  • Enter the cmdlet Connect-MsolService -Credential $cred to connect to the Microsoft Online Service.
  • Enter Set-MsolADFSContext -Computer {FQDN of the AD FS 2.0 Computer} to tell the Microsoft Online Service the name of the local computer running AD FS 2.0. In this example the cmdlet is Set-MsolADFSContext -Computer Moody.awssol.com.

Fig 17 - MsolADFSContext

  • Enter Convert-MsolDomainToFederated -DomainName {Domain to be federated}. For this example, the cmdlet is Convert-MsolDomainToFederated -DomainName awssol.com.

Fig 18 - Convert-MSOLDomaintoFederated

  • Check to make sure that all is as it should be by using the Get-MsolFederationProperty -DomainName {Office 365 Domain Name} cmdlet. No surprise, the cmdlet for this example is Get-MsolFederationProperty -DomainName awssol.com.
  • Review the displayed settings to verify that federation was successful by checking for references to the sts certificate used for AD FS 2.0.
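As an added example (not part of the original article), here are the conversion steps above as a single PowerShell script, with a pre-flight check that the domain is verified and not already federated, and a post-check that the token-signing certificate reported by AD FS 2.0 matches the one held by Office 365. The server name and domain are the article's sample values; the output property names follow the MSOnline module and should be confirmed in your environment.

```powershell
# Added example, not from the original article. Run from an elevated
# Windows Azure Active Directory Module for Windows PowerShell session on
# the AD FS 2.0 server. Sample values taken from the article; replace them.
$AdfsServer = "Moody.awssol.com"   # FQDN of the AD FS 2.0 computer
$Domain     = "awssol.com"         # verified Office 365 domain to federate

Import-Module MSOnline -ErrorAction Stop

# Step 1: sign in to Microsoft Online Services with an admin ID.
$cred = Get-Credential -Message "Microsoft Online Services ID"
Connect-MsolService -Credential $cred

# Step 2: pre-flight. The domain must already be added and verified
# (shown as Active in the Admin Center) and must not already be federated.
$d = Get-MsolDomain -DomainName $Domain -ErrorAction Stop
if ($d.Status -ne "Verified") {
    throw "Domain $Domain is not verified in Office 365 (status: $($d.Status))."
}
if ($d.Authentication -eq "Federated") {
    Write-Warning "Domain $Domain is already federated; skipping conversion."
} else {
    # Step 3: point the module at the local AD FS 2.0 server, then convert.
    Set-MsolADFSContext -Computer $AdfsServer
    Convert-MsolDomainToFederated -DomainName $Domain
}

# Step 4: verify. Get-MsolFederationProperty returns one record from the
# AD FS server and one from Office 365; the federation identifier and the
# token-signing certificate must agree on both sides.
$props = Get-MsolFederationProperty -DomainName $Domain
$props | Format-List Source, FederationServiceIdentifier, PassiveLogOnUri, TokenSigningCertificate

$thumbs = @($props | ForEach-Object { $_.TokenSigningCertificate.Thumbprint } |
            Select-Object -Unique)
if ($thumbs.Count -eq 1) {
    Write-Host "Federation OK: token-signing certificate $($thumbs[0]) matches on both sides."
} else {
    # A mismatch usually means the AD FS certificate changed after conversion;
    # re-syncing the trust with Update-MsolFederatedDomain resolves it.
    Write-Warning "Token-signing certificate differs between AD FS 2.0 and Office 365. Check the AD FS certificate, then run: Update-MsolFederatedDomain -DomainName $Domain"
}
```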

Fig 19 - Get-MsolFederationProperty

Office 365 and the domain name awssol.com are now federated. Next up is to synchronize Active Directory with Office 365, assign licenses to select users, and test everything for proper operation. All this, along with a few extra tips for success, will be covered in the final article of this series. Until then, sit back, relax, and enjoy some of the other great articles here on Petri.co.il!