Step-By-Step: Enabling A Primary AD FS Server in Azure for Office365 Single Sign-On


This Step-By-Step will provide instruction to setup a primary AD FS 3.0 server on a Windows Server 2012 R2 virtual machine in Azure.  This post will accomplish the following:

  • Create the Azure Cloud Service

  • Build the Azure virtual machine

  • Install the AD FS 3.0 role

  • Configure AD FS 3.0

  • Federate with Office365

    Microsoft Virtual Academy provides a great precursor to this Step-By-Step entitled: Managing Office 365 Identities and Services

Assumptions:

  • Azure account is setup
  • Directory Sync is activated, setup and running
  • Valid SSL certificate is available (with private key)
  • VPN connection setup from Azure to your on premise network

Step 1: Create a New Cloud Service

Because we are going to load balance one or more virtual machines, we need to create a Cloud Service to put them in. Think of it as a bucket to hold your virtual machines. You will require one for the AD FS servers and one for the Web Application Proxies (AD FS Proxy Servers).

  1. Click New
  2. Select Compute -> Cloud Service -> Custom Create
  3. Enter a URL or Name for the Cloud Service. This name must be unique across the .cloudapp.net name space.
  4. Select your Region or Affinity Group
  5. Click OK

Step 2: Create the Virtual Machine in Azure

  1. Click New
  2. Select Compute -> Virtual Machine -> From Gallery
  3. Choose Windows Server 2012 R2 Datacenter
  4. Click Next
  5. Enter Virtual Machine Name
  6. Select Server Tier
  7. Select Server Size
  8. Click Next
  9. Select the AD FS Cloud Service that was created earlier. This is very important.

Step 3: Verify Subnet

  1. Drop down to Create an availability set
  2. Enter name for the availability set
     
    NOTE: An availability set does not load balance the servers; it places the VMs in different fault domains so that if a rack of servers goes down, the outage does not extend to all the servers in the set.
     
  3. Click Next
  4. Click Next
  5. Once the VM is provisioned go to the next step

Step 4: Add the Server to the Domain

Since the AD FS server needs to authenticate users against Active Directory, it must be joined to the on-premises domain. Join the server to the local domain before continuing.

Step 5: Install the Azure Active Directory Module for Windows PowerShell

Use this BLOG post to install the Azure Active Directory Module for PowerShell and the required Microsoft Online Services Sign-In Assistant 7.0:

Connecting to Office365 with PowerShell

Step 6: Install the AD FS Role

  1. Open Server Manager
  2. Click Add roles and features
  3. Click Next
  4. Select Role-based or feature-based installation
  5. Click Next
  6. Make sure that the AD FS Server is listed as the server to install to
  7. Click Next
  8. Select Active Directory Federation Services
  9. Click Next
  10. Leave defaults
  11. Click Next
  12. Click Next
  13. Click Install
  14. Wait for the install to complete

Step 7: Import the SSL Certificate

AD FS uses a certificate to secure the connection between AD FS and Office365, so we need a valid SSL certificate. I chose to use GoDaddy, as I find they are a one-stop shop for all my domain needs. It’s a personal choice, so use whoever you feel comfortable with. For the purposes of this BLOG post I will use a multi-name certificate; I DON’T recommend this for a production environment. A couple of reasons: I like to keep things simple, and with multiple names on one certificate things start to get complicated (not technically, but in managing the certificate). Secondly, I don’t like to share certificates across services. This cuts down on cross-contamination between the support teams at larger companies. If you lump the AD FS service onto the Exchange certificate, AD FS usually gets left in the dust and forgotten about when it comes time to renew.

  1. Open the Start Screen
  2. Type MMC
  3. Click the MMC app
  4. MMC opens
  5. Click File
  6. Click Add/Remove Snap-in
  7. Select Certificates
  8. Click Add>
  9. Select Computer Account
  10. Click Next
  11. Select Local Computer
  12. Click Finish
  13. Click OK
  14. Expand Certificates
  15. Expand Personal
  16. Right Click Certificates
  17. Select Import
  18. Select Local Machine
  19. Click Next
  20. Browse to the Exported Certificate
  21. Click Next
  22. Enter Password
  23. Mark the key as exportable
  24. Click Next
  25. Place in the Personal certificate store
  26. Click Next
  27. Click Finish
  28. Click OK

Step 8: Setup and Configure AD FS 3.0

  1. Open Server Manager
  2. Select AD FS
  3. Click More… where it says Configuration required for Active Directory Federation Servers at…
  4. Click Configure the federation service… action on the Post-Deployment Configuration
  5. Select Create the first federation server in a federation server farm
  6. Click Next
  7. Enter credentials for a user that has domain administrator permissions. These are used only to complete the install; this is not the AD FS service account.
  8. Click Next
  9. Select the SSL certificate that you imported
  10. Select the Federation Service Name
  11. Enter the Federation Service Display Name
     
    NOTE: Since I am using a multi-name certificate these three values don’t match for me. In production I always recommend that you use a single name certificate to keep things simple. If that’s the case then the three values below should all match e.g. sts.domain.com
     
  12. Click Next
  13. Enter the AD FS Service Account Name and Password
     
    NOTE: This can be a managed service account or a domain user account designated for AD FS. If you use a domain user account, it does not need any special permissions. The install will give it the permissions required. 
     
  14. Click Next
  15. Select Windows Internal Database or the location of a SQL Server Database. The choice is yours, but for most companies the Windows Internal Database works just fine
  16. Click Next
  17. Click Next
  18. Wait for the Pre-requisite checks to be completed
     
  19. Click Configure
  20. Click Close
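Steps 6 to 8 can also be done from an elevated PowerShell prompt on the AD FS server, which makes the checks the wizard skips (private key present, certificate not near expiry, certificate actually covering the service name) explicit. This is an added example and not code from the original post; the PFX path, federation service name, display name and service account name are assumptions, and it uses the Windows Internal Database as the wizard does.

```powershell
# Added example (not from the original post). Installs the role, imports the SSL
# certificate and creates the first server of a new farm. Run as a domain administrator
# (or pass -Credential to Install-AdfsFarm). The values below are assumptions.
$PfxPath     = 'C:\certs\sts.domain.com.pfx'   # assumed path of the exported certificate
$ServiceName = 'sts.domain.com'                # assumed Federation Service Name
$DisplayName = 'Contoso Sign-In'               # assumed Federation Service Display Name

# Step 6 equivalent: install the AD FS role and its management tools
Install-WindowsFeature ADFS-Federation -IncludeManagementTools

# Step 7 equivalent: import into the computer's Personal store with an exportable key
$pfxPassword = Read-Host -AsSecureString -Prompt 'PFX password'
$cert = Import-PfxCertificate -FilePath $PfxPath -CertStoreLocation 'Cert:\LocalMachine\My' `
                              -Password $pfxPassword -Exportable

# Checks the wizard does not make obvious: private key present, not about to expire,
# and the certificate covers the federation service name (SAN extension OID 2.5.29.17)
if (-not $cert.HasPrivateKey) { throw 'Imported certificate has no private key' }
if ($cert.NotAfter -lt (Get-Date).AddDays(30)) {
    Write-Warning "Certificate expires on $($cert.NotAfter); plan the renewal now"
}
$san   = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
$names = if ($san) { $san.Format($true) } else { $cert.Subject }
if ($names -notmatch [regex]::Escape($ServiceName)) {
    Write-Warning "Certificate names do not list $ServiceName (a wildcard needs a manual check):`n$names"
}

# Step 8 equivalent: first federation server in a new farm, Windows Internal Database
Import-Module ADFS
$serviceAccount = Get-Credential -Message 'AD FS service account (e.g. DOMAIN\svc_adfs, assumed name)'
Install-AdfsFarm -CertificateThumbprint $cert.Thumbprint `
                 -FederationServiceName $ServiceName `
                 -FederationServiceDisplayName $DisplayName `
                 -ServiceAccountCredential $serviceAccount

# Confirm the service name and the SSL binding match what was requested
Get-AdfsProperties | Select-Object HostName, DisplayName
Get-AdfsSslCertificate
```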

Step 9: Federate with Office365

  1. Open the Desktop on the AD FS server
  2. Find Azure Active Directory Module for Windows PowerShell
  3. Right Click and Run As Administrator
  4. Set the credential variable
     
    $cred=Get-Credential
     
  5. Enter a Global Administrator account from Office 365
  6. Connect to Microsoft Online Services with the credential variable set previously
     
    Connect-MsolService -Credential $cred
     
  7. Set the MSOL ADFS Context server, to the ADFS server (optional if you are on the AD FS server)
     
    Set-MsolADFSContext -Computer adfs_servername.domain_name.com
     
  8. Convert the domain to a federated domain
     
    Convert-MsolDomainToFederated -DomainName domain_name.com
     
  9. Successful Federation
     
    Successfully updated 'domain_name.com' domain
     
  10. Verify federation
     
    Get-MsolFederationProperty -DomainName domain_name.com
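The Step 9 commands as a script that first checks whether the domain is still Managed before converting it, and afterwards compares the federation settings Office 365 stored with what the AD FS farm reports. This is an added example and not code from the original post; the domain and server names are the post's placeholders, and the Source labels used to tell the two result rows apart are assumptions.

```powershell
# Added example (not from the original post). Federates the domain and verifies the result.
$DomainName = 'domain_name.com'                   # placeholder from the post
$AdfsServer = 'adfs_servername.domain_name.com'   # placeholder from the post

Import-Module MSOnline
$cred = Get-Credential -Message 'Office 365 Global Administrator'
Connect-MsolService -Credential $cred
Set-MsolADFSContext -Computer $AdfsServer

# Convert only a Managed domain; re-converting an already federated domain rewrites the
# trust settings and can lock out users who are signing in through it today
$domain = Get-MsolDomain -DomainName $DomainName
if ($domain.Authentication -eq 'Federated') {
    Write-Warning "$DomainName is already federated; skipping Convert-MsolDomainToFederated"
} else {
    Convert-MsolDomainToFederated -DomainName $DomainName
}

# Get-MsolFederationProperty returns one row read from the AD FS server and one from
# Office 365. If they drift apart (e.g. after a token-signing certificate rollover),
# sign-in fails; Update-MsolFederatedDomain republishes the AD FS settings to Office 365.
$props = Get-MsolFederationProperty -DomainName $DomainName
$props | Format-Table Source, FederationServiceDisplayName, FederationServiceIdentifier -AutoSize
$adfs  = $props | Where-Object { $_.Source -like 'ADFS*' }          # assumed Source label
$cloud = $props | Where-Object { $_.Source -like '*Office 365*' }   # assumed Source label

$mismatch = @()
if ($adfs.FederationServiceIdentifier -ne $cloud.FederationServiceIdentifier) {
    $mismatch += 'FederationServiceIdentifier'
}
if ($adfs.TokenSigningCertificate.Thumbprint -ne $cloud.TokenSigningCertificate.Thumbprint) {
    $mismatch += 'TokenSigningCertificate'
}
if ($mismatch.Count -gt 0) {
    Write-Warning "Office 365 and AD FS disagree on: $($mismatch -join ', '). Run Update-MsolFederatedDomain -DomainName $DomainName"
} else {
    Write-Output "Federation settings for $DomainName are consistent"
}
```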
     

This concludes the setup of the first AD FS server and federation with Office365.

Comments (1)

  1. fred says:

    Excellent article! Thanks for the reference!
