Enabling and Managing Federation

Steps

Action

Configure a remote domain to be used with Office 365

Launch on-premises Exchange Management console (EMC), navigate to Hub Transport and select new remote domain in the actions pane

image

Create a new Accepted domain

Create a new Accepted domain that is authoritative for the namespace

image

Create a new federated trust with the Microsoft Federated Gateway (MFG)

Run the following command to get the Exchange certificate thumbprint

Get-ExchangeCertificate | Where-Object {$_.Services –like “IIS*”} and copy the thumbprint value

Then run New-FederationTrust –Name “Microsoft Federation Gateway” -Thumbprint XXXXXXXXXXXXXXXXXXX (where XXX is the thumbprint value). This creates the following federation trust

image

You will see the similar text displayed from the command specified above:-

To complete the federation configuration, you must add a text (TXT) record in DNS for the domain you want to use as the account namespace and for any other domain you want to add as a federated domain on the Microsoft Federation Gateway. After the TXT records are available in DNS, complete the federation trust configuration by using the Manage Federation wizard in the EMC or the Set-FederatedOrganizationIdentifier cmdlet in the Shell

You then need to prove ownership of the namespace

Run Get-FederatedDomainProof –DomainName ExchangeDelegation.company.com | FL DomainName,Proof and Get-FederatedDomainProof –DomainName company.com | FL DomainName,Proof. Then create a DNS txt record in public DNS to prove ownership of the namespace. Copy the proof output and paste into your public DNS txt record.

Perform an nslookup to verify ownership

Run nslookup

Set q=txt

Company.com

Add the namespaces to the federation trust through the EMC

Edit the ‘Microsoft Federation Trust’ object

image

 

Ensure the enabled certificate is specified as the ‘current certificate’

This wizard lets you to specify a current and next certificate to ensure your certificate does not become invalid. If you have multiple HT servers click on ‘shoe distribution state’ to ensure all servers have the correct certificate installed

image

Add the accepted domains

Add Exchangedelegation and company.com to the manage federation section and then complete the wizard and verify by running Test-OrganizationalRelationship

image

Create the organisation Trust relationship

In the on-premise EMC select ‘Organization Configuration’ and in the actions pane select ‘New Organization Relationship’

Select ‘Enable this organization relationship’

Select ‘enable free/busy information access’

Select ‘free/busy access with time, plus subject and location’ if this the access level you want to grant

image

Configure the external organization settings

Select to ‘automatically discover configuration information’ and specify the online tenant namespace

Written by Daniel Kenyon-Smith