How To Install AD FS 2016 For Office 365 Part 3

Rhoderick Milne [MSFT] (https://social.technet.microsoft.com/profile/Rhoderick+Milne+%5BMSFT%5D), 14 May, 2017
https://blogs.technet.microsoft.com/rmilne/2017/05/14/how-to-install-ad-fs-2016-for-office-365-part-3/
Part 2 (https://blogs.technet.microsoft.com/rmilne/2017/05/10/how-to-install-ad-fs-2016-for-office-365-part-2/)

This post assumes that the domain was previously added as a standard domain, also called managed, and that the domain will require conversion. Now we want to change the Office 365 domain to be a federated domain. As discussed in part 1, this means that all of the users who authenticate using this domain will become federated identities, and the on-premises AD FS and AD DS infrastructure is responsible for authenticating these requests.
Importance Of AD FS When Office 365 Relies Upon It

Before we discuss the integration of Office with the on-premises AD FS infrastructure, let's just again be clear on the criticality of ensuring that AD FS is available when the Office 365 domain is set to use AD FS authentication. If for whatever reason the AD FS infrastructure is unavailable, then Office 365 cannot complete the authentication process and thus users cannot get access to Office 365. This will cause a service impacting outage that will require resolution from you, not Microsoft's online services team. For this reason, unless you really need to leverage AD FS, please review the Azure AD Connect password hash synchronisation feature.

Apologies if I sound pessimistic, but I don't want to obviate the requirement for AD FS redundancy!

AD FS in Azure

On the topic of AD FS redundancy, one option is to also host a portion of your AD FS infrastructure in Azure. This is a perfect solution if you do not have sufficient capacity in your current datacentre, or your datacentres are located in close proximity to each other and a major incident would take both of them down.

There is a whitepaper published for this exact scenario. Please check this link (http://technet.microsoft.com/library/dn509539.aspx). The documentation covers three main scenarios to meet the situations discussed above:

Scenario 1: All Office 365 SSO integration components deployed on-premises. This is the traditional approach; you deploy directory synchronization and Active Directory Federation Services (AD FS) by using on-premises servers.

Scenario 2: All Office 365 SSO integration components deployed in Windows Azure. This is the new, cloud-only approach; you deploy directory synchronization and AD FS in Windows Azure. This eliminates the need to deploy on-premises servers.

Scenario 3: Some Office 365 SSO integration components deployed in Windows Azure for disaster recovery. This is the mix of on-premises and cloud-deployed components; you deploy directory synchronization and AD FS, primarily on-premises, and add redundant components in Windows Azure for disaster recovery.

This is an example of hosting AD FS in Azure for DR purposes:

AD FS is supported for deployment on Azure Virtual Machines (http://msdn.microsoft.com/en-us/library/azure/jj156090.aspx#BKMK_WhyADFS), but there are AD FS best practices that require technologies beyond what AD FS offers itself, such as load balancing/high availability. In addition to this, please also consider the pricing for running this IaaS. Read through the deployment caveats in the AD FS Azure documentation above and also the additional discussion points here (http://msdn.microsoft.com/en-us/library/azure/jj156090.aspx#BKMK_ContrastsForADFS).
Updating AD FS

Back to the business at hand: updating Office 365 so that it now uses your on-premises AD FS server! To do this we will need to leverage the Azure AD PowerShell cmdlets.

In the previous posts we reviewed the required pre-requisites. One to circle back on was that the AD FS servers will require Internet access to complete the configuration with Office 365. This will require outbound access on HTTP and HTTPS using ports TCP 80 and 443 respectively. If this is not open, then you will receive an error.
Note that at the time of writing there are two modules for administering Azure AD. Currently the V1 and V2 modules are available, which are separate modules and installations from one another. The V1 module is called MSOnline and the V2 is called AzureAD.

Azure Active Directory V2 General Availability Module overview information can be found here (https://docs.microsoft.com/en-us/powershell/azure/overview?view=azureadps-2.0). For detailed information on how to install and run this module from the PowerShell Gallery, including prerequisites, please review this (https://msdn.microsoft.com/powershell/gallery/readme).

Currently not all of the V1 module commands are present in V2. This gap will be closed over time. While some tasks need to be accomplished using the V2 module, this post will use the V1 module. The below is an example of the V2 module. We can see the name of AzureAD and its version using the below cmdlets:

Get-Module AzureAD

Get-Command *AzureADDomain*

(https://msdnshared.blob.core.windows.net/media/2017/05/image158.png)
We can get the V1 module from Quick Tip: Is There A Shortcut URL To Download Azure AD PowerShell (https://blogs.technet.microsoft.com/rmilne/2015/06/19/quick-tip-is-there-a-shortcut-url-to-download-azure-ad-powershell/). Select the Azure Active Directory Connection download page (http://connect.microsoft.com/site1164/Downloads/DownloadDetails.aspx?DownloadID=59185), and scroll down to the bottom of the page. Download and install the V1 MSI installation file. At the time of writing this was version 1.1.166.0.

To run the Azure AD cmdlets we can launch the module by either:

Using the automatically created shortcut

Manually importing the MSOnline module into a regular PowerShell session

The shortcut to the Azure AD module can be found under administrative tools, and also on the desktop.
It should be listed as Active Directory Module for Windows PowerShell.

In order to manually import the Azure AD V1 module we can run the below in PowerShell:

Import-Module MSOnline

Rather than having to type that, in this case we will run the shortcut to the Active Directory Module for
Windows PowerShell on a domain joined server on the corporate network. For reference this machine is
DC-2.wingtiptoys.ca, and the primary AD FS server is ADFS-2016-1.wingtiptoys.ca.

Using Connect-MsolService (http://msdn.microsoft.com/en-us/library/azure/dn194123.aspx), let's connect to our Azure AD instance. Note that the user interface for providing credentials has changed in the later builds of the MSOnline module. Provide a set of global admin credentials:

(https://msdnshared.blob.core.windows.net/media/2017/05/image159.png)

We can see the current status of the domains within this tenant. The Get-MsolDomain (http://msdn.microsoft.com/en-us/library/azure/dn194090.aspx) cmdlet will show the domains, and we are interested in the first domain, Wingtiptoys.ca.

(https://msdnshared.blob.core.windows.net/media/2017/05/image160.png)

Before we can execute the Convert-MsolDomainToFederated (http://msdn.microsoft.com/en-us/library/azure/dn194092.aspx) cmdlet, we also need a hook into the local AD FS server (not the AD FS proxy) so that we can configure it. It is possible to skip this step by installing and using the module on the primary AD FS server itself.

We connect to the AD FS server using the Set-MsolADFSContext (http://msdn.microsoft.com/en-us/library/azure/dn194087.aspx) cmdlet. Like the other MSOL cmdlets, this one is just as unforgiving. If you forget to explicitly use the required parameters, the MSOL cmdlets typically do not prompt like the Exchange cmdlets do. Because of this I have a habit of always specifying every option and not relying on PowerShell to prompt for required options that were missed.

Once we have connected to the AD FS server, we use the Convert-MsolDomainToFederated (http://msdn.microsoft.com/en-us/library/azure/dn194092.aspx) cmdlet to convert the Office 365 domain from Managed to Federated.

Set-MsolADFSContext -Computer ADFS-2016-1.wingtiptoys.ca

Convert-MsolDomainToFederated -DomainName wingtiptoys.ca

(https://msdnshared.blob.core.windows.net/media/2017/05/image184.png)

An area of concern should be noted here for customers that have multiple top level domains. Back with early AD FS 2.0 builds, customers with multiple top level UPNs had to deploy separate AD FS instances for each domain suffix. A rollup (http://support.microsoft.com/kb/2607496) was added to assist with this, along with the SupportMultipleDomain switch. Please see here for more details (http://community.office365.com/en-us/w/sso/support-for-multiple-top-level-domains.aspx) if you have multiple sign-on domains.

Once converted, we check to see if the change applied:

(https://msdnshared.blob.core.windows.net/media/2017/05/image185.png)

Yes it did! The wingtiptoys.ca domain is now of type Federated.

The full properties of the domain now look like so:

Get-MsolDomain -DomainName wingtiptoys.ca

Get-MsolDomain -DomainName wingtiptoys.ca | FL

(https://msdnshared.blob.core.windows.net/media/2017/05/image186.png)

Please be aware that it can take up to two hours for domain authentication changes to apply. Go drink a vat of coffee or play some Crossy Road!
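The conversion steps above, scripted end to end as an added example (not code from the original post): it probes the outbound port prerequisite from the AD FS server, refuses to convert a domain that is not currently Managed, passes every parameter explicitly, and polls for the Federated state instead of assuming it. It reuses the post's names (wingtiptoys.ca, ADFS-2016-1.wingtiptoys.ca); WinRM access to the AD FS server and login.microsoftonline.com as the endpoint to probe are assumptions.

```powershell
# Added example, not code from the original post. Scripts the Managed -> Federated
# conversion shown above with the MSOnline (V1) cmdlets and adds the checks a
# practitioner wants before and after. Names reused from the post: wingtiptoys.ca
# and ADFS-2016-1.wingtiptoys.ca. The probe endpoint is an assumption.
param(
    [string]$DomainName = 'wingtiptoys.ca',
    [string]$AdfsServer = 'ADFS-2016-1.wingtiptoys.ca',
    [string]$ProbeHost  = 'login.microsoftonline.com',  # assumed Azure AD endpoint
    [switch]$SupportMultipleDomain                       # more than one top-level UPN suffix
)

Import-Module MSOnline -ErrorAction Stop

# 1. The AD FS server (not the proxy) needs outbound TCP 80 and 443. Probe from the
#    AD FS server itself over WinRM so the result reflects its egress, not ours.
$closed = Invoke-Command -ComputerName $AdfsServer -ScriptBlock {
    param($h)
    80, 443 | Where-Object { -not (Test-NetConnection -ComputerName $h -Port $_ -InformationLevel Quiet) }
} -ArgumentList $ProbeHost
if ($closed) { throw "$AdfsServer cannot reach $ProbeHost on TCP $($closed -join ', ')" }

# 2. Global admin credentials; the MSOnline prompt is interactive.
Connect-MsolService

# 3. Refuse to convert a domain that is not Managed, or not yet verified.
$domain = Get-MsolDomain -DomainName $DomainName -ErrorAction Stop
if ($domain.Authentication -ne 'Managed') { throw "$DomainName is $($domain.Authentication), nothing to convert" }
if ($domain.Status -ne 'Verified')        { throw "$DomainName is $($domain.Status), verify it first" }

# 4. Hook the MSOL cmdlets into the primary AD FS server, then convert. Every
#    parameter is passed explicitly: these cmdlets do not prompt for missing ones.
Set-MsolADFSContext -Computer $AdfsServer
$convert = @{ DomainName = $DomainName }
if ($SupportMultipleDomain) { $convert['SupportMultipleDomain'] = $true }
Convert-MsolDomainToFederated @convert

# 5. Azure AD may take up to two hours to apply the change, so poll rather than assume.
$deadline = (Get-Date).AddHours(2)
do {
    Start-Sleep -Seconds 60
    $state = (Get-MsolDomain -DomainName $DomainName).Authentication
} until ($state -eq 'Federated' -or (Get-Date) -gt $deadline)
if ($state -ne 'Federated') { throw "$DomainName still reports $state after two hours" }

# 6. Record what Azure AD now holds for the trust, for the change record.
Get-MsolDomainFederationSettings -DomainName $DomainName |
    Select-Object IssuerUri, PassiveLogOnUri, ActiveLogOnUri, MetadataExchangeUri, FederationBrandName |
    Format-List
```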

Testing Access To Office 365 OWA

To test that we are being authenticated to Office 365 OWA via AD FS, let's see what happens now that the domain has been converted to federated.

Open IE, and navigate to https://outlook.office365.com/wingtiptoys.ca (https://outlook.office365.com/wingtiptoys.ca); this is the neat shortcut that we can use to access OWA. Change the domain name to match your own.

When we go there, the browser is redirected to our on-premises AD FS server, at the sts.wingtiptoys.ca URL.

(https://msdnshared.blob.core.windows.net/media/2017/05/image260.png)

We then sign in to the on-premises AD FS server. AD FS passes the credentials to AD DS, which authenticates us. Assuming that the password is not fat-fingered, AD FS then presents our claims (who we are) to Office 365 to let us access OWA:

(https://msdnshared.blob.core.windows.net/media/2017/05/image261.png)

The astute reader will notice that Edge in-private mode was used. This keeps my testing separate from the other IE instances running on my laptop.

One thing to note: when testing this connectivity, please do so on a regular client machine that has proper access to the Internet and where the browser is not totally locked down. For example, on a Server 2008 R2 SP1 server, when browsing to https://outlook.office365.com/wingtiptoys.ca (https://outlook.office365.com/wingtiptoys.ca) the user experience is very different from the screenshots above.

For lab purposes, you can relax the browser hardening from the default level so that you can test Office
365 from a Windows Server. Please review this post (https://blogs.technet.microsoft.com/rmilne
/2017/04/21/unable-to-access-owa-or-office-365-portal-on-servers/) for the necessary steps.

Testing Office 365 SSO

Previously you may have used the TestExchangeConnectivity.com (http://TestExchangeConnectivity.com) site to test and troubleshoot on-premises issues. The tool has been expanded, and now we can also use it to test and diagnose Office 365 issues.

(https://msdnshared.blob.core.windows.net/media/TNBlogsFS/prod.evol.blogs.technet.com/CommunityServer.Blogs.Components.WeblogFiles/00/00/00/91/09/metablogapi/image_1605BC97.png)

KB 2650717 How to diagnose single sign-on (SSO) logon issues in Office 365 by using Remote
Connectivity Analyzer (http://support.microsoft.com/kb/2650717) discusses using the tool to validate
SSO.

BONUS TIP: if you get tired of typing that long URL to get to the site, try http://exrca.com (http://exrca.com)

Viewing the SSO Shuffle

Using the IE developer tools, which are accessible by pressing F12, we can see the traffic flow. You will want to click to enlarge the below.

(https://msdnshared.blob.core.windows.net/media/2017/05/image262.png)

Note that we went to the following URLs. Can you work out why there are three outlook.com ones at
the top?

(https://msdnshared.blob.core.windows.net/media/2017/05/image263.png)

Repairing Office 365 Federated Domain

As discussed in KB 2647048 (http://support.microsoft.com/kb/2647048), there are situations that will require the Office 365 domain federation to be repaired.

2523494 (http://support.microsoft.com/kb/2523494) You receive a certificate warning from AD FS when you try to sign in to Office 365, Windows Azure, or Windows Intune
2618887 (http://support.microsoft.com/kb/2618887) Error when you try to configure a second federated domain in Office 365: Federation service identifier specified in the AD FS server is already in use.
2713898 (http://support.microsoft.com/kb/2713898) There was a problem accessing the site error from AD FS when a federated user signs in to Office 365, Windows Azure, or Windows Intune
2647020 (http://support.microsoft.com/kb/2647020) Your organization could not sign you in to this service error and 80041317 or 80043431 error code when a federated user tries to sign in to Office 365
2707348 (http://support.microsoft.com/kb/2707348) Metadata Exchange (MEX) document received from AD FS contains an unknown WS-Trust version error after you run the MOSDAL Support Toolkit
The Federation Service name in AD FS is changed. For more info, go to the following Microsoft website: AD FS 2.0: How to Change the Federation Service Name (http://social.technet.microsoft.com/wiki/contents/articles/ad-fs-2-0-how-to-change-the-federation-service-name.aspx)
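Two of the repair triggers listed above, a changed Federation Service name and a token-signing certificate Azure AD no longer recognises, can be detected before users hit the errors by comparing what Azure AD holds for the federated domain with what AD FS itself reports. The following is an added example, not code from the original post or from KB 2647048; it assumes it runs on the primary AD FS server (so the ADFS module is local) with the MSOnline module installed, and reuses the post's domain name.

```powershell
# Added example, not from the original post. Compares the federation settings Azure AD
# stores for a domain against the live AD FS configuration and reports any drift that
# would call for the repair described in KB 2647048. Assumes it runs on the primary
# AD FS server with the MSOnline module installed; the domain name is the post's.
param([string]$DomainName = 'wingtiptoys.ca')

Import-Module MSOnline -ErrorAction Stop
Import-Module ADFS     -ErrorAction Stop
Connect-MsolService   # global admin credentials, interactive prompt

function Get-FederationDrift {
    param([string]$DomainName)

    $cloud = Get-MsolDomainFederationSettings -DomainName $DomainName -ErrorAction Stop
    $adfs  = Get-AdfsProperties

    # Azure AD stores the signing certificate as base64 DER; turn it into an X509Certificate2
    # so we can compare thumbprints with the certificates AD FS currently signs tokens with.
    $bytes     = [Convert]::FromBase64String($cloud.SigningCertificate)
    $cloudCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,$bytes)
    $adfsThumbs = Get-AdfsCertificate -CertificateType Token-Signing | ForEach-Object Thumbprint

    $findings = @()
    if ($cloud.IssuerUri -ne $adfs.Identifier.OriginalString) {
        $findings += "IssuerUri mismatch: Azure AD '$($cloud.IssuerUri)' vs AD FS '$($adfs.Identifier)'"
    }
    if ($adfsThumbs -notcontains $cloudCert.Thumbprint) {
        $findings += "Azure AD trusts signing cert $($cloudCert.Thumbprint), which AD FS no longer uses"
    }
    if ($cloud.PassiveLogOnUri -notlike "https://$($adfs.HostName)/*") {
        $findings += "PassiveLogOnUri '$($cloud.PassiveLogOnUri)' does not point at AD FS host '$($adfs.HostName)'"
    }
    if ($cloudCert.NotAfter -lt (Get-Date).AddDays(30)) {
        $findings += "Signing cert held by Azure AD expires $($cloudCert.NotAfter); plan the rollover now"
    }
    return $findings
}

$drift = Get-FederationDrift -DomainName $DomainName
if ($drift.Count -eq 0) {
    "Federation settings for $DomainName are consistent with AD FS."
} else {
    $drift
    "Review the above, then repair per KB 2647048 (Update-MsolFederatedDomain)."
}
```

Run it on a schedule, or immediately after any AD FS certificate rollover or service-name change, and alert on a non-empty result.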

Additional Reading

I love this KB as it links to so many other articles that are relevant and introduce many of the issues that can arise with an AD FS deployment.

KB 2647048 How to update or to repair the configuration of the Office 365 federated domain (http://support.microsoft.com/kb/2647048/en-us)

The PFE Platform blog has some great AD FS content:

Introduction to Active Directory Federation Services (AD FS) AlternateLoginID Feature (/b/askpfeplat/archive/2014/04/21/introduction-to-active-directory-federation-services-ad-fs-alternateloginid-feature.aspx)
FAQ on AD FS Part 1 (/b/askpfeplat/)

Finally the TechNet Wiki has the AD FS content section.

AD FS Content MAP (http://social.technet.microsoft.com/wiki/contents/articles/2735.ad-fs-content-map.aspx#Office_365)

Cheers,

Rhoderick

Tags: AD FS (https://blogs.technet.microsoft.com/rmilne/tag/adfs/) Office 365 (https://blogs.technet.microsoft.com/rmilne/tag/office-365/)
