Monday, April 11, 2011

Active Directory Federation Services (ADFS) 2.0 with Office 365: Part 2 – Configuring

In Part 1 of this post, we introduced ADFS 2.0 in relation to Office 365 and discussed the environmental requirements to implement it. Part 2 covers the actual configuration and validation steps needed to implement ADFS 2.0 with Office 365. Note: this post is based on the Office 365 Beta for Enterprises.


  • Domain has been added and verified in the Office 365 Admin portal
  • Directory Sync Tool is installed and configured
  • 2 Windows 2008 R2 servers are built and prepared to install ADFS 2.0
    • Internal ADFS server is joined to the domain
    • Proxy ADFS server is not joined to domain and located in perimeter network
  • Necessary firewall ports are open from the Internet to ADFS Proxy server (port 443)
  • Necessary firewall ports are open from ADFS Proxy server to internal ADFS server (port 443)
  • External DNS record has been implemented for ADFS (our example will use

The following steps are used to prepare the environment:

  1. Add UPN Suffix to AD and configure for each user (this is required if your AD is using a non-routable domain internally like .local or .priv)
    • UPNs used for identity federation can only contain letters, numbers, periods, dashes and underscores.
    • Open AD Domains and Trusts tool
    • Right-click AD Domains and Trusts and click Properties
    • On the UPN suffixes tab, type the alternative UPN suffix for the forest and then click Add
    • Repeat to add additional UPN suffixes
    • Open user properties, navigate to Account Tab.
    • Select the external namespace UPN for the “User logon name”
  2. Create service account for ADFS – this can be a regular Domain User, no special permissions needed.
  3. Add internal ADFS server(s) to AD forest
  4. Download ADFS 2.0 RTW (HERE). During the install process, the following Windows components will be automatically installed:
    • Windows PowerShell
    • .NET Framework 3.5 SP1
    • Internet Information Services (IIS)
    • Windows Identity Foundation
  5. Download Microsoft Online Services Identity Federation Management Tool (32-bit or 64-bit)
  6. (Optional) Install and configure SQL Server 2005 or 2008 if your organization has more than 30,000 users who will use Office 365
  7. Configure external DNS A record for ADFS Proxy (ex.
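As an added pre-flight check for step 1 (example code, not part of the original post), the following PowerShell script lists enabled users whose UPN does not carry the routable suffix or contains characters that identity federation does not allow. It assumes the ActiveDirectory module is available on the domain-joined server and uses contoso.com as a placeholder for the verified Office 365 domain.

```powershell
# Added example: audit UPNs before federating the domain.
# Assumes the ActiveDirectory module (RSAT-AD-PowerShell on 2008 R2);
# 'contoso.com' below is a placeholder for the verified Office 365 domain.
Import-Module ActiveDirectory

function Test-FederationUpn {
    param(
        [Parameter(Mandatory=$true)][string]$RoutableSuffix,
        [string]$SearchBase = (Get-ADDomain).DistinguishedName
    )
    # Only letters, numbers, periods, dashes and underscores are allowed
    # in a UPN that will be used for identity federation
    $allowed = '^[A-Za-z0-9._-]+@[A-Za-z0-9.-]+$'

    Get-ADUser -Filter 'Enabled -eq $true' -SearchBase $SearchBase -Properties UserPrincipalName |
        ForEach-Object {
            $upn = $_.UserPrincipalName
            $problems = @()
            if ([string]::IsNullOrEmpty($upn)) {
                $problems += 'no UPN set'
            } else {
                $suffix = $upn.Split('@')[-1]
                if ($suffix -ne $RoutableSuffix) {
                    $problems += "suffix '$suffix' is not $RoutableSuffix (non-routable, e.g. .local)"
                }
                if ($upn -notmatch $allowed) {
                    $problems += 'contains characters not allowed in a federated UPN'
                }
            }
            if ($problems.Count -gt 0) {
                New-Object PSObject -Property @{
                    SamAccountName    = $_.SamAccountName
                    UserPrincipalName = $upn
                    Problem           = ($problems -join '; ')
                }
            }
        }
}

# Report every user that would fail federated sign-in before running Add-MSOLFederatedDomain
Test-FederationUpn -RoutableSuffix 'contoso.com' |
    Format-Table SamAccountName, UserPrincipalName, Problem -AutoSize
```

Run it again after the UPN changes from step 1 and Directory Sync has picked them up; an empty report is the goal.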

Now we are ready to install and configure ADFS 2.0 on internal server:

  1. Double-click AdfsSetup.exe (this is the ADFS 2.0 RTW download)
  2. Click Next on the Welcome Screen and Accept the License Agreement
  3. On the Server Role Option screen, select Federation Server
  4. Finish the rest of the wizard, this will install any necessary prerequisites
  5. At the end of the wizard, uncheck box to Start the ADFS 2.0 Management Snap-in
  6. Request and provision public certificate through IIS
  7. Bind certificate to IIS on port 443
  8. Configure ADFS utilizing ADFS 2.0 Management
  9. Select ADFS 2.0 Federation Server Configuration Wizard
  10. Select Create a new Federation Service
  11. Select New Federation server farm (this is recommended even if you plan on installing only one server, in case you want to add another server later)
  12. Select the public certificate and validate the Federation Service name. This is automatically filled in from the certificate's Subject Name. If a wildcard certificate is used, you must enter the name for the Federation Service yourself.
  13. Enter in the service account credentials that were created earlier
  14. Finish Wizard
  15. Run Office 365 Desktop Setup from portal
  16. Install Identity Federation Management Tool (FederationConfig.msi, use default install parameters)
  17. Enable Identity Federation within Office 365 portal for your domain
  18. Launch the Identity Federation Management Tool
  19. Type $cred=Get-Credential and press Enter
  20. Enter your Microsoft Online Services administrator logon and password and click OK
  21. Type Set-MSOLContextCredential -MSOLAdminCredentials $cred -LogFile c:\logfile.log and press Enter
  22. Type Add-MSOLFederatedDomain -DomainName
  23. If prompted that the domain already exists as a standard domain, type Convert-MSOLDomainToFederated -DomainName
  24. Type Update-MSOLFederatedDomain -DomainName
  25. Verify Identity Federation Functionality
  25. Verify Identity Federation Functionality

Install ADFS 2.0 Proxy server

  1. Export public certificate from ADFS internal server and copy to proxy server
  2. Validate DNS resolution of resolves to internal ADFS server from ADFS Proxy Server (a HOST file can be used for this if needed)
  3. Validate DNS resolution of resolves to external A record from an internet PC
  4. Double-click AdfsSetup.exe (this is the ADFS 2.0 RTW download)
  5. Click Next on the Welcome Screen and Accept the License Agreement
  6. On the Server Role Option screen, select Federation Server Proxy
  7. Finish the rest of the wizard, this will install any necessary prerequisites
  8. At the end of the wizard, uncheck box to Start the ADFS 2.0 Management Snap-in
  9. Import certificate in IIS and bind certificate to Default Web Site
  10. Configure ADFS proxy by selecting ADFS 2.0 Federation Server Proxy Configuration Wizard
    • Enter the federation namespace (ex.
    • Test connection
    • Service account credentials
  11. Finish Wizard
  12. Log into the portal with UPN credentials. Note that once the UPN is entered, the password field is grayed out and a link appears to log in through the ADFS server
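As an added check for step 25 of the internal install and steps 2 and 3 of the proxy install (example code, not part of the original post), this PowerShell function resolves the Federation Service name and fetches its federation metadata over HTTPS, so the same script can be run on the proxy and on an Internet PC and the results compared. fs.contoso.com and the two IP addresses are placeholders; the metadata path is the fixed one ADFS 2.0 publishes.

```powershell
# Added example: verify name resolution and the HTTPS metadata endpoint of the
# Federation Service from the host this runs on. Placeholders: fs.contoso.com,
# 10.0.0.10 (internal ADFS server), 203.0.113.10 (external A record / proxy).
function Test-FederationEndpoint {
    param(
        [Parameter(Mandatory=$true)][string]$ServiceName,
        [Parameter(Mandatory=$true)][string]$ExpectedAddress
    )
    $result = New-Object PSObject -Property @{
        ServiceName = $ServiceName; ResolvedTo = $null; DnsOk = $false
        MetadataOk = $false; EntityId = $null; Error = $null
    }
    try {
        # DNS: on the proxy this must be the internal ADFS server (HOSTS entry
        # if needed); from the Internet it must be the external A record
        $addresses = [System.Net.Dns]::GetHostAddresses($ServiceName) |
            ForEach-Object { $_.IPAddressToString }
        $result.ResolvedTo = ($addresses -join ',')
        $result.DnsOk = ($addresses -contains $ExpectedAddress)

        # Metadata: fetching it over HTTPS also exercises the port 443 firewall
        # rules and the certificate binding; an untrusted or mismatched
        # certificate surfaces here as an error rather than a silent pass
        $url = "https://$ServiceName/FederationMetadata/2007-06/FederationMetadata.xml"
        $client = New-Object System.Net.WebClient
        [xml]$metadata = $client.DownloadString($url)
        $result.EntityId = $metadata.EntityDescriptor.entityID
        $result.MetadataOk = ($result.EntityId -like "*$ServiceName*")
    } catch {
        $result.Error = $_.Exception.Message
    }
    return $result
}

# Run on the ADFS Proxy: should resolve to the internal server
Test-FederationEndpoint -ServiceName 'fs.contoso.com' -ExpectedAddress '10.0.0.10'
# Run on an Internet PC: should resolve to the external A record
Test-FederationEndpoint -ServiceName 'fs.contoso.com' -ExpectedAddress '203.0.113.10'
```

Both DnsOk and MetadataOk should be True on each host; a False DnsOk on the proxy usually means the HOSTS entry from step 2 is missing, and an Error on the Internet PC usually points at the port 443 rule or the certificate binding.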

Hopefully this will help you navigate the ADFS waters with regard to Office 365 Beta.


  1. I know, it's not recommended to install AD FS 2.0 on a domain controller. Nevertheless, what if you have a small company with up to 60 people?
    Wouldn't it be better to install it on a domain controller and save the need for another VM, another Windows 2008 license, another server to back up, and yep!! another single point of failure?

  2. I have successfully implemented ADFS 2.0 on a pair of 2008 R2 DCs running NLB. It CAN be done, and is fully supported by MS for fewer than 1000 mailboxes.

    1. Hi,
      Can someone suggest if I can sync the password from on-premises AD to Office 365?


  3. You can install ADFS 3.0 on a domain controller. However, it requires Windows 2012 Server. Otherwise you can host the ADFS server on an Azure VM in the cloud.
    What I like to see on a page is a wealth of recordings. I'm a person that gets exhausted rapidly, I have a limited ability to focus, and when I need something, I need it at the earliest opportunity. It bodes well, isn't that so? You resemble that yourself, presumably. Particularly with regards to things like pornography. Along these lines, it's ideal to supply individuals like us with heaps of pornography so we don't go on a maniacal frenzy.