Single Sign On with Office 365

Steps

1

Add your email domain name to the Office 365 portal

Start by signing into your Office 365 portal as an admin. Usually this is the assigned admin login in the format username@domainname.onmicrosoft.com. We are really just adding a UPN suffix to this existing tenant domain, so don't overcomplicate it in your head.

Find the Domains area and click Add Domain. Add your domain name (for this guide I will use domainname.com). Choose the domain registrar and add a registrant name.

You will need to add a TXT record to your domain's public DNS to prove you own the domain. This record has no effect on production services, so add it, wait about 15 minutes for it to propagate, and then come back and have Office 365 verify that the record exists. Once verification completes we can move on to the next steps.

Hit Next and you will be offered the option to let the Office 365 portal log in to your registrar and configure the DNS records for you. DO NOT ALLOW THIS ON A PRODUCTION DOMAIN! It rewrites your MX records, and email will be redirected to the Office 365 Exchange service. If this is a new domain, by all means let the portal do the work. I am usually working on production domains, so I do this manually.

2

Create a separate VM-ADFS server on your VM host

I like to host this service on its own dedicated server. You can co-locate it with other services, but that makes troubleshooting harder when you cannot simply reboot the server during the day. A dedicated box also gives you the flexibility of putting an ADFS proxy in your perimeter network if you have one: the recommended layout keeps the domain-joined federation server on the LAN and exposes only a federation server proxy to the internet, so the box that holds the token-signing keys never takes connections directly from outside. If you need help building a new Windows VM and joining it to your local AD domain, there are numerous guides on the web. Try not to co-locate ADFS on a domain controller. I have gotten it to work in a pinch, but it is not recommended, because ADFS listens on 443 for internet traffic and you do not want that on a DC. If a DC is the only server you can get your hands on, it will work, but treat it as temporary.

3

Install ADFS on the new server

Download the AD FS 2.0 package for Windows Server 2008 / 2008 R2, or install the AD FS server role on Windows Server 2012.

http://www.microsoft.com/downloads/en/details.aspx?FamilyID=118c3588-9070-426a-b655-6cec0a92c10b&displaylang=en

When the setup asks which server role to configure, choose Federation Server. The installer should gather and install the prerequisites, which include Windows PowerShell (on 2008), .NET Framework 3.5.1 SP1, IIS, and Windows Identity Foundation. Be sure these get installed correctly; otherwise you will have trouble with the following steps. Once complete, choose the option to start AD FS Management (2008) or find AD FS Management under Administrative Tools on 2012.

4

GET A 3RD PARTY SSL CERT

I cannot stress this enough: if you had trouble in the past setting up ADFS, most likely it was because the SSL cert was not from a public (3rd-party) CA. Office 365 and your users' browsers must be able to validate the certificate chain for adfs.domainname.com from the internet, so a self-signed cert or one issued by your internal enterprise CA will not be trusted. Don't even attempt this if you cannot afford a simple 3rd-party SSL cert. I usually use either the existing wildcard (*.domainname.com) or get a cheap one for adfs.domainname.com. If you reuse the wildcard, remember that its private key will now sit on an internet-facing server; a dedicated adfs.domainname.com certificate limits what an attacker gets if that box is compromised.

5

Request or Assign SSL Cert

After you have gotten approval for a new SSL cert, you need to request one or assign your existing wildcard cert to IIS on the new ADFS server. This is easy: open IIS Manager on the ADFS server you created, choose the server name in the upper left, then Server Certificates on the Home screen. Either create a new request to send to your 3rd-party CA or import the PFX for your wildcard cert. Be sure the request key length is 2048 bits or better; Office 365 will not work with shorter keys. Once the cert is imported, remove the PFX file and its password from the server.

6

Bind SSL To The Default Website

Now go to Default Web Site and, on the right, click Bindings, then Add. Choose Type = https, IP address = All Unassigned, Port = 443, Host name = blank, and from the SSL certificate drop-down choose your new cert. Hit OK.

7

Create an ADFS Login Service Account

Go to AD Users and Computers and create a new ADFS service account. This account does not need Domain Admin or Enterprise Admin rights: it only needs to be an ordinary domain user. The ADFS configuration wizard, which you run as a Domain Admin in step 9, registers the HOST/adfs.domainname.com SPN on it and grants it the local rights it needs on the federation server. Giving the service account Domain Admin hands domain-wide control to whoever compromises the ADFS box. Don't be silly and use an easy password either; this server takes logins from the internet, so use a long random password, set it to never expire, and deny the account interactive logon.
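
The account creation from an elevated PowerShell on a domain-joined box, as an added example that is not part of the original guide. The account name svc_adfs, the OU path and the AD domain name domainname.local are assumptions for illustration; the federation service name adfs.domainname.com is the one used throughout this guide. The final check flags any admin group membership so the least-privilege point above is actually enforced.

```powershell
# Added example, not from the original guide. Creates the ADFS service
# account as a plain domain user with a long CSPRNG-generated password.
# Assumed names: svc_adfs, the OU below, and the AD domain domainname.local.
Import-Module ActiveDirectory

$name = 'svc_adfs'                                     # assumed account name
$ou   = 'OU=Service Accounts,DC=domainname,DC=local'   # assumed OU

# 32 random bytes from the OS CSPRNG, base64-encoded -> 44 characters.
$bytes = New-Object byte[] 32
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
$plain  = [Convert]::ToBase64String($bytes)
$secure = ConvertTo-SecureString $plain -AsPlainText -Force

New-ADUser -Name $name -SamAccountName $name `
    -UserPrincipalName "$name@domainname.local" `
    -Path $ou -AccountPassword $secure -Enabled $true `
    -PasswordNeverExpires $true -CannotChangePassword $true `
    -Description 'AD FS federation service account (no admin rights)'

# The password is needed exactly once, by the AD FS configuration wizard
# in step 9. Put it in your password vault and clear this console after.
Write-Output "Service account $name created. Password: $plain"

# Sanity check: the account must NOT be a member of any admin group.
$groups = Get-ADPrincipalGroupMembership $name | Select-Object -ExpandProperty Name
$admin  = $groups | Where-Object { $_ -match 'Admins$' }
if ($admin) { Write-Warning "Remove $name from: $($admin -join ', ')" }
else        { Write-Output "OK: $name is only a member of $($groups -join ', ')" }
```

"Deny log on locally" and "Deny log on through Remote Desktop Services" for this account are set by Group Policy on the ADFS server, not by the script; the account only ever runs as a Windows service.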

8

Add adfs.domainname.com to DNS

You now need to add adfs.domainname.com to both internal and external DNS. Internal DNS should point to the server's LAN IP. External DNS should point to the public IP address on your firewall that forwards port 443 to the ADFS server (or to the ADFS proxy, if you put one in the perimeter). Forward only port 443; nothing else on this server needs to be reachable from the internet.

9

Configure ADFS

Once the SSL cert is installed and bound to the Default Web Site and internal and external DNS are set up, we can configure ADFS. Log on to the ADFS server as a Domain Admin; the wizard needs those rights to register the service account's SPN in AD (the service account itself does not). Go to Administrative Tools and choose AD FS Management. When the management window opens, choose the AD FS configuration wizard link on the Home screen, then:

Choose Create a new Federation Service, Next.
Choose New federation server farm, Next.
Federation Service Name: from the drop-down choose your SSL cert, and in the service name box type adfs.domainname.com, Next.
Specify the service account we created in the previous step, Next, and let ADFS configure.

Remedy any errors shown in the configuration report. Again, this is why I like to do this on a fresh box, so the install goes clean and smooth. When the wizard finishes, confirm the SPN was registered with setspn -L followed by the service account name (it should list HOST/adfs.domainname.com), and browse to https://adfs.domainname.com/FederationMetadata/2007-06/FederationMetadata.xml from a client: you should get the metadata XML with no certificate warning.

10

Office 365 Powershell Plugin

Install the Office 365 PowerShell plugin for your OS:
32-bit OS http://g.microsoftonline.com/0BD00en-US/85
64-bit OS http://g.microsoftonline.com/0BD00en-US/126

11

Install the Office 365 Sign-In Assistant (old step; it can be skipped, as the assistant is now included with DirSync)

Download and install the correct Sign-In Assistant for your OS version:
32-bit http://g.microsoftonline.com/0BX00en/500
64-bit http://g.microsoftonline.com/0BX00en/501

12

Configure Trust With Office 365 to enable SSO

Open Programs and find the PowerShell icon for Microsoft Online Services Identity Federation. Right-click it and choose Run As Administrator, then type the following commands. For the credentials use the admin@domainname.onmicrosoft.com account created when you set up Office 365 the first time. Change domainname.com in the last command to your root email domain name.

# Prompt for the Office 365 admin credentials and connect.
$cred = Get-Credential
Connect-MsolService -Credential $cred
# Point the MSOnline cmdlets at the ADFS server built in step 9.
Set-MsolAdfscontext -Computer adfs.domainname.com
# Switch the domain from managed (cloud passwords) to federated (ADFS).
Convert-MsolDomainToFederated -DomainName domainname.com

If this works you should see: Successfully updated 'domainname.com' domain

Be aware that from this moment every user on domainname.com authenticates through ADFS. If adfs.domainname.com is not reachable or its certificate is not trusted, those users cannot sign in until you either fix it or roll the domain back with Convert-MsolDomainToStandard.
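
A post-conversion check, as an added example that is not part of the original guide. It runs in the same elevated "Microsoft Online Services Identity Federation" PowerShell as the commands above and assumes the guide's names (adfs.domainname.com, domainname.com). The property names read from Get-MsolFederationProperty are those the MSOnline module displays in its output; the URL pattern in the second check is an assumption based on the service name chosen in step 9.

```powershell
# Added example, not from the original guide: verify the federation trust
# created by Convert-MsolDomainToFederated is consistent on both sides.
$cred = Get-Credential          # admin@domainname.onmicrosoft.com
Connect-MsolService -Credential $cred
Set-MsolAdfscontext -Computer adfs.domainname.com

# 1. Is the domain actually federated now?
$domain = Get-MsolDomain -DomainName domainname.com
if ($domain.Authentication -ne 'Federated') {
    throw "domainname.com is '$($domain.Authentication)', not Federated; re-run Convert-MsolDomainToFederated"
}

# 2. Where Office 365 will redirect users. PassiveLogOnUri must be the
#    public ADFS host covered by the 3rd-party cert, not an internal name.
$fed = Get-MsolDomainFederationSettings -DomainName domainname.com
$fed | Select-Object IssuerUri, PassiveLogOnUri, ActiveLogOnUri, MetadataExchangeUri
if ($fed.PassiveLogOnUri -notmatch '^https://adfs\.domainname\.com/') {   # assumed host name
    Write-Warning "PassiveLogOnUri is $($fed.PassiveLogOnUri); browsers will be sent there"
}

# 3. Compare the token-signing certificate Office 365 holds with the one
#    ADFS currently uses. Get-MsolFederationProperty returns one row per
#    side (Source = the AD FS server and Microsoft Office 365).
$props  = Get-MsolFederationProperty -DomainName domainname.com
$props | Select-Object Source, FederationServiceIdentifier, TokenSigningCertificate
$thumbs = @($props | ForEach-Object { $_.TokenSigningCertificate.Thumbprint } | Sort-Object -Unique)
if ($thumbs.Count -ne 1) {
    Write-Warning 'Token-signing certificates differ; run Update-MsolFederatedDomain -DomainName domainname.com'
} else {
    Write-Output "OK: both sides use token-signing certificate $($thumbs[0])"
}
```

The third check is the same comparison the scheduled task in step 17 keeps current; running it by hand right after conversion catches a mismatch before any user notices.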

13

Enable Directory Sync

Now that AD FS is set up and configured you can enable Directory Sync.

Open your Office 365 portal and sign in as admin@domainname.onmicrosoft.com. Under Users choose Set up next to Active Directory Synchronization. Steps one and two should already be complete. Choose Activate under step 3 and wait a moment. Download the Directory Sync Tool from the same page.

Install the DirSync.exe tool: choose Next, accept the EULA, choose an install path, check the box to start the configuration wizard, and hit Next. Enter your admin@domainname.onmicrosoft.com login, then the on-premises credentials the wizard asks for. These need to be Enterprise Admin credentials; the wizard uses them once to create its own sync account, and the ADFS service account is not the right account for this. If you have an on-premises Exchange server and want hybrid connectivity with your Office 365 Exchange, choose the option Enable Rich Coexistence; otherwise leave it unchecked. Once complete, the initial sync should begin.

I found a GUI (miisclient.exe) to administer the Dir Sync, but it does not put an icon on the desktop. Copy a shortcut to the desktop so you can see all the sync results and specific user errors and initiate a new sync using the GUI:

C:\Program Files\Microsoft Online Directory Sync\SYNCBUS\Synchronization Service\UIShell\miisclient.exe

14

SSO and UPN

In order to get SSO to work, you need to make sure the email domain (domainname.com) already exists as a UPN suffix on your local AD forest and that each user's account logon UPN suffix has been changed to it. Otherwise the users that get synced to Office 365 will get a username@domainname.onmicrosoft.com login, and the user part of the UPN must match the user part of their email address.

Adding a UPN Suffix to a Forest

Open Active Directory Domains and Trusts. Right-click Active Directory Domains and Trusts in the tree pane, and then click Properties. On the UPN Suffixes tab, type the new UPN suffix (domainname.com) that you would like to add to the forest. Click Add, and then click OK.

Update the users in your local AD that need SSO Office 365 accounts with the new UPN suffix. Use the DirSync GUI to start a new sync and watch the progress; you can see any specific user errors there. One note: I had trouble with some users' UPN suffix not updating in Office 365, and only after finding the specific errors in the DirSync GUI was I able to pin it down. The main rub is that if the users happened to already be in Office 365 from a previous attempt at ADFS, you need to "ground" the UPN suffix: change the user's logon on your local AD back to the other UPN suffix (domainname.local), sync the directory to Office 365 and wait for the Office 365 login to update to username@domainname.onmicrosoft.com. Once it has grounded, change the UPN suffix back to user@domainname.com and start another DirSync.
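
The suffix registration and the bulk UPN update from step 14, as an added example that is not part of the original guide. It assumes the guide's names (domainname.com as the email domain, domainname.local as the AD domain) and an OU for the Office 365 users that is an assumption for illustration. It derives each user's new UPN from the mail attribute rather than from the current logon name, which is what makes the UPN match the address Office 365 expects, and it runs with -WhatIf until you remove it.

```powershell
# Added example, not from the original guide: add the public UPN suffix to
# the forest and move the SSO users onto it, driven by each user's mail
# attribute. Names below are the guide's; the OU is assumed.
Import-Module ActiveDirectory

$suffix = 'domainname.com'
$ou     = 'OU=Office365 Users,DC=domainname,DC=local'   # assumed OU

# 1. Register the suffix on the forest (safe to re-run).
$forest = Get-ADForest
if ($forest.UPNSuffixes -notcontains $suffix) {
    Set-ADForest -Identity $forest -UPNSuffixes @{Add = $suffix}
}

# 2. Rewrite UPNs. The user part must match the user part of the mail
#    address, otherwise DirSync lands the user on the .onmicrosoft.com login.
$users = Get-ADUser -SearchBase $ou -Filter 'mail -like "*"' -Properties mail, UserPrincipalName
foreach ($u in $users) {
    $local, $mailDomain = $u.mail.Split('@')
    if ($mailDomain -ne $suffix) {
        Write-Warning "$($u.SamAccountName): mail domain $mailDomain is not $suffix, skipping"
        continue
    }
    $newUpn = "$local@$suffix"
    if ($u.UserPrincipalName -eq $newUpn) { continue }   # already correct
    Write-Output "$($u.UserPrincipalName) -> $newUpn"
    Set-ADUser -Identity $u -UserPrincipalName $newUpn -WhatIf   # drop -WhatIf to apply
}

# 3. Anyone still on the internal suffix will not get SSO; list them.
Get-ADUser -SearchBase $ou -Filter 'UserPrincipalName -like "*@domainname.local"' |
    Select-Object SamAccountName, UserPrincipalName
```

Users without a mail attribute are not touched, which is deliberate: a UPN that does not correspond to a real address is exactly what produces the .onmicrosoft.com fallback the text describes. Kick off a DirSync from the GUI after the change, as the step says.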

15

Add adfs.domainname.com to the Local Intranet Zone

Either manually add https://adfs.domainname.com to the Local Intranet zone in Internet Explorer, or push it out with Group Policy (the Site to Zone Assignment List setting, with adfs.domainname.com assigned to zone 1). This is what allows IE to send the user's Windows logon (Integrated Windows Authentication) to ADFS silently instead of prompting for a password.

16

Test SSO

You should now be able to sign out and back on as any domain user with Office 365 licenses and get an SSO experience. Browse to https://portal.microsoftonline.com and key in the email address of a user who has an Office 365 license and whose UPN has been updated by DirSync; you should be redirected to adfs.domainname.com, bypass the password screen and land directly in the Office 365 portal. Test from outside the network as well: there the browser should still reach adfs.domainname.com and be prompted by ADFS for credentials, which proves the external DNS and firewall path works.

17

Add Scheduled Task To Update Metadata

Office 365 trusts the ADFS token-signing certificate that was published in the federation metadata when you ran Convert-MsolDomainToFederated. ADFS rolls that certificate over automatically (yearly by default), and when it does, Office 365 has to be told about the new certificate with Update-MsolFederatedDomain or federated logins start failing. To automate this you use a little PowerShell script that creates a scheduled task to do it for you. Download the script here http://gallery.technet.microsoft.com/scriptcenter/Office-365-Federation-27410bdc. Open PowerShell on the ADFS server as Administrator and cd to the folder with the .ps1 file. Rather than setting the execution policy to Unrestricted for the whole machine, relax it only for this session and run the installer:

Set-ExecutionPolicy Unrestricted -Scope Process
.\O365-Fed-MetaData-Update-Task-Installation.ps1

Afterwards, open Task Scheduler and confirm the task exists and runs under an account that can connect to Office 365; a task that silently fails here will bite you a year later, at the first certificate rollover.