Active Directory Federation Services with Hosted Applications

Introduction

Authentication Scenarios

No password synchronization

Users must maintain separate passwords for the domain login and the Office 365 login. Each user must be assigned a password or a temporary password on his or her Office 365 account. A temporary password is recommended because the user is forced to change it at first logon.

One-way password hash synchronization

User password hashes are synchronized from the user's Active Directory account to the user's Office 365 account. The clear-text password never leaves the domain: Azure AD Connect sends a salted, iterated (PBKDF2) hash of the on-premises password hash, so the value stored in the cloud cannot be used to authenticate against Active Directory. The user only needs to remember one password for both accounts, but still has a separate logon for Office 365. Users should refrain from changing the password in the Office 365 portal, as the new password will be overwritten at the next synchronization.

Password hash synchronization with write back

The same as One-way password hash synchronization except users can change a password in the Office 365 portal. Changes to a password in the Office 365 portal will be written to Active Directory during the subsequent synchronization.

Federated

Users have a single logon for both the domain and Office 365. This is achieved by having Office 365 defer authentication of the company's domain users to the company's Active Directory Federation Services server. A user logged into a domain joined computer with his or her domain credentials will not need to enter a password to log into Office 365. Since authentication is deferred to the company, the company must maintain the availability of its federation servers: if they are unavailable, domain users cannot log in at all. If the federation servers are permanently unavailable, user access to Office 365 can be restored by switching the domain to a non-federated authentication scenario.

Setting Up Active Directory synchronization

Log in to a server joined to a tenant domain using tenant domain administrator credentials. Download and run the Azure AD Connect installer.

Review the terms, check the check box and click Continue.

Click Customize.

Click Install.

Select Password Synchronization and click Next.

Specify the username and password of a tenant Office 365 admin. Click Next.

Ensure that FOREST is set to the name of the provider's forest. Provide the credentials of a tenant domain administrator, then click 'Add Directory'.

Click Next.

Click Next.

Choose 'Sync selected domains and OUs' and select only the tenant's domain. Click Next.

Click Next.

Click Next.

Check the check box to allow 'Password writeback' if desired. Click Next.

Click Install.

Click Exit.
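After the wizard finishes, the practical question is whether a given tenant user actually arrived in Office 365 under the expected name. The following script is an added example, not part of the original procedure; it assumes it is run on the Azure AD Connect server, where the ActiveDirectory, ADSync and MSOnline modules are available, and its parameter names are hypothetical. It matches the on-premises objectGUID against the ImmutableId that Azure AD Connect writes to the cloud object, and warns when the UPN suffix is not the tenant domain selected for synchronization.

```powershell
# Added example (not part of the original procedure): confirm that a tenant user
# created in the provider's forest has been synchronized to Office 365.
# Assumptions: run on the Azure AD Connect server with the ActiveDirectory,
# ADSync and MSOnline modules available; parameter names are hypothetical.
param(
    [Parameter(Mandatory=$true)][string]$SamAccountName,   # on-premises account, e.g. jdoe
    [Parameter(Mandatory=$true)][string]$TenantDomain,     # tenant domain selected for sync, e.g. contoso1.com
    [Parameter(Mandatory=$true)][System.Management.Automation.PSCredential]$TenantAdminCredential
)

Import-Module ActiveDirectory
Import-Module ADSync
Connect-MsolService -Credential $TenantAdminCredential

# Report the scheduler state so a "missing" user can be told apart from a sync
# cycle that simply has not run yet.
$scheduler = Get-ADSyncScheduler
"Sync cycle enabled: {0}; in progress: {1}; next cycle (UTC): {2}" -f `
    $scheduler.SyncCycleEnabled, $scheduler.SyncCycleInProgress, $scheduler.NextSyncCycleStartTimeInUTC

$adUser = Get-ADUser -Identity $SamAccountName

# The UPN suffix must be a domain verified in the tenant; otherwise Azure AD
# rewrites the UPN to the tenant's onmicrosoft.com domain and the account will
# not carry the name the federated domain expects.
$upnSuffix = ($adUser.UserPrincipalName -split '@')[-1]
if ($upnSuffix -ne $TenantDomain) {
    Write-Warning ("UPN suffix '{0}' is not the tenant domain '{1}'" -f $upnSuffix, $TenantDomain)
}

# Azure AD Connect anchors a synced object on its on-premises objectGUID, stored
# in Azure AD as the base64-encoded GUID bytes (the ImmutableId).
$expectedImmutableId = [System.Convert]::ToBase64String($adUser.ObjectGUID.ToByteArray())

$cloudUser = Get-MsolUser -UserPrincipalName $adUser.UserPrincipalName -ErrorAction SilentlyContinue
if (-not $cloudUser) {
    Write-Warning ("{0} not found in Office 365 yet" -f $adUser.UserPrincipalName)
    return
}

[pscustomobject]@{
    UserPrincipalName = $cloudUser.UserPrincipalName
    LastDirSyncTime   = $cloudUser.LastDirSyncTime
    ImmutableIdMatch  = ($cloudUser.ImmutableId -eq $expectedImmutableId)
}
```

An ImmutableIdMatch of False for an existing cloud user means the cloud account was not created by this synchronization (typically a pre-existing cloud-only user with the same UPN) and the two objects will not be joined until the anchors are reconciled.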

Setting Up Active Directory Federation Services

Best practice recommendations

  • This document describes setting up a single Federation Server with a single Proxy server. To ensure the availability of federation services, multiple servers should be deployed behind a load balancer.
  • Always have at least one accessible Office 365 administrator logon whose user principal name is not associated with a federated domain.
  • If the federation services go offline, none of the users whose user principal name is associated with a federated domain will be able to log into Office 365.
  • Federation is set per domain. However, a user's principal name does not need to match his or her primary SMTP address.
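The second and third points above, and the fallback mentioned under the Federated scenario, come together in the emergency procedure for a federation outage. The script below is an added example, not part of the original document. It assumes the MSOnline module and a tenant administrator whose user principal name is outside the federated domain (for example admin@contoso1.onmicrosoft.com); the parameter names are hypothetical. It switches the domain to managed authentication directly in Azure AD, which works even when the federation servers are gone, and can optionally assign temporary passwords for tenants that did not enable password hash synchronization.

```powershell
# Added example (not part of the original document): emergency conversion of a
# federated tenant domain back to managed (cloud) authentication when the
# federation servers cannot be reached. Assumptions: MSOnline module installed;
# $NonFederatedAdminCredential is a tenant administrator whose UPN is outside the
# federated domain (e.g. admin@contoso1.onmicrosoft.com); names are hypothetical.
param(
    [Parameter(Mandatory=$true)][string]$TenantDomain,
    [Parameter(Mandatory=$true)][System.Management.Automation.PSCredential]$NonFederatedAdminCredential,
    [switch]$SetTemporaryPasswords   # only needed when password hash sync is NOT enabled
)

Connect-MsolService -Credential $NonFederatedAdminCredential

$before = Get-MsolDomain -DomainName $TenantDomain
if ($before.Authentication -ne 'Federated') {
    "{0} already uses {1} authentication; nothing to do." -f $TenantDomain, $before.Authentication
    return
}

# Convert-MsolDomainToStandard also tries to delete the relying party trust on the
# federation server and fails if that server is down. Set-MsolDomainAuthentication
# changes only the Azure AD side, so it works while ADFS is unavailable.
Set-MsolDomainAuthentication -DomainName $TenantDomain -Authentication Managed

$after = Get-MsolDomain -DomainName $TenantDomain
"{0}: {1} -> {2}" -f $TenantDomain, $before.Authentication, $after.Authentication

if ($SetTemporaryPasswords) {
    # Without password hash synchronization the cloud accounts have no usable
    # password; give each synced user a random temporary one that must be changed
    # at first logon, and hand the list back to the caller for out-of-band delivery.
    Add-Type -AssemblyName System.Web
    Get-MsolUser -DomainName $TenantDomain -All |
        Where-Object { $_.ImmutableId } |      # synced accounts only
        ForEach-Object {
            $tempPassword = [System.Web.Security.Membership]::GeneratePassword(16, 3)
            Set-MsolUserPassword -UserPrincipalName $_.UserPrincipalName `
                -NewPassword $tempPassword -ForceChangePassword $true | Out-Null
            [pscustomobject]@{ UserPrincipalName = $_.UserPrincipalName; TemporaryPassword = $tempPassword }
        }
}
```

Once the federation servers are back, the domain can be re-federated with the Enable-ADFS.ps1 script later in this document; the relying party trust on ADFS is untouched by this procedure.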

Preparation

Choose a host name for the federation services

The host name should be in the service provider's domain. For example, in fabrikam.com the host name adfs.fabrikam.com may be used.

Add a DNS A record for the host name

The IP address of the A record should point to the proxy server's public IP address or the public IP address of the proxy server's load balancer.

Purchase an SSL certificate

An SSL certificate should be purchased from a publicly trusted certification authority, that is, a member of the Microsoft Root Certificate Program in good standing. The certificate must cover the host name chosen for the federation service (adfs.fabrikam.com in the example), since both Office 365 and client browsers validate it when they contact the proxy.

Setup Federation Server

Log on to a server that will be running the ADFS Server role. Import the SSL certificate, including its private key, into the 'Local Machine' certificate store.

Download and install the 'Microsoft Online Services Sign-In Assistant for IT Professionals RTW'.

http://go.microsoft.com/fwlink/?LinkID=286152

Download and install the 'Azure Active Directory Module for Windows PowerShell'

http://go.microsoft.com/fwlink/p/?linkid=236297

Use the 'Add Roles and Features Wizard' to add the 'Active Directory Federation Services' role.

Start the 'Active Directory Federation Services Configuration Wizard'. Ensure the credentials are for a provider domain administrator, then click Next.

Select the SSL certificate, federation service name and the display name. Click Next.

Choose a service account, enter the password and click Next.

This procedure uses the Windows Internal Database. To use a SQL Server database, specify a host name and instance name. Click Next.

The pre-requisite checks will run. Correct any issues, then click Configure.

Click Close after the configuration is completed.

Setup Federation Proxy

Log into a server that will be running the Web Application Proxy role.

On the federation proxy servers, the federation services DNS name (adfs.fabrikam.com) should resolve to the federation server or the load balancer in front of the federation servers. Externally, the DNS name should point to the public IP address of the proxy server or its load balancer.

Import the SSL certificate, including its private key, into the 'Local Machine' certificate store.

Launch the 'Add Roles and Features Wizard' and add the 'Remote Access' role.

Select the 'Web Application Proxy' service.

Click 'Add Features' and then complete the Wizard.

Start the 'Web Application Proxy Configuration Wizard'. Enter the federation service name and credentials for a provider domain administrator. Click Next.

Select the certificate and click Next.

Click Configure.

Click Close.

Enable Federation on tenant domain

Save this script as Enable-ADFS.ps1

<#
.SYNOPSIS
Enables ADFS for an Office 365 tenant.
.DESCRIPTION
Enables Active Directory Federation Services on a specified domain.
Note federation is done on a per domain basis. Run this script on the
federation server so that Get-AdfsCertificate and Convert-MsolDomainToFederated
can reach the local federation service.
.PARAMETER AdfsDns
The fully qualified DNS name of the federation services.
.PARAMETER TenantAdminCredential
The credentials of a tenant Office 365 administrator, as a PSCredential
(for example the result of Get-Credential).
.PARAMETER TenantDomain
The tenant's domain on which to enable ADFS.
.EXAMPLE
.\Enable-ADFS.ps1 -AdfsDns adfs.fabrikam.com -TenantAdminCredential $contoso1 -TenantDomain contoso1.com
Enables ADFS on contoso1.com using Fabrikam's federation services at adfs.fabrikam.com.
#>
[CmdletBinding()]
Param(
    [Parameter(Mandatory=$true)][System.String]$AdfsDns,
    [Parameter(Mandatory=$true)][System.Management.Automation.PSCredential]$TenantAdminCredential,
    [Parameter(Mandatory=$true)][System.String]$TenantDomain
)

Connect-MsolService -Credential $TenantAdminCredential

# -SupportMultipleDomain lets several tenant domains share one federation service.
# Each domain then needs its own issuer URI of the form http://<domain>/adfs/services/trust/,
# which is the value the issuerid claim rule added by this cmdlet emits for that
# domain's UPN suffix. Reusing the federation service name as issuer would be
# rejected once a second tenant domain is federated.
Convert-MsolDomainToFederated -DomainName $TenantDomain -SupportMultipleDomain

# Office 365 validates tokens with the ADFS token-signing certificate; export the
# primary one as base64-encoded DER.
$cert = Get-AdfsCertificate -CertificateType Token-Signing | Where-Object { $_.IsPrimary }
$certData = [System.Convert]::ToBase64String($cert.Certificate.RawData)

Set-MsolDomainAuthentication `
    -DomainName $TenantDomain `
    -Authentication Federated `
    -ActiveLogOnUri "https://${AdfsDns}/adfs/services/trust/2005/usernamemixed" `
    -PassiveLogOnUri "https://${AdfsDns}/adfs/ls/" `
    -MetadataExchangeUri "https://${AdfsDns}/adfs/services/trust/mex" `
    -SigningCertificate $certData `
    -IssuerUri "http://${TenantDomain}/adfs/services/trust/" `
    -LogOffUri "https://${AdfsDns}/adfs/ls/" `
    -PreferredAuthenticationProtocol WsFed `
    -Verbose

# Show the resulting federation settings so they can be checked against the ADFS endpoints.
Get-MsolDomainFederationSettings -DomainName $TenantDomain

Open PowerShell on the federation server, store the credentials of a tenant Office 365 administrator in a variable using Get-Credential, then run the script passing that variable as -TenantAdminCredential.

Update Client Settings

The following addresses should be added to the Local intranet zone on domain joined desktop computers, so that Internet Explorer will send the user's Windows credentials to the federation service:

  • The federation services host (https)
  • https://login.microsoftonline.com
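The zone assignment lives in the ZoneMap registry keys that the Internet Options dialog writes. The script below is an added example, not part of the original document; it uses the document's example host adfs.fabrikam.com, its function names are hypothetical, and it writes the per-user form of the setting. On managed desktops the same assignment is normally delivered by the "Site to Zone Assignment List" Group Policy rather than per user.

```powershell
# Added example (not part of the original document): put the federation service
# host and login.microsoftonline.com into the Local intranet zone for the current
# user by writing the ZoneMap\Domains keys that the Internet Options dialog uses.
# Assumptions: federation host is the document's example adfs.fabrikam.com;
# function names are hypothetical.
param([string]$AdfsDns = 'adfs.fabrikam.com')

$LocalIntranetZone = 1   # zone ids: 0 computer, 1 intranet, 2 trusted, 3 internet, 4 restricted
$ZoneMapDomains = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'

function Split-ZoneMapHost([string]$FullHost) {
    # ZoneMap stores host.example.com as Domains\example.com\host; a bare
    # example.com has no host subkey.
    $labels = $FullHost.ToLowerInvariant().Split('.')
    if ($labels.Count -lt 2) { throw "Expected a fully qualified host name: $FullHost" }
    $domain = $labels[-2..-1] -join '.'
    $hostPart = if ($labels.Count -gt 2) { $labels[0..($labels.Count - 3)] -join '.' } else { $null }
    [pscustomobject]@{ Domain = $domain; HostPart = $hostPart }
}

function Get-ZoneMapKey([string]$FullHost) {
    $parts = Split-ZoneMapHost $FullHost
    $key = Join-Path $ZoneMapDomains $parts.Domain
    if ($parts.HostPart) { $key = Join-Path $key $parts.HostPart }
    $key
}

function Add-LocalIntranetHttpsHost([string]$FullHost) {
    $key = Get-ZoneMapKey $FullHost
    New-Item -Path $key -Force | Out-Null
    # The value name is the scheme; only https is mapped, so plain http to the
    # same host stays in the Internet zone and never receives Windows credentials.
    New-ItemProperty -Path $key -Name 'https' -Value $LocalIntranetZone -PropertyType DWord -Force | Out-Null
    $key
}

function Test-LocalIntranetHttpsHost([string]$FullHost) {
    $key = Get-ZoneMapKey $FullHost
    $value = (Get-ItemProperty -Path $key -Name 'https' -ErrorAction SilentlyContinue).https
    $value -eq $LocalIntranetZone
}

foreach ($h in @($AdfsDns, 'login.microsoftonline.com')) {
    $k = Add-LocalIntranetHttpsHost $h
    "{0}: {1} (zone ok: {2})" -f $h, $k, (Test-LocalIntranetHttpsHost $h)
}
```

Mapping only the https scheme is deliberate: the intranet zone is what allows Internet Explorer to answer a Negotiate challenge with the user's Kerberos ticket, and that should never happen over an unencrypted connection.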

Testing

Test Scenario: Log in from a domain joined computer

Log into a domain joined computer as a user. Open Internet Explorer and navigate to Office 365. Enter the user principal name.

The browser will be redirected to the federation service, signed in automatically with Windows Integrated Authentication (no password prompt), then redirected back to the Office 365 portal.
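Before running the browser test it is worth checking the pieces the redirect depends on from the server side. The script below is an added example, not part of the original document. It assumes it runs on the federation server with the MSOnline module available, that the synchronization and federation steps above have been completed, and its parameter names are hypothetical. It checks internal name resolution, fetches the federation metadata over HTTPS, and compares the token-signing certificate held by Office 365 with the primary one on ADFS, which is the usual cause of federated sign-in failing after an automatic certificate rollover.

```powershell
# Added example (not part of the original document): checks to run on the
# federation server before the browser test. Assumptions: MSOnline module
# available, the Azure AD Connect and ADFS steps completed, and parameter names
# hypothetical.
param(
    [string]$AdfsDns = 'adfs.fabrikam.com',
    [Parameter(Mandatory=$true)][string]$TenantDomain,
    [Parameter(Mandatory=$true)][System.Management.Automation.PSCredential]$TenantAdminCredential
)

# 1. Name resolution: inside the network the name must reach the federation
#    server (or its load balancer), not the public proxy address.
$addresses = (Resolve-DnsName -Name $AdfsDns -Type A).IPAddress -join ', '
"{0} resolves here to: {1}" -f $AdfsDns, $addresses

# 2. The metadata endpoint must answer over HTTPS with a certificate this host
#    trusts; Invoke-WebRequest fails on an untrusted or mismatched certificate.
$metadataUrl = "https://$AdfsDns/FederationMetadata/2007-06/FederationMetadata.xml"
[xml]$metadata = (Invoke-WebRequest -Uri $metadataUrl -UseBasicParsing).Content
"Federation service identifier: {0}" -f $metadata.EntityDescriptor.entityID

# 3. The token-signing certificate stored in Office 365 must match the primary
#    one on ADFS. After an automatic certificate rollover they drift apart and
#    every federated sign-in fails even though the metadata endpoint looks healthy.
Connect-MsolService -Credential $TenantAdminCredential
$fed = Get-MsolDomainFederationSettings -DomainName $TenantDomain
$adfsPrimary = Get-AdfsCertificate -CertificateType Token-Signing | Where-Object { $_.IsPrimary }
$adfsSigning = [System.Convert]::ToBase64String($adfsPrimary.Certificate.RawData)

[pscustomobject]@{
    Domain                = $TenantDomain
    IssuerUri             = $fed.IssuerUri
    PassiveLogOnUri       = $fed.PassiveLogOnUri
    SigningCertMatches    = ($fed.SigningCertificate -eq $adfsSigning)
    AdfsPrimaryThumbprint = $adfsPrimary.Thumbprint
}
```

If SigningCertMatches is False, run Update-MsolFederatedDomain -DomainName contoso1.com -SupportMultipleDomain on the federation server to push the current certificate to Office 365, then repeat the check. The federation service identifier printed in step 2 is expected to differ from the per-domain IssuerUri when multiple tenant domains share the service.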