Before installing Azure AD Connect, the following items are needed to complete this deployment:
- An Office 365 E3 trial subscription.
- Two domain names, azureoffice365.com and lyncpro.org, added and verified in the Office 365 portal.
- An Office 365 account with Global Administrator permission.
- An on-premises user account with Enterprise Administrator permission.
- An AD FS service account.
- An SSL certificate from a public CA (SAN certificate) whose subject or SAN matches the federation service name.
- An internal DNS record for the AD FS federation service name (fs.azureoffice365.com), pointing at the AD FS farm.
- An external DNS record for the AD FS federation service name (fs.azureoffice365.com), pointing at the public IP address in front of the Web Application Proxy.
- One public IP address.
- A domain-joined computer running Windows Server 2012 R2 for the Azure AD Connect server.
- Two domain-joined computers running Windows Server 2012 R2 to create the AD FS farm.
- A non-domain-joined computer running Windows Server 2012 R2 located in the DMZ, for the Web Application Proxy.
- One Windows Server 2008 R2 domain controller in the azure.loc domain.
- One Exchange 2010 server (Hub Transport and CAS roles installed).
- One Exchange 2010 mailbox server.
- One Kemp load balancer.
Steps followed to deploy Azure AD Connect with an AD FS farm and a Web Application Proxy server.
Download Azure AD Connect from https://www.microsoft.com/en-us/download/details.aspx?id=47594.
Double-click AzureADConnect.msi and click Install.
Wait for the installation to complete.
On the Express Settings page, click Customize.
Click Install on the Install required components page.
Wait for the required components to install.
Choose Federation with AD FS in the User sign-in section.
Enter the Office 365 Global Administrator credentials on the Connect to Azure AD page and click Next.
Enter the on-premises Enterprise Administrator credentials on the Connect your directories page.
Click Add Directory.
Ensure that the UPN suffixes of the user names match one of the verified custom domains in Azure AD; a user whose suffix is not verified is synchronized with the tenant's default .onmicrosoft.com suffix instead and cannot sign in with the expected address.
In our case the lyncpro.org and azureoffice365.com UPN suffixes are verified.
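The UPN suffix check above is worth scripting before the wizard is run, because a mismatch only shows up afterwards as users with a .onmicrosoft.com UPN. The following is an added example, not code from the original post: it lists the verified custom domains in the tenant with the MSOnline module and reports every enabled on-premises user whose UPN suffix is not among them. It assumes the ActiveDirectory and MSOnline modules are installed on the machine it runs on and that the account used has Global Administrator rights.

```powershell
# Added example (not from the original post): compare on-premises UPN suffixes
# with the custom domains verified in the Azure AD tenant before running the
# Azure AD Connect wizard. Assumes the ActiveDirectory and MSOnline modules are
# installed and that the signed-in account is a Global Administrator.
Import-Module ActiveDirectory
Import-Module MSOnline

Connect-MsolService   # prompts for the Office 365 Global Administrator credentials

# Verified custom domains in Azure AD (the tenant's *.onmicrosoft.com domain is excluded)
$verified = Get-MsolDomain |
    Where-Object { $_.Status -eq 'Verified' -and $_.Name -notlike '*.onmicrosoft.com' } |
    Select-Object -ExpandProperty Name

# Every enabled on-premises user whose UPN suffix is NOT a verified domain.
# Azure AD Connect would sync these users with the fallback .onmicrosoft.com UPN,
# so they could not sign in with their expected address.
$mismatched = Get-ADUser -Filter 'Enabled -eq $true' -Properties UserPrincipalName |
    Where-Object {
        $_.UserPrincipalName -and
        ($verified -notcontains ($_.UserPrincipalName.Split('@')[1]))
    }

if ($mismatched) {
    Write-Warning 'Users with an unverified UPN suffix:'
    $mismatched | Select-Object SamAccountName, UserPrincipalName | Format-Table -AutoSize
} else {
    Write-Host "All enabled users have a UPN suffix matching a verified domain: $($verified -join ', ')"
}
```

Users reported here need either their UPN suffix changed on-premises or the missing domain verified in the portal before synchronization starts.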
Choose Sync all domains and OUs on the Domain and OU filtering page.
Leave the default options on the Uniquely identifying your users page and click Next.
Leave the default option on the next page and click Next.
Select Exchange hybrid deployment on the Optional features page.
Select Configure a new Windows Server 2012 R2 AD FS farm on the AD FS farm page.
Specify the location of the PFX file containing the SSL certificate and its private key.
Select the subject name of the AD FS service; this becomes the federation service name (fs.azureoffice365.com).
Add the AD FS servers.
Click Next on the following page without specifying Web Application Proxy servers (we will add them later).
Enter Domain Administrator credentials to perform the installation of federation services.
Enter the AD FS service account and click Next on the AD FS service account page.
On the Azure AD Domain page, select the domain from the drop-down list.
In this scenario azureoffice365.com is selected.
The selected domain will be converted into a federated domain.
Click Install on the Ready to configure page.
Wait for the configuration to complete.
The installation is now complete.
Click Verify to check the intranet DNS records required for the AD FS farm.
The federation service name is now verified.
Connect to Office 365 using the Microsoft Azure Active Directory Module for Windows PowerShell.
Execute the command Convert-MsolDomainToFederated -DomainName <AzureADDomain> to convert the other verified domains to federated domains. Converting a domain changes the sign-in path for every user in it, so do this only once the AD FS farm is confirmed working.
In this scenario lyncpro.org was also converted to a federated domain using the Convert-MsolDomainToFederated command.
Type Get-MsolDomain to list the domains and their authentication type (Managed or Federated).
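The conversion of the second domain, written out as an added example (these are not the author's exact commands). Two details matter in practice: the MSOnline cmdlets must be pointed at the AD FS farm with Set-MsolADFSContext when they are not run on the primary AD FS server, and because azureoffice365.com is already federated with this farm, lyncpro.org has to be converted with -SupportMultipleDomain so each domain gets its own issuer URI. The AD FS server name ind-chn-adfs101.azure.loc is an assumption for this example.

```powershell
# Added example (not the author's commands): federate a second verified domain
# with the same AD FS farm and confirm the result. Assumes the MSOnline module is
# installed and that the primary AD FS server is ind-chn-adfs101.azure.loc
# (hypothetical name for this example).
Import-Module MSOnline
Connect-MsolService                                  # Office 365 Global Administrator

# Point the MSOnline cmdlets at the AD FS farm; needed when this is not run on the
# primary AD FS server itself (uses remote PowerShell to reach it).
Set-MsolADFSContext -Computer 'ind-chn-adfs101.azure.loc'

# azureoffice365.com is already federated with this farm, so a second domain must
# be converted with -SupportMultipleDomain: each domain then gets its own issuer
# URI (http://<domain>/adfs/services/trust/) and AD FS adds an issuerid claim rule
# that picks the issuer from the user's UPN suffix.
Convert-MsolDomainToFederated -DomainName 'lyncpro.org' -SupportMultipleDomain

# Which domains are now federated
Get-MsolDomain | Select-Object Name, Status, Authentication

# What Azure AD recorded for the new domain (endpoints and issuer)
Get-MsolDomainFederationSettings -DomainName 'lyncpro.org' |
    Select-Object IssuerUri, PassiveLogOnUri, ActiveLogOnUri, MetadataExchangeUri
```

If the IssuerUri returned for lyncpro.org is identical to the one for azureoffice365.com, the domain was converted without -SupportMultipleDomain and Azure AD will not be able to tell the two domains' tokens apart.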
Deploy the Web Application Proxy server using the Azure AD Connect wizard.
To deploy the WAP server, double-click the Azure AD Connect wizard.
Select Deploy Web Application Proxy (currently none configured).
Enter the Office 365 Global Administrator credentials.
Enter the password of the PFX file in the prompt box.
Before proceeding to the next step:
- Ensure the WinRM (Windows Remote Management / WS-Management) service is running on the target WAP server.
- Execute the command Enable-PSRemoting -Force on the Azure AD Connect server.
- Execute the command Set-Item WSMan:\localhost\Client\TrustedHosts -Value ind-chn-wap101.azure.loc -Force -Concatenate on the Azure AD Connect server. The WAP server is not domain-joined, so WinRM cannot use Kerberos to authenticate it and falls back to NTLM, which does not prove the remote server's identity; list only that host name in TrustedHosts (never a wildcard) and use -Concatenate so existing entries are kept.
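The WinRM preparation above, as an added example to be run on the Azure AD Connect server (this is not code from the original post). It checks that the WAP server's WinRM listener answers, enables remoting locally, adds exactly that host to TrustedHosts, and opens a test session with the WAP's local administrator account before the wizard is started. The host name ind-chn-wap101.azure.loc is the one the post uses for the WAP server; the feature check at the end assumes the Web Application Proxy role is installed or about to be installed there.

```powershell
# Added example (not from the original post), run on the Azure AD Connect server:
# prepare WinRM for the non-domain-joined WAP server in the DMZ and check that a
# remote session actually works before starting the wizard.
$wap = 'ind-chn-wap101.azure.loc'

# 1. Make sure the WinRM listener answers on the target (TCP 5985 by default).
#    Test-WSMan needs no credentials; it only reads the identify response.
Test-WSMan -ComputerName $wap -ErrorAction Stop | Select-Object ProductVersion

# 2. Enable remoting locally (listener, firewall rule, WinRM service set to automatic).
Enable-PSRemoting -Force

# 3. The WAP server is not in the azure.loc forest, so Kerberos cannot authenticate
#    it; WinRM falls back to NTLM, which does not verify the server's identity.
#    Add ONLY that host to TrustedHosts (never '*'), and append rather than overwrite.
Set-Item WSMan:\localhost\Client\TrustedHosts -Value $wap -Concatenate -Force
Get-Item WSMan:\localhost\Client\TrustedHosts      # review the resulting list

# 4. Verify that a session can be opened with the WAP's local administrator
#    account, which is what the wizard will use for the remote installation.
$cred = Get-Credential -Message "Local administrator on $wap"
Invoke-Command -ComputerName $wap -Credential $cred -ScriptBlock {
    Get-Service WinRM | Select-Object Name, Status
    Get-WindowsFeature Web-Application-Proxy | Select-Object Name, InstallState
}
```

If step 1 fails, fix the WinRM service or the DMZ firewall (TCP 5985 from the Azure AD Connect server to the WAP) before touching TrustedHosts; if step 4 fails with an access-denied error, the credentials are wrong rather than the transport.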
Now enter the Web Application Proxy server name.
Enter Domain Administrator credentials.
Verify that the WAP server is added.
Enter AD FS administrator credentials to configure the proxy trust.
Wait for the component check.
Click Configure on the next page.
The installation is now complete.
Click Verify to check the federation service intranet and extranet DNS records.
The intranet configuration is verified.
The CNAME record for extranet name resolution had not been created, so the extranet check returned an error message.
A CNAME record for fs.azureoffice365.com was then created in the public DNS portal, resolving to the public IP address in front of the WAP server.
The AD FS extranet configuration is now successfully verified.
In a browser, open https://fs.azureoffice365.com/adfs/ls/idpinitiatedsignon.aspx to reach the AD FS sign-in page (the IdP-initiated sign-on page is enabled by default on AD FS 2012 R2).
Sign in to the AD FS web page with an organizational account.
We have now successfully signed in to the AD FS web portal.
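The intranet and extranet checks above can be repeated from PowerShell without the wizard, which is useful after any DNS or certificate change. The following is an added example, not code from the original post: it resolves the federation service name from the internal resolver and from a public one, fetches the federation metadata that Azure AD and the WAP proxy trust consume, and requests the IdP-initiated sign-on page. The public resolver 8.8.8.8 is an arbitrary choice for the example.

```powershell
# Added example (not from the original post): check intranet and extranet name
# resolution for the federation service and that the farm answers on the
# endpoints Office 365 and the WAP rely on. Run it from inside the network; the
# extranet view is obtained by asking a public resolver (8.8.8.8 is an assumption).
$fsName = 'fs.azureoffice365.com'

# Intranet view: should resolve to the AD FS farm (or its load balancer VIP)
Resolve-DnsName -Name $fsName -Type A

# Extranet view: expect the CNAME created in the public DNS portal and, behind
# it, the public IP address in front of the WAP
Resolve-DnsName -Name $fsName -Server 8.8.8.8 -Type CNAME

# Federation metadata: published by AD FS and relayed by the WAP. A TLS failure
# here usually means the SAN certificate does not cover the federation service name.
$meta = Invoke-WebRequest -Uri "https://$fsName/FederationMetadata/2007-06/FederationMetadata.xml" -UseBasicParsing
[xml]$doc = $meta.Content
$doc.EntityDescriptor.entityID        # expect http://fs.azureoffice365.com/adfs/services/trust

# IdP-initiated sign-on page (enabled by default on AD FS 2012 R2): expect HTTP 200
(Invoke-WebRequest -Uri "https://$fsName/adfs/ls/idpinitiatedsignon.aspx" -UseBasicParsing).StatusCode
```

Running the same script from a machine outside the network (without the -Server parameter) confirms that external clients reach the WAP rather than the internal farm.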
Assign Office 365 licences to the synced user objects.
Sign in to the Office 365 portal at https://portal.office.com.
Type the email address of the Office 365 user. Here the account firstname.lastname@example.org is used.
Place the cursor in the password field. Because the domain is federated, the portal redirects to our organization's AD FS web portal instead of asking for a password.
In the AD FS web portal, type the on-premises user account and password.
Click Sign in.
We are now redirected back to the Office 365 portal and can see our subscribed features. Please refer to the picture below.
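The licence assignment mentioned in the heading above can also be done in bulk for the synced users. The following is an added example, not code from the original post: it locates the E3 SKU in the tenant, selects the unlicensed users that came from Azure AD Connect (those with a LastDirSyncTime), sets a usage location where missing, and assigns the licence. The usage location 'IN' is an assumption for this example; use the country of the users concerned.

```powershell
# Added example (not from the original post): assign the E3 licence to synced
# users that do not have one yet. Assumes the MSOnline module and Global
# Administrator rights; the usage location 'IN' is an assumption for this example.
Import-Module MSOnline
Connect-MsolService

# Find the E3 SKU (AccountSkuId has the form <tenant>:ENTERPRISEPACK) and
# show how many units are still free
$sku = Get-MsolAccountSku | Where-Object { $_.AccountSkuId -like '*:ENTERPRISEPACK' }
"{0}: {1} of {2} units used" -f $sku.AccountSkuId, $sku.ConsumedUnits, $sku.ActiveUnits

# Synced users only (LastDirSyncTime is set by Azure AD Connect), still unlicensed
$targets = Get-MsolUser -All -UnlicensedUsersOnly | Where-Object { $_.LastDirSyncTime }

foreach ($u in $targets) {
    # A usage location is mandatory before a licence can be assigned
    if (-not $u.UsageLocation) {
        Set-MsolUser -UserPrincipalName $u.UserPrincipalName -UsageLocation 'IN'
    }
    Set-MsolUserLicense -UserPrincipalName $u.UserPrincipalName -AddLicenses $sku.AccountSkuId
    "Licensed $($u.UserPrincipalName)"
}

# Summary of all synced users and their licence state
Get-MsolUser -All | Where-Object { $_.LastDirSyncTime } |
    Select-Object UserPrincipalName, IsLicensed | Format-Table -AutoSize
```

Check the free unit count printed at the start against the number of targets; Set-MsolUserLicense fails for each user once the SKU has no units left.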
Thanks for reading.