Update 8/5/2014 - Microsoft has just released the Microsoft Azure Active Directory Connect (Preview) which will help you configure DirSync and/or Federation in a wizard format.
This will be the official, engineering supported mechanism to do configurations moving forward.
↑ Back to top
Bookmark this page as: http://aka.ms/AD2AAD.
The script is available at: http://aka.ms/AD2AAD-PS
You can continue to read the article and Wiki if you'd like to understand the technical steps which need to go on in a Windows Server 2012 (not R2) environment to accomplish an end-to-end DirSync + ADFS federation to your on-premises AD.
Azure Active Directory (Azure AD) is the fundamental authentication service for Microsoft Online Services such as Office 365 and Windows Intune. It supports both cloud authentication and single sign-on with on-premises Active Directory through Active Directory
Federation Services (AD FS). Single sign-on requires some additional hardware configuration but leads to substantial end-user satisfaction by removing another username and password for the user to remember and maintain.
The purpose of this quick start guide is to provide a general overview and additional requirements and configuration changes necessary to enable an on-premise environment to connect to Windows Azure-based applications and services. More complicated scenarios
are covered in detail in widely available documentation. Rather, this guide, it is hoped, will provide enough support and guidance so that you can configure a simple environment to meet the basic requirements for enabling connectivity to Windows Azure applications
and exploring their capabilities and advantages in greater detail.
This document supports a preliminary release of a software product that may be changed substantially prior to final commercial release. This document is provided for informational purposes only and Microsoft makes no warranties, either express or implied,
in this document. Information in this document, including URL and other Internet Web site references, is subject to change without notice. The entire risk of the use or the results from the use of this document remains with the user. Unless otherwise noted,
the companies, organizations, products, domain names, e-mail addresses, logos, people, places, and events depicted in examples herein are fictitious. No association with any real company, organization, product, domain name, e-mail address, logo, person, place,
or event is intended or should be inferred. Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system,
or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation.
After completing this Quick Start Guide, you will have federated your on-premises Active Directory environment with Windows Azure Active Directory (Windows Azure AD) in a pre-production configuration. This will provide single sign-on capabilities to users
of Windows Azure AD clients such as Office 365 and Windows Intune. The guidance will walk you through using the accompanying script to perform the various tasks to do the necessary work.
If you are starting with an existing cloud service that uses Windows Azure AD such as an Office 365 account, you can later use the same account to add Windows Intune access, or vice-versa. It is strongly recommended that all of your Windows Azure AD services
share the same sign-in configuration by starting with one service, and then adding the other services to the same administrative account. This will substantially improve the end-user and administrative experience.
The audience for this document is an IT professional, tester, or presenter who has experience administering Windows Server 2008 R2 and Windows 7 client systems, as well as familiarity with Windows Server 2012 and Windows 8. This document assumes some familiarity
with Active Directory, Hyper-V, Domain Name Services (DNS), Public Key Infrastructure (PKI), and TCP/IP networking. Specific knowledge of Active Directory Federation Services (AD FS) is not required.
You should know, in particular, how to:
The following is a list of mandatory prerequisites for completion of the tasks in this guide. If you cannot meet these requirements, you will not be able to use this guide to synchronize the on-premise environment with Windows Azure AD.
There are specific scenarios and limitations you should be aware of before you begin. This guide does not provide guidance for the following:
It is possible to use an environment with multiple, top-level UPN suffixes to complete all steps, but it is outside of the scope of this guide. For more information on multiple domain suffixes to federate, please see:
The script package consists of a single Windows PowerShell script (Menu.ps1) found at:
http://aka.ms/AD2AAD-PS. Create a folder on the soon-to-be AD FS server and place the file into that folder. You will later copy the contents of this folder to the AD FS proxy server, but other files will need to be placed
in there by the AD FS server process first.
In this section, you will install basic pre-requisite software on the AD FS server.
Perform all steps in this section on the AD FS server logged in as a Domain Administrator in the on-premises domain and an Enterprise Administrator in the on-premises forest.
If you are configuring Windows Azure Active Directory for Office 365 use, then you should validate your environment before using DirSync. Users of other services (for example, Windows Intune) may also use the tool, but it may report issues that do not matter
for your implementation.
In this section, you will add your domain name to Windows Azure AD.
In this section, you will enable directory synchronization (DirSync) support in Windows Azure AD. This process can take up to 24 hours, although it rarely takes longer than an hour. You will enable the setting here, but not use it until later; this will
give Windows Azure AD time to complete processing the request while you continue with further steps.
In this section you will create a basic on-premises Active Directory Federation Services (AD FS) server configuration. AD FS is used to support single-sign-on (SSO) with Windows Azure AD clients. Although a detailed explanation of this process is outside
of the scope of this document, the important thing to know as an IT professional is that at no point in the process are user credentials for the on-premises environment accessible to the Windows Azure AD client. Instead, authentication tokens with a limited
lifetime are used to represent the authenticated user. This is done using industry-standard processes and protocols and ensures the integrity of on-premises credentials while still supporting single-sign-on.
More detail on the SSO process can be found at
http://community.office365.com/en-us/wikis/sso/727.aspx, How Single Sign-On Works in Office 365. Although this is an entry in the Office 365 wiki, the details of the process are not specific to Office 365 and apply to all Windows Azure AD clients.
The AD FS installation process will create a simple AD FS farm. AD FS farms require the use of a service account.
You can move the account from the default container in Active Directory later, if desired, with no ill effects.
The script does have limited support for using your own certificate. If you would like to do so, install it on the AD FS server in the Local Computer\Personal\Certificates store, and make sure it meets the following requirements:
The script will validate the certificate if it exists.
The self-signed certificate must be available for multiple uses on other machines, so in this step you will create an export of the new certificate.
Perform all of the steps in this section except firewall, external DNS changes,
and client testing on the AD FS proxy server logged in as a local administrator.
1. Select choice 16 from the Menu.ps1 script to Add the ADFS Proxy role to this server.
1. Select choice 17 from the Menu.ps1 script to Configure IIS SSL and authentication using the certificate you imported.
You will be updating the local HOSTS file to direct the proxy server to the internal AD FS server. This allows multiple DNS configurations to work as well as helps with supporting a workgroup member proxy server.
You must be able to access port 443 on the AD FS server from the AD FS proxy server. This is the only port used for direct communication between the servers.
On the external (edge) firewall, publish SSL port 443 on the AD FS proxy server on an external interface.
These steps must be done manually. There are too many variations possible in external access and DNS configuration to support automating these steps.
If you are using Microsoft Internet Security and Acceleration (ISA) Server 2004 or 2006 or Microsoft Threat Management Gateway (TMG) 2010 as your edge firewall, you can find information on publishing the AD FS Proxy at
On the external DNS provider, add the AD FS published address to the outside. Use the hostname adfs in the UPN suffix domain.
Help pages for common DNS providers for adding an A record (DNS address) include:
Perform these steps on a client connected to an external network.
You will next change the Windows Azure AD domain to use federation for SSO support. By default, Windows Azure AD manages accounts and sign ins independent from on-premises accounts. To use SSO, you need to configure the use of federation on the domain, and
then configure Directory Synchronization (DirSync). You are starting with federation, and then finalizing DirSync, as that is the recommended order. Remember that earlier in the process, you started with requesting DirSync to be enabled on the Windows Azure
Perform all of these steps in this section except client testing on the AD FS server logged in as a Domain Administrator in the on-premises domain and an Enterprise Administrator in the on-premises forest.
Next, you will configure and activate Directory Synchronization (DirSync). DirSync is a custom, specialized implementation of Microsoft Forefront Identity Manager that is configured to synchronize accounts between your on-premises domain and a corresponding
Windows Azure AD domain.
Starting synchronization now.
Confirming Import has started.
Running Full Import
Confirming Import has completed.
Export has started.
The cumulative number of objects…
Export has completed.
Perform all steps in this section on the client machine.
This is optional. If you are going to use a "real" certificate from a public certificate authority, or you are going to use an Enterprise Certificate Authority and a domain-joined machine, then you will not need to do this step.
These steps are for a Windows 8 client. They will be different for other operating system, but the concepts will be the same.
In this appendix, you will see how to immediately synchronize your on-premise AD to Windows Azure AD. You will do this using a Windows PowerShell cmdlet to synchronize the change to the Windows Azure AD environment.
Perform these steps on the AD FS server logged in as a Domain Administrator in the on-premises domain and an Enterprise Administrator in the on-premises forest.
Active Directory Federation Services (AD FS): A standards-based service that supports application authentication and authorization against a corporate Active Directory implementation while not exposing credentials to the requesting application.
Single Sign-On (SSO): A single username and password that administrators need to manage in a single location (for example, On-premise AD). End users are able to use this single username and password for authentication with on-premise and cloud applications
such as Office 365. Depending on the client configuration, they may need to type in those same credentials again to authenticate.
DirSync: A customized, limited version of Microsoft Forefront Identity Manager that supports copying selected account information (not including password information) from a corporate Active Directory environment to Windows Azure AD.
User principal name (UPN): A way of expressing the username/domain name combination first introduced in Windows 2000 Active Directory. It is formatted similar to an e-mail address for a user.
Windows Azure Active Directory (Windows Azure AD): A Microsoft-hosted directory service that supports authorization and optionally, authentication for Microsoft Online Services offerings such as Office 365 and Windows Intune.