Move AD FS 3.0 to Azure

  • Question

  • The plan is to move the AD FS 3.0 and WAP server to Azure. From what I've been reading it should be pretty simple based on this guide: http://www.concurrency.com/blog/w/migrate-adfs-for-office-365-to-windows-azure

    1. Install a new AD FS and WAP server in Azure

    2. Import the certificate

    3. Run the AD FS wizard

    4. Configure the WAP server

    5. Run this command on the on-premise AD FS server: Convert-MsolDomainToStandard -DomainName concurrency.com -PasswordFile c:\passwords.txt

    6. Run this command on the new AD FS server in Azure: Convert-MsolDomainToFederated -DomainName concurrency.com

    7. Change the DNS records, internal and external.

    But I have a few questions about the process:

    1. How long should I wait between running the 'Convert-MsolDomainToStandard' and 'Convert-MsolDomainToFederated' commands? There are approx. 3000 user accounts.

    2. Also, a -PasswordFile parameter is specified; I assume the passwords will remain the same?

    Wednesday, November 2, 2016 8:19 PM

All replies

  • Nobody has done it before?
    Friday, November 4, 2016 7:53 AM
  • I created a test environment; there is no need to convert the domain back to a standard domain. Running the command to update the federation settings is sufficient. Will post more details later on.
    Friday, November 4, 2016 2:39 PM
  • Do you simply want to move ADFS and WAP to VMs in Azure?

    In which case, no need for Convert-MsolDomainToStandard. That's when you want to use O365 and want to authenticate locally on-premises with ADFS.

    Sunday, November 6, 2016 6:31 PM
  • Yes indeed. According to the link, Convert-MsolDomainToStandard should be executed. However, that didn't make any sense to me since the domain is already federated. So I ran the command "Get-MsolFederationProperty -DomainName domain.com" and checked the output. It has the information about the trust, token signing and so on. Running the command "Update-MsolFederatedDomain -DomainName domain.com" on the new AD FS server is sufficient. These are the steps I've tested:

    1. Install the new AD FS server
    2. Export and import the certificate used for service communications on the new AD FS server
    3. Run the AD FS configuration wizard
    4. During the wizard you can select the same service account as is used for the old AD FS server
    5. Install the server that will be configured as the WAP proxy
    6. Import the certificate
    7. Install the Remote Access Role
    8. Configure the WAP proxy (pass-through authentication)
    9. Change the internal and external DNS records to point to the new AD FS server
    10. On the new AD FS server run the command: Connect-MsolService (enter the Office 365 credentials)
    11. On the new AD FS server run: Set-MsolADFSContext -Computer fqdnadfsserver.local (this will automatically create the relying party trust)
    12. On the new AD FS server run: Update-MsolFederatedDomain -DomainName domain.com
    13. Remove the old AD FS by simply removing the roles

    It doesn't seem to be a problem if 2 AD FS servers are still running in the domain right? Also it shouldn't be a problem if the same service account is used?

    Sunday, November 6, 2016 7:40 PM
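As an added illustration (not code from the thread or its posters) of steps 10 to 12 above, the following script runs the same MSOnline cmdlets on the new AD FS server and then verifies that the token-signing certificate the Office 365 tenant now trusts matches the primary token-signing certificate of the new farm. The domain name and AD FS FQDN are placeholders, and the MSOnline and ADFS modules are assumed to be present.

```powershell
# Added example, not from the thread. Placeholders: domain.com is the
# federated domain, adfs01.corp.local is the FQDN of the new AD FS server.
# Assumes the MSOnline and ADFS PowerShell modules are installed locally.
param(
    [string]$DomainName = 'domain.com',
    [string]$AdfsServer = 'adfs01.corp.local'
)

Import-Module MSOnline
Import-Module ADFS

# Step 10: sign in with the Office 365 admin credentials (interactive prompt)
Connect-MsolService

# Step 11: point the MSOnline cmdlets at the new farm; this creates the
# Office 365 relying party trust on that farm if it does not exist yet
Set-MsolADFSContext -Computer $AdfsServer

# Snapshot the tenant-side settings before the update so the change is visible
$before = Get-MsolDomainFederationSettings -DomainName $DomainName

# Step 12: push the new farm's endpoints and token-signing cert to the tenant
Update-MsolFederatedDomain -DomainName $DomainName

$after = Get-MsolDomainFederationSettings -DomainName $DomainName

# The tenant stores the signing certificate as a base64 DER blob; decode it
$tenantCert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new(
    [Convert]::FromBase64String($after.SigningCertificate))

# Primary token-signing certificate actually in use on the new farm
$farmCert = Get-AdfsCertificate -CertificateType Token-Signing |
    Where-Object { $_.IsPrimary }

Write-Host "Passive logon URI before: $($before.PassiveLogOnUri)"
Write-Host "Passive logon URI after : $($after.PassiveLogOnUri)"
Write-Host "Tenant signing thumbprint: $($tenantCert.Thumbprint)"
Write-Host "Farm signing thumbprint  : $($farmCert.Thumbprint)"

# Mismatch means Office 365 would reject tokens issued by the new farm
if ($tenantCert.Thumbprint -ne $farmCert.Thumbprint) {
    Write-Error 'Tenant and farm token-signing certificates differ; re-run Update-MsolFederatedDomain'
    exit 1
}
Write-Host 'Federation settings match the new AD FS farm.'
```

Run it from an elevated PowerShell session on the new AD FS server; the URIs printed before and after should stay on the existing federation service name, since only the hosts behind the DNS records change.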