As per my previous blog post which explained how to setup Windows Azure Networks, Storage and Virtual Machines, This post will now walk you through how to setup Active Directory Federation Services & Directory Sync for Office 365 using Windows Azure.
For the purpose of this blog post I am not extending my existing on premise directory services infrastructure into windows azure, but I will be covering this in my next article. The following is assuming that you are creating a completely new Active Directory Forest within Windows Azure which I understand is not what everyone is going to want to do but the procedure would be the same if you were to extend, I just won't be discussing the extending part in this article.
To get started you need to create 3 Virtual Machines within Windows Azure at a minimum
- Domain Controller
- Active Directory Federation Services Server
- Directory Sync Server
Note: I am not going to be using an AD FS Farm in this particular article and I am not deploying an AD FS Proxy. I will cover this is my next article due to some of the work involved on the azure aspect I've kept this rather brief as the below is a general overview on how to get these services to work in Windows Azure, but the core software configuration is the same as the On Premise Configuration.
Configuration of Office 365 Service
Follow these steps in order to ensure your Office 365 Tenancy is ready to handle Directory Sync & Federation Services
- Add your Private Domain which you are going to use for Federated Services within Office 365 if you have not already done so
- Add the relevant DNS Records in order to use the services within Office 365 i.e. Exchange Online, Lync Online, SharePoint Online
- Create a new DNS A Record for your Private Domain for Example: adfs.yourdomain.co.uk
Windows Azure Virtual Machine Connectivity
- Ensure that your Virtual Machines are in the same Virtual Network when they are created, this will enable the machines to be in the same network subnet and be assigned a relevant IP Address to allow them to communicate with each other.
- Ensure that your Network Adapter DNS Configuration is correct to allow your servers to be added to your domain etc.
- Windows Azure currently does not support a customer reserving a VIP outside of the lifetime of a deployment. At first glance, this appears contradictory to existing Windows Server Active Directory best-practices but because the dynamic IP addresses of Windows Azure virtual machines that are attached to a Windows Azure Virtual Network persist for the lifetime of the virtual machine, the Windows Server Active Directory requirements for IP addressing are met (as are those for DNS if co-located with the DC).
Configuration of Directory Sync Service
To enable replication of your Active Directory Users to Windows Azure Active Directory within Office 365 we need to go ahead and configure Directory Sync. If you have done this On Premise then the configuration is basically the same.
- Login to your Office 365 Portal Administration
- Go to Users and Groups > Activate Active Directory Synchronization (this process can take up to 24 hours)
While you are waiting for this service to be activated, jump over to Windows Azure and login to your Directory Synchronization Server and download (dirsync.exe) which can be located within the Office 365 Management Portal.
Once Downloaded, Ensure that you are logged on with your Domain Admin Account and then launch the Directory Sync Installer, Once this has completed you then need to wait for the service to activate and then you can go ahead and start the Directory Sync Configuration Wizard.
Follow the instructions on the wizard and once completed ensure that Directory Sync has completed, for more information on this you can view the following article: http://technet.microsoft.com/en-us/library/jj151797
Configuration of Active Directory Federation Services
To enable Single Sign On using Active Directory Federation Services, We need to go ahead and deploy a AD FS Server Infrastructure. If you have done this process On Premise then you will find the configuration is very similar the only thing that you need to do different with Azure is ensure that you have created an Endpoint for HTTPS (443) traffic.
I have written an earlier blog post which explain how to configure Active Directory Federation Services on Server 2008R2 which can be found here: http://www.edutech.me.uk/technical/setup-ad-federation-services-with-office-365/. Some changes are to be made for Server 2012.
Although the configuration is the same as mentioned in that article, if your using Server 2012 in windows azure then I will cover the changes below.
- AD FS is now built into Server 2012 and is fully supported with Office 365 which means you no longer have to go ahead and download AD FS 2.0 from the Microsoft Download Centre. All you have to do is add this as a Role within Server Manager or using PowerShell.
- No Hotfix is required now as per AD FS when using Multiple Federated Domains.
Once you have installed the Active Directory Federation Service, You have completed the Configuration Wizard and Tested the Service as per the above article. You will need to login to Windows Azure and Create an Endpoint on this server to allow HTTPS (443) traffic, to do this
- Login to Windows Azure Management Portal
- Select 'Virtual Machines' from the left hand side navigation pane
- Select your Federation Services Virtual Machine
- Select Endpoints
- Click Add Endpoint (& configure as per the image below)
In this article I am not going to talk about setting up an AD FS Farm within Windows Azure, but basically when you want to load balance the machines you do have the option to configure this when you setup a Endpoint. To learn more about this see the following article: https://www.windowsazure.com/en-us/manage/windows/common-tasks/how-to-load-balance-virtual-machines/
You also need to ensure that you point your federation service URL Example: adfs.yourdomain.co.uk to your Virtual Machine Public VIP. In order to obtain the Public IP for your Server do the following:
- Login to Azure Management Portal
- Click on Virtual Machines, and then select the Virtual Machine for ADFS
- Scroll down the dashboard, and then on the right hand side you will see your Public VIP
- Change your DNS A Record to point to this Public VIP
Once you have completed the Configuration of AD FS and Created your Endpoints, As per the article above you need to ensure you convert the domain to a federated domain, again to do this
- Launch MOSM Powershell Console
- Type: $cred=Get-Credential (then type in your local admin credentials on office 365 (administrator.tenancy.onmicrosoft.com)
- Type: $Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://ps.outlook.com/powershell/ -Credential $Cred -Authentication Basic –AllowRedirection
- Type: Import-PSSession $Session
- Type: Import-Module MSOnline
- Type: Connect-MsolService –Credential $Cred
- Run – Convert-MSOLDomainToFederated –domainname domain.com -SupportMultipleDomain
- Run – Update-MSOLFederatedDomain –domainname domain.com
*Note: -supportmultipledomain is only required if you plan on adding more than 1 federated domain.
Once you have Deployed AD FS & Dirsync you can go ahead and test the services using http://testexchangeconnectivity.com
and that it's basically, not too complicated once you get your head around Windows Azure Virtual Machines it's practically the same as your On Premise Deployment.
At present this deployment does not contain an AD FS Proxy Server and it is recommended to include one of these in a production environment. In a future blog post I will expand further on how to add an AD FS Proxy Server within Azure (DMZ) and I will also explain how to extend your existing Domain Services Environment into Windows Azure.
If you have any questions be sure to let me know,