Migrate ADFS for Office 365 to Windows Azure

Author by Michael Epping

One of the more common complaints I hear about Single Sign On with Office 365 is that it requires the creation of at least 3 new servers (Dirsync, ADFS, ADFS Proxy), which may exceed the number of Exchange servers that customers get to decommission after migrating mailboxes to Office 365.  Understandably, some customers are frustrated that they have to increase investment in on-premise servers in order to have the best experience with Microsoft's cloud services.  Luckily, Microsoft recently announced that locating your ADFS farm and Dirsync server in Windows Azure is now a supported option, eliminating the need for any new on-premise servers when migrating to Office 365 (http://www.microsoft.com/en-us/download/confirmation.aspx?id=38845). In this blog post I'm going to go through how to move from an existing on-premise ADFS farm to an Azure hosted farm.  If you don't currently use ADFS on-premise then you can skip the parts related to removing the service from on-premise servers. The first thing to be aware of is that there are a few requirements that must be in place before switching to a cloud based ADFS farm:
  • You must have a Windows Azure tenant
  • You must have Site to Site VPN set up between your on-prem environment and the Azure service
  • You should configure a new AD site in AD Sites and Services for Windows Azure and use a separate subnet for Azure VMs
  • You should build a domain controller in Azure and verify that replication to and from your on-premise DCs is functional
  • Build 3 VMs in Azure and join two of them to the domain (the proxy should be a workgroup member)
I'm not going to go over how to configure new AD sites, set up domain controllers, or how to set up site to site VPN with Azure as those topics are covered in depth elsewhere.  If you look at the Azure / Office 365 doc linked to earlier in this post you will notice that it outlines 3 different ways of setting up ADFS:
  • On-premise only
  • Azure only
  • Split between on-premise and Azure
In this example we are only going to worry about the Azure only option since we want to do away with as many on-prem servers as possible.  Here's what that topology will roughly look like: Azure and ADFS You will need to create at least 3 VMs if you want to move both ADFS and Dirsync to Azure.  Below are the sizing guidelines for Azure VMs.  All of my VMs are Small ones since I have under 5,000 users. 2013-06-12 11_06_05 I'm only going to cover ADFS in depth since moving Dirsync is extremely simple.  The high level steps for moving Dirsync are as follows:
  • Build an Azure VM and join it to the domain
  • Install the Dirsync tool following the normal procedure (as if you were installing it on-premise)
  • Run the Dirsync configuration wizard and fill out all the information for your AD service account and your Office 365 admin account
  • Verify synchronization succeeds
  • Disable the synchronization service on your old on-premise Dirsync server and shut it down when ready
The next step is to install the ADFS role on our second VM, which should be domain joined.  I am using Windows Server 2012, so I will install the role from the Add Roles and Features wizard in Server Manager.  If you are using Windows Server 2008 R2 then you will need to download ADFS from http://www.microsoft.com/en-us/download/details.aspx?id=10909 and install updates for it from http://support.microsoft.com/kb/2790338. 2013-06-12 11_19_07 Federation Service is the only Role Service you will need on your ADFS server.  You should also install the .NET Framework 3.5 Feature if you haven't already. 2013-06-12 11_21_11 Next, copy your ADFS certificate onto the ADFS server and open the IIS Manager console.  Expand out the tree in the left pane and click on the name of your server.  Then click on Server Certificates. 2013-06-12 13_13_05 In the Server Certificates menu choose Import from the Actions menu.  Locate your certificate file, enter the password and select the Personal certificate store. 2013-06-12 13_14_51 Next go to Default Web Site in the left pane and then choose Bindings from the Actions pane. 2013-06-12 13_11_02 In the Site Bindings menu the only one you should see is for http port 80.  Click Add and choose HTTPS.  Enter the name on your certificate (in this case mine is adfs.concurrency.com) and then choose the certificate you imported. 2013-06-12 13_25_35 Click OK and close out of the IIS Manager console.  Next, open the ADFS Management console.  Click the link in the middle of the page that says AD FS Federation Server Configuration Wizard.  Since we are replacing the old ADFS farm you should choose Create a new Federation Service and click Next. 2013-06-12 13_30_50 Choose New federation server farm and click next.  If you choose new federation server farm you can always add more ADFS servers later if your capacity needs increase. 2013-06-12 13_31_21 In the Service Name screen make sure that the SSL certificate you imported is selected and that the Federation Service name field is set to match. 2013-06-12 13_33_49 On the next screen input credentials for a service account.  The service account should be set so that its password never expires and the password can't be changed.  Click Next and then click Next on the Summary page.  When the wizard is complete you may close out of the ADFS Management console. Log into your old ADFS server.  Open the Windows Azure Active Directory Module for Windows PowerShell and enter these commands:
  • $cred = Get-Credential
  • Enter your Office 365 administrator credentials from a .onmicrosoft.com account that isn't reliant on the existing ADFS infrastructure for sign in.
  • Connect-MsolService -Credential $cred
  • Get-MsolDomain
2013-06-12 14_39_12 Take note of which domains are federated.  Here I only have one, so I'm only going to need to do the following steps once.  If you have multiple federated domains then you'll need to do the following for each domain.
  • Convert-MsolDomainToStandard -DomainName concurrency.com -PasswordFile c:passwords.txt
  • Change concurrency.com to whatever domain you are converting to a standard domain.  Change c:passwords.txt to some location where you have write access if necessary.  The password file will contain temporary passwords for each user in the domain in case you have problems getting ADFS up and running again.
Log back into your Azure ADFS server.  If you didn't install .NET Framework 3.5 on your new ADFS server earlier, do it now.  Next download and install the Microsoft Online Services Sign In Assistant 7.0 (http://www.microsoft.com/en-us/download/details.aspx?id=28177).  Then install the Windows Azure Active Directory Module for Windows PowerShell (Windows Azure Active Directory Module for Windows PowerShell (64-bit version)).  Open the Windows Azure Active Directory Module for Windows PowerShell and run the following commands:
      • $cred = Get-Credential
      • Enter your Office 365 administrator credentials from a .onmicrosoft.com account that isn't reliant on the existing ADFS infrastructure for sign in.
      • Connect-MsolService -Credential $cred
      • Convert-MsolDomainToFederated -DomainName concurrency.com
      • Again, change concurrency.com to the domain you need to reactivate
Running the Convert-MsolDomainToFederated on the new ADFS server, configures its ADFS database for connection to Office 365.
    Next, change your internal DNS so that the A record pointing to the ADFS service points to the internal IP address of your ADFS server.  In my environment I changed adfs.concurrency.com on the internal DNS to point to the IP address of our Azure ADFS server in its AD Site's subnet.  Change the external DNS entry for your equivalent to adfs.concurrency.com to point to the Public Virtual IP Address for your Azure ADFS Proxy server.  To find this IP address log into manage.windowsazure.com, go to the Virtual machines tab, select your VM, go to the Dashboard for that VM, and look in the quick glance area.
2013-06-12 15_30_53
    Now we need to add an endpoint so the proxy is accessible from the internet on port 443.  While still looking at the proxy server go to the Endpoints tab and click the Add button on the bottom of the screen.  On the first page choose Add Endpoint and click the next arrow.  On the final page give the endpoint a name, choose TCP for a protocol, and assigne 443 as both the private and public port.
2013-06-12 15_49_34 Now log into the Azure ADFS proxy server and go to the Add Roles and Features menu.  Choose Active Directory Federation Services on the Server Roles screen.  On the Role Services screen choose Federation Service Proxy. 2013-06-12 15_54_11 When the installation is complete open the AD FS Federation Server Proxy Configuration Wizard.  On the Specify Federation Service name screen enter the name from the configuration of the ADFS server, which is adfs.concurrency.com in my case. 2013-06-12 15_59_14 Click Test Connection to make sure the proxy can reach your ADFS server.  You need to make sure that the proxy server can contact the ADFS server on port 443.  Another thing to be mindful of is what DNS server the proxy relies on.  If the proxy doesn't use your internal DNS server then it won't know how to find your ADFS server at its internal IP address.  If this is the case you need to create a host file entry on the proxy server so it associates adfs.domain.com with the internal ADFS server and not with the proxy's own public IP. When prompted for credentials enter the credentials of the ADFS service account.  Once the configuration wizard is done your ADFS configuration should be complete.  Make sure that you have your URLs configured for Office 365 (http://www.concurrency.com/blog/configure-urls-for-office-365-using-group-policy-and-the-registry/) and test the Single Sign On functionality.

Michael Epping

Systems Engineer