This blog post will detail the steps to set up ADFS 3.0 on Server 2012 R2 for use with Office 365. Many things have changed in ADFS 3.0 compared to 2.0. The biggest one is that 3.0 does not require IIS; the new ADFS ships with the web components it needs built in. Another big change is that Server 2012 R2 includes a new proxy role for ADFS called Web Application Proxy. The third big thing is the ability to easily update the ADFS login page using PowerShell.

My primary UPN domain is already set up for DirSync with Password Sync, so instead of converting that domain, I decided to go out and get another domain name. I searched for a bit and came up with TheCloudAdvocate.com, which was not taken. I bought the domain, added it to my tenant and set up a user with the @thecloudadvocate.com UPN. DirSync did its thing and I licensed the user.

So here are the steps. I did all of this in my lab, on servers that are fully hosted on Windows Azure!

Setting up ADFS 3.0 (Server 2012 R2) For Office 365

Install ADFS

Add Server 2012 R2 to the Domain

Select the ADFS role and click Next

Click Next

Click Next

Tick 'Restart the destination server automatically if required', accept the popup and then click Install

Wait for completion and reboot

If no reboot prompt appears, click the caution sign next to the flag at the top of Server Manager and select 'Configure the federation service on this server'. If you didn't close the original setup page you can click the same link there.


Click Next

I kept the default creds I was logged in with (my account is a member of the Domain Admins group) and clicked Next

Select the public certificate (it needs to have been added to the server beforehand), give the service a Display Name and click Next

Create a normal domain user account in AD, then select it and enter its password and click Next (you can also use a Managed Service Account; read more here: http://technet.microsoft.com/en-us/library/hh831782.aspx)

Select the database type. Since this is my test lab and a small environment I went with a WID database; here is some information on choosing between WID and SQL: http://technet.microsoft.com/en-us/library/ee913581.aspx. Then click Next

Review the settings; you can click View Script to see the script that automates additional server installs

Click Next

Verify prerequisites completed successfully and click Configure

Wait for completion

Once completed you can click Close

To test, go to https://adfs.thecloudadvocate.com/adfs/ls/IdpInitiatedSignon.aspx (obviously change adfs.thecloudadvocate.com to your URL)

You should also ensure that the site is added to the Local Intranet zone in Internet Explorer

I use *.domain.com for this; it enables auto-login for domain-joined machines when they are inside the network. Best practice is to configure a GPO that adds this to all domain machines.
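The same ADFS install as a script, as an added example rather than the script the wizard generates: it assumes the public certificate is already in the machine store, that the domain service account created above is supplied at the prompt, that the farm uses WID as in this lab, and that the display name 'The Cloud Advocate' is a placeholder.

```powershell
# Added example: scripted equivalent of the ADFS 3.0 wizard steps above.
# Assumptions: public cert already imported into LocalMachine\My with its private key,
# the domain user created for the service is entered at the prompt, and the farm
# uses the Windows Internal Database (WID) like the lab.
Import-Module ServerManager

# Role install (Server 2012 R2 feature name is ADFS-Federation; no IIS required)
Install-WindowsFeature ADFS-Federation -IncludeManagementTools

# Select the public certificate by subject instead of pasting a thumbprint
$fsName = 'adfs.thecloudadvocate.com'
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like "*$fsName*" -and $_.HasPrivateKey } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No certificate with a private key found for $fsName" }

# Service account credential is prompted for, never stored in the script
$svc = Get-Credential -Message 'ADFS service account (DOMAIN\user)'

# Primary farm node; WID is used when -SQLConnectionString is omitted.
# For a gMSA use -GroupServiceAccountIdentifier instead of -ServiceAccountCredential.
Install-AdfsFarm -CertificateThumbprint $cert.Thumbprint `
    -FederationServiceName $fsName `
    -FederationServiceDisplayName 'The Cloud Advocate' `
    -ServiceAccountCredential $svc -OverwriteConfiguration

# Additional nodes (the "additional server installs" the wizard's script covers)
# join the farm instead; run on the second server, not the primary:
# Add-AdfsFarmNode -CertificateThumbprint $cert.Thumbprint `
#     -PrimaryComputerName 'adfs01.corp.thecloudadvocate.com' `
#     -ServiceAccountCredential $svc

# Local Intranet zone entry for the whole domain so domain-joined clients get
# silent sign-on (ZoneMap value 1 = Local intranet). Deploy via GPO in production.
$zone = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\thecloudadvocate.com'
New-Item -Path $zone -Force | Out-Null
New-ItemProperty -Path $zone -Name 'https' -Value 1 -PropertyType DWord -Force | Out-Null

# Quick check that the service answers: the metadata endpoint needs no credentials
Invoke-WebRequest "https://$fsName/FederationMetadata/2007-06/FederationMetadata.xml" -UseBasicParsing |
    Select-Object -ExpandProperty StatusCode
```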

Install Web Application Proxy (WAP)

Do not join the WAP Server 2012 R2 machine to the domain; it should sit in your DMZ as a workgroup member. You cannot, and should not, run WAP on the internal federation server.

WAP is part of the Remote Access role; select that and click Next

Click Next

Click Next

Click on Web Application Proxy and a popup will appear and then click on Add Features

Click Next

Review the settings, select Restart if needed and click Install

Wait for completion

Select the ‘Open the Web Application Proxy Wizard’

Click Next

Ensure you have added the internal ADFS server to the HOSTS file (C:\Windows\System32\drivers\etc\hosts) pointing at its internal IP

Ensure you have imported the public certificate to the WAP server, then give the Service Name and the credentials of an admin account on the internal ADFS server (used once and not saved) and click Next

Select the Imported Cert and click Next

Copy the script if you want to automate the install, then click Configure

Wait for the Proxy Config to complete

Click Close; the Remote Access Management Console will start automatically

Select Publish on the right side

Click Next

Select Pass-through and click Next

Enter the Name and External URL, select the external certificate and click Next (note: the backend server URL should automatically match the External URL)

Review the information and click Publish

Click Close


Test from an external machine and go to https://adfs.thecloudadvocate.com/adfs/ls/IdpInitiatedSignon.aspx
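The Web Application Proxy steps above as a script, added here as an example and not the script the wizard offers to copy: it assumes the server is a workgroup member in the DMZ, the public certificate is already imported, and 10.0.0.5 is a placeholder for the internal ADFS server's IP.

```powershell
# Added example: scripted equivalent of the Web Application Proxy steps above.
# Assumptions: workgroup server in the DMZ, public cert already in LocalMachine\My,
# and 10.0.0.5 is a PLACEHOLDER for the internal ADFS server's IP address.
$fsName = 'adfs.thecloudadvocate.com'
$adfsIp = '10.0.0.5'
$hosts  = "$env:SystemRoot\System32\drivers\etc\hosts"

# The proxy must resolve the federation service name to the INTERNAL server,
# not to its own public address, or it will loop back to itself.
if (-not (Select-String -Path $hosts -Pattern ([regex]::Escape($fsName)) -Quiet)) {
    Add-Content -Path $hosts -Value "$adfsIp $fsName"
}

Install-WindowsFeature Web-Application-Proxy -IncludeManagementTools

$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like "*$fsName*" -and $_.HasPrivateKey } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "Import the public certificate for $fsName first" }

# Admin on the internal ADFS server; used once to establish the proxy trust
# and not stored, matching the wizard's behaviour.
$trust = Get-Credential -Message 'Admin account on the internal ADFS server'

Install-WebApplicationProxy -FederationServiceTrustCredential $trust `
    -CertificateThumbprint $cert.Thumbprint `
    -FederationServiceName $fsName

# Pass-through publish of the federation endpoints, as in the console's
# Publish step (backend URL matches the external URL).
Add-WebApplicationProxyApplication -Name 'ADFS' `
    -ExternalPreauthentication PassThrough `
    -ExternalUrl "https://$fsName/adfs/" `
    -BackendServerUrl "https://$fsName/adfs/" `
    -ExternalCertificateThumbprint $cert.Thumbprint

# Verify the proxy trust and the published application before testing externally
Get-WebApplicationProxyConfiguration
Get-WebApplicationProxyApplication | Format-Table Name, ExternalUrl, BackendServerUrl
```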

Configure Federation for your Domain

Do all of this on your primary internal ADFS server

You will need to install the Windows Azure Active Directory cmdlets: http://technet.microsoft.com/library/jj151815.aspx (several prerequisites are required)

Set up the federation trust for your domain: http://technet.microsoft.com/en-us/library/jj205461.aspx

Once completed you should be able to login, with your on-premises credentials, to http://portal.microsoftonline.com
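Federating the domain with the Azure AD cmdlets, as an added example of the step above (not code from the linked article): it assumes the MSOnline module is installed, the script runs on the primary ADFS server, and the domain is still a standard (managed) domain in the tenant.

```powershell
# Added example: federate thecloudadvocate.com with the Azure AD (MSOnline) cmdlets,
# run on the primary internal ADFS server as the walkthrough requires.
# Assumption: the domain is already added to the tenant and is still "Managed".
Import-Module MSOnline

$domain = 'thecloudadvocate.com'
Connect-MsolService -Credential (Get-Credential -Message 'Office 365 global admin')

# Only needed when running from another machine; points the cmdlets at ADFS
# Set-MsolADFSContext -Computer 'adfs01.corp.thecloudadvocate.com'

$before = Get-MsolDomain -DomainName $domain
if ($before.Authentication -ne 'Managed') {
    throw "$domain is already $($before.Authentication); nothing to convert"
}

# Creates the "Microsoft Office 365 Identity Platform" relying party trust in
# ADFS and uploads the token-signing certificate and endpoints to the tenant.
Convert-MsolDomainToFederated -DomainName $domain

# Verify both sides: the tenant must now say Federated, and its URIs must be
# the ones this farm publishes.
$after = Get-MsolDomain -DomainName $domain
"{0}: {1}" -f $domain, $after.Authentication
Get-MsolDomainFederationSettings -DomainName $domain |
    Select-Object IssuerUri, PassiveLogOnUri, ActiveLogOnUri, MetadataExchangeUri

# Compare the token-signing certificate ADFS holds with the one the tenant
# stores; a mismatch here (e.g. after certificate rollover) is what breaks
# sign-in, and Update-MsolFederatedDomain is the fix.
Get-MsolFederationProperty -DomainName $domain | Format-List Source, TokenSigningCertificate
```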


Next up, you may want to customize your ADFS 3.0 login page; check out this: http://technet.microsoft.com/en-us/library/dn280950.aspx

After customization, below is what my ADFS Login looks like:


GO Broncos! Win the Super Bowl! :)