Saturday, January 18, 2014

ADFS 3.0 with Office 365

This post introduces AD FS 3.0, which ships as a role of Windows Server 2012 R2, and covers what it adds, its pros and cons, and how to deploy it in your organization for use with Office 365.

Review my earlier blog post "ADFS in O365 in a Nutshell" to understand the role of ADFS and its deployment considerations, and see it in action through the references provided there as a start.

Also read this Microsoft Knowledge Base article on the supported scenarios for providing SSO with ADFS:

Supported scenarios for using ADFS to setup single sign-on in Office 365

Check the article below for a quick overview of single sign-on for Office 365:

Overview of single sign-on for Office 365

Compared with other identity providers, ADFS is the most common implementation of SSO with Office 365.

Organizations that have already deployed ADFS run either ADFS 2.0 or ADFS 2.1 for SSO, as this has been the established deployment method with Office 365 so far and is a prerequisite for having a federated domain. You can provide a "same sign-on" experience with DirSync password hash synchronization without a federated identity, but for true single sign-on ADFS is the best option. See my earlier blog post "ADFS Vs Password Hash" for the differences, with references.

ADFS used to be a separate download, and that is how organizations deployed it to serve millions of users. With Windows Server 2012 R2 a separate installation is no longer needed, and other significant changes have been made to the federation setup. Many organizations have already upgraded to this server platform and others are still evaluating it. Windows Server 2012 R2 is more robust than its predecessors, so much of the IT infrastructure out there is being upgraded to this version, and it already has a presence in most private and public cloud offerings.

Review the new ADFS changes on TechNet: Active Directory Federation Services Overview

Let's get back to our topic. In an ADFS 2.x deployment both the internal ADFS servers and the external ADFS proxies relied on IIS; with this release ADFS no longer relies on IIS, and the ADFS proxy role is replaced by the Web Application Proxy (WAP). WAP publishes the ADFS URL to the internet in the way a traditional reverse proxy would, so dedicated ADFS proxy servers are no longer needed.

I reviewed the excellent post below from Microsoft consultant Marius Solbakken Mellum on his goodworkaround blog, where he explains the above clearly along with other vital topics, visually shows how to set up federation with ADFS 3.0 and how to publish the ADFS URL to the internet using WAP, and covers the Office 365 configuration steps after deployment.

Howto - ADFS on Windows Server 2012 R2 with Office 365

Also, ensure that you have the latest Windows Azure Active Directory (WAAD) Module for Windows PowerShell installed in your environment before proceeding with the Office 365 federation configuration; older builds of the module do not recognize a 2012 R2 farm, so this is a mandatory prerequisite for ADFS 3.0. Refer to the post below from Henrik Walther on the same.

Office 365 Federation using Windows Server 2012 based ADFS Servers 
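As an added example (not from this post or from Henrik's article), the Office 365 side of the federation configuration using the MSOnline (WAAD) module. The server name adfs01.contoso.local and the domain contoso.com are placeholders; run it from a machine that has both the module and the ADFS management tools, against the primary ADFS server, and only during a maintenance window, since converting a domain changes how every user in it signs in.

```powershell
# Added example: federate a verified Office 365 domain with an ADFS 3.0 farm.
# Assumptions (not from the post): MSOnline module installed, adfs01.contoso.local
# is the primary ADFS server, contoso.com is already verified in the tenant.
Import-Module MSOnline
Connect-MsolService                         # prompts for a Global Administrator account

# Point the module at the primary ADFS server; it reads the farm settings from there
Set-MsolADFSContext -Computer adfs01.contoso.local

# Sanity check before converting: the domain must be Verified and still Managed
$domain = Get-MsolDomain -DomainName contoso.com
if ($domain.Status -ne 'Verified' -or $domain.Authentication -ne 'Managed') {
    throw "contoso.com is $($domain.Status)/$($domain.Authentication); expected Verified/Managed"
}

# Convert the domain. -SupportMultipleDomain is needed when more than one domain
# will be federated against the same farm; it adjusts the issuer claim rule so
# each domain gets its own IssuerUri.
Convert-MsolDomainToFederated -DomainName contoso.com -SupportMultipleDomain

# Compare what the tenant stored with what ADFS is using: the token-signing
# thumbprint and the passive/active endpoints on both sides must match.
Get-MsolFederationProperty -DomainName contoso.com
```

If Get-MsolFederationProperty shows a mismatch between the ADFS and Office 365 columns, do not troubleshoot users yet; re-run Update-MsolFederatedDomain for the domain first, because a stale token-signing thumbprint in the tenant fails every federated logon.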

* Review the TechNet blog post below from PFE Rhoderick Milne [MSFT] on the topic, with a detailed walk-through and demo. This is the first in a series of posts; watch for the rest on his blog.

How To Install ADFS 2012 R2 For Office 365

*Review the excellent blog post below from Jack Stromberg on upgrading your environment from ADFS 2.0 to 3.0, explained step by step with known issues and facts for a successful upgrade.

[Tutorial] Upgrading from ADFS 2.0 (Server 2008 R2) to ADFS 3 (Server 2012 R2)

*One more step-by-step walk-through on migrating AD FS 2.0 to AD FS 3.0, from MVP Kelsey Epps:

Migrating AD FS 2.0 to AD FS 3.0 for Office365 Single Sign-On

*Add-on read: along with the blog post above from Rhoderick, review his recent post below. It is a must-read, as it covers securing ADFS access from the extranet, and following it will take your organization's ADFS deployment to the next level.

Enabling ADFS 2012 R2 Extranet Lockout Protection
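An added example, not from Rhoderick's post, of enabling extranet lockout on a 2012 R2 farm. The point of the feature is that password guessing that arrives through the Web Application Proxy is stopped by ADFS before it reaches the Active Directory lockout threshold, so an attacker on the internet cannot lock out internal accounts. The threshold value of 5 and the 30-minute window are assumptions; pick values that fit your AD lockout policy.

```powershell
# Added example: enable ADFS 2012 R2 extranet lockout.
# Assumes the ADFS and ActiveDirectory PowerShell modules on the primary ADFS server.
Import-Module ADFS
Import-Module ActiveDirectory

# The ADFS threshold must be LOWER than the AD lockout threshold. If it is not,
# AD locks the account first and extranet lockout protects nothing.
$adThreshold   = (Get-ADDefaultDomainPasswordPolicy).LockoutThreshold   # 0 = AD never locks out
$adfsThreshold = 5                                                      # assumed value
if ($adThreshold -gt 0 -and $adfsThreshold -ge $adThreshold) {
    throw "ADFS threshold ($adfsThreshold) must be below the AD lockout threshold ($adThreshold)"
}

# Record the current state for the change log
Get-AdfsProperties |
    Select-Object EnableExtranetLockout, ExtranetLockoutThreshold, ExtranetObservationWindow

# Enable: after 5 bad passwords for an account coming via WAP, further extranet
# attempts for that account are rejected for 30 minutes. Intranet logons are unaffected.
Set-AdfsProperties -EnableExtranetLockout $true `
                   -ExtranetLockoutThreshold $adfsThreshold `
                   -ExtranetObservationWindow (New-TimeSpan -Minutes 30)

# Verify the change was written to the farm configuration
Get-AdfsProperties |
    Select-Object EnableExtranetLockout, ExtranetLockoutThreshold, ExtranetObservationWindow
```

ADFS evaluates the lockout using the account's bad password count as held on the PDC emulator, so the ADFS servers must be able to reach the PDC emulator; if it is unreachable the feature silently stops protecting you, which is worth adding to your monitoring.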

*Enable automatic certificate rollover in your ADFS environment to save the time and manual intervention of renewing the ADFS token-signing certificate; review the excellent blog post below to learn more, including the threshold settings.

Understanding AutoCertificateRollover Threshold Properties

*Be sure to read the troubleshooting article below if you have issues accessing Office 365 services after a token-signing certificate rollover in an ADFS 2.0 environment.

AD FS 2.0 token signing certificate roll over results in loss of access to all Office 365 services

*Also keep an eye on the ADFS federation metadata updates, and install the Federation Metadata Update Tool on all your ADFS servers as stated in the TechNet blog below.

Federation Metadata Update Tool should be installed with every ADFS and Office 365 deployment

* Be sure to read the new certificate renewal documentation below, which applies to ADFS 2.0 and later:

Renewing Federation Certificates for Office 365 and Azure AD
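An added example covering the rollover and certificate-renewal items above (the AutoCertificateRollover thresholds and the Office 365 update that the Federation Metadata Update Tool automates). It is not code from any of the linked posts; adfs01.contoso.local and contoso.com are placeholders.

```powershell
# Added example: review ADFS automatic certificate rollover, list the token-signing
# certificates, then push the current certificates to the Office 365 tenant.
# Assumes the ADFS and MSOnline modules on the primary ADFS server.
Import-Module ADFS
Import-Module MSOnline

# Rollover settings. 2012 R2 defaults: a new token-signing certificate is generated
# CertificateGenerationThreshold (20) days before expiry and becomes primary
# CertificatePromotionThreshold (5) days later; ADFS checks every
# CertificateRolloverInterval (720) minutes.
Get-AdfsProperties | Select-Object AutoCertificateRollover,
    CertificateGenerationThreshold, CertificatePromotionThreshold,
    CertificateRolloverInterval, CertificateThresholdInterval

# Re-enable rollover if it was switched off (common after a third-party signing cert was imported)
if (-not (Get-AdfsProperties).AutoCertificateRollover) {
    Set-AdfsProperties -AutoCertificateRollover $true
}

# Token-signing certificates in the farm. During the promotion window there are
# two (primary and secondary) and the tenant must know both, or tokens signed
# with the newly promoted one are rejected.
Get-AdfsCertificate -CertificateType Token-Signing |
    Select-Object IsPrimary, Thumbprint, @{ n = 'NotAfter'; e = { $_.Certificate.NotAfter } }

# Publish the certificates to Office 365. Until the Federation Metadata Update Tool
# is in place, run this manually after every rollover (and after an SSL cert change).
Connect-MsolService
Set-MsolADFSContext -Computer adfs01.contoso.local
Update-MsolFederatedDomain -DomainName contoso.com -SupportMultipleDomain

# Confirm the tenant-side thumbprints now match the ADFS-side ones listed above
Get-MsolFederationProperty -DomainName contoso.com
```

Use -SupportMultipleDomain here only if it was used when the domain was converted; mixing the two breaks the IssuerUri that Office 365 expects.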

*A new article from MVP Jeff Guillet on updating certificates for AD FS 3.0:

How to Update Certificates for AD FS 3.0

One more from Rhoderick Milne [MSFT]:

Updating Windows Server 2012 R2 ADFS SSL and Service Certificates

* A few other vital posts on ADFS from the Chicken Soup for the Techie TechNet blog, which are a good read. They are mostly about ADFS 2.0, but several cover common issues and walk-throughs that apply to ADFS 3.0 as well; I reference them here so that you won't miss these essential posts.

More information about SSO experience when authenticating via ADFS

Possible causes of Authentications failures for federated users in Office 365

My environment is not yet upgraded, but it will be soon, and these posts will be quite useful for me as well as for you to evaluate the changes in a lab domain before proceeding to production. I hope to gather additional information when I do that and will share it with you soon.


Microsoft recently released an update for Windows Server 2012 R2 that adds one more great feature to ADFS 3.0: in a federated scenario, users can now be identified and authenticated to Microsoft Azure and Office 365 using an attribute other than the UPN, configured as the "Alternate Login ID". This is a real benefit for organizations whose UPN does not match the e-mail address, and for organizations whose UPN suffix is not publicly routable. Refer to the TechNet article below for details. Currently there is no walk-through available apart from that article; I expect Microsoft to publish more on this soon, and I will post related content as I come across it in the near future, so watch this space for updates...

Here is the Microsoft Knowledge Base article for the update, with details on installing it and getting this feature:

Update enables an alternative logon ID in AD FS in Windows Server 2012 R2

Configuring Alternate Login ID
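An added example, not taken from the TechNet article, of turning on Alternate Login ID on a 2012 R2 farm that already has the update installed. The attribute name mail and the forest contoso.local are assumptions. For Office 365 the chosen attribute value must also be what the user's UserPrincipalName is in Azure AD, which is a directory synchronization change outside this snippet and is covered in the TechNet article above; the Exchange Hybrid limitation noted further down still applies.

```powershell
# Added example: configure Alternate Login ID for the Active Directory claims
# provider on an ADFS 3.0 farm. Assumptions: attribute "mail", users in contoso.local.
Import-Module ADFS
Import-Module ActiveDirectory

# Precondition: the attribute must be unique across all lookup forests, otherwise
# ADFS cannot resolve a logon name to exactly one account and the logon fails.
$dupes = Get-ADUser -Filter 'mail -like "*"' -Properties mail -Server contoso.local |
    Group-Object -Property mail | Where-Object { $_.Count -gt 1 }
if ($dupes) {
    throw "Duplicate mail values found: $($dupes.Name -join ', ')"
}

# Enable. AlternateLoginID is the LDAP attribute users will type; LookupForests
# lists the forest DNS names ADFS searches for it (the ADFS service account
# needs read access to those forests).
Set-AdfsClaimsProviderTrust -TargetIdentifier "AD AUTHORITY" `
                            -AlternateLoginID mail `
                            -LookupForests contoso.local

# Verify the setting on the claims provider trust
Get-AdfsClaimsProviderTrust -Identifier "AD AUTHORITY" |
    Select-Object AlternateLoginID, LookupForests

# Roll back by clearing both values:
# Set-AdfsClaimsProviderTrust -TargetIdentifier "AD AUTHORITY" -AlternateLoginID $null -LookupForests $null
```

The duplicate check matters more than it looks: with Alternate Login ID a second account carrying the same mail value is not just a sync warning, it is a logon that cannot be resolved, so run the check in every forest you list.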

* Here is a real-time demo of this feature from renowned MVP Sean McNeill on his Office 365 Evangelist blog:

Alternate Username for ADFS 3.0 and Office365

* The official announcement of this feature from the Microsoft team, with the required resources, on the Office blogs:

Alternate login ID for Office 365 reduces dependence on UPN

Finally, review the recent Microsoft PFE blog post below on enabling the "Alternate Login ID" feature, explained clearly with a guided walk-through and demo.

Introduction to Active Directory Federation Services (AD FS) AlternateLoginID Feature


Alternate Login ID is not supported for Exchange Hybrid deployments. Review the excellent write-up below on this topic, with more details, from renowned hybrid expert Joe Palarchio, Office 365 Consultant at Perficient.

Review here : Office 365 – The Limitations of Alternate Login ID


ADFS 2016 is now available as part of Windows Server 2016 and brings enhanced capabilities to meet today's identity and access management needs.

Know more here: What's new in Active Directory Federation Services for Windows Server 2016

Access the excellent step-by-step guide below from Rhoderick Milne [MSFT] on installing and configuring Windows Server 2016 Active Directory Federation Services (AD FS) for use with Office 365.

How To Install AD FS 2016 For Office 365


Read the blog post below to learn more about ADFS SSO and token lifetime settings:

Active Directory Federation Services (ADFS) Single Sign On (SSO) and token lifetime settings
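An added example, not from the linked post, that reports the two ADFS-side lifetimes the post discusses and flags values outside a policy you choose. The 480-minute and 60-minute limits are assumptions; the relying party name is the one Convert-MsolDomainToFederated creates.

```powershell
# Added example: audit ADFS SSO cookie lifetime and the Office 365 token lifetime.
# Assumes the ADFS module on a 2012 R2 (or later) farm.
Import-Module ADFS

function Get-AdfsLifetimeReport {
    param(
        [int]$MaxSsoMinutes   = 480,   # assumed policy: one working day of browser SSO
        [int]$MaxTokenMinutes = 60     # assumed policy: SAML token valid for one hour
    )
    # SsoLifetime (minutes, default 480): validity of the ADFS web SSO cookie, i.e. how
    # long a browser user can obtain tokens for other relying parties without re-authenticating.
    $sso = (Get-AdfsProperties).SsoLifetime

    # TokenLifetime (minutes) on the Office 365 relying party: validity of the SAML
    # token ADFS issues to Azure AD. 0 means the ADFS default of 60 minutes.
    $rp    = Get-AdfsRelyingPartyTrust -Name "Microsoft Office 365 Identity Platform"
    $token = if ($rp.TokenLifetime -eq 0) { 60 } else { $rp.TokenLifetime }

    [pscustomobject]@{
        SsoLifetimeMinutes   = $sso
        SsoWithinPolicy      = ($sso -le $MaxSsoMinutes)
        TokenLifetimeMinutes = $token
        TokenWithinPolicy    = ($token -le $MaxTokenMinutes)
    }
}

$report = Get-AdfsLifetimeReport
$report

# Bring the farm back within policy only where it is out of bounds
if (-not $report.SsoWithinPolicy) {
    Set-AdfsProperties -SsoLifetime 480
}
if (-not $report.TokenWithinPolicy) {
    Set-AdfsRelyingPartyTrust -TargetName "Microsoft Office 365 Identity Platform" -TokenLifetime 60
}
```

These two values only govern what ADFS issues. Once Azure AD has accepted the SAML token, how long the user stays signed in to Office 365 is governed by the Azure AD refresh token defaults described in the next section, so shortening SsoLifetime does not by itself force a federated user to re-authenticate to the cloud.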


The Microsoft team has changed the token lifetime defaults in Azure AD to eliminate repeated sign-in prompts and improve the end-user experience.

Going forward the following defaults will now apply to all new Azure AD Tenants:

  • Refresh Token Inactivity: 90 Days
  • Single/Multi factor Refresh Token Max Age: until-revoked
  • Refresh token Max Age for Confidential Clients: until-revoked

Access the Official Blog post to know more: Changes to the Token Lifetime Defaults in Azure AD

Stay tuned for more updates...
