Setting up ADFS (Active Directory Federation Services) for Microsoft 365 for SSO (Single Sign On)

Overview

Many organizations are using Identity Access solutions like ADFS (Active Directory Federation Services) to provide users (internal & external) with seamless SSO access to internet-facing applications or services.

A single sign-on solution can simplify username and password management for both users and administrators. Users no longer have to keep track of different sets of credentials and can simply remember a single more complex password. SSO often enables users to just get access to their applications much faster.

ADFS (Active Directory Federation Services)

Active Directory Federation Services (AD FS) provides simplified, secured identity federation and Web single sign-on (SSO) capabilities for end users who want to access applications within an AD FS-secured enterprise, in federation partner organizations, or in the cloud.

Setting Up ADFS for Microsoft 365

Step 1: Install Active Directory Federation Services (Skip this step if already deployed)

Step 2: Request a certificate from a third-party CA for the Federation server name

Step 3: Configure AD FS

Step 4: Download Microsoft 365 tools

Step 5: Add your domain to Microsoft 365 (If not already added)

Step 6: Connect AD FS to Microsoft 365

Step 7: Sync local Active Directory user accounts to Microsoft 365

Step 8: Configure the client computer for Single Sign-On

Request a certificate from a third-party CA for the Federation server name

Microsoft 365 requires a trusted certificate on your AD FS server. Therefore, you must obtain a certificate from a third-party certification authority (CA).

You can obtain certificate from Let’s Encrypt, see the following link.

https://www.linkedin.com/embeds/publishingEmbed.html?articleId=8757877070876235219&li_theme=light

Configure AD FS

Open up Server Manager -> “Add Roles & Features”

Select “Active Directory Federation Services” , click next and follow the wizard.

Once your setup is complete, open up ADFS Management console to verify.

Sync local Active Directory user accounts to Microsoft 365

1. Azure AD Connect

You need to install Azure AD Connect to Sync on premise users to Azure AD.

If you have on-premises AD Domain like contoso.local then you must add UPN Suffix (contoso.com).

https://www.microsoft.com/en-us/download/details.aspx?id=47594

Connect AD FS to Microsoft 365

Once you have installed Azure AD Connect, configure ADFS.

Run PowerShell as Administrator and execute the command:

Set-AdfsProperties -EnableIdpInitiatedSignonPage $true

Convert Azure AD Domain “Managed” to “Federated”

Enable-PSRemoting
Connect-MsolService 
Set-MsolADFSContext –computer <the FQDN of the AD FS server>
Convert-MsolDomainToFederated –domain <the custom domain name you added into Microsoft 365> 

Configure the client computer for Single Sign-On

After you add the Federation server name to the local Intranet zone in Internet Explorer, the NTLM authentication is used when users try to authenticate on the AD FS server. Therefore, they are not prompted to enter their credentials.

Administrators can implement Group Policy settings to configure a Single Sign-On solution on client computers that are joined to the domain.

https://learn.microsoft.com/en-us/dynamics365/customerengagement/on-premises/deploy/add-the-ad-fs-website-to-the-local-intranet-security-zone?view=op-9-1

When user will navigate to Office 365 it will be redirected to Organization’s SSO Page.

Verify using this URL: [Replace adfs.contoso.com with your FQDN]

https://adfs.contoso.com/adfs/ls/IdpInitiatedSignon.aspx

You can customize this organizational SSO page.