Setup AD FS and Enable Single Sign On to Office 365


Microsoft Office 365 is a cloud solution offering full or partial Active Directory, the Office 2013 applications, Lync and SharePoint.
The full Office 365 solution is better known as Azure, but this article deals only with setting up AD FS and enabling Single Sign On to Office 365, which basically means installing a local Active Directory and connecting it to the Office 365 cloud mail solution using Single Sign On. The main reason for using Single Sign On is to replicate passwords, so users do not have to deal with two separate passwords, one for AD and one for Office 365. The following process shows how to set up AD FS and enable Single Sign On to Office 365.

Setup AD FS
1. Install the AD FS server role on the Active Directory server.
2. Install IIS on the AD FS server.
3. Install the Active Directory Sync Tool on a separate server in the domain (not the Active Directory server).
4. If you are using an internal domain name that does not match the domain name to be federated with Office 365, add a custom UPN suffix that matches the external name as follows:
a. Open Active Directory Domains and Trusts.
b. Go to the “Tree” window pane < right-click “Active Directory Domains and Trusts” < click “Properties”.
c. Under the “UPN Suffixes” tab, type the new UPN suffix.
d. Click “Add” < click “OK”.
e. Set the new UPN on all the users in AD that need it (you can do this by multi-selecting all users in an OU and changing the “User logon name” under the account properties).

Enable Single Sign On to Office 365

5. Set up the AD FS third-party SSL certificate as follows:
a. Open Server Manager < click “Tools” < choose “Internet Information Services (IIS) Manager”.
b. Go to “local server” < select “Server Certificates” < click “Open Feature” < click “Create Certificate Request”.
c. Fill in the certificate request using the name format “”. For example, to create a certificate for the domain, use the certificate request “STS.”.
d. Fill in all other details < click “Next” < leave the “Cryptographic service provider” at its default < change the “Bit Length” to 2048 < select a file location for the request < click “Finish”.
e. Buy a standard certificate from one of the domain registration companies, such as GoDaddy. Be sure to buy a standard certificate and not a wildcard certificate, as a wildcard will not propagate the request in IIS on Windows 2012 servers.

6. Complete the certificate request in IIS as follows:
a. Go to “Internet Information Services (IIS) Manager” < select “local server” < select “Server Certificates” < click “Open Feature”.
b. Click “Complete Certificate Request” < select the path to the certificate downloaded from the provider in step 5e < enter a “friendly name” for the certificate < select “Personal” as the certificate store < confirm that the certificate now appears under “Server Certificates”.

7. Bind the default website to the server certificate as follows:
a. Go to IIS < expand “Sites” < select “Default Web Site” < click “Bindings” < click “Add” < change the type to HTTPS.
b. Select the site certificate from the list < click “OK”.

8. Configure the local AD FS federation server as follows:
a. Go to “Server Manager” < “Tools” < choose “AD FS Management” < click “AD FS Federation Server Configuration Wizard”.
b. Check “Create a new Federation Service”.
c. Check “New Federation Server Farm” < click “Next”.
d. The “SSL Certificate” should already be selected.
e. In “Federation Service Name”, choose the certificate from the list.
f. Click “Next” < enter the “AD FS service account” name and password.
g. Click “Next” < check that every step is marked with a green check mark < click “Close”.

9. Set the Active Directory email address settings for the Office 365 users as follows:
a. Open Active Directory Users and Computers.
b. Right-click the user < click “Properties”.
c. Click the “Attribute Editor” tab.
d. Look for the “proxyAddresses” field.
e. Add the requested mailbox address like this < for the default mail address enter, for example: .
f. Add as many aliases as you want, using “smtp” in lowercase letters, like:

10. Check that federation connectivity works as follows:
a. Use the Active Directory Sync Tool on another server in the domain to sync the local Active Directory users to the Office 365 cloud. This tool is very easy to use: enter the Office 365 admin user and password and the local Active Directory user and password, check “sync passwords” and run the sync. After the sync you should see the users in Office 365 marked as “AD synced user”.
b. Change the password of one of the users in the local Active Directory and, after 10 minutes, log in to Office 365 with the new password. A successful login shows that the password was replicated to the cloud.
c. In the Office 365 cloud < under the Exchange settings < check that the users have the correct default SMTP address and alternative smtp addresses, which confirms that the “proxyAddresses” field was replicated to the cloud.
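Steps 4e and 9 are done per user in the GUI above; for many users the same work is easier to script, and checking the result locally before running the sync tool (step 10) avoids a second sync round. The script below is an added example, not part of the original article: it uses the ActiveDirectory PowerShell module, and the OU path, UPN suffix and mail domain are assumed placeholder values.

```powershell
# Added example: bulk version of steps 4e and 9, plus a local check before step 10.
# The OU path, UPN suffix and mail domain below are assumed placeholders.
Import-Module ActiveDirectory

$SearchBase = 'OU=Office365Users,DC=corp,DC=local'   # assumed OU holding the users to federate
$UpnSuffix  = 'example.com'                          # assumed external (federated) UPN suffix
$MailDomain = 'example.com'                          # assumed mail domain used in proxyAddresses

# Step 4: register the custom UPN suffix on the forest if it is not there yet
# (the same thing the Domains and Trusts GUI does).
$forest = Get-ADForest
if ($forest.UPNSuffixes -notcontains $UpnSuffix) {
    Set-ADForest -Identity $forest -UPNSuffixes @{ Add = $UpnSuffix }
}

# Steps 4e and 9: set the UPN and the mail addresses for every user in the OU.
Get-ADUser -Filter * -SearchBase $SearchBase -Properties proxyAddresses | ForEach-Object {
    $user  = $_
    $sam   = $user.SamAccountName.ToLower()
    $toAdd = @("SMTP:$sam@$MailDomain")                # uppercase SMTP: marks the default address
    if ($user.GivenName -and $user.Surname) {          # lowercase smtp: marks an alias
        $toAdd += "smtp:$($user.GivenName).$($user.Surname)@$MailDomain".ToLower()
    }

    Set-ADUser -Identity $user -UserPrincipalName "$sam@$UpnSuffix"

    # proxyAddresses is multi-valued; -ccontains is case-sensitive so SMTP: and smtp: stay distinct.
    $missing = $toAdd | Where-Object { -not ($user.proxyAddresses -ccontains $_) }
    if ($missing) { Set-ADUser -Identity $user -Add @{ proxyAddresses = $missing } }
}

# Pre-sync check: each user should carry exactly one primary (SMTP:) address and a UPN
# in the federated suffix; step 10c verifies the same addresses on the cloud side after sync.
function Test-SyncReadiness {
    param([string]$SearchBase, [string]$UpnSuffix)
    $problems = @()
    foreach ($u in Get-ADUser -Filter * -SearchBase $SearchBase -Properties proxyAddresses) {
        $primaries = @($u.proxyAddresses | Where-Object { $_ -cmatch '^SMTP:' })
        if ($primaries.Count -ne 1) {
            $problems += "$($u.SamAccountName): $($primaries.Count) primary SMTP addresses (expected 1)"
        }
        if ($u.UserPrincipalName -notlike "*@$UpnSuffix") {
            $problems += "$($u.SamAccountName): UPN $($u.UserPrincipalName) is not in suffix $UpnSuffix"
        }
    }
    return $problems
}

Test-SyncReadiness -SearchBase $SearchBase -UpnSuffix $UpnSuffix
```

An empty result from Test-SyncReadiness means every user in the OU is ready for the sync in step 10a; each reported line names a user to fix in Attribute Editor first.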