Azure MFA – ADFS Federating a Domain

This post is part of a series, for the series contents see: Azure MFA

At this point we’ve got all of our ADFS infrastructure in place, but before we can make use of it we need to federate our domain.  I think of this step as essentially configuring Azure AD to know that you’ve got federation infrastructure set up and how to offload sign-in requests to it: i.e. how your ADFS is presented publicly (in my case).  Until the domain is federated, Azure AD still treats it as "Managed" and authenticates users against the password hashes it holds itself; after it, every sign-in for that domain is redirected to ADFS, so the change affects all users in the domain at once.

Federating a Domain

Luckily it’s just a little bit of PowerShell and you’re done.  I ran the PowerShell from my ADFS server (adfs-vm), which is more than a convenience: Convert-MsolDomainToFederated reads the federation endpoints and the token-signing certificate from the local ADFS configuration, so it has to run on a federation server or be pointed at one first with Set-MsolADFSContext -Computer.  First of all I needed to install the Azure AD PowerShell module (MSOnline) on there, which I downloaded from:

[Screenshot: ADFS Federate Module Download]

With that installed, next up I connected to Azure AD using PowerShell and logged in.  The federation operation needs to be performed by a Global Administrator, so I used the account I created earlier for my DirSync operation with AAD Connect, and logged in as:

One caveat worth heeding here: the admin you use should be a cloud-only account (a *.onmicrosoft.com UPN), not an account in the domain you are about to federate.  Once the domain is federated, every sign-in for it depends on ADFS being reachable and working, and a cloud-only admin is your way back in to run Convert-MsolDomainToStandard if the federation breaks.


#Import the Azure AD (MSOnline) module
Import-Module MSOnline

#Login to Azure AD with
#When prompted I logged in with:

Once connected, I then checked the current federation status of my domains with:

#Verify the domain status with

[Screenshot: ADFS Federate Domain Check]

Then, finally, I federated my domain with:

#Then federate the domain with
Convert-MsolDomainToFederated -DomainName

[Screenshot: ADFS Federate Domain]

The feedback from the cmdlet is pretty much instant, but in reality all that has done is record the federation settings (endpoints and signing certificate) and kick off a background process in Azure AD, and it can be another couple of hours before you can start making use of it in earnest.  In the meantime Get-MsolDomain should already report the domain’s Authentication as Federated.
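The whole federation step as one script, added here as an example and not code from the original post: it imports the module, signs in, checks that the domain is verified and still Managed, federates it, and then reads back what Azure AD has stored and compares the signing certificate with the farm's primary token-signing certificate.  The domain name is a placeholder, and the script assumes it runs on a federation server with the ADFS PowerShell module present (run Set-MsolADFSContext -Computer first if it does not).

```powershell
# Added example, not the original post's code: federate a verified, currently
# Managed domain from the ADFS server, with the pre-flight checks a practitioner
# wants before changing how every user in that domain signs in.
# Assumptions: $DomainName is a placeholder; the script runs on a federation
# server (otherwise run Set-MsolADFSContext -Computer <adfs-server> first);
# the ADFS PowerShell module is present for the certificate comparison.
Import-Module MSOnline

$DomainName = 'contoso.example'   # placeholder, replace with your verified domain

# Sign in as a cloud-only Global Administrator (*.onmicrosoft.com UPN), not as
# a user of the domain being federated: after the conversion that user's own
# sign-in depends on ADFS, which is exactly what you may need to repair.
Connect-MsolService

$domain = Get-MsolDomain -DomainName $DomainName -ErrorAction Stop
if ($domain.Status -ne 'Verified') {
    throw "$DomainName is not verified in Azure AD (status: $($domain.Status))"
}
if ($domain.Authentication -eq 'Federated') {
    Write-Warning "$DomainName is already federated; current settings follow."
    Get-MsolDomainFederationSettings -DomainName $DomainName
    return
}

# Flip the domain from Managed to Federated. The cmdlet reads the endpoints and
# the token-signing certificate from the local ADFS farm and stores them in
# Azure AD. Add -SupportMultipleDomain when one farm will federate several
# domains (the issuer URI then becomes per-domain).
Convert-MsolDomainToFederated -DomainName $DomainName

# Post-check: what Azure AD now believes about the domain. The passive sign-in
# URI must be the *public* ADFS name (the proxy), and the stored signing
# certificate must be the farm's current primary token-signing certificate,
# or every federated sign-in will fail with a token signature error.
$fed = Get-MsolDomainFederationSettings -DomainName $DomainName
$cloudCert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new(
    [Convert]::FromBase64String($fed.SigningCertificate))

$result = [pscustomobject]@{
    Domain                 = $DomainName
    Authentication         = (Get-MsolDomain -DomainName $DomainName).Authentication
    IssuerUri              = $fed.IssuerUri
    PassiveLogOnUri        = $fed.PassiveLogOnUri
    ActiveLogOnUri         = $fed.ActiveLogOnUri
    CloudSigningThumbprint = $cloudCert.Thumbprint
}

# Compare against the farm's primary token-signing certificate (ADFS module).
if (Get-Command Get-AdfsCertificate -ErrorAction SilentlyContinue) {
    $primary = Get-AdfsCertificate -CertificateType Token-Signing |
        Where-Object IsPrimary
    $result | Add-Member NoteProperty AdfsSigningThumbprint $primary.Certificate.Thumbprint
    if ($primary.Certificate.Thumbprint -ne $cloudCert.Thumbprint) {
        Write-Warning 'Azure AD holds a different signing certificate than the ADFS farm; run Update-MsolFederatedDomain.'
    }
}
$result
```

The certificate comparison is the check that bites later rather than now: when the farm rolls its token-signing certificate (automatic certificate rollover is on by default), Azure AD has to be told about the new one with Update-MsolFederatedDomain, otherwise sign-ins fail even though the domain is still "federated".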

Testing It Has Worked…

Testing it out is as simple as:

  1. Creating an account in the on-premise AD environment, making sure its UPN suffix is the domain you just federated (that suffix is what Azure AD uses to decide whether to hand the sign-in to ADFS)
  2. Synchronising that up to Azure AD with AAD Connect (or waiting for that process to happen automatically)
  3. Giving the account some permissions in the Azure Portal (so that you can log in as it); for a throwaway test account prefer the least-privileged role that lets you see it has signed in, and remove the account afterwards
  4. Then logging in as that account to prove the point

At this point, entering my test account’s UPN takes me to my ADFS sign-in page (i.e. my ADFS Proxy server): Azure AD does home realm discovery on the UPN suffix, sees that the domain is federated, and redirects the browser to the passive sign-in URI it recorded for the domain.

[Screenshot: ADFS Federation Test ADFS Offload]

And then, finally, once the ADFS infrastructure has completed the authentication process you get logged into Azure successfully with a synchronised and federated identity:

[Screenshot: ADFS Federation Test Success]
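The test above, scripted, as an added example that is not part of the original post: it creates the on-premise test user with a UPN in the federated domain, runs a delta sync instead of waiting for the scheduler, polls until the object appears in Azure AD, and then asks Azure AD’s GetUserRealm endpoint which realm it would send that UPN to, which proves the home realm discovery step without an interactive browser login.  The domain, OU, user name and the cloud-only admin session are placeholders and assumptions; the script assumes the ActiveDirectory module is available and that it runs on (or in a remote session to) the AAD Connect server, where the ADSync module lives.

```powershell
# Added example, not the original post's code: create a federated-domain test
# user, push it to Azure AD, and confirm home realm discovery routes it to ADFS.
# Assumptions (placeholders): $DomainName, $OuPath and the user's name;
# ActiveDirectory module available; ADSync module present (AAD Connect server).
Import-Module ActiveDirectory
Import-Module MSOnline

$DomainName = 'contoso.example'                 # the domain you federated
$Sam        = 'fedtest01'
$Upn        = "$Sam@$DomainName"
$OuPath     = 'OU=Users,DC=contoso,DC=example'  # placeholder OU

function Test-FederatedRealm {
    # Ask Azure AD which realm a UPN belongs to. No authentication is needed,
    # which also means anyone who knows one of your UPNs can discover your
    # ADFS endpoint this way; that is worth remembering when threat modelling.
    param([Parameter(Mandatory)][string]$UserPrincipalName)
    $uri = 'https://login.microsoftonline.com/GetUserRealm.srf?login=' +
           [uri]::EscapeDataString($UserPrincipalName)
    Invoke-RestMethod -Uri $uri -Method Get
}

# 1. The UPN suffix decides the realm: a user whose UPN ends in a non-federated
#    suffix never reaches ADFS, however correctly the domain itself is federated.
New-ADUser -Name 'Federation Test 01' -SamAccountName $Sam `
    -UserPrincipalName $Upn -Path $OuPath `
    -AccountPassword (Read-Host -Prompt 'Test user password' -AsSecureString) `
    -Enabled $true

# 2. Trigger a delta sync rather than waiting for the 30-minute scheduler.
Import-Module ADSync
Start-ADSyncSyncCycle -PolicyType Delta | Out-Null

# 3. Poll until the object shows up in Azure AD (cloud-only admin session).
Connect-MsolService
$deadline = (Get-Date).AddMinutes(10)
do {
    $cloudUser = Get-MsolUser -UserPrincipalName $Upn -ErrorAction SilentlyContinue
    if (-not $cloudUser) { Start-Sleep -Seconds 30 }
} until ($cloudUser -or (Get-Date) -gt $deadline)
if (-not $cloudUser) { throw "$Upn has not synchronised to Azure AD yet" }

# 4. Home realm discovery check: NameSpaceType must be 'Federated' and AuthURL
#    must point at the public ADFS proxy, which is where the browser is sent.
$realm = Test-FederatedRealm -UserPrincipalName $Upn
if ($realm.NameSpaceType -ne 'Federated') {
    throw "Azure AD treats $Upn as $($realm.NameSpaceType), not Federated"
}
'{0} -> {1} ({2})' -f $Upn, $realm.AuthURL, $realm.FederationBrandName

# Clean up the test identity when done; it exists only to prove the redirect.
# Remove-ADUser -Identity $Sam -Confirm:$false   (then let the next sync delete it)
```

A Managed domain answers the same query with NameSpaceType "Managed" and no AuthURL, so running Test-FederatedRealm before and after Convert-MsolDomainToFederated is a quick way to see the switch take effect from the outside, without touching the interactive sign-in page at all.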
