Azure MFA – ADFS Federating a Domain

This post is part of a series, for the series contents see: Azure MFA

At this point we’ve got all of our ADFS infrastructure in place, but before we can make use of it we need to federate our domain.  I think of this step as essentially configuring Azure AD to know that you’ve got federation infrastructure set up and how to offload requests to it: i.e. how your ADFS is presented publicly (sts.irankon.tk in my case).

Federating a Domain

Luckily it’s just a little bit of PowerShell and you’re done.  I ran the PowerShell from my ADFS server (adfs-vm) so first of all I needed to install the Azure AD PowerShell module on there, which I downloaded from:

[Screenshot: ADFS Federate Module Download]

With that installed, next up I connected to Azure AD using PowerShell and logged in.  The federation operation needs to be performed by an account with Global Admin privileges, so I used the account I created earlier to perform my DirSync operation with AAD Connect, and logged in as:

  • aadsyncsvc@irankon.onmicrosoft.com

#Import the Azure AD (MSOnline) module
Import-Module MSOnline

#Login to Azure AD (prompts for credentials)
Connect-MsolService
#When prompted I logged in with:
#aadsyncsvc@irankon.onmicrosoft.com

Once connected, I then checked the current federation status of my domains with:


#Verify the domain status with
Get-MsolDomain

[Screenshot: ADFS Federate Domain Check]

Then, finally, I federated my irankon.tk domain with:


#Then federate the domain with
Convert-MsolDomainToFederated -DomainName irankon.tk

[Screenshot: ADFS Federate Domain]

The feedback from the cmdlet is pretty much instant, but in reality all that has done is kick off a background process in Azure AD and it will be another couple of hours before you can start making use of it in earnest.
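As an added example (not code from the post), here is the same federation step extended with the check a practitioner would want afterwards: confirm each domain's authentication type, and verify that the sign-in endpoint, issuer and signing certificate Azure AD recorded for the domain match the ADFS farm you actually run.  The domain irankon.tk is the post's value; the script assumes it is run on the primary ADFS server with both the MSOnline and ADFS modules available.

```powershell
# Added example: federate a domain, then verify the trust Azure AD recorded.
# Assumes: primary ADFS server, MSOnline + ADFS modules installed, Global Admin account.
Import-Module MSOnline
Import-Module ADFS

Connect-MsolService   # prompts for the Global Admin credentials

$Domain = 'irankon.tk'   # domain from the post

# 1. Show how every verified domain currently authenticates (Managed vs Federated)
Get-MsolDomain | Select-Object Name, Status, Authentication | Format-Table -AutoSize

# 2. Federate only if the domain is still Managed; converting an already
#    federated domain fails, so this keeps the script safe to re-run.
$d = Get-MsolDomain -DomainName $Domain
if ($d.Authentication -eq 'Managed') {
    Convert-MsolDomainToFederated -DomainName $Domain
}

# 3. Pull the federation trust Azure AD now holds for the domain
$fed = Get-MsolDomainFederationSettings -DomainName $Domain

# 4. Read the farm's own values to compare against
$props    = Get-AdfsProperties
$expected = "https://$($props.HostName)/adfs/ls/"
$local    = Get-AdfsCertificate -CertificateType Token-Signing | Where-Object IsPrimary
$localB64 = [Convert]::ToBase64String($local.Certificate.RawData)

# 5. Any mismatch here means Azure AD trusts an endpoint or certificate that
#    is not this farm's, which is worth investigating before enabling MFA on it.
$checks = [ordered]@{
    'PassiveLogOnUri is this farm' = ($fed.PassiveLogOnUri -eq $expected)
    'IssuerUri is this farm'       = ($fed.IssuerUri -eq $props.Identifier)
    'SigningCertificate is local'  = ($fed.SigningCertificate -eq $localB64)
}
$checks.GetEnumerator() | ForEach-Object {
    '{0,-30} : {1}' -f $_.Key, $(if ($_.Value) { 'OK' } else { 'MISMATCH' })
}
```

Re-run the comparison block after any token-signing certificate rollover, since the certificate Azure AD holds must be updated to match.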

Testing It Has Worked…

Testing it out is as simple as:

  1. Creating an account in the on-premises AD environment [Screenshot: ADFS Federation Test AD Account]
  2. Synchronising that up to Azure AD with AAD Connect (or waiting for that process to happen automatically) [Screenshot: ADFS Federation Test Synch Verify]
  3. Giving the account some permissions in the Azure Portal (so that you can log in as it) [Screenshot: ADFS Federation Test Azure Admin]
  4. Then logging in to portal.azure.com to prove the point [Screenshot: ADFS Federation Test Login]

At this point, choosing my test account takes me to my ADFS sign-in page (i.e. my ADFS Proxy server):

[Screenshot: ADFS Federation Test ADFS Offload]

And then, finally, once the ADFS infrastructure has completed the authentication process you get logged into Azure successfully with a synchronised and federated identity:

[Screenshot: ADFS Federation Test Success]
