This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
As I'm using Hybrid Office 365 and Exchange 2013 environment and the OnPremise AD is synced to Azure AD using Azure AD Connect. version 1.4.18.0
I have successfully configured and deployed multiple ADFS 4.0 (2016) in my corporate WAN environment.
What're the steps I can follow to securely configure the Microsoft 365/Azure SSO with my current ADFS farm to allow SSO for all of my users?
The goal here is to allow the user to login to Microsoft 365/Azure services using their current Windows UPN (Email address) login just once secured by 2FA/MFA.
Hello @EnterpriseArchitect
Here is a step-by-step guide for setting up ADFS 2.0 for Office 365 for Single Sign-On. However, the process is same for ADFS 4.0 as well.
As you have already setup ADFS environment and users are synced to Azure AD, all you need to do is run below commands from the Primary ADFS Server to configure federation between O365 and ADFS.
Install-Module MSOnline
Connect-MsolService
Convert-MsolDomainToFederated –domain < your_domain.com >
Then configure the ADFS Service Name to local intranet zone on all the client computers in your environment. You can use GPO for this purpose as well. This is required to facilitate WIA (Windows Integrated Authentication) so that existing NTLM or Kerberos tickets can be used for authentication and you will not be prompted for authentication.
You can refer to this documentation for configuring ADFS to use Azure MFA for 2nd factor authentication.
For best Seamless SSO experience, I would suggest you to go with hybrid Azure Active Directory join for federated domains
Please do not forget to "Accept the answer" wherever the information provided helps you. This will help others in the community as well.
@amanpreetsingh-msft thank you for the help and assistance man, I appreciate it very much.
@EnterpriseArchitect Your welcome. If you found the information helpful, please Accept the answer. If you have any further question, feel free to tag me in your reply.
@amanpreetsingh-msft what about this document: https://learn.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-install-multiple-domains
Because my users have multiple different UPN from one single AD domain:
AD is a single forest domain called: domain.com
The users spread across multiple different OU and company subsidiary:
Head Office UPN and Primary SMTP are:
User.Last1@domain.com
User.Last2@domain.com
User.Last3@domain.com
User.LastX@domain.com
Company A UPN and Primary SMTP is:
User.LastName1@CompanyA.org
User.LastName2@CompanyA.org
User.LastName3@CompanyA.org
Company B UPN and Primary SMTP is:
User.LastName1@CompanyB.com
User.LastName2@CompanyB.com
User.LastName3@CompanyB.com
Would that article applicable?
@EnterpriseArchitect If you have different domains in the UPN Suffix within your environment that you want to federate via same ADFS Server, you need to use -SupportMultipleDomain switch as shown below:
Convert-MsolDomainToFederated –domain < your_domain1.com > -SupportMultipleDomain
Convert-MsolDomainToFederated –domain < your_domain2.com > -SupportMultipleDomain
When the command is run with -SupportMultipleDomain, a new claim rule is created on ADFS under O365 Relying Party to handle federation for multiple domains. This is what's explained in detail here: https://learn.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-install-multiple-domains