Enabling and Managing Federation
Steps |
Action |
Configure a remote domain to be used with Office 365 |
Launch the on-premises Exchange Management Console (EMC), navigate to Hub Transport and select 'New Remote Domain' in the actions pane |
Create a new Accepted domain |
Create a new Accepted domain that is authoritative for the namespace |
Create a new federation trust with the Microsoft Federation Gateway (MFG) |
Run the following command to get the Exchange certificate thumbprint: Get-ExchangeCertificate | Where-Object {$_.Services -like "IIS*"} and copy the thumbprint value |
Then run New-FederationTrust -Name "Microsoft Federation Gateway" -Thumbprint XXXXXXXXXXXXXXXXXXX (where XXX is the thumbprint value). This creates the federation trust. You will see text similar to the following displayed by the command: To complete the federation configuration, you must add a text (TXT) record in DNS for the domain you want to use as the account namespace and for any other domain you want to add as a federated domain on the Microsoft Federation Gateway. After the TXT records are available in DNS, complete the federation trust configuration by using the Manage Federation wizard in the EMC or the Set-FederatedOrganizationIdentifier cmdlet in the Shell |
You then need to prove ownership of the namespace |
Run Get-FederatedDomainProof -DomainName ExchangeDelegation.company.com | FL DomainName,Proof and Get-FederatedDomainProof -DomainName company.com | FL DomainName,Proof. Then create a TXT record in public DNS for each domain to prove ownership of the namespace: copy the proof output and paste it into the public DNS TXT record. |
Perform an nslookup to verify ownership |
Run nslookup, then at its prompt enter set q=txt followed by Company.com |
Add the namespaces to the federation trust through the EMC |
Edit the ‘Microsoft Federation Trust’ object |
Ensure the enabled certificate is specified as the ‘current certificate’ |
This wizard lets you specify a current and a next certificate to ensure your certificate does not become invalid. If you have multiple HT servers, click on 'Show distribution state' to ensure all servers have the correct certificate installed |
Add the accepted domains |
Add ExchangeDelegation and company.com to the manage federation section, then complete the wizard and verify by running Test-OrganizationRelationship |
Create the organisation Trust relationship |
In the on-premises EMC, select 'Organization Configuration' and in the actions pane select 'New Organization Relationship'. Select 'Enable this organization relationship'. Select 'Enable free/busy information access'. Select 'Free/busy access with time, plus subject and location' if this is the access level you want to grant |
Configure the external organization settings |
Select 'Automatically discover configuration information' and specify the online tenant namespace |
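
As an added example (not part of the original post), the proof, nslookup and certificate steps above can be checked in one pass from the Exchange Management Shell: the script compares each Get-FederatedDomainProof value with the TXT strings a public resolver returns and lists the expiry of the certificate selected in the thumbprint step. The resolver address 8.8.8.8 and the helper name Get-PublicTxtRecord are assumptions; the domain names are the placeholders used in the steps.

```powershell
# Added example: run in the on-premises Exchange Management Shell.
# Placeholder domains from the steps above; replace with your own namespaces.
$domains = 'ExchangeDelegation.company.com', 'company.com'

# Hypothetical helper: returns the TXT strings a public resolver sees.
# Querying an external resolver (8.8.8.8 is an assumption) avoids being
# misled by an internal split-DNS zone that the gateway cannot reach.
function Get-PublicTxtRecord {
    param([string]$Domain, [string]$Resolver = '8.8.8.8')
    $output = & nslookup.exe -type=TXT $Domain $Resolver 2>$null
    @($output) | Where-Object { $_ } | ForEach-Object {
        # nslookup prints each TXT string inside double quotes
        [regex]::Matches($_, '"([^"]*)"') |
            ForEach-Object { $_.Groups[1].Value }
    }
}

$results = foreach ($domain in $domains) {
    $expected  = (Get-FederatedDomainProof -DomainName $domain).Proof
    $published = @(Get-PublicTxtRecord -Domain $domain)
    New-Object PSObject -Property @{
        DomainName = $domain
        # -ccontains: the proof is base64, so the comparison is case-sensitive
        ProofInDns = ($published -ccontains $expected)
        TxtRecords = $published.Count
    }
}
$results | Format-Table DomainName, ProofInDns, TxtRecords -AutoSize

# Expiry of the certificate picked in the thumbprint step, so a renewal
# can be staged as the 'next certificate' before the current one lapses.
Get-ExchangeCertificate | Where-Object { $_.Services -like "IIS*" } |
    Select-Object Thumbprint, NotAfter,
        @{ Name = 'DaysLeft'
           Expression = { [int]($_.NotAfter - (Get-Date)).TotalDays } } |
    Format-Table -AutoSize
```

Continue to the Manage Federation wizard only when ProofInDns is True for every domain; a False result with TxtRecords greater than zero usually means the record was pasted with extra characters or has not yet propagated.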
Written by Daniel Kenyon-Smith