Part 3 – Federate with the NEW Office 365

Now that we have the required software installed and the certificate in place, we can finally configure the AD FS role and federate with Microsoft.

Configure Local AD FS Federation Server

  1. Open Server Manager
  2. Click Tools
  3. Click AD FS Management
  4. Click AD FS Federation Server Configuration Wizard
  5. Create a new Federation Service
  6. New Federation Server Farm. Choose this option every time, even if you only plan on deploying one server. If you choose Stand-alone federation server, you won't be able to add more servers to the farm later.
  7. Click Next
  8. SSL Certificate. This should be pre-populated. If it isn't, go back and assign/bind the third-party certificate to the Default Web Site in IIS.
  9. Federation Service Name. This should match the SSL certificate name.

    *** NOTE *** Since I am using a multi-name certificate in a lab environment, my SSL certificate name and Federation Service name don't match. This is not recommended for production environments. Always follow best practice and use a single-name certificate.

  10. Click Next
  11. Enter the AD FS service account name and password
  12. Click Next
  13. Click Next
  14. All green check marks mean everything is set up correctly
  15. Click Close

Configure Federation Trust with Office 365

Now that we have our side of the federation set up, we can complete the federation with Office 365.

  • Open the Desktop on the AD FS server
  • Locate the Windows Azure Active Directory Module for Windows PowerShell shortcut
  • Right-click it and choose Run As Administrator
  • Set the credential variable
    • $cred = Get-Credential
  • Enter a Global Administrator account from Office 365. I have a dedicated tenant (@domain.onmicrosoft.com) service account set up for AD FS and Directory Synchronization.
  • Connect to Microsoft Online Services with the credential variable set previously
    • Connect-MsolService -Credential $cred
  • Set the MSOL AD FS context server to the AD FS server
    • Set-MsolADFSContext -Computer adfs_servername.domain_name.com
  • Convert the domain to a federated domain
    • Convert-MsolDomainToFederated -DomainName domain_name.com
  • A successful federation returns
    • Successfully updated 'domain_name.com' domain.
  • Verify federation
    • Get-MsolFederationProperty -DomainName domain_name.com
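The federation steps above collected into one script with the pre-checks and verification a practitioner would want, as an added example that is not part of the original post. It assumes the MSOnline module (the Windows Azure Active Directory Module) is installed, and $DomainName and $AdfsServer are placeholder parameters for your own values; Set-MsolADFSContext is only run when a server name is passed, since the comments below report it failing when the commands are run locally on the primary AD FS server.

```powershell
# Added example (not from the original post). Assumes the MSOnline module is
# installed; $DomainName and $AdfsServer are placeholders for your values.
param(
    [Parameter(Mandatory)] [string] $DomainName,
    [string] $AdfsServer   # omit when running directly on the primary AD FS server
)

Import-Module MSOnline -ErrorAction Stop

# Prompt for a Global Administrator. The post recommends a dedicated
# @tenant.onmicrosoft.com service account for AD FS and Directory Sync.
$cred = Get-Credential -Message "Office 365 Global Administrator"
Connect-MsolService -Credential $cred

# Only point the AD FS context at a remote server when one was given.
if ($AdfsServer) {
    Set-MsolADFSContext -Computer $AdfsServer
}

# Pre-check: the domain must be verified in the tenant and still Managed
# before it is converted; converting twice is not useful.
$domain = Get-MsolDomain -DomainName $DomainName
if ($domain.Status -ne 'Verified') {
    throw "Domain $DomainName is not verified in the tenant (status: $($domain.Status))."
}
if ($domain.Authentication -eq 'Federated') {
    Write-Warning "Domain $DomainName is already federated; skipping conversion."
} else {
    Convert-MsolDomainToFederated -DomainName $DomainName
}

# Verify: Get-MsolFederationProperty reports the settings held by the AD FS
# server and by Office 365 side by side; they should agree.
$fed = Get-MsolFederationProperty -DomainName $DomainName
$fed | Format-Table Source, IssuerUri, PassiveLogOnUri, FederationBrandName -AutoSize

# A differing IssuerUri between the two sources means the trust is not
# consistent and sign-on will fail until it is repaired.
$issuers = @($fed | Select-Object -ExpandProperty IssuerUri -Unique)
if ($issuers.Count -gt 1) {
    Write-Warning "IssuerUri differs between AD FS and Office 365: $($issuers -join ', ')"
}
```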

This completes the setup for federation to Office 365. Keep in mind that before you can successfully use single sign-on with Office 365, you will need to set up and configure Directory Synchronization. After Directory Synchronization is set up, you will have to license the synchronized user in Office 365; this provisions the services for the user. If users need to access Office 365 from outside the internal network, the AD FS Proxy server needs to be set up and configured as well.

 

Complete Series:

Getting to know the NEW Office 365

  1. Does Microsoft have FREE training for the NEW Office 365?
  2. Signing up for the NEW Office 365
  3. Adding and Verifying a Domain for the NEW Office 365
  4. Creating Cloud Users for the NEW Office 365
  5. Configuring Desktops for the NEW Office 365
  6. Exchange 2003 Cutover Migration to the NEW Office 365
  7. Exchange 2007 Cutover Migration to the NEW Office 365
  8. Setting up AD FS and Enabling Single Sign-On to the NEW Office 365
  9. Setting up AD FS Proxy Servers for Single Sign-On to the NEW Office 365
  10. Setting up Directory Synchronization with the NEW Office 365
  11. Activating and Licensing a Synchronized User in the NEW Office 365
  12. Testing Single Sign-on to the NEW Office 365
  13. Making the Single Sign-On Solution Highly Available
  14. Exchange Hybrid Deployment with the NEW Office 365

Thanks for visiting and reading my posts. I am always looking for more ideas. Please comment or email me with what you would like to see.

Kelsey Epps

Office 365 MVP


11 thoughts on “Part 3 – Federate with the NEW Office 365”

  1. Octavius

    Hi Kelsey,

    Thanks for the step by step, very useful. Something worth noting is that if you have installed the Azure Active Directory Module on the primary ADFS server and are running the commands from there, you do not need to run “Set-MsolADFSContext -Computer”. If you do, it will fail and you will then spend an eternity (like I just did) trying to work out why ;-). In this scenario you can move on to converting the domain.

    Great blog

    Cheers

    Octavius

    1. Kelsey Epps (Post author)

      What error were you getting? I have followed the same process for all my installs and haven’t had any issues.

    2. Tim

      I am in the middle of a several-hour troubleshooting session with Microsoft trying to figure out why I am having the problem Octavius describes above. “Set-MsolADFSContext -Computer” fails. The MSFT engineer says that the necessary directories aren’t being installed in IIS when ADFS is installed.

      Octavius, if you could share more info I’d appreciate it.

        1. Tim

          Update. It turns out that between the time I installed ADFS and went to configure it, someone popped in the Server 2012 R2 disk and upgraded the server.

          MSFT says that is a no-no. Apparently ADFS servers shouldn’t be upgraded.

          We had to copy Microsoft.IdentityServer.PowerShell.dll from the old ADFS installation to the new ADFS installation and remove the registry entry that was added to the registry for PowerShell 1.

    1. Kelsey Epps (Post author)

      If you have multiple ADFS or WAP servers, they need to be load balanced. Windows NLB is an easy way.

    1. Kelsey Epps (Post author)

      It’s good practice to use the commands. In a small shop where you only have one ADFS server or farm, it doesn’t really make a difference. BUT… when you are working in a large enterprise with a large number of ADFS servers and farms, it’s good to make sure that you are connected to the right server.

  2. Vincent Nguyen

    From a Microsoft Engineer, he states that “You don’t need to run this command if you are executing this from the Primary ADFS server.”

    Set-MsolADFSContext -Computer adfs_servername.domain_name.com