Setting up the Primary AD FS 3.0 Server in Windows Azure for Office365 Single Sign-On

This BLOG post covers setting up the primary AD FS 3.0 server on a Windows Server 2012 R2 virtual machine in Windows Azure.


Prerequisites:

  • Azure account is set up
  • Directory Sync is activated, set up and running
  • Valid SSL certificate is available (with private key)
  • VPN connection set up from Azure to your on-premise network


Create a New Cloud Service

Because we are going to load balance one or more virtual machines, we need to create a Cloud Service to put them in. Think of it as a bucket to hold your virtual machines. You will require one for the AD FS Servers and one for the Web Application Proxies (AD FS Proxy Servers).


Click New

Select Compute -> Cloud Service -> Custom Create


Enter a URL or Name for the Cloud Service. This name must be unique across the name space.

Select your Region or Affinity Group

Click OK



Create the Virtual Machine in Windows Azure


Click New

Select Compute -> Virtual Machine -> From Gallery


Choose Windows Server 2012 R2 Datacenter

Click Next


Enter Virtual Machine Name

Select Server Tier

Select Server Size

Click Next


Select the AD FS Cloud Service that was created earlier. This is very important.

Verify Subnet

Drop down to Create an availability set

Enter name for the availability set

***Note*** This does not load balance the servers; it only places the VMs so that if a rack of servers goes down, the members of the set sit in different fault domains. This ensures that an outage isn’t extended to all the servers in the set.

Click Next


Click Next

Once the VM is provisioned go to the next step


Add the Server to the Domain

Since the AD FS servers need to authenticate against Active Directory, they must be joined to the local domain. Join the server to the local domain.


Install the Windows Azure Active Directory Module for Windows PowerShell

Use this BLOG post to install the Windows Azure Active Directory Module for PowerShell and the required Microsoft Online Services Sign-In Assistant 7.0

Connecting to Office365 with PowerShell


Install the AD FS Role


Open Server Manager

Click Add roles and features


Click Next


Select Role-based or feature-based installation

Click Next


Make sure that the AD FS Server is listed as the server to install to

Click Next


Select Active Directory Federation Services

Click Next


Leave defaults

Click Next


Click Next


Click Install


Wait for the install to complete


Import the SSL Certificate

AD FS uses a certificate to secure the connection between AD FS and Office 365, so we need a valid SSL certificate. I chose GoDaddy, as I find they are a one-stop shop for all my domain needs. It’s a personal choice, so use whichever CA you feel comfortable with. For the purposes of this BLOG post I will use a multi-name certificate; I DON’T recommend this for a production environment. One reason is that I like to keep things simple, and multiple names on one certificate complicate its management (not technically, but administratively). Secondly, I don’t like to share certificates across services. That cuts down on cross-contamination between the support teams at larger companies: if you lump the AD FS names onto the Exchange certificate, AD FS usually gets left in the dust and forgotten about when it comes time to renew.


Open the Start Screen

Type MMC

Click the MMC app

MMC opens

Click File

Click Add/Remove Snap-in

Select Certificates

Click Add>

Select Computer Account

Click Next

Select Local Computer

Click Finish

Click OK

Expand Certificates

Expand Personal

Right Click Certificates

Select Import

Select Local Machine

Click Next

Browse to the Exported Certificate

Click Next

Enter Password

Mark the key as exportable

Click Next

Place in the Personal certificate store

Click Next

Click Finish
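The same import done from PowerShell, with the checks you want before handing the certificate to the AD FS wizard (added example, not from the original post; the PFX path and federation service name are assumed placeholders, and the name check also accepts wildcard certificates):

```powershell
# Added example (not from the original post): import the SSL certificate from PowerShell
# instead of the MMC snap-in, then confirm it is usable for the federation service.
# Assumed placeholders: the PFX path and the planned Federation Service Name.
$pfxPath = 'C:\certs\sts-example.pfx'   # assumption: exported certificate with private key
$fsName  = 'sts.example.com'            # assumption: planned Federation Service Name
$pfxPass = Read-Host -Prompt 'PFX password' -AsSecureString

# Same result as the MMC wizard: Local Computer > Personal store, private key marked exportable
$cert = Import-PfxCertificate -FilePath $pfxPath `
                              -CertStoreLocation 'Cert:\LocalMachine\My' `
                              -Password $pfxPass `
                              -Exportable

# Checks a practitioner wants before pointing the AD FS wizard at this certificate
if (-not $cert.HasPrivateKey) {
    throw 'Certificate has no private key; re-export the PFX with the key included.'
}
if ($cert.NotAfter -lt (Get-Date).AddDays(30)) {
    Write-Warning "Certificate expires on $($cert.NotAfter); plan the renewal now."
}

# Collect the subject CN plus any Subject Alternative Names (multi-name certs list them here)
$names = @()
if ($cert.Subject -match 'CN=([^,]+)') { $names += $Matches[1] }
$san = $cert.Extensions | Where-Object { $_.Oid.FriendlyName -eq 'Subject Alternative Name' }
if ($san) {
    # Format($false) yields e.g. "DNS Name=sts.example.com, DNS Name=mail.example.com"
    $names += ($san.Format($false) -split ',\s*') | ForEach-Object { ($_ -split '=')[-1].Trim() }
}

# -like lets a wildcard entry such as *.example.com match the service name
$matched = $names | Where-Object { $fsName -like $_ }
if (-not $matched) {
    throw "Federation Service Name '$fsName' is not on the certificate. Names present: $($names -join ', ')"
}

Write-Host "Imported $($cert.Thumbprint) covering $fsName (matched '$matched')"
```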




Setup and Configure AD FS 3.0


Open Server Manager

Select AD FS

Click More where it says Configuration required for Active Directory Federation Servers at…


Click the Configure the federation service… action under Post-Deployment Configuration


Select Create the first federation server in a federation server farm

Click Next


Enter credentials for a user that has domain administrator permissions. This is used to complete the install, it’s not used as the AD FS service account

Click Next


Select the SSL certificate that you imported

Select the Federation Service Name

Enter the Federation Service Display Name

*** Note *** Since I am using a multi-name certificate these three values don’t match for me. In production I always recommend that you use a single name certificate to keep things simple. If that’s the case then the three values below should all match e.g.

Click Next


Enter the AD FS Service Account Name and Password

***Note*** This can be a managed service account or a domain user account designated for AD FS. If you use a domain user account, it does not need any special permissions. The install will give it the permissions required.

Click Next


Select Windows Internal Database or the location of a SQL Server database. The choice is yours, but for most companies the Windows Internal Database works just fine.

Click Next


Click Next


Wait for the Pre-requisite checks to be completed

Click Configure
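The PowerShell equivalent of the wizard steps above, plus the post-configuration checks worth running before federating with Office 365 (added example, not from the original post; the service name, display name and service account are assumed placeholders):

```powershell
# Added example (not from the original post): the PowerShell equivalent of the
# "Create the first federation server in a federation server farm" wizard.
# Run as a domain administrator on the AD FS server after the role is installed.
# Assumed placeholders: federation service name, display name and service account.
Import-Module ADFS

$fsName      = 'sts.example.com'   # assumption: Federation Service Name (must be on the cert)
$displayName = 'Example Corp'      # assumption: Federation Service Display Name
$svcCred     = Get-Credential -Message 'AD FS service account (DOMAIN\svc_adfs)'

# Pick the imported SSL certificate the same way the wizard matches it: by DNS name,
# with a private key, newest expiry first
$cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.HasPrivateKey -and ($_.DnsNameList.Unicode -contains $fsName) } |
        Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No certificate with a private key for $fsName in LocalMachine\My" }

# Windows Internal Database is used when no SQL Server parameters are supplied
Install-AdfsFarm -CertificateThumbprint $cert.Thumbprint `
                 -FederationServiceName $fsName `
                 -FederationServiceDisplayName $displayName `
                 -ServiceAccountCredential $svcCred

# Post-configuration checks: farm name, the three AD FS certificates, and the service state
$props = Get-AdfsProperties
if ($props.HostName -ne $fsName) {
    throw "Farm host name is $($props.HostName), expected $fsName"
}
Get-AdfsCertificate | Select-Object CertificateType, Thumbprint, IsPrimary | Format-Table -AutoSize
if ((Get-Service adfssrv).Status -ne 'Running') {
    throw 'AD FS service (adfssrv) is not running; check the AD FS Admin event log'
}
```

The Token-Signing and Token-Decrypting entries reported by Get-AdfsCertificate are the self-signed certificates AD FS generates for itself; only Service-Communications should be the imported SSL certificate.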





Federate with Office365


Open the Desktop on the AD FS server

Find Windows Azure Active Directory Module for Windows PowerShell

Right Click and Run As Administrator

Set the credential variable


Enter a Global Administrator account from Office 365.

Connect to Microsoft Online Services with the credential variable set previously

  • Connect-MsolService -Credential $cred


Set the MSOL ADFS Context server, to the ADFS server (optional if you are on the AD FS server)

  • Set-MsolADFSContext -Computer


Convert the domain to a federated domain

  • Convert-MsolDomainToFederated -DomainName


Successful Federation

  • Successfully updated ‘‘ domain


Verify federation

  • Get-MsolFederationProperty -DomainName
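The federation steps above as one script, with the pre-checks and the post-change verification the screenshots do not show (added example, not from the original post; the domain name and AD FS host name are assumed placeholders):

```powershell
# Added example (not from the original post): federate a verified Office 365 domain with
# this AD FS farm, refusing to run against a domain that is unverified or already federated.
# Assumed placeholders: the domain name and the AD FS server's FQDN.
Import-Module MSOnline

$domain   = 'example.com'              # assumption: domain already verified in Office 365
$adfsHost = 'adfs01.corp.example.com'  # assumption: FQDN of this AD FS server

# Set the credential variable and connect with it
$cred = Get-Credential -Message 'Office 365 Global Administrator'
Connect-MsolService -Credential $cred

# Pre-checks: converting an unverified domain fails, and converting an already federated
# domain should be done with Update-MsolFederatedDomain instead
$d = Get-MsolDomain -DomainName $domain
if ($d.Status -ne 'Verified') {
    throw "$domain is not verified in Office 365 (status: $($d.Status))"
}
if ($d.Authentication -eq 'Federated') {
    throw "$domain is already federated; use Update-MsolFederatedDomain to refresh its settings"
}

# Optional when run on the AD FS server itself; required from any other machine
Set-MsolADFSContext -Computer $adfsHost

# Office 365 now redirects logons for $domain to this farm's AD FS endpoints
Convert-MsolDomainToFederated -DomainName $domain

# Verify: the AD FS Server and Office 365 entries should agree on the endpoints and
# token-signing certificate, and the domain should now report Federated authentication
Get-MsolFederationProperty -DomainName $domain | Format-List
if ((Get-MsolDomain -DomainName $domain).Authentication -ne 'Federated') {
    throw "Conversion did not take effect for $domain"
}
Write-Host "Successfully federated $domain with $adfsHost"
```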


This concludes the setup of the first AD FS server and federation with Office365. Please continue through the rest of the series to complete the setup for the rest of the servers.



My BLOG Series

Deploying a Highly Available AD FS 3.0 Solution in Windows Azure for Single Sign-on with Office365

  1. Setting up the Primary AD FS 3.0 Server in Windows Azure for Office365 Single Sign-On
  2. Setting up the Secondary AD FS 3.0 Server in Windows Azure for Office365 Single Sign-On
    1. Configure the AD FS Servers in an Internal Load-Balanced Set in Windows Azure for Office365 Single Sign-On
    2. Configure the AD FS Servers with Azure Load Balanced Set in Windows Azure for Office365 Single Sign-On
  3. Securing the AD FS 3.0 servers and Configuring Azure ACLs for WAP Communications
  4. Setting up the First Web Application Proxy Servers (AD FS Proxy) in Windows Azure for Office365 Single Sign-On
  5. Setting up the Second Web Application Proxy Server (AD FS Proxy) in Windows Azure for Office365 Single Sign-On
  6. Configure Endpoints and Test the Web Application Proxy Servers (Load-Balanced Set in Windows Azure) for Office365 Single Sign-On

Thanks for visiting and reading my posts. I am always looking for more ideas. Please comment or email me with what you would like to see.

Kelsey Epps Office365 MVP

Technical Consultant

Concepps Group


9 thoughts on “Setting up the Primary AD FS 3.0 Server in Windows Azure for Office365 Single Sign-On”

  1. Pingback: Deploying a Highly Available AD FS 3.0 Solution in Windows Azure for Single Sign-on with Office365 | Office 365 Technical Support Blog

  2. Sven Minas

    It seems as though this article is no longer valid in some regards as Azure has gone through a face lift. My Azure does not look anything like what you have here

  3. David

    Any chance of re-authoring for the new resource manager – or at least explain briefly what changes are required – ‘Microsoft recommends that you use Resource Manager for new resources, and, if possible, re-deploy existing resources through Resource Manager.’, thanks

  4. Stephen Bell

    This is an excellent series of posts. I set this up in a lab environment and it worked excellent! I am not sure of the date of the original posts – but out of curiosity — if you were writing this for the first time in mid 2016 – would you still take this approach or would you lean toward the newer, ARM approach? If so, how would it differ?

    Thanks again for sharing the knowledge,

