10. Establishing Trust with Office 365 for SSO
After the federation service is fully operational, the next step is to configure the trust between AD FS and Office 365. This is accomplished using the Microsoft Online Services Module for Windows PowerShell, which installs a set of Windows PowerShell cmdlets that can be used to configure the trust and enable SSO for a domain, as described in the following sections.
11. Installing the Microsoft Online Services Module
The Microsoft Online Services Module can be downloaded directly from the Office 365 site, and is available in both 32-bit and 64-bit versions. Following are the requirements for a system to run the Microsoft Online Services Module:
• Supported operating systems are Windows 7 or Windows Server 2008 R2.
• .NET Framework 3.5 SP1 must be enabled as a Windows feature.
• Office 365 software updates should be downloaded and installed from the Office 365 portal to ensure that the appropriate versions of all software are used.
The Microsoft Online Services Module also requires administrative access to AD FS 2.0 for the cmdlets to execute successfully. If the module will not be installed and run directly on a federation server, remote access to AD FS must be enabled. You can accomplish this by opening Windows PowerShell as an administrator on the federation server and executing the cmdlet Enable-PSRemoting.
12. Adding or Converting a Domain for SSO
Each domain that will be used for SSO with Lync Online/Office 365 must either be added as an SSO domain or be converted from a standard domain to SSO. The Microsoft Online Services Module is used to add or convert the domain, which sets up a trust between the internal AD FS deployment and Office 365.
Use the following procedure to add a new domain for SSO:
1. Open the Microsoft Online Services Module.
2. Execute the command $cred=Get-Credential, and then at the prompt enter the credentials of an Office 365 administrative account.
3. Execute the command Connect-MsolService -Credential $cred, which creates a connection to Office 365, as required to run the remaining cmdlets.
4. Execute the command Set-MsolAdfscontext -Computer <ADFSprimary>, where <ADFSprimary> is the fully qualified domain name of the primary federation server. This cmdlet creates a connection to the internal federation service.
Note
If the Microsoft Online Services Module is installed on the federation server, the Set-MsolAdfscontext cmdlet is not required.
5. Execute the command New-MsolFederatedDomain -DomainName <Domain>, where <Domain> is the domain to be added and enabled for SSO.
6. The results of the New-MsolFederatedDomain cmdlet include information that must be used to verify ownership of the new domain. Specifically, a new DNS record (either a TXT record or an MX record) must be created within the zone that will be enabled for SSO, and this DNS record is used by Office 365 to confirm domain ownership. Follow through with the instructions to add either the TXT or the MX record to the public DNS zone, and then wait for the change to take effect. The amount of time required will depend on DNS propagation delay, as well as the DNS provider being used.
Note
While either the TXT or the MX record can be tested for validation for Office 365, the TXT record is the preferred method of validation. The reason for this is that the MX record required for validation specifies an address value ending in .invalid, and not all DNS providers support this record. The TXT record, on the other hand, is much more commonly supported.
7. After the DNS verification record has propagated, the New-MsolFederatedDomain cmdlet is executed a second time, specifying the same domain name to finalize the addition of the new SSO domain.
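The seven steps above, collected into a single script that can be run from the Microsoft Online Services Module. This is an added example and not code from the original text: the federation server and domain names are constructed placeholders, the Wait-DnsTxtRecord helper and its use of nslookup are an assumption added here to automate the wait in step 6, and the closing Get-MsolDomain check is a cmdlet from the same module that the text does not mention.

```powershell
# Added example (not from the original text): the add-domain procedure as one script.
# Placeholder values below are constructed; replace them with your own.
$AdfsPrimary = "adfs01.contoso.local"   # placeholder: FQDN of the primary federation server
$Domain      = "contoso.com"            # placeholder: public domain to enable for SSO

# Steps 2-4: authenticate, connect to Office 365, and point the module at AD FS.
$cred = Get-Credential
Connect-MsolService -Credential $cred
Set-MsolAdfscontext -Computer $AdfsPrimary   # not required when run on the federation server

# Step 5: the first run returns the DNS verification record (TXT is preferred over MX).
New-MsolFederatedDomain -DomainName $Domain

# Step 6: poll DNS until the TXT value from the previous output is visible.
# Helper is an assumption added here; nslookup is used because it exists on the
# Windows 7 / Server 2008 R2 systems the module supports. Pass a public resolver
# when internal DNS hosts a split-brain copy of the zone, so the check reflects
# what Office 365 will actually see.
function Wait-DnsTxtRecord {
    param(
        [string]$Name,
        [string]$ExpectedText,
        [string]$Resolver = "",
        [int]$TimeoutMinutes = 60,
        [int]$IntervalSeconds = 120
    )
    $deadline = (Get-Date).AddMinutes($TimeoutMinutes)
    while ((Get-Date) -lt $deadline) {
        if ($Resolver) { $answer = nslookup -type=TXT $Name $Resolver 2>$null | Out-String }
        else           { $answer = nslookup -type=TXT $Name 2>$null | Out-String }
        if ($answer -match [regex]::Escape($ExpectedText)) { return $true }
        Start-Sleep -Seconds $IntervalSeconds
    }
    return $false
}

$txtValue = Read-Host "Paste the TXT record value shown by New-MsolFederatedDomain"
if (-not (Wait-DnsTxtRecord -Name $Domain -ExpectedText $txtValue)) {
    throw "Verification TXT record for $Domain not visible in DNS before timeout; not finalizing."
}

# Step 7: the second run with the same domain name finalizes the SSO domain.
New-MsolFederatedDomain -DomainName $Domain

# Confirm the outcome: Status should be Verified and Authentication should be Federated.
Get-MsolDomain -DomainName $Domain | Select-Object Name, Status, Authentication
```

Throwing before the second New-MsolFederatedDomain run, rather than retrying it blindly, keeps the script from finalizing a domain whose ownership record never became visible; the final Get-MsolDomain line gives a one-glance confirmation that the domain ended up federated rather than left in a half-configured state.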
The following procedure would be used to convert a domain that has already been added to Office 365 from a standard domain to SSO:
1. Open the Microsoft Online Services Module.
2. Execute the command $cred=Get-Credential, and then at the prompt enter the credentials of an Office 365 administrative account.
3. Execute the command Connect-MsolService -Credential $cred, which creates a connection to Office 365, as required to run the remaining cmdlets.
4. Execute the command Set-MsolAdfscontext -Computer <ADFSprimary>, where <ADFSprimary> is the fully qualified domain name of the primary federation server. This cmdlet creates a connection to the internal federation service.
Note
If the Microsoft Online Services Module is installed on the federation server, the Set-MsolAdfscontext cmdlet is not required.
5. Execute the command Convert-MsolDomainToFederated -DomainName <Domain>, where <Domain> is the domain to be converted to SSO.
Note
When a domain that has already been added to Office 365 is converted to SSO, every licensed user automatically becomes federated for SSO.
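The conversion procedure above as a script, with a check before Convert-MsolDomainToFederated and a check after it. This is an added example, not code from the original text: the server and domain names are constructed placeholders, and Get-MsolDomain and Get-MsolFederationProperty are cmdlets from the same module that the text does not mention; their use here for pre- and post-checks is an assumption added in this example.

```powershell
# Added example (not from the original text): converting an existing Office 365 domain to SSO.
# Placeholder values below are constructed; replace them with your own.
$AdfsPrimary = "adfs01.contoso.local"   # placeholder: FQDN of the primary federation server
$Domain      = "contoso.com"            # placeholder: domain already added to Office 365

# Steps 2-4: authenticate, connect to Office 365, and point the module at AD FS.
$cred = Get-Credential
Connect-MsolService -Credential $cred
Set-MsolAdfscontext -Computer $AdfsPrimary   # not required when run on the federation server

# Pre-check (assumption: Get-MsolDomain from the same module). The domain must already be
# added and verified, and still be a standard (managed) domain, before it is converted.
$before = Get-MsolDomain -DomainName $Domain
if ($before.Status -ne "Verified") {
    throw "$Domain is not verified in Office 365; add and verify it before converting."
}
if ($before.Authentication -eq "Federated") {
    Write-Host "$Domain is already federated; nothing to convert."
    return
}

# Step 5: convert the domain. Every licensed user in it becomes federated at this point,
# so run this during a maintenance window with the federation service confirmed reachable.
Convert-MsolDomainToFederated -DomainName $Domain

# Post-check: the domain should now authenticate through AD FS, and the federation
# settings recorded in Office 365 should match those on the internal federation server.
$after = Get-MsolDomain -DomainName $Domain
if ($after.Authentication -ne "Federated") {
    throw "Conversion of $Domain did not result in a federated domain; review AD FS and retry."
}
Get-MsolFederationProperty -DomainName $Domain
```

The pre-check matters because conversion changes sign-in for every licensed user in the domain at once; refusing to proceed on an unverified or already-federated domain avoids a surprise outage or a no-op that looks like success. The final Get-MsolFederationProperty call shows the trust settings held on both sides so that a mismatch between Office 365 and the internal AD FS can be spotted immediately after the change.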