Configuring DirSync and ADFS
Overview
DirSync (directory synchronization) and ADFS together provide a single sign-on experience: DirSync replicates the on-premises Active Directory accounts into Azure AD, and ADFS lets those users authenticate to Office 365 with their on-premises credentials. This also allows user accounts to reside both on premises and in the cloud.
You require one SSL certificate for the operation of the ADFS server:
External SSL Unified Communications (multi-SAN) certificate. Can be purchased online through various certificate authorities.
The external certificate is the ADFS service communication certificate: it secures (TLS) and identifies the federation service to clients and to Azure AD for all requests coming into the ADFS server. Its subject or subject alternative name must match the Federation Service name you choose later in the ADFS wizard.
Installing DirSync
To begin setting up DirSync, log into https://login.microsoftonline.com/ with your administrator account. Next go to Dashboard -> Active users and click Setup next to Active Directory Synchronization.
The DirSync wizard will then ask you a series of questions. To install DirSync, select a user count of at least 51-250 as shown below and then click Next.
Click Next at the welcome screen.
Review the checklist quickly and then click Next to download the app that will verify the checklist for you.
Click Start Scan to begin the check.
Click Run Checks at this screen to continue the automatic check.
When the Security Warning pops up, click Run to run the application.
Once the check is completed you should see an empty list as shown below. If there are issues on this list, review and correct them before proceeding.
Next a scan will be done to check how many objects and domains you have to sync using DirSync.
You will get a summary such as the one below. Typically, of course, more users, groups and contacts will be populated.
On the Get your domains ready page click Next.
At this point review the domains you are syncing and click Next.
The domains are now ready at this point, but there is a warning here since in this example we are using a .local domain. Because .local is not a publicly routable domain, users whose UPN suffix is .local will be synced with a UPN on the tenant's default .onmicrosoft.com domain. This is corrected later by adding the public domain as an alternative UPN suffix.
Download IDFix and run it to ensure there are no lingering issues. IDFix checks the on-premises directory for attribute problems (for example duplicate or malformed proxyAddresses and UPNs) that would cause synchronization errors.
In most cases, once you run IDFix the output should be empty as shown below.
Next, Azure Active Directory Connect will need to be installed. Click Next to continue.
At the welcome splash screen click Continue.
Click Use express settings to continue.
Next log in with your Azure AD administrator account.
Then enter your local AD administrator account details.
Ensure Start the synchronization process as soon as the configuration completes is checked and then click Install.
Installing Active Directory Federation Services
Next go into Server Manager, where the Post-Deployment Configuration warning will be displayed. Click the Configure the federation service on this server link.
Click Next at the Welcome screen.
Specify the AD domain administrator account you would like to use. Then click Next to continue.
At this point import your public SSL certificate. Then ensure your Federation Service name is correct; it must match a name covered by the certificate.
At this point enter a new account name for the Group Managed Service Account (gMSA) that the federation service will run under.
Next continue through the wizard by clicking Next. Once the wizard completes, verify everything was successful. If any issues occurred, ensure they are resolved.
Configuring Single Sign On (SSO) with ADFS
Create a domain administrator account in the on-premises Active Directory. Wait until this account is synced to Azure. Once it is synced it will show up in the Active users list as shown below. Select the account and click Edit User Roles.
On the next page you will see the following admin role options. Select Global Administrator and click Save. This user is now both a local domain administrator and an Office 365 administrator. Because the account is privileged on both sides, protect it accordingly and remove the Global Administrator role once the federation work is complete.
At this point run the commands below from the ADFS server (Convert-MsolDomainToFederated configures the local federation service).
$cred = Get-Credential
- Enter the domain administrator account created above, e.g. jenny@sfbsangoma.onmicrosoft.com, which is an administrator both on premises and in Office 365.
Connect-MsolService -Credential $cred
Convert-MsolDomainToFederated -DomainName sfbsangoma.com -SupportMultipleDomain
- Substitute sfbsangoma.com with your own domain. -SupportMultipleDomain is required if more than one domain will be federated with the same ADFS farm.
Next run the command Get-MsolFederationProperty -DomainName sfbsangoma.com to verify the domain has been federated. It reports the settings from both the ADFS server and Office 365; the two should agree.
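The federation steps above, as an added PowerShell example (not from the original page): it connects with the synced administrator account, refuses to proceed if the domain is not yet verified in the tenant, converts the domain only if it is still managed, then verifies the result from both sides and confirms the ADFS endpoint answers over HTTPS with the external certificate. The domain name, the ADFS service name and the use of Set-MsolADFSContext for a non-ADFS machine are assumptions for this example.

```powershell
# Added example, not part of the original page.
# Assumed values: replace with your own verified domain and Federation Service name.
Import-Module MSOnline

$DomainName  = 'sfbsangoma.com'        # assumed: the verified Office 365 domain to federate
$AdfsService = 'adfs.sfbsangoma.com'   # assumed: Federation Service name entered in the ADFS wizard
$AdfsServer  = $null                   # assumed: set to the ADFS host name if not running on the ADFS server

# 1. Connect with the synced account that holds Global Administrator in Office 365.
$cred = Get-Credential -Message 'Global Administrator, e.g. jenny@sfbsangoma.onmicrosoft.com'
Connect-MsolService -Credential $cred

# When run from a machine other than the ADFS server, point the federation cmdlets at it.
if ($AdfsServer) { Set-MsolADFSContext -Computer $AdfsServer }

# 2. A domain can only be federated once it is verified in the tenant.
$domain = Get-MsolDomain -DomainName $DomainName
if ($domain.Status -ne 'Verified') {
    throw "Domain $DomainName is not verified in Office 365 (status: $($domain.Status))."
}

# 3. Convert only a managed domain; re-running Convert on a federated domain errors out.
if ($domain.Authentication -eq 'Federated') {
    Write-Host "$DomainName is already federated; skipping conversion."
} else {
    Convert-MsolDomainToFederated -DomainName $DomainName -SupportMultipleDomain
}

# 4. Verify: one entry comes from the ADFS server, one from Office 365. They must agree.
$fed = Get-MsolFederationProperty -DomainName $DomainName
$fed | Format-List

# 5. Confirm the federation service is reachable on its public name. A TLS error here
#    means the external certificate or the Federation Service name is wrong.
$metadataUrl = "https://$AdfsService/FederationMetadata/2007-06/FederationMetadata.xml"
$resp = Invoke-WebRequest -Uri $metadataUrl -UseBasicParsing
if ($resp.StatusCode -eq 200) {
    Write-Host "Federation metadata OK at $metadataUrl"
} else {
    throw "Unexpected HTTP $($resp.StatusCode) from $metadataUrl"
}
```

Run the Single Sign-On test at https://testconnectivity.microsoft.com/ only after step 5 succeeds; an unreachable or mis-named federation endpoint is the most common reason that test fails.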
Before testing the first user, ensure the user's UPN uses a public FQDN. If you are using a Windows domain name such as "sfbsangoma.local", add the public domain as an alternative UPN suffix: open Active Directory Domains and Trusts, click Active Directory Domains and Trusts in the left pane, then right-click in the main pane and click Properties.
At this point enter the FQDN domain that is being used for Office 365, in this case "sfbsangoma.com", and then click OK.
At this point edit the user and go to the Account tab. Change the domain part of the UPN to the FQDN domain "sfbsangoma.com". The change reaches Office 365 on the next directory synchronization.
At this point go to https://testconnectivity.microsoft.com/ to run the Office 365 Single Sign-On Test.
On this page enter a valid user account to validate.
Once the test passes, Single Sign-On has been completed. If there are any issues, resolve them before continuing.
Configure Federation between Skype for Business Server 2015 and Skype for Business Online
Run the commands below in the Skype for Business Server Management Shell to configure federation with Skype for Business Online. Check the existing hosting providers with Get-CsHostingProvider first; remove the old "Skype For Business Online" entry only if it is present.
Set-CSAccessEdgeConfiguration -AllowOutsideUsers 1 -AllowFederatedUsers 1 -UseDnsSrvRouting -EnablePartnerDiscovery 1
Get-CsHostingProvider
Remove-CsHostingProvider -Identity "Skype For Business Online"
New-CSHostingProvider -Identity LyncOnline -ProxyFqdn "sipfed.online.lync.com" -Enabled $true -EnabledSharedAddressSpace $true -HostsOCSUsers $true -VerificationLevel UseSourceVerification -IsLocal $false -AutodiscoverUrl https://webdir.online.lync.com/Autodiscover/AutodiscoverService.svc/root
Next log into the Office 365 admin center and select the user you wish to move to Skype for Business Online. Then click Edit next to Assign License.
On the next page check the Office 365 Enterprise E3 license.
Run the commands below to set the shared SIP address space on the Office 365 tenant.
Import-Module LyncOnlineConnector
$cred = Get-Credential
$CSSession = New-CsOnlineSession -Credential $cred
Import-PSSession $CSSession -AllowClobber
Get-CsTenantFederationConfiguration
Set-CsTenantFederationConfiguration -SharedSipAddressSpace $true
Next, since sfbsangoma.local is the on-premises domain, we need to add sfbsangoma.com as an alternative UPN suffix (if this was not already done in the SSO section). To do this go into Active Directory Domains and Trusts and right-click on the domain. Then select Properties.
At this point enter the FQDN SIP domain; sfbsangoma.com is used in this example.
Once this is completed, edit the user you are going to move to the cloud and change the domain part of the UPN from sfbsangoma.local to sfbsangoma.com.
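The UPN suffix change described here and in the SSO section, as an added PowerShell example (not from the original page): it adds the public domain as an alternative UPN suffix on the forest, then changes the domain part of the UPN for users still on the .local suffix, keeping the prefix as it is. The OU used to scope the change and the Start-ADSyncSyncCycle call are assumptions for this example; the two domain names are the ones used on this page.

```powershell
# Added example, not part of the original page.
# Requires the ActiveDirectory module (RSAT) and rights to modify the forest and the users.
Import-Module ActiveDirectory

$OldSuffix  = 'sfbsangoma.local'                 # on-premises domain from this page
$NewSuffix  = 'sfbsangoma.com'                   # public / SIP domain from this page
$SearchBase = 'OU=Users,DC=sfbsangoma,DC=local'  # assumed: limit the change to one OU
$Apply      = $false                             # assumed: set to $true to apply instead of -WhatIf

# 1. Add the alternative UPN suffix to the forest (same effect as the Domains and Trusts dialog).
$forest = Get-ADForest
if ($forest.UPNSuffixes -notcontains $NewSuffix) {
    Set-ADForest -Identity $forest.Name -UPNSuffixes @{ Add = $NewSuffix }
    Write-Host "Added UPN suffix $NewSuffix to forest $($forest.Name)"
} else {
    Write-Host "UPN suffix $NewSuffix already present"
}

# 2. Rewrite only the domain part of the UPN for users still on the old suffix.
$users = Get-ADUser -Filter "UserPrincipalName -like '*@$OldSuffix'" -SearchBase $SearchBase
foreach ($u in $users) {
    $prefix = $u.UserPrincipalName.Split('@')[0]
    $newUpn = "$prefix@$NewSuffix"
    if ($Apply) {
        Set-ADUser -Identity $u -UserPrincipalName $newUpn
    } else {
        Set-ADUser -Identity $u -UserPrincipalName $newUpn -WhatIf
    }
}

# 3. Report anything left on the old suffix; these users will keep a .onmicrosoft.com UPN in the cloud.
Get-ADUser -Filter "UserPrincipalName -like '*@$OldSuffix'" -SearchBase $SearchBase |
    Select-Object SamAccountName, UserPrincipalName

# 4. Assumed: push the change to Azure AD without waiting for the scheduled sync.
#    Run on the Azure AD Connect server (ADSync module).
if ($Apply -and (Get-Module -ListAvailable -Name ADSync)) {
    Import-Module ADSync
    Start-ADSyncSyncCycle -PolicyType Delta
}
```

Leave $Apply at $false for a first run so that -WhatIf shows exactly which users would change; the sign-in name in Office 365 changes as soon as the next synchronization runs, so tell affected users before applying.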