Federating Active Directory users with Microsoft Office 365 for use with Clearlogin


Federating Active Directory (AD) users with Microsoft Office 365 for use with Clearlogin can be a seemingly daunting task at first, but it's actually very easy to do!

Getting Started

This article is written under the assumption that you have already registered an Office 365 account and deployed an AD environment running on Windows Server 2012 R2 (these instructions should work with older versions of Windows Server as well, however some menu and user interface aspects may be a bit different) that you are using as an Identity Source for Clearlogin.

For step by step instructions on getting started with setting up Active Directory and DNS on your Windows Server, I recommend watching this video.

You will also need to promote your server to a Domain Controller, which is tutorialized in this video.

Make sure that you have Internet Information Services (IIS) installed.  Microsoft explains the steps required to do this here.

You will also need a service account for ADFS.  You can use the default AD Administrator account, however it's not recommended.  For this purpose I have created an AD account with domain administrator privileges called ADFS.

Finally, please make sure that you have Certificate Services installed.  This process is detailed here.

Certificate Services should be installed on a separate server in the same forest if at all possible, since servicePrincipalNames can be duplicated between Server (NetBIOS) Name and the Federation Service Name.

Configuring Office 365

Log into your Office 365 administrator account (this is the yourusername@yourdomain.onmicrosoft.com account that you were first assigned when you created your Office 365 account):  https://login.microsoftonline.com.

Click on the menu button on the top, right-hand corner of the screen.

Select "Admin" from the menu that pops up.

You will be brought to the "Admin Center."  From here you can configure everything from Users and Groups to Billing and Services, etc.

For our needs we're going to be configuring our Domains.

Click on "Settings" and then select "Domains" from the drop-down menu.

Click on "Add domain" on the Domains page.

Enter your domain name on the New Domain page and click "Next."

You will be prompted to verify that you own the domain that you've entered.  You can do this by either adding a TXT Record or an MX Record.  Usually it's easier to add a TXT Resource Record to your domain's DNS.

Microsoft provides instructions on how to do this if your DNS hosting provider is eNomCentral.  If you are not using eNomCentral as your DNS host, then please check with your domain's registrar for instructions on how to modify your domain's TXT and MX records.

Once you have added the TXT or MX record, click on "Verify."
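Before clicking "Verify," it helps to confirm that the TXT record is actually visible from the public Internet, since Microsoft's verification service queries public DNS and a record that only exists in your internal zone (or is still propagating) will fail the check. The following PowerShell snippet is an added example, not part of the original article or of Clearlogin's tooling; the domain name, the expected TXT value and the public resolver address are placeholders you replace with your own.

```powershell
# Added example (not from the original article): check that the verification TXT
# record Office 365 asked for is published before clicking "Verify".
# $Domain, $ExpectedValue and $Resolver are placeholders.
$Domain        = 'yourdomain.example'
$ExpectedValue = 'MS=ms12345678'     # placeholder; copy the exact value from the Office 365 page
$Resolver      = '8.8.8.8'           # any public recursive resolver

# Query a public resolver directly (-DnsOnly skips the local cache and hosts file),
# so an internal DNS server or a stale cache cannot hide what Microsoft will see.
$records = Resolve-DnsName -Name $Domain -Type TXT -Server $Resolver -DnsOnly -ErrorAction Stop

# Resolve-DnsName returns one object per record; TXT text lives in the .Strings array
# (long values may be split into several strings, so join them before comparing).
$txt   = $records | Where-Object { $_.Type -eq 'TXT' }
$found = $txt | Where-Object { ($_.Strings -join '') -eq $ExpectedValue }

if ($found) {
    Write-Host "TXT record '$ExpectedValue' is published for $Domain; safe to click Verify."
} else {
    Write-Warning "Expected TXT value not yet visible for $Domain. Published TXT values:"
    $txt | ForEach-Object { Write-Warning ("  " + ($_.Strings -join '')) }
    Write-Warning "Wait for propagation (see the zone's TTL) and run this again."
}
```

Resolve-DnsName is part of the DnsClient module that ships with Windows Server 2012 and later; on older servers the same check can be done with nslookup -type=TXT.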

If all goes well, you will be brought to the "Set up your online services" screen.

You can either have Office 365 update your DNS records for you, or you can do it manually.  It's recommended to allow Office 365 to automatically modify your DNS records for you if you don't have a website attached to your domain.

If you choose, "I'll manage my own DNS Records," then you will be presented with the following tables to enter into your DNS records:

If you select "Set up my online services for me," you will most likely still have to enter some records in manually after Office 365 finishes configuring your DNS records:

Once all DNS records are entered and you have clicked on the "Verify" button, you should be presented with the following screen, indicating that everything is working as intended:

Click on the "Finish" button to continue.

You will be brought back to the "Domains" page.  As you can see, your newly entered domain has been made into the default domain.  However, we don't want this yet, since in order to initiate Active Directory Federation with Office 365, the domain to be federated must not be the default.

Click on the ".onmicrosoft.com" FQDN.

You will be presented with the domain's configuration summary page.  Click on the "Set as default" button.

The settings will take a moment to take effect, but once they do you will receive a message stating that the default domain has been successfully changed:

Click on "Close" to continue.

Setting Up Active Directory Federation Services

Now that you have your domain properly configured with Office 365, you will need to get Active Directory set up with Active Directory Federation Services (ADFS).

To begin, first open the Server Manager.

Next, click on Manage and then select Add Roles and Features.

You will be prompted with the Add Roles and Features Wizard.

Make sure that Role-based or feature-based installation is selected and click on Next.

Select your server from the server pool and click on Next.

Check the Active Directory Federation Services checkbox and click on Next.  Do not select any other Server Roles.

Leave all the defaults on the Features page and click Next.

Confirm the Server Role addition and click on Next.

Confirm the installation selections and make sure to check Restart the destination server automatically if required.

Once the feature installation is complete, click on Close.

Generating a Self-Signed Certificate for ADFS

Only perform the following if you're not going to be purchasing a certificate from a trusted certificate authority:

To begin, start by opening the Server Manager.

Click on Tools and then select Internet Information Services (IIS) Manager.

From the IIS Manager, select your server from under Connections.  You will be brought to the following screen:

Double-click on Server Certificates as shown above.

Under Actions, click on Create Self-Signed Certificate.

On the Create Self-Signed Certificate screen, name your certificate (anything that you want it to be, although something preferably easy to identify) and make sure that Personal is selected for the Certificate Store.  Click on OK to continue.

Right-click on your newly created certificate and then click on Export.

Save the certificate (a .pfx file) to a directory that you will remember.  You can name the file anything that you want.

A password is required as well for exporting.  Please make it something complex that you will remember.

Click on OK when you're done.

To verify that the certificate definitely exists, open a Run prompt (hold down the Windows key and press R).

Type in certmgr.msc and then press enter.

From the Certificates - Current User tree, navigate to Certificates under Trusted Root Certification Authorities.

Your certificate will be listed with its friendly name for ease of searching.

You may close this window after verifying the existence of your new certificate.
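The same verification can be done from PowerShell, which also shows the fields that matter for the ADFS configuration later on: the Subject (whose CN becomes the Federation Service Name), the expiry date and whether the private key is present. This is an added example, not something from the original article; it assumes the friendly name you typed on the Create Self-Signed Certificate screen (placeholder below) and looks in the machine's Personal store, which is where IIS Manager creates the certificate, as well as the machine's Trusted Root store.

```powershell
# Added example (not from the original article): inspect the self-signed ADFS
# certificate from PowerShell. $FriendlyName is a placeholder.
$FriendlyName = 'ADFS Self-Signed'

# IIS Manager writes the certificate to the machine Personal store (Cert:\LocalMachine\My),
# which is also the store the ADFS configuration wizard lists in its drop-down.
$cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.FriendlyName -eq $FriendlyName }

if (-not $cert) { throw "No certificate with friendly name '$FriendlyName' in Cert:\LocalMachine\My" }

# Subject CN is what the wizard turns into the Federation Service Name; if it equals the
# server's own host name you will hit the duplicate-SPN problem described later.
$cert | Select-Object Subject, FriendlyName, Thumbprint, NotBefore, NotAfter, HasPrivateKey

if (-not $cert.HasPrivateKey) {
    Write-Warning 'Private key is missing: the .pfx export and the ADFS wizard will both fail.'
}
if ($cert.NotAfter -lt (Get-Date).AddDays(30)) {
    Write-Warning "Certificate expires on $($cert.NotAfter); plan the replacement now."
}

# A self-signed certificate is only trusted where it has been imported as a root.
$trusted = Get-ChildItem Cert:\LocalMachine\Root | Where-Object { $_.Thumbprint -eq $cert.Thumbprint }
if ($trusted) {
    'Also present in the machine Trusted Root Certification Authorities store.'
} else {
    Write-Warning 'Not in the machine Trusted Root store; clients will see a trust warning until they import it.'
}
```

Note the thumbprint it prints: it is the quickest way to confirm you picked the right certificate in the ADFS wizard's drop-down, since several certificates with similar subjects can accumulate on a server.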

Configuring Active Directory Federation Services

If you have never configured ADFS before (as this article assumes), then please click on the Notifications Flag in the Server Manager, and then select Configuration required for Active Directory Federation Services at [your server].

If you already have used ADFS in the past, then navigate to the Server Manager Dashboard, and click on Tools and then select AD FS Management.

You will be presented with the Active Directory Federation Services Configuration Wizard.

If this is your first time configuring ADFS, leave the Create the first federation server in a federation server farm radio box selected.  Otherwise you may use the Add a federation server to a federation server farm option.

Click on Next to continue.

You will need to select a user that has AD domain administrator privileges.  By default the Administrator account is selected.  Best security practices dictate that you don't use the Administrator account and that you create a separate service account just for this purpose.

Click on Change and then use the login prompt to login with the service account's credentials.

Click on Next to continue.

On the Specify Service Properties page, you will need to select your SSL Certificate.  You can do this from the drop-down menu.  If for some reason you don't see your certificate listed, or if you're not sure which one is the right one, you can use the Import button to import the certificate, as long as you exported the certificate from AD CS (as described above).

When importing a certificate, you will be prompted for the password that you created when exporting the certificate.

Once you have selected or imported your SSL certificate, the Federation Service Name will be automatically filled in.  You will however have to fill in the Federation Service Display Name.  Typically you would want to make this the name of your organization, or "Your Organization's Name - Office 365."

Click on Next after configuring each field.

On the Specify Service Account page you may create a group Managed Service Account (gMSA), or use an existing gMSA account or domain user account.

If you receive the message below that's highlighted in yellow, "Group Managed Service Accounts are not available because the KDS Root Key has not been set." then please refer to Microsoft's documentation on how to set the KDS Root Key.

For our purposes, I'm going to go with the standard admin domain user account that I created earlier.  This can be selected by clicking on the Select button, and then searching for the account.

After clicking on Select, you will be prompted to search for your service account.  Type the service account name in the Enter the object name to select field, and then click on the Check Names button.

After a moment the text field with your username will refresh and show the corrected display name and domain name.

Click OK to continue.

Type the account's password into the Account Password text field that appears after selecting your account and then click on Next.

On the Specify Configuration Database page, you may either Create a database on this server using Windows Internal Database, or Specify the location of a SQL Server database.

For our purposes, we're going to create a database using Windows Internal Database (the default option), so keep that radio button checked.

Click Next to continue.

You will now be given the option to take a moment to review your selections, and optionally view the PowerShell script that has been created through this wizard.  You may save it by clicking on the View script button and then saving the generated text document (it opens in Notepad).  This is useful to have if you plan on doing multiple installations of this type, since you can just import the script in the future.

Click on Next to continue.

On the Pre-requisite Checks page, as long as all checks complete successfully, click on the Configure button.

The installation/configuring of the Windows Internal Database will begin.  This may take a while, so do not be alarmed if your server hangs on the below screen for up to 15+ minutes:

Click on Close upon completion of the server configuration.

You may receive an error message stating, "An error occurred during an attempt to set the SPN [servicePrincipalName] for the specified service account.  Set the SPN for the service account manually."

This is a common problem that occurs when the Server (NetBIOS) Name is the same as the Federation Service Name (which happens when the certificate is generated on the same server that ADFS is on).

A lot of administrators experience this and don't fix it, since most if not all functions will still work properly.  However, on a more complicated setup it's possible for problems to arise.

As per Microsoft, this usually happens when creating a self-signed certificate on the same server that ADFS is also installed on, without specifying a different Federation Service Name while configuring ADFS for the first time.

There are two ways to fix this.  The first is to change the computer name to something else, which will remove the duplicate SPN.  You will then be able to add the host SPN for the ADFS service account using the ADSI Edit tool (adsiedit.msc), or with the "-s" switch if you are using the command.

The other option is to change the Federation Service Name, however you will also need to change the certificate's Subject Name to the changed Federation Service Name.

Alternatively you can uninstall ADFS and start over with a different certificate.
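Whichever fix you choose, it is worth confirming afterwards that exactly one object in the directory holds the host/ SPN for the Federation Service Name, because Kerberos authentication to ADFS silently misbehaves when two accounts claim the same SPN. The following PowerShell check is an added example, not from the original article; it assumes the ActiveDirectory module (RSAT) is available on the server and uses placeholders for the Federation Service Name and the service account name.

```powershell
# Added example (not from the original article): find out who holds the ADFS host/ SPN.
# $FederationServiceName and $ServiceAccount are placeholders.
Import-Module ActiveDirectory

$FederationServiceName = 'fs.yourdomain.example'   # the CN from the certificate Subject
$ServiceAccount        = 'ADFS'                     # sAMAccountName of the ADFS service account
$spn = "host/$FederationServiceName"

# Every object claiming this SPN. Wrapping in @() keeps .Count correct when one object is returned.
$owners = @(Get-ADObject -LDAPFilter "(servicePrincipalName=$spn)" -Properties servicePrincipalName)

"Objects holding ${spn}: $($owners.Count)"
$owners | Select-Object Name, ObjectClass, DistinguishedName

switch ($owners.Count) {
    0 {
        Write-Warning "Nobody holds $spn. Register it on the service account (setspn -s adds it only if no duplicate exists)."
    }
    1 {
        if ($owners[0].ObjectClass -eq 'computer') {
            # This is the case the article describes: the Federation Service Name equals the
            # server's own name, so the computer account already owns host/<name>.
            Write-Warning "$spn is held by the computer account $($owners[0].Name), not by $ServiceAccount."
        } else {
            "OK: $spn has a single owner, $($owners[0].Name)."
        }
    }
    default {
        Write-Warning "Duplicate SPN: $spn is held by more than one object. Rename the server or change the Federation Service Name as described above."
    }
}

# The same check for the service account's full SPN list, useful after manual edits in ADSI Edit.
Get-ADUser -Identity $ServiceAccount -Properties servicePrincipalName |
    Select-Object -ExpandProperty servicePrincipalName
```

For a forest-wide sweep rather than one name, setspn -X reports every duplicated SPN it finds; run it after the rename so you can confirm the conflict is gone.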

Sync'ing Office 365 with Active Directory

Log into your Office 365 administrator account (this is the yourusername@yourdomain.onmicrosoft.com account that you were first assigned when you created your Office 365 account):  https://login.microsoftonline.com.

Click on the menu button on the top, right-hand corner of the screen.

Select "Admin" from the menu that pops up.

You will be brought to the "Admin Center."  From here you can configure everything from Users and Groups to Billing and Services, etc.

Select Directory Synchronization.

Click on "Go to DirSync readiness wizard" on the window that pops up.

You will be redirected to the Office 365 Directory Sync Setup Wizard.  Select your organization's size on the first page and then click on Next.

Click on Next again.

Make sure that you meet the listed requirements (if you're running Server 2012 R2 and are logged into an account with Domain Admin privileges, then you definitely do out of the box) and then click on Next to continue and run Microsoft's application that will scan your local directory and begin the setup process.

Click on "Start scan."

Click on the "Run checks" button to begin the app installation.

Click on "Run."

The app will begin to download.

After downloading, please wait for the evaluation to begin.  It may take a few minutes before the green progress bar appears.

Once the evaluation is complete, you should receive the following message.

Close the tab and you will be brought back to the Office 365 Setup screen, which should have a message stating that the scan is complete.

Click on Next to continue on to the next step.

If the scan results appear correct, then click on Next to continue.

The next step will be to have your on-premises domains verified and added to Office 365.  We've already gone through these steps above, so click on Next to continue.

As you can see, we are effortlessly successful with this process.

Click on Next to keep going.

Click on Next again.

The next step is to verify that there aren't any errors with your local AD environment.

Click on the download link to download IdFix, and run it once to check for and fix any errors that might exist.  Run it a second time to make sure that all errors have been fixed.

Click on OK to continue.

Click on "Query."

As you can see, we don't have any errors, so you don't need to run IdFix a second time.

You may go ahead and close IdFix and then click Next on the "Clean up your environment" page.

For the final step in the Office 365 Setup process, we have to install and run Azure Active Directory Connect.

This is Microsoft's successor to "DirSync" (for those of you that have performed this process in the past) that runs the synchronization service.

Begin by clicking on Download and running the application.

Check the agreement checkbox and then click on Continue.

Since we only have one AD forest, we're going to select "Use express settings."

The installation might take a moment, but don't worry it's not frozen.

Enter your Office 365 credentials (the yourusername@yourdomain.onmicrosoft.com account that you were first assigned when you created your Office 365 account) and then click on Next.

Enter your ADFS service account username and password and then click on Next to continue.  You may also choose to use a separate service account.

After validating your credentials, make sure the "Start the synchronization process when configuration completes" checkbox is checked on the Ready to configure page and then click on Install.

The configuration process might take a while, especially if you have a large AD database.

Once the configuration is complete, you will be presented with the below screen, confirming that the setup is successful:

Next let's make sure that our users' accounts properly sync'd themselves with Office 365:

Log into your Office 365 administrator account (this is the yourusername@yourdomain.onmicrosoft.com account that you were first assigned when you created your Office 365 account):  https://login.microsoftonline.com.

Click on the menu button on the top, right-hand corner of the screen.

Select "Admin" from the menu that pops up.

You will be brought to the "Admin Center."

From here you can see if your Directory/Password Sync actually worked and when the last sync took place:

Click on the icon on the navigation bar that's a picture of a single person and then click on "Active Users" to be brought to a list of your active users.

If all went according to plan, your active users should look something like this:

Congratulations, you have successfully synchronized Active Directory with Office 365!
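The Admin Center view above tells you whether a sync happened; from PowerShell you can check both ends in one go, which is handy when the portal shows a stale "last sync" time. This is an added example, not part of the original article or of Azure AD Connect's own setup. It assumes it is run on the server where Azure AD Connect is installed (so the ADSync module is present), that the Azure AD for PowerShell (MSOnline) module is installed, and uses a placeholder user principal name.

```powershell
# Added example (not from the original article): verify Azure AD Connect synchronization
# from both the local server and the Office 365 tenant. $Upn is a placeholder.

# 1. Local side: is the scheduler enabled and when does the next cycle run?
Import-Module ADSync
Get-ADSyncScheduler | Select-Object SyncCycleEnabled, SyncCycleInProgress, StagingModeEnabled,
    CurrentlyEffectiveSyncCycleInterval, NextSyncCycleStartTimeInUTC

# 2. Tenant side: when did Office 365 last receive a directory sync and a password sync?
Connect-MsolService      # prompts for the yourusername@yourdomain.onmicrosoft.com admin account
$info = Get-MsolCompanyInformation
$info | Select-Object DirectorySynchronizationEnabled, LastDirSyncTime, LastPasswordSyncTime

if (-not $info.DirectorySynchronizationEnabled) {
    Write-Warning 'Directory synchronization is not enabled on the tenant.'
}
# Default scheduler interval is 30 minutes, so anything older than a few hours means a stuck cycle.
if ($info.LastDirSyncTime -lt (Get-Date).ToUniversalTime().AddHours(-3)) {
    Write-Warning "Last directory sync was $($info.LastDirSyncTime) UTC; check Synchronization Service Manager for errors."
}

# 3. Spot-check one account: synced users carry an ImmutableId (the on-premises objectGUID)
#    and a LastDirSyncTime; cloud-only users have neither.
$Upn = 'someone@yourdomain.example'
$user = Get-MsolUser -UserPrincipalName $Upn
$user | Select-Object UserPrincipalName, ImmutableId, LastDirSyncTime, LastPasswordChangeTimestamp
if (-not $user.ImmutableId) { Write-Warning "$Upn is cloud-only; it did not come from Active Directory." }

# 4. If nothing has synced yet, start a delta cycle instead of waiting for the schedule.
# Start-ADSyncSyncCycle -PolicyType Delta
```

A user that shows up in Active Users but has no ImmutableId is a cloud-only account that will not be matched to its AD counterpart, which is the usual cause of "duplicate user" surprises after the first sync.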

Federating AD with Microsoft Office 365 for use with Clearlogin

Now for the part you've all been waiting for!  We're going to use Clearlogin's PowerShell script to federate AD users with Office 365 for use with Clearlogin!

To begin, we will need to create an Office 365 App Connector in Clearlogin.

Navigate to your Clearlogin admin panel and log in:  https://admin.clearlogin.com

Click on "Apps" and then select "Add New."

Search for the Office 365 app connector and select it.

Change the Display Name to anything that you want and add any Access Tags that you might want to use.

Click on the green button that says, "Save Office 365 App" to save your changes.

You will be brought to the App Connection summary page.  Save the Public Certificate by clicking on the green button that says, "Download Certificate."  We're going to need this shortly.

Next, install the Azure AD for PowerShell module from here.

If while installing the Azure AD for PowerShell module you receive an error stating, "In order to install Windows Azure Active Directory Module for Windows PowerShell you must have Microsoft Online Services Sign-In Assistant version 7.0 or greater installed on this computer." then please install Microsoft Online Services Sign-In Assistant from here.

Next, download and extract msol_clearlogin.ps1, our PowerShell script for federating Office 365 with Clearlogin, from either here or the bottom of this page.

Open PowerShell ISE as an Administrator.

Open msol_clearlogin.ps1 in PowerShell ISE (File > Open, or Ctrl +O).

Click on the green run button to run the script.

If you receive an error stating, "File [your path] cannot be loaded because running scripts is disabled on this system." then run the following command:  "Set-ExecutionPolicy unrestricted".
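Set-ExecutionPolicy unrestricted changes the machine-wide policy for every future script. A narrower way to get the same script running, added here as an example rather than taken from the original article, is to unblock the downloaded file and relax the policy only for the current PowerShell session; the script path below is a placeholder.

```powershell
# Added example (not from the original article): let the downloaded script run without
# changing the machine-wide execution policy. $ScriptPath is a placeholder.
$ScriptPath = 'C:\Path\To\msol_clearlogin.ps1'

# Show the policy at every scope; the most specific defined scope (Process > CurrentUser > Machine) wins.
Get-ExecutionPolicy -List

# Files downloaded from the Internet carry a Zone.Identifier mark that RemoteSigned refuses
# unless the file is signed. Removing the mark treats the script as a local file.
Unblock-File -Path $ScriptPath

# Process scope lives only in this PowerShell window and is discarded when it closes;
# RemoteSigned runs local scripts and requires a signature only for still-marked downloads.
Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Scope Process -Force

# Confirm which policy is now effective before running the script.
Get-ExecutionPolicy
```

Running the script from PowerShell ISE picks up the Process-scope policy of that ISE window, so set it in the same window in which you open msol_clearlogin.ps1.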

You will be prompted for credentials.  Enter your Office 365 admin account username and password (you@yourdomain.onmicrosoft.com).

The next prompt will be for your Clearlogin subdomain (without the ".clearlogin.com").

You will then be asked to select and upload the public certificate that you obtained from https://admin.clearlogin.com, so go ahead and do that.

Finally, you will be asked for the domain in question: enter the domain that you're federating with Office 365.

And that's it!
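Once the script has finished, you can confirm from the tenant side that the domain really switched from Managed to Federated and that the signing certificate Office 365 now trusts is the one you downloaded from the Clearlogin admin panel. The following check is an added example and is not part of the original article or of the msol_clearlogin.ps1 script; it uses the same Azure AD for PowerShell (MSOnline) module installed earlier, and the domain name and certificate path are placeholders.

```powershell
# Added example (not from the original article): verify the federation settings that
# msol_clearlogin.ps1 wrote to the tenant. $Domain and $CertPath are placeholders.
$Domain   = 'yourdomain.example'
$CertPath = 'C:\Path\To\clearlogin-public-certificate.cer'   # file from "Download Certificate"

Connect-MsolService    # sign in with the you@yourdomain.onmicrosoft.com admin account

# 1. The domain must report Federated authentication; Managed means the script did not take effect.
$dom = Get-MsolDomain -DomainName $Domain
"$($dom.Name): Status=$($dom.Status) Authentication=$($dom.Authentication)"
if ($dom.Authentication -ne 'Federated') { throw "$Domain is still Managed." }

# 2. The endpoints users will be redirected to should all point at your Clearlogin subdomain.
$fed = Get-MsolDomainFederationSettings -DomainName $Domain
$fed | Select-Object FederationBrandName, IssuerUri, PassiveLogOnUri, ActiveLogOnUri, LogOffUri

# 3. Compare the signing certificate held by Office 365 with the downloaded public certificate.
#    The tenant stores it as base64 DER; the .cer file may be DER or base64 with PEM headers,
#    and the X509Certificate2 file constructor accepts either.
$local = New-Object -TypeName System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $CertPath
$cloudBytes = [Convert]::FromBase64String($fed.SigningCertificate)
$cloud = New-Object -TypeName System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,$cloudBytes)

if ($local.Thumbprint -eq $cloud.Thumbprint) {
    "Signing certificate matches the Clearlogin public certificate (thumbprint $($local.Thumbprint))."
} else {
    Write-Warning "Thumbprint mismatch: tenant holds $($cloud.Thumbprint), local file is $($local.Thumbprint)."
}
if ($cloud.NotAfter -lt (Get-Date).AddDays(30)) {
    Write-Warning "Signing certificate expires on $($cloud.NotAfter); upload a new one before then."
}
```

The thumbprint comparison is the important part: the signing certificate is what tells Office 365 which identity provider's assertions to accept for the whole domain, so it should match exactly what Clearlogin shows on the App Connection summary page.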
