Testing AD FS for Office 365 without Directory Synchronization


Let’s say you’re in one of the following scenarios:

  • You need to set up AD FS for a shared hosting environment and won’t have any identities synchronized from the forest where AD FS will be deployed and want to verify that the AD FS infrastructure is working.
  • You need to stage AD FS before you’re ready to connect to Office 365 and want to verify that the AD FS infrastructure is working.

In either case, you need to get an identity in the cloud that can be linked back to an on-premises identity. It’s actually way easier than it sounds.

Confirm a domain in a tenant

In order to configure federation, you must have a verified domain in a tenant. So, do that.

Add the UPN suffix for the tenant domain to your AD forest

Again, if you’ve been working with Office 365 for a while, this should come as no surprise. If you haven’t done this before:

  1. Launch Active Directory Domains and Trusts.
  2. At the top node (Active Directory Domains and Trusts), right-click and select Properties.
  3. Type the new domain suffix for the domain that you will be testing this AD FS infrastructure against, and click Add.
  4. Click OK to close the UPN suffixes dialog box.

Federate your domain

This is a pretty straightforward process. You’ll need a global admin ID in your Office 365 tenant and to have installed the Azure Active Directory PowerShell cmdlets on your AD FS primary farm server.

  1. Log into the primary AD FS Farm server.
  2. Launch Elevated PowerShell prompt.
  3. Store a credential object.
    $cred = Get-Credential <enter department Global Admin in the form of admin@tenant.onmicrosoft.com>
  4. Connect to Microsoft Online Service.
    Connect-MSOLService -Credential $cred
  5. If you didn’t log into the primary farm server, update the AD FS context:
    Set-MsolAdfsContext -Computer <primary AD FS farm server>
  6. Federate the domain (I usually use the -SupportMultipleDomain switch, even though it adds an extra transform to the configuration)
    Convert-MsolDomainToFederated -DomainName <dept namespace> -SupportMultipleDomain
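As an added example (not the original post’s script), here is the UPN-suffix step and the federation steps above put together in one PowerShell run, with the pre-flight checks and post-checks I would want before handing the farm to someone else. It assumes the MSOnline, ActiveDirectory and ADFS modules are installed on the primary AD FS farm server (on Windows Server 2012 the ADFS cmdlets come from the Microsoft.Adfs.PowerShell snap-in instead), and the domain name is a placeholder for the domain you verified in the tenant.

```powershell
# Added example: federate a verified tenant domain from the primary AD FS farm server
# and check the result at both ends. Not from the original post.
# Assumptions: elevated PowerShell on the primary farm server; MSOnline, ActiveDirectory
# and ADFS modules present; $DomainName is the domain already verified in the tenant.
$DomainName  = 'verifieddomain.com'    # placeholder: your verified tenant domain
$AdfsPrimary = $env:COMPUTERNAME       # primary farm server; set explicitly if run elsewhere

Import-Module ActiveDirectory
Import-Module MSOnline

# Pre-flight 1: the UPN suffix must exist in the forest, or on-prem users cannot carry
# the tenant domain in their UPN (the Domains and Trusts GUI step, done from PowerShell).
$forest = Get-ADForest
if ($forest.UPNSuffixes -notcontains $DomainName) {
    Set-ADForest -Identity $forest.Name -UPNSuffixes @{ Add = $DomainName }
    Write-Host "Added UPN suffix $DomainName to forest $($forest.Name)"
}

# Pre-flight 2: the domain must be verified in the tenant and not already federated.
$cred = Get-Credential -Message 'Global Admin (admin@tenant.onmicrosoft.com)'
Connect-MsolService -Credential $cred
Set-MsolAdfsContext -Computer $AdfsPrimary

$domain = Get-MsolDomain -DomainName $DomainName
if ($domain.Status -ne 'Verified') {
    throw "Domain $DomainName is '$($domain.Status)' in the tenant; verify it before federating."
}
if ($domain.Authentication -eq 'Federated') {
    Write-Warning "$DomainName is already federated; skipping conversion."
} else {
    Convert-MsolDomainToFederated -DomainName $DomainName -SupportMultipleDomain
}

# Post-check 1: the tenant should now point sign-ins for this domain at this farm.
$fed = Get-MsolDomainFederationSettings -DomainName $DomainName
Write-Host "Issuer URI  : $($fed.IssuerUri)"
Write-Host "Passive URL : $($fed.PassiveLogOnUri)"
Write-Host "Signing cert present: $([bool]$fed.SigningCertificate)"

# Post-check 2: the farm should hold the relying party trust the conversion creates.
Import-Module ADFS
$rp = Get-AdfsRelyingPartyTrust -Name 'Microsoft Office 365 Identity Platform'
if (-not $rp) { throw 'Office 365 relying party trust not found on this farm.' }
Write-Host "Relying party trust enabled: $($rp.Enabled)"
```

The two post-checks are the ones that matter for troubleshooting later: if the issuer URI or passive logon URL in the tenant does not match what the farm actually publishes, or the relying party trust is missing or disabled, the federated sign-in will fail even though every cmdlet above returned without error.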

Create a fake synchronized object

This is the moment we’ve all been waiting for.

  1. Create an identity in the AD FS Active Directory forest (in my case, I named the user testfederation) using the UPN suffix. I’m creative that way.
  2. Launch the Azure AD PowerShell and connect to Office 365.
  3. Import the ActiveDirectory module.
  4. Convert the user’s objectGUID to the base64 value that will be used in Office 365 using this snazzy one-liner:
    $ImmutableID = [system.convert]::ToBase64String((get-aduser testfederation).objectGuid.ToByteArray())
  5. Create a new user in the federated namespace:
    New-MsolUser -UserPrincipalName testfederation@verifieddomain.com -DisplayName "Test Federation" -FirstName "Test" -LastName "Federation" -ImmutableID $ImmutableID
  6. Test logging in with the federated ID to Office 365.
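Here is the same procedure as one added PowerShell example (mine, not the post’s), which also creates the on-premises user and then decodes the ImmutableID the tenant stored to confirm it really matches the on-prem objectGUID. It assumes you are still in the session that connected to Microsoft Online above, that the ActiveDirectory module is present, and that the user and domain names are the placeholders used in the post.

```powershell
# Added example: create the on-prem test user, stamp its objectGUID into the cloud user
# as ImmutableID, and verify that the link round-trips. Not from the original post.
# Assumptions: Connect-MsolService already done in this session; ActiveDirectory module
# present; names and domain are placeholders taken from the post.
$DomainName = 'verifieddomain.com'   # placeholder: your verified, federated tenant domain
$Sam        = 'testfederation'
$Upn        = "$Sam@$DomainName"

Import-Module ActiveDirectory

# 1. On-prem identity carrying the tenant UPN suffix. Password is prompted, not hard-coded.
if (-not (Get-ADUser -Filter "SamAccountName -eq '$Sam'")) {
    New-ADUser -Name 'Test Federation' -GivenName 'Test' -Surname 'Federation' `
        -SamAccountName $Sam -UserPrincipalName $Upn `
        -AccountPassword (Read-Host -AsSecureString "Password for $Upn") -Enabled $true
}
$adUser = Get-ADUser -Identity $Sam

# 2. ImmutableID = base64 of the raw objectGUID bytes. This is the same value directory
#    synchronization would write, so a later sync can hard-match this object instead of
#    creating a duplicate.
$ImmutableID = [Convert]::ToBase64String($adUser.ObjectGUID.ToByteArray())

# 3. Cloud identity in the federated namespace carrying that anchor.
if (-not (Get-MsolUser -UserPrincipalName $Upn -ErrorAction SilentlyContinue)) {
    New-MsolUser -UserPrincipalName $Upn -DisplayName 'Test Federation' `
        -FirstName 'Test' -LastName 'Federation' -ImmutableId $ImmutableID | Out-Null
}

# 4. Round-trip check: decode what the tenant stored and compare it to the on-prem GUID.
$cloud   = Get-MsolUser -UserPrincipalName $Upn
$bytes   = [Convert]::FromBase64String($cloud.ImmutableId)
$decoded = New-Object -TypeName System.Guid -ArgumentList (,$bytes)
if ($decoded -ne $adUser.ObjectGUID) {
    throw "ImmutableID mismatch: cloud=$decoded on-prem=$($adUser.ObjectGUID)"
}
Write-Host "Anchor OK: $Upn <-> objectGUID $($adUser.ObjectGUID)"
Write-Host "Now sign in as $Upn to Office 365 and confirm you are redirected to AD FS."
```

The round-trip check is worth keeping around: the ImmutableID is the only thing tying the cloud object to the on-prem object, and AD FS issues it as a claim at sign-in, so a value that does not decode back to the user’s objectGUID gives you a cloud user that exists but can never be signed into through this farm, and one that directory synchronization will later treat as a different object.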

It’s not solving world peace, but it’s a good step.

Published by Aaron Guilmette

Helping companies conquer inferior technology since 1997. I spend my time developing and implementing technology solutions so people can spend less time with technology. Specialties: Active Directory and Exchange consulting and deployment, Virtualization, Disaster Recovery, Office 365, datacenter migration/consolidation, cheese.
