Mar 24 2018 04:43 AM
I have set up ADFS SSO for on-premises and integrated it with Azure Traffic Manager.
Now I need to use ADFS SSO with the O365 Portal, which means I need to enable federated identity.
Azure AD Connect is already enabled and sync is working for a domain in the Azure Portal.
The risk factor is that the O365 Portal is in production use and the on-premises AD is already in sync.
Can you please advise how I should plan to test ADFS SSO with production Office 365?
Should I add a new, separate domain for testing to minimize the impact on production?
Is there any downtime involved in testing? Please advise.
Please let me know if you need more info. I will appreciate your response.
Mar 24 2018 05:09 AM
If you have your public domain in production, please follow the steps in the following article to enable ADFS for Office 365: https://blogs.technet.microsoft.com/canitpro/2015/09/11/step-by-step-setting-up-ad-fs-and-enabling-s...
For testing you will need to create a separate environment in another Office 365 tenant.
The downtime is almost zero, because once you enable it, it takes only seconds.
You can also follow this article: https://blogs.technet.microsoft.com/rmilne/2017/05/14/how-to-install-ad-fs-2016-for-office-365-part-...
Mar 24 2018 06:01 AM
Thanks Nuno for the quick reply.
Right now I have 2 domains added in the Azure Portal:
abc.com - Primary - Not Federated
xyz.com - Verified - Not Federated
abc.com is in production use.
My goal is to federate xyz.com.
While installing AAD Connect, if I choose xyz.com for federation, will it become primary as well?
Please clarify. Thanks.
Mar 24 2018 07:24 AM
If you need more than one domain, you will need the "SupportMultipleDomain" parameter. Please see the following article: https://blogs.technet.microsoft.com/abizerh/2013/02/05/supportmultipledomain-switch-when-managing-ss...
If you want the xyz.com domain as primary, you will need to change that in the Office 365 Portal.
Mar 25 2018 11:38 PM - edited Apr 05 2018 03:07 AM
Thanks Nuno for your help. I will come back to you.
I am collecting requirements for all the things which need to be federated before running AAD Connect. To minimize the risk, I am using a pilot group of a few users. I will federate this pilot group and move on to the other users after the pilot federation succeeds.
Mar 26 2018 01:45 PM
Just a note: you need a separate domain name to test with 5 users. If your principal UPN is a unique public domain, once you activate federation it applies to all users of that domain name.
Apr 02 2018 08:56 AM
To test federation in your production tenant, you should do the following.
1. Register a new domain in your tenant. You can get one free from www.myo365.site
2. Install and configure AD FS. You do not need to use AAD Connect; you can do that manually. To test, you only need one server; for production you should have at least 2 AD FS servers and 2 proxy servers.
3. Install the Azure AD (Office 365) PowerShell module on the AD FS server using the following PowerShell cmdlet:
4. Connect to Office 365:
5. Set the federation context to use the current AD FS server:
6. Convert the domain to federated:
Convert-MsolDomainToFederated -DomainName yourdomain.com
And that's it, you are ready to test:
1. Browse to https://portal.office.com
2. Enter any username with the federated domain, such as email@example.com, and click Next. Office 365 now recognizes that the domain is federated and redirects you to your AD FS server.
3. Log in as any user with your actual username & password. If you have configured your browsers properly, users will be logged in automatically.
So the only difference from the full production configuration is that you first need to enter "the wrong domain" to get redirected to your AD FS. After testing, you can convert the domain back to standard and convert your production domain to federated.
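The pilot-domain procedure above, as an added PowerShell example (not code posted by anyone in this thread): it federates only a dedicated test domain with the MSOnline cmdlets, refuses to run against the primary domain or a domain with more than a pilot group's worth of users, verifies the result, and keeps the rollback command at hand. The domain name pilot.example.com and the server name adfs.example.com are assumed placeholders.

```powershell
# Added example (not from the thread): federate only a dedicated pilot domain,
# verify the result, and keep the rollback at hand. Assumed names:
#   pilot.example.com  - the spare domain registered for the test (step 1)
#   adfs.example.com   - the AD FS server the MSOnline cmdlets talk to
# Requires the MSOnline module and a Global Administrator account.
param(
    [string]$PilotDomain = 'pilot.example.com',
    [string]$AdfsServer  = 'adfs.example.com'
)

Install-Module -Name MSOnline -Scope CurrentUser -Force
Import-Module MSOnline
Connect-MsolService                      # prompts for the tenant admin credentials
Set-MsolADFSContext -Computer $AdfsServer

# Guard 1: never touch the default (primary) domain, and skip an already federated one.
$domain = Get-MsolDomain -DomainName $PilotDomain -ErrorAction Stop
if ($domain.IsDefault) {
    throw "$PilotDomain is the default (primary) domain; use a dedicated pilot domain instead."
}
if ($domain.Authentication -eq 'Federated') {
    throw "$PilotDomain is already federated; nothing to do."
}

# Guard 2: federation applies to every user whose UPN is in the domain (Nuno's note above),
# so confirm only the pilot users live there before converting.
$users = Get-MsolUser -DomainName $PilotDomain -All
Write-Host "Users whose UPN is in ${PilotDomain}: $($users.Count)"
$users | Select-Object UserPrincipalName, isLicensed | Format-Table -AutoSize
if ($users.Count -gt 10) {
    throw "More than a pilot group lives in $PilotDomain; aborting before conversion."
}

# Convert. -SupportMultipleDomain lets the same AD FS farm federate further domains later
# (the production domain, once the pilot has succeeded).
Convert-MsolDomainToFederated -DomainName $PilotDomain -SupportMultipleDomain

# Verify what Azure AD now believes about the domain and where it will redirect logins.
(Get-MsolDomain -DomainName $PilotDomain).Authentication      # expected: Federated
Get-MsolDomainFederationSettings -DomainName $PilotDomain |
    Select-Object IssuerUri, PassiveLogOnUri, FederationBrandName

# Rollback once testing is done (last paragraph of the answer above). The cmdlet resets
# users to managed and writes their temporary passwords to -PasswordFile, so protect
# and then delete that file.
# Convert-MsolDomainToStandard -DomainName $PilotDomain -SkipUserConversion $false -PasswordFile 'C:\secure\pilot-passwords.txt'
```

Run it on the AD FS server (or any machine that can reach it) in an elevated session; the two guards make it safe to re-run, since a second run stops at the "already federated" check.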