PowerShell commands to configure single sign-on for hybrid Office 365

The single sign-on configuration process for hybrid Office 365 requires PowerShell to federate to Exchange. Get all the necessary info here.

Welcome to part four of a four-part series on configuring single sign-on for hybrid Office 365. In part one, we prepped our Active Directory forest. In part two, we configured the Active Directory federation farm. In part three, we configured our federation proxy servers. Now we'll complete the configuration process using PowerShell to join Office 365 with the Active Directory forest.

To start, you must set up a federation trust for every domain you'd like to federate with Office 365. This is accomplished by either adding a domain as a single sign-on domain within Office 365 or converting a domain to be single sign-on from a standard domain. I will detail both processes below.

Setting up a trust is a one-time operation, and you don't need to run the Microsoft Online Services Module again if you add more AD FS 2.0 servers to your server farm. The configuration data is stored in the Windows Internal Database, which is replicated between servers in your federation farm.

If you have multiple domains in your Active Directory forest, here are a couple of things you should be aware of:

  • If you have subdomains in your Active Directory forest -- in addition to the root domain (in our series: Kbomb.com.au) -- you must first add the top-level domain in Office 365 before adding subdomains. When the top-level domain is configured for single sign-on, all subdomains are automatically set up for that as well.
  • If you have multiple top-level domains in your Active Directory forest (i.e., multiple trees in the same forest), you must append the SupportMultipleDomain switch to any cmdlets you use. This includes the cmdlets used in the Add a domain and Convert a domain procedures detailed below.

Install the Microsoft Online Service Module for Windows PowerShell

To begin, download the Microsoft Online Services Module for Windows PowerShell. This software is used to configure both Office 365 and Active Directory federation servers.

Note: You have the option to install the software on your Active Directory federation servers, though it is not recommended.

Before installing the Microsoft Online Services Module for Windows PowerShell, there are a couple of prerequisites.

  • Windows PowerShell and the .NET Framework 3.5.1 must be enabled.
  • You must install the Microsoft Online Services Sign-in Assistant. Follow the links to download and install either the 32-bit or 64-bit version.

After doing so, you can download and install the Office 365 cmdlets contained in Microsoft Online Service Module for PowerShell. Again, select either the 32-bit or 64-bit version based on your operating system architecture.

Note: For more information on managing hybrid Office 365 with PowerShell, there is helpful information in the Microsoft TechNet article, "Use Windows PowerShell to manage Office 365."

Add a new domain to Office 365

To add a new domain to Office 365 and configure it for federation with your Active Directory forest, perform the following steps:

1. Store your Office 365 credentials in a PowerShell variable using the following command:

$cred=Get-Credential

Figure 1. Store your Office 365 credentials in a PowerShell variable.

2. You must now use the captured credentials to create a connection to Office 365. This is required before running additional cmdlets in the Microsoft Online Services Module for PowerShell. There may be a short pause while the connection is initiated. Use the following cmdlet:

Connect-MsolService -Credential $cred

Figure 2. Begin creating a connection to Office 365.

3. Next, you must connect the PowerShell session to AD FS 2.0. This connection must be made to the FQDN of the primary federation server that holds the writable Windows Internal Database copy. Use the following command:

Set-MsolAdfscontext -Computer <AD FS 2.0 primary server>

Figure 3. Connect PowerShell to Active Directory Federation Services.

4. Run the following command to add the Kbomb.com.au domain to Office 365:

New-MsolFederatedDomain -DomainName Kbomb.com.au

5. After adding the domain, log into the Office 365 management website to validate the domain. To do so, create a TXT or MX record in your public DNS zone.

Note: I did not run the New-MsolFederatedDomain command because the domain was already created in Office 365. I converted the domain to a federated domain.

How to convert a domain

If you've already created your domain in the Office 365 Web interface, you must convert the domain (Figure 4).

Figure 4. Begin the domain conversion process.

To convert an existing Office 365 domain from standard authentication to federation with your Active Directory forest, perform the following steps:

1. Store your Office 365 credentials in a PowerShell variable using the following command:

$cred=Get-Credential

Figure 5. Store your Office 365 credentials in a PowerShell variable.

2. Now, use the captured credentials to create a connection to Office 365. This must be done before running additional cmdlets in the Microsoft Online Services Module for PowerShell. You may have to wait a moment while the connection is initiated. Use the following command:

Connect-MsolService -Credential $cred

Figure 6. Establish a connection to Office 365.

3. Connect the PowerShell session to AD FS 2.0. This connection must be made to the FQDN of the primary federation server which holds the writable Windows Internal Database copy. Use the following command:

Set-MsolAdfscontext -Computer <AD FS 2.0 primary server>

Figure 7. Connect PowerShell to AD FS 2.0.

4. Change the domain from standard authentication to single sign-on using the following command:

Convert-MsolDomainToFederated -DomainName kbomb.com.au

Figure 8. Change the domain from standard authentication to single sign-on.

5. To view the federation settings, run the following command and enter the domain name when prompted:

Get-MsolFederationProperty

Figure 9. View federation settings.

Note: If you modify settings in AD FS 2.0, you can update the hybrid Office 365 cloud configuration using the Update-MsolFederatedDomain cmdlet.
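The following script is an added example, not part of the original article, that strings together the Add a domain and Convert a domain procedures above: it connects to Office 365 and the primary AD FS 2.0 server, picks New-MsolFederatedDomain, Convert-MsolDomainToFederated or Update-MsolFederatedDomain depending on what Office 365 already knows about the domain, honours the SupportMultipleDomain switch, and then checks that the token-signing certificate reported by AD FS matches the one stored in Office 365. It assumes the Microsoft Online Services Module for Windows PowerShell is installed and that the $DomainName and $AdfsPrimary parameters are supplied by you; the property names read from Get-MsolFederationProperty (Source, TokenSigningCertificate, PassiveLogOnUri) are those of the MSOnline module as I know it.

```powershell
# Added example (not the article's own code). Assumes the MSOnline module is installed
# and $AdfsPrimary is the FQDN of the primary AD FS 2.0 server (writable WID copy).
param(
    [Parameter(Mandatory)][string]$DomainName,    # e.g. kbomb.com.au
    [Parameter(Mandatory)][string]$AdfsPrimary,   # the <AD FS 2.0 primary server> from the steps above
    [switch]$SupportMultipleDomain                # needed when the forest has multiple trees
)

# Steps 1-3: capture credentials, connect to Office 365, point the session at AD FS 2.0
$cred = Get-Credential -Message 'Office 365 global administrator account'
Connect-MsolService -Credential $cred
Set-MsolAdfscontext -Computer $AdfsPrimary

# Optional switch, splatted onto whichever federation cmdlet runs below
$extra = @{}
if ($SupportMultipleDomain) { $extra['SupportMultipleDomain'] = $true }

# Step 4: decide between "Add a domain" and "Convert a domain"
$existing = Get-MsolDomain -DomainName $DomainName -ErrorAction SilentlyContinue
if (-not $existing) {
    New-MsolFederatedDomain -DomainName $DomainName @extra
    Write-Host "Domain added; validate it in the Office 365 portal (TXT or MX record) before use."
} elseif ($existing.Authentication -eq 'Managed') {
    Convert-MsolDomainToFederated -DomainName $DomainName @extra
} else {
    # Already federated: push any AD FS changes to the cloud instead of re-federating
    Update-MsolFederatedDomain -DomainName $DomainName @extra
}

# Step 5: verify. Get-MsolFederationProperty returns one record sourced from AD FS and one
# from Office 365. If the token-signing certificates differ (for example after a certificate
# rollover on AD FS), federated sign-ins break until Update-MsolFederatedDomain is run.
$props  = Get-MsolFederationProperty -DomainName $DomainName
$thumbs = $props | ForEach-Object { $_.TokenSigningCertificate.Thumbprint } | Sort-Object -Unique
if (@($thumbs).Count -ne 1) {
    Write-Warning "Token-signing certificate differs between AD FS and Office 365; run Update-MsolFederatedDomain -DomainName $DomainName."
}
$props | Format-List Source, FederationServiceIdentifier, PassiveLogOnUri
```

Run it from the machine where the module is installed, e.g. .\Federate-Domain.ps1 -DomainName kbomb.com.au -AdfsPrimary adfs01.kbomb.com.au, adding -SupportMultipleDomain for a multi-tree forest.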

This was first published in June 2013
