office365 notes
adfs:
iis w/ ssl certificate
.net framework 3.5.1
windows identity foundation
adfs 2.0 rtw
adfs 2.0 rollup 3
adfs web config files in c:\inetpub\adfs\ls
auto-populate UPN: http://social.technet.microsoft.com/wiki/contents/articles/4184.ad-fs-2-0-auto-populate-the-username-field-of-the-forms-sign-in-page-when-signing-in-to-office-365.aspx
add UPN suffixes to your local domain:
active directory domains and trusts
right-click active directory domains and trusts->properties->upn suffixes->add
dirsync:
c:\program files\microsoft online directory sync\syncbus\uishell\miisclient.exe (dirsync gui)
run c:\program files\microsoft online directory sync\DirSyncConfigShell.psc1
to load the powershell console use: powershell.exe -psconsolefile DirSyncConfigShell.psc1
then Start-OnlineCoexistenceSync (forces a sync)
the dirsync TargetWebService sync needs to be run with an onmicrosoft.com account that has global administrator rights (user management rights won't cut it). in the dirsync gui, choose Management Agents then right-click TargetWebService->Properties->Configure Connection Information to verify.
also under Management Agents->SourceAD->Properties->Configure Directory Partitions->Containers.. specific OUs may be chosen for syncing (OU-level filtering), so only the containers you pick get pushed to the tenant.
source: http://blogs.msdn.com/b/denotation/archive/2012/11/21/installing-and-configure-dirsync-with-ou-level-filtering-for-office365.aspx
both dirsync and adfs installs will require command line install options if you want them to use a full SQL server instance instead of the default local database
important link: https://portal.microsoftonline.com
installed anywhere management is to be done:
windows azure active directory module (formerly microsoft online services module)
sign-in assistant
windows azure active directory module commands:
*update – the federation cmdlets below (Convert-MsolDomainToFederated etc.) must be run from an ADFS machine OR use Set-MsolAdfscontext -Computer [ADFS server FQDN] first*
Connect-MsolService (enter office365 creds, as in the .onmicrosoft.com global admin login)
Get-MsolDomain
Convert-MsolDomainToFederated -DomainName [local domain to be federated] -SupportMultipleDomain (this sets up the relying trust in ADFS)
Get-MsolFederationProperty -DomainName [local domain to be federated]
Get-MsolUser -UnlicensedUsersOnly -All > output.txt
Get-MsolAccountSku
enabling ADFS debug logging:
event viewer->adfs 2.0 tracing->right-click in white-space and choose “show analytic and debug logs”->right-click Debug log on the left and choose enable log
licensing note: for our production wave 14 tenant the SKU was named differently than it was in our test environment. check with Get-MsolAccountSku rather than assuming; ours ended up being <domainname>:EXCHANGESTANDARD_STUDENT
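one way to script the federation and licensing steps from the module commands list and the licensing note above, with a sanity check between each step. this is an added example, not something from these notes or from microsoft's docs. it assumes the MSOnline module is already loaded; the domain, ADFS server FQDN and usage location are placeholders, and the FederationServiceIdentifier / TokenSigningCertificate property names on the Get-MsolFederationProperty output are assumed from memory.

```powershell
# Added example: federate a verified domain, confirm ADFS and Office 365 agree on
# the trust, then licence the unlicensed users in that domain. Placeholders below.
$domain     = "example.edu"               # local domain to be federated (placeholder)
$adfsServer = "adfs01.example.edu"        # ADFS server FQDN (placeholder)
$skuName    = "EXCHANGESTANDARD_STUDENT"  # SKU suffix seen on the production tenant

Connect-MsolService                       # prompts for the .onmicrosoft.com global admin
Set-MsolAdfscontext -Computer $adfsServer # lets the federation cmdlets run off the ADFS box

# 1. refuse to convert a domain that is not verified, or is already federated
$d = Get-MsolDomain -DomainName $domain
if ($d.Status -ne "Verified") { throw "$domain is not verified in the tenant" }
if ($d.Authentication -eq "Federated") {
    Write-Host "$domain is already federated, skipping conversion"
} else {
    Convert-MsolDomainToFederated -DomainName $domain -SupportMultipleDomain
}

# 2. compare what ADFS and Office 365 each think the trust looks like;
#    a mismatch (e.g. after a token-signing cert rollover) breaks sign-in.
#    Property names here are assumed, adjust if your module version differs.
$props = Get-MsolFederationProperty -DomainName $domain
$ids   = @($props | ForEach-Object { $_.FederationServiceIdentifier } | Select-Object -Unique)
$certs = @($props | ForEach-Object { $_.TokenSigningCertificate.Thumbprint } | Select-Object -Unique)
if ($ids.Count -gt 1 -or $certs.Count -gt 1) {
    throw "ADFS and Office 365 federation settings for $domain differ, run Update-MsolFederatedDomain"
}

# 3. find the licence whose name ends in the SKU we want, whatever the tenant prefix is
$sku = Get-MsolAccountSku | Where-Object { $_.AccountSkuId -like "*:$skuName" }
if (-not $sku) { throw "no SKU matching $skuName in this tenant" }
$free = $sku.ActiveUnits - $sku.ConsumedUnits

# 4. licence unlicensed users in the federated domain, without over-committing seats
$users = Get-MsolUser -UnlicensedUsersOnly -All |
         Where-Object { $_.UserPrincipalName -like "*@$domain" }
foreach ($u in $users) {
    if ($free -le 0) { Write-Warning "out of $($sku.AccountSkuId) seats, stopping"; break }
    if (-not $u.UsageLocation) {
        # a usage location is required before any licence can be assigned (placeholder "US")
        Set-MsolUser -UserPrincipalName $u.UserPrincipalName -UsageLocation "US"
    }
    Set-MsolUserLicense -UserPrincipalName $u.UserPrincipalName -AddLicenses $sku.AccountSkuId
    $free--
}
```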
there's a way to change the UPN of a non-federated office365 user with:
Set-MsolUserPrincipalName -UserPrincipalName <currentupn> -NewUserPrincipalName <newupn>
(^i've never actually tried this^)
source:
http://support.microsoft.com/kb/2523192
sources:
http://www.messageops.com/documentation/office-365-documentation/ad-fs-with-office-365-step-by-step-guide
*excellent article* step-by-step instructions for setting up ADFS and dirsync
http://www.office365forbiz.com/setting-up-office-365-adfs-and-dirsync/
another adfs/dirsync step-by-step, important details are included
http://mikecrowley.wordpress.com/2011/11/21/office-365-dirsync-x64-installation-walkthrough/
http://social.technet.microsoft.com/wiki/contents/articles/9082.office-365-adfs-active-directory-federation-service-installation.aspx
http://www.messageops.com/documentation/office-365-documentation/active-directory-federation-services-design-planning-for-office-365
http://thelaith.azurewebsites.net/?p=1582#!prettyPhoto