Installing and configuring ADFS/DirSync for Windows Intune

This blog post is all about Active Directory Federation Services (ADFS) and DirSync. To activate Single Sign On in Microsoft Azure, an on-premises ADFS in combination with DirSync is required. DirSync synchronizes your on-premises Active Directory with Microsoft Azure Active Directory. ADFS handles the sign-in against your on-premises credentials, which is what provides the SSO.

ADFS is also required to register your (mobile) device for management. This feature is available in Windows RT/8 and is called Workplace.

In this blog post I describe the installation and configuration of ADFS and DirSync. I also cover Device Registration and how to prepare ADFS for Windows Intune.

For this blog you will need one server running Windows Server 2012 R2 Update 1.

NOTE: I have used an Enterprise PKI to create a certificate for ADFS. Read this blog for installing and configuring an Enterprise PKI environment.  

NOTE: This ADFS environment is only accessible inside the network. If you want to use it from outside your internal network, use your public domain name as the FQDN when creating the certificate. Don’t forget to add the necessary DNS records and configure the firewall(s).

Good luck!

Create a group Managed Service Account (GMSA). Run this on the domain controller.

  • Add-KdsRootKey -EffectiveTime (Get-Date).AddHours(-10)
  • New-ADServiceAccount FsGmsa -DNSHostName w12r2adfs001.systemcenter.local -ServicePrincipalNames http/w12r2adfs001.systemcenter.local

The backdated -EffectiveTime makes the KDS root key usable immediately instead of after the usual 10-hour replication wait; that is fine for a test environment with a single domain controller.

Request a certificate from the PKI server.

MMC -> Certificates – Local Computer

Click on the link More Information is required to enroll for this certificate….


  • Common Name: FQDN of your ADFS server, like: w12r2adfs001.systemcenter.local
  • DNS: FQDN of your ADFS server
  • DNS: enterpriseregistration.systemcenter.local

Click Ok.

Click Enroll

Verify that the certificate is listed in the Certificates (Local Computer) MMC:

Installing ADFS Role:

Configure the ADFS role:

NOTE: Ignore the last warning. You get this warning if you have installed ADFS on another server before. I have reinstalled ADFS on a fresh, clean Windows Server 2012 R2 server 😉

Enable Device Registration in ADFS:


When prompted for a service account, type <domain>\fsgmsa$ (the GMSA created in the first step, including the trailing $).


Via Server Manager open ADFS management console.

Enable Device Authentication
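The Device Registration steps above (initialize, enable, and turn on device authentication) can also be done from PowerShell. This is an added example, not code from the original post; it assumes the GMSA FsGmsa created earlier and the NetBIOS domain name systemcenter, and it must run on the ADFS server in a session of an Enterprise Admin.

```powershell
# Added example (not from the original post): enable the Device Registration Service
# on the ADFS server from PowerShell. Assumes the gMSA "FsGmsa" created earlier and the
# NetBIOS domain name "systemcenter" (assumption, adjust to your environment).
Import-Module ADFS

# The gMSA is referenced with its trailing $. Run this in a session that is a member of
# Enterprise Admins; -Credential (if you use it) is that admin, not the service account.
$serviceAccount = 'systemcenter\FsGmsa$'

# Creates the Device Registration Service container and objects in Active Directory.
Initialize-ADDeviceRegistration -ServiceAccountName $serviceAccount -Force

# Enables the DRS endpoint on this ADFS farm.
Enable-AdfsDeviceRegistration

# Equivalent of "Enable device authentication" in the ADFS management console.
Set-AdfsGlobalAuthenticationPolicy -DeviceAuthenticationEnabled $true

# Verify: device authentication is on in the global policy and DRS reports its settings.
$policy = Get-AdfsGlobalAuthenticationPolicy
if (-not $policy.DeviceAuthenticationEnabled) {
    throw 'Device authentication is still disabled in the global authentication policy.'
}
Get-AdfsDeviceRegistration | Format-List *
```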

Install the Windows PowerShell for single sign-on with AD FS

It’s time to configure the synchronization between the on-premises environment and Microsoft Azure/Windows Intune.


Windows Azure AD Module:

Set up a trust between AD FS and Azure AD

  • Connect-MsolService -Credential $cred ($cred holds your Azure AD administrator credential)
  • Set-MsolADFSContext -Computer <AD FS primary server> (if you run this on the primary ADFS server, you don’t need this command)
  • New-MsolFederatedDomain -DomainName <domain> (for a domain that is not yet in Azure AD) or
  • Convert-MsolDomainToFederated -DomainName <domain> (for a domain that already exists in Azure AD as a managed domain)
  • To verify: Get-MsolFederationProperty -DomainName <domain>
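The trust setup above, carried through with a check that Azure AD and AD FS agree on the token-signing certificate. This is an added example, not code from the original post; it assumes the MSOnline module on the primary ADFS server and a domain name that is verified in Azure AD (systemcenter.local is only the lab suffix from this post).

```powershell
# Added example (not from the original post): set up and verify the federation trust
# between AD FS and Azure AD with the MSOnline module. Run on the primary ADFS server.
# "systemcenter.local" is the lab suffix used in this post; the federated domain must be
# verified in Azure AD, so substitute your public, verified domain name.
Import-Module MSOnline

$domain = 'systemcenter.local'   # assumption: replace with your verified domain
$cred   = Get-Credential -Message 'Azure AD global administrator'
Connect-MsolService -Credential $cred

# Only needed when running from a machine other than the primary ADFS server:
# Set-MsolADFSContext -Computer w12r2adfs001.systemcenter.local

# Convert-... for a domain that already exists in Azure AD as a managed domain,
# New-... when the domain is added for the first time (it prints a TXT record to
# create in public DNS; run it again after the record exists to finish).
if (Get-MsolDomain -DomainName $domain -ErrorAction SilentlyContinue) {
    Convert-MsolDomainToFederated -DomainName $domain
} else {
    New-MsolFederatedDomain -DomainName $domain
}

# Verify: the domain is federated, and Azure AD holds the same token-signing certificate
# as AD FS. A thumbprint mismatch means tokens issued by AD FS are rejected in the cloud.
$info = Get-MsolDomain -DomainName $domain
if ($info.Authentication -ne 'Federated') { throw "$domain is not federated" }

$props  = Get-MsolFederationProperty -DomainName $domain
$thumbs = $props | ForEach-Object { $_.TokenSigningCertificate.Thumbprint } | Sort-Object -Unique
if (@($thumbs).Count -ne 1) {
    throw "Token-signing certificate differs between AD FS and Azure AD; run Update-MsolFederatedDomain -DomainName $domain"
}
$props | Format-Table Source, FederationServiceIdentifier, PassiveClientSignInUrl -AutoSize
```

Re-run the thumbprint check after each AD FS token-signing certificate rollover; Update-MsolFederatedDomain pushes the new certificate to Azure AD.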

Add UPN for DirSync:


Installing DirSync:

DirSync needs .NET Framework 3.5 or 4.0.

To check the sync status, open the Synchronization Service Manager tool, located at: C:\Program Files\Windows Azure Active Directory Sync\SYNCBUS\Synchronization Service\UIShell\miiclient.exe

Then check the Azure admin web console: you will see the on-premises users there.

The only thing you still have to do is change the user accounts to your newly created UPN suffix.

Also, in the account web console you have to edit the synchronized on-premises accounts: give them access to Windows Intune, otherwise they can’t register a device or install an app from the Company Portal.


Add a record in DNS:

An A record for the ADFS hostname (if it doesn’t exist yet), <your adfs hostname>, pointing to its IP address.

A CNAME record for enterpriseregistration, pointing to the ADFS hostname:

If your environment has multiple UPN suffixes, you must create multiple CNAME records, one for each of those UPN suffixes in DNS.

Also add one for enterpriseenrollment. This one points to:
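The DNS steps above, for every UPN suffix in the forest, as an added example that is not part of the original post. It assumes a Windows DNS server with the DnsServer and ActiveDirectory modules, the ADFS host from this post, a DNS server name you adjust, and a placeholder for the enterpriseenrollment target, which you take from your Intune setup.

```powershell
# Added example (not from the original post): create the Workplace Join DNS records
# (one enterpriseregistration CNAME per UPN suffix, plus enterpriseenrollment) on a
# Windows DNS server and verify them. Assumes the DnsServer and ActiveDirectory modules,
# the ADFS host from this post and a DNS server name that you adjust to your environment.
Import-Module DnsServer
Import-Module ActiveDirectory

$adfsHost  = 'w12r2adfs001.systemcenter.local'
$dnsServer = 'w12r2dc001.systemcenter.local'   # assumption: your DNS server
# Placeholder: take the enterpriseenrollment target from your Intune setup; left as-is it is skipped.
$enrollmentTarget = '<enterpriseenrollment target from the Intune portal>'

# Every UPN suffix in the forest, plus the forest root domain name itself.
$forest   = Get-ADForest
$suffixes = @($forest.RootDomain) + @($forest.UPNSuffixes) | Sort-Object -Unique

$records = @(
    @{ Name = 'enterpriseregistration'; Alias = $adfsHost },
    @{ Name = 'enterpriseenrollment';   Alias = $enrollmentTarget }
)

foreach ($zone in $suffixes) {
    if (-not (Get-DnsServerZone -Name $zone -ComputerName $dnsServer -ErrorAction SilentlyContinue)) {
        Write-Warning "No zone '$zone' on $dnsServer; create the records where that suffix is hosted"
        continue
    }
    foreach ($rec in $records) {
        if ($rec.Alias.StartsWith('<')) { Write-Warning "Skipping $($rec.Name) in $zone, target not set"; continue }
        $existing = Get-DnsServerResourceRecord -ZoneName $zone -Name $rec.Name -RRType CName `
                        -ComputerName $dnsServer -ErrorAction SilentlyContinue
        if (-not $existing) {
            Add-DnsServerResourceRecordCName -ZoneName $zone -Name $rec.Name -HostNameAlias $rec.Alias -ComputerName $dnsServer
        }
    }
}

# Verify: enterpriseregistration.<suffix> must resolve to the ADFS host, and that same name
# must be a SAN on the ADFS certificate for every suffix, or the TLS check on the device fails.
foreach ($zone in $suffixes) {
    $cname = Resolve-DnsName -Name "enterpriseregistration.$zone" -Type CNAME -Server $dnsServer -ErrorAction SilentlyContinue
    if ($cname.NameHost -ne $adfsHost) {
        Write-Warning "enterpriseregistration.$zone does not point to $adfsHost"
    }
}
```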


You can test whether SSO is working. Go to or and sign in with your on-premises username with the UPN suffix. The website recognises your UPN suffix and redirects you to the on-premises ADFS sign-in page. After signing in there, you are automatically logged in to Windows Intune and land in the console.

That’s all folks. If you have any questions or comments about this blog, please don’t hesitate to leave a message or send me a mail.


8 thoughts on “Installing and configuring ADFS/DirSync for Windows Intune”

  1. Michael

    Why do you sync the passwords in dirsync when using ADFS?

    1. Hi Michael, if you want to use your on-premise password in the cloud, then you have to enable that option. Otherwise, you have to use 2 different passwords, and that’s not what SSO (single sign on) means / how it will work.

  2. Stuart

    I’ve done everything up to the PowerShell command: Initialize-ADDeviceRegistration. I enter “y” and \fsgm$ when prompted, but I then get this error: “The current user is not a member of the Enterprise Admins group of the target machine’s domain.” Any ideas?

    1. Hi Stuart, did you add FsGmsa as a service account in the setup, at ‘Specify Service account’ in the wizard? And did you create the FsGmsa account successfully at the beginning, in the first step of this blog? I can’t remember adding the FsGmsa account to the Enterprise Admins group.

      Please, let me know! 🙂

    2. JD

      I had the same issue. My problem was that I misinterpreted the -Credential option in the Initialize-ADDeviceRegistration cmdlet. This must not be the credential of the ADFS service account but of a member of the Enterprise Admins. If you are running the command as an Enterprise Admin you can omit the -Credential option and just call it like this:
      Initialize-ADDeviceRegistration -ServiceAccountName "domain\ADFSserviceaccount"

      Good Luck,

      1. JD, Thanks for the tip!

  3. Jake S

    This is very helpful. But I still struggled with this, so in the end I found a cheaper and easier alternative to ADFS and DirSync for setting up SSO into Intune. It’s from Centrify. See for details; this applies to Intune as well as Office 365.
