Installing and configuring ADFS/DirSync for Windows Intune

This blog post is all about Active Directory Federation Services (ADFS) and DirSync. To activate Single Sign-On (SSO) in Microsoft Azure, an on-premise ADFS in combination with DirSync is required. DirSync synchronizes your on-premise Active Directory with the Microsoft Azure Active Directory; ADFS handles the on-premise log-in credentials once SSO is activated.

ADFS is also required to register your (mobile) device for management. This feature is available in Windows RT/8 and is called Workplace.

In this blog post I describe the installation and configuration of ADFS and DirSync. I also cover device registration and how to prepare ADFS for Windows Intune.

For this blog you will need one server based on Windows Server 2012 R2 Update 1.

NOTE: I have used an Enterprise PKI to create a certificate for ADFS. Read this blog for installing and configuring an Enterprise PKI environment.  

NOTE: This ADFS environment is only accessible inside the network. If you want to use it from outside your internal network, you have to change the FQDN to your public domain name when making a new certificate. Don’t forget to add the necessary DNS records and configure the firewall(s).

Good luck!

Create a group Managed Service Account (gMSA). Run this on the domain controller:

  • Add-KdsRootKey -EffectiveTime ((Get-Date).AddHours(-10))
  • New-ADServiceAccount FsGmsa -DNSHostName w12r2adfs001.systemcenter.local -ServicePrincipalNames http/w12r2adfs001.systemcenter.local

The -10 hours backdates the KDS root key so it can be used immediately instead of after the normal 10-hour wait that gives the key time to replicate to all domain controllers; this is a lab shortcut, in production create the key and wait.
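The same two steps as a script that only creates what is missing, restricts password retrieval to the ADFS computer account, and reads the account back to verify. This is an added example, not code from the original post; it assumes the host name w12r2adfs001.systemcenter.local and account name FsGmsa used above, and the variable and switch names are mine.

```powershell
# Added example (not from the original post). Run on a domain controller
# with the ActiveDirectory module. Values below follow the post; $Lab is an
# assumption that controls whether the KDS root key is backdated.
Import-Module ActiveDirectory

$AdfsHost = 'w12r2adfs001.systemcenter.local'
$GmsaName = 'FsGmsa'
$Lab      = $true    # $false in production: create the key and wait 10 hours

# 1. KDS root key: needed once per forest before any gMSA can be created.
if (-not (Get-KdsRootKey)) {
    if ($Lab) {
        # Backdated 10 hours so the key is usable right away (lab shortcut).
        Add-KdsRootKey -EffectiveTime ((Get-Date).AddHours(-10))
    } else {
        # Key becomes usable after the normal replication wait.
        Add-KdsRootKey -EffectiveImmediately
    }
}

# 2. gMSA for the ADFS service, with the HTTP SPN of the ADFS host.
#    PrincipalsAllowedToRetrieveManagedPassword limits which computer may
#    fetch the managed password: only the ADFS server, nothing else.
$AdfsComputer = Get-ADComputer -Identity ($AdfsHost.Split('.')[0])

if (-not (Get-ADServiceAccount -Filter "Name -eq '$GmsaName'")) {
    New-ADServiceAccount -Name $GmsaName `
        -DNSHostName $AdfsHost `
        -ServicePrincipalNames "http/$AdfsHost" `
        -PrincipalsAllowedToRetrieveManagedPassword $AdfsComputer
}

# 3. Read the account back: SPN present, and only the ADFS host allowed.
Get-ADServiceAccount -Identity $GmsaName `
    -Properties DNSHostName, ServicePrincipalNames, PrincipalsAllowedToRetrieveManagedPassword |
    Select-Object Name, DNSHostName, ServicePrincipalNames, PrincipalsAllowedToRetrieveManagedPassword |
    Format-List
```

If the ADFS configuration wizard later reports that it cannot retrieve the managed password, the computer listed in PrincipalsAllowedToRetrieveManagedPassword does not match the server running the wizard.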

Request a certificate from the PKI server.

MMC -> Certificates – Local Computer

Click on the link More Information is required to enroll for this certificate….

Add:

  • Common Name: FQDN of your ADFS server, like: w12r2adfs001.systemcenter.local
  • DNS: FQDN of your adfs server
  • DNS: enterpriseregistration.systemcenter.local

Click Ok.

Click Enroll

Verify that it is listed in the Certificates (Local Computer) MMC:
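You can do the same verification from PowerShell and also catch the two mistakes that bite later: a certificate without its private key, or one that misses the enterpriseregistration name that device registration needs. This is an added example, not part of the original post; it assumes the host name and UPN suffix used above and the function name Test-AdfsCertificate is mine.

```powershell
# Added example (not from the original post). Lists every certificate in the
# Local Computer personal store and marks the one usable for ADFS plus
# device registration. Names below follow the post; adjust to your own.
$AdfsHost  = 'w12r2adfs001.systemcenter.local'
$UpnSuffix = 'systemcenter.local'
$Required  = @($AdfsHost, "enterpriseregistration.$UpnSuffix")

function Test-AdfsCertificate {
    param(
        [string[]]$RequiredNames,
        [string]$StorePath = 'Cert:\LocalMachine\My'
    )
    Get-ChildItem -Path $StorePath | ForEach-Object {
        # DnsNameList is PowerShell's view of the Subject Alternative Names.
        $names   = @($_.DnsNameList | ForEach-Object { $_.Unicode })
        $missing = @($RequiredNames | Where-Object { $names -notcontains $_ })
        [pscustomobject]@{
            Thumbprint    = $_.Thumbprint
            Subject       = $_.Subject
            HasPrivateKey = $_.HasPrivateKey
            NotAfter      = $_.NotAfter
            MissingNames  = ($missing -join ', ')
            # Usable only with a private key, all SANs present and not expired.
            Usable        = ($_.HasPrivateKey -and ($missing.Count -eq 0) -and ($_.NotAfter -gt (Get-Date)))
        }
    }
}

Test-AdfsCertificate -RequiredNames $Required | Format-Table -AutoSize
```

Exactly one row should show Usable = True; that thumbprint is the certificate to pick in the ADFS configuration wizard.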

Installing ADFS Role:

Configure the ADFS role:

NOTE: Ignore the last warning. You get this warning if you have installed ADFS on another server before. I have reinstalled ADFS on a fresh, clean Windows Server 2012 R2 server 😉

Enable Device Registration in ADFS:

Initialize-ADDeviceRegistration

When prompted for a service account, type <domain>\fsgmsa$

Enable-AdfsDeviceRegistration

Via Server Manager open ADFS management console.

Enable Device Authentication

Install the Windows PowerShell module for single sign-on with AD FS.

It’s time to configure the synchronization between the on-premise Active Directory and Microsoft Azure/Windows Intune.

Windows Azure AD Module:

http://technet.microsoft.com/library/jj151815.aspx

Set up a trust between AD FS and Azure AD:

  • $cred = Get-Credential
  • Connect-MsolService -Credential $cred
  • Set-MsolAdfscontext -Computer <AD FS primary server> (not needed when you run this on the primary ADFS server)
  • New-MsolFederatedDomain -DomainName <domain> (for a domain that is not yet added to Azure AD) or
  • Convert-MsolDomainToFederated -DomainName <domain> (for a domain that already exists in Azure AD as a managed domain)
  • To verify: Get-MsolFederationProperty -DomainName <domain>
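The verify step is worth scripting, because the one thing that silently breaks federated SSO later is a token-signing certificate rollover on ADFS that Azure AD never hears about. The check below is an added example, not part of the original post; it assumes you run it on the primary ADFS server, that the relying party trust the federation cmdlets create is named 'Microsoft Office 365 Identity Platform', and that the Source values returned by Get-MsolFederationProperty contain "ADFS" and "Office 365" respectively (check your own output if they differ). The domain value is a placeholder.

```powershell
# Added example (not from the original post). Compares what ADFS uses with
# what Azure AD has on record for a federated domain.
Import-Module MSOnline
Import-Module ADFS

$Domain = 'example.com'   # placeholder: replace with your verified Azure AD domain
$cred = Get-Credential -Message 'Azure AD global administrator'
Connect-MsolService -Credential $cred

function Test-Federation {
    param([string]$DomainName)
    $domain = Get-MsolDomain -DomainName $DomainName
    $props  = Get-MsolFederationProperty -DomainName $DomainName
    # Get-MsolFederationProperty returns one row read from the ADFS server
    # and one row read from Azure AD; the Source strings are an assumption.
    $adfsSide  = $props | Where-Object { $_.Source -like '*ADFS*' }
    $cloudSide = $props | Where-Object { $_.Source -like '*Office 365*' }
    $adfsThumb  = $adfsSide.TokenSigningCertificate.Thumbprint
    $cloudThumb = $cloudSide.TokenSigningCertificate.Thumbprint
    [pscustomobject]@{
        Domain            = $DomainName
        Authentication    = $domain.Authentication      # expected: Federated
        AdfsThumbprint    = $adfsThumb
        AzureThumbprint   = $cloudThumb
        CertificatesMatch = ($adfsThumb -eq $cloudThumb)
        # Relying party trust name is an assumption; see lead-in.
        RelyingPartyTrust = [bool](Get-AdfsRelyingPartyTrust -Name 'Microsoft Office 365 Identity Platform')
    }
}

$result = Test-Federation -DomainName $Domain
$result | Format-List

if ($result.Authentication -ne 'Federated') {
    Write-Warning "$Domain is not federated; run Convert-MsolDomainToFederated or New-MsolFederatedDomain."
}
if (-not $result.CertificatesMatch) {
    Write-Warning "Token-signing certificate differs; run Update-MsolFederatedDomain -DomainName $Domain."
}
```

Run it again after every ADFS certificate rollover; a mismatch means users will be redirected to ADFS, log in, and then be rejected by Azure AD.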

Add a UPN suffix for DirSync:

Installing DirSync:

DirSync needs .NET Framework 3.5 or 4.0.
To check the sync status, you can open Synchronization Service Manager tool located in: C:\Program Files\Windows Azure Active Directory Sync\SYNCBUS\Synchronization Service\UIShell\miiclient.exe

Then check the Azure admin web console: you will see the on-premise users there.

The only thing you have to do is change the users’ accounts to your newly created UPN suffix.

Also in the account web console you have to edit the synchronized on-premise accounts. You need to give them access to Windows Intune, otherwise they can’t register a device or install an app from the Company Portal.

Add records in DNS:

an A record for the hostname <your adfs hostname> pointing to its IP address (if it does not exist yet)

a CNAME record for enterpriseregistration pointing to the ADFS hostname:

If your environment has multiple UPN suffixes, you must create one CNAME record for each of those UPN suffixes in DNS.

Also one for enterpriseenrollment. This one points to: manage.microsoft.com
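The three records as a script for a Windows DNS server, generalized to the multiple-UPN-suffix case the text mentions, followed by a resolution check. This is an added example, not part of the original post; the host name and zone follow the post, the IP address is a constructed sample, and the list of UPN suffixes and the function names are assumptions you replace with your own.

```powershell
# Added example (not from the original post). Requires the DnsServer module
# (RSAT DNS tools) and rights on the zones. Run against the internal DNS for
# the lab setup in the post; for external access create the same records in
# your public DNS.
Import-Module DnsServer

$AdfsHost    = 'w12r2adfs001'
$AdfsZone    = 'systemcenter.local'
$AdfsFqdn    = "$AdfsHost.$AdfsZone"
$AdfsIP      = '192.0.2.10'                 # constructed sample address
$UpnSuffixes = @('systemcenter.local')      # assumption: one zone per UPN suffix

function Set-CNameIfMissing {
    param([string]$Zone, [string]$Name, [string]$Target)
    $existing = Get-DnsServerResourceRecord -ZoneName $Zone -Name $Name -RRType CName -ErrorAction SilentlyContinue
    if (-not $existing) {
        Add-DnsServerResourceRecordCName -ZoneName $Zone -Name $Name -HostNameAlias $Target
    }
}

# A record for the ADFS host (only if it does not exist yet)
if (-not (Get-DnsServerResourceRecord -ZoneName $AdfsZone -Name $AdfsHost -RRType A -ErrorAction SilentlyContinue)) {
    Add-DnsServerResourceRecordA -ZoneName $AdfsZone -Name $AdfsHost -IPv4Address $AdfsIP
}

# One pair of CNAMEs per UPN suffix
foreach ($suffix in $UpnSuffixes) {
    # enterpriseregistration.<suffix> -> ADFS (Workplace / device registration)
    Set-CNameIfMissing -Zone $suffix -Name 'enterpriseregistration' -Target $AdfsFqdn
    # enterpriseenrollment.<suffix>   -> Intune enrollment service
    Set-CNameIfMissing -Zone $suffix -Name 'enterpriseenrollment'   -Target 'manage.microsoft.com'
}

# Resolve each name and compare with the expected target
function Test-IntuneDns {
    param([string[]]$Suffixes, [string]$AdfsFqdn)
    foreach ($s in $Suffixes) {
        $expected = @{
            "enterpriseregistration.$s" = $AdfsFqdn
            "enterpriseenrollment.$s"   = 'manage.microsoft.com'
        }
        foreach ($name in $expected.Keys) {
            $cname = Resolve-DnsName -Name $name -Type CNAME -ErrorAction SilentlyContinue |
                     Where-Object { $_.NameHost } | Select-Object -First 1
            $actual = if ($cname) { $cname.NameHost.TrimEnd('.') } else { $null }
            [pscustomobject]@{
                Name     = $name
                Expected = $expected[$name]
                Actual   = $actual
                OK       = ($actual -eq $expected[$name])
            }
        }
    }
}

Test-IntuneDns -Suffixes $UpnSuffixes -AdfsFqdn $AdfsFqdn | Format-Table -AutoSize
```

Every row must show OK = True from a client that will enroll; a missing enterpriseregistration record makes Workplace registration fail, a missing enterpriseenrollment record makes the Company Portal unable to find the enrollment server.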

Test:

You can test whether SSO is working. Go to http://manage.microsoft.com or http://portal.manage.microsoft.com and sign in with your on-premise username with the UPN suffix. The website recognizes your UPN suffix as federated and forwards you automatically to the on-premise ADFS website to log in. After that you are automatically logged in on Windows Intune and land in the console.

That’s all folks. If you have any questions or comments about this blog, please don’t hesitate to leave a message or send me a mail.