Migrate Office 365 Relying Party Trust to Different ADFS Farm

To migrate Office 365 Relying Party Trust from an existing ADFS Farm to new ADFS Farm, follow the step by step guide. Migrating Office 365 Relying Party Trust will incur a minor disruption to SSO environment.

Prerequisites:

  • Existing ADFS Farm with FQDN sts.domain.com
  • New ADFS Farm with FQDN sts1.domain.com
  • Existing Certificate CN=sts.domain.com or a wildcard certificate
  • New certificate with CN=sts1.domain.com
  • New public IP address for the public CNAME sts1.domain.com
  • A public CNAME record sts1.domain.com
  • An internal CNAME record sts1.domain.com

Note: keep the existing AAD Connect unless you have a requirement to build a new one.

Here are the steps:

Step1: Verify AAD Connect Configuration

  • Open AAD Connect, View Sign-in Option.
  • Check AAD Connect Wizard to make sure you did not configure “Federation with ADFS” Sign-in option. If you have done so then run AAD Connect Wizard again and replace the certificate and ADFS farm details to new ADFS server sts1.domain.com

Step2: Build ADFS and WAP Servers

Build a new ADFS farm side by side with an existing ADFS farm. It would be redundant effort to write another blog. Please follow my previous blog to deploy ADFS and WAP.

Building Multiple ADFS Farms in a Single Forest

Deploy Web Application Proxy Role in Windows Server 2012 R2 –Part I

Branding and Customizing the ADFS Sign-in Pages

Step3: Test SSO

Log on to the https://sts.domain.com/adfs/ls/idpinitiatedsignon.aspx using on-premises credentials to make sure you can single sign-on.

Step4: Gather list of existing federated domains from existing ADFS Farm

Log on to the existing primary ADFS Server, Open PowerShell as an Administrator, execute the following cmdlets.

$cred=Get-Credential

Connect-MsolService –Credential $cred

Get-MsolDomain

Record a list of Federated Domains.

Step5: Update Office 365 RP within the new ADFS Farm

Log on to the new primary ADFS Server, Open PowerShell as an Administrator, execute the following cmdlets.

$cred=Get-Credential

Connect-MsolService –Credential $cred

Update-MsolFederatedDomain –DomaiName “Domain.com” –SupportMultipleDomain –Confirm  Execute Update-MsolFederatedDomain Cmdlets if you have additional federated domains such as DomainB.com

GetMsolDomain

Open ADFS Management Console, Make sure Office 365 RP has been created with necessary tokens and permissions. If necessary, clone all incoming and outgoing claims and permission from previous ADFS farm to new ADFS Farm and apply to the newly created Office 365 RP.

Step6: Test SSOOnce you have completed the Step5, wait for Microsoft to update their backend Identity and Federation systems. In my previous implementation work, it took 30 minutes the change to take effect.  Sign on to portal.office.com; you will be redirected to https://sts1.domain.com to authenticate. Once you have sign-in successfully, you have completed the migration work.

Step7: New AAD Connect Server (Optional)Check step1 before running AAD Connect Wizard and reconfigure sign-in options. If you need to change sign-in options, please follow the guide to change Sign-in Option.

Relevant Articles:

Upgrading AD FS to Windows Server 2016 FBL

Deploy Web Application Proxy Role in Windows Server 2012 R2 –Part II

Building Multiple ADFS Farms in a Single Forest

Let’s paint a picture, you have an unique requirement to build multiple ADFS farms. you have a fully functional hybrid environment with EXO. you do not want to modify AAD connect and existing ADFS servers. But you want several SaaS applications use different ADFS farm with MFA but their identity is managed by the same Active Directory forest used by existing ADFS farm.

Here is the existing infrastructure:

  • 1 single forest with multiple hybrid UPNs (domainA.com, domainB.com, domainC.com and many…)
  • 2x ADFS servers (sts1.domainA.com)
  • 2X WAP 2012 R2 cluster
  • 1x AAD Connect
  • 1X Office 365 Tenant with several federated domains (domainA.com, domainB.com, domainC.com and many….)
  • 1x public CNAME sts1.domainA.com

Above configuration is working perfectly.

Now you would like to build a separate ADFS 2016 farm with WAP 2016 cluster for SaaS applications. This ADFS 2016 farm will be dedicated to authenticate these SaaS applications. you would also like to turn on MFA on ADFS 2016. Add new public authentication endpoint such as sts2.domainA.com for ADFS 2016 farm.

End goal is that once user hit https://tenant.SaaSApp.com/ it will redirect them to sts2.domain.com and prompt for on-prem AD credentials and MFA if they are accessing from public network.

New ADFS 2016 infrastructure in the same forest and domain:

  • 2X ADFS 2016 Servers (sts2.domainA.com)
  • 2X WAP 2016 Servers
  • 1 X separate public IP for sts2.domainA.com
  • 1X public CNAME for sts2.domainA.com
  • 1X Private CNAME for sts2.domainA.com

Important Note: You have to prepare Active Directory schema to use ADFS 2016 functional level. No action/tasks necessary in existing ADFS 2012 R2 environment.

Guidelines and referrals to build new environment.

Upgrading AD FS to Windows Server 2016 FBL

ADFS 4.0 Step by Step Guide: Federating with Workday

Branding and Customizing the ADFS Sign-in Pages

Deploy Web Application Proxy Role in Windows Server 2012 R2 –Part I

Deploy Web Application Proxy Role in Windows Server 2012 R2 –Part II

Branding and Customizing the ADFS Sign-in Pages

Branding and promoting Company name and logos are common business practices. You would like to see your own brand whilst signing into to Microsoft Office 365. ADFS provides opportunity for businesses to customize sign in page and promote own brand. Here are the simple steps and procedure to brand ADFS sign in page.

Remote into ADFS Server and implement below steps to customize ADFS Portal.

Change company name

Import-Module ADFS

Set-AdfsGlobalWebContent –CompanyName “Domain Corp”

Change company logo

Create a logo with 260×35 pixels @ 96 dpi with a file size of no greater than 10 KB and save the file into a path e.g. C:\Domain\logo.png. Then execute the PowerShell.

Set-AdfsWebTheme -TargetName default -Logo @{path=”c:\Domain\logo.png”}

Change Illustration

Create an illustration photo to be displayed on the left hand side of the sign in page. Photoshop illustration.png file to be 1420×1080 pixels @ 96 DPI with a file size of no greater than 200 KB.

Set-AdfsWebTheme -TargetName default -Illustration @{path=”c:\Domain\illustration.png”}

Add sign-in page description

Set-AdfsGlobalWebContent -SignInPageDescriptionText “<p>Sign-in to Domain Corp requires you comply with corporate information uses policy. Click <A href=’http://www.Domain.com/policies/’>here</A&gt; for more information.</p>”

Add Help Desk Link

Set-AdfsGlobalWebContent -HelpDeskLink https://www.Domain.com/help/ -HelpDeskLinkText Help

Add Home Link

Set-AdfsGlobalWebContent -HomeLink https://www.Domain.com/home/ -HomeLinkText Home

Add Privacy Link

Set-AdfsGlobalWebContent -PrivacyLink https://www.Domain.com/privacy/ -PrivacyLinkText Privacy

Customize the Update Password page description

Set-AdfsGlobalWebContent -UpdatePasswordPageDescriptionText “This is the Domain Corp Update Password page.”

Customise error page

Set-AdfsGlobalWebContent -ErrorPageGenericErrorMessage “This is a generic error message.  Contact Domain Corp IT Support on 123466 for assistance.”

Build Custom theme

Export current theme using below Cmdlets.

Export-AdfsWebTheme -Name default -DirectoryPath c:\Domain\Theme\Custom

Replace existing theme with Custom Theme.

New-AdfsWebTheme -Name Custom -SourceName default

Open the script file you downloaded from “C:\Domain\Theme\Custom\script\onload.js” in Notepad

Add this line at the bottom of the script to change the placeholder text in the username input box

document.forms[‘loginForm’].UserName.placeholder = ‘username@domain.com’;

Add these blue lines at the bottom of the script to add a text above the login form, this is an example from Microsoft that you can find further down

// Sample code to update the username format test “someone@example.com”.

var userNameInput = document.getElementById(Login.userNameInput);
if (userNameInput) {
// userNameInput element is present, modify its properties.
userNameInput.setAttribute(‘placeholder’, ‘Corp UserName OR EmailAddress’);
}

// Sample code to change “Sign in with organizational account” string.

// Check whether the loginMessage element is present on this page.
var loginMessage = document.getElementById(‘loginMessage’);
if (loginMessage)
{
// loginMessage element is present, modify its properties.
loginMessage.innerHTML = ‘Sign in with your company email address OR Corp UserName and password’;
}

var AppendUPN = function () {
var userName = document.getElementById(Login.userNameInput);

if ((/^\d+$/.test(userName.value)) && userName.value.length == 6)
{
userName.value = ‘Corp\\’ + userName.value;
}
return true;
}

document.getElementById(‘submitButton’).onclick = new Function(“AppendUPN();return Login.submitLoginRequest();”);
document.getElementById(‘loginForm’).onkeypress = function(event){ if(event && event.keyCode == 13) {AppendUPN();Login.submitLoginRequest()}};

When you are done and save changes. Upload the changes to the newly created theme

Set-AdfsWebTheme -TargetName Custom -AdditionalFileResource @{Uri=’/adfs/portal/script/onload.js’; path=”c:\Domain\Theme\Custom\script\onload.js”}

Now apply the changes with this command

Set-AdfsWebConfig -ActiveThemeName Custom

Use these commands to verify your settings

Get-AdfsWebConfig

Get-AdfsGlobalWebContent