Migrate Office 365 Relying Party Trust to Different ADFS Farm

To migrate Office 365 Relying Party Trust from an existing ADFS Farm to new ADFS Farm, follow the step by step guide. Migrating Office 365 Relying Party Trust will incur a minor disruption to SSO environment.


  • Existing ADFS Farm with FQDN sts.domain.com
  • New ADFS Farm with FQDN sts1.domain.com
  • Existing Certificate CN=sts.domain.com or a wildcard certificate
  • New certificate with CN=sts1.domain.com
  • New public IP address for the public CNAME sts1.domain.com
  • A public CNAME record sts1.domain.com
  • An internal CNAME record sts1.domain.com

Note: keep the existing AAD Connect unless you have a requirement to build a new one.

Here are the steps:

Step1: Verify AAD Connect Configuration

  • Open AAD Connect, View Sign-in Option.
  • Check AAD Connect Wizard to make sure you did not configure “Federation with ADFS” Sign-in option. If you have done so then run AAD Connect Wizard again and replace the certificate and ADFS farm details to new ADFS server sts1.domain.com

Step2: Build ADFS and WAP Servers

Build a new ADFS farm side by side with an existing ADFS farm. It would be redundant effort to write another blog. Please follow my previous blog to deploy ADFS and WAP.

Building Multiple ADFS Farms in a Single Forest

Deploy Web Application Proxy Role in Windows Server 2012 R2 –Part I

Branding and Customizing the ADFS Sign-in Pages

Step3: Test SSO

Log on to the https://sts.domain.com/adfs/ls/idpinitiatedsignon.aspx using on-premises credentials to make sure you can single sign-on.

Step4: Gather list of existing federated domains from existing ADFS Farm

Log on to the existing primary ADFS Server, Open PowerShell as an Administrator, execute the following cmdlets.


Connect-MsolService –Credential $cred


Record a list of Federated Domains.

Step5: Update Office 365 RP within the new ADFS Farm

Log on to the new primary ADFS Server, Open PowerShell as an Administrator, execute the following cmdlets.


Connect-MsolService –Credential $cred

Update-MsolFederatedDomain –DomaiName “Domain.com” –SupportMultipleDomain –Confirm  Execute Update-MsolFederatedDomain Cmdlets if you have additional federated domains such as DomainB.com


Open ADFS Management Console, Make sure Office 365 RP has been created with necessary tokens and permissions. If necessary, clone all incoming and outgoing claims and permission from previous ADFS farm to new ADFS Farm and apply to the newly created Office 365 RP.

Step6: Test SSOOnce you have completed the Step5, wait for Microsoft to update their backend Identity and Federation systems. In my previous implementation work, it took 30 minutes the change to take effect.  Sign on to portal.office.com; you will be redirected to https://sts1.domain.com to authenticate. Once you have sign-in successfully, you have completed the migration work.

Step7: New AAD Connect Server (Optional)Check step1 before running AAD Connect Wizard and reconfigure sign-in options. If you need to change sign-in options, please follow the guide to change Sign-in Option.

Relevant Articles:

Upgrading AD FS to Windows Server 2016 FBL

Deploy Web Application Proxy Role in Windows Server 2012 R2 –Part II

Deploy Work Folder in Azure Cloud

The concept of Work Folder is to store user’s data in a convenient location. User can access the work folder from BYOD and Corporate SOE from anywhere. The work folder facilitate flexible use of corporate information securely from supported devices. The work folder can be deployed on-premises and in Azure Cloud. In this article, I will demonstrate how to deploy Work Folder in Azure. Before that, let’s start with application of Work Folder.

Applications of Work Folder in Corporate Environment

  • Provide a single point of access to work files from a user’s work and personal devices
  • Access the work files online and offline. While accessing offline, the data can be synced back to the Sync Server when the device connected to internet or intranet again
  • Deploy with existing deployments of Folder Redirection, Offline Files, and home folders
  • Use Windows File Server, SMB Share and other CIFS share for example NetApp CIFS share
  • Use file classification and folder quotas, to manage user data
  • Apply security policy and encryption to encrypt Work Folders and use a lock screen password
  • Use Microsoft Failover Clustering with Work Folders to provide a high-availability solution

Enhanced Functionality:

  • Azure AD Application Proxy support
  • Faster change replication
  • Integrated with Windows Information Protection (WIP)
  • Microsoft Office integration

Supported Environment:

  • NetApp CIFS, Windows File Server or Windows SMB Storage as the UNC path of Sync Share
  • Windows Server 2012 R2 or Windows Server 2016 for hosting sync shares with user files
  • A public certificate or internal certificate domain joined computer
  • Windows Server 2012 R2 level AD DS Schema
  • Windows 10 version 1703,
  • Android 4.4 KitKat and later
  • iOS 10.2 and later

Internal DNS records (CNAME records)

  • workfolders.domain.com pointed to syncserver1.domain.com and sycserver2.domain.com
  • sts.domain.com point to ADFS Servers
  • enterpriseregistration.domain.com pointed to ADFS servers

Internal DNS records (Host A Record)

  • syncserver1.domain.com
  • syncserver2.domain.com

Publishing Work Folder for mobile workforce

  • Access from Internet or use Azure Credentials
  • Web Application Proxy
  • Active Directory Federation Services (AD FS) with public DNS record sts.domain.com and enterpriseregistration.domain.com
  • A public DNS record i.e. CNAME = workfolders.domain.com
  • A public certificate from a public CA i.e. CN= workfolders.domain.com SAN=syncserver1.domain.com, syncserver2work.domain.com. There must be private key associated with the certificate which means the certificate must in pfx format before importing into the sync servers.

Deploy Work Folder Server

  1. Log on to Azure Portal, Deploy a Windows Server 2016 from Azure Marketplace. Since we will be using this VM for Sync Share. I would recommend selecting an L series VM which storage optimised VM.
  2. Once the VM is provisioned, attached premium data disk for high I/O and low latency file store.
  3. Build a Windows Server 2016, Configure TCP/IP and Join the server to the domain
  4. Remote into the server using domain admins credential. Open the Add Roles and Features Wizard.
  5. On the Select installation type page, choose Role-based or feature-based deployment.
  6. On the Select destination server page, select the server on which you want to install Work Folders.
  7. On the Select server roles page, expand File and Storage Services, expand File and iSCSI Services, and then select Work Folders.
  8. When asked if you want to install IIS Hostable Web Core, click Ok to install the minimal version of Internet Information Services (IIS) required by Work Folders.
  9. Click Next until you have completed the wizard.
  10. Repeat the steps for all Work Folder Servers.

Install Certificate on the Work Folder Server

  1. On the Windows server 2016 where you want to install the SSL certificate, open the Console.
  2. In the Windows start menu, type mmc and open it.
  3. In the Console window, in the top menu, click File > Add/Remove Snap-in.
  4. In the Add or Remove Snap-ins window, in the Available snap-ins pane (left side), select Certificates and then click Add
  5. In the Certificate snap-in window, select Computer account and then click Next
  6. In the Select Computer window, select Local computer: (the computer this console is running on), and then click Finish
  7. In the Add or Remove Snap-ins window, click OK.
  8. In the Console window, in the Console Root pane (left side), expand Certificates (Local Computer), right-click on the Web Hosting folder, and then click All Tasks > Import.
  9. In the Certificate Import Wizard, on the Welcome to the Certificate Import Wizard page, click Next.
  10. On the File to Import page, browse to and select the file that you want import and then, click Next.
  11. Notes: In the File Explorer window, in the file type drop-down, make sure to select All Files (*.*). By default, it is set to search for 509 Certificate (*.cert;*.crt) file types only.
  12. On the Private key protection page, provide the password when you exported the certificate, check Mark the Private Key exportable for future use, and check import all extended properties.
  13. On the Certificate Store page, do the following and then click Next, Select Place all certificates in the following store and click Browse.
  14. In the Select Certificate Store window, select Web Hosting and click OK.
  15. On the Completing the Certificate Import Wizard page, verify that the settings are correct and then, click Finish.
  16. Repeat the steps for all Work Folder Servers.

Bind the Certificate:

  1. Log on to a jump box where IIS Management Console is installed, Open IIS Management Console, Connect to Work Folder Server. Select the Default Web Site for that server. The Default Web Site will appear disabled, but you can still edit the bindings for the site and select the certificate to bind it to that web site.
  2. Use the netsh command to bind the certificate to the Default Web Site https interface. The command is as follows:

netsh http add sslcert ipport=<IP address of Sync Share Server>:443 certhash=<Cert thumbprint> appid={CE66697B-3AA0-49D1-BDBD-A25C8359FD5D} certstorename=MY

Create Active Directory Security Group

  1. You need minimum two AD security groups for Work Folder. One for Work Folder Admin and another for Work Folder Sync Share. For this article, let’s assume we have a Sync Share. We will create two Security Groups named FS-HRShareUser-SG and FS-HRShareAdmin-SG
  2. Make sure these security group scope is Global not Universal. In the Members section, click Add. The Select Users, Contacts, Computers, Service Accounts or Groups dialog box appears.

Create a Sync Share

  1. In Server Manager, click File and Storage Services, and then click Work Folders.
  2. A list of any existing sync shares is visible at the top of the details pane. To create a new sync share, from the Tasks menu choose New Sync Share…. The New Sync Share Wizard appears.
  3. On the Select the server and path page, specify where to store the sync share. If you already have a file share created for this user data, you can choose that share. Alternatively you can create a new folder.
  4. On the Specify the structure for user folders page, choose a naming convention for user folders within the sync share. Select either User alias or User alias@domain
  5. On the Enter the sync share name page, specify a name and a description for the sync share. This is not advertised on the network but is visible in Server Manager
  6. On the Grant sync access to groups page, specify the group that you created that lists the users allowed to use this sync share.
  7. On the Specify device policies page, specify whether to request any security restrictions on client PCs and devices. Select either Automatically lock screen, and require a password or Encrypt Work Folders based on your requirements.
  8. Review your selections and complete the wizard to create the sync share.

Setup a Tech Support Email Address

  1. In Server Manager, click File and Storage Services, and then click Servers.
  2. Right-click the sync server, and then click Work Folders Settings. The Work Folders Settings window appears.
  3. In the navigation pane, click Support Email and then type the email address or addresses that users should use when emailing for help with Work Folders. Click Ok when you’re

Publish Work Folder using ADFS Server

You can set up and configure the relying party trust for Work Folders, even though Work Folders hasn’t been set up yet. The relying party trust must be set up to enable Work Folders to use AD FS. Because you’re in the process of setting up AD FS, now is a good time to do this step.

To set up the relying party trust:

  1. Log on to ADFS Server. Open Server Manager, on the Tools menu, select AD FS Management.
  2. In the right-hand pane, under Actions, click Add Relying Party Trust.
  3. On the Welcome page, select Claims aware and click Start.
  4. On the Select Data Source page, select Enter data about the relying party manually, and then click Next.
  5. In the Display name field, enter WorkFolders, and then click Next.
  6. On the Configure Certificate page, click Next..
  7. On the Configure URL page, click Next.
  8. On the Configure Identifiers page, add the following identifier: https://workfolders.domain.com/V1. This identifier is a hard-coded value used by Work Folders, and is sent by the Work Folders service when it is communicating with AD FS. Click Next.
  9. On the Choose Access Control Policy page, select Permit Everyone, and then click Next.
  10. On the Ready to Add Trust page, click Next.
  11. After the configuration is finished, the last page of the wizard indicates that the configuration was successful. Select the checkbox for editing the claims rules, and click Close.
  12. In the AD FS snap-in, select the WorkFolders relying party trust and click Edit Claim Issuance Policy under Actions.
  13. The Edit Claim Issuance Policy for WorkFolders window opens. Click Add rule.
  14. In the Claim rule template drop-down list, select Send LDAP Attributes as Claims, and click Next.
  15. On the Configure Claim Rule page, in the Claim rule name field, enter WorkFolders.
  16. In the Attribute store drop-down list, select Active Directory.
  17. In the mapping table, enter these values:
    • User-Principal-Name: UPN
    • Display Name: Name
    • Surname: Surname
    • Given-Name: Given Name
  18. Click Finish. You’ll see the WorkFolders rule listed on the Issuance Transform Rules tab and click OK.
  19. In the AD FS snap-in, select the WorkFolders relying party trust, On the properties, choose the Encryption tab, Remove the certificate encryption
  20. Choose the Signature tab and make sure the Work Folder Certificate was imported
  21. Click Apply, Click Ok.

Set relying part trust options

These commands set options that are needed for Work Folders to communicate successfully with AD FS, and can’t be set through the UI. These options are:

  • Enable the use of JSON web tokens (JWTs)
  • Disable encrypted claims
  • Enable auto-update
  • Set the issuing of Oauth refresh tokens to All Devices.
  • Grant clients access to the relying party trust

Set-ADFSRelyingPartyTrust -TargetIdentifier “https://workfolders.domain.com/V1&#8221; -EnableJWT $true

Set-ADFSRelyingPartyTrust -TargetIdentifier “https://workfolders.domain.com/V1&#8221; -Encryptclaims $false

Set-ADFSRelyingPartyTrust -TargetIdentifier “https://workfolders.domain.com/V1&#8221; -AutoupdateEnabled $true

Set-ADFSRelyingPartyTrust -TargetIdentifier “https://workfolders.domain.com/V1&#8221; -IssueOAuthRefreshTokensTo AllDevices

Grant-AdfsApplicationPermission -ServerRoleIdentifier “https://workfolders.domain.com/V1&#8221; –AllowAllRegisteredClients

Enable Workplace Join

To enable device registration for Workplace Join, you must run the following Windows PowerShell commands, which will configure device registration and set the global authentication policy:

Initialize-ADDeviceRegistration -ServiceAccountName domain\svc-adfsservices$

Set-ADFSGlobalAuthenticationPolicy -DeviceAuthenticationEnabled $true

Set up AD FS authentication

To configure Work Folders to use AD FS for authentication, follow these steps:

  1. Log on to Sync Share Server. Open Server Manager.
  2. Click Servers, and then select your Work Folders server in the list.
  3. Right-click the server name, and click Work Folders Settings.
  4. In the Work Folder Settings window, select Active Directory Federation Services, and type in the ADFS URL. Click Apply. In the test example, the URL is https://sts.domain.com.

Publish the Work Folders web application

The next step is to publish a web application that will make Work Folders available to clients. To publish the Work Folders web application, follow these steps:

  1. Import Work Folder Certificate into WAP Servers
  2. Open Server Manager, and on the Tools menu, click Remote Access Management to open the Remote Access Management Console.
  3. Under Configuration, click Web Application Proxy.
  4. Under Tasks, click Publish. The Publish New Application Wizard opens.
  5. On the Welcome page, click Next.
  6. On the Preauthentication page, select Active Directory Federation Services (AD FS), and click Next.
  7. On the Support Clients page, select OAuth2, and click Next.
  8. On the Relying Party page, select Work Folders, and then click Next. This list is published to the Web Application Proxy from AD FS.
  9. On the Publishing Settings page, enter the following and then click Next, use these values:
  1. The confirmation page shows the Windows PowerShell command that will execute to publish the application. Click Publish.
  2. On the Results page, you should see the application was published successfully.

Configure Work Folders on the client

To configure Work Folders on the non-domain join client machine, follow these steps:

  1. On the client machine, open Control Panel and click Work Folders.
  1. Click Set up Work Folders.
  1. On the Enter your work email address page, enter either the user’s email address (for example, user@domain.com) or the Work Folders URL (in the test example, https://workfolders.domain.com), and then click Next.
  2. If the user is connected to the corporate network, the authentication is performed by Windows Integrated Authentication. If the user is not connected to the corporate network, the authentication is performed by ADFS (OAuth) and the user will be prompted for credentials. Enter your credentials and click OK.
  3. After you have authenticated, Click Next.
  4. The Security Policies page lists the security policies that you set up for Work Folders. Click Next.
  5. A message is displayed stating that Work Folders has started syncing with your PC. Click Close.
  6. The Manage Work Folders page shows the amount of space available on the server, sync status, and so on. If necessary, you can re-enter your credentials here. Close the window.
  7. Your Work Folders folder opens automatically. You can add content to this folder to sync between your devices.

To configure Work Folders on the domain joined client machine, follow these steps:

  1. Configure using GPO, use Go to User Configuration > Administrative Templates > Windows Components > Work Folders > Specify Work Folders settings.
  2. Specify Work Folder URL as workfolders.domain.com
  3. Apply the GPO to selected OU.

Relevant Article:

Work Folder FAQ

NetApp CIFS shares not mounting to Windows Server 2012


Configure Azure B2B, Azure Rights Management for on-premises SharePoint, Exchange and File server

Azure Information Protection (Azure RMS) is an enterprise information protection solution for any organization. Azure RMS provides classification, labeling, and protection of organization’s data.

Note: This deployment also enables Azure B2B access for the Published Applications in Azure AD.

Azure Prerequisites

  • A subscription that includes Azure Information Protection. For example, PAYG, EA or E5
  • A global administrator account (@domain.onmicrosoft.com) to sign in to the Azure portal

Minimum On-premises Prerequisites

  • An operational Active Directory Federation Services
  • An operational Azure Active Directory Connect
  • An Active Directory Domain Controller
  • An RMS Connector Server
  • RMS Client version 2.1 or above installed on the SharePoint or File Server or Exchange Server
  • Azure Information Protection for Microsoft Office 2016
  • A matching UPN (dmain.com) which has been federated to Azure AD
  • Publicly routable domains name (domain.com)
  • Publicly routable DNS Records (spirm.domain.com, sts.domain.com)
  • Public certificates with SAN or an wild card certificate
  • Public certificate must have private key or PFX format
  • An operational SharePoint or File Server or Exchange Server to be protected by Azure RMS

Deploy On-prem Infrastructures:

  1. Register and verify domain.com to Azure ARM Portal
  2. Install and configure Active Directory Federation Services
  3. Install and configure Web Application Proxy Server
  • Install and configure Azure Active Directory Connect. AAD Connect installation pretty straight forward. To use Azure RMS you have to select three extra steps in AAD Connect. Either you can modify existing configuration to the below or if you are installing from scratch then you have to select an additional features. To provide the RMS functionality to synced users, Azure RMS has been selected in AAD Connect Wizard along with the Azure AD Apps.
  • On the AAD Connect Installation Page, click Customize to start a customized settings installation.
  • On User Signin Page Select Federation With ADFS.
  • On the Optional feature Page, Select Azure AD App and Attribute Filtering. Make sure you select all features which include Azure RMS
  1. Activate Azure RMS
  • Sign to Azure Portal using a Global Admin user (@domain.onmicrosoft.com)
  • Open Azure Information Protection, Click RMS Settings, Click Activate.
  1. If you are protecting SharePoint Server then you have to the additional steps on ADFS Server and SharePoint Server mentioned below.

Internal CNAME DNS record:

  • domain.com pointed to ADFS Server
  • domain.com pointed to SP Server
  • domain.com pointed to RMS Connector Server

ADFS Configuration:

Add a Claim Provider Trust using Wizard, type the name of the Claim Provider as “AzureAD” Select the URL to import metadata from https://login.microsoftonline.com/domain.onmicrosoft.com/federationmetadata/2007-06/federationmetadata.xml

Right Click on the the Azure AD Claim Provider, Edit Claim Rule and Add a custom claim rule

c:[]  => issue(claim = c);

 Add SharePoint 2013/2016 as a Relying Party Trust with the below properties:

Method to Add RP: Manual

Name: SP

RP Identifier: urn:sharepoint:domain

Enable WS-Federation and provide the following passive reply url: https://spirm.domain.com /_trust/

 Add two Claim Rules

UPN Claim Rule

c:[Type == “http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name”%5D
 => issue(Type = “http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn&#8221;, Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType);

B2B User Claim Rule

c:[Type == “http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress”%5D
 => issue(Type = “http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn&#8221;, Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType);

Specify AzureAD as SharePoint 2013 Claim Provider

Set-AdfsRelyingPartyTrust -TargetName “SP”  -ClaimsProviderName @(“AzureAD”)

Specify Claim Provider for Internal Users:

Set-AdfsProperties -IntranetUseLocalClaimsProvider $true

Add Azure Web Application:

Log on to portal.azure.com, Click Azure AD, On the App registration section, Register an Azure Web Application using the below parameter:

Grant Access to Azure AD user and B2B User to this Application

  • Sign in to the Azure Active Directory admin center with an account that’s a global admin for the directory.
  • Select Azure Active Directory and then Users and groups.
  • On the Users and groups blade, select All users, and then select New Guest user.
  • Go back to newly registered App, Assign access permission to the guest user

Assign RMS Licenses to Azure B2B users:


$AccountSkuId = “domain:ENTERPRISEPACK”

$UsageLocation = “AU”

$Users = Import-Csv c:\temp\userlist.csv

$Users | ForEach-Object {

Set-MsolUser -UserPrincipalName $_.UserPrincipalName -UsageLocation $UsageLocation

Set-MsolUserLicense -UserPrincipalName $_.UserPrincipalName -AddLicenses $AccountSkuId


Where userlist.csv contain userprincipal name or B2B username in first column. Further references.

Azure Licenses for B2B user https://docs.microsoft.com/en-us/azure/active-directory/active-directory-b2b-licensing

Configure Right Management Connector

  • Download Rights Management Connector on the server where you are going to install the Connector.
  • Create a Service account in Windows Active Directory with federated UPN SVCRMS@domain.com
  • SVCRMS@domain.com is AAD Synced Account.
  • Open AD users and Computers, Add SVCRMS@domain.com as a member of domain admins group.
  • Sign into Azure Portal, Assign SVCRMS@domain.com as global admin, Azure RightsManagement global administrator
  • On the computer on which you want to install the RMS connector, run exe with Administrator privileges. When prompted for credential use SVCRMS@domain.com account and alphanumeric password.

Note: do not install RMS connector on Exchange, File and SharePoint Server.

SharePoint Specific Configuration: Reference1 and reference2

Add-PSSnapIn Microsoft.SharePoint.PowerShell

$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2(“c:\ADFSCertificates\STSTokenSigning.cer”)

New-SPTrustedRootAuthority -Name “Token Signing Cert” -Certificate $cert

$emailClaimMap = New-SPClaimTypeMapping -IncomingClaimType “http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress” -IncomingClaimTypeDisplayName “EmailAddress” -SameAsIncoming

$upnClaimMap = New-SPClaimTypeMapping -IncomingClaimType “http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn” -IncomingClaimTypeDisplayName “UPN” -SameAsIncoming

$roleClaimMap = New-SPClaimTypeMapping -IncomingClaimType “http://schemas.microsoft.com/ws/2008/06/identity/claims/role” -IncomingClaimTypeDisplayName “Role” -SameAsIncoming

$sidClaimMap = New-SPClaimTypeMapping -IncomingClaimType “http://schemas.microsoft.com/ws/2008/06/identity/claims/primarysid” -IncomingClaimTypeDisplayName “SID” -SameAsIncoming

$realm = “urn:sharepoint:dealdocs”

$signInURL = “https://sts.dealdocs.com/adfs/ls/”

$ap = New-SPTrustedIdentityTokenIssuer -Name “ADFS” -Description “AD Federation Server” -realm $realm -ImportTrustCertificate $cert -ClaimsMappings $emailClaimMap,$upnClaimMap,$roleClaimMap,$sidClaimMap -SignInUrl “https://sts.dealdocs.com/adfs/ls/” -IdentifierClaim $emailClaimmap.InputClaimType

Download and run GenConnectorConfig.ps1  the below command on SP Server. This command automate changes in registry values.

.\GenConnectorConfig.ps1 -ConnectorUri https://rmsconnector.contoso.com -SetSharePoint2013

Configure RMS Connector for SharePoint Server

  1. On the SharePoint Central Administration Web site, in the Quick Launch, click Security.
  2. On the Security page, in the Information Policy section, click Configure information rights management.
  3. On the Information Rights Management page, in the Information Rights Management section, select Use this RMS server type https://rmsconnector.domain.com).
  4. Click OK.
  5. Next step Add users to SharePoint Library

For Exchange Server, Download and run GenConnectorConfig.ps1  on Exchange Server

.\GenConnectorConfig.ps1 -ConnectorUri https://rmsconnector.contoso.com -SetExchange2013

Run the below command in Exchange Server

Set-IRMConfiguration -InternalLicensingEnabled $true

For File Server Download and run GenConnectorConfig.ps1  on File Server

.\GenConnectorConfig.ps1 -ConnectorUri https://rmsconnector.contoso.com -SetFCI2012

Create classification rules and file management tasks to protect documents with RMS Encryption.


  • Download Azure Information Protection  and protect a document for B2B user
  • Upload the document into SharePoint Library
  • Request the B2B user to access from the invitation you have sent.

Building Multiple ADFS Farms in a Single Forest

Let’s paint a picture, you have an unique requirement to build multiple ADFS farms. you have a fully functional hybrid environment with EXO. you do not want to modify AAD connect and existing ADFS servers. But you want several SaaS applications use different ADFS farm with MFA but their identity is managed by the same Active Directory forest used by existing ADFS farm.

Here is the existing infrastructure:

  • 1 single forest with multiple hybrid UPNs (domainA.com, domainB.com, domainC.com and many…)
  • 2x ADFS servers (sts1.domainA.com)
  • 2X WAP 2012 R2 cluster
  • 1x AAD Connect
  • 1X Office 365 Tenant with several federated domains (domainA.com, domainB.com, domainC.com and many….)
  • 1x public CNAME sts1.domainA.com

Above configuration is working perfectly.

Now you would like to build a separate ADFS 2016 farm with WAP 2016 cluster for SaaS applications. This ADFS 2016 farm will be dedicated to authenticate these SaaS applications. you would also like to turn on MFA on ADFS 2016. Add new public authentication endpoint such as sts2.domainA.com for ADFS 2016 farm.

End goal is that once user hit https://tenant.SaaSApp.com/ it will redirect them to sts2.domain.com and prompt for on-prem AD credentials and MFA if they are accessing from public network.

New ADFS 2016 infrastructure in the same forest and domain:

  • 2X ADFS 2016 Servers (sts2.domainA.com)
  • 2X WAP 2016 Servers
  • 1 X separate public IP for sts2.domainA.com
  • 1X public CNAME for sts2.domainA.com
  • 1X Private CNAME for sts2.domainA.com

Important Note: You have to prepare Active Directory schema to use ADFS 2016 functional level. No action/tasks necessary in existing ADFS 2012 R2 environment.

Guidelines and referrals to build new environment.

Upgrading AD FS to Windows Server 2016 FBL

ADFS 4.0 Step by Step Guide: Federating with Workday

Branding and Customizing the ADFS Sign-in Pages

Deploy Web Application Proxy Role in Windows Server 2012 R2 –Part I

Deploy Web Application Proxy Role in Windows Server 2012 R2 –Part II

Office 365 Hybrid Deployment with Exchange 2016 Step by Step

Hybrid Configuration Business Case.

  • On-premises IRM- Information Rights Management (IRM) enables users to apply Active Directory Rights Management Services (AD RMS) templates to messages that they send.
  • Antispam and malware protection- Mailboxes moved to Office 365 are automatically provided with antivirus and anti-spam protection by Exchange Online Protection (EOP), a service provided by Office 365. However, for corporate compliance reason, mail must flow through via on-premises anti-spam and firewall devices.
  • Public Folder- You have on-premises public folder and you would like to retain on-premises public folder.
  • Legacy Application- You have legacy applications that only support localised email server instead internet based email server
  • On-prem UM- You have on-premises unified messaging infrastructure or telephony systems that only communicate with localised email servers
  • Use of current CAPEX- You want to utilise current on-premises investment until the equipment expires and you are not ready to move into cloud completely.

In a hybrid deployment when you connect your Office 365 Exchange Online organization to your existing on-premises Exchange organization using the Hybrid Configuration wizard. After configuring the hybrid deployment, the following features are enabled:

  • Secure mail routing between on-premises between the organizations.
  • Mail routing with a shared domain namespace. For example, both on-premises and Exchange Online organizations use the @domain.com SMTP domain.
  • A unified global address list (GAL), also called a “shared address book,” showing full details of recipients.
  • Free/busy calendar information sharing between the organizations.
  • Centralized control of inbound and outbound mail flow. You can configure all inbound and outbound Exchange Online messages to be routed through the on-premises Exchange organization.
  • A single Outlook on the web URL for both the organizations.
  • Automatic Exchange ActiveSync profile redirection when mailboxes are moved to Office 365 (dependent on device support).
  • The ability to move on-premises mailboxes to the Exchange Online organization and vice versa.
  • Centralized mailbox management using the on-premises Exchange Administration Center (EAC).
  • Message tracking, internal MailTips and Out of Office replies, and multi-mailbox search between the organizations.
  • Cloud-based message archiving for on-premises Exchange mailboxes. Exchange Online Archiving can be used with a hybrid deployment

A hybrid deployment involves several different services and components:

  • Exchange 2016 Servers-   The Exchange 2016 Mailbox server role is required in your on-premises Exchange organization. All on-premises Exchange 2016 servers need to have the latest release of Exchange 2016, or the release immediately prior to the current release, installed to support hybrid functionality with Office 365.
  • Office 365-   Hybrid deployments are supported with Office 365 Enterprise, Government and Academic plans.
  • Hybrid Configuration wizard-   Exchange 2016 includes the Hybrid Configuration wizard which provides you with a streamlined process to configure a hybrid deployment between on-premises Exchange and Exchange Online organizations.
  • Azure AD authentication system-   The Azure Active Directory (AD) authentication system is a free cloud-based service that acts as the trust broker between your on-premises Exchange 2016 organization and the Exchange Online organization. On-premises organizations configuring a hybrid deployment must have a federation trust with the Azure AD authentication system. The Hybrid Configuration wizard as part of configuring a hybrid deployment creates the federation trust. A federation trust with the Azure AD authentication system for your Office 365 tenant is automatically configured when you activate your Office 365 service account.
  • Azure Active Directory synchronization-   Azure AD synchronization uses Azure AD Connect to replicate on-premises Active Directory information for mail-enabled objects to the Office 365 organization to support the unified global address list (GAL) and user authentication. Organizations configuring a hybrid deployment need to deploy Azure AD Connect on a separate, on-premises server to synchronize your on-premises Active Directory with Office 365.
  • Active Directory Federation Services- AD FS provides simplified, secured identity federation and Web single sign-on (SSO) capabilities for end users who want to access applications within an AD FS-secured enterprise, in federation partner organizations, or in the cloud.
  • Web Application Proxy Server- The Web Application Proxy under the Remote Access role that allows administrators to securely publish applications for external access. This service acts as a reverse proxy and as an Active Directory Federation Services (AD FS) proxy.

Hybrid infrastructure

To be able to configure your current on-premises Exchange organization for a hybrid deployment, the following components are required.

Exchange Server 2016 with Mailbox Role EXCH2016
Exchange Server 2016 with Edge Transport Role EXCH2016EDGE
Windows Server 2016 with Azure Active Directory Connect (AAD Connect) Installed AADCONNECT
Active Directory Federation Server(s) ADFS2016
Web Application Proxy Server in perimeter EDGE2016
Domain Controller running on minimum Windows Server 2008 R2 DC01
Office 365 Subscriptions with default domain configured i.e. Service tenant FQDN Domain.onmicrosoft.com
Accepted Domain in Office 365 and On-premises Domain.com
On-premises domain type Authoritative
Office 365 Domain Type Internal Relay
User principal name domain and Microsoft Online ID domain @domain.com
External Azure AD Connect with AD FS FQDN sts.domain.com
On-premises Autodiscover FQDN Autodiscover.domain.com
Office 365 Autodiscover Autodiscover.outlook.com

Configuring Hybrid Exchange Server

Step1: Add and validate primary Email domain to Office 365

Perform the following steps to add the primary SMTP namespace to Office 365:

  1. Log on to: Office 365 admin center preview
  2. Click Settings > Domains > Add domain.
  3. Enter the primary SMTP namespace. For example, domain.com. Then, click Next.
  4. Copy the TXT record from the Wizard, go to domain management portal and add a text record ms=msxxxxxxx record and verify the domain. Setup TTL to 10 minutes. When complete, wait 10 minutes and then click Verify. If the wizard says it can’t verify your domain ownership, you might need to wait longer for your DNS records to update across the Internet; this might take several hours. Also verify that the record you created is correct.
  5. On the Required DNS settings page, click Continue setup. Don’t update your DNS records right now. Instead, you’ll update your DNS records later in your hybrid deployment.
  6. On the Set up your online services page, select I’ll manage my own DNS records and click Next.
  7. On the Update DNS settings page, select Skip this step – I have custom DNS records, so I’ll add the records I need later. I understand that some Office 365 services may be unavailable until I manually add the records with my registrar. Click Skip, and then click Finish.

Step2: Setup Primary SMTP Domain to Internal Relay

Definitions of Domain Type

Authoritative – Selecting this option means that email is delivered to email addresses that are listed for recipients in Office 365 for this domain. Emails for unknown recipients are rejected.

Internal relay – Selecting this option means that recipients for this domain can be in Office 365 or your on-premises mail servers. Email is delivered to known recipients in Office 365 or is relayed to your own email server if the recipients aren’t known to Office 365.

Use the Exchange Online EAC to change the domain type

  1. In the EAC, navigate to Mail flow > Accepted domains.
  2. Select the domain and click Edit .
  3. In the Accepted Domain window, in the This accepted domain is section, select the domain type. Edit the domain value to Internal relay.

Step3: Configure Active Directory synchronization

  1. Download Azure Active Directory Connect on the computer where you’ll install it, and then open it.
  2. On the Welcome page, click Next if you agree to the license terms and privacy notice.
  3. On the Express Settings page, click Customize.
  4. On the Install required components page, click Install.
  5. On the User sign-in page, select Federation with AD FS and then click Next.
  6. On the Connect to Azure AD page, enter the username and password for a user account that is a Global Administrator in your Office 365 organization , and then click Next.
  7. On the Connect your directories page, select the Active Directory forest that contains the Exchange organization you want to configure for hybrid deployment, and then enter the username and password for a user account that’s a member of the Enterprise Administrators group in that forest. Click Next.
  8. On the Domain and OU filtering page, select Sync all domains and OUs if you want to synchronize all of your on-premises Active Directory users to Office 365. If you want to select a specific organizational unit (OU), select Sync selected domains and OUs, and then select the Active Directory domains and OUs you want to synchronize. Click Next.
  9. On the Uniquely identifying your users page, make sure that Users are represented only once across all directories is selected, and then click Next.
  10. On the Filter users and devices page, make sure that Synchronize all users and devices is selected, and then click Next.
  11. On the Optional Features page, select Exchange hybrid deployment, and then click Next.
  12. On the AD FS farm page, select Configure a new Windows server 2016 AD FS farm.
  13. In the Certificate File field, browse to the third-party certificate that includes a subject alternative name (SAN) that matches the external FQDN of the AD FS server. This certificate needs to include a private key. In the Subject Name field, select the SAN you want to use, for example sts.domain.com. Click Next.
  14. On the AD FS Servers page, click Browse, select the name of the server where you’re installing Azure AD Connect with AD FS, and then click Add.
  15. On the Web application proxy servers page, click Browse, select the name of the server that will act as a web proxy for external connections, and then click Add.
  16. On the Proxy trust credentials page, enter the username and password of a user account that can access the certificate store on the AD FS server that contains the certificate you specified earlier in these steps, and then click Next.
  17. On the AD FS service account page, select Create a group Managed Service Account, enter the username and password for a user that’s a member of the Enterprise Admins group, and then click Next.
  18. On the Azure AD Domain page, select the domain that matches the custom domain that you added to your Office 365 organization and matches the User Principal Name users with which users will log in. For example, if you added the custom domain domain.com, and usernames are @domain.com, select domain.com from the list. Click Next.
  19. On the Ready to configure page, select Start the synchronization process as soon as the configuration completes, and then click Next.
  20. On the Configuration complete page, click Exit.
  21. Make sure that your firewall is configured to allow connections on TCP port 443 from external sources to your AD FS web proxy server.
  22. At this point, Azure AD Connect will synchronize your on-premises user accounts and their information to your Office 365 organization. Depending on how many accounts need to be synchronized, this might take a while.

Step4: Create Federation with Azure Active Directory

Remote into the Primary ADFS Server, Run the below cmdlets

Set-MsolAdfsContext -Computer “adfsserver.domain.com”
Convert-MsolDomainToFederated -Domain “domain.com” -SupportMultipleDomain

If you have multiple userprincipalname, you have run the below cmdlets to federate with Azure AD.
Convert-MsolDomainToFederated -Domain “domain1.com” -SupportMultipleDomain
Convert-MsolDomainToFederated -Domain “domain2.com” -SupportMultipleDomain
Update-MsolFederatedDomain -Domain “domain1.com” -SupportMultipleDomain
Update-MsolFederatedDomain -Domain “domain2.com” -SupportMultipleDomain

Further reading ADFS Configuration Guide

Step5: Verify tenant configuration

To create a mailbox in the Exchange Online organization, do the following:

  1. Open Active Directory Users and Computers on an Active Directory domain controller in your on-premises organization.
  2. Expand the container or organizational unit (OU) where you want to create a new Active Directory user.
  3. Click Action in the menu bar, and then click New > User.
  4. Enter the required user information. Because this user will be associated with a test mailbox, we recommend that you clearly identify the user as such. For example, name the user “Test User”.
  5. In the User logon name field, provide the user name that the user should specify when logging into their user account. This user name, combined with the user principal name (UPN) in the drop-down box next to the User logon name field, makes up the Microsoft Online Identity of the user. The Microsoft Online Identity typically matches the user’s email address, and the domain suffix chosen should match the federated domain configured in Active Directory Federation Services. For example, testuser@domain.com. Click Next.
  6. Enter a password for the new user, specify any options you want to set, and then click Next.
  7. Click Finish.
  8. Run delta synchronization to synchronize the new user to the Office 365 organization  using this PowerShell Cmdlet. Start-ADSyncSyncCycle -PolicyType Delta
  9. Log on to: Office 365 service administration portal
  10. Assign a E1 or E3 license to the new user.

Step6: Install Edge Transport server

The Edge Transport server role is typically deployed on a computer located in an Exchange organization’s perimeter network and is designed to minimize the attack surface of the organization. The Edge Transport server role handles all Internet-facing mail flow, which provides SMTP relay and smart host services for the on-premises Exchange organization. Use Edge Transport servers if you don’t want to expose internal Exchange 2016 Mailbox servers directly to the Internet.

If you already have an Edge Transport server deployed in your on-premises organization, you can skip this checklist step unless you’d like to install additional Edge Transport servers.

Step7: Configure Edge servers

After installing the Exchange 2016 Edge Transport server, or if you already have an Edge Transport server in your on-premises Exchange organization, you must configure the following services and parameters to enable the Edge Transport server to handle secure communications between the on-premises Exchange servers, clients, and Office 365. If you already have an Edge Transport Server, skip this step.

Follow additional guidelines to Edge Transport Server.

Further References on Edge Transport Server.

Step8: Configure DNS

Hybrid requirement DNS record Record type Value
Required for all hybrid deployments autodiscover.domain.com CNAME or A If using CNAME DNS:  mail.domain.com

If using Host A DNS:  External IP address of an Exchange 2016 Mailbox server or firewall

Recommended as a best practice for all hybrid deployments SPF TXT v=spf1 include:spf.protection.outlook.com ~all
ADFS Public record sts.domain.com A Public IP address of the AD FS web proxy server or firewall
Internal record by editing Hosts File located %SystemRoot%\system32\drivers\etc\HOSTS of WAP server sts.domain.com A Internal IP address of the AD FS Servers

Step9: Firewall Configuration

If your organization uses Office 365 and restricts computers on your network from connecting to the Internet, below you’ll find the endpoints (FQDNs, Ports, URLs, IPv4, and IPv6 address ranges) that you should include in your outbound allow lists to ensure your computers can successfully use Office 365.

Hybrid deployment configuration changes may require you to modify security settings for your on-premises network and protection solutions. Exchange 2016 Mailbox servers must be accessible on TCP port 443, and Edge Transport and Mailbox servers must be accessible on TCP port 25. Other Office 365 services, such as SharePoint Online and Lync Online, may require additional network security configuration changes. If you’re using Microsoft Threat Management Gateway (TMG) in your on-premises organization, additional configuration steps will also be needed to allow full Office 365 integration in the hybrid deployment.

Step10: Configure Exchange Web Services

The external fully qualified domain name (FQDN) of your Internet-facing Exchange 2016 Mailbox server needs to be configured on several virtual directories for a hybrid deployment. By completing this checklist step, the external URL on the Exchange Web Services (EWS), Outlook Address Book (OAB), Outlook Web App (OWA), Exchange Control Panel (ECP), and the Exchange ActiveSync (Microsoft-Server-ActiveSync) virtual directories will be reset to the external FQDN of your Internet-facing Exchange 2016 Mailbox server.

Follow additional guidelines to configure web services.

Further References on Web Services.

Step11: Configure MRS Proxy

The Exchange 2016 Mailbox servers are the internet-facing servers for the organization, with a load balancer distributing traffic across them. Since those servers will be internet-facing for the Hybrid configuration, they need to be MRS Proxy enabled. Currently they are not MRS Proxy enabled, as seen here in the output of Get-WebServicesVirtualDirectory.

GetWebServicesVirtualDirectory ADPropertiesOnly | Where {$_.MRSProxyEnabled ne $true} | SetWebServicesVirtualDirectory MRSProxyEnabled $true

Step12: Configure Exchange certificates

Digital certificates are an important requirement for secure communications between on-premises Exchange 2016 servers, clients, and Office 365. You need to obtain a certificate that will be installed on Mailbox and Edge Transport servers from a third-party trusted certificate authority (CA).

Before you can configure certificates on Exchange servers, you need to get a certificate from a trusted CA. Complete the following task on an Exchange 2016 Mailbox server if you need to generate a request for a new certificate for use with the hybrid deployment.

Follow additional guidelines to install certificates.

Further References on Exchange Certificates.

Step13: Run Hybrid Configuration wizard

The Hybrid Configuration wizard helps you establish your hybrid deployment by creating the HybridConfiguration object in your on-premises Active Directory and gathering existing Exchange and Active Directory topology configuration data. The Hybrid Configuration wizard also enables you to define and configure several organization parameters for your hybrid deployment, including secure mail transport options.

You can use the Hybrid Configuration wizard in the EAC on an Exchange 2016 server in your on-premises organization to create and configure the hybrid deployment.

  1. In the EAC on an Exchange 2016 server in your on-premises organization, navigate to the Hybrid, In the Hybrid node, click Configure to enter your Office 365 credentials.
    At the prompt to log in to Office 365, select sign in to Office 365 and enter the account credentials. The account you log into needs to be a Global Administrator in Office 365.
  2. Click Configure again to start the Hybrid Configuration wizard.
  3. On the Microsoft Office 365 Hybrid Configuration Wizard Download page, click Click here to download wizard. When you’re prompted, click Install on the Application Install, Click Next, and then, in the On-premises Exchange Server Organization section, select Detect a server running Exchange 2013 CAS or Exchange 2016. The wizard will attempt to detect an on-premises Exchange 2016 server. If the wizard doesn’t detect an Exchange 2016 server, or if you want to use a different server, select Specify a server running Exchange 2013 CAS or Exchange 2016 and then specify the internal FQDN of an Exchange 2016 Mailbox server.
  4. In the Office 365 Exchange Online section, select Microsoft Office 365 and then click Next.
  5. On the Credentials page, in the Enter your on-premises account credentials section,  specify a different set of credentials, specify the username and password an Active Directory account you want to use. Whichever selection you choose, the account used needs to be a member of the Enterprise Admins security group.
  6. In the Enter your Office 365 credentials section, specify the username and password of an Office 365 account that has Global Administrator permissions. Click Next.
  7. On the Validating Connections and Credentials page, the wizard will connect to both your on-premises organization and your Office 365 organization to validate credentials and examine the current configuration of both organizations. Click Next when it’s done.
  8. On the Hybrid Features page, select Full Hybrid Configuration and then click Next.
  9. On the Hybrid Domains, select the domain or multiple accepted domains you want to include in your hybrid deployment. In most deployments you can leave the Auto Discover column set to False for each domain. Only select True next to a domain if you need to force the wizard to use the Autodiscover information from a specific domain.
  10. Click Next.
  11. On the Federation Trust page, click Enable and click then Next.
  12. On the Domain Ownership page, click Click copy to clipboard to copy the domain proof token information for the domains you’ve selected to include in the hybrid deployment. Open a text editor such as Notepad and paste the token information for these domains. Before continuing in the Hybrid Configuration wizard, you must use this info to create a TXT record for each domain in your public DNS.
  13. Click Next after the TXT records have been created and the DNS records have replicated.
  14. On the Hybrid Configuration page, select the Configure my Edge Transport servers for secure mail transport option to configure your on-premises Edge Transport servers for secure mail transport with Office 365. Click Next.
  15. If you want Office 365 to send all outbound messages to external recipients to your on-premises transport servers, select the Enable centralized mail transport check box in the More options section.The on-premises transport servers will be responsible for delivering the messages to external recipients. This approach is helpful in compliance scenarios where all mail to and from the Internet must be processed by on-premises servers. If this check box is not selected, Office 365 will bypass the on-premises organization and deliver messages to external recipients directly using the recipient’s external DNS settings.You select this option if you want to use your own Spam Filter.
  16. On the Edge Transport Servers page, select the Edge Transport server you want to configure for secure mail transport. click Next. In this section, you have to provide the public IP addresses of edge servers or public FQDN of edge servers.
  17. On the Transport Certificate page, in the Select a reference server field, select Exchange 2016 Mailbox server that has the certificate you configured earlier in the checklist.
  18. In the Select a certificate field, select the certificate to use for secure mail transport. This list displays the digital certificates issued by a third-party certificate authority (CA) installed on the Mailbox server selected in the previous step. Click Next.
  19. On the Organization FQDN page, enter the externally accessible FQDN for your Internet-facing Exchange 2016 Mailbox server. Office 365 uses this FQDN to configure the service connectors for secure mail transport between your Exchange organizations. For example, enter “mail.domain.com”. Click Next.
  20. The hybrid deployment configuration selections have been updated, and you’re ready to start the Exchange services changes and the hybrid deployment configuration. Click Update to start the configuration process. While the hybrid configuration process is running, the wizard displays the feature and service areas that are being configured for the hybrid deployment as they are updated.
  21. When the wizard has completed all of the tasks it can perform automatically, it’ll list any tasks that you need to address manually before your hybrid deployment configuration is complete.
  22. The wizard displays a completion message and the Close button is displayed. Click Close to complete the hybrid deployment configuration process and to close the wizard.
  23. You’ll probably need to configure the Receive connector on your Edge Transport server by doing the following.
    Open the Exchange Management Shell on your Exchange 2016 Edge Transport server.
    Run the following command to list the Receive connectors on your Edge Transport server. Make note of the Receive connector that’s listening on TCP port 25.Get-ReceiveConnectorRun the following command to configure the Receive connector. Replace the name of the Receive connector in the following command with the name of the connector you identified in the previous step.Set-ReceiveConnector “Edge\Default internal receive connector Edge” -TlsDomainCapabilities mail.protection.outlook.com:AcceptOorgProtocol -Fqdn “mail.domain.com”24. Additional Steps for Centralised Mailflow or Route all inbound-outbound emails through on-premises servers. You need to enable remote mailbox using enable-remotemailbox and set target address using set-remotemailbox for this each mailbox as user1@domain.mail.onmicrosoft.com where domain is your domain name in Office 365. You must run full sync after this on the AAD Connect Server. You must run start-edgesynchronization –Server EXCH2016MailboxServer on the Edge Transport 2016 Server

Step14: Send Connector and Receive Connector Configuration on the on-premises server

Use the EAC to create an Internet Send connector

  1. In the EAC, navigate to Mail flow > Send connectors, and then click Add . This starts the New Send connector
  2. On the first page, enter the following information: Name: To Office 365 and Type: Internet When you are finished, click Next.
  3. On the next page, verify that MX record associated with recipient domain is selected. When you are finished, click Next.
  4. On the next page, In the Address space section, click Add . In the Add domain dialog box that appears, in Fully Qualified Domain Name (FQDN), enter an asterisk (*), and then click Save. This value indicates that the Send connector applies to messages addressed to all external domains. When you are finished, click Next.
  5. On the next page, in the Source server section, click Add . In the Select a Server dialog box that appears, select one or more Edge Transport Servers if you route email through Edge Server if not enter mailbox servers that you want to use to send mail to the Internet. If you have multiple Mailbox servers in your environment, select the ones that can route mail to the Internet. If you have only one Mailbox server, select that one. After you’ve selected at least one Mailbox server, click Add, click OK, and then click Finish.

Use the EAC to Create a Receive Connector to Receive Secure Messages from a Partner

  1. In the EAC, navigate to Mail flow > Receive connectors. Click Add to create a new Receive connector.
  2. On the New receive connector page, specify a name for the Receive connector and then select Frontend Transport for the Role. Since you are receiving mail from a partner in this case, we recommend that you initially route mail to your front end server to simplify and consolidate your mail flow.
  3. Choose Partner for the type. The Receive connector will receive mail from a trusted third party.
  4. For the Network adapter bindings, observe that All available IPV4 is listed in the IP addresses list and the Port is 25. (Simple Mail Transfer Protocol uses port 25.) This indicates that the connector listens for connections on all IP addresses assigned to network adapters on the local server. Click Next.
  5. If the Remote network settings page lists, which means that the Receive connector receives connections from all IP addresses, click Remove 0.0.0- to remove it. Click Add EOP IP Addresses, and Datacentre IP Addresses add the IP address for your partner’s server, and click Save.
  6. Click Finish to create the connector.
  7. Run the below Cmdlets in Mailbox Server

Get-ReceiveConnector “Inbound from Office 365“ | Add-ADPermission -User “NT AUTHORITY\ANONYMOUS LOGON” -ExtendedRights “ms-Exch-SMTP-Accept-Any-Recipient”

  1. Verify Receive Connector using below Cmdlets

Get-ADPermission -Identity “ Inbound from Office 365” -User “NT AUTHORITY\ ANONYMOUS LOGON” | where {($_.Deny -eq $false) -and ($_.IsInherited -eq $false)} | Format-Table User,ExtendedRights

  1. Add Datacentre IP Addresses using this Link
  2. Troubleshoot using this link

Step14: Create a test mailbox

You can use the Office 365 Mailbox wizard in the EAC on an Exchange server to create a test mailbox in Office 365. If you want to create more than one test mailbox, you’ll have to use this wizard for each test mailbox. You can’t use the wizard to create multiple test mailboxes.

  1. Log into the EAC on an on-premises Exchange 2016 server.
  2. In the EAC, navigate to Enterprise > Recipients > Mailboxes.
  3. Expand the menu at the Add  control and select Office 365 mailbox.
  4. On the New Office 365 mailbox page, specify the following settings:
    • First Name   Type the first name of the new user.
    • Initials   Type the initials of the new user.
    • Last Name   Type the last name of the new user.
    • User logon name   Type the user logon name of the new user and select the primary SMTP domain used for your other on-premises users. For example, @domain.com.
    • Mailbox type   Choose the type of mailbox to create. For example, User mailbox.
    • Password   Type the password.
    • Confirm password   Retype the password.
    • Make sure the Create an archive mailbox check box is not selected.
  5. Click Save to continue.
  1. Start-ADSyncSyncCycle -PolicyType Delta

Step15: Move or create mailboxes

You can use the remote move migration wizard in the Office 365 tab in the Exchange admin center (EAC) on an Exchange server to move existing user mailboxes in the on-premises organization to Office 365:

  1. Open the EAC and navigate to Office 365 > Recipients > migration.
  2. Click Add  and select Migrate to Exchange Online.
  3. On the Select a migration type page, select Remote move migration and then click Next.
  4. On the Select the users page, click Add , select the on-premises users to move to Office 365 and click Add, and then click OK. Click Next.
  5. On the Enter the Windows user account credential page, enter the on-premises administrator account name in the On-premises administrator name text field and enter the associated password for this account in the On-premises administrator password text field. For example, “Domain\administrator” and a password. Click Next.
  6. On the Confirm the migration endpoint page, verify that the FDQN of your on-premises Mailbox server is listed when the wizard confirms the migration endpoint. For example, “mail.domain.com”. Click Next.
  7. On the Move configuration page, enter a name for the migration batch in the New migration batch name text field. Use the down arrow  to select the target delivery domain for the mailboxes that are migrating to Office 365. In most hybrid deployments, this will be the primary SMTP domain used for both on-premises and Office 365 mailboxes. For example, user@domain.com. Verify that the Move primary mailbox along with archive mailbox option is selected, and then click Next.
  8. On the Start the batch page, select at least one recipient to receive the batch complete report. Verify that the Automatically start the batch and Automatically complete the migration batch options are selected. Click New.
  9. While the mailboxes are being moved, you will see a status of Synching in the migration status for each mailbox moved to Office 365. After the mailbox move request reaches a status of Completed, the mailbox migration process is complete.

Step16: Test hybrid deployment connectivity

Testing the external connectivity for critical Exchange 2016 and Office 365 features is an important step in ensuring that your hybrid deployment features are functioning correctly. The Microsoft Remote Connectivity Analyzer is a free online web service that you can use to analyze, and run tests for, several Exchange 2016 and Office 365 services, including Exchange Web Services, Outlook, Exchange ActiveSync, and Internet email connectivity.

Upgrading AD FS to Windows Server 2016 FBL

This article will describe how to install new ADFS 2016 farm or upgrade existing AD FS Windows Server 2012 R2 farm to AD FS in Windows Server 2016.


  • ADFS Role in Windows Server 2016
  • Administrative privilege in both ADFS 2012 R2 and ADFS 2016 Server
  • Local Admin rights in both ADFS 2012 R2 and ADFS 2016 Server
  • WAP role in Windows Server 2016
  • Generate new certificate and signed by public certificate authority for new installation
  •   To use existing certificate, export the certificate from ADFS 2012 R2 with private key and import into ADFS 2016 server.

Mixed Mode Farm: A Windows Server 2016 AD FS server can be added to a Windows Server 2012 R2 farm and it will operate at the same FBL as a Windows Server 2012 R2. When you have a Windows Server 2016 AD FS server operating in this fashion, your farm is said to be “mixed”. However, you will not be able to take advantage of the new Windows Server 2016 features until the FBL is raised to Windows Server 2016.

Installation of ADFS Role

  1. Open the Windows Server 2016, Add Roles and Features Wizard and add the Active Directory Federation Services server role
  2. Proceed through the wizard. Click Configure the federation service on this server.
  3. On the Welcome page in the Active Directory Federation Services Configuration Wizard, choose an option for a federation server, and then click Next
  4. Proceed through the wizard. To join to existing farm, specify the farm name and import the certificate or to create a new farm, click create new farm and provide the details. On the Specify Service Properties page, select your TLS/SSL certificate, enter a Federation Service Name, and then enter a Federation Service Display Name
  5. Proceed through and complete the Active Directory Federation Services Configuration Wizard. Close the Add Roles and Features Wizard
  6. If you have not created a host record in DNS for the federation server name you specified in Step 4 previously, do so now.

Upgrade ADFS 2016

To Upgrade to ADFS 2016, Once you have joined the new ADFS server to existing farm, on the Windows Server 2016 server, open PowerShell and run the following cmdlt:

Set-AdfsSyncProperties -Role PrimaryComputer

On the original AD FS Windows Server 2012 R2 server, open PowerShell and run the following cmdlt:

Set-AdfsSyncProperties -Role SecondaryComputer -PrimaryComputerName Server2012R2.domain.com

To use ADFS 2016 functionality, you have prepare AD with ADFS 2016 Schema. Mount Windows Server 2016 installation media on a domain controller, open a command prompt and navigate to support\adprep directory. Run the following:

adprep /forestprep


Now Raise farm behavior level to ADFS 2016, Invoke-AdfsFarmBehaviorLevelRaise  PowerShell Cmdlet on the ADFS 2016 primary server.

To test ADFS 2016 signin page, Enable IdP initiated Sign On and RP initiated Sign on using the following cmdlets to ADFS 2016 Server.

Set-ADFSProperties -EnableIdpInitiatedSignonPage $True

Set-ADFSProperties -RelaystateForIdpInitiatedSignonEnabled $True

Open a browser and type https://sts.domain.com/adfs/ls/idpinitiatedsignon

Removing Legacy ADFS and WAP

  • Remote into the servers and uninstall ADFS and Remote Access Role

Installing Federation Proxy

  • Install Windows Server 2016
  • Rename the server
  • Setup IPv4 on the WAP server
  • Install WAP Role using the below PowerShell Cmdlets.
  • Add a host a record of STS in the C:\Windows\systems32\drivers\etc\hosts file of WAP server

Install-WindowsFeature Web-Application-Proxy -IncludeManagementTools
Install-WebApplicationProxy –CertificateThumbprint ‘1a2b3c4d5e6f1a2b3c4d5e6f1a2b3c4d5e6f1a2b’ -FederationServiceName sts.domain.com

Firewall Rules for WAP Servers

Add firewall rules for WAP servers if WAP servers are placed behind firewall. You must allow inbound and outbound rules on port 443 from WAP servers to internet.

Firewall Rules for ADFS servers

ADFS servers are domain joined and placed in internal network but WAP servers are place in different VLANS or DMZ  to secure ADFS servers. You must allow port 443 between ADFS and WAP in both direction.

Firewall Rules for ADFS 2016 with MFA

If your ADFS 2016 servers are behind firewall specially going via Azure Express Route , add the below firewall rules in Azure Network Security Group (NSG) for ADFS 2016 MFA.

10.xx.0.0/24 HTTPS (TCP/443) Allow
10.xx.0.0/24 HTTPS (TCP/443) Allow
10.xx.0.0/24 HTTPS (TCP/443) Allow
10.xx.0.0/24 HTTPS (TCP/443) Allow
10.xx.0.0/24 Custom (TCP/Any) Allow
10.xx.0.0/24 Custom (TCP/Any) Allow
10.xx.0.0/24 Custom (TCP/Any) Allow
10.xx.0.0/24 Custom (TCP/Any) Allow
10.xx.0.0/24 Custom (TCP/Any) Allow
10.xx.0.0/24 Custom (TCP/Any) Allow
10.xx.0.0/24 Custom (TCP/Any) Allow
10.xx.0.0/24 Custom (TCP/Any) Allow