Sunday, July 8, 2012

How to federate existing Office365 users

The most common scenario for federating users who are already using Office 365 is where they have transitioned from BPOS to Office 365. The customer had been waiting to use this excellent Office 365 feature and wanted to implement it once the move from BPOS to Office 365 was complete.

In this scenario I will describe how it could be done for 200 users, but the same steps apply for any number of users.

The first thing to do is add a new UPN suffix for the users. If the customer has an internal domain of contoso.local, we need to add a new UPN suffix of contoso.com. To add it, open Active Directory Domains and Trusts, right-click the Active Directory Domains and Trusts node, select Properties and add the new UPN suffix as per the image below.

In this particular scenario there was no on-premises Exchange, so no email address fields were populated. We therefore need to modify every user's UPN and add their email addresses before we implement Directory Sync, because DirSync matches the on-premises AD users with the existing Office 365 users by their primary SMTP address. This is described in Microsoft KB 2641663.

So we use ADModify from CodePlex. You can download it HERE.
Download ADModify, extract the package, launch ADModify, connect to AD and select a domain controller.

First we select all the users we need to modify, then click Add To List and Select All, and we can now modify all the users at once.

First we modify all users' UPNs. All existing users in Office 365 have an email address policy of firstname.lastname, so in the UPN field on the Legacy Account tab I enter the variable string %'givenname'%.%'sn'% as per the image below.

After hitting Apply on the UPN change, we need to select all the users again, go to the E-mail Address tab and enter this string in the Add SMTP Address field, as per the image below: %'givenname'%.%'sn'%@contoso.com


By adding this address, ADModify has placed the primary email address on the General tab and updated the required Active Directory proxyAddresses attribute, as per Microsoft KB 2641663 mentioned earlier.
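For anyone who would rather script the two ADModify steps above than click through the GUI, here is an added example (my own, not part of the original post or of the ADModify tool) that does the same job with the ActiveDirectory module: it builds firstname.lastname from givenName and sn, sets the UPN, the mail attribute and an upper-case SMTP: primary entry in proxyAddresses, and warns on the two things that break the DirSync match described above, namely empty name attributes and duplicate addresses. The OU path and the contoso.com suffix are assumptions; the -WhatIf on Set-ADUser makes it a dry run until you remove it.

```powershell
# Added example, not from the original post: bulk-set UPN and primary SMTP address
# for the users that ADModify would otherwise be pointed at.
Import-Module ActiveDirectory

$SearchBase = 'OU=Users,DC=contoso,DC=local'   # assumption: OU holding the 200 users
$MailDomain = 'contoso.com'                    # new UPN suffix and SMTP domain

$users = Get-ADUser -SearchBase $SearchBase -Filter 'Enabled -eq $true' `
                    -Properties givenName, sn, userPrincipalName, proxyAddresses

$seen = @{}   # primary SMTP -> sAMAccountName, to catch duplicates before DirSync does
foreach ($u in $users) {
    if (-not $u.givenName -or -not $u.sn) {
        Write-Warning "Skipping $($u.SamAccountName): givenName or sn is empty"
        continue
    }

    # Same pattern as ADModify's %'givenname'%.%'sn'%, lower-cased for consistency
    $alias = ('{0}.{1}' -f $u.givenName, $u.sn).ToLower()
    $upn   = "$alias@$MailDomain"

    # Office 365 matches on the primary SMTP address, so it must be unique on-premises too
    if ($seen.ContainsKey($upn)) {
        Write-Warning "Duplicate address $upn for $($u.SamAccountName) and $($seen[$upn]); fix by hand"
        continue
    }
    $seen[$upn] = $u.SamAccountName

    # The primary SMTP address is the proxyAddresses entry with an upper-case 'SMTP:' prefix.
    # Demote any existing primary to a secondary alias, drop a duplicate of the new one, then add it.
    $proxies = @($u.proxyAddresses | ForEach-Object {
        if ($_ -clike 'SMTP:*') { 'smtp:' + $_.Substring(5) } else { $_ }
    }) | Where-Object { $_ -ne "smtp:$upn" }
    $proxies += "SMTP:$upn"

    # -EmailAddress writes the 'mail' attribute shown on the General tab; remove -WhatIf to apply
    Set-ADUser -Identity $u -UserPrincipalName $upn -EmailAddress $upn `
               -Replace @{ proxyAddresses = [string[]]$proxies } -WhatIf
}
```

Run it once with -WhatIf, read the warnings, fix the duplicates and empty names, then run it for real. Doing this before DirSync is much cheaper than untangling a mismatched or duplicated object in the cloud afterwards.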

Now we are ready for DirSync. When DirSync runs it will match the Active Directory user objects with the existing Office 365 user accounts, and both the Office 365 and Active Directory users will have the same immutable IDs. To verify the Office 365 users' immutable IDs you can run the following command in the Microsoft Online Services PowerShell module and output the query to a text file.

Get-MsolUser -All | Where-Object {$_.IsLicensed -eq $true} | Select-Object UserPrincipalName, ImmutableId | Out-File C:\users.txt
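Listing the immutable IDs only tells you that they exist. The check I actually want is that each one is the value DirSync should have written, which is the Base64 encoding of the on-premises account's objectGUID. Here is an added example (mine, not from the original post) that builds that expected value for every AD user, joins to the licensed Office 365 users on UPN, and reports OK, not yet synced, no AD match, or mismatch. The report path is an assumption.

```powershell
# Added example, not from the original post: verify that each licensed Office 365 user's
# ImmutableId equals Base64(objectGUID) of the on-premises account with the same UPN.
Import-Module ActiveDirectory
Import-Module MSOnline

Connect-MsolService -Credential (Get-Credential)

# Index AD users by lower-cased UPN once, rather than building an LDAP filter per cloud user
$adByUpn = @{}
Get-ADUser -Filter * -Properties objectGUID, userPrincipalName |
    Where-Object { $_.UserPrincipalName } |
    ForEach-Object { $adByUpn[$_.UserPrincipalName.ToLower()] = $_ }

$report = foreach ($c in (Get-MsolUser -All | Where-Object { $_.IsLicensed })) {
    $ad       = $adByUpn[$c.UserPrincipalName.ToLower()]
    $expected = if ($ad) { [Convert]::ToBase64String($ad.ObjectGUID.ToByteArray()) } else { $null }

    $status = if (-not $ad)                          { 'NoAdMatch' }     # nothing on-prem with this UPN
              elseif (-not $c.ImmutableId)           { 'NotYetSynced' }  # cloud-only object so far
              elseif ($c.ImmutableId -ceq $expected) { 'OK' }
              else                                   { 'MISMATCH' }      # soft-matched to a different object

    [pscustomobject]@{
        UserPrincipalName = $c.UserPrincipalName
        CloudImmutableId  = $c.ImmutableId
        ExpectedFromAd    = $expected
        Status            = $status
    }
}

$report | Sort-Object Status, UserPrincipalName | Format-Table -AutoSize
$report | Where-Object { $_.Status -ne 'OK' } |
    Export-Csv 'C:\immutableid-report.csv' -NoTypeInformation   # assumption: report location
```

Anything reported as MISMATCH means the cloud account was matched to a different on-premises object than the one you expect, usually because two users ended up with the same primary SMTP address; sort that out before you convert the domain to federated, since after that the immutable ID is what ADFS tokens are matched against.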

The next step is to federate the contoso.com domain. This can be done using the Microsoft Online Services PowerShell module on the primary ADFS server:

winrm quickconfig
$cred = Get-Credential
Connect-MsolService -Credential $cred
Set-MsolADFSContext -Computer adfsprimary.contoso.local
Convert-MsolDomainToFederated -DomainName contoso.com

So what effect does this have on users?

All users' domain logins remain the same, because when we modified the UPNs we didn't alter the pre-Windows 2000 logon name.


Outlook will prompt for a user name and password; the user enters sean.ofarrell@contoso.com and their AD password, and ticks Remember my credentials.

Smartphone user names will be the user's primary email address, with the user's Active Directory password.

Within the domain, group policy publishes the service name of the ADFS farm to each user's Internet Explorer Local intranet zone, which allows single sign-on to the Office 365 portal and SharePoint.

Lync will sign in automatically provided the Sign-in Assistant is installed.

One last thing: don't forget to apply Update Rollup 2 for ADFS 2.0.

The Exchange Remote Connectivity Analyzer can also troubleshoot single sign-on, as well as ActiveSync and Autodiscover.