I had someone ask me about this topic a couple times in the last few weeks so I decided it was time to spin up another blog post. The question is about how you can connect your on premises SharePoint farm to Azure Active Directory (AAD) using ADFS. Now I had blogged about how to do this with ACS some time ago (https://samlman.wordpress.com/2015/03/02/integrating-sharepoint-2013-with-azure-active-directory-part-1-configuration/). However, as most folks know ACS is coming off the Christmas card list as it starts a slow spiral downwards to deprecation and irrelevance. Thus the questions about using ADFS instead. Fortunately this is all quite possible, but there are quite a few steps, so it just takes some patience. I’ll supply the steps, you supply the patience. And with that, here we go.
STEP 1: Set up DirSync between Your On Premises Active Directory and Azure AD
I’m not really going to cover this in any detail here because a) I think there are lots of places out there where you can find this info and b) it would really bloat this post and it’s going to be a little long as is.
STEP 2: Add ADFS as an Application in Azure AD
In this step you’re going to add your on premises ADFS server as an application in your Azure AD directory.
- Go to the Azure Management portal
- Click on Active Directory in the left navigation
- Click on the name of your Active Directory tenant in the main pane.
- Click on Applications in the top navigation.
- Click the ADD button to create a new application.
- Click on Add an application my organization is developing
- Type a name for the application and define it as a web application.
- Type the following values on the next page of the wizard to add an application:
- SIGN-ON URL: Use https://[Your ADFS Farm Name]/adfs/ls, where “[Your ADFS Farm Name]” is the DNS name of the ADFS farm to which users should be redirected. For example, if your ADFS farm name is “adfs.contoso.com”, then you would enter https://adfs.contoso.com/adfs/ls for this value.
- APP ID URI: Use http://[Your ADFS Farm Name]/adfs/services/trust, where “[Your ADFS Farm Name]” is the DNS name of the ADFS farm to which users should be redirected. For example, if your ADFS farm name is “adfs.contoso.com”, then you would enter http://adfs.contoso.com/adfs/services/trust for this value. IMPORTANT: Make sure you use “http” and NOT “https” when entering this value! The App ID URI has to match the Federation Service identifier of your ADFS farm exactly, and by default ADFS uses the http form of that URI as its identifier even though the endpoints themselves are only served over https. If the two values differ, Azure AD will reject the sign-in request from ADFS.
You’re done with this step now; your Azure AD application is configured.
STEP 3: Add Azure AD as an Identity Provider in ADFS
In this step we’re going to add Azure AD as an identity provider in ADFS.
- Open the AD FS Management tool.
- Expand the AD FS…Trust Relationships…Claims Provider Trusts node.
- Click on Add Claims Provider Trust.
- Click the Start button to start the wizard.
- Use the first option to import data about the claims provider. For the Url use https://accounts.accesscontrol.windows.net/[YourTenantName]/FederationMetadata/2007-06/FederationMetadata.xml, where [YourTenantName] is something like contoso.com. Click the Next button.
- Type a display name for the claims provider, then click the Next button.
- Click the Next button.
- The option to open the Edit Claim Rules dialog should be checked by default; click the Close button to close the wizard and open the Edit Claim Rules dialog.
- Click on Add Rule.
- Select Transform an Incoming Claim in the Claim rule template drop down and click the Next button.
- Configure the rule as follows:
- Claim Name – I called mine “Transform Name to Email”, but you can call it whatever you want.
- Incoming Claim Type – select Name
- Outgoing Claim Type – select E-Mail Address
- Click the Finish button to save your rule. You can ignore the warning dialog that appears when you click the Finish button by clicking Yes.
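The same claims provider trust and transform rule can be created from the AD FS PowerShell cmdlets, which is handy if you have more than one ADFS server to configure or want the rule text under source control. This is an added example, not something from the original post; it assumes a tenant name of contoso.com, a display name of “Azure Active Directory”, and an elevated PowerShell session on an ADFS server running Windows Server 2012 R2 or later (on ADFS 2.0 load the Microsoft.Adfs.PowerShell snap-in instead of the module).

```powershell
# Added example (not from the original post): Step 3 done with the AD FS cmdlets.
# Assumptions: tenant "contoso.com", display name "Azure Active Directory".
Import-Module ADFS   # ADFS 2.0: Add-PSSnapin Microsoft.Adfs.PowerShell

$tenant      = "contoso.com"
$displayName = "Azure Active Directory"
$metadataUrl = "https://accounts.accesscontrol.windows.net/$tenant/FederationMetadata/2007-06/FederationMetadata.xml"

# Claim rule language equivalent of the "Transform an Incoming Claim" template
# with Name as the incoming type and E-Mail Address as the outgoing type.
# Issuer and OriginalIssuer are carried over, so later rules (and logs) can still
# tell that this e-mail claim originated from Azure AD and not from local AD.
$acceptanceRules = @'
@RuleName = "Transform Name to Email"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",
          Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer,
          Value = c.Value, ValueType = c.ValueType);
'@

# Importing from the metadata URL pulls the Azure AD token-signing certificate
# and the passive endpoint, the same as the wizard's first option.
Add-AdfsClaimsProviderTrust -Name $displayName `
    -MetadataUrl $metadataUrl `
    -AcceptanceTransformRules $acceptanceRules

# Verify what was imported before trusting it: the identifier, that the trust is
# enabled, which signing certificate it will accept tokens from, and the rule set.
$cpt = Get-AdfsClaimsProviderTrust -Name $displayName
$cpt | Select-Object Name, Identifier, Enabled, MetadataUrl
$cpt.TokenSigningCertificates | Select-Object Subject, NotAfter, Thumbprint
$cpt.AcceptanceTransformRules
```

The verification lines at the end are worth keeping around: if the signing certificate list is empty, or NotAfter is in the past, tokens from Azure AD will fail signature validation at ADFS and the failure will only show up as a generic error in the browser.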
You’re now done configuring the Azure AD part of this. One thing to keep in mind about the rule you just created: the value Azure AD puts in the Name claim is what ends up in the E-Mail Address claim, and that is the value SharePoint will treat as the user’s identity. So it needs to be the same address you will later add to SharePoint groups. The next thing you need to do is create a relying party for SharePoint and add a rule to it to pass through the email claim.
STEP 4: Create Relying Party in SharePoint and Add Pass Thru Rule
Okay, now I’m not going to go through the detailed process of creating a relying party for SharePoint in ADFS…for the same reason I didn’t include detailed steps for setting up DirSync. If you have questions about how to do that then you can refer to my earlier post on this topic: https://samlman.wordpress.com/2015/02/28/configuring-sharepoint-2010-and-adfs-v2-end-to-end/. Instead, we’ll assume your relying party is created and we’re going to create the pass through claim rule. Here’s how to do that.
- In the AD FS Management tool, click on the SharePoint relying party to select it, then click on the Edit Claim Rules link.
- Click on the Add Rule… button.
- Select Pass Through or Filter an Incoming Claim in the Claim rule template drop down and click the Next button.
- Configure the rule as follows:
- Claim Name – name it “Pass Through Email Claim” (or whatever you want).
- Incoming claim type – select E-Mail Address.
- Click the Finish button to save the rule.
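Here is the same pass through rule applied to the SharePoint relying party with PowerShell, together with a filtered variant that only forwards e-mail claims from your own domain. This is an added example and not part of the original post; it assumes the relying party was created with the display name “SharePoint” and that contoso.com is the domain you want to allow. The filtered rule is what the template’s “Pass through only claim values that end with a specific value” option gives you, written as an anchored regular expression instead of a plain suffix match.

```powershell
# Added example (not from the original post): Step 4 with the AD FS cmdlets.
# Assumptions: relying party display name "SharePoint", allowed domain contoso.com.
Import-Module ADFS

$rpName = "SharePoint"

# Exactly what the "Pass Through or Filter an Incoming Claim" template emits when
# E-Mail Address is selected and no filter is applied.
$passThrough = @'
@RuleTemplate = "PassThroughClaims"
@RuleName = "Pass Through Email Claim"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"]
 => issue(claim = c);
'@

# Filtered variant (the domain is an assumption): only forward addresses in a
# domain you own. (?i) makes the match case-insensitive; the ^ and $ anchors stop
# something like user@contoso.com.evil.example from passing a plain suffix check.
$passThroughFiltered = @'
@RuleTemplate = "PassThroughClaims"
@RuleName = "Pass Through Email Claim (contoso.com only)"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",
   Value =~ "^(?i)[^@]+@contoso\.com$"]
 => issue(claim = c);
'@

# Set-AdfsRelyingPartyTrust REPLACES the whole issuance rule set, so append the
# new rule to whatever is already there rather than overwriting it.
$rp = Get-AdfsRelyingPartyTrust -Name $rpName
$newRules = $rp.IssuanceTransformRules + "`r`n" + $passThroughFiltered
Set-AdfsRelyingPartyTrust -TargetName $rpName -IssuanceTransformRules $newRules

# Check both rule sets: with no issuance authorization rule at all, ADFS will
# refuse to issue a token to SharePoint for anyone, regardless of the claims.
$rp = Get-AdfsRelyingPartyTrust -Name $rpName
$rp.IssuanceTransformRules
$rp.IssuanceAuthorizationRules
```

If you want the unfiltered behaviour the post describes, use $passThrough in place of $passThroughFiltered; the append and verification steps are the same either way.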
STEP 5: Create Your SPTrustedIdentityTokenIssuer in SharePoint and Configure
Again, I’m not going to go through every detailed step for this because you can get that from my other post: https://samlman.wordpress.com/2015/02/28/configuring-sharepoint-2010-and-adfs-v2-end-to-end/. The only key takeaway here is that I have only one claim in my claim mappings collection, and that is email address, which is also the identifier claim. After you configure the SPTrustedIdentityTokenIssuer, create and configure a web app to use it, and then create a site collection, just add the email address of an AD user (one that has been synced to Azure AD in Step 1) to a SharePoint group for the site and try logging in. If everything is configured correctly you should get right in. Here’s what the login process looked like for me:
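For completeness, here is the SharePoint side of Step 5 in the SharePoint Management Shell: trusting the ADFS token signing certificate, creating the SPTrustedIdentityTokenIssuer with email as the one and only claim mapping, and granting a synced user access by e-mail. This is an added example rather than code from the original post, and the names in it are assumptions: an ADFS farm at adfs.contoso.com, the token signing certificate exported (public key only) to C:\certs\adfs-signing.cer, a realm of urn:sharepoint:intranet that matches the relying party identifier you configured in ADFS, a web application at https://intranet.contoso.com, a site group called Intranet Members, and a test user user@contoso.com.

```powershell
# Added example (not from the original post): Step 5 in the SharePoint Management Shell.
# Every path, URL and name below is an assumption for illustration.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$emailType  = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
$certPath   = "C:\certs\adfs-signing.cer"      # ADFS token-signing cert, public key only
$realm      = "urn:sharepoint:intranet"         # must equal the relying party identifier in ADFS
$signInUrl  = "https://adfs.contoso.com/adfs/ls"
$issuerName = "Azure AD via ADFS"
$webUrl     = "https://intranet.contoso.com"

# SharePoint only accepts tokens signed by a certificate it explicitly trusts.
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($certPath)
New-SPTrustedRootAuthority -Name "ADFS Token Signing" -Certificate $cert | Out-Null

# A single mapping: e-mail is the only claim accepted AND the identity claim, so
# whatever ADFS puts in that claim is the user's identity as far as SharePoint is concerned.
$emailMap = New-SPClaimTypeMapping -IncomingClaimType $emailType `
    -IncomingClaimTypeDisplayName "EmailAddress" -SameAsIncoming

$issuer = New-SPTrustedIdentityTokenIssuer -Name $issuerName `
    -Description "ADFS with Azure AD as a claims provider" `
    -Realm $realm -ImportTrustCertificate $cert `
    -ClaimsMappings $emailMap -SignInUrl $signInUrl `
    -IdentifierClaim $emailMap.InputClaimType

# Sanity checks before you go near a browser: exactly one mapping, flagged as the identity claim.
$issuer | Select-Object Name, ProviderUri, IdentityClaimTypeInformation
$issuer.ClaimTypeInformation | Select-Object InputClaimType, MappedClaimType, IsIdentityClaim

# Grant access for one synced user by e-mail. New-SPClaimsPrincipal only builds the
# encoded string (i:0e.t|<issuer>|user@contoso.com); nothing checks that the user
# exists, so a typo here grants nothing and fails silently at login time.
$principal = New-SPClaimsPrincipal -Identity "user@contoso.com" -TrustedIdentityTokenIssuer $issuer
$web    = Get-SPWeb $webUrl
$spUser = New-SPUser -UserAlias $principal.ToEncodedString() -Web $web
Set-SPUser -Identity $spUser -Web $web -Group "Intranet Members"
$web.Dispose()
```

After this, the web application still has to be configured to use the new trusted provider in Central Administration (or with Set-SPWebApplication), which is covered in the earlier post linked above.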
1. On the ADFS page I selected the Azure Active Directory provider I created as described above:
2. Log into Azure Active Directory:
3. Kaboom – I’m in my SharePoint site!! 🙂