Is it possible to use ADFS Authentication with a Microsoft Exchange 2016 Server? Sure!
A customer asked me that question a few days ago; they have mailboxes on premises and on Exchange Online. ADFS cloud to provide a great way to bring the same login experience to both.

Here are two GIST Files that configured everything for them 😉

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
# Execute this on or against your Exchange Server:
# (Get-OwaVirtualDirectory).ExternalUrl.AbsoluteUri
[string]$ExchangeOWAURL = 'FILL_IN_THE_INFO'

# Execute this on or against your Exchange Server:
# (Get-EcpVirtualDirectory).ExternalUrl.AbsoluteUri
[string]$ExchangeECPURL = 'FILL_IN_THE_INFO'

<#
	Disclaimer:
	They use the same URL for internal and external access.
#>

# Create the new Rule
[string]$IssuanceAuthorizationRules = '@RuleTemplate = "AllowAllAuthzRule"

	=> issue(Type = "http://schemas.microsoft.com/authorization/claims/permit",
Value = "true");'

# Create the new Rule
[string]$IssuanceTransformRules = '@RuleName = "ActiveDirectoryUserSID"
	c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]

	=> issue(store = "Active Directory", types = ("http://schemas.microsoft.com/ws/2008/06/identity/claims/primarysid"), query = ";objectSID;{0}", param = c.Value); 

	@RuleName = "ActiveDirectoryUPN"
	c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"] 

=> issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"), query = ";userPrincipalName;{0}", param = c.Value);'

# Apply the new Rules
Add-ADFSRelyingPartyTrust -Name 'Outlook Web App' -Enabled $true -Notes ('This is a trust for {0}' -f $ExchangeOWAURL) -WSFedEndpoint $ExchangeOWAURL -Identifier $ExchangeOWAURL -IssuanceTransformRules $IssuanceTransformRules -IssuanceAuthorizationRules $IssuanceAuthorizationRules
Add-ADFSRelyingPartyTrust -Name 'Exchange Admin Center (EAC)' -Enabled $true -Notes ('This is a trust for {0}' -f $ExchangeECPURL) -WSFedEndpoint $ExchangeECPURL -Identifier $ExchangeECPURL -IssuanceTransformRules $IssuanceTransformRules -IssuanceAuthorizationRules $IssuanceAuthorizationRules

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
# Execute this on or against your Exchange Server:
# (Get-OwaVirtualDirectory).ExternalUrl.AbsoluteUri
[string]$ExchangeOWAURL = 'FILL_IN_THE_INFO'

# Execute this on or against your Exchange Server:
# (Get-EcpVirtualDirectory).ExternalUrl.AbsoluteUri
[string]$ExchangeECPURL = 'FILL_IN_THE_INFO'

# Get the URL Info...
# Execute the following on your main ADFS Server:
# Get-ADFSProperties | Select-Object HostName, FederationPassiveAddress
[string]$ADFSURL = 'https://FILL_IN_THE_INFO'

# Get the Signing certificate Thunbprint
# Execute the following on your main ADFS Server:
# dir Cert:\LocalMachine\My
# Get-AdfsCertificate -Thumbprint THUMBFROMABOVE
[string]$AdfsSignCertThumbprint = 'FILL_IN_THE_INFO'

# Define a new Arry
$uris = @($ExchangeOWAURL, $ExchangeECPURL)

# Apply the new Exchange Organisation settings
Set-OrganizationConfig -AdfsIssuer $ADFSURL -AdfsAudienceUris $uris -AdfsSignCertificateThumbprint $AdfsSignCertThumbprint

# Enable AD FS only
Get-EcpVirtualDirectory | Set-EcpVirtualDirectory -AdfsAuthentication $true -BasicAuthentication $false -DigestAuthentication $false -FormsAuthentication $false -WindowsAuthentication $false
Get-OwaVirtualDirectory | Set-OwaVirtualDirectory -AdfsAuthentication $true -BasicAuthentication $false -DigestAuthentication $false -FormsAuthentication $false -WindowsAuthentication $false -OAuthAuthentication $false

# If you want to revert that
#Get-OwaVirtualDirectory | Set-OwaVirtualDirectory -AdfsAuthentication $false -BasicAuthentication $true -DigestAuthentication $true -FormsAuthentication $true -WindowsAuthentication $true -OAuthAuthentication $false
#Get-EcpVirtualDirectory | Set-EcpVirtualDirectory -AdfsAuthentication $false -BasicAuthentication $true -DigestAuthentication $true -FormsAuthentication $true -WindowsAuthentication $true

The files above are part of my configuration script, but the only part missing is all the central connection stuff. I used one script that connects to all envolved systems via Remote PowerShell and excecute everything a one big script.

Update:
I published an troubleshooting article!