Enable ADFS Authentication on Exchange 2016

Is it possible to use ADFS Authentication with a Microsoft Exchange 2016 Server? Sure!

A customer asked me that question a few days ago; they have mailboxes on premises and on Exchange Online. ADFS could provide a great way to bring the same login experience to both.

Here are the two GIST files that configured everything for them 😉 The first one runs on the ADFS server and creates the two relying party trusts:

# Execute this on or against your Exchange Server:
# (Get-OwaVirtualDirectory).ExternalUrl.AbsoluteUri
[string]$ExchangeOWAURL = 'FILL_IN_THE_INFO'

# Execute this on or against your Exchange Server:
# (Get-EcpVirtualDirectory).ExternalUrl.AbsoluteUri
[string]$ExchangeECPURL = 'FILL_IN_THE_INFO'

<#
   Disclaimer:
   They use the same URL for internal and external access.
#>

# Authorization rule: permit every authenticated user
[string]$IssuanceAuthorizationRules = '@RuleTemplate = "AllowAllAuthzRule"
    => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");'

# Transform rules: look up the user''s SID and UPN in Active Directory and issue them as claims
[string]$IssuanceTransformRules = '@RuleName = "ActiveDirectoryUserSID"
    c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
    => issue(store = "Active Directory", types = ("http://schemas.microsoft.com/ws/2008/06/identity/claims/primarysid"), query = ";objectSID;{0}", param = c.Value);

    @RuleName = "ActiveDirectoryUPN"
    c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
    => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"), query = ";userPrincipalName;{0}", param = c.Value);'

# Apply the new Rules
Add-ADFSRelyingPartyTrust -Name 'Outlook Web App' -Enabled $true -Notes ('This is a trust for {0}' -f $ExchangeOWAURL) -WSFedEndpoint $ExchangeOWAURL -Identifier $ExchangeOWAURL -IssuanceTransformRules $IssuanceTransformRules -IssuanceAuthorizationRules $IssuanceAuthorizationRules

Add-ADFSRelyingPartyTrust -Name 'Exchange Admin Center (EAC)' -Enabled $true -Notes ('This is a trust for {0}' -f $ExchangeECPURL) -WSFedEndpoint $ExchangeECPURL -Identifier $ExchangeECPURL -IssuanceTransformRules $IssuanceTransformRules -IssuanceAuthorizationRules $IssuanceAuthorizationRules

The second GIST file runs on or against the Exchange Server and points the organisation and the OWA/ECP virtual directories at ADFS:

# Execute this on or against your Exchange Server:
# (Get-OwaVirtualDirectory).ExternalUrl.AbsoluteUri
[string]$ExchangeOWAURL = 'FILL_IN_THE_INFO'

# Execute this on or against your Exchange Server:
# (Get-EcpVirtualDirectory).ExternalUrl.AbsoluteUri
[string]$ExchangeECPURL = 'FILL_IN_THE_INFO'

# Get the URL Info...
# Execute the following on your main ADFS Server:
# Get-ADFSProperties | Select-Object HostName, FederationPassiveAddress
[string]$ADFSURL = 'https://FILL_IN_THE_INFO'

# Get the Token-Signing certificate Thumbprint
# Execute the following on your main ADFS Server:
# dir Cert:\LocalMachine\My
# Get-AdfsCertificate -Thumbprint THUMBFROMABOVE
# (or directly: Get-AdfsCertificate -CertificateType Token-Signing)
[string]$AdfsSignCertThumbprint = 'FILL_IN_THE_INFO'

# Define a new Array with both audience URIs
$uris = @($ExchangeOWAURL, $ExchangeECPURL)

# Apply the new Exchange Organisation settings
Set-OrganizationConfig -AdfsIssuer $ADFSURL -AdfsAudienceUris $uris -AdfsSignCertificateThumbprint $AdfsSignCertThumbprint

# Enable AD FS and switch every other authentication method off on the ECP and OWA virtual directories
Get-EcpVirtualDirectory | Set-EcpVirtualDirectory -AdfsAuthentication $true -BasicAuthentication $false -DigestAuthentication $false -FormsAuthentication $false -WindowsAuthentication $false

Get-OwaVirtualDirectory | Set-OwaVirtualDirectory -AdfsAuthentication $true -BasicAuthentication $false -DigestAuthentication $false -FormsAuthentication $false -WindowsAuthentication $false -OAuthAuthentication $false

# To revert to the default authentication methods, run these instead:
#Get-OwaVirtualDirectory | Set-OwaVirtualDirectory -AdfsAuthentication $false -BasicAuthentication $true -DigestAuthentication $true -FormsAuthentication $true -WindowsAuthentication $true -OAuthAuthentication $false

#Get-EcpVirtualDirectory | Set-EcpVirtualDirectory -AdfsAuthentication $false -BasicAuthentication $true -DigestAuthentication $true -FormsAuthentication $true -WindowsAuthentication $true

The files above are part of my configuration script; the only part missing is all the central connection stuff. I use one script that connects to all involved systems via Remote PowerShell and executes everything as one big script.
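Two things the gists leave to the reader are the remote sessions just mentioned and a check that both sides actually agree once the values have been filled in. The script below is an added example of my own, not one of the author's GIST files: it opens a remote Exchange Management Shell session and an ADFS session from an admin workstation, reads what the two gists configured, and reports any mismatch that would break the federated login. $ExchangeServer and $AdfsServer are placeholders; it assumes WinRM with Kerberos works to both hosts and that the account is a member of Exchange Organization Management and a local administrator on the ADFS server.

```powershell
# Added example: post-configuration consistency check for the two gists above.
# Not one of the author's GIST files. Assumptions: $ExchangeServer and $AdfsServer
# are placeholders for your own hosts, WinRM/Kerberos works from this workstation
# to both, and the account is in 'Organization Management' and a local admin on ADFS.
[string]$ExchangeServer = 'FILL_IN_THE_INFO'   # Exchange 2016 server FQDN (placeholder)
[string]$AdfsServer     = 'FILL_IN_THE_INFO'   # primary ADFS server FQDN (placeholder)

# --- Exchange side: remote Exchange Management Shell session ---
$exSession = New-PSSession -ConfigurationName Microsoft.Exchange `
    -ConnectionUri ('http://{0}/PowerShell/' -f $ExchangeServer) -Authentication Kerberos
Import-PSSession -Session $exSession -DisableNameChecking -AllowClobber | Out-Null

$org   = Get-OrganizationConfig
$vdirs = @(Get-OwaVirtualDirectory) + @(Get-EcpVirtualDirectory)

# --- ADFS side: issuer URL, primary token-signing cert and the two relying party trusts ---
$adfs = Invoke-Command -ComputerName $AdfsServer -ScriptBlock {
    $props = Get-AdfsProperties
    [pscustomobject]@{
        Issuer      = 'https://{0}{1}' -f $props.HostName, $props.FederationPassiveAddress
        SigningCert = (Get-AdfsCertificate -CertificateType Token-Signing |
                       Where-Object { $_.IsPrimary }).Thumbprint
        Trusts      = @(Get-AdfsRelyingPartyTrust |
                       Where-Object { $_.Name -in @('Outlook Web App', 'Exchange Admin Center (EAC)') } |
                       Select-Object Name, Enabled, Identifier, WSFedEndpoint)
    }
}

$problems = New-Object System.Collections.Generic.List[string]

# 1. Issuer: Exchange validates the token issuer against AdfsIssuer. A trailing-slash
#    difference is enough to reject every token, so compare normalised strings.
if ("$($org.AdfsIssuer)".TrimEnd('/') -ne "$($adfs.Issuer)".TrimEnd('/')) {
    $problems.Add(('AdfsIssuer {0} does not match ADFS issuer {1}' -f $org.AdfsIssuer, $adfs.Issuer))
}

# 2. Signing certificate: Exchange only trusts tokens signed by this thumbprint. After a
#    token-signing rollover on ADFS the stored thumbprint goes stale and logins fail.
if ($org.AdfsSignCertificateThumbprint -ne $adfs.SigningCert) {
    $problems.Add(('AdfsSignCertificateThumbprint {0} is not the ADFS primary token-signing cert {1}' -f
        $org.AdfsSignCertificateThumbprint, $adfs.SigningCert))
}

# 3. Audience: each relying party identifier must appear in AdfsAudienceUris and the trust
#    must be enabled, otherwise ADFS issues tokens Exchange rejects (or issues none at all).
$audiences = @($org.AdfsAudienceUris | ForEach-Object { "$_".TrimEnd('/') })
foreach ($name in 'Outlook Web App', 'Exchange Admin Center (EAC)') {
    $trust = $adfs.Trusts | Where-Object { $_.Name -eq $name }
    if (-not $trust) { $problems.Add("Relying party trust '$name' is missing on ADFS"); continue }
    if (-not $trust.Enabled) { $problems.Add("Relying party trust '$name' is disabled") }
    $ids = @($trust.Identifier | ForEach-Object { "$_".TrimEnd('/') })
    if (-not ($ids | Where-Object { $audiences -contains $_ })) {
        $problems.Add("No identifier of '$name' ($($ids -join ', ')) is listed in AdfsAudienceUris")
    }
}

# 4. Virtual directories: ADFS on, every fallback method off. A leftover Basic or Forms
#    endpoint lets clients skip the federated login and whatever policy ADFS enforces.
foreach ($v in $vdirs) {
    if (-not $v.AdfsAuthentication) { $problems.Add("$($v.Identity): AdfsAuthentication is off") }
    foreach ($m in 'BasicAuthentication', 'DigestAuthentication', 'FormsAuthentication', 'WindowsAuthentication') {
        if ($v.$m) { $problems.Add("$($v.Identity): $m is still enabled") }
    }
}

Remove-PSSession -Session $exSession

if ($problems.Count -eq 0) { 'ADFS/Exchange configuration is consistent.' }
else { $problems | ForEach-Object { "PROBLEM: $_" } }
```

Run it once right after the two gists and again after any ADFS token-signing certificate rollover; check 2 is the one that silently breaks months later, because Exchange keeps the old thumbprint until you update Set-OrganizationConfig -AdfsSignCertificateThumbprint yourself.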

Update: I published a troubleshooting article!