
Enable ADFS Authentication on Exchange 2016

Is it possible to use ADFS Authentication with a Microsoft Exchange 2016 Server? Sure!
A customer asked me that question a few days ago; they have mailboxes on premises and on Exchange Online. ADFS could provide a great way to bring the same login experience to both.

Here are two GIST files that configured everything for them 😉

The first one runs on (or against) the AD FS server and creates the relying party trusts for OWA and ECP:

```powershell
# Execute this on or against your Exchange Server:
# (Get-OwaVirtualDirectory).ExternalUrl.AbsoluteUri
[string]$ExchangeOWAURL = 'FILL_IN_THE_INFO'

# Execute this on or against your Exchange Server:
# (Get-EcpVirtualDirectory).ExternalUrl.AbsoluteUri
[string]$ExchangeECPURL = 'FILL_IN_THE_INFO'

<#
	Disclaimer:
	They use the same URL for internal and external access.
#>

# Create the new Rule (issuance authorization: permit every authenticated user)
[string]$IssuanceAuthorizationRules = '@RuleTemplate = "AllowAllAuthzRule"
	=> issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");'

# Create the new Rules (issuance transform: Exchange expects the primary SID and the UPN claim)
[string]$IssuanceTransformRules = '@RuleName = "ActiveDirectoryUserSID"
	c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
	=> issue(store = "Active Directory", types = ("http://schemas.microsoft.com/ws/2008/06/identity/claims/primarysid"), query = ";objectSID;{0}", param = c.Value);

	@RuleName = "ActiveDirectoryUPN"
	c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
	=> issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"), query = ";userPrincipalName;{0}", param = c.Value);'

# Apply the new Rules
# -Identifier and -WSFedEndpoint are the same URL here. The identifier is what Exchange
# later lists in -AdfsAudienceUris, so both must match exactly (including a trailing slash).
Add-ADFSRelyingPartyTrust -Name 'Outlook Web App' -Enabled $true -Notes ('This is a trust for {0}' -f $ExchangeOWAURL) -WSFedEndpoint $ExchangeOWAURL -Identifier $ExchangeOWAURL -IssuanceTransformRules $IssuanceTransformRules -IssuanceAuthorizationRules $IssuanceAuthorizationRules

Add-ADFSRelyingPartyTrust -Name 'Exchange Admin Center (EAC)' -Enabled $true -Notes ('This is a trust for {0}' -f $ExchangeECPURL) -WSFedEndpoint $ExchangeECPURL -Identifier $ExchangeECPURL -IssuanceTransformRules $IssuanceTransformRules -IssuanceAuthorizationRules $IssuanceAuthorizationRules
```

The second one runs on (or against) the Exchange server and switches OWA and ECP to AD FS authentication:

```powershell
# Execute this on or against your Exchange Server:
# (Get-OwaVirtualDirectory).ExternalUrl.AbsoluteUri
[string]$ExchangeOWAURL = 'FILL_IN_THE_INFO'

# Execute this on or against your Exchange Server:
# (Get-EcpVirtualDirectory).ExternalUrl.AbsoluteUri
[string]$ExchangeECPURL = 'FILL_IN_THE_INFO'

# Get the URL Info...
# Execute the following on your main ADFS Server:
# Get-ADFSProperties | Select-Object HostName, FederationPassiveAddress
# Combine both values, e.g. https://<HostName>/adfs/ls/
[string]$ADFSURL = 'https://FILL_IN_THE_INFO'

# Get the Signing certificate Thumbprint
# Execute the following on your main ADFS Server:
# dir Cert:\LocalMachine\My
# Get-AdfsCertificate -Thumbprint THUMBFROMABOVE
# It has to be the Token-Signing certificate; this lists it directly:
# Get-AdfsCertificate -CertificateType Token-Signing
[string]$AdfsSignCertThumbprint = 'FILL_IN_THE_INFO'

# Define a new Array (the audience URIs must match the relying party trust identifiers)
$uris = @($ExchangeOWAURL, $ExchangeECPURL)

# Apply the new Exchange Organisation settings
Set-OrganizationConfig -AdfsIssuer $ADFSURL -AdfsAudienceUris $uris -AdfsSignCertificateThumbprint $AdfsSignCertThumbprint

# Enable AD FS only
# AdfsAuthentication requires all other authentication methods on the virtual directory to be $false
Get-EcpVirtualDirectory | Set-EcpVirtualDirectory -AdfsAuthentication $true -BasicAuthentication $false -DigestAuthentication $false -FormsAuthentication $false -WindowsAuthentication $false

Get-OwaVirtualDirectory | Set-OwaVirtualDirectory -AdfsAuthentication $true -BasicAuthentication $false -DigestAuthentication $false -FormsAuthentication $false -WindowsAuthentication $false -OAuthAuthentication $false

# Restart IIS afterwards so the new authentication settings take effect:
# iisreset /noforce

# If you want to revert that
#Get-OwaVirtualDirectory | Set-OwaVirtualDirectory -AdfsAuthentication $false -BasicAuthentication $true -DigestAuthentication $true -FormsAuthentication $true -WindowsAuthentication $true -OAuthAuthentication $false

#Get-EcpVirtualDirectory | Set-EcpVirtualDirectory -AdfsAuthentication $false -BasicAuthentication $true -DigestAuthentication $true -FormsAuthentication $true -WindowsAuthentication $true
```

The files above are part of my configuration script; the only part missing is the central connection handling. I use one script that connects to all involved systems via Remote PowerShell and executes everything as one big script.
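Once both GIST files have run, the two sides have to agree with each other: the audience URIs on Exchange must equal the relying party identifiers on AD FS, the virtual directories must be AD FS only, and the thumbprint Exchange trusts must be the token-signing certificate AD FS is currently using (certificate auto-rollover replaces that certificate and silently breaks the login). The following check script is an added example, not one of the original GIST files; it assumes the same kind of session as the "big script" above, i.e. the Exchange cmdlets and the ADFS module are both reachable, and it introduces no variables from the GISTs.

```powershell
# Added verification example (not part of the original GIST files).
# Assumes the Exchange cmdlets and the ADFS module (Get-AdfsCertificate,
# Get-AdfsRelyingPartyTrust) are both available, e.g. via Remote PowerShell.
$problems = [System.Collections.Generic.List[string]]::new()

# 1) Organisation-level settings written by Set-OrganizationConfig
$org = Get-OrganizationConfig
if (-not $org.AdfsIssuer) { $problems.Add('AdfsIssuer is not set on the organization config') }
if (-not $org.AdfsSignCertificateThumbprint) { $problems.Add('AdfsSignCertificateThumbprint is not set') }
# Compare URLs without a trailing slash so ".../owa" and ".../owa/" are treated alike
$audience = @($org.AdfsAudienceUris | ForEach-Object { "$_".TrimEnd('/') })

# 2) Every OWA/ECP virtual directory: AD FS on, all other methods off, URL known to AD FS
$vdirs = @(Get-OwaVirtualDirectory) + @(Get-EcpVirtualDirectory)
foreach ($v in $vdirs) {
    $id = $v.Identity.ToString()
    if (-not $v.AdfsAuthentication) { $problems.Add("${id}: AdfsAuthentication is off") }
    foreach ($p in 'BasicAuthentication', 'DigestAuthentication', 'FormsAuthentication', 'WindowsAuthentication') {
        if ($v.$p) { $problems.Add("${id}: $p is still enabled alongside AD FS") }
    }
    $ext = if ($v.ExternalUrl) { "$($v.ExternalUrl)".TrimEnd('/') } else { '' }
    if (-not $ext) { $problems.Add("${id}: ExternalUrl is empty") }
    elseif ($audience -notcontains $ext) { $problems.Add("${id}: $ext is not in AdfsAudienceUris") }
}

# 3) Exchange must trust the *primary* token-signing certificate AD FS uses right now.
#    AutoCertificateRollover swaps this certificate, so this check is worth scheduling.
$signing = Get-AdfsCertificate -CertificateType Token-Signing | Where-Object { $_.IsPrimary }
if ($signing.Thumbprint -ne $org.AdfsSignCertificateThumbprint) {
    $problems.Add("Exchange trusts $($org.AdfsSignCertificateThumbprint) but the AD FS primary token-signing thumbprint is $($signing.Thumbprint)")
}

# 4) One enabled relying party trust per audience URI (the GISTs use the URL as identifier)
$trusts = @(Get-AdfsRelyingPartyTrust)
foreach ($uri in $audience) {
    $trust = $trusts | Where-Object { @($_.Identifier | ForEach-Object { $_.TrimEnd('/') }) -contains $uri }
    if (-not $trust) { $problems.Add("no AD FS relying party trust has the identifier $uri") }
    elseif (-not $trust.Enabled) { $problems.Add("the relying party trust for $uri is disabled") }
}

if ($problems.Count -eq 0) { 'AD FS / Exchange configuration is consistent' }
else { $problems | ForEach-Object { "PROBLEM: $_" } }
```

Check 3 is the one that matters after go-live: when AD FS rolls its token-signing certificate, Exchange keeps the old thumbprint in `AdfsSignCertificateThumbprint` and every OWA/ECP login fails with a token validation error until `Set-OrganizationConfig` is run again with the new value.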

Update:
I published a troubleshooting article!

Published in PowerShell

8 Comments

  1. Sorry, I forgot to mention:
    This will work with Exchange 2013 (Min SP1, or newer) as well. Nevertheless, the customer updated to 2016 a while ago, so I developed it with Exchange 2016 in mind.

    However, I did some tests with Exchange 2013 with CU14.

  2. AL

    What about ActiveSync/Outlook/EWS using ADFS with Exchange 2016?

    • Al,
      the Stuff above works with OWA and ECP.
      Honestly, never tried it with EAS (Active Sync) or Outlook (MAPI).
      You have to check the corresponding VirtualDirectory command; if they support “AdfsAuthentication”, you might give it a try. And I think it should work 🙂

      Honestly, I never tried it. The command above was my idea for a hybrid environment. So the OWA and especially the ECP stuff work with the same login. If not, I have to login separately for on premises and Office 365.

      Let me know if it works for you.
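The check suggested in the reply above, as an added example that is not part of the original post or thread: list which Exchange Set-*VirtualDirectory cmdlets expose an -AdfsAuthentication parameter at all. It assumes an Exchange Management Shell (or a remote session that imported the Exchange cmdlets).

```powershell
# Added example, not from the original thread.
# Runs in an Exchange Management Shell or an implicit-remoting session with the
# Exchange cmdlets imported. Shows, per virtual directory type, whether the
# Set-* cmdlet has an -AdfsAuthentication parameter; only those can be switched
# to AD FS the way the OWA/ECP GISTs do it.
Get-Command -Verb Set -Noun '*VirtualDirectory' |
    ForEach-Object {
        [pscustomobject]@{
            Cmdlet             = $_.Name
            AdfsAuthentication = $_.Parameters.ContainsKey('AdfsAuthentication')
        }
    } |
    Sort-Object Cmdlet |
    Format-Table -AutoSize
```

Cmdlets that show `False` here (for example the EWS, ActiveSync or MAPI virtual directories, if they do on your version) have no AD FS switch, so the GIST approach does not apply to those protocols regardless of what AD FS is configured to issue.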

  3. AL

    Thanks! I will have to test it out. Most likely it will be some form of pass through authentication or requirement to use modern authentication, but that won’t be available until Exchange 2019.

  4. AuzOZ

    How to set up the WAP servers for ADFS OWA? Thank you.

    • The WAP role is just a Reverse Proxy that doesn’t need any configuration to do this.
      The only reason to use the WAP role instead of an Apache/NGINX or load balancer: tell the ADFS Service that the traffic is external.

      In plain English: Nothing, it will just work if your WAP is working properly.

Copyright © 2018 by Joerg Hochwald. All rights reserved.