Troubleshooting: Federation for Windows Intune


During a Windows Intune proof of concept (PoC) I ran into some issues configuring federation in order to enable Single Sign-On (SSO).

Proxy Authentication

When configuring federation we couldn't convert the default domain to a federated domain type. Running the Convert-MsolDomainToFederated cmdlet with the -Verbose and -Debug parameters made the root cause clear: proxy authentication was required, so the conversion could not reach the service and the domain couldn't be converted. One down, two to go!


Convert-MsolDomainToFederated -DomainName mydomain.com -Verbose -Debug


Whitelist URLs

After granting the system internet access through the proxy, we validated our internet connectivity, which was working fine. However, we ran into another issue: the relying party trust could not be configured as part of the domain conversion. Checking the proxy log files showed that some URLs were being blocked. Based on this, two URLs must be whitelisted in order to configure federation properly:

  • *.microsoftonline.com
  • nexus.microsoftonline-p.com

So two down one to go…

Use different namespace identity

Two things to keep in mind when converting a domain. First, the user must be a member of the Windows Intune Global Administrator role in order to convert a Windows Intune domain (namespace) for federation. Second, you can't be logged in with a user account from the same domain you want to convert. We used the initial global administrator user, which is not a member of the inovativ-cloud.nl namespace, to convert the inovativ-cloud.nl domain to a federated domain.


Set up Federation between AD FS and Microsoft Azure Active Directory/Office365/Windows Intune

1.  Import the MSOnline PowerShell module: Import-Module MSOnline
2.  Connect to Windows Azure AD: Connect-MsolService -Credential $cred
3.  Get the domain: Get-MsolFederationProperty -DomainName mydomain.com
4.  Add the domain: New-MsolFederatedDomain -DomainName mydomain.com
5.  Convert the domain: Convert-MsolDomainToFederated -DomainName mydomain.com

Use Get-MsolFederationProperty -DomainName yourdomain.com to validate that your domain was successfully converted and is known to Azure Active Directory as a federated domain.
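As an added example (not the post's own script), here are the steps above combined into one PowerShell script that also carries the three checks from this post: credentials for an authenticating proxy, an administrator account outside the domain being converted, and validation afterwards. It assumes it runs on the AD FS server, that mydomain.com is a placeholder for the domain to convert, and that a domain missing from the tenant is added with New-MsolFederatedDomain instead of converted.

```powershell
# Added example, not from the original post. Run on the AD FS server.
# "mydomain.com" is a placeholder for the domain to federate.
param(
    [string]$DomainName = "mydomain.com"
)

Import-Module MSOnline

# Proxy Authentication: have outbound calls present the logged-on user's
# credentials to an authenticating proxy (the first issue in the post).
[System.Net.WebRequest]::DefaultWebProxy.Credentials =
    [System.Net.CredentialCache]::DefaultCredentials

# The admin must hold the Global Administrator role and must NOT belong to
# the domain being converted (e.g. use the initial tenant administrator).
$cred = Get-Credential -Message "Global Administrator outside $DomainName"
$adminDomain = ($cred.UserName -split '@')[-1]
if ($adminDomain -ieq $DomainName) {
    throw "Sign in with an administrator that is not part of $DomainName."
}

Connect-MsolService -Credential $cred

# Inspect the current state before changing anything.
$domain = Get-MsolDomain -DomainName $DomainName -ErrorAction SilentlyContinue

if (-not $domain) {
    # Domain not yet in the tenant: add it directly as a federated domain.
    New-MsolFederatedDomain -DomainName $DomainName -Verbose -Debug
}
elseif ($domain.Authentication -eq 'Federated') {
    Write-Host "$DomainName is already federated; nothing to convert."
}
else {
    # -Verbose -Debug surfaces proxy errors and blocked URLs
    # (*.microsoftonline.com, nexus.microsoftonline-p.com) instead of a
    # generic failure.
    Convert-MsolDomainToFederated -DomainName $DomainName -Verbose -Debug
}

# Validate: Azure AD must now report the domain as Federated, and the
# federation properties should match what AD FS serves.
$domain = Get-MsolDomain -DomainName $DomainName
if ($domain.Authentication -ne 'Federated') {
    throw "$DomainName is still '$($domain.Authentication)'; conversion failed."
}
Get-MsolFederationProperty -DomainName $DomainName
```

If the final check throws, look in the proxy logs for the two URLs listed above before retrying the conversion.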


If you open the Active Directory Federation Services console, under Relying Party Trusts the Microsoft Office 365 Identity Platform trust has been added as part of the domain conversion to a federated domain.
