Creating an ADFS farm on Azure using Azure AD DS

Laura Millie
Published in Esker-Labs
Oct 15, 2018


ADFS (Active Directory Federation Services) is a Microsoft service that lets users single sign-on (SSO) to multiple applications. For example, a user who is already logged in with their corporate Windows account can access the company’s intranet without authenticating again. The service generally relies on the user list held in an Active Directory.

In Azure, Microsoft provides an alternative to building your own domain controller infrastructure: Azure Active Directory Domain Services (Azure AD DS), which makes the whole Active Directory infrastructure directly usable as a managed service.

While setting up a new production environment in Azure, we had to set up an ADFS farm that our customers could use to SSO into our application.
Microsoft does provide ways to install an ADFS linked to an AD DS on Azure, but they require your SSO users to be part of your Azure Active Directory, which is not what we needed. We therefore had to install our ADFS servers manually, without relying on what Microsoft offers on Azure.
During the ADFS installation, the setup wizard (or the PowerShell commands you run instead) must be given the credentials of a user with domain administrator rights.
In our case, since we needed to install our ADFS farm in Azure against an Active Directory provided by Azure AD DS, this was a problem: we had no access to such users (see: https://docs.microsoft.com/en-us/azure/active-directory-domain-services/active-directory-ds-admin-guide-administer-domain#administrative-privileges-you-do-not-have-on-a-managed-domain).

Based on https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/deployment/install-ad-fs-delegated-admin#using-a-gmsa-as-the-ad-fs-service-account, it seemed possible to build an ADFS server without a domain administrator user. But even following Microsoft’s procedure, we struggled to make it work.

Here is the full procedure we used:

1) Create user

First of all, we need to create a service user under which the ADFS service will run; let’s call it adfs_admin. You can do this through the Active Directory Users and Computers MMC or with PowerShell ( https://docs.microsoft.com/en-us/powershell/module/addsadministration/new-aduser?view=win10-ps ).

2) Prepare AD

The goal is to create a specific container in your AD (i.e. a dedicated Organizational Unit) to replace the default container used by ADFS, which is located at the root of the AD and cannot be accessed when using Azure AD DS.
To do that, we used the script provided by Microsoft at the link above.
In this script, you need to change the path to the location where you want your OU to be created:

Initial script:
$initialPath = "CN=Microsoft,CN=Program Data," + (Get-ADDomain).DistinguishedName
After modification:
$initialPath = "OU=YOUROU,DC=YOURAZUREDOMAIN,DC=onmicrosoft,DC=com"

Please note that the OU you select cannot be located under CN=Microsoft,CN=Program Data, since it is not possible to write to that location in Azure AD DS.

Then, you can run the script:
$adminConfig=(C:\scriptlocation\CreateNonDADkmContainer.ps1 "YOURAZUREDOMAIN\adfs_admin")

The result should look like:
OU Name 9530440c-a3f9-4fe6-bc84-8d60162a7bcf
Creating organizational unit with DN: CN=9530440c-a3f9-4fe6-bc84-8d60162a7bcf,CN=ADFS, CN=YOUROU,DC=YOURAZUREDOMAIN,DC=onmicrosoft,DC=com

3) Install ADFS certificates

To be done on all ADFS nodes: install the three certificates (service communications, token-signing and token-decrypting) and their private key in the personal store of the local machine.
Once the certificates are installed, you can retrieve their thumbprint with:
Get-ChildItem -path cert:\LocalMachine\My

4) Install ADFS

Log in on the first node as a local admin. Then, in a PowerShell prompt (adjust the container DN with the result of the command run in step 2, and quote the three thumbprints):
$adminConfig = @{"DKMContainerDn"="CN=9530440c-a3f9-4fe6-bc84-8d60162a7bcf,CN=ADFS, CN=YOUROU,DC=YOURAZUREDOMAIN,DC=onmicrosoft,DC=com"}
$svcCred = (Get-Credential)
$localAdminCred = (Get-Credential)
$SignCertThumbprint = "<your-signing-cert-thumbprint>"
$CryptCertThumbprint = "<your-decrypt-cert-thumbprint>"
$CommunicationCertThumbprint = "<your-communication-cert-thumbprint>"

Here $svcCred holds the credentials of the service user you created earlier, and $localAdminCred those of the admin account you are logged in with.

Then:
Install-AdfsFarm -CertificateThumbprint $CommunicationCertThumbprint -FederationServiceName "FSName.domain.com" -ServiceAccountCredential $svcCred -Credential $localAdminCred -OverwriteConfiguration -AdminConfiguration $adminConfig `
    -Verbose -SigningCertificateThumbprint $SignCertThumbprint -DecryptionCertificateThumbprint $CryptCertThumbprint


Your ADFS should then be up and running, and it can be configured like any other ADFS server through the ADFS MMC (certificate changes, claims, ...).

5) Create ADFS farm

To add another server to the farm, run the following from that server:
$svcCred = (Get-Credential)
$CommunicationCertThumbprint = "<your-communication-cert-thumbprint>"
Add-AdfsFarmNode -ServiceAccountCredential $svcCred -PrimaryComputerName ADFS01 -CertificateThumbprint $CommunicationCertThumbprint -OverwriteConfiguration -Verbose


Your ADFS farm is now ready to be used on Azure!
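As an added example (not code from the original post, nor Microsoft’s CreateNonDADkmContainer.ps1), here is the whole procedure above folded into one script, with the checks worth running before touching a production farm: that the service account really received an Allow ACE on the custom DKM container (step 2), that each of the three certificates has its private key and is within its validity period (step 3), and that the farm parameters pass the ADFS module’s dry-run cmdlets (Test-AdfsFarmInstallation, Test-AdfsFarmJoin) before Install-AdfsFarm or Add-AdfsFarmNode is called. Assumptions: the RSAT Active Directory PowerShell module is present on the node (it provides the AD: drive used for the ACL check); the federation service name, service account, certificate subject patterns and $DkmContainerDn are placeholders, and the last one must be replaced with the exact DN printed by the Microsoft script in step 2.

```powershell
<#
  Added example, not from the original post. Runs the five steps above with
  pre-flight checks. Use -Role Primary on the first node, -Role Node on the
  others. All names below are placeholders; replace them with your own.
#>
param(
    [ValidateSet('Primary', 'Node')][string]$Role = 'Primary',
    [string]$PrimaryComputerName   = 'ADFS01',                                 # first farm node (step 5)
    [string]$FederationServiceName = 'fs.YOURAZUREDOMAIN.onmicrosoft.com',     # placeholder
    [string]$ServiceAccount        = 'YOURAZUREDOMAIN\adfs_admin',             # service user from step 1
    # Placeholder: paste the exact DN printed by CreateNonDADkmContainer.ps1 in step 2.
    [string]$DkmContainerDn = 'CN=<guid-from-step-2>,CN=ADFS,OU=YOUROU,DC=YOURAZUREDOMAIN,DC=onmicrosoft,DC=com'
)

Set-StrictMode -Version Latest
$ErrorActionPreference = 'Stop'

# Step 2 check: Microsoft's script grants the service account rights on the DKM
# container. If that silently failed, Install-AdfsFarm only fails much later,
# so look for an explicit Allow ACE for the account first.
function Test-DkmContainerAccess {
    param([string]$ContainerDn, [string]$Account)
    Import-Module ActiveDirectory                      # assumption: RSAT module installed; provides AD:
    $acl   = Get-Acl -Path "AD:\$ContainerDn"
    $allow = @($acl.Access | Where-Object {
        $_.IdentityReference.Value -eq $Account -and $_.AccessControlType -eq 'Allow'
    })
    if ($allow.Count -eq 0) {
        throw "No Allow ACE for $Account on $ContainerDn; re-run CreateNonDADkmContainer.ps1"
    }
    $allow | Select-Object IdentityReference, ActiveDirectoryRights, InheritanceType
}

# Step 3 check: select each thumbprint by subject instead of pasting it by hand,
# and refuse a certificate that has no private key or is outside its validity
# period; ADFS cannot sign or decrypt tokens with such a certificate.
function Get-AdfsCertThumbprint {
    param([string]$SubjectPattern)
    $now  = Get-Date
    $cert = Get-ChildItem -Path Cert:\LocalMachine\My |
        Where-Object {
            $_.Subject -like $SubjectPattern -and $_.HasPrivateKey -and
            $_.NotBefore -le $now -and $_.NotAfter -gt $now
        } |
        Sort-Object NotAfter -Descending | Select-Object -First 1
    if (-not $cert) {
        throw "No valid certificate with a private key matches '$SubjectPattern' in Cert:\LocalMachine\My"
    }
    $cert.Thumbprint
}

# Subject patterns are assumptions; match them to the certificates installed in step 3.
$commThumb = Get-AdfsCertThumbprint "CN=$FederationServiceName*"
$svcCred   = Get-Credential -UserName $ServiceAccount -Message 'Password of the ADFS service account'

if ($Role -eq 'Primary') {
    $signThumb  = Get-AdfsCertThumbprint 'CN=ADFS Signing*'
    $cryptThumb = Get-AdfsCertThumbprint 'CN=ADFS Encryption*'
    $localAdmin = Get-Credential -Message 'Local administrator on this node'

    Test-DkmContainerAccess -ContainerDn $DkmContainerDn -Account $ServiceAccount | Format-Table

    # Same parameters as step 4, splatted so the dry run and the real install cannot drift apart.
    $farm = @{
        CertificateThumbprint           = $commThumb
        FederationServiceName           = $FederationServiceName
        ServiceAccountCredential        = $svcCred
        Credential                      = $localAdmin
        SigningCertificateThumbprint    = $signThumb
        DecryptionCertificateThumbprint = $cryptThumb
    }
    Test-AdfsFarmInstallation @farm                    # dry run: validates inputs, changes nothing
    Install-AdfsFarm @farm -OverwriteConfiguration -Verbose `
        -AdminConfiguration @{ DKMContainerDn = $DkmContainerDn }
}
else {
    # Step 5 on an additional node: same dry-run-then-join pattern.
    $join = @{
        PrimaryComputerName      = $PrimaryComputerName
        CertificateThumbprint    = $commThumb
        ServiceAccountCredential = $svcCred
    }
    Test-AdfsFarmJoin @join
    Add-AdfsFarmNode @join -OverwriteConfiguration -Verbose
}

# Post-install check on either role: the service is running and reports the expected identity and certificates.
Get-Service -Name adfssrv | Select-Object Name, Status
Get-AdfsProperties | Select-Object HostName, Identifier
Get-AdfsCertificate | Select-Object CertificateType, Thumbprint, IsPrimary
```

The ACL check is the one that matters most on Azure AD DS: because you cannot use the default CN=Microsoft,CN=Program Data container, every ADFS node depends on the service account’s rights on the OU you created, and an ACE that was never written is far easier to spot here than in a failed Install-AdfsFarm run.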
