Powershell To Install ADFS for D365 FFO On Prem
Setting up ADFS for D365 On Prem? Easy!
Setting up ADFS for D365 On Prem is now a little easier (hopefully). Below is a script that can be used to configure ADFS for D365. It is assumed that this is run on the ADFS server, from inside the InfrastructureScript folder, as a domain administrator in an elevated PowerShell session.
Step 1
Simply run this as is.
# Run the following PowerShell script on the machine where AD FS will be deployed, run as domain administrator in an elevated administrator console
Add-Type -AssemblyName System.Net
$fqdn = ([System.Net.Dns]::GetHostEntry('localhost').HostName).ToLower()
$domainName = $fqdn.Substring($fqdn.IndexOf('.')+1)
$null = Add-WindowsFeature RSAT-AD-PowerShell
# If a KDS root key hasn't been set up in AD DS, run this. Backdating EffectiveTime by 10 hours makes the key usable immediately instead of waiting for AD replication; that is fine for a single-DC lab, but in a multi-DC domain use the default and wait the 10 hours.
Add-KdsRootKey -EffectiveTime (Get-Date).AddHours(-10)
# Create a managed service account for AD FS:
New-ADServiceAccount ADFS -DNSHostName $fqdn -AccountExpirationDate $null -ServicePrincipalNames "http/$fqdn"
# Create SSL certificate for AD FS
$adfsCert = New-SelfSignedCertificate -CertStoreLocation 'cert:\LocalMachine\My' -DnsName $fqdn, "enterpriseregistration.$domainName", "certauth.$fqdn" -Provider 'Microsoft Enhanced RSA and AES Cryptographic Provider' -Type SSLServerAuthentication
$adfsSslPfxFilePath = Join-Path -Path ([Environment]::GetFolderPath('Desktop')) -ChildPath "$($adfsCert.Thumbprint).pfx"
$sslCertPassword = Read-Host -Prompt 'Enter AD FS SSL PFX Password' -AsSecureString
Enter a password and keep it somewhere safe for later use. It protects the exported PFX file of the certificate.
Step 2
Execute the following in the same PowerShell instance, since the variables from Step 1 are reused.
# Import this certificate into trusted root certification authorities on client machines using GPO, certificate services, or any method you choose
Export-PfxCertificate -Cert "Cert:\LocalMachine\My\$($adfsCert.Thumbprint)" -FilePath $adfsSslPfxFilePath -Password $sslCertPassword
Import-PfxCertificate -FilePath $adfsSslPfxFilePath -Password $sslCertPassword -CertStoreLocation 'cert:\LocalMachine\Root'
# Install AD FS feature
$null = Install-WindowsFeature -Name 'Windows-Internal-Database'
$null = Install-WindowsFeature -IncludeManagementTools -Name 'ADFS-Federation'
Import-Module ADFS -ErrorAction Stop
$subDomain = $domainName.Substring(0, $domainName.IndexOf('.'))
$gmsaAccount = "$subDomain\ADFS" + '$'
# Deploy AD FS using the group managed service account created in Step 1
Install-AdfsFarm -CertificateThumbprint $adfsCert.Thumbprint -FederationServiceName $fqdn -FederationServiceDisplayName $domainName -GroupServiceAccountIdentifier $gmsaAccount
# Allow e-mail as authentication input
Set-AdfsClaimsProviderTrust -TargetIdentifier 'AD AUTHORITY' -AlternateLoginID mail -LookupForests $domainName
# Enable user Import
$adfsProperties = Get-AdfsProperties
Set-AdfsProperties -Identifier $adfsProperties.IdTokenIssuer
# Disable Windows Integrated Authentication
Set-AdfsGlobalAuthenticationPolicy -PrimaryIntranetAuthenticationProvider FormsAuthentication, MicrosoftPassportAuthentication
# Restart computer to take effect
Restart-Computer
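After the reboot it is worth confirming that the farm ended up in the state the two steps intended. The following post-install check is an added example, not part of the original post or of Microsoft's script; it assumes the script's conventions (federation service name equal to this host's FQDN, a gMSA named ADFS, and a service certificate with SANs for the FQDN, enterpriseregistration.<domain> and certauth.<fqdn>) and is run in an elevated PowerShell on the ADFS server.

```powershell
# Added example: verify the AD FS farm built by the script above. Assumes its naming
# conventions (federation service name = this host's FQDN, gMSA "ADFS", SANs for the FQDN,
# enterpriseregistration.<domain> and certauth.<fqdn>). Run elevated on the AD FS server.
Import-Module ADFS -ErrorAction Stop
Import-Module ActiveDirectory -ErrorAction Stop

$fqdn         = ([System.Net.Dns]::GetHostEntry('localhost').HostName).ToLower()
$domainName   = $fqdn.Substring($fqdn.IndexOf('.') + 1)
$expectedSans = @($fqdn, "enterpriseregistration.$domainName", "certauth.$fqdn")
$findings     = New-Object System.Collections.Generic.List[string]

# 1. The gMSA exists and this host can retrieve its password (otherwise the service cannot start)
if (-not (Get-ADServiceAccount -Filter "Name -eq 'ADFS'")) {
    $findings.Add('gMSA "ADFS" not found in AD DS')
} elseif (-not (Test-ADServiceAccount -Identity 'ADFS')) {
    $findings.Add('Test-ADServiceAccount failed: this host cannot retrieve the gMSA password')
}

# 2. The service-communications certificate carries every SAN the script requested
$svcCert = Get-AdfsCertificate -CertificateType 'Service-Communications' | Select-Object -First 1
$x509    = Get-Item "Cert:\LocalMachine\My\$($svcCert.Thumbprint)"
$sans    = @($x509.DnsNameList | ForEach-Object { $_.Unicode.ToLower() })
foreach ($san in $expectedSans) {
    if ($sans -notcontains $san) { $findings.Add("Service certificate is missing SAN '$san'") }
}
if ($x509.Subject -eq $x509.Issuer) {
    $findings.Add('Service certificate is self-signed; fine for a lab, use a CA-issued certificate in production')
}

# 3. Farm properties match what Step 2 configured
$props = Get-AdfsProperties
if ($props.HostName -ne $fqdn) { $findings.Add("Federation service name is '$($props.HostName)', expected '$fqdn'") }
if ("$($props.Identifier)" -ne "$($props.IdTokenIssuer)") { $findings.Add('Identifier does not match IdTokenIssuer') }
$cpt = Get-AdfsClaimsProviderTrust -Identifier 'AD AUTHORITY'
if ($cpt.AlternateLoginID -ne 'mail') { $findings.Add('AlternateLoginID is not "mail"; e-mail sign-in will not work') }

# 4. Windows Integrated Authentication really is off for intranet users
$policy = Get-AdfsGlobalAuthenticationPolicy
if ($policy.PrimaryIntranetAuthenticationProvider -contains 'WindowsAuthentication') {
    $findings.Add('WindowsAuthentication is still a primary intranet provider')
}

# 5. The federation metadata endpoint answers over TLS with a chain this host trusts
$metadataUrl = "https://$fqdn/FederationMetadata/2007-06/FederationMetadata.xml"
try   { $null = Invoke-WebRequest -Uri $metadataUrl -UseBasicParsing -ErrorAction Stop }
catch { $findings.Add("Metadata endpoint $metadataUrl not reachable: $($_.Exception.Message)") }

if ($findings.Count -eq 0) { 'All AD FS checks passed.' } else { $findings | ForEach-Object { "FAIL: $_" } }
```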