Category | Microsoft Docs article | Related commit history on GitHub | Change details |
---|---|---|---|
enterprise | Delete A Geo Location | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/delete-a-geo-location.md | To delete a _Satellite Geography_ location 1. Open the SharePoint admin center, and go to the <a href="https://go.microsoft.com/fwlink/?linkid=2185076" target="_blank">**Geo locations** tab</a>. -1. On the map, select the _Satellite Geography_ location that you want to delete. +2. On the map, select the _Satellite Geography_ location that you want to delete. -1. Select **Delete location**. +3. Select **Delete location**. -1. Confirm the deletion by selecting the confirmation check boxes. +4. Confirm the deletion by selecting the confirmation check boxes. -1. Select **Delete**. +5. Select **Delete**. ++The deletion will take at least 7 days to complete. |
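
Review bot: the renumbering of the steps from the repeated "1." form to explicit "2." through "5." is unnecessary for rendering, since Markdown numbers an ordered list from its first item regardless of the literals on later items, and it means every future insertion has to renumber the rest of the list; keeping the "1." convention and only appending the new line would be the smaller change. The added sentence "The deletion will take at least 7 days to complete." would be more useful to an admin if it also said how the location appears in the Geo locations tab during that window, so nobody repeats the deletion or treats the data as already gone.
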
enterprise | Deploy High Availability Federated Authentication For Microsoft 365 In Azure | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/deploy-high-availability-federated-authentication-for-microsoft-365-in-azure.md | - Title: "Deploy high availability federated authentication for Microsoft 365 in Azure"--- Previously updated : 08/01/2024----- MET150s--- scotvorg-- Ent_O365-- Strat_O365_Enterprise-- must-keep-- CSH--- Ent_Solutions -description: "Summary: Configure high availability federated authentication for your Microsoft 365 subscription in Microsoft Azure." ---# Deploy high availability federated authentication for Microsoft 365 in Azure --This article has links to the step-by-step instructions for deploying high availability federated authentication for Microsoft 365 in Azure infrastructure services with these virtual machines: - -- Two web application proxy servers--- Two Active Directory Federation Services (AD FS) servers--- Two replica domain controllers--- One directory synchronization server running Microsoft Entra Connect--Here's the configuration, with placeholder names for each server. - -**A high availability federated authentication for Microsoft 365 infrastructure in Azure** --![The final configuration of the high availability Microsoft 365 federated authentication infrastructure in Azure.](../media/c5da470a-f2aa-489a-a050-df09b4d641df.png) - -All of the virtual machines are in a single cross-premises Azure virtual network (VNet). - -> [!NOTE] -> Federated authentication of individual users does not rely on any on-premises resources. However, if the cross-premises connection becomes unavailable, the domain controllers in the VNet will not receive updates to user accounts and groups made in the on-premises Active Directory Domain Services (AD DS). To ensure this does not happen, you can configure high availability for your cross-premises connection. 
For more information, see [Highly Available Cross-Premises and VNet-to-VNet Connectivity](/azure/vpn-gateway/vpn-gateway-highlyavailable) - -Each pair of virtual machines for a specific role is in its own subnet and availability set. - -> [!NOTE] -> Because this VNet is connected to the on-premises network, this configuration does not include jumpbox or monitoring virtual machines on a management subnet. For more information, see [Running Windows VMs for an N-tier architecture](/azure/guidance/guidance-compute-n-tier-vm). - -The result of this configuration is that you'll have federated authentication for all of your Microsoft 365 users, in which they can use their AD DS credentials to sign in rather than their Microsoft 365 account. The federated authentication infrastructure uses a redundant set of servers that are more easily deployed in Azure infrastructure services, rather than in your on-premises edge network. - -## Bill of materials --This baseline configuration requires the following set of Azure services and components: - -- Seven virtual machines--- One cross-premises virtual network with four subnets--- Four resource groups--- Three availability sets--- One Azure subscription--Here are the virtual machines and their default sizes for this configuration. - -|**Item**|**Virtual machine description**|**Azure gallery image**|**Default size**| -|:--|:--|:--|:--| -|1. <br/> |First domain controller <br/> |Windows Server 2016 Datacenter <br/> |D2 <br/> | -|2. <br/> |Second domain controller <br/> |Windows Server 2016 Datacenter <br/> |D2 <br/> | -|3. <br/> |Microsoft Entra Connect server <br/> |Windows Server 2016 Datacenter <br/> |D2 <br/> | -|4. <br/> |First AD FS server <br/> |Windows Server 2016 Datacenter <br/> |D2 <br/> | -|5. <br/> |Second AD FS server <br/> |Windows Server 2016 Datacenter <br/> |D2 <br/> | -|6. <br/> |First web application proxy server <br/> |Windows Server 2016 Datacenter <br/> |D2 <br/> | -|7. 
<br/> |Second web application proxy server <br/> |Windows Server 2016 Datacenter <br/> |D2 <br/> | - -To compute the estimated costs for this configuration, see the [Azure pricing calculator](https://azure.microsoft.com/pricing/calculator/). - -## Phases of deployment --You deploy this workload in the following phases: - -- [Phase 1: Configure Azure](high-availability-federated-authentication-phase-1-configure-azure.md). Create resource groups, storage accounts, availability sets, and a cross-premises virtual network.--- [Phase 2: Configure domain controllers](high-availability-federated-authentication-phase-2-configure-domain-controllers.md). Create and configure replica AD DS domain controllers and the directory synchronization server.--- [Phase 3: Configure AD FS servers](high-availability-federated-authentication-phase-3-configure-ad-fs-servers.md). Create and configure the two AD FS servers.--- [Phase 4: Configure web application proxies](high-availability-federated-authentication-phase-4-configure-web-application-pro.md). Create and configure the two web application proxy servers.--- [Phase 5: Configure federated authentication for Microsoft 365](high-availability-federated-authentication-phase-5-configure-federated-authentic.md). Configure federated authentication for your Microsoft 365 subscription.--These articles provide a prescriptive, phase-by-phase guide for a predefined architecture to create a functional, high availability federated authentication for Microsoft 365 in Azure infrastructure services. 
Keep the following in mind: - -- If you're an experienced AD FS implementer, feel free to adapt the instructions in phases 3 and 4 and build the set of servers that best suits your needs.--- If you already have an existing Azure hybrid cloud deployment with an existing cross-premises virtual network, feel free to adapt or skip the instructions in phases 1 and 2 and place the AD FS and web application proxy servers on the appropriate subnets.--To build a dev/test environment or a proof-of-concept of this configuration, see [Federated identity for your Microsoft 365 dev/test environment](federated-identity-for-your-microsoft-365-dev-test-environment.md). - -## Next step --Start the configuration of this workload with [Phase 1: Configure Azure](high-availability-federated-authentication-phase-1-configure-azure.md). |
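
Review bot: the whole overview article is removed with no redirect or replacement link visible in this change, yet the removed body shows several files that link to it by name: the five phase articles (high-availability-federated-authentication-phase-1-configure-azure.md through high-availability-federated-authentication-phase-5-configure-federated-authentic.md) and federated-identity-for-your-microsoft-365-dev-test-environment.md. Those inbound links need a redirect entry for deploy-high-availability-federated-authentication-for-microsoft-365-in-azure.md or a retargeting commit in the same change. The removed NOTE block also carries the one operational caveat in this article, that the VNet domain controllers stop receiving on-premises AD DS account and group changes while the cross-premises connection is down; if the series is being retired rather than moved, the retirement should say where that guidance now lives.
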
enterprise | High Availability Federated Authentication Phase 1 Configure Azure | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/high-availability-federated-authentication-phase-1-configure-azure.md | - Title: "High availability federated authentication Phase 1 Configure Azure"--- Previously updated : 11/25/2019------ scotvorg-- Ent_O365-- CSH- -description: "Summary: Configure the Microsoft Azure infrastructure to host high availability federated authentication for Microsoft 365." ---# High availability federated authentication Phase 1: Configure Azure --In this phase, you create the resource groups, virtual network (VNet), and availability sets in Azure that will host the virtual machines in phases 2, 3, and 4. You must complete this phase before moving on to [Phase 2: Configure domain controllers](high-availability-federated-authentication-phase-2-configure-domain-controllers.md). See [Deploy high availability federated authentication for Microsoft 365 in Azure](deploy-high-availability-federated-authentication-for-microsoft-365-in-azure.md) for all of the phases. - -Azure must be provisioned with these basic components: - -- Resource groups- -- A cross-premises Azure virtual network (VNet) with subnets for hosting the Azure virtual machines- -- Network security groups for performing subnet isolation- -- Availability sets- -## Configure Azure components --Before you begin configuring Azure components, fill in the following tables. To assist you in the procedures for configuring Azure, print this section and write down the needed information or copy this section to a document and fill it in. For the settings of the VNet, fill in Table V. - -|**Item**|**Configuration setting**|**Description**|**Value**| -|:--|:--|:--|:--| -|1. <br/> |VNet name <br/> |A name to assign to the VNet (example FedAuthNet). <br/> |![line.](../media/Common-Images/TableLine.png) <br/> | -|2. 
<br/> |VNet location <br/> |The regional Azure datacenter that will contain the virtual network. <br/> |![line.](../media/Common-Images/TableLine.png) <br/> | -|3. <br/> |VPN device IP address <br/> |The public IPv4 address of your VPN device's interface on the Internet. <br/> |![line.](../media/Common-Images/TableLine.png) <br/> | -|4. <br/> |VNet address space <br/> |The address space for the virtual network. Work with your IT department to determine this address space. <br/> |![line.](../media/Common-Images/TableLine.png) <br/> | -|5. <br/> |IPsec shared key <br/> |A 32-character random, alphanumeric string that will be used to authenticate both sides of the site-to-site VPN connection. Work with your IT or security department to determine this key value. Alternately, see [Create a random string for an IPsec preshared key](https://social.technet.microsoft.com/wiki/contents/articles/32330.create-a-random-string-for-an-ipsec-preshared-key.aspx). <br/> |![line.](../media/Common-Images/TableLine.png) <br/> | - - **Table V: Cross-premises virtual network configuration** - -Next, fill in Table S for the subnets of this solution. All address spaces should be in Classless Interdomain Routing (CIDR) format, also known as network prefix format. An example is 10.24.64.0/20. - -For the first three subnets, specify a name and a single IP address space based on the virtual network address space. For the gateway subnet, determine the 27-bit address space (with a /27 prefix length) for the Azure gateway subnet with the following: - -1. Set the variable bits in the address space of the VNet to 1, up to the bits being used by the gateway subnet, then set the remaining bits to 0. - -2. Convert the resulting bits to decimal and express it as an address space with the prefix length set to the size of the gateway subnet. 
- -See [Address space calculator for Azure gateway subnets](address-space-calculator-for-azure-gateway-subnets.md) for a PowerShell command block and C# or Python console application that performs this calculation for you. - -Work with your IT department to determine these address spaces from the virtual network address space. - -|**Item**|**Subnet name**|**Subnet address space**|**Purpose**| -|:--|:--|:--|:--| -|1. <br/> |![line.](../media/Common-Images/TableLine.png) <br/> |![line.](../media/Common-Images/TableLine.png) <br/> |The subnet used by the Active Directory Domain Services (AD DS) domain controller and directory synchronization server virtual machines (VMs). <br/> | -|2. <br/> |![line.](../media/Common-Images/TableLine.png) <br/> |![line.](../media/Common-Images/TableLine.png) <br/> |The subnet used by the AD FS VMs. <br/> | -|3. <br/> |![line.](../media/Common-Images/TableLine.png) <br/> |![line.](../media/Common-Images/TableLine.png) <br/> |The subnet used by the web application proxy VMs. <br/> | -|4. <br/> |GatewaySubnet <br/> |![line.](../media/Common-Images/TableLine.png) <br/> |The subnet used by the Azure gateway VMs. <br/> | - - **Table S: Subnets in the virtual network** - -Next, fill in Table I for the static IP addresses assigned to virtual machines and load balancer instances. - -|**Item**|**Purpose**|**IP address on the subnet**|**Value**| -|:--|:--|:--|:--| -|1. <br/> |Static IP address of the first domain controller <br/> |The fourth possible IP address for the address space of the subnet defined in Item 1 of Table S. <br/> |![line.](../media/Common-Images/TableLine.png) <br/> | -|2. <br/> |Static IP address of the second domain controller <br/> |The fifth possible IP address for the address space of the subnet defined in Item 1 of Table S. <br/> |![line.](../media/Common-Images/TableLine.png) <br/> | -|3. 
<br/> |Static IP address of the directory synchronization server <br/> |The sixth possible IP address for the address space of the subnet defined in Item 1 of Table S. <br/> |![line.](../media/Common-Images/TableLine.png) <br/> | -|4. <br/> |Static IP address of the internal load balancer for the AD FS servers <br/> |The fourth possible IP address for the address space of the subnet defined in Item 2 of Table S. <br/> |![line.](../media/Common-Images/TableLine.png) <br/> | -|5. <br/> |Static IP address of the first AD FS server <br/> |The fifth possible IP address for the address space of the subnet defined in Item 2 of Table S. <br/> |![line.](../media/Common-Images/TableLine.png) <br/> | -|6. <br/> |Static IP address of the second AD FS server <br/> |The sixth possible IP address for the address space of the subnet defined in Item 2 of Table S. <br/> |![line.](../media/Common-Images/TableLine.png) <br/> | -|7. <br/> |Static IP address of the first web application proxy server <br/> |The fourth possible IP address for the address space of the subnet defined in Item 3 of Table S. <br/> |![line.](../media/Common-Images/TableLine.png) <br/> | -|8. <br/> |Static IP address of the second web application proxy server <br/> |The fifth possible IP address for the address space of the subnet defined in Item 3 of Table S. <br/> |![line.](../media/Common-Images/TableLine.png) <br/> | - - **Table I: Static IP addresses in the virtual network** - -For two Domain Name System (DNS) servers in your on-premises network that you want to use when initially setting up the domain controllers in your virtual network, fill in Table D. Work with your IT department to determine this list. - -|**Item**|**DNS server friendly name**|**DNS server IP address**| -|:--|:--|:--| -|1. <br/> |![line.](../media/Common-Images/TableLine.png) <br/> |![line.](../media/Common-Images/TableLine.png) <br/> | -|2. 
<br/> |![line.](../media/Common-Images/TableLine.png) <br/> |![line.](../media/Common-Images/TableLine.png) <br/> | - - **Table D: On-premises DNS servers** - -To route packets from the cross-premises network to your organization network across the site-to-site VPN connection, you must configure the virtual network with a local network that has a list of the address spaces (in CIDR notation) for all of the reachable locations on your organization's on-premises network. The list of address spaces that define your local network must be unique and must not overlap with the address space used for other virtual networks or other local networks. - -For the set of local network address spaces, fill in Table L. Note that three blank entries are listed but you will typically need more. Work with your IT department to determine this list of address spaces. - -|**Item**|**Local network address space**| -|:--|:--| -|1. <br/> |![line.](../media/Common-Images/TableLine.png) <br/> | -|2. <br/> |![line.](../media/Common-Images/TableLine.png) <br/> | -|3. <br/> |![line.](../media/Common-Images/TableLine.png) <br/> | - - **Table L: Address prefixes for the local network** - -Now let's begin building the Azure infrastructure to host your federated authentication for Microsoft 365. - -> [!NOTE] -> The following command sets use the latest version of Azure PowerShell. See [Get started with Azure PowerShell](/powershell/azure/get-started-azureps). - -First, start an Azure PowerShell prompt and login to your account. - -```powershell -Connect-AzAccount -``` --> [!TIP] -> To generate ready-to-run PowerShell command blocks based on your custom settings, use this [Microsoft Excel configuration workbook](https://download.microsoft.com/download/1/b/7/1b745323-d84d-4fad-9e66-f34f589e5d31/O365FedAuthInAzure_Config.xlsx). --Get your subscription name using the following command. 
- -```powershell -Get-AzSubscription | Sort Name | Select Name -``` --For older versions of Azure PowerShell, use this command instead. - -```powershell -Get-AzSubscription | Sort Name | Select SubscriptionName -``` --Set your Azure subscription. Replace everything within the quotes, including the \< and > characters, with the correct name. - -```powershell -$subscrName="<subscription name>" -Select-AzSubscription -SubscriptionName $subscrName -``` --Next, create the new resource groups. To determine a unique set of resource group names, use this command to list your existing resource groups. - -```powershell -Get-AzResourceGroup | Sort ResourceGroupName | Select ResourceGroupName -``` --Fill in the following table for the set of unique resource group names. - -|**Item**|**Resource group name**|**Purpose**| -|:--|:--|:--| -|1. <br/> |![line.](../media/Common-Images/TableLine.png) <br/> |Domain controllers <br/> | -|2. <br/> |![line.](../media/Common-Images/TableLine.png) <br/> |AD FS servers <br/> | -|3. <br/> |![line.](../media/Common-Images/TableLine.png) <br/> |Web application proxy servers <br/> | -|4. <br/> |![line.](../media/Common-Images/TableLine.png) <br/> |Infrastructure elements <br/> | - - **Table R: Resource groups** - -Create your new resource groups with these commands. - -```powershell -$locName="<an Azure location, such as West US>" -$rgName="<Table R - Item 1 - Name column>" -New-AzResourceGroup -Name $rgName -Location $locName -$rgName="<Table R - Item 2 - Name column>" -New-AzResourceGroup -Name $rgName -Location $locName -$rgName="<Table R - Item 3 - Name column>" -New-AzResourceGroup -Name $rgName -Location $locName -$rgName="<Table R - Item 4 - Name column>" -New-AzResourceGroup -Name $rgName -Location $locName -``` --Next, you create the Azure virtual network and its subnets. 
- -```powershell -$rgName="<Table R - Item 4 - Resource group name column>" -$locName="<your Azure location>" -$vnetName="<Table V - Item 1 - Value column>" -$vnetAddrPrefix="<Table V - Item 4 - Value column>" -$dnsServers=@( "<Table D - Item 1 - DNS server IP address column>", "<Table D - Item 2 - DNS server IP address column>" ) -# Get the shortened version of the location -$locShortName=(Get-AzResourceGroup -Name $rgName).Location --# Create the subnets -$subnet1Name="<Table S - Item 1 - Subnet name column>" -$subnet1Prefix="<Table S - Item 1 - Subnet address space column>" -$subnet1=New-AzVirtualNetworkSubnetConfig -Name $subnet1Name -AddressPrefix $subnet1Prefix -$subnet2Name="<Table S - Item 2 - Subnet name column>" -$subnet2Prefix="<Table S - Item 2 - Subnet address space column>" -$subnet2=New-AzVirtualNetworkSubnetConfig -Name $subnet2Name -AddressPrefix $subnet2Prefix -$subnet3Name="<Table S - Item 3 - Subnet name column>" -$subnet3Prefix="<Table S - Item 3 - Subnet address space column>" -$subnet3=New-AzVirtualNetworkSubnetConfig -Name $subnet3Name -AddressPrefix $subnet3Prefix -$gwSubnet4Prefix="<Table S - Item 4 - Subnet address space column>" -$gwSubnet=New-AzVirtualNetworkSubnetConfig -Name "GatewaySubnet" -AddressPrefix $gwSubnet4Prefix --# Create the virtual network -New-AzVirtualNetwork -Name $vnetName -ResourceGroupName $rgName -Location $locName -AddressPrefix $vnetAddrPrefix -Subnet $gwSubnet,$subnet1,$subnet2,$subnet3 -DNSServer $dnsServers --``` --Next, you create network security groups for each subnet that has virtual machines. To perform subnet isolation, you can add rules for the specific types of traffic allowed or denied to the network security group of a subnet. 
- -```powershell -# Create network security groups -$vnet=Get-AzVirtualNetwork -ResourceGroupName $rgName -Name $vnetName --New-AzNetworkSecurityGroup -Name $subnet1Name -ResourceGroupName $rgName -Location $locShortName -$nsg=Get-AzNetworkSecurityGroup -Name $subnet1Name -ResourceGroupName $rgName -Set-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name $subnet1Name -AddressPrefix $subnet1Prefix -NetworkSecurityGroup $nsg --New-AzNetworkSecurityGroup -Name $subnet2Name -ResourceGroupName $rgName -Location $locShortName -$nsg=Get-AzNetworkSecurityGroup -Name $subnet2Name -ResourceGroupName $rgName -Set-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name $subnet2Name -AddressPrefix $subnet2Prefix -NetworkSecurityGroup $nsg --New-AzNetworkSecurityGroup -Name $subnet3Name -ResourceGroupName $rgName -Location $locShortName -$nsg=Get-AzNetworkSecurityGroup -Name $subnet3Name -ResourceGroupName $rgName -Set-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name $subnet3Name -AddressPrefix $subnet3Prefix -NetworkSecurityGroup $nsg -$vnet | Set-AzVirtualNetwork -``` --Next, use these commands to create the gateways for the site-to-site VPN connection. 
- -```powershell -$rgName="<Table R - Item 4 - Resource group name column>" -$locName="<Azure location>" -$vnetName="<Table V - Item 1 - Value column>" -$vnet=Get-AzVirtualNetwork -Name $vnetName -ResourceGroupName $rgName -$subnet=Get-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name "GatewaySubnet" --# Attach a virtual network gateway to a public IP address and the gateway subnet -$publicGatewayVipName="PublicIPAddress" -$vnetGatewayIpConfigName="PublicIPConfig" -New-AzPublicIpAddress -Name $vnetGatewayIpConfigName -ResourceGroupName $rgName -Location $locName -AllocationMethod Dynamic -$publicGatewayVip=Get-AzPublicIpAddress -Name $vnetGatewayIpConfigName -ResourceGroupName $rgName -$vnetGatewayIpConfig=New-AzVirtualNetworkGatewayIpConfig -Name $vnetGatewayIpConfigName -PublicIpAddressId $publicGatewayVip.Id -Subnet $subnet --# Create the Azure gateway -$vnetGatewayName="AzureGateway" -$vnetGateway=New-AzVirtualNetworkGateway -Name $vnetGatewayName -ResourceGroupName $rgName -Location $locName -GatewayType Vpn -VpnType RouteBased -IpConfigurations $vnetGatewayIpConfig --# Create the gateway for the local network -$localGatewayName="LocalNetGateway" -$localGatewayIP="<Table V - Item 3 - Value column>" -$localNetworkPrefix=@( <comma-separated, double-quote enclosed list of the local network address prefixes from Table L, example: "10.1.0.0/24", "10.2.0.0/24"> ) -$localGateway=New-AzLocalNetworkGateway -Name $localGatewayName -ResourceGroupName $rgName -Location $locName -GatewayIpAddress $localGatewayIP -AddressPrefix $localNetworkPrefix --# Define the Azure virtual network VPN connection -$vnetConnectionName="S2SConnection" -$vnetConnectionKey="<Table V - Item 5 - Value column>" -$vnetConnection=New-AzVirtualNetworkGatewayConnection -Name $vnetConnectionName -ResourceGroupName $rgName -Location $locName -ConnectionType IPsec -SharedKey $vnetConnectionKey -VirtualNetworkGateway1 $vnetGateway -LocalNetworkGateway2 $localGateway --``` --> [!NOTE] -> Federated 
authentication of individual users does not rely on any on-premises resources. However, if this site-to-site VPN connection becomes unavailable, the domain controllers in the VNet will not receive updates to user accounts and groups made in the on-premises Active Directory Domain Services. To ensure this does not happen, you can configure high availability for your site-to-site VPN connection. For more information, see [Highly Available Cross-Premises and VNet-to-VNet Connectivity](/azure/vpn-gateway/vpn-gateway-highlyavailable) - -Next, record the public IPv4 address of the Azure VPN gateway for your virtual network from the display of this command: - -```powershell -Get-AzPublicIpAddress -Name $publicGatewayVipName -ResourceGroupName $rgName -``` --Next, configure your on-premises VPN device to connect to the Azure VPN gateway. For more information, see [Configure your VPN device](/azure/vpn-gateway/vpn-gateway-about-vpn-devices). - -To configure your on-premises VPN device, you will need the following: - -- The public IPv4 address of the Azure VPN gateway.- -- The IPsec pre-shared key for the site-to-site VPN connection (Table V - Item 5 - Value column).- -Next, ensure that the address space of the virtual network is reachable from your on-premises network. This is usually done by adding a route corresponding to the virtual network address space to your VPN device and then advertising that route to the rest of the routing infrastructure of your organization network. Work with your IT department to determine how to do this. - -Next, define the names of three availability sets. Fill out Table A. - -|**Item**|**Purpose**|**Availability set name**| -|:--|:--|:--| -|1. <br/> |Domain controllers <br/> |![line.](../media/Common-Images/TableLine.png) <br/> | -|2. <br/> |AD FS servers <br/> |![line.](../media/Common-Images/TableLine.png) <br/> | -|3. 
<br/> |Web application proxy servers <br/> |![line.](../media/Common-Images/TableLine.png) <br/> | - - **Table A: Availability sets** - -You will need these names when you create the virtual machines in phases 2, 3, and 4. - -Create the new availability sets with these Azure PowerShell commands. - -```powershell -$locName="<the Azure location for your new resource group>" -$rgName="<Table R - Item 1 - Resource group name column>" -$avName="<Table A - Item 1 - Availability set name column>" -New-AzAvailabilitySet -ResourceGroupName $rgName -Name $avName -Location $locName -Sku Aligned -PlatformUpdateDomainCount 5 -PlatformFaultDomainCount 2 -$rgName="<Table R - Item 2 - Resource group name column>" -$avName="<Table A - Item 2 - Availability set name column>" -New-AzAvailabilitySet -ResourceGroupName $rgName -Name $avName -Location $locName -Sku Aligned -PlatformUpdateDomainCount 5 -PlatformFaultDomainCount 2 -$rgName="<Table R - Item 3 - Resource group name column>" -$avName="<Table A - Item 3 - Availability set name column>" -New-AzAvailabilitySet -ResourceGroupName $rgName -Name $avName -Location $locName -Sku Aligned -PlatformUpdateDomainCount 5 -PlatformFaultDomainCount 2 -``` --This is the configuration resulting from the successful completion of this phase. - -**Phase 1: The Azure infrastructure for high availability federated authentication for Microsoft 365** --![Phase 1 of the high availability Microsoft 365 federated authentication in Azure with the Azure infrastructure.](../media/4e7ba678-07df-40ce-b372-021bf7fc91fa.png) - -## Next step --Use [Phase 2: Configure domain controllers](high-availability-federated-authentication-phase-2-configure-domain-controllers.md) to continue with the configuration of this workload. 
- -## See Also --[Deploy high availability federated authentication for Microsoft 365 in Azure](deploy-high-availability-federated-authentication-for-microsoft-365-in-azure.md) - -[Federated identity for your Microsoft 365 dev/test environment](federated-identity-for-your-microsoft-365-dev-test-environment.md) - -[Microsoft 365 solution and architecture center](../solutions/index.yml) --[Understanding Microsoft 365 identity models](deploy-identity-solution-identity-model.md) |
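
Review bot: if any of the removed Phase 1 PowerShell is being migrated rather than retired, do not carry over the public IP naming mismatch in the gateway block: `$publicGatewayVipName="PublicIPAddress"` is declared, but the address is created with `New-AzPublicIpAddress -Name $vnetGatewayIpConfigName`, so the later `Get-AzPublicIpAddress -Name $publicGatewayVipName` that readers are told to run to record the gateway's public IPv4 address looks up a resource that was never created. Two smaller points in the same content for a successor article: the three network security groups are created with no rules, so the "subnet isolation" the text promises does not exist until rules are added (the default NSG rules permit traffic between subnets of the same VNet), and the IPsec pre-shared key guidance points to a social.technet.microsoft.com wiki page rather than a docs page, so a successor should give the key-generation guidance inline or link to a maintained page. Like the overview article, this one is deleted with no redirect visible in the change.
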
enterprise | High Availability Federated Authentication Phase 2 Configure Domain Controllers | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/high-availability-federated-authentication-phase-2-configure-domain-controllers.md | - Title: High availability federated authentication Phase 2 Configure domain controllers--- Previously updated : 11/25/2019------ scotvorg-- Ent_O365-- CSH- -description: "Summary: Configure the domain controllers and directory synchronization server for your high availability federated authentication for Microsoft 365 in Microsoft Azure." ---# High availability federated authentication Phase 2: Configure domain controllers --In this phase of deploying high availability for Microsoft 365 federated authentication in Azure infrastructure services, you configure two domain controllers and the directory synchronization server in the Azure virtual network. Client web requests for authentication can then be authenticated in the Azure virtual network, rather than sending that authentication traffic across the site-to-site VPN connection to your on-premises network. - -> [!NOTE] -> Active Directory Federation Services (AD FS) cannot use Microsoft Entra ID as a substitute for Active Directory Domain Services (AD DS) domain controllers. - -You must complete this phase before moving on to [Phase 3: Configure AD FS servers](high-availability-federated-authentication-phase-3-configure-ad-fs-servers.md). See [Deploy high availability federated authentication for Microsoft 365 in Azure](deploy-high-availability-federated-authentication-for-microsoft-365-in-azure.md) for all of the phases. - -## Create the domain controller virtual machines in Azure --First, you need to fill out the **Virtual machine name** column of Table M and modify virtual machine sizes as needed in the **Minimum size** column. 
- -|**Item**|**Virtual machine name**|**Gallery image**|**Storage type**|**Minimum size**| -|:--|:--|:--|:--|:--| -|1. <br/> |![line.](../media/Common-Images/TableLine.png) (first domain controller, example DC1) <br/> |Windows Server 2016 Datacenter <br/> |Standard_LRS <br/> |Standard_D2 <br/> | -|2. <br/> |![line.](../media/Common-Images/TableLine.png) (second domain controller, example DC2) <br/> |Windows Server 2016 Datacenter <br/> |Standard_LRS <br/> |Standard_D2 <br/> | -|3. <br/> |![line.](../media/Common-Images/TableLine.png) (directory synchronization server, example DS1) <br/> |Windows Server 2016 Datacenter <br/> |Standard_LRS <br/> |Standard_D2 <br/> | -|4. <br/> |![line.](../media/Common-Images/TableLine.png) (first AD FS server, example ADFS1) <br/> |Windows Server 2016 Datacenter <br/> |Standard_LRS <br/> |Standard_D2 <br/> | -|5. <br/> |![line.](../media/Common-Images/TableLine.png) (second AD FS server, example ADFS2) <br/> |Windows Server 2016 Datacenter <br/> |Standard_LRS <br/> |Standard_D2 <br/> | -|6. <br/> |![line.](../media/Common-Images/TableLine.png) (first web application proxy server, example WEB1) <br/> |Windows Server 2016 Datacenter <br/> |Standard_LRS <br/> |Standard_D2 <br/> | -|7. <br/> |![line.](../media/Common-Images/TableLine.png) (second web application proxy server, example WEB2) <br/> |Windows Server 2016 Datacenter <br/> |Standard_LRS <br/> |Standard_D2 <br/> | - - **Table M - Virtual machines for the high availability federated authentication for Microsoft 365 in Azure** - -For the complete list of virtual machine sizes, see [Sizes for virtual machines](/azure/virtual-machines/sizes). - -The following Azure PowerShell command block creates the virtual machines for the two domain controllers. Specify the values for the variables, removing the \< and > characters. 
Note that this Azure PowerShell command block uses values from the following tables: - -- Table M, for your virtual machines- -- Table R, for your resource groups- -- Table V, for your virtual network settings- -- Table S, for your subnets- -- Table I, for your static IP addresses- -- Table A, for your availability sets- -Recall that you defined Tables R, V, S, I, and A in [Phase 1: Configure Azure](high-availability-federated-authentication-phase-1-configure-azure.md). - -> [!NOTE] -> The following command sets use the latest version of Azure PowerShell. See [Get started with Azure PowerShell](/powershell/azure/get-started-azureps). - -When you have supplied all the correct values, run the resulting block at the Azure PowerShell prompt or in the PowerShell Integrated Script Environment (ISE) on your local computer. - -> [!TIP] -> To generate ready-to-run PowerShell command blocks based on your custom settings, use this [Microsoft Excel configuration workbook](https://download.microsoft.com/download/1/b/7/1b745323-d84d-4fad-9e66-f34f589e5d31/O365FedAuthInAzure_Config.xlsx). 
--```powershell -# Set up variables common to both virtual machines -$locName="<your Azure location>" -$vnetName="<Table V - Item 1 - Value column>" -$subnetName="<Table S - Item 1 - Value column>" -$avName="<Table A - Item 1 - Availability set name column>" -$rgNameTier="<Table R - Item 1 - Resource group name column>" -$rgNameInfra="<Table R - Item 4 - Resource group name column>" --$rgName=$rgNameInfra -$vnet=Get-AzVirtualNetwork -Name $vnetName -ResourceGroupName $rgName -$subnet=Get-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name $subnetName --$rgName=$rgNameTier -$avSet=Get-AzAvailabilitySet -Name $avName -ResourceGroupName $rgName --# Create the first domain controller -$vmName="<Table M - Item 1 - Virtual machine name column>" -$vmSize="<Table M - Item 1 - Minimum size column>" -$staticIP="<Table I - Item 1 - Value column>" -$diskStorageType="<Table M - Item 1 - Storage type column>" -$diskSize=<size of the extra disk for Active Directory Domain Services (AD DS) data in GB> --$nic=New-AzNetworkInterface -Name ($vmName +"-NIC") -ResourceGroupName $rgName -Location $locName -Subnet $subnet -PrivateIpAddress $staticIP -$vm=New-AzVMConfig -VMName $vmName -VMSize $vmSize -AvailabilitySetId $avset.Id -$vm=Set-AzVMOSDisk -VM $vm -Name ($vmName +"-OS") -DiskSizeInGB 128 -CreateOption FromImage -StorageAccountType $diskStorageType -$diskConfig=New-AzDiskConfig -AccountType $diskStorageType -Location $locName -CreateOption Empty -DiskSizeGB $diskSize -$dataDisk1=New-AzDisk -DiskName ($vmName + "-DataDisk1") -Disk $diskConfig -ResourceGroupName $rgName -$vm=Add-AzVMDataDisk -VM $vm -Name ($vmName + "-DataDisk1") -CreateOption Attach -ManagedDiskId $dataDisk1.Id -Lun 1 -$cred=Get-Credential -Message "Type the name and password of the local administrator account for the first domain controller." 
-$vm=Set-AzVMOperatingSystem -VM $vm -Windows -ComputerName $vmName -Credential $cred -ProvisionVMAgent -EnableAutoUpdate -$vm=Set-AzVMSourceImage -VM $vm -PublisherName MicrosoftWindowsServer -Offer WindowsServer -Skus 2016-Datacenter -Version "latest" -$vm=Add-AzVMNetworkInterface -VM $vm -Id $nic.Id -New-AzVM -ResourceGroupName $rgName -Location $locName -VM $vm --# Create the second domain controller -$vmName="<Table M - Item 2 - Virtual machine name column>" -$vmSize="<Table M - Item 2 - Minimum size column>" -$staticIP="<Table I - Item 2 - Value column>" -$diskStorageType="<Table M - Item 2 - Storage type column>" -$diskSize=<size of the extra disk for AD DS data in GB> --$nic=New-AzNetworkInterface -Name ($vmName +"-NIC") -ResourceGroupName $rgName -Location $locName -Subnet $subnet -PrivateIpAddress $staticIP -$vm=New-AzVMConfig -VMName $vmName -VMSize $vmSize -AvailabilitySetId $avset.Id -$vm=Set-AzVMOSDisk -VM $vm -Name ($vmName +"-OS") -DiskSizeInGB 128 -CreateOption FromImage -StorageAccountType $diskStorageType -$diskConfig=New-AzDiskConfig -AccountType $diskStorageType -Location $locName -CreateOption Empty -DiskSizeGB $diskSize -$dataDisk1=New-AzDisk -DiskName ($vmName + "-DataDisk1") -Disk $diskConfig -ResourceGroupName $rgName -$vm=Add-AzVMDataDisk -VM $vm -Name ($vmName + "-DataDisk1") -CreateOption Attach -ManagedDiskId $dataDisk1.Id -Lun 1 -$cred=Get-Credential -Message "Type the name and password of the local administrator account for the second domain controller." 
-$vm=Set-AzVMOperatingSystem -VM $vm -Windows -ComputerName $vmName -Credential $cred -ProvisionVMAgent -EnableAutoUpdate -$vm=Set-AzVMSourceImage -VM $vm -PublisherName MicrosoftWindowsServer -Offer WindowsServer -Skus 2016-Datacenter -Version "latest" -$vm=Add-AzVMNetworkInterface -VM $vm -Id $nic.Id -New-AzVM -ResourceGroupName $rgName -Location $locName -VM $vm --# Create the directory synchronization server -$vmName="<Table M - Item 3 - Virtual machine name column>" -$vmSize="<Table M - Item 3 - Minimum size column>" -$staticIP="<Table I - Item 3 - Value column>" -$diskStorageType="<Table M - Item 3 - Storage type column>" --$nic=New-AzNetworkInterface -Name ($vmName +"-NIC") -ResourceGroupName $rgName -Location $locName -Subnet $subnet -PrivateIpAddress $staticIP -$vm=New-AzVMConfig -VMName $vmName -VMSize $vmSize --$cred=Get-Credential -Message "Type the name and password of the local administrator account for the directory synchronization server." -$vm=Set-AzVMOperatingSystem -VM $vm -Windows -ComputerName $vmName -Credential $cred -ProvisionVMAgent -EnableAutoUpdate -$vm=Set-AzVMSourceImage -VM $vm -PublisherName MicrosoftWindowsServer -Offer WindowsServer -Skus 2016-Datacenter -Version "latest" -$vm=Add-AzVMNetworkInterface -VM $vm -Id $nic.Id -$vm=Set-AzVMOSDisk -VM $vm -Name ($vmName +"-OS") -DiskSizeInGB 128 -CreateOption FromImage -StorageAccountType $diskStorageType -New-AzVM -ResourceGroupName $rgName -Location $locName -VM $vm -``` --> [!NOTE] -> Because these virtual machines are for an intranet application, they are not assigned a public IP address or a DNS domain name label and exposed to the Internet. However, this also means that you cannot connect to them from the Azure portal. The **Connect** option is unavailable when you view the properties of the virtual machine. Use the Remote Desktop Connection accessory or another Remote Desktop tool to connect to the virtual machine using its private IP address or intranet DNS name. 
- -## Configure the first domain controller --Use the remote desktop client of your choice and create a remote desktop connection to the first domain controller virtual machine. Use its intranet DNS or computer name and the credentials of the local administrator account. - -Next, add the extra data disk to the first domain controller with this command from a Windows PowerShell command prompt **on the first domain controller virtual machine**: - -```powershell -Get-Disk | Where PartitionStyle -eq "RAW" | Initialize-Disk -PartitionStyle MBR -PassThru | New-Partition -AssignDriveLetter -UseMaximumSize | Format-Volume -FileSystem NTFS -NewFileSystemLabel "WSAD Data" -``` --Next, test the first domain controller's connectivity to locations on your organization network by using the **ping** command to ping names and IP addresses of resources on your organization network. - -This procedure ensures that DNS name resolution is working correctly (that the virtual machine is correctly configured with on-premises DNS servers) and that packets can be sent to and from the cross-premises virtual network. If this basic test fails, contact your IT department to troubleshoot the DNS name resolution and packet delivery issues. - -Next, from the Windows PowerShell command prompt on the first domain controller, run the following commands: - -```powershell -$domname="<DNS domain name of the domain for which this computer will be a domain controller, such as corp.contoso.com>" -$cred = Get-Credential -Message "Enter credentials of an account with permission to join a new domain controller to the domain" -Install-WindowsFeature AD-Domain-Services -IncludeManagementTools -Install-ADDSDomainController -InstallDns -DomainName $domname -DatabasePath "F:\NTDS" -SysvolPath "F:\SYSVOL" -LogPath "F:\Logs" -Credential $cred -``` --You will be prompted to supply the credentials of a domain administrator account. The computer will restart. 
- -## Configure the second domain controller --Use the remote desktop client of your choice and create a remote desktop connection to the second domain controller virtual machine. Use its intranet DNS or computer name and the credentials of the local administrator account. - -Next, you need to add the extra data disk to the second domain controller with this command from a Windows PowerShell command prompt **on the second domain controller virtual machine**: - -```powershell -Get-Disk | Where PartitionStyle -eq "RAW" | Initialize-Disk -PartitionStyle MBR -PassThru | New-Partition -AssignDriveLetter -UseMaximumSize | Format-Volume -FileSystem NTFS -NewFileSystemLabel "WSAD Data" -``` --Next, run the following commands: - -```powershell -$domname="<DNS domain name of the domain for which this computer will be a domain controller, such as corp.contoso.com>" -$cred = Get-Credential -Message "Enter credentials of an account with permission to join a new domain controller to the domain" -Install-WindowsFeature AD-Domain-Services -IncludeManagementTools -Install-ADDSDomainController -InstallDns -DomainName $domname -DatabasePath "F:\NTDS" -SysvolPath "F:\SYSVOL" -LogPath "F:\Logs" -Credential $cred --``` --You will be prompted to supply the credentials of a domain administrator account. The computer will restart. - -Next, you need to update the DNS servers for your virtual network so that Azure assigns virtual machines the IP addresses of the two new domain controllers to use as their DNS servers. 
Fill in the variables and then run these commands from a Windows PowerShell command prompt on your local computer: - -```powershell -$rgName="<Table R - Item 4 - Resource group name column>" -$adrgName="<Table R - Item 1 - Resource group name column>" -$locName="<your Azure location>" -$vnetName="<Table V - Item 1 - Value column>" -$onpremDNSIP1="<Table D - Item 1 - DNS server IP address column>" -$onpremDNSIP2="<Table D - Item 2 - DNS server IP address column>" -$staticIP1="<Table I - Item 1 - Value column>" -$staticIP2="<Table I - Item 2 - Value column>" -$firstDCName="<Table M - Item 1 - Virtual machine name column>" -$secondDCName="<Table M - Item 2 - Virtual machine name column>" --$vnet=Get-AzVirtualNetwork -ResourceGroupName $rgName -Name $vnetName -$vnet.DhcpOptions.DnsServers.Add($staticIP1) -$vnet.DhcpOptions.DnsServers.Add($staticIP2) -$vnet.DhcpOptions.DnsServers.Remove($onpremDNSIP1) -$vnet.DhcpOptions.DnsServers.Remove($onpremDNSIP2) -Set-AzVirtualNetwork -VirtualNetwork $vnet -Restart-AzVM -ResourceGroupName $adrgName -Name $firstDCName -Restart-AzVM -ResourceGroupName $adrgName -Name $secondDCName -``` --Note that we restart the two domain controllers so that they are not configured with the on-premises DNS servers as DNS servers. Because they are both DNS servers themselves, they were automatically configured with the on-premises DNS servers as DNS forwarders when they were promoted to domain controllers. - -Next, we need to create an Active Directory replication site to ensure that servers in the Azure virtual network use the local domain controllers. 
Connect to either domain controller with a domain administrator account and run the following commands from an administrator-level Windows PowerShell prompt: - -```powershell -$vnet="<Table V - Item 1 - Value column>" -$vnetSpace="<Table V - Item 4 - Value column>" -New-ADReplicationSite -Name $vnet -New-ADReplicationSubnet -Name $vnetSpace -Site $vnet -``` --## Configure the directory synchronization server --Use the remote desktop client of your choice and create a remote desktop connection to the directory synchronization server virtual machine. Use its intranet DNS or computer name and the credentials of the local administrator account. - -Next, join it to the appropriate AD DS domain with these commands at the Windows PowerShell prompt. - -```powershell -$domName="<AD DS domain name to join, such as corp.contoso.com>" -$cred=Get-Credential -Message "Type the name and password of a domain account." -Add-Computer -DomainName $domName -Credential $cred -Restart-Computer -``` --Here is the configuration resulting from the successful completion of this phase, with placeholder computer names. - -**Phase 2: The domain controllers and directory synchronization server for your high availability federated authentication infrastructure in Azure** --![Phase 2 of the high availability Microsoft 365 federated authentication infrastructure in Azure with domain controllers.](../media/b0c1013b-3fb4-499e-93c1-bf310d8f4c32.png) - -## Next step --Use [Phase 3: Configure AD FS servers](high-availability-federated-authentication-phase-3-configure-ad-fs-servers.md) to continue configuring this workload. 
- -## See Also --[Deploy high availability federated authentication for Microsoft 365 in Azure](deploy-high-availability-federated-authentication-for-microsoft-365-in-azure.md) - -[Federated identity for your Microsoft 365 dev/test environment](federated-identity-for-your-microsoft-365-dev-test-environment.md) - -[Microsoft 365 solution and architecture center](../solutions/index.yml) |
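Review bot: Removing high-availability-federated-authentication-phase-2-configure-domain-controllers.md outright needs a redirect entry for the old path, because the Phase 3 and Phase 4 hunks on this page still send readers to it (`Recall that you defined Table M in [Phase 2: Configure domain controllers](high-availability-federated-authentication-phase-2-configure-domain-controllers.md)`), and any bookmark or search result for the page will otherwise 404; please also confirm that the pages in the removed See Also list, such as federated-identity-for-your-microsoft-365-dev-test-environment.md, no longer link back here. If the procedure is being republished rather than retired, carry over one fix from the removed text: `Install-ADDSDomainController` hard-codes `-DatabasePath "F:\NTDS" -SysvolPath "F:\SYSVOL" -LogPath "F:\Logs"`, but the preceding `New-Partition -AssignDriveLetter` call assigns whichever drive letter is next free, so the letter should be captured from that pipeline (or assigned explicitly) before the promotion runs.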
enterprise | High Availability Federated Authentication Phase 3 Configure Ad Fs Servers | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/high-availability-federated-authentication-phase-3-configure-ad-fs-servers.md | - Title: "High availability federated authentication Phase 3 Configure AD FS servers"--- Previously updated : 11/25/2019------ scotvorg-- Ent_O365-- CSH- -description: Learn how to create and configure the AD FS servers for your high availability federated authentication for Microsoft 365 in Microsoft Azure. ---# High availability federated authentication Phase 3: Configure AD FS servers --In this phase of deploying high availability for Microsoft 365 federated authentication in Azure infrastructure services, you create an internal load balancer and two AD FS servers. - -You must complete this phase before moving on to [Phase 4: Configure web application proxies](high-availability-federated-authentication-phase-4-configure-web-application-pro.md). See [Deploy high availability federated authentication for Microsoft 365 in Azure](deploy-high-availability-federated-authentication-for-microsoft-365-in-azure.md) for all of the phases. - -## Create the AD FS server virtual machines in Azure --Use the following block of PowerShell commands to create the virtual machines for the two AD FS servers. This PowerShell command set uses values from the following tables: - -- Table M, for your virtual machines- -- Table R, for your resource groups- -- Table V, for your virtual network settings- -- Table S, for your subnets- -- Table I, for your static IP addresses- -- Table A, for your availability sets- -Recall that you defined Table M in [Phase 2: Configure domain controllers](high-availability-federated-authentication-phase-2-configure-domain-controllers.md) and Tables R, V, S, I, and A in [Phase 1: Configure Azure](high-availability-federated-authentication-phase-1-configure-azure.md). 
- -> [!NOTE] -> The following command sets use the latest version of Azure PowerShell. See [Get started with Azure PowerShell](/powershell/azure/get-started-azureps). - -First, you create an Azure internal load balancer for the two AD FS servers. Specify the values for the variables, removing the \< and > characters. When you have supplied all the proper values, run the resulting block at the Azure PowerShell command prompt or in the PowerShell ISE. - -> [!TIP] -> To generate ready-to-run PowerShell command blocks based on your custom settings, use this [Microsoft Excel configuration workbook](https://download.microsoft.com/download/1/b/7/1b745323-d84d-4fad-9e66-f34f589e5d31/O365FedAuthInAzure_Config.xlsx). --```powershell -# Set up key variables -$locName="<your Azure location>" -$vnetName="<Table V - Item 1 - Value column>" -$subnetName="<Table R - Item 2 - Subnet name column>" -$privIP="<Table I - Item 4 - Value column>" -$rgName=<Table R - Item 4 - Resource group name column>" --$vnet=Get-AzVirtualNetwork -Name $vnetName -ResourceGroupName $rgName -$subnet=Get-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name $subnetName --$frontendIP=New-AzLoadBalancerFrontendIpConfig -Name "ADFSServers-LBFE" -PrivateIPAddress $privIP -Subnet $subnet -$beAddressPool=New-AzLoadBalancerBackendAddressPoolConfig -Name "ADFSServers-LBBE" --$healthProbe=New-AzLoadBalancerProbeConfig -Name WebServersProbe -Protocol "TCP" -Port 443 -IntervalInSeconds 15 -ProbeCount 2 -$lbrule=New-AzLoadBalancerRuleConfig -Name "HTTPSTraffic" -FrontendIpConfiguration $frontendIP -BackendAddressPool $beAddressPool -Probe $healthProbe -Protocol "TCP" -FrontendPort 443 -BackendPort 443 -New-AzLoadBalancer -ResourceGroupName $rgName -Name "ADFSServers" -Location $locName -LoadBalancingRule $lbrule -BackendAddressPool $beAddressPool -Probe $healthProbe -FrontendIpConfiguration $frontendIP -``` --Next, create the AD FS server virtual machines. 
- -When you have supplied all the proper values, run the resulting block at the Azure PowerShell command prompt or in the PowerShell ISE. - -```powershell -# Set up variables common to both virtual machines -$locName="<your Azure location>" -$vnetName="<Table V - Item 1 - Value column>" -$subnetName="<Table R - Item 2 - Subnet name column>" -$avName="<Table A - Item 2 - Availability set name column>" -$rgNameTier="<Table R - Item 2 - Resource group name column>" -$rgNameInfra="<Table R - Item 4 - Resource group name column>" --$rgName=$rgNameInfra -$vnet=Get-AzVirtualNetwork -Name $vnetName -ResourceGroupName $rgName -$subnet=Get-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name $subnetName -$backendSubnet=Get-AzVirtualNetworkSubnetConfig -Name $subnetName -VirtualNetwork $vnet -$webLB=Get-AzLoadBalancer -ResourceGroupName $rgName -Name "ADFSServers" --$rgName=$rgNameTier -$avSet=Get-AzAvailabilitySet -Name $avName -ResourceGroupName $rgName --# Create the first ADFS server virtual machine -$vmName="<Table M - Item 4 - Virtual machine name column>" -$vmSize="<Table M - Item 4 - Minimum size column>" -$staticIP="<Table I - Item 5 - Value column>" -$diskStorageType="<Table M - Item 4 - Storage type column>" --$nic=New-AzNetworkInterface -Name ($vmName +"-NIC") -ResourceGroupName $rgName -Location $locName -Subnet $backendSubnet -LoadBalancerBackendAddressPool $webLB.BackendAddressPools[0] -PrivateIpAddress $staticIP -$vm=New-AzVMConfig -VMName $vmName -VMSize $vmSize -AvailabilitySetId $avset.Id --$cred=Get-Credential -Message "Type the name and password of the local administrator account for the first AD FS server." 
-$vm=Set-AzVMOperatingSystem -VM $vm -Windows -ComputerName $vmName -Credential $cred -ProvisionVMAgent -EnableAutoUpdate -$vm=Set-AzVMSourceImage -VM $vm -PublisherName MicrosoftWindowsServer -Offer WindowsServer -Skus 2016-Datacenter -Version "latest" -$vm=Add-AzVMNetworkInterface -VM $vm -Id $nic.Id -$vm=Set-AzVMOSDisk -VM $vm -Name ($vmName +"-OS") -DiskSizeInGB 128 -CreateOption FromImage -StorageAccountType $diskStorageType -New-AzVM -ResourceGroupName $rgName -Location $locName -VM $vm --# Create the second AD FS virtual machine -$vmName="<Table M - Item 5 - Virtual machine name column>" -$vmSize="<Table M - Item 5 - Minimum size column>" -$staticIP="<Table I - Item 6 - Value column>" -$diskStorageType="<Table M - Item 5 - Storage type column>" --$nic=New-AzNetworkInterface -Name ($vmName +"-NIC") -ResourceGroupName $rgName -Location $locName -Subnet $backendSubnet -LoadBalancerBackendAddressPool $webLB.BackendAddressPools[0] -PrivateIpAddress $staticIP -$vm=New-AzVMConfig -VMName $vmName -VMSize $vmSize -AvailabilitySetId $avset.Id --$cred=Get-Credential -Message "Type the name and password of the local administrator account for the second AD FS server." -$vm=Set-AzVMOperatingSystem -VM $vm -Windows -ComputerName $vmName -Credential $cred -ProvisionVMAgent -EnableAutoUpdate -$vm=Set-AzVMSourceImage -VM $vm -PublisherName MicrosoftWindowsServer -Offer WindowsServer -Skus 2016-Datacenter -Version "latest" -$vm=Add-AzVMNetworkInterface -VM $vm -Id $nic.Id -$vm=Set-AzVMOSDisk -VM $vm -Name ($vmName +"-OS") -DiskSizeInGB 128 -CreateOption FromImage -StorageAccountType $diskStorageType -New-AzVM -ResourceGroupName $rgName -Location $locName -VM $vm --``` --> [!NOTE] -> Because these virtual machines are for an intranet application, they are not assigned a public IP address or a DNS domain name label and exposed to the Internet. However, this also means that you cannot connect to them from the Azure portal. 
The **Connect** option is unavailable when you view the properties of the virtual machine. Use the Remote Desktop Connection accessory or another Remote Desktop tool to connect to the virtual machine using its private IP address or intranet DNS name. - -For each virtual machine, use the remote desktop client of your choice and create a remote desktop connection. Use its intranet DNS or computer name and the credentials of the local administrator account. - -For each virtual machine, join them to the appropriate Active Directory Domain Services (AD DS) domain with these commands at the Windows PowerShell prompt. - -```powershell -$domName="<AD DS domain name to join, such as corp.contoso.com>" -$cred=Get-Credential -Message "Type the name and password of a domain account." -Add-Computer -DomainName $domName -Credential $cred -Restart-Computer -``` --Here is the configuration resulting from the successful completion of this phase, with placeholder computer names. - -**Phase 3: The AD FS servers and internal load balancer for your high availability federated authentication infrastructure in Azure** --![Phase 3 of the high availability Microsoft 365 federated authentication infrastructure in Azure with the AD FS servers.](../media/f39b2d2f-8a5b-44da-b763-e1f943fcdbc4.png) - -## Next step --Use [Phase 4: Configure web application proxies](high-availability-federated-authentication-phase-4-configure-web-application-pro.md) to continue configuring this workload. - -## See Also --[Deploy high availability federated authentication for Microsoft 365 in Azure](deploy-high-availability-federated-authentication-for-microsoft-365-in-azure.md) - -[Federated identity for your Microsoft 365 dev/test environment](federated-identity-for-your-microsoft-365-dev-test-environment.md) |
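Review bot: The removed internal load balancer block carried an unbalanced quote that stops the script before anything runs, `$rgName=<Table R - Item 4 - Resource group name column>"`; if this content is being moved rather than retired, restore the opening quotation mark so the line reads `$rgName="<Table R - Item 4 - Resource group name column>"`. The virtual machine block in the same hunk also resolves the subnet twice with identical arguments into `$subnet` and `$backendSubnet`, and only the second is used, so one lookup is enough. The See Also links to deploy-high-availability-federated-authentication-for-microsoft-365-in-azure.md and federated-identity-for-your-microsoft-365-dev-test-environment.md show this page belongs to a cross-linked set, so check that the whole set is retired together or that each removed path is redirected.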
enterprise | High Availability Federated Authentication Phase 4 Configure Web Application Pro | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/high-availability-federated-authentication-phase-4-configure-web-application-pro.md | - Title: "High availability federated authentication Phase 4 Configure web application proxies"--- Previously updated : 11/25/2019------ scotvorg-- Ent_O365-- CSH- -description: "Summary: Configure the web application proxy servers for your high availability federated authentication for Microsoft 365 in Microsoft Azure." ---# High availability federated authentication Phase 4: Configure web application proxies --In this phase of deploying high availability for Microsoft 365 federated authentication in Azure infrastructure services, you create an internal load balancer and two AD FS servers. - -You must complete this phase before moving on to [Phase 5: Configure federated authentication for Microsoft 365](high-availability-federated-authentication-phase-5-configure-federated-authentic.md). See [Deploy high availability federated authentication for Microsoft 365 in Azure](deploy-high-availability-federated-authentication-for-microsoft-365-in-azure.md) for all of the phases. - -## Create the Internet-facing load balancer in Azure --You must create an Internet-facing load balancer so that Azure distributes the incoming client authentication traffic from the Internet evenly among the two web application proxy servers. - -> [!NOTE] -> The following command sets use the latest version of Azure PowerShell. See [Get started with Azure PowerShell](/powershell/azure/get-started-azureps). - -When you have supplied location and resource group values, run the resulting block at the Azure PowerShell command prompt or in the PowerShell ISE. 
- -> [!TIP] -> To generate ready-to-run PowerShell command blocks based on your custom settings, use this [Microsoft Excel configuration workbook](https://download.microsoft.com/download/1/b/7/1b745323-d84d-4fad-9e66-f34f589e5d31/O365FedAuthInAzure_Config.xlsx). --```powershell -# Set up key variables -$locName="<your Azure location>" -$rgName="<Table R - Item 4 - Resource group name column>" --$publicIP=New-AzPublicIpAddress -ResourceGroupName $rgName -Name "WebProxyPublicIP" -Location $LocName -AllocationMethod "Static" -$frontendIP=New-AzLoadBalancerFrontendIpConfig -Name "WebAppProxyServers-LBFE" -PublicIpAddress $publicIP -$beAddressPool=New-AzLoadBalancerBackendAddressPoolConfig -Name "WebAppProxyServers-LBBE" -$healthProbe=New-AzLoadBalancerProbeConfig -Name "WebServersProbe" -Protocol "TCP" -Port 443 -IntervalInSeconds 15 -ProbeCount 2 -$lbrule=New-AzLoadBalancerRuleConfig -Name "WebTraffic" -FrontendIpConfiguration $frontendIP -BackendAddressPool $beAddressPool -Probe $healthProbe -Protocol "TCP" -FrontendPort 443 -BackendPort 443 -New-AzLoadBalancer -ResourceGroupName $rgName -Name "WebAppProxyServers" -Location $locName -LoadBalancingRule $lbrule -BackendAddressPool $beAddressPool -Probe $healthProbe -FrontendIpConfiguration $frontendIP -``` --To display the public IP address assigned to your Internet-facing load balancer, run these commands at the Azure PowerShell command prompt on your local computer: - -```powershell -Write-Host (Get-AzPublicIpaddress -Name "WebProxyPublicIP" -ResourceGroup $rgName).IPAddress -``` --## Determine your federation service FQDN and create DNS records --You need to determine the DNS name to identify your federation service name on the Internet. Microsoft Entra Connect will configure Microsoft 365 with this name in Phase 5, which will become part of the URL that Microsoft 365 sends to connecting clients to get a security token. An example is fs.contoso.com (fs stands for federation service). 
- -Once you have your federation service FDQN, create a public DNS domain A record for the federation service FDQN that resolves to the public IP address of the Azure Internet-facing load balancer. - -|**Name**|**Type**|**TTL**|**Value**| -|:--|:--|:--|:--| -|federation service FDQN <br/> |A <br/> |3600 <br/> |public IP address of the Azure Internet-facing load balancer (displayed by the **Write-Host** command in the previous section) <br/> | - -Here is an example: - -|**Name**|**Type**|**TTL**|**Value**| -|:--|:--|:--|:--| -|fs.contoso.com <br/> |A <br/> |3600 <br/> |131.107.249.117 <br/> | - -Next, add a DNS address record to your organization's private DNS namespace that resolves your federation service FQDN to the private IP address assigned to the internal load balancer for the AD FS servers (Table I, item 4, Value column). - -## Create the web application proxy server virtual machines in Azure --Use the following block of Azure PowerShell commands to create the virtual machines for the two web application proxy servers. - -Note that the following Azure PowerShell command sets use values from the following tables: - -- Table M, for your virtual machines- -- Table R, for your resource groups- -- Table V, for your virtual network settings- -- Table S, for your subnets- -- Table I, for your static IP addresses- -- Table A, for your availability sets- -Recall that you defined Table M in [Phase 2: Configure domain controllers](high-availability-federated-authentication-phase-2-configure-domain-controllers.md) and Tables R, V, S, I, and A in [Phase 1: Configure Azure](high-availability-federated-authentication-phase-1-configure-azure.md). - -When you have supplied all the proper values, run the resulting block at the Azure PowerShell command prompt or in the PowerShell ISE. 
- -```powershell -# Set up variables common to both virtual machines -$locName="<your Azure location>" -$vnetName="<Table V - Item 1 - Value column>" -$subnetName="<Table R - Item 3 - Subnet name column>" -$avName="<Table A - Item 3 - Availability set name column>" -$rgNameTier="<Table R - Item 3 - Resource group name column>" -$rgNameInfra="<Table R - Item 4 - Resource group name column>" --$rgName=$rgNameInfra -$vnet=Get-AzVirtualNetwork -Name $vnetName -ResourceGroupName $rgName -$subnet=Get-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name $subnetName -$backendSubnet=Get-AzVirtualNetworkSubnetConfig -Name $subnetName -VirtualNetwork $vnet -$webLB=Get-AzLoadBalancer -ResourceGroupName $rgName -Name "WebAppProxyServers" --$rgName=$rgNameTier -$avSet=Get-AzAvailabilitySet -Name $avName -ResourceGroupName $rgName --# Create the first web application proxy server virtual machine -$vmName="<Table M - Item 6 - Virtual machine name column>" -$vmSize="<Table M - Item 6 - Minimum size column>" -$staticIP="<Table I - Item 7 - Value column>" -$diskStorageType="<Table M - Item 6 - Storage type column>" --$nic=New-AzNetworkInterface -Name ($vmName +"-NIC") -ResourceGroupName $rgName -Location $locName -Subnet $backendSubnet -LoadBalancerBackendAddressPool $webLB.BackendAddressPools[0] -PrivateIpAddress $staticIP -$vm=New-AzVMConfig -VMName $vmName -VMSize $vmSize -AvailabilitySetId $avset.Id --$cred=Get-Credential -Message "Type the name and password of the local administrator account for the first web application proxy server." 
-$vm=Set-AzVMOperatingSystem -VM $vm -Windows -ComputerName $vmName -Credential $cred -ProvisionVMAgent -EnableAutoUpdate -$vm=Set-AzVMSourceImage -VM $vm -PublisherName MicrosoftWindowsServer -Offer WindowsServer -Skus 2016-Datacenter -Version "latest" -$vm=Add-AzVMNetworkInterface -VM $vm -Id $nic.Id -$vm=Set-AzVMOSDisk -VM $vm -Name ($vmName +"-OS") -DiskSizeInGB 128 -CreateOption FromImage -StorageAccountType $diskStorageType -New-AzVM -ResourceGroupName $rgName -Location $locName -VM $vm --# Create the second web application proxy virtual machine -$vmName="<Table M - Item 7 - Virtual machine name column>" -$vmSize="<Table M - Item 7 - Minimum size column>" -$staticIP="<Table I - Item 8 - Value column>" -$diskStorageType="<Table M - Item 7 - Storage type column>" --$nic=New-AzNetworkInterface -Name ($vmName +"-NIC") -ResourceGroupName $rgName -Location $locName -Subnet $backendSubnet -LoadBalancerBackendAddressPool $webLB.BackendAddressPools[0] -PrivateIpAddress $staticIP -$vm=New-AzVMConfig -VMName $vmName -VMSize $vmSize -AvailabilitySetId $avset.Id --$cred=Get-Credential -Message "Type the name and password of the local administrator account for the second web application proxy server." -$vm=Set-AzVMOperatingSystem -VM $vm -Windows -ComputerName $vmName -Credential $cred -ProvisionVMAgent -EnableAutoUpdate -$vm=Set-AzVMSourceImage -VM $vm -PublisherName MicrosoftWindowsServer -Offer WindowsServer -Skus 2016-Datacenter -Version "latest" -$vm=Add-AzVMNetworkInterface -VM $vm -Id $nic.Id -$vm=Set-AzVMOSDisk -VM $vm -Name ($vmName +"-OS") -DiskSizeInGB 128 -CreateOption FromImage -StorageAccountType $diskStorageType -New-AzVM -ResourceGroupName $rgName -Location $locName -VM $vm -``` --> [!NOTE] -> Because these virtual machines are for an intranet application, they are not assigned a public IP address or a DNS domain name label and exposed to the Internet. However, this also means that you cannot connect to them from the Azure portal. 
The **Connect** option is unavailable when you view the properties of the virtual machine. Use the Remote Desktop Connection accessory or another Remote Desktop tool to connect to the virtual machine using its private IP address or intranet DNS name and the credentials of the local administrator account. - -Here is the configuration resulting from the successful completion of this phase, with placeholder computer names. - -**Phase 4: The Internet-facing load balancer and web application proxy servers for your high availability federated authentication infrastructure in Azure** --![Phase 4 of the high availability Microsoft 365 federated authentication infrastructure in Azure with the web application proxy servers.](../media/7e03183f-3b3b-4cbe-9028-89cc3f195a63.png) - -## Next step --Use [Phase 5: Configure federated authentication for Microsoft 365](high-availability-federated-authentication-phase-5-configure-federated-authentic.md) to continue configuring this workload. - -## See Also --[Deploy high availability federated authentication for Microsoft 365 in Azure](deploy-high-availability-federated-authentication-for-microsoft-365-in-azure.md) - -[Federated identity for your Microsoft 365 dev/test environment](federated-identity-for-your-microsoft-365-dev-test-environment.md) - -[Microsoft 365 solution and architecture center](../solutions/index.yml) |
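Review bot: The opening paragraph of the removed page was a copy of the Phase 3 summary ("you create an internal load balancer and two AD FS servers"), while the steps in this hunk actually create an Internet-facing load balancer (`New-AzPublicIpAddress ... -Name "WebProxyPublicIP"` feeding `New-AzLoadBalancer ... -Name "WebAppProxyServers"`) and two web application proxy servers; if the text is republished elsewhere, the summary should describe what the procedure does. The DNS section in the same hunk spells the term as "federation service FDQN" three times under a heading that says FQDN, which is worth correcting in any replacement page, and the closing NOTE that these virtual machines are not exposed to the Internet holds only because the public IP is bound to the load balancer front end rather than to the proxy VMs themselves, a distinction the replacement guidance should keep.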
enterprise | High Availability Federated Authentication Phase 5 Configure Federated Authentic | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/high-availability-federated-authentication-phase-5-configure-federated-authentic.md | - Title: "High availability federated authentication Phase 5 Configure federated authentication for Microsoft 365"--- Previously updated : 04/10/2024------ scotvorg-- Ent_O365-- must-keep-- CSH- -description: "Summary: Configure Microsoft Entra Connect for your high availability federated authentication for Microsoft 365 in Microsoft Azure." ---# High availability federated authentication Phase 5: Configure federated authentication for Microsoft 365 --In this final phase of deploying high availability federated authentication for Microsoft 365 in Azure infrastructure services, you get and install a certificate issued by a public certification authority, verify your configuration, and then install and run Microsoft Entra Connect on the directory synchronization server. Microsoft Entra Connect configures your Microsoft 365 subscription and your Active Directory Federation Services (AD FS) and web application proxy servers for federated authentication. - -See [Deploy high availability federated authentication for Microsoft 365 in Azure](deploy-high-availability-federated-authentication-for-microsoft-365-in-azure.md) for all of the phases. 
- -## Get a public certificate and copy it to the directory synchronization server --Get a digital certificate from a public certification authority with the following properties: - -- An X.509 certificate suitable for creating SSL connections.- -- The Subject Alternative Name (SAN) extended property is set to your federation service FQDN (example: fs.contoso.com).- -- The certificate must have the private key and be stored in PFX format.- -Additionally, your organization computers and devices must trust the public certification authority that is issuing the digital certificate. This trust is established by having a root certificate from the public certification authority installed in the trusted root certification authorities store on your computers and devices. Computers running Microsoft Windows typically have a set of these types of certificates installed from commonly used certification authorities. If the root certificate from your public certification authority isn't already installed, you must deploy this to the computers and devices of your organization. - -For more information about certificate requirements for federated authentication, see [Prerequisites for federation installation and configuration](/azure/active-directory/connect/active-directory-aadconnect-prerequisites#prerequisites-for-federation-installation-and-configuration). - -When you receive the certificate, copy it to a folder on the C: drive of the directory synchronization server. For example, name the file SSL.pfx and store it in the C:\\Certs folder on the directory synchronization server. - -## Verify your configuration --You should now be ready to configure Microsoft Entra Connect and federated authentication for Microsoft 365. 
To ensure that you are, here's a checklist: - -- Your organization's public domain is added to your Microsoft 365 subscription.- -- Your organization's Microsoft 365 user accounts are configured to your organization's public domain name and can successfully sign in.- -- You have determined a federation service FQDN based your public domain name.- -- A public DNS A record for your federation service FQDN points to the public IP address of the Internet-facing Azure load balancer for the web application proxy servers.- -- A private DNS A record for your federation service FQDN points to the private IP address of the internal Azure load balancer for the AD FS servers.- -- A public certification authority-issued digital certificate suitable for SSL connections with the SAN set to your federation service FQDN is a PFX file stored on your directory synchronization server.- -- The root certificate for the public certification authority is installed in the Trusted Root Certification Authorities store on your computers and devices.- -Here's an example for the Contoso organization: - -**An example configuration for a high availability federated authentication infrastructure in Azure** --![An example configuration of the high availability Microsoft 365 federated authentication infrastructure in Azure.](../media/ac1a6a0d-0156-4407-9336-6e4cd6db8633.png) - -<a name='run-azure-ad-connect-to-configure-federated-authentication'></a> --## Run Microsoft Entra Connect to configure federated authentication --The Microsoft Entra Connect tool configures the AD FS servers, the web application proxy servers, and Microsoft 365 for federated authentication with these steps: - -1. Create a remote desktop connection to your directory synchronization server with a domain account that has local administrator privileges. - -2. From the desktop of the directory synchronization server, open Internet Explorer and go to [https://aka.ms/Azure AD Connect](https://aka.ms/aadconnect). - -3. 
On the **Microsoft Entra Connect** page, click **Download**, and then click **Run**. - -4. On the **Welcome to Microsoft Entra Connect** page, click **I agree**, and then click **Continue.** - -5. On the **Express Settings** page, click **Customize**. - -6. On the **Install required components** page, click **Install**. - -7. On the **User sign-in** page, click **Federation with AD FS**, and then click **Next**. - -8. On the **Connect to Microsoft Entra ID** page, type the name and password of a **Microsoft Entra DC admin** account for your Microsoft 365 subscription, and then click **Next**. - -9. On the **Connect your directories** page, ensure that your on-premises Active Directory Domain Services (AD DS) forest is selected in **Forest**, type the name and password of a domain administrator account, click **Add Directory**, and then click **Next**. - -10. On the **Microsoft Entra sign-in configuration** page, click **Next**. - -11. On the **Domain and OU filtering** page, click **Next**. - -12. On the **Uniquely identifying your users** page, click **Next**. - -13. On the **Filter users and devices** page, click **Next**. - -14. On the **Optional features** page, click **Next**. - -15. On the **AD FS farm** page, click **Configure a new AD FS farm**. - -16. Click **Browse** and specify the location and name of the SSL certificate from the public certification authority. - -17. When prompted, type the certificate password, and then click **OK**. - -18. Verify that the **Subject Name** and **Federation Service Name** are set to your federation service FQDN, and then click **Next**. - -19. On the **AD FS servers** page, type your first AD FS server's name (Table M - Item 4 - Virtual machine name column), and then click **Add**. - -20. Type your second AD FS server's name (Table M - Item 5 - Virtual machine name column), click **Add**, and then click **Next**. - -21. 
On the **Web Application Proxy servers** page, type your first web application proxy server's name (Table M - Item 6 - Virtual machine name column), and then click **Add**. - -22. Type your second web application proxy server's name (Table M - Item 7 - Virtual machine name column), click **Add**, and then click **Next**. - -23. On the **Domain Administrator credentials** page, type the user name and password of a domain administrator account, and then click **Next**. - -24. On the **AD FS service account** page, type the user name and password of an enterprise administrator account, and then click **Next**. - -25. On the **Microsoft Entra Domain** page, in **Domain**, select your organization's DNS domain name, and then click **Next**. - -26. On the **Ready to configure** page, click **Install**. - -27. On the **Installation complete** page, click **Verify**. You should see two messages indicating that both the intranet and Internet configuration was successfully verified. - - - The intranet message should list the private IP address of your Azure internal load balancer for your AD FS servers. - - - The Internet message should list the public IP address of your Azure Internet-facing load balancer for your web application proxy servers. - -28. On the **Installation complete** page, click **Exit**. - -Here's the final configuration, with placeholder names for the servers. - -**Phase 5: The final configuration of a high availability federated authentication infrastructure in Azure** --![The final configuration of the high availability Microsoft 365 federated authentication infrastructure in Azure.](../media/c5da470a-f2aa-489a-a050-df09b4d641df.png) - -Your high availability federated authentication infrastructure for Microsoft 365 in Azure is complete. 
- -## See Also --[Deploy high availability federated authentication for Microsoft 365 in Azure](deploy-high-availability-federated-authentication-for-microsoft-365-in-azure.md) - -[Federated identity for your Microsoft 365 dev/test environment](federated-identity-for-your-microsoft-365-dev-test-environment.md) - -[Microsoft 365 solution and architecture center](../solutions/index.yml) --[Federated identity for Microsoft 365](https://support.office.com/article/Understanding-Office-365-identity-and-Azure-Active-Directory-06a189e7-5ec6-4af2-94bf-a22ea225a7a9#bk_federated) |
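Review bot: step 24 of the removed procedure tells the reader to type an enterprise administrator account on the **AD FS service account** page without saying what those credentials are for, and the certificate section tells them to stage the PFX with its private key at `C:\Certs\SSL.pfx` on the directory synchronization server; since this page is being retired rather than corrected, make sure no successor page inherits those two instructions as written. A resurrected version should say that the AD FS service itself runs under a dedicated service account (a group managed service account is the usual choice) and that elevated credentials are only used by the wizard's setup work, and it should tell the reader to delete the staged PFX once the AD FS farm has been configured. The `## See Also` block also links the parent article and the `support.office.com` federated identity page; those links disappear with this file, which is fine, but the parent article, which this page describes as the index of all phases, should be retired or redirected in the same change so its own links to Phase 5 do not dangle.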
enterprise | Hybrid Solutions | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/hybrid-solutions.md | For Microsoft 365 identity infrastructure in Azure: - [Connect an on-premises network to a Microsoft Azure virtual network](connect-an-on-premises-network-to-a-microsoft-azure-virtual-network.md) -- [Deploy high availability federated authentication for Microsoft 365 in Azure](deploy-high-availability-federated-authentication-for-microsoft-365-in-azure.md)- For SharePoint Server 2013 workloads in Azure: - [Microsoft Azure Architectures for SharePoint 2013](microsoft-azure-architectures-for-sharepoint-2013.md) |
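Review bot: dropping the `Deploy high availability federated authentication for Microsoft 365 in Azure` bullet from the identity-infrastructure list leaves only the on-premises-network link under that heading, which is consistent with the Phase 4 and Phase 5 deletions above, but the parent article the bullet pointed at, `deploy-high-availability-federated-authentication-for-microsoft-365-in-azure.md`, must be removed or redirected in the same change; otherwise it survives as an orphan that is no longer reachable from this hub yet still links to the deleted phase pages. The remaining `Microsoft Azure Architectures for SharePoint 2013` entry points at a server version that is past end of support, so it is a candidate for the same cleanup.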