Install Windows PowerShell for single sign-on with AD FS
Published: June 8, 2012
Updated: February 28, 2013
Applies To: Office 365, Windows Azure, Windows Intune
This topic might not be completely applicable to users of Windows Azure in China. For more information about Windows Azure service in China, see windowsazure.cn.
After you have deployed Active Directory Federation Services, the next step to set up single sign-on is to download and install the Windows Azure Active Directory Module for Windows PowerShell. Once the module is installed, you will use its cmdlets to configure your Windows Azure AD domains as federated domains.
For more information about deploying AD FS for SSO, see Checklist: Use AD FS to implement and manage single sign-on.
The Windows Azure Active Directory Module for Windows PowerShell is a download for managing your organization's data in Windows Azure AD. This module installs a set of cmdlets to Windows PowerShell; you run those cmdlets to set up single sign-on access to Windows Azure AD and, in turn, to all of the cloud services you are subscribed to.
For instructions about how to download and install the cmdlets, see Windows Azure AD PowerShell.
Before you set up single sign-on in your full production environment, you can also run a single sign-on pilot. See the section below for more details.
Before adding or converting a domain as a single sign-on domain, you may want to run a pilot. Performing a staged rollout of single sign-on is not currently possible; all users become federated at the same time. However, you can pilot single sign-on with a set of production users from your production Active Directory forest.
Pilot users should thoroughly test various sign-in scenarios to ensure that single sign-on (and the AD FS deployment) is correctly configured and ready to be rolled out across the entire organization. To test this, have users access the cloud service from browsers as well as rich client applications (such as Microsoft Office 2010) in the following environments:
From a domain-joined computer
From a non-domain-joined computer inside the corporate network
From a roaming domain-joined computer outside the corporate network
From the different operating systems that you use in your company
From a home computer
From an Internet kiosk (browser only)
From a smart phone (for example, a smart phone that uses Microsoft Exchange ActiveSync)
For more information, see How to pilot single sign-on in a production user forest.
Now that you have installed Windows PowerShell for single sign-on with AD FS, the next step is to Set up a trust between AD FS and Windows Azure AD.