Technical Article: Implementing Hybrid Authentication with ADFS, SharePoint On-Premises, and Microsoft 365
Objective
This technical article documents the full journey and configuration steps required to implement a hybrid authentication solution using:
- Active Directory Domain Services (AD DS)
- Active Directory Federation Services (ADFS)
- Microsoft Entra ID (Azure AD / Microsoft 365)
- SharePoint Server On-Premises
The goal is to enable Single Sign-On (SSO) between on-premises and cloud environments, with external access to SharePoint On-Premises secured via HTTPS.
Infrastructure Overview
Virtual Machines (Hyper-V)
| VM Name | Role | IP Address |
|---|---|---|
| DC-01 | Domain Controller, DNS | 10.0.0.10 |
| ADFS-01 | ADFS + Web Application Proxy | 10.0.0.11 |
| SP-APP | SharePoint On-Premises | 10.0.0.20 |
| CLIENT-01 | Domain-joined Windows Client | DHCP or Static |
Networking
- Internal NAT-based network (10.0.0.0/24)
- NAT rules configured on host to expose:
- ADFS (port 443 → 10.0.0.11)
- SharePoint (port 443 → 10.0.0.20)
Step-by-Step Implementation
1. Install and Configure ADDS + DNS
- Installed ADDS role on DC-01
- Promoted to Domain Controller for corp.local
- DNS configured internally; forwarders to 8.8.8.8
2. Install ADFS on ADFS-01
- ADFS installed using default settings
- SSL certificate bound to adfs.corp.local
- ADFS public DNS: adfs.corp.local → [Public IP]
- Port 443 NAT rule created on firewall to ADFS-01
3. Generate SSL Certificate (Let’s Encrypt)
- Used win-acme to generate certificate
- DNS-01 manual verification completed
- Installed into the LocalMachine\My (Personal) certificate store
4. Federate Custom Domain in Microsoft 365
externaldomain.com domain verified and federated using PowerShell (MSOnline module):
# <Base64Certificate> is the public part of the ADFS token-signing certificate, Base64-encoded without PEM headers.
# -LogOffUri is required by the cmdlet; for ADFS it points at the same /adfs/ls/ endpoint.
Set-MsolDomainAuthentication -DomainName "externaldomain.com" `
    -FederationBrandName "Corp Federation" `
    -Authentication Federated `
    -PassiveLogOnUri "https://adfs.corp.local/adfs/ls/" `
    -LogOffUri "https://adfs.corp.local/adfs/ls/" `
    -IssuerUri "https://adfs.corp.local/adfs/services/trust" `
    -SigningCertificate "<Base64Certificate>"
5. Configure Microsoft Entra Connect (AD Sync)
- Installed Entra Connect on ADFS server
- Connected to local AD and Microsoft 365
- Selected only OU containing federated users
- Verified synchronization via:
Get-MsolUser -UserPrincipalName user@externaldomain.com
6. ADFS Integration with SharePoint On-Premises
- Exported ADFS public certificate (.cer)
- Registered ADFS as a Trusted Identity Provider:
# ADFS token-signing certificate exported in step 6 (public key only)
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2("C:\certs\adfs-public.cer")
# The cmdlet requires -ClaimsMappings, and the identifier claim must be one of the mapped claims
$emailMap = New-SPClaimTypeMapping -IncomingClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" `
    -IncomingClaimTypeDisplayName "EmailAddress" -SameAsIncoming
# -Realm must match the relying party identifier configured for SharePoint in ADFS
New-SPTrustedIdentityTokenIssuer -Name "ADFS Trusted" `
    -Description "ADFS on adfs.corp.local" `
    -Realm "https://adfs.corp.local/adfs/services/trust" `
    -ImportTrustCertificate $cert `
    -ClaimsMappings $emailMap `
    -SignInUrl "https://adfs.corp.local/adfs/ls/" `
    -IdentifierClaim $emailMap.InputClaimType
- Added alternate access mapping for public access:
# New-SPAlternateURL adds a mapping in a new zone; Set-SPAlternateUrl would modify the existing default-zone entry
New-SPAlternateURL -WebApplication "https://intranet.corp.local" `
    -Url "https://portal.externaldomain.com" -Zone Internet
7. Publish SharePoint Externally
- DNS: portal.externaldomain.com → [Public IP]
- Port 443 NAT → 10.0.0.20 (SP-APP)
- Valid certificate bound in IIS
- Internal hosts file entries used for testing before public DNS went live
8. Validate SSO End-to-End
- Login from domain-joined CLIENT-01
- Accessed SharePoint On-Premises: SSO success
- Accessed SharePoint Online: redirected to ADFS and logged in automatically
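The most common way this setup breaks later is ADFS token-signing certificate auto-rollover: ADFS begins signing with a new certificate while the SharePoint trusted identity provider from step 6 and the federated domain from step 4 still hold the old one, and every sign-in then fails signature validation. The following PowerShell check is an added example, not code from the article; it assumes the names used above (adfs.corp.local and the "ADFS Trusted" issuer) and is meant to be run from the SharePoint Management Shell on SP-APP.

```powershell
# Added check script; not part of the original article. Assumes the names used
# above: adfs.corp.local and the "ADFS Trusted" token issuer on SP-APP.
param(
    [string]$AdfsHost   = "adfs.corp.local",
    [string]$IssuerName = "ADFS Trusted",
    [int]$WarnDays      = 30
)

# 1. Signing certificate(s) ADFS currently publishes in its federation metadata.
$metaUrl = "https://$AdfsHost/FederationMetadata/2007-06/FederationMetadata.xml"
[xml]$meta = (Invoke-WebRequest -Uri $metaUrl -UseBasicParsing).Content
$ns = New-Object System.Xml.XmlNamespaceManager($meta.NameTable)
$ns.AddNamespace("md", "urn:oasis:names:tc:SAML:2.0:metadata")
$ns.AddNamespace("ds", "http://www.w3.org/2000/09/xmldsig#")
$xpath = "//md:KeyDescriptor[@use='signing']/ds:KeyInfo/ds:X509Data/ds:X509Certificate"
# The same certificate appears under several role descriptors, so de-duplicate by thumbprint.
$adfsCerts = @($meta.SelectNodes($xpath, $ns) | ForEach-Object {
    $bytes = [Convert]::FromBase64String($_.InnerText.Trim())
    [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($bytes)
} | Sort-Object Thumbprint -Unique)

foreach ($c in $adfsCerts) {
    $daysLeft = [int]($c.NotAfter - (Get-Date)).TotalDays
    Write-Host ("ADFS signing cert {0} expires {1:d} ({2} days left)" -f $c.Thumbprint, $c.NotAfter, $daysLeft)
    if ($daysLeft -le $WarnDays) {
        Write-Warning "Rollover is near: plan to re-import the new certificate into SharePoint and refresh the federated domain."
    }
}

# 2. Certificate SharePoint trusts for token signatures (this part only runs on a SharePoint server).
if (Get-Command Get-SPTrustedIdentityTokenIssuer -ErrorAction SilentlyContinue) {
    $spThumb = (Get-SPTrustedIdentityTokenIssuer -Identity $IssuerName).SigningCertificate.Thumbprint
    if ($adfsCerts.Thumbprint -contains $spThumb) {
        Write-Host "OK: '$IssuerName' trusts the certificate ADFS currently signs with ($spThumb)."
    } else {
        $msg = "MISMATCH: '{0}' trusts {1}, but ADFS publishes {2}. Tokens will fail signature validation; " +
               "re-import with Set-SPTrustedIdentityTokenIssuer -ImportTrustCertificate."
        Write-Warning ($msg -f $IssuerName, $spThumb, ($adfsCerts.Thumbprint -join ", "))
    }
}
```

After a rollover, run Update-MsolFederatedDomain -DomainName externaldomain.com on the ADFS server so that Microsoft 365 also picks up the new signing certificate.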
Summary
This setup demonstrates a full hybrid identity and content access scenario:
- Centralized authentication with ADFS
- Seamless access to both on-premises and cloud content using Single Sign-On
- Secure external publication of on-premises SharePoint with public DNS and SSL
This foundation can now support hybrid workloads, search integration, or migration to Microsoft 365.
Next Steps (Optional)
- Configure Web Application Proxy (WAP) for ADFS
- Enable Hybrid Picker in SharePoint Central Admin
- Configure Hybrid Search and User Profiles
- Implement Conditional Access Policies via Entra ID
