How to configure Microsoft 365 with WS-Fed

The following guide will walk you through adding IDEE AuthN as an external WS-Fed provider to allow logging in to Microsoft 365 using IDEE AuthN.

Please note: All commands listed in this guide should be run using PowerShell as Administrator.

  • Enable Windows Hello on your PC or TouchID on your Mac for the best user experience.
  • Familiarity with Windows PowerShell. All commands listed in this guide should be run using PowerShell as Global Administrator.
  • Support for MSOnline in PowerShell. To install it, run this command:

{% c-block language="powershell" %}
Install-Module MSOnline
{% c-block-end %}

  • You need Global Administrator rights to the tenant that contains the domain to be federated. Run this command to make sure you can see that domain:

{% c-block language="powershell" %}
Get-MsolDomain
{% c-block-end %}

  • The domain to be federated cannot be the primary domain. To make another domain (e.g. onMicrosoft) primary follow these instructions:

    https://docs.microsoft.com/en-us/azure/active-directory/enterprise-users/domains-manage

Warning: Start the setup using an admin account that does not belong to the domain being federated. For example, if you are federating acme.com, do not use admin@acme.com; use the admin@acme.onmicrosoft.com root account instead. This ensures you cannot lock yourself out of the tenant if the federation misbehaves.

  • Initiate a connection to Azure Active Directory and log in with admin credentials:

    {% c-block language="powershell" %}
    Connect-MsolService
    {% c-block-end %}

    Note: Use an admin account on a different domain from the one you want to federate.

  • Next, set the variable for the domain you want to federate:

    {% c-block language="powershell" %}
    $domain = "<domain you want to federate>"
    {% c-block-end %}

    The domain variable should be a verified Azure AD domain. A list of all domains can be obtained like so:

    {% c-block language="powershell" %}
    Get-MsolDomain
    {% c-block-end %}

  • While the domain is still managed (before switching to federated), change the Immutable IDs of all users to their email address.

    Note: If your AD setup is hybrid, please create a support ticket here, so that our engineers can help you set up SCIM. SCIM is needed to sync the ImmutableIDs between your hybrid AD setup and IDEE.

    Command for one user:

    {% c-block language="powershell" %}
    # Replace both placeholders; the ImmutableId must be the user's email address in lowercase
    Set-MsolUser `
        -UserPrincipalName "<user UPN>" `
        -ImmutableId "<lowercase user's email address>"
    {% c-block-end %}

    To change Immutable IDs for all users of a domain, use:

    {% c-block language="powershell" %}
    # Sets each user's ImmutableId to their UPN in lowercase (the UPN is used here as the user's sign-in email address)
    Get-MsolUser -All -DomainName $domain | ForEach-Object `
        { Set-MsolUser -UserPrincipalName $_.UserPrincipalName -ImmutableId $_.UserPrincipalName.ToLower() }
    {% c-block-end %}

    Note: Before running PowerShell on a Windows Server for this domain, add https://*.getidee.de as a trusted site (Control Panel, Internet Settings, Security, Trusted Sites).

    A list of all users for a particular domain, with their current Immutable IDs, can be obtained like this:

    {% c-block language="powershell" %}
    Get-MsolUser -All -DomainName $domain | Select-Object UserPrincipalName,ImmutableID
    {% c-block-end %}

  • Once connected and logged in, copy the Metadata URL from the AuthN Zero Touch Portal and set the variable in PowerShell:

    {% c-block language="powershell" %}
    $metadataUrl = "https://authn.getidee.de/wsfed/idp/metadata"
    {% c-block-end %}

  • Then execute the following commands:

    {% c-block language="powershell" %}
    # Download the IdP's WS-Federation metadata and read the values Azure AD needs from it
    [xml]$idp = (Invoke-WebRequest -Uri $metadataUrl -UseBasicParsing).Content
    # The issuer is the IdP entityID with the federated domain appended, so every federated domain gets a unique issuer
    $issuerUri = $idp.EntityDescriptor.entityID + "/" + $domain
    # Base64-encoded token-signing certificate (first KeyDescriptor); Azure AD uses it to verify the IdP's token signatures
    $signingCertificate = ($idp.EntityDescriptor.RoleDescriptor.KeyDescriptor[0].KeyInfo.X509Data.X509Certificate | Out-String).Trim()
    # Passive (browser redirect) sign-in endpoint of the IdP
    $logOnUrl = $idp.EntityDescriptor.RoleDescriptor.PassiveRequestorEndpoint.EndpointReference.Address
    # Convert the domain from managed to federated, trusting the IdP described above
    Set-MsolDomainAuthentication `
        -DomainName $domain `
        -FederationBrandName "IDEE IdP" `
        -Authentication Federated `
        -PassiveLogOnUri $logOnUrl `
        -LogOffUri $logOnUrl `
        -SigningCertificate $signingCertificate `
        -IssuerUri $issuerUri `
        -PreferredAuthenticationProtocol "WSFED" `
        -SupportsMfa $true
    {% c-block-end %}

  • Switch to the AuthN Zero Touch Portal and enter the federated domain.

  • Click Save.

    Note: To change your federated domain back to a managed domain please use this command:

    {% c-block language="powershell" %}
    Set-MsolDomainAuthentication -DomainName $domain -Authentication managed
    {% c-block-end %}

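After the federation command has run and the domain is saved in the portal, it is worth checking that what the tenant stores matches what the IdP publishes and that the token-signing certificate is currently valid. The following is an added verification example, not part of the IDEE guide; it assumes `$domain` and `$metadataUrl` are set as in the steps above, that `Connect-MsolService` has already been run, and the 30-day expiry threshold is a placeholder you should align with your rotation policy.

```powershell
# Added verification example (not part of the IDEE guide). Assumes $domain and $metadataUrl
# are set as in the steps above and Connect-MsolService has already been run.
function Test-IdeeFederation {
    param(
        [Parameter(Mandatory)] [string]$DomainName,
        [Parameter(Mandatory)] [string]$MetadataUrl,
        [int]$MinCertDaysLeft = 30   # assumed threshold; align with your certificate rotation policy
    )
    $problems = @()
    # Re-read the IdP metadata so the comparison uses what the IdP publishes right now
    [xml]$idp = (Invoke-WebRequest -Uri $MetadataUrl -UseBasicParsing).Content
    $expectedIssuer = $idp.EntityDescriptor.entityID + "/" + $DomainName
    $expectedLogOn  = $idp.EntityDescriptor.RoleDescriptor.PassiveRequestorEndpoint.EndpointReference.Address
    $expectedCert   = ($idp.EntityDescriptor.RoleDescriptor.KeyDescriptor[0].KeyInfo.X509Data.X509Certificate | Out-String).Trim()
    # What the tenant actually has stored for this domain
    $dom = Get-MsolDomain -DomainName $DomainName
    if ($dom.Authentication -ne 'Federated') { $problems += "Authentication is '$($dom.Authentication)', expected 'Federated'" }
    $fed = Get-MsolDomainFederationSettings -DomainName $DomainName
    if ($fed.IssuerUri -ne $expectedIssuer) { $problems += "IssuerUri mismatch: tenant has '$($fed.IssuerUri)', metadata gives '$expectedIssuer'" }
    if ($fed.PassiveLogOnUri -ne $expectedLogOn) { $problems += "PassiveLogOnUri mismatch: tenant has '$($fed.PassiveLogOnUri)'" }
    if ($fed.PassiveLogOnUri -notlike 'https://*') { $problems += "PassiveLogOnUri is not an HTTPS URL" }
    if (-not $fed.SupportsMfa) { $problems += "SupportsMfa is not set on the domain" }
    # Decode the stored token-signing certificate; check it matches the metadata and is inside its validity period
    $thumbprint = $null; $expires = $null
    if ([string]::IsNullOrWhiteSpace($fed.SigningCertificate)) {
        $problems += "No SigningCertificate stored for the domain"
    } else {
        if ($fed.SigningCertificate -ne $expectedCert) { $problems += "Stored SigningCertificate differs from the certificate in the published metadata" }
        $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new([Convert]::FromBase64String($fed.SigningCertificate))
        $now = Get-Date
        $daysLeft = [int]($cert.NotAfter - $now).TotalDays
        if ($cert.NotBefore -gt $now) { $problems += "Signing certificate is not yet valid (NotBefore $($cert.NotBefore))" }
        if ($daysLeft -lt $MinCertDaysLeft) { $problems += "Signing certificate expires in $daysLeft days" }
        $thumbprint = $cert.Thumbprint; $expires = $cert.NotAfter
    }
    [pscustomobject]@{
        Domain      = $DomainName
        Thumbprint  = $thumbprint
        CertExpires = $expires
        Healthy     = ($problems.Count -eq 0)
        Problems    = $problems
    }
}

Test-IdeeFederation -DomainName $domain -MetadataUrl $metadataUrl | Format-List
```

Re-run the check whenever the IdP rotates its signing certificate, since Azure AD keeps the certificate that was stored at federation time rather than re-reading the metadata.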