How to configure Microsoft 365 with WS-Fed
The following guide walks you through adding IDEE AuthN as an external WS-Fed identity provider so that users can log in to Microsoft 365 with IDEE AuthN.
Please note: All commands listed in this guide should be run using PowerShell as Administrator.
- Enable Windows Hello on your PC or TouchID on your Mac for the best user experience.
- Familiarity with Windows PowerShell. All commands listed in this guide should be run in PowerShell while signed in as a Global Administrator.
- The MSOnline module for PowerShell. To install it, run this command:
{% c-block language="powershell" %}
Install-Module MSOnline
{% c-block-end %}
- You need Global Administrator rights on the tenant that contains the domain to be federated. Run this command to make sure you can see that domain:
{% c-block language="powershell" %}
Get-MsolDomain
{% c-block-end %}
- The domain to be federated cannot be the primary domain. To make another domain (e.g. your onmicrosoft.com domain) primary, follow these instructions:
https://docs.microsoft.com/en-us/azure/active-directory/enterprise-users/domains-manage
Warning: Start the setup using an admin account that does not belong to the domain being federated. For example, if you are federating acme.com, you should not use admin@acme.com. Instead, use the admin@acme.onmicrosoft.com root account. This ensures you cannot lock yourself out of the tenant once the domain is federated.
Initiate a connection to Azure Active Directory and log in with admin credentials:
{% c-block language="powershell" %}
Connect-MsolService
{% c-block-end %}
Note: Use an admin account on a different domain from the one you want to federate.
Next, set the variable for the domain you want to federate:
{% c-block language="powershell" %}
$domain = "<domain you want to federate>"
{% c-block-end %}
The domain variable must be a domain registered in your Azure AD tenant. A list of all domains can be obtained like so:
{% c-block language="powershell" %}
Get-MsolDomain
{% c-block-end %}
While the domain is still managed (before switching it to federated), change the Immutable IDs of all its users to their email address.
Note: If your AD setup is hybrid, please create a support ticket here so that our engineers can help you set up SCIM. SCIM is needed to sync the ImmutableIDs between your hybrid AD setup and IDEE.
Command for one user:
{% c-block language="powershell" %}
# Replace the placeholders with the user's UPN and lowercase email address
Set-MsolUser `
-UserPrincipalName "<user UPN>" `
-ImmutableId "<lowercase user's email address>"
{% c-block-end %}
To change the Immutable IDs for all users of a domain, use:
{% c-block language="powershell" %}
# Set each user's ImmutableId to the lowercase form of their UPN
Get-MsolUser -All -DomainName $domain | ForEach-Object `
{Set-MsolUser -UserPrincipalName $_.UserPrincipalName -ImmutableId $_.UserPrincipalName.ToLower()}
{% c-block-end %}
Note: Before running PowerShell on a Windows Server for this domain, add https://*.getidee.de as a trusted site. Go to Control Panel, Internet Settings, Security, Trusted Sites, and add https://*.getidee.de.
A list of all users for a particular domain, together with their Immutable IDs, can be obtained like this:
{% c-block language="powershell" %}
Get-MsolUser -All -DomainName $domain | Select-Object UserPrincipalName,ImmutableID
{% c-block-end %}
Once connected and logged in, get the Metadata URL from the AuthN Zero Touch Portal and set the variable in PowerShell:
{% c-block language="powershell" %}
$metadataUrl = "https://authn.getidee.de/wsfed/idp/metadata"
{% c-block-end %}
Then execute the following commands:
{% c-block language="powershell" %}
# Download the IdP federation metadata over HTTPS and parse it as XML
[xml]$idp = (Invoke-WebRequest -URI $metadataUrl -UseBasicParsing).Content
# The issuer URI is the IdP entityID with the federated domain appended
$issuerUri = $idp.EntityDescriptor.entityID + "/" + $domain
# Base64-encoded token-signing certificate published in the metadata
$signingCertificate = ($idp.EntityDescriptor.RoleDescriptor.KeyDescriptor[0].KeyInfo.X509Data.X509Certificate | Out-String).Trim()
# Passive (browser redirect) sign-in endpoint of the IdP
$logOnUrl = $idp.EntityDescriptor.RoleDescriptor.PassiveRequestorEndpoint.EndpointReference.Address
# Switch the domain from managed to federated authentication via WS-Fed
Set-MsolDomainAuthentication `
-DomainName $domain `
-FederationBrandName "IDEE IdP" `
-Authentication Federated `
-PassiveLogOnUri $logOnUrl `
-LogOffUri $logOnUrl `
-SigningCertificate $signingCertificate `
-IssuerUri $issuerUri `
-PreferredAuthenticationProtocol "WSFED" `
-SupportsMfa $true
{% c-block-end %}
Switch to the AuthN Zero Touch Portal and enter the federated domain.
Click Save.
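Because Set-MsolDomainAuthentication takes effect immediately and a mistake can lock every user of the domain out, the following pre-flight check is useful to run before that step. It is an added example, not part of the IDEE guide; it assumes Connect-MsolService has already run, that `$domain` and `$metadataUrl` are set as above, and that `$adminUpn` (a variable not used in the guide) holds the UPN of the admin account you are signed in with.

```powershell
# Added pre-flight check (not from the IDEE guide). Assumes an open MSOnline session
# and the hypothetical variable $adminUpn holding the signed-in admin's UPN.
function Test-FederationPrereqs {
    param(
        [Parameter(Mandatory)][string]$Domain,
        [Parameter(Mandatory)][string]$AdminUpn,
        [Parameter(Mandatory)][string]$MetadataUrl
    )
    $problems = @()

    # 1. The admin account must not live on the domain being federated (lockout risk).
    if ($AdminUpn.Split('@')[-1] -ieq $Domain) {
        $problems += "Admin account $AdminUpn belongs to $Domain; use the onmicrosoft.com admin instead."
    }

    # 2. The domain must exist in this tenant, be verified, still be managed, and not be primary.
    $d = Get-MsolDomain -DomainName $Domain -ErrorAction SilentlyContinue
    if (-not $d) { $problems += "Domain $Domain is not in this tenant." }
    elseif ($d.Status -ne 'Verified') { $problems += "Domain $Domain is not verified (status: $($d.Status))." }
    elseif ($d.IsDefault) { $problems += "Domain $Domain is the primary domain; make another domain primary first." }
    elseif ($d.Authentication -eq 'Federated') { $problems += "Domain $Domain is already federated." }

    # 3. The token-signing certificate is taken from the metadata, so it must be fetched over TLS.
    if ($MetadataUrl -notmatch '^https://') {
        $problems += "Metadata URL must use https, got: $MetadataUrl"
    }

    # 4. Every user of the domain needs ImmutableId = lowercase UPN before the switch;
    #    a missing ($null) or differently-cased value fails this comparison.
    $users = Get-MsolUser -All -DomainName $Domain
    $bad = $users | Where-Object { $_.ImmutableId -cne $_.UserPrincipalName.ToLower() }
    foreach ($u in $bad) {
        $problems += "ImmutableId mismatch for $($u.UserPrincipalName): '$($u.ImmutableId)'"
    }

    if ($problems.Count -eq 0) {
        Write-Host "All pre-flight checks passed for $Domain."
        return $true
    }
    $problems | ForEach-Object { Write-Warning $_ }
    return $false
}

# Stop before Set-MsolDomainAuthentication if any check fails
if (-not (Test-FederationPrereqs -Domain $domain -AdminUpn $adminUpn -MetadataUrl $metadataUrl)) {
    throw "Fix the issues above before federating $domain."
}
```

After federating, `Get-MsolDomainFederationSettings -DomainName $domain` shows the issuer, sign-in URL and signing certificate that were actually stored, so you can compare them against the metadata before asking users to sign in.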
Note: To change your federated domain back to a managed domain, use this command:
{% c-block language="powershell" %}
Set-MsolDomainAuthentication -DomainName $domain -Authentication managed
{% c-block-end %}