This document provides instructions on how to configure and manage Office 365 to enable SAML integration with Seqrite ZTNA. It covers the following topics:
- Adding a domain to Office 365
- Adding the SaaS application to Seqrite ZTNA
- Configuring domain federation for Office 365 using a script
- Configuring domain federation for Office 365 manually
- Removing federation settings by executing the PowerShell command
1. Adding a domain to Office 365
To add the domain in Office 365, refer to the following document:
Add a domain to Microsoft 365
2. Adding the SaaS application to Seqrite ZTNA
To add the SaaS application, follow these steps:
- Log in to the Seqrite ZTNA admin console.
- Navigate to the Applications section.
- Click the SaaS Applications tab.
- To add the Office 365 application, click Browse SaaS Application Catalog.
- Click Add + on the Microsoft Office 365 application card.
- Enter the Application Name. Provide the Application Description and Logo, if any.
- Select the following checkboxes as appropriate to control access from managed laptops, desktops, or mobile devices.
- Allow access from registered Seqrite ZTNA-compliant devices:
Only users with registered Seqrite ZTNA-compliant devices (on which the Seqrite ZTNA agent is installed and active), including both desktops and laptops, can access the applications.
- Allow access from Seqrite Workspace:
Mobile users can access applications only through the Workspace. To learn more about accessing SaaS applications through Seqrite Workspace, see the Seqrite EMM Documentation.
- Click Add to add the application.
Note ☛
- When Azure AD is selected as the identity provider, Office 365 cannot be used as a SaaS application.
- If you use a custom SSL certificate, add a CNAME record for the Site DNS and shpsso.yourdomain.com to your domain's DNS records.
3. Configuring domain federation for Office 365 using a script
To configure domain federation for Office 365 using a script, follow these steps:
- Download the configuration script from the pop-up menu of the Office 365 application.
- Execute the downloaded script in Windows PowerShell with Administrator privileges.
- To configure domain federation for Office 365, select option 1.
- Enter the domain name you want to federate and the script will configure domain federation for Office 365.
- PowerShell will prompt you to log in to your Office 365 account. Use your onmicrosoft.com admin email to log in.
- To add new users under the federated domain in Office 365, select option 2.
- Add a single user using PowerShell or upload a CSV file to add multiple users at once.
- To update existing users to work with the federated domain, select option 3.
Note ☛
- If you run into any problems, you can run the following command to change the PowerShell execution policy so that scripts run without any restrictions:
Set-ExecutionPolicy -ExecutionPolicy Unrestricted
- The script must be run for the changes from any of the three options above (Configuring Office, Creating New User, or Updating Existing Users) to take effect.
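An added PowerShell example (not from this page or from Seqrite) of running the downloaded script without leaving an Unrestricted policy on the machine: the policy change is scoped to the current PowerShell process and disappears when the window closes. The script path is a placeholder.

```powershell
# Added example (not from the page or the vendor): run the downloaded script with an execution-policy
# change that lasts only for this PowerShell process instead of a machine-wide Unrestricted policy.
$script = "C:\Users\PLACEHOLDER\Downloads\office365-federation.ps1"   # placeholder path to the downloaded script

Get-ExecutionPolicy -List                     # current policy at every scope, for the record

# Process scope is discarded when this window closes. RemoteSigned still blocks scripts carrying the
# "downloaded from the Internet" mark, so clear that mark on the one file you intend to run.
Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Scope Process -Force
Unblock-File -Path $script

& $script                                     # presents options 1-3 described above, in this same session
```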
4. Configuring domain federation for Office 365 manually
To configure domain federation for Office 365 manually, follow these steps:
- After adding the application, click the Manage option from the popup menu to check the SAML settings.
- Install the MSOnline module by running the following command in Windows PowerShell (run as administrator):
Install-Module MSOnline
- Connect to the Office 365 account using the following command. You must log in with an Office 365 administrator account. Note that this admin account must be on a different domain than the one to be federated, such as the Microsoft default domain (for example, domain.onmicrosoft.com).
Connect-MsolService
- Run the following commands in PowerShell:
Note ☛
By selecting the Manage option from the popup menu, you can access the values for $domain, $LogOnUrl, $LogOffUrl, $SigningCert, and $uri (Issuer URL).
- Execute the following command to set up the parameters mentioned above. Ensure that the command runs without any errors.
Set-MsolDomainAuthentication -DomainName $domain -FederationBrandName $BrandName -Authentication federated -PassiveLogOnUri $LogOnUrl -SigningCertificate $SigningCert -IssuerUri $uri -LogOffUri $LogOffUrl -PreferredAuthenticationProtocol $Protocol
- To confirm that the domain was configured successfully, execute the following command:
Get-MsolDomainFederationSettings -domainname example.com | fl *
- The output lists the federation settings now stored for the domain.
- To add new users to the federated domain, execute the following command:
New-MsolUser -UserPrincipalName martin@yourdomain.com -ImmutableId martin@yourdomain.com -DisplayName "Martin Powell" -FirstName Martin -LastName Powell
- To update the existing users to work with the federated domain, execute the following command:
Set-MsolUser -UserPrincipalName martin@yourdomain.com -ImmutableId martin@yourdomain.com
Important ☛
Ensure that the domain you intend to federate is not set as the default domain before executing the script. Navigate to the Office 365 Admin Center, open the Domains section, and set the default domain to a Microsoft domain (for example, domain.onmicrosoft.com).
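As an added example (not the page's commands or Seqrite's script), the manual steps above gathered into one PowerShell session that checks the preconditions this page states before federating and then verifies what the tenant stored. The values assigned to $domain, $BrandName, $LogOnUrl, $LogOffUrl, $SigningCert, $uri and $Protocol are placeholders to be replaced with the values from the Manage page of the application.

```powershell
# Added example (not the page's or the vendor's code): federate a domain for Seqrite ZTNA SSO and verify it.
# Every value below is a placeholder; copy the real ones from the Manage page of the Office 365 application.
$domain      = "yourdomain.com"
$BrandName   = "Seqrite ZTNA SSO"
$LogOnUrl    = "https://shpsso.yourdomain.com/PLACEHOLDER/login"
$LogOffUrl   = "https://shpsso.yourdomain.com/PLACEHOLDER/logout"
$uri         = "https://shpsso.yourdomain.com/PLACEHOLDER"   # Issuer URL
$SigningCert = "PLACEHOLDER_BASE64_CERTIFICATE"               # IdP signing certificate, Base64 body without PEM headers
$Protocol    = "Samlp"                                        # SAML rather than WS-Fed

# Prompts for credentials; use an admin account on the *.onmicrosoft.com domain, not on $domain.
Connect-MsolService

# Precondition 1: the domain exists in the tenant and is verified.
$d = Get-MsolDomain -DomainName $domain
if ($d.Status -ne "Verified") { throw "Domain $domain is not verified in Office 365." }

# Precondition 2: the domain is not the tenant default (see the Important note above).
if ($d.IsDefault) { throw "Make a *.onmicrosoft.com domain the default before federating $domain." }

# Precondition 3: the certificate value decodes to a parsable, unexpired X.509 certificate; a pasted
# PEM header, stray line break or truncated string is accepted by the tenant but makes sign-in fail.
$certBytes = [Convert]::FromBase64String($SigningCert)
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,$certBytes)
if ($cert.NotAfter -lt (Get-Date)) { throw "Signing certificate expired on $($cert.NotAfter)." }

# Federate the domain: the same command as in the manual steps, with the variables set above.
Set-MsolDomainAuthentication -DomainName $domain -FederationBrandName $BrandName -Authentication Federated `
    -PassiveLogOnUri $LogOnUrl -SigningCertificate $SigningCert -IssuerUri $uri -LogOffUri $LogOffUrl `
    -PreferredAuthenticationProtocol $Protocol

# Verify: the settings the tenant stored must equal what was sent; a mismatch means users cannot sign in.
$fs = Get-MsolDomainFederationSettings -DomainName $domain
$checks = [ordered]@{
    IssuerUri          = ($fs.IssuerUri          -eq $uri)
    PassiveLogOnUri    = ($fs.PassiveLogOnUri    -eq $LogOnUrl)
    LogOffUri          = ($fs.LogOffUri          -eq $LogOffUrl)
    SigningCertificate = ($fs.SigningCertificate -eq $SigningCert)
}
foreach ($c in $checks.GetEnumerator()) { "{0,-19} {1}" -f $c.Key, $(if ($c.Value) { "OK" } else { "MISMATCH" }) }
if ($checks.Values -contains $false) { throw "Stored federation settings for $domain differ from the values sent." }
```

Run the user commands from the steps above (New-MsolUser / Set-MsolUser) only after every check prints OK.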
5. Removing federation settings by executing the PowerShell command
To remove the federation settings, run the following PowerShell command, where $dom is the name of the federated domain:
Set-MsolDomainAuthentication -DomainName $dom -Authentication Managed