Note: The information below applies strictly to an Azure AD / on-prem AD hybrid environment. If you only use Azure AD and are looking to federate, please refer to the following article: Azure AD - Federating Microsoft 365 domain
How does it work?
Would you like to use Evo as your Identity Provider for your Office 365 domain? You can certainly do so! This article will guide you through it. Before you begin, you need the following prerequisites in place, and there is one precaution to take:
- You need to have access to an admin account within your Office 365 domain (ex: admin@yourdomain.onmicrosoft.com)
- The environment must use on-prem AD (Active Directory) or AD FS (Active Directory Federation Services).
- After federation, IT admins can no longer create new users in Azure AD; they will need to use on-prem Active Directory.
- Only synced users can successfully authenticate. They must reside within the on-prem AD.
- Please make sure you change your primary domain to yourdomain.onmicrosoft.com instead of yourdomain.com (see the screenshot at the bottom of the page).
Note: The federation process is straightforward, but it can get complicated at times. Before federating your domain, please feel free to let us know; we will be happy to help you directly.
WARNING: Once you federate your domain, you will immediately begin using Evo Security as your identity provider. If you have not configured your users in Evo, please do so before attempting this, as you can lock yourself out of your Office 365 environment.
Federating the Domain
1. Using an administrative PowerShell window, begin by connecting to Microsoft Online Services by running the commands:
Install-Module Microsoft.Graph
Connect-MgGraph -Scopes "Domain.ReadWrite.All", "Directory.AccessAsUser.All"
2. You'll now need to connect to Microsoft Online with your administrator account in your Office 365 domain. Once complete, you'll be connected to the Microsoft Online Service!
3. Head to your Evo Security environment and log in. Once logged in, locate the "Applications" page. This page can be found under "My Company" or under another customer.
4. Once on the Applications page, click the Office 365 Integration tile.
5. You will now see the script you need to run. There is a variable you need to change, so click "Copy Script" and paste the script into Notepad or any other text editor of your choice.
NOTE: You can ignore the commented out section near the top of the script. These comments are for informational purposes only.
6. In the text editor, locate this line near the top of the script:
$dom = "yourdomain.com"
Change "yourdomain.com" to the name of your domain, keeping the quotation marks so the value remains a string.
7. With this change made, copy and paste the edited line (including the $dom =) into the PowerShell window and run it. You have now set the domain variable for your domain.
8. After setting the variable, it's time to load the signing certificate. Copy and paste the block beginning with $MySigningCert and ending with the final quotation mark after -----END CERTIFICATE-----, and run it. You have now set the certificate variable.
9. Finally, run the rest of the script. Copy and paste the block beginning with New-MgDomainFederationConfiguration and ending with enforceMfaByFederatedIdp, and run it. You have now finished running the federation script!
10. To confirm if your domain has been federated, run this command:
Get-MgDomain
You should see a list of the domains under your administrative account, and the domain you chose should now show the "Federated" status next to it.
Now when you go to log-in to your Microsoft Account, you will be re-directed to Evo Security and must authenticate with Evo!
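To check the prerequisites listed at the top of this article and confirm the result of step 10 in one pass, the following PowerShell is an added example written for this article; it is not part of the Evo script. It assumes the Microsoft.Graph module is installed, that $dom holds your domain, and it adds the User.Read.All scope to the scopes from step 1 so it can inspect users.

```powershell
# Added example: pre-flight and post-federation checks for a hybrid tenant.
# Assumption: $dom is the domain you are federating (or have federated).
$dom = "yourdomain.com"

# Scopes from step 1, plus User.Read.All for the synced-user check below.
Connect-MgGraph -Scopes "Domain.ReadWrite.All", "Directory.AccessAsUser.All", "User.Read.All"

$domains = Get-MgDomain -All
$target  = $domains | Where-Object { $_.Id -eq $dom }
if (-not $target)            { throw "Domain $dom is not in this tenant." }
if (-not $target.IsVerified) { throw "Domain $dom is not verified; verify it before federating." }

# Prerequisite: the primary (default) domain must be the .onmicrosoft.com domain,
# otherwise an admin can be locked out once $dom is federated.
$default = $domains | Where-Object { $_.IsDefault }
if ($default.Id -notlike "*.onmicrosoft.com") {
    Write-Warning "Primary domain is $($default.Id); change it to your .onmicrosoft.com domain first."
}

# Prerequisite: only users synced from on-prem AD can sign in after federation.
$users  = @(Get-MgUser -All -Property UserPrincipalName,OnPremisesSyncEnabled |
            Where-Object { $_.UserPrincipalName -like "*@$dom" })
$synced = @($users | Where-Object { $_.OnPremisesSyncEnabled -eq $true })
Write-Host ("{0} users in {1}, {2} synced from on-prem AD" -f $users.Count, $dom, $synced.Count)
$cloudOnly = @($users | Where-Object { -not $_.OnPremisesSyncEnabled })
if ($cloudOnly.Count -gt 0) {
    Write-Warning "Cloud-only accounts that will not be able to sign in after federation:"
    $cloudOnly | ForEach-Object { Write-Warning "  $($_.UserPrincipalName)" }
}

# Current state: "Managed" before step 9, "Federated" once the change has propagated
# (see Troubleshooting for the delay). When federated, show what the tenant trusts.
Write-Host "Authentication type for ${dom}: $($target.AuthenticationType)"
if ($target.AuthenticationType -eq "Federated") {
    $fed = Get-MgDomainFederationConfiguration -DomainId $dom
    Write-Host "Issuer URI:    $($fed.IssuerUri)"
    Write-Host "Sign-in URL:   $($fed.PassiveSignInUri)"
    Write-Host "MFA behaviour: $($fed.FederatedIdpMfaBehavior)"
}
```

Run it once before step 7 to catch a missing prerequisite, and again after step 10 to confirm the domain reports "Federated" with the expected Evo issuer and sign-in URL.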
Defederating the Domain
Defederation is easy! Make sure you are still logged into Microsoft Online Services and run this PowerShell command:
Update-MgDomain -DomainId <domain name> -AuthenticationType "Managed"
(Make sure you replace <domain name> with the name of the domain you federated!)
You should now be Defederated!
Note: Change your primary domain to yourdomain.onmicrosoft.com in Azure Active Directory
Troubleshooting
Sometimes the federation process takes longer than expected, so please be patient; it can take 30-60 minutes. The symptom you may see is that signing in to Microsoft does not redirect to the Evo login page, yet users also cannot sign in to Microsoft directly. This means the federation is taking more time than usual to process.