Note: The following information is strictly for an Azure AD/On-Prem AD hybrid environment. If you only use Azure AD and want to federate, please refer to the following article - https://support.evosecurity.com/hc/en-us/articles/19195958425371
Would you like to use Evo as your Identity Provider for your Office 365 domain? You can certainly do so! This article will guide you through it. Before you start, you need the following prerequisites in place, and one precaution:
- You need access to an admin account within your Office 365 domain (e.g. admin@yourdomain.onmicrosoft.com).
- The environment must use on-prem AD (Active Directory) or AD FS (Active Directory Federation Services).
- After federation, IT Admins can no longer create new users in Azure AD; they must be created in On-Prem Active Directory and synced.
- Only synced users can successfully authenticate. Every user who needs to sign in must reside within the on-prem AD.
- Please make sure you change your primary domain to yourdomain.onmicrosoft.com instead of yourdomain.com (see the screenshot at the bottom of the page). Accounts on the .onmicrosoft.com domain are not redirected to the federated identity provider, so an admin account there remains a way back into the tenant if federation is misconfigured.
Note: The federation process is straightforward, but it can get complicated. Before federating your domain, feel free to let us know; we will be happy to help you directly.
Be aware that once you federate your domain, you will immediately begin using Evo Security as your identity provider. If you have not yet configured your users in Evo, do so before attempting this, as you can otherwise lock yourself out of your Office 365 environment.
So, let's get started!
1. Using an administrative PowerShell window, begin by connecting to Microsoft Online Services by running the command:
Connect-MsolService
NOTE: If you receive an error here, you will need to install the MSOnline Module. You can do so by running the following command:
Install-Module MSOnline
2. A sign-in prompt appears. Sign in with the administrator account for your Office 365 domain. Once complete, you'll be connected to the Microsoft Online Service!
3. Head to your Evo Security environment and log in. Once logged in, locate the "Applications" page. This page can be found under "My Company" or under another customer.
4. Once on the Applications page, click the Office 365 Integration tile.
5. You will now see the script you need to run. There is one variable you need to change, so click "Copy Script" and paste the script into Notepad or any other text editor of your choice.
NOTE: You can ignore the commented out section near the top of the script. These comments are for informational purposes only.
6. In the text editor, locate this line near the top of the script:
$dom = "yourdomain.com"
Change "yourdomain.com" to the name of your domain, leaving the quotation marks in place so the value stays a string.
7. With this change made, copy and paste the edited line (including the $dom =) into the PowerShell window and run it. You have now set the domain variable for your domain.
8. After setting the domain variable, set the signing certificate variable. Copy and paste, beginning with $MySigningCert and ending with the final quotation mark after -----END CERTIFICATE-----, and run it. You have now loaded the certificate into the session.
9. Finally, run the rest of the script. Copy and paste, beginning with Set-MsolDomainAuthentication and ending with SAMLP, and run it. You have now finished running the Federation Script!
10. To confirm that your domain has been federated, run this command:
Get-MsolDomain
You should see a list of the domains in your tenant; the Authentication column for the domain you federated should now read "Federated".
Now when you go to sign in to your Office 365 account, you will be redirected to Evo Security and must authenticate with Evo! Congratulations!
What if I want to Defederate the domain?
Defederation is easy! Make sure you are still connected to Microsoft Online Services and run this PowerShell command:
Set-MsolDomainAuthentication -Authentication Managed -DomainName yourdomainname.com
(make sure you replace yourdomainname.com with the name of the domain you federated!)
The domain is now back to managed authentication, and sign-ins for it are handled by Azure AD again.
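The steps above, collected into one script as an added example. This is not the script from the Evo "Office 365 Integration" tile and it is not Evo's own code: the endpoint URIs, the brand name "Evo Security" and the certificate value are placeholders that you must replace with the values from the Evo script. Beyond the article's steps it adds the pre-flight checks implied by the prerequisites (the primary domain is the .onmicrosoft.com one and a Global Administrator exists on it so you cannot lock yourself out), a verification step, and the rollback command from the defederation section.

```powershell
# Added example, not the Evo-provided script. Values in angle brackets are
# placeholders; take the real URIs and certificate from the Evo "Office 365
# Integration" tile. The brand name "Evo Security" is an assumption.

# Steps 1-2: connect; a sign-in prompt appears for the Office 365 admin account.
Import-Module MSOnline
Connect-MsolService

# Step 6-7: the domain to federate (never the .onmicrosoft.com domain).
$dom = "yourdomain.com"

# --- Pre-flight checks ------------------------------------------------------
# The primary (default) domain must be the tenant's .onmicrosoft.com domain.
$default = Get-MsolDomain | Where-Object { $_.IsDefault }
if ($default.Name -notlike "*.onmicrosoft.com") {
    throw "Default domain is '$($default.Name)'. Set yourdomain.onmicrosoft.com as primary first."
}

# Keep a way back in: a Global Administrator on the .onmicrosoft.com domain is not
# redirected to the IdP and can still sign in if federation is misconfigured.
$gaRole = Get-MsolRole -RoleName "Company Administrator"
$cloudAdmins = Get-MsolRoleMember -RoleObjectId $gaRole.ObjectId |
    Where-Object { $_.EmailAddress -like "*.onmicrosoft.com" }
if (-not $cloudAdmins) {
    throw "No Global Administrator on the .onmicrosoft.com domain; create one before federating."
}

# The target domain must be verified and not already federated.
$target = Get-MsolDomain -DomainName $dom
if ($target.Status -ne "Verified")          { throw "$dom is not a verified domain in this tenant." }
if ($target.Authentication -eq "Federated") { throw "$dom is already federated." }

# --- Step 8: signing certificate -------------------------------------------
# Paste the value exactly as it appears in the Evo script.
$MySigningCert = "<signing certificate from the Evo script>"

# --- Step 9: federate the domain -------------------------------------------
Set-MsolDomainAuthentication `
    -DomainName $dom `
    -Authentication Federated `
    -FederationBrandName "Evo Security" `
    -IssuerUri "<issuer URI from the Evo script>" `
    -PassiveLogOnUri "<SAML sign-in URL from the Evo script>" `
    -ActiveLogOnUri "<active sign-in URL from the Evo script>" `
    -LogOffUri "<sign-out URL from the Evo script>" `
    -MetadataExchangeUri "<metadata URL from the Evo script>" `
    -SigningCertificate $MySigningCert `
    -PreferredAuthenticationProtocol SAMLP

# --- Step 10: verify ---------------------------------------------------------
$after = Get-MsolDomain -DomainName $dom
if ($after.Authentication -ne "Federated") { throw "Federation did not take effect for $dom." }
Get-MsolDomainFederationSettings -DomainName $dom |
    Select-Object FederationBrandName, IssuerUri, PassiveLogOnUri

# --- Rollback (the "Defederate" section) -------------------------------------
# Uncomment and run only if users cannot sign in through Evo; this returns the
# domain to managed (Azure AD) authentication.
# Set-MsolDomainAuthentication -DomainName $dom -Authentication Managed
```

Run the script from an account on the .onmicrosoft.com domain while a second session is still open, so that if the verification step fails you can issue the rollback command without first having to sign in through the newly federated domain.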
Note: Change your primary domain to yourdomain.onmicrosoft.com in Azure Active Directory