Note: Have a hybrid Azure AD/On-Prem environment instead? Please refer to the following link for federating a hybrid environment:
Azure AD/On-Prem AD Hybrid Environment - Federating Microsoft 365 Domain
How does it work?
By default, Microsoft does not allow new users to be created directly in Azure AD on a federated domain; it expects an on-prem AD (a hybrid environment) to provision users for that domain. With this setup, Evo plays the role of that on-prem directory, so new users can still be created without one.
New users in Azure AD should be created using the fallback, or .onmicrosoft.com domain. When users are synced to Evo, Evo will update the user and convert the fallback domain to the custom, federated domain.
Ex: new account user@abc.onmicrosoft.com will be converted to user@yourdomain.com
Please note that the existing users (user@yourdomain.com) will be synced over without any change.
WARNING: If you plan to use this deployment with Entra ID joined machines, new users will not be able to log in to those machines after federating. Our team is working on support for this scenario.
Federation Steps
1. Establish Fallback Domain
1.1 Make sure the primary domain on your account is set to the fallback domain, e.g. yourdomain.onmicrosoft.com, instead of your federated domain.
2. Federate your domain
2.1. Using an administrative PowerShell window, begin by installing the Microsoft Graph PowerShell module and connecting with the scopes needed to manage domains:
Install-Module Microsoft.Graph
Connect-MgGraph -Scopes "Domain.ReadWrite.All", "Directory.AccessAsUser.All"
2.2. Connect-MgGraph opens a sign-in prompt. Sign in with the admin@domain.onmicrosoft.com account for your Office 365 tenant. Once complete, you'll be connected to Microsoft Graph!
For more information on connecting, see this Microsoft article: Connect to Microsoft 365 with PowerShell
2.3. Open your Evo Security environment, e.g. https://yourcompany.evosecurity.com, and log in. Once logged in, locate the "Applications" page. This page can be found under "My Company" or under another customer.
2.4. Once on the Applications page, click the Office 365 Integration tile.
2.5. You will now see the script you need to run. One variable in it must be changed, so click "Copy Script" and paste the script into Notepad or any other text editor of your choice.
NOTE: You can ignore the commented out section near the top of the script. These comments are for informational purposes only.
2.6. In your text editor, locate this line near the top of the script:
$dom = "yourdomain.com"
Change "yourdomain.com" to the name of the custom domain you wish to federate in Azure, keeping the quotation marks so the value remains a string.
2.7. Copy and paste only the $dom = "..." line into a PowerShell window and run it. You have now set the domain variable for your domain.
2.8. Copy the lines beginning with $MySigningCert = ... and ending with the final quotation mark after -----END CERTIFICATE-----. Paste those lines into your PowerShell window and execute that statement. You have now set the variable for the signing certificate.
2.9. Finally, run the rest of the script by copying and pasting the lines beginning with New-MgDomainFederationConfiguration and ending with enforceMfaByFederatedIdp into your PowerShell window. After executing the statements you just pasted, your domain should be federated.
2.10. To confirm that your domain has been federated, run this command:
Get-MgDomain
You should see a list of domains under your administrative account, and the domain you chose should now have the "Federated" status next to it.
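The following script is an added example (not part of Evo's script or the original article) that performs the step 2.10 check for a single domain and then reads back the federation configuration that was written in step 2.9. It assumes you are still connected through Connect-MgGraph with the scopes from step 2.1, that $dom holds the custom domain from step 2.7, and that $MySigningCert holds the PEM certificate string from step 2.8. The thumbprint comparison is the check a practitioner wants here: it confirms that the signing certificate Azure AD now trusts for your domain is exactly the one from the Evo portal, and not a stale or mistyped value.

```powershell
# Added example: verify federation of one domain after steps 2.7-2.9.
# Assumes an active Connect-MgGraph session, $dom (step 2.7) and $MySigningCert (step 2.8).

function Get-CertFromBase64 {
    # Accepts either a full PEM block or bare base64 DER and returns an X509Certificate2.
    param([string]$Text)
    $b64 = $Text -replace '-----BEGIN CERTIFICATE-----', '' `
                 -replace '-----END CERTIFICATE-----', '' `
                 -replace '\s', ''
    return [System.Security.Cryptography.X509Certificates.X509Certificate2]::new(
        [Convert]::FromBase64String($b64))
}

function Test-EvoFederation {
    param(
        [Parameter(Mandatory)][string]$Domain,          # the custom domain, e.g. $dom
        [Parameter(Mandatory)][string]$SigningCertPem   # the PEM string, e.g. $MySigningCert
    )

    # 1. The domain must now report AuthenticationType = Federated (was Managed).
    $d = Get-MgDomain -DomainId $Domain
    if ($d.AuthenticationType -ne 'Federated') {
        Write-Warning "$Domain is still '$($d.AuthenticationType)'. Either propagation is not finished (allow 30-60 minutes) or New-MgDomainFederationConfiguration did not succeed."
        return $false
    }
    Write-Host "$Domain is Federated."

    # 2. Read back what was actually stored. Get-MgDomainFederationConfiguration can return
    #    more than one entry, so inspect each one.
    $expected = Get-CertFromBase64 $SigningCertPem
    $ok = $true
    foreach ($fed in (Get-MgDomainFederationConfiguration -DomainId $Domain)) {
        $fed | Select-Object DisplayName, IssuerUri, PassiveSignInUri,
                             PreferredAuthenticationProtocol, FederatedIdpMfaBehavior | Format-List

        # 3. The stored signing certificate must match the one pasted in step 2.8. If it does
        #    not, sign-ins would redirect to Evo but the SAML/WS-Fed response would fail
        #    signature validation at Microsoft.
        $stored = Get-CertFromBase64 $fed.SigningCertificate
        if ($stored.Thumbprint -eq $expected.Thumbprint) {
            Write-Host "Signing certificate matches (thumbprint $($stored.Thumbprint), expires $($stored.NotAfter))."
        } else {
            Write-Warning "Signing certificate MISMATCH. Stored: $($stored.Thumbprint) Expected: $($expected.Thumbprint)"
            $ok = $false
        }
    }
    return $ok
}

# Usage, with the variables set earlier in this procedure:
Test-EvoFederation -Domain $dom -SigningCertPem $MySigningCert
```

The function returns $true only when the domain is federated and every stored configuration carries the expected certificate, so it can be dropped into a change-control runbook as a pass/fail gate. The printed NotAfter date is worth recording: when the Evo signing certificate is rotated, this same check will tell you whether the new certificate has been applied to the domain.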
3. Configure Evo to use the federated domain during user syncing.
3.1. To set up the application and complete a sync, see the article below. If you have already done so, skip to step 3.2.
see: Sync with Azure Active Directory (AAD) – Evo Support (evosecurity.com)
3.2. In the "Azure AD Federation Settings" section, enter your fallback and federated domains.
Ex: Azure AD Fallback Domain: domain.onmicrosoft.com
Azure AD Federated Domain: yourdomain.com (this is the domain you federated in step 2)
3.3. After entering all information, click "Complete Sync". It takes Microsoft 12 to 30 minutes to complete a sync cycle.
Completion
Once the sync process is complete, go to the People tab and check that your user accounts have been synced over. Please note the following:
a. Existing users within your domain are synced over exactly as they are in Azure AD; nothing changes for them (ex: user@yourdomain.com).
b. As mentioned earlier, you can no longer create new accounts directly with your domain; new accounts must be created as user@domain.onmicrosoft.com. Because you have completed the Evo setup, Evo converts user@domain.onmicrosoft.com to user@yourdomain.com and updates the account in Azure AD.
Creating User Accounts after Federation
The example process below shows how to create a new account after federating.
- Create a new user with user@domain.onmicrosoft.com on Azure AD.
- Add the user to Evo Sync Group (this is the group you selected during the User Provision process, see the link to this step in 3.1 above).
- Wait for the sync cycle to complete; you will then see the new user as user@yourdomain.com in both Evo and Azure AD. Evo has synced the user into the Evo portal and updated the UPN in Azure AD automatically.
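The three steps above can be scripted for repeatable onboarding. The following is an added example, not Evo's code and not part of the original article: it creates the user on the fallback domain (step 1), adds it to the Evo Sync Group (step 2), and then polls Azure AD until the UPN has been rewritten to the federated domain (step 3). It assumes an active Connect-MgGraph session with User.ReadWrite.All and GroupMember.ReadWrite.All, that the group is looked up by display name, and that the group name, domains and person used in the usage call are placeholders you replace with your own values.

```powershell
# Added example: create a post-federation user the way the article describes and wait for
# Evo to convert the UPN. Requires Connect-MgGraph with User.ReadWrite.All and
# GroupMember.ReadWrite.All. All names below are placeholders.

function New-EvoSyncedUser {
    param(
        [Parameter(Mandatory)][string]$GivenName,
        [Parameter(Mandatory)][string]$Surname,
        [Parameter(Mandatory)][string]$FallbackDomain,   # e.g. domain.onmicrosoft.com
        [Parameter(Mandatory)][string]$SyncGroupName     # the Evo Sync Group chosen in step 3.1
    )
    $alias = ("$GivenName.$Surname").ToLower()
    # The UPN MUST use the fallback domain; Evo rewrites it to the federated domain later.
    $upn = "$alias@$FallbackDomain"

    # A temporary password is a required field. It is drawn from a CSPRNG and flagged for
    # change at first sign-in; with the domain federated, interactive sign-in is handled by Evo.
    $bytes = [byte[]]::new(24)
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    $tempPassword = [Convert]::ToBase64String($bytes)

    $user = New-MgUser -DisplayName "$GivenName $Surname" -GivenName $GivenName -Surname $Surname `
        -MailNickname $alias -UserPrincipalName $upn -AccountEnabled `
        -PasswordProfile @{ Password = $tempPassword; ForceChangePasswordNextSignIn = $true }
    Write-Host "Created $($user.UserPrincipalName) (id $($user.Id))"

    # Membership in the sync group is what makes Evo pick the account up on the next cycle.
    $group = Get-MgGroup -Filter "displayName eq '$SyncGroupName'"
    if (-not $group) { throw "Evo Sync Group '$SyncGroupName' not found" }
    New-MgGroupMember -GroupId $group.Id -DirectoryObjectId $user.Id
    Write-Host "Added to sync group '$($group.DisplayName)'"

    return $user
}

function Wait-EvoUpnConversion {
    # Polls until the UPN ends in the federated domain, or gives up after the timeout.
    # 45 minutes covers the 12-30 minute sync cycle quoted in step 3.3 with some headroom.
    param(
        [Parameter(Mandatory)][string]$UserId,
        [Parameter(Mandatory)][string]$FederatedDomain,  # e.g. yourdomain.com
        [int]$TimeoutMinutes = 45
    )
    $deadline = (Get-Date).AddMinutes($TimeoutMinutes)
    do {
        $u = Get-MgUser -UserId $UserId -Property Id, UserPrincipalName
        if ($u.UserPrincipalName -like "*@$FederatedDomain") {
            Write-Host "UPN converted: $($u.UserPrincipalName)"
            return $u.UserPrincipalName
        }
        Start-Sleep -Seconds 120
    } while ((Get-Date) -lt $deadline)
    Write-Warning "UPN is still $($u.UserPrincipalName) after $TimeoutMinutes minutes. Check the group membership and the sync status in the Evo portal."
    return $null
}

# Usage (placeholder values):
$u = New-EvoSyncedUser -GivenName 'Alex' -Surname 'Example' `
        -FallbackDomain 'domain.onmicrosoft.com' -SyncGroupName 'Evo Sync Group'
Wait-EvoUpnConversion -UserId $u.Id -FederatedDomain 'yourdomain.com'
```

Wait-EvoUpnConversion returns the converted UPN or $null, so a provisioning pipeline can branch on the result rather than relying on someone checking the People tab by hand.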
Defederating the domain
Defederation is easy! Make sure you are still connected to Microsoft Graph PowerShell (step 2.1) and run this PowerShell command:
Update-MgDomain -DomainId <domain name> -AuthenticationType "Managed"
(make sure you replace <domain name> with the name of the domain you federated!)
You should now be defederated!
Note: Sometimes the federation process takes longer than expected, so please be patient; it can take 30-60 minutes. One symptom is that signing in to Microsoft does not redirect to the Evo login page, yet users also cannot log in to Microsoft directly. This means the federation is still propagating.