Note: Have a hybrid Azure AD/On-Prem environment instead? Please refer to the following link for federating a hybrid environment - https://support.evosecurity.com/hc/en-us/articles/14707610712219
How does this work?
By default, Microsoft does not allow creating new users in Azure AD after federating: it expects an on-prem AD (a hybrid environment) to back a federated domain. With this setup, however, Evo acts in place of the on-prem AD, so new users can still be created with ease.
New users in Azure AD should be created using the fallback (.onmicrosoft.com) domain. When those users are synced to Evo, Evo updates each user and converts the fallback domain to the custom, federated domain.
Please note that the existing users (firstname.lastname@example.org) will be synced over without any change.
1. Make sure the primary domain on your account is set to the fallback domain, e.g. yourdomain.onmicrosoft.com, instead of your federated domain.
2. Federate your domain
2.1. Using an administrative PowerShell window, begin by connecting to Microsoft Online Services by running the command:
NOTE: If you receive an error here, you will need to install the MSOnline module. You can do so by running the following command:
2.2. You'll now need to connect to Microsoft Online with your email@example.com account in your Office 365 domain. Once complete, you'll be connected to the Microsoft Online Service!
** For information on how to connect, see this MS KB: Connect to Microsoft 365 with PowerShell
2.3. Open your Evo Security environment, e.g. https://yourcompany.evosecurity.com, and log in. Once logged in, locate the "Applications" page. This page can be found under "My Company" or under another customer.
2.4. Once on the Applications page, click the Office 365 Integration tile.
2.5. You will now see the script you need to run. There is a variable you need to change, so click the "Copy Script" and paste it to notepad or any other text editor of your choice.
NOTE: You can ignore the commented out section near the top of the script. These comments are for informational purposes only.
2.6. In your text editor, locate this line near the top of the script:
$dom = "yourdomain.com"
Change "yourdomain.com" to the name of the custom domain you wish to federate in Azure, keeping the quotation marks so the value remains a string.
2.7. Copy and paste only the $dom = "..." line into a PowerShell window and run it. You have now set the domain variable for your domain.
2.8. Copy the lines beginning with $MySigningCert = ... and ending with the final quotation mark after -----END CERTIFICATE-----. Paste those lines into your PowerShell window and execute that statement. You have now set the variable for the signing certificate.
2.9. Finally, run the rest of the script by copying and pasting the lines beginning with Set-MsolDomainAuthentication and ending with SAMLP into your PowerShell window. After executing the statements you just pasted, your domain should be federated.
2.10. To confirm that your domain has been federated, run this command:
You should see a list of domains under your administrative account, and the domain you chose should now have the "Federated" status next to it.
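The check below is an added example, not the Evo script from the portal: it inspects the federation state Microsoft recorded for your domain after step 2.9 and decodes the stored signing certificate so a mistyped or expired certificate is caught before users are locked out. It assumes Connect-MsolService has already succeeded and that $dom was set as in step 2.7; the function name Test-DomainFederation is invented here.

```powershell
# Added example (not Evo's code). Assumes an existing Connect-MsolService session
# and that $dom holds the federated domain name (step 2.7).
function Test-DomainFederation {
    param([Parameter(Mandatory)][string]$DomainName)

    $domainInfo = Get-MsolDomain -DomainName $DomainName
    "{0}: Authentication={1} Status={2}" -f $domainInfo.Name, $domainInfo.Authentication, $domainInfo.Status

    if ($domainInfo.Authentication -ne 'Federated') {
        # Federation can take 30-60 minutes to propagate; Managed here is not yet a failure.
        Write-Warning "Domain is still Managed; federation may still be propagating."
        return $false
    }

    # Show the endpoints Microsoft will redirect to; they should all point at your Evo environment.
    $fed = Get-MsolDomainFederationSettings -DomainName $DomainName
    $fed | Select-Object IssuerUri, PassiveLogOnUri, ActiveLogOnUri, LogOffUri, PreferredAuthenticationProtocol |
        Format-List | Out-String | Write-Host

    # Strip any PEM header/footer and whitespace, then decode the certificate Microsoft stored.
    $b64 = ($fed.SigningCertificate -replace '-----[A-Z ]+-----', '') -replace '\s', ''
    $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new([Convert]::FromBase64String($b64))
    "Signing cert: Subject={0} Thumbprint={1} NotAfter={2}" -f $cert.Subject, $cert.Thumbprint, $cert.NotAfter

    if ($cert.NotAfter -lt (Get-Date)) {
        Write-Warning "Stored signing certificate has expired; re-run step 2.8 and 2.9 with a current certificate."
        return $false
    }
    return $true
}

Test-DomainFederation -DomainName $dom
```

Compare the printed thumbprint against the certificate shown in the Evo portal's script; a mismatch means the wrong $MySigningCert block was pasted.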
3. Configuring Evo to use your federated domain during user syncing.
In the Evo portal, navigate to your customer's directories (Home -> Customers -> [select a customer] -> Directories -> Azure Active Directory tab), and click the "Add New Directory" button.
In the "Add New Directory" form, enter the required fields in the "Authentication Configuration" section.
3.1. For the first part, follow the link below to register an application in Azure AD. If you've already done so, move on to the next step.
3.2. In the "Azure AD Federation Settings" section, enter your fallback and federated domains.
Ex: Azure AD Fallback Domain: domain.onmicrosoft.com
Azure AD Federated Domain: federatedomain.com (this is the domain you federated earlier)
3.3. After entering all the information, click "Complete Sync". Microsoft will take 12 to 30 minutes to complete a sync cycle.
Once the sync process has completed, go to the People tab and check that your user accounts have been synced over. Please note the two points below.
a. Existing users within your domain are synced over exactly as they are in Azure AD; nothing changes for existing users (ex: firstname.lastname@example.org).
b. As mentioned earlier, you can no longer create new accounts with your domain; you can only create new accounts with email@example.com. However, since you've completed the setup on Evo, Evo will convert firstname.lastname@example.org to email@example.com and update it in Azure AD.
The example process below shows how to create a new account after federating.
1. Create a new user with firstname.lastname@example.org on Azure AD.
2. Add the user to Evo Sync Group (this is the group you selected during the User Provision process, see the link to this step in 3.1 above).
3. Wait for the sync cycle to complete; you will then see the new user email@example.com in both Evo and Azure AD. Evo has synced the new user to the Evo portal and updated it in Azure AD automatically.
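The script below is an added example, not part of the Evo documentation: it performs the three steps above from PowerShell, creating the user on the fallback domain, adding them to the sync group, and polling by ObjectId until the UPN has been rewritten to the federated domain. It assumes an existing Connect-MsolService session, uses the page's placeholder domains, and the group name 'Evo Sync Group' and the user details are constructed here.

```powershell
# Added example (not Evo's code). Assumes Connect-MsolService has already succeeded.
$fallbackDomain  = 'domain.onmicrosoft.com'   # your tenant's fallback domain (step 3.2)
$federatedDomain = 'federatedomain.com'       # the domain federated in step 2
$syncGroupName   = 'Evo Sync Group'           # assumed name of the group chosen during User Provision

# Step 1: create the user on the fallback domain, never directly on the federated domain.
$alias = 'jane.doe'                            # constructed sample user
$user = New-MsolUser -UserPrincipalName "$alias@$fallbackDomain" -DisplayName 'Jane Doe' `
            -FirstName 'Jane' -LastName 'Doe' -UsageLocation 'US'

# Step 2: add the user to the Evo sync group so the next cycle picks them up.
$group = Get-MsolGroup -SearchString $syncGroupName | Select-Object -First 1
if (-not $group) { throw "Sync group '$syncGroupName' not found; check the User Provision step." }
Add-MsolGroupMember -GroupObjectId $group.ObjectId -GroupMemberType User -GroupMemberObjectId $user.ObjectId

# Step 3: poll by ObjectId (the UPN is what changes) for up to 45 minutes,
# covering the 12-30 minute sync window with some margin.
$deadline = (Get-Date).AddMinutes(45)
do {
    Start-Sleep -Seconds 120
    $current = Get-MsolUser -ObjectId $user.ObjectId
    "{0:HH:mm} UPN is {1}" -f (Get-Date), $current.UserPrincipalName
} while ($current.UserPrincipalName -notlike "*@$federatedDomain" -and (Get-Date) -lt $deadline)

if ($current.UserPrincipalName -like "*@$federatedDomain") {
    "Converted: $($current.UserPrincipalName)"
} else {
    Write-Warning "UPN not converted yet; confirm the group membership and the Evo directory sync status."
}
```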
What if I want to Defederate the domain?
Defederation is easy! Make sure you are still logged in to Microsoft Online Services and run this PowerShell command:
Set-MsolDomainAuthentication -Authentication Managed -DomainName yourdomainname.com
(make sure you replace yourdomainname.com with the name of the domain you federated!)
Your domain should now be defederated!
Sometimes the federation process takes longer than expected, so please be patient; it can take 30-60 minutes. The symptom you may see is that logging in to Microsoft does not redirect to the Evo login page, yet users also cannot log in to Microsoft. This means the federation is taking longer than usual to process.