Tozny
Tozny
Search
⌃K
Links

Office 365

This describes the steps necessary to complete the Office 365 integration when using the rapid setup guide in TozID.

What You'll Need

  • Your Tozny account - create one free here
  • Admin access to your Office 365 account
  • Custom domain to use for Office 365
  • About 15 minutes to complete the setup

Configure TozID

Create a new client application in TozID by logging into your realm, navigating to clients, select "create" and choose "Office 365".
Create Office 365 Client Screen

Configure Office 365

Login to your Office 365 admin account(https://admin.microsoft.com/). Click "Settings" then "Domains" from the left menu. Click on "Add Domain" and follow the steps to verify it's ownership.
Add domain in Office 365 Admin
Once domain verification is completed and the domain added, then follow below steps.

Step 1: Federate your Office 365 custom domain through PowerShell.

To run script,
  1. 1.
    Install MSOnline Module. Run "Install-Module MSOnline" command
  2. 2.
    Import MSOnline Module. Run "Import-Module MSOnline" command
  3. 3.
    Connect Office 365 account. Run "Connect-MsolService" command, it will open login screen for Office 365 account.
  4. 4.
    Run below script.
Configure the following values in powershell script:
Field
Value
DomainName
Domain name which is added at Office 365 admin.
FederationBrandName
Any Name Example: "MS Office SAML".
Authentication
Static value "Federated".
PassiveLogOnUri
https://staging.id.tozny.com/auth/realms/<realm-name>/protocol/saml
ActiveLogOnUri
https://staging.id.tozny.com/auth/realms/<realm-name>/protocol/saml
SigningCertificate
X.509 Certificate
IssuerUri
https://staging.id.tozny.com/auth/realms/<realm-name>
LogOffUri
https://staging.id.tozny.com/auth/realms/<realm-name>/protocol/saml
PreferredAuthenticationProtocol
Static value "SAMLP".
Replace placeholders(<field-name>) with values in below powershell script and run it.
Set-MsolDomainAuthentication `
-DomainName \<domain-name> `
-FederationBrandName \<federation-brand-name> `
-Authentication Federated `
-PassiveLogOnUri \<passive-log-on-uri> `
-ActiveLogOnUri \<active-log-on-uri> `
-SigningCertificate \<signing-certificate> `
-IssuerUri \<issuer-uri> `
-LogOffUri \<log-off-uri> `
-PreferredAuthenticationProtocol "SAMLP"
Get Signing Certificate from your Realm Settings.
TozID X.509 Certificate File
TozID X.509 Certificate File

Step 2: Add Office 365 users through PowerShell (User email address should be of federated domain)

Field
Value
UserPrincipalName
Email address of the user. Should be of federated domain.
ImmutableId
Immutable Id from Office 365 created inside your realm user.
DisplayName
Fullname of the user.
FirstName
Firstname of the user.
LastName
Lastname of the user.
New-MsolUser `
-UserPrincipalName <email-address> `
-ImmutableId <immutable-id> `
-DisplayName "<full-name>" `
-FirstName <first-name> `
-LastName <last-name> `

ImmutableId

Immutable Id's are unique ID for the user which will be auto created inside your realm user attribute when they try to login before the user is being created. Go to office 365 login in incognito window and put user email address in login screen, it will redirect to "TozID" login page. That's it. ImmutableId will be created for that user inside User Attribute with the key "saml.persistent.name.id.for.urn:federation:MicrosoftOnline".

Step 3: Login to Office 365 admin account and assign licenses to apps for the created users.

Office 365 Assign Licenses

Wrapping Up

Select save and ensure your users are correctly configured in TozID and in Office 365. Once completed, users should be able to sign in to Office 365 account with TozID. Having issues? Reach us at [email protected]
Previous
GSuite
Next - TOZ Id
Customer Identity Management
Last modified 10mo ago