Office 365

This describes the steps necessary to complete the Office 365 integration when using the rapid setup guide in TozID.

What You'll Need

Your Tozny account - create one free here
Admin access to your Office 365 account
Custom domain to use for Office 365
About 15 minutes to complete the setup

Configure TozID

Create a new client application in TozID by logging into your realm, navigating to clients, select "create" and choose "Office 365".

Configure Office 365

Login to your Office 365 admin account(https://admin.microsoft.com/). Click "Settings" then "Domains" from the left menu. Click on "Add Domain" and follow the steps to verify it's ownership.

Once domain verification is completed and the domain added, then follow below steps.

Step 1: Federate your Office 365 custom domain through PowerShell.

To run script,

Install MSOnline Module. Run "Install-Module MSOnline" command
Import MSOnline Module. Run "Import-Module MSOnline" command
Connect Office 365 account. Run "Connect-MsolService" command, it will open login screen for Office 365 account.
Run below script.

Configure the following values in powershell script:

Field

Value

DomainName

Domain name which is added at Office 365 admin.

FederationBrandName

Any Name Example: "MS Office SAML".

Authentication

Static value "Federated".

PassiveLogOnUri

https://staging.id.tozny.com/auth/realms/<realm-name>/protocol/saml

ActiveLogOnUri

https://staging.id.tozny.com/auth/realms/<realm-name>/protocol/saml

SigningCertificate

X.509 Certificate

IssuerUri

https://staging.id.tozny.com/auth/realms/<realm-name>

LogOffUri

https://staging.id.tozny.com/auth/realms/<realm-name>/protocol/saml

PreferredAuthenticationProtocol

Static value "SAMLP".

Replace placeholders(<field-name>) with values in below powershell script and run it.

  Set-MsolDomainAuthentication `
  -DomainName \<domain-name> `
  -FederationBrandName \<federation-brand-name> `
  -Authentication Federated `
  -PassiveLogOnUri \<passive-log-on-uri>  `
  -ActiveLogOnUri \<active-log-on-uri>  `
  -SigningCertificate \<signing-certificate> `
  -IssuerUri \<issuer-uri> `
  -LogOffUri \<log-off-uri> `
  -PreferredAuthenticationProtocol "SAMLP"

Get Signing Certificate from your Realm Settings.

Step 2: Add Office 365 users through PowerShell (User email address should be of federated domain)

Field

Value

UserPrincipalName

Email address of the user. Should be of federated domain.

ImmutableId

Immutable Id from Office 365 created inside your realm user.

DisplayName

Fullname of the user.

FirstName

Firstname of the user.

LastName

Lastname of the user.

New-MsolUser `
-UserPrincipalName <email-address> ` 
-ImmutableId <immutable-id> `
-DisplayName "<full-name>" `
-FirstName <first-name> `
-LastName <last-name> `

ImmutableId

Immutable Id's are unique ID for the user which will be auto created inside your realm user attribute when they try to login before the user is being created. Go to office 365 login in incognito window and put user email address in login screen, it will redirect to "TozID" login page. That's it. ImmutableId will be created for that user inside User Attribute with the key "saml.persistent.name.id.for.urn:federation:MicrosoftOnline".

Wrapping Up

Select save and ensure your users are correctly configured in TozID and in Office 365. Once completed, users should be able to sign in to Office 365 account with TozID. Having issues? Reach us at support@tozny.com

PreviousGSuite NextCustomer Identity Management

Last updated 2 years ago