This integration guide describes how to integrate Microsoft Entra ID with Identity as a Service. There are two ways to do this:
Create an Entra ID Cloud to Cloud Directory (see Configure a Microsoft Entra ID). This is the easier method.
Follow the directions in this integration to create a Microsoft Entra ID LDAP directory.
Before you begin, ensure that you complete the following prerequisites:
Create groups and assign users to groups in Microsoft Entra ID
Create the ImmutableID O365 attribute
Create and configure a Gateway
Note: To enable Microsoft Entra ID users to perform SSO to Office 365 applications, you need to set the ImmutableID for each user. If your Office 365 application is already configured, you need to unfederate it before setting the ImmutableID for each user. Follow these procedures in Integrate Microsoft Office 365 with Identity as a Service:
– Step 6: Prepare users for Microsoft Office 365 access
– Step 7: Configure Microsoft Office for Identity as a Service using PowerShell
Configure Microsoft Office 365 for Identity as a Service using PowerShell
Open PowerShell.
Enter Connect-MsolService.
Enter your user name and password in the prompt, for example, admin@<domain>.onmicrosoft.com.
Ensure that the domain to be federated with Identity as a Service is not the default domain in Microsoft Office. (The default domain in Microsoft Office cannot be federated through SAML authentication).
If your domain has not previously been federated with an IDP, including Identity as a Service or Active Directory Federation Services (AD FS), you can skip to step 6.
If you have already added a Federated Domain and it is federated with an IDP, including Identity as a Service or AD FS, you must break the existing federation by following these steps:
Tip: If you are not using AD FS, you can skip steps b-d in this step.
Verify which domains are federated by entering Get-MsolDomain.
Set your credentials to connect to Office 365 and the AD FS server: Set-MsolADFSContext -Computer <ADFS SERVER>
Convert the domain to standard (as opposed to federated).
Enter Convert-MsolDomainToStandard -DomainName <domain to convert> -SkipUserConversion:$true -PasswordFile C:\userpasswords.txt.
Note: The password text file can be given any name.
Set authentication to be managed by Microsoft Office 365: Set-MsolDomainAuthentication -Authentication Managed -DomainName <domain to convert>.
Enter each of the following variables in PowerShell:
$domain="<Microsoft Office 365 domain>"
$issuer="<EntityID>"
Note: Open the metadata file you downloaded in Step 5: Download the Metadata file from Identity as a Service and locate the value for the EntityID.
$logon="https://<Identity as a Service_Domain>/api/saml/SAML2/SSO"
$logoff="https://<Identity as a Service_Domain>/logout.html"
Note: Where Identity as a Service_Domain is the domain of your custom Identity as a Service account URL.
$cert="<ds:X509Certificate>"
Attention: If you are updating the certificate, ensure that the new certificate is set correctly.
Note: Open the metadata file you downloaded in Configure Identity as a Service for Microsoft Office 365 access and locate the value for ds:X509Certificate. You must copy the entire value.
If you enabled ActiveSync in Step 3: Add Microsoft Office 365 to Identity as a Service, enter the following:
$activeLogOnUri="<Active Logon URI>"
If you did not set ActiveSync, set the value as follows:
$activeLogOnUri=$logon
Enter the following:
Set-MsolDomainAuthentication -DomainName $domain -FederationBrandName $domain -Authentication Federated -PassiveLogOnUri $logon -ActiveLogOnUri $activeLogOnUri -IssuerUri $issuer -LogOffUri $logoff -PreferredAuthenticationProtocol SAMLP -SigningCertificate $cert
If the operation is successful, PowerShell does not return a response in the command line. If you receive an error, double-check the format and syntax of your commands.
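An added example, not part of the original guide, that carries out the federation steps above as one script: it reads the EntityID and ds:X509Certificate from the downloaded metadata file instead of pasting them by hand, applies the default-domain and existing-federation checks from steps 4 and 5, and reads the settings back afterwards because a successful Set-MsolDomainAuthentication prints nothing. The metadata path, Office 365 domain and Identity as a Service domain are placeholders.

```powershell
param(
    [string]$MetadataPath = 'C:\idaas\metadata.xml',   # placeholder: metadata file from Step 5
    [string]$Domain       = 'example.com',             # placeholder: Office 365 domain to federate
    [string]$IdaasDomain  = 'idaas.example.com'        # placeholder: custom IDaaS account domain
)

Connect-MsolService   # prompts for admin@<domain>.onmicrosoft.com credentials

# The default domain cannot be federated, and an already federated domain must be
# converted back to standard first (steps 4 and 5 of the guide).
$dom = Get-MsolDomain -DomainName $Domain
if ($dom.IsDefault) { throw "$Domain is the default domain and cannot be federated." }
if ($dom.Authentication -eq 'Federated') { throw "$Domain is already federated; break that federation first." }

# Read EntityID and ds:X509Certificate from the metadata with proper namespaces.
[xml]$md = Get-Content -Path $MetadataPath -Raw
$ns = New-Object System.Xml.XmlNamespaceManager($md.NameTable)
$ns.AddNamespace('md', 'urn:oasis:names:tc:SAML:2.0:metadata')
$ns.AddNamespace('ds', 'http://www.w3.org/2000/09/xmldsig#')
$issuer = $md.SelectSingleNode('/md:EntityDescriptor/@entityID', $ns).Value
$certXPath = "//md:IDPSSODescriptor/md:KeyDescriptor[not(@use) or @use='signing']//ds:X509Certificate"
$certNode = $md.SelectSingleNode($certXPath, $ns)
$cert = $certNode.InnerText -replace '\s', ''   # the entire base64 value on one line

# Refuse to federate against a value that is not a certificate or has already expired.
$raw  = [Convert]::FromBase64String($cert)
$x509 = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($raw)
if ($x509.NotAfter -lt (Get-Date)) { throw "IDaaS signing certificate expired on $($x509.NotAfter)." }

$logon  = "https://$IdaasDomain/api/saml/SAML2/SSO"
$logoff = "https://$IdaasDomain/logout.html"
$activeLogOnUri = $logon   # use the Active Logon URI from Step 3 instead if ActiveSync is enabled

Set-MsolDomainAuthentication -DomainName $Domain -FederationBrandName $Domain `
    -Authentication Federated -PassiveLogOnUri $logon -ActiveLogOnUri $activeLogOnUri `
    -IssuerUri $issuer -LogOffUri $logoff -PreferredAuthenticationProtocol SAMLP `
    -SigningCertificate $cert

# Success prints nothing, so read the settings back and compare them with the metadata.
$fed = Get-MsolDomainFederationSettings -DomainName $Domain
$fedCert = $fed.SigningCertificate -replace '\s', ''
if ($fed.IssuerUri -ne $issuer -or $fed.PassiveLogOnUri -ne $logon -or $fedCert -ne $cert) {
    throw "Federation settings for $Domain do not match the metadata file."
}
"Federated $Domain to issuer $issuer (signing cert thumbprint $($x509.Thumbprint), expires $($x509.NotAfter))"
```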
Add users for Microsoft Office 365 access
This procedure describes how to add user accounts on Microsoft Office 365 and Identity as a Service so that single sign-on (SSO) attempts from Microsoft Office 365 to Identity as a Service are successful. You can add users as follows:
Add users one at a time
Add users through external directory synchronization
Add users using PowerShell
Attention: To simplify configuring ActiveSync on a mobile device, when creating new users, ensure that the user name is the same as the Identity as a Service User ID. For example, if the User ID in Identity as a Service is agrey, assign the user name agrey@mycompany.com to the new user in Microsoft Office 365.
Create users for Microsoft Office 365 using one of the following methods.
Create users one at a time.
To add users individually to your Microsoft Office 365 account, see Add users individually or in bulk to Microsoft Office 365 - Admin Help for instructions.
Create users using external Directory Synchronization.
If you are using external Directory Synchronization tools such as AD Connect to create users in Microsoft Office 365, the user's on-premises directory objectGUID is synchronized as the Microsoft Office 365 ImmutableID. In that case, skip to Step 3.
Note: In cases where your user moves directory forests, the ObjectID will change but the ImmutableID will not. In such cases, you need to manually modify the ImmutableID as described in Understand and Modify Microsoft Office 365 users ImmutableID or Reconnecting Cloud Users with Old/Previous/Moved AD User Objects.
Create users using PowerShell.
There are two ways to create users in PowerShell: manually (one-by-one) or bulk importing user profiles using a CSV file.
Manually creating users in PowerShell
To create a user using PowerShell, open PowerShell and enter a command containing the correct LicenseAssignment value. To get the LicenseAssignment value, enter:
Get-MsolAccountSku
Once identified, enter the following to create a new user:
New-MsolUser -DisplayName "<Name>" -FirstName "<First name>" -LastName "<LastName>" -UserPrincipalName <name>@<domain> -ImmutableID <character string> -UsageLocation <Location initials> -LicenseAssignment <LicenseAssignment value>
You can enter any value for <character string>.
The same command structure for creating a user can be used to create a PowerShell script.
Bulk importing user profiles using a CSV file
Follow the steps described in Create user accounts with Microsoft Office 365 PowerShell. Be sure to include the ImmutableID parameter when creating the users.
Verify that your users have been created by reviewing your list of users in the Microsoft Office 365 UI.
Return to the PowerShell command line interface. Enter the following to get the UserPrincipalName and ImmutableID values:
Get-MsolUser | Select-Object UserPrincipalName, ImmutableID
Create an Immutable ID for each user that does not have one by entering
Set-Msoluser -UserPrincipalName <user@tenantname.onmicrosoft.com> -ImmutableID <character string>
You can enter any value for <character string>.
Note: If you have synced with On-premises AD, replace -ImmutableID <character string> with the Identity as a Service user profile ImmutableID value. For example, -ImmutableID +FELF0aANBcvfWMLSD=
To find the user's ImmutableID, on Identity as a Service, go to Members > Users to display the Users List page. Click the user to view the user profile and scroll to Optional Attributes. For more information, see Map ImmutableID to directory objectGUID.
Leave the list of user credentials that appear in PowerShell open.
Log in to your Identity as a Service account.
Add the users that you created for your Microsoft Office 365 account on Identity as a Service. You can do this through Active Directory Synchronization, Bulk Import, or adding users individually.
Enter the ImmutableIDs and User Principal Name values listed in PowerShell into the Identity as a Service O365 ImmutableID and User Principal Name attribute fields. To do this:
Click > Members > Users.
The Users List page appears.
Click the User ID for the profile you want to edit. The User Profile page appears.
Under Attributes, do the following:
Locate the attribute you created for the O365 ImmutableID and on the line below it, enter the O365 ImmutableID from PowerShell.
Locate the attribute for the User Principal Name and on the line below it, enter the User Principal Name from PowerShell.
Click Save.
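An added example, not part of the original guide, for the PowerShell part of the procedure above: it lists every Office 365 user, gives each cloud-only user that has no ImmutableID one, and writes a UserPrincipalName/ImmutableID list to keep open while entering the O365 ImmutableID and User Principal Name attributes on each Identity as a Service profile. The output path and the IdaasIds table (UPN to Identity as a Service profile ImmutableID, for users that exist in on-premises AD) are placeholders; the base64-of-objectGUID encoding is the one AD Connect uses for its default source anchor.

```powershell
param(
    [string]$OutCsv      = 'C:\idaas\immutable-ids.csv',   # placeholder: list to key into IDaaS
    [hashtable]$IdaasIds = @{}                             # placeholder: UPN -> IDaaS profile ImmutableID
)

# AD Connect sets ImmutableID to the base64 encoding of the on-premises objectGUID bytes,
# so encoding a GUID the same way keeps cloud-only users consistent with synced ones.
function ConvertTo-ImmutableId([guid]$ObjectGuid) {
    [Convert]::ToBase64String($ObjectGuid.ToByteArray())
}

Connect-MsolService

$report = foreach ($u in Get-MsolUser -All) {
    $upn = $u.UserPrincipalName
    if ($u.LastDirSyncTime) {
        # Synced into Office 365 by AD Connect: the ImmutableID is owned by the sync, leave it.
        $id = $u.ImmutableId
    } elseif ($IdaasIds.ContainsKey($upn)) {
        # User exists in on-premises AD: Office 365 must carry the IDaaS profile value.
        $id = $IdaasIds[$upn]
    } elseif ([string]::IsNullOrEmpty($u.ImmutableId)) {
        # Cloud-only user with no ImmutableID yet: any value works, so mint a GUID-shaped one.
        $id = ConvertTo-ImmutableId ([guid]::NewGuid())
    } else {
        $id = $u.ImmutableId
    }
    if ($id -ne $u.ImmutableId) {
        Set-MsolUser -UserPrincipalName $upn -ImmutableId $id
    }
    [pscustomobject]@{ UserPrincipalName = $upn; ImmutableID = $id }
}

# The exported list is what you copy into the IDaaS O365 ImmutableID and
# User Principal Name attribute fields for each user.
$report | Export-Csv -Path $OutCsv -NoTypeInformation
$report | Format-Table -AutoSize
```

Run it once before the Identity as a Service attribute entry step; the same Get-MsolUser | Select-Object UserPrincipalName, ImmutableID query from the guide shows the values it set.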
Once you finish the prerequisites, complete the following procedures:
Configure Microsoft Entra ID to support LDAP
Synchronize Microsoft Entra ID External users with IDaaS