Azure AD/On-Prem AD Hybrid Environment - Federating Microsoft 365 Domain

Note: The information below applies only to an Azure AD/On-Prem AD hybrid environment. If you only use Entra ID (formerly Azure AD) and want to federate, please refer to the following article - Azure AD - Federating Microsoft 365 domain

How does it work?

Would you like to use Evo as your Identity Provider for your Office 365 domain? You can certainly do so! This article will guide you through it. Before you start, you need certain prerequisites in place, and there is one precaution to take:

  • The environment must use on-prem AD (Active Directory) or AD FS (Active Directory Federation Services).
  • After federation, IT admins can no longer create new users in Azure AD; new users must be created in on-prem Active Directory.
  • Only synced users can authenticate successfully; they must exist in the on-prem AD.
  • Make sure you change your primary domain to yourdomain.onmicrosoft.com instead of yourdomain.com (see the screenshot at the bottom of the page).

Note: The federation process is straightforward, but it can get complicated at times. Before federating your domain, feel free to let us know; we will be happy to help you directly.

WARNING: Once you federate your domain, you will immediately begin using Evo Security as your identity provider. If you have not configured your users in Evo, please do so before attempting this, as you can lock yourself out of your Office 365 environment.

Federating the Domain

1. In an administrative PowerShell window, begin by connecting to Microsoft Online Services by running these commands:

# Installs the Microsoft Graph PowerShell SDK (one-time)
Install-Module Microsoft.Graph
# Signs in and requests the scopes needed to read and change domain federation settings
Connect-MgGraph -Scopes "Domain.ReadWrite.All", "Directory.AccessAsUser.All"

2. When prompted, sign in with the admin@domain.onmicrosoft.com account of your Office 365 tenant. Once complete, you'll be connected to the Microsoft Online Service!

3. Head to your Evo Security environment and log in. Once logged in, locate the "Applications" page under your desired tenant.

4. Once on the Applications page, click the Office 365 Integration tile.

5. Click Setup Instructions in the top right. You will now see the script you need to run. There is a variable you need to change, so click "Copy Script" at the bottom and paste the script into Notepad or any other text editor of your choice.

NOTE: You can ignore the commented out section near the top of the script. These comments are for informational purposes only.

6. In the text editor, locate this line near the top of the script:

$dom = "yourdomain.com"

Change "yourdomain.com" to the name of your domain, keeping the quotation marks so the value stays a string.

7. With this change made, copy and paste the edited line (including the $dom =) into the PowerShell window and run it. The domain variable is now set for your domain.

8. After setting the variable, set the signing certificate. Copy and paste, beginning with $MySigningCert and ending with the final quotation mark after -----END CERTIFICATE-----. The signing certificate variable is now set.

9. Finally, run the rest of the script: copy and paste from New-MgDomainFederationConfiguration through enforceMfaByFederatedIdp. You have now finished running the federation script!

10. To confirm that your domain has been federated, run this command:

Get-MgDomain

You should see the list of domains in your tenant; the domain you chose should now show Federated as its authentication type.
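The ten steps above, gathered into one re-runnable script as an added example. This is not the script that Evo's Setup Instructions page generates and not Microsoft's sample code; it uses only the cmdlets the article already names (Connect-MgGraph, New-MgDomainFederationConfiguration, Get-MgDomain). Every URI, the display name and the certificate body are placeholders to be replaced with the values from the Evo script; the protocol value is assumed; and the function names Test-FederationPreflight and Set-EvoFederation are my own. What it adds to the steps is a pre-flight check for the lock-out conditions the prerequisites and the WARNING describe (the admin session belonging to the domain being federated, the domain still being the primary domain, an unverified domain) and a read-back of the authentication type afterwards. The same function can be run once per alias domain with that alias's Federated Data, which is what the "Syncing Multiple Domains" section below asks you to do by hand.

```powershell
# Added example, not the Evo-generated script. Requires: Install-Module Microsoft.Graph (step 1).
Connect-MgGraph -Scopes "Domain.ReadWrite.All", "Directory.AccessAsUser.All"

$dom = "yourdomain.com"   # domain to federate (placeholder; keep the quotes)

# Placeholder values; copy the real ones from the Evo "Setup Instructions" script.
# If the Evo script does not pass one of these parameters, drop it from the table and the call.
$evo = @{
    DisplayName         = "Evo Security"
    IssuerUri           = "https://<evo-issuer-uri-from-setup-instructions>"
    PassiveSignInUri    = "https://<evo-passive-signin-uri>"
    ActiveSignInUri     = "https://<evo-active-signin-uri>"
    SignOutUri          = "https://<evo-signout-uri>"
    MetadataExchangeUri = "https://<evo-metadata-exchange-uri>"
    Protocol            = "saml"     # assumed; use whatever value the Evo script passes
}
# Paste the certificate exactly as it appears in the Evo script (step 8).
$MySigningCert = "<signing certificate from the Evo script>"

function Test-FederationPreflight {
    param([Parameter(Mandatory)][string]$DomainId)
    $ctx = Get-MgContext
    if (-not $ctx) { throw "Not connected. Run Connect-MgGraph first (step 1)." }

    # Lock-out guard (see the WARNING): the admin account in use must not live on the
    # domain being federated, or it is itself sent to Evo the moment the change applies.
    if ($ctx.Account -like "*@$DomainId") {
        throw "Signed in as $($ctx.Account). Reconnect with your admin@<tenant>.onmicrosoft.com account."
    }

    $d = Get-MgDomain -DomainId $DomainId
    if (-not $d.IsVerified) { throw "$DomainId is not a verified domain in this tenant." }
    # Prerequisite: the primary (default) domain should already be <tenant>.onmicrosoft.com.
    if ($d.IsDefault) { throw "$DomainId is still the primary domain; change the primary domain first." }
    if ($d.AuthenticationType -eq "Federated") {
        Write-Warning "$DomainId is already Federated; nothing to do."
        return $false
    }
    return $true
}

function Set-EvoFederation {
    param(
        [Parameter(Mandatory)][string]$DomainId,
        [Parameter(Mandatory)][hashtable]$Idp,
        [Parameter(Mandatory)][string]$SigningCertificate
    )
    if (-not (Test-FederationPreflight -DomainId $DomainId)) { return }

    # Step 9: the same call the Evo script makes, fed from $Idp.
    New-MgDomainFederationConfiguration -DomainId $DomainId `
        -DisplayName $Idp.DisplayName `
        -IssuerUri $Idp.IssuerUri `
        -PassiveSignInUri $Idp.PassiveSignInUri `
        -ActiveSignInUri $Idp.ActiveSignInUri `
        -SignOutUri $Idp.SignOutUri `
        -MetadataExchangeUri $Idp.MetadataExchangeUri `
        -SigningCertificate $SigningCertificate `
        -PreferredAuthenticationProtocol $Idp.Protocol `
        -FederatedIdpMfaBehavior "enforceMfaByFederatedIdp" | Out-Null

    # Step 10: read the state back instead of assuming the call took effect.
    $after = Get-MgDomain -DomainId $DomainId
    if ($after.AuthenticationType -ne "Federated") {
        throw "$DomainId still reports $($after.AuthenticationType); check the values taken from the Evo script."
    }
    Write-Host "$DomainId is now Federated."
}

Set-EvoFederation -DomainId $dom -Idp $evo -SigningCertificate $MySigningCert

# Step 10 for the whole tenant: every domain with its authentication type.
Get-MgDomain | Select-Object Id, AuthenticationType, IsVerified, IsDefault
```

The pre-flight check is the part worth keeping even if you run the Evo script by hand: it turns the two ways of locking yourself out (federating the domain your own admin account lives on, or federating while it is still the primary domain) into an error before anything changes, and the read-back at the end tells you whether the change actually landed rather than leaving you to find out at the next sign-in.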

Configuring the Application on Evo

Within the application you just created, you can now click “Auto-Fill Details”.

From here you can upload an XML file or enter your Metadata URL.

Here’s an XML file you can use to populate the Office 365 application within Evo if needed.

Here’s an example, using the XML above, of what it will look like on the Evo side once properly configured.

Now when you go to log in to your Microsoft account, you will be redirected to Evo Security and must authenticate with Evo!

Syncing Multiple Domains to the same Federation (Limit 5)

Evo Security allows multiple domains to be associated with a single Federation configuration by using the Aliases feature within the application setup.

This is useful when:

  1. A customer has multiple Microsoft 365 domains
  2. Multiple verified domains need to authenticate through the same Evo Federation
  3. An additional domain needs to use the same Federation settings as an existing primary domain
  4. A tenant wants several domains to share one Office 365 / Microsoft 365 federation configuration

Limit: Up to 5 domains can be associated with the same Federation.

In the Evo Portal:

  • Go to Applications
  • Select the Federation / application you want to update
  • Under Aliases, choose Add+ and give the alias a unique name
  • Go to “Setup Instructions” and select your Alias at the top
  • Copy the Federated Data shown for that alias domain
  • Use this Federated Data to configure the additional domain the same way the original domain was configured (see Federating the Domain above)
  • Multiple domains are now associated with the same Federation

Defederating the Domain

Defederation is easy! Make sure you are still logged in to Microsoft Online Services and run this PowerShell command:

Update-MgDomain -DomainId "yourdomainname.com" -AuthenticationType "Managed"

(make sure you replace yourdomainname.com with the name of the domain you federated!)

You should now be defederated!

Note: Change your primary domain to yourdomain.onmicrosoft.com in Azure Active Directory.

Troubleshooting

Sometimes the federation process takes longer than expected; please be patient. It can take up to 30-60 minutes. The symptom you may see is that logging in to Microsoft does not redirect to the Evo login page, yet users also cannot log in to Microsoft. This means the federation is taking more time than usual to process.
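An added check for the situation described in Troubleshooting, not part of the original article: it watches the domain from both sides at once, the tenant side via Get-MgDomain (as in step 10) and the client side via Microsoft's public home-realm-discovery endpoint (login.microsoftonline.com/getuserrealm.srf), which is what sign-in clients consult to decide whether to redirect a user to the federated identity provider. While the tenant already says Federated but realm discovery still says Managed, you are inside the propagation window the article describes and there is nothing to fix; if both say Federated but AuthURL does not point at your Evo sign-in address, the federation values themselves need attention. The function names, the test UPN and the polling interval are my own choices; the Graph session from step 1 is assumed to still be open.

```powershell
# Added example (not part of the article). The tenant-side check needs the Connect-MgGraph
# session from step 1; the realm-discovery call needs no authentication at all.

function Get-RealmInfo {
    param([Parameter(Mandatory)][string]$Upn)
    # Public home-realm-discovery endpoint used by Microsoft sign-in clients.
    $uri = "https://login.microsoftonline.com/getuserrealm.srf?login=$([uri]::EscapeDataString($Upn))&xml=1"
    [xml]$realm = Invoke-RestMethod -Uri $uri -Method Get
    [pscustomobject]@{
        Login         = $realm.RealmInfo.Login
        NameSpaceType = $realm.RealmInfo.NameSpaceType   # "Federated" or "Managed"
        AuthURL       = $realm.RealmInfo.AuthURL         # IdP sign-in URL once Federated
    }
}

function Wait-ForFederation {
    param(
        [Parameter(Mandatory)][string]$DomainId,
        [Parameter(Mandatory)][string]$TestUpn,   # any UPN on $DomainId, e.g. a synced test user
        [int]$TimeoutMinutes = 60,                # matches the 30-60 minute window above
        [int]$IntervalSeconds = 120
    )
    $deadline = (Get-Date).AddMinutes($TimeoutMinutes)
    do {
        $tenantSide = (Get-MgDomain -DomainId $DomainId).AuthenticationType
        $realm      = Get-RealmInfo -Upn $TestUpn
        Write-Host ("{0:HH:mm:ss} tenant={1} realm-discovery={2} AuthURL={3}" -f `
            (Get-Date), $tenantSide, $realm.NameSpaceType, $realm.AuthURL)

        if ($tenantSide -eq "Federated" -and $realm.NameSpaceType -eq "Federated") {
            return $true    # both sides agree; sign-ins will now redirect to Evo
        }
        Start-Sleep -Seconds $IntervalSeconds
    } while ((Get-Date) -lt $deadline)

    Write-Warning "Timed out after $TimeoutMinutes minutes; tenant=$tenantSide, realm-discovery=$($realm.NameSpaceType)."
    return $false
}

# Usage (placeholders):
# Wait-ForFederation -DomainId "yourdomain.com" -TestUpn "testuser@yourdomain.com"
```

The same two-sided view is useful after defederation in reverse: Update-MgDomain changes the tenant side immediately, but sign-in clients keep following realm discovery, so a user who still lands on Evo for a while after the domain reports Managed is seeing propagation, not a failed defederation.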