
Adding Microsoft Office 365 as an SSO App in UniFi Identity Enterprise

Adding a Domain

Note: Microsoft does not allow a tenant's primary (default) domain to be set as federated, and federation is required to configure Microsoft 365 as a SAML app in UniFi Identity Enterprise. If the domain you want to federate is currently your default domain, change the default domain to another domain first.

  1. Sign in to the Microsoft Admin Center and enter the Domains page.
  2. Click Add Domain and then enter the domain name.
  3. Click Use this domain.
  4. Select Add a TXT record to the domain’s DNS records.
  5. Click Continue.
  6. Add the TXT record that Microsoft 365 provides to the domain's DNS zone at your DNS provider.
  7. Click Verify.

Adding Microsoft Office 365 as an SSO App in UniFi Identity Enterprise 

  1. Sign in to your Identity Enterprise Manager (https://[your workspace domain].ui.com/cloud).

  2. Go to SSO Apps > Add New App > Microsoft Office 365 > Add.
  3. Configure SSO authentication in Microsoft Office 365.
  4. Scroll down to the Settings section, name the app, and fill in the domain and other required information.
  • For example:
    If your default domain is: example.onmicrosoft.com,
    And the added domain is: example-microsoft365.com (the domain whose users you will assign to the app later).
  • Then:
    The Microsoft Tenant Name should be: example.
    The Your Office 365 company domain should be: example-microsoft365.com (the default domain is not allowed in this field).

Configuring Federation Settings Using PowerShell and Microsoft Graph

  1. Open a PowerShell window. An elevated (Run as Administrator) window is not required for a CurrentUser-scope module install, but the account you sign in with in step 5 must have administrative privileges in the Microsoft 365 tenant.
  2. Enable TLS 1.2 (required on Windows PowerShell 5.1 so that Install-Module can reach the PowerShell Gallery).
    [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
  3. Install the Microsoft Graph module (one-time setup).
    Install-Module Microsoft.Graph -Scope CurrentUser
  4. Sign in to Microsoft Graph with the required permissions.
    Connect-MgGraph -Scopes "User.Read.All","Directory.ReadWrite.All","Domain.ReadWrite.All"
  5. After running Connect-MgGraph, sign in with a Microsoft 365 administrator account in the browser window that opens, and consent to the requested permissions.

  6. Retrieve the federation configuration for your custom domain. Replace the domain name with your Office 365 company domain from the previous section (the added domain, not the default *.onmicrosoft.com domain). The "Id" property of the returned object is the "InternalDomainFederationId", which you will need later. If the command returns nothing, the domain is still managed rather than federated and has no federation configuration to update yet.
    Get-MgDomainFederationConfiguration -DomainId <enter-your-domain-name>
  7. Return to Identity Enterprise Manager's Add Microsoft Office 365 page to obtain the information needed for the next step.

    • Sign-On URL
    • Issuer
    • Signing Certificate
    • Your Office 365 company domain
  8. Head back to the PowerShell window and update the federation configuration. Run the following command, replacing the values with the ones from Identity Enterprise Manager, and use the "InternalDomainFederationId" you obtained earlier. The signing certificate must be passed as a single line of base64 text: remove the "-----BEGIN CERTIFICATE-----" and "-----END CERTIFICATE-----" lines and all line breaks. Copy the Sign-On URL and Issuer exactly; Microsoft 365 rejects assertions whose issuer does not match the configured IssuerUri or whose signature does not verify against this certificate.

    Update-MgDomainFederationConfiguration `
    -DomainId "<enter-your-Office-365-company-domain>" `
    -Id "<enter-your-InternalDomainFederationId>" `
    -PassiveSignInUri "<enter-your-sign-on-URL>" `
    -IssuerUri "<enter-your-issuer>" `
    -SigningCertificate "<paste-your-signing-certificate-in-one-line>"
  9. If PowerShell prompts for an Id, enter the InternalDomainFederationId again. Afterwards, run Get-MgDomainFederationConfiguration for the domain once more and confirm that PassiveSignInUri, IssuerUri and SigningCertificate show the values you entered.
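The steps above, carried out as one script. This is an added example and not part of the UniFi article or of Ubiquiti's tooling; the domain, URL and certificate path values are placeholders for the information shown on the Add Microsoft Office 365 page. The script refuses to act on the tenant's default domain, converts a PEM certificate file into the one-line base64 form Graph expects, checks that the certificate has not expired, and reads the federation configuration back after the update. The -PreferredAuthenticationProtocol parameter is not in the article's command; it is included because Identity Enterprise is a SAML 2.0 identity provider, and you should confirm against Microsoft's federation documentation that it applies to your tenant.

```powershell
# Added example, not from the UniFi article. Assumed inputs below are placeholders.
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12

# --- Assumed inputs: replace with the values shown in Identity Enterprise Manager ---
$CompanyDomain = 'example-microsoft365.com'            # the added domain, never the default *.onmicrosoft.com domain
$SignOnUrl     = 'https://example.ui.com/sso/saml'     # placeholder for the page's Sign-On URL
$IssuerUrl     = 'https://example.ui.com/sso/issuer'   # placeholder for the page's Issuer
$CertPath      = 'C:\temp\identity-enterprise-signing.crt'  # Signing Certificate saved as a PEM file

if (-not (Get-Module -ListAvailable -Name Microsoft.Graph.Identity.DirectoryManagement)) {
    Install-Module Microsoft.Graph -Scope CurrentUser
}
Connect-MgGraph -Scopes 'User.Read.All','Directory.ReadWrite.All','Domain.ReadWrite.All'

# Microsoft will not federate the default domain, and an unverified domain cannot be federated either.
$domain = Get-MgDomain -DomainId $CompanyDomain
if ($domain.IsDefault)      { throw "$CompanyDomain is the tenant's default domain; change the default domain first." }
if (-not $domain.IsVerified) { throw "$CompanyDomain is not verified yet; check the TXT record at your DNS provider." }

# Graph expects the certificate as one line of base64 DER without the PEM header/footer.
$pem = Get-Content -Path $CertPath -Raw
$b64 = $pem -replace '-----BEGIN CERTIFICATE-----', '' -replace '-----END CERTIFICATE-----', '' -replace '\s', ''

# Parse it locally to catch a truncated paste or an expired certificate before touching the tenant.
$x509 = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new([Convert]::FromBase64String($b64))
if ($x509.NotAfter -lt (Get-Date)) { throw "Signing certificate expired on $($x509.NotAfter); download a current one." }
Write-Host "Signing certificate thumbprint $($x509.Thumbprint), valid until $($x509.NotAfter)"

# Step 6: the Id of this object is the InternalDomainFederationId.
$fed = Get-MgDomainFederationConfiguration -DomainId $CompanyDomain
if (-not $fed) { throw "No federation configuration exists for $CompanyDomain; the domain is still managed." }

# Step 8: point Microsoft 365 at Identity Enterprise.
Update-MgDomainFederationConfiguration `
    -DomainId $CompanyDomain `
    -Id $fed.Id `
    -PassiveSignInUri $SignOnUrl `
    -IssuerUri $IssuerUrl `
    -SigningCertificate $b64 `
    -PreferredAuthenticationProtocol 'saml'   # assumption: not in the article's command, see lead-in

# Step 9: read the configuration back and confirm the tenant stored what was sent.
$after = Get-MgDomainFederationConfiguration -DomainId $CompanyDomain | Where-Object { $_.Id -eq $fed.Id }
$mismatch = @()
if ($after.PassiveSignInUri  -ne $SignOnUrl) { $mismatch += 'PassiveSignInUri' }
if ($after.IssuerUri         -ne $IssuerUrl) { $mismatch += 'IssuerUri' }
if ($after.SigningCertificate -ne $b64)      { $mismatch += 'SigningCertificate' }
if ($mismatch.Count -gt 0) { throw "Federation update incomplete, mismatched fields: $($mismatch -join ', ')" }
Write-Host "Federation for $CompanyDomain now points at $SignOnUrl (issuer $IssuerUrl)"
```

Keep the downloaded certificate file under the same protection as any other trust anchor: whoever can replace the SigningCertificate value on the domain can mint assertions that Microsoft 365 accepts for every user in that domain, so rotate it through the same reviewed process when Identity Enterprise issues a new one.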

Provisioning Microsoft Office 365 in UniFi Identity Enterprise 

  1. Sign in to your Identity Enterprise Manager (https://[your workspace domain].ui.com/cloud).

  2. Navigate to SSO Apps > Microsoft Office 365 > Provisioning > Integration tab and then turn on Enable API Integration.
  3. Click on Authenticate to finish setting up the Microsoft 365 SSO app.
  4. After the authentication, navigate to Provisioning > Provisioning to App.
    1. Turn on the Create Users toggle and turn off the Deactivate Users toggle.
    2. Unassign and then re-assign existing users' access to the Microsoft 365 SSO app.
Note: If you encounter the error "AADSTS500132: Assertion is malformed and cannot be read.", make sure the "Create Users" toggle is on so that the user the assertion refers to exists in Microsoft 365.