UniFi Identity Enterprise - Add Microsoft Office 365 as an SSO App

Add Domain

Note: Microsoft does not allow a tenant's primary (default) domain to be set as federated, and federation is required to configure the domain as a SAML app in UniFi Identity Enterprise. If the domain you want to federate is currently the default, first change the default to another domain.

  1. Sign in to the Microsoft Admin Center and enter the Domains page.
  2. Click Add Domain and then enter the domain name.
  3. Click Use this domain.
  4. Select Add a TXT record to the domain’s DNS records.
  5. Click Continue.
  6. Use the TXT record provided by Microsoft 365 and add those records to your domain provider.
  7. Click Verify.
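Before clicking Verify it is worth confirming that the TXT record from step 6 is already visible in public DNS; Microsoft's check fails until it has propagated. The following PowerShell snippet is an added example, not part of the original article, and the domain name in it is a placeholder. It relies on the Resolve-DnsName cmdlet shipped with Windows and looks for the "MS=..." value that Microsoft 365 issues for domain ownership.

```powershell
# Added example (not from the UniFi article): confirm the Microsoft 365
# ownership TXT record has propagated before clicking Verify.
$domain = "example-microsoft365.com"   # PLACEHOLDER: the domain you are adding

# Query the TXT records for the domain and keep only Microsoft's "MS=..." value.
$txt = Resolve-DnsName -Name $domain -Type TXT -ErrorAction Stop |
    Where-Object { $_.Strings -like 'MS=*' }

if ($txt) {
    "Found Microsoft verification record for ${domain}: $($txt.Strings -join ', ')"
} else {
    "No MS=... TXT record visible yet for $domain; wait for DNS propagation before clicking Verify."
}
```

Run it from any Windows machine with internet access; if your resolver caches aggressively, add -DnsOnly or -NoHostsFile, or query an external resolver with -Server, to see the record as Microsoft will.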

Configurations on UniFi Identity Enterprise

Add Microsoft Office 365

  1. Sign in to your Identity Enterprise Manager (https://[your workspace domain].ui.com/cloud).

  2. Click SSO Apps.
  3. Click the Add New App icon and you will see all the preconfigured applications.
  4. Click Add on the Microsoft Office 365 tab.
  5. Configure SSO Authentication in Microsoft Office 365.
  6. Scroll down to the Settings section, name the app, and fill in the domain and other required information.

For example, if your default domain is example.onmicrosoft.com and the added domain is example-microsoft365.com (the domain whose users will be assigned to the app at a later stage):

The Microsoft Tenant Name should be: example.
The "Your Office 365 company domain" field should be: example-microsoft365.com (the default domain is not allowed in this field).

Configurations on PowerShell

  1. Open PowerShell as administrator.
  2. Enter the following command:
Connect-MsolService
  • If the prompt returns the error:
connect-msolservice is not recognized as the name of a cmdlet
  • then install and import the required modules by entering the following commands in order, and run Connect-MsolService again:
Install-Module MSOnline
Install-Module AzureAD
Import-Module AzureAD
  3. After the Connect-MsolService command runs successfully, enter the Microsoft 365 third-party administrator username and password in the login window that appears.

  4. Go back to UniFi Identity Enterprise's Add Microsoft Office 365 page.

  5. Click View Setup Instructions to get the information needed for the next part.

  6. Head back to the PowerShell window and enter the following commands (commands starting with $ need to be executed one at a time):

$dom = ""             # the added domain, not the default one
$BrandName = "Sample SAML 2.0 IDP"
$Protocol = "SAMLP"
$LogOnUrl = ""        # the Sign-on URL from the setup instructions
$LogOffUrl = ""       # your UID domain name with the https:// prefix
$MyURI = ""           # the Issuer from the setup instructions
$MySigningCert = ""   # the Public Certificate from the setup instructions, copied as one continuous line (no header, footer or line breaks)
  • If this is the first time this account is setting up the SAML app on Microsoft 365 and the domain is not yet federated, enter the following command (all on one line):
Set-MsolDomainAuthentication -DomainName $dom -Authentication Federated -FederationBrandName $BrandName -PassiveLogOnUri $LogOnUrl -SigningCertificate $MySigningCert -IssuerUri $MyURI -LogOffUri $LogOffUrl -PreferredAuthenticationProtocol $Protocol
Note: This command changes your M365 domain to federated, which redirects sign-in for every user on that domain to UniFi Identity Enterprise; make sure that is what you want before running it.
  • If this account has configured the SAML app on Microsoft 365 before and the domain is not yet federated, enter this command instead (all on one line):
Set-MsolDomainFederationSettings -DomainName $dom -FederationBrandName $BrandName -PassiveLogOnUri $LogOnUrl -SigningCertificate $MySigningCert -IssuerUri $MyURI -LogOffUri $LogOffUrl -PreferredAuthenticationProtocol $Protocol
  • If the domain is already federated, use the following command:
Set-MsolDomainFederationSettings -DomainName $dom -FederationBrandName $BrandName -PassiveLogOnUri $LogOnUrl -SigningCertificate $MySigningCert -IssuerUri $MyURI -LogOffUri $LogOffUrl
  • If a user sees "Sorry, we are having trouble signing you in" after you ran the command for a domain that had not been federated, retry with the command for an already federated domain.
  • If the issue persists, you can skip this step and continue to configure provisioning on UniFi Identity Enterprise.
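The choice between the three commands above depends on the domain's current state, which the tenant can tell you directly. The script below is an added example, not part of the original article, that wires the variables from the setup instructions into that decision. It checks that the domain is verified and is not the tenant default (both of which Microsoft rejects), collapses the IdP certificate from a PEM file into the single base64 line the cmdlet expects, and then runs Set-MsolDomainAuthentication for a managed domain or Set-MsolDomainFederationSettings for an already federated one, finishing with a read-back of what the tenant stored. The file path, domain, URLs and issuer are placeholders; it assumes the MSOnline module is already installed.

```powershell
# Added example (not from the UniFi article): state-aware version of the
# federation commands above. Replace every PLACEHOLDER with the values shown
# under "View Setup Instructions" in UniFi Identity Enterprise.
Import-Module MSOnline
Connect-MsolService   # prompts for the Microsoft 365 administrator credentials

$dom       = "example-microsoft365.com"        # PLACEHOLDER: the added domain, never the default one
$BrandName = "Sample SAML 2.0 IDP"
$Protocol  = "SAMLP"
$LogOnUrl  = "https://PLACEHOLDER-sign-on-url" # Sign-on URL from the setup instructions
$LogOffUrl = "https://PLACEHOLDER.ui.com"      # your UID domain with the https:// prefix
$MyURI     = "PLACEHOLDER-issuer"              # Issuer from the setup instructions

# Read the IdP public certificate from a PEM file and collapse it to one line:
# the cmdlet wants the base64 body only, without BEGIN/END lines or line breaks.
$pemPath = "C:\path\to\idp-certificate.pem"    # PLACEHOLDER
$MySigningCert = (Get-Content $pemPath | Where-Object { $_ -notmatch '^-----' }) -join ''

# Guard 1: the domain must be verified and must not be the tenant's default domain.
$domainInfo = Get-MsolDomain -DomainName $dom
if ($domainInfo.Status -ne 'Verified') {
    throw "$dom is not verified yet; finish the TXT record verification first."
}
if ($domainInfo.IsDefault) {
    throw "$dom is the tenant's default domain; set another domain as default first."
}

# Guard 2: choose the cmdlet from the domain's current authentication type.
if ($domainInfo.Authentication -eq 'Managed') {
    # Managed -> Federated: from now on every user on $dom signs in through the IdP.
    Set-MsolDomainAuthentication -DomainName $dom -Authentication Federated `
        -FederationBrandName $BrandName -PassiveLogOnUri $LogOnUrl `
        -SigningCertificate $MySigningCert -IssuerUri $MyURI -LogOffUri $LogOffUrl `
        -PreferredAuthenticationProtocol $Protocol
} else {
    # Already federated: update the settings in place (mirrors the third command above).
    Set-MsolDomainFederationSettings -DomainName $dom `
        -FederationBrandName $BrandName -PassiveLogOnUri $LogOnUrl `
        -SigningCertificate $MySigningCert -IssuerUri $MyURI -LogOffUri $LogOffUrl
}

# Read back what the tenant stored before testing a user sign-in.
Get-MsolDomainFederationSettings -DomainName $dom |
    Select-Object FederationBrandName, IssuerUri, PassiveLogOnUri, LogOffUri
```

Compare the read-back values character for character with the Issuer and Sign-on URL in the setup instructions: a mismatch in the issuer or a certificate with stray whitespace is the usual cause of the "Sorry, we are having trouble signing you in" page mentioned above.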

Configure Provisioning on UniFi Identity Enterprise

  1. Sign in to your Identity Enterprise Manager (https://[your workspace domain].ui.com/cloud).

  2. Click SSO Apps > Microsoft Office 365.
  3. Go to the Provisioning > Integration tab and then turn on "Enable API Integration".
  4. Click on Authenticate to finish setting up the Microsoft 365 SSO app.
  5. After the authentication, go to Provisioning > Provisioning to App.
    1. Turn on the "Create Users" toggle and turn off the "Deactivate Users" toggle.
    2. Unassign and then re-assign existing users access to Microsoft 365 SSO app.
Note: If you've encountered the error "AADSTS500132: Assertion is malformed and cannot be read.", please make sure the "Create Users" toggle is on.