EUC Horizon Cloud Services Advanced Integrations Day 4

Federating AZURE with Workspace ONE Access and Microsoft 365

Introduction

Disclaimer:

FACT: The Microsoft Azure portal is updated roughly every 36 hours, so do not expect this guide to match every screen and label exactly.

  • As you might know, it is becoming increasingly difficult to create Microsoft 365 Developer trial accounts. As Livefire instructors we have used up our goodwill on the Microsoft side and are unable to create any new Microsoft 365 Developer accounts. For the time being we are able to use existing trial accounts.
  • If you are unsure about your next step, or about anything related to the Azure console and how it relates to this guide, please ASK; we are happy to help.
  • Your understanding regarding these challenges will be greatly appreciated.

There are now two types of attendee who will attempt this lab:

  1. Attendees who have managed to register and subscribe to the Microsoft 365 Developer environment
    OR
  2. Attendees who are using a trial account that has been used before

Group 1: Attendees who have registered and subscribed to the Microsoft 365 Developer environment
    • On your ControlCenter server
    • Open a new Chrome browser session and go to the following URL:
      • https://developer.microsoft.com/en-us/microsoft-365/dev-program
        • Log in with your developer account
          • Select Join Now
        • This should take you to the Microsoft 365 Developer Program
          • Select Go to subscription
          • Log in with your CloudAdmin credentials

The above steps assume you have your own developer account.

Group 2: Attendees who are using a trial account that has been used before
    • On your ControlCenter server
      • Open a new Chrome browser session and go to the following URL:
        • https://portal.office.com
        • Log in with your assigned Cloud Admin credentials
Part 1: Preparing the Microsoft 365 environment to use a dedicated domain name
  1. In the top left-hand corner of Microsoft 365
    • Select the 9-dotted square (app launcher)
    • Once the Apps pop-out expands
      • Select Admin
  2. In the Microsoft 365 admin center window
    • Select Show all
  3. In the Microsoft 365 admin center window
    • Under Support
      • Expand Settings
  4. In the Microsoft 365 admin center window
    • Under Settings
      • Select Domains
  5. In the Domains area
    • Select + Add domain

NOTE: Before moving on to the next section, ensure that you are 100% clear what YOUR registered domain will be.

  • In the course lab we will use a domain naming convention based on the location we are delivering at.
  • We will use the convention corpXXX.euc-livefire.com
  • Where XXX is your assigned domain identifier, which you will find in Microsoft Teams in the Attendee Accounts section
  • In the Microsoft 365 admin center, ensure the Connect a domain you already own radio button is selected and type your registered domain name below it
  6. In the Microsoft 365 admin center window
    • In the Add domain area
      • Under Yes, add this domain now
        • Enter corpXXX.euc-livefire.com
          • Where XXX is your assigned domain identifier
      • At the bottom of the page
        • Select Use this domain
  7. In the Microsoft 365 admin center window
    • In the How do you want to verify your domain? area
      • Ensure the radio button next to Add a TXT record to the domain's DNS records is enabled (default)
    • Select Continue
  8. In the Microsoft 365 admin center window
    • In the How do you want to verify your domain? area
      • Below TXT value
        • Copy the MS=ms...... value
          • In the following steps, we will have this value entered into your assigned zone in AWS Route 53 using vRealize Automation

Do steps 9 to 14 (the vRealize Automation requests) in a separate browser profile.

If you were doing your Azure registration on the Site 1 profile, it is helpful to do the vRA work on the Site 2 profile and have both profiles open side by side.

  9. On your ControlCenter desktop
    • On your Site 2 browser
      • Open a new tab
    • In the address bar
      • Enter https://vra.lab.livefire.dev/
      • Select GO TO LOGIN PAGE
  10. In the Workspace ONE login
    • Under Select your domain
      • Ensure livefire.lab is selected
    • Select Next
  11. In the Workspace ONE login
    • Under Username
      • Enter your assigned dwuser0XX account
        • XX is your assigned Student Login ID
    • Under Password
      • Enter your assigned password
    • Select Sign in
  12. In the vRealize Automation - Cloud Services Console
    • Under My Services
      • Select Service Broker
  13. In the My Resource Usage window
    • Under Update TXT Records
      • Select REQUEST
  14. In the New Request page
    • Update the following:
      • Sub Hosted Zone Prefix*: enter your domain prefix
        • Enter corpXXX, where XXX represents your assigned domain identifier
      • TXT record value*: paste your TXT value (copied in step 8)
    • Select SUBMIT
  15. On your Microsoft 365 admin center page
    • When the vRealize Automation request is complete
    • Select Verify
  16. In the Microsoft 365 admin center window
    • In the Add users and assign licenses page
      • At the bottom of the page
        • Select Do this later
  17. In the Microsoft 365 admin center window
    • In the Connect domain section
      • At the bottom of the page
        • Select Continue
  18. In the Microsoft 365 admin center window
    • In the Connect domain > Add DNS records section
      • Next to MX records (1)
        • Expand the dropdown
        • Under Points to address or value, in line with Expected
          • Copy the output
  19. Switch back to your Service Broker session
    • Select the Catalog tab
  20. In the Catalog area
    • Under Update MX Records
      • Select REQUEST
  21. In the Service Broker
    • On the New Request > Update MX Records page
      • Next to:
        • Sub Hosted Zone Prefix*: enter corpXXX
          • Where XXX is your assigned domain identifier
        • MX record value*: paste your MX record (copied in step 18)
    • Select SUBMIT
  22. On the Connect domain page
    • At the bottom
      • Select Continue
  23. In the Microsoft 365 admin center window
    • In the Setup is complete page
      • Offer a 5-star rating
    • Select Submit
  24. In the Microsoft 365 admin center window
    • In the Thank you for your feedback page
      • At the bottom of the page
        • Select Go to admin center
  25. In the Microsoft 365 admin center window
    • In the left-hand pane
      • Select ... Show all
  26. In the Microsoft 365 admin center window
    • In the left-hand pane
      • Expand Settings
  27. In the Microsoft 365 admin center window
    • In the left-hand pane
      • Under Settings
        • Select Domains

If you are using an existing account, it is very likely you won't have to change your default domain. Validate, and only change it if necessary.

  28. In the Domains area
    • Under Domain name
      • Next to your unique *.onmicrosoft.com domain
        • Select the checkbox
      • Under Domains, in the task area
        • Select Set as default
  29. In the Set this domain as default? window
    • Select Set as default
  30. In the Domains page
    • Validate your default configuration

Your assigned domain (corpXXX.euc-livefire.com) should NOT be the (Default) domain; the *.onmicrosoft.com domain stays the default. Keep your CloudAdmin account on the *.onmicrosoft.com domain as well: once corpXXX.euc-livefire.com is federated in Part 2, sign-ins for that domain depend on Workspace ONE Access, so you need an admin on a managed domain to recover if the federation settings are wrong.
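As an added check (example script, not part of the original lab), the following PowerShell confirms from public DNS that the TXT and MX records requested through vRealize Automation are actually live before you select Verify in the admin center. Microsoft's verification queries public DNS, not the lab DC, so a lookup against the lab resolver can succeed while Verify still fails. The domain, TXT value and MX host below are placeholders; replace them with the values you copied in steps 8 and 18.

```powershell
# Added example (not part of the original lab guide).
# Confirms that the TXT and MX records for the custom domain are visible in
# public DNS before "Verify" is selected in the Microsoft 365 admin center.
# Placeholders: replace $Domain, $ExpectedTxt and $ExpectedMx with your own values.

function Test-M365DnsRecords {
    param(
        [Parameter(Mandatory)] [string] $Domain,
        [Parameter(Mandatory)] [string] $ExpectedTxt,   # the MS=msXXXXXXXX value from the admin center
        [string] $ExpectedMx,                           # the "Expected" MX host, or empty to skip the MX check
        [string] $Resolver     = '8.8.8.8',             # a public resolver, not the lab DC
        [int]    $Attempts     = 6,
        [int]    $DelaySeconds = 20
    )

    for ($i = 1; $i -le $Attempts; $i++) {
        # Resolve-DnsName (DnsClient module) returns one object per record; a TXT
        # record may be split into several strings, so join them before comparing.
        $txtValues = Resolve-DnsName -Name $Domain -Type TXT -Server $Resolver -ErrorAction SilentlyContinue |
                     Where-Object { $_.Type -eq 'TXT' } |
                     ForEach-Object { ($_.Strings -join '') }

        $mxHosts   = Resolve-DnsName -Name $Domain -Type MX -Server $Resolver -ErrorAction SilentlyContinue |
                     Where-Object { $_.Type -eq 'MX' } |
                     ForEach-Object { $_.NameExchange.TrimEnd('.') }

        # -contains on strings is case-insensitive in PowerShell, which is what DNS names need.
        $txtOk = @($txtValues) -contains $ExpectedTxt
        $mxOk  = [string]::IsNullOrEmpty($ExpectedMx) -or (@($mxHosts) -contains $ExpectedMx.TrimEnd('.'))

        Write-Host ('Attempt {0}/{1}: TXT {2}, MX {3}' -f $i, $Attempts,
            $(if ($txtOk) { 'found' } else { 'missing' }),
            $(if ($mxOk)  { 'found' } else { 'missing' }))

        if ($txtOk -and $mxOk) { return $true }
        if ($i -lt $Attempts) { Start-Sleep -Seconds $DelaySeconds }
    }

    Write-Warning "Records for $Domain are not yet visible via $Resolver. Wait before selecting Verify."
    return $false
}

# Example call with placeholder values (replace them with your own before running).
Test-M365DnsRecords -Domain 'corpXXX.euc-livefire.com' `
                    -ExpectedTxt 'MS=ms12345678' `
                    -ExpectedMx  'corpxxx-euc-livefire-com.mail.protection.outlook.com'
```

Run the TXT check after step 14 and the full check (with -ExpectedMx) after step 21; a result of True means both records are answerable from the public resolver, so Verify and Continue should succeed on the first attempt.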

Part 2: Setting the authentication status of Azure from Managed to Federated
  1. On your ControlCenter server
    • Open a new browser tab
    • Enter your Workspace ONE Access tenant URL
    • Log in with your Sysadmin credentials
      • To the right of the Intelligent Hub console
        • Select the TA menu
        • Select Workspace ONE Access Console
  2. In the Workspace ONE Access Console
    • Select Resources
      • In the left menu
        • Select Web Apps
  3. In the Workspace ONE Access console
    • On the right-hand side of the Web Apps area
      • Select SETTINGS
  4. In the Settings window
    • Select SAML Metadata
  5. In the SAML Metadata area
    • In the right pane, scroll down until you find Signing Certificate
    • Below Signing Certificate
      • Select DOWNLOAD
      • In the bottom left corner of your browser
        • When prompted to keep a potentially harmful file
          • Select Keep
  6. On your ControlCenter server
    • On the Desktop
      • Select the START button
        • From the Start menu
          • Select the Windows PowerShell ISE shortcut
  7. In the Windows PowerShell ISE window
    • Enter the following:
      • Install-Module -Name MSOnline
        • With your keyboard
          • Press ENTER
      • When prompted with the
        • "NuGet provider is required to continue" window
          • Select Yes
      • When prompted with the
        • "Untrusted repository" window
          • Select Yes to All
      • If ISE is not running as administrator, use Install-Module -Name MSOnline -Scope CurrentUser instead
  8. In the Windows PowerShell ISE window
    • Enter the following:
      • Connect-MsolService
        • With your keyboard
          • Press ENTER
  9. In the Sign in to your account window
    • Under Sign in
      • Enter your Cloud Admin account
    • Select Next
  10. In the Sign in to your account window
    • Under Enter password
      • Enter your Cloud Admin password
    • Select Sign in
  11. In the Sign in to your account window
    • Select Skip for now (14 days until this is required)

If you are using your own account you will get this prompt; if you are using an assigned account, ignore this step.

  12. In the Windows PowerShell ISE window
    • Enter the following:
      • Get-MsolDomain
        • With your keyboard
          • Press ENTER
  • Note that the Authentication status of both your domains is Managed
  • When we are done
    • our aim is to change the status of your custom domain to Federated
  • We will now proceed step by step to achieve this goal

Disable the clickable link setting in Notepad++ so that the URLs you paste below are treated as plain text:

Select Settings > Preferences

Select Cloud & Link

Under Clickable Link Settings

Next to Enable

Uncheck the checkbox

  13. On your ControlCenter server
    • Copy and paste the commands below into Notepad++
      • Where you have YOURACCESSHOST
        • Replace with your Workspace ONE Access tenant identifier (the part before .vidmpreview.com)
      • Where you have corpXXX
        • Replace with your assigned domain identifier
      • $Cert = we will complete this later (steps 20 to 24)
        1. $Metadata = 'https://YOURACCESSHOST.vidmpreview.com/SAAS/auth/wsfed/services/mex'
        2. $Brand = 'corpXXX'
        3. $Domain = 'corpXXX.euc-livefire.com'
        4. $ActiveSO = 'https://YOURACCESSHOST.vidmpreview.com/SAAS/auth/wsfed/active/logon'
        5. $PLUri = 'https://YOURACCESSHOST.vidmpreview.com/SAAS/API/1.0/POST/sso'
        6. $IssuerUri = 'YOURACCESSHOST'   (without .vidmpreview.com)
        7. $Cert =
  14. On your ControlCenter server
    • Switch back to your Windows PowerShell ISE window
      • Copy your first variable from Notepad++
        • Paste into PowerShell
          1. $Metadata = 'https://YOURACCESSHOST.vidmpreview.com/SAAS/auth/wsfed/services/mex'
            • With your keyboard
              • Press Enter
  15. On your ControlCenter server
    • Copy your second variable from Notepad++
      • Paste into PowerShell
        1. $Brand = 'corpXXX'
          • Where XXX is your assigned domain identifier
            • With your keyboard
              • Press Enter
  16. On your ControlCenter server
    • Copy your third variable from Notepad++
      • Paste into PowerShell
        1. $Domain = 'corpXXX.euc-livefire.com'
          • Where XXX is your assigned domain identifier
            • With your keyboard
              • Press Enter
  17. On your ControlCenter server
    • Copy your fourth variable from Notepad++
      • Paste into PowerShell
        1. $ActiveSO = 'https://YOURACCESSHOST.vidmpreview.com/SAAS/auth/wsfed/active/logon'
          • With your keyboard
            • Press Enter
  18. On your ControlCenter server
    • Copy your fifth variable from Notepad++
      • Paste into PowerShell
        1. $PLUri = 'https://YOURACCESSHOST.vidmpreview.com/SAAS/API/1.0/POST/sso'
          • With your keyboard
            • Press Enter
  19. On your ControlCenter server
    • Copy your sixth variable from Notepad++
      • Paste into PowerShell
        1. $IssuerUri = 'YOURACCESSHOST'
          • With your keyboard
            • Press Enter
  20. On your ControlCenter server
    • Open your Downloads folder
      • Select signingCertificate.cer
        • Right-click and select Edit with Notepad++
  21. In Notepad++
    • Remove the
      • -----BEGIN CERTIFICATE-----
        • and
      • -----END CERTIFICATE-----
    • lines from the certificate
  22. In Notepad++
    • We will now remove all line breaks from the document, so that the certificate body becomes a single Base64 string
      • Select ALL of the certificate portion of the file
      • Press Ctrl + F
        • In the Find window
          • Select the Replace tab
            • Next to Find what:
              • Clear all entries (if necessary)
              • Enter \n (if the file has Windows line endings, enter \r\n instead)
            • Next to Replace with:
              • Leave blank
        • At the bottom of the Replace window
          • In the Search Mode area
            • Next to Extended
              • Select the radio button
        • Select Replace All
        • Check the result: the remaining text must be one line containing only Base64 characters (A-Z, a-z, 0-9, + and /, with up to two trailing = signs) and no spaces
  23. In Notepad++
    • Switch back to your sample script
      • Copy the following: $Cert =
        • Switch back to the tab with your signing certificate
          • In front of your certificate with no line breaks
            • Paste $Cert =
            • Insert a single quotation mark at the beginning and at the end of your certificate
          • In Notepad++
            • Select All (Ctrl + A) and Copy (Ctrl + C)
  24. On your ControlCenter server
    • Switch back to PowerShell
      • Paste into PowerShell
        • $Cert = 'XX'
          • Where XX is your certificate string
      • With your keyboard
        • Press Enter
  25. In the Windows PowerShell ISE window
    • Run the following command (on one line):

Set-MsolDomainAuthentication -DomainName $Domain -Authentication Federated -FederationBrandName $Brand -PassiveLogOnUri $PLUri -SigningCertificate $Cert -IssuerUri $IssuerUri -ActiveLogOnUri $ActiveSO -LogOffUri $PLUri -MetadataExchangeUri $Metadata

  26. In the Windows PowerShell ISE window
    • Enter the following:
      • Get-MsolDomain
  27. In the Windows PowerShell ISE window
    • Notice that your custom domain is now Verified and its Authentication is Federated
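The variable setup and the certificate editing in steps 13 to 27 can be done in a single script. The following is an added example (not the lab's own script): it reads the downloaded signingCertificate.cer, strips the PEM armour in code instead of in Notepad++, checks that the result is a valid, unexpired X.509 certificate, sets the domain to Federated and then reads the stored federation settings back to confirm they match. YOURACCESSHOST and corpXXX are placeholders exactly as in the lab. Two points worth keeping in mind: the signing certificate registered here is what Azure AD uses to accept WS-Fed tokens for corpXXX.euc-livefire.com, so whoever controls the matching private key (your Workspace ONE Access tenant) can assert any user in that domain; and Microsoft has deprecated the MSOnline module in favour of Microsoft Graph PowerShell, so confirm the cmdlets below are still available on your system.

```powershell
# Added example (not part of the original lab guide): Part 2 steps 13-27 as one script.
# Placeholders: YOURACCESSHOST = your Workspace ONE Access tenant name (no .vidmpreview.com),
# corpXXX = your assigned domain identifier.

$AccessHost = 'YOURACCESSHOST'
$Brand      = 'corpXXX'
$Domain     = 'corpXXX.euc-livefire.com'
$CerPath    = Join-Path $env:USERPROFILE 'Downloads\signingCertificate.cer'

$Base      = "https://$AccessHost.vidmpreview.com"
$Metadata  = "$Base/SAAS/auth/wsfed/services/mex"
$ActiveSO  = "$Base/SAAS/auth/wsfed/active/logon"
$PLUri     = "$Base/SAAS/API/1.0/POST/sso"
$IssuerUri = $AccessHost

# Set-MsolDomainAuthentication wants the bare Base64 body of the certificate as one
# string: drop the BEGIN/END lines, join what remains and remove any stray whitespace
# (this replaces the Notepad++ editing in steps 20-23).
$Cert = (@(Get-Content -Path $CerPath) -notmatch '^-----(BEGIN|END) CERTIFICATE-----') -join ''
$Cert = $Cert -replace '\s', ''

# Before trusting it, make sure the string really is an X.509 certificate and is not expired.
$bytes = [Convert]::FromBase64String($Cert)
$x509  = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($bytes)
"Signing certificate: $($x509.Subject)  thumbprint $($x509.Thumbprint)  valid until $($x509.NotAfter)"
if ($x509.NotAfter -lt (Get-Date)) {
    throw 'The downloaded signing certificate has expired; download the current one from Workspace ONE Access.'
}

Connect-MsolService   # sign in with your CloudAdmin account

# Federate the custom domain: Azure AD will now redirect sign-ins for this domain to
# Workspace ONE Access and accept WS-Fed tokens signed with the certificate above.
Set-MsolDomainAuthentication -DomainName $Domain -Authentication Federated `
    -FederationBrandName $Brand -IssuerUri $IssuerUri `
    -PassiveLogOnUri $PLUri -ActiveLogOnUri $ActiveSO -LogOffUri $PLUri `
    -MetadataExchangeUri $Metadata -SigningCertificate $Cert

# Read back what Azure AD stored and compare it with what was intended.
Get-MsolDomain -DomainName $Domain | Select-Object Name, Status, Authentication
$fed = Get-MsolDomainFederationSettings -DomainName $Domain
$fed | Select-Object FederationBrandName, IssuerUri, PassiveLogOnUri, ActiveLogOnUri, MetadataExchangeUri

$storedBytes = [Convert]::FromBase64String($fed.SigningCertificate)
$storedThumb = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($storedBytes).Thumbprint
if ($storedThumb -ne $x509.Thumbprint) {
    Write-Warning "Azure AD holds a different signing certificate ($storedThumb) than the one just uploaded."
} else {
    "Azure AD signing certificate thumbprint matches: $storedThumb"
}
```

The IssuerUri read back here is the value you will enter as the issuer application parameter in Part 3; if the two differ, tokens from Workspace ONE Access will be rejected.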
Part 3: Setting up Workspace ONE Access for Azure Federation
  1. In your Workspace ONE Access SaaS admin console
    • Under Resources > Web Apps
    • In the Web Apps area
      • Select NEW
  2. In the New SaaS Application window
    1. In the Definition area
      • Under Search
        • Enter Office
      • From the dropdown
        • Select Office365 with Provisioning
      • In the bottom right corner
        • Select NEXT

Go back to Notepad++ and copy the value of $IssuerUri (e.g. 'aw-livefirernpod26'), without the quotes. The issuer entered in the next step must be exactly the IssuerUri you set on the domain in Part 2; Azure AD matches the issuer of the incoming token against the federated domain's IssuerUri.

  3. In the New SaaS Application window
    1. In the Configuration area
      • Scroll down until you find Application Parameters
        • Under Name, you have two parameters
          • tenant
          • issuer
            • In line with tenant, under Value
              • Enter your Azure domain FQDN
                • e.g. corpXXX.euc-livefire.com
                  • where XXX is your assigned domain identifier
            • In line with issuer, under Value
              • Enter your Workspace ONE Access tenant name without .vidmpreview.com
                • e.g. if your tenant name is aw-livefirernpod31.vidmpreview.com
                  • then you will enter aw-livefirernpod31
            • Expand Advanced Properties
  4. In the New SaaS Application window
    • In the Configuration area
      • Scroll down to Custom Attribute Mapping
        • Under Name
          • In the UPN row
            • Under the Value column
              • Validate that the configuration is:
                • ${user.userPrincipalName}
          • In the ImmutableID row
            • Under the Value column
              • Replace ${user.objectGUID}
                • with ${user.ExternalId}
      • Select NEXT
  5. In the New SaaS Application window
    • In the Access Policies section
      • Select NEXT
  6. In the New SaaS Application window
    • In the Summary section
      • Select SAVE & ASSIGN
  7. In the Assign window
    • Under Users / Groups
    • Under Deployment type
      • From the dropdowns
        • Ensure both Sales and Marketing are set to
          • Automatic
    • In the bottom right corner
      • Select SAVE
  8. In your Workspace ONE Access Console
    • Select the Integrations tab
      • You will notice it takes you to the Directories area by default
  9. Under Integrations
    • Select Directories
      • Select EUC-Livefire
  10. In the euc-livefire.com Directory
    • In the Directory Sync and Authentication area
      • Next to External ID*
        • Validate that objectGUID is the value
  11. In the euc-livefire Directory
    • Under Sync
      • Select Sync Settings
  12. In the Sync Settings window
    • Select Mapped Attributes
  13. In the Mapped Attributes window
    • Scroll down until you find sourceAnchor
    • To the right of sourceAnchor
      • Edit the existing value objectGUID
        • From the dropdown
          • Select Enter Custom Input
        • In the Enter Custom Input area
          • Enter mS-DS-ConsistencyGuid
    • At the bottom of the Mapped Attributes area
      • Select Save
      • Select Close
Part 4: Configuring domain trust
  1. On your ControlCenter server
    • In the bottom left corner
      • Select the Start button
    • In the Start menu
      • Select Windows Administrative Tools
  2. In the Administrative Tools menu
    • Select the Active Directory Domains and Trusts shortcut
  3. In Active Directory Domains and Trusts
    • In the left-hand pane
      • Select and right-click
        • Active Directory Domains and Trusts
          • Select Properties
  4. In the Active Directory Domains and Trusts window
    • Under Alternative UPN suffixes
      • Enter the FQDN of your Azure domain
        • e.g. corpXXX.euc-livefire.com
          • where XXX is your assigned domain identifier
      • Select Add
      • Select OK
  5. In the Administrative Tools folder
    • Select the Active Directory Users and Computers shortcut
      • Select Open
  6. In the Active Directory Users and Computers console
    • Expand the euc-livefire.com hierarchy
      • Select and expand the Corp OU
        • Select Sales
  7. In the Active Directory Users and Computers console
    • Select the Mark Debio user object
      • Select Properties
  8. In the Mark Debio properties
    • On the Account tab, to the right of the user logon name
      • From the dropdown
        • Select your alternate suffix, e.g. @corpXXX.euc-livefire.com
          • where XXX is your assigned domain identifier
    • To close Mark Debio Properties
      • Select OK
  9. In the Active Directory Users and Computers console
    • Repeat the above steps for at least these accounts:
      • In the Sales OU: Jill Vernio
      • In the Marketing OU: Fernando Dusello
      • In the Marketing OU: Tom Marios
      • In the IT Support OU: Kim Markez
  10. On your ControlCenter server
    • Switch to your Chrome browser
    • Select your Workspace ONE Access session
    • Go to Integrations > Directories > EUC-Livefire
  11. In the EUC-Livefire Directory
    • Next to Sync
      • Select the dropdown
        • Select Sync without Safeguards
  12. In the EUC-Livefire Directory
    • In the Import Status: Sync started pop-up
      • Select Sync Log
  13. In the Sync Log
    • Validate that the sync was successful

A green tick indicates that the sync was successful; a red cross indicates sync failure.

  • Ignore the Alerts
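The ImmutableID mapping in Part 3 and the UPN suffix change in Part 4 are two halves of one requirement: the user that Workspace ONE Access asserts in the WS-Fed token must match the user Azure AD Connect creates, both by UPN and by the ImmutableID/sourceAnchor value. The following added PowerShell (not the lab's own code) applies the UPN suffix to the five lab users from the command line and pre-computes the ImmutableId each of them will carry in Azure AD, which is the Base64 encoding of the objectGUID bytes. It assumes the ActiveDirectory module is available on ControlCenter and that the user and OU names are those listed above. Run it before Azure AD Connect's first sync; the ConsistencyGuid column reads "not set yet" until that sync writes the attribute.

```powershell
# Added example (not part of the original lab guide): Part 4 UPN changes from PowerShell,
# plus the ImmutableId value each user will have in Azure AD.
# Assumptions: ActiveDirectory module present; corpXXX is your assigned domain identifier;
# the user names are the lab accounts listed in Part 4.

Import-Module ActiveDirectory

$Forest = 'euc-livefire.com'
$Suffix = 'corpXXX.euc-livefire.com'
$Users  = 'Mark Debio', 'Jill Vernio', 'Fernando Dusello', 'Tom Marios', 'Kim Markez'

# Step 4 equivalent: register the alternative UPN suffix on the forest if it is missing.
if ((Get-ADForest -Identity $Forest).UPNSuffixes -notcontains $Suffix) {
    Set-ADForest -Identity $Forest -UPNSuffixes @{ Add = $Suffix }
}

function Get-ExpectedImmutableId {
    param([Parameter(Mandatory)] [guid] $ObjectGuid)
    # Azure AD's ImmutableId is the Base64 of the 16 objectGUID bytes in the order
    # Guid.ToByteArray() returns them. Azure AD Connect copies those same bytes into
    # mS-DS-ConsistencyGuid, which Part 3 told Workspace ONE Access to use as sourceAnchor,
    # so both sides end up emitting the same anchor for the user.
    [Convert]::ToBase64String($ObjectGuid.ToByteArray())
}

foreach ($name in $Users) {
    $u = Get-ADUser -Filter "Name -eq '$name'" -Properties 'mS-DS-ConsistencyGuid'
    if (-not $u) { Write-Warning "User '$name' not found in $Forest"; continue }

    # Steps 7-9 equivalent: move the logon name to the verified suffix so Azure AD
    # Connect keeps the UPN instead of rewriting it to the *.onmicrosoft.com domain.
    $newUpn = '{0}@{1}' -f $u.SamAccountName, $Suffix
    Set-ADUser -Identity $u.DistinguishedName -UserPrincipalName $newUpn

    $expected = Get-ExpectedImmutableId -ObjectGuid $u.ObjectGUID
    $cg = $u.'mS-DS-ConsistencyGuid'
    $anchorState = if (-not $cg) { 'not set yet (written by the first Azure AD Connect sync)' }
                   elseif ([Convert]::ToBase64String($cg) -eq $expected) { 'matches objectGUID' }
                   else { 'DIFFERS from objectGUID: a stale anchor will break the token match' }

    [pscustomobject]@{
        User                = $u.Name
        UPN                 = $newUpn
        ExpectedImmutableId = $expected
        ConsistencyGuid     = $anchorState
    }
}
```

A "DIFFERS" result means the object already carries an mS-DS-ConsistencyGuid from an earlier sync of a different object (for example a re-created user): Azure AD would then hold one anchor while the token carries another, and the federated sign-in in Part 7 fails for that user.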
Part 5: Using Azure AD Connect for user provisioning to Azure
  1. On your ControlCenter server
    • Open the Software shortcut
      • Navigate to the Applications > Azurefiles > ADConnect folder
    • Double-click AzureADConnect.msi
      • On the Open File - Security Warning window
        • Select Run
  2. On the Welcome to Azure AD Connect window
    • Next to I agree to the license terms and privacy notice
      • Enable the checkbox
      • Select Continue
  3. In the Express Settings window
    • Select Use express settings
  4. On the Connect to Azure AD window
    • Under USERNAME
      • Enter your documented Azure Cloud Admin account
    • Under PASSWORD
      • Enter your documented Azure Cloud Admin password
    • Select Next
  5. On the Connect to AD DS window
    • Under USERNAME
      • Enter EUC-Livefire\administrator
    • Under PASSWORD
      • Enter VMware1!
    • Select Next
  6. On the Azure AD sign-in configuration page
    • Validate that your custom Azure domain has been Verified
    • Next to Continue without matching all UPN suffixes to verified domains
      • Select the checkbox
    • Select Next
  7. On the Ready to configure window
    • Next to Start the synchronization process when configuration completes
      • Enable the checkbox
    • Select Install
      • Getting to the next step could take a few minutes
  8. On the Configuration complete window
    • Select Exit
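Once Azure AD Connect reports Configuration complete, the following added check (example code, not part of the lab) triggers a delta sync, lists the users that arrived in Azure AD on the custom domain and confirms that each one's ImmutableId equals the Base64 objectGUID of its on-premises source, which is the value Part 3's ImmutableID mapping will send. It assumes the ADSync, ActiveDirectory and MSOnline modules are all installed on ControlCenter. Two caveats about the express-settings path used above: it enables password hash synchronization, so the synced users' password hashes are copied to Azure AD even though sign-in is federated; and "Continue without matching all UPN suffixes" means any user still on an unverified suffix (euc-livefire.com) is created with a *.onmicrosoft.com UPN, which is why Part 4 changed the suffix first.

```powershell
# Added example (not part of the original lab guide): verify the first Azure AD Connect sync.
# Assumptions: run on ControlCenter with the ADSync, ActiveDirectory and MSOnline modules installed;
# corpXXX is your assigned domain identifier.

Import-Module ADSync
Import-Module ActiveDirectory

$Domain = 'corpXXX.euc-livefire.com'

# Force a delta sync instead of waiting for the scheduler (default interval is 30 minutes).
try {
    Start-ADSyncSyncCycle -PolicyType Delta | Out-Null
} catch {
    Write-Warning "Could not start a sync cycle (one may already be running): $($_.Exception.Message)"
}
Start-Sleep -Seconds 60

Connect-MsolService   # CloudAdmin credentials

function Test-SyncedUser {
    param([Parameter(Mandatory)] $CloudUser)
    # Compare the cloud object with its on-premises source by sAMAccountName.
    $sam = ($CloudUser.UserPrincipalName -split '@')[0]
    $ad  = Get-ADUser -Filter "SamAccountName -eq '$sam'"
    $expected = if ($ad) { [Convert]::ToBase64String($ad.ObjectGUID.ToByteArray()) } else { $null }

    [pscustomobject]@{
        UPN             = $CloudUser.UserPrincipalName
        LastDirSyncTime = $CloudUser.LastDirSyncTime
        ImmutableId     = $CloudUser.ImmutableId
        AnchorMatchesAD = [bool]($expected -and ($CloudUser.ImmutableId -eq $expected))
        IsLicensed      = $CloudUser.IsLicensed
    }
}

$synced = Get-MsolUser -All | Where-Object { $_.UserPrincipalName -like "*@$Domain" }
if (-not $synced) {
    Write-Warning "No users on $Domain in Azure AD yet; check the UPN suffix from Part 4 and wait for the sync to finish."
}
$report = $synced | ForEach-Object { Test-SyncedUser -CloudUser $_ }
$report | Format-Table -AutoSize

# Anything with AnchorMatchesAD = False would fail the federated sign-in in Part 7,
# because the ImmutableID claim from Workspace ONE Access would not match the cloud user.
$report | Where-Object { -not $_.AnchorMatchesAD } | ForEach-Object {
    Write-Warning "ImmutableId mismatch for $($_.UPN)"
}
```

IsLicensed is False for every synced user at this point; Part 6 assigns the licences.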
Part 6: Configuring Microsoft 365 licensing
  1. On your ControlCenter server
    • Using the following URL
      • https://admin.microsoft.com/Adminportal/Home?source=applauncher#/homepage
    • Log back in to your Microsoft 365 tenant
      • With your CloudAdmin username
      • With your CloudAdmin password
  2. In the Microsoft 365 admin center
    • In the left-hand pane under Home
      • Select Users
        • Select Active users
  3. In the Active Users area
    • Notice that you have Licensed and Unlicensed users
      • In addition to the accounts we synced in, the developer tenant comes pre-populated with sample user accounts
      • The sample accounts are already licensed, and the developer subscription only allows up to 25 licensed users
      • Select only SAMPLE accounts that hold Microsoft 365 E5 Developer licensing
      • At the top of the browser select Delete user
      • DO NOT delete your CloudAdmin account

This process is purely to keep the tenant clean with euc-livefire accounts.

It won't be necessary to do this step if you have a pre-assigned account.

  4. In the Active Users area
    • Select the radio buttons next to
      • Fernando Dusello
      • Jill Verneo
      • Kevin Ikin
      • Kim Markez
      • Mark Debio
    • From the top menu options
      • At the top of the Active Users area, next to Refresh
      • Select Manage product licenses

Everyone needs to license their newly synced accounts in Microsoft 365.

  5. In the Manage product licenses window
    • Next to Replace
      • Select the radio button
    • Next to Microsoft 365 E5 Developer (without Windows and Audio Conferencing)
      • Select the checkbox
      • Select Save changes
Part 7: Testing to see if the federation works
  1. On your ControlCenter server
    • In your Chrome browser
      • Open an Incognito session
      • In the address bar, enter your Workspace ONE Access tenant URL
  2. On the login window
    • Under Select your domain
      • From the dropdown, select euc-livefire.com
    • Select Next
  3. On the login window
    • Under Username
      • Enter Jill
    • Under Password
      • Enter VMware1!
    • Select Sign in
  4. In the web Intelligent Hub
    • Select Apps
  5. In the web Intelligent Hub
    • Under Apps
      • Select Office 365 with Provisioning
  6. In the Help us protect your account window
    • Select Skip for now (xx days until this is required)
      • xx represents whatever you see on your screen
    • Select Next

You won't be prompted for this when you have an assigned account.

  7. On the Stay signed in? page
    • Select Yes
  8. In the office.com window
    • Notice you have access to your Microsoft 365 applications
    • Using deep links, we are able to publish these applications individually to Workspace ONE Access

Acknowledgements

A BIG and wholehearted thank you to Sascha Warno for his support and guidance.

Sascha is a Staff End User Computing Architect at VMware.

About the Author

About the content author Reinhart Nel

https://www.livefire.solutions/meet-the-team/reinhartnel/

For any questions please email Reinhart at [email protected]
