Federating Microsoft Office 365 with VMware Identity Manager (EMPOWER)

Part 1: Setting Up a Developer Account

Overview

You need an Office 365 E3 Developer subscription to integrate Office 365 with Workspace ONE. This section covers the process of setting one up. A developer subscription gives you a 12-month free trial; $99 per year thereafter.

  1. Open a browser, go to Google and search for office 365 e3 developer subscription.

2. Find the result titled Set up an Office 365 developer subscription and select it.

3. On the Set up an Office 365 developer subscription page, under Set up your subscription, in the Note box, select the join the Office 365 Developer Program hyperlink.

4. On the Welcome to the Office 365 Developer Program page, select Join the Office 365 Developer Program.

5. You will now be redirected a third time, to the Join the Office 365 developer program today! page. Do not select JOIN NOW yet.

 

6. At the top right of the page, select Sign In.

7. On the Microsoft Sign in page, type the email address of an account you own.
(NB! If this account is already associated with an Office 365 tenant you will have to create a new account.)

7.1 Alternatively, select No account? Create one!

7.2 On the Create account page, type your custom email address.

7.3 Select Next.

7.4 On the Create a password page, type a unique password and select Next. Use a password you use nowhere else; this account will end up owning your tenant.

7.5 On the Create account page, enter your country and birthdate and select Next.

7.6 On the Verify email page you are asked for a code. Log in to the mailbox for the address you used, open the verification email, enter the code in the Enter code field and select Next.

7.7 On the Create account page, enter the security characters (CAPTCHA) shown.

7.8 On the Stay signed in? page, select Yes.

7.9 On the Sign in page, type your custom email address and select Next.

7.10 On the Enter password page, type your password and select Sign in.

 

 

8.1 At the top left of the page, select the Microsoft icon.

8.2 At the top right of the page, select your account icon, then select Add your name.

8.3 On the Your info page, type your first name under First name and your surname under Surname, enter the security characters shown, and select Save.

 

9.0 Open an Incognito window in Google Chrome and paste the following URL into the address bar:

https://developer.microsoft.com/en-us/office/dev-program

9.1 At the top right select Sign In. On the Sign in page, type your custom email address and select Next.

9.2 On the Enter password page, type the password you created and select Sign in.

9.3 On the Stay signed in? page select Yes.

9.4 On the Join the Office 365 Developer Program today page select JOIN NOW.

9.5 On the Office 365 Developer Program Signup page, select your Country/Region, type the name of your company, select the two checkboxes (terms and conditions, and information), and select NEXT.

 

10. On the Office 365 Developer Program Preferences page, select enough checkboxes and options for the JOIN button to become available, then select JOIN.

11. Close the Welcome to the Office 365 Developer Program! window by selecting Close.

12. On the Office 365 Developer page select SET UP SUBSCRIPTION.

13. In the Set up your developer subscription window, create a unique admin account. For example, your username could be CloudAdmin and your domain could be your first name and surname.
NB! Document these credentials. This is the tenant's first Global Administrator and, because it lives on the tenant's onmicrosoft.com domain, it remains your cloud-only way back in if federation breaks later.

14. When you are done select Continue.

15. On the Add phone number for security window, enter your country code and your phone number.

16. Select Send code, complete the picture verification, select Next, enter the code sent to your phone and select Set up.

 

17. Once your registration is complete you can log in with your new admin account. On the Your Office 365 subscription page, right-click the Go to subscription hyperlink and select Open link in new tab.

18. On the Sign in window, enter your password and select Sign in.

19. On the Office 365 page, near the middle, select Admin.

20. On the sign in page pick your new CloudAdmin account.

21. If you are prompted with a Welcome to Office 365 Admin Center page, select Skip.

22. Notice that the Office 365 E3 Developer setup is incomplete. Select the Go to setup box.

23. NB! Before moving on to the next section, make sure you are 100% clear what YOUR registered domain will be.

In the course labs the domain naming convention is based on the location the course is delivered at.

For example, if this training session were being delivered in Atlanta, student number 1's domain name might be atlanta01.euc-livefire.com. With 18 attendees there will be 18 different registered domain names following this convention. The DNS configuration for this lab is automated: you will use a vRealize Automation self-service portal to configure your DNS zone.

In the Microsoft 365 admin center, ensure the Connect a domain you already own radio button is selected, type your registered domain name below it (the domain in the screenshot is for demonstration only), and select Next.

Note: there are several ways to register your own domain name with Office 365. The most seamless, trouble-free approach is to register a domain with GoDaddy, a registrar that integrates directly with Office 365: verification takes seconds once the domain is yours, and the name belongs to you for as long as you keep your Office 365 tenant.

Another approach is to do it manually. EUC Livefire already owns a domain name hosted in AWS Route 53. The Office 365 setup wizard includes a step-by-step guide to setting up your zone in Route 53 manually; we have chosen to automate this process to save time.

If you choose the Livefire option, the zone associated with your tenant will probably only be active for a month at most, after which you will need to obtain your own domain name.

For the Livefire option we have automated the process with VMware vRealize Automation (vRA). DNS configuration in AWS Route 53 is normally a fully manual process; more than 98% of it is automated here. You will, however, use vRealize Automation for two configurations:

1. An MS record modification (the TXT record Office 365 uses to verify domain ownership)

2. An MX record modification

You do not have access to AWS Route 53. You will use vRealize Automation to edit these records.

24. On the Verify domain page, notice the step-by-step instructions to follow.

Notice the DNS record fields TXT name, TXT value and TTL.

  • Note! Our hosted DNS service is AWS Route 53, where we own the euc-livefire.com zone. Each of you has your own zone within the euc-livefire.com namespace, e.g. tokyo01.euc-livefire.com. Office 365 verifies ownership of this namespace by looking up the TXT value it shows you, so you will modify your DNS subzone through the vRealize Automation portal in a different browser tab while you work on your O365 tenant.
    1. Click the copy icon next to your MS record (the TXT value, which has the form MS=ms followed by digits).
    2. Select Verify at the bottom of the screen.

      NB! At this point ignore any error messages: the record does not exist in DNS yet.

25.

  • On your ControlCenter2 desktop, open the Chrome browser from the taskbar.
    1. From the bookmarks bar open vRealize Automation.
    2. In the Select your domain dropdown menu select corp.local.
    3. Select Next.

26.

  • vRA continued ...
    1. In the username field type vra-euc-student.
    2. In the password field type VMware1!
    3. Select Sign in.

27. vRA continued ...

  • On the Update zone records catalog item, select Request.

27 (continued).

  • vRA continued ...
    1. In the Zone prefix dropdown menu select the city corresponding to your current location.
    2. In the Zone to update dropdown menu select your DNS zone as described in your information sheet.
    3. Under Records update, next to MS record, replace the existing value by pasting your MS record. NOTE: the MS record value must be enclosed in quotation marks, as TXT record data is.
    4. Select Submit.

28. Wait until the progress shows 100%, then continue with the lab. You may need to refresh your browser if no progress bar appears.

29. Go back to your O365 domain configuration and click Verify. It may report an error because DNS changes take time to propagate; you may need to click Verify a few more times.

30. On the Add new users window select Got it, thanks, then select Next.

31. On the Assign licenses to unlicensed users page select Next.

32. On the Install your Office apps page select Next.

33. On the Migrate email messages page, leave the default Don't migrate email messages radio button selected and select Next.

34. On the Choose your online services page, ensure the Exchange, Skype for Business and Mobile Device Management for Office 365 checkboxes are selected and select Next.

35.

  • On the Add DNS Records page.
    1. When ready, select Verify at the bottom of the Add DNS Records window. If any record fails, reach out to the EUC-Livefire instructor team to get the records fixed, then select Verify again. Note that you may have to wait a few minutes for the records to update in DNS before selecting Verify.
    2. When Verify succeeds, a message confirms that you have configured your Office 365 tenant successfully and you are asked for feedback on your experience.
  • If Verify is not successful and the message mentions MX, go to the next step in this exercise.

 

36.

  • If you get an error mentioning your MX records, follow these steps:
    1. Click the copy icon next to Expected record.
    2. On your ControlCenter2 server, go back to the Update zone records tool and select REQUEST.
    3. Get to your zone and paste the MX record.
      • NOTE: in the example there is a zero in front of the MX record. This is the priority (preference) field and must not be deleted.
    4. Select SUBMIT.
    5. Go to your O365 domain configuration and verify the domain again.
    6. You should get a message saying You've reached the end of the setup.
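Rather than clicking Verify repeatedly and guessing at propagation (steps 24, 29, 35 and 36), you can ask public DNS directly what it sees for your zone. The PowerShell below is an added example for this guide, not part of the original lab: it queries the TXT and MX records the wizard expects, using the built-in Resolve-DnsName cmdlet from the DnsClient module. The zone name, the MS= value and the resolver address are placeholders you replace with your own.

```powershell
# Added example: confirm the Office 365 verification TXT record and the MX record
# are visible in public DNS before clicking Verify in the Microsoft 365 admin center.
# Run from the ControlCenter2 desktop. Requires Windows 8 / Server 2012 or later
# (Resolve-DnsName lives in the built-in DnsClient module).

$Zone       = 'tokyo01.euc-livefire.com'   # your assigned zone (placeholder)
$ExpectedMs = 'MS=ms12345678'              # placeholder: paste the TXT value shown by the wizard
$Resolver   = '8.8.8.8'                    # a public resolver, not the lab's corp.local DNS,
                                           # so a cached negative answer cannot fool you

function Test-O365Txt {
    param([string]$Name, [string]$Expected, [string]$Server)
    $txt = Resolve-DnsName -Name $Name -Type TXT -Server $Server -DnsOnly -ErrorAction SilentlyContinue
    # Each TXT answer carries its strings in .Strings. The wizard compares the value exactly,
    # so an extra quote or trailing space entered in the vRA form shows up here as a mismatch.
    $found = @($txt | ForEach-Object { $_.Strings }) -contains $Expected
    [PSCustomObject]@{
        Record   = "TXT $Name"
        Expected = $Expected
        Present  = $found
        Seen     = (@($txt | ForEach-Object { $_.Strings }) -join ' | ')
    }
}

function Test-O365Mx {
    param([string]$Name, [string]$Server)
    $mx = Resolve-DnsName -Name $Name -Type MX -Server $Server -DnsOnly -ErrorAction SilentlyContinue
    # Office 365 expects an MX pointing at <zone-with-dashes>.mail.protection.outlook.com with
    # preference 0 (the "zero in front" of step 36). The wizard shows the exact host name,
    # so this check only insists on the Microsoft suffix and the zero preference.
    $good = @($mx | Where-Object { $_.NameExchange -like '*.mail.protection.outlook.com' -and $_.Preference -eq 0 })
    [PSCustomObject]@{
        Record   = "MX  $Name"
        Expected = '*.mail.protection.outlook.com (preference 0)'
        Present  = ($good.Count -ge 1)
        Seen     = (@($mx | Where-Object { $_.NameExchange } |
                     ForEach-Object { "$($_.Preference) $($_.NameExchange)" }) -join ' | ')
    }
}

Test-O365Txt -Name $Zone -Expected $ExpectedMs -Server $Resolver
Test-O365Mx  -Name $Zone -Server $Resolver
```

If Present is False for the TXT record but the vRA request shows 100%, the usual causes are a value pasted without the surrounding quotation marks (step 27) or a TTL that has not expired on the resolver you asked; querying a second public resolver separates the two cases.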

37. Select Microsoft 365 admin center next to the nine-dot app launcher in the top left corner.

  • In your Microsoft 365 admin center,
    1. Select the three-line menu icon in the black bar on the left of the console to expand the navigation.
    2. Select the spanner icon for Setup and select Domains.

38.

  • In the Home > Domains interface, check whether the custom namespace you associated with your Office 365 setup has (Default) next to it. If it does, do the following.
    1. Select the domain that is not currently the default (your tenant's onmicrosoft.com domain).
    2. Select Set as default.
    3. Your custom domain cannot be the default domain when federating with VMware Identity Manager. Keeping the onmicrosoft.com domain as the default also keeps your CloudAdmin account cloud-only and unfederated, which is what lets you sign in to fix things if the federation endpoint is unreachable. Select Close. Check that the domain section of your setup matches the screenshot.

Part 2 : Federating Office 365 with VMware Identity Manager.

Since VMware Identity Manager version 2.8, support has been added for user provisioning into Office 365. In Part 2 of this lab we federate our Office 365 tenant with our VMware Identity Manager SaaS tenant.

  1. Using your tenant admin credentials, log in to your SaaS VMware Identity Manager tenant.
    1. At the top right of the Workspace ONE console, under Tenant Admin, select Administration Console.

 

2. Select the Identity & Access Management tab.

  • On the right of the Identity & Access Management tab select Setup > User Attributes.

 

3. In the User Attributes interface, notice that userPrincipalName and distinguishedName are already set to Required and that the objectGUID attribute has already been created.

These are prerequisites for federating Office 365 with VMware Identity Manager: Office 365 matches the federated user on the UPN, and objectGUID supplies the ImmutableID that ties the Office 365 user to the on-premises account.

4. On your ControlCenter desktop, select the Start button and select Administrative Tools.

  1. Select the Active Directory Domains and Trusts shortcut.
  2. In the Active Directory Domains and Trusts MMC, right-click Active Directory Domains and Trusts [ControlCenter2.euc-livefire.com].
  3. Select Properties.
  4. On the UPN Suffixes tab, under Alternative UPN suffixes, type your custom domain name. The example in this lab is tokyo01.euc-livefire.com.
  5. Select Add, select OK to close the window, then close the Active Directory Domains and Trusts window.

 

5.

  • On your ControlCenter desktop:
    1. In the Administrative Tools folder, open the Active Directory Users and Computers shortcut.
    2. Under the euc-livefire.com domain, expand the Corp > Marketing organizational units.
    3. You will notice users User1 to User4. Right-click User1 and select Properties.
    4. On the Account tab, to the right of User logon name:, open the dropdown and select your custom domain.
    5. Repeat for all four users, then close the Active Directory Users and Computers window.
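Steps 4 and 5 can be done from PowerShell instead of the two MMC consoles, which also lets you verify the result before the directory sync in step 6. The script below is an added example for this guide, not part of the original lab; it assumes the lab names (forest euc-livefire.com, OU path Corp\Marketing, custom suffix tokyo01.euc-livefire.com) and the RSAT ActiveDirectory module on ControlCenter2.

```powershell
# Added example: register the custom UPN suffix at forest level and re-point the
# Marketing users at it, then verify. Run in an elevated PowerShell on ControlCenter2.
# Names below are the lab's examples; replace $CustomSuffix with your assigned zone.
Import-Module ActiveDirectory

$Forest       = 'euc-livefire.com'
$CustomSuffix = 'tokyo01.euc-livefire.com'
$SearchBase   = 'OU=Marketing,OU=Corp,DC=euc-livefire,DC=com'

# 1. Add the alternative UPN suffix to the forest (step 4). Idempotent: skipped if present.
$suffixes = (Get-ADForest -Identity $Forest).UPNSuffixes
if ($suffixes -notcontains $CustomSuffix) {
    Set-ADForest -Identity $Forest -UPNSuffixes @{ Add = $CustomSuffix }
    Write-Host "Added UPN suffix $CustomSuffix to forest $Forest"
}

# 2. Re-point every user in the Marketing OU at the new suffix (step 5), keeping the
#    existing logon name (sAMAccountName) as the prefix, exactly as the MMC dropdown does.
$users = Get-ADUser -Filter * -SearchBase $SearchBase -Properties UserPrincipalName
foreach ($u in $users) {
    $newUpn = '{0}@{1}' -f $u.SamAccountName, $CustomSuffix
    if ($u.UserPrincipalName -ne $newUpn) {
        Set-ADUser -Identity $u -UserPrincipalName $newUpn
        Write-Host ('{0,-10} {1} -> {2}' -f $u.SamAccountName, $u.UserPrincipalName, $newUpn)
    }
}

# 3. Verify before syncing into Identity Manager: every UPN in the OU must carry the
#    custom suffix, because that suffix is the federated domain Office 365 matches on.
$wrong = Get-ADUser -Filter * -SearchBase $SearchBase -Properties UserPrincipalName |
         Where-Object { $_.UserPrincipalName -notlike "*@$CustomSuffix" }
if ($wrong) {
    Write-Warning ("Still on another suffix: " + ($wrong.SamAccountName -join ', '))
} else {
    Write-Host "All users under $SearchBase are on @$CustomSuffix"
}
```

Changing a UPN is the kind of bulk change the Identity Manager directory sync safeguards in step 6 are designed to catch, so expect the safeguard warning after running this.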

6.

  • Switch back to your VMware Identity Manager SaaS tenant.
    1. Under the Identity & Access Management tab select Manage.
    2. Select Directories.
    3. Select Sync Now for the Livefire domain.
    4. In the Review window, notice the warning that Directory Sync Safeguards will apply; select the Ignore Safeguards checkbox above the message. The safeguards exist to stop a bulk change such as the UPN rewrite you just made from propagating unreviewed; overriding them is fine in the lab, but in production check what tripped them first.
    5. Select Sync Directory.

7.

  • On your ControlCenter desktop, select the Software shortcut and open the Applications folder. In the Applications folder open the Azurefiles folder. Before running either installer below, confirm it is signed by Microsoft (right-click > Properties > Digital Signatures, or Get-AuthenticodeSignature in PowerShell), since both run with elevated rights.
    1. Open the msoidcli_64.msi installer and, when prompted, select Run.
    2. On the Microsoft Online Services Sign-in Assistant Setup page, select the I accept the terms in the License Agreement... checkbox and select Install.
    3. When the installer finishes select Finish.
    4. If prompted to restart, do so and log in as administrator.

8.

  • In the same Azurefiles folder:
    1. Launch AdministrationConfig-en.msi, select Run, and on the Open File - Security Warning window select Run.
    2. On the Windows Azure Active Directory Module for Windows PowerShell Setup window select Next.
    3. On the License Terms window, ensure the I accept the terms radio button is selected and select Next.
    4. On the Install Location window, select Next.
    5. On the Ready to Install window select Install.
    6. Select Finish.

9.

  • On your ControlCenter server desktop you will notice a Windows Azure Active Directory Module for Windows PowerShell shortcut.
    1. Right-click the shortcut and select Run as administrator.
    2. In the PowerShell console type the following:

      Connect-MsolService
    3. When prompted for a user name and password, use your CloudAdmin account, e.g. cloudadmin@ranmobojo.onmicrosoft.com
    4. Next, create a service principal by typing the following in PowerShell. The -Value is the client secret Identity Manager will present to Office 365; VMware1! is the lab value, so use a strong, unique secret outside the lab:

      $sp = New-MsolServicePrincipal -DisplayName 'ServPrinc1' -Type password -Value 'VMware1!'
    5. Next, assign a role to the ServPrinc1 service principal:

      Add-MsolRoleMember -RoleName 'User Account Administrator' -RoleMemberType ServicePrincipal -RoleMemberObjectId $sp.ObjectId

10. Next, type echo $sp to display the service principal, including the GUID in ServicePrincipalNames.

  • Copy the ServicePrincipalNames GUID without the { }, e.g. 4da8fbdb-5e0d-4c32-8dee-748300f92b19. This is the same value as $sp.AppPrincipalId and is the Client ID you will enter in Identity Manager.
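The following PowerShell is an added example for this guide, not part of the original lab. It performs steps 9.4 to 10 in one pass with a generated secret instead of the shared lab password, confirms the role assignment, and prints exactly the two values the provisioning adapter in Part 2 step 19 needs. It assumes you have already run Connect-MsolService as CloudAdmin; only the display name ServPrinc1 comes from the lab. Note that Microsoft has since retired the MSOnline module in favour of Microsoft Graph PowerShell; the cmdlets are kept here because they are what this page documents.

```powershell
# Added example: create the Identity Manager provisioning service principal with a
# random secret, grant it the role the adapter needs, and report Client ID / Secret.
# Prerequisite: Connect-MsolService already run as the tenant's CloudAdmin account.

# 1. Generate a 32-byte random secret (Base64). Record it now: MSOnline cannot read a
#    service principal's password back out later, only replace it.
$bytes = New-Object byte[] 32
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
$secret = [Convert]::ToBase64String($bytes)

# 2. Create the service principal with a password credential (the lab's step 9.4).
$sp = New-MsolServicePrincipal -DisplayName 'ServPrinc1' -Type Password -Value $secret

# 3. Grant only what provisioning needs (the lab's step 9.5). 'User Account Administrator'
#    can create users and groups and assign licences; do not hand this integration
#    'Company Administrator' (Global Administrator).
Add-MsolRoleMember -RoleName 'User Account Administrator' `
                   -RoleMemberType ServicePrincipal `
                   -RoleMemberObjectId $sp.ObjectId

# 4. Confirm the membership really landed rather than trusting the absence of an error.
$role     = Get-MsolRole -RoleName 'User Account Administrator'
$isMember = [bool](Get-MsolRoleMember -RoleObjectId $role.ObjectId |
                   Where-Object { $_.ObjectId -eq $sp.ObjectId })

# 5. The Client ID the adapter wants is AppPrincipalId; it is the same GUID that step 10
#    has you copy out of ServicePrincipalNames.
[PSCustomObject]@{
    DisplayName  = $sp.DisplayName
    ClientId     = $sp.AppPrincipalId
    ObjectId     = $sp.ObjectId
    RoleAssigned = $isMember
    ClientSecret = $secret       # paste into Identity Manager, then clear it from the session
}

# 6. Do not leave the secret in the shell history or session variables.
Remove-Variable secret, bytes
```

Treat the printed ClientSecret like any other admin credential: it lets whoever holds it create and license users in your tenant. If it is ever exposed, replace it with New-MsolServicePrincipalCredential and Remove-MsolServicePrincipalCredential rather than deleting and recreating the service principal, so the Client ID configured in Identity Manager stays valid.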

11. Return to your VMware Identity Manager SaaS tenant admin console.

  1. Select the Catalog tab in the admin console and select NEW.
  2. In the New SaaS Application window, under Definition, select or browse from catalog.
  3. In the DEFINITION window, in the search area on the right, type off.
  4. Select Office365 with Provisioning by selecting the + sign to the right.

12. On the New SaaS Application window select Next.

13. In the New SaaS Application window, in the Configuration section, add the following:

  • Under Target URL, paste the string below and APPEND your custom domain name at the end, after domain_hint=. In this example the final parameter is:
    domain_hint=tokyo01.euc-livefire.com

https://login.microsoftonline.com/common/oauth2/authorize?client_id=00000002-0000-0ff1-ce00-000000000000&response_mode=form_post&response_type=code+id_token&scope=openid+profile&redirect_uri=https%3a%2f%2foutlook.office365.com&domain_hint=tokyo01.euc-livefire.com

14. In the New SaaS Application window, in the Configuration section, leave the following at their defaults:
           Single Sign-On URL / Application ID / Username Format / Username Value

  1. Under Application Parameters, on the tenant line, under Value, add your custom fully qualified domain name, i.e. tokyo01.euc-livefire.com
  2. Under Application Parameters, on the issuer line, under Value, add your custom domain name in the form used in this lab, i.e. tokyo01.euc-livefire (without the .com). This value must match the -IssuerUri you pass to Set-MsolDomainAuthentication in Part 3.

Make sure there are no hidden carriage returns if you paste these in.

15. In the New SaaS Application window, in the Configuration section, under Advanced Properties, leave the following at their defaults:

           Enable Multiple O365 Email Domains / Credential Verification / Signature Algorithm / Digest Algorithm / Assertion Time

Under Custom Attribute Mapping, keep the default values for UPN and ImmutableID.

  1. Make sure the slider under Setup Provisioning is set to No for now; we will return to this.
  2. On the New SaaS Application window, select Next.

16. In the New SaaS Application window, in the Access Policies section, select NEXT.

17. In the New SaaS Application window, in the Summary section, select SAVE.

18. Notice that you now have Office365 with Provisioning in the Catalog.

  1. Select the checkbox next to Office365 with Provisioning and select EDIT.
  2. In the Edit SaaS Application window, in the left pane, select Configuration; in the right pane, scroll down until you see Setup Provisioning. Notice there are only 4 sections in the left pane.
  3. Change Setup Provisioning from No to Yes. Notice that there are now 7 sections in the left pane. We will now configure Provisioning.

19. In the Edit SaaS Application window, in the left pane, select Provisioning.

  1. In the Provisioning Adapter Configuration, under Office 365 Domain, type your custom domain, e.g. tokyo01.euc-livefire.com
  2. Under Client ID (refer back to section 10 of this lab if necessary), add the ServicePrincipalNames GUID you recorded earlier, e.g. 4da8fbdb-5e0d-4c32-8dee-748300f92b19
  3. Under Client Secret, type the password associated with the service principal. In section 9 the password we used was VMware1!
  4. In the bottom right corner of the Edit SaaS Application window, select Next.

20. In the Edit SaaS Application window you will now notice that the left pane is on the User Provisioning section.

  1. In the Attribute Name section, select Display Name. In the Edit Mapped Value window, in the Value field, open the dropdown and add $(user.userName), then select SAVE.
  2. In the Attribute Name section, select User Principal Name. In the Edit Mapped Value window, in the Value field, open the dropdown and add $(user.userPrincipalName), then select SAVE.
  3. In the Attribute Name section, select Guid. In the Edit Mapped Value window, in the Value field, open the dropdown and add $(user.objectGUID), then select SAVE.
  4. In the Attribute Name section, select Mail Nickname. In the Edit Mapped Value window, in the Value field, open the dropdown and add $(user.userName), then select SAVE.
  5. Select Next.

21. In the Edit SaaS Application window you will now notice that the left pane is on the Group Provisioning section.

  1. Under Group Provisioning select + ADD GROUP.
  2. In the Add Group to Provision window, under Group Name, type Mark and then select Marketing@euc-livefire.com. Under Nickname type Livefire Marketing. Select Save.
  3. In the Edit SaaS Application window, under Group Provisioning, select NEXT.
  4. In the Edit SaaS Application window, under Definition, select SAVE.

22. We will now enable provisioning and save.

  1. In the Catalog for Web Apps, select Office 365 with Provisioning and select Edit.
  2. In the Edit SaaS Application window, in the left pane, select Configuration.
  3. Scroll down until you see Setup Provisioning and change No to Yes. Just above Enable Provisioning is TEST CONNECTION; select it and confirm it succeeds, since it exercises the Client ID and Client Secret against Office 365. In the Edit SaaS Application window select NEXT, NEXT, NEXT, then SAVE.

23. We will now configure the entitlements for the users.

  1. In the Catalog for Web Apps, select Office 365 with Provisioning and select Assign.
  2. In the Assign wizard, type Mark in the search area under Users / User Groups and select Marketing@euc-livefire.com.
  3. Under Deployment Type, open the dropdown and change the Deployment Type to Automatic.
  4. In the Assign wizard, review your configuration and select SAVE in the bottom right corner.

Part 3 : Setting up the SAML between VMware Identity Manager and Office 365

  1. Do this section on your ControlCenter2 server. Log in to the VMware Identity Manager Admin Console as Admin and, under the Catalog tab, select SETTINGS.
    1. In the Settings window, under SaaS Apps, select SAML Metadata. In the right-hand pane, under the SAML Metadata heading, select DOWNLOAD under Signing Certificate.
    2. Open signingCertificate.cer from your default download location.

2. In signingCertificate.cer we will remove all carriage returns from the document.

Do this with Notepad++ on your ControlCenter server. Any hidden carriage returns will cause this exercise to FAIL, because Set-MsolDomainAuthentication expects the certificate as one continuous Base64 string.

  1. Remove the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines from the certificate.
  2. Using your keyboard (backspace and arrow keys), remove the line break at the end of every line so the Base64 text becomes a single line. Be careful not to delete any part of the certificate. If you need help, reach out to your instructor.

3. On the ControlCenter2 server, open the PowerShell window we were working with earlier.

  • In the PowerShell console type the following and sign in with your CloudAdmin credentials (the example we use is cloudadmin@ranmobojo.onmicrosoft.com) and your password:

    Connect-MsolService

4. Next we edit the following PowerShell command for our environment and include the certificate string as part of the command.

  1. Edit the sample string by replacing tokyo01.euc-livefire.com with YOUR CUSTOM fully qualified domain name, and tokyo01.euc-livefire in -IssuerUri with the issuer value you set in Part 2 step 14. The two issuer values must match, or Office 365 will reject the assertions Identity Manager sends.
  2. Edit the sample string by replacing aw-euclivefire.vidmpreview.com with YOUR CUSTOM SaaS VMware Identity Manager tenant fully qualified domain name.

    Example 1 is the command without the certificate.
    Example 2 is the command with the certificate, which you append without introducing any hidden line breaks into PowerShell.

Set-MsolDomainAuthentication -DomainName tokyo01.euc-livefire.com -Authentication Federated -IssuerUri "tokyo01.euc-livefire" -FederationBrandName "tokyo01Corp" -PassiveLogOnUri "https://aw-euclivefire.vidmpreview.com/SAAS/API/1.0/POST/sso" -ActiveLogOnUri "https://aw-euclivefire.vidmpreview.com/SAAS/auth/wsfed/active/logon" -LogOffUri "https://login.microsoftonline.com/logout.srf" -MetadataExchangeUri "https://aw-euclivefire.vidmpreview.com/SAAS/auth/wsfed/services/mex" -SigningCertificate
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

Notice that your signing certificate is all on one line.

Set-MsolDomainAuthentication -DomainName tokyo01.euc-livefire.com -Authentication Federated -IssuerUri "tokyo01.euc-livefire" -FederationBrandName "tokyo01Corp" -PassiveLogOnUri "https://aw-euclivefire.vidmpreview.com/SAAS/API/1.0/POST/sso" -ActiveLogOnUri "https://aw-euclivefire.vidmpreview.com/SAAS/auth/wsfed/active/logon" -LogOffUri "https://login.microsoftonline.com/logout.srf" -MetadataExchangeUri "https://aw-euclivefire.vidmpreview.com/SAAS/auth/wsfed/services/mex" -SigningCertificate <the single-line Base64 certificate string from step 2>

5. We will now check the federation with the following command in PowerShell:

Get-MsolDomainFederationSettings -DomainName tokyo01.euc-livefire.com

The command returns the settings that make up this federation. Confirm that IssuerUri, PassiveLogOnUri and SigningCertificate are the values you just set.
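The hand-editing in step 2 is where this part most often fails, and it gives you no way to check that the certificate Office 365 stored is the one you meant. The PowerShell below is an added example for this guide, not part of the original lab: it flattens signingCertificate.cer in code, shows the thumbprint so you can compare it with the one displayed on the SAML Metadata page, runs the same Set-MsolDomainAuthentication call as step 4 with the lab's example values, and then reads the federation settings back and checks the stored certificate against the file. The .cer path and the variable names are assumptions; it requires PowerShell 5 or later for the ::new() syntax and Connect-MsolService already run as CloudAdmin.

```powershell
# Added example: federate the custom domain from the downloaded .cer without editing
# it by hand, then verify what Office 365 stored. Values are the lab's examples;
# replace $Domain, $IssuerUri, $Brand and $IdmHost with your own.

$Domain    = 'tokyo01.euc-livefire.com'         # custom domain being federated
$IssuerUri = 'tokyo01.euc-livefire'             # must equal the 'issuer' app parameter from Part 2 step 14
$Brand     = 'tokyo01Corp'
$IdmHost   = 'aw-euclivefire.vidmpreview.com'   # your Identity Manager tenant
$CerPath   = "$env:USERPROFILE\Downloads\signingCertificate.cer"   # assumed download location

# 1. Strip the PEM armour and all line breaks: this is step 2 done in code.
$b64 = ((Get-Content -Path $CerPath) |
        Where-Object { $_ -notmatch '^-----(BEGIN|END) CERTIFICATE-----' } |
        ForEach-Object { $_.Trim() }) -join ''
if ($b64 -match '[^A-Za-z0-9+/=]') {
    throw "Certificate text still contains non-Base64 characters; check $CerPath"
}

# 2. Parse it before trusting it, and show what you are about to hand Office 365.
#    Compare the thumbprint with the one shown under Catalog > Settings > SAML Metadata.
$certType = 'System.Security.Cryptography.X509Certificates.X509Certificate2' -as [type]
[byte[]]$der = [Convert]::FromBase64String($b64)
$cert = $certType::new($der)
Write-Host ("Uploading IdP signing cert: {0}`n  thumbprint {1}`n  valid until {2}" -f
            $cert.Subject, $cert.Thumbprint, $cert.NotAfter)

# 3. Federate the domain (the lab's step 4, with the certificate supplied from the file).
Set-MsolDomainAuthentication -DomainName $Domain -Authentication Federated `
    -IssuerUri           $IssuerUri `
    -FederationBrandName $Brand `
    -PassiveLogOnUri     "https://$IdmHost/SAAS/API/1.0/POST/sso" `
    -ActiveLogOnUri      "https://$IdmHost/SAAS/auth/wsfed/active/logon" `
    -LogOffUri           'https://login.microsoftonline.com/logout.srf' `
    -MetadataExchangeUri "https://$IdmHost/SAAS/auth/wsfed/services/mex" `
    -SigningCertificate  $b64

# 4. Read the federation back (the lab's step 5) and prove the stored certificate is ours.
$fed = Get-MsolDomainFederationSettings -DomainName $Domain
[byte[]]$storedDer = [Convert]::FromBase64String($fed.SigningCertificate)
$stored = $certType::new($storedDer)
if ($stored.Thumbprint -ne $cert.Thumbprint) {
    throw "Office 365 stored a different signing certificate ($($stored.Thumbprint)) than the file ($($cert.Thumbprint))"
}
if ($fed.IssuerUri -ne $IssuerUri) {
    throw "IssuerUri mismatch: Office 365 has '$($fed.IssuerUri)', expected '$IssuerUri'"
}
$fed | Select-Object IssuerUri, PassiveLogOnUri, ActiveLogOnUri, MetadataExchangeUri,
                     @{ n = 'SigningCertThumbprint'; e = { $stored.Thumbprint } }
```

Two things this makes visible that the manual procedure hides: the certificate's NotAfter date, because when Identity Manager rotates its signing certificate every federated sign-in to Office 365 fails until this command is rerun with the new .cer, and the IssuerUri, which must be byte-for-byte identical to the issuer configured on the Office365 with Provisioning application or Office 365 will reject every token.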

Part 4 :  Testing the federation

1. Log back in to your Office 365 tenant with your CloudAdmin account at this URL: https://admin.microsoft.com/Adminportal/Home?source=applauncher#/homepage

  1. In the left-hand pane, under Home, select Users > Active users. Notice that the Marketing group users User1 to User4 have been automatically provisioned, with your unique suffix in the user principal name. Also notice that your users are Unlicensed.
  2. Select the User1 checkbox and double-click User1.
  3. In the User1 properties select Edit next to Product licenses.
  4. Under Location, select a location, e.g. United Kingdom. Next to Office 365 Enterprise E3 Developer there is a toggle that is Off; turn it On and select Save.
  5. In the User1 properties select Close.

2. Next to User1's Product licenses select Edit, scroll down and notice that Mobile Device Management for Office 365 is Off. We will enable this in Azure so that we can do compliance with Workspace ONE UEM. Select Cancel to close the Product licenses window.

3. In your existing browser, open a new tab and go to https://portal.azure.com. Your CloudAdmin credentials should log you in automatically; if not, log in with your CloudAdmin account.

  1. On the Welcome to Microsoft Azure window select Maybe later.
  2. In the left-hand pane select Azure Active Directory, then in the middle pane select Mobility (MDM and MAM).
  3. In the right-hand pane, towards the top, select Get a free Premium trial to use this feature -->
  4. Under Activate you will see ENTERPRISE MOBILITY + SECURITY E5 highlighted in purple; below this, select Free trial.
  5. The ENTERPRISE MOBILITY + SECURITY E5 window opens; at the bottom select Activate.
    • Notice the message at the right that your free trial has been successfully activated; it pops up momentarily.

4. Go back to the tab with your Office 365 admin console.

  1. Select Edit next to Product licenses for User1.
  2. Notice that Enterprise Mobility + Security E5 is turned Off.
  3. Next to Enterprise Mobility + Security E5, turn the slider On. Notice you now have a whole range of advanced Azure security features.
  4. Select Save, then close the Product licenses window.

5. Open an Incognito session of your browser and connect to your SaaS instance of VMware Identity Manager.

  1. On the login window, on the Select your domain page, ensure euc-livefire.com is selected and select Next.
  2. Under username, use the username user1 and the password VMware1!, then select Sign in.

6.

  • In the Workspace ONE console:
    1. Under Apps select All Apps.
    2. Next to Office 365 with Provisioning select Open.
    3. You should now see the Microsoft Office 365 console, with no second prompt for credentials: the sign-in was completed by Identity Manager and handed to Office 365 as a federated assertion.

Part 5 : Inserting Office 365 Deep links

A portal-to-portal single sign-on experience very rarely excites a customer. In this section we insert deep links within VMware Identity Manager to enhance the user experience.

1. Inserting Office 365 Deep links

  • On your ControlCenter server, log in to your VMware Identity Manager console as Admin and select the Catalog tab > Web Apps.
    1. Select NEW.
    2. In the New SaaS Application window, under Name, type Microsoft Word.
    3. Under Icon, browse via the Software shortcut on your ControlCenter server desktop to the Icon folder, select Word.png and select OK. At the bottom right select NEXT.
    4. On 2. Configuration, in the Single Sign-On section, under Authentication type, open the dropdown on the right and select Web Application Link.

2. Inserting Office 365 Deep links

  • Copy the URL below into Notepad++, replace EXAMPLEDOMAIN with your assigned domain prefix, then copy the edited URL and paste it under Target URL.
    • https://login.microsoftonline.com/login.srf?wa=wsignin1.0&whr=EXAMPLEDOMAIN.euc-livefire.com&wreply=https://office.live.com/start/Word.aspx?auth=2

    The whr parameter is the WS-Federation home realm hint: it tells login.microsoftonline.com which federated domain the user belongs to, so it redirects straight to Identity Manager instead of showing the Microsoft sign-in page. wreply is where the user is sent after sign-in, which is what makes each link land in a specific app.

3. Inserting Office 365 Deep links

  • Select NEXT > NEXT > SAVE & ASSIGN.
    1. Under Users / User Groups, in the search area type Mark and select Marketing@euc-livefire.com.
    2. Under Deployment Type select Automatic and select SAVE.
    3. In the top right-hand corner select BACK.

4. Inserting Office 365 Deep links

  • Repeat the above steps for the following apps. In each URL, replace lisbonb35 with your assigned domain prefix.
    1. OneDrive
      • https://login.microsoftonline.com/login.srf?wa=wsignin1.0&whr=lisbonb35.euc-livefire.com&wreply=https://zingaramanwell-my.sharepoint.com
      • Replace zingaramanwell with your unique Office 365 tenant name. In this example the admin account is cloudadmin@zingaramanwell.onmicrosoft.com, so zingaramanwell is the tenant name.
    2. Excel
      • https://login.microsoftonline.com/login.srf?wa=wsignin1.0&whr=lisbonb35.euc-livefire.com&wreply=https://www.office.com/launch/excel?auth=2&home=1
    3. PowerPoint
      • https://login.microsoftonline.com/login.srf?wa=wsignin1.0&whr=lisbonb35.euc-livefire.com&wreply=https://www.office.com/launch/powerpoint?auth=2
    4. Outlook
      • https://login.microsoftonline.com/common/oauth2/authorize?client_id=00000002-0000-0ff1-ce00-000000000000&response_mode=form_post&response_type=code+id_token&scope=openid+profile&redirect_uri=https%3a%2f%2foutlook.office365.com&domain_hint=lisbonb35.euc-livefire.com

5. Inserting Office 365 Deep links

  • Switch to a browser in Incognito mode. Using your VMware Identity Manager URL, log in as User1 with the password VMware1!
  • Test your individual links for Office 365.
