
Federating AZURE with VMware Identity Manager and Office 365 as a service

Part 1: Setting Up a Developer Account

You need an Office 365 E3 Developer subscription to be able to integrate with Workspace ONE. In this section we cover the process of setting one up. A developer subscription gives you a 12-month free trial.

An Important NOTE!

  • Be sure to have your attendee document sheet at hand; be prepared to document your configurations immediately.
  • Be 100% clear, from your document, what your assigned domain name is.


  1. Open Google Chrome, go to the Google search page and search for office 365 e3 developer subscription.

2. Find the result that says Set up an Office 365 developer subscription and select it.

3. On the Set up an Office 365 developer subscription page, under Set up your subscription, in the Note box, select the join the Office 365 Developer Program hyperlink.

4. On the Welcome to the Office 365 Developer Program page, select Join the Office 365 Developer Program.

5. You will now be redirected a third time, to the Join the Office 365 developer program today! page. Do not select JOIN NOW.


6. To the right of the page, first select Sign In.

7. On the Microsoft Sign in page, type in the email address of an account you own.
(NB! If this account is already associated with an Office 365 account you will have to create a new account.)

7.1 Alternatively, next to No account? select Create one!

7.2 On the Create account page type your custom email address

7.3 Select Next

7.4 On the Create a password window type a unique password and select Next

7.5 On the Create account page type in your country and Birthdate and select Next

7.6 On the Verify email page you are asked for a code: log into your Gmail account, open the email, find the code, enter it in the Enter code area and select Next.

7.7 On the Create account page, enter the security letters shown for your login.

7.8 On the Stay Signed in page, select Yes

7.9 On the Sign in page type in your custom email address and select Next

7.10 On the Enter password page, type in your password and select Sign in


8.1 To the left of the page, select the Microsoft icon

8.2 Then look to the right of the page and select your account Icon, next select Add your name

8.3 On the Your info page under First name type your custom name and under Surname type your custom Surname, type in the matching security letters and select Save


9.0 Open an Incognito session in Google Chrome and paste the following URL into the address bar:

https://developer.microsoft.com/en-us/office/dev-program

9.1 To the right, select Sign In. On the Sign In page, type in your custom email address and select Next.

9.2 On the Enter password window, type the custom password you created and select Sign in

9.3 On the Stay signed in? window select Yes

9.4 On the Join Office 365 Developer program today page, select JOIN NOW.

9.5 On the Office 365 Developer Program Signup page, select your Country/Region, type in the name of your company, select the two checkboxes (terms and conditions, and information) and select NEXT.


10. On the Office 365 Developer Program Preferences page, select enough checkboxes and options for the Join button to become available, then select JOIN.

11. Close the Welcome to the Office 365 Developer Program! window by selecting Close.

12. On the Office 365 Developer Page select SET UP SUBSCRIPTION

13. In the Set up your developer subscription window, create a unique admin account; for example, your username could be CloudAdmin and your domain could be your first name and surname.
NB! Ensure you document these credentials.

14. When you are done select Continue

15. On the Add phone number for security window, type in your country code and your phone number.

16. Select Send code, work through the security picture block by selecting the relevant pictures, and select Next. Enter the code sent to your phone and select Set up.


17. Once your registration is complete you can log in using your new admin account. On the Your Office 365 subscription page, right-click the Go to subscription hyperlink and select Open Link in New Tab.

18. On the Sign In window, enter your password and select Sign in.

19. On the Office 365 Page almost in the middle select Admin

20. On the sign in page pick your new CloudAdmin account

21. If you get prompted with a Welcome to Office 365 Admin Center Page select Skip

22. Notice that the Office 365 E3 Developer setup is incomplete. Select the Go to setup box.

23. NB! Before moving on to the next section, ensure that you are 100% clear what YOUR registered domain will be.

In the course lab we use a domain naming convention based on the location the session is delivered at.

For example, if this training session were delivered in Atlanta, your domain name might be atlanta01.euc-livefire.com for student number 1. If there are 18 attendees there will be 18 different registered domain names following this convention. We have automated the DNS configuration for this lab, so you will use a vRealize Automation self-service portal to configure your DNS zone.

In the Microsoft 365 admin center, ensure the Connect a domain you already own radio button is selected, type your registered domain name below it (the domain in the screenshot is for demonstration only) and select Next.

Note: when registering your own domain name with Office 365 there are several approaches. The most seamless and trouble-free approach is to register a domain name with GoDaddy. GoDaddy is an example of a registrar that integrates directly with Microsoft's Office 365, so verification takes seconds once you own the name. If you choose this option, the name belongs to you for as long as you choose to use your Office 365 tenant.

Another approach is to do this manually. EUC Livefire already owns a domain name hosted in AWS Route 53. In the Office 365 setup wizard you will notice a step-by-step guide on how to set up your zone in AWS Route 53 manually. We have chosen to automate this process for the sake of time.

If you choose this option, the zone Livefire provides for your tenant will probably only be active for a maximum of a month, after which you will have to find your own domain name.

If you follow the Livefire option, we have automated the process for your convenience using VMware vRealize Automation (vRA). DNS configuration in AWS Route 53 is normally a completely manual process; we have automated more than 98% of it. You will however interact with vRealize Automation for two configurations:

1. MS record modification

2. MX record modification

You do not have access to AWS Route 53. You will use VMware vRealize Automation to edit these records.

24. On the Verify domain page, notice there are step-by-step instructions to follow.

Notice that the DNS record to add has a TXT name, a TXT value and a TTL.

  • Note! Our hosted DNS service is AWS Route 53, where we have our own euc-livefire.com zone. Each of you has your own registered zone that is part of the euc-livefire.com namespace, e.g. tokyo01.euc-livefire.com. Your Office 365 tenant needs to be verified against this namespace, which requires modifying your DNS subzone through the vRealize Automation portal in a separate browser tab while you configure your Office 365 tenant.
    1. Click the copy icon next to your MS record
    2. Select Verify at the bottom of the screen

      NB! At this point ignore any error messages!

25.

  • On your ControlCenter2 desktop, open Firefox from the taskbar
    1. From the bookmarks bar open vRealize Automation
    2. In the Select your domain dropdown select corp.local
    3. Select Next

26.

  • vRA continued ...
    1. In the username field type vra-euc-student
    2. In the password field type VMware1!
    3. Select Sign in

27. vRA continued ...

  • In the Update zone records catalog item, select Request

27.

  • vRA continued ...
    1. In the zone prefix dropdown select the city corresponding to your current location.
    2. In the zone number dropdown select your DNS zone number as described on your information sheet
    3. Under Records update, next to MS record, replace the existing record by pasting your MS record
      NOTE: ensure that your MS record is enclosed in quotation marks
    4. Select Submit

28. Wait until the progress shows 100% and continue with your lab. You might need to refresh your browser if you see no progress bar.

29. Go back to your Office 365 domain configuration and click Verify. It might give an error because of the time DNS replication takes; you may need to click Verify a couple more times.

30. On the Add new users window select Got it, thanks, then select Next

31. On the Assign licenses to unlicensed users page select Next

32. On the Install your Office apps page select Next

33. On the Migrate email messages page leave the default Don't migrate email messages radio button selected and select Next

34. On the Choose your online services page, ensure that the Exchange, Skype for Business and Mobile Device Management for Office 365 checkboxes are selected and select Next

35.

  • On the Add DNS records page:
    1. When ready, select Verify at the bottom of the Add DNS records window. If any record fails, reach out to the EUC Livefire instructor team to get the records fixed and select Verify again. Note that you might have to wait a few minutes for the records to update in DNS before selecting Verify.
    2. When Verify succeeds, the message You just configured your Office 365 tenant successfully is shown and you are asked for feedback on your experience.
  • However, if Verify is not successful and the message is MX related, go to the next step in this exercise.


36.

  • If you get an error mentioning your MX records, follow these steps:
    1. Click the copy icon next to Expected record
    2. On your ControlCenter2 server, go back to the Update zone records tool and select REQUEST
    3. Get to your zone and paste the MX record
      • NOTE: in the example there is a zero in front of the MX record; this is the priority field and must not be deleted.
    4. Select SUBMIT
    5. Go to your Office 365 domain configuration and verify the domain again.
    6. You should get a message saying You've reached the end of the setup
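Both DNS changes in this part (the MS= TXT record from steps 24-29 and the MX record from step 36) only pass Office 365's Verify once the records are visible on public resolvers, which is why the lab tells you to click Verify repeatedly. The function below is an added example, not part of the Livefire lab material: it polls a public resolver with Resolve-DnsName (the DnsClient module that ships with Windows) and returns $true only when both records are present, so you know when clicking Verify will succeed. The zone, MS value and MX host in the usage line are placeholders to replace with the values shown on your own admin center pages.

```powershell
# Added example (not from the lab): poll public DNS for the MS= TXT record and
# the MX record Office 365 asks for, so you click Verify only once they exist.
# Assumes Resolve-DnsName (DnsClient module, Windows 8 / Server 2012 or later)
# and that the resolver is public (8.8.8.8), not the lab's internal DNS.

function Test-O365DomainRecords {
    param(
        [Parameter(Mandatory)] [string] $Zone,        # e.g. tokyo01.euc-livefire.com
        [Parameter(Mandatory)] [string] $MsTxtValue,  # e.g. MS=ms12345678 (from the Verify domain page)
        [string] $ExpectedMxHost,                     # MX host from the Add DNS records page (optional)
        [string] $Resolver     = '8.8.8.8',
        [int]    $Attempts     = 12,
        [int]    $DelaySeconds = 10
    )

    for ($i = 1; $i -le $Attempts; $i++) {
        $txtOk = $false
        $mxOk  = [string]::IsNullOrEmpty($ExpectedMxHost)   # MX check is optional

        # TXT lookup: one object per record; .Strings holds the quoted text.
        # SilentlyContinue so NXDOMAIN during propagation does not abort the loop.
        $txt = Resolve-DnsName -Name $Zone -Type TXT -Server $Resolver -ErrorAction SilentlyContinue
        if ($txt) {
            $txtOk = [bool]($txt | Where-Object { $_.Strings -contains $MsTxtValue })
        }

        if (-not $mxOk) {
            $mx = Resolve-DnsName -Name $Zone -Type MX -Server $Resolver -ErrorAction SilentlyContinue
            if ($mx) {
                # Office 365 expects preference 0: the "zero in front" step 36 warns not to delete
                $mxOk = [bool]($mx | Where-Object {
                    $_.NameExchange.TrimEnd('.') -ieq $ExpectedMxHost -and $_.Preference -eq 0 })
            }
        }

        $txtState = if ($txtOk) { 'found' } else { 'missing' }
        $mxState  = if ($mxOk)  { 'ok' }    else { 'missing' }
        Write-Host ("attempt {0}/{1}: TXT {2}  MX {3}" -f $i, $Attempts, $txtState, $mxState)

        if ($txtOk -and $mxOk) { return $true }
        Start-Sleep -Seconds $DelaySeconds
    }
    return $false
}

# Usage (placeholder values; take the real ones from your own admin center pages):
# Test-O365DomainRecords -Zone 'tokyo01.euc-livefire.com' -MsTxtValue 'MS=ms12345678' `
#     -ExpectedMxHost 'tokyo01-euc-livefire-com.mail.protection.outlook.com'
```

Run it with only -Zone and -MsTxtValue after step 27, and again with -ExpectedMxHost after step 36. A $false result after all attempts usually means the vRA request has not completed or the record was pasted without the quotation marks the lab requires.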

37. Select Microsoft 365 admin center next to the 9-dot blue square in the top left corner.

  • In your Microsoft 365 admin center:
    1. Select the three parallel lines in the black bar to the left of the console; this expands the console
    2. Select the spanner icon for Setup and select Domains

38.

  • In the Home > Domains interface, check whether the namespace you associated with your Office 365 setup has (Default) next to it. If so, do the following:
    1. Select the domain name that is not set as default
    2. Select Set as default
    3. Your custom domain cannot be the default domain when federating with VMware Identity Manager. Select Close. Check that the Domains portion of your setup matches the screenshot.

Part 2: Federating Office 365 with VMware Identity Manager

From VMware Identity Manager version 2.8, support has been added for user provisioning in Office 365. In Part 2 of this lab we federate our Office 365 tenant with a VMware Identity Manager SaaS tenant.

  1. Using your tenant admin credentials, log in to your SaaS VMware Identity Manager tenant.
    1. To the right of the Workspace ONE console, under Tenant Admin, select Administration Console


2. Select the Identity & Access Management tab

  • To the right in the Identity & Access Management tab select Setup > User Attributes


3. In the User Attributes interface, notice that userPrincipalName and distinguishedName are already set to Required and that the objectGUID attribute has already been created.

These are prerequisites for federating Office 365 with VMware Identity Manager.

4.

  • On your ControlCenter2 desktop server, select the Software shortcut and open the Applications folder. In the Applications folder open the Azurefiles folder.
    1. Open the msoidcli_64.msi installer and when prompted select Run
    2. On the Microsoft Online Services Sign-in Assistant Setup page, select the I accept the terms in the License Agreement checkbox and select Install
    3. When the installer is done select Finish
    4. If prompted to restart, do so and log in as administrator

5.

  • On your ControlCenter desktop server, select the Software shortcut and open the Applications folder. In the Applications folder open the Azurefiles folder.
    1. Select and launch AdministrationConfig-en.msi and select Run. On the Open File - Security Warning window select Run
    2. On the Windows Azure Active Directory Module for Windows PowerShell Setup window select Next
    3. On the License Terms window, ensure the I accept the terms radio button is selected and select Next
    4. On the Install Location window select Next
    5. On the Ready to Install window select Install
    6. Select Finish

6.

  • On your ControlCenter server desktop you will notice a Windows Azure Active Directory Module for Windows PowerShell shortcut.
    1. Right-click it and select Run as administrator
    2. For your convenience we have added all the PowerShell commands to a TXT file in the Software folder on the desktop. You can copy the commands from the file directly into PowerShell. Note that some of the commands require editing.
    3. Browse to \\cs1-pd1.euc-livefire.com\software\Applications\Azurefiles, where you will find the file powershell commands.txt
    4. In the PowerShell console type the following:

      Connect-MsolService


  1. When prompted for user name and password, use your Cloud Admin account, e.g. cloudadmin@ranmobojo.onmicrosoft.com
  2. Next we create a service principal; type the following in PowerShell:

    $sp = New-MsolServicePrincipal -DisplayName 'ServPrinc1' -Type Password -Value 'VMware1!'

  3. Next we assign a role to the ServPrinc1 service principal:

    Add-MsolRoleMember -RoleName 'User Account Administrator' -RoleMemberType ServicePrincipal -RoleMemberObjectId $sp.ObjectId

7. Next type echo $sp to get the GUID listed under ServicePrincipalNames

  • Copy the ServicePrincipalNames value without the { } braces, e.g. 4da8fbdb-5e0d-4c32-8dee-748300f92b19
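The three commands in steps 6 and 7 can be wrapped so that the client secret is not left in the PowerShell history, the role assignment is confirmed before you leave the console, and the client ID is returned ready to paste into Workspace ONE. The function below is an added example, not the lab's own script or anything from the MSOnline module itself; it assumes the MSOnline module is installed and Connect-MsolService has already succeeded as your CloudAdmin account. The display name and role name default to the lab's values.

```powershell
# Added example (not the lab's own script): create the provisioning service
# principal from steps 6-7, keeping the secret out of the command history,
# verify the role assignment, and return the client ID without braces.
# Assumes Connect-MsolService has already been run as the CloudAdmin account.

function New-ProvisioningServicePrincipal {
    param(
        [string] $DisplayName = 'ServPrinc1',
        [string] $RoleName    = 'User Account Administrator'   # role the lab assigns
    )

    # Prompt for the client secret instead of typing it on the command line
    # (the lab uses VMware1!; whatever you enter here is what goes into
    # Workspace ONE under Client Secret in step 16).
    $secure = Read-Host -Prompt "Client secret for $DisplayName" -AsSecureString
    $bstr   = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
    try     { $plain = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr) }
    finally { [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr) }

    # -Type Password: a shared-secret credential, which is what the Workspace ONE
    # provisioning adapter expects (Client ID + Client Secret).
    $sp = New-MsolServicePrincipal -DisplayName $DisplayName -Type Password -Value $plain
    Remove-Variable -Name plain

    # The adapter needs a directory role that can create and update users/groups.
    Add-MsolRoleMember -RoleName $RoleName -RoleMemberType ServicePrincipal -RoleMemberObjectId $sp.ObjectId

    # Check the assignment actually landed before leaving PowerShell.
    $role     = Get-MsolRole -RoleName $RoleName
    $assigned = Get-MsolRoleMember -RoleObjectId $role.ObjectId |
                Where-Object { $_.RoleMemberType -eq 'ServicePrincipal' -and $_.ObjectId -eq $sp.ObjectId }
    if (-not $assigned) { throw "Role '$RoleName' was not assigned to $DisplayName" }

    # With no -ServicePrincipalNames supplied the generated AppPrincipalId is used
    # as the only SPN (assumption based on the cmdlet's documented default), so the
    # two GUIDs below match. The { } in 'echo $sp' output are PowerShell's list
    # formatting, not part of the value.
    [pscustomobject]@{
        DisplayName = $sp.DisplayName
        ObjectId    = $sp.ObjectId
        ClientId    = ($sp.ServicePrincipalNames | Select-Object -First 1)
        AppId       = $sp.AppPrincipalId
    }
}

# Usage:
# $result = New-ProvisioningServicePrincipal
# $result.ClientId   # paste this into Workspace ONE > Provisioning > Client ID (step 16)
```

The User Account Administrator role is what the lab grants; it is a broad role, so treat the secret as a privileged credential and record it only in your attendee document, not in shared scripts.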

8. Return to your VMware Identity Manager SaaS tenant admin console

  1. Select the Catalog tab in the admin console and select NEW
  2. In the New SaaS Application window, under Definition, select or browse from catalog
  3. In the DEFINITION window, in the search area to the right, type off
  4. Select Office365 with Provisioning by selecting the + sign to its right

9. On the New SaaS Application window select Next

10. In the New SaaS Application window, in the Configuration section, add the following:

  • Under Target URL add the URL below. The only part to edit is the value after domain_hint= (shown in blue in the lab screenshot): replace tokyo01.euc-livefire.com with your own domain.
https://login.microsoftonline.com/common/oauth2/authorize?client_id=00000002-0000-0ff1-ce00-000000000000&response_mode=form_post&response_type=code+id_token&scope=openid+profile&redirect_uri=https%3a%2f%2foutlook.office365.com&domain_hint=tokyo01.euc-livefire.com

11.

  • In the New SaaS Application window, in the Configuration section, leave the following at their defaults:

      - Single Sign-On URL / Application ID / Username Format / Username Value

  1. Under Application Parameters, in the tenant line under Value, add YOUR custom fully qualified domain name, i.e. tokyo01.euc-livefire.com
  2. Under Application Parameters, in the issuer line under Value, add your custom domain name, i.e. tokyo01.euc-livefire (note: without the .com suffix, as in the example)

Make sure there are no hidden carriage returns if you paste these values in

12. In the New SaaS Application window, in the Configuration section under Advanced Properties, leave the following at their defaults:

- Enable Multiple O365 Email Domains / Credential Verification / Signature Algorithm / Digest Algorithm / Assertion Time
- Under Custom Attribute Mapping, keep the UPN and ImmutableID values at their defaults

13. In the New SaaS Application window, in the Access Policies section, select NEXT

14. In the New SaaS Application window, in the Summary section, select SAVE

15. Notice you now have Office365 with Provisioning in the Catalog

  1. Select the checkbox next to Office365 with Provisioning and select EDIT
  2. In the Edit SaaS Application window, in the left pane select Configuration; in the right pane scroll down until you see Setup Provisioning. Notice there are only 4 sections in the left pane.
  3. Change Setup Provisioning from No to Yes. Notice you now have 7 sections in the left pane. We will now configure provisioning.

16.

  • In the Edit SaaS Application window, in the left pane select Provisioning
    1. In the Provisioning Adapter Configuration, under Office 365 Domain, type your custom domain, e.g. tokyo01.euc-livefire.com
    2. Under Client ID (refer back to step 7 of this part if necessary) add the ServicePrincipalNames value you recorded earlier, e.g. 4da8fbdb-5e0d-4c32-8dee-748300f92b19
    3. Under Client Secret type the password you associated with the service principal. In step 6 the password we used was VMware1!
    4. In the Edit SaaS Application window, in the bottom right corner, select Next

17. In the Edit SaaS Application window you will notice in the left pane that you are now in the User Provisioning section

  1. In the Attribute Name section select Display Name. In the Edit Mapped Value window, in the Value field, select the dropdown arrow, add $(user.userName) and select SAVE
  2. In the Attribute Name section select User Principal Name. In the Edit Mapped Value window, in the Value field, select the dropdown arrow, add $(user.userPrincipalName) and select SAVE
  3. In the Attribute Name section select Guid. In the Edit Mapped Value window, in the Value field, select the dropdown arrow, add $(user.objectGUID) and select SAVE
  4. In the Attribute Name section select Mail Nickname. In the Edit Mapped Value window, in the Value field, select the dropdown arrow, add $(user.userName) and select SAVE
  5. Select Next

18. In the Edit SaaS Application window you will notice in the left pane that you are now in the Group Provisioning section

  1. Under Group Provisioning select + ADD GROUP
  2. In the Add Group to Provision window, under Group Name type Mark and then select Marketing@euc-livefire.com. Under Nickname type Livefire Marketing. Select Save
  3. On the Edit SaaS Application window, under Group Provisioning, select NEXT
  4. On the Edit SaaS Application window, under Definition, click SAVE

19. We will now enable provisioning and save

  1. In the Catalog for Web Apps select Office 365 with Provisioning and select Edit
  2. In the Edit SaaS Application window, in the left pane select Configuration
  3. Scroll down until you see Setup Provisioning and change No to Yes
  4. In the left pane click 4 Provisioning, scroll down and, next to Enable Provisioning, change the toggle from No to Yes
    • Select TEST CONNECTION
    • Select NEXT, NEXT, NEXT, then SAVE

20. We will now configure the entitlement of the users

  1. In the Catalog for Web Apps select Office 365 with Provisioning and select Assign
  2. In the Assign wizard type Mark in the search area under Users / User Groups and select Marketing@euc-livefire.com
  3. Under Deployment Type select the dropdown arrow and change the Deployment Type to Automatic
  4. In the Assign wizard review your configuration and, in the bottom right corner, select SAVE

Part 3: Setting up SAML between Workspace ONE Access and Office 365

  1. Do this section on your ControlCenter2 server. Log in to the Workspace ONE Access Admin Console as Admin; under the Catalog > Web Apps tab, to the right, select SETTINGS
    1. In the Settings window under SaaS Apps select SAML Metadata; in the right-hand pane under the SAML Metadata heading select DOWNLOAD under Signing Certificate
    2. Using Notepad++ open signingCertificate.cer from your default download location.

2. In signingCertificate.cer we will remove all carriage returns from the document

Do this with Notepad++ on your ControlCenter server. Any hidden carriage returns will cause this exercise to FAIL.

  1. Remove the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines from the certificate.
  2. Then select the certificate portion of the file, press Ctrl+F and switch to the Replace tab. Type \n in the Find what field and leave the Replace with field empty. Make sure the Search Mode at the bottom is Extended. Then click Replace All. If the file uses Windows line endings, repeat the replace with \r so that no carriage return characters remain either.
  3. Your certificate should now have no carriage returns. Notepad++ tells you how many instances were replaced and the certificate will look different.
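The Notepad++ procedure above can be done from PowerShell, with one check the editor cannot give you: that the flattened base64 still decodes to a valid X.509 certificate before it is handed to Set-MsolDomainAuthentication. The function below is an added example, not part of the lab or of Workspace ONE Access; it assumes the downloaded signingCertificate.cer is PEM-encoded (the BEGIN/END CERTIFICATE lines the lab tells you to delete) and that the path in the usage line points at your own download folder.

```powershell
# Added example (not from the lab): strip the PEM armor and every line break from
# signingCertificate.cer, then decode the result to prove it is still a valid
# certificate. Assumes the file is PEM as downloaded from Workspace ONE Access.

function ConvertTo-FlatSigningCertificate {
    param([Parameter(Mandatory)] [string] $Path)

    # Drop the armor lines and join the rest into one string: no CR, no LF,
    # no leading/trailing blanks, which is exactly what -SigningCertificate wants.
    $b64 = (Get-Content -Path $Path |
            Where-Object { $_ -notmatch '^-----(BEGIN|END) CERTIFICATE-----' } |
            ForEach-Object { $_.Trim() }) -join ''

    if ($b64 -match '\s') { throw 'Whitespace survived the flattening; check the input file' }

    # Decode: if the base64 was damaged (stray characters, a cut line), the
    # constructor throws here, which is far cheaper than a broken federation later.
    $der  = [Convert]::FromBase64String($b64)
    $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($der)

    Write-Host "Subject   : $($cert.Subject)"
    Write-Host "Thumbprint: $($cert.Thumbprint)"
    Write-Host "Expires   : $($cert.NotAfter)"
    if ($cert.NotAfter -lt (Get-Date).AddDays(30)) {
        # Office 365 validates SAML/WS-Fed assertions against this certificate;
        # when it expires, every federated sign-in to the domain fails.
        Write-Warning 'Signing certificate expires within 30 days; plan a rotation.'
    }
    return $b64
}

# Usage (path is an assumption; adjust to your download location):
# $flat = ConvertTo-FlatSigningCertificate -Path "$env:USERPROFILE\Downloads\signingCertificate.cer"
# $flat | Set-Clipboard   # paste after -SigningCertificate in the next step
```

The thumbprint printed here can be compared with the one shown under SAML Metadata in the Workspace ONE Access console, which confirms you flattened the right file.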

3. On the ControlCenter2 server, open the existing PowerShell window you were working in earlier (from the shortcut on your desktop). Copy, edit and paste the commands from the text file powershell commands.txt, located in your Software folder (linked on your ControlCenter desktop) in the \Applications\Azurefiles folder.

Run the following command:

Connect-MsolService

  • When prompted, sign in with your CloudAdmin credentials and your password. The example we use is cloudadmin@ranmobojo.onmicrosoft.com

4. Next we edit the following PowerShell command for our environment and include the certificate string as part of it.

  1. Edit the sample string by replacing tokyo01.euc-livefire.com with YOUR CUSTOM fully qualified domain name
  2. Edit the sample string by replacing aw-euclivefire.vidmpreview.com with YOUR CUSTOM SaaS Workspace ONE Access tenant fully qualified domain name

    Example 1 is the command without the certificate.
    Example 2 is the command with the certificate, which you must append without introducing any hidden carriage returns into PowerShell. Note that the IssuerUri must match the issuer value you entered in step 11 of Part 2.

Set-MsolDomainAuthentication -DomainName tokyo01.euc-livefire.com -Authentication Federated -IssuerUri "tokyo01.euc-livefire" -FederationBrandName "tokyo01Corp" -PassiveLogOnUri "https://aw-euclivefire.vidmpreview.com/SAAS/API/1.0/POST/sso" -ActiveLogOnUri "https://aw-euclivefire.vidmpreview.com/SAAS/auth/wsfed/active/logon" -LogOffUri "https://login.microsoftonline.com/logout.srf" -MetadataExchangeUri "https://aw-euclivefire.vidmpreview.com/SAAS/auth/wsfed/services/mex" -SigningCertificate

Set-MsolDomainAuthentication -DomainName tokyo01.euc-livefire.com -Authentication Federated -IssuerUri "tokyo01.euc-livefire" -FederationBrandName "tokyo01Corp" -PassiveLogOnUri "https://aw-euclivefire.vidmpreview.com/SAAS/API/1.0/POST/sso" -ActiveLogOnUri "https://aw-euclivefire.vidmpreview.com/SAAS/auth/wsfed/active/logon" -LogOffUri "https://login.microsoftonline.com/logout.srf" -MetadataExchangeUri "https://aw-euclivefire.vidmpreview.com/SAAS/auth/wsfed/services/mex" -SigningCertificate <single-line certificate string from step 2>

5. We now check the federation with the following command in PowerShell:

Get-MsolDomainFederationSettings -DomainName tokyo01.euc-livefire.com

The command returns the settings that make up this federation.
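Steps 4 and 5 can be combined so that the long Set-MsolDomainAuthentication line is assembled from a few variables, the two preconditions the lab mentions (domain verified, domain not the tenant default) are checked first, and the settings are read back and compared with what was sent. The function below is an added example, not the lab's own command file; it assumes Connect-MsolService has already run and that $FlatCert holds the single-line certificate string produced in step 2. The parameter values in the usage line are the lab's example names.

```powershell
# Added example (not the lab's command file): federate the domain from variables,
# after checking it is verified and not the default domain, then read the
# settings back and diff them. Assumes Connect-MsolService has already run.

function Set-WorkspaceOneFederation {
    param(
        [Parameter(Mandatory)] [string] $DomainName,   # e.g. tokyo01.euc-livefire.com
        [Parameter(Mandatory)] [string] $IssuerUri,    # must equal the issuer entered in Part 2 step 11
        [Parameter(Mandatory)] [string] $AccessTenant, # e.g. aw-euclivefire.vidmpreview.com
        [Parameter(Mandatory)] [string] $FlatCert,     # single-line base64 certificate
        [string] $BrandName = 'Corp'
    )

    # Preconditions the lab calls out in Part 1 step 38 and Part 1 step 29.
    $dom = Get-MsolDomain -DomainName $DomainName
    if ($dom.Status -ne 'Verified') { throw "$DomainName is not verified yet (status $($dom.Status))" }
    if ($dom.IsDefault)             { throw "$DomainName is the tenant default domain; set another domain as default first" }

    $base = "https://$AccessTenant/SAAS"
    $settings = @{
        DomainName          = $DomainName
        Authentication      = 'Federated'
        IssuerUri           = $IssuerUri
        FederationBrandName = $BrandName
        PassiveLogOnUri     = "$base/API/1.0/POST/sso"
        ActiveLogOnUri      = "$base/auth/wsfed/active/logon"
        LogOffUri           = 'https://login.microsoftonline.com/logout.srf'
        MetadataExchangeUri = "$base/auth/wsfed/services/mex"
        SigningCertificate  = $FlatCert
    }
    Set-MsolDomainAuthentication @settings

    # Read back and diff: a typo in the issuer or a URL leaves the domain
    # "Federated" while every sign-in fails, so compare field by field.
    $actual   = Get-MsolDomainFederationSettings -DomainName $DomainName
    $mismatch = @()
    foreach ($key in 'IssuerUri', 'PassiveLogOnUri', 'ActiveLogOnUri', 'LogOffUri', 'MetadataExchangeUri') {
        if ($actual.$key -ne $settings[$key]) {
            $mismatch += "$key expected '$($settings[$key])' got '$($actual.$key)'"
        }
    }
    if ($actual.SigningCertificate -ne $FlatCert) { $mismatch += 'SigningCertificate differs from what was sent' }

    if ($mismatch) { Write-Warning ($mismatch -join "`n") }
    else           { Write-Host "Federation settings for $DomainName verified." }
    return $actual
}

# Usage (lab example values; $flat comes from flattening signingCertificate.cer):
# Set-WorkspaceOneFederation -DomainName 'tokyo01.euc-livefire.com' -IssuerUri 'tokyo01.euc-livefire' `
#     -AccessTenant 'aw-euclivefire.vidmpreview.com' -FlatCert $flat -BrandName 'tokyo01Corp'
```

Keep the returned object (or its Get-MsolDomainFederationSettings output) with your lab notes: when the Workspace ONE signing certificate is rotated, the same function run again with the new string is the whole update.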

Part 4: Testing the federation to ensure it is working properly

1. Log back in to your Office 365 tenant with your CloudAdmin account at https://admin.microsoft.com/Adminportal/Home?source=applauncher#/homepage

  1. In the left-hand pane under Home, select Users > Active users. Notice that Marketing group users 1 - 4 have been automatically provisioned, with the unique suffix appended to the user principal name. Also notice that your users are Unlicensed.
  2. Click User1
  3. In the User1 properties select the Product licenses tab
  4. In the Location area select a location, e.g. United Kingdom. Next to Office 365 Enterprise E3 Developer there is an unchecked checkbox; check it and select Save.
  5. In the User1 properties select Close.
  6. NB! Follow steps 1-5 for all the users, including the CloudAdmin account, to ensure that licensing is applied to every account.

2. In the User1 properties, in the Licenses and apps tab, scroll down and you will notice that Mobile Device Management for Office 365 is Off. We will enable this in Azure so that we can do compliance with Workspace ONE UEM. Select Cancel to close the Product licenses window.

4. Go back to the tab with your Office 365 admin console.

  1. Click User1 and click the Licenses and apps tab.
  2. Notice that Enterprise Mobility + Security E5 is turned Off.
  3. Check the checkbox next to Enterprise Mobility + Security E5. Notice you now have a whole range of advanced Azure security features
  4. Select Save
  5. NB! Repeat the licensing process you did for User1 for User2 and for your CLOUDADMIN account. It is critical that your CLOUDADMIN account has a mailbox to complete the Okta lab properly. If this step is missed you will either have to skip the Okta lab or redo the Office 365 lab.
    • In the admin console select both the User2 and CloudAdmin checkboxes
    • In the menu bar at the top select Manage product licenses
    • Select the radio button next to Add to existing product license assignments and click Next
    • Turn on the switch for Enterprise Mobility + Security and click Add
    • On the summary window click Close
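The licensing steps in this part are clicked through per user, and the GUI hides two things the PowerShell route makes explicit: a usage location must be set before any license can be assigned, and the SKU identifiers are tenant-specific, so they should be looked up rather than typed. The functions below are an added example, not part of the lab; they assume Connect-MsolService has already run as CloudAdmin, and the name fragments DEVELOPERPACK and EMSPREMIUM are my expectation of the AccountSkuId suffixes for "Office 365 E3 Developer" and "Enterprise Mobility + Security E5" in this tenant, so confirm them against Get-MsolAccountSku before relying on them.

```powershell
# Added example (not from the lab): assign the lab's two licenses from PowerShell
# with the checks the admin center does silently. Assumes Connect-MsolService has
# run. SKU patterns are assumptions; confirm with Get-MsolAccountSku.

function Grant-LabLicenses {
    param(
        [Parameter(Mandatory)] [string[]] $UserPrincipalName,
        [string]   $UsageLocation = 'GB',                        # lab example: United Kingdom
        [string[]] $SkuPatterns   = @('DEVELOPERPACK', 'EMSPREMIUM')   # assumed suffixes
    )

    # Resolve the tenant's real AccountSkuIds (tenant:SKU) and make sure seats are free.
    $skus    = Get-MsolAccountSku
    $targets = foreach ($p in $SkuPatterns) {
        $hit = $skus | Where-Object { $_.AccountSkuId -like "*:$p" } | Select-Object -First 1
        if (-not $hit) { throw "No SKU matching '$p' in this tenant; run Get-MsolAccountSku" }
        if (($hit.ActiveUnits - $hit.ConsumedUnits) -lt 1) { throw "No free seats on $($hit.AccountSkuId)" }
        $hit.AccountSkuId
    }

    foreach ($upn in $UserPrincipalName) {
        $u = Get-MsolUser -UserPrincipalName $upn

        # Set-MsolUserLicense is rejected for a user without a UsageLocation,
        # which is the "select a Location" step in the GUI.
        if (-not $u.UsageLocation) {
            Set-MsolUser -UserPrincipalName $upn -UsageLocation $UsageLocation
        }

        # Only add what is missing, so the function is safe to re-run.
        $have = @($u.Licenses | ForEach-Object { $_.AccountSkuId })
        $add  = @($targets | Where-Object { $have -notcontains $_ })
        if ($add.Count -gt 0) {
            Set-MsolUserLicense -UserPrincipalName $upn -AddLicenses $add
        }

        [pscustomobject]@{
            User     = $upn
            Added    = ($add -join ',')
            Licensed = (Get-MsolUser -UserPrincipalName $upn).IsLicensed
        }
    }
}

# Anyone in the lab domain still unlicensed after the loop (covers step 1.6's "all users").
function Get-UnlicensedLabUsers {
    param([Parameter(Mandatory)] [string] $Domain)   # e.g. tokyo01.euc-livefire.com
    Get-MsolUser -DomainName $Domain -UnlicensedUsersOnly |
        Select-Object UserPrincipalName, DisplayName
}

# Usage (UPNs are placeholders; use the provisioned users shown under Active users):
# Grant-LabLicenses -UserPrincipalName 'user1@tokyo01.euc-livefire.com', 'user2@tokyo01.euc-livefire.com'
# Get-UnlicensedLabUsers -Domain 'tokyo01.euc-livefire.com'
```

The CloudAdmin account lives in the onmicrosoft.com domain, not in your custom domain, so pass its UPN to Grant-LabLicenses explicitly; Get-UnlicensedLabUsers filtered on the custom domain will not report it.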

2. Open an Incognito session of your browser and connect to your SaaS instance of Workspace ONE Access.

  1. On the login window, ensure that euc-livefire.com is selected in the Select your domain dropdown and select Next
  2. In the username section use your custom username, e.g. user35UNL, and the password VMware1!, then select Sign in

3.

  • In the Workspace ONE console
    1. Under Apps select All Apps
    2. Next to Office 365 with Provisioning select Open
    3. You should now see the Microsoft Office 365 console

Portal-to-portal single sign-on on its own rarely excites a customer. In this section we insert deep links within Workspace ONE Access to enhance the user experience.

1. Inserting Office 365 deep links (Part 5)

  • On your ControlCenter server, log in to your Workspace ONE Access console as Admin and select the Catalog tab > Web Apps
    1. Select NEW
    2. In the New SaaS Application window under Name type Microsoft Word
    3. Under Icon click Browse, find the Software link on your desktop, navigate to \Applications\Azurefiles\icons, select the Word.png icon and select Open. At the bottom right select NEXT
    4. On 2. Configuration, in the Single Sign-On section under Authentication Type, select the dropdown on the right and select Web Application Link

2. Inserting Office 365 deep links (Part 5)

  • Copy the URL below, edit the part shown in blue (the domain after whr=) in Notepad++ with your assigned domain suffix, then copy the edited URL and paste it under Target URL
    • https://login.microsoftonline.com/login.srf?wa=wsignin1.0&whr=EXAMPLEDOMAIN.euc-livefire.com&wreply=https://office.live.com/start/Word.aspx?auth=2

3. Inserting Office 365 Deep links (Part 5)

  • Select NEXT > SAVE & ASSIGN
    1. Under Users / User Groups in the Search area type Mark, select Marketing@euc-livefire.com
    2. Under Deployment Type select Automatic and select SAVE

4. Inserting Office 365 deep links (Part 5)

  • Repeat the above steps for
    1. OneDrive
      • https://login.microsoftonline.com/login.srf?wa=wsignin1.0&whr=lisbonb35.euc-livefire.com&wreply=https://zingaramanwell-my.sharepoint.com
      • Replace lisbonb35 with your domain
      • Replace zingaramanwell with your unique Office 365 tenant name, e.g. in this example the admin account is cloudadmin@zingaramanwell.onmicrosoft.com, so zingaramanwell is the tenant name
    2. Excel
      • https://login.microsoftonline.com/login.srf?wa=wsignin1.0&whr=lisbonb35.euc-livefire.com&wreply=https://www.office.com/launch/excel?auth=2&home=1
    3. PowerPoint
      • https://login.microsoftonline.com/login.srf?wa=wsignin1.0&whr=lisbonb35.euc-livefire.com&wreply=https://www.office.com/launch/powerpoint?auth=2
    4. Outlook
      • https://login.microsoftonline.com/common/oauth2/authorize?client_id=00000002-0000-0ff1-ce00-000000000000&response_mode=form_post&response_type=code+id_token&scope=openid+profile&redirect_uri=https%3a%2f%2foutlook.office365.com&domain_hint=lisbonb35.euc-livefire.com

5. Inserting Office 365 deep links (Part 5)

  • The Office 365 application has been assigned to Marketing and must remain assigned to Marketing for the deep links to work. However, we do not necessarily want it visible to the end user. We now solve this as part of a well-thought-out solution.
    1. In the Catalog, select the checkbox next to Office365 with Provisioning and select EDIT
    2. In the Edit SaaS Application window, select step 2 Configuration and scroll to the bottom. Change the Show in the User Portal toggle from Yes to No
    3. Select NEXT > NEXT > NEXT > NEXT > SAVE

6. Inserting Office 365 deep links (Part 5)

  • Switch to a browser in Incognito mode. Using your Workspace ONE Access URL, log in as User1 with the password VMware1!
  • Test your individual links for Office 365
