Federating AZURE with Workspace ONE Access and Office 365 as a service
Part 1: Setting Up a Developer Account
One needs to setup an Office 365 E3 Developer subscription account to be able to integrate with Workspace ONE. In this section we will walk through and setup the required developer subscription that allows you a 12 -month free trial.
An Important NOTE!
- Be sure to to take notes and document your configurations immediately.
- Be 100% clear from your document what your assigned domain name is.
- Open a browser and go to Google Chrome search engine and type office 365 e3 developer subscription.
2. Find the option that says Set up an Office 365 developer subscription and select
3. On the Set up an Office 365 developer subscription page under Set up your subscription Under ! Note
Select the join the Office 365 Developer Program hyperlink
4. On the Welcome to theOffice 365 Developer Program page select the Join the Office 365 Developer Program page
5. You will now be re-directed a 3rd time to the Join the Office 365 developer program today! Do not select JOIN NOW
6. To the right of the page first select Sign In
7. On Microsoft Sign in Page type in the email address of an account you own
(NB! If this account is already associated with an office 365 account you will have to create a new account)
7.1 Alternatively next to NO account? select Create one!
7.2 On the Create account page type your custom email address
7.3 Select Next
7.4 On the Create a password window type a unique password and select Next
7.5 On the Create account page type in your country and Birthdate and select Next
7.6 On the Verify email page notice you need to enter a code, log into your gmail account and select the email and find the code and then enter the code in the Enter Code area and select Next
7.7 On the Create account, page enter the custom security letters for your login
7.8 On the Stay Signed in page, select Yes
7.9 On the Sign in page type in your custom email address and select Next
7.10 On the Enter password page, type in your password and select Sign in
8.1 To the left of the page, select the Microsoft icon
8.2 Then look to the right of the page and select your account Icon, next select Add your name
8.3 On the Your info page under First name type your custom name and under Surname type your custom Surname, type in the matching security letters and select Save
9.0 Open an Incognito browser session with Google Chrome and copy the following url in the Browser address bar,
9.1 To the right select Sign In, On the Sign In page type in your custom email address and select Next
9.2 On the Enter password window, type the custom password you created and select Sign in
9.3 On the Stay signed in? window select Yes
9.4 On the Join Office 365 Developer program today page select JOIN NOW>
9.5 On the Office 365 Developer Program Signup page select your Country/Region and type in the name of your Company and select the two checkboxes for terms and conditions and information and select NEXT
10. On the Office 365 Developer Program Preferences page select enough check box and options to make sure the Join button becomes available and the select JOIN
11. Close the Welcome to the Office 365 Developer Program! Window by selecting Close
12. On the Office 365 Developer Page select SET UP SUBSCRIPTION
13. In the Setup your developer subscription window, create a unique admin account , for example, your username could be CloudAdmin and your Domain could be your firstname and surname
NB! Ensure you document these credentials
14. When you are done select Continue
15. On the Add phone number for security windows type in your Country Code and your phone number
16. Select SEND code , follow through on the security picture block selecting your relevant pictures, and select Next Enter the Code from your phone and select Set up
17. Once your registration is complete you can login in using your new ADMIN account. On the your Office 365 Subscription page select and right click the Go to subscription hyper link and select Open Link in New Tab
18. On the Sign In window , Enter your password and select Sign in
19. On the Office 365 Page almost in the middle select Admin
20. On the sign in page pick your new CloudAdmin account
21. If you get prompted with a Welcome to Office 365 Admin Center Page select Skip
22. Notice the Office 365 E3 Developer Setup is incomplete. Select Go to Setup box
23. NB! Before moving onto the next section, ensure that you are 100% clear what YOUR registered Domain will be.
In the course lab we will use a Domain naming convention based on the location we are delivering at.
For example if this training session was being delivered in Atlanta , your domain name might be atlanta01.euc-livefire.com for student number 1. If we have 18 attendees there will be 18 different registered Domain names using the above mentioned naming convention. we have automated the dns configuration for this lab, so we will use a vrealize automation self service portal to configure your dns zone.
On the Microsoft 365 admin center ensure the Connect a domain you already own radio button is selected and below type your registered Domain name (this example in the screenshot is only for demo purposes) select Next
Note when registering your own domain name with Office 365, there are several approaches. The most seamless and trouble free approach is to register your own Domain Name with GODADDY. This provides a seamless experience and the verification takes seconds once you have your own domain name from GODADDY. GODADDY is an example of a name provider that seamlessly integrates with Microsoft's Office 365. If one chose this option your name that you use would belong to you for however long you choose to use your Office 365 Tenant
Another approach is to do this manually. EUC Livefire already owns a domain name which is hosted in AWS Route53. In the Office 365 setup wizard you will notice there is a step by step guide on how to setup your zone in AWS Route53 manually. We have chosen to automate this process for the sake of time.
If you choose this option the zone provided to you by Livefire associated with your tenant will possibly only be active for a maximum of a month and you will then have to find your own Domain name.
If you choose to follow the Livefire option, we have automated this process for your convenience using VMware VRA. Generally DNS name configuration in AWS Area 53 is a completely Manual process. We have automated more than 98% of this process. You will however interface with VMware vRealize Automation for 2 configurations.
1. MS record modification
2. MX record modification
You do not have Access to AWS AREA53. You will be using VMware vRealize Automation to facilitate the edit of these records
24. On the Verify domain page notice there are step-by-step instructions to follow,
Notice that there are DNS records called TXT name, TXT value and TTL
- Note!. We have our Hosted DNS service in called AREA53 on AWS. We have our own euc-livefire.com Zone. Each of you have your own registered Zone Database, that is part of the EUC-Livefire.com namespace. eg. Tokyo01.euc-livefire.com. Your Office 365 instance will need to be verified with this namespace .To do this will require to modify your DNS subzone, working with the vrealize automation portal in a different browser tab while your doing your o365 tenant.
- Click on the copy icon next to your MS record
- Select Verify at the bottom of the screen
NB! At this point ignore any error messages !
- On your Controlcenter2 desktop, from your task bar open your FireFox Browser
- Next to the bookmarks bar open vrealize automation
- Next to the "Select your domain" dropdown menu select corp.local
- Select Next
- VRA automation continued ...
- In the username field type vra-euc-student
- In the password field type VMware1!
- select Sign in
27. VRA automation continued ...
- In the update zone records catalog object, select Request
- VRA automation continued ...
- Next to zone prefix dropdown menu select the city corresponding to your current location.
- Next to zone number drop down menu select your dns zone number as described in your information sheet
- Under Records update next to MS record replace the existing record your MS record and Paste your MS record,
NOTE ensure that your MS record is enclosed in Quotation Marks
- Select Submit
28. Wait until the progress shows 100% and continue with your lab. you might need to refresh your browser if you see no progress bar.
29 .Go back to your o365 domain configuration and click on verify. it might give you an error because of the time it takes to replicate DNS configurations and it might require you to click on verify a couple more times.
30. On Add new users window select Got it, thanks, select Next
31. On the Assign licenses to unlicensed users page select Next
32. On Install your Office apps page select Next
33. On the Migrate email messages page leave the default Don't migrate email messages radio button and select Next
34. On the Choose your online services page, ensure that Exchange, Skype for Business and Mobile Device Management for Office 365 checkboxes are selected and select Next
- On the Add DNS Records page.
- When ready select Verify at the bottom of the Add DNS Records window. If there is a failure on any records reach out to the EUC-livefire instructor team to get the records fixed and select
Verify again. Note you might have to give a few minutes for the records to update in DNS before selecting Verify
- Notice that when Verify is successful the you just configured your Office 365 Tenant successfully will show and you are ask to provide feedback related to your experience.
- When ready select Verify at the bottom of the Add DNS Records window. If there is a failure on any records reach out to the EUC-livefire instructor team to get the records fixed and select
- However, If Verify is Not successful and its MX related in the message go to the next step in this exercise.
- If you get an error mentioning your MX records follow these steps:
- Click on the the copy icon next to Expected record
- On your ControlCenter2 server, Go back to the update zone records tool, select REQUEST
- Get to your zone and paste the MX records,
- NOTE the example, there is a zero in front MX record, this is a priority field and should not be deleted.
- Select SUBMIT
- Go to your 0365 domain configuration and Verify the domain again.
- You should get a message saying You've reached the end of the setup
37. Select Microsoft 365 Admin center next to the 9 dot blue square in the top left corner.
- In your Microsoft 365 Admin center,
- Select the 3 parallel dots in the black bar to the left of the console, this will expand the console
- Select the Spanner icon for Setup and select Domains
- In the Home > Domains interface, check to see if your namespace you have associated with your Office 365 setup has a (Default) next to it. If this is the case do the following.
- Select your account name that is not set to default :
- Select Set as default
- Your custom domain cannot be the default domain when federating with Workspace ONE Access. Select Close. Check to see that you have a corresponding configuration in the domain portion of your setup as the screenshot.
Part 2: Federating Office 365 with Workspace ONE Access.
In Part 2 of this lab session we will now federate our Office 365 Tenant with a Workspace ONE Access SAAS tenant.
- Using your Tenant Admin credentials, login into your SAAS Workspace ONE Access Tenant.
- To the right of the Workspace ONE Access console under Tenant Admin select Administration Console
2. Select the Identity & Access Management tab
- To the right in the Identity & Access Management tab select Setup > User Attributes
3. In the User Attributes interface notice you have already set userPrincipalName and distinguishedName to Required and you have already created the objectGUID attribute.
These are pre-req requirements for Federating Office 365 with Workspace ONE Access.
- On your ControlCenter2 desktop server select your Software shortcut and open the path to the Applications folder. In the Applications folder open the Azurefiles folder.
- Open the msoidcli_64.msi installer and when prompted select Run
- On the Microsoft Online Services Sign-in Assistant Setup page select the I accept the terms in the Licence agreement... checkbox. Select Install,
- When the installer is done select Finish
- If prompted to restart then do so and login as administrator
- Under the same Azurefiles folder,
- Select and launch the AdministrationConfig-en.msi , select Run. On the Open File - Security Warning window select Run
- On the Windows Azure Active Directory Module for Windows Powershell Setup window select Next
- On the License Terms window , ensure the I accept the terms radio button is selected and select Next
- On the Install Location window, select Next
- On the Ready to Install window select Install
- Select Finish
- On your ControlCenter server desktop, you will notice a Windows Azure Active Directory for Powershell Shortcut.
- Right click the Windows Powershell and select Run as administrator
- For your convenience we have added all the powershell commands to a TXT file that is available in the software folder on the desktop.You can copy the commands from the file directly into the powershell. Please note some of the commands require editing
- Simply browse to \\cs1-pd1.euc-livefire.com\software\Applications\Azurefiles where you will find the file powershell commands.txt
- In the Powershell Console type the following
- When prompted for User name and Password, use your Cloud Admin account e.g. [email protected]
- Next we have to create a Service Principal account type in the powershell
$sp = New-MSOLServicePrincipal -DisplayName 'ServPrinc1' -Type password -Value 'VMware1!'
- Next we are going to assign a role to the ServPrinc1 user
Add-MsolRoleMember -RoleName 'User Account Administrator' -RoleMemberType ServicePrincipal -RoleMemberObjectId $sp.ObjectId
- Revert back to your Workspace ONE Access SAAS Tenant Admin Console
- Select the Catalog Tab in the Admin Console, select NEW
- In the New SaaS Application window under Definition select or browse from catalog
- In the DEFINITION window to the right in the search area type off
- Select Office365 with Provisioning by selecting the + sign to the right
8 On the New SAAS Application window select Next
9. In the New Saas Application window, in the Configuration section add the following:
- In the New Saas Application window, in the Configuration section leave the following default:
-Single Sign-On URL / Application ID / Username Format / Username Value
- Add the following: under Application Parameters in the tenant line under Value add YOUR custom Fully Qualified Domain Name ie tokyo01.euc-livefire.com
- Under Application Parameters in the issuer line under Value add your custom domain name (without the .com part) ie tokyo01.euc-livefire
Make sure there are no hidden carriage returns if you paste this in
11. In the New Saas Application window, in the Configuration section under Advanced Properties leave the following default:
-Enable Multiple O365 Email Domains / Credential Verification / Signature Algorithm / Digest Algorithm / Assertion Time
-Under Custom Attribute Mapping in the UPN and ImmutableID keep the values default
- In the New Saas Application window, in the Access Policies section select NEXT
12. In the New Saas Application window, in the Summary section select SAVE
- We will now do the Entitlement configuration of the User
- In the Catalog for Web Apps select the Office 365 with Provisioning and select Assign
- In the Assign wizard type Mark in the search area under Users / User Groups, select [email protected]
- Under Deployment Type, select the drop down arrow change the Deployment Type to Automatic
- In the Assign wizard, review your configuration, in the bottom right hand corner select SAVE
Part 3: Using Azure ADconnect for user provision to Azure AD
In this part we are goin to install Azure AD Connect tool to provision users to azure AD from on premise Active Directory.
Please note: It is best practice to use Azure AD connect tool but not a requirement. You can also provision users to Azure AD from Workspace ONE Access using Office365 with Provision application with Setup Provisioning ENABLED.
1. From your Controlcenter machine desktop, open the Software shortcut on your desktop and navigate to the Applications > Azurefiles >ADconnect folder.
2. Double- click on AzureADConnect.msi and click run on the security warning
3. On the Welcome to Azure AD Connect window check the box next to "I agree to the license terms and privacy notice" and click Continue
4. In the Express Settings window click on "Use express settings"
5. On the "Connect to Azure AD" window, fill in your credentials for your microsoft account and click Next
6. In the "Connect to AD DS" window fill in your domain credentials, USERNAME: EUC-LIVEFIRE\ADMINISTRATOR, PASSWORD: VMware1!
7. Verify your custom domain is verified
8. Check the box next to "Continue without matching all UPN suffixes to verified domains" and click Next
9. On the "Ready to configure" windowmake sure the box next to "Start synchronization process when configuration completes" is checked and click Install. Getting to the following step should take a couple of minutes.
10. In the "Configuration complete" window click "Exit"
Part 4: Setting up the SAML between Workspace ONE Access and Office 365
- Ensure you do the next section on your ControlCenter2 server .
- Login to your to the Workspace ONE Access Admin Console, as Admin, under the Catalog > Web Apps tab to the right select SETTINGS
- In the Settings window under SaaS Apps, select SAML Metadata, in the right hand pane under the SAML Metadata heading select DOWNLOAD under Signing Certificate
- Using Notepad++ Open the signingCertificate.cer from your default download location .
2. In the signingCertificate.cer we will remove all carriage returns the document
Do this with Notepad++ on your ControlCenter server. Any hidden carriage returns will cause this exercise to FAIL
- Remove the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines from the certificate.
- Then select the certificate portion of the file and click ctrl + F in the Replace tab at the top type \n in the Find what field.Leave the Replace with field empty. Make sure the Search Mode at the bottom is Extended. Then click on Replace All.
- Your certificate should now no longer have carriage returns. Notepad++ will tell you how many instances were replaced and your certificate will look different.
3. On the ControlCenter2 server and open the existing Powershell interface we were working with earlier (from the shortcut on your desktop). please copy, edit and paste the commands from the text file called powershell comands, located in your Software folder (linked in your control center desktop), in the \Applications\Azurefiles folder.
Run the following command:
- In the Powershell Console type the following using your Cloudadmin credentials. The example we use is [email protected]
and your password
4. Next we edit the following Powershell commands for our environment and include the certificate string as part of this command.
- Edit the sample string by replacing any instance of tokyo01 with the city and number from YOUR CUSTOM Fully Qualified Domain name, i.e. london08
- Edit the sample string by replacing aw-euclivefire.vidmpreview.com with YOUR CUSTOM SAAS Workspace ONE Access Tenant Fully Qualified Domain name
example 1 is the string without the certificate|
example 2 is the string with the certificate which you will have to append without introducing any hidden returns into Powershell
Set-MsolDomainAuthentication -DomainName tokyo01.euc-livefire.com -Authentication Federated -IssuerUri “tokyo01.euc-livefire” -FederationBrandName “tokyo01Corp” -PassiveLogOnUri “https://aw-euclivefire.vidmpreview.com/SAAS/API/1.0/POST/sso” -ActiveLogOnUri “https://aw-euclivefire.vidmpreview.com/SAAS/auth/wsfed/active/logon” -LogOffUri “https://login.microsoftonline.com/logout.srf” -MetadataExchangeUri “https://aw-euclivefire.vidmpreview.com/SAAS/auth/wsfed/services/mex” -SigningCertificate xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
5. We will now check the federation with the following command in the powershell
Get-MsolDomainFederationSettings -domainName tokyo01.euc-livefire.com
The settings will return output regarding the settings that make up this federation.
Part 5: In this part, we will now start testing the federation to see and ensure it it working properly
- Login back to your office 365 Tenant with your office Admin account with this url https://admin.microsoft.com/Adminportal/Home?source=applauncher#/homepage and use your cloudadmin account
- In the left-hand pane under Home, select Users > Active users. Notice that Marketing group Users 1 - 8 has been automatically provisioned with the unique suffix appended for the user principle name. Also notice that your users are Unlicensed. Select users 1-8
- Select the radio buttons next to User 1 to User 8. This is includes your Custom User
- Next to Assign to group select the 3 dots which will expand the menu and select Manage product licenses
- In the Manage Product licenses window select Next
- On the Replace existing products window under Location, select a location ie United Kingdom.
- Next to Microsoft E5 Developer (without Windows and Audio Conferencing), turn the slider bar to On
Scroll down and select Replace select Close.
- NB! - Validate that your Cloudadmin account is licensed as well. This will depend on whether you started off with a custom Outlook account or used another email in the beginning of the course labs. If not re-apply to the licensing to this account and then ensure that you can open the Cloudadmin mailbox. This requirement must be done before starting your OKTA lab.
- Open up an Incognito session of your browser and connect to your SAAS instance of Workspace ONE Access.
- On the login window ensure that on the select your domain window, euc-livefire.com is selected, select Next
- In the username section, use your custom username ie user35scr and the password VMware1! select Sign in
- In the Workspace ONE console
- Under Apps select All Apps
- Next Office 365 with Provisioning select Open
- You should now see the Microsoft Office365 console
Part 6: Inserting Office 365 Deep Links into Workspace ONE Access
Having a Portal to Portal single sign-on experience very rarely excites a customer. In this section we will insert Deep Links within Workspace ONE Access to enhance the user experience.
1. Inserting Office 365 Deep links
- On your Controlcenter server. Log in to your to your Workspace ONE Access Console as Admin and select the Catalog tab > Web Apps
- Select NEW
- In the New SaaS Application window under Name type Microsoft Word
- Under Icon, click on browse, search for the software link on your desktop, and navigate to \Applications\Azurefiles\icons. select your Word.png Icon and select Open. At the bottom right select NEXT
- On 2. Configuration in the Single Sign-On section under Authentication type to the right select the drop down and then select Web Application Link
2. Inserting Office 365 Deep links (Part 5)
- Copy the URL below and edit in Notepad++ the following in Blue with your assigned domain suffix and then copy the edited URL and Paste under the Target URL
3. Inserting Office 365 Deep links (Part 5)
- Select NEXT > SAVE & ASSIGN
- Under Users / User Groups in the Search area type Mark, select [email protected]
- Under Deployment Type select Automatic and select SAVE
4. Inserting Office 365 Deep links (Part 5)
- Repeat the above steps for
- Replace Lisbonb with your domain
- Replace zingaramanwell with your unique Office 365 domain name. eg in this example the domain name is [email protected]zingaramanwell.onmicrosoft .com, zingaramanwell is the domain name
5. Inserting Office 365 Deep links (Part 5)
- The Office 365 application has been assigned to Marketing. It has to remain assigned to Marketing for the Deep links to work. However, we do not necessarily want this to be visible to the End-User. We will now solve this issue as part of a well thought out solution.
- In the Catalog, select the Check-box next to Office365 with Provisioning, select EDIT
- in the Edit SaaS Application window, select step 2 Configuration and scroll down to the bottom. Change Show in the User Portal toggle from Yes to No
- Select NEXT > NEXT > NEXT > NEXT > SAVE
6. Inserting Office 365 Deep links (Part 5)
- Switch to a Browser in Incognito Mode . Using your Workspace ONE Access URL login as User1 with the password VMware1!
- Test your individual links for office 365
7. Tidying up the Catalog in Workspace ONE Access for a better User Experience
- Switch back to your Workspace ONE Access Admin Console and select the Catalog tab
- In the Catalog next to Office 365 with Provisioning select the check box and then at the top select EDIT
- In the Edit SaaS Application wizard select 2 Configuration and scroll down to the bottom,
- Change the toggle under Show in User Portal from Yes to No and select NEXT > NEXT > SAVE
- Repeat the exact same process and validate that that the AirWatch and AirWatch Provisioning applications do not show in the User Portal