Integrate idemeum with Azure AD (B2B)
How can idemeum help secure O365?
idemeum integrates with Azure Active Directory (AAD) directly over SAML and provides the following services:
| Service | Description |
| --- | --- |
| Passwordless MFA | Eliminate passwords when users access your SSO and O365 resources. No enrollment, no user sync, easy and simple. idemeum supports cloud-only as well as hybrid deployment models. |
How is O365 deployed?
O365 and Azure Active Directory (AAD) can be implemented with various deployment models.
| Deployment model | Description |
| --- | --- |
| Cloud-only identity | The user account only exists in the Azure AD tenant for your Microsoft 365 subscription. |
| Hybrid identity | The user account exists in AD DS and a copy is also in the Azure AD tenant for your Microsoft 365 subscription. The user account in Azure AD might also include a hashed version of the already hashed AD DS user account password. For authentication there are several options: password hash synchronization, pass-through authentication, and federation with ADFS. |
How is idemeum integrated with O365?
idemeum can be federated directly with AAD using the SAML protocol. When federating directly with Azure AD, idemeum supports the cloud-only model as well as the hybrid models (password hash sync and pass-through authentication).
Integrate idemeum with Azure AD
We are going to go through three simple steps to integrate idemeum with your Microsoft identity environment.
- Request idemeum tenant
- Configure Azure AD for federation
- Test user sign-in
All additional Microsoft documentation and useful links can be found in the footnotes.
⚙️ 1. Request idemeum tenant
As a first step, reach out to the idemeum team at firstname.lastname@example.org with a request to provision an idemeum tenant. Please let us know that you will be integrating idemeum with Azure AD.
We will need several things from you:
- Preferred tenant name - we will provision a tenant name for you based on your preferences. The tenant name will be in the form of
- Company logo - share your company logo with us so that we can display it on every login page request as well as in the application when users log into your company resources. We will need the image in the
As a result of tenant provisioning we will share the configuration details with you, so that you can later use them in your Azure AD configuration:
- $LogOnUrl - SAML LogOn URL.
- $LogOffUrl - SAML LogOff URL.
- $SigningCert - signing certificate used to establish the federation trust.
- $IssuerUri - URI that identifies idemeum as the issuer in SAML responses.
You can always get this and additional information from your SAML metadata XML file, which is available at the following link:
https://<your tenant name>/api/saml/metadata/idp.xml. Replace <your tenant name> with the actual tenant name that we provision for you.
🧑🏿🤝🧑🏼 2. Configure Azure AD for federation
After signing up for Office 365, the only domain associated with your account is the onmicrosoft.com subdomain chosen during registration (for example, contoso.onmicrosoft.com). To allow users to SSO to Azure AD and Office 365, it is recommended to add another domain to the environment. If you already have such a domain added and verified, you can use that.
Make sure you have an admin account on another domain
Once you configure an Azure AD domain to be federated, you will no longer be able to use local login for accounts associated with that domain. Therefore, if something is wrong with the configuration, you might lock yourself out. To prevent that, make sure you have an admin account created on another domain (for instance on your onmicrosoft.com domain), so that you can always use that account to log in and revert the federation configuration.
We will be using PowerShell to configure the Azure AD domain for federation [1].
- Launch PowerShell on a Windows machine.
- Install the MSOnline PowerShell module if you have not already.
- Connect to the MSOnline service. You will need to authenticate with your Azure AD Portal admin credentials.
- Check your existing domains and their federation settings.
- Check your current domain federation settings. If the current setting is `federated`, you will first need to convert the domain to the `managed` setting:
Set-MsolDomainAuthentication -DomainName <yourdomain> -Authentication managed
- Now you can configure your domain with federation settings. Take a look at the example below. The following variables are used:
- $Domain - the domain that you are planning to federate with idemeum.
- $BrandName - the name that you will use for the federation.
- $LogOnUrl - the SAML LogOn URL. We will share this URL with you as part of onboarding.
- $LogOffUrl - the SAML LogOff URL. We will share this URL with you as part of onboarding.
- $SigningCert - the signing certificate used to establish the federation trust. We will share this certificate with you as part of onboarding.
- $IssuerUri - the URI that identifies idemeum as the SAML issuer.
- $Protocol - the protocol to use for federation. In our case it is SAML.
- Verify that the settings are successfully configured for your domain.
Get-MsolDomainFederationSettings -DomainName <your domain here> | Format-List *
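The steps above as one MSOnline script, written as an added example (not the original page's code). It assumes the placeholders in the "fill in" section are replaced with your own domain and the values idemeum shares at onboarding, and that the idemeum metadata XML follows the standard SAML IdP metadata layout (EntityDescriptor/IDPSSODescriptor/KeyDescriptor). It also adds a lock-out guard that refuses to federate unless a Global Administrator exists on a domain other than the one being federated.

```powershell
# Added example: federate one Azure AD domain with idemeum over SAML via MSOnline.
# --- fill in: placeholders, replace with your own values / onboarding values ---
$Domain     = "sso.example.com"                  # placeholder: domain to federate
$BrandName  = "idemeum"                          # placeholder: federation brand name
$TenantHost = "<your tenant name>"               # placeholder: idemeum tenant host
$LogOnUrl   = "https://$TenantHost/<logon path>" # placeholder: from onboarding
$LogOffUrl  = "https://$TenantHost/<logoff path>"# placeholder: from onboarding
$Protocol   = "SAMLP"                            # SAML 2.0 (the other value is WsFed)

if (-not (Get-Module -ListAvailable -Name MSOnline)) {
    Install-Module -Name MSOnline -Scope CurrentUser
}
Connect-MsolService   # prompts for Azure AD admin credentials

# Lock-out guard: at least one Global Administrator must live on a domain that
# is NOT being federated, so you can still sign in and revert the change.
$adminRole = Get-MsolRole -RoleName "Company Administrator"
$fallback  = Get-MsolRoleMember -RoleObjectId $adminRole.ObjectId |
             Where-Object { $_.EmailAddress -notlike "*@$Domain" }
if (-not $fallback) { throw "No Global Administrator outside $Domain; create one first." }

# Read the signing certificate and issuer from idemeum's SAML IdP metadata.
# Assumes standard metadata: KeyDescriptor with use="signing" (or no use attribute).
$metaUrl = "https://$TenantHost/api/saml/metadata/idp.xml"
[xml]$meta = (Invoke-WebRequest -Uri $metaUrl -UseBasicParsing).Content
$keyDesc = $meta.EntityDescriptor.IDPSSODescriptor.KeyDescriptor |
           Where-Object { -not $_.use -or $_.use -eq "signing" } | Select-Object -First 1
$SigningCert = ($keyDesc.KeyInfo.X509Data.X509Certificate) -replace '\s', ''  # base64 body only
$IssuerUri   = $meta.EntityDescriptor.entityID   # SAML Issuer; should match the onboarding value

# A domain that is already federated must be converted to managed first.
if ((Get-MsolDomain -DomainName $Domain).Authentication -eq "Federated") {
    Set-MsolDomainAuthentication -DomainName $Domain -Authentication Managed
}

Set-MsolDomainAuthentication -DomainName $Domain `
    -Authentication Federated `
    -FederationBrandName $BrandName `
    -PassiveLogOnUri $LogOnUrl `
    -LogOffUri $LogOffUrl `
    -IssuerUri $IssuerUri `
    -SigningCertificate $SigningCert `
    -PreferredAuthenticationProtocol $Protocol

# Verify: IssuerUri, PassiveLogOnUri and SigningCertificate should echo what was set.
Get-MsolDomainFederationSettings -DomainName $Domain | Format-List *
```

Run it from the fallback admin account rather than one on $Domain, so a mistake in the URLs or certificate cannot lock you out of the session you would use to roll back with `-Authentication Managed`.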
🧪 3. Test user sign-in
Once you are done with the configuration you can quickly test the user sign-in flow.
- Open an incognito browser window and navigate to
- Enter the email address of the account that you would like to sign into. Once you do that, you will be redirected to idemeum for login. You will see a QR code that you need to scan with the idemeum application.
- Once you scan the QR code with the idemeum application and approve the sign-in, you will be redirected to Office 365.
🎉 Congratulations! You have successfully integrated idemeum and protected your O365 deployment with passwordless authentication.