
Setup Office 365 Federation & Provisioning (Cloud Users)

Purpose

Federated identity with Practice Protect offers the best overall end-user SSO experience in the Microsoft cloud and offers unique security options not available in standard deployments. Once Federation & Provisioning is in place all Microsoft 365 Identities will be managed from Practice Protect and login at the Microsoft 365 website is no longer possible.

Similar to pass-through authentication, user logon attempts are passed back to the Practice Protect farm to validate logins against your custom policies. Outlook/Skype For Business 2013 or later will leverage modern authentication to communicate with Practice Protect. Web browsers will get redirected to Practice Protect to complete their authentication. This lets us use what’s called SmartLinks technology to allow users to log on directly to SharePoint and other Microsoft 365 Apps without entering a username or password.

We also have access to security features not available in other scenarios. We can enable client access filtering which lets us restrict access to Microsoft Cloud services based on IP address (commonly used when we have hourly employees who shouldn’t be able to check email from home). We also provide multi-factor authentication.

Prerequisites

Instructions

    1. Under Core Services Click on Roles –> Click on Add Role –> Type Office 365 Email Integration Users on the Name field, then Click Save
    2. The newly created role (Office 365 Email Integration Users) should now show up on the list. Click on the Office 365 Email Integration Users role –> Click Members –> Click Add –> On the search field type the Name of the user(s) –> Tick the box on the side of the Name then Click Add –> Click Save (You need to add to the Role all user accounts that have active, matching accounts in both Practice Protect and Office 365).
    3. Log in to the Microsoft 365 Portal using the Service Account (Global Admin). Enter the Username and Password then Click Sign in. If you have not yet set up the Service Account, follow the following guide.
    4. Click on Admin to go to the Admin Center. 
    5. On the Admin center, Click on Setup –> Click Domains –> On the Domain name select the Domain with .onmicrosoft.com then Click Set as default.  
    6. Go to Users –> Click on Active users –> Notice that the Username is using the correct domain (without .onmicrosoft.com). We need to use the correct domain, especially for New User Creation, as this will sync up with O365. For existing users in O365 the username to be created should be exactly the same as the one in O365; otherwise a separate account would be created upon first synchronization.
    7. Go back to the Client’s Practice Protect Admin Portal. Click on Apps –> Add WebApps –> Type Office 365 on the search field –> Select Office 365 (WS-Fed +Provisioning) –> Click Add 
    8. On the Add Web App page, click Yes
    9. On the Application Settings, select Token Based Authentication then enter the Directory ID, Client ID, and Client Secret registered in Microsoft Entra ID.
    10. Click Verify
    11. Under the Advanced settings, paste the script below after line 76. Then Save. This configuration sets the Issuer URI/URN for the SAML token response and identifies the domain that the token is associated with.
      // take the domain part of the signing-in user's UPN (everything after '@')
      var UserMail = LoginUser.Get('userprincipalname');
      var URN = UserMail.split("@")[1];
      // issuer of the token becomes URN:<domain>, e.g. URN:youremaildomain.com
      setAttribute('IssuerName', 'URN:' + URN);

    12. Click on Provisioning. Then, tick the box on the side of Enable provisioning for this application.
    13. On the Warning page tick the box Do not show again then click Close
    14. Leave Live Mode selected and tick Enable Hybrid Exchange Support. This means that any changes (on the user details) will be reflected in Office 365.
    15. Scroll down and go to Sync Options: select the radio button Sync (overwrite) users to target application when existing users are found with the same principal name. Leave the option Do not de-provision (deactivate or delete) users in the target application when the users are removed from the mapped role.
    16. Under Deprovisioning Rules, Click Add Rule and make sure to add and set the following rules (Event & Deprovisioning Action)
      1. User Disabled in Active Directory – Leave User Unmodified
      2. User Deleted in Active Directory – Leave User Unmodified
      3. User Removed from Role or Provisioning – Leave User Unmodified

        NOTE:
        It is important to set the above rules as, without them, any user deleted from Practice Protect will be de-licensed in Microsoft 365.
    17. Scroll down and go to Role Mappings, Select the radio button User is assigned licenses mapped to each role they are a member of (role order has no effect). Click Add
    18. On the License and Attributes page, Select Office 365 Email Integration Users for the Role created in Step 2. Don’t assign any licenses and click Done. Optional – If you would like to sync licensing you can follow the following guide.
    19. Click Save.
    20. Scroll down to Provisioning Script and expand. Replace the existing script with the below Script.
      if (isPerson()) {
        // country-based usage location, e.g. "US" or "AU"
        destination.UsageLocation = "AU";
        destination.Mail = source.CanonicalizeName;
      }

    21. Then click Save to apply the script. 

    22. Run a manual synchronization. Under Settings go to Users > Outbound Provisioning > Provisioning Enabled Application –> Select Office 365 or Microsoft 365 (depending on the name of the app added), then click on Start Sync.
    23. View the real-time status of synchronization by clicking on View Synchronization Job Status and Reports. Once the Synchronization is successful and completed for all users, any changes in Practice Protect will be reflected in Office 365. 
    24. Enable ADAL/Modern Authentication in Office 365 through this page – this applies the Practice Protect sign-in security mechanisms (Geolock, MFA, and other policies), as Basic Authentication doesn’t prompt for Multi-Factor Authentication.
    25. This completes the backend configuration of Office 365 Federation with provisioning in Practice Protect.
  1. Enabling Office365 Email Integration/Federation

    1. Return to the Office365 tile in the Admin Portal.

    2. On Permissions, Add the role that contains the user for email integration (i.e. Office 365 Email Integration Users) and click Save to apply. This should display the app on their user portal and can be used once federated. 

    3. Return to the Application Settings and then, on the Office 365 Domains section, tick the box beside the Domain(s) Name (i.e. youremaildomain.com) –> Click Actions –> Select Download PowerShell Script and save the downloaded file, as it will be used in the following steps to federate.

    4. Go to the downloaded file from Step 3 and right-click –> click Run with PowerShell. This will prompt you to log in and authenticate. Use the Office365 Admin Account. 

    5. With the prompt “What Action Would You Like To Do?” press F. The script will run and federate your domain.

    6. Once the script is completed, go back to the Office365 web app settings in Practice Protect. On the Office 365 Domains section check the Type of the domain (i.e. cbpaccountant.com); it should now be Federated. (Optional) Refresh the page to show the latest state and type.

    7. (Optional) Repeat steps 3 to 6 to federate other domains. 

    8. Test that federation is working by signing in to a user account in Office 365. Once you type the user name/email address, the page will redirect to Practice Protect.

    9. To authenticate and access, log in using active Practice Protect account credentials.

    10. If you have your Office 365 Email configured on Outlook Desktop or Mobile, you will be prompted to log in with your Practice Protect Account. Most likely it is not synced.

    11. Post Federation, Practice Protect recommends disabling legacy protocols/basic authentication (i.e. POP, IMAP, AUTH SMTP) in Office365. Please see the following guide.
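The following PowerShell is an added example and is not the Practice Protect script or any code from the guide. It checks the outcome of steps 5 and 6 (the domain is Federated and the issuer registered in Entra ID matches the URN:<domain> value the step 11 Advanced-settings script stamps into tokens, which is assumed to be what the downloaded federation script registered) and then enforces steps 24 and 11 (modern authentication on, legacy protocols off). It assumes the Microsoft.Graph and ExchangeOnlineManagement modules are installed and that you sign in with the Global Admin service account; the domain name is a placeholder.

```powershell
# Added example (not from the Practice Protect guide). Post-federation checks and hardening.
# Assumes Microsoft.Graph and ExchangeOnlineManagement modules; domain names are placeholders.
$Domains = @("youremaildomain.com")   # the domain(s) federated with the downloaded script

# --- 1. Confirm each domain is federated and which issuer Entra ID expects ---
Connect-MgGraph -Scopes "Domain.Read.All" -NoWelcome
foreach ($d in $Domains) {
    $dom = Get-MgDomain -DomainId $d
    if ($dom.AuthenticationType -ne "Federated") {
        Write-Warning "$d is still '$($dom.AuthenticationType)'; re-run the federation script (step 4, action F)"
        continue
    }
    $fed = Get-MgDomainFederationConfiguration -DomainId $d
    # Assumption: the federation script registered 'URN:<domain>', the same issuer the
    # step 11 script sets on tokens. A mismatch means Entra ID rejects the SAML response.
    $expected = "URN:$d"
    if ($fed.IssuerUri -ne $expected) {
        Write-Warning "$d registered issuer is '$($fed.IssuerUri)' but tokens will carry '$expected'"
    }
    Write-Output ("{0}: Federated, passive sign-in endpoint {1}" -f $d, $fed.PassiveSignInUri)
}

# --- 2. Modern auth on (step 24); legacy/basic auth off (section 2, step 11) ---
Connect-ExchangeOnline -ShowBanner:$false
if (-not (Get-OrganizationConfig).OAuth2ClientProfileEnabled) {
    Set-OrganizationConfig -OAuth2ClientProfileEnabled $true   # Outlook uses modern auth
}
# Tenant-wide SMTP AUTH off; per-mailbox SmtpClientAuthenticationDisabled = $null inherits this.
Set-TransportConfig -SmtpClientAuthenticationDisabled $true

# Mailboxes that still accept POP/IMAP/SMTP AUTH bypass the Practice Protect policies
# (MFA, Geolock) because basic auth never redirects to Practice Protect. Find and close them.
$exposed = Get-CASMailbox -ResultSize Unlimited |
    Where-Object { $_.PopEnabled -or $_.ImapEnabled -or ($_.SmtpClientAuthenticationDisabled -eq $false) }
foreach ($mbx in $exposed) {
    Write-Output "Disabling legacy protocols on $($mbx.PrimarySmtpAddress)"
    Set-CASMailbox -Identity $mbx.Identity -PopEnabled $false -ImapEnabled $false `
        -SmtpClientAuthenticationDisabled $true
}
```

Run the first section right after step 6 and the second after step 11; Set-CASMailbox changes take effect for new connections only, so existing POP/IMAP sessions end when their current connection drops.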


Updated on September 26, 2024
