1. Home
  2. Applications
  3. Office 365
  4. Setup Office 365 Federation & Provisioning (Cloud Users)

Setup Office 365 Federation & Provisioning (Cloud Users)

Purpose

Federated identity with Practice Protect offers the best overall end user SSO experience in the Microsoft cloud and offers unique security options not available in standard deployments. Once Federation & Provisioning is in place all Office 365 Identities will be managed from Practice Protect and login at the Office 365 website is no longer possible.

Similar to pass-through authentication, user logon attempts are passed back to the Practice Protect farm to validate logins against your custom polices. Outlook/Skype For Business 2013 or later will leverage modern authentication to communicate with Practice Protect. Web browsers will get redirected to the Practice Project to complete their authentication. This lets us use what’s called SmartLinks technology to allow users to logon directly to SharePoint and other Office 365 Apps without entering a username or password.

We also have access to security features not available in other scenarios. We can enable client access filtering which lets us restrict access to Microsoft cloud services based on IP address (commonly used when we have hourly employees that shouldn’t be able to check email from home). We also provide multi-factor authentication.

Prerequisites

Instructions

  1. Under Core Services Click on Roles –> Click on Add Role –> Type Office 365 on the Name field, then Click Save
  2. Newly created Role (Office 365) should now show up on the list . Click on Office 365 role –> Click Members –> Click Add –> On the search field type the Name of the user(s) –> Tick the box on the side of the Name then Click Add –> Click Save (You need to add all user accounts that have accounts in Office 365 to the Role).
  3. Login to O365 portal using the O365 Service Account. Enter the Username and Password then Click Sign in.  If you have not setup the Service Account follow the following guide.
  4. Click on Admin to go to the Admin Center. 
  5. On the Admin center, Click on Setup –> Click Domains –> On the Domain name select the Domain with .onmicrosoft.com then Click Set as default.  
  6. Go to Users –> Click on Active users –> Notice that the Username is using the correct domain (without .onmicrosoft.com). We need to use the correct domain especially for New User Creation as this will sync up with O365. For existing users in O365 the username to be created should be exactly the same with the one in O365, otherwise it would create a separate account upon first synchronization. 
  7. Go back to the Clients Admin Portal. Click on Apps –> Add WebApps –> Type Office 365 on the search field –> Select Office 365 (WS-Fed +Provisioning) –> Click Add 
  8. On Add Web App page, click Yes
  9. On the Application Settings, click Token Based Authentication enter the Directory ID, Client ID and Client Secret that was registered in AzureAD.
  10. Click Verify
  11. Click on User Access –> On Select Roles that can access this app, tick the box beside Office 365 –> Click Save
  12. Click on Provisioning –> Tick the box on the side of Enable provisioning for this application.
  13. On the Warning page tick the box Do not show again then click Close
  14. Leave the default which is in Live Mode. This means that any changes (on the user details) will be reflected in O365.
  15. Enable Hybrid Exchange Support (This is required for syncing secondary email alias’s).
  16. Scroll down and go to Sync Options: select the radio button Sync (overwrite) users to target application when existing users are found with the same principal name. Leave the option Do not de-provision (deactivate or delete) users in target application when the users are removed from mapped role.
  17. Under Deprovisioning Rules, for “User Disabled in Active Directory” change Deprovisioning Action to “Leave User Unmodified”. This rule will apply for both In-Cloud users and Active Directory users (if used).
  18. Scroll down and go to Role Mappings, Select the radio button User is assigned licenses mapped to each role they are a member of (role order has no effect). Click Add
  19. On the License and Attributes page, Select Office 365 for the Role created in step 2. Don’t assign any licenses and click Done. Optional – If you would like to sync licensing you can follow the following guide.
  20. Click Save.
  21. Scroll down to Provisioning Script and expand. Copy over the default script with the below Script.


    if (isPerson()) {

    //UsageLocation

    destination.UsageLocation = “AU”;

    destination.Mail = source.CanonicalizeName;

    }

21. Click Save.

22. Go to Settings –> Click Users –> Click on Outbound Provisioning –> Tick the box Run synchronization daily for all enabled applications –> On Sync Start Time (UTC / local time), select the timeframe to run the synchronization. The synchronization runs daily on the specified time. 

23. Click Save.

24. This completes the Setup of Office 365 Federation with provisioning in Practice Protect.

25. You can run a manual synchronization. Go to Provisioning Enabled Application –> Select Office 365, then Click on Start Sync

26. You can view the real time status of synchronization by clicking on View Synchronization Job Status and Reports. Once the Synchronization completes any changes in Practice Protect Online will reflect in the Office 365 portal.

27. On Core Services, click Polices > Default Policies > Application Policies > User Settings. Untick the box beside Enforce application challenge with WS-Trust. Click Save.

28. Repeat step 32 on all Active Policies.

29. Go back to O365 app settings in Practice Protect. On the Office 365 Domains section, tick the box beside the Domain(s) Name (i.e. cbpaccountant.com) –> Click Actions –> Select Download Powershell Script and save the downloaded file as it will be used in the next step.

30. Go to the downloaded file from step 29 and Right Click –> click Run with PowerShell. it will ask you to login to your O365 account, Use the O365 Service Account from step 3.

31. it will ask you “What Action Would You Like To Do?” press F. The script will run and federate your account.

32. Once the script is completed, Go back to O365 app settings in Practice Protect, Refresh the page. On the Office 365 Domains section check the Type of the domain (i.e. cbpaccountant.com) , It must be Federated (sometimes it can take couple of mins to complete the setup).

33. Repeat from step 29 to 32 for all Domains with Users.

34. Test federation if it is working by logging into a User account at Office 365, Once you type the user name the page will redirect to Practice Protect.

35. Now login with the users Practice Protect account.

36. You will now be directed back to Office 365.

37. Now you need to Enable ADAL for O365 Clients with Federation – To enforce modern authentication to enforce policy and MFA restrictions.  As Basic Authentication cannot enforce MFA.

38. If you have your Office 365 Email configured on Outlook or Mobile you will now be prompted to login with your Practice Protect Account. 

39. Now follow the following guide to Disable Legacy & Basic Authentication to lock out any attacks on Basic End Points. 

 

Updated on July 29, 2021

Related Articles