Integrate with Microsoft
If your company uses Office 365, your corporate address book resides in Azure AD, which you can integrate with Federated Directory.
Authentication with Microsoft
Enable Single Sign On authentication by using Microsoft as your identity provider.
This removes the option to authenticate with your Federated Directory credentials and instead redirects users to Microsoft for authentication.
User management by Azure AD
The following provisioning features are supported when using provisioning from Azure AD to Federated Directory:
- Create Users: New or existing users in your Azure AD will be pushed to Federated Directory as new users.
- Update User Attributes: Updates to user profiles in your Azure AD will be pushed to Federated Directory.
- Deactivate Users: Users deactivated in your Azure AD will be automatically disabled in Federated Directory, but their contact data can still be found. If reactivated, users will regain access to Federated Directory.
The following attributes will be synchronized to Federated Directory:
| Display Name | Variable Name | Mandatory |
| State or province | state | |
| ZIP or postal Code | postalCode | |
| Country or region | country | |
The first two attributes are mandatory; all other attributes can be disabled from provisioning in Azure AD.
You will need to add Federated Directory as an Enterprise Application to your Azure AD. The easiest way to do this is to sign up to Federated Directory with a Microsoft account that has administrative privileges within your Azure AD.
This will automatically create the Federated Directory enterprise application in your Azure AD.
In case you already signed up manually and want to integrate with Azure AD, you will have to perform the following three steps.
Inside your Federated Directory, create a new directory which will be integrated with your Microsoft environment. Switch the Authentication method to 'Microsoft accounts'.
Inside this new directory, create a new user. The username of this user should be identical to the user name (userPrincipalName) in Azure AD that you will use to log on to Federated Directory in the next step.
Log out and go to the login screen. Here you should switch to the new directory you just created. Click on the button 'Log in with your Microsoft account'. Microsoft will ask for permission to access your profile. After approval you will be logged in as the user you just created, and Federated Directory is created inside your Azure AD as an Enterprise Application.
You are now ready to finalize the integration with Azure AD.
Authentication with Microsoft
The steps you have taken in the prerequisites chapter are enough to enable authentication with a Microsoft account.
The directory that contains your users should be configured with Authentication Method set to 'Microsoft Accounts'. The usernames of the users in this directory should be identical to the userPrincipalName of the Azure AD user.
User management by Microsoft
If you want to automatically provision your users and their profiles from Azure AD to Federated Directory, follow the steps below.
- In Federated Directory, go back to the directory you want to integrate with Microsoft and select the "keys" tab.
- Create a new key. Give it a name, like "Microsoft integration key". Once created, copy the "access token". The "access token" is only shown once, directly after the creation of a directory key. You will need it in step 5.
- Go to the Azure AD portal > Enterprise applications and select the Federated Directory application. (see prerequisites if you don't see our application there).
- Go to "Provisioning" in the menu and switch the Provisioning Mode to "Automatic".
- Under Admin Credentials enter:
- Tenant URL:
- Secret Token: The access token created in step 2
You can optionally enter a notification email if you want to be notified when a failure occurs.
- Click “Test Connection” to ensure the connection is working. If ok, click Save.
- At the bottom of the page, switch 'Provisioning Status' to
- Switch the Scope to "Sync all users and groups". If you want more control over which Azure AD users are synced to Federated Directory, keep it at "Sync only assigned users and groups".
- Save the settings again.
That is it. Your Azure AD users will now be synced to Federated Directory. Keep in mind that it could take Azure AD a couple of minutes (sometimes more than 30 minutes) to actually start provisioning the users to us. Look at the bottom of the provisioning page for the status.
Microsoft user provisioning does not support the actual deletion of a user. When Federated Directory is unassigned from a user or when a user is deleted in Azure AD, that user will not be removed from Federated Directory. It will only be disabled for now.
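As an added illustration (not Federated Directory's own code), the following Python model applies the provisioning behaviour listed under "User management by Azure AD" together with the no-deletion rule just described: users are created and updated with the synchronized attributes, and a deactivation, deletion or unassignment in Azure AD only disables the user, whose contact data stays findable. The access token value, the class and method names, and the sample attribute values are constructed for this example.

```python
import hmac
from dataclasses import dataclass, field

# Constructed placeholder standing in for a directory key's "access token"; not a real secret.
ACCESS_TOKEN = "placeholder-directory-key-access-token"
# The attributes the page lists as synchronized from Azure AD; anything else is dropped.
SYNCED_ATTRIBUTES = ("state", "postalCode", "country")

@dataclass
class User:
    upn: str  # must match the Azure AD userPrincipalName
    active: bool = True
    attributes: dict = field(default_factory=dict)

def synced_only(attrs: dict) -> dict:
    return {k: v for k, v in attrs.items() if k in SYNCED_ATTRIBUTES}

class ProvisioningTarget:  # in-memory model of how provisioning events land in the directory
    def __init__(self):
        self.users = {}

    def authorize(self, secret_token: str) -> bool:
        # Check the Secret Token Azure AD presents, in constant time.
        return hmac.compare_digest(secret_token, ACCESS_TOKEN)

    def create_user(self, upn: str, attrs: dict) -> User:
        # "Create Users": a new entry holding only the synchronized attributes.
        self.users[upn] = User(upn, attributes=synced_only(attrs))
        return self.users[upn]

    def update_user(self, upn: str, attrs: dict) -> User:
        # "Update User Attributes": profile changes in Azure AD are pushed through.
        self.users[upn].attributes.update(synced_only(attrs))
        return self.users[upn]

    def set_active(self, upn: str, active: bool) -> User:
        # "Deactivate Users": disabled, not removed; reactivating restores access.
        self.users[upn].active = active
        return self.users[upn]

    def delete_user(self, upn: str) -> User:
        # Deletion or unassignment in Azure AD only disables the user here.
        return self.set_active(upn, False)

    def can_log_in(self, upn: str) -> bool:
        return upn in self.users and self.users[upn].active

    def lookup_contact(self, upn: str):
        # Contact data stays findable even for disabled users.
        return dict(self.users[upn].attributes) if upn in self.users else None
```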
Sometimes a Secret Token that worked before is no longer valid and connection tests fail. When the 'Save' button is pressed multiple times, Azure AD sometimes stores the Secret Token incorrectly. Just create a new token in Federated Directory and save it again in Azure AD. Don't forget to remove the old token from Federated Directory.