Integrate with Microsoft

If your company uses Office 365, your corporate address book already resides in Azure AD, which you can integrate directly with Federated Directory.

Features

Authentication with Microsoft

Enable Single Sign On authentication by using Microsoft as your identity provider.

This removes the option to authenticate with your Federated Directory credentials and instead redirects users to Microsoft for authentication.

User management by Azure AD

The following provisioning features are supported when using provisioning from Azure AD to Federated Directory:

  • Create Users: New or existing users in your Azure AD will be pushed to Federated Directory as new users.
  • Update User Attributes: Updates to user profiles in your Azure AD will be pushed to Federated Directory.
  • Deactivate Users: Users deactivated in your Azure AD will be automatically disabled in Federated Directory, but their contact data can still be found. If reactivated, users will regain access to Federated Directory.

The following attributes will be synchronized to Federated Directory:

Display Name           Variable Name        Mandatory
User Name              userPrincipalName    ✔️
Display name           displayName          ✔️
Given name             givenName
Last name              surName
Mail                   mail
Office phone           telephoneNumber
Mobile Phone           mobile
Street address         streetAddress
City                   city
State or province      state
ZIP or postal Code     postalCode
Country or region      country
Preferred language     preferredLanguage
Employee number        employeeNumber
Cost center            costCenter
Job title              jobTitle
Department             department
Manager                manager
Object ID              objectId

The first two attributes are mandatory; all other attributes can be excluded from provisioning in Azure AD.

Prerequisites

You will need to add Federated Directory as an Enterprise Application to your Azure AD. The easiest way to do this is to sign up to Federated Directory with a Microsoft account that has administrative privileges within your Azure AD.

This will automatically create the Federated Directory enterprise application in your Azure AD.

Add Federated Directory to Azure AD Enterprise Applications
If you already signed up manually and want to integrate with Azure AD, you will have to perform the following three steps.
  1. Inside your Federated Directory create a new directory to be integrated with your Microsoft environment. Switch the Authentication method to 'Microsoft accounts'.

  2. Inside this new directory, create a new user. The username of this user should be identical to the user name (userPrincipalName) of the Azure AD user you will use to log on to Federated Directory in the next step.

  3. Log out and, on the login screen, switch to the new directory you just created. Click the button "Log in with your Microsoft account". Microsoft will ask for permission to access your profile. After approval you will be logged in as the user you just created, and Federated Directory is created inside your Azure AD as an Enterprise Application.

Configuration steps

You are now ready to finalize the integration with Azure AD.

Authentication with Microsoft

The steps you have taken in the prerequisites chapter are enough to enable authentication with a Microsoft account.

The directory that contains your users should be configured with Authentication Method set to 'Microsoft Accounts'. The usernames of the users in this directory should be identical to the userPrincipalName of the corresponding Azure AD user.

User management by Microsoft

If you want to automatically provision your users and their profiles from Azure AD to Federated Directory, follow the steps below.

  1. In Federated Directory, go back to the directory you want to integrate with Microsoft and select the "keys" tab.
  2. Create a new key. Give it a name, like "Microsoft integration key". Once created, copy the "access token". You will need it in the next steps.
    Get directory key access token in Federated Directory
  3. Go to the Azure AD portal > Enterprise applications and select the Federated Directory application (see Prerequisites if you don't see the application there).
  4. Go to "Provisioning" in the menu and switch the Provisioning Mode to "Automatic".
  5. Under Admin Credentials enter:
    • Tenant URL: https://api.federated.directory/v2
    • Secret Token: The access token created in step 2

Optionally, enter a notification email address if you want to be notified when a provisioning failure occurs.

  6. Click "Test Connection" to verify that the connection works. If it succeeds, click Save.
  7. At the bottom of the page, switch 'Provisioning Status' to On.
  8. Switch the Scope to "Sync all users and groups". If you want more control over which Azure AD users are synced to Federated Directory, keep it at "Sync only assigned users and groups".
  9. Save the settings again.

That is it. Your Azure AD users will now be synced to Federated Directory. Keep in mind that it can take Azure AD several minutes (sometimes more than 30 minutes) to actually start provisioning the users to us. Look at the bottom of the provisioning page for the status.

Known limitations

Microsoft user provisioning does not support the actual deletion of a user. When Federated Directory is unassigned from a user or when a user is deleted in Azure AD, that user will not be removed from Federated Directory. It will only be disabled for now.
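The provisioning rules from the Features section (mandatory attributes, deactivate/reactivate) and the deletion limitation above, modelled as a small in-memory directory. This is an added example, not Federated Directory's own code; keying users on userPrincipalName and the method names are assumptions.

```python
# Added example: an in-memory model of how Azure AD provisioning events land in
# Federated Directory, following the rules described on this page (not the
# product's own code). Keying on userPrincipalName is an assumption.
from dataclasses import dataclass

# Attribute names from the synchronization table; only the first two are mandatory.
MANDATORY = ("userPrincipalName", "displayName")
OPTIONAL = ("givenName", "surName", "mail", "telephoneNumber", "mobile",
            "streetAddress", "city", "state", "postalCode", "country",
            "preferredLanguage", "employeeNumber", "costCenter", "jobTitle",
            "department", "manager", "objectId")


@dataclass
class DirectoryUser:
    attributes: dict
    active: bool = True   # disabled users keep their contact data


class ProvisioningTarget:
    """Applies create / update / deactivate events pushed from Azure AD."""

    def __init__(self):
        self.users = {}

    def create_user(self, attrs):
        # Reject payloads that lack a mandatory attribute or carry unknown ones.
        missing = [a for a in MANDATORY if not attrs.get(a)]
        if missing:
            raise ValueError(f"missing mandatory attribute(s): {missing}")
        unknown = set(attrs) - set(MANDATORY) - set(OPTIONAL)
        if unknown:
            raise ValueError(f"unsupported attribute(s): {sorted(unknown)}")
        upn = attrs["userPrincipalName"]
        self.users[upn] = DirectoryUser(dict(attrs))
        return upn

    def update_user(self, upn, changes):
        self.users[upn].attributes.update(changes)

    def set_active(self, upn, active):
        # Deactivation removes access only; reactivation restores it.
        self.users[upn].active = active

    def delete_user(self, upn):
        # Known limitation: deletion or unassignment in Azure AD only disables here.
        self.set_active(upn, False)

    def can_log_in(self, upn):
        user = self.users.get(upn)
        return user is not None and user.active

    def contact(self, upn):
        # Contact data remains findable even for disabled users.
        return self.users[upn].attributes
```

Because deleted Azure AD users only become disabled, a periodic review of inactive accounts in Federated Directory is the practical way to keep the address book clean.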

Occasionally a Secret Token that worked before becomes invalid and the connection test fails. When the 'Save' button is pressed multiple times, Azure AD sometimes stores the Secret Token incorrectly. Create a new token in Federated Directory and save it again in Azure AD, and don't forget to remove the old token from Federated Directory.

Last updated on 9th Jul 2019