黑料海角91入口

Use 黑料海角91入口 SAML Single Sign On (SSO) to connect Microsoft 365/Entra ID (M365) with 黑料海角91入口 to give your users convenient but secure access with a single set of credentials.

Read this article to learn how to setup 黑料海角91入口's SSO connector for M365.

Prerequisites

• All users who will be using M365 SSO must be associated (bound) to the M365 Cloud Directory Integration instance prior to configuring SSO and enabling federation in M365. Users who are not bound to the M365 Cloud Directory Integration will NOT be able to login using SSO, because they will be missing the required M365 immutable ID.
• PowerShell is required to modify M365 Federation configurations:
  •   can be used on any computer (Windows, macOS, Linux) with the following required modules:
    • (optional, when using M365 for hosted custom domain email for Exchange Online)
• The M365 Cloud Directory integration allows you to create and manage M365 user identities directly from 黑料海角91入口. See the following articles for more information:
  • Understand the Difference Between the Microsoft 365 Directory Integration and SAML Connector
  • Microsoft 365 Integration Scenarios
  • Microsoft 365 User Import Provisioning
  • Giving 黑料海角91入口 Users Access to Microsoft 365 

• Verify you have 鈥淕lobal administrator鈥� level access to your M365 tenant/organization.
  • Go to Azure Active Directory > Users > select the user > Assigned Roles. Your account should have 鈥淕lobal administrator鈥� listed
• Modern Authentication must be enabled on the M365 tenant
• If MFA is enforced on end users in both environments, they will be prompted for MFA twice during the login process - once in 黑料海角91入口 and again in M365
• Confirm the following in Azure Active Directory > Custom Domain Names
  • The domain you would like to federate (e.g., YOUR_DOMAIN.com) is listed, verified, and not the Primary/(Default)
  • The onmicrosoft.com default domain or another domain you do not want to federate is the Primary/ (Default) domain. Set up a global admin account in your default domain (for example, admin@YOUR_DOMAIN.onmicrosoft.com) so that there is an admin account that can sign in outside of SSO as a failsafe
• Federation must be disabled on the target domain. If you need to disable Federation, see Disable Microsoft 365 Federation with PowerShell

Considerations

Important Considerations

• In M365, MFA is automatically turned on when security defaults are enabled, regardless of your other MFA settings. If 黑料海角91入口 MFA is enabled while also having M365 MFA enabled, end users will encounter two separate MFA prompts during the same login. See Troubleshooting to disable these settings
• The default domain in M365 cannot be federated
• When SSO is enabled, all users in the email domain you鈥檙e configuring SSO for are affected. After SSO is enabled, users aren't able to log in to Microsoft 365 using password authentication

General Considerations

• At this time, 黑料海角91入口 doesn't support integration with GoDaddy's implementation of M365. This version has limited identity management capabilities that require SSO login with GoDaddy's services to operate appropriately. Because of these requirements, we are prohibited from making changes to identities with the GoDaddy integration
• After a M365 domain is federated, the Microsoft applications your employees use to access their email may work differently, especially older 鈥渓egacy鈥� applications. See the following articles for more information:
  • Enable Modern Authentication for Microsoft 365.

Entra Sync Considerations

• SSO with existing Entra Connect or Entra Connect Cloud Sync - If you want to use 黑料海角91入口's SSO, but still use a local Active Directory to manage your M365 users, you must import your users into 黑料海角91入口 using the Directories tool before SSO becomes available

• If you are migrating your M365 users from Entra Connect or Entra Connect Cloud Sync to 黑料海角91入口 management, 黑料海角91入口 can't manage the users until Entra Connect or Entra Connect Cloud Sync is disabled
  • To disable directory sync:
    • Run PowerShell as administrator
    • Install Powershell Modules if you haven鈥檛 already
    • Run Connect-MgGraph -TenantId 鈥溾�� -Scopes 鈥淥rganization.ReadWrite.All, Directory.ReadWrite.All, Domain.ReadWrite.All, IdentityProvider.ReadWrite.All"
      •  
    • Run Get-MgOrganization | Select-Object DisplayName, OnPremisesSyncEnabled
    • The value for OnPremisesSyncEnabled appears as True or null (empty), meaning True is enabled
  • To disable, run the following cmdlet:

• To verify the change, run Get-MgOrganization | Select-Object DisplayName, OnPremisesSyncEnabled

iOS Considerations

The iOS Mail client supports SSO. If you want to use 黑料海角91入口鈥檚 SSO with the iOS Mail client:

• On the device, navigate to Settings > Mail > Accounts > Exchange
• Enter your email address and a description and click Next
• Click Sign In, this will trigger the Safari redirect to the 黑料海角91入口 User Portal

Creating a new 黑料海角91入口 Application Integration

1. Log in to the .
2. Go to聽USER AUTHENTICATION聽&驳迟;听SSO Applications.
3. Click + Add New Application.
4. Type the name of the application in the Search field and select it.
5. Click Next.
6. In the Display Label, type your name for the application. Optionally, you can enter a Description, adjust the User Portal Image and choose to hide or Show in User Portal.

7. Optionally, expand Advanced Settings to specify a value for the SSO IdP URL. If no value is entered, it will default to https://sso.jumpcloud.com/saml2/<applicationname>.

8. Click Save Application.
9. If successful, click:
   • Configure Application and go to the next section
   • Close to configure your new application at a later time

Configuring the SSO Integration

To configure 黑料海角91入口

1. Log in to .
2. Verify that all users you will use SSO have an immutable ID.
   • Navigate to Identity > Users > All users > {individual user} > Properties
   • Scroll down until you see the On-premises immutable ID field in the right column.
     
3. Log in to the .
4. Create a new application or select it from the Configured Applications list.
5. Select the SSO tab.
6. Replace instances of YOUR_DOMAIN in the IdP Entity ID and Login URL fields with the name of the domain you will be federating.

4. Add any desired additional attributes.
5. Click save.
6. Find Microsoft 365 in the Configured Applications list and click anywhere in the row to reopen the application configuration panel.
7. Select the SSO tab and click Export Metadata.

To regenerate your Microsoft 365 IdP certificate

You can regenerate your M365 IdP certificate at any time.

1. After regenerating the certificate, you must export a new metadata file:
   • In the SSO tab, click Export Metadata.
   • The new metadata file will download to your local Downloads folder.
2. Disable the current configuration:

3. Upload the new metadata file:

To configure Microsoft

Installing Microsoft Powershell Modules

1. Run PowerShell as an administrator. 
2. Install the Microsoft.Graph Module for Windows PowerShell (as referenced in the Prerequisites section):
   • Run Install-Module PowershellGet
   • Answer Y to install the NuGet Provider.
   • Answer A to Answer Yes to All to install from PSGallery.
   • Run Install-Module Microsoft.Graph
3. Modify the PowerShell execution policy to Remote Signed:
   • Run Set-ExecutionPolicy RemoteSigned
   • Answer A to confirm the change to the Execution Policy.
   • Enter your M365 Global Administrator credentials.
4. Install the Microsoft Exchange Online Management module (as referenced in the Prerequisites section):
   • Run Install-Module ExchangeOnlineManagement
   • Answer A to Answer Yes to All to install from PSGallery.

Connecting to the M365 Tenant

1. Connect to the M365 /Entra ID tenant:

Connecting to Exchange

1. Connect to Microsoft Exchange:
   • Run Connect-ExchangeOnline.
   • Enter your M365 Global Administrator credentials.

To enable federation in M365

To enable SSO, enable federation between your 黑料海角91入口 organization and your M365 tenant. The next steps will verify your current configuration and enable this federation. This step will make 黑料海角91入口 your IdP, but some settings will remain within Azure and M365, such as the option to remain logged in. You may set app specific conditional access policies in 黑料海角91入口 that will obligate users to authenticate through MFA or using modern authentication.

1. Verify the current authentication method of your M365 domains:
   • Run Get-MgDomain |  Select Id, AuthenticationType
     • For domains that list the authentication type as Managed, SSO is disabled.
     • For domains that list the authentication type as Federated, SSO is enabled.
2. If you have not, install Microsoft鈥檚 (as referenced in the Prerequisites section):
   • Run Install-Module -Name 黑料海角91入口.Office365.SSO
   • Answer A to Answer Yes to All to install from PSGallery.
3. Verify the current 黑料海角91入口 federation status of your M365 domain:
   • Run Show-黑料海角91入口.Office365.SSO to show the current status of 黑料海角91入口 SSO Federation for a specific domain.
   • At the Domain: prompt, enter your domain name.
   • The result returns the 黑料海角91入口 federation status for the domain provided.

4. Enable Single Sign On (SSO):

5. Verify the change:

6. Disconnect from the Graph connection:

Authorizing User SSO Access

Users are implicitly denied access to applications. After you connect an application to 黑料海角91入口, you need to authorize user access to that application. You can authorize user access from the Application Configuration panel or from the Groups Configuration panel. 

To authorize user access from the Application Configuration panel

1. Log in to the .
2. Go to USER AUTHENTICATION > SSO Applications, then select the application to which you want to authorize user access.
3. Select the User Groups tab. If you need to create a new group of users, see Get Started: User Groups.
4. Select the check box next to the group of users you want to give access.
5. Click save. 

To learn how to authorize user access from the Groups Configuration panel, see Authorize Users to an SSO Application.

Validating SSO user authentication workflow(s)

IdP-initiated user workflow

• Access the
• Go to聽Applications and click an application tile to launch it
• 黑料海角91入口 asserts the user's identity to the SP and is authenticated without the user having to log in to the application

SP-initiated user workflow

• Go聽to the SP application login - generally, there is either a special link or an adaptive username field that detects the user is authenticated through SSO

• Login redirects the user to 黑料海角91入口 where the user enters their 黑料海角91入口 credentials
• After the user is logged in successfully, they are redirected聽back to the SP and automatically logged in

Disabling M365 SSO

1. Run PowerShell as an administrator.
2. Install Powershell Modules if you haven鈥檛 already.
3. Change the directory of your PowerShell session to the location of the 黑料海角91入口 metadata file downloaded in To configure 黑料海角91入口. For example, replace <User> with the active username: cd 鈥淐:\Users\<User>\Downloads鈥�.
4. Run Disable-黑料海角91入口.Office365.SSO -XMLFilePath .\黑料海角91入口-office365-metadata.xml

To delete the application

1. Log in to the .
2. Go to USER AUTHENTICATION > SSO Applications.
3. Search for the application that you鈥檇 like to delete.
4. Check the box next to the application to select it.
5. Click Delete.
6. Enter the number of the applications you are deleting
7. Click Delete Application.
8. If successful, you will see an application deletion confirmation notification.

Troubleshooting