Federation

Federation tells Microsoft 365 to redirect authentication for your domain to BlokSec instead of asking for a password. After federation is configured, users with email addresses on your domain (e.g., jane@yourcompany.com) will see the BlokSec sign-in page when they sign in to any Microsoft 365 application.

Before you begin, make sure:

  • You’ve completed the Application Setup step
  • You have Global Administrator access to your Microsoft Entra ID (Azure AD) tenant
  • Your domain (e.g., yourcompany.com) is verified in your Microsoft 365 tenant
  • The domain is currently set to Managed authentication (not already federated with another provider)

  1. In the BlokSec admin console, open your Microsoft 365 application
  2. Navigate to the Federation tab
  3. Click Configure Federation

Figure: Start the federation wizard (Federation tab in the application settings with a Configure Federation button).

The wizard will ask you to sign in with your Microsoft Entra ID Global Administrator account. This grants BlokSec temporary permission to configure federation settings on your tenant via the Microsoft Graph API.

Figure: Sign in with your Global Administrator account (Microsoft sign-in prompt asking for Global Administrator credentials).

After signing in, the wizard shows your verified domains. Select the domain you want to federate with BlokSec.

Figure: Select the domain to federate (domain selection showing verified domains in the Microsoft 365 tenant).

The wizard shows you exactly what will be configured:

  • Passive sign-in URI — The BlokSec endpoint where Microsoft will redirect users for authentication
  • Issuer URI — The unique identifier BlokSec uses to sign tokens
  • Metadata exchange URI — Where Microsoft retrieves BlokSec’s federation metadata
  • Sign-out URI — Where Microsoft sends users when they sign out
  • Signing certificate — The certificate used to verify BlokSec’s security tokens

Click Apply to execute the configuration. The wizard makes a series of Microsoft Graph API calls to set up federation:

  1. Verifies the domain exists and is verified
  2. Checks for any existing federation configuration
  3. Creates the BlokSec federation configuration
  4. Reads back and verifies the configuration was applied correctly

Figure: Review the configuration before applying (review screen showing the federation configuration that will be applied, with step-by-step Graph API calls).
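
The read-back in step 4 can be repeated independently of the wizard, for example as a periodic check that the domain's federation settings still match what was reviewed. The following is an added example, not BlokSec's code: it audits the JSON returned by Microsoft Graph for the domain (`GET /domains/{id}`) and its federation configuration (`GET /domains/{id}/federationConfiguration`) against the values from the review screen. The `idp.example.test` hosts and the certificate bytes are constructed placeholders, and `audit_federation`, `cert_fingerprint` and `certSha256` are names chosen for this example.

```python
import base64
import hashlib
from urllib.parse import urlsplit

# Graph internalDomainFederation properties for the four URIs on the review screen.
URI_FIELDS = ("passiveSignInUri", "issuerUri", "metadataExchangeUri", "signOutUri")

def cert_fingerprint(b64_der: str) -> str:
    """SHA-256 over the decoded signingCertificate value."""
    return hashlib.sha256(base64.b64decode(b64_der)).hexdigest()

def audit_federation(domain: dict, configs: list, expected: dict) -> list:
    """Return findings; an empty list means the read-back matches `expected`."""
    findings = []
    if not domain.get("isVerified"):
        findings.append("domain is not verified")
    if domain.get("authenticationType") != "Federated":
        findings.append("domain is not federated")
    if len(configs) != 1:
        findings.append(f"expected 1 federation configuration, found {len(configs)}")
        return findings
    cfg = configs[0]
    for field in URI_FIELDS:
        if cfg.get(field) != expected[field]:
            findings.append(f"{field} differs from the reviewed value")
        # issuerUri is an identifier and need not be a URL; the others carry traffic.
        elif field != "issuerUri" and urlsplit(cfg[field]).scheme != "https":
            findings.append(f"{field} is not https")
    if cert_fingerprint(cfg.get("signingCertificate", "")) != expected["certSha256"]:
        findings.append("signingCertificate differs from the reviewed certificate")
    return findings

# Constructed sample data: placeholder host, placeholder bytes instead of a real certificate.
CERT = base64.b64encode(b"constructed-der-bytes").decode()
EXPECTED = {
    "passiveSignInUri": "https://idp.example.test/wsfed/signin",
    "issuerUri": "https://idp.example.test/issuer",
    "metadataExchangeUri": "https://idp.example.test/wsfed/mex",
    "signOutUri": "https://idp.example.test/wsfed/signout",
    "certSha256": cert_fingerprint(CERT),
}
DOMAIN = {"id": "yourcompany.com", "isVerified": True, "authenticationType": "Federated"}
GOOD = {**{f: EXPECTED[f] for f in URI_FIELDS}, "signingCertificate": CERT}
# Same object with a passive sign-in URI that was not on the review screen.
DRIFTED = {**GOOD, "passiveSignInUri": "https://other.example.test/signin"}

if __name__ == "__main__":
    print(audit_federation(DOMAIN, [GOOD], EXPECTED))
    print(audit_federation(DOMAIN, [DRIFTED], EXPECTED))
```

An unexpected finding from this check, especially a changed signing certificate or sign-in URI, is worth correlating with the tenant's audit log for domain federation changes.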

Once the wizard completes, you can verify that federation is working:

  1. Open a private/incognito browser window (to avoid cached sessions)
  2. Go to https://portal.office.com
  3. Enter an email address on your federated domain (e.g., jane@yourcompany.com)
  4. Microsoft should redirect you to the BlokSec sign-in page instead of asking for a password

Figure: Users see the BlokSec sign-in page instead of a password prompt (BlokSec sign-in page shown after Microsoft 365 redirects for a federated domain).

If you need to remove federation and revert to Microsoft-managed authentication:

  1. Open your Microsoft 365 application in the BlokSec admin console
  2. Go to the Federation tab
  3. Click Remove Federation

This reverts the domain to managed authentication, and users will be asked for their Microsoft password again. Federation can be re-added at any time.