website logo
⌘K
Getting Started
Use Cases
Secure, Passwordless Login via Standard Protocols (OIDC, SAML2)
BlokSec for MFA / 2FA
Adding Passwordless Login to your In-House / Custom Application
BlokSec yuID Authenticator App
BlokSec Admin Console
FAQ's
Integrations
Microsoft 365 (Formerly Office 365)
Google Workspace
Salesforce
Slack
Dropbox
CyberArk Privileged Access Manager
IBM Security Verify
Custom OIDC
Custom SAML2
BlokSec SDK Integration (iOS)
Compatibility
Dependencies
Prerequisites
SDK Usage (Initialise)
New User Registration
Authentication
Account Association
Restore/Backup
API Reference
Docs powered by archbee 

Microsoft 365 (Formerly Office 365)

20min

BlokSec can be configured to support passwordless login and user provisioning to Microsoft 365 (a.k.a. Office 365).

The BlokSec <> Microsoft 0365 integration enables authentication via the WS-FED protocol. Configuration involves a few simple steps on both the BlokSec admin UI and Microsoft Azure Active Directory (AAD) using PowerShell.

Authentication

BlokSec Admin UI

  1. Sign into BlokSec admin UI with admin privileges for your tenant
  2. On the main dashboard, click the Add Application drop-down and select Create From Template, and select Microsoft 365
  3. Complete the application details as follows and submit:
    • Name: Microsoft 365 (or your desired application name – we will assume this is called ‘Microsoft 365’ for the remainder of this article)
  4. Click Submit to save the configuration
  5. Select View PS Script and copy the contents to an editor. Update the <domain_name> parameter to the value of your tenant's custom domain.

You can only federate a custom domain (i.e., this is not your <tenant>.onmicrosoft.com domain) and the domain can not be the default domain for the organization.

Domain Federation (PowerShell)

Prerequisites

  • Before you can federate users from Microsoft 365 to BlokSec, you need to add a custom domain to your Microsoft 365 tenant. If you have not done this, please follow these instructions on how to add your domain. Note that the *.onmicrosoft.com domains cannot be federated. Also note that during the addition of the domain (on step 2 of the process), Microsoft 365 will ask if you want to add users, select the option "I don't want to add users right now."
  • You will need to use the Microsoft PowerShell tool. Here are the instructions to install the Microsoft Online Services Sign-In Assistant and the Azure Active Directory Module for Windows PowerShell.

Configuration

  1. In PowerShell, type the following command and enter your administrator credential for your Office 365 tenant when prompted: Connect-MsolService
  2. Once successfully connected, copy the updated version of the PS Script updated with your custom domain from step #5 above and paste / enter in PowerShell command prompt
  3. The provide PS Script follows the federation configuration command with a Get-MsolDomainFederationSettings command that should provide confirmation that the domain was successfully federated with BlokSec for authentication:
    1. Example output from successful command execution
      Example output from successful command execution
      

Troubleshooting

If you receive a message concerning default domain:

Text
|
Set-MsolDomainAuthentication : You cannot remove this domain as the default domain without replacing it with another default domain. Use the the Set-MsolDomain cmdlet to set another domain as the default domain before you delete this domain.


Ensure that the domain being federated is not the Default domain for the organization

  • In the admin center, go to the Settings > Domains page.
  • On the Domains page, select the domain you want to set as the default (note that this cannot be the domain you are federating, so if you have only one custom domain, e.g., company.com, change this back to the Microsoft-provided onmicrosoft.com domain, e.g., company.onmicrosoft.com)
  • Select Set as default

Backing Out To remove the federation from the selected domain, run the command:

PowerShell
|
Set-MsolDomainAuthentication -DomainName <domain_name> -Authentication managed


Provisioning

Azure AD Administration Portal

Create Application

  1. Open a browser and navigate to the Azure Active Directory Admin Center and login using an account with Global Administrator permissions (if your organization is simply subscribing to Microsoft 365 for email and Office applications, this is the same account you use to login to the https://admin.microsoft.com portal)
  2. Select Azure Active Directory in the left-hand navigation, then select App registrations under Manage.
  3. Select New registration. Enter a name for your application, for example, BlokSec Provisioning Integration.
  4. Set Supported account types as Accounts in this organizational directory only.
  5. Leave Redirect URI empty.
  6. Select Register. On the application's Overview page, copy the value of the Application (client) ID, this is your client_id that you will need it in the next step.
  7. Select Authentication under Manage. Locate the Advanced settings section and change the Allow public client flows toggle to Yes, then choose Save.

Configure API Permissions

Note: This section requires a work/school account with the Global administrator role (this would be the first account you created when subscribing to Microsoft 365).

  1. Select API permissions under Manage.
  2. Remove the default User.Read permission under Configured permissions by selecting the ellipses (...) in its row and selecting Remove permission.
  3. Select Add a permission, then Microsoft Graph.
  4. Select Application permissions.
  5. Select User.ReadWrite.All, then select Add permissions.
  6. Select Grant admin consent for..., then select Yes to provide admin consent for the selected permission.
  7. Select Certificates and secrets under Manage, then select New client secret.
  8. Enter a description, choose a duration, and select Add.
  9. Copy the secret from the Value column, this is your client_secret that you will need it in the next steps.

BlokSec Admin UI

  1. Sign into BlokSec admin UI with admin privileges for your tenant
  2. Select your Microsoft 365 application then edit the configuration (top right cog icon > Edit Application)
  3. Go to the provisioning tab
  4. Check the Enable provisioning checkbox
  5. Enter the following JSON data into the Properties (JSON) text area:
JS
|
{
  "client_id": "<client_id>",
  "client_secret": "<client_secret>",
  "tenant_domain": "<domain_name>"
}

Example provisioning configuration
Example provisioning configuration

  • Click Submit

Your domain is now configured to accept users provisioned via BlokSec.

Creating Users and Assigning Licenses

BlokSec Admin UI

  1. Log into the BlokSec Admin UI with an admin user
  2. Navigate to Applications > Microsoft 365 > (Cog menu) > Create Account
  3. Fill in the user's details. Note that Email will be used to send the registration, and Account Name is the new Microsoft 365 account name. For new users who do not have access to their Microsoft 365 email inbox to retrieve the registration email yet (they must first register with BlokSec to be able to login) we recommend using the secondary / personal email address for Email
Create Account example
Create Account example


Microsoft 365 Admin Center

  1. Log into the Microsoft 365 Admin Center as an administrative user
  2. Select the user who was created above
  3. Select the Licenses and apps tab
  4. Select the Microsoft 365 license type you would like added to the new user
Example M365 license application
Example M365 license application




Updated 20 Apr 2023
Did this page help you?
Yes
No
PREVIOUS
FAQ's
NEXT
Google Workspace
Docs powered by archbee 
TABLE OF CONTENTS
Authentication
BlokSec Admin UI
Domain Federation (PowerShell)
Prerequisites
Configuration
Troubleshooting
Provisioning
Azure AD Administration Portal
Create Application
Configure API Permissions
BlokSec Admin UI
Creating Users and Assigning Licenses
BlokSec Admin UI
Microsoft 365 Admin Center