Federate Office 365 to Workspace ONE Access in 15 minutes

I got a question from a customer if they can leverage VMware’s MFA technology (Verify) to secure access to their Office 365 environment. Which of course they can, but they were even more curious if they can do it without the Azure Active Directory P1 license. And the answer is again yes.

What the customer needs to do is to federate the authentication of their O365 environment to Workspace ONE Access tenant and then they can leverage the great conditional access we have (including MFA) to secure their environment.

I thought that it would be a good example to show them, how simple and quick it is to federate a blank O365 tenant with Workspace Access.

Theory

First, let’s check theoretically if this is possible. For my lab, I am paying for the Microsoft 365 Business Standard, which means I get the Azure AD for Office 365 license edition. And sure I do have it:

If we take a look into what’s possible with this edition, we see that the federation is all edition (Premium is not required).

Theory works, so let’s configure it. We will be following the official white paper from 2019 (https://www.vmware.com/pdf/vidm-office365-saml.pdf), which is still more or less valid.

Assumptions

I am assuming that we have a Workspace ONE Access environment up and running as well as integrated using connector with the on-prem Active Directory.

Also, I do assume that we have the domain we will be using configured and verified in AAD, and synchronization between AAD and on-prem Active Directory is working fine.

Keep in mind that I am doing this in a lab environment so I don’t care about security or other important things you would typically need to worry about in production.

Create the app in Workspace ONE Access

We will need to tell Workspace ONE Access about Office 365. Luckily for us, this app has a template in the application catalog. So you can just go to Catalog > Add and click on “or browse from the catalog” and search for Office365 with Provisioning.

Most of the fields will be pre-populated for you. You just need to pay attention to the section with Application Parameters:

The tenant should be the domain you will be using and the issuer can be anything (but unique for O365) I like to put there the FQDN of the Workspace ONE Access instance.

Save everything and don’t forget to assign some users to this application.

Get the Workspace ONE Access signing cert

We will need to get the signing cert of this instance of Workspace ONE. To get to it, click on the “Catalog” top-level menu and then on the “Settings” button.

Under SAML metadata section, you can find the Signing certificate. Copy it somewhere for later.

PowerShell time

Let’s connect to the O365 tenant.

Connect-MSolService

If your PowerShell does not know this command you would need to install the MSOnline module first.

Install-Module MSOnline

The last part is done via a single (but very long) PowerShell command. It will be one long line but for the readability, I broke it down and it should look like this:

Set-MsolDomainAuthentication 
	-Authentication Federated
	-DomainName minarik.io
	-IssuerUri aw-minarik-io.vmwareidentity.eu 
	-FederationBrandName MINARIK-IO 
	-PassiveLogOnUri https://aw-minarik-io.vmwareidentity.eu:443/SAAS/API/1.0/POST/sso 
	-ActiveLogOnUri https://aw-minarik-io.vmwareidentity.eu:443/SAAS/auth/wsfed/active/logon 
	-LogOffUri https://login.microsoftonline.com/logout.srf 
	-MetadataExchangeUri https://aw-minarik-io.vmwareidentity.eu:443/SAAS/auth/wsfed/services/mex 
	-SigningCertificate MIIFH.......fxrSRzKtJo9pxu7+aSQ1eID1EQfVbWtKXa7P320I56Yyb5nKxPXmq4A==

Couple of comments:

  • DomainName is the domain you want to federate (it should match what you set in the Workspace ONE Access application configuration)
  • IssueUrl can be anything, but it should match the same thing you set in the Workspace ONE Access application configuration
  • FederationBrandName can be anything, this is typically your company name
  • PassiveLogOnUri/ActiveLogOnUri/MetadataExchangeUri just replace aw-minarik-io.vmwareidentity.eu with the FQDN of your Workspace ONE Access instance.
  • SigningCertificate here you should paste the signing cert from Workspace ONE Access, make it a single long line without any line breaks or spaces. Remove the —-BEGIN CERTIFICATE—- and —-END CERTIFICATE— tags.

Hit enter. You should see no errors. Now if you check in the AAD console you should see that the domain is marked as federated.

That’s it. If you navigate to https://portal.office.com and enter your email address from this domain, you should be redirected to Workspace ONE Access for authentication and of course, conditional access / MFA can be enforced.