Office 365

Introduction

Set up the PowerShell environment

Install-Module MSOnline

The federation commands in this section use the MSOnline module, which Microsoft has deprecated in favour of the Microsoft Graph PowerShell SDK (the user scripts further down already use Microsoft Graph).

Connect to Azure AD

Connect-MsolService

Change Office 365 federation settings

$cert = "MIIDXXX...XXXZWCxicZzKAgV"

The contents of the certificate (the Base64 body, as shown in $cert above) are available on the setup page of your Trustelem application. Replace mydomain.com and the 34XXX application identifier with your own values.

$FederationBrandName = "mydomain.com"
# Reset the domain to managed first so that any previous federation settings are cleared
Set-MsolDomainAuthentication -DomainName mydomain.com -Authentication Managed
Set-MsolDomainAuthentication -DomainName mydomain.com `
    -FederationBrandName             $FederationBrandName `
    -Authentication                  Federated `
    -PassiveLogOnUri                 https://mydomain.trustelem.com/app/34XXX/sso `
    -SigningCertificate              $cert `
    -IssuerUri                       https://mydomain.trustelem.com/app/34XXX/mydomain.com `
    -LogOffUri                       https://mydomain.trustelem.com/app/34XXX/slo `
    -PreferredAuthenticationProtocol SAMLP
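To confirm that the change took effect, the following check is an added example written for this page (not Trustelem's or Microsoft's own script). It reads back what Azure AD stores for the domain with the same MSOnline cmdlets, compares it with the intended values, and inspects the signing certificate. It assumes an active Connect-MsolService session, the $cert variable, and the domain and URL values from the commands above; replace them with your own.

```powershell
# Added verification example: not part of the original page.
# Assumptions: Connect-MsolService has been run, $cert holds the Base64 certificate body
# from Trustelem, and the domain and URLs match the Set-MsolDomainAuthentication call above.
$DomainName = "mydomain.com"
$Expected = @{
    IssuerUri                       = "https://mydomain.trustelem.com/app/34XXX/mydomain.com"
    PassiveLogOnUri                 = "https://mydomain.trustelem.com/app/34XXX/sso"
    LogOffUri                       = "https://mydomain.trustelem.com/app/34XXX/slo"
    PreferredAuthenticationProtocol = "Samlp"
    SigningCertificate              = $cert
}

# 1. The domain itself must be federated, not managed
$domain = Get-MsolDomain -DomainName $DomainName
if ("$($domain.Authentication)" -ne "Federated") {
    Write-Warning "$DomainName is '$($domain.Authentication)', not Federated"
}

# 2. Every stored setting must match what was configured (case-insensitive string comparison)
$settings = Get-MsolDomainFederationSettings -DomainName $DomainName
$mismatches = 0
foreach ($key in $Expected.Keys) {
    $actual = "$($settings.$key)"
    if ($actual -ieq "$($Expected[$key])") {
        Write-Output "OK       $key"
    } else {
        $mismatches++
        Write-Warning "MISMATCH $key`n  expected: $($Expected[$key])`n  actual:   $actual"
    }
}

# 3. Decode the stored signing certificate. Azure AD only accepts SAML responses signed with
#    SigningCertificate (or NextSigningCertificate), so an expired or replaced IdP certificate
#    locks every federated user out.
$certBytes = [Convert]::FromBase64String($settings.SigningCertificate)
$x509 = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($certBytes)
Write-Output ("Signing cert: subject={0} thumbprint={1} notAfter={2:u}" -f $x509.Subject, $x509.Thumbprint, $x509.NotAfter)
$daysLeft = [int]($x509.NotAfter - (Get-Date)).TotalDays
if ($daysLeft -lt 30) {
    Write-Warning "Signing certificate expires in $daysLeft days: rotate it in Trustelem and re-run Set-MsolDomainAuthentication"
}
if ($settings.NextSigningCertificate) {
    Write-Output "A NextSigningCertificate is also configured (rollover pending)"
}

if ($mismatches -eq 0) {
    Write-Output "Federation settings for $DomainName match the expected configuration"
}
```

Run it once right after the Set-MsolDomainAuthentication call and again whenever the Trustelem certificate is renewed; a thumbprint that differs from the one shown on the Trustelem setup page means the federation still points at the old key.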

Note for Azure AD users

⚠️ Using an external IdP like Trustelem (via SAML) to federate Azure AD / Office 365 for users that exist only in the cloud leads to several critical issues and is strongly discouraged.

The consequences are the following:

PowerShell script example to add onPremisesImmutableId to existing users (with SAML federation, Azure AD matches the NameID sent by the IdP against this value, which cloud-only users do not have):

# Install the Microsoft Graph PowerShell module
Install-Module Microsoft.Graph -Scope CurrentUser

# Connect to Microsoft Graph with the necessary scopes
Connect-MgGraph -Scopes "User.ReadWrite.All", "Directory.AccessAsUser.All"

# Replace with your temporary fallback domain (e.g., yourdomain.onmicrosoft.com).
# onPremisesImmutableId cannot be set while the UPN is on a federated domain,
# so each user is moved to this managed domain for the duration of the update.
$tmpDomain = "yourdomain.onmicrosoft.com"

# Retrieve all cloud-only member users who don't have an OnPremisesImmutableId set.
# OnPremisesImmutableId, OnPremisesSyncEnabled and UserType are not returned by default,
# so they must be requested with -Property; without it the filter would match every user.
# Accounts synced by Azure AD Connect already have an ImmutableId owned by the sync, and
# guests are not federated, so both are excluded.
$users = Get-MgUser -All -Property Id,UserPrincipalName,UserType,OnPremisesImmutableId,OnPremisesSyncEnabled |
    Where-Object { $_.UserType -eq 'Member' -and -not $_.OnPremisesImmutableId -and -not $_.OnPremisesSyncEnabled }

foreach ($user in $users) {
    $currentUPN = $user.UserPrincipalName
    $initialDomain = $currentUPN.Split("@")[1]
    $newUPN = $currentUPN.Replace("@$initialDomain", "@$tmpDomain")

    try {
        # Temporarily change UPN to a domain that allows ImmutableId update
        Update-MgUser -UserId $user.Id -UserPrincipalName $newUPN -ErrorAction Stop

        # Generate a new unique ImmutableId (Base64-encoded GUID). The IdP must send
        # exactly this value as the SAML NameID for the user.
        $newImmutableId = [System.Convert]::ToBase64String([Guid]::NewGuid().ToByteArray())

        # Assign the ImmutableId to the user
        Update-MgUser -UserId $user.Id -OnPremisesImmutableId $newImmutableId -ErrorAction Stop
        Write-Output "$currentUPN -> $newImmutableId"
    }
    catch {
        Write-Warning "Failed to update $currentUPN : $_"
    }
    finally {
        # Always revert UPN back to the original domain, even if the ImmutableId update failed
        Update-MgUser -UserId $user.Id -UserPrincipalName $currentUPN
    }
}

# List users who still don't have an ImmutableId (if any)
$usersWithoutImmutableId = Get-MgUser -All -Property UserPrincipalName,UserType,OnPremisesImmutableId,OnPremisesSyncEnabled |
    Where-Object { $_.UserType -eq 'Member' -and -not $_.OnPremisesImmutableId -and -not $_.OnPremisesSyncEnabled } |
    Select-Object UserPrincipalName

Write-Output "Users without OnPremisesImmutableId:"
$usersWithoutImmutableId.UserPrincipalName
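Before and after running the script above it is useful to know which accounts actually need an ImmutableId and which already have a usable one. The following read-only audit is an added example written for this page (not Trustelem's or Microsoft's own script). It assumes a Microsoft Graph session, that mydomain.com (from the federation section) is the federated domain, and that ImmutableIds follow the Base64-encoded 16-byte GUID format the script above generates; the CSV path is arbitrary.

```powershell
# Added read-only audit example: not part of the original page.
# Assumptions: Microsoft.Graph module installed, mydomain.com is the federated domain
# (taken from the federation section), and ImmutableIds follow the Base64 16-byte GUID
# format generated by the script above. The CSV path is arbitrary.
Connect-MgGraph -Scopes "User.Read.All"
$FederatedDomain = "mydomain.com"

# True when the value decodes to exactly 16 bytes (a GUID), as produced by the script above
# and by Azure AD Connect (Base64 of the on-premises objectGUID).
function Test-ImmutableIdFormat {
    param([string]$Value)
    try   { return ([Convert]::FromBase64String($Value).Length -eq 16) }
    catch { return $false }
}

function Get-ImmutableIdCategory {
    param($User)
    if ($User.UserType -ne 'Member')      { return 'Guest: not federated, skip' }
    if ($User.OnPremisesSyncEnabled)      { return 'Synced from AD: ImmutableId owned by AD Connect' }
    if (-not $User.OnPremisesImmutableId) { return 'Cloud-only, NO ImmutableId: SAML NameID cannot match' }
    if (-not (Test-ImmutableIdFormat $User.OnPremisesImmutableId)) { return 'Cloud-only, ImmutableId is not a Base64 GUID' }
    return 'Cloud-only, ImmutableId OK'
}

# These properties are not in Get-MgUser's default set and must be requested explicitly
$report = Get-MgUser -All -Property Id,UserPrincipalName,UserType,OnPremisesImmutableId,OnPremisesSyncEnabled |
    ForEach-Object {
        [pscustomobject]@{
            UserPrincipalName = $_.UserPrincipalName
            OnFederatedDomain = ($_.UserPrincipalName.Split('@')[1] -ieq $FederatedDomain)
            ImmutableId       = $_.OnPremisesImmutableId
            Category          = Get-ImmutableIdCategory $_
        }
    }

# Summary per category, then the accounts on the federated domain that still need attention
$report | Group-Object Category | Select-Object Count, Name | Format-Table -AutoSize
$report | Where-Object { $_.OnFederatedDomain -and $_.Category -like 'Cloud-only, *' -and $_.Category -notlike '*OK' } |
    Format-Table UserPrincipalName, Category -AutoSize

# Export the UPN -> ImmutableId mapping of federated users so the IdP can be configured
# to send the ImmutableId as the SAML NameID for each of them
$report | Where-Object { $_.OnFederatedDomain -and $_.ImmutableId } |
    Select-Object UserPrincipalName, ImmutableId |
    Export-Csv -Path .\immutableid-mapping.csv -NoTypeInformation
Disconnect-MgGraph
```

Because it only reads the directory, it can be run in production with the User.Read.All scope alone; an account listed under "NO ImmutableId" after the update script has run is one the script skipped or failed on and should be checked individually.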

PowerShell script example to create a new user with onPremisesImmutableId:

Connect-MgGraph -Scopes "User.ReadWrite.All", "Directory.AccessAsUser.All"

# Password profile as plain hashtable. Replace the temporary password with a generated value;
# the user is forced to change it at first sign-in.
$passwordProfile = @{
    Password = "TemporaryPassword123!"
    ForceChangePasswordNextSignIn = $true
}

# Build full user creation parameters in a hashtable (safe and readable)
$params = @{
    DisplayName       = "Peter Doe"
    GivenName         = "Peter"
    Surname           = "Doe"
    # Create the user on the managed onmicrosoft.com domain first: the ImmutableId cannot be set on a federated UPN
    UserPrincipalName = "peter.doe@your_domain.onmicrosoft.com"
    MailNickname      = "peterdoe"
    PasswordProfile   = $passwordProfile
    AccountEnabled    = $true
}

try {
    # Create user
    $newUser = New-MgUser @params -ErrorAction Stop

    # Assign the ImmutableId (Base64-encoded GUID, to be sent as SAML NameID by the IdP),
    # then switch the UPN to the federated domain
    $immutableId = [System.Convert]::ToBase64String([Guid]::NewGuid().ToByteArray())
    Update-MgUser -UserId $newUser.Id -OnPremisesImmutableId $immutableId -ErrorAction Stop
    Update-MgUser -UserId $newUser.Id -UserPrincipalName "peter.doe@your_federated_domain.fr" -ErrorAction Stop
    Write-Output "Created user $($newUser.Id) with ImmutableId $immutableId"
}
catch {
    # If creation fails nothing else runs; if a later step fails the user is left on the
    # onmicrosoft.com domain and must be fixed by hand
    Write-Error "User creation or update failed: $_"
}
finally {
    Disconnect-MgGraph
}



Revision #6
Created 1 July 2022 09:03:03 by WALLIX Admin
Updated 1 April 2025 09:59:26 by WALLIX Admin