WS-Federation integration for Office 365 login
Overview
This guide will assist you in configuring the WS-Federation tile within the Evo Portal as part of the integration process with Microsoft Entra ID (formerly Azure AD). By completing this setup, you will establish a trust relationship that enables seamless single sign-on (SSO) functionality between the Evo Portal and your federated domain. The process involves registering and configuring the WS-Federation endpoint, aligning the necessary metadata, and completing domain federation within Entra ID to ensure secure and streamlined authentication for users across platforms.
Setup WS-Federation Application
Step 1: Create and save the WS-Federation application within the appropriate tenant & directory in the Evo Portal. This action initiates the federation setup by establishing a trust relationship between the Evo platform and Microsoft Entra ID (formerly Azure AD).
- Select the tenant you want to link from the left side menu.
- Select Applications from the left nav menu.
- In the Applications view, select New in the upper right.

Select the Office 365 WS-Federation App Card

Now the Office 365 WS-Federation App card will be present

Click Save in the bottom right so the application is created in the same directory as your Entra ID (Azure AD) environment.
Note: These default values are what we have tested to work and should not need to be edited.

After saving you'll now see your Office 365 (WS-Federation) Application under Applications.

Once saved, you can return to your application and click on "Setup Instructions" in the top right corner to generate the script needed for configuration within Entra ID (Azure AD).

This action will generate a script that can be used within Entra ID (formerly Azure AD) to complete the WS-Federation configuration. The script corresponds to the steps outlined in the following section, titled "Federation."
Caution: Running the script federates the domain immediately. Complete the fallback-domain and break-glass checks in the Federation section before you run it.
Federation
Step 2: Once the application has been successfully created and you’ve retrieved the configuration script from the Setup Instructions, proceed to federate your domain within Microsoft Entra ID (formerly Azure AD). This step establishes the necessary federation settings to enable authentication through WS-Federation.
Federation Steps
Establish Fallback Domain
Make sure the primary domain on your tenant is set to the fallback domain, e.g. yourdomain.onmicrosoft.com, instead of the domain you are about to federate.
Note: Once the domain is federated, any account not included in the Evo group associated with the federated domain may be unable to log in. To avoid lockout, we strongly recommend keeping a break-glass administrator account under the yourdomain.onmicrosoft.com domain, outside of the federated domain, and confirming you can sign in with it before federating.

Federate your domain
1. Using an administrative PowerShell window, install the Microsoft Graph PowerShell module and connect to Microsoft Graph with the scopes the federation cmdlets need:
Install-Module Microsoft.Graph
Connect-MgGraph -Scopes "Domain.ReadWrite.All", "Directory.AccessAsUser.All", "User.Read.All", "Group.ReadWrite.All"
2. When prompted, sign in with an administrator account on your fallback domain, e.g. admin@yourdomain.onmicrosoft.com, not with an account on the domain you are about to federate. Domain.ReadWrite.All is required to create the federation configuration, and Directory.AccessAsUser.All is required later to change the domain's authentication type back to Managed. Once sign-in completes, you are connected to Microsoft Graph.
3. Open your Evo Security environment, e.g. https://yourcompany.evosecurity.com, and log in. Once logged in, locate the "Applications" page. This page can be found under "My Company" or under another customer.
4. Once on the Applications page, click the Office 365 (WS-Federation) Integration tile.

5. You will now see the script you need to run. There is a variable you need to change, so click the "Copy Script" and paste it to notepad or any other text editor of your choice.
NOTE: You can ignore the commented out section near the top of the script. These comments are for informational purposes only.
6. In your text editor, locate this line near the top of the script:
$dom = "yourdomain.com"
Change "yourdomain.com" to the name of the custom domain you wish to federate in Entra ID, leaving the quotation marks in place so the value stays a string.
7. Copy and paste only the $dom = "..." line into the PowerShell window and run it. You have now set the domain variable for your domain.

8. Copy the lines beginning with $MySigningCert = ... and ending with the final quotation mark after -----END CERTIFICATE-----. Paste those lines into your Powershell window and execute that statement. You have now set the variable for the signing certificate.

9. Finally, run the rest of the script by copying and pasting the lines beginning with New-MgDomainFederationConfiguration and ending with enforceMfaByFederatedIdp into your Powershell window. After executing the statements you just pasted, your domain should be federated.

10. To confirm if your domain has been federated, run this command:
Get-MgDomain
You should see the list of domains in your tenant, and the domain you chose should now show "Federated" as its AuthenticationType.
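As an added example (not Evo's generated script), the PowerShell below wraps the pre-flight checks this section asks for (fallback domain is primary, a break-glass Global Administrator exists on it, the target domain is verified and not yet federated) and the verification in step 10, plus an inspection of the signing certificate Entra ID stored. It assumes you are in the same session as Connect-MgGraph from step 1; $dom, $fallback and the Evo-script variable $MySigningCert are placeholders for your tenant, and the Global Administrator role template ID is Microsoft's fixed value.

```powershell
# Added example, not part of Evo's generated script. Run in the same session as
# Connect-MgGraph (step 1). $dom and $fallback are placeholders for your tenant.
Import-Module Microsoft.Graph.Identity.DirectoryManagement

$dom      = "yourdomain.com"                # custom domain you are about to federate
$fallback = "yourdomain.onmicrosoft.com"    # fallback (primary) domain

# Parse the PEM/base64 certificate value from the Evo script ($MySigningCert) or the
# SigningCertificate stored in Entra ID, and return thumbprint and expiry.
function Get-SigningCertInfo {
    param([Parameter(Mandatory)][string]$CertBase64)
    $b64  = ($CertBase64 -replace '-----(BEGIN|END) CERTIFICATE-----', '') -replace '\s', ''
    $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new(
                [Convert]::FromBase64String($b64))
    [pscustomobject]@{
        Subject    = $cert.Subject
        Thumbprint = $cert.Thumbprint
        NotAfter   = $cert.NotAfter
        DaysLeft   = [int]($cert.NotAfter - (Get-Date)).TotalDays
    }
}

# Pre-flight: verified target domain, fallback domain is primary, break-glass GA exists.
function Test-FederationPrereqs {
    param([string]$FederatedDomain, [string]$FallbackDomain)
    $ok = $true
    $domains = Get-MgDomain -All

    $target = $domains | Where-Object { $_.Id -eq $FederatedDomain }
    if (-not $target -or -not $target.IsVerified) {
        Write-Warning "$FederatedDomain is missing or not verified in this tenant"; $ok = $false
    } elseif ($target.AuthenticationType -eq 'Federated') {
        Write-Warning "$FederatedDomain is already Federated; inspect it with Show-FederationState first"; $ok = $false
    }

    $default = $domains | Where-Object { $_.IsDefault }
    if ($default.Id -ne $FallbackDomain) {
        Write-Warning "Primary domain is $($default.Id); make $FallbackDomain primary before federating"; $ok = $false
    }

    # Global Administrator role template ID (fixed across tenants).
    $gaTemplate = '62e90394-69f5-4237-9190-012177145e10'
    $ga = Get-MgDirectoryRole -All | Where-Object { $_.RoleTemplateId -eq $gaTemplate }
    $breakGlass = Get-MgDirectoryRoleMember -DirectoryRoleId $ga.Id -All |
        ForEach-Object { $_.AdditionalProperties['userPrincipalName'] } |
        Where-Object { $_ -like "*@$FallbackDomain" }
    if (-not $breakGlass) {
        Write-Warning "No Global Administrator has a UPN under $FallbackDomain; create a break-glass account first"; $ok = $false
    } else {
        Write-Host "Break-glass candidates on ${FallbackDomain}: $($breakGlass -join ', ')"
    }
    return $ok
}

# Post-run: confirm AuthenticationType and show what Entra ID stored from the script.
function Show-FederationState {
    param([string]$FederatedDomain)
    $d = Get-MgDomain -DomainId $FederatedDomain
    Write-Host "$($d.Id): AuthenticationType = $($d.AuthenticationType)"
    if ($d.AuthenticationType -eq 'Federated') {
        $fc = Get-MgDomainFederationConfiguration -DomainId $FederatedDomain
        $fc | Select-Object IssuerUri, PassiveSignInUri, PreferredAuthenticationProtocol,
                            FederatedIdpMfaBehavior | Format-List
        $info = Get-SigningCertInfo -CertBase64 $fc.SigningCertificate
        Write-Host "Signing cert $($info.Thumbprint) expires $($info.NotAfter) ($($info.DaysLeft) days left)"
    }
}

if (Test-FederationPrereqs -FederatedDomain $dom -FallbackDomain $fallback) {
    Write-Host "Pre-flight passed; now run the `$MySigningCert and New-MgDomainFederationConfiguration lines from the Evo script."
    # Get-SigningCertInfo -CertBase64 $MySigningCert   # check thumbprint/expiry before you submit it
}
Show-FederationState -FederatedDomain $dom
```

Run Test-FederationPrereqs before step 8, paste the Evo script's certificate and New-MgDomainFederationConfiguration lines, then run Show-FederationState in place of the bare Get-MgDomain in step 10; the thumbprint it prints should match the certificate the Evo portal gave you, and the expiry date is the one to track for certificate rotation.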

Configure Evo to use federated domain during user syncing.
1. To setup the application and complete a sync, please see the article below. If you've already done so, please move to Step 2.

2. In the "Azure AD Federation Settings" section, enter your fallback and federated domains.
Ex: Azure AD Fallback Domain: yourdomain.onmicrosoft.com
Azure AD Federated Domain: yourdomain.com (the custom domain you federated earlier)

3. After entering all information, please click on "Complete Sync", it will take from 12 to 30 minutes for Microsoft to complete a sync cycle.
Completion
Once the sync process is completed, you can go to Users tab and check your user accounts have been synced over. Please note a couple things below.
a. Existing users on your domain are synced over exactly as they exist in Entra ID; nothing changes for them (ex: user@yourdomain.com).
b. You can no longer create new accounts directly on the federated domain; new accounts must be created as user@yourdomain.onmicrosoft.com. Because the Evo setup is complete, Evo converts user@yourdomain.onmicrosoft.com to user@yourdomain.com during the sync and updates the account in Entra ID.
Creating User Accounts after Federation
Please see the example process below for creating a new account after federating.
1. Create a new user as user@yourdomain.onmicrosoft.com in Entra ID.
2. Add the user to the Evo Sync Group (the group you selected during the User Provisioning process; see step 1 above).
3. Wait for the sync cycle to complete. You will then see the new user as user@yourdomain.com in both Evo and Entra ID: Evo has synced the new user into the Evo portal and updated the UPN in Entra ID automatically.
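As an added example (not Evo's own code), the PowerShell below performs the three steps above from the Graph side: it creates the user on the fallback domain, adds it to the sync group, and then polls until the sync has rewritten the UPN onto the federated domain. The group name, alias, display name and domains are placeholders, and it assumes a Connect-MgGraph session holding User.ReadWrite.All and Group.ReadWrite.All (User.Read.All alone cannot create users).

```powershell
# Added example, not Evo's own code: create a user on the fallback domain, add it to
# the Evo sync group, then wait for the sync to rewrite the UPN onto the federated domain.
# Requires Connect-MgGraph with User.ReadWrite.All and Group.ReadWrite.All.
# Group name, alias and domains are placeholders.
Import-Module Microsoft.Graph.Users, Microsoft.Graph.Groups

$fallback  = "yourdomain.onmicrosoft.com"
$federated = "yourdomain.com"
$syncGroup = "Evo Sync Group"      # the group chosen during user provisioning

function New-PostFederationUser {
    param([string]$Alias, [string]$DisplayName, [string]$FallbackDomain, [string]$SyncGroupName)
    $upn = "$Alias@$FallbackDomain"   # federated-domain UPNs can no longer be created directly

    # Random initial password; ForceChangePasswordNextSignIn makes it single-use.
    $bytes = New-Object byte[] 24
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    $initialPassword = [Convert]::ToBase64String($bytes) + '!'

    $user = New-MgUser -DisplayName $DisplayName -UserPrincipalName $upn -MailNickname $Alias `
        -AccountEnabled:$true `
        -PasswordProfile @{ Password = $initialPassword; ForceChangePasswordNextSignIn = $true }

    $group = Get-MgGroup -Filter "displayName eq '$SyncGroupName'"
    if (-not $group) { throw "Sync group '$SyncGroupName' not found; was user provisioning completed?" }
    New-MgGroupMember -GroupId $group.Id -DirectoryObjectId $user.Id
    return $user
}

# Poll until Evo's sync has rewritten the UPN (12 to 30 minutes per the steps above).
function Wait-UpnRewrite {
    param([string]$UserId, [string]$FederatedDomain, [int]$TimeoutMinutes = 45)
    $deadline = (Get-Date).AddMinutes($TimeoutMinutes)
    do {
        $u = Get-MgUser -UserId $UserId -Property Id, UserPrincipalName
        if ($u.UserPrincipalName -like "*@$FederatedDomain") { return $u }
        Start-Sleep -Seconds 120
    } while ((Get-Date) -lt $deadline)
    throw "UPN still $($u.UserPrincipalName) after $TimeoutMinutes minutes; check the sync in the Evo portal"
}

$new = New-PostFederationUser -Alias 'jdoe' -DisplayName 'Jane Doe' -FallbackDomain $fallback -SyncGroupName $syncGroup
Write-Host "Created $($new.UserPrincipalName) and added it to '$syncGroup'; waiting for the Evo sync..."
$synced = Wait-UpnRewrite -UserId $new.Id -FederatedDomain $federated
Write-Host "Synced: $($synced.UserPrincipalName)"
```

The initial password is never handed to the user: once the UPN moves to the federated domain, sign-in is redirected to Evo, so the password exists only to satisfy account creation and is forced to change if it is ever used.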


Defederating your domain
Defederation is easy! Make sure you are still connected to Microsoft Graph (Connect-MgGraph) and run this PowerShell command:
Update-MgDomain -DomainId <domain name> -AuthenticationType "Managed"
(Replace <domain name> with the name of the domain you federated. Changing the authentication type requires the Directory.AccessAsUser.All scope requested during Connect-MgGraph.)
You should now be defederated. Once the domain is back to Managed, Microsoft Entra ID authenticates its users directly again, so affected accounts need a usable cloud password.
Note: Sometimes the federation process takes longer than expected; please be patient. It can take 30 to 60 minutes. One symptom is that signing in to Microsoft does not redirect to the Evo login page, yet users also cannot sign in to Microsoft directly. This means the federation change is still propagating.
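As an added example (not Evo's own code), the PowerShell below wraps the Update-MgDomain command above in the checks a practitioner wants before rolling back: it confirms the session holds the Directory.AccessAsUser.All scope, confirms the domain is actually Federated, saves the current federation settings to a JSON file so they can be re-created if the rollback was a mistake, and then polls Get-MgDomain until Entra ID reports Managed. The domain name and backup path are placeholders.

```powershell
# Added example, not Evo's own code: guarded rollback of the federation. Checks the
# session scope needed to change authenticationType, backs up the current federation
# settings, converts the domain, then polls until Entra ID reports Managed.
Import-Module Microsoft.Graph.Identity.DirectoryManagement

function Remove-DomainFederation {
    param([Parameter(Mandatory)][string]$DomainId, [int]$TimeoutMinutes = 60)

    $ctx = Get-MgContext
    if (-not $ctx) { throw "Not connected; run Connect-MgGraph first" }
    if ($ctx.Scopes -notcontains 'Directory.AccessAsUser.All') {
        throw "Session lacks Directory.AccessAsUser.All; reconnect with that scope"
    }

    $d = Get-MgDomain -DomainId $DomainId
    if ($d.AuthenticationType -ne 'Federated') {
        Write-Host "$DomainId is already $($d.AuthenticationType); nothing to do"
        return $d
    }

    # Keep the federation settings (issuer, sign-in URIs, signing cert) so they can be
    # re-created with New-MgDomainFederationConfiguration if the rollback was a mistake.
    $backupPath = Join-Path $PWD "$DomainId-federation-backup.json"
    Get-MgDomainFederationConfiguration -DomainId $DomainId |
        ConvertTo-Json -Depth 5 | Set-Content -Path $backupPath
    Write-Host "Saved federation settings to $backupPath"

    Update-MgDomain -DomainId $DomainId -AuthenticationType "Managed"

    $deadline = (Get-Date).AddMinutes($TimeoutMinutes)
    do {
        Start-Sleep -Seconds 60
        $d = Get-MgDomain -DomainId $DomainId
    } until ($d.AuthenticationType -eq 'Managed' -or (Get-Date) -gt $deadline)

    if ($d.AuthenticationType -ne 'Managed') {
        Write-Warning "$DomainId still reports $($d.AuthenticationType) after $TimeoutMinutes minutes"
    }
    return $d
}

Remove-DomainFederation -DomainId "yourdomain.com"   # placeholder domain
```

The backup file contains only the public signing certificate and endpoint URIs, not secrets, but treat it as change-control evidence and keep it with the ticket for the rollback.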