Authenticate to Office365 using VMware Identity Manager

For more information about enabling mobile SSO between AirWatch and VMware Identity Manager, refer to the following knowledge base article: Configuring Mobile Single Sign-On. Additional information can be found in the Office 365 Integration document located here


Getting Started

This guide will walk you through how to configure VMWare Identity Manager to authenticate users accessing Office365 resources. This guide assumes an initial configuration has already been achieve in both Identity Manager and Office365. To go through this with this configuration you will require the following:


  • Identity Manager Requirements
    • Admin access to Identity Manager console.
    • Identity Manager Connector configured in tenant.
    • Integration with Active Directory (LDAP)
  • Office365
    • Admin access to Office365 portal.
    • Registered Office365 domain.
    • Integration with ActiveDirectory (DirSync client)
    • Access to Windows Azure Active Directory Module for Windows Powershell


Configuring Identity Manager Directory Prerequisites

  1.  Login to your Identity Manager  console using admin credentials and navigate to the admin console.
  2. Navigate to the Identity & Access Management. Make sure there is already a configured Directory with a green status check.
  3. Office365 requires IDPs to include the User’s objectGUID as part of the authentication response. You will need to add this as a custom attribute as it is not included by default.
    • From Directories page, click on Setup on the right hand side of the screen. You should now see a new set of tabs.
    • Navigate to the User Attributes tab.
    • Add new custom attribute and type “objectGUID” as the attribute value.
  4. Navigate back to the Directories page and click on the Directory Name which you have configured. From this page, click on Sync Settings.
  5. Navigate to the Mapped Attributes tab. You should a list of the default attributes as well as the custom attribute “objectGUID”
  6. You will need to map the custom attribute to an attribute in Active Directory. Select objectGUID from the drop down. Click Save and close this window.
  7. Click on Sync Now to sync the new attribute with Active Directory
  8. Search for one of your users in Identity Manager. Expand the user details by clicking on Show More. Make sure the objectGUID value has been populated. In order to configure Office365 to authenticate with Identity Manager, you will need to provide Identity Manager's signing certificate.
  9. To obtain the Identity Manager's signing certificate, navigate to the SAML Metadata page by clicking on the Catalog > Settings tab. You will only need to copy the certificate chain without the “Begin Certificate” or “End Certificate” lines.

Configuring Office365 Application in Identity Manager

 Next you need to add the Office365 application to Identity Manager.

  1. Navigate to the catalog page. Identity Manager has a catalog of preconfigure application templates which facilitate the configuration of several SaaS services.
  2. Click on the top right corner on Add Application and choose “Web Application from the cloud application catalog”.
  3. Click on the Office365 Outlook Application.
  4. From the Application Details page you can configure the display name, description or category for this application.
  5. Navigate to the Configuration section on the right hand side.
    • Select “Unspecified (username)” as the Name ID Format.
    • Select “${user.userPrincipalName}  from the selected suggestion dropdown as the Name ID Value
    • Change the Credential Verification option to Active Directory Password.
  6. In the Applications Parameters section you will need to provide a tenant id and issuer id value.
    • For the tenant value, type in the domain registered in Office 365 i.e.
    • The issuer value will need to correspond to the issuer value used during the configuration of the Office365 federated authentication.
  7. In the Entitlements section you can choose entitle this application to any group of users or specific users synced from Active Directory. These users will need to be provisioned and licensed in Office365 for authentication to work.


Configuring Office365 to Authenticate with Identity Manager

Next you need to configure Office365 to authenticate users using Identity Manager. The configuration of this will be done through the Windows Azure Active Directory Module for Windows PowerShell.

  1. Create a session with your Office365 tenant using the following command:
  2. When prompted, enter your Office365 admin credentials.
  3. Verify the domain being used for this has already been registered and verified:
  4. The authentication of the domain being used should be currently set to Managed.
  5. Below you find a template of the values that will need to be supplied to Office365 during the configuration of federated authentication. Modify the values to fit your Office365 and Identity Manager tenants.
    • $dom = "{Office365 Registered Domain}"
    • $brand = "{IDP Display Name}"
    • $ActiveSO = "https:// {Identity Manager Host Url}//SAAS/auth/wsfed/active/logon"
    • $PLUri = "https:// {Identity ManagerHost Url}//SAAS/API/1.0/POST/sso"
    • $IssuerUri = "{Issuer URI}"
    • $Metadata = "https://{Identity Manager Host Url}/SAAS/auth/wsfed/services/mex"
    • $cert = "{Certificate Chain}"
    • $Poff =
    • {Identity Manager Host URL} is the URL for your Identity Manageradmin console i.e
    • {Issuer URI} should be the  same value configuration in the Office365 application in Identity Manager.
    • {Certifcate Chain} should be the certificate chain for the Identity Manager signing certificate. Make sure to include the chain without any line breaks or spaces.
  6. Copy and paste the values in the template into the Powershell session to save all the values to variables within PowerShell.
  7. Once you have verified that all the values have been copied correctly, use the following command to configure your Office365 domain.
    • Set-MsolDomainAuthentication -FederationBrandName $brand -Authentication Federated -PassiveLogOnUri $PLUri -ActiveLogOnUri $ActiveSO -SigningCertificate $cert -IssuerUri $IssuerUri -LogOffUri $Poff -MetadataExchangeUri $Metadata –Preferred AuthenticationProtocol WSFED
  8. Verify that the domain has been correctly configured by using the following command:
  9. Enter your Office365 domain when prompted.
  10. Ensure that the ImmutableID of the users in Office365 matches the objectGUID value of users in Identity Manager:
    get-msoluser –Userprincipalname {UserPrincipalName} | select UserPrincipalName, ImmutableID
  11. Test the configuration by navigating to Enter your user’s email address. This should redirect you to the Identity Manager login screen. When prompted, enter your domain credentials.
Have more questions? Submit a request


Article is closed for comments.