Target
This article is for customers who wish to federate Microsoft 365 authentication to HENNGE Access Control.
Purpose
Configure the federation of HENNGE Access Control and Microsoft 365 to log in to Microsoft 365 from HENNGE Access Control.
Cautions
1. By completing the procedures in this article, the login screen of HENNGE Access Control will be shown when accessing Microsoft 365.
2. To enable federation for multiple domains, execute the command for all domains.
3. The account information of the global administrator in your Microsoft 365 tenant is required.
4. It is recommended to use a Microsoft 365 global administrator account in the initial Microsoft 365 domain (the domain ending in .onmicrosoft.com) for the steps in this article. An administrator whose account is in the domain being federated can lose access to the tenant once that domain switches to federated sign-in.
5. When managing users with HENNGE Access Control, this operation alone is not enough for users to log in to Microsoft 365: user synchronization between Microsoft 365 and HENNGE Access Control must also be configured.
6. The content of this article is based on product specifications as of July 2024 and is revised accordingly without advance notice.
Procedures
1. Prepare an environment to connect to Microsoft 365 via Microsoft Graph PowerShell
Referring to the following article, make sure you are ready to connect to Microsoft 365 using Microsoft Graph PowerShell.
Connect to Microsoft365 using Microsoft Graph PowerShell
2. Check Microsoft 365 default domain settings
2.1. Go to the Microsoft admin center and click on "Show All" in the menu on the left side of the screen.
2.2. In the menu on the left side of the screen, click [ Settings ] then [ Domains ].
2.3. Verify that "(Default)" appears to the right of the initial Microsoft 365 domain [ xxxx.onmicrosoft.com ].
Due to a limitation of Microsoft 365, the tenant's default domain cannot be federated. If "(Default)" is shown next to a domain other than the initial Microsoft 365 domain, change the default domain to the initial Microsoft 365 domain before continuing.
3. Check federation configuration commands
The commands to configure the federation between Microsoft 365 and HENNGE Access Control are stated in the document "HENNGE One Setting Information Sheet.pdf" provided by your HENNGE One onboarding guide beforehand.
Please contact your guide if you do not have a copy of this setting information sheet.
4. Execute commands for federation configuration
4.1. Open Windows [ Start ] and open [ Windows PowerShell ] with administrative privileges.
* Confirm that "Administrator" is displayed in the title bar of the opened PowerShell window.
4.2. Execute the following command:
Connect-MgGraph -Scopes "Domain.ReadWrite.All","Directory.AccessAsUser.All" -ErrorAction Stop
* These two scopes are the minimum needed for the federation cmdlets below; do not add further scopes.
4.3. A browser sign-in window opens and you will be prompted for Microsoft 365 credentials, so enter the information of the global administrator in your Microsoft 365 tenant and consent to the requested permissions.
4.4. Run the following command and confirm that the AuthenticationType column for the domain to be federated is "Managed".
Get-MgDomain
* If a value other than "Managed" is shown in the AuthenticationType column, contact your HENNGE One onboarding guide / customer success guide.
4.5. Execute the commands to perform the federation one line at a time.
The following is an example:
The domain name (sampledomain.com), the HENNGE URLs derived from it, and the signing certificate value will vary for each customer's environment. See "HENNGE One Setting Information Sheet.pdf" for the values to use.
The value of $cert is the base64-encoded signing certificate of HENNGE Access Control as given in the setting information sheet (one line, without BEGIN/END CERTIFICATE headers). Microsoft 365 will trust sign-in tokens for this domain only when they are signed by this certificate, so copy it exactly from the sheet.
If an error occurs when executing the commands, contact your HENNGE One onboarding guide / customer success guide.
$dom = "sampledomain.com"
$puri = "https://ap.ssso.hdems.com/sso/sampledomain.com/login/"
$issuer = "https://ap.ssso.hdems.com/sso/sampledomain.com"
$auri = "https://ap.ssso.hdems.com/active/sampledomain.com"
$logoffuri = "https://ap.ssso.hdems.com/sso/sampledomain.com/logout/"
$mex = "https://ap.ssso.hdems.com/mex/sampledomain.com"
$cert = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
New-MgDomainFederationConfiguration -DomainId $dom -DisplayName $dom -IssuerUri $issuer -PreferredAuthenticationProtocol "wsFed" -ActiveSignInUri $auri -FederatedIdpMfaBehavior "acceptIfMfaDoneByFederatedIdp" -MetadataExchangeUri $mex -SigningCertificate $cert -PassiveSignInUri $puri -SignOutUri $logoffuri
* $puri is the passive (browser) sign-in URL, $auri the active (ECP) sign-in URL used by non-browser clients, $issuer the issuer URI of HENNGE Access Control, $logoffuri the sign-out URL and $mex the metadata exchange URL. The variable names used in the New-MgDomainFederationConfiguration command must match the ones assigned above.
4.6. Run Get-MgDomain again, as in 4.4, and verify that the [ AuthenticationType ] column for the target domain where the command was executed is now "Federated".
* If a value other than "Federated" is shown in the AuthenticationType column, contact your onboarding guide / customer success guide.
4.7. Verify that the federation is actually completed successfully.
Follow the contents of the following article to check if the federation has been successfully completed.
* It may take several hours from the execution of the command to the completion of federation.
Confirmation of Federation Status between HENNGE Access Control and Microsoft 365
4.8. Notify your onboarding guide / customer success guide that the federation is complete.
Please be sure to contact your HENNGE One onboarding guide / customer success guide once you have executed the federation commands and confirmed that it has completed successfully.
4.9. Disconnect from Microsoft Graph
Disconnect from Microsoft Graph by executing the following command:
Disconnect-MgGraph
* Microsoft Graph PowerShell caches the signed-in session, so the next [ Connect-MgGraph ] on this machine would reuse the global administrator's token without prompting for sign-in. Run [ Disconnect-MgGraph ] so that this privileged session does not remain available on the computer.
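The following script is an added example, not part of this article or of HENNGE's own documentation. It carries out steps 2 and 4 above end to end with the checks an administrator would want before and after the change: it parses the signing certificate locally, verifies that the target domain exists, is verified, is not the tenant's default domain and is still "Managed", then creates the federation configuration and reads it back. The domain name, URLs and certificate value are placeholders in the same shape as the example in 4.5 and must be taken from your "HENNGE One Setting Information Sheet.pdf".

```powershell
# Added example (not HENNGE's script): federation procedure with pre- and post-checks.
# PLACEHOLDER values below are assumptions; replace them with those from your setting sheet.
#Requires -Modules Microsoft.Graph.Identity.DirectoryManagement

$ErrorActionPreference = 'Stop'

# --- Values from the setting information sheet (PLACEHOLDERS) ---
$dom       = 'sampledomain.com'
$issuer    = "https://ap.ssso.hdems.com/sso/$dom"
$puri      = "https://ap.ssso.hdems.com/sso/$dom/login/"
$auri      = "https://ap.ssso.hdems.com/active/$dom"
$logoffUri = "https://ap.ssso.hdems.com/sso/$dom/logout/"
$mex       = "https://ap.ssso.hdems.com/mex/$dom"
$cert      = 'MIIC...base64 DER of the HENNGE signing certificate...'   # PLACEHOLDER

# Only the two scopes the federation cmdlets need (least privilege).
Connect-MgGraph -Scopes 'Domain.ReadWrite.All','Directory.AccessAsUser.All' -NoWelcome

# Pre-check 1: the certificate must be base64 DER (no PEM headers) and not expired.
# Parsing it locally catches copy/paste damage before anything is written to the tenant.
try {
    $x509 = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new(
        [Convert]::FromBase64String($cert))
} catch {
    throw "SigningCertificate is not a valid base64 DER certificate: $($_.Exception.Message)"
}
if ($x509.NotAfter -lt (Get-Date)) { throw "Signing certificate expired on $($x509.NotAfter)" }
Write-Host "Signing cert subject: $($x509.Subject)  thumbprint: $($x509.Thumbprint)"

# Pre-check 2: the domain must be verified, must not be the default domain (that is the
# Microsoft 365 limitation from step 2) and must still be Managed (step 4.4).
$domain = Get-MgDomain -DomainId $dom
if (-not $domain.IsVerified) { throw "$dom is not a verified domain in this tenant" }
if ($domain.IsDefault) {
    throw "$dom is the default domain; make the .onmicrosoft.com domain the default first"
}
if ($domain.AuthenticationType -ne 'Managed') {
    throw "$dom is '$($domain.AuthenticationType)', expected 'Managed'; contact your HENNGE guide"
}

# Step 4.5: create the WS-Fed federation configuration. MFA performed by HENNGE Access
# Control is accepted by Microsoft 365 (acceptIfMfaDoneByFederatedIdp).
$null = New-MgDomainFederationConfiguration -DomainId $dom -DisplayName $dom `
    -IssuerUri $issuer -PreferredAuthenticationProtocol 'wsFed' `
    -PassiveSignInUri $puri -ActiveSignInUri $auri -SignOutUri $logoffUri `
    -MetadataExchangeUri $mex -SigningCertificate $cert `
    -FederatedIdpMfaBehavior 'acceptIfMfaDoneByFederatedIdp'

# Step 4.6: read the result back and confirm the domain now reports Federated.
$after = Get-MgDomain -DomainId $dom
$cfg   = Get-MgDomainFederationConfiguration -DomainId $dom
[PSCustomObject]@{
    Domain             = $after.Id
    AuthenticationType = $after.AuthenticationType
    IssuerUri          = $cfg.IssuerUri
    PassiveSignInUri   = $cfg.PassiveSignInUri
    ActiveSignInUri    = $cfg.ActiveSignInUri
    CertThumbprint     = $x509.Thumbprint
} | Format-List
if ($after.AuthenticationType -ne 'Federated') {
    Write-Warning "$dom is not yet Federated; re-run Get-MgDomain later (step 4.7)"
}

# Step 4.9: drop the cached token so the global administrator session does not linger.
Disconnect-MgGraph
```

Run the script in an elevated Windows PowerShell session after completing step 1. Every check throws before New-MgDomainFederationConfiguration is called, so a wrong certificate, a default domain or an already federated domain stops the script without touching the tenant; the final Format-List output is what you report to your onboarding guide in step 4.8.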