Target
- Customers who federate Cloud Protection authentication with Microsoft 365
Purpose
- To configure federation between Cloud Protection and Microsoft 365, allowing users to log in to Cloud Protection via Microsoft 365.
Notes
- The content of this article is based on product specifications as of April 2026 and may be changed without prior notice.
- This procedure requires a Microsoft 365 global admin account and the Cloud Protection Identity and Access Management admin role.
- To log in to the Cloud Protection Administration, user registration in Cloud Protection is required. Users not registered in Cloud Protection will not be able to log in to the Administration even after federation with Microsoft 365 is established.
- If a user is deleted on the Microsoft 365 side, the corresponding account on the Cloud Protection side will be disabled.
* Users are not deleted automatically, so you must delete users separately on the Cloud Protection side.
- If you are using any of the following products from WithSecure, enabling federation will also change the login method for these products.
・Elements Endpoint Protection
・Elements Endpoint Detection and Response
・Elements Vulnerability Management (VM)
- If you want to enable federation for multiple domains, you must configure the settings for each domain individually.
- If you have already set up federation between Access Control and Microsoft 365, authentication after this procedure is chained: Cloud Protection redirects to Microsoft 365, and Microsoft 365 redirects to Access Control. Users will therefore need to log in to Access Control.
Pre-checks
Confirming the admin account email address
Before starting this procedure, please ensure that the email addresses of the users to be federated in Cloud Protection match the primary email addresses of the users in Microsoft 365.
* If the email addresses do not match, or if the user does not exist in either environment, you will not be able to log in to Cloud Protection.
In addition, users registered with Microsoft 365 plus addresses or alias addresses will not be able to log in after federation.
For more information about plus addresses, please refer to the following Microsoft page.
Plus addressing in Exchange Online
Checking roles
Check the roles of the users who will perform this procedure.
1. Access the Cloud Protection Administration with an account from the domain to be federated.
URL: https://elements.withsecure.com/apps/cloudprotection/
2. From the left menu, go to [Administration] - [Organization Settings] - [Security Admins].
3. In the list, click the email address of the admin account that will perform the federation.
4. For the relevant user, make sure the [Elements Administration]: Identity and Access Management switch is enabled.
* If the role is not assigned, enable the [Identity and Access Management] switch in the Edit User screen and click [Save].
Creating an admin account outside the scope of federation
To prepare for the possibility of losing access to Cloud Protection after federation is configured, we recommend registering an admin account in advance with a domain that is not subject to federation, such as onmicrosoft.com.
Be sure to assign the "Identity and Access Management" role to the admin account you create.
For the procedure to create a new user, please refer to the following page.
Create a new Cloud Protection user
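The two pre-checks above (address matching and a fallback admin outside the federated domain) can be run as a script before enabling federation. This is an added example, not WithSecure or Microsoft code. It assumes you have the list of Cloud Protection admin addresses and each Microsoft 365 user's proxyAddresses values (where the uppercase "SMTP:" entry is the primary address and lowercase "smtp:" entries are aliases), compares case-insensitively, and uses constructed sample data and hypothetical function names.

```python
# Added example; input shapes are assumptions and all sample data is constructed.
def primary_and_aliases(proxy_addresses):
    """Split proxyAddresses values: 'SMTP:' marks the primary, 'smtp:' an alias."""
    primary, aliases = None, set()
    for value in proxy_addresses:
        prefix, _, addr = value.partition(":")
        if prefix == "SMTP":
            primary = addr.lower()
        elif prefix == "smtp":
            aliases.add(addr.lower())
    return primary, aliases

def classify_admins(cp_admins, m365_users, federated_domain):
    """Return {email: status} for every Cloud Protection admin address."""
    primaries, aliases = set(), set()
    for user in m365_users:
        primary, user_aliases = primary_and_aliases(user["proxyAddresses"])
        primaries.add(primary)
        aliases |= user_aliases
    result = {}
    for email in cp_admins:
        addr = email.strip().lower()
        local, _, domain = addr.rpartition("@")
        if domain != federated_domain.lower():
            status = "outside-federation"   # not in the domain being federated
        elif "+" in local:
            status = "plus-address"         # cannot log in after federation
        elif addr in primaries:
            status = "ok"
        elif addr in aliases:
            status = "alias"                # cannot log in after federation
        else:
            status = "missing-in-m365"      # no matching primary address
        result[email] = status
    return result

def has_fallback_admin(statuses):
    """True if an admin exists outside this domain (assumed not federated itself)."""
    return "outside-federation" in statuses.values()

# Constructed sample data.
M365_USERS = [{"proxyAddresses": ["SMTP:alice@example.com", "smtp:a.smith@example.com"]},
              {"proxyAddresses": ["SMTP:bob@example.com"]}]
CP_ADMINS = ["Alice@example.com", "a.smith@example.com", "bob+cp@example.com",
             "carol@example.com", "breakglass@example.onmicrosoft.com"]

if __name__ == "__main__":
    for email, status in classify_admins(CP_ADMINS, M365_USERS, "example.com").items():
        print(f"{status:20} {email}")
```

Any status other than "ok" or "outside-federation" should be corrected before enabling federation. The script cannot confirm that the fallback admin holds the "Identity and Access Management" role, so check that in the Administration.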
Procedure
Connection Settings
1. In the left menu, click [Administration] - [Organization Settings] - [Security Admins], then click [Configure Federation Single Sign-On].
2. The federation settings screen for the target domain will appear. Click [Sign in with Microsoft].
3. If the Microsoft 365 or Access Control login screen appears, enter your ID and password to log in.
4. When the "Requested permissions" screen appears, check [Consent on behalf of your organization] and click [Accept].
* A Microsoft 365 global admin account is required.
5. Once consent is complete, you will be redirected to the federation settings screen, and the [Sign in with Microsoft] section from step 2 will change to [Verification successful].
* If you click [Close] at the bottom of the screen at this point, the settings will be lost and you will need to repeat the configuration from step 2.
6. Click [Enable Federation Single Sign-On] at the bottom of the screen.
* For the first login after federation is enabled, you will be required to enter your Cloud Protection password and perform multi-factor authentication.
7. Confirm that the message "Federation Single Sign-On is enabled for domain '~~~'" is displayed.
Initial Login Setup
Please perform the following steps for all Cloud Protection admins in the federated domain, including the admin who performed the connection settings.
1. Access the Cloud Protection login screen.
URL: https://elements.withsecure.com/apps/cloudprotection/
2. Enter your email address.
3. Depending on your environment, you will be redirected to the Microsoft 365 or Access Control login screen. Enter your ID and password.
* If you are already authenticated, you will be redirected to the Administration without the login screen appearing.
4. You will return to the Cloud Protection login screen. Enter your Cloud Protection password.
5. The multi-factor authentication screen will appear. Authenticate using the appropriate method and log in.
6. A screen from WithSecure stating "Your business account will be federated with your EntraID account." will appear. Click [Continue].
7. Once you are able to log in to Cloud Protection, the setup is complete.
From now on, you can log in to Cloud Protection by following steps 1 to 3 above.