Office 365 - Azure AD Users Unable to Login

Problem

Users with federated Azure Active Directory accounts are unable to log in to Office 365.

Requirements

  • Federated Active Directory users must be synchronized from an on-premises Active Directory.

Solution

Azure Active Directory Configuration

Create a dynamic group to set an ACL within PortalGuard.

  1. Log in to Azure Active Directory and click 'Groups'.

  2. Create a new group by clicking on 'New Group'.

  3. Enter the following information:

  4. Click 'Add dynamic query'.

  5. Enter the following query:

  6. Save the dynamic query by clicking 'Save'.

  7. Lastly, click 'Create' to save the dynamic group.

PortalGuard Configuration

Update the Identity Claims and Authorization for the Office 365 - Cloud relying party.

  1. Navigate to the PortalGuard server and open the Identity Provider Configuration Editor.

  2. Create a copy of the Office 365 relying party.

  3. Navigate to the Identity Claims tab.

  4. Update the Attribute Store to use an Azure AD directory.

  5. Edit the objectGUID claim to search for the onPremisesImmutableId attribute.

  6. Edit the ImmutableID claim to search for the onPremisesImmutableId attribute.

  7. Navigate to the Authorization tab.

  8. Click 'Add' to limit access to the relying party for synchronized users.

  9. Search for the new dynamic group that was created above.

  10. Click the 'Save' button.

  11. From the main screen of the Identity Provider Configuration Editor, click the 'Apply to Identity Provider' button. 

  12. Click the 'Sync' button.
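The authorization rule above only admits users who are both synchronized from on-premises AD (so that onPremisesImmutableId is populated for the ImmutableID and objectGUID claims) and already members of the dynamic group. The following PowerShell script is an added diagnostic example, not part of the original article or of PortalGuard's own tooling; it assumes the Microsoft.Graph PowerShell SDK is installed and takes the display name of the dynamic group as a placeholder parameter, since the article does not state it.

```powershell
# Added example (not from the original article or PortalGuard). Assumes the
# Microsoft.Graph PowerShell SDK; $GroupDisplayName is a placeholder for the
# dynamic group created in the Azure Active Directory Configuration section.
param(
    [Parameter(Mandatory = $true)]
    [string]$GroupDisplayName
)

Connect-MgGraph -Scopes "User.Read.All", "GroupMember.Read.All"

# 1. Pull the attributes the PortalGuard claims depend on.
$users = Get-MgUser -All -Property Id, UserPrincipalName, OnPremisesSyncEnabled, OnPremisesImmutableId

# Cloud-only users are expected to be denied by the new authorization rule.
$notSynced = $users | Where-Object { -not $_.OnPremisesSyncEnabled }

# Synchronized users with no onPremisesImmutableId cannot satisfy the
# ImmutableID / objectGUID claims and will fail to sign in to Office 365.
$missingImmutableId = $users | Where-Object {
    $_.OnPremisesSyncEnabled -and [string]::IsNullOrEmpty($_.OnPremisesImmutableId)
}

# 2. Compare synchronized users against the dynamic group's current membership.
#    Dynamic membership is evaluated asynchronously, so users synchronized very
#    recently may not be members yet and will be denied until the rule reprocesses.
$group = Get-MgGroup -Filter "displayName eq '$GroupDisplayName'" -Property Id, DisplayName, MembershipRule
if (-not $group) { throw "Dynamic group '$GroupDisplayName' not found." }

$memberIds = @{}
Get-MgGroupMember -GroupId $group.Id -All | ForEach-Object { $memberIds[$_.Id] = $true }

$syncedNotInGroup = $users | Where-Object {
    $_.OnPremisesSyncEnabled -and -not $memberIds.ContainsKey($_.Id)
}

"Membership rule on '$($group.DisplayName)': $($group.MembershipRule)"
"Cloud-only users (expected to be denied):     $($notSynced.Count)"
"Synced users missing onPremisesImmutableId:   $($missingImmutableId.Count)"
"Synced users not (yet) in the dynamic group:  $($syncedNotInGroup.Count)"

"--- Synced users missing onPremisesImmutableId ---"
$missingImmutableId | Select-Object UserPrincipalName | Format-Table -AutoSize
"--- Synced users not in the dynamic group ---"
$syncedNotInGroup | Select-Object UserPrincipalName | Format-Table -AutoSize
```

Run it as a user with read access to the directory after the PortalGuard 'Sync' step; a user who appears in either of the two lists will be unable to log in through the Office 365 - Cloud relying party until the underlying attribute or group membership is corrected.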