Configuring SAML SSO for Microsoft Entra ID users

These steps will guide you through setting up SAML SSO for Microsoft Entra ID (formerly known as Azure AD) users, using ADSelfService Plus as the identity provider (IdP) and Microsoft Entra ID as the service provider (SP).

Note:
  • SSO can be enabled only for domains that are verified in Microsoft Entra ID.
  • SSO cannot be enabled for "onmicrosoft.com" domains that are created by Microsoft.
  • SSO cannot be enabled for the default domain (the primary domain in which users are created). It can only be configured for custom domains. Microsoft Entra ID prohibits SSO configuration for default domains to ensure that administrators can log in to Office 365 regardless of issues with the IdP. If your organization does not have a custom Office 365 domain, you need to purchase one in order to configure SSO.
  • Federated domains, i.e., domains in which SSO has been enabled, cannot be configured for password synchronization.

Steps to link Microsoft Entra ID and on-premises AD user accounts

  1. Using Microsoft Entra Connect
    • GUID as sourceAnchor: If you have Microsoft Entra Connect, then use it to update the sourceAnchor attribute in Office 365 with AD’s GUID attribute value.
    • Other unique AD attribute as sourceAnchor: If you have already assigned a different attribute value other than GUID for the sourceAnchor attribute, then use the Account Linking option in ADSelfService Plus to map it with the corresponding attribute in AD.
  2. Using a third-party GUID to ImmutableID converter tool
    • Convert GUID to ImmutableID: If you don’t have Microsoft Entra Connect, then you can download a third-party tool that converts GUID to ImmutableID. Use the tool to convert the GUID value of each user to ImmutableID values and update them in Microsoft Entra ID.
    • Update the ImmutableID value in Microsoft Entra ID: Once you have converted the GUID to ImmutableID, you need to update the value in Microsoft Entra ID for each user by following the steps below using PowerShell commands.
      • Open PowerShell with administrator privileges.
      • Run the following command to install the Microsoft Graph PowerShell, if it is not already installed:

        Install-Module Microsoft.Graph -Scope CurrentUser

        • Microsoft Graph PowerShell commands for ImmutableID
      • Command to connect to Microsoft Graph PowerShell:

        Connect-MgGraph -Scopes "Directory.AccessAsUser.All"

        Note: Sign in with a Microsoft Entra ID account that has Global Admin privileges.

      • Command to update ImmutableID attribute for existing users:

        Update-MgUserByUserPrincipalName -UserPrincipalName "<user_mailID>" -OnPremisesImmutableId "<immutable_id>"

      • Command to update ImmutableID attribute while creating new users

        New-MgUser -AccountEnabled:$true -UserPrincipalName "user01@selfservice.com" -MailNickname "user01" -OnPremisesImmutableId "<immutable_id>" -DisplayName "user01" -GivenName "user" -Surname "S"

      • Command to confirm whether the ImmutableID attribute update was successful

        Get-MgUserByUserPrincipalName -UserPrincipalName "<user_mailID>" -Property UserPrincipalName,OnPremisesImmutableId | select UserPrincipalName, OnPremisesImmutableId

Prerequisite

  1. Login to ADSelfService Plus as an administrator.

  2. Navigate to  Configuration → Self-Service → Password Sync/Single Sign On → Add Application, then select Microsoft 365/Azure from the applications displayed.
    Note: You can also find Microsoft 365/Azure application that you need from the search bar located in the left pane or the alphabet wise navigation option in the right pane.
  3. Click IdP details in the top-right corner of the screen.

  4. In the pop-up that appears, copy the Entity ID, Login URL and Logout URL and download the SSO certificate by clicking on the Download Certificate.

    5. Screenshot

Microsoft Entra ID (Service Provider) configuration steps

  1. Open PowerShell with administrator privileges.
  2. Run the following command to install the Microsoft Graph PowerShell, if it is not already installed:

    Install-Module Microsoft.Graph -Scope CurrentUser

  3. Connect to Microsoft Graph PowerShell using the command below. Sign in with a Microsoft Entra ID account that has Global Admin privileges:

    Connect-MgGraph -Scopes "Directory.AccessAsUser.All"

  4. Retrieve a list of domains by running:

    Get-MgDomain

  5. Specify the domain for which you want to enable SSO:

    $dom = "selfservice.com"

  6. Define the Login URL, Entity ID, and Logout URL from step 4 of the Prerequisites for $url, $uri and $logouturl commands.

    $url = "<login URL value>"

    $uri = "<entity ID value>"

    $logouturl = "<logout URL value>"

    Example values:

    $url = "https://selfservice.com:9251/iamapps/ssologin/office365/1352163ea82348a5152487b2eb05c5adeb4aaf73"

    $uri = "https://selfservice.com:9251/iamapps/ssologin/office365/1352163ea82348a5152487b2eb05c5adeb4aaf73"

    $logouturl = "https://selfservice.com:9251/iamapps/ssologout/office365/1352163ea82348a5152487b2eb05c5adeb4aaf73"

  7. Now copy the SSO certificate file content and assign it to the $cert variable as shown below:

    $cert = "MIICqjCCAhOgAwIBAgIJAN..........dTOjFfqqA="

    8. SSO Certificate file
  8. Run the following command to enable SSO in Microsoft Entra ID:

    New-MgDomainFederationConfiguration -DomainId $dom -IssuerUri $uri -PassiveSignInUri $url -SignOutUri $logouturl -SigningCertificate $cert -PreferredAuthenticationProtocol saml -federatedIdpMfaBehavior rejectMfaByFederatedIdp

  9. To test the configuration, use the following command.

    Get-MgDomainFederationConfiguration -DomainId $dom | Format-List

    10. Get-MgDomainFederationConfiguration
    Note:

    If you have already enabled Microsoft Entra ID SSO using another IdP or want to update ADSelfService Plus' SSO settings, then you must first disable SSO in Microsoft Entra ID, and then follow the steps given in this guide. To disable SSO in Microsoft Entra ID, use the command given below:

    $dom = "selfservice.com"

    $federations = Get-MgDomainFederationConfiguration -DomainId $dom

    Remove-MgDomainFederationConfiguration -DomainId $dom -InternalDomainFederationId $federations.Id

    Remove-MgDomainFederationConfiguration

    Please note that the above change may take some time to get implemented in Microsoft Entra ID.

ADSelfService Plus (Identity Provider) configuration steps

  1. Now, switch to ADSelfService Plus’ Microsoft 365/Azure configuration page
  2. Enter the Application Name and Description.
  3. In the Domain Name field, enter the domain name you used in step 4 of the Microsoft Entra ID configuration steps.
  4. In the Assign Policies field, select the policies for which Azure AD SAML SSO needs to be enabled.
    Note:ADSelfService Plus allows you to create OU- and group-based policies for your AD domains. To create a policy, go to Configuration → Self-Service → Policy Configuration → Add New Policy.
  5. Select the SAML tab and check the Enable Single Sign-On checkbox.
  6. Choose the Name ID format that has to be sent in the SAML response. The Name ID format will specify the type of value sent in the SAML response for user identity verification.

    7. Note: Use Unspecified as the default option if you are unsure about the format of the login attribute value used by the application

  7. Click Add Application

Note: ADSelfService Plus supports SP- and IdP-initiated SAML SSO flows for Microsoft Entra ID.

Go to Top

Copyright © 2025, ZOHO Corp. All Rights Reserved.