Azure AD Join


This document provides instructions on how to configure Azure AD join using IBM® Security Verify as the Identity Provider.

Complete the following tasks:

  • Azure Active Directory
    • Enable device joining
    • Configure a federated Azure AD Domain
    • Provision users to Azure AD with PowerShell commands
  • IBM Security Verify
    • Configure Microsoft 365 application (WS-Federation)

Enabling device joining and configuring a federated Azure AD domain

Enabling device joining

  1. Log in to the Azure portal.
  2. Configure the device settings as shown below to allow users to join devices to Azure AD, and disable the MFA setting on the Azure AD side to avoid a double MFA prompt.
  3. [Optional] Enable automatic Intune enrollment. During Azure AD join, the computer is then automatically enrolled in Intune with the following configuration:
     • From the Azure portal, click Mobility (MDM and MAM) > Microsoft Intune.
     • Set MDM user scope to All and save the settings.

Configuring a federated Azure AD domain

  1. In the Azure portal, create a custom domain. For example, Ensure that it is verified. The custom domain is required to set up a federated Azure domain with a third-party federation service. The main domain with suffix does not support federated domain configuration.
  2. Install Windows PowerShell and the Microsoft Online Services Module on the Windows machine.
  3. Execute the following command in the PowerShell command console:


     It prompts for a login.
  4. Specify the Azure admin user credential. This is the admin user UPN with the suffix.
  5. After a successful login, execute the following command in the PowerShell command console to create a federated domain with the ISV tenant. (Update the tenant hostname to your tenant host accordingly; -DomainName is the custom domain created in step 1; -SigningCertificate is the public certificate of the default certificate of your tenant.)
     Set-MsolDomainAuthentication -Authentication federated -DomainName -FederationBrandName IbmSecurityVerify -IssuerUri -PassiveLogOnUri -ActiveLogOnUri -MetadataExchangeUri -LogOffUri -SigningCertificate
  6. After the command completes successfully, type:
     Get-MsolDomainFederationSettings -DomainName

PS C:\Users\YongmingChen> Get-MsolDomainFederationSettings -DomainName

ActiveLogOnUri                         :
DefaultInteractiveAuthenticationMethod :
FederationBrandName                    : IbmSecurityVerify
IssuerUri                              :
LogOffUri                              :
MetadataExchangeUri                    :
NextSigningCertificate                 :
OpenIdConnectDiscoveryEndpoint         :
PassiveLogOnUri                        :
SigningCertificate                     : MIIDYDCCAkigAwIBAgIEJDZp0DANBgkqhkiG9w0BAQsFADByMQkwBwYDVQQGEwAxCTAHBgNVBAgTAD
SupportsMfa                            :

It shows the federated domain settings.

  7. Verify that all fields are correct.
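The following PowerShell script is an added example and is not part of the original IBM document. Once Set-MsolDomainAuthentication has run, it reads the federation settings back and checks them against your Verify tenant host and the exported tenant signing certificate, so that a mistyped endpoint or the wrong certificate is caught before any device join is attempted. The domain name, tenant host and certificate path are placeholders that you must replace.

```powershell
# Added example, not from the IBM document: confirm that the federated domain
# Azure AD now trusts really points at your Verify tenant and carries the
# certificate you intended to register. All three parameters are placeholders.
param(
    [string]$DomainName = "example.com",              # placeholder: your custom domain
    [string]$TenantHost = "mytenant.verify.ibm.com",  # placeholder: your Verify tenant host
    [string]$CertPath   = ".\verify-signing.cer"      # placeholder: tenant default cert (public part)
)

Connect-MsolService   # prompts for the Azure admin credential
$fed = Get-MsolDomainFederationSettings -DomainName $DomainName
$problems = @()

# Every endpoint Azure AD redirects to or calls must be on the expected tenant host;
# a wrong host here sends the whole sign-in flow somewhere else.
foreach ($field in 'PassiveLogOnUri', 'ActiveLogOnUri', 'MetadataExchangeUri', 'LogOffUri') {
    $value = $fed.$field
    if (-not $value -or $value -notmatch [regex]::Escape($TenantHost)) {
        $problems += "$field does not point at ${TenantHost}: '$value'"
    }
}
if (-not $fed.IssuerUri) { $problems += "IssuerUri is empty" }
if ($fed.FederationBrandName -ne 'IbmSecurityVerify') {
    $problems += "FederationBrandName is '$($fed.FederationBrandName)', expected IbmSecurityVerify"
}

# The registered SigningCertificate is what makes a token acceptable for this domain,
# so compare thumbprints against the exported tenant cert instead of eyeballing Base64.
if (-not $fed.SigningCertificate) {
    $problems += "SigningCertificate is empty"
} else {
    $certType = 'System.Security.Cryptography.X509Certificates.X509Certificate2'
    $expected = New-Object $certType -ArgumentList $CertPath
    $actual   = New-Object $certType -ArgumentList (,[Convert]::FromBase64String($fed.SigningCertificate))
    if ($actual.Thumbprint -ne $expected.Thumbprint) {
        $problems += "SigningCertificate thumbprint $($actual.Thumbprint) differs from $($expected.Thumbprint)"
    }
    if ($actual.NotAfter -lt (Get-Date).AddDays(30)) {
        $problems += "SigningCertificate expires $($actual.NotAfter); stage the rollover via NextSigningCertificate"
    }
}

if ($problems.Count -eq 0) {
    Write-Host "Federation settings for $DomainName are consistent with $TenantHost."
} else {
    $problems | ForEach-Object { Write-Warning $_ }
    exit 1
}
```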

Provisioning users to Azure AD with PowerShell commands

  1. Provision the user in Azure AD. Decide which attribute of the ISV user will be used as the immutableID and UPN in Azure AD.
  2. Execute the following command in the PowerShell command console:

New-MsolUser -userprincipalname [email protected] -immutableID testuserimmutableid -lastname test -firstname user -Displayname "test user" -LicenseAssignment "isvsts:DEVELOPERPACK_E5" -usageLocation SG

This provisions a user with UPN [email protected] and immutableID testuserimmutableid.

  3. Run the following command to verify that the immutableID was created correctly:
Get-MsolUser -UserPrincipalName "[email protected]" | Select ImmutableID

Configuring Microsoft 365 application (WS-Federation)

From ISV tenant Administrative Console

  1. Create Microsoft 365 application.
    1. Select Applications > Applications.
    2. Click Add application.
    3. In the Select Application Type pop-up, add the Microsoft365 application.
  2. In the Sign-on tab, select WS-Federation as the Sign-on method. Use the default settings except for the SAML subject Name identifier.
  3. Select an attribute source for UPN and ImmutableID. The UPN and ImmutableID values must match the UPN and ImmutableID in the Azure AD user registry.
  4. Save the application.
  5. In the Applications page, select the Microsoft365 application and click Settings.
     Click the Entitlements tab, select an Access type and select the Approvers check box accordingly.

Creating a new Microsoft 365 application with curl

  1. Obtain the API access token and use it in the authorization header.
  2. Use the following curl command as a template to create the application. (The '@' inside the activeProfileRequestRule value is written as '\''@'\'' so that it survives the single-quoted --data-raw argument in a POSIX shell.)
curl --location --request POST 'https://<isv_tenant>/v1.0/applications' \
--header 'accept: application/json' \
--header 'authorization: Bearer <access token>' \
--header 'Content-Type: application/json' \
--data-raw '{
    "name": "<Microsoft 365 application name>",
    "templateId": "41",
    "applicationRefId": "",
    "providers": {
        "saml": {
            "properties": {
                "validateAuthnRequest": "false",
                "generateUniqueID": false,
                "companyName": "Microsoft 365"
            },
            "justInTimeProvisioning": "false"
        },
        "sso": {
            "userOptions": "wsfed"
        },
        "wsfed": {
            "properties": {
                "callbackURL": "",
                "providerId": "urn:federation:MicrosoftOnline",
                "multipleDomainsEnabled": "false",
                "activeProfile": {
                    "defaultRealm": "cloudIdentityRealm"
                },
                "signingSettings": {
                    "signSamlAssertion": "true",
                    "signatureAlgorithm": "RSA-SHA256"
                },
                "ici_reserved_subjectNameID": "1",
                "additionalProperties": [
                    {
                        "name": "activeProfileRequestRule",
                        "value": "{\"p\": {\"username\": [requestContext.username[0].split('\''@'\'')[0]] }}"
                    }
                ]
            }
        }
    },
    "attributeMappings": [
        {
            "targetName": "UPN",
            "sourceId": "<upn_attr_id>",
            "targetAttrFormat": ""
        },
        {
            "targetName": "ImmutableID",
            "sourceId": "<ImmutableID_attr_id>",
            "targetAttrFormat": ""
        }
    ],
    "applicationState": true,
    "approvalRequired": false,
    "description": "An online version of Microsoft Office",
    "signonState": true,
    "provisioningMode": "",
    "identitySources": [],
    "visibleOnLaunchpad": true,
    "provisioning": {
        "authentication": {},
        "attributeMappings": [],
        "reverseAttributeMappings": [],
        "policies": {
            "provPolicy": "disabled",
            "deProvPolicy": "disabled",
            "deProvAction": "delete",
            "passwordSync": "disabled",
            "adoptionPolicy": {
                "matchingAttributes": [],
                "remediationPolicy": {}
            },
            "gracePeriod": 30
        },
        "extension": {},
        "provisioningState": "disabled",
        "sendNotifications": false,
        "generatePassword": false,
        "generatePasswordOnRestore": false
    },
    "apiAccessClients": [],
    "adaptiveAuthentication": {},
    "target": {
        "connectedApp_Yammer": "false",
        "connectedApp_OneDrive": "false",
        "connectedApp_Parature": "false",
        "connectedApp_SharePointOnline": "false",
        "connectedApp_MicrosoftPowerPointOnline": "false",
        "connectedApp_MicrosoftWordOnline": "false",
        "connectedApp_MicrosoftExcelOnline": "false",
        "connectedApp_SkypeforBiz": "false",
        "connectedApp_MicrosoftOneNote": "false",
        "connectedApp_Outlook": "false",
        "connectedApp_OneDriveforBusiness": "false",
        "connectedApp_MicrosoftPlanner": "false",
        "connectedApp_MicrosoftSharePointNewsfeed": "false",
        "connectedApp_MicrosoftDelve": "false",
        "connectedApp_OfficeSway": "false",
        "connectedApp_MicrosoftPowerApps": "false",
        "connectedApp_MicrosoftBookings": "false",
        "connectedApp_MicrosoftFlow": "false",
        "connectedApp_MicrosoftTeams": "false",
        "connectedApp_Dynamics365": "false",
        "connectedApp_MicrosoftOfficeOnlineAdmin": "false",
        "connectedApp_MicrosoftSecurityandCompliance": "false",
        "connectedApp_MicrosoftCalendar": "false",
        "connectedApp_MicrosoftPeople": "false",
        "connectedApp_MicrosoftTasks": "false"
    },
    "customIcon": ""
}'

POST to the /v1.0/owner/applications/{applicationId}/entitlements endpoint to add a user entitlement to the created application:

{
    "birthRightAccess": true,
    "requestAccess": false,
    "additions": [],
    "deletions": []
}
  3. Update the ISV tenant hostname in the URL.
  4. Update the access token in the authorization header.
  5. Update the name in the JSON payload with the application name.
  6. Update the activeProfileRequestRule entry in the JSON payload.
     • activeProfileRequestRule is optional. Remove it from the payload if it is not required.
  7. Update the attributeMappings in the JSON payload with the desired UPN and ImmutableID sources. The UPN and ImmutableID values must match the UPN and ImmutableID in the Azure AD user registry.
  8. Verify the JSON payload and ensure that all fields have the desired values.
  9. Run the updated curl command.
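As an added example (not part of the original IBM document), the following PowerShell pre-flight script checks the edited payload for the points listed above before the curl command is run: unreplaced placeholders, the WS-Federation settings Azure AD depends on, the UPN and ImmutableID mappings, and the provisioning state. It assumes the --data-raw JSON has been saved to m365-app.json (a placeholder path).

```powershell
# Added example, not from the IBM document: pre-flight check of the edited
# application payload before it is sent with curl. Assumes the --data-raw JSON
# was saved to m365-app.json (placeholder path).
param([string]$PayloadPath = ".\m365-app.json")

$raw = Get-Content -Raw -Path $PayloadPath
try { $app = $raw | ConvertFrom-Json } catch { throw "Payload is not valid JSON: $_" }
$findings = @()

# 1. Any <placeholder> left from the template would be sent to the API as a literal value.
foreach ($m in [regex]::Matches($raw, '<[^<>"]+>')) { $findings += "Unreplaced placeholder $($m.Value)" }

# 2. WS-Federation settings Azure AD depends on: realm, signed assertion, SHA-256.
$wsfed = $app.providers.wsfed.properties
if ($app.providers.sso.userOptions -ne 'wsfed') { $findings += "sso.userOptions must be wsfed" }
if ($wsfed.providerId -ne 'urn:federation:MicrosoftOnline') { $findings += "providerId must be urn:federation:MicrosoftOnline" }
if ("$($wsfed.signingSettings.signSamlAssertion)" -ne 'true') { $findings += "signSamlAssertion must be true; Azure AD verifies the token with the registered SigningCertificate" }
if ($wsfed.signingSettings.signatureAlgorithm -ne 'RSA-SHA256') { $findings += "signatureAlgorithm should stay RSA-SHA256" }

# 3. UPN and ImmutableID mappings must both exist and reference a real attribute source,
#    because Azure AD matches the incoming token to the user by ImmutableID and UPN.
foreach ($name in 'UPN', 'ImmutableID') {
    $map = @($app.attributeMappings | Where-Object { $_.targetName -eq $name })
    if ($map.Count -eq 0) { $findings += "attributeMappings has no $name entry" }
    elseif (-not $map[0].sourceId) { $findings += "$name mapping has an empty sourceId" }
}

# 4. The optional activeProfileRequestRule: present is fine, an empty value is not.
$rule = @($wsfed.additionalProperties | Where-Object { $_.name -eq 'activeProfileRequestRule' })
if ($rule.Count -gt 0 -and -not $rule[0].value) { $findings += "activeProfileRequestRule is present but has no value; remove it if not required" }

# 5. Users are created with New-MsolUser, so outbound provisioning from Verify stays off.
if ($app.provisioning.provisioningState -ne 'disabled') { $findings += "provisioningState is '$($app.provisioning.provisioningState)', expected disabled" }

if ($findings.Count -eq 0) { Write-Host "Payload passes pre-flight checks; run the curl command." }
else { $findings | ForEach-Object { Write-Warning $_ }; exit 1 }
```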

Run the flow

  1. Join the Windows 10 computer to Azure AD.
    1. Go to Settings > Accounts > Access work or school.
    2. Click Connect.
  2. Click Join this device to Azure Active Directory.
  3. Specify the UPN with the custom domain. For example, [email protected].
  4. Click Connect. It redirects to ISV to authenticate. After successful authentication, the following prompt is shown. Click Join to proceed.
  5. From the Azure portal devices, verify that the device is Azure AD joined.
  6. Log in to the Azure AD joined computer with the ISV user account.
  7. Switch to login with Work or School account.
  8. Specify the username and password of the ISV user to log in.

OOBE (Azure AD join for fresh Windows installation)

Users can also join Windows 10 to Azure AD during the Windows installation process (OOBE). Follow the on-screen prompts.
