VMware Digital Workspace Newsletter - Week 20

                           Week 20 -  2022             Weekly highlight:   Workspace ONE Hub Services  & Workspace ONE Access updates:   Removing the 3-Character Limit for People Search People Search (on Hub Web) will now allow searching with just one or two characters instead of the usual 3-character search. This enables support for searching names in logographic languages like Chinese, Japanese, etc.   Workflows Error Handling – Email Alerts upon failures Workspace ONE Experience Workflows error handling has been improved to send email alerts directly to Administrators   when a scheduled process fails to run successfully for any reason. All integration packs will now have an additional configuration parameter to include an email address to receive these notifications.   Saviynt Access Request Integration Pack for Workspace ONE Experience Workflows Hub Services customers with Workspace ONE Experience Workflows enabled can configure an integration with   Saviynt   to notify approve

Single Sign On to Office 365 with a Third Party Identity Provider (Workspace ONE)

 Federate Office 365 to a Third Party Identity Provider (Workspace ONE Access)

To use Single Sign On with Office 365, you will need to federate your Office 365 domain to a Third Party Identity Provider. In this case I will use VMware Workspace ONE Access. 

In the following video you can see the seamless user experience when the federation is configured:

- Powershell on Windows is required

First the necessary modules needs to be installed with the following command:

Install-Module -Name MSOnline

After the MS Online module is installed, you should be able to connect to MS Online with the following: (login with your tenant administrator in the popup)


After logging in, you can get the current domains listed with the following command:


This is what i see and you can see that none of my domains are federated at this point:

To federate your Office 365 domain, you will need to use the following command and fill in your domain and urls in the highlighted areas:

To get the correct Signing Certificate format, navigate to your Workspace ONE Access tenant and go to: Catalog - Settings - SAML Metadata:


In this screen you will find the Signing Certificate in the correct text format (without spaces etc.) 

Set-MsolDomainAuthentication –DomainName example.nl –IssuerUri example.workspaceoneaccess.com  –Authentication Federated -FederationBrandName "Zevenster" -PassiveLogOnUri https://example.workspaceoneaccess.com:443/SAAS/API/1.0/POST/sso -ActiveLogOnUri https://example.workspaceoneaccess.com/SAAS/auth/wsfed/active/logon -LogOffUri https://login.microsoftonline.com/logout.srf -MetadataExchangeUri https://example.workspaceoneaccess.com/SAAS/auth/wsfed/services/mex -SigningCertificate MIIFMTCCAxmgAwIBAgIHA4vUSKCpIjANBgkqhkiG9w0BAQsFADBQMSAwHgYDVQQDDBdWTXdhcmUgSAwfJeeRNT+Yu7g5RUhtT9DM1WDzOIGAG7Y9LrC7xPHLDpn7VJBcFTjHJ5dZ7g/T73173RwtBXzBC+z85t14DJ9l2gy8mRNPT86YsNu1i1FPc1d+kV0/abEDrFqCGjeNnMV6m/tnXNNKT9qzX+4Gb1iiqXEaIBZ+CIATOSVLfUtssF51+57iGPog6vMVjA7RNmqtvvHACmxA==

After you have successfully entered the command, the domain should be federated. You can verify again with:


Add Office 365 application to Workspace ONE Access:

Last step is to add the Office 365 application to Workpace ONE Access:

Before adding the Office365 application, you will need to make sure that the objectGUID attribute is synced from your Active Directory.

Go to the Admin console in Workspace ONE Access and Identity & Acces Management. Click on Setup on the right and go to User Attributes
In this screen you can scroll all the way down and add a custom attribute: 

Type in 'objectGUID' and hit Save

When syncing the Directory make sure the objectGUID attribute is mapped in the Directory Settings. In Identity & Acces Management click on Manage, go to you directory and click on Sync Settings. 

In the Sync Settings click on Mapped Attributes and make sure objectGUID is mapped to the right value:

Hit Save and Sync your directory.

To add the Office365 application in Workspace ONE Access, navigate to Catalog and choose New:

In this screen you can search in the templates to add an application, search for 'Office365' and choose the Office365 with provisioning:

(Provisioning will allow the users to be provisioned from Access to Office365. We are not using that in this configuration, so you can change the name to 'Office365' and leave provisoning)

In the WSFed configuration, scroll down and fill in the values for Application Parameters:

  • Office 365 Domain = your domain like example.nl
  • Office 365 Issuer = your  Access URL like example.workspaceoneaccess.com

After that click on Advanced Properties and make sure that the ImmutableID is mapped to ${user.objectGUID}:

Click on Next and Next again to assign the application to your users. (All Users is the default group for all the users)

After that hit Save and the applications should be available to your (test)users.


Popular posts from this blog

Workspace ONE | Use ADFS as an Identity Provider in Workspace ONE Access with JIT

Configure Shared iPad for Apple Business Manager in Workspace ONE

Simon's recommended VMworld 2021 sessions