Setting up MyLogin as the identity provider for Windows 11 devices / Microsoft 365


Switching over from Wonde Single Sign-On to MyLogin? Click here.

Prerequisites

To configure MyLogin as an identity provider (IdP) for Microsoft Entra ID, the following prerequisites must be met:

  • You must have a Microsoft Entra ID tenant, with one or multiple custom domains (domains that are not in the format *.onmicrosoft.com)
    • If the federated domain hasn't yet been added to Microsoft Entra ID, you will need to have access to the DNS domain to create a DNS record. This is required to verify the ownership of the DNS namespace.
    • Head here to learn how to add your custom domain name using the Microsoft Entra ID portal.
  • Access the Microsoft Entra ID tenant with the Global Administrator role for your tenant.
  • Existing accounts in your Microsoft Entra ID are associated with your custom domain.
  • Web sign-in is not supported for Microsoft Entra hybrid joined or domain joined devices.

  • Devices that will use the MyLogin service must be running Windows 11.
  • Devices must be managed via Intune.
  • Federating a domain so that MyLogin becomes its IdP affects every user in that domain. If you wish to limit the impact on your users, consider federating a subdomain instead (see Subdomains below).
  • Make sure that all of your devices have been updated to the latest build of Windows 11. If updates are not maintained, you may have difficulty distributing MyLogin's web sign-in capability to devices, and devices where the solution has already been deployed may lose service.
  • Finally, make sure that all of the following URLs have been added to any relevant allowlists:
    app.mylogin.com, app.eu-west.mylogin.com and account.microsoft.com. If you encounter difficulty that you suspect is related to stricter web filtering or firewalls, additionally allow all of the following:
    https://*.fontawesome.com, https://*.cloudfront.net, https://*.cloudflare.com, https://*.microsoftonline.com, https://ssl.gstatic.com, https://*.typekit.net, https://*.amazonaws.com, https://*.jquery.com, https://mylogin.com, https://lh3.googleusercontent.com, https://www.loom.com, https://fonts.bunny.net

Subdomains

It is also possible to federate subdomains. However, a subdomain must first be promoted so that Entra ID recognises it as a root domain, before it can be federated with MyLogin as the identity provider using the instructions in this article. This process is laid out by Microsoft here.

Note: Make sure that the Domain.ReadWrite.All permission is consented under the "Modify permissions" tab in Graph Explorer before attempting subdomain promotion.

A subdomain cannot be promoted until all users have been migrated out of it. Bear this in mind if any of the users currently attached to the subdomain do not yet have an Immutable ID set: to avoid upheaval later, this will need to be actioned before migrating users out. The best way to set Immutable IDs is to sync your domain with MyLogin first, because MyLogin sets an Immutable ID wherever one is not yet present, and every user in a federated domain must have one.
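The following pre-check script is an added example and is not part of the MyLogin article or Microsoft's own documentation. It confirms that no users remain in the subdomain and reports which of them lack an immutable ID before calling the promote action; it assumes Connect-MgGraph has already been run with User.Read.All and Domain.ReadWrite.All, that the promote action is the one the linked Microsoft article describes (assumed here to be POST /domains/{id}/promote on the v1.0 endpoint), and the subdomain name is a placeholder.

```powershell
# Added example (not from the MyLogin article). Placeholder subdomain to promote.
$Subdomain = 'students.YOURDOMAIN.com'

# Get-MgUser returns only a default property set, so request OnPremisesImmutableId explicitly.
$remaining = Get-MgUser -All -Property Id,UserPrincipalName,OnPremisesImmutableId |
    Where-Object { $_.UserPrincipalName -like "*@$Subdomain" }

if ($remaining) {
    # Promotion is refused while users still live in the subdomain; show who, and whether
    # each already has an immutable ID (needed before they are migrated out, per the note above).
    "Cannot promote $Subdomain yet: $($remaining.Count) user(s) still use it."
    $remaining |
        Select-Object UserPrincipalName,
            @{ n = 'HasImmutableId'; e = { -not [string]::IsNullOrEmpty($_.OnPremisesImmutableId) } } |
        Format-Table
    return
}

$domain = Get-MgDomain -DomainId $Subdomain
if (-not $domain.IsVerified) { throw "$Subdomain is not verified in Entra ID; add the DNS record first." }
if ($domain.IsRoot) { "$Subdomain is already a root domain."; return }

# Assumed Graph action (see lead-in): promote the verified subdomain to a root domain.
Invoke-MgGraphRequest -Method POST -Uri "https://graph.microsoft.com/v1.0/domains/$Subdomain/promote"

# Confirm the result before federating the (now root) domain.
Get-MgDomain -DomainId $Subdomain | Select-Object Id, IsRoot, IsVerified, AuthenticationType
```

Run it once with the users still present to get the report, migrate them, then run it again to perform the promotion.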


Complete the MyLogin setup wizard

  1. Navigate to school.wonde.com and log into your school's Wonde School Portal.

  2. Hover over the MyLogin tile and click Launch (click on the tile and approve the permissions for MyLogin to access the required data via Wonde first if you haven't yet done so).

  3. Create a password for your MyLogin admin account.



  4. Confirm you want to use Wonde as the source of truth for user creation.



  5. Your new MyLogin users will begin to import from your MIS via Wonde.



  6. When your users finish importing, click Let's go! to move to the final stage of the setup wizard.



  7. Select Connect with Microsoft and connect the tenant that you would like to connect with for the purpose of matching Microsoft users with your new MyLogin users. If you'd like to connect both Microsoft and Google, then you will be able to add Google in Settings once the setup wizard is complete.
    Note: You will need to ensure app.mylogin.com is allowed on your network.



  8. Update your tenant ID.



  9. Save settings, and then go to Manage connection and Sync users from Microsoft.

  10. After you have linked the Microsoft tenant in step 9, go to Users > User matching and match the Microsoft users to the Wonde data. You can filter the list using the controls along the top. We suggest filtering by "suggestion confidence" and then "strong". Look through the list to ensure all users match, then toggle the top-left box to select all filtered users and select "accept suggestions for Microsoft". Do the same for Medium and Weak, but check these carefully to make sure MyLogin is matching them correctly.

  11. Once all users are matched, you may wish to distribute credentials to users before proceeding to make MyLogin the IdP for the Microsoft environment. To do this, go to Users > Overview, use the filters to narrow down the list, toggle the top-left box to select all currently filtered users, and then choose which credentials to download (press the "download" button). This provides a PDF which you can rename to suit. Repeat this for all groups as necessary.

Setup Windows 11 devices to use MyLogin as the Identity Provider

Please note: When you federate a Microsoft Entra ID domain, you will not be able to manually create users in that domain, because newly created accounts in a federated domain require an immutable ID, and an immutable ID is not set when accounts are created manually in Entra ID.

Some third-party Entra ID provisioning services automatically apply an immutable ID to the users they create.

If, however, you do not have access to a user creation service that can create users in a different domain within your tenant, use the script below and then migrate the users to the domain that has been federated with MyLogin as the "brand name" IdP.

You will first need to connect to Microsoft Graph PowerShell and request the required permissions with the following commands. If the Microsoft.Graph module is already installed in your PowerShell, you only need the second line:

Install-Module Microsoft.Graph -Scope CurrentUser
Connect-MgGraph -Scopes "User.ReadWrite.All","Domain.ReadWrite.All","Directory.AccessAsUser.All"

Then set an immutable ID on every user in the domain that does not yet have one (Get-MgUser returns only a default set of properties, so OnPremisesImmutableId is requested explicitly):

Get-MgUser -All -Property Id,UserPrincipalName,OnPremisesImmutableId | Where-Object { $_.UserPrincipalName -like "*@YOURDOMAIN.com" -and [string]::IsNullOrEmpty($_.OnPremisesImmutableId) } | ForEach-Object { Update-MgUser -UserId $_.Id -OnPremisesImmutableId (New-Guid).Guid }

Once users have had their immutable IDs updated and have been migrated to the federated domain, you will need to update their UPN to contain the same domain name as the federated domain so that they can be matched in the MyLogin UI: only users whose UPN contains the domain name you have selected for MyLogin to view users from are visible to the platform. To do this you can use the script below (Update-MgUser takes the new value through its -UserPrincipalName parameter).

Get-MgUser -All | Where-Object { $_.UserPrincipalName -like "*@YOUROLDDOMAIN.com" } | ForEach-Object { Update-MgUser -UserId $_.Id -UserPrincipalName $_.UserPrincipalName.Replace('@YOUROLDDOMAIN.com', '@YOURNEWDOMAIN.com') }
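The script below is an added example, not code from the MyLogin article, that combines the two one-liners above into a report-first, dry-run workflow: it lists how many users in the old domain lack an immutable ID, shows what would change, and only rewrites UPNs for users that already have an ID. It assumes Connect-MgGraph has been run with User.ReadWrite.All; the domain names are placeholders, and the -WhatIf switches are there so nothing is changed until you remove them.

```powershell
# Added example (not from the MyLogin article). Placeholder domains.
$OldDomain = 'YOUROLDDOMAIN.com'   # domain the users currently live in
$NewDomain = 'YOURNEWDOMAIN.com'   # domain federated with MyLogin

# Get-MgUser returns only a default property set, so request OnPremisesImmutableId explicitly.
$users = Get-MgUser -All -Property Id,UserPrincipalName,OnPremisesImmutableId |
    Where-Object { $_.UserPrincipalName -like "*@$OldDomain" }

$missing = @($users | Where-Object { [string]::IsNullOrEmpty($_.OnPremisesImmutableId) })
"{0} user(s) in {1}; {2} without an immutable ID" -f @($users).Count, $OldDomain, $missing.Count
$missing | Select-Object UserPrincipalName | Format-Table

# Step 1: set an immutable ID only where one is missing. Remove -WhatIf to apply.
foreach ($u in $missing) {
    Update-MgUser -UserId $u.Id -OnPremisesImmutableId (New-Guid).Guid -WhatIf
}

# Step 2: move the UPN to the federated domain. Users still lacking an ID are skipped
# and reported, since a federated domain requires every user to have one.
# Re-run the report after step 1 has been applied for real, then remove -WhatIf here.
foreach ($u in $users) {
    if ([string]::IsNullOrEmpty($u.OnPremisesImmutableId)) {
        Write-Warning "Skipping $($u.UserPrincipalName): no immutable ID yet"
        continue
    }
    # Anchor the replacement to the end of the UPN so only the domain part changes.
    $newUpn = $u.UserPrincipalName -replace ("@" + [regex]::Escape($OldDomain) + '$'), "@$NewDomain"
    Update-MgUser -UserId $u.Id -UserPrincipalName $newUpn -WhatIf
}
```

Keeping the two steps separate, with the ID check in front of the UPN change, means a user can never land in the federated domain without an immutable ID, which is the condition the note above warns about.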

Step-by-step guide to setup MyLogin as your domain's identity provider

Note: Following these steps will enact MyLogin as your default identity provider at the domain level and cannot be further isolated to a lower level.

  1. On any Windows device, open PowerShell and enter the following commands:

    Install-Module Microsoft.Graph -Scope CurrentUser
    Connect-MgGraph -Scopes "User.ReadWrite.All","Domain.ReadWrite.All","Directory.AccessAsUser.All"

  2. Log in as a Global Administrator from your Azure AD/Entra ID tenant.

On the MyLogin settings page, enter your domain name under Federated Domain Setup, click Copy to clipboard to obtain the script, and then paste it into PowerShell.



Once the above script has been run, you can check your domain's federation settings with the following command in PowerShell:

Get-MgDomainFederationConfiguration -DomainId YOURDOMAIN.com | Format-List
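As an added example (not from the MyLogin article), the function below turns that check into a pass/fail verification: it confirms the domain is verified and federated, that the passive sign-in URL points at one of the MyLogin hosts the prerequisites ask you to allowlist, and that the token-signing certificate is not about to expire. It assumes Connect-MgGraph has been run with Domain.Read.All or Domain.ReadWrite.All; the domain name and the list of expected hosts are placeholders drawn from the URLs earlier in this article.

```powershell
# Added example (not from the MyLogin article).
function Test-MyLoginFederation {
    param(
        [Parameter(Mandatory)] [string] $DomainId,
        # Sign-in hosts from the article's allowlist; adjust for your region.
        [string[]] $ExpectedHosts = @('app.mylogin.com', 'app.eu-west.mylogin.com', 'app.ap-southeast.mylogin.com'),
        [int] $MinCertDaysLeft = 30
    )

    $domain   = Get-MgDomain -DomainId $DomainId
    $fed      = Get-MgDomainFederationConfiguration -DomainId $DomainId | Select-Object -First 1
    $problems = @()

    if (-not $domain.IsVerified) { $problems += 'Domain is not verified in Entra ID' }
    if ($domain.AuthenticationType -ne 'Federated') {
        $problems += "AuthenticationType is '$($domain.AuthenticationType)', expected 'Federated'"
    }

    $signInHost = $null
    $certExpiry = $null
    if (-not $fed) {
        $problems += 'No federation configuration found for this domain'
    } else {
        $signInHost = ([uri]$fed.PassiveSignInUri).Host
        if ($signInHost -notin $ExpectedHosts) {
            $problems += "PassiveSignInUri host '$signInHost' is not an expected MyLogin host"
        }
        # The signing certificate is stored base64-encoded (DER); decode it to read NotAfter.
        $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new(
            [Convert]::FromBase64String($fed.SigningCertificate))
        $certExpiry = $cert.NotAfter
        if ($certExpiry -lt (Get-Date).AddDays($MinCertDaysLeft)) {
            $problems += "Signing certificate expires $certExpiry (less than $MinCertDaysLeft days away)"
        }
    }

    [pscustomobject]@{
        Domain             = $DomainId
        IsVerified         = $domain.IsVerified
        AuthenticationType = $domain.AuthenticationType
        IssuerUri          = $fed.IssuerUri
        PassiveSignInUri   = $fed.PassiveSignInUri
        SigningCertExpiry  = $certExpiry
        Healthy            = ($problems.Count -eq 0)
        Problems           = $problems
    }
}

Test-MyLoginFederation -DomainId 'YOURDOMAIN.com' | Format-List
```

A federated domain whose signing certificate has expired will fail every web sign-in at once, so the expiry field is worth scheduling as a periodic check rather than looking at it only on the day of setup.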

Setting up your Windows 11 devices to use MyLogin as the IdP

1. Navigate to intune.microsoft.com and log in as a Global Administrator for the tenant that the domain you are federating belongs to.

2. Navigate to ‘Groups’ on intune.microsoft.com and create a Group called "MyLogin Devices" (or use an existing device group).

3. Assign any devices you’d like to use MyLogin as the identity provider for, onto this Group.


4. Navigate to ‘Devices’ on intune.microsoft.com and create a Configuration profile also named "MyLogin Devices".

5. Set this profile up for "Windows 10 and later" using the "Custom" template profile, as in the screenshot below. Add the OMA-URIs in the section below to this configuration profile under the Configuration settings section.
Make sure to paste the full OMA-URI path, including the leading dot ".".

./Vendor/MSFT/Policy/Config/Education/IsEducationEnvironment
  Data type: Integer
  Value: 1

./Vendor/MSFT/SharedPC/EnableSharedPCModeWithOneDriveSync
  Data type: Boolean
  Value: True

./Vendor/MSFT/Policy/Config/Authentication/EnableWebSignIn
  Data type: Integer
  Value: 1

./Vendor/MSFT/Policy/Config/Authentication/ConfigureWebSignInAllowedUrls
  Data type: String
  Value: app.mylogin.com;app.eu-west.mylogin.com
  (If setting up in Australia use: app.ap-southeast.mylogin.com;app.mylogin.com)

./Vendor/MSFT/Policy/Config/Authentication/ConfigureWebCamAccessDomainNames
  Data type: String
  Value: app.mylogin.com;app.eu-west.mylogin.com
  (If setting up in Australia use: app.ap-southeast.mylogin.com;app.mylogin.com)

./Device/Vendor/MSFT/Policy/Config/Authentication/PreferredAadTenantDomainName
  Data type: String
  Value: [Enter your custom domain name]
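For tenants that manage Intune through code, the script below is an added example (not from the MyLogin article or from Intune) that creates the same custom configuration profile, with exactly the OMA-URIs and values listed above, through Microsoft Graph and assigns it to the device group from step 2. It assumes Connect-MgGraph has been run with DeviceManagementConfiguration.ReadWrite.All and Group.Read.All, uses the Graph v1.0 windows10CustomConfiguration type with omaSettingInteger, omaSettingBoolean and omaSettingString entries, and treats the custom domain, region and group name as placeholders. It generalises the two regional URL variants in the table into a single region parameter.

```powershell
# Added example (not from the MyLogin article). Placeholders:
$CustomDomain = 'YOURDOMAIN.com'   # your federated custom domain
$Region       = 'eu-west'          # 'ap-southeast' for Australia
$GroupName    = 'MyLogin Devices'  # device group created in step 2

# Region-specific allowed sign-in URLs, matching the values in the article.
$allowedUrls = if ($Region -eq 'ap-southeast') {
    'app.ap-southeast.mylogin.com;app.mylogin.com'
} else {
    "app.mylogin.com;app.$Region.mylogin.com"
}

# Build one OMA-URI entry, choosing the Graph omaSetting type from the value's .NET type.
function New-OmaSetting([string]$Name, [string]$Uri, $Value) {
    $type = switch ($Value.GetType().Name) {
        'Int32'   { '#microsoft.graph.omaSettingInteger' }
        'Boolean' { '#microsoft.graph.omaSettingBoolean' }
        default   { '#microsoft.graph.omaSettingString' }
    }
    @{ '@odata.type' = $type; displayName = $Name; omaUri = $Uri; value = $Value }
}

$profileBody = @{
    '@odata.type' = '#microsoft.graph.windows10CustomConfiguration'
    displayName   = 'MyLogin Devices'
    description   = 'Web sign-in to MyLogin: shared PC mode, education environment'
    omaSettings   = @(
        (New-OmaSetting 'IsEducationEnvironment' './Vendor/MSFT/Policy/Config/Education/IsEducationEnvironment' 1)
        (New-OmaSetting 'EnableSharedPCModeWithOneDriveSync' './Vendor/MSFT/SharedPC/EnableSharedPCModeWithOneDriveSync' $true)
        (New-OmaSetting 'EnableWebSignIn' './Vendor/MSFT/Policy/Config/Authentication/EnableWebSignIn' 1)
        (New-OmaSetting 'ConfigureWebSignInAllowedUrls' './Vendor/MSFT/Policy/Config/Authentication/ConfigureWebSignInAllowedUrls' $allowedUrls)
        (New-OmaSetting 'ConfigureWebCamAccessDomainNames' './Vendor/MSFT/Policy/Config/Authentication/ConfigureWebCamAccessDomainNames' $allowedUrls)
        (New-OmaSetting 'PreferredAadTenantDomainName' './Device/Vendor/MSFT/Policy/Config/Authentication/PreferredAadTenantDomainName' $CustomDomain)
    )
}

# Create the profile (step 5) ...
$created = New-MgDeviceManagementDeviceConfiguration -BodyParameter $profileBody
"Created profile '$($created.DisplayName)' with id $($created.Id)"

# ... and assign it to the device group (step 6).
$group = Get-MgGroup -Filter "displayName eq '$GroupName'" | Select-Object -First 1
if (-not $group) { throw "Group '$GroupName' not found; create it first (step 2)." }

New-MgDeviceManagementDeviceConfigurationAssignment -DeviceConfigurationId $created.Id -BodyParameter @{
    target = @{ '@odata.type' = '#microsoft.graph.groupAssignmentTarget'; groupId = $group.Id }
}
```

Because the allowed-URL list for web sign-in doubles as the list of sites the lock screen may open, keeping it to the MyLogin hosts (rather than a broad wildcard) is the setting to review if the profile is later edited.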

6. Assign the configuration profile to the MyLogin Devices group.

7. Once the configuration profile has been pushed to the group and the devices have synced via Intune, the first login on each device must use your domain-specific login option; subsequent logins will then display the MyLogin screen by default.

Additional settings and suggestions (optional)

If you’d like the MyLogin dashboard to load on Edge startup:

  1. Create an additional Configuration profile.
  2. From the Settings picker, select Microsoft Edge - Startup, home page, and new tab page, and next to Sites to open when the browser starts (Device), enter "app.mylogin.com".
  3. Assign the configuration profile to the MyLogin Devices Group.
