Setting up MyLogin as the identity provider for Windows 11 devices / Microsoft 365

Have more questions? Submit a request

Prerequisites

To configure MyLogin as an identity provider (IdP) for Microsoft Entra ID, the following prerequisites must be met:

  • You must have a Microsoft Entra ID tenant, with one or multiple custom domains (domains that are not in the format *.onmicrosoft.com)
    • If the federated domain hasn't yet been added to Microsoft Entra ID, you will need to have access to the DNS domain to create a DNS record. This is required to verify the ownership of the DNS namespace.
    • Head here to learn how to add your custom domain name using the Microsoft Entra ID portal.

  • Access the Microsoft Entra ID tenant with the Global Administrator role for your tenant.

  • Existing accounts in your Microsoft Entra ID are associated with your custom domain.

  • The devices you wish to utilise the MyLogin service on will be required to be Windows 11 devices.

  • Devices will need to be managed via Intune.

  • When federating the domain for MyLogin to be the IdP this will impact any users in the federated domain. If you wish to limit the impact on your users please consider creating a subdomain and see below for more details.

 

Subdomains

It is also possible to federate subdomains. However, they will first need to be promoted to be recognised by Entra as a root domain, before federating the subdomain with MyLogin as the identity provider using the instructions above. This process is laid out by Microsoft here.

Note: Make sure that the domain.readwrite.all permission is consented under the "Modify permissions" tab on Graph Explorer, before attempting subdomain promotion.

It is not possible to promote a subdomain without first migrating any users out of the domain. Please bear this in mind if any of the users currently attached to the subdomain have not had an Immutable ID set, as this will first need to be actioned before migrating users out if you want to avoid upheaval in the long run. The best way to set an Immutable ID is to sync your domain with MyLogin first, as we set Immutable IDs where they are not yet set; as these IDs are required to be set for users in a federated domain.


Complete the MyLogin Device setup wizard

  1. Navigate to school.wonde.com and log into your school's Wonde School Portal.

  2. Hover over the MyLogin Device tile and click Launch (click on the tile and approve the permissions for MyLogin to access the required data via Wonde first if you haven't yet done so).

  3. Create a password for your MyLogin admin account.



  4. Confirm you want to use Wonde as the source of truth for user creation.



  5. Your new MyLogin users will begin to import from your MIS via Wonde.



  6. When your users finish importing, click Lets go! to move to the final stage of the setup wizard.



  7. Select Connect with Microsoft and connect the tenant that you would like to connect with for the purpose of matching Microsoft users with your new MyLogin users. If you'd like to connect both Microsoft and Google, then you will be able to add Google in Settings once the setup wizard is complete.
    Note: You will need to ensure app.mylogin.com is allowed on your network.



  8. Update your tenant ID.



  9. Save settings, and then go to Manage connection and Sync users from Microsoft.


  10. After you have linked the Microsoft tenant on step 9 you will need to go to Users > User matching and match the Microsoft users to the Wonde data. You can filter the list along the top. We suggest filtering via "suggestion confidence" and then "strong". Look through the list to ensure all users match and then you can toggle the top left box to select all filtered users and select "accept suggestions for Microsoft". Do the same for Medium and Weak but please ensure that you carefully look through to make sure MyLogin is matching them correctly.


  11. Once all users are matched you may wish to consider distributing the credentials out to users before proceeding to make MyLogin the IDP for the Microsoft environment. To do this head to Users > Overview and you can use the filters to narrow down the list where you can toggle the top left box to select all the currently filtered users and then choose which credentials to download (Press the "download" button). This will provide you with a PDF which you can rename to suit. Repeat this for all groups as necessary

Setup Windows 11 devices to use MyLogin as the Identity Provider

Please note: When you federate a Microsoft Entra ID domain, you will not be able to manually create users to that domain, as newly created accounts require an immutable ID. An immutable ID is not set when manually creating accounts in Entra ID.

Some third-party Entra ID provisioning services, such as Wonde's Edusync, will automatically apply an immutable ID to users that it creates. 

If however, you do not have access to a user creation service you can create users in a different domain within your tenant, utilise the script below and then migrate the users to the domain that's federated with MyLogin as the IdP.

Get-MsolUser -All | Where-Object { $_.UserPrincipalName -like "*@YOURDOMAIN.com" -and $_.ImmutableId -like "" } | foreach { Set-MsolUser -UserPrincipalName $_.UserPrincipalName -ImmutableId (New-Guid).guid; }

Step-by-step guide to setup MyLogin as your domain's identity provider

Note: Following these steps will enact MyLogin as your default identity provider at the domain level and cannot be further isolated to a lower level.

  1. On any Windows device, open Powershell and enter the following command:

    Install-Module -Name MSOnline
    Import-Module MSOnline
    Connect-MsolService

  2. Log in as a Global Administrator from your Azure AD/Entra ID tenant.

  3. On the settings page of MyLogin. Enter your domain name under Federated Domain Setup, click Copy to clipboard to obtain the script and then paste this into Powershell. 



    Once the above script has been run. You can check your domain settings with the following command in Powershell:

    Get-MSolDomainFederationSettings -DomainName YOURDOMAIN.com | Format-List *

    Navigate to intune.microsoft.com and log in as a Global Administrator from the domain you are federating the Authentication of MyLogin to.

  4. Navigate to ‘Groups’ on intune.microsoft.com and create a Group called "MyLogin Devices" (or use an existing device group).
    Assign any devices you’d like to use MyLogin as the identity provider for, onto this Group.

  5. Navigate to ‘Devices’ on intune.microsoft.com and create a Configuration profile also named "MyLogin Devices".
    You will need to set this profile up for "Windows 10 and later" using the "Custom" template profile, as in the screenshot below
    . Apply the OMA-URIs in the section below to this Configuration Profile under the Configuration settings section.



    • ./Vendor/MSFT/Policy/Config/Education/IsEducationEnvironment
      Data type: Integer Value: 1
    • ./Vendor/MSFT/SharedPC/EnableSharedPCModeWithOneDriveSync
      Data type: Boolean Value: True
    • ./Vendor/MSFT/Policy/Config/Authentication/EnableWebSignIn
      Data type: Integer Value: 1
    • ./Vendor/MSFT/Policy/Config/Authentication/ConfigureWebSignInAllowedUrls
      Data type: String Value: app.mylogin.com (If setting up in Australia use:- app.ap-southeast.mylogin.com)
    • ./Vendor/MSFT/Policy/Config/Authentication/ConfigureWebCamAccessDomainNames
      Data type: String Value: app.mylogin.com (If setting up in Australia use:- app.ap-southeast.mylogin.com)
    • ./Device/Vendor/MSFT/Policy/Config/Authentication/PreferredAadTenantDomainName
      Data type: String Value: [Enter your custom domain name]

  6. Assign the configuration profile to the MyLogin Device group.

Additional settings and suggestions (optional)

If you’d like the MyLogin dashboard to load on Edge startup:

  • Create an additional Configuration profile.

  • From the Settings picker, select Microsoft Edge - Startup, home page, and new tab page, and next to Sites to open when the browser starts (Device), enter "app.mylogin.com".

  • Assign the configuration profile to the MyLogin Devices Group.

Articles in this section

Was this article helpful?
0 out of 0 found this helpful
Share

Comments

0 comments

Please sign in to leave a comment.