Setting up MyLogin as the identity provider for Windows 11 devices / Microsoft 365

Switching over from Wonde Single Sign-On to MyLogin? Click here.

Prerequisites

To configure MyLogin as an identity provider (IdP) for Microsoft Entra ID, the following prerequisites must be met:

  • You must have a Microsoft Entra ID tenant with one or more custom domains (domains that are not in the format *.onmicrosoft.com).
    • If the domain to be federated has not yet been added to Microsoft Entra ID, you will need access to the domain's DNS to create a DNS record. This is required to verify ownership of the DNS namespace.
    • Head here to learn how to add your custom domain name using the Microsoft Entra ID portal.
  • You need access to the Microsoft Entra ID tenant with the Global Administrator role.
  • Existing accounts in your Microsoft Entra ID tenant are associated with your custom domain.
  • Web sign-in is not supported on Microsoft Entra hybrid joined or domain joined devices.

  • The devices on which you wish to use MyLogin must be running Windows 11.
  • Devices must be managed via Intune.
  • Federating the domain so that MyLogin becomes the IdP affects every user in that domain. To limit the impact on your users, consider creating a subdomain (see Subdomains below).
  • Make sure that all of your devices have been updated to the latest build of Windows 11. If updates are not maintained, you may have difficulty distributing MyLogin's web sign-in capability to devices, and devices where the solution is already deployed may lose service.
  • Finally, make sure that all of the following URLs have been added to any relevant allowlists:
    app.mylogin.com, app.eu-west.mylogin.com (in Australia, replace both mylogin.com subdomains with app.ap-southeast.mylogin.com) and account.microsoft.com. If you have any difficulty that you suspect is related to stricter web filtering or firewalls, additionally add all of the following:
    https://*.fontawesome.com, https://*.cloudfront.net, https://*.cloudflare.com, https://*.microsoftonline.com, https://ssl.gstatic.com, https://*.typekit.net, https://*.amazonaws.com, https://*.jquery.com, https://mylogin.com, https://lh3.googleusercontent.com, https://www.loom.com, https://fonts.bunny.net

Subdomains

It is also possible to federate subdomains. However, a subdomain must first be promoted so that Entra recognises it as a root domain, before you federate it with MyLogin as the identity provider using the federation instructions in this article. This process is laid out by Microsoft here.

Note: Make sure that the Domain.ReadWrite.All permission is consented under the "Modify permissions" tab in Graph Explorer before attempting subdomain promotion.

It is not possible to promote a subdomain without first migrating any users out of it. Bear this in mind if any of the users currently attached to the subdomain do not yet have an Immutable ID set: this needs to be done before migrating users out if you want to avoid upheaval later, because users in a federated domain must have an Immutable ID. The simplest way to set one is to sync your domain with MyLogin first, as MyLogin sets Immutable IDs where they are not already set.

Complete the MyLogin setup wizard

    1. Follow the guide on initial MyLogin set-up, as outlined here: https://mylogin.zendesk.com/hc/en-gb/articles/17471337783069-Initial-set-up-of-MyLogin-for-schools-using-Wonde
    2. Make sure that users are appropriately matched by following our matching guide.
    3. Once set-up is complete and all users are matched, you may wish to distribute credentials to users before making MyLogin the IdP for your Microsoft environment. To do this, go to Users > Overview, use the filters to narrow down the list, tick the top-left box to select all currently filtered users, then press the "download" button and choose which credentials to download. This provides a PDF which you can rename to suit. Repeat for all groups as necessary. Find more information here.
    4. Once complete, return to this guide to complete your Microsoft implementation.

Set up Windows 11 devices to use MyLogin as the Identity Provider

Please note: once you federate a Microsoft Entra ID domain, you will not be able to create users manually in that domain, because newly created accounts require an immutable ID, and an immutable ID is not set when accounts are created manually in Entra ID.

Some third-party Entra ID provisioning services automatically apply an immutable ID to the users they create.

If you do not have access to a user-creation service, create the users in a different domain within your tenant, use the script below to set their immutable IDs, and then migrate them to the domain that has been federated with MyLogin as the IdP.

You will first need to connect to Microsoft Graph PowerShell and request the required permissions with the following commands. If the Microsoft.Graph module is already installed in your PowerShell, you only need the second line:

Install-Module Microsoft.Graph -Scope CurrentUser
Connect-MgGraph -Scopes "User.ReadWrite.All","Domain.ReadWrite.All","Directory.AccessAsUser.All"

# OnPremisesImmutableId is only returned when requested explicitly (the property is not called ImmutableId); set a new ID only where none exists yet
Get-MgUser -All -Property Id,UserPrincipalName,OnPremisesImmutableId | Where-Object { $_.UserPrincipalName -like "*@YOURDOMAIN.com" -and [string]::IsNullOrEmpty($_.OnPremisesImmutableId) } | ForEach-Object { Update-MgUser -UserId $_.Id -OnPremisesImmutableId (New-Guid).Guid }

Once users have had their immutable IDs set and have been migrated to the federated domain, you will need to update their UPN to contain the same domain name as the federated domain so that they can be matched in the MyLogin UI: only users whose UPN contains the domain name you have selected for MyLogin to view users from will be visible to the platform. To do this, you can use the script below.

# Update-MgUser takes -UserPrincipalName (not -NewUserPrincipalName); -replace is case-insensitive and anchored to the end of the UPN
Get-MgUser -All | Where-Object { $_.UserPrincipalName -like "*@YOUROLDDOMAIN.com" } | ForEach-Object { Update-MgUser -UserId $_.Id -UserPrincipalName ($_.UserPrincipalName -replace '@YOUROLDDOMAIN\.com$', '@YOURNEWDOMAIN.com') }
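Because federating a domain affects every account in it, it is worth auditing the domain read-only before running either of the scripts above. The following is an added example, not a MyLogin script: it lists users in the target domain that still lack an OnPremisesImmutableId, flags any duplicate immutable IDs (two accounts claiming the same identity), and confirms the domain has not already been federated. $TargetDomain is a placeholder.

```powershell
# Added example (not MyLogin's own script): read-only audit of a domain before federation.
# Replace the $TargetDomain placeholder with the domain you intend to federate.
param(
    [string]$TargetDomain = 'YOURDOMAIN.com'
)

# Read-only scopes are sufficient for an audit.
Connect-MgGraph -Scopes 'User.Read.All','Domain.Read.All'

# Confirm the domain exists, is verified, and is still 'Managed' (not yet federated).
$domain = Get-MgDomain -DomainId $TargetDomain
Write-Host "Domain $($domain.Id): verified=$($domain.IsVerified) authentication=$($domain.AuthenticationType)"
if ($domain.AuthenticationType -eq 'Federated') {
    Write-Warning "$TargetDomain is already federated; changes here affect live sign-ins."
}

# OnPremisesImmutableId is not part of the default property set, so request it explicitly.
$users = Get-MgUser -All -Property Id,UserPrincipalName,OnPremisesImmutableId,AccountEnabled |
    Where-Object { $_.UserPrincipalName -like "*@$TargetDomain" }

# Users without an immutable ID cannot sign in once the domain is federated.
$missingImmutableId = $users | Where-Object { [string]::IsNullOrEmpty($_.OnPremisesImmutableId) }

# Immutable IDs must be unique within the tenant.
$duplicateIds = $users |
    Where-Object { -not [string]::IsNullOrEmpty($_.OnPremisesImmutableId) } |
    Group-Object -Property OnPremisesImmutableId |
    Where-Object { $_.Count -gt 1 }

Write-Host "Users in $TargetDomain : $($users.Count)"
Write-Host "Users without an immutable ID: $($missingImmutableId.Count)"
$missingImmutableId | Select-Object UserPrincipalName, AccountEnabled | Format-Table -AutoSize

foreach ($dup in $duplicateIds) {
    Write-Warning "Immutable ID $($dup.Name) is shared by: $($dup.Group.UserPrincipalName -join ', ')"
}

if ($missingImmutableId.Count -eq 0 -and -not $duplicateIds) {
    Write-Host "All users in $TargetDomain have a unique immutable ID."
} else {
    Write-Warning "Resolve the items above before federating $TargetDomain."
}
```

Run this once before the immutable ID script (it tells you how many accounts that script will touch) and again afterwards to confirm the count of users without an immutable ID has dropped to zero.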

Step-by-step guide to set up MyLogin as your domain's identity provider

Note: Following these steps will enact MyLogin as your default identity provider at the domain level and cannot be further isolated to a lower level.

  1. On any Windows device, open Powershell and enter the following command:

    Install-Module Microsoft.Graph -Scope CurrentUser
    Connect-MgGraph -Scopes "User.ReadWrite.All","Domain.ReadWrite.All","Directory.AccessAsUser.All"

  2. Log in as a Global Administrator of your Azure AD/Entra ID tenant.

  3. On the Settings page of MyLogin, enter your domain name under Federated Domain Setup, click Copy to clipboard to obtain the script, and paste it into PowerShell.

Once the script has run, you can check your domain settings with the following command in PowerShell:

Get-MgDomainFederationConfiguration -DomainId YOURDOMAIN.com | Format-List
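Beyond printing the configuration, a practitioner will want to confirm that the domain is now Federated, that sign-ins are redirected to the MyLogin host they expect and nowhere else, and how long the IdP's token-signing certificate remains valid (if it expires, nobody in the domain can sign in). The script below is an added example, not a MyLogin script; $FederatedDomain is a placeholder, and the expected host (app.mylogin.com, or app.ap-southeast.mylogin.com in Australia) is assumed from the allowlist earlier in this article.

```powershell
# Added example (not MyLogin's own script): verify the federation settings after
# the MyLogin script has run. Placeholders: $FederatedDomain, $ExpectedIdpHost.
param(
    [string]$FederatedDomain = 'YOURDOMAIN.com',
    [string]$ExpectedIdpHost = 'app.mylogin.com',   # assumed; app.ap-southeast.mylogin.com in Australia
    [int]$WarnWithinDays = 30
)

Connect-MgGraph -Scopes 'Domain.Read.All'

$domain = Get-MgDomain -DomainId $FederatedDomain
if ($domain.AuthenticationType -ne 'Federated') {
    throw "$FederatedDomain has AuthenticationType '$($domain.AuthenticationType)'; the federation script has not taken effect."
}

$fed = Get-MgDomainFederationConfiguration -DomainId $FederatedDomain
$fed | Select-Object IssuerUri, PassiveSignInUri, ActiveSignInUri, SignOutUri,
                     PreferredAuthenticationProtocol, FederatedIdpMfaBehavior | Format-List

# Every browser sign-in for this domain is redirected to PassiveSignInUri,
# so confirm it points at the host you expect.
$passiveHost = ([Uri]$fed.PassiveSignInUri).Host
if ($passiveHost -ne $ExpectedIdpHost) {
    Write-Warning "PassiveSignInUri host is '$passiveHost', expected '$ExpectedIdpHost'."
} else {
    Write-Host "PassiveSignInUri host OK: $passiveHost"
}

# SigningCertificate / NextSigningCertificate hold the base64-encoded DER certificate
# Entra uses to validate tokens from the IdP. Decode them and check the expiry.
function Get-CertSummary([string]$Base64Cert, [string]$Label) {
    if ([string]::IsNullOrEmpty($Base64Cert)) { return }
    $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new([Convert]::FromBase64String($Base64Cert))
    [pscustomobject]@{
        Label      = $Label
        Subject    = $cert.Subject
        Thumbprint = $cert.Thumbprint
        NotAfter   = $cert.NotAfter
        DaysLeft   = [int]($cert.NotAfter - (Get-Date)).TotalDays
    }
}

$certs = @(
    Get-CertSummary $fed.SigningCertificate 'SigningCertificate'
    Get-CertSummary $fed.NextSigningCertificate 'NextSigningCertificate'
) | Where-Object { $_ }

$certs | Format-Table -AutoSize
foreach ($c in $certs) {
    if ($c.DaysLeft -lt $WarnWithinDays) {
        Write-Warning "$($c.Label) expires in $($c.DaysLeft) days ($($c.NotAfter)); plan the certificate rollover with MyLogin."
    }
}
```

Keeping a copy of the printed thumbprint is useful: if the value reported by this script ever changes unexpectedly, the federation settings have been altered and that should be investigated.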

Setting up your Windows 11 devices to use MyLogin as the IdP

1. Navigate to intune.microsoft.com and log in as a Global Administrator for the tenant that the domain you are federating belongs to.

2. Navigate to ‘Groups’ on intune.microsoft.com and create a Group called "MyLogin Devices" (or use an existing device group).

3. Assign any devices you’d like to use MyLogin as the identity provider for, onto this Group.


4. Navigate to ‘Devices’ on intune.microsoft.com and create a Configuration profile also named "MyLogin Devices".

5. Set this profile up for "Windows 10 and later" using the "Custom" template profile, as in the screenshot below. Add the OMA-URIs listed below to this configuration profile under the Configuration settings section.
Make sure to paste the full OMA-URI path, including the leading "./".

./Vendor/MSFT/Policy/Config/Education/IsEducationEnvironment
Data type: Integer; Value: 1

./Vendor/MSFT/SharedPC/EnableSharedPCModeWithOneDriveSync
Data type: Boolean; Value: True

./Vendor/MSFT/Policy/Config/Authentication/EnableWebSignIn
Data type: Integer; Value: 1

./Vendor/MSFT/Policy/Config/Authentication/ConfigureWebSignInAllowedUrls
Data type: String; Value: app.mylogin.com (if setting up in Australia use app.ap-southeast.mylogin.com)

./Vendor/MSFT/Policy/Config/Authentication/ConfigureWebCamAccessDomainNames
Data type: String; Value: app.mylogin.com (if setting up in Australia use app.ap-southeast.mylogin.com)

./Device/Vendor/MSFT/Policy/Config/Authentication/PreferredAadTenantDomainName
Data type: String; Value: [Enter your custom domain name]

6. Assign the configuration profile to the MyLogin Devices group.

7. Once the configuration profile has been pushed to the group and the devices have synced via Intune, the first sign-in on each device must be made using your domain-specific sign-in option; subsequent sign-ins then show the MyLogin screen by default.
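Steps 4 to 6 can also be done from PowerShell, which makes the profile reproducible across tenants and avoids hand-typing the OMA-URIs. The script below is an added example, not MyLogin's or Microsoft's own tooling: it creates the custom configuration profile from the six OMA-URIs in step 5 and assigns it to the device group via the Intune Graph API. The request shapes (windows10CustomConfiguration with omaSettingInteger, omaSettingBoolean and omaSettingString entries on the beta endpoint) are this example's assumption from the Graph schema; $CustomDomain and the group/profile names are placeholders, so test in a non-production tenant first.

```powershell
# Added example (not MyLogin's or Microsoft's own script): create and assign the
# "MyLogin Devices" custom configuration profile through Microsoft Graph.
# Assumptions: beta deviceConfigurations endpoint, windows10CustomConfiguration type.
param(
    [string]$CustomDomain = 'YOURDOMAIN.com',      # placeholder: your federated custom domain
    [string]$GroupName    = 'MyLogin Devices',     # device group created in step 2
    [string]$ProfileName  = 'MyLogin Devices',
    [switch]$Australia                             # use the ap-southeast host instead
)

$idpHost = if ($Australia) { 'app.ap-southeast.mylogin.com' } else { 'app.mylogin.com' }

Connect-MgGraph -Scopes 'DeviceManagementConfiguration.ReadWrite.All','Group.Read.All'

# The profile is assigned to the existing device group; fail early if it is missing.
$group = Get-MgGroup -Filter "displayName eq '$GroupName'"
if (-not $group) { throw "Group '$GroupName' not found; create it first (step 2)." }
if (@($group).Count -gt 1) { throw "More than one group is named '$GroupName'; rename to disambiguate." }

# Helper building one OMA-URI entry; $Type is Integer, Boolean or String.
function New-OmaSetting([string]$Type, [string]$Name, [string]$Uri, $Value) {
    @{
        '@odata.type' = "#microsoft.graph.omaSetting$Type"
        displayName   = $Name
        omaUri        = $Uri
        value         = $Value
    }
}

# The six settings from step 5, with the leading "./" preserved.
$omaSettings = @(
    New-OmaSetting Integer 'IsEducationEnvironment'            './Vendor/MSFT/Policy/Config/Education/IsEducationEnvironment' 1
    New-OmaSetting Boolean 'EnableSharedPCModeWithOneDriveSync' './Vendor/MSFT/SharedPC/EnableSharedPCModeWithOneDriveSync' $true
    New-OmaSetting Integer 'EnableWebSignIn'                   './Vendor/MSFT/Policy/Config/Authentication/EnableWebSignIn' 1
    New-OmaSetting String  'ConfigureWebSignInAllowedUrls'     './Vendor/MSFT/Policy/Config/Authentication/ConfigureWebSignInAllowedUrls' $idpHost
    New-OmaSetting String  'ConfigureWebCamAccessDomainNames'  './Vendor/MSFT/Policy/Config/Authentication/ConfigureWebCamAccessDomainNames' $idpHost
    New-OmaSetting String  'PreferredAadTenantDomainName'      './Device/Vendor/MSFT/Policy/Config/Authentication/PreferredAadTenantDomainName' $CustomDomain
)

$body = @{
    '@odata.type' = '#microsoft.graph.windows10CustomConfiguration'
    displayName   = $ProfileName
    description   = 'Web sign-in to MyLogin (created by script)'
    omaSettings   = $omaSettings
}

# Invoke-MgGraphRequest serialises the hashtable to JSON and returns the created object.
$created = Invoke-MgGraphRequest -Method POST `
    -Uri 'https://graph.microsoft.com/beta/deviceManagement/deviceConfigurations' -Body $body
Write-Host "Created profile '$($created.displayName)' with id $($created.id)"

# Step 6: assign the profile to the device group.
$assignBody = @{
    assignments = @(
        @{ target = @{ '@odata.type' = '#microsoft.graph.groupAssignmentTarget'; groupId = $group.Id } }
    )
}
Invoke-MgGraphRequest -Method POST `
    -Uri "https://graph.microsoft.com/beta/deviceManagement/deviceConfigurations/$($created.id)/assign" -Body $assignBody
Write-Host "Assigned '$ProfileName' to group '$GroupName' ($($group.Id))"
```

After running it, open Devices > Configuration profiles in the Intune portal and compare the six OMA-URIs against the list in step 5; the web sign-in allow-list (ConfigureWebSignInAllowedUrls) in particular should contain only the MyLogin host, since any host listed there is permitted to render the device's sign-in page.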

Additional settings and suggestions (optional)

If you’d like the MyLogin dashboard to load on Edge startup:

  1. Create an additional Configuration profile.
  2. From the Settings picker, select Microsoft Edge - Startup, home page, and new tab page, and next to Sites to open when the browser starts (Device), enter "app.mylogin.com".
  3. Assign the configuration profile to the MyLogin Devices Group.
