Pre-requisites for setting up MyLogin as the Identity Provider for Microsoft 365/Windows


Please make sure that you are able to meet or remediate the criteria below before embarking on any deployment of MyLogin as the Identity Provider (IdP) for any Microsoft environment.

Microsoft imposes several requirements that must be met before MyLogin's IdP capabilities can be used in a Microsoft environment:

  • Third-party IdPs can only be configured at the domain level in Microsoft Entra ID, so the effect of a third-party IdP like MyLogin can only be scoped per domain. For example, if you want only students to use MyLogin as their Microsoft 365 IdP, they must be placed in a separate domain or subdomain from staff. Additionally, users’ UPNs (User Principal Names) must be updated to carry the appropriate domain suffix, so that MyLogin recognises them as members of that domain and matches them to the corresponding MyLogin user accounts.

  • The devices you wish to use MyLogin's web sign-in capabilities on must be running Windows 11.

  • Ensure that all devices are on the latest Windows feature update, so that any Web Sign-in bugs Microsoft has already fixed are included.
  • Any device that you want to deploy a MyLogin-ready configuration profile to must be Intune joined only, NOT hybrid joined. This is a requirement of Web Sign-in, as described in Microsoft's documentation: https://learn.microsoft.com/en-us/windows/security/identity-protection/web-sign-in/?tabs=intune
  • You must set ImmutableIDs for users. This can be done through a syncing service such as Wonde’s Edusync Microsoft solution; alternatively, if users are synced to Microsoft Entra ID via Entra Connect from an on-premises Active Directory, they inherently retain their ImmutableID as a legacy attribute. Users can also have an ImmutableID assigned at creation using PowerShell. For detailed guidance, refer to this article: https://mylogin.zendesk.com/hc/en-gb/articles/13859990074653-Setting-up-MyLogin-as-the-identity-provider-for-Windows-11-devices-Microsoft-365

    This requirement exists because users in federated domains must have an ImmutableID. Domains cannot be federated unless this attribute is properly populated for all users.

    MyLogin verifies that every Microsoft user imported into the platform has this attribute populated at the time they are brought into the platform. If the attribute is missing, MyLogin automatically assigns one to the user. While this ensures seamless domain federation, it does not remove any difficulties with ongoing user creation.
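    As an added pre-deployment check (an example written for this article, not MyLogin's or Microsoft's own script), the following Microsoft Graph PowerShell snippet lists every user whose UPN carries the domain you intend to federate and reports those with no ImmutableID populated. The domain value is a placeholder, and it assumes the Microsoft Graph PowerShell SDK is installed and the signed-in account can consent to User.Read.All.

```powershell
# Added pre-federation check: find users in a domain that still lack an ImmutableID.
# Assumptions: Microsoft Graph PowerShell SDK installed; the account can consent to
# User.Read.All; $Domain is the domain or subdomain you intend to federate with MyLogin.
param(
    [Parameter(Mandatory = $true)]
    [string]$Domain   # placeholder, e.g. 'students.example.edu'
)

Connect-MgGraph -Scopes 'User.Read.All'

# endsWith filters on userPrincipalName are Graph "advanced queries": they require
# ConsistencyLevel eventual together with a $count request, hence -CountVariable.
$users = Get-MgUser -Filter "endsWith(userPrincipalName,'@$Domain')" `
    -ConsistencyLevel eventual -CountVariable total -All `
    -Property Id, UserPrincipalName, OnPremisesImmutableId, OnPremisesSyncEnabled

# In Graph the ImmutableID is exposed as onPremisesImmutableId.
$missing = $users | Where-Object { [string]::IsNullOrEmpty($_.OnPremisesImmutableId) }

"Users with UPN suffix @$Domain : $($users.Count)"
"Users without an ImmutableID: $($missing.Count)"

if ($missing.Count -gt 0) {
    # Entra Connect-synced users (OnPremisesSyncEnabled = True) receive the attribute
    # from the sync; cloud-only users must have one assigned before the domain is federated.
    $missing | Select-Object UserPrincipalName, OnPremisesSyncEnabled | Format-Table -AutoSize
}
```

    Run it once per domain you plan to federate; the domain is ready for federation only when the second count is zero.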
