Configure Office 365 Provisioning


Bitium: All account levels; must be an Admin to set up

Office 365: Business account; must be a global admin to set up

In Azure Active Directory:

  1. Go to your Azure Management portal (Office 365 admin center -> ADMIN -> Azure AD).

  2. Click “Active Directory” and select your Office 365 Active Directory.

    Select Active Directory

  3. Click “App registrations” and then click “New app registration” at the top of the list to add a new application.

    Add an application

  4. Enter the following values:

    • NAME: Bitium

    • Select “Web App/API” in Application type.

    • SIGN-ON URL: and click Create at the bottom of the page.

      Add an application

  5. Click the application and select “Settings”.

  6. Select the Reply URL and edit it with: and Click Save.

    Enter Reply URL

  7. Click Keys under the Settings menu. Enter a description, select a duration, and click Save. The key value is shown only once, immediately after you save, so copy it then; it cannot be retrieved later.

    Record the Application ID and the key, as you will need both shortly. The key is the client secret of an application that will hold write access to your directory, so keep it in a password manager or secret store rather than a plain text file, and delete any temporary copy once the Bitium connector is configured.

    Copy Application ID and Key

  8. Click “Required permissions” under the Settings menu. Click “Windows Azure Active Directory” and check the following values:

    • In the Application Permissions list, select “Read and write directory data” (Directory.ReadWrite.All)

    • In the Delegated Permissions list, select “Read and write directory data” and “Sign in and read user profile” (User.Read)

      Note: “Read and write directory data” is a tenant-wide write permission, and application permissions take effect only after a global administrator consents on behalf of the tenant, which is one reason the connector step in Bitium below requires a global admin sign-in.

      Select Application Permissions and Delegated Permissions

  9. Click ‘Save’ to save the changes.

In Bitium:

  1. Click “Manage Organization.”

  2. Click “Manage Apps.”

  3. Click “Add Apps.”

  4. Search “Office 365.”

  5. Add the app as an individual account and click “Install App.”

  6. Click “Go to Office 365.”

  7. Click the “Connector” tab.

  8. Click “approve access” to allow Bitium to connect with Office 365.

    Approve Access

  9. Enter the following values:

    • Client Key: Paste the Application ID you copied in Step 7 in Azure into the Client Key field.
    • Client Secret: Paste the key you copied in Step 7 in Azure into the Client Secret field.
    • Office 365 Default Domain: the default <company> domain of your tenant (the initial .onmicrosoft.com domain).
    • Office 365 Federated Domain: the verified custom domain you are configuring for single sign-on.
  10. Click “Confirm.” You will be asked to sign in to Office 365. Sign in with a global admin account.

    Configure Office 365 Details

  11. You should receive an “authorization succeeded” message and the connector will show a green “connected” status button.

    Verify Connector Status

Configuring Immutable ID:

Before enabling single sign-on through SAML or WS-Trust, an Immutable ID must be set for every user. Azure AD identifies a federated user by the ImmutableID carried in the token rather than by email address, so a user whose ImmutableID is missing, or differs from the one Bitium sends, cannot be signed in. There are two cases in which Immutable IDs need to be assigned: existing Office 365 accounts and accounts Bitium creates. It is recommended to follow these steps even if you are not planning to enable SSO for now.

Note: If your tenant is synchronized from on-premises Active Directory with Azure AD Connect, the ImmutableID is already populated with the on-premises source anchor (by default the objectGUID) and is owned by the sync process. Do not overwrite it with the procedure below.

Case 1: Mapping Existing Accounts

  1. To assign users to Office 365, click “Assign Users.” You will be shown a list of users who have Office 365 accounts. Bitium will map any existing Office 365 accounts to existing Bitium accounts (Bitium maps by email).

  2. Click the checkbox to map the users, and then click “Done” to finish assigning the app to the user.

  3. In order to associate existing Office 365 Users with accounts in Bitium, we will need to reset their existing “Immutable IDs”.

    Note: Make sure the email domain matches the domain set for your Bitium org. Bitium will only import users from the federated domain and NOT the default domain (i.e. users whose UPN is on the default domain will not be imported).

  4. Save the following PowerShell script in a file named update_user_immutableid.ps1. It requires the MSOnline module and an existing Connect-MsolService session.

    param([string]$user, [string]$temp)   # $user: current federated UPN; $temp: temporary UPN on the default domain
    if (!$temp -or !$user) {
      Write-Host "Please enter proper values for temporary UPN and user UPN"
      exit 1
    }
    # Bitium expects ImmutableId = Base64(UTF-8 bytes of the federated UPN)
    $b  = [System.Text.Encoding]::UTF8.GetBytes($user)
    $encoded = [System.Convert]::ToBase64String($b)
    # ImmutableId cannot be changed while the UPN is on a federated domain, so move the user to the temporary UPN, set the ID, then move back
    Set-MsolUserPrincipalName -UserPrincipalName $user -NewUserPrincipalName $temp | Out-Null
    Set-MsolUser -UserPrincipalName $temp -ImmutableId $encoded
    Set-MsolUserPrincipalName -UserPrincipalName $temp -NewUserPrincipalName $user
  5. Run this script for each user in the domain who needs to be migrated. For example, to update “” we would run the following command:

    .\update_user_immutableid.ps1 "" ""

    Note: The first argument is the user's existing UPN on the federated domain; the second is a temporary UPN for the same user whose domain is your default domain. No output indicates success.
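To verify the result of Case 1 before enabling SSO, the following audit script is an added example and is not part of Bitium's documentation. It assumes an active Connect-MsolService session from the MSOnline module and takes the federated domain as a parameter (contoso.com below is a placeholder). It lists every user on the federated domain whose ImmutableID is missing or differs from Base64(UTF-8 UPN), the scheme the update script above uses, and describes what the stored value decodes to, so that a 16-byte value (the shape of an on-premises objectGUID owned by directory sync) is not overwritten by mistake.

```powershell
# Added audit example; not part of Bitium's documentation.
# Assumes: MSOnline module loaded and Connect-MsolService already run with
# directory read rights. "contoso.com" is a placeholder federated domain.
param(
    [string]$FederatedDomain = "contoso.com"
)

# Bitium's scheme: ImmutableId = Base64(UTF-8 bytes of the user's UPN).
function Get-ExpectedImmutableId([string]$Upn) {
    return [System.Convert]::ToBase64String([System.Text.Encoding]::UTF8.GetBytes($Upn))
}

# Best-effort description of whatever is stored now, for the report only.
function Describe-ImmutableId([string]$Id) {
    if ([string]::IsNullOrEmpty($Id)) { return "<not set>" }
    try {
        $bytes = [System.Convert]::FromBase64String($Id)
    } catch {
        return "not Base64: '$Id'"
    }
    if ($bytes.Length -eq 16) {
        # 16 bytes is the shape of an on-prem objectGUID written by Azure AD Connect
        return "GUID $([System.Guid]::new($bytes)) (likely a synced objectGUID; do not overwrite)"
    }
    return "text '$([System.Text.Encoding]::UTF8.GetString($bytes))'"
}

$suffix = "@" + $FederatedDomain.ToLower()

# Only users whose UPN is on the federated domain are relevant; default-domain
# users are never imported by Bitium and are left alone.
$report = Get-MsolUser -All |
    Where-Object { $_.UserPrincipalName.ToLower().EndsWith($suffix) } |
    ForEach-Object {
        $expected = Get-ExpectedImmutableId $_.UserPrincipalName
        if ($_.ImmutableId -eq $expected) { $status = "OK" }
        elseif ([string]::IsNullOrEmpty($_.ImmutableId)) { $status = "MISSING" }
        else { $status = "MISMATCH" }
        [pscustomobject]@{
            UserPrincipalName = $_.UserPrincipalName
            Status            = $status
            Current           = Describe-ImmutableId $_.ImmutableId
        }
    }

$report | Sort-Object Status, UserPrincipalName | Format-Table -AutoSize

# UPNs that still need update_user_immutableid.ps1. Review the table first and
# exclude any GUID-shaped values that belong to directory sync.
$report | Where-Object { $_.Status -ne "OK" } |
    Select-Object -ExpandProperty UserPrincipalName
```

Run it once before the migration to size the work, and again afterwards: an empty final list with every row reading OK means each federated user will present an ImmutableID that Azure AD can match when SSO is switched on.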

Case 2: Creating New Accounts

  1. To assign users in Bitium who do not have Office 365 accounts, click “Assign Users.”
  2. Click the checkbox for the users whom you would like to create accounts for in Office 365. Bitium will create Office 365 accounts for these users and automatically assign them an immutable ID.
  3. Select ‘create a new user account’
  4. Enter a mailnickname value (don’t add spaces, special characters or numbers in this field)
    • Edit the email to remove spaces and special characters. The local part of an Azure AD UPN may contain only letters, digits and the characters ' . - _ ! # ^ ~, and this email field is mapped to the UPN.
    • Edit the email if the domain of the UPN displayed by default is different from your federated domain.
  5. Assign licenses to each user from your Office 365 admin control panel.

Case 3: Creating New Accounts with group provisioning

  1. Assign the “Office 365” app to a group of users.
  2. All users nested in the group will be provisioned to Office 365. For any users in the group who do not have an Office 365 account, Bitium will auto-provision one. All newly created accounts will be assigned an Immutable ID.