Configuring the Azure AD (Microsoft 365) Federation

This section describes how to configure this service to handle the login process for Azure AD (Microsoft 365).

[ Reference ]

Graph API settings must be configured before you configure the federation setting.

For more information, refer to "Configuring Graph API Settings."

[ Note ]

Check the following points before starting this task.

  • An Azure AD user mapped to the IIJ ID user must be prepared in advance.
    In advance, either provision the user from IIJ ID or create the user on Azure AD from a system other than IIJ ID.
    Refer to "Attribute Mapping for Federation with Azure AD" for information on attribute mapping when creating a user with a system other than IIJ ID.
  • It may take some time for the federation setting to take effect, due to specifications on the Microsoft side.
    The federation configuration may take from several minutes to several hours (or even several tens of hours) to be reflected on the Microsoft side. This delay is caused by Microsoft’s specifications.
    For this reason, it is recommended that you perform this task during off-peak hours.
    Also refer to "AADSTS50107エラーでMicrosoft 365にログインできない" ("Cannot Log In to Microsoft 365 Due to an AADSTS50107 Error"; Japanese only).


  1. In IIJ ID Console, click "Application" and then "Application Management."


  2. Click "Microsoft 365" and then "Edit."


  3. Click "Federation."


  4. Click "Link" for the desired domain.

    [ Reference ]

    You cannot link to the on.iijid.jp domain. Refer to "Restrictions on Service Linkage in the on.iijid.jp Domain" in "Usage Precautions" for more information.



  5. Click "Federate."

    To federate multiple domains, repeat steps 4 and 5 for each target domain.