You must prepare your Office 365 domain for Application Manager. If the domain is managed, you must convert it to federated.


Using the Microsoft Online Service Module in Power Shell, run a cmdlet such as the following:

–DomainName domain_name
–Authentication Federated 
–IssuerUri horizon_org_name
-FederationBrandName Federation_server_name
-PassiveLogOnUri https://host:port/SAAS/API/1.0/POST/sso
-ActiveLogOnUri https://host:port/SAAS/API/1.0/wsfed/services/active/usernamemixed?org=Tenant name
-MetadataExchangeUri https://host:port/SAAS/API/1.0/wsfed/services/mex/wsfedmex
-SigningCertificate SAML signing cert from Application Manager
Replacing the cmdlet Variables

Line of cmdlet

cmdlet Variable or Variables

Replace with



Your organization domain name, such as



The short tenant (also referred to as "organization") name used in Application Manager, such as example where is your fully qualified tenant name in Application Manager.



The fully qualified tenant name, such as


host and port

The fully qualified tenant name and the SSL port, such as and 443


host, port, and Tenant name

The fully qualified tenant name, the SSL port, and the short tenant name, such as, 443, and example.


host and port

The fully qualified tenant name and the SSL port, such as and 443


SAML signing cert from Application Manager

The Application Manager signing certificate. Navigate through the following path using the Application Manager Administrator Web interface, Admin > Settings > SAML Certificate, copy the Signing Certificate, excluding “-----BEGIN CERTIFICATE-----” and “-----END CERTIFICATE-----,” and paste it as the value for -SigningCertificate


Run the following cmdlet to list the values you sent to Office 365:

Get-MsolDomainFederationSettings -DomainName domain_name

The preceding command lists the values you provided to Office 365 using the Set-MsolDomainAuthentication cmdlet.


Verify that the values listed by the Get-MsolDomainFederationSettings cmdlet match the values you intended to input with the Set-MsolDomainAuthentication cmdlet.

Synchronize the Active Directory instance that you use with Application Manager with the Microsoft Office 365 service. See Synchronize Active Directory with Microsoft Office 365.