On Monday May 20th, Workspace 365 support is not available due to a national holiday.
Due to a SharePoint malfunction you may experience issues with the Documents app. Refer to the Microsoft 365 Service Health center for the latest status.
Hi , how can we help?

Provisioning API example: Change SSO settings in Workspace 365

 

Table of Contents

 

Introduction

If you can't access the Workspace anymore, you can request emergency admin access to reconfigure SSO. However, there is a possibility that the emergency access email is not received.

As an alternative, you can use the SSO provisioning API to change the 'Authority', 'Client ID' and 'Key' in Workspace 365. These values must match exactly with the corresponding App Registration in Microsoft Entra ID (previously called Azure AD). Otherwise you won't be able to access the Workspace environment.

 

manual_SSO.png

 

 

Requirements

  • A Power Automate Premium license (Microsoft offers a free 90-day trial license).
  • The Workspace 365 instance URL (https://yourworkspace365instance.url).
  • The Provisioning Key (00000000-0000-0000-0000-000000000000).
  • A Global Administrator account (or any other admin account who can access the Workspace SSO App registration).

 

Step 1. Look up the 'Authority', 'Client ID' and 'Key' in Azure

  1. Go to Azure.
  2. Log in with the Global Administrator account.
  3. Search for and select Microsoft Entra ID.
  4. Go to the Azure Active Directory overview pane.
  5. Under 'Basic information', note down the Primary domain.
    • The Authority consists of "https://login.windows.net/" appended with the Primary domain of your tenant (e.g. "workspace365.onmicrosoft.com").
      For example: "https://login.windows.net/workspace365.onmicrosoft.com".
  6. Go to the App Registrations
  7. Select the Workspace application from the list.
  8. Note down the Client ID from the App registration overview pane.
  9. Select Certificates & secrets.
  10. If you don't know what the Key is, you must create a new client secret and note down the key.

Back to top

 

Step 2. Create the Power Automate flow

  1. Log in to Microsoft 365 and click on the waffle button in the top left corner.
  2. Open the app Power Automate.
  3. Choose Create to create a new flow.
  4. Assign a flow name to your flow (e.g. "Workspace SSO API").
  5. Select Instant cloud flow.
  6. Select Manually trigger a flow.
  7. Click Create.
  8. Create a new step.
  9. Search for and select HTTP (premium).
  10. As the Method, choose PUT.
  11. Fill in the necessary information.
    • You can find an example for a HTTP PUT request to configure OAuth2 authentication (not available when hosted on-premises) here, but you need to adjust it according to your own values.
    • It should look something like this:
      workspace_SSO_power_automate.png
  12. Run the flow to test it.
  13. You should see it succeeded (see 'Run history'), otherwise double-check the settings that have been filled in the previous step.
  14. Try again to log into the Workspace 365 environment.

You have now changed the 'Authority', 'Client ID' and 'Key' in the Workspace SSO settings to what has been filled defined in the Power Automate HTTP PUT request. These values should match 100% with the corresponding Workspace SSO App Registration in Microsoft Entra ID. You should now be able to log in to the Workspace environment.

Back to top