Federate EntraID to Omnissa Access with Graph PowerShell SDK

If you’ve integrated Workspace ONE Access with Microsoft 365 before, the steps will look familiar.

Omnissa Access is the evolution of VMware Identity Manager, and while the interface and URLs have changed slightly, the principle remains the same: let Microsoft 365 trust Omnissa Access as the identity provider for your domain.

This post walks through the new way to federate Entra ID with Omnissa Access using the Microsoft Graph PowerShell SDK.

It replaces the legacy MSOnline module which is now deprecated.

Why Federation

Federation allows Microsoft 365 apps like Outlook, Teams, and SharePoint to redirect authentication requests to Omnissa Access.

This lets you apply the same conditional access and device compliance policies that you already use for your Workspace ONE devices.

Users sign in once, and single sign-on applies everywhere.

Prerequisites

Before running the script make sure:

• Your custom Entra ID domain (for example blackmesaresearchfacility.nl) is verified.

• You have administrator rights in both Entra ID and Omnissa Access.

• The Omnissa Access IdP metadata is publicly available.

  For example:https://debruinonline.vmwareidentity.de/SAAS/API/1.0/GET/metadata/idp.xml

• You need to setup the appropiate App in Omnissa Access.

  
  

The Old Way: MSOnline

If you previously federated Workspace ONE Access or VMware Identity Manager, you probably used commands like:

Set-MsolDomainAuthentication
Get-MsolDomainFederationSettings

These cmdlets belong to the MSOnline module, which is being retired.

The Microsoft Graph API is the only supported way forward.

This new approach is cleaner and future-proof, without dependency on the old MSOnline service.

The Working Script

Here is the full PowerShell script that creates a federation between Entra ID and Omnissa Access.

It automatically extracts the signing certificate from your IdP metadata.

The older articles with the MSOnline modules mention getting the singing certificate manually.

I don't like that so this script will do this for you. All you need to enter is the $idpDomain and $entraDomain variables

#### Edwin de Bruin
#### www.debruinonline.net	
#### Setup Federation between Microsoft EntraID and Omnissa Access.

############
$idpDomain = "debruinonline.vmwareidentity.de"
$entraDomain = "blackmesaresearchfacility.nl"
##################

Install-Module Microsoft.Graph -Scope CurrentUser
Connect-MgGraph -Scopes "Domain.ReadWrite.All", "Directory.ReadWrite.All", "Directory.AccessAsUser.All"

# Load IdP metadata
$xml = [xml](Invoke-WebRequest -Uri "https://$idpDomain/SAAS/API/1.0/GET/metadata/idp.xml").Content

# Prepare XML namespaces
$ns = New-Object System.Xml.XmlNamespaceManager($xml.NameTable)
$ns.AddNamespace("md", "urn:oasis:names:tc:SAML:2.0:metadata")
$ns.AddNamespace("ds", "http://www.w3.org/2000/09/xmldsig#")

# Extract first signing certificate
$certNodes = $xml.SelectNodes("//md:EntityDescriptor/md:IDPSSODescriptor/md:KeyDescriptor/ds:KeyInfo/ds:X509Data/ds:X509Certificate", $ns)
$cert = $certNodes[0].InnerText

# Create federation in Entra ID
New-MgDomainFederationConfiguration `
 -DomainId $entraDomain `
 -DisplayName "OmnissaAccess" `
 -IssuerUri "https://$idpDomain/SAAS/API/1.0/GET/metadata/idp.xml" `
 -PassiveSignInUri "https://$idpDomain/SAAS/API/1.0/POST/sso" `
 -ActiveSignInUri "https://$idpDomain/SAAS/auth/wsfed/active/logon" `
 -SignOutUri "https://login.microsoftonline.com/logout.srf" `
 -MetadataExchangeUri "https://$idpDomain/SAAS/auth/wsfed/services/mex" `
 -PreferredAuthenticationProtocol wsFed `
 -FederatedIdpMfaBehavior acceptIfMfaDoneByFederatedIdp `
 -SigningCertificate $cert

The script connects to Microsoft Graph, downloads the IdP metadata, extracts the signing certificate, and configures federation automatically.

No copy-paste or manual certificate handling required.

Easy Peasy Lemon Squeezy

Validation

After the configuration is complete, verify federation with:

Get-MgDomainFederationConfiguration -DomainId $entraDomain | fl *

Then try signing in to Outlook on the web or https://portal.office.com. You should be redirected to Omnissa Access for authentication and then land in Microsoft 365 without further prompts.

Removing the Federation

If you ever need to revert your domain back to managed authentication or simply remove the federation configuration, you can do it with the following PowerShell command:

Remove-MgDomainFederationConfiguration `
 -DomainId $entraDomain `
 -InternalDomainFederationId (Get-MgDomainFederationConfiguration -DomainId $entraDomain).Id

This command deletes the federation entry from Entra ID and restores normal Microsoft-managed authentication.

It is safe to run if you are migrating or testing new federation setups.

Common Issues

AADSTS50107 – The requested federation realm object does not exist

In the past I would use for example debruinonline.vmwareidentity.de as the issuer URI when setting things up MS.

The new Graph Powershell SDK requires it starts with https. So, make sure this application matches the application parameters in Omnissa Access

Summary

The MSOnline PowerShell module is officially deprecated.

Federation configuration must now be done using the Microsoft Graph PowerShell SDK.

This script provides a modern, automated approach to connect Omnissa Access with Entra ID.

With the certificate extracted directly from your IdP metadata and all endpoints defined dynamically, the process is clean, predictable, and repeatable.

Mind the issuer in the application parameters, I ran into the AADSTS50107 – The requested federation realm object does not exist error when I needed to reenable the federation.

If you have questions or remarks, please leave a comment.