How to configure single sign-on for Office 365
ADSelfService Plus supports Active Directory (AD)-based single sign-on (SSO) for Office 365 and any other SAML-enabled application. Once SSO for Office 365 is enabled in ADSelfService Plus, all users have to do is log in to their Windows machines using their AD domain credentials. Once logged in, they can securely access Office 365 in one click without having to re-enter their username and password.
Benefits of implementing SSO with ADSelfService Plus
Reduce password fatigue
Relieve users from having to remember different usernames and passwords for each enterprise application.
Streamline application access
Enable one-click access to all applications from a single portal.
Increase user adoption rate of applications
Witness the increased usage of applications due to their ready availability in a unified location.
Did you know SSO also helps with your organization's regulatory compliance?
ADSelfService Plus supports both Identity Provider (IdP) and Service Provider (SP)-initiated SSO for Office 365.
IdP-initiated SSO for Office 365
- Users log in to the ADSelfService Plus self-service portal.
- From the ADSelfService Plus self-service portal, they can click on the Office 365 icon in the Applications dashboard.
SP-initiated SSO for Office 365
- Users can access their Office 365 domain via a URL or bookmark.
- They will automatically be redirected to the ADSelfService Plus portal for login.
- Once they've signed in, they'll be automatically redirected and logged in to the Office 365 portal.
Before you begin
- SSO can be enabled only for domains that are verified in Azure AD.
- SSO cannot be enabled for onmicrosoft.com domains that are created by Microsoft.
- SSO cannot be enabled for the default domain (the primary domain in which users are created). It can only be configured for custom domains. Office 365 prohibits SSO configuration for default domains to ensure that administrators can log in to Office 365 regardless of issues with the IdP. If your organization does not have a custom Office 365 domain, you need to purchase one in order to configure SSO.
- Federated domains, i.e., domains in which SSO has been enabled, cannot be configured for password synchronization.
- Download and install ADSelfService Plus if you have not already.
- Link Office 365 and on-premises AD user accounts:
- Using Azure AD Connect.
- GUID as sourceAnchor: If you have Azure AD Connect, then use it to update the sourceAnchor attribute in Office 365 with the GUID attribute value in AD.
- Another unique AD attribute as sourceAnchor: If you have already assigned a different attribute value other than GUID for the sourceAnchor attribute, then use the Account Linking option in ADSelfService Plus to map it with the corresponding attribute in AD.
- Using a third-party GUID to ImmutableID converter tool.
- Convert GUID to ImmutableID: If you don’t have Azure AD Connect, then you can download a third-party GUID to ImmutableID converter tool. Use the tool to convert the GUID value of each user to ImmutableID values and update them in Office 365.
- Update the ImmutableID value in Office 365: Once you have converted the GUID to ImmutableID, you need to update the value in Office 365 for each user using the PowerShell commands given below.
- Command to update the ImmutableID attribute while creating new users:
$cred = Get-Credential
Connect-MsolService -Credential $cred
New-MsolUser -UserPrincipalName "firstname.lastname@example.org" -ImmutableId "<immutable_id>" -DisplayName "user 01" -FirstName "user" -LastName "01" -LicenseAssignment "<service_pack>" -UsageLocation "<location>"
Note: You can check whether the update was successful using this command:
Get-MsolUser -All | Select-Object UserPrincipalName, ImmutableId
- Command to update the ImmutableID attribute for existing users:
Set-MsolUser -UserPrincipalName "<user_mailID>" -ImmutableId "<immutable_id>"
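The account-linking steps above leave the actual GUID-to-ImmutableID conversion to a third-party tool. As an added example that is not part of the ADSelfService Plus documentation, the following PowerShell script does that conversion itself the way Azure AD Connect does by default: the ImmutableID is the Base64 encoding of the 16 raw bytes of the user's objectGUID. It then stamps the value on the matching Office 365 account and reports accounts whose existing anchor does not decode to a GUID. It assumes the ActiveDirectory (RSAT) and MSOnline modules are installed, that the on-premises userPrincipalName equals the Office 365 UserPrincipalName, and the OU path is a constructed placeholder.

```powershell
# Added example (not from the ADSelfService Plus guide): derive ImmutableID from objectGUID
# and stamp it on the matching Office 365 users.
# Assumptions: ActiveDirectory and MSOnline modules are installed; on-premises
# userPrincipalName equals the cloud UserPrincipalName; $searchBase is a placeholder.
Import-Module ActiveDirectory
Import-Module MSOnline

# Azure AD Connect's default sourceAnchor is the Base64 form of the objectGUID bytes.
function ConvertTo-ImmutableId {
    param([Parameter(Mandatory)][guid]$ObjectGuid)
    return [System.Convert]::ToBase64String($ObjectGuid.ToByteArray())
}

# Reverse mapping, used when auditing an ImmutableID that is already set.
function ConvertFrom-ImmutableId {
    param([Parameter(Mandatory)][string]$ImmutableId)
    return [guid]::new([System.Convert]::FromBase64String($ImmutableId))
}

# True only when the value is Base64 for exactly 16 bytes, i.e. a GUID-derived anchor.
function Test-ImmutableId {
    param([string]$ImmutableId)
    if (-not $ImmutableId) { return $false }
    try { [void](ConvertFrom-ImmutableId -ImmutableId $ImmutableId); return $true } catch { return $false }
}

$cred = Get-Credential -Message "Office 365 global administrator"
Connect-MsolService -Credential $cred

# Constructed placeholder; replace with the OU that holds your synchronized users.
$searchBase = "OU=Users,DC=mycompany,DC=com"

Get-ADUser -Filter * -SearchBase $searchBase -Properties ObjectGUID, UserPrincipalName |
    Where-Object { $_.UserPrincipalName } |
    ForEach-Object {
        $upn = $_.UserPrincipalName
        $immutableId = ConvertTo-ImmutableId -ObjectGuid $_.ObjectGUID

        # Only touch accounts that actually exist in the tenant.
        $cloudUser = Get-MsolUser -UserPrincipalName $upn -ErrorAction SilentlyContinue
        if (-not $cloudUser) {
            Write-Warning "No Office 365 account for $upn; skipping"
            return
        }
        if ($cloudUser.ImmutableId -eq $immutableId) {
            Write-Verbose "$upn is already linked"
            return
        }
        if ($cloudUser.ImmutableId) {
            # A different anchor is already present; overwriting it silently would re-link
            # the account to another AD object, so report it for review instead.
            Write-Warning "$upn already has ImmutableId '$($cloudUser.ImmutableId)' (expected '$immutableId'); review before changing"
            return
        }
        Set-MsolUser -UserPrincipalName $upn -ImmutableId $immutableId
        Write-Host "Linked $upn -> $immutableId"
    }

# Audit: list every cloud account whose ImmutableId is missing or not GUID-derived.
Get-MsolUser -All |
    Where-Object { -not (Test-ImmutableId -ImmutableId $_.ImmutableId) } |
    Select-Object UserPrincipalName, ImmutableId
```

The script deliberately refuses to overwrite an ImmutableID that is already set to a different value: a silently changed anchor re-links the cloud account to a different AD object, which is exactly the failure the "Another unique AD attribute as sourceAnchor" bullet above is meant to avoid. If your tenant uses a different sourceAnchor, map it with the Account Linking option in ADSelfService Plus rather than rewriting the anchors.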
- Reconfigure or update SSO settings.
- If you are already using SSO for Office 365 with another identity provider, or want to update the ADSelfService Plus SSO settings, you must first disable SSO in Office 365 and then follow the step-by-step process provided below. To disable SSO (that is, switch the domain back to managed authentication), run the following in PowerShell after connecting with Connect-MsolService:
$dom = "mycompany.com"
Set-MsolDomainAuthentication -DomainName $dom -Authentication Managed
Step-by-step guide to configure Office 365 SSO
Configuring your AD domain in ADSelfService Plus
With ADSelfService Plus, you can not only use the existing AD credentials of users but also other advanced authentication techniques like biometrics, YubiKey, Google authenticator, etc. for SSO authentication. To use the existing AD credentials for SSO authentication, first you need to configure an AD domain in ADSelfService Plus to enable SSO for Office 365.
ADSelfService Plus will automatically add all the domains that it can discover in your network. If your domains are added automatically, skip ahead to Getting the SAML details from ADSelfService Plus; otherwise, follow the steps below to add them manually.
- Launch the ADSelfService Plus web console and log in using admin credentials.
- Click the Domain Settings link available on the top-right corner of the application and select Add New Domain.
- An Add Domain Details window will appear.
- In the Domain Name field, enter the name of the domain you want to add.
- In the Add Domain Controllers field, click Discover. ADSelfService Plus will try to automatically discover the domain controllers associated with the domain.
- If the domains are not auto-discovered, then in the pop-up screen, enter the domain controller name in the field provided, and click Add.
- You can leave the authentication fields empty if you are not going to use the end user self-service features of ADSelfService Plus.
- Back in the Add Domain Details window, click Add to complete adding the domain in ADSelfService Plus.
Getting the SAML details from ADSelfService Plus
- Navigate to Applications > Add Application.
- Select Office 365/Azure in the list of applications provided.
- Click on IdP Details in the top-right corner of the screen.
- In the pop-up that appears, copy the login URL and download the SSO certificate by clicking on Download Certificate.
Configuring SSO settings in Office 365
- Open PowerShell with admin rights.
- Enter the following command:
$cred = Get-Credential
- In the pop-up that appears, enter the username and password of your Office 365 administrator account.
- Connect with MsolService using the following command:
Connect-MsolService -Credential $cred
- Now, get a list of your Office 365 domains by entering the following command:
- Enter the domain for which you would like to enable SSO:
$dom = "mycompany.com"
- Set $url and $uri to the login URL you copied from the IdP Details pop-up, and $logouturl to the logout URL value:
$url = "<login URL value>"
$uri = "<login URL value>"
$logouturl = "<logout URL value>"
- Now copy the contents of the SSO certificate file you downloaded from the IdP Details pop-up and pass it as the value of $cert:
Important: Remove all line breaks from the certificate content first so that it is pasted as one continuous string.
$cert = "MIICqjCCAhOgAwIBAgIJAN..........dTOjFfqqA="
- Next, run the following command to enable SSO in Office 365:
Set-MsolDomainAuthentication -DomainName $dom -FederationBrandName $dom -Authentication Federated -PassiveLogOnUri $url -SigningCertificate $cert -IssuerUri $uri -LogOffUri $logouturl -PreferredAuthenticationProtocol SAMLP
- Test the configuration by using the following command:
Get-MsolDomainFederationSettings -DomainName "mycompany.com" | Format-List *
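The PowerShell steps in this section, together with the caveats under Before you begin and the "reconfigure or update" note, fit in one script. The following is an added example, not code from the ADSelfService Plus guide: it connects with the MSOnline module, checks that the domain is verified, is not the default or an onmicrosoft.com domain, and is not still federated with a previous IdP, loads the certificate file as a single Base64 string (so the "no line breaks" requirement cannot be missed), validates it as an X.509 certificate, runs the same Set-MsolDomainAuthentication command as the guide, and compares the stored federation settings with what was supplied. The domain name, URLs and certificate path are placeholders; stripping PEM header and footer lines assumes the downloaded file may be PEM-encoded.

```powershell
# Added example (not from the ADSelfService Plus guide): federate a verified, non-default
# Office 365 domain with ADSelfService Plus, applying the "Before you begin" checks first.
# Placeholder values below (domain, URLs, certificate path) are assumptions; replace them.
Import-Module MSOnline

$dom       = "mycompany.com"                     # custom domain to federate (placeholder)
$url       = "<login URL value>"                 # login URL from IdP Details (placeholder)
$uri       = "<login URL value>"                 # IssuerUri; the guide uses the login URL here too
$logouturl = "<logout URL value>"                # logout URL (placeholder)
$certPath  = "C:\temp\adselfserviceplus-sso.cer" # downloaded SSO certificate (placeholder path)

$cred = Get-Credential -Message "Office 365 global administrator"
Connect-MsolService -Credential $cred

# Pre-check 1: the domain must exist in the tenant and be verified.
$domainInfo = Get-MsolDomain -DomainName $dom -ErrorAction Stop
if ($domainInfo.Status -ne "Verified") {
    throw "Domain $dom is not verified in Azure AD (status: $($domainInfo.Status))."
}

# Pre-check 2: Office 365 refuses federation for the default domain and for onmicrosoft.com domains.
if ($domainInfo.IsDefault -or $dom -like "*.onmicrosoft.com") {
    throw "Domain $dom is the default or an onmicrosoft.com domain; use a custom, non-default domain."
}

# Pre-check 3: a domain already federated (e.g. with another IdP) must go back to Managed first.
if ($domainInfo.Authentication -eq "Federated") {
    Write-Warning "$dom is already federated; converting it to Managed before reconfiguring"
    Set-MsolDomainAuthentication -DomainName $dom -Authentication Managed
}

# Load the certificate as one continuous Base64 string: drop PEM header/footer lines
# (if the downloaded file has them) and every line break or space.
$cert = (Get-Content -Path $certPath -Raw) -replace '-----(BEGIN|END) CERTIFICATE-----', '' -replace '\s', ''

# Sanity check: the string must decode to a parseable X.509 certificate that has not expired.
try {
    $x509 = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new(
        [System.Convert]::FromBase64String($cert))
} catch {
    throw "Certificate content is not a single-line Base64 certificate: $($_.Exception.Message)"
}
if ($x509.NotAfter -lt (Get-Date)) {
    throw "SSO certificate expired on $($x509.NotAfter); download a current one from IdP Details."
}
Write-Host "Signing certificate thumbprint $($x509.Thumbprint), valid until $($x509.NotAfter)"

# Enable federation (the same command the guide uses).
Set-MsolDomainAuthentication -DomainName $dom -FederationBrandName $dom -Authentication Federated `
    -PassiveLogOnUri $url -SigningCertificate $cert -IssuerUri $uri -LogOffUri $logouturl `
    -PreferredAuthenticationProtocol SAMLP

# Verify what the tenant now holds against what was supplied.
$fed = Get-MsolDomainFederationSettings -DomainName $dom
$fed | Format-List *
if ($fed.PassiveLogOnUri -ne $url -or $fed.IssuerUri -ne $uri -or $fed.LogOffUri -ne $logouturl) {
    throw "Stored federation settings for $dom do not match the values supplied."
}
```

Keep the thumbprint the script prints: when ADSelfService Plus rotates its SSO certificate, the value stored in -SigningCertificate must be updated the same way, and comparing thumbprints is the quickest way to tell whether the tenant still trusts the certificate the IdP is actually signing with.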
Adding your Office 365 setup in ADSelfService Plus and enabling SSO
- Now, switch back to ADSelfService Plus and open the Office 365 SSO configuration page under Applications.
- Select the Enable Single Sign-on checkbox.
- In the Domain Name field, enter the domain name you federated in PowerShell (the value of $dom).
- Provide an appropriate description in the Description field.
- In the Available Policies field, click the drop-down box and select the policies for which you wish to enable SSO. The policy you select will determine which users have the SSO feature enabled.
Note: ADSelfService Plus allows you to create OU and group-based policies for your AD domains. To create a policy, go to Configuration → Self-Service → Policy Configuration → Add New Policy. Click Select OUs/Groups, and make the selection based on your requirements. You need to select at least one self-service feature. Finally, click Save Policy.
- Click Add Application.
Now users can log into their Office 365 accounts automatically without having to enter their username and password again.
To improve security, ADSelfService Plus offers multiple authentication techniques for enforcing two-factor authentication during single sign-on.