
Office 365

How to configure single sign-on for Office 365

ADSelfService Plus supports Active Directory (AD)-based single sign-on (SSO) for Office 365 and any other SAML-enabled application. Upon enabling SSO for Office 365 in ADSelfService Plus, all users have to do is simply log into their Windows machines using their AD domain credentials. Once logged in, users can securely access Office 365 in one click without having to enter their username and password again.

ADSelfService Plus supports both Identity Provider (IdP) and Service Provider (SP)-initiated SSO for Office 365.

IdP-initiated SSO for Office 365: Users need to log in to the ADSelfService Plus self-service portal first, and then click on the Office 365 icon on the Applications dashboard to access Office 365.

SP-initiated SSO for Office 365: Users can access their Office 365 domain via a URL or bookmark. They will automatically be redirected to the ADSelfService Plus portal for login. Once they've signed on, they'll be automatically redirected and logged in to the Office 365 portal.

Configuration steps

Before you begin

  1. Download and install ADSelfService Plus if you haven’t already.

  2. Link Office 365 and on-premises AD user accounts by:
    • Using Azure AD Connect.
      • GUID as sourceAnchor: If you have Azure AD Connect, then use it to update the sourceAnchor attribute in Office 365 with the GUID attribute value in AD.
      • Another unique AD attribute as sourceAnchor: If you have already assigned a different attribute value other than GUID for the sourceAnchor attribute, then use the Account Linking option in ADSelfService Plus to map it with the corresponding attribute in AD.
    • Using a third-party GUID to ImmutableID converter tool.
      • Convert GUID to ImmutableID: If you don’t have Azure AD Connect, then you can download a third-party GUID to ImmutableID converter tool. Use the tool to convert the GUID value of each user to ImmutableID values and update them in Office 365.
      • Update the ImmutableID value in Office 365: Once you have converted the GUID to ImmutableID, you need to update the value in Office 365 for each user using the PowerShell commands given below.

      Command to update ImmutableID attribute while creating new users:

      $cred = Get-Credential
      Connect-MsolService -Credential $cred
      New-MsolUser -UserPrincipalName "user01@mycompany.com" -ImmutableId "<immutable_id>" -DisplayName "user 01" -FirstName "user" -LastName "01" -LicenseAssignment "<service_pack>" -UsageLocation "<location>"

      Note: You can check whether the update was successful using this command:

      Get-MsolUser -All | select userprincipalname,ImmutableId

      Command to update ImmutableID attribute for existing users:

      Set-MsolUser -UserPrincipalName "<user_mailID>" -ImmutableId "<immutable_id>"

    • Reconfigure or update SSO settings: If you are already using SSO for Office 365 from another identity provider, or want to update the ADSelfService Plus SSO settings, you must first disable SSO in Office 365 and then follow the step-by-step process provided below. To disable SSO in Office 365, run the following command in PowerShell:

      $dom = "mycompany.com"
      Set-MsolDomainAuthentication -DomainName $dom -FederationBrandName $dom -Authentication Managed
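
The GUID to ImmutableID conversion described under "Link Office 365 and on-premises AD user accounts" can be done without a third-party tool, because a GUID-based ImmutableID is the Base64 encoding of the 16 bytes of the AD objectGUID. The following is an added example, not ADSelfService Plus or Microsoft code; the function names and the sample users and GUIDs are constructed for illustration.

```powershell
function ConvertTo-ImmutableId {
    # A GUID-based ImmutableId is the Base64 encoding of the 16-byte objectGUID.
    param([Parameter(Mandatory)][guid]$ObjectGuid)
    [Convert]::ToBase64String($ObjectGuid.ToByteArray())
}

function ConvertFrom-ImmutableId {
    # Reverse mapping, for tracing an Office 365 account back to its AD object.
    param([Parameter(Mandatory)][string]$ImmutableId)
    [byte[]]$bytes = [Convert]::FromBase64String($ImmutableId)
    if ($bytes.Length -ne 16) { throw "Not a GUID-based ImmutableId: $ImmutableId" }
    [guid]::new($bytes)
}

# Constructed sample data standing in for: Get-ADUser -Filter * | Select UserPrincipalName, ObjectGUID
$adUsers = @(
    [pscustomobject]@{ UserPrincipalName = 'user01@mycompany.com'; ObjectGUID = [guid]'3f2504e0-4f89-11d3-9a0c-0305e82c3301' }
    [pscustomobject]@{ UserPrincipalName = 'user02@mycompany.com'; ObjectGUID = [guid]'9b2c1d7e-5a64-4c0f-8e21-7d3f6a90b4c2' }
)

$mapping = foreach ($u in $adUsers) {
    $id = ConvertTo-ImmutableId -ObjectGuid $u.ObjectGUID
    # Round-trip check: the encoded value must decode back to the same AD object.
    if ((ConvertFrom-ImmutableId $id) -ne $u.ObjectGUID) { throw "Round trip failed for $($u.UserPrincipalName)" }
    [pscustomobject]@{ UserPrincipalName = $u.UserPrincipalName; ImmutableId = $id }
}

# Two accounts sharing one ImmutableId would link both to the same AD identity; stop if any exist.
$dupes = $mapping | Group-Object ImmutableId | Where-Object Count -gt 1
if ($dupes) { throw "Duplicate ImmutableId values: $($dupes.Name -join ', ')" }

$mapping | Format-Table -AutoSize
# After reviewing the table, apply it with the command shown above:
#   $mapping | ForEach-Object { Set-MsolUser -UserPrincipalName $_.UserPrincipalName -ImmutableId $_.ImmutableId }
```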

Follow the step-by-step guide given below for Office 365 SSO

Configuring your AD domain in ADSelfService Plus

With ADSelfService Plus, you can use the existing AD credentials of users for authentication during SSO. So, first you need to configure an AD domain in ADSelfService Plus to enable SSO for Office 365.

ADSelfService Plus will try to automatically add all the domains that it can discover in your network. If your domains are automatically added, skip to Step 9; otherwise, follow Steps 1-8 to add them manually.

  1. Launch the ADSelfService Plus web console and log in using admin credentials.
  2. Click the Domain Settings link available on the top-right corner of the application.

  3. An Add Domain Details window will appear.

  4. In the Domain Name field, enter the name of the domain you want to add.
  5. In the Add Domain Controllers field, click Discover. ADSelfService Plus will try to automatically discover the domain controllers associated with the domain.
  6. If the domains are not auto-discovered, then enter the domain controller name in the field provided, and click Add.
  7. You can leave the authentication fields empty if you're not going to use the end user self-service features of ADSelfService Plus.
  8. Back in the Add Domain Details window, click Add to complete adding the domain in ADSelfService Plus.

Getting the SAML details from ADSelfService Plus

  9. Navigate to Configuration → Self-service → Password Sync/Single Sign On.
  10. Click Office 365 in the list of applications provided.
  11. Click Download SSO Certificate in the top-right corner of the screen.
  12. In the pop-up that appears, copy the login URL and download the SSO certificate by clicking Download SSO Certificate.

Configuring SSO settings in Office 365

  13. Open PowerShell with admin rights.
  14. Enter the following command:

    $cred = Get-Credential

    In the pop-up that appears, enter the username and password of your Office 365 administrator account.

  15. Connect with MsolService using the following command:

    Connect-MsolService -Credential $cred

  16. Now, get a list of your Office 365 domains by entering the following command:

    Get-MsolDomain

    Note:

    • SSO can be enabled only for domains that have their status as Verified.
    • Ensure that the domain is not the default domain (a domain that doesn't have the onmicrosoft.com subdomain), as it cannot be set as the federated domain.

  17. Enter the domain for which you would like to enable SSO.

    $dom = "mycompany.com"

  18. Enter the login URL value from Step 12 for the $url and $uri variables, and the logout URL value for the $logouturl variable.

    $url = "<login URL value>"
    For example, $url = "https://selfservice.com:9251/iamapps/ssologin/office365/1352163ea82348a5152487b2eb05c5adeb4aaf73"

    $uri = "<login URL value>"
    For example, $uri = "https://selfservice.com:9251/iamapps/ssologin/office365/1352163ea82348a5152487b2eb05c5adeb4aaf73"

    $logouturl = "<logout URL value>"
    For example, $logouturl = "https://selfservice.com:9251/iamapps/ssologout/office365/1352163ea82348a5152487b2eb05c5adeb4aaf73"

  19. Now copy the SSO certificate file content from Step 12 and pass it as the value in the following command:

    Important: Edit the file so that it contains no line breaks before pasting its content into the command.

    $cert = "MIICqjCCAhOgAwIBAgIJAN..........dTOjFfqqA="

  20. Next, run the following command to enable SSO in Office 365:

    Set-MsolDomainAuthentication -DomainName $dom -FederationBrandName $dom -Authentication Federated -PassiveLogOnUri $url -SigningCertificate $cert -IssuerUri $uri -LogOffUri $logouturl -PreferredAuthenticationProtocol SAMLP

  21. Test the configuration by using the following command:

    Get-MsolDomainFederationSettings -DomainName "mycompany.com" | Format-List *

Adding your Office 365 setup in ADSelfService Plus and enabling SSO

  22. Now, switch to ADSelfService Plus’ Office 365 configuration page.
  23. Choose Single sign-on under Modules.
  24. In the Domain Name field, enter the domain name you used in Step 16.
  25. Provide an appropriate description in the Description field.
  26. In the Available Policies field, click the drop-down box and select the policies for which you wish to enable SSO. The policy you select will determine which users have the SSO feature enabled.

    Note: ADSelfService Plus allows you to create OU and group-based policies for your AD domains. To create a policy, go to Configuration → Self-Service → Policy Configuration → Add New Policy. Click Select OUs/Groups, and make the selection based on your requirements. You need to select at least one self-service feature. Finally, click Save Policy.

  27. Click Save.

    Now users can log into their Office 365 accounts automatically without having to enter their username and password again.
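
The signing certificate and issuer URI set in the PowerShell steps above decide whose SAML assertions Office 365 accepts for the domain, so it is worth validating the certificate before it is pasted into $cert and comparing the live federation settings against the intended values afterwards. The following is an added example, not ADSelfService Plus or Microsoft code: the function names, the self-signed certificate and the $actual object (a stand-in for Get-MsolDomainFederationSettings output) are constructed, and it assumes Windows PowerShell 5.1 on .NET Framework 4.7.2 or later, or PowerShell 7.

```powershell
using namespace System.Security.Cryptography
using namespace System.Security.Cryptography.X509Certificates

function ConvertTo-SigningCertificateValue {
    # Strip PEM armor and line breaks, then prove the result is a currently valid X.509 certificate.
    param([Parameter(Mandatory)][string]$PemText)
    $b64 = ($PemText -replace '-----(BEGIN|END) CERTIFICATE-----', '') -replace '\s', ''
    [byte[]]$der = [Convert]::FromBase64String($b64)
    $x509 = [X509Certificate2]::new($der)
    $now = Get-Date
    if ($now -lt $x509.NotBefore -or $now -gt $x509.NotAfter) {
        throw "Certificate $($x509.Thumbprint) is outside its validity period."
    }
    [pscustomobject]@{ Value = $b64; Thumbprint = $x509.Thumbprint; NotAfter = $x509.NotAfter }
}

function Compare-FederationSetting {
    # Return the names of settings whose live value differs (ordinal comparison) from the intended one.
    param([Parameter(Mandatory)][hashtable]$Expected, [Parameter(Mandatory)]$Actual)
    foreach ($name in $Expected.Keys) {
        if (-not [string]::Equals([string]$Actual.$name, [string]$Expected[$name], 'Ordinal')) { $name }
    }
}

# Constructed sample: a throwaway self-signed certificate wrapped like a PEM file with line breaks.
$rsa  = [RSA]::Create(2048)
$req  = [CertificateRequest]::new('CN=constructed-idp', $rsa, [HashAlgorithmName]::SHA256, [RSASignaturePadding]::Pkcs1)
$temp = $req.CreateSelfSigned([DateTimeOffset]::Now.AddMinutes(-5), [DateTimeOffset]::Now.AddDays(30))
$pem  = "-----BEGIN CERTIFICATE-----`n" +
        [Convert]::ToBase64String($temp.RawData, 'InsertLineBreaks') + "`n-----END CERTIFICATE-----"

$signing = ConvertTo-SigningCertificateValue -PemText $pem   # real use: -PemText (Get-Content <file> -Raw)
$base = 'https://selfservice.com:9251/iamapps'; $id = '1352163ea82348a5152487b2eb05c5adeb4aaf73'
$expected = @{
    IssuerUri          = "$base/ssologin/office365/$id"
    PassiveLogOnUri    = "$base/ssologin/office365/$id"
    LogOffUri          = "$base/ssologout/office365/$id"
    SigningCertificate = $signing.Value
}

# Constructed stand-in for Get-MsolDomainFederationSettings output, with LogOffUri altered.
$actual = [pscustomobject]@{
    IssuerUri = $expected.IssuerUri; PassiveLogOnUri = $expected.PassiveLogOnUri
    LogOffUri = 'https://other.example/logout'; SigningCertificate = $signing.Value
}

"Signing certificate thumbprint: $($signing.Thumbprint), expires $($signing.NotAfter)"
$drift = @(Compare-FederationSetting -Expected $expected -Actual $actual)
if ($drift) { Write-Warning "Federation settings differ from intended values: $($drift -join ', ')" }
```

Against a live tenant, replace $actual with the output of Get-MsolDomainFederationSettings -DomainName $dom and record the thumbprint, so later changes to the domain's federation trust can be detected.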
