Note: Once this integration is enabled, all access to Office 365 will require MFA via SSO.
Note: Hybrid Office 365 deployments are not supported. If you are using a hosted Exchange Server with an Office 365 domain, this integration is not compatible.
Note: A Server 2012 Essentials server that has been federated with Office 365 is not compatible with this integration.
Note: Trial versions of Office 365 are not compatible with this integration.
Note: A *.onmicrosoft.com user account must be used to manage the federated domain; an account in the domain being federated cannot sign in once federation is enabled.
Note: Thick clients must support Modern Authentication, and it must be enabled for them, to allow a federated login.
Setting up Office 365 in your On-Demand Tenant
- Select Directory Manager.
- Select Groups.
- Select the green plus sign in the bottom right corner.
- Name the Group Office 365 Users.
Note: If you already have a Group for SSO users, you can use that Group instead.
- Select ADD GROUP.
- Select SSO Manager.
- Select the green plus sign in the bottom right corner.
- Select the Catalog Icon.
- Select Office 365.
- Set your Microsoft Office 365 Online settings. You will need to enter the following.
Your @company.onmicrosoft.com username
AuthAnvil supports federated signin and synchronization with Office 365, which is also known as Microsoft Online Services or Microsoft Azure Active Directory.
Federation is configured with these settings.
Managed Domain: This is the domain used to identify the tenant
Management Username: The *.onmicrosoft.com administrative account username used to synchronize user details
Password: The management account password
- Select Verify Compatibility. A success message is shown if the domain information is verified successfully.
- Set your desired Deep Linking into Office 365 Applications
Select which applications should show up on the launchpad so users can launch directly into them.
- Select Application Configuration.
Ensure that the Application is enabled.
- Select the desired Authentication policy.
- Select Add Application.
- Select Office 365.
AuthAnvil supports synchronizing from the Universal Directory to Office 365.
Enable Synchronization: Enable or disable synchronizing the Universal Directory with Office 365.
UserName Mapping: The AuthAnvil attribute used as the user's User Principal Name in Office 365.
Default User License: A license can be applied to users when provisioned if Office 365 has been enabled.
- Select Permissions.
- Select Add Groups.
Select the Group you chose in Step 2.
- Select Save Changes.
Prerequisites for Configuring Office 365 Federation
- Microsoft Online Service Sign-in Assistant for IT Professionals RTW
- Windows Azure Active Directory Module for Windows PowerShell (64-bit version)
Configuring Office 365 Federation
- Open PowerShell and connect to the Office 365 services.
$creds = Get-Credential -UserName "admin@company.onmicrosoft.com" -Message "Configure Office 365 Federation"
Connect-MsolService -Credential $creds
Note: Replace admin@company.onmicrosoft.com with your *.onmicrosoft.com management account. The -UserName parameter requires a value; leaving it empty causes Get-Credential to fail.
- Execute the following script. This will enable federation with the required AuthAnvil settings.
$domain = ""
$issuer = "https://(<My-Tenant).my.authanvil.com/trust"
$passiveLogon = "https://(<My-Tenant).my.authanvil.com/trust/launch"
$activeLogon = "https://(<My-Tenant).my.authanvil.com/services/trust/2005/mixed"
$mexUri = "https://(<My-Tenant).my.authanvil.com/services/trust/mex"
$signingCert = ""
Note: Set $domain to the Office 365 domain you are federating and $signingCert to the base64 signing certificate. The actual signing cert will be displayed in the tenant when you Add the Application.
Note: Replace (<My-Tenant) with your actual On-Demand tenant name.
Set-MsolDomainFederationSettings -DomainName $domain -IssuerUri $issuer -PassiveLogOnUri $passiveLogon -ActiveLogOnUri $activeLogon -MetadataExchangeUri $mexUri -SigningCertificate $signingCert
- Verify the configuration was applied. Run this command and check that the output matches the parameters specified above.
Get-MsolDomainFederationSettings -DomainName $domain
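The following is an added example, not a script from the original article or from AuthAnvil, that carries the federation steps above through as one script with the checks a practitioner would want before changing a production tenant: it validates that the pasted signing certificate parses and is not about to expire, handles the case where the domain is still Managed (Set-MsolDomainFederationSettings only updates a domain that is already federated; a managed domain is converted with Set-MsolDomainAuthentication, which takes the same parameters), and then compares every property it set against what the tenant reports. The tenant name "mytenant", the domain "company.com", the admin UPN and the certificate string are placeholders, not real values.

```powershell
# Added example (not from the original article or AuthAnvil). Assumes the
# MSOnline (Azure AD PowerShell) module is installed. All values below are
# placeholders: replace them with your tenant, domain, admin and signing cert.
Import-Module MSOnline -ErrorAction Stop

$tenant      = "mytenant"                      # your On-Demand tenant name
$domain      = "company.com"                   # the Office 365 domain being federated
$adminUpn    = "admin@company.onmicrosoft.com" # *.onmicrosoft.com admin, not a user of $domain
$signingCert = "MIIC..."                       # base64 signing cert shown when you Add the Application

$base = "https://$tenant.my.authanvil.com"
$settings = @{
    DomainName          = $domain
    IssuerUri           = "$base/trust"
    PassiveLogOnUri     = "$base/trust/launch"
    ActiveLogOnUri      = "$base/services/trust/2005/mixed"
    MetadataExchangeUri = "$base/services/trust/mex"
    SigningCertificate  = $signingCert
}

# Check the certificate before touching the tenant: a malformed or expired
# signing cert locks every federated user out of Office 365.
try {
    [byte[]]$certBytes = [Convert]::FromBase64String($signingCert)
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,$certBytes)
} catch {
    throw "SigningCertificate is not a valid base64 X.509 certificate: $_"
}
if ($cert.NotAfter -lt (Get-Date).AddDays(30)) {
    throw "Signing certificate expires on $($cert.NotAfter); renew it in the tenant before federating."
}
Write-Host "Signing cert: $($cert.Subject), valid until $($cert.NotAfter)"

$creds = Get-Credential -UserName $adminUpn -Message "Configure Office 365 Federation"
Connect-MsolService -Credential $creds

# A Managed domain must be converted; a Federated domain is updated in place.
$auth = (Get-MsolDomain -DomainName $domain).Authentication
if ($auth -eq "Managed") {
    Set-MsolDomainAuthentication -Authentication Federated @settings
} else {
    Set-MsolDomainFederationSettings @settings
}

# Verify: every property we set must match what the tenant now reports.
$actual   = Get-MsolDomainFederationSettings -DomainName $domain
$mismatch = @()
foreach ($name in "IssuerUri", "PassiveLogOnUri", "ActiveLogOnUri", "MetadataExchangeUri", "SigningCertificate") {
    if ($actual.$name -ne $settings[$name]) {
        $mismatch += "$name (tenant has '$($actual.$name)')"
    }
}
if ($mismatch.Count -gt 0) {
    throw "Federation settings did not apply: $($mismatch -join '; ')"
}
Write-Host "Federation for $domain verified against $base"
```

Run it from an elevated Windows PowerShell session where the two prerequisites above are installed. The certificate check stops the script before any tenant change, so a bad paste fails safely; the final comparison catches a silently ignored parameter or a typo in the tenant name.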
If your AuthAnvil On-Demand (AAoD) usernames are not in email-address format, like the following:
You might need to add a suffix to the organization to enable MFA authentication from thick clients such as Skype for Business and Outlook.
Follow these steps to add a suffix to the organization so that non-email-address usernames are supported.
- Select Directory Manager.
- Select Organizations.
- Select the target organization.
- Select Edit.
- Add the Principal Name Suffix, including the @domain. Example:
Note: Use the Office 365 domain that you are federating for the Principal Name Suffix including the @ symbol.
- Select Save changes.