Note: Once this integration is enabled all access to Office 365 will require the use of 2FA via SSO.
Note: Hybrid Office 365 deployments are not supported. If you are using a hosted Exchange Server with an Office 365 domain this integration is not compatible.
Note: Using a Server 2012 Essentials server that has been federated with Office 365 is not compatible with this integration.
Note: Trial versions of Office 365 are not compatible with this integration.
Office 365 Prerequisite Steps
In order to configure Office 365 federation with AuthAnvil Single Sign On you need to have a domain to federate. This will be the domain used for email. You cannot federate with the initially configured *.onmicrosoft.com domain.
If you have already configured and verified a domain you can skip this section.
Once you have a domain that you want to federate you need to authorize Microsoft Online Services to use it. To authorize the domain follow these steps:
- Log in to the Microsoft Online Services management portal at https://portal.microsoftonline.com with your administrator credentials.
- Click the Domains link in the left column and select Add a domain.
- Specify your new domain and click Next.
- You will be prompted to verify your domain. To do this you will need to update your DNS records with a value specified by Microsoft. This is to prove that you really are the owner of that domain. Depending on your DNS provider you may have different instructions for updating the records. The basic idea is that you add a TXT or MX record.
Once the record has been added you can have Microsoft verify it.
- Verify the domain by clicking the Done, Verify now button. This can take up to 72 hours depending on your DNS provider, but it usually only takes a few minutes. If you get a warning saying your domain can’t be verified, it is possible that the DNS update has not finished propagating yet. Just wait a little longer and try again.
Once you have verified your domain you can continue on to configuring AuthAnvil Single Sign On.
AuthAnvil Single Sign On Application Configuration
AuthAnvil Single Sign On 3.5 natively supports federation and synchronization of users with Microsoft Office 365 so configuration is quick and painless.
However, before we can configure the application it will help to briefly explain how user synchronization works between AuthAnvil Single Sign On and Office 365. The bulk of the work is handled by a scheduler service that runs every 10 minutes. This scheduler will check for changes to SSO users and roles and synchronize the changes with Office 365.
The scheduler determines which users should be synchronized based on role membership. In order for a user to be synchronized, that user has to be a member of at least one role that has been authorized to access Office 365. Once that user has been added to an authorized role they will be synchronized within the next sync window.
The scheduler determines whether a role should be synchronized based on whether or not the Allow Role to be Synchronized flag has been set for the given role.
The scheduler will sync changes to members of the role to its equivalent group in Office 365.
With a basic understanding of the synchronization process we can now enable AuthAnvil for Office 365:
- Navigate to the Single Sign On Applications section in the AuthAnvil Manager. Select the Office 365 application.
- Enable the application.
- Select the Microsoft Online Configuration section.
You may be prompted with a message warning you that the Microsoft Sign-In Assistant needs to be installed on the SSO server.
The Sign-In Assistant allows AuthAnvil Single Sign On to communicate with Microsoft Online Services for synchronization. The link will take you directly to an MSI installer, which needs to be installed on the SSO server. A server reboot is not required, but you may have to restart the AuthAnvilSSO IIS App Pool.
Note: If you already attempted to install Microsoft’s DirSync on this server then you won’t need to install the Sign-In Assistant as it is a prerequisite for DirSync.
- Once the Sign-In Assistant has been installed you need to configure the Office 365 domain and synchronization credentials:
- Set the domain to the domain name you registered and verified in Office 365 similar to what’s pictured below.
- Set the synchronization attribute. The default is Email. This is the attribute that is used as the identifier to create a new user or update existing users. The attribute values for the users must be in a User Principal Name (UPN) format.
- Enter the Microsoft Online administrator account credentials used for synchronization.
Note: This admin account should be a *.onmicrosoft.com account, because AuthAnvil cannot federate with that domain. This avoids the problem of federating the very domain the admin account belongs to. For example, if you federate “company.com” and use “firstname.lastname@example.org” as the O365 admin account at this step, AuthAnvil will be unable to complete the configuration, because once the domain is federated that account will require a dynamic one-time password instead of a static password. The admin credentials will fail after the first step.
- Finally, save the application.
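A pre-flight check of the values entered in the steps above, added here as an example and not AuthAnvil's own code: it verifies that each synchronized user's sync attribute is in UPN form with the federated domain as its suffix, and that the synchronization admin account is a *.onmicrosoft.com account outside the federated domain. The federated domain and the sample user values are constructed assumptions.

```python
import re

# Added pre-flight check (not part of AuthAnvil): validates the values the
# sync scheduler will push to Office 365 before the application is saved.
# Constructed sample data; the federated domain and the user attribute
# values below are assumptions, not values from a real tenant.
FEDERATED_DOMAIN = "company.com"

# UPN shape: local part, '@', then a DNS-style domain. Assumption: a simple
# pattern is enough for a pre-flight check; Office 365 applies its own rules.
UPN_RE = re.compile(r"^[A-Za-z0-9._%+-]+@([A-Za-z0-9-]+\.)+[A-Za-z]{2,}$")


def check_sync_attribute(values, federated_domain=FEDERATED_DOMAIN):
    """Return (value, reason) pairs for sync attribute values that would not
    provision cleanly. Each value is the Email (or other chosen) attribute
    of a user who is a member of a role authorized for Office 365."""
    problems = []
    for v in values:
        if not UPN_RE.match(v):
            problems.append((v, "not in UPN format"))
        elif v.rsplit("@", 1)[1].lower() != federated_domain.lower():
            problems.append((v, "suffix is not the federated domain"))
    return problems


def check_sync_admin(account, federated_domain=FEDERATED_DOMAIN):
    """The synchronization admin must be a *.onmicrosoft.com account: once
    the domain is federated, an account in it will be asked for a one-time
    password, so the static credential stored here would stop working.
    Returns None when the account is acceptable, otherwise a reason."""
    if not UPN_RE.match(account):
        return "not in UPN format"
    suffix = account.rsplit("@", 1)[1].lower()
    if suffix == federated_domain.lower():
        return "account belongs to the federated domain"
    if not suffix.endswith(".onmicrosoft.com"):
        return "not a *.onmicrosoft.com account"
    return None


# Constructed sample input: two good values, one bare name, one wrong domain.
SAMPLE_USERS = ["alice@company.com", "bob@COMPANY.com", "carol", "dave@other.org"]

if __name__ == "__main__":
    for value, reason in check_sync_attribute(SAMPLE_USERS):
        print(f"{value}: {reason}")
    print(check_sync_admin("syncadmin@company.onmicrosoft.com"))
```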
Saving the application may take a moment to complete as it has to remotely configure Office 365. Once the configuration has been saved you should be redirected to the Applications page.
At this point AuthAnvil for Office 365 should be configured properly. It is now possible to authorize users to access Office 365.
Authorizing users to access Office 365 is easy to do as a user just needs to be a member of a role that has access to Office 365. This can be accomplished by creating a new role called “Office 365 Users”:
Once the role has been created you can add the users to that role:
Once all the users have been added you can authorize the role to access Office 365:
After the role has been authorized to access Office 365 all the users associated with that role will be synchronized within the next sync window.
Since there is a possibility that a user has been granted access to Office 365, but their account hasn’t been provisioned yet, the SSO Portal will notify them that access isn’t quite ready.
Once their account has been provisioned into Office 365 the application is automatically enabled.
Once you have completed the configuration log out of Office 365 and navigate to your SSO portal. You should see the Office 365 application without the grayed out provisioning box once the account has been successfully provisioned, as long as you are in the “Office 365 Users” role.
Click the Office 365 application and you should now be logged into your Office 365 account!