Troubleshooting Microsoft 365 SAML Application

Necessary conditions we want from Passly after Office 365 application is set up:

  1. Office 365 application is enabled.

  2. Domain is federated.

  3. Domain federation is managed automatically.

  4. User synchronization works.

  5. User has “ImmutableId” created in Passly. It is created as a “msol.syncSource” attribute.

  6. User has active Office 365 applications on the Launchpad.

  7. User is able to log in to Office 365 applications using SSO.

Adding Office 365 guide:

Be sure that the following settings are set up correctly:

Office 365 tab

Points 1-2 describe domain federation set up.
Points 3-5 describe user and group synchronization.

  1. “Manage Office 365 Federation Automatically” is checked.


    In case the client manages federation manually, users and groups won’t be synced correctly automatically.

    Do not suggest to use manual federation unless you have a valid reason for it.

  2. “Verify Compatibility” button returns “Domain is Federated”, “It supports Email”, “It is Verified”.


    It means that domain has been federated successfully.

    In case “Verify Compatibility” button returns “Domain is Federated” with yellow tick, it’s not an issue.
    In case “Verify Compatibility” button returns “Domain is Managed”, domain is in a managed state and needs to be federated.
    In case “Verify Compatibility” button returns an error message, federation won’t work correctly, users and groups won’t be synced correctly, users won’t be able to use SSO.

    Common issues here:
    - domain/username/password are incorrect;
    - admin credentials are under 2FA check, the client needs to disable 2FA in Azure Portal;
    - admin credentials are not under “Global Administrator” role in Azure Portal, the client needs to have this role in the list.

  3. “Use graph api application” is checked.

  4. “Verify” button returns “Is verified”.


    It means that application id, directory id and the certificate are valid.

    In case “Verify” button returns an error message, groups won’t be synced correctly.

    Common issues here:
    - application id/directory id/certificate are incorrect.

    How to set up graph api guide: Adding Microsoft 365.

  5. ail Address” is selected as a sync source for the users.

    In case “Principal Name” is selected as a sync source, the client needs to have users with an email address as their UserName in Directory Manager.

    In case the client has “Principal Name” selected as a sync source and the users have simple name surname as a UserName in Directory Manager, users won’t be synced correctly, users won’t be able to use SSO.

    Common issues here:
    - change “Principal Name” to “Email Address”.

Application Configuration tab

  1. “Application is Enabled” is checked


Attribute Transformation tab

  1. The list of the attributes contains the following:


    Do not suggest to change default attribute map unless you have a valid reason for it.

    Common issues here:
    - ImmutableID wasn’t created in Passly.

    ImmutableID is the way the users from the cloud and on-prem are linked by. Every user has its own unique ImmutableID. When provisioning the users from Passly to AzureAD, Passly should automatically save user's ImmutableID to user’s attributes as “msol.syncSource” attribute. You can check it on the users Account Attributes tab.

    When the user logs into the office applications using SSO, Passly sends “msol.syncSource” attribute as a special claim as we see on the Attribute Transformation map of the Office 365 application.

    When suggest manual ImmutableID creation use the following map:

    If the user is synced with DirSync, he has ObjectGUID attribute in Passly. msol.syncSource should have same value. Azure AD user should have same ImmutableID.

If the user is local in Passly


If the user in AzureAD already has ImmutableID, it’s not changed.


Permissions tab

  1. Must contain at list one user group.
    The users that should have an opportunity to see “Office 365” applications on the Launchpad and use SSO must be added to that group.

    In case there is no group added, users won’t be synced correctly, users won’t be able to use SSO.

Signing and Encryption tab

  1. Signing Certificate has valid “Valid between” time period.
    Common certificate issue: Unable to login to O365 via Passly and receiving signing certificate expired message


When you apply any changes on the client’s side, please press “Save changes” and reopen application to check whether the settings were updated.

Users and groups are synced automatically every 30 min. 

Was this article helpful?
0 out of 0 found this helpful
Have more questions? Contact us
Provide feedback for the Documentation team!