Troubleshooting Microsoft 365 SSO Application

This article should be used when support faces Office 365 issues.

Be sure that the settings described in the Adding Office 365 guide are set up correctly.

Conditions that must hold in Passly after the Office 365 application is set up:

  1. The Office 365 application is enabled.

  2. The domain is federated.

  3. Domain federation is managed automatically.

  4. User synchronization works.

  5. The user has an “ImmutableId” created in Passly. It is stored as the “msol.syncSource” attribute.

  6. Users/groups have “Office 365 app name (Azure Active Directory)” as the AppSyncSource in Directory Manager.

  7. If “Microsoft Graph” federation is selected, the user has a “microsoft365.Id” attribute that matches the user id in Azure.

  8. If “Microsoft Online” federation is selected with “Use graph for synchronization” checked, the user has a “microsoft365.Id” attribute that matches the user id in Azure.

  9. The user belongs to the permissions group of the Office 365 application.

  10. The user has active Office 365 applications on the Launchpad.

  11. The user is able to log in to Office 365 applications using SSO.

Federation tab

“Microsoft Graph” option selected:

Whether the “Federate automatically” option is checked or unchecked:

  • The “Verify Compatibility” button returns “Domain is Federated”, “Issuer” and “It is Verified”.
    This means the domain has been federated successfully.

  • If the “Verify Compatibility” button returns an issuer that is not the client’s valid Passly URL, the domain is federated to another IdP. Users won’t be able to use Passly for SSO.

  • If the “Verify Compatibility” button returns “Domain is Federated” with a yellow tick, it’s not an issue.

  • If the “Verify Compatibility” button returns “Domain is Managed”, the domain is in a managed state and needs to be federated.

  • If the “Verify Compatibility” button returns an error message, federation won’t work correctly, users and groups won’t be synced correctly, and users won’t be able to use Passly for SSO.

Common error reasons after “Verify Compatibility”:

  • The domain, client id, tenant id or certificate is incorrect;

  • The app registration in Azure doesn’t have all required permissions;

  • A “Domain not found” error message means that the entered domain and the client/tenant ids belong to different tenants in Azure, or the app registration in Azure doesn’t have all required permissions to check the domain. Make sure the client has created the app registration in the correct Azure tenant (the one where the entered domain is listed) and that the app registration has all needed permissions.

How to set up an app registration for Microsoft Graph federation / Graph App registration for Federation and Synchronization - Step 2

If the “Federate automatically” option is checked

The domain is federated when the “Save Changes” button is pressed. If an error occurs while saving the changes, federation wasn’t successful.

Common error reasons after “Save Changes”:

  • The app registration does not hold the “Global Administrator” role in the Azure Portal; the app needs to have this role in the list.

Please do not suggest unchecking the “Federate automatically” option to use manual federation instead, unless you have a valid reason for it.

If the “Federate automatically” option is unchecked

Federation must be done manually. Passly provides a PowerShell (PS) script for this. The domain, client id and tenant id still need to be verified and saved in Passly to enable user and group synchronization.

“Microsoft Online” option selected:

Whether the “Federate automatically” option is checked or unchecked:

  • The “Verify Compatibility” button returns “Domain is Federated”, “Issuer” and “It is Verified”.
    This means the domain has been federated successfully.
  • If the “Verify Compatibility” button returns an issuer that is not the client’s valid Passly URL, the domain is federated to another IdP. Users won’t be able to use Passly for SSO.
  • If the “Verify Compatibility” button returns “Domain is Federated” with a yellow tick, it’s not an issue.
  • If the “Verify Compatibility” button returns “Domain is Managed”, the domain is in a managed state and needs to be federated.
  • If the “Verify Compatibility” button returns an error message, federation won’t work correctly, users and groups won’t be synced correctly, and users won’t be able to use Passly for SSO.

Common error reasons after “Verify Compatibility”:

  • The domain, username or password is incorrect;
  • The admin credentials are subject to a 2FA check; the client needs to disable 2FA in the Azure Portal;
  • The admin credentials do not hold the “Global Administrator” role in the Azure Portal; the client needs to have this role in the list.

If “Use graph api for synchronization” is checked:

The “Verify” button returns “Credentials verified successfully”.

This means that the client id, tenant id and the certificate are valid.
If the “Verify” button returns an error message, users and groups won’t be synced correctly.

Common error reasons after “Verify”:

  • The client id, tenant id or certificate is incorrect;
  • The app registration in Azure doesn’t have all required permissions;
  • A “Domain not found” error message means that the entered domain and the client/tenant ids belong to different tenants in Azure, or the app registration in Azure doesn’t have all required permissions to check the domain. Make sure the client has created the app registration in the correct Azure tenant (the one where the entered domain is listed) and that the app registration has all needed permissions.

How to set up an app registration for Microsoft Graph synchronization only


If the “Federate automatically” option is checked

The domain is federated when the “Save Changes” button is pressed. If an error occurs while saving the changes, federation wasn’t successful.

Please do not suggest unchecking the “Federate automatically” option to use manual federation instead, unless you have a valid reason for it.

If the “Federate automatically” option is unchecked

Federation must be done manually. Passly provides a PowerShell (PS) script for this. The domain, client id and tenant id still need to be verified and saved in Passly.
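
The federation state, issuer and signing certificate that the “Verify Compatibility” button reports can also be confirmed outside Passly. The script below is an added example written for this article; it is not the PS script Passly provides. It assumes the Microsoft.Graph PowerShell SDK is installed and that `$DomainName` and `$ExpectedIssuer` are placeholders you fill in (the expected issuer is the Passly URL shown for the client). It only reads the configuration, so it cannot change federation.

```powershell
# Added example, not Passly's own script: read the domain's federation
# configuration from Microsoft Graph and compare it with what Passly expects.
# Assumes: Microsoft.Graph PowerShell SDK installed (Install-Module Microsoft.Graph)
# and a sign-in that is allowed to read domains.
param(
    [Parameter(Mandatory)] [string] $DomainName,     # placeholder: the client's federated domain
    [Parameter(Mandatory)] [string] $ExpectedIssuer  # placeholder: issuer URI Passly shows for this client
)

# Read-only scope: this script verifies, it never changes federation.
Connect-MgGraph -Scopes 'Domain.Read.All' | Out-Null

# "Domain is Managed" in Passly corresponds to AuthenticationType = Managed here.
$domain = Get-MgDomain -DomainId $DomainName -ErrorAction Stop
if ($domain.AuthenticationType -ne 'Federated') {
    Write-Warning "$DomainName is '$($domain.AuthenticationType)'. It needs to be federated before Passly SSO can work."
    return
}

# The federation record carries the issuer and the IdP's signing certificate.
$fed = Get-MgDomainFederationConfiguration -DomainId $DomainName -ErrorAction Stop |
       Select-Object -First 1

if ($fed.IssuerUri -eq $ExpectedIssuer) {
    Write-Host "$DomainName is federated to the expected issuer: $($fed.IssuerUri)"
} else {
    # Issuer differs: the domain is federated to another IdP, so Passly SSO will fail.
    Write-Warning "$DomainName is federated to another IdP (issuer '$($fed.IssuerUri)'). Users will not be able to use Passly for SSO."
}

# Decode the base64 signing certificate and show its validity period, which should
# match the "Valid between" period on the Signing and Encryption tab.
if ($fed.SigningCertificate) {
    $bytes = [Convert]::FromBase64String($fed.SigningCertificate)
    $cert  = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($bytes)
    Write-Host ("Signing certificate: {0}, valid {1:u} to {2:u}" -f $cert.Subject, $cert.NotBefore, $cert.NotAfter)
    if ($cert.NotAfter -lt (Get-Date)) {
        Write-Warning "The signing certificate registered in Azure has expired; SSO logins will be rejected."
    }
}
```

Save it under any name (for example `Check-Federation.ps1`, a name chosen here) and run `.\Check-Federation.ps1 -DomainName <domain> -ExpectedIssuer <issuer>`. A `Managed` result is the “Domain is Managed” case above, and an issuer that differs from the expected one is the “federated to another IdP” case; both are fixed through Passly (or the provided script for manual federation), not by this check.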

Synchronization tab

User Export

  • “Email Address” is selected as the sync source for the users.
  • If “Principal Name” is selected as the sync source, the client needs to have users with an email address as their UserName in Directory Manager.
  • If the client has “Principal Name” selected as the sync source and the users have a plain “name surname” as their UserName in Directory Manager, users won’t be synced correctly and won’t be able to use SSO.

Common user synchronization error reason and fix:

  • The sync source is “Principal Name”; change it to “Email Address”.

Group export

In order to synchronize groups, “Export Groups” must be enabled.


Application Configuration tab

“Application is Enabled” is checked.

Attribute Transformation tab

The list of attributes should contain the default attribute map.

Please do not suggest changing the default attribute map unless you have a valid reason for it.

Permissions tab

The tab must contain at least one user group.
The users who should be able to launch “Office 365” applications from the Launchpad and use SSO must be added to that group.

If no group is added, users won’t be able to use SSO.

Signing and Encryption tab

The Signing Certificate must be within its “Valid between” time period.
Common certificate issue: https://helpdesk.kaseya.com/hc/en-gb/articles/4468385848849-Unable-to-login-to-O365-via-Passly-and-receiving-signing-certificate-expired-message

User Account Attributes

ImmutableID is the attribute by which cloud and on-prem users are linked. Every user has its own unique ImmutableID. When provisioning users from Passly to Azure AD, Passly should automatically save the user's ImmutableID to the user’s attributes as the “msol.syncSource” attribute. You can check it on the user’s Account Attributes tab.

When the user logs in to the Office applications using SSO, Passly sends the “msol.syncSource” attribute as a special claim, as shown on the Attribute Transformation map of the Office 365 application.

When such an attribute wasn’t generated by Passly automatically, please check the Logs first before suggesting manual ImmutableID creation.

When suggesting manual ImmutableID creation, use the following map:

If the user is synced with DirSync, the user has an ObjectGUID attribute in Passly.
msol.syncSource should have the same value. The Azure AD user should have the same ImmutableID.

If the user is local in Passly:

If the user in Azure AD already has an ImmutableID, it’s not changed.
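
As an added example (not Passly's code), the script below reads the same identifiers from Azure AD with the Microsoft Graph PowerShell SDK and compares them with the values copied from the user's Account Attributes tab in Passly. It covers both the ImmutableID / msol.syncSource link described here and the microsoft365.Id check from the conditions list at the top of the article. The three parameters are placeholders; `-PasslyM365Id` is only needed for Microsoft Graph federation, or Microsoft Online federation with Graph synchronization.

```powershell
# Added example, not Passly's own code: compare the linking attributes Azure AD
# holds for a user with the values shown in Passly's Account Attributes tab.
# Assumes: Microsoft.Graph PowerShell SDK installed and a sign-in allowed to read users.
param(
    [Parameter(Mandatory)] [string] $UserPrincipalName,  # placeholder: the user's UPN
    [Parameter(Mandatory)] [string] $PasslySyncSource,   # placeholder: "msol.syncSource" value from Passly
    [string] $PasslyM365Id                               # placeholder: "microsoft365.Id" value from Passly
)

# Read-only scope: the script reports mismatches, it does not write to Azure AD.
Connect-MgGraph -Scopes 'User.Read.All' | Out-Null

$user = Get-MgUser -UserId $UserPrincipalName `
    -Property Id,UserPrincipalName,OnPremisesImmutableId,OnPremisesSyncEnabled -ErrorAction Stop

# ImmutableID is exposed by Graph as OnPremisesImmutableId. It is a base64 string,
# so compare it case-sensitively (-ceq), not with PowerShell's default -eq.
if (-not $user.OnPremisesImmutableId) {
    Write-Warning "$UserPrincipalName has no ImmutableID in Azure AD. Check the Logs before suggesting manual creation."
} elseif ($user.OnPremisesImmutableId -ceq $PasslySyncSource) {
    Write-Host "ImmutableID matches msol.syncSource: $($user.OnPremisesImmutableId)"
} else {
    # Azure AD keeps an ImmutableID it already has, so the Passly value is the one to correct.
    Write-Warning ("ImmutableID mismatch. Azure AD: '{0}'  Passly msol.syncSource: '{1}'. The SSO claim will not match this user." -f `
        $user.OnPremisesImmutableId, $PasslySyncSource)
}

if ($user.OnPremisesSyncEnabled) {
    Write-Host "User is directory-synced: msol.syncSource must equal the ObjectGUID attribute in Passly."
}

# microsoft365.Id must equal the Azure user id (Graph federation, or Online federation with Graph sync).
if ($PasslyM365Id) {
    if ($user.Id -eq $PasslyM365Id) {
        Write-Host "microsoft365.Id matches the Azure user id: $($user.Id)"
    } else {
        Write-Warning "microsoft365.Id '$PasslyM365Id' does not match the Azure user id '$($user.Id)'. Re-run synchronization."
    }
}
```

Run it with the UPN and the values copied from Passly; a warning on the ImmutableID line is the case where the manual ImmutableID map above applies, and a warning on the microsoft365.Id line points at a synchronization problem rather than at federation.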

Tips:

After applying any changes on the client’s side, press “Save changes” and reopen the application to check whether the settings were updated.
Users and groups are synced automatically every 30 minutes. You can start a manual sync at any time.
