Adding Office 365

Note: Once this integration is enabled, all access to Office 365 will require the use of MFA via SSO.

Note: Hybrid Office 365 deployments are not supported. If you are using a hosted Exchange Server with an Office 365 domain this integration is not compatible.

Note: Using a Server 2012 Essentials server that has been federated with Office 365 is not compatible with this integration.

Note: Trial versions of Office 365 are not compatible with this integration.

Note: Use of a @company.onmicrosoft.com user account to manage the federated domain is required.

Setting up Office 365 in your On-Demand Tenant

  1. Select Directory Manager.
  2. Select Groups.
    Select the green plus sign in the bottom right corner.

    Name the Group Office 365 Users.
    Note: If you have other existing Groups for SSO users you can use one of these as well.
    Select ADD GROUP.
  3. Select SSO Manager.
  4. Select the green plus sign in the bottom right corner.
  5. Select the Catalog Icon.
  6. Select Office 365.

  7. Set your Microsoft Office 365 Online settings. You will need to enter the following.
    Managed Domain:
    Your @company.onmicrosoft.com username
    Password:

    AuthAnvil supports federated sign-in and synchronization with Office 365, which is also known as Microsoft Online Services or Microsoft Azure Active Directory.

    Federation is configured with these settings.
    Managed Domain: This is the domain used to identify the tenant
    Management Username: The *.onmicrosoft.com administrative account username used to synchronize user details
    Password: The management account password


  8. Select Verify Compatibility. You should see the following message if the domain information is successfully verified.
  9. Set your desired Deep Linking into Office 365 Applications
    Select which applications should show up on the launchpad so users can launch directly into them.
  10. Select Application Configuration.
    Ensure that the Application is enabled.
  11. Select the desired Authentication policy.
  12. Select Add Application.
  13. Select Office 365.
  14. Configure Synchronization.
    AuthAnvil supports synchronizing from the Universal Directory to Office 365.
    Enable Synchronization: Enable or disable synchronizing the Universal Directory with Office 365.
    UserName Mapping: The AuthAnvil attribute used in place of the user's User Principal Name.
    Default User License: A license can be applied to users when provisioned if Office 365 has been enabled.
  15. Select Permissions.
  16. Select Add Groups.
    Select the Group you chose in Step 2.
  17. Select Save Changes.


Advanced Settings

Prerequisites for Configuring Office 365 Federation


Configuring Office 365 Federation

  1. Open PowerShell and connect to the Office 365 services. Sign in with the @company.onmicrosoft.com administrative account when prompted.
    # Prompt for the management account credentials, then open the MSOnline session
    $creds = Get-Credential -Message "Configure Office 365 Federation"
    Connect-MsolService -Credential $creds
  2. Execute the following script. This will enable federation with the required AuthAnvil settings.
    # The Office 365 domain being federated (fill in your domain)
    $domain = ""
    # AuthAnvil endpoints on your On-Demand tenant
    $issuer = "https://<My-Tenant>.my.authanvil.com/trust"
    $passiveLogon = "https://<My-Tenant>.my.authanvil.com/trust/launch"
    $activeLogon = "https://<My-Tenant>.my.authanvil.com/services/trust/2005/mixed"
    $mexUri = "https://<My-Tenant>.my.authanvil.com/services/trust/mex"
    # Base64-encoded signing certificate (paste the value shown in the tenant)
    $signingCert = ""
    Note: The actual Signing cert will be displayed in the tenant when you Add the Application.
    Note: Replace <My-Tenant> with your actual On-Demand tenant name.

    Set-MsolDomainFederationSettings -DomainName $domain -IssuerUri $issuer -PassiveLogOnUri $passiveLogon -ActiveLogOnUri $activeLogon -MetadataExchangeUri $mexUri -SigningCertificate $signingCert
  3. Verify the configuration was applied. Run this command and check that the output matches the parameters specified above.
    Get-MsolDomainFederationSettings -DomainName $domain

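Step 3 asks you to compare the output by eye. The script below is an added example (not part of the original article or the AuthAnvil product) that does the comparison for you: it checks that the domain is in the Federated state and that every endpoint and the signing certificate reported by Office 365 match the values from step 2. It assumes the MSOnline module is loaded, Connect-MsolService has already run, and that $domain, <My-Tenant> and the signing certificate are placeholders you fill in as in step 2.

```powershell
# Added example: verify the federation settings applied in step 2.
$domain = "company.com"   # placeholder: the Office 365 domain you federated
$tenant = "<My-Tenant>"   # placeholder: your On-Demand tenant name
$base   = "https://$tenant.my.authanvil.com"

# The values step 2 should have set on the domain.
$expected = @{
    IssuerUri           = "$base/trust"
    PassiveLogOnUri     = "$base/trust/launch"
    ActiveLogOnUri      = "$base/services/trust/2005/mixed"
    MetadataExchangeUri = "$base/services/trust/mex"
    SigningCertificate  = "<paste the signing cert shown when the application was added>"
}

function Test-AuthAnvilFederation {
    param([string]$DomainName, [hashtable]$Expected)
    $ok = $true

    # The domain must be Federated; a Managed domain ignores the settings below.
    $dom = Get-MsolDomain -DomainName $DomainName
    if ($dom.Authentication -ne 'Federated') {
        Write-Warning "$DomainName authentication is '$($dom.Authentication)', expected 'Federated'"
        $ok = $false
    }

    # Compare each reported property against the intended value. The certificate
    # is reported as a base64 string, so whitespace is stripped before comparing.
    $actual = Get-MsolDomainFederationSettings -DomainName $DomainName
    foreach ($name in $Expected.Keys) {
        $want = $Expected[$name] -replace '\s', ''
        $got  = [string]$actual.$name -replace '\s', ''
        if ($want -ne $got) {
            Write-Warning "$name mismatch`n  expected: $want`n  actual:   $got"
            $ok = $false
        }
    }
    return $ok
}

if (Test-AuthAnvilFederation -DomainName $domain -Expected $expected) {
    Write-Host "Federation settings for $domain match the AuthAnvil configuration."
} else {
    Write-Host "Federation settings for $domain differ; re-run step 2 before continuing."
}
```

Any warning printed means Office 365 is not pointing at the expected AuthAnvil endpoints or certificate, so sign-in will not be routed through SSO/MFA as intended until step 2 is repeated.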

Username attributes

If you are using a non-email format for your AAoD usernames, like the following:

  • john.smith
  • jsmith

You might need to add a suffix to the organization to enable MFA authentication from thick clients like Skype for Business and Outlook.

Follow these steps to add a Suffix to the organization to support the use of non-email address usernames.

  1. Select Directory Manager.
  2. Select Organizations.
  3. Select the target organization.
  4. Select Edit.
  5. Add the principal name suffix, including the @domain. Example:
    Note: Use the Office 365 domain that you are federating for the Principal Name Suffix, including the @ symbol.
  6. Select Save changes.
