Skip to main content

Microsoft Office 365 SAML integration

Office 365 is a cloud-based, subscription model version of Microsoft Office. Office 365 contains the same core applications as traditional versions of Office, including Word, Excel, PowerPoint, Outlook, OneNote, and, depending on the plan purchased, may also include other apps and services such as Publisher, Planner, OneDrive, Exchange, SharePoint, Access, Skype, Yammer, and Microsoft Teams.

Multi-Factor Authentication (MFA) is an extra layer of security used when logging into websites or apps. Individuals are authenticated through more than one required security and validation procedure that only you know or have access to.

Arculix by SecureAuth offers an SSO-MFA solution for Office 365 that enables strong authentication and secure access to your Azure and Office 365 tenant via SAML protocol.

Prerequisites

  • Arculix account with a configured Identity Provider and LDAP Agent.

    For more information, see the Arculix LDAP Agent deployment guide.

  • User account with administrative privileges for Arculix.

  • An organization identifier provided by Arculix (organization slug).

  • A Microsoft™ Azure Active Directory tenant with custom domain configuration.

  • An Azure Active Directory tenant administrator account.

  • Arculix acts as an identity provider (IdP) for Office 365 and authenticates users against your existing on-premises Active Directory credentials. On the other hand, Office 365 uses Azure AD as its identity store. Then, on-premises AD users should be synchronized to Azure AD through Azure AD Connect application. In addition, all the Azure AD users that will be authenticated via Arculix SAML must have an immutableID set. To identify which users may not have an immutableID set, run the following PowerShell™ command (Make sure you have the MSOnline PowerShell module installed via “Install-Module -Name MSOnline” and connect to your Azure instance via “Connect-MsolService” command):

    Get-MsolUser -All | Select-Object UserprincipalName,ImmutableID
    
    UserPrincipalName                  ImmutableId
    -----------------                  -----------
    User1@example.com      123ABC45-67EF-90GH-12IJ-34KL56MN7890P
    User2@example.com
    
  • Make sure you have the latest WMF (Windows management framework) installed. You can check the version of your PowerShell with this command:

    Get-Host | Select-Object Version
    
  • Users that do not show an ImmutableID such as User2@example.com, will not be able to login using SAML. To change the ImmutableID for specific users, run the following PowerShell command (replace UserPrincipalName with the affected user UserPrincipalName, e.g., User2@example.com):

    $guid = New-Guid
    Set-MSOLUser -UserPrincipalName UserPrincipalname -ImmutableID $guid
    

Arculix SAML configuration as an Identity Provider (IdP)

In this section, you'll add an application for Office 365 and set the SAML configuration settings. This will be the Identity Provider (IdP) side of the configuration.

  1. Log in to Arculix with an administrative account and go to Applications.

  2. Click Create New Application.

    Create new application
  3. In the New Application form, on the General tab, set the following configurations:

    Name

    Set the name of the application. This is the name to display for push notifications, in the Admin panel, Application portal, and audit logs.

    For example, Office 365.

    Type

    Set to SAML Service Provider.

    Out of Band Methods

    Select the allowed methods end users can choose to approve MFA requests.

    For example, Arculix Mobile app (push notifications), SMS, or Security Key.

    Message for MFA Requests

    (Optional) Type a message displayed to end users when sending an MFA request via push notification, SMS, or email.

    arculix_new_app_365.png
  4. Select the SAML Service Provider Configuration tab, and set the following configurations:

    Issuer or Entity ID

    Set to urn:federation:MicrosoftOnline.

    Log in URL

    Enter the URL to log in to Azure or Office 365 portals.

    The options are: https://portal.azure.com, https://portal.office.com, or https://login.microsoftonline.com/login.srf.

    Metadata URL

    Enter the the Microsoft metadata URL:

    https://nexus.microsoftonline-p.com/federationmetadata/saml20/federationmetadata.xml

    NameID Format

    Set to Persistent.

    Name Identifier

    Set to ObjectGUID.

    ACS URL

    Enter the Microsoft ACS URL:

    https://login.microsoftonline.com/login.srf.

    arculix_365_saml_settings.png
  5. Click Add New Attribute Assertion button and set the following:

    Friendly Name

    Set to Email.

    Name

    Set to IDPEmail.

    Value

    Set to the name used for the email attribute in your user directory.

    For example, email.

    Name Format

    Set to urn:oasis:names:tc:SAML:2.0:attrname-format:basic.

    arculix_attribute_365.png
  6. In the Response Hosts section, add the following response hosts:

    • portal.azure.com

    • portal.office.com

    • login.microsoftonline.com

    arculix_response_hosts_365.png
  7. Save your changes.

  8. Download your SAML IdP X509 certificate from http://sso.arculix.com/[organization identifier]/saml/download/cert

    Note

    Azure AD requires the certificate in string format. Before you use this certificate, open the file in a text editor and edit the certificate by removing the line breaks and the begin/end certificate directives in such a way to have it as a single line string format.

    This web utility can do this automatically.

Office 365 configuration

In this section, you'll configure Office 365 as a service provider (SP).

  1. Run PowerShell as an administrator and connect to your Azure instance with the command below. You need to login with your Azure tenant administrator account.

    Note

    This admin account should be in a separate domain than the one that will be federated. For example, a member of the default domain that is provided by Microsoft.

    Connect-MsolService
    
  2. Retrieve all domains for the company (verified or unverified) to identify the domain should be federated.

    Get-MsolDomain
    
  3. Run the following script in a PowerShell environment.

    Note

    Most of the following values come from the earlier Arculix SAML configuration as an Identity Provider (IdP) section. Update these values where necessary.

    # The domain you want to authenticate against SAML(mandatory)
    $domain="example.com"
    # Identify who your IdP is
    $BrandName = "Arculix SAML IDP"
    # Logon URL (mandatory)
    $LogOnUrl = "https://sso.arculix.com/[organization identifier]/saml/auth"
    # Logoff URL (mandatory)
    $LogOffUrl = "https://sso.arculix.com/[organization identifier]/saml/logout"
    # The IdP Certificate. Note the use of @ to make it a raw text variable.
    $SigningCert = "Copy your Arculix Appliance SAML signing certificate got earlier in one single line, here"
    # The issuer URI. 
    $uri = "https://sso.arculix.com/[organization identifier]/saml"
    $Protocol = "SAMLP"
    
  4. After defining the parameters, issue the below command . A successful run of the command should not return any errors.

    Set-MsolDomainAuthentication -DomainName $domain -FederationBrandName $BrandName -Authentication federated -PassiveLogOnUri $LogOnUrl -SigningCertificate $SigningCert -IssuerUri $uri -LogOffUri $LogOffUrl -PreferredAuthenticationProtocol $Protocol 
    

    To verify if the domain is configured to use SAML, use the following command:

    Get-MsolDomainFederationSettings -domainname example.com | fl *
    

    The output should be similar to the following and must show the same values as used in the script variables above.

    ExtensionData                          : System.Runtime.Serialization.ExtensionDataObject
    ActiveLogOnUri                         :
    DefaultInteractiveAuthenticationMethod :
    FederationBrandName                    : arculix.com
    IssuerUri                              : https://sso.arculix.com/org-id/saml
    LogOffUri                              : https://sso.arculix.com/org-id/saml/logout
    MetadataExchangeUri                    :
    NextSigningCertificate                 :
    OpenIdConnectDiscoveryEndpoint         :
    PassiveLogOnUri                        : https://sso.arculix.com/org-id/saml/auth
    PasswordChangeUri                      :
    PasswordResetUri                       :
    PreferredAuthenticationProtocol        : Samlp
    PromptLoginBehavior                    :
    SigningCertificate                     : MII 79701424009245946274090644119698913542736738414383197137136495653488597823440743026907540474162173229890086677980241691766203566484177525691391892547529556572165857639252331212281503088199745189921112D=
    SigningCertificateUpdateStatus         :
    SupportsMfa                            :
    

Test your application integration

  1. Go to the Azure or Office 365 portals.

  2. You will be redirected to the Arculix SSO page.

    Application login page with email
  3. After successful authentication, select your preferred MFA method to approve access to the Office 365 application.

    Select an authenticator
  4. Finally, you will be redirected to your Azure/Office 365 landing page.

    365_dashboard.png

Troubleshooting

If you may receive an error page. It might take different forms:

  • If you receive an "Incorect username or password, please try again" error message, then check if your username and password are correct. If after checking your credentials, it still fails to log you in, please contact our support.

  • If you receive an Azure branded error web page such as below, check that the script you run exactly matches the values you obtained from the Arculix IdP. Correct any discrepancies and rerun the script.

    365_sign_in_failed.png
  • If you receive an Azure branded error web page such as below, check that the script you run exactly matches the values you obtained from the Arculix IdP. Correct any discrepancies and rerun the script.

    Set-MsolDomainAuthentication -DomainName example.com -Authentication “managed”
    

Support

If you have questions or need assistance, contact SecureAuth Support.

Sales

Want to learn more about our MFA solutions? Contact our Professional Services for a demo today.

Disclaimer

All product names, trademarks, and registered trademarks are the property of their respective owners.

All company, product, and service names used in this document are for identification purposes only. The use of these names, trademarks, and brands do not constitute an endorsement by the SecureAuth Corporation.

Azure, PowerShell, Microsoft, and 'Active Directory' are either registered trademarks or trademarks of Microsoft and/or one or more of its subsidiaries in the United States and/or other countries.