Single sign-on (SSO) is a feature that allows users to access multiple applications with one login and password. SSO can improve security, productivity and user experience. In this blog post, we will show you how to enable SSO for Office 365, the cloud-based suite of productivity tools from Microsoft.
To enable SSO for Office 365, you will need to configure your identity provider (IdP) and your Office 365 tenant. The IdP is the service that authenticates your users and provides them with a token that can be used to access other applications. The Office 365 tenant is the domain where your Office 365 services are hosted.
There are two main methods to enable SSO for Office 365: using Azure Active Directory (Azure AD) or using a third-party IdP. Azure AD is the default IdP for Office 365 and it offers seamless integration with other Microsoft services. A third-party IdP is an external service that you can use to manage your user identities and SSO settings.
To use Azure AD as your IdP, you will need to have an Azure AD subscription and connect it to your Office 365 tenant. You can do this by following these steps:
1. Sign in to the Azure portal with an account that has global administrator permissions for your Office 365 tenant.
2. Navigate to Azure Active Directory > Enterprise applications > All applications.
3. Click on + New application and search for Office 365.
4. Select Office 365 and click on Add.
5. On the Overview page, click on Single sign-on and select SAML as the sign-on method.
6. On the Basic SAML Configuration page, enter the following values:
   - Identifier (Entity ID): https://login.microsoftonline.com/
   - Reply URL (Assertion Consumer Service URL): https://login.microsoftonline.com/login.srf
   - Sign on URL: https://portal.office.com
   - Relay State: Leave blank
   - Logout URL: Leave blank
7. On the User Attributes & Claims page, click on Edit and add the following claim:
   - Name: http://schemas.microsoft.com/identity/claims/tenantid
   - Source attribute: user.tenantid
8. On the SAML Signing Certificate page, download the Certificate (Base64) file and save it on your computer.
9. On the Set up Office 365 page, copy the Login URL and the Azure AD Identifier values and save them somewhere.
10. Click on Save.
To use a third-party IdP as your IdP, you will need to have an account with the IdP and configure it to work with Office 365. The exact steps may vary depending on the IdP you choose, but in general, you will need to do the following:
1. Sign in to your IdP's portal with an account that has administrator permissions.
2. Create a new application or service provider for Office 365 and enter the following values:
   - Entity ID: https://login.microsoftonline.com/
   - ACS URL: https://login.microsoftonline.com/login.srf
   - Audience URI: https://login.microsoftonline.com/
   - Name ID Format: EmailAddress
   - Name ID Attribute: user.email
3. Enable SAML 2.0 as the sign-on method and configure the following settings:
   - Signature Algorithm: SHA-256
   - Digest Algorithm: SHA-256
   - Assertion Encryption: Disabled
   - Signing Certificate: Upload or generate a certificate that will be used to sign the SAML assertions.
   - Encryption Certificate: Leave blank
4. Add a custom attribute or claim with the following values:
   - Name: http://schemas.microsoft.com/identity/claims/tenantid
   - Value: Your Office 365 tenant ID (you can find it by signing in to the Microsoft 365 admin center and navigating to Settings > About your organization)
5. Save the application or service provider settings and download or copy the metadata file or URL.
6. Sign in to the Microsoft 365 admin center with an account that has global administrator permissions for your Office 365 tenant.
7. Navigate to Settings > Org settings > Organization profile > Identity provider.
8. Click on + Add identity provider and select Third-party identity provider as the type.
9. Enter a name for your IdP and upload or paste the metadata file or URL from step 5.
10. Click on Save.
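A practical way to confirm the third-party IdP is actually issuing what steps 2 to 4 configure (audience, EmailAddress NameID, SHA-256 signature and digest algorithms, and the tenantid claim) is to inspect a captured assertion before going live. The script below is an added example, not part of the original post or of any IdP product; the sample assertion, the IdP URL and the all-zero tenant ID in it are constructed placeholders.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion", "ds": "http://www.w3.org/2000/09/xmldsig#"}

# What the third-party IdP settings above should produce in every assertion.
EXPECTED = {
    "audience": "https://login.microsoftonline.com/",
    "nameid_format": "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
    "sig_alg": "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256",
    "digest_alg": "http://www.w3.org/2001/04/xmlenc#sha256",
    "tenantid_claim": "http://schemas.microsoft.com/identity/claims/tenantid",
}

def check_assertion(xml_text: str) -> list[str]:
    """Return deviations from EXPECTED (empty list = conforms). Configuration check only:
    the XML signature itself is not cryptographically verified here."""
    root = ET.fromstring(xml_text)
    findings = []
    audience = root.findtext(".//saml:Audience", namespaces=NS)
    if audience != EXPECTED["audience"]:
        findings.append(f"unexpected Audience {audience!r}")
    name_id = root.find(".//saml:Subject/saml:NameID", NS)
    if name_id is None or name_id.get("Format") != EXPECTED["nameid_format"]:
        findings.append("NameID missing or Format is not emailAddress")
    sig = root.find(".//ds:SignedInfo/ds:SignatureMethod", NS)
    if sig is None or sig.get("Algorithm") != EXPECTED["sig_alg"]:
        findings.append("signature algorithm is not RSA-SHA256")
    digest = root.find(".//ds:Reference/ds:DigestMethod", NS)
    if digest is None or digest.get("Algorithm") != EXPECTED["digest_alg"]:
        findings.append("digest algorithm is not SHA-256")
    claims = {a.get("Name"): a.findtext("saml:AttributeValue", namespaces=NS)
              for a in root.findall(".//saml:Attribute", NS)}
    if not claims.get(EXPECTED["tenantid_claim"]):
        findings.append("tenantid claim missing or empty")
    return findings

# Constructed sample (placeholder IdP URL and tenant ID); not a real assertion.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_a1" Version="2.0">
  <saml:Issuer>https://idp.example.com/</saml:Issuer>
  <ds:Signature><ds:SignedInfo><ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
    <ds:Reference URI="#_a1"><ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/></ds:Reference></ds:SignedInfo></ds:Signature>
  <saml:Subject><saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@example.com</saml:NameID></saml:Subject>
  <saml:Conditions><saml:AudienceRestriction><saml:Audience>https://login.microsoftonline.com/</saml:Audience></saml:AudienceRestriction></saml:Conditions>
  <saml:AttributeStatement><saml:Attribute Name="http://schemas.microsoft.com/identity/claims/tenantid">
    <saml:AttributeValue>00000000-0000-0000-0000-000000000000</saml:AttributeValue></saml:Attribute></saml:AttributeStatement>
</saml:Assertion>"""

if __name__ == "__main__":
    print(check_assertion(SAMPLE_ASSERTION) or "assertion matches the configured settings")
```

Run it against an assertion captured from your IdP's test login (for example from the browser's SAML tracer) to catch a SHA-1 signature or a missing tenantid claim before users are affected.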
After you have configured your IdP and your Office 365 tenant, you can test your SSO setup by signing out of Office 365 and signing in again using your IdP’s login page. You should be able to access all your Office 365 applications without entering your password again.
SSO can make your life easier by reducing password fatigue, enhancing security and streamlining workflows. We hope this blog post has helped you understand how to enable SSO for Office 365 using Azure AD or a third-party IdP. If you have any questions or feedback, please leave a comment below.