Adding Microsoft 365 to your PingOne for Enterprise Dock
Add Microsoft 365 to your PingOne for Enterprise Dock from the application catalog.
If you use Azure Active Directory as your identity repository, you cannot integrate with Microsoft 365 through PingOne for Enterprise. This configuration creates a redirect loop in which Azure and PingOne for Enterprise each try to authenticate through the other.
PingOne for Enterprise support for Microsoft 365 depends on factors such as:
- The type of Microsoft 365 client you want to use
- The identity repository you’ve configured for PingOne for Enterprise
PingOne for Enterprise Support for Microsoft 365

Client | Support Level | Exceptions
---|---|---
Passive profile or browser-based logins. These logins use portal.office.com or login.microsoft.com. | Supported | None
Active profile or thick clients. These logins use thick clients installed on servers, desktops, or mobile devices. | Supported only when AD Connect is your identity repository. | Not supported when PingFederate or ADFS is your identity repository. If you use any identity provider (IdP) other than AD Connect, thick client logins are not supported.
For more information about identity repositories, see Connecting to an identity repository.
Microsoft 365 prerequisites
- Active Directory must be deployed and running with a functional level of mixed or native mode on:
  - Windows Server 2012
  - Windows Server 2012 R2
  - Windows Server 2016
  - Windows Server 2019 (Desktop only, not Core)
- You must configure the Microsoft Azure Active Directory Module for Windows PowerShell to establish a federated trust between your IdP and Azure AD.
  For more information, see Connect to Microsoft 365 with PowerShell in the Microsoft documentation.
- You must install the required Microsoft cloud service subscription updates to make sure your users are running the latest version of Windows.
Preparing Active Directory for SSO
Steps
- Run the Microsoft Readiness Toolkit.
  This application inspects your Active Directory environment and reports whether you are ready to set up single sign-on (SSO). If not, it lists the changes that you need to make.
  For more information, see Use the Readiness Toolkit to assess application compatibility for Microsoft 365 apps in the Microsoft documentation.
- Make sure that your user principal names (UPNs) are assigned and properly formatted:
  - The UPN domain suffix must be under the domain you’re going to use for SSO.
  - The domain that you want to federate must be registered as a public domain with a domain registrar or within your own public DNS servers.
    If your Active Directory domain name is not a public internet domain (for example, if it ends with the .local suffix), you must set UPNs with an internet domain suffix that can be registered publicly. This should be a domain that is familiar to your users, such as their email domain.
    For more information about creating UPNs, see Add UPN suffixes and update your users to them in the Microsoft documentation.
  - If you have already set up Active Directory synchronization, the users' UPN in Azure AD might not match the on-premises UPN defined in Active Directory.
    You can rename users' UPNs using the Set-MsolUserPrincipalName cmdlet in the Microsoft Azure Active Directory Module for Windows PowerShell.
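The UPN checks above can be scripted before you federate, so that accounts whose suffix will not match the SSO domain are found in advance rather than at first login. This is an added example, not part of the Ping documentation; it assumes the ActiveDirectory PowerShell module in a domain-joined admin session, and the domain name passed in is a constructed placeholder.

```powershell
# Added example (not from the Ping documentation): report enabled AD users whose
# UPN suffix does not match the domain you intend to federate for SSO.
# Assumes the ActiveDirectory module is available; the domain below is constructed.
Import-Module ActiveDirectory

function Test-UpnReadiness {
    param(
        [Parameter(Mandatory)] [string] $FederatedDomain,   # e.g. example.com (constructed)
        [string] $SearchBase                                # optional OU to limit the scan
    )
    $query = @{ Filter = 'Enabled -eq $true'; Properties = 'UserPrincipalName', 'SamAccountName' }
    if ($SearchBase) { $query.SearchBase = $SearchBase }

    foreach ($u in Get-ADUser @query) {
        $upn = $u.UserPrincipalName
        # Classify each account; only 'OK' accounts will match their cloud identity after federation
        $state = if (-not $upn)                                { 'MissingUPN' }
                 elseif ($upn -notmatch '^[^@\s]+@[^@\s]+$')   { 'MalformedUPN' }
                 elseif ($upn.Split('@')[1] -ieq $FederatedDomain) { 'OK' }
                 elseif ($upn -match '\.local$')               { 'NonRoutableSuffix' }
                 else                                          { 'OtherSuffix' }
        [pscustomobject]@{
            SamAccountName = $u.SamAccountName
            UPN            = $upn
            State          = $state
        }
    }
}

# Usage: list every account that still needs a UPN suffix change before SSO goes live
Test-UpnReadiness -FederatedDomain 'example.com' |
    Where-Object State -ne 'OK' |
    Sort-Object State, SamAccountName |
    Format-Table -AutoSize
```

Accounts reported as NonRoutableSuffix or OtherSuffix are the ones to fix with Set-MsolUserPrincipalName (cloud side) or Set-ADUser -UserPrincipalName (on premises) before enabling federation.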
Configuring Microsoft 365 in PingOne for Enterprise
Steps
- In the PingOne for Enterprise admin console, go to Applications → Application Catalog.
- Optional: In the Search field, search for the application.
- Click the Office 365 application line to expand it and click Setup.
- On the SSO Instructions tab, click Continue to Next Step.
- On the Basic Information tab:
  - Copy the values for the following settings:
    - Issuer URI
    - Passive Log On URI
    - Active Log On URI
    - Log Off URI
    - Metadata Exchange URI
  - Click Download to download the signing certificate.
  - Click Continue to Next Step.
- On the Connection Configuration tab, select the Force Re-authentication check box to force users with an active single sign-on (SSO) session to reauthenticate before using Microsoft 365.
  Reauthentication ensures that active sessions don’t cause problems with Microsoft 365 SSO.
Next steps
Click Continue to Next Step.
Microsoft 365 Connection Configuration
Before you begin
You must have an .onmicrosoft.com admin account to add a domain and configure DNS for Microsoft 365.
About this task
To add a domain to Microsoft 365 and configure domain federation:
Steps
- In the Microsoft 365 Admin Center, go to Settings → Domains.
- Click Add Domain.
- In the Enter a domain you own field, enter the name of your domain.
- Click Next.
- Choose a method to verify your ownership of the domain:
  - Use Domain Connect to let Microsoft verify the domain.
  - Add a TXT record to your domain’s DNS using the values supplied by Microsoft.
  - Upload a text file to your website’s top-level folder.
- Click Verify.
- Configure the DNS records on the domain registrar for other services.
  Do not make the new domain the primary domain for your Microsoft 365 account. Setting the new domain as the default domain causes an error when you use Set-MsolDomainAuthentication to set the domain as a federated domain. For more information, see Add a domain to Microsoft 365 in the Microsoft documentation.
  Result: You’ve added your domain. Now you’re ready to configure federation.
- At the PowerShell command line, enter Connect-MsolService.
  Result: PowerShell initiates a connection to Azure and opens an embedded browser window.
- In the browser window, sign on to the Azure tenant with a Global Administrator account.
- Run the following commands in the Azure AD PowerShell.
  You can find the values shown in angle brackets in the Microsoft 365 application configuration tab in PingOne for Enterprise.

```powershell
# Values copied from the PingOne for Enterprise Basic Information tab
$dom           = "<your domain name, such as example.com>"
$BrandName     = "<The name of your organization, such as Example Inc.>"
$ActiveLogOn   = "<The Active Log On URI value from PingOne for Enterprise>"
$LogOnUrl      = "<The Passive Log On URI value from PingOne for Enterprise>"
$LogOffUrl     = "<The Log Off URI value from PingOne for Enterprise>"
$MyURI         = "<The Issuer URI value from PingOne for Enterprise>"
$Metadata      = "<The Metadata Exchange URI value from PingOne for Enterprise>"
$MySigningCert = "<The Signing Certificate text from PingOne for Enterprise in base64 format>"

# Convert the verified domain to federated authentication, pointing Azure AD at PingOne for Enterprise
Set-MsolDomainAuthentication `
    -DomainName $dom `
    -FederationBrandName $BrandName `
    -Authentication Federated `
    -PassiveLogOnUri $LogOnUrl `
    -SigningCertificate $MySigningCert `
    -IssuerUri $MyURI `
    -LogOffUri $LogOffUrl `
    -MetadataExchangeUri $Metadata `
    -ActiveLogOnUri $ActiveLogOn
```

  When copying the base64-encoded signing certificate to enter into the MSOL cmdlet, make sure to remove any line breaks in the certificate text. Line breaks cause errors when you attempt to execute the commands.
- Use the following commands to confirm domain federation settings:
  - Get-MsolDomain: check the status of domain federation.
  - Set-MsolDomainAuthentication: change the authentication type for a given domain.
  For a complete list of commands, see MSOnline in the Microsoft documentation.
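The two manual steps most likely to go wrong here are pasting the signing certificate with line breaks and mistyping one of the URIs. The following added example (not from the Ping documentation) builds the single-line base64 certificate from the downloaded file and then compares what Azure AD stored against the values copied from PingOne for Enterprise; it assumes the MSOnline module is loaded, Connect-MsolService has already run, and the file path, domain and URI placeholders are constructed.

```powershell
# Added example, not part of the Ping documentation. Assumes MSOnline is loaded and
# Connect-MsolService has run; the path, domain and URI values are constructed placeholders.

function ConvertTo-MsolSigningCert {
    param([Parameter(Mandatory)] [string] $Path)
    $raw = Get-Content -Path $Path -Raw
    if ($raw -match 'BEGIN CERTIFICATE') {
        # PEM: drop the armor lines and every line break or space
        $b64 = ($raw -replace '-----(BEGIN|END) CERTIFICATE-----', '') -replace '\s', ''
    } else {
        # DER: re-read as bytes and encode
        $b64 = [Convert]::ToBase64String([IO.File]::ReadAllBytes($Path))
    }
    # Parse it back so a truncated or wrapped paste fails here, not inside Azure AD
    $bytes = [Convert]::FromBase64String($b64)
    $cert  = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($bytes)
    if ($cert.NotAfter -lt (Get-Date)) { throw "Signing certificate expired on $($cert.NotAfter)" }
    [pscustomobject]@{ Base64 = $b64; Thumbprint = $cert.Thumbprint; NotAfter = $cert.NotAfter }
}

function Test-MsolFederation {
    param(
        [Parameter(Mandatory)] [string] $DomainName,
        [Parameter(Mandatory)] [hashtable] $Expected   # keys are Get-MsolDomainFederationSettings properties
    )
    # The domain itself must report Federated, otherwise the settings below are not in use
    $domain = Get-MsolDomain -DomainName $DomainName
    [pscustomobject]@{ Setting = 'Authentication'; Expected = 'Federated'; Actual = $domain.Authentication;
                       Match = ($domain.Authentication -eq 'Federated') }
    $fed = Get-MsolDomainFederationSettings -DomainName $DomainName
    foreach ($k in $Expected.Keys) {
        [pscustomobject]@{ Setting = $k; Expected = $Expected[$k]; Actual = $fed.$k;
                           Match = ($fed.$k -eq $Expected[$k]) }
    }
}

# Usage (constructed values): build the certificate string for Set-MsolDomainAuthentication,
# then list every federation setting that does not match the PingOne for Enterprise values.
$cert = ConvertTo-MsolSigningCert -Path 'C:\pingone\microsoft365-signing.crt'
$MySigningCert = $cert.Base64
Test-MsolFederation -DomainName 'example.com' -Expected @{
    IssuerUri           = '<Issuer URI from PingOne for Enterprise>'
    PassiveLogOnUri     = '<Passive Log On URI from PingOne for Enterprise>'
    ActiveLogOnUri      = '<Active Log On URI from PingOne for Enterprise>'
    LogOffUri           = '<Log Off URI from PingOne for Enterprise>'
    MetadataExchangeUri = '<Metadata Exchange URI from PingOne for Enterprise>'
    SigningCertificate  = $MySigningCert
} | Where-Object { -not $_.Match }
```

An empty result means every stored setting, including the certificate Azure AD will use to validate PingOne for Enterprise assertions, matches what you intended.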
Microsoft 365 Attribute Mapping
About this task
PingOne automatically populates the required SAML attributes.
For Microsoft 365, the required attributes are:
- subject: maps to the userPrincipalName Active Directory attribute.
- guid: maps to the objectGUID Active Directory attribute. Microsoft has updated the default sourceAnchor attribute to use ms-DS-consistencyGUID by default. To determine which option is best for your organization, see Azure AD Connect: Design concepts in the Microsoft documentation.
Steps
- To add an additional optional attribute, click Add new attribute.
- In the Application Attribute field, enter the attribute name as it appears in the application.
- In the Identity Bridge Attribute or Literal Value field, choose one of the following:
  - To map a directory attribute to the application attribute: enter or select a directory attribute.
  - To assign a fixed value to the application attribute: select As Literal, then enter a literal value.
- To create advanced attribute mappings, click Advanced.
  For more information, see Create advanced attribute mappings.
Next steps
Click Continue to Next Step.
Microsoft 365 App Customization
Steps
- To change the application icon, click Select image and upload a local image file.
  The image file must be:
  - PNG, GIF, or JPG format
  - 312 x 52 pixels maximum
  - 2 MB maximum file size
  Images are scaled to 64 x 64 pixels for display.
- To change the name of the application displayed on the dock, in the Name field, enter a new name.
- To change the description of the application, in the Description field, enter the new description text.
- To change the category to which the application is assigned on the dock, in the Category list, select a category.
  For information about creating custom application categories, see Creating a custom application category.
Troubleshooting
If you did not download the signing certificate on the Basic Information tab, an error message prevents you from proceeding.
Next steps
Click Continue to Next Step.
Microsoft 365 Group Access
About this task
The Group Access tab shows every user group that you have created.
For more information about creating user groups, see Add user groups.
Steps
- To add a group’s access to the application, on the line for that group, click Add.
- To remove a group’s access, on the line for that group, click Remove.
- When you’re finished assigning groups, click Continue to Next Step.
Next steps
On the Review Setup tab, review your configuration. Click Finish to add the application to your PingOne Dock.