---
title: Adding Microsoft 365 to your PingOne for Enterprise Dock
description: Add Microsoft 365 to your PingOne for Enterprise Dock from the application catalog.
component: pingoneforenterprise
page_id: pingoneforenterprise:pingone_for_enterprise_app_catalog:p14eapps_ms365
canonical_url: https://docs.pingidentity.com/pingoneforenterprise/pingone_for_enterprise_app_catalog/p14eapps_ms365.html
revdate: October 4, 2023
section_ids:
  pingone-for-enterprise-support-for-microsoft-365: PingOne for Enterprise Support for Microsoft 365
  microsoft-365-prerequisites: Microsoft 365 prerequisites
  preparing-active-directory-for-sso: Preparing Active Directory for SSO
  steps: Steps
  configuring-microsoft-365-in-pingone-for-enterprise: Configuring Microsoft 365 in PingOne for Enterprise
  steps-2: Steps
  next-steps: Next steps
  microsoft-365-connection-configuration: Microsoft 365 Connection Configuration
  before-you-begin: Before you begin
  about-this-task: About this task
  steps-3: Steps
  choose-from: Choose from:
  result: Result:
  result-2: Result:
  microsoft-365-attribute-mapping: Microsoft 365 Attribute Mapping
  about-this-task-2: About this task
  steps-4: Steps
  choose-from-2: Choose from:
  next-steps-2: Next steps
  microsoft-365-app-customization: Microsoft 365 App Customization
  steps-5: Steps
  troubleshooting: Troubleshooting
  next-steps-3: Next steps
  microsoft-365-group-access: Microsoft 365 Group Access
  about-this-task-3: About this task
  steps-6: Steps
  next-steps-4: Next steps
---

# Adding Microsoft 365 to your PingOne for Enterprise Dock

Add Microsoft 365 to your PingOne for Enterprise Dock from the application catalog.

|   |                                                                                                                                                                                                                                                                   |
| - | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
|   | If you use Azure Active Directory as your identity repository, you cannot integrate with Microsoft 365 through PingOne for Enterprise. This configuration creates a redirect loop where Azure and PingOne for Enterprise try to authenticate through one another. |

PingOne for Enterprise support for Microsoft 365 depends on factors such as:

* The type of Microsoft 365 client you want to use

* The identity repository you've configured for PingOne for Enterprise

## PingOne for Enterprise Support for Microsoft 365

| Client | Support Level | Exceptions |
| ------ | ------------- | ---------- |
| Passive profile or browser-based logins. These logins use portal.office.com or login.microsoft.com. | Supported | None |
| Active Profile or thick clients. These logins use thick clients installed on servers, desktops, or mobile devices. Includes Word, Excel, PowerPoint, Outlook, and SharePoint. | Supported only when AD Connect is your identity repository.<br><br>You must disable Integrated Windows Authentication (IWA) if you're using AD Connect without IIS.<br><br>AD Connect without IIS doesn't support IWA with the Active Profile, and Office clients don't support forms-based authentication. | Not supported when PingFederate or ADFS is your identity repository. If you use any identity provider (IdP) other than AD Connect, thick client logins are not supported. |

Learn more in [Connecting to an identity repository](../pingone_for_enterprise/p14e_connecting_idp.html).

## Microsoft 365 prerequisites

* Active Directory must be deployed and running with a functional level of mixed or native mode on:

  * Windows Server 2012

  * Windows Server 2012 R2

  * Windows Server 2016

  * Windows Server 2019 (Desktop only, not Core)

* You must configure Microsoft Azure Active Directory Module for Windows PowerShell to establish a federated trust between your IdP and Azure AD.

  |   |                                                                                                                                                                                                                         |
  | - | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
  |   | For more information, see [Connect to Microsoft 365 with PowerShell](https://docs.microsoft.com/en-us/microsoft-365/enterprise/connect-to-microsoft-365-powershell?view=o365-worldwide) in the Microsoft documentation. |

* You must install the required Microsoft cloud service subscription updates to make sure your users are running the latest version of Windows.

## Preparing Active Directory for SSO

### Steps

1. Run the Microsoft Readiness Toolkit.

   This application inspects your Active Directory environment and reports whether you are ready to set up single sign-on (SSO). If not, it lists the changes that you need to make.

   Learn more in [Microsoft 365 Apps readiness dashboard](https://learn.microsoft.com/en-us/intune/configmgr/sum/deploy-use/office-365-dashboard#bkmk_readiness-dash) in the Microsoft documentation.

2. Make sure that your user principal names (UPNs) are assigned and properly formatted:

   * The UPN domain suffix must be under the domain you're going to use for SSO.

   * The domain that you want to federate must be registered as a public domain with a domain registrar or within your own public DNS servers.

     If your Active Directory domain name is not a public internet domain (for example, if it ends with the .local suffix), you must set UPNs with an internet domain suffix that can be registered publicly. This should be a domain that is familiar to your users, such as their email domain.

   For more information about creating UPNs, see [Add UPN suffixes and update your users to them](https://learn.microsoft.com/en-us/microsoft-365/enterprise/prepare-a-non-routable-domain-for-directory-synchronization?view=o365-worldwide#add-upn-suffixes-and-update-your-users-to-them) in the Microsoft documentation.

   * If you have already set up Active Directory synchronization, the users' cloud UPN might not match the on-premises UPN defined in Active Directory.

     You can rename users' UPNs using the [Set-MsolUserPrincipalName cmdlet](https://docs.microsoft.com/en-us/powershell/module/msonline/set-msoluserprincipalname?view=azureadps-1.0) in the Microsoft Azure Active Directory Module for Windows PowerShell.
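An added example, not from the Ping Identity page, that audits on-premises UPNs against the domain you plan to federate so that users with a missing UPN or a non-routable suffix (such as `.local`) are found before federation. The ActiveDirectory module, the `Get-UpnReadinessReport` function name, and `example.com` are assumptions.

```powershell
# Added example (not Ping Identity's code): report users whose UPN would block
# SSO for the federated domain. Assumes the ActiveDirectory module is installed.
Import-Module ActiveDirectory

function Get-UpnReadinessReport {
    param(
        [Parameter(Mandatory)] [string] $FederatedDomain,   # public domain to federate, e.g. example.com
        [string] $SearchBase                                 # optional OU to limit the audit
    )
    $params = @{ Filter = 'Enabled -eq $true'; Properties = 'UserPrincipalName' }
    if ($SearchBase) { $params.SearchBase = $SearchBase }

    Get-ADUser @params | ForEach-Object {
        $upn = $_.UserPrincipalName
        $status = if (-not $upn) {
            'MissingUPN'                                     # no UPN assigned at all
        } elseif ($upn -notmatch '@') {
            'MalformedUPN'                                   # not user@domain
        } elseif (($upn -split '@')[1] -ne $FederatedDomain) {
            'WrongSuffix'                                    # e.g. .local or another domain
        } else {
            'OK'
        }
        [pscustomobject]@{
            SamAccountName    = $_.SamAccountName
            UserPrincipalName = $upn
            Status            = $status
        }
    }
}

# Usage: list only the accounts that need a UPN change before federating example.com
Get-UpnReadinessReport -FederatedDomain 'example.com' |
    Where-Object Status -ne 'OK' |
    Format-Table -AutoSize
```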

## Configuring Microsoft 365 in PingOne for Enterprise

### Steps

1. In the PingOne for Enterprise admin console, go to **Applications > Application Catalog**.

2. **Optional:** In the **Search** field, search for the application.

3. Click the **Office 365** application line to expand it and click **Setup**.

4. On the **SSO Instructions** tab, click **Continue to Next Step**.

5. On the **Basic Information** tab:

   1. Copy the values for the following settings:

      * **Issuer URI**

      * **Passive Log On URI**

      * **Active Log On URI**

      * **Log Off URI**

      * **Metadata Exchange URI**

   2. Click **Download** to download the signing certificate.

   3. Click **Continue to Next Step**.

6. On the **Connection Configuration** tab, select the **Force Re-authentication** checkbox to force users with an active single sign-on (SSO) session to reauthenticate before using Microsoft 365.

   Reauthentication ensures that active sessions don't cause problems with Microsoft 365 SSO.

### Next steps

Click **Continue to Next Step**.

## Microsoft 365 Connection Configuration

### Before you begin

You must have an .onmicrosoft.com admin account to add a domain and configure DNS for Microsoft 365.

### About this task

To add a domain to Microsoft 365 and configure domain federation:

### Steps

1. In the Microsoft 365 Admin Center, go to **Settings > Domains**.

2. Click **Add Domain**.

3. In the **Enter a domain you own** field, enter the name of your domain.

4. Click **Next**.

5. Choose a method to verify your ownership of the domain:

   #### Choose from:

   * Use Domain Connect to let Microsoft verify the domain.

   * Add a TXT record to your domain's DNS using the values supplied by Microsoft.

   * Upload a text file to your website's top-level folder.

6. Click **Verify**.

7. Configure the DNS records on the domain registrar for other services.

   |   |                                                                                                                                                                                                                                 |
   | - | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
   |   | Do not make the new domain the primary domain for your Microsoft 365 account. Setting the new domain as the default domain causes an error when you use `Set-MsolDomainAuthentication` to set the domain as a federated domain. |

   Learn more in [Add a domain to Microsoft 365](https://learn.microsoft.com/en-us/microsoft-365/admin/setup/add-domain) in the Microsoft documentation.

   #### Result:

   You've added your domain. Now you're ready to configure federation.

8. At the PowerShell command line, enter `Connect-MsolService`.

   #### Result:

   PowerShell initiates a connection to Azure and opens an embedded browser window.

9. In the browser window, sign on to the Azure tenant with a Global Administrator account.

10. Run the following commands in the Azure AD PowerShell session.

    |   |                                                                                                              |
    | - | ------------------------------------------------------------------------------------------------------------ |
    |   | You can find the values shown in angle brackets in the Microsoft 365 application configuration tab in PingOne for Enterprise. |

    ```powershell
    # Values in angle brackets come from the Microsoft 365 application tab in PingOne for Enterprise
    $dom = "<your domain name, such as example.com>"
    $BrandName = "<The name of your organization, such as Example Inc.>"
    $ActiveLogOn = "<The Active Log On URI value from PingOne for Enterprise>"
    $LogOnUrl = "<The Passive Log On URI value from PingOne for Enterprise>"
    $LogOffUrl = "<The Log Off URI value from PingOne for Enterprise>"
    $MyURI = "<The Issuer URI value from PingOne for Enterprise>"
    $Metadata = "<The Metadata Exchange URI value from PingOne for Enterprise>"
    $MySigningCert = "<The Signing Certificate text from PingOne for Enterprise in base64 format, on a single line>"
    # Switch the domain from managed to federated authentication through PingOne for Enterprise
    Set-MsolDomainAuthentication `
        -DomainName $dom `
        -FederationBrandName $BrandName `
        -Authentication Federated `
        -PassiveLogOnUri $LogOnUrl `
        -SigningCertificate $MySigningCert `
        -IssuerUri $MyURI `
        -LogOffUri $LogOffUrl `
        -MetadataExchangeUri $Metadata `
        -ActiveLogOnUri $ActiveLogOn
    ```

    |   |                                                                                                                                                                                                                        |
    | - | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
    |   | When copying the base64-encoded signing certificate to enter into the MSOL cmdlet, make sure to remove any line breaks in the certificate text. Line breaks will cause errors when attempting to execute the commands. |

11. Use the following commands to confirm domain federation settings:

    * `Get-MsolDomain`: check the status of domain federation.

    * `Set-MsolDomainAuthentication`: change the authentication type for a given domain.

      |   |                                                                                                                                                                            |
      | - | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
      |   | For a complete list of commands, see [MSOnline](https://learn.microsoft.com/en-us/powershell/module/msonline/?view=azureadps-1.0#msonline) in the Microsoft documentation. |
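An added example (not Ping Identity's code) covering the signing-certificate note in step 10 and the verification in step 11: it turns the downloaded PingOne certificate into the single-line base64 value that `-SigningCertificate` expects, and then confirms with `Get-MsolDomain` and `Get-MsolDomainFederationSettings` that the domain is federated with the PingOne values. It assumes the MSOnline module is loaded and `Connect-MsolService` has already run; the file path, domain, and function names are placeholders.

```powershell
# Added example (not Ping Identity's code). Assumes MSOnline is loaded and
# Connect-MsolService has been run; paths and domain names are placeholders.

function ConvertTo-MsolSigningCertificate {
    # Returns the PEM or raw-base64 certificate file as one base64 line, which is
    # what -SigningCertificate expects; line breaks make the cmdlet fail.
    param([Parameter(Mandatory)] [string] $Path)
    $raw = Get-Content -Path $Path -Raw
    $b64 = ($raw -replace '-----(BEGIN|END) CERTIFICATE-----', '') -replace '\s', ''
    # Round-trip through X509Certificate2 to prove the text is a valid certificate
    $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new(
        [Convert]::FromBase64String($b64))
    if ($cert.NotAfter -lt (Get-Date)) {
        throw "Signing certificate expired on $($cert.NotAfter); download a current one from PingOne."
    }
    Write-Verbose "Using signing certificate $($cert.Subject), thumbprint $($cert.Thumbprint)"
    return $b64
}

function Test-MsolFederation {
    # Confirms the domain is federated and that Azure AD holds the PingOne values.
    param(
        [Parameter(Mandatory)] [string] $DomainName,
        [Parameter(Mandatory)] [string] $ExpectedIssuerUri,
        [Parameter(Mandatory)] [string] $ExpectedSigningCertificate
    )
    $domain = Get-MsolDomain -DomainName $DomainName
    if ($domain.Authentication -ne 'Federated') {
        throw "$DomainName is '$($domain.Authentication)', not Federated."
    }
    $fed = Get-MsolDomainFederationSettings -DomainName $DomainName
    $issues = @()
    if ($fed.IssuerUri -ne $ExpectedIssuerUri) { $issues += "IssuerUri is $($fed.IssuerUri)" }
    if (($fed.SigningCertificate -replace '\s', '') -ne $ExpectedSigningCertificate) {
        $issues += 'SigningCertificate does not match the PingOne certificate'
    }
    if ($issues) { throw ($issues -join '; ') }
    return $fed
}

# Usage (placeholders): prepare $MySigningCert for step 10, then verify after federating
$MySigningCert = ConvertTo-MsolSigningCertificate -Path 'C:\pingone\signing-cert.crt'
Test-MsolFederation -DomainName 'example.com' `
    -ExpectedIssuerUri '<Issuer URI from PingOne for Enterprise>' `
    -ExpectedSigningCertificate $MySigningCert
```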

## Microsoft 365 Attribute Mapping

### About this task

PingOne automatically populates required SAML attributes.

For Microsoft 365, the required attributes are:

* `subject`: maps to the `userPrincipalName` Active Directory attribute.

* `guid`: maps to the `objectGUID` Active Directory attribute.

  |   |                                                                                                                                                                                                                                                                                                                                     |
  | - | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
  |   | Microsoft has updated the default `sourceAnchor` attribute to use `mS-DS-ConsistencyGuid` by default. To determine which option is best for your organization, see [Azure AD Connect: Design concepts](https://docs.microsoft.com/en-us/azure/active-directory/hybrid/plan-connect-design-concepts) in the Microsoft documentation. |

### Steps

1. To add an additional optional attribute, click **Add new attribute**.

2. In the **Application Attribute** field, enter the attribute name as it appears in the application.

3. In the **Identity Bridge Attribute or Literal Value** field, choose one of the following:

   #### Choose from:

   * To map to the application attribute: Enter or select a directory attribute.

   * To assign to the application attribute: Select **As Literal**, then enter a literal value.

4. To create advanced attribute mappings, click **Advanced**.

   Learn more in [Creating advanced attribute mappings](../pingone_for_enterprise/p14e_creating_advaced_attribute_mappings.html).

### Next steps

Click **Continue to Next Step**.

## Microsoft 365 App Customization

### Steps

* To change the application icon, click **Select image** and upload a local image file.

  The image file must be:

  * PNG, GIF, or JPG format

  * 312 x 52 pixels maximum

  * 2 MB maximum file size

    |   |                                                  |
    | - | ------------------------------------------------ |
    |   | Images are scaled to 64 x 64 pixels for display. |

* To change the name of the application displayed on the dock, in the **Name** field, enter a new name.

* To change the description of the application, in the **Description** field, enter the new description text.

* To change the category to which the application is assigned on the dock, in the **Category** list, select a category.

  Learn more in [Creating a custom application category](../pingone_for_enterprise/p14e_creating_custom_application_category.html).

### Troubleshooting

If you did not download the signing certificate on the **Basic Information** tab, an error message will prevent you from proceeding.

### Next steps

Click **Continue to Next Step**.

## Microsoft 365 Group Access

### About this task

The **Group Access** tab shows every user group that you have created.

Learn more in [Adding user groups](../pingone_for_enterprise/p14e_add_groups.html).

### Steps

* To add a group's access to the application, on the line for that group, click **Add**.

* To remove a group's access, on the line for that group, click **Remove**.

* When you're finished assigning groups, click **Continue to Next Step**.

### Next steps

On the **Review Setup** tab, review your configuration. Click **Finish** to add the application to your PingOne Dock.
