Configure Single Sign-on for Office 365 (2024)

You can enable users to sign on to Office 365 using one of the following methods:

  • Secure Web Authentication (SWA)
  • WS-Federation - automatic
  • WS-Federation - manual

SWA is a single sign-on method developed by Okta. It stores the end user credentials using strong encryption combined with a customer-specific private key. When the end user clicks the app, Okta securely signs them in using the encrypted credentials. See SWA app integrations.

WS-Federation defines mechanisms to transfer identity information using encrypted SOAP messages. It doesn't require a separate password for Office 365. See WS-Fed app integrations.

Before you begin

  • Complete Add Office 365 to Okta.
  • Bring users into Okta: You can import users from a directory such as Active Directory (AD) or an app such as Salesforce. Currently, Okta doesn't support imports that take longer than two hours to complete. Contact Support if you have this type of import. You can also create users directly in Okta. See the following for more information:

    • Manage Active Directory users and groups
    • Import users
    • Add users manually
  • Disable the Microsoft MFA for the Office 365 admin account that you’re using for WS-Federation. If the MFA is enabled, it can break provisioning and single sign-on setups in Okta.
  • If you're integrating an Azure AD tenant that has the Web Sign-in option Enabled in Microsoft Endpoint Manager admin center, ensure that its configuration settings allow your Okta org URL. See the Microsoft Doc for Policy CSP - Authentication.

Start this task

  1. You can use one of the following methods to configure single sign-on for Office 365:

    • Configure Single Sign-on with Secure Web Authentication
    • Configure Single Sign-on with WS-Federation - automatic method
    • Configure Single Sign-on using WS-Federation - automatic method (Microsoft Graph)
    • Configure Single Sign-on with WS-Federation - manual method
    • Configure Single Sign-on with WS-Federation - manual method (Microsoft Graph)
  2. Once you've configured single sign-on, complete Test Single Sign-on configuration.

Configure Single Sign-on with Secure Web Authentication

You can enable users to sign in to Office 365 using either SWA or WS-Federation. When possible, use WS-Federation because it's more secure than SWA.

  1. Go to Office 365 > Sign on > Settings > Edit.
  2. In Sign on Methods, select Secure Web Authentication.
  3. Select the appropriate option for username and password setup. See Secure Web Authentication.
  4. Map username format as explained in section 3. Test provisioning.
  5. Click Save.

Configure Single Sign-on with WS-Federation

There are two ways of configuring WS-Federation: automatically and manually. You can allow Okta to automatically configure WS-Federation or you can manually configure it using the customized PowerShell script provided by Okta. Configuring WS-Federation automatically is recommended because Okta takes care of the back-end procedures.

Configure Single Sign-on with WS-Federation - automatic method

  1. Go to Office 365 > Sign on > Settings > Edit.
  2. In Sign on Methods, select WS-Federation > Automatic.
  3. Enter your Office 365 Administrator Username and Password.
  4. Click Fetch and Select. This displays a list of all Office 365 domains available for federation.
  5. Select domains that you want to federate.
  6. Click Save.

Ensure your administrator credentials for Office 365 aren't in the domain you're federating.

Federating a domain that contains your administrator account locks you out of the Office 365 domain. You won't be able to authenticate yourself in Microsoft 365 Admin Center, because you have to authenticate through Okta, where you're treated as a user, not as an admin. Ensure you're using administrator credentials for an account that is on your default Office 365 domain. The default tenant domain is yourtenant.onmicrosoft.com.

Configure Single Sign-on using WS-Federation - automatic method (Microsoft Graph)

If you enabled the MS Graph federation feature, your navigation is different.

  1. Go to Office 365 > Sign on > Settings > Edit.
  2. In Sign on Methods, select WS-Federation > Automatic.
  3. Click Authenticate with Microsoft Office 365. You're redirected to the Microsoft account login page.
    1. Log into Microsoft as a Global Administrator for your Microsoft tenant.
    2. Read and accept the requested permissions.
  4. Click Fetch and Select. This displays a list of all Office 365 domains available for federation.
  5. Select domains that you want to federate.
  6. Click Save.

Ensure your administrator credentials for Office 365 are NOT in the domain you're federating.

Federating a domain that contains your administrator account locks you out of the Office 365 domain. You won't be able to authenticate yourself in Microsoft 365 Admin Center, because you have to authenticate through Okta, where you're treated as a user, not as an admin. Ensure you're using administrator credentials for an account that is on your default Office 365 domain. The default tenant domain is yourtenant.onmicrosoft.com.

Configure Single Sign-on with WS-Federation - manual method

  1. Go to Office 365 > Sign on > Settings > Edit.
  2. In Sign on Methods, select WS-Federation > Manual using PowerShell.
  3. Click View Setup Instructions for the PowerShell command customized for your domain.
  4. Copy this command for use in PowerShell.

In PowerShell:

  1. Enter Connect-MsolService.
  2. Enter your Office 365 Global Administrator username and password.
  3. Enter the copied customized PowerShell command.
  4. Ensure that the federation is successful by entering this command:

       Get-MsolDomainFederationSettings -DomainName yourdomain.name

Configure Single Sign-on with WS-Federation - manual method (Microsoft Graph)

If you enabled the MS Graph federation feature, the PowerShell commands are different.

  1. Go to Office 365 > Sign on > Settings > Edit.
  2. In Sign on Methods, select WS-Federation > Manual using PowerShell.
  3. Click View Setup Instructions for the PowerShell command customized for your domain.
  4. Copy this command for use in PowerShell.

In PowerShell:

  1. Enter Connect-MgGraph -Scopes Directory.AccessAsUser.All.
  2. Enter your Office 365 Global Administrator username and password.
  3. Enter the copied customized PowerShell command.
  4. Ensure that the federation is successful by entering this command:

       Get-MgDomainFederationConfiguration -DomainId yourdomain.name
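
A pre-flight and verification check for the Microsoft Graph procedure above and for the administrator lockout warning earlier on the page, as an added example that is not Okta's generated command. $DomainToFederate and $ExpectedIdpHost are placeholders, and expecting the passive sign-in URI to sit on your Okta org host is an assumption; Get-MgDomain and Get-MgContext come from the Microsoft Graph PowerShell SDK.

```powershell
# Added example; not Okta's generated federation command.
# Placeholders (assumptions): replace both values with your own.
$DomainToFederate = 'yourdomain.name'       # domain from the steps above
$ExpectedIdpHost  = 'yourorg.okta.example'  # hypothetical Okta org host

function Test-AdminOutsideDomain {
    # $true when the admin UPN is NOT in the domain being federated.
    param([string]$AdminUpn, [string]$Domain)
    return (($AdminUpn -split '@')[-1] -ne $Domain)  # -ne is case-insensitive
}

function Test-FederationConfig {
    # Returns the problems found in one federation configuration object.
    param($Config, [string]$IdpHost)
    $problems = @()
    foreach ($name in 'IssuerUri', 'PassiveSignInUri', 'SigningCertificate') {
        if ([string]::IsNullOrWhiteSpace($Config.$name)) { $problems += "$name is empty" }
    }
    $uri = $Config.PassiveSignInUri -as [uri]
    if ($uri -and -not ($uri.IsAbsoluteUri -and $uri.Scheme -eq 'https' -and $uri.Host -eq $IdpHost)) {
        $problems += "PassiveSignInUri '$uri' is not under https://$IdpHost"
    }
    return $problems
}

Connect-MgGraph -Scopes Directory.AccessAsUser.All

# Pre-check: the signed-in administrator must live outside the federated domain.
$admin = (Get-MgContext).Account
if (-not (Test-AdminOutsideDomain -AdminUpn $admin -Domain $DomainToFederate)) {
    throw "$admin is in $DomainToFederate; sign in with an onmicrosoft.com admin instead."
}
if ($admin -notlike '*.onmicrosoft.com') {
    Write-Warning "$admin is not on the default tenant domain (yourtenant.onmicrosoft.com)."
}

# Post-check: meaningful once the customized federation command has completed.
$domain = Get-MgDomain -DomainId $DomainToFederate
if ($domain.AuthenticationType -ne 'Federated') {
    Write-Warning "$DomainToFederate is still '$($domain.AuthenticationType)'."
}
foreach ($cfg in Get-MgDomainFederationConfiguration -DomainId $DomainToFederate) {
    $issues = Test-FederationConfig -Config $cfg -IdpHost $ExpectedIdpHost
    if ($issues) { $issues | ForEach-Object { Write-Warning $_ } }
    else { Write-Output "Federation for $DomainToFederate matches the expected IdP." }
}
```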

Test Single Sign-on configuration

  1. Log into Okta as a test user.
  2. Open Office 365 from the End-User Dashboard.
  3. Ensure that the user is successfully logged in to the Office 365 account.

Next step

Provision users to Office 365

FAQs

How to configure SSO for Office 365?

Configure SSO with Secure Web Authentication
  1. Go to Office 365 > Sign on > Settings > Edit.
  2. In Sign on Methods, select Secure Web Authentication.
  3. Select the appropriate option for username and password setup. See Secure Web Authentication.
  4. Map username format as explained in section Test provisioning.
  5. Click Save.

How to resolve single sign-on issue?

General troubleshooting
  1. In your IdP: Confirm that your Org ID, Entity ID, and ACS URL are all correct. Review the SAML attribute statements that you've entered. Regenerate the SAML metadata and replace it in Iterable.
  2. In Iterable: Check the SAML Domain field. Learn how. Replace the SAML metadata from your IdP.

Why is my SSO not working in Teams?

Verify that your SSO settings are correctly configured: Check with your IT department or SSO provider to make sure that your SSO settings are correctly configured for use with the Teams desktop app. Clear your Teams desktop app cache: Clearing the cache in the Teams desktop app can sometimes resolve login issues.

How do I automatically sign in to Outlook add in with single sign-on SSO credentials?

In the navigation menu, click Advanced and then click Security. In the Sign-in Methods section, enable the Automatically sign in to Outlook add-in with Single Sign-On (SSO) credentials option.

How do I set up SSO authentication?

Configure the SSO profile for your organization
  1. Sign in to your Google Admin console. ...
  2. In the Admin console, go to Menu > Security > Authentication. ...
  3. In Third-party SSO profile for your organization, click Add SSO profile.
  4. Check the Set up SSO with third-party identity provider box.

How does SSO work with Office 365?

With SSO being enabled users can use the same Office 365 username and password (credentials) to access multiple apps as they don't need to remember different passwords for multiple apps.

What is a single sign-on SSO solution?

A single sign-on solution can simplify username and password management for both users and administrators. Users no longer have to keep track of different sets of credentials and can simply remember a single more complex password. SSO often enables users to just get access to their applications much faster.

How do I change the single sign-on Microsoft?

Turn SSO on or off
  1. Open Drive and click Team dashboard in the lower left corner.
  2. On the left, click Permissions.
  3. Under Single sign-on (SSO), select an option: ...
  4. In the confirmation box, click Confirm.
  5. If you selected Microsoft (OIDC), enter your Microsoft password.

How do I update my single sign-on?

Update single sign-on values

To update the single sign-on values: In the Microsoft Entra admin center, select Edit in the Basic SAML Configuration section on the Set up single sign-on pane. For Reply URL (Assertion Consumer Service URL), enter the Assertion Consumer Service (ACS) URL value that you previously recorded.

How do I know if SSO is working?

The most straightforward way to test this is to use a set of valid and invalid account information and use SSO to sign in. The ideal behavior is that SSO should be successful for valid data and unsuccessful for invalid data. Any deviation from ideal behavior is of serious concern and should be fixed on high priority.

What should you use to configure the Teams SSO settings for the app?

To enable SSO for a Teams tab app:
  • Configure app with Microsoft Entra ID: Create a Microsoft Entra app to generate an app ID and application ID URI. ...
  • Add code: Add the code to handle access token, send this token to your app's server code in the Authorization header, and validate the access token when it's received.
Apr 10, 2024

How do I test Microsoft SSO?

Procedure
  1. Go to Microsoft website to find the application created in Azure Active Directory.
  2. Scroll to the Validate single sign-on section and click Validate.
  3. Select Sign in as current user. This test lets you check if the enabled configuration works for your administrator account.

Does Office 365 have SSO?

Overview. To use single sign-on (SSO) with Entra ID/Office 365, you'll need to make sure you have: Active SIS sync with Clever. Entra ID Premium OR Entra ID and PowerShell Proficiency.

What is Single Sign-On SSO with Active Directory?

Single sign-on (SSO) solutions allow users to login to multiple applications with just one set of credentials, eliminating the hassle and risk of managing different combinations of usernames and passwords. To enable single sign-on with Active Directory, you'll need to use ADFS or a third-party tool.

Does Office 365 use SAML?

Microsoft supports this sign-on experience as the integration of a Microsoft cloud service, such as Microsoft 365, with your properly configured SAML 2.0 profile-based IdP.

How is SSO enabled for Microsoft cloud services such as Office 365?

Launch the Microsoft 365 configuration app. Select the UserLock SSO server domain to be connected to Microsoft 365. This also initiates installation of the MSOnline Powershell module and requires signing into the Azure Ad admin account. Choose the organization's AD domain to be federated with Microsoft 365.

Article information

Author: Trent Wehner
