Office 365 Apps
Microsoft 365 Single Sign-On (SSO) lets users sign in to Microsoft 365 with the credentials of their existing on-premises Active Directory (AD) account, authenticated by the Accops HySecure Gateway acting as a SAML identity provider. Users no longer manage a separate cloud password, and every Microsoft 365 sign-in passes through the gateway's login page and multi-factor authentication, which reduces the exposure of passwords to phishing. By leveraging the existing on-premises AD infrastructure, Microsoft 365 SSO provides seamless authentication across cloud and on-premises applications.
Prerequisites
Before configuring Microsoft 365 SSO, ensure that your environment meets the following requirements:
- Verified Domain: Your on-premises User Principal Name (UPN) domain must be verified in your Azure AD/Microsoft 365 tenant.
- Azure AD Connect Configuration: Install and configure Azure AD Connect to link and synchronize on-premises Active Directory user accounts with Microsoft 365.
- Directory Synchronization: Ensure that your on-premises Active Directory is continuously synchronized with Azure Active Directory.
- Administrative Permissions: A Global Administrator account for the Microsoft 365 tenant is required to establish a secure connection via PowerShell.
- HySecure Gateway Configuration: The Accops HySecure Gateway must be set up with a public DNS name and a valid SSL certificate.
- Access to Management Console: The HySecure Gateway Management Console must be accessible with Security Officer-level privileges.
- Shell Access: Shell access to the HySecure Gateway.
Configurations
Set up HySecure Identity Provider (IdP) for Microsoft 365
Note
This configuration applies to HySecure 5427 with Hotfix 0006 and above, as well as HySecure 7.
Steps to use HySecure as an Identity Provider (IdP) for a SAML-based Microsoft 365 application:
- Configure the HySecure Gateway as a SAML identity provider.
    - Log in to the HySecure management console with Security Officer level privileges.
    - Navigate to Settings > Services Config > SAML Identity Provider.
    - Create a new SAML Identity Provider.
- Enter the following details:
    - Identity Provider Name: Provide a unique name for the Identity Provider.
    - Domain Name: Select the configured HySecure domain that is used to authenticate the user against the authentication server.
    - Entity ID: Enter the unique identifier shared between IdP and SP, in the format https://<gateway FQDN> (for example https://sso.accops.xyz).
    - Single Sign-On Service Endpoint: Enter the IdP URL (HySecure) to which the SP will send SAML SSO requests.
    - Single Logout Service Endpoint: Enter the IdP logout URL to which the SP will send SAML logout requests.
    - NameId Format: Select the name identifier format that the providers use to refer to the user.
    - Certificate Signing Options: Select the SAML signing option (the default value is Sign SAML Assertion).
    - CA Certificate for Signing: Select the certificate used to sign the SAML assertion. Use the certificate that is configured in the SP if the HySecure certificate is used in the SAML SP; otherwise leave the default value.
General Configuration:

| Field | Example | Description |
|---|---|---|
| Identity Provider Name | M365 | Any unique name can be used. |
| Domain Name | Default | Select the configured HySecure domain that is used to authenticate the user against the authentication server. |

Service Endpoints:

| Field | Example |
|---|---|
| Entity ID | https://sso.accops.xyz |
| Single Sign On Service Endpoint | https://sso.accops.xyz/samlv2/sso/ |
| Single Logout Service Endpoint | https://sso.accops.xyz/samlv2/slo/ |
| NameId Format | unspecified |

Certificate Details:

| Field | Example |
|---|---|
| Certificate Signing Options | Sign SAML Assertion |
| Digest Algorithm | SHA-256 |
- Download the SAML SSO Certificate. In the SAML Identity Providers section, download the certificate for the identity provider attached to the Microsoft 365 application.
- Open the certificate in Notepad and copy the content of the SAML SSO Certificate.

Example:

```
-----BEGIN CERTIFICATE-----
MIIGaTCCBFGgAwIBAgIQU6mGzL7jCk9sZBQ2BrwVTjANBgkqhkiG9w0BAQwFADBL
MQswCQYDVQQGEwJBVDEQMA4GA1UEChMHWmVyb1NTTDEqMCgGA1UEAxMhWmVyb1NT
TCBSU0EgRG9tYWluIFNlY3VyZSBTaXRlIENBMB4XDTI1MDMxNTAwMDAwMFoXDTI1
MDYxMzIzNTk1OVowGTEXMBUGA1UEAxMOc3NvLmFjY29wcy54eXowggEiMA0GCSqG
SIb3DQEBAQUAA4IBDwAwggEKAoIBAQCdHKaWWxVw+uxibJeiYIepWFgz2zID5VQH
AIQIqykWWAbyZfdWhUS9nx4aHusSEPfh8HFzbYCDtzL5shxI1uIKScTcUFxbcjCg
WgJWZK3GaDNVnGzrwFr3zcBvZZy6FaMrEzwN63HciufOc6birUruf7S8Lq0KT5xa
h1PaVsiMqQ+/3UvKM/1cqYkVO1zPAM7XgIkk9fw8LY7VYVJFVqhqEBapb2Pqr5ks
Qzy7MZOztEvwC5owNGhLltjSCyvW/9KdZNyMYTEylxZm+YnPagNn+CfjDJp6j737
W0FjFUI4WFAoSyTPAgAVjL25f2sfZp9P5JW0tNvIo86BI79neNAPAgMBAAGjggJ5
MIICdTAfBgNVHSMEGDAWgBTI2XhootkZaNU9ct5fCj7ctYaGpjAdBgNVHQ4EFgQU
q3QKTEDWi4kqW2Flhe/MgVj8s3EwDgYDVR0PAQH/BAQDAgWgMAwGA1UdEwEB/wQC
MAAwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMEkGA1UdIARCMEAwNAYL
KwYBBAGyMQECAk4wJTAjBggrBgEFBQcCARYXaHR0cHM6Ly9zZWN0aWdvLmNvbS9D
UFMwCAYGZ4EMAQIBMIGIBggrBgEFBQcBAQR8MHowSwYIKwYBBQUHMAKGP2h0dHA6
Ly96ZXJvc3NsLmNydC5zZWN0aWdvLmNvbS9aZXJvU1NMUlNBRG9tYWluU2VjdXJl
U2l0ZUNBLmNydDArBggrBgEFBQcwAYYfaHR0cDovL3plcm9zc2wub2NzcC5zZWN0
aWdvLmNvbTCCAQMGCisGAQQB1nkCBAIEgfQEgfEA7wB2AM8RVu7VLnyv84db2Wku
m+kacWdKsBfsrAHSW3fOzDsIAAABlZlgwAcAAAQDAEcwRQIhAMsdk5lNj+eQUkQr
J9EmJO9zAxJCf9FOhF6DZN/DwCIhAiBC/NlCt8yCP+/rhl+7kJcrIOGSmKLUqYMA
9vmVjDkG1gB1AMz7D2qFcQll/pWbU87psnwi6YVcDZeNtql+VMD+TA2wAAABlZlg
wA4AAAQDAEYwRAIgLOkzF3Gq4mmEshBuNQHqplIzJRm9Nnz3BIElzPSLgZgCIGik
cD726raITQX/PjONJz85wmC+DEinOelaUn4/q2mjMBkGA1UdEQQSMBCCDnNzby5h
Y2NvcHMueHl6MA0GCSqGSIb3DQEBDAUAA4ICAQATM2RYOZ3vkbYO2x7fxka0GeJc
ADeeRQl8WyPFS1ZizzPMFuxhKTtJlappBg0duVBNITVkD0gjrxvkVA1DUBfdlh6T
Bhxn2f6wPWjzBepWEHTe1AkwcgDuSlfkbLDLom5T8+QDZ3Az4QA0dugM7ZagqRS9
Ckhr5CYyLOzRb8jhhgSa1RX76fmQd9uVlKKJnSNC9XaKCkhy6NZrbxBH4FGWpNit
bLkGMP6byOSlkCyo5TC2JEBLpSD1c48NY/MwQIU3Zp+2Sdmg+RwNk7zmGICbAEUP
M2JxnO7+9OFYfad5calmamP3vI/lPbynVnmmM3nlDty7zWhoWR7IKef7tHqS1jua
NgI5CLbxUVjCjk1uukPV7/UxFBdfxNvBHfa5NMoDWIOQccO4p3VbrHaMEDwEmr4V
+F0cJAtiu6l/tm6HeFhf1yK0j7f89xdmcMxbTR6Moy4bVOSVM+Zplqwgs16mBvlL
jLnIPEDakCSCFXilwd40nlMUWGy8jl5qsf4NhN2VWkZtTgGoxTuPQZuwvNF+mgVZ
Vb1HTJwCMraZVhZ/Y6gjXoEHWyHQCx3ARgYrRZ/e3BAS2Fmgbdryg3dEeiqJw6E/
mw0WFFDbflIIJmWdMV40iZzd7myayXeZFq/soXxSTJXwcMigVa5zUS1YgO2Nct71
muGN3UL15dsDyAQldQ==
-----END CERTIFICATE-----
```

Note

This certificate is required when federating the M365 domain with the Accops HySecure Gateway. PowerShell expects the value as a single base64 string: drop the BEGIN CERTIFICATE and END CERTIFICATE lines and make sure no line breaks are added when copying the content of the SAML SSO Certificate.
- In the Apps section, select Apps to create an HTTPS type app.

Basic Settings:

| Field | Example |
|---|---|
| Application ID | M365 |
| Display Name | M365 |

Application Settings:

| Field | Example |
|---|---|
| Type | HTTPS |
| Tunnel Type | App Tunnel |
| Application Server Address | Login. |
| Application Port | 443 |
| Protocol | TCP |
| Traffic Routing | Allow |
| Web URL | https://login.microsoftonline.com |
| Access Site Group | LocalSiteGroup |

SSO Settings:

| Field | Example |
|---|---|
| Enable Single Sign-On | Enabled |
| Authentication type | SAML based |
| Select Identity Provider | M365 (DOMAIN:Default) |
| Preconfigured Service Provider | Office365 |
| Service Provider Entity ID | https://login.microsoftonline.com |
| Service Provider Login URL | https://login.microsoftonline.com/login.srf?sso_reload=true |
| Service Provider Logout URL | https://login.microsoftonline.com/logout.srf |
| Response signing option | Sign SAML Assertion |

Mapping Attributes:

| Available attributes | Application claims |
|---|---|
| objectGUID | NameID |
| EmailID | IDPEmail |
| PhoneNo | mobile |
- Add the on-premises Active Directory (synchronized with Azure AD) as an authentication server. The following user mapping attribute is mandatory:

| Available attributes | Application claims |
|---|---|
| objectGUID | objectGUID |

- Add the M365 app to a new or existing Application Group.
- Create or update an Application Access entry in the new or existing Access Controls.
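Before federating the domain it is worth confirming that the objectGUID the gateway will send as NameID is what Microsoft Entra ID expects. Entra matches the NameID of a federated SAML assertion against the user's ImmutableID, which Azure AD Connect fills from the on-premises source anchor (objectGUID, or ms-DS-ConsistencyGuid seeded from objectGUID in a default installation), and the IDPEmail claim must equal the user's cloud UPN. The following check is an added example, not part of this guide or of the HySecure product; it assumes the RSAT ActiveDirectory module and the Microsoft.Graph.Users module are installed, an existing Connect-MgGraph session with the User.Read.All scope, and the user `joe` with UPN `joe@accops.xyz` from this guide.

```powershell
# Added example (not HySecure product code): compare the on-prem objectGUID and UPN of a
# user with the ImmutableID and UPN that Entra ID holds for the synchronized account.
# Assumes: RSAT ActiveDirectory module, Microsoft.Graph.Users module, and an existing
# Connect-MgGraph session with User.Read.All.
Import-Module ActiveDirectory
Import-Module Microsoft.Graph.Users

function Test-FederationClaimsMatch {
    param(
        [Parameter(Mandatory)] [string] $SamAccountName,    # what the user types at the gateway, e.g. 'joe'
        [Parameter(Mandatory)] [string] $UserPrincipalName  # the cloud UPN, e.g. 'joe@accops.xyz'
    )

    # objectGUID is returned as [guid]; ImmutableID is the base64 of its 16 raw bytes,
    # which is exactly what the objectGUID -> NameID mapping in the app makes the gateway send.
    $adUser   = Get-ADUser -Identity $SamAccountName -Properties objectGUID, userPrincipalName
    $expected = [Convert]::ToBase64String($adUser.ObjectGUID.ToByteArray())

    $cloudUser = Get-MgUser -UserId $UserPrincipalName `
        -Property UserPrincipalName, OnPremisesImmutableId, OnPremisesSyncEnabled

    [pscustomobject]@{
        SamAccountName    = $SamAccountName
        OnPremUpn         = $adUser.UserPrincipalName
        CloudUpn          = $cloudUser.UserPrincipalName
        SyncEnabled       = $cloudUser.OnPremisesSyncEnabled
        ExpectedNameId    = $expected
        CloudImmutableId  = $cloudUser.OnPremisesImmutableId
        NameIdMatch       = ($expected -eq $cloudUser.OnPremisesImmutableId)
        # IDPEmail must carry the cloud UPN; a mismatch here means the EmailID attribute
        # mapped to IDPEmail is not the value Entra ID will look for.
        UpnMatch          = ($adUser.UserPrincipalName -eq $cloudUser.UserPrincipalName)
    }
}

$result = Test-FederationClaimsMatch -SamAccountName 'joe' -UserPrincipalName 'joe@accops.xyz'
$result | Format-List

if (-not $result.NameIdMatch) {
    Write-Warning 'NameID will not match ImmutableID: check the Azure AD Connect source anchor (ms-DS-ConsistencyGuid vs objectGUID) before federating.'
}
if (-not $result.UpnMatch) {
    Write-Warning 'On-prem UPN differs from the cloud UPN: make sure the attribute mapped to IDPEmail carries the cloud UPN.'
}
```

Run this for a few users in different OUs before the domain is switched to Federated; once it is, a NameID mismatch shows up only as a failed sign-in at login.microsoftonline.com, which is much harder to diagnose.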
Set up HySecure in Microsoft 365 (Service Provider)
- Open PowerShell as Administrator and install the Microsoft Graph module. If the Microsoft Graph module is already installed, skip this step.

```
Install-Module Microsoft.Graph
```

Reference URL: https://learn.microsoft.com/en-us/powershell/microsoftgraph/installation?view=graph-powershell-1.0
- Connect to Microsoft Graph using the following command in PowerShell:

```
Connect-MgGraph -Scopes "Domain.ReadWrite.All","Directory.AccessAsUser.All"
```

- Sign in to the Microsoft 365 tenant with a Global Administrator account. After authentication completes, close the browser.
- Retrieve the list of domains in your Microsoft 365 tenant using the command Get-MgDomain:

```
PS C:\WINDOWS\system32> Get-MgDomain

Id                              AuthenticationType AvailabilityStatus IsAdminManaged IsDefault IsInitial IsRoot IsVerified
--                              ------------------ ------------------ -------------- --------- --------- ------ ----------
xxxxxxxxoc.onmicrosoft.com      Managed                               True           True      True      True   True
xxxxxxxxoc.mail.onmicrosoft.com Managed                               True           False     False     True   True
accops.xyz                      Managed                               True           False     False     True   True
```
!!! Note
    - Microsoft 365 SSO can only be enabled for verified domains in Microsoft Entra ID (formerly Azure AD).
    - SSO cannot be enabled for onmicrosoft.com domains, as they are managed by Microsoft.
    - SSO cannot be configured for the default domain (the primary domain where users are created); it is only supported for custom domains.
    - Microsoft 365 restricts SSO on the default domain so that administrators can always sign in, even if the Identity Provider (IdP) is unavailable.
    - Organizations without a custom Microsoft 365 domain must register one to enable SSO.
    - Users in a federated domain (a domain with SSO enabled) authenticate at the IdP; any password hashes synchronized for them are not used for sign-in while the domain is federated.
- Update the default domain in Microsoft 365. Sign in to the Microsoft 365 portal as a Global Administrator, open the Microsoft 365 Admin Center and manage domain settings under the Domains section.

!!! Note
    If a custom domain is currently set as the default, change the default domain to the onmicrosoft.com domain. This step is mandatory before configuring the custom domain as a federated domain.

- Click the three dots next to the onmicrosoft.com domain and select Set as default.
- To configure accops.xyz as a federated domain, first set the following PowerShell variables according to your environment:

| Variable | Value | Note |
|---|---|---|
| $DisplayName | "Accops" | Replace with your brand name |
| $Domain | "accops.xyz" | Replace with your custom domain |
| $LogOnUrl | "https://sso.accops.xyz/samlv2/sso/M365" | Replace sso.accops.xyz with your Accops HySecure Gateway FQDN |
| $LogOffUrl | "https://sso.accops.xyz/samlv2/slo/M365" | Replace sso.accops.xyz with your Accops HySecure Gateway FQDN |
| $idpEntityId | "https://sso.accops.xyz" | Replace with your Entity ID |
| $MetadataUri | "https://login.microsoftonline.com/" | No change required |
| $Protocol | "saml" | No change required |
| $SigningCert | "<SAML SSO certificate>" | Replace with the base64 content of the SAML SSO certificate (no BEGIN/END lines, no line breaks) |

The following sample sets all of the required parameters:
```
$DisplayName = "Accops"
$Domain      = "accops.xyz"
$LogOnUrl    = "https://sso.accops.xyz/samlv2/sso/M365"
$LogOffUrl   = "https://sso.accops.xyz/samlv2/slo/M365"
$idpEntityId = "https://sso.accops.xyz"
$MetadataUri = "https://login.microsoftonline.com/"
$Protocol    = "saml"
# Base64 body of the SAML SSO certificate without the BEGIN/END lines.
# The trailing -replace strips every line break so the value is passed as one string.
$SigningCert = @"
MIIGaTCCBFGgAwIBAgIQU6mGzL7jCk9sZBQ2BrwVTjANBgkqhkiG9w0BAQwFADBL
MQswCQYDVQQGEwJBVDEQMA4GA1UEChMHWmVyb1NTTDEqMCgGA1UEAxMhWmVyb1NT
TCBSU0EgRG9tYWluIFNlY3VyZSBTaXRlIENBMB4XDTI1MDMxNTAwMDAwMFoXDTI1
MDYxMzIzNTk1OVowGTEXMBUGA1UEAxMOc3NvLmFjY29wcy54eXowggEiMA0GCSqG
SIb3DQEBAQUAA4IBDwAwggEKAoIBAQCdHKaWWxVw+uxibJeiYIepWFgz2zID5VQH
AIQIqykWWAbyZfdWhUS9nx4aHusSEPfh8HFzbYCDtzL5shxI1uIKScTcUFxbcjCg
WgJWZK3GaDNVnGzrwFr3zcBvZZy6FaMrEzwN63HciufOc6birUruf7S8Lq0KT5xa
h1PaVsiMqQ+/3UvKM/1cqYkVO1zPAM7XgIkk9fw8LY7VYVJFVqhqEBapb2Pqr5ks
Qzy7MZOztEvwC5owNGhLltjSCyvW/9KdZNyMYTEylxZm+YnPagNn+CfjDJp6j737
W0FjFUI4WFAoSyTPAgAVjL25f2sfZp9P5JW0tNvIo86BI79neNAPAgMBAAGjggJ5
MIICdTAfBgNVHSMEGDAWgBTI2XhootkZaNU9ct5fCj7ctYaGpjAdBgNVHQ4EFgQU
q3QKTEDWi4kqW2Flhe/MgVj8s3EwDgYDVR0PAQH/BAQDAgWgMAwGA1UdEwEB/wQC
MAAwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMEkGA1UdIARCMEAwNAYL
KwYBBAGyMQECAk4wJTAjBggrBgEFBQcCARYXaHR0cHM6Ly9zZWN0aWdvLmNvbS9D
UFMwCAYGZ4EMAQIBMIGIBggrBgEFBQcBAQR8MHowSwYIKwYBBQUHMAKGP2h0dHA6
Ly96ZXJvc3NsLmNydC5zZWN0aWdvLmNvbS9aZXJvU1NMUlNBRG9tYWluU2VjdXJl
U2l0ZUNBLmNydDArBggrBgEFBQcwAYYfaHR0cDovL3plcm9zc2wub2NzcC5zZWN0
aWdvLmNvbTCCAQMGCisGAQQB1nkCBAIEgfQEgfEA7wB2AM8RVu7VLnyv84db2Wku
m+kacWdKsBfsrAHSW3fOzDsIAAABlZlgwAcAAAQDAEcwRQIhAMsdk5lNj+eQUkQr
J9EmJO9zAxJCf9FOhF6DZN/DwCIhAiBC/NlCt8yCP+/rhl+7kJcrIOGSmKLUqYMA
9vmVjDkG1gB1AMz7D2qFcQll/pWbU87psnwi6YVcDZeNtql+VMD+TA2wAAABlZlg
wA4AAAQDAEYwRAIgLOkzF3Gq4mmEshBuNQHqplIzJRm9Nnz3BIElzPSLgZgCIGik
cD726raITQX/PjONJz85wmC+DEinOelaUn4/q2mjMBkGA1UdEQQSMBCCDnNzby5h
Y2NvcHMueHl6MA0GCSqGSIb3DQEBDAUAA4ICAQATM2RYOZ3vkbYO2x7fxka0GeJc
ADeeRQl8WyPFS1ZizzPMFuxhKTtJlappBg0duVBNITVkD0gjrxvkVA1DUBfdlh6T
Bhxn2f6wPWjzBepWEHTe1AkwcgDuSlfkbLDLom5T8+QDZ3Az4QA0dugM7ZagqRS9
Ckhr5CYyLOzRb8jhhgSa1RX76fmQd9uVlKKJnSNC9XaKCkhy6NZrbxBH4FGWpNit
bLkGMP6byOSlkCyo5TC2JEBLpSD1c48NY/MwQIU3Zp+2Sdmg+RwNk7zmGICbAEUP
M2JxnO7+9OFYfad5calmamP3vI/lPbynVnmmM3nlDty7zWhoWR7IKef7tHqS1jua
NgI5CLbxUVjCjk1uukPV7/UxFBdfxNvBHfa5NMoDWIOQccO4p3VbrHaMEDwEmr4V
+F0cJAtiu6l/tm6HeFhf1yK0j7f89xdmcMxbTR6Moy4bVOSVM+Zplqwgs16mBvlL
jLnIPEDakCSCFXilwd40nlMUWGy8jl5qsf4NhN2VWkZtTgGoxTuPQZuwvNF+mgVZ
Vb1HTJwCMraZVhZ/Y6gjXoEHWyHQCx3ARgYrRZ/e3BAS2Fmgbdryg3dEeiqJw6E/
mw0WFFDbflIIJmWdMV40iZzd7myayXeZFq/soXxSTJXwcMigVa5zUS1YgO2Nct71
muGN3UL15dsDyAQldQ==
"@ -replace '\s', ''
```
- To configure accops.xyz as a federated domain, run the following command in PowerShell:

```
New-MgDomainFederationConfiguration -DomainId $Domain -ActiveSignInUri $LogOnUrl -PassiveSignInUri $LogOnUrl -DisplayName $DisplayName -IssuerUri $idpEntityId -MetadataExchangeUri $MetadataUri -SignOutUri $LogOffUrl -SigningCertificate $SigningCert -PreferredAuthenticationProtocol $Protocol -FederatedIdpMfaBehavior "rejectMfaByFederatedIdp"
```

The value rejectMfaByFederatedIdp tells Microsoft Entra ID to ignore any MFA claim in the assertion from HySecure and to perform its own MFA whenever a Conditional Access policy requires it, so users may be prompted for MFA twice (once at the gateway, once by Entra). If the MFA performed at the HySecure Gateway should satisfy Entra's MFA requirement instead, use acceptIfMfaDoneByFederatedIdp (Entra accepts the IdP's MFA claim and performs its own MFA only when the IdP did not) or enforceMfaByFederatedIdp (Entra redirects the user back to the IdP for MFA); both make Entra trust the gateway's MFA, so choose them only if that trust is intended.
- Verify the domain authentication status by running Get-MgDomain again:

```
PS C:\Windows\system32> Get-MgDomain

Id                              AuthenticationType AvailabilityStatus IsAdminManaged IsDefault IsInitial IsRoot IsVerified
--                              ------------------ ------------------ -------------- --------- --------- ------ ----------
xxxxxxxxoc.onmicrosoft.com      Managed                               True           True      True      True   True
xxxxxxxxoc.mail.onmicrosoft.com Managed                               True           False     False     True   True
accops.xyz                      Federated                             True           False     False     True   True
```

Check the output to verify the domain status:
    - If AuthenticationType is Federated, the domain is successfully configured for SSO.
    - If AuthenticationType is Managed, the domain is still using Microsoft's default authentication.

Ensure your custom domain (example: accops.xyz) is listed as Federated before proceeding with SSO testing.

- Verify the federation configuration:

```
Get-MgDomainFederationConfiguration -DomainId "accops.xyz" | Format-List
```

Review the output to verify the following details:
    - Federation brand name (DisplayName)
    - Active and passive logon URLs
    - Issuer URI
    - Logoff URL
    - Signing certificate

Ensure all values match the Accops HySecure SAML settings you configured.
- Reconfigure or update SSO settings.

Warning

If you are already using SSO for Office 365 with another identity provider, or want to update the Accops Identity Provider settings for SSO, you must first disable SSO in Office 365 (revert the domain to Managed) and then follow the steps in this guide from Step 6 to Step 7 again.

If you ever need to revert a custom domain from Federated to Managed, use the following command:

```
Update-MgDomain -DomainId "accops.xyz" -BodyParameter @{AuthenticationType="Managed"}
```

Note

Replace the DomainId with your actual domain name. Once the domain is Managed, users in it sign in with their cloud password, so make sure password hash synchronization has run for them, or reset their passwords, before reverting.
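The steps above (set variables, create the federation configuration, verify) are easy to get subtly wrong: a certificate pasted with line breaks, an expired certificate, or a domain that is still the default all fail late and with unhelpful errors. The following script is an added example, not part of this guide or of the HySecure product, that performs the same procedure end to end with the checks done up front: it reads the downloaded SAML SSO certificate from a PEM file (the path C:\certs\hysecure-saml-sso.cer is an assumption), strips the armor and line breaks, parses it to confirm it is a valid, unexpired X.509 certificate, refuses to federate a domain that is unverified, Microsoft-managed, the default, or already federated, and then compares what Entra stored with what was sent.

```powershell
# Added example (not HySecure product code): federate a custom domain with HySecure as the
# SAML IdP, with the pre-checks a practitioner wants before touching a production tenant.
# Assumes: Microsoft.Graph module installed, a Global Administrator account, and the SAML SSO
# certificate downloaded from the gateway to $CertPath (path is an assumption).
Import-Module Microsoft.Graph.Identity.DirectoryManagement

function Get-Base64SigningCert {
    param([Parameter(Mandatory)] [string] $Path)
    # -SigningCertificate expects the bare base64 body as one string: no PEM armor, no newlines.
    $pem = Get-Content -Path $Path -Raw
    $b64 = ($pem -replace '-----BEGIN CERTIFICATE-----', '' -replace '-----END CERTIFICATE-----', '') -replace '\s', ''
    # Parse it so a truncated paste or an expired gateway certificate is caught here, not at sign-in.
    $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new([Convert]::FromBase64String($b64))
    $now = Get-Date
    if ($now -lt $cert.NotBefore -or $now -gt $cert.NotAfter) {
        throw "Signing certificate is outside its validity period ($($cert.NotBefore) to $($cert.NotAfter))"
    }
    Write-Host "Using IdP signing certificate $($cert.Subject), thumbprint $($cert.Thumbprint), expires $($cert.NotAfter)"
    return $b64
}

function Assert-FederatableDomain {
    param([Parameter(Mandatory)] [string] $DomainId)
    # Mirrors the restrictions listed in the note above; each one otherwise surfaces as an API error.
    $d = Get-MgDomain -DomainId $DomainId -ErrorAction Stop
    if (-not $d.IsVerified) { throw "$DomainId is not verified in the tenant" }
    if ($d.IsInitial -or $DomainId -like '*.onmicrosoft.com') { throw "$DomainId is Microsoft-managed and cannot be federated" }
    if ($d.IsDefault) { throw "$DomainId is the default domain; set the onmicrosoft.com domain as default first" }
    if ($d.AuthenticationType -eq 'Federated') { throw "$DomainId is already federated; revert it to Managed first" }
    return $d
}

# --- Parameters: replace with your values ---
$DisplayName = 'Accops'
$Domain      = 'accops.xyz'
$GatewayFqdn = 'sso.accops.xyz'
$LogOnUrl    = "https://$GatewayFqdn/samlv2/sso/M365"
$LogOffUrl   = "https://$GatewayFqdn/samlv2/slo/M365"
$IdpEntityId = "https://$GatewayFqdn"
$MetadataUri = 'https://login.microsoftonline.com/'
$CertPath    = 'C:\certs\hysecure-saml-sso.cer'   # assumed location of the downloaded SAML SSO certificate

Connect-MgGraph -Scopes 'Domain.ReadWrite.All', 'Directory.AccessAsUser.All'

Assert-FederatableDomain -DomainId $Domain | Out-Null
$SigningCert = Get-Base64SigningCert -Path $CertPath

New-MgDomainFederationConfiguration `
    -DomainId $Domain `
    -DisplayName $DisplayName `
    -ActiveSignInUri $LogOnUrl `
    -PassiveSignInUri $LogOnUrl `
    -SignOutUri $LogOffUrl `
    -IssuerUri $IdpEntityId `
    -MetadataExchangeUri $MetadataUri `
    -SigningCertificate $SigningCert `
    -PreferredAuthenticationProtocol 'saml' `
    -FederatedIdpMfaBehavior 'rejectMfaByFederatedIdp'   # Entra performs its own MFA; see the note above

# Verify: the domain must now be Federated and the stored values must match what was sent.
$after = Get-MgDomain -DomainId $Domain
$fed   = Get-MgDomainFederationConfiguration -DomainId $Domain
[pscustomobject]@{
    Domain             = $after.Id
    AuthenticationType = $after.AuthenticationType
    IssuerUri          = $fed.IssuerUri
    PassiveSignInUri   = $fed.PassiveSignInUri
    SignOutUri         = $fed.SignOutUri
    CertMatches        = ($fed.SigningCertificate -eq $SigningCert)
} | Format-List
```

Keep a note of the certificate's NotAfter date: when the gateway's SAML signing certificate is renewed, the federation configuration in Entra must be updated with the new base64 value, or every Microsoft 365 sign-in for the domain will fail signature validation.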
Sign in to your Office 365
Using IdP initiated login
- Go to the Accops Workspace Portal (https://sso.accops.xyz) and enter the sAMAccountName and password of the user. For example:
    Username: joe
    Password: xxxxxx
- Click Sign In.
- Complete Multi-Factor Authentication using one of the MFA options available in the dropdown.
- Upon successful authentication and authorization, the user is redirected to the Accops Workspace Portal.
- Click the M365 icon to launch Single Sign-On (SSO) access to Microsoft 365.
Using SP initiated login
- Go to the Office 365 portal https://office.com and sign in with the email address.
- The authentication request is redirected to the organization's sign-in page (the Accops IdP login portal).
- Enter the sAMAccountName and password of the user and click Sign In. For example:
    Username: joe
    Password: xxxxxx
- If further authentication is required, the Accops IdP server prompts the user for Multi-Factor Authentication (MFA): select one of the available verification methods, complete it, and click Sign In.
- Access to the Office 365 portal should now be successfully established.