Note: Once this integration is enabled all access to Office 365 will require the use of MFA via SSO.
Note: Hybrid Office 365 deployments are not supported. If you are using a hosted Exchange Server with an Office 365 domain this integration is not compatible.
Note: Office 365 domains configured via ADFS (Active Directory Federation Services) are not compatible.
Note: Using a Server 2012 Essentials server that has been federated with Office 365 is not compatible with this integration.
Note: Trial versions of Office 365 are not compatible with this integration.
Note: Use of a @company.onmicrosoft.com user account to manage the federated domain is required.
Note: Thick Clients will need to support and have Modern Authentication enabled to allow a federated login.
Setting up Office 365 in your Passly Tenant
- Select Directory Manager.
- Select Groups.
- Select the Blue plus sign in the bottom right corner.
- Name the Group Office 365 Users.
Note: If you have other existing Groups for SSO users you can use one of these as well.
- Select ADD GROUP.
- Select SSO Manager.
- Select the Blue plus sign in the bottom right corner.
- Select the Catalog Icon.
- Select Office 365.
- Set your Microsoft Office 365 Online settings. You will need to enter the following:
Managed Domain:
Management Username: your @company.onmicrosoft.com username
Password:
Passly supports federated sign-in and synchronization with Office 365, which is also known as Microsoft Online Services or Microsoft Azure Active Directory.
Federation is configured with these settings:
Managed Domain: The domain used to identify the tenant.
Management Username: The *.onmicrosoft.com administrative account username used to synchronize user details.
Password: The management account password.
- Select Verify Compatibility. You should see the following message if the domain information is successfully verified.
- Set your desired Deep Linking into Office 365 Applications. Select which applications should show up on the launchpad so users can launch directly into them.
- Select Application Configuration. Ensure that the Application is enabled.
- Select the desired Authentication Policy.
- Select Add Application.
- Select Office 365.
- Configure Synchronization. Passly supports synchronizing from the Universal Directory to Office 365.
Enable Synchronization: Enable or disable synchronizing the Universal Directory with Office 365.
UserName Mapping: The Passly attribute used in place of the user's User Principal Name.
Default User License: A license can be applied to users when provisioned if Office 365 has been enabled.
- Select Permissions.
- Select Add Groups.
- Select the Group you chose in Step 2.
- Select Save Changes.
Advanced Settings
Prerequisites for Configuring Office 365 Federation
- Microsoft Online Service Sign-in Assistant for IT Professionals RTW
- Windows Azure Active Directory Module for Windows PowerShell (64-bit version)
Configuring Office 365 Federation
- Open PowerShell and connect to the Office 365 services. You will be prompted for the @company.onmicrosoft.com management account credentials.
$creds = Get-Credential -Message "Configure Office 365 Federation"
Connect-MsolService -Credential $creds
- Execute the following script. This will enable federation with the required Passly settings.
# The Office 365 domain being federated (for example company.com)
$domain = ""
$issuer = "https://(<My-Tenant).my.passly.com/trust"
$passiveLogon = "https://(<My-Tenant).my.passly.com/trust/launch"
$activeLogon = "https://(<My-Tenant).my.passly.com/services/trust/2005/mixed"
$mexUri = "https://(<My-Tenant).my.passly.com/services/trust/mex"
# Base64-encoded signing certificate copied from the Passly tenant
$signingCert = "<signing certificate shown in the tenant>"
Note: The actual Signing cert will be displayed in the tenant when you Add the Application.
Note: Replace (<My-Tenant) with your actual On-Demand tenant.
Set-MsolDomainFederationSettings -DomainName $domain -IssuerUri $issuer -PassiveLogOnUri $passiveLogon -ActiveLogOnUri $activeLogon -MetadataExchangeUri $mexUri -SigningCertificate $signingCert
- Verify the configuration was applied. Run this command and check that the output matches the parameters specified above.
Get-MsolDomainFederationSettings -DomainName $domain
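Rather than comparing the Get-MsolDomainFederationSettings output by eye, the following script is an added example (not Passly's own code) that checks each federation URI against the values the script above sets and decodes the stored signing certificate to report its thumbprint and expiry. It assumes the MSOnline module is installed and Connect-MsolService has already been run; $Tenant and $Domain are placeholders for your tenant name and federated domain.

```powershell
# Added example, not part of the Passly documentation. Assumes the
# MSOnline module is loaded and Connect-MsolService has already run.
param(
    [string]$Tenant = "<My-Tenant>",       # placeholder: your Passly tenant
    [string]$Domain = "<federated-domain>" # placeholder: the Office 365 domain
)

$base = "https://$Tenant.my.passly.com"
# The endpoints the federation script above is expected to have set.
$expected = [ordered]@{
    IssuerUri           = "$base/trust"
    PassiveLogOnUri     = "$base/trust/launch"
    ActiveLogOnUri      = "$base/services/trust/2005/mixed"
    MetadataExchangeUri = "$base/services/trust/mex"
}

$actual = Get-MsolDomainFederationSettings -DomainName $Domain
$problems = @()

foreach ($name in $expected.Keys) {
    if ($actual.$name -ne $expected[$name]) {
        $problems += [pscustomobject]@{
            Setting = $name; Expected = $expected[$name]; Actual = $actual.$name
        }
    }
}

# SigningCertificate is stored base64-encoded; decode it to confirm it
# parses as X.509 and to surface the expiry date before it lapses.
if ([string]::IsNullOrWhiteSpace($actual.SigningCertificate)) {
    $problems += [pscustomobject]@{
        Setting = "SigningCertificate"; Expected = "<present>"; Actual = "<empty>"
    }
} else {
    $bytes = [Convert]::FromBase64String($actual.SigningCertificate)
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,$bytes)
    Write-Host ("Signing cert thumbprint {0}, valid until {1:u}" -f $cert.Thumbprint, $cert.NotAfter)
    if ($cert.NotAfter -lt (Get-Date).AddDays(30)) {
        Write-Warning "Signing certificate expires within 30 days; federated sign-in will fail once it lapses."
    }
}

if ($problems.Count -eq 0) {
    Write-Host "Federation settings for $Domain match the expected Passly endpoints."
} else {
    Write-Warning "Federation settings for $Domain differ from what was expected:"
    $problems | Format-Table -AutoSize
}
```

Run it after Set-MsolDomainFederationSettings; an empty problem table means Office 365 stored exactly the endpoints the script intended.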
Username attributes
If you are using a non-email format for your Passly usernames like the following:
- john.smith
- jsmith
You might need to add a suffix to the organization to enable MFA authentication from thick clients such as Skype for Business and Outlook.
Follow these steps to add a Principal Name Suffix to the organization so that non-email-address usernames are supported.
- Select Directory Manager.
- Select Organizations.
- Select the target organization.
- Select Edit.
- Add the Principal Name Suffix to include the @domain. Example:
Note: Use the Office 365 domain that you are federating for the Principal Name Suffix, including the @ symbol.
- Select Save changes.