Working with Service accounts and Office 365

Note: This information requires that you are setting up the Office 365 integration following this article.

If you have a Service account that you want to exclude from 2FA when working with the Office 365 SAML integration you can exclude them using Groups & Policy.

To complete the exclusion you will need to create a unique policy for the Office 365 SAML App.

Steps to create a Policy

First we need to create two Security Groups. If you are already using Directory Sync than you can use existing AD Security Groups. Then we can create the policy. Once we have the policy we can apply the policy to the application.

Step 1 - Create Security Groups
If you are using existing AD Security Groups proceed to Step 2.

  1. Log into your Passly Tenant https://(your company).my.Passly.com 
  2. Select Directory Manager.
  3. Select Groups.
    blue.PNG
  4. Select the Green plus sign in the bottom right corner.

  5. blue.PNG
  6. Set the Name of the Group.
    Example: Office 365 Users.
  7. Select Add Group.
  8. Select the Group by clicking it's name.
    Add all Office 365 Users to this Group by selecting the Green plus sign in the bottom right corner.

  9. blue.PNG
  10. Select Add Users.
  11. Select Directory Manager.
  12. Select Groups.
  13. Select the Green plus sign in the bottom right corner.

  14. blue.PNG
  15. Set the Name of the Group.
    Example: Office 365 Exclusion.
  16. Select Add Group.
  17. Select the Group by clicking it's name.
    Add all Office 365 exclusion accounts (service accounts) to this Group by selecting the Green plus sign in the bottom right corner.

  18. blue.PNG
  19. Select Add Users.


Once we we have the Groups for inclusion and exclusion of 2FA we can build a unique policy to be applied in the SSO Manager for Office 365.


Step 2- Steps to create a Policy

  1. Log into your Passly Tenant https://(your company).my.passly.com 
  2. Select Policy Manager.
    1.PNG
  3. Select the Green plus sign in the bottom right corner.

  4. blue.PNG
  5. Set the Policy name.
    1.PNG
    Example Office 365 Policy.
  6. Select the Policy Element. Select the Office 365 Exclusion group.
    4.PNG
  7. Set the then action.
    5.PNG
  8. Select Add Additional Rule.
    6.PNG
  9. Select the Policy Element. Use the Office 365 Users Group.
    7.PNG
  10. Set the then action.
    8.PNG

 

Step 3 - Changing the policy for the SSO application in the SSO Manager

  1. Log into your Passly Tenant https://(your company).my.Passly.com 
  2. Select SSO Manager.
    9.PNG
  3. Select the Office 365 App.
    10.PNG
  4. Select Application Configuration.
    11.PNG
  5. Choose the new policy from the Authentication Policy drop down.
    14.PNG
  6. Select Save Changes.
    13.PNG

At this point all users in the Office 365 user group should be prompted for 2FA when accessing Office 365 via SSO or thick clients.
Tip: You can also add elements to the second rule to include trusting devices. This would allow you to not require 2FA on thick clients on every login.

 

Other Resources

How to Protect Office 365 with Passly

How can I use Passly with Office 365

Was this article helpful?
0 out of 0 found this helpful
Have more questions? Contact us