Configure Single Sign-on for Office 365
You can enable users to sign on to Office 365 using one of the following methods:
- Secure Web Authentication (SWA)
- WS-Federation - automatic
- WS-Federation - manual
SWA is a single sign-on method developed by Okta. It stores the end user credentials using strong encryption combined with a customer-specific private key. When the end user clicks the app, Okta securely signs them in using the encrypted credentials. See SWA app integrations.
WS-Federation defines mechanisms to transfer identity information using encrypted SOAP messages. It doesn't require a separate password for Office 365. See WS-Fed app integrations.
Before you begin
- Complete Add Office 365 to Okta.
- Bring users into Okta: You can import users from a directory such as Active Directory (AD) or an app such as Salesforce. Currently, Okta doesn't support imports that take longer than two hours to complete. Contact Support if you have this type of import. You can also create users directly in Okta. See the following for more information:
- Disable the Microsoft MFA for the Office 365 admin account that you’re using for WS-Federation. If the MFA is enabled, it can break provisioning and single sign-on setups in Okta.
- If you're integrating an Azure AD tenant that has the Web Sign-in option Enabled in Microsoft Endpoint Manager admin center, ensure that its configuration settings allow your Okta org URL. See the Microsoft Doc for Policy CSP - Authentication.
Start this task
You can use one of the following methods to configure single sign-on for Office 365:
- Configure Single Sign-on with Secure Web Authentication
- Configure Single Sign-on with WS-Federation - automatic method
- Configure Single Sign-on using WS-Federation - automatic method (Microsoft Graph)
- Configure Single Sign-on with WS-Federation - manual method
- Configure Single Sign-on with WS-Federation - manual method (Microsoft Graph)
- Once you've configured single sign-on, you need to Test Single Sign-on configuration.
Configure Single Sign-on with Secure Web Authentication
You can enable users to sign in to Office 365 using either SWA or WS-Federation. When possible, use WS-Federation because it's more secure than SWA.
- Go to Office 365 > Sign on > Settings > Edit.
- In Sign on Methods, select Secure Web Authentication.
- Select the appropriate option for username and password setup. See Secure Web Authentication.
- Map the username format as explained in section 3, Test provisioning.
- Click Save.
Configure Single Sign-on with WS-Federation
There are two ways to configure WS-Federation: automatically and manually. You can let Okta configure WS-Federation automatically, or you can configure it manually using the customized PowerShell script that Okta provides. The automatic method is recommended because Okta handles the back-end procedures.
Configure Single Sign-on with WS-Federation - automatic method
- Go to Office 365 > Sign on > Settings > Edit.
- In Sign on Methods, select WS-Federation > Automatic.
- Enter your Office 365 Administrator Username and Password.
- Click Fetch and Select. This displays a list of all Office 365 domains available for federation.
- Select domains that you want to federate.
- Click Save.
Ensure that the Office 365 administrator credentials you use aren't in the domain you're federating. If they are, you lock yourself out of the Office 365 domain: you can no longer authenticate to the Microsoft 365 Admin Center, because you have to authenticate through Okta, where you're treated as a user, not as an admin. Use administrator credentials for an account on your default Office 365 domain. The default tenant domain is yourtenant.onmicrosoft.com.
Configure Single Sign-on using WS-Federation - automatic method (Microsoft Graph)
If you enabled the MS Graph federation feature, your navigation is different.
- Go to Office 365 > Sign on > Settings > Edit.
- In Sign on Methods, select WS-Federation > Automatic.
- Click Authenticate with Microsoft Office 365. You're redirected to the Microsoft account login page.
- Log into Microsoft as a Global Administrator for your Microsoft tenant.
- Read and accept the requested permissions.
- Click Fetch and Select. This displays a list of all Office 365 domains available for federation.
- Select domains that you want to federate.
- Click Save.
Ensure that the Office 365 administrator credentials you use are NOT in the domain you're federating. If they are, you lock yourself out of the Office 365 domain: you can no longer authenticate to the Microsoft 365 Admin Center, because you have to authenticate through Okta, where you're treated as a user, not as an admin. Use administrator credentials for an account on your default Office 365 domain. The default tenant domain is yourtenant.onmicrosoft.com.
Configure Single Sign-on with WS-Federation - manual method
- Go to Office 365 > Sign on > Settings > Edit.
- In Sign on Methods, select WS-Federation > Manual using PowerShell.
- Click View Setup Instructions for the PowerShell command customized for your domain.
- Copy this command for use in PowerShell.
In PowerShell:
- Enter Connect-MsolService.
- Enter your Office 365 Global Administrator username and password.
- Enter the copied customized PowerShell command.
- Confirm that federation succeeded by entering this command: Get-MsolDomainFederationSettings -DomainName yourdomain.name
Configure Single Sign-on with WS-Federation - manual method (Microsoft Graph)
If you enabled the MS Graph federation feature, the PowerShell commands are different.
- Go to Office 365 > Sign on > Settings > Edit.
- In Sign on Methods, select WS-Federation > Manual using PowerShell.
- Click View Setup Instructions for the PowerShell command customized for your domain.
- Copy this command for use in PowerShell.
In PowerShell:
- Enter Connect-MgGraph -Scopes Directory.AccessAsUser.All.
- Enter your Office 365 Global Administrator username and password.
- Enter the copied customized PowerShell command.
- Confirm that federation succeeded by entering this command: Get-MgDomainFederationConfiguration -DomainId yourdomain.name
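The following script is an added example, not part of Okta's documentation or of the customized command Okta generates. It wraps the manual method (both the MSOnline and Microsoft Graph variants above) with the two checks a practitioner wants: the lockout guard from the automatic-method notes (the signed-in admin must not belong to a domain being federated) and a post-check that each domain is Federated, that its sign-in endpoints point at your Okta org, and when the signing certificate expires. It assumes the Microsoft.Graph SDK is installed; $DomainsToFederate and $OktaOrgHost are placeholders, and the assumption that the passive and active sign-in URIs are hosted on your Okta org host is the author's, not stated on the page.

```powershell
# Added example, not Okta's code. Placeholders: replace $DomainsToFederate
# and $OktaOrgHost with your own values before running.
param(
    [string[]]$DomainsToFederate = @('example.com'),   # placeholder domains
    [string]  $OktaOrgHost       = 'yourorg.okta.com'  # placeholder Okta org host
)

Connect-MgGraph -Scopes 'Directory.AccessAsUser.All'

# Lockout guard: the signed-in admin must not live in a domain you are about
# to federate, otherwise that account can only sign in through Okta afterwards.
$account     = (Get-MgContext).Account
$adminDomain = ($account -split '@')[-1]
if ($DomainsToFederate -contains $adminDomain) {
    throw "Admin $account is in $adminDomain, which is about to be federated. Use an account on the default onmicrosoft.com domain."
}

# Post-check: after running the Okta-generated command, confirm each domain
# is Federated and that its sign-in endpoints point at your Okta org.
foreach ($d in $DomainsToFederate) {
    $domain = Get-MgDomain -DomainId $d
    $fed    = Get-MgDomainFederationConfiguration -DomainId $d

    if ($domain.AuthenticationType -ne 'Federated') {
        Write-Warning "$d is still '$($domain.AuthenticationType)'; federation did not take effect."
        continue
    }
    # Assumption: Okta hosts the WS-Fed sign-in endpoints on the org host.
    foreach ($uri in @($fed.PassiveSignInUri, $fed.ActiveSignInUri)) {
        if ($uri -and $uri -notlike "https://$OktaOrgHost/*") {
            Write-Warning "$d endpoint $uri does not point at $OktaOrgHost; verify the federation target."
        }
    }
    # Decode the token-signing certificate and report its expiry so signing
    # does not silently break when the certificate lapses or is rotated.
    $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new(
        [Convert]::FromBase64String($fed.SigningCertificate))
    [pscustomobject]@{
        Domain           = $d
        IssuerUri        = $fed.IssuerUri
        PassiveSignInUri = $fed.PassiveSignInUri
        CertThumbprint   = $cert.Thumbprint
        CertNotAfter     = $cert.NotAfter
    }
}
```

Run the lockout guard before pasting the Okta-generated command, and the post-check after it; a domain reported as Managed means the command did not apply.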
Test Single Sign-on configuration
- Log into Okta as a test user.
- Open Office 365 from the End-User Dashboard.
- Ensure that the user is successfully logged in to the Office 365 account.