https://support.okta.com/help/oktaarticledetailpage?childcateg=&id=ka0f0000000ay3nkag&source=documentation&refurl=http%3a%2f%2fsupport.okta.com%2fhelp%2fdocumentation%2fknowledge_article%2f38682106-microsoft-office-365-integration-guide
Microsoft Office 365 Integration Guide
Published: Jan 10, 2015   -   Updated: May 10, 2018

Architectural Description
Prerequisites
Selection and Purchase of a Domain Name for Office 365
Registering an Office 365 Account
Configuring Office 365
Configuring Okta
Field Mapping
Configuring Your Active Directory Domain


This guide describes how to configure Okta with the Microsoft Office 365 application in the Okta Integration Network (OIN). This integration enables users to single sign-on (SSO) into Microsoft Office 365 from Okta.


Architectural Description

An Okta Office 365 integration has more components than a typical Okta SSO-enabled app. Office 365 requires Active Directory (AD) to be the authoritative data source for Office 365 users, so Office 365 must receive its user data from AD. Microsoft provides an application called Directory Sync that synchronizes directory objects (users, groups, and contacts) from a customer's on-premises AD to Office 365. You must install Directory Sync on a dedicated computer in the customer's on-premises environment; do not install this application directly on a domain controller.


Prerequisites

  • An Office 365 account
  • A valid domain name
  • A Microsoft Active Directory domain controller, ideally with the same domain name to be registered in Office 365 (refer to http://support.microsoft.com/kb/243629 for more information)
  • A Windows Server for your Directory Sync application (the server must be a member of the domain)
  • A Windows Server for Microsoft Online Services Module for Windows PowerShell


Selection and Purchase of a Domain Name for Office 365

When you register for an account with Office 365, you get a domain that can be used for email. For example, if you register an organization called acme, Office 365 gives you email addresses in the format of username@acme.onmicrosoft.com. If your organization already has a domain, such as acme.com, and your email addresses end in @acme.com, you can use this instead of the domain that Office 365 provides. Before you proceed, we recommend that you decide which domain to use. See Configuring Office 365 for instructions on setting the domain in Office 365.


Registering an Office 365 Account

This guide assumes that your organization has registered for an Office 365 account. If you currently do not have an Office 365 account, you can purchase one at Microsoft: http://office.microsoft.com/en-us/business/compare-office-365-for-business-plans-FX102918419.aspx.

If you wish to configure a demo environment, register for an Enterprise Free Trial account at the same site.


Configuring Office 365

Add a domain to your Office 365 account as follows:

  1. Sign into your Office 365 account at https://login.microsoftonline.com with your .onmicrosoft.com admin account.
  2. Select Management > Domains.
  3. Click Add a domain.
  4. Enter your domain name and click Next.
  5. Before you set up your domain with Office 365, Microsoft has to make sure that you own the domain name.
    1. To do that, you must add a specific record to the DNS records at your DNS hosting provider. 
    2. Microsoft looks for the record to confirm ownership.
    3. Find your domain registrar and follow the directions to confirm ownership of the domain.
  6. In Step 2 of the Add users and assign licenses wizard, Office 365 gives you options to import users. You can ignore this for now.
  7. In Step 3 of the wizard, select Set the domain purpose and configure DNS.
  8. Configure the DNS records on the domain registrar (follow the appropriate instructions for your domain registrar).

Note: You cannot federate a domain marked "default." This behavior is by design. When you add a domain to Office 365, Office 365 automatically treats that domain as the default domain, so when you later run the Set-MsolDomainAuthentication command (as described in subsequent steps) it fails with an error that mentions replacing the default domain. This error occurs whenever the default domain has been changed to anything other than the onmicrosoft.com administrative tenant; your real domainname.com domain cannot be the default domain. To change the default domain, sign into the Microsoft Online Services Portal and click the domain link above the Admin Overview header. The Edit Company Information window appears. Select the Default Domain drop-down menu, choose the onmicrosoft.com admin tenant as the default domain, and then click OK.



Configuring Okta

Next you must set up Office 365 in Okta and configure the connection. Do the following:

  1. From your Administrator Dashboard, select Applications > Add Application, and enter Microsoft Office in the search field.
  2. Select Microsoft Office 365. This starts the application wizard.
  3. On the General tab, enter a label (the label you enter is displayed on your users' home pages) and the domain you configured for your Office 365 account (for example, QuilFun.com), and then click Next.
  4. On the Sign-on tab, select the WS-Federation option.
  5. Click the link, WS-Federation setup instructions for Microsoft Office 365. This page contains the command-line information for you to enter in a subsequent step.


Field Mapping

The following table lists the field mapping information for Office 365:

Okta Field Name      | Okta Field Display Name | Office 365 Field Name  | Office 365 Field Display Name
---------------------|-------------------------|------------------------|------------------------------
login/userName/email | User Name/Email         | userPrincipalName      | User Principal Name (UPN)
firstName lastName   | Display Name            | displayName            | Display Name
lastName             | Last Name               | lastName               | Last Name
firstName            | First Name              | givenName (firstName)  | First Name
immutableId          | Immutable Id            | immutableId            | Immutable Id


Configuring Your Active Directory Domain

Next, you must federate your AD domain with the Okta identity provider information. This enables WS-FED/SSO on Office 365. You must have administrator rights on a Windows Server to run the necessary cmdlets.

  1. Sign into Windows Server.
  2. Per the Okta Office 365 instructions, install the following:
    • Microsoft Online Services Sign-in Assistant (choose either the 32- or 64-bit version).
    • Windows Azure AD Module for Windows PowerShell (formerly known as the Microsoft Online Services Module for Windows PowerShell cmdlets).

      Instructions for both can be found here: http://technet.microsoft.com/en-us/library/jj151815.aspx. The installers should place a shortcut on your desktop for each application.
  3. Start the Windows Azure AD Module for Windows PowerShell.
  4. Start the Microsoft Online Services Module for Windows PowerShell and enter Connect-MsolService to connect to your Office 365 domain.
  5. If your domain is not already federated, enter the following in the Microsoft Online Services Module for Windows PowerShell:

Set-MsolDomainAuthentication -DomainName QUILFUN.com -Authentication Federated `
    -FederationBrandName Okta -IssuerUri k2qkymyeRDFTRUFSIGIY `
    -PassiveLogOnUri https://vanilla.okta.com/app/office365/k2qkymyeRDFTRUFSIGIY/sso/wsfed/passive `
    -ActiveLogOnUri https://vanilla.okta.com/app/office365/k2qkymyeRDFTRUFSIGIY/sso/wsfed/active `
    -MetadataExchangeUri https://vanilla.okta.com/app/office365/k2qkymyeRDFTRUFSIGIY/sso/wsfed/mex `
    -LogOffUri https://vanilla.okta.com/app/office365/k2qkymyeRDFTRUFSIGIY/sso/wsfed/signout `
    -SigningCertificate <signing certificate value from the Okta WS-Federation setup instructions page>

If your domain is already federated, enter the following:

Set-MsolDomainFederationSettings -DomainName QUILFUN.com `
    -FederationBrandName Okta -IssuerUri k2qkymyeRDFTRUFSIGIY `
    -PassiveLogOnUri https://vanilla.okta.com/app/office365/k2qkymyeRDFTRUFSIGIY/sso/wsfed/passive `
    -ActiveLogOnUri https://vanilla.okta.com/app/office365/k2qkymyeRDFTRUFSIGIY/sso/wsfed/active `
    -MetadataExchangeUri https://vanilla.okta.com/app/office365/k2qkymyeRDFTRUFSIGIY/sso/wsfed/mex `
    -LogOffUri https://vanilla.okta.com/app/office365/k2qkymyeRDFTRUFSIGIY/sso/wsfed/signout `
    -SigningCertificate <signing certificate value from the Okta WS-Federation setup instructions page>

Note: Converting a domain to federated authentication affects all users in the domain. Before you run either command in the Microsoft Online Services Module for Windows PowerShell, make sure you have entered Connect-MsolService and supplied the administrator credentials for your Office 365 domain when prompted.
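The following PowerShell script is an added example, not part of the Okta article, that wraps the federation step above in a pre-flight check and a post-change audit. It uses the MSOnline cmdlets the article installs (Get-MsolDomain, Set-MsolDomainAuthentication, Set-MsolDomainFederationSettings, Get-MsolDomainFederationSettings) and reuses the article's sample values (QUILFUN.com, vanilla.okta.com, k2qkymyeRDFTRUFSIGIY); the $SigningCert value is a placeholder for the certificate published on your Okta WS-Federation setup page. The pre-flight check enforces the "default domain" rule from the Configuring Office 365 note, and the audit reads the settings back so you can confirm, now and on a schedule, that the issuer, endpoints and signing certificate on the federated domain are the ones you intended.

```powershell
# Added example (not from the Okta article): pre-flight check, federation, and
# read-back audit for an Office 365 domain federated with Okta via MSOnline.
# Assumes the Windows Azure AD Module for Windows PowerShell is installed and
# that the values below are replaced with those from your own Okta setup page.

$DomainName  = "QUILFUN.com"                                   # article's sample domain
$OktaAppId   = "k2qkymyeRDFTRUFSIGIY"                          # article's sample IssuerUri
$OktaBaseUrl = "https://vanilla.okta.com/app/office365/$OktaAppId/sso/wsfed"
$SigningCert = "<base64 signing certificate from the Okta setup page>"   # placeholder

# Expected federation settings; keys match Get-MsolDomainFederationSettings properties.
$Expected = @{
    FederationBrandName = "Okta"
    IssuerUri           = $OktaAppId
    PassiveLogOnUri     = "$OktaBaseUrl/passive"
    ActiveLogOnUri      = "$OktaBaseUrl/active"
    MetadataExchangeUri = "$OktaBaseUrl/mex"
    LogOffUri           = "$OktaBaseUrl/signout"
}

function Get-CertThumbprint([string]$Base64Cert) {
    # Decode a base64 DER certificate and return its SHA-1 thumbprint for comparison.
    $bytes = [Convert]::FromBase64String($Base64Cert)
    return [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($bytes).Thumbprint
}

Connect-MsolService    # prompts for the tenant administrator credentials

# 1. Pre-flight: the domain must be verified and must NOT be the tenant's
#    default domain, otherwise Set-MsolDomainAuthentication fails (see the note
#    in Configuring Office 365).
$domain = Get-MsolDomain -DomainName $DomainName
if ($domain.Status -ne "Verified") {
    throw "Domain $DomainName is not verified in Office 365 (status: $($domain.Status))."
}
if ($domain.IsDefault) {
    throw "Domain $DomainName is the tenant default; set the onmicrosoft.com domain as default first."
}
Write-Host "Current authentication for ${DomainName}: $($domain.Authentication)"

# 2. Apply the settings. Converting to federated authentication affects every
#    user in the domain, so this is a deliberate, change-controlled step.
$params = @{ DomainName = $DomainName; SigningCertificate = $SigningCert } + $Expected
if ($domain.Authentication -eq "Federated") {
    Set-MsolDomainFederationSettings @params          # domain already federated: update settings
} else {
    Set-MsolDomainAuthentication -Authentication Federated @params   # managed -> federated
}

# 3. Audit: read the settings back and compare each URI and the certificate
#    thumbprint against what Okta published. Run this on a schedule as well; an
#    unexpected issuer, endpoint or certificate on a federated domain means a
#    party other than your IdP could be issuing tokens for it.
$actual = Get-MsolDomainFederationSettings -DomainName $DomainName
$mismatches = @(foreach ($key in $Expected.Keys) {
    if ($actual.$key -ne $Expected[$key]) {
        "${key}: expected '$($Expected[$key])', got '$($actual.$key)'"
    }
})
$expectedThumb = Get-CertThumbprint $SigningCert
$actualThumb   = Get-CertThumbprint $actual.SigningCertificate
if ($expectedThumb -ne $actualThumb) {
    $mismatches += "SigningCertificate thumbprint: expected $expectedThumb, got $actualThumb"
}

if ($mismatches.Count -eq 0) {
    Write-Host "Federation settings for $DomainName match the expected Okta configuration."
} else {
    Write-Warning "Federation settings for $DomainName differ from the expected configuration:"
    $mismatches | ForEach-Object { Write-Warning "  $_" }
}
```

Step 3 on its own (Connect-MsolService, Get-MsolDomainFederationSettings, and the thumbprint comparison) is the part worth keeping as a recurring control: it needs no change to the tenant, and a mismatch against the values recorded at the time of setup is the first signal that the federation trust for the domain has been altered.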
