UserLock Documentation
UserLock Documentation

Configure Microsoft 365 for UserLock Single-Sign On

Please note! Maintain an administrator account in the * domain, protected by Azure AD's (now Microsoft Entra ID) native multi-factor authentication. This account is essential in the event of federation problems with Azure AD.


Enable Microsoft 365 in UserLock SSO

In the UserLock console, Navigate to Single Sign-On → Configuration.

  1. Select Add configuration, then select Microsoft 365 as the provider to be configured.
  2. Add your domains, whether they belong to the same tenant or not, for sub-domains see special cases below.

NOTE: The SSO service needs to be restarted in order to use this profile

Configuring Microsoft 365 sub-domains

If you have several domains to federate, you will see a message appear if you add a subdomain of a domain already entered. The federation of sub-domains is generally automatic and you should not add them at this point otherwise you will fail to configure the SSO correctly. However, it is sometimes necessary to add them.

In the case of sub-domains, please observe the following rules:

  • Rule #1 - If you only have one Microsoft 365 tenant, never add the subdomains.
  • Rule #2 - If you have multiple tenants, only add a subdomain if it belongs to a different tenant than the main domain

Example 1 - Sub-domains in the same tenant

Company XYZ uses the Microsoft 365 tenant and the domain as the email address domain for most of its Active Directory accounts. Two teams have different domains:

  • the sales team uses the domain
  • the team based in France uses the domain

When configuring the SSO, only the domains and should be added to the list. The subdomain will be automatically federated, along with the main domain.

Example 2 - Sub-domains in different tenants

Company XYZ uses the Microsoft 365 tenants and The domain is the email address domain for most of its Active Directory accounts. Two teams have different domains:

  • the sales team uses the domain
  • the team based in France uses the domain
  • the domain belongs to the tenant

When configuring SSO, all three domains must be added to the list. The subdomain cannot be automatically federated with the main domain because it does not belong to the same tenant, so you need to add to the list and ignore the warning.

Configure Microsoft 365 for Single Sign-On

You can configure Microsoft 365 using a tool provided by IS Decisions (see below depending on your version), or via PowerShell.

Note: Once the configuration is done, it is possible to bypass the login page where the user has to enter his email by creating a shortcut including the domain_hint parameter to specify the email domain e.g.,

Configure SSO with IS Decisions Microsoft 365 tool

  1. Launch the tool

    Search for ‘Microsoft 365 configuration’ in the Start menu and launch the application.

  2. Select the UserLock SSO Server

    From the IS Decisions Microsoft 365 tool, select the UserLock SSO server that will be used to connect to Microsoft 365.

  3. Connect to Microsoft Online

    The tool requires the MSOnline Powershell module. If it is not installed, the tool will attempt installation. When prompted, Please consent and install to continue configuring Microsoft 365 SSO.

    Sign in with Azure AD global administrator credentials.

  4. Set the federation

    Select the domain to federate in the top drop-down list and click the ‘Federate Domain’ button to complete the process:

Synchronize your users

Synchronizing users is necessary for Microsoft 365 to recognize user identities in the Active Directory. Two methods are available:

  • Azure AD Connect - recommended method because it is automatic once configured
  • UserLock SSO wizard - this manual method is easier and faster to get started but can be tedious with a large number of users

Install and configure Azure AD Connect

Perform a custom installation of Azure AD Connect.

  1. Download Azure AD Connect
  2. Launch Azure AD Connect
  3. On the Express Settings page, select Customize
  4. In the User Sign-In page, select Do not configure
  5. In the Connect Directories section, select your AD domain ( and your Azure AD domain

Once setup has completed, Azure AD Connect will synchronize the local users with Azure AD.

NOTE: In Connect to Azure AD, if your Azure AD is already federated, you may need to restart Azure AD Connect with /InteractiveAuth flag

Configure SSO with Powershell

Run Powershell as an administrator.

  1. Connect to Microsoft Online

    Execute the following command and connect with a domain admin Microsoft Online account:

  2. Ensure Microsoft Online domain is Managed

    Run the following code to find whether Office your domain is set as Federated or Managed:

    Get-MsolDomain -DomainName | Select-Object "Authentication"

    If it is set as Federated, you will need to disable federation!

    Set-MsolDomainAuthentication -DomainName -Authentication Managed
  3. Obtain the certificate data
    • Navigate to the C:\ProgramData\ISDecisions\UserLock\SSO folder
    • Open the ulsso.signing.cer file with Notepad
    • Copy only the data between the first and last lines. Do not include these lines.
    • In the Powershell window, assign the certificate data to the $certData variable

      $certData = ‘MIICtTCCAZ2gAw……IBAgIIJ5vEidR23KwwDQYJ==’
  4. Set the federation

    Execute the following command to set the authentication for UserLock SSO. Please note that the $certData is used for -SigningCertificate data:

    Set-MsolDomainAuthentication -DomainName`
    -Authentication Federated `
    -PassiveLogOnUri `
    -SigningCertificate $certData `
    -IssuerUri `
    -PreferredAuthenticationProtocol Samlp `

    SSO is now the defined Authentication source of the federated domain.

How to cancel SSO

To cancel SSO, you can either use the IS Decisions tool or Powershell:

  • Using ISDecisions tool, cancel the federation on a federated domain.
  • Using Powershell, executing the following commands:

    Set-MsolDomainAuthentication -DomainName -Authentication Managed


On a Windows Server, Enhanced Security Configuration is enabled by default. That may prevent the Microsoft 365 configuration tool to correctly display the Microsoft authentication window. In this case, a script error popup will appear and the window will remain blank.

To fix this, please follow these instructions: