Configure Microsoft 365 for UserLock Single-Sign On
Procedure
- Enable Microsoft 365 in UserLock SSO
- Install and configure Azure AD Connect
- Configure Microsoft 365 for Single Sign-On
Enable Microsoft 365 in UserLock SSO
In the UserLock console, navigate to Single Sign-On → Configuration.
- Select Add configuration, then select Microsoft 365 as the provider to be configured.
NOTE: The SSO service needs to be restarted in order to use this profile.
NOTE: The configuration of Microsoft 365 with UserLock SSO will be applied to all applications that authenticate through Azure AD (for example the Azure Portal, the Microsoft Partner Network, or any other application you have configured to use Azure AD). Once configured, these applications will also be protected by UserLock, and will show as a connection to "Microsoft".
Install and configure Azure AD Connect
Perform a custom installation of Azure AD Connect.
- Download Azure AD Connect
- Launch Azure AD Connect
- On the Express Settings page, select Customize
- In the User Sign-In page, select Do not configure
- In the Connect Directories section, select your AD domain (contoso.com) and your Azure AD domain
Once setup has completed, Azure AD Connect will synchronize the local users with Azure AD.
NOTE: In Connect to Azure AD, if your Azure AD is already federated, you may need to restart Azure AD Connect with the /InteractiveAuth flag.
Configure Microsoft 365 for Single Sign-On
Two methods exist to configure Microsoft 365:
- Configure SSO with IS Decisions Microsoft 365 tool (automated method)
- Configure SSO with Powershell (manual method)
Configure SSO with IS Decisions Microsoft 365 tool
- Launch the tool
Search for ‘Microsoft 365 configuration’ in the Start menu and launch the application.
- Select the UserLock SSO Server
From the IS Decisions Microsoft 365 tool, select the UserLock SSO server that will be used to connect to Microsoft 365.
- Connect to Microsoft Online
The tool requires the MSOnline PowerShell module. If it is not installed, the tool will attempt to install it. When prompted, please consent to the installation to continue configuring Microsoft 365 SSO.
Sign in with Azure AD global administrator credentials.
- Set the federation
Select the domain to federate in the top drop-down list and click the ‘Federate Domain’ button to complete the process:
Configure SSO with Powershell
Run Powershell as an administrator.
- Connect to Microsoft Online
Execute the following command and connect with a domain admin Microsoft Online account:
Connect-MsolService
- Ensure the Microsoft Online domain is Managed
Run the following command to find out whether your domain is set as Federated or Managed:
Get-MsolDomain -DomainName federated.domain.name | Select-Object "Authentication"
If it is set as Federated, you will need to disable the existing federation first:
Set-MsolDomainAuthentication -DomainName contoso.com -Authentication Managed
- Obtain the certificate data
- Navigate to the C:\ProgramData\ISDecisions\UserLock\SSO folder
- Open the ulsso.cer file with Notepad
- Copy only the data between the first and last lines. Do not include these lines.
- In the PowerShell window, assign the certificate data to the $certData variable
$certData = 'MIICtTCCAZ2gAw……IBAgIIJ5vEidR23KwwDQYJ=='
- Set the federation
Execute the following command to set the authentication for UserLock SSO. Note that $certData is passed as the -SigningCertificate value:
Set-MsolDomainAuthentication -DomainName contoso.com `
    -Authentication Federated `
    -PassiveLogOnUri https://sso.contoso.com/saml/sso `
    -SigningCertificate $certData `
    -IssuerUri https://sso.contoso.com `
    -PreferredAuthenticationProtocol Samlp `
    -LogOffUri https://sso.contoso.com/connect/endsession
UserLock SSO is now the authentication source for the federated domain.
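The manual PowerShell method above (check that the domain is Managed, extract the certificate, federate, verify) can be run end to end with the following script. This is an added example, not IS Decisions' own tool or code: it assumes the domain name contoso.com, the SSO server URL https://sso.contoso.com and the certificate path from the procedure, and it reads the Base64 body out of ulsso.cer instead of relying on a manual copy and paste. It also validates the certificate before sending it, and reads the federation settings back with Get-MsolDomainFederationSettings so that a mistyped issuer or URL is caught rather than silently handing authentication for the domain to the wrong endpoint.

```powershell
# Added example (not IS Decisions' code): federate a domain with UserLock SSO using MSOnline.
# Assumptions: domain name, SSO server URL and certificate path below match your environment.
$DomainName = 'contoso.com'                                          # domain to federate (assumption)
$SsoBase    = 'https://sso.contoso.com'                               # UserLock SSO server (assumption)
$CertPath   = 'C:\ProgramData\ISDecisions\UserLock\SSO\ulsso.cer'    # path given in the procedure

Import-Module MSOnline -ErrorAction Stop
Connect-MsolService   # sign in with an Azure AD global administrator account

# 1. The domain must be Managed before it can be federated with UserLock SSO.
$domain = Get-MsolDomain -DomainName $DomainName
if ($domain.Authentication -eq 'Federated') {
    Write-Warning "$DomainName is already Federated; switching it back to Managed first."
    Set-MsolDomainAuthentication -DomainName $DomainName -Authentication Managed
}

# 2. Read the PEM file and keep only the Base64 body (drop the BEGIN/END lines and whitespace).
$certData = (Get-Content -Path $CertPath |
             Where-Object { $_ -notmatch '^-----(BEGIN|END) CERTIFICATE-----\s*$' } |
             ForEach-Object { $_.Trim() }) -join ''

# Sanity-check before sending it to Azure AD: the data must decode to an X.509 certificate
# that is currently valid, otherwise every sign-in will fail once the domain is federated.
$cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new(
            [System.Convert]::FromBase64String($certData))
if ($cert.NotAfter -lt (Get-Date)) {
    throw "Signing certificate expired on $($cert.NotAfter); renew ulsso.cer before federating."
}
Write-Host "Using signing certificate $($cert.Subject), thumbprint $($cert.Thumbprint)"

# 3. Federate the domain (same parameters as the manual procedure above).
Set-MsolDomainAuthentication -DomainName $DomainName `
    -Authentication Federated `
    -PassiveLogOnUri "$SsoBase/saml/sso" `
    -SigningCertificate $certData `
    -IssuerUri $SsoBase `
    -PreferredAuthenticationProtocol Samlp `
    -LogOffUri "$SsoBase/connect/endsession"

# 4. Read the settings back and confirm they point at the expected SSO server and certificate.
$fed      = Get-MsolDomainFederationSettings -DomainName $DomainName
$deployed = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new(
                [System.Convert]::FromBase64String($fed.SigningCertificate))
$problems = @()
if ($fed.IssuerUri       -ne $SsoBase)            { $problems += "IssuerUri is $($fed.IssuerUri)" }
if ($fed.PassiveLogOnUri -ne "$SsoBase/saml/sso") { $problems += "PassiveLogOnUri is $($fed.PassiveLogOnUri)" }
if ($deployed.Thumbprint -ne $cert.Thumbprint)    { $problems += "signing certificate thumbprint is $($deployed.Thumbprint)" }
if ($problems) { throw "Federation settings do not match expectations: $($problems -join '; ')" }
Write-Host "$DomainName is now federated with UserLock SSO at $SsoBase"
```

Keep the thumbprint printed in step 2 with your change record: comparing it against the value returned by Get-MsolDomainFederationSettings later is the quickest way to confirm that the federation trust still belongs to your UserLock SSO server and has not been altered.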
How to cancel SSO
To cancel SSO, you can either use the IS Decisions tool or Powershell:
- Using the IS Decisions tool, cancel the federation on a federated domain.
- Using PowerShell, execute the following commands:
Connect-MsolService
# Use the domain that was federated (contoso.com in the example above), not the SSO server host name
Set-MsolDomainAuthentication -DomainName contoso.com -Authentication Managed
Troubleshooting
On Windows Server, Internet Explorer Enhanced Security Configuration is enabled by default. This may prevent the Microsoft 365 configuration tool from correctly displaying the Microsoft authentication window: a script error popup will appear and the window will remain blank.
To fix this, please follow these instructions:
- Open Internet Options, either by entering inetcpl.cpl in the Run dialog (Windows + R shortcut) or by entering inetcpl.cpl in the Start menu (Windows key)
- In the Security tab, select Trusted Sites and click the Sites button
- Add https://login.microsoftonline.com, https://aadcdn.msauth.net and https://aadcdn.msftauth.net to the Websites list
- Click Close then OK
- Restart the Microsoft 365 Configuration tool