UserLock Documentation

Configure Microsoft 365 for UserLock Single-Sign On

Procedure

Enable Microsoft 365 in UserLock SSO

In the UserLock console, navigate to Single Sign-On → Configuration.

  1. Select Add configuration, then select Microsoft 365 as the provider to be configured.

NOTE: The SSO service needs to be restarted in order to use this profile.

NOTE: The configuration of Microsoft 365 with UserLock SSO will be applied to all applications using Azure AD (for example the Azure Portal, the Microsoft Partner Network, or any other application that you have configured to use Azure AD). Once configured, these applications will also be protected by UserLock, and will show as a connection to "Microsoft".

Install and configure Azure AD Connect

Perform a custom installation of Azure AD Connect.

  1. Download Azure AD Connect
  2. Launch Azure AD Connect
  3. On the Express Settings page, select Customize
  4. In the User Sign-In page, select Do not configure
  5. In the Connect Directories section, select your AD domain (contoso.com) and your Azure AD domain

Once setup has completed, Azure AD Connect will synchronize the local users with Azure AD.

NOTE: In Connect to Azure AD, if your Azure AD is already federated, you may need to restart Azure AD Connect with the /InteractiveAuth flag.

Configure Microsoft 365 for Single Sign-On

Two methods exist to configure Microsoft 365:

Configure SSO with IS Decisions Microsoft 365 tool

  1. Launch the tool

    Search for ‘Microsoft 365 configuration’ in the Start menu and launch the application.


  2. Select the UserLock SSO Server

    From the IS Decisions Microsoft 365 tool, select the UserLock SSO server that will be used to connect to Microsoft 365.


  3. Connect to Microsoft Online

    The tool requires the MSOnline PowerShell module. If it is not installed, the tool will attempt installation. When prompted, please consent and install to continue configuring Microsoft 365 SSO.



    Sign in with Azure AD global administrator credentials.


  4. Set the federation

    Select the domain to federate in the top drop-down list and click the ‘Federate Domain’ button to complete the process:



Configure SSO with PowerShell

Run PowerShell as an administrator.

  1. Connect to Microsoft Online

    Execute the following command and connect with a domain admin Microsoft Online account:

    Connect-MsolService
  2. Ensure the Microsoft Online domain is Managed

    Run the following command to find out whether your domain is set to Federated or Managed:

    Get-MsolDomain -DomainName federated.domain.name | Select-Object "Authentication"

    If it is set to Federated, you will need to disable federation first:

    Set-MsolDomainAuthentication -DomainName contoso.com -Authentication Managed
  3. Obtain the certificate data
    • Navigate to the C:\ProgramData\ISDecisions\UserLock\SSO folder
    • Open the ulsso.cer file with Notepad
    • Copy only the data between the first and last lines. Do not include these lines.
    • In the PowerShell window, assign the certificate data to the $certData variable (use straight single quotes)

      $certData = 'MIICtTCCAZ2gAw……IBAgIIJ5vEidR23KwwDQYJ=='
  4. Set the federation

    Execute the following command to set the authentication for UserLock SSO. Note that $certData is passed as the -SigningCertificate value, and that each backtick line continuation must be preceded by a space and followed directly by the line break:

    Set-MsolDomainAuthentication -DomainName contoso.com `
        -Authentication Federated `
        -PassiveLogOnUri https://sso.contoso.com/saml/sso `
        -SigningCertificate $certData `
        -IssuerUri https://sso.contoso.com `
        -PreferredAuthenticationProtocol Samlp `
        -LogOffUri https://sso.contoso.com/connect/endsession

    UserLock SSO is now the authentication source for the federated domain.
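The four PowerShell steps above, combined into one script as an added example (this is not IS Decisions' tool or code). It automates step 3 by reading ulsso.cer and stripping the BEGIN/END lines itself, and it validates that the extracted data really is a currently valid X.509 certificate before federation is switched on, since a malformed or expired signing certificate would break every Microsoft 365 sign-in for the domain. The domain name, SSO host name and certificate path are assumed values matching the page's examples; the cmdlets are the MSOnline ones used above.

```powershell
# Added example, not part of the UserLock documentation.
# Assumed values: domain to federate, UserLock SSO server FQDN, certificate path.
param(
    [string]$DomainName = 'contoso.com',
    [string]$SsoHost    = 'sso.contoso.com',
    [string]$CertPath   = 'C:\ProgramData\ISDecisions\UserLock\SSO\ulsso.cer'
)

# Step 3, automated: keep only the base64 body of the PEM file, dropping the
# "-----BEGIN CERTIFICATE-----" / "-----END CERTIFICATE-----" lines and line breaks.
function Get-CertDataFromPem {
    param([string]$Path)
    $body = Get-Content -Path $Path |
        Where-Object { $_ -notmatch '^-----(BEGIN|END) CERTIFICATE-----\s*$' } |
        ForEach-Object { $_.Trim() }
    return ($body -join '')
}

# Sanity check before touching the tenant: the base64 must decode to an
# X.509 certificate that is valid right now.
function Test-SigningCertificate {
    param([string]$CertData)
    $bytes = [Convert]::FromBase64String($CertData)
    $cert  = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($bytes)
    $now   = Get-Date
    if ($cert.NotBefore -gt $now -or $cert.NotAfter -lt $now) {
        throw "Signing certificate is not valid now (NotBefore=$($cert.NotBefore), NotAfter=$($cert.NotAfter))"
    }
    Write-Host "Signing certificate: $($cert.Subject), thumbprint $($cert.Thumbprint), expires $($cert.NotAfter)"
    return $cert
}

# Step 1: sign in with a Microsoft Online admin account (interactive prompt).
Connect-MsolService

# Step 2: federation can only be set on a Managed domain, so revert first if needed.
$domain = Get-MsolDomain -DomainName $DomainName
if ($domain.Authentication -eq 'Federated') {
    Write-Host "$DomainName is currently Federated; switching it to Managed first"
    Set-MsolDomainAuthentication -DomainName $DomainName -Authentication Managed
}

$certData = Get-CertDataFromPem -Path $CertPath
$null = Test-SigningCertificate -CertData $certData

# Step 4: same parameters as the manual command above, built from $SsoHost.
Set-MsolDomainAuthentication -DomainName $DomainName `
    -Authentication Federated `
    -PassiveLogOnUri "https://$SsoHost/saml/sso" `
    -SigningCertificate $certData `
    -IssuerUri "https://$SsoHost" `
    -PreferredAuthenticationProtocol Samlp `
    -LogOffUri "https://$SsoHost/connect/endsession"

# Read the settings back rather than assuming the change applied.
Get-MsolDomainFederationSettings -DomainName $DomainName |
    Select-Object IssuerUri, PassiveLogOnUri, LogOffUri
```

Run it from an elevated PowerShell window as `.\Federate-UserLockSso.ps1 -DomainName contoso.com -SsoHost sso.contoso.com` (the script name is an assumption). The final Get-MsolDomainFederationSettings call is the quickest way to confirm that the IssuerUri and PassiveLogOnUri point at your UserLock SSO server before you test a sign-in.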

How to cancel SSO

To cancel SSO, you can either use the IS Decisions tool or PowerShell:

  • Using the IS Decisions tool, cancel the federation on the federated domain.
  • Using PowerShell, execute the following commands (the domain is the one you federated, not the SSO server host name):

    Connect-MsolService
    Set-MsolDomainAuthentication -DomainName contoso.com -Authentication Managed

Troubleshooting

On Windows Server, Internet Explorer Enhanced Security Configuration is enabled by default. That may prevent the Microsoft 365 configuration tool from correctly displaying the Microsoft authentication window. In this case, a script error popup will appear and the window will remain blank.

To fix this, please follow these instructions:
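Before changing the server's configuration, it helps to confirm that Enhanced Security Configuration is actually what is enabled. The following check is an added example, not part of the UserLock documentation: it reads the standard Windows registry locations for IE ESC (the two Active Setup component keys, one for the Administrators group and one for Users) and reports the state of each; it changes nothing.

```powershell
# Added example, not from the UserLock documentation.
# The two registry keys below are the standard Windows locations for IE ESC;
# IsInstalled = 1 means ESC is on for that scope.
function Get-IeEscState {
    $base = 'HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components'
    $scopes = [ordered]@{
        Administrators = "$base\{A509B1A7-37EF-4b3f-8CFC-4F3A74704073}"
        Users          = "$base\{A509B1A8-37EF-4b3f-8CFC-4F3A74704073}"
    }
    foreach ($scope in $scopes.Keys) {
        $key   = $scopes[$scope]
        $value = (Get-ItemProperty -Path $key -Name IsInstalled -ErrorAction SilentlyContinue).IsInstalled
        [pscustomobject]@{
            Scope   = $scope
            KeyPresent = Test-Path -Path $key
            Enabled = ($value -eq 1)
        }
    }
}

Get-IeEscState | Format-Table -AutoSize
```

If the Administrators row shows Enabled = True on the machine where you run the Microsoft 365 configuration tool, the blank authentication window described above is the expected symptom.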