This page shows how to add multi-factor authentication to Microsoft Office365 using the Octopus Authenticator, giving you more control over, and more security for, how users log in to your network.

  • Log in to the Octopus Authenticator Console
  • Select Services from the left pane
  • Select Add Service
  • Click Microsoft Office365 service template

Tab 1 – General Information

The following fields and values are displayed:

Field name          Field value
Service name        Microsoft Office365 (default)
Issuer              Microsoft (default)
Description
Service status      Enable (default)
Display icon
Login page URL      https://<Enterprise Base URL>/o365-saml/<No.>/login

Note: Secret Double Octopus recommends leaving the default field values as they are.


Tab 2 – Parameters

The following fields and values are displayed:

Field name                    Field value
Login                         email
Office 365 email              email
NameID
Office 365 domain             Domain name
+ Add additional parameter    Do not add any parameters


Tab 3 – Sign On

The following fields and values are displayed:

Field name                           Field value
Multi Factor Authentication (MFA)    Off (default)
Sign-on Method                       SAML 2.0
X.509 Certificate
SAML signature algorithm             SHA-1 (default)
Single Sign On (SSO)                 Off (default)
Issuer URL                           https://<Enterprise base URL>
SAML 2.0 Endpoint (HTTP)             https://<Enterprise base URL>/o365-saml/login
Custom message

Note: Secret Double Octopus recommends leaving the default field values as displayed.

Step 4 – Users

To configure the users of the service:

  • Select users from either the “Local Users” or the “LDAP Users” list
  • You can select either:
    • A group of users to import, by clicking the dot next to one of the folders
    • An individual user to import, by clicking the dot next to that user

The corresponding dot is then colored blue. When you select only some of the users in a group, the dot next to that group is partially colored.

After you click SAVE SETTINGS, the selected users are enrolled in the service.

  • Click SAVE SETTINGS


Set up SSO for Microsoft Office 365 using Octopus Authenticator as the Identity Provider

  1. Log in to Office 365 from the Microsoft Azure Active Directory Module for Windows PowerShell:
    • Connect-MsolService

Note: Steps 3-5 are required only if your domain is already federated

  2. To swap your domain back from federated to managed, enter:
    • Set-MsolDomainAuthentication -DomainName <Office365 domain name> -Authentication Managed
  3. Set the following variables:
    • $dom = "<Office365 domain name>"
    • $fedBrandName = "<Organization name>"
    • $url = "<Secret Double Octopus SAML 2.0 Endpoint URL>"
    • $uri = "<Secret Double Octopus Office365 Service Issuer URL>"
    • $logoutUrl = "<Secret Double Octopus SAML 2.0 Endpoint URL>"
    • $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 ("<C:/xxx.crt>")

Note: To retrieve the X.509 certificate file, please refer to Secret Double Octopus Office365 X.509 Certificate and download the .crt file.

  4. Base64-encode the certificate so it can be passed to Office 365 as the signing certificate:
    • $certData = [System.Convert]::ToBase64String($cert.RawData)
  5. To check the newly set variables, enter:
    • Get-Variable dom,fedBrandName,url,uri,logoutUrl,cert,certData | fl Name,Value
  6. To swap your domain from managed to federated, enter:
    • Set-MsolDomainAuthentication -DomainName $dom -Authentication Federated -FederationBrandName $fedBrandName -PassiveLogOnUri $url -IssuerUri $uri -LogOffUri $logoutUrl -PreferredAuthenticationProtocol SAMLP -SigningCertificate $certData
  7. Verify the new settings:
    • Get-MsolDomainFederationSettings -DomainName $dom | fl
  8. To retrieve the ImmutableID of the users, enter:
    • Get-MsolUser -All | Select-Object UserPrincipalName,ImmutableID

 

Important note:
For each user you want to use with the Secret Double Octopus Office365 service, enter their ImmutableID value in the custom field (e.g. custom1, custom2 or custom3, according to the service setting).
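The federation procedure above as one complete script, added here as a worked example; it is not Secret Double Octopus's own script. It assumes the MSOnline module is installed, and the domain, organization name, URLs and certificate path are placeholders to be replaced with the values shown on the service's Sign On tab. It goes slightly beyond the page's steps: it reads the domain's current authentication state before un-federating it, prints the loaded certificate's subject, thumbprint and expiry so the operator can confirm the right .crt was picked up, and exports the UPN-to-ImmutableID list to a CSV for entry into the custom field.

```powershell
# Added example (not Secret Double Octopus's script): federate an Office 365 domain
# with the Octopus Authenticator SAML 2.0 endpoint via the MSOnline module.
# Every value below is a placeholder assumption; replace it with your own.
Import-Module MSOnline
Connect-MsolService   # prompts for Office 365 global administrator credentials

$dom          = "example.com"                                  # placeholder: Office 365 domain name
$fedBrandName = "Example Org"                                  # placeholder: organization name
$url          = "https://octopus.example.com/o365-saml/login"  # placeholder: SAML 2.0 Endpoint (HTTP)
$uri          = "https://octopus.example.com"                  # placeholder: Issuer URL
$logoutUrl    = "https://octopus.example.com/o365-saml/login"  # placeholder: same endpoint, as on the page
$certPath     = "C:\octopus\office365.crt"                     # placeholder: downloaded X.509 .crt file

# Load the IdP signing certificate and show what was loaded before Office 365 is told to trust it
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 ($certPath)
"Signing cert: subject={0} thumbprint={1} expires={2}" -f $cert.Subject, $cert.Thumbprint, $cert.NotAfter
if ($cert.NotAfter -lt (Get-Date)) { throw "Signing certificate has already expired" }
$certData = [System.Convert]::ToBase64String($cert.RawData)

# A domain that is already federated has to be returned to Managed before it is re-federated
$domain = Get-MsolDomain -DomainName $dom
if ($domain.Authentication -eq "Federated") {
    Set-MsolDomainAuthentication -DomainName $dom -Authentication Managed
}

# Review the variables before applying them (the page's "check the new set variables" step)
Get-Variable dom, fedBrandName, url, uri, logoutUrl, cert, certData | Format-List Name, Value

Set-MsolDomainAuthentication -DomainName $dom -Authentication Federated `
    -FederationBrandName $fedBrandName -PassiveLogOnUri $url -IssuerUri $uri `
    -LogOffUri $logoutUrl -PreferredAuthenticationProtocol SAMLP -SigningCertificate $certData

# Confirm what Office 365 stored (IssuerUri, PassiveLogOnUri, SigningCertificate, ...)
Get-MsolDomainFederationSettings -DomainName $dom | Format-List

# Export UPN -> ImmutableID so each value can be copied into the user's custom field
Get-MsolUser -All | Select-Object UserPrincipalName, ImmutableId |
    Export-Csv -Path "C:\octopus\immutable-ids.csv" -NoTypeInformation
```

Run the script from an elevated Azure AD PowerShell session as a global administrator; the Get-MsolDomain check makes the un-federate step conditional, so the same script works whether the domain is currently managed or federated.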


Note: To learn more about Office365 configuration, please refer to the Enable Exchange Online for modern authentication web page.