Note: This blog post outlines guidance on how to allow SSO on End-Users devices operated by Microsoft Windows OS and running Microsoft Office products.
As many of you know, one of the most important components in SSO (in regards to office 365 services), when a user uses Office applications is Modern Authentication. Modern Authentication is enabled by default in Office 2016, however, to make Office 2013 (we still see A LOT of companies use Office 2010 and Office 2013) fully compatible with Modern Authentication some additional steps are required.
Of course, cloud identity is very big and important topic. We see a lot of different vendors, like Azure AD, Okta, Onelogin, and etc. providing cloud identity solutions.
Recently we were asked to help one VERY big enterprise (more than 80000 users!) with their cloud identity and SSO challenges. This organisation decided to use Okta.
So, the information included in this section represents the summary of the recommended settings, inside OKTA Admin panel and all required changes on the client side.
For SSO these are the business requirements:
- Standardise on a single supported enterprise collaboration solution
- Easy access to the information (ex: documents) stored at Office 365 without constantly providing user credentials, like: Username & password
SSO includes the following technical requirements:
- Modern Authentication at Office 365 must be enabled for all required services.
- End-users devices should be operated by Microsoft Windows OS (Windows 7, 8, 8.1 or 10).
- All users should use Office 2013 or Office 2016 desktop clients
Note: Microsoft does NOT support Modern Authentication for Office 2010.
- Windows and Office 2013/2016 should be up-to-date!
- Users UPN has to match a user’s primary email address.
Now, when we are clear with Business and Technology Objectives, let’s see what and how should be configured 🙂
Office 365 Settings
Modern authentication in Office 365 enables authentication features like multi-factor authentication (MFA) using smart cards, certificate-based authentication (CBA), and third-party SAML identity providers. Modern authentication is based on the Active Directory Authentication Library (ADAL) and OAuth 2.0.
By default, modern authentication isn’t enabled for all Office 365 products, but it’s possible to enable it.
Enable Modern Authentication in Office 365
- Connect to Office 365 PowerShell.
- Run the following command in office 365 PowerShell:
Set-OrganizationConfig -OAuth2ClientProfileEnabled $true
- To verify that the change was successful, run the following command in Office 365 PowerShell:
Get-OrganizationConfig | Format-Table -Auto Name,OAuth*
Okta settings and Office 365 Application Configuration
The following screenshots demonstrate the recommended settings in Okta Admin. The Office 365 Application settings also provided:
Note: For demo purposes, demo-highclouder.com domain was used as a primary address. All users have an email address in the following format: “user”@demo-highclouder.com. User’s UPN is matching a primary email address.
Integration with Microsoft Active Directory
Okta Active Directory Agent should be installed on a Windows server, that joined to Active Directory Domain. It’s recommended to install it on at least two servers.
Note: It’s strongly recommended to set Okta username format as: User Principal Name (UPN)
Note: The FQDN of OKTAIWAWEBAPP server must be defined in Private DNS. In this example, it’s OktaIWAWebApp.demo-highclouder.com.
Note: It’s important to defined IPs for which SSO should be applied.
Office 365 Application Settings
Note: A user that defined as an Admin Username/Password should have appropriate permissions at Microsoft Office 365 environment! In this example, the admin username is: firstname.lastname@example.org
And now we are coming to one VERY important setting!
End-Users Settings (OS, IE and Office 2013)
Office 2013 Modern Authentication using the Active Directory Authentication Library (ADAL). For Modern Authentication to function the following component versions should be greater than 15.0.4625.1000:
- C:\Program Files\Common Files\Microsoft Shared\OFFICE15\MSO.DLL
- C:\Program Files\Common Files\Microsoft Shared\OFFICE15\Csi.dll
- C:\Program Files\Microsoft Office\Office15\GROOVE.EXE
- C:\Program Files\Microsoft Office\Office15\OUTLOOK.EXE
And this dll should be greater than 1.0.1933.710:
- C:\Program Files\Common Files\Microsoft Shared\OFFICE15\ADAL.DLL
To achieve the necessary version levels, the following updates should be installed:
- https://support.microsoft.com/en-us/kb/3085480 which takes MSO.DLL to 15.0.4753.1001
- https://support.microsoft.com/en-us/kb/3085504 which takes CSI.DLL to 15.0.4753.1000
- https://support.microsoft.com/en-us/kb/3085509 which takes GROOVE.EXE to 15.0.4763.1000
- https://support.microsoft.com/en-us/kb/3085495 which takes OUTLOOK.EXE to 15.0.4753.1002
- https://support.microsoft.com/en-us/kb/3055000 which takes ADAL.DLL to 1.0.2016.624
Enable Modern Authentication for Office 2013
To enable modern authentication for any Windows devices that have Office 2013 installed, it’s needed to set specific registry keys.
IMPORTANT: Modern authentication is already enabled for Office 2016 clients, you do not need to set registry keys for Office 2016.
To enable modern authentication for any devices running Windows (for example on laptops and tablets), that have Microsoft Office 2013 installed, it’s needed to set the following registry keys:
Add URLs to Local Intranet Zone
Internet Explorer Internet Options should be configured as follows (if IE is not default system browser, different settings must be set:
Enable Integrated Windows Authentication
Note: Please be sure that “Enable Integrated Windows Authentication” is selected!
Let’s check what we’ve configured so far :). Let’s see how it works!
If everything was configured right, when user will try to use resources stored at Office 365 (ex: Word document stored in OneDrive for Business), the following pop-up window should arrive:
A user will be required to provide his email address (be sure that user’s UPN is matching a primary email address) and hit the Next button.
Credentials Manager Verification
To validate that all required Authenticated tokens are stored inside OS, navigate to “Credential Manager” and check the settings under “Generic Credentials”. System should have something similar to the following picture:
Enjoy! I hope you will find this information helpful :). Feel free to contact me if you need any help with this or similar topic!