This article explains how to correctly set up the Access Control Single Sign-on environment between your HDE One domain environment and your Office 365 domain. Before beginning the setup, make sure that your machine meets the prerequisites below.
For the values to set, please see the Connection Settings document that we have provided.
Prerequisites of setting up Access Control Single Sign-on
(i) HDE One Directory Sync is installed and functioning properly (Office 365 with Windows Active Directory).
If HDE One Directory Sync is not installed on your machine, or it is not working properly and you want to install it again, please refer to this article: HDE Access Control : HDE One Directory Sync (Office 365 with Windows Active Directory)
(ii) A Windows machine that is installed with:
1) PowerShell ver. 3.0 or above.
2) Azure Active Directory Module for Windows PowerShell
3) Microsoft Online Services Sign-In Assistant for IT Professionals
After confirming that your Windows machine has the requirements above installed, you may proceed to the actual setup.
(1) Connecting to Office 365
1.1) Creating an Administrative Account on Office 365 (Optional)
One administrative account on Office 365 is required for the setup. If you choose to use an existing administrative account on Office 365 (email@example.com), you may use it for the setup and skip to 1.2).
Otherwise, you may create a new administrative account with the "Global Administrator" admin role on Office 365 specifically for this setup. This account does not need any license; the "Global Administrator" admin role alone is sufficient. You may also delete the account you created for this setup once the entire setup is complete.
To create a new administrative account on Office 365, simply use your existing administrative account to log into the Office 365 admin center and go to USERS -> Active Users interface to click on the Plus button.
After clicking on the Plus button, an interface to create a new account will pop up. Input the user account details accordingly and create the new user account. For the password, it is recommended to set a dedicated password, since this account is created for the purpose of this setup only. Note that the User name (firstname.lastname@example.org) and the password will be used as the login details for the Microsoft Online Services Sign In via PowerShell.
Select the new account as shown below, then click on the "EDIT USER ROLES" button on the right panel.
Please be sure to select "Global administrator" to grant the account the administrative access. Input an alternate email address to complete the process.
Once the newly created account has been granted the "Global administrator" admin role, you are ready to use it to log into the Microsoft Online Services Sign In via PowerShell.
1.2) Log in with your Administrator Account
First, run the Windows Azure Active Directory Module for Windows PowerShell that you have installed.
1.2.1) Run the command below:
1.2.2) After entering the command, a login dialog will pop up for you to input the User name (email@example.com) and password of the administrator account that you have chosen to use.
1.3) Getting your Domain Information
After you have successfully logged in, check the status of your domain environment with the command below:
After executing the command, you will see the information for two domain names:
- Your Access Control Domain
- Your Office 365 Domain
If both domains show "Verified" in the "Status" column and "Managed" in the "Authentication" column, you are ready for the next step, Configuring Single Sign-on Settings.
1.4) Changing the Default Domain
Please change your default domain from yourdomain.com to yourdomain.onmicrosoft.com by executing the command below:
Set-MsolDomain -name yourdomain.onmicrosoft.com -IsDefault
(2) Configuring Single Sign-on Settings
Step 1 - Inputting Setting Commands
In the HDE One Connection Setting document (spreadsheet format) that we have provided, open the "Office365 Setup" sheet and copy lines 13 to 20 as shown below:
After copying the lines of commands, paste them all into PowerShell at once.
After pasting into PowerShell, be sure to press Enter once more to ensure that all of the commands are executed.
Step 2 - Confirming your Domain Information
Finally, to ensure that the setup was carried out successfully, execute the command "Get-MsolDomain" and make sure that the "Authentication" column for "yourdomain.com" is "Federated".
If so, the Single Sign-on setup for your domain environment is complete, and the users in your cloud environment can log in to all of the services using one single account.
(Optional) Disabling Single Sign-on
To disable Single Sign-on for your domain environment, simply execute the command below (replace "yourdomain.com" with your domain address):
Set-MsolDomainAuthentication -Authentication Managed -DomainName yourdomain.com
This command changes the "Authentication" of your domain from "Federated" to "Managed", thereby disabling Single Sign-on.
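The checks a practitioner would run around the whole procedure above (sign-in, domain pre-check, default domain switch, post-check and the optional rollback), as an added PowerShell example that is not part of the HDE One article. It assumes the MSOnline cmdlets used on this page plus Connect-MsolService and Get-MsolDomainFederationSettings; the domain names are placeholders, and the federation commands from lines 13 to 20 of the Connection Settings spreadsheet are not reproduced here.

```powershell
# Added example, not the HDE One article's own script. Replace the placeholder
# domain names with the values from your Connection Settings document.
$AccessControlDomain = 'yourdomain.com'              # placeholder
$TenantDomain        = 'yourdomain.onmicrosoft.com'  # placeholder

# 1.2) Sign in. With no -Credential argument the module shows the login dialog
#      for the Global Administrator account.
Connect-MsolService

# 1.3) Both domains must be Verified and still Managed before federation is set up.
function Test-PreFederationState {
    param([string[]]$Domains)
    $ok = $true
    foreach ($d in $Domains) {
        $info = Get-MsolDomain -DomainName $d
        if ($info.Status -ne 'Verified' -or $info.Authentication -ne 'Managed') {
            Write-Warning "$d is $($info.Status)/$($info.Authentication); expected Verified/Managed"
            $ok = $false
        }
    }
    return $ok
}

# 1.4) Make the onmicrosoft.com domain the default before federating the custom domain.
function Set-TenantDomainAsDefault {
    param([string]$Domain)
    Set-MsolDomain -Name $Domain -IsDefault
}

# (2) Step 2: confirm the custom domain now reports Authentication = Federated and
#     show the federation endpoints that the pasted spreadsheet commands configured.
function Test-Federated {
    param([string]$Domain)
    $federated = (Get-MsolDomain -DomainName $Domain).Authentication -eq 'Federated'
    if ($federated) {
        Get-MsolDomainFederationSettings -DomainName $Domain |
            Select-Object IssuerUri, PassiveLogOnUri, LogOffUri | Format-List
    } else {
        Write-Warning "$Domain is not Federated; re-check the pasted commands."
    }
    return $federated
}

# (Optional) Rollback: return the domain to Managed authentication, disabling SSO.
function Disable-FederatedSso {
    param([string]$Domain)
    Set-MsolDomainAuthentication -DomainName $Domain -Authentication Managed
}
```

Run Test-PreFederationState and Set-TenantDomainAsDefault before pasting the spreadsheet commands, Test-Federated after pressing Enter, and Disable-FederatedSso only if you need to undo the change.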