
Microsoft Office 365 OAuth SSO

Introduction

You can activate an OAuth 2.0 based Microsoft O365 Single Sign-On in Flexopus. With Microsoft OAuth SSO, you essentially allow login for every user in the world who has a Microsoft O365 account, and you restrict by domain which email addresses can or cannot log in.

IMPORTANT! Please check in advance whether you want to use this simple SSO configuration variant. We generally recommend connecting to Microsoft Active Directory via SAML2. With a direct SAML2 SSO configuration, you can restrict access to only those users that exist in your Identity Provider.
Read the article here.

During the setup process, we activate the interface for Microsoft Office 365 users for your cloud tenant and restrict the login option to email addresses with the domain @company.com. Afterward, your employees should be able to authenticate themselves directly with their MS365 credentials.

When they log in for the first time, Flexopus automatically creates a new user with name and email address in the backend. You can then subsequently assign special rights (e.g., Location Manager, Admin) or assign user groups to the user. An authentication check is carried out for each subsequent login.


Configuration Manual


STEP 1 - Activate Microsoft SSO

Navigate in Flexopus to Dashboard > Settings > Authentication and create a new provider. In the pop-up select the option Microsoft O365 SSO.

Create a Microsoft O365 SSO provider

Enable the integration and set in the List of allowed domains for SSO setting which domains are able to log in, e.g. my-company.com, my-subcompany.de.

💡
Note: If you want to allow everybody, set a *. However, this configuration is really not recommended; specify explicitly who can or cannot log in.
Configure whitelist domain

Optionally, with the Require existing user profile to log in through SSO setting you can specify that users can only log in with an already existing account. After activation, application access is restricted to existing user accounts; new users must be added manually.

With the Use UPN as email setting you can also decide which Microsoft attribute is used for the UPN synchronization. This is an advanced setting; you can leave it at the default.

UPN configuration

SAVE your changes.
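To make the effect of the three STEP 1 settings concrete, here is an added example that models the login decision they describe: which token attribute becomes the account email (Use UPN as email), whether the address's domain is on the allow-list (with * meaning everyone), and whether an existing profile is required. This is illustrative code written for this article, not Flexopus's implementation; the claim names `email` and `upn`, the sample users and the function names are assumptions.

```python
"""Model of the STEP 1 access decision (illustrative, not Flexopus code)."""
from dataclasses import dataclass, field
from typing import Optional, Tuple


@dataclass
class SsoSettings:
    # "List of allowed domains for SSO"; a "*" entry allows every domain
    allowed_domains: list = field(default_factory=list)
    # "Require existing user profile to log in through SSO"
    require_existing_user: bool = False
    # "Use UPN as email": take the UPN instead of the email claim
    use_upn_as_email: bool = False


def login_identifier(claims: dict, settings: SsoSettings) -> Optional[str]:
    """Pick the token attribute that becomes the Flexopus account email.
    Claim names 'upn' and 'email' are assumed for this example."""
    key = "upn" if settings.use_upn_as_email else "email"
    value = claims.get(key)
    if not value or not isinstance(value, str):
        return None
    # normalize once so allow-list and user lookups are case-insensitive
    return value.strip().lower()


def email_domain(address: str) -> Optional[str]:
    """Return the domain part of an address, or None if it is malformed.
    Splitting on the last '@' and rejecting extra '@' characters keeps the
    domain check from being confused by unusual local parts."""
    local, sep, domain = address.rpartition("@")
    if not sep or not local or not domain or "@" in local:
        return None
    return domain


def domain_allowed(domain: str, allowed_domains: list) -> bool:
    """Exact, case-insensitive match against the allow-list.
    Exact matching (not a suffix check) means a look-alike such as
    'notmy-company.com' is rejected when only 'my-company.com' is listed."""
    normalized = {d.strip().lower() for d in allowed_domains if d.strip()}
    if "*" in normalized:
        return True
    return domain in normalized


def evaluate_login(claims: dict, settings: SsoSettings,
                   existing_users: set) -> Tuple[bool, str]:
    """Return (allowed, reason) for one Microsoft login attempt."""
    ident = login_identifier(claims, settings)
    if ident is None:
        return False, "no usable identifier in token"
    domain = email_domain(ident)
    if domain is None:
        return False, "malformed identifier"
    if not domain_allowed(domain, settings.allowed_domains):
        return False, f"domain {domain} not in allow-list"
    if settings.require_existing_user and ident not in existing_users:
        return False, "no existing user profile"
    return True, "ok"


if __name__ == "__main__":
    # constructed sample data: allow-list from the article and one existing user
    settings = SsoSettings(allowed_domains=["my-company.com", "my-subcompany.de"])
    users = {"alice@my-company.com"}
    for claims in ({"email": "Alice@My-Company.com"},
                   {"email": "bob@other.example"},
                   {"email": "bob@notmy-company.com"},
                   {"upn": "dave@my-company.com", "email": "dave@mail.example"}):
        print(claims, "->", evaluate_login(claims, settings, users))
```

Running the block shows that the first login is accepted, the second and third are rejected by the domain check, and the fourth is rejected because, with the default setting, the email claim (not the UPN) is what gets checked.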


STEP 2 - Test the configuration

Open Flexopus in a new incognito window and test the login:
https://{your-company}.flexopus.com/ or in case you have a custom domain, then go to the custom domain.

You should be able to log in with an existing or a new user, depending on how you configured the access rights in your Azure Active Directory and Flexopus.

💡
Note: Two-Factor Authentication (2FA) is applied based on the user's Microsoft 2FA settings. If you have set 2FA as required in your Microsoft Admin console, users will be asked to complete 2FA during the Microsoft authentication process.

Once Microsoft SSO is configured successfully, you can optionally disable the email and password login and require all users to use Single Sign-On. Navigate to Dashboard > Settings > Authentication. You can find two options here:

  • Disable password login
    Disables all email and password login forms.
  • Hide login form
    Hides the login form on the main login page; a secondary login form at ../dashboard/auth/login remains, which you can leave open for a backup admin user.
Disable emails and password login
