Skip to main content

Microsoft Integrations

Microsoft Office 365 OAuth SSO

Introduction

You can activate an OAuth2.0-based Microsoft O365 Single Sign-On (SSO) in Flexopus. With Microsoft OAuth SSO, you essentially allow login access for all users with a Microsoft O365 account. You can then restrict access based on domain settings, determining which emails are allowed or not allowed to log in.

IMPORTANT! Please check in advance if you prefer using this simpler SSO configuration. We generally recommend connecting to Microsoft Active Directory via SAML2. With a direct SAML2 SSO configuration, you can restrict access to only the users that exist in your Identity Provider.
Read the article here.

During the setup process, we activate the interface for Microsoft Office 365 users for your cloud tenant and restrict the login option to email addresses with the domain @company.com. Afterward, your employees can authenticate directly with their MS365 credentials.

When they log in for the first time, Flexopus automatically creates a new user with their name and email address in the backend. You can then assign special rights (e.g., Location Manager, Admin) or assign user groups to the user. An authentication check is performed for each subsequent login.


Configuration Manual


STEP 1 - Activate Microsoft SSO

Navigate in Flexopus to Dashboard > Settings > Authentication and create a new provider. In the pop-up, select the option Microsoft O365 SSO.

Create a Microsoft O365 SSO provider

Enable the integration and set the List of allowed domains for SSO setting to specify which domains are allowed to log in, such as: my-company.com, my-subcompany.de.

💡
Note: If you want to allow everyone to log in, set a *. However, this configuration is not recommended. It's better to specify exactly who can or cannot log in.
Configure whitelist domain

Optionally, you can enable the Require existing user profile to log in through SSO option. This ensures that only users with an existing account can log in. After activation, application access is restricted to these accounts, and new users must be added manually.

You can also configure the Use UPN as email setting to decide which Microsoft attribute to use for UPN synchronization. This is an advanced setting, and you can leave it on the default configuration.

UPN configuration

Save your changes.


STEP 2 - Test the configuration

Open Flexopus in a new incognito window and test the login:

https://{your-company}.flexopus.com/ or, if you have a custom domain, go to the custom domain.

You should be able to log in with either an existing or new user, depending on how you configured the access rights in your Azure Active Directory and Flexopus.

💡
Note: The Two-Factor Authentication (2FA) will be applied based on the user's Microsoft 2FA settings. If you have set 2FA as required in your Microsoft Admin Console, users will be prompted to complete the 2FA process during the Microsoft authentication.

Once Microsoft SSO is configured successfully, you can optionally disable the email and password login and enforce Single Sign-On for all users. Navigate to Dashboard > Settings > Authentication. You will find two options:

  1. Disable password login
    You can disable all email and password login forms.
  2. Hide login form
    This option hides the login form on the main login page. However, a secondary login form (../dashboard/auth/login) remains accessible for use by a backup admin user.
Disable emails and password login

R0014