This article is still in progress; please check back for more content shortly.
Office 365 SSO has long been a pipe dream for many companies but has historically been either too difficult or too expensive to implement. Not any more: Microsoft have now made this available to all customers for free, see here. Let’s look at how we can easily achieve this.
This article is for you if
- You want to set up Office 365 SSO but aren’t sure exactly how to do this
- Your users want to use Office 365 SSO
- You are frustrated at having to log in to Office 365 each time you want to check your emails
- You plan to move users’ data to OneDrive and want to do this automatically via Group Policy
- You plan to move on-premises central file shares to SharePoint and want to re-map these automatically for users via Group Policy
- You are moving to Office 365 from another cloud service provider and need a good tutorial on how to get the best from seamless single sign-on
- You want to learn how to configure Azure AD Connect for Office 365 SSO
- Your manager has asked you to set up Office 365 SSO but you don’t want to look incompetent and say you don’t know how
Once configured, your users’ machines should work as demoed in the video below.
Configure your users’ UPN suffixes to match your Azure AD tenant domain
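Azure AD can only match an on-premises user to a cloud identity when the UPN suffix is a verified tenant domain, so the non-routable default suffix (for example .local) has to be replaced before Azure AD Connect runs. The script below is an added example, not part of the original article: it adds the suffix to the forest if needed, lists every enabled user in a placeholder OU whose UPN does not already use the tenant domain, checks for collisions, and only rewrites UPNs when $Apply is set to $true. The tenant domain is taken from the article; the OU path is an assumption.

```powershell
# Added example (not from the original article). Requires the RSAT ActiveDirectory
# module and an account permitted to modify the forest UPN suffix list and the users.
Import-Module ActiveDirectory

$TenantDomain = 'theictguy.co.uk'             # verified Azure AD tenant domain (from the article)
$SearchBase   = 'OU=Staff,DC=corp,DC=local'   # placeholder OU; scope this to the OUs you sync
$Apply        = $false                        # $false = report only; $true = rewrite UPNs

# 1. A user can only be given a UPN suffix that exists in the forest, so add it first.
$forest = Get-ADForest
if ($forest.UPNSuffixes -notcontains $TenantDomain) {
    Set-ADForest -Identity $forest.Name -UPNSuffixes @{ Add = $TenantDomain }
    Write-Output "Added UPN suffix $TenantDomain to forest $($forest.Name)"
}

# 2. Find enabled users whose UPN suffix is not the tenant domain.
$users = Get-ADUser -SearchBase $SearchBase -Filter 'Enabled -eq $true' `
            -Properties UserPrincipalName, SamAccountName |
         Where-Object { $_.UserPrincipalName -notlike "*@$TenantDomain" }

# 3. Report each change and, when applying, refuse to create a duplicate UPN.
foreach ($u in $users) {
    $newUpn = '{0}@{1}' -f $u.SamAccountName, $TenantDomain
    $clash  = Get-ADUser -Filter "UserPrincipalName -eq '$newUpn'" -ErrorAction SilentlyContinue
    if ($clash -and $clash.DistinguishedName -ne $u.DistinguishedName) {
        Write-Warning "$newUpn is already used by $($clash.SamAccountName); skipping $($u.SamAccountName)"
        continue
    }
    Write-Output ('{0,-20} {1} -> {2}' -f $u.SamAccountName, $u.UserPrincipalName, $newUpn)
    if ($Apply) {
        Set-ADUser -Identity $u -UserPrincipalName $newUpn
    }
}
Write-Output ("{0} user(s) listed; Apply = {1}" -f @($users).Count, $Apply)
```

Run it once with $Apply left at $false and review the list before rewriting anything, because a UPN change is visible to users the next time they sign in.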
Configure your Domain Controller for Azure Active Directory password hash sync and seamless single sign-on using the Azure AD Connector
You can download the connector here
Once downloaded, install and run Azure AD Connect and enter an Office 365 Admin credential.
Click Add Directory and add your local domain and provide credentials when requested; it should then show a green tick circle.
Select the OUs you wish to sync to Office 365; sync only the user and group OUs you actually need.
Select Password hash synchronization to sync hashes of your users’ passwords to Office 365. Unlike other connectors, this does not require a password reset for users.
Click Enter credential for Enabling single sign-on. It should go to a green circle tick again.
Click Configure. The wizard will run and create the required Azure AD computer account in AD Computers, which is used to run SSSO.
Copy the OneDrive ADMX and ADML templates from the Windows test machine to your Domain Controller’s SYSVOL folder
You can find the ADMX files here – C:\Program Files\Microsoft OneDrive\OneDriveVersionNumber\adm
Remember to change OneDriveVersionNumber to the version you are on
Configure the Azure Active Directory single sign-on Group Policy
You can do this by setting the below policies.
Test seamless single sign-on to Office 365
You can create your custom SSSO URLs using this wizard here. Ensure that, when logged on to an AD account, you can open one of these links and it logs you in automatically.
For example, outlook would be – https://outlook.com/owa/theictguy.co.uk
Configure the OneDrive Group Policy for seamless single sign-on, to silently move your users’ Known Folders to OneDrive and to always use OneDrive Files On-Demand by default
Test OneDrive seamless single sign-on from the Windows test machine and confirm the Known Folders auto-redirect
As before, when testing SSSO, log in to an AD account and ensure that once OneDrive has signed in automatically the Desktop, Documents and Pictures folders auto-redirect within a few seconds. This is dependent on the specification of the machine and Internet speed.
To Map a SharePoint site to OneDrive on Demand, you can configure the Group Policy at User Configuration -> Administrative Templates -> OneDrive -> Configure team site libraries to sync automatically
You will need to populate this with the name of the SharePoint site you want to map and its ID; for example –
Name: Staff Shared
You can get the tenant ID by clicking on Sync and then Copy Site ID.
You can do this by setting the following registry key on login.
- Key path: SOFTWARE\Microsoft\OneDrive\Accounts\Business1
- Value name: TimerAutoMount
- Value type: REG_QWORD
- Value data: 0x1 (1)
As before, when testing folder auto-redirection, the shared drive should auto-map within a few seconds when using the above registry fix.
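Because the article applies this value "on login", it is normally delivered as a user logon script. The script below is an added example, not from the original article: it writes TimerAutoMount as a REG_QWORD under the user's hive, waits for OneDrive's silent SSO sign-in to create the Business1 key rather than failing when it is not there yet, and does nothing on repeat logons once the value is already 1. It assumes the script runs in the user's context with OneDrive installed.

```powershell
# Added example (not from the original article): logon-script form of the registry
# fix above. Assumes it runs as the user (HKCU) on a machine where OneDrive is installed.
$accountKey = 'HKCU:\SOFTWARE\Microsoft\OneDrive\Accounts\Business1'   # from the article
$valueName  = 'TimerAutoMount'                                          # from the article

# OneDrive only creates the Business1 key after its silent sign-in completes, so a logon
# script that runs too early would find nothing. Wait up to 60 seconds (assumed budget).
$deadline = (Get-Date).AddSeconds(60)
while (-not (Test-Path -Path $accountKey) -and (Get-Date) -lt $deadline) {
    Start-Sleep -Seconds 5
}
if (-not (Test-Path -Path $accountKey)) {
    Write-Warning "OneDrive business account key not present yet; skipping until next logon."
    return
}

# Idempotent: read the current value (absent = $null) and only write when it is not already 1.
$current = (Get-ItemProperty -Path $accountKey -Name $valueName -ErrorAction SilentlyContinue).$valueName
if ($current -ne 1) {
    New-ItemProperty -Path $accountKey -Name $valueName -PropertyType QWord -Value 1 -Force | Out-Null
    Write-Output "Set $valueName = 1 (REG_QWORD); the team site library should now map within a few seconds."
} else {
    Write-Output "$valueName already set; nothing to do."
}
```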
Login to Office 365 Admin Center and click SharePoint under Admin centres
Click Get Started under File Shared
Choose Download agent and install the agent onto your file servers
Click Add Task
Decide if you wish to upload a single share or multiple via CSV. For this guide, we will run with a single share.
Enter your source; this must be a share stored on the same network that the agent has access to.
Select your destination; for this part of the guide we will select SharePoint.
Enter the URL of the destination SharePoint site.
Select either the root Documents folder or any other subfolder. You can also create a new folder here too.
Give your task a name and select to either Run now or Run later.
We suggest also enabling the setting below to replace invalid characters when uploading.
Also enable the setting so that hidden files are not uploaded.
Now click Run; the job will queue and upload the file share.