Microsoft 365 Single Sign-On (SSO) Setup Steps
Why Would I Use This Sign-on Option?
If you're a Microsoft 365 client you can synchronize your Azure Active Directory users with MyHub. This delivers the following benefits:
- Your users can use the same Microsoft 365 email address and password (credentials) to access your MyHub site, so they no longer need to remember another password
- Once set up, users can click the Microsoft 365 log in button to access the site without entering their email address and password every time
- The site administrator can add and remove users from your MyHub site directly through Azure Active Directory, so you don't need to manage two user databases
- Greater security and control over who has access to your MyHub site: because access is driven by the directory, there's no need to check yet another system to see whether a user has been removed when they leave the business
Frequently Asked Questions:
- Q. Does MyHub support MFA (Multi-Factor Authentication) via Microsoft 365?
- A. Yes. Because MyHub hands the sign-in over to Microsoft 365, any MFA you require there (for example per-user MFA) is enforced when users log in to MyHub; the setup is covered in Stage 5 / Steps 7 to 9 of this guide.
- Q. Do I have to use Microsoft 365 to use MyHub?
- A. No, you can use the MyHub user management tools to add and manage users
- Q. Can I have a combination of users using Microsoft 365 and other email addresses like Gmail to log in?
- A. Yes you can; all users can still use the MyHub login process to access the site. Simply add the non-Microsoft 365 users to the site in the Add & Manage Users area
- Q. What will happen when I do the first synchronization with Azure Active Directory?
- A. New Users - Your Microsoft 365 users will be added to your MyHub site, and each will receive an automated welcome email telling them how to log in using their Microsoft 365 credentials
- A. Existing Users - Your existing users will be updated in the backend to reflect that they are now Microsoft 365 users, and each will receive an automated email telling them that they can now use their Microsoft 365 credentials to log in. Note - existing users are matched to their Microsoft 365 accounts, so they will not be duplicated when you synchronize
- Q. What happens when I delete a user from Azure Active Directory?
- A. The user will be deleted in MyHub
- Q. What happens when I delete a user in MyHub will it be deleted from Azure Active Directory?
- A. No. All Microsoft 365 user management must be done in Microsoft 365: if the user has not also been deleted from Microsoft 365 they will be added back to your MyHub site on the next synchronization
- Q. Is the synchronization automatic and how often does it happen?
- A. Yes, it is automatic and takes place every hour, so it can take up to an hour for a new user to appear. If it's urgent you can run a manual synchronization in the Add & Manage Users > Add & Manage Many Users area of your site
- Q. If I have more than one MyHub site can I synchronize my users to all of my sites?
- A. No, you can only use Azure Active Directory on one site, additional sites will need to have users added by MyHub support, please contact support for help
- Q. Where do I manage user permissions and roles?
- A. All user permissions to access pages, modules and folders are managed in your MyHub site, in the Add & Manage Users > Add & Manage Roles area. Note - roles cannot be synchronized from your Azure Active Directory; group membership only controls which users are imported (see Stage 5 / Step 6), not what they can access
- Q. Why am I seeing Microsoft 365 admin and non-admin email addresses in my user and staff directory?
- A. When you synchronize, every user account in Azure Active Directory (or in the groups you selected) is imported, including admin and service accounts. If you don't want them to display in the Staff Directory you can disable them using the MyHub disable option in the Add & Manage Users area of your site.
Setting up Microsoft 365 Users using Azure Active Directory
Please Note: A number of the steps within Azure will need to be carried out by your Microsoft 365 administrator.
In order to enable Microsoft 365 Single Sign-On (SSO) for your MyHub site, you will need to go through the following setup stages.
- Stage 1: Create A New Azure Active Directory App Registration
- Stage 2: Configure An App Registration And Permissions
- Stage 3: Generate A Secret Key
- Stage 4: Copy Client And Tenant ID Values
- Stage 5: Configure MyHub For Microsoft 365 SSO
- Stage 6: Logging In For the First Time
Stage 1: Create A New Azure Active Directory App Registration
In order to allow your MyHub instance to work with Microsoft 365 SSO, the first stage is to configure a new Azure Active Directory application registration to use with your site.
- Step 1: In your browser, go to https://portal.azure.com/
- Step 2: Click "View" under Manage Azure Active Directory.
- Step 3: Follow the steps in the diagram below to find the + New registration option
- Step 4: Enter the following values in the Register an application screen
- Name: Your chosen name for this new application e.g. MyHub
- Supported account types: Accounts in this organizational directory only (Your company name)
- Redirect URI: Your MyHub login page URL, e.g. https://yourcompanyname.myhubintranet.com/Intranet-Login; you get this value from the address bar in your MyHub site. If you are using a custom domain, your login page URL will be different; use that instead.
- Please ensure that the copied URL stops at the end of the word Login, with no trailing slash or query string. Azure compares the redirect URI in each sign-in request with the registered value exactly, so a URL that differs by even a trailing slash will cause sign-ins to be rejected:
- Step 5: Once you have entered the values click the Register button to create your new App registration
- Step 6: Once you have created your new app registration you will be taken to the overview page of the registration with the name you entered previously. To enable SSO within the MyHub mobile app, click the Authentication menu link, then click Add a platform, and then choose Mobile and desktop applications.
- Step 7: From here, paste the following value into the Custom redirect URIs textbox and then click Configure: com.myhub.intranet://com.myhub.intranet/android/callback
- Step 8: Repeat the Add a platform > Mobile and desktop applications process from Step 6, then paste the following value into the Custom redirect URIs textbox and click Configure: com.myhub.intranet://com.myhub.intranet/ios/callback
The following values should now be visible, as seen in the screenshot below:
Stage 2: Configure An App Registration And Permissions
Once you have created a new App registration, you will then need to complete the following configuration and permission changes before moving to the next stage.
- Step 1: Click the Manifest menu link, find the oauth2AllowIdTokenImplicitFlow property (its line number varies between manifests, so search for the name rather than counting lines), change its value from false to true and click Save. This allows Azure to return an ID token directly to the MyHub login page; it does not enable implicit access tokens, which are controlled by the separate oauth2AllowImplicitFlow property and can stay false.
- Step 2: Next click API permissions menu item, then click + Add a permission, then click the Microsoft Graph panel
- Step 3: Click the Delegated permissions panel
- Step 4: Scroll down to the User permissions section, tick the User.Read.All checkbox and then click the Add permissions button. If the User.Read checkbox is already checked you can uncheck it, as User.Read.All covers the permissions required.
- Step 5: Click the Add a permission button again followed by the Microsoft Graph panel link and then this time select the Application permissions panel
- Step 6: In here also tick the User.Read.All checkbox under the User permissions section and then click the Add permissions button
- Step 7: Once you have added the permissions, grant admin consent so that your users won't be shown a consent screen when logging into MyHub. Application permissions such as User.Read.All cannot be used at all until an administrator consents, because they allow the app to read directory users without a signed-in user.
- Step 8: If you would like to use the Groups functionality mentioned in Stage 5 / Step 6, you will need to add two extra Microsoft Graph Application Permissions as follows:
Once you have added the Group permissions, you will need to grant consent by clicking the Grant admin consent for xxx button with the tick next to it as shown in the screen capture below. Make sure that you have a green tick status against each of the following permissions before proceeding:
Stage 3: Generate A Secret Key
In order for MyHub to authenticate to Azure as this App registration, you need to create a client secret associated with it. The secret is the credential MyHub presents to Azure, so treat it like a password.
- Step 1: From within the appropriate App registration click the Certificates & secrets menu option, then click the New client secret button
- Step 2: Enter the following values in the Add a client secret panel and then click the Add button
- Description: Your chosen name for this client, e.g. MyHub
- Expires: Select your preferred expiry period. Make a note of the expiry date: when the secret expires, sign-in and synchronization will stop working until you create a new secret and update it in MyHub, so plan to rotate it before then.
- Step 3: Once you have created your Client secret, copy the Value ready to be used within Stage 5. You need to copy this value straight after it has been created; afterwards you will only see a few characters followed by a list of asterisks, as shown in the diagram below. If you did not copy the Value when you created it, you will need to create a new Client secret. Tip: Be careful not to copy the Secret ID by mistake. If you have the MyHub configuration window open, paste the value directly into the Client Secret field; otherwise store it somewhere secure until you configure MyHub. Please note: keep only a single Client secret on the registration, otherwise you will get a credentials error when you try to enable Microsoft 365 in MyHub.
Stage 4: Copy Client And Tenant ID Values
To configure MyHub to communicate with Azure and synchronize your users, you will need to locate and copy the Application (client) ID and Directory (tenant) ID from Azure. Click on the Overview menu item to bring up the following screen so that you can copy them. Unlike the client secret, these two IDs are identifiers rather than credentials.
Stage 5: Configure MyHub For Microsoft 365 SSO
Once your Microsoft 365 administrator has completed stages 1-4, you will be ready to configure your MyHub instance.
- Step 1: Before proceeding with this step check that you have the following values ready to be used:
- New client secret value
- Application (client) ID
- Directory (tenant) ID
- Step 2: Log into your MyHub site as an administrator and navigate to the Admin sidebar and click the gear icon, then Site Security & Settings.
- Step 3: Expand the Microsoft 365 Single Sign-On settings area and enter your Application (client) ID, Client secret and Directory (tenant) ID values. Then click the Enable checkbox followed by the Update button.
- Step 4: When you click the Update button after checking the Enabled checkbox, MyHub will perform the following steps:
- Check that your Microsoft 365 credentials are valid
- Perform an import of Microsoft 365 users for the first time
- Schedule an hourly update that does the following:
- Checks whether the first name and last name values have changed within Azure Active Directory and updates your user records in MyHub if they have.
- Checks whether users have been deleted or disabled within Azure Active Directory and deletes the corresponding user records in MyHub.
- Checks whether new users have been added to Azure Active Directory and creates the new user records in MyHub.
- Step 5: If you would like to import user profile information from Microsoft 365, check the "Import User Profile Information" box seen in the image below.
- Check this box to import and update user profile details that have been edited and updated by the user and/or administrators in Microsoft 365.
- This will overwrite any profile information that has previously been edited within the MyHub site.
- Note: Once enabled, the import process will take several minutes to complete.
- The Microsoft 365 fields able to be imported are: emailAddresses, givenName, surname, streetAddress, city, state, country, postalCode, manager, jobTitle, department, imAddresses, businessPhones, mobilePhone, birthday, faxNumber, TimeZoneStandard, profilePhoto
- For reference, the equivalent default fields inside of MyHub are named: EmailAddress, FirstName, LastName, StreetNumberName, City, Region, Country, PostalCode, ManagerName, JobTitle, Department, Skype, BusinessTelephone, BusinessMobile, Birthday, BusinessFax, PreferredTimeZone, ProfileImage
- Step 6: If you would like to import and synchronize only users in specific Microsoft 365 groups, do not check the Sync All User checkbox; instead select one or more of the groups shown, and only the users in those groups will be synchronized.
If you add or delete groups in Microsoft 365 that you want to synchronize users from, click the refresh icon to make them display in MyHub. Then select the groups you would like to synchronize and click the Update button to save your settings.
- Step 7: If you would like to use MFA (Multi-Factor Authentication) within MyHub, navigate to the Users section as seen in the screenshot below.
- Step 8: From here, click on Per-user MFA.
- Step 9: Click on bulk update to manage MFA settings for your organization in bulk, or tick the box next to individual users to update their MFA status.
Tip: If you need to synchronize with Microsoft 365 before the scheduled hourly update, you can trigger it right away by navigating to Add & Manage Users > Add & Manage Many Users and clicking the Import Microsoft 365 Users button. Please note: if you have just added or deleted users in your Microsoft 365 account, it is advisable to wait 5 minutes while Microsoft 365 updates its different systems before clicking the Import Microsoft 365 Users button.
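The hourly synchronization in Step 4, the group filter in Step 6 and the FAQ answers about deleted and non-Microsoft 365 users all describe one reconciliation between the directory and the MyHub user list. The following is an added illustration of that reconciliation, written for this page; it is not MyHub's own code, and it assumes users are matched by email address (case-insensitively) and that a user who leaves every selected group drops out of scope, neither of which the guide states explicitly. The sample directory and site data are constructed.

```python
"""Added illustration (not MyHub's code) of the hourly sync described in Stage 5 / Step 4."""


def _key(address):
    # Assumption: directory users are matched to MyHub records by email, case-insensitively.
    return address.strip().lower()


def reconcile(directory_users, site_users, sync_groups=None):
    """Return the changes one sync run would make as {'add': [...], 'update': [...], 'delete': [...]}.

    directory_users: Azure AD accounts as dicts with mail, givenName, surname,
                     accountEnabled and groups (a set of group names).
    site_users:      MyHub records keyed by email, each with FirstName, LastName and
                     source ('m365' for synchronized users, 'local' for users added
                     through Add & Manage Users, e.g. Gmail addresses).
    sync_groups:     group names selected in Stage 5 / Step 6, or None for all users.
    """
    in_scope = {}
    for u in directory_users:
        if not u.get("accountEnabled", True):
            continue  # disabled in Azure AD: treated the same as a deleted account
        if sync_groups and not (set(u.get("groups", ())) & set(sync_groups)):
            continue  # assumption: leaving every selected group takes the user out of scope
        in_scope[_key(u["mail"])] = u

    plan = {"add": [], "update": [], "delete": []}
    for key, u in in_scope.items():
        record = site_users.get(key)
        if record is None:
            plan["add"].append(key)  # new (or previously removed in MyHub): created, welcome email sent
            continue
        changes = {}
        if record["source"] != "m365":
            changes["source"] = "m365"  # existing local user is converted, not duplicated
        if record["FirstName"] != u["givenName"]:
            changes["FirstName"] = u["givenName"]
        if record["LastName"] != u["surname"]:
            changes["LastName"] = u["surname"]
        if changes:
            plan["update"].append((key, changes))
    for key, record in site_users.items():
        if record["source"] == "m365" and key not in in_scope:
            plan["delete"].append(key)  # deleted/disabled in Azure AD or out of scope: record removed
    for changes in plan.values():
        changes.sort()
    return plan


# Constructed sample data (not real accounts).
SAMPLE_DIRECTORY = [
    {"mail": "alice@example.com", "givenName": "Alice", "surname": "Smith", "accountEnabled": True, "groups": {"Staff"}},
    {"mail": "Bob@example.com", "givenName": "Robert", "surname": "Jones", "accountEnabled": True, "groups": {"Staff"}},
    {"mail": "carol@example.com", "givenName": "Carol", "surname": "White", "accountEnabled": False, "groups": {"Staff"}},
    {"mail": "dave@example.com", "givenName": "Dave", "surname": "Brown", "accountEnabled": True, "groups": {"Contractors"}},
    {"mail": "gina@example.com", "givenName": "Gina", "surname": "Gray", "accountEnabled": True, "groups": {"Staff"}},
]
SAMPLE_SITE = {
    "bob@example.com": {"FirstName": "Bob", "LastName": "Jones", "source": "m365"},
    "carol@example.com": {"FirstName": "Carol", "LastName": "White", "source": "m365"},
    "dave@example.com": {"FirstName": "Dave", "LastName": "Brown", "source": "m365"},
    "erin@example.com": {"FirstName": "Erin", "LastName": "Black", "source": "m365"},
    "frank@gmail.com": {"FirstName": "Frank", "LastName": "Green", "source": "local"},
    "gina@example.com": {"FirstName": "Gina", "LastName": "Gray", "source": "local"},
}

if __name__ == "__main__":
    for action, items in reconcile(SAMPLE_DIRECTORY, SAMPLE_SITE, sync_groups={"Staff"}).items():
        print(f"{action}: {items}")
```

Run with the Staff group selected, the sample shows each rule from the guide: Alice is added, Bob's changed first name is pushed to MyHub, Gina's existing local record is converted rather than duplicated, Carol (disabled) and Erin (gone from the directory) are removed, Frank's Gmail account is left alone, and Dave is removed only because he is outside the selected group; with no group filter he is kept.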
Stage 6: Logging In For The First Time
When the above stages and steps have all been completed fully in order, your users will be able to log directly into MyHub using their Microsoft 365 credentials. If they are already signed into Microsoft 365, all they need to do is click the Microsoft 365 Log In button to authenticate via Single Sign-On without the need to enter a separate MyHub username and password. Your Microsoft 365 permissions will automatically apply for Microsoft 365 files and documents embedded within MyHub.
Note: If you are the first user logging in you may be presented with the following screen. Please ensure that you click the Consent checkbox and then click the Accept button:
Troubleshooting
- Do the Application (client) ID and Directory (tenant) ID values in MyHub match the values in Azure exactly?
- Does the Client Secret match? If in doubt, delete the existing secret, create a new one and paste its Value (not its Secret ID) into MyHub, keeping only a single secret on the registration.
- Is the Manifest oauth2AllowIdTokenImplicitFlow value correctly set to true?
- Are the two sets of permissions set up correctly under API permissions? Please check both the Delegated and Application values.
- Have you granted Admin consent under the API permissions?
- Does the Redirect URI registered in Azure match your MyHub login page URL exactly, with no trailing slash?
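Most of the checks in this list and in Stages 1 to 4 can be made against the JSON shown on the registration's Manifest blade (the same manifest that contains oauth2AllowIdTokenImplicitFlow), which the portal lets you download. The script below is an added example written for this page, not MyHub's or Microsoft's code: it reads such a manifest and reports anything that differs from what the guide requires. It assumes the manifest uses the field names the page refers to (oauth2AllowIdTokenImplicitFlow, replyUrlsWithType, requiredResourceAccess, passwordCredentials), that the permission IDs for Microsoft Graph User.Read.All are the well-known ones shown in the constants (check them against your own manifest if in doubt), and that manifest dates are in UTC. Admin consent is not recorded in the manifest, so that item still has to be checked in the portal. The sample manifest is constructed.

```python
"""Added example (not MyHub's or Microsoft's code): check a downloaded app-registration manifest."""
import json
import re
import sys
from datetime import datetime, timedelta, timezone

GRAPH_APP_ID = "00000003-0000-0000-c000-000000000000"                 # Microsoft Graph resource app ID
USER_READ_ALL_DELEGATED = "a154be20-db9c-4678-8ab7-66f6cc099a59"     # Graph delegated scope User.Read.All
USER_READ_ALL_APPLICATION = "df021288-bdef-4463-88db-98f22de89214"   # Graph app role User.Read.All
MOBILE_REDIRECTS = (                                                  # Stage 1, Steps 7 and 8
    "com.myhub.intranet://com.myhub.intranet/android/callback",
    "com.myhub.intranet://com.myhub.intranet/ios/callback",
)


def _parse_utc(stamp):
    """Manifest dates look like 2025-06-01T00:00:00Z or ...:00.0000000+00:00; keep whole seconds
    and assume UTC (the portal writes them in UTC)."""
    m = re.match(r"(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})", stamp)
    if not m:
        raise ValueError(f"unrecognised date: {stamp!r}")
    return datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)


def check_manifest(manifest, login_url, now=None, warn_days=30):
    """Return a list of problems; an empty list means the registration matches Stages 1-4."""
    now = now or datetime.now(timezone.utc)
    problems = []
    if manifest.get("signInAudience") != "AzureADMyOrg":
        problems.append("signInAudience is not AzureADMyOrg (accounts in this organizational directory only)")
    if manifest.get("oauth2AllowIdTokenImplicitFlow") is not True:
        problems.append("oauth2AllowIdTokenImplicitFlow must be true")
    # Redirect URIs: Azure matches them exactly, so the login URL must stop at 'Login'.
    if login_url.endswith("/"):
        problems.append("login URL has a trailing slash; it must stop at the end of the word Login")
    reply = {(r.get("url"), r.get("type")) for r in manifest.get("replyUrlsWithType", [])}
    if (login_url, "Web") not in reply:
        problems.append(f"web redirect URI {login_url} is not registered")
    for uri in MOBILE_REDIRECTS:
        if (uri, "InstalledClient") not in reply:
            problems.append(f"mobile redirect URI {uri} is not registered")
    # Permissions: both the delegated (Scope) and the application (Role) User.Read.All on Graph.
    granted = {(a.get("id"), a.get("type"))
               for r in manifest.get("requiredResourceAccess", []) if r.get("resourceAppId") == GRAPH_APP_ID
               for a in r.get("resourceAccess", [])}
    if (USER_READ_ALL_DELEGATED, "Scope") not in granted:
        problems.append("Microsoft Graph delegated permission User.Read.All is missing")
    if (USER_READ_ALL_APPLICATION, "Role") not in granted:
        problems.append("Microsoft Graph application permission User.Read.All is missing")
    # Client secret: exactly one (Stage 3), and neither expired nor about to expire.
    secrets = manifest.get("passwordCredentials", [])
    if len(secrets) != 1:
        problems.append(f"expected exactly one client secret, found {len(secrets)}")
    for s in secrets:
        end, label = _parse_utc(s["endDate"]), s.get("displayName") or s.get("keyId")
        if end <= now:
            problems.append(f"client secret {label} expired on {end:%Y-%m-%d}")
        elif end - now <= timedelta(days=warn_days):
            problems.append(f"client secret {label} expires on {end:%Y-%m-%d}; create a new one and update MyHub")
    return problems


# Constructed sample manifest: a registration that passes every check at SAMPLE_NOW.
LOGIN_URL = "https://yourcompanyname.myhubintranet.com/Intranet-Login"
SAMPLE_NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
SAMPLE_LATER = datetime(2025, 5, 20, tzinfo=timezone.utc)  # inside the 30-day expiry warning
SAMPLE_MANIFEST = {
    "signInAudience": "AzureADMyOrg",
    "oauth2AllowIdTokenImplicitFlow": True,
    "replyUrlsWithType": [{"url": LOGIN_URL, "type": "Web"}]
    + [{"url": uri, "type": "InstalledClient"} for uri in MOBILE_REDIRECTS],
    "requiredResourceAccess": [{"resourceAppId": GRAPH_APP_ID, "resourceAccess": [
        {"id": USER_READ_ALL_DELEGATED, "type": "Scope"},
        {"id": USER_READ_ALL_APPLICATION, "type": "Role"},
    ]}],
    "passwordCredentials": [{"displayName": "MyHub", "keyId": "00000000-0000-0000-0000-000000000001",
                             "endDate": "2025-06-01T00:00:00Z"}],  # constructed key ID
}

if __name__ == "__main__":
    # Usage: python check_manifest.py manifest.json https://yourcompanyname.myhubintranet.com/Intranet-Login
    if len(sys.argv) == 3:
        with open(sys.argv[1], encoding="utf-8") as fh:
            manifest, url, now = json.load(fh), sys.argv[2], None
    else:
        manifest, url, now = SAMPLE_MANIFEST, LOGIN_URL, SAMPLE_NOW
    for line in check_manifest(manifest, url, now=now) or ["no problems found"]:
        print(line)
```

Run it against the downloaded manifest and your login URL; each reported line maps to one item in the troubleshooting list above, and the secret-expiry warning gives you the rotation reminder that the portal does not send.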