Microsoft Office 365 Single Sign-On (SSO) Setup Steps
Why Would I Use This Sign-on Option?
If you're a Microsoft Office 365 (O365) client, you can synchronize your Azure Active Directory users with MyHub. This delivers the following benefits:
- Your users can use the same O365 email address and password (credentials) to access your MyHub site, so they no longer need to remember another password
- Once set up, a user can click the O365 log in button to access the site without entering their email address and password every time
- The site administrator can add and delete users for your MyHub site directly from Azure Active Directory, so you don't need to manage two user databases
- Greater security and control over who has access to your MyHub site: there's no need to check yet another software solution to see whether a user has been deleted when they leave the business
Frequently Asked Questions:
- Q. Do I have to use O365 to use MyHub?
- A. No, you can use the MyHub user management tools to add and manage users
- Q. Can I have a combination of users using O365 and other email addresses like Gmail to log in?
- A. Yes, you can. All users can still use the MyHub login process to access the site. Simply add the non-O365 users to the site in the Add & Manage Users area
- Q. What will happen when I do the first synchronization with Azure Active Directory?
- A. New Users - Your O365 users will be added to your MyHub site, and they will receive an automated welcome email telling them how to log in using their O365 credentials
- A. Existing Users - Your existing users will be updated in the backend to reflect that they are now O365 users, and they will receive an automated email telling them that they can now use their O365 credentials to log in. Note - If you have existing users and switch to using O365 to log in, the users will not be duplicated when you synchronize
- Q. What happens when I delete a user from Azure Active Directory?
- A. The user will be deleted in MyHub
- Q. What happens when I delete a user in MyHub will it be deleted from Azure Active Directory?
- A. No. All O365 user management must be done in O365; in this scenario, if the user has not been deleted from O365, they will be added back to your MyHub site on the next synchronization
- Q. Is the synchronization automatic and how often does it happen?
- A. Yes, it is automatic and takes place every hour, so it might take some time for a new user to appear. If it's urgent, you can do a manual synchronization in the Add & Manage Users > Add & Manage Many Users area of your site
- Q. If I have more than one MyHub site can I synchronize my users to all of my sites?
- A. No, you can only use Azure Active Directory on one site. Additional sites will need to have users added by MyHub support; please contact support for help
- Q. Where do I manage user permissions and roles?
- A. All user permissions to access pages, modules and folders are managed in your MyHub site; you can do this in the Add & Manage Users > Add & Manage Roles area. Note - you cannot synchronize roles from your Azure Active Directory
- Q. Why am I seeing O365 admin and non-admin email addresses in my user and staff directory?
- A. When you do a synchronization, all other email addresses will be imported. If you don't want them to display in the Staff Directory, you can disable them using the MyHub disable option in the Add & Manage Users area of your site.
Setting up O365 Users using Azure Active Directory
Please Note: There are a number of steps within Azure that will need to be carried out by your O365 administrator.
In order to enable O365 Single Sign-On (SSO) for your MyHub site, you will need to go through the following setup stages.
- Stage 1: Create A New Azure Active Directory App Registration
- Stage 2: Configure An App Registration And Permissions
- Stage 3: Generate A Secret Key
- Stage 4: Copy Client And Tenant ID Values
- Stage 5: Configure MyHub For O365 SSO
- Stage 6: Logging In For the First Time
Stage 1: Create A New Azure Active Directory App Registration
In order to allow your MyHub instance to work with O365 SSO, the first stage is to configure a new Azure Active Directory application registration to use with your site.
- Step 1: In your browser, go to https://portal.azure.com/
- Step 2: Click "View" under Manage Azure Active Directory.
- Step 3: Follow the steps in the diagram below to find the + New registration option
- Step 4: Enter the following values in the Register an application screen
- Name: Your chosen name for this new application e.g. MyHub
- Supported account types: Accounts in this organizational directory only (Your company name)
- Redirect URI: Your MyHub login page URL, e.g. https://yourcompanyname.myhubintranet.com/Intranet-Login. You get this value from the address bar in your MyHub site. Please ensure that the copied URL stops at the end of the word Login.
- Step 5: Once you have entered the values click the Register button to create your new App registration
Stage 2: Configure An App Registration And Permissions
Once you have created a new App registration, you will then need to complete the following configuration and permission changes before moving to the next stage.
- Step 1: Once you have created your new app registration, you will be taken to the overview page of the registration, showing the name you entered previously. From here click the Manifest menu link, change the oauth2AllowIdTokenImplicitFlow value on line 24 from false to true, and click Save
- Step 2: Next click API permissions menu item, then click + Add a permission, then click the Microsoft Graph panel
- Step 3: Click the Delegated permissions panel
- Step 4: Scroll down to the User permissions section, tick the User.Read.All checkbox and then click the Add permissions button. If the User.Read checkbox is checked you can uncheck it, as the User.Read.All permission provides the permissions required.
- Step 5: Click the Add a permission button again followed by the Microsoft Graph panel link and then this time select the Application permissions panel
- Step 6: In here also tick the User.Read.All checkbox under the User permissions section and then click the Add permissions button
- Step 7: Once you have added the permissions, grant admin consent so that your users won't need to be shown a consent screen when logging into MyHub.
- Step 8: If you would like to use the Groups functionality mentioned in Step 5 of Stage 5, you will need to add two extra Microsoft Graph Application Permissions as follows:
Once you have added the Group permissions, you will need to grant consent by clicking the Grant admin consent for xxx button with the tick next to it as shown in the screen capture below. Make sure that you have a green tick status against each of the following permissions before proceeding:
Stage 3: Generate A Secret Key
In order for the two applications to talk to each other securely, we need to create a secret key associated with your new App registration.
- Step 1: From within the appropriate App registration click the Certificates & secrets menu option, then click the New client secret button
- Step 2: Enter the following values in the Register an application screen and then click the Add button
- Description: Your chosen name for this client e.g. MyHub
- Expires: Select your preferred expiry length of time
- Step 3: Once you have created your Client secret, copy the Value ready to be used in Stage 5. Please note that you need to copy this value straight after it has been created; otherwise you'll only see a few characters followed by a row of asterisks, as shown in the diagram below, and you will need to create a new Client secret. Tip: be careful not to copy the Secret ID. If you have the MyHub configuration window open, paste the value directly into the Client Secret field; otherwise save it somewhere until you need it, as you will need this value to configure MyHub. Please note: only add a single Client secret, otherwise you will get a credentials error when you try to enable O365 in MyHub.
Stage 4: Copy Client And Tenant ID Values
To configure MyHub to communicate and synchronize your users, you will need to locate and copy the Application (client) ID and Directory (tenant) ID from Azure. Click on the Overview menu item to bring the following screen up so that you can copy them.
Stage 5: Configure MyHub For O365 SSO
Once your O365 administrator has completed stages 1-4, you will be ready to configure your MyHub instance.
- Step 1: Before proceeding with this step check that you have the following values ready to be used:
- New client secret value
- Application (client) ID
- Directory (tenant) ID
- Step 2: Log into your MyHub site as an administrator and navigate to the Admin sidebar and click the gear icon, then Site Security & Settings.
- Step 3: Expand the Office 365 Single Sign-On settings area and enter your Application (client) ID, Client secret and Directory (tenant) ID values. Then click the Enable checkbox followed by the Update button.
- Step 4: When you click the Update button after checking the Enabled checkbox, MyHub will perform the following steps:
- Check that your Office 365 credentials are valid
- Perform an import of O365 users for the first time
- Schedule an update that happens hourly that does the following:
- Checks whether the first name and last name values have changed within Azure Active Directory and updates your user records in MyHub if they have.
- Checks whether users have been deleted or disabled within Azure Active Directory and deletes the corresponding user records in MyHub.
- Checks whether new users have been added to Azure Active Directory and creates the new user records in MyHub.
- Step 5: If you would like to import and synchronize users that are only in specific Microsoft Office 365 groups, do not check the Sync All User checkbox. When selecting one or more of the groups shown, only the users in these groups will be synchronized.
If you add or delete groups in Office 365 that you want to synchronize users from, click the refresh icon to make them display in MyHub. Then select the groups you would like to synchronize and click the Update button to save your settings.
Tip: If you need to synchronize with O365 prior to the scheduled hourly update, you can trigger this to happen right away by navigating to Add & Manage Users > Add & Manage Many Users and clicking the Import Office 365 Users button. Please note, if you have added or deleted users in your O365 account, it is advisable to wait 5 minutes while O365 updates all of its different systems before clicking the Import Office 365 Users button.
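The hourly pass described in Step 4 and the group filter in Step 5 amount to a reconciliation between an Azure Active Directory snapshot and MyHub's local user table. The following is an added example, not MyHub's own code; the user records, group membership and the "o365" flag are constructed, and it assumes that only accounts the sync manages are ever deleted (so hand-added Gmail users survive) and that users outside the selected groups are treated like removed users.

```python
"""Work out what one hourly MyHub <-> Azure AD synchronization pass would change."""

# Constructed sample data (hypothetical, not a real tenant). The Azure AD side mirrors the
# fields a Graph /users listing exposes; the MyHub side mirrors the site's local user table.
AAD_USERS = [
    {"id": "u1", "mail": "alice@example.com", "givenName": "Alice", "surname": "Smith", "accountEnabled": True},
    {"id": "u2", "mail": "bob@example.com", "givenName": "Robert", "surname": "Jones", "accountEnabled": True},
    {"id": "u3", "mail": "carol@example.com", "givenName": "Carol", "surname": "Lee", "accountEnabled": False},
    {"id": "u4", "mail": "dave@example.com", "givenName": "Dave", "surname": "Kim", "accountEnabled": True},
]
AAD_GROUPS = {"Intranet Users": {"u1", "u2", "u3"}}  # group name -> member ids (constructed)
MYHUB_USERS = {  # email -> local record; "o365" marks accounts managed by the sync (assumed flag)
    "alice@example.com": {"first": "Alice", "last": "Smith", "o365": True},
    "bob@example.com": {"first": "Bob", "last": "Jones", "o365": True},
    "carol@example.com": {"first": "Carol", "last": "Lee", "o365": True},
    "frank@example.com": {"first": "Frank", "last": "Hall", "o365": True},  # no longer in Azure AD
    "erin@example.com": {"first": "Erin", "last": "Moss", "o365": False},  # Gmail user, added by hand
}


def reconcile(aad_users, aad_groups, myhub_users, sync_groups=None):
    """Return (creates, updates, deletes) as sorted email lists.

    Rules taken from the guide: new enabled users are created, first/last name drift is
    updated, and users deleted or disabled in Azure AD are deleted in MyHub. Assumptions of
    this example: when sync_groups is given only members of those groups are in scope, and
    only accounts flagged o365 are ever deleted, so hand-added logins survive the pass.
    """
    in_scope = set().union(*(aad_groups.get(g, set()) for g in sync_groups)) if sync_groups else None
    active = {
        u["mail"].lower(): u for u in aad_users
        if u["accountEnabled"] and (in_scope is None or u["id"] in in_scope)
    }
    creates, updates, deletes = [], [], []
    for mail, u in active.items():
        local = myhub_users.get(mail)
        if local is None:
            creates.append(mail)
        elif (local["first"], local["last"]) != (u["givenName"], u["surname"]):
            updates.append(mail)
    for mail, local in myhub_users.items():
        if local["o365"] and mail not in active:
            deletes.append(mail)
    return sorted(creates), sorted(updates), sorted(deletes)


if __name__ == "__main__":
    print("all users:", reconcile(AAD_USERS, AAD_GROUPS, MYHUB_USERS))
    print("group only:", reconcile(AAD_USERS, AAD_GROUPS, MYHUB_USERS, sync_groups=["Intranet Users"]))
```

With the sample data the unfiltered pass creates dave, renames bob and deletes carol (disabled) and frank (gone from Azure AD); with the group filter dave is out of scope and is not created.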
Stage 6: Logging In For The First Time
When the above stages and steps have all been completed fully and in order, your users will be able to log directly into MyHub using their Microsoft Office 365 credentials. If they are already signed into O365, all they need to do is click the Microsoft Office 365 Log In button to authenticate via Single Sign-On without entering a separate MyHub username and password. Your O365 permissions will automatically apply to O365 files and documents embedded within MyHub.
Note: If you are the first user logging in you may be presented with the following screen. Please ensure that you click the Consent checkbox and then click the Accept button:
If your users cannot log in, work through the following checks:
- Do the Application ID and Directory ID values in MyHub match the values in Azure exactly?
- Does the Client Secret match? Sometimes it's easier just to create a new one.
- Is the Manifest oauth2AllowIdTokenImplicitFlow value correctly set to true on line 24?
- Are the two sets of permissions set up correctly under API permissions? Please check both the Delegated and Application values.
- Have you granted Admin consent under the API permissions?
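Most of the settings made in Stages 1 to 4 and revisited in the checklist above are visible in the app registration's exported Manifest JSON, so they can be audited without clicking through the portal. The following is an added example, not MyHub's or Microsoft's code; the manifest values and the permission IDs are constructed placeholders, and the check assumes the standard manifest keys oauth2AllowIdTokenImplicitFlow, signInAudience, replyUrlsWithType, passwordCredentials and requiredResourceAccess.

```python
"""Audit an exported Azure AD app manifest against the settings this guide requires."""
import json
from datetime import datetime, timezone

GRAPH_APP_ID = "00000003-0000-0000-c000-000000000000"  # Microsoft Graph resource app id

# Constructed sample manifest (hypothetical values, not a real tenant). Only the keys this
# check reads are included; a real export has many more. Permission ids are placeholders.
SAMPLE_MANIFEST = json.dumps({
    "oauth2AllowIdTokenImplicitFlow": True,
    "signInAudience": "AzureADMyOrg",
    "replyUrlsWithType": [{"url": "https://yourcompanyname.myhubintranet.com/Intranet-Login", "type": "Web"}],
    "passwordCredentials": [{"keyId": "00000000-0000-0000-0000-000000000001", "endDate": "2030-01-01T00:00:00Z"}],
    "requiredResourceAccess": [{
        "resourceAppId": GRAPH_APP_ID,
        "resourceAccess": [{"id": "PLACEHOLDER-DELEGATED-USER-READ-ALL", "type": "Scope"},
                           {"id": "PLACEHOLDER-APPLICATION-USER-READ-ALL", "type": "Role"}],
    }],
})


def audit_manifest(manifest_json, expected_redirect, now_iso=None):
    """Return a list of findings; an empty list means every check in this guide passes."""
    m = json.loads(manifest_json)
    now = datetime.fromisoformat(now_iso.replace("Z", "+00:00")) if now_iso else datetime.now(timezone.utc)
    findings = []
    if m.get("oauth2AllowIdTokenImplicitFlow") is not True:
        findings.append("oauth2AllowIdTokenImplicitFlow must be true (Stage 2, Step 1)")
    if m.get("signInAudience") != "AzureADMyOrg":
        findings.append("signInAudience should limit sign-in to this directory only (Stage 1, Step 4)")
    urls = [r.get("url") for r in m.get("replyUrlsWithType", [])]
    if expected_redirect not in urls:
        findings.append(f"redirect URI {expected_redirect} missing; found {urls} (Stage 1, Step 4)")
    if any(not u.startswith("https://") for u in urls):
        findings.append("every redirect URI must use https")
    secrets = m.get("passwordCredentials", [])
    if len(secrets) != 1:
        findings.append(f"expected exactly one client secret, found {len(secrets)} (Stage 3)")
    for s in secrets:  # an expired secret produces the same credentials error as a wrong one
        end = datetime.fromisoformat(s["endDate"].replace("Z", "+00:00"))
        if end <= now:
            findings.append(f"client secret {s.get('keyId')} expired on {end.date()}")
    graph = [r for r in m.get("requiredResourceAccess", []) if r.get("resourceAppId") == GRAPH_APP_ID]
    types = {a.get("type") for r in graph for a in r.get("resourceAccess", [])}
    if not {"Scope", "Role"} <= types:
        findings.append("Microsoft Graph needs both a Delegated (Scope) and an Application (Role) entry (Stage 2)")
    return findings
```

Admin consent is recorded on the service principal rather than in the manifest, so the last checklist item still has to be confirmed in the API permissions screen.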