5.4 Integrate Advanced Authentication and Office 365 without Using AD FS

Let us assume Reltic Data, Inc. wants to implement multi-factor authentication for their Office 365 without using Active Directory Federation Services (AD FS). Their employees must use the corporate email address and succeed the multi-factor authentication to access Microsoft Office 365 suite.

This section explains the prerequisites, flow of actions, and step-by-step configuration details to achieve this. This example refers to the following user profiles:

  • Susan: An administrator of Reltic Data, Inc.

  • Sam: An employee of Reltic Data, Inc.

Susan, the administrator, needs to enforce multi-factor authentication with the Card and Email OTP methods for Office 365. After multi-factor authentication is implemented, Sam the employee, needs to authenticate both methods to access Office 365.

5.4.1 Prerequisites

Ensure that you meet the following prerequisites:

5.4.2 Administrator Tasks

Susan, the administrator, needs to perform the following tasks:

Configure Methods

  1. Log in to Advanced Authentication Administration Portal as an Administrator.

  2. The Card and Email OTP methods work as expected with the pre-defined value. For more information, see Card and Email OTP.

Create Chain

Perform the following steps to create a chain with Card and Email OTP methods:

  1. Click Chains > New Chain in the Advanced Authentication Administration portal.

  2. Specify the following details:




    Specify the name for the chain.

    NOTE:Ensure to remember the name of the chain for further use. In this example, we named the chain Card+ Email OTP.


    Select the Card and Email OTP methods to add to the chain.

  3. Click Save.

Create SAML2 Event

  1. Click Events > New Event to add a new event.

  2. Specify the following details:




    Specify a name for the event.

    Event type

    Select SAML2.


    Select the required chains. In this example, we select Card+ Email OTP.

  3. In Upload SP SAML 2.0 metadata file, click Choose File and upload the saved XML file.

  4. Set Send Immutable Id (User object Id) as Name ID (required for Microsoft Office 365) to ON.

  5. Click Save.

Configuring Policies

Policies contain configuration settings for the Advanced Authentication methods, events, and so on. Perform the following steps to configure the policy:

Configuring Web Authentication Policy

  1. Click Policies > Web Authentication.

  2. Specify a valid DNS name of an Advanced Authentication server in the Identity Provider URL field.

    For example, https://caf.realticsol.cf/

  3. Click Save.

Configuring Mail Sender Policy

  1. Click Policies > Mail sender to add a configure the Email OTP method

  2. Specify the following details:




    Specify the outgoing mail server name.


    Specify the port number.


    Specify the username of an account that is used to send the authentication email messages.


    Specify the password for the specified account.

    Sender email

    Specify the email address of the sender.

  3. Click Save.

Configuring Server Option

  1. Open Server Option.

  2. Click Signing Certificate.

  3. Click Signing Certificate and save the certificate content for further use.

Enabling Single Sign-On to Microsoft Office 365

To enable single sign-on to Office 365, perform the following tasks:

Enabling Directory Synchronization in Office 365

  1. Log in to the domain-joined computer where you have installed the following components:

    • Microsoft Online Services Sign-in Assistant.

    • Microsoft Azure Active Directory Module for Windows PowerShell.

    • Azure AD Connect tool.

  2. Launch Azure AD Connect on the domain-joined computer.

  3. In Express Settings, click Use express settings.

  4. In User Sign-in, select Do not Configure.

  5. Click Next.

  6. Specify the Azure AD global administrator credentials in Connect to Azure AD.

  7. Click Next.

  8. In Identifying users, select Choose a specific attribute.

  9. Select objectGUID.

  10. Verify the Active Directory Synchronization and activate the Office 365 licensing for the unlicensed but synchronized user

Federating the Custom Domain Using Advanced Authentication

  1. Launch Windows PowerShell.

  2. Run the following command to connect to your Office 365 tenant:


  3. Specify the tenant administrator credentials of your office 365 domain.

  4. Click Sign in.

  5. Run the following command to verify whether your Office 365 domain is federated:

    get-msoldomain -domain samplecompany.com

    In this example, get-msoldomain -domain realticsol.com

    In case the authentication type of your Office 365 domain is set to Federated, you must convert the authentication type to Managed using the following command:

    Set-MsolDomainAuthentication –DomainName realticsol.com -Authentication Managed

  6. Run the following commands:

    • $dom="fully_qualified_domain_name"

      In this example, $dom="realticsol.cf".

    • $uri="https://AdvancedAuthenticationServerAddress/osp/a/TOP/auth/saml2/metadata"

      In this example, $uri="https://caf.realticsol.cf/osp/a/TOP/auth/saml2/metadata"

    • $url="https://AdvancedAuthenticationServerAddress/osp/a/TOP/auth/saml2/sso"

      In this example, $url"https://caf.realticsol.cf/osp/a/TOP/auth/saml2/sso"

    • $logoutUrl="https://AdvancedAuthenticationServerAddress/osp/a/TOP/auth/saml2/slo"

      In this example, $logoutUrl="https://caf.realticsol.cf/osp/a/TOP/auth/saml2/slo"

    • $protocol="SAMLP"

    • $cert="paste the signing certificate copied from Server options of Advanced Authentication."

  7. Run the following command to convert your Office 365 domain to Federated authentication:

    Set-MsolDomainAuthentication –DomainName $dom -Authentication Federated -PassiveLogOnUri $url -IssuerUri $uri -LogOffUri $logoutUrl -PreferredAuthenticationProtocol SAMLP -SigningCertificate $cert

  8. Run the following command to verify the federation settings of your Office 365 domain:

    Get-MsolDomainFederationSettings -domain samplecompany.com

    In this example, Get-MsolDomainFederationSettings -domain realticsol.cf

5.4.3 End User Tasks

Sam, the employee, must perform the following actions to access Office 365.

NOTE:The Email OTP method enrolls automatically. If you need to enroll with another email ID, see Email OTP.

Enrolling Card Method

Before enrolling the Card authenticator, ensure that the card reader is connected to the computer.

  1. Log in to the Advanced Authentication Self-Service portal.

  2. Click the Card icon in Add Authenticator.

    A message Click "Save" to begin is displayed.

  3. (Optional) Specify a comment related to the Card authenticator in Comment.

  4. (Optional) Select the preferred category from the Category.

  5. Click Save.

    A message Waiting for the card is displayed.

  6. Tap a card on the reader.

    A message Authenticator "Card" has been added is displayed.

Authenticating on Office 365

  1. Launch http://office.com/.

  2. Click Sign In.

  3. Specify the email address of the Office 365 account.

    The page redirects to the Advanced Authentication server authentication screen.

    NOTE:Ensure the card reader is plugged into the workstation.

  4. Tap the card on the reader.

  5. Check your email. You will receive an email with an OTP.

  6. Specify the OTP from Email in Password.

  7. Click Login.