• Open the LastPass Admin Dashboard. Select “Applications” from the left side menu and then select “Web App” from the submenu.

LastPass Web Applications

  • Click the “+ Add SSO App” button in the upper right corner.
  • A pop-up window will appear. Under the “Select your app” section, click “Search…” and select Office 365 Suite from the LastPass Catalog.

  • In the One Click Setup section, enter your domain and click “One-click setup”.
One-click setup automatically syncs your Office 365 directory (Azure AD) with your LastPass directory; this sync is required to complete the setup.

For a manual setup of Office 365, every Office 365 user must also have a LastPass account, and the ImmutableID must be synced between the two directories (Read more here). With “One-click setup”, LastPass syncs the ImmutableID automatically, and all of your users are prompted to sign up for LastPass on their next login attempt. Once SSO is enabled for Office 365, all users in that email domain are affected (you cannot select a subset of users within a single domain). After SSO is enabled, users can no longer log in to Office 365 with their Azure AD password; instead they are redirected to LastPass to authenticate and then sent back to Office 365.

Use a *.onmicrosoft.com credential.

The Office 365 administrator account used here must NOT belong to the domain that is being configured for SSO, because once that domain is federated its sign-ins are redirected to LastPass. This requires setting the *.onmicrosoft.com domain as the default domain in the Office 365 portal.

Office one click setup

  • You will be directed to the Microsoft login page. Enter your Microsoft Global Administrator email and password.

Office 365 login

  • You will be redirected back to the LastPass Admin Dashboard and see a Success Sync message. Click “Proceed”.

Office 365 is now configured! You can assign users to Office 365.

You can alternatively set up Office 365 manually.

To continue manually, click “Manual Set up”. The Identity Provider section opens automatically; download the Certificate to your computer.
Then right-click the PowerShell command template for ADFS to save it to your computer.

Powershell command ADFS

Expand the Service Provider section and configure your ACS URL:
https://login.microsoftonline.com/login.srf
SSO app Service Provider
Expand the Advanced Setup section and configure your IDP:
https://identity.lastpass.com/yourworkdomain.com
Select “Employee ID” as the Identifier and click “Save”.
User identifier
Log in to the Office 365 admin center as an administrator and then click Admin.

From the left side menu select “Settings > Domains”.

Add the domain that you are going to use for Single Sign-On and go through the steps to confirm that you own the domain.

DO NOT add any users at this stage.
In the section that asks “How do you want to use with Office365?”, uncheck the boxes next to “Exchange Online” and “Lync Online” unless you intend to update the DNS entries.

Make sure that the domain is not the “default domain”. If it is set as the default domain, change that setting by making the “.onmicrosoft.com” domain the “default domain”.

SSO configuration for Office 365 requires the Windows Azure Active Directory Module for Windows PowerShell cmdlets. Download and install the cmdlets from the following link:
https://technet.microsoft.com/en-us/library/jj151815.aspx

You need to use the PowerShell Command template and the certificate that you downloaded from the LastPass Admin Dashboard.

To configure Office 365 SSO, customize the PowerShell command template as follows:
$domain – enter your company domain, in the following format: yourworkdomain.com
$issuer – enter your company domain at the end of the URL, in the following format: https://identity.lastpass.com/yourworkdomain.com
$certificateFile – full path and filename of the certificate file you’ve just downloaded
Configure Office 365 texts
Open PowerShell as an administrator and run the first command:
$cred=Get-Credential
It will prompt for the administrator’s credentials. Type your administrator login credentials into the dialog that appears on the screen.

Copy and paste the second command, to get authenticated on Office 365:
Connect-MsolService -Credential $cred

Copy the block of PowerShell commands starting with $domain and ending with $logoffurl.
Paste them into your PowerShell window.

Then copy and paste the second block to upload the certificate file.

Run the following command to enable SSO for your domain:
Set-MsolDomainAuthentication -FederationBrandName $domain -DomainName $domain -Authentication Federated -PreferredAuthenticationProtocol SAMLP -IssuerUri $issuer -SigningCertificate $certificate -PassiveLogOnUri $ssoUrl -ActiveLogOnUri $ecpUrl -LogOffUri $logoffUrl -Verbose
You have completed the manual SSO setup for Office 365.
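The manual steps above, assembled into one script as an added example; this is not the LastPass command template itself. The $ssoUrl, $ecpUrl and $logoffUrl values are placeholders to be taken from your downloaded template, the certificate path is an assumption, and the pre-checks (administrator not in the federated domain, domain not set as default) are added here so a mistake surfaces before the tenant is changed.

```powershell
# Added example, not the LastPass template: manual federation of one domain.
# Replace the placeholder values with those from your downloaded template.
$domain          = "yourworkdomain.com"
$issuer          = "https://identity.lastpass.com/$domain"
$certificateFile = "C:\Path\To\lastpass-idp-cert.cer"   # assumed path of the downloaded certificate
$ssoUrl    = "<PassiveLogOnUri from the template>"
$ecpUrl    = "<ActiveLogOnUri from the template>"
$logoffUrl = "<LogOffUri from the template>"

# Prompt for the administrator credential and refuse an account in the
# domain being federated: after federation its sign-ins go through LastPass,
# so such an administrator could be locked out of the tenant.
$cred = Get-Credential
if ($cred.UserName.ToLower().EndsWith("@$domain")) {
    throw "Use a *.onmicrosoft.com administrator, not an account in $domain"
}
if (-not (Test-Path $certificateFile)) {
    throw "Certificate file not found: $certificateFile"
}

Connect-MsolService -Credential $cred

# Load the IdP signing certificate and pass its DER bytes as Base64,
# which is the form -SigningCertificate expects.
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($certificateFile)
$certificate = [System.Convert]::ToBase64String($cert.GetRawCertData())

# The page requires the .onmicrosoft.com domain to be the default; stop if
# the domain we are about to federate is still the default one.
$dom = Get-MsolDomain -DomainName $domain
if ($dom.IsDefault) {
    throw "$domain is still the default domain; make the .onmicrosoft.com domain the default first"
}

Set-MsolDomainAuthentication -FederationBrandName $domain -DomainName $domain `
    -Authentication Federated -PreferredAuthenticationProtocol SAMLP `
    -IssuerUri $issuer -SigningCertificate $certificate `
    -PassiveLogOnUri $ssoUrl -ActiveLogOnUri $ecpUrl -LogOffUri $logoffUrl -Verbose

# Read back what the tenant stored so the issuer and endpoints can be
# compared against the LastPass Identity Provider section.
Get-MsolDomainFederationSettings -DomainName $domain |
    Select-Object IssuerUri, PassiveLogOnUri, ActiveLogOnUri, LogOffUri, PreferredAuthenticationProtocol
```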

Troubleshooting information for manual setup

See all licenses:
Get-MsolAccountSku
You need your AccountSku number to be able to add users.
Add users:
New-MsolUser -UserPrincipalName <user@yourworkdomain.com> -ImmutableId <ImmutableId> -FirstName <FirstName> -LastName <LastName> -DisplayName <DisplayName> -LicenseAssignment <AccountSkuId> -UsageLocation <UsageLocation>
The immutable ID is a unique user identifier on Office 365. Make sure the immutable ID is reflected in the user’s info on the LastPass portal as the user’s ID. The user principal name is the IDPEmail. Both of these values must match the Office 365 configuration for single sign-on to be successful.
User ID
Delete users:
Remove-MsolUser -UserPrincipalName <User’s email>
The above command moves the user to the Office 365 recycle bin. To create a user with the same name, you must first remove the user from the recycle bin.
Retrieve a deleted user:
Get-MsolUser -ReturnDeletedUsers -SearchString <User’s email> | select UserPrincipalName, ObjectId

Remove a deleted user from the recycle bin:
Remove-MsolUser -RemoveFromRecycleBin -ObjectId <ObjectId>
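Bulk provisioning for the manual setup, as an added example that is not from the page: it creates users from a constructed CSV and enforces the two conditions the troubleshooting notes state, a non-empty ImmutableId and a UPN in the federated domain, then lists any users in that domain whose ImmutableId is still empty. The CSV rows, ImmutableId values and the license SKU pattern are constructed assumptions.

```powershell
# Added example: provision federated users and check the fields SSO depends on.
$domain = "yourworkdomain.com"

# Constructed sample input; the second row deliberately lacks an ImmutableId.
$users = @"
UserPrincipalName,ImmutableId,FirstName,LastName
alice@yourworkdomain.com,a1b2c3d4-0000-0000-0000-000000000001,Alice,Example
bob@yourworkdomain.com,,Bob,Example
"@ | ConvertFrom-Csv

# Pick a license from Get-MsolAccountSku; the "*:ENTERPRISEPACK" pattern is an assumption.
$sku = (Get-MsolAccountSku | Where-Object { $_.AccountSkuId -like "*:ENTERPRISEPACK" } |
        Select-Object -First 1).AccountSkuId
if (-not $sku) { throw "No matching AccountSkuId found; run Get-MsolAccountSku and adjust the pattern" }

foreach ($u in $users) {
    # A user without an ImmutableId cannot be matched to a LastPass identity,
    # so report it instead of creating a half-configured account.
    if ([string]::IsNullOrWhiteSpace($u.ImmutableId)) {
        Write-Warning "$($u.UserPrincipalName): missing ImmutableId, not created"
        continue
    }
    # Only users in the federated domain are redirected to LastPass.
    if (-not $u.UserPrincipalName.ToLower().EndsWith("@$domain")) {
        Write-Warning "$($u.UserPrincipalName): not in federated domain $domain, not created"
        continue
    }
    New-MsolUser -UserPrincipalName $u.UserPrincipalName -ImmutableId $u.ImmutableId `
        -FirstName $u.FirstName -LastName $u.LastName `
        -DisplayName "$($u.FirstName) $($u.LastName)" `
        -LicenseAssignment $sku -UsageLocation "US" | Out-Null
}

# Post-check: any user in the federated domain with an empty ImmutableId
# will fail SSO, so surface them for correction before users are told to log in.
Get-MsolUser -DomainName $domain -All |
    Where-Object { [string]::IsNullOrEmpty($_.ImmutableId) } |
    Select-Object UserPrincipalName, ImmutableId
```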

Login error:
Some users might experience the following sign-in issue, due to a known bug in Office 365.
Sorry, but we’re having trouble signing you in. Please try again in a few minutes. If this doesn’t work, you might want to contact your admin and report the following error: <error#>.
The solution is simply to restart your browser. Then open a fresh browser tab and try to log in.