- Open the LastPass Admin Dashboard. Select “Applications” from the left side menu and then select “Web App” from the submenu.
- In the One-Click Setup section, enter your domain and click on “One-click setup“.
One-Click setup will automatically sync your Office365 directory (AzureAD) with your LastPass Directory – this is required in order to complete the setup.
For manual setup of Office 365, all Office 365 users must also have a LastPass account, and the ImmutableID must be synced between the two directories (Read more here). For “One-click setup”, LastPass syncs the ImmutableID automatically, and all of your users are prompted to sign up for LastPass on their next login attempt. Once SSO is enabled for Office 365, all users in that email domain are affected (you cannot select a subset of users within a single domain). After SSO is enabled, users are no longer able to log in to Office 365 with their AzureAD password – instead they are redirected first to LastPass to complete authentication, then sent back to Office 365.
Use a *.onmicrosoft.com credential.
The administrator credentials for Office 365 can NOT belong to the same domain that is being configured for SSO. This requires setting the *.onmicrosoft.com domain as the default domain in the Office 365 Portal.
- You will be directed to Microsoft login page. Enter your Microsoft Global Administrator Email and Password.
- You will be redirected back to the LastPass admin dashboard and you will receive a Success Sync message. Click on “Proceed“.
Office 365 is now configured! You can assign users to Office 365.
You can alternatively set up Office 365 manually.
To continue manually, click on “Manual Set up“. The Identity Provider section opens automatically; download the Certificate to your computer.
Then, right-click on the PowerShell command template for ADFS to save it to your computer.
Expand the Service Provider section and configure your ACS URL:
Expand the Advanced Setup section and configure your IDP:
Select “Employee ID” for Identifier and click on “Save“.
Log into Office 365 administration center as an administrator and then click on Admin.
From the left side menu select “Settings > Domains“.
Add a domain that you are going to use for Single Sign-On and go through the steps to confirm that you own the domain.
DO NOT add any users at this stage.
In the section where you are asked “How do you want to use with Office365?“, uncheck the checked boxes next to “Exchange Online” and “Lync Online“; unless DNS entries are to be updated.
Make sure that the domain is not the “default domain“. If it is set as the default domain, please go ahead and change that setting by configuring the “.onmicrosoft.com” as the “default domain“.
SSO configuration for Office 365 requires Windows Azure Active Directory Module for Windows PowerShell cmdlets. Download and install cmdlets from the following links:
You need to use the PowerShell Command template and the certificate that you downloaded from the LastPass Admin Dashboard.
To configure Office 365 SSO, customize the PowerShell command template as follows:
$domain – enter your company domain, in the following format: yourworkdomain.com
$issuer – enter your company domain at the end of the URL, in the following format:
$certificateFile – Full path and filename of the certificate file you’ve just downloaded
Open PowerShell as an administrator.
It will prompt for the administrator’s credentials. Type your administrator login credentials into the dialog that appears on the screen.
Copy and paste the second command, to get authenticated on Office 365:
Connect-MsolService -Credential $cred
Copy the block of PowerShell commands starting with $domain and ending with $logoffurl.
Paste them into your PowerShell window.
Then copy and paste the second block to upload the certificate file.
Run the following command to enable SSO for your domain:
Set-MsolDomainAuthentication -FederationBrandName $domain -DomainName $domain -Authentication Federated -PreferredAuthenticationProtocol SAMLP -IssuerUri $issuer -SigningCertificate $certificate -PassiveLogOnUri $ssoUrl -ActiveLogOnUri $ecpUrl -LogOffUri $logoffUrl -Verbose
You have completed the manual SSO setup for Office 365.
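The following script is an added example, not LastPass's own PowerShell template: it performs the same federation step with the MSOnline cmdlets, but first checks that the domain is not the tenant default, converts the downloaded certificate into the base64 form the cmdlet expects, and then reads the stored federation settings back to confirm the tenant trusts exactly the issuer and certificate you intended. The file path and the URL placeholders are assumptions to be filled in from the LastPass Identity Provider section.

```powershell
# Added example (not the LastPass template). Assumes the MSOnline module is installed.
$domain          = "yourworkdomain.com"                                  # placeholder
$certificateFile = "C:\path\to\lastpass-idp.cer"                         # placeholder: certificate downloaded from LastPass
$issuer          = "<IssuerUri from the LastPass Identity Provider section>"
$ssoUrl          = "<PassiveLogOnUri from the LastPass Identity Provider section>"
$ecpUrl          = "<ActiveLogOnUri from the LastPass Identity Provider section>"
$logoffUrl       = "<LogOffUri from the LastPass Identity Provider section>"

# Global administrator in the *.onmicrosoft.com domain, not an account in $domain.
$cred = Get-Credential
Connect-MsolService -Credential $cred

# Guard: the domain being federated must not be the tenant's default domain.
$d = Get-MsolDomain -DomainName $domain
if ($d.IsDefault) {
    throw "$domain is the default domain; make the .onmicrosoft.com domain the default first."
}
if ($d.Authentication -eq "Federated") {
    Write-Warning "$domain is already federated; its existing federation settings will be overwritten."
}

# Read the downloaded certificate and encode it as the base64 string -SigningCertificate expects.
$cert        = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($certificateFile)
$certificate = [System.Convert]::ToBase64String($cert.GetRawCertData())

Set-MsolDomainAuthentication -FederationBrandName $domain -DomainName $domain `
    -Authentication Federated -PreferredAuthenticationProtocol SAMLP `
    -IssuerUri $issuer -SigningCertificate $certificate `
    -PassiveLogOnUri $ssoUrl -ActiveLogOnUri $ecpUrl -LogOffUri $logoffUrl -Verbose

# Read back what the tenant stored. A mismatch means sign-ins would be trusted from a
# different issuer or certificate than the one you just uploaded.
$fed    = Get-MsolDomainFederationSettings -DomainName $domain
$stored = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2(
              ,[System.Convert]::FromBase64String($fed.SigningCertificate))
if ($fed.IssuerUri -ne $issuer) {
    throw "IssuerUri mismatch: tenant has '$($fed.IssuerUri)', expected '$issuer'"
}
if ($stored.Thumbprint -ne $cert.Thumbprint) {
    throw "Signing certificate mismatch: tenant has thumbprint $($stored.Thumbprint), expected $($cert.Thumbprint)"
}
"Federation for $domain verified: issuer $($fed.IssuerUri), certificate thumbprint $($cert.Thumbprint), expires $($cert.NotAfter)"
```

Keep the printed thumbprint and expiry with your change record; re-running only the read-back section later is a quick way to confirm the federation settings have not drifted.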
Troubleshooting information for manual setup
See all licenses:
You need your AccountSkuId to be able to add users.
New-MsolUser -UserPrincipalName <User’s email> -ImmutableId <Immutable ID> -FirstName <First name> -LastName <Last name> -DisplayName <Display name> -LicenseAssignment <AccountSkuId> -UsageLocation <Two-letter country code>
The immutable id is a unique user identifier on Office 365. Make sure the Immutable id is reflected in the user’s info on the LastPass portal as the user’s ID. The user principal name is the IDPEmail. Both of these values must match the Office 365 configuration for single sign-on to be successful.
Remove a user:
Remove-MsolUser -UserPrincipalName <User’s email>
The above command moves the user to the Office 365 recycle bin. To create a user with the same name, make sure to remove the user from the recycle bin first.
Retrieve a deleted user:
Get-MsolUser -ReturnDeletedUsers -SearchString <User’s email> | select UserPrincipalName, ObjectId
Remove a deleted user from the recycle bin:
Remove-MsolUser -RemoveFromRecycleBin -ObjectId <ObjectId>
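As an added example (not from the LastPass page), the script below audits the two values the text says must match, ImmutableId and UserPrincipalName, across every user in the federated domain: it flags users with no ImmutableId (who cannot be matched during SAML sign-in), users sharing an ImmutableId, and lists the AccountSkuId values available for New-MsolUser. The domain name is a placeholder and it assumes Connect-MsolService has already been run.

```powershell
# Added example (not from the LastPass page). Assumes Connect-MsolService has already succeeded.
$domain = "yourworkdomain.com"   # placeholder

$users = Get-MsolUser -All | Where-Object { $_.UserPrincipalName -like "*@$domain" }

# Users without an ImmutableId cannot be matched to a LastPass identity during SAML sign-in.
$missing = @($users | Where-Object { [string]::IsNullOrEmpty($_.ImmutableId) })
if ($missing.Count -gt 0) {
    Write-Warning "$($missing.Count) user(s) in $domain have no ImmutableId:"
    $missing | Select-Object UserPrincipalName, DisplayName | Format-Table -AutoSize
}

# Two accounts with the same ImmutableId make the identity mapping ambiguous.
$dupes = $users | Where-Object { $_.ImmutableId } | Group-Object ImmutableId | Where-Object { $_.Count -gt 1 }
foreach ($g in $dupes) {
    Write-Warning "ImmutableId $($g.Name) is shared by: $($g.Group.UserPrincipalName -join ', ')"
}

# Values to compare against each LastPass user record (Employee ID = ImmutableId, IDPEmail = UPN).
$users |
    Select-Object UserPrincipalName, ImmutableId, IsLicensed,
                  @{ n = "Licenses"; e = { $_.Licenses.AccountSkuId -join "," } } |
    Sort-Object UserPrincipalName | Format-Table -AutoSize

# Licenses that can be passed to New-MsolUser -LicenseAssignment, with remaining seats.
Get-MsolAccountSku |
    Select-Object AccountSkuId, ActiveUnits, ConsumedUnits,
                  @{ n = "Available"; e = { $_.ActiveUnits - $_.ConsumedUnits } }
```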
Some users might experience the following sign-in issue, due to a known bug on Office 365.
“Sorry, but we’re having trouble signing you in. Please try again in a few minutes. If this doesn’t work, you might want to contact your admin and report the following error: <error#>.”
The solution is simply to restart your browser. Then open a fresh browser tab and try to log in.
Alternatively, LastPass MFA can be used for secure login to Office 365/Azure AD SSO while maintaining Azure AD as the primary Identity Provider. For more info, visit LastPass conditional access setup page.