The SDO service gives users secure, password-free access to Microsoft 365 portals and services. Users log into the console by authorizing the connection through an app on their phone. This article provides the steps needed to enable the SDO service for Microsoft 365 and to federate the domain that SDO will use for access.
Primary Domain Considerations
Accessing the Office 365 environment through SDO requires federating a domain with SDO. Once a domain is federated, every user who logs into an Office 365 account with that domain is automatically redirected to the SDO platform, which prompts the Authenticator App to authorize the login. In most cases a company will federate its primary domain, so that users log in with the same address at which they receive email.
If you prefer, or your company needs, to keep the primary domain unfederated or federated with a different identity source, you can use an Intermediary Domain for SDO authentication. See the article Setting up SDO for Microsoft 365 with an Intermediary Domain for the steps needed to set up SDO with an Intermediary domain.
Enabling SDO for Office 365
1. In the Control Panel, click My Services in the left-hand menu.
2. Click the Secret Double Octopus vendor band to expand it.
3. Under the expanded vendor band, click the Services tab.
4. Click the Edit button for Microsoft Office 365.
5. Select your primary domain from the Domain drop-down field.
6. Click the Activate Microsoft Office365 button.
7. Click the Service Metadata tab.
8. The Service Metadata page shows the Login URL, Logout URL, and Issuer URL for your SDO authentication connection. Record each of these URLs; they are needed to set up Office 365 for SDO access.
9. Copy the contents of the X.509 Certificate text box. This is the certificate Office 365 will use to validate the SAML assertions that SDO signs, so copy it exactly as shown.
10. Open a text editor such as Notepad and paste the copied X.509 Certificate text.
11. Under the File menu, select Save As, and save the file with a .pem file extension.
12. Save the file to an easily found location on your computer (a drive root, for example C:\cert.pem, is the easiest to reference).
Setting up the Office 365 tenant for SDO Authentication
Configuring Office 365 for SDO authentication requires running a number of commands in PowerShell. You must connect the PowerShell session with Global Administrator credentials. If you have any questions about connecting via PowerShell, or would like our Support team to run the commands on your behalf, please contact our team.
Important: Before you begin, verify that you have installed the required PowerShell modules (Software Requirements). Note that the required MSOnline module only supports Windows PowerShell; PowerShell on macOS and Linux is not supported by the module. Microsoft has since deprecated MSOnline in favor of Microsoft Graph PowerShell, so confirm the module is still available in your environment before relying on these steps. Because federation changes how every user on the domain signs in, keep a Global Administrator account on the tenant's default .onmicrosoft.com domain (which federation does not affect) so you can still sign in and revert the change if the SDO service is unreachable.
1. Open PowerShell as an administrator and run the following command to ensure the module that provides the Msol cmdlets is installed (the AzureAD module does not include Set-MsolDomainAuthentication):
Install-Module -Name MSOnline
2. In the PowerShell window, enter the following command and hit Enter:
Connect-MsolService
3. Log in with your Global Admin credentials.
4. Enter the following command, inserting your primary domain, and hit Enter.
$dom = "<primary domain name>"
5. Enter the following command, inserting your Organization Name. This is your company name as recorded in the Office 365 account.
$fedBrandName = "<Organization name>"
6. Enter the following command, inserting the Login URL you recorded from the Service Metadata tab in the previous section.
$url = "<SDO Login URL>"
7. Enter the following command, inserting the Issuer URL you recorded from the Service Metadata tab in the previous section.
$uri = "<SDO Issuer URL>"
8. Enter the following command, inserting the Logout URL you recorded from the Service Metadata tab in the previous section.
$logoutUrl = "<SDO Logout URL>"
9. Enter the following command, inserting the location and name of the .pem file you saved in the previous section. This loads the SDO signing certificate that Office 365 will trust for SAML assertions from SDO.
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 ("<C:\cert.pem>")
10. Enter the following command, and hit Enter.
$certData = [System.Convert]::ToBase64String($cert.RawData)
11. Execute the federation of your domain by entering the following command and hitting Enter.
Set-MsolDomainAuthentication -DomainName $dom -Authentication Federated -FederationBrandName $fedBrandName -PassiveLogOnUri $url -IssuerUri $uri -LogOffUri $logoutUrl -PreferredAuthenticationProtocol SAMLP -SigningCertificate $certData
12. Verify the new settings with the following command. Confirm that the IssuerUri, PassiveLogOnUri, and LogOffUri values shown match the URLs you entered.
Get-MsolDomainFederationSettings -DomainName $dom | fl
13. In the Control Panel, click the My Services menu from the left-hand menu.
14. Click the Secret Double Octopus vendor band to expand it.
15. Click the Services tab.
16. Click the Edit button for the Microsoft Office 365 Service.
17. Under the Configuration tab, enter your primary domain.
18. Click the Save button.
Your primary domain is now set up for authentication through SDO.
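The following script is an added example that is not part of the original article or of the SDO product; it carries the PowerShell steps above through as one run with the checks a practitioner would want before changing sign-in for every user on the domain: that the Msol cmdlets are actually loaded, that the domain is verified and not already federated to something else, that the SDO signing certificate is not about to expire, and that the tenant reports back the same issuer, login URL and certificate that were submitted. It assumes you have already run Connect-MsolService as a Global Administrator; the domain, organization name, URLs and file path are placeholders to replace with your own values.

```powershell
# Added example (not from the original article or from SDO). Assumes the MSOnline
# module is installed and Connect-MsolService has already been run as a Global
# Administrator. Every value below is a placeholder.
$dom          = "example.com"                        # primary domain to federate
$fedBrandName = "Example Corp"                       # organization name as recorded in Office 365
$url          = "https://sdo.example/saml/login"     # SDO Login URL from the Service Metadata tab
$uri          = "https://sdo.example/saml/issuer"    # SDO Issuer URL from the Service Metadata tab
$logoutUrl    = "https://sdo.example/saml/logout"    # SDO Logout URL from the Service Metadata tab
$pemPath      = "C:\cert.pem"                        # .pem saved from the X.509 Certificate box

# 1. The federation cmdlets come from MSOnline; fail early if they are not loaded.
if (-not (Get-Command Set-MsolDomainAuthentication -ErrorAction SilentlyContinue)) {
    throw "MSOnline cmdlets not available. Run: Install-Module MSOnline; Connect-MsolService"
}

# 2. Only a verified domain can be federated. Warn before overwriting an existing IdP.
$domainInfo = Get-MsolDomain -DomainName $dom
if ($domainInfo.Status -ne "Verified") {
    throw "Domain $dom is not verified in this tenant (status: $($domainInfo.Status))."
}
if ($domainInfo.Authentication -eq "Federated") {
    Write-Warning "$dom is already federated; the settings below will replace the current IdP."
}

# 3. Load the SDO signing certificate and inspect it before trusting it for every login.
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 ($pemPath)
if ($cert.NotAfter -lt (Get-Date).AddDays(30)) {
    Write-Warning "SDO signing certificate expires on $($cert.NotAfter); plan a rotation."
}
Write-Host "Signing certificate thumbprint $($cert.Thumbprint), subject $($cert.Subject)"
$certData = [System.Convert]::ToBase64String($cert.RawData)

# 4. Federate the domain exactly as in step 11 of the article.
Set-MsolDomainAuthentication -DomainName $dom -Authentication Federated `
    -FederationBrandName $fedBrandName -PassiveLogOnUri $url -IssuerUri $uri `
    -LogOffUri $logoutUrl -PreferredAuthenticationProtocol SAMLP -SigningCertificate $certData

# 5. Read the settings back and compare them with what was submitted. The certificate is
#    compared by thumbprint so whitespace differences in the returned base64 do not matter.
$settings  = Get-MsolDomainFederationSettings -DomainName $dom
$storedRaw = [System.Convert]::FromBase64String($settings.SigningCertificate)
$stored    = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 (, $storedRaw)
$ok = ($settings.IssuerUri -eq $uri) -and
      ($settings.PassiveLogOnUri -eq $url) -and
      ($settings.LogOffUri -eq $logoutUrl) -and
      ($stored.Thumbprint -eq $cert.Thumbprint)
if (-not $ok) {
    $settings | Format-List
    throw "Federation settings for $dom do not match the values submitted."
}
Write-Host "$dom is now federated to SDO. Test a login from a private browser window before closing this session."

# Rollback, kept at hand in case SDO cannot be reached: converting the domain back to
# managed authentication restores password sign-in. Run it from an account on the
# tenant's .onmicrosoft.com domain, which federation does not affect.
# Set-MsolDomainAuthentication -DomainName $dom -Authentication Managed
```

The read-back check in step 5 matters because a typo in the Issuer URL or a stale certificate pasted from an older Service Metadata page does not produce an error at federation time; it only shows up as every user on the domain failing to sign in. Keep the rollback line and an .onmicrosoft.com administrator session open until a test login through the Authenticator App succeeds.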