
Office 365 (SSO) 2FA

The Protectimus two-factor authentication (2FA) system supports SP (Service Provider) initiated Single Sign-On (SSO).

This means that your end-users can sign into their accounts directly from the protected resource's login page. When an end-user tries to sign into a protected resource, an authorization request is sent to the Identity Provider (Protectimus). Once Protectimus has authenticated the user's identity, the user is logged into their account in the protected resource.

The diagram below shows how the Protectimus On-Premise Two-Factor Authentication Platform interacts with Microsoft Office 365 through Keycloak.
[Image: Office 365 2FA integration scheme]

1. Get Registered and Configure Basic Settings

  1. Install the Protectimus On-Premise Platform and get registered with Protectimus.
  2. Add Resource.
  3. Add Users.
  4. Add Tokens or activate Users’ Self Service Portal.
  5. Assign Tokens to Users.
  6. Assign Tokens with Users to the Resource.

2. Synchronize your On-Premise AD with Azure AD

2.1. Open office.com

Admin -> Show all -> Azure Active Directory -> Custom domain names -> “Add custom domain”

In your DNS zone, create the TXT record that Azure AD shows you; it is used to verify that you own the domain before it is added to Azure AD.

2.2. Download and run the Azure AD Connect

https://www.microsoft.com/en-us/download/details.aspx?id=47594

Continue -> Customize -> Install (no checked options) -> Password Hash Synchronization -> Next -> Connect to Azure AD:

Sign in as username@[something].onmicrosoft.com with that account's password.

Next -> Add Directory -> domain

You can create a separate Organizational Unit (OU) for users whose accounts must be protected with two-factor authentication and set up synchronization only for this OU. Every user in this OU must have an email address; it will be used as the UPN (User Principal Name).
  • Create new AD account
  • Enterprise ADMIN username: domain\Administrator
  • PASSWORD: Windows AD Administrator password
(Check the image below)
[Image: Office 365 two-factor authentication setup with Protectimus - step 1]

Next -> Next -> Sync Selected Domain
[Image: Office 365 two-factor authentication setup with Protectimus - step 2]

Next -> Next -> Next -> Exit.

3. Configure Keycloak

3.1. Create Realm

Add a realm; for example, name it Office365.

3.2. Create User Federation

Create a User Federation provider for your Active Directory, then add the following mapper:
  • Name: saml.persistent.name.id.for.urn:federation:MicrosoftOnline
  • Mapper Type: user-attribute-ldap-mapper
  • User Model Attribute: saml.persistent.name.id.for.urn:federation:MicrosoftOnline
  • LDAP Attribute: objectGUID
  • Read Only: ON
  • Always Read Value from LDAP: ON
  • Is Mandatory in LDAP: OFF
  • Is Binary Attribute: OFF
[Image: Office 365 two-factor authentication setup with Protectimus - step 3]

3.3. Create a client

  1. Create the client by importing this file:
    https://nexus.microsoftonline-p.com/federationmetadata/saml20/federationmetadata.xml

    ATTENTION! It is important to name the file: “urn:federation:MicrosoftOnline”
  2. Edit the client properties:
    • Client Signature Required – Disable
    • Signature Algorithm – “RSA_SHA1”
  3. Create a mapper for the client: “Add builtin” -> X500 email
    • Mapper: Name: IDPEmail
    • Mapper Type: User Property
    • Property: email
    • SAML Attribute Name: IDPEmail
    The user's Active Directory email address will be used as the username.
[Image: Office 365 two-factor authentication setup with Protectimus - step 4]

4. Connect Office 365 with Keycloak

4.1. Get SAML certificate

First of all, you need to obtain the realm's SAML signing certificate; you can find and check it at this URL:

https://kc.dev.protectimus.com/auth/realms/[realm name]/protocol/saml/descriptor

Or check the certificate using the corresponding feature in the interface – SAML keys.
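The descriptor values can also be pulled out programmatically instead of copied by hand. The PowerShell below is an added example and is not part of the Protectimus documentation: it downloads the realm descriptor, extracts the entityID, the HTTP-POST sign-on URL and the signing certificate, and parses the certificate so that an expired or wrong-realm certificate is noticed before it is handed to Azure AD in step 4.3. The host and realm name are placeholders taken from the URL above.

```powershell
# Added example, not from the Protectimus documentation.
# Assumptions: the host and realm name below are placeholders; adjust them for your Keycloak.
$realm  = "Office365"
$kcBase = "https://kc.dev.protectimus.com/auth/realms/$realm"

# Download the IdP metadata that Keycloak publishes for the realm
$descriptor = Invoke-WebRequest -Uri "$kcBase/protocol/saml/descriptor" -UseBasicParsing
$xml = [xml]$descriptor.Content

# SAML metadata is namespaced; XPath matches on the namespace URI, so the
# prefixes registered here do not have to match the ones Keycloak emits
$ns = New-Object System.Xml.XmlNamespaceManager($xml.NameTable)
$ns.AddNamespace("md", "urn:oasis:names:tc:SAML:2.0:metadata")
$ns.AddNamespace("ds", "http://www.w3.org/2000/09/xmldsig#")

# entityID is the value that goes into -IssuerUri
$entity    = $xml.SelectSingleNode("//md:EntityDescriptor", $ns)
$issuerUri = $entity.GetAttribute("entityID")

# Office 365 posts the AuthnRequest, so take the HTTP-POST binding endpoint
$ssoNode = $xml.SelectSingleNode(
    "//md:IDPSSODescriptor/md:SingleSignOnService[@Binding='urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST']",
    $ns)
$ssoUrl = $ssoNode.GetAttribute("Location")

# The signing certificate is the base64 body of <ds:X509Certificate>; strip the
# line breaks so the value can be passed straight to -SigningCertificate
$certNode = $xml.SelectSingleNode(
    "//md:IDPSSODescriptor/md:KeyDescriptor[@use='signing']//ds:X509Certificate",
    $ns)
$certB64 = $certNode.InnerText -replace '\s', ''

# Parse the certificate so an expired one is caught before it is registered
$cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new(
    [Convert]::FromBase64String($certB64))
if ($cert.NotAfter -lt (Get-Date)) {
    Write-Warning "Keycloak signing certificate expired on $($cert.NotAfter)"
}

# Everything step 4.3 needs, in one object
[pscustomobject]@{
    IssuerUri          = $issuerUri
    SsoUrl             = $ssoUrl
    CertSubject        = $cert.Subject
    CertNotBefore      = $cert.NotBefore
    CertNotAfter       = $cert.NotAfter
    CertThumbprint     = $cert.Thumbprint
    SigningCertificate = $certB64
}
```

If the realm has more than one active signing key, only the first signing KeyDescriptor in the metadata is taken; compare the printed thumbprint with the one shown under SAML keys in the Keycloak interface to make sure it is the key the realm currently signs with.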

4.2. Install the required software 

  • Install-Module -Name AzureAD
  • Install-Module MSOnline
If you are asked about NuGet and PSGallery, install them too.

4.3. Connecting Office 365 with Keycloak

Execute the following script:
# Get the public key certificate from Keycloak (the X509Certificate element of the realm descriptor):
# https://kc.dev.protectimus.com/auth/realms/2608/protocol/saml/descriptor
# Paste the base64 value without PEM headers or line breaks
$cert="<X509Certificate value from the Keycloak descriptor>"

# Keycloak SAML endpoint and the issuer (entityID) of the realm
$uri="https://kc.dev.protectimus.com/auth/realms/Office365/protocol/saml"
$issuer_uri="https://kc.dev.protectimus.com/auth/realms/Office365"
# The custom domain that was added to Azure AD in step 2.1
$dom="yourdomain.com"

# Sign in to Azure AD with an administrator account
$cred = Get-Credential
Connect-MsolService -Credential $cred

# Switch the domain from managed to federated authentication: from now on Azure AD
# redirects sign-ins for this domain to Keycloak and trusts SAML responses signed with $cert
Set-MsolDomainAuthentication -DomainName $dom -Authentication Federated -ActiveLogOnUri $uri -SigningCertificate $cert -PassiveLogOnUri $uri -IssuerUri $issuer_uri -LogOffUri $uri -PreferredAuthenticationProtocol SAMLP

You can check whether the operation completed successfully:
Get-MsolDomainFederationSettings -DomainName domain.name
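Reading the settings back is more useful when they are compared with what was meant to be configured. The script below is an added example and is not part of the Protectimus documentation: it checks that the domain is federated and then compares each federation setting Azure AD stores with the expected value, so a mistyped URI or a stale certificate shows up as drift. The domain, URIs and certificate are placeholders to replace with your own values. Because the issuer and signing certificate decide whose SAML responses Azure AD will accept for the domain, an unexpected change in either is worth alerting on, and the same comparison can be run on a schedule for that purpose.

```powershell
# Added example, not from the Protectimus documentation.
# Placeholders: replace the domain, URIs and certificate with your own values.
$dom = "yourdomain.com"
$expected = [ordered]@{
    IssuerUri                       = "https://kc.dev.protectimus.com/auth/realms/Office365"
    PassiveLogOnUri                 = "https://kc.dev.protectimus.com/auth/realms/Office365/protocol/saml"
    ActiveLogOnUri                  = "https://kc.dev.protectimus.com/auth/realms/Office365/protocol/saml"
    LogOffUri                       = "https://kc.dev.protectimus.com/auth/realms/Office365/protocol/saml"
    PreferredAuthenticationProtocol = "Samlp"
    SigningCertificate              = "<X509Certificate value used in step 4.3>"
}

Connect-MsolService -Credential (Get-Credential)

# A domain that is still Managed means Set-MsolDomainAuthentication did not take effect
$authType = [string](Get-MsolDomain -DomainName $dom).Authentication
if ($authType -ne "Federated") {
    throw "Domain $dom is '$authType', not Federated"
}

$actual = Get-MsolDomainFederationSettings -DomainName $dom

# Compare each setting case-sensitively; the certificate is compared with
# whitespace removed because it may come back wrapped differently from how it was pasted
$drift = foreach ($name in $expected.Keys) {
    $want = [string]$expected[$name]
    $have = [string]$actual.$name
    if ($name -eq "SigningCertificate") {
        $want = $want -replace '\s', ''
        $have = $have -replace '\s', ''
    }
    if ($have -cne $want) {
        [pscustomobject]@{ Setting = $name; Expected = $want; Actual = $have }
    }
}

if ($drift) {
    $drift | Format-Table -AutoSize
    Write-Warning "Federation settings for $dom differ from the Keycloak configuration"
} else {
    "Federation settings for $dom match the Keycloak configuration"
}
```

The hashtable is ordered only so the drift report lists settings in a stable order; the property names are those returned by Get-MsolDomainFederationSettings, so the same loop works for any additional setting you want to pin.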

4.4. Disconnecting Office 365 and Keycloak

Execute the following script:
$dom="yourdomain.com"
Set-MsolDomainAuthentication -DomainName $dom -Authentication managed

Everything is ready: open office365.com and try to log in with an account from AD.
Last updated on 2022-09-14