Automatic setup of SSO
Once the new Workspace environment has been created (either via our API or PowerShell script), you can configure Single Sign-On (SSO) in Workspace 365. There are two SSO methods:
- Web Services Federation (only supported for on-premises versions of Workspace 365)
- oAuth2 (recommended)
You can choose between a manual and an automatic setup of SSO. This article covers the automatic setup. When setting up SSO, you create an SSO app registration in Azure for your Workspace environment, along with the corresponding (API) permissions for applications such as SharePoint, Exchange or Power BI.
Automatic setup of SSO
To set up SSO as an admin:
- Go to Workspace settings and select Single Sign-on.
- We strongly recommend using oAuth2 as the SSO method.
- Choose automatic setup.
- Fill in the Office 365/Azure AD password.
- Check the checkbox "I give Workspace 365 permission to create an Azure AD application to provide Single Sign-on".
- Grant permissions to applications such as SharePoint or Exchange. You can always configure these API permissions afterwards in Azure.
Only grant permission for the applications that are being used. For example, if you do not use Power BI, do not grant permission for Power BI as it will result in an error.
- Click on Done.
- You will be redirected and signed out.
- After you are redirected, you will see a consent prompt for all previously set permissions. You have to accept these permissions. When the request for an SSO token is sent to Azure AD, the Workspace 365 page will ask you to wait for 1 minute.
If you receive an error at this stage, check that only one Microsoft Office 365 account is signed in in the browser session. Tip: if you use multiple accounts in Google Chrome, you can easily switch between user profiles by clicking the user icon at the top right of the URL bar.
- You need to consent on behalf of your organization, because otherwise these permissions are only granted for admins in your tenant.
- Be aware that these permissions are only granted for administrators in this tenant. You have to grant them for all users. If you do not grant permissions, users will receive the following error when trying to log in to the workspace: "Need admin approval".
Change API permissions manually
If you want to update, change or apply the consent in Azure AD, you can do so on the App registration.
- In Azure AD navigate to the corresponding Workspace SSO App registration (all applications).
- Click on API Permissions.
- The following permissions are for SharePoint, Exchange (Microsoft Graph) and Power BI (Power BI Service).
- You can add permissions by clicking on Add a permission.
- Don't forget to click Grant admin consent after adding permissions.
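
To confirm that consent was given for the whole organization and that no permissions remain for applications you do not use, you can review the delegated permission grants of the SSO app. The following is an added example, not part of Workspace 365 or this article's tooling: it assumes the grants were exported in the shape of Microsoft Graph `oauth2PermissionGrants` objects, and all IDs, scope names and the `review_grants` helper are constructed for illustration.

```python
import json

# Constructed sample in the shape of a Microsoft Graph oauth2PermissionGrants
# listing for one app. IDs and scopes are placeholders, not the actual list
# of permissions that Workspace 365 requests.
SAMPLE_GRANTS = json.loads("""
{"value": [
  {"clientId": "sp-workspace-sso", "consentType": "AllPrincipals", "principalId": null,
   "resourceId": "sp-graph", "scope": "User.Read Mail.Read"},
  {"clientId": "sp-workspace-sso", "consentType": "Principal", "principalId": "user-admin-1",
   "resourceId": "sp-graph", "scope": "User.Read Sites.Read.All"},
  {"clientId": "sp-workspace-sso", "consentType": "Principal", "principalId": "user-admin-1",
   "resourceId": "sp-powerbi", "scope": "Dataset.Read.All"}
]}
""")["value"]

# Hypothetical lookup from resource service principal ID to display name.
RESOURCE_NAMES = {"sp-graph": "Microsoft Graph", "sp-powerbi": "Power BI Service"}


def review_grants(grants, resource_names, apps_in_use):
    """Return (admin_only, unused): scopes that lack tenant-wide consent, and
    resources that hold grants although the organization does not use them."""
    tenant_wide, per_user = {}, {}
    for g in grants:
        name = resource_names.get(g["resourceId"], g["resourceId"])
        # "AllPrincipals" means consent on behalf of the organization;
        # "Principal" means consent for a single account only.
        bucket = tenant_wide if g["consentType"] == "AllPrincipals" else per_user
        bucket.setdefault(name, set()).update(g["scope"].split())
    admin_only = {}
    for name, scopes in per_user.items():
        missing = scopes - tenant_wide.get(name, set())
        if missing:
            admin_only[name] = sorted(missing)
    granted = set(tenant_wide) | set(per_user)
    unused = sorted(granted - set(apps_in_use))
    return admin_only, unused


if __name__ == "__main__":
    admin_only, unused = review_grants(SAMPLE_GRANTS, RESOURCE_NAMES, {"Microsoft Graph"})
    for name, scopes in admin_only.items():
        print(f"{name}: consented for individual accounts only: {', '.join(scopes)}")
    for name in unused:
        print(f"{name}: permissions granted but application not in use")
```

Scopes reported as consented for individual accounts only are the ones that lead to "Need admin approval" for regular users until admin consent is granted.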