The EmpowerID SSO framework allows you to federate EmpowerID with Office 365 without requiring you to set up Active Directory Federation Service (ADFS) or DirSync. In this scenario, the EmpowerID Security Token Service (STS) replaces ADFS, making EmpowerID the identity provider for your organization's Office 365 services.


If Windows Azure AD Module for Windows PowerShell and Microsoft Online (MSOL) Sign-In Assistant are already installed on your EmpowerID server, you must remove them before installing the newer versions.


You must have a licensed corporate Office 365 account and connect it to EmpowerID.

The Account Store that you connect it with must not have any spaces in the name.

You must install the following modules in this order on the machine on which you configure the SSO Connection.

  1. Windows Management Framework 5.1 
    This version provides functionality that EmpowerID uses to communicate with Office 365, including the newest version of Windows PowerShell.

  2. To verify the version, in PowerShell, run

    The version must be Major 5 Minor 0 or higher.

  3. Windows Azure AD Module for Windows PowerShell Version 1.1 
    This provides you with the Office 365 cmdlets necessary for administering Office 365.

  4. After installing Windows Azure AD Module for Windows PowerShell Version 1.1, in PowerShell, run 

    Save-Module -Name MSOnline -Path %path%


     Replace %path% with the local path where you want to download the module.

  5. If you see these messages, enter Y for both.
    • PowerShellGet requires NuGet provider version '' or newer
    • You are installing the modules from an untrusted repository

  6. Once finished, in PowerShell, run 

    Import-Module MSOnline

  7. After importing the module, to confirm the version, run 

    Get-Module MSOnline

    The version must be or higher.

After connecting to Office 365, but before federating it with EmpowerID, it is recommended that the Office 365 users for the federated domain update their EmpowerID passwords. This ensures that their EmpowerID Person does not become locked out for a password mismatch between their EmpowerID Person password and an Office 365 password that is saved in a rich client application such as Outlook or Lync. 


You can create any number of O365 WS-Federation connections in the latest versions of EmpowerID. Each O365 domain can have its own passive endpoint URL and issuer. The name of the connection merely needs to include the word “office365” or “Office365”.

These are examples of legitimate O365 WS-Federation connection names:

  • MyOffice365TenantA
  • TenantBOffice365
  • Office365TenantC

To create a WS-Federation Connection

  1. In the navigation sidebar of the EmpowerID Web interface, expand Admin, then SSO Connections, and click WS-Federation.
  2. Click the Actions tab, and then click the Create WS-Federation Connection button.

  3. On the General tab of the Connection Details screen that appears, under WS-Federation Connection Type, select Service Provider.
  4. In the Service Provider Details section that appears, drop down the WS-Federation Service Provider Template and select Default SSO Connection Settings.
  5. In the General Details section, enter a name and description in the Name, Display Name, and Description fields.

  6. In the Reply To Address and Realm fields, enter your EmpowerID server's domain, for example,, and leave the checkbox below cleared.
  7. In the Tile Information section, for the Tile Image URL, leave the path intact and change GenericLogo.png to office-365.png.
  8. In the Initiating URL field, enter this URL, changing to your domain:

  9. In the Logout URL field, enter this URL:

  10. In the Account Information section, drop down the Select existing Account Directory and select your Office 365 account store. 


    If you have a space in the name of the account store, you need to remove it in the EmpowerID Management Console before federating.

  11. In the Relying Party Trust section, in the Trust Identifier URI field, enter urn:federation:MicrosoftOnline.
  12. Drop down the Signing Certificate field, select the one supplied with your installation, and click Save.

To create an SSO application for Office 365

  1. In the Navigation Sidebar of the EmpowerID Web interface, expand Applications and click Manage Applications.
  2. From the Actions pane of Application Manager, click the Create Application action. 

    This opens the Application Details form, which contains tabs and fields for creating the application.

  3. On the General tab, configure these options for the application:
    1. Name, Display Name and Description — Enter Office 365.
    2. Icon — Leave the path intact, but change the file name from Genric-1.png to office-365.png.
      This displays EmpowerID's Office 365 image to users in their EmpowerID Personal Applications page.
    3. Full URL (Exact Match Path) — Leave this field blank as it is not used for Office 365.
    4. Allow Access Requests — Leave this option selected to allow users to request or claim accounts in the application in the IT Shop.
    5. Allow Claim Account — Leave this option selected to allow users to claim an account in the application from the IT Shop.
    6. Allow Request Account — Leave this option (and Allow Access Requests) selected to allow users to request an account in the application.
    7. Login Is Email Address (Receive OTP to Claim) — Select this option (required for Office 365) to pass identity assertions to the application when logging in from EmpowerID and to send a one-time password to users claiming an account.
    8. Make me the Application Owner — Select this to own the application. Application owners can manage the application and approve or deny access requests.
    9. Configure Advanced Claim and Request Account Options — Only select this option if you have custom pages and workflows configured for processing access requests and managing any accounts linked to the application's EmpowerID account directory. Additional fields appear when you select it.

  4. On the Single Sign-On tab, click Single Sign-On Connection Type and select WS-Federation.

  5. In the WS-Fed Connection field, start typing the name of the Office 365 connection created earlier, and click the tile for it.

  6. On the Users tab, click Select existing Account Directory and select your Office365 Account Store.


    EmpowerID uses this directory to map your Office 365 users with their corresponding EmpowerID Persons. You must add this Account Store to EmpowerID to have it appear in the drop-down.

  7. Click Add to cart, click the shopping cart that flashes at the top of the page, and in the Cart dialog that appears, enter a reason for creating the application and click Submit.

To configure access for the application

  1. After EmpowerID creates the application, click the Find Applications link in the breadcrumbs at the top of the page.

  2. Search for the Office 365 application you just created and click the Display Name link for it. 

  3. This directs you to the View One page for the application. View One pages allow you to view and manage information about a particular resource object.

  4. To add owners who can manage the application, expand the Owners accordion, and in the Enter name to add field, enter a person's name and click the tile for that person.

  5. The Added flag increments with the number of owners to add. Click Submit to add the owners to the grid.

  6. To ensure that all users with an Office 365 account can access the application, expand the Who Has Access To Application accordion and do the following:
    1. Drop down the Assignee Type and select Business Role and Location.
    2. Click the Add (+) button on the Assignee grid.

      This opens the Grant Access dialog. Use this dialog to select the Business Role and Location for which you are granting access as well as the Access Level you are granting it.

    3. In the Business Role pane of the Grant Access dialog, search for and select Any Role.
    4. In the Location pane of the Grant Access dialog, search for and select Anywhere.
    5. Select Viewer from the Access Level drop-down.

    6. Click Save.

Next, set the Public DNS for your server to match the domain name you are federating in Office 365, as described below. If the two already match, you can skip ahead to Configuring a Trusted Endpoint for the SSL certificate used in your EmpowerID deployment.

To configure an EmpowerID server with a DNS Alias

This is an optional step that is only required when the DNS name of your server and the domain name you registered in Office 365 are not the same. These values must match for the SSL endpoints to function correctly. By setting a DNS alias, you direct the EmpowerID services to ignore the machine's FQDN and use the Public DNS in its place.

  1. In the Navigation Sidebar, expand Admin, then EmpowerID Servers and Settings and click EmpowerID Servers.
  2. From the EmpowerID Server Details page, click the EmpowerID Servers tab and search for the server whose role you want to set.
  3. Click the Edit button for that server.

  4. In the dialog that appears, enter the DNS Alias in the PublicDns field and click Save.


    The value entered here must be found in the SSL Certificate (i.e., Subject Name, SAN Cert, etc.).

  5. Restart the EmpowerID services on that server.

To export the EmpowerID Certificate in base64-encoding format

  1. From the server with your certificate, open Manage computer certificates.
  2. Expand the Certificates - Local Computer node, then Personal, and click Certificates.
  3. Right-click the certificate you are using in your EmpowerID deployment and select All Tasks, then Export from the context menu.

  4. In the Certificate Export Wizard that appears, click Next.
  5. Select No, do not export the private key and click Next.

  6. Select Base-64 encoded X.509 (.CER) and click Next.

  7. Select an export location, naming the exported certificate and click Next.
  8. Click Finish to complete the export.
  9. Open the exported certificate in a text editor and remove the first and last lines:

  10. Remove all spaces and line breaks so that the certificate appears on one line.
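The same export carried out in PowerShell, as an added example that is not part of the EmpowerID documentation: it reads the deployment certificate from the Local Computer Personal store, checks it (private key present, not near expiry, the PublicDns alias from the DNS Alias procedure above present in its Subject or SAN) and emits the public part as the single Base-64 line that step 10 produces. The thumbprint and DNS name are placeholders.

```powershell
# Added example, not from the EmpowerID documentation. Equivalent of the manual
# export: the public certificate as one Base-64 line, plus pre-flight checks.
# PLACEHOLDERS: replace the thumbprint and the PublicDns value with your own.
$Thumbprint = 'PLACEHOLDER_THUMBPRINT'
$PublicDns  = 'sso.example.com'    # the PublicDns alias set on the EmpowerID server

$x509 = Get-ChildItem -Path Cert:\LocalMachine\My |
        Where-Object { $_.Thumbprint -eq $Thumbprint }
if (-not $x509) { throw "Certificate $Thumbprint not found in Cert:\LocalMachine\My" }

# The STS signs tokens with this certificate, so the private key must be present
# on the EmpowerID server. It is never part of what is handed to Office 365.
if (-not $x509.HasPrivateKey) { throw 'No private key: the STS cannot sign with this certificate' }

# An expired signing certificate breaks every federated logon; warn early.
if ($x509.NotAfter -lt (Get-Date).AddDays(30)) {
    Write-Warning "Certificate expires $($x509.NotAfter); plan a rollover"
}

# The PublicDns value must appear in the Subject CN or the SAN extension.
$names = @()
if ($x509.Subject -match 'CN=([^,]+)') { $names += $Matches[1] }
$san = $x509.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }   # subjectAltName
if ($san) { $names += ($san.Format($false) -split ',\s*') -replace '^DNS Name=', '' }
if ($names -notcontains $PublicDns) {
    Write-Warning "$PublicDns is not in Subject/SAN ($($names -join ', '))"
}

# RawData is the DER-encoded public certificate (no private key). One Base-64
# line of it is exactly the .CER export with its BEGIN/END lines, spaces and
# line breaks removed.
$cert = [Convert]::ToBase64String($x509.RawData)

# Round trip: decoding the string must give back the same certificate.
$bytes = [byte[]][Convert]::FromBase64String($cert)
$check = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($bytes)
if ($check.Thumbprint -ne $x509.Thumbprint) { throw 'Round-trip thumbprint mismatch' }

$cert    # use this as the $cert value in the Office 365 trust procedure
```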

Next, establish trust between Office 365 and EmpowerID as described below.

To establish trust between Office 365 and EmpowerID

  1. To connect to Microsoft Online, from the Start menu, open the Microsoft Azure Active Directory Module for Windows PowerShell command window and enter this command:

    Code Block

  2. In the Sign in to your account window that appears, enter the email address of a global administrator of your Office 365 account and click Next, then enter the password and click Sign In.

  3. Once you have connected, run the following command to set the ImmutableID on all Office 365 accounts that have the domain specified in the command. Be sure to replace YourDomainName with your domain name, e.g.

    This command is only necessary if the account was created in Office 365.
    Do not run this command if you are using DirSync.

    Code Block
    Get-MsolUser -DomainName YourDomainName | where {$_.ImmutableId -eq $null -OR $_.ImmutableId -eq ''} | Set-MsolUser -ImmutableId {[guid]::NewGuid().ToString()}


    To get all licensed users and their immutable IDs, run this command:

    Code Block
    Get-MsolUser -all | where {$_.isLicensed -eq $true} | select-object userprincipalname, immutableid

  4. Next, set the following variables at the PowerShell prompt for your domain, the federation endpoints and the signing certificate. The following example shows what the values for the variables looked like for our configuration. You need to replace the values with those specific to your environment. For example, the name of our domain is "," so the value of $dom and $FederationBrandName is ""

    Code Block
    $dom = ""
    $FederationBrandName = ""
    $IssuerUri = ""
    $ActiveLogOnUri = ""
    $mex = ""
    $LogOffUri = ""
    $PassiveLogOnUri = ""
    $cert = "MIIC5jCCAc6gAw..............QKgUSV0rciLpDOYiqAwbP6D"    


    The values for ActiveLogOnUri, LogOffUri, and PassiveLogOnUri are the same and point to the Issuer you set up when you created the WS-Fed connection above. The value set for IssuerUri does not need to be a resolvable DNS name; however, it must be unique in Office 365, as an IssuerUri cannot be used for more than one connection or tenant. Also, when setting the value for the certificate, pass in the Base-64 encoded string without any line breaks.


    If you received a DefaultDomainUnsetException error when running the above PowerShell cmdlet, you need to specify the domain as the default domain. To fix the error, run the cmdlet below. You will also need to run it each time you add a tenant, to set the default domain for that tenant. Be sure to replace "" with the fully qualified domain name your Office 365 account was given by Microsoft when it was first created.

    Code Block
    set-msoldomain -name -IsDefault

  5. Use the cmdlet below to set the Federation Authentication Mode to WS-Fed for the Office 365 domain. Enter the cmdlet as one line.

    Code Block
    Set-MsolDomainAuthentication -DomainName $dom -FederationBrandName $dom -Authentication Federated -PassiveLogOnUri $PassiveLogOnUri -SigningCertificate $cert -IssuerUri $IssuerUri -ActiveLogOnUri $ActiveLogOnUri -MetadataExchangeUri $mex -LogOffUri $LogOffUri


    If necessary, you can revert the domain from federated to managed by using the following PowerShell cmdlet.

    Code Block
    Set-MsolDomainAuthentication -DomainName $dom -Authentication Managed

  6. Use the following cmdlet to update the Office 365 Domain with the federation settings. Enter the cmdlet as one line.

    Code Block
    Set-MsolDomainFederationSettings -DomainName $dom -FederationBrandName $dom -IssuerUri $IssuerUri -LogOffUri $LogOffUri -PassiveLogOnUri $PassiveLogOnUri -ActiveLogOnUri $ActiveLogOnUri -MetadataExchangeUri $mex -SigningCertificate $cert

  7. Run the following cmdlet to verify your settings:

    Code Block

  8. Run the following cmdlet to retrieve the Open Authorization (OAuth) configuration settings currently in use in your organization:

    Code Block

  9. Run the following cmdlet to enable Modern Authentication:

    Code Block
    Set-CsOAuthConfiguration -ClientAdalAuthOverride Allowed

  10. Run the following cmdlet to close your session:

    Code Block

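A read-back check to run after steps 5 and 6, added here as an example and not part of the EmpowerID documentation: it compares what the tenant actually stores with the $dom, $FederationBrandName, $IssuerUri, $PassiveLogOnUri, $ActiveLogOnUri, $LogOffUri, $mex and $cert variables from step 4. The function name is ours, and it assumes the Microsoft Online session opened in step 1 is still active.

```powershell
# Added example, not from the EmpowerID documentation: verify that the federation
# settings Office 365 stores for the domain are the ones set in steps 4 to 6.
# Uses the $FederationBrandName, $IssuerUri, $PassiveLogOnUri, $ActiveLogOnUri,
# $LogOffUri, $mex and $cert variables already defined in the session.
function Test-EmpowerIdFederation {
    param([Parameter(Mandatory)][string]$DomainName)

    $expected = @{
        FederationBrandName = $FederationBrandName
        IssuerUri           = $IssuerUri
        PassiveLogOnUri     = $PassiveLogOnUri
        ActiveLogOnUri      = $ActiveLogOnUri
        LogOffUri           = $LogOffUri
        MetadataExchangeUri = $mex
    }
    $ok = $true

    # The domain must be Federated, otherwise Office 365 still checks passwords itself.
    $domain = Get-MsolDomain -DomainName $DomainName
    if ($domain.Authentication -ne 'Federated') {
        Write-Warning "$DomainName is '$($domain.Authentication)', not Federated"
        $ok = $false
    }

    # Every endpoint and the issuer must match what EmpowerID's STS presents.
    $actual = Get-MsolDomainFederationSettings -DomainName $DomainName
    foreach ($name in $expected.Keys) {
        if ($actual.$name -ne $expected[$name]) {
            Write-Warning ("{0}: tenant has '{1}', expected '{2}'" -f $name, $actual.$name, $expected[$name])
            $ok = $false
        }
    }

    # The tenant accepts tokens signed by this certificate, so it must be the one
    # exported from the EmpowerID server, and it must still be valid.
    $x509Type = [System.Security.Cryptography.X509Certificates.X509Certificate2]
    $tenantCert = $x509Type::new([byte[]][Convert]::FromBase64String($actual.SigningCertificate))
    $localCert  = $x509Type::new([byte[]][Convert]::FromBase64String($cert))
    if ($tenantCert.Thumbprint -ne $localCert.Thumbprint) {
        Write-Warning 'SigningCertificate in the tenant differs from $cert'; $ok = $false
    }
    if ($tenantCert.NotAfter -lt (Get-Date)) {
        Write-Warning "Signing certificate expired $($tenantCert.NotAfter)"; $ok = $false
    }
    return $ok
}

Test-EmpowerIdFederation -DomainName $dom    # $true when every setting matches
```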

If you are using Skype for Business, please see the Configuring Skype for Business Online topic for instructions.

To test the Office 365 SSO Connection

  1. From your Web browser navigate to the login for Office 365 and enter your username.
  2. Click the Password field. A message appears stating that Office 365 is redirecting you to your organization's sign-in page.
  3. Log in to the EmpowerID Web application as you normally would. The username is the same as that used for accessing Office 365.
  4. EmpowerID verifies your identity and redirects you to Office 365.

