How to set up Microsoft O365 SSO

Instructions for setting up Single Sign-On using Microsoft O365 (Azure Active Directory)

This article applies to our FMI Works product when delivered as a cloud solution.

Why use Microsoft O365 as an SSO provider

FMI Identity can allow login via your organisation's existing O365 for added security and ease of use. This lets your IT department manage authentication and reduces the load on your staff, who only need to manage their passwords for a single system.

Once configured by our support staff, any users that try to sign in from domains your organisation owns will be redirected to Microsoft’s login page to complete the process. Our system uses very little information from your O365 configuration and will only use enough data to authenticate your users.

For more information about FMI and SSO generally, see our Single Sign-on article.

How do we connect?

We use a registered application in Microsoft Azure and OpenID Connect to ensure that your login is as smooth and secure as possible. The registered application will use Microsoft Graph to communicate with your O365 tenant and authenticate your login. FMI Identity never has access to your O365 credentials, and only receives enough information to validate your login.

Access rights and consent

If your organisation is configured so that users can themselves consent to an application accessing their data, then no further action is required. Upon sign-in, your users will be asked for consent to access their data, which is then used to complete the login process.

In the more likely event that your organisation does not allow all users to access the organisation's data, someone in your organisation with elevated privileges (specifically, a Global Administrator, an Application Administrator, or a Cloud Application Administrator) will need to log in first and consent on behalf of the organisation.

Sign into FMI Identity with elevated privileges and consent to SSO

  1. Sign into FMI Identity using an Azure Active Directory account with elevated privileges.
  2. Enter the account email and when prompted check “Consent on behalf of your organisation” and click the “Accept” button. 
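
After consent has been given, an administrator can check what was actually granted. The following is an added example, not FMI's code: it audits an export of Microsoft Graph `oauth2PermissionGrants` records for one application and separates organisation-wide consent from per-user consent. The expected scope set, the sample records and all ids are assumptions constructed for illustration; the article does not list the scopes FMI Identity requests.

```python
import json

# Assumption: the delegated scopes a sign-in-only OpenID Connect app needs.
# The article does not list what FMI Identity requests; set this to match
# the scopes shown on your consent prompt.
EXPECTED_SCOPES = {"openid", "profile", "email", "User.Read"}

# Constructed sample shaped like Graph GET /oauth2PermissionGrants; ids are placeholders.
SAMPLE_GRANTS = json.loads("""
{"value": [
 {"id": "grant-1", "clientId": "sp-fmi-placeholder",
  "consentType": "AllPrincipals", "principalId": null,
  "scope": "openid profile email User.Read"},
 {"id": "grant-2", "clientId": "sp-fmi-placeholder",
  "consentType": "Principal", "principalId": "user-placeholder",
  "scope": "User.Read Mail.Read"},
 {"id": "grant-3", "clientId": "sp-other-placeholder",
  "consentType": "AllPrincipals", "principalId": null,
  "scope": "Directory.Read.All"}
]}
""")


def audit_grants(grants, client_id, expected=EXPECTED_SCOPES):
    """Return one finding per delegated grant held by client_id."""
    findings = []
    for grant in grants.get("value", []):
        if grant.get("clientId") != client_id:
            continue
        # Graph stores the granted scopes as one space-separated string.
        scopes = set((grant.get("scope") or "").split())
        findings.append({
            "grant": grant.get("id"),
            # AllPrincipals: admin consented tenant-wide; Principal: one user.
            "tenant_wide": grant.get("consentType") == "AllPrincipals",
            "principal": grant.get("principalId"),
            "unexpected_scopes": sorted(scopes - set(expected)),
        })
    return findings


def needs_review(findings):
    """Ids of grants that carry scopes outside the expected set."""
    return [f["grant"] for f in findings if f["unexpected_scopes"]]


if __name__ == "__main__":
    for finding in audit_grants(SAMPLE_GRANTS, "sp-fmi-placeholder"):
        print(finding)
```

In the constructed sample, the organisation-wide grant matches the expected set, while the per-user grant carrying `Mail.Read` is flagged for review.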


Turning on Multi-factor Authentication

If your organisation would like to turn on MFA for FMI Works, this can be done through Azure. Note that Azure will only allow conditional access policies to function with FMI Works where MFA is turned on for all cloud applications.