Requirements for single sign-on
To use single sign-on, you must:
- Have Active Directory deployed and running on Windows Server 2003, Windows Server 2008, or Windows Server 2008 R2, with a functional level of mixed or native mode.
- Plan for and deploy AD FS 2.0 on Windows Server 2008 or Windows Server 2008 R2. Also, if the user is connecting from outside your company’s network, you must deploy an AD FS 2.0 proxy.
- Use the Microsoft Online Services Module for Windows PowerShell to establish a trust with Office 365.
- Install the required updates for Office 365 from the Office 365 downloads page to ensure that your users are running the latest updates for Windows 7, Windows Vista, or Windows XP. To access the Office 365 downloads page, sign in to the Office 365 portal and, under Resources, click Downloads. The features in Office 365 will not work properly without the appropriate versions of operating systems, browsers, and software. For more information, see Software requirements for Office 365, Set up your desktop for Office 365, and Manually update and configure desktops for Office 365.
Prepare Active Directory
Active Directory must have certain settings configured in order to work properly with single sign-on. In particular, the user principal name (UPN), also known as a user logon name, must be set up in a specific way for each user.
Depending on how each of your domains is configured, you may need to do the following:
- The UPN must be set, and the user must know it.
- The UPN domain suffix must be under the domain that you choose to set up for single sign-on.
- The domain you choose to federate must be registered as a public domain with a domain registrar or within your own public DNS servers.
- To create UPNs, follow the instructions in the Active Directory topic Add User Principal Name Suffixes. Keep in mind that UPNs that are used for single sign-on can only contain letters, numbers, periods, dashes, and underscores.
- If your Active Directory domain name is not a public domain (for example, it ends with a “.local” suffix), you must set a UPN to have a domain suffix that is under a domain name that can be registered publicly. We recommend that you use something familiar to your users, such as their email domain.
- If you have already set up Active Directory synchronization, the user’s Office 365 UPN may not match the user’s on-premises UPN defined in Active Directory. To fix this, rename the user’s Office 365 UPN using the Set-MsolUser cmdlet in the Microsoft Online Services Module for Windows PowerShell.
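As an added example that is not part of the original article, the following PowerShell script checks each on-premises user's UPN against the rules above (a UPN is set, the prefix uses only letters, numbers, periods, dashes, and underscores, and the suffix is under the federated domain). It assumes the Active Directory module on Windows Server 2008 R2 and uses contoso.com as a placeholder for your registered public domain.

```powershell
# Added example, not from the original article. Assumes the ActiveDirectory
# module (Windows Server 2008 R2) and that contoso.com is the publicly
# registered domain chosen for single sign-on (placeholder; replace it).
Import-Module ActiveDirectory

$FederatedDomain = 'contoso.com'          # assumption: your federated public domain
$AllowedPrefix   = '^[A-Za-z0-9._-]+$'    # letters, numbers, periods, dashes, underscores

# Returns $null when the UPN is usable for single sign-on, otherwise a
# short description of the problem that must be fixed before federating.
function Test-SsoUpn {
    param([string]$Upn)

    if (-not $Upn) { return 'UPN is not set' }

    $parts = $Upn.Split('@')
    if ($parts.Count -ne 2) { return 'UPN is not in user@domain form' }
    $prefix = $parts[0]
    $suffix = $parts[1]

    if ($prefix -notmatch $AllowedPrefix) {
        return 'prefix contains characters not allowed for single sign-on'
    }
    if ($suffix -ne $FederatedDomain -and -not $suffix.EndsWith(".$FederatedDomain")) {
        return "suffix '$suffix' is not under $FederatedDomain (for example, a .local suffix)"
    }
    return $null
}

# Report every enabled user whose current UPN would not work with single
# sign-on, together with a suggested UPN under the federated domain.
Get-ADUser -Filter {Enabled -eq $true} -Properties UserPrincipalName |
    ForEach-Object {
        $problem = Test-SsoUpn $_.UserPrincipalName
        if ($problem) {
            New-Object PSObject -Property @{
                SamAccountName = $_.SamAccountName
                CurrentUpn     = $_.UserPrincipalName
                Problem        = $problem
                SuggestedUpn   = "$($_.SamAccountName)@$FederatedDomain"
            }
        }
    } |
    Select-Object SamAccountName, CurrentUpn, Problem, SuggestedUpn |
    Format-Table -AutoSize

# To apply a suggested UPN on premises after adding the suffix to the forest:
# Set-ADUser -Identity <SamAccountName> -UserPrincipalName <SuggestedUpn> -WhatIf
```

The script only reports; remove -WhatIf from the commented Set-ADUser line once you have reviewed the list, and then align the Office 365 UPN as described in the last bullet above.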