Integrate Mobile Microsoft Office 365 applications

Identity as a Service supports accessing Microsoft Office applications by logging in to your Microsoft Office 365 account. Once configured, a user can log in to the Microsoft Office 365 account through Identity as a Service authentication. There are some exceptions which are described in the sections below.

● The Microsoft Office applications supported are accessible through ActiveSync authentication or Modern authentication (ADAL).

● Identity as a Service supports ActiveSync authentication using an Active Directory or Identity as a Service password. With it, users can access their Microsoft Office 365 email accounts that require Identity as a Service authentication. With ActiveSync, email changes to the email account are automatically synced to the mobile device. The mobile application remains logged in to the Microsoft Office 365 account once ActiveSync is configured.

Note: ActiveSync supports password authentication only. Second-factor authentication cannot be used with ActiveSync.

Note: This guide was tested using previous versions of Identity as a Service and Microsoft Office 365. Other versions of Microsoft Office 365 may require integration and configuration steps that differ from those documented in this procedure. For newer versions of Microsoft Office 365, this integration guide may be used as an initial approach for integrating Microsoft Office 365. In the event of other issues, contact support@entrust.com for assistance.

● A user's Identity as a Service, Microsoft Office 365, and email application account must be configured for Microsoft Office 365 for ActiveSync to work. You must Integrate Microsoft Office 365 before your integrate mobile Microsoft Office 365 applications with Identity as a Service.

To integrate mobile Microsoft Office 365 applications with Identity as a Service, you must do the following:

Step 1: Complete the steps in Integrate Microsoft Office 365

Step 2: Configure Microsoft Outlook for modern authentication

Configure Microsoft Outlook for modern authentication

Complete this procedure to configure Microsoft Outlook for modern authentication on a Windows desktop machine. The setup involves entering PowerShell commands to configure the Windows operating system to support modern authentication to Microsoft Outlook.

Follow these instructions https://learn.microsoft.com/en-us/exchange/clients-and-mobile-in-exchange-online/enable-or-disable-modern-authentication-in-exchange-online to enable modern authentication. If using Powershell, this will include entering the following command

Set-OrganizationConfig –OAuth2ClientProfileEnabled $true

Note: A setting of true turns on MFA on users under federated domain.

Note: Each of these commands might take some time to run depending on connectivity to MS cloud.

Once these commands have been entered, a user can login to their Microsoft Outlook account on that desktop device. See the Identity as a Service User Help for instruction on logging in to Microsoft Office applications.

Step 3: Enable modern authentication for Microsoft Office 2013 applications

Enable modern authentication for Office 2013 applications

Any device with a Windows operating system requires additional configuration to support modern authentication to Microsoft Office 2013 applications. Modern authentication is required to allow users to login to Office 365 accounts on their application through Identity as a Service authentication.

This is achieved by setting up registry keys on each device. Office 2016 applications support modern authentication by default and do not require additional setup, with the exception of Microsoft Outlook.

1. Log in to your desktop computer.

2. Access the Windows Start menu.

3. Click the search icon and enter regedit into the search bar. regedit.exe appears.

4. Click on regedit.exe. A pop-up window appears asking you to confirm approval for the application to run.

5. Click Yes. The Registry Editor dialog box appears.

6. Go to HKEY_Current_User\Software\Microsoft\Office\15.0\Common\Identity. The registry files at that location appear.

7. Two new REG_DWORD keys must be created if they are not already shown: EnableADAL and Version. To create either key:

a. Right-click in the window displaying the list of files.

b. Select New and DWORD (32-bit) Value. A new REG_DWORD file is listed in the window.

c. Rename the file to EnableADAL or Version.

Important: The name of the file must match EnableADAL or Version exactly. Authentication will fail if the name is not an exact match.

d. Optional: Repeat steps a-c to create the second file if required.

You should now have two REG_DWORD files: EnableADAL and Version.

8. Enable both files by completing the following steps for each one:

a. Right-click the file and select Modify. The Edit DWORD (32-bit) Value dialog box appears.

b. Enter 1 into the Value data field of the registration key.

c. Click OK. The Registry Editor dialog box displays the new value in brackets in the Data column of the registry key.

d. Repeat steps a-c for the second registry key.

9. Close the Registry Editor dialog box.

The device now supports modern authentication to Office 2013 applications. It can now be used to log in to an Office 2013 application account through Identity as a Service authentication. See the Identity as a Service User Help for instructions on logging in to a Microsoft Office application.

Configure Microsoft Exchange for Identity as a Service authentication

Complete the following steps to configure an Exchange email account for Identity as a Service authentication on your mobile device. The same steps can be used to configure an Android or iOS email client. These steps are general guidelines as the procedure may vary depending on your device.

1. Access the mobile device with the email application you want to configure.

2. Tap Settings. The device Settings appears.

3. Locate the Accounts setting.

4. Click Add account.

5. Under Accounts, tap Exchange. The Exchange page appears.

6. Tap Account settings. The email Settings page appears.

7. Tap Add account. The Set up email page appears.

8. Tap Exchange and Office 365. A new page appears prompting you to enter your email address.

9. Enter your email address. In most cases, the email address required is the User Principal Name (UPN) that you created in Step 1: Create a custom user attribute in Integrate Microsoft Office 365 with Identity as a Service.

Note: You need to ensure that your User ID is your Identity as a Service User ID. For example, if your Microsoft UPN is alicegrey@mymicrosoftdomain.com and your Identity as a Service userID is agrey, then enter agrey@mymicrosoftdomain.com

10. Tap Next. A new page appears prompting you to enter a password.

11. Enter your Identity as a Service or Active Directory password. This is the password registered to you on your Identity as a Service account. After processing your email address and password, the Incoming server settings page appears.

12. Enter or confirm the following values are entered into the required information fields. Do not change the values in the other information fields:

Information field	Required value
Domain\Username	<Identity as a Service UserID>@<Domain name from UPN email address>
Password	<Identity as a Service or Active Directory password registered on your Identity as a Service account.>
Server Note: The Server field is not a required field when configured on iOS devices. While not required, it is recommended that a value be entered to ensure the O365 ECP is set up correctly.	outlook.office365.com

13. Click Next. The application validates the account information entered. A new page appears confirming the exchange account has been configured successfully.

14. Click Next. The new email account is listed on the email Settings page.

Integrate mobile Microsoft Office 365 applications with Identity as a Service

Step 1: Complete the steps in Integrate Microsoft Office 365

Step 2: Configure Microsoft Outlook for modern authentication

Step 3: Enable modern authentication for Microsoft Office 2013 applications