Office 365 Silent Activation: New Implementations
The steps in this topic apply to orgs that implemented this feature for the first time after September 1, 2019 (after the 2019.09.0 release). If you have implemented the Early Access version of this feature prior to the 2019.09.0 release, refer to the instructions in Office 365 Silent Activation: Old Implementations.
Okta silent activation for Microsoft Office 365 provides a seamless experience for accessing Microsoft Office on shared workstations or VDI environments. Using Okta as an identity provider, once your end users have logged into a domain-joined Windows machine, they are automatically signed into Office 365 applications.
Before you begin
- Active Directory domain(s) integrated with your Okta org. See Active Directory integration.
- Permissions in Active Directory to configure a Service Principle Name (SPN). See Microsoft doc: Delegating Authority to Modify SPNs.
- The user's Active Directory UPN must match the Office 365 UPN. The Office 365 application username can be configured to map any AD attribute. See Microsoft doc: Prepare to provision users through directory synchronization to Office 365.
- All Office 365 end users must have valid licenses.
- All end users must be assigned to the Office 365 instance associated with their specific domain.
- Users must be able to reach domain controllers.
Supported apps and configurations
- All versions of Windows currently supported by Microsoft
- Office 2016 and later
- Supported apps: Word, Excel, Outlook, OneNote, Skype for Business, PowerPoint, Access and Publisher
RC4_HMAC_MD5 encryption is not supported with AD Single Sign-On and Office 365 Silent Activation. When using ADSSO or Office 365 Silent Activation, Okta recommends using AES 128-bit (AES-128) or AES 256-bit (AES-256) encryption.
Start this procedure
This procedure includes the following main steps:
- If a Client Access Policy in Office 365 is set to deny web browsers, it will also block the silent activation.
- If your app or Okta sign-on policy requires MFA for web browsers, there will be no MFA when logging in through silent activation.
- SWA sign-on is not supported.
When creating a service account:
- For the Okta tenant Kerberos service, use a domain user account instead of a domain admin account.
- To further lock down the account, turn on the logon to restriction with a fictitious host name and mark the account as Account is sensitive and cannot be delegated.
- Sign in to a server from which you can access Active Directory Users and Computers.
Right-click the folder where you want to create the new service account and select New > User.
Create the new account with the following values:
User logon name <username> User logon name (pre-Windows 2000) <username> (can be any username)
The service account username plus domain name must be 16 characters at minimum. Additionally, admin permissions are not required for the service account, but specific permissions are needed to set the SPN. See Microsoft doc: Delegating Authority to Modify SPNs.
- Click Next.
Create a password that is a minimum of 14 characters, and check the Password never expires box.
- Click Next.
Run the following command to configure an SPN for the service account:
setspn -S HTTP/<yourorg>.kerberos.<oktaorgtype>.com <username>
Placeholder Value yourorg Your Okta org name oktaorgtype Your Okta org type. For example, okta, oktapreview, okta-emea, or okta-gov. username Username that you created in previous steps.
Example: setspn -S HTTP/atkodemo.kerberos.oktapreview.com OktaSilentActivation
Verify that the SPN is correct by running the following command:
setspn -l <username>
Enable Integrated Windows Authentication on the browser.
In Internet Explorer,
- Go to Settings > Internet Options > Advanced.
- On the Advanced tab, scroll down to the Security settings, and select Enable Integrated Windows Authentication.
Make sure that Internet Explorer can save session cookies (Internet Options > Privacy > Settings > Advanced). If it can't, neither SSO nor standard sign in can work.
Configure the Local Intranet Zone to trust Okta.
In Internet Explorer,
- Go to Settings > Internet Options > Security.
- On the Security tab, click Local Intranet > Sites > Advanced.
Add the URL for your Okta org as configured in the earlier steps.
- Click Close and OK on the other configuration options.
- Create a Global Policy Object (GPO) to roll this out to all client machines that will use Silent Activation.
In the Okta Admin Console,
- Go to Security > Delegated Authentication.
- On the Delegated Authentication page, click the Active Directory tab.
- Scroll down to the Agentless Desktop SSO and Silent Activation section and click Edit.
- Under Active Directory Instances, find the instance for which you configured the service account.
Configure this instance with the following username format:
Field Value Desktop SSO Enabled Service Account Username
This is the Active Directory sign-on name that you created in STEP 1, without any domain suffix or Netbios name prefix. It can be the sAMAccountName or the username part of the UPN. These two may be the same string unless the org admin chose to use different values. This field is case sensitive. When the UPN prefix differs from sAMAccountName, the service account username needs to be the same as the UPN and include the domain suffix. For example, agentlessDsso@mydomain.com.
Service Account Password Your Active Directory password
Kerberos authentication is now enabled for the Office 365 app instance.
In the Okta Admin Console,
- Go to Applications > your Office 365 app instance > Sign on tab > Edit.
- In the Silent Activation section, select the check box to enable silent activation for the app instance.
- Save the settings.
Silent Activation is now enabled for the Office 365 app instance.
Run the Office 365 Client.
On a machine that has an Office 2016 client installed,
Confirm the authentication through Kerberos endpoint in Okta.
In the Okta Admin Console
You have now successfully set up Silent Activation for Office 365.