000029260 - How to integrate Microsoft Office 365 with AD FS 3.0 and RSA Authentication Agent 1.0 for AD FS

Document created by RSA Customer Support Employee on Jun 14, 2016
Last modified by RSA Customer Support Employee on Apr 21, 2017
Version 2

Article Content

Article Number: 000029260
Applies To:
RSA Product Set: SecurID
RSA Product/Service Type: RSA SecurID Authentication Agent for AD FS
RSA Version/Condition: 1.0
Issue: How to integrate Microsoft Office 365 with AD FS 3.0 and RSA SecurID Authentication Agent 1.0 for AD FS.
To set up the RSA AD FS agent, these RSA resources are available:
RSA Authentication Agent for AD FS download
RSA Secured
RSA Auth Agent 1.0 for Microsoft AD FS 3.0 Imp guide

To set up Office 365 to integrate with AD FS 3.0, refer to Microsoft or resources such as:

Notes: Through the AD FS Management tool, one can set a global authentication policy that applies to all relying party apps, or a per-relying-party trust policy that applies to a specific relying party app. The first screen shot below shows an example of a global policy configured to require all extranet users to use multi-factor authentication when accessing any web app protected by AD FS.


Note the extranet and intranet checkboxes. Extranet means that the authentication request is coming through a Web Application Proxy (see https://technet.microsoft.com/en-us/library/hh831502.aspx). MFA policy can also be applied to specific users and groups as well as to registered and unregistered devices. (Device registration is Microsoft’s lightweight domain registration support where a device like an iPhone can be registered and used as an authentication factor.) When requiring a user or group to use MFA, it is Active Directory users and groups that are used. (AD FS can be thought of as an IDP for Active Directory.)


The second screen shot shows an example of an MFA policy defined for a specific relying party app, Outlook Web App (OWA). The policy requires that external users of OWA perform a SecurID authentication. Internal users of OWA are not required to perform a SecurID authentication. OWA is an example of an Office 365 web app.
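
The global and per-relying-party MFA policies described above can also be set from PowerShell on the AD FS server. The following is an added example, not taken from the RSA article or implementation guide; the provider name and relying party trust name are placeholders (assumptions) to be replaced with the values that Get-AdfsAuthenticationProvider and Get-AdfsRelyingPartyTrust report in your farm.

```powershell
# Added example: run in an elevated PowerShell session on the primary AD FS 3.0 server.
Import-Module ADFS

# Placeholders (assumptions, not from the article). Replace with real values from
# Get-AdfsAuthenticationProvider and Get-AdfsRelyingPartyTrust.
$ProviderName = '<SECURID-PROVIDER-NAME>'
$OwaTrustName = '<OWA-RELYING-PARTY-TRUST-NAME>'
$Scope        = 'RelyingParty'   # 'Global' = all relying parties, 'RelyingParty' = OWA only

# Claim rule: a request that arrived through the Web Application Proxy (extranet)
# carries insidecorporatenetwork = false; for those requests, demand MFA.
$ExtranetMfaRule = @'
c:[Type == "http://schemas.microsoft.com/ws/2012/01/insidecorporatenetwork", Value == "false"]
 => issue(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod",
          Value = "http://schemas.microsoft.com/claims/multipleauthn");
'@

# Stop early if the agent's authentication provider is not registered with AD FS.
$provider = Get-AdfsAuthenticationProvider | Where-Object { $_.Name -eq $ProviderName }
if (-not $provider) {
    throw "Authentication provider '$ProviderName' is not registered on this AD FS server."
}

# -AdditionalAuthenticationProvider replaces the whole list, so merge with what is
# already enabled instead of overwriting other MFA providers.
$current = @((Get-AdfsGlobalAuthenticationPolicy).AdditionalAuthenticationProvider)
$merged  = @($current + $ProviderName | Where-Object { $_ } | Select-Object -Unique)
Set-AdfsGlobalAuthenticationPolicy -AdditionalAuthenticationProvider $merged

if ($Scope -eq 'Global') {
    # Global policy: extranet users need MFA for every app protected by AD FS.
    Set-AdfsAdditionalAuthenticationRule -AdditionalAuthenticationRules $ExtranetMfaRule
    Get-AdfsAdditionalAuthenticationRule
}
else {
    # Per-relying-party policy: only external users of this one app need MFA.
    $trust = Get-AdfsRelyingPartyTrust -Name $OwaTrustName
    if (-not $trust) { throw "Relying party trust '$OwaTrustName' was not found." }
    Set-AdfsRelyingPartyTrust -TargetName $OwaTrustName `
        -AdditionalAuthenticationRules $ExtranetMfaRule
    (Get-AdfsRelyingPartyTrust -Name $OwaTrustName).AdditionalAuthenticationRules
}
```

The final command in each branch prints the stored rule so the change can be checked against what the AD FS Management tool shows for the same policy.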