Working with Service accounts and Office 365 - Connect IT Community | Kaseya
<main> <article class="userContent"> <p><strong>Note</strong>: This information requires that you are setting up the Office 365 integration following this <strong><a rel="nofollow" href="https://kaseya.vanillacommunities.com/kb/articles/aliases/idagent/hc/en-us/articles/360005103357">article</a></strong>.</p> <p>If you have a Service account that you want to exclude from 2FA when working with the Office 365 SAML integration, you can exclude it using Groups & Policy.</p> <p>To complete the exclusion you will need to create a unique policy for the Office 365 SAML App.<br><br></p> <p><strong>Steps to create a Policy</strong></p> <p>First we need to create two Security Groups. If you are already using <strong>Directory Sync</strong> then you can use existing AD Security Groups. Then we can create the policy. Once we have the policy we can apply the policy to the application.<br><br></p> <p><strong>Step 1 - Create Security Groups<br></strong>If you are using existing AD Security Groups proceed to Step 2.</p> <ol><li>Log into your Passly Tenant <a href="/home/leaving?allowTrusted=1&target=https%3A%2F%2F%28your">https://(your</a> company).my.Passly.com </li> <li>Select <strong>Directory Manager</strong>.</li> <li>Select <strong>Groups</strong>.<br><img src="https://us.v-cdn.net/6032361/uploads/migrated/YW2GVJLL0ABD/blue-png.png" alt="blue.PNG" class="embedImage-img importedEmbed-img"></img></li> <li>Select the Green plus sign in the bottom right corner.<br><br></li> <li><img src="https://us.v-cdn.net/6032361/uploads/migrated/YW2GVJLL0ABD/blue-png.png" alt="blue.PNG" class="embedImage-img importedEmbed-img"></img></li> <li>Set the Name of the Group.<br>Example: <strong>Office 365 Users</strong>.</li> <li>Select <strong>Add Group</strong>.</li> <li>Select the Group by clicking its name.<br>Add all Office 365 Users to this Group by selecting the Green plus sign in the bottom right corner.<br><br></li> <li><img
src="https://us.v-cdn.net/6032361/uploads/migrated/YW2GVJLL0ABD/blue-png.png" alt="blue.PNG" class="embedImage-img importedEmbed-img"></img></li> <li>Select <strong>Add Users</strong>.</li> <li>Select <strong>Directory Manager</strong>.</li> <li>Select <strong>Groups</strong>.</li> <li>Select the Green plus sign in the bottom right corner.<br><br></li> <li><img src="https://us.v-cdn.net/6032361/uploads/migrated/YW2GVJLL0ABD/blue-png.png" alt="blue.PNG" class="embedImage-img importedEmbed-img"></img></li> <li>Set the Name of the Group.<br>Example: <strong>Office 365 Exclusion</strong>.</li> <li>Select <strong>Add Group</strong>.</li> <li>Select the Group by clicking its name.<br>Add all Office 365 exclusion accounts (service accounts) to this Group by selecting the Green plus sign in the bottom right corner.<br><br></li> <li><img src="https://us.v-cdn.net/6032361/uploads/migrated/YW2GVJLL0ABD/blue-png.png" alt="blue.PNG" class="embedImage-img importedEmbed-img"></img></li> <li>Select <strong>Add Users</strong>.</li> </ol><p><br>Once we have the Groups for inclusion and exclusion of 2FA we can build a unique policy to be applied in the SSO Manager for Office 365.</p> <p><strong><br>Step 2 - Steps to create a Policy</strong></p> <ol><li>Log into your Passly Tenant <a href="/home/leaving?allowTrusted=1&target=https%3A%2F%2F%28your">https://(your</a> company).my.passly.com </li> <li>Select Policy Manager.<br><img src="https://us.v-cdn.net/6032361/uploads/migrated/146SJX95FJZM/1-png.png" alt="1.PNG" class="embedImage-img importedEmbed-img"></img></li> <li>Select the Green plus sign in the bottom right corner.<br><br></li> <li><img src="https://us.v-cdn.net/6032361/uploads/migrated/YW2GVJLL0ABD/blue-png.png" alt="blue.PNG" class="embedImage-img importedEmbed-img"></img></li> <li>Set the Policy name.<br><img src="https://us.v-cdn.net/6032361/uploads/migrated/93BHQM685MGY/1-png.png" alt="1.PNG" class="embedImage-img importedEmbed-img"></img><br>Example Office 365 
Policy.</li> <li>Select the Policy Element. Select the Office 365 Exclusion group.<br><img src="https://us.v-cdn.net/6032361/uploads/migrated/WSK7A5L7SMYU/4-png.png" alt="4.PNG" class="embedImage-img importedEmbed-img"></img></li> <li>Set the then action.<br><img src="https://us.v-cdn.net/6032361/uploads/migrated/1CIG80ZLB750/5-png.png" alt="5.PNG" class="embedImage-img importedEmbed-img"></img></li> <li>Select <strong>Add Additional Rule</strong>.<br><img src="https://us.v-cdn.net/6032361/uploads/migrated/6LD5HHUJAFYS/6-png.png" alt="6.PNG" class="embedImage-img importedEmbed-img"></img></li> <li>Select the Policy Element. Use the Office 365 Users Group.<br><img src="https://us.v-cdn.net/6032361/uploads/migrated/QEU7IVFPM0QB/7-png.png" alt="7.PNG" class="embedImage-img importedEmbed-img"></img></li> <li>Set the then action.<br><img src="https://us.v-cdn.net/6032361/uploads/migrated/N0FTATZHF342/8-png.png" alt="8.PNG" class="embedImage-img importedEmbed-img"></img></li> </ol><p> </p> <p><strong>Step 3 - Changing the policy for the SSO application in the SSO Manager</strong></p> <ol><li>Log into your Passly Tenant <a href="/home/leaving?allowTrusted=1&target=https%3A%2F%2F%28your">https://(your</a> company).my.Passly.com </li> <li>Select SSO Manager.<br><img src="https://us.v-cdn.net/6032361/uploads/migrated/X8RT8DZNPC1H/9-png.png" alt="9.PNG" class="embedImage-img importedEmbed-img"></img></li> <li>Select the Office 365 App.<br><img src="https://us.v-cdn.net/6032361/uploads/migrated/CEJU8R93QHH1/10-png.png" alt="10.PNG" class="embedImage-img importedEmbed-img"></img></li> <li>Select Application Configuration.<br><img src="https://us.v-cdn.net/6032361/uploads/migrated/4G21BGH4LDKN/11-png.png" alt="11.PNG" class="embedImage-img importedEmbed-img"></img></li> <li>Choose the new policy from the Authentication Policy drop down.<br><img src="https://us.v-cdn.net/6032361/uploads/migrated/YNVQGKK0PEAW/14-png.png" alt="14.PNG" class="embedImage-img 
importedEmbed-img"></img></li> <li>Select Save Changes.<br><img src="https://us.v-cdn.net/6032361/uploads/migrated/1SURX84U3XSQ/13-png.png" alt="13.PNG" class="embedImage-img importedEmbed-img"></img><br><br></li> </ol><p>At this point all users in the Office 365 user group should be prompted for 2FA when accessing Office 365 via SSO or thick clients.<br><strong>Tip</strong>: You can also add elements to the second rule to include trusting devices. This would allow you to not require 2FA on thick clients on every login.</p> <p> </p> <p><strong>Other Resources</strong></p> <p><a rel="nofollow" href="https://kaseya.vanillacommunities.com/kb/articles/aliases/idagent/hc/en-us/articles/360005103357">How to Protect Office 365 with Passly</a></p> <p><a rel="nofollow" href="/home/leaving?allowTrusted=1&target=https%3A%2F%2Fkaseya.zendesk.com%2Fhc%2Fen-gb%2Farticles%2F360034788051">How can I use Passly with Office 365</a></p> </article> </main>
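<p>A review check for the two-rule policy built in Step 2, as an added example that is not part of the original article or of Passly itself. It assumes rules are evaluated top to bottom with the first match deciding; the action labels, account names, and the <code>svc-</code> naming convention are constructed for illustration.</p>

```python
# Added example: models the two-rule policy from Step 2 with constructed data.
# Assumption: rules are evaluated top to bottom and the first match decides.
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    group: str    # security group used as the policy element
    action: str   # "then" action; labels are assumed, not Passly's wording

# Rule order as built in Step 2: exclusion group first, then the users group.
POLICY = [
    Rule("Office 365 Exclusion", "skip_2fa"),
    Rule("Office 365 Users", "require_2fa"),
]

# Constructed group membership (hypothetical account names).
GROUPS = {
    "Office 365 Exclusion": {"svc-backup", "svc-scanner", "jsmith"},
    "Office 365 Users": {"jsmith", "adoe", "bchan"},
}
ALL_ACCOUNTS = {"svc-backup", "svc-scanner", "jsmith", "adoe", "bchan", "temp01"}
SERVICE_PREFIX = "svc-"  # assumed naming convention for service accounts

def effective_action(account, policy=POLICY, groups=GROUPS):
    """Return the action of the first rule whose group contains the account."""
    for rule in policy:
        if account in groups.get(rule.group, set()):
            return rule.action
    return "no_rule_matched"

def audit(accounts=ALL_ACCOUNTS):
    """Group accounts by the findings worth reviewing."""
    findings = {"bypass_not_service": [], "in_both_groups": [], "unmatched": []}
    both = GROUPS["Office 365 Exclusion"] & GROUPS["Office 365 Users"]
    for acct in sorted(accounts):
        action = effective_action(acct)
        if action == "skip_2fa" and not acct.startswith(SERVICE_PREFIX):
            findings["bypass_not_service"].append(acct)
        if acct in both:
            findings["in_both_groups"].append(acct)
        if action == "no_rule_matched":
            findings["unmatched"].append(acct)
    return findings

if __name__ == "__main__":
    for name, accts in audit().items():
        print(f"{name}: {accts}")
```

<p>Each finding is a prompt for review: an interactive user in the exclusion group, an account whose result depends on rule order, or an account covered by neither rule.</p>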