We have different resources available, depending on whether you would like to set up single sign-on with optional two-factor authentication, or just two-factor authentication.
If you wish to set up Google single sign-on with two-factor authentication, see our other guide.
Follow the instructions below to set up Microsoft single sign-on with two-factor authentication.
What is Microsoft Single sign-on (SSO)?
Microsoft SSO is a secure authentication system that is free to use and makes logging in easier for your staff because they can sign into Arbor using their Microsoft school account. Your school must have staff accounts in an Azure Active Directory (AD) tenant to be able to use this feature. You might be able to get Azure AD for free if you will only be using it for SSO. You can see more details about this here.
We strongly recommend using two-factor authentication with single sign-on. This adds an extra layer of security when logging in, which means that even if someone else knows a staff member’s Google email address and password, they won’t be able to log in without the generated authenticator app code (see the section below).
If you have single sign-on enabled, your staff can still log into the MIS in the standard way (using their email address and password) if they prefer. See this article for how they can do this.
Two-factor authentication adds an extra layer of security to your MIS. Staff log in using a code generated on their phone, which is designed to ensure that they are the only people who can access their accounts, even if someone else knows their Arbor password.
We recommend Google Authenticator as it’s free for our schools, but you can use other authentication applications instead, such as Microsoft Authenticator or Authy.
As part of two-factor authentication, you can use IP whitelisting to make it quicker for your staff to log in when they are at your school site. You can allow staff to log into the MIS from the school's IP address without needing to complete the second step of the two-factor authentication.
IP Whitelisting allows you to create lists of trusted IP addresses or IP ranges from which your staff can access your school’s MIS. When using a trusted IP address, the second step of the two-factor authentication is not required, and your staff will only need to input their email/username and password (no verification code needed) to log in.
Who can set up these features?
Microsoft Single Sign-On and Two-factor authentication are available for all schools to set up and use no matter what package you've purchased.
Please note that we're not able to help you with any issues you might have with your Microsoft setup - if you're having trouble, please contact Microsoft support.
To set up these features, you will need the following permissions:
- School: Permissions: View
- Either the Staff: User Details: Administer or School: General Admin: Administer permissions
If someone else will be setting this up, look here for how to assign these permissions on an ad-hoc basis if needed.
Setting up single sign-on
Before completing the setup
There are some steps you must complete before you start using Microsoft single sign-on and two-factor authentication.
- Make sure your staff accounts are in Azure AD - Your school must have staff accounts in an Azure Active Directory (AD) tenant to be able to use this feature. You might be able to get Azure AD for free if you will only be using it for SSO. You can see more details about this here.
- Check staff have their Microsoft email as their default work email address - Your staff will need to use their Microsoft email address to log into Arbor using Microsoft single sign-on. Set each staff member’s Microsoft email address as their Work and Default email address on their Staff Profile. Every staff member’s email must be different. See our article on adding email addresses for more help. If you turn on single sign-on and two-factor authentication before you change your staff’s email address, they may not be able to log on.
- Let your staff know of any changes - If you’ve changed any staff’s default email addresses, they’ll only be able to log in using this new email address. Let your staff know what email address to log in with.
- Check staff know their password (if you’ll be using two-factor authentication) - During the first login, staff will be asked to verify their identity by filling in their Arbor password. This is only done once, and only if you have two-factor authentication enabled.
- Ask staff to download your authentication app (if you’ll be using two-factor authentication) - Your staff will need to have downloaded the authentication app you’ll use (e.g. Google Authenticator) so they can receive their access code to log in if you’ll be using two-factor authentication. If they have not downloaded the app and completed the setup, your staff will not be able to log in.
- Find out your school’s IP address (optional) - This is required if you choose to use IP whitelisting. Find out your IP address by typing ‘What is my IP’ into Google. Remember the results depend on where you currently are, so the IP address of a school in a different location will be different.
Completing the setup
To get to the setup page go to School > Users & Security > Users > Single Sign-On Setup.
To enable single sign-on, click the Enable logging in with box and select Microsoft. Then click the Save settings button at the bottom of the page.
When your staff log in, they can select the Log in with Microsoft option to log in using their Microsoft work account.
Top Tip: If at any point in the future you would like to switch off Microsoft SSO, just change this back to the ‘Do not enable single sign-on’ option.
You can turn on two-factor authentication from the same page where you set up single sign-on. Go to School > Users & Security > Users > Two-Factor Authentication Setup.
To turn on two-factor authentication, click the Enable two-factor authentication using… box and select Authentication app, then click the Save settings button.
This means that when staff log in once they have set up the app, they will need to enter the security code from their app into Arbor to log in.
Top Tip: If at any point in the future you would like to switch two-factor authentication off, change this back to the ‘Do not enable two-factor authentication’ option.
Using this section, you can add your school IP address (or a range of addresses) to your whitelist.
Top Tip: Find out your IP address by typing ‘What is my IP’ into Google.
IP Whitelisting allows you to create lists of trusted IP addresses or IP ranges from which your staff can access your school’s MIS without the need to use two-factor authentication. When using a trusted IP address, the second step of the two-factor authentication is not required, and your staff will only need to log in using their standard login email and password, with no verification code required. This can save your staff a lot of time when logging in using a school computer!
When using a different IP address, they will still need to complete the second step of two-factor authentication when logging in.
Click +Add in the IP Whitelist section.
In the slide over, type in the IP address and click the Save changes button.
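The following Python sketch is an added example, not Arbor's code. It reviews proposed whitelist entries before you save them and shows the login decision the whitelist implies. CIDR notation for ranges, the 256-address review threshold and the sample addresses are assumptions made for illustration.

```python
import ipaddress

# Ranges that only have meaning inside a network. A hosted service sees the
# school's public address, so an entry from these ranges would never match.
INTERNAL = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918
    "100.64.0.0/10", "169.254.0.0/16", "127.0.0.0/8",  # CGNAT, link-local, loopback
)]
MAX_ADDRESSES = 256  # assumed review threshold, not a product limit


def audit_entry(entry):
    """Return a list of warnings for one proposed whitelist entry."""
    try:
        net = ipaddress.ip_network(entry.strip(), strict=False)
    except ValueError:
        return ["not a valid IP address or CIDR range"]
    warnings = []
    if net.version == 4 and any(net.overlaps(i) for i in INTERNAL):
        warnings.append("internal address: use the public IP instead")
    if net.num_addresses > MAX_ADDRESSES:
        warnings.append(f"range covers {net.num_addresses} addresses, "
                        "all of which would skip the second factor")
    return warnings


def second_factor_required(client_ip, whitelist):
    """True unless client_ip falls inside a valid whitelist entry."""
    addr = ipaddress.ip_address(client_ip)
    for entry in whitelist:
        try:
            if addr in ipaddress.ip_network(entry.strip(), strict=False):
                return False
        except ValueError:
            continue  # skip malformed entries instead of trusting them
    return True


# Constructed sample data (documentation ranges, not real school addresses).
WHITELIST = ["203.0.113.10", "198.51.100.0/28", "192.168.1.20", "203.0.0.0/8"]

if __name__ == "__main__":
    for e in WHITELIST:
        print(e, audit_entry(e) or "ok")
    # Decision using only the two entries that passed the audit.
    print(second_factor_required("198.51.100.14", WHITELIST[:2]))
    print(second_factor_required("192.0.2.77", WHITELIST[:2]))
```

Every address inside a whitelisted range logs in with a password alone, so keep each entry as narrow as the school's actual public address or range.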
- Once Single sign-on has been switched on, you can see the new process for your staff to log in here: Logging in when Microsoft Single sign-on is enabled
You can help troubleshoot and fix login issues here: Troubleshooting Two-factor authentication and Google authenticator App issues
If you receive an error when trying to log in, follow these instructions: Troubleshooting Single sign-on login errors