Setting up Microsoft Single sign-on with optional two-factor authentication

We have different resources available, depending on whether you would like to set up Single sign-on with optional two-factor authentication, or just two-factor authentication.

If you wish to set up Google single sign-on with two-factor authentication, see our other guide.

Follow the instructions below to set up Microsoft single sign-on with two-factor authentication.

How long will it take?

  • Completing the preparation checklist - varies depending on the actions needed; updating staff email addresses can take time
  • Switch on SSO - 2 minutes
  • Switch on Two-factor authentication - 2 minutes
  • Add IP Whitelisting - 2 minutes

Permissions

  • You'll need either the Staff: User Details: Administer or School: General Admin: Administer permissions to set this up on the School MIS - if you don't have the permission, you'll need to ask your admin team to give you permission using these instructions.
  • You'll need the User Details: Manage All Users permission to set this up on the MAT MIS - if you don't have the permission, someone will need to assign you a new Business Role that contains this permission.


What is Microsoft Single sign-on (SSO)?

Microsoft SSO is a secure authentication system that is free to use and makes logging in easier for your staff, because they can sign in to Arbor using their Microsoft account. You must have staff accounts in an Azure Active Directory (AD) tenant to be able to use this feature. You might be able to get Azure AD for free if you will only be using it for SSO; you can see more details about this here.

We strongly recommend using two-factor authentication with single sign-on. This adds an extra layer of security when logging in: even if someone else knows a staff member’s email address and password, they won’t be able to log in without the code generated by the authenticator app (see the section below).

If you have single sign-on enabled, your staff can still log into the MIS in the standard way (using their email address and password) if they prefer. See this article for how they can do this.

Two-factor authentication

Two-factor authentication adds an extra layer of security to your MIS. It is designed to ensure that your staff are the only people who can access their accounts, because logging in also requires a code generated on their phone, even if someone else knows their Arbor password.

We recommend Google Authenticator as it’s free, but you can use other authentication applications instead, such as Microsoft Authenticator or Authy.

You can set it so that only people logging in with a username and password need to use two-factor authentication, while users signing in with single sign-on don't.

IP whitelisting

As part of two-factor authentication, you can use IP whitelisting to make it quicker for your staff to log in when they are at your site. You can allow staff to log into the MIS from your public/external IP address without needing to complete the second step of the two-factor authentication.

IP Whitelisting allows you to create lists of trusted IP addresses or IP ranges from which your staff can access your MIS. When using a trusted IP address, the second step of the two-factor authentication is not required, and your staff will only need to input their email/username and password (no verification code needed) to log in.


Who can set up these features?

Microsoft Single Sign-On and Two-factor authentication are available for all schools to set up and use no matter what package you've purchased.

Please note that we're not able to help you with any issues you might have with your Microsoft setup - if you're having trouble, please contact Microsoft support.


Before setting up single sign-on

There are some steps you must complete before you start using Microsoft single sign-on and two-factor authentication.

  1. Make sure your staff accounts are in Azure AD - You must have staff accounts in an Azure Active Directory (AD) tenant to be able to use this feature. You might be able to get Azure AD for free if you will only be using it for SSO; you can see more details about this here.
  2. Check staff have their Microsoft email as their default work email address - Your staff will need to use their Microsoft email address to log into Arbor using Microsoft single sign-on. Set each staff member’s Microsoft email address as their Work and Default email address on their Staff Profile. We match on User Principal Name (UPN) in Microsoft Azure, so the email address that is recorded as the UPN in Microsoft needs to match the default work email address recorded against the Staff profile in Arbor. Every staff member’s email must be different. See our article on adding email addresses for more help. If you turn on single sign-on and two-factor authentication before you change your staff’s email address, they may not be able to log on.
  3. Let your staff know of any changes - If you’ve changed any staff’s default email addresses, they’ll only be able to log in using this new email address. Let your staff know what email address to log in with.
  4. Check staff know their password (if you’ll be using two-factor authentication) - During the first login, staff will be asked to verify their identity by filling in their Arbor password. This is only done once, and only if you have two-factor authentication enabled.
  5. Ask staff to download your authentication app (if you’ll be using two-factor authentication) - Your staff will need to have downloaded the authentication app you’ll use (e.g. Google Authenticator) so they can receive their access code to log in if you’ll be using two-factor authentication. If they have not downloaded the app and completed the setup, your staff will not be able to log in.
  6. Find out your IP address (optional) - This is required if you choose to use IP whitelisting. Find out your IP address by typing ‘What is my IP’ into Google. Remember that the result depends on where you currently are, so the IP address will be different at a different location.


Setting up single sign-on

Step 1 - Turn on single sign-on

To get to the setup page, go to:

  • School > Users & Security > Users > Single Sign-On Setup on the School MIS
  • Group Staff > Users & Security > Authentication Setup > Single Sign-On Setup on the MAT MIS


To enable single sign-on, click the Enable logging in with box and select Microsoft. Then click the Save settings button at the bottom of the page.


When your staff log in, they can select the Log in with Microsoft option to log in using their Microsoft work account.

Top Tip: If at any point in the future you would like to switch off Microsoft SSO, just change this back to the ‘Do not enable single sign-on’ option.


Step 2 (optional) - Turn on Two-factor authentication

You can turn on two-factor authentication from the same page you used to set up single sign-on. Go to:

  • School > Users & Security > Users > Single Sign-On Setup on the School MIS
  • Group Staff > Users & Security > Authentication Setup > Single Sign-On Setup on the MAT MIS

To turn on two-factor authentication, click the Enable two-factor authentication using… box and select Authentication app, then click the Save settings button.

Tick the Bypass two-factor authentication for SSO accounts? box if you want to require two-factor authentication only when logging in with the Arbor username and password, and not when logging in with single sign-on (SSO).


Once staff have set up the app, they will need to enter the security code from their app into Arbor when they log in.

Top Tip: If at any point in the future you would like to switch two-factor authentication off, change this back to the ‘Do not enable two-factor authentication’ option.


Step 3 (optional if using two-factor authentication) - Add IP Whitelisting

Using this section, you can add your IP address (or a range of addresses) to your whitelist.

Top Tips:

  • Find out your IP address by typing ‘What is my IP’ into Google.
  • You must use your public/external IP, not a private or internal IP.

IP Whitelisting allows you to create lists of trusted IP addresses or IP ranges from which your staff can access your MIS without the need to use two-factor authentication. When using a trusted IP address, the second step of the two-factor authentication is not required, and your staff will only need to log in using their standard login email and password, with no verification code required.

When using a different IP address, they will still need to complete the second step of two-factor authentication when logging in.

Click +Add in the IP Whitelist section.


In the slide over, type in the IP address and click the Save changes button.
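To make the interaction between the two-factor setting, the Bypass two-factor authentication for SSO accounts? tick box and the IP whitelist concrete, here is an added Python model of the login decision (example code written for this article, not Arbor's own). The list of internal ranges it rejects and the sample school addresses are constructed assumptions.

```python
import ipaddress

# Internal/private ranges that must never appear in the whitelist
# (the guide says to use the site's public/external IP, not an internal one).
INTERNAL_RANGES = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16")]


def parse_whitelist(entries):
    """Turn whitelist entries (single IPs or CIDR ranges) into networks,
    rejecting anything that overlaps a private/internal range."""
    networks = []
    for entry in entries:
        net = ipaddress.ip_network(entry, strict=False)
        if any(net.overlaps(internal) for internal in INTERNAL_RANGES):
            raise ValueError(f"{entry} is a private/internal address; "
                             "whitelist the school's public IP instead")
        networks.append(net)
    return networks


def is_trusted_ip(client_ip, networks):
    """True when the connecting address falls inside a whitelisted range."""
    addr = ipaddress.ip_address(client_ip)
    return any(addr in net for net in networks)


def second_factor_required(login_method, client_ip, networks,
                           two_factor_enabled=True, bypass_for_sso=False):
    """Decide whether the authenticator code is needed for this login.

    login_method is "password" (Arbor username and password) or "sso"
    (Log in with Microsoft). Mirrors the three settings on the setup page:
    two-factor on/off, the SSO bypass tick box, and the IP whitelist."""
    if not two_factor_enabled:
        return False
    if login_method == "sso" and bypass_for_sso:
        return False
    # From a trusted site address only email/username and password are needed.
    return not is_trusted_ip(client_ip, networks)


# Constructed sample: a school's public address and a small public range.
SCHOOL_WHITELIST = parse_whitelist(["203.0.113.10", "198.51.100.0/24"])
```

Staff on any other address (for example working from home) still have to complete the second step, which is the behaviour the whitelist is meant to preserve.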
