Two-Factor Authentication
for Microsoft Office 365 Logins (ADFS)


Find out why our Two-Factor Authentication is the best, some key-facts for developers and why you should upgrade to SecSign for your business.

Learn more about the options of on-premise use and your own customized ID App in your corporate design.

Download the plugin as cloud version for a free and convenient protection.

Active Directory Federation Services are used for local user management (for example Active Directory or LDAP) in companies for the authentication of web and cloud services (for example Office 365).

But with added convenience comes an increase in security threats. Just one insufficiently secured user account is enough to give attackers access to an immense amount of sensitive company data.

So how do you protect cloud access while keeping the authentication simple and compliance high?

Use your local Active Directory for authentication at cloud services and secure access with our SecSign ID on-premise Two-Factor Authentication server.

The authentication is redirected via the Active Directory, secured with the on-premise SecSign ID server. The authentication takes place on the local SecSign ID server.
That way all user can be managed and controlled local in the Active Directory. No sensitive data is ever transmitted to the cloud service.
Try out the Login with the ADFS in our test environment.



Learn more about the SecSign ID Identity Federation System for cloud solutions:
Efficient protection for all logins and convenient management of ALL users and ALL applications.

Secure Logins have never been so easy

Introducing SecSign ID for Office 365 logins.
Protect access with our simple touch authentication and intuitive authentication rules, defined by you.
Compliance can easily be enforced and attacks to your company logins are rendered impossible.
The following video gives an overview on the authentication process. The complex process can easily be integrated in a few simple steps.

Try the secure Two-Factor Authentication for the Office 365 login. You can experience the functionalities in our test environment with your SecSign ID.

Contact us

Table of contents

    The SecSign ID Plugins offers true Two-Factor Authentication (2FA) and adds an additional security layer by transforming the users mobile device to a physical token for the authentication.

    1. Installation

    Common steps for the integration with Microsoft Office 365 are explained here:

    1On the Windows Server run the Server Manager, Add Roles and Features. Please check the following options additionally to those selected per default already:

    1. Server roles:
      • Active Directory Domain Services
      • Active Directory Federation Services
      • Web Server (IIS)
    2. Features:
      • .NET Framework 4.5 (4.6 on Windows Server 2016) Features
        • ASP.NET 4.5
    3. Role services for Web Server (IIS)
      • Application Development
        • ASP.NET 4.5 (4.6 on Windows Server 2016)

    2Promote the server to a domain controller if not done already.

    3Install a recent Oracle Java run time enviroment from:

    4Add the SecSign ID user attribute to the Active Directory:

    5Import a certificate for HTTPS on the Windows Server.

    • Copy your private key and https certificate bundled in a p12 file (pfx) to the server and double-click it.
    • Select “Local Machine” as store location.
    • Confirm the suggested options and confirm to install the certificate.

    6Install the imported certificate for HTTPS at the Web Server (IIS).

    • Click the Windows start menu and then click “Windows Administrative Tools”.
    • Double-click the Internet Information Services (IIS) Manager.
    • Right-click the web site in the list on the left side.
    • Select Edit Bindings.
    • Add “https” and select the TLS (SSL) certificate.

    7 Sign up for a free trial (or a paid subscription) of Microsoft Office 365 at:

    • Go to the Office 365 Admin center at:
    • Add a Domain.
    • Software installation (like Microsoft Word) and e-mail address migration are not required to set up the SecSign ID federation.
    • Select “I’ll manage my own DNS records.”
    • None of the DNS entries suggested by Microsoft are required just to set up the SecSign ID federation. Select “Exit and continue later”.

    8 Install “Microsoft Azure Active Directory Connect” from:

    • Use customized settings.
    • Do not check anything at “Install required components”.
    • In “User sign-in” select: “Federation with AD FS”.
    • In “Connect to Azure AD” enter your credentials from the Office 365 sign-up.
    • In “Connect your directories” select your forest and enter your Windows administrator credentials.
    • In “Azure AD sign-in configuration” select “userPrincipalName”.
    • In “Domain and OU filtering” select “Sync all domains and OUs”.
    • In “Uniquely identifying your users” select that “Users are represented only once across all directories” and select objectGUID as source anchor.
    • In “Filter users and devices” select “Synchronize all users and devices”.
    • Do not select any optional features.
    • In “AD FS Farm” load your private key and certificate from a p12 file (pfx) and select a subject name. This must be a host name in the public DNS pointing to this server.
    • In “AD FS Servers” select your Windows Server.
    • Skip the installation of a Web application proxy server.
    • Enter you Domain administrator credentials in the next dialog.
    • Enter the same credentials again in “AD FS service account”.
    • Select your Azure AD domain.
    • Select to start the synchronization process, do not select staging and click “Install”.
    • Create the necessary DNS entries or just exit and do it later as needed.

    9 Install “Active Directory module for Windows Powershell”. (On a domain controller this is installed already.)

    • Run the Server Manager and open the “Add Roles and Features Wizard”.
    • In the “Features” dialog unfold: Remote Server Administration Tools, Role Administration Tools and select: Active Directory module for Windows Powershell

    10 Install “Azure Active Directory Connection” from: and download & install AdministrationConfig-V1.1.166.0-GA.msi

    11 Install SecSign ID Federation SAML generator.

    • Run SecSign-ID-Federation-SAML-Generator-Setup.exe.
    • Copy the pfx or p12 file containing your SAML response signing key to the folder FederatedSecSignID
    • Run regedit.exe and open the registry key:
    • Edit the value of SamlResponseSigningKeyPassword and type the password of your SAML response signing key.
    • Edit the value of SamlResponseSigningKeyFile to the path and file name of your SAML response signing key.
    • Edit the values of SecSignIDServerHostName and SecSignIDServerPort to match your SecSign ID Server.
    • Edit the values of FallbackSecSignIDServerHostName and FallbackSecSignIDServerPort to match your fallback SecSign ID Server.
      If you do not have a fallback server then please leave ‘-‘ as the value of FallbackSecSignIDServerHostName.
    • Edit the value of ServiceNameForSecSignApp. This description of the service will be displayed in the SecSign App during the log-in.

    12 Configure the federation properties by running these commands in a Powershell:

    • Extract your SAML signing certificate from a p12 file (pfx):
      Get-PfxCertificate -FilePath .p12 | Export-Certificate -FilePath secsign.cer
    • Base64 encode the certificate by running this command in a PowerShell window:
      $SECSIGNSAMLSIGNCERT = [convert]::ToBase64String((get-content secsign.cer -encoding byte))
    • Enter your credentials for the Microsoft Office 365 admin web site: connect-MsolService
    • Turn off federation temporarily to make sure that the following command will actually upload your SAML signing certificate:
      Set-MsolDomainAuthentication -DomainName -Authentication Managed
    • Set the federation settings of your domain in Microsoft Azure:

      $Domain = “
      $ActiveLogOnUri = “https:///adfs/services/trust/2005/usernamemixed”
      $FederationBrandName = “SecSign”
      $IssuerUri = “https:///FederatedSecSignID/SecSignIDLogin.aspx”
      $LogOffUri = “https:///adfs/ls/”
      $MetadataExchangeUri = “https:///adfs/services/trust/mex”
      $PassiveLogOnUri = “https:///FederatedSecSignID/SecSignIDLogin.aspx”

      Set-MsolDomainAuthentication –DomainName $Domain -IssuerUri $IssuerUri -LogOffUri $LogOffUri -PassiveLogOnUri $PassiveLogOnUri -ActiveLogOnUri $ActiveLogOnUri -FederationBrandName $FederationBrandName -MetadataExchangeUri $MetadataExchangeUri -SigningCertificate $SECSIGNSAMLSIGNCERT -Authentication Federated

    • Should you ever need to remove users of an already removed test domain from Azure and the Office 365 admin panel doesn’t allow you to do so you may use:

      Remove-MsolUser –UserPrincipalName

      More details here:

    2. Available APIS

    We provide an ever growing list of APIs and plugins to easily integrate the SecSign ID Two-Factor Authentication in any project. An overview is available at Plugin and APIs.
    We do not only offer APIs in different programming languages but also plugins for CMS, Server and VPN environments, oAuth2 and many more. These plugins use our APIs and offer additional functionalities, for example user management, easy and native installation, logging or integration in firewalls or Active Directory.

    The JIRA plugin for example uses the JAVA-API. The PHP-Api and JS-API is used by WordPress, Joomla, Drupal, Typo3 and many more. The is used for the Windows and Cisco VPN and the C-API is used for protecting Unix SSH services. The Objective-C API is used by our AppleTV and iPhone/iPad apps.


    3. See for yourself

    You can experience the SecSign ID two-factor authentication and the two-factor login by simply integrating the plugin into your website or test environment. Or you can try out the login process on our website without having to register first. You already have a SecSign ID or you want one? Login now and use the portal or use our hassle free registration.

    See for yourself how fast and convenient the login process using challenge-response authentication with 2048-bit key pairs is. There is no need for passwords, and no passwords or other confidential information are ever transmitted. It is easy to integrate and simple to use.

    For more information about the patented SafeKey procedure and it's unique security can be found here.

    If you are missing an API for the programming language you are working with, feel free to contact us and we’ll find a solution with you. If you need help with the integration into an existing system or you can’t find the plugin for your content management system you are working with, don’t hesitate to contact our support team.

    Your own ID-Server

    On premise installations of SecSign ID offer the flexibility to connect with your preferred servers, services, and devices. And you can customize the SecSign ID with your own organization’s branding.


    Why upgrade to SecSign?

    On-premise or in the cloud

    Choose between our SecSign ID Cloud or operate your own on-premise Two-Factor Authentication server.

    Easy customization

    Operate your own YourBrand ID app - Two-Factor Authentication customized to your needs.

    Ready-to-use SDK

    Integrate SecSign ID Two-Factor Authentication in existing apps with our ready-to-use SDK.

    Easy user management

    Use the Two-Factor Authentication Server to secure your company Active Directory/LDAP. Your own Identity and Access Management System, for example for mandatory updates and additional security features.

    Cover all logins

    Integration in any login environment: web, local, VPN, remote desktop, mobile logins and many more.

    Plugins for all your needs

    No need for complex integration: we have plugins for almost all environments.

    Do NOT follow this link or you will be banned from the site!