SharePoint Online authentication setup
The following instructions do not apply when you configure Microsoft SharePoint Online using Modern Authentication. For Kerberos constrained delegation (KCD), which allows for single sign-on credential-less access to network resources from devices, only Active Directory Federation Service (ADFS) authentication to Microsoft SharePoint Online is supported.
Configure delegation using the BEMS service account (for example, BEMSAdmin). When adding Kerberos delegation constraints for Docs service users, add the ADFS server HTTP service. Do not add Microsoft SharePoint Online servers for delegation here.
For non-KCD configurations, where users enter their credentials on the device, both DirSync with Password Hash and ADFS authentication mechanisms to Microsoft SharePoint Online are supported. No extra authentication-related steps are required to use this configuration.
ADFS version and location
Refer to the version of Microsoft Windows that is installed in your environment to verify which version of ADFS is required. The ADFS server is automatically identified by the Docs service based on the Microsoft SharePoint Online location and does not need to be specified.
ADFS HTTPS certificate
If your ADFS server uses a self-signed certificate for HTTPS communication, the certificate must be added as a trusted CA on the computer hosting
To add the certificate, navigate to the Microsoft IIS Manager on the computer hosting ADFS, then go to Server Certificates and export the certificate to a file. On the computer hosting BEMS, import this certificate into the trusted CA list.
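The import step above can be gated on a few checks, shown here as an added PowerShell example that is not part of the vendor documentation: it confirms the exported file is the certificate you intended before trusting it machine-wide. The file path and thumbprint are placeholders you supply, and it assumes "trusted CA list" means the Local Machine Trusted Root Certification Authorities store.

```powershell
# Added example, not vendor code. Run elevated on the computer hosting BEMS.
param(
    [Parameter(Mandatory)] [string] $CerPath,             # exported file, e.g. C:\Temp\adfs-https.cer (placeholder)
    [Parameter(Mandatory)] [string] $ExpectedThumbprint   # read on the ADFS server, passed out-of-band
)
$ErrorActionPreference = 'Stop'

$path = (Resolve-Path -LiteralPath $CerPath).Path
$cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($path)

# Normalise the expected value: thumbprints copied from a dialog may carry spaces or mixed case.
$expected = ($ExpectedThumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()

# 1. The file must be the certificate you meant to export, not a swapped one.
if ($cert.Thumbprint -ne $expected) {
    throw "Thumbprint mismatch: file has $($cert.Thumbprint), expected $expected."
}
# 2. Only the public certificate belongs on the BEMS host.
if ($cert.HasPrivateKey) {
    throw 'File contains a private key. Re-export the certificate without the private key.'
}
# 3. The procedure is for self-signed certificates; otherwise trust the issuing CA instead.
if ($cert.Subject -ne $cert.Issuer) {
    throw "Not self-signed (issuer: $($cert.Issuer)). Import the issuing CA certificate instead."
}
# 4. An expired or not-yet-valid certificate will still fail HTTPS validation.
$now = Get-Date
if ($now -lt $cert.NotBefore -or $now -gt $cert.NotAfter) {
    throw "Certificate is outside its validity period ($($cert.NotBefore) to $($cert.NotAfter))."
}

# Assumption: "trusted CA list" is the machine's Trusted Root Certification Authorities store.
$store = 'Cert:\LocalMachine\Root'
if (Get-ChildItem -Path $store | Where-Object Thumbprint -eq $cert.Thumbprint) {
    Write-Output "Already trusted: $($cert.Subject) [$($cert.Thumbprint)]"
} else {
    Import-Certificate -FilePath $path -CertStoreLocation $store | Out-Null
    Write-Output "Imported: $($cert.Subject) [$($cert.Thumbprint)], expires $($cert.NotAfter)"
}
```

Because a self-signed certificate in the root store is trusted for everything it can sign, record the thumbprint and expiry date so the entry can be removed when the ADFS certificate is replaced.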
Once you deploy Microsoft SharePoint Online, you’re ready to configure the Docs service for your Microsoft SharePoint Online users.