Office 365 configuration sso


Hello can someone explain how it works?

For instance is possible to have diferent domains (ex: ucs domain -> domain.local and office365



that is possible and works out of the box. The installation wizard will ask about the external domain you want to set up and configure the app respectively. Have you seen our technical blog post about the Office 365 App?

If you still have questions, feel free to ask them here


Yes and i follow the wizard… but i’m missing something…
I have one working domain for emails ->
I have one external domain pointing to ucs ->
I have one ucs domain -> domain.local

I then add the external domain to active directory an verified it.

But i only can create email address with user@domain.local and in office365 tab i can’t write the office365 email address that sould be something like, the user is created in azure but with and should be

In office365 i have 3 domains


The local part of the users primary email address together with the domain that you configured in the UCS Office365 Wizard define the users userPrincipalName in your Azure domain.

If you want to add and sync an additional email address with arbitrary domain names for a user, you can enter it as alternative e-mail address in the users Advanced Settings -> Mail -> Alternative e-mail address

Does this help, or did i misunderstand your request?


First, why i must use a domain that must be verified but can’t be the primary?
The problem is that i use the primavery email address as prodution and is that email that i want the user use…

And for old users the sso is enough to active the office365?



The verification is a requirement from Microsoft Azure. In the UMC module ‘Mail’, you can add a new mail domain object with your primary domain. Afterwards, it is possible to configure the primary mail address of a user with that domain in UCS


I think i don’t understand…
But two notes

  • i don’t have mail configured in ucs
  • even if i configured mail in ucs when i create the user then must create the user and force that email instead the domain.local?


I create the second domain
I add an user and force the email to be but in azure the user was create with the federated domain…


IMHO in Office 365 you can use secondary email addresses for email as well.

If you wish to use as the domain part of the UPN, you have to configure to the be federated domain and rerun the configuration wizard using that.


The problem is the wizard won’t work with primary domain active…
In office i can add and change the primary email of the user… but for that i create the user by hand too… and changing that will not break the sso ?


When execute the following cmd
i get this

Traceback (most recent call last):
File “/usr/share/univention-office365/scripts/print_users_and_groups”, line 158, in
File “/usr/share/univention-office365/scripts/print_users_and_groups”, line 119, in print_users_and_groups
member = ah.list_groups(objectid=member_id)
File “/usr/lib/pymodules/python2.7/univention/office365/”, line 263, in list_groups
return self._list_objects(object_type=“group”, object_id=objectid, ofilter=ofilter)
File “/usr/lib/pymodules/python2.7/univention/office365/”, line 252, in _list_objects
return self.call_api(“GET”, url)
File “/usr/lib/pymodules/python2.7/univention/office365/”, line 216, in call_api
raise ResourceNotFoundError(response)
univention.office365.azure_handler.ResourceNotFoundError: Resource ‘da857017-fc00-4c7e-b7dd-3e7577d1e59b’ does not exist or one of its queried reference-property objects are not present.


You must use the federated domain in the wizard with an admin user in that federated domain.

[quote=“codedmind, post:11, topic:6000”]
member = ah.list_groups(objectid=member_id)
univention.office365.azure_handler.ResourceNotFoundError: Resource ‘da857017-fc00-4c7e-b7dd-3e7577d1e59b’ does not exist or one of its queried reference-property objects are not present.[/quote]
One of the existing office365-groups has a member-object that is neither user nor group. The script can’t handle that.
I’m interested in fixing that: Can you look at the groups in Azure and check what members they have - if there is something that is neither user nor group?



But can i set the primary domain as federated domain?

About the groups i have three types, Security Group, Distribuition list and Security Group in the office 365 in azure active directory i have three differents names Security, Distribuition and Office.

Using powershell do you know any cmd to list the groups resources id? Maybe that way is easy to identify the group


Sorry - no idea - please refer to the Microsoft documentation for that.


@troeder can you guide me if that resource should be find in office365 or in azure?
I view all the groups details inside azure and none of them have that id



@troeder ok i find it!!! that resource ID is from an external contact address…
In exchange we can create a contact for example a contat will have an external smtp address and all the email that arrive to will be delivery in without cost an emailbox and for sequence a license…

So that resource is a MailContact instead a UserMailBox

Any way to solve this?


The connector currently does not support contact entries (see Bug #41257). This means, that you probably currently not be able to synchronize groups. User-sync should not be affected.

Here is a modified version of print_users_and_groups.txt (5.6 KB)
I had to rename it to *.txt, so the forum would allow the upload :wink:
You can rename it back and make it executable, or just run it with
python print_users_and_groups.txt
Please try it out.


Hello troeder.

With that it works without error.

About the other problem (users being created with federated domain instead of primary) should i change the primary domain, federated it and after that make it primary again.

The actual problem with users being created with the federated domain is that the smtp settings is wrong so i must went to the office portal for each user and change/add the smtp of primary domain…



Almost a year pass and i return to this topic again.
I still have some difficults to understand the best approach.

In azure i have now 3 domains

The ucs domain is domain.local

After install the connector i follow the instructions and must use the because only with this domain i can run with sucess the .bat script.

After everything went ok, i try and create a test user with office 365 template, the user was created and the primary email in ucs is test.o365@domain.local and in office 365 the address is

So my problems:

  • what can (if is possible) i do so the users when created area created with the instead
  • For the old users what variable i should fill and where so the office 365 username can be fill?



As I wrote in comment 12, must be a federated domain. Here are some resources how to achieve that:

The userPrincipalName (UPN, username in Azure) is calculated from the mailPrimaryAddress (the primary email address in UCS). The local part of a UCS users email address (the part before the @) will be the userPrincipalName for Azure.