Office365 - SSO - wrong password

Hi Folks,
maybe I miss a detail :frowning:
We have a test USC connected to O365 using the UCS connector. But it’s not’s working as expected:

here’s what we did and what happens:

  • add a “normal user” to UCS, enable o365
  • go to o365 login page and enter
  • o365 adds user to Azure AD (with student license)
  • get message: wrong password

So basically two questions: why does o365 rject my password. Checked at ucs and login is possible?
How to assign other licenses than student?
How to define groups in UCS that will be given to o365?

Any idea / hint would be highly appreciated…



Where (on which page) do you get the ‘wrong password’ message?

To enable specific licenses and fine tune which service plans get enabled you can follow this article:

You can set the UCR variable office365/groups/sync to yes and restart the univention-directory-listener service to enable group sync. Once a user group is modified it is checked if it should be synced to the Azure AD.

thanx for the UCR hint - I always forget to check this first :frowning:

At I get “account or password is not correct”. here I use the email adress instead of the the UCS username (username is something like asb123 email is User Principal Name (

On O365 login is allowed for this user and licenses are assigned. And when I set a new password at O365 admin center login is possible. Seems O365 is not able to use my UCS to log me in.

Do I missunderstand the scope of this conncector?

The key concept for the connector is that the user password does not leave the UCS domain. This has the consequence that we do not sync passwords into the Azure cloud.

Therefore, Single Sign-On has to be used with the Office365 connector. The wizard describes the required steps to configure the Azure AD for Single Sign-On.

thanx for confirmation that I understood O365 connector right…

however, even though I followed the wizard, I can’t log in. Maybe one remark: the laptop / computer is NOT part of the domain and just using the web interface from O365 to log in. Is O365 only working for clients in the domain?

Or do you have an idea where to start debugging? At the end we need a solution that will use UCS for O365 login just like we have for NextCloud too…

thanx in advance

Using the Office365 services is possible from any computer that can access the Office365 website as well as the UCS Single Sign-On loginpage. The computer does not have to be joined into the UCS domain.

If i understood you correctly, after entering the username at the Microsoft loginpage, you can also enter your password on that page. The user should get redirected to the UCS Single Sign-On login. If that is not the case, it indicates that the powershell script offered by the wizard has not been run or has not run successfully.
Open the setup wizard again, there is a button to get to the page where the configuration of Single Sign-On is described.

any chance to get to this script without going through the whole wizard?

Did you try this? The script can be downloaded on that page.

whooo… that did the trick. Seem I either missed the script or it did not run sucessfully. However - re-run the script and it’s workig like a charm… :slight_smile:

But unfrtunately this leads back to another post:

Even though I can solve thsi by tweaking the apache configs this will not survive an update or ucr commit… any idea to the other post?