Integrating Office 365 SSO Using OAuth2.0

Overview

MangoApps supports Single Sign-On (SSO) integration with Office 365 using the OAuth2.0 protocol. OAuth2.0 is a secure, open-standard framework for token-based authorization that allows external applications to access user data without exposing credentials.

By leveraging Office 365 (Microsoft Entra ID) as the OAuth2 provider, organizations can streamline user authentication, enhance security, and optionally enable Just-In-Time (JIT) provisioning to simplify user management.

This guide outlines the steps required to configure the integration both on the Office 365 (Entra ID) side and within MangoApps.

Required Roles

To complete the integration, ensure the following roles and access levels are available:

On Microsoft Entra ID (Azure) Side:

• Global Administrator or Application Administrator to register and configure the application.

On MangoApps Side:

• Domain Administrator or IT Admin with access to the Admin Portal for managing SSO settings.

Provider Side Setup (Microsoft Entra ID / Azure Portal)

To get starter, we will first need to register an application in Azure. Sign into the and navigate to Azure Active Directory > App Registrations.

Click New registration in the top menu.

Configure the items in the Register an application form as follows:

• Name: Create name for your application

• Supported account types: Choose based on your use case

• Redirect URI: Select Web and enter:

  Copy

  https://<yourdomain>.mangoapps.com/oauth2/complete

Click Register.

Next we will configure platform settings,

Under your newly registered app, go to Authentication.

Ensure the following options are checked:

• Access tokens (used for implicit flows)

• ID tokens (used for implicit and hybrid flows)

Now we will navigate to Certificates & secrets.

Click New client secret, set an expiration, and click Add.

Copy the generated Client Secret and store it securely.

Next, configure API Permissions

Go to API permissions.

Click Add a permission and select relevant Microsoft APIs to grant access to from the search or from scrolling the applications. Go to the Owners tab and grant admin permission as needed.

Note Down Key Details

These deatials will be used in subsequent steps for setup.

• Client ID: From the app overview.

• Client Secret: From the previous step.

• Auth & Token URLs: These can be found under the app’s Endpoints tab or at:

  Copy

  https://login.microsoftonline.com/{your_tenant_ID}/v2.0/.well-known/openid-configuration

MangoApps Side Setup

Log into the MangoApps Admin Portal and navigate to SSO > Connection > OAuth 2.0.

Click Add SSO Connection.

In the pop-up menu, fill in the following:

• Provider: Select Office 365

• Application Label: Give the connection a name.

• Client ID & Secret: Enter the credentials generated in Azure.

• Authorized Redirect URL:

  Copy

  https://<yourmangodomain>.mangoapps.com/oauth2/complete

• JavaScript Origins URL:

  Copy

  https://<yourmangodomain>.mangoapps.com

• Auth URL and Token URL: Use the endpoints from the Entra ID configuration.

(Optionally) Enable JIT Provisioning: This allows new users authenticated via Office 365 to be automatically created in MangoApps.

(Private Cloud / On-Premise Only) Use Enterprise Credentials:

• Enable this setting if you're managing the Office 365 app registration yourself.

• For shared cloud users, leave this disabled—MangoApps handles app registration.

Click Save and use the toggle bar to Enable the connection.

Testing Considerations

• Test login with a sample user account in your Azure tenant.

• Confirm correct redirection and access token generation.

• Ensure user field mappings (email, first name, etc.) are syncing properly.

• Validate that JIT provisioning works as expected if enabled.

• Check that logout behavior redirects to your defined logout URL.

Security Considerations

• Always store your Client Secret securely and rotate it periodically.

• Use HTTPS for all callback URLs to prevent interception.

• Assign least privilege permissions when adding API access.

• For private cloud/on-prem customers, monitor token usage and enable enterprise credential validation.

• Disable the connection immediately if a breach or misconfiguration is suspected.

End User Experience

• Users will see an Office 365 login button on the MangoApps login page.

• Upon clicking, they will be redirected to the Microsoft login screen.

• After authentication, they are returned to MangoApps and logged in.

• If JIT is enabled, new users from your domain will be created automatically on first login.

Rollout Recommendations

1. Pilot with a Small Group:

   • Start with IT/admin users to verify stability.

   • Monitor login flows and provisioning.

2. Document Internal Support Steps:

   • Prepare a quick reference for IT support teams on login troubleshooting.

3. Notify End Users:

   • Share a guide or short video explaining the new login process.

4. Gradual Rollout:

   • Enable Office 365 SSO for departments in phases.

   • Provide fallback login (password or other SSO methods) during transition.

5. Monitor Usage:

   • Review logs in both MangoApps and Azure for successful and failed logins.

   • Adjust configuration as needed based on feedback.