Microsoft Entra ID SSO Setup

Configure single sign-on with Microsoft Entra ID (formerly Azure Active Directory) using OpenID Connect

Configure single sign-on (SSO) to allow your organization members to authenticate using Microsoft Entra ID. This guide uses the OpenID Connect (OIDC) protocol for a modern, secure integration.

Prerequisites

Before you begin, ensure you have:

  • Microsoft Entra ID tenant with administrative access
  • Azure Portal access with permissions to create app registrations
  • Organization owner or admin role in Securtea
  • Your organization's email domain (e.g., yourcompany.com)

Overview

The SSO setup process involves two main steps:

  1. Configure an app registration in Microsoft Entra ID - Register Securtea as an application and generate credentials
  2. Configure SSO in Securtea - Enter the app registration details to enable SSO for your organization

Once configured, users with your organization's email domain will automatically be redirected to Microsoft Entra ID when signing in.


Step 1: Create App Registration in Azure Portal

1.1 Navigate to App Registrations

  1. Sign in to the Azure Portal
  2. Navigate to Microsoft Entra ID (or search for "Entra ID" in the top search bar)
  3. In the left sidebar, select App registrations
  4. Click + New registration

1.2 Configure the App Registration

On the registration page:

  1. Name: Enter a descriptive name (e.g., Securtea SSO)

  2. Supported account types: Select Accounts in this organizational directory only (Single tenant)

  3. Redirect URI:

    • Platform: Web
    • URI: https://yourdomain.com/api/auth/sso/callback/oidc-{org-slug}
  4. Click Register

1.3 Copy the Application (Client) ID

After registration:

  1. On the app overview page, locate the Application (client) ID
  2. Copy this UUID - you'll need it for Securtea configuration
  3. Also note your Directory (tenant) ID - you'll use this in the Issuer URL

1.4 Create a Client Secret

  1. In the left sidebar, select Certificates & secrets
  2. Click + New client secret
  3. Description: Enter a name (e.g., Securtea Integration)
  4. Expires: Choose an expiration period (e.g., 24 months)
  5. Click Add
  6. Important: Immediately copy the Value (not the Secret ID) - it will only be shown once
  7. Store this securely - you'll enter it into Securtea

1.5 Configure API Permissions (Optional)

By default, the app has permissions to read basic user profile information. To enable additional capabilities:

  1. In the left sidebar, select API permissions

  2. Verify these Microsoft Graph delegated permissions are present:

    • openid - Required for OIDC
    • email - Access user email
    • profile - Access user profile
  3. If any are missing, click + Add a permission → Microsoft Graph → Delegated permissions


Step 2: Configure SSO in Securtea

2.1 Navigate to SSO Settings

  1. Sign in to your Securtea dashboard
  2. Navigate to Settings → Organization → SSO Authentication
  3. Select the OIDC tab

2.2 Enter Configuration Details

Complete the following fields:

Email Domain *

  • Enter your organization's email domain (e.g., yourcompany.com)
  • Users with this email domain will be redirected to Microsoft Entra ID for authentication
  • Note: Only one domain is supported per SSO configuration

Issuer URL *

Format: https://login.microsoftonline.com/{tenant-id}/v2.0

  • Replace {tenant-id} with your Directory (tenant) ID from Azure Portal
  • Example: https://login.microsoftonline.com/12345678-1234-1234-1234-123456789abc/v2.0

Client ID *

  • Paste the Application (client) ID from Step 1.3

Client Secret *

  • Paste the client secret value from Step 1.4
  • This field is masked like a password field, and its value won't be displayed again after saving
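
Before pasting the four values into the form, a quick check of their shapes catches the mistakes that the troubleshooting section later attributes to most failures: a missing /v2.0, a Secret ID pasted instead of the secret Value, or a user address entered instead of a bare domain. The script below is an added example, not part of Securtea or of Microsoft's tooling. The tenant ID is the guide's own example value; the client ID and secret are constructed placeholders, and the UUID check on the secret relies on Secret IDs in the Azure Portal being UUIDs while secret Values are longer opaque strings.

```python
import re
from dataclasses import dataclass
from typing import List

# Added example: static pre-flight checks for the four OIDC fields in the Securtea form.
# Client ID and secret below are constructed placeholders; the tenant ID is the guide's example.

UUID_RE = re.compile(r"^[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}$")
ISSUER_RE = re.compile(r"^https://login\.microsoftonline\.com/(?P<tenant>[^/]+)/v2\.0$")
DOMAIN_RE = re.compile(r"^(?:[a-z0-9](?:[a-z0-9-]*[a-z0-9])?\.)+[a-z]{2,}$")


@dataclass
class OidcConfig:
    email_domain: str   # e.g. yourcompany.com
    issuer_url: str     # https://login.microsoftonline.com/{tenant-id}/v2.0
    client_id: str      # Application (client) ID from the app registration
    client_secret: str  # the secret Value, not the Secret ID


def validate_config(cfg: OidcConfig) -> List[str]:
    """Return a list of problems; an empty list means every field has the expected shape."""
    problems: List[str] = []

    domain = cfg.email_domain.strip().lower()
    if any(ch in domain for ch in "@, "):
        problems.append("email_domain: enter one bare domain (yourcompany.com), not an address or a list")
    elif not DOMAIN_RE.match(domain):
        problems.append("email_domain: not a valid domain name")

    issuer = cfg.issuer_url.strip()
    m = ISSUER_RE.match(issuer)
    if m is None:
        if issuer.startswith("https://login.microsoftonline.com/") and not issuer.endswith("/v2.0"):
            problems.append("issuer_url: must end in /v2.0 with no trailing slash")
        else:
            problems.append("issuer_url: expected https://login.microsoftonline.com/{tenant-id}/v2.0")
    elif not UUID_RE.match(m.group("tenant")):
        problems.append("issuer_url: the tenant segment is not a Directory (tenant) ID")

    if not UUID_RE.match(cfg.client_id.strip()):
        problems.append("client_id: expected the Application (client) ID, a UUID")

    secret = cfg.client_secret.strip()
    if not secret:
        problems.append("client_secret: empty")
    elif UUID_RE.match(secret):
        # Secret IDs in the Azure Portal are UUIDs; the Value is a longer opaque string.
        problems.append("client_secret: looks like the Secret ID; paste the secret Value instead")

    return problems


def discovery_url(issuer_url: str) -> str:
    """OIDC Discovery publishes provider metadata at {issuer}/.well-known/openid-configuration."""
    return issuer_url.rstrip("/") + "/.well-known/openid-configuration"


if __name__ == "__main__":
    cfg = OidcConfig(
        email_domain="yourcompany.com",
        issuer_url="https://login.microsoftonline.com/12345678-1234-1234-1234-123456789abc/v2.0",
        client_id="11111111-2222-3333-4444-555555555555",   # constructed placeholder
        client_secret="constructed-secret-value",           # constructed placeholder
    )
    for p in validate_config(cfg) or ["all fields look consistent"]:
        print(p)
    print("discovery:", discovery_url(cfg.issuer_url))
```

Run it with your own values substituted; an empty problem list only means the fields are well-formed, not that the tenant or credentials are right, which is what the Test Connection step in Step 3 verifies.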

2.3 Configure Callback URL in Azure

Before saving in Securtea:

  1. Copy the Callback URL shown in the Securtea form
    • Format: https://yourdomain.com/api/auth/sso/callback/oidc-{your-org-slug}
  2. Return to the Azure Portal → Your App Registration → Authentication
  3. Under Redirect URIs, add or verify the callback URL
  4. Click Save in Azure Portal

2.4 Save Configuration

  1. Click Configure OIDC in Securtea
  2. Wait for the success confirmation
  3. Your SSO configuration is now active

Step 3: Test the Connection

After configuration:

  1. In the Securtea SSO settings page, locate the Test Connection section

  2. Click Test

  3. The system will verify:

    • The issuer URL is reachable
    • The client credentials are valid
    • The OIDC discovery endpoint is accessible
  4. Review the test results:

    • Success: Your configuration is working correctly
    • Failed: Review the error message and check your configuration
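
The checks a connection test can run once the discovery document at {issuer}/.well-known/openid-configuration has been fetched are shown below as an added Python example; it is not Securtea's own test code. SAMPLE_DISCOVERY is a constructed document that mirrors the shape of an Entra ID v2.0 discovery response using the guide's example tenant ID, not a captured response. The credential check ("client credentials are valid") needs a live token request and is not reproduced; the scope check ties back to the openid, email and profile permissions from Step 1.5.

```python
import json
import urllib.request
from typing import Any, Dict, List

# Added example: offline checks over a provider discovery document. SAMPLE_DISCOVERY is a
# constructed document that mirrors the shape of an Entra ID v2.0 discovery response, using
# the guide's example tenant ID; it is not a captured response.
TENANT_ID = "12345678-1234-1234-1234-123456789abc"
SAMPLE_DISCOVERY: Dict[str, Any] = {
    "issuer": f"https://login.microsoftonline.com/{TENANT_ID}/v2.0",
    "authorization_endpoint": f"https://login.microsoftonline.com/{TENANT_ID}/oauth2/v2.0/authorize",
    "token_endpoint": f"https://login.microsoftonline.com/{TENANT_ID}/oauth2/v2.0/token",
    "jwks_uri": f"https://login.microsoftonline.com/{TENANT_ID}/discovery/v2.0/keys",
    "response_types_supported": ["code", "id_token", "code id_token"],
    "scopes_supported": ["openid", "profile", "email", "offline_access"],
}

REQUIRED_SCOPES = {"openid", "email", "profile"}   # the three delegated permissions in Step 1.5


def fetch_discovery(issuer_url: str, timeout: float = 5.0) -> Dict[str, Any]:
    """Live fetch of {issuer}/.well-known/openid-configuration (network; not used by the checks)."""
    url = issuer_url.rstrip("/") + "/.well-known/openid-configuration"
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return json.load(resp)


def check_discovery(configured_issuer: str, doc: Dict[str, Any]) -> List[str]:
    """Return problems found in `doc` relative to the configured issuer URL; [] means it passes."""
    problems: List[str] = []

    # OIDC Discovery requires the `issuer` value to be identical to the issuer URL that was
    # used to locate the document; a missing /v2.0 or a wrong tenant ID shows up here.
    if doc.get("issuer") != configured_issuer:
        problems.append(f"issuer mismatch: document says {doc.get('issuer')!r}, configured {configured_issuer!r}")

    for key in ("authorization_endpoint", "token_endpoint", "jwks_uri"):
        value = doc.get(key)
        if not isinstance(value, str) or not value.startswith("https://"):
            problems.append(f"{key}: missing or not an https URL")

    if "code" not in doc.get("response_types_supported", []):
        problems.append("authorization code flow not advertised in response_types_supported")

    missing = REQUIRED_SCOPES - set(doc.get("scopes_supported", []))
    if missing:
        problems.append("scopes not advertised by the provider: " + ", ".join(sorted(missing)))

    return problems


if __name__ == "__main__":
    issuer = f"https://login.microsoftonline.com/{TENANT_ID}/v2.0"
    print(check_discovery(issuer, SAMPLE_DISCOVERY) or ["discovery document passes"])
    # Same document checked against an issuer URL missing /v2.0: reported as an issuer mismatch.
    print(check_discovery(issuer.replace("/v2.0", ""), SAMPLE_DISCOVERY))
```

For a live run, replace SAMPLE_DISCOVERY with fetch_discovery(issuer) and keep the configured issuer string exactly as entered in the Securtea form, since the comparison is verbatim by design.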

User Experience

First-time SSO Users

When a user signs in with your organization's email domain for the first time:

  1. They enter their email on the Securtea login page

  2. They're redirected to Microsoft Entra ID

  3. They sign in with their Microsoft credentials

  4. Securtea automatically:

    • Creates their user account
    • Verifies their email (provider-verified)
    • Creates or adds them to your organization
    • Assigns appropriate role (admin for managers/IT, member for others)
  5. They're redirected back to Securtea and signed in

Returning Users

  • Users are automatically redirected to Microsoft for authentication
  • After successful authentication, they're signed in immediately
  • No password management required in Securtea

Important Notes

Security Considerations

  • Client Secret Rotation: Microsoft client secrets expire. Set a calendar reminder to rotate before expiration
  • Least Privilege: Only assign necessary API permissions in Azure
  • Audit Logs: Monitor sign-in activity in both Azure and Securtea

Limitations

  • One SSO Provider: Only one SSO provider (OIDC or SAML) can be configured per organization
  • Single Domain: The email domain field accepts one domain only
  • No Guest Users: Azure guest users may need additional configuration

Session Management

  • Sessions are managed by Securtea's authentication system
  • Microsoft Entra ID session policies don't directly affect Securtea sessions
  • Users can sign out from Securtea independently of their Microsoft session

Troubleshooting

"Invalid Client" Error

Cause: Client ID or Client Secret is incorrect

Solution:

  1. Verify the Client ID matches the Application (client) ID in Azure
  2. Regenerate the client secret if it's expired or incorrect
  3. Ensure you copied the secret value, not the Secret ID

"Redirect URI Mismatch" Error

Cause: The callback URL in Azure doesn't match Securtea's callback URL

Solution:

  1. Copy the exact callback URL from Securtea SSO settings
  2. In Azure Portal → App Registration → Authentication → Redirect URIs
  3. Ensure the URL matches exactly (including https:// and the org slug)
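
Because the comparison between the callback URL and the registered redirect URIs is exact, a small diagnostic that names the differing component (scheme, host, trailing slash, letter case in the slug) saves a round of guessing. The function below is an added example, not Securtea or Azure code; the org slug acme in the usage is a constructed placeholder.

```python
from typing import List, Optional
from urllib.parse import urlsplit

# Added example: explain why a callback URL is not an exact match for any registered
# redirect URI. The org slug "acme" used below is a constructed placeholder.


def explain_redirect_mismatch(registered: List[str], callback: str) -> Optional[str]:
    """Return None when `callback` is registered verbatim; otherwise a message that names,
    for each registered URI, the component(s) that differ."""
    if callback in registered:
        return None
    if not registered:
        return "no redirect URIs are registered on the app registration"
    cb = urlsplit(callback)
    reports: List[str] = []
    for reg in registered:
        ru = urlsplit(reg)
        diffs: List[str] = []
        if ru.scheme != cb.scheme:
            diffs.append(f"scheme {ru.scheme!r} vs {cb.scheme!r} (https:// is required)")
        if ru.netloc != cb.netloc:
            diffs.append(f"host {ru.netloc!r} vs {cb.netloc!r}")
        if ru.path != cb.path:
            if ru.path.rstrip("/") == cb.path.rstrip("/"):
                diffs.append("trailing slash differs")
            elif ru.path.lower() == cb.path.lower():
                diffs.append("path differs only in letter case")
            else:
                diffs.append(f"path {ru.path!r} vs {cb.path!r} (check the org slug)")
        if (ru.query, ru.fragment) != (cb.query, cb.fragment):
            diffs.append("query string or fragment differs")
        if not diffs:
            # urlsplit lowercases the scheme, so e.g. HTTPS:// vs https:// lands here.
            diffs.append("differs only in scheme letter case or similar; compare the raw strings")
        reports.append(f"{reg}: " + "; ".join(diffs))
    return "callback URL is not registered exactly. " + " | ".join(reports)


if __name__ == "__main__":
    registered = ["https://yourdomain.com/api/auth/sso/callback/oidc-acme"]  # constructed slug
    for candidate in (
        "https://yourdomain.com/api/auth/sso/callback/oidc-acme",
        "http://yourdomain.com/api/auth/sso/callback/oidc-acme",
        "https://yourdomain.com/api/auth/sso/callback/oidc-acme/",
        "https://yourdomain.com/api/auth/sso/callback/oidc-Acme",
    ):
        print(candidate, "->", explain_redirect_mismatch(registered, candidate) or "exact match")
```

Paste the list from Azure Portal → App Registration → Authentication → Redirect URIs as `registered` and the Securtea callback URL as `callback`; a None result means the two sides agree character for character.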

"Issuer Not Found" Error

Cause: The Issuer URL is incorrectly formatted or the tenant ID is wrong

Solution:

  1. Verify the format: https://login.microsoftonline.com/{tenant-id}/v2.0
  2. Confirm the tenant ID is correct (found in Azure Portal → Entra ID → Overview)
  3. Ensure /v2.0 is included at the end

Users Can't Sign In After Configuration

Cause: Email domain mismatch or user's email not verified in Microsoft

Solution:

  1. Verify the email domain in Securtea matches your users' email domain exactly
  2. Ensure users have verified email addresses in Microsoft Entra ID
  3. Check Azure sign-in logs for authentication failures

Test Connection Succeeds But Sign-In Fails

Cause: Scopes or permissions issue

Solution:

  1. In Azure Portal → App Registration → API Permissions
  2. Ensure openid, email, and profile permissions are granted
  3. Click Grant admin consent if permissions require it

Removing SSO Configuration

To remove SSO and revert to email/password authentication:

  1. Navigate to Settings → Organization → SSO Authentication
  2. Click Remove Configuration
  3. Confirm the removal

Support

If you encounter issues not covered in this guide:

  1. Check the test connection results for specific error messages
  2. Review Azure sign-in logs for authentication details
  3. Contact Securtea support with:
    • Organization slug
    • Error messages
    • Screenshots of Azure configuration (redact secrets)
