How to configure SSO with Microsoft Entra ID

  • Updated on Jul 16, 2025
  • Published on Apr 16, 2025
  • 3 minute(s) read
Prev Next

Register an application in Azure Portal

  1. Log in to Azure Portal.
  2. In the Azure Portal menu, navigate to Microsoft Entra ID.

azure-portal-ms-entra-id.png

  1. In the left pane, navigate to Manage > App registrations.

AW43_azure-portal-app-registration-menu

  1. Click on + New registration on the top toolbar.

  2. In the Register an application window that opens, configure the following:

  • In the Supported account types section select Accounts in this organizational directory only (tenant only - Single tenant). For more information about the supported account types, see Microsoft documentation.
  • In the Redirect URI (optional) section select Web and in the value field insert the FQDN of the Application Workspace zone you want to add, with the /api/auth/token/end suffix.

Example:

https://< Virtual Host >/api/auth/token/end

AW43-azure-portal-new-app-registration

  1. Click on Register on the bottom left, to complete the initial app registration.

  2. You need to generate a client secret that facilitates communication between Application Workspace and Microsoft Entra ID (Azure AD). In the newly created app registration, in the left pane, navigate to Manage > Certificates & secrets > Client secrets > New client secret.

azure-portal-app-registration-certificates.png

  1. Add a description and an expiration date for your client secret and then click Add. Note down your client secret after you create it because there is no way of retrieving the value after you leave this screen.

  2. You need to add permissions to your app registration. In the left pane, navigate to Manage > API permissions and add the following permissions:

  • Directory.Read.All - Allows Application Workspace to read data in your organization's directory, such as users, groups and apps. This permission requires Admin Consent.
  • User.Read - Allows users to sign in to Application Workspace. It is recommended to grant Admin Consent so that users will not be asked to share their profile on the first login.
  • (Optional) User.Read.All - Allows Application Workspace to read the user data and retrieve photos from Microsoft Entra ID (Azure AD). This permission requires Admin Consent.
  • (Optional) GroupMember.ReadWrite.All - Allows Application Workspace to modify group memberships.

For more information about permissions, see Microsoft documentation.

  1. Click on the Grant admin consent for {your tenant}. It can take up to an hour before these settings take effect in Microsoft Entra ID (Azure AD).

AW43-azure-portal-app-registration-API-permissions-grant-admin-consent

Creating the identity source in Application Workspace

  1. Navigate to Manage > Authentication > Identity Sources
  2. Click AW43_enlarge Create in the table toolbar. The Create identity source dialog box opens.
  3. In the Type screen, select Microsoft Entra ID (Azure AD). Click Next.

AW43-create-identity-source-MSEntra-type-screen.png

  1. In the Overview screen:
  • For the Name field, we recommend you use only letters without spaces. If you plan to use Kerberos/NTLM, use the NETBIOS name.
  • If the Hidden checkbox is selected, this identity source will not be shown as an option on the login page. Even hidden, you can configure it in the Agent file or using URL parameters as described in URL Parameters.

AW43-create-identity-source-MSEntra-overview-screen.png

  1. After you finish inserting all necessary information, click Next.
  2. In the the Settings screen:

Application ID - The value of the Application (client) ID field in Azure Portal > Overview page of the Microsoft Entra ID (Azure AD) app registration.

Client secret - The client secret you defined earlier in Register an application in Azure Portal, step 7.

Authorization URI - The value of the OAuth 2.0 authorization endpoint (v1) field in Azure Portal > Overview page > Endpoints tab of the Microsoft Entra ID (Azure AD) app registration.

Token URI - The value of the OAuth 2.0 token endpoint (v1) field in Azure Portal > Overview page > Endpoints tab of the Microsoft Entra ID (Azure AD) app registration.

Logout URI - The redirection URI needs to be encoded to work properly.

Photos - This option requires User.Read.All permissions in Microsoft Entra ID (Azure AD). See Register an application in Azure Portal, step 9.

AW43-create-identity-source-MSEntra-settings-screen.png

  1. After you finish inserting all necessary information, click Next.
  2. In the Summary screen, leave the Modify identity source after creation selected to open the newly created identity source. Click Finish.

For an overview of the identity source settings, see Microsoft Entra ID (Azure AD).