# SSO With Microsoft Entra ID

This guide will show you how to configure Microsoft Entra ID (formerly Azure AD) as a single sign-on (SSO) provider to authenticate to StrongDM for your organization.

{% hint style="info" %}
If you intend to use Entra ID for both [provisioning](https://docs.strongdm.com/admin/principals/provisioning/entra-provisioning) and SSO, the best practice is to use two separate Entra ID apps: one to manage the SCIM integration and one to manage the SSO integration.
{% endhint %}

### Prerequisites

Ensure that you have the appropriate roles:

* In Microsoft Entra ID (formerly Azure AD), you must be an Application Administrator or Global Administrator.
* In StrongDM, you must be an Account Administrator.

### Azure SSO Configuration Guide

#### App registration and configuration in Microsoft Entra ID

{% hint style="info" %}
These instructions vary based on your organization's StrongDM region (not your individual location).
{% endhint %}

{% tabs %}
{% tab title="US" %}

1. Log in to the Azure portal or Microsoft Entra admin center, and go to **App registrations**.
2. ![](https://4180056444-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FF7eka9SH5TT8nJm2ZfWj%2Fuploads%2Fgit-blob-2c11c956f0e2565ac4875fa9645580b75234f32d%2Fazure-ad-sso-app-registration.png?alt=media)\
   Click **New application registration** and set the following:
   1. **Name**: Provide a descriptive name for this app.
   2. **Supported account types**: Specify if you want this app to span across multiple directories.
   3. **Redirect URI**: Select **Web** and enter the redirect URI for your organization's StrongDM region (US): `https://app.strongdm.com/auth/return`
3. Click **Register**.
4. ![](https://4180056444-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FF7eka9SH5TT8nJm2ZfWj%2Fuploads%2Fgit-blob-7f834a4f91fd1d569125e92115b9b3c1d28bd9da%2Fsso-azure-application-id.png?alt=media)\
   The app’s **Overview** section will appear. Copy the **Application (client) ID** and save it for later use. You will be pasting the application ID into the StrongDM Admin UI in a later step.
5. In the app’s **Branding** section:
   1. Set the **Home page URL** for your organization's StrongDM region (US): `https://app.strongdm.com`
   2. Copy the **Publisher Domain** and save it for later use in the Admin UI, then click **Save**.
6. In the app’s **Certificates & secrets** section:
   1. Click **+ New client secret**.
   2. Provide a description, set the expiration, and click **Add**, then click **Save**.

{% hint style="warning" %}
The client secret will be shown only one time, so copy the **value** (not the secret ID) now for later use in the Admin UI.
{% endhint %}
{% endtab %}

{% tab title="UK" %}
*Follow instructions in the tab for the region of your organization's StrongDM control plane, not your own location. The default control plane region is US.*

1. Log in to the Azure portal or Microsoft Entra admin center, and go to **App registrations**.
2. ![](https://4180056444-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FF7eka9SH5TT8nJm2ZfWj%2Fuploads%2Fgit-blob-2c11c956f0e2565ac4875fa9645580b75234f32d%2Fazure-ad-sso-app-registration.png?alt=media)\
   Click **New application registration** and set the following:
   1. **Name**: Provide a descriptive name for this app.
   2. **Supported account types**: Specify if you want this app to span across multiple directories.
   3. **Redirect URI**: Select **Web** and enter the redirect URI for your organization's StrongDM region (UK): `https://app.uk.strongdm.com/auth/return`
3. Click **Register**.
4. ![](https://4180056444-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FF7eka9SH5TT8nJm2ZfWj%2Fuploads%2Fgit-blob-7f834a4f91fd1d569125e92115b9b3c1d28bd9da%2Fsso-azure-application-id.png?alt=media)\
   The app’s **Overview** section will appear. Copy the **Application (client) ID** and save it for later use. You will be pasting the application ID into the StrongDM Admin UI in a later step.
5. In the app’s **Branding** section:
   1. Set the **Home page URL** for your organization's StrongDM region (UK): `https://app.uk.strongdm.com`
   2. Copy the **Publisher Domain** and save it for later use in the Admin UI, then click **Save**.
6. In the app’s **Certificates & secrets** section:
   1. Click **+ New client secret**.
   2. Provide a description, set the expiration, and click **Add**, then click **Save**.

{% hint style="warning" %}
The client secret will be shown only one time, so copy the **value** (not the secret ID) now for later use in the Admin UI.
{% endhint %}
{% endtab %}

{% tab title="EU" %}
*Follow instructions in the tab for the region of your organization's StrongDM control plane, not your own location. The default control plane region is US.*

1. Log in to the Azure portal or Microsoft Entra admin center, and go to **App registrations**.
2. ![](https://4180056444-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FF7eka9SH5TT8nJm2ZfWj%2Fuploads%2Fgit-blob-2c11c956f0e2565ac4875fa9645580b75234f32d%2Fazure-ad-sso-app-registration.png?alt=media)\
   Click **New application registration** and set the following:
   1. **Name**: Provide a descriptive name for this app.
   2. **Supported account types**: Specify if you want this app to span across multiple directories.
   3. **Redirect URI**: Select **Web** and enter the redirect URI for your organization's StrongDM region (EU): `https://app.eu.strongdm.com/auth/return`
3. Click **Register**.
4. ![](https://4180056444-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FF7eka9SH5TT8nJm2ZfWj%2Fuploads%2Fgit-blob-7f834a4f91fd1d569125e92115b9b3c1d28bd9da%2Fsso-azure-application-id.png?alt=media)\
   The app’s **Overview** section will appear. Copy the **Application (client) ID** and save it for later use. You will be pasting the application ID into the StrongDM Admin UI in a later step.
5. In the app’s **Branding** section:
   1. Set the **Home page URL** for your organization's StrongDM region (EU): `https://app.eu.strongdm.com`
   2. Copy the **Publisher Domain** and save it for later use in the Admin UI, then click **Save**.
6. In the app’s **Certificates & secrets** section:
   1. Click **+ New client secret**.
   2. Provide a description, set the expiration, and click **Add**, then click **Save**.

{% hint style="warning" %}
The client secret will be shown only one time, so copy the **value** (not the secret ID) now for later use in the Admin UI.
{% endhint %}
{% endtab %}
{% endtabs %}

#### Add SSO in StrongDM

1. In the Admin UI, go to **Settings** > **User Management**.
2. In the **Single Sign-on** section, click the **lock** to make changes, and then set the following:
   1. From the dropdown selector, select **Azure** as the SSO provider.
   2. **Single sign-on URL:** Set `https://login.microsoftonline.com/<PUBLISHER_DOMAIN>`, where `<PUBLISHER_DOMAIN>` is the **Publisher Domain** you copied from the app’s **Branding** section.
   3. **Client ID**: Set the `Application (client) ID` that you copied from the app’s **Overview** section.
   4. **Client Secret**: Set the `client secret value` that you copied from the app’s **Certificates & secrets** section.
3. Select your desired [general SSO settings](https://docs.strongdm.com/admin/principals/sso).
4. Click **activate**.

![](https://4180056444-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FF7eka9SH5TT8nJm2ZfWj%2Fuploads%2Fgit-blob-b29c53182ef09a04f184658e66c5fc867552ac39%2Fsso-azure-sdm-auth-page.png?alt=media)

Microsoft Entra ID SSO configuration is now complete.
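The values pasted into the Admin UI are easy to mix up (a secret ID instead of the secret value, a redirect URI from the wrong region). The following pre-flight check, an added example that is not StrongDM's or Microsoft's code, validates the four Admin UI settings and the two app-registration URLs against the region table from this guide; the `check_sso_settings` function and all sample values in it are constructed for illustration.

```python
import re
from urllib.parse import urlparse

# Control-plane region -> (Redirect URI, Home page URL), taken from the tabs above.
REGION_URLS = {
    "US": ("https://app.strongdm.com/auth/return", "https://app.strongdm.com"),
    "UK": ("https://app.uk.strongdm.com/auth/return", "https://app.uk.strongdm.com"),
    "EU": ("https://app.eu.strongdm.com/auth/return", "https://app.eu.strongdm.com"),
}
GUID_RE = re.compile(r"^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$")
# DNS-style domain: labels of 1-63 chars, no leading/trailing hyphen, at least one dot.
DOMAIN_RE = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))+$")


def check_sso_settings(region, sso_url, client_id, client_secret, redirect_uri, home_page_url):
    """Return a list of problems; an empty list means the six values are consistent."""
    problems = []
    expected_redirect, expected_home = REGION_URLS.get(region, (None, None))
    if expected_redirect is None:
        problems.append(f"unknown StrongDM region {region!r}; expected one of {sorted(REGION_URLS)}")
    else:
        # The app registration must point at the control-plane region, not the admin's location.
        if redirect_uri != expected_redirect:
            problems.append(f"redirect URI {redirect_uri!r} does not match region {region}: {expected_redirect}")
        if home_page_url != expected_home:
            problems.append(f"home page URL {home_page_url!r} does not match region {region}: {expected_home}")
    # Single sign-on URL must be https://login.microsoftonline.com/<PUBLISHER_DOMAIN>, nothing more.
    u = urlparse(sso_url)
    publisher_domain = u.path.strip("/")
    if (u.scheme != "https" or u.netloc != "login.microsoftonline.com"
            or u.query or u.fragment or not DOMAIN_RE.match(publisher_domain)):
        problems.append("single sign-on URL must be https://login.microsoftonline.com/<PUBLISHER_DOMAIN>")
    # Client ID is the Application (client) ID from Overview, which is always a GUID.
    if not GUID_RE.match(client_id):
        problems.append("client ID is not a GUID; copy the Application (client) ID from Overview")
    # A GUID in the secret field means the secret ID was copied instead of the secret value.
    if GUID_RE.match(client_secret):
        problems.append("client secret looks like a secret ID (GUID); paste the secret value instead")
    elif len(client_secret) < 16 or client_secret != client_secret.strip():
        problems.append("client secret is missing/short or has surrounding whitespace")
    return problems


if __name__ == "__main__":
    # Constructed sample: EU tenant whose app was registered with the US redirect URI.
    for p in check_sso_settings("EU", "https://login.microsoftonline.com/contoso.onmicrosoft.com",
                                "12345678-1234-1234-1234-123456789abc", "Abc~8Q~constructed.secret.value",
                                "https://app.strongdm.com/auth/return", "https://app.eu.strongdm.com"):
        print("PROBLEM:", p)
```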
