# SSO With Microsoft Entra ID

This guide shows you how to configure Microsoft Entra ID (formerly Azure AD) as a single sign-on (SSO) provider so that users in your organization authenticate to StrongDM through it.

{% hint style="info" %}
If you intend to use Entra ID for both [provisioning](/admin/principals/provisioning/entra-provisioning.md) and SSO, the best practice is to use two separate Entra ID apps: one to manage the SCIM integration and one to manage the SSO integration.
{% endhint %}

### Prerequisites

Ensure that you have the appropriate roles:

* In Microsoft Entra ID (formerly Azure AD), you must be an Application Administrator or Global Administrator.
* In StrongDM, you must be an Account Administrator.

### Azure SSO Configuration Guide

#### App registration and configuration in Microsoft Entra ID

{% hint style="info" %}
These instructions vary based on your organization's StrongDM region (not your individual location).
{% endhint %}

{% tabs %}
{% tab title="US" %}

1. Sign in to the Azure portal or the Microsoft Entra admin center, and go to **App registrations**.
2. ![](/files/Df0opKptsj8RqLN7POhk)\
   Click **New registration** and set the following:
   1. **Name**: Provide a descriptive name for this app (for example, `StrongDM SSO`).
   2. **Supported account types**: Choose whether the app should accept accounts from other directories. For SSO into a single organization, **Accounts in this organizational directory only** (single tenant) is the least-privilege choice; widen it only if you need sign-ins from another directory.
   3. **Redirect URI**: Select **Web** and enter the redirect URI for the US control plane exactly as shown: `https://app.strongdm.com/auth/return`. Entra ID rejects sign-ins whose redirect URI does not match the registered value exactly, so do not add a trailing slash or a different scheme.
3. Click **Register**.
4. ![](/files/z46XV2Z1FIJIlpp9acgx)\
   The app’s **Overview** section appears. Copy the **Application (client) ID** and save it; you will paste it into the StrongDM Admin UI in a later step.
5. In the app’s **Branding** section:
   1. Set the **Home page URL** for the US control plane: `https://app.strongdm.com`
   2. Copy the **Publisher Domain** (for example, `contoso.onmicrosoft.com`) and save it for the Admin UI, then click **Save**.
6. In the app’s **Certificates & secrets** section:
   1. Click **+ New client secret**.
   2. Provide a description, set an expiration, and click **Add**, then click **Save**.

{% hint style="warning" %}
The client secret value is shown only once. Copy the **Value** (not the **Secret ID**) now and store it in your secrets manager for the Admin UI step. Record the expiration date as well: once the secret expires, SSO logins to StrongDM fail until you create a new secret and update the Admin UI with its value.
{% endhint %}
{% endtab %}

{% tab title="UK" %}
*Follow instructions in the tab for the region of your organization's StrongDM control plane, not your own location. The default control plane region is US.*

1. Sign in to the Azure portal or the Microsoft Entra admin center, and go to **App registrations**.
2. ![](/files/Df0opKptsj8RqLN7POhk)\
   Click **New registration** and set the following:
   1. **Name**: Provide a descriptive name for this app (for example, `StrongDM SSO`).
   2. **Supported account types**: Choose whether the app should accept accounts from other directories. For SSO into a single organization, **Accounts in this organizational directory only** (single tenant) is the least-privilege choice; widen it only if you need sign-ins from another directory.
   3. **Redirect URI**: Select **Web** and enter the redirect URI for the UK control plane exactly as shown: `https://app.uk.strongdm.com/auth/return`. Entra ID rejects sign-ins whose redirect URI does not match the registered value exactly, so do not add a trailing slash or a different scheme.
3. Click **Register**.
4. ![](/files/z46XV2Z1FIJIlpp9acgx)\
   The app’s **Overview** section appears. Copy the **Application (client) ID** and save it; you will paste it into the StrongDM Admin UI in a later step.
5. In the app’s **Branding** section:
   1. Set the **Home page URL** for the UK control plane: `https://app.uk.strongdm.com`
   2. Copy the **Publisher Domain** (for example, `contoso.onmicrosoft.com`) and save it for the Admin UI, then click **Save**.
6. In the app’s **Certificates & secrets** section:
   1. Click **+ New client secret**.
   2. Provide a description, set an expiration, and click **Add**, then click **Save**.

{% hint style="warning" %}
The client secret value is shown only once. Copy the **Value** (not the **Secret ID**) now and store it in your secrets manager for the Admin UI step. Record the expiration date as well: once the secret expires, SSO logins to StrongDM fail until you create a new secret and update the Admin UI with its value.
{% endhint %}
{% endtab %}

{% tab title="EU" %}
*Follow instructions in the tab for the region of your organization's StrongDM control plane, not your own location. The default control plane region is US.*

1. Sign in to the Azure portal or the Microsoft Entra admin center, and go to **App registrations**.
2. ![](/files/Df0opKptsj8RqLN7POhk)\
   Click **New registration** and set the following:
   1. **Name**: Provide a descriptive name for this app (for example, `StrongDM SSO`).
   2. **Supported account types**: Choose whether the app should accept accounts from other directories. For SSO into a single organization, **Accounts in this organizational directory only** (single tenant) is the least-privilege choice; widen it only if you need sign-ins from another directory.
   3. **Redirect URI**: Select **Web** and enter the redirect URI for the EU control plane exactly as shown: `https://app.eu.strongdm.com/auth/return`. Entra ID rejects sign-ins whose redirect URI does not match the registered value exactly, so do not add a trailing slash or a different scheme.
3. Click **Register**.
4. ![](/files/z46XV2Z1FIJIlpp9acgx)\
   The app’s **Overview** section appears. Copy the **Application (client) ID** and save it; you will paste it into the StrongDM Admin UI in a later step.
5. In the app’s **Branding** section:
   1. Set the **Home page URL** for the EU control plane: `https://app.eu.strongdm.com`
   2. Copy the **Publisher Domain** (for example, `contoso.onmicrosoft.com`) and save it for the Admin UI, then click **Save**.
6. In the app’s **Certificates & secrets** section:
   1. Click **+ New client secret**.
   2. Provide a description, set an expiration, and click **Add**, then click **Save**.

{% hint style="warning" %}
The client secret value is shown only once. Copy the **Value** (not the **Secret ID**) now and store it in your secrets manager for the Admin UI step. Record the expiration date as well: once the secret expires, SSO logins to StrongDM fail until you create a new secret and update the Admin UI with its value.
{% endhint %}
{% endtab %}
{% endtabs %}
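To make the Entra ID steps above repeatable (and reviewable in version control), here is an added example that is not StrongDM's or Microsoft's own code: it performs them with the Azure CLI. It registers a single-tenant web app with the redirect URI and home page URL for the chosen control-plane region, creates a client secret with a bounded lifetime, and prints the three values the Admin UI step needs. It assumes `az login` has already been done as an Application Administrator; the display name `StrongDM SSO`, the one-year secret lifetime, and the script name `register_sdm_app.sh` are assumptions.

```shell
#!/usr/bin/env bash
# Added example (not StrongDM's or Microsoft's code): automate the Entra ID app
# registration for StrongDM SSO with the Azure CLI. Assumes `az login` was done
# as an Application Administrator. Display name and secret lifetime are assumptions.
set -eu

# Map a StrongDM control-plane region (us, uk, eu) to the web UI base URL.
sdm_base_url() {
  case "$1" in
    us) echo "https://app.strongdm.com" ;;
    uk) echo "https://app.uk.strongdm.com" ;;
    eu) echo "https://app.eu.strongdm.com" ;;
    *)  echo "unknown StrongDM region: $1" >&2; return 1 ;;
  esac
}

# OIDC redirect URI for a region. Entra ID requires an exact match, so this is
# the only value that belongs in the app's Web redirect URIs (no wildcards).
sdm_redirect_uri() {
  base=$(sdm_base_url "$1") || return 1
  echo "$base/auth/return"
}

# Single sign-on URL for the StrongDM Admin UI, built from the publisher domain.
sdm_sso_url() {
  echo "https://login.microsoftonline.com/$1"
}

register_sdm_app() {
  region="$1"
  name="${2:-StrongDM SSO}"   # assumed display name
  home_url=$(sdm_base_url "$region")
  redirect_uri=$(sdm_redirect_uri "$region")

  # Single-tenant registration: only accounts from this directory can sign in.
  app_id=$(az ad app create \
    --display-name "$name" \
    --sign-in-audience AzureADMyOrg \
    --web-home-page-url "$home_url" \
    --web-redirect-uris "$redirect_uri" \
    --query appId -o tsv)

  # Client secret with a bounded lifetime (one year assumed). --append keeps any
  # existing secrets, which is what you want when rotating without downtime.
  secret=$(az ad app credential reset \
    --id "$app_id" --append --display-name strongdm-sso --years 1 \
    --query password -o tsv)

  # Publisher domain as shown under Branding; if this comes back empty, use the
  # value from the portal instead.
  publisher_domain=$(az ad app show --id "$app_id" --query publisherDomain -o tsv)

  echo "Client ID:           $app_id"
  echo "Single sign-on URL:  $(sdm_sso_url "$publisher_domain")"
  echo "Client secret value: $secret"   # shown once; put it in a secrets manager
}

# Usage: ./register_sdm_app.sh <us|uk|eu> ["Display name"]
if [ "${1:-}" ]; then
  register_sdm_app "$@"
fi
```

Because the secret value is shown only once, the script prints it together with the client ID and SSO URL; in practice, redirect that line straight into your secrets manager rather than leaving it in a terminal scrollback or shell history. Rotation later is the same `az ad app credential reset --append` call followed by updating the Admin UI, after which the old secret can be deleted.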

#### Add SSO in StrongDM

1. In the Admin UI, go to **Settings** > **User Management**.
2. In the **Single Sign-on** section, click the **lock** to make changes, and then set the following:
   1. From the dropdown selector, select **Azure** as the SSO provider.
   2. **Single sign-on URL:** Set `https://login.microsoftonline.com/<PUBLISHER_DOMAIN>`, replacing `<PUBLISHER_DOMAIN>` with the Publisher Domain you copied from the app’s **Branding** section (for example, `https://login.microsoftonline.com/contoso.onmicrosoft.com`).
   3. **Client ID**: Set the **Application (client) ID** that you copied from the app’s **Overview** section.
   4. **Client Secret**: Set the client secret **Value** (not the Secret ID) that you copied from the app’s **Certificates & secrets** section.
3. Select your desired [general SSO settings](/admin/principals/sso.md).
4. Click **activate**.

![](/files/3lTlNjGMhBJCvVvz4fi5)

Microsoft Entra ID SSO configuration is now complete. Before rolling it out to everyone, sign in as a test user in a private browser window to confirm the round trip works, and keep an existing administrator session open while you do so, so that a misconfigured redirect URI or secret cannot lock you out.
