SSO in Entra ID

Configuring Entra ID as an external identity provider lets users sign in with their Microsoft work accounts. Authentication—including single sign-on, multi-factor authentication, and conditional access—is handled by Entra ID.

This approach centralises user management and streamlines onboarding.


Before You Begin

Open the configuration form in a new tab. You'll fill it in as you complete each step below.

Open SSO Configuration Form

Recommended setup

Work with three browser tabs open:

  1. Azure Portal or Microsoft Entra admin centre — the menus are the same
  2. This page — the instructions you're following
  3. The form — where you'll enter the values

Form Fields Summary

As you complete the steps below, you'll collect these values for the form:

Form Field | Where to Find It | Step
Client Key | Application (client) ID on Overview page | 1
Authorisation Endpoint URL | OAuth 2.0 authorization endpoint (v2) | 1
Access Token URL | OAuth 2.0 token endpoint (v2) | 1
Issuer | "issuer" value from OpenID Connect metadata JSON | 1
Client Secret | OneTimeSecret link containing your secret | 2

Step 1: Register the application

In the Azure Portal or Microsoft Entra admin centre, navigate to Microsoft Entra ID > App registrations:

  1. Click New registration
  2. Configure the basic settings:
    • Name: Enter a name (e.g., "SIDRA Floating Licence")
    • Supported account types: Select "Accounts in this organizational directory only"
    • Redirect URI: Select Web and enter:
      https://licensing.sidrasolutions.com/user/oauth20/cb
      
  3. Click Register

Copy the configuration values

After registration, you'll land on the app's Overview page:

  1. Copy the Application (client) ID
    • → Paste into form field: Client Key
  2. Click the Endpoints button (top of the page)
  3. Copy these endpoint URLs:
    • OAuth 2.0 authorization endpoint (v2) → Form field: Authorisation Endpoint URL
    • OAuth 2.0 token endpoint (v2) → Form field: Access Token URL
  4. To find the Issuer value:
    • Copy the OpenID Connect metadata document URL
    • Open it in a new browser tab (it displays a JSON file)
    • Find the "issuer" field and copy its value → Form field: Issuer

Configure the logout URL

  1. Go to Authentication (left sidebar)
  2. Scroll to Front-channel logout URL and enter:
    https://licensing.sidrasolutions.com/user/oidc/idp-logout
    
  3. Click Save

Step 2: Create a client secret

  1. Go to Certificates & secrets (left sidebar)
  2. Under Client secrets, click New client secret
  3. Enter a description and select an expiry period
  4. Click Add

Copy the secret immediately

The secret value is only displayed once. If you navigate away, you cannot retrieve it.

  1. Copy the Value (not the Secret ID)
  2. Go to onetimesecret.com and create a secure link for the secret
  3. Paste the OneTimeSecret link → Form field: Client Secret

Step 3: Add API permissions

  1. Go to API permissions (left sidebar)
  2. Click Add a permission
  3. Select Microsoft Graph > Delegated permissions
  4. Search for and select these permissions (may appear under "OpenID permissions" in some tenants):
    • email
    • openid
    • profile
  5. Click Add permissions

Grant admin consent

Click Grant admin consent for [your organisation] and confirm. The status for each permission should show a green tick.


Step 4: Submit the form

Before you submit — common mistakes

  • Client Secret: Copy the Value, not the Secret ID (it's only shown once)
  • Redirect URI: Must be exactly https://licensing.sidrasolutions.com/user/oauth20/cb
  • Admin consent: Ensure all permissions show a green tick
  • Assignment required: If enabled, you must assign users/groups or sign-in will fail
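
A pre-submission check for the values collected in Steps 1 and 2, added here as an example (it is not SIDRA's or Microsoft's code). It compares the form fields against the JSON from the OpenID Connect metadata document and flags a raw secret pasted where the OneTimeSecret link belongs. Assumptions: the function and constant names are hypothetical, the tenant ID, client ID and link below are constructed placeholders, and OneTimeSecret links are taken to be served from onetimesecret.com or a subdomain of it.

```python
import json
import re
from urllib.parse import urlparse

GUID = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.I)

# Constructed sample data: an all-zero placeholder tenant ID, not a real tenant.
BASE = "https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000"
SAMPLE_METADATA = json.dumps({
    "issuer": f"{BASE}/v2.0",
    "authorization_endpoint": f"{BASE}/oauth2/v2.0/authorize",
    "token_endpoint": f"{BASE}/oauth2/v2.0/token",
})
SAMPLE_FORM = {  # constructed values standing in for what you typed in the form
    "Client Key": "11111111-2222-3333-4444-555555555555",
    "Authorisation Endpoint URL": f"{BASE}/oauth2/v2.0/authorize",
    "Access Token URL": f"{BASE}/oauth2/v2.0/token",
    "Issuer": f"{BASE}/v2.0",
    "Client Secret": "https://onetimesecret.com/secret/EXAMPLE",
}
# Form field -> key in the OpenID Connect metadata JSON it must equal exactly.
PAIRS = {
    "Issuer": "issuer",
    "Authorisation Endpoint URL": "authorization_endpoint",
    "Access Token URL": "token_endpoint",
}


def check_form(form: dict, metadata_json: str) -> list:
    """Return a list of problems; an empty list means the values are consistent."""
    meta = json.loads(metadata_json)
    problems = []
    for field, key in PAIRS.items():
        value = form.get(field, "").strip()
        if value != meta.get(key):
            problems.append(f"{field}: does not match metadata '{key}'")
        if urlparse(value).scheme != "https":
            problems.append(f"{field}: not an https URL")
    # Metadata fetched via /common or /organizations carries a literal
    # "{tenantid}" template as issuer; a single-tenant app needs the real ID.
    if "{tenantid}" in meta.get("issuer", ""):
        problems.append("Issuer: metadata is not tenant-specific")
    if not GUID.match(form.get("Client Key", "").strip()):
        problems.append("Client Key: not a GUID (expected Application (client) ID)")
    # The form takes a OneTimeSecret link, never the raw secret value.
    host = urlparse(form.get("Client Secret", "").strip()).hostname or ""
    if not (host == "onetimesecret.com" or host.endswith(".onetimesecret.com")):
        problems.append("Client Secret: expected a onetimesecret.com link")
    return problems
```

Call `check_form(your_form_values, metadata_text)` with the JSON text you saw when opening the metadata document URL; a v1 endpoint copied by mistake shows up as a mismatch against the v2 metadata.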

Return to the configuration form tab and:

  1. Verify all SSO Configuration Values are filled in
  2. Complete the Customer Information section
  3. Click Submit

You'll receive a confirmation email. SIDRA Support will complete the server-side configuration and notify you when SSO is ready for testing.


Restricting access (optional)

By default, all users in your organisation can sign in. To restrict access to specific users or groups:

  1. In the Azure Portal, go to Enterprise applications
  2. Find and select your registered application
  3. Go to Properties and set Assignment required? to Yes
  4. Go to Users and groups and assign access to specific users or groups

Need help?

If you encounter any issues, contact SIDRA Support.