# Configure Microsoft Entra ID for single sign-on (SSO) and user import in Salto IDM
> Configure Microsoft Entra ID in the Azure portal to enable single sign-on (SSO) and import Entra ID users as Salto IDM users.


This guide explains which services to create and which settings to configure in the [Azure portal](https://portal.azure.com/) to enable single sign-on (SSO) and import Microsoft Entra ID (formerly Azure Active Directory) users as Salto IDM users.

## Instructions {#instructions}

Follow these instructions to create an app registration and configure it correctly in Salto IDM.

### Step 1: Register the application with your Microsoft Entra ID tenant {#step-1-register-the-application-with-your-microsoft-entra-id-tenant}

1. Navigate to the [Azure portal - App registrations](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/RegisteredApps) page.
2. Either pick an existing application on the **All applications** tab or select **New registration**.
3. When the **Register an application** page appears, enter your application's registration information:
    - In the **Name** section, enter a representative name (for example, `SaltoIDM-EntraID-Integration`).
    - In the **Supported account types** section, select one of the following:
        - To allow external users and accounts from different domains and tenants, select **Accounts in any organizational directory (Any Microsoft Entra ID tenant - Multitenant)**.
        - To allow only internal users and accounts from your own domain and tenant, select **Accounts in this organizational directory (Your Tenant Name only - Single Tenant)**.
    - In the **Redirect URI (optional)** section, select **Web** from the dropdown and enter the following URL: `https://{{HOSTNAME}}:{{PORT}}/signin-microsoft`

    ![Register an application page in the Azure portal](images/entra-id-app-registration.png)
    {.border}

4. Select **Register** to create the application.

{{% info-panel %}}
For the **Redirect URI**, ensure that you use HTTPS (not HTTP) and replace `{{HOSTNAME}}` and `{{PORT}}` with the actual host and port where the application will be running.

When the production environment runs on the default HTTPS port (443), you do not need to add the port (for example, `https://demo.saltoidm.com/signin-microsoft`).

To keep your registrations clean and isolated, which allows easier debugging and problem-solving, create separate app registrations for different environments (for example, Localhost, Production, Staging).
{{% /info-panel %}}

### Step 2: Configure application authentication {#step-2-configure-application-authentication}

1. On the app registration page, select the **Authentication** tab.
2. Update your **Front-channel logout URL** to point to `https://{{HOSTNAME}}:{{PORT}}/Account/Signout`.
3. Under **Implicit grant and hybrid flows**, select the following checkboxes so the authorization endpoint can issue the correct tokens:
    - **Access tokens (used for implicit flows)**
    - **ID tokens (used for implicit and hybrid flows)**

    ![Authentication tab with access and ID tokens selected](images/entra-id-authentication-tokens.png)

### Step 3: Configure the application secret {#step-3-configure-the-application-secret}

1. Select the **Certificates & secrets** tab and select **New client secret**.
2. Add a representative **Description** to your secret, and choose an **Expiration** according to your own security and maintenance rules.

    ![Adding a client secret with a description and expiration](images/entra-id-client-secret.png)
    {.border}

3. Once you create the secret, copy the **Secret Value** (not the Secret ID) and store it in a safe place, such as a password manager.
Once you leave this page, you will not be able to see the value again, and if you do not save it, you will need to re-create the secret.

{{% warning-panel %}}
After the secret expires, SSO will not work.
You must create a new secret and update its value in Salto IDM.

Ensure you have a mechanism in place to alert you when the secret is about to expire to avoid login issues in production environments.
{{% /warning-panel %}}
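The warning above asks for a mechanism that alerts before the secret expires. The script below is an added example, not Salto IDM code: it lists the password credentials on the app registration with the Azure CLI and exits non-zero when any of them has expired or expires within `WARN_DAYS`, so it can run from cron or a CI job and page on failure. It assumes a signed-in Azure CLI (version 2.37 or later, with the Microsoft Graph based `az ad` commands) that can read the registration, and GNU `date` (Linux) for parsing the ISO 8601 `endDateTime` values the CLI returns; the application ID passed as the only argument is the **Application (client) ID** from the registration's **Overview** page.

```shell
#!/bin/sh
# Added example (not Salto IDM code): report client secrets on an app
# registration that have expired or expire within WARN_DAYS days.
# Assumes: signed-in Azure CLI >= 2.37 and GNU date (Linux).
set -eu

WARN_DAYS="${WARN_DAYS:-30}"

# Classify one credential by its end date: prints EXPIRED, WARN or OK.
# NOW defaults to the current time; it is a parameter so results are testable.
secret_state() {   # secret_state END_DATE [NOW] [WARN_DAYS]
  end_epoch=$(date -u -d "$1" +%s)
  now_epoch=$(date -u -d "${2:-now}" +%s)
  warn_secs=$(( ${3:-$WARN_DAYS} * 86400 ))
  if [ "$end_epoch" -lt "$now_epoch" ]; then
    echo EXPIRED
  elif [ $(( end_epoch - now_epoch )) -le "$warn_secs" ]; then
    echo WARN
  else
    echo OK
  fi
}

# List every password credential (the client secrets from Step 3) on the
# registration and print one line per secret. endDateTime is requested first
# so a display name containing spaces lands intact in $name. A failing
# 'az' call aborts the script (set -e) instead of silently reporting OK.
check_app_secrets() {   # check_app_secrets APP_ID
  creds=$(az ad app credential list --id "$1" \
            --query "[].[endDateTime,displayName]" -o tsv)
  printf '%s\n' "$creds" |
  {
    rc=0
    while read -r end name; do
      [ -n "$end" ] || continue
      state=$(secret_state "$end")
      printf '%-8s %s (expires %s)\n' "$state" "$name" "$end"
      [ "$state" = OK ] || rc=1
    done
    exit "$rc"   # the braces run in a subshell; this sets the pipeline status
  }
}

# Only contact Azure when an application ID is given, so the helpers can be sourced.
if [ $# -eq 1 ]; then
  check_app_secrets "$1"
fi
```

Run it as `WARN_DAYS=45 sh check-secrets.sh <application-id>`; a non-zero exit means at least one secret needs rotating, which is the moment to create the new secret (Step 3) and paste it into Salto IDM (Step 6) before the old one lapses.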

### Step 4: Configure application claims {#step-4-configure-application-claims}

1. Select the **Token configuration** tab and select **Add optional claim**.
2. For **Token type**, choose **ID**, and check the following claims:
    - **Email**
    - **Given name**
    - **Surname**
    - **Object ID**

    ![Add optional claim dialog with the ID token claims selected](images/entra-id-optional-claims.png)

3. Select **Add**.
A dialog appears asking whether to turn on the Microsoft Graph permissions (email and profile) required to read those claims.
Select the checkbox, and then select **Add**.

    ![Pop-up to turn on the Microsoft Graph email and profile permission](images/entra-id-graph-permission-consent.png)

### Step 5: Configure API permissions {#step-5-configure-api-permissions}

1. Select the **API permissions** tab and confirm that the Microsoft Graph permissions from the previous step were added automatically.

    ![API permissions automatically added for Microsoft Graph](images/entra-id-api-permissions.png)

2. Select **Add a permission**, choose **Microsoft Graph**, then **Application permissions**.
Expand **User**, select `User.Read.All`, and select **Add permissions**.

    ![Selecting the application permission to read all users](images/entra-id-user-read-all-permission.png)
    {.border}

3. Lastly, grant admin consent by selecting **Grant admin consent for** your tenant above the permissions table.
Once consent is granted, each permission shows a checkmark in the **Status** column.

    ![Admin consent granted status for the permissions](images/entra-id-admin-consent.png)
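The info panel in Step 1 recommends one registration per environment. Doing steps 1 to 5 by hand for Localhost, Staging and Production invites drift, so the script below is an added example (not Salto IDM code) that performs the same steps with the Azure CLI. It assumes Azure CLI 2.37 or later (the Microsoft Graph based `az ad` commands), a signed-in account allowed to create app registrations and grant admin consent, and the hostname and port supplied through the `SALTO_HOST` and `SALTO_PORT` variables (the defaults use the `demo.saltoidm.com` example from the page). Permission IDs are looked up on the Microsoft Graph service principal at run time rather than hard-coded; `oid` is emitted in ID tokens by default, so only the three non-default claims are requested as optional claims.

```shell
#!/bin/sh
# Added example (not Salto IDM code): steps 1-5 of the portal walkthrough as a
# repeatable Azure CLI script, one run per environment.
# Assumes: Azure CLI >= 2.37, signed in with rights to create app
# registrations and grant admin consent.
set -eu

APP_NAME="${APP_NAME:-SaltoIDM-EntraID-Integration}"
SALTO_HOST="${SALTO_HOST:-demo.saltoidm.com}"   # host Salto IDM is served on
SALTO_PORT="${SALTO_PORT:-443}"
GRAPH_APP_ID=00000003-0000-0000-c000-000000000000   # well-known Microsoft Graph app ID

# HTTPS URL for a Salto IDM path; the port is omitted when it is the default 443.
salto_url() {   # salto_url PATH
  if [ "$SALTO_PORT" = 443 ]; then
    echo "https://$SALTO_HOST$1"
  else
    echo "https://$SALTO_HOST:$SALTO_PORT$1"
  fi
}

register_salto_app() {
  # Step 1: single-tenant registration with the Web redirect URI.
  # Step 2: let the authorization endpoint issue ID and access tokens.
  app_id=$(az ad app create \
    --display-name "$APP_NAME" \
    --sign-in-audience AzureADMyOrg \
    --web-redirect-uris "$(salto_url /signin-microsoft)" \
    --enable-id-token-issuance true \
    --enable-access-token-issuance true \
    --query appId -o tsv)
  obj_id=$(az ad app show --id "$app_id" --query id -o tsv)

  # Step 2: front-channel logout URL (web.logoutUrl on the Graph application object).
  az rest --method PATCH \
    --uri "https://graph.microsoft.com/v1.0/applications/$obj_id" \
    --headers 'Content-Type=application/json' \
    --body "{\"web\":{\"logoutUrl\":\"$(salto_url /Account/Signout)\"}}"

  # Step 4: optional ID-token claims. oid is included by default.
  az ad app update --id "$app_id" --optional-claims '{
    "idToken": [
      {"name": "email", "essential": false},
      {"name": "given_name", "essential": false},
      {"name": "family_name", "essential": false}
    ]
  }'

  # Step 5: resolve permission IDs from the Graph service principal, then add
  # delegated email/profile and the User.Read.All application permission.
  scope_email=$(az ad sp show --id "$GRAPH_APP_ID" \
    --query "oauth2PermissionScopes[?value=='email'].id | [0]" -o tsv)
  scope_profile=$(az ad sp show --id "$GRAPH_APP_ID" \
    --query "oauth2PermissionScopes[?value=='profile'].id | [0]" -o tsv)
  role_users=$(az ad sp show --id "$GRAPH_APP_ID" \
    --query "appRoles[?value=='User.Read.All'].id | [0]" -o tsv)
  az ad app permission add --id "$app_id" --api "$GRAPH_APP_ID" \
    --api-permissions "$scope_email=Scope" "$scope_profile=Scope" "$role_users=Role"

  # Admin consent needs a service principal for the app in this tenant.
  az ad sp create --id "$app_id" >/dev/null
  az ad app permission admin-consent --id "$app_id"

  # Step 3: client secret. The value is shown once and cannot be read back later.
  secret=$(az ad app credential reset --id "$app_id" --append \
    --display-name "salto-idm-$SALTO_HOST" --years 1 --query password -o tsv)

  echo "Application (client) ID: $app_id"
  echo "Directory (tenant) ID:   $(az account show --query tenantId -o tsv)"
  echo "Client secret (value):   $secret"
}

# Only contact Azure when explicitly asked, so the helpers can be sourced.
if [ "${1:-}" = apply ]; then
  register_salto_app
fi
```

The three values it prints are exactly what Step 6 asks for; paste the secret into Salto IDM (or a password manager) immediately, because the script does not store it. Use `--sign-in-audience AzureADMultipleOrgs` instead of `AzureADMyOrg` if you chose the multitenant option in Step 1.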

### Step 6: Add the app registration settings to Salto IDM {#step-6-add-the-app-registration-settings-to-salto-idm}

1. In Salto IDM, ensure that your license includes the **Microsoft Entra ID** integration.
Contact our support team if your installation does not have it.
2. Log in as an app user with rights to update **Microsoft Entra ID**.
3. Navigate to **Administration** > **Settings**.
Choose **Microsoft Entra ID** from the menu on the left.
4. Ensure that the **Use Microsoft Entra ID Single Sign-on** option is on.
5. Fill in all the values according to your app registration IDs in Azure and the previously stored secret:

    ![Single Sign-On Credentials settings in Salto IDM](images/idm-entra-id-sso-credentials.png)
    {.border}

    You can find the **Directory (tenant) ID** and **Application (client) ID** on the **Overview** page of your app registration in Azure.

    ![App registration overview showing the application and directory IDs](images/entra-id-app-overview-ids.png)

{{% info-panel %}}
After you save the values, the **Client secret (value)** field appears empty.
This is intentional: the stored secret is never sent back to the frontend.

When you save again, entering a new value replaces the stored secret.
Leaving the field empty keeps the existing one.
{{% /info-panel %}}

### Step 7: Log in using Microsoft Entra ID SSO {#step-7-log-in-using-microsoft-entra-id-sso}

1. Once this option is on and correctly configured, you can log in using your Microsoft account.
2. Navigate to the login page and choose **Sign in with Microsoft**.

    ![Salto IDM login page with the Sign in with Microsoft option](images/idm-sign-in-with-microsoft.png)
    {.border}

3. Follow the usual steps to sign in to your Microsoft account.
When you are redirected back to Salto IDM, confirm that you want to link your Microsoft account with a Salto IDM application user:

    ![Association information confirming the Microsoft account link](images/idm-account-association.png)
    {.border}

4. After this, you can log in to Salto IDM as a limited user.
Ask your administrator to assign the correct roles and rights to your application user so you can use the required features.

### Step 8: Import Microsoft Entra ID users as Salto IDM users {#step-8-import-microsoft-entra-id-users-as-salto-idm-users}

1. Go to **Administration** > **Automations** and create a new automation.
Select the **Microsoft Entra ID Import** option, and use the **Credentials** tab on the right to add the saved credentials.

    ![Creating a Microsoft Entra ID import automation in Salto IDM](images/idm-entra-id-import-automation.png)
    {.border}

2. Save the automation, and use the **Configuration** tab to fully adjust the import according to your needs.

    ![Configuration tab for the Microsoft Entra ID import automation](images/idm-entra-id-import-configuration.png)
    {.border}

3. After the automation has run (for example, after you start it manually), the imported accounts appear as Users in Salto IDM.

    ![Confirmation that the automation completed in Salto IDM](images/idm-automation-success.png)
    {.border}

