# Microsoft Entra ID

{% hint style="info" %}
This feature is available in the **Premium plan and higher**.
{% endhint %}

{% hint style="danger" %}
**Remember to** [**grant your Azure users access permissions**](#step-4-managing-user-access) **to GoodAccess. Users without them won't be able to log in.**
{% endhint %}

## Step 1 - Adding a new identity provider

Log in to the GoodAccess **Control Panel**, and go to [**Settings** > **SSO & Identity**](https://app.goodaccess.com/sso-and-identity/).

Click **+ Add provider**, enter the **Provider name**, choose your **Identity Provider**, and click **Continue**.

## Step 2 - Setting up Single Sign-On with SAML

Log in to the [Azure Portal](https://portal.azure.com/), and go to **Enterprise applications** (you can use the searchbar).

Click **+ New application**, and **+ Create your own application**.

Give the application a name, choose **Integrate any other application you don't find in the gallery (Non-gallery)**, and click **Create**.

In your new application go to **Single Sign-On** > **SAML**.

<div><figure><img src="https://418253935-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FiJ406Lpi9EKoWDi7GFL7%2Fuploads%2FCUN85QXUqCDsWPU3h7ak%2FFeatures_SSO_Azure_01.png?alt=media&#x26;token=d9dc31e0-fb4e-45b3-afa7-0b7ff5d13056" alt="Azure Portal with key steps to creating a new enterprise application."><figcaption><p>Creating a new enterprise application</p></figcaption></figure> <figure><img src="https://418253935-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FiJ406Lpi9EKoWDi7GFL7%2Fuploads%2FsgZTlg4k9VZac7ami3U3%2FFeatures_SSO_Azure_02.png?alt=media&#x26;token=c99e064d-bb21-4927-84cc-809e8095332f" alt="Azure Portal with key steps to creating a new enterprise application."><figcaption><p>Creating a new enterprise application</p></figcaption></figure></div>

<figure><img src="https://418253935-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FiJ406Lpi9EKoWDi7GFL7%2Fuploads%2FMBdpMTrA2NMHE43GsDZt%2FFeatures_SSO_Azure_03.png?alt=media&#x26;token=5486f539-4b1a-4290-a5d1-2b1944b737e1" alt="Azure Portal with key steps to selecting SAML as a single sign-on method for the enterprise application."><figcaption><p>Selecting SAML as a single sign-on method</p></figcaption></figure>

### 1. Basic SAML Configuration

Click **Edit** to open Basic SAML Configuration.

Copy the values GoodAccess shows under **(2) GoodAccess links** into the matching Azure fields (Azure field - GoodAccess value). The **Identifier** and **Reply URL** must match character for character: Entra places them in the assertion's Audience and Recipient, which every SAML service provider validates on sign-in.

* **Identifier** - Entity ID
* **Reply URL** - Assertion Consumer Service URL
* **Sign on URL** - Login URL
* **Relay State** - Relay State

Return to GoodAccess, and click **Continue**.

Return to Azure, and click **Save**.

<div><figure><img src="https://418253935-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FiJ406Lpi9EKoWDi7GFL7%2Fuploads%2FKL5I8JxK0qati8bYtIoH%2FFeatures_SSO_Azure_04.png?alt=media&#x26;token=ba9a53b2-0f7f-4301-9883-48659538b025" alt="Azure Portal with key steps to opening the &#x22;Basic SAML Configuration&#x22;."><figcaption><p>Opening the Basic SAML Configuration</p></figcaption></figure> <figure><img src="https://418253935-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FiJ406Lpi9EKoWDi7GFL7%2Fuploads%2FYALH54Z1cERR6UTMsopf%2FFeatures_SSO_Azure_05.png?alt=media&#x26;token=dad7c663-6dfd-4e81-9330-a6c2815a4400" alt="Azure Portal with key steps to setting up the &#x22;Basic SAML Configuration&#x22;."><figcaption><p>Setting up the Basic SAML Configuration</p></figcaption></figure></div>

### 2. Attributes & Claims

Click **Edit** to open Attributes & Claims.

Under **Additional claims**, click the record whose value is **user.userprincipalname** and edit it as follows:

* **Name** - "name" (without quotes)
* **Namespace** - delete the pre-filled URL

Click **Save**.

Then, still under **Additional claims**, click the record whose value is **user.mail** and edit it as follows:

* **Name** - "email" (without quotes)
* **Namespace** - delete the pre-filled URL
* **Source attribute** - user.userprincipalname

Don't forget to **Save**. With this change the `email` claim carries the user's UPN, so the address GoodAccess receives for a user is the UPN, not the `mail` attribute; keep that in mind for users whose UPN is not their mailbox address.

<figure><img src="https://418253935-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FiJ406Lpi9EKoWDi7GFL7%2Fuploads%2FyvZ3WGk9BWnUA4pslmUZ%2FFeatures_SSO_Azure_06.png?alt=media&#x26;token=778d5c38-13a0-446a-8762-4691d9069e53" alt="Azure Portal with key steps to setting up the &#x22;Attributes &#x26; Claims&#x22;."><figcaption><p>Setting up Attributes &#x26; Claims</p></figcaption></figure>

<div><figure><img src="https://418253935-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FiJ406Lpi9EKoWDi7GFL7%2Fuploads%2FPgFc3nfbn9zJQFvqsNlV%2FFeatures_SSO_Azure_07.png?alt=media&#x26;token=2e33763d-68f7-4ca7-924e-af3b79637ed1" alt="Azure Portal with key steps to managing the &#x22;user.userprincipalname&#x22; claim."><figcaption><p>Managing the "user.userprincipalname" claim</p></figcaption></figure> <figure><img src="https://418253935-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FiJ406Lpi9EKoWDi7GFL7%2Fuploads%2FGPnTjkmrqBXxkm2irsCZ%2FFeatures_SSO_Azure_08.png?alt=media&#x26;token=46d2c225-b2f0-4cb4-a4e6-d6804e175f74" alt="Azure Portal with key steps to managing the &#x22;user.mail&#x22; claim."><figcaption><p>Managing the "user.mail" claim</p></figcaption></figure></div>

### 3. SAML Certificates

Download the **Certificate (Base64)**, and open the file in a text editor (e.g. Notepad). Note the **Expiration** date shown next to it: GoodAccess keeps its own copy of this certificate, so when you renew or rotate the certificate in Entra you must paste the new one into GoodAccess, otherwise sign-ins will fail.

<figure><img src="https://418253935-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FiJ406Lpi9EKoWDi7GFL7%2Fuploads%2FFu3N31xSNZOkqPpLC7Od%2FFeatures_SSO_Azure_09.png?alt=media&#x26;token=9bcfa009-7b31-4c54-8253-a9bd63440af8" alt="Azure Portal with key steps to downloading the certificate."><figcaption><p>Downloading the certificate</p></figcaption></figure>

### 4. Set up GoodAccess

Copy the details to GoodAccess - **(3) Identity Provider links**, and click **Continue**.

* **Sign in URL** - Login URL
* **Entity ID** - Microsoft Entra ID Identifier
* **X509 signing certificate** - Copy the certificate from the text editor

<figure><img src="https://418253935-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FiJ406Lpi9EKoWDi7GFL7%2Fuploads%2Fz1c4PUcoG4dLSh85pgE8%2FFeatures_SSO_Azure_10.png?alt=media&#x26;token=de69bc15-2d2d-400f-add2-1796122d4ae5" alt="Azure Portal with key steps to setting up GoodAccess."><figcaption><p>Setting up GoodAccess</p></figcaption></figure>

{% hint style="info" %}
If you don't want to set up SCIM, skip the next step in GoodAccess, and click **Submit** to finish the configuration.
{% endhint %}

You have now successfully set up your Microsoft Entra ID SSO with GoodAccess.
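Before handing the integration to users it is worth confirming that what Entra actually sends matches Steps 2.1 and 2.2. The script below is an added example, not GoodAccess or Microsoft code. It takes a SAML Response captured with a browser SAML tracer (base64-decoded to XML), the Entity ID and ACS URL from the GoodAccess panel, and the Base64 certificate you pasted in Step 2.4, and reports any mismatch: wrong Audience or Recipient, claims still carrying Entra's default namespace, or a signing certificate that differs from the configured one. The `example.com` URLs, the all-zeros tenant ID and the certificate bytes are constructed placeholders. It checks configuration only and does not verify the XML signature.

```python
"""Check a captured Entra ID SAML Response against the GoodAccess settings.

Added example, not GoodAccess or Microsoft code.  Capture the SAMLResponse
POSTed to GoodAccess with a browser SAML tracer, base64-decode it, and pass
the XML here together with the values shown in the GoodAccess panel.  It
checks configuration only: it does NOT verify the XML signature.
"""
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
# Prefix of Entra's default claim names; Step 2.2 strips it from "name" and "email".
DEFAULT_CLAIM_PREFIX = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/"


def cert_fingerprint(pem_or_b64):
    """SHA-256 hex fingerprint of a Base64 certificate, with or without
    the -----BEGIN/END CERTIFICATE----- lines (the file Entra downloads)."""
    lines = [line.strip() for line in pem_or_b64.splitlines()]
    body = "".join(line for line in lines if line and not line.startswith("-----"))
    return hashlib.sha256(base64.b64decode(body)).hexdigest()


def check_saml_response(xml_text, entity_id, acs_url, configured_cert):
    """Return the list of mismatches between the response and the GoodAccess
    settings; an empty list means the SAML side of the setup lines up."""
    problems = []
    root = ET.fromstring(xml_text)
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return ["no plain <Assertion> in the response (encrypted assertions are not handled here)"]

    # 1. Audience must equal the Entity ID entered as Identifier in Basic SAML Configuration.
    audiences = [a.text for a in assertion.findall(
        "saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)]
    if entity_id not in audiences:
        problems.append("Audience %r does not match Entity ID %r" % (audiences, entity_id))

    # 2. Recipient must equal the ACS URL entered as Reply URL.
    scd = assertion.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    recipient = scd.get("Recipient") if scd is not None else None
    if recipient != acs_url:
        problems.append("Recipient %r does not match Reply URL %r" % (recipient, acs_url))

    # 3. Step 2.2 renamed the claims: GoodAccess expects attributes literally called "name" and "email".
    attrs = {a.get("Name"): [v.text for v in a.findall("saml:AttributeValue", NS)]
             for a in assertion.findall("saml:AttributeStatement/saml:Attribute", NS)}
    for required in ("name", "email"):
        if not attrs.get(required):
            problems.append("attribute %r is missing or empty" % required)
    for name in attrs:
        if name.startswith(DEFAULT_CLAIM_PREFIX):
            problems.append("claim %r still carries the default namespace; delete it under Attributes & Claims" % name)

    # 4. The certificate carried in the signature must be the one pasted into GoodAccess.
    cert_el = root.find(".//ds:X509Certificate", NS)
    if cert_el is None or not cert_el.text:
        problems.append("no X509Certificate in the response")
    elif cert_fingerprint(cert_el.text) != cert_fingerprint(configured_cert):
        problems.append("signing certificate differs from the one configured in GoodAccess (rotated in Entra?)")
    return problems


# Constructed sample values standing in for the ones shown in the GoodAccess panel.
ENTITY_ID = "https://sso.example.com/saml/metadata"
ACS_URL = "https://sso.example.com/saml/acs"
# Not a real certificate: arbitrary bytes in the Base64 layout of Entra's download.
FAKE_CERT = ("-----BEGIN CERTIFICATE-----\n"
             + base64.b64encode(b"constructed, not a real X.509 certificate").decode()
             + "\n-----END CERTIFICATE-----\n")


def sample_response(name_attr="name", email_attr="email", cert=FAKE_CERT):
    """Minimal Entra-shaped response (constructed); the Signature element is kept only for the certificate."""
    cert_b64 = "".join(l.strip() for l in cert.splitlines() if not l.startswith("-----"))
    return """<samlp:Response xmlns:samlp="%s" xmlns:saml="%s" xmlns:ds="%s" Version="2.0">
  <saml:Assertion Version="2.0">
    <saml:Issuer>https://sts.windows.net/00000000-0000-0000-0000-000000000000/</saml:Issuer>
    <ds:Signature><ds:KeyInfo><ds:X509Data><ds:X509Certificate>%s</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature>
    <saml:Subject>
      <saml:NameID>alice@example.com</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData Recipient="%s"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions><saml:AudienceRestriction><saml:Audience>%s</saml:Audience></saml:AudienceRestriction></saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="%s"><saml:AttributeValue>alice@example.com</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="%s"><saml:AttributeValue>alice@example.com</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>""" % (NS["samlp"], NS["saml"], NS["ds"], cert_b64, ACS_URL, ENTITY_ID, name_attr, email_attr)


if __name__ == "__main__":
    for line in check_saml_response(sample_response(), ENTITY_ID, ACS_URL, FAKE_CERT) or ["OK: response matches the GoodAccess settings"]:
        print(line)
```

Run it against a real capture by replacing `sample_response()` with the decoded XML and the three constants with the panel values. A response that still shows `http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name` and `.../emailaddress` means the claims in Step 2.2 were not saved; a certificate mismatch usually means Entra has rotated its signing certificate since Step 2.4.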

## Step 3 (optional) - Setting up SCIM

In the application, go to **Provisioning** > **Provisioning**, and set **Provisioning mode** to **Automatic**.

Expand **Admin Credentials**, and copy the **URL** and **Token** from GoodAccess - **(4) User provisioning (SCIM)** into **Tenant URL** and **Secret Token**. The Token is a bearer secret that lets its holder create, update and deactivate GoodAccess users; store it nowhere other than Entra.

Return to GoodAccess, and click **Submit**.

Return to Azure, click **Test Connection**, and once it succeeds click **Save** to confirm your settings.

<figure><img src="https://418253935-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FiJ406Lpi9EKoWDi7GFL7%2Fuploads%2FOLoZe2sqhiVW7sdTWD8f%2FFeatures_SSO_Azure_11.png?alt=media&#x26;token=63fbd864-6c8b-4eb1-b569-f95b1b5eb063" alt="Azure Portal with key steps to setting up SCIM."><figcaption><p>Setting up SCIM</p></figcaption></figure>

### 1. Attribute Mapping

Open **Mappings**, and select **Provision Microsoft Entra ID Users**.

Here, make sure that only the following four attributes are listed:

* userName
* active
* displayName
* externalId

If there are any attributes other than these four, **Delete** them to prevent provisioning issues.

Don't forget to **Save**.

<div data-full-width="false"><figure><img src="https://418253935-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FiJ406Lpi9EKoWDi7GFL7%2Fuploads%2F8Gz2hQ8dNXeVSKnNg6cv%2FFeatures_SSO_Azure_12.png?alt=media&#x26;token=aef3bf7a-69e7-4dde-bd29-5c800dc7159c" alt="Azure Portal with key steps to setting up the &#x22;Attribute Mapping&#x22;." width="563"><figcaption><p>Setting up the Attribute Mapping</p></figcaption></figure> <figure><img src="https://418253935-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FiJ406Lpi9EKoWDi7GFL7%2Fuploads%2F4bZX0tKj4kyxUeU0c4XD%2FFeatures_SSO_Azure_13.png?alt=media&#x26;token=c904978d-87e3-4fb7-85f2-c9af31c55dc7" alt="Azure Portal with key steps to setting up the &#x22;Attribute Mapping&#x22;." width="563"><figcaption><p>Setting up the Attribute Mapping</p></figcaption></figure></div>

### 2. Starting the provisioning

{% hint style="danger" %}
Users created via **Provisioning on demand** may be skipped by Azure during future automatic provisioning.

**We strongly recommend avoiding this function.**

If you have already created users this way, click the **Restart provisioning** button to restore synchronization for all users.
{% endhint %}

Go to **Overview**, and click **Start provisioning**.

<figure><img src="https://418253935-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FiJ406Lpi9EKoWDi7GFL7%2Fuploads%2FbXsBBhCRaky92NE4A2Kx%2FFeatures_SSO_Azure_13.png?alt=media&#x26;token=fdb3d94f-63ae-412a-9201-472dfce2db8f" alt="Azure Portal with key steps to starting the provisioning."><figcaption><p>Starting the provisioning</p></figcaption></figure>

{% hint style="info" %}
The whole provisioning process will take around **20 minutes** to complete depending on the number of members and groups being added.
{% endhint %}

You have now successfully set up Microsoft Entra ID SCIM with GoodAccess.
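After the first provisioning cycle you may want to confirm that a given user actually reached GoodAccess with the four attributes mapped in Step 3.1, without clicking through the Entra provisioning logs. The script below is an added example, not GoodAccess or Microsoft code. It assumes the endpoint behaves as an RFC 7644 SCIM 2.0 server (which the Entra provisioning connector requires) and takes the URL and Token from **(4) User provisioning (SCIM)** via the environment variables `GOODACCESS_SCIM_URL` and `GOODACCESS_SCIM_TOKEN`, both names chosen here. The sample ListResponse is constructed, not captured from GoodAccess.

```python
"""Query the GoodAccess SCIM endpoint for one user after provisioning has run.

Added example, not GoodAccess or Microsoft code.  It assumes the endpoint
is an RFC 7644 SCIM 2.0 server (which Entra's provisioning connector
requires) and takes the URL and Token shown under "(4) User provisioning
(SCIM)" in the GoodAccess panel.  The Token is a bearer secret that lets
its holder create, change and deactivate users: read it from the
environment and never paste it into tickets or scripts.
"""
import json
import os
import urllib.parse
import urllib.request

# The four attributes kept in the Step 3.1 mapping.
EXPECTED_ATTRIBUTES = ("userName", "active", "displayName", "externalId")


def scim_user_request(base_url, token, user_name):
    """Build GET <base_url>/Users?filter=userName eq "<user>" with the bearer token."""
    # Escape backslashes and quotes so a user name cannot alter the filter expression.
    escaped = user_name.replace("\\", "\\\\").replace('"', '\\"')
    query = urllib.parse.urlencode({"filter": 'userName eq "%s"' % escaped})
    return urllib.request.Request(
        base_url.rstrip("/") + "/Users?" + query,
        headers={"Authorization": "Bearer " + token, "Accept": "application/scim+json"},
    )


def summarize_scim_user(list_response):
    """Reduce a SCIM ListResponse to the mapped attributes, or None if no user matched."""
    resources = list_response.get("Resources") or []
    if not resources:
        return None
    user = resources[0]
    return {attr: user.get(attr) for attr in EXPECTED_ATTRIBUTES}


def find_scim_user(base_url, token, user_name, opener=urllib.request.urlopen):
    """Look the user up and return the mapped attributes (opener is injectable for tests)."""
    with opener(scim_user_request(base_url, token, user_name), timeout=15) as resp:
        return summarize_scim_user(json.load(resp))


# Constructed ListResponse in the RFC 7644 shape; not captured from GoodAccess.
SAMPLE_LIST_RESPONSE = {
    "schemas": ["urn:ietf:params:scim:api:messages:2.0:ListResponse"],
    "totalResults": 1,
    "Resources": [{
        "id": "u-1",
        "userName": "alice@example.com",
        "active": True,
        "displayName": "Alice Example",
        "externalId": "00000000-0000-0000-0000-000000000000",
    }],
}


if __name__ == "__main__":
    # Environment variable names are this example's own choice.
    summary = find_scim_user(os.environ["GOODACCESS_SCIM_URL"], os.environ["GOODACCESS_SCIM_TOKEN"],
                             "alice@example.com")
    if summary is None:
        print("user not provisioned yet (check Provisioning logs in Entra)")
    elif not summary["active"]:
        print("user exists but is deactivated:", json.dumps(summary))
    else:
        print(json.dumps(summary, indent=2))
```

A `None` result for a user who is assigned to the application (Step 4) means the cycle has not reached them yet or skipped them; `active` being `false` means Entra deprovisioned the user, typically because the assignment was removed.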

## Step 4 - Managing user access

In the application, go to **Users and groups**, and click **+ Add user/group**.

Choose who should have access, and click **Assign**.

<figure><img src="https://418253935-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FiJ406Lpi9EKoWDi7GFL7%2Fuploads%2FeZoTjOSbg2DOVnbG74gO%2FFeatures_SSO_Azure_14.png?alt=media&#x26;token=91b6ccb5-2087-42c2-ae34-ac6ca0586d3c" alt="Azure Portal with key steps to managing user access."><figcaption><p>Managing user access</p></figcaption></figure>
