# Microsoft Entra ID

{% hint style="info" %}
This feature is available in the **Premium plan and higher**.
{% endhint %}

{% hint style="danger" %}
**Remember to** [**grant your Azure users access permissions**](#step-4-managing-user-access) **to GoodAccess. Users without them won't be able to log in.**
{% endhint %}

## Step 1 - Adding a new identity provider

[Log in to the GoodAccess **Control Panel**, and go to **Settings** > **SSO & Identity**.](https://app.goodaccess.com/sso-and-identity/)

Click **+ Add provider**, enter the **Provider name**, choose your **Identity Provider**, and click **Continue**.

## Step 2 - Setting up Single Sign-On with SAML

Log in to the [Azure Portal](https://portal.azure.com/), and go to **Enterprise applications** (you can use the searchbar).

Click **+ New application**, and **+ Create your own application**.

Give the application a name, choose **Integrate any other application you don't find in the gallery (Non-gallery)**, and click **Create**.

In your new application go to **Single Sign-On** > **SAML**.

<div><figure><img src="/files/Cef3q7B5iXkZOcxO8C7D" alt="Azure Portal with key steps to creating a new enterprise application."><figcaption><p>Creating a new enterprise application</p></figcaption></figure> <figure><img src="/files/bO6CNFMKUNwAZLO0t8kN" alt="Azure Portal with key steps to creating a new enterprise application."><figcaption><p>Creating a new enterprise application</p></figcaption></figure></div>

<figure><img src="/files/7v5sp3EotLe1xQrpM4eR" alt="Azure Portal with key steps to selecting SAML as a single sign-on method for the enterprise application."><figcaption><p>Selecting SAML as a single sign-on method</p></figcaption></figure>

### 1. Basic SAML Configuration

Click **Edit** to open Basic SAML Configuration.

Copy the details from GoodAccess - **(2) GoodAccess links**.

* **Identifier** - Entity ID
* **Reply URL** - Assertion Consumer Service URL
* **Sign on URL** - Login URL
* **Relay State** - Relay State

Return to GoodAccess, and click **Continue**.

Return to Azure, and click **Save**.

<div><figure><img src="/files/f0gnNJOpHMh3J85HhW3W" alt="Azure Portal with key steps to opening the &#x22;Basic SAML Configuration&#x22;."><figcaption><p>Opening the Basic SAML Configuration</p></figcaption></figure> <figure><img src="/files/BCpS327JBiHPkyPFdnHU" alt="Azure Portal with key steps to setting up the &#x22;Basic SAML Configuration&#x22;."><figcaption><p>Setting up the Basic SAML Configuration</p></figcaption></figure></div>

### 2. Attributes & Claims

Click **Edit** to open Attributes & Claims.

Under the Additional claims section, click the record with the value **user.userprincipalname** and edit it as follows:

* **Name** - "name" (without quotes)
* **Namespace** - Delete pre-filled URL

Click **Save**.

Then, still in the Additional claims section, click the record with the value **user.mail** and edit it as follows:

* **Name** - "email" (without quotes)
* **Namespace** - Delete pre-filled URL
* **Source attribute** - user.userprincipalname

Don't forget to **Save**.

<figure><img src="/files/cvZjOMAc82UzkI01xpqq" alt="Azure Portal with key steps to setting up the &#x22;Attributes &#x26; Claims&#x22;."><figcaption><p>Setting up Attributes &#x26; Claims</p></figcaption></figure>

<div><figure><img src="/files/OI12MRiy1h1jwZ3Jyzxn" alt="Azure Portal with key steps to managing the &#x22;user.userprincipalname&#x22; claim."><figcaption><p>Managing the "user.userprincipalname" claim</p></figcaption></figure> <figure><img src="/files/bZoT874YZJOACc2U1bc1" alt="Azure Portal with key steps to managing the &#x22;user.mail&#x22; claim."><figcaption><p>Managing the "user.mail" claim</p></figcaption></figure></div>
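A quick way to confirm that both claims arrive the way GoodAccess expects (bare names `name` and `email`, no namespace URL, e-mail populated from the UPN) when troubleshooting a failed login. This is an added example, not part of the GoodAccess guide or product; the assertion it parses is a constructed sample and the check does not validate the SAML signature.

```python
"""Sanity-check the claims in a decoded SAML assertion from Entra ID.
Added example, not GoodAccess or Microsoft code. It assumes the assertion has
already been Base64-decoded (e.g. from a browser SAML trace) and only inspects
the AttributeStatement; it does not validate the signature or the certificate.
"""
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# The two claim names configured in step 2, with the Namespace field cleared.
REQUIRED_CLAIMS = {"name", "email"}

# Constructed sample assertion (signature, Subject and Conditions omitted).
SAMPLE_OK = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="name">
      <saml:AttributeValue>jane.doe@example.com</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="email">
      <saml:AttributeValue>jane.doe@example.com</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# Same assertion as it would look if the Namespace field on "email" was not deleted.
SAMPLE_BAD = SAMPLE_OK.replace(
    'Name="email"',
    'Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/email"')


def check_claims(saml_xml: str) -> dict:
    """Return {'ok': bool, 'claims': {Name: first value}, 'issues': [str]}."""
    root = ET.fromstring(saml_xml)
    claims, issues = {}, []
    for attr in root.iterfind(".//saml:Attribute", NS):
        name = attr.get("Name", "")
        values = [v.text or "" for v in attr.iterfind("saml:AttributeValue", NS)]
        claims[name] = values[0] if values else ""
        if name.startswith(("http://", "https://")):
            issues.append(f"claim '{name}' still has a URL namespace; "
                          "clear the Namespace field in Attributes & Claims")
    for missing in sorted(REQUIRED_CLAIMS - set(claims)):
        issues.append(f"required claim '{missing}' is missing")
    if "email" in claims and "@" not in claims["email"]:
        issues.append("email claim is empty; check its Source attribute (UPN)")
    return {"ok": not issues, "claims": claims, "issues": issues}


if __name__ == "__main__":
    print(check_claims(SAMPLE_OK), check_claims(SAMPLE_BAD), sep="\n")
```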

### 3. SAML Certificates

Download the **Certificate (Base64)**, and open the file in a text editor (e.g. Notepad).

<figure><img src="/files/7BgO9qZn5ZYSH50SB6CV" alt="Azure Portal with key steps to downloading the certificate."><figcaption><p>Downloading the certificate</p></figcaption></figure>

### 4. Set up GoodAccess

Copy the details to GoodAccess - **(3) Identity Provider links**, and click **Continue**.

* **Sign in URL** - Login URL
* **Entity ID** - Microsoft Entra ID Identifier
* **X509 signing certificate** - Copy the certificate from the text editor

<figure><img src="/files/dwCeO8wSxZP0rMlFKRn1" alt="Azure Portal with key steps to setting up GoodAccess."><figcaption><p>Setting up GoodAccess</p></figcaption></figure>

{% hint style="info" %}
If you don't want to set up SCIM, skip the next step in GoodAccess, and click **Submit** to finish the configuration.
{% endhint %}

You have now successfully set up your Microsoft Entra ID SSO with GoodAccess.

## Step 3 (optional) - Setting up SCIM

In the application, go to **Provisioning** > **Provisioning**, and set **Provisioning mode** to **Automatic**.

Expand **Admin Credentials**, and copy the **URL** and **Token** from GoodAccess - **(4) User provisioning (SCIM)**.

Return to GoodAccess, and click **Submit**.

Return to Azure, click **Test Connection**, and then **Save** to confirm your settings.

<figure><img src="/files/rtBOrOT0o8CzVWl5tTja" alt="Azure Portal with key steps to setting up SCIM."><figcaption><p>Setting up SCIM</p></figcaption></figure>

### 1. Attribute Mapping

Open **Mappings**, and select **Provision Microsoft Entra ID Users**.

Here, make sure that only the following four attributes are listed:

* userName
* active
* displayName
* externalId

If any attributes other than these four are listed, **Delete** them to prevent provisioning issues.

Don't forget to **Save**.

<div data-full-width="false"><figure><img src="/files/ZRH4S8qKMaMXaa1hzcli" alt="Azure Portal with key steps to setting up the &#x22;Attribute Mapping&#x22;." width="563"><figcaption><p>Setting up the Attribute Mapping</p></figcaption></figure> <figure><img src="/files/M7mxBEKCkyIXsXQsGrFL" alt="Azure Portal with key steps to setting up the &#x22;Attribute Mapping&#x22;." width="563"><figcaption><p>Setting up the Attribute Mapping</p></figcaption></figure></div>

### 2. Starting the provisioning

{% hint style="danger" %}
Users created via **Provisioning on demand** may be skipped by Azure during future automatic provisioning.

**We strongly recommend avoiding this function.**

If you have already created users this way, click the **Restart provisioning** button to restore synchronization for all users.
{% endhint %}

Go to **Overview**, and click **Start provisioning**.

<figure><img src="/files/SYYSclackBNCCuXnzc1t" alt="Azure Portal with key steps to starting the provisioning."><figcaption><p>Starting the provisioning</p></figcaption></figure>

{% hint style="info" %}
The whole provisioning process takes around **20 minutes** to complete, depending on the number of members and groups being added.
{% endhint %}

You have now successfully set up Microsoft Entra ID SCIM with GoodAccess.

## Step 4 - Managing user access

In the application, go to **Users and groups**, and click **+ Add user/group**.

Choose who should have access, and click **Assign**.

<figure><img src="/files/qAsYuXx9LLpKak6HnFyB" alt="Azure Portal with key steps to managing user access."><figcaption><p>Managing user access</p></figcaption></figure>


