
# Microsoft Entra ID

{% hint style="info" %}
This feature is available in the **Premium plan and higher**.
{% endhint %}

{% hint style="danger" %}
**Remember to** [**grant your Azure users access permissions**](#step-4-managing-user-access) **to GoodAccess. Users without them won't be able to log in.**
{% endhint %}

## Step 1 - Adding a new identity provider

[Log in to the GoodAccess **Control Panel**, and go to **Settings** > **SSO & Identity**.](https://app.goodaccess.com/sso-and-identity/)

Click **+ Add provider**, enter the **Provider name**, choose your **Identity Provider**, and click **Continue**.

## Step 2 - Setting up Single Sign-On with SAML

Log in to the [Azure Portal](https://portal.azure.com/), and go to **Enterprise applications** (you can use the search bar).

Click **+ New application**, and **+ Create your own application**.

Give the application a name, choose **Integrate any other application you don't find in the gallery (Non-gallery)**, and click **Create**.

In your new application, go to **Single Sign-On** > **SAML**.

<div><figure><img src="/files/Cef3q7B5iXkZOcxO8C7D" alt="Azure Portal with key steps to creating a new enterprise application."><figcaption><p>Creating a new enterprise application</p></figcaption></figure> <figure><img src="/files/bO6CNFMKUNwAZLO0t8kN" alt="Azure Portal with key steps to creating a new enterprise application."><figcaption><p>Creating a new enterprise application</p></figcaption></figure></div>

<figure><img src="/files/7v5sp3EotLe1xQrpM4eR" alt="Azure Portal with key steps to selecting SAML as a single sign-on method for the enterprise application."><figcaption><p>Selecting SAML as a single sign-on method</p></figcaption></figure>

### 1. Basic SAML Configuration

Click **Edit** to open Basic SAML Configuration.

Copy the details from GoodAccess - **(2) GoodAccess links**.

* **Identifier** - Entity ID
* **Reply URL** - Assertion Consumer Service URL
* **Sign on URL** - Login URL
* **Relay State** - Relay State

Return to GoodAccess, and click **Continue**.

Return to Azure, and click **Save**.

<div><figure><img src="/files/f0gnNJOpHMh3J85HhW3W" alt="Azure Portal with key steps to opening the &#x22;Basic SAML Configuration&#x22;."><figcaption><p>Opening the Basic SAML Configuration</p></figcaption></figure> <figure><img src="/files/BCpS327JBiHPkyPFdnHU" alt="Azure Portal with key steps to setting up the &#x22;Basic SAML Configuration&#x22;."><figcaption><p>Setting up the Basic SAML Configuration</p></figcaption></figure></div>

### 2. Attributes & Claims

Click **Edit** to open Attributes & Claims.

In the **Additional claims** section, click the record with the value **user.userprincipalname**, and edit it as follows:

* **Name** - "name" (without quotes)
* **Namespace** - Delete pre-filled URL

Click **Save**.

Then, still in the **Additional claims** section, click the record with the value **user.mail**, and edit it as follows:

* **Name** - "email" (without quotes)
* **Namespace** - Delete pre-filled URL
* **Source attribute** - user.userprincipalname

Don't forget to **Save**.

<figure><img src="/files/cvZjOMAc82UzkI01xpqq" alt="Azure Portal with key steps to setting up the &#x22;Attributes &#x26; Claims&#x22;."><figcaption><p>Setting up Attributes &#x26; Claims</p></figcaption></figure>

<div><figure><img src="/files/OI12MRiy1h1jwZ3Jyzxn" alt="Azure Portal with key steps to managing the &#x22;user.userprincipalname&#x22; claim."><figcaption><p>Managing the "user.userprincipalname" claim</p></figcaption></figure> <figure><img src="/files/bZoT874YZJOACc2U1bc1" alt="Azure Portal with key steps to managing the &#x22;user.mail&#x22; claim."><figcaption><p>Managing the "user.mail" claim</p></figcaption></figure></div>
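To confirm the claim edits took effect, you can inspect the attribute statement of a captured SAML assertion. The script below is an added example, not GoodAccess or Microsoft code; the sample assertions and the UPN values are constructed, and it checks claim names and values only, not the signature.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
REQUIRED = ("name", "email")  # claim names set in the steps above

def wrap(attributes):
    """Wrap constructed Attribute elements in a minimal unsigned assertion."""
    return ('<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">'
            "<saml:AttributeStatement>" + attributes +
            "</saml:AttributeStatement></saml:Assertion>")

def attr(name, value):
    """Build one constructed saml:Attribute element."""
    return (f'<saml:Attribute Name="{name}"><saml:AttributeValue>{value}'
            "</saml:AttributeValue></saml:Attribute>")

# Constructed samples: default claims (namespace still pre-filled) vs. edited claims.
URI = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims"
BEFORE = wrap(attr(URI + "/name", "alice@example.com")
              + attr(URI + "/emailaddress", "alice.smith@example.com"))
AFTER = wrap(attr("name", "alice@example.com") + attr("email", "alice@example.com"))

def check_claims(assertion_xml):
    """Return a list of problems with the claim names/values; empty means OK."""
    root = ET.fromstring(assertion_xml)
    found = {}
    for a in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        found[a.get("Name")] = [v.text or "" for v in a.findall("saml:AttributeValue", NS)]
    problems = []
    for claim in REQUIRED:
        if claim in found:
            continue
        # A name ending in /name or /emailaddress means the Namespace was not cleared.
        namespaced = [n for n in found if n.rsplit("/", 1)[-1].startswith(claim)]
        hint = f"; found {namespaced[0]!r}, clear its Namespace" if namespaced else ""
        problems.append(f"missing claim {claim!r}{hint}")
    # Both claims are sourced from user.userprincipalname, so the values must match.
    if not problems and found["name"] != found["email"]:
        problems.append("'email' value differs from 'name'; set its source to user.userprincipalname")
    return problems

if __name__ == "__main__":
    for label, xml in (("before", BEFORE), ("after", AFTER)):
        print(label, check_claims(xml) or "OK")
```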

### 3. SAML Certificates

Download the **Certificate (Base64)**, and open the file in a text editor (e.g. Notepad).

<figure><img src="/files/7BgO9qZn5ZYSH50SB6CV" alt="Azure Portal with key steps to downloading the certificate."><figcaption><p>Downloading the certificate</p></figcaption></figure>

### 4. Set up GoodAccess

Copy the details to GoodAccess - **(3) Identity Provider links**, and click **Continue**.

* **Sign in URL** - Login URL
* **Entity ID** - Microsoft Entra ID Identifier
* **X509 signing certificate** - Copy the certificate from the text editor

<figure><img src="/files/dwCeO8wSxZP0rMlFKRn1" alt="Azure Portal with key steps to setting up GoodAccess."><figcaption><p>Setting up GoodAccess</p></figcaption></figure>

{% hint style="info" %}
If you don't want to set up SCIM, skip the next step in GoodAccess, and click **Submit** to finish the configuration.
{% endhint %}

You have now successfully set up your Microsoft Entra ID SSO with GoodAccess.

## Step 3 (optional) - Setting up SCIM

In the application, go to **Provisioning** > **Provisioning**, and set **Provisioning mode** to **Automatic**.

Expand **Admin Credentials**, and copy the **URL** and **Token** from GoodAccess - **(4) User provisioning (SCIM)**.

Return to GoodAccess, and click **Submit**.

Return to Azure, click **Test Connection**, and then click **Save** to confirm your settings.

<figure><img src="/files/rtBOrOT0o8CzVWl5tTja" alt="Azure Portal with key steps to setting up SCIM."><figcaption><p>Setting up SCIM</p></figcaption></figure>

### 1. Attribute Mapping

Open **Mappings**, and select **Provision Microsoft Entra ID Users**.

Here, make sure that only the following four attributes are listed:

* userName
* active
* displayName
* externalId

If any attributes other than these four are listed, **Delete** them to prevent provisioning issues.

Don't forget to **Save**.

<div data-full-width="false"><figure><img src="/files/ZRH4S8qKMaMXaa1hzcli" alt="Azure Portal with key steps to setting up the &#x22;Attribute Mapping&#x22;." width="563"><figcaption><p>Setting up the Attribute Mapping</p></figcaption></figure> <figure><img src="/files/M7mxBEKCkyIXsXQsGrFL" alt="Azure Portal with key steps to setting up the &#x22;Attribute Mapping&#x22;." width="563"><figcaption><p>Setting up the Attribute Mapping</p></figcaption></figure></div>
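The four-attribute rule can also be checked against an exported copy of the provisioning schema instead of by eye. The script below is an added example, not GoodAccess or Microsoft code; the schema excerpt is constructed, and its layout (`synchronizationRules` > `objectMappings` > `attributeMappings` with `targetAttributeName`) is an assumption based on the Microsoft Graph synchronization schema, so compare it with your own export.

```python
ALLOWED = {"userName", "active", "displayName", "externalId"}
USER_MAPPING = "Provision Microsoft Entra ID Users"  # mapping name from this guide

# Constructed excerpt: a user mapping with leftover default attributes and
# a group mapping that the audit must ignore.
SCHEMA = {"synchronizationRules": [{"objectMappings": [
    {"name": USER_MAPPING, "attributeMappings": [
        {"targetAttributeName": "userName"},
        {"targetAttributeName": "active"},
        {"targetAttributeName": "displayName"},
        {"targetAttributeName": 'emails[type eq "work"].value'},
        {"targetAttributeName": "name.givenName"},
        {"targetAttributeName":
            "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User:department"},
    ]},
    {"name": "Provision Microsoft Entra ID Groups", "attributeMappings": [
        {"targetAttributeName": "displayName"},
        {"targetAttributeName": "members"},
    ]},
]}]}

def audit_user_mapping(schema, mapping_name=USER_MAPPING):
    """Return target attributes to delete and required ones that are missing."""
    extra, seen = [], set()
    for rule in schema.get("synchronizationRules", []):
        for obj in rule.get("objectMappings", []):
            if obj.get("name") != mapping_name:
                continue  # only the user mapping is covered by the rule
            for mapping in obj.get("attributeMappings", []):
                target = mapping.get("targetAttributeName", "")
                if target in ALLOWED:
                    seen.add(target)
                else:
                    extra.append(target)
    return {"delete": sorted(extra), "missing": sorted(ALLOWED - seen)}

if __name__ == "__main__":
    result = audit_user_mapping(SCHEMA)
    print("delete:", result["delete"])
    print("missing:", result["missing"])
```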

### 2. Starting the provisioning

{% hint style="danger" %}
Users created via **Provisioning on demand** may be skipped by Azure during future automatic provisioning.

**We strongly recommend avoiding this function.**

If you have already created users this way, click the **Restart provisioning** button to restore synchronization for all users.
{% endhint %}

Go to **Overview**, and click **Start provisioning**.

<figure><img src="/files/SYYSclackBNCCuXnzc1t" alt="Azure Portal with key steps to starting the provisioning."><figcaption><p>Starting the provisioning</p></figcaption></figure>

{% hint style="info" %}
The whole provisioning process takes around **20 minutes** to complete, depending on the number of members and groups being added.
{% endhint %}

You have now successfully set up Microsoft Entra ID SCIM with GoodAccess.

## Step 4 - Managing user access

In the application, go to **Users and groups**, and click **+ Add user/group**.

Choose who should have access, and click **Assign**.

<figure><img src="/files/qAsYuXx9LLpKak6HnFyB" alt="Azure Portal with key steps to managing user access."><figcaption><p>Managing user access</p></figcaption></figure>
