# Microsoft Azure SSO Login {% hint style="info" %} **SSO** feature requires a whitelist for activation and is intended for enterprise clients. {% endhint %} > **Note:** > > To activate this feature, please get in touch with the relevant sales representative or customer success manager (), and provide the team owner's account. ## Microsoft Azure SSO (SAML) Setup Guide ### 1. Prerequisites * The user must have a **Microsoft Azure account** for their company * After logging in, go to the **“Enterprise Applications”** page

*** ### 2. Create an Application 1. Click **“Create your own application”** 2. Give your application a name

3. Choose **“Set up single sign-on”** and select **SAML** as the login method

*** ### 3. Permission Requirements * Only **Team Owners** or **Super Team Admins** have access to the SSO configuration page *** ### 4. SSO Configuration Details #### **1. Enable SSO** * SSO is **disabled by default**

#### **2. Configuration Item Details** **✅ Identity Provider (IdP)** * Currently, **only Microsoft Entra** is supported **✅ SSO Protocol** * Currently, only **SAML** is supported **✅Login Method Options** There are **two options** for how users log in: 1. **Single Sign-On (SSO) & Username/Password (default)** Users can log in using either SSO or their account credentials. 2. **SSO Only** Users can only log in via Single Sign-On; password login will be disabled. **✅Add Domain(s)** * Enter **your company email suffixes** (e.g., **`yourcompany.com`**) * **Multiple domains** can be added

**✅ Service Provider (SP) Configuration** * **Recommended method:** a. Download the XML file from the D5 Team Management backend b. In the Azure portal, open the SSO configuration module and go to **“Set up Single Sign-On”** c. Click **“Upload metadata file”** and import the downloaded XML file * **Manual method:** a. In Azure’s “Basic SAML Configuration” section, manually fill in the following: \- Copy the **Identifier (Entity ID)** from the D5 backend and paste it into the corresponding field \- Copy the **Assertion Consumer Service URL (ACS URL)** and paste it accordingly b. Click “Save” to apply

**✅ Identity Provider (IdP) Information** 1. In the Azure portal’s SSO module, go to the **“Set up Single Sign-On”** section 2. Under the **SAML Certificates** area, download the **“Federation Metadata XML”** 3. Upload this file to the D5 Team Management backend 4. The system will parse the content and automatically fill in the IdP login URL

## Microsoft Azure SCIM Configuration Guide ### 1. Setup in D5 Myspace - Team Management Backend Enable Provisioning

*** ### 2. Setup in Microsoft Azure * Go to **Enterprise Applications > SSO Control Module > Provisioning**

* Click **Add a new configuration**

* Enter the **SCIM endpoint and access token** provided in the D5 Team Management Backend. Click **Test Connection**, and after the test is successful, click **Create**.

* Click **Settings**, enable the provisioning switch, and click **Save**. > 💡 If the access token changes in the future: > > * Navigate to **Provisioning > Settings > Admin Credentials** > * Set the **Provisioning Status** to **On** > * Click **Save** > * Finally, **enable provisioning** to sync user accounts

* Click **Mappings**, then select **Provision Microsoft Entra ID Users**.

* On the attribute mapping page, click **Add New Mapping.**

* Configure the new mapping with the following steps. After completing the configuration, click **Save:** > - Set **Mapping type** to **Expression** > - Enter the following **Expression:** `SingleAppRoleAssignment([appRoleAssignments])` > - Set **Target attribute** to `roles[primary eq "True"].value` > - Set **Match objects using this attribute** to **Yes** > - Set **Matching precedence** to **2**

* Return to the attribute mapping page and click **Save.**

* Return to the **Overview (Preview)** page to confirm whether provisioning has started. If it hasn't, click **Start Provisioning.**

*** ### 3. Creating Application Roles * Go to **Enterprise Applications > SSO Control Module > Properties** * Click **“App Registrations”** * After entering, go to the **“App Roles”** section * You can **add new roles** here as needed > ⚠️ If no roles are configured, synced users will default to **Team Member** role

*** ### 4. Start provisioning

### 5. SCIM Sync Behavior * When **SCIM is enabled,** the following features will be **disabled** in the D5 Team Management Backend: * Manually **editing team member roles** * **Modifying member account attributes** * **Inviting users to the team** * **Removing members from the team**

* In **Group Management**, the following options will also be hidden: * **Invite to Team** * **Remove from Team**

* Sync Status and Frequency * **Sync Frequency:** Once every **40 minutes**

* **View Sync Results:** * In the Azure backend, click on sync logs * You can see **each step of the sync** and any **failure reasons**

Example Case * A new user is added in the IdP (who has **never registered** in D5) * After waiting for the sync cycle, the user will automatically appear in the team |

| | --------------------------------------------------------------------------------------------------- | --------------------------------------------------------------------------------------------------- | |

| *** ### 6. Sync Failure Scenarios * **Team Seat Limit Reached** If an existing D5 account is being synced while the team's seat quota is full, the sync will fail, and the account will **not be added to the team.**

* **Backend Deployment in Progress** If the D5 backend is undergoing a release during the sync process,the sync will fail. The account will **not be created nor added to the team.** It will be retried in the **next scheduled sync.**

--- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://docs.d5render.com/instruction-for-d5-for-teams/single-sign-on-sso/microsoft-azure-sso-login.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.