Microsoft Entra

Allow users to sign in with Microsoft Entra

Entra Integration

Microsoft Entra integration enables you to leverage Microsoft’s managed identity service for user authentication and management. Entra is currently the only provider that supports SCIM.

Prerequisites

  • Microsoft Entra app with Accounts access. The application type should be Web.
  • SendAuth subdomain configured

Configuration Steps

1. Configure Entra App Client

The app should provide the email attribute.

In the Azure portal for your Entra app, add your SendAuth callback URL as a Redirect URI: https://<your-subdomain>.app.sendauth.com/oauth/callback, replacing <your-subdomain> with the subdomain configured in your SendAuth account.

Under Certificates & secrets, click + New client secret. Enter sendauth-secret as the description, and choose 365 days (12 months) for expiration.

Note that you’ll need to generate a new secret before this one expires, or your users will be locked out.

Click Add.

2. Gather Client Integration Information

On the secret you just created, note the Value.

Under Overview, note the Application (client) ID.

Click Endpoints and copy the OpenID Connect Metadata Document, and then remove the suffix /.well-known/openid-configuration. The resulting URL should look like https://login.microsoftonline.com/32563d5-ee16-xxxx-yyyy-abcdef123456, with no trailing /.

3. Set Up Identity Provider

In SendAuth, navigate to Settings, then click the Authentication tab. Set Use local authentication to Disabled.

Issuer will be the URL from Endpoints from step 2, with the /.well-known/openid-configuration suffix removed and no trailing /.

Client ID will be the Application (client) ID from step 2.

Client Secret will be the Value from step 2.

[Figure: SendAuth identity provider configuration example]

Click Save.

Once configured, users who visit https://<your-subdomain>.app.sendauth.com will be sent to your Entra app when they need to sign in.
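Because the client secret from step 1 expires after 365 days, it helps to monitor the expiry date rather than rely on memory. The following is an added example, not part of SendAuth or Microsoft tooling. It assumes the input is the JSON printed by az ad app credential list --id <Application (client) ID>, with displayName and endDateTime fields. The 30-day warning window, the function names and the sample data are assumptions made for illustration.

```python
import json
import re
from datetime import datetime, timezone

# Constructed sample shaped like the output of
#   az ad app credential list --id <Application (client) ID>
# keyId values and dates are made up; the secret Value is never returned.
SAMPLE = json.loads("""[
  {"displayName": "sendauth-secret", "keyId": "00000000-0000-0000-0000-000000000001",
   "endDateTime": "2025-03-01T10:00:00Z"},
  {"displayName": "sendauth-secret", "keyId": "00000000-0000-0000-0000-000000000002",
   "endDateTime": "2026-02-01T10:00:00.1234567Z"}
]""")


def parse_graph_time(value):
    """Parse a Graph-style UTC timestamp into an aware datetime."""
    value = re.sub(r"\.\d+", "", value.strip())  # drop fractional seconds
    if value.endswith("Z"):
        value = value[:-1] + "+00:00"
    parsed = datetime.fromisoformat(value)
    if parsed.tzinfo is None:  # assumption: naive timestamps are UTC
        parsed = parsed.replace(tzinfo=timezone.utc)
    return parsed.astimezone(timezone.utc)


def secret_status(credentials, now, warn_days=30, name="sendauth-secret"):
    """Return (state, days_left, keyId) for the latest-expiring secret named `name`.

    state: "missing", "expired", "rotate" (inside the warning window) or "ok".
    """
    matching = [c for c in credentials if c.get("displayName") == name]
    if not matching:
        return ("missing", None, None)
    latest = max(matching, key=lambda c: parse_graph_time(c["endDateTime"]))
    remaining = parse_graph_time(latest["endDateTime"]) - now
    if remaining.total_seconds() <= 0:
        state = "expired"
    elif remaining.days <= warn_days:
        state = "rotate"
    else:
        state = "ok"
    return (state, remaining.days, latest["keyId"])


if __name__ == "__main__":
    state, days, key_id = secret_status(SAMPLE, datetime.now(timezone.utc))
    print(f"sendauth-secret: {state}, {days} days left (keyId {key_id})")
```

The check only sees what exists in Entra. A newly generated secret takes effect for sign-in only after its Value is saved as the Client Secret in SendAuth.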