
Azure AD Configuration

With Azure AD (also known as Microsoft Entra ID), all users invited to SafeStack can sign in using their company’s Azure AD identity. This document describes how to set up your Azure AD tenant to authenticate your users on SafeStack.

Users must be invited to your SafeStack organisation before they can sign in using Azure AD. SCIM provisioning, which would let your identity provider create and remove SafeStack users automatically, is not yet supported.


Set-up guide

You will need to set up an App Registration in the relevant Azure Active Directory tenant. The following steps are performed in the Azure portal; the SafeStack team can provide assistance if needed. They are a simplified version of the official Auth0 documentation.


Step 1: Registering an application

For detailed information, check out the Official Microsoft documentation on registering an app.

  1. Sign in to the Azure Portal
  2. If you have access to multiple tenants, choose the desired tenant from the Directories + subscriptions filter
  3. Navigate to the Azure Active Directory service
  4. Note down the Primary domain shown under Basic information on the Overview page
  5. Navigate to the Manage > App Registrations screen
  6. Click + New registration to begin the process of integrating Auth0
  7. Choose a relevant display name (e.g. SafeStack Auth0 Integration), and under Supported account types choose which directories can sign in. Single-tenant (accounts in this organisational directory only) is the usual choice; note which option you picked, as Step 4 asks for it
  8. Set two redirect URIs, for platform type Web. They must match exactly, including the https scheme and the /login/callback path:
    1. https://learn-safestack-io.au.auth0.com/login/callback
    2. https://auth.learn.safestack.io/login/callback
  9. Click Register, then note down the Application (client) ID that is generated

Step 2: Generate a client secret

For detailed information, check out the Official Microsoft documentation on generating client secrets.

  1. After registering an application in Azure AD, navigate to Manage > Certificates & secrets
  2. Click + New client secret
  3. Enter a relevant description and choose a preferred expiration time (max of 12 months recommended)
  4. Click Add, then note down the Value of the secret that is generated. This is also referred to as Client secret

Important!

The secret's Value is shown only once, immediately after it is created, so save it securely now; if it is lost you will need to generate a new one. Also note the expiry date: sign-in through SafeStack stops working when the secret expires, so plan to generate and share a replacement before then.


Step 3: Review permissions

For detailed information, check out the Official Microsoft documentation on adding permissions.

  1. After generating a client secret in Azure AD, navigate to Manage > API permissions
  2. Ensure that the API / Permissions name called User.Read exists with type set to Delegated
    1. If this permission does not exist, click + Add a permission, then select Microsoft Graph, click Delegated permissions, search for and select the User.Read permission, then click Add permissions to update the app's permissions
  3. Finally, click Grant admin consent for <your AD tenant name> to consent the permission on behalf of all your users
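Steps 1 to 3 can also be scripted with the Microsoft Graph PowerShell SDK, which is useful if you manage app registrations as code or want to repeat the setup in a test tenant. The script below is an added example, not SafeStack's or Microsoft's own code. It assumes the Microsoft.Graph module is installed and that you sign in as a Global Administrator or Application Administrator; the display name and secret description are assumed values, while the redirect URIs, the permission (delegated User.Read) and the single-tenant audience are those from the steps above. The Microsoft Graph application ID and the User.Read scope ID are the well-known values that are the same in every tenant.

```powershell
# Added example (not SafeStack's or Microsoft's own script): registers the
# SafeStack application, creates a 12-month client secret and records admin
# consent for the delegated User.Read scope, mirroring Steps 1-3.
# Assumes: Install-Module Microsoft.Graph has been run, and the signed-in user
# can create applications and grant tenant-wide consent.

# Well-known Microsoft Graph identifiers (identical in every tenant).
$graphAppId = '00000003-0000-0000-c000-000000000000'
$userReadId = 'e1fe6dd8-ba31-4d61-89e7-88639da4683d'   # delegated User.Read

Connect-MgGraph -Scopes 'Application.ReadWrite.All',
                        'DelegatedPermissionGrant.ReadWrite.All',
                        'Organization.Read.All'

# Step 1.4: the tenant's Primary domain.
$primaryDomain = ((Get-MgOrganization).VerifiedDomains |
    Where-Object { $_.IsDefault }).Name

# Step 1: register a single-tenant app with the two Web redirect URIs and
# declare the User.Read permission (Step 3.2) in the same call.
$app = New-MgApplication -DisplayName 'SafeStack Auth0 Integration' `
    -SignInAudience 'AzureADMyOrg' `
    -Web @{ RedirectUris = @(
        'https://learn-safestack-io.au.auth0.com/login/callback',
        'https://auth.learn.safestack.io/login/callback') } `
    -RequiredResourceAccess @(@{
        ResourceAppId  = $graphAppId
        ResourceAccess = @(@{ Id = $userReadId; Type = 'Scope' })
    })

# Step 2: client secret valid for 12 months. SecretText is only returned by
# this call, so capture it now.
$secret = Add-MgApplicationPassword -ApplicationId $app.Id -PasswordCredential @{
    DisplayName = 'SafeStack SSO'
    EndDateTime = (Get-Date).AddMonths(12)
}

# Step 3.3: consent is recorded against the app's service principal, so create
# one first. This grant is what "Grant admin consent" does in the portal.
$sp      = New-MgServicePrincipal -AppId $app.AppId
$graphSp = Get-MgServicePrincipal -Filter "appId eq '$graphAppId'"
New-MgOauth2PermissionGrant -BodyParameter @{
    ClientId    = $sp.Id
    ConsentType = 'AllPrincipals'
    ResourceId  = $graphSp.Id
    Scope       = 'User.Read'
} | Out-Null

# The values Step 4 asks for. Hand the secret over through your secret-sharing
# tool, not by e-mail.
[pscustomobject]@{
    PrimaryDomain  = $primaryDomain
    ClientId       = $app.AppId
    ClientSecret   = $secret.SecretText
    SecretExpires  = $secret.EndDateTime
    SignInAudience = $app.SignInAudience   # AzureADMyOrg = single-tenant
}
```

Change `-SignInAudience` to `AzureADMultipleOrgs` if you chose the multi-tenant option in Step 1, and tell us that in Step 4. Keep the `SecretExpires` value somewhere you will see it, since the integration stops working when the secret expires.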

Step 4: Get in touch with us

Get in touch with us with the following information that you would have noted down from previous steps:

  • Primary domain
  • Application (client) ID
  • Client Secret
  • Whether your application in Azure AD is set up as a single-tenant or a multi-tenant application

Because this information is sensitive, we recommend that you use your organization’s preferred way of sharing secrets with third parties or vendors. This could include using a service like OneTimeSecret or the secret sharing functionality offered by your password manager.

Please share this information with sso@safestack.io and we’ll handle the rest!