With Microsoft Entra ID SSO, synced Entra ID users can log in to the app with their Microsoft account instead of a password.
This guide covers how SSO works, what you should know before enabling it, and how to choose between enabling SSO for all synced users or per user.
What is Microsoft Entra ID SSO?
Microsoft Entra ID SSO (Single Sign-On) means that the user logs in via Microsoft instead of using a separate password in the app.
When the user enters their user ID, such as their email address, the app checks which login method applies:
- If the user has a password login, a password field is displayed.
- If the user has SSO, the user is forwarded to Microsoft login.
- Once Microsoft has verified the user, the user is sent back and signed in to the app.
It works the same way in the web app, desktop app, and mobile app.
Before you enable SSO
SSO is based on Entra ID Sync. This means that the feature can only be used for users who are synced from Microsoft Entra ID.
To use SSO, the organization must:
- Have Entra ID Sync enabled in the app
- Have users synced from Microsoft Entra ID
- Have the right package or add-on for Entra ID features
SSO replaces password login
When SSO is enabled for a user, password login is removed for that user.
This means that the user can no longer log in with a password via email address or mobile number. Instead, the user must log in with their Microsoft account.
This is a security measure. If both SSO and password were active at the same time, the password could become a weaker alternative login path.
Choose how to enable SSO
When SSO is enabled in your organization, there are two levels to be aware of.
Option 1: Enable SSO per user
Select this option if you want to be able to control which synced users use SSO.
It is a good fit if:
- You want to test SSO on a few users first
- Not all synced users should use SSO right away
- You want to be able to add or remove SSO on individual users
Option 2: Enable SSO for all synced users
Select this option if all users synced from Entra ID should use SSO.
When the setting is active, all synced Entra ID users will receive SSO as their login method.
Enable SSO in the app
- Go to Organization Settings.
- Go to Users.
- Click on Entra ID Sync.
- Go to the Single Sign-On, SSO section.
- Enable SSO.
When SSO is enabled, you can choose whether SSO should be enabled for all synced users or managed per user.
Enable SSO for all synced users
- Go to Organization Settings.
- Go to Users.
- Click on Entra ID Sync.
- Go to the Single Sign-On, SSO section.
- Enable SSO.
- Enable the setting for all synced users.
When this setting is active, all synced Entra ID users use Microsoft sign-in.
Enable or remove SSO per user
If SSO is enabled in your organization, but not enabled for all synced users, you can manage SSO on a per-user basis.
- Go to Organization Settings.
- Go to Users.
- Click on Entra ID Sync.
- Under Synced users, open All users with active sync.
- Go to the current user.
- Enable or disable SSO for the user.
If SSO is removed from a user, the user will need to have another login method, such as an email address or mobile number with a password.
New users and invitations
If a user is invited after SSO is enabled, the invitation email looks different.
The user is informed that the sign-in is with a Microsoft account. When the user clicks the link to activate the account, a clear button to sign in with Microsoft appears.
If SSO is disabled
Be careful about disabling SSO if many users are already using it.
If SSO is removed from users who don't have another sign-in method, they won't be able to sign in until a new sign-in method is added.
An administrator then needs to:
- Go to each user.
- Add a new user ID, such as an email address.
- Ask the user to reset their password via Forgotten Password.
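The rules above (SSO only for synced users, org-wide or per-user scope, SSO replacing password login, and the lockout that follows when SSO is removed) can be modelled to list affected users before the setting is changed. This is an added example, not the app's own code or API: the `Org` and `User` fields, function names and sample users are all hypothetical and constructed for illustration.

```python
from dataclasses import dataclass

@dataclass
class Org:
    sso_enabled: bool      # the "Enable SSO" switch (hypothetical field name)
    sso_all_synced: bool   # the "all synced users" setting

@dataclass
class User:
    name: str
    synced: bool                 # synced from Microsoft Entra ID
    sso_per_user: bool = False   # per-user SSO switch
    password_ids: tuple = ()     # other user IDs (email/mobile) with a password

def uses_sso(user, org):
    """SSO applies only to synced users, either org-wide or per user."""
    if not (org.sso_enabled and user.synced):
        return False
    return org.sso_all_synced or user.sso_per_user

def login_method(user, org):
    """Exactly one login path: when SSO applies, password is never offered."""
    if uses_sso(user, org):
        return "microsoft"
    return "password" if user.password_ids else "none"

def locked_out_if_sso_disabled(users, org):
    """Users on SSO today who would have no sign-in method once it is off."""
    off = Org(sso_enabled=False, sso_all_synced=False)
    return [u.name for u in users
            if uses_sso(u, org) and login_method(u, off) == "none"]

# Constructed sample data, not taken from any real tenant.
ORG = Org(sso_enabled=True, sso_all_synced=False)
USERS = [
    User("anna", synced=True, sso_per_user=True),
    User("bo", synced=True, sso_per_user=True, password_ids=("bo@example.com",)),
    User("cy", synced=True, password_ids=("cy@example.com",)),
    User("di", synced=False, password_ids=("+15550100",)),
]

if __name__ == "__main__":
    for u in USERS:
        print(u.name, login_method(u, ORG))
    print("locked out if SSO is disabled:", locked_out_if_sso_disabled(USERS, ORG))
```

Each name in the returned list is a user who needs a new user ID and a password reset before SSO is switched off.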
If Microsoft is experiencing operational disruptions
Since the login is done via Microsoft, the app depends on the availability of Microsoft Entra ID.
If Microsoft has an outage, users logging in with SSO may be affected. They may then have to wait until Microsoft's service is back up and running.
Frequently asked questions
Can SSO be used without Entra ID Sync?
No. Currently, SSO requires that the user is synced from Microsoft Entra ID.
Can I enable SSO for only certain users?
Yes, if SSO is enabled in your organization but not enabled for all synced users. Then you can manage SSO for each synced user individually.
Can some synced users be excluded if SSO is enabled for everyone?
No. If SSO is enabled for all synced users, it applies to all users synced from Entra ID. Users that are not included need to be managed outside of Entra ID Sync.
What happens if a user is not synced from Entra ID?
The user cannot use SSO. Instead, the user continues to log in using another login method.
Can users still log in with passwords?
No, not if SSO is enabled for the user. Then password login is replaced with Microsoft login.
Can an organization have multiple Entra ID connections?
No. The app currently supports one Entra ID connection per organization.
Are users logged out immediately when SSO is enabled?
Active sessions should normally continue to work until the session expires. The next time the user signs in, they will use their Microsoft account.
Are ongoing calls affected?
Regular calls should not be affected by enabling SSO. However, users who need to sign in again will use Microsoft sign-in.
Does SSO work in the mobile app?
Yes. Logging in works the same way in the mobile app as in the web app and desktop app.
Summary
Microsoft Entra ID SSO enables synced Entra ID users to log in to the app with their Microsoft account.
Remember that:
- SSO requires Entra ID Sync
- SSO only applies to synced users
- SSO replaces password login
- Enabling SSO turns on the feature in your organization
- The setting for all synced users applies SSO to every synced user
- SSO can be managed per user if it is not enabled for all synced users
- Removing SSO from many users later can mean manual work