Microsoft Entra ID

Configure Microsoft Entra ID (formerly Azure Active Directory) for enterprise SSO using SAML 2.0 or OpenID Connect.

Prerequisites
You need admin access to your Microsoft Entra ID tenant and an AccessIQ Professional or Enterprise plan.

Step 1: Register Application in Entra ID

  1. Go to Azure Portal → Microsoft Entra ID → App registrations
  2. Click "New registration"
  3. Enter a name (e.g., "AccessIQ SSO")
  4. Select "Accounts in this organizational directory only"
  5. Set Redirect URI to: https://auth.accessiq.io/callback/oidc
  6. Click "Register"

Step 2: Configure Client Secret

  1. In your app registration, go to "Certificates & secrets"
  2. Click "New client secret"
  3. Add a description and select expiry period
  4. Copy the secret value immediately (it won't be shown again)

Step 3: Configure in AccessIQ

Configure Entra ID via API (bash):
curl -X POST https://api.accessiq.io/v1/organizations/YOUR_ORG/identity-providers \
  -H "Authorization: Bearer YOUR_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "type": "oidc",
    "name": "Microsoft Entra ID",
    "enabled": true,
    "config": {
      "clientId": "YOUR_APPLICATION_CLIENT_ID",
      "clientSecret": "YOUR_CLIENT_SECRET",
      "issuer": "https://login.microsoftonline.com/YOUR_TENANT_ID/v2.0",
      "scopes": ["openid", "profile", "email"],
      "attributeMapping": {
        "email": "email",
        "name": "name",
        "picture": "picture"
      }
    },
    "domains": ["yourcompany.com"]
  }'

Required Entra ID Values

Field          Where to Find
clientId       App registration → Overview → Application (client) ID
tenantId       App registration → Overview → Directory (tenant) ID (used in the issuer URL)
clientSecret   App registration → Certificates & secrets

Optional: Configure SCIM Provisioning

Enable automatic user provisioning from Entra ID:

  1. In Azure Portal, go to Enterprise Applications → Your App
  2. Click "Provisioning" → "Get started"
  3. Set Provisioning Mode to "Automatic"
  4. Enter SCIM endpoint: https://api.accessiq.io/scim/v2/organizations/YOUR_ORG
  5. Enter your SCIM API token for authentication
  6. Test connection and save

Testing the Integration

Test IdP Connection (bash):
curl -X POST https://api.accessiq.io/v1/organizations/YOUR_ORG/identity-providers/IDP_ID/test \
  -H "Authorization: Bearer YOUR_API_KEY"

# Response
{
  "success": true,
  "message": "Connection successful",
  "metadata": {
    "issuer": "https://login.microsoftonline.com/...",
    "supportedScopes": ["openid", "profile", "email"],
    "userInfoEndpoint": "https://graph.microsoft.com/oidc/userinfo"
  }
}

Domain Verification

For security, configure domain restrictions so that only users from your verified domains can authenticate via this IdP.
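The following is an added illustration, not AccessIQ's own code: it builds the identity-provider body shown in Step 3 from validated inputs (a GUID tenant ID, at least one allowed domain) and then applies the issuer and domain restrictions to a set of decoded ID-token claims. The function and claim names are assumptions for the example; signature verification is assumed to have already happened.

```python
import uuid

# Issuer format from the Step 3 request body on this page.
ISSUER_TEMPLATE = "https://login.microsoftonline.com/{tenant}/v2.0"


def build_entra_idp_config(tenant_id, client_id, client_secret, domains):
    """Build the identity-providers request body, validating the inputs.

    tenant_id must be the Directory (tenant) ID GUID from the app registration;
    an issuer built from anything else (e.g. 'common') would accept tokens from
    any Entra tenant instead of only your own.
    """
    tenant = str(uuid.UUID(tenant_id))  # raises ValueError if not a GUID
    if not domains:
        raise ValueError("at least one allowed domain is required")
    return {
        "type": "oidc",
        "name": "Microsoft Entra ID",
        "enabled": True,
        "config": {
            "clientId": client_id,
            "clientSecret": client_secret,
            "issuer": ISSUER_TEMPLATE.format(tenant=tenant),
            "scopes": ["openid", "profile", "email"],
            "attributeMapping": {"email": "email", "name": "name", "picture": "picture"},
        },
        # Normalise once so the later comparison is case-insensitive.
        "domains": [d.strip().lower() for d in domains],
    }


def login_allowed(claims, idp_config):
    """Policy checks on already-verified ID-token claims (constructed example).

    Returns (allowed, reason). Exact-match domain comparison means a
    lookalike subdomain such as evil.yourcompany.com is rejected.
    """
    cfg = idp_config["config"]
    if claims.get("iss") != cfg["issuer"]:
        return False, "issuer mismatch: token was issued by another tenant"
    if claims.get("aud") != cfg["clientId"]:
        return False, "audience mismatch: token not minted for this client"
    email = claims.get(cfg["attributeMapping"]["email"], "")
    if "@" not in email:
        return False, "no email claim, cannot apply domain restriction"
    domain = email.rsplit("@", 1)[1].lower()
    if domain not in idp_config["domains"]:
        return False, f"domain {domain} is not in the allowed list"
    return True, "ok"
```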