Introduction
In this article we will walk you through the automatic (recommended) setup of SSO for your Workspace 365 environment. When choosing the automatic setup of SSO, you automatically create a SSO App Registration for your Workspace environment in Azure, along with the corresponding API permissions for applications such as SharePoint and Exchange. If needed, you can always adjust these API permissions manually once SSO has been enabled.
How to set up SSO automatically
Error during setup? Turn off MFA for your Global Admin account. Please check the log files for more information. If you do not want to turn off MFA, you can follow the manual setup of SSO instructions.
To set up SSO automatically:
Go to the Workspace admin settings.
Select Single sign-on.
We strongly recommend using oAuth2 as a SSO method.
Choose automatic setup.
Fill in the Microsoft 365/Entra ID (previously called Azure AD) password of the administrator (this must be an admin who is allowed to change the corresponding App Registration in Azure).
Check the checkbox "I give Workspace 365 permission to create an Azure AD application to provide Single Sign-on".
Grant permissions to applications such as SharePoint or Exchange. You can always configure these API permissions afterwards in Azure.
If you do not use Power BI, do not grant permission for Power BI. This will result in an error. Only grant permission for the applications that are being used.
Click on Done. You will be redirected and signed out.
After you are redirected, you will get a consent of all previously set permissions. You have to accept these permissions. When the request for a SSO token is sent to the Microsoft Entra ID, the Workspace 365 page will ask you to wait for 1 minute.
If you receive an error at this stage, please check if there is only one signed in Microsoft 365 account in the browser session. Tip: if you use multiple accounts in Google Chrome you can easily switch between user profiles by clicking on the user icon on the top right side of the URL bar.
You need to consent on behalf of your organization, because otherwise these permissions are only granted for admins in your tenant.
Be aware that these permissions are only granted for administrator in this tenant. You have to grant it for all users. If you do not Grant Permissions, you will receive the following error while trying to log in to the workspace as a user: "Need admin approval".