Manual setup of SSO
In this article we explain how to set up SSO manually for your Workspace environment (we do however recommend using the automatic setup for SSO). We will explain how to create the SSO App registration in Azure AD and how to set up SSO manually in the Workspace. Lastly, we explain how to grant permissions for applications such as SharePoint and Exchange, by adding API permissions to the SSO App registration.
Manual SSO setup
- Go to the Workspace admin settings and select Single sign-on.
- Set the Single sign-on type to Oauth2.
- Choose Manual setup.
- The Authority is retrieved from Azure AD. This is the Primary domain of your tenant (e.g. "workspace365.onmicrosoft.com") and can be found under the Overview tab (Basic information) in Azure AD.
- The Client ID can be retrieved from the SSO App registration (Overview) in Azure AD. However, you must first create a new App registration:
  - Click on New registration.
  - Choose a name, e.g. "Workspace 365 SSO".
  - For Supported account types, choose: "Accounts in this organizational directory only (workspace365inc only - Single tenant)"
  - Under Redirect URI, choose Web. The URL should have the following format: "https://instance.workspace365.net/environment/OAuth2/HandleAuthorityResponse".
  - Click on Register.
- The Key can be retrieved under Client secrets. You must first create a new Client secret:
  - Once the App registration has been created in Azure AD, under Certificates & Secrets, click on New client secret.
  - Fill in a Description and set the expiry date.
  - Click on Add.
  - Copy the Value. This value will be hidden once you leave this page.
  - Under Key in the Workspace SSO setup, paste this value.
- Click on Verify.
- If successful, you should see a green screen "verification succeeded" pop up. If so, check the checkbox "I have seen the GREEN screen telling the verification was successful".
- Then, click on Done.
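A pre-flight check for the four values used in the steps above, useful before clicking Verify. This is an added example, not Workspace 365 or Microsoft code; the function name `check_sso_values` and all sample values are constructed for illustration, and the rules only encode the formats given in this article plus the fact that the Azure portal shows a GUID-shaped Secret ID next to the secret's Value.

```python
import re
from urllib.parse import urlsplit

GUID = re.compile(r"[0-9a-fA-F]{8}-(?:[0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}")
DOMAIN = re.compile(r"(?:[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.)+[A-Za-z]{2,63}")
CALLBACK = "/OAuth2/HandleAuthorityResponse"  # path suffix from the article's format


def check_sso_values(authority, client_id, key, redirect_uri):
    """Return a list of problems found in the manual SSO setup values."""
    problems = []

    # Authority: the tenant's primary domain, entered as a bare host name.
    if not DOMAIN.fullmatch(authority):
        problems.append("authority: expected a bare domain, no scheme or path")

    # Client ID: the Application (client) ID of an App registration is a GUID.
    if not GUID.fullmatch(client_id):
        problems.append("client_id: expected a GUID from the Overview page")

    # Key: must be the secret's Value. A GUID here means the Secret ID was copied.
    if not key or key != key.strip():
        problems.append("key: empty or has surrounding whitespace")
    elif GUID.fullmatch(key):
        problems.append("key: looks like the Secret ID, paste the Value instead")

    # Redirect URI: https://<instance>/<environment>/OAuth2/HandleAuthorityResponse
    url = urlsplit(redirect_uri)
    segments = [s for s in url.path.split("/") if s]
    if url.scheme != "https" or not url.hostname:
        problems.append("redirect_uri: must be an absolute https URL")
    elif url.query or url.fragment:
        problems.append("redirect_uri: must not carry a query string or fragment")
    elif len(segments) != 3 or not url.path.endswith(CALLBACK):
        problems.append("redirect_uri: expected /<environment>" + CALLBACK)
    return problems


if __name__ == "__main__":
    # Constructed sample values, not taken from a real tenant.
    for problem in check_sso_values(
        "https://contoso.onmicrosoft.com",             # scheme included by mistake
        "Workspace 365 SSO",                           # display name, not the ID
        "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee",        # Secret ID, not the Value
        "https://instance.workspace365.net/environment/oauth2/HandleAuthorityResponse/",
    ):
        print(problem)
```

The redirect URI check compares the path exactly, so a trailing slash or different letter case is reported rather than silently accepted.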
Adding API permissions
Once the manual SSO setup has been successfully verified, you can add the API permissions to your App registration in Azure AD. In the example below, we will add permissions for Exchange, SharePoint (Microsoft Graph) and Power BI (Power BI Service).
- Go to the App registration and click on the corresponding SSO app registration.
- Go to API permissions.
- Click on Add a permission.
- Add the following permissions (only grant permissions for applications you actually use):
- Click on Add permissions.
- Don't forget to Grant admin consent once you're done.