Manual setup of SSO
Quick reference:
Settings -> Single sign-on
Table of Contents
- Introduction
- Step 1. Enable SSO manually in Workspace
- Step 2. Adding API permissions to the SSO App Registration in Azure
Introduction
In this article we explain how to set up SSO manually for your Workspace environment. We recommend using the automatic setup for SSO where possible. Be sure to use the Primary Administrator account for the setup.
Step 1. Enable SSO manually in Workspace
To set up SSO manually:
- Go to the Workspace admin settings.
- Select Single sign-on.
- Set the Single sign-on type to OAuth2.
- Choose Manual setup.
- The Authority consists of "https://login.windows.net/" followed by the Primary domain of your tenant (e.g. "workspace365.onmicrosoft.com"). You can find the Primary domain in Azure AD on the Overview tab, under Basic information.
Example: "https://login.windows.net/workspace365.onmicrosoft.com"
- The Client ID can be retrieved from the SSO App registration (Overview) in Azure AD.
- However, you must first create a new App registration by clicking on "New registration".
- Choose a name, e.g. "Workspace 365 SSO".
- For Supported account types, choose: "Accounts in this organizational directory only (workspace365inc only - Single tenant)"
- Under Redirect URI, choose Web. The URL should have the following format: "https://instance.workspace365.net/environment/OAuth2/HandleAuthorityResponse".
- Click on Register.
- The Key can be retrieved under Client secrets. You must first create a new Client secret.
- Once the App registration has been created in Azure AD, under Certificates & Secrets, click on New client secret.
- Fill in a Description and set the expiry date.
- Click on Add.
- Copy the Value. This value will be hidden once you leave this page.
- Under Key in the Workspace SSO setup, paste this value.
- Click on Verify.
- If successful, you should see a green screen "verification succeeded" pop up. If so, check the checkbox "I have seen the GREEN screen telling the verification was successful".
- Then, click on Done.
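The values entered in Step 1 can be checked for consistency before clicking Verify. The following is an added example, not part of the original article or the product: the function names are hypothetical, the client ID is a constructed placeholder, and the redirect path pattern assumes the "/environment/OAuth2/HandleAuthorityResponse" format shown above.

```python
import re
from urllib.parse import urlsplit

AUTHORITY_HOST = "login.windows.net"  # host named in Step 1
# Path shape taken from the article's redirect URI format.
REDIRECT_PATH_RE = re.compile(r"^/[^/*]+/OAuth2/HandleAuthorityResponse$")
GUID_RE = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.I)
DOMAIN_RE = re.compile(r"^([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,}$", re.I)
# Shared endpoints that do not name one tenant; the registration here is single tenant.
MULTI_TENANT = {"common", "organizations", "consumers"}


def build_authority(primary_domain):
    """Authority = "https://login.windows.net/" + the tenant's Primary domain."""
    domain = primary_domain.strip().lower()
    if not DOMAIN_RE.match(domain):
        raise ValueError(f"not a primary domain: {primary_domain!r}")
    return f"https://{AUTHORITY_HOST}/{domain}"


def check_sso_values(authority, client_id, redirect_uri):
    """Return a list of problems; an empty list means the values are consistent."""
    problems = []
    a = urlsplit(authority.strip())
    tenant = a.path.strip("/")
    if a.scheme != "https" or a.hostname != AUTHORITY_HOST:
        problems.append("authority must start with https://login.windows.net/")
    if tenant.lower() in MULTI_TENANT:
        problems.append("authority names a shared endpoint, not this tenant")
    elif not DOMAIN_RE.match(tenant):
        problems.append("authority must end with the tenant's primary domain")
    if not GUID_RE.match(client_id.strip()):
        problems.append("client ID is not a GUID; copy it from the App registration Overview")
    r = urlsplit(redirect_uri.strip())
    if r.scheme != "https":
        problems.append("redirect URI must use https")
    if not REDIRECT_PATH_RE.match(r.path):
        problems.append("redirect URI path must be /<environment>/OAuth2/HandleAuthorityResponse")
    if r.query or r.fragment or "*" in (r.netloc or ""):
        problems.append("redirect URI must not carry a wildcard, query or fragment")
    return problems


if __name__ == "__main__":
    # Constructed sample values; the client ID is a placeholder, not a real registration.
    authority = build_authority("workspace365.onmicrosoft.com")
    redirect = "https://instance.workspace365.net/environment/OAuth2/HandleAuthorityResponse"
    issues = check_sso_values(authority, "11111111-2222-3333-4444-555555555555", redirect)
    print(authority, issues or "OK")
```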
Step 2. Adding API permissions to the SSO App Registration in Azure
Once the manual SSO setup has been successfully verified, you can add the API permissions to your SSO App registration in Azure AD. In the example below, we will add permissions for Exchange, SharePoint (Microsoft Graph) and Power BI (Power BI Service).
- Go to the corresponding SSO App Registration.
- Click on API permissions.
- Select Add a permission.
- The following permissions are for SharePoint, Exchange (Microsoft Graph) and Power BI (Power BI Service).
- You can add permissions by clicking on Add a permission (you can update, change or apply the consent in Azure AD at any later time if needed).
- Don't forget to Grant admin consent once you're done. A green checkmark indicates that admin consent has been granted. This is very important. Without admin consent, Workspace does not have permissions to retrieve the data from Azure.