
MS Azure AD OIDC

The following procedure creates an OIDC SSO configuration for your Enterprise organization.

Prerequisites

  • Owner or admin role in an Enterprise organization

  • Administrative access to your organization's Microsoft Azure AD portal

Supported features

This configuration supports the following:

  • Service provider initiated SSO

  • Single Log Out [optional]

Configuration steps

Before configuring SSO, you need to assign a namespace and create files containing your service provider certificate and private key. These steps provide the information you need to enter later.

Create your namespace:

  1. Go to Organization > SSO.

  2. Under Namespace, enter the namespace you want for your organization, for example, acmecorp. Your organization members enter this namespace when they log in via SSO.

  3. Under SSO type, select Oauth2.

Steps on Microsoft Azure AD

Create an OIDC application on Microsoft Azure AD

  1. Log in to Microsoft Azure AD and go to Manage Microsoft Entra ID.

  2. Click Enterprise applications.

  3. Click + New Application.

  4. Click + Create your own application.

  5. Enter a name for your app and select Register an application to integrate with Microsoft Entra ID (App you're developing).

  6. Click Create.

  7. Enter and select the following:

    Register an application page, section by section (required information):

    Name: enter a name for your OIDC SSO app.

    Supported account types: select the option best for your use case. For example, use Accounts in this organizational directory only if your application is only for internal use within your organization.

    Redirect URI (optional): although Microsoft marks this field as optional, successful implementation with Make requires it. Select a platform: Web, and enter https://next.integromat.com/sso/login

  8. Click Register.

Create your client credentials

  1. In the Microsoft Azure AD portal go to Home > Enterprise applications > {your OIDC app} > Single Sign-on and click Go to application.

  2. Under Essentials, find Application (client) ID. Copy this value and save it in a secure place. This is the required information for the Client ID field in your Make SSO configuration.

  3. In the left-hand menu under Manage, click Certificates & secrets.

  4. Click + New client secret.

  5. In the new dialogue, enter a short description and click Add.

  6. Find the new client secret on the list. Copy the Value and save it in a secure place. This is the required information for the Client secret field in your Make SSO configuration.

Configure tokens and optional claims

  1. In the left-hand menu under Manage, click Token Configuration.

  2. Click + optional claim.

  3. In the new dialogue, select ID.

  4. A list appears. Select Email.

Add API permissions

  1. In the left-hand menu under Manage, click API Permissions.

  2. Click + Add permission.

  3. In the new dialogue, click Microsoft Graph.

  4. Click Application permissions.

  5. Use the search bar to find User.Read.All.

  6. Select User.Read.All and click Add permissions.

    Tip

    You can select User.Read instead of User.Read.All.

Add users to your application

To provide access to your organization members, you need to add these users to your app in the MS Azure portal.

  1. In the Microsoft Azure AD portal go to Home > Enterprise applications > {your OIDC app}.

  2. Click Users and groups.

  3. Click + Add user/group to add the users you want to access your Make organization.

Steps in Make

  1. Enter the following information on the SSO tab of your organization's dashboard:

    Fields on the SSO tab and the value to enter in each:

    User information URL: https://graph.microsoft.com/v1.0/me

    Client ID: enter the Application (client) ID you copied in step 2 of Create your client credentials.

    Token URL: https://login.microsoftonline.com/1234etc/oauth2/v2.0/token

    Login scopes: User.Read.All

    Scopes separator: enter a single space.

    Authorize URL: to find your Authorize URL:

      1. In the Microsoft Azure AD portal go to Home > Enterprise applications > {your OIDC app} > Single Sign-on and click Go to application.

      2. Click Endpoints. A window appears.

      3. Find OAuth 2.0 authorization endpoint (v1). Copy and paste this URL into your Make configuration.

    Client secret: enter the Value you copied in step 6 of Create your client credentials.

    User information IML resolve: {"id":"{{id}}","email":"{{mail}}","name":"{{givenName}}"}

    Redirect URL: no action required.

    Team provisioning for new users: select an option based on your needs.

  2. Click Save.
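The following script is an added illustration of what the values on the SSO tab do at runtime, from the Authorize URL through the Token URL to the User information URL and the IML resolve template, plus a diagnostic decode of the ID token to confirm the optional email claim configured in the Azure AD steps above is present. It is not Make's or Microsoft's code. It runs entirely offline: no request is sent, the Graph /me responses and the ID token are constructed samples, and TENANT_ID, CLIENT_ID and CLIENT_SECRET are placeholders (the page's 1234etc stands for the same tenant segment). How Make renders a null field inside the IML template is not stated on the page; the example assumes it becomes an empty string.

```python
"""OIDC flow behind the Make SSO tab (added example, runs offline)."""
import base64
import json
import re
from urllib.parse import urlencode

# Values from the SSO tab. TENANT_ID, CLIENT_ID and CLIENT_SECRET are placeholders.
TENANT_ID = "00000000-0000-0000-0000-000000000000"
CLIENT_ID = "11111111-1111-1111-1111-111111111111"
CLIENT_SECRET = "<client-secret-value>"
AUTHORIZE_URL = f"https://login.microsoftonline.com/{TENANT_ID}/oauth2/v2.0/authorize"
TOKEN_URL = f"https://login.microsoftonline.com/{TENANT_ID}/oauth2/v2.0/token"
USER_INFO_URL = "https://graph.microsoft.com/v1.0/me"
REDIRECT_URL = "https://next.integromat.com/sso/login"
LOGIN_SCOPES = ["User.Read.All"]
SCOPES_SEPARATOR = " "
IML_RESOLVE = '{"id":"{{id}}","email":"{{mail}}","name":"{{givenName}}"}'


def build_authorize_url(scopes, state):
    """Leg 1: the browser is redirected here. The scopes are joined with the
    configured separator; 'state' ties the callback to this login attempt
    and must be compared on return (CSRF protection)."""
    query = {
        "client_id": CLIENT_ID,
        "response_type": "code",
        "redirect_uri": REDIRECT_URL,
        "scope": SCOPES_SEPARATOR.join(scopes),
        "state": state,
    }
    return AUTHORIZE_URL + "?" + urlencode(query)


def token_request(code):
    """Leg 2: form fields POSTed server-to-server to TOKEN_URL to swap the
    one-time code for tokens. The client secret never reaches the browser."""
    return {
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": REDIRECT_URL,
        "client_id": CLIENT_ID,
        "client_secret": CLIENT_SECRET,
    }


def id_token_claims(id_token):
    """Diagnostic decode of the ID token payload, e.g. to confirm the
    optional 'email' claim is there. This does NOT verify the signature;
    a relying party must validate the token against the tenant's JWKS."""
    payload = id_token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


_PLACEHOLDER = re.compile(r"\{\{(\w+)\}\}")


def resolve_user_info(template, me):
    """Leg 3: apply the IML resolve template to the JSON returned by
    USER_INFO_URL. A null field becomes "" (assumption, see lead-in)."""
    def sub(match):
        value = me.get(match.group(1))
        if value is None:
            return ""
        return json.dumps(str(value))[1:-1]  # escape for use inside a JSON string
    return json.loads(_PLACEHOLDER.sub(sub, template))


def check_identity(user):
    """Reasons the resolved identity is not safe to link to a Make account."""
    problems = []
    if not user.get("id"):
        problems.append("id is empty: no stable key to match an existing member")
    if not user.get("email"):
        problems.append("email is empty: Graph 'mail' is null for users without a "
                        "mailbox; userPrincipalName is the usual fallback")
    return problems


# Constructed sample Graph /me responses (not real users).
ME_WITH_MAILBOX = {"id": "a1b2c3", "mail": "ana@acmecorp.example",
                   "givenName": "Ana", "userPrincipalName": "ana@acmecorp.example"}
ME_NO_MAILBOX = {"id": "d4e5f6", "mail": None,
                 "givenName": "Bo", "userPrincipalName": "bo@acmecorp.example"}


def _b64url(obj):
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()


# Constructed sample ID token: realistic header/payload, placeholder signature.
SAMPLE_ID_TOKEN = ".".join([
    _b64url({"alg": "RS256", "typ": "JWT"}),
    _b64url({"aud": CLIENT_ID, "oid": "a1b2c3", "email": "ana@acmecorp.example"}),
    "placeholder-signature",
])

if __name__ == "__main__":
    print(build_authorize_url(LOGIN_SCOPES, state="random-per-login"))
    for me in (ME_WITH_MAILBOX, ME_NO_MAILBOX):
        user = resolve_user_info(IML_RESOLVE, me)
        print(user, check_identity(user))
    print(id_token_claims(SAMPLE_ID_TOKEN))
```

The second constructed user shows the failure mode worth testing before rollout: the template maps email to Graph's `mail`, which is null for accounts without a mailbox, so such a member would arrive with an empty email and could not be matched to an existing Make account.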

Service provider initiated SSO

  1. Go to Make's login page.

  2. Click Sign in with SSO.

  3. Enter the namespace you chose for your organization.

  4. Log in using your Microsoft credentials and consent to Make's access to your user data.

Troubleshooting

When you save the SSO configuration, you automatically receive an email with a link to bypass SSO login. Use this link to log in and adjust your configuration as needed.