
Microsoft Entra ID SSO

Monozu supports Microsoft Entra ID (formerly Azure AD) as an OIDC identity provider, allowing your users to sign in with their existing corporate credentials.

Mode         Description
standard     Email/password OR Entra ID SSO (user’s choice)
restricted   Entra ID SSO only + email domain allowlist

The restricted mode is recommended for enterprise tenants — it prevents local password accounts and enforces corporate identity.

  1. Register an app in Entra ID

    In the Azure portal, go to Entra ID → App registrations → New registration:

    • Name: Monozu Cloud
    • Supported account types: Accounts in this organizational directory only
    • Redirect URI (Web): https://cloud.monozu.io/auth/callback/entra

  2. Copy credentials

    From the app registration, collect:

    • Application (client) ID
    • Directory (tenant) ID
    • Client secret (create one under Certificates & secrets)

  3. Configure in Monozu

    Go to Settings → Authentication → Entra ID and enter:

    • Tenant ID
    • Client ID
    • Client Secret

  4. Set auth policy

    Choose standard or restricted. If restricted, add your email domain(s) to the allowlist (e.g. acme.com).

  5. Test

    Sign out and sign back in using Continue with Microsoft. Verify the user is created/matched correctly.

Users are JIT-provisioned on first login — no pre-creation required. The user’s display name and email are pulled from the Entra ID token.

After first login, assign the user to appropriate groups via Settings → Groups.
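The restricted policy from step 4, applied to the token claims that JIT provisioning relies on, sketched as a login check. This is an added example, not Monozu's code: the class and function names, the sample IDs and the exact-match domain rule are assumptions, and the claims are assumed to come from a v2.0 ID token whose signature and expiry an OIDC library has already verified.

```python
# Added example, not Monozu's code. Input claims are assumed to be from an
# ID token already verified (signature, expiry) by an OIDC library.
from dataclasses import dataclass

@dataclass(frozen=True)
class EntraPolicy:                      # hypothetical container for the settings
    tenant_id: str                      # Directory (tenant) ID from step 2
    client_id: str                      # Application (client) ID from step 2
    mode: str                           # "standard" or "restricted"
    allowed_domains: frozenset = frozenset()

def email_domain(email):
    """Return the lower-cased domain of a single-@ address, else None."""
    if not isinstance(email, str) or email.count("@") != 1:
        return None
    local, domain = email.strip().split("@")
    domain = domain.lower().rstrip(".")
    return domain if local and domain else None

def check_login(claims, policy):
    """Return (allowed, reason) for a set of verified ID-token claims."""
    if claims.get("aud") != policy.client_id:
        return False, "aud does not match client ID"
    if claims.get("tid") != policy.tenant_id:
        return False, "tid does not match tenant ID"
    expected_iss = f"https://login.microsoftonline.com/{policy.tenant_id}/v2.0"
    if claims.get("iss") != expected_iss:
        return False, "unexpected issuer"
    if policy.mode == "restricted":
        domain = email_domain(claims.get("email"))
        # Exact match only: a suffix test would also accept "notacme.com".
        if domain is None or domain not in policy.allowed_domains:
            return False, "email domain not in allowlist"
    return True, "ok"

# Constructed sample values (not real tenant or client IDs).
POLICY = EntraPolicy("11111111-1111-1111-1111-111111111111",
                     "22222222-2222-2222-2222-222222222222",
                     "restricted", frozenset({"acme.com"}))
BASE = {"aud": POLICY.client_id, "tid": POLICY.tenant_id,
        "iss": f"https://login.microsoftonline.com/{POLICY.tenant_id}/v2.0",
        "name": "Sample User"}

if __name__ == "__main__":
    for addr in ("alice@acme.com", "bob@notacme.com", "eve@acme.com.example.net"):
        print(addr, check_login({**BASE, "email": addr}, POLICY))
```

A token with no `email` claim is rejected in restricted mode, which is the outcome to look for during the step 5 test if the claim is not being issued.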

In addition to per-tenant Entra ID configuration, Monozu supports platform-level SSO for operator (admin panel) accounts. This is separate from tenant-level SSO and is configured at the infrastructure level.