
Configure SSO with Microsoft Entra ID

Set up OpenID Connect (OIDC) single sign-on so your team can log in to ASCERA using their Microsoft accounts.

This guide walks you through creating an App Registration in Microsoft Entra ID and obtaining the Client ID, Client Secret, and Directory ID required by ASCERA.

Prerequisites

  • A Microsoft Entra ID (Azure AD) tenant
  • An account with at least the Application Developer or Cloud Application Administrator role
  • Admin access to ASCERA's Organization Settings

Step 1: Create an App Registration

  1. Sign in to the Microsoft Entra admin center.

  2. In the left sidebar, navigate to Entra ID > App registrations.

  3. Click New registration.

  4. Fill in the following:

     Field                   | Value
     Name                    | A recognizable name, e.g. ASCERA - SSO
     Supported account types | Select Accounts in this organizational directory only (single tenant)
     Redirect URI            | Select Web and enter the redirect URI for your platform (see below)

  5. Click Register.

Use the redirect URI that matches the platform you access:

  Platform  | Redirect URI
  ASCERA    | https://app.ascera.com/login/auth/callback/entra-id
  CUIComply | https://app.cuicomply.com/login/auth/callback/entra-id

Step 2: Copy the Client ID and Directory ID

After registration, you will land on the app's Overview page. Copy the following two values:

  Entra ID Field          | ASCERA Field
  Application (client) ID | Client ID
  Directory (tenant) ID   | Directory ID

Important: Application (client) ID and Object ID are different values. Use the one labeled "Application (client) ID."


Step 3: Create a Client Secret

  1. From your App Registration page, click Certificates & secrets in the left menu.
  2. Select the Client secrets tab.
  3. Click + New client secret.
  4. Enter a description (e.g. ASCERA SSO Secret) and select an expiration period (see note below).
  5. Click Add.
  6. Immediately copy the Value column. This is your Client Secret.

Critical: The secret value is only shown once. If you navigate away without copying it, you will need to create a new secret. Make sure you copy the Value, not the Secret ID.

Note: Microsoft limits client secrets to a maximum of 24 months. Set a calendar reminder to rotate the secret before it expires to avoid login disruptions.


Step 4: Verify API Permissions (Optional)

By default, new app registrations include the User.Read permission, which is sufficient for basic SSO. To verify:

  1. Go to API permissions in the left menu of your App Registration.
  2. Confirm Microsoft Graph > User.Read is listed.
  3. If your organization requires admin consent, click Grant admin consent for [Your Organization] so users are not prompted individually.

Step 5: Enter Credentials in ASCERA

  1. In ASCERA, go to Settings > Single Sign-On (SSO).
  2. Click Add SSO.
  3. Select Entra ID as the Provider.
  4. Paste the values you copied:

     ASCERA Field  | Where to Find It
     Client ID     | Application (client) ID from the Overview page
     Client Secret | Secret Value from Certificates & secrets
     Directory ID  | Directory (tenant) ID from the Overview page

  5. Click Create.

Your SSO configuration is now active. Users in your Entra ID tenant can log in to ASCERA using their Microsoft credentials.


User Access and Provisioning

Enabling SSO does not automatically grant access to everyone in your Entra ID tenant. ASCERA controls access independently. A user must first be added to your ASCERA tenant by their email address before they can log in.

Users who exist in Entra ID but have not been added to ASCERA will not be able to log in, even if SSO is configured. Think of SSO as the authentication method, not the access control mechanism. ASCERA still determines who is authorized.


Troubleshooting

Symptom: AADSTS50011 - redirect URI mismatch
  Resolution: The redirect URI in your App Registration does not match what ASCERA sends. Go to Authentication in your App Registration and add or correct the redirect URI.

Symptom: AADSTS7000215 - invalid client secret
  Resolution: You may have copied the Secret ID instead of the Value. Create a new client secret and copy the Value column.

Symptom: AADSTS700016 - application not found
  Resolution: The Client ID or Directory ID is incorrect. Verify you copied the Application (client) ID and Directory (tenant) ID from the Overview page.

Symptom: Users prompted for consent on every login
  Resolution: An admin has not granted consent. Go to API permissions and click Grant admin consent.

Symptom: SSO stopped working suddenly
  Resolution: The client secret may have expired. Create a new secret in Entra ID and update it in ASCERA.
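As an added pre-flight check (example code written for this guide, not part of ASCERA or of Microsoft's tooling), the following Python validates the values from Steps 2, 3 and 5 against the mistakes listed above before you click Create, and shows where each value lands in the login request. The redirect URIs are the ones from Step 1; the v2.0 endpoint and scopes in authorize_url are an assumption about what ASCERA sends, since the guide does not document the exact request.

```python
import re
from urllib.parse import urlencode

# Callback URIs exactly as listed in this guide; Entra ID compares them character for character.
REDIRECT_URIS = {
    "ASCERA": "https://app.ascera.com/login/auth/callback/entra-id",
    "CUIComply": "https://app.cuicomply.com/login/auth/callback/entra-id",
}
# Application (client) ID, Directory (tenant) ID and the Secret ID are all GUIDs; the
# secret Value is not, which lets us catch the wrong column being copied from the portal.
GUID_RE = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.I)


def check_sso_values(platform, client_id, client_secret, directory_id, redirect_uri):
    """Return the problems found in values about to be pasted into ASCERA ([] if none).
    Each message names the AADSTS error the mistake produces at login time."""
    problems = []
    expected_uri = REDIRECT_URIS.get(platform)
    if expected_uri is None:
        problems.append(f"unknown platform {platform!r}; expected one of {sorted(REDIRECT_URIS)}")
    elif redirect_uri != expected_uri:
        # A trailing slash, http:// or a different host all produce AADSTS50011.
        problems.append("redirect URI does not exactly match the platform callback (AADSTS50011)")
    if not GUID_RE.match(client_id):
        problems.append("Client ID is not a GUID; use the Application (client) ID (AADSTS700016)")
    if not GUID_RE.match(directory_id):
        problems.append("Directory ID is not a GUID; use the Directory (tenant) ID (AADSTS700016)")
    if GUID_RE.match(client_secret):
        problems.append("Client Secret is a GUID, i.e. the Secret ID, not the Value (AADSTS7000215)")
    if client_id == directory_id:
        problems.append("Client ID and Directory ID are identical; one was copied from the wrong field")
    return problems


def authorize_url(directory_id, client_id, redirect_uri, state, nonce):
    """Build the Microsoft identity platform v2.0 authorization request for this tenant.
    Assumption: ASCERA uses the tenant-scoped v2.0 endpoint with standard OIDC scopes;
    the guide does not document the exact parameters it sends."""
    base = f"https://login.microsoftonline.com/{directory_id}/oauth2/v2.0/authorize"
    params = {
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": redirect_uri,  # must equal the App Registration entry byte for byte
        "response_mode": "query",
        "scope": "openid profile email User.Read",
        "state": state,  # ties the callback to the browser session that started the login
        "nonce": nonce,  # echoed in the ID token so a captured token cannot be replayed
    }
    return f"{base}?{urlencode(params)}"
```

Run check_sso_values on the three values before saving them in ASCERA; an empty list means none of the copy-paste mistakes from the table above are present.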