Microsoft Entra ID
In this guide, you’ll learn how to set up Microsoft Entra ID in Coalesce.
You must be a Microsoft Entra ID Administrator to complete this process.
Before You Begin
Get Your Subdomain
You'll need your subdomain to complete setup, it's used as part of the redirect URI.
Your subdomain is the subdomain of your Coalesce instance. For example, if you login at https://testapp.app.coalescesoftware.io/. Your subdomain is testapp. You can also check your subdomain by going to your organizations single sign-on settings.
If the Subdomain box in your settings is blank, you need to create a subdomain for your organization by adding one in the settings.
Microsoft Entra ID Permissions
When selecting Use Single-Sign On with Microsoft Entra ID, you may be prompted to grant Coalesce permission to:
- Sign you in and read your profile
- Maintain access to data you have given it access to
- Microsoft Graph:
emailprofileUser.Readopenid
These permissions can be pre-approved for future users by an admin in Microsoft Entra ID.
- Go to Manage > App Registrations > Your App Registration > API Permissions.
- Then select Add a permission > Microsoft Graph > Delegated Permissions and then select the desired permissions to pre-approve for the non-admin users.
Configure Microsoft Entra ID
To use Microsoft Entra ID as your Single Sign-On provider, you'll want to create a new App Registration in Azure.
-
Go to the Overview panel in Azure Active Directory
-
Click the +Add dropdown
-
Select App Registration
-
On the registration page for this newly created integration, enter the following:
- Name - this is typically going to be
Coalescebut any friendly name works - Supported Account Types - choose which Account types to support, see the following screenshot.
- Make sure you choose Single Page Application (SPA).
- Redirect URI - The redirect URI should be formatted as follows -
https://mySubdomain.<app_domain>/login/callback.- Create a subdomain if one hasn’t already been defined for your organization. We recommend choosing a name specific to your organization. If the Subdomain box in your Single Sign-On Settings is blank, you can create one by adding it in the subdomain box.
Supported Account TypesPersonal Microsoft accounts only is not a supported option for Coalesce Azure SSO.
- Name - this is typically going to be
-
Click Register to create the integration. You'll now be at a window with all your App Registration settings. Keep this browser tab open as you'll need to enter some information from it into Coalesce.
Configure Coalesce Microsoft Entra ID Settings
-
Open a new window.
-
Sign in to your Coalesce application using username and password.
-
Go to Organization Settings > Single Sign-On.
-
Fill out the fields.
Field Description Authority The system being used for Single Sign On. Choose Azure. Subdomain This will be the same as mySubdomain. Not the entire redirect URI.Authorization Server Single for tenant integrations. https://login.microsoftonline.com/[tenantID]/Authorization Server for multi-tenant and multi- personal integrations https://login.microsoftonline.com/common/OIDC Client ID Refer to the Application (client) ID in the "Essentials" section on the overview page for your App Registration. Server-Side Authorization Toggle on to add an authorization URL. Use this when the authorization server blocks access to the OpenID configuration or token endpoints. Authorization Endpoint The authorization URL to redirect to. -
Once you've filled out the SSO settings in Coalesce, click Save.
-
Log out of Coalesce.
-
Go to your SSO URL, which will be formatted like -
https://mySubdomain.<app_domain>- and click on the Use Single Sign-On button to log in using SSO.
If instead of a button you see an error message, check to make sure you correctly entered all the fields in your Coalesce SSO settings. If the problem persists please reach out to our Support Team.