
Microsoft Entra ID

In this guide, you’ll learn how to set up Microsoft Entra ID in Coalesce.

Microsoft Entra ID Administrator

You must be a Microsoft Entra ID Administrator to complete this process.

Before You Begin

Get Your Subdomain

Your subdomain is the subdomain of your Coalesce instance. For example, if you log in at https://testapp.app.coalescesoftware.io/, your subdomain is testapp.

To check whether you already have a subdomain, go to your organization's Single Sign-On settings.

If you don't have a subdomain, you can add one in the Subdomain box. Coalesce automatically configures your subdomain based on the name entered. Check with your IT team before adding it to your organization's settings.

Single Sign-On configuration form header showing Authority and Subdomain fields with Other selected

Microsoft Entra ID Permissions

When selecting Use Single Sign-On with Microsoft Entra ID, you may be prompted to grant Coalesce permission to:

  • Sign you in and read your profile
  • Maintain access to data you have given it access to
  • Microsoft Graph:
    • email
    • profile
    • User.Read
    • openid

These permissions can be pre-approved for future users by an admin in Microsoft Entra ID.

  1. Go to Manage > App Registrations > Your App Registration > API Permissions.
  2. Select Add a permission > Microsoft Graph > Delegated Permissions, then select the permissions to pre-approve for non-admin users.

Configure Microsoft Entra ID

To use Microsoft Entra ID as your Single Sign-On provider, you need to create a new App Registration in Azure.

  1. Go to the Overview panel in Azure Active Directory

  2. Click the +Add dropdown

  3. Select App Registration

    Azure Active Directory home page
  4. On the registration page for this newly created integration, enter the following:

    1. Name - typically Coalesce, but any friendly name works.
    2. Supported Account Types - choose which account types to support; see the following screenshot.
    3. Make sure you choose Single Page Application (SPA).
    4. Redirect URI - the redirect URI should be formatted as https://mySubdomain.<app_domain>/login/callback.
      1. Create a subdomain if one hasn't already been defined for your organization. We recommend choosing a name specific to your organization. If the Subdomain box in your Single Sign-On settings is blank, you can create one by entering it in the Subdomain box.
    Configuring an App Integration in Azure
    Supported Account Types

    The Personal Microsoft accounts only option is not supported for Coalesce Microsoft Entra ID SSO.

  5. Click Register to create the integration. You'll now be at a window with all your App Registration settings.

  6. While still in Azure, go to Manage > Authentication.

  7. Scroll down to Implicit grant and hybrid flows. Select both: Access tokens (used for implicit flows) and ID tokens (used for implicit and hybrid flows) and Save.

    Azure portal authentication settings for a Coalesce SSO test application: Implicit grant and hybrid flows with Access tokens and ID tokens selected, and Supported account types, including the warning about enabling personal Microsoft accounts for existing registrations
  8. Go to Manage > Token configuration.

  9. Click Add optional claim.

  10. Choose ID as the Token Type.

  11. Select email and Save.

    Token configuration for the Coalesce SSO Test application in Azure: optional claims with the email claim added for ID tokens, and the Add optional claim panel listing the available claims
  12. Go back to the Overview. You'll need the information to finish configuration in Coalesce.

    Example Azure App Registration Overview

Configure Coalesce Microsoft Entra ID Settings

  1. Open a new window.

  2. Sign in to your Coalesce application using username and password.

  3. Go to Organization Settings > Single Sign-On.

  4. Enter in the following information:

    • Authority - The system being used for Single Sign-On. Choose Azure.
    • Subdomain - The same value as mySubdomain, not the entire redirect URI.
    • Authorization Server:
      • Single-tenant integrations: https://login.microsoftonline.com/[tenantID]/
      • Multi-tenant and personal-account integrations: https://login.microsoftonline.com/common/
    • OIDC Client ID - The Application (client) ID shown in the "Essentials" section of the overview page for your App Registration.
    • Server-Side Authorization (Optional) - Toggle on to add an authorization URL. Use this when the authorization server blocks access to the OpenID configuration or token endpoints.
    • Authorization Endpoint (available with Server-Side Authorization) - The authorization URL to redirect to.
    Coalesce Org Settings page, Single Sign-On section: Authority, Subdomain, Authorization Server, OIDC Client ID, and the Server-Side Authorization toggle
  5. Once you've filled out the SSO settings in Coalesce, click Save.

  6. Log out of Coalesce.

  7. Go to your SSO URL, formatted like https://mySubdomain.<app_domain>, and click the Use Single Sign-On button to log in using SSO.

Use Single Sign On Button

If you see an error message instead of a button, check that you entered all the fields in your Coalesce SSO settings correctly. If the problem persists, please reach out to our Support Team.
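As an added troubleshooting aid (not part of the Coalesce documentation or product), the Python below derives the Redirect URI and Authorization Server values used in the Azure and Coalesce steps above from a subdomain and tenant ID, and inspects the claims of an ID token to confirm that the audience matches the OIDC Client ID, the tenant matches, and the optional email claim from the Token configuration step is present. The client and tenant IDs are placeholders, the sample token is constructed, and the issuer check assumes v2.0-style issuer URLs.

```python
import base64
import json
import time
from typing import Dict, List, Optional

# Placeholder identifiers for illustration only; not a real app registration or tenant.
CLIENT_ID = "11111111-2222-3333-4444-555555555555"
TENANT_ID = "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"

def b64url(obj: dict) -> str:
    """Base64url-encode a JSON object as a JWT segment (padding stripped)."""
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()

def build_sample_token(claims: dict) -> str:
    """Constructed, unsigned token for offline inspection; not a real Entra token."""
    return f"{b64url({'alg': 'none', 'typ': 'JWT'})}.{b64url(claims)}.sig"

def expected_settings(subdomain: str, app_domain: str, tenant_id: Optional[str]) -> Dict[str, str]:
    """Derive the Redirect URI and Authorization Server values the guide asks for.
    tenant_id=None selects the /common/ authority for multi-tenant and personal accounts."""
    tenant = tenant_id or "common"
    return {
        "redirect_uri": f"https://{subdomain}.{app_domain}/login/callback",
        "authorization_server": f"https://login.microsoftonline.com/{tenant}/",
    }

def check_id_token(id_token: str, client_id: str, tenant_id: str,
                   now: Optional[float] = None) -> List[str]:
    """Compare an ID token's claims with the configured settings and list any problems.
    Only the payload is decoded; verifying the signature is the application's job."""
    parts = id_token.split(".")
    if len(parts) != 3:
        return ["token does not have three dot-separated segments"]
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore stripped base64 padding
    claims = json.loads(base64.urlsafe_b64decode(payload))
    now = time.time() if now is None else now
    problems = []
    if claims.get("aud") != client_id:
        problems.append(f"aud {claims.get('aud')!r} does not match the OIDC Client ID")
    if claims.get("tid") != tenant_id:
        problems.append(f"tid {claims.get('tid')!r} does not match the tenant ID")
    # Assumes v2.0 tokens, whose issuer is https://login.microsoftonline.com/<tenant>/v2.0
    if not str(claims.get("iss", "")).startswith(f"https://login.microsoftonline.com/{tenant_id}/"):
        problems.append(f"unexpected issuer {claims.get('iss')!r}")
    if "email" not in claims:
        problems.append("email claim missing: add the optional email claim under Token configuration")
    if claims.get("exp", 0) <= now:
        problems.append("token has expired")
    return problems
```

An empty list from check_id_token means the token's audience, tenant, issuer prefix, email claim and expiry all agree with the values entered in the SSO settings; each string in a non-empty list names the field to revisit.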

Duplicate Accounts After SSO Setup

Separate SSO Account Creation

The creation of a separate SSO account is expected behavior and does not affect your existing basic auth account's permissions.

When you first authenticate using SSO in Coalesce, the system creates a new SSO account separate from your existing basic authentication account. This new SSO account is automatically assigned Org Member permissions by default.

If you previously had admin permissions through your basic auth account, you'll need to update the permissions for your new SSO account. To do this:

  1. Log in using your basic authentication credentials.
  2. Update the permissions for your SSO account.
  3. If you don't have admin access, contact your organization's admin to update the permissions.