# SSO Configuration for Microsoft Entra ID

> Configure single sign-on for Brellium using Microsoft Entra ID (formerly Azure AD)

This guide walks you through configuring single sign-on (SSO) for Brellium using Microsoft Entra ID (formerly Azure Active Directory). You register an application in your Entra ID tenant and provide the credentials to Brellium to complete the connection.

## Prerequisites

Before you begin, ensure you have:

* Administrator access to your Microsoft Entra ID tenant
* A Brellium admin account with permissions to authorize integrations

## Supported features

The Brellium Microsoft Entra ID integration supports the following features:

* **SP-initiated SSO** — Users can sign in to Brellium from the Brellium sign-in page, which redirects to Microsoft Entra ID for authentication.
* **IdP-initiated SSO** — Users can sign in to Brellium directly from the Microsoft My Apps portal by clicking the Brellium tile.
* **Just-In-Time (JIT) provisioning** — User accounts are automatically created in Brellium on first sign-in through Microsoft Entra ID. The following attributes are provisioned:
  * Email address
  * Full name
* **Federated logout (SLO)** — Users who sign out from Brellium also have their Microsoft Entra ID session terminated.

<Note>
  To provision and deprovision users in Brellium using SCIM, see the [SCIM Provisioning Configuration guide](/integrations/azure-ad-scim).
</Note>

## Configuration steps

<Steps>
  <Step title="Register an application in Microsoft Entra ID">
    1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com).
    2. Go to **Identity** > **Applications** > **App registrations**.
    3. Click **New registration**.

    <Frame caption="App registrations page with New registration button">
      <img src="https://mintcdn.com/brellium/ofrAbFGokAWxhlqW/images/azure-ad/ad_1.svg?fit=max&auto=format&n=ofrAbFGokAWxhlqW&q=85&s=81b041152b2be143e144232b2fac839e" alt="Microsoft Entra ID App registrations page showing the New registration button" width="671" height="350" data-path="images/azure-ad/ad_1.svg" />
    </Frame>

    4. Configure the following settings:

    | Setting                     | Value                                                                                                                                                                                                                                                          |
    | --------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
    | **Name**                    | `Brellium` (or your preferred application label)                                                                                                                                                                                                               |
    | **Supported account types** | Select **Accounts in this organizational directory only (Single tenant)** to limit access to your organization. To allow users from external Azure AD directories, select **Accounts in any organizational directory (Any Azure AD directory - Multitenant)**. |
    | **Redirect URI**            | Select **Web** and enter the callback URL provided by Brellium.                                                                                                                                                                                                |

    <Frame caption="Register an application form">
      <img src="https://mintcdn.com/brellium/ofrAbFGokAWxhlqW/images/azure-ad/ad_2.svg?fit=max&auto=format&n=ofrAbFGokAWxhlqW&q=85&s=54412c382def2acfc05abce48d3b8a76" alt="Register an application form showing Name and Supported account types fields" width="671" height="350" data-path="images/azure-ad/ad_2.svg" />
    </Frame>

    5. Click **Register**.

    On the application's **Overview** page, note the **Application (client) ID** — you will need this later.

    <Frame caption="Application overview showing the Application (client) ID">
      <img src="https://mintcdn.com/brellium/ofrAbFGokAWxhlqW/images/azure-ad/ad_3.svg?fit=max&auto=format&n=ofrAbFGokAWxhlqW&q=85&s=1d7feb9ec121685c5ec8eebfc3fc77e2" alt="Application overview page with Application (client) ID highlighted" width="671" height="350" data-path="images/azure-ad/ad_3.svg" />
    </Frame>

    <Warning>
      Make sure you are in the correct Azure AD directory when registering the application. If you have multiple directories, verify you are in the intended tenant before proceeding.
    </Warning>

    <Tip>
      Contact your Brellium customer success manager or [Brellium support](mailto:sso.support@brellium.com) to obtain the correct **Redirect URI** for your organization.
    </Tip>

    If you did not set the Redirect URI during registration, you can add it afterward:

    1. In the registered Brellium application, go to **Authentication** under **Manage**.
    2. Click **Add a platform** and select **Web**.

    <Frame caption="Add a platform — select Web">
      <img src="https://mintcdn.com/brellium/ofrAbFGokAWxhlqW/images/azure-ad/ad_4.svg?fit=max&auto=format&n=ofrAbFGokAWxhlqW&q=85&s=c75b327440c7838b4502a9e0c401ebe5" alt="Authentication page showing Add a platform with Web option selected" width="671" height="350" data-path="images/azure-ad/ad_4.svg" />
    </Frame>

    3. Enter the **Redirect URI** provided by Brellium.
    4. Click **Configure**.

    <Frame caption="Configure Web platform with Redirect URI">
      <img src="https://mintcdn.com/brellium/ofrAbFGokAWxhlqW/images/azure-ad/ad_5.svg?fit=max&auto=format&n=ofrAbFGokAWxhlqW&q=85&s=20427798509f98af8aa689cc9a611f1f" alt="Configure Web platform showing the Redirect URIs field" width="671" height="350" data-path="images/azure-ad/ad_5.svg" />
    </Frame>
  </Step>

  <Step title="Create a client secret">
    1. In the registered Brellium application, go to **Certificates & secrets** under **Manage**.
    2. Click **New client secret**.
    3. Enter a description (e.g., `Brellium SSO`) and select an expiration period.

    <Frame caption="Add a client secret dialog">
      <img src="https://mintcdn.com/brellium/ofrAbFGokAWxhlqW/images/azure-ad/ad_6.svg?fit=max&auto=format&n=ofrAbFGokAWxhlqW&q=85&s=47db5abdaf0af740a4cb2b4e56b3618c" alt="Add a client secret dialog with Description and Expires fields" width="671" height="350" data-path="images/azure-ad/ad_6.svg" />
    </Frame>

    4. Click **Add**.
    5. Copy the **Value** of the new client secret immediately — it is only shown once.

    <Frame caption="Client secret value — copy this immediately">
      <img src="https://mintcdn.com/brellium/ofrAbFGokAWxhlqW/images/azure-ad/ad_7.svg?fit=max&auto=format&n=ofrAbFGokAWxhlqW&q=85&s=1bfc93285cb26f9d08d9eb8b7b74ab5d" alt="Certificates and secrets page showing the client secret Value highlighted" width="671" height="350" data-path="images/azure-ad/ad_7.svg" />
    </Frame>

    <Warning>
      If you configure an expiring secret, record the expiration date. You must renew the secret before it expires to avoid a service interruption. When you renew the secret, provide the new value to Brellium.
    </Warning>
  </Step>

  <Step title="Add API permissions">
    1. In the registered Brellium application, go to **API permissions** under **Manage**.
    2. Click **Add a permission** > **Microsoft Graph** > **Delegated permissions**.
    3. Add the following permissions:

    | Permission             | Description                                                          |
    | ---------------------- | -------------------------------------------------------------------- |
    | **User.Read**          | Allows the app to sign in users and read their profiles              |
    | **Directory.Read.All** | Allows the app to read directory data on the signed-in user's behalf |

    4. Click **Add permissions**.
    5. If required by your organization, click **Grant admin consent** to consent on behalf of all users in the directory.
  </Step>

  <Step title="Provide credentials to Brellium">
    Provide the following values to your Brellium customer success manager or [Brellium support](mailto:sso.support@brellium.com) to complete the connection:

    | Value                         | Where to find it                                                                                                       |
    | ----------------------------- | ---------------------------------------------------------------------------------------------------------------------- |
    | **Application (client) ID**   | App registrations > Brellium > Overview                                                                                |
    | **Client secret**             | The secret value you copied in the previous step                                                                       |
    | **Microsoft Entra ID domain** | Your Azure AD directory's primary domain (e.g., `yourcompany.onmicrosoft.com`), found on the directory's Overview page |

    Brellium configures the enterprise connection on your behalf. You will be notified when the setup is complete.
  </Step>

  <Step title="Grant admin consent">
    Once Brellium has configured the connection, an administrator in your Azure AD tenant must grant consent for the application. Your Brellium contact will provide a consent URL.

    1. Open the consent URL in a browser.
    2. Sign in with an Azure AD administrator account.
    3. Review the permissions and click **Accept**.

    <Note>
      If you do not have the appropriate Azure AD administrative permissions to grant consent, share the consent URL with an administrator in your organization.
    </Note>
  </Step>

  <Step title="Assign users and groups">
    1. In the [Microsoft Entra admin center](https://entra.microsoft.com), go to **Identity** > **Applications** > **Enterprise applications**.
    2. Select the **Brellium** application.
    3. Go to **Users and groups** under **Manage**.
    4. Click **Add user/group**.
    5. Select the users or groups to assign and click **Assign**.
  </Step>

  <Step title="Verify the configuration">
    Verify that SSO is working correctly.

    **Verify IdP-initiated SSO:**

    1. Go to the [Microsoft My Apps portal](https://myapps.microsoft.com).
    2. Click the **Brellium** tile.
    3. Confirm that you are signed in to Brellium without being prompted for additional credentials.

    **Verify SP-initiated SSO:**

    1. Open a new browser window and go to the [Brellium sign-in page](https://app.brellium.com).
    2. Click **Sign in with Microsoft**.
    3. Enter your Microsoft Entra ID credentials.
    4. Confirm that you are signed in to Brellium.
  </Step>
</Steps>
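The warning in the "Create a client secret" step asks you to record the expiry date and renew the secret in time. The following added example (not Brellium's or Microsoft's code) shows what that check looks like when automated: it reads the registration's `passwordCredentials` collection, in the shape returned by Microsoft Graph (`GET /applications/{id}?$select=passwordCredentials`) or by `az ad app credential list --id <APP_ID>`, and flags secrets that have expired or expire within 30 days. The JSON is a constructed sample with placeholder key IDs; the 30-day threshold and the fixed clock used for the printout are the example's own choices.

```python
"""Added example (not Brellium's code): audit the expiry of an app
registration's client secrets, the check behind the warning in the
"Create a client secret" step."""
from datetime import datetime, timedelta, timezone
import json

# Constructed sample in the shape of the Graph `passwordCredentials` collection
# (what `az ad app credential list --id <APP_ID>` prints for the registration).
# Graph never returns the secret value itself, only the 3-character `hint`.
SAMPLE_CREDENTIALS = json.loads("""
[
  {"displayName": "Brellium SSO", "hint": "abc",
   "keyId": "11111111-1111-1111-1111-111111111111",
   "startDateTime": "2024-01-10T09:00:00Z", "endDateTime": "2025-01-10T09:00:00Z"},
  {"displayName": "Brellium SSO (renewed)", "hint": "xyz",
   "keyId": "22222222-2222-2222-2222-222222222222",
   "startDateTime": "2024-12-20T09:00:00Z", "endDateTime": "2025-02-05T09:00:00Z"},
  {"displayName": "old test secret", "hint": "qrs",
   "keyId": "33333333-3333-3333-3333-333333333333",
   "startDateTime": "2023-06-01T00:00:00Z", "endDateTime": "2025-12-01T00:00:00Z"}
]
""")

# Fixed clock so the printed output is reproducible; pass now=None for the real clock.
FIXED_NOW = datetime(2025, 1, 20, 9, 0, tzinfo=timezone.utc)


def parse_graph_time(value: str) -> datetime:
    """Graph emits RFC 3339 timestamps with a trailing Z; datetime.fromisoformat
    only accepts that suffix from Python 3.11, so normalise it to +00:00 first."""
    if value.endswith("Z"):
        value = value[:-1] + "+00:00"
    return datetime.fromisoformat(value)


def classify_secrets(credentials, now=None, warn_within=timedelta(days=30)):
    """One finding per secret: expired, expiring (within warn_within) or ok,
    sorted so the most urgent secret comes first."""
    now = now or datetime.now(timezone.utc)
    findings = []
    for cred in credentials:
        end = parse_graph_time(cred["endDateTime"])
        remaining = end - now
        if remaining <= timedelta(0):
            status = "expired"
        elif remaining <= warn_within:
            status = "expiring"
        else:
            status = "ok"
        findings.append({
            "keyId": cred["keyId"],
            "displayName": cred.get("displayName", ""),
            "hint": cred.get("hint", ""),
            "endDateTime": end.isoformat(),
            "days_remaining": remaining.days,
            "status": status,
        })
    return sorted(findings, key=lambda f: f["days_remaining"])


def needs_action(findings):
    """Secrets to renew now (and hand the new value to Brellium) or to remove."""
    return [f for f in findings if f["status"] != "ok"]


if __name__ == "__main__":
    for f in classify_secrets(SAMPLE_CREDENTIALS, now=FIXED_NOW):
        print(f"{f['status']:<9} {f['days_remaining']:>5}d  {f['displayName']} "
              f"(hint {f['hint']}, keyId {f['keyId']})")
```

Because Graph only exposes the hint of each secret, the script can run from a scheduled job with read-only access to the application object and still tell you which secret is about to lapse; an expired secret is what produces the "failed to obtain access token" error listed under Troubleshoot.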

## SP-initiated SSO

After the integration is configured, users can sign in to Brellium using one of the following methods:

<Note>
  For SP-initiated SSO, users must access Brellium through one of the options below. Direct sign-in at `app.brellium.com` without a verified domain will not automatically redirect to Microsoft Entra ID.
</Note>

**Option 1: Use your organization's Brellium domain**

Navigate directly to your organization's dedicated Brellium URL (e.g., `https://myorganization.brellium.app`). You are automatically redirected to Microsoft Entra ID for authentication.

**Option 2: Sign in with a verified domain**

If your organization has configured verified domains:

1. Go to [https://app.brellium.com](https://app.brellium.com).
2. Enter your email address.
3. You are automatically redirected to Microsoft Entra ID for authentication based on your email domain.

<Tip>
  If your organization has not yet configured verified domains, contact your customer success manager or [Brellium support](mailto:sso.support@brellium.com) to set this up.
</Tip>

If your credentials are valid, you are redirected to the Brellium dashboard.

## Troubleshoot

| Issue                                                   | Cause                                        | Solution                                                                                                                                  |
| ------------------------------------------------------- | -------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------- |
| "Access cannot be granted to this service" error        | Supported account types are misconfigured    | Verify the **Supported account types** in the app registration. If external users need access, select the appropriate multitenant option. |
| "invalid\_request; failed to obtain access token" error | Azure AD client secret is invalid or expired | Generate a new client secret in Azure AD and provide the updated value to Brellium                                                        |
| Users aren't created on first sign-in                   | Just-In-Time provisioning isn't enabled      | Contact Brellium support to enable JIT provisioning for your organization                                                                 |
| Application not visible in Azure AD                     | App was registered in the wrong directory    | Verify you are in the correct Azure AD tenant and re-register the application if needed                                                   |

## Signing key rollover

Microsoft Entra ID periodically rolls its signing keys for security purposes. **You do not need to take any action** — Brellium uses the new key automatically.
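A relying party needs no action on rollover because it never pins a key: it selects the key by the token's `kid` from the `jwks_uri` advertised in the tenant's OpenID configuration document (`https://login.microsoftonline.com/{tenant}/v2.0/.well-known/openid-configuration`) and refetches that key set when it meets a `kid` it has not seen. The same validation stage is where the **Supported account types** choice from the registration step takes effect: the `iss` and `tid` claims say which tenant issued the token, and the application decides which tenants it admits. The following added example (not Brellium's code) implements both pieces. Everything in it is constructed: the tenant and client IDs are placeholders, and because Entra publishes RSA keys (verified with RS256 by a JOSE library in production) the offline demo substitutes HMAC `oct` keys so that the signature step actually runs; the cache and claim logic are unchanged by that substitution.

```python
"""Added example (not Brellium's code): relying-party side of accepting an Entra ID
token. A JWKS cache keyed by `kid` picks up a rolled signing key on its own, and the
claim checks decide which tenants' users may sign in."""
import base64, hashlib, hmac, json, time


def b64url_decode(data: str) -> bytes:
    return base64.urlsafe_b64decode(data + "=" * (-len(data) % 4))


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


class JwksCache:
    """Keys from the issuer's jwks_uri, refreshed when an unknown kid shows up."""

    def __init__(self, fetch_jwks, min_refresh_interval=300):
        self._fetch = fetch_jwks          # callable returning {"keys": [...]}
        self._min_interval = min_refresh_interval
        self._keys, self._last_refresh, self.fetch_count = {}, None, 0

    def _refresh(self, now):
        self._keys = {k["kid"]: k for k in self._fetch().get("keys", []) if "kid" in k}
        self._last_refresh, self.fetch_count = now, self.fetch_count + 1

    def key_for(self, kid, now=None):
        now = time.time() if now is None else now
        if self._last_refresh is None:
            self._refresh(now)
        if kid in self._keys:
            return self._keys[kid]
        # Unknown kid: the issuer has most likely rolled its keys. Re-fetch, but
        # rate-limit it so a stream of bogus kids cannot turn into a JWKS flood.
        if now - self._last_refresh >= self._min_interval:
            self._refresh(now)
            if kid in self._keys:
                return self._keys[kid]
        raise KeyError(f"no signing key with kid {kid!r}")


def check_claims(payload, client_id, allowed_tenants, now):
    """Checks on a v2.0 ID token whose signature already verified; ValueError on failure."""
    tid = payload.get("tid")
    if tid not in allowed_tenants:        # single-tenant: one entry; multitenant: the directories you admit
        raise ValueError(f"tenant {tid!r} may not sign in here")
    if payload.get("iss") != f"https://login.microsoftonline.com/{tid}/v2.0":
        raise ValueError("issuer does not match the token's tenant")
    if payload.get("aud") != client_id:
        raise ValueError("token was not issued for this application")
    if not payload.get("nbf", 0) <= now < payload.get("exp", 0):
        raise ValueError("token is outside its validity window")
    return payload


def verify_id_token(token, cache, client_id, allowed_tenants, alg, verify_sig, now):
    header_b64, payload_b64, sig_b64 = token.split(".")
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") != alg:               # never let the token choose its own alg
        raise ValueError(f"unexpected alg {header.get('alg')!r}")
    key = cache.key_for(header.get("kid"), now)  # KeyError if still unknown after a refresh
    if not verify_sig(key, f"{header_b64}.{payload_b64}".encode(), b64url_decode(sig_b64)):
        raise ValueError("signature does not verify")
    return check_claims(json.loads(b64url_decode(payload_b64)), client_id, allowed_tenants, now)


# ---- Constructed demo material: placeholder ids, HMAC stand-in for Entra's RSA keys ----
DEMO_KEYS = {"old-key": b"demo-secret-old", "new-key": b"demo-secret-new"}
TENANT = "00000000-0000-0000-0000-00000000aaaa"
FOREIGN_TENANT = "ffffffff-ffff-ffff-ffff-ffffffffffff"
CLIENT_ID = "11111111-1111-1111-1111-111111111111"
T0 = 1_700_000_000


def demo_verify(key, signing_input, signature):
    expected = hmac.new(b64url_decode(key["k"]), signing_input, hashlib.sha256).digest()
    return hmac.compare_digest(expected, signature)


def mint_demo_token(kid, payload):
    header = b64url_encode(json.dumps({"alg": "HS256", "kid": kid}).encode())
    body = b64url_encode(json.dumps(payload).encode())
    sig = hmac.new(DEMO_KEYS[kid], f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{b64url_encode(sig)}"


def run_rollover_demo():
    published = [{"kty": "oct", "kid": "old-key", "k": b64url_encode(DEMO_KEYS["old-key"])}]
    cache = JwksCache(lambda: {"keys": list(published)})
    cache.key_for("old-key", now=T0)                      # warm the cache: only old-key exists yet
    published.append({"kty": "oct", "kid": "new-key", "k": b64url_encode(DEMO_KEYS["new-key"])})
    claims = {"iss": f"https://login.microsoftonline.com/{TENANT}/v2.0", "tid": TENANT,
              "aud": CLIENT_ID, "nbf": T0, "exp": T0 + 7200, "preferred_username": "user@example.com"}
    args = (cache, CLIENT_ID, {TENANT}, "HS256", demo_verify)
    result = {"user": verify_id_token(mint_demo_token("new-key", claims), *args, T0 + 600)["preferred_username"]}
    foreign = dict(claims, tid=FOREIGN_TENANT, iss=f"https://login.microsoftonline.com/{FOREIGN_TENANT}/v2.0")
    try:                                                  # signature verifies, but the tenant is not admitted
        verify_id_token(mint_demo_token("new-key", foreign), *args, T0 + 600)
        result["foreign_tenant"] = "accepted"
    except ValueError:
        result["foreign_tenant"] = "rejected"
    try:                                                  # unknown kid one second after a refresh: no re-fetch
        cache.key_for("bogus-kid", now=T0 + 601)
        result["bogus_kid"] = "found"
    except KeyError:
        result["bogus_kid"] = "rejected"
    result["fetches"] = cache.fetch_count
    return result
```

`run_rollover_demo()` warms the cache while only `old-key` is published, then presents a token signed with `new-key`: the lookup misses, the cache refetches once, and the token is accepted with no configuration change. A token from a tenant outside the allowlist is refused even though its signature verifies, and an unknown `kid` presented right after a refresh does not trigger another fetch.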

## Support

If you have questions or encounter issues not covered in this guide, contact the Brellium support team:

* **Email**: [sso.support@brellium.com](mailto:sso.support@brellium.com)
