May 21, 2026

Single Sign-On (Microsoft Entra ID)

Let your team sign in to Alaigned with their existing Microsoft corporate accounts

Overview

Single Sign-On (SSO) lets your organization's members sign in to Alaigned with their existing Microsoft Entra ID (Azure AD) corporate accounts, instead of a separate Alaigned password. This reduces password friction, speeds up onboarding, and keeps account control with your identity provider.

Setting up SSO is an administrator task and has two halves: registering an application in Microsoft Entra, and entering the resulting credentials in Alaigned.

Where to find it

Top nav → AdminCompany ProfileSSO tab. SSO configuration is available to administrators only.

Before you begin

  • You need the manage enterprise permission in Alaigned.
  • You need access to the Microsoft Entra admin center (Azure Portal) for your organization's tenant.
  • Decide who will own the Entra app registration — the client secret it produces is sensitive.

Step 1 — Register an application in Microsoft Entra

In the Microsoft Entra admin center:

  1. Create a new App registration for Alaigned.

  2. Add a Redirect URI of type Web. Alaigned shows you the exact URI to use on the SSO settings page — it has the form:

    https://your-org.alaigned.com/auth/microsoft_entra/callback

  3. Create a client secret for the app and copy its value immediately — Entra only shows it once.

  4. Note down three values: the Directory (tenant) ID, the Application (client) ID, and the client secret.

Step 2 — Configure SSO in Alaigned

  1. Open Company Profile in the organization admin area and select the SSO tab.
  2. Enter the three values from Entra: Tenant ID, Client ID (Application ID), and Client Secret.
  3. Click Test Connection. Alaigned verifies the credentials against Entra — you must run a successful test before SSO can be enabled.
  4. Once the test passes, click Enable SSO and confirm.

Enabling SSO is permanent

Once SSO is enabled it cannot be switched off from the admin UI — this is deliberate, to prevent locking your organization out. If you ever need to disable SSO, contact Alaigned support. Double-check the configuration (especially that the redirect URI matches) before you enable.

How members sign in

After SSO is enabled, the Alaigned login page shows a Sign in with Microsoft option. Members choose it, authenticate with Microsoft, and land in Alaigned — no Alaigned password required.

SSO sessions last 72 hours, after which members sign in again (password-based sessions last longer — up to 60 days). The shorter window keeps access tied closely to your identity provider.

New members — automatic provisioning

When someone signs in through SSO for the first time and doesn't yet have an Alaigned account, one is created automatically (just-in-time provisioning). The new account starts with the Enterprise Viewer role — a safe, read-only default — and is flagged for role assignment.

An administrator should then give the new member their proper role. The "needs role assignment" flag clears automatically the first time an admin changes the member's role.

Audit trail

Key SSO actions are recorded in the organization's audit log — including the SSO configuration being created, updated, and enabled, and SSO accounts being provisioned and linked. This gives you a compliance record of how SSO access was set up and who it was granted to.