To use Microsoft SSO with Azure AD (Microsoft Entra ID) and obtain the required credentials (Client ID, Client Secret, Tenant ID), the application must be registered in Microsoft Entra ID and then configured for SSO.
At a high level, the process is:

- Register the application in Microsoft Entra ID
  - In the Microsoft Entra admin center, register the app so it can use modern auth protocols such as OpenID Connect or OAuth 2.0.
  - Registration creates an application object; the Application (client) ID and Directory (tenant) ID can then be read from the app registration's Overview page.
  - These values are used as the Client ID and Tenant ID in the SSO/OAuth configuration.
- Create or reset client credentials (Client Secret)
  - For scenarios such as Azure Spring Apps Enterprise SSO, a client secret is created for the app registration and stored for later use.
  - Example flow using Azure CLI (export the application ID, reset credentials to generate a new secret, then read back the Client ID, Client Secret and Tenant ID and derive the issuer/JWK endpoints):

    ```bash
    # ad.json holds the app registration created earlier; take its appId and
    # reset the credentials to mint a new client secret (--append keeps existing ones)
    export APPLICATION_ID=$(jq -r '.appId' ad.json)
    az ad app credential reset --id "${APPLICATION_ID}" --append > sso.json

    # Client ID
    jq -r '.appId' sso.json
    # Client Secret (sensitive: do not echo into logs or commit it)
    jq -r '.password' sso.json
    # Tenant ID, plus the issuer URI and JWK Set URI derived from it
    export TENANT_ID=$(jq -r '.tenant' sso.json)
    echo "https://login.microsoftonline.com/${TENANT_ID}/v2.0"
    echo "https://login.microsoftonline.com/${TENANT_ID}/discovery/v2.0/keys"
    ```
- Use the credentials in SSO configuration
  - For web or client apps using MSAL, configure:
    - clientId = Application (client) ID
    - authority = https://login.microsoftonline.com/<Directory (tenant) ID>
  - These values are then used to request tokens and enable SSO to Microsoft resources.
- Configure SSO for specific SaaS apps or workloads (examples)
  - For SaaS apps such as LinkedIn Learning:
    - Add the app from Enterprise applications.
    - Configure SAML SSO by setting the Identifier (Entity ID), Reply URL (ACS URL), and Sign-on URL as provided by the SaaS app.
  - For Azure Spring Apps Enterprise:
    - Use the generated Client ID, Client Secret, Issuer URI, and JWK Set URI in the Spring app's identity/SSO configuration.
- Security and best practices
  - Use SSO to centralize authentication and apply consistent policies (MFA, Conditional Access, unified logging) across applications.
  - Avoid duplicate accounts by using Azure AD SSO for workload and SaaS access.
  - Protect client secrets (for example, in Azure Key Vault) and rotate them regularly.
These steps provide the Azure AD credentials (Client ID, Secret, Tenant ID) required to implement Microsoft SSO for applications and services that integrate with Microsoft identities.
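As an added example (not from this page or from Microsoft's documentation), the Python below derives the MSAL/OIDC settings described above from the sso.json that the credential reset produces, keeps the secret out of the resulting config, and applies the issuer, tenant, audience and expiry claim checks a resource server should run after JWKS signature verification. The sso.json values and the sample tokens are constructed placeholders, and `sso_config`, `sample_token` and `token_problems` are hypothetical helper names.

```python
import base64
import json

# Constructed sample of `az ad app credential reset ... > sso.json` output
# (placeholder values, not real credentials).
SSO_JSON = (
    '{"appId": "11111111-2222-3333-4444-555555555555", '
    '"password": "PLACEHOLDER-CLIENT-SECRET", '
    '"tenant": "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"}'
)


def sso_config(sso_json):
    """Derive Client ID, Tenant ID, authority, issuer and JWK Set URIs from sso.json.
    The client secret is deliberately omitted: keep it in Key Vault or an env var."""
    data = json.loads(sso_json)
    tenant_id = data["tenant"]
    authority = f"https://login.microsoftonline.com/{tenant_id}"
    return {
        "clientId": data["appId"],
        "tenantId": tenant_id,
        "authority": authority,
        "issuerUri": f"{authority}/v2.0",
        "jwkSetUri": f"{authority}/discovery/v2.0/keys",
    }


def sample_token(claims):
    """Build an unsigned compact JWT (alg none) purely for offline testing of claim checks."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f'{enc({"alg": "none", "typ": "JWT"})}.{enc(claims)}.'


def _claims(jwt):
    """Decode the payload segment of a compact JWT; no signature check happens here."""
    payload = jwt.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64 padding
    return json.loads(base64.urlsafe_b64decode(payload))


def token_problems(jwt, cfg, now):
    """Claim checks to run after signature verification against cfg['jwkSetUri']:
    issuer and tid must be this tenant, aud must be this app, exp must be in the future."""
    c = _claims(jwt)
    problems = []
    if c.get("iss") != cfg["issuerUri"]:
        problems.append("issuer is not this tenant")  # rejects tokens minted by other tenants
    if c.get("tid") != cfg["tenantId"]:
        problems.append("tid is not this tenant")
    if c.get("aud") != cfg["clientId"]:
        problems.append("audience is not this application")
    if c.get("exp", 0) <= now:
        problems.append("token expired")
    return problems
```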