
Microsoft Entra ID (Azure AD) SSO Setup

Configure SAML-based Single Sign-On with Microsoft Entra ID (formerly Azure Active Directory).

Prerequisites

  • Microsoft Entra ID tenant with admin access
  • Propper organization admin access
  • Users must have Microsoft 365 or Entra ID accounts

Step 1: Create an Enterprise Application

  1. Sign in to the Microsoft Entra admin center
  2. Navigate to Identity > Applications > Enterprise applications
  3. Click + New application
  4. Click + Create your own application
  5. Enter a name (e.g., "Propper")
  6. Select Integrate any other application you don't find in the gallery (Non-gallery)
  7. Click Create

Step 2: Configure SAML Single Sign-On

  1. In your new application, go to Single sign-on in the left menu
  2. Select SAML as the single sign-on method
  3. In the Basic SAML Configuration section, click Edit
  4. Enter the following values:
  Field                   Value
  Identifier (Entity ID)  urn:propper:sp:auth
  Reply URL (ACS URL)     https://auth.propper.ai/saml/acs
  Sign on URL             https://app.propper.ai/login
  Logout URL              https://auth.propper.ai/saml/slo
  5. Click Save
tip

You can add multiple Identifier values if needed. The first one will be the default.

Step 3: Configure Attributes & Claims

  1. In the Attributes & Claims section, click Edit
  2. Configure the following claims:

Required Claims

  Claim Name  Source Attribute                     Namespace
  email       user.mail or user.userprincipalname  (leave empty)
  firstName   user.givenname                       (leave empty)
  lastName    user.surname                         (leave empty)

Adding Custom Claims

  1. Click + Add new claim
  2. For each claim above:
    • Enter the Name (e.g., email)
    • Leave Namespace empty
    • Select Source as "Attribute"
    • Choose the appropriate Source attribute
    • Click Save

Optional: Group Claims (for Role Mapping)

To enable group-based role assignment:

  1. Click + Add a group claim
  2. Select Security groups or Groups assigned to the application
  3. Under Source attribute, select Group ID or Display Name
  4. Set the Name to groups
  5. Click Save
info

For large organizations, we recommend using "Groups assigned to the application" to limit the groups sent in the token.

Step 4: Download IdP Metadata

  1. In the SAML Certificates section, locate App Federation Metadata Url
  2. Copy this URL - you'll need it when configuring Propper

Alternatively, download the certificate directly:

  1. Under SAML Certificates, find Certificate (Base64)
  2. Click Download to save the certificate file
  3. Also copy the following from the Set up [App Name] section:
    • Login URL (this is your SSO URL)
    • Azure AD Identifier (this is your IdP Entity ID)

Step 5: Assign Users and Groups

  1. Go to Users and groups in the left menu
  2. Click + Add user/group
  3. Select the users or groups who should have access to Propper
  4. Click Assign
warning

Users will not be able to sign in via SSO until they are assigned to the application.

Step 6: Configure Propper

  1. Log in to Propper as an organization admin
  2. Go to Settings > Security > SSO
  3. Click Configure SSO or Edit Configuration
  4. Select Microsoft Entra ID as the provider
  5. Choose one of the following methods:

Option A: Import from Metadata URL

  1. Paste the App Federation Metadata Url from Step 4
  2. Click Import
  3. The IdP Entity ID, SSO URL, and Certificate will be populated automatically

Option B: Manual Configuration

Enter the following values from Step 4:

  Propper Field  Entra ID Value
  IdP Entity ID  Azure AD Identifier
  SSO URL        Login URL
  Certificate    Contents of the downloaded Certificate (Base64) file
  6. Click Save Configuration

Step 7: Test the Connection

  1. In Propper SSO settings, click Test Connection
  2. A new window will open with the IdP login page
  3. Sign in with a user who is assigned to the application
  4. If successful, you'll be redirected back to Propper
tip

Test in an incognito/private browser window to ensure you're testing the full authentication flow.

Optional: Enable JIT Provisioning

To automatically create Propper accounts for new SSO users:

  1. In Propper SSO settings, enable Just-In-Time Provisioning
  2. Select a Default Role for new users
  3. Optionally, configure Allowed Domains to restrict which email domains can be provisioned
  4. If using group claims, configure Role Mappings to assign roles based on Entra ID groups
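As an added example of how the four JIT settings above combine into a single provisioning decision (example code for this page, not Propper's implementation), the Python below takes the claims from an assertion and a configuration object and returns whether an account is created and with which role. The group ids and domains are constructed placeholders. One assumption is labelled in the code: when a user is in several mapped groups, this example grants the highest-precedence role; the page does not state how Propper breaks that tie.

```python
"""JIT provisioning decision for a first-time SSO user, from assertion claims.
Example written for this page; not Propper's own logic."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class JitConfig:
    enabled: bool                       # "Just-In-Time Provisioning" toggle
    default_role: str                   # "Default Role" for new users
    allowed_domains: frozenset[str]     # "Allowed Domains"; empty set = any domain
    role_mappings: dict[str, str]       # "Role Mappings": Entra group (object id or display name) -> role
    # ASSUMPTION: tie-break when several mapped groups match; highest first.
    role_precedence: tuple[str, ...] = ("admin", "editor", "viewer")


def decide_provisioning(claims: dict[str, list[str]], cfg: JitConfig) -> tuple[bool, str, str]:
    """Return (create_account, role, reason) for a user not yet known to Propper.

    `claims` is the attribute statement as name -> list of values, i.e. the
    email/firstName/lastName claims from Step 3 plus the optional `groups` claim.
    """
    if not cfg.enabled:
        return False, "", "JIT provisioning disabled: user must already exist"

    email = (claims.get("email") or [""])[0].strip().lower()
    if "@" not in email:
        return False, "", "email claim missing or malformed"
    domain = email.rsplit("@", 1)[1]
    if cfg.allowed_domains and domain not in cfg.allowed_domains:
        return False, "", f"domain {domain!r} not in Allowed Domains"

    # Group claims may carry object ids or display names (Step 3); match either.
    matched_roles = [cfg.role_mappings[g] for g in claims.get("groups", []) if g in cfg.role_mappings]
    if matched_roles:
        def rank(role: str) -> int:
            # Unknown roles sort after every listed one.
            return cfg.role_precedence.index(role) if role in cfg.role_precedence else len(cfg.role_precedence)
        role = min(matched_roles, key=rank)
        return True, role, f"role {role!r} from group mapping"

    return True, cfg.default_role, "no mapped group; Default Role applied"


if __name__ == "__main__":
    # Constructed configuration; the group object id is a placeholder.
    cfg = JitConfig(
        enabled=True,
        default_role="viewer",
        allowed_domains=frozenset({"example.com"}),
        role_mappings={"11111111-1111-1111-1111-111111111111": "admin", "Engineering": "editor"},
    )
    for claims in (
        {"email": ["Ada@Example.com"], "groups": ["Engineering"]},
        {"email": ["bob@contractor.example"]},
        {"email": ["carol@example.com"]},
    ):
        print(claims["email"][0], "->", decide_provisioning(claims, cfg))
```

The domain check runs before any role mapping, so a user from an unlisted domain is refused even if an Entra group would have granted them a role; that ordering is what makes Allowed Domains an effective boundary rather than a default.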

Optional: Enforce SSO

To require SSO for all users:

  1. First, verify your email domain in Propper
  2. Enable SSO Enforcement for the verified domain
  3. Add admin email addresses to the Bypass List to prevent lockout
warning

Always add at least one admin to the bypass list before enabling enforcement. This ensures you can still access the admin panel if there are SSO issues.

Troubleshooting

Error: Invalid Signature

  • Ensure the certificate in Propper matches the certificate in Entra ID
  • If the certificate was recently rotated, update it in Propper
  • Verify the certificate hasn't expired in the Entra ID SAML Certificates section

Error: User Not Assigned

  • The user attempting to log in is not assigned to the Enterprise Application
  • Go to Users and groups and add the user

Error: Attribute Missing

  • Ensure all required attributes (email, firstName, lastName) are configured
  • Check that the source attributes contain values for the test user
  • Verify the claim names exactly match: email, firstName, lastName

Error: Audience Mismatch

  • Verify the Identifier (Entity ID) in Entra ID exactly matches urn:propper:sp:auth
  • Check for extra spaces or trailing slashes

Error: Reply URL Mismatch

  • Verify the Reply URL exactly matches https://auth.propper.ai/saml/acs
  • Ensure there are no typos or trailing slashes
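The Audience Mismatch, Reply URL Mismatch and Attribute Missing errors above, together with the required claims from Step 3, all come down to field-level comparisons on the SAML Response. The added Python below (example code for this page, not Propper's validator) performs those comparisons on a constructed response and reports each problem with the same name the Troubleshooting section uses, including the trailing-slash and claim-name-case cases called out above. It assumes the response's XML signature has already been verified against the IdP certificate; it does no signature checking itself, and xml.etree should be swapped for defusedxml when the input is a real, untrusted response.

```python
"""Field-level checks on a SAML Response mirroring the Troubleshooting errors.
Example written for this page; not Propper's own validation code.

These checks run AFTER signature verification and only explain why an
otherwise valid response is rejected (audience, reply URL, claims).
"""
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
# Values from Step 2: Identifier (Entity ID) and Reply URL (ACS URL).
SP_ENTITY_ID = "urn:propper:sp:auth"
ACS_URL = "https://auth.propper.ai/saml/acs"
REQUIRED_CLAIMS = ("email", "firstName", "lastName")  # Step 3, exact names

# Constructed response fixture (string formatting is fine for a fixture,
# never for building real XML). The issuer tenant id is a placeholder.
RESPONSE_TEMPLATE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0"
    IssueInstant="2024-01-01T00:00:00Z" Destination="{acs}">
  <saml:Issuer>https://sts.windows.net/00000000-0000-0000-0000-000000000000/</saml:Issuer>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
    <saml:Subject>
      <saml:NameID>user@example.com</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData Recipient="{acs}"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions><saml:AudienceRestriction>
      <saml:Audience>{audience}</saml:Audience>
    </saml:AudienceRestriction></saml:Conditions>
    <saml:AttributeStatement>{attributes}</saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def build_response(audience: str, acs: str, claims: dict[str, str]) -> str:
    """Build a constructed (unsigned) response for demonstration only."""
    attrs = "".join(
        f'<saml:Attribute Name="{n}"><saml:AttributeValue>{v}</saml:AttributeValue></saml:Attribute>'
        for n, v in claims.items()
    )
    return RESPONSE_TEMPLATE.format(audience=audience, acs=acs, attributes=attrs)


def check_response_fields(response_xml: str) -> list[str]:
    """Return a list of problems; each starts with the Troubleshooting error name."""
    root = ET.fromstring(response_xml)
    problems: list[str] = []
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return ["No Assertion: response carries no plain-text Assertion element"]

    # Audience Mismatch: the Identifier set in Entra ID must equal our entity ID.
    audiences = [(a.text or "") for a in assertion.findall(
        "saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)]
    if SP_ENTITY_ID not in audiences:
        hint = ""
        if any(a.strip().rstrip("/") == SP_ENTITY_ID for a in audiences):
            hint = " (differs only by whitespace or a trailing slash)"
        problems.append(f"Audience Mismatch: got {audiences}, expected {SP_ENTITY_ID!r}{hint}")

    # Reply URL Mismatch: Destination and the bearer Recipient must be our ACS URL.
    scd = assertion.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    recipient = scd.get("Recipient") if scd is not None else None
    wrong = {k: v for k, v in {"Destination": root.get("Destination"), "Recipient": recipient}.items()
             if v is not None and v != ACS_URL}
    if wrong:
        problems.append(f"Reply URL Mismatch: {wrong} != {ACS_URL!r}")

    # Attribute Missing: names are compared exactly, and values must be non-empty.
    attrs = {
        a.get("Name"): [(v.text or "").strip() for v in a.findall("saml:AttributeValue", NS)]
        for a in assertion.findall("saml:AttributeStatement/saml:Attribute", NS)
    }
    for claim in REQUIRED_CLAIMS:
        if claim not in attrs:
            near = [n for n in attrs if n.lower() == claim.lower()]
            hint = f" (found {near[0]!r}; names are case-sensitive)" if near else ""
            problems.append(f"Attribute Missing: {claim} not in assertion{hint}")
        elif not any(attrs[claim]):
            problems.append(f"Attribute Missing: {claim} present but empty "
                            "(source attribute has no value for this user)")
    return problems


if __name__ == "__main__":
    bad = build_response("urn:propper:sp:auth/", "https://auth.propper.ai/saml/acs/",
                         {"Email": "user@example.com", "firstName": "", "lastName": "Example"})
    for p in check_response_fields(bad):
        print("-", p)
```

Running the block against the deliberately misconfigured fixture lists four findings: an audience that differs only by a trailing slash, a Destination and Recipient that carry the same trailing slash, an "Email" claim where "email" is required, and an empty firstName for a user whose user.givenname is blank; a correctly configured response yields an empty list.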

Users See "Access Denied"

  • The user may not be assigned to the application in Entra ID
  • Check if Conditional Access policies are blocking access
  • Verify the user's account is active and not blocked

Additional Resources