# Setup standard Single Sign On with MS Entra ID

## Enable standard SSO with MS Entra ID

In the environment, open the Ultimo Configuration Tool and go to the AET at the "application" level. Search for "Microsoft" and enable "Allow Microsoft Authentication".

<figure><img src="https://4033746893-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MZmRVbbu75Ds8MiWx_F%2Fuploads%2Fk1CeFPi8KZsr6WWHnHQB%2Fimage.png?alt=media&#x26;token=51c2a22e-d41b-4e18-81f7-4310d4140187" alt=""><figcaption><p>Example of enabled setting</p></figcaption></figure>

When enabled, a new button to log in with Microsoft appears on the login page.

{% hint style="info" %}
Only active user accounts that have received an activation link can actually log in using this new button.
{% endhint %}

## Add new users

In Ultimo, in UCT > User manager, you can add new users. Fill in the mandatory fields. You can ignore the password and authentication fields: when the user receives the activation e-mail, they decide for themselves how to log in and which fields to fill in, based on what is allowed in the Ultimo application. After you add the user, activate the account. The user will then automatically receive an activation e-mail with the required information.

## Reset existing users and invite them

All existing users log in with a different method, either 'forms' or 'custom SSO'. To let them log in with this new method, reset the login method in the user manager. This can be done per user or for several users at once via multi-select. Use the optional filters to determine the correct selection.

{% hint style="info" %}
It is important that the employee's e-mail address is filled in on the employee record. Make sure there is only one (valid) e-mail address per record.
{% endhint %}

All activated users will receive an activation link. It is possible to reset inactive users, but they won't receive an activation link.

<figure><img src="https://4033746893-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MZmRVbbu75Ds8MiWx_F%2Fuploads%2FCp9iRzZg9klIPbxBHrSI%2Fimage.png?alt=media&#x26;token=54a3a9e4-687d-4086-b931-1be6906b3f64" alt=""><figcaption><p>Example of the user manager with the reset button pressed</p></figcaption></figure>

<figure><img src="https://4033746893-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MZmRVbbu75Ds8MiWx_F%2Fuploads%2FfqudIhxpErttYUTMlWaR%2Fimage.png?alt=media&#x26;token=4416b9f5-837c-42e1-bb72-fc4c05882cf1" alt=""><figcaption><p>Example of the activation email</p></figcaption></figure>

If the link has expired, you can send a new invite by clicking the envelope icon in the user manager.
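Because a reset only results in a usable activation link when the employee record carries exactly one valid e-mail address, it pays to check the records before a batch reset. The script below is an added example, not part of Ultimo or this page; the record layout and field names (`employee_id`, `email`) are assumptions, and the sample records are constructed.

```python
import re

# Constructed sample records. The field names are an assumption for this
# example, not Ultimo's own export format.
SAMPLE_EMPLOYEES = [
    {"employee_id": "E001", "email": "a.example@example.com"},
    {"employee_id": "E002", "email": "b.work@example.com; b.private@example.org"},
    {"employee_id": "E003", "email": ""},
    {"employee_id": "E004", "email": "d.example@example"},
    {"employee_id": "E005", "email": " e.example@example.com "},
]

# Deliberately simple address shape: one local part, one '@', a domain with a dot.
EMAIL_RE = re.compile(r"^[^@\s;,]+@[^@\s;,]+\.[^@\s;,]+$")
# Separators people commonly use to cram several addresses into one field.
SEPARATORS = re.compile(r"[;,\s]+")


def check_email_field(value: str) -> str:
    """Classify one e-mail field as 'ok', 'missing', 'multiple' or 'invalid'."""
    candidates = [c for c in SEPARATORS.split(value.strip()) if c]
    if not candidates:
        return "missing"
    if len(candidates) > 1:
        return "multiple"
    return "ok" if EMAIL_RE.match(candidates[0]) else "invalid"


def find_problem_records(employees):
    """Return (employee_id, problem) for every record to fix before resetting it."""
    problems = []
    for rec in employees:
        status = check_email_field(rec.get("email", ""))
        if status != "ok":
            problems.append((rec["employee_id"], status))
    return problems


if __name__ == "__main__":
    for emp_id, problem in find_problem_records(SAMPLE_EMPLOYEES):
        print(f"{emp_id}: {problem}")
```

Records flagged here would otherwise be reset without a deliverable activation link, so fix the e-mail address first and then include them in the batch.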

## Activation link

The user shares the account information with the Ultimo app when using the activation link, as shown in the dialog below. Our app is verified by Microsoft and is a trusted app.

<figure><img src="https://4033746893-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MZmRVbbu75Ds8MiWx_F%2Fuploads%2FqsQOYhnySumuW90s8PEu%2Fimage.png?alt=media&#x26;token=a328348d-0274-4669-be9f-21674c8a80f8" alt=""><figcaption><p>Permission requested by the IFS Ultimo app</p></figcaption></figure>

{% hint style="info" %}
In some organisations, the app needs to be approved by the IT department. Depending on the settings in Entra ID, a user can request permission from IT via a dialog when they use the app, or contact their IT department manually.
{% endhint %}

Once the user links their organisation account with Ultimo, the activation step is finished, and from then on the user can log in using the login button on the login page.

{% hint style="info" %}
Authentication is done at your organisation's identity provider. If multi-factor authentication is enabled there, it is applied to these logins as well.
{% endhint %}

## Provisioning

Our standard SSO method is only applicable when using MS Entra ID. It covers authentication only. Although it is possible to maintain users manually, we advise using [SCIM](https://developer.ultimo.net/connectors/scim) to have user provisioning in place.
