What this is
Microsoft Azure SSO allows users to log in to Propensity using their Microsoft Entra ID (formerly Azure Active Directory) credentials.
This setup enables centralized authentication through your organization’s Microsoft environment and removes the need for separate Propensity passwords.
Before you begin
To configure Azure SSO, you must:
- Have administrator access to Microsoft Entra ID
- Have Workspace Admin access in Propensity
- Be able to create:
- An Enterprise Application
- An App Registration
- A Client Secret
Step 1: Enable Azure SSO in Propensity
- Go to Workspace Settings
- Click the pencil icon next to the workspace where you want to enable SSO
- Scroll to the SSO section
- Select Azure SSO
You will see:
- Login Endpoint URL (used by your users)
- Authority/Login URL (to be provided from Microsoft)
- Client ID
- Microsoft Secret
Keep this page open. You will paste values here from Microsoft.
Step 2: Create the Enterprise Application in Microsoft Entra
- Log in to Microsoft Entra Admin Center
- Go to Enterprise Applications
- Click New Application
- Create a new application (for example: “Propensity Auth”)
After creating it:
- Go to Users and Groups
- Assign the users or groups who should have access
Step 3: Configure Single Sign-On
Inside the Enterprise Application:
- Go to Single Sign-On
- Configure it as a basic SAML application
The specific endpoints are primarily for reference. The key configuration needed for Propensity is obtained from the App Registration section.
Step 4: Get Required Credentials from App Registrations
- Go to App Registrations
- Select the application you created
You will need three values:
1. Authority URL
- Click Endpoints
- Copy the Authority URL
- Paste it into the Login URL field in Propensity
Propensity automatically appends required endpoints internally.
2. Client ID
- Copy the Application (Client) ID
- Paste it into the Client ID field in Propensity
3. Client Secret
- Go to Certificates & Secrets
- Click New client secret
- Create a new secret
- Copy the Value (not the Secret ID)
Paste this value into the Microsoft Secret field in Propensity.
Important: The secret value is only visible once when created. Store it securely.
Step 5: Configure Required API Permissions
In Microsoft Entra, your application must include the following delegated permissions:
- openid → Required for core SSO authentication
- profile → Provides access to basic user profile information
- email → Retrieves the user’s email for identification
- User.Read → Allows access to user profile via Microsoft Graph
All required permissions use delegated access and support authentication and basic user identity retrieval.
Step 6: Admin Consent (if required)
For the permissions listed above (step #5):
- Admin consent is not required
This means SSO can function correctly without granting tenant-wide admin consent for these permissions.
Step 7: Save and Activate in Propensity
After entering:
- Authority URL
- Client ID
- Client Secret
Click Save in Propensity.
The SSO login endpoint shown in Workspace Settings will now be active. You can share this login URL with your users.
How Users Log In
Users will:
- Visit the SSO login URL shown in Workspace Settings
- Authenticate using their Microsoft credentials
- Access Propensity without creating a separate password
Common Issues
Login fails after configuration
- Verify the Client Secret has not expired
- Confirm the Authority URL was copied correctly
- Ensure required API permissions are configured
Users cannot access the application
- Ensure users or groups are assigned inside the Enterprise Application
- Confirm they have access to the correct workspace in Propensity
Secret expired
Client secrets have expiration dates. If expired:
- Create a new secret
- Replace the value in Propensity
- Save again
Important Notes
- Only administrators can configure Azure SSO
- Changes in Microsoft (such as secret expiration) require updating Propensity
- Required permissions are limited to authentication and basic profile access
- Admin consent is not required for the standard SSO configuration