Overview
This integration creates an App Registration in Entra, issues a client secret, grants the required Microsoft Graph delegated permissions, configures redirect URIs and branding, and then enables SSO in Fullpath. After the initial app integration (steps 1–8), finalize Enterprise App properties and assign users in Entra (steps 9–10).
Scope
This article describes the complete step‑by‑step process to configure Fullpath SSO using Microsoft Entra (Azure AD). It assumes you already have:
- A Fullpath account with access to the Fullpath Dashboard SSO settings.
- A Microsoft Entra (Azure AD) account and appropriate admin privileges.
- Both the Fullpath Dashboard and the Entra portal open and accessible while completing steps 1–8.
Technical eligibility
- Active Microsoft Entra (Azure AD) tenant.
- Fullpath tenant with SSO settings available.
Roles and permissions notes
- Administrator privileges in both systems:
  - In Entra: Global Administrator or a role that can create App registrations, create client secrets, grant admin consent, and manage Enterprise Apps.
  - In Fullpath: permissions to modify SSO settings and enable/disable SSO.
- All Fullpath users that will sign in via SSO must exist in the Fullpath Dashboard with the same email address used in Entra.
How to enable and disable SSO in Fullpath Dashboard
Enable: In Fullpath SSO settings, paste the Entra values (Client ID, Client Secret value, Tenant ID), set the Redirect URI, then toggle ENABLE SINGLE SIGN ON and click SAVE. Read more about the Fullpath Dashboard settings for SSO here.
Disable: In Fullpath SSO settings, toggle ENABLE SINGLE SIGN ON off and click SAVE. If you disable SSO, users revert to Fullpath native authentication; confirm user access before disabling.
Step-by-step instructions
Prerequisite: Open both the Fullpath SSO Settings page and the Microsoft Entra portal.
1. Create the App registration
1.1. In Entra portal: App registrations > + New registration.
1.2. Enter a Name (suggestion: Fullpath <Enterprise Group> App).
1.3. Under Supported account types select: Accounts in this organizational directory only.
1.4. Click REGISTER.
2. Create a client secret
2.1. In the new App registration: Certificates & secrets.
2.2. Click + New client secret.
2.3. Enter a Description (e.g., "For Fullpath Integration") and select Expiry (choose according to your security policy).
2.4. Click ADD and copy the Secret VALUE immediately. This value is shown only once.
Note: Store the Secret VALUE securely; you will paste it into the Fullpath Dashboard SSO settings.
3. Add API permissions (Microsoft Graph - Delegated permissions)
3.1. App registrations > [Your app] > API permissions > + Add a permission.
3.2. Select Microsoft Graph > Delegated permissions.
3.3. Select the following permissions:
- email
- offline_access
- openid
- profile
3.4. After adding the permissions, click Grant admin consent for <YourTenant> (Global Admin required). Confirm consent in the dialog.
Important: Confirm the exact permission list with your security team if additional permissions are required. The above list is typically sufficient for SSO + user info.
4. Collect App registration details for Fullpath
4.1. App registrations > All applications > click your Fullpath app.
4.2. From the Overview page copy:
- Application (client) ID → SSO Client ID in Fullpath
- Directory (tenant) ID → SSO Tenant ID in Fullpath
4.3. Use the Secret VALUE created in step 2 → SSO Client Secret in Fullpath.
4.4. Note: SSO Authorization Server ID is not required for Entra.
5. Configure Redirect URI in Entra
5.1. In App registration: Authentication.
5.2. Under Redirect URIs click + Add a platform and choose Web.
5.3. In Fullpath Dashboard SSO settings copy the Redirect URL that Fullpath auto‑generates and paste it into the Redirect URI field in Entra.
5.4. Click Configure or Save.
6. Branding & properties (optional but recommended)
6.1. App registration > Branding & properties.
6.2. Paste Fullpath Homepage URL (from Fullpath SSO settings).
6.3. Optionally upload a logo and add links to Fullpath privacy/terms.
6.4. Click Save.
7. Enable SSO in Fullpath
7.1. Return to Fullpath SSO Dashboard.
7.2. Populate the SSO fields with values collected:
- SSO Client ID (Application ID)
- SSO Client Secret (Secret VALUE)
- SSO Tenant ID (Directory/Tenant ID)
- Redirect URL (should already be present)
7.3. Toggle ENABLE SINGLE SIGN ON and click SAVE.
8. Finalize Enterprise App properties in Entra
8.1. Entra portal > Enterprise applications > All applications > click the newly created app.
8.2. Manage > Properties.
8.3. Toggle Assignment required = Yes.
8.4. Toggle Visible to users = Yes.
8.5. Click Save.
9. Assign users
9.1. Important: Add users first inside Fullpath Dashboard with the same email addresses that will be used in Entra.
9.2. In Entra Enterprise applications, add/assign the same users or groups to the Enterprise App. (See Microsoft documentation on assigning users for full details.)
9.3. Only users assigned in both systems with matching email addresses will be able to sign in via SSO.
Troubleshooting tips
Secret VALUE lost: If you did not copy the Secret VALUE when created, create a new client secret and update Fullpath with the new VALUE.
Invalid redirect URI: Redirect URI in Entra must exactly match the Redirect URL provided by Fullpath (including trailing slash if present). If you get an invalid_grant or redirect_mismatch error, re‑check the URI.
Permissions not granted: If users cannot obtain profile/email information, verify Microsoft Graph permissions were added and admin consent was granted. Re‑grant admin consent if needed.
Access denied on sign-in: Ensure the user exists in Fullpath with the same email used in Entra and that the user is assigned to the Enterprise App (if Assignment required = Yes).
Token/consent errors: If you changed permission scopes after initial consent, re‑run Grant admin consent.
Expired client secret: If the secret expires, generate a new client secret and update Fullpath immediately.
Scope discrepancy: If Fullpath requires additional scopes not listed here, confirm the exact scopes with the Fullpath product/security team before granting.
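Most of the failures above can be caught before users hit them by checking the exported configuration offline. The following is an added example, not Fullpath or Microsoft code: `audit_sso_config` is a hypothetical helper that assumes the app registration and Enterprise App are available as Microsoft Graph JSON objects (fields `signInAudience`, `web.redirectUris`, `passwordCredentials`, `appRoleAssignmentRequired`), and all sample values are constructed.

```python
from datetime import datetime, timedelta, timezone

def audit_sso_config(app, sp, redirect_url, fullpath_emails, entra_emails,
                     now=None, warn_days=30):
    """Hypothetical helper: return a list of findings (empty = all checks pass)."""
    now = now or datetime.now(timezone.utc)
    findings = []
    # Step 1.3: "Accounts in this organizational directory only".
    if app.get("signInAudience") != "AzureADMyOrg":
        findings.append("audience: not single-tenant")
    # Step 5: the registered URI must match Fullpath's Redirect URL exactly.
    uris = app.get("web", {}).get("redirectUris", [])
    if redirect_url not in uris:
        near = any(u.rstrip("/") == redirect_url.rstrip("/") for u in uris)
        findings.append("redirect_uri: trailing-slash mismatch" if near
                        else "redirect_uri: not registered")
    # Step 2: at least one secret must still be valid; warn before it lapses.
    ends = [datetime.fromisoformat(c["endDateTime"].replace("Z", "+00:00"))
            for c in app.get("passwordCredentials", [])]
    latest = max(ends, default=None)
    if latest is None or latest <= now:
        findings.append("client_secret: none valid")
    elif latest - now < timedelta(days=warn_days):
        findings.append("client_secret: expires within %d days" % warn_days)
    # Step 8.3: if off, any tenant user can sign in to the app on the Entra side.
    if sp.get("appRoleAssignmentRequired") is not True:
        findings.append("assignment_required: off")
    # Step 9: both systems must list the same address (compared exactly here).
    for e in sorted(set(entra_emails) - set(fullpath_emails)):
        findings.append("user: %s assigned in Entra, missing in Fullpath" % e)
    for e in sorted(set(fullpath_emails) - set(entra_emails)):
        findings.append("user: %s in Fullpath, not assigned in Entra" % e)
    return findings

# Constructed sample data (not real tenant values or a real Fullpath URL).
SAMPLE_APP = {
    "signInAudience": "AzureADMyOrg",
    "web": {"redirectUris": ["https://sso.example.test/callback"]},
    "passwordCredentials": [{"displayName": "For Fullpath Integration",
                             "endDateTime": "2025-07-01T00:00:00Z"}],
}
SAMPLE_SP = {"appRoleAssignmentRequired": False}
SAMPLE_NOW = datetime(2025, 6, 15, tzinfo=timezone.utc)

if __name__ == "__main__":
    emails = (["ann@example.test"], ["ann@example.test", "bob@example.test"])
    print("\n".join(audit_sso_config(SAMPLE_APP, SAMPLE_SP,
          "https://sso.example.test/callback/", *emails, now=SAMPLE_NOW)))
```

The timestamp parsing assumes `endDateTime` values without fractional seconds, as in the sample.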
Other important points and notes
- Both dashboards (Fullpath and Entra) must be open and accessible while completing steps 1–8.
- Save the client secret VALUE at creation — it is only visible once.
- The App registration’s Supported account type must be set to “Accounts in this organizational directory only” per the process.
- After integration, further configurations (conditional access, sign‑in logs, additional conditional policies) can be managed in Entra’s Enterprise applications area.
- All Fullpath users must be created in Fullpath prior to assigning them in Entra; email addresses must exactly match.
- If any step’s UI label differs in your Entra portal, confirm your portal version or tenant settings; contact your Entra administrator if necessary.