
Azure AD / Entra ID SSO + SCIM

For tenants on Microsoft Entra ID (the modern name for Azure AD). This is the most common path for Claresia customers running Microsoft Copilot M365.

Total time: 10–15 minutes.

Part 1 — SSO (OIDC recommended for Entra ID)
  1. In Claresia Onboarding Portal, click Configure SSO (Step 4). Choose the Azure AD / Entra ID tab. Pick OIDC (recommended) or SAML 2.0.

  2. In Entra Admin Center, go to Applications → Enterprise Applications → New application → Create your own application.

    • Name: Claresia
    • Choose: Integrate any other application you don’t find in the gallery
  3. After creation, open Single sign-on (left nav). Pick OpenID Connect (or SAML if your tenant policy requires).

  4. OIDC path:

    • Copy the Application (client) ID + Directory (tenant) ID from Overview
    • Under Certificates & secrets → New client secret, generate a secret, copy the value (it shows only once)
    • Under Authentication → Add a platform → Web:
      • Redirect URI: https://api.workos.com/sso/oidc/callback (the portal displays the exact URL)
      • Front-channel logout URL: leave blank
      • ID tokens (used for implicit and hybrid flows): checked
    • Under API permissions, ensure openid, profile, email, offline_access are granted (admin consent)
  5. Back in Claresia Onboarding Portal, paste:

    • Issuer URL: https://login.microsoftonline.com/<tenant-id>/v2.0
    • Client ID
    • Client secret
    • Click Test login. A popup opens; authenticate as an Entra user and a green check is returned.

Part 2: SCIM provisioning

  1. In Claresia Onboarding Portal, click Configure SCIM (Step 5). Copy the SCIM endpoint URL + bearer token.

  2. In Entra Admin Center, open your Claresia enterprise app → Provisioning → Get started.

  3. Provisioning Mode: Automatic.

  4. Tenant URL: paste the SCIM endpoint URL. Secret Token: paste the bearer token. Click Test Connection — should return success.

  5. Under Mappings:

    • Provision Microsoft Entra ID Users → keep defaults; ensure userPrincipalName → userName, givenName → name.givenName, surname → name.familyName, mail → emails[type eq "work"].value
    • Provision Microsoft Entra ID Groups → enable
  6. Under Settings:

    • Scope: Sync only assigned users and groups
    • Provisioning Status: On
  7. Save.

  8. Under Users and groups, Add user/group → assign your claresia-* groups (or individual users for piloting).

  9. Back in Claresia Onboarding Portal, click Sync now. Should show imported user + group counts within ~60 seconds (initial sync from Entra is slightly slower than Okta).

Entra group         | Claresia role                | Notes
claresia-admins     | tenant_admin                 | Full access
claresia-auditors   | auditor                      | Read + audit log
claresia-users      | member                       | Default
claresia-eng-pilot  | member + archetype eng_lead  | Pilot cohort
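Added example (not Claresia's, WorkOS's or Microsoft's code) showing what the attribute mappings from the SCIM step and the group table above produce for one constructed Entra user record; the role precedence rule, the archetype field shape and the sample record are assumptions.

```python
# Added example, not Claresia's or Microsoft's code: applies this page's Entra -> SCIM
# attribute mappings and group -> role table. Role precedence and archetypes are assumptions.
# Entra attribute -> SCIM attribute, as set under Mappings (from the page).
ATTRIBUTE_MAP = {
    "userPrincipalName": "userName",
    "givenName": "name.givenName",
    "surname": "name.familyName",
    "mail": 'emails[type eq "work"].value',
}
# Entra group -> Claresia role (from the page's table); eng-pilot also carries an archetype.
GROUP_ROLES = {
    "claresia-admins": "tenant_admin",
    "claresia-auditors": "auditor",
    "claresia-users": "member",
    "claresia-eng-pilot": "member",
}
GROUP_ARCHETYPES = {"claresia-eng-pilot": "eng_lead"}
ROLE_RANK = {"member": 0, "auditor": 1, "tenant_admin": 2}  # assumed precedence, not from the page

def _set_path(doc: dict, path: str, value: str) -> None:
    """Write a dotted SCIM path; the emails[...] filter path becomes one work e-mail entry."""
    if path.startswith("emails["):
        doc.setdefault("emails", []).append({"type": "work", "value": value, "primary": True})
        return
    cur, parts = doc, path.split(".")
    for part in parts[:-1]:
        cur = cur.setdefault(part, {})
    cur[parts[-1]] = value

def entra_user_to_scim(user: dict) -> dict:
    """Build the SCIM core User resource that the mappings produce for this record."""
    scim = {"schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"], "active": True}
    for src, dst in ATTRIBUTE_MAP.items():
        if user.get(src):
            _set_path(scim, dst, user[src])
    return scim

def role_for_groups(groups: list) -> tuple:
    """Effective role: highest-ranked mapped group wins; unmapped (unassigned) groups add nothing."""
    mapped = [GROUP_ROLES[g] for g in groups if g in GROUP_ROLES]
    if not mapped:
        return None, []
    role = max(mapped, key=ROLE_RANK.__getitem__)
    return role, sorted({GROUP_ARCHETYPES[g] for g in groups if g in GROUP_ARCHETYPES})

# Constructed sample record, not real directory data.
SAMPLE_USER = {"userPrincipalName": "jdoe@contoso.example", "givenName": "Jane",
               "surname": "Doe", "mail": "jane.doe@contoso.example"}
SAMPLE_GROUPS = ["claresia-users", "claresia-eng-pilot", "Everyone"]
```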

For Mode B/C deployments handling sensitive data:

  • Require MFA on Claresia sign-in
  • Block sign-in from non-corporate IP ranges (or require Compliant Device)
  • Set session lifetime to 8 hours (Claresia’s JWT refresh is 5-min sliding; this caps the absolute session)

Symptom                              | Cause                                               | Fix
AADSTS50011 redirect URI mismatch    | Redirect URI typed wrong                            | Re-copy from portal exactly
AADSTS900561 PUT method not allowed  | OIDC tokens not enabled in Authentication blade     | Re-tick ID tokens
SCIM “Quarantine” state in Entra     | Bearer token expired or wrong                       | Re-generate from portal, paste fresh
Test connection returns 401          | Bearer token typo                                   | Copy from portal again — don’t retype
Test connection returns 403          | SCIM endpoint accessible but bearer lacks write scope | Generate a new bearer from portal (forces a refresh)