Administration Guide

How to Set Up Microsoft SSO

This guide shows you how to enable Sign in with Microsoft for users of your AlloyScan site. The flow uses a Microsoft Entra ID (Azure AD) App registration in your tenant. After setup, the AlloyScan sign-in page displays a Sign in with Microsoft button and users authenticate against your tenant.

Prerequisites

  • You have the Administrator role on the AlloyScan site.
  • You have an account in Microsoft Entra ID with permission to register applications in your tenant.
  • The SSO providers menu entry is visible at Admin Center > Site Settings > IAM > SSO providers. If the entry is missing, contact your vendor support to confirm that SSO providers are enabled for the deployment.
  • Users who will sign in with Microsoft already have Active user records on the site (their Email in IAM > Users matches the Microsoft account email).

Steps

1. Note the AlloyScan redirect URI

Important: A redirect URI mismatch is the most common cause of SSO failure. Capture the URI exactly as AlloyScan presents it before you register anything on the Microsoft side.

  1. Navigate to Admin Center > Site Settings > IAM > SSO providers.
  2. Open the Microsoft row to reveal the configuration form.
  3. Copy the Redirect URI value shown on the form. You will paste it into the Microsoft App registration in the next step.

2. Register the application in Microsoft Entra ID

  1. Sign in to the Microsoft Entra admin center for your tenant.
  2. Go to App registrations and click New registration.
  3. Provide a name (for example, AlloyScan SSO — <site slug>).
  4. Set Supported account types to match the user population that should be allowed to sign in (single tenant or multi-tenant, depending on your policy).
  5. Under Redirect URI, choose Web as the platform and paste the Redirect URI you copied from AlloyScan in step 1.
  6. Click Register.
  7. On the application overview page, copy the Application (client) ID and the Directory (tenant) ID.
  8. Open Certificates & secrets, click New client secret, set an expiry, and copy the secret Value immediately. You cannot retrieve it later.

3. Configure the provider in AlloyScan

  1. Return to Admin Center > Site Settings > IAM > SSO providers in AlloyScan.
  2. On the Microsoft row, paste the values from Microsoft Entra:
    • Application (client) ID
    • Tenant ID (directory ID)
    • Client secret
  3. Confirm that the Redirect URI on this form matches what you registered on the Microsoft side.
  4. Toggle Microsoft to ON.
  5. Click Save.

Verify

  1. Open a private or incognito browser window and navigate to your AlloyScan site sign-in page.
  2. Confirm that a Sign in with Microsoft button is now displayed below the email and password fields.
  3. Click the button and complete the Microsoft sign-in. If your tenant enforces MFA, MFA happens here.
  4. After the redirect back to AlloyScan, you should land on the site Dashboard.
  5. Open Admin Center > Site Settings > Logs > Security log. The successful sign-in is recorded as a login event.

Note: If the user's email does not match an Active record in IAM > Users, the sign-in fails after the Microsoft step. Add or activate the user in IAM > Users and retry.

Common pitfalls

  • Redirect URI mismatch. The most common failure mode. The URI registered in Microsoft Entra must match the URI shown on the AlloyScan provider form character-for-character.
  • Expired client secret. Microsoft client secrets have a finite lifetime. When they expire, sign-in starts failing — generate a new secret and paste it back into AlloyScan.
  • Tenant restriction. If you registered the app as single tenant, only users in that tenant can sign in.