Instructions for setting up Single Sign-On using Microsoft Entra ID (formerly Azure Active Directory)
This article applies to our FMI Works product when delivered as a cloud solution.
Why use Microsoft Entra ID as an SSO provider
FMI Identity can allow login via your organisation's existing Microsoft Entra ID for added security and ease of use. This lets your IT department manage authentication and reduces the load on your staff, who only need to manage their passwords for a single system.
Once configured by our support staff, any users who try to sign in from your owned domains will be redirected to Microsoft’s login page to complete the process. Our system uses very little information from your Microsoft Entra ID configuration and will only use enough data to authenticate your users.
For more information about FMI and SSO generally, see our Single Sign-on article.
How do we connect?
We use a registered application in Microsoft Azure and OpenID Connect to ensure that your login is as smooth and secure as possible. The registered application will use Microsoft Graph to communicate with your Microsoft Entra ID tenant and authenticate your login. FMI Identity never has access to your Microsoft Entra ID credentials, and only receives enough information to validate your login.
Access rights and consent
If your organisation is configured so that users can themselves consent to an application accessing data, then no further action is required. Upon sign-in, your users will be asked for consent to access their data, which is then used to complete the login process.
In the more likely event that your organisation does not allow all users to access the organisation's data, someone in your organisation with elevated privileges (specifically a Global Administrator, an Application Administrator, or a Cloud Application Administrator) will need to log in first and consent on behalf of the organisation.
Sign into FMI Identity with elevated privileges and consent to SSO
- Sign into FMI Identity using a Microsoft Entra ID account with elevated privileges.
- Enter the account email and, when prompted, check “Consent on behalf of your organisation” and click the “Accept” button.
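Once consent has been given, an administrator can review what was actually granted. The following is an added example, not FMI's own code: it audits a JSON export of delegated permission grants (the Microsoft Graph `oauth2PermissionGrants` resource) and reports tenant-wide grants and any scope outside an expected set. The expected scope set and all IDs are assumptions and placeholders; confirm the scopes FMI Identity requests with FMI support.

```python
import json

# Assumption: scopes a sign-in-only OpenID Connect app would need. The page
# does not list FMI Identity's scopes; confirm the real set with FMI support.
EXPECTED_SCOPES = {"openid", "profile", "email", "User.Read"}

# Constructed sample shaped like Microsoft Graph oauth2PermissionGrants output.
# All IDs are placeholders, not real FMI or tenant values.
SAMPLE_GRANTS = json.loads("""
[
  {"id": "grant-1", "clientId": "sp-fmi-placeholder", "consentType": "AllPrincipals",
   "principalId": null, "resourceId": "sp-graph-placeholder",
   "scope": "openid profile email User.Read"},
  {"id": "grant-2", "clientId": "sp-fmi-placeholder", "consentType": "Principal",
   "principalId": "user-placeholder", "resourceId": "sp-graph-placeholder",
   "scope": " openid User.Read Directory.Read.All"},
  {"id": "grant-3", "clientId": "sp-other-app", "consentType": "AllPrincipals",
   "principalId": null, "resourceId": "sp-graph-placeholder",
   "scope": "Mail.Read"}
]
""")


def audit_grants(grants, client_id, expected=EXPECTED_SCOPES):
    """Return one finding per delegated grant held by client_id."""
    # Compare case-insensitively so 'user.read' and 'User.Read' match.
    allowed = {s.lower() for s in expected}
    findings = []
    for g in grants:
        if g.get("clientId") != client_id:
            continue  # grant belongs to a different application
        # The scope property is one space-separated string, sometimes padded.
        scopes = set((g.get("scope") or "").split())
        extra = sorted(s for s in scopes if s.lower() not in allowed)
        findings.append({
            "grant": g["id"],
            # AllPrincipals = consent given on behalf of the organisation
            "tenant_wide": g.get("consentType") == "AllPrincipals",
            "principal": g.get("principalId"),
            "unexpected_scopes": extra,
        })
    return findings


if __name__ == "__main__":
    for finding in audit_grants(SAMPLE_GRANTS, "sp-fmi-placeholder"):
        print(finding)
```
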
Turning on Multi-factor Authentication
If your organisation would like to turn on MFA for FMI Works, this can be done through Azure. Note that Azure will only allow conditional access policies to function with FMI Works where MFA is turned on for all cloud applications.