Configuring Enterprise SSO with Entra ID

Step-by-step guide to integrate Microsoft Entra ID (formerly Azure AD) with TeamPassword Enterprise for Single Sign-On (SSO) authentication.

Written by TeamPassword
Updated today

This guide walks you through the complete setup process for integrating Microsoft Entra ID (formerly Azure AD) with TeamPassword Enterprise for Single Sign-On (SSO) authentication.

Summary of the steps:

  1. Subscribe to an Enterprise plan

  2. Configure Entra ID

  3. Configure Authentication platform

  4. Enable Enterprise SSO

  5. Sign in with Enterprise SSO

Overview

This configuration enables customers to authenticate with TeamPassword using their Microsoft Entra ID credentials. Once set up, users can sign in through the Enterprise SSO button without needing to enter their separate TeamPassword email and password.


Note: SAML ≠ SSO.

TeamPassword’s Enterprise SSO integration uses the OpenID Connect (OIDC) protocol, a modern, industry-standard authentication framework. SAML is a different protocol and is not required. To configure Enterprise SSO, customers simply need to create an OIDC application in Microsoft Entra ID and use those credentials to complete the setup.


Part 1: Subscribe to an Enterprise plan

Enterprise SSO is available to customers subscribed to one of our Enterprise plans.

If you are currently on an active Standard plan, you can upgrade to Enterprise from your team’s Billing page.

If you are on a legacy bulk plan and do not see the option to upgrade to Enterprise, please contact TeamPassword Support for assistance.

Part 2: Entra ID Configuration

Prerequisites

To configure Enterprise SSO with TeamPassword using Microsoft Entra ID as your identity provider, customers must have:

  1. An active Microsoft Entra ID tenant
    Your team must have an existing Entra ID account (tenant) via the Azure Portal. This is required to manage users and register applications.

  2. Administrative access to the Entra ID tenant
    The person performing the setup must have sufficient permissions (e.g., Global Administrator, Application Administrator, or Cloud Application Administrator) to register and configure applications.

  3. Ability to create an OIDC (OpenID Connect) application
    TeamPassword’s SSO integration uses the OpenID Connect (OIDC) protocol. During setup, you will need to:

    • Create an App Registration

    • Configure redirect (callback) URLs

    • Generate a Client ID

    • Generate a Client Secret

    • Provide your Tenant ID

  4. Users provisioned in Entra ID
    Users who need access to TeamPassword must already exist in your Entra ID tenant.

Step 1: Provision Users

  1. Sign in to the Microsoft Azure Portal

  2. Navigate to Microsoft Entra ID

  3. Verify that your tenant and users are properly configured.


    Users must have a one-to-one mapping with their TeamPassword accounts. The email address in Microsoft Entra ID must match the email address associated with their TeamPassword account.


    For internal users created directly in the tenant, the email/UPN used for login must exactly match the user’s TeamPassword account email. For example, if a user’s Entra ID login is [email protected] but their TeamPassword account email is [email protected], authentication will fail because the email addresses do not match.


    Similarly, for external users invited into the Entra ID tenant, the external email address associated with their Entra ID account must match the email address of their TeamPassword account.


    ⚠️ Important: The Entra ID login email field must be populated for each user. This value is blank by default. If it is missing, the user will not be able to authenticate via SSO.
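Added example (not part of the original TeamPassword guide): a pre-flight check of the one-to-one email mapping described above, run over an exported user list before SSO is enabled. It assumes the Entra ID export uses the Microsoft Graph property names userPrincipalName and mail and that the email field the guide refers to is mail; the function name and all sample addresses are constructed.

```python
# Added example: pre-flight check of the Entra ID / TeamPassword email mapping.
# Assumption: Entra users are dicts using the Microsoft Graph property names
# "userPrincipalName" and "mail". All sample data below is constructed.

def check_sso_mapping(entra_users, teampassword_emails):
    """Return problem lists keyed by category; empty lists mean a clean mapping."""
    report = {"blank_mail": [], "case_only": [], "duplicate_mail": [],
              "entra_only": [], "teampassword_only": []}
    tp_exact = set(teampassword_emails)
    tp_folded = {e.casefold() for e in teampassword_emails}
    seen = set()
    for user in entra_users:
        mail = (user.get("mail") or "").strip()
        if not mail:
            # Blank email field: this user cannot authenticate via SSO.
            report["blank_mail"].append(user.get("userPrincipalName", ""))
            continue
        if mail.casefold() in seen:
            report["duplicate_mail"].append(mail)  # breaks the one-to-one mapping
        seen.add(mail.casefold())
        if mail in tp_exact:
            continue  # exact match, nothing to fix
        if mail.casefold() in tp_folded:
            report["case_only"].append(mail)   # differs only in letter case
        else:
            report["entra_only"].append(mail)  # no TeamPassword account with this email
    # TeamPassword accounts with no Entra user behind them cannot sign in via SSO.
    report["teampassword_only"] = sorted(
        e for e in teampassword_emails if e.casefold() not in seen)
    return report

# Constructed sample data.
ENTRA_USERS = [
    {"userPrincipalName": "alice@example.com", "mail": "alice@example.com"},
    {"userPrincipalName": "bob@example.com", "mail": None},
    {"userPrincipalName": "carol@example.com", "mail": "Carol@example.com"},
    {"userPrincipalName": "dave_partner.example#EXT#@example.onmicrosoft.com",
     "mail": "dave@partner.example"},
    {"userPrincipalName": "erin@example.com", "mail": "erin@example.com"},
]
TEAMPASSWORD_EMAILS = ["alice@example.com", "carol@example.com",
                       "dave@partner.example", "frank@example.com"]

if __name__ == "__main__":
    for category, items in check_sso_mapping(ENTRA_USERS, TEAMPASSWORD_EMAILS).items():
        print(f"{category}: {items}")
```

Entries under entra_only are informational, since not every directory user needs a TeamPassword account; every other category should be empty before members migrate.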

Step 2: Register the Application

  1. In Microsoft Entra ID, go to App registrations

  2. Click New registration

  3. Configure the application with the following settings:

    • Name: TeamPassword

    • Supported account types: Single tenant

    • Redirect URI:

      • Type: Web

      • URI: https://teampassword.fusionauth.io/oauth2/callback

  4. Click Register

Step 3: Collect Application Credentials

After registration, you'll need to collect three pieces of information to share with TeamPassword Support:

  1. On the application overview page, note the following:

    • Application (client) ID

    • Directory (tenant) ID

  2. Save these values securely — you'll need to share them with TeamPassword Support.

Step 4: Create Client Secret

  1. Navigate to Manage > Certificates & secrets in the left menu

  2. Click New client secret

  3. Configure the secret:

    • Description: TeamPassword SSO Secret

    • Expires: 12 months

    • Click Add

    • Immediately copy the "Value" (not the Secret ID)

    • ⚠️ Important: This secret value will only be displayed once. Copy it now and store it securely.

Step 5: Save Credentials

To make things easier in the next step, save the above credentials in a record.

  1. In your TeamPassword account, create a record named:

    Enterprise SSO Setup Credentials <your-team-name>

    ⚠️ Important: Be sure to include your team/organization name in the record title.

  2. Copy and paste the following into the notes section, replacing the values with your actual values:

    These are our Enterprise SSO setup credentials to be shared with the TeamPassword support team. Please do not delete this record until Enterprise SSO migration is complete.

    Application (client) ID: <your Client ID>
    Directory (tenant) ID: <your Tenant ID>
    Client secret value: <your Client Secret>

  3. Click Save
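Added example (not part of the original TeamPassword guide): a local sanity check of the notes text from Step 5 before it is shared, covering the Step 4 warning about copying the secret's Value rather than its Secret ID. It assumes the client ID, tenant ID and Secret ID are GUIDs while the secret Value is not, so the Secret ID check is a heuristic; function names and sample values are constructed.

```python
import re

# Added example; all sample values below are constructed, not real credentials.
GUID = re.compile(r"^[0-9a-fA-F]{8}-(?:[0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}$")
FIELDS = {  # labels exactly as they appear in the Step 5 notes template
    "Application (client) ID": "client_id",
    "Directory (tenant) ID": "tenant_id",
    "Client secret value": "client_secret",
}

def parse_record(notes):
    """Extract the three labelled values from the notes text."""
    values = {}
    for line in notes.splitlines():
        label, sep, value = line.strip().partition(":")
        if sep and label.strip() in FIELDS:
            values[FIELDS[label.strip()]] = value.strip()
    return values

def validate_record(notes):
    """Return a list of problems; never echoes the secret itself."""
    values = parse_record(notes)
    problems = []
    for label, key in FIELDS.items():
        value = values.get(key, "")
        if not value:
            problems.append(f"{label}: missing")
        elif value.startswith("<") and value.endswith(">"):
            problems.append(f"{label}: placeholder not replaced")
        elif key != "client_secret" and not GUID.match(value):
            problems.append(f"{label}: not a GUID")
        elif key == "client_secret" and GUID.match(value):
            # Heuristic: a GUID here suggests the Secret ID column was copied.
            problems.append(f"{label}: looks like the Secret ID, not the Value")
    return problems

GOOD_NOTES = """These are our Enterprise SSO setup credentials.
Application (client) ID: 11111111-2222-3333-4444-555555555555
Directory (tenant) ID: aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee
Client secret value: constructed-sample-secret-value-not-real
"""
BAD_NOTES = """Application (client) ID: 11111111-2222-3333-4444-555555555555
Directory (tenant) ID: <your Tenant ID>
Client secret value: 99999999-8888-7777-6666-555555555555
"""

if __name__ == "__main__":
    print(validate_record(GOOD_NOTES))
    print(validate_record(BAD_NOTES))
```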

Part 3: Authentication Platform Configuration

Using the Entra ID credentials collected in the previous step, our team will now need to complete the remaining configuration in our authentication platform.

Step 1: Share credentials with TeamPassword Support

  1. Please contact TeamPassword Support at [email protected] to inform us that you have completed your Entra ID setup and have the credentials ready to share.

  2. Once we have confirmed your email, create a one-time share of the credentials record you just created and send the link to [email protected]. Since the link is only valid for 24 hours, we need to be informed so that we can look out for it.

    Note: The Allow one-time secret links feature must be enabled in the security settings before shared records can be shared this way. Private records can always be shared.

Step 2: Await confirmation from TeamPassword Support

Once we receive your credentials, we will finish Enterprise SSO configuration in our authentication platform and contact you once complete.

Part 4: Enable Enterprise SSO

Once configuration is complete, finalize the setup by enabling Enterprise SSO from within TeamPassword.

Step 1: Owner migration

The team owner must first enable Enterprise SSO for their own account from their Account Settings.


Step 2: Member migration

Once the owner has enabled Enterprise SSO, the rest of the team members will be able to enable it for their own accounts by following the same steps. Because users can belong to multiple teams but can only be associated with one Enterprise SSO–enabled team at a time, Enterprise SSO must be enabled individually by each user.


Part 5: Sign in with Enterprise SSO

With all steps complete, you can now sign in using Enterprise SSO from your new workspace URL. We recommend bookmarking this URL for easy access in the future.


Alternatively, you can sign in from the standard sign-in page by clicking the Enterprise SSO button. You will be prompted to enter your workspace subdomain before being redirected to sign in.
