
Setting up SSO with Microsoft Entra

Microsoft Entra ID, formerly known as Azure Active Directory (Azure AD), is one of the most widely used Identity Providers (IdPs). This guide walks through integrating it with 21RISK for SSO. The objective is an OpenID Connect sign-in built on the OAuth 2.0 Authorization Code Flow with Proof Key for Code Exchange (PKCE). We will create an App registration, configure a callback (redirect) URL and the delegated permissions, and issue a client secret. Let's get started ✅

Setup App registration in Entra

Entra needs an App registration to associate the OAuth flow with, so the first step is to create one. Navigate to portal.azure.com and use the top search field to search for "App registrations".

You will now reach a page titled "App registrations". Just under the title, in bold, is a "New registration" button; click it.

You will now see a page called "Register an application". For the user-facing display name, type 21RISK. For "Supported account types" the usual choice is "Accounts in this organizational directory only", which limits sign-in to users of your own tenant. Choose "Accounts in any organizational directory" only if users from other Entra tenants genuinely need to sign in, because that option makes the registration multi-tenant. Skip the Redirect URI for now and click the Register button.

After a couple of seconds, you should now see the App registration home screen.

Sync 21RISK with Entra

In a new browser tab/window, log in to 21RISK.com and navigate to the /settings/advanced page. Click on the button "Create SSO IdP connection".

This should take you to the details page of your new SSO Connection.

Copy the Callback URL from the "Service Provider Configuration" section.

Now jump back into Entra, and click on "Manage" > "Authentication" in the sidebar.

You should now see the title "Platform configurations". Click "Add a platform", which opens a slideover from the right, and choose "Web".

The slideover title changes to "Configure Web". In the Redirect URIs input, paste the Callback URL from 21RISK exactly as copied: Entra requires an exact match, down to the trailing slash, and a mismatch makes every sign-in fail with a redirect URI error. Leave "Front-channel logout" empty and leave both "Implicit grant and hybrid flows" checkboxes unchecked; the authorization code flow does not need tokens returned in the URL fragment. Click "Configure".

Now it's time to configure the required permissions. In the left sidenav, click on "Manage" > "API permissions". On this page, you should see the title "Configured permissions". Click on "Add a permission":

This opens a slideover from the right titled "Request API permissions". Click "Microsoft Graph".

Choose "Delegated permissions".

Tick email, openid and profile, then click "Add permissions".

With the permissions added, click "Grant admin consent" so users are not prompted to consent individually. These three scopes only release the signed-in user's identity claims (subject, name, email) in the ID token; no further Microsoft Graph data is exposed to 21RISK.

Now create a secret for the 21RISK application. Click "Manage" > "Certificates & secrets", then "New client secret".

Enter a description for the secret and choose an expiration according to your organization's policy. Finish with "Add".

Copy the secret Value immediately: Entra displays it only once, right after creation, and it cannot be retrieved later. Also note the expiry date, because once the secret expires SSO to 21RISK stops working until a new secret is created and pasted into 21RISK.

Without closing Entra, go to 21RISK and paste the secret into the client secret field of the SSO connection.

In Entra, navigate to the Overview page and copy the Application (client) ID.

Paste it into the client ID field in 21RISK.

Back in Entra, still on the Overview page, click "Endpoints" and copy the "OpenID Connect metadata document" URL. For a single-tenant registration it has the form https://login.microsoftonline.com/<tenant ID>/v2.0/.well-known/openid-configuration; check that the tenant ID in it is your own.

Paste it into the "Issuer" field in 21RISK. Finally click "Create".

You are now done with the Entra configuration.
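Before marking the connection as primary it is worth sanity-checking the three values that were copied across, since a wrong tenant, a mismatched Application (client) ID or a redirect URI that differs by a trailing slash all fail only at sign-in time. The script below is an added example, not code from 21RISK or Microsoft. It assumes the single-tenant choice made above and the commercial-cloud host login.microsoftonline.com; SAMPLE_TENANT, SAMPLE_CLIENT_ID, SAMPLE_CALLBACK and SAMPLE_METADATA are constructed placeholders shaped like the real values, not a real tenant or registration. It validates the pasted metadata URL, checks the document it points to, generates the PKCE pair and authorization request the code flow uses, and lists the claim checks a relying party must make on the returned ID token.

```python
"""Sanity-check the values copied between Entra and 21RISK (added example)."""
import base64
import hashlib
import secrets
from urllib.parse import urlencode, urlsplit

ENTRA_HOST = "login.microsoftonline.com"   # assumption: commercial cloud, not a national cloud

# Constructed placeholders, shaped like real Entra values; replace with your own.
SAMPLE_TENANT = "11111111-2222-3333-4444-555555555555"
SAMPLE_CLIENT_ID = "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"
SAMPLE_CALLBACK = "https://app.21risk.com/auth/callback"   # assumed shape; copy yours from 21RISK
SAMPLE_METADATA_URL = f"https://{ENTRA_HOST}/{SAMPLE_TENANT}/v2.0/.well-known/openid-configuration"
# The fields of the fetched metadata document that are checked below (constructed sample).
SAMPLE_METADATA = {
    "issuer": f"https://{ENTRA_HOST}/{SAMPLE_TENANT}/v2.0",
    "authorization_endpoint": f"https://{ENTRA_HOST}/{SAMPLE_TENANT}/oauth2/v2.0/authorize",
    "token_endpoint": f"https://{ENTRA_HOST}/{SAMPLE_TENANT}/oauth2/v2.0/token",
    "jwks_uri": f"https://{ENTRA_HOST}/{SAMPLE_TENANT}/discovery/v2.0/keys",
    "code_challenge_methods_supported": ["plain", "S256"],
}


def tenant_from_metadata_url(url):
    """Return the tenant segment of a v2.0 metadata URL; raise if the URL is not one."""
    p = urlsplit(url)
    if p.scheme != "https" or p.netloc != ENTRA_HOST:
        raise ValueError(f"expected https://{ENTRA_HOST}/..., got {url}")
    segs = p.path.strip("/").split("/")
    if len(segs) != 4 or segs[1:] != ["v2.0", ".well-known", "openid-configuration"]:
        raise ValueError("path is not <tenant>/v2.0/.well-known/openid-configuration")
    return segs[0]


def check_metadata(metadata, tenant):
    """Problems with the fetched metadata relative to the tenant in the pasted URL."""
    problems = []
    if metadata.get("issuer") != f"https://{ENTRA_HOST}/{tenant}/v2.0":
        problems.append("issuer does not match the tenant in the metadata URL")
    for key in ("authorization_endpoint", "token_endpoint", "jwks_uri"):
        if not metadata.get(key, "").startswith(f"https://{ENTRA_HOST}/{tenant}/"):
            problems.append(f"{key} is missing or not under this tenant")
    if "S256" not in metadata.get("code_challenge_methods_supported", []):
        problems.append("S256 PKCE is not advertised")
    return problems


def pkce_challenge(verifier):
    """RFC 7636 S256: base64url(SHA-256(ASCII(verifier))) without padding."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def make_pkce():
    """Fresh 43-character base64url code verifier and its S256 challenge."""
    verifier = base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode("ascii")
    return verifier, pkce_challenge(verifier)


def build_authorize_url(metadata, client_id, redirect_uri, state, nonce, challenge):
    """Authorization request for the code flow using the delegated scopes granted above."""
    params = {
        "client_id": client_id,
        "response_type": "code",        # code only: nothing returned in the URL fragment
        "redirect_uri": redirect_uri,   # must equal the registered Web redirect URI exactly
        "response_mode": "query",
        "scope": "openid profile email",
        "state": state,                 # CSRF binding, checked on the callback
        "nonce": nonce,                 # replay binding, echoed in the id_token
        "code_challenge": challenge,
        "code_challenge_method": "S256",
    }
    return metadata["authorization_endpoint"] + "?" + urlencode(params)


def check_id_token_claims(claims, metadata, client_id, tenant, nonce):
    """Checks on the decoded id_token payload (signature verification via jwks_uri aside)."""
    problems = []
    if claims.get("iss") != metadata["issuer"]:
        problems.append("iss is not the issuer from the metadata document")
    if claims.get("aud") != client_id:
        problems.append("aud is not our Application (client) ID")
    if claims.get("tid") != tenant:
        problems.append("tid is not our tenant (token minted for another directory)")
    if claims.get("nonce") != nonce:
        problems.append("nonce does not match the authorization request")
    return problems


if __name__ == "__main__":
    tenant = tenant_from_metadata_url(SAMPLE_METADATA_URL)
    print("metadata problems:", check_metadata(SAMPLE_METADATA, tenant))
    verifier, challenge = make_pkce()
    print(build_authorize_url(SAMPLE_METADATA, SAMPLE_CLIENT_ID, SAMPLE_CALLBACK,
                              secrets.token_urlsafe(16), secrets.token_urlsafe(16), challenge))
```

The tenant checks only hold for a single-tenant registration. With "Accounts in any organizational directory" the metadata document for the common or organizations endpoint carries a templated issuer, and the relying party must instead allow-list the tenant IDs it accepts in the tid claim. The redirect URI check is deliberately an exact string comparison, which is the rule Entra applies when it rejects a mismatched reply URL.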

Finally, mark the connection as primary from its details page in 21RISK.

Entra Assignment required

By default an Entra app registration has "Assignment required" set to No; in other words, every user in the directory can sign in to the new app registration. To change this, first find "Enterprise applications" using the top search field:

You should see a list of applications. Click the 21RISK application.

In the left sidenav, click "Manage" > "Properties". Here you can set "Assignment required" to match your company policy: with Yes, only the users and groups assigned to the application under "Users and groups" can sign in; with No, anyone in the directory can. Please note that 21RISK has its own fine-grained authorization model built in, so we recommend leaving Assignment required set to No.