In this article, you’ll find a step-by-step guide on how to set up Microsoft Entra ID Single Sign-On (SSO) towards Admincontrol for your tenant/company.
Microsoft Entra ID, formerly known as Azure Active Directory (Azure AD), is a cloud-based identity and access management service that allows seamless integration of applications through SSO, enhancing security and user experience.
The setup takes place in the Entra ID portal and on the Admincontrol AD Integration setup page.
An Enterprise application is created, and the required properties are collected or created there and in the associated App registration.
Here you will insert the credentials, get the redirect URI and, at the end, activate the SSO.
Please follow this step by step guide to activate Entra ID SSO:
Log into your Entra ID admin account, as "Cloud Application Administrator" or higher.
Search for Enterprise applications in the top bar and select it under services
On the Enterprise applications page, click "New application"
On the following page, click "Create your own application"
Enter Admincontrol, select the last option "Integrate any other application you don't find in the gallery (Non-gallery)" and click "Create"
Go to "App Registrations" by searching for it in the top bar as shown in the screenshot below.
It's the first of the 3 tabs on the App registrations page
Locate the App registration named "Admincontrol" and click it.
Copy the value into a temporary document, reference it as "OIDC client ID"
On the same page, click the link shown below
Locate the button and click it
Write "Admincontrol" in description and select 730 days as expires length.
IMPORTANT: Please set a timely alert to ensure the renewal and update of this secret, as it will expire in two years. You can configure the alert using a method that suits your needs. Currently, Microsoft does not support a built-in alert method in the Entra ID portal. Instructions for updating the secret are provided in a separate section on this page.
Copy by clicking the copy-button after Value and paste it into a temporary document, reference it as "OIDC Client Secret"
NOTE: After you navigate away from this page the secret will not be visible ever again. If you need it for anything else at some point later, please store it in a secure tool/location. Alternatively a new secret can be created and used.
Locate the "Overview" as shown below and click it.
In your temporary document, you will now be storing a third value, reference it as OIDC Issuer Url.
Copy the value of "Directory (tenant) ID" into https://login.microsoftonline.com/[tenant-id]/v2.0 to compose the URL.
The output will look like this:
https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/v2.0
Store it in your temporary document, reference it as "OIDC Issuer Url".
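To confirm that the composed Issuer Url really points at your tenant before pasting it into Admincontrol, here is an added check (not Admincontrol's or Microsoft's own code) that builds the URL from the tenant ID and compares it with the issuer published in the tenant's OpenID Connect discovery document. The tenant ID below is a placeholder; replace it with your "Directory (tenant) ID".

```powershell
# Added example (not Admincontrol's or Microsoft's own code): build the OIDC Issuer Url
# from a tenant ID and verify it against the tenant's OpenID Connect discovery document.
# Assumed value: the placeholder tenant ID below; replace it with your Directory (tenant) ID.
param(
    [string]$TenantId = '00000000-0000-0000-0000-000000000000'
)

# The tenant ID must be a GUID; a typo here is the usual reason an issuer does not resolve.
$parsed = [guid]::Empty
if (-not [guid]::TryParse($TenantId, [ref]$parsed)) {
    throw "'$TenantId' is not a valid Directory (tenant) ID."
}
$issuer = "https://login.microsoftonline.com/$TenantId/v2.0"

# The discovery document needs no authentication; Entra returns an error for unknown tenants.
$discovery = Invoke-RestMethod -Uri "$issuer/.well-known/openid-configuration" -Method Get

# The issuer that ID tokens are validated against must match exactly
# (same scheme, host and path, no trailing slash).
if ($discovery.issuer -ne $issuer) {
    throw "Issuer mismatch: discovery document reports '$($discovery.issuer)', expected '$issuer'."
}
Write-Host "OIDC Issuer Url verified: $issuer"
Write-Host "Authorization endpoint: $($discovery.authorization_endpoint)"
Write-Host "Signing keys (JWKS): $($discovery.jwks_uri)"
```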
In the middle of the page, click the "Add a permission" button
In the following modal, click the top API suggestion, "Microsoft Graph"
In the following view, click "Delegated permissions"
A new section of the view appears, here you need to go down to the "OpenId permissions" section and check "openid" and "profile".
Below the checked boxes, you will find the "Add permissions" button, click it.
In the middle of the page, locate this button and click it.
Search for "Enterprise applications" in the top search bar in Entra ID portal, and select it
Search for "Admincontrol" and click on the application found.
Expand the "Manage" area and click on "Users and groups".
Here you need to add all users/groups that should have access to Admincontrol login.
To minimize maintenance, it's recommended to add groups rather than single users, but you are free to do whatever makes sense for your company's usage here.
IMPORTANT: Any user in your tenant that needs access to Admincontrol needs to be here. If a user is not included by user or group the login to Admincontrol will be denied. (This only applies to the registered domain(s), other users that might be in the portal with different username domains will log in like before without Entra ID)
Adding users is a broader area and if you need directions please take a look at the Microsoft documentation: https://learn.microsoft.com/en-us/entra/identity/enterprise-apps/assign-user-or-group-access-portal?pivots=portal
Create a Conditional Access policy and enable Microsoft Entra multifactor authentication for all users of the Admincontrol Enterprise Application. This is a requirement in order to use Entra ID SSO with Admincontrol.
Please follow the documentation from Microsoft: https://learn.microsoft.com/en-us/entra/identity/authentication/howto-mfa-getstarted#plan-conditional-access-policies
Reach out to your Admincontrol contact to enable AD Integration for your domain(s).
Navigate to https://login.admincontrol.net/settings/adintegration
You will log in with the username provided by Admincontrol when the AD Integration was acquired. After login you will see this page:
NOTE: This page has a short session duration. You will be automatically logged out after 15 minutes of inactivity.
The OIDC Client ID is located in your temporary document, collected in step 11, referenced as "OIDC Client ID". Paste it into the first text input field, with the matching name.
The OIDC Client Secret is located in your temporary document, collected in step 16, referenced as "OIDC Client Secret". Paste it into the second text input field, with the matching name.
The OIDC Issuer Url is located in your temporary document, collected in step 18, referenced as "OIDC Issuer Url". Paste it into the third and last text input field, with the matching name.
Values will be saved, but SSO is still not enabled.
Click the copy button you see below and paste it into your temporary document. Reference it as "Redirect URI".
Go to "App Registrations" by searching for it in the top bar as shown in the screenshot below.
It's the first of the 3 tabs on the App registrations page.
Locate the App registration named "Admincontrol" and click it.
In the Admincontrol App registration left menu, expand "Manage" and click Authentication
Click the button as specified in the screenshot below
In the modal, select "Web" as shown below.
The Redirect URI is located in your temporary document, collected in step 38, referenced as "Redirect URI". Paste it into the text input field for Redirect URI.
Navigate to https://login.admincontrol.net/settings/adintegration
You will log in with the username provided by Admincontrol when the AD Integration was acquired. After login you will see this page:
Toggle the Enable SSO ON by pressing the toggle as shown below. This is how it looks after pressed.
You are DONE: all Admincontrol logins for your registered domain(s) now go through your Entra ID tenant.
After the setup is done, your end users will be redirected to your tenant for login; the redirect is based on the domain of the username.
After successful Entra ID login, the user will be logged into their matching Admincontrol user.
This needs to be done before the current OIDC client secret expires. Once you have created a new secret in the Entra ID portal, you can set it to be used. Multiple secrets can coexist, so there is no need to wait for the exact expiration date. Please follow the steps to complete the change to the new OIDC client secret.
Go to "App Registrations" by searching for it in the top bar as shown in the screenshot below.
It's the first of the 3 tabs on the App registrations page.
Locate the App registration named "Admincontrol" and click it.
Click "Certificates & secrets" in the left menu, under the "Manage" section.
In the "Client secrets" tab, click "New client secret"
Write "Admincontrol" in description and select 730 days as expires length.
IMPORTANT: Please set a timely alert to ensure the renewal and update of this secret, as it will expire in two years. You can configure the alert using a method that suits your needs. Currently, Microsoft does not support a built-in alert method in the Entra ID portal. Instructions for updating the secret are provided in a separate section on this page.
Copy by clicking the copy-button after Value and paste it into a temporary document, reference it as "OIDC Client Secret"
NOTE: After you navigate away from this page the secret will not be visible ever again. If you need it for anything else at some point later, please store it in a secure tool/location. Alternatively a new secret can be created and used.
Navigate to https://login.admincontrol.net/settings/adintegration
You will log in with the username provided by Admincontrol when the AD Integration was acquired. After login you will see this page:
Locate the button "Set new OIDC Secret" and click it.
The OIDC Client Secret is located in your temporary document, collected in step 9, referenced as "OIDC Client Secret". Paste it into the text input field as shown below.
The following confirmation is displayed.
We are now using the new secret.
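Both the initial setup and the renewal steps above ask you to arrange your own expiry alert because the Entra ID portal has none built in. The following is an added example, not Admincontrol's or Microsoft's own code, that can be run on a schedule to report the expiry state of every client secret on the Admincontrol app registration through Microsoft Graph PowerShell. The display name "Admincontrol" and the 30-day warning window are assumptions; Graph only returns the secrets' metadata, never the secret values.

```powershell
# Added example (not Admincontrol's or Microsoft's own code): warn when a client secret on the
# "Admincontrol" app registration is expired or close to expiry.
# Requires the Microsoft.Graph.Applications module. Assumed values: the display name and WarnDays.
param(
    [string]$AppDisplayName = 'Admincontrol',
    [int]$WarnDays = 30
)

# Read-only scope is enough: Graph exposes only expiry dates and hints, never the secret value.
Connect-MgGraph -Scopes 'Application.Read.All' -NoWelcome

$app = @(Get-MgApplication -Filter "displayName eq '$AppDisplayName'")
if ($app.Count -eq 0) { throw "No app registration named '$AppDisplayName' found." }
if ($app.Count -gt 1) { throw "Several app registrations are named '$AppDisplayName'; filter on appId instead." }
$app = $app[0]

$now     = Get-Date
$cutoff  = $now.AddDays($WarnDays)
$secrets = @($app.PasswordCredentials)
if ($secrets.Count -eq 0) { Write-Warning "No client secrets exist on '$AppDisplayName'."; exit 1 }

$report = foreach ($s in $secrets) {
    $state = if ($s.EndDateTime -lt $now)    { 'EXPIRED' }
             elseif ($s.EndDateTime -lt $cutoff) { 'EXPIRING' }
             else                              { 'OK' }
    [pscustomobject]@{
        Description = $s.DisplayName
        KeyId       = $s.KeyId
        Expires     = $s.EndDateTime
        DaysLeft    = [math]::Floor(($s.EndDateTime - $now).TotalDays)
        State       = $state
    }
}
$report | Sort-Object Expires | Format-Table -AutoSize

# A non-zero exit code lets a scheduled task or pipeline turn this report into an alert.
if ($report.State -contains 'EXPIRED' -or $report.State -contains 'EXPIRING') { exit 1 }
exit 0
```

Once a new secret has been created and set in Admincontrol, the old one can be deleted so that it no longer shows as EXPIRED in this report.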
User provisioning is currently not supported, meaning Admincontrol will not be aware of the user's status in Entra ID, except during the login process itself. Consequently, users might appear active within the solution even if their AD account is deactivated or removed.
Offboarding is still supported for authentication, as new logins will be blocked by AD. However, if the user needs to be shown as inactive for admins in the Admincontrol portal, the admin must also deactivate the user there.
Electronic ID logins will not be possible for end users if their account belongs to a domain requiring Entra ID login. This is because Admincontrol cannot determine the current status of the AD user, and we need to prevent any potential backdoor access for offboarded AD users.
Onboarding with an Entra ID user is supported, but an invite is required, and the signup form needs to be submitted before the user starts logging in with Entra ID.