# Setting Up Microsoft Entra (Azure AD)

This document outlines the steps required to set up Microsoft Entra (formerly Azure AD) SSO integration with StepSecurity.

**You can follow this interactive demo to get started with setting up Microsoft Entra SSO:**

{% embed url="https://app.storylane.io/share/3xkjvmgacifg" %}

### Setup Instructions

#### Step 1: Configure SAML Settings

* In the StepSecurity app, navigate to Admin Console → Security & Auth → Configure SSO → Microsoft Entra ID.

<figure><img src="https://754495266-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FQJRZY4cfEeY3I7DXTOCp%2Fuploads%2FvUC9sEQ4dE5vM3sbSH1C%2FUc-2vy73rjuIiU6D0g41z.png?alt=media&#x26;token=c0bf719b-a715-4a02-8ff2-d15ac1d5f9da" alt=""><figcaption></figcaption></figure>

* Copy the values displayed here. You will paste them into Microsoft Entra in Step 4.

#### Step 2: Create a New Enterprise Application

* Navigate to your Microsoft Entra Admin Portal.
* Create a new Enterprise Application.
* Name the application StepSecurity.

<figure><img src="https://754495266-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FQJRZY4cfEeY3I7DXTOCp%2Fuploads%2F3H8SOQjNNGEomObV8vbN%2FScreenshot%202025-04-07%20at%201.09.16%E2%80%AFAM.png?alt=media&#x26;token=18edc964-05bb-4fd5-b099-db1fc8d50a91" alt=""><figcaption></figcaption></figure>

#### Step 3: Configure Single Sign-On

* After creating the application, go to the Single Sign-On section.
* Select SAML as the SSO method.

<figure><img src="https://754495266-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FQJRZY4cfEeY3I7DXTOCp%2Fuploads%2FiQXJQClFi6p6XNOJTPbQ%2FScreenshot%202025-04-07%20at%201.10.42%E2%80%AFAM.png?alt=media&#x26;token=64c5252c-b3ed-463e-acd4-2551ec37b828" alt=""><figcaption></figcaption></figure>

#### Step 4: Provide SAML Configuration

* Paste the values you obtained from the StepSecurity app into the corresponding fields.

<figure><img src="https://754495266-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FQJRZY4cfEeY3I7DXTOCp%2Fuploads%2FU91WFtFcC657wgJ5M7g6%2F1768813667528.png?alt=media&#x26;token=9c6811e6-98db-4127-99a6-aad98f611a0d" alt=""><figcaption></figcaption></figure>

#### Step 5: Add a Group Claim

We recommend creating dedicated Microsoft Entra groups for StepSecurity, such as `StepSecurity-Administrators` and `StepSecurity-Auditors`. Follow the instructions below to set them up:

<details>

<summary><strong>How to Set Up StepSecurity Microsoft Entra Groups</strong></summary>

1. Navigate to the Admin Console in your Microsoft Entra dashboard and select Groups

<figure><img src="https://754495266-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FQJRZY4cfEeY3I7DXTOCp%2Fuploads%2FNLELEoXrYKDz7PNvwPRI%2FMPBhEIIfRukw_7SeZD3JS.png?alt=media&#x26;token=c1fb4248-934c-4041-882b-8ab667aecc35" alt=""><figcaption></figcaption></figure>

2. Click "New group"

<figure><img src="https://754495266-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FQJRZY4cfEeY3I7DXTOCp%2Fuploads%2FTm4hyhj7PQGdc7g0GLub%2F1768813925115.png?alt=media&#x26;token=02cc5df6-aaaf-4dba-aed3-069aa4ce089a" alt=""><figcaption></figcaption></figure>

3. Give the group an appropriate name and description, add members, and assign an owner

<figure><img src="https://754495266-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FQJRZY4cfEeY3I7DXTOCp%2Fuploads%2Fq82J1Cg8MtzEugljZjD8%2F1768813945591.png?alt=media&#x26;token=c85a35e9-8448-44b4-af3c-ceb6883f1530" alt=""><figcaption></figcaption></figure>

4. Create two groups: one for **StepSecurity Administrators** and another for **StepSecurity Auditors**

<figure><img src="https://754495266-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FQJRZY4cfEeY3I7DXTOCp%2Fuploads%2F2SzkZIgyOG2bvAUuUyqN%2F123.png?alt=media&#x26;token=9dc35213-0e02-42cb-af78-ecc29c19faeb" alt=""><figcaption></figcaption></figure>

5. To add the groups you just created to the application, go to "Users and groups"

<figure><img src="https://754495266-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FQJRZY4cfEeY3I7DXTOCp%2Fuploads%2FjI5rHNzpWfxdv5HnoNT4%2FST1.png?alt=media&#x26;token=1471cb8d-41cc-433f-a75f-b4123b3c35e0" alt=""><figcaption></figcaption></figure>

6. Click "Add user/group"

<figure><img src="https://754495266-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FQJRZY4cfEeY3I7DXTOCp%2Fuploads%2F1vtG7N8quSp8Ye8uJuwf%2FST2.png?alt=media&#x26;token=1d89403b-4580-4bfa-b773-0d98973767f1" alt=""><figcaption></figcaption></figure>

7. Select the two groups you just created and assign them to the application

<figure><img src="https://754495266-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FQJRZY4cfEeY3I7DXTOCp%2Fuploads%2Fzvvj2Z9AgJG7MSQypkq7%2FST3.png?alt=media&#x26;token=6319ec10-406d-4d69-abdf-a54d00cc8897" alt=""><figcaption></figcaption></figure>

</details>

Update Attributes & Claims to pass group information in the SAML assertion.

* Open Attributes & Claims → Add a group claim.

<figure><img src="https://754495266-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FQJRZY4cfEeY3I7DXTOCp%2Fuploads%2FDSU9j1NYLRvNjd7C9ul6%2FSt4.png?alt=media&#x26;token=3e871c29-b2ca-4549-a8a5-6e1c22d091e8" alt=""><figcaption></figcaption></figure>

* Under "Which groups", select "Groups assigned to the application".
* Set "Source attribute" to "Cloud‑only group display names".

<figure><img src="https://754495266-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FQJRZY4cfEeY3I7DXTOCp%2Fuploads%2FBh9ZEBSNQrxTO4smRjH2%2F1768814150130.png?alt=media&#x26;token=57a756f8-58b0-41e8-adac-3ce06b3f6c08" alt=""><figcaption></figcaption></figure>

* Expand Advanced options and add a filter to restrict the group claim to group names that start with **“StepSecurity-”**.

<figure><img src="https://754495266-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FQJRZY4cfEeY3I7DXTOCp%2Fuploads%2FFH2EOYzuf5keWYDXinYw%2F111.png?alt=media&#x26;token=eabd041a-a9f6-4ed5-b53e-32df8018be12" alt=""><figcaption></figcaption></figure>

* Enable "Customize the name of the group claim" and set Name to `Groups`.
* Click Save.

{% hint style="danger" %}
**You should only pass StepSecurity groups to the StepSecurity platform. If the app passes all group memberships, it may exceed the maximum request body size.**
{% endhint %}

* Passing the group claim enables StepSecurity’s SCIM-like functionality. For example, you can map Microsoft Entra groups to roles in the StepSecurity dashboard for centralized access control.
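
To confirm the group claim settings from this step once sign-in works, you can decode the `SAMLResponse` form field captured from your own test login (for example, from the browser's developer tools) and check what was actually sent. The following is an added example, not StepSecurity's code; it assumes an unencrypted assertion, only inspects the claim and does not verify the signature, and uses constructed sample responses with a made-up `All-Employees` group.

```python
import base64
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
CLAIM_NAME = "Groups"              # claim name set in Step 5
REQUIRED_PREFIX = "StepSecurity-"  # filter prefix set in Step 5


def group_claim_values(saml_response_b64):
    """Return the values of the Groups attribute in a base64 SAMLResponse."""
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    if root.find(".//saml:EncryptedAssertion", NS) is not None:
        raise ValueError("assertion is encrypted; decrypt it before auditing")
    values = []
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        if attr.get("Name") == CLAIM_NAME:
            for value in attr.iterfind("saml:AttributeValue", NS):
                values.append((value.text or "").strip())
    return values


def audit_group_claim(saml_response_b64):
    """Report which group names were sent and which fall outside the filter."""
    groups = group_claim_values(saml_response_b64)
    unexpected = [g for g in groups if not g.startswith(REQUIRED_PREFIX)]
    # OK only if the claim is present and every value matches the prefix.
    return {"groups": groups, "unexpected": unexpected,
            "ok": bool(groups) and not unexpected}


def constructed_response(group_names):
    """Build a minimal, unsigned SAMLResponse (constructed, for demonstration)."""
    values = "".join(
        f"<saml:AttributeValue>{g}</saml:AttributeValue>" for g in group_names)
    xml = (
        '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
        'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"><saml:Assertion>'
        f'<saml:AttributeStatement><saml:Attribute Name="{CLAIM_NAME}">{values}'
        "</saml:Attribute></saml:AttributeStatement></saml:Assertion>"
        "</samlp:Response>"
    )
    return base64.b64encode(xml.encode()).decode()


if __name__ == "__main__":
    good = constructed_response(["StepSecurity-Administrators", "StepSecurity-Auditors"])
    leaky = constructed_response(["StepSecurity-Auditors", "All-Employees"])
    print(audit_group_claim(good))
    print(audit_group_claim(leaky))
```

An `unexpected` list that is not empty means the filter from Advanced options is not being applied, and an empty `groups` list means the claim is missing or not named `Groups`.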

#### Step 6: Configure IdP-Initiated Login (Optional)

* To get your RelayState value, go to the StepSecurity app and navigate to Admin Console → Security & Auth → Configure SSO → Microsoft Entra ID → Step 4.

<figure><img src="https://754495266-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FQJRZY4cfEeY3I7DXTOCp%2Fuploads%2Fc3atFHlLxSbFZJn76FEc%2FScreenshot%202025-11-12%20at%2015.33.16.png?alt=media&#x26;token=7c8f342b-0ede-42e1-b48b-15ee5f283c6e" alt=""><figcaption></figcaption></figure>

* In the Entra portal, paste that value into Relay State (Optional) under Basic SAML Configuration and Save.

<figure><img src="https://754495266-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FQJRZY4cfEeY3I7DXTOCp%2Fuploads%2FcmDsMkUXh5RiRwD19sA2%2FScreenshot%202025-09-03%20at%201.27.16%E2%80%AFPM.png?alt=media&#x26;token=3d82957d-e69a-4f38-9b2c-0ba22ecaed8c" alt=""><figcaption></figcaption></figure>

#### Step 7: Exchange metadata and (optionally) configure IdP‑initiated access

* Download the IdP metadata file from the Entra SAML configuration page. Upload the file to the StepSecurity app and provide your organization’s email domain. Then notify the StepSecurity team via Slack or email and wait for the StepSecurity Operations team to update your tenant.

<figure><img src="https://754495266-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FQJRZY4cfEeY3I7DXTOCp%2Fuploads%2FaURB4lonFWc5tBXPTLI3%2FScreenshot%202025-11-12%20at%2015.33.36.png?alt=media&#x26;token=cc7ad47b-fb60-4936-86b9-4ba540554743" alt=""><figcaption></figcaption></figure>

#### Step 8: Confirm SSO Setup

* On the StepSecurity → Security & Auth page, you can test your SSO integration.
* To verify that the SSO flow is working, follow these steps:
  * Authorize your email address for SSO access: Navigate to the Admin Console -> Members and click "Add Members".
  * Select SSO as the Authentication Type and add your email as an authorized member.
  * Log out of your current StepSecurity session.
  * Go to `https://app.stepsecurity.io/login` and log in using SSO.
  * Confirm that you can successfully access the dashboard.
* For additional confirmation, go to Admin Console → Security & Auth, then in Step 3 of the Microsoft Entra SSO configuration, click "Run SSO Test". Verify that all checks on the test page pass successfully.

<figure><img src="https://754495266-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FQJRZY4cfEeY3I7DXTOCp%2Fuploads%2FtsVeWcbU7qZVQUF883lw%2FScreenshot%202026-01-19%20at%2019.30.26.png?alt=media&#x26;token=9b2a58ff-e1af-413e-84a9-a7b1478f7d6a" alt=""><figcaption></figcaption></figure>

#### Step 9: Add Members

{% hint style="info" %}
**Important:** If any changes are made to SSO group membership in Microsoft Entra (for example, adding or removing a user from a group), the affected user must log out and log back in to StepSecurity for the updated group access and role mappings to take effect immediately. Otherwise, the changes are reflected once the SSO session is renewed.
{% endhint %}

Every SSO identity must be explicitly authorized in the StepSecurity dashboard. You can do this in two different ways:

* Authorize individual users
* Authorize groups

<figure><img src="https://754495266-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FQJRZY4cfEeY3I7DXTOCp%2Fuploads%2FXph20xwgeFk56Ls21gEg%2FScreenshot%202026-01-19%20at%2019.36.17.png?alt=media&#x26;token=b472b8f7-a71f-48cd-80e4-a541ff084e36" alt=""><figcaption></figcaption></figure>

**To authorize individual users:**

* In Microsoft Entra, the user must also be explicitly authorized to access the application, either by assigning the user directly to the app or by assigning a group the user belongs to.

<figure><img src="https://754495266-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FQJRZY4cfEeY3I7DXTOCp%2Fuploads%2FTUpkRi300MMICPZ7Rx3E%2FScreenshot%202026-01-19%20at%2019.33.13.png?alt=media&#x26;token=7fff39cd-9d88-47e2-b047-3c3ed2c6f570" alt=""><figcaption></figcaption></figure>

* Once the user is authorized in Microsoft Entra, navigate to Admin Console -> Members in your StepSecurity dashboard.

  <figure><img src="https://754495266-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FQJRZY4cfEeY3I7DXTOCp%2Fuploads%2FGGXqrFtZvhBWQ00FXDMo%2FScreenshot%202025-12-01%20at%2013.11.34.png?alt=media&#x26;token=9b74a1ea-6549-4244-be12-aa5e30834315" alt=""><figcaption></figcaption></figure>

  * Click "Add Members" and select the SSO option
  * Add the user's email address

  <figure><img src="https://754495266-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FQJRZY4cfEeY3I7DXTOCp%2Fuploads%2FkTW91j3VEFQ5s9Sdo1ZC%2FScreenshot%202025-12-01%20at%2013.12.46.png?alt=media&#x26;token=a9584436-5d3f-4585-91d6-0faa051d2a74" alt=""><figcaption></figcaption></figure>

**To authorize groups:**

* Ensure that the group is authorized to use the application.
* Once the group is authorized in Microsoft Entra, navigate to Admin Console -> Members in your StepSecurity dashboard.

<figure><img src="https://754495266-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FQJRZY4cfEeY3I7DXTOCp%2Fuploads%2Fl23vheDfLKK0txmWeF7L%2FScreenshot%202026-01-19%20at%2019.42.16.png?alt=media&#x26;token=ca7385c3-4799-4378-9d2d-8846c01df41e" alt=""><figcaption></figcaption></figure>

* Click "Add Members" on your StepSecurity dashboard and select the SSO Group option
* Add the SSO group

<figure><img src="https://754495266-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FQJRZY4cfEeY3I7DXTOCp%2Fuploads%2F6DiHJRUbEtcE7y2bLT7A%2FScreenshot%202025-12-01%20at%2013.23.53.png?alt=media&#x26;token=d8abb855-727b-4ad0-8647-4a9db0617f32" alt=""><figcaption></figcaption></figure>

For more details on adding members to your StepSecurity dashboard, visit this [documentation](https://docs.stepsecurity.io/admin-console/members).
