Articles in this section

See more

Admincontrol Single Sign-on (SSO) with Microsoft Entra ID

Overview

In this article, you’ll find a step-by-step guide on how to set up Microsoft Entra ID Single Sign-On (SSO) towards Admincontrol for your tenant/company.

Microsoft Entra ID, formerly known as Azure Active Directory (Azure AD), is a cloud-based identity and access management service that allows seamless integration of applications through SSO, enhancing security and user experience.

 

The setup takes places in the Entra ID portal, and also the Admincontrol AD Integration setup page.

 

Entra ID portal

An Enterprise application is created and properties are collected/created here and also in the belonging App registrations application.

 

Admincontrol AD Integration setup page

Here you will insert credentials, get the redirect URI and at the end activate the SSO.

 

 

 

Please follow this step by step guide to activate Entra ID SSO:

 

 

1 Log in to Entra ID portal

Log into your Entra ID admin account, as "Cloud Application Administrator" or higher.

 

 

2 Go to Enterprise applications

Search for Enterprise applications in the top bar and select it under services

 

3 Click "New application"

On the Enterprise applications page, click "New application"

 

4 Click "Create your own application"

On the following page, clik "Create your own application"

 

5 Name it "Admincontrol"

 

6 Select third option, non-gallery

Enter Admincontrol, select the last option "Integrate any other application you don't find in the gallery (Non-gallery)" and click "Create"

 

7 Click "Create"

 

8 Go to "App Registrations"

Go to "App Registrations" by searching for it in the top bar as shown in the screenshot below.

 

9 Click "All applications"

Its the first of the 3 tabs on the App registrations page

 

10 Click "Admincontrol"

Locate the App registration named "Admincontrol" and click it.

 

11 Collect Application (client) ID

Copy the value into a temporary document, reference it as "OIDC client ID"

 

12 Click "Add a certificate or a secret"

On the same page, click the link shown below

 

13 Click "New client secret"

Locate the button and click it

 

14 Enter description and expiry length

Write "Admincontrol" in description and select 730 days as expires length.

IMPORTANT: Please set a timely alert to ensure the renewal and update of this secret, as it will expire in two years. You can configure the alert using a method that suits your needs. Currently, Microsoft does not support a built-in alert method in the Entra ID portal. Instructions for updating the secret are provided in a separate section on this page.

 

15 Click "Add"

 

16 Collect secret

Copy by clicking the copy-button after Value and paste it into a temporary document, reference it as "OIDC Client Secret"

NOTE: After you navigate away from this page the secret will not be visible ever again. If you need it for anything else at some point later, please store it in a secure tool/location. Alternatively a new secret can be created and used.

 

17 Go to Overview in the Admincontrol App registration

Locate the "Overview" as shown below and click it.

 

18 Collect tenant id and save it as OIDC Issuer Url

In your temporary document, you will now be storing a third value, reference it as OIDC Issuer Url.

Copy the value of "Directory (tenant) ID" into https://login.microsoftonline.com/[tenant-id]/v2.0 and compose a url.

 

The output will be like this.

https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/v2.0

Store it in your temporary document, reference it as "OIDC Issuer Url".

 

19 Click "Api Permissions"

 

20 Click "Add a permission"

In the middle of the page, click the "Add a permission" button

 

21 Click "Microsoft Graph"

In the following modal, click the top API suggestion, "Microsoft Graph"

 

22 Click "Delegated permissions"

In the following view, click "Delegated permissions"

 

23 Select "openid" and "profile"

A new section of the view appears, here you need to go down to the "OpenId permissions" section and check "openid" and "profile".

 

24 Click "Add permissions"

Below the checked boxed, you will find the "Add permissions" button, click it.

 

25 Click "Grant admin consent for Admincontrol"

In the middle of the page, locate this button and click it.

 

26 Go to Enterprise applications

Search for "Enterprise applications" in the top search bar in Entra ID portal, and select it

 

27 Click on the "Admincontrol" Enterprise application

Search for "Admincontrol" and click on the application found.

 

28 Go to "Users and groups"

Expand the "Manage" area and click on "Users and groups".

 

29 Add users and groups

Here you need to add all users/groups that should have access to Admincontrol login.

To minimize maintenance its recommended to add groups, not single users, but you are free to do anything that makes sense for your company's usage here.

IMPORTANT: Any user in your tenant that needs access to Admincontrol needs to be here. If a user is not included by user or group the login to Admincontrol will be denied.

Adding users is a broader area and if you need directions please take a look at the Microsoft documentation: https://learn.microsoft.com/en-us/entra/identity/enterprise-apps/assign-user-or-group-access-portal?pivots=portal

 

30 Enable Microsoft Entra multifactor authentication

Create a Conditional Access policy and enable Microsoft Entra multifactor authentication for all users of the Admincontrol Enterprise Application. This is a requirement in order to use Entra ID SSO with Admincontrol.

Please follow the documentation from Microsoft: https://learn.microsoft.com/en-us/entra/identity/authentication/howto-mfa-getstarted#plan-conditional-access-policies

 

31 Contact Admincontrol, acquire AD Integration

Reach out to your Admincontrol contact to enable AD Integration for for your domain(s).

 

32 Go to Admincontrol Ad Integration setup page

Navigate to https://login.admincontrol.net/settings/adintegration

 

33 Log in to Admincontrol Ad Integration setup page

You will log in with the username provided by Admincontrol at the point of the acquirement of the AD Integration. After login you will see this page:

NOTE: Please note that this page has a short session duration. You will be automatically logged out after 15 minutes of inactivity.

 

34 Paste in your OIDC Client ID

The OIDC Client ID is located in your temporary document, collected in step 11, referenced as "OIDC Client ID". Paste it into the first text input field, with the matching name.

 

35 Paste in your OIDC Client Secret

The OIDC Client Secret is located in your temporary document, collected in step 16, referenced as "OIDC Client Secret". Paste it into the second text input field, with the matching name.

 

36 Paste in your OIDC Issuer Url

The OIDC Issuer Url is located in your temporary document, collected in step 18, referenced as "OIDC Issuer Url". Paste it into the third and last text input field, with the matching name.

 

37 Click "Save"

Values will be saved, but SSO is still not enabled.

 

38 Collect the "Redirect URI"

Click the copy button you see below and paste it into your temporary document. Reference it as "Redirect URI".

 

39 Go to Entra ID portal

 

40 Go to "App Registrations"

Go to "App Registrations" by searching for it in the top bar as shown in the screenshot below.

 

41 Click "All applications"

Its the first of the 3 tabs on the App registrations page.

 

42 Click "Admincontrol"

Locate the App registration named "Admincontrol" and click it.

 

43 Click "Authentication" in the "Manage" section

In the Admincontrol App registration left menu, expand "Manage" and click Authentication

 

44 Click "Add a platform"

Click the button as specified in the screenshot below

 

45 Select "Web"

In the modal, select "Web" as shown below.

 

46 Paste in your Redirect URI and press Configure

The Redirect URI is located in your temporary document, collected in step 38, referenced as "Redirect URI". Paste it into the text input field for Redirect URI.

 

47 Go to Admincontrol Ad Integration setup page

Navigate to https://login.admincontrol.net/settings/adintegration

 

48 Log in to Admincontrol Ad Integration setup page

You will log in with the username provided by Admincontrol at the point of the acquirement of the AD Integration. After login you will see this page:

 

49 Enable SSO

Toggle the Enable SSO ON by pressing the toggle as shown below. This is how it looks after pressed.

You are DONE, all Admincontrol logins on our domains are now done with your Entra ID tenant.

 

 

 

 

Login - changes affected after completed setup

After the setup is done, your end users will be redirected to your tenant for login, this is based on the domain of the username. 

 

After successful Entra ID login, the user will be logged into their matching Admincontrol user.

 

 

 

 

How to update expired app registration oidc client secret

This needs to be done before the current OIDC client secret expires. Once you have created a new secret in the Entra ID portal, you can set it to be used. Multiple secrets can coexist, so there is no need to wait for the exact expiration date. Please follow the steps to complete the change to the new OIDC client secret.

 

1 Go to Entra ID portal

 

2 Go to "App Registrations"

Go to "App Registrations" by searching for it in the top bar as shown in the screenshot below.

 

3 Click "All applications"

Its the first of the 3 tabs on the App registrations page.

 

4 Click "Admincontrol"

Locate the App registration named "Admincontrol" and click it.

 

5 Expand "Manage" and click "Certificates & secrets"

Click "Certificates & secrets" in the left menu, under the "Manage" section.

 

6 Click "New client secret"

In the "Client secrets" tab, click "New client secret

 

7 Enter description and expiry length

Write "Admincontrol" in description and select 730 days as expires length.

IMPORTANT: Please set a timely alert to ensure the renewal and update of this secret, as it will expire in two years. You can configure the alert using a method that suits your needs. Currently, Microsoft does not support a built-in alert method in the Entra ID portal. Instructions for updating the secret are provided in a separate section on this page.

 

8 Click "Add"

 

9 Collect secret

Copy by clicking the copy-button after Value and paste it into a temporary document, reference it as "OIDC Client Secret"

NOTE: After you navigate away from this page the secret will not be visible ever again. If you need it for anything else at some point later, please store it in a secure tool/location. Alternatively a new secret can be created and used.

 

10 Go to Admincontrol Ad Integration setup page

Navigate to https://login.admincontrol.net/settings/adintegration

 

11 Log in to Admincontrol Ad Integration setup page

You will log in with the username provided by Admincontrol at the point of the acquirement of the AD Integration. After login you will see this page:

 

12 Click "Set new OIDC Secret"

Locate the button "Set new OIDC Secret" and click it.

 

13 Paste in your new "OIDC Client Secret"

The OIDC Client Secret is located in your temporary document, collected in step 9, referenced as "OIDC Client Secret". Paste it into the text input field as shown below.

 

 

14 Press Save

The following confirmation is displayed.

We are now using the new secret.

 

 

Good to know

User provisioning is currently not supported, meaning Admincontrol will not be aware of the user's status in Entra ID, except during the login process itself. Consequently, users might appear active within the solution even if their AD account is deactivated or removed.

Offboarding is still supported for authentication, as new logins will be blocked by AD. However, if the user needs to be shown as inactive for admins in the Admincontrol portal, the admin must also deactivate the user there.

Electronic ID logins will not be possible for end users if their account belongs to a domain requiring Entra ID login. This is because Admincontrol cannot determine the current status of the AD user, and we need to prevent any potential backdoor access for offboarded AD users.

Onboarding with an Entra ID user is supported, but an invite is required, and the signup forms needs to be submitted before the user start logging in with Entra ID.

 

Error situations

  • User is told that electronic id login is not allowed - This is correct, login must be done with Entra ID

 

  • Errors like this on Entra ID login: "The user account does not exist in the tenant Admincontrol and does not have access to the application xxx in this tenant. The account must be added as an external user in the tenant first. Please use a different account." Normally this is solved by one of the two following solutions:
    • If user should have access to any Admincontrol portal with this user, the user needs to exist both in the tenant and in the userlist of the Admincontrol Enterprise application.
    • It could be that this user is registered with a different username in Admincontrol, and if this is the case the user needs to to a login with that username instead

 

  • No Admincontrol user is found. Two possible fixes:
    • Get an invite to a portal for this user
    • Log in with a different user

 

  • Entra ID login is not working for any reason, and users are blocked to log in - Turn off SSO in settings on Admincontrol setup page, or contact support to disable it.

 

 

 

 

 

Was this article helpful?
0 out of 0 found this helpful
Return to top