Microsoft Entra ID SSO

Microsoft Entra ID is a “universal platform to manage and secure identities”: https://www.microsoft.com/en-us/security/business/identity-access/microsoft-entra-id

Peerdom supports the most recommended single-sign-on methods: OpenID Connect and OAuth.

Watch the 2-minute video, or continue reading below.

What to do

Get your Tenant ID

We will need your Azure Tenant ID to activate SSO authentication. This can be found via the Microsoft Entra Admin Center or the Azure Portal. In either case, the Tenant ID can be found in the Microsoft Entra ID > Overview section. Note your Tenant ID as you’ll send it to us later.

Register the Peerdom Sync App

In the App Registrations section, create a new application. Add two Redirect URIs:

  1. Type: Web
    Value: https://backend.peerdom.org/auth/azure/return

  2. Type: Web
    Value: http://localhost:3000/auth/azure/return

Note: the second Redirect URI will be used by us to obtain the initial refresh token. After we have set up the synchronization, this redirect URI can be removed.

Create Client secret

Enter the newly registered Peerdom Sync App (from step 2) and create a new Client Secret in the Certificates & Secrets section. Choose the option: Never expire. Note the Client Secret value for later.

Enable API permissions

Go to the API permissions tab on the Peerdom Sync App and add two permissions:

  1. Microsoft Graph -> Application -> Directory.Read.All
  2. Microsoft Graph -> Application -> User.Read.All

Approve the admin consent for both of these permissions on your organisation level by clicking on the button “Grant admin consent for ORGNAME”.

Create a group to define peer synchronization

Peerdom synchronises with your Entra ID, meaning that your Peerdom directory will stay up to date with the current names and email addresses as defined in your Entra ID Directory. You will need to create a group with the users you’d like to synchronise. Create this group on Entra ID, add the members you’d like to appear on Peerdom, and write down the Group ID.

(Optional) Create a group to restrict logins

By default, Peerdom will accept all SSO login attempts from your top-level domain. To restrict login access to a particular group of users, you have two options:

  1. Restrict access to your Peerdom Sync App Registration. To do so, follow the Entra ID documentation (under the section App Registration). The Application (client) ID you send us (see below) will enforce these restrictions.
  2. Create a new group, add the users you’d like to give login access to Peerdom, and write down the Group ID. This Group ID may be the same as the one you created in step 5 for peer synchronization, but it can also differ.

Send us the SSO information

We need the following:

  1. Tenant ID
  2. Application (client) ID for the Peerdom sync app you registered
  3. Client secret value for the Peerdom sync app
  4. Group ID for peer synchronization
  5. (Optional) Group ID for login group restrictions, if different from 4 above
  6. Include members from subgroups: yes/no
     • Yes: sync the direct members of the group specified by the Group ID in step 4, as well as all members of its subgroups
     • No: sync only the direct members of the group specified by the Group ID in step 4, excluding subgroup members
  7. Avatar synchronization: yes/no
     • Yes: synchronise images from Entra ID
     • No: images are uploaded and managed in Peerdom
  8. Default access rights. When you add a new colleague to your Entra ID, a new peer will be created in Peerdom. We need to know what access rights to give them by default.
     • Member: view content
     • Editor: edit content, invite/add/remove other peers
     • Owner: edit content, invite/add/remove, administer access rights
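To show what the information above is used for, here is an added Python example (not Peerdom's own code) of the app-only Graph calls a sync of this kind makes: a client-credentials token request for the registered app, the group membership query that the "include members from subgroups" choice selects, and a parser that keeps only user objects from the reply. It assumes the standard Microsoft identity platform token endpoint and the Graph v1.0 `members`/`transitiveMembers` collections; the response below is constructed sample data, and the HTTP calls themselves are left to the caller.

```python
import json

GRAPH = "https://graph.microsoft.com/v1.0"


def token_request(tenant_id: str, client_id: str, client_secret: str) -> tuple[str, dict]:
    """Build the client-credentials token request. The Tenant ID, Application
    (client) ID and client secret are the values sent to Peerdom; the .default
    scope requests the app-only permissions granted via admin consent
    (Directory.Read.All, User.Read.All)."""
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    body = {
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": "https://graph.microsoft.com/.default",
    }
    return url, body


def members_url(group_id: str, include_subgroups: bool) -> str:
    """'Include members from subgroups: yes' maps to transitiveMembers
    (members of nested groups are expanded); 'no' maps to the direct members."""
    collection = "transitiveMembers" if include_subgroups else "members"
    return f"{GRAPH}/groups/{group_id}/{collection}?$select=id,displayName,mail,userPrincipalName"


def parse_users(graph_response: str) -> list[dict]:
    """Extract the peers to synchronise: only user objects become peers,
    nested groups and other directory objects are skipped. Falls back to the
    UPN when no mail attribute is set. (Pagination via @odata.nextLink is
    not handled here.)"""
    payload = json.loads(graph_response)
    users = []
    for obj in payload.get("value", []):
        if obj.get("@odata.type") != "#microsoft.graph.user":
            continue
        users.append({
            "id": obj["id"],
            "name": obj.get("displayName"),
            "email": obj.get("mail") or obj.get("userPrincipalName"),
        })
    return users


# Constructed sample of a transitiveMembers response; not real directory data.
SAMPLE_RESPONSE = json.dumps({"value": [
    {"@odata.type": "#microsoft.graph.user", "id": "u-1", "displayName": "Ada Example",
     "mail": "ada@example.org", "userPrincipalName": "ada@example.org"},
    {"@odata.type": "#microsoft.graph.group", "id": "g-2", "displayName": "Nested team"},
    {"@odata.type": "#microsoft.graph.user", "id": "u-3", "displayName": "Bo Example",
     "mail": None, "userPrincipalName": "bo@example.org"},
]})
```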

Send this information to your contact person at Peerdom, or to our support.