How to Connect Microsoft Entra ID (Azure AD) with CloudZero

CloudZero supports single sign-on (SSO) for Microsoft Entra ID (formerly Azure Active Directory). This enables Entra ID users to log in to CloudZero without entering a CloudZero username and password.

Set Up a New SSO Integration with Entra ID

To set up a new SSO integration for CloudZero using Microsoft Entra ID, complete the following steps:

  1. Retrieve your Entra ID primary domain from Azure.
  2. Create a new app registration in Azure.
  3. Create a client secret for the application.
  4. Assign API permissions to the application.
  5. Configure the SSO integration in CloudZero.

As part of these steps, you will gather the following information from Azure:

  • Primary domain
  • Application (client) ID
  • Secret value
  • Secret expiration date

Step 1: Retrieve Primary Domain From Azure

  1. Log in to the Azure Portal and navigate to Entra ID.

  2. Copy the Primary domain from your Entra ID overview for use in a later step.

Copy your tenant's Primary Domain from Entra ID

Step 2: Create Azure App Registration

  1. In the Azure Portal, navigate to App Registrations.

  2. Select New registration.

  3. Enter a name in the Name field, such as CloudZero.

  4. In the Supported account types section, select Accounts in this organizational directory only (Single tenant).

  5. In the Redirect URI section, select Web from the drop-down menu and enter the following URI: https://auth.cloudzero.com/login/callback

  6. Select Register. Azure creates the app registration.

Create the app registration in Azure

  7. On the Overview page for the app you created, copy the Application (client) ID for use in a later step.

Copy the application (client) ID in Azure

Step 3: Create Client Secret

  1. In the Azure Portal, on the Overview page for the app registration you created, select Manage > Certificates & secrets.

  2. Select New client secret.

  3. Enter a description for the client secret.

  4. Select an expiration date.

  5. Select Add.

  6. Copy the secret's Value (not the secret's ID). Note that the value cannot be displayed again after you leave the page. You will need this value for a later step.

Copy the secret value in Azure

  7. Note the secret's expiration date for use in a later step.

Step 4: Assign App Permissions

  1. In the Azure Portal, on the Overview page for the app registration, select Manage > API permissions.

  2. Select Add a permission.

  3. Select Microsoft Graph.

  4. Select Delegated permissions.

  5. In the Select permissions search field, search for and select the following permissions:

    • Directory.Read.All
    • User.Read

  6. Select Add permissions.

Add Directory.Read.All and User.Read permissions to the application

Step 5: Configure the Entra ID SSO Integration in CloudZero

  1. Log in to CloudZero and navigate to Settings > SSO Integration.

  2. In the Select Your Identity Provider section, select Azure Active Directory from the Identity Provider Type drop-down menu.

  3. In the Enter your Azure information section, enter the Email Domain. Users with an email address from this domain will be forwarded to your Microsoft Entra ID integration to log in to CloudZero.

  4. Paste the primary domain you copied in Step 1 into the Tenant URL field. Note that this is the domain name only (such as example.com). Do not add https://www. to it.

  5. Paste the application (client) ID you copied in Step 2 into the Client ID field.

  6. Paste the secret value you copied in Step 3 into the Client Secret field.

  7. Enter the expiration date for the secret from Step 3 into the Secret Expiration Date field, using the format YYYY-mm-dd.

  8. Select Save.

  9. Select the Open SSO Test Window button to open a new browser tab, log in to your IdP, and confirm a successful round trip with CloudZero. A successful round trip will redirect you to https://jwt.io/ with a valid token. After you see a decoded token, you can close this browser tab.

  10. When the test is successful, CloudZero's SSO Integration page automatically displays the message Testing Complete. If this does not happen within one minute, refresh the page.

  11. Check the Enable log-ins with my SSO box.

Caution: This will immediately switch over the specified email domain to use the configured SSO.

If you need to roll back this configuration, contact your CloudZero support representative.

  12. Copy the Bookmark URL at the bottom of the page.

Copy the Bookmark URL from the CloudZero UI

  13. Manually create a bookmark in your browser of choice using the Bookmark URL. When you select the bookmark in your browser, you will seamlessly log in to CloudZero.

  14. Share the Bookmark URL with other users in your CloudZero organization so they can create their own browser bookmarks to log in to CloudZero.
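
A pre-flight check on the four values entered in Step 5 can catch the mistakes the steps above warn about: a scheme or www. prefix in the Tenant URL, the secret's ID pasted instead of its Value, and a badly formatted or nearly expired expiration date. The following Python is an added example, not CloudZero or Microsoft code; the function name, the 30-day warning threshold and the sample values are assumptions constructed for illustration.

```python
import re
from datetime import date, datetime

GUID_RE = re.compile(
    r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", re.I)
DOMAIN_RE = re.compile(
    r"^(?=.{1,253}$)([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$", re.I)

def check_sso_fields(tenant_url, client_id, client_secret, secret_expiration,
                     today=None, warn_days=30):
    """Return a list of problems with the Step 5 values (empty list = OK).
    The secret itself is never echoed into a message."""
    today = today or date.today()
    problems = []
    # Tenant URL: the bare primary domain, no scheme, "www." or path.
    t = tenant_url.strip().lower()
    if "://" in t or t.startswith("www.") or "/" in t:
        problems.append("tenant_url: enter the domain name only, without https://www.")
    elif not DOMAIN_RE.match(t):
        problems.append("tenant_url: not a valid domain name")
    # Client ID: the Application (client) ID is a GUID.
    if not GUID_RE.match(client_id.strip()):
        problems.append("client_id: expected the Application (client) ID, a GUID")
    # Client Secret: the secret's ID is a GUID, the secret's Value is not.
    if not client_secret.strip():
        problems.append("client_secret: empty")
    elif GUID_RE.match(client_secret.strip()):
        problems.append("client_secret: looks like the secret's ID, not its Value")
    # Expiration date: YYYY-mm-dd, and not expired or about to expire.
    try:
        expires = datetime.strptime(secret_expiration.strip(), "%Y-%m-%d").date()
    except ValueError:
        problems.append("secret_expiration: use the format YYYY-mm-dd")
    else:
        days_left = (expires - today).days
        if days_left < 0:
            problems.append("secret_expiration: secret has already expired")
        elif days_left < warn_days:
            problems.append(f"secret_expiration: secret expires in {days_left} days")
    return problems

if __name__ == "__main__":
    # Constructed sample values, not real credentials.
    for line in check_sso_fields(
            "https://www.example.com",
            "11111111-2222-3333-4444-555555555555",
            "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee",  # a secret ID pasted by mistake
            "01/15/2026"):
        print(line)
```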